Split TLSv1.3 record protection from record layer.

This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code. ok inoguchi@ tb@
author: jsing <> 2021-03-21 17:25:17 +0000
committer: jsing <> 2021-03-21 17:25:17 +0000
commit: 25064bbd608cffa42b7bf46d3ea7eeb88d693de4 (patch)
tree: cc502959cce0dda3950056cfd7fad89b63fed442
parent: d80f02f1a1af44e9d5abc9866168fefa7c4a6b7a (diff)
download: openbsd-25064bbd608cffa42b7bf46d3ea7eeb88d693de4.tar.gz
openbsd-25064bbd608cffa42b7bf46d3ea7eeb88d693de4.tar.bz2
openbsd-25064bbd608cffa42b7bf46d3ea7eeb88d693de4.zip
1 files changed, 72 insertions, 46 deletions
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index bbecc60674..4be4bad860 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.58 2021/01/05 17:49:04 tb Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.59 2021/03/21 17:25:17 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -25,6 +25,41 @@ static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
    uint8_t content_type, const uint8_t *content, size_t content_len);
+struct tls13_record_protection {
+        EVP_AEAD_CTX aead_ctx;
+        struct tls13_secret iv;
+        struct tls13_secret nonce;
+        uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN];
+};
+struct tls13_record_protection *
+tls13_record_protection_new(void)
+{
+        return calloc(1, sizeof(struct tls13_record_protection));
+}
+void
+tls13_record_protection_clear(struct tls13_record_protection *rp)
+{
+        EVP_AEAD_CTX_cleanup(&rp->aead_ctx);
+        tls13_secret_cleanup(&rp->iv);
+        tls13_secret_cleanup(&rp->nonce);
+        memset(rp->seq_num, 0, sizeof(rp->seq_num));
+}
+void
+tls13_record_protection_free(struct tls13_record_protection *rp)
+{
+        if (rp == NULL)
+                return;
+        tls13_record_protection_clear(rp);
+        freezero(rp, sizeof(struct tls13_record_protection));
+}
 struct tls13_record_layer {
        uint16_t legacy_version;
@@ -75,14 +110,8 @@ struct tls13_record_layer {
        /* Record protection. */
        const EVP_MD *hash;
        const EVP_AEAD *aead;
-        EVP_AEAD_CTX read_aead_ctx;
+        struct tls13_record_protection *read;
-        EVP_AEAD_CTX write_aead_ctx;
+        struct tls13_record_protection *write;
-        struct tls13_secret read_iv;
-        struct tls13_secret write_iv;
-        struct tls13_secret read_nonce;
-        struct tls13_secret write_nonce;
-        uint8_t read_seq_num[TLS13_RECORD_SEQ_NUM_LEN];
-        uint8_t write_seq_num[TLS13_RECORD_SEQ_NUM_LEN];
        /* Callbacks. */
        struct tls13_record_layer_callbacks cb;
@@ -120,13 +149,23 @@ tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks,
        struct tls13_record_layer *rl;
        if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL)
-                return NULL;
+                goto err;
+        if ((rl->read = tls13_record_protection_new()) == NULL)
+                goto err;
+        if ((rl->write = tls13_record_protection_new()) == NULL)
+                goto err;
        rl->legacy_version = TLS1_2_VERSION;
        rl->cb = *callbacks;
        rl->cb_arg = cb_arg;
        return rl;
+ err:
+        tls13_record_layer_free(rl);
+        return NULL;
 }
 void
@@ -143,13 +182,8 @@ tls13_record_layer_free(struct tls13_record_layer *rl)
        tls13_record_layer_rbuf_free(rl);
-        EVP_AEAD_CTX_cleanup(&rl->read_aead_ctx);
+        tls13_record_protection_free(rl->read);
-        EVP_AEAD_CTX_cleanup(&rl->write_aead_ctx);
+        tls13_record_protection_free(rl->write);
-        tls13_secret_cleanup(&rl->read_iv);
-        tls13_secret_cleanup(&rl->write_iv);
-        tls13_secret_cleanup(&rl->read_nonce);
-        tls13_secret_cleanup(&rl->write_nonce);
        freezero(rl, sizeof(struct tls13_record_layer));
 }
@@ -430,32 +464,28 @@ tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs)
 }
 static int
-tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, EVP_AEAD_CTX *aead_ctx,
+tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash,
-    const EVP_MD *hash, struct tls13_secret *iv, struct tls13_secret *nonce,
+    struct tls13_record_protection *rp, struct tls13_secret *traffic_key)
-    struct tls13_secret *traffic_key)
 {
        struct tls13_secret context = { .data = "", .len = 0 };
        struct tls13_secret key = { .data = NULL, .len = 0 };
        int ret = 0;
-        EVP_AEAD_CTX_cleanup(aead_ctx);
+        tls13_record_protection_clear(rp);
-        tls13_secret_cleanup(iv);
+        if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead)))
-        tls13_secret_cleanup(nonce);
-        if (!tls13_secret_init(iv, EVP_AEAD_nonce_length(aead)))
                goto err;
-        if (!tls13_secret_init(nonce, EVP_AEAD_nonce_length(aead)))
+        if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead)))
                goto err;
        if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead)))
                goto err;
-        if (!tls13_hkdf_expand_label(iv, hash, traffic_key, "iv", &context))
+        if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context))
                goto err;
        if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))
                goto err;
-        if (!EVP_AEAD_CTX_init(aead_ctx, aead, key.data, key.len,
+        if (!EVP_AEAD_CTX_init(&rp->aead_ctx, aead, key.data, key.len,
            EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
                goto err;
@@ -471,20 +501,16 @@ int
 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
    struct tls13_secret *read_key)
 {
-        memset(rl->read_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN);
+        return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
+            rl->read, read_key);
-        return tls13_record_layer_set_traffic_key(rl->aead, &rl->read_aead_ctx,
-            rl->hash, &rl->read_iv, &rl->read_nonce, read_key);
 }
 int
 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
    struct tls13_secret *write_key)
 {
-        memset(rl->write_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN);
+        return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
+            rl->write, write_key);
-        return tls13_record_layer_set_traffic_key(rl->aead, &rl->write_aead_ctx,
-            rl->hash, &rl->write_iv, &rl->write_nonce, write_key);
 }
 static int
@@ -541,13 +567,13 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
                goto err;
        content_len = CBS_len(&enc_record);
-        if (!tls13_record_layer_update_nonce(&rl->read_nonce, &rl->read_iv,
+        if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv,
-            rl->read_seq_num))
+            rl->read->seq_num))
                goto err;
-        if (!EVP_AEAD_CTX_open(&rl->read_aead_ctx,
+        if (!EVP_AEAD_CTX_open(&rl->read->aead_ctx,
            content, &out_len, content_len,
-            rl->read_nonce.data, rl->read_nonce.len,
+            rl->read->nonce.data, rl->read->nonce.len,
            CBS_data(&enc_record), CBS_len(&enc_record),
            CBS_data(&header), CBS_len(&header)))
                goto err;
@@ -557,7 +583,7 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
                goto err;
        }
-        if (!tls13_record_layer_inc_seq_num(rl->read_seq_num))
+        if (!tls13_record_layer_inc_seq_num(rl->read->seq_num))
                goto err;
        /*
@@ -718,8 +744,8 @@ tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
        if (!CBB_finish(&cbb, &data, &data_len))
                goto err;
-        if (!tls13_record_layer_update_nonce(&rl->write_nonce,
+        if (!tls13_record_layer_update_nonce(&rl->write->nonce,
-            &rl->write_iv, rl->write_seq_num))
+            &rl->write->iv, rl->write->seq_num))
                goto err;
        /*
@@ -727,16 +753,16 @@ tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
         * this would avoid a copy since the inner would be passed as two
         * separate pieces.
