summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2020-10-03 17:35:17 +0000
committerjsing <>2020-10-03 17:35:17 +0000
commit3058247715ff89d092334e9137126e12b7220589 (patch)
treef4def91d73228cb651f854abf6bf23f4d3c22025
parent0f1f8d13de82c94a30254ca849b3933f8356101b (diff)
downloadopenbsd-3058247715ff89d092334e9137126e12b7220589.tar.gz
openbsd-3058247715ff89d092334e9137126e12b7220589.tar.bz2
openbsd-3058247715ff89d092334e9137126e12b7220589.zip
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer. The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained. ok beck@ inoguchi@ tb@
Diffstat
-rw-r--r--src/lib/libssl/d1_pkt.c134
-rw-r--r--src/lib/libssl/s3_cbc.c30
-rw-r--r--src/lib/libssl/ssl_locl.h14
-rw-r--r--src/lib/libssl/ssl_pkt.c166
-rw-r--r--src/lib/libssl/t1_enc.c339
-rw-r--r--src/lib/libssl/tls12_record_layer.c348
6 files changed, 426 insertions, 605 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 859043a3ce..30ce78414d 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_pkt.c,v 1.84 2020/10/03 17:11:28 jsing Exp $ */ 1/* $OpenBSD: d1_pkt.c,v 1.85 2020/10/03 17:35:16 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -310,130 +310,40 @@ dtls1_process_buffered_records(SSL *s)
310static int 310static int
311dtls1_process_record(SSL *s) 311dtls1_process_record(SSL *s)
312{ 312{
313 int i, al; 313 SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec);
314 int enc_err; 314 uint8_t alert_desc;
315 SSL_SESSION *sess; 315 uint8_t *out;
316 SSL3_RECORD_INTERNAL *rr; 316 size_t out_len;
317 unsigned int mac_size, orig_len;
318 unsigned char md[EVP_MAX_MD_SIZE];
319
320 rr = &(S3I(s)->rrec);
321 sess = s->session;
322
323 /* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
324 * and we have that many bytes in s->internal->packet
325 */
326 rr->input = &(s->internal->packet[DTLS1_RT_HEADER_LENGTH]);
327
328 /* ok, we can now read from 's->internal->packet' data into 'rr'
329 * rr->input points at rr->length bytes, which
330 * need to be copied into rr->data by either
331 * the decryption or by the decompression
332 * When the data is 'copied' into the rr->data buffer,
333 * rr->input will be pointed at the new buffer */
334
335 /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
336 * rr->length bytes of encrypted compressed stuff. */
337
338 /* check is not needed I believe */
339 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
340 al = SSL_AD_RECORD_OVERFLOW;
341 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
342 goto f_err;
343 }
344
345 /* decrypt in place in 'rr->input' */
346 rr->data = rr->input;
347
348 /* enc_err is:
349 * 0: (in non-constant time) if the record is publically invalid.
350 * 1: if the padding is valid
351 * -1: if the padding is invalid */
352 if ((enc_err = tls1_enc(s, 0)) == 0) {
353 /* For DTLS we simply ignore bad packets. */
354 rr->length = 0;
355 s->internal->packet_length = 0;
356 goto err;
357 }
358 317
359 /* r->length is now the compressed data plus mac */ 318 tls12_record_layer_set_version(s->internal->rl, s->version);
360 if ((sess != NULL) && (s->enc_read_ctx != NULL) && 319 tls12_record_layer_set_read_epoch(s->internal->rl, rr->epoch);
361 (EVP_MD_CTX_md(s->read_hash) != NULL)) {
362 /* s->read_hash != NULL => mac_size != -1 */
363 unsigned char *mac = NULL;
364 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
365 mac_size = EVP_MD_CTX_size(s->read_hash);
366 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
367
368 orig_len = rr->length + rr->padding_length;
369
370 /* orig_len is the length of the record before any padding was
371 * removed. This is public information, as is the MAC in use,
372 * therefore we can safely process the record in a different
373 * amount of time if it's too short to possibly contain a MAC.
374 */
375 if (orig_len < mac_size ||
376 /* CBC records must have a padding length byte too. */
377 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
378 orig_len < mac_size + 1)) {
379 al = SSL_AD_DECODE_ERROR;
380 SSLerror(s, SSL_R_LENGTH_TOO_SHORT);
381 goto f_err;
382 }
383 320
384 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { 321 if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet,
385 /* We update the length so that the TLS header bytes 322 s->internal->packet_length, &out, &out_len)) {
386 * can be constructed correctly but we need to extract 323 tls12_record_layer_alert(s->internal->rl, &alert_desc);
387 * the MAC in constant time from within the record,
388 * without leaking the contents of the padding bytes.
389 * */
390 mac = mac_tmp;
391 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
392 rr->length -= mac_size;
393 } else {
394 /* In this case there's no padding, so |orig_len|
395 * equals |rec->length| and we checked that there's
396 * enough bytes for |mac_size| above. */
397 rr->length -= mac_size;
398 mac = &rr->data[rr->length];
399 }
400 324
401 i = tls1_mac(s, md, 0 /* not send */); 325 if (alert_desc == 0)
402 if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) 326 goto err;
403 enc_err = -1;
404 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
405 enc_err = -1;
406 }
407 327
408 if (enc_err < 0) { 328 if (alert_desc == SSL_AD_RECORD_OVERFLOW)
409 /* decryption failed, silently discard message */ 329 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
410 rr->length = 0; 330 else if (alert_desc == SSL_AD_BAD_RECORD_MAC)
411 s->internal->packet_length = 0; 331 SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
412 goto err;
413 }
414 332
415 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
416 al = SSL_AD_RECORD_OVERFLOW;
417 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
418 goto f_err; 333 goto f_err;
419 } 334 }
420 335
336 rr->data = out;
337 rr->length = out_len;
421 rr->off = 0; 338 rr->off = 0;
422 /* So at this point the following is true
423 * ssl->s3->internal->rrec.type is the type of record
424 * ssl->s3->internal->rrec.length == number of bytes in record
425 * ssl->s3->internal->rrec.off == offset to first valid byte
426 * ssl->s3->internal->rrec.data == where to take bytes from, increment
427 * after use :-).
