tls_pad.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319
  1. /*
  2. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/rand.h>
  10. #include <openssl/evp.h>
  11. #include "internal/constant_time.h"
  12. #include "internal/cryptlib.h"
  13. /*
  14. * This file has no dependencies on the rest of libssl because it is shared
  15. * with the providers. It contains functions for low level CBC TLS padding
  16. * removal. Responsibility for this lies with the cipher implementations in the
  17. * providers. However there are legacy code paths in libssl which also need to
  18. * do this. In time those legacy code paths can be removed and this file can be
  19. * moved out of libssl.
  20. */
  21. static int ssl3_cbc_copy_mac(size_t *reclen,
  22. size_t origreclen,
  23. unsigned char *recdata,
  24. unsigned char **mac,
  25. int *alloced,
  26. size_t block_size,
  27. size_t mac_size,
  28. size_t good,
  29. OSSL_LIB_CTX *libctx);
  30. int ssl3_cbc_remove_padding_and_mac(size_t *reclen,
  31. size_t origreclen,
  32. unsigned char *recdata,
  33. unsigned char **mac,
  34. int *alloced,
  35. size_t block_size, size_t mac_size,
  36. OSSL_LIB_CTX *libctx);
  37. int tls1_cbc_remove_padding_and_mac(size_t *reclen,
  38. size_t origreclen,
  39. unsigned char *recdata,
  40. unsigned char **mac,
  41. int *alloced,
  42. size_t block_size, size_t mac_size,
  43. int aead,
  44. OSSL_LIB_CTX *libctx);
  45. /*-
  46. * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
  47. * record in |recdata| by updating |reclen| in constant time. It also extracts
  48. * the MAC from the underlying record and places a pointer to it in |mac|. The
  49. * MAC data can either be newly allocated memory, or a pointer inside the
  50. * |recdata| buffer. If allocated then |*alloced| is set to 1, otherwise it is
  51. * set to 0.
  52. *
  53. * origreclen: the original record length before any changes were made
  54. * block_size: the block size of the cipher used to encrypt the record.
  55. * mac_size: the size of the MAC to be extracted
  56. * aead: 1 if an AEAD cipher is in use, or 0 otherwise
  57. * returns:
  58. * 0: if the record is publicly invalid.
  59. * 1: if the record is publicly valid. If the padding removal fails then the
  60. * MAC returned is random.
  61. */
  62. int ssl3_cbc_remove_padding_and_mac(size_t *reclen,
  63. size_t origreclen,
  64. unsigned char *recdata,
  65. unsigned char **mac,
  66. int *alloced,
  67. size_t block_size, size_t mac_size,
  68. OSSL_LIB_CTX *libctx)
  69. {
  70. size_t padding_length;
  71. size_t good;
  72. const size_t overhead = 1 /* padding length byte */ + mac_size;
  73. /*
  74. * These lengths are all public so we can test them in non-constant time.
  75. */
  76. if (overhead > *reclen)
  77. return 0;
  78. padding_length = recdata[*reclen - 1];
  79. good = constant_time_ge_s(*reclen, padding_length + overhead);
  80. /* SSLv3 requires that the padding is minimal. */
  81. good &= constant_time_ge_s(block_size, padding_length + 1);
  82. *reclen -= good & (padding_length + 1);
  83. return ssl3_cbc_copy_mac(reclen, origreclen, recdata, mac, alloced,
  84. block_size, mac_size, good, libctx);
  85. }
  86. /*-
  87. * tls1_cbc_remove_padding_and_mac removes padding from the decrypted, TLS, CBC
  88. * record in |recdata| by updating |reclen| in constant time. It also extracts
  89. * the MAC from the underlying record and places a pointer to it in |mac|. The
  90. * MAC data can either be newly allocated memory, or a pointer inside the
  91. * |recdata| buffer. If allocated then |*alloced| is set to 1, otherwise it is
  92. * set to 0.
  93. *
  94. * origreclen: the original record length before any changes were made
  95. * block_size: the block size of the cipher used to encrypt the record.
