diff options
Diffstat (limited to 'src/lib/libssl/t1_enc.c')
| -rw-r--r-- | src/lib/libssl/t1_enc.c | 265 | 
1 files changed, 238 insertions, 27 deletions
| diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 6d2e21c412..0ddb2d09b2 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_enc.c,v 1.55 2014/06/13 04:29:13 miod Exp $ */ | 1 | /* $OpenBSD: t1_enc.c,v 1.56 2014/06/13 11:52:03 jsing Exp $ */ | 
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 
| 3 | * All rights reserved. | 3 | * All rights reserved. | 
| 4 | * | 4 | * | 
| @@ -296,6 +296,69 @@ tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num) | |||
| 296 | } | 296 | } | 
| 297 | 297 | ||
| 298 | /* | 298 | /* | 
| 299 | * tls1_aead_ctx_init allocates aead_ctx, if needed. It returns 1 on success | ||
| 300 | * and 0 on failure. | ||
| 301 | */ | ||
| 302 | static int | ||
| 303 | tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) | ||
| 304 | { | ||
| 305 | if (*aead_ctx != NULL) { | ||
| 306 | EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx); | ||
| 307 | return (1); | ||
| 308 | } | ||
| 309 | |||
| 310 | *aead_ctx = malloc(sizeof(SSL_AEAD_CTX)); | ||
| 311 | if (*aead_ctx == NULL) { | ||
| 312 | SSLerr(SSL_F_TLS1_AEAD_CTX_INIT, ERR_R_MALLOC_FAILURE); | ||
| 313 | return (0); | ||
| 314 | } | ||
| 315 | |||
| 316 | return (1); | ||
| 317 | } | ||
| 318 | |||
| 319 | static int | ||
| 320 | tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, | ||
| 321 | unsigned key_len, const unsigned char *iv, unsigned iv_len) | ||
| 322 | { | ||
| 323 | const EVP_AEAD *aead = s->s3->tmp.new_aead; | ||
| 324 | SSL_AEAD_CTX *aead_ctx; | ||
| 325 | |||
| 326 | if (is_read) { | ||
| 327 | if (!tls1_aead_ctx_init(&s->aead_read_ctx)) | ||
| 328 | return 0; | ||
| 329 | aead_ctx = s->aead_read_ctx; | ||
| 330 | } else { | ||
| 331 | if (!tls1_aead_ctx_init(&s->aead_write_ctx)) | ||
| 332 | return 0; | ||
| 333 | aead_ctx = s->aead_write_ctx; | ||
| 334 | } | ||
| 335 | |||
| 336 | if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len, | ||
| 337 | EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) | ||
| 338 | return (0); | ||
| 339 | if (iv_len > sizeof(aead_ctx->fixed_nonce)) { | ||
| 340 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 341 | ERR_R_INTERNAL_ERROR); | ||
| 342 | return (0); | ||
| 343 | } | ||
| 344 | memcpy(aead_ctx->fixed_nonce, iv, iv_len); | ||
| 345 | aead_ctx->fixed_nonce_len = iv_len; | ||
| 346 | aead_ctx->variable_nonce_len = 8; /* always the case, currently. */ | ||
| 347 | aead_ctx->variable_nonce_in_record = | ||
| 348 | (s->s3->tmp.new_cipher->algorithm2 & | ||
| 349 | SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; | ||
| 350 | if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != | ||
| 351 | EVP_AEAD_nonce_length(aead)) { | ||
| 352 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 353 | ERR_R_INTERNAL_ERROR); | ||
| 354 | return (0); | ||
| 355 | } | ||
| 356 | aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); | ||
| 357 | |||
| 358 | return (1); | ||
| 359 | } | ||
| 360 | |||
| 361 | /* | ||
| 299 | * tls1_change_cipher_state_cipher performs the work needed to switch cipher | 362 | * tls1_change_cipher_state_cipher performs the work needed to switch cipher | 
| 300 | * states when using EVP_CIPHER. The argument is_read is true iff this function | 363 | * states when using EVP_CIPHER. The argument is_read is true iff this function | 
| 301 | * is being called due to reading, as opposed to writing, a ChangeCipherSpec | 364 | * is being called due to reading, as opposed to writing, a ChangeCipherSpec | 
| @@ -456,6 +519,7 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 456 | int mac_secret_size, key_len, iv_len; | 519 | int mac_secret_size, key_len, iv_len; | 
| 457 | unsigned char *key_block, *seq; | 520 | unsigned char *key_block, *seq; | 
| 458 | const EVP_CIPHER *cipher; | 521 | const EVP_CIPHER *cipher; | 
