summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libssl/d1_pkt.c134
-rw-r--r--src/lib/libssl/s3_cbc.c30
-rw-r--r--src/lib/libssl/ssl_locl.h14
-rw-r--r--src/lib/libssl/ssl_pkt.c166
-rw-r--r--src/lib/libssl/t1_enc.c339
-rw-r--r--src/lib/libssl/tls12_record_layer.c348
6 files changed, 426 insertions, 605 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 859043a3ce..30ce78414d 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_pkt.c,v 1.84 2020/10/03 17:11:28 jsing Exp $ */ 1/* $OpenBSD: d1_pkt.c,v 1.85 2020/10/03 17:35:16 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -310,130 +310,40 @@ dtls1_process_buffered_records(SSL *s)
310static int 310static int
311dtls1_process_record(SSL *s) 311dtls1_process_record(SSL *s)
312{ 312{
313 int i, al; 313 SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec);
314 int enc_err; 314 uint8_t alert_desc;
315 SSL_SESSION *sess; 315 uint8_t *out;
316 SSL3_RECORD_INTERNAL *rr; 316 size_t out_len;
317 unsigned int mac_size, orig_len;
318 unsigned char md[EVP_MAX_MD_SIZE];
319
320 rr = &(S3I(s)->rrec);
321 sess = s->session;
322
323 /* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
324 * and we have that many bytes in s->internal->packet
325 */
326 rr->input = &(s->internal->packet[DTLS1_RT_HEADER_LENGTH]);
327
328 /* ok, we can now read from 's->internal->packet' data into 'rr'
329 * rr->input points at rr->length bytes, which
330 * need to be copied into rr->data by either
331 * the decryption or by the decompression
332 * When the data is 'copied' into the rr->data buffer,
333 * rr->input will be pointed at the new buffer */
334
335 /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
336 * rr->length bytes of encrypted compressed stuff. */
337
338 /* check is not needed I believe */
339 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
340 al = SSL_AD_RECORD_OVERFLOW;
341 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
342 goto f_err;
343 }
344
345 /* decrypt in place in 'rr->input' */
346 rr->data = rr->input;
347
348 /* enc_err is:
349 * 0: (in non-constant time) if the record is publically invalid.
350 * 1: if the padding is valid
351 * -1: if the padding is invalid */
352 if ((enc_err = tls1_enc(s, 0)) == 0) {
353 /* For DTLS we simply ignore bad packets. */
354 rr->length = 0;
355 s->internal->packet_length = 0;
356 goto err;
357 }
358 317
359 /* r->length is now the compressed data plus mac */ 318 tls12_record_layer_set_version(s->internal->rl, s->version);
360 if ((sess != NULL) && (s->enc_read_ctx != NULL) && 319 tls12_record_layer_set_read_epoch(s->internal->rl, rr->epoch);
361 (EVP_MD_CTX_md(s->read_hash) != NULL)) {
362 /* s->read_hash != NULL => mac_size != -1 */
363 unsigned char *mac = NULL;
364 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
365 mac_size = EVP_MD_CTX_size(s->read_hash);
366 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
367
368 orig_len = rr->length + rr->padding_length;
369
370 /* orig_len is the length of the record before any padding was
371 * removed. This is public information, as is the MAC in use,
372 * therefore we can safely process the record in a different
373 * amount of time if it's too short to possibly contain a MAC.
374 */
375 if (orig_len < mac_size ||
376 /* CBC records must have a padding length byte too. */
377 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
378 orig_len < mac_size + 1)) {
379 al = SSL_AD_DECODE_ERROR;
380 SSLerror(s, SSL_R_LENGTH_TOO_SHORT);
381 goto f_err;
382 }
383 320
384 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { 321 if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet,
385 /* We update the length so that the TLS header bytes 322 s->internal->packet_length, &out, &out_len)) {
386 * can be constructed correctly but we need to extract 323 tls12_record_layer_alert(s->internal->rl, &alert_desc);
387 * the MAC in constant time from within the record,
388 * without leaking the contents of the padding bytes.
389 * */
390 mac = mac_tmp;
391 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
392 rr->length -= mac_size;
393 } else {
394 /* In this case there's no padding, so |orig_len|
395 * equals |rec->length| and we checked that there's
396 * enough bytes for |mac_size| above. */
397 rr->length -= mac_size;
398 mac = &rr->data[rr->length];
399 }
400 324
401 i = tls1_mac(s, md, 0 /* not send */); 325 if (alert_desc == 0)
402 if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) 326 goto err;
403 enc_err = -1;
404 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
405 enc_err = -1;
406 }
407 327
408 if (enc_err < 0) { 328 if (alert_desc == SSL_AD_RECORD_OVERFLOW)
409 /* decryption failed, silently discard message */ 329 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
410 rr->length = 0; 330 else if (alert_desc == SSL_AD_BAD_RECORD_MAC)
411 s->internal->packet_length = 0; 331 SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
412 goto err;
413 }
414 332
415 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
416 al = SSL_AD_RECORD_OVERFLOW;
417 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
418 goto f_err; 333 goto f_err;
419 } 334 }
420 335
336 rr->data = out;
337 rr->length = out_len;
421 rr->off = 0; 338 rr->off = 0;
422 /* So at this point the following is true
423 * ssl->s3->internal->rrec.type is the type of record
424 * ssl->s3->internal->rrec.length == number of bytes in record
425 * ssl->s3->internal->rrec.off == offset to first valid byte
426 * ssl->s3->internal->rrec.data == where to take bytes from, increment
427 * after use :-).
