kris
/
boringssl
1
0
Fork 0
Código Issues 0 Pull requests 0 Versões 0 Wiki Atividade
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
1050 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tag: 5edc4e2a9b
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de 5edc4e2a9b
${ noResults }
boringssl/crypto/cipher/e_ssl3.c

422 linhas
14 KiB
Original Anotar Histórico 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <assert.h>

  16. #include <limits.h>

  17. #include <string.h>

  18. 

  19. #include <openssl/aead.h>

  20. #include <openssl/cipher.h>

  21. #include <openssl/err.h>

  22. #include <openssl/hmac.h>

  23. #include <openssl/md5.h>

  24. #include <openssl/mem.h>

  25. #include <openssl/sha.h>

  26. 

  27. #include "internal.h"

  28. 

  29. 

  30. typedef struct {

  31.   EVP_CIPHER_CTX cipher_ctx;

  32.   EVP_MD_CTX md_ctx;

  33. } AEAD_SSL3_CTX;

  34. 

  35. static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len,

  36.                     const uint8_t *ad, size_t ad_len, const uint8_t *in,

  37.                     size_t in_len) {

  38.   size_t md_size = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);

  39.   size_t pad_len = (md_size == 20) ? 40 : 48;

  40. 

  41.   /* To allow for CBC mode which changes cipher length, |ad| doesn't include the

  42.    * length for legacy ciphers. */

  43.   uint8_t ad_extra[2];

  44.   ad_extra[0] = (uint8_t)(in_len >> 8);

  45.   ad_extra[1] = (uint8_t)(in_len & 0xff);

  46. 

  47.   EVP_MD_CTX md_ctx;

  48.   EVP_MD_CTX_init(&md_ctx);

  49. 

  50.   uint8_t pad[48];

  51.   uint8_t tmp[EVP_MAX_MD_SIZE];

  52.   memset(pad, 0x36, pad_len);

  53.   if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||

  54.       !EVP_DigestUpdate(&md_ctx, pad, pad_len) ||

  55.       !EVP_DigestUpdate(&md_ctx, ad, ad_len) ||

  56.       !EVP_DigestUpdate(&md_ctx, ad_extra, sizeof(ad_extra)) ||

  57.       !EVP_DigestUpdate(&md_ctx, in, in_len) ||

  58.       !EVP_DigestFinal_ex(&md_ctx, tmp, NULL)) {

  59.     EVP_MD_CTX_cleanup(&md_ctx);

  60.     return 0;

  61.   }

  62. 

  63.   memset(pad, 0x5c, pad_len);

  64.   if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||

  65.       !EVP_DigestUpdate(&md_ctx, pad, pad_len) ||

  66.       !EVP_DigestUpdate(&md_ctx, tmp, md_size) ||

  67.       !EVP_DigestFinal_ex(&md_ctx, out, out_len)) {

  68.     EVP_MD_CTX_cleanup(&md_ctx);

  69.     return 0;

  70.   }

  71.   EVP_MD_CTX_cleanup(&md_ctx);

  72.   return 1;

  73. }

  74. 

  75. static void aead_ssl3_cleanup(EVP_AEAD_CTX *ctx) {

  76.   AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;

  77.   EVP_CIPHER_CTX_cleanup(&ssl3_ctx->cipher_ctx);

  78.   EVP_MD_CTX_cleanup(&ssl3_ctx->md_ctx);

  79.   OPENSSL_free(ssl3_ctx);

  80.   ctx->aead_state = NULL;

  81. }

  82. 

  83. static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,

  84.                           size_t tag_len, enum evp_aead_direction_t dir,

  85.                           const EVP_CIPHER *cipher, const EVP_MD *md) {

  86.   if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&

  87.       tag_len != EVP_MD_size(md)) {

  88.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_UNSUPPORTED_TAG_SIZE);

  89.     return 0;

  90.   }

  91. 

  92.   if (key_len != EVP_AEAD_key_length(ctx->aead)) {

  93.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_BAD_KEY_LENGTH);

  94.     return 0;

  95.   }

  96. 

