1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2005 Nokia. All rights reserved.
112 *
113 * The portions of the attached software ("Contribution") is developed by
114 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
115 * license.
116 *
117 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
118 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
119 * support (see RFC 4279) to OpenSSL.
120 *
121 * No patent licenses or other rights except those expressly stated in
122 * the OpenSSL open source license shall be deemed granted or received
123 * expressly, by implication, estoppel, or otherwise.
124 *
125 * No assurances are provided by Nokia that the Contribution does not
126 * infringe the patent or other intellectual property rights of any third
127 * party or that the license provides you with all the necessary rights
128 * to make use of the Contribution.
129 *
130 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
131 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
132 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
133 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
134 * OTHERWISE. */
135
136 #include <openssl/ssl.h>
137
138 #include <assert.h>
139 #include <string.h>
140
141 #include <openssl/buf.h>
142 #include <openssl/digest.h>
143 #include <openssl/err.h>
144 #include <openssl/mem.h>
145 #include <openssl/md5.h>
146 #include <openssl/nid.h>
147 #include <openssl/sha.h>
148
149 #include "../crypto/internal.h"
150 #include "internal.h"
151
152
153 namespace bssl {
154
SSLTranscript()155 SSLTranscript::SSLTranscript() {}
156
~SSLTranscript()157 SSLTranscript::~SSLTranscript() {}
158
Init()159 bool SSLTranscript::Init() {
160 buffer_.reset(BUF_MEM_new());
161 if (!buffer_) {
162 return false;
163 }
164
165 hash_.Reset();
166 md5_.Reset();
167 return true;
168 }
169
170 // InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then
171 // writes the data in |buf| to it.
InitDigestWithData(EVP_MD_CTX * ctx,const EVP_MD * md,const BUF_MEM * buf)172 static bool InitDigestWithData(EVP_MD_CTX *ctx, const EVP_MD *md,
173 const BUF_MEM *buf) {
174 if (!EVP_DigestInit_ex(ctx, md, NULL)) {
175 return false;
176 }
177 EVP_DigestUpdate(ctx, buf->data, buf->length);
178 return true;
179 }
180
InitHash(uint16_t version,const SSL_CIPHER * cipher)181 bool SSLTranscript::InitHash(uint16_t version, const SSL_CIPHER *cipher) {
182 const EVP_MD *md = ssl_get_handshake_digest(version, cipher);
183
184 // To support SSL 3.0's Finished and CertificateVerify constructions,
185 // EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed,
186 // we can simplify this.
187 if (md == EVP_md5_sha1()) {
188 if (!InitDigestWithData(md5_.get(), EVP_md5(), buffer_.get())) {
189 return false;
190 }
191 md = EVP_sha1();
192 }
193
194 return InitDigestWithData(hash_.get(), md, buffer_.get());
195 }
196
FreeBuffer()197 void SSLTranscript::FreeBuffer() {
198 buffer_.reset();
199 }
200
DigestLen() const201 size_t SSLTranscript::DigestLen() const {
202 return EVP_MD_size(Digest());
203 }
204
Digest() const205 const EVP_MD *SSLTranscript::Digest() const {
206 if (EVP_MD_CTX_md(md5_.get()) != nullptr) {
207 return EVP_md5_sha1();
208 }
209 return EVP_MD_CTX_md(hash_.get());
210 }
211
UpdateForHelloRetryRequest()212 bool SSLTranscript::UpdateForHelloRetryRequest() {
213 if (buffer_) {
214 buffer_->length = 0;
215 }
216
217 uint8_t old_hash[EVP_MAX_MD_SIZE];
218 size_t hash_len;
219 if (!GetHash(old_hash, &hash_len)) {
220 return false;
221 }
222 const uint8_t header[4] = {SSL3_MT_MESSAGE_HASH, 0, 0,
223 static_cast<uint8_t>(hash_len)};
224 if (!EVP_DigestInit_ex(hash_.get(), Digest(), nullptr) ||
225 !Update(header) ||
226 !Update(MakeConstSpan(old_hash, hash_len))) {
227 return false;
228 }
229 return true;
230 }
231
CopyHashContext(EVP_MD_CTX * ctx)232 bool SSLTranscript::CopyHashContext(EVP_MD_CTX *ctx) {
233 return EVP_MD_CTX_copy_ex(ctx, hash_.get());
234 }
235
Update(Span<const uint8_t> in)236 bool SSLTranscript::Update(Span<const uint8_t> in) {
237 // Depending on the state of the handshake, either the handshake buffer may be
238 // active, the rolling hash, or both.
