]>
Commit | Line | Data |
---|---|---|
50023e9b | 1 | /* |
da1c088f | 2 | * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. |
50023e9b MC |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <openssl/evp.h> | |
11 | #include <openssl/core_names.h> | |
25624c90 | 12 | #include "internal/ssl3_cbc.h" |
50023e9b MC |
13 | #include "../../ssl_local.h" |
14 | #include "../record_local.h" | |
15 | #include "recmethod_local.h" | |
16 | ||
50023e9b MC |
17 | static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, |
18 | unsigned char *key, size_t keylen, | |
19 | unsigned char *iv, size_t ivlen, | |
20 | unsigned char *mackey, size_t mackeylen, | |
21 | const EVP_CIPHER *ciph, | |
22 | size_t taglen, | |
50023e9b MC |
23 | int mactype, |
24 | const EVP_MD *md, | |
1e76110b | 25 | COMP_METHOD *comp) |
50023e9b MC |
26 | { |
27 | EVP_CIPHER_CTX *ciph_ctx; | |
a8572674 | 28 | int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0; |
50023e9b MC |
29 | |
30 | if (md == NULL) { | |
7c293999 MC |
31 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
32 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
33 | } |
34 | ||
6366bdd9 | 35 | if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) { |
7c293999 MC |
36 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
37 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b | 38 | } |
6366bdd9 | 39 | ciph_ctx = rl->enc_ctx; |
50023e9b | 40 | |
6366bdd9 MC |
41 | rl->md_ctx = EVP_MD_CTX_new(); |
42 | if (rl->md_ctx == NULL) { | |
7c293999 MC |
43 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
44 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b | 45 | } |
a8572674 MC |
46 | |
47 | if ((md != NULL && EVP_DigestInit_ex(rl->md_ctx, md, NULL) <= 0)) { | |
48 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); | |
49 | return OSSL_RECORD_RETURN_FATAL; | |
50 | } | |
51 | ||
50023e9b MC |
52 | #ifndef OPENSSL_NO_COMP |
53 | if (comp != NULL) { | |
1e76110b | 54 | rl->compctx = COMP_CTX_new(comp); |
9251c3c4 | 55 | if (rl->compctx == NULL) { |
7c293999 MC |
56 | ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR); |
57 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
58 | } |
59 | } | |
60 | #endif | |
61 | ||
a8572674 | 62 | if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, iv, enc)) { |
7c293999 MC |
63 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
64 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
65 | } |
66 | ||
afcc12c4 MC |
67 | /* |
68 | * The cipher we actually ended up using in the EVP_CIPHER_CTX may be | |
69 | * different to that in ciph if we have an ENGINE in use | |
70 | */ | |
71 | if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(ciph_ctx)) != NULL | |
7f2f0ac7 | 72 | && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) { |
1704961c | 73 | /* ERR_raise already called */ |
7c293999 | 74 | return OSSL_RECORD_RETURN_FATAL; |
50023e9b MC |
75 | } |
76 | ||
77 | if (mackeylen > sizeof(rl->mac_secret)) { | |
7c293999 MC |
78 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
79 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
80 | } |
81 | memcpy(rl->mac_secret, mackey, mackeylen); | |
82 | ||
7c293999 | 83 | return OSSL_RECORD_RETURN_SUCCESS; |
50023e9b MC |
84 | } |
85 | ||
86 | /* | |
87 | * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal | |
88 | * on internal error, but not otherwise. It is the responsibility of the caller | |
89 | * to report a bad_record_mac | |
90 | * | |
91 | * Returns: | |
92 | * 0: if the record is publicly invalid, or an internal error | |
93 | * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised) | |
94 | */ | |
22094d11 MC |
95 | static int ssl3_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *inrecs, |
96 | size_t n_recs, int sending, SSL_MAC_BUF *mac, | |
97 | size_t macsize) | |
50023e9b | 98 | { |
22094d11 | 99 | TLS_RL_RECORD *rec; |
50023e9b MC |
100 | EVP_CIPHER_CTX *ds; |
101 | size_t l, i; | |
102 | size_t bs; | |
103 | const EVP_CIPHER *enc; | |
104 | int provided; | |
105 | ||
106 | rec = inrecs; | |
107 | /* | |
