1 /* 2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright 2005 Nokia. All rights reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include <stdio.h> 12 #include "ssl_local.h" 13 #include <openssl/evp.h> 14 #include <openssl/md5.h> 15 #include <openssl/core_names.h> 16 #include "internal/cryptlib.h" 17 #include "internal/ssl_unwrap.h" 18 19 static int ssl3_generate_key_block(SSL_CONNECTION *s, unsigned char *km, int num) 20 { 21 const EVP_MD *md5 = NULL, *sha1 = NULL; 22 EVP_MD_CTX *m5; 23 EVP_MD_CTX *s1; 24 unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; 25 unsigned char c = 'A'; 26 unsigned int i, k; 27 int ret = 0; 28 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 29 30 #ifdef CHARSET_EBCDIC 31 c = os_toascii[c]; /* 'A' in ASCII */ 32 #endif 33 k = 0; 34 md5 = ssl_evp_md_fetch(sctx->libctx, NID_md5, sctx->propq); 35 sha1 = ssl_evp_md_fetch(sctx->libctx, NID_sha1, sctx->propq); 36 m5 = EVP_MD_CTX_new(); 37 s1 = EVP_MD_CTX_new(); 38 if (md5 == NULL || sha1 == NULL || m5 == NULL || s1 == NULL) { 39 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 40 goto err; 41 } 42 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { 43 k++; 44 if (k > sizeof(buf)) { 45 /* bug: 'buf' is too small for this ciphersuite */ 46 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 47 goto err; 48 } 49 50 memset(buf, c, k); 51 c++; 52 if (!EVP_DigestInit_ex(s1, sha1, NULL) 53 || !EVP_DigestUpdate(s1, buf, k) 54 || !EVP_DigestUpdate(s1, s->session->master_key, 55 s->session->master_key_length) 56 || !EVP_DigestUpdate(s1, s->s3.server_random, SSL3_RANDOM_SIZE) 57 || !EVP_DigestUpdate(s1, s->s3.client_random, SSL3_RANDOM_SIZE) 58 || !EVP_DigestFinal_ex(s1, smd, NULL) 59 || !EVP_DigestInit_ex(m5, md5, NULL) 60 || !EVP_DigestUpdate(m5, s->session->master_key, 61 s->session->master_key_length) 62 || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) { 63 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 64 goto err; 65 } 66 if ((int)(i + MD5_DIGEST_LENGTH) > num) { 67 if (!EVP_DigestFinal_ex(m5, smd, NULL)) { 68 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 69 goto err; 70 } 71 memcpy(km, smd, (num - i)); 72 } else { 73 if (!EVP_DigestFinal_ex(m5, km, NULL)) { 74 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 75 goto err; 76 } 77 } 78 79 km += MD5_DIGEST_LENGTH; 80 } 81 OPENSSL_cleanse(smd, sizeof(smd)); 82 ret = 1; 83 err: 84 EVP_MD_CTX_free(m5); 85 EVP_MD_CTX_free(s1); 86 ssl_evp_md_free(md5); 87 ssl_evp_md_free(sha1); 88 return ret; 89 } 90 91 int ssl3_change_cipher_state(SSL_CONNECTION *s, int which) 92 { 93 unsigned char *p, *mac_secret; 94 size_t md_len; 95 unsigned char *key, *iv; 96 const EVP_CIPHER *ciph; 97 const SSL_COMP *comp = NULL; 98 const EVP_MD *md; 99 int mdi; 100 size_t n, iv_len, key_len; 101 int direction = (which & SSL3_CC_READ) != 0 ? OSSL_RECORD_DIRECTION_READ 102 : OSSL_RECORD_DIRECTION_WRITE; 103 104 ciph = s->s3.tmp.new_sym_enc; 105 md = s->s3.tmp.new_hash; 106 /* m == NULL will lead to a crash later */ 107 if (!ossl_assert(md != NULL)) { 108 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 109 goto err; 110 } 111 #ifndef OPENSSL_NO_COMP 112 comp = s->s3.tmp.new_compression; 113 #endif 114 115 p = s->s3.tmp.key_block; 116 mdi = EVP_MD_get_size(md); 117 if (mdi <= 0) { 118 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 119 goto err; 120 } 121 md_len = (size_t)mdi; 122 key_len = EVP_CIPHER_get_key_length(ciph); 123 iv_len = EVP_CIPHER_get_iv_length(ciph); 124 125 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 126 mac_secret = &(p[0]); 127 n = md_len + md_len; 128 key = &(p[n]); 129 n += key_len + key_len; 130 iv = &(p[n]); 131 n += iv_len + iv_len; 132 } else { 133 n = md_len; 134 mac_secret = &(p[n]); 135 n += md_len + key_len; 136 key = &(p[n]); 137 n += key_len + iv_len; 138 iv = &(p[n]); 139 n += iv_len; 140 } 141 142 if (n > s->s3.tmp.key_block_length) { 143 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 144 goto err; 145 } 146 147 if (!ssl_set_new_record_layer(s, SSL3_VERSION, 148 direction, 149 OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 150 NULL, 0, key, key_len, iv, iv_len, mac_secret, 151 md_len, ciph, 0, NID_undef, md, comp, NULL)) { 152 /* SSLfatal already called */ 153 goto err; 154 } 155 156 return 1; 157 err: 158 return 0; 159 } 160 161 int ssl3_setup_key_block(SSL_CONNECTION *s) 162 { 163 unsigned char *p; 164 const EVP_CIPHER *c; 165 const EVP_MD *hash; 166 int num; 167 int ret = 0; 168 SSL_COMP *comp; 169 170 if (s->s3.tmp.key_block_length != 0) 171 return 1; 172 173 if (!ssl_cipher_get_evp(SSL_CONNECTION_GET_CTX(s), s->session, &c, &hash, 174 NULL, NULL, &comp, 0)) { 175 /* Error is already recorded */ 176 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 177 return 0; 178 } 179 180 ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); 181 s->s3.tmp.new_sym_enc = c; 182 ssl_evp_md_free(s->s3.tmp.new_hash); 183 s->s3.tmp.new_hash = hash; 184 #ifdef OPENSSL_NO_COMP 185 s->s3.tmp.new_compression = NULL; 186 #else 187 s->s3.tmp.new_compression = comp; 188 #endif 189 190 num = EVP_MD_get_size(hash); 191 if (num <= 0) 192 return 0; 193 194 num = EVP_CIPHER_get_key_length(c) + num + EVP_CIPHER_get_iv_length(c); 195 num *= 2; 196 197 ssl3_cleanup_key_block(s); 198 199 if ((p = OPENSSL_malloc(num)) == NULL) { 200 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 201 return 0; 202 } 203 204 s->s3.tmp.key_block_length = num; 205 s->s3.tmp.key_block = p; 206 207 /* Calls SSLfatal() as required */ 208 ret = ssl3_generate_key_block(s, p, num); 209 210 return ret; 211 } 212 213 void ssl3_cleanup_key_block(SSL_CONNECTION *s) 214 { 215 OPENSSL_clear_free(s->s3.tmp.key_block, s->s3.tmp.key_block_length); 216 s->s3.tmp.key_block = NULL; 217 s->s3.tmp.key_block_length = 0; 218 } 219 220 int ssl3_init_finished_mac(SSL_CONNECTION *s) 221 { 222 BIO *buf = BIO_new(BIO_s_mem()); 223 224 if (buf == NULL) { 225 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BIO_LIB); 226 return 0; 227 } 228 ssl3_free_digest_list(s); 229 s->s3.handshake_buffer = buf; 230 (void)BIO_set_close(s->s3.handshake_buffer, BIO_CLOSE); 231 return 1; 232 } 233 234 /* 235 * Free digest list. Also frees handshake buffer since they are always freed 236 * together. 237 */ 238 239 void ssl3_free_digest_list(SSL_CONNECTION *s) 240 { 241 BIO_free(s->s3.handshake_buffer); 242 s->s3.handshake_buffer = NULL; 243 EVP_MD_CTX_free(s->s3.handshake_dgst); 244 s->s3.handshake_dgst = NULL; 245 } 246 247 int ssl3_finish_mac(SSL_CONNECTION *s, const unsigned char *buf, size_t len) 248 { 249 int ret; 250 251 if (s->s3.handshake_dgst == NULL) { 252 /* Note: this writes to a memory BIO so a failure is a fatal error */ 253 if (len > INT_MAX) { 254 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_OVERFLOW_ERROR); 255 return 0; 256 } 257 ret = BIO_write(s->s3.handshake_buffer, (void *)buf, (int)len); 258 if (ret <= 0 || ret != (int)len) { 259 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 260 return 0; 261 } 262 } else { 263 ret = EVP_DigestUpdate(s->s3.handshake_dgst, buf, len); 264 if (!ret) { 265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 