1/* $OpenBSD: tls12_record_layer.c,v 1.42 2024/02/03 15:58:34 beck Exp $ */ 2/* 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18#include <limits.h> 19#include <stdlib.h> 20 21#include <openssl/evp.h> 22 23#include "ssl_local.h" 24 25#define TLS12_RECORD_SEQ_NUM_LEN 8 26#define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12 27 28struct tls12_record_protection { 29 uint16_t epoch; 30 uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; 31 32 EVP_AEAD_CTX *aead_ctx; 33 34 uint8_t *aead_nonce; 35 size_t aead_nonce_len; 36 37 uint8_t *aead_fixed_nonce; 38 size_t aead_fixed_nonce_len; 39 40 size_t aead_variable_nonce_len; 41 size_t aead_tag_len; 42 43 int aead_xor_nonces; 44 int aead_variable_nonce_in_record; 45 46 EVP_CIPHER_CTX *cipher_ctx; 47 EVP_MD_CTX *hash_ctx; 48 49 int stream_mac; 50 51 uint8_t *mac_key; 52 size_t mac_key_len; 53}; 54 55static struct tls12_record_protection * 56tls12_record_protection_new(void) 57{ 58 return calloc(1, sizeof(struct tls12_record_protection)); 59} 60 61static void 62tls12_record_protection_clear(struct tls12_record_protection *rp) 63{ 64 EVP_AEAD_CTX_free(rp->aead_ctx); 65 66 freezero(rp->aead_nonce, rp->aead_nonce_len); 67 freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len); 68 69 EVP_CIPHER_CTX_free(rp->cipher_ctx); 70 EVP_MD_CTX_free(rp->hash_ctx); 71 72 freezero(rp->mac_key, rp->mac_key_len); 73 74 memset(rp, 0, sizeof(*rp)); 75} 76 77static void 78tls12_record_protection_free(struct tls12_record_protection *rp) 79{ 80 if (rp == NULL) 81 return; 82 83 tls12_record_protection_clear(rp); 84 85 freezero(rp, sizeof(struct tls12_record_protection)); 86} 87 88static int 89tls12_record_protection_engaged(struct tls12_record_protection *rp) 90{ 91 return rp->aead_ctx != NULL || rp->cipher_ctx != NULL; 92} 93 94static int 95tls12_record_protection_unused(struct tls12_record_protection *rp) 96{ 97 return rp->aead_ctx == NULL && rp->cipher_ctx == NULL && 98 rp->hash_ctx == NULL && rp->mac_key == NULL; 99} 100 101static int 102tls12_record_protection_eiv_len(struct tls12_record_protection *rp, 103 size_t *out_eiv_len) 104{ 105 int eiv_len; 106 107 *out_eiv_len = 0; 108 109 if (rp->cipher_ctx == NULL) 110 return 0; 111 112 eiv_len = 0; 113 if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE) 114 eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx); 115 if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH) 116 return 0; 117 118 *out_eiv_len = eiv_len; 119 120 return 1; 121} 122 123static int 124tls12_record_protection_block_size(struct tls12_record_protection *rp, 125 size_t *out_block_size) 126{ 127 int block_size; 128 129 *out_block_size = 0; 130 131 if (rp->cipher_ctx == NULL) 132 return 0; 133 134 block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx); 135 if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH) 136 return 0; 137 138 *out_block_size = block_size; 139 140 return 1; 141} 142 143static int 144tls12_record_protection_mac_len(struct tls12_record_protection *rp, 145 size_t *out_mac_len) 146{ 147 int mac_len; 148 149 *out_mac_len = 0; 150 151 if (rp->hash_ctx == NULL) 152 return 0; 153 154 mac_len = EVP_MD_CTX_size(rp->hash_ctx); 155 if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE) 156 return 0; 157 158 *out_mac_len = mac_len; 159 160 return 1; 161} 162 163struct tls12_record_layer { 164 uint16_t version; 165 uint16_t initial_epoch; 166 int dtls; 167 168 uint8_t alert_desc; 169 170 const EVP_AEAD *aead; 171 const EVP_CIPHER *cipher; 172 const EVP_MD *handshake_hash; 173 const EVP_MD *mac_hash; 174 175 /* Pointers to active record protection (memory is not owned). */ 176 struct tls12_record_protection *read; 177 struct tls12_record_protection *write; 178 179 struct tls12_record_protection *read_current; 180 struct tls12_record_protection *write_current; 181 struct tls12_record_protection *write_previous; 182}; 183 184struct tls12_record_layer * 185tls12_record_layer_new(void) 186{ 187 struct tls12_record_layer *rl; 188 189 if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL) 190 goto err; 191 if ((rl->read_current = tls12_record_protection_new()) == NULL) 192 goto err; 193 if ((rl->write_current = tls12_record_protection_new()) == NULL) 194 goto err; 