summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls12_record_layer.c
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2023-04-23 13:43:47 +0000
committercvs2svn <admin@example.com>2023-04-23 13:43:47 +0000
commite2496982472bdf233be95c5ea72d1c4dc6c91db3 (patch)
tree316488e5daf86864d8466bce0e5b000d85768378 /src/lib/libssl/tls12_record_layer.c
parent097d0cf840b9007212bcd2516ed5e18939e6da3d (diff)
downloadopenbsd-tb_20230422.tar.gz
openbsd-tb_20230422.tar.bz2
openbsd-tb_20230422.zip
This commit was manufactured by cvs2git to create tag 'tb_20230422'.tb_20230422
Diffstat (limited to 'src/lib/libssl/tls12_record_layer.c')
-rw-r--r--src/lib/libssl/tls12_record_layer.c1337
1 files changed, 0 insertions, 1337 deletions
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
deleted file mode 100644
index 59f5d32452..0000000000
--- a/src/lib/libssl/tls12_record_layer.c
+++ /dev/null
@@ -1,1337 +0,0 @@
1/* $OpenBSD: tls12_record_layer.c,v 1.38 2022/11/26 16:08:56 tb Exp $ */
2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <limits.h>
19#include <stdlib.h>
20
21#include <openssl/evp.h>
22
23#include "ssl_local.h"
24
25#define TLS12_RECORD_SEQ_NUM_LEN 8
26#define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12
27
28struct tls12_record_protection {
29 uint16_t epoch;
30 uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN];
31
32 EVP_AEAD_CTX *aead_ctx;
33
34 uint8_t *aead_nonce;
35 size_t aead_nonce_len;
36
37 uint8_t *aead_fixed_nonce;
38 size_t aead_fixed_nonce_len;
39
40 size_t aead_variable_nonce_len;
41 size_t aead_tag_len;
42
43 int aead_xor_nonces;
44 int aead_variable_nonce_in_record;
45
46 EVP_CIPHER_CTX *cipher_ctx;
47 EVP_MD_CTX *hash_ctx;
48
49 int stream_mac;
50
51 uint8_t *mac_key;
52 size_t mac_key_len;
53};
54
55static struct tls12_record_protection *
56tls12_record_protection_new(void)
57{
58 return calloc(1, sizeof(struct tls12_record_protection));
59}
60
61static void
62tls12_record_protection_clear(struct tls12_record_protection *rp)
63{
64 EVP_AEAD_CTX_free(rp->aead_ctx);
65
66 freezero(rp->aead_nonce, rp->aead_nonce_len);
67 freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len);
68
69 EVP_CIPHER_CTX_free(rp->cipher_ctx);
70 EVP_MD_CTX_free(rp->hash_ctx);
71
72 freezero(rp->mac_key, rp->mac_key_len);
73
74 memset(rp, 0, sizeof(*rp));
75}
76
77static void
78tls12_record_protection_free(struct tls12_record_protection *rp)
79{
80 if (rp == NULL)
81 return;
82
83 tls12_record_protection_clear(rp);
84
85 freezero(rp, sizeof(struct tls12_record_protection));
86}
87
88static int
89tls12_record_protection_engaged(struct tls12_record_protection *rp)
90{
91 return rp->aead_ctx != NULL || rp->cipher_ctx != NULL;
92}
93
94static int
95tls12_record_protection_unused(struct tls12_record_protection *rp)
96{
97 return rp->aead_ctx == NULL && rp->cipher_ctx == NULL &&
98 rp->hash_ctx == NULL && rp->mac_key == NULL;
99}
100
101static int
102tls12_record_protection_eiv_len(struct tls12_record_protection *rp,
103 size_t *out_eiv_len)
104{
105 int eiv_len;
106
107 *out_eiv_len = 0;
108
109 if (rp->cipher_ctx == NULL)
110 return 0;
111
112 eiv_len = 0;
113 if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE)
114 eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx);
115 if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH)
116 return 0;
117
118 *out_eiv_len = eiv_len;
119
120 return 1;
121}
122
123static int
124tls12_record_protection_block_size(struct tls12_record_protection *rp,
125 size_t *out_block_size)
126{
127 int block_size;
128
129 *out_block_size = 0;
130
131 if (rp->cipher_ctx == NULL)
132 return 0;
133
134 block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx);
135 if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH)
136 return 0;
137
138 *out_block_size = block_size;
139
140 return 1;
141}
142
143static int
144tls12_record_protection_mac_len(struct tls12_record_protection *rp,
145 size_t *out_mac_len)
146{
147 int mac_len;
148
149 *out_mac_len = 0;
150
151 if (rp->hash_ctx == NULL)
152 return 0;
153
154 mac_len = EVP_MD_CTX_size(rp->hash_ctx);
155 if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE)
156 return 0;
157
158 *out_mac_len = mac_len;
159
160 return 1;
161}
162
163struct tls12_record_layer {
164 uint16_t version;
165 uint16_t initial_epoch;
166 int dtls;
167
168 uint8_t alert_desc;
169
170 const EVP_AEAD *aead;
171 const EVP_CIPHER *cipher;
172 const EVP_MD *handshake_hash;
173 const EVP_MD *mac_hash;
174
175 /* Pointers to active record protection (memory is not owned). */
176 struct tls12_record_protection *read;
177 struct tls12_record_protection *write;
178
179 struct tls12_record_protection *read_current;
