1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2005 Nokia. All rights reserved.
112 *
113 * The portions of the attached software ("Contribution") is developed by
114 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
115 * license.
116 *
117 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
118 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
119 * support (see RFC 4279) to OpenSSL.
120 *
121 * No patent licenses or other rights except those expressly stated in
122 * the OpenSSL open source license shall be deemed granted or received
123 * expressly, by implication, estoppel, or otherwise.
124 *
125 * No assurances are provided by Nokia that the Contribution does not
126 * infringe the patent or other intellectual property rights of any third
127 * party or that the license provides you with all the necessary rights
128 * to make use of the Contribution.
129 *
130 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
131 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
132 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
133 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
134 * OTHERWISE. */
135
136 #include <openssl/ssl.h>
137
138 #include <assert.h>
139 #include <stdio.h>
140 #include <string.h>
141
142 #include <openssl/err.h>
143 #include <openssl/evp.h>
144 #include <openssl/mem.h>
145 #include <openssl/md5.h>
146 #include <openssl/obj.h>
147
148 #include "internal.h"
149
150
151 static const uint8_t ssl3_pad_1[48] = {
152 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
153 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
154 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
155 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
156 };
157
158 static const uint8_t ssl3_pad_2[48] = {
159 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
160 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
161 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
162 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
163 };
164
165 static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender, int len,
166 uint8_t *p);
167
ssl3_prf(SSL * ssl,uint8_t * out,size_t out_len,const uint8_t * secret,size_t secret_len,const char * label,size_t label_len,const uint8_t * seed1,size_t seed1_len,const uint8_t * seed2,size_t seed2_len)168 int ssl3_prf(SSL *ssl, uint8_t *out, size_t out_len, const uint8_t *secret,
169 size_t secret_len, const char *label, size_t label_len,
170 const uint8_t *seed1, size_t seed1_len,
171 const uint8_t *seed2, size_t seed2_len) {
172 EVP_MD_CTX md5;
173 EVP_MD_CTX sha1;
174 uint8_t buf[16], smd[SHA_DIGEST_LENGTH];
175 uint8_t c = 'A';
176 size_t i, j, k;
177
178 k = 0;
179 EVP_MD_CTX_init(&md5);
180 EVP_MD_CTX_init(&sha1);
181 for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) {
182 k++;
183 if (k > sizeof(buf)) {
184 /* bug: 'buf' is too small for this ciphersuite */
185 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
186 return 0;
187 }
188
189 for (j = 0; j < k; j++) {
190 buf[j] = c;
191 }
