Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssl/ssl/s3_enc.c
106589 views
1
/*

2
 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.

3
 * Copyright 2005 Nokia. All rights reserved.

4
 *

5
 * Licensed under the Apache License 2.0 (the "License").  You may not use

6
 * this file except in compliance with the License.  You can obtain a copy

7
 * in the file LICENSE in the source distribution or at

8
 * https://www.openssl.org/source/license.html

9
 */

10


11
#include <stdio.h>

12
#include "ssl_local.h"

13
#include <openssl/evp.h>

14
#include <openssl/md5.h>

15
#include <openssl/core_names.h>

16
#include "internal/cryptlib.h"

17
#include "internal/ssl_unwrap.h"

18


19
static int ssl3_generate_key_block(SSL_CONNECTION *s, unsigned char *km, int num)

20
{

21
    const EVP_MD *md5 = NULL, *sha1 = NULL;

22
    EVP_MD_CTX *m5;

23
    EVP_MD_CTX *s1;

24
    unsigned char buf[16], smd[SHA_DIGEST_LENGTH];

25
    unsigned char c = 'A';

26
    unsigned int i, k;

27
    int ret = 0;

28
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

29


30
#ifdef CHARSET_EBCDIC

31
    c = os_toascii[c]; /* 'A' in ASCII */

32
#endif

33
    k = 0;

34
    md5 = ssl_evp_md_fetch(sctx->libctx, NID_md5, sctx->propq);

35
    sha1 = ssl_evp_md_fetch(sctx->libctx, NID_sha1, sctx->propq);

36
    m5 = EVP_MD_CTX_new();

37
    s1 = EVP_MD_CTX_new();

38
    if (md5 == NULL || sha1 == NULL || m5 == NULL || s1 == NULL) {

39
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);

40
        goto err;

41
    }

42
    for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {

43
        k++;

44
        if (k > sizeof(buf)) {

45
            /* bug: 'buf' is too small for this ciphersuite */

46
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

47
            goto err;

48
        }

49


50
        memset(buf, c, k);

51
        c++;

52
        if (!EVP_DigestInit_ex(s1, sha1, NULL)

53
            || !EVP_DigestUpdate(s1, buf, k)

54
            || !EVP_DigestUpdate(s1, s->session->master_key,

55
                s->session->master_key_length)

56
            || !EVP_DigestUpdate(s1, s->s3.server_random, SSL3_RANDOM_SIZE)

57
            || !EVP_DigestUpdate(s1, s->s3.client_random, SSL3_RANDOM_SIZE)

58
            || !EVP_DigestFinal_ex(s1, smd, NULL)

59
            || !EVP_DigestInit_ex(m5, md5, NULL)

60
            || !EVP_DigestUpdate(m5, s->session->master_key,

61
                s->session->master_key_length)

62
            || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) {

63
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

64
            goto err;

65
        }

66
        if ((int)(i + MD5_DIGEST_LENGTH) > num) {

67
            if (!EVP_DigestFinal_ex(m5, smd, NULL)) {

68
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

69
                goto err;

70
            }

71
            memcpy(km, smd, (num - i));

72
        } else {

73
            if (!EVP_DigestFinal_ex(m5, km, NULL)) {

74
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

75
                goto err;

76
            }

77
        }

78


79
        km += MD5_DIGEST_LENGTH;

80
    }

81
    OPENSSL_cleanse(smd, sizeof(smd));

82
    ret = 1;

83
err:

84
    EVP_MD_CTX_free(m5);

85
    EVP_MD_CTX_free(s1);

86
    ssl_evp_md_free(md5);

87
    ssl_evp_md_free(sha1);

88
    return ret;

89
}

90


91
int ssl3_change_cipher_state(SSL_CONNECTION *s, int which)

92
{

93
    unsigned char *p, *mac_secret;

94
    size_t md_len;

95
    unsigned char *key, *iv;

96
    const EVP_CIPHER *ciph;

97
    const SSL_COMP *comp = NULL;

98
    const EVP_MD *md;

99
    int mdi;

100
    size_t n, iv_len, key_len;

