1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2005 Nokia. All rights reserved.
112 *
113 * The portions of the attached software ("Contribution") is developed by
114 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
115 * license.
116 *
117 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
118 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
119 * support (see RFC 4279) to OpenSSL.
120 *
121 * No patent licenses or other rights except those expressly stated in
122 * the OpenSSL open source license shall be deemed granted or received
123 * expressly, by implication, estoppel, or otherwise.
124 *
125 * No assurances are provided by Nokia that the Contribution does not
126 * infringe the patent or other intellectual property rights of any third
127 * party or that the license provides you with all the necessary rights
128 * to make use of the Contribution.
129 *
130 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
131 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
132 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
133 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
134 * OTHERWISE. */
135
136 #include <openssl/ssl.h>
137
138 #include <assert.h>
139 #include <string.h>
140
141 #include <openssl/err.h>
142 #include <openssl/evp.h>
143 #include <openssl/mem.h>
144 #include <openssl/md5.h>
145 #include <openssl/nid.h>
146
147 #include "internal.h"
148
149
150 static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender,
151 size_t sender_len, uint8_t *p);
152
ssl3_prf(const SSL * ssl,uint8_t * out,size_t out_len,const uint8_t * secret,size_t secret_len,const char * label,size_t label_len,const uint8_t * seed1,size_t seed1_len,const uint8_t * seed2,size_t seed2_len)153 static int ssl3_prf(const SSL *ssl, uint8_t *out, size_t out_len,
154 const uint8_t *secret, size_t secret_len, const char *label,
155 size_t label_len, const uint8_t *seed1, size_t seed1_len,
156 const uint8_t *seed2, size_t seed2_len) {
157 EVP_MD_CTX md5;
158 EVP_MD_CTX sha1;
159 uint8_t buf[16], smd[SHA_DIGEST_LENGTH];
160 uint8_t c = 'A';
161 size_t i, j, k;
162
163 k = 0;
164 EVP_MD_CTX_init(&md5);
165 EVP_MD_CTX_init(&sha1);
166 for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) {
167 k++;
168 if (k > sizeof(buf)) {
169 /* bug: 'buf' is too small for this ciphersuite */
170 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
171 return 0;
172 }
173
174 for (j = 0; j < k; j++) {
175 buf[j] = c;
176 }
177 c++;
178 if (!EVP_DigestInit_ex(&sha1, EVP_sha1(), NULL)) {
179 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
180 return 0;
181 }
182 EVP_DigestUpdate(&sha1, buf, k);
183 EVP_DigestUpdate(&sha1, secret, secret_len);
184 /* |label| is ignored for SSLv3. */
185 if (seed1_len) {
186 EVP_DigestUpdate(&sha1, seed1, seed1_len);
187 }
188 if (seed2_len) {
189 EVP_DigestUpdate(&sha1, seed2, seed2_len);
190 }
191 EVP_DigestFinal_ex(&sha1, smd, NULL);
192
193 if (!EVP_DigestInit_ex(&md5, EVP_md5(), NULL)) {
194 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
195 return 0;
196 }
197 EVP_DigestUpdate(&md5, secret, secret_len);
198 EVP_DigestUpdate(&md5, smd, SHA_DIGEST_LENGTH);
199 if (i + MD5_DIGEST_LENGTH > out_len) {
200 EVP_DigestFinal_ex(&md5, smd, NULL);
201 memcpy(out, smd, out_len - i);
202 } else {
203 EVP_DigestFinal_ex(&md5, out, NULL);
204 }
205
206 out += MD5_DIGEST_LENGTH;
207 }
208
209 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
210 EVP_MD_CTX_cleanup(&md5);
211 EVP_MD_CTX_cleanup(&sha1);
212
213 return 1;
214 }
215
ssl3_cleanup_key_block(SSL * ssl)216 void ssl3_cleanup_key_block(SSL *ssl) {
217 if (ssl->s3->tmp.key_block != NULL) {
218 OPENSSL_cleanse(ssl->s3->tmp.key_block, ssl->s3->tmp.key_block_length);
219 OPENSSL_free(ssl->s3->tmp.key_block);
220 ssl->s3->tmp.key_block = NULL;
221 }
222 ssl->s3->tmp.key_block_length = 0;
223 }
224
ssl3_init_handshake_buffer(SSL * ssl)225 int ssl3_init_handshake_buffer(SSL *ssl) {
226 ssl3_free_handshake_buffer(ssl);
227 ssl3_free_handshake_hash(ssl);
228 ssl->s3->handshake_buffer = BUF_MEM_new();
229 return ssl->s3->handshake_buffer != NULL;
230 }
231
232 /* init_digest_with_data calls |EVP_DigestInit_ex| on |ctx| with |md| and then
233 * writes the data in |buf| to it. */
init_digest_with_data(EVP_MD_CTX * ctx,const EVP_MD * md,const BUF_MEM * buf)234 static int init_digest_with_data(EVP_MD_CTX *ctx, const EVP_MD *md,
235 const BUF_MEM *buf) {
236 if (!EVP_DigestInit_ex(ctx, md, NULL)) {
237 return 0;
238 }
239 EVP_DigestUpdate(ctx, buf->data, buf->length);
240 return 1;
241 }
242
ssl3_init_handshake_hash(SSL * ssl)243 int ssl3_init_handshake_hash(SSL *ssl) {
244 ssl3_free_handshake_hash(ssl);
245
246 uint32_t algorithm_prf = ssl_get_algorithm_prf(ssl);