192 c++;
193 if (!EVP_DigestInit_ex(&sha1, EVP_sha1(), NULL)) {
194 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
195 return 0;
196 }
197 EVP_DigestUpdate(&sha1, buf, k);
198 EVP_DigestUpdate(&sha1, secret, secret_len);
199 /* |label| is ignored for SSLv3. */
200 if (seed1_len) {
201 EVP_DigestUpdate(&sha1, seed1, seed1_len);
202 }
203 if (seed2_len) {
204 EVP_DigestUpdate(&sha1, seed2, seed2_len);
205 }
206 EVP_DigestFinal_ex(&sha1, smd, NULL);
207
208 if (!EVP_DigestInit_ex(&md5, EVP_md5(), NULL)) {
209 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
210 return 0;
211 }
212 EVP_DigestUpdate(&md5, secret, secret_len);
213 EVP_DigestUpdate(&md5, smd, SHA_DIGEST_LENGTH);
214 if (i + MD5_DIGEST_LENGTH > out_len) {
215 EVP_DigestFinal_ex(&md5, smd, NULL);
216 memcpy(out, smd, out_len - i);
217 } else {
218 EVP_DigestFinal_ex(&md5, out, NULL);
219 }
220
221 out += MD5_DIGEST_LENGTH;
222 }
223
224 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
225 EVP_MD_CTX_cleanup(&md5);
226 EVP_MD_CTX_cleanup(&sha1);
227
228 return 1;
229 }
230
ssl3_cleanup_key_block(SSL * ssl)231 void ssl3_cleanup_key_block(SSL *ssl) {
232 if (ssl->s3->tmp.key_block != NULL) {
233 OPENSSL_cleanse(ssl->s3->tmp.key_block, ssl->s3->tmp.key_block_length);
234 OPENSSL_free(ssl->s3->tmp.key_block);
235 ssl->s3->tmp.key_block = NULL;
236 }
237 ssl->s3->tmp.key_block_length = 0;
238 }
239
ssl3_init_handshake_buffer(SSL * ssl)240 int ssl3_init_handshake_buffer(SSL *ssl) {
241 ssl3_free_handshake_buffer(ssl);
242 ssl3_free_handshake_hash(ssl);
243 ssl->s3->handshake_buffer = BUF_MEM_new();
244 return ssl->s3->handshake_buffer != NULL;
245 }
246
247 /* init_digest_with_data calls |EVP_DigestInit_ex| on |ctx| with |md| and then
248 * writes the data in |buf| to it. */
init_digest_with_data(EVP_MD_CTX * ctx,const EVP_MD * md,const BUF_MEM * buf)249 static int init_digest_with_data(EVP_MD_CTX *ctx, const EVP_MD *md,
250 const BUF_MEM *buf) {
251 if (!EVP_DigestInit_ex(ctx, md, NULL)) {
252 return 0;
253 }
254 EVP_DigestUpdate(ctx, buf->data, buf->length);
255 return 1;
256 }
257
ssl3_init_handshake_hash(SSL * ssl)258 int ssl3_init_handshake_hash(SSL *ssl) {
259 ssl3_free_handshake_hash(ssl);
260
261 uint32_t algorithm_prf = ssl_get_algorithm_prf(ssl);
262 if (!init_digest_with_data(&ssl->s3->handshake_hash,
263 ssl_get_handshake_digest(algorithm_prf),
264 ssl->s3->handshake_buffer)) {
265 return 0;
266 }
267
268 if (algorithm_prf == SSL_HANDSHAKE_MAC_DEFAULT &&
269 !init_digest_with_data(&ssl->s3->handshake_md5, EVP_md5(),
270 ssl->s3->handshake_buffer)) {
271 return 0;
272 }
273
274 return 1;
275 }
276
ssl3_free_handshake_hash(SSL * ssl)277 void ssl3_free_handshake_hash(SSL *ssl) {
278 EVP_MD_CTX_cleanup(&ssl->s3->handshake_hash);
279 EVP_MD_CTX_cleanup(&ssl->s3->handshake_md5);
280 }
281
ssl3_free_handshake_buffer(SSL * ssl)282 void ssl3_free_handshake_buffer(SSL *ssl) {
283 BUF_MEM_free(ssl->s3->handshake_buffer);
284 ssl->s3->handshake_buffer = NULL;
285 }
286