  96. * mac_size: the size of the MAC to be extracted
  97. * aead: 1 if an AEAD cipher is in use, or 0 otherwise
  98. * returns:
  99. * 0: if the record is publicly invalid.
  100. * 1: if the record is publicly valid. If the padding removal fails then the
  101. * MAC returned is random.
  102. */
  103. int tls1_cbc_remove_padding_and_mac(size_t *reclen,
  104. size_t origreclen,
  105. unsigned char *recdata,
  106. unsigned char **mac,
  107. int *alloced,
  108. size_t block_size, size_t mac_size,
  109. int aead,
  110. OSSL_LIB_CTX *libctx)
  111. {
  112. size_t good = -1;
  113. size_t padding_length, to_check, i;
  114. size_t overhead = ((block_size == 1) ? 0 : 1) /* padding length byte */
  115. + mac_size;
  116. /*
  117. * These lengths are all public so we can test them in non-constant
  118. * time.
  119. */
  120. if (overhead > *reclen)
  121. return 0;
  122. if (block_size != 1) {
  123. padding_length = recdata[*reclen - 1];
  124. if (aead) {
  125. /* padding is already verified and we don't need to check the MAC */
  126. *reclen -= padding_length + 1 + mac_size;
  127. *mac = NULL;
  128. *alloced = 0;
  129. return 1;
  130. }
  131. good = constant_time_ge_s(*reclen, overhead + padding_length);
  132. /*
  133. * The padding consists of a length byte at the end of the record and
  134. * then that many bytes of padding, all with the same value as the
  135. * length byte. Thus, with the length byte included, there are i+1 bytes
  136. * of padding. We can't check just |padding_length+1| bytes because that
  137. * leaks decrypted information. Therefore we always have to check the
  138. * maximum amount of padding possible. (Again, the length of the record
  139. * is public information so we can use it.)
  140. */
  141. to_check = 256; /* maximum amount of padding, inc length byte. */
  142. if (to_check > *reclen)
  143. to_check = *reclen;
  144. for (i = 0; i < to_check; i++) {
  145. unsigned char mask = constant_time_ge_8_s(padding_length, i);
  146. unsigned char b = recdata[*reclen - 1 - i];
  147. /*
  148. * The final |padding_length+1| bytes should all have the value
  149. * |padding_length|. Therefore the XOR should be zero.
  150. */
  151. good &= ~(mask & (padding_length ^ b));
  152. }
  153. /*
  154. * If any of the final |padding_length+1| bytes had the wrong value, one
  155. * or more of the lower eight bits of |good| will be cleared.
  156. */
  157. good = constant_time_eq_s(0xff, good & 0xff);
  158. *reclen -= good & (padding_length + 1);
  159. }
  160. return ssl3_cbc_copy_mac(reclen, origreclen, recdata, mac, alloced,
  161. block_size, mac_size, good, libctx);
  162. }
  163. /*-
  164. * ssl3_cbc_copy_mac copies |md_size| bytes from the end of the record in
  165. * |recdata| to |*mac| in constant time (independent of the concrete value of
  166. * the record length |reclen|, which may vary within a 256-byte window).
  167. *
  168. * On entry:
  169. * origreclen >= mac_size
  170. * mac_size <= EVP_MAX_MD_SIZE
  171. *
  172. * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
  173. * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
  174. * a single or pair of cache-lines, then the variable memory accesses don't
  175. * actually affect the timing. CPUs with smaller cache-lines [if any] are
  176. * not multi-core and are not considered vulnerable to cache-timing attacks.
  177. */
  178. #define CBC_MAC_ROTATE_IN_PLACE
  179. static int ssl3_cbc_copy_mac(size_t *reclen,
  180. size_t origreclen,
  181. unsigned char *recdata,
  182. unsigned char **mac,
  183. int *alloced,
  184. size_t block_size,
  185. size_t mac_size,
  186. size_t good,
  187. OSSL_LIB_CTX *libctx)
  188. {
  189. #if defined(CBC_MAC_ROTATE_IN_PLACE)
  190. unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
  191. unsigned char *rotated_mac;
  192. #else
  193. unsigned char rotated_mac[EVP_MAX_MD_SIZE];
  194. #endif
  195. unsigned char randmac[EVP_MAX_MD_SIZE];
  196. unsigned char *out;
  197. /*
  198. * mac_end is the index of |recdata| just after the end of the MAC.