195 196 rl->read = rl->read_current; 197 rl->write = rl->write_current; 198 199 return rl; 200 201 err: 202 tls12_record_layer_free(rl); 203 204 return NULL; 205} 206 207void 208tls12_record_layer_free(struct tls12_record_layer *rl) 209{ 210 if (rl == NULL) 211 return; 212 213 tls12_record_protection_free(rl->read_current); 214 tls12_record_protection_free(rl->write_current); 215 tls12_record_protection_free(rl->write_previous); 216 217 freezero(rl, sizeof(struct tls12_record_layer)); 218} 219 220void 221tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc) 222{ 223 *alert_desc = rl->alert_desc; 224} 225 226int 227tls12_record_layer_write_overhead(struct tls12_record_layer *rl, 228 size_t *overhead) 229{ 230 size_t block_size, eiv_len, mac_len; 231 232 *overhead = 0; 233 234 if (rl->write->aead_ctx != NULL) { 235 *overhead = rl->write->aead_tag_len; 236 } else if (rl->write->cipher_ctx != NULL) { 237 eiv_len = 0; 238 if (rl->version != TLS1_VERSION) { 239 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) 240 return 0; 241 } 242 if (!tls12_record_protection_block_size(rl->write, &block_size)) 243 return 0; 244 if (!tls12_record_protection_mac_len(rl->write, &mac_len)) 245 return 0; 246 247 *overhead = eiv_len + block_size + mac_len; 248 } 249 250 return 1; 251} 252 253int 254tls12_record_layer_read_protected(struct tls12_record_layer *rl) 255{ 256 return tls12_record_protection_engaged(rl->read); 257} 258 259int 260tls12_record_layer_write_protected(struct tls12_record_layer *rl) 261{ 262 return tls12_record_protection_engaged(rl->write); 263} 264 265void 266tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead) 267{ 268 rl->aead = aead; 269} 270 271void 272tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl, 273 const EVP_CIPHER *cipher, const EVP_MD *handshake_hash, 274 const EVP_MD *mac_hash) 275{ 276 rl->cipher = cipher; 277 rl->handshake_hash = handshake_hash; 278 rl->mac_hash = mac_hash; 279} 280 281void 282tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) 283{ 284 rl->version = version; 285 rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR); 286} 287 288void 289tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, 290 uint16_t epoch) 291{ 292 rl->initial_epoch = epoch; 293} 294 295uint16_t 296tls12_record_layer_read_epoch(struct tls12_record_layer *rl) 297{ 298 return rl->read->epoch; 299} 300 301uint16_t 302tls12_record_layer_write_epoch(struct tls12_record_layer *rl) 303{ 304 return rl->write->epoch; 305} 306 307int 308tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) 309{ 310 if (rl->write->epoch == epoch) 311 return 1; 312 313 if (rl->write_current->epoch == epoch) { 314 rl->write = rl->write_current; 315 return 1; 316 } 317 318 if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) { 319 rl->write = rl->write_previous; 320 return 1; 321 } 322 323 return 0; 324} 325 326void 327tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch) 328{ 329 if (rl->write_previous == NULL || rl->write_previous->epoch != epoch) 330 return; 331 332 rl->write = rl->write_current; 333 334 tls12_record_protection_free(rl->write_previous); 335 rl->write_previous = NULL; 336} 337 338void 339tls12_record_layer_clear_read_state(struct tls12_record_layer *rl) 340{ 341 tls12_record_protection_clear(rl->read); 342 rl->read->epoch = rl->initial_epoch; 343} 344 345void 346tls12_record_layer_clear_write_state(struct tls12_record_layer *rl) 347{ 348 tls12_record_protection_clear(rl->write); 349 rl->write->epoch = rl->initial_epoch; 350 351 tls12_record_protection_free(rl->write_previous); 352 rl->write_previous = NULL; 353} 354 355void 356tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl) 357{ 358 memcpy(rl->write->seq_num, rl->read->seq_num, 359 sizeof(rl->write->seq_num)); 360} 361 362static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = { 363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 364}; 365 366int 367tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num) 368{ 369 CBS max_seq_num; 370 int i; 371 372 /* 373 * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS 374 * sequence numbers must not wrap. Note that for DTLS the first two 375 * bytes are used as an "epoch" and not part of the sequence number. 