1*44aae0c1Sjsing /* $OpenBSD: tls12_record_layer.c,v 1.34 2021/08/30 19:12:25 jsing Exp $ */ 2acef91a0Sjsing /* 3acef91a0Sjsing * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 4acef91a0Sjsing * 5acef91a0Sjsing * Permission to use, copy, modify, and distribute this software for any 6acef91a0Sjsing * purpose with or without fee is hereby granted, provided that the above 7acef91a0Sjsing * copyright notice and this permission notice appear in all copies. 8acef91a0Sjsing * 9acef91a0Sjsing * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10acef91a0Sjsing * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11acef91a0Sjsing * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12acef91a0Sjsing * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13acef91a0Sjsing * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14acef91a0Sjsing * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15acef91a0Sjsing * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16acef91a0Sjsing */ 17acef91a0Sjsing 18c37fa200Sjsing #include <limits.h> 19acef91a0Sjsing #include <stdlib.h> 20acef91a0Sjsing 21acef91a0Sjsing #include <openssl/evp.h> 22acef91a0Sjsing 23acef91a0Sjsing #include "ssl_locl.h" 24acef91a0Sjsing 25e3ae3cd6Sjsing #define TLS12_RECORD_SEQ_NUM_LEN 8 267b133c71Sjsing #define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12 27e3ae3cd6Sjsing 28a13669d2Sjsing struct tls12_record_protection { 29a13669d2Sjsing uint16_t epoch; 30e3ae3cd6Sjsing uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; 31a13669d2Sjsing 327b133c71Sjsing EVP_AEAD_CTX *aead_ctx; 337b133c71Sjsing 34609ec8b1Sjsing uint8_t *aead_nonce; 35609ec8b1Sjsing size_t aead_nonce_len; 36609ec8b1Sjsing 377b133c71Sjsing uint8_t *aead_fixed_nonce; 387b133c71Sjsing size_t aead_fixed_nonce_len; 397b133c71Sjsing 407b133c71Sjsing size_t aead_variable_nonce_len; 417b133c71Sjsing size_t aead_tag_len; 427b133c71Sjsing 437b133c71Sjsing int aead_xor_nonces; 447b133c71Sjsing int aead_variable_nonce_in_record; 45c37fa200Sjsing 46747682f9Sjsing EVP_CIPHER_CTX *cipher_ctx; 47747682f9Sjsing EVP_MD_CTX *hash_ctx; 48747682f9Sjsing 49a13669d2Sjsing int stream_mac; 50a13669d2Sjsing 51a13669d2Sjsing uint8_t *mac_key; 52a13669d2Sjsing size_t mac_key_len; 53a13669d2Sjsing }; 54a13669d2Sjsing 55a13669d2Sjsing static struct tls12_record_protection * 56a13669d2Sjsing tls12_record_protection_new(void) 57a13669d2Sjsing { 58a13669d2Sjsing return calloc(1, sizeof(struct tls12_record_protection)); 59a13669d2Sjsing } 60a13669d2Sjsing 61a13669d2Sjsing static void 62f2284ad0Sjsing tls12_record_protection_clear(struct tls12_record_protection *rp) 63f2284ad0Sjsing { 64c37fa200Sjsing if (rp->aead_ctx != NULL) { 657b133c71Sjsing EVP_AEAD_CTX_cleanup(rp->aead_ctx); 66c37fa200Sjsing freezero(rp->aead_ctx, sizeof(*rp->aead_ctx)); 67c37fa200Sjsing } 68c37fa200Sjsing 69609ec8b1Sjsing freezero(rp->aead_nonce, rp->aead_nonce_len); 707b133c71Sjsing freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len); 717b133c71Sjsing 722935b8f4Sjsing EVP_CIPHER_CTX_free(rp->cipher_ctx); 732935b8f4Sjsing EVP_MD_CTX_free(rp->hash_ctx); 742935b8f4Sjsing 75f2284ad0Sjsing freezero(rp->mac_key, rp->mac_key_len); 7660497c21Sjsing 7760497c21Sjsing memset(rp, 0, sizeof(*rp)); 78f2284ad0Sjsing } 79f2284ad0Sjsing 80f2284ad0Sjsing static void 81a13669d2Sjsing tls12_record_protection_free(struct tls12_record_protection *rp) 82a13669d2Sjsing { 83a13669d2Sjsing if (rp == NULL) 84a13669d2Sjsing return; 85a13669d2Sjsing 86f2284ad0Sjsing tls12_record_protection_clear(rp); 87a13669d2Sjsing 88a13669d2Sjsing freezero(rp, sizeof(struct tls12_record_protection)); 89a13669d2Sjsing } 90a13669d2Sjsing 911c1840fbSjsing static int 921365e68cSjsing tls12_record_protection_engaged(struct tls12_record_protection *rp) 931365e68cSjsing { 941365e68cSjsing return rp->aead_ctx != NULL || rp->cipher_ctx != NULL; 951365e68cSjsing } 961365e68cSjsing 971365e68cSjsing static int 98747682f9Sjsing tls12_record_protection_unused(struct tls12_record_protection *rp) 99747682f9Sjsing { 100747682f9Sjsing return rp->aead_ctx == NULL && rp->cipher_ctx == NULL && 101747682f9Sjsing rp->hash_ctx == NULL && rp->mac_key == NULL; 102747682f9Sjsing } 103747682f9Sjsing 104747682f9Sjsing static int 1051c1840fbSjsing tls12_record_protection_eiv_len(struct tls12_record_protection *rp, 1061c1840fbSjsing size_t *out_eiv_len) 1071c1840fbSjsing { 1081c1840fbSjsing int eiv_len; 1091c1840fbSjsing 1101c1840fbSjsing *out_eiv_len = 0; 1111c1840fbSjsing 1121c1840fbSjsing if (rp->cipher_ctx == NULL) 1131c1840fbSjsing return 0; 1141c1840fbSjsing 1151c1840fbSjsing eiv_len = 0; 1161c1840fbSjsing if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE) 1171c1840fbSjsing eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx); 1181c1840fbSjsing if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH) 1191c1840fbSjsing return 0; 1201c1840fbSjsing 1211c1840fbSjsing *out_eiv_len = eiv_len; 1221c1840fbSjsing 1231c1840fbSjsing return 1; 1241c1840fbSjsing } 1251c1840fbSjsing 1261c1840fbSjsing static int 1271c1840fbSjsing tls12_record_protection_block_size(struct tls12_record_protection *rp, 1281c1840fbSjsing size_t *out_block_size) 1291c1840fbSjsing { 1301c1840fbSjsing int block_size; 1311c1840fbSjsing 1321c1840fbSjsing *out_block_size = 0; 1331c1840fbSjsing 1341c1840fbSjsing if (rp->cipher_ctx == NULL) 1351c1840fbSjsing return 0; 1361c1840fbSjsing 1371c1840fbSjsing block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx); 1381c1840fbSjsing if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH) 1391c1840fbSjsing return 0; 1401c1840fbSjsing 1411c1840fbSjsing *out_block_size = block_size; 1421c1840fbSjsing 1431c1840fbSjsing return 1; 1441c1840fbSjsing } 1451c1840fbSjsing 1461c1840fbSjsing static int 1471c1840fbSjsing tls12_record_protection_mac_len(struct tls12_record_protection *rp, 1481c1840fbSjsing size_t *out_mac_len) 1491c1840fbSjsing { 1501c1840fbSjsing int mac_len; 1511c1840fbSjsing 1521c1840fbSjsing *out_mac_len = 0; 1531c1840fbSjsing 1541c1840fbSjsing if (rp->hash_ctx == NULL) 1551c1840fbSjsing return 0; 1561c1840fbSjsing 1571c1840fbSjsing mac_len = EVP_MD_CTX_size(rp->hash_ctx); 1581c1840fbSjsing if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE) 1591c1840fbSjsing return 0; 1601c1840fbSjsing 1611c1840fbSjsing *out_mac_len = mac_len; 1621c1840fbSjsing 1631c1840fbSjsing return 1; 1641c1840fbSjsing } 1651c1840fbSjsing 166acef91a0Sjsing struct tls12_record_layer { 167acef91a0Sjsing uint16_t version; 168c8e2fc2bSjsing uint16_t initial_epoch; 169acef91a0Sjsing int dtls; 170acef91a0Sjsing 17140038cb8Sjsing uint8_t alert_desc; 17240038cb8Sjsing 173c37fa200Sjsing const EVP_AEAD *aead; 1742935b8f4Sjsing const EVP_CIPHER *cipher; 1752935b8f4Sjsing const EVP_MD *handshake_hash; 1762935b8f4Sjsing const EVP_MD *mac_hash; 177c37fa200Sjsing 178a802a16aSjsing /* Pointers to active record protection (memory is not owned). */ 179a13669d2Sjsing struct tls12_record_protection *read; 180a13669d2Sjsing struct tls12_record_protection *write; 181a802a16aSjsing 182a802a16aSjsing struct tls12_record_protection *read_current; 183a802a16aSjsing struct tls12_record_protection *write_current; 184a802a16aSjsing struct tls12_record_protection *write_previous; 185acef91a0Sjsing }; 186acef91a0Sjsing 187acef91a0Sjsing struct tls12_record_layer * 188acef91a0Sjsing tls12_record_layer_new(void) 189acef91a0Sjsing { 190acef91a0Sjsing struct tls12_record_layer *rl; 191acef91a0Sjsing 192acef91a0Sjsing if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL) 193a13669d2Sjsing goto err; 194a802a16aSjsing if ((rl->read_current = tls12_record_protection_new()) == NULL) 195a13669d2Sjsing goto err; 196a802a16aSjsing if ((rl->write_current = tls12_record_protection_new()) == NULL) 197a13669d2Sjsing goto err; 198acef91a0Sjsing 199a802a16aSjsing rl->read = rl->read_current; 200a802a16aSjsing rl->write = rl->write_current; 201a802a16aSjsing 202acef91a0Sjsing return rl; 203a13669d2Sjsing 204a13669d2Sjsing err: 205a13669d2Sjsing tls12_record_layer_free(rl); 206a13669d2Sjsing 207a13669d2Sjsing return NULL; 208acef91a0Sjsing } 209acef91a0Sjsing 210acef91a0Sjsing void 211acef91a0Sjsing tls12_record_layer_free(struct tls12_record_layer *rl) 212acef91a0Sjsing { 2133e9ce141Sjsing if (rl == NULL) 2143e9ce141Sjsing return; 2153e9ce141Sjsing 216a802a16aSjsing tls12_record_protection_free(rl->read_current); 217a802a16aSjsing tls12_record_protection_free(rl->write_current); 218a802a16aSjsing tls12_record_protection_free(rl->write_previous); 2193e9ce141Sjsing 220acef91a0Sjsing freezero(rl, sizeof(struct tls12_record_layer)); 221acef91a0Sjsing } 222acef91a0Sjsing 223acef91a0Sjsing void 22440038cb8Sjsing tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc) 22540038cb8Sjsing { 22640038cb8Sjsing *alert_desc = rl->alert_desc; 22740038cb8Sjsing } 22840038cb8Sjsing 2299123ae00Sjsing int 2309123ae00Sjsing tls12_record_layer_write_overhead(struct tls12_record_layer *rl, 2319123ae00Sjsing size_t *overhead) 2329123ae00Sjsing { 2339123ae00Sjsing size_t block_size, eiv_len, mac_len; 2349123ae00Sjsing 2359123ae00Sjsing *overhead = 0; 2369123ae00Sjsing 2379123ae00Sjsing if (rl->write->aead_ctx != NULL) { 2387b133c71Sjsing *overhead = rl->write->aead_tag_len; 2399123ae00Sjsing } else if (rl->write->cipher_ctx != NULL) { 2409123ae00Sjsing eiv_len = 0; 2419123ae00Sjsing if (rl->version != TLS1_VERSION) { 2429123ae00Sjsing if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) 2439123ae00Sjsing return 0; 2449123ae00Sjsing } 2459123ae00Sjsing if (!tls12_record_protection_block_size(rl->write, &block_size)) 2469123ae00Sjsing return 0; 2479123ae00Sjsing if (!tls12_record_protection_mac_len(rl->write, &mac_len)) 2489123ae00Sjsing return 0; 2499123ae00Sjsing 2509123ae00Sjsing *overhead = eiv_len + block_size + mac_len; 2519123ae00Sjsing } 2529123ae00Sjsing 2539123ae00Sjsing return 1; 2549123ae00Sjsing } 2559123ae00Sjsing 2561365e68cSjsing int 2571365e68cSjsing tls12_record_layer_read_protected(struct tls12_record_layer *rl) 2581365e68cSjsing { 2591365e68cSjsing return tls12_record_protection_engaged(rl->read); 2601365e68cSjsing } 2611365e68cSjsing 2621365e68cSjsing int 2631365e68cSjsing tls12_record_layer_write_protected(struct tls12_record_layer *rl) 2641365e68cSjsing { 2651365e68cSjsing return tls12_record_protection_engaged(rl->write); 2661365e68cSjsing } 2671365e68cSjsing 26840038cb8Sjsing void 269c37fa200Sjsing tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead) 270c37fa200Sjsing { 271c37fa200Sjsing rl->aead = aead; 272c37fa200Sjsing } 273c37fa200Sjsing 274c37fa200Sjsing void 2752935b8f4Sjsing tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl, 2762935b8f4Sjsing const EVP_CIPHER *cipher, const EVP_MD *handshake_hash, 2772935b8f4Sjsing const EVP_MD *mac_hash) 2782935b8f4Sjsing { 2792935b8f4Sjsing rl->cipher = cipher; 2802935b8f4Sjsing rl->handshake_hash = handshake_hash; 2812935b8f4Sjsing rl->mac_hash = mac_hash; 2822935b8f4Sjsing } 2832935b8f4Sjsing 2842935b8f4Sjsing void 285acef91a0Sjsing tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) 286acef91a0Sjsing { 287acef91a0Sjsing rl->version = version; 288fe0929e2Sjsing rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR); 289acef91a0Sjsing } 290acef91a0Sjsing 291c8e2fc2bSjsing void 292c8e2fc2bSjsing tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, 293c8e2fc2bSjsing uint16_t epoch) 294c8e2fc2bSjsing { 295c8e2fc2bSjsing rl->initial_epoch = epoch; 296c8e2fc2bSjsing } 297c8e2fc2bSjsing 298c8e2fc2bSjsing uint16_t 299*44aae0c1Sjsing tls12_record_layer_read_epoch(struct tls12_record_layer *rl) 300c8e2fc2bSjsing { 301*44aae0c1Sjsing return rl->read->epoch; 302c8e2fc2bSjsing } 303c8e2fc2bSjsing 3042f4e7cfaSjsing uint16_t 3052f4e7cfaSjsing tls12_record_layer_write_epoch(struct tls12_record_layer *rl) 306acef91a0Sjsing { 3072f4e7cfaSjsing return rl->write->epoch; 308acef91a0Sjsing } 309acef91a0Sjsing 310a802a16aSjsing int 311a802a16aSjsing tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) 312a802a16aSjsing { 313a802a16aSjsing if (rl->write->epoch == epoch) 314a802a16aSjsing return 1; 315a802a16aSjsing 316a802a16aSjsing if (rl->write_current->epoch == epoch) { 317a802a16aSjsing rl->write = rl->write_current; 318a802a16aSjsing return 1; 319a802a16aSjsing } 320a802a16aSjsing 321a802a16aSjsing if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) { 322a802a16aSjsing rl->write = rl->write_previous; 323a802a16aSjsing return 1; 324a802a16aSjsing } 325a802a16aSjsing 326a802a16aSjsing return 0; 327a802a16aSjsing } 328a802a16aSjsing 329a802a16aSjsing void 330a802a16aSjsing tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch) 331a802a16aSjsing { 332a802a16aSjsing if (rl->write_previous == NULL || rl->write_previous->epoch != epoch) 333a802a16aSjsing return; 334a802a16aSjsing 335a802a16aSjsing rl->write = rl->write_current; 336a802a16aSjsing 337a802a16aSjsing tls12_record_protection_free(rl->write_previous); 338a802a16aSjsing rl->write_previous = NULL; 339a802a16aSjsing } 340a802a16aSjsing 341acef91a0Sjsing void 342acef91a0Sjsing tls12_record_layer_clear_read_state(struct tls12_record_layer *rl) 343acef91a0Sjsing { 344f2284ad0Sjsing tls12_record_protection_clear(rl->read); 345c8e2fc2bSjsing rl->read->epoch = rl->initial_epoch; 346acef91a0Sjsing } 347acef91a0Sjsing 348acef91a0Sjsing void 349acef91a0Sjsing tls12_record_layer_clear_write_state(struct tls12_record_layer *rl) 350acef91a0Sjsing { 351f2284ad0Sjsing tls12_record_protection_clear(rl->write); 352c8e2fc2bSjsing rl->write->epoch = rl->initial_epoch; 353a802a16aSjsing 354a802a16aSjsing