         */
-        if (!EVP_AEAD_CTX_seal(&rl->write_aead_ctx,
+        if (!EVP_AEAD_CTX_seal(&rl->write->aead_ctx,
            enc_record, &out_len, enc_record_len,
-            rl->write_nonce.data, rl->write_nonce.len,
+            rl->write->nonce.data, rl->write->nonce.len,
            inner, inner_len, header, header_len))
                goto err;
        if (out_len != enc_record_len)
                goto err;
-        if (!tls13_record_layer_inc_seq_num(rl->write_seq_num))
+        if (!tls13_record_layer_inc_seq_num(rl->write->seq_num))
                goto err;
        if (!tls13_record_set_data(rl->wrec, data, data_len))
author	jsing <>	2021-03-21 17:25:17 +0000
committer	jsing <>	2021-03-21 17:25:17 +0000
commit	25064bbd608cffa42b7bf46d3ea7eeb88d693de4 (patch)
tree	cc502959cce0dda3950056cfd7fad89b63fed442
parent	d80f02f1a1af44e9d5abc9866168fefa7c4a6b7a (diff)
download	openbsd-25064bbd608cffa42b7bf46d3ea7eeb88d693de4.tar.gz openbsd-25064bbd608cffa42b7bf46d3ea7eeb88d693de4.tar.bz2 openbsd-25064bbd608cffa42b7bf46d3ea7eeb88d693de4.zip

diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c index bbecc60674..4be4bad860 100644 --- a/src/lib/libssl/tls13_record_layer.c +++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_record_layer.c,v 1.58 2021/01/05 17:49:04 tb Exp $ */	1	/* $OpenBSD: tls13_record_layer.c,v 1.59 2021/03/21 17:25:17 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -25,6 +25,41 @@ static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
25	static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,	25	static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
26	uint8_t content_type, const uint8_t *content, size_t content_len);	26	uint8_t content_type, const uint8_t *content, size_t content_len);
27		27
		28	struct tls13_record_protection {
		29	EVP_AEAD_CTX aead_ctx;
		30	struct tls13_secret iv;
		31	struct tls13_secret nonce;
		32	uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN];
		33	};
		34
		35	struct tls13_record_protection *
		36	tls13_record_protection_new(void)
		37	{
		38	return calloc(1, sizeof(struct tls13_record_protection));
		39	}
		40
		41	void
		42	tls13_record_protection_clear(struct tls13_record_protection *rp)
		43	{
		44	EVP_AEAD_CTX_cleanup(&rp->aead_ctx);
		45
		46	tls13_secret_cleanup(&rp->iv);
		47	tls13_secret_cleanup(&rp->nonce);
		48
		49	memset(rp->seq_num, 0, sizeof(rp->seq_num));
		50	}
		51
		52	void
		53	tls13_record_protection_free(struct tls13_record_protection *rp)
		54	{
		55	if (rp == NULL)
		56	return;
		57
		58	tls13_record_protection_clear(rp);
		59
		60	freezero(rp, sizeof(struct tls13_record_protection));
		61	}
		62
28	struct tls13_record_layer {	63	struct tls13_record_layer {
29	uint16_t legacy_version;	64	uint16_t legacy_version;
30		65
@@ -75,14 +110,8 @@ struct tls13_record_layer {
75	/* Record protection. */	110	/* Record protection. */
76	const EVP_MD *hash;	111	const EVP_MD *hash;
77	const EVP_AEAD *aead;	112	const EVP_AEAD *aead;
78	EVP_AEAD_CTX read_aead_ctx;	113	struct tls13_record_protection *read;
79	EVP_AEAD_CTX write_aead_ctx;	114	struct tls13_record_protection *write;
80	struct tls13_secret read_iv;
81	struct tls13_secret write_iv;
82	struct tls13_secret read_nonce;
83	struct tls13_secret write_nonce;
84	uint8_t read_seq_num[TLS13_RECORD_SEQ_NUM_LEN];
85	uint8_t write_seq_num[TLS13_RECORD_SEQ_NUM_LEN];
86		115
87	/* Callbacks. */	116	/* Callbacks. */
88	struct tls13_record_layer_callbacks cb;	117	struct tls13_record_layer_callbacks cb;
@@ -120,13 +149,23 @@ tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks,
