diff options
| author | jsing <> | 2021-01-13 18:20:54 +0000 |
|---|---|---|
| committer | jsing <> | 2021-01-13 18:20:54 +0000 |
| commit | 9a0dba9f6be22dea02c323e4d3a7d4a5dde36ea4 (patch) | |
| tree | 65b71b1e9d3928028351a0aee3a2d427b47d8dff /src/lib | |
| parent | 4f375cd7c6652350830e386787ddf80aedd74b45 (diff) | |
| download | openbsd-9a0dba9f6be22dea02c323e4d3a7d4a5dde36ea4.tar.gz openbsd-9a0dba9f6be22dea02c323e4d3a7d4a5dde36ea4.tar.bz2 openbsd-9a0dba9f6be22dea02c323e4d3a7d4a5dde36ea4.zip | |
Clean up sequence number handing in the new TLSv1.2 record layer.
Handle protocol specific (DTLS vs TLS) sequence number differences in the
open/seal record functions and propagate the sequence number through to
the called functions. This means that DTLS specific knowledge is limited
to two functions and also avoids building sequence numbers multiple times
over. As a result, the DTLS explicit sequence number is now extracted from
the record header and passed through for processing, which makes the read
epoch handling redundant.
ok inoguchi@ tb@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/d1_pkt.c | 3 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 4 | ||||
| -rw-r--r-- | src/lib/libssl/tls12_record_layer.c | 151 |
3 files changed, 89 insertions, 69 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index 30ce78414d..4c450d2cb9 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: d1_pkt.c,v 1.85 2020/10/03 17:35:16 jsing Exp $ */ | 1 | /* $OpenBSD: d1_pkt.c,v 1.86 2021/01/13 18:20:54 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * DTLS implementation written by Nagendra Modadugu | 3 | * DTLS implementation written by Nagendra Modadugu |
| 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. | 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
| @@ -316,7 +316,6 @@ dtls1_process_record(SSL *s) | |||
| 316 | size_t out_len; | 316 | size_t out_len; |
| 317 | 317 | ||
| 318 | tls12_record_layer_set_version(s->internal->rl, s->version); | 318 | tls12_record_layer_set_version(s->internal->rl, s->version); |
| 319 | tls12_record_layer_set_read_epoch(s->internal->rl, rr->epoch); | ||
| 320 | 319 | ||
| 321 | if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet, | 320 | if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet, |
| 322 | s->internal->packet_length, &out, &out_len)) { | 321 | s->internal->packet_length, &out, &out_len)) { |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 5c646d2208..560fcdc1a4 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.311 2021/01/07 15:32:59 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.312 2021/01/13 18:20:54 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -479,8 +479,6 @@ void tls12_record_layer_alert(struct tls12_record_layer *rl, | |||
| 479 | uint8_t *alert_desc); | 479 | uint8_t *alert_desc); |
| 480 | void tls12_record_layer_set_version(struct tls12_record_layer *rl, | 480 | void tls12_record_layer_set_version(struct tls12_record_layer *rl, |
| 481 | uint16_t version); | 481 | uint16_t version); |
| 482 | void tls12_record_layer_set_read_epoch(struct tls12_record_layer *rl, | ||
| 483 | uint16_t epoch); | ||
| 484 | void tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, | 482 | void tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, |
| 485 | uint16_t epoch); | 483 | uint16_t epoch); |
| 486 | void tls12_record_layer_clear_read_state(struct tls12_record_layer *rl); | 484 | void tls12_record_layer_clear_read_state(struct tls12_record_layer *rl); |
