search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
OpenSSL 1.0.2f
[tomato.git] / release / src / router / openssl / ssl / s3_enc.c
blob47a0ec9fe04b18934cb80db91d52fb57539ab686
1 /* ssl/s3_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138 #include <stdio.h>
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
142
143 static unsigned char ssl3_pad_1[48] = {
144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
150 };
151
152 static unsigned char ssl3_pad_2[48] = {
153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
159 };
160
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162 const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
164 {
165 EVP_MD_CTX m5;
166 EVP_MD_CTX s1;
167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168 unsigned char c = 'A';
169 unsigned int i, j, k;
170
171 #ifdef CHARSET_EBCDIC
172 c = os_toascii[c]; /* 'A' in ASCII */
173 #endif
174 k = 0;
175 EVP_MD_CTX_init(&m5);
176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177 EVP_MD_CTX_init(&s1);
178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
179 k++;
180 if (k > sizeof buf) {
181 /* bug: 'buf' is too small for this ciphersuite */
182 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
183 return 0;
184 }
185
186 for (j = 0; j < k; j++)
187 buf[j] = c;
188 c++;
189 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
190 EVP_DigestUpdate(&s1, buf, k);
191 EVP_DigestUpdate(&s1, s->session->master_key,
192 s->session->master_key_length);
193 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
194 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
195 EVP_DigestFinal_ex(&s1, smd, NULL);
196
197 EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
198 EVP_DigestUpdate(&m5, s->session->master_key,
199 s->session->master_key_length);
200 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
201 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202 EVP_DigestFinal_ex(&m5, smd, NULL);
203 memcpy(km, smd, (num - i));
204 } else
205 EVP_DigestFinal_ex(&m5, km, NULL);
206
207 km += MD5_DIGEST_LENGTH;
208 }
209 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
210 EVP_MD_CTX_cleanup(&m5);
211 EVP_MD_CTX_cleanup(&s1);
212 return 1;
213 }
214
215 int ssl3_change_cipher_state(SSL *s, int which)
216 {
217 unsigned char *p, *mac_secret;
218 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
219 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
220 unsigned char *ms, *key, *iv, *er1, *er2;
221 EVP_CIPHER_CTX *dd;
222 const EVP_CIPHER *c;
223 #ifndef OPENSSL_NO_COMP
224 COMP_METHOD *comp;
225 #endif
226 const EVP_MD *m;
227 EVP_MD_CTX md;
228 int is_exp, n, i, j, k, cl;
229 int reuse_dd = 0;
230
231 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
232 c = s->s3->tmp.new_sym_enc;
233 m = s->s3->tmp.new_hash;
234 /* m == NULL will lead to a crash later */
235 OPENSSL_assert(m);
236 #ifndef OPENSSL_NO_COMP
237 if (s->s3->tmp.new_compression == NULL)
238 comp = NULL;
239 else
240 comp = s->s3->tmp.new_compression->method;
241 #endif
242
243 if (which & SSL3_CC_READ) {
244 if (s->enc_read_ctx != NULL)
245 reuse_dd = 1;
246 else if ((s->enc_read_ctx =
247 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
248 goto err;
249 else
250 /*
251 * make sure it's intialized in case we exit later with an error
252 */
253 EVP_CIPHER_CTX_init(s->enc_read_ctx);
254 dd = s->enc_read_ctx;
255
256 if (ssl_replace_hash(&s->read_hash, m) == NULL) {
257 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
258 goto err2;
259 }
260 #ifndef OPENSSL_NO_COMP
261 /* COMPRESS */
262 if (s->expand != NULL) {
263 COMP_CTX_free(s->expand);
264 s->expand = NULL;
265 }
266 if (comp != NULL) {
267 s->expand = COMP_CTX_new(comp);
268 if (s->expand == NULL) {
269 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
270 SSL_R_COMPRESSION_LIBRARY_ERROR);
271 goto err2;
272 }
273 if (s->s3->rrec.comp == NULL)
274 s->s3->rrec.comp = (unsigned char *)
275 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
276 if (s->s3->rrec.comp == NULL)
277 goto err;
278 }
279 #endif
280 memset(&(s->s3->read_sequence[0]), 0, 8);
281 mac_secret = &(s->s3->read_mac_secret[0]);
282 } else {
283 if (s->enc_write_ctx != NULL)
284 reuse_dd = 1;
285 else if ((s->enc_write_ctx =
286 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
287 goto err;
288 else
289 /*
290 * make sure it's intialized in case we exit later with an error
291 */
292 EVP_CIPHER_CTX_init(s->enc_write_ctx);
293 dd = s->enc_write_ctx;
294 if (ssl_replace_hash(&s->write_hash, m) == NULL) {
295 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
296 goto err2;
297 }
298 #ifndef OPENSSL_NO_COMP
299 /* COMPRESS */
300 if (s->compress != NULL) {
301 COMP_CTX_free(s->compress);
302 s->compress = NULL;
303 }
304 if (comp != NULL) {
305 s->compress = COMP_CTX_new(comp);
306 if (s->compress == NULL) {
307 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