239 if (buffer_ &&
240 !BUF_MEM_append(buffer_.get(), in.data(), in.size())) {
241 return false;
242 }
243
244 if (EVP_MD_CTX_md(hash_.get()) != NULL) {
245 EVP_DigestUpdate(hash_.get(), in.data(), in.size());
246 }
247 if (EVP_MD_CTX_md(md5_.get()) != NULL) {
248 EVP_DigestUpdate(md5_.get(), in.data(), in.size());
249 }
250
251 return true;
252 }
253
GetHash(uint8_t * out,size_t * out_len)254 bool SSLTranscript::GetHash(uint8_t *out, size_t *out_len) {
255 ScopedEVP_MD_CTX ctx;
256 unsigned md5_len = 0;
257 if (EVP_MD_CTX_md(md5_.get()) != NULL) {
258 if (!EVP_MD_CTX_copy_ex(ctx.get(), md5_.get()) ||
259 !EVP_DigestFinal_ex(ctx.get(), out, &md5_len)) {
260 return false;
261 }
262 }
263
264 unsigned len;
265 if (!EVP_MD_CTX_copy_ex(ctx.get(), hash_.get()) ||
266 !EVP_DigestFinal_ex(ctx.get(), out + md5_len, &len)) {
267 return false;
268 }
269
270 *out_len = md5_len + len;
271 return true;
272 }
273
SSL3HandshakeMAC(const SSL_SESSION * session,const EVP_MD_CTX * ctx_template,const char * sender,size_t sender_len,uint8_t * p,size_t * out_len)274 static bool SSL3HandshakeMAC(const SSL_SESSION *session,
275 const EVP_MD_CTX *ctx_template, const char *sender,
276 size_t sender_len, uint8_t *p, size_t *out_len) {
277 ScopedEVP_MD_CTX ctx;
278 if (!EVP_MD_CTX_copy_ex(ctx.get(), ctx_template)) {
279 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
280 return false;
281 }
282
283 static const uint8_t kPad1[48] = {
284 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
285 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
286 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
287 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
288 };
289
290 static const uint8_t kPad2[48] = {
291 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
292 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
293 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
294 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
295 };
296
297 size_t n = EVP_MD_CTX_size(ctx.get());
298
299 size_t npad = (48 / n) * n;
300 EVP_DigestUpdate(ctx.get(), sender, sender_len);
301 EVP_DigestUpdate(ctx.get(), session->master_key, session->master_key_length);
302 EVP_DigestUpdate(ctx.get(), kPad1, npad);
303 unsigned md_buf_len;
304 uint8_t md_buf[EVP_MAX_MD_SIZE];
305 EVP_DigestFinal_ex(ctx.get(), md_buf, &md_buf_len);
306
307 if (!EVP_DigestInit_ex(ctx.get(), EVP_MD_CTX_md(ctx.get()), NULL)) {
308 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
309 return false;
310 }
311 EVP_DigestUpdate(ctx.get(), session->master_key, session->master_key_length);
312 EVP_DigestUpdate(ctx.get(), kPad2, npad);
313 EVP_DigestUpdate(ctx.get(), md_buf, md_buf_len);
314 unsigned len;
315 EVP_DigestFinal_ex(ctx.get(), p, &len);
316
317 *out_len = len;
318 return true;
319 }
320
GetSSL3CertVerifyHash(uint8_t * out,size_t * out_len,const SSL_SESSION * session,uint16_t signature_algorithm)321 bool SSLTranscript::GetSSL3CertVerifyHash(uint8_t *out, size_t *out_len,
322 const SSL_SESSION *session,
323 uint16_t signature_algorithm) {
324 if (Digest() != EVP_md5_sha1()) {
325 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
326 return false;
327 }
328
329 if (signature_algorithm == SSL_SIGN_RSA_PKCS1_MD5_SHA1) {
330 size_t md5_len, len;
331 if (!SSL3HandshakeMAC(session, md5_.get(), NULL, 0, out, &md5_len) ||
332 !SSL3HandshakeMAC(session, hash_.get(), NULL, 0, out + md5_len, &len)) {
333 return false;
334 }
335 *out_len = md5_len + len;
336 return true;
337 }
338
339 if (signature_algorithm == SSL_SIGN_ECDSA_SHA1) {
340 return SSL3HandshakeMAC(session, hash_.get(), NULL, 0, out, out_len);
341 }
342
343 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
344 return false;
345 }
346
GetFinishedMAC(uint8_t * out,size_t * out_len,const SSL_SESSION * session,bool from_server)347 bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
348 const SSL_SESSION *session,
349 bool from_server) {
350 if (session->ssl_version == SSL3_VERSION) {
351 if (Digest() != EVP_md5_sha1()) {
352 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
353 return false;
354 }
355
356 const char *sender = from_server ? SSL3_MD_SERVER_FINISHED_CONST
357 : SSL3_MD_CLIENT_FINISHED_CONST;
358 const size_t sender_len = 4;
359 size_t md5_len, len;
360 if (!SSL3HandshakeMAC(session, md5_.get(), sender, sender_len, out,
361 &md5_len) ||
362 !SSL3HandshakeMAC(session, hash_.get(), sender, sender_len,
363 out + md5_len, &len)) {
364 return false;
365 }
366
367 *out_len = md5_len + len;
368 return true;
369 }
370
371 // At this point, the handshake should have released the handshake buffer on
372 // its own.
373 assert(!buffer_);
374
375 static const char kClientLabel[] = "client finished";
376 static const char kServerLabel[] = "server finished";
377 auto label = from_server
378 ? MakeConstSpan(kServerLabel, sizeof(kServerLabel) - 1)
379 : MakeConstSpan(kClientLabel, sizeof(kClientLabel) - 1);
380
381 uint8_t digests[EVP_MAX_MD_SIZE];
382 size_t digests_len;
383 if (!GetHash(digests, &digests_len)) {
384 return false;
385 }
386
387 static const size_t kFinishedLen = 12;
388 if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen),
389 MakeConstSpan(session->master_key, session->master_key_length),
390 label, MakeConstSpan(digests, digests_len), {})) {
391 return false;
392 }
393
394 *out_len = kFinishedLen;
395 return true;
396 }
397
398 } // namespace bssl
399