  97.   size_t mac_key_len = EVP_MD_size(md);

  98.   size_t enc_key_len = EVP_CIPHER_key_length(cipher);

  99.   assert(mac_key_len + enc_key_len + EVP_CIPHER_iv_length(cipher) == key_len);

  100.   /* Although EVP_rc4() is a variable-length cipher, the default key size is

  101.    * correct for SSL3. */

  102. 

  103.   AEAD_SSL3_CTX *ssl3_ctx = OPENSSL_malloc(sizeof(AEAD_SSL3_CTX));

  104.   if (ssl3_ctx == NULL) {

  105.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, ERR_R_MALLOC_FAILURE);

  106.     return 0;

  107.   }

  108.   EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx);

  109.   EVP_MD_CTX_init(&ssl3_ctx->md_ctx);

  110. 

  111.   ctx->aead_state = ssl3_ctx;

  112.   if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],

  113.                          &key[mac_key_len + enc_key_len],

  114.                          dir == evp_aead_seal) ||

  115.       !EVP_DigestInit_ex(&ssl3_ctx->md_ctx, md, NULL) ||

  116.       !EVP_DigestUpdate(&ssl3_ctx->md_ctx, key, mac_key_len)) {

  117.     aead_ssl3_cleanup(ctx);

  118.     return 0;

  119.   }

  120.   EVP_CIPHER_CTX_set_padding(&ssl3_ctx->cipher_ctx, 0);

  121. 

  122.   return 1;

  123. }

  124. 

  125. static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  126.                          size_t *out_len, size_t max_out_len,

  127.                          const uint8_t *nonce, size_t nonce_len,

  128.                          const uint8_t *in, size_t in_len,

  129.                          const uint8_t *ad, size_t ad_len) {

  130.   AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;

  131.   size_t total = 0;

  132. 

  133.   if (!ssl3_ctx->cipher_ctx.encrypt) {

  134.     /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */

  135.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_OPERATION);

  136.     return 0;

  137.   }

  138. 

  139.   if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||

  140.       in_len > INT_MAX) {

  141.     /* EVP_CIPHER takes int as input. */

  142.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_TOO_LARGE);

  143.     return 0;

  144.   }

  145. 

  146.   if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {

  147.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_BUFFER_TOO_SMALL);

  148.     return 0;

  149.   }

  150. 

  151.   if (nonce_len != 0) {

  152.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_IV_TOO_LARGE);

  153.     return 0;

  154.   }

  155. 

  156.   if (ad_len != 11 - 2 /* length bytes */) {

  157.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_AD_SIZE);

  158.     return 0;

  159.   }

  160. 

  161.   /* Compute the MAC. This must be first in case the operation is being done

  162.    * in-place. */

  163.   uint8_t mac[EVP_MAX_MD_SIZE];

  164.   unsigned mac_len;

  165.   if (!ssl3_mac(ssl3_ctx, mac, &mac_len, ad, ad_len, in, in_len)) {

  166.     return 0;

  167.   }

  168. 

  169.   /* Encrypt the input. */

  170.   int len;

  171.   if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in,

  172.                          (int)in_len)) {

  173.     return 0;

  174.   }

  175.   total = len;

  176. 

  177.   /* Feed the MAC into the cipher. */

  178.   if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, mac,

  179.                          (int)mac_len)) {

  180.     return 0;

  181.   }

  182.   total += len;

  183. 

  184.   unsigned block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);

  185.   if (block_size > 1) {

  186.     assert(block_size <= 256);

  187.     assert(EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);

  188. 

  189.     /* Compute padding and feed that into the cipher. */

  190.     uint8_t padding[256];

  191.     unsigned padding_len = block_size - ((in_len + mac_len) % block_size);

  192.     memset(padding, 0, padding_len - 1);

  193.     padding[padding_len - 1] = padding_len - 1;

  194.     if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, padding,

  195.                            (int)padding_len)) {

  196.       return 0;

  197.     }

  198.     total += len;

  199.   }

  200. 

