[thirdparty/openssl.git] / ssl / record / methods / ssl3_meth.c

/*
 * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/evp.h>
#include <openssl/core_names.h>
#include "internal/ssl3_cbc.h"
#include "../../ssl_local.h"
#include "../record_local.h"
#include "recmethod_local.h"

static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
                                 unsigned char *key, size_t keylen,
                                 unsigned char *iv, size_t ivlen,
                                 unsigned char *mackey, size_t mackeylen,
                                 const EVP_CIPHER *ciph,
                                 size_t taglen,
                                 int mactype,
                                 const EVP_MD *md,
                                 COMP_METHOD *comp)
{
    EVP_CIPHER_CTX *ciph_ctx;
    int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0;

    if (md == NULL) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        return OSSL_RECORD_RETURN_FATAL;
    }

    if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        return OSSL_RECORD_RETURN_FATAL;
    }
    ciph_ctx = rl->enc_ctx;

    rl->md_ctx = EVP_MD_CTX_new();
    if (rl->md_ctx == NULL) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        return OSSL_RECORD_RETURN_FATAL;
    }

    if ((md != NULL && EVP_DigestInit_ex(rl->md_ctx, md, NULL) <= 0)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        return OSSL_RECORD_RETURN_FATAL;
    }

#ifndef OPENSSL_NO_COMP
    if (comp != NULL) {
        rl->compctx = COMP_CTX_new(comp);
        if (rl->compctx == NULL) {
            ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
            return OSSL_RECORD_RETURN_FATAL;
        }
    }
#endif

    if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, iv, enc)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        return OSSL_RECORD_RETURN_FATAL;
    }

    /*
     * The cipher we actually ended up using in the EVP_CIPHER_CTX may be
     * different to that in ciph if we have an ENGINE in use
     */
    if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(ciph_ctx)) != NULL
            && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) {
        /* ERR_raise already called */
        return OSSL_RECORD_RETURN_FATAL;
    }

    if (mackeylen > sizeof(rl->mac_secret)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        return OSSL_RECORD_RETURN_FATAL;
    }
    memcpy(rl->mac_secret, mackey, mackeylen);

    return OSSL_RECORD_RETURN_SUCCESS;
}

/*
 * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal
 * on internal error, but not otherwise. It is the responsibility of the caller
 * to report a bad_record_mac
 *
 * Returns:
 *    0: if the record is publicly invalid, or an internal error
 *    1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
 */
static int ssl3_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *inrecs,
                       size_t n_recs, int sending, SSL_MAC_BUF *mac,
                       size_t macsize)
{
    TLS_RL_RECORD *rec;
    EVP_CIPHER_CTX *ds;
    size_t l, i;
    size_t bs;
    const EVP_CIPHER *enc;
    int provided;

    rec = inrecs;
    /*
     * We shouldn't ever be called with more than one record in the SSLv3 case
     */
    if (n_recs != 1)
        return 0;

    ds = rl->enc_ctx;
    if (ds == NULL || (enc = EVP_CIPHER_CTX_get0_cipher(ds)) == NULL)
        return 0;

    provided = (EVP_CIPHER_get0_provider(enc) != NULL);

    l = rec->length;
    bs = EVP_CIPHER_CTX_get_block_size(ds);

    if (bs == 0)
        return 0;

    /* COMPRESS */

    if ((bs != 1) && sending && !provided) {
        /*
         * We only do this for legacy ciphers. Provided ciphers add the
         * padding on the provider side.
         */
        i = bs - (l % bs);

        /* we need to add 'i-1' padding bytes */
        l += i;
        /*
         * the last of these zero bytes will be overwritten with the
         * padding length.
         */
        memset(&rec->input[rec->length], 0, i);
        rec->length += i;
        rec->input[l - 1] = (unsigned char)(i - 1);
    }

    if (!sending) {
        if (l == 0 || l % bs != 0) {
            /* Publicly invalid */
            return 0;
        }
        /* otherwise, rec->length >= bs */
    }

    if (provided) {
        int outlen;

        if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input,
                              (unsigned int)l))
            return 0;
        rec->length = outlen;

        if (!sending && mac != NULL) {
            /* Now get a pointer to the MAC */
            OSSL_PARAM params[2], *p = params;