428 */
429 339
430 /* we have pulled in a full packet so zero things */
431 s->internal->packet_length = 0; 340 s->internal->packet_length = 0;
341
432 return (1); 342 return (1);
433 343
434f_err: 344 f_err:
435 ssl3_send_alert(s, SSL3_AL_FATAL, al); 345 ssl3_send_alert(s, SSL3_AL_FATAL, alert_desc);
436err: 346 err:
437 return (0); 347 return (0);
438} 348}
439 349
diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c
index 74e0562c2d..4f84c9485b 100644
--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_cbc.c,v 1.22 2020/06/19 21:26:40 tb Exp $ */ 1/* $OpenBSD: s3_cbc.c,v 1.23 2020/10/03 17:35:16 jsing Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 2012 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 2012 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -101,7 +101,7 @@ constant_time_eq_8(unsigned int a, unsigned int b)
101 return DUPLICATE_MSB_TO_ALL_8(c); 101 return DUPLICATE_MSB_TO_ALL_8(c);
102} 102}
103 103
104/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC 104/* ssl3_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
105 * record in |rec| in constant time and returns 1 if the padding is valid and 105 * record in |rec| in constant time and returns 1 if the padding is valid and
106 * -1 otherwise. It also removes any explicit IV from the start of the record 106 * -1 otherwise. It also removes any explicit IV from the start of the record
107 * without leaking any timing about whether there was enough space after the 107 * without leaking any timing about whether there was enough space after the
@@ -113,26 +113,24 @@ constant_time_eq_8(unsigned int a, unsigned int b)
113 * 1: if the padding was valid 113 * 1: if the padding was valid
114 * -1: otherwise. */ 114 * -1: otherwise. */
115int 115int
116tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec, 116ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len,
117 unsigned int block_size, unsigned int mac_size) 117 unsigned int mac_size)
118{ 118{
119 unsigned int padding_length, good, to_check, i; 119 unsigned int padding_length, good, to_check, i;
120 const unsigned int overhead = 1 /* padding length byte */ + mac_size; 120 const unsigned int overhead = 1 /* padding length byte */ + mac_size;
121 121
122 /* Check if version requires explicit IV */ 122 /*
123 if (SSL_USE_EXPLICIT_IV(s)) { 123 * These lengths are all public so we can test them in
124 /* These lengths are all public so we can test them in 124 * non-constant time.
125 * non-constant time. 125 */
126 */ 126 if (overhead + eiv_len > rec->length)
127 if (overhead + block_size > rec->length)
128 return 0;
129 /* We can now safely skip explicit IV */
130 rec->data += block_size;
131 rec->input += block_size;
132 rec->length -= block_size;
133 } else if (overhead > rec->length)
134 return 0; 127 return 0;
135 128
129 /* We can now safely skip explicit IV, if any. */
130 rec->data += eiv_len;
131 rec->input += eiv_len;
132 rec->length -= eiv_len;
133
136 padding_length = rec->data[rec->length - 1]; 134 padding_length = rec->data[rec->length - 1];
137 135
138 good = constant_time_ge(rec->length, overhead + padding_length); 136 good = constant_time_ge(rec->length, overhead + padding_length);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 9a9ef59282..0dda3ecd01 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.295 2020/09/24 18:12:00 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.296 2020/10/03 17:35:16 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -477,6 +477,8 @@ struct tls12_record_layer;
477 477
478struct tls12_record_layer *tls12_record_layer_new(void); 478struct tls12_record_layer *tls12_record_layer_new(void);
479void tls12_record_layer_free(struct tls12_record_layer *rl); 479void tls12_record_layer_free(struct tls12_record_layer *rl);
480void tls12_record_layer_alert(struct tls12_record_layer *rl,
481 uint8_t *alert_desc);
480void tls12_record_layer_set_version(struct tls12_record_layer *rl, 482void tls12_record_layer_set_version(struct tls12_record_layer *rl,
481 uint16_t version); 483 uint16_t version);
482void tls12_record_layer_set_read_epoch(struct tls12_record_layer *rl, 484void tls12_record_layer_set_read_epoch(struct tls12_record_layer *rl,
@@ -497,6 +499,10 @@ int tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer *rl,
497 EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac); 499 EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac);
498int tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer *rl, 500int tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer *rl,
499 EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac); 501 EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac);
502int tls12_record_layer_set_read_mac_key(struct tls12_record_layer *rl,
503 const uint8_t *mac_key, size_t mac_key_len);
504int tls12_record_layer_open_record(struct tls12_record_layer *rl,
505 uint8_t *buf, size_t buf_len, uint8_t **out, size_t *out_len);
500int tls12_record_layer_seal_record(struct tls12_record_layer *rl, 506int tls12_record_layer_seal_record(struct tls12_record_layer *rl,
501 uint8_t content_type, const uint8_t *content, size_t content_len, 507 uint8_t content_type, const uint8_t *content, size_t content_len,
502 CBB *out); 508 CBB *out);
@@ -1361,9 +1367,7 @@ int tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len);
1361void tls1_cleanup_key_block(SSL *s); 1367void tls1_cleanup_key_block(SSL *s);
1362int tls1_change_cipher_state(SSL *s, int which); 1368int tls1_change_cipher_state(SSL *s, int which);
1363int tls1_setup_key_block(SSL *s); 1369int tls1_setup_key_block(SSL *s);
1364int tls1_enc(SSL *s, int snd);
1365int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *p); 1370int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *p);
1366int tls1_mac(SSL *ssl, unsigned char *md, int snd);
1367int tls1_generate_master_secret(SSL *s, unsigned char *out, 1371int tls1_generate_master_secret(SSL *s, unsigned char *out,
1368 unsigned char *p, int len); 1372 unsigned char *p, int len);
1369int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, 1373int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
@@ -1411,8 +1415,8 @@ int tls1_check_ec_server_key(SSL *s);
1411/* s3_cbc.c */ 1415/* s3_cbc.c */
1412void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD_INTERNAL *rec, 1416void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD_INTERNAL *rec,
