]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/record/methods/ssl3_meth.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Rename SSL3_RECORD to TLS_RL_RECORD
[thirdparty/openssl.git] / ssl / record / methods / ssl3_meth.c
1 /*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "../../ssl_local.h"
13 #include "../record_local.h"
14 #include "recmethod_local.h"
15
16 static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
17 unsigned char *key, size_t keylen,
18 unsigned char *iv, size_t ivlen,
19 unsigned char *mackey, size_t mackeylen,
20 const EVP_CIPHER *ciph,
21 size_t taglen,
22 int mactype,
23 const EVP_MD *md,
24 COMP_METHOD *comp)
25 {
26 EVP_CIPHER_CTX *ciph_ctx;
27 int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0;
28
29 if (md == NULL) {
30 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
31 return OSSL_RECORD_RETURN_FATAL;
32 }
33
34 if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) {
35 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
36 return OSSL_RECORD_RETURN_FATAL;
37 }
38 ciph_ctx = rl->enc_ctx;
39
40 rl->md_ctx = EVP_MD_CTX_new();
41 if (rl->md_ctx == NULL) {
42 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
43 return OSSL_RECORD_RETURN_FATAL;
44 }
45
46 if ((md != NULL && EVP_DigestInit_ex(rl->md_ctx, md, NULL) <= 0)) {
47 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
48 return OSSL_RECORD_RETURN_FATAL;
49 }
50
51 #ifndef OPENSSL_NO_COMP
52 if (comp != NULL) {
53 rl->compctx = COMP_CTX_new(comp);
54 if (rl->compctx == NULL) {
55 ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
56 return OSSL_RECORD_RETURN_FATAL;
57 }
58 }
59 #endif
60
61 if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, iv, enc)) {
62 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
63 return OSSL_RECORD_RETURN_FATAL;
64 }
65
66 if (EVP_CIPHER_get0_provider(ciph) != NULL
67 && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) {
68 /* ERR_raise already called */
69 return OSSL_RECORD_RETURN_FATAL;
70 }
71
72 if (mackeylen > sizeof(rl->mac_secret)) {
73 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
74 return OSSL_RECORD_RETURN_FATAL;
75 }
76 memcpy(rl->mac_secret, mackey, mackeylen);
77
78 return OSSL_RECORD_RETURN_SUCCESS;
79 }
80
81 /*
82 * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal
83 * on internal error, but not otherwise. It is the responsibility of the caller
84 * to report a bad_record_mac
85 *
86 * Returns:
87 * 0: if the record is publicly invalid, or an internal error
88 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
89 */
90 static int ssl3_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *inrecs,
91 size_t n_recs, int sending, SSL_MAC_BUF *mac,
92 size_t macsize)
93 {
94 TLS_RL_RECORD *rec;
95 EVP_CIPHER_CTX *ds;
96 size_t l, i;
97 size_t bs;
98 const EVP_CIPHER *enc;
99 int provided;
100
101 rec = inrecs;
102 /*
103 * We shouldn't ever be called with more than one record in the SSLv3 case
104 */
105 if (n_recs != 1)
106 return 0;
107
108 ds = rl->enc_ctx;
109 if (ds == NULL || (enc = EVP_CIPHER_CTX_get0_cipher(ds)) == NULL)
110 return 0;
111
112 provided = (EVP_CIPHER_get0_provider(enc) != NULL);
113
114 l = rec->length;
115 bs = EVP_CIPHER_CTX_get_block_size(ds);
116
117 /* COMPRESS */
118
119 if ((bs != 1) && sending && !provided) {
120 /*
121 * We only do this for legacy ciphers. Provided ciphers add the
122 * padding on the provider side.
123 */
124 i = bs - (l % bs);
125
126 /* we need to add 'i-1' padding bytes */
127 l += i;
128 /*
129 * the last of these zero bytes will be overwritten with the
130 * padding length.
