2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "../../ssl_local.h"
13 #include "../record_local.h"
14 #include "recmethod_local.h"
16 static int ssl3_set_crypto_state(OSSL_RECORD_LAYER
*rl
, int level
,
17 unsigned char *key
, size_t keylen
,
18 unsigned char *iv
, size_t ivlen
,
19 unsigned char *mackey
, size_t mackeylen
,
20 const EVP_CIPHER
*ciph
,
26 EVP_CIPHER_CTX
*ciph_ctx
;
27 int enc
= (rl
->direction
== OSSL_RECORD_DIRECTION_WRITE
) ? 1 : 0;
30 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
31 return OSSL_RECORD_RETURN_FATAL
;
34 if ((rl
->enc_ctx
= EVP_CIPHER_CTX_new()) == NULL
) {
35 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
36 return OSSL_RECORD_RETURN_FATAL
;
38 ciph_ctx
= rl
->enc_ctx
;
40 rl
->md_ctx
= EVP_MD_CTX_new();
41 if (rl
->md_ctx
== NULL
) {
42 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
43 return OSSL_RECORD_RETURN_FATAL
;
46 if ((md
!= NULL
&& EVP_DigestInit_ex(rl
->md_ctx
, md
, NULL
) <= 0)) {
47 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
48 return OSSL_RECORD_RETURN_FATAL
;
51 #ifndef OPENSSL_NO_COMP
53 rl
->compctx
= COMP_CTX_new(comp
);
54 if (rl
->compctx
== NULL
) {
55 ERR_raise(ERR_LIB_SSL
, SSL_R_COMPRESSION_LIBRARY_ERROR
);
56 return OSSL_RECORD_RETURN_FATAL
;
61 if (!EVP_CipherInit_ex(ciph_ctx
, ciph
, NULL
, key
, iv
, enc
)) {
62 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
63 return OSSL_RECORD_RETURN_FATAL
;
66 if (EVP_CIPHER_get0_provider(ciph
) != NULL
67 && !ossl_set_tls_provider_parameters(rl
, ciph_ctx
, ciph
, md
)) {
68 /* ERR_raise already called */
69 return OSSL_RECORD_RETURN_FATAL
;
72 if (mackeylen
> sizeof(rl
->mac_secret
)) {
73 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
74 return OSSL_RECORD_RETURN_FATAL
;
76 memcpy(rl
->mac_secret
, mackey
, mackeylen
);
78 return OSSL_RECORD_RETURN_SUCCESS
;
82 * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal
83 * on internal error, but not otherwise. It is the responsibility of the caller
84 * to report a bad_record_mac
87 * 0: if the record is publicly invalid, or an internal error
88 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
90 static int ssl3_cipher(OSSL_RECORD_LAYER
*rl
, TLS_RL_RECORD
*inrecs
,
91 size_t n_recs
, int sending
, SSL_MAC_BUF
*mac
,
98 const EVP_CIPHER
*enc
;
103 * We shouldn't ever be called with more than one record in the SSLv3 case
109 if (ds
== NULL
|| (enc
= EVP_CIPHER_CTX_get0_cipher(ds
)) == NULL
)
112 provided
= (EVP_CIPHER_get0_provider(enc
) != NULL
);
115 bs
= EVP_CIPHER_CTX_get_block_size(ds
);
119 if ((bs
!= 1) && sending
&& !provided
) {
121 * We only do this for legacy ciphers. Provided ciphers add the
122 * padding on the provider side.
