1 /* 2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* ==================================================================== 11 * Copyright 2005 Nokia. All rights reserved. 12 * 13 * The portions of the attached software ("Contribution") is developed by 14 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 15 * license. 16 * 17 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 18 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 19 * support (see RFC 4279) to OpenSSL. 20 * 21 * No patent licenses or other rights except those expressly stated in 22 * the OpenSSL open source license shall be deemed granted or received 23 * expressly, by implication, estoppel, or otherwise. 24 * 25 * No assurances are provided by Nokia that the Contribution does not 26 * infringe the patent or other intellectual property rights of any third 27 * party or that the license provides you with all the necessary rights 28 * to make use of the Contribution. 29 * 30 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 31 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 32 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 33 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 34 * OTHERWISE. 35 */ 36 37 #include <stdio.h> 38 #include "ssl_locl.h" 39 #include <openssl/evp.h> 40 #include <openssl/md5.h> 41 42 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) 43 { 44 EVP_MD_CTX *m5; 45 EVP_MD_CTX *s1; 46 unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; 47 unsigned char c = 'A'; 48 unsigned int i, j, k; 49 int ret = 0; 50 51 #ifdef CHARSET_EBCDIC 52 c = os_toascii[c]; /* 'A' in ASCII */ 53 #endif 54 k = 0; 55 m5 = EVP_MD_CTX_new(); 56 s1 = EVP_MD_CTX_new(); 57 if (m5 == NULL || s1 == NULL) { 58 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_MALLOC_FAILURE); 59 goto err; 60 } 61 EVP_MD_CTX_set_flags(m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 62 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { 63 k++; 64 if (k > sizeof(buf)) { 65 /* bug: 'buf' is too small for this ciphersuite */ 66 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); 67 goto err; 68 } 69 70 for (j = 0; j < k; j++) 71 buf[j] = c; 72 c++; 73 if (!EVP_DigestInit_ex(s1, EVP_sha1(), NULL) 74 || !EVP_DigestUpdate(s1, buf, k) 75 || !EVP_DigestUpdate(s1, s->session->master_key, 76 s->session->master_key_length) 77 || !EVP_DigestUpdate(s1, s->s3->server_random, SSL3_RANDOM_SIZE) 78 || !EVP_DigestUpdate(s1, s->s3->client_random, SSL3_RANDOM_SIZE) 79 || !EVP_DigestFinal_ex(s1, smd, NULL) 80 || !EVP_DigestInit_ex(m5, EVP_md5(), NULL) 81 || !EVP_DigestUpdate(m5, s->session->master_key, 82 s->session->master_key_length) 83 || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) 84 goto err; 85 if ((int)(i + MD5_DIGEST_LENGTH) > num) { 86 if (!EVP_DigestFinal_ex(m5, smd, NULL)) 87 goto err; 88 memcpy(km, smd, (num - i)); 89 } else { 90 if (!EVP_DigestFinal_ex(m5, km, NULL)) 91 goto err; 92 } 93 94 km += MD5_DIGEST_LENGTH; 95 } 96 OPENSSL_cleanse(smd, sizeof(smd)); 97 ret = 1; 98 err: 99 EVP_MD_CTX_free(m5); 100 EVP_MD_CTX_free(s1); 101 return ret; 102 } 103 104 int