            /* Get the MAC */
            mac->alloced = 0;

            *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
                                                  (void **)&mac->mac,
                                                  macsize);
            *p = OSSL_PARAM_construct_end();

            if (!EVP_CIPHER_CTX_get_params(ds, params)) {
                /* Shouldn't normally happen */
                RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return 0;
            }
        }
    } else {
        if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) {
            /* Shouldn't happen */
            RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR);
            return 0;
        }

        if (!sending)
            return ssl3_cbc_remove_padding_and_mac(&rec->length,
                                        rec->orig_len,
                                        rec->data,
                                        (mac != NULL) ? &mac->mac : NULL,
                                        (mac != NULL) ? &mac->alloced : NULL,
                                        bs,
                                        macsize,
                                        rl->libctx);
    }

    return 1;
}

static const unsigned char ssl3_pad_1[48] = {
    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
};

static const unsigned char ssl3_pad_2[48] = {
    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
};

static int ssl3_mac(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec, unsigned char *md,
                    int sending)
{
    unsigned char *mac_sec, *seq = rl->sequence;
    const EVP_MD_CTX *hash;
    unsigned char *p, rec_char;
    size_t md_size;
    size_t npad;
    int t;

    mac_sec = &(rl->mac_secret[0]);
    hash = rl->md_ctx;

    t = EVP_MD_CTX_get_size(hash);
    if (t <= 0)
        return 0;
    md_size = t;
    npad = (48 / md_size) * md_size;

    if (!sending
        && EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE
        && ssl3_cbc_record_digest_supported(hash)) {
#ifdef OPENSSL_NO_DEPRECATED_3_0
        return 0;
#else
        /*
         * This is a CBC-encrypted record. We must avoid leaking any
         * timing-side channel information about how many blocks of data we
         * are hashing because that gives an attacker a timing-oracle.
         */

        /*-
         * npad is, at most, 48 bytes and that's with MD5:
         *   16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
         *
         * With SHA-1 (the largest hash speced for SSLv3) the hash size
         * goes up 4, but npad goes down by 8, resulting in a smaller
         * total size.
         */
        unsigned char header[75];
        size_t j = 0;
        memcpy(header + j, mac_sec, md_size);
        j += md_size;
        memcpy(header + j, ssl3_pad_1, npad);
        j += npad;
        memcpy(header + j, seq, 8);
        j += 8;
        header[j++] = rec->type;
        header[j++] = (unsigned char)(rec->length >> 8);
        header[j++] = (unsigned char)(rec->length & 0xff);

        /* Final param == is SSLv3 */
        if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash),
                                   md, &md_size,
                                   header, rec->input,
                                   rec->length, rec->orig_len,
                                   mac_sec, md_size, 1) <= 0)
            return 0;
#endif
    } else {
        unsigned int md_size_u;
        /* Chop the digest off the end :-) */
        EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();

        if (md_ctx == NULL)
            return 0;

        rec_char = rec->type;
        p = md;
        s2n(rec->length, p);
        if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
            || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
            || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
            || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
            || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
            || EVP_DigestUpdate(md_ctx, md, 2) <= 0
            || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
            || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
            || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
            || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
            || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
            || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
            || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
            EVP_MD_CTX_free(md_ctx);
            return 0;
        }

