1 /*
2 * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "internal/ssl3_cbc.h"
13 #include "../../ssl_local.h"
14 #include "../record_local.h"
15 #include "recmethod_local.h"
16
ssl3_set_crypto_state(OSSL_RECORD_LAYER * rl,int level,unsigned char * key,size_t keylen,unsigned char * iv,size_t ivlen,unsigned char * mackey,size_t mackeylen,const EVP_CIPHER * ciph,size_t taglen,int mactype,const EVP_MD * md,COMP_METHOD * comp)17 static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
18 unsigned char *key, size_t keylen,
19 unsigned char *iv, size_t ivlen,
20 unsigned char *mackey, size_t mackeylen,
21 const EVP_CIPHER *ciph,
22 size_t taglen,
23 int mactype,
24 const EVP_MD *md,
25 COMP_METHOD *comp)
26 {
27 EVP_CIPHER_CTX *ciph_ctx;
28 int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0;
29
30 if (md == NULL) {
31 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
32 return OSSL_RECORD_RETURN_FATAL;
33 }
34
35 if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) {
36 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
37 return OSSL_RECORD_RETURN_FATAL;
38 }
39 ciph_ctx = rl->enc_ctx;
40
41 rl->md_ctx = EVP_MD_CTX_new();
42 if (rl->md_ctx == NULL) {
43 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
44 return OSSL_RECORD_RETURN_FATAL;
45 }
46
47 if ((md != NULL && EVP_DigestInit_ex(rl->md_ctx, md, NULL) <= 0)) {
48 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
49 return OSSL_RECORD_RETURN_FATAL;
50 }
51
52 #ifndef OPENSSL_NO_COMP
53 if (comp != NULL) {
54 rl->compctx = COMP_CTX_new(comp);
55 if (rl->compctx == NULL) {
56 ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
57 return OSSL_RECORD_RETURN_FATAL;
58 }
59 }
60 #endif
61
62 if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, iv, enc)) {
63 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
64 return OSSL_RECORD_RETURN_FATAL;
65 }
66
67 /*
68 * The cipher we actually ended up using in the EVP_CIPHER_CTX may be
69 * different to that in ciph if we have an ENGINE in use
70 */
71 if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(ciph_ctx)) != NULL
72 && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) {
73 /* ERR_raise already called */
74 return OSSL_RECORD_RETURN_FATAL;
75 }
76
77 if (mackeylen > sizeof(rl->mac_secret)) {
78 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
79 return OSSL_RECORD_RETURN_FATAL;
80 }
81 memcpy(rl->mac_secret, mackey, mackeylen);
82
83 return OSSL_RECORD_RETURN_SUCCESS;
84 }
85
86 /*
87 * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal
88 * on internal error, but not otherwise. It is the responsibility of the caller
89 * to report a bad_record_mac
90 *
91 * Returns:
92 * 0: if the record is publicly invalid, or an internal error
93 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
94 */
ssl3_cipher(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * inrecs,size_t n_recs,int sending,SSL_MAC_BUF * mac,size_t macsize)95 static int ssl3_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *inrecs,
96 size_t n_recs, int sending, SSL_MAC_BUF *mac,
97 size_t macsize)
98 {
99 TLS_RL_RECORD *rec;
100 EVP_CIPHER_CTX *ds;
101 size_t l, i;
102 size_t bs;
103 const EVP_CIPHER *enc;
104 int provided;
105
106 rec = inrecs;
107 /*
108 * We shouldn't ever be called with more than one record in the SSLv3 case
109 */
110 if (n_recs != 1)
111 return 0;
112
113 ds = rl->enc_ctx;
114 if (ds == NULL || (enc = EVP_CIPHER_CTX_get0_cipher(ds)) == NULL)
115 return 0;
116
117 provided = (EVP_CIPHER_get0_provider(enc) != NULL);
118
119 l = rec->length;
120 bs = EVP_CIPHER_CTX_get_block_size(ds);
121
122 if (bs == 0)
123 return 0;
124
125 /* COMPRESS */
126
127 if ((bs != 1) && sending && !provided) {
128 /*
129 * We only do this for legacy ciphers. Provided ciphers add the
130 * padding on the provider side.
131 */
132 i = bs - (l % bs);
133
134 /* we need to add 'i-1' padding bytes */
135 l += i;
136 /*
137 * the last of these zero bytes will be overwritten with the
138 * padding length.