  199. */
  200. size_t mac_end = *reclen;
  201. size_t mac_start = mac_end - mac_size;
  202. size_t in_mac;
  203. /*
  204. * scan_start contains the number of bytes that we can ignore because the
  205. * MAC's position can only vary by 255 bytes.
  206. */
  207. size_t scan_start = 0;
  208. size_t i, j;
  209. size_t rotate_offset;
  210. if (!ossl_assert(origreclen >= mac_size
  211. && mac_size <= EVP_MAX_MD_SIZE))
  212. return 0;
  213. /* If no MAC then nothing to be done */
  214. if (mac_size == 0) {
  215. /* No MAC so we can do this in non-constant time */
  216. if (good == 0)
  217. return 0;
  218. return 1;
  219. }
  220. *reclen -= mac_size;
  221. if (block_size == 1) {
  222. /* There's no padding so the position of the MAC is fixed */
  223. if (mac != NULL)
  224. *mac = &recdata[*reclen];
  225. if (alloced != NULL)
  226. *alloced = 0;
  227. return 1;
  228. }
  229. /* Create the random MAC we will emit if padding is bad */
  230. if (!RAND_bytes_ex(libctx, randmac, mac_size, 0))
  231. return 0;
  232. if (!ossl_assert(mac != NULL && alloced != NULL))
  233. return 0;
  234. *mac = out = OPENSSL_malloc(mac_size);
  235. if (*mac == NULL)
  236. return 0;
  237. *alloced = 1;
  238. #if defined(CBC_MAC_ROTATE_IN_PLACE)
  239. rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
  240. #endif
  241. /* This information is public so it's safe to branch based on it. */
  242. if (origreclen > mac_size + 255 + 1)
  243. scan_start = origreclen - (mac_size + 255 + 1);
  244. in_mac = 0;
  245. rotate_offset = 0;
  246. memset(rotated_mac, 0, mac_size);
  247. for (i = scan_start, j = 0; i < origreclen; i++) {
  248. size_t mac_started = constant_time_eq_s(i, mac_start);
  249. size_t mac_ended = constant_time_lt_s(i, mac_end);
  250. unsigned char b = recdata[i];
  251. in_mac |= mac_started;
  252. in_mac &= mac_ended;
  253. rotate_offset |= j & mac_started;
  254. rotated_mac[j++] |= b & in_mac;
  255. j &= constant_time_lt_s(j, mac_size);
  256. }
  257. /* Now rotate the MAC */
  258. #if defined(CBC_MAC_ROTATE_IN_PLACE)
  259. j = 0;
  260. for (i = 0; i < mac_size; i++) {
  261. /* in case cache-line is 32 bytes, touch second line */
  262. ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
  263. /* If the padding wasn't good we emit a random MAC */
  264. out[j++] = constant_time_select_8((unsigned char)(good & 0xff),
  265. rotated_mac[rotate_offset++],
  266. randmac[i]);
  267. rotate_offset &= constant_time_lt_s(rotate_offset, mac_size);
  268. }
  269. #else
  270. memset(out, 0, mac_size);
  271. rotate_offset = mac_size - rotate_offset;
  272. rotate_offset &= constant_time_lt_s(rotate_offset, mac_size);
  273. for (i = 0; i < mac_size; i++) {
  274. for (j = 0; j < mac_size; j++)
  275. out[j] |= rotated_mac[i] & constant_time_eq_8_s(j, rotate_offset);
  276. rotate_offset++;
  277. rotate_offset &= constant_time_lt_s(rotate_offset, mac_size);
  278. /* If the padding wasn't good we emit a random MAC */
  279. out[i] = constant_time_select_8((unsigned char)(good & 0xff), out[i],
  280. randmac[i]);
  281. }
  282. #endif
  283. return 1;
  284. }