1 /* Copyright (c) 2014, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <assert.h> 16 #include <limits.h> 17 #include <string.h> 18 19 #include <openssl/aead.h> 20 #include <openssl/cipher.h> 21 #include <openssl/err.h> 22 #include <openssl/hmac.h> 23 #include <openssl/md5.h> 24 #include <openssl/mem.h> 25 #include <openssl/sha.h> 26 27 #include "internal.h" 28 29 30 typedef struct { 31 EVP_CIPHER_CTX cipher_ctx; 32 EVP_MD_CTX md_ctx; 33 } AEAD_SSL3_CTX; 34 35 static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len, 36 const uint8_t *ad, size_t ad_len, const uint8_t *in, 37 size_t in_len) { 38 size_t md_size = EVP_MD_CTX_size(&ssl3_ctx->md_ctx); 39 size_t pad_len = (md_size == 20) ? 40 : 48; 40 41 /* To allow for CBC mode which changes cipher length, |ad| doesn't include the 42 * length for legacy ciphers. */ 43 uint8_t ad_extra[2]; 44 ad_extra[0] = (uint8_t)(in_len >> 8); 45 ad_extra[1] = (uint8_t)(in_len & 0xff); 46 47 EVP_MD_CTX md_ctx; 48 EVP_MD_CTX_init(&md_ctx); 49 50 uint8_t pad[48]; 51 uint8_t tmp[EVP_MAX_MD_SIZE]; 52 memset(pad, 0x36, pad_len); 53 if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) || 54 !EVP_DigestUpdate(&md_ctx, pad, pad_len) || 55 !EVP_DigestUpdate(&md_ctx, ad, ad_len) || 56 !EVP_DigestUpdate(&md_ctx, ad_extra, sizeof(ad_extra)) || 57 !EVP_DigestUpdate(&md_ctx, in, in_len) || 58 !EVP_DigestFinal_ex(&md_ctx, tmp, NULL)) { 59 EVP_MD_CTX_cleanup(&md_ctx); 60 return 0; 61 } 62 63 memset(pad, 0x5c, pad_len); 64 if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) || 65 !EVP_DigestUpdate(&md_ctx, pad, pad_len) || 66 !EVP_DigestUpdate(&md_ctx, tmp, md_size) || 67 !EVP_DigestFinal_ex(&md_ctx, out, out_len)) { 68 EVP_MD_CTX_cleanup(&md_ctx); 69 return 0; 70 } 71 EVP_MD_CTX_cleanup(&md_ctx); 72 return 1; 73 } 74 75 static void aead_ssl3_cleanup(EVP_AEAD_CTX *ctx) { 76 AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state; 77 EVP_CIPHER_CTX_cleanup(&ssl3_ctx->cipher_ctx); 78 EVP_MD_CTX_cleanup(&ssl3_ctx->md_ctx); 79 OPENSSL_free(ssl3_ctx); 80 ctx->aead_state = NULL; 81 } 82 83 static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, 84 size_t tag_len, enum evp_aead_direction_t dir, 85 const EVP_CIPHER *cipher, const EVP_MD *md) { 86 if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH && 87 tag_len != EVP_MD_size(md)) { 88 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); 89 return 0; 90 } 91 92 if (key_len != EVP_AEAD_key_length(ctx->aead)) { 93 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); 94 return 0; 95 } 96 97 size_t mac_key_len = EVP_MD_size(md); 98 size_t enc_key_len = EVP_CIPHER_key_length(cipher); 99 assert(mac_key_len + enc_key_len + EVP_CIPHER_iv_length(cipher) == key_len); 100 /* Although EVP_rc4() is a variable-length cipher, the default key size is 101 * correct for SSL3. */ 102 103 AEAD_SSL3_CTX *ssl3_ctx = OPENSSL_malloc(sizeof(AEAD_SSL3_CTX)); 104 if (ssl3_ctx == NULL) { 105 OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); 106 return 0; 107 } 108 EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx); 109 EVP_MD_CTX_init(&ssl3_ctx->md_ctx); 110 111 ctx->aead_state = ssl3_ctx; 112 if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len], 113 &key[mac_key_len + enc_key_len], 114 dir == evp_aead_seal) || 115 !EVP_DigestInit_ex(&ssl3_ctx->md_ctx, md, NULL) || 116 !EVP_DigestUpdate(&ssl3_ctx->md_ctx, key, mac_key_len)) { 117 aead_ssl3_cleanup(ctx); 118 ctx->aead_state = NULL; 119 return 0; 120 } 121 EVP_CIPHER_CTX_set_padding(&ssl3_ctx->cipher_ctx, 0); 122 123 return 1; 124 } 125 126 static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, 127 size_t *out_len, size_t max_out_len, 128 const uint8_t *nonce, size_t nonce_len, 129 const uint8_t *in, size_t in_len, 130 const uint8_t *ad, size_t ad_len) { 131 AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state; 132 size_t total = 0; 133 134 if (!ssl3_ctx->cipher_ctx.encrypt) { 135 /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */ 136 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); 137 return 0; 138 } 139 140 if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len || 141 in_len > INT_MAX) { 142 /* EVP_CIPHER takes int as input. */ 143 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); 144 return 0; 145 } 146 147 if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) { 148 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); 149 return 0; 150 } 151 152 if (nonce_len != 0) { 153 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); 154 return 0; 155 } 156 157 if (ad_len != 11 - 2 /* length bytes */) { 158 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); 159 return 0; 160 } 161 162 /* Compute the MAC. This must be first in case the