108 | * We shouldn't ever be called with more than one record in the SSLv3 case | |
109 | */ | |
110 | if (n_recs != 1) | |
111 | return 0; | |
6366bdd9 MC |
112 | |
113 | ds = rl->enc_ctx; | |
35bcac13 TM |
114 | if (ds == NULL || (enc = EVP_CIPHER_CTX_get0_cipher(ds)) == NULL) |
115 | return 0; | |
50023e9b MC |
116 | |
117 | provided = (EVP_CIPHER_get0_provider(enc) != NULL); | |
118 | ||
119 | l = rec->length; | |
120 | bs = EVP_CIPHER_CTX_get_block_size(ds); | |
121 | ||
122 | /* COMPRESS */ | |
123 | ||
124 | if ((bs != 1) && sending && !provided) { | |
125 | /* | |
1704961c MC |
126 | * We only do this for legacy ciphers. Provided ciphers add the |
127 | * padding on the provider side. | |
128 | */ | |
50023e9b MC |
129 | i = bs - (l % bs); |
130 | ||
131 | /* we need to add 'i-1' padding bytes */ | |
132 | l += i; | |
133 | /* | |
1704961c MC |
134 | * the last of these zero bytes will be overwritten with the |
135 | * padding length. | |
136 | */ | |
50023e9b MC |
137 | memset(&rec->input[rec->length], 0, i); |
138 | rec->length += i; | |
139 | rec->input[l - 1] = (unsigned char)(i - 1); | |
140 | } | |
141 | ||
142 | if (!sending) { | |
143 | if (l == 0 || l % bs != 0) { | |
144 | /* Publicly invalid */ | |
145 | return 0; | |
146 | } | |
147 | /* otherwise, rec->length >= bs */ | |
148 | } | |
149 | ||
150 | if (provided) { | |
151 | int outlen; | |
152 | ||
153 | if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input, | |
1704961c | 154 | (unsigned int)l)) |
50023e9b MC |
155 | return 0; |
156 | rec->length = outlen; | |
157 | ||
158 | if (!sending && mac != NULL) { | |
159 | /* Now get a pointer to the MAC */ | |
160 | OSSL_PARAM params[2], *p = params; | |
161 | ||
162 | /* Get the MAC */ | |
163 | mac->alloced = 0; | |
164 | ||
165 | *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC, | |
1704961c MC |
166 | (void **)&mac->mac, |
167 | macsize); | |
50023e9b MC |
168 | *p = OSSL_PARAM_construct_end(); |
169 | ||
170 | if (!EVP_CIPHER_CTX_get_params(ds, params)) { | |
171 | /* Shouldn't normally happen */ | |
172 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
173 | return 0; | |
174 | } | |
175 | } | |
176 | } else { | |
177 | if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) { | |
178 | /* Shouldn't happen */ | |
179 | RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR); | |
180 | return 0; | |
181 | } | |
182 | ||
183 | if (!sending) | |
184 | return ssl3_cbc_remove_padding_and_mac(&rec->length, | |
185 | rec->orig_len, | |
186 | rec->data, | |
187 | (mac != NULL) ? &mac->mac : NULL, | |
188 | (mac != NULL) ? &mac->alloced : NULL, | |
189 | bs, | |
190 | macsize, | |
191 | rl->libctx); | |
192 | } | |
193 | ||
194 | return 1; | |
195 | } | |
196 | ||
197 | static const unsigned char ssl3_pad_1[48] = { | |
198 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, | |
199 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, | |
200 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, | |
201 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, | |
202 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, | |
203 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 | |
204 | }; | |
205 | ||
206 | static const unsigned char ssl3_pad_2[48] = { | |
207 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, | |
208 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, | |
209 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, | |
210 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, | |
211 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, | |
212 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c | |
213 | }; | |
214 | ||
22094d11 | 215 | static int ssl3_mac(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec, unsigned char *md, |
8124ab56 | 216 | int sending) |
50023e9b | 217 | { |
0755722c | 218 | unsigned char *mac_sec, *seq = rl->sequence; |
50023e9b MC |
219 | const EVP_MD_CTX *hash; |
220 | unsigned char *p, rec_char; | |
221 | size_t md_size; | |
222 | size_t npad; | |
223 | int t; | |
224 | ||
6366bdd9 MC |
