1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2005 Nokia. All rights reserved. 112 * 113 * The portions of the attached software ("Contribution") is developed by 114 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 115 * license. 116 * 117 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 118 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 119 * support (see RFC 4279) to OpenSSL. 120 * 121 * No patent licenses or other rights except those expressly stated in 122 * the OpenSSL open source license shall be deemed granted or received 123 * expressly, by implication, estoppel, or otherwise. 124 * 125 * No assurances are provided by Nokia that the Contribution does not 126 * infringe the patent or other intellectual property rights of any third 127 * party or that the license provides you with all the necessary rights 128 * to make use of the Contribution. 129 * 130 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 131 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 132 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 133 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 134 * OTHERWISE. */ 135 136 #include <openssl/ssl.h> 137 138 #include <assert.h> 139 #include <stdio.h> 140 #include <string.h> 141 142 #include <openssl/err.h> 143 #include <openssl/evp.h> 144 #include <openssl/mem.h> 145 #include <openssl/md5.h> 146 #include <openssl/obj.h> 147 148 #include "internal.h" 149 150 151 static const uint8_t ssl3_pad_1[48] = { 152 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 153 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 154 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 155 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 156 }; 157 158 static const uint8_t ssl3_pad_2[48] = { 159 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 160 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 161 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 162 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 163 }; 164 165 static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender, int len, 166 uint8_t *p); 167 168 int ssl3_prf(SSL *ssl, uint8_t *out, size_t out_len, const uint8_t *secret, 169 size_t secret_len, const char *label, size_t label_len, 170 const uint8_t *seed1, size_t seed1_len, 171 const uint8_t *seed2, size_t seed2_len) { 172 EVP_MD_CTX md5; 173 EVP_MD_CTX sha1; 174 uint8_t buf[16], smd[SHA_DIGEST_LENGTH]; 175 uint8_t c = 'A'; 176 size_t i, j, k; 177 178 k = 0; 179 EVP_MD_CTX_init(&md5); 180 EVP_MD_CTX_init(&sha1); 181 for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) { 182 k++; 183 if (k > sizeof(buf)) { 184 /* bug: 'buf' is too small for this ciphersuite */ 185 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 186 return 0; 187 } 188 189 for (j = 0; j < k; j++) { 190 buf[j] = c; 191 } 192 c++; 193 if (!EVP_DigestInit_ex(&sha1, EVP_sha1(), NULL)) { 194 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP); 195 return 0; 196 } 197 EVP_DigestUpdate(&sha1, buf, k); 198 EVP_DigestUpdate(&sha1, secret, secret_len); 199 /* |label| is ignored for SSLv3. */ 200 if (seed1_len) { 201 EVP_DigestUpdate(&sha1, seed1, seed1_len); 202 } 203 if (seed2_len) { 204 EVP_DigestUpdate(&sha1, seed2, seed2_len); 205 } 206 EVP_DigestFinal_ex(&sha1, smd, NULL); 207 208 if (!EVP_DigestInit_ex(&md5, EVP_md5(), NULL)) { 209 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP); 210 return 0; 211 } 212 EVP_DigestUpdate(&md5, secret, secret_len); 213 EVP_DigestUpdate(&md5, smd, SHA_DIGEST_LENGTH); 214 if (i + MD5_DIGEST_LENGTH > out_len) { 215 EVP_DigestFinal_ex(&md5, smd, NULL); 216 memcpy(out, smd, out_len - i); 217 } else { 218 EVP_DigestFinal_ex(&md5, out, NULL); 219 } 220 221 out += MD5_DIGEST_LENGTH; 222 } 223 224 