1413 unsigned int md_size, unsigned int orig_len); 1417 unsigned int md_size, unsigned int orig_len);
1414int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD_INTERNAL *rec, 1418int ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len,
1415 unsigned int block_size, unsigned int mac_size); 1419 unsigned int mac_size);
1416char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); 1420char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
1417int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out, 1421int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
1418 size_t *md_out_size, const unsigned char header[13], 1422 size_t *md_out_size, const unsigned char header[13],
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index c9c86471d3..02a476ea82 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_pkt.c,v 1.31 2020/08/30 15:40:20 jsing Exp $ */ 1/* $OpenBSD: ssl_pkt.c,v 1.32 2020/10/03 17:35:16 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -149,15 +149,14 @@ ssl_force_want_read(SSL *s)
149static int 149static int
150ssl3_read_n(SSL *s, int n, int max, int extend) 150ssl3_read_n(SSL *s, int n, int max, int extend)
151{ 151{
152 SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf);
152 int i, len, left; 153 int i, len, left;
153 size_t align; 154 size_t align;
154 unsigned char *pkt; 155 unsigned char *pkt;
155 SSL3_BUFFER_INTERNAL *rb;
156 156
157 if (n <= 0) 157 if (n <= 0)
158 return n; 158 return n;
159 159
160 rb = &(S3I(s)->rbuf);
161 if (rb->buf == NULL) 160 if (rb->buf == NULL)
162 if (!ssl3_setup_read_buffer(s)) 161 if (!ssl3_setup_read_buffer(s))
163 return -1; 162 return -1;
@@ -327,15 +326,13 @@ ssl3_packet_extend(SSL *s, int plen)
327static int 326static int
328ssl3_get_record(SSL *s) 327ssl3_get_record(SSL *s)
329{ 328{
330 int al; 329 SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf);
331 int enc_err, n, i, ret = -1; 330 SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec);
332 SSL3_RECORD_INTERNAL *rr; 331 uint8_t alert_desc;
333 SSL_SESSION *sess; 332 uint8_t *out;
334 unsigned char md[EVP_MAX_MD_SIZE]; 333 size_t out_len;
335 unsigned int mac_size, orig_len; 334 int al, n;
336 335 int ret = -1;
337 rr = &(S3I(s)->rrec);
338 sess = s->session;
339 336
340 again: 337 again:
341 /* check if we have the header */ 338 /* check if we have the header */
@@ -387,17 +384,13 @@ ssl3_get_record(SSL *s)
387 goto err; 384 goto err;
388 } 385 }
389 386
390 if (rr->length > S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH) { 387 if (rr->length > rb->len - SSL3_RT_HEADER_LENGTH) {
391 al = SSL_AD_RECORD_OVERFLOW; 388 al = SSL_AD_RECORD_OVERFLOW;
392 SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG); 389 SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG);
393 goto f_err; 390 goto f_err;
394 } 391 }
395
396 /* now s->internal->rstate == SSL_ST_READ_BODY */
397 } 392 }
398 393
399 /* s->internal->rstate == SSL_ST_READ_BODY, get and decode the data */
400
401 n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH + rr->length); 394 n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH + rr->length);
402 if (n <= 0) 395 if (n <= 0)
403 return (n); 396 return (n);
@@ -406,133 +399,40 @@ ssl3_get_record(SSL *s)
406 399
407 s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ 400 s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */
408 401
409 /* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 402 /*
410 * and we have that many bytes in s->internal->packet 403 * A full record has now been read from the wire, which now needs
404 * to be processed.
411 */ 405 */
412 rr->input = &(s->internal->packet[SSL3_RT_HEADER_LENGTH]); 406 tls12_record_layer_set_version(s->internal->rl, s->version);
413
414 /* ok, we can now read from 's->internal->packet' data into 'rr'
415 * rr->input points at rr->length bytes, which
416 * need to be copied into rr->data by either
417 * the decryption or by the decompression
418 * When the data is 'copied' into the rr->data buffer,
419 * rr->input will be pointed at the new buffer */
420
421 /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
422 * rr->length bytes of encrypted compressed stuff. */
423
424 /* check is not needed I believe */
425 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
426 al = SSL_AD_RECORD_OVERFLOW;
427 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
428 goto f_err;
429 }
430
431 /* decrypt in place in 'rr->input' */
432 rr->data = rr->input;
433 407
434 /* enc_err is: 408 if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet,
435 * 0: (in non-constant time) if the record is publically invalid. 409 s->internal->packet_length, &out, &out_len)) {
436 * 1: if the padding is valid 410 tls12_record_layer_alert(s->internal->rl, &alert_desc);
437 * -1: if the padding is invalid */
438 if ((enc_err = tls1_enc(s, 0)) == 0) {
439 al = SSL_AD_BAD_RECORD_MAC;
440 SSLerror(s, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
441 goto f_err;
442 }
443
444 /* r->length is now the compressed data plus mac */
445 if ((sess != NULL) && (s->enc_read_ctx != NULL) &&
446 (EVP_MD_CTX_md(s->read_hash) != NULL)) {
447 /* s->read_hash != NULL => mac_size != -1 */
448 unsigned char *mac = NULL;
449 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
450
451 mac_size = EVP_MD_CTX_size(s->read_hash);
452 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
453
454 orig_len = rr->length + rr->padding_length;
455 411
456 /* orig_len is the length of the record before any padding was 412 if (alert_desc == 0)
457 * removed. This is public information, as is the MAC in use, 413 goto err;
458 * therefore we can safely process the record in a different
459 * amount of time if it's too short to possibly contain a MAC.
460 */
461 if (orig_len < mac_size ||
462 /* CBC records must have a padding length byte too. */
463 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
464 orig_len < mac_size + 1)) {
465 al = SSL_AD_DECODE_ERROR;
466 SSLerror(s, SSL_R_LENGTH_TOO_SHORT);
467 goto f_err;
468 }
469
470 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
471 /* We update the length so that the TLS header bytes
472 * can be constructed correctly but we need to extract
473 * the MAC in constant time from within the record,
474 * without leaking the contents of the padding bytes.
