]>
Commit | Line | Data |
---|---|---|
50023e9b | 1 | /* |
b6461792 | 2 | * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. |
50023e9b MC |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <openssl/evp.h> | |
11 | #include <openssl/core_names.h> | |
25624c90 | 12 | #include "internal/ssl3_cbc.h" |
50023e9b MC |
13 | #include "../../ssl_local.h" |
14 | #include "../record_local.h" | |
15 | #include "recmethod_local.h" | |
16 | ||
50023e9b MC |
17 | static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, |
18 | unsigned char *key, size_t keylen, | |
19 | unsigned char *iv, size_t ivlen, | |
20 | unsigned char *mackey, size_t mackeylen, | |
21 | const EVP_CIPHER *ciph, | |
22 | size_t taglen, | |
50023e9b MC |
23 | int mactype, |
24 | const EVP_MD *md, | |
1e76110b | 25 | COMP_METHOD *comp) |
50023e9b MC |
26 | { |
27 | EVP_CIPHER_CTX *ciph_ctx; | |
a8572674 | 28 | int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0; |
50023e9b MC |
29 | |
30 | if (md == NULL) { | |
7c293999 MC |
31 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
32 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
33 | } |
34 | ||
6366bdd9 | 35 | if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) { |
7c293999 MC |
36 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
37 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b | 38 | } |
6366bdd9 | 39 | ciph_ctx = rl->enc_ctx; |
50023e9b | 40 | |
6366bdd9 MC |
41 | rl->md_ctx = EVP_MD_CTX_new(); |
42 | if (rl->md_ctx == NULL) { | |
7c293999 MC |
43 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
44 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b | 45 | } |
a8572674 MC |
46 | |
47 | if ((md != NULL && EVP_DigestInit_ex(rl->md_ctx, md, NULL) <= 0)) { | |
48 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); | |
49 | return OSSL_RECORD_RETURN_FATAL; | |
50 | } | |
51 | ||
50023e9b MC |
52 | #ifndef OPENSSL_NO_COMP |
53 | if (comp != NULL) { | |
1e76110b | 54 | rl->compctx = COMP_CTX_new(comp); |
9251c3c4 | 55 | if (rl->compctx == NULL) { |
7c293999 MC |
56 | ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR); |
57 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
58 | } |
59 | } | |
60 | #endif | |
61 | ||
a8572674 | 62 | if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, iv, enc)) { |
7c293999 MC |
63 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
64 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
65 | } |
66 | ||
afcc12c4 MC |
67 | /* |
68 | * The cipher we actually ended up using in the EVP_CIPHER_CTX may be | |
69 | * different to that in ciph if we have an ENGINE in use | |
70 | */ | |
71 | if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(ciph_ctx)) != NULL | |
7f2f0ac7 | 72 | && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) { |
1704961c | 73 | /* ERR_raise already called */ |
7c293999 | 74 | return OSSL_RECORD_RETURN_FATAL; |
50023e9b MC |
75 | } |
76 | ||
77 | if (mackeylen > sizeof(rl->mac_secret)) { | |
7c293999 MC |
78 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
79 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
80 | } |
81 | memcpy(rl->mac_secret, mackey, mackeylen); | |
82 | ||
7c293999 | 83 | return OSSL_RECORD_RETURN_SUCCESS; |
50023e9b MC |
84 | } |
85 | ||
86 | /* | |
87 | * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal | |
88 | * on internal error, but not otherwise. It is the responsibility of the caller | |
89 | * to report a bad_record_mac | |
90 | * | |
91 | * Returns: | |
92 | * 0: if the record is publicly invalid, or an internal error | |
93 | * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised) | |
94 | */ | |
22094d11 MC |
95 | static int ssl3_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *inrecs, |
96 | size_t n_recs, int sending, SSL_MAC_BUF *mac, | |
97 | size_t macsize) | |
50023e9b | 98 | { |
22094d11 | 99 | TLS_RL_RECORD *rec; |
50023e9b MC |
100 | EVP_CIPHER_CTX *ds; |
101 | size_t l, i; | |
102 | size_t bs; | |
103 | const EVP_CIPHER *enc; | |
104 | int provided; | |
105 | ||
106 | rec = inrecs; | |
107 | /* | |
