Fix IV check and padding removal.

[openssl.git] / ssl / s3_cbc.c

diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 694bf374d24a4c052054dcd117f5bf5a727c67a5..0f605074a4615bd7e7ca33ee3d54cb8bebd6d220 100644 (file)
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -116,7 +116,9 @@ int ssl3_cbc_remove_padding(const SSL* s,
        good = constant_time_ge(rec->length, padding_length+overhead);
        /* SSLv3 requires that the padding is minimal. */
        good &= constant_time_ge(block_size, padding_length+1);
-       rec->length -= good & (padding_length+1);
+       padding_length = good & (padding_length+1);
+       rec->length -= padding_length;
+       rec->type |= padding_length<<8; /* kludge: pass padding length */
        return (int)((good & 1) | (~good & -1));
 }
 
@@ -137,15 +139,21 @@ int tls1_cbc_remove_padding(const SSL* s,
                            unsigned mac_size)
        {
        unsigned padding_length, good, to_check, i;
-       const char has_explicit_iv =
-               s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION;
-       const unsigned overhead = 1 /* padding length byte */ +
-                                 mac_size +
-                                 (has_explicit_iv ? block_size : 0);
-
-       /* These lengths are all public so we can test them in non-constant
-        * time. */
-       if (overhead > rec->length)
+       const unsigned overhead = 1 /* padding length byte */ + mac_size;
+       /* Check if version requires explicit IV */
+       if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
+               {
+               /* These lengths are all public so we can test them in
+                * non-constant time.
+                */
+               if (overhead + block_size > rec->length)
+                       return 0;
+               /* We can now safely skip explicit IV */
+               rec->data += block_size;
+               rec->input += block_size;
+               rec->length -= block_size;
+               }
+       else if (overhead > rec->length)
                return 0;
 
        padding_length = rec->data[rec->length-1];
@@ -170,6 +178,13 @@ int tls1_cbc_remove_padding(const SSL* s,
                        }
                }
 
+       if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
+               {
+               /* padding is already verified */
+               rec->length -= padding_length + 1;
+               return 1;
+               }
+
        good = constant_time_ge(rec->length, overhead+padding_length);
        /* The padding consists of a length byte at the end of the record and
         * then that many bytes of padding, all with the same value as the
@@ -203,23 +218,9 @@ int tls1_cbc_remove_padding(const SSL* s,
        good <<= sizeof(good)*8-1;
        good = DUPLICATE_MSB_TO_ALL(good);
 
-       rec->length -= good & (padding_length+1);
-
-       /* We can always safely skip the explicit IV. We check at the beginning
-        * of this function that the record has at least enough space for the
-        * IV, MAC and padding length byte. (These can be checked in
-        * non-constant time because it's all public information.) So, if the
-        * padding was invalid, then we didn't change |rec->length| and this is
-        * safe. If the padding was valid then we know that we have at least
-        * overhead+padding_length bytes of space and so this is still safe
-        * because overhead accounts for the explicit IV. */
-       if (has_explicit_iv)
-               {
-               rec->data += block_size;
-               rec->input += block_size;
-               rec->length -= block_size;
-               rec->orig_len -= block_size;
-               }
+       padding_length = good & (padding_length+1);
+       rec->length -= padding_length;
+       rec->type |= padding_length<<8; /* kludge: pass padding length */
 
        return (int)((good & 1) | (~good & -1));
        }
@@ -246,7 +247,7 @@ int tls1_cbc_remove_padding(const SSL* s,
  */
 void ssl3_cbc_copy_mac(unsigned char* out,
                       const SSL3_RECORD *rec,
-                      unsigned md_size)
+                      unsigned md_size,unsigned orig_len)
        {
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
        unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2];
@@ -265,7 +266,7 @@ void ssl3_cbc_copy_mac(unsigned char* out,
        unsigned div_spoiler;
        unsigned rotate_offset;
 
-       OPENSSL_assert(rec->orig_len >= md_size);
+       OPENSSL_assert(orig_len >= md_size);
        OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
 
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
@@ -273,8 +274,8 @@ void ssl3_cbc_copy_mac(unsigned char* out,
 #endif
 
