diff options
Diffstat (limited to 'src/lib/libssl/tls12_record_layer.c')
| -rw-r--r-- | src/lib/libssl/tls12_record_layer.c | 116 |
1 files changed, 93 insertions, 23 deletions
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c index 0104443286..b74a6588ef 100644 --- a/src/lib/libssl/tls12_record_layer.c +++ b/src/lib/libssl/tls12_record_layer.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls12_record_layer.c,v 1.15 2021/01/26 14:22:20 jsing Exp $ */ | 1 | /* $OpenBSD: tls12_record_layer.c,v 1.16 2021/01/28 17:00:39 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -15,6 +15,7 @@ | |||
| 15 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 15 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 16 | */ | 16 | */ |
| 17 | 17 | ||
| 18 | #include <limits.h> | ||
| 18 | #include <stdlib.h> | 19 | #include <stdlib.h> |
| 19 | 20 | ||
| 20 | #include <openssl/evp.h> | 21 | #include <openssl/evp.h> |
| @@ -25,6 +26,8 @@ struct tls12_record_protection { | |||
| 25 | uint16_t epoch; | 26 | uint16_t epoch; |
| 26 | uint8_t seq_num[SSL3_SEQUENCE_SIZE]; | 27 | uint8_t seq_num[SSL3_SEQUENCE_SIZE]; |
| 27 | 28 | ||
| 29 | SSL_AEAD_CTX *aead_ctx; | ||
| 30 | |||
| 28 | int stream_mac; | 31 | int stream_mac; |
| 29 | 32 | ||
| 30 | uint8_t *mac_key; | 33 | uint8_t *mac_key; |
| @@ -34,8 +37,6 @@ struct tls12_record_protection { | |||
| 34 | * XXX - for now these are just pointers to externally managed | 37 | * XXX - for now these are just pointers to externally managed |
| 35 | * structs/memory. These should eventually be owned by the record layer. | 38 | * structs/memory. These should eventually be owned by the record layer. |
| 36 | */ | 39 | */ |
| 37 | SSL_AEAD_CTX *aead_ctx; | ||
| 38 | |||
| 39 | EVP_CIPHER_CTX *cipher_ctx; | 40 | EVP_CIPHER_CTX *cipher_ctx; |
| 40 | EVP_MD_CTX *hash_ctx; | 41 | EVP_MD_CTX *hash_ctx; |
| 41 | }; | 42 | }; |
| @@ -51,6 +52,12 @@ tls12_record_protection_clear(struct tls12_record_protection *rp) | |||
| 51 | { | 52 | { |
| 52 | memset(rp->seq_num, 0, sizeof(rp->seq_num)); | 53 | memset(rp->seq_num, 0, sizeof(rp->seq_num)); |
| 53 | 54 | ||
| 55 | if (rp->aead_ctx != NULL) { | ||
| 56 | EVP_AEAD_CTX_cleanup(&rp->aead_ctx->ctx); | ||
| 57 | freezero(rp->aead_ctx, sizeof(*rp->aead_ctx)); | ||
| 58 | rp->aead_ctx = NULL; | ||
| 59 | } | ||
| 60 | |||
| 54 | freezero(rp->mac_key, rp->mac_key_len); | 61 | freezero(rp->mac_key, rp->mac_key_len); |
| 55 | rp->mac_key = NULL; | 62 | rp->mac_key = NULL; |
| 56 | rp->mac_key_len = 0; | 63 | rp->mac_key_len = 0; |
| @@ -141,6 +148,8 @@ struct tls12_record_layer { | |||
| 141 | 148 | ||
| 142 | uint8_t alert_desc; | 149 | uint8_t alert_desc; |
| 143 | 150 | ||
| 151 | const EVP_AEAD *aead; | ||
| 152 | |||
| 144 | /* Pointers to active record protection (memory is not owned). */ | 153 | /* Pointers to active record protection (memory is not owned). */ |
| 145 | struct tls12_record_protection *read; | 154 | struct tls12_record_protection *read; |
| 146 | struct tls12_record_protection *write; | 155 | struct tls12_record_protection *write; |