108 | * We shouldn't ever be called with more than one record in the SSLv3 case | |
109 | */ | |
110 | if (n_recs != 1) | |
111 | return 0; | |
6366bdd9 MC |
112 | |
113 | ds = rl->enc_ctx; | |
35bcac13 TM |
114 | if (ds == NULL || (enc = EVP_CIPHER_CTX_get0_cipher(ds)) == NULL) |
115 | return 0; | |
50023e9b MC |
116 | |
117 | provided = (EVP_CIPHER_get0_provider(enc) != NULL); | |
118 | ||
119 | l = rec->length; | |
120 | bs = EVP_CIPHER_CTX_get_block_size(ds); | |
121 | ||
6f22bcd6 NH |
122 | if (bs == 0) |
123 | return 0; | |
124 | ||
50023e9b MC |
125 | /* COMPRESS */ |
126 | ||
127 | if ((bs != 1) && sending && !provided) { | |
128 | /* | |
1704961c MC |
129 | * We only do this for legacy ciphers. Provided ciphers add the |
130 | * padding on the provider side. | |
131 | */ | |
50023e9b MC |
132 | i = bs - (l % bs); |
133 | ||
134 | /* we need to add 'i-1' padding bytes */ | |
135 | l += i; | |
136 | /* | |
1704961c MC |
137 | * the last of these zero bytes will be overwritten with the |
138 | * padding length. | |
139 | */ | |
50023e9b MC |
140 | memset(&rec->input[rec->length], 0, i); |
141 | rec->length += i; | |
142 | rec->input[l - 1] = (unsigned char)(i - 1); | |
143 | } | |
144 | ||
145 | if (!sending) { | |
146 | if (l == 0 || l % bs != 0) { | |
147 | /* Publicly invalid */ | |
148 | return 0; | |
149 | } | |
150 | /* otherwise, rec->length >= bs */ | |
151 | } | |
152 | ||
153 | if (provided) { | |
154 | int outlen; | |
155 | ||
156 | if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input, | |
1704961c | 157 | (unsigned int)l)) |
50023e9b MC |
158 | return 0; |
159 | rec->length = outlen; | |
160 | ||
161 | if (!sending && mac != NULL) { | |
162 | /* Now get a pointer to the MAC */ | |
163 | OSSL_PARAM params[2], *p = params; | |
164 | ||
165 | /* Get the MAC */ | |
166 | mac->alloced = 0; | |
167 | ||
168 | *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC, | |
1704961c MC |
169 | (void **)&mac->mac, |
170 | macsize); | |
50023e9b MC |
171 | *p = OSSL_PARAM_construct_end(); |
172 | ||
173 | if (!EVP_CIPHER_CTX_get_params(ds, params)) { | |
174 | /* Shouldn't normally happen */ | |
175 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
176 | return 0; | |
177 | } | |
178 | } | |
179 | } else { | |
180 | if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) { | |
181 | /* Shouldn't happen */ | |
182 | RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR); | |
183 | return 0; | |
184 | } | |
185 | ||
186 | if (!sending) | |
187 | return ssl3_cbc_remove_padding_and_mac(&rec->length, | |
188 | rec->orig_len, | |
189 | rec->data, | |
190 | (mac != NULL) ? &mac->mac : NULL, | |
191 | (mac != NULL) ? &mac->alloced : NULL, | |
192 | bs, | |
193 | macsize, | |
194 | rl->libctx); | |
195 | } | |
196 | ||
197 | return 1; | |
198 | } | |
199 | ||
200 | static const unsigned char ssl3_pad_1[48] = { | |
201 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, | |
202 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, | |
203 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, | |
204 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, | |
205 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, | |
206 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 | |
207 | }; | |
208 | ||
209 | static const unsigned char ssl3_pad_2[48] = { | |
210 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, | |
211 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, | |
212 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, | |
213 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, | |
214 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, | |
215 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c | |
216 | }; | |
217 | ||
22094d11 | 218 | static int ssl3_mac(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec, unsigned char *md, |
8124ab56 | 219 | int sending) |
50023e9b | 220 | { |
0755722c | 221 | unsigned char *mac_sec, *seq = rl->sequence; |
50023e9b MC |
222 | const EVP_MD_CTX *hash; |
223 | unsigned char *p, rec_char; | |
224 | size_t md_size; | |
225 | size_t npad; | |
226 | int t; | |
227 | ||
6366bdd9 MC |