ssl3_change_cipher_state(SSL *s, int which) 105 { 106 unsigned char *p, *mac_secret; 107 unsigned char exp_key[EVP_MAX_KEY_LENGTH]; 108 unsigned char exp_iv[EVP_MAX_IV_LENGTH]; 109 unsigned char *ms, *key, *iv; 110 EVP_CIPHER_CTX *dd; 111 const EVP_CIPHER *c; 112 #ifndef OPENSSL_NO_COMP 113 COMP_METHOD *comp; 114 #endif 115 const EVP_MD *m; 116 int n, i, j, k, cl; 117 int reuse_dd = 0; 118 119 c = s->s3->tmp.new_sym_enc; 120 m = s->s3->tmp.new_hash; 121 /* m == NULL will lead to a crash later */ 122 OPENSSL_assert(m); 123 #ifndef OPENSSL_NO_COMP 124 if (s->s3->tmp.new_compression == NULL) 125 comp = NULL; 126 else 127 comp = s->s3->tmp.new_compression->method; 128 #endif 129 130 if (which & SSL3_CC_READ) { 131 if (s->enc_read_ctx != NULL) 132 reuse_dd = 1; 133 else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) 134 goto err; 135 else 136 /* 137 * make sure it's initialised in case we exit later with an error 138 */ 139 EVP_CIPHER_CTX_reset(s->enc_read_ctx); 140 dd = s->enc_read_ctx; 141 142 if (ssl_replace_hash(&s->read_hash, m) == NULL) { 143 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 144 goto err2; 145 } 146 #ifndef OPENSSL_NO_COMP 147 /* COMPRESS */ 148 COMP_CTX_free(s->expand); 149 s->expand = NULL; 150 if (comp != NULL) { 151 s->expand = COMP_CTX_new(comp); 152 if (s->expand == NULL) { 153 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, 154 SSL_R_COMPRESSION_LIBRARY_ERROR); 155 goto err2; 156 } 157 } 158 #endif 159 RECORD_LAYER_reset_read_sequence(&s->rlayer); 160 mac_secret = &(s->s3->read_mac_secret[0]); 161 } else { 162 if (s->enc_write_ctx != NULL) 163 reuse_dd = 1; 164 else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) 165 goto err; 166 else 167 /* 168 * make sure it's initialised in case we exit later with an error 169 */ 170 EVP_CIPHER_CTX_reset(s->enc_write_ctx); 171 dd = s->enc_write_ctx; 172 if (ssl_replace_hash(&s->write_hash, m) == NULL) { 173 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 174 goto err2; 175 } 176 #ifndef OPENSSL_NO_COMP 177 /* COMPRESS */ 178 COMP_CTX_free(s->compress); 179 s->compress = NULL; 180 if (comp != NULL) { 181 s->compress = COMP_CTX_new(comp); 182 if (s->compress == NULL) { 183 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, 184 SSL_R_COMPRESSION_LIBRARY_ERROR); 185 goto err2; 186 } 187 } 188 #endif 189 RECORD_LAYER_reset_write_sequence(&s->rlayer); 190 mac_secret = &(s->s3->write_mac_secret[0]); 191 } 192 193 if (reuse_dd) 194 EVP_CIPHER_CTX_reset(dd); 195 196 p = s->s3->tmp.key_block; 197 i = EVP_MD_size(m); 198 if (i < 0) 199 goto err2; 200 cl = EVP_CIPHER_key_length(c); 201 j = cl; 202 k = EVP_CIPHER_iv_length(c); 203 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 204 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 205 ms = &(p[0]); 206 n = i + i; 207 key = &(p[n]); 208 n += j + j; 209 iv = &(p[n]); 210 n += k + k; 211 } else { 212 n = i; 213 ms = &(p[n]); 214 n += i + j; 215 key = &(p[n]); 216 n += j + k; 217 iv = &(p[n]); 218 n += k; 219 } 220 221 if (n > s->s3->tmp.key_block_length) { 222 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 223 goto err2; 224 } 225 226 