1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to.  The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 *    notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 *    notice, this list of conditions and the following disclaimer in the
29 *    documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 *    must display the following acknowledgement:
32 *    "This product includes cryptographic software written by
33 *     Eric Young (eay@cryptsoft.com)"
34 *    The word 'cryptographic' can be left out if the rouines from the library
35 *    being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 *    the apps directory (application code) you must include an acknowledgement:
38 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed.  i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 *    notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 *    notice, this list of conditions and the following disclaimer in
69 *    the documentation and/or other materials provided with the
70 *    distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 *    software must display the following acknowledgment:
74 *    "This product includes software developed by the OpenSSL Project
75 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 *    endorse or promote products derived from this software without
79 *    prior written permission. For written permission, please contact
80 *    openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 *    nor may "OpenSSL" appear in their names without prior written
84 *    permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 *    acknowledgment:
88 *    "This product includes software developed by the OpenSSL Project
89 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com).  This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2005 Nokia. All rights reserved.
112 *
113 * The portions of the attached software ("Contribution") is developed by
114 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
115 * license.
116 *
117 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
118 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
119 * support (see RFC 4279) to OpenSSL.
120 *
121 * No patent licenses or other rights except those expressly stated in
122 * the OpenSSL open source license shall be deemed granted or received
123 * expressly, by implication, estoppel, or otherwise.
124 *
125 * No assurances are provided by Nokia that the Contribution does not
126 * infringe the patent or other intellectual property rights of any third
127 * party or that the license provides you with all the necessary rights
128 * to make use of the Contribution.
129 *
130 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
131 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
132 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
133 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
134 * OTHERWISE. */
135
136#include <openssl/ssl.h>
137
138#include <assert.h>
139#include <stdio.h>
140#include <string.h>
141
142#include <openssl/err.h>
143#include <openssl/evp.h>
144#include <openssl/mem.h>
145#include <openssl/md5.h>
146#include <openssl/obj.h>
147
148#include "internal.h"
149
150
151static const uint8_t ssl3_pad_1[48] = {
152    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
153    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
154    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
155    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
156};
157
158static const uint8_t ssl3_pad_2[48] = {
159    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
160    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
161    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
162    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
163};
164
165static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender, int len,
166                              uint8_t *p);
167
168int ssl3_prf(SSL *ssl, uint8_t *out, size_t out_len, const uint8_t *secret,
169             size_t secret_len, const char *label, size_t label_len,
170             const uint8_t *seed1, size_t seed1_len,
171             const uint8_t *seed2, size_t seed2_len) {
172  EVP_MD_CTX md5;
173  EVP_MD_CTX sha1;
174  uint8_t buf[16], smd[SHA_DIGEST_LENGTH];
175  uint8_t c = 'A';
176  size_t i, j, k;
177
178  k = 0;
179  EVP_MD_CTX_init(&md5);
180  EVP_MD_CTX_init(&sha1);
181  for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) {
182    k++;
183    if (k > sizeof(buf)) {
184      /* bug: 'buf' is too small for this ciphersuite */
185      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
186      return 0;