428 */
429 339
430 /* we have pulled in a full packet so zero things */
431 s->internal->packet_length = 0; 340 s->internal->packet_length = 0;
341
432 return (1); 342 return (1);
433 343
434f_err: 344 f_err:
435 ssl3_send_alert(s, SSL3_AL_FATAL, al); 345 ssl3_send_alert(s, SSL3_AL_FATAL, alert_desc);
436err: 346 err:
437 return (0); 347 return (0);
438} 348}
439 349
diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c
index 74e0562c2d..4f84c9485b 100644
--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_cbc.c,v 1.22 2020/06/19 21:26:40 tb Exp $ */ 1/* $OpenBSD: s3_cbc.c,v 1.23 2020/10/03 17:35:16 jsing Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 2012 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 2012 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -101,7 +101,7 @@ constant_time_eq_8(unsigned int a, unsigned int b)
101 return DUPLICATE_MSB_TO_ALL_8(c); 101 return DUPLICATE_MSB_TO_ALL_8(c);
102} 102}
103 103
104/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC 104/* ssl3_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
105 * record in |rec| in constant time and returns 1 if the padding is valid and 105 * record in |rec| in constant time and returns 1 if the padding is valid and
106 * -1 otherwise. It also removes any explicit IV from the start of the record 106 * -1 otherwise. It also removes any explicit IV from the start of the record
107 * without leaking any timing about whether there was enough space after the 107 * without leaking any timing about whether there was enough space after the
@@ -113,26 +113,24 @@ constant_time_eq_8(unsigned int a, unsigned int b)
113 * 1: if the padding was valid 113 * 1: if the padding was valid
114 * -1: otherwise. */ 114 * -1: otherwise. */
115int 115int
116tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec, 116ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len,
117 unsigned int block_size, unsigned int mac_size) 117 unsigned int mac_size)
118{ 118{
119 unsigned int padding_length, good, to_check, i; 119 unsigned int padding_length, good, to_check, i;
120 const unsigned int overhead = 1 /* padding length byte */ + mac_size; 120 const unsigned int overhead = 1 /* padding length byte */ + mac_size;
121 121
122 /* Check if version requires explicit IV */ 122 /*
123 if (SSL_USE_EXPLICIT_IV(s)) { 123 * These lengths are all public so we can test them in
124 /* These lengths are all public so we can test them in 124 * non-constant time.
125 * non-constant time. 125 */
126 */ 126 if (overhead + eiv_len > rec->length)
127 if (overhead + block_size > rec->length)
128 return 0;
129 /* We can now safely skip explicit IV */
130 rec->data += block_size;
131 rec->input += block_size;
132 rec->length -= block_size;
133 } else if (overhead > rec->length)
134 return 0; 127 return 0;
135 128
129 /* We can now safely skip explicit IV, if any. */
130 rec->data += eiv_len;
131 rec->input += eiv_len;
132 rec->length -= eiv_len;
133
136 padding_length = rec->data[rec->length - 1]; 134 padding_length = rec->data[rec->length - 1];
137 135
138 good = constant_time_ge(rec->length, overhead + padding_length); 136 good = constant_time_ge(rec->length, overhead + padding_length);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 9a9ef59282..0dda3ecd01 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.295 2020/09/24 18:12:00 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.296 2020/10/03 17:35:16 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -477,6 +477,8 @@ struct tls12_record_layer;
477 477
478struct tls12_record_layer *tls12_record_layer_new(void); 478struct tls12_record_layer *tls12_record_layer_new(void);
479void tls12_record_layer_free(struct tls12_record_layer *rl); 479void tls12_record_layer_free(struct tls12_record_layer *rl);
480void tls12_record_layer_alert(struct tls12_record_layer *rl,
481 uint8_t *alert_desc);
480void tls12_record_layer_set_version(struct tls12_record_layer *rl, 482void tls12_record_layer_set_version(struct tls12_record_layer *rl,
481 uint16_t version); 483 uint16_t version);
482void tls12_record_layer_set_read_epoch(struct tls12_record_layer *rl, 484void tls12_record_layer_set_read_epoch(struct tls12_record_layer *rl,
@@ -497,6 +499,10 @@ int tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer *rl,
497 EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac); 499 EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac);
498int tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer *rl, 500int tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer *rl,
499 EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac); 501 EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac);
502int tls12_record_layer_set_read_mac_key(struct tls12_record_layer *rl,
503 const uint8_t *mac_key, size_t mac_key_len);
504int tls12_record_layer_open_record(struct tls12_record_layer *rl,
505 uint8_t *buf, size_t buf_len, uint8_t **out, size_t *out_len);
500int tls12_record_layer_seal_record(struct tls12_record_layer *rl, 506int tls12_record_layer_seal_record(struct tls12_record_layer *rl,
501 uint8_t content_type, const uint8_t *content, size_t content_len, 507 uint8_t content_type, const uint8_t *content, size_t content_len,
502 CBB *out); 508 CBB *out);
@@ -1361,9 +1367,7 @@ int tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len);
1361void tls1_cleanup_key_block(SSL *s); 1367void tls1_cleanup_key_block(SSL *s);
1362int tls1_change_cipher_state(SSL *s, int which); 1368int tls1_change_cipher_state(SSL *s, int which);
1363int tls1_setup_key_block(SSL *s); 1369int tls1_setup_key_block(SSL *s);
1364int tls1_enc(SSL *s, int snd);
1365int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *p); 1370int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *p);
1366int tls1_mac(SSL *ssl, unsigned char *md, int snd);
1367int tls1_generate_master_secret(SSL *s, unsigned char *out, 1371int tls1_generate_master_secret(SSL *s, unsigned char *out,
1368 unsigned char *p, int len); 1372 unsigned char *p, int len);
1369int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, 1373int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
@@ -1411,8 +1415,8 @@ int tls1_check_ec_server_key(SSL *s);
1411/* s3_cbc.c */ 1415/* s3_cbc.c */
1412void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD_INTERNAL *rec, 1416void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD_INTERNAL *rec,