475 * */
476 mac = mac_tmp;
477 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
478 rr->length -= mac_size;
479 } else {
480 /* In this case there's no padding, so |orig_len|
481 * equals |rec->length| and we checked that there's
482 * enough bytes for |mac_size| above. */
483 rr->length -= mac_size;
484 mac = &rr->data[rr->length];
485 }
486 414
487 i = tls1_mac(s,md,0 /* not send */); 415 if (alert_desc == SSL_AD_RECORD_OVERFLOW)
488 if (i < 0 || mac == NULL || 416 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
489 timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) 417 else if (alert_desc == SSL_AD_BAD_RECORD_MAC)
490 enc_err = -1; 418 SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
491 if (rr->length >
492 SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
493 enc_err = -1;
494 }
495 419
496 if (enc_err < 0) { 420 al = alert_desc;
497 /*
498 * A separate 'decryption_failed' alert was introduced with
499 * TLS 1.0, SSL 3.0 only has 'bad_record_mac'. But unless a
500 * decryption failure is directly visible from the ciphertext
501 * anyway, we should not reveal which kind of error
502 * occurred -- this might become visible to an attacker
503 * (e.g. via a logfile)
504 */
505 al = SSL_AD_BAD_RECORD_MAC;
506 SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
507 goto f_err;
508 }
509
510 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
511 al = SSL_AD_RECORD_OVERFLOW;
512 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
513 goto f_err; 421 goto f_err;
514 } 422 }
515 423
424 rr->data = out;
425 rr->length = out_len;
516 rr->off = 0; 426 rr->off = 0;
517 /*
518 * So at this point the following is true
519 *
520 * ssl->s3->internal->rrec.type is the type of record
521 * ssl->s3->internal->rrec.length == number of bytes in record
522 * ssl->s3->internal->rrec.off == offset to first valid byte
523 * ssl->s3->internal->rrec.data == where to take bytes from, increment
524 * after use :-).
525 */
526 427
527 /* we have pulled in a full packet so zero things */ 428 /* we have pulled in a full packet so zero things */
528 s->internal->packet_length = 0; 429 s->internal->packet_length = 0;
529 430
530 if (rr->length == 0) { 431 if (rr->length == 0) {
531 /* 432 /*
532 * CBC countermeasures for known IV weaknesses 433 * CBC countermeasures for known IV weaknesses can legitimately
533 * can legitimately insert a single empty record, 434 * insert a single empty record, so we allow ourselves to read
534 * so we allow ourselves to read once past a single 435 * once past a single empty record without forcing want_read.
535 * empty record without forcing want_read.
536 */ 436 */
537 if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) { 437 if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) {
538 SSLerror(s, SSL_R_PEER_BEHAVING_BADLY); 438 SSLerror(s, SSL_R_PEER_BEHAVING_BADLY);
@@ -543,15 +443,15 @@ ssl3_get_record(SSL *s)
543 return -1; 443 return -1;
544 } 444 }
545 goto again; 445 goto again;
546 } else {
547 s->internal->empty_record_count = 0;
548 } 446 }
549 447
448 s->internal->empty_record_count = 0;
449
550 return (1); 450 return (1);
551 451
552f_err: 452 f_err:
553 ssl3_send_alert(s, SSL3_AL_FATAL, al); 453 ssl3_send_alert(s, SSL3_AL_FATAL, al);
554err: 454 err:
555 return (ret); 455 return (ret);
556} 456}
557 457
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index a66c82bdca..7a71a08434 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_enc.c,v 1.123 2020/08/30 15:40:20 jsing Exp $ */ 1/* $OpenBSD: t1_enc.c,v 1.124 2020/10/03 17:35:16 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -440,6 +440,10 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
440 if (!tls12_record_layer_set_read_cipher_hash(s->internal->rl, 440 if (!tls12_record_layer_set_read_cipher_hash(s->internal->rl,
441 cipher_ctx, mac_ctx, stream_mac)) 441 cipher_ctx, mac_ctx, stream_mac))
442 goto err; 442 goto err;
443
444 if (!tls12_record_layer_set_read_mac_key(s->internal->rl,
445 S3I(s)->read_mac_secret, mac_secret_size))
446 goto err;
443 } else { 447 } else {
444 if (stream_mac) 448 if (stream_mac)
445 s->internal->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 449 s->internal->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
@@ -672,260 +676,6 @@ tls1_setup_key_block(SSL *s)
672 return (ret); 676 return (ret);
673} 677}
674 678
675/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
676 *
677 * Returns:
678 * 0: (in non-constant time) if the record is publically invalid (i.e. too
679 * short etc).
680 * 1: if the record's padding is valid / the encryption was successful.
681 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
682 * an internal error occured.
683 */
684int
685tls1_enc(SSL *s, int send)
686{
687 const SSL_AEAD_CTX *aead;
688 const EVP_CIPHER *enc;
689 EVP_CIPHER_CTX *ds;
690 SSL3_RECORD_INTERNAL *rec;
691 unsigned char *seq;
692 unsigned long l;
693 int bs, i, j, k, ret, mac_size = 0;
694
695 if (send) {
696 /* No longer supported. */
697 return -1;
698 } else {
699 aead = s->internal->aead_read_ctx;
700 rec = &S3I(s)->rrec;
701 seq = S3I(s)->read_sequence;
702 }
703
704 if (aead) {
705 unsigned char ad[13], *in, *out, nonce[16];
706 size_t out_len, pad_len = 0;
707 unsigned int nonce_used;
708
709 if (SSL_IS_DTLS(s)) {
710 dtls1_build_sequence_number(ad, seq,
711 send ? D1I(s)->w_epoch : D1I(s)->r_epoch);
712 } else {
713 memcpy(ad, seq, SSL3_SEQUENCE_SIZE);
714 tls1_record_sequence_increment(seq);
715 }
716
717 ad[8] = rec->type;
718 ad[9] = (unsigned char)(s->version >> 8);
719 ad[10] = (unsigned char)(s->version);
720
721 if (aead->variable_nonce_len > 8 ||
722 aead->variable_nonce_len > sizeof(nonce))
723 return -1;
724
725 if (aead->xor_fixed_nonce) {
726 if (aead->fixed_nonce_len > sizeof(nonce) ||
727 aead->variable_nonce_len > aead->fixed_nonce_len)
728 return -1; /* Should never happen. */
729 pad_len = aead->fixed_nonce_len - aead->variable_nonce_len;
730 } else {
731 if (aead->fixed_nonce_len +
732 aead->variable_nonce_len > sizeof(nonce))
733 return -1; /* Should never happen. */
734 }
735
736 if (send) {
737 size_t len = rec->length;
738 size_t eivlen = 0;
739 in = rec->input;
740 out = rec->data;
741
742 if (aead->xor_fixed_nonce) {
743 /*
744 * The sequence number is left zero
745 * padded, then xored with the fixed
746 * nonce.
