diff options
| author | jsing <> | 2021-06-14 14:22:52 +0000 |
|---|---|---|
| committer | jsing <> | 2021-06-14 14:22:52 +0000 |
| commit | eb169b8d33525f2c68a82e98b035a3ca5650ba28 (patch) | |
| tree | 4f7ecd3fbbe4346e050c2d052fbb7567b13dcc8c /src | |
| parent | a6498ae7dc7f3a7fb5172387281096d052ca28aa (diff) | |
| download | openbsd-eb169b8d33525f2c68a82e98b035a3ca5650ba28.tar.gz openbsd-eb169b8d33525f2c68a82e98b035a3ca5650ba28.tar.bz2 openbsd-eb169b8d33525f2c68a82e98b035a3ca5650ba28.zip | |
Simplify nonce handling in the TLSv1.2 record layer.
Pass the CBS for the sequence number through, which also allows us to do
more sensible length checks. Also, add a missing length check while here.
ok inoguchi@ tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/tls12_record_layer.c | 29 |
1 files changed, 16 insertions, 13 deletions
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c index 06d1af9def..481680d9cc 100644 --- a/src/lib/libssl/tls12_record_layer.c +++ b/src/lib/libssl/tls12_record_layer.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls12_record_layer.c,v 1.30 2021/05/16 15:49:01 jsing Exp $ */ | 1 | /* $OpenBSD: tls12_record_layer.c,v 1.31 2021/06/14 14:22:52 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -780,12 +780,12 @@ tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, | |||
| 780 | 780 | ||
| 781 | static int | 781 | static int |
| 782 | tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, | 782 | tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, |
| 783 | struct tls12_record_protection *rp, const uint8_t *seq_num, | 783 | struct tls12_record_protection *rp, CBS *seq_num, |
| 784 | uint8_t **out, size_t *out_len) | 784 | uint8_t **out, size_t *out_len) |
| 785 | { | 785 | { |
| 786 | CBB cbb; | 786 | CBB cbb; |
| 787 | 787 | ||
| 788 | if (rp->aead_variable_nonce_len > SSL3_SEQUENCE_SIZE) | 788 | if (rp->aead_variable_nonce_len > CBS_len(seq_num)) |
| 789 | return 0; | 789 | return 0; |
| 790 | 790 | ||
| 791 | /* Fixed nonce and variable nonce (sequence number) are concatenated. */ | 791 | /* Fixed nonce and variable nonce (sequence number) are concatenated. */ |
| @@ -794,7 +794,8 @@ tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, | |||
| 794 | if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce, | 794 | if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce, |
| 795 | rp->aead_fixed_nonce_len)) | 795 | rp->aead_fixed_nonce_len)) |
| 796 | goto err; | 796 | goto err; |
| 797 | if (!CBB_add_bytes(&cbb, seq_num, rp->aead_variable_nonce_len)) | 797 | if (!CBB_add_bytes(&cbb, CBS_data(seq_num), |
| 798 | rp->aead_variable_nonce_len)) | ||
| 798 | goto err; | 799 | goto err; |
| 799 | if (!CBB_finish(&cbb, out, out_len)) | 800 | if (!CBB_finish(&cbb, out, out_len)) |
| 800 | goto err; | 801 | goto err; |
| @@ -809,7 +810,7 @@ tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, | |||
| 809 | 810 | ||
| 810 | static int | 811 | static int |
| 811 | tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, | 812 | tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, |
| 812 | struct tls12_record_protection *rp, const uint8_t *seq_num, | 813 | struct tls12_record_protection *rp, CBS *seq_num, |
| 813 | uint8_t **out, size_t *out_len) | 814 | uint8_t **out, size_t *out_len) |
| 814 | { | 815 | { |
| 815 | uint8_t *nonce = NULL; | 816 | uint8_t *nonce = NULL; |
| @@ -818,7 +819,7 @@ tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, | |||
| 818 | CBB cbb; | 819 | CBB cbb; |
| 819 | int i; | 820 | int i; |
| 820 | 821 | ||
| 821 | if (rp->aead_variable_nonce_len > SSL3_SEQUENCE_SIZE) | 822 | if (rp->aead_variable_nonce_len > CBS_len(seq_num)) |
