1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
|
/*
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <assert.h>
/* For SSL3_VERSION, TLS1_VERSION etc */
#include <openssl/prov_ssl.h>
#include <openssl/rand.h>
#include <openssl/proverr.h>
#include "internal/constant_time.h"
#include "ciphercommon_local.h"
/* Functions defined in ssl/tls_pad.c */
int ssl3_cbc_remove_padding_and_mac(size_t *reclen,
size_t origreclen,
unsigned char *recdata,
unsigned char **mac,
int *alloced,
size_t block_size, size_t mac_size,
OSSL_LIB_CTX *libctx);
int tls1_cbc_remove_padding_and_mac(size_t *reclen,
size_t origreclen,
unsigned char *recdata,
unsigned char **mac,
int *alloced,
size_t block_size, size_t mac_size,
int aead,
OSSL_LIB_CTX *libctx);
/*
* Fills a single block of buffered data from the input, and returns the amount
* of data remaining in the input that is a multiple of the blocksize. The buffer
* is only filled if it already has some data in it, isn't full already or we
* don't have at least one block in the input.
*
* buf: a buffer of blocksize bytes
* buflen: contains the amount of data already in buf on entry. Updated with the
* amount of data in buf at the end. On entry *buflen must always be
* less than the blocksize
* blocksize: size of a block. Must be greater than 0 and a power of 2
* in: pointer to a pointer containing the input data
* inlen: amount of input data available
*
* On return buf is filled with as much data as possible up to a full block,
* *buflen is updated containing the amount of data in buf. *in is updated to
* the new location where input data should be read from, *inlen is updated with
* the remaining amount of data in *in. Returns the largest value <= *inlen
* which is a multiple of the blocksize.
*/
size_t ossl_cipher_fillblock(unsigned char *buf, size_t *buflen,
size_t blocksize,
const unsigned char **in, size_t *inlen)
{
size_t blockmask = ~(blocksize - 1);
size_t bufremain = blocksize - *buflen;
assert(*buflen <= blocksize);
assert(blocksize > 0 && (blocksize & (blocksize - 1)) == 0);
if (*inlen < bufremain)
bufremain = *inlen;
memcpy(buf + *buflen, *in, bufremain);
*in += bufremain;
*inlen -= bufremain;
*buflen += bufremain;
return *inlen & blockmask;
}
/*
* Fills the buffer with trailing data from an encryption/decryption that didn't
* fit into a full block.
*/
int ossl_cipher_trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
const unsigned char **in, size_t *inlen)
{
if (*inlen == 0)
return 1;
if (*buflen + *inlen > blocksize) {
ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
return 0;
}
memcpy(buf + *buflen, *in, *inlen);
*buflen += *inlen;
*inlen = 0;
return 1;
}
/* Pad the final block for encryption */
void ossl_cipher_padblock(unsigned char *buf, size_t *buflen, size_t blocksize)
{
size_t i;
unsigned char pad = (unsigned char)(blocksize - *buflen);
for (i = *buflen; i < blocksize; i++)
buf[i] = pad;
}
int ossl_cipher_unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize)
{
size_t pad, i;
size_t len = *buflen;
if (len != blocksize) {
ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
return 0;
}
/*
* The following assumes that the ciphertext has been authenticated.
* Otherwise it provides a padding oracle.
*/
pad = buf[blocksize - 1];
if (pad == 0 || pad > blocksize) {
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
return 0;
}
for (i = 0; i < pad; i++) {
if (buf[--len] != pad) {
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
return 0;
}
}
*buflen = len;
return 1;
}
/*-
* ossl_cipher_tlsunpadblock removes the CBC padding from the decrypted, TLS, CBC
* record in constant time. Also removes the MAC from the record in constant
* time.
*
* libctx: Our library context
* tlsversion: The TLS version in use, e.g. SSL3_VERSION, TLS1_VERSION, etc
* buf: The decrypted TLS record data
* buflen: The length of the decrypted TLS record data. Updated with the new
* length after the padding is removed
* block_size: the block size of the cipher used to encrypt the record.
* mac: Location to store the pointer to the MAC
* alloced: Whether the MAC is stored in a newly allocated buffer, or whether
* *mac points into *buf
* macsize: the size of the MAC inside the record (or 0 if there isn't one)
* aead: whether this is an aead cipher
* returns:
* 0: (in non-constant time) if the record is publicly invalid.
* 1: (in constant time) Record is publicly valid. If padding is invalid then
* the mac is random
*/
int ossl_cipher_tlsunpadblock(OSSL_LIB_CTX *libctx, unsigned int tlsversion,
unsigned char *buf, size_t *buflen,
size_t blocksize,
unsigned char **mac, int *alloced, size_t macsize,
int aead)
{
int ret;
switch (tlsversion) {
case SSL3_VERSION:
return ssl3_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
alloced, blocksize, macsize,
libctx);
case TLS1_2_VERSION:
case DTLS1_2_VERSION:
case TLS1_1_VERSION:
case DTLS1_VERSION:
case DTLS1_BAD_VER:
/* Remove the explicit IV */
buf += blocksize;
*buflen -= blocksize;
/* Fall through */
case TLS1_VERSION:
ret = tls1_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
alloced, blocksize, macsize,
aead, libctx);
return ret;
default:
return 0;
}
}
|