| @@ -232,6 +241,12 @@ tls12_record_layer_write_protected(struct tls12_record_layer *rl) | |||
| 232 | } | 241 | } |
| 233 | 242 | ||
| 234 | void | 243 | void |
| 244 | tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead) | ||
| 245 | { | ||
| 246 | rl->aead = aead; | ||
| 247 | } | ||
| 248 | |||
| 249 | void | ||
| 235 | tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) | 250 | tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) |
| 236 | { | 251 | { |
| 237 | rl->version = version; | 252 | rl->version = version; |
| @@ -324,24 +339,6 @@ tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl) | |||
| 324 | } | 339 | } |
| 325 | 340 | ||
| 326 | int | 341 | int |
| 327 | tls12_record_layer_set_read_aead(struct tls12_record_layer *rl, | ||
| 328 | SSL_AEAD_CTX *aead_ctx) | ||
| 329 | { | ||
| 330 | tls12_record_layer_set_read_state(rl, aead_ctx, NULL, NULL, 0); | ||
| 331 | |||
| 332 | return 1; | ||
| 333 | } | ||
| 334 | |||
| 335 | int | ||
| 336 | tls12_record_layer_set_write_aead(struct tls12_record_layer *rl, | ||
| 337 | SSL_AEAD_CTX *aead_ctx) | ||
| 338 | { | ||
| 339 | tls12_record_layer_set_write_state(rl, aead_ctx, NULL, NULL, 0); | ||
| 340 | |||
| 341 | return 1; | ||
| 342 | } | ||
| 343 | |||
| 344 | int | ||
| 345 | tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer *rl, | 342 | tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer *rl, |
| 346 | EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac) | 343 | EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac) |
| 347 | { | 344 | { |
| @@ -381,6 +378,75 @@ tls12_record_layer_set_read_mac_key(struct tls12_record_layer *rl, | |||
| 381 | return 1; | 378 | return 1; |
| 382 | } | 379 | } |
| 383 | 380 | ||
| 381 | static int | ||
| 382 | tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, | ||
| 383 | struct tls12_record_protection *rp, int is_write, const uint8_t *mac_key, | ||
| 384 | size_t mac_key_len, const uint8_t *key, size_t key_len, const uint8_t *iv, | ||
| 385 | size_t iv_len) | ||
| 386 | { | ||
| 387 | size_t aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); | ||
| 388 | |||
| 389 | if ((rp->aead_ctx = calloc(1, sizeof(*rp->aead_ctx))) == NULL) | ||
| 390 | return 0; | ||
| 391 | |||
| 392 | /* AES GCM cipher suites use variable nonce in record. */ | ||
| 393 | if (rl->aead == EVP_aead_aes_128_gcm() || | ||
| 394 | rl->aead == EVP_aead_aes_256_gcm()) | ||
| 395 | rp->aead_ctx->variable_nonce_in_record = 1; | ||
| 396 | |||
| 397 | /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */ | ||
| 398 | if (rl->aead == EVP_aead_chacha20_poly1305()) | ||
| 399 | rp->aead_ctx->xor_fixed_nonce = 1; | ||
| 400 | |||
| 401 | if (iv_len > sizeof(rp->aead_ctx->fixed_nonce)) | ||
| 402 | return 0; | ||
| 403 | |||
| 404 | memcpy(rp->aead_ctx->fixed_nonce, iv, iv_len); | ||
| 405 | rp->aead_ctx->fixed_nonce_len = iv_len; | ||
| 406 | rp->aead_ctx->tag_len = EVP_AEAD_max_overhead(rl->aead); | ||
| 407 | rp->aead_ctx->variable_nonce_len = 8; | ||
| 408 | |||
| 409 | if (rp->aead_ctx->xor_fixed_nonce) { | ||
| 410 | /* Fixed nonce length must match, variable must not exceed. */ | ||