131 */
132 memset(&rec->input[rec->length], 0, i);
133 rec->length += i;
134 rec->input[l - 1] = (unsigned char)(i - 1);
135 }
136
137 if (!sending) {
138 if (l == 0 || l % bs != 0) {
139 /* Publicly invalid */
140 return 0;
141 }
142 /* otherwise, rec->length >= bs */
143 }
144
145 if (provided) {
146 int outlen;
147
148 if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input,
149 (unsigned int)l))
150 return 0;
151 rec->length = outlen;
152
153 if (!sending && mac != NULL) {
154 /* Now get a pointer to the MAC */
155 OSSL_PARAM params[2], *p = params;
156
157 /* Get the MAC */
158 mac->alloced = 0;
159
160 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
161 (void **)&mac->mac,
162 macsize);
163 *p = OSSL_PARAM_construct_end();
164
165 if (!EVP_CIPHER_CTX_get_params(ds, params)) {
166 /* Shouldn't normally happen */
167 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
168 return 0;
169 }
170 }
171 } else {
172 if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) {
173 /* Shouldn't happen */
174 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR);
175 return 0;
176 }
177
178 if (!sending)
179 return ssl3_cbc_remove_padding_and_mac(&rec->length,
180 rec->orig_len,
181 rec->data,
182 (mac != NULL) ? &mac->mac : NULL,
183 (mac != NULL) ? &mac->alloced : NULL,
184 bs,
185 macsize,
186 rl->libctx);
187 }
188
189 return 1;
190 }
191
192 static const unsigned char ssl3_pad_1[48] = {
193 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
194 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
195 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
196 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
197 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
198 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
199 };
200
201 static const unsigned char ssl3_pad_2[48] = {
202 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
203 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
204 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
205 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
206 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
207 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
208 };
209
210 static int ssl3_mac(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec, unsigned char *md,
211 int sending)
212 {
213 unsigned char *mac_sec, *seq = rl->sequence;
214 const EVP_MD_CTX *hash;
215 unsigned char *p, rec_char;
216 size_t md_size;
217 size_t npad;
218 int t;
219
220 mac_sec = &(rl->mac_secret[0]);
221 hash = rl->md_ctx;
222
223 t = EVP_MD_CTX_get_size(hash);
224 if (t < 0)
225 return 0;
226 md_size = t;
227 npad = (48 / md_size) * md_size;
228
229 if (!sending
230 && EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE
231 && ssl3_cbc_record_digest_supported(hash)) {
232 #ifdef OPENSSL_NO_DEPRECATED_3_0
233 return 0;
234 #else
235 /*
236 * This is a CBC-encrypted record. We must avoid leaking any
237 * timing-side channel information about how many blocks of data we
238 * are hashing because that gives an attacker a timing-oracle.
239 */
240
241 /*-
242 * npad is, at most, 48 bytes and that's with MD5:
243 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
244 *
245 * With SHA-1 (the largest hash speced for SSLv3) the hash size
246 * goes up 4, but npad goes down by 8, resulting in a smaller
247 * total size.
248 */
249 unsigned char header[75];
250 size_t j = 0;
251 memcpy(header + j, mac_sec, md_size);
252 j += md_size;
253 memcpy(header + j, ssl3_pad_1, npad);
254 j += npad;
255 memcpy(header + j, seq, 8);
256 j += 8;
257 header[j++] = rec->type;
258 header[j++] = (unsigned char)(rec->length >> 8);
259 header[j++] = (unsigned char)(rec->length & 0xff);
260
261 /* Final param == is SSLv3 */
262 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash),
263 md, &md_size,
264 header, rec->input,
265 rec->length, rec->orig_len,
266 mac_sec, md_size, 1) <= 0)
267 return 0;
268 #endif
269 } else {
270 unsigned int md_size_u;
271 /* Chop the digest off the end :-) */
272 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
273
274 if (md_ctx == NULL)
275 return 0;
276
277 rec_char = rec->type;
278 p = md;
279 s2n(rec->length, p);
280 if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
281 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
282 || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
283 || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
284 || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
285 || EVP_DigestUpdate(md_ctx, md, 2) <= 0
286 || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
287 || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
288 || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
289 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
290 || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
291 || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
292 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
293 EVP_MD_CTX_free(md_ctx);
294 return 0;
295 }
296
297 EVP_MD_CTX_free(md_ctx);
298 }
299
300 if (!tls_increment_sequence_ctr(rl))
301 return 0;
302
303 return 1;
304 }
305
306 struct record_functions_st ssl_3_0_funcs = {
307 ssl3_set_crypto_state,
308 ssl3_cipher,
309 ssl3_mac,
310 tls_default_set_protocol_version,
311 tls_default_read_n,
312 tls_get_more_records,
313 tls_default_validate_record_header,
314 tls_default_post_process_record,
315 tls_get_max_records_default,
316 tls_write_records_default,
317 /* These 2 functions are defined in tls1_meth.c */
318 tls1_allocate_write_buffers,
319 tls1_initialise_write_packets,
320 NULL,
321 tls_prepare_record_header_default,
322 NULL,
323 tls_prepare_for_encryption_default,
324 tls_post_encryption_processing_default,
325 NULL
326 };
A mirror of the official openssl repository