747 */
748 memset(nonce, 0, pad_len);
749 memcpy(nonce + pad_len, ad,
750 aead->variable_nonce_len);
751 for (i = 0; i < aead->fixed_nonce_len; i++)
752 nonce[i] ^= aead->fixed_nonce[i];
753 nonce_used = aead->fixed_nonce_len;
754 } else {
755 /*
756 * When sending we use the sequence number as
757 * the variable part of the nonce.
758 */
759 memcpy(nonce, aead->fixed_nonce,
760 aead->fixed_nonce_len);
761 nonce_used = aead->fixed_nonce_len;
762 memcpy(nonce + nonce_used, ad,
763 aead->variable_nonce_len);
764 nonce_used += aead->variable_nonce_len;
765 }
766
767 /*
768 * In do_ssl3_write, rec->input is moved forward by
769 * variable_nonce_len in order to leave space for the
770 * variable nonce. Thus we can copy the sequence number
771 * bytes into place without overwriting any of the
772 * plaintext.
773 */
774 if (aead->variable_nonce_in_record) {
775 memcpy(out, ad, aead->variable_nonce_len);
776 len -= aead->variable_nonce_len;
777 eivlen = aead->variable_nonce_len;
778 }
779
780 ad[11] = len >> 8;
781 ad[12] = len & 0xff;
782
783 if (!EVP_AEAD_CTX_seal(&aead->ctx,
784 out + eivlen, &out_len, len + aead->tag_len, nonce,
785 nonce_used, in + eivlen, len, ad, sizeof(ad)))
786 return -1;
787 if (aead->variable_nonce_in_record)
788 out_len += aead->variable_nonce_len;
789 } else {
790 /* receive */
791 size_t len = rec->length;
792
793 if (rec->data != rec->input)
794 return -1; /* internal error - should never happen. */
795 out = in = rec->input;
796
797 if (len < aead->variable_nonce_len)
798 return 0;
799
800 if (aead->xor_fixed_nonce) {
801 /*
802 * The sequence number is left zero
803 * padded, then xored with the fixed
804 * nonce.
805 */
806 memset(nonce, 0, pad_len);
807 memcpy(nonce + pad_len, ad,
808 aead->variable_nonce_len);
809 for (i = 0; i < aead->fixed_nonce_len; i++)
810 nonce[i] ^= aead->fixed_nonce[i];
811 nonce_used = aead->fixed_nonce_len;
812 } else {
813 memcpy(nonce, aead->fixed_nonce,
814 aead->fixed_nonce_len);
815 nonce_used = aead->fixed_nonce_len;
816
817 memcpy(nonce + nonce_used,
818 aead->variable_nonce_in_record ? in : ad,
819 aead->variable_nonce_len);
820 nonce_used += aead->variable_nonce_len;
821 }
822
823 if (aead->variable_nonce_in_record) {
824 in += aead->variable_nonce_len;
825 len -= aead->variable_nonce_len;
826 out += aead->variable_nonce_len;
827 }
828
829 if (len < aead->tag_len)
830 return 0;
831 len -= aead->tag_len;
832
833 ad[11] = len >> 8;
834 ad[12] = len & 0xff;
835
836 if (!EVP_AEAD_CTX_open(&aead->ctx, out, &out_len, len,
837 nonce, nonce_used, in, len + aead->tag_len, ad,
838 sizeof(ad)))
839 return -1;
840
841 rec->data = rec->input = out;
842 }
843
844 rec->length = out_len;
845
846 return 1;
847 }
848
849 if (send) {
850 if (EVP_MD_CTX_md(s->internal->write_hash)) {
851 int n = EVP_MD_CTX_size(s->internal->write_hash);
852 OPENSSL_assert(n >= 0);
853 }
854 ds = s->internal->enc_write_ctx;
855 if (s->internal->enc_write_ctx == NULL)
856 enc = NULL;
857 else {
858 int ivlen = 0;
859 enc = EVP_CIPHER_CTX_cipher(s->internal->enc_write_ctx);
860 if (SSL_USE_EXPLICIT_IV(s) &&
861 EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
862 ivlen = EVP_CIPHER_iv_length(enc);
863 if (ivlen > 1) {
864 if (rec->data != rec->input) {
865#ifdef DEBUG
866 /* we can't write into the input stream:
867 * Can this ever happen?? (steve)
868 */
869 fprintf(stderr,
870 "%s:%d: rec->data != rec->input\n",
871 __FILE__, __LINE__);
872#endif
873 } else
874 arc4random_buf(rec->input, ivlen);
875 }
876 }
877 } else {
878 if (EVP_MD_CTX_md(s->read_hash)) {
879 int n = EVP_MD_CTX_size(s->read_hash);
880 OPENSSL_assert(n >= 0);
881 }
882 ds = s->enc_read_ctx;
883 if (s->enc_read_ctx == NULL)
884 enc = NULL;
885 else
886 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
887 }
888
889 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
890 memmove(rec->data, rec->input, rec->length);
891 rec->input = rec->data;
892 ret = 1;
893 } else {
894 l = rec->length;
895 bs = EVP_CIPHER_block_size(ds->cipher);
896
897 if (bs != 1 && send) {
898 i = bs - ((int)l % bs);
899
900 /* Add weird padding of upto 256 bytes */
901
902 /* we need to add 'i' padding bytes of value j */
903 j = i - 1;
904 for (k = (int)l; k < (int)(l + i); k++)
905 rec->input[k] = j;
906 l += i;
907 rec->length += i;
908 }
909
910 if (!send) {
911 if (l == 0 || l % bs != 0)
912 return 0;
913 }
914
915 i = EVP_Cipher(ds, rec->data, rec->input, l);
916 if ((EVP_CIPHER_flags(ds->cipher) &
917 EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0))
918 return -1; /* AEAD can fail to verify MAC */
919
920 ret = 1;
921 if (EVP_MD_CTX_md(s->read_hash) != NULL)
922 mac_size = EVP_MD_CTX_size(s->read_hash);
923 if ((bs != 1) && !send)
924 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
925 }
926 return ret;
927}
928
929int 679int
930tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out) 680tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out)
931{ 681{
@@ -947,85 +697,6 @@ tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out)
947} 697}
948 698
949int 699int
950tls1_mac(SSL *ssl, unsigned char *md, int send)
951{
952 SSL3_RECORD_INTERNAL *rec;
953 unsigned char *seq;
954 EVP_MD_CTX *hash;
955 size_t md_size, orig_len;
956 EVP_MD_CTX hmac, *mac_ctx;
957 unsigned char header[13];
958 int stream_mac = (send ?