| 522 | const EVP_AEAD *aead; | ||
| 459 | char is_read, use_client_keys; | 523 | char is_read, use_client_keys; | 
| 460 | int is_export; | 524 | int is_export; | 
| 461 | 525 | ||
| @@ -465,6 +529,7 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 465 | 529 | ||
| 466 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); | 530 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); | 
| 467 | cipher = s->s3->tmp.new_sym_enc; | 531 | cipher = s->s3->tmp.new_sym_enc; | 
| 532 | aead = s->s3->tmp.new_aead; | ||
| 468 | 533 | ||
| 469 | /* | 534 | /* | 
| 470 | * is_read is true if we have just read a ChangeCipherSpec message, | 535 | * is_read is true if we have just read a ChangeCipherSpec message, | 
| @@ -526,17 +591,21 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 526 | memset(seq, 0, SSL3_SEQUENCE_SIZE); | 591 | memset(seq, 0, SSL3_SEQUENCE_SIZE); | 
| 527 | } | 592 | } | 
| 528 | 593 | ||
| 529 | key_len = EVP_CIPHER_key_length(cipher); | 594 | if (aead != NULL) { | 
| 530 | if (is_export) { | 595 | key_len = EVP_AEAD_key_length(aead); | 
| 531 | if (key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) | 596 | iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->s3->tmp.new_cipher); | 
| 597 | } else { | ||
| 598 | key_len = EVP_CIPHER_key_length(cipher); | ||
| 599 | iv_len = EVP_CIPHER_iv_length(cipher); | ||
| 600 | |||
| 601 | if (is_export && | ||
| 602 | key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) | ||
| 532 | key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher); | 603 | key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher); | 
| 533 | } | ||
| 534 | 604 | ||
| 535 | /* If GCM mode only part of IV comes from PRF. */ | 605 | /* If GCM mode only part of IV comes from PRF. */ | 
| 536 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | 606 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | 
| 537 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | 607 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | 
| 538 | else | 608 | } | 
| 539 | iv_len = EVP_CIPHER_iv_length(cipher); | ||
| 540 | 609 | ||
| 541 | mac_secret_size = s->s3->tmp.new_mac_secret_size; | 610 | mac_secret_size = s->s3->tmp.new_mac_secret_size; | 
| 542 | 611 | ||
| @@ -577,6 +646,11 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 577 | s->s3->write_mac_secret_size = mac_secret_size; | 646 | s->s3->write_mac_secret_size = mac_secret_size; | 
| 578 | } | 647 | } | 
| 579 | 648 | ||
| 649 | if (aead != NULL) { | ||
| 650 | return tls1_change_cipher_state_aead(s, is_read, key, key_len, | ||
| 651 | iv, iv_len); | ||
| 652 | } | ||
| 653 | |||
| 580 | return tls1_change_cipher_state_cipher(s, is_read, use_client_keys, | 654 | return tls1_change_cipher_state_cipher(s, is_read, use_client_keys, | 
| 581 | mac_secret, mac_secret_size, key, key_len, iv, iv_len); | 655 | mac_secret, mac_secret_size, key, key_len, iv, iv_len); | 
| 582 | 656 | ||
| @@ -592,8 +666,9 @@ tls1_setup_key_block(SSL *s) | |||
| 592 | unsigned char *key_block, *tmp_block = NULL; | 666 | unsigned char *key_block, *tmp_block = NULL; | 
| 593 | int mac_type = NID_undef, mac_secret_size = 0; | 667 | int mac_type = NID_undef, mac_secret_size = 0; | 
| 594 | int key_block_len, key_len, iv_len; | 668 | int key_block_len, key_len, iv_len; | 
| 595 | const EVP_CIPHER *cipher; | 669 | const EVP_CIPHER *cipher = NULL; | 
| 596 | const EVP_MD *mac; | 670 | const EVP_AEAD *aead = NULL; | 
| 671 | const EVP_MD *mac = NULL; | ||
| 597 | SSL_COMP *comp; | 672 | SSL_COMP *comp; | 
| 598 | int ret = 0; | 673 | int ret = 0; | 
| 599 | 674 | ||
| @@ -606,24 +681,36 @@ tls1_setup_key_block(SSL *s) | |||
| 606 | return (0); | 681 | return (0); | 
| 607 | } | 682 | } | 
| 608 | 683 | ||
| 609 | if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, | 684 | if (s->session->cipher && | 
| 610 | &mac_secret_size)) { | 685 | (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) { | 
