1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2005 Nokia. All rights reserved. 112 * 113 * The portions of the attached software ("Contribution") is developed by 114 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 115 * license. 116 * 117 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 118 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 119 * support (see RFC 4279) to OpenSSL. 120 * 121 * No patent licenses or other rights except those expressly stated in 122 * the OpenSSL open source license shall be deemed granted or received 123 * expressly, by implication, estoppel, or otherwise. 124 * 125 * No assurances are provided by Nokia that the Contribution does not 126 * infringe the patent or other intellectual property rights of any third 127 * party or that the license provides you with all the necessary rights 128 * to make use of the Contribution. 129 * 130 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 131 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 132 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 133 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 134 * OTHERWISE. */ 135 136 #include <openssl/ssl.h> 137 138 #include <assert.h> 139 #include <string.h> 140 141 #include <openssl/buf.h> 142 #include <openssl/digest.h> 143 #include <openssl/err.h> 144 #include <openssl/mem.h> 145 #include <openssl/md5.h> 146 #include <openssl/nid.h> 147 #include <openssl/sha.h> 148 149 #include "../crypto/internal.h" 150 #include "internal.h" 151 152 153 namespace bssl { 154 155 SSLTranscript::SSLTranscript() {} 156 157 SSLTranscript::~SSLTranscript() {} 158 159 bool SSLTranscript::Init() { 160 buffer_.reset(BUF_MEM_new()); 161 if (!buffer_) { 162 return false; 163 } 164 165 hash_.Reset(); 166 md5_.Reset(); 167 return true; 168 } 169 170 // InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then 171 // writes the data in |buf| to it. 172 static bool InitDigestWithData(EVP_MD_CTX *ctx, const EVP_MD *md, 173 const BUF_MEM *buf) { 174 if (!EVP_DigestInit_ex(ctx, md, NULL)) { 175 return false; 176 } 177 EVP_DigestUpdate(ctx, buf->data, buf->length); 178 return true; 179 } 180 181 bool SSLTranscript::InitHash(uint16_t version, const SSL_CIPHER *cipher) { 182 const EVP_MD *md = ssl_get_handshake_digest(version, cipher); 183 184 // To support SSL 3.0's Finished and CertificateVerify constructions, 185 // EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed, 186 // we can simplify this. 187 if (md == EVP_md5_sha1()) { 188 if (!InitDigestWithData(md5_.get(), EVP_md5(), buffer_.get())) { 189 return false; 190 } 191 md = EVP_sha1(); 192 } 193 194 return InitDigestWithData(hash_.get(), md, buffer_.get()); 195 } 196 197 void SSLTranscript::FreeBuffer() { 198 buffer_.reset(); 199 } 200 201 size_t SSLTranscript::DigestLen() const { 202 return EVP_MD_size(Digest()); 203 } 204 205 const EVP_MD *SSLTranscript::Digest() const { 206 if (EVP_MD_CTX_md(md5_.get()) != nullptr) { 207 return EVP_md5_sha1(); 208 } 209 return EVP_MD_CTX_md(hash_.get()); 210 } 211 212 bool SSLTranscript::UpdateForHelloRetryRequest() { 213 if (buffer_) { 214 buffer_->length = 0; 215 } 216 217 uint8_t old_hash[EVP_MAX_MD_SIZE]; 218 size_t hash_len; 219 if (!GetHash(old_hash, &hash_len)) { 220 return false; 221 } 222 const uint8_t header[4] = {SSL3_MT_MESSAGE_HASH, 0, 0, 223 static_cast<uint8_t>(hash_len)}; 224 if (!EVP_DigestInit_ex(hash_.get(), Digest(), nullptr) || 225 !Update(header) || 226 !Update(MakeConstSpan(old_hash, hash_len))) { 227 return false; 228 } 229 return true; 230 } 231 232 bool SSLTranscript::CopyHashContext(EVP_MD_CTX *ctx) { 233 return EVP_MD_CTX_copy_ex(ctx, hash_.get()); 234 } 235 236 bool SSLTranscript::Update(Span<const uint8_t> in) { 237 // Depending on the state of the handshake, either the handshake buffer may be 238 // active, the rolling hash, or both. 239 if (buffer_ && 240 !BUF_MEM_append(buffer_.get(), in.data(), in.size())) { 241 return false; 242 } 243 244 if (EVP_MD_CTX_md(hash_.get()) != NULL) { 245 EVP_DigestUpdate(hash_.get(), in.data(), in.size()); 246 } 247 if (EVP_MD_CTX_md(md5_.get()) != NULL) { 248 EVP_DigestUpdate(md5_.get(), in.data(), in.size()); 249 } 250 251 return true; 252 } 253 254 bool SSLTranscript::GetHash(uint8_t *out, size_t *out_len) { 255 ScopedEVP_MD_CTX ctx; 256 unsigned md5_len = 0; 257 if (EVP_MD_CTX_md(md5_.get()) != NULL) { 258 if (!EVP_MD_CTX_copy_ex(ctx.get(), md5_.get()) || 259 !EVP_DigestFinal_ex(ctx.get(), out, &md5_len)) { 260 return false; 261 } 262 } 263 264 unsigned len; 265 if (!EVP_MD_CTX_copy_ex(ctx.get(), hash_.get()) || 266 !EVP_DigestFinal_ex(ctx.get(), out + md5_len, &len)) { 267 return false; 268 } 269 270 *out_len = md5_len + len; 271 return true; 272 } 273 274 static bool SSL3HandshakeMAC(const SSL_SESSION *session, 275 const EVP_MD_CTX *ctx_template, const char *sender, 276 size_t sender_len, uint8_t *p, size_t *out_len) { 277 ScopedEVP_MD_CTX ctx; 278 if (!EVP_MD_CTX_copy_ex(ctx.get(), ctx_template)) { 279 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP); 280 return false; 281 } 282 283 static const uint8_t kPad1[48] = { 284 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 285 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 286 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 287 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 288 }; 289 290 static const uint8_t kPad2[48] = { 291 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 292 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 293 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 294 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 295 }; 296 297 size_t n = EVP_MD_CTX_size(ctx.get()); 298 299 size_t npad = (48 / n) * n; 300 EVP_DigestUpdate(ctx.get(), sender, sender_len); 301 EVP_DigestUpdate(ctx.get(), session->master_key, session->master_key_length); 302 EVP_DigestUpdate(ctx.get(), kPad1, npad); 303 unsigned md_buf_len; 304 uint8_t md_buf[EVP_MAX_MD_SIZE]; 305 EVP_DigestFinal_ex(ctx.get(), md_buf, &md_buf_len); 306 307 if (!EVP_DigestInit_ex(ctx.get(), EVP_MD_CTX_md(ctx.get()), NULL)) { 308 OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP); 309 return false; 310 } 311 EVP_DigestUpdate(ctx.get(), session->master_key, session->master_key_length); 312 EVP_DigestUpdate(ctx.get(), kPad2, npad); 313 EVP_DigestUpdate(ctx.get(), md_buf, md_buf_len); 314 unsigned len; 315 EVP_DigestFinal_ex(ctx.get(), p, &len); 316 317 *out_len = len; 318 return true; 319 } 320 321 bool SSLTranscript::GetSSL3CertVerifyHash(uint8_t *out, size_t *out_len, 322 const SSL_SESSION *session, 323 uint16_t signature_algorithm) { 324 if (Digest() != EVP_md5_sha1()) { 325 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 326 return false; 327 } 328 329 if (signature_algorithm == SSL_SIGN_RSA_PKCS1_MD5_SHA1) { 330 size_t md5_len, len; 331 if (!SSL3HandshakeMAC(session, md5_.get(), NULL, 0, out, &md5_len) || 332 !SSL3HandshakeMAC(session, hash_.get(), NULL, 0, out + md5_len, &len)) { 333 return false; 334 } 335 *out_len = md5_len + len; 336 return true; 337 } 338 339 if (signature_algorithm == SSL_SIGN_ECDSA_SHA1) { 340 return SSL3HandshakeMAC(session, hash_.get(), NULL, 0, out, out_len); 341 } 342 343 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 344 return false; 345 } 346 347 bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len, 348 const SSL_SESSION *session, 349 bool from_server) { 350 if (session->ssl_version == SSL3_VERSION) { 351 if (Digest() != EVP_md5_sha1()) { 352 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 353 return false; 354 } 355 356 const char *sender = from_server ? SSL3_MD_SERVER_FINISHED_CONST 357 : SSL3_MD_CLIENT_FINISHED_CONST; 358 const size_t sender_len = 4; 359 size_t md5_len, len; 360 if (!SSL3HandshakeMAC(session, md5_.get(), sender, sender_len, out, 361 &md5_len) || 362 !SSL3HandshakeMAC(session, hash_.get(), sender, sender_len, 363 out + md5_len, &len)) { 364 return false; 365 } 366 367 *out_len = md5_len + len; 368 return true; 369 } 370 371 // At this point, the handshake should have released the handshake buffer on 372 // its own. 373 assert(!buffer_); 374 375 static const char kClientLabel[] = "client finished"; 376 static const char kServerLabel[] = "server finished"; 377 auto label = from_server 378 ? MakeConstSpan(kServerLabel, sizeof(kServerLabel) - 1) 379 : MakeConstSpan(kClientLabel, sizeof(kClientLabel) - 1); 380 381 uint8_t digests[EVP_MAX_MD_SIZE]; 382 size_t digests_len; 383 if (!GetHash(digests, &digests_len)) { 384 return false; 385 } 386 387 static const size_t kFinishedLen = 12; 388 if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen), 389 MakeConstSpan(session->master_key, session->master_key_length), 390 label, MakeConstSpan(digests, digests_len), {})) { 391 return false; 392 } 393 394 *out_len = kFinishedLen; 395 return true; 396 } 397 398 } // namespace bssl 399