180 struct tls12_record_protection *write_current;
181 struct tls12_record_protection *write_previous;
182};
183
184struct tls12_record_layer *
185tls12_record_layer_new(void)
186{
187 struct tls12_record_layer *rl;
188
189 if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL)
190 goto err;
191 if ((rl->read_current = tls12_record_protection_new()) == NULL)
192 goto err;
193 if ((rl->write_current = tls12_record_protection_new()) == NULL)
194 goto err;
195
196 rl->read = rl->read_current;
197 rl->write = rl->write_current;
198
199 return rl;
200
201 err:
202 tls12_record_layer_free(rl);
203
204 return NULL;
205}
206
207void
208tls12_record_layer_free(struct tls12_record_layer *rl)
209{
210 if (rl == NULL)
211 return;
212
213 tls12_record_protection_free(rl->read_current);
214 tls12_record_protection_free(rl->write_current);
215 tls12_record_protection_free(rl->write_previous);
216
217 freezero(rl, sizeof(struct tls12_record_layer));
218}
219
220void
221tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc)
222{
223 *alert_desc = rl->alert_desc;
224}
225
226int
227tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
228 size_t *overhead)
229{
230 size_t block_size, eiv_len, mac_len;
231
232 *overhead = 0;
233
234 if (rl->write->aead_ctx != NULL) {
235 *overhead = rl->write->aead_tag_len;
236 } else if (rl->write->cipher_ctx != NULL) {
237 eiv_len = 0;
238 if (rl->version != TLS1_VERSION) {
239 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
240 return 0;
241 }
242 if (!tls12_record_protection_block_size(rl->write, &block_size))
243 return 0;
244 if (!tls12_record_protection_mac_len(rl->write, &mac_len))
245 return 0;
246
247 *overhead = eiv_len + block_size + mac_len;
248 }
249
250 return 1;
251}
252
253int
254tls12_record_layer_read_protected(struct tls12_record_layer *rl)
255{
256 return tls12_record_protection_engaged(rl->read);
257}
258
259int
260tls12_record_layer_write_protected(struct tls12_record_layer *rl)
261{
262 return tls12_record_protection_engaged(rl->write);
263}
264
265void
266tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead)
267{
268 rl->aead = aead;
269}
270
271void
272tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl,
273 const EVP_CIPHER *cipher, const EVP_MD *handshake_hash,
274 const EVP_MD *mac_hash)
275{
276 rl->cipher = cipher;
277 rl->handshake_hash = handshake_hash;
278 rl->mac_hash = mac_hash;
279}
280
281void
282tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
283{
284 rl->version = version;
285 rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR);
286}
287
288void
289tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl,
290 uint16_t epoch)
291{
292 rl->initial_epoch = epoch;
293}
294
295uint16_t
296tls12_record_layer_read_epoch(struct tls12_record_layer *rl)
297{
298 return rl->read->epoch;
299}
300
301uint16_t
302tls12_record_layer_write_epoch(struct tls12_record_layer *rl)
303{
304 return rl->write->epoch;
305}
306
307int
308tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch)
309{
310 if (rl->write->epoch == epoch)
311 return 1;
312
313 if (rl->write_current->epoch == epoch) {
314 rl->write = rl->write_current;
315 return 1;
316 }
317
318 if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) {
319 rl->write = rl->write_previous;
320 return 1;
321 }
322
323 return 0;
324}
325
326void
327tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch)
328{
329 if (rl->write_previous == NULL || rl->write_previous->epoch != epoch)
330 return;
331
332 rl->write = rl->write_current;
333
334 tls12_record_protection_free(rl->write_previous);
335 rl->write_previous = NULL;
336}
337
338void
339tls12_record_layer_clear_read_state(struct tls12_record_layer *rl)
340{
341 tls12_record_protection_clear(rl->read);
342 rl->read->epoch = rl->initial_epoch;
343}
344
345void
346tls12_record_layer_clear_write_state(struct tls12_record_layer *rl)
347{
348 tls12_record_protection_clear(rl->write);
349 rl->write->epoch = rl->initial_epoch;
350
351 tls12_record_protection_free(rl->write_previous);
352 rl->write_previous = NULL;
353}
354
355void
356tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl)
357{
358 memcpy(rl->write->seq_num, rl->read->seq_num,
359 sizeof(rl->write->seq_num));
360}
361
362static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = {
363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
364};
365
366int
367tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num)
368{
369 CBS max_seq_num;
370 int i;
371
372 /*
373 * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS
374 * sequence numbers must not wrap. Note that for DTLS the first two
375 * bytes are used as an "epoch" and not part of the sequence number.