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH); 225 EVP_MD_CTX_cleanup(&md5); 226 EVP_MD_CTX_cleanup(&sha1); 227 228 return 1; 229 } 230 231 void ssl3_cleanup_key_block(SSL *ssl) { 232 if (ssl->s3->tmp.key_block != NULL) { 233 OPENSSL_cleanse(ssl->s3->tmp.key_block, ssl->s3->tmp.key_block_length); 234 OPENSSL_free(ssl->s3->tmp.key_block); 235 ssl->s3->tmp.key_block = NULL; 236 } 237 ssl->s3->tmp.key_block_length = 0; 238 } 239 240 int ssl3_init_handshake_buffer(SSL *ssl) { 241 ssl3_free_handshake_buffer(ssl); 242 ssl3_free_handshake_hash(ssl); 243 ssl->s3->handshake_buffer = BUF_MEM_new(); 244 return ssl->s3->handshake_buffer != NULL; 245 } 246 247 /* init_digest_with_data calls |EVP_DigestInit_ex| on |ctx| with |md| and then 248 * writes the data in |buf| to it. */ 249 static int init_digest_with_data(EVP_MD_CTX *ctx, const EVP_MD *md, 250 const BUF_MEM *buf) { 251 if (!EVP_DigestInit_ex(ctx, md, NULL)) { 252 return 0; 253 } 254 EVP_DigestUpdate(ctx, buf->data, buf->length); 255 return 1; 256 } 257 258 int ssl3_init_handshake_hash(SSL *ssl) { 259 ssl3_free_handshake_hash(ssl); 260 261 uint32_t algorithm_prf = ssl_get_algorithm_prf(ssl); 262 if (!init_digest_with_data(&ssl->s3->handshake_hash, 263 ssl_get_handshake_digest(algorithm_prf), 264 ssl->s3->handshake_buffer)) { 265 return 0; 266 } 267 268 if (algorithm_prf == SSL_HANDSHAKE_MAC_DEFAULT && 269 !init_digest_with_data(&ssl->s3->handshake_md5, EVP_md5(), 270 ssl->s3->handshake_buffer)) { 271 return 0; 272 } 273 274 return 1; 275 } 276 277 void ssl3_free_handshake_hash(SSL *ssl) { 278 EVP_MD_CTX_cleanup(&ssl->s3->handshake_hash); 279 EVP_MD_CTX_cleanup(&ssl->s3->handshake_md5); 280 } 281 282 void ssl3_free_handshake_buffer(SSL *ssl) { 283 BUF_MEM_free(ssl->s3->handshake_buffer); 284 ssl->s3->handshake_buffer = NULL; 285 } 286 287 int ssl3_update_handshake_hash(SSL *ssl, const uint8_t *in, size_t in_len) { 288 /* Depending on the state of the handshake, either the handshake buffer may be 289 * active, the rolling hash, or both. */ 290 291 if (ssl->s3->handshake_buffer != NULL) { 292 size_t new_len = ssl->s3->handshake_buffer->length + in_len; 293 if (new_len < in_len) { 294 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 295 return 0; 296 } 297 if (!BUF_MEM_grow(ssl->s3->handshake_buffer, new_len)) { 298 return 0; 299 } 300 memcpy(ssl->s3->handshake_buffer->data + new_len - in_len, in, in_len); 301 } 302 303 if (EVP_MD_CTX_md(&ssl->s3->handshake_hash) != NULL) { 304 EVP_DigestUpdate(&ssl->s3->handshake_hash, in, in_len); 305 } 306 if (EVP_MD_CTX_md(&ssl->s3->handshake_md5) != NULL) { 307 EVP_DigestUpdate(&ssl->s3->handshake_md5, in, in_len); 308 } 309 return 1; 310 } 311 312 int ssl3_cert_verify_mac(SSL *ssl, int md_nid, uint8_t *p) { 313 return ssl3_handshake_mac(ssl, md_nid, NULL, 0, p); 314 } 315 316 int ssl3_final_finish_mac(SSL *ssl, const char *sender, int len, uint8_t *p) { 317 int ret, sha1len; 318 ret = ssl3_handshake_mac(ssl, NID_md5, sender, len, p); 319 if (ret == 0) { 320 return 0; 321 } 322 323 p += ret; 324 325 sha1len = ssl3_handshake_mac(ssl, NID_sha1, sender, len, p); 326 if (sha1len == 0) { 327 return 0; 328 } 329 330 ret += sha1len; 331 return ret; 332 } 333 334 static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender, int len, 335 uint8_t *p) { 336 unsigned int ret; 337 size_t npad, n; 338 unsigned int i; 339 uint8_t md_buf[EVP_MAX_MD_SIZE]; 340 EVP_MD_CTX ctx; 341 const EVP_MD_CTX *ctx_template; 342 343 if (md_nid == NID_md5) { 344 ctx_template = &ssl->s3->handshake_md5; 345 } else if (md_nid == EVP_MD_CTX_type(&ssl->s3->handshake_hash)) { 346 ctx_template = &ssl->s3->handshake_hash; 347 } else { 348 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_REQUIRED_DIGEST); 349 return 0; 350 } 351 352 EVP_MD_CTX_init(&ctx); 353 if (!EVP_MD_CTX_copy_ex(&ctx, ctx_template)) { 354 EVP_MD_CTX_cleanup(&ctx); 355 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP); 356 return 0; 357 } 358 359 n = EVP_MD_CTX_size(&ctx); 360 361 npad = (48 / n) * n; 362 if (sender != NULL) { 363 EVP_DigestUpdate(&ctx, sender, len); 364 } 365 EVP_DigestUpdate(&ctx, ssl->session->master_key, 366 ssl->session->master_key_length); 367 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad); 368 EVP_DigestFinal_ex(&ctx, md_buf, &i); 369 370 if (!EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL)) { 371 EVP_MD_CTX_cleanup(&ctx); 372 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP); 373 return 0; 374 } 375 EVP_DigestUpdate(&ctx, ssl->session->master_key, 376 ssl->session->master_key_length); 377 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad); 378 EVP_DigestUpdate(&ctx, md_buf, i); 379 EVP_DigestFinal_ex(&ctx, p, &ret); 380 381 EVP_MD_CTX_cleanup(&ctx); 382 383 return ret; 384 } 385 386 int ssl3_record_sequence_update(uint8_t *seq, size_t seq_len) { 387 size_t i; 388 for (i = seq_len - 1; i < seq_len; i--) { 389 ++seq[i]; 390 if (seq[i] != 0) { 391 return 1; 392 } 393 } 394 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 395 return 0; 396 } 397 398 int ssl3_alert_code(int code) { 399 switch (code) { 400 case SSL_AD_CLOSE_NOTIFY: 401 return SSL3_AD_CLOSE_NOTIFY; 402 403 case SSL_AD_UNEXPECTED_MESSAGE: 404 return SSL3_AD_UNEXPECTED_MESSAGE; 405 406 case SSL_AD_BAD_RECORD_MAC: 407 return SSL3_AD_BAD_RECORD_MAC; 408 409 case SSL_AD_DECRYPTION_FAILED: 410 return SSL3_AD_BAD_RECORD_MAC; 411 412 case SSL_AD_RECORD_OVERFLOW: 413 return SSL3_AD_BAD_RECORD_MAC; 414 415 case SSL_AD_DECOMPRESSION_FAILURE: 416 return SSL3_AD_DECOMPRESSION_FAILURE; 417 418 case SSL_AD_HANDSHAKE_FAILURE: 419 return SSL3_AD_HANDSHAKE_FAILURE; 420 421 case SSL_AD_NO_CERTIFICATE: 422 return SSL3_AD_NO_CERTIFICATE; 423 424 case SSL_AD_BAD_CERTIFICATE: 425 return SSL3_AD_BAD_CERTIFICATE; 426 427 case SSL_AD_UNSUPPORTED_CERTIFICATE: 428 return SSL3_AD_UNSUPPORTED_CERTIFICATE; 429 430 case SSL_AD_CERTIFICATE_REVOKED: 431 return SSL3_AD_CERTIFICATE_REVOKED; 432 433 case SSL_AD_CERTIFICATE_EXPIRED: 434 return SSL3_AD_CERTIFICATE_EXPIRED; 435 436 case SSL_AD_CERTIFICATE_UNKNOWN: 437 return SSL3_AD_CERTIFICATE_UNKNOWN; 438 439 case SSL_AD_ILLEGAL_PARAMETER: 440 return SSL3_AD_ILLEGAL_PARAMETER; 441 442 case SSL_AD_UNKNOWN_CA: 443 return SSL3_AD_BAD_CERTIFICATE; 444 445 case SSL_AD_ACCESS_DENIED: 446 return SSL3_AD_HANDSHAKE_FAILURE; 447 448 case SSL_AD_DECODE_ERROR: 449 return SSL3_AD_HANDSHAKE_FAILURE; 450 451 case SSL_AD_DECRYPT_ERROR: 452 return SSL3_AD_HANDSHAKE_FAILURE; 453 454 case SSL_AD_EXPORT_RESTRICTION: 455 return SSL3_AD_HANDSHAKE_FAILURE; 456 457 case SSL_AD_PROTOCOL_VERSION: 458 return SSL3_AD_HANDSHAKE_FAILURE; 459 460 case SSL_AD_INSUFFICIENT_SECURITY: 461 return SSL3_AD_HANDSHAKE_FAILURE; 462 463 case SSL_AD_INTERNAL_ERROR: 464 return SSL3_AD_HANDSHAKE_FAILURE; 465 466 case SSL_AD_USER_CANCELLED: 467 return SSL3_AD_HANDSHAKE_FAILURE; 468 469 case SSL_AD_NO_RENEGOTIATION: 470 return -1; /* Don't send it. */ 471 472 case SSL_AD_UNSUPPORTED_EXTENSION: 473 return SSL3_AD_HANDSHAKE_FAILURE; 474 475 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 476 return SSL3_AD_HANDSHAKE_FAILURE; 477 478 case SSL_AD_UNRECOGNIZED_NAME: 479 return SSL3_AD_HANDSHAKE_FAILURE; 480 481 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 482 return SSL3_AD_HANDSHAKE_FAILURE; 483 484 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 485 return SSL3_AD_HANDSHAKE_FAILURE; 486 487 case SSL_AD_UNKNOWN_PSK_IDENTITY: 488 return TLS1_AD_UNKNOWN_PSK_IDENTITY; 489 490 case SSL_AD_INAPPROPRIATE_FALLBACK: 491 return SSL3_AD_INAPPROPRIATE_FALLBACK; 492 493 default: 494 return -1; 495 } 496 } 497