operation is being done 163 * in-place. */ 164 uint8_t mac[EVP_MAX_MD_SIZE]; 165 unsigned mac_len; 166 if (!ssl3_mac(ssl3_ctx, mac, &mac_len, ad, ad_len, in, in_len)) { 167 return 0; 168 } 169 170 /* Encrypt the input. */ 171 int len; 172 if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in, 173 (int)in_len)) { 174 return 0; 175 } 176 total = len; 177 178 /* Feed the MAC into the cipher. */ 179 if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, mac, 180 (int)mac_len)) { 181 return 0; 182 } 183 total += len; 184 185 unsigned block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx); 186 if (block_size > 1) { 187 assert(block_size <= 256); 188 assert(EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE); 189 190 /* Compute padding and feed that into the cipher. */ 191 uint8_t padding[256]; 192 unsigned padding_len = block_size - ((in_len + mac_len) % block_size); 193 memset(padding, 0, padding_len - 1); 194 padding[padding_len - 1] = padding_len - 1; 195 if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, padding, 196 (int)padding_len)) { 197 return 0; 198 } 199 total += len; 200 } 201 202 if (!EVP_EncryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) { 203 return 0; 204 } 205 total += len; 206 207 *out_len = total; 208 return 1; 209 } 210 211 static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out, 212 size_t *out_len, size_t max_out_len, 213 const uint8_t *nonce, size_t nonce_len, 214 const uint8_t *in, size_t in_len, 215 const uint8_t *ad, size_t ad_len) { 216 AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state; 217 218 if (ssl3_ctx->cipher_ctx.encrypt) { 219 /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */ 220 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); 221 return 0; 222 } 223 224 size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx); 225 if (in_len < mac_len) { 226 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 227 return 0; 228 } 229 230 if (max_out_len < in_len) { 231 /* This requires that the caller provide space for the MAC, even though it 232 * will always be removed on return. */ 233 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); 234 return 0; 235 } 236 237 if (nonce_len != 0) { 238 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); 239 return 0; 240 } 241 242 if (ad_len != 11 - 2 /* length bytes */) { 243 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); 244 return 0; 245 } 246 247 if (in_len > INT_MAX) { 248 /* EVP_CIPHER takes int as input. */ 249 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); 250 return 0; 251 } 252 253 /* Decrypt to get the plaintext + MAC + padding. */ 254 size_t total = 0; 255 int len; 256 if (!EVP_DecryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in, (int)in_len)) { 257 return 0; 258 } 259 total += len; 260 if (!EVP_DecryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) { 261 return 0; 262 } 263 total += len; 264 assert(total == in_len); 265 266 /* Remove CBC padding and MAC. This would normally be timing-sensitive, but SSLv3 CBC 267 * ciphers are already broken. Support will be removed eventually. 268 * https://www.openssl.org/~bodo/ssl-poodle.pdf */ 269 unsigned data_len; 270 if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) { 271 unsigned padding_length = out[total - 1]; 272 if (total < padding_length + 1 + mac_len) { 273 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 274 return 0; 275 } 276 /* The padding must be minimal. */ 277 if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) { 278 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 279 return 0; 280 } 281 data_len = total - padding_length - 1 - mac_len; 282 } else { 283 data_len = total - mac_len; 284 } 285 286 /* Compute the MAC and compare against the one in the record. */ 287 uint8_t mac[EVP_MAX_MD_SIZE]; 288 if (!ssl3_mac(ssl3_ctx, mac, NULL, ad, ad_len, out, data_len)) { 289 return 0; 290 } 291 if (CRYPTO_memcmp(&out[data_len], mac, mac_len) != 0) { 292 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 293 return 0; 294 } 295 296 *out_len = data_len; 297 return 1; 298 } 299 300 static int aead_ssl3_get_rc4_state(const EVP_AEAD_CTX *ctx, const RC4_KEY **out_key) { 301 AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state; 302 if (EVP_CIPHER_CTX_cipher(&ssl3_ctx->cipher_ctx) != EVP_rc4()) { 303 return 0; 304 } 305 306 *out_key = (RC4_KEY*) ssl3_ctx->cipher_ctx.cipher_data; 307 return 1; 308 } 309 310 static int aead_ssl3_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv, 311 size_t *out_iv_len) { 312 AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state; 313 const size_t iv_len = EVP_CIPHER_CTX_iv_length(&ssl3_ctx->cipher_ctx); 314 if (iv_len <= 1) { 315 return 0; 316 } 