376 */ 377 CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN); 378 if (rl->dtls) { 379 if (!CBS_skip(&max_seq_num, 2)) 380 return 0; 381 } 382 if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num, 383 CBS_len(&max_seq_num))) 384 return 0; 385 386 for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 387 if (++seq_num[i] != 0) 388 break; 389 } 390 391 return 1; 392} 393 394static int 395tls12_record_layer_set_mac_key(struct tls12_record_protection *rp, 396 const uint8_t *mac_key, size_t mac_key_len) 397{ 398 freezero(rp->mac_key, rp->mac_key_len); 399 rp->mac_key = NULL; 400 rp->mac_key_len = 0; 401 402 if (mac_key == NULL || mac_key_len == 0) 403 return 1; 404 405 if ((rp->mac_key = calloc(1, mac_key_len)) == NULL) 406 return 0; 407 408 memcpy(rp->mac_key, mac_key, mac_key_len); 409 rp->mac_key_len = mac_key_len; 410 411 return 1; 412} 413 414static int 415tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, 416 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 417 CBS *iv) 418{ 419 if (!tls12_record_protection_unused(rp)) 420 return 0; 421 422 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL) 423 return 0; 424 425 /* AES GCM cipher suites use variable nonce in record. */ 426 if (rl->aead == EVP_aead_aes_128_gcm() || 427 rl->aead == EVP_aead_aes_256_gcm()) 428 rp->aead_variable_nonce_in_record = 1; 429 430 /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */ 431 if (rl->aead == EVP_aead_chacha20_poly1305()) 432 rp->aead_xor_nonces = 1; 433 434 if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len)) 435 return 0; 436 437 rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead)); 438 if (rp->aead_nonce == NULL) 439 return 0; 440 441 rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); 442 rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead); 443 rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN; 444 445 if (rp->aead_xor_nonces) { 446 /* Fixed nonce length must match, variable must not exceed. */ 447 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) 448 return 0; 449 if (rp->aead_variable_nonce_len > rp->aead_nonce_len) 450 return 0; 451 } else { 452 /* Concatenated nonce length must equal AEAD nonce length. */ 453 if (rp->aead_fixed_nonce_len + 454 rp->aead_variable_nonce_len != rp->aead_nonce_len) 455 return 0; 456 } 457 458 if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key), 459 CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 460 return 0; 461 462 return 1; 463} 464 465static int 466tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl, 467 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 468 CBS *iv) 469{ 470 EVP_PKEY *mac_pkey = NULL; 471 int mac_type; 472 int ret = 0; 473 474 if (!tls12_record_protection_unused(rp)) 475 goto err; 476 477 mac_type = EVP_PKEY_HMAC; 478 rp->stream_mac = 0; 479 480 if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX) 481 goto err; 482 if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv)) 483 goto err; 484 if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key)) 485 goto err; 486 if (CBS_len(mac_key) > INT_MAX) 487 goto err; 488 if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key)) 489 goto err; 490 if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) 491 goto err; 492 if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL) 493 goto err; 494 495 if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key), 496 CBS_len(mac_key))) 497 goto err; 498 499 if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key), 500 CBS_len(mac_key))) == NULL) 501 goto err; 502 503 if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key), 504 CBS_data(iv), is_write)) 505 goto err; 506 507 if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL, 508 mac_pkey) <= 0) 509 goto err; 510 511 ret = 1; 512 513 err: 514 EVP_PKEY_free(mac_pkey); 515 516 return ret; 517} 518 519static int 520tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl, 521 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 522 CBS *iv) 523{ 524 if (rl->aead != NULL) 525 return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key, 526 key, iv); 527 528 return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key, 529 key, iv); 530} 531 