1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
|
/*
* sslv3.c
* Release $Name: MATRIXSSL_1_8_8_OPEN $
*
* SSLv3.0 specific code per http://wp.netscape.com/eng/ssl3.
* Primarily dealing with secret generation, message authentication codes
* and handshake hashing.
*/
/*
* Copyright (c) PeerSec Networks, 2002-2009. All Rights Reserved.
* The latest version of this code is available at http://www.matrixssl.org
*
* This software is open source; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This General Public License does NOT permit incorporating this software
* into proprietary programs. If you are unable to comply with the GPL, a
* commercial license for this software may be purchased from PeerSec Networks
* at http://www.peersec.com
*
* This program is distributed in WITHOUT ANY WARRANTY; without even the
* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
* http://www.gnu.org/copyleft/gpl.html
*/
/******************************************************************************/
#include "matrixInternal.h"
/******************************************************************************/
/*
Constants used for key generation
*/
static const unsigned char SENDER_CLIENT[5] = "CLNT"; /* 0x434C4E54 */
static const unsigned char SENDER_SERVER[5] = "SRVR"; /* 0x53525652 */
static const unsigned char pad1[48]={
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
};
static const unsigned char pad2[48]={
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
};
static const unsigned char *salt[10]={
(const unsigned char *)"A",
(const unsigned char *)"BB",
(const unsigned char *)"CCC",
(const unsigned char *)"DDDD",
(const unsigned char *)"EEEEE",
(const unsigned char *)"FFFFFF",
(const unsigned char *)"GGGGGGG",
(const unsigned char *)"HHHHHHHH",
(const unsigned char *)"IIIIIIIII",
(const unsigned char *)"JJJJJJJJJJ"
};
/******************************************************************************/
static int32 createKeyBlock(ssl_t *ssl, unsigned char *clientRandom,
unsigned char *serverRandom,
unsigned char *masterSecret, int32 secretLen);
/******************************************************************************/
/*
* Generates all key material.
*/
int32 sslDeriveKeys(ssl_t *ssl)
{
sslMd5Context_t md5Ctx;
sslSha1Context_t sha1Ctx;
unsigned char buf[SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE];
unsigned char *tmp;
int32 i;
/*
If this session is resumed, we want to reuse the master secret to
regenerate the key block with the new random values.
*/
if (ssl->flags & SSL_FLAGS_RESUMED) {
goto skipPremaster;
}
/*
master_secret =
MD5(pre_master_secret + SHA('A' + pre_master_secret +
ClientHello.random + ServerHello.random)) +
MD5(pre_master_secret + SHA('BB' + pre_master_secret +
ClientHello.random + ServerHello.random)) +
MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
ClientHello.random + ServerHello.random));
*/
tmp = ssl->sec.masterSecret;
for (i = 0; i < 3; i++) {
matrixSha1Init(&sha1Ctx);
matrixSha1Update(&sha1Ctx, salt[i], i + 1);
matrixSha1Update(&sha1Ctx, ssl->sec.premaster, ssl->sec.premasterSize);
matrixSha1Update(&sha1Ctx, ssl->sec.clientRandom, SSL_HS_RANDOM_SIZE);
matrixSha1Update(&sha1Ctx, ssl->sec.serverRandom, SSL_HS_RANDOM_SIZE);
matrixSha1Final(&sha1Ctx, buf);
matrixMd5Init(&md5Ctx);
matrixMd5Update(&md5Ctx, ssl->sec.premaster, ssl->sec.premasterSize);
matrixMd5Update(&md5Ctx, buf, SSL_SHA1_HASH_SIZE);
matrixMd5Final(&md5Ctx, tmp);
tmp += SSL_MD5_HASH_SIZE;
}
memset(buf, 0x0, SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE);
/*
premaster is now allocated for DH reasons. Can free here
*/
psFree(ssl->sec.premaster);
ssl->sec.premaster = NULL;
ssl->sec.premasterSize = 0;
skipPremaster:
if (createKeyBlock(ssl, ssl->sec.clientRandom, ssl->sec.serverRandom,
ssl->sec.masterSecret, SSL_HS_MASTER_SIZE) < 0) {
matrixStrDebugMsg("Unable to create key block\n", NULL);
return -1;
}
return SSL_HS_MASTER_SIZE;
}
/******************************************************************************/
/*
Generate the key block as follows. '+' indicates concatination.
