CoCalc -- s3

GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/openssl/ssl/s3_enc.c
⁴⁸¹⁵⁰ views
1
/*
2
 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright 2005 Nokia. All rights reserved.
4
 *
5
 * Licensed under the Apache License 2.0 (the "License").  You may not use
6
 * this file except in compliance with the License.  You can obtain a copy
7
 * in the file LICENSE in the source distribution or at
8
 * https://www.openssl.org/source/license.html
9
 */
10

11
#include <stdio.h>
12
#include "ssl_local.h"
13
#include <openssl/evp.h>
14
#include <openssl/md5.h>
15
#include <openssl/core_names.h>
16
#include "internal/cryptlib.h"
17
#include "internal/ssl_unwrap.h"
18

19
static int ssl3_generate_key_block(SSL_CONNECTION *s, unsigned char *km, int num)
20
{
21
    const EVP_MD *md5 = NULL, *sha1 = NULL;
22
    EVP_MD_CTX *m5;
23
    EVP_MD_CTX *s1;
24
    unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
25
    unsigned char c = 'A';
26
    unsigned int i, k;
27
    int ret = 0;
28
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
29

30
#ifdef CHARSET_EBCDIC
31
    c = os_toascii[c];          /* 'A' in ASCII */
32
#endif
33
    k = 0;
34
    md5 = ssl_evp_md_fetch(sctx->libctx, NID_md5, sctx->propq);
35
    sha1 = ssl_evp_md_fetch(sctx->libctx, NID_sha1, sctx->propq);
36
    m5 = EVP_MD_CTX_new();
37
    s1 = EVP_MD_CTX_new();
38
    if (md5 == NULL || sha1 == NULL || m5 == NULL || s1 == NULL) {
39
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
40
        goto err;
41
    }
42
    for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
43
        k++;
44
        if (k > sizeof(buf)) {
45
            /* bug: 'buf' is too small for this ciphersuite */
46
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
47
            goto err;
48
        }
49

50
        memset(buf, c, k);
51
        c++;
52
        if (!EVP_DigestInit_ex(s1, sha1, NULL)
53
            || !EVP_DigestUpdate(s1, buf, k)
54
            || !EVP_DigestUpdate(s1, s->session->master_key,
55
                                 s->session->master_key_length)
56
            || !EVP_DigestUpdate(s1, s->s3.server_random, SSL3_RANDOM_SIZE)
57
            || !EVP_DigestUpdate(s1, s->s3.client_random, SSL3_RANDOM_SIZE)
58
            || !EVP_DigestFinal_ex(s1, smd, NULL)
59
            || !EVP_DigestInit_ex(m5, md5, NULL)
60
            || !EVP_DigestUpdate(m5, s->session->master_key,
61
                                 s->session->master_key_length)
62
            || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) {
63
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
64
            goto err;
65
        }
66
        if ((int)(i + MD5_DIGEST_LENGTH) > num) {
67
            if (!EVP_DigestFinal_ex(m5, smd, NULL)) {
68
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
69
                goto err;
70
            }
71
            memcpy(km, smd, (num - i));
72
        } else {
73
            if (!EVP_DigestFinal_ex(m5, km, NULL)) {
74
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
75
                goto err;
76
            }
77
        }
78

79
        km += MD5_DIGEST_LENGTH;
80
    }
81
    OPENSSL_cleanse(smd, sizeof(smd));
82
    ret = 1;
83
 err:
84
    EVP_MD_CTX_free(m5);
85
    EVP_MD_CTX_free(s1);
86
    ssl_evp_md_free(md5);
87
    ssl_evp_md_free(sha1);
88
    return ret;
89
}
90

91
int ssl3_change_cipher_state(SSL_CONNECTION *s, int which)
92
{
93
    unsigned char *p, *mac_secret;
94
    size_t md_len;
95
    unsigned char *key, *iv;
96
    const EVP_CIPHER *ciph;
97
    const SSL_COMP *comp = NULL;
98
    const EVP_MD *md;
99
    int mdi;
100
    size_t n, iv_len, key_len;
101
    int direction = (which & SSL3_CC_READ) != 0 ? OSSL_RECORD_DIRECTION_READ
102
                                                : OSSL_RECORD_DIRECTION_WRITE;
103