308 SSL_R_COMPRESSION_LIBRARY_ERROR);
309 goto err2;
310 }
311 }
312 #endif
313 memset(&(s->s3->write_sequence[0]), 0, 8);
314 mac_secret = &(s->s3->write_mac_secret[0]);
315 }
316
317 if (reuse_dd)
318 EVP_CIPHER_CTX_cleanup(dd);
319
320 p = s->s3->tmp.key_block;
321 i = EVP_MD_size(m);
322 if (i < 0)
323 goto err2;
324 cl = EVP_CIPHER_key_length(c);
325 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
326 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
327 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
328 k = EVP_CIPHER_iv_length(c);
329 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
330 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
331 ms = &(p[0]);
332 n = i + i;
333 key = &(p[n]);
334 n += j + j;
335 iv = &(p[n]);
336 n += k + k;
337 er1 = &(s->s3->client_random[0]);
338 er2 = &(s->s3->server_random[0]);
339 } else {
340 n = i;
341 ms = &(p[n]);
342 n += i + j;
343 key = &(p[n]);
344 n += j + k;
345 iv = &(p[n]);
346 n += k;
347 er1 = &(s->s3->server_random[0]);
348 er2 = &(s->s3->client_random[0]);
349 }
350
351 if (n > s->s3->tmp.key_block_length) {
352 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
353 goto err2;
354 }
355
356 EVP_MD_CTX_init(&md);
357 memcpy(mac_secret, ms, i);
358 if (is_exp) {
359 /*
360 * In here I set both the read and write key/iv to the same value
361 * since only the correct one will be used :-).
362 */
363 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
364 EVP_DigestUpdate(&md, key, j);
365 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
366 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
367 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
368 key = &(exp_key[0]);
369
370 if (k > 0) {
371 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
372 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
373 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
374 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
375 iv = &(exp_iv[0]);
376 }
377 }
378
379 s->session->key_arg_length = 0;
380
381 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
382
383 #ifdef OPENSSL_SSL_TRACE_CRYPTO
384 if (s->msg_callback) {
385
386 int wh = which & SSL3_CC_WRITE ?
387 TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
388 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
389 mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
390 if (c->key_len)
391 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
392 key, c->key_len, s, s->msg_callback_arg);
393 if (k) {
394 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
395 iv, k, s, s->msg_callback_arg);
396 }
397 }
398 #endif
399
400 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
401 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
402 EVP_MD_CTX_cleanup(&md);
403 return (1);
404 err:
405 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
406 err2:
407 return (0);
408 }
409
410 int ssl3_setup_key_block(SSL *s)
411 {
412 unsigned char *p;
413 const EVP_CIPHER *c;
414 const EVP_MD *hash;
415 int num;
416 int ret = 0;
417 SSL_COMP *comp;
418
419 if (s->s3->tmp.key_block_length != 0)
420 return (1);
421
422 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
423 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
424 return (0);
425 }
426
427 s->s3->tmp.new_sym_enc = c;
428 s->s3->tmp.new_hash = hash;
429 #ifdef OPENSSL_NO_COMP
430 s->s3->tmp.new_compression = NULL;
431 #else
432 s->s3->tmp.new_compression = comp;
433 #endif
434
435 num = EVP_MD_size(hash);
436 if (num < 0)
437 return 0;
438
439 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
440 num *= 2;
441
442 ssl3_cleanup_key_block(s);
443
444 if ((p = OPENSSL_malloc(num)) == NULL)
445 goto err;
446
447 s->s3->tmp.key_block_length = num;
448 s->s3->tmp.key_block = p;
449
450 ret = ssl3_generate_key_block(s, p, num);
451
452 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
453 /*
454 * enable vulnerability countermeasure for CBC ciphers with known-IV
455 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
456 */
457 s->s3->need_empty_fragments = 1;
458
459 if (s->session->cipher != NULL) {
460 if (s->session->cipher->algorithm_enc == SSL_eNULL)
461 s->s3->need_empty_fragments = 0;
462
463 #ifndef OPENSSL_NO_RC4
464 if (s->session->cipher->algorithm_enc == SSL_RC4)
465 s->s3->need_empty_fragments = 0;
466 #endif
467 }
468 }
469
470 return ret;
471
472 err:
473 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
474 return (0);
475 }
476
477 void ssl3_cleanup_key_block(SSL *s)
478 {
479 if (s->s3->tmp.key_block != NULL) {
480 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
481 OPENSSL_free(s->s3->tmp.key_block);
482 s->s3->tmp.key_block = NULL;
483 }
484 s->s3->tmp.key_block_length = 0;
485 }
486
487 /*-
488 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
489 *
490 * Returns:
491 * 0: (in non-constant time) if the record is publically invalid (i.e. too
492 * short etc).