key_block =
MD5(master_secret + SHA(`A' + master_secret +
ServerHello.random + ClientHello.random)) +
MD5(master_secret + SHA(`BB' + master_secret +
ServerHello.random + ClientHello.random)) +
MD5(master_secret + SHA(`CCC' + master_secret +
ServerHello.random + ClientHello.random)) +
[...];
*/
static int32 createKeyBlock(ssl_t *ssl, unsigned char *clientRandom,
unsigned char *serverRandom,
unsigned char *masterSecret, int32 secretLen)
{
sslMd5Context_t md5Ctx;
sslSha1Context_t sha1Ctx;
unsigned char buf[SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE];
unsigned char *tmp;
int32 keyIter, i, ret = 0;
int32 reqKeyLen;
/*
We must generate enough key material to fill the various keys
*/
reqKeyLen = 2 * ssl->cipher->macSize +
2 * ssl->cipher->keySize +
2 * ssl->cipher->ivSize;
/*
Find the right number of iterations to make the requested length key block
*/
keyIter = 1;
while (SSL_MD5_HASH_SIZE * keyIter < reqKeyLen) {
keyIter++;
}
if (keyIter > sizeof(salt)/sizeof(char*)) {
matrixIntDebugMsg("Error: Not enough salt for key length of %d\n",
reqKeyLen);
return -1;
}
tmp = ssl->sec.keyBlock;
for (i = 0; i < keyIter; i++) {
matrixSha1Init(&sha1Ctx);
matrixSha1Update(&sha1Ctx, salt[i], i + 1);
matrixSha1Update(&sha1Ctx, masterSecret, secretLen);
matrixSha1Update(&sha1Ctx, serverRandom, SSL_HS_RANDOM_SIZE);
matrixSha1Update(&sha1Ctx, clientRandom, SSL_HS_RANDOM_SIZE);
matrixSha1Final(&sha1Ctx, buf);
matrixMd5Init(&md5Ctx);
matrixMd5Update(&md5Ctx, masterSecret, secretLen);
matrixMd5Update(&md5Ctx, buf, SSL_SHA1_HASH_SIZE);
matrixMd5Final(&md5Ctx, tmp);
tmp += SSL_MD5_HASH_SIZE;
ret += SSL_MD5_HASH_SIZE;
}
memset(buf, 0x0, SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE);
/*
Client and server use different read/write values, with the Client
write value being the server read value.
*/
if (ssl->flags & SSL_FLAGS_SERVER) {
ssl->sec.rMACptr = ssl->sec.keyBlock;
ssl->sec.wMACptr = ssl->sec.rMACptr + ssl->cipher->macSize;
ssl->sec.rKeyptr = ssl->sec.wMACptr + ssl->cipher->macSize;
ssl->sec.wKeyptr = ssl->sec.rKeyptr + ssl->cipher->keySize;
ssl->sec.rIVptr = ssl->sec.wKeyptr + ssl->cipher->keySize;
ssl->sec.wIVptr = ssl->sec.rIVptr + ssl->cipher->ivSize;
} else {
ssl->sec.wMACptr = ssl->sec.keyBlock;
ssl->sec.rMACptr = ssl->sec.wMACptr + ssl->cipher->macSize;
ssl->sec.wKeyptr = ssl->sec.rMACptr + ssl->cipher->macSize;
ssl->sec.rKeyptr = ssl->sec.wKeyptr + ssl->cipher->keySize;
ssl->sec.wIVptr = ssl->sec.rKeyptr + ssl->cipher->keySize;
ssl->sec.rIVptr = ssl->sec.wIVptr + ssl->cipher->ivSize;
}
return ret;
}
/******************************************************************************/
/*
Combine the running hash of the handshake mesages with some constants
and mix them up a bit more. Output the result to the given buffer.
This data will be part of the Finished handshake message.
*/
int32 sslGenerateFinishedHash(sslMd5Context_t *md5, sslSha1Context_t *sha1,
unsigned char *masterSecret,
unsigned char *out, int32 sender)
{
sslMd5Context_t omd5;
sslSha1Context_t osha1;
unsigned char ihash[SSL_SHA1_HASH_SIZE];
/*
md5Hash = MD5(master_secret + pad2 +
MD5(handshake_messages + sender + master_secret + pad1));
*/
if (sender >= 0) {
matrixMd5Update(md5,
(sender & SSL_FLAGS_SERVER) ? SENDER_SERVER : SENDER_CLIENT, 4);
}
matrixMd5Update(md5, masterSecret, SSL_HS_MASTER_SIZE);
matrixMd5Update(md5, pad1, sizeof(pad1));
matrixMd5Final(md5, ihash);
matrixMd5Init(&omd5);
matrixMd5Update(&omd5, masterSecret, SSL_HS_MASTER_SIZE);
matrixMd5Update(&omd5, pad2, sizeof(pad2));
matrixMd5Update(&omd5, ihash, SSL_MD5_HASH_SIZE);
matrixMd5Final(&omd5, out);
/*
The SHA1 hash is generated in the same way, except only 40 bytes
of pad1 and pad2 are used.
