1 /* $OpenBSD: tls12_record_layer.c,v 1.35 2021/10/23 15:02:27 jsing Exp $ */ 2 /* 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <limits.h> 19 #include <stdlib.h> 20 21 #include <openssl/evp.h> 22 23 #include "ssl_locl.h" 24 25 #define TLS12_RECORD_SEQ_NUM_LEN 8 26 #define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12 27 28 struct tls12_record_protection { 29 uint16_t epoch; 30 uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; 31 32 EVP_AEAD_CTX *aead_ctx; 33 34 uint8_t *aead_nonce; 35 size_t aead_nonce_len; 36 37 uint8_t *aead_fixed_nonce; 38 size_t aead_fixed_nonce_len; 39 40 size_t aead_variable_nonce_len; 41 size_t aead_tag_len; 42 43 int aead_xor_nonces; 44 int aead_variable_nonce_in_record; 45 46 EVP_CIPHER_CTX *cipher_ctx; 47 EVP_MD_CTX *hash_ctx; 48 49 int stream_mac; 50 51 uint8_t *mac_key; 52 size_t mac_key_len; 53 }; 54 55 static struct tls12_record_protection * 56 tls12_record_protection_new(void) 57 { 58 return calloc(1, sizeof(struct tls12_record_protection)); 59 } 60 61 static void 62 tls12_record_protection_clear(struct tls12_record_protection *rp) 63 { 64 if (rp->aead_ctx != NULL) { 65 EVP_AEAD_CTX_cleanup(rp->aead_ctx); 66 freezero(rp->aead_ctx, sizeof(*rp->aead_ctx)); 67 } 68 69 freezero(rp->aead_nonce, rp->aead_nonce_len); 70 freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len); 71 72 EVP_CIPHER_CTX_free(rp->cipher_ctx); 73 EVP_MD_CTX_free(rp->hash_ctx); 74 75 freezero(rp->mac_key, rp->mac_key_len); 76 77 memset(rp, 0, sizeof(*rp)); 78 } 79 80 static void 81 tls12_record_protection_free(struct tls12_record_protection *rp) 82 { 83 if (rp == NULL) 84 return; 85 86 tls12_record_protection_clear(rp); 87 88 freezero(rp, sizeof(struct tls12_record_protection)); 89 } 90 91 static int 92 tls12_record_protection_engaged(struct tls12_record_protection *rp) 93 { 94 return rp->aead_ctx != NULL || rp->cipher_ctx != NULL; 95 } 96 97 static int 98 tls12_record_protection_unused(struct tls12_record_protection *rp) 99 { 100 return rp->aead_ctx == NULL && rp->cipher_ctx == NULL && 101 rp->hash_ctx == NULL && rp->mac_key == NULL; 102 } 103 104 static int 105 tls12_record_protection_eiv_len(struct tls12_record_protection *rp, 106 size_t *out_eiv_len) 107 { 108 int eiv_len; 109 110 *out_eiv_len = 0; 111 112 if (rp->cipher_ctx == NULL) 113 return 0; 114 115 eiv_len = 0; 116 if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE) 117 eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx); 118 if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH) 119 return 0; 120 121 *out_eiv_len = eiv_len; 122 123 return 1; 124 } 125 126 static int 127 tls12_record_protection_block_size(struct tls12_record_protection *rp, 128 size_t *out_block_size) 129 { 130 int block_size; 131 132 *out_block_size = 0; 133 134 if (rp->cipher_ctx == NULL) 135 return 0; 136 137 block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx); 138 if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH) 139 return 0; 140 141 *out_block_size = block_size; 142 143 return 1; 144 } 145 146 static int 147 tls12_record_protection_mac_len(struct tls12_record_protection *rp, 148 size_t *out_mac_len) 149 { 150 int mac_len; 151 152 *out_mac_len = 0; 153 154 if (rp->hash_ctx == NULL) 155 return 0; 156 157 mac_len = EVP_MD_CTX_size(rp->hash_ctx); 158 if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE) 159 return 0; 160 161 *out_mac_len = mac_len; 162 163 return 1; 164 } 165 166 struct tls12_record_layer { 167 uint16_t version; 168 uint16_t initial_epoch; 169 int dtls; 170 171 uint8_t alert_desc; 172 173 const EVP_AEAD *aead; 174 const EVP_CIPHER *cipher; 175 const EVP_MD *handshake_hash; 176 const EVP_MD *mac_hash; 177 178 /* Pointers to active record protection (memory is not owned). */ 179 struct tls12_record_protection *read; 180 struct tls12_record_protection *write; 181 182 struct tls12_record_protection *read_current; 183 struct tls12_record_protection *write_current; 184 struct tls12_record_protection *write_previous; 185 }; 186 187 struct tls12_record_layer * 188 tls12_record_layer_new(void) 189 { 190 struct tls12_record_layer *rl; 191 192 if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL) 193 goto err; 