101
    int direction = (which & SSL3_CC_READ) != 0 ? OSSL_RECORD_DIRECTION_READ

102
                                                : OSSL_RECORD_DIRECTION_WRITE;

103


104
    ciph = s->s3.tmp.new_sym_enc;

105
    md = s->s3.tmp.new_hash;

106
    /* m == NULL will lead to a crash later */

107
    if (!ossl_assert(md != NULL)) {

108
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

109
        goto err;

110
    }

111
#ifndef OPENSSL_NO_COMP

112
    comp = s->s3.tmp.new_compression;

113
#endif

114


115
    p = s->s3.tmp.key_block;

116
    mdi = EVP_MD_get_size(md);

117
    if (mdi <= 0) {

118
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

119
        goto err;

120
    }

121
    md_len = (size_t)mdi;

122
    key_len = EVP_CIPHER_get_key_length(ciph);

123
    iv_len = EVP_CIPHER_get_iv_length(ciph);

124


125
    if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {

126
        mac_secret = &(p[0]);

127
        n = md_len + md_len;

128
        key = &(p[n]);

129
        n += key_len + key_len;

130
        iv = &(p[n]);

131
        n += iv_len + iv_len;

132
    } else {

133
        n = md_len;

134
        mac_secret = &(p[n]);

135
        n += md_len + key_len;

136
        key = &(p[n]);

137
        n += key_len + iv_len;

138
        iv = &(p[n]);

139
        n += iv_len;

140
    }

141


142
    if (n > s->s3.tmp.key_block_length) {

143
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

144
        goto err;

145
    }

146


147
    if (!ssl_set_new_record_layer(s, SSL3_VERSION,

148
            direction,

149
            OSSL_RECORD_PROTECTION_LEVEL_APPLICATION,

150
            NULL, 0, key, key_len, iv, iv_len, mac_secret,

151
            md_len, ciph, 0, NID_undef, md, comp, NULL)) {

152
        /* SSLfatal already called */

153
        goto err;

154
    }

155


156
    return 1;

157
err:

158
    return 0;

159
}

160


161
int ssl3_setup_key_block(SSL_CONNECTION *s)

162
{

163
    unsigned char *p;

164
    const EVP_CIPHER *c;

165
    const EVP_MD *hash;

166
    int num;

167
    int ret = 0;

168
    SSL_COMP *comp;

169


170
    if (s->s3.tmp.key_block_length != 0)

171
        return 1;

172


173
    if (!ssl_cipher_get_evp(SSL_CONNECTION_GET_CTX(s), s->session, &c, &hash,

174
            NULL, NULL, &comp, 0)) {

175
        /* Error is already recorded */

176
        SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);

177
        return 0;

178
    }

179


180
    ssl_evp_cipher_free(s->s3.tmp.new_sym_enc);

181
    s->s3.tmp.new_sym_enc = c;

182
    ssl_evp_md_free(s->s3.tmp.new_hash);

183
    s->s3.tmp.new_hash = hash;

184
#ifdef OPENSSL_NO_COMP

185
    s->s3.tmp.new_compression = NULL;

186
#else

187
    s->s3.tmp.new_compression = comp;

188
#endif

189


190
    num = EVP_MD_get_size(hash);

191
    if (num <= 0)

192
        return 0;

193


194
    num = EVP_CIPHER_get_key_length(c) + num + EVP_CIPHER_get_iv_length(c);

195
    num *= 2;

196


197
    ssl3_cleanup_key_block(s);

198


199
    if ((p = OPENSSL_malloc(num)) == NULL) {

200
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);

201
        return 0;

202
    }

203


204
    s->s3.tmp.key_block_length = num;

205
    s->s3.tmp.key_block = p;

206


207
    /* Calls SSLfatal() as required */

208
    ret = ssl3_generate_key_block(s, p, num);

209


210
    return ret;

211
}

212


213
void ssl3_cleanup_key_block(SSL_CONNECTION *s)

214
{

215
    OPENSSL_clear_free(s->s3.tmp.key_block, s->s3.tmp.key_block_length);

216
    s->s3.tmp.key_block = NULL;

