]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/record/methods/ssl3_meth.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Rationalize FIPS sources
[thirdparty/openssl.git] / ssl / record / methods / ssl3_meth.c
1 /*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "internal/ssl3_cbc.h"
13 #include "../../ssl_local.h"
14 #include "../record_local.h"
15 #include "recmethod_local.h"
16
17 static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
18 unsigned char *key, size_t keylen,
19 unsigned char *iv, size_t ivlen,
20 unsigned char *mackey, size_t mackeylen,
21 const EVP_CIPHER *ciph,
22 size_t taglen,
23 int mactype,
24 const EVP_MD *md,
25 COMP_METHOD *comp)
26 {
27 EVP_CIPHER_CTX *ciph_ctx;
28 int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0;
29
30 if (md == NULL) {
31 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
32 return OSSL_RECORD_RETURN_FATAL;
33 }
34
35 if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) {
36 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
37 return OSSL_RECORD_RETURN_FATAL;
38 }
39 ciph_ctx = rl->enc_ctx;
40
41 rl->md_ctx = EVP_MD_CTX_new();
42 if (rl->md_ctx == NULL) {
43 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
44 return OSSL_RECORD_RETURN_FATAL;
45 }
46
47 if ((md != NULL && EVP_DigestInit_ex(rl->md_ctx, md, NULL) <= 0)) {
48 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
49 return OSSL_RECORD_RETURN_FATAL;
50 }
51
52 #ifndef OPENSSL_NO_COMP
53 if (comp != NULL) {
54 rl->compctx = COMP_CTX_new(comp);
55 if (rl->compctx == NULL) {
56 ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
57 return OSSL_RECORD_RETURN_FATAL;
58 }
59 }
60 #endif
61
62 if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, iv, enc)) {
63 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
64 return OSSL_RECORD_RETURN_FATAL;
65 }
66
67 if (EVP_CIPHER_get0_provider(ciph) != NULL
68 && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) {
69 /* ERR_raise already called */
70 return OSSL_RECORD_RETURN_FATAL;
71 }
72
73 if (mackeylen > sizeof(rl->mac_secret)) {
74 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
75 return OSSL_RECORD_RETURN_FATAL;
76 }
77 memcpy(rl->mac_secret, mackey, mackeylen);
78
79 return OSSL_RECORD_RETURN_SUCCESS;
80 }
81
82 /*
83 * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal
84 * on internal error, but not otherwise. It is the responsibility of the caller
85 * to report a bad_record_mac
86 *
87 * Returns:
88 * 0: if the record is publicly invalid, or an internal error
89 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
90 */
91 static int ssl3_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *inrecs,
92 size_t n_recs, int sending, SSL_MAC_BUF *mac,
93 size_t macsize)
94 {
95 TLS_RL_RECORD *rec;
96 EVP_CIPHER_CTX *ds;
97 size_t l, i;
98 size_t bs;
99 const EVP_CIPHER *enc;
100 int provided;
101
102 rec = inrecs;
103 /*
104 * We shouldn't ever be called with more than one record in the SSLv3 case
105 */
106 if (n_recs != 1)
107 return 0;
108
109 ds = rl->enc_ctx;
110 if (ds == NULL || (enc = EVP_CIPHER_CTX_get0_cipher(ds)) == NULL)
111 return 0;
112
113 provided = (EVP_CIPHER_get0_provider(enc) != NULL);
114
115 l = rec->length;
116 bs = EVP_CIPHER_CTX_get_block_size(ds);
117
118 /* COMPRESS */
119
120 if ((bs != 1) && sending && !provided) {
121 /*
122 * We only do this for legacy ciphers. Provided ciphers add the
123 * padding on the provider side.
124 */
125 i = bs - (l % bs);
126
127 /* we need to add 'i-1' padding bytes */
128 l += i;
129 /*
130 * the last of these zero bytes will be overwritten with the
131 * padding length.
