1 files changed, 42 insertions, 5 deletions
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
index ba3c3dfb2b..6cf8b31c63 100644
--- a/src/lib/libssl/tls12_record_layer.c
+++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls12_record_layer.c,v 1.24 2021/03/21 19:08:22 tb Exp $ */
+/* $OpenBSD: tls12_record_layer.c,v 1.25 2021/03/29 16:19:15 jsing Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
 *
@@ -22,9 +22,11 @@
 #include "ssl_locl.h"
+#define TLS12_RECORD_SEQ_NUM_LEN 8
 struct tls12_record_protection {
        uint16_t epoch;
-        uint8_t seq_num[SSL3_SEQUENCE_SIZE];
+        uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN];
        SSL_AEAD_CTX *aead_ctx;
@@ -342,6 +344,38 @@ tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl)
            sizeof(rl->write->seq_num));
 }
+static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = {
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+};
+int
+tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num)
+{
+        CBS max_seq_num;
+        int i;
+        /*
+         * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS
+         * sequence numbers must not wrap. Note that for DTLS the first two
+         * bytes are used as an "epoch" and not part of the sequence number.
+         */
+        CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN);
+        if (rl->dtls) {
+                if (!CBS_skip(&max_seq_num, 2))
+                        return 0;
+        }
+        if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num,
+            CBS_len(&max_seq_num)))
+                return 0;
+        for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
+                if (++seq_num[i] != 0)
+                        break;
+        }
+        return 1;
+}
 static int
 tls12_record_layer_set_mac_key(struct tls12_record_protection *rp,
    const uint8_t *mac_key, size_t mac_key_len)
@@ -1074,8 +1108,10 @@ tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
                        return 0;
        }
-        if (!rl->dtls)
+        if (!rl->dtls) {
-                tls1_record_sequence_increment(rl->read->seq_num);
+                if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num))
+                        return 0;
+        }
        return 1;
 }
@@ -1274,7 +1310,8 @@ tls12_record_layer_seal_record(struct tls12_record_layer *rl,
        if (!CBB_flush(cbb))
                goto err;
-        tls1_record_sequence_increment(rl->write->seq_num);
+        if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num))
+                goto err;
        ret = 1;

diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c index ba3c3dfb2b..6cf8b31c63 100644 --- a/src/lib/libssl/tls12_record_layer.c +++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls12_record_layer.c,v 1.24 2021/03/21 19:08:22 tb Exp $ */	1	/* $OpenBSD: tls12_record_layer.c,v 1.25 2021/03/29 16:19:15 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -22,9 +22,11 @@
22		22
23	#include "ssl_locl.h"	23	#include "ssl_locl.h"
24		24
		25	#define TLS12_RECORD_SEQ_NUM_LEN 8
		26
25	struct tls12_record_protection {	27	struct tls12_record_protection {
26	uint16_t epoch;	28	uint16_t epoch;
27	uint8_t seq_num[SSL3_SEQUENCE_SIZE];	29	uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN];
28		30
29	SSL_AEAD_CTX *aead_ctx;	31	SSL_AEAD_CTX *aead_ctx;
30		32
@@ -342,6 +344,38 @@ tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl)
342	sizeof(rl->write->seq_num));	344	sizeof(rl->write->seq_num));
343	}	345	}
344		346
		347	static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = {
		348	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
		349	};
		350
		351	int
		352	tls12_record_layer_inc_seq_num(struct tls12_record_layer rl, uint8_t seq_num)
		353	{
		354	CBS max_seq_num;
		355	int i;
		356
		357	/*
		358	* RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS
		359	* sequence numbers must not wrap. Note that for DTLS the first two
		360	* bytes are used as an "epoch" and not part of the sequence number.
		361	*/
		362	CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN);
		363	if (rl->dtls) {
		364	if (!CBS_skip(&max_seq_num, 2))
		365	return 0;
		366	}
		367	if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num,
		368	CBS_len(&max_seq_num)))
		369	return 0;
		370
		371	for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
		372	if (++seq_num[i] != 0)
		373	break;
		374	}
		375
		376	return 1;
		377	}
		378
345	static int	379	static int
346	tls12_record_layer_set_mac_key(struct tls12_record_protection *rp,	380	tls12_record_layer_set_mac_key(struct tls12_record_protection *rp,
347	const uint8_t *mac_key, size_t mac_key_len)	381	const uint8_t *mac_key, size_t mac_key_len)
@@ -1074,8 +1108,10 @@ tls12_record_layer_open_record(struct tls12_record_layer rl, uint8_t buf,
1074	return 0;	1108	return 0;
1075	}	1109	}
1076		1110
1077	if (!rl->dtls)	1111	if (!rl->dtls) {
1078	tls1_record_sequence_increment(rl->read->seq_num);	1112	if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num))
		1113	return 0;
		1114	}
1079		1115
1080	return 1;	1116	return 1;
1081	}	1117	}
@@ -1274,7 +1310,8 @@ tls12_record_layer_seal_record(struct tls12_record_layer *rl,
1274	if (!CBB_flush(cbb))	1310	if (!CBB_flush(cbb))
1275	goto err;	1311	goto err;
1276		1312
1277	tls1_record_sequence_increment(rl->write->seq_num);	1313	if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num))
		1314	goto err;
1278		1315
1279	ret = 1;	1316	ret = 1;
1280		1317