194 if ((rl->read_current = tls12_record_protection_new()) == NULL) 195 goto err; 196 if ((rl->write_current = tls12_record_protection_new()) == NULL) 197 goto err; 198 199 rl->read = rl->read_current; 200 rl->write = rl->write_current; 201 202 return rl; 203 204 err: 205 tls12_record_layer_free(rl); 206 207 return NULL; 208 } 209 210 void 211 tls12_record_layer_free(struct tls12_record_layer *rl) 212 { 213 if (rl == NULL) 214 return; 215 216 tls12_record_protection_free(rl->read_current); 217 tls12_record_protection_free(rl->write_current); 218 tls12_record_protection_free(rl->write_previous); 219 220 freezero(rl, sizeof(struct tls12_record_layer)); 221 } 222 223 void 224 tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc) 225 { 226 *alert_desc = rl->alert_desc; 227 } 228 229 int 230 tls12_record_layer_write_overhead(struct tls12_record_layer *rl, 231 size_t *overhead) 232 { 233 size_t block_size, eiv_len, mac_len; 234 235 *overhead = 0; 236 237 if (rl->write->aead_ctx != NULL) { 238 *overhead = rl->write->aead_tag_len; 239 } else if (rl->write->cipher_ctx != NULL) { 240 eiv_len = 0; 241 if (rl->version != TLS1_VERSION) { 242 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) 243 return 0; 244 } 245 if (!tls12_record_protection_block_size(rl->write, &block_size)) 246 return 0; 247 if (!tls12_record_protection_mac_len(rl->write, &mac_len)) 248 return 0; 249 250 *overhead = eiv_len + block_size + mac_len; 251 } 252 253 return 1; 254 } 255 256 int 257 tls12_record_layer_read_protected(struct tls12_record_layer *rl) 258 { 259 return tls12_record_protection_engaged(rl->read); 260 } 261 262 int 263 tls12_record_layer_write_protected(struct tls12_record_layer *rl) 264 { 265 return tls12_record_protection_engaged(rl->write); 266 } 267 268 void 269 tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead) 270 { 271 rl->aead = aead; 272 } 273 274 void 275 tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl, 276 const EVP_CIPHER *cipher, const EVP_MD *handshake_hash, 277 const EVP_MD *mac_hash) 278 { 279 rl->cipher = cipher; 280 rl->handshake_hash = handshake_hash; 281 rl->mac_hash = mac_hash; 282 } 283 284 void 285 tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) 286 { 287 rl->version = version; 288 rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR); 289 } 290 291 void 292 tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, 293 uint16_t epoch) 294 { 295 rl->initial_epoch = epoch; 296 } 297 298 uint16_t 299 tls12_record_layer_read_epoch(struct tls12_record_layer *rl) 300 { 301 return rl->read->epoch; 302 } 303 304 uint16_t 305 tls12_record_layer_write_epoch(struct tls12_record_layer *rl) 306 { 307 return rl->write->epoch; 308 } 309 310 int 311 tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) 312 { 313 if (rl->write->epoch == epoch) 314 return 1; 315 316 if (rl->write_current->epoch == epoch) { 317 rl->write = rl->write_current; 318 return 1; 319 } 320 321 if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) { 322 rl->write = rl->write_previous; 323 return 1; 324 } 325 326 return 0; 327 } 328 329 void 330 tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch) 331 { 332 if (rl->write_previous == NULL || rl->write_previous->epoch != epoch) 333 return; 334 335 rl->write = rl->write_current; 336 337 tls12_record_protection_free(rl->write_previous); 338 rl->write_previous = NULL; 339 } 340 341 void 342 tls12_record_layer_clear_read_state(struct tls12_record_layer *rl) 343 { 344 tls12_record_protection_clear(rl->read); 345 rl->read->epoch = rl->initial_epoch; 346 } 347 348 void 349 tls12_record_layer_clear_write_state(struct tls12_record_layer *rl) 350 { 351 tls12_record_protection_clear(rl->write); 352 rl->write->epoch = rl->initial_epoch; 353 354 tls12_record_protection_free(rl->write_previous); 355 rl->write_previous = NULL; 356 } 357 358 void 359 tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl) 360 { 361 memcpy(rl->write->seq_num, rl->read->seq_num, 362 sizeof(rl->write->seq_num)); 363 } 364 365 static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = { 366 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 367 }; 368 369 int 370 tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num) 371 { 372 CBS max_seq_num; 373 int i; 374 375 /* 376 * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS 377 * sequence numbers must not wrap. Note that for DTLS the first two 378 * bytes are used as an "epoch" and not part of the sequence number. 