126 /* we need to add 'i-1' padding bytes */
129 * the last of these zero bytes will be overwritten with the
132 memset(&rec
->input
[rec
->length
], 0, i
);
134 rec
->input
[l
- 1] = (unsigned char)(i
- 1);
138 if (l
== 0 || l
% bs
!= 0) {
139 /* Publicly invalid */
142 /* otherwise, rec->length >= bs */
148 if (!EVP_CipherUpdate(ds
, rec
->data
, &outlen
, rec
->input
,
151 rec
->length
= outlen
;
153 if (!sending
&& mac
!= NULL
) {
154 /* Now get a pointer to the MAC */
155 OSSL_PARAM params
[2], *p
= params
;
160 *p
++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC
,
163 *p
= OSSL_PARAM_construct_end();
165 if (!EVP_CIPHER_CTX_get_params(ds
, params
)) {
166 /* Shouldn't normally happen */
167 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
172 if (EVP_Cipher(ds
, rec
->data
, rec
->input
, (unsigned int)l
) < 1) {
173 /* Shouldn't happen */
174 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
, ERR_R_INTERNAL_ERROR
);
179 return ssl3_cbc_remove_padding_and_mac(&rec
->length
,
182 (mac
!= NULL
) ? &mac
->mac
: NULL
,
183 (mac
!= NULL
) ? &mac
->alloced
: NULL
,
192 static const unsigned char ssl3_pad_1
[48] = {
193 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
194 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
195 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
196 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
197 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
198 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
201 static const unsigned char ssl3_pad_2
[48] = {
202 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
203 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
204 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
205 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
206 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
207 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
210 static int ssl3_mac(OSSL_RECORD_LAYER
*rl
, TLS_RL_RECORD
*rec
, unsigned char *md
,
213 unsigned char *mac_sec
, *seq
= rl
->sequence
;
214 const EVP_MD_CTX
*hash
;
215 unsigned char *p
, rec_char
;
220 mac_sec
= &(rl
->mac_secret
[0]);
223 t
= EVP_MD_CTX_get_size(hash
);
227 npad
= (48 / md_size
) * md_size
;
230 && EVP_CIPHER_CTX_get_mode(rl
->enc_ctx
) == EVP_CIPH_CBC_MODE
231 && ssl3_cbc_record_digest_supported(hash
)) {
232 #ifdef OPENSSL_NO_DEPRECATED_3_0
236 * This is a CBC-encrypted record. We must avoid leaking any
237 * timing-side channel information about how many blocks of data we
238 * are hashing because that gives an attacker a timing-oracle.
242 * npad is, at most, 48 bytes and that's with MD5:
243 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
245 * With SHA-1 (the largest hash speced for SSLv3) the hash size
246 * goes up 4, but npad goes down by 8, resulting in a smaller
249 unsigned char header
[75];
251 memcpy(header
+ j
, mac_sec
, md_size
);
253 memcpy(header
+ j
, ssl3_pad_1
, npad
);
255 memcpy(header
+ j
, seq
, 8);
257 header
[j
++] = rec
->type
;
258 header
[j
++] = (unsigned char)(rec
->length
>> 8);
259 header
[j
++] = (unsigned char)(rec
->length
& 0xff);
261 /* Final param == is SSLv3 */
262 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash
),
265 rec
->length
, rec
->orig_len
,
266 mac_sec
, md_size
, 1) <= 0)
270 unsigned int md_size_u
;
271 /* Chop the digest off the end :-) */
272 EVP_MD_CTX
*md_ctx
= EVP_MD_CTX_new();
277 rec_char
= rec
->type
;
280 if (EVP_MD_CTX_copy_ex(md_ctx
, hash
) <= 0
281 || EVP_DigestUpdate(md_ctx
, mac_sec
, md_size
) <= 0
282 || EVP_DigestUpdate(md_ctx
, ssl3_pad_1
, npad
) <= 0
283 || EVP_DigestUpdate(md_ctx
, seq
, 8) <= 0
284 || EVP_DigestUpdate(md_ctx
, &rec_char
, 1) <= 0
285 || EVP_DigestUpdate(md_ctx
, md
, 2) <= 0
286 || EVP_DigestUpdate(md_ctx
, rec
->input
, rec
->length
) <= 0
287 || EVP_DigestFinal_ex(md_ctx
, md
, NULL
) <= 0
288 || EVP_MD_CTX_copy_ex(md_ctx
, hash
) <= 0
289 || EVP_DigestUpdate(md_ctx
, mac_sec
, md_size
) <= 0
290 || EVP_DigestUpdate(md_ctx
, ssl3_pad_2
, npad
) <= 0
291 || EVP_DigestUpdate(md_ctx
, md
, md_size
) <= 0
292 || EVP_DigestFinal_ex(md_ctx
, md
, &md_size_u
) <= 0) {
293 EVP_MD_CTX_free(md_ctx
);
297 EVP_MD_CTX_free(md_ctx
);
300 if (!tls_increment_sequence_ctr(rl
))
306 struct record_functions_st ssl_3_0_funcs
= {
307 ssl3_set_crypto_state
,
310 tls_default_set_protocol_version
,
312 tls_get_more_records
,
313 tls_default_validate_record_header
,
314 tls_default_post_process_record
,
315 tls_get_max_records_default
,
316 tls_write_records_default
,
317 /* These 2 functions are defined in tls1_meth.c */
318 tls1_allocate_write_buffers
,
319 tls1_initialise_write_packets
,
321 tls_prepare_record_header_default
,
323 tls_prepare_for_encryption_default
,
324 tls_post_encryption_processing_default
,