532int 533tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, 534 CBS *mac_key, CBS *key, CBS *iv) 535{ 536 struct tls12_record_protection *read_new = NULL; 537 int ret = 0; 538 539 if ((read_new = tls12_record_protection_new()) == NULL) 540 goto err; 541 542 /* Read sequence number gets reset to zero. */ 543 544 /* DTLS epoch is incremented and is permitted to wrap. */ 545 if (rl->dtls) 546 read_new->epoch = rl->read_current->epoch + 1; 547 548 if (!tls12_record_layer_change_cipher_state(rl, read_new, 0, 549 mac_key, key, iv)) 550 goto err; 551 552 tls12_record_protection_free(rl->read_current); 553 rl->read = rl->read_current = read_new; 554 read_new = NULL; 555 556 ret = 1; 557 558 err: 559 tls12_record_protection_free(read_new); 560 561 return ret; 562} 563 564int 565tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, 566 CBS *mac_key, CBS *key, CBS *iv) 567{ 568 struct tls12_record_protection *write_new; 569 int ret = 0; 570 571 if ((write_new = tls12_record_protection_new()) == NULL) 572 goto err; 573 574 /* Write sequence number gets reset to zero. */ 575 576 /* DTLS epoch is incremented and is permitted to wrap. */ 577 if (rl->dtls) 578 write_new->epoch = rl->write_current->epoch + 1; 579 580 if (!tls12_record_layer_change_cipher_state(rl, write_new, 1, 581 mac_key, key, iv)) 582 goto err; 583 584 if (rl->dtls) { 585 tls12_record_protection_free(rl->write_previous); 586 rl->write_previous = rl->write_current; 587 rl->write_current = NULL; 588 } 589 tls12_record_protection_free(rl->write_current); 590 rl->write = rl->write_current = write_new; 591 write_new = NULL; 592 593 ret = 1; 594 595 err: 596 tls12_record_protection_free(write_new); 597 598 return ret; 599} 600 601static int 602tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, 603 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len) 604{ 605 CBS seq; 606 607 CBS_init(&seq, seq_num, seq_num_len); 608 609 if (rl->dtls) { 610 if (!CBB_add_u16(cbb, epoch)) 611 return 0; 612 if (!CBS_skip(&seq, 2)) 613 return 0; 614 } 615 616 return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq)); 617} 618 619static int 620tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, 621 uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out, 622 size_t *out_len) 623{ 624 CBB cbb; 625 626 *out = NULL; 627 *out_len = 0; 628 629 /* Build the pseudo-header used for MAC/AEAD. */ 630 if (!CBB_init(&cbb, 13)) 631 goto err; 632 633 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num))) 634 goto err; 635 if (!CBB_add_u8(&cbb, content_type)) 636 goto err; 637 if (!CBB_add_u16(&cbb, rl->version)) 638 goto err; 639 if (!CBB_add_u16(&cbb, record_len)) 640 goto err; 641 642 if (!CBB_finish(&cbb, out, out_len)) 643 goto err; 644 645 return 1; 646 647 err: 648 CBB_cleanup(&cbb); 649 650 return 0; 651} 652 653static int 654tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, 655 EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type, 656 const uint8_t *content, size_t content_len, size_t *out_len) 657{ 658 EVP_MD_CTX *mac_ctx = NULL; 659 uint8_t *header = NULL; 660 size_t header_len = 0; 661 size_t mac_len; 662 uint8_t *mac; 663 int ret = 0; 664 665 if ((mac_ctx = EVP_MD_CTX_new()) == NULL) 666 goto err; 667 if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx)) 668 goto err; 669 670 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 671 seq_num, &header, &header_len)) 672 goto err; 673 674 if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0) 675 goto err; 676 if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0) 677 goto err; 678 if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0) 679 goto err; 680 if (!CBB_add_space(cbb, &mac, mac_len)) 681 goto err; 682 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0) 683 goto err; 684 if (mac_len == 0) 685 goto err; 686 687 if (stream_mac) { 688 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx)) 689 goto err; 690 } 691 692 *out_len = mac_len; 693 ret = 1; 694 695 err: 696 EVP_MD_CTX_free(mac_ctx); 697 freezero(header, header_len); 698 699 return ret; 700} 701 702static int 703tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, 704 uint8_t content_type, CBS *seq_num, const uint8_t *content, 705 size_t content_len, size_t mac_len, size_t padding_len) 706{ 707 uint8_t *header = NULL; 708 size_t header_len = 0; 709 uint8_t *mac = NULL; 710 size_t out_mac_len = 0; 711 int ret = 0; 712 713 /* 714 * Must be constant time to avoid leaking details about CBC padding. 