1413 unsigned int md_size, unsigned int orig_len); 1417 unsigned int md_size, unsigned int orig_len);
1414int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD_INTERNAL *rec, 1418int ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len,
1415 unsigned int block_size, unsigned int mac_size); 1419 unsigned int mac_size);
1416char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); 1420char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
1417int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out, 1421int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
1418 size_t *md_out_size, const unsigned char header[13], 1422 size_t *md_out_size, const unsigned char header[13],
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index c9c86471d3..02a476ea82 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_pkt.c,v 1.31 2020/08/30 15:40:20 jsing Exp $ */ 1/* $OpenBSD: ssl_pkt.c,v 1.32 2020/10/03 17:35:16 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -149,15 +149,14 @@ ssl_force_want_read(SSL *s)
149static int 149static int
150ssl3_read_n(SSL *s, int n, int max, int extend) 150ssl3_read_n(SSL *s, int n, int max, int extend)
151{ 151{
152 SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf);
152 int i, len, left; 153 int i, len, left;
153 size_t align; 154 size_t align;
154 unsigned char *pkt; 155 unsigned char *pkt;
155 SSL3_BUFFER_INTERNAL *rb;
156 156
157 if (n <= 0) 157 if (n <= 0)
158 return n; 158 return n;
159 159
160 rb = &(S3I(s)->rbuf);
161 if (rb->buf == NULL) 160 if (rb->buf == NULL)
162 if (!ssl3_setup_read_buffer(s)) 161 if (!ssl3_setup_read_buffer(s))
163 return -1; 162 return -1;
@@ -327,15 +326,13 @@ ssl3_packet_extend(SSL *s, int plen)
327static int 326static int
328ssl3_get_record(SSL *s) 327ssl3_get_record(SSL *s)
329{ 328{
330 int al; 329 SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf);
331 int enc_err, n, i, ret = -1; 330 SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec);
332 SSL3_RECORD_INTERNAL *rr; 331 uint8_t alert_desc;
333 SSL_SESSION *sess; 332 uint8_t *out;
334 unsigned char md[EVP_MAX_MD_SIZE]; 333 size_t out_len;
335 unsigned int mac_size, orig_len; 334 int al, n;
336 335 int ret = -1;
337 rr = &(S3I(s)->rrec);
338 sess = s->session;
339 336
340 again: 337 again:
341 /* check if we have the header */ 338 /* check if we have the header */
@@ -387,17 +384,13 @@ ssl3_get_record(SSL *s)
387 goto err; 384 goto err;
388 } 385 }
389 386
390 if (rr->length > S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH) { 387 if (rr->length > rb->len - SSL3_RT_HEADER_LENGTH) {
391 al = SSL_AD_RECORD_OVERFLOW; 388 al = SSL_AD_RECORD_OVERFLOW;
392 SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG); 389 SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG);
393 goto f_err; 390 goto f_err;
394 } 391 }
395
396 /* now s->internal->rstate == SSL_ST_READ_BODY */
397 } 392 }
398 393
399 /* s->internal->rstate == SSL_ST_READ_BODY, get and decode the data */
400
401 n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH + rr->length); 394 n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH + rr->length);
402 if (n <= 0) 395 if (n <= 0)
403 return (n); 396 return (n);
@@ -406,133 +399,40 @@ ssl3_get_record(SSL *s)
406 399
407 s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ 400 s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */
408 401
409 /* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 402 /*
410 * and we have that many bytes in s->internal->packet 403 * A full record has now been read from the wire, which now needs
404 * to be processed.
411 */ 405 */
412 rr->input = &(s->internal->packet[SSL3_RT_HEADER_LENGTH]); 406 tls12_record_layer_set_version(s->internal->rl, s->version);
413
414 /* ok, we can now read from 's->internal->packet' data into 'rr'
415 * rr->input points at rr->length bytes, which
416 * need to be copied into rr->data by either
417 * the decryption or by the decompression
418 * When the data is 'copied' into the rr->data buffer,
419 * rr->input will be pointed at the new buffer */
420
421 /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
422 * rr->length bytes of encrypted compressed stuff. */
423
424 /* check is not needed I believe */
425 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
426 al = SSL_AD_RECORD_OVERFLOW;
427 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
428 goto f_err;
429 }
430
431 /* decrypt in place in 'rr->input' */
432 rr->data = rr->input;
433 407
434 /* enc_err is: 408 if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet,
435 * 0: (in non-constant time) if the record is publically invalid. 409 s->internal->packet_length, &out, &out_len)) {
436 * 1: if the padding is valid 410 tls12_record_layer_alert(s->internal->rl, &alert_desc);
437 * -1: if the padding is invalid */
438 if ((enc_err = tls1_enc(s, 0)) == 0) {
439 al = SSL_AD_BAD_RECORD_MAC;
440 SSLerror(s, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
441 goto f_err;
442 }
443
444 /* r->length is now the compressed data plus mac */
445 if ((sess != NULL) && (s->enc_read_ctx != NULL) &&
446 (EVP_MD_CTX_md(s->read_hash) != NULL)) {
447 /* s->read_hash != NULL => mac_size != -1 */
448 unsigned char *mac = NULL;
449 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
450
451 mac_size = EVP_MD_CTX_size(s->read_hash);
452 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
453
454 orig_len = rr->length + rr->padding_length;
455 411
456 /* orig_len is the length of the record before any padding was 412 if (alert_desc == 0)
457 * removed. This is public information, as is the MAC in use, 413 goto err;
458 * therefore we can safely process the record in a different
459 * amount of time if it's too short to possibly contain a MAC.
460 */
461 if (orig_len < mac_size ||
462 /* CBC records must have a padding length byte too. */
463 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
464 orig_len < mac_size + 1)) {
465 al = SSL_AD_DECODE_ERROR;
466 SSLerror(s, SSL_R_LENGTH_TOO_SHORT);
467 goto f_err;
468 }
469
470 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
471 /* We update the length so that the TLS header bytes
472 * can be constructed correctly but we need to extract
473 * the MAC in constant time from within the record,
474 * without leaking the contents of the padding bytes.