sha1Hash = SHA1(master_secret + pad2 +
SHA1(handshake_messages + sender + master_secret + pad1));
*/
if (sender >= 0) {
matrixSha1Update(sha1,
(sender & SSL_FLAGS_SERVER) ? SENDER_SERVER : SENDER_CLIENT, 4);
}
matrixSha1Update(sha1, masterSecret, SSL_HS_MASTER_SIZE);
matrixSha1Update(sha1, pad1, 40);
matrixSha1Final(sha1, ihash);
matrixSha1Init(&osha1);
matrixSha1Update(&osha1, masterSecret, SSL_HS_MASTER_SIZE);
matrixSha1Update(&osha1, pad2, 40);
matrixSha1Update(&osha1, ihash, SSL_SHA1_HASH_SIZE);
matrixSha1Final(&osha1, out + SSL_MD5_HASH_SIZE);
return SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE;
}
#ifdef USE_SHA1_MAC
/******************************************************************************/
/*
SSLv3 uses a method similar to HMAC to generate the SHA1 message MAC.
For SHA1, 40 bytes of the pad are used.
SHA1(MAC_write_secret + pad2 +
SHA1(MAC_write_secret + pad1 + seq_num + length + content));
*/
int32 ssl3HMACSha1(unsigned char *key, unsigned char *seq,
unsigned char type, unsigned char *data, int32 len,
unsigned char *mac)
{
sslSha1Context_t sha1;
unsigned char ihash[SSL_SHA1_HASH_SIZE];
int32 i;
matrixSha1Init(&sha1);
matrixSha1Update(&sha1, key, SSL_SHA1_HASH_SIZE);
matrixSha1Update(&sha1, pad1, 40);
matrixSha1Update(&sha1, seq, 8);
ihash[0] = type;
ihash[1] = (len & 0xFF00) >> 8;
ihash[2] = len & 0xFF;
matrixSha1Update(&sha1, ihash, 3);
matrixSha1Update(&sha1, data, len);
matrixSha1Final(&sha1, ihash);
matrixSha1Init(&sha1);
matrixSha1Update(&sha1, key, SSL_SHA1_HASH_SIZE);
matrixSha1Update(&sha1, pad2, 40);
matrixSha1Update(&sha1, ihash, SSL_SHA1_HASH_SIZE);
matrixSha1Final(&sha1, mac);
/*
Increment sequence number
*/
for (i = 7; i >= 0; i--) {
seq[i]++;
if (seq[i] != 0) {
break;
}
}
return SSL_SHA1_HASH_SIZE;
}
#endif /* USE_SHA1_MAC */
#ifdef USE_MD5_MAC
/******************************************************************************/
/*
SSLv3 uses a method similar to HMAC to generate the MD5 message MAC.
For MD5, 48 bytes of the pad are used.
MD5(MAC_write_secret + pad2 +
MD5(MAC_write_secret + pad1 + seq_num + length + content));
*/
int32 ssl3HMACMd5(unsigned char *key, unsigned char *seq,
unsigned char type, unsigned char *data, int32 len,
unsigned char *mac)
{
sslMd5Context_t md5;
unsigned char ihash[SSL_MD5_HASH_SIZE];
int32 i;
matrixMd5Init(&md5);
matrixMd5Update(&md5, key, SSL_MD5_HASH_SIZE);
matrixMd5Update(&md5, pad1, 48);
matrixMd5Update(&md5, seq, 8);
ihash[0] = type;
ihash[1] = (len & 0xFF00) >> 8;
ihash[2] = len & 0xFF;
matrixMd5Update(&md5, ihash, 3);
matrixMd5Update(&md5, data, len);
matrixMd5Final(&md5, ihash);
matrixMd5Init(&md5);
matrixMd5Update(&md5, key, SSL_MD5_HASH_SIZE);
matrixMd5Update(&md5, pad2, 48);
matrixMd5Update(&md5, ihash, SSL_MD5_HASH_SIZE);
matrixMd5Final(&md5, mac);
/*
Increment sequence number
*/
for (i = 7; i >= 0; i--) {
seq[i]++;
if (seq[i] != 0) {
break;
}
}
return SSL_MD5_HASH_SIZE;
}
#endif /* USE_MD5_MAC */
/******************************************************************************/
|
