2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "../../ssl_local.h"
13 #include "../record_local.h"
14 #include "recmethod_local.h"
16 /* TODO(RECLAYER): Handle OPENSSL_NO_COMP */
17 static int ssl3_set_crypto_state(OSSL_RECORD_LAYER
*rl
, int level
,
18 unsigned char *key
, size_t keylen
,
19 unsigned char *iv
, size_t ivlen
,
20 unsigned char *mackey
, size_t mackeylen
,
21 const EVP_CIPHER
*ciph
,
23 /* TODO(RECLAYER): This probably should not be an int */
28 EVP_CIPHER_CTX
*ciph_ctx
;
31 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
32 return OSSL_RECORD_RETURN_FATAL
;
35 if ((rl
->enc_ctx
= EVP_CIPHER_CTX_new()) == NULL
) {
36 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
37 return OSSL_RECORD_RETURN_FATAL
;
39 ciph_ctx
= rl
->enc_ctx
;
41 rl
->md_ctx
= EVP_MD_CTX_new();
42 if (rl
->md_ctx
== NULL
) {
43 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
44 return OSSL_RECORD_RETURN_FATAL
;
46 #ifndef OPENSSL_NO_COMP
48 rl
->expand
= COMP_CTX_new(comp
->method
);
49 if (rl
->expand
== NULL
) {
50 ERR_raise(ERR_LIB_SSL
, SSL_R_COMPRESSION_LIBRARY_ERROR
);
51 return OSSL_RECORD_RETURN_FATAL
;
56 if (!EVP_DecryptInit_ex(ciph_ctx
, ciph
, NULL
, key
, iv
)) {
57 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
58 return OSSL_RECORD_RETURN_FATAL
;
61 if (EVP_CIPHER_get0_provider(ciph
) != NULL
62 && !ossl_set_tls_provider_parameters(rl
, ciph_ctx
, ciph
, md
)) {
63 return OSSL_RECORD_RETURN_FATAL
;
66 if (mackeylen
> sizeof(rl
->mac_secret
)) {
67 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
68 return OSSL_RECORD_RETURN_FATAL
;
70 memcpy(rl
->mac_secret
, mackey
, mackeylen
);
72 return OSSL_RECORD_RETURN_SUCCESS
;
76 * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal
77 * on internal error, but not otherwise. It is the responsibility of the caller
78 * to report a bad_record_mac
81 * 0: if the record is publicly invalid, or an internal error
82 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
84 static int ssl3_cipher(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*inrecs
, size_t n_recs
,
85 int sending
, SSL_MAC_BUF
*mac
, size_t macsize
)
91 const EVP_CIPHER
*enc
;
96 * We shouldn't ever be called with more than one record in the SSLv3 case
102 if (rl
->enc_ctx
== NULL
)
105 enc
= EVP_CIPHER_CTX_get0_cipher(rl
->enc_ctx
);
107 provided
= (EVP_CIPHER_get0_provider(enc
) != NULL
);
110 bs
= EVP_CIPHER_CTX_get_block_size(ds
);
114 if ((bs
!= 1) && sending
&& !provided
) {
116 * We only do this for legacy ciphers. Provided ciphers add the
117 * padding on the provider side.
