Adam Langley95c29f32014-06-20 12:00:00 -07001/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
David Benjamin820731a2015-07-23 20:01:51 -04007 *
Adam Langley95c29f32014-06-20 12:00:00 -07008 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
David Benjamin820731a2015-07-23 20:01:51 -040014 *
Adam Langley95c29f32014-06-20 12:00:00 -070015 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
David Benjamin820731a2015-07-23 20:01:51 -040021 *
Adam Langley95c29f32014-06-20 12:00:00 -070022 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
David Benjamin820731a2015-07-23 20:01:51 -040036 * 4. If you include any Windows specific code (or a derivative thereof) from
Adam Langley95c29f32014-06-20 12:00:00 -070037 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
David Benjamin820731a2015-07-23 20:01:51 -040039 *
Adam Langley95c29f32014-06-20 12:00:00 -070040 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
David Benjamin820731a2015-07-23 20:01:51 -040051 *
Adam Langley95c29f32014-06-20 12:00:00 -070052 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
David Benjamin820731a2015-07-23 20:01:51 -040065 * notice, this list of conditions and the following disclaimer.
Adam Langley95c29f32014-06-20 12:00:00 -070066 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2005 Nokia. All rights reserved.
112 *
113 * The portions of the attached software ("Contribution") is developed by
114 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
115 * license.
116 *
117 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
118 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
119 * support (see RFC 4279) to OpenSSL.
120 *
121 * No patent licenses or other rights except those expressly stated in
122 * the OpenSSL open source license shall be deemed granted or received
123 * expressly, by implication, estoppel, or otherwise.
124 *
125 * No assurances are provided by Nokia that the Contribution does not
126 * infringe the patent or other intellectual property rights of any third
127 * party or that the license provides you with all the necessary rights
128 * to make use of the Contribution.
129 *
130 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
131 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
132 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
133 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
134 * OTHERWISE. */
135
David Benjamin9e4e01e2015-09-15 01:48:04 -0400136#include <openssl/ssl.h>
137
Adam Langley95c29f32014-06-20 12:00:00 -0700138#include <assert.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400139#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700140
141#include <openssl/err.h>
142#include <openssl/evp.h>
143#include <openssl/mem.h>
144#include <openssl/md5.h>
David Benjamin98193672016-03-25 18:07:11 -0400145#include <openssl/nid.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700146
David Benjamin2ee94aa2015-04-07 22:38:30 -0400147#include "internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700148
Adam Langley95c29f32014-06-20 12:00:00 -0700149
/* Forward declaration: |ssl3_cert_verify_mac| and |ssl3_final_finish_mac| call
 * |ssl3_handshake_mac| before its definition further down in this file. */
static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender,
                              size_t sender_len, uint8_t *p);
Adam Langley95c29f32014-06-20 12:00:00 -0700152
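/* ssl3_prf is the SSLv3 key-expansion function. It writes |out_len| bytes to
 * |out|, one MD5 digest (16 bytes) at a time, where block number k (counting
 * from one) is
 *
 *   MD5(secret || SHA1(salt_k || secret || seed1 || seed2))
 *
 * and salt_k is k copies of the k-th letter starting at 'A' ("A", "BB",
 * "CCC", ...). The salt buffer holds 16 bytes, so at most 16 blocks (256
 * bytes) can be produced; longer requests fail with an internal error.
 *
 * |ssl|, |label| and |label_len| are not read: |label| is ignored for SSLv3.
 * A seed whose length is zero is skipped.
 *
 * It returns one on success and zero on error. On error |out| may already hold
 * some output blocks, so callers should treat its contents as sensitive either
 * way. The MD5/SHA-1 pairing is fixed by the SSLv3 construction itself; SSLv3
 * is deprecated (RFC 7568). */
static int ssl3_prf(const SSL *ssl, uint8_t *out, size_t out_len,
                    const uint8_t *secret, size_t secret_len, const char *label,
                    size_t label_len, const uint8_t *seed1, size_t seed1_len,
                    const uint8_t *seed2, size_t seed2_len) {
  EVP_MD_CTX md5;
  EVP_MD_CTX sha1;
  uint8_t buf[16], smd[SHA_DIGEST_LENGTH];
  uint8_t c = 'A';
  size_t i, k = 0;
  int ret = 0;

  EVP_MD_CTX_init(&md5);
  EVP_MD_CTX_init(&sha1);
  for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) {
    k++;
    if (k > sizeof(buf)) {
      /* bug: 'buf' is too small for this ciphersuite */
      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
      goto err;
    }

    /* Salt for this block: |k| copies of the current letter. */
    memset(buf, c, k);
    c++;

    /* Inner hash: SHA1(salt || secret || seed1 || seed2). */
    if (!EVP_DigestInit_ex(&sha1, EVP_sha1(), NULL)) {
      OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
      goto err;
    }
    EVP_DigestUpdate(&sha1, buf, k);
    EVP_DigestUpdate(&sha1, secret, secret_len);
    /* |label| is ignored for SSLv3. */
    if (seed1_len) {
      EVP_DigestUpdate(&sha1, seed1, seed1_len);
    }
    if (seed2_len) {
      EVP_DigestUpdate(&sha1, seed2, seed2_len);
    }
    EVP_DigestFinal_ex(&sha1, smd, NULL);

    /* Outer hash: MD5(secret || inner). */
    if (!EVP_DigestInit_ex(&md5, EVP_md5(), NULL)) {
      OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
      goto err;
    }
    EVP_DigestUpdate(&md5, secret, secret_len);
    EVP_DigestUpdate(&md5, smd, SHA_DIGEST_LENGTH);

    /* |i| < |out_len| holds here, so the subtraction cannot wrap. Output is
     * addressed as |out + i| so that no pointer beyond the end of the caller's
     * buffer is ever formed after a short final block. */
    if (out_len - i < MD5_DIGEST_LENGTH) {
      /* Short final block: hash into the scratch buffer and copy only the
       * bytes that still fit. */
      EVP_DigestFinal_ex(&md5, smd, NULL);
      memcpy(out + i, smd, out_len - i);
    } else {
      EVP_DigestFinal_ex(&md5, out + i, NULL);
    }
  }

  ret = 1;

err:
  /* Shared exit: |smd| holds secret-derived digests, and both contexts were
   * initialised above, so wipe and release them on failure as well as on
   * success. */
  OPENSSL_cleanse(smd, sizeof(smd));
  EVP_MD_CTX_cleanup(&md5);
  EVP_MD_CTX_cleanup(&sha1);

  return ret;
}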
Adam Langley95c29f32014-06-20 12:00:00 -0700215
/* ssl3_cleanup_key_block wipes and frees the temporary key block on |ssl|, if
 * there is one, and resets the recorded length to zero. The buffer is cleansed
 * before it is freed so that key material is not left behind in released
 * memory. */
void ssl3_cleanup_key_block(SSL *ssl) {
  if (ssl->s3->tmp.key_block == NULL) {
    /* Nothing to wipe; only the length needs resetting. */
    ssl->s3->tmp.key_block_length = 0;
    return;
  }

  OPENSSL_cleanse(ssl->s3->tmp.key_block, ssl->s3->tmp.key_block_length);
  OPENSSL_free(ssl->s3->tmp.key_block);
  ssl->s3->tmp.key_block = NULL;
  ssl->s3->tmp.key_block_length = 0;
}
Adam Langley95c29f32014-06-20 12:00:00 -0700224
/* ssl3_init_handshake_buffer discards any existing handshake buffer and
 * handshake hash state on |ssl| and installs a freshly allocated, empty
 * handshake buffer. It returns one on success and zero if the allocation
 * failed. */
int ssl3_init_handshake_buffer(SSL *ssl) {
  ssl3_free_handshake_buffer(ssl);
  ssl3_free_handshake_hash(ssl);

  ssl->s3->handshake_buffer = BUF_MEM_new();
  if (ssl->s3->handshake_buffer == NULL) {
    return 0;
  }
  return 1;
}
Adam Langley95c29f32014-06-20 12:00:00 -0700231
/* init_digest_with_data initialises |ctx| for |md| via |EVP_DigestInit_ex| and
 * then feeds it the |buf->length| bytes at |buf->data|. It returns one on
 * success and zero if initialisation failed. |buf| is dereferenced without a
 * NULL check, so callers must pass a valid buffer. The result of
 * |EVP_DigestUpdate| is not inspected. */
static int init_digest_with_data(EVP_MD_CTX *ctx, const EVP_MD *md,
                                 const BUF_MEM *buf) {
  if (EVP_DigestInit_ex(ctx, md, NULL)) {
    EVP_DigestUpdate(ctx, buf->data, buf->length);
    return 1;
  }
  return 0;
}
Adam Langley95c29f32014-06-20 12:00:00 -0700242
/* ssl3_init_handshake_hash resets the rolling handshake hashes on |ssl| and
 * re-seeds them from the bytes currently in the handshake buffer. The main
 * hash uses the digest selected by |ssl_get_handshake_digest| for the
 * connection's PRF algorithm; when that algorithm is
 * |SSL_HANDSHAKE_MAC_DEFAULT| a second, MD5, hash is started as well. It
 * returns one on success and zero on error.
 *
 * NOTE(review): the handshake buffer is passed on without a NULL check, so
 * this presumably must run while the buffer is still allocated -- confirm
 * against callers. */
int ssl3_init_handshake_hash(SSL *ssl) {
  ssl3_free_handshake_hash(ssl);

  const uint32_t prf = ssl_get_algorithm_prf(ssl);
  const EVP_MD *digest = ssl_get_handshake_digest(prf);
  if (!init_digest_with_data(&ssl->s3->handshake_hash, digest,
                             ssl->s3->handshake_buffer)) {
    return 0;
  }

  if (prf != SSL_HANDSHAKE_MAC_DEFAULT) {
    /* Only the default handshake MAC needs the extra MD5 hash. */
    return 1;
  }

  return init_digest_with_data(&ssl->s3->handshake_md5, EVP_md5(),
                               ssl->s3->handshake_buffer)
             ? 1
             : 0;
}
261
/* ssl3_free_handshake_hash releases both rolling handshake hash contexts on
 * |ssl|: the main handshake hash and the additional MD5 hash. */
void ssl3_free_handshake_hash(SSL *ssl) {
  /* Main rolling hash. */
  EVP_MD_CTX_cleanup(&ssl->s3->handshake_hash);
  /* Extra MD5 hash. */
  EVP_MD_CTX_cleanup(&ssl->s3->handshake_md5);
}
266
/* ssl3_free_handshake_buffer frees the handshake buffer on |ssl| and clears
 * the pointer, so later code sees "no buffer" rather than a dangling
 * reference. */
void ssl3_free_handshake_buffer(SSL *ssl) {
  BUF_MEM_free(ssl->s3->handshake_buffer);
  ssl->s3->handshake_buffer = NULL;
}
271
/* ssl3_update_handshake_hash adds the |in_len| bytes at |in| to the handshake
 * transcript state on |ssl|. Depending on the state of the handshake, the
 * handshake buffer, the rolling hashes, or both may be active; each active one
 * is updated. It returns one on success and zero on error (length overflow or
 * failure to grow the buffer). */
int ssl3_update_handshake_hash(SSL *ssl, const uint8_t *in, size_t in_len) {
  BUF_MEM *buffer = ssl->s3->handshake_buffer;

  if (buffer != NULL) {
    const size_t old_len = buffer->length;
    const size_t new_len = old_len + in_len;
    /* Reject a wrapped size_t sum before asking for the new size; otherwise
     * the buffer would be grown to a too-small length and the copy below
     * would run past it. */
    if (new_len < in_len) {
      OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
      return 0;
    }
    if (!BUF_MEM_grow(buffer, new_len)) {
      return 0;
    }
    /* Append at the previous end of the buffer. |buffer->data| is read only
     * after the grow call. */
    memcpy(buffer->data + old_len, in, in_len);
  }

  /* A context that has a digest set is treated as an active rolling hash. */
  if (EVP_MD_CTX_md(&ssl->s3->handshake_hash) != NULL) {
    EVP_DigestUpdate(&ssl->s3->handshake_hash, in, in_len);
  }
  if (EVP_MD_CTX_md(&ssl->s3->handshake_md5) != NULL) {
    EVP_DigestUpdate(&ssl->s3->handshake_md5, in, in_len);
  }

  return 1;
}
Adam Langley0fbf33a2014-06-20 12:00:00 -0700296
/* ssl3_cert_verify_mac computes the SSLv3 handshake MAC for |md_nid| with no
 * sender label and writes it to |p|. It returns whatever |ssl3_handshake_mac|
 * returns: the number of bytes written, or zero on error. */
static int ssl3_cert_verify_mac(SSL *ssl, int md_nid, uint8_t *p) {
  const char *const no_sender = NULL;
  return ssl3_handshake_mac(ssl, md_nid, no_sender, 0, p);
}
Adam Langley0fbf33a2014-06-20 12:00:00 -0700300
/* ssl3_final_finish_mac writes the SSLv3 Finished value to |out|: the MD5
 * handshake MAC immediately followed by the SHA-1 handshake MAC, both computed
 * with the four-byte sender label for the server (if |from_server| is
 * non-zero) or the client. It returns the total number of bytes written, or
 * zero if either MAC fails. |out| must have room for both digests. */
static int ssl3_final_finish_mac(SSL *ssl, int from_server, uint8_t *out) {
  const size_t sender_len = 4;
  const char *sender;
  if (from_server) {
    sender = SSL3_MD_SERVER_FINISHED_CONST;
  } else {
    sender = SSL3_MD_CLIENT_FINISHED_CONST;
  }

  const int md5_len = ssl3_handshake_mac(ssl, NID_md5, sender, sender_len, out);
  if (md5_len == 0) {
    return 0;
  }

  /* The SHA-1 MAC goes directly after the MD5 MAC. */
  const int sha1_len =
      ssl3_handshake_mac(ssl, NID_sha1, sender, sender_len, out + md5_len);
  if (sha1_len == 0) {
    return 0;
  }

  return md5_len + sha1_len;
}
Adam Langley95c29f32014-06-20 12:00:00 -0700321
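/* ssl3_handshake_mac computes the SSLv3 handshake MAC over the messages hashed
 * so far and writes it to |p|:
 *
 *   inner = H(handshake_messages || sender || master_key || pad1)
 *   out   = H(master_key || pad2 || inner)
 *
 * where pad1 and pad2 are runs of 0x36 and 0x5c bytes. |md_nid| selects the
 * digest: |NID_md5| uses the rolling MD5 hash, and any other value must match
 * the type of the main rolling handshake hash. |sender| may be NULL, in which
 * case no sender label is hashed. The rolling hashes are not disturbed; the
 * work is done on a copy.
 *
 * It returns the number of bytes written to |p|, or zero on error. |p| must
 * have room for one digest of the selected type. */
static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender,
                              size_t sender_len, uint8_t *p) {
  static const uint8_t kPad1[48] = {
      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  };

  static const uint8_t kPad2[48] = {
      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  };

  unsigned int ret = 0;
  size_t npad, n;
  unsigned int i;
  uint8_t md_buf[EVP_MAX_MD_SIZE];
  EVP_MD_CTX ctx;
  const EVP_MD_CTX *ctx_template;

  if (md_nid == NID_md5) {
    ctx_template = &ssl->s3->handshake_md5;
  } else if (md_nid == EVP_MD_CTX_type(&ssl->s3->handshake_hash)) {
    ctx_template = &ssl->s3->handshake_hash;
  } else {
    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_REQUIRED_DIGEST);
    return 0;
  }

  /* Work on a copy so the rolling handshake hash keeps accumulating. */
  EVP_MD_CTX_init(&ctx);
  if (!EVP_MD_CTX_copy_ex(&ctx, ctx_template)) {
    OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
    goto out;
  }

  n = EVP_MD_CTX_size(&ctx);
  if (n == 0) {
    /* Defensive: a zero digest size would divide by zero below. */
    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
    goto out;
  }

  /* The pad length is the largest multiple of the digest size that fits in 48
   * bytes, so it never exceeds the size of |kPad1| and |kPad2|. */
  npad = (48 / n) * n;

  /* Inner hash. */
  if (sender != NULL) {
    EVP_DigestUpdate(&ctx, sender, sender_len);
  }
  EVP_DigestUpdate(&ctx, ssl->session->master_key,
                   ssl->session->master_key_length);
  EVP_DigestUpdate(&ctx, kPad1, npad);
  EVP_DigestFinal_ex(&ctx, md_buf, &i);

  /* Outer hash, restarted with the same digest. */
  if (!EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL)) {
    OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
    goto out;
  }
  EVP_DigestUpdate(&ctx, ssl->session->master_key,
                   ssl->session->master_key_length);
  EVP_DigestUpdate(&ctx, kPad2, npad);
  EVP_DigestUpdate(&ctx, md_buf, i);
  EVP_DigestFinal_ex(&ctx, p, &ret);

out:
  /* |md_buf| holds an intermediate digest keyed with the master secret; wipe
   * it on every exit path, as |ssl3_prf| does for its scratch digest. |ret| is
   * still zero if the MAC was not completed. */
  OPENSSL_cleanse(md_buf, sizeof(md_buf));
  EVP_MD_CTX_cleanup(&ctx);

  return ret;
}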
Adam Langley95c29f32014-06-20 12:00:00 -0700387
Adam Langleybe2900a2014-12-18 12:09:04 -0800388
David Benjamin23b0a652015-12-29 23:41:34 -0500389
/* SSLv3_enc_data is the |SSL3_ENC_METHOD| table for SSLv3, wiring in the
 * SSLv3-specific routines defined in this file. Entries are positional. */
const SSL3_ENC_METHOD SSLv3_enc_data = {
    ssl3_prf,              /* key expansion */
    ssl3_final_finish_mac, /* Finished value: MD5 MAC followed by SHA-1 MAC */
    ssl3_cert_verify_mac,  /* handshake MAC with no sender label */
};