ssl3_update_handshake_hash(SSL * ssl,const uint8_t * in,size_t in_len)287 int ssl3_update_handshake_hash(SSL *ssl, const uint8_t *in, size_t in_len) {
288 /* Depending on the state of the handshake, either the handshake buffer may be
289 * active, the rolling hash, or both. */
290
291 if (ssl->s3->handshake_buffer != NULL) {
292 size_t new_len = ssl->s3->handshake_buffer->length + in_len;
293 if (new_len < in_len) {
294 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
295 return 0;
296 }
297 if (!BUF_MEM_grow(ssl->s3->handshake_buffer, new_len)) {
298 return 0;
299 }
300 memcpy(ssl->s3->handshake_buffer->data + new_len - in_len, in, in_len);
301 }
302
303 if (EVP_MD_CTX_md(&ssl->s3->handshake_hash) != NULL) {
304 EVP_DigestUpdate(&ssl->s3->handshake_hash, in, in_len);
305 }
306 if (EVP_MD_CTX_md(&ssl->s3->handshake_md5) != NULL) {
307 EVP_DigestUpdate(&ssl->s3->handshake_md5, in, in_len);
308 }
309 return 1;
310 }
311
ssl3_cert_verify_mac(SSL * ssl,int md_nid,uint8_t * p)312 int ssl3_cert_verify_mac(SSL *ssl, int md_nid, uint8_t *p) {
313 return ssl3_handshake_mac(ssl, md_nid, NULL, 0, p);
314 }
315
ssl3_final_finish_mac(SSL * ssl,const char * sender,int len,uint8_t * p)316 int ssl3_final_finish_mac(SSL *ssl, const char *sender, int len, uint8_t *p) {
317 int ret, sha1len;
318 ret = ssl3_handshake_mac(ssl, NID_md5, sender, len, p);
319 if (ret == 0) {
320 return 0;
321 }
322
323 p += ret;
324
325 sha1len = ssl3_handshake_mac(ssl, NID_sha1, sender, len, p);
326 if (sha1len == 0) {
327 return 0;
328 }
329
330 ret += sha1len;
331 return ret;
332 }
333
ssl3_handshake_mac(SSL * ssl,int md_nid,const char * sender,int len,uint8_t * p)334 static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender, int len,
335 uint8_t *p) {
336 unsigned int ret;
337 size_t npad, n;
338 unsigned int i;
339 uint8_t md_buf[EVP_MAX_MD_SIZE];
340 EVP_MD_CTX ctx;
341 const EVP_MD_CTX *ctx_template;
342
343 if (md_nid == NID_md5) {
344 ctx_template = &ssl->s3->handshake_md5;
345 } else if (md_nid == EVP_MD_CTX_type(&ssl->s3->handshake_hash)) {
346 ctx_template = &ssl->s3->handshake_hash;
347 } else {
348 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_REQUIRED_DIGEST);
349 return 0;
350 }
351
352 EVP_MD_CTX_init(&ctx);
353 if (!EVP_MD_CTX_copy_ex(&ctx, ctx_template)) {
354 EVP_MD_CTX_cleanup(&ctx);
355 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
356 return 0;
357 }
358
359 n = EVP_MD_CTX_size(&ctx);
360
361 npad = (48 / n) * n;
362 if (sender != NULL) {
363 EVP_DigestUpdate(&ctx, sender, len);
364 }
365 EVP_DigestUpdate(&ctx, ssl->session->master_key,
366 ssl->session->master_key_length);
367 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
368 EVP_DigestFinal_ex(&ctx, md_buf, &i);
369
370 if (!EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL)) {
371 EVP_MD_CTX_cleanup(&ctx);
372 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
373 return 0;
374 }
375 EVP_DigestUpdate(&ctx, ssl->session->master_key,
376 ssl->session->master_key_length);
377 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