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c index 2b331355be..50311a3d84 100644 --- a/src/lib/libssl/tls12_record_layer.c +++ b/src/lib/libssl/tls12_record_layer.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls12_record_layer.c,v 1.8 2021/01/12 17:47:20 jsing Exp $ */ | 1 | /* $OpenBSD: tls12_record_layer.c,v 1.9 2021/01/13 18:20:54 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -114,12 +114,6 @@ tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) | |||
| 114 | } | 114 | } |
| 115 | 115 | ||
| 116 | void | 116 | void |
| 117 | tls12_record_layer_set_read_epoch(struct tls12_record_layer *rl, uint16_t epoch) | ||
| 118 | { | ||
| 119 | rl->read->epoch = epoch; | ||
| 120 | } | ||
| 121 | |||
| 122 | void | ||
| 123 | tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) | 117 | tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) |
| 124 | { | 118 | { |
| 125 | rl->write->epoch = epoch; | 119 | rl->write->epoch = epoch; |
| @@ -256,8 +250,8 @@ tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, | |||
| 256 | 250 | ||
| 257 | static int | 251 | static int |
| 258 | tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, | 252 | tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, |
| 259 | uint8_t content_type, uint16_t record_len, uint16_t epoch, uint8_t *seq_num, | 253 | uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out, |
| 260 | size_t seq_num_len, uint8_t **out, size_t *out_len) | 254 | size_t *out_len) |
| 261 | { | 255 | { |
| 262 | CBB cbb; | 256 | CBB cbb; |
| 263 | 257 | ||
| @@ -268,8 +262,7 @@ tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, | |||
| 268 | if (!CBB_init(&cbb, 13)) | 262 | if (!CBB_init(&cbb, 13)) |
| 269 | goto err; | 263 | goto err; |
| 270 | 264 | ||
| 271 | if (!tls12_record_layer_build_seq_num(rl, &cbb, epoch, | 265 | if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num))) |
| 272 | seq_num, seq_num_len)) | ||
| 273 | goto err; | 266 | goto err; |
| 274 | if (!CBB_add_u8(&cbb, content_type)) | 267 | if (!CBB_add_u8(&cbb, content_type)) |
| 275 | goto err; | 268 | goto err; |
| @@ -291,9 +284,8 @@ tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, | |||
| 291 | 284 | ||
| 292 | static int | 285 | static int |
| 293 | tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, | 286 | tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, |
| 294 | EVP_MD_CTX *hash_ctx, int stream_mac, uint16_t epoch, uint8_t *seq_num, | 287 | EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type, |
| 295 | size_t seq_num_len, uint8_t content_type, const uint8_t *content, | 288 | const uint8_t *content, size_t content_len, size_t *out_len) |
| 296 | size_t content_len, size_t *out_len) | ||
| 297 | { | 289 | { |
| 298 | EVP_MD_CTX *mac_ctx = NULL; | 290 | EVP_MD_CTX *mac_ctx = NULL; |
| 299 | uint8_t *header = NULL; | 291 | uint8_t *header = NULL; |
| @@ -308,7 +300,7 @@ tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, | |||
| 308 | goto err; | 300 | goto err; |
| 309 | 301 | ||
| 310 | if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, | 302 | if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, |
| 311 | epoch, seq_num, seq_num_len, &header, &header_len)) | 303 | seq_num, &header, &header_len)) |
| 312 | goto err; | 304 | goto err; |
| 313 | 305 | ||
| 314 | if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0) | 306 | if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0) |
| @@ -341,8 +333,8 @@ tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, | |||
| 341 | 333 | ||
| 342 | static int | 334 | static int |