225 | mac_sec = &(rl->mac_secret[0]); |
226 | hash = rl->md_ctx; | |
50023e9b MC |
227 | |
228 | t = EVP_MD_CTX_get_size(hash); | |
624efd2b | 229 | if (t <= 0) |
50023e9b MC |
230 | return 0; |
231 | md_size = t; | |
232 | npad = (48 / md_size) * md_size; | |
233 | ||
234 | if (!sending | |
6366bdd9 | 235 | && EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE |
50023e9b MC |
236 | && ssl3_cbc_record_digest_supported(hash)) { |
237 | #ifdef OPENSSL_NO_DEPRECATED_3_0 | |
238 | return 0; | |
239 | #else | |
240 | /* | |
241 | * This is a CBC-encrypted record. We must avoid leaking any | |
242 | * timing-side channel information about how many blocks of data we | |
243 | * are hashing because that gives an attacker a timing-oracle. | |
244 | */ | |
245 | ||
246 | /*- | |
247 | * npad is, at most, 48 bytes and that's with MD5: | |
248 | * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. | |
249 | * | |
250 | * With SHA-1 (the largest hash speced for SSLv3) the hash size | |
251 | * goes up 4, but npad goes down by 8, resulting in a smaller | |
252 | * total size. | |
253 | */ | |
254 | unsigned char header[75]; | |
255 | size_t j = 0; | |
256 | memcpy(header + j, mac_sec, md_size); | |
257 | j += md_size; | |
258 | memcpy(header + j, ssl3_pad_1, npad); | |
259 | j += npad; | |
260 | memcpy(header + j, seq, 8); | |
261 | j += 8; | |
262 | header[j++] = rec->type; | |
263 | header[j++] = (unsigned char)(rec->length >> 8); | |
264 | header[j++] = (unsigned char)(rec->length & 0xff); | |
265 | ||
266 | /* Final param == is SSLv3 */ | |
267 | if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash), | |
268 | md, &md_size, | |
269 | header, rec->input, | |
270 | rec->length, rec->orig_len, | |
271 | mac_sec, md_size, 1) <= 0) | |
272 | return 0; | |
273 | #endif | |
274 | } else { | |
275 | unsigned int md_size_u; | |
276 | /* Chop the digest off the end :-) */ | |
277 | EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); | |
278 | ||
279 | if (md_ctx == NULL) | |
280 | return 0; | |
281 | ||
282 | rec_char = rec->type; | |
283 | p = md; | |
284 | s2n(rec->length, p); | |
285 | if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0 | |
286 | || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0 | |
287 | || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0 | |
288 | || EVP_DigestUpdate(md_ctx, seq, 8) <= 0 | |
289 | || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0 | |
290 | || EVP_DigestUpdate(md_ctx, md, 2) <= 0 | |
291 | || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0 | |
292 | || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0 | |
293 | || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0 | |
294 | || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0 | |
295 | || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0 | |
296 | || EVP_DigestUpdate(md_ctx, md, md_size) <= 0 | |
297 | || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) { | |
298 | EVP_MD_CTX_free(md_ctx); | |
299 | return 0; | |
300 | } | |
301 | ||
302 | EVP_MD_CTX_free(md_ctx); | |
303 | } | |
304 | ||
bed07b18 MC |
305 | if (!tls_increment_sequence_ctr(rl)) |
306 | return 0; | |
307 | ||
50023e9b MC |
308 | return 1; |
309 | } | |
310 | ||
311 | struct record_functions_st ssl_3_0_funcs = { | |
312 | ssl3_set_crypto_state, | |
313 | ssl3_cipher, | |
1853d20a MC |
314 | ssl3_mac, |
315 | tls_default_set_protocol_version, | |
bafe524b MC |
316 | tls_default_read_n, |
317 | tls_get_more_records, | |
1853d20a | 318 | tls_default_validate_record_header, |
bafe524b MC |
319 | tls_default_post_process_record, |
320 | tls_get_max_records_default, | |
91fe8ff0 MC |
321 | tls_write_records_default, |
322 | /* These 2 functions are defined in tls1_meth.c */ | |
323 | tls1_allocate_write_buffers, | |
7ca61d63 | 324 | tls1_initialise_write_packets, |
aca70ca8 | 325 | NULL, |
2582de25 | 326 | tls_prepare_record_header_default, |
757ef3ba | 327 | NULL, |
2a354d54 | 328 | tls_prepare_for_encryption_default, |
ace38195 MC |
329 | tls_post_encryption_processing_default, |
330 | NULL | |
50023e9b | 331 | }; |