        /* This information is public so it's safe to branch based on it. */
-       if (rec->orig_len > md_size + 255 + 1)
-               scan_start = rec->orig_len - (md_size + 255 + 1);
+       if (orig_len > md_size + 255 + 1)
+               scan_start = orig_len - (md_size + 255 + 1);
        /* div_spoiler contains a multiple of md_size that is used to cause the
         * modulo operation to be constant time. Without this, the time varies
         * based on the amount of padding when running on Intel chips at least.
@@ -287,9 +288,9 @@ void ssl3_cbc_copy_mac(unsigned char* out,
        rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
 
        memset(rotated_mac, 0, md_size);
-       for (i = scan_start; i < rec->orig_len;)
+       for (i = scan_start; i < orig_len;)
                {
-               for (j = 0; j < md_size && i < rec->orig_len; i++, j++)
+               for (j = 0; j < md_size && i < orig_len; i++, j++)
                        {
                        unsigned char mac_started = constant_time_ge(i, mac_start);
                        unsigned char mac_ended = constant_time_ge(i, mac_end);
@@ -318,16 +319,24 @@ void ssl3_cbc_copy_mac(unsigned char* out,
 #endif
        }
 
+/* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
+ * little-endian order. The value of p is advanced by four. */
+#define u32toLE(n, p) \
+       (*((p)++)=(unsigned char)(n), \
+        *((p)++)=(unsigned char)(n>>8), \
+        *((p)++)=(unsigned char)(n>>16), \
+        *((p)++)=(unsigned char)(n>>24))
+
 /* These functions serialize the state of a hash and thus perform the standard
  * "final" operation without adding the padding and length that such a function
  * typically does. */
 static void tls1_md5_final_raw(void* ctx, unsigned char *md_out)
        {
        MD5_CTX *md5 = ctx;
-       l2n(md5->A, md_out);
-       l2n(md5->B, md_out);
-       l2n(md5->C, md_out);
-       l2n(md5->D, md_out);
+       u32toLE(md5->A, md_out);
+       u32toLE(md5->B, md_out);
+       u32toLE(md5->C, md_out);
+       u32toLE(md5->D, md_out);
        }
 
 static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
@@ -339,7 +348,9 @@ static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
        l2n(sha1->h3, md_out);
        l2n(sha1->h4, md_out);
        }
+#define LARGEST_DIGEST_CTX SHA_CTX
 
+#ifndef OPENSSL_NO_SHA256
 static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out)
        {
        SHA256_CTX *sha256 = ctx;
@@ -350,7 +361,11 @@ static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out)
                l2n(sha256->h[i], md_out);
                }
        }
+#undef  LARGEST_DIGEST_CTX
+#define LARGEST_DIGEST_CTX SHA256_CTX
+#endif
 
+#ifndef OPENSSL_NO_SHA512
 static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
        {
        SHA512_CTX *sha512 = ctx;
@@ -361,6 +376,9 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
                l2n8(sha512->h[i], md_out);
                }
        }
+#undef  LARGEST_DIGEST_CTX
+#define LARGEST_DIGEST_CTX SHA512_CTX
+#endif
 
 /* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
  * which ssl3_cbc_digest_record supports. */
@@ -370,14 +388,18 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
        if (FIPS_mode())
                return 0;
 #endif
-       switch (ctx->digest->type)
+       switch (EVP_MD_CTX_type(ctx))
                {
                case NID_md5:
                case NID_sha1:
+#ifndef OPENSSL_NO_SHA256
                case NID_sha224:
                case NID_sha256:
+#endif
+#ifndef OPENSSL_NO_SHA512
                case NID_sha384:
                case NID_sha512:
+#endif
                        return 1;
                default:
                        return 0;
@@ -415,7 +437,8 @@ void ssl3_cbc_digest_record(
        unsigned mac_secret_length,
        char is_sslv3)
        {
-       unsigned char md_state[sizeof(SHA512_CTX)];
+       union { double align;
+               unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; } md_state;
        void (*md_final_raw)(void *ctx, unsigned char *md_out);
        void (*md_transform)(void *ctx, const unsigned char *block);
        unsigned md_size, md_block_size = 64;
@@ -433,40 +456,45 @@ void ssl3_cbc_digest_record(
        /* mdLengthSize is the number of bytes in the length field that terminates
        * the hash. */
        unsigned md_length_size = 8;
+       char length_is_big_endian = 1;
 
        /* This is a, hopefully redundant, check that allows us to forget about
         * many possible overflows later in this function. */
        OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024);
 