217
    s->s3.tmp.key_block_length = 0;

218
}

219


220
int ssl3_init_finished_mac(SSL_CONNECTION *s)

221
{

222
    BIO *buf = BIO_new(BIO_s_mem());

223


224
    if (buf == NULL) {

225
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BIO_LIB);

226
        return 0;

227
    }

228
    ssl3_free_digest_list(s);

229
    s->s3.handshake_buffer = buf;

230
    (void)BIO_set_close(s->s3.handshake_buffer, BIO_CLOSE);

231
    return 1;

232
}

233


234
/*

235
 * Free digest list. Also frees handshake buffer since they are always freed

236
 * together.

237
 */

238


239
void ssl3_free_digest_list(SSL_CONNECTION *s)

240
{

241
    BIO_free(s->s3.handshake_buffer);

242
    s->s3.handshake_buffer = NULL;

243
    EVP_MD_CTX_free(s->s3.handshake_dgst);

244
    s->s3.handshake_dgst = NULL;

245
}

246


247
int ssl3_finish_mac(SSL_CONNECTION *s, const unsigned char *buf, size_t len)

248
{

249
    int ret;

250


251
    if (s->s3.handshake_dgst == NULL) {

252
        /* Note: this writes to a memory BIO so a failure is a fatal error */

253
        if (len > INT_MAX) {

254
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_OVERFLOW_ERROR);

255
            return 0;

256
        }

257
        ret = BIO_write(s->s3.handshake_buffer, (void *)buf, (int)len);

258
        if (ret <= 0 || ret != (int)len) {

259
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

260
            return 0;

261
        }

262
    } else {

263
        ret = EVP_DigestUpdate(s->s3.handshake_dgst, buf, len);

264
        if (!ret) {

265
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

266
            return 0;

267
        }

268
    }

269
    return 1;

270
}

271


272
int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep)

273
{

274
    const EVP_MD *md;

275
    long hdatalen;

276
    void *hdata;

277


278
    if (s->s3.handshake_dgst == NULL) {

279
        hdatalen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata);

280
        if (hdatalen <= 0) {

281
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH);

282
            return 0;

283
        }

284


285
        s->s3.handshake_dgst = EVP_MD_CTX_new();

286
        if (s->s3.handshake_dgst == NULL) {

287
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);

288
            return 0;

289
        }

290


291
        md = ssl_handshake_md(s);

292
        if (md == NULL) {

293
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,

294
                SSL_R_NO_SUITABLE_DIGEST_ALGORITHM);

295
            return 0;

296
        }

297
        if (!EVP_DigestInit_ex(s->s3.handshake_dgst, md, NULL)

298
            || !EVP_DigestUpdate(s->s3.handshake_dgst, hdata, hdatalen)) {

299
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

300
            return 0;

301
        }

302
    }

303
    if (keep == 0) {

304
        BIO_free(s->s3.handshake_buffer);

305
        s->s3.handshake_buffer = NULL;

306
    }

307


308
    return 1;

309
}

310


311
void ssl3_digest_master_key_set_params(const SSL_SESSION *session,

312
    OSSL_PARAM params[])

313
{

314
    int n = 0;

315
    params[n++] = OSSL_PARAM_construct_octet_string(OSSL_DIGEST_PARAM_SSL3_MS,

316
        (void *)session->master_key,

317
        session->master_key_length);

318
    params[n++] = OSSL_PARAM_construct_end();

319
}

320


321
size_t ssl3_final_finish_mac(SSL_CONNECTION *s, const char *sender, size_t len,

322
    unsigned char *p)

323
{

324
    int ret;

325
    EVP_MD_CTX *ctx = NULL;

326


327
    if (!ssl3_digest_cached_records(s, 0)) {

328
        /* SSLfatal() already called */

329
        return 0;

330
    }

331


332
    if (EVP_MD_CTX_get_type(s->s3.handshake_dgst) != NID_md5_sha1) {

333
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_REQUIRED_DIGEST);

334
        return 0;

335
    }

336


337
    ctx = EVP_MD_CTX_new();