493 * 1: if the record's padding is valid / the encryption was successful.
494 * -1: if the record's padding is invalid or, if sending, an internal error
495 * occured.
496 */
497 int ssl3_enc(SSL *s, int send)
498 {
499 SSL3_RECORD *rec;
500 EVP_CIPHER_CTX *ds;
501 unsigned long l;
502 int bs, i, mac_size = 0;
503 const EVP_CIPHER *enc;
504
505 if (send) {
506 ds = s->enc_write_ctx;
507 rec = &(s->s3->wrec);
508 if (s->enc_write_ctx == NULL)
509 enc = NULL;
510 else
511 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
512 } else {
513 ds = s->enc_read_ctx;
514 rec = &(s->s3->rrec);
515 if (s->enc_read_ctx == NULL)
516 enc = NULL;
517 else
518 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
519 }
520
521 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
522 memmove(rec->data, rec->input, rec->length);
523 rec->input = rec->data;
524 } else {
525 l = rec->length;
526 bs = EVP_CIPHER_block_size(ds->cipher);
527
528 /* COMPRESS */
529
530 if ((bs != 1) && send) {
531 i = bs - ((int)l % bs);
532
533 /* we need to add 'i-1' padding bytes */
534 l += i;
535 /*
536 * the last of these zero bytes will be overwritten with the
537 * padding length.
538 */
539 memset(&rec->input[rec->length], 0, i);
540 rec->length += i;
541 rec->input[l - 1] = (i - 1);
542 }
543
544 if (!send) {
545 if (l == 0 || l % bs != 0)
546 return 0;
547 /* otherwise, rec->length >= bs */
548 }
549
550 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
551 return -1;
552
553 if (EVP_MD_CTX_md(s->read_hash) != NULL)
554 mac_size = EVP_MD_CTX_size(s->read_hash);
555 if ((bs != 1) && !send)
556 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
557 }
558 return (1);
559 }
560
561 void ssl3_init_finished_mac(SSL *s)
562 {
563 if (s->s3->handshake_buffer)
564 BIO_free(s->s3->handshake_buffer);
565 if (s->s3->handshake_dgst)
566 ssl3_free_digest_list(s);
567 s->s3->handshake_buffer = BIO_new(BIO_s_mem());
568 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
569 }
570
571 void ssl3_free_digest_list(SSL *s)
572 {
573 int i;
574 if (!s->s3->handshake_dgst)
575 return;
576 for (i = 0; i < SSL_MAX_DIGEST; i++) {
577 if (s->s3->handshake_dgst[i])
578 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
579 }
580 OPENSSL_free(s->s3->handshake_dgst);
581 s->s3->handshake_dgst = NULL;
582 }
583
584 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
585 {
586 if (s->s3->handshake_buffer
587 && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
588 BIO_write(s->s3->handshake_buffer, (void *)buf, len);
589 } else {
590 int i;
591 for (i = 0; i < SSL_MAX_DIGEST; i++) {
592 if (s->s3->handshake_dgst[i] != NULL)
593 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
594 }
595 }
596 }
597
598 int ssl3_digest_cached_records(SSL *s)
599 {
600 int i;
601 long mask;
602 const EVP_MD *md;
603 long hdatalen;
604 void *hdata;
605
606 /* Allocate handshake_dgst array */
607 ssl3_free_digest_list(s);
608 s->s3->handshake_dgst =
609 OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
610 memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
611 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
612 if (hdatalen <= 0) {
613 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
614 return 0;
615 }
616
617 /* Loop through bitso of algorithm2 field and create MD_CTX-es */
618 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
619 if ((mask & ssl_get_algorithm2(s)) && md) {
620 s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
621 #ifdef OPENSSL_FIPS
622 if (EVP_MD_nid(md) == NID_md5) {
623 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
624 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
625 }
626 #endif
627 EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL);