187    }
188
189    for (j = 0; j < k; j++) {
190      buf[j] = c;
191    }
192    c++;
193    if (!EVP_DigestInit_ex(&sha1, EVP_sha1(), NULL)) {
194      OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
195      return 0;
196    }
197    EVP_DigestUpdate(&sha1, buf, k);
198    EVP_DigestUpdate(&sha1, secret, secret_len);
199    /* |label| is ignored for SSLv3. */
200    if (seed1_len) {
201      EVP_DigestUpdate(&sha1, seed1, seed1_len);
202    }
203    if (seed2_len) {
204      EVP_DigestUpdate(&sha1, seed2, seed2_len);
205    }
206    EVP_DigestFinal_ex(&sha1, smd, NULL);
207
208    if (!EVP_DigestInit_ex(&md5, EVP_md5(), NULL)) {
209      OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
210      return 0;
211    }
212    EVP_DigestUpdate(&md5, secret, secret_len);
213    EVP_DigestUpdate(&md5, smd, SHA_DIGEST_LENGTH);
214    if (i + MD5_DIGEST_LENGTH > out_len) {
215      EVP_DigestFinal_ex(&md5, smd, NULL);
216      memcpy(out, smd, out_len - i);
217    } else {
218      EVP_DigestFinal_ex(&md5, out, NULL);
219    }
220
221    out += MD5_DIGEST_LENGTH;
222  }
223
224  OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
225  EVP_MD_CTX_cleanup(&md5);
226  EVP_MD_CTX_cleanup(&sha1);
227
228  return 1;
229}
230
231void ssl3_cleanup_key_block(SSL *ssl) {
232  if (ssl->s3->tmp.key_block != NULL) {
233    OPENSSL_cleanse(ssl->s3->tmp.key_block, ssl->s3->tmp.key_block_length);
234    OPENSSL_free(ssl->s3->tmp.key_block);
235    ssl->s3->tmp.key_block = NULL;
236  }
237  ssl->s3->tmp.key_block_length = 0;
238}
239
240int ssl3_init_handshake_buffer(SSL *ssl) {
241  ssl3_free_handshake_buffer(ssl);
242  ssl3_free_handshake_hash(ssl);
243  ssl->s3->handshake_buffer = BUF_MEM_new();
244  return ssl->s3->handshake_buffer != NULL;
245}
246
247/* init_digest_with_data calls |EVP_DigestInit_ex| on |ctx| with |md| and then
248 * writes the data in |buf| to it. */
249static int init_digest_with_data(EVP_MD_CTX *ctx, const EVP_MD *md,
250                                 const BUF_MEM *buf) {
251  if (!EVP_DigestInit_ex(ctx, md, NULL)) {
252    return 0;
253  }
254  EVP_DigestUpdate(ctx, buf->data, buf->length);
255  return 1;
256}
257
258int ssl3_init_handshake_hash(SSL *ssl) {
259  ssl3_free_handshake_hash(ssl);
260
261  uint32_t algorithm_prf = ssl_get_algorithm_prf(ssl);
262  if (!init_digest_with_data(&ssl->s3->handshake_hash,
263                             ssl_get_handshake_digest(algorithm_prf),
264                             ssl->s3->handshake_buffer)) {
265    return 0;
266  }
267
268  if (algorithm_prf == SSL_HANDSHAKE_MAC_DEFAULT &&
269      !init_digest_with_data(&ssl->s3->handshake_md5, EVP_md5(),
270                             ssl->s3->handshake_buffer)) {
271    return 0;
272  }
273
274  return 1;
275}
276
277void ssl3_free_handshake_hash(SSL *ssl) {
278  EVP_MD_CTX_cleanup(&ssl->s3->handshake_hash);
279  EVP_MD_CTX_cleanup(&ssl->s3->handshake_md5);
280}
281
282void ssl3_free_handshake_buffer(SSL *ssl) {
283  BUF_MEM_free(ssl->s3->handshake_buffer);
284  ssl->s3->handshake_buffer = NULL;
285}
286
287int ssl3_update_handshake_hash(SSL *ssl, const uint8_t *in, size_t in_len) {
288  /* Depending on the state of the handshake, either the handshake buffer may be
289   * active, the rolling hash, or both. */
290
291  if (ssl->s3->handshake_buffer != NULL) {
292    size_t new_len = ssl->s3->handshake_buffer->length + in_len;
293    if (new_len < in_len) {
294      OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
295      return 0;
296    }
297    if (!BUF_MEM_grow(ssl->s3->handshake_buffer, new_len)) {
298      return 0;
299    }
300    memcpy(ssl->s3->handshake_buffer->data + new_len - in_len, in, in_len);
301  }
302
303  if (EVP_MD_CTX_md(&ssl->s3->handshake_hash) != NULL) {
304    EVP_DigestUpdate(&ssl->s3->handshake_hash, in, in_len);
305  }
306  if (EVP_MD_CTX_md(&ssl->s3->handshake_md5) != NULL) {
307    EVP_DigestUpdate(&ssl->s3->handshake_md5, in, in_len);
308  }
309  return 1;
310}
311
312int ssl3_cert_verify_mac(SSL *ssl, int md_nid, uint8_t *p) {
313  return ssl3_handshake_mac(ssl, md_nid, NULL, 0, p);
314}
315
316int ssl3_final_finish_mac(SSL *ssl, const char *sender, int len, uint8_t *p) {
317  int ret, sha1len;
318  ret = ssl3_handshake_mac(ssl, NID_md5, sender, len, p);
319  if (ret == 0) {
320    return 0;
321  }
322
323  p += ret;
324
325  sha1len = ssl3_handshake_mac(ssl, NID_sha1, sender, len, p);
326  if (sha1len == 0) {
327    return 0;
328  }
329
330  ret += sha1len;
331  return ret;
332}
333
334static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender, int len,
335                              uint8_t *p) {