tls12_record_protection_free(rl->write_previous); 355a802a16aSjsing rl->write_previous = NULL; 356acef91a0Sjsing } 357acef91a0Sjsing 358acef91a0Sjsing void 3592935b8f4Sjsing tls12_record_layer_read_cipher_hash(struct tls12_record_layer *rl, 3602935b8f4Sjsing EVP_CIPHER_CTX **cipher, EVP_MD_CTX **hash) 3612935b8f4Sjsing { 3622935b8f4Sjsing *cipher = rl->read->cipher_ctx; 3632935b8f4Sjsing *hash = rl->read->hash_ctx; 3642935b8f4Sjsing } 3652935b8f4Sjsing 3662935b8f4Sjsing void 367f2284ad0Sjsing tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl) 368acef91a0Sjsing { 369f2284ad0Sjsing memcpy(rl->write->seq_num, rl->read->seq_num, 370f2284ad0Sjsing sizeof(rl->write->seq_num)); 371acef91a0Sjsing } 372acef91a0Sjsing 373e3ae3cd6Sjsing static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = { 374e3ae3cd6Sjsing 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 375e3ae3cd6Sjsing }; 376e3ae3cd6Sjsing 377e3ae3cd6Sjsing int 378e3ae3cd6Sjsing tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num) 379e3ae3cd6Sjsing { 380e3ae3cd6Sjsing CBS max_seq_num; 381e3ae3cd6Sjsing int i; 382e3ae3cd6Sjsing 383e3ae3cd6Sjsing /* 384e3ae3cd6Sjsing * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS 385e3ae3cd6Sjsing * sequence numbers must not wrap. Note that for DTLS the first two 386e3ae3cd6Sjsing * bytes are used as an "epoch" and not part of the sequence number. 387e3ae3cd6Sjsing */ 388e3ae3cd6Sjsing CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN); 389e3ae3cd6Sjsing if (rl->dtls) { 390e3ae3cd6Sjsing if (!CBS_skip(&max_seq_num, 2)) 391e3ae3cd6Sjsing return 0; 392e3ae3cd6Sjsing } 393e3ae3cd6Sjsing if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num, 394e3ae3cd6Sjsing CBS_len(&max_seq_num))) 395e3ae3cd6Sjsing return 0; 396e3ae3cd6Sjsing 397e3ae3cd6Sjsing for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 398e3ae3cd6Sjsing if (++seq_num[i] != 0) 399e3ae3cd6Sjsing break; 400e3ae3cd6Sjsing } 401e3ae3cd6Sjsing 402e3ae3cd6Sjsing return 1; 403e3ae3cd6Sjsing } 404e3ae3cd6Sjsing 4052935b8f4Sjsing static int 4062935b8f4Sjsing tls12_record_layer_set_mac_key(struct tls12_record_protection *rp, 40740038cb8Sjsing const uint8_t *mac_key, size_t mac_key_len) 40840038cb8Sjsing { 4092935b8f4Sjsing freezero(rp->mac_key, rp->mac_key_len); 4102935b8f4Sjsing rp->mac_key = NULL; 4112935b8f4Sjsing rp->mac_key_len = 0; 412b77c9477Sjsing 413b77c9477Sjsing if (mac_key == NULL || mac_key_len == 0) 414b77c9477Sjsing return 1; 415b77c9477Sjsing 4162935b8f4Sjsing if ((rp->mac_key = calloc(1, mac_key_len)) == NULL) 417b77c9477Sjsing return 0; 418b77c9477Sjsing 4192935b8f4Sjsing memcpy(rp->mac_key, mac_key, mac_key_len); 4202935b8f4Sjsing rp->mac_key_len = mac_key_len; 42140038cb8Sjsing 42240038cb8Sjsing return 1; 42340038cb8Sjsing } 42440038cb8Sjsing 425c37fa200Sjsing static int 426c37fa200Sjsing tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, 427d7351ddfSjsing struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 428d7351ddfSjsing CBS *iv) 429c37fa200Sjsing { 430747682f9Sjsing if (!tls12_record_protection_unused(rp)) 431747682f9Sjsing return 0; 432747682f9Sjsing 433c37fa200Sjsing if ((rp->aead_ctx = calloc(1, sizeof(*rp->aead_ctx))) == NULL) 434c37fa200Sjsing return 0; 435c37fa200Sjsing 436c37fa200Sjsing /* AES GCM cipher suites use variable nonce in record. */ 437c37fa200Sjsing if (rl->aead == EVP_aead_aes_128_gcm() || 438c37fa200Sjsing rl->aead == EVP_aead_aes_256_gcm()) 4397b133c71Sjsing rp->aead_variable_nonce_in_record = 1; 440c37fa200Sjsing 441c37fa200Sjsing /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */ 442c37fa200Sjsing if (rl->aead == EVP_aead_chacha20_poly1305()) 4437b133c71Sjsing rp->aead_xor_nonces = 1; 444c37fa200Sjsing 4457b133c71Sjsing if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len)) 446c37fa200Sjsing return 0; 447c37fa200Sjsing 448609ec8b1Sjsing rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead)); 449609ec8b1Sjsing if (rp->aead_nonce == NULL) 450609ec8b1Sjsing return 0; 451c37fa200Sjsing 452609ec8b1Sjsing rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); 453609ec8b1Sjsing rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead); 454609ec8b1Sjsing rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN; 4552261fe79Sjsing 4567b133c71Sjsing if (rp->aead_xor_nonces) { 457c37fa200Sjsing /* Fixed nonce length must match, variable must not exceed. */ 458609ec8b1Sjsing if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) 459c37fa200Sjsing return 0; 460609ec8b1Sjsing if (rp->aead_variable_nonce_len > rp->aead_nonce_len) 461c37fa200Sjsing return 0; 462c37fa200Sjsing } else { 463c37fa200Sjsing /* Concatenated nonce length must equal AEAD nonce length. */ 4647b133c71Sjsing if (rp->aead_fixed_nonce_len + 465609ec8b1Sjsing rp->aead_variable_nonce_len != rp->aead_nonce_len) 466c37fa200Sjsing return 0; 467c37fa200Sjsing } 468c37fa200Sjsing 4697b133c71Sjsing if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key), 470d7351ddfSjsing CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 471c37fa200Sjsing return 0; 472c37fa200Sjsing 473c37fa200Sjsing return 1; 474c37fa200Sjsing } 475c37fa200Sjsing 476c37fa200Sjsing static int 4772935b8f4Sjsing tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl, 478d7351ddfSjsing struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 479d7351ddfSjsing CBS *iv) 4802935b8f4Sjsing { 4812935b8f4Sjsing EVP_PKEY *mac_pkey = NULL; 4822935b8f4Sjsing int gost_param_nid; 4832935b8f4Sjsing int mac_type; 4842935b8f4Sjsing int ret = 0; 4852935b8f4Sjsing 486747682f9Sjsing if (!tls12_record_protection_unused(rp)) 487ffd1a0d4Sjsing goto err; 488747682f9Sjsing 4892935b8f4Sjsing mac_type = EVP_PKEY_HMAC; 4902935b8f4Sjsing rp->stream_mac = 0; 4912935b8f4Sjsing 492d7351ddfSjsing if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX) 493ffd1a0d4Sjsing goto err; 494d7351ddfSjsing if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv)) 495ffd1a0d4Sjsing goto err; 496d7351ddfSjsing if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key)) 497ffd1a0d4Sjsing goto err; 498ffd1a0d4Sjsing 4992935b8f4Sjsing /* Special handling for GOST... */ 5002935b8f4Sjsing if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { 501d7351ddfSjsing if (CBS_len(mac_key) != 32) 5022935b8f4Sjsing goto err; 5032935b8f4Sjsing mac_type = EVP_PKEY_GOSTIMIT; 5042935b8f4Sjsing rp->stream_mac = 1; 5052935b8f4Sjsing } else { 506d7351ddfSjsing if (CBS_len(mac_key) > INT_MAX) 507ffd1a0d4Sjsing goto err; 508d7351ddfSjsing if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key)) 5092935b8f4Sjsing goto err; 5102935b8f4Sjsing } 5112935b8f4Sjsing 5122935b8f4Sjsing if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) 5132935b8f4Sjsing goto err; 5142935b8f4Sjsing if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL) 5152935b8f4Sjsing goto