715 */ 716 717 if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx)) 718 goto err; 719 720 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 721 seq_num, &header, &header_len)) 722 goto err; 723 724 if (!CBB_add_space(cbb, &mac, mac_len)) 725 goto err; 726 if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header, 727 content, content_len + mac_len, content_len + mac_len + padding_len, 728 rl->read->mac_key, rl->read->mac_key_len)) 729 goto err; 730 if (mac_len != out_mac_len) 731 goto err; 732 733 ret = 1; 734 735 err: 736 freezero(header, header_len); 737 738 return ret; 739} 740 741static int 742tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb, 743 uint8_t content_type, CBS *seq_num, const uint8_t *content, 744 size_t content_len) 745{ 746 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 747 size_t out_len; 748 749 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) 750 return 0; 751 752 return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx, 753 rl->read->stream_mac, seq_num, content_type, content, content_len, 754 &out_len); 755} 756 757static int 758tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, 759 uint8_t content_type, CBS *seq_num, const uint8_t *content, 760 size_t content_len, size_t *out_len) 761{ 762 return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx, 763 rl->write->stream_mac, seq_num, content_type, content, content_len, 764 out_len); 765} 766 767static int 768tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, 769 struct tls12_record_protection *rp, CBS *seq_num) 770{ 771 CBB cbb; 772 773 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 774 return 0; 775 776 /* Fixed nonce and variable nonce (sequence number) are concatenated. */ 777 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) 778 goto err; 779 if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce, 780 rp->aead_fixed_nonce_len)) 781 goto err; 782 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), 783 rp->aead_variable_nonce_len)) 784 goto err; 785 if (!CBB_finish(&cbb, NULL, NULL)) 786 goto err; 787 788 return 1; 789 790 err: 791 CBB_cleanup(&cbb); 792 793 return 0; 794} 795 796static int 797tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, 798 struct tls12_record_protection *rp, CBS *seq_num) 799{ 800 uint8_t *pad; 801 CBB cbb; 802 int i; 803 804 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 805 return 0; 806 if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len) 807 return 0; 808 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) 809 return 0; 810 811 /* 812 * Variable nonce (sequence number) is right padded, before the fixed 813 * nonce is XOR'd in. 814 */ 815 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) 816 goto err; 817 if (!CBB_add_space(&cbb, &pad, 818 rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len)) 819 goto err; 820 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), 821 rp->aead_variable_nonce_len)) 822 goto err; 823 if (!CBB_finish(&cbb, NULL, NULL)) 824 goto err; 825 826 for (i = 0; i < rp->aead_fixed_nonce_len; i++) 827 rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i]; 828 829 return 1; 830 831 err: 832 CBB_cleanup(&cbb); 833 834 return 0; 835} 836 837static int 838tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, 839 uint8_t content_type, CBS *fragment, struct tls_content *out) 840{ 841 if (tls12_record_protection_engaged(rl->read)) 842 return 0; 843 844 return tls_content_dup_data(out, content_type, CBS_data(fragment), 845 CBS_len(fragment)); 846} 847 848static int 849tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, 850 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out) 851{ 852 struct tls12_record_protection *rp = rl->read; 853 uint8_t *header = NULL; 854 size_t header_len = 0; 855 uint8_t *content = NULL; 856 size_t content_len = 0; 857 size_t out_len = 0; 858 CBS var_nonce; 859 int ret = 0; 860 861 if (rp->aead_xor_nonces) { 862 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) 