ciphercommon_block.c 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190
  1. /*
  2. * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <assert.h>
  10. /* For SSL3_VERSION, TLS1_VERSION etc */
  11. #include <openssl/ssl.h>
  12. #include <openssl/rand.h>
  13. #include <openssl/proverr.h>
  14. #include "internal/constant_time.h"
  15. #include "ciphercommon_local.h"
  16. /* Functions defined in ssl/tls_pad.c */
  17. int ssl3_cbc_remove_padding_and_mac(size_t *reclen,
  18. size_t origreclen,
  19. unsigned char *recdata,
  20. unsigned char **mac,
  21. int *alloced,
  22. size_t block_size, size_t mac_size,
  23. OSSL_LIB_CTX *libctx);
  24. int tls1_cbc_remove_padding_and_mac(size_t *reclen,
  25. size_t origreclen,
  26. unsigned char *recdata,
  27. unsigned char **mac,
  28. int *alloced,
  29. size_t block_size, size_t mac_size,
  30. int aead,
  31. OSSL_LIB_CTX *libctx);
  32. /*
  33. * Fills a single block of buffered data from the input, and returns the amount
  34. * of data remaining in the input that is a multiple of the blocksize. The buffer
  35. * is only filled if it already has some data in it, isn't full already or we
  36. * don't have at least one block in the input.
  37. *
  38. * buf: a buffer of blocksize bytes
  39. * buflen: contains the amount of data already in buf on entry. Updated with the
  40. * amount of data in buf at the end. On entry *buflen must always be
  41. * less than the blocksize
  42. * blocksize: size of a block. Must be greater than 0 and a power of 2
  43. * in: pointer to a pointer containing the input data
  44. * inlen: amount of input data available
  45. *
  46. * On return buf is filled with as much data as possible up to a full block,
  47. * *buflen is updated containing the amount of data in buf. *in is updated to
  48. * the new location where input data should be read from, *inlen is updated with
  49. * the remaining amount of data in *in. Returns the largest value <= *inlen
  50. * which is a multiple of the blocksize.
  51. */
  52. size_t ossl_cipher_fillblock(unsigned char *buf, size_t *buflen,
  53. size_t blocksize,
  54. const unsigned char **in, size_t *inlen)
  55. {
  56. size_t blockmask = ~(blocksize - 1);
  57. size_t bufremain = blocksize - *buflen;
  58. assert(*buflen <= blocksize);
  59. assert(blocksize > 0 && (blocksize & (blocksize - 1)) == 0);
  60. if (*inlen < bufremain)
  61. bufremain = *inlen;
  62. memcpy(buf + *buflen, *in, bufremain);
  63. *in += bufremain;
  64. *inlen -= bufremain;
  65. *buflen += bufremain;
  66. return *inlen & blockmask;
  67. }
  68. /*
  69. * Fills the buffer with trailing data from an encryption/decryption that didn't
  70. * fit into a full block.
  71. */
  72. int ossl_cipher_trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
  73. const unsigned char **in, size_t *inlen)
  74. {
  75. if (*inlen == 0)
  76. return 1;
  77. if (*buflen + *inlen > blocksize) {
  78. ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
  79. return 0;
  80. }
  81. memcpy(buf + *buflen, *in, *inlen);
  82. *buflen += *inlen;
  83. *inlen = 0;
  84. return 1;
  85. }
  86. /* Pad the final block for encryption */
  87. void ossl_cipher_padblock(unsigned char *buf, size_t *buflen, size_t blocksize)
  88. {
  89. size_t i;
  90. unsigned char pad = (unsigned char)(blocksize - *buflen);
  91. for (i = *buflen; i < blocksize; i++)
  92. buf[i] = pad;
  93. }
  94. int ossl_cipher_unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize)
  95. {
  96. size_t pad, i;
  97. size_t len = *buflen;
  98. if(len != blocksize) {
  99. ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
  100. return 0;
  101. }
  102. /*
  103. * The following assumes that the ciphertext has been authenticated.
  104. * Otherwise it provides a padding oracle.
  105. */
  106. pad = buf[blocksize - 1];
  107. if (pad == 0 || pad > blocksize) {
  108. ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
  109. return 0;
  110. }
  111. for (i = 0; i < pad; i++) {
  112. if (buf[--len] != pad) {
  113. ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
  114. return 0;
  115. }
  116. }
  117. *buflen = len;
  118. return 1;
  119. }
  120. /*-
  121. * ossl_cipher_tlsunpadblock removes the CBC padding from the decrypted, TLS, CBC
  122. * record in constant time. Also removes the MAC from the record in constant
  123. * time.
  124. *
  125. * libctx: Our library context
  126. * tlsversion: The TLS version in use, e.g. SSL3_VERSION, TLS1_VERSION, etc
  127. * buf: The decrypted TLS record data
  128. * buflen: The length of the decrypted TLS record data. Updated with the new
  129. * length after the padding is removed
  130. * block_size: the block size of the cipher used to encrypt the record.
  131. * mac: Location to store the pointer to the MAC
  132. * alloced: Whether the MAC is stored in a newly allocated buffer, or whether
  133. * *mac points into *buf
  134. * macsize: the size of the MAC inside the record (or 0 if there isn't one)
  135. * aead: whether this is an aead cipher
  136. * returns:
  137. * 0: (in non-constant time) if the record is publicly invalid.
  138. * 1: (in constant time) Record is publicly valid. If padding is invalid then
  139. * the mac is random
  140. */
  141. int ossl_cipher_tlsunpadblock(OSSL_LIB_CTX *libctx, unsigned int tlsversion,
  142. unsigned char *buf, size_t *buflen,
  143. size_t blocksize,
  144. unsigned char **mac, int *alloced, size_t macsize,
  145. int aead)
  146. {
  147. int ret;
  148. switch (tlsversion) {
  149. case SSL3_VERSION:
  150. return ssl3_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
  151. alloced, blocksize, macsize,
  152. libctx);
  153. case TLS1_2_VERSION:
  154. case DTLS1_2_VERSION:
  155. case TLS1_1_VERSION:
  156. case DTLS1_VERSION:
  157. case DTLS1_BAD_VER:
  158. /* Remove the explicit IV */
  159. buf += blocksize;
  160. *buflen -= blocksize;
  161. /* Fall through */
  162. case TLS1_VERSION:
  163. ret = tls1_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
  164. alloced, blocksize, macsize,
  165. aead, libctx);
  166. return ret;
  167. default:
  168. return 0;
  169. }
  170. }