338
    if (ctx == NULL) {

339
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);

340
        return 0;

341
    }

342
    if (!EVP_MD_CTX_copy_ex(ctx, s->s3.handshake_dgst)) {

343
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

344
        ret = 0;

345
        goto err;

346
    }

347


348
    ret = EVP_MD_CTX_get_size(ctx);

349
    if (ret < 0) {

350
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

351
        ret = 0;

352
        goto err;

353
    }

354


355
    if (sender != NULL) {

356
        OSSL_PARAM digest_cmd_params[3];

357


358
        ssl3_digest_master_key_set_params(s->session, digest_cmd_params);

359


360
        if (EVP_DigestUpdate(ctx, sender, len) <= 0

361
            || EVP_MD_CTX_set_params(ctx, digest_cmd_params) <= 0

362
            || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) {

363
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

364
            ret = 0;

365
        }

366
    }

367


368
err:

369
    EVP_MD_CTX_free(ctx);

370


371
    return ret;

372
}

373


374
int ssl3_generate_master_secret(SSL_CONNECTION *s, unsigned char *out,

375
    unsigned char *p,

376
    size_t len, size_t *secret_size)

377
{

378
    static const unsigned char *const salt[3] = {

379
#ifndef CHARSET_EBCDIC

380
        (const unsigned char *)"A",

381
        (const unsigned char *)"BB",

382
        (const unsigned char *)"CCC",

383
#else

384
        (const unsigned char *)"\x41",

385
        (const unsigned char *)"\x42\x42",

386
        (const unsigned char *)"\x43\x43\x43",

387
#endif

388
    };

389
    unsigned char buf[EVP_MAX_MD_SIZE];

390
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();

391
    int i, ret = 1;

392
    unsigned int n;

393
    size_t ret_secret_size = 0;

394


395
    if (ctx == NULL) {

396
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);

397
        return 0;

398
    }

399
    for (i = 0; i < 3; i++) {

400
        if (EVP_DigestInit_ex(ctx, SSL_CONNECTION_GET_CTX(s)->sha1, NULL) <= 0

401
            || EVP_DigestUpdate(ctx, salt[i],

402
                   strlen((const char *)salt[i]))

403
                <= 0

404
            || EVP_DigestUpdate(ctx, p, len) <= 0

405
            || EVP_DigestUpdate(ctx, &(s->s3.client_random[0]),

406
                   SSL3_RANDOM_SIZE)

407
                <= 0

408
            || EVP_DigestUpdate(ctx, &(s->s3.server_random[0]),

409
                   SSL3_RANDOM_SIZE)

410
                <= 0

411
            || EVP_DigestFinal_ex(ctx, buf, &n) <= 0

412
            || EVP_DigestInit_ex(ctx, SSL_CONNECTION_GET_CTX(s)->md5, NULL) <= 0

413
            || EVP_DigestUpdate(ctx, p, len) <= 0

414
            || EVP_DigestUpdate(ctx, buf, n) <= 0

415
            || EVP_DigestFinal_ex(ctx, out, &n) <= 0) {

416
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

417
            ret = 0;

418
            break;

419
        }

420
        out += n;

421
        ret_secret_size += n;

422
    }

423
    EVP_MD_CTX_free(ctx);

424


425
    OPENSSL_cleanse(buf, sizeof(buf));

426
    if (ret)

427
        *secret_size = ret_secret_size;

428
    return ret;

429
}

430


431
int ssl3_alert_code(int code)

432
{

433
    switch (code) {

434
    case SSL_AD_CLOSE_NOTIFY:

435
        return SSL3_AD_CLOSE_NOTIFY;

436
    case SSL_AD_UNEXPECTED_MESSAGE:

437
        return SSL3_AD_UNEXPECTED_MESSAGE;

438
    case SSL_AD_BAD_RECORD_MAC:

439
        return SSL3_AD_BAD_RECORD_MAC;

440
    case SSL_AD_DECRYPTION_FAILED:

441
        return SSL3_AD_BAD_RECORD_MAC;

