Adam Langley95c29f32014-06-20 12:00:00 -07001/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
David Benjamin820731a2015-07-23 20:01:51 -04007 *
Adam Langley95c29f32014-06-20 12:00:00 -07008 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
David Benjamin820731a2015-07-23 20:01:51 -040014 *
Adam Langley95c29f32014-06-20 12:00:00 -070015 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
David Benjamin820731a2015-07-23 20:01:51 -040021 *
Adam Langley95c29f32014-06-20 12:00:00 -070022 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
David Benjamin820731a2015-07-23 20:01:51 -040036 * 4. If you include any Windows specific code (or a derivative thereof) from
Adam Langley95c29f32014-06-20 12:00:00 -070037 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
David Benjamin820731a2015-07-23 20:01:51 -040039 *
Adam Langley95c29f32014-06-20 12:00:00 -070040 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
David Benjamin820731a2015-07-23 20:01:51 -040051 *
Adam Langley95c29f32014-06-20 12:00:00 -070052 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
David Benjamin820731a2015-07-23 20:01:51 -040065 * notice, this list of conditions and the following disclaimer.
Adam Langley95c29f32014-06-20 12:00:00 -070066 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2005 Nokia. All rights reserved.
112 *
113 * The portions of the attached software ("Contribution") is developed by
114 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
115 * license.
116 *
117 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
118 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
119 * support (see RFC 4279) to OpenSSL.
120 *
121 * No patent licenses or other rights except those expressly stated in
122 * the OpenSSL open source license shall be deemed granted or received
123 * expressly, by implication, estoppel, or otherwise.
124 *
125 * No assurances are provided by Nokia that the Contribution does not
126 * infringe the patent or other intellectual property rights of any third
127 * party or that the license provides you with all the necessary rights
128 * to make use of the Contribution.
129 *
130 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
131 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
132 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
133 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
134 * OTHERWISE. */
135
David Benjamin9e4e01e2015-09-15 01:48:04 -0400136#include <openssl/ssl.h>
137
Adam Langley95c29f32014-06-20 12:00:00 -0700138#include <assert.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400139#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700140
141#include <openssl/err.h>
142#include <openssl/evp.h>
143#include <openssl/mem.h>
144#include <openssl/md5.h>
David Benjamin98193672016-03-25 18:07:11 -0400145#include <openssl/nid.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700146
David Benjamin2ee94aa2015-04-07 22:38:30 -0400147#include "internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700148
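/* ssl3_prf implements the SSLv3 key-expansion PRF. It writes |out_len| bytes
 * to |out|, produced in MD5-sized blocks where the i-th block (1-based) is
 *   MD5(secret || SHA1(("A"+i-1 repeated i times) || secret || seed1 || seed2))
 * |label| and |label_len| are accepted for signature compatibility with the
 * TLS PRF but are ignored, as SSLv3 has no label. At most sizeof(buf) blocks,
 * i.e. 16 * MD5_DIGEST_LENGTH bytes, can be generated; asking for more is an
 * internal error. It returns one on success and zero on error, in which case
 * an error is pushed onto the error queue. Intermediate digest output and
 * both digest contexts are cleansed and released on every return path. */
static int ssl3_prf(const SSL *ssl, uint8_t *out, size_t out_len,
                    const uint8_t *secret, size_t secret_len, const char *label,
                    size_t label_len, const uint8_t *seed1, size_t seed1_len,
                    const uint8_t *seed2, size_t seed2_len) {
  EVP_MD_CTX md5;
  EVP_MD_CTX sha1;
  uint8_t buf[16], smd[SHA_DIGEST_LENGTH];
  uint8_t c = 'A';
  size_t i, j, k;
  int ret = 0;

  /* |label| is ignored for SSLv3. */
  (void)label;
  (void)label_len;

  k = 0;
  EVP_MD_CTX_init(&md5);
  EVP_MD_CTX_init(&sha1);
  for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) {
    k++;
    if (k > sizeof(buf)) {
      /* bug: 'buf' is too small for this ciphersuite */
      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
      goto err;
    }

    /* The k-th block is prefixed by the k-th letter repeated k times:
     * "A", "BB", "CCC", ... */
    for (j = 0; j < k; j++) {
      buf[j] = c;
    }
    c++;
    if (!EVP_DigestInit_ex(&sha1, EVP_sha1(), NULL)) {
      OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
      goto err;
    }
    EVP_DigestUpdate(&sha1, buf, k);
    EVP_DigestUpdate(&sha1, secret, secret_len);
    if (seed1_len) {
      EVP_DigestUpdate(&sha1, seed1, seed1_len);
    }
    if (seed2_len) {
      EVP_DigestUpdate(&sha1, seed2, seed2_len);
    }
    EVP_DigestFinal_ex(&sha1, smd, NULL);

    if (!EVP_DigestInit_ex(&md5, EVP_md5(), NULL)) {
      OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
      goto err;
    }
    EVP_DigestUpdate(&md5, secret, secret_len);
    EVP_DigestUpdate(&md5, smd, SHA_DIGEST_LENGTH);
    if (i + MD5_DIGEST_LENGTH > out_len) {
      /* Final partial block: finish into |smd| and copy only what fits. */
      EVP_DigestFinal_ex(&md5, smd, NULL);
      memcpy(out, smd, out_len - i);
    } else {
      EVP_DigestFinal_ex(&md5, out, NULL);
    }

    out += MD5_DIGEST_LENGTH;
  }

  ret = 1;

err:
  /* Runs on every path, including errors: |smd| holds keying material derived
   * from |secret|, and a context that EVP_DigestInit_ex succeeded on must be
   * cleaned up even if a later step failed. */
  OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
  EVP_MD_CTX_cleanup(&md5);
  EVP_MD_CTX_cleanup(&sha1);

  return ret;
}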
Adam Langley95c29f32014-06-20 12:00:00 -0700211
/* ssl3_init_handshake_buffer drops any existing handshake transcript buffer
 * and rolling handshake hashes on |ssl| and starts a fresh, empty transcript
 * buffer. It returns one on success and zero if the allocation fails (the
 * buffer pointer is then left NULL). */
int ssl3_init_handshake_buffer(SSL *ssl) {
  ssl3_free_handshake_buffer(ssl);
  ssl3_free_handshake_hash(ssl);

  BUF_MEM *transcript = BUF_MEM_new();
  ssl->s3->handshake_buffer = transcript;
  if (transcript == NULL) {
    return 0;
  }
  return 1;
}
Adam Langley95c29f32014-06-20 12:00:00 -0700218
/* init_digest_with_data initialises |ctx| with the digest |md| and then feeds
 * it the |buf->length| bytes held in |buf|. It returns one on success and zero
 * if |EVP_DigestInit_ex| fails, in which case nothing is hashed. */
static int init_digest_with_data(EVP_MD_CTX *ctx, const EVP_MD *md,
                                 const BUF_MEM *buf) {
  int initialised = EVP_DigestInit_ex(ctx, md, NULL);
  if (initialised) {
    EVP_DigestUpdate(ctx, buf->data, buf->length);
    return 1;
  }
  return 0;
}
Adam Langley95c29f32014-06-20 12:00:00 -0700229
/* ssl3_init_handshake_hash resets the rolling handshake hash(es) on |ssl| and
 * seeds them with the transcript accumulated so far in
 * |ssl->s3->handshake_buffer|. The primary hash uses the digest selected by the
 * ciphersuite's PRF algorithm; when that algorithm is SSL_HANDSHAKE_MAC_DEFAULT
 * a parallel MD5 hash is kept as well (the MD5 leg of the pre-TLS 1.2 MD5+SHA1
 * construction). It returns one on success and zero on error. */
int ssl3_init_handshake_hash(SSL *ssl) {
  ssl3_free_handshake_hash(ssl);

  const uint32_t algorithm_prf = ssl_get_algorithm_prf(ssl);
  const EVP_MD *digest = ssl_get_handshake_digest(algorithm_prf);
  const BUF_MEM *transcript = ssl->s3->handshake_buffer;

  int ok = init_digest_with_data(&ssl->s3->handshake_hash, digest, transcript);
  if (ok && algorithm_prf == SSL_HANDSHAKE_MAC_DEFAULT) {
    ok = init_digest_with_data(&ssl->s3->handshake_md5, EVP_md5(), transcript);
  }
  return ok;
}
248
/* ssl3_free_handshake_hash releases both rolling handshake hash contexts on
 * |ssl|. After this call |EVP_MD_CTX_md| on either context reports no digest,
 * which is how |ssl3_update_handshake_hash| tells an inactive hash apart. */
void ssl3_free_handshake_hash(SSL *ssl) {
  EVP_MD_CTX *contexts[] = {&ssl->s3->handshake_hash, &ssl->s3->handshake_md5};
  for (size_t idx = 0; idx < 2; idx++) {
    EVP_MD_CTX_cleanup(contexts[idx]);
  }
}
253
/* ssl3_free_handshake_buffer frees the handshake transcript buffer on |ssl|, if
 * any, and clears the pointer so the buffer is seen as inactive afterwards. */
void ssl3_free_handshake_buffer(SSL *ssl) {
  BUF_MEM *transcript = ssl->s3->handshake_buffer;
  ssl->s3->handshake_buffer = NULL;
  BUF_MEM_free(transcript);
}
258
/* ssl3_update_handshake_hash appends the |in_len| bytes at |in| to the
 * handshake transcript. Depending on the handshake state the raw transcript
 * buffer, the rolling hash(es), or both may be active; each active one is fed
 * the data. It returns one on success and zero on error (length overflow, or a
 * failed buffer growth), with an error queued for the overflow case. */
int ssl3_update_handshake_hash(SSL *ssl, const uint8_t *in, size_t in_len) {
  BUF_MEM *transcript = ssl->s3->handshake_buffer;
  if (transcript != NULL) {
    const size_t old_len = transcript->length;
    const size_t new_len = old_len + in_len;
    /* size_t addition wrapped around iff the sum is smaller than an addend. */
    if (new_len < in_len) {
      OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
      return 0;
    }
    if (!BUF_MEM_grow(transcript, new_len)) {
      return 0;
    }
    /* |data| may have been reallocated by BUF_MEM_grow; re-read it here. */
    memcpy(transcript->data + old_len, in, in_len);
  }

  EVP_MD_CTX *hashes[] = {&ssl->s3->handshake_hash, &ssl->s3->handshake_md5};
  for (size_t idx = 0; idx < 2; idx++) {
    /* A context with no digest set is an inactive hash. */
    if (EVP_MD_CTX_md(hashes[idx]) != NULL) {
      EVP_DigestUpdate(hashes[idx], in, in_len);
    }
  }
  return 1;
}
Adam Langley0fbf33a2014-06-20 12:00:00 -0700283
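/* ssl3_handshake_mac computes the SSLv3 handshake MAC used for the Finished
 * and CertificateVerify messages. It works on a copy of the running handshake
 * hash selected by |md_nid| (NID_md5 selects the MD5 leg, otherwise |md_nid|
 * must match the digest of |ssl->s3->handshake_hash|), so the running hashes
 * are left untouched. The SSLv3 two-stage construction is
 *   inner = H(transcript || sender || master_key || pad1)
 *   out   = H(master_key || pad2 || inner)
 * where |sender| (of |sender_len| bytes) is optional and may be NULL. The
 * result is written to |p|, which must hold at least EVP_MAX_MD_SIZE bytes.
 * It returns the number of bytes written, or zero on error with an error
 * queued. The intermediate |inner| value, which is derived from the master
 * key, is cleansed before returning. */
static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender,
                              size_t sender_len, uint8_t *p) {
  unsigned int ret;
  size_t npad, n;
  unsigned int i;
  uint8_t md_buf[EVP_MAX_MD_SIZE];
  EVP_MD_CTX ctx;
  const EVP_MD_CTX *ctx_template;

  if (md_nid == NID_md5) {
    ctx_template = &ssl->s3->handshake_md5;
  } else if (md_nid == EVP_MD_CTX_type(&ssl->s3->handshake_hash)) {
    ctx_template = &ssl->s3->handshake_hash;
  } else {
    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_REQUIRED_DIGEST);
    return 0;
  }

  /* Copy the running hash so that further handshake messages can still be
   * appended to the original after this MAC is taken. */
  EVP_MD_CTX_init(&ctx);
  if (!EVP_MD_CTX_copy_ex(&ctx, ctx_template)) {
    EVP_MD_CTX_cleanup(&ctx);
    OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
    return 0;
  }

  static const uint8_t kPad1[48] = {
      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  };

  static const uint8_t kPad2[48] = {
      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  };

  n = EVP_MD_CTX_size(&ctx);

  /* While a handshake is in progress the master key lives in |new_session|;
   * otherwise the established |session| is used. */
  SSL_SESSION *session = ssl->session;
  if (ssl->s3->new_session != NULL) {
    session = ssl->s3->new_session;
  }

  /* The pad is 48 bytes rounded down to a whole number of digest blocks of
   * output size |n|: 48 bytes for a 16-byte MD5 digest, 40 for a 20-byte
   * SHA-1 digest. */
  npad = (48 / n) * n;
  if (sender != NULL) {
    EVP_DigestUpdate(&ctx, sender, sender_len);
  }
  EVP_DigestUpdate(&ctx, session->master_key, session->master_key_length);
  EVP_DigestUpdate(&ctx, kPad1, npad);
  EVP_DigestFinal_ex(&ctx, md_buf, &i);

  /* Second stage: restart the same digest over master_key || pad2 || inner. */
  if (!EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL)) {
    OPENSSL_cleanse(md_buf, sizeof(md_buf));
    EVP_MD_CTX_cleanup(&ctx);
    OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
    return 0;
  }
  EVP_DigestUpdate(&ctx, session->master_key, session->master_key_length);
  EVP_DigestUpdate(&ctx, kPad2, npad);
  EVP_DigestUpdate(&ctx, md_buf, i);
  EVP_DigestFinal_ex(&ctx, p, &ret);

  /* |md_buf| is a keyed intermediate value; do not leave it on the stack,
   * consistent with how ssl3_prf cleanses its intermediate digest. */
  OPENSSL_cleanse(md_buf, sizeof(md_buf));
  EVP_MD_CTX_cleanup(&ctx);

  return ret;
}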
Adam Langley95c29f32014-06-20 12:00:00 -0700352
/* ssl3_final_finish_mac writes the SSLv3 Finished verify data for |ssl| to
 * |out|: the MD5 handshake MAC followed immediately by the SHA-1 handshake
 * MAC, each keyed with the four-byte sender constant chosen by |from_server|.
 * It returns the total number of bytes written, or zero if either MAC fails. */
static int ssl3_final_finish_mac(SSL *ssl, int from_server, uint8_t *out) {
  const char *sender;
  if (from_server) {
    sender = SSL3_MD_SERVER_FINISHED_CONST;
  } else {
    sender = SSL3_MD_CLIENT_FINISHED_CONST;
  }
  const size_t sender_len = 4;

  int md5_len = ssl3_handshake_mac(ssl, NID_md5, sender, sender_len, out);
  if (md5_len == 0) {
    return 0;
  }

  /* The SHA-1 MAC goes directly after the MD5 MAC. */
  int sha1_len =
      ssl3_handshake_mac(ssl, NID_sha1, sender, sender_len, out + md5_len);
  if (sha1_len == 0) {
    return 0;
  }

  return md5_len + sha1_len;
}
373
/* ssl3_cert_verify_hash computes the SSLv3 CertificateVerify hash for
 * |signature_algorithm|, writing it to |out| and setting |*out_md| to the
 * digest describing it and |*out_len| to its length. Only the two algorithms
 * SSLv3 can express are accepted: RSA over MD5||SHA-1 and ECDSA over SHA-1.
 * No sender constant is mixed in (unlike the Finished MAC). It returns one on
 * success and zero on error with an error queued. Must only be called for an
 * SSL 3.0 connection. */
int ssl3_cert_verify_hash(SSL *ssl, const EVP_MD **out_md, uint8_t *out,
                          size_t *out_len, uint16_t signature_algorithm) {
  assert(ssl3_protocol_version(ssl) == SSL3_VERSION);

  switch (signature_algorithm) {
    case SSL_SIGN_RSA_PKCS1_MD5_SHA1:
      if (!ssl3_handshake_mac(ssl, NID_md5, NULL, 0, out)) {
        return 0;
      }
      if (!ssl3_handshake_mac(ssl, NID_sha1, NULL, 0,
                              out + MD5_DIGEST_LENGTH)) {
        return 0;
      }
      *out_md = EVP_md5_sha1();
      *out_len = MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH;
      return 1;

    case SSL_SIGN_ECDSA_SHA1:
      if (!ssl3_handshake_mac(ssl, NID_sha1, NULL, 0, out)) {
        return 0;
      }
      *out_md = EVP_sha1();
      *out_len = SHA_DIGEST_LENGTH;
      return 1;

    default:
      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
      return 0;
  }
}
David Benjamin23b0a652015-12-29 23:41:34 -0500399
/* SSLv3_enc_data is the SSL3_ENC_METHOD for SSL 3.0. The initializer is
 * positional: the first member is the key-expansion PRF and the second is the
 * Finished-message MAC (the struct itself is presumably declared in
 * internal.h, included above). */
const SSL3_ENC_METHOD SSLv3_enc_data = {
    ssl3_prf,
    ssl3_final_finish_mac,
};