ssl3_meth.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334
  1. /*
  2. * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/evp.h>
  10. #include <openssl/core_names.h>
  11. #include "internal/ssl3_cbc.h"
  12. #include "../../ssl_local.h"
  13. #include "../record_local.h"
  14. #include "recmethod_local.h"
  15. static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
  16. unsigned char *key, size_t keylen,
  17. unsigned char *iv, size_t ivlen,
  18. unsigned char *mackey, size_t mackeylen,
  19. const EVP_CIPHER *ciph,
  20. size_t taglen,
  21. int mactype,
  22. const EVP_MD *md,
  23. COMP_METHOD *comp)
  24. {
  25. EVP_CIPHER_CTX *ciph_ctx;
  26. int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0;
  27. if (md == NULL) {
  28. ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
  29. return OSSL_RECORD_RETURN_FATAL;
  30. }
  31. if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) {
  32. ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
  33. return OSSL_RECORD_RETURN_FATAL;
  34. }
  35. ciph_ctx = rl->enc_ctx;
  36. rl->md_ctx = EVP_MD_CTX_new();
  37. if (rl->md_ctx == NULL) {
  38. ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
  39. return OSSL_RECORD_RETURN_FATAL;
  40. }
  41. if ((md != NULL && EVP_DigestInit_ex(rl->md_ctx, md, NULL) <= 0)) {
  42. ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
  43. return OSSL_RECORD_RETURN_FATAL;
  44. }
  45. #ifndef OPENSSL_NO_COMP
  46. if (comp != NULL) {
  47. rl->compctx = COMP_CTX_new(comp);
  48. if (rl->compctx == NULL) {
  49. ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
  50. return OSSL_RECORD_RETURN_FATAL;
  51. }
  52. }
  53. #endif
  54. if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, iv, enc)) {
  55. ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
  56. return OSSL_RECORD_RETURN_FATAL;
  57. }
  58. /*
  59. * The cipher we actually ended up using in the EVP_CIPHER_CTX may be
  60. * different to that in ciph if we have an ENGINE in use
  61. */
  62. if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(ciph_ctx)) != NULL
  63. && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) {
  64. /* ERR_raise already called */
  65. return OSSL_RECORD_RETURN_FATAL;
  66. }
  67. if (mackeylen > sizeof(rl->mac_secret)) {
  68. ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
  69. return OSSL_RECORD_RETURN_FATAL;
  70. }
  71. memcpy(rl->mac_secret, mackey, mackeylen);
  72. return OSSL_RECORD_RETURN_SUCCESS;
  73. }
  74. /*
  75. * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal
  76. * on internal error, but not otherwise. It is the responsibility of the caller
  77. * to report a bad_record_mac
  78. *
  79. * Returns:
  80. * 0: if the record is publicly invalid, or an internal error
  81. * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
  82. */
  83. static int ssl3_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *inrecs,
  84. size_t n_recs, int sending, SSL_MAC_BUF *mac,
  85. size_t macsize)
  86. {
  87. TLS_RL_RECORD *rec;
  88. EVP_CIPHER_CTX *ds;
  89. size_t l, i;
  90. size_t bs;
  91. const EVP_CIPHER *enc;
  92. int provided;
  93. rec = inrecs;
  94. /*
  95. * We shouldn't ever be called with more than one record in the SSLv3 case
  96. */
  97. if (n_recs != 1)
  98. return 0;
  99. ds = rl->enc_ctx;
  100. if (ds == NULL || (enc = EVP_CIPHER_CTX_get0_cipher(ds)) == NULL)
  101. return 0;
  102. provided = (EVP_CIPHER_get0_provider(enc) != NULL);
  103. l = rec->length;
  104. bs = EVP_CIPHER_CTX_get_block_size(ds);
  105. if (bs == 0)
  106. return 0;
  107. /* COMPRESS */
  108. if ((bs != 1) && sending && !provided) {
  109. /*
  110. * We only do this for legacy ciphers. Provided ciphers add the
  111. * padding on the provider side.
  112. */
  113. i = bs - (l % bs);
  114. /* we need to add 'i-1' padding bytes */
  115. l += i;
  116. /*
  117. * the last of these zero bytes will be overwritten with the
  118. * padding length.