| 611 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, | 686 | if (!ssl_cipher_get_evp_aead(s->session, &aead)) { | 
| 612 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | 687 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, | 
| 613 | return (0); | 688 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | 
| 614 | } | 689 | return (0); | 
| 615 | 690 | } | |
| 616 | key_len = EVP_CIPHER_key_length(cipher); | 691 | key_len = EVP_AEAD_key_length(aead); | 
| 617 | 692 | iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher); | |
| 618 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | 693 | } else { | 
| 619 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | 694 | if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, | 
| 620 | else | 695 | &mac_secret_size)) { | 
| 696 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, | ||
| 697 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | ||
| 698 | return (0); | ||
| 699 | } | ||
| 700 | key_len = EVP_CIPHER_key_length(cipher); | ||
| 621 | iv_len = EVP_CIPHER_iv_length(cipher); | 701 | iv_len = EVP_CIPHER_iv_length(cipher); | 
| 622 | 702 | ||
| 703 | /* If GCM mode only part of IV comes from PRF. */ | ||
| 704 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | ||
| 705 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | ||
| 706 | } | ||
| 707 | |||
| 708 | s->s3->tmp.new_aead = aead; | ||
| 623 | s->s3->tmp.new_sym_enc = cipher; | 709 | s->s3->tmp.new_sym_enc = cipher; | 
| 624 | s->s3->tmp.new_hash = mac; | 710 | s->s3->tmp.new_hash = mac; | 
| 625 | s->s3->tmp.new_mac_pkey_type = mac_type; | 711 | s->s3->tmp.new_mac_pkey_type = mac_type; | 
| 626 | s->s3->tmp.new_mac_secret_size = mac_secret_size; | 712 | s->s3->tmp.new_mac_secret_size = mac_secret_size; | 
| 713 | |||
| 627 | key_block_len = (mac_secret_size + key_len + iv_len) * 2; | 714 | key_block_len = (mac_secret_size + key_len + iv_len) * 2; | 
| 628 | 715 | ||
| 629 | ssl3_cleanup_key_block(s); | 716 | ssl3_cleanup_key_block(s); | 
| @@ -664,6 +751,7 @@ tls1_setup_key_block(SSL *s) | |||
| 664 | } | 751 | } | 
| 665 | 752 | ||
| 666 | ret = 1; | 753 | ret = 1; | 
| 754 | |||
| 667 | err: | 755 | err: | 
| 668 | if (tmp_block) { | 756 | if (tmp_block) { | 
| 669 | OPENSSL_cleanse(tmp_block, key_block_len); | 757 | OPENSSL_cleanse(tmp_block, key_block_len); | 
| @@ -684,11 +772,135 @@ err: | |||
| 684 | int | 772 | int | 
| 685 | tls1_enc(SSL *s, int send) | 773 | tls1_enc(SSL *s, int send) | 
| 686 | { | 774 | { | 
| 687 | SSL3_RECORD *rec; | 775 | const SSL_AEAD_CTX *aead; | 
| 776 | const EVP_CIPHER *enc; | ||
| 688 | EVP_CIPHER_CTX *ds; | 777 | EVP_CIPHER_CTX *ds; | 
| 778 | SSL3_RECORD *rec; | ||
| 689 | unsigned long l; | 779 | unsigned long l; | 
| 690 | int bs, i, j, k, pad = 0, ret, mac_size = 0; | 780 | int bs, i, j, k, pad = 0, ret, mac_size = 0; | 
| 691 | const EVP_CIPHER *enc; | 781 | |
| 782 | if (send) { | ||
| 783 | aead = s->aead_write_ctx; | ||
| 784 | rec = &s->s3->wrec; | ||
| 785 | } else { | ||
| 786 | aead = s->aead_read_ctx; | ||
| 787 | rec = &s->s3->rrec; | ||
| 788 | } | ||
| 789 | |||
| 790 | if (aead) { | ||
| 791 | unsigned char ad[13], *seq, *in, *out, nonce[16]; | ||
| 792 | unsigned nonce_used; | ||
| 793 | ssize_t n; | ||
| 794 | |||
| 795 | seq = send ? s->s3->write_sequence : s->s3->read_sequence; | ||
| 796 | |||
| 797 | if (SSL_IS_DTLS(s)) { | ||
| 798 | unsigned char dtlsseq[9], *p = dtlsseq; | ||
| 799 | |||
| 800 | s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p); | ||
| 801 | memcpy(p, &seq[2], 6); | ||
| 802 | memcpy(ad, dtlsseq, 8); | ||
| 803 | } else { | ||
| 804 | memcpy(ad, seq, SSL3_SEQUENCE_SIZE); | ||
| 805 | for (i = 7; i >= 0; i--) { | ||
| 806 | ++seq[i]; | ||
| 807 | if (seq[i] != 0) | ||
| 808 | break; | ||
| 809 | } | ||
| 810 | } | ||
| 811 | |||
| 812 | ad[8] = rec->type; | ||