266 return 0; 267 } 268 } 269 return 1; 270 } 271 272 int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep) 273 { 274 const EVP_MD *md; 275 long hdatalen; 276 void *hdata; 277 278 if (s->s3.handshake_dgst == NULL) { 279 hdatalen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata); 280 if (hdatalen <= 0) { 281 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH); 282 return 0; 283 } 284 285 s->s3.handshake_dgst = EVP_MD_CTX_new(); 286 if (s->s3.handshake_dgst == NULL) { 287 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 288 return 0; 289 } 290 291 md = ssl_handshake_md(s); 292 if (md == NULL) { 293 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 294 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM); 295 return 0; 296 } 297 if (!EVP_DigestInit_ex(s->s3.handshake_dgst, md, NULL) 298 || !EVP_DigestUpdate(s->s3.handshake_dgst, hdata, hdatalen)) { 299 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 300 return 0; 301 } 302 } 303 if (keep == 0) { 304 BIO_free(s->s3.handshake_buffer); 305 s->s3.handshake_buffer = NULL; 306 } 307 308 return 1; 309 } 310 311 void ssl3_digest_master_key_set_params(const SSL_SESSION *session, 312 OSSL_PARAM params[]) 313 { 314 int n = 0; 315 params[n++] = OSSL_PARAM_construct_octet_string(OSSL_DIGEST_PARAM_SSL3_MS, 316 (void *)session->master_key, 317 session->master_key_length); 318 params[n++] = OSSL_PARAM_construct_end(); 319 } 320 321 size_t ssl3_final_finish_mac(SSL_CONNECTION *s, const char *sender, size_t len, 322 unsigned char *p) 323 { 324 int ret; 325 EVP_MD_CTX *ctx = NULL; 326 327 if (!ssl3_digest_cached_records(s, 0)) { 328 /* SSLfatal() already called */ 329 return 0; 330 } 331 332 if (EVP_MD_CTX_get_type(s->s3.handshake_dgst) != NID_md5_sha1) { 333 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_REQUIRED_DIGEST); 334 return 0; 335 } 336 337 ctx = EVP_MD_CTX_new(); 338 if (ctx == NULL) { 339 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 340 return 0; 341 } 342 if (!EVP_MD_CTX_copy_ex(ctx, s->s3.handshake_dgst)) { 343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 344 ret = 0; 345 goto err; 346 } 347 348 ret = EVP_MD_CTX_get_size(ctx); 349 if (ret < 0) { 350 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 351 ret = 0; 352 goto err; 353 } 354 355 if (sender != NULL) { 356 OSSL_PARAM digest_cmd_params[3]; 357 358 ssl3_digest_master_key_set_params(s->session, digest_cmd_params); 359 360 if (EVP_DigestUpdate(ctx, sender, len) <= 0 361 || EVP_MD_CTX_set_params(ctx, digest_cmd_params) <= 0 362 || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) { 363 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 364 ret = 0; 365 } 366 } 367 368 err: 369 EVP_MD_CTX_free(ctx); 370 371 return ret; 372 } 373 374 int ssl3_generate_master_secret(SSL_CONNECTION *s, unsigned char *out, 375 unsigned char *p, 376 size_t len, size_t *secret_size) 377 { 378 static const unsigned char *const salt[3] = { 379 #ifndef CHARSET_EBCDIC 380 (const unsigned char *)"A", 381 (const unsigned char *)"BB", 382 (const unsigned char *)"CCC", 383 #else 384 (const unsigned char *)"\x41", 385 (const unsigned char *)"\x42\x42", 386 (const unsigned char *)"\x43\x43\x43", 387 #endif 388 }; 389 unsigned char buf[EVP_MAX_MD_SIZE]; 390 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 391 int i, ret = 1; 392 unsigned int n; 393 size_t ret_secret_size = 0; 394 395 if (ctx == NULL) { 396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 397 return 0; 398 } 399 for (i = 0; i < 3; i++) { 400 if (EVP_DigestInit_ex(ctx, SSL_CONNECTION_GET_CTX(s)->sha1, NULL) <= 