247 if (!init_digest_with_data(&ssl->s3->handshake_hash,
248 ssl_get_handshake_digest(algorithm_prf),
249 ssl->s3->handshake_buffer)) {
250 return 0;
251 }
252
253 if (algorithm_prf == SSL_HANDSHAKE_MAC_DEFAULT &&
254 !init_digest_with_data(&ssl->s3->handshake_md5, EVP_md5(),
255 ssl->s3->handshake_buffer)) {
256 return 0;
257 }
258
259 return 1;
260 }
261
ssl3_free_handshake_hash(SSL * ssl)262 void ssl3_free_handshake_hash(SSL *ssl) {
263 EVP_MD_CTX_cleanup(&ssl->s3->handshake_hash);
264 EVP_MD_CTX_cleanup(&ssl->s3->handshake_md5);
265 }
266
ssl3_free_handshake_buffer(SSL * ssl)267 void ssl3_free_handshake_buffer(SSL *ssl) {
268 BUF_MEM_free(ssl->s3->handshake_buffer);
269 ssl->s3->handshake_buffer = NULL;
270 }
271
ssl3_update_handshake_hash(SSL * ssl,const uint8_t * in,size_t in_len)272 int ssl3_update_handshake_hash(SSL *ssl, const uint8_t *in, size_t in_len) {
273 /* Depending on the state of the handshake, either the handshake buffer may be
274 * active, the rolling hash, or both. */
275
276 if (ssl->s3->handshake_buffer != NULL) {
277 size_t new_len = ssl->s3->handshake_buffer->length + in_len;
278 if (new_len < in_len) {
279 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
280 return 0;
281 }
282 if (!BUF_MEM_grow(ssl->s3->handshake_buffer, new_len)) {
283 return 0;
284 }
285 memcpy(ssl->s3->handshake_buffer->data + new_len - in_len, in, in_len);
286 }
287
288 if (EVP_MD_CTX_md(&ssl->s3->handshake_hash) != NULL) {
289 EVP_DigestUpdate(&ssl->s3->handshake_hash, in, in_len);
290 }
291 if (EVP_MD_CTX_md(&ssl->s3->handshake_md5) != NULL) {
292 EVP_DigestUpdate(&ssl->s3->handshake_md5, in, in_len);
293 }
294 return 1;
295 }
296
ssl3_cert_verify_mac(SSL * ssl,int md_nid,uint8_t * p)297 static int ssl3_cert_verify_mac(SSL *ssl, int md_nid, uint8_t *p) {
298 return ssl3_handshake_mac(ssl, md_nid, NULL, 0, p);
299 }
300
ssl3_final_finish_mac(SSL * ssl,int from_server,uint8_t * out)301 static int ssl3_final_finish_mac(SSL *ssl, int from_server, uint8_t *out) {
302 const char *sender = from_server ? SSL3_MD_SERVER_FINISHED_CONST
303 : SSL3_MD_CLIENT_FINISHED_CONST;
304 const size_t sender_len = 4;
305 int ret, sha1len;
306 ret = ssl3_handshake_mac(ssl, NID_md5, sender, sender_len, out);
307 if (ret == 0) {
308 return 0;
309 }
310
311 out += ret;
312
313 sha1len = ssl3_handshake_mac(ssl, NID_sha1, sender, sender_len, out);
314 if (sha1len == 0) {
315 return 0;
316 }
317
318 ret += sha1len;
319 return ret;
320 }
321
ssl3_handshake_mac(SSL * ssl,int md_nid,const char * sender,size_t sender_len,uint8_t * p)322 static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender,
323 size_t sender_len, uint8_t *p) {
324 unsigned int ret;
325 size_t npad, n;
326 unsigned int i;
327 uint8_t md_buf[EVP_MAX_MD_SIZE];
328 EVP_MD_CTX ctx;
329 const EVP_MD_CTX *ctx_template;
330
331 if (md_nid == NID_md5) {
332 ctx_template = &ssl->s3->handshake_md5;
333 } else if (md_nid == EVP_MD_CTX_type(&ssl->s3->handshake_hash)) {
334 ctx_template = &ssl->s3->handshake_hash;
335 } else {
336 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_REQUIRED_DIGEST);
337 return 0;
338 }
339
340 EVP_MD_CTX_init(&ctx);
341 if (!EVP_MD_CTX_copy_ex(&ctx, ctx_template)) {
342 EVP_MD_CTX_cleanup(&ctx);
343 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
344 return 0;
345 }
346
347 static const uint8_t kPad1[48] = {
348 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
349 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
350 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
351 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
352 };
353
354 static const uint8_t kPad2[48] = {
355 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
356 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
357 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
358 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
359 };
360
361 n = EVP_MD_CTX_size(&ctx);
362
363 npad = (48 / n) * n;
364 if (sender != NULL) {
365 EVP_DigestUpdate(&ctx, sender, sender_len);
366 }
367 EVP_DigestUpdate(&ctx, ssl->session->master_key,
368 ssl->session->master_key_length);
369 EVP_DigestUpdate(&ctx, kPad1, npad);
370 EVP_DigestFinal_ex(&ctx, md_buf, &i);
371
372 if (!EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL)) {
373 EVP_MD_CTX_cleanup(&ctx);
374 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
375 return 0;
376 }
377 EVP_DigestUpdate(&ctx, ssl->session->master_key,
378 ssl->session->master_key_length);
379 EVP_DigestUpdate(&ctx, kPad2, npad);
380 EVP_DigestUpdate(&ctx, md_buf, i);
381 EVP_DigestFinal_ex(&ctx, p, &ret);
382
383 EVP_MD_CTX_cleanup(&ctx);
384
385 return ret;
386 }
387
388
389
390 const SSL3_ENC_METHOD SSLv3_enc_data = {
391 ssl3_prf,
392 ssl3_final_finish_mac,
393 ssl3_cert_verify_mac,
394 };
395