        EVP_MD_CTX_free(md_ctx);
    }

    if (!tls_increment_sequence_ctr(rl))
        return 0;

    return 1;
}

const struct record_functions_st ssl_3_0_funcs = {
    ssl3_set_crypto_state,
    ssl3_cipher,
    ssl3_mac,
    tls_default_set_protocol_version,
    tls_default_read_n,
    tls_get_more_records,
    tls_default_validate_record_header,
    tls_default_post_process_record,
    tls_get_max_records_default,
    tls_write_records_default,
    /* These 2 functions are defined in tls1_meth.c */
    tls1_allocate_write_buffers,
    tls1_initialise_write_packets,
    NULL,
    tls_prepare_record_header_default,
    NULL,
    tls_prepare_for_encryption_default,
    tls_post_encryption_processing_default,
    NULL
};
Commit	Line	Data
50023e9b	1	/*
b6461792	2	* Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
50023e9b MC	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <openssl/evp.h>
	11	#include <openssl/core_names.h>
25624c90	12	#include "internal/ssl3_cbc.h"
50023e9b MC	13	#include "../../ssl_local.h"
	14	#include "../record_local.h"
	15	#include "recmethod_local.h"
	16
50023e9b MC	17	static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
	18	unsigned char *key, size_t keylen,
	19	unsigned char *iv, size_t ivlen,
	20	unsigned char *mackey, size_t mackeylen,
	21	const EVP_CIPHER *ciph,
	22	size_t taglen,
50023e9b MC	23	int mactype,
50023e9b MC	24	const EVP_MD *md,
1e76110b	25	COMP_METHOD *comp)
50023e9b MC	26	{
50023e9b MC	27	EVP_CIPHER_CTX *ciph_ctx;
a8572674	28	int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0;
50023e9b MC	29
50023e9b MC	30	if (md == NULL) {
7c293999 MC	31	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	32	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	33	}
50023e9b MC	34
6366bdd9	35	if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) {
7c293999 MC	36	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	37	return OSSL_RECORD_RETURN_FATAL;
50023e9b	38	}
6366bdd9	39	ciph_ctx = rl->enc_ctx;
50023e9b	40
6366bdd9 MC	41	rl->md_ctx = EVP_MD_CTX_new();
6366bdd9 MC	42	if (rl->md_ctx == NULL) {
7c293999 MC	43	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	44	return OSSL_RECORD_RETURN_FATAL;
50023e9b	45	}
a8572674 MC	46
	47	if ((md != NULL && EVP_DigestInit_ex(rl->md_ctx, md, NULL) <= 0)) {
	48	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
	49	return OSSL_RECORD_RETURN_FATAL;
	50	}
	51
50023e9b MC	52	#ifndef OPENSSL_NO_COMP
50023e9b MC	53	if (comp != NULL) {
1e76110b	54	rl->compctx = COMP_CTX_new(comp);
9251c3c4	55	if (rl->compctx == NULL) {
7c293999 MC	56	ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
7c293999 MC	57	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	58	}
	59	}
	60	#endif
	61
a8572674	62	if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, iv, enc)) {
7c293999 MC	63	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	64	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	65	}
50023e9b MC	66
afcc12c4 MC	67	/*
	68	* The cipher we actually ended up using in the EVP_CIPHER_CTX may be
	69	* different to that in ciph if we have an ENGINE in use
	70	*/
	71	if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(ciph_ctx)) != NULL
7f2f0ac7	72	&& !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) {
1704961c	73	/* ERR_raise already called */
7c293999	74	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	75	}
	76
	77	if (mackeylen > sizeof(rl->mac_secret)) {
7c293999 MC	78	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	79	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	80	}
	81	memcpy(rl->mac_secret, mackey, mackeylen);
	82
7c293999	83	return OSSL_RECORD_RETURN_SUCCESS;
50023e9b MC	84	}
	85
	86	/*
	87	* ssl3_cipher encrypts/decrypts \|n_recs\| records in \|inrecs\|. Calls RLAYERfatal
	88	* on internal error, but not otherwise. It is the responsibility of the caller
	89	* to report a bad_record_mac