628 EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen);
629 } else {
630 s->s3->handshake_dgst[i] = NULL;
631 }
632 }
633 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
634 /* Free handshake_buffer BIO */
635 BIO_free(s->s3->handshake_buffer);
636 s->s3->handshake_buffer = NULL;
637 }
638
639 return 1;
640 }
641
642 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
643 {
644 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
645 }
646
647 int ssl3_final_finish_mac(SSL *s,
648 const char *sender, int len, unsigned char *p)
649 {
650 int ret, sha1len;
651 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
652 if (ret == 0)
653 return 0;
654
655 p += ret;
656
657 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
658 if (sha1len == 0)
659 return 0;
660
661 ret += sha1len;
662 return (ret);
663 }
664
665 static int ssl3_handshake_mac(SSL *s, int md_nid,
666 const char *sender, int len, unsigned char *p)
667 {
668 unsigned int ret;
669 int npad, n;
670 unsigned int i;
671 unsigned char md_buf[EVP_MAX_MD_SIZE];
672 EVP_MD_CTX ctx, *d = NULL;
673
674 if (s->s3->handshake_buffer)
675 if (!ssl3_digest_cached_records(s))
676 return 0;
677
678 /*
679 * Search for digest of specified type in the handshake_dgst array
680 */
681 for (i = 0; i < SSL_MAX_DIGEST; i++) {
682 if (s->s3->handshake_dgst[i]
683 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
684 d = s->s3->handshake_dgst[i];
685 break;
686 }
687 }
688 if (!d) {
689 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
690 return 0;
691 }
692 EVP_MD_CTX_init(&ctx);
693 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
694 EVP_MD_CTX_copy_ex(&ctx, d);
695 n = EVP_MD_CTX_size(&ctx);
696 if (n < 0)
697 return 0;
698
699 npad = (48 / n) * n;
700 if ((sender != NULL && EVP_DigestUpdate(&ctx, sender, len) <= 0)
701 || EVP_DigestUpdate(&ctx, s->session->master_key,
702 s->session->master_key_length) <= 0
703 || EVP_DigestUpdate(&ctx, ssl3_pad_1, npad) <= 0
704 || EVP_DigestFinal_ex(&ctx, md_buf, &i) <= 0
705
706 || EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL) <= 0
707 || EVP_DigestUpdate(&ctx, s->session->master_key,
708 s->session->master_key_length) <= 0
709 || EVP_DigestUpdate(&ctx, ssl3_pad_2, npad) <= 0
710 || EVP_DigestUpdate(&ctx, md_buf, i) <= 0
711 || EVP_DigestFinal_ex(&ctx, p, &ret) <= 0) {
712 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, ERR_R_INTERNAL_ERROR);
713 ret = 0;
714 }
715
716 EVP_MD_CTX_cleanup(&ctx);
717
718 return ((int)ret);
719 }
720
721 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
722 {
723 SSL3_RECORD *rec;
724 unsigned char *mac_sec, *seq;
725 EVP_MD_CTX md_ctx;
726 const EVP_MD_CTX *hash;
727 unsigned char *p, rec_char;
728 size_t md_size, orig_len;
729 int npad;
730 int t;
731
732 if (send) {
733 rec = &(ssl->s3->wrec);
734 mac_sec = &(ssl->s3->write_mac_secret[0]);
735 seq = &(ssl->s3->write_sequence[0]);
736 hash = ssl->write_hash;
737 } else {
738 rec = &(ssl->s3->rrec);
739 mac_sec = &(ssl->s3->read_mac_secret[0]);
740 seq = &(ssl->s3->read_sequence[0]);
741 hash = ssl->read_hash;
742 }
743
744 t = EVP_MD_CTX_size(hash);
745 if (t < 0)
746 return -1;
747 md_size = t;
748 npad = (48 / md_size) * md_size;
749
750 /*
751 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
752 */
753 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
754 rec->type &= 0xff;
755
756 if (!send &&
757 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
758 ssl3_cbc_record_digest_supported(hash)) {
759 /*
760 * This is a CBC-encrypted record. We must avoid leaking any
761 * timing-side channel information about how many blocks of data we
762 * are hashing because that gives an attacker a timing-oracle.