376 */
377 CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN);
378 if (rl->dtls) {
379 if (!CBS_skip(&max_seq_num, 2))
380 return 0;
381 }
382 if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num,
383 CBS_len(&max_seq_num)))
384 return 0;
385
386 for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
387 if (++seq_num[i] != 0)
388 break;
389 }
390
391 return 1;
392}
393
394static int
395tls12_record_layer_set_mac_key(struct tls12_record_protection *rp,
396 const uint8_t *mac_key, size_t mac_key_len)
397{
398 freezero(rp->mac_key, rp->mac_key_len);
399 rp->mac_key = NULL;
400 rp->mac_key_len = 0;
401
402 if (mac_key == NULL || mac_key_len == 0)
403 return 1;
404
405 if ((rp->mac_key = calloc(1, mac_key_len)) == NULL)
406 return 0;
407
408 memcpy(rp->mac_key, mac_key, mac_key_len);
409 rp->mac_key_len = mac_key_len;
410
411 return 1;
412}
413
414static int
415tls12_record_layer_ccs_aead(struct tls12_record_layer *rl,
416 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
417 CBS *iv)
418{
419 if (!tls12_record_protection_unused(rp))
420 return 0;
421
422 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL)
423 return 0;
424
425 /* AES GCM cipher suites use variable nonce in record. */
426 if (rl->aead == EVP_aead_aes_128_gcm() ||
427 rl->aead == EVP_aead_aes_256_gcm())
428 rp->aead_variable_nonce_in_record = 1;
429
430 /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */
431 if (rl->aead == EVP_aead_chacha20_poly1305())
432 rp->aead_xor_nonces = 1;
433
434 if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len))
435 return 0;
436
437 rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead));
438 if (rp->aead_nonce == NULL)
439 return 0;
440
441 rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead);
442 rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead);
443 rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN;
444
445 if (rp->aead_xor_nonces) {
446 /* Fixed nonce length must match, variable must not exceed. */
447 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
448 return 0;
449 if (rp->aead_variable_nonce_len > rp->aead_nonce_len)
450 return 0;
451 } else {
452 /* Concatenated nonce length must equal AEAD nonce length. */
453 if (rp->aead_fixed_nonce_len +
454 rp->aead_variable_nonce_len != rp->aead_nonce_len)
455 return 0;
456 }
457
458 if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key),
459 CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
460 return 0;
461
462 return 1;
463}
464
465static int
466tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
467 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
468 CBS *iv)
469{
470 EVP_PKEY *mac_pkey = NULL;
471 int gost_param_nid;
472 int mac_type;
473 int ret = 0;
474
475 if (!tls12_record_protection_unused(rp))
476 goto err;
477
478 mac_type = EVP_PKEY_HMAC;
479 rp->stream_mac = 0;
480
481 if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX)
482 goto err;
483 if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv))
484 goto err;
485 if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key))
486 goto err;
487
488 /* Special handling for GOST... */
489 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) {
490 if (CBS_len(mac_key) != 32)
491 goto err;
492 mac_type = EVP_PKEY_GOSTIMIT;
493 rp->stream_mac = 1;
494 } else {
495 if (CBS_len(mac_key) > INT_MAX)
496 goto err;
497 if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key))
498 goto err;
499 }
500
501 if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
502 goto err;
503 if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL)
504 goto err;
505
506 if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key),
507 CBS_len(mac_key)))
508 goto err;
509
510 if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key),
511 CBS_len(mac_key))) == NULL)
512 goto err;
513
514 if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key),
515 CBS_data(iv), is_write))
516 goto err;
517
518 if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL,
519 mac_pkey) <= 0)
520 goto err;
521
522 /* More special handling for GOST... */
523 if (EVP_CIPHER_type(rl->cipher) == NID_gost89_cnt) {
524 gost_param_nid = NID_id_tc26_gost_28147_param_Z;
525 if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94)
526 gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet;
527
528 if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX,
529 gost_param_nid, 0) <= 0)
530 goto err;
531
532 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) {
533 if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX,
534 gost_param_nid, 0) <= 0)
535 goto err;
536 }
537 }
538
539 ret = 1;
540
541 err:
542 EVP_PKEY_free(mac_pkey);
543
544 return ret;
545}
546
547static int
548tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl,
