2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "../../ssl_local.h"
13 #include "../record_local.h"
14 #include "recmethod_local.h"
16 static int ssl3_set_crypto_state(OSSL_RECORD_LAYER
*rl
, int level
,
17 unsigned char *key
, size_t keylen
,
18 unsigned char *iv
, size_t ivlen
,
19 unsigned char *mackey
, size_t mackeylen
,
20 const EVP_CIPHER
*ciph
,
26 EVP_CIPHER_CTX
*ciph_ctx
;
27 int enc
= (rl
->direction
== OSSL_RECORD_DIRECTION_WRITE
) ? 1 : 0;
30 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
31 return OSSL_RECORD_RETURN_FATAL
;
34 if ((rl
->enc_ctx
= EVP_CIPHER_CTX_new()) == NULL
) {
35 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
36 return OSSL_RECORD_RETURN_FATAL
;
38 ciph_ctx
= rl
->enc_ctx
;
40 rl
->md_ctx
= EVP_MD_CTX_new();
41 if (rl
->md_ctx
== NULL
) {
42 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
43 return OSSL_RECORD_RETURN_FATAL
;
46 if ((md
!= NULL
&& EVP_DigestInit_ex(rl
->md_ctx
, md
, NULL
) <= 0)) {
47 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
48 return OSSL_RECORD_RETURN_FATAL
;
51 #ifndef OPENSSL_NO_COMP
53 rl
->compctx
= COMP_CTX_new(comp
);
54 if (rl
->compctx
== NULL
) {
55 ERR_raise(ERR_LIB_SSL
, SSL_R_COMPRESSION_LIBRARY_ERROR
);
56 return OSSL_RECORD_RETURN_FATAL
;
61 if (!EVP_CipherInit_ex(ciph_ctx
, ciph
, NULL
, key
, iv
, enc
)) {
62 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
63 return OSSL_RECORD_RETURN_FATAL
;
66 if (EVP_CIPHER_get0_provider(ciph
) != NULL
67 && !ossl_set_tls_provider_parameters(rl
, ciph_ctx
, ciph
, md
)) {
68 /* ERR_raise already called */
69 return OSSL_RECORD_RETURN_FATAL
;
72 if (mackeylen
> sizeof(rl
->mac_secret
)) {
73 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
74 return OSSL_RECORD_RETURN_FATAL
;
76 memcpy(rl
->mac_secret
, mackey
, mackeylen
);
78 return OSSL_RECORD_RETURN_SUCCESS
;
82 * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal
83 * on internal error, but not otherwise. It is the responsibility of the caller
84 * to report a bad_record_mac
87 * 0: if the record is publicly invalid, or an internal error
88 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
90 static int ssl3_cipher(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*inrecs
, size_t n_recs
,
91 int sending
, SSL_MAC_BUF
*mac
, size_t macsize
)
97 const EVP_CIPHER
*enc
;
102 * We shouldn't ever be called with more than one record in the SSLv3 case
108 if (ds
== NULL
|| (enc
= EVP_CIPHER_CTX_get0_cipher(ds
)) == NULL
)
111 provided
= (EVP_CIPHER_get0_provider(enc
) != NULL
);
114 bs
= EVP_CIPHER_CTX_get_block_size(ds
);
118 if ((bs
!= 1) && sending
&& !provided
) {
120 * We only do this for legacy ciphers. Provided ciphers add the
121 * padding on the provider side.