104
    ciph = s->s3.tmp.new_sym_enc;
105
    md = s->s3.tmp.new_hash;
106
    /* m == NULL will lead to a crash later */
107
    if (!ossl_assert(md != NULL)) {
108
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
109
        goto err;
110
    }
111
#ifndef OPENSSL_NO_COMP
112
    comp = s->s3.tmp.new_compression;
113
#endif
114

115
    p = s->s3.tmp.key_block;
116
    mdi = EVP_MD_get_size(md);
117
    if (mdi <= 0) {
118
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
119
        goto err;
120
    }
121
    md_len = (size_t)mdi;
122
    key_len = EVP_CIPHER_get_key_length(ciph);
123
    iv_len = EVP_CIPHER_get_iv_length(ciph);
124

125
    if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
126
        (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
127
        mac_secret = &(p[0]);
128
        n = md_len + md_len;
129
        key = &(p[n]);
130
        n += key_len + key_len;
131
        iv = &(p[n]);
132
        n += iv_len + iv_len;
133
    } else {
134
        n = md_len;
135
        mac_secret = &(p[n]);
136
        n += md_len + key_len;
137
        key = &(p[n]);
138
        n += key_len + iv_len;
139
        iv = &(p[n]);
140
        n += iv_len;
141
    }
142

143
    if (n > s->s3.tmp.key_block_length) {
144
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
145
        goto err;
146
    }
147

148
    if (!ssl_set_new_record_layer(s, SSL3_VERSION,
149
                                  direction,
150
                                  OSSL_RECORD_PROTECTION_LEVEL_APPLICATION,
151
                                  NULL, 0, key, key_len, iv, iv_len, mac_secret,
152
                                  md_len, ciph, 0, NID_undef, md, comp, NULL)) {
153
        /* SSLfatal already called */
154
        goto err;
155
    }
156

157
    return 1;
158
 err:
159
    return 0;
160
}
161

162
int ssl3_setup_key_block(SSL_CONNECTION *s)
163
{
164
    unsigned char *p;
165
    const EVP_CIPHER *c;
166
    const EVP_MD *hash;
167
    int num;
168
    int ret = 0;
169
    SSL_COMP *comp;
170

171
    if (s->s3.tmp.key_block_length != 0)
172
        return 1;
173

174
    if (!ssl_cipher_get_evp(SSL_CONNECTION_GET_CTX(s), s->session, &c, &hash,
175
                            NULL, NULL, &comp, 0)) {
176
        /* Error is already recorded */
177
        SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
178
        return 0;
179
    }
180

181
    ssl_evp_cipher_free(s->s3.tmp.new_sym_enc);
182
    s->s3.tmp.new_sym_enc = c;
183
    ssl_evp_md_free(s->s3.tmp.new_hash);
184
    s->s3.tmp.new_hash = hash;
185
#ifdef OPENSSL_NO_COMP
186
    s->s3.tmp.new_compression = NULL;
187
#else
188
    s->s3.tmp.new_compression = comp;
189
#endif
190

191
    num = EVP_MD_get_size(hash);
192
    if (num <= 0)
193
        return 0;
194

195
    num = EVP_CIPHER_get_key_length(c) + num + EVP_CIPHER_get_iv_length(c);
196
    num *= 2;
197

198
    ssl3_cleanup_key_block(s);
199

200
    if ((p = OPENSSL_malloc(num)) == NULL) {
201
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
202
        return 0;
203
    }
204

205
    s->s3.tmp.key_block_length = num;
206
    s->s3.tmp.key_block = p;
207

208
    /* Calls SSLfatal() as required */
209
    ret = ssl3_generate_key_block(s, p, num);
210

211
    return ret;
212
}
213

214
void ssl3_cleanup_key_block(SSL_CONNECTION *s)
215
{
216
    OPENSSL_clear_free(s->s3.tmp.key_block, s->s3.tmp.key_block_length);
217
    s->s3.tmp.key_block = NULL;
218
    s->s3.tmp.key_block_length = 0;
219
}
220