475 * */
476 mac = mac_tmp;
477 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
478 rr->length -= mac_size;
479 } else {
480 /* In this case there's no padding, so |orig_len|
481 * equals |rec->length| and we checked that there's
482 * enough bytes for |mac_size| above. */
483 rr->length -= mac_size;
484 mac = &rr->data[rr->length];
485 }
486 414
487 i = tls1_mac(s,md,0 /* not send */); 415 if (alert_desc == SSL_AD_RECORD_OVERFLOW)
488 if (i < 0 || mac == NULL || 416 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
489 timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) 417 else if (alert_desc == SSL_AD_BAD_RECORD_MAC)
490 enc_err = -1; 418 SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
491 if (rr->length >
492 SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
493 enc_err = -1;
494 }
495 419
496 if (enc_err < 0) { 420 al = alert_desc;
497 /*
498 * A separate 'decryption_failed' alert was introduced with
499 * TLS 1.0, SSL 3.0 only has 'bad_record_mac'. But unless a
500 * decryption failure is directly visible from the ciphertext
501 * anyway, we should not reveal which kind of error
502 * occurred -- this might become visible to an attacker
503 * (e.g. via a logfile)
504 */
505 al = SSL_AD_BAD_RECORD_MAC;
506 SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
507 goto f_err;
508 }
509
510 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
511 al = SSL_AD_RECORD_OVERFLOW;
512 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
513 goto f_err; 421 goto f_err;
514 } 422 }
515 423
424 rr->data = out;
425 rr->length = out_len;
516 rr->off = 0; 426 rr->off = 0;
517 /*
518 * So at this point the following is true
519 *
520 * ssl->s3->internal->rrec.type is the type of record
521 * ssl->s3->internal->rrec.length == number of bytes in record
522 * ssl->s3->internal->rrec.off == offset to first valid byte
523 * ssl->s3->internal->rrec.data == where to take bytes from, increment
524 * after use :-).
525 */
526 427
527 /* we have pulled in a full packet so zero things */ 428 /* we have pulled in a full packet so zero things */
528 s->internal->packet_length = 0; 429 s->internal->packet_length = 0;
529 430
530 if (rr->length == 0) { 431 if (rr->length == 0) {
531 /* 432 /*
532 * CBC countermeasures for known IV weaknesses 433 * CBC countermeasures for known IV weaknesses can legitimately
533 * can legitimately insert a single empty record, 434 * insert a single empty record, so we allow ourselves to read
534 * so we allow ourselves to read once past a single 435 * once past a single empty record without forcing want_read.
535 * empty record without forcing want_read.
536 */ 436 */
537 if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) { 437 if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) {
538 SSLerror(s, SSL_R_PEER_BEHAVING_BADLY); 438 SSLerror(s, SSL_R_PEER_BEHAVING_BADLY);
@@ -543,15 +443,15 @@ ssl3_get_record(SSL *s)
543 return -1; 443 return -1;
544 } 444 }
545 goto again; 445 goto again;
546 } else {
547 s->internal->empty_record_count = 0;
548 } 446 }
549 447
448 s->internal->empty_record_count = 0;
449
550 return (1); 450 return (1);
551 451
552f_err: 452 f_err:
553 ssl3_send_alert(s, SSL3_AL_FATAL, al); 453 ssl3_send_alert(s, SSL3_AL_FATAL, al);
554err: 454 err:
555 return (ret); 455 return (ret);
556} 456}
557 457
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index a66c82bdca..7a71a08434 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_enc.c,v 1.123 2020/08/30 15:40:20 jsing Exp $ */ 1/* $OpenBSD: t1_enc.c,v 1.124 2020/10/03 17:35:16 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -440,6 +440,10 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
440 if (!tls12_record_layer_set_read_cipher_hash(s->internal->rl, 440 if (!tls12_record_layer_set_read_cipher_hash(s->internal->rl,
441 cipher_ctx, mac_ctx, stream_mac)) 441 cipher_ctx, mac_ctx, stream_mac))
442 goto err; 442 goto err;
443
444 if (!tls12_record_layer_set_read_mac_key(s->internal->rl,
445 S3I(s)->read_mac_secret, mac_secret_size))
446 goto err;
443 } else { 447 } else {
444 if (stream_mac) 448 if (stream_mac)
445 s->internal->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 449 s->internal->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
@@ -672,260 +676,6 @@ tls1_setup_key_block(SSL *s)
672 return (ret); 676 return (ret);
673} 677}
674 678
675/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
676 *
677 * Returns:
678 * 0: (in non-constant time) if the record is publically invalid (i.e. too
679 * short etc).
680 * 1: if the record's padding is valid / the encryption was successful.
681 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
682 * an internal error occured.
683 */
684int
685tls1_enc(SSL *s, int send)
686{
687 const SSL_AEAD_CTX *aead;
688 const EVP_CIPHER *enc;
689 EVP_CIPHER_CTX *ds;
690 SSL3_RECORD_INTERNAL *rec;
691 unsigned char *seq;
692 unsigned long l;
693 int bs, i, j, k, ret, mac_size = 0;
694
695 if (send) {
696 /* No longer supported. */
697 return -1;
698 } else {
699 aead = s->internal->aead_read_ctx;
700 rec = &S3I(s)->rrec;
701 seq = S3I(s)->read_sequence;
702 }
703
704 if (aead) {
705 unsigned char ad[13], *in, *out, nonce[16];
706 size_t out_len, pad_len = 0;
707 unsigned int nonce_used;
708
709 if (SSL_IS_DTLS(s)) {
710 dtls1_build_sequence_number(ad, seq,
711 send ? D1I(s)->w_epoch : D1I(s)->r_epoch);
712 } else {
713 memcpy(ad, seq, SSL3_SEQUENCE_SIZE);
714 tls1_record_sequence_increment(seq);
715 }
716
717 ad[8] = rec->type;
718 ad[9] = (unsigned char)(s->version >> 8);
719 ad[10] = (unsigned char)(s->version);
720
721 if (aead->variable_nonce_len > 8 ||
722 aead->variable_nonce_len > sizeof(nonce))
723 return -1;
724
725 if (aead->xor_fixed_nonce) {
726 if (aead->fixed_nonce_len > sizeof(nonce) ||
727 aead->variable_nonce_len > aead->fixed_nonce_len)
728 return -1; /* Should never happen. */
729 pad_len = aead->fixed_nonce_len - aead->variable_nonce_len;
730 } else {
731 if (aead->fixed_nonce_len +
732 aead->variable_nonce_len > sizeof(nonce))
733 return -1; /* Should never happen. */
734 }
735
736 if (send) {
737 size_t len = rec->length;
738 size_t eivlen = 0;
739 in = rec->input;
740 out = rec->data;
741
742 if (aead->xor_fixed_nonce) {
743 /*
744 * The sequence number is left zero
745 * padded, then xored with the fixed
746 * nonce.