379 */ 380 CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN); 381 if (rl->dtls) { 382 if (!CBS_skip(&max_seq_num, 2)) 383 return 0; 384 } 385 if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num, 386 CBS_len(&max_seq_num))) 387 return 0; 388 389 for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 390 if (++seq_num[i] != 0) 391 break; 392 } 393 394 return 1; 395 } 396 397 static int 398 tls12_record_layer_set_mac_key(struct tls12_record_protection *rp, 399 const uint8_t *mac_key, size_t mac_key_len) 400 { 401 freezero(rp->mac_key, rp->mac_key_len); 402 rp->mac_key = NULL; 403 rp->mac_key_len = 0; 404 405 if (mac_key == NULL || mac_key_len == 0) 406 return 1; 407 408 if ((rp->mac_key = calloc(1, mac_key_len)) == NULL) 409 return 0; 410 411 memcpy(rp->mac_key, mac_key, mac_key_len); 412 rp->mac_key_len = mac_key_len; 413 414 return 1; 415 } 416 417 static int 418 tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, 419 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 420 CBS *iv) 421 { 422 if (!tls12_record_protection_unused(rp)) 423 return 0; 424 425 if ((rp->aead_ctx = calloc(1, sizeof(*rp->aead_ctx))) == NULL) 426 return 0; 427 428 /* AES GCM cipher suites use variable nonce in record. */ 429 if (rl->aead == EVP_aead_aes_128_gcm() || 430 rl->aead == EVP_aead_aes_256_gcm()) 431 rp->aead_variable_nonce_in_record = 1; 432 433 /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */ 434 if (rl->aead == EVP_aead_chacha20_poly1305()) 435 rp->aead_xor_nonces = 1; 436 437 if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len)) 438 return 0; 439 440 rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead)); 441 if (rp->aead_nonce == NULL) 442 return 0; 443 444 rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); 445 rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead); 446 rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN; 447 448 if (rp->aead_xor_nonces) { 449 /* Fixed nonce length must match, variable must not exceed. */ 450 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) 451 return 0; 452 if (rp->aead_variable_nonce_len > rp->aead_nonce_len) 453 return 0; 454 } else { 455 /* Concatenated nonce length must equal AEAD nonce length. */ 456 if (rp->aead_fixed_nonce_len + 457 rp->aead_variable_nonce_len != rp->aead_nonce_len) 458 return 0; 459 } 460 461 if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key), 462 CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 463 return 0; 464 465 return 1; 466 } 467 468 static int 469 tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl, 470 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 471 CBS *iv) 472 { 473 EVP_PKEY *mac_pkey = NULL; 474 int gost_param_nid; 475 int mac_type; 476 int ret = 0; 477 478 if (!tls12_record_protection_unused(rp)) 479 goto err; 480 481 mac_type = EVP_PKEY_HMAC; 482 rp->stream_mac = 0; 483 484 if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX) 485 goto err; 486 if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv)) 487 goto err; 488 if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key)) 489 goto err; 490 491 /* Special handling for GOST... */ 492 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { 493 if (CBS_len(mac_key) != 32) 494 goto err; 495 mac_type = EVP_PKEY_GOSTIMIT; 496 rp->stream_mac = 1; 497 } else { 498 if (CBS_len(mac_key) > INT_MAX) 499 goto err; 500 if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key)) 501 goto err; 502 } 503 504 if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) 505 goto err; 506 if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL) 507 goto err; 508 509 if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key), 510 CBS_len(mac_key))) 511 goto err; 512 513 if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key), 514 CBS_len(mac_key))) == NULL) 515 goto err; 516 517 if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key), 518 