memcpy(mac_secret, ms, i); 227 228 if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) 229 goto err2; 230 231 OPENSSL_cleanse(exp_key, sizeof(exp_key)); 232 OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); 233 return (1); 234 err: 235 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 236 err2: 237 OPENSSL_cleanse(exp_key, sizeof(exp_key)); 238 OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); 239 return (0); 240 } 241 242 int ssl3_setup_key_block(SSL *s) 243 { 244 unsigned char *p; 245 const EVP_CIPHER *c; 246 const EVP_MD *hash; 247 int num; 248 int ret = 0; 249 SSL_COMP *comp; 250 251 if (s->s3->tmp.key_block_length != 0) 252 return (1); 253 254 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) { 255 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 256 return (0); 257 } 258 259 s->s3->tmp.new_sym_enc = c; 260 s->s3->tmp.new_hash = hash; 261 #ifdef OPENSSL_NO_COMP 262 s->s3->tmp.new_compression = NULL; 263 #else 264 s->s3->tmp.new_compression = comp; 265 #endif 266 267 num = EVP_MD_size(hash); 268 if (num < 0) 269 return 0; 270 271 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c); 272 num *= 2; 273 274 ssl3_cleanup_key_block(s); 275 276 if ((p = OPENSSL_malloc(num)) == NULL) 277 goto err; 278 279 s->s3->tmp.key_block_length = num; 280 s->s3->tmp.key_block = p; 281 282 ret = ssl3_generate_key_block(s, p, num); 283 284 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { 285 /* 286 * enable vulnerability countermeasure for CBC ciphers with known-IV 287 * problem (http://www.openssl.org/~bodo/tls-cbc.txt) 288 */ 289 s->s3->need_empty_fragments = 1; 290 291 if (s->session->cipher != NULL) { 292 if (s->session->cipher->algorithm_enc == SSL_eNULL) 293 s->s3->need_empty_fragments = 0; 294 295 #ifndef OPENSSL_NO_RC4 296 if (s->session->cipher->algorithm_enc == SSL_RC4) 297 s->s3->need_empty_fragments = 0; 298 #endif 299 } 300 } 301 302 return ret; 303 304 err: 305 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); 306 return (0); 307 } 308 309 void ssl3_cleanup_key_block(SSL *s) 310 { 311 OPENSSL_clear_free(s->s3->tmp.key_block, s->s3->tmp.key_block_length); 312 s->s3->tmp.key_block = NULL; 313 s->s3->tmp.key_block_length = 0; 314 } 315 316 int ssl3_init_finished_mac(SSL *s) 317 { 318 BIO *buf = BIO_new(BIO_s_mem()); 319 320 if (buf == NULL) { 321 SSLerr(SSL_F_SSL3_INIT_FINISHED_MAC, ERR_R_MALLOC_FAILURE); 322 return 0; 323 } 324 ssl3_free_digest_list(s); 325 s->s3->handshake_buffer = buf; 326 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE); 327 return 1; 328 } 329 330 /* 331 * Free digest list. Also frees handshake buffer since they are always freed 332 * together. 