1 /*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "../../ssl_local.h"
13 #include "../record_local.h"
14 #include "recmethod_local.h"
15
ssl3_set_crypto_state(OSSL_RECORD_LAYER * rl,int level,unsigned char * key,size_t keylen,unsigned char * iv,size_t ivlen,unsigned char * mackey,size_t mackeylen,const EVP_CIPHER * ciph,size_t taglen,int mactype,const EVP_MD * md,const SSL_COMP * comp)16 static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
17 unsigned char *key, size_t keylen,
18 unsigned char *iv, size_t ivlen,
19 unsigned char *mackey, size_t mackeylen,
20 const EVP_CIPHER *ciph,
21 size_t taglen,
22 int mactype,
23 const EVP_MD *md,
24 const SSL_COMP *comp)
25 {
26 EVP_CIPHER_CTX *ciph_ctx;
27
28 if (md == NULL) {
29 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
30 return OSSL_RECORD_RETURN_FATAL;
31 }
32
33 if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) {
34 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
35 return OSSL_RECORD_RETURN_FATAL;
36 }
37 ciph_ctx = rl->enc_ctx;
38
39 rl->md_ctx = EVP_MD_CTX_new();
40 if (rl->md_ctx == NULL) {
41 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
42 return OSSL_RECORD_RETURN_FATAL;
43 }
44 #ifndef OPENSSL_NO_COMP
45 if (comp != NULL) {
46 rl->expand = COMP_CTX_new(comp->method);
47 if (rl->expand == NULL) {
48 ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
49 return OSSL_RECORD_RETURN_FATAL;
50 }
51 }
52 #endif
53
54 if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, key, iv)) {
55 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
56 return OSSL_RECORD_RETURN_FATAL;
57 }
58
59 if (EVP_CIPHER_get0_provider(ciph) != NULL
60 && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) {
61 /* ERR_raise already called */
62 return OSSL_RECORD_RETURN_FATAL;
63 }
64
65 if (mackeylen > sizeof(rl->mac_secret)) {
66 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
67 return OSSL_RECORD_RETURN_FATAL;
68 }
69 memcpy(rl->mac_secret, mackey, mackeylen);
70
71 return OSSL_RECORD_RETURN_SUCCESS;
72 }
73
74 /*
75 * ssl3_cipher encrypts/decrypts |n_recs| records in |inrecs|. Calls RLAYERfatal
76 * on internal error, but not otherwise. It is the responsibility of the caller
77 * to report a bad_record_mac
78 *
79 * Returns:
80 * 0: if the record is publicly invalid, or an internal error
81 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
82 */
ssl3_cipher(OSSL_RECORD_LAYER * rl,SSL3_RECORD * inrecs,size_t n_recs,int sending,SSL_MAC_BUF * mac,size_t macsize)83 static int ssl3_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *inrecs, size_t n_recs,
84 int sending, SSL_MAC_BUF *mac, size_t macsize)
85 {
86 SSL3_RECORD *rec;
87 EVP_CIPHER_CTX *ds;
88 size_t l, i;
89 size_t bs;
90 const EVP_CIPHER *enc;
91 int provided;
92
93 rec = inrecs;
94 /*
95 * We shouldn't ever be called with more than one record in the SSLv3 case
96 */
97 if (n_recs != 1)
98 return 0;
99
100 ds = rl->enc_ctx;
101 if (ds == NULL || (enc = EVP_CIPHER_CTX_get0_cipher(ds)) == NULL)
102 return 0;
103
104 provided = (EVP_CIPHER_get0_provider(enc) != NULL);
105
106 l = rec->length;
107 bs = EVP_CIPHER_CTX_get_block_size(ds);
108
109 /* COMPRESS */
110
111 if ((bs != 1) && sending && !provided) {
112 /*
113 * We only do this for legacy ciphers. Provided ciphers add the
114 * padding on the provider side.
115 */
116 i = bs - (l % bs);
117
118 /* we need to add 'i-1' padding bytes */
119 l += i;
120 /*
121 * the last of these zero bytes will be overwritten with the
122 * padding length.