| 343 | tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, | 335 | tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, |
| 344 | uint8_t content_type, const uint8_t *content, size_t content_len, | 336 | uint8_t content_type, CBS *seq_num, const uint8_t *content, |
| 345 | size_t mac_len, size_t padding_len) | 337 | size_t content_len, size_t mac_len, size_t padding_len) |
| 346 | { | 338 | { |
| 347 | uint8_t *header = NULL; | 339 | uint8_t *header = NULL; |
| 348 | size_t header_len = 0; | 340 | size_t header_len = 0; |
| @@ -358,8 +350,7 @@ tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, | |||
| 358 | goto err; | 350 | goto err; |
| 359 | 351 | ||
| 360 | if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, | 352 | if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, |
| 361 | rl->read->epoch, rl->read->seq_num, SSL3_SEQUENCE_SIZE, | 353 | seq_num, &header, &header_len)) |
| 362 | &header, &header_len)) | ||
| 363 | goto err; | 354 | goto err; |
| 364 | 355 | ||
| 365 | if (!CBB_add_space(cbb, &mac, mac_len)) | 356 | if (!CBB_add_space(cbb, &mac, mac_len)) |
| @@ -381,7 +372,8 @@ tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, | |||
| 381 | 372 | ||
| 382 | static int | 373 | static int |
| 383 | tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb, | 374 | tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb, |
| 384 | uint8_t content_type, const uint8_t *content, size_t content_len) | 375 | uint8_t content_type, CBS *seq_num, const uint8_t *content, |
| 376 | size_t content_len) | ||
| 385 | { | 377 | { |
| 386 | EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; | 378 | EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; |
| 387 | size_t out_len; | 379 | size_t out_len; |
| @@ -390,18 +382,18 @@ tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb, | |||
| 390 | return 0; | 382 | return 0; |
| 391 | 383 | ||
| 392 | return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx, | 384 | return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx, |
| 393 | rl->read->stream_mac, rl->read->epoch, rl->read->seq_num, | 385 | rl->read->stream_mac, seq_num, content_type, content, content_len, |
| 394 | SSL3_SEQUENCE_SIZE, content_type, content, content_len, &out_len); | 386 | &out_len); |
| 395 | } | 387 | } |
| 396 | 388 | ||
| 397 | static int | 389 | static int |
| 398 | tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, | 390 | tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, |
| 399 | uint8_t content_type, const uint8_t *content, size_t content_len, | 391 | uint8_t content_type, CBS *seq_num, const uint8_t *content, |
| 400 | size_t *out_len) | 392 | size_t content_len, size_t *out_len) |
| 401 | { | 393 | { |
| 402 | return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx, | 394 | return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx, |
| 403 | rl->write->stream_mac, rl->write->epoch, rl->write->seq_num, | 395 | rl->write->stream_mac, seq_num, content_type, content, content_len, |
| 404 | SSL3_SEQUENCE_SIZE, content_type, content, content_len, out_len); | 396 | out_len); |
| 405 | } | 397 | } |
| 406 | 398 | ||
| 407 | static int | 399 | static int |
| @@ -494,21 +486,21 @@ tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, | |||
| 494 | 486 | ||
| 495 | static int | 487 | static int |
| 496 | tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, | 488 | tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, |
| 497 | uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len) | 489 | uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, |