959 (ssl->internal->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) :
960 (ssl->internal->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
961 int t;
962
963 if (send) {
964 /* No longer supported. */
965 return -1;
966 } else {
967 rec = &(ssl->s3->internal->rrec);
968 seq = &(ssl->s3->internal->read_sequence[0]);
969 hash = ssl->read_hash;
970 }
971
972 t = EVP_MD_CTX_size(hash);
973 OPENSSL_assert(t >= 0);
974 md_size = t;
975
976 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
977 if (stream_mac) {
978 mac_ctx = hash;
979 } else {
980 if (!EVP_MD_CTX_copy(&hmac, hash))
981 return -1;
982 mac_ctx = &hmac;
983 }
984
985 if (SSL_IS_DTLS(ssl))
986 dtls1_build_sequence_number(header, seq,
987 send ? D1I(ssl)->w_epoch : D1I(ssl)->r_epoch);
988 else
989 memcpy(header, seq, SSL3_SEQUENCE_SIZE);
990
991 orig_len = rec->length + md_size + rec->padding_length;
992
993 header[8] = rec->type;
994 header[9] = (unsigned char)(ssl->version >> 8);
995 header[10] = (unsigned char)(ssl->version);
996 header[11] = (rec->length) >> 8;
997 header[12] = (rec->length) & 0xff;
998
999 if (!send &&
1000 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1001 ssl3_cbc_record_digest_supported(mac_ctx)) {
1002 /* This is a CBC-encrypted record. We must avoid leaking any
1003 * timing-side channel information about how many blocks of
1004 * data we are hashing because that gives an attacker a
1005 * timing-oracle. */
1006 if (!ssl3_cbc_digest_record(mac_ctx,
1007 md, &md_size, header, rec->input,
1008 rec->length + md_size, orig_len,
1009 ssl->s3->internal->read_mac_secret,
1010 ssl->s3->internal->read_mac_secret_size))
1011 return -1;
1012 } else {
1013 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
1014 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
1015 t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
1016 OPENSSL_assert(t > 0);
1017 }
1018
1019 if (!stream_mac)
1020 EVP_MD_CTX_cleanup(&hmac);
1021
1022 if (!SSL_IS_DTLS(ssl))
1023 tls1_record_sequence_increment(seq);
1024
1025 return (md_size);
1026}
1027
1028int
1029tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 700tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
1030 int len) 701 int len)
1031{ 702{
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
index 10d0f1194b..56ff94d95c 100644
--- a/src/lib/libssl/tls12_record_layer.c
+++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls12_record_layer.c,v 1.4 2020/09/16 17:15:01 jsing Exp $ */ 1/* $OpenBSD: tls12_record_layer.c,v 1.5 2020/10/03 17:35:17 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -25,6 +25,8 @@ struct tls12_record_layer {
25 uint16_t version; 25 uint16_t version;
26 int dtls; 26 int dtls;
27 27
28 uint8_t alert_desc;
29
28 uint16_t read_epoch; 30 uint16_t read_epoch;
29 uint16_t write_epoch; 31 uint16_t write_epoch;
30 32
@@ -43,6 +45,9 @@ struct tls12_record_layer {
43 EVP_CIPHER_CTX *write_cipher_ctx; 45 EVP_CIPHER_CTX *write_cipher_ctx;
44 EVP_MD_CTX *write_hash_ctx; 46 EVP_MD_CTX *write_hash_ctx;
45 47
48 const uint8_t *read_mac_key;
49 size_t read_mac_key_len;
50
46 uint8_t *read_seq_num; 51 uint8_t *read_seq_num;
47 uint8_t *write_seq_num; 52 uint8_t *write_seq_num;
48}; 53};
@@ -65,6 +70,12 @@ tls12_record_layer_free(struct tls12_record_layer *rl)
65} 70}
66 71
67void 72void
73tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc)
74{
75 *alert_desc = rl->alert_desc;
76}
77
78void
68tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) 79tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
69{ 80{
70 rl->version = version; 81 rl->version = version;
@@ -111,6 +122,7 @@ void
111tls12_record_layer_clear_read_state(struct tls12_record_layer *rl) 122tls12_record_layer_clear_read_state(struct tls12_record_layer *rl)
112{ 123{
113 tls12_record_layer_set_read_state(rl, NULL, NULL, NULL, 0); 124 tls12_record_layer_set_read_state(rl, NULL, NULL, NULL, 0);
125 tls12_record_layer_set_read_mac_key(rl, NULL, 0);
114 rl->read_seq_num = NULL; 126 rl->read_seq_num = NULL;
115} 127}
116 128
@@ -173,6 +185,16 @@ tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer *rl,
173 return 1; 185 return 1;
174} 186}
175 187
188int
189tls12_record_layer_set_read_mac_key(struct tls12_record_layer *rl,
190 const uint8_t *mac_key, size_t mac_key_len)
191{
192 rl->read_mac_key = mac_key;
193 rl->read_mac_key_len = mac_key_len;
194
195 return 1;
196}
197
176static int 198static int
177tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, 199tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb,
178 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len) 200 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)
@@ -234,7 +256,7 @@ tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
234{ 256{
235 EVP_MD_CTX *mac_ctx = NULL; 257 EVP_MD_CTX *mac_ctx = NULL;
236 uint8_t *header = NULL; 258 uint8_t *header = NULL;
237 size_t header_len; 259 size_t header_len = 0;
238 size_t mac_len; 260 size_t mac_len;
239 uint8_t *mac; 261 uint8_t *mac;
240 int ret = 0; 262 int ret = 0;
@@ -258,6 +280,8 @@ tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
258 goto err; 280 goto err;
259 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0) 281 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0)
260 goto err; 282 goto err;
283 if (mac_len == 0)
284 goto err;
261 285
262 if (stream_mac) { 286 if (stream_mac) {
263 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx)) 287 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx))