err; 5162935b8f4Sjsing 517d7351ddfSjsing if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key), 518d7351ddfSjsing CBS_len(mac_key))) 5192935b8f4Sjsing goto err; 5202935b8f4Sjsing 521d7351ddfSjsing if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key), 522d7351ddfSjsing CBS_len(mac_key))) == NULL) 5232935b8f4Sjsing goto err; 5242935b8f4Sjsing 525d7351ddfSjsing if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key), 526d7351ddfSjsing CBS_data(iv), is_write)) 5272935b8f4Sjsing goto err; 5282935b8f4Sjsing 5292935b8f4Sjsing if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL, 5302935b8f4Sjsing mac_pkey) <= 0) 5312935b8f4Sjsing goto err; 5322935b8f4Sjsing 5332935b8f4Sjsing /* More special handling for GOST... */ 5342935b8f4Sjsing if (EVP_CIPHER_type(rl->cipher) == NID_gost89_cnt) { 5352935b8f4Sjsing gost_param_nid = NID_id_tc26_gost_28147_param_Z; 5362935b8f4Sjsing if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94) 5372935b8f4Sjsing gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet; 5382935b8f4Sjsing 5392935b8f4Sjsing if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX, 5402935b8f4Sjsing gost_param_nid, 0) <= 0) 5412935b8f4Sjsing goto err; 5422935b8f4Sjsing 5432935b8f4Sjsing if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { 5442935b8f4Sjsing if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX, 5452935b8f4Sjsing gost_param_nid, 0) <= 0) 5462935b8f4Sjsing goto err; 5472935b8f4Sjsing } 5482935b8f4Sjsing } 5492935b8f4Sjsing 5502935b8f4Sjsing ret = 1; 5512935b8f4Sjsing 5522935b8f4Sjsing err: 5532935b8f4Sjsing EVP_PKEY_free(mac_pkey); 5542935b8f4Sjsing 5552935b8f4Sjsing return ret; 5562935b8f4Sjsing } 5572935b8f4Sjsing 5582935b8f4Sjsing static int 559c37fa200Sjsing tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl, 560d7351ddfSjsing struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 561d7351ddfSjsing CBS *iv) 562c37fa200Sjsing { 5632935b8f4Sjsing if (rl->aead != NULL) 564c37fa200Sjsing return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key, 565d7351ddfSjsing key, iv); 5662935b8f4Sjsing 5672935b8f4Sjsing return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key, 568d7351ddfSjsing key, iv); 569c37fa200Sjsing } 570c37fa200Sjsing 571a802a16aSjsing int 572a802a16aSjsing tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, 573d7351ddfSjsing CBS *mac_key, CBS *key, CBS *iv) 574a802a16aSjsing { 575a802a16aSjsing struct tls12_record_protection *read_new = NULL; 576a802a16aSjsing int ret = 0; 577a802a16aSjsing 578a802a16aSjsing if ((read_new = tls12_record_protection_new()) == NULL) 579a802a16aSjsing goto err; 580a802a16aSjsing 581f2284ad0Sjsing /* Read sequence number gets reset to zero. */ 582f2284ad0Sjsing 583*44aae0c1Sjsing /* DTLS epoch is incremented and is permitted to wrap. */ 584*44aae0c1Sjsing if (rl->dtls) 585*44aae0c1Sjsing read_new->epoch = rl->read_current->epoch + 1; 586*44aae0c1Sjsing 587c37fa200Sjsing if (!tls12_record_layer_change_cipher_state(rl, read_new, 0, 588d7351ddfSjsing mac_key, key, iv)) 589c37fa200Sjsing goto err; 590a802a16aSjsing 591a802a16aSjsing tls12_record_protection_free(rl->read_current); 592a802a16aSjsing rl->read = rl->read_current = read_new; 593a802a16aSjsing read_new = NULL; 594a802a16aSjsing 595a802a16aSjsing ret = 1; 596a802a16aSjsing 597a802a16aSjsing err: 598a802a16aSjsing tls12_record_protection_free(read_new); 599a802a16aSjsing 600a802a16aSjsing return ret; 601a802a16aSjsing } 602a802a16aSjsing 603a802a16aSjsing int 604a802a16aSjsing tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, 605d7351ddfSjsing CBS *mac_key, CBS *key, CBS *iv) 606a802a16aSjsing { 607a802a16aSjsing struct tls12_record_protection *write_new; 608a802a16aSjsing int ret = 0; 609a802a16aSjsing 610a802a16aSjsing if ((write_new = tls12_record_protection_new()) == NULL) 611a802a16aSjsing goto err; 612a802a16aSjsing 613f2284ad0Sjsing /* Write sequence number gets reset to zero. */ 614f2284ad0Sjsing 6152f4e7cfaSjsing /* DTLS epoch is incremented and is permitted to wrap. */ 6162f4e7cfaSjsing if (rl->dtls) 6172f4e7cfaSjsing write_new->epoch = rl->write_current->epoch + 1; 6182f4e7cfaSjsing 619c37fa200Sjsing if (!tls12_record_layer_change_cipher_state(rl, write_new, 1, 620d7351ddfSjsing mac_key, key, iv)) 621c37fa200Sjsing goto err; 622a802a16aSjsing 623a802a16aSjsing if (rl->dtls) { 624a802a16aSjsing tls12_record_protection_free(rl->write_previous); 625a802a16aSjsing rl->write_previous = rl->write_current; 626a802a16aSjsing rl->write_current = NULL; 627a802a16aSjsing } 628a802a16aSjsing tls12_record_protection_free(rl->write_current); 629a802a16aSjsing rl->write = rl->write_current = write_new; 630a802a16aSjsing write_new = NULL; 631a802a16aSjsing 632a802a16aSjsing ret = 1; 633a802a16aSjsing 634a802a16aSjsing err: 635a802a16aSjsing tls12_record_protection_free(write_new); 636a802a16aSjsing 637a802a16aSjsing return ret; 638a802a16aSjsing } 639f2284ad0Sjsing 640acef91a0Sjsing static int 641acef91a0Sjsing tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, 642acef91a0Sjsing uint16_t epoch, uint8_t *seq_num, size_t seq_num_len) 643acef91a0Sjsing { 644acef91a0Sjsing CBS seq; 645acef91a0Sjsing 646acef91a0Sjsing CBS_init(&seq, seq_num, seq_num_len); 647acef91a0Sjsing 648acef91a0Sjsing if (rl->dtls) { 649acef91a0Sjsing if (!CBB_add_u16(cbb, epoch)) 650acef91a0Sjsing return 0; 651acef91a0Sjsing if (!CBS_skip(&seq, 2)) 652acef91a0Sjsing return 0; 653acef91a0Sjsing } 654acef91a0Sjsing 655acef91a0Sjsing return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq)); 656acef91a0Sjsing } 657acef91a0Sjsing 658acef91a0Sjsing static int 659acef91a0Sjsing tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, 660108b1a0fSjsing uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out, 661108b1a0fSjsing size_t *out_len) 662acef91a0Sjsing { 663acef91a0Sjsing CBB cbb; 664acef91a0Sjsing 665acef91a0Sjsing *out = NULL; 666acef91a0Sjsing *out_len = 0; 667acef91a0Sjsing 668acef91a0Sjsing /* Build the pseudo-header used for MAC/AEAD. */ 669acef91a0Sjsing if (!CBB_init(&cbb, 13)) 670acef91a0Sjsing goto err; 671acef91a0Sjsing 672108b1a0fSjsing if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num))) 673acef91a0Sjsing goto err; 674acef91a0Sjsing if (!CBB_add_u8(&cbb, content_type)) 675acef91a0Sjsing goto err; 676acef91a0Sjsing if (!CBB_add_u16(&cbb, rl->version)) 677acef91a0Sjsing goto err; 678acef91a0Sjsing if (!CBB_add_u16(&cbb, record_len)) 679acef91a0Sjsing goto err; 680acef91a0Sjsing 681acef91a0Sjsing if (!CBB_finish(&cbb, out, out_len)) 682acef91a0Sjsing goto err; 683acef91a0Sjsing 684acef91a0Sjsing return 1; 685acef91a0Sjsing 686acef91a0Sjsing err: 687acef91a0Sjsing CBB_cleanup(&cbb); 688acef91a0Sjsing 689acef91a0Sjsing return 0; 690acef91a0Sjsing } 691acef91a0Sjsing 692acef91a0Sjsing static