	90	*
	91	* Returns:
	92	* 0: if the record is publicly invalid, or an internal error
	93	* 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
	94	*/
22094d11 MC	95	static int ssl3_cipher(OSSL_RECORD_LAYER rl, TLS_RL_RECORD inrecs,
	96	size_t n_recs, int sending, SSL_MAC_BUF *mac,
	97	size_t macsize)
50023e9b	98	{
22094d11	99	TLS_RL_RECORD *rec;
50023e9b MC	100	EVP_CIPHER_CTX *ds;
	101	size_t l, i;
	102	size_t bs;
	103	const EVP_CIPHER *enc;
	104	int provided;
	105
	106	rec = inrecs;
	107	/*
	108	* We shouldn't ever be called with more than one record in the SSLv3 case
	109	*/
	110	if (n_recs != 1)
	111	return 0;
6366bdd9 MC	112
6366bdd9 MC	113	ds = rl->enc_ctx;
35bcac13 TM	114	if (ds == NULL \|\| (enc = EVP_CIPHER_CTX_get0_cipher(ds)) == NULL)
35bcac13 TM	115	return 0;
50023e9b MC	116
	117	provided = (EVP_CIPHER_get0_provider(enc) != NULL);
	118
	119	l = rec->length;
	120	bs = EVP_CIPHER_CTX_get_block_size(ds);
	121
6f22bcd6 NH	122	if (bs == 0)
	123	return 0;
	124
50023e9b MC	125	/* COMPRESS */
	126
	127	if ((bs != 1) && sending && !provided) {
	128	/*
1704961c MC	129	* We only do this for legacy ciphers. Provided ciphers add the
	130	* padding on the provider side.
	131	*/
50023e9b MC	132	i = bs - (l % bs);
	133
	134	/* we need to add 'i-1' padding bytes */
	135	l += i;
	136	/*
1704961c MC	137	* the last of these zero bytes will be overwritten with the
	138	* padding length.
	139	*/
50023e9b MC	140	memset(&rec->input[rec->length], 0, i);
	141	rec->length += i;
	142	rec->input[l - 1] = (unsigned char)(i - 1);
	143	}
	144
	145	if (!sending) {
	146	if (l == 0 \|\| l % bs != 0) {
	147	/* Publicly invalid */
	148	return 0;
	149	}
	150	/* otherwise, rec->length >= bs */
	151	}
	152
	153	if (provided) {
	154	int outlen;
	155
	156	if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input,
1704961c	157	(unsigned int)l))
50023e9b MC	158	return 0;
	159	rec->length = outlen;
	160
	161	if (!sending && mac != NULL) {
	162	/* Now get a pointer to the MAC */
	163	OSSL_PARAM params[2], *p = params;
	164
	165	/* Get the MAC */
	166	mac->alloced = 0;
	167
	168	*p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
1704961c MC	169	(void **)&mac->mac,
1704961c MC	170	macsize);
50023e9b MC	171	*p = OSSL_PARAM_construct_end();
	172
	173	if (!EVP_CIPHER_CTX_get_params(ds, params)) {
	174	/* Shouldn't normally happen */
	175	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	176	return 0;
	177	}
	178	}
	179	} else {
	180	if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) {
	181	/* Shouldn't happen */
	182	RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR);
	183	return 0;
	184	}
	185
	186	if (!sending)
	187	return ssl3_cbc_remove_padding_and_mac(&rec->length,
	188	rec->orig_len,
	189	rec->data,
	190	(mac != NULL) ? &mac->mac : NULL,
	191	(mac != NULL) ? &mac->alloced : NULL,
	192	bs,
	193	macsize,
	194	rl->libctx);
	195	}
	196
	197	return 1;
	198	}
	199
	200	static const unsigned char ssl3_pad_1[48] = {
	201	0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
	202	0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
	203	0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
	204	0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
	205	0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
	206	0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
	207	};
	208
	209	static const unsigned char ssl3_pad_2[48] = {
	210	0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
	211	0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
	212	0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
	213	0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
	214	0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
	215	0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
	216	};
	217
22094d11	218	static int ssl3_mac(OSSL_RECORD_LAYER rl, TLS_RL_RECORD rec, unsigned char *md,
8124ab56	219	int sending)