-       switch (ctx->digest->type)
+       switch (EVP_MD_CTX_type(ctx))
                {
                case NID_md5:
-                       MD5_Init((MD5_CTX*)md_state);
+                       MD5_Init((MD5_CTX*)md_state.c);
                        md_final_raw = tls1_md5_final_raw;
                        md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
                        md_size = 16;
                        sslv3_pad_length = 48;
+                       length_is_big_endian = 0;
                        break;
                case NID_sha1:
-                       SHA1_Init((SHA_CTX*)md_state);
+                       SHA1_Init((SHA_CTX*)md_state.c);
                        md_final_raw = tls1_sha1_final_raw;
                        md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform;
                        md_size = 20;
                        break;
+#ifndef OPENSSL_NO_SHA256
                case NID_sha224:
-                       SHA224_Init((SHA256_CTX*)md_state);
+                       SHA224_Init((SHA256_CTX*)md_state.c);
                        md_final_raw = tls1_sha256_final_raw;
                        md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
                        md_size = 224/8;
                        break;
                case NID_sha256:
-                       SHA256_Init((SHA256_CTX*)md_state);
+                       SHA256_Init((SHA256_CTX*)md_state.c);
                        md_final_raw = tls1_sha256_final_raw;
                        md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
                        md_size = 32;
                        break;
+#endif
+#ifndef OPENSSL_NO_SHA512
                case NID_sha384:
-                       SHA384_Init((SHA512_CTX*)md_state);
+                       SHA384_Init((SHA512_CTX*)md_state.c);
                        md_final_raw = tls1_sha512_final_raw;
                        md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
                        md_size = 384/8;
@@ -474,13 +502,14 @@ void ssl3_cbc_digest_record(
                        md_length_size = 16;
                        break;
                case NID_sha512:
-                       SHA512_Init((SHA512_CTX*)md_state);
+                       SHA512_Init((SHA512_CTX*)md_state.c);
                        md_final_raw = tls1_sha512_final_raw;
                        md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
                        md_size = 64;
                        md_block_size = 128;
                        md_length_size = 16;
                        break;
+#endif
                default:
                        /* ssl3_cbc_record_digest_supported should have been
                         * called first to check that the hash function is
@@ -579,14 +608,25 @@ void ssl3_cbc_digest_record(
                for (i = 0; i < md_block_size; i++)
                        hmac_pad[i] ^= 0x36;
 
-               md_transform(md_state, hmac_pad);
+               md_transform(md_state.c, hmac_pad);
                }
 
-       memset(length_bytes,0,md_length_size-4);
-       length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
-       length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
-       length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
-       length_bytes[md_length_size-1] = (unsigned char)bits;
+       if (length_is_big_endian)
+               {
+               memset(length_bytes,0,md_length_size-4);
+               length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
+               length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
+               length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
+               length_bytes[md_length_size-1] = (unsigned char)bits;
+               }
+       else
+               {
+               memset(length_bytes,0,md_length_size);
+               length_bytes[md_length_size-5] = (unsigned char)(bits>>24);
+               length_bytes[md_length_size-6] = (unsigned char)(bits>>16);
+               length_bytes[md_length_size-7] = (unsigned char)(bits>>8);
+               length_bytes[md_length_size-8] = (unsigned char)bits;
+               }
 
        if (k > 0)
                {
@@ -597,21 +637,21 @@ void ssl3_cbc_digest_record(
                         * block that the header consumes: either 7 bytes
                         * (SHA1) or 11 bytes (MD5). */
                        unsigned overhang = header_length-md_block_size;
-                       md_transform(md_state, header);
+                       md_transform(md_state.c, header);
                        memcpy(first_block, header + md_block_size, overhang);
                        memcpy(first_block + overhang, data, md_block_size-overhang);
-                       md_transform(md_state, first_block);
+                       md_transform(md_state.c, first_block);
                        for (i = 1; i < k/md_block_size - 1; i++)
-                               md_transform(md_state, data + md_block_size*i - overhang);
+                               md_transform(md_state.c, data + md_block_size*i - overhang);
                        }
                else
                        {
                        /* k is a multiple of md_block_size. */
                        memcpy(first_block, header, 13);
                        memcpy(first_block+13, data, md_block_size-13);
-                       md_transform(md_state, first_block);
+                       md_transform(md_state.c, first_block);
                        for (i = 1; i < k/md_block_size; i++)
-                               md_transform(md_state, data + md_block_size*i - 13);
+                               md_transform(md_state.c, data + md_block_size*i - 13);
                        }
                }
 
@@ -661,8 +701,8 @@ void ssl3_cbc_digest_record(
                        block[j] = b;
                        }
 
-               md_transform(md_state, block);
-               md_final_raw(md_state, block);
+               md_transform(md_state.c, block);
+               md_final_raw(md_state.c, block);
                /* If this is index_b, copy the hash value to |mac_out|. */
                for (j = 0; j < md_size; j++)
                        mac_out[j] |= block[j]&is_block_b;