120	struct tls13_record_layer *rl;	149	struct tls13_record_layer *rl;
121		150
122	if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL)	151	if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL)
123	return NULL;	152	goto err;
		153
		154	if ((rl->read = tls13_record_protection_new()) == NULL)
		155	goto err;
		156	if ((rl->write = tls13_record_protection_new()) == NULL)
		157	goto err;
124		158
125	rl->legacy_version = TLS1_2_VERSION;	159	rl->legacy_version = TLS1_2_VERSION;
126	rl->cb = *callbacks;	160	rl->cb = *callbacks;
127	rl->cb_arg = cb_arg;	161	rl->cb_arg = cb_arg;
128		162
129	return rl;	163	return rl;
		164
		165	err:
		166	tls13_record_layer_free(rl);
		167
		168	return NULL;
130	}	169	}
131		170
132	void	171	void
@@ -143,13 +182,8 @@ tls13_record_layer_free(struct tls13_record_layer *rl)
143		182
144	tls13_record_layer_rbuf_free(rl);	183	tls13_record_layer_rbuf_free(rl);
145		184
146	EVP_AEAD_CTX_cleanup(&rl->read_aead_ctx);	185	tls13_record_protection_free(rl->read);
147	EVP_AEAD_CTX_cleanup(&rl->write_aead_ctx);	186	tls13_record_protection_free(rl->write);
148
149	tls13_secret_cleanup(&rl->read_iv);
150	tls13_secret_cleanup(&rl->write_iv);
151	tls13_secret_cleanup(&rl->read_nonce);
152	tls13_secret_cleanup(&rl->write_nonce);
153		187
154	freezero(rl, sizeof(struct tls13_record_layer));	188	freezero(rl, sizeof(struct tls13_record_layer));
155	}	189	}
@@ -430,32 +464,28 @@ tls13_record_layer_phh(struct tls13_record_layer rl, CBS cbs)
430	}	464	}
431		465
432	static int	466	static int
433	tls13_record_layer_set_traffic_key(const EVP_AEAD aead, EVP_AEAD_CTX aead_ctx,	467	tls13_record_layer_set_traffic_key(const EVP_AEAD aead, const EVP_MD hash,
434	const EVP_MD hash, struct tls13_secret iv, struct tls13_secret *nonce,	468	struct tls13_record_protection rp, struct tls13_secret traffic_key)
435	struct tls13_secret *traffic_key)
436	{	469	{
437	struct tls13_secret context = { .data = "", .len = 0 };	470	struct tls13_secret context = { .data = "", .len = 0 };
438	struct tls13_secret key = { .data = NULL, .len = 0 };	471	struct tls13_secret key = { .data = NULL, .len = 0 };
439	int ret = 0;	472	int ret = 0;
440		473
441	EVP_AEAD_CTX_cleanup(aead_ctx);	474	tls13_record_protection_clear(rp);
442		475
443	tls13_secret_cleanup(iv);	476	if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead)))
444	tls13_secret_cleanup(nonce);
445
446	if (!tls13_secret_init(iv, EVP_AEAD_nonce_length(aead)))
447	goto err;	477	goto err;
448	if (!tls13_secret_init(nonce, EVP_AEAD_nonce_length(aead)))	478	if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead)))
449	goto err;	479	goto err;
450	if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead)))	480	if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead)))
451	goto err;	481	goto err;
452		482
453	if (!tls13_hkdf_expand_label(iv, hash, traffic_key, "iv", &context))	483	if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context))
454	goto err;	484	goto err;
455	if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))	485	if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))
456	goto err;	486	goto err;
457		487
458	if (!EVP_AEAD_CTX_init(aead_ctx, aead, key.data, key.len,	488	if (!EVP_AEAD_CTX_init(&rp->aead_ctx, aead, key.data, key.len,
459	EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))	489	EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
460	goto err;	490	goto err;
461		491
@@ -471,20 +501,16 @@ int
471	tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,	501	tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
472	struct tls13_secret *read_key)	502	struct tls13_secret *read_key)