@@ -269,12 +293,67 @@ tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
269 293
270 err: 294 err:
271 EVP_MD_CTX_free(mac_ctx); 295 EVP_MD_CTX_free(mac_ctx);
272 free(header); 296 freezero(header, header_len);
273 297
274 return ret; 298 return ret;
275} 299}
276 300
277static int 301static int
302tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb,
303 uint8_t content_type, const uint8_t *content, size_t content_len,
304 size_t mac_len, size_t padding_len)
305{
306 uint8_t *header = NULL;
307 size_t header_len = 0;
308 uint8_t *mac = NULL;
309 size_t out_mac_len = 0;
310 int ret = 0;
311
312 /*
313 * Must be constant time to avoid leaking details about CBC padding.
314 */
315
316 if (!ssl3_cbc_record_digest_supported(rl->read_hash_ctx))
317 goto err;
318
319 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
320 rl->read_epoch, rl->read_seq_num, SSL3_SEQUENCE_SIZE,
321 &header, &header_len))
322 goto err;
323
324 if (!CBB_add_space(cbb, &mac, mac_len))
325 goto err;
326 if (!ssl3_cbc_digest_record(rl->read_hash_ctx, mac, &out_mac_len, header,
327 content, content_len + mac_len, content_len + mac_len + padding_len,
328 rl->read_mac_key, rl->read_mac_key_len))
329 goto err;
330 if (mac_len != out_mac_len)
331 goto err;
332
333 ret = 1;
334
335 err:
336 freezero(header, header_len);
337
338 return ret;
339}
340
341static int
342tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb,
343 uint8_t content_type, const uint8_t *content, size_t content_len)
344{
345 EVP_CIPHER_CTX *enc = rl->read_cipher_ctx;
346 size_t out_len;
347
348 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
349 return 0;
350
351 return tls12_record_layer_mac(rl, cbb, rl->read_hash_ctx,
352 rl->read_stream_mac, rl->read_epoch, rl->read_seq_num,
353 SSL3_SEQUENCE_SIZE, content_type, content, content_len, &out_len);
354}
355
356static int
278tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, 357tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
279 uint8_t content_type, const uint8_t *content, size_t content_len, 358 uint8_t content_type, const uint8_t *content, size_t content_len,
280 size_t *out_len) 359 size_t *out_len)
@@ -286,7 +365,8 @@ tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
286 365
287static int 366static int
288tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, 367tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
289 const SSL_AEAD_CTX *aead, uint8_t *seq_num, uint8_t **out, size_t *out_len) 368 const SSL_AEAD_CTX *aead, const uint8_t *seq_num,
369 uint8_t **out, size_t *out_len)
290{ 370{
291 CBB cbb; 371 CBB cbb;
292 372
@@ -314,7 +394,8 @@ tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
314 394
315static int 395static int
316tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, 396tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
317 const SSL_AEAD_CTX *aead, uint8_t *seq_num, uint8_t **out, size_t *out_len) 397 const SSL_AEAD_CTX *aead, const uint8_t *seq_num,
398 uint8_t **out, size_t *out_len)
318{ 399{
319 uint8_t *nonce = NULL; 400 uint8_t *nonce = NULL;
320 size_t nonce_len = 0; 401 size_t nonce_len = 0;
@@ -357,6 +438,263 @@ tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
357} 438}
358 439
359static int 440static int
441tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl,
442 uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len)
443{
444 if (rl->read_aead_ctx != NULL || rl->read_cipher_ctx != NULL)
445 return 0;
446
447 /* XXX - decrypt/process in place for now. */
448 *out = (uint8_t *)CBS_data(fragment);
449 *out_len = CBS_len(fragment);
450
451 return 1;
452}
453
454static int
455tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
456 uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len)
457{
458 const SSL_AEAD_CTX *aead = rl->read_aead_ctx;
459 uint8_t *header = NULL, *nonce = NULL;
460 size_t header_len = 0, nonce_len = 0;
461 uint8_t *plain;
462 size_t plain_len;
463 uint16_t epoch = 0;
464 CBS var_nonce;
465 int ret = 0;
466
467 /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */
468 if (aead->xor_fixed_nonce) {
469 if (!tls12_record_layer_aead_xored_nonce(rl, aead,
470 rl->read_seq_num, &nonce, &nonce_len))
471 goto err;
472 } else if (aead->variable_nonce_in_record) {
473 if (!CBS_get_bytes(fragment, &var_nonce,
474 aead->variable_nonce_len))
475 goto err;
476 if (!tls12_record_layer_aead_concat_nonce(rl, aead,
477 CBS_data(&var_nonce), &nonce, &nonce_len))
478 goto err;
479 } else {
480 if (!tls12_record_layer_aead_concat_nonce(rl, aead,
481 rl->read_seq_num, &nonce, &nonce_len))
482 goto err;
483 }
484
485 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
486 if (CBS_len(fragment) < aead->tag_len) {
487 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
488 goto err;
489 }
490 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
491 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
492 goto err;
493 }
494
495 /* XXX - decrypt/process in place for now. */
496 plain = (uint8_t *)CBS_data(fragment);
497 plain_len = CBS_len(fragment) - aead->tag_len;
498
499 if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len,
500 epoch, rl->read_seq_num, SSL3_SEQUENCE_SIZE, &header, &header_len))
501 goto err;
502
503 if (!EVP_AEAD_CTX_open(&aead->ctx, plain, out_len, plain_len,
504 nonce, nonce_len, CBS_data(fragment), CBS_len(fragment),
505 header, header_len)) {