| 822 | return 0; | 823 | return 0; |
| 823 | if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len) | 824 | if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len) |
| 824 | return 0; | 825 | return 0; |
| @@ -832,7 +833,8 @@ tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, | |||
| 832 | if (!CBB_add_space(&cbb, &pad, | 833 | if (!CBB_add_space(&cbb, &pad, |
| 833 | rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len)) | 834 | rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len)) |
| 834 | goto err; | 835 | goto err; |
| 835 | if (!CBB_add_bytes(&cbb, seq_num, rp->aead_variable_nonce_len)) | 836 | if (!CBB_add_bytes(&cbb, CBS_data(seq_num), |
| 837 | rp->aead_variable_nonce_len)) | ||
| 836 | goto err; | 838 | goto err; |
| 837 | if (!CBB_finish(&cbb, &nonce, &nonce_len)) | 839 | if (!CBB_finish(&cbb, &nonce, &nonce_len)) |
| 838 | goto err; | 840 | goto err; |
| @@ -882,18 +884,18 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, | |||
| 882 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ | 884 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ |
| 883 | if (rp->aead_xor_nonces) { | 885 | if (rp->aead_xor_nonces) { |
| 884 | if (!tls12_record_layer_aead_xored_nonce(rl, rp, | 886 | if (!tls12_record_layer_aead_xored_nonce(rl, rp, |
| 885 | CBS_data(seq_num), &nonce, &nonce_len)) | 887 | seq_num, &nonce, &nonce_len)) |
| 886 | goto err; | 888 | goto err; |
| 887 | } else if (rp->aead_variable_nonce_in_record) { | 889 | } else if (rp->aead_variable_nonce_in_record) { |
| 888 | if (!CBS_get_bytes(fragment, &var_nonce, | 890 | if (!CBS_get_bytes(fragment, &var_nonce, |
| 889 | rp->aead_variable_nonce_len)) | 891 | rp->aead_variable_nonce_len)) |
| 890 | goto err; | 892 | goto err; |
| 891 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, | 893 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, |
| 892 | CBS_data(&var_nonce), &nonce, &nonce_len)) | 894 | &var_nonce, &nonce, &nonce_len)) |
| 893 | goto err; | 895 | goto err; |
| 894 | } else { | 896 | } else { |
| 895 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, | 897 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, |
| 896 | CBS_data(seq_num), &nonce, &nonce_len)) | 898 | seq_num, &nonce, &nonce_len)) |
| 897 | goto err; | 899 | goto err; |
| 898 | } | 900 | } |
| 899 | 901 | ||
| @@ -1145,16 +1147,17 @@ tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, | |||
| 1145 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ | 1147 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ |
| 1146 | if (rp->aead_xor_nonces) { | 1148 | if (rp->aead_xor_nonces) { |
| 1147 | if (!tls12_record_layer_aead_xored_nonce(rl, rp, | 1149 | if (!tls12_record_layer_aead_xored_nonce(rl, rp, |
| 1148 | CBS_data(seq_num), &nonce, &nonce_len)) | 1150 | seq_num, &nonce, &nonce_len)) |
| 1149 | goto err; | 1151 | goto err; |
| 1150 | } else { | 1152 | } else { |
| 1151 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, | 1153 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, |
| 1152 | CBS_data(seq_num), &nonce, &nonce_len)) | 1154 | seq_num, &nonce, &nonce_len)) |
| 1153 | goto err; | 1155 | goto err; |
| 1154 | } | 1156 | } |
| 1155 | 1157 | ||
| 1156 | if (rp->aead_variable_nonce_in_record) { | 1158 | if (rp->aead_variable_nonce_in_record) { |
| 1157 | /* XXX - length check? */ | 1159 | if (rp->aead_variable_nonce_len > CBS_len(seq_num)) |
| 1160 | goto err; | ||
| 1158 | if (!CBB_add_bytes(out, CBS_data(seq_num), | 1161 | if (!CBB_add_bytes(out, CBS_data(seq_num), |
| 1159 | rp->aead_variable_nonce_len)) | 1162 | rp->aead_variable_nonce_len)) |
| 1160 | goto err; | 1163 | goto err; |