549 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
550 CBS *iv)
551{
552 if (rl->aead != NULL)
553 return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key,
554 key, iv);
555
556 return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key,
557 key, iv);
558}
559
560int
561tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
562 CBS *mac_key, CBS *key, CBS *iv)
563{
564 struct tls12_record_protection *read_new = NULL;
565 int ret = 0;
566
567 if ((read_new = tls12_record_protection_new()) == NULL)
568 goto err;
569
570 /* Read sequence number gets reset to zero. */
571
572 /* DTLS epoch is incremented and is permitted to wrap. */
573 if (rl->dtls)
574 read_new->epoch = rl->read_current->epoch + 1;
575
576 if (!tls12_record_layer_change_cipher_state(rl, read_new, 0,
577 mac_key, key, iv))
578 goto err;
579
580 tls12_record_protection_free(rl->read_current);
581 rl->read = rl->read_current = read_new;
582 read_new = NULL;
583
584 ret = 1;
585
586 err:
587 tls12_record_protection_free(read_new);
588
589 return ret;
590}
591
592int
593tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
594 CBS *mac_key, CBS *key, CBS *iv)
595{
596 struct tls12_record_protection *write_new;
597 int ret = 0;
598
599 if ((write_new = tls12_record_protection_new()) == NULL)
600 goto err;
601
602 /* Write sequence number gets reset to zero. */
603
604 /* DTLS epoch is incremented and is permitted to wrap. */
605 if (rl->dtls)
606 write_new->epoch = rl->write_current->epoch + 1;
607
608 if (!tls12_record_layer_change_cipher_state(rl, write_new, 1,
609 mac_key, key, iv))
610 goto err;
611
612 if (rl->dtls) {
613 tls12_record_protection_free(rl->write_previous);
614 rl->write_previous = rl->write_current;
615 rl->write_current = NULL;
616 }
617 tls12_record_protection_free(rl->write_current);
618 rl->write = rl->write_current = write_new;
619 write_new = NULL;
620
621 ret = 1;
622
623 err:
624 tls12_record_protection_free(write_new);
625
626 return ret;
627}
628
629static int
630tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb,
631 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)
632{
633 CBS seq;
634
635 CBS_init(&seq, seq_num, seq_num_len);
636
637 if (rl->dtls) {
638 if (!CBB_add_u16(cbb, epoch))
639 return 0;
640 if (!CBS_skip(&seq, 2))
641 return 0;
642 }
643
644 return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq));
645}
646
647static int
648tls12_record_layer_pseudo_header(struct tls12_record_layer *rl,
649 uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out,
650 size_t *out_len)
651{
652 CBB cbb;
653
654 *out = NULL;
655 *out_len = 0;
656
657 /* Build the pseudo-header used for MAC/AEAD. */
658 if (!CBB_init(&cbb, 13))
659 goto err;
660
661 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num)))
662 goto err;
663 if (!CBB_add_u8(&cbb, content_type))
664 goto err;
665 if (!CBB_add_u16(&cbb, rl->version))
666 goto err;
667 if (!CBB_add_u16(&cbb, record_len))
668 goto err;
669
670 if (!CBB_finish(&cbb, out, out_len))
671 goto err;
672
673 return 1;
674
675 err:
676 CBB_cleanup(&cbb);
677
678 return 0;
679}
680
681static int
682tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
683 EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type,
684 const uint8_t *content, size_t content_len, size_t *out_len)
685{
686 EVP_MD_CTX *mac_ctx = NULL;
687 uint8_t *header = NULL;
688 size_t header_len = 0;
689 size_t mac_len;
690 uint8_t *mac;
691 int ret = 0;
692
693 if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
694 goto err;
695 if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx))
696 goto err;
697
698 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
699 seq_num, &header, &header_len))
700 goto err;
701
702 if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0)
703 goto err;
704 if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0)
705 goto err;
706 if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0)
707 goto err;
708 if (!CBB_add_space(cbb, &mac, mac_len))
709 goto err;
710 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0)
711 goto err;
712 if (mac_len == 0)
713 goto err;
714
715 if (stream_mac) {
716 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx))
717 goto err;
718 }
719
720 *out_len = mac_len;
721 ret = 1;
722
723 err:
724 EVP_MD_CTX_free(mac_ctx);
725 freezero(header, header_len);
726
727 return ret;
728}
729
730static int
731tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb,
732 uint8_t content_type, CBS *seq_num, const uint8_t *content,
733 size_t content_len, size_t mac_len, size_t padding_len)
734{
735 uint8_t *header = NULL;
736 size_t header_len = 0;
737 uint8_t *mac = NULL;
738 size_t out_mac_len = 0;
739 int ret = 0;
740
741 /*
742 * Must be constant time to avoid leaking details about CBC padding.