125 /* we need to add 'i-1' padding bytes */
128 * the last of these zero bytes will be overwritten with the
131 memset(&rec
->input
[rec
->length
], 0, i
);
133 rec
->input
[l
- 1] = (unsigned char)(i
- 1);
137 if (l
== 0 || l
% bs
!= 0) {
138 /* Publicly invalid */
141 /* otherwise, rec->length >= bs */
147 if (!EVP_CipherUpdate(ds
, rec
->data
, &outlen
, rec
->input
,
150 rec
->length
= outlen
;
152 if (!sending
&& mac
!= NULL
) {
153 /* Now get a pointer to the MAC */
154 OSSL_PARAM params
[2], *p
= params
;
159 *p
++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC
,
162 *p
= OSSL_PARAM_construct_end();
164 if (!EVP_CIPHER_CTX_get_params(ds
, params
)) {
165 /* Shouldn't normally happen */
166 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
171 if (EVP_Cipher(ds
, rec
->data
, rec
->input
, (unsigned int)l
) < 1) {
172 /* Shouldn't happen */
173 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
, ERR_R_INTERNAL_ERROR
);
178 return ssl3_cbc_remove_padding_and_mac(&rec
->length
,
181 (mac
!= NULL
) ? &mac
->mac
: NULL
,
182 (mac
!= NULL
) ? &mac
->alloced
: NULL
,
191 static const unsigned char ssl3_pad_1
[48] = {
192 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
193 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
194 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
195 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
196 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
197 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
200 static const unsigned char ssl3_pad_2
[48] = {
201 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
202 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
203 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
204 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
205 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
206 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
209 static int ssl3_mac(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
, unsigned char *md
,
212 unsigned char *mac_sec
, *seq
= rl
->sequence
;
213 const EVP_MD_CTX
*hash
;
214 unsigned char *p
, rec_char
;
219 mac_sec
= &(rl
->mac_secret
[0]);
222 t
= EVP_MD_CTX_get_size(hash
);
226 npad
= (48 / md_size
) * md_size
;
229 && EVP_CIPHER_CTX_get_mode(rl
->enc_ctx
) == EVP_CIPH_CBC_MODE
230 && ssl3_cbc_record_digest_supported(hash
)) {
231 #ifdef OPENSSL_NO_DEPRECATED_3_0
235 * This is a CBC-encrypted record. We must avoid leaking any
236 * timing-side channel information about how many blocks of data we
237 * are hashing because that gives an attacker a timing-oracle.
241 * npad is, at most, 48 bytes and that's with MD5:
242 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
244 * With SHA-1 (the largest hash speced for SSLv3) the hash size
245 * goes up 4, but npad goes down by 8, resulting in a smaller
248 unsigned char header
[75];
250 memcpy(header
+ j
, mac_sec
, md_size
);
252 memcpy(header
+ j
, ssl3_pad_1
, npad
);
254 memcpy(header
+ j
, seq
, 8);
256 header
[j
++] = rec
->type
;
257 header
[j
++] = (unsigned char)(rec
->length
>> 8);
258 header
[j
++] = (unsigned char)(rec
->length
& 0xff);
260 /* Final param == is SSLv3 */
261 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash
),
264 rec
->length
, rec
->orig_len
,
265 mac_sec
, md_size
, 1) <= 0)
269 unsigned int md_size_u
;
270 /* Chop the digest off the end :-) */
271 EVP_MD_CTX
*md_ctx
= EVP_MD_CTX_new();
276 rec_char
= rec
->type
;
279 if (EVP_MD_CTX_copy_ex(md_ctx
, hash
) <= 0
280 || EVP_DigestUpdate(md_ctx
, mac_sec
, md_size
) <= 0
281 || EVP_DigestUpdate(md_ctx
, ssl3_pad_1
, npad
) <= 0
282 || EVP_DigestUpdate(md_ctx
, seq
, 8) <= 0
283 || EVP_DigestUpdate(md_ctx
, &rec_char
, 1) <= 0
284 || EVP_DigestUpdate(md_ctx
, md
, 2) <= 0
285 || EVP_DigestUpdate(md_ctx
, rec
->input
, rec
->length
) <= 0
286 || EVP_DigestFinal_ex(md_ctx
, md
, NULL
) <= 0
287 || EVP_MD_CTX_copy_ex(md_ctx
, hash
) <= 0
288 || EVP_DigestUpdate(md_ctx
, mac_sec
, md_size
) <= 0
289 || EVP_DigestUpdate(md_ctx
, ssl3_pad_2
, npad
) <= 0
290 || EVP_DigestUpdate(md_ctx
, md
, md_size
) <= 0
291 || EVP_DigestFinal_ex(md_ctx
, md
, &md_size_u
) <= 0) {
292 EVP_MD_CTX_free(md_ctx
);
296 EVP_MD_CTX_free(md_ctx
);
299 ssl3_record_sequence_update(seq
);
303 struct record_functions_st ssl_3_0_funcs
= {
304 ssl3_set_crypto_state
,
307 tls_default_set_protocol_version
,
309 tls_get_more_records
,
310 tls_default_validate_record_header
,
311 tls_default_post_process_record
,
312 tls_get_max_records_default
,
313 tls_write_records_default