123 */
124 memset(&rec->input[rec->length], 0, i);
125 rec->length += i;
126 rec->input[l - 1] = (unsigned char)(i - 1);
127 }
128
129 if (!sending) {
130 if (l == 0 || l % bs != 0) {
131 /* Publicly invalid */
132 return 0;
133 }
134 /* otherwise, rec->length >= bs */
135 }
136
137 if (provided) {
138 int outlen;
139
140 if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input,
141 (unsigned int)l))
142 return 0;
143 rec->length = outlen;
144
145 if (!sending && mac != NULL) {
146 /* Now get a pointer to the MAC */
147 OSSL_PARAM params[2], *p = params;
148
149 /* Get the MAC */
150 mac->alloced = 0;
151
152 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
153 (void **)&mac->mac,
154 macsize);
155 *p = OSSL_PARAM_construct_end();
156
157 if (!EVP_CIPHER_CTX_get_params(ds, params)) {
158 /* Shouldn't normally happen */
159 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
160 return 0;
161 }
162 }
163 } else {
164 if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) {
165 /* Shouldn't happen */
166 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR);
167 return 0;
168 }
169
170 if (!sending)
171 return ssl3_cbc_remove_padding_and_mac(&rec->length,
172 rec->orig_len,
173 rec->data,
174 (mac != NULL) ? &mac->mac : NULL,
175 (mac != NULL) ? &mac->alloced : NULL,
176 bs,
177 macsize,
178 rl->libctx);
179 }
180
181 return 1;
182 }
183
184 static const unsigned char ssl3_pad_1[48] = {
185 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
186 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
187 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
188 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
189 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
190 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
191 };
192
193 static const unsigned char ssl3_pad_2[48] = {
194 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
195 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
196 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
197 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
198 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
199 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
200 };
201
ssl3_mac(OSSL_RECORD_LAYER * rl,SSL3_RECORD * rec,unsigned char * md,int sending)202 static int ssl3_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
203 int sending)
204 {
205 unsigned char *mac_sec, *seq = rl->sequence;
206 const EVP_MD_CTX *hash;
207 unsigned char *p, rec_char;
208 size_t md_size;
209 size_t npad;
210 int t;
211
212 mac_sec = &(rl->mac_secret[0]);
213 hash = rl->md_ctx;
214
215 t = EVP_MD_CTX_get_size(hash);
216 if (t < 0)
217 return 0;
218 md_size = t;
219 npad = (48 / md_size) * md_size;
220
221 if (!sending
222 && EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE
223 && ssl3_cbc_record_digest_supported(hash)) {
224 #ifdef OPENSSL_NO_DEPRECATED_3_0
225 return 0;
226 #else
227 /*
228 * This is a CBC-encrypted record. We must avoid leaking any
229 * timing-side channel information about how many blocks of data we
230 * are hashing because that gives an attacker a timing-oracle.
231 */
232
233 /*-
234 * npad is, at most, 48 bytes and that's with MD5:
235 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
236 *
237 * With SHA-1 (the largest hash speced for SSLv3) the hash size
238 * goes up 4, but npad goes down by 8, resulting in a smaller
239 * total size.
240 */
241 unsigned char header[75];
242 size_t j = 0;
243 memcpy(header + j, mac_sec, md_size);
244 j += md_size;
245 memcpy(header + j, ssl3_pad_1, npad);
246 j += npad;
247 memcpy(header + j, seq, 8);
248 j += 8;
249 header[j++] = rec->type;
250 header[j++] = (unsigned char)(rec->length >> 8);
251 header[j++] = (unsigned char)(rec->length & 0xff);
252
253 /* Final param == is SSLv3 */
254 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash),
255 md, &md_size,
256 header, rec->input,
257 rec->length, rec->orig_len,
258 mac_sec, md_size, 1) <= 0)
259 return 0;
260 #endif
261 } else {
262 unsigned int md_size_u;
263 /* Chop the digest off the end :-) */
264 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
265
266 if (md_ctx == NULL)
267 return 0;
268
269 rec_char = rec->type;
270 p = md;
271 s2n(rec->length, p);
272 if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
273 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
274 || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
275 || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
276 || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
277 || EVP_DigestUpdate(md_ctx, md, 2) <= 0
278 || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
279 || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
280 || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
281 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
282 || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
283 || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
284 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
285 EVP_MD_CTX_free(md_ctx);
286 return 0;
287 }
288
289 EVP_MD_CTX_free(md_ctx);
290 }
291
292 ssl3_record_sequence_update(seq);
293 return 1;
294 }
295
296 struct record_functions_st ssl_3_0_funcs = {
297 ssl3_set_crypto_state,
298 tls_default_read_n,
299 tls_get_more_records,
300 ssl3_cipher,
301 ssl3_mac,
302 tls_default_set_protocol_version,
303 tls_default_validate_record_header,
304 tls_default_post_process_record
305 };
306