743 */
744
745 if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx))
746 goto err;
747
748 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
749 seq_num, &header, &header_len))
750 goto err;
751
752 if (!CBB_add_space(cbb, &mac, mac_len))
753 goto err;
754 if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header,
755 content, content_len + mac_len, content_len + mac_len + padding_len,
756 rl->read->mac_key, rl->read->mac_key_len))
757 goto err;
758 if (mac_len != out_mac_len)
759 goto err;
760
761 ret = 1;
762
763 err:
764 freezero(header, header_len);
765
766 return ret;
767}
768
769static int
770tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb,
771 uint8_t content_type, CBS *seq_num, const uint8_t *content,
772 size_t content_len)
773{
774 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
775 size_t out_len;
776
777 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
778 return 0;
779
780 return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx,
781 rl->read->stream_mac, seq_num, content_type, content, content_len,
782 &out_len);
783}
784
785static int
786tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
787 uint8_t content_type, CBS *seq_num, const uint8_t *content,
788 size_t content_len, size_t *out_len)
789{
790 return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx,
791 rl->write->stream_mac, seq_num, content_type, content, content_len,
792 out_len);
793}
794
795static int
796tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
797 struct tls12_record_protection *rp, CBS *seq_num)
798{
799 CBB cbb;
800
801 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
802 return 0;
803
804 /* Fixed nonce and variable nonce (sequence number) are concatenated. */
805 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
806 goto err;
807 if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce,
808 rp->aead_fixed_nonce_len))
809 goto err;
810 if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
811 rp->aead_variable_nonce_len))
812 goto err;
813 if (!CBB_finish(&cbb, NULL, NULL))
814 goto err;
815
816 return 1;
817
818 err:
819 CBB_cleanup(&cbb);
820
821 return 0;
822}
823
824static int
825tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
826 struct tls12_record_protection *rp, CBS *seq_num)
827{
828 uint8_t *pad;
829 CBB cbb;
830 int i;
831
832 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
833 return 0;
834 if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len)
835 return 0;
836 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
837 return 0;
838
839 /*
840 * Variable nonce (sequence number) is right padded, before the fixed
841 * nonce is XOR'd in.