747 */
748 memset(nonce, 0, pad_len);
749 memcpy(nonce + pad_len, ad,
750 aead->variable_nonce_len);
751 for (i = 0; i < aead->fixed_nonce_len; i++)
752 nonce[i] ^= aead->fixed_nonce[i];
753 nonce_used = aead->fixed_nonce_len;
754 } else {
755 /*
756 * When sending we use the sequence number as
757 * the variable part of the nonce.
758 */
759 memcpy(nonce, aead->fixed_nonce,
760 aead->fixed_nonce_len);
761 nonce_used = aead->fixed_nonce_len;
762 memcpy(nonce + nonce_used, ad,
763 aead->variable_nonce_len);
764 nonce_used += aead->variable_nonce_len;
765 }
766
767 /*
768 * In do_ssl3_write, rec->input is moved forward by
769 * variable_nonce_len in order to leave space for the
770 * variable nonce. Thus we can copy the sequence number
771 * bytes into place without overwriting any of the
772 * plaintext.
773 */
774 if (aead->variable_nonce_in_record) {
775 memcpy(out, ad, aead->variable_nonce_len);
776 len -= aead->variable_nonce_len;
777 eivlen = aead->variable_nonce_len;
778 }
779
780 ad[11] = len >> 8;
781 ad[12] = len & 0xff;
782
783 if (!EVP_AEAD_CTX_seal(&aead->ctx,
784 out + eivlen, &out_len, len + aead->tag_len, nonce,
785 nonce_used, in + eivlen, len, ad, sizeof(ad)))
786 return -1;
787 if (aead->variable_nonce_in_record)
788 out_len += aead->variable_nonce_len;
789 } else {
790 /* receive */
791 size_t len = rec->length;
792
793 if (rec->data != rec->input)
794 return -1; /* internal error - should never happen. */
795 out = in = rec->input;
796
797 if (len < aead->variable_nonce_len)
798 return 0;
799
800 if (aead->xor_fixed_nonce) {
801 /*
802 * The sequence number is left zero
803 * padded, then xored with the fixed
804 * nonce.
805 */
806 memset(nonce, 0, pad_len);
807 memcpy(nonce + pad_len, ad,
808 aead->variable_nonce_len);
809 for (i = 0; i < aead->fixed_nonce_len; i++)
810 nonce[i] ^= aead->fixed_nonce[i];
811 nonce_used = aead->fixed_nonce_len;
812 } else {
813 memcpy(nonce, aead->fixed_nonce,
814 aead->fixed_nonce_len);
815 nonce_used = aead->fixed_nonce_len;
816
817 memcpy(nonce + nonce_used,
818 aead->variable_nonce_in_record ? in : ad,
819 aead->variable_nonce_len);
820 nonce_used += aead->variable_nonce_len;
821 }
822
823 if (aead->variable_nonce_in_record) {
824 in += aead->variable_nonce_len;
825 len -= aead->variable_nonce_len;
826 out += aead->variable_nonce_len;
827 }
828
829 if (len < aead->tag_len)
830 return 0;
831 len -= aead->tag_len;
832
833 ad[11] = len >> 8;
834 ad[12] = len & 0xff;
835
836 if (!EVP_AEAD_CTX_open(&aead->ctx, out, &out_len, len,
837 nonce, nonce_used, in, len + aead->tag_len, ad,
838 sizeof(ad)))
839 return -1;
840
841 rec->data = rec->input = out;
842 }
843
844 rec->length = out_len;
845
846 return 1;
847 }
848
849 if (send) {
850 if (EVP_MD_CTX_md(s->internal->write_hash)) {
851 int n = EVP_MD_CTX_size(s->internal->write_hash);
852 OPENSSL_assert(n >= 0);
853 }
854 ds = s->internal->enc_write_ctx;
855 if (s->internal->enc_write_ctx == NULL)
856 enc = NULL;
857 else {
858 int ivlen = 0;
859 enc = EVP_CIPHER_CTX_cipher(s->internal->enc_write_ctx);
860 if (SSL_USE_EXPLICIT_IV(s) &&
861 EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
862 ivlen = EVP_CIPHER_iv_length(enc);
863 if (ivlen > 1) {
864 if (rec->data != rec->input) {
865#ifdef DEBUG
866 /* we can't write into the input stream:
867 * Can this ever happen?? (steve)
868 */
869 fprintf(stderr,
870 "%s:%d: rec->data != rec->input\n",
871 __FILE__, __LINE__);
872#endif
873 } else
874 arc4random_buf(rec->input, ivlen);
875 }
876 }
877 } else {
878 if (EVP_MD_CTX_md(s->read_hash)) {
879 int n = EVP_MD_CTX_size(s->read_hash);
880 OPENSSL_assert(n >= 0);
881 }
882 ds = s->enc_read_ctx;
883 if (s->enc_read_ctx == NULL)
884 enc = NULL;
885 else
886 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
887 }
888
889 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
890 memmove(rec->data, rec->input, rec->length);
891 rec->input = rec->data;
892 ret = 1;
893 } else {
894 l = rec->length;
895 bs = EVP_CIPHER_block_size(ds->cipher);
896
897 if (bs != 1 && send) {
898 i = bs - ((int)l % bs);
899
900 /* Add weird padding of upto 256 bytes */
901
902 /* we need to add 'i' padding bytes of value j */
903 j = i - 1;
904 for (k = (int)l; k < (int)(l + i); k++)
905 rec->input[k] = j;
906 l += i;
907 rec->length += i;
908 }
909
910 if (!send) {
911 if (l == 0 || l % bs != 0)
912 return 0;
913 }
914
915 i = EVP_Cipher(ds, rec->data, rec->input, l);
916 if ((EVP_CIPHER_flags(ds->cipher) &
917 EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0))
918 return -1; /* AEAD can fail to verify MAC */
919
920 ret = 1;
921 if (EVP_MD_CTX_md(s->read_hash) != NULL)
922 mac_size = EVP_MD_CTX_size(s->read_hash);
923 if ((bs != 1) && !send)
924 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
925 }
926 return ret;
927}
928
929int 679int
930tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out) 680tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out)
931{ 681{
@@ -947,85 +697,6 @@ tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out)
947} 697}
948 698
949int 699int
950tls1_mac(SSL *ssl, unsigned char *md, int send)
951{
952 SSL3_RECORD_INTERNAL *rec;
953 unsigned char *seq;
954 EVP_MD_CTX *hash;
955 size_t md_size, orig_len;
956 EVP_MD_CTX hmac, *mac_ctx;
957 unsigned char header[13];
958 int stream_mac = (send ?