| 490 | size_t *out_len) | ||
| 498 | { | 491 | { |
| 499 | const SSL_AEAD_CTX *aead = rl->read->aead_ctx; | 492 | const SSL_AEAD_CTX *aead = rl->read->aead_ctx; |
| 500 | uint8_t *header = NULL, *nonce = NULL; | 493 | uint8_t *header = NULL, *nonce = NULL; |
| 501 | size_t header_len = 0, nonce_len = 0; | 494 | size_t header_len = 0, nonce_len = 0; |
| 502 | uint8_t *plain; | 495 | uint8_t *plain; |
| 503 | size_t plain_len; | 496 | size_t plain_len; |
| 504 | uint16_t epoch = 0; | ||
| 505 | CBS var_nonce; | 497 | CBS var_nonce; |
| 506 | int ret = 0; | 498 | int ret = 0; |
| 507 | 499 | ||
| 508 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ | 500 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ |
| 509 | if (aead->xor_fixed_nonce) { | 501 | if (aead->xor_fixed_nonce) { |
| 510 | if (!tls12_record_layer_aead_xored_nonce(rl, aead, | 502 | if (!tls12_record_layer_aead_xored_nonce(rl, aead, |
| 511 | rl->read->seq_num, &nonce, &nonce_len)) | 503 | CBS_data(seq_num), &nonce, &nonce_len)) |
| 512 | goto err; | 504 | goto err; |
| 513 | } else if (aead->variable_nonce_in_record) { | 505 | } else if (aead->variable_nonce_in_record) { |
| 514 | if (!CBS_get_bytes(fragment, &var_nonce, | 506 | if (!CBS_get_bytes(fragment, &var_nonce, |
| @@ -519,7 +511,7 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, | |||
| 519 | goto err; | 511 | goto err; |
| 520 | } else { | 512 | } else { |
| 521 | if (!tls12_record_layer_aead_concat_nonce(rl, aead, | 513 | if (!tls12_record_layer_aead_concat_nonce(rl, aead, |
| 522 | rl->read->seq_num, &nonce, &nonce_len)) | 514 | CBS_data(seq_num), &nonce, &nonce_len)) |
| 523 | goto err; | 515 | goto err; |
| 524 | } | 516 | } |
| 525 | 517 | ||
| @@ -538,7 +530,7 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, | |||
| 538 | plain_len = CBS_len(fragment) - aead->tag_len; | 530 | plain_len = CBS_len(fragment) - aead->tag_len; |
| 539 | 531 | ||
| 540 | if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, | 532 | if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, |
| 541 | epoch, rl->read->seq_num, SSL3_SEQUENCE_SIZE, &header, &header_len)) | 533 | seq_num, &header, &header_len)) |
| 542 | goto err; | 534 | goto err; |
| 543 | 535 | ||
| 544 | if (!EVP_AEAD_CTX_open(&aead->ctx, plain, out_len, plain_len, | 536 | if (!EVP_AEAD_CTX_open(&aead->ctx, plain, out_len, plain_len, |
| @@ -569,7 +561,8 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, | |||
| 569 | 561 | ||
| 570 | static int | 562 | static int |
| 571 | tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, | 563 | tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, |
| 572 | uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len) | 564 | uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, |
| 565 | size_t *out_len) | ||
| 573 | { | 566 | { |
| 574 | EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; | 567 | EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; |
| 575 | SSL3_RECORD_INTERNAL rrec; | 568 | SSL3_RECORD_INTERNAL rrec; |
| @@ -651,13 +644,14 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, | |||
| 651 | rrec.padding_length); | 644 | rrec.padding_length); |
| 652 | rrec.length -= mac_len; | 645 | rrec.length -= mac_len; |
| 653 | if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type, | 646 | if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type, |
| 654 | rrec.input, rrec.length, mac_len, rrec.padding_length)) | 647 | seq_num, rrec.input, rrec.length, mac_len, |
| 648 | rrec.padding_length)) | ||