221
int ssl3_init_finished_mac(SSL_CONNECTION *s)
222
{
223
    BIO *buf = BIO_new(BIO_s_mem());
224

225
    if (buf == NULL) {
226
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BIO_LIB);
227
        return 0;
228
    }
229
    ssl3_free_digest_list(s);
230
    s->s3.handshake_buffer = buf;
231
    (void)BIO_set_close(s->s3.handshake_buffer, BIO_CLOSE);
232
    return 1;
233
}
234

235
/*
236
 * Free digest list. Also frees handshake buffer since they are always freed
237
 * together.
238
 */
239

240
void ssl3_free_digest_list(SSL_CONNECTION *s)
241
{
242
    BIO_free(s->s3.handshake_buffer);
243
    s->s3.handshake_buffer = NULL;
244
    EVP_MD_CTX_free(s->s3.handshake_dgst);
245
    s->s3.handshake_dgst = NULL;
246
}
247

248
int ssl3_finish_mac(SSL_CONNECTION *s, const unsigned char *buf, size_t len)
249
{
250
    int ret;
251

252
    if (s->s3.handshake_dgst == NULL) {
253
        /* Note: this writes to a memory BIO so a failure is a fatal error */
254
        if (len > INT_MAX) {
255
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_OVERFLOW_ERROR);
256
            return 0;
257
        }
258
        ret = BIO_write(s->s3.handshake_buffer, (void *)buf, (int)len);
259
        if (ret <= 0 || ret != (int)len) {
260
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
261
            return 0;
262
        }
263
    } else {
264
        ret = EVP_DigestUpdate(s->s3.handshake_dgst, buf, len);
265
        if (!ret) {
266
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
267
            return 0;
268
        }
269
    }
270
    return 1;
271
}
272

273
int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep)
274
{
275
    const EVP_MD *md;
276
    long hdatalen;
277
    void *hdata;
278

279
    if (s->s3.handshake_dgst == NULL) {
280
        hdatalen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata);
281
        if (hdatalen <= 0) {
282
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH);
283
            return 0;
284
        }
285

286
        s->s3.handshake_dgst = EVP_MD_CTX_new();
287
        if (s->s3.handshake_dgst == NULL) {
288
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
289
            return 0;
290
        }
291

292
        md = ssl_handshake_md(s);
293
        if (md == NULL) {
294
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
295
                     SSL_R_NO_SUITABLE_DIGEST_ALGORITHM);
296
            return 0;
297
        }
298
        if (!EVP_DigestInit_ex(s->s3.handshake_dgst, md, NULL)
299
            || !EVP_DigestUpdate(s->s3.handshake_dgst, hdata, hdatalen)) {
300
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
301
            return 0;
302
        }
303
    }
304
    if (keep == 0) {
305
        BIO_free(s->s3.handshake_buffer);
306
        s->s3.handshake_buffer = NULL;
307
    }
308

309
    return 1;
310
}
311

312
void ssl3_digest_master_key_set_params(const SSL_SESSION *session,
313
                                       OSSL_PARAM params[])
314
{
315
    int n = 0;
316
    params[n++] = OSSL_PARAM_construct_octet_string(OSSL_DIGEST_PARAM_SSL3_MS,
317
                                                    (void *)session->master_key,
318
                                                    session->master_key_length);
319
    params[n++] = OSSL_PARAM_construct_end();
320
}
321

322
size_t ssl3_final_finish_mac(SSL_CONNECTION *s, const char *sender, size_t len,
323
                             unsigned char *p)
324
{
325
    int ret;
326
    EVP_MD_CTX *ctx = NULL;
327

328
    if (!ssl3_digest_cached_records(s, 0)) {
329
        /* SSLfatal() already called */
330
        return 0;
331
    }
332

333
    if (EVP_MD_CTX_get_type(s->s3.handshake_dgst) != NID_md5_sha1) {
334
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_REQUIRED_DIGEST);
335
        return 0;
336
    }
337