842 */
843 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
844 goto err;
845 if (!CBB_add_space(&cbb, &pad,
846 rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len))
847 goto err;
848 if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
849 rp->aead_variable_nonce_len))
850 goto err;
851 if (!CBB_finish(&cbb, NULL, NULL))
852 goto err;
853
854 for (i = 0; i < rp->aead_fixed_nonce_len; i++)
855 rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i];
856
857 return 1;
858
859 err:
860 CBB_cleanup(&cbb);
861
862 return 0;
863}
864
865static int
866tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl,
867 uint8_t content_type, CBS *fragment, struct tls_content *out)
868{
869 if (tls12_record_protection_engaged(rl->read))
870 return 0;
871
872 return tls_content_dup_data(out, content_type, CBS_data(fragment),
873 CBS_len(fragment));
874}
875
876static int
877tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
878 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
879{
880 struct tls12_record_protection *rp = rl->read;
881 uint8_t *header = NULL;
882 size_t header_len = 0;
883 uint8_t *content = NULL;
884 size_t content_len = 0;
885 size_t out_len = 0;
886 CBS var_nonce;
887 int ret = 0;
888
889 if (rp->aead_xor_nonces) {
890 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
891 goto err;
892 } else if (rp->aead_variable_nonce_in_record) {
893 if (!CBS_get_bytes(fragment, &var_nonce,
894 rp->aead_variable_nonce_len))
895 goto err;
896 if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce))
897 goto err;
898 } else {
899 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
900 goto err;
901 }
902
903 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
904 if (CBS_len(fragment) < rp->aead_tag_len) {
905 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
906 goto err;
907 }
908 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
909 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
910 goto err;
911 }
912
913 content_len = CBS_len(fragment) - rp->aead_tag_len;
914 if ((content = calloc(1, CBS_len(fragment))) == NULL) {
915 content_len = 0;
916 goto err;
917 }
918
919 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
920 seq_num, &header, &header_len))
921 goto err;
922
923 if (!EVP_AEAD_CTX_open(rp->aead_ctx, content, &out_len, content_len,
924 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment),
925 CBS_len(fragment), header, header_len)) {
926 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
927 goto err;
928 }
929
930 if (out_len > SSL3_RT_MAX_PLAIN_LENGTH) {
931 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
932 goto err;
933 }
934
935 if (out_len != content_len)
936 goto err;
937
938 tls_content_set_data(out, content_type, content, content_len);
939 content = NULL;
940 content_len = 0;
941
942 ret = 1;
943
944 err:
945 freezero(header, header_len);
946 freezero(content, content_len);
947
948 return ret;
949}
950
951static int
952tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
953 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
954{
955 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
956 SSL3_RECORD_INTERNAL rrec;
957 size_t block_size, eiv_len;
958 uint8_t *mac = NULL;
959 size_t mac_len = 0;
960 uint8_t *out_mac = NULL;
961 size_t out_mac_len = 0;
962 uint8_t *content = NULL;
963 size_t content_len = 0;
964 size_t min_len;
965 CBB cbb_mac;
966 int ret = 0;
967
968 memset(&cbb_mac, 0, sizeof(cbb_mac));
969 memset(&rrec, 0, sizeof(rrec));
970
971 if (!tls12_record_protection_block_size(rl->read, &block_size))
972 goto err;
973
974 /* Determine explicit IV length. */
975 eiv_len = 0;
976 if (rl->version != TLS1_VERSION) {
977 if (!tls12_record_protection_eiv_len(rl->read, &eiv_len))
978 goto err;
979 }
980
981 mac_len = 0;
982 if (rl->read->hash_ctx != NULL) {
983 if (!tls12_record_protection_mac_len(rl->read, &mac_len))
984 goto err;
985 }
986
987 /* CBC has at least one padding byte. */
988 min_len = eiv_len + mac_len;
989 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
990 min_len += 1;
991
992 if (CBS_len(fragment) < min_len) {
993 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
994 goto err;
995 }
996 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
997 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
998 goto err;
999 }
1000 if (CBS_len(fragment) % block_size != 0) {
1001 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
1002 goto err;
1003 }
1004
1005 if ((content = calloc(1, CBS_len(fragment))) == NULL)
1006 goto err;
1007 content_len = CBS_len(fragment);
1008
1009 if (!EVP_Cipher(enc, content, CBS_data(fragment), CBS_len(fragment)))
1010 goto err;
1011
1012 rrec.data = content;
1013 rrec.input = content;
1014 rrec.length = content_len;
1015
1016 /*
1017 * We now have to remove padding, extract MAC, calculate MAC
1018 * and compare MAC in constant time.
