ciphercommon_block.c 5.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173
  1. /*
  2. * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <assert.h>
  10. /* For SSL3_VERSION, TLS1_VERSION etc */
  11. #include <openssl/prov_ssl.h>
  12. #include <openssl/rand.h>
  13. #include <openssl/proverr.h>
  14. #include "internal/constant_time.h"
  15. #include "internal/ssl3_cbc.h"
  16. #include "ciphercommon_local.h"
  17. /*
  18. * Fills a single block of buffered data from the input, and returns the amount
  19. * of data remaining in the input that is a multiple of the blocksize. The buffer
  20. * is only filled if it already has some data in it, isn't full already or we
  21. * don't have at least one block in the input.
  22. *
  23. * buf: a buffer of blocksize bytes
  24. * buflen: contains the amount of data already in buf on entry. Updated with the
  25. * amount of data in buf at the end. On entry *buflen must always be
  26. * less than the blocksize
  27. * blocksize: size of a block. Must be greater than 0 and a power of 2
  28. * in: pointer to a pointer containing the input data
  29. * inlen: amount of input data available
  30. *
  31. * On return buf is filled with as much data as possible up to a full block,
  32. * *buflen is updated containing the amount of data in buf. *in is updated to
  33. * the new location where input data should be read from, *inlen is updated with
  34. * the remaining amount of data in *in. Returns the largest value <= *inlen
  35. * which is a multiple of the blocksize.
  36. */
  37. size_t ossl_cipher_fillblock(unsigned char *buf, size_t *buflen,
  38. size_t blocksize,
  39. const unsigned char **in, size_t *inlen)
  40. {
  41. size_t blockmask = ~(blocksize - 1);
  42. size_t bufremain = blocksize - *buflen;
  43. assert(*buflen <= blocksize);
  44. assert(blocksize > 0 && (blocksize & (blocksize - 1)) == 0);
  45. if (*inlen < bufremain)
  46. bufremain = *inlen;
  47. memcpy(buf + *buflen, *in, bufremain);
  48. *in += bufremain;
  49. *inlen -= bufremain;
  50. *buflen += bufremain;
  51. return *inlen & blockmask;
  52. }
  53. /*
  54. * Fills the buffer with trailing data from an encryption/decryption that didn't
  55. * fit into a full block.
  56. */
  57. int ossl_cipher_trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
  58. const unsigned char **in, size_t *inlen)
  59. {
  60. if (*inlen == 0)
  61. return 1;
  62. if (*buflen + *inlen > blocksize) {
  63. ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
  64. return 0;
  65. }
  66. memcpy(buf + *buflen, *in, *inlen);
  67. *buflen += *inlen;
  68. *inlen = 0;
  69. return 1;
  70. }
  71. /* Pad the final block for encryption */
  72. void ossl_cipher_padblock(unsigned char *buf, size_t *buflen, size_t blocksize)
  73. {
  74. size_t i;
  75. unsigned char pad = (unsigned char)(blocksize - *buflen);
  76. for (i = *buflen; i < blocksize; i++)
  77. buf[i] = pad;
  78. }
  79. int ossl_cipher_unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize)
  80. {
  81. size_t pad, i;
  82. size_t len = *buflen;
  83. if (len != blocksize) {
  84. ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
  85. return 0;
  86. }
  87. /*
  88. * The following assumes that the ciphertext has been authenticated.
  89. * Otherwise it provides a padding oracle.
  90. */
  91. pad = buf[blocksize - 1];
  92. if (pad == 0 || pad > blocksize) {
  93. ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
  94. return 0;
  95. }
  96. for (i = 0; i < pad; i++) {
  97. if (buf[--len] != pad) {
  98. ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
  99. return 0;
  100. }
  101. }
  102. *buflen = len;
  103. return 1;
  104. }
  105. /*-
  106. * ossl_cipher_tlsunpadblock removes the CBC padding from the decrypted, TLS, CBC
  107. * record in constant time. Also removes the MAC from the record in constant
  108. * time.
  109. *
  110. * libctx: Our library context
  111. * tlsversion: The TLS version in use, e.g. SSL3_VERSION, TLS1_VERSION, etc
  112. * buf: The decrypted TLS record data
  113. * buflen: The length of the decrypted TLS record data. Updated with the new
  114. * length after the padding is removed
  115. * block_size: the block size of the cipher used to encrypt the record.
  116. * mac: Location to store the pointer to the MAC
  117. * alloced: Whether the MAC is stored in a newly allocated buffer, or whether
  118. * *mac points into *buf
  119. * macsize: the size of the MAC inside the record (or 0 if there isn't one)
  120. * aead: whether this is an aead cipher
  121. * returns:
  122. * 0: (in non-constant time) if the record is publicly invalid.
  123. * 1: (in constant time) Record is publicly valid. If padding is invalid then
  124. * the mac is random
  125. */
  126. int ossl_cipher_tlsunpadblock(OSSL_LIB_CTX *libctx, unsigned int tlsversion,
  127. unsigned char *buf, size_t *buflen,
  128. size_t blocksize,
  129. unsigned char **mac, int *alloced, size_t macsize,
  130. int aead)
  131. {
  132. int ret;
  133. switch (tlsversion) {
  134. case SSL3_VERSION:
  135. return ssl3_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
  136. alloced, blocksize, macsize,
  137. libctx);
  138. case TLS1_2_VERSION:
  139. case DTLS1_2_VERSION:
  140. case TLS1_1_VERSION:
  141. case DTLS1_VERSION:
  142. case DTLS1_BAD_VER:
  143. /* Remove the explicit IV */
  144. buf += blocksize;
  145. *buflen -= blocksize;
  146. /* Fall through */
  147. case TLS1_VERSION:
  148. ret = tls1_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
  149. alloced, blocksize, macsize,
  150. aead, libctx);
  151. return ret;
  152. default:
  153. return 0;
  154. }
  155. }