CBS_data(iv), is_write)) 519 goto err; 520 521 if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL, 522 mac_pkey) <= 0) 523 goto err; 524 525 /* More special handling for GOST... */ 526 if (EVP_CIPHER_type(rl->cipher) == NID_gost89_cnt) { 527 gost_param_nid = NID_id_tc26_gost_28147_param_Z; 528 if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94) 529 gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet; 530 531 if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX, 532 gost_param_nid, 0) <= 0) 533 goto err; 534 535 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { 536 if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX, 537 gost_param_nid, 0) <= 0) 538 goto err; 539 } 540 } 541 542 ret = 1; 543 544 err: 545 EVP_PKEY_free(mac_pkey); 546 547 return ret; 548 } 549 550 static int 551 tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl, 552 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 553 CBS *iv) 554 { 555 if (rl->aead != NULL) 556 return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key, 557 key, iv); 558 559 return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key, 560 key, iv); 561 } 562 563 int 564 tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, 565 CBS *mac_key, CBS *key, CBS *iv) 566 { 567 struct tls12_record_protection *read_new = NULL; 568 int ret = 0; 569 570 if ((read_new = tls12_record_protection_new()) == NULL) 571 goto err; 572 573 /* Read sequence number gets reset to zero. */ 574 575 /* DTLS epoch is incremented and is permitted to wrap. */ 576 if (rl->dtls) 577 read_new->epoch = rl->read_current->epoch + 1; 578 579 if (!tls12_record_layer_change_cipher_state(rl, read_new, 0, 580 mac_key, key, iv)) 581 goto err; 582 583 tls12_record_protection_free(rl->read_current); 584 rl->read = rl->read_current = read_new; 585 read_new = NULL; 586 587 ret = 1; 588 589 err: 590 tls12_record_protection_free(read_new); 591 592 return ret; 593 } 594 595 int 596 tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, 597 CBS *mac_key, CBS *key, CBS *iv) 598 { 599 struct tls12_record_protection *write_new; 600 int ret = 0; 601 602 if ((write_new = tls12_record_protection_new()) == NULL) 603 goto err; 604 605 /* Write sequence number gets reset to zero. */ 606 607 /* DTLS epoch is incremented and is permitted to wrap. */ 608 if (rl->dtls) 609 write_new->epoch = rl->write_current->epoch + 1; 610 611 if (!tls12_record_layer_change_cipher_state(rl, write_new, 1, 612 mac_key, key, iv)) 613 goto err; 614 615 if (rl->dtls) { 616 tls12_record_protection_free(rl->write_previous); 617 rl->write_previous = rl->write_current; 618 rl->write_current = NULL; 619 } 620 tls12_record_protection_free(rl->write_current); 621 rl->write = rl->write_current = write_new; 622 write_new = NULL; 623 624 ret = 1; 625 626 err: 627 tls12_record_protection_free(write_new); 628 629 return ret; 630 } 631 632 static int 633 tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, 634 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len) 635 { 636 CBS seq; 637 638 CBS_init(&seq, seq_num, seq_num_len); 639 640 if (rl->dtls) { 641 if (!CBB_add_u16(cbb, epoch)) 642 return 0; 643 if (!CBS_skip(&seq, 2)) 644 return 0; 645 } 646 647 return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq)); 648 } 649 650 static int 651 tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, 652 uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out, 653 size_t *out_len) 654 { 655 CBB cbb; 656 657 *out = NULL; 658 *out_len = 0; 659 660 /* Build the pseudo-header used for MAC/AEAD. */ 661 if (!CBB_init(&cbb, 13)) 662 goto err; 663 664 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num))) 665 goto err; 666 if (!CBB_add_u8(&cbb, content_type)) 667 goto err; 668 if (!CBB_add_u16(&cbb, rl->version)) 669 goto err; 670 if (!CBB_add_u16(&cbb, record_len)) 671 goto err; 672 673 if (!CBB_finish(&cbb, out, out_len)) 674 goto err; 675 676 return 1; 677 678 err: 679 CBB_cleanup(&cbb); 680 681 return 0; 682 } 683 684 static int 685 tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, 686 EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type, 687 const uint8_t *content, size_t content_len, size_t *out_len) 