132 */
133 memset(&rec->input[rec->length], 0, i);
134 rec->length += i;
135 rec->input[l - 1] = (unsigned char)(i - 1);
136 }
137
138 if (!sending) {
139 if (l == 0 || l % bs != 0) {
140 /* Publicly invalid */
141 return 0;
142 }
143 /* otherwise, rec->length >= bs */
144 }
145
146 if (provided) {
147 int outlen;
148
149 if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input,
150 (unsigned int)l))
151 return 0;
152 rec->length = outlen;
153
154 if (!sending && mac != NULL) {
155 /* Now get a pointer to the MAC */
156 OSSL_PARAM params[2], *p = params;
157
158 /* Get the MAC */
159 mac->alloced = 0;
160
161 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
162 (void **)&mac->mac,
163 macsize);
164 *p = OSSL_PARAM_construct_end();
165
166 if (!EVP_CIPHER_CTX_get_params(ds, params)) {
167 /* Shouldn't normally happen */
168 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
169 return 0;
170 }
171 }
172 } else {
173 if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) {
174 /* Shouldn't happen */
175 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR);
176 return 0;
177 }
178
179 if (!sending)
180 return ssl3_cbc_remove_padding_and_mac(&rec->length,
181 rec->orig_len,
182 rec->data,
183 (mac != NULL) ? &mac->mac : NULL,
184 (mac != NULL) ? &mac->alloced : NULL,
185 bs,
186 macsize,
187 rl->libctx);
188 }
189
190 return 1;
191 }
192
193 static const unsigned char ssl3_pad_1[48] = {
194 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
195 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
196 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
197 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
198 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
199 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
200 };
201
202 static const unsigned char ssl3_pad_2[48] = {
203 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
204 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
205 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
206 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
207 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
208 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
209 };
210
211 static int ssl3_mac(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec, unsigned char *md,
212 int sending)
213 {
214 unsigned char *mac_sec, *seq = rl->sequence;
215 const EVP_MD_CTX *hash;
216 unsigned char *p, rec_char;
217 size_t md_size;
218 size_t npad;
219 int t;
220
221 mac_sec = &(rl->mac_secret[0]);
222 hash = rl->md_ctx;
223
224 t = EVP_MD_CTX_get_size(hash);
225 if (t <= 0)
226 return 0;
227 md_size = t;
228 npad = (48 / md_size) * md_size;
229
230 if (!sending
231 && EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE
232 && ssl3_cbc_record_digest_supported(hash)) {
233 #ifdef OPENSSL_NO_DEPRECATED_3_0
234 return 0;
235 #else
236 /*
237 * This is a CBC-encrypted record. We must avoid leaking any
238 * timing-side channel information about how many blocks of data we
239 * are hashing because that gives an attacker a timing-oracle.
240 */
241
242 /*-
243 * npad is, at most, 48 bytes and that's with MD5:
244 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
245 *
246 * With SHA-1 (the largest hash speced for SSLv3) the hash size
247 * goes up 4, but npad goes down by 8, resulting in a smaller
248 * total size.
249 */
250 unsigned char header[75];
251 size_t j = 0;
252 memcpy(header + j, mac_sec, md_size);
253 j += md_size;
254 memcpy(header + j, ssl3_pad_1, npad);
255 j += npad;
256 memcpy(header + j, seq, 8);
257 j += 8;
258 header[j++] = rec->type;
259 header[j++] = (unsigned char)(rec->length >> 8);
260 header[j++] = (unsigned char)(rec->length & 0xff);
261
262 /* Final param == is SSLv3 */
263 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash),
264 md, &md_size,
265 header, rec->input,
266 rec->length, rec->orig_len,
267 mac_sec, md_size, 1) <= 0)
268 return 0;
269 #endif
270 } else {
271 unsigned int md_size_u;
272 /* Chop the digest off the end :-) */
273 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
274
275 if (md_ctx == NULL)
276 return 0;
277
278 rec_char = rec->type;
279 p = md;
280 s2n(rec->length, p);
281 if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
282 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
283 || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
284 || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
285 || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
286 || EVP_DigestUpdate(md_ctx, md, 2) <= 0
287 || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
288 || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
289 || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
290 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
291 || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
292 || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
293 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
294 EVP_MD_CTX_free(md_ctx);
295 return 0;
296 }
297
298 EVP_MD_CTX_free(md_ctx);
299 }
300
301 if (!tls_increment_sequence_ctr(rl))
302 return 0;
303
304 return 1;
305 }
306
307 struct record_functions_st ssl_3_0_funcs = {
308 ssl3_set_crypto_state,
309 ssl3_cipher,
310 ssl3_mac,
311 tls_default_set_protocol_version,
312 tls_default_read_n,
313 tls_get_more_records,
314 tls_default_validate_record_header,
315 tls_default_post_process_record,
316 tls_get_max_records_default,
317 tls_write_records_default,
318 /* These 2 functions are defined in tls1_meth.c */
319 tls1_allocate_write_buffers,
320 tls1_initialise_write_packets,
321 NULL,
322 tls_prepare_record_header_default,
323 NULL,
324 tls_prepare_for_encryption_default,
325 tls_post_encryption_processing_default,
326 NULL
327 };
A mirror of the official openssl repository