int 69389dfa477Sjsing tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, 694108b1a0fSjsing EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type, 695108b1a0fSjsing const uint8_t *content, size_t content_len, size_t *out_len) 696acef91a0Sjsing { 697acef91a0Sjsing EVP_MD_CTX *mac_ctx = NULL; 698acef91a0Sjsing uint8_t *header = NULL; 69940038cb8Sjsing size_t header_len = 0; 700acef91a0Sjsing size_t mac_len; 701acef91a0Sjsing uint8_t *mac; 702acef91a0Sjsing int ret = 0; 703acef91a0Sjsing 704acef91a0Sjsing if ((mac_ctx = EVP_MD_CTX_new()) == NULL) 705acef91a0Sjsing goto err; 70689dfa477Sjsing if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx)) 707acef91a0Sjsing goto err; 708acef91a0Sjsing 709acef91a0Sjsing if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 710108b1a0fSjsing seq_num, &header, &header_len)) 711acef91a0Sjsing goto err; 712acef91a0Sjsing 713acef91a0Sjsing if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0) 714acef91a0Sjsing goto err; 715acef91a0Sjsing if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0) 716acef91a0Sjsing goto err; 717acef91a0Sjsing if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0) 718acef91a0Sjsing goto err; 719acef91a0Sjsing if (!CBB_add_space(cbb, &mac, mac_len)) 720acef91a0Sjsing goto err; 721acef91a0Sjsing if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0) 722acef91a0Sjsing goto err; 72340038cb8Sjsing if (mac_len == 0) 72440038cb8Sjsing goto err; 725acef91a0Sjsing 72689dfa477Sjsing if (stream_mac) { 72789dfa477Sjsing if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx)) 728acef91a0Sjsing goto err; 729acef91a0Sjsing } 730acef91a0Sjsing 731acef91a0Sjsing *out_len = mac_len; 732acef91a0Sjsing ret = 1; 733acef91a0Sjsing 734acef91a0Sjsing err: 735acef91a0Sjsing EVP_MD_CTX_free(mac_ctx); 73640038cb8Sjsing freezero(header, header_len); 737acef91a0Sjsing 738acef91a0Sjsing return ret; 739acef91a0Sjsing } 740acef91a0Sjsing 741acef91a0Sjsing static int 74240038cb8Sjsing tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, 743108b1a0fSjsing uint8_t content_type, CBS *seq_num, const uint8_t *content, 744108b1a0fSjsing size_t content_len, size_t mac_len, size_t padding_len) 74540038cb8Sjsing { 74640038cb8Sjsing uint8_t *header = NULL; 74740038cb8Sjsing size_t header_len = 0; 74840038cb8Sjsing uint8_t *mac = NULL; 74940038cb8Sjsing size_t out_mac_len = 0; 75040038cb8Sjsing int ret = 0; 75140038cb8Sjsing 75240038cb8Sjsing /* 75340038cb8Sjsing * Must be constant time to avoid leaking details about CBC padding. 75440038cb8Sjsing */ 75540038cb8Sjsing 756a13669d2Sjsing if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx)) 75740038cb8Sjsing goto err; 75840038cb8Sjsing 75940038cb8Sjsing if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 760108b1a0fSjsing seq_num, &header, &header_len)) 76140038cb8Sjsing goto err; 76240038cb8Sjsing 76340038cb8Sjsing if (!CBB_add_space(cbb, &mac, mac_len)) 76440038cb8Sjsing goto err; 765a13669d2Sjsing if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header, 76640038cb8Sjsing content, content_len + mac_len, content_len + mac_len + padding_len, 767a13669d2Sjsing rl->read->mac_key, rl->read->mac_key_len)) 76840038cb8Sjsing goto err; 76940038cb8Sjsing if (mac_len != out_mac_len) 77040038cb8Sjsing goto err; 77140038cb8Sjsing 77240038cb8Sjsing ret = 1; 77340038cb8Sjsing 77440038cb8Sjsing err: 77540038cb8Sjsing freezero(header, header_len); 77640038cb8Sjsing 77740038cb8Sjsing return ret; 77840038cb8Sjsing } 77940038cb8Sjsing 78040038cb8Sjsing static int 78140038cb8Sjsing tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb, 782108b1a0fSjsing uint8_t content_type, CBS *seq_num, const uint8_t *content, 783108b1a0fSjsing size_t content_len) 78440038cb8Sjsing { 785a13669d2Sjsing EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 78640038cb8Sjsing size_t out_len; 78740038cb8Sjsing 78840038cb8Sjsing if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) 78940038cb8Sjsing return 0; 79040038cb8Sjsing 791a13669d2Sjsing return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx, 792108b1a0fSjsing rl->read->stream_mac, seq_num, content_type, content, content_len, 793108b1a0fSjsing &out_len); 79440038cb8Sjsing } 79540038cb8Sjsing 79640038cb8Sjsing static int 79789dfa477Sjsing tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, 798108b1a0fSjsing uint8_t content_type, CBS *seq_num, const uint8_t *content, 799108b1a0fSjsing size_t content_len, size_t *out_len) 80089dfa477Sjsing { 801a13669d2Sjsing return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx, 802108b1a0fSjsing rl->write->stream_mac, seq_num, content_type, content, content_len, 803108b1a0fSjsing out_len); 80489dfa477Sjsing } 80589dfa477Sjsing 80689dfa477Sjsing static int 807acef91a0Sjsing tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, 808609ec8b1Sjsing struct tls12_record_protection *rp, CBS *seq_num) 809acef91a0Sjsing { 810acef91a0Sjsing CBB cbb; 811acef91a0Sjsing 81260ac916aSjsing if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 813acef91a0Sjsing return 0; 814acef91a0Sjsing 815acef91a0Sjsing /* Fixed nonce and variable nonce (sequence number) are concatenated. */ 816609ec8b1Sjsing if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) 817acef91a0Sjsing goto err; 8187b133c71Sjsing if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce, 8197b133c71Sjsing rp->aead_fixed_nonce_len)) 820acef91a0Sjsing goto err; 82160ac916aSjsing if (!CBB_add_bytes(&cbb, CBS_data(seq_num), 82260ac916aSjsing rp->aead_variable_nonce_len)) 823acef91a0Sjsing goto err; 824609ec8b1Sjsing if (!CBB_finish(&cbb, NULL, NULL)) 825acef91a0Sjsing goto err; 826acef91a0Sjsing 827acef91a0Sjsing return 1; 828acef91a0Sjsing 829acef91a0Sjsing err: 830acef91a0Sjsing CBB_cleanup(&cbb); 831acef91a0Sjsing 832acef91a0Sjsing return 0; 833acef91a0Sjsing } 834acef91a0Sjsing 835acef91a0Sjsing static int 836acef91a0Sjsing tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, 837609ec8b1Sjsing struct tls12_record_protection *rp, CBS *seq_num) 838acef91a0Sjsing { 839acef91a0Sjsing uint8_t *pad; 840acef91a0Sjsing CBB cbb; 841acef91a0Sjsing int i; 842acef91a0Sjsing 84360ac916aSjsing if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 844acef91a0Sjsing return 0; 8457b133c71Sjsing if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len) 846acef91a0Sjsing return 0; 847609ec8b1Sjsing if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) 848609ec8b1Sjsing return 0; 849acef91a0Sjsing 850acef91a0Sjsing /* 851acef91a0Sjsing * Variable nonce (sequence number) is right padded, before the fixed 852acef91a0Sjsing * nonce is XOR'd in. 853acef91a0Sjsing */ 854609ec8b1Sjsing if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) 855acef91a0Sjsing goto err; 856acef91a0Sjsing if (!CBB_add_space(&cbb, &pad, 8577b133c71Sjsing rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len)) 858acef91a0Sjsing goto err; 85960ac916aSjsing if (!CBB_add_bytes(&cbb, CBS_data(seq_num), 86060ac916aSjsing rp->aead_variable_nonce_len)) 861acef91a0Sjsing goto err; 862609ec8b1Sjsing if (!CBB_finish(&cbb, NULL, NULL)) 863acef91a0Sjsing goto err; 864acef91a0Sjsing 8657b133c71Sjsing for (i = 0; i < rp->aead_fixed_nonce_len; i++) 866609ec8b1Sjsing rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i]; 867acef91a0Sjsing 868acef91a0Sjsing return 1; 869acef91a0Sjsing 870acef91a0Sjsing err: 871acef91a0Sjsing CBB_cleanup(&cbb); 872acef91a0Sjsing 873acef91a0Sjsing return 0; 874acef91a0Sjsing } 875acef91a0Sjsing 876acef91a0Sjsing static int 87740038cb8Sjsing tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, 87840038cb8Sjsing uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len) 87940038cb8Sjsing { 88023d98bd4Sjsing if (tls12_record_protection_engaged(rl->read)) 88140038cb8Sjsing return 0; 88240038cb8Sjsing 88340038cb8Sjsing /* XXX - decrypt/process in place for now. */ 88440038cb8Sjsing *out = (uint8_t *)CBS_data(fragment); 88540038cb8Sjsing *out_len = CBS_len(fragment); 88640038cb8Sjsing 88740038cb8Sjsing return 1; 88840038cb8Sjsing } 88940038cb8Sjsing 89040038cb8Sjsing static int 89140038cb8Sjsing tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, 892108b1a0fSjsing uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, 893108b1a0fSjsing size_t *out_len) 89440038cb8Sjsing { 8957b133c71Sjsing struct tls12_record_protection *rp = rl->read; 896609ec8b1Sjsing uint8_t *header = NULL; 897609ec8b1Sjsing size_t header_len = 0; 89840038cb8Sjsing uint8_t *plain; 89940038cb8Sjsing size_t plain_len; 90040038cb8Sjsing CBS var_nonce; 90140038cb8Sjsing int ret = 0; 90240038cb8Sjsing 9037b133c71Sjsing if (rp->aead_xor_nonces) { 904609ec8b1Sjsing if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) 90540038cb8Sjsing goto err; 9067b133c71Sjsing } else if (rp->aead_variable_nonce_in_record) { 90740038cb8Sjsing if (!CBS_get_bytes(fragment, &var_nonce, 9087b133c71Sjsing rp->aead_variable_nonce_len)) 90940038cb8Sjsing goto err; 910609ec8b1Sjsing if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce)) 91140038cb8Sjsing goto err; 91240038cb8Sjsing } else { 913609ec8b1Sjsing if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) 91440038cb8Sjsing goto err; 91540038cb8Sjsing } 91640038cb8Sjsing 91740038cb8Sjsing /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 9187b133c71Sjsing if (CBS_len(fragment) < rp->aead_tag_len) { 91940038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 92040038cb8Sjsing goto err; 92140038cb8Sjsing } 92240038cb8Sjsing if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 92340038cb8Sjsing rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 92440038cb8Sjsing goto err; 92540038cb8Sjsing } 92640038cb8Sjsing 92740038cb8Sjsing /* XXX - decrypt/process in place for now. */ 92840038cb8Sjsing plain = (uint8_t *)CBS_data(fragment); 9297b133c71Sjsing plain_len = CBS_len(fragment) - rp->aead_tag_len; 93040038cb8Sjsing 93140038cb8Sjsing if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, 932108b1a0fSjsing seq_num, &header, &header_len)) 93340038cb8Sjsing goto err; 93440038cb8Sjsing 9357b133c71Sjsing if (!EVP_AEAD_CTX_open(rp->aead_ctx, plain, out_len, plain_len, 936609ec8b1Sjsing rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment), 937609ec8b1Sjsing CBS_len(fragment), header, header_len)) { 93840038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 93940038cb8Sjsing goto err; 94040038cb8Sjsing } 94140038cb8Sjsing 94240038cb8Sjsing if (*out_len > SSL3_RT_MAX_PLAIN_LENGTH) { 94340038cb8Sjsing rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 94440038cb8Sjsing goto err; 94540038cb8Sjsing } 94640038cb8Sjsing 94740038cb8Sjsing if (*out_len != plain_len) 94840038cb8Sjsing goto err; 94940038cb8Sjsing 95040038cb8Sjsing *out = plain; 95140038cb8Sjsing 95240038cb8Sjsing ret = 1; 95340038cb8Sjsing 95440038cb8Sjsing err: 95540038cb8Sjsing freezero(header, header_len); 95640038cb8Sjsing 95740038cb8Sjsing return ret; 95840038cb8Sjsing } 95940038cb8Sjsing 96040038cb8Sjsing static int 96140038cb8Sjsing tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, 962108b1a0fSjsing uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, 963108b1a0fSjsing size_t *out_len) 96440038cb8Sjsing { 965a13669d2Sjsing EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 96640038cb8Sjsing SSL3_RECORD_INTERNAL rrec; 9671c1840fbSjsing size_t block_size, eiv_len; 96840038cb8Sjsing uint8_t *mac = NULL; 9691c1840fbSjsing size_t mac_len = 0; 97040038cb8Sjsing uint8_t *out_mac = NULL; 97140038cb8Sjsing size_t out_mac_len = 0; 97240038cb8Sjsing uint8_t *plain; 97340038cb8Sjsing size_t plain_len; 97440038cb8Sjsing size_t min_len; 97540038cb8Sjsing CBB cbb_mac; 97640038cb8Sjsing int ret = 0; 97740038cb8Sjsing 97840038cb8Sjsing memset(&cbb_mac, 0, sizeof(cbb_mac)); 97927e46ee6Stb memset(&rrec, 0, sizeof(rrec)); 98040038cb8Sjsing 9811c1840fbSjsing if (!tls12_record_protection_block_size(rl->read, &block_size)) 98240038cb8Sjsing goto err; 98340038cb8Sjsing 98440038cb8Sjsing /* Determine explicit IV length. */ 98540038cb8Sjsing eiv_len = 0; 9861c1840fbSjsing if (rl->version != TLS1_VERSION) { 9871c1840fbSjsing if (!tls12_record_protection_eiv_len(rl->read, &eiv_len)) 98840038cb8Sjsing goto err; 9891c1840fbSjsing } 99040038cb8Sjsing 99140038cb8Sjsing mac_len = 0; 992a13669d2Sjsing if (rl->read->hash_ctx != NULL) { 9931c1840fbSjsing if (!tls12_record_protection_mac_len(rl->read, &mac_len)) 99440038cb8Sjsing goto err; 99540038cb8Sjsing } 99640038cb8Sjsing 99740038cb8Sjsing /* CBC has at least one padding byte. */ 99840038cb8Sjsing min_len = eiv_len + mac_len; 99940038cb8Sjsing if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) 100040038cb8Sjsing min_len += 1; 100140038cb8Sjsing 100240038cb8Sjsing if (CBS_len(fragment) < min_len) { 100340038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 100440038cb8Sjsing goto err; 100540038cb8Sjsing } 100640038cb8Sjsing if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 100740038cb8Sjsing rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 100840038cb8Sjsing goto err; 100940038cb8Sjsing } 101040038cb8Sjsing if (CBS_len(fragment) % block_size != 0) { 101140038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 101240038cb8Sjsing goto err; 101340038cb8Sjsing } 101440038cb8Sjsing 101540038cb8Sjsing /* XXX - decrypt/process in place for now. */ 101640038cb8Sjsing plain = (uint8_t *)CBS_data(fragment); 101740038cb8Sjsing plain_len = CBS_len(fragment); 101840038cb8Sjsing 101940038cb8Sjsing if (!EVP_Cipher(enc, plain, CBS_data(fragment), plain_len)) 102040038cb8Sjsing goto err; 102140038cb8Sjsing 102240038cb8Sjsing rrec.data = plain; 102340038cb8Sjsing