378 EVP_DigestUpdate(&ctx, md_buf, i);
379 EVP_DigestFinal_ex(&ctx, p, &ret);
380
381 EVP_MD_CTX_cleanup(&ctx);
382
383 return ret;
384 }
385
ssl3_record_sequence_update(uint8_t * seq,size_t seq_len)386 int ssl3_record_sequence_update(uint8_t *seq, size_t seq_len) {
387 size_t i;
388 for (i = seq_len - 1; i < seq_len; i--) {
389 ++seq[i];
390 if (seq[i] != 0) {
391 return 1;
392 }
393 }
394 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
395 return 0;
396 }
397
ssl3_alert_code(int code)398 int ssl3_alert_code(int code) {
399 switch (code) {
400 case SSL_AD_CLOSE_NOTIFY:
401 return SSL3_AD_CLOSE_NOTIFY;
402
403 case SSL_AD_UNEXPECTED_MESSAGE:
404 return SSL3_AD_UNEXPECTED_MESSAGE;
405
406 case SSL_AD_BAD_RECORD_MAC:
407 return SSL3_AD_BAD_RECORD_MAC;
408
409 case SSL_AD_DECRYPTION_FAILED:
410 return SSL3_AD_BAD_RECORD_MAC;
411
412 case SSL_AD_RECORD_OVERFLOW:
413 return SSL3_AD_BAD_RECORD_MAC;
414
415 case SSL_AD_DECOMPRESSION_FAILURE:
416 return SSL3_AD_DECOMPRESSION_FAILURE;
417
418 case SSL_AD_HANDSHAKE_FAILURE:
419 return SSL3_AD_HANDSHAKE_FAILURE;
420
421 case SSL_AD_NO_CERTIFICATE:
422 return SSL3_AD_NO_CERTIFICATE;
423
424 case SSL_AD_BAD_CERTIFICATE:
425 return SSL3_AD_BAD_CERTIFICATE;
426
427 case SSL_AD_UNSUPPORTED_CERTIFICATE:
428 return SSL3_AD_UNSUPPORTED_CERTIFICATE;
429
430 case SSL_AD_CERTIFICATE_REVOKED:
431 return SSL3_AD_CERTIFICATE_REVOKED;
432
433 case SSL_AD_CERTIFICATE_EXPIRED:
434 return SSL3_AD_CERTIFICATE_EXPIRED;
435
436 case SSL_AD_CERTIFICATE_UNKNOWN:
437 return SSL3_AD_CERTIFICATE_UNKNOWN;
438
439 case SSL_AD_ILLEGAL_PARAMETER:
440 return SSL3_AD_ILLEGAL_PARAMETER;
441
442 case SSL_AD_UNKNOWN_CA:
443 return SSL3_AD_BAD_CERTIFICATE;
444
445 case SSL_AD_ACCESS_DENIED:
446 return SSL3_AD_HANDSHAKE_FAILURE;
447
448 case SSL_AD_DECODE_ERROR:
449 return SSL3_AD_HANDSHAKE_FAILURE;
450
451 case SSL_AD_DECRYPT_ERROR:
452 return SSL3_AD_HANDSHAKE_FAILURE;
453
454 case SSL_AD_EXPORT_RESTRICTION:
455 return SSL3_AD_HANDSHAKE_FAILURE;
456
457 case SSL_AD_PROTOCOL_VERSION:
458 return SSL3_AD_HANDSHAKE_FAILURE;
459
460 case SSL_AD_INSUFFICIENT_SECURITY:
461 return SSL3_AD_HANDSHAKE_FAILURE;
462
463 case SSL_AD_INTERNAL_ERROR:
464 return SSL3_AD_HANDSHAKE_FAILURE;
465
466 case SSL_AD_USER_CANCELLED:
467 return SSL3_AD_HANDSHAKE_FAILURE;
468
469 case SSL_AD_NO_RENEGOTIATION:
470 return -1; /* Don't send it. */
471
472 case SSL_AD_UNSUPPORTED_EXTENSION:
473 return SSL3_AD_HANDSHAKE_FAILURE;
474
475 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
476 return SSL3_AD_HANDSHAKE_FAILURE;
477
478 case SSL_AD_UNRECOGNIZED_NAME:
479 return SSL3_AD_HANDSHAKE_FAILURE;
480
481 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
482 return SSL3_AD_HANDSHAKE_FAILURE;
483
484 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
485 return SSL3_AD_HANDSHAKE_FAILURE;
486
487 case SSL_AD_UNKNOWN_PSK_IDENTITY:
488 return TLS1_AD_UNKNOWN_PSK_IDENTITY;
489
490 case SSL_AD_INAPPROPRIATE_FALLBACK:
491 return SSL3_AD_INAPPROPRIATE_FALLBACK;
492
493 default:
494 return -1;
495 }
496 }
497