863 goto err; 864 } else if (rp->aead_variable_nonce_in_record) { 865 if (!CBS_get_bytes(fragment, &var_nonce, 866 rp->aead_variable_nonce_len)) 867 goto err; 868 if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce)) 869 goto err; 870 } else { 871 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) 872 goto err; 873 } 874 875 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 876 if (CBS_len(fragment) < rp->aead_tag_len) { 877 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 878 goto err; 879 } 880 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 881 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 882 goto err; 883 } 884 885 content_len = CBS_len(fragment) - rp->aead_tag_len; 886 if ((content = calloc(1, CBS_len(fragment))) == NULL) { 887 content_len = 0; 888 goto err; 889 } 890 891 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 892 seq_num, &header, &header_len)) 893 goto err; 894 895 if (!EVP_AEAD_CTX_open(rp->aead_ctx, content, &out_len, content_len, 896 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment), 897 CBS_len(fragment), header, header_len)) { 898 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 899 goto err; 900 } 901 902 if (out_len > SSL3_RT_MAX_PLAIN_LENGTH) { 903 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 904 goto err; 905 } 906 907 if (out_len != content_len) 908 goto err; 909 910 tls_content_set_data(out, content_type, content, content_len); 911 content = NULL; 912 content_len = 0; 913 914 ret = 1; 915 916 err: 917 freezero(header, header_len); 918 freezero(content, content_len); 919 920 return ret; 921} 922 923static int 924tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, 925 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out) 926{ 927 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 928 SSL3_RECORD_INTERNAL rrec; 929 size_t block_size, eiv_len; 930 uint8_t *mac = NULL; 931 size_t mac_len = 0; 932 uint8_t *out_mac = NULL; 933 size_t out_mac_len = 0; 934 uint8_t *content = NULL; 935 size_t content_len = 0; 936 size_t min_len; 937 CBB cbb_mac; 938 int ret = 0; 939 940 memset(&cbb_mac, 0, sizeof(cbb_mac)); 941 memset(&rrec, 0, sizeof(rrec)); 942 943 if (!tls12_record_protection_block_size(rl->read, &block_size)) 944 goto err; 945 946 /* Determine explicit IV length. */ 947 eiv_len = 0; 948 if (rl->version != TLS1_VERSION) { 949 if (!tls12_record_protection_eiv_len(rl->read, &eiv_len)) 950 goto err; 951 } 952 953 mac_len = 0; 954 if (rl->read->hash_ctx != NULL) { 955 if (!tls12_record_protection_mac_len(rl->read, &mac_len)) 956 goto err; 957 } 958 959 /* CBC has at least one padding byte. */ 960 min_len = eiv_len + mac_len; 961 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) 962 min_len += 1; 963 964 if (CBS_len(fragment) < min_len) { 965 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 966 goto err; 967 } 968 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 969 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 970 goto err; 971 } 972 if (CBS_len(fragment) % block_size != 0) { 973 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 974 goto err; 975 } 976 977 if ((content = calloc(1, CBS_len(fragment))) == NULL) 978 goto err; 979 content_len = CBS_len(fragment); 980 981 if (!EVP_Cipher(enc, content, CBS_data(fragment), CBS_len(fragment))) 982 goto err; 983 984 rrec.data = content; 985 rrec.input = content; 986 rrec.length = content_len; 987 988 /* 989 * We now have to remove padding, extract MAC, calculate MAC 990 * and compare MAC in constant time. 991 */ 992 if (block_size > 1) 993 ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len); 994 995 if ((mac = calloc(1, mac_len)) == NULL) 996 goto err; 997 998 if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE)) 999 goto err; 1000 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) { 1001 ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length + 1002 rrec.padding_length); 1003 rrec.length -= mac_len; 1004 if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type, 1005 seq_num, rrec.input, rrec.length, mac_len, 1006 rrec.padding_length)) 1007 goto err; 1008 } else { 1009 rrec.length -= mac_len; 1010 memcpy(mac, rrec.data + rrec.length, mac_len); 