763 */
764
765 /*-
766 * npad is, at most, 48 bytes and that's with MD5:
767 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
768 *
769 * With SHA-1 (the largest hash speced for SSLv3) the hash size
770 * goes up 4, but npad goes down by 8, resulting in a smaller
771 * total size.
772 */
773 unsigned char header[75];
774 unsigned j = 0;
775 memcpy(header + j, mac_sec, md_size);
776 j += md_size;
777 memcpy(header + j, ssl3_pad_1, npad);
778 j += npad;
779 memcpy(header + j, seq, 8);
780 j += 8;
781 header[j++] = rec->type;
782 header[j++] = rec->length >> 8;
783 header[j++] = rec->length & 0xff;
784
785 /* Final param == is SSLv3 */
786 if (ssl3_cbc_digest_record(hash,
787 md, &md_size,
788 header, rec->input,
789 rec->length + md_size, orig_len,
790 mac_sec, md_size, 1) <= 0)
791 return -1;
792 } else {
793 unsigned int md_size_u;
794 /* Chop the digest off the end :-) */
795 EVP_MD_CTX_init(&md_ctx);
796
797 rec_char = rec->type;
798 p = md;
799 s2n(rec->length, p);
800 if (EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
801 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
802 || EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad) <= 0
803 || EVP_DigestUpdate(&md_ctx, seq, 8) <= 0
804 || EVP_DigestUpdate(&md_ctx, &rec_char, 1) <= 0
805 || EVP_DigestUpdate(&md_ctx, md, 2) <= 0
806 || EVP_DigestUpdate(&md_ctx, rec->input, rec->length) <= 0
807 || EVP_DigestFinal_ex(&md_ctx, md, NULL) <= 0
808 || EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
809 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
810 || EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad) <= 0
811 || EVP_DigestUpdate(&md_ctx, md, md_size) <= 0
812 || EVP_DigestFinal_ex(&md_ctx, md, &md_size_u) <= 0) {
813 EVP_MD_CTX_cleanup(&md_ctx);
814 return -1;
815 }
816 md_size = md_size_u;
817
818 EVP_MD_CTX_cleanup(&md_ctx);
819 }
820
821 ssl3_record_sequence_update(seq);
822 return (md_size);
823 }
824
825 void ssl3_record_sequence_update(unsigned char *seq)
826 {
827 int i;
828
829 for (i = 7; i >= 0; i--) {
830 ++seq[i];
831 if (seq[i] != 0)
832 break;
833 }
834 }
835
836 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
837 int len)
838 {
839 static const unsigned char *salt[3] = {
840 #ifndef CHARSET_EBCDIC
841 (const unsigned char *)"A",
842 (const unsigned char *)"BB",
843 (const unsigned char *)"CCC",
844 #else
845 (const unsigned char *)"\x41",
846 (const unsigned char *)"\x42\x42",
847 (const unsigned char *)"\x43\x43\x43",
848 #endif
849 };
850 unsigned char buf[EVP_MAX_MD_SIZE];
851 EVP_MD_CTX ctx;
852 int i, ret = 0;
853 unsigned int n;
854 #ifdef OPENSSL_SSL_TRACE_CRYPTO
855 unsigned char *tmpout = out;
856 #endif
857
858 EVP_MD_CTX_init(&ctx);
859 for (i = 0; i < 3; i++) {
860 if (EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL) <= 0
861 || EVP_DigestUpdate(&ctx, salt[i],
862 strlen((const char *)salt[i])) <= 0
863 || EVP_DigestUpdate(&ctx, p, len) <= 0
864 || EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]),
865 SSL3_RANDOM_SIZE) <= 0
866 || EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]),
867 SSL3_RANDOM_SIZE) <= 0
868 || EVP_DigestFinal_ex(&ctx, buf, &n) <= 0
869
870 || EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL) <= 0
871 || EVP_DigestUpdate(&ctx, p, len) <= 0
872 || EVP_DigestUpdate(&ctx, buf, n) <= 0
873 || EVP_DigestFinal_ex(&ctx, out, &n) <= 0) {