| 655 | goto err; | 649 | goto err; |
| 656 | } else { | 650 | } else { |
| 657 | rrec.length -= mac_len; | 651 | rrec.length -= mac_len; |
| 658 | memcpy(mac, rrec.data + rrec.length, mac_len); | 652 | memcpy(mac, rrec.data + rrec.length, mac_len); |
| 659 | if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type, | 653 | if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type, |
| 660 | rrec.input, rrec.length)) | 654 | seq_num, rrec.input, rrec.length)) |
| 661 | goto err; | 655 | goto err; |
| 662 | } | 656 | } |
| 663 | if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len)) | 657 | if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len)) |
| @@ -696,20 +690,26 @@ int | |||
| 696 | tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, | 690 | tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, |
| 697 | size_t buf_len, uint8_t **out, size_t *out_len) | 691 | size_t buf_len, uint8_t **out, size_t *out_len) |
| 698 | { | 692 | { |
| 699 | CBS cbs, fragment, seq_no; | 693 | CBS cbs, fragment, seq_num; |
| 700 | uint16_t epoch, version; | 694 | uint16_t version; |
| 701 | uint8_t content_type; | 695 | uint8_t content_type; |
| 702 | 696 | ||
| 703 | CBS_init(&cbs, buf, buf_len); | 697 | CBS_init(&cbs, buf, buf_len); |
| 698 | CBS_init(&seq_num, rl->read->seq_num, SSL3_SEQUENCE_SIZE); | ||
| 704 | 699 | ||
| 705 | if (!CBS_get_u8(&cbs, &content_type)) | 700 | if (!CBS_get_u8(&cbs, &content_type)) |
| 706 | return 0; | 701 | return 0; |
| 707 | if (!CBS_get_u16(&cbs, &version)) | 702 | if (!CBS_get_u16(&cbs, &version)) |
| 708 | return 0; | 703 | return 0; |
| 709 | if (rl->dtls) { | 704 | if (rl->dtls) { |
| 710 | if (!CBS_get_u16(&cbs, &epoch)) | 705 | /* |
| 711 | return 0; | 706 | * The DTLS sequence number is split into a 16 bit epoch and |
| 712 | if (!CBS_get_bytes(&cbs, &seq_no, 6)) | 707 | * 48 bit sequence number, however for the purposes of record |
| 708 | * processing it is treated the same as a TLS 64 bit sequence | ||
| 709 | * number. DTLS also uses explicit read sequence numbers, which | ||
| 710 | * we need to extract from the DTLS record header. | ||
| 711 | */ | ||
| 712 | if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE)) | ||
| 713 | return 0; | 713 | return 0; |
| 714 | } | 714 | } |
| 715 | if (!CBS_get_u16_length_prefixed(&cbs, &fragment)) | 715 | if (!CBS_get_u16_length_prefixed(&cbs, &fragment)) |
| @@ -717,11 +717,11 @@ tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, | |||
| 717 | 717 | ||
| 718 | if (rl->read->aead_ctx != NULL) { | 718 | if (rl->read->aead_ctx != NULL) { |
| 719 | if (!tls12_record_layer_open_record_protected_aead(rl, | 719 | if (!tls12_record_layer_open_record_protected_aead(rl, |
| 720 | content_type, &fragment, out, out_len)) | 720 | content_type, &seq_num, &fragment, out, out_len)) |
| 721 | return 0; | 721 | return 0; |
| 722 | } else if (rl->read->cipher_ctx != NULL) { | 722 | } else if (rl->read->cipher_ctx != NULL) { |
| 723 | if (!tls12_record_layer_open_record_protected_cipher(rl, | 723 | if (!tls12_record_layer_open_record_protected_cipher(rl, |
| 724 | content_type, &fragment, out, out_len)) | 724 | content_type, &seq_num, &fragment, out, out_len)) |
| 725 | return 0; | 725 | return 0; |
| 726 | } else { | 726 | } else { |
| 727 | if (!tls12_record_layer_open_record_plaintext(rl, | 727 | if (!tls12_record_layer_open_record_plaintext(rl, |
| @@ -747,35 +747,36 @@ tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, | |||
| 747 | 747 | ||
| 748 | static int | 748 | static int |
