2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "internal/ssl3_cbc.h"
13 #include "../../ssl_local.h"
14 #include "../record_local.h"
15 #include "recmethod_local.h"
17 static int ssl3_set_crypto_state(OSSL_RECORD_LAYER
*rl
, int level
,
18 unsigned char *key
, size_t keylen
,
19 unsigned char *iv
, size_t ivlen
,
20 unsigned char *mackey
, size_t mackeylen
,
21 const EVP_CIPHER
*ciph
,
27 EVP_CIPHER_CTX
*ciph_ctx
;
28 int enc
= (rl
->direction
== OSSL_RECORD_DIRECTION_WRITE
) ? 1 : 0;
31 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
32 return OSSL_RECORD_RETURN_FATAL
;
35 if ((rl
->enc_ctx
= EVP_CIPHER_CTX_new()) == NULL
) {
36 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
37 return OSSL_RECORD_RETURN_FATAL
;
39 ciph_ctx
= rl
->enc_ctx
;
41 rl
->md_ctx
= EVP_MD_CTX_new();
42 if (rl
->md_ctx
== NULL
) {
43 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
44 return OSSL_RECORD_RETURN_FATAL
;
47 if ((md
!= NULL
&& EVP_DigestInit_ex(rl
->md_ctx
, md
, NULL
) <= 0)) {
48 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
49 return OSSL_RECORD_RETURN_FATAL
;
52 #ifndef OPENSSL_NO_COMP
54 rl
->compctx
= COMP_CTX_new(comp
);
55 if (rl
->compctx
== NULL
) {
56 ERR_raise(ERR_LIB_SSL
, SSL_R_COMPRESSION_LIBRARY_ERROR
);
57 return OSSL_RECORD_RETURN_FATAL
;
62 if (!EVP_CipherInit_ex(ciph_ctx
, ciph
, NULL
, key
, iv
, enc
)) {
63 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
64 return OSSL_RECORD_RETURN_FATAL
;
67 if (EVP_CIPHER_get0_provider(ciph
) != NULL
68 && !ossl_set_tls_provider_parameters(rl
, ciph_ctx
, ciph
, md
)) {
69 /* ERR_raise already called */
70 return OSSL_RECORD_RETURN_FATAL
;
73 if (mackeylen
> sizeof(rl
->mac_secret
)) {
74 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
75 return OSSL_RECORD_RETURN_FATAL
;
77 memcpy(rl
->mac_secret
, mackey
, mackeylen
);
79 return OSSL_RECORD_RETURN_SUCCESS
;
83 * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal
84 * on internal error, but not otherwise. It is the responsibility of the caller
85 * to report a bad_record_mac
88 * 0: if the record is publicly invalid, or an internal error
89 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
91 static int ssl3_cipher(OSSL_RECORD_LAYER
*rl
, TLS_RL_RECORD
*inrecs
,
92 size_t n_recs
, int sending
, SSL_MAC_BUF
*mac
,
99 const EVP_CIPHER
*enc
;
104 * We shouldn't ever be called with more than one record in the SSLv3 case
110 if (ds
== NULL
|| (enc
= EVP_CIPHER_CTX_get0_cipher(ds
)) == NULL
)
113 provided
= (EVP_CIPHER_get0_provider(enc
) != NULL
);
116 bs
= EVP_CIPHER_CTX_get_block_size(ds
);
120 if ((bs
!= 1) && sending
&& !provided
) {
122 * We only do this for legacy ciphers. Provided ciphers add the
123 * padding on the provider side.
