2
0

tls_pad.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325
  1. /*
  2. * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/rand.h>
  10. #include <openssl/evp.h>
  11. #include "internal/constant_time.h"
  12. #include "internal/cryptlib.h"
  13. /*
  14. * This file has no dependencies on the rest of libssl because it is shared
  15. * with the providers. It contains functions for low level CBC TLS padding
  16. * removal. Responsibility for this lies with the cipher implementations in the
  17. * providers. However there are legacy code paths in libssl which also need to
  18. * do this. In time those legacy code paths can be removed and this file can be
  19. * moved out of libssl.
  20. */
  21. static int ssl3_cbc_copy_mac(size_t *reclen,
  22. size_t origreclen,
  23. unsigned char *recdata,
  24. unsigned char **mac,
  25. int *alloced,
  26. size_t block_size,
  27. size_t mac_size,
  28. size_t good,
  29. OSSL_LIB_CTX *libctx);
  30. int ssl3_cbc_remove_padding_and_mac(size_t *reclen,
  31. size_t origreclen,
  32. unsigned char *recdata,
  33. unsigned char **mac,
  34. int *alloced,
  35. size_t block_size, size_t mac_size,
  36. OSSL_LIB_CTX *libctx);
  37. int tls1_cbc_remove_padding_and_mac(size_t *reclen,
  38. size_t origreclen,
  39. unsigned char *recdata,
  40. unsigned char **mac,
  41. int *alloced,
  42. size_t block_size, size_t mac_size,
  43. int aead,
  44. OSSL_LIB_CTX *libctx);
  45. /*-
  46. * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
  47. * record in |recdata| by updating |reclen| in constant time. It also extracts
  48. * the MAC from the underlying record and places a pointer to it in |mac|. The
  49. * MAC data can either be newly allocated memory, or a pointer inside the
  50. * |recdata| buffer. If allocated then |*alloced| is set to 1, otherwise it is
  51. * set to 0.
  52. *
  53. * origreclen: the original record length before any changes were made
  54. * block_size: the block size of the cipher used to encrypt the record.
  55. * mac_size: the size of the MAC to be extracted
  56. * aead: 1 if an AEAD cipher is in use, or 0 otherwise
  57. * returns:
  58. * 0: if the record is publicly invalid.
  59. * 1: if the record is publicly valid. If the padding removal fails then the
  60. * MAC returned is random.
  61. */
  62. int ssl3_cbc_remove_padding_and_mac(size_t *reclen,
  63. size_t origreclen,
  64. unsigned char *recdata,
  65. unsigned char **mac,
  66. int *alloced,
  67. size_t block_size, size_t mac_size,
  68. OSSL_LIB_CTX *libctx)
  69. {
  70. size_t padding_length;
  71. size_t good;
  72. const size_t overhead = 1 /* padding length byte */ + mac_size;
  73. /*
  74. * These lengths are all public so we can test them in non-constant time.
  75. */
  76. if (overhead > *reclen)
  77. return 0;
  78. padding_length = recdata[*reclen - 1];
  79. good = constant_time_ge_s(*reclen, padding_length + overhead);
  80. /* SSLv3 requires that the padding is minimal. */
  81. good &= constant_time_ge_s(block_size, padding_length + 1);
  82. *reclen -= good & (padding_length + 1);
  83. return ssl3_cbc_copy_mac(reclen, origreclen, recdata, mac, alloced,
  84. block_size, mac_size, good, libctx);
  85. }
  86. /*-
  87. * tls1_cbc_remove_padding_and_mac removes padding from the decrypted, TLS, CBC
  88. * record in |recdata| by updating |reclen| in constant time. It also extracts
  89. * the MAC from the underlying record and places a pointer to it in |mac|. The
  90. * MAC data can either be newly allocated memory, or a pointer inside the
  91. * |recdata| buffer. If allocated then |*alloced| is set to 1, otherwise it is
  92. * set to 0.
  93. *
  94. * origreclen: the original record length before any changes were made
  95. * block_size: the block size of the cipher used to encrypt the record.
  96. * mac_size: the size of the MAC to be extracted
  97. * aead: 1 if an AEAD cipher is in use, or 0 otherwise
  98. * returns:
  99. * 0: if the record is publicly invalid.