874 SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
875 ret = 0;
876 break;
877 }
878 out += n;
879 ret += n;
880 }
881 EVP_MD_CTX_cleanup(&ctx);
882
883 #ifdef OPENSSL_SSL_TRACE_CRYPTO
884 if (ret > 0 && s->msg_callback) {
885 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
886 p, len, s, s->msg_callback_arg);
887 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
888 s->s3->client_random, SSL3_RANDOM_SIZE,
889 s, s->msg_callback_arg);
890 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
891 s->s3->server_random, SSL3_RANDOM_SIZE,
892 s, s->msg_callback_arg);
893 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
894 tmpout, SSL3_MASTER_SECRET_SIZE,
895 s, s->msg_callback_arg);
896 }
897 #endif
898 OPENSSL_cleanse(buf, sizeof buf);
899 return (ret);
900 }
901
902 int ssl3_alert_code(int code)
903 {
904 switch (code) {
905 case SSL_AD_CLOSE_NOTIFY:
906 return (SSL3_AD_CLOSE_NOTIFY);
907 case SSL_AD_UNEXPECTED_MESSAGE:
908 return (SSL3_AD_UNEXPECTED_MESSAGE);
909 case SSL_AD_BAD_RECORD_MAC:
910 return (SSL3_AD_BAD_RECORD_MAC);
911 case SSL_AD_DECRYPTION_FAILED:
912 return (SSL3_AD_BAD_RECORD_MAC);
913 case SSL_AD_RECORD_OVERFLOW:
914 return (SSL3_AD_BAD_RECORD_MAC);
915 case SSL_AD_DECOMPRESSION_FAILURE:
916 return (SSL3_AD_DECOMPRESSION_FAILURE);
917 case SSL_AD_HANDSHAKE_FAILURE:
918 return (SSL3_AD_HANDSHAKE_FAILURE);
919 case SSL_AD_NO_CERTIFICATE:
920 return (SSL3_AD_NO_CERTIFICATE);
921 case SSL_AD_BAD_CERTIFICATE:
922 return (SSL3_AD_BAD_CERTIFICATE);
923 case SSL_AD_UNSUPPORTED_CERTIFICATE:
924 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
925 case SSL_AD_CERTIFICATE_REVOKED:
926 return (SSL3_AD_CERTIFICATE_REVOKED);
927 case SSL_AD_CERTIFICATE_EXPIRED:
928 return (SSL3_AD_CERTIFICATE_EXPIRED);
929 case SSL_AD_CERTIFICATE_UNKNOWN:
930 return (SSL3_AD_CERTIFICATE_UNKNOWN);
931 case SSL_AD_ILLEGAL_PARAMETER:
932 return (SSL3_AD_ILLEGAL_PARAMETER);
933 case SSL_AD_UNKNOWN_CA:
934 return (SSL3_AD_BAD_CERTIFICATE);
935 case SSL_AD_ACCESS_DENIED:
936 return (SSL3_AD_HANDSHAKE_FAILURE);
937 case SSL_AD_DECODE_ERROR:
938 return (SSL3_AD_HANDSHAKE_FAILURE);
939 case SSL_AD_DECRYPT_ERROR:
940 return (SSL3_AD_HANDSHAKE_FAILURE);
941 case SSL_AD_EXPORT_RESTRICTION:
942 return (SSL3_AD_HANDSHAKE_FAILURE);
943 case SSL_AD_PROTOCOL_VERSION:
944 return (SSL3_AD_HANDSHAKE_FAILURE);
945 case SSL_AD_INSUFFICIENT_SECURITY:
946 return (SSL3_AD_HANDSHAKE_FAILURE);
947 case SSL_AD_INTERNAL_ERROR:
948 return (SSL3_AD_HANDSHAKE_FAILURE);
949 case SSL_AD_USER_CANCELLED:
950 return (SSL3_AD_HANDSHAKE_FAILURE);
951 case SSL_AD_NO_RENEGOTIATION:
952 return (-1); /* Don't send it :-) */
953 case SSL_AD_UNSUPPORTED_EXTENSION:
954 return (SSL3_AD_HANDSHAKE_FAILURE);
955 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
956 return (SSL3_AD_HANDSHAKE_FAILURE);
957 case SSL_AD_UNRECOGNIZED_NAME:
958 return (SSL3_AD_HANDSHAKE_FAILURE);
959 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
960 return (SSL3_AD_HANDSHAKE_FAILURE);
961 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
962 return (SSL3_AD_HANDSHAKE_FAILURE);
963 case SSL_AD_UNKNOWN_PSK_IDENTITY:
964 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
965 case SSL_AD_INAPPROPRIATE_FALLBACK:
966 return (TLS1_AD_INAPPROPRIATE_FALLBACK);
967 default:
968 return (-1);
969 }
970 }
Tomato firmware and modifications.