688 { 689 EVP_MD_CTX *mac_ctx = NULL; 690 uint8_t *header = NULL; 691 size_t header_len = 0; 692 size_t mac_len; 693 uint8_t *mac; 694 int ret = 0; 695 696 if ((mac_ctx = EVP_MD_CTX_new()) == NULL) 697 goto err; 698 if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx)) 699 goto err; 700 701 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 702 seq_num, &header, &header_len)) 703 goto err; 704 705 if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0) 706 goto err; 707 if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0) 708 goto err; 709 if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0) 710 goto err; 711 if (!CBB_add_space(cbb, &mac, mac_len)) 712 goto err; 713 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0) 714 goto err; 715 if (mac_len == 0) 716 goto err; 717 718 if (stream_mac) { 719 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx)) 720 goto err; 721 } 722 723 *out_len = mac_len; 724 ret = 1; 725 726 err: 727 EVP_MD_CTX_free(mac_ctx); 728 freezero(header, header_len); 729 730 return ret; 731 } 732 733 static int 734 tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, 735 uint8_t content_type, CBS *seq_num, const uint8_t *content, 736 size_t content_len, size_t mac_len, size_t padding_len) 737 { 738 uint8_t *header = NULL; 739 size_t header_len = 0; 740 uint8_t *mac = NULL; 741 size_t out_mac_len = 0; 742 int ret = 0; 743 744 /* 745 * Must be constant time to avoid leaking details about CBC padding. 746 */ 747 748 if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx)) 749 goto err; 750 751 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 752 seq_num, &header, &header_len)) 753 goto err; 754 755 if (!CBB_add_space(cbb, &mac, mac_len)) 756 goto err; 757 if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header, 758 content, content_len + mac_len, content_len + mac_len + padding_len, 759 rl->read->mac_key, rl->read->mac_key_len)) 760 goto err; 761 if (mac_len != out_mac_len) 762 goto err; 763 764 ret = 1; 765 766 err: 767 freezero(header, header_len); 768 769 return ret; 770 } 771 772 static int 773 tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb, 774 uint8_t content_type, CBS *seq_num, const uint8_t *content, 775 size_t content_len) 776 { 777 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 778 size_t out_len; 779 780 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) 781 return 0; 782 783 return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx, 784 rl->read->stream_mac, seq_num, content_type, content, content_len, 785 &out_len); 786 } 787 788 static int 789 tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, 790 uint8_t content_type, CBS *seq_num, const uint8_t *content, 791 size_t content_len, size_t *out_len) 792 { 793 return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx, 794 rl->write->stream_mac, seq_num, content_type, content, content_len, 795 out_len); 796 } 797 798 static int 799 tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, 800 struct tls12_record_protection *rp, CBS *seq_num) 801 { 802 CBB cbb; 803 804 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 805 return 0; 806 807 /* Fixed nonce and variable nonce (sequence number) are concatenated. */ 808 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) 809 goto err; 810 if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce, 811 rp->aead_fixed_nonce_len)) 812 goto err; 813 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), 814 rp->aead_variable_nonce_len)) 815 goto err; 816 if (!CBB_finish(&cbb, NULL, NULL)) 817 goto err; 818 819 return 1; 820 821 err: 822 CBB_cleanup(&cbb); 823 824 return 0; 825 } 826 827 static int 828 tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, 829 struct tls12_record_protection *rp, CBS *seq_num) 830 { 831 uint8_t *pad; 832 CBB cbb; 833 int i; 834 835 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 836 return 0; 837 if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len) 838 return 0; 839 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) 840 return 0; 841 842 /* 843 * Variable nonce (sequence number) is right padded, before the fixed 844 * nonce is XOR'd in. 845 */ 846 