1019 */
1020 if (block_size > 1)
1021 ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len);
1022
1023 if ((mac = calloc(1, mac_len)) == NULL)
1024 goto err;
1025
1026 if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE))
1027 goto err;
1028 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) {
1029 ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length +
1030 rrec.padding_length);
1031 rrec.length -= mac_len;
1032 if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type,
1033 seq_num, rrec.input, rrec.length, mac_len,
1034 rrec.padding_length))
1035 goto err;
1036 } else {
1037 rrec.length -= mac_len;
1038 memcpy(mac, rrec.data + rrec.length, mac_len);
1039 if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type,
1040 seq_num, rrec.input, rrec.length))
1041 goto err;
1042 }
1043 if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len))
1044 goto err;
1045 if (mac_len != out_mac_len)
1046 goto err;
1047
1048 if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) {
1049 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
1050 goto err;
1051 }
1052
1053 if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) {
1054 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
1055 goto err;
1056 }
1057 if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) {
1058 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
1059 goto err;
1060 }
1061
1062 tls_content_set_data(out, content_type, content, content_len);
1063 content = NULL;
1064 content_len = 0;
1065
1066 /* Actual content is after EIV, minus padding and MAC. */
1067 if (!tls_content_set_bounds(out, eiv_len, rrec.length))
1068 goto err;
1069
1070 ret = 1;
1071
1072 err:
1073 CBB_cleanup(&cbb_mac);
1074 freezero(mac, mac_len);
1075 freezero(out_mac, out_mac_len);
1076 freezero(content, content_len);
1077
1078 return ret;
1079}
1080
1081int
1082tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
1083 size_t buf_len, struct tls_content *out)
1084{
1085 CBS cbs, fragment, seq_num;
1086 uint16_t version;
1087 uint8_t content_type;
1088
1089 CBS_init(&cbs, buf, buf_len);
1090 CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num));
1091
1092 if (!CBS_get_u8(&cbs, &content_type))
1093 return 0;
1094 if (!CBS_get_u16(&cbs, &version))
1095 return 0;
1096 if (rl->dtls) {
1097 /*
1098 * The DTLS sequence number is split into a 16 bit epoch and
1099 * 48 bit sequence number, however for the purposes of record
1100 * processing it is treated the same as a TLS 64 bit sequence
1101 * number. DTLS also uses explicit read sequence numbers, which
1102 * we need to extract from the DTLS record header.
1103 */
1104 if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE))
1105 return 0;
1106 if (!CBS_write_bytes(&seq_num, rl->read->seq_num,
1107 sizeof(rl->read->seq_num), NULL))
1108 return 0;
1109 }
1110 if (!CBS_get_u16_length_prefixed(&cbs, &fragment))
1111 return 0;
1112
1113 if (rl->read->aead_ctx != NULL) {
1114 if (!tls12_record_layer_open_record_protected_aead(rl,
1115 content_type, &seq_num, &fragment, out))
1116 return 0;
1117 } else if (rl->read->cipher_ctx != NULL) {
1118 if (!tls12_record_layer_open_record_protected_cipher(rl,
1119 content_type, &seq_num, &fragment, out))
1120 return 0;
1121 } else {
1122 if (!tls12_record_layer_open_record_plaintext(rl,
1123 content_type, &fragment, out))
1124 return 0;
1125 }
1126
1127 if (!rl->dtls) {
1128 if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num))
1129 return 0;
1130 }
1131
1132 return 1;
1133}
1134
1135static int
1136tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl,
1137 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out)
1138{
1139 if (tls12_record_protection_engaged(rl->write))
1140 return 0;
1141
1142 return CBB_add_bytes(out, content, content_len);
1143}
1144
1145static int
1146tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl,
1147 uint8_t content_type, CBS *seq_num, const uint8_t *content,
1148 size_t content_len, CBB *out)
1149{
1150 struct tls12_record_protection *rp = rl->write;
1151 uint8_t *header = NULL;
1152 size_t header_len = 0;
1153 size_t enc_record_len, out_len;
1154 uint8_t *enc_data;
1155 int ret = 0;
1156
1157 if (rp->aead_xor_nonces) {
1158 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
1159 goto err;
1160 } else {
1161 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
1162 goto err;
1163 }
1164
1165 if (rp->aead_variable_nonce_in_record) {
1166 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
1167 goto err;
1168 if (!CBB_add_bytes(out, CBS_data(seq_num),
1169 rp->aead_variable_nonce_len))
1170 goto err;
1171 }
1172