338
    ctx = EVP_MD_CTX_new();
339
    if (ctx == NULL) {
340
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
341
        return 0;
342
    }
343
    if (!EVP_MD_CTX_copy_ex(ctx, s->s3.handshake_dgst)) {
344
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
345
        ret = 0;
346
        goto err;
347
    }
348

349
    ret = EVP_MD_CTX_get_size(ctx);
350
    if (ret < 0) {
351
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
352
        ret = 0;
353
        goto err;
354
    }
355

356
    if (sender != NULL) {
357
        OSSL_PARAM digest_cmd_params[3];
358

359
        ssl3_digest_master_key_set_params(s->session, digest_cmd_params);
360

361
        if (EVP_DigestUpdate(ctx, sender, len) <= 0
362
            || EVP_MD_CTX_set_params(ctx, digest_cmd_params) <= 0
363
            || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) {
364
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
365
                ret = 0;
366
        }
367
    }
368

369
 err:
370
    EVP_MD_CTX_free(ctx);
371

372
    return ret;
373
}
374

375
int ssl3_generate_master_secret(SSL_CONNECTION *s, unsigned char *out,
376
                                unsigned char *p,
377
                                size_t len, size_t *secret_size)
378
{
379
    static const unsigned char *const salt[3] = {
380
#ifndef CHARSET_EBCDIC
381
        (const unsigned char *)"A",
382
        (const unsigned char *)"BB",
383
        (const unsigned char *)"CCC",
384
#else
385
        (const unsigned char *)"\x41",
386
        (const unsigned char *)"\x42\x42",
387
        (const unsigned char *)"\x43\x43\x43",
388
#endif
389
    };
390
    unsigned char buf[EVP_MAX_MD_SIZE];
391
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
392
    int i, ret = 1;
393
    unsigned int n;
394
    size_t ret_secret_size = 0;
395

396
    if (ctx == NULL) {
397
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
398
        return 0;
399
    }
400
    for (i = 0; i < 3; i++) {
401
        if (EVP_DigestInit_ex(ctx, SSL_CONNECTION_GET_CTX(s)->sha1, NULL) <= 0
402
            || EVP_DigestUpdate(ctx, salt[i],
403
                                strlen((const char *)salt[i])) <= 0
404
            || EVP_DigestUpdate(ctx, p, len) <= 0
405
            || EVP_DigestUpdate(ctx, &(s->s3.client_random[0]),
406
                                SSL3_RANDOM_SIZE) <= 0
407
            || EVP_DigestUpdate(ctx, &(s->s3.server_random[0]),
408
                                SSL3_RANDOM_SIZE) <= 0
409
            || EVP_DigestFinal_ex(ctx, buf, &n) <= 0
410
            || EVP_DigestInit_ex(ctx, SSL_CONNECTION_GET_CTX(s)->md5, NULL) <= 0
411
            || EVP_DigestUpdate(ctx, p, len) <= 0
412
            || EVP_DigestUpdate(ctx, buf, n) <= 0
413
            || EVP_DigestFinal_ex(ctx, out, &n) <= 0) {
414
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
415
            ret = 0;
416
            break;
417
        }
418
        out += n;
419
        ret_secret_size += n;
420
    }
421
    EVP_MD_CTX_free(ctx);
422

423
    OPENSSL_cleanse(buf, sizeof(buf));
424
    if (ret)
425
        *secret_size = ret_secret_size;
426
    return ret;
427
}
428