| 749 | tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, | 749 | tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, |
| 750 | uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) | 750 | uint8_t content_type, CBS *seq_num, const uint8_t *content, |
| 751 | size_t content_len, CBB *out) | ||
| 751 | { | 752 | { |
| 752 | const SSL_AEAD_CTX *aead = rl->write->aead_ctx; | 753 | const SSL_AEAD_CTX *aead = rl->write->aead_ctx; |
| 753 | uint8_t *header = NULL, *nonce = NULL; | 754 | uint8_t *header = NULL, *nonce = NULL; |
| 754 | size_t header_len = 0, nonce_len = 0; | 755 | size_t header_len = 0, nonce_len = 0; |
| 755 | size_t enc_record_len, out_len; | 756 | size_t enc_record_len, out_len; |
| 756 | uint16_t epoch = 0; | ||
| 757 | uint8_t *enc_data; | 757 | uint8_t *enc_data; |
| 758 | int ret = 0; | 758 | int ret = 0; |
| 759 | 759 | ||
| 760 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ | 760 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ |
| 761 | if (aead->xor_fixed_nonce) { | 761 | if (aead->xor_fixed_nonce) { |
| 762 | if (!tls12_record_layer_aead_xored_nonce(rl, aead, | 762 | if (!tls12_record_layer_aead_xored_nonce(rl, aead, |
| 763 | rl->write->seq_num, &nonce, &nonce_len)) | 763 | CBS_data(seq_num), &nonce, &nonce_len)) |
| 764 | goto err; | 764 | goto err; |
| 765 | } else { | 765 | } else { |
| 766 | if (!tls12_record_layer_aead_concat_nonce(rl, aead, | 766 | if (!tls12_record_layer_aead_concat_nonce(rl, aead, |
| 767 | rl->write->seq_num, &nonce, &nonce_len)) | 767 | CBS_data(seq_num), &nonce, &nonce_len)) |
| 768 | goto err; | 768 | goto err; |
| 769 | } | 769 | } |
| 770 | 770 | ||
| 771 | if (aead->variable_nonce_in_record) { | 771 | if (aead->variable_nonce_in_record) { |
| 772 | /* XXX - length check? */ | 772 | /* XXX - length check? */ |
| 773 | if (!CBB_add_bytes(out, rl->write->seq_num, aead->variable_nonce_len)) | 773 | if (!CBB_add_bytes(out, CBS_data(seq_num), |
| 774 | aead->variable_nonce_len)) | ||
| 774 | goto err; | 775 | goto err; |
| 775 | } | 776 | } |
| 776 | 777 | ||
| 777 | if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, | 778 | if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, |
| 778 | epoch, rl->write->seq_num, SSL3_SEQUENCE_SIZE, &header, &header_len)) | 779 | seq_num, &header, &header_len)) |
| 779 | goto err; | 780 | goto err; |
| 780 | 781 | ||
| 781 | /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ | 782 | /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ |
| @@ -803,7 +804,8 @@ tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, | |||
| 803 | 804 | ||
| 804 | static int | 805 | static int |
| 805 | tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, | 806 | tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, |
| 806 | uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) | 807 | uint8_t content_type, CBS *seq_num, const uint8_t *content, |
| 808 | size_t content_len, CBB *out) | ||
| 807 | { | 809 | { |
| 808 | EVP_CIPHER_CTX *enc = rl->write->cipher_ctx; | 810 | EVP_CIPHER_CTX *enc = rl->write->cipher_ctx; |
| 809 | size_t mac_len, pad_len; | 811 | size_t mac_len, pad_len; |
| @@ -836,7 +838,7 @@ tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, | |||
| 836 | mac_len = 0; | 838 | mac_len = 0; |
| 837 | if (rl->write->hash_ctx != NULL) { | 839 | if (rl->write->hash_ctx != NULL) { |
| 838 | if (!tls12_record_layer_write_mac(rl, &cbb, content_type, | 840 | if (!tls12_record_layer_write_mac(rl, &cbb, content_type, |
| 839 | content, content_len, &mac_len)) | 841 | seq_num, content, content_len, &mac_len)) |