333 */ 334 335 void ssl3_free_digest_list(SSL *s) 336 { 337 BIO_free(s->s3->handshake_buffer); 338 s->s3->handshake_buffer = NULL; 339 EVP_MD_CTX_free(s->s3->handshake_dgst); 340 s->s3->handshake_dgst = NULL; 341 } 342 343 int ssl3_finish_mac(SSL *s, const unsigned char *buf, int len) 344 { 345 if (s->s3->handshake_dgst == NULL) 346 /* Note: this writes to a memory BIO so a failure is a fatal error */ 347 return BIO_write(s->s3->handshake_buffer, (void *)buf, len) == len; 348 else 349 return EVP_DigestUpdate(s->s3->handshake_dgst, buf, len); 350 } 351 352 int ssl3_digest_cached_records(SSL *s, int keep) 353 { 354 const EVP_MD *md; 355 long hdatalen; 356 void *hdata; 357 358 if (s->s3->handshake_dgst == NULL) { 359 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 360 if (hdatalen <= 0) { 361 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, 362 SSL_R_BAD_HANDSHAKE_LENGTH); 363 return 0; 364 } 365 366 s->s3->handshake_dgst = EVP_MD_CTX_new(); 367 if (s->s3->handshake_dgst == NULL) { 368 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE); 369 return 0; 370 } 371 372 md = ssl_handshake_md(s); 373 if (md == NULL || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL) 374 || !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen)) { 375 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR); 376 return 0; 377 } 378 } 379 if (keep == 0) { 380 BIO_free(s->s3->handshake_buffer); 381 s->s3->handshake_buffer = NULL; 382 } 383 384 return 1; 385 } 386 387 int ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p) 388 { 389 int ret; 390 EVP_MD_CTX *ctx = NULL; 391 392 if (!ssl3_digest_cached_records(s, 0)) 393 return 0; 394 395 if (EVP_MD_CTX_type(s->s3->handshake_dgst) != NID_md5_sha1) { 396 SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, SSL_R_NO_REQUIRED_DIGEST); 397 return 0; 398 } 399 400 ctx = EVP_MD_CTX_new(); 401 if (ctx == NULL) { 402 SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_MALLOC_FAILURE); 403 return 0; 404 } 405 if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) { 406 SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR); 407 return 0; 408 } 409 410 ret = EVP_MD_CTX_size(ctx); 411 if (ret < 0) { 412 EVP_MD_CTX_reset(ctx); 413 return 0; 414 } 415 416 if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0) 417 || EVP_MD_CTX_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET, 418 s->session->master_key_length, 419 s->session->master_key) <= 0 420 || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) { 421 SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR); 422 ret = 0; 423 } 424 425 EVP_MD_CTX_free(ctx); 426 427 return ret; 428 } 429 430 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 431 int len) 432 { 433 static const unsigned char *salt[3] = { 434 #ifndef CHARSET_EBCDIC 435 (const unsigned char *)"A", 436 (const unsigned char *)"BB", 437 (const unsigned char *)"CCC", 438 #else 439 (const unsigned char *)"\x41", 440 (const unsigned char *)"\x42\x42", 441 (const unsigned char *)"\x43\x43\x43", 442 #endif 443 }; 444 unsigned char buf[EVP_MAX_MD_SIZE]; 445 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 446 int i, ret = 0; 447 unsigned int n; 448 449 if (ctx == NULL) { 450 SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_MALLOC_FAILURE); 451 return 0; 452 } 453 for (i = 0; i < 3; i++) { 454 if (EVP_DigestInit_ex(ctx, s->ctx->sha1, NULL) <= 0 455 || EVP_DigestUpdate(ctx, salt[i], 456 strlen((const char *)salt[i])) <= 0 457 || EVP_DigestUpdate(ctx, p, len) <= 0 458 || EVP_DigestUpdate(ctx, &(s->s3->client_random[0]), 459 SSL3_RANDOM_SIZE) <= 