  119. */
  120. memset(&rec->input[rec->length], 0, i);
  121. rec->length += i;
  122. rec->input[l - 1] = (unsigned char)(i - 1);
  123. }
  124. if (!sending) {
  125. if (l == 0 || l % bs != 0) {
  126. /* Publicly invalid */
  127. return 0;
  128. }
  129. /* otherwise, rec->length >= bs */
  130. }
  131. if (provided) {
  132. int outlen;
  133. if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input,
  134. (unsigned int)l))
  135. return 0;
  136. rec->length = outlen;
  137. if (!sending && mac != NULL) {
  138. /* Now get a pointer to the MAC */
  139. OSSL_PARAM params[2], *p = params;
  140. /* Get the MAC */
  141. mac->alloced = 0;
  142. *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
  143. (void **)&mac->mac,
  144. macsize);
  145. *p = OSSL_PARAM_construct_end();
  146. if (!EVP_CIPHER_CTX_get_params(ds, params)) {
  147. /* Shouldn't normally happen */
  148. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  149. return 0;
  150. }
  151. }
  152. } else {
  153. if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) {
  154. /* Shouldn't happen */
  155. RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR);
  156. return 0;
  157. }
  158. if (!sending)
  159. return ssl3_cbc_remove_padding_and_mac(&rec->length,
  160. rec->orig_len,
  161. rec->data,
  162. (mac != NULL) ? &mac->mac : NULL,
  163. (mac != NULL) ? &mac->alloced : NULL,
  164. bs,
  165. macsize,
  166. rl->libctx);
  167. }
  168. return 1;
  169. }
  170. static const unsigned char ssl3_pad_1[48] = {
  171. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  172. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  173. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  174. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  175. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  176. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
  177. };
  178. static const unsigned char ssl3_pad_2[48] = {
  179. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  180. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  181. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  182. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  183. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  184. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
  185. };
  186. static int ssl3_mac(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec, unsigned char *md,
  187. int sending)
  188. {
  189. unsigned char *mac_sec, *seq = rl->sequence;
  190. const EVP_MD_CTX *hash;
  191. unsigned char *p, rec_char;
  192. size_t md_size;
  193. size_t npad;
  194. int t;
  195. mac_sec = &(rl->mac_secret[0]);
  196. hash = rl->md_ctx;
  197. t = EVP_MD_CTX_get_size(hash);
  198. if (t <= 0)
  199. return 0;
  200. md_size = t;
  201. npad = (48 / md_size) * md_size;
  202. if (!sending
  203. && EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE
  204. && ssl3_cbc_record_digest_supported(hash)) {
  205. #ifdef OPENSSL_NO_DEPRECATED_3_0
  206. return 0;
  207. #else
  208. /*
  209. * This is a CBC-encrypted record. We must avoid leaking any
  210. * timing-side channel information about how many blocks of data we
  211. * are hashing because that gives an attacker a timing-oracle.
  212. */
  213. /*-
  214. * npad is, at most, 48 bytes and that's with MD5:
  215. * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
  216. *
  217. * With SHA-1 (the largest hash speced for SSLv3) the hash size
  218. * goes up 4, but npad goes down by 8, resulting in a smaller
  219. * total size.
  220. */
  221. unsigned char header[75];
  222. size_t j = 0;
  223. memcpy(header + j, mac_sec, md_size);
  224. j += md_size;
  225. memcpy(header + j, ssl3_pad_1, npad);
  226. j += npad;
  227. memcpy(header + j, seq, 8);
  228. j += 8;
  229. header[j++] = rec->type;
  230. header[j++] = (unsigned char)(rec->length >> 8);
  231. header[j++] = (unsigned char)(rec->length & 0xff);
  232. /* Final param == is SSLv3 */
  233. if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash),
  234. md, &md_size,
  235. header, rec->input,
  236. rec->length, rec->orig_len,
  237. mac_sec, md_size, 1) <= 0)
  238. return 0;
  239. #endif
  240. } else {
  241. unsigned int md_size_u;
  242. /* Chop the digest off the end :-) */
  243. EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
  244. if (md_ctx == NULL)
  245. return 0;
  246. rec_char = rec->type;
  247. p = md;
  248. s2n(rec->length, p);
  249. if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
  250. || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
  251. || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
  252. || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
  253. || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
  254. || EVP_DigestUpdate(md_ctx, md, 2) <= 0
  255. || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
  256. || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
  257. || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
  258. || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
  259. || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
  260. || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
  261. || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
  262. EVP_MD_CTX_free(md_ctx);
  263. return 0;
  264. }
  265. EVP_MD_CTX_free(md_ctx);
  266. }
  267. if (!tls_increment_sequence_ctr(rl))
  268. return 0;
  269. return 1;
  270. }
  271. const struct record_functions_st ssl_3_0_funcs = {
  272. ssl3_set_crypto_state,
  273. ssl3_cipher,
  274. ssl3_mac,
  275. tls_default_set_protocol_version,
  276. tls_default_read_n,
  277. tls_get_more_records,
  278. tls_default_validate_record_header,
  279. tls_default_post_process_record,
  280. tls_get_max_records_default,
  281. tls_write_records_default,
  282. /* These 2 functions are defined in tls1_meth.c */
  283. tls1_allocate_write_buffers,
  284. tls1_initialise_write_packets,
  285. NULL,
  286. tls_prepare_record_header_default,
  287. NULL,
  288. tls_prepare_for_encryption_default,
  289. tls_post_encryption_processing_default,
  290. NULL
  291. };