442
    case SSL_AD_RECORD_OVERFLOW:

443
        return SSL3_AD_BAD_RECORD_MAC;

444
    case SSL_AD_DECOMPRESSION_FAILURE:

445
        return SSL3_AD_DECOMPRESSION_FAILURE;

446
    case SSL_AD_HANDSHAKE_FAILURE:

447
        return SSL3_AD_HANDSHAKE_FAILURE;

448
    case SSL_AD_NO_CERTIFICATE:

449
        return SSL3_AD_NO_CERTIFICATE;

450
    case SSL_AD_BAD_CERTIFICATE:

451
        return SSL3_AD_BAD_CERTIFICATE;

452
    case SSL_AD_UNSUPPORTED_CERTIFICATE:

453
        return SSL3_AD_UNSUPPORTED_CERTIFICATE;

454
    case SSL_AD_CERTIFICATE_REVOKED:

455
        return SSL3_AD_CERTIFICATE_REVOKED;

456
    case SSL_AD_CERTIFICATE_EXPIRED:

457
        return SSL3_AD_CERTIFICATE_EXPIRED;

458
    case SSL_AD_CERTIFICATE_UNKNOWN:

459
        return SSL3_AD_CERTIFICATE_UNKNOWN;

460
    case SSL_AD_ILLEGAL_PARAMETER:

461
        return SSL3_AD_ILLEGAL_PARAMETER;

462
    case SSL_AD_UNKNOWN_CA:

463
        return SSL3_AD_BAD_CERTIFICATE;

464
    case SSL_AD_ACCESS_DENIED:

465
        return SSL3_AD_HANDSHAKE_FAILURE;

466
    case SSL_AD_DECODE_ERROR:

467
        return SSL3_AD_HANDSHAKE_FAILURE;

468
    case SSL_AD_DECRYPT_ERROR:

469
        return SSL3_AD_HANDSHAKE_FAILURE;

470
    case SSL_AD_EXPORT_RESTRICTION:

471
        return SSL3_AD_HANDSHAKE_FAILURE;

472
    case SSL_AD_PROTOCOL_VERSION:

473
        return SSL3_AD_HANDSHAKE_FAILURE;

474
    case SSL_AD_INSUFFICIENT_SECURITY:

475
        return SSL3_AD_HANDSHAKE_FAILURE;

476
    case SSL_AD_INTERNAL_ERROR:

477
        return SSL3_AD_HANDSHAKE_FAILURE;

478
    case SSL_AD_USER_CANCELLED:

479
        return SSL3_AD_HANDSHAKE_FAILURE;

480
    case SSL_AD_NO_RENEGOTIATION:

481
        return -1; /* Don't send it :-) */

482
    case SSL_AD_UNSUPPORTED_EXTENSION:

483
        return SSL3_AD_HANDSHAKE_FAILURE;

484
    case SSL_AD_CERTIFICATE_UNOBTAINABLE:

485
        return SSL3_AD_HANDSHAKE_FAILURE;

486
    case SSL_AD_UNRECOGNIZED_NAME:

487
        return SSL3_AD_HANDSHAKE_FAILURE;

488
    case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:

489
        return SSL3_AD_HANDSHAKE_FAILURE;

490
    case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:

491
        return SSL3_AD_HANDSHAKE_FAILURE;

492
    case SSL_AD_UNKNOWN_PSK_IDENTITY:

493
        return TLS1_AD_UNKNOWN_PSK_IDENTITY;

494
    case SSL_AD_INAPPROPRIATE_FALLBACK:

495
        return TLS1_AD_INAPPROPRIATE_FALLBACK;

496
    case SSL_AD_NO_APPLICATION_PROTOCOL:

497
        return TLS1_AD_NO_APPLICATION_PROTOCOL;

498
    case SSL_AD_CERTIFICATE_REQUIRED:

499
        return SSL_AD_HANDSHAKE_FAILURE;

500
    case TLS13_AD_MISSING_EXTENSION:

501
        return SSL_AD_HANDSHAKE_FAILURE;

502
    default:

503
        return -1;

504
    }

505
}

506


507