rrec.input = plain; 102440038cb8Sjsing rrec.length = plain_len; 102540038cb8Sjsing 102640038cb8Sjsing /* 102740038cb8Sjsing * We now have to remove padding, extract MAC, calculate MAC 102840038cb8Sjsing * and compare MAC in constant time. 102940038cb8Sjsing */ 103040038cb8Sjsing if (block_size > 1) 103140038cb8Sjsing ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len); 103240038cb8Sjsing 103340038cb8Sjsing if ((mac = calloc(1, mac_len)) == NULL) 103440038cb8Sjsing goto err; 103540038cb8Sjsing 103640038cb8Sjsing if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE)) 103740038cb8Sjsing goto err; 103840038cb8Sjsing if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) { 103940038cb8Sjsing ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length + 104040038cb8Sjsing rrec.padding_length); 104140038cb8Sjsing rrec.length -= mac_len; 104240038cb8Sjsing if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type, 1043108b1a0fSjsing seq_num, rrec.input, rrec.length, mac_len, 1044108b1a0fSjsing rrec.padding_length)) 104540038cb8Sjsing goto err; 104640038cb8Sjsing } else { 104740038cb8Sjsing rrec.length -= mac_len; 104840038cb8Sjsing memcpy(mac, rrec.data + rrec.length, mac_len); 104940038cb8Sjsing if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type, 1050108b1a0fSjsing seq_num, rrec.input, rrec.length)) 105140038cb8Sjsing goto err; 105240038cb8Sjsing } 105340038cb8Sjsing if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len)) 105440038cb8Sjsing goto err; 105540038cb8Sjsing if (mac_len != out_mac_len) 105640038cb8Sjsing goto err; 105740038cb8Sjsing 105840038cb8Sjsing if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) { 105940038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 106040038cb8Sjsing goto err; 106140038cb8Sjsing } 106240038cb8Sjsing 106340038cb8Sjsing if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) { 106440038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 106540038cb8Sjsing goto err; 106640038cb8Sjsing } 106740038cb8Sjsing if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) { 106840038cb8Sjsing rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 106940038cb8Sjsing goto err; 107040038cb8Sjsing } 107140038cb8Sjsing 107240038cb8Sjsing *out = rrec.data; 107340038cb8Sjsing *out_len = rrec.length; 107440038cb8Sjsing 107540038cb8Sjsing ret = 1; 107640038cb8Sjsing 107740038cb8Sjsing err: 107840038cb8Sjsing CBB_cleanup(&cbb_mac); 107940038cb8Sjsing freezero(mac, mac_len); 108040038cb8Sjsing freezero(out_mac, out_mac_len); 108140038cb8Sjsing 108240038cb8Sjsing return ret; 108340038cb8Sjsing } 108440038cb8Sjsing 108540038cb8Sjsing int 108640038cb8Sjsing tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, 108740038cb8Sjsing size_t buf_len, uint8_t **out, size_t *out_len) 108840038cb8Sjsing { 1089108b1a0fSjsing CBS cbs, fragment, seq_num; 1090108b1a0fSjsing uint16_t version; 109140038cb8Sjsing uint8_t content_type; 109240038cb8Sjsing 109340038cb8Sjsing CBS_init(&cbs, buf, buf_len); 1094f2284ad0Sjsing CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num)); 109540038cb8Sjsing 109640038cb8Sjsing if (!CBS_get_u8(&cbs, &content_type)) 109740038cb8Sjsing return 0; 109840038cb8Sjsing if (!CBS_get_u16(&cbs, &version)) 109940038cb8Sjsing return 0; 110040038cb8Sjsing if (rl->dtls) { 1101108b1a0fSjsing /* 1102108b1a0fSjsing * The DTLS sequence number is split into a 16 bit epoch and 1103108b1a0fSjsing * 48 bit sequence number, however for the purposes of record 1104108b1a0fSjsing * processing it is treated the same as a TLS 64 bit sequence 1105108b1a0fSjsing * number. DTLS also uses explicit read sequence numbers, which 1106108b1a0fSjsing * we need to extract from the DTLS record header. 1107108b1a0fSjsing */ 1108108b1a0fSjsing if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE)) 110940038cb8Sjsing return 0; 1110f2284ad0Sjsing if (!CBS_write_bytes(&seq_num, rl->read->seq_num, 1111f2284ad0Sjsing sizeof(rl->read->seq_num), NULL)) 1112f2284ad0Sjsing return 0; 111340038cb8Sjsing } 111440038cb8Sjsing if (!CBS_get_u16_length_prefixed(&cbs, &fragment)) 111540038cb8Sjsing return 0; 111640038cb8Sjsing 1117a13669d2Sjsing if (rl->read->aead_ctx != NULL) { 111840038cb8Sjsing if (!tls12_record_layer_open_record_protected_aead(rl, 1119108b1a0fSjsing content_type, &seq_num, &fragment, out, out_len)) 112040038cb8Sjsing return 0; 1121a13669d2Sjsing } else if (rl->read->cipher_ctx != NULL) { 112240038cb8Sjsing if (!tls12_record_layer_open_record_protected_cipher(rl, 1123108b1a0fSjsing content_type, &seq_num, &fragment, out, out_len)) 112440038cb8Sjsing return 0; 112540038cb8Sjsing } else { 112640038cb8Sjsing if (!tls12_record_layer_open_record_plaintext(rl, 112740038cb8Sjsing content_type, &fragment, out, out_len)) 112840038cb8Sjsing return 0; 112940038cb8Sjsing } 113040038cb8Sjsing 1131e3ae3cd6Sjsing if (!rl->dtls) { 1132e3ae3cd6Sjsing if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num)) 1133e3ae3cd6Sjsing return 0; 1134e3ae3cd6Sjsing } 113540038cb8Sjsing 113640038cb8Sjsing return 1; 113740038cb8Sjsing } 113840038cb8Sjsing 113940038cb8Sjsing static int 1140de70c6e8Sjsing tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, 1141de70c6e8Sjsing uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) 1142de70c6e8Sjsing { 114323d98bd4Sjsing if (tls12_record_protection_engaged(rl->write)) 1144de70c6e8Sjsing return 0; 1145de70c6e8Sjsing 1146de70c6e8Sjsing return CBB_add_bytes(out, content, content_len); 1147de70c6e8Sjsing } 1148de70c6e8Sjsing 1149de70c6e8Sjsing static int 1150acef91a0Sjsing tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, 1151108b1a0fSjsing uint8_t content_type, CBS *seq_num, const uint8_t *content, 1152108b1a0fSjsing size_t content_len, CBB *out) 1153acef91a0Sjsing { 11547b133c71Sjsing struct tls12_record_protection *rp = rl->write; 1155609ec8b1Sjsing uint8_t *header = NULL; 1156609ec8b1Sjsing size_t header_len = 0; 1157acef91a0Sjsing size_t enc_record_len, out_len; 1158acef91a0Sjsing uint8_t *enc_data; 1159acef91a0Sjsing int ret = 0; 1160acef91a0Sjsing 11617b133c71Sjsing if (rp->aead_xor_nonces) { 1162609ec8b1Sjsing if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) 1163acef91a0Sjsing goto err; 1164acef91a0Sjsing } else { 1165609ec8b1Sjsing if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) 1166acef91a0Sjsing goto err; 1167acef91a0Sjsing } 1168acef91a0Sjsing 11697b133c71Sjsing if (rp->aead_variable_nonce_in_record) { 117060ac916aSjsing if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 117160ac916aSjsing goto err; 1172108b1a0fSjsing if (!CBB_add_bytes(out, CBS_data(seq_num), 11737b133c71Sjsing rp->aead_variable_nonce_len)) 1174acef91a0Sjsing goto err; 1175acef91a0Sjsing } 1176acef91a0Sjsing 1177acef91a0Sjsing if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 