  100. * 1: if the record is publicly valid. If the padding removal fails then the
  101. * MAC returned is random.
  102. */
  103. int tls1_cbc_remove_padding_and_mac(size_t *reclen,
  104. size_t origreclen,
  105. unsigned char *recdata,
  106. unsigned char **mac,
  107. int *alloced,
  108. size_t block_size, size_t mac_size,
  109. int aead,
  110. OSSL_LIB_CTX *libctx)
  111. {
  112. size_t good = -1;
  113. size_t padding_length, to_check, i;
  114. size_t overhead = ((block_size == 1) ? 0 : 1) /* padding length byte */
  115. + mac_size;
  116. /*
  117. * These lengths are all public so we can test them in non-constant
  118. * time.
  119. */
  120. if (overhead > *reclen)
  121. return 0;
  122. if (block_size != 1) {
  123. padding_length = recdata[*reclen - 1];
  124. if (aead) {
  125. /* padding is already verified and we don't need to check the MAC */
  126. *reclen -= padding_length + 1 + mac_size;
  127. return 1;
  128. }
  129. good = constant_time_ge_s(*reclen, overhead + padding_length);
  130. /*
  131. * The padding consists of a length byte at the end of the record and
  132. * then that many bytes of padding, all with the same value as the
  133. * length byte. Thus, with the length byte included, there are i+1 bytes
  134. * of padding. We can't check just |padding_length+1| bytes because that
  135. * leaks decrypted information. Therefore we always have to check the
  136. * maximum amount of padding possible. (Again, the length of the record
  137. * is public information so we can use it.)
  138. */
  139. to_check = 256; /* maximum amount of padding, inc length byte. */
  140. if (to_check > *reclen)
  141. to_check = *reclen;
  142. for (i = 0; i < to_check; i++) {
  143. unsigned char mask = constant_time_ge_8_s(padding_length, i);
  144. unsigned char b = recdata[*reclen - 1 - i];
  145. /*
  146. * The final |padding_length+1| bytes should all have the value
  147. * |padding_length|. Therefore the XOR should be zero.
  148. */
  149. good &= ~(mask & (padding_length ^ b));
  150. }
  151. /*
  152. * If any of the final |padding_length+1| bytes had the wrong value, one
  153. * or more of the lower eight bits of |good| will be cleared.
  154. */
  155. good = constant_time_eq_s(0xff, good & 0xff);
  156. *reclen -= good & (padding_length + 1);
  157. }
  158. return ssl3_cbc_copy_mac(reclen, origreclen, recdata, mac, alloced,
  159. block_size, mac_size, good, libctx);
  160. }
  161. /*-
  162. * ssl3_cbc_copy_mac copies |md_size| bytes from the end of the record in
  163. * |recdata| to |*mac| in constant time (independent of the concrete value of
  164. * the record length |reclen|, which may vary within a 256-byte window).
  165. *
  166. * On entry:
  167. * origreclen >= mac_size
  168. * mac_size <= EVP_MAX_MD_SIZE
  169. *
  170. * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
  171. * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
  172. * a single or pair of cache-lines, then the variable memory accesses don't
  173. * actually affect the timing. CPUs with smaller cache-lines [if any] are
  174. * not multi-core and are not considered vulnerable to cache-timing attacks.
  175. */
  176. #define CBC_MAC_ROTATE_IN_PLACE
  177. static int ssl3_cbc_copy_mac(size_t *reclen,
  178. size_t origreclen,
  179. unsigned char *recdata,
  180. unsigned char **mac,
  181. int *alloced,
  182. size_t block_size,
  183. size_t mac_size,
  184. size_t good,
  185. OSSL_LIB_CTX *libctx)
  186. {
  187. #if defined(CBC_MAC_ROTATE_IN_PLACE)
  188. unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
  189. unsigned char *rotated_mac;
  190. char aux1, aux2, aux3, mask;
  191. #else
  192. unsigned char rotated_mac[EVP_MAX_MD_SIZE];
  193. #endif
  194. unsigned char randmac[EVP_MAX_MD_SIZE];
  195. unsigned char *out;
  196. /*
  197. * mac_end is the index of |recdata| just after the end of the MAC.