139 */
140 memset(&rec->input[rec->length], 0, i);
141 rec->length += i;
142 rec->input[l - 1] = (unsigned char)(i - 1);
143 }
144
145 if (!sending) {
146 if (l == 0 || l % bs != 0) {
147 /* Publicly invalid */
148 return 0;
149 }
150 /* otherwise, rec->length >= bs */
151 }
152
153 if (provided) {
154 int outlen;
155
156 if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input,
157 (unsigned int)l))
158 return 0;
159 rec->length = outlen;
160
161 if (!sending && mac != NULL) {
162 /* Now get a pointer to the MAC */
163 OSSL_PARAM params[2], *p = params;
164
165 /* Get the MAC */
166 mac->alloced = 0;
167
168 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
169 (void **)&mac->mac,
170 macsize);
171 *p = OSSL_PARAM_construct_end();
172
173 if (!EVP_CIPHER_CTX_get_params(ds, params)) {
174 /* Shouldn't normally happen */
175 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
176 return 0;
177 }
178 }
179 } else {
180 if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) {
181 /* Shouldn't happen */
182 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR);
183 return 0;
184 }
185
186 if (!sending)
187 return ssl3_cbc_remove_padding_and_mac(&rec->length,
188 rec->orig_len,
189 rec->data,
190 (mac != NULL) ? &mac->mac : NULL,
191 (mac != NULL) ? &mac->alloced : NULL,
192 bs,
193 macsize,
194 rl->libctx);
195 }
196
197 return 1;
198 }
199
200 static const unsigned char ssl3_pad_1[48] = {
201 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
202 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
203 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
204 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
205 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
206 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
207 };
208
209 static const unsigned char ssl3_pad_2[48] = {
210 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
211 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
212 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
213 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
214 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
215 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
216 };
217
ssl3_mac(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * rec,unsigned char * md,int sending)218 static int ssl3_mac(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec, unsigned char *md,
219 int sending)
220 {
221 unsigned char *mac_sec, *seq = rl->sequence;
222 const EVP_MD_CTX *hash;
223 unsigned char *p, rec_char;
224 size_t md_size;
225 size_t npad;
226 int t;
227
228 mac_sec = &(rl->mac_secret[0]);
229 hash = rl->md_ctx;
230
231 t = EVP_MD_CTX_get_size(hash);
232 if (t <= 0)
233 return 0;
234 md_size = t;
235 npad = (48 / md_size) * md_size;
236
237 if (!sending
238 && EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE
239 && ssl3_cbc_record_digest_supported(hash)) {
240 #ifdef OPENSSL_NO_DEPRECATED_3_0
241 return 0;
242 #else
243 /*
244 * This is a CBC-encrypted record. We must avoid leaking any
245 * timing-side channel information about how many blocks of data we
246 * are hashing because that gives an attacker a timing-oracle.
247 */
248
249 /*-
250 * npad is, at most, 48 bytes and that's with MD5:
251 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
252 *
253 * With SHA-1 (the largest hash speced for SSLv3) the hash size
254 * goes up 4, but npad goes down by 8, resulting in a smaller
255 * total size.
256 */
257 unsigned char header[75];
258 size_t j = 0;
259 memcpy(header + j, mac_sec, md_size);
260 j += md_size;
261 memcpy(header + j, ssl3_pad_1, npad);
262 j += npad;
263 memcpy(header + j, seq, 8);
264 j += 8;
265 header[j++] = rec->type;
266 header[j++] = (unsigned char)(rec->length >> 8);
267 header[j++] = (unsigned char)(rec->length & 0xff);
268
269 /* Final param == is SSLv3 */
270 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash),
271 md, &md_size,
272 header, rec->input,
273 rec->length, rec->orig_len,
274 mac_sec, md_size, 1) <= 0)
275 return 0;
276 #endif
277 } else {
278 unsigned int md_size_u;
279 /* Chop the digest off the end :-) */
280 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
281
282 if (md_ctx == NULL)
283 return 0;
284
285 rec_char = rec->type;
286 p = md;
287 s2n(rec->length, p);
288 if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
289 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
290 || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
291 || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
292 || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
293 || EVP_DigestUpdate(md_ctx, md, 2) <= 0
294 || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
295 || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
296 || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
297 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
298 || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
299 || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
300 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
301 EVP_MD_CTX_free(md_ctx);
302 return 0;
303 }
304
305 EVP_MD_CTX_free(md_ctx);
306 }
307
308 if (!tls_increment_sequence_ctr(rl))
309 return 0;
310
311 return 1;
312 }
313
314 const struct record_functions_st ssl_3_0_funcs = {
315 ssl3_set_crypto_state,
316 ssl3_cipher,
317 ssl3_mac,
318 tls_default_set_protocol_version,
319 tls_default_read_n,
320 tls_get_more_records,
321 tls_default_validate_record_header,
322 tls_default_post_process_record,
323 tls_get_max_records_default,
324 tls_write_records_default,
325 /* These 2 functions are defined in tls1_meth.c */
326 tls1_allocate_write_buffers,
327 tls1_initialise_write_packets,
328 NULL,
329 tls_prepare_record_header_default,
330 NULL,
331 tls_prepare_for_encryption_default,
332 tls_post_encryption_processing_default,
333 NULL
334 };
335