127 /* we need to add 'i-1' padding bytes */
130 * the last of these zero bytes will be overwritten with the
133 memset(&rec
->input
[rec
->length
], 0, i
);
135 rec
->input
[l
- 1] = (unsigned char)(i
- 1);
139 if (l
== 0 || l
% bs
!= 0) {
140 /* Publicly invalid */
143 /* otherwise, rec->length >= bs */
149 if (!EVP_CipherUpdate(ds
, rec
->data
, &outlen
, rec
->input
,
152 rec
->length
= outlen
;
154 if (!sending
&& mac
!= NULL
) {
155 /* Now get a pointer to the MAC */
156 OSSL_PARAM params
[2], *p
= params
;
161 *p
++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC
,
164 *p
= OSSL_PARAM_construct_end();
166 if (!EVP_CIPHER_CTX_get_params(ds
, params
)) {
167 /* Shouldn't normally happen */
168 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
173 if (EVP_Cipher(ds
, rec
->data
, rec
->input
, (unsigned int)l
) < 1) {
174 /* Shouldn't happen */
175 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
, ERR_R_INTERNAL_ERROR
);
180 return ssl3_cbc_remove_padding_and_mac(&rec
->length
,
183 (mac
!= NULL
) ? &mac
->mac
: NULL
,
184 (mac
!= NULL
) ? &mac
->alloced
: NULL
,
193 static const unsigned char ssl3_pad_1
[48] = {
194 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
195 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
196 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
197 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
198 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
199 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
202 static const unsigned char ssl3_pad_2
[48] = {
203 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
204 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
205 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
206 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
207 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
208 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
211 static int ssl3_mac(OSSL_RECORD_LAYER
*rl
, TLS_RL_RECORD
*rec
, unsigned char *md
,
214 unsigned char *mac_sec
, *seq
= rl
->sequence
;
215 const EVP_MD_CTX
*hash
;
216 unsigned char *p
, rec_char
;
221 mac_sec
= &(rl
->mac_secret
[0]);
224 t
= EVP_MD_CTX_get_size(hash
);
228 npad
= (48 / md_size
) * md_size
;
231 && EVP_CIPHER_CTX_get_mode(rl
->enc_ctx
) == EVP_CIPH_CBC_MODE
232 && ssl3_cbc_record_digest_supported(hash
)) {
233 #ifdef OPENSSL_NO_DEPRECATED_3_0
237 * This is a CBC-encrypted record. We must avoid leaking any
238 * timing-side channel information about how many blocks of data we
239 * are hashing because that gives an attacker a timing-oracle.
243 * npad is, at most, 48 bytes and that's with MD5:
244 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
246 * With SHA-1 (the largest hash speced for SSLv3) the hash size
247 * goes up 4, but npad goes down by 8, resulting in a smaller
250 unsigned char header
[75];
252 memcpy(header
+ j
, mac_sec
, md_size
);
254 memcpy(header
+ j
, ssl3_pad_1
, npad
);
256 memcpy(header
+ j
, seq
, 8);
258 header
[j
++] = rec
->type
;
259 header
[j
++] = (unsigned char)(rec
->length
>> 8);
260 header
[j
++] = (unsigned char)(rec
->length
& 0xff);
262 /* Final param == is SSLv3 */
263 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash
),
266 rec
->length
, rec
->orig_len
,
267 mac_sec
, md_size
, 1) <= 0)
271 unsigned int md_size_u
;
272 /* Chop the digest off the end :-) */
273 EVP_MD_CTX
*md_ctx
= EVP_MD_CTX_new();
278 rec_char
= rec
->type
;
281 if (EVP_MD_CTX_copy_ex(md_ctx
, hash
) <= 0
282 || EVP_DigestUpdate(md_ctx
, mac_sec
, md_size
) <= 0
283 || EVP_DigestUpdate(md_ctx
, ssl3_pad_1
, npad
) <= 0
284 || EVP_DigestUpdate(md_ctx
, seq
, 8) <= 0
285 || EVP_DigestUpdate(md_ctx
, &rec_char
, 1) <= 0
286 || EVP_DigestUpdate(md_ctx
, md
, 2) <= 0
287 || EVP_DigestUpdate(md_ctx
, rec
->input
, rec
->length
) <= 0
288 || EVP_DigestFinal_ex(md_ctx
, md
, NULL
) <= 0
289 || EVP_MD_CTX_copy_ex(md_ctx
, hash
) <= 0
290 || EVP_DigestUpdate(md_ctx
, mac_sec
, md_size
) <= 0
291 || EVP_DigestUpdate(md_ctx
, ssl3_pad_2
, npad
) <= 0
292 || EVP_DigestUpdate(md_ctx
, md
, md_size
) <= 0
293 || EVP_DigestFinal_ex(md_ctx
, md
, &md_size_u
) <= 0) {
294 EVP_MD_CTX_free(md_ctx
);
298 EVP_MD_CTX_free(md_ctx
);
301 if (!tls_increment_sequence_ctr(rl
))
307 struct record_functions_st ssl_3_0_funcs
= {
308 ssl3_set_crypto_state
,
311 tls_default_set_protocol_version
,
313 tls_get_more_records
,
314 tls_default_validate_record_header
,
315 tls_default_post_process_record
,
316 tls_get_max_records_default
,
317 tls_write_records_default
,
318 /* These 2 functions are defined in tls1_meth.c */
319 tls1_allocate_write_buffers
,
320 tls1_initialise_write_packets
,
322 tls_prepare_record_header_default
,
324 tls_prepare_for_encryption_default
,
325 tls_post_encryption_processing_default
,