506 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
507 goto err;
508 }
509
510 if (*out_len > SSL3_RT_MAX_PLAIN_LENGTH) {
511 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
512 goto err;
513 }
514
515 if (*out_len != plain_len)
516 goto err;
517
518 *out = plain;
519
520 ret = 1;
521
522 err:
523 freezero(header, header_len);
524 freezero(nonce, nonce_len);
525
526 return ret;
527}
528
529static int
530tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
531 uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len)
532{
533 EVP_CIPHER_CTX *enc = rl->read_cipher_ctx;
534 SSL3_RECORD_INTERNAL rrec;
535 int block_size, eiv_len;
536 uint8_t *mac = NULL;
537 int mac_len = 0;
538 uint8_t *out_mac = NULL;
539 size_t out_mac_len = 0;
540 uint8_t *plain;
541 size_t plain_len;
542 size_t min_len;
543 CBB cbb_mac;
544 int ret = 0;
545
546 memset(&cbb_mac, 0, sizeof(cbb_mac));
547
548 block_size = EVP_CIPHER_CTX_block_size(enc);
549 if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH)
550 goto err;
551
552 /* Determine explicit IV length. */
553 eiv_len = 0;
554 if (rl->version != TLS1_VERSION &&
555 EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
556 eiv_len = EVP_CIPHER_CTX_iv_length(enc);
557 if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH)
558 goto err;
559
560 mac_len = 0;
561 if (rl->read_hash_ctx != NULL) {
562 mac_len = EVP_MD_CTX_size(rl->read_hash_ctx);
563 if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE)
564 goto err;
565 }
566
567 /* CBC has at least one padding byte. */
568 min_len = eiv_len + mac_len;
569 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
570 min_len += 1;
571
572 if (CBS_len(fragment) < min_len) {
573 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
574 goto err;
575 }
576 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
577 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
578 goto err;
579 }
580 if (CBS_len(fragment) % block_size != 0) {
581 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
582 goto err;
583 }
584
585 /* XXX - decrypt/process in place for now. */
586 plain = (uint8_t *)CBS_data(fragment);
587 plain_len = CBS_len(fragment);
588
589 if (!EVP_Cipher(enc, plain, CBS_data(fragment), plain_len))
590 goto err;
591
592 rrec.data = plain;
593 rrec.input = plain;
594 rrec.length = plain_len;
595
596 /*
597 * We now have to remove padding, extract MAC, calculate MAC
598 * and compare MAC in constant time.
599 */
600 if (block_size > 1)
601 ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len);
602
603 if ((mac = calloc(1, mac_len)) == NULL)
604 goto err;
605
606 if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE))
607 goto err;
608 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) {
609 ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length +
610 rrec.padding_length);
611 rrec.length -= mac_len;
612 if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type,
613 rrec.input, rrec.length, mac_len, rrec.padding_length))
614 goto err;
615 } else {
616 rrec.length -= mac_len;
617 memcpy(mac, rrec.data + rrec.length, mac_len);
618 if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type,
619 rrec.input, rrec.length))
620 goto err;
621 }
622 if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len))
623 goto err;
624 if (mac_len != out_mac_len)
625 goto err;
626
627 if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) {
628 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
629 goto err;
630 }
631
632 if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) {
633 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
634 goto err;
635 }
636 if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) {
637 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
638 goto err;
639 }
640
641 *out = rrec.data;
642 *out_len = rrec.length;
643
644 ret = 1;
645
646 err:
647 CBB_cleanup(&cbb_mac);
648 freezero(mac, mac_len);
649 freezero(out_mac, out_mac_len);
650
651 return ret;
652}
653
654int
655tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
656 size_t buf_len, uint8_t **out, size_t *out_len)
657{
658 CBS cbs, fragment, seq_no;
659 uint16_t epoch, version;
660 uint8_t content_type;
661
662 CBS_init(&cbs, buf, buf_len);
663
664 if (!CBS_get_u8(&cbs, &content_type))
665 return 0;
666 if (!CBS_get_u16(&cbs, &version))
667 return 0;
668 if (rl->dtls) {
669 if (!CBS_get_u16(&cbs, &epoch))
670 return 0;
671 if (!CBS_get_bytes(&cbs, &seq_no, 6))
672 return 0;
673 }
674 if (!CBS_get_u16_length_prefixed(&cbs, &fragment))
675 return 0;
676
677 if (rl->read_aead_ctx != NULL) {
678 if (!tls12_record_layer_open_record_protected_aead(rl,
679 content_type, &fragment, out, out_len))
680 return 0;
681 } else if (rl->read_cipher_ctx != NULL) {
682 if (!tls12_record_layer_open_record_protected_cipher(rl,
683 content_type, &fragment, out, out_len))
684 return 0;
685 } else {
686 if (!tls12_record_layer_open_record_plaintext(rl,
687 content_type, &fragment, out, out_len))
688 return 0;
689 }
690
691 if (!rl->dtls)
692 tls1_record_sequence_increment(rl->read_seq_num);
693
694 return 1;
695}
696
697static int
360tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, 698tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl,
361 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) 699 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out)
362{ 700{
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 23:26:24 +0000