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) 847 goto err; 848 if (!CBB_add_space(&cbb, &pad, 849 rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len)) 850 goto err; 851 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), 852 rp->aead_variable_nonce_len)) 853 goto err; 854 if (!CBB_finish(&cbb, NULL, NULL)) 855 goto err; 856 857 for (i = 0; i < rp->aead_fixed_nonce_len; i++) 858 rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i]; 859 860 return 1; 861 862 err: 863 CBB_cleanup(&cbb); 864 865 return 0; 866 } 867 868 static int 869 tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, 870 uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len) 871 { 872 if (tls12_record_protection_engaged(rl->read)) 873 return 0; 874 875 /* XXX - decrypt/process in place for now. */ 876 *out = (uint8_t *)CBS_data(fragment); 877 *out_len = CBS_len(fragment); 878 879 return 1; 880 } 881 882 static int 883 tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, 884 uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, 885 size_t *out_len) 886 { 887 struct tls12_record_protection *rp = rl->read; 888 uint8_t *header = NULL; 889 size_t header_len = 0; 890 uint8_t *plain; 891 size_t plain_len; 892 CBS var_nonce; 893 int ret = 0; 894 895 if (rp->aead_xor_nonces) { 896 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) 897 goto err; 898 } else if (rp->aead_variable_nonce_in_record) { 899 if (!CBS_get_bytes(fragment, &var_nonce, 900 rp->aead_variable_nonce_len)) 901 goto err; 902 if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce)) 903 goto err; 904 } else { 905 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) 906 goto err; 907 } 908 909 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 910 if (CBS_len(fragment) < rp->aead_tag_len) { 911 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 912 goto err; 913 } 914 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 915 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 916 goto err; 917 } 918 919 /* XXX - decrypt/process in place for now. */ 920 plain = (uint8_t *)CBS_data(fragment); 921 plain_len = CBS_len(fragment) - rp->aead_tag_len; 922 923 if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, 924 seq_num, &header, &header_len)) 925 goto err; 926 927 if (!EVP_AEAD_CTX_open(rp->aead_ctx, plain, out_len, plain_len, 928 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment), 929 CBS_len(fragment), header, header_len)) { 930 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 931 goto err; 932 } 933 934 if (*out_len > SSL3_RT_MAX_PLAIN_LENGTH) { 935 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 936 goto err; 937 } 938 939 if (*out_len != plain_len) 940 goto err; 941 942 *out = plain; 943 944 ret = 1; 945 946 err: 947 freezero(header, header_len); 948 949 return ret; 950 } 951 952 static int 953 tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, 954 uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, 955 size_t *out_len) 956 { 957 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 958 SSL3_RECORD_INTERNAL rrec; 959 size_t block_size, eiv_len; 960 uint8_t *mac = NULL; 961 size_t mac_len = 0; 962 uint8_t *out_mac = NULL; 963 size_t out_mac_len = 0; 964 uint8_t *plain; 965 size_t plain_len; 966 size_t min_len; 967 CBB cbb_mac; 968 int ret = 0; 969 970 memset(&cbb_mac, 0, sizeof(cbb_mac)); 971 memset(&rrec, 0, sizeof(rrec)); 972 973 if (!tls12_record_protection_block_size(rl->read, &block_size)) 974 goto err; 975 976 /* Determine explicit IV length. */ 977 eiv_len = 0; 978 if (rl->version != TLS1_VERSION) { 979 if (!tls12_record_protection_eiv_len(rl->read, &eiv_len)) 980 goto err; 981 } 982 983 mac_len = 0; 984 if (rl->read->hash_ctx != NULL) { 985 if (!tls12_record_protection_mac_len(rl->read, &mac_len)) 986 goto err; 987 } 988 989 /* CBC has at least one padding byte. */ 990 min_len = eiv_len + mac_len; 991 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) 992 min_len += 1; 993 994 if (CBS_len(fragment) < min_len) { 995 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 996 goto err; 997 } 998 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 999 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 1000 goto