959 (ssl->internal->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) :
960 (ssl->internal->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
961 int t;
962
963 if (send) {
964 /* No longer supported. */
965 return -1;
966 } else {
967 rec = &(ssl->s3->internal->rrec);
968 seq = &(ssl->s3->internal->read_sequence[0]);
969 hash = ssl->read_hash;
970 }
971
972 t = EVP_MD_CTX_size(hash);
973 OPENSSL_assert(t >= 0);
974 md_size = t;
975
976 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
977 if (stream_mac) {
978 mac_ctx = hash;
979 } else {
980 if (!EVP_MD_CTX_copy(&hmac, hash))
981 return -1;
982 mac_ctx = &hmac;
983 }
984
985 if (SSL_IS_DTLS(ssl))
986 dtls1_build_sequence_number(header, seq,
987 send ? D1I(ssl)->w_epoch : D1I(ssl)->r_epoch);
988 else
989 memcpy(header, seq, SSL3_SEQUENCE_SIZE);
990
991 orig_len = rec->length + md_size + rec->padding_length;
992
993 header[8] = rec->type;
994 header[9] = (unsigned char)(ssl->version >> 8);
995 header[10] = (unsigned char)(ssl->version);
996 header[11] = (rec->length) >> 8;
997 header[12] = (rec->length) & 0xff;
998
999 if (!send &&
1000 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1001 ssl3_cbc_record_digest_supported(mac_ctx)) {
1002 /* This is a CBC-encrypted record. We must avoid leaking any
1003 * timing-side channel information about how many blocks of
1004 * data we are hashing because that gives an attacker a
1005 * timing-oracle. */
1006 if (!ssl3_cbc_digest_record(mac_ctx,
1007 md, &md_size, header, rec->input,
1008 rec->length + md_size, orig_len,
1009 ssl->s3->internal->read_mac_secret,
1010 ssl->s3->internal->read_mac_secret_size))
1011 return -1;
1012 } else {
1013 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
1014 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
1015 t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
1016 OPENSSL_assert(t > 0);
1017 }
1018
1019 if (!stream_mac)
1020 EVP_MD_CTX_cleanup(&hmac);
1021
1022 if (!SSL_IS_DTLS(ssl))
1023 tls1_record_sequence_increment(seq);
1024
1025 return (md_size);
1026}
1027
1028int
1029tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 700tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
1030 int len) 701 int len)
1031{ 702{
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
index 10d0f1194b..56ff94d95c 100644
--- a/src/lib/libssl/tls12_record_layer.c
+++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls12_record_layer.c,v 1.4 2020/09/16 17:15:01 jsing Exp $ */ 1/* $OpenBSD: tls12_record_layer.c,v 1.5 2020/10/03 17:35:17 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -25,6 +25,8 @@ struct tls12_record_layer {
25 uint16_t version; 25 uint16_t version;
26 int dtls; 26 int dtls;
27 27
28 uint8_t alert_desc;
29
28 uint16_t read_epoch; 30 uint16_t read_epoch;
29 uint16_t write_epoch; 31 uint16_t write_epoch;
30 32
@@ -43,6 +45,9 @@ struct tls12_record_layer {
43 EVP_CIPHER_CTX *write_cipher_ctx; 45 EVP_CIPHER_CTX *write_cipher_ctx;
44 EVP_MD_CTX *write_hash_ctx; 46 EVP_MD_CTX *write_hash_ctx;
45 47
48 const uint8_t *read_mac_key;
49 size_t read_mac_key_len;
50
46 uint8_t *read_seq_num; 51 uint8_t *read_seq_num;
47 uint8_t *write_seq_num; 52 uint8_t *write_seq_num;
48}; 53};
@@ -65,6 +70,12 @@ tls12_record_layer_free(struct tls12_record_layer *rl)
65} 70}
66 71
67void 72void
73tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc)
74{
75 *alert_desc = rl->alert_desc;
76}
77
78void
68tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) 79tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
69{ 80{
70 rl->version = version; 81 rl->version = version;
@@ -111,6 +122,7 @@ void
111tls12_record_layer_clear_read_state(struct tls12_record_layer *rl) 122tls12_record_layer_clear_read_state(struct tls12_record_layer *rl)
112{ 123{
113 tls12_record_layer_set_read_state(rl, NULL, NULL, NULL, 0); 124 tls12_record_layer_set_read_state(rl, NULL, NULL, NULL, 0);
125 tls12_record_layer_set_read_mac_key(rl, NULL, 0);
114 rl->read_seq_num = NULL; 126 rl->read_seq_num = NULL;
115} 127}
116 128
@@ -173,6 +185,16 @@ tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer *rl,
173 return 1; 185 return 1;
174} 186}
175 187
188int
189tls12_record_layer_set_read_mac_key(struct tls12_record_layer *rl,
190 const uint8_t *mac_key, size_t mac_key_len)
191{
192 rl->read_mac_key = mac_key;
193 rl->read_mac_key_len = mac_key_len;
194
195 return 1;
196}
197
176static int 198static int
177tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, 199tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb,
178 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len) 200 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)
@@ -234,7 +256,7 @@ tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
234{ 256{
235 EVP_MD_CTX *mac_ctx = NULL; 257 EVP_MD_CTX *mac_ctx = NULL;
236 uint8_t *header = NULL; 258 uint8_t *header = NULL;
237 size_t header_len; 259 size_t header_len = 0;
238 size_t mac_len; 260 size_t mac_len;
239 uint8_t *mac; 261 uint8_t *mac;
240 int ret = 0; 262 int ret = 0;
@@ -258,6 +280,8 @@ tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
258 goto err; 280 goto err;
259 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0) 281 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0)
260 goto err; 282 goto err;
283 if (mac_len == 0)
284 goto err;
261 285
262 if (stream_mac) { 286 if (stream_mac) {
263 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx)) 287 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx))