| 411 | if (rp->aead_ctx->fixed_nonce_len != aead_nonce_len) | ||
| 412 | return 0; | ||
| 413 | if (rp->aead_ctx->variable_nonce_len > aead_nonce_len) | ||
| 414 | return 0; | ||
| 415 | } else { | ||
| 416 | /* Concatenated nonce length must equal AEAD nonce length. */ | ||
| 417 | if (rp->aead_ctx->fixed_nonce_len + | ||
| 418 | rp->aead_ctx->variable_nonce_len != aead_nonce_len) | ||
| 419 | return 0; | ||
| 420 | } | ||
| 421 | |||
| 422 | if (!EVP_AEAD_CTX_init(&rp->aead_ctx->ctx, rl->aead, key, key_len, | ||
| 423 | EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) | ||
| 424 | return 0; | ||
| 425 | |||
| 426 | return 1; | ||
| 427 | } | ||
| 428 | |||
| 429 | static int | ||
| 430 | tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl, | ||
| 431 | struct tls12_record_protection *rp, int is_write, const uint8_t *mac_key, | ||
| 432 | size_t mac_key_len, const uint8_t *key, size_t key_len, const uint8_t *iv, | ||
| 433 | size_t iv_len) | ||
| 434 | { | ||
| 435 | /* Require unused record protection. */ | ||
| 436 | if (rp->cipher_ctx != NULL || rp->aead_ctx != NULL) | ||
| 437 | return 0; | ||
| 438 | |||
| 439 | if (mac_key_len > INT_MAX || key_len > INT_MAX || iv_len > INT_MAX) | ||
| 440 | return 0; | ||
| 441 | |||
| 442 | /* XXX - only aead for now. */ | ||
| 443 | if (rl->aead == NULL) | ||
| 444 | return 1; | ||
| 445 | |||
| 446 | return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key, | ||
| 447 | mac_key_len, key, key_len, iv, iv_len); | ||
| 448 | } | ||
| 449 | |||
| 384 | int | 450 | int |
| 385 | tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, | 451 | tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, |
| 386 | const uint8_t *mac_key, size_t mac_key_len, const uint8_t *key, | 452 | const uint8_t *mac_key, size_t mac_key_len, const uint8_t *key, |
| @@ -394,7 +460,9 @@ tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, | |||
| 394 | 460 | ||
| 395 | /* Read sequence number gets reset to zero. */ | 461 | /* Read sequence number gets reset to zero. */ |
| 396 | 462 | ||
| 397 | /* XXX - change cipher state. */ | 463 | if (!tls12_record_layer_change_cipher_state(rl, read_new, 0, |
| 464 | mac_key, mac_key_len, key, key_len, iv, iv_len)) | ||
| 465 | goto err; | ||
| 398 | 466 | ||
| 399 | tls12_record_protection_free(rl->read_current); | 467 | tls12_record_protection_free(rl->read_current); |
| 400 | rl->read = rl->read_current = read_new; | 468 | rl->read = rl->read_current = read_new; |
| @@ -421,7 +489,9 @@ tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, | |||
| 421 | 489 | ||
| 422 | /* Write sequence number gets reset to zero. */ | 490 | /* Write sequence number gets reset to zero. */ |
| 423 | 491 | ||
| 424 | /* XXX - change cipher state. */ | 492 | if (!tls12_record_layer_change_cipher_state(rl, write_new, 1, |
| 493 | mac_key, mac_key_len, key, key_len, iv, iv_len)) | ||
| 494 | goto err; | ||
| 425 | 495 | ||
| 426 | if (rl->dtls) { | 496 | if (rl->dtls) { |
| 427 | tls12_record_protection_free(rl->write_previous); | 497 | tls12_record_protection_free(rl->write_previous); |