1173 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
1174 seq_num, &header, &header_len))
1175 goto err;
1176
1177 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
1178 enc_record_len = content_len + rp->aead_tag_len;
1179 if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1180 goto err;
1181 if (!CBB_add_space(out, &enc_data, enc_record_len))
1182 goto err;
1183
1184 if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len,
1185 rp->aead_nonce, rp->aead_nonce_len, content, content_len, header,
1186 header_len))
1187 goto err;
1188
1189 if (out_len != enc_record_len)
1190 goto err;
1191
1192 ret = 1;
1193
1194 err:
1195 freezero(header, header_len);
1196
1197 return ret;
1198}
1199
1200static int
1201tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl,
1202 uint8_t content_type, CBS *seq_num, const uint8_t *content,
1203 size_t content_len, CBB *out)
1204{
1205 EVP_CIPHER_CTX *enc = rl->write->cipher_ctx;
1206 size_t block_size, eiv_len, mac_len, pad_len;
1207 uint8_t *enc_data, *eiv, *pad, pad_val;
1208 uint8_t *plain = NULL;
1209 size_t plain_len = 0;
1210 int ret = 0;
1211 CBB cbb;
1212
1213 if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH))
1214 goto err;
1215
1216 /* Add explicit IV if necessary. */
1217 eiv_len = 0;
1218 if (rl->version != TLS1_VERSION) {
1219 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
1220 goto err;
1221 }
1222 if (eiv_len > 0) {
1223 if (!CBB_add_space(&cbb, &eiv, eiv_len))
1224 goto err;
1225 arc4random_buf(eiv, eiv_len);
1226 }
1227
1228 if (!CBB_add_bytes(&cbb, content, content_len))
1229 goto err;
1230
1231 mac_len = 0;
1232 if (rl->write->hash_ctx != NULL) {
1233 if (!tls12_record_layer_write_mac(rl, &cbb, content_type,
1234 seq_num, content, content_len, &mac_len))
1235 goto err;
1236 }
1237
1238 plain_len = eiv_len + content_len + mac_len;
1239
1240 /* Add padding to block size, if necessary. */
1241 if (!tls12_record_protection_block_size(rl->write, &block_size))
1242 goto err;
1243 if (block_size > 1) {
1244 pad_len = block_size - (plain_len % block_size);
1245 pad_val = pad_len - 1;
1246
1247 if (pad_len > 255)
1248 goto err;
1249 if (!CBB_add_space(&cbb, &pad, pad_len))
1250 goto err;
1251 memset(pad, pad_val, pad_len);
1252 }
1253
1254 if (!CBB_finish(&cbb, &plain, &plain_len))
1255 goto err;
1256
1257 if (plain_len % block_size != 0)
1258 goto err;
1259 if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1260 goto err;
1261
1262 if (!CBB_add_space(out, &enc_data, plain_len))
1263 goto err;
1264 if (!EVP_Cipher(enc, enc_data, plain, plain_len))
1265 goto err;
1266
1267 ret = 1;
1268
1269 err:
1270 CBB_cleanup(&cbb);
1271 freezero(plain, plain_len);
1272
1273 return ret;
1274}
1275
1276int
1277tls12_record_layer_seal_record(struct tls12_record_layer *rl,
1278 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb)
1279{
1280 uint8_t *seq_num_data = NULL;
1281 size_t seq_num_len = 0;
1282 CBB fragment, seq_num_cbb;
1283 CBS seq_num;
1284 int ret = 0;
1285
1286 /*
1287 * Construct the effective sequence number - this is used in both
1288 * the DTLS header and for MAC calculations.
1289 */
1290 if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE))
1291 goto err;
1292 if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch,
1293 rl->write->seq_num, sizeof(rl->write->seq_num)))
1294 goto err;
1295 if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len))
1296 goto err;
1297 CBS_init(&seq_num, seq_num_data, seq_num_len);
1298
1299 if (!CBB_add_u8(cbb, content_type))
1300 goto err;
1301 if (!CBB_add_u16(cbb, rl->version))
1302 goto err;
1303 if (rl->dtls) {
1304 if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num)))
1305 goto err;
1306 }
1307 if (!CBB_add_u16_length_prefixed(cbb, &fragment))
1308 goto err;
1309
1310 if (rl->write->aead_ctx != NULL) {
1311 if (!tls12_record_layer_seal_record_protected_aead(rl,
1312 content_type, &seq_num, content, content_len, &fragment))
1313 goto err;
1314 } else if (rl->write->cipher_ctx != NULL) {
1315 if (!tls12_record_layer_seal_record_protected_cipher(rl,
1316 content_type, &seq_num, content, content_len, &fragment))
1317 goto err;
1318 } else {
1319 if (!tls12_record_layer_seal_record_plaintext(rl,
1320 content_type, content, content_len, &fragment))
1321 goto err;
1322 }
1323
1324 if (!CBB_flush(cbb))
1325 goto err;
1326
1327 if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num))
1328 goto err;
1329
1330 ret = 1;
1331
1332 err:
1333 CBB_cleanup(&seq_num_cbb);
1334 free(seq_num_data);
1335
1336 return ret;
1337}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-11 23:50:41 +0000