1178108b1a0fSjsing seq_num, &header, &header_len)) 1179acef91a0Sjsing goto err; 1180acef91a0Sjsing 1181acef91a0Sjsing /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 11827b133c71Sjsing enc_record_len = content_len + rp->aead_tag_len; 1183acef91a0Sjsing if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) 1184acef91a0Sjsing goto err; 1185acef91a0Sjsing if (!CBB_add_space(out, &enc_data, enc_record_len)) 1186acef91a0Sjsing goto err; 1187acef91a0Sjsing 11887b133c71Sjsing if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len, 1189609ec8b1Sjsing rp->aead_nonce, rp->aead_nonce_len, content, content_len, header, 1190609ec8b1Sjsing header_len)) 1191acef91a0Sjsing goto err; 1192acef91a0Sjsing 1193acef91a0Sjsing if (out_len != enc_record_len) 1194acef91a0Sjsing goto err; 1195acef91a0Sjsing 1196acef91a0Sjsing ret = 1; 1197acef91a0Sjsing 1198acef91a0Sjsing err: 1199acef91a0Sjsing freezero(header, header_len); 1200acef91a0Sjsing 1201acef91a0Sjsing return ret; 1202acef91a0Sjsing } 1203acef91a0Sjsing 1204acef91a0Sjsing static int 1205acef91a0Sjsing tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, 1206108b1a0fSjsing uint8_t content_type, CBS *seq_num, const uint8_t *content, 1207108b1a0fSjsing size_t content_len, CBB *out) 1208acef91a0Sjsing { 1209a13669d2Sjsing EVP_CIPHER_CTX *enc = rl->write->cipher_ctx; 12101c1840fbSjsing size_t block_size, eiv_len, mac_len, pad_len; 1211acef91a0Sjsing uint8_t *enc_data, *eiv, *pad, pad_val; 1212acef91a0Sjsing uint8_t *plain = NULL; 1213acef91a0Sjsing size_t plain_len = 0; 1214acef91a0Sjsing int ret = 0; 1215acef91a0Sjsing CBB cbb; 1216acef91a0Sjsing 1217acef91a0Sjsing if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH)) 1218acef91a0Sjsing goto err; 1219acef91a0Sjsing 1220acef91a0Sjsing /* Add explicit IV if necessary. */ 1221acef91a0Sjsing eiv_len = 0; 12221c1840fbSjsing if (rl->version != TLS1_VERSION) { 12231c1840fbSjsing if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) 1224acef91a0Sjsing goto err; 12251c1840fbSjsing } 1226acef91a0Sjsing if (eiv_len > 0) { 1227acef91a0Sjsing if (!CBB_add_space(&cbb, &eiv, eiv_len)) 1228acef91a0Sjsing goto err; 1229acef91a0Sjsing arc4random_buf(eiv, eiv_len); 1230acef91a0Sjsing } 1231acef91a0Sjsing 1232acef91a0Sjsing if (!CBB_add_bytes(&cbb, content, content_len)) 1233acef91a0Sjsing goto err; 1234acef91a0Sjsing 1235acef91a0Sjsing mac_len = 0; 1236a13669d2Sjsing if (rl->write->hash_ctx != NULL) { 1237acef91a0Sjsing if (!tls12_record_layer_write_mac(rl, &cbb, content_type, 1238108b1a0fSjsing seq_num, content, content_len, &mac_len)) 1239acef91a0Sjsing goto err; 1240acef91a0Sjsing } 1241acef91a0Sjsing 1242679f355aStb plain_len = eiv_len + content_len + mac_len; 1243acef91a0Sjsing 1244acef91a0Sjsing /* Add padding to block size, if necessary. */ 12451c1840fbSjsing if (!tls12_record_protection_block_size(rl->write, &block_size)) 124611d1e10cSjsing goto err; 1247acef91a0Sjsing if (block_size > 1) { 1248acef91a0Sjsing pad_len = block_size - (plain_len % block_size); 1249acef91a0Sjsing pad_val = pad_len - 1; 1250acef91a0Sjsing 1251acef91a0Sjsing if (pad_len > 255) 1252acef91a0Sjsing goto err; 1253acef91a0Sjsing if (!CBB_add_space(&cbb, &pad, pad_len)) 1254acef91a0Sjsing goto err; 1255acef91a0Sjsing memset(pad, pad_val, pad_len); 1256acef91a0Sjsing } 1257acef91a0Sjsing 1258acef91a0Sjsing if (!CBB_finish(&cbb, &plain, &plain_len)) 1259acef91a0Sjsing goto err; 1260acef91a0Sjsing 1261acef91a0Sjsing if (plain_len % block_size != 0) 1262acef91a0Sjsing goto err; 1263acef91a0Sjsing if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) 1264acef91a0Sjsing goto err; 1265acef91a0Sjsing 1266acef91a0Sjsing if (!CBB_add_space(out, &enc_data, plain_len)) 1267acef91a0Sjsing goto err; 1268acef91a0Sjsing if (!EVP_Cipher(enc, enc_data, plain, plain_len)) 1269acef91a0Sjsing goto err; 1270acef91a0Sjsing 1271acef91a0Sjsing ret = 1; 1272acef91a0Sjsing 1273acef91a0Sjsing err: 1274acef91a0Sjsing CBB_cleanup(&cbb); 1275acef91a0Sjsing freezero(plain, plain_len); 1276acef91a0Sjsing 1277acef91a0Sjsing return ret; 1278acef91a0Sjsing } 1279acef91a0Sjsing 1280acef91a0Sjsing int 1281acef91a0Sjsing tls12_record_layer_seal_record(struct tls12_record_layer *rl, 1282acef91a0Sjsing uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb) 1283acef91a0Sjsing { 1284108b1a0fSjsing uint8_t *seq_num_data = NULL; 1285108b1a0fSjsing size_t seq_num_len = 0; 1286108b1a0fSjsing CBB fragment, seq_num_cbb; 1287108b1a0fSjsing CBS seq_num; 1288108b1a0fSjsing int ret = 0; 1289108b1a0fSjsing 1290108b1a0fSjsing /* 1291108b1a0fSjsing * Construct the effective sequence number - this is used in both 1292108b1a0fSjsing * the DTLS header and for MAC calculations. 1293108b1a0fSjsing */ 1294108b1a0fSjsing if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE)) 1295108b1a0fSjsing goto err; 1296108b1a0fSjsing if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch, 1297f2284ad0Sjsing rl->write->seq_num, sizeof(rl->write->seq_num))) 1298108b1a0fSjsing goto err; 1299108b1a0fSjsing if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len)) 1300108b1a0fSjsing goto err; 1301108b1a0fSjsing CBS_init(&seq_num, seq_num_data, seq_num_len); 1302acef91a0Sjsing 1303acef91a0Sjsing if (!CBB_add_u8(cbb, content_type)) 1304108b1a0fSjsing goto err; 1305acef91a0Sjsing if (!CBB_add_u16(cbb, rl->version)) 1306108b1a0fSjsing goto err; 1307acef91a0Sjsing if (rl->dtls) { 1308108b1a0fSjsing if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num))) 1309108b1a0fSjsing goto err; 1310acef91a0Sjsing } 1311acef91a0Sjsing if (!CBB_add_u16_length_prefixed(cbb, &fragment)) 1312108b1a0fSjsing goto err; 1313acef91a0Sjsing 1314a13669d2Sjsing if (rl->write->aead_ctx != NULL) { 1315acef91a0Sjsing if (!tls12_record_layer_seal_record_protected_aead(rl, 1316108b1a0fSjsing content_type, &seq_num, content, content_len, &fragment)) 1317108b1a0fSjsing goto err; 1318a13669d2Sjsing } else if (rl->write->cipher_ctx != NULL) { 1319acef91a0Sjsing if (!tls12_record_layer_seal_record_protected_cipher(rl, 1320108b1a0fSjsing content_type, &seq_num, content, content_len, &fragment)) 1321108b1a0fSjsing goto err; 1322acef91a0Sjsing } else { 1323acef91a0Sjsing if (!tls12_record_layer_seal_record_plaintext(rl, 1324acef91a0Sjsing content_type, content, content_len, &fragment)) 1325108b1a0fSjsing goto err; 1326acef91a0Sjsing } 1327acef91a0Sjsing 1328acef91a0Sjsing if (!CBB_flush(cbb)) 1329108b1a0fSjsing goto err; 1330acef91a0Sjsing 1331e3ae3cd6Sjsing if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num)) 1332e3ae3cd6Sjsing goto err; 1333acef91a0Sjsing 1334108b1a0fSjsing ret = 1; 1335108b1a0fSjsing 1336108b1a0fSjsing err: 1337108b1a0fSjsing CBB_cleanup(&seq_num_cbb); 1338108b1a0fSjsing free(seq_num_data); 1339108b1a0fSjsing 1340108b1a0fSjsing return ret; 1341acef91a0Sjsing } 1342