0 401 || EVP_DigestUpdate(ctx, salt[i], 402 strlen((const char *)salt[i])) 403 <= 0 404 || EVP_DigestUpdate(ctx, p, len) <= 0 405 || EVP_DigestUpdate(ctx, &(s->s3.client_random[0]), 406 SSL3_RANDOM_SIZE) 407 <= 0 408 || EVP_DigestUpdate(ctx, &(s->s3.server_random[0]), 409 SSL3_RANDOM_SIZE) 410 <= 0 411 || EVP_DigestFinal_ex(ctx, buf, &n) <= 0 412 || EVP_DigestInit_ex(ctx, SSL_CONNECTION_GET_CTX(s)->md5, NULL) <= 0 413 || EVP_DigestUpdate(ctx, p, len) <= 0 414 || EVP_DigestUpdate(ctx, buf, n) <= 0 415 || EVP_DigestFinal_ex(ctx, out, &n) <= 0) { 416 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 417 ret = 0; 418 break; 419 } 420 out += n; 421 ret_secret_size += n; 422 } 423 EVP_MD_CTX_free(ctx); 424 425 OPENSSL_cleanse(buf, sizeof(buf)); 426 if (ret) 427 *secret_size = ret_secret_size; 428 return ret; 429 } 430 431 int ssl3_alert_code(int code) 432 { 433 switch (code) { 434 case SSL_AD_CLOSE_NOTIFY: 435 return SSL3_AD_CLOSE_NOTIFY; 436 case SSL_AD_UNEXPECTED_MESSAGE: 437 return SSL3_AD_UNEXPECTED_MESSAGE; 438 case SSL_AD_BAD_RECORD_MAC: 439 return SSL3_AD_BAD_RECORD_MAC; 440 case SSL_AD_DECRYPTION_FAILED: 441 return SSL3_AD_BAD_RECORD_MAC; 442 case SSL_AD_RECORD_OVERFLOW: 443 return SSL3_AD_BAD_RECORD_MAC; 444 case SSL_AD_DECOMPRESSION_FAILURE: 445 return SSL3_AD_DECOMPRESSION_FAILURE; 446 case SSL_AD_HANDSHAKE_FAILURE: 447 return SSL3_AD_HANDSHAKE_FAILURE; 448 case SSL_AD_NO_CERTIFICATE: 449 return SSL3_AD_NO_CERTIFICATE; 450 case SSL_AD_BAD_CERTIFICATE: 451 return SSL3_AD_BAD_CERTIFICATE; 452 case SSL_AD_UNSUPPORTED_CERTIFICATE: 453 return SSL3_AD_UNSUPPORTED_CERTIFICATE; 454 case SSL_AD_CERTIFICATE_REVOKED: 455 return SSL3_AD_CERTIFICATE_REVOKED; 456 case SSL_AD_CERTIFICATE_EXPIRED: 457 return SSL3_AD_CERTIFICATE_EXPIRED; 458 case SSL_AD_CERTIFICATE_UNKNOWN: 459 return SSL3_AD_CERTIFICATE_UNKNOWN; 460 case SSL_AD_ILLEGAL_PARAMETER: 461 return SSL3_AD_ILLEGAL_PARAMETER; 462 case SSL_AD_UNKNOWN_CA: 463 return SSL3_AD_BAD_CERTIFICATE; 464 case SSL_AD_ACCESS_DENIED: 465 return SSL3_AD_HANDSHAKE_FAILURE; 466 case SSL_AD_DECODE_ERROR: 467 return SSL3_AD_HANDSHAKE_FAILURE; 468 case SSL_AD_DECRYPT_ERROR: 469 return SSL3_AD_HANDSHAKE_FAILURE; 470 case SSL_AD_EXPORT_RESTRICTION: 471 return SSL3_AD_HANDSHAKE_FAILURE; 472 case SSL_AD_PROTOCOL_VERSION: 473 return SSL3_AD_HANDSHAKE_FAILURE; 474 case SSL_AD_INSUFFICIENT_SECURITY: 475 return SSL3_AD_HANDSHAKE_FAILURE; 476 case SSL_AD_INTERNAL_ERROR: 477 return SSL3_AD_HANDSHAKE_FAILURE; 478 case SSL_AD_USER_CANCELLED: 479 return SSL3_AD_HANDSHAKE_FAILURE; 480 case SSL_AD_NO_RENEGOTIATION: 481 return -1; /* Don't send it :-) */ 482 case SSL_AD_UNSUPPORTED_EXTENSION: 483 return SSL3_AD_HANDSHAKE_FAILURE; 484 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 485 return SSL3_AD_HANDSHAKE_FAILURE; 486 case SSL_AD_UNRECOGNIZED_NAME: 487 return SSL3_AD_HANDSHAKE_FAILURE; 488 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 489 return SSL3_AD_HANDSHAKE_FAILURE; 490 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 491 return SSL3_AD_HANDSHAKE_FAILURE; 492 case SSL_AD_UNKNOWN_PSK_IDENTITY: 493 return TLS1_AD_UNKNOWN_PSK_IDENTITY; 494 case SSL_AD_INAPPROPRIATE_FALLBACK: 495 return TLS1_AD_INAPPROPRIATE_FALLBACK; 496 case SSL_AD_NO_APPLICATION_PROTOCOL: 497 return TLS1_AD_NO_APPLICATION_PROTOCOL; 498 case SSL_AD_CERTIFICATE_REQUIRED: 499 return SSL_AD_HANDSHAKE_FAILURE; 500 case TLS13_AD_MISSING_EXTENSION: 501 return SSL_AD_HANDSHAKE_FAILURE; 502 default: 503 return -1; 504 } 505 } 506
Indexes created Sun Mar 01 05:31:48 UTC 2026