| 840 | goto err; | 842 | goto err; |
| 841 | } | 843 | } |
| 842 | 844 | ||
| @@ -883,39 +885,60 @@ int | |||
| 883 | tls12_record_layer_seal_record(struct tls12_record_layer *rl, | 885 | tls12_record_layer_seal_record(struct tls12_record_layer *rl, |
| 884 | uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb) | 886 | uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb) |
| 885 | { | 887 | { |
| 886 | CBB fragment; | 888 | uint8_t *seq_num_data = NULL; |
| 889 | size_t seq_num_len = 0; | ||
| 890 | CBB fragment, seq_num_cbb; | ||
| 891 | CBS seq_num; | ||
| 892 | int ret = 0; | ||
| 893 | |||
| 894 | /* | ||
| 895 | * Construct the effective sequence number - this is used in both | ||
| 896 | * the DTLS header and for MAC calculations. | ||
| 897 | */ | ||
| 898 | if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE)) | ||
| 899 | goto err; | ||
| 900 | if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch, | ||
| 901 | rl->write->seq_num, SSL3_SEQUENCE_SIZE)) | ||
| 902 | goto err; | ||
| 903 | if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len)) | ||
| 904 | goto err; | ||
| 905 | CBS_init(&seq_num, seq_num_data, seq_num_len); | ||
| 887 | 906 | ||
| 888 | if (!CBB_add_u8(cbb, content_type)) | 907 | if (!CBB_add_u8(cbb, content_type)) |
| 889 | return 0; | 908 | goto err; |
| 890 | if (!CBB_add_u16(cbb, rl->version)) | 909 | if (!CBB_add_u16(cbb, rl->version)) |
| 891 | return 0; | 910 | goto err; |
| 892 | if (rl->dtls) { | 911 | if (rl->dtls) { |
| 893 | if (!tls12_record_layer_build_seq_num(rl, cbb, | 912 | if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num))) |
| 894 | rl->write->epoch, rl->write->seq_num, | 913 | goto err; |
| 895 | SSL3_SEQUENCE_SIZE)) | ||
| 896 | return 0; | ||
| 897 | } | 914 | } |
| 898 | if (!CBB_add_u16_length_prefixed(cbb, &fragment)) | 915 | if (!CBB_add_u16_length_prefixed(cbb, &fragment)) |
| 899 | return 0; | 916 | goto err; |
| 900 | 917 | ||
| 901 | if (rl->write->aead_ctx != NULL) { | 918 | if (rl->write->aead_ctx != NULL) { |
| 902 | if (!tls12_record_layer_seal_record_protected_aead(rl, | 919 | if (!tls12_record_layer_seal_record_protected_aead(rl, |
| 903 | content_type, content, content_len, &fragment)) | 920 | content_type, &seq_num, content, content_len, &fragment)) |
| 904 | return 0; | 921 | goto err; |
| 905 | } else if (rl->write->cipher_ctx != NULL) { | 922 | } else if (rl->write->cipher_ctx != NULL) { |
| 906 | if (!tls12_record_layer_seal_record_protected_cipher(rl, | 923 | if (!tls12_record_layer_seal_record_protected_cipher(rl, |
| 907 | content_type, content, content_len, &fragment)) | 924 | content_type, &seq_num, content, content_len, &fragment)) |
| 908 | return 0; | 925 | goto err; |
| 909 | } else { | 926 | } else { |
| 910 | if (!tls12_record_layer_seal_record_plaintext(rl, | 927 | if (!tls12_record_layer_seal_record_plaintext(rl, |
| 911 | content_type, content, content_len, &fragment)) | 928 | content_type, content, content_len, &fragment)) |
| 912 | return 0; | 929 | goto err; |
| 913 | } | 930 | } |
| 914 | 931 | ||
| 915 | if (!CBB_flush(cbb)) | 932 | if (!CBB_flush(cbb)) |
| 916 | return 0; | 933 | goto err; |
| 917 | 934 | ||
| 918 | tls1_record_sequence_increment(rl->write->seq_num); | 935 | tls1_record_sequence_increment(rl->write->seq_num); |
| 919 | 936 | ||
| 920 | return 1; | 937 | ret = 1; |
| 938 | |||
| 939 | err: | ||
| 940 | CBB_cleanup(&seq_num_cbb); | ||
| 941 | free(seq_num_data); | ||
| 942 | |||
| 943 | return ret; | ||
| 921 | } | 944 | } |