228 | mac_sec = &(rl->mac_secret[0]); |
229 | hash = rl->md_ctx; | |
50023e9b MC |
230 | |
231 | t = EVP_MD_CTX_get_size(hash); | |
624efd2b | 232 | if (t <= 0) |
50023e9b MC |
233 | return 0; |
234 | md_size = t; | |
235 | npad = (48 / md_size) * md_size; | |
236 | ||
237 | if (!sending | |
6366bdd9 | 238 | && EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE |
50023e9b MC |
239 | && ssl3_cbc_record_digest_supported(hash)) { |
240 | #ifdef OPENSSL_NO_DEPRECATED_3_0 | |
241 | return 0; | |
242 | #else | |
243 | /* | |
244 | * This is a CBC-encrypted record. We must avoid leaking any | |
245 | * timing-side channel information about how many blocks of data we | |
246 | * are hashing because that gives an attacker a timing-oracle. | |
247 | */ | |
248 | ||
249 | /*- | |
250 | * npad is, at most, 48 bytes and that's with MD5: | |
251 | * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. | |
252 | * | |
253 | * With SHA-1 (the largest hash speced for SSLv3) the hash size | |
254 | * goes up 4, but npad goes down by 8, resulting in a smaller | |
255 | * total size. | |
256 | */ | |
257 | unsigned char header[75]; | |
258 | size_t j = 0; | |
259 | memcpy(header + j, mac_sec, md_size); | |
260 | j += md_size; | |
261 | memcpy(header + j, ssl3_pad_1, npad); | |
262 | j += npad; | |
263 | memcpy(header + j, seq, 8); | |
264 | j += 8; | |
265 | header[j++] = rec->type; | |
266 | header[j++] = (unsigned char)(rec->length >> 8); | |
267 | header[j++] = (unsigned char)(rec->length & 0xff); | |
268 | ||
269 | /* Final param == is SSLv3 */ | |
270 | if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash), | |
271 | md, &md_size, | |
272 | header, rec->input, | |
273 | rec->length, rec->orig_len, | |
274 | mac_sec, md_size, 1) <= 0) | |
275 | return 0; | |
276 | #endif | |
277 | } else { | |
278 | unsigned int md_size_u; | |
279 | /* Chop the digest off the end :-) */ | |
280 | EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); | |
281 | ||
282 | if (md_ctx == NULL) | |
283 | return 0; | |
284 | ||
285 | rec_char = rec->type; | |
286 | p = md; | |
287 | s2n(rec->length, p); | |
288 | if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0 | |
289 | || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0 | |
290 | || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0 | |
291 | || EVP_DigestUpdate(md_ctx, seq, 8) <= 0 | |
292 | || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0 | |
293 | || EVP_DigestUpdate(md_ctx, md, 2) <= 0 | |
294 | || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0 | |
295 | || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0 | |
296 | || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0 | |
297 | || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0 | |
298 | || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0 | |
299 | || EVP_DigestUpdate(md_ctx, md, md_size) <= 0 | |
300 | || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) { | |
301 | EVP_MD_CTX_free(md_ctx); | |
302 | return 0; | |
303 | } | |
304 | ||
305 | EVP_MD_CTX_free(md_ctx); | |
306 | } | |
307 | ||
bed07b18 MC |
308 | if (!tls_increment_sequence_ctr(rl)) |
309 | return 0; | |
310 | ||
50023e9b MC |
311 | return 1; |
312 | } | |
313 | ||
89dd87e1 | 314 | const struct record_functions_st ssl_3_0_funcs = { |
50023e9b MC |
315 | ssl3_set_crypto_state, |
316 | ssl3_cipher, | |
1853d20a MC |
317 | ssl3_mac, |
318 | tls_default_set_protocol_version, | |
bafe524b MC |
319 | tls_default_read_n, |
320 | tls_get_more_records, | |
1853d20a | 321 | tls_default_validate_record_header, |
bafe524b MC |
322 | tls_default_post_process_record, |
323 | tls_get_max_records_default, | |
91fe8ff0 MC |
324 | tls_write_records_default, |
325 | /* These 2 functions are defined in tls1_meth.c */ | |
326 | tls1_allocate_write_buffers, | |
7ca61d63 | 327 | tls1_initialise_write_packets, |
aca70ca8 | 328 | NULL, |
2582de25 | 329 | tls_prepare_record_header_default, |
757ef3ba | 330 | NULL, |
2a354d54 | 331 | tls_prepare_for_encryption_default, |
ace38195 MC |
332 | tls_post_encryption_processing_default, |
333 | NULL | |
50023e9b | 334 | }; |