121 /* we need to add 'i-1' padding bytes */
124 * the last of these zero bytes will be overwritten with the
127 memset(&rec
->input
[rec
->length
], 0, i
);
129 rec
->input
[l
- 1] = (unsigned char)(i
- 1);
133 if (l
== 0 || l
% bs
!= 0) {
134 /* Publicly invalid */
137 /* otherwise, rec->length >= bs */
143 if (!EVP_CipherUpdate(ds
, rec
->data
, &outlen
, rec
->input
,
146 rec
->length
= outlen
;
148 if (!sending
&& mac
!= NULL
) {
149 /* Now get a pointer to the MAC */
150 OSSL_PARAM params
[2], *p
= params
;
155 *p
++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC
,
158 *p
= OSSL_PARAM_construct_end();
160 if (!EVP_CIPHER_CTX_get_params(ds
, params
)) {
161 /* Shouldn't normally happen */
162 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
167 if (EVP_Cipher(ds
, rec
->data
, rec
->input
, (unsigned int)l
) < 1) {
168 /* Shouldn't happen */
169 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
, ERR_R_INTERNAL_ERROR
);
174 return ssl3_cbc_remove_padding_and_mac(&rec
->length
,
177 (mac
!= NULL
) ? &mac
->mac
: NULL
,
178 (mac
!= NULL
) ? &mac
->alloced
: NULL
,
187 static const unsigned char ssl3_pad_1
[48] = {
188 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
189 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
190 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
191 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
192 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
193 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
196 static const unsigned char ssl3_pad_2
[48] = {
197 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
198 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
199 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
200 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
201 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
202 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
205 static int ssl3_mac(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
, unsigned char *md
,
208 unsigned char *mac_sec
, *seq
= rl
->sequence
;
209 const EVP_MD_CTX
*hash
;
210 unsigned char *p
, rec_char
;
215 mac_sec
= &(rl
->mac_secret
[0]);
218 t
= EVP_MD_CTX_get_size(hash
);
222 npad
= (48 / md_size
) * md_size
;
225 && EVP_CIPHER_CTX_get_mode(rl
->enc_ctx
) == EVP_CIPH_CBC_MODE
226 && ssl3_cbc_record_digest_supported(hash
)) {
227 #ifdef OPENSSL_NO_DEPRECATED_3_0
231 * This is a CBC-encrypted record. We must avoid leaking any
232 * timing-side channel information about how many blocks of data we
233 * are hashing because that gives an attacker a timing-oracle.
237 * npad is, at most, 48 bytes and that's with MD5:
238 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
240 * With SHA-1 (the largest hash speced for SSLv3) the hash size
241 * goes up 4, but npad goes down by 8, resulting in a smaller
244 unsigned char header
[75];
246 memcpy(header
+ j
, mac_sec
, md_size
);
248 memcpy(header
+ j
, ssl3_pad_1
, npad
);
250 memcpy(header
+ j
, seq
, 8);
252 header
[j
++] = rec
->type
;
253 header
[j
++] = (unsigned char)(rec
->length
>> 8);
254 header
[j
++] = (unsigned char)(rec
->length
& 0xff);
256 /* Final param == is SSLv3 */
257 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash
),
260 rec
->length
, rec
->orig_len
,
261 mac_sec
, md_size
, 1) <= 0)
265 unsigned int md_size_u
;
266 /* Chop the digest off the end :-) */
267 EVP_MD_CTX
*md_ctx
= EVP_MD_CTX_new();
272 rec_char
= rec
->type
;
275 if (EVP_MD_CTX_copy_ex(md_ctx
, hash
) <= 0
276 || EVP_DigestUpdate(md_ctx
, mac_sec
, md_size
) <= 0
277 || EVP_DigestUpdate(md_ctx
, ssl3_pad_1
, npad
) <= 0
278 || EVP_DigestUpdate(md_ctx
, seq
, 8) <= 0
279 || EVP_DigestUpdate(md_ctx
, &rec_char
, 1) <= 0
280 || EVP_DigestUpdate(md_ctx
, md
, 2) <= 0
281 || EVP_DigestUpdate(md_ctx
, rec
->input
, rec
->length
) <= 0
282 || EVP_DigestFinal_ex(md_ctx
, md
, NULL
) <= 0
283 || EVP_MD_CTX_copy_ex(md_ctx
, hash
) <= 0
284 || EVP_DigestUpdate(md_ctx
, mac_sec
, md_size
) <= 0
285 || EVP_DigestUpdate(md_ctx
, ssl3_pad_2
, npad
) <= 0
286 || EVP_DigestUpdate(md_ctx
, md
, md_size
) <= 0
287 || EVP_DigestFinal_ex(md_ctx
, md
, &md_size_u
) <= 0) {
288 EVP_MD_CTX_free(md_ctx
);
292 EVP_MD_CTX_free(md_ctx
);
295 ssl3_record_sequence_update(seq
);
299 struct record_functions_st ssl_3_0_funcs
= {
300 ssl3_set_crypto_state
,
304 tls_default_set_protocol_version
,
305 tls_default_validate_record_header
,
306 tls_default_post_process_record