336  unsigned int ret;
337  size_t npad, n;
338  unsigned int i;
339  uint8_t md_buf[EVP_MAX_MD_SIZE];
340  EVP_MD_CTX ctx;
341  const EVP_MD_CTX *ctx_template;
342
343  if (md_nid == NID_md5) {
344    ctx_template = &ssl->s3->handshake_md5;
345  } else if (md_nid == EVP_MD_CTX_type(&ssl->s3->handshake_hash)) {
346    ctx_template = &ssl->s3->handshake_hash;
347  } else {
348    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_REQUIRED_DIGEST);
349    return 0;
350  }
351
352  EVP_MD_CTX_init(&ctx);
353  if (!EVP_MD_CTX_copy_ex(&ctx, ctx_template)) {
354    EVP_MD_CTX_cleanup(&ctx);
355    OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
356    return 0;
357  }
358
359  n = EVP_MD_CTX_size(&ctx);
360
361  npad = (48 / n) * n;
362  if (sender != NULL) {
363    EVP_DigestUpdate(&ctx, sender, len);
364  }
365  EVP_DigestUpdate(&ctx, ssl->session->master_key,
366                   ssl->session->master_key_length);
367  EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
368  EVP_DigestFinal_ex(&ctx, md_buf, &i);
369
370  if (!EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL)) {
371    EVP_MD_CTX_cleanup(&ctx);
372    OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
373    return 0;
374  }
375  EVP_DigestUpdate(&ctx, ssl->session->master_key,
376                   ssl->session->master_key_length);
377  EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
378  EVP_DigestUpdate(&ctx, md_buf, i);
379  EVP_DigestFinal_ex(&ctx, p, &ret);
380
381  EVP_MD_CTX_cleanup(&ctx);
382
383  return ret;
384}
385
386int ssl3_record_sequence_update(uint8_t *seq, size_t seq_len) {
387  size_t i;
388  for (i = seq_len - 1; i < seq_len; i--) {
389    ++seq[i];
390    if (seq[i] != 0) {
391      return 1;
392    }
393  }
394  OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
395  return 0;
396}
397
398int ssl3_alert_code(int code) {
399  switch (code) {
400    case SSL_AD_CLOSE_NOTIFY:
401      return SSL3_AD_CLOSE_NOTIFY;
402
403    case SSL_AD_UNEXPECTED_MESSAGE:
404      return SSL3_AD_UNEXPECTED_MESSAGE;
405
406    case SSL_AD_BAD_RECORD_MAC:
407      return SSL3_AD_BAD_RECORD_MAC;
408
409    case SSL_AD_DECRYPTION_FAILED:
410      return SSL3_AD_BAD_RECORD_MAC;
411
412    case SSL_AD_RECORD_OVERFLOW:
413      return SSL3_AD_BAD_RECORD_MAC;
414
415    case SSL_AD_DECOMPRESSION_FAILURE:
416      return SSL3_AD_DECOMPRESSION_FAILURE;
417
418    case SSL_AD_HANDSHAKE_FAILURE:
419      return SSL3_AD_HANDSHAKE_FAILURE;
420
421    case SSL_AD_NO_CERTIFICATE:
422      return SSL3_AD_NO_CERTIFICATE;
423
424    case SSL_AD_BAD_CERTIFICATE:
425      return SSL3_AD_BAD_CERTIFICATE;
426
427    case SSL_AD_UNSUPPORTED_CERTIFICATE:
428      return SSL3_AD_UNSUPPORTED_CERTIFICATE;
429
430    case SSL_AD_CERTIFICATE_REVOKED:
431      return SSL3_AD_CERTIFICATE_REVOKED;
432
433    case SSL_AD_CERTIFICATE_EXPIRED:
434      return SSL3_AD_CERTIFICATE_EXPIRED;
435
436    case SSL_AD_CERTIFICATE_UNKNOWN:
437      return SSL3_AD_CERTIFICATE_UNKNOWN;
438
439    case SSL_AD_ILLEGAL_PARAMETER:
440      return SSL3_AD_ILLEGAL_PARAMETER;
441
442    case SSL_AD_UNKNOWN_CA:
443      return SSL3_AD_BAD_CERTIFICATE;
444
445    case SSL_AD_ACCESS_DENIED:
446      return SSL3_AD_HANDSHAKE_FAILURE;
447
448    case SSL_AD_DECODE_ERROR:
449      return SSL3_AD_HANDSHAKE_FAILURE;
450
451    case SSL_AD_DECRYPT_ERROR:
452      return SSL3_AD_HANDSHAKE_FAILURE;
453
454    case SSL_AD_EXPORT_RESTRICTION:
455      return SSL3_AD_HANDSHAKE_FAILURE;
456
457    case SSL_AD_PROTOCOL_VERSION:
458      return SSL3_AD_HANDSHAKE_FAILURE;
459
460    case SSL_AD_INSUFFICIENT_SECURITY:
461      return SSL3_AD_HANDSHAKE_FAILURE;
462
463    case SSL_AD_INTERNAL_ERROR:
464      return SSL3_AD_HANDSHAKE_FAILURE;
465
466    case SSL_AD_USER_CANCELLED:
467      return SSL3_AD_HANDSHAKE_FAILURE;
468
469    case SSL_AD_NO_RENEGOTIATION:
470      return -1; /* Don't send it. */
471
472    case SSL_AD_UNSUPPORTED_EXTENSION:
473      return SSL3_AD_HANDSHAKE_FAILURE;
474
475    case SSL_AD_CERTIFICATE_UNOBTAINABLE:
476      return SSL3_AD_HANDSHAKE_FAILURE;
477
478    case SSL_AD_UNRECOGNIZED_NAME:
479      return SSL3_AD_HANDSHAKE_FAILURE;
480
481    case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
482      return SSL3_AD_HANDSHAKE_FAILURE;
483
484    case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
485      return SSL3_AD_HANDSHAKE_FAILURE;
486
487    case SSL_AD_UNKNOWN_PSK_IDENTITY:
488      return TLS1_AD_UNKNOWN_PSK_IDENTITY;
489
490    case SSL_AD_INAPPROPRIATE_FALLBACK:
491      return SSL3_AD_INAPPROPRIATE_FALLBACK;
492
493    default:
494      return -1;
495  }
496}
497