429
int ssl3_alert_code(int code)
430
{
431
    switch (code) {
432
    case SSL_AD_CLOSE_NOTIFY:
433
        return SSL3_AD_CLOSE_NOTIFY;
434
    case SSL_AD_UNEXPECTED_MESSAGE:
435
        return SSL3_AD_UNEXPECTED_MESSAGE;
436
    case SSL_AD_BAD_RECORD_MAC:
437
        return SSL3_AD_BAD_RECORD_MAC;
438
    case SSL_AD_DECRYPTION_FAILED:
439
        return SSL3_AD_BAD_RECORD_MAC;
440
    case SSL_AD_RECORD_OVERFLOW:
441
        return SSL3_AD_BAD_RECORD_MAC;
442
    case SSL_AD_DECOMPRESSION_FAILURE:
443
        return SSL3_AD_DECOMPRESSION_FAILURE;
444
    case SSL_AD_HANDSHAKE_FAILURE:
445
        return SSL3_AD_HANDSHAKE_FAILURE;
446
    case SSL_AD_NO_CERTIFICATE:
447
        return SSL3_AD_NO_CERTIFICATE;
448
    case SSL_AD_BAD_CERTIFICATE:
449
        return SSL3_AD_BAD_CERTIFICATE;
450
    case SSL_AD_UNSUPPORTED_CERTIFICATE:
451
        return SSL3_AD_UNSUPPORTED_CERTIFICATE;
452
    case SSL_AD_CERTIFICATE_REVOKED:
453
        return SSL3_AD_CERTIFICATE_REVOKED;
454
    case SSL_AD_CERTIFICATE_EXPIRED:
455
        return SSL3_AD_CERTIFICATE_EXPIRED;
456
    case SSL_AD_CERTIFICATE_UNKNOWN:
457
        return SSL3_AD_CERTIFICATE_UNKNOWN;
458
    case SSL_AD_ILLEGAL_PARAMETER:
459
        return SSL3_AD_ILLEGAL_PARAMETER;
460
    case SSL_AD_UNKNOWN_CA:
461
        return SSL3_AD_BAD_CERTIFICATE;
462
    case SSL_AD_ACCESS_DENIED:
463
        return SSL3_AD_HANDSHAKE_FAILURE;
464
    case SSL_AD_DECODE_ERROR:
465
        return SSL3_AD_HANDSHAKE_FAILURE;
466
    case SSL_AD_DECRYPT_ERROR:
467
        return SSL3_AD_HANDSHAKE_FAILURE;
468
    case SSL_AD_EXPORT_RESTRICTION:
469
        return SSL3_AD_HANDSHAKE_FAILURE;
470
    case SSL_AD_PROTOCOL_VERSION:
471
        return SSL3_AD_HANDSHAKE_FAILURE;
472
    case SSL_AD_INSUFFICIENT_SECURITY:
473
        return SSL3_AD_HANDSHAKE_FAILURE;
474
    case SSL_AD_INTERNAL_ERROR:
475
        return SSL3_AD_HANDSHAKE_FAILURE;
476
    case SSL_AD_USER_CANCELLED:
477
        return SSL3_AD_HANDSHAKE_FAILURE;
478
    case SSL_AD_NO_RENEGOTIATION:
479
        return -1;            /* Don't send it :-) */
480
    case SSL_AD_UNSUPPORTED_EXTENSION:
481
        return SSL3_AD_HANDSHAKE_FAILURE;
482
    case SSL_AD_CERTIFICATE_UNOBTAINABLE:
483
        return SSL3_AD_HANDSHAKE_FAILURE;
484
    case SSL_AD_UNRECOGNIZED_NAME:
485
        return SSL3_AD_HANDSHAKE_FAILURE;
486
    case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
487
        return SSL3_AD_HANDSHAKE_FAILURE;
488
    case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
489
        return SSL3_AD_HANDSHAKE_FAILURE;
490
    case SSL_AD_UNKNOWN_PSK_IDENTITY:
491
        return TLS1_AD_UNKNOWN_PSK_IDENTITY;
492
    case SSL_AD_INAPPROPRIATE_FALLBACK:
493
        return TLS1_AD_INAPPROPRIATE_FALLBACK;
494
    case SSL_AD_NO_APPLICATION_PROTOCOL:
495
        return TLS1_AD_NO_APPLICATION_PROTOCOL;
496
    case SSL_AD_CERTIFICATE_REQUIRED:
497
        return SSL_AD_HANDSHAKE_FAILURE;
498
    case TLS13_AD_MISSING_EXTENSION:
499
        return SSL_AD_HANDSHAKE_FAILURE;
500
    default:
501
        return -1;
502
    }
503
}
504

505
Product

Resources

Company