1011 if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type, 1012 seq_num, rrec.input, rrec.length)) 1013 goto err; 1014 } 1015 if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len)) 1016 goto err; 1017 if (mac_len != out_mac_len) 1018 goto err; 1019 1020 if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) { 1021 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1022 goto err; 1023 } 1024 1025 if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) { 1026 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1027 goto err; 1028 } 1029 if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) { 1030 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 1031 goto err; 1032 } 1033 1034 tls_content_set_data(out, content_type, content, content_len); 1035 content = NULL; 1036 content_len = 0; 1037 1038 /* Actual content is after EIV, minus padding and MAC. */ 1039 if (!tls_content_set_bounds(out, eiv_len, rrec.length)) 1040 goto err; 1041 1042 ret = 1; 1043 1044 err: 1045 CBB_cleanup(&cbb_mac); 1046 freezero(mac, mac_len); 1047 freezero(out_mac, out_mac_len); 1048 freezero(content, content_len); 1049 1050 return ret; 1051} 1052 1053int 1054tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, 1055 size_t buf_len, struct tls_content *out) 1056{ 1057 CBS cbs, fragment, seq_num; 1058 uint16_t version; 1059 uint8_t content_type; 1060 1061 CBS_init(&cbs, buf, buf_len); 1062 CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num)); 1063 1064 if (!CBS_get_u8(&cbs, &content_type)) 1065 return 0; 1066 if (!CBS_get_u16(&cbs, &version)) 1067 return 0; 1068 if (rl->dtls) { 1069 /* 1070 * The DTLS sequence number is split into a 16 bit epoch and 1071 * 48 bit sequence number, however for the purposes of record 1072 * processing it is treated the same as a TLS 64 bit sequence 1073 * number. DTLS also uses explicit read sequence numbers, which 1074 * we need to extract from the DTLS record header. 1075 */ 1076 if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE)) 1077 return 0; 1078 if (!CBS_write_bytes(&seq_num, rl->read->seq_num, 1079 sizeof(rl->read->seq_num), NULL)) 1080 return 0; 1081 } 1082 if (!CBS_get_u16_length_prefixed(&cbs, &fragment)) 1083 return 0; 1084 1085 if (rl->read->aead_ctx != NULL) { 1086 if (!tls12_record_layer_open_record_protected_aead(rl, 1087 content_type, &seq_num, &fragment, out)) 1088 return 0; 1089 } else if (rl->read->cipher_ctx != NULL) { 1090 if (!tls12_record_layer_open_record_protected_cipher(rl, 1091 content_type, &seq_num, &fragment, out)) 1092 return 0; 1093 } else { 1094 if (!tls12_record_layer_open_record_plaintext(rl, 1095 content_type, &fragment, out)) 1096 return 0; 1097 } 1098 1099 if (!rl->dtls) { 1100 if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num)) 1101 return 0; 1102 } 1103 1104 return 1; 1105} 1106 1107static int 1108tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, 1109 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) 1110{ 1111 if (tls12_record_protection_engaged(rl->write)) 1112 return 0; 1113 1114 return CBB_add_bytes(out, content, content_len); 1115} 1116 1117static int 1118tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, 1119 uint8_t content_type, CBS *seq_num, const uint8_t *content, 1120 size_t content_len, CBB *out) 1121{ 1122 struct tls12_record_protection *rp = rl->write; 1123 uint8_t *header = NULL; 1124 size_t header_len = 0; 1125 size_t enc_record_len, out_len; 1126 uint8_t *enc_data; 1127 int ret = 0; 1128 1129 if (rp->aead_xor_nonces) { 1130 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) 1131 goto err; 1132 } else { 1133 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) 1134 goto err; 1135 } 1136 1137 if (rp->aead_variable_nonce_in_record) { 1138 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 1139 goto err; 1140 if (!CBB_add_bytes(out, CBS_data(seq_num), 1141 rp->aead_variable_nonce_len)) 1142 goto err; 1143 } 1144 1145 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 1146 seq_num, &header, &header_len)) 1147 goto err; 1148 1149 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 1150 enc_record_len = content_len + rp->aead_tag_len; 1151 if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) 1152 goto err; 1153 if (!CBB_add_space(out, &enc_data, enc_record_len)) 1154 goto err; 1155 1156 if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len, 1157 rp->aead_nonce, rp->aead_nonce_len, content, content_len, header, 1158 header_len)) 1159 goto err; 1160 1161 if (out_len != enc_record_len) 1162 goto err; 1163 1164 ret = 1; 1165 1166 err: 1167 freezero(header, header_len); 1168 1169 return ret; 1170} 1171 1172static int 1173tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, 1174 uint8_t content_type, CBS *seq_num, const uint8_t *content, 1175 size_t content_len, CBB *out) 1176{ 1177 EVP_CIPHER_CTX *enc = rl->write->cipher_ctx; 1178 size_t block_size, eiv_len, mac_len, pad_len; 1179 uint8_t *enc_data, *eiv, *pad, pad_val; 1180 uint8_t *plain = NULL; 1181 size_t plain_len = 0; 1182 int ret = 0; 1183 CBB cbb; 1184 1185 if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH)) 1186 goto err; 1187 1188 /* Add explicit IV if necessary. */ 1189 eiv_len = 0; 1190 if (rl->version != TLS1_VERSION) { 1191 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) 1192 goto err; 1193 } 1194 if (eiv_len > 0) { 1195 if (!CBB_add_space(&cbb, &eiv, eiv_len)) 1196 goto err; 1197 arc4random_buf(eiv, eiv_len); 1198 } 1199 1200 if (!CBB_add_bytes(&cbb, content, content_len)) 1201 goto err; 1202 1203 mac_len = 0; 1204 if (rl->write->hash_ctx != NULL) { 1205 if (!tls12_record_layer_write_mac(rl, &cbb, content_type, 1206 seq_num, content, content_len, &mac_len)) 1207 goto err; 1208 } 1209 1210 plain_len = eiv_len + content_len + mac_len; 1211 1212 /* Add padding to block size, if necessary. */ 1213 if (!tls12_record_protection_block_size(rl->write, &block_size)) 1214 goto err; 1215 if (block_size > 1) { 1216 pad_len = block_size - (plain_len % block_size); 1217 pad_val = pad_len - 1; 1218 1219 if (pad_len > 255) 1220 goto err; 1221 if (!CBB_add_space(&cbb, &pad, pad_len)) 1222 goto err; 1223 memset(pad, pad_val, pad_len); 1224 } 1225 1226 if (!CBB_finish(&cbb, &plain, &plain_len)) 1227 goto err; 1228 1229 if (plain_len % block_size != 0) 1230 goto err; 1231 if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) 1232 goto err; 1233 1234 if (!CBB_add_space(out, &enc_data, plain_len)) 1235 goto err; 1236 if (!EVP_Cipher(enc, enc_data, plain, plain_len)) 1237 goto err; 1238 1239 ret = 1; 1240 1241 err: 1242 CBB_cleanup(&cbb); 1243 freezero(plain, plain_len); 1244 1245 return ret; 1246} 1247 1248int 1249tls12_record_layer_seal_record(struct tls12_record_layer *rl, 1250 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb) 1251{ 1252 uint8_t *seq_num_data = NULL; 1253 size_t seq_num_len = 0; 1254 CBB fragment, seq_num_cbb; 1255 CBS seq_num; 1256 int ret = 0; 1257 1258 /* 1259 * Construct the effective sequence number - this is used in both 1260 * the DTLS header and for MAC calculations. 1261 */ 1262 if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE)) 1263 goto err; 1264 if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch, 1265 rl->write->seq_num, sizeof(rl->write->seq_num))) 1266 goto err; 1267 if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len)) 1268 goto err; 1269 CBS_init(&seq_num, seq_num_data, seq_num_len); 1270 1271 if (!CBB_add_u8(cbb, content_type)) 1272 goto err; 1273 if (!CBB_add_u16(cbb, rl->version)) 1274 goto err; 1275 if (rl->dtls) { 1276 if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num))) 1277 goto err; 1278 } 1279 if (!CBB_add_u16_length_prefixed(cbb, &fragment)) 1280 goto err; 1281 1282 if (rl->write->aead_ctx != NULL) { 1283 if (!tls12_record_layer_seal_record_protected_aead(rl, 1284 content_type, &seq_num, content, content_len, &fragment)) 1285 goto err; 1286 } else if (rl->write->cipher_ctx != NULL) { 1287 if (!tls12_record_layer_seal_record_protected_cipher(rl, 1288 content_type, &seq_num, content, content_len, &fragment)) 1289 goto err; 1290 } else { 1291 if (!tls12_record_layer_seal_record_plaintext(rl, 1292 content_type, content, content_len, &fragment)) 1293 goto err; 1294 } 1295 1296 if (!CBB_flush(cbb)) 1297 goto err; 1298 1299 if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num)) 1300 goto err; 1301 1302 ret = 1; 1303 1304 err: 1305 CBB_cleanup(&seq_num_cbb); 1306 free(seq_num_data); 1307 1308 return ret; 1309} 1310