473	{	503	{
474	memset(rl->read_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN);	504	return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
475		505	rl->read, read_key);
476	return tls13_record_layer_set_traffic_key(rl->aead, &rl->read_aead_ctx,
477	rl->hash, &rl->read_iv, &rl->read_nonce, read_key);
478	}	506	}
479		507
480	int	508	int
481	tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,	509	tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
482	struct tls13_secret *write_key)	510	struct tls13_secret *write_key)
483	{	511	{
484	memset(rl->write_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN);	512	return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
485		513	rl->write, write_key);
486	return tls13_record_layer_set_traffic_key(rl->aead, &rl->write_aead_ctx,
487	rl->hash, &rl->write_iv, &rl->write_nonce, write_key);
488	}	514	}
489		515
490	static int	516	static int
@@ -541,13 +567,13 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
541	goto err;	567	goto err;
542	content_len = CBS_len(&enc_record);	568	content_len = CBS_len(&enc_record);
543		569
544	if (!tls13_record_layer_update_nonce(&rl->read_nonce, &rl->read_iv,	570	if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv,
545	rl->read_seq_num))	571	rl->read->seq_num))
546	goto err;	572	goto err;
547		573
548	if (!EVP_AEAD_CTX_open(&rl->read_aead_ctx,	574	if (!EVP_AEAD_CTX_open(&rl->read->aead_ctx,
549	content, &out_len, content_len,	575	content, &out_len, content_len,
550	rl->read_nonce.data, rl->read_nonce.len,	576	rl->read->nonce.data, rl->read->nonce.len,
551	CBS_data(&enc_record), CBS_len(&enc_record),	577	CBS_data(&enc_record), CBS_len(&enc_record),
552	CBS_data(&header), CBS_len(&header)))	578	CBS_data(&header), CBS_len(&header)))
553	goto err;	579	goto err;
@@ -557,7 +583,7 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
557	goto err;	583	goto err;
558	}	584	}
559		585
560	if (!tls13_record_layer_inc_seq_num(rl->read_seq_num))	586	if (!tls13_record_layer_inc_seq_num(rl->read->seq_num))
561	goto err;	587	goto err;
562		588
563	/*	589	/*
@@ -718,8 +744,8 @@ tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
718	if (!CBB_finish(&cbb, &data, &data_len))	744	if (!CBB_finish(&cbb, &data, &data_len))
719	goto err;	745	goto err;
720		746
721	if (!tls13_record_layer_update_nonce(&rl->write_nonce,	747	if (!tls13_record_layer_update_nonce(&rl->write->nonce,
722	&rl->write_iv, rl->write_seq_num))	748	&rl->write->iv, rl->write->seq_num))
723	goto err;	749	goto err;
724		750
725	/*	751	/*
@@ -727,16 +753,16 @@ tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
727	* this would avoid a copy since the inner would be passed as two	753	* this would avoid a copy since the inner would be passed as two
728	* separate pieces.	754	* separate pieces.
729	*/	755	*/
730	if (!EVP_AEAD_CTX_seal(&rl->write_aead_ctx,	756	if (!EVP_AEAD_CTX_seal(&rl->write->aead_ctx,
731	enc_record, &out_len, enc_record_len,	757	enc_record, &out_len, enc_record_len,
732	rl->write_nonce.data, rl->write_nonce.len,	758	rl->write->nonce.data, rl->write->nonce.len,
733	inner, inner_len, header, header_len))	759	inner, inner_len, header, header_len))
734	goto err;	760	goto err;
735		761
736	if (out_len != enc_record_len)	762	if (out_len != enc_record_len)
737	goto err;	763	goto err;
738		764
739	if (!tls13_record_layer_inc_seq_num(rl->write_seq_num))	765	if (!tls13_record_layer_inc_seq_num(rl->write->seq_num))
740	goto err;	766	goto err;
741		767
742	if (!tls13_record_set_data(rl->wrec, data, data_len))	768	if (!tls13_record_set_data(rl->wrec, data, data_len))