@@ -269,12 +293,67 @@ tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
269 293
270 err: 294 err:
271 EVP_MD_CTX_free(mac_ctx); 295 EVP_MD_CTX_free(mac_ctx);
272 free(header); 296 freezero(header, header_len);
273 297
274 return ret; 298 return ret;
275} 299}
276 300
277static int 301static int
302tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb,
303 uint8_t content_type, const uint8_t *content, size_t content_len,
304 size_t mac_len, size_t padding_len)
305{
306 uint8_t *header = NULL;
307 size_t header_len = 0;
308 uint8_t *mac = NULL;
309 size_t out_mac_len = 0;
310 int ret = 0;
311
312 /*
313 * Must be constant time to avoid leaking details about CBC padding.
314 */
315
316 if (!ssl3_cbc_record_digest_supported(rl->read_hash_ctx))
317 goto err;
318
319 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
320 rl->read_epoch, rl->read_seq_num, SSL3_SEQUENCE_SIZE,
321 &header, &header_len))
322 goto err;
323
324 if (!CBB_add_space(cbb, &mac, mac_len))
325 goto err;
326 if (!ssl3_cbc_digest_record(rl->read_hash_ctx, mac, &out_mac_len, header,
327 content, content_len + mac_len, content_len + mac_len + padding_len,
328 rl->read_mac_key, rl->read_mac_key_len))
329 goto err;
330 if (mac_len != out_mac_len)
331 goto err;
332
333 ret = 1;
334
335 err:
336 freezero(header, header_len);
337
338 return ret;
339}
340
341static int
342tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb,
343 uint8_t content_type, const uint8_t *content, size_t content_len)
344{
345 EVP_CIPHER_CTX *enc = rl->read_cipher_ctx;
346 size_t out_len;
347
348 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
349 return 0;
350
351 return tls12_record_layer_mac(rl, cbb, rl->read_hash_ctx,
352 rl->read_stream_mac, rl->read_epoch, rl->read_seq_num,
353 SSL3_SEQUENCE_SIZE, content_type, content, content_len, &out_len);
354}
355
356static int
278tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, 357tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
279 uint8_t content_type, const uint8_t *content, size_t content_len, 358 uint8_t content_type, const uint8_t *content, size_t content_len,
280 size_t *out_len) 359 size_t *out_len)
@@ -286,7 +365,8 @@ tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
286 365
287static int 366static int
288tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, 367tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
289 const SSL_AEAD_CTX *aead, uint8_t *seq_num, uint8_t **out, size_t *out_len) 368 const SSL_AEAD_CTX *aead, const uint8_t *seq_num,
369 uint8_t **out, size_t *out_len)
290{ 370{
291 CBB cbb; 371 CBB cbb;
292 372
@@ -314,7 +394,8 @@ tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
314 394
315static int 395static int
316tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, 396tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
317 const SSL_AEAD_CTX *aead, uint8_t *seq_num, uint8_t **out, size_t *out_len) 397 const SSL_AEAD_CTX *aead, const uint8_t *seq_num,
398 uint8_t **out, size_t *out_len)
318{ 399{
319 uint8_t *nonce = NULL; 400 uint8_t *nonce = NULL;
320 size_t nonce_len = 0; 401 size_t nonce_len = 0;
@@ -357,6 +438,263 @@ tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
357} 438}
358 439
359static int 440static int
441tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl,
442 uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len)
443{
444 if (rl->read_aead_ctx != NULL || rl->read_cipher_ctx != NULL)
445 return 0;
446
447 /* XXX - decrypt/process in place for now. */
448 *out = (uint8_t *)CBS_data(fragment);
449 *out_len = CBS_len(fragment);
450
451 return 1;
452}
453
454static int
455tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
456 uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len)
457{
458 const SSL_AEAD_CTX *aead = rl->read_aead_ctx;
459 uint8_t *header = NULL, *nonce = NULL;
460 size_t header_len = 0, nonce_len = 0;
461 uint8_t *plain;
462 size_t plain_len;
463 uint16_t epoch = 0;
464 CBS var_nonce;
465 int ret = 0;
466
467 /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */
468 if (aead->xor_fixed_nonce) {
469 if (!tls12_record_layer_aead_xored_nonce(rl, aead,
470 rl->read_seq_num, &nonce, &nonce_len))
471 goto err;
472 } else if (aead->variable_nonce_in_record) {
473 if (!CBS_get_bytes(fragment, &var_nonce,
474 aead->variable_nonce_len))
475 goto err;
476 if (!tls12_record_layer_aead_concat_nonce(rl, aead,
477 CBS_data(&var_nonce), &nonce, &nonce_len))
478 goto err;
479 } else {
480 if (!tls12_record_layer_aead_concat_nonce(rl, aead,
481 rl->read_seq_num, &nonce, &nonce_len))
482 goto err;
483 }
484
485 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
486 if (CBS_len(fragment) < aead->tag_len) {
487 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
488 goto err;
489 }
490 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
491 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
492 goto err;
493 }
494
495 /* XXX - decrypt/process in place for now. */
496 plain = (uint8_t *)CBS_data(fragment);
497 plain_len = CBS_len(fragment) - aead->tag_len;
498
499 if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len,
500 epoch, rl->read_seq_num, SSL3_SEQUENCE_SIZE, &header, &header_len))
501 goto err;
502
503 if (!EVP_AEAD_CTX_open(&aead->ctx, plain, out_len, plain_len,
504 nonce, nonce_len, CBS_data(fragment), CBS_len(fragment),
505 header, header_len)) {