  198. */
  199. size_t mac_end = *reclen;
  200. size_t mac_start = mac_end - mac_size;
  201. size_t in_mac;
  202. /*
  203. * scan_start contains the number of bytes that we can ignore because the
  204. * MAC's position can only vary by 255 bytes.
  205. */
  206. size_t scan_start = 0;
  207. size_t i, j;
  208. size_t rotate_offset;
  209. if (!ossl_assert(origreclen >= mac_size
  210. && mac_size <= EVP_MAX_MD_SIZE))
  211. return 0;
  212. /* If no MAC then nothing to be done */
  213. if (mac_size == 0) {
  214. /* No MAC so we can do this in non-constant time */
  215. if (good == 0)
  216. return 0;
  217. return 1;
  218. }
  219. *reclen -= mac_size;
  220. if (block_size == 1) {
  221. /* There's no padding so the position of the MAC is fixed */
  222. if (mac != NULL)
  223. *mac = &recdata[*reclen];
  224. if (alloced != NULL)
  225. *alloced = 0;
  226. return 1;
  227. }
  228. /* Create the random MAC we will emit if padding is bad */
  229. if (RAND_bytes_ex(libctx, randmac, mac_size, 0) <= 0)
  230. return 0;
  231. if (!ossl_assert(mac != NULL && alloced != NULL))
  232. return 0;
  233. *mac = out = OPENSSL_malloc(mac_size);
  234. if (*mac == NULL)
  235. return 0;
  236. *alloced = 1;
  237. #if defined(CBC_MAC_ROTATE_IN_PLACE)
  238. rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
  239. #endif
  240. /* This information is public so it's safe to branch based on it. */
  241. if (origreclen > mac_size + 255 + 1)
  242. scan_start = origreclen - (mac_size + 255 + 1);
  243. in_mac = 0;
  244. rotate_offset = 0;
  245. memset(rotated_mac, 0, mac_size);
  246. for (i = scan_start, j = 0; i < origreclen; i++) {
  247. size_t mac_started = constant_time_eq_s(i, mac_start);
  248. size_t mac_ended = constant_time_lt_s(i, mac_end);
  249. unsigned char b = recdata[i];
  250. in_mac |= mac_started;
  251. in_mac &= mac_ended;
  252. rotate_offset |= j & mac_started;
  253. rotated_mac[j++] |= b & in_mac;
  254. j &= constant_time_lt_s(j, mac_size);
  255. }
  256. /* Now rotate the MAC */
  257. #if defined(CBC_MAC_ROTATE_IN_PLACE)
  258. j = 0;
  259. for (i = 0; i < mac_size; i++) {
  260. /*
  261. * in case cache-line is 32 bytes,
  262. * load from both lines and select appropriately
  263. */
  264. aux1 = rotated_mac[rotate_offset & ~32];
  265. aux2 = rotated_mac[rotate_offset | 32];
  266. mask = constant_time_eq_8(rotate_offset & ~32, rotate_offset);
  267. aux3 = constant_time_select_8(mask, aux1, aux2);
  268. rotate_offset++;
  269. /* If the padding wasn't good we emit a random MAC */
  270. out[j++] = constant_time_select_8((unsigned char)(good & 0xff),
  271. aux3,
  272. randmac[i]);
  273. rotate_offset &= constant_time_lt_s(rotate_offset, mac_size);
  274. }
  275. #else
  276. memset(out, 0, mac_size);
  277. rotate_offset = mac_size - rotate_offset;
  278. rotate_offset &= constant_time_lt_s(rotate_offset, mac_size);
  279. for (i = 0; i < mac_size; i++) {
  280. for (j = 0; j < mac_size; j++)
  281. out[j] |= rotated_mac[i] & constant_time_eq_8_s(j, rotate_offset);
  282. rotate_offset++;
  283. rotate_offset &= constant_time_lt_s(rotate_offset, mac_size);
  284. /* If the padding wasn't good we emit a random MAC */
  285. out[i] = constant_time_select_8((unsigned char)(good & 0xff), out[i],
  286. randmac[i]);
  287. }
  288. #endif
  289. return 1;
  290. }