| 813 | ad[9] = (unsigned char)(s->version >> 8); | ||
| 814 | ad[10] = (unsigned char)(s->version); | ||
| 815 | |||
| 816 | if (aead->fixed_nonce_len + | ||
| 817 | aead->variable_nonce_len > sizeof(nonce) || | ||
| 818 | aead->variable_nonce_len > 8) | ||
| 819 | return -1; /* internal error - should never happen. */ | ||
| 820 | |||
| 821 | memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len); | ||
| 822 | nonce_used = aead->fixed_nonce_len; | ||
| 823 | |||
| 824 | if (send) { | ||
| 825 | size_t len = rec->length; | ||
| 826 | size_t eivlen = 0; | ||
| 827 | in = rec->input; | ||
| 828 | out = rec->data; | ||
| 829 | |||
| 830 | /* | ||
| 831 | * When sending we use the sequence number as the | ||
| 832 | * variable part of the nonce. | ||
| 833 | */ | ||
| 834 | if (aead->variable_nonce_len > 8) | ||
| 835 | return -1; | ||
| 836 | memcpy(nonce + nonce_used, ad, | ||
| 837 | aead->variable_nonce_len); | ||
| 838 | nonce_used += aead->variable_nonce_len; | ||
| 839 | |||
| 840 | /* | ||
| 841 | * In do_ssl3_write, rec->input is moved forward by | ||
| 842 | * variable_nonce_len in order to leave space for the | ||
| 843 | * variable nonce. Thus we can copy the sequence number | ||
| 844 | * bytes into place without overwriting any of the | ||
| 845 | * plaintext. | ||
| 846 | */ | ||
| 847 | if (aead->variable_nonce_in_record) { | ||
| 848 | memcpy(out, ad, aead->variable_nonce_len); | ||
| 849 | len -= aead->variable_nonce_len; | ||
| 850 | eivlen = aead->variable_nonce_len; | ||
| 851 | } | ||
| 852 | |||
| 853 | ad[11] = len >> 8; | ||
| 854 | ad[12] = len & 0xff; | ||
| 855 | |||
| 856 | if (!EVP_AEAD_CTX_seal(&aead->ctx, | ||
| 857 | out + eivlen, &n, len + aead->tag_len, nonce, | ||
| 858 | nonce_used, in + eivlen, len, ad, sizeof(ad))) | ||
| 859 | return -1; | ||
| 860 | if (n >= 0 && aead->variable_nonce_in_record) | ||
| 861 | n += aead->variable_nonce_len; | ||
| 862 | } else { | ||
| 863 | /* receive */ | ||
| 864 | size_t len = rec->length; | ||
| 865 | |||
| 866 | if (rec->data != rec->input) | ||
| 867 | return -1; /* internal error - should never happen. */ | ||
| 868 | out = in = rec->input; | ||
| 869 | |||
| 870 | if (len < aead->variable_nonce_len) | ||
| 871 | return 0; | ||
| 872 | memcpy(nonce + nonce_used, | ||
| 873 | aead->variable_nonce_in_record ? in : ad, | ||
| 874 | aead->variable_nonce_len); | ||
| 875 | nonce_used += aead->variable_nonce_len; | ||
| 876 | |||
| 877 | if (aead->variable_nonce_in_record) { | ||
| 878 | in += aead->variable_nonce_len; | ||
| 879 | len -= aead->variable_nonce_len; | ||
| 880 | out += aead->variable_nonce_len; | ||
| 881 | } | ||
| 882 | |||
| 883 | if (len < aead->tag_len) | ||
| 884 | return 0; | ||
| 885 | len -= aead->tag_len; | ||
| 886 | |||
| 887 | ad[11] = len >> 8; | ||
| 888 | ad[12] = len & 0xff; | ||
| 889 | |||
| 890 | if (!EVP_AEAD_CTX_open(&aead->ctx, out, &n, len, nonce, | ||
| 891 | nonce_used, in, len + aead->tag_len, ad, | ||
| 892 | sizeof(ad))) | ||
| 893 | return -1; | ||
| 894 | |||
| 895 | rec->data = rec->input = out; | ||
| 896 | } | ||
| 897 | |||
| 898 | if (n == -1) | ||
| 899 | return -1; | ||
| 900 | rec->length = n; | ||
| 901 | |||
| 902 | return 1; | ||
| 903 | } | ||
| 692 | 904 | ||
| 693 | if (send) { | 905 | if (send) { | 
| 694 | if (EVP_MD_CTX_md(s->write_hash)) { | 906 | if (EVP_MD_CTX_md(s->write_hash)) { | 
| @@ -730,7 +942,6 @@ tls1_enc(SSL *s, int send) | |||
| 730 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); | 942 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); | 
| 731 | } | 943 | } | 
| 732 | 944 | ||
| 733 | |||
| 734 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { | 945 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { | 
| 735 | memmove(rec->data, rec->input, rec->length); | 946 | memmove(rec->data, rec->input, rec->length); | 
| 736 | rec->input = rec->data; | 947 | rec->input = rec->data; | 