0 460 || EVP_DigestUpdate(ctx, &(s->s3->server_random[0]), 461 SSL3_RANDOM_SIZE) <= 0 462 || EVP_DigestFinal_ex(ctx, buf, &n) <= 0 463 || EVP_DigestInit_ex(ctx, s->ctx->md5, NULL) <= 0 464 || EVP_DigestUpdate(ctx, p, len) <= 0 465 || EVP_DigestUpdate(ctx, buf, n) <= 0 466 || EVP_DigestFinal_ex(ctx, out, &n) <= 0) { 467 SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR); 468 ret = 0; 469 break; 470 } 471 out += n; 472 ret += n; 473 } 474 EVP_MD_CTX_free(ctx); 475 476 OPENSSL_cleanse(buf, sizeof(buf)); 477 return (ret); 478 } 479 480 int ssl3_alert_code(int code) 481 { 482 switch (code) { 483 case SSL_AD_CLOSE_NOTIFY: 484 return (SSL3_AD_CLOSE_NOTIFY); 485 case SSL_AD_UNEXPECTED_MESSAGE: 486 return (SSL3_AD_UNEXPECTED_MESSAGE); 487 case SSL_AD_BAD_RECORD_MAC: 488 return (SSL3_AD_BAD_RECORD_MAC); 489 case SSL_AD_DECRYPTION_FAILED: 490 return (SSL3_AD_BAD_RECORD_MAC); 491 case SSL_AD_RECORD_OVERFLOW: 492 return (SSL3_AD_BAD_RECORD_MAC); 493 case SSL_AD_DECOMPRESSION_FAILURE: 494 return (SSL3_AD_DECOMPRESSION_FAILURE); 495 case SSL_AD_HANDSHAKE_FAILURE: 496 return (SSL3_AD_HANDSHAKE_FAILURE); 497 case SSL_AD_NO_CERTIFICATE: 498 return (SSL3_AD_NO_CERTIFICATE); 499 case SSL_AD_BAD_CERTIFICATE: 500 return (SSL3_AD_BAD_CERTIFICATE); 501 case SSL_AD_UNSUPPORTED_CERTIFICATE: 502 return (SSL3_AD_UNSUPPORTED_CERTIFICATE); 503 case SSL_AD_CERTIFICATE_REVOKED: 504 return (SSL3_AD_CERTIFICATE_REVOKED); 505 case SSL_AD_CERTIFICATE_EXPIRED: 506 return (SSL3_AD_CERTIFICATE_EXPIRED); 507 case SSL_AD_CERTIFICATE_UNKNOWN: 508 return (SSL3_AD_CERTIFICATE_UNKNOWN); 509 case SSL_AD_ILLEGAL_PARAMETER: 510 return (SSL3_AD_ILLEGAL_PARAMETER); 511 case SSL_AD_UNKNOWN_CA: 512 return (SSL3_AD_BAD_CERTIFICATE); 513 case SSL_AD_ACCESS_DENIED: 514 return (SSL3_AD_HANDSHAKE_FAILURE); 515 case SSL_AD_DECODE_ERROR: 516 return (SSL3_AD_HANDSHAKE_FAILURE); 517 case SSL_AD_DECRYPT_ERROR: 518 return (SSL3_AD_HANDSHAKE_FAILURE); 519 case SSL_AD_EXPORT_RESTRICTION: 520 return (SSL3_AD_HANDSHAKE_FAILURE); 521 case SSL_AD_PROTOCOL_VERSION: 522 return (SSL3_AD_HANDSHAKE_FAILURE); 523 case SSL_AD_INSUFFICIENT_SECURITY: 524 return (SSL3_AD_HANDSHAKE_FAILURE); 525 case SSL_AD_INTERNAL_ERROR: 526 return (SSL3_AD_HANDSHAKE_FAILURE); 527 case SSL_AD_USER_CANCELLED: 528 return (SSL3_AD_HANDSHAKE_FAILURE); 529 case SSL_AD_NO_RENEGOTIATION: 530 return (-1); /* Don't send it :-) */ 531 case SSL_AD_UNSUPPORTED_EXTENSION: 532 return (SSL3_AD_HANDSHAKE_FAILURE); 533 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 534 return (SSL3_AD_HANDSHAKE_FAILURE); 535 case SSL_AD_UNRECOGNIZED_NAME: 536 return (SSL3_AD_HANDSHAKE_FAILURE); 537 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 538 return (SSL3_AD_HANDSHAKE_FAILURE); 539 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 540 return (SSL3_AD_HANDSHAKE_FAILURE); 541 case SSL_AD_UNKNOWN_PSK_IDENTITY: 542 return (TLS1_AD_UNKNOWN_PSK_IDENTITY); 543 case SSL_AD_INAPPROPRIATE_FALLBACK: 544 return (TLS1_AD_INAPPROPRIATE_FALLBACK); 545 case SSL_AD_NO_APPLICATION_PROTOCOL: 546 return (TLS1_AD_NO_APPLICATION_PROTOCOL); 547 default: 548 return (-1); 549 } 550 } 551