50023e9b	220	{
0755722c	221	unsigned char mac_sec, seq = rl->sequence;
50023e9b MC	222	const EVP_MD_CTX *hash;
	223	unsigned char *p, rec_char;
	224	size_t md_size;
	225	size_t npad;
	226	int t;
	227
6366bdd9 MC	228	mac_sec = &(rl->mac_secret[0]);
6366bdd9 MC	229	hash = rl->md_ctx;
50023e9b MC	230
50023e9b MC	231	t = EVP_MD_CTX_get_size(hash);
624efd2b	232	if (t <= 0)
50023e9b MC	233	return 0;
	234	md_size = t;
	235	npad = (48 / md_size) * md_size;
	236
	237	if (!sending
6366bdd9	238	&& EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE
50023e9b MC	239	&& ssl3_cbc_record_digest_supported(hash)) {
	240	#ifdef OPENSSL_NO_DEPRECATED_3_0
	241	return 0;
	242	#else
	243	/*
	244	* This is a CBC-encrypted record. We must avoid leaking any
	245	* timing-side channel information about how many blocks of data we
	246	* are hashing because that gives an attacker a timing-oracle.
	247	*/
	248
	249	/*-
	250	* npad is, at most, 48 bytes and that's with MD5:
	251	* 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
	252	*
	253	* With SHA-1 (the largest hash speced for SSLv3) the hash size
	254	* goes up 4, but npad goes down by 8, resulting in a smaller
	255	* total size.
	256	*/
	257	unsigned char header[75];
	258	size_t j = 0;
	259	memcpy(header + j, mac_sec, md_size);
	260	j += md_size;
	261	memcpy(header + j, ssl3_pad_1, npad);
	262	j += npad;
	263	memcpy(header + j, seq, 8);
	264	j += 8;
	265	header[j++] = rec->type;
	266	header[j++] = (unsigned char)(rec->length >> 8);
	267	header[j++] = (unsigned char)(rec->length & 0xff);
	268
	269	/* Final param == is SSLv3 */
	270	if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash),
	271	md, &md_size,
	272	header, rec->input,
	273	rec->length, rec->orig_len,
	274	mac_sec, md_size, 1) <= 0)
	275	return 0;
	276	#endif
	277	} else {
	278	unsigned int md_size_u;
	279	/* Chop the digest off the end :-) */
	280	EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
	281
	282	if (md_ctx == NULL)
	283	return 0;
	284
	285	rec_char = rec->type;
	286	p = md;
	287	s2n(rec->length, p);
	288	if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
	289	\|\| EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
	290	\|\| EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
	291	\|\| EVP_DigestUpdate(md_ctx, seq, 8) <= 0
	292	\|\| EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
	293	\|\| EVP_DigestUpdate(md_ctx, md, 2) <= 0
	294	\|\| EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
	295	\|\| EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
	296	\|\| EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
	297	\|\| EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
	298	\|\| EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
	299	\|\| EVP_DigestUpdate(md_ctx, md, md_size) <= 0
	300	\|\| EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
	301	EVP_MD_CTX_free(md_ctx);
	302	return 0;
303	}
304
305	EVP_MD_CTX_free(md_ctx);
306	}
307
bed07b18 MC	308	if (!tls_increment_sequence_ctr(rl))
	309	return 0;
	310
50023e9b MC	311	return 1;
	312	}
	313
89dd87e1	314	const struct record_functions_st ssl_3_0_funcs = {
50023e9b MC	315	ssl3_set_crypto_state,
50023e9b MC	316	ssl3_cipher,
1853d20a MC	317	ssl3_mac,
1853d20a MC	318	tls_default_set_protocol_version,
bafe524b MC	319	tls_default_read_n,
bafe524b MC	320	tls_get_more_records,
1853d20a	321	tls_default_validate_record_header,
bafe524b MC	322	tls_default_post_process_record,
bafe524b MC	323	tls_get_max_records_default,
91fe8ff0 MC	324	tls_write_records_default,
	325	/* These 2 functions are defined in tls1_meth.c */
	326	tls1_allocate_write_buffers,
7ca61d63	327	tls1_initialise_write_packets,
aca70ca8	328	NULL,
2582de25	329	tls_prepare_record_header_default,
757ef3ba	330	NULL,
2a354d54	331	tls_prepare_for_encryption_default,
ace38195 MC	332	tls_post_encryption_processing_default,
ace38195 MC	333	NULL
50023e9b	334	};