506 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
507 goto err;
508 }
509
510 if (*out_len > SSL3_RT_MAX_PLAIN_LENGTH) {
511 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
512 goto err;
513 }
514
515 if (*out_len != plain_len)
516 goto err;
517
518 *out = plain;
519
520 ret = 1;
521
522 err:
523 freezero(header, header_len);
524 freezero(nonce, nonce_len);
525
526 return ret;
527}
528
529static int
530tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
531 uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len)
532{
533 EVP_CIPHER_CTX *enc = rl->read_cipher_ctx;
534 SSL3_RECORD_INTERNAL rrec;
535 int block_size, eiv_len;
536 uint8_t *mac = NULL;
537 int mac_len = 0;
538 uint8_t *out_mac = NULL;
539 size_t out_mac_len = 0;
540 uint8_t *plain;
541 size_t plain_len;
542 size_t min_len;
543 CBB cbb_mac;
544 int ret = 0;
545
546 memset(&cbb_mac, 0, sizeof(cbb_mac));
547
548 block_size = EVP_CIPHER_CTX_block_size(enc);
549 if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH)
550 goto err;
551
552 /* Determine explicit IV length. */
553 eiv_len = 0;
554 if (rl->version != TLS1_VERSION &&
555 EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
556 eiv_len = EVP_CIPHER_CTX_iv_length(enc);
557 if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH)
558 goto err;
559
560 mac_len = 0;
561 if (rl->read_hash_ctx != NULL) {
562 mac_len = EVP_MD_CTX_size(rl->read_hash_ctx);
563 if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE)
564 goto err;
565 }
566
567 /* CBC has at least one padding byte. */
568 min_len = eiv_len + mac_len;
569 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
570 min_len += 1;
571
572 if (CBS_len(fragment) < min_len) {
573 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
574 goto err;
575 }
576 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
577 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
578 goto err;
579 }
580 if (CBS_len(fragment) % block_size != 0) {
581 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
582 goto err;
583 }
584
585 /* XXX - decrypt/process in place for now. */
586 plain = (uint8_t *)CBS_data(fragment);
587 plain_len = CBS_len(fragment);
588
589 if (!EVP_Cipher(enc, plain, CBS_data(fragment), plain_len))
590 goto err;
591
592 rrec.data = plain;
593 rrec.input = plain;
594 rrec.length = plain_len;
595
596 /*
597 * We now have to remove padding, extract MAC, calculate MAC
598 * and compare MAC in constant time.
599 */
600 if (block_size > 1)
601 ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len);
602
603 if ((mac = calloc(1, mac_len)) == NULL)
604 goto err;
605
606 if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE))
607 goto err;
608 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) {
609 ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length +
610 rrec.padding_length);
611 rrec.length -= mac_len;
612 if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type,
613 rrec.input, rrec.length, mac_len, rrec.padding_length))
614 goto err;
615 } else {
616 rrec.length -= mac_len;
617 memcpy(mac, rrec.data + rrec.length, mac_len);
618 if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type,
619 rrec.input, rrec.length))
620 goto err;
621 }
622 if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len))
623 goto err;
624 if (mac_len != out_mac_len)
625 goto err;
626
627 if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) {
628 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
629 goto err;
630 }
631
632 if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) {
633 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
634 goto err;
635 }
636 if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) {
637 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
638 goto err;
639 }
640
641 *out = rrec.data;
642 *out_len = rrec.length;
643
644 ret = 1;
645
646 err:
647 CBB_cleanup(&cbb_mac);
648 freezero(mac, mac_len);
649 freezero(out_mac, out_mac_len);
650
651 return ret;
652}
653
654int
655tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
656 size_t buf_len, uint8_t **out, size_t *out_len)
657{
658 CBS cbs, fragment, seq_no;
659 uint16_t epoch, version;
660 uint8_t content_type;
661
662 CBS_init(&cbs, buf, buf_len);
663
664 if (!CBS_get_u8(&cbs, &content_type))
665 return 0;
666 if (!CBS_get_u16(&cbs, &version))
667 return 0;
668 if (rl->dtls) {
669 if (!CBS_get_u16(&cbs, &epoch))
670 return 0;
671 if (!CBS_get_bytes(&cbs, &seq_no, 6))
672 return 0;
673 }
674 if (!CBS_get_u16_length_prefixed(&cbs, &fragment))
675 return 0;
676
677 if (rl->read_aead_ctx != NULL) {
678 if (!tls12_record_layer_open_record_protected_aead(rl,
679 content_type, &fragment, out, out_len))
680 return 0;
681 } else if (rl->read_cipher_ctx != NULL) {
682 if (!tls12_record_layer_open_record_protected_cipher(rl,
683 content_type, &fragment, out, out_len))
684 return 0;
685 } else {
686 if (!tls12_record_layer_open_record_plaintext(rl,
687 content_type, &fragment, out, out_len))
688 return 0;
689 }
690
691 if (!rl->dtls)
692 tls1_record_sequence_increment(rl->read_seq_num);
693
694 return 1;
695}
696
697static int
360tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, 698tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl,
361 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) 699 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out)
362{ 700{
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 12:03:32 +0000