  201.   if (!EVP_EncryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) {

  202.     return 0;

  203.   }

  204.   total += len;

  205. 

  206.   *out_len = total;

  207.   return 1;

  208. }

  209. 

  210. static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  211.                          size_t *out_len, size_t max_out_len,

  212.                          const uint8_t *nonce, size_t nonce_len,

  213.                          const uint8_t *in, size_t in_len,

  214.                          const uint8_t *ad, size_t ad_len) {

  215.   AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;

  216. 

  217.   if (ssl3_ctx->cipher_ctx.encrypt) {

  218.     /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */

  219.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_OPERATION);

  220.     return 0;

  221.   }

  222. 

  223.   size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);

  224.   if (in_len < mac_len) {

  225.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT);

  226.     return 0;

  227.   }

  228. 

  229.   if (max_out_len < in_len) {

  230.     /* This requires that the caller provide space for the MAC, even though it

  231.      * will always be removed on return. */

  232.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BUFFER_TOO_SMALL);

  233.     return 0;

  234.   }

  235. 

  236.   if (nonce_len != 0) {

  237.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_TOO_LARGE);

  238.     return 0;

  239.   }

  240. 

  241.   if (ad_len != 11 - 2 /* length bytes */) {

  242.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_AD_SIZE);

  243.     return 0;

  244.   }

  245. 

  246.   if (in_len > INT_MAX) {

  247.     /* EVP_CIPHER takes int as input. */

  248.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_TOO_LARGE);

  249.     return 0;

  250.   }

  251. 

  252.   /* Decrypt to get the plaintext + MAC + padding. */

  253.   size_t total = 0;

  254.   int len;

  255.   if (!EVP_DecryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in, (int)in_len)) {

  256.     return 0;

  257.   }

  258.   total += len;

  259.   if (!EVP_DecryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) {

  260.     return 0;

  261.   }

  262.   total += len;

  263.   assert(total == in_len);

  264. 

  265.   /* Remove CBC padding and MAC. This would normally be timing-sensitive, but SSLv3 CBC

  266.    * ciphers are already broken. Support will be removed eventually.

  267.    * https://www.openssl.org/~bodo/ssl-poodle.pdf */

  268.   unsigned data_len;

  269.   if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {

  270.     unsigned padding_length = out[total - 1];

  271.     if (total < padding_length + 1 + mac_len) {

  272.       OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT);

  273.       return 0;

  274.     }

  275.     /* The padding must be minimal. */

  276.     if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) {

  277.       OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT);

  278.       return 0;

  279.     }

  280.     data_len = total - padding_length - 1 - mac_len;

  281.   } else {

  282.     data_len = total - mac_len;

  283.   }

  284. 

  285.   /* Compute the MAC and compare against the one in the record. */

  286.   uint8_t mac[EVP_MAX_MD_SIZE];

  287.   if (!ssl3_mac(ssl3_ctx, mac, NULL, ad, ad_len, out, data_len)) {

  288.     return 0;

  289.   }

  290.   if (CRYPTO_memcmp(&out[data_len], mac, mac_len) != 0) {

  291.     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT);

  292.     return 0;

  293.   }

  294. 

  295.   *out_len = data_len;

  296.   return 1;

  297. }

  298. 

  299. static int aead_ssl3_get_rc4_state(const EVP_AEAD_CTX *ctx, const RC4_KEY **out_key) {

  300.   AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;

  301.   if (EVP_CIPHER_CTX_cipher(&ssl3_ctx->cipher_ctx) != EVP_rc4()) {

  302.     return 0;

  303.   }

  304. 

  305.   *out_key = (RC4_KEY*) ssl3_ctx->cipher_ctx.cipher_data;

  306.   return 1;

  307. }

  308. 

  309. static int aead_rc4_md5_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  310.                                   size_t key_len, size_t tag_len,

  311.                                   enum evp_aead_direction_t dir) {

  312.   return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_md5());

  313. }

  314. 

