2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 /* For SSL3_VERSION, TLS1_VERSION etc */
12 #include <openssl/prov_ssl.h>
13 #include <openssl/rand.h>
14 #include <openssl/proverr.h>
15 #include "internal/constant_time.h"
16 #include "ciphercommon_local.h"
18 /* Functions defined in ssl/tls_pad.c */
19 int ssl3_cbc_remove_padding_and_mac(size_t *reclen,
21 unsigned char *recdata,
24 size_t block_size, size_t mac_size,
25 OSSL_LIB_CTX *libctx);
27 int tls1_cbc_remove_padding_and_mac(size_t *reclen,
29 unsigned char *recdata,
32 size_t block_size, size_t mac_size,
34 OSSL_LIB_CTX *libctx);
37 * Fills a single block of buffered data from the input, and returns the amount
38 * of data remaining in the input that is a multiple of the blocksize. The buffer
39 * is only filled if it already has some data in it, isn't full already or we
40 * don't have at least one block in the input.
42 * buf: a buffer of blocksize bytes
43 * buflen: contains the amount of data already in buf on entry. Updated with the
44 * amount of data in buf at the end. On entry *buflen must always be
45 * less than the blocksize
46 * blocksize: size of a block. Must be greater than 0 and a power of 2
47 * in: pointer to a pointer containing the input data
48 * inlen: amount of input data available
50 * On return buf is filled with as much data as possible up to a full block,
51 * *buflen is updated containing the amount of data in buf. *in is updated to
52 * the new location where input data should be read from, *inlen is updated with
53 * the remaining amount of data in *in. Returns the largest value <= *inlen
54 * which is a multiple of the blocksize.
56 size_t ossl_cipher_fillblock(unsigned char *buf, size_t *buflen,
58 const unsigned char **in, size_t *inlen)
60 size_t blockmask = ~(blocksize - 1);
61 size_t bufremain = blocksize - *buflen;
63 assert(*buflen <= blocksize);
64 assert(blocksize > 0 && (blocksize & (blocksize - 1)) == 0);
66 if (*inlen < bufremain)
68 memcpy(buf + *buflen, *in, bufremain);
73 return *inlen & blockmask;
77 * Fills the buffer with trailing data from an encryption/decryption that didn't
78 * fit into a full block.
80 int ossl_cipher_trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
81 const unsigned char **in, size_t *inlen)
86 if (*buflen + *inlen > blocksize) {
87 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
91 memcpy(buf + *buflen, *in, *inlen);
98 /* Pad the final block for encryption */
99 void ossl_cipher_padblock(unsigned char *buf, size_t *buflen, size_t blocksize)
102 unsigned char pad = (unsigned char)(blocksize - *buflen);
104 for (i = *buflen; i < blocksize; i++)
108 int ossl_cipher_unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize)
111 size_t len = *buflen;
113 if(len != blocksize) {
114 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
119 * The following assumes that the ciphertext has been authenticated.
120 * Otherwise it provides a padding oracle.
122 pad = buf[blocksize - 1];
123 if (pad == 0 || pad > blocksize) {
124 ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
127 for (i = 0; i < pad; i++) {
128 if (buf[--len] != pad) {
129 ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
138 * ossl_cipher_tlsunpadblock removes the CBC padding from the decrypted, TLS, CBC
139 * record in constant time. Also removes the MAC from the record in constant
142 * libctx: Our library context
143 * tlsversion: The TLS version in use, e.g. SSL3_VERSION, TLS1_VERSION, etc
144 * buf: The decrypted TLS record data
145 * buflen: The length of the decrypted TLS record data. Updated with the new
146 * length after the padding is removed
147 * block_size: the block size of the cipher used to encrypt the record.
148 * mac: Location to store the pointer to the MAC
149 * alloced: Whether the MAC is stored in a newly allocated buffer, or whether
150 * *mac points into *buf
151 * macsize: the size of the MAC inside the record (or 0 if there isn't one)
152 * aead: whether this is an aead cipher
154 * 0: (in non-constant time) if the record is publicly invalid.
155 * 1: (in constant time) Record is publicly valid. If padding is invalid then
158 int ossl_cipher_tlsunpadblock(OSSL_LIB_CTX *libctx, unsigned int tlsversion,
159 unsigned char *buf, size_t *buflen,
161 unsigned char **mac, int *alloced, size_t macsize,
166 switch (tlsversion) {
168 return ssl3_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
169 alloced, blocksize, macsize,
173 case DTLS1_2_VERSION:
177 /* Remove the explicit IV */
179 *buflen -= blocksize;
182 ret = tls1_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
183 alloced, blocksize, macsize,