317 318 *out_iv = ssl3_ctx->cipher_ctx.iv; 319 *out_iv_len = iv_len; 320 return 1; 321 } 322 323 static int aead_rc4_md5_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 324 size_t key_len, size_t tag_len, 325 enum evp_aead_direction_t dir) { 326 return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_md5()); 327 } 328 329 static int aead_rc4_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 330 size_t key_len, size_t tag_len, 331 enum evp_aead_direction_t dir) { 332 return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_sha1()); 333 } 334 335 static int aead_aes_128_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 336 size_t key_len, size_t tag_len, 337 enum evp_aead_direction_t dir) { 338 return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(), 339 EVP_sha1()); 340 } 341 342 static int aead_aes_256_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 343 size_t key_len, size_t tag_len, 344 enum evp_aead_direction_t dir) { 345 return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(), 346 EVP_sha1()); 347 } 348 static int aead_des_ede3_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, 349 const uint8_t *key, size_t key_len, 350 size_t tag_len, 351 enum evp_aead_direction_t dir) { 352 return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(), 353 EVP_sha1()); 354 } 355 356 static int aead_null_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 357 size_t key_len, size_t tag_len, 358 enum evp_aead_direction_t dir) { 359 return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(), 360 EVP_sha1()); 361 } 362 363 static const EVP_AEAD aead_rc4_md5_ssl3 = { 364 MD5_DIGEST_LENGTH + 16, /* key len (MD5 + RC4) */ 365 0, /* nonce len */ 366 MD5_DIGEST_LENGTH, /* overhead */ 367 MD5_DIGEST_LENGTH, /* max tag length */ 368 NULL, /* init */ 369 aead_rc4_md5_ssl3_init, 370 aead_ssl3_cleanup, 371 aead_ssl3_seal, 372 aead_ssl3_open, 373 aead_ssl3_get_rc4_state, 374 NULL, /* get_iv */ 375 }; 376 377 static const EVP_AEAD aead_rc4_sha1_ssl3 = { 378 SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + RC4) */ 379 0, /* nonce len */ 380 SHA_DIGEST_LENGTH, /* overhead */ 381 SHA_DIGEST_LENGTH, /* max tag length */ 382 NULL, /* init */ 383 aead_rc4_sha1_ssl3_init, 384 aead_ssl3_cleanup, 385 aead_ssl3_seal, 386 aead_ssl3_open, 387 aead_ssl3_get_rc4_state, 388 NULL, /* get_iv */ 389 }; 390 391 static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = { 392 SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */ 393 0, /* nonce len */ 394 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */ 395 SHA_DIGEST_LENGTH, /* max tag length */ 396 NULL, /* init */ 397 aead_aes_128_cbc_sha1_ssl3_init, 398 aead_ssl3_cleanup, 399 aead_ssl3_seal, 400 aead_ssl3_open, 401 NULL, /* get_rc4_state */ 402 aead_ssl3_get_iv, 403 }; 404 405 static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = { 406 SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */ 407 0, /* nonce len */ 408 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */ 409 SHA_DIGEST_LENGTH, /* max tag length */ 410 NULL, /* init */ 411 aead_aes_256_cbc_sha1_ssl3_init, 412 aead_ssl3_cleanup, 413 aead_ssl3_seal, 414 aead_ssl3_open, 415 NULL, /* get_rc4_state */ 416 aead_ssl3_get_iv, 417 }; 418 419 static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = { 420 SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */ 421 0, /* nonce len */ 422 8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */ 423 SHA_DIGEST_LENGTH, /* max tag length */ 424 NULL, /* init */ 425 aead_des_ede3_cbc_sha1_ssl3_init, 426 aead_ssl3_cleanup, 427 aead_ssl3_seal, 428 aead_ssl3_open, 429 NULL, /* get_rc4_state */ 430 aead_ssl3_get_iv, 431 }; 432 433 static const EVP_AEAD aead_null_sha1_ssl3 = { 434 SHA_DIGEST_LENGTH, /* key len */ 435 0, /* nonce len */ 436 SHA_DIGEST_LENGTH, /* overhead (SHA1) */ 437 SHA_DIGEST_LENGTH, /* max tag length */ 438 NULL, /* init */ 439 aead_null_sha1_ssl3_init, 440 aead_ssl3_cleanup, 441 aead_ssl3_seal, 442 aead_ssl3_open, 443 NULL, /* get_rc4_state */ 444 NULL, /* get_iv */ 445 }; 446 447 const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void) { return &aead_rc4_md5_ssl3; } 448 449 const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void) { return &aead_rc4_sha1_ssl3; } 450 451 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void) { 452 return &aead_aes_128_cbc_sha1_ssl3; 453 } 454 455 const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void) { 456 return &aead_aes_256_cbc_sha1_ssl3; 457 } 458 459 const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void) { 460 return &aead_des_ede3_cbc_sha1_ssl3; 461 } 462 463 const EVP_AEAD *EVP_aead_null_sha1_ssl3(void) { return &aead_null_sha1_ssl3; } 464