  315. static int aead_rc4_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  316.                                    size_t key_len, size_t tag_len,

  317.                                    enum evp_aead_direction_t dir) {

  318.   return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_sha1());

  319. }

  320. 

  321. static int aead_aes_128_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  322.                                            size_t key_len, size_t tag_len,

  323.                                            enum evp_aead_direction_t dir) {

  324.   return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),

  325.                         EVP_sha1());

  326. }

  327. 

  328. static int aead_aes_256_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  329.                                            size_t key_len, size_t tag_len,

  330.                                            enum evp_aead_direction_t dir) {

  331.   return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),

  332.                         EVP_sha1());

  333. }

  334. static int aead_des_ede3_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx,

  335.                                             const uint8_t *key, size_t key_len,

  336.                                             size_t tag_len,

  337.                                             enum evp_aead_direction_t dir) {

  338.   return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),

  339.                         EVP_sha1());

  340. }

  341. 

  342. static const EVP_AEAD aead_rc4_md5_ssl3 = {

  343.     MD5_DIGEST_LENGTH + 16, /* key len (MD5 + RC4) */

  344.     0,                      /* nonce len */

  345.     MD5_DIGEST_LENGTH,      /* overhead */

  346.     MD5_DIGEST_LENGTH,      /* max tag length */

  347.     NULL, /* init */

  348.     aead_rc4_md5_ssl3_init,

  349.     aead_ssl3_cleanup,

  350.     aead_ssl3_seal,

  351.     aead_ssl3_open,

  352.     aead_ssl3_get_rc4_state,

  353. };

  354. 

  355. static const EVP_AEAD aead_rc4_sha1_ssl3 = {

  356.     SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + RC4) */

  357.     0,                      /* nonce len */

  358.     SHA_DIGEST_LENGTH,      /* overhead */

  359.     SHA_DIGEST_LENGTH,      /* max tag length */

  360.     NULL, /* init */

  361.     aead_rc4_sha1_ssl3_init,

  362.     aead_ssl3_cleanup,

  363.     aead_ssl3_seal,

  364.     aead_ssl3_open,

  365.     aead_ssl3_get_rc4_state,

  366. };

  367. 

  368. static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {

  369.     SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */

  370.     0,                           /* nonce len */

  371.     16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */

  372.     SHA_DIGEST_LENGTH,           /* max tag length */

  373.     NULL, /* init */

  374.     aead_aes_128_cbc_sha1_ssl3_init,

  375.     aead_ssl3_cleanup,

  376.     aead_ssl3_seal,

  377.     aead_ssl3_open,

  378.     NULL,                        /* get_rc4_state */

  379. };

  380. 

  381. static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {

  382.     SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */

  383.     0,                           /* nonce len */

  384.     16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */

  385.     SHA_DIGEST_LENGTH,           /* max tag length */

  386.     NULL, /* init */

  387.     aead_aes_256_cbc_sha1_ssl3_init,

  388.     aead_ssl3_cleanup,

  389.     aead_ssl3_seal,

  390.     aead_ssl3_open,

  391.     NULL,                        /* get_rc4_state */

  392. };

  393. 

  394. static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {

  395.     SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */

  396.     0,                          /* nonce len */

  397.     8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */

  398.     SHA_DIGEST_LENGTH,          /* max tag length */

  399.     NULL, /* init */

  400.     aead_des_ede3_cbc_sha1_ssl3_init,

  401.     aead_ssl3_cleanup,

  402.     aead_ssl3_seal,

  403.     aead_ssl3_open,

  404.     NULL,                        /* get_rc4_state */

  405. };

  406. 

  407. const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void) { return &aead_rc4_md5_ssl3; }

  408. 

  409. const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void) { return &aead_rc4_sha1_ssl3; }

  410. 

  411. const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void) {

  412.   return &aead_aes_128_cbc_sha1_ssl3;

  413. }

  414. 

  415. const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void) {

  416.   return &aead_aes_256_cbc_sha1_ssl3;

  417. }

  418. 

  419. const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void) {

  420.   return &aead_des_ede3_cbc_sha1_ssl3;

  421. }