err; 1001 } 1002 if (CBS_len(fragment) % block_size != 0) { 1003 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1004 goto err; 1005 } 1006 1007 /* XXX - decrypt/process in place for now. */ 1008 plain = (uint8_t *)CBS_data(fragment); 1009 plain_len = CBS_len(fragment); 1010 1011 if (!EVP_Cipher(enc, plain, CBS_data(fragment), plain_len)) 1012 goto err; 1013 1014 rrec.data = plain; 1015 rrec.input = plain; 1016 rrec.length = plain_len; 1017 1018 /* 1019 * We now have to remove padding, extract MAC, calculate MAC 1020 * and compare MAC in constant time. 1021 */ 1022 if (block_size > 1) 1023 ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len); 1024 1025 if ((mac = calloc(1, mac_len)) == NULL) 1026 goto err; 1027 1028 if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE)) 1029 goto err; 1030 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) { 1031 ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length + 1032 rrec.padding_length); 1033 rrec.length -= mac_len; 1034 if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type, 1035 seq_num, rrec.input, rrec.length, mac_len, 1036 rrec.padding_length)) 1037 goto err; 1038 } else { 1039 rrec.length -= mac_len; 1040 memcpy(mac, rrec.data + rrec.length, mac_len); 1041 if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type, 1042 seq_num, rrec.input, rrec.length)) 1043 goto err; 1044 } 1045 if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len)) 1046 goto err; 1047 if (mac_len != out_mac_len) 1048 goto err; 1049 1050 if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) { 1051 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1052 goto err; 1053 } 1054 1055 if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) { 1056 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1057 goto err; 1058 } 1059 if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) { 1060 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 1061 goto err; 1062 } 1063 1064 *out = rrec.data; 1065 *out_len = rrec.length; 1066 1067 ret = 1; 1068 1069 err: 1070 CBB_cleanup(&cbb_mac); 1071 freezero(mac, mac_len); 1072 freezero(out_mac, out_mac_len); 1073 1074 return ret; 1075 } 1076 1077 int 1078 tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, 1079 size_t buf_len, uint8_t **out, size_t *out_len) 1080 { 1081 CBS cbs, fragment, seq_num; 1082 uint16_t version; 1083 uint8_t content_type; 1084 1085 CBS_init(&cbs, buf, buf_len); 1086 CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num)); 1087 1088 if (!CBS_get_u8(&cbs, &content_type)) 1089 return 0; 1090 if (!CBS_get_u16(&cbs, &version)) 1091 return 0; 1092 if (rl->dtls) { 1093 /* 1094 * The DTLS sequence number is split into a 16 bit epoch and 1095 * 48 bit sequence number, however for the purposes of record 1096 * processing it is treated the same as a TLS 64 bit sequence 1097 * number. DTLS also uses explicit read sequence numbers, which 1098 * we need to extract from the DTLS record header. 1099 */ 1100 if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE)) 1101 return 0; 1102 if (!CBS_write_bytes(&seq_num, rl->read->seq_num, 1103 sizeof(rl->read->seq_num), NULL)) 1104 return 0; 1105 } 1106 if (!CBS_get_u16_length_prefixed(&cbs, &fragment)) 1107 return 0; 1108 1109 if (rl->read->aead_ctx != NULL) { 1110 if (!tls12_record_layer_open_record_protected_aead(rl, 1111 content_type, &seq_num, &fragment, out, out_len)) 1112 return 0; 1113 } else if (rl->read->cipher_ctx != NULL) { 1114 if (!tls12_record_layer_open_record_protected_cipher(rl, 1115 content_type, &seq_num, &fragment, out, out_len)) 1116 return 0; 1117 } else { 1118 if (!tls12_record_layer_open_record_plaintext(rl, 1119 content_type, &fragment, out, out_len)) 1120 return 0; 1121 } 1122 1123 if (!rl->dtls) { 1124 if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num)) 1125 return 0; 1126 } 1127 1128 return 1; 1129 } 1130 1131 static int 1132 tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, 1133 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) 1134 { 1135 if (tls12_record_protection_engaged(rl->write)) 1136 return 0; 1137 1138 return CBB_add_bytes(out, content, content_len); 1139 } 1140 1141 static int 1142 tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, 1143 uint8_t content_type, CBS *seq_num, const uint8_t *content, 1144 size_t content_len, CBB *out) 1145 { 1146 struct tls12_record_protection *rp = rl->write; 1147 uint8_t *header = NULL; 1148 size_t header_len = 0; 1149 size_t enc_record_len, out_len; 1150 uint8_t *enc_data; 1151 int ret = 0; 1152 1153 if (rp->aead_xor_nonces) { 1154 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) 1155 goto err; 1156 } else { 1157 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) 1158 goto err; 1159 } 1160 1161 if (rp->aead_variable_nonce_in_record) { 1162 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 1163 goto err; 1164 if (!CBB_add_bytes(out, CBS_data(seq_num), 1165 rp->aead_variable_nonce_len)) 1166 goto err; 1167 } 1168 1169 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 1170 seq_num, &header, &header_len)) 1171 goto err; 1172 1173 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 1174 enc_record_len = content_len + rp->aead_tag_len; 1175 if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) 1176 goto err; 1177 if (!CBB_add_space(out, &enc_data, enc_record_len)) 1178 goto err; 1179 1180 if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len, 1181 rp->aead_nonce, rp->aead_nonce_len, content, content_len, header, 1182 header_len)) 1183 goto err; 1184 1185 if (out_len != enc_record_len) 1186 goto err; 1187 1188 ret = 1; 1189 1190 err: 1191 freezero(header, header_len); 1192 1193 return ret; 1194 } 1195 1196 static int 1197 tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, 1198 uint8_t content_type, CBS *seq_num, const uint8_t *content, 1199 size_t content_len, CBB *out) 1200 { 1201 EVP_CIPHER_CTX *enc = rl->write->cipher_ctx; 1202 size_t block_size, eiv_len, mac_len, pad_len; 1203 uint8_t *enc_data, *eiv, *pad, pad_val; 1204 uint8_t *plain = NULL; 1205 size_t plain_len = 0; 1206 int ret = 0; 1207 CBB cbb; 1208 1209 if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH)) 1210 goto err; 1211 1212 /* Add explicit IV if necessary. */ 1213 eiv_len = 0; 1214 if (rl->version != TLS1_VERSION) { 1215 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) 1216 goto err; 1217 } 1218 if (eiv_len > 0) { 1219 if (!CBB_add_space(&cbb, &eiv, eiv_len)) 1220 goto err; 1221 arc4random_buf(eiv, eiv_len); 1222 } 1223 1224 if (!CBB_add_bytes(&cbb, content, content_len)) 1225 goto err; 1226 1227 mac_len = 0; 1228 if (rl->write->hash_ctx != NULL) { 1229 if (!tls12_record_layer_write_mac(rl, &cbb, content_type, 1230 seq_num, content, content_len, &mac_len)) 1231 goto err; 1232 } 1233 1234 plain_len = eiv_len + content_len + mac_len; 1235 1236 /* Add padding to block size, if necessary. */ 1237 if (!tls12_record_protection_block_size(rl->write, &block_size)) 1238 goto err; 1239 if (block_size > 1) { 1240 pad_len = block_size - (plain_len % block_size); 1241 pad_val = pad_len - 1; 1242 1243 if (pad_len > 255) 1244 goto err; 1245 if (!CBB_add_space(&cbb, &pad, pad_len)) 1246 goto err; 1247 memset(pad, pad_val, pad_len); 1248 } 1249 1250 if (!CBB_finish(&cbb, &plain, &plain_len)) 1251 goto err; 1252 1253 if (plain_len % block_size != 0) 1254 goto err; 1255 if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) 1256 goto err; 1257 1258 if (!CBB_add_space(out, &enc_data, plain_len)) 1259 goto err; 1260 if (!EVP_Cipher(enc, enc_data, plain, plain_len)) 1261 goto err; 1262 1263 ret = 1; 1264 1265 err: 1266 CBB_cleanup(&cbb); 1267 freezero(plain, plain_len); 1268 1269 return ret; 1270 } 1271 1272 int 1273 tls12_record_layer_seal_record(struct tls12_record_layer *rl, 1274 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb) 1275 { 1276 uint8_t *seq_num_data = NULL; 1277 size_t seq_num_len = 0; 1278 CBB fragment, seq_num_cbb; 1279 CBS seq_num; 1280 int ret = 0; 1281 1282 /* 1283 * Construct the effective sequence number - this is used in both 1284 * the DTLS header and for MAC calculations. 1285 */ 1286 if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE)) 1287 goto err; 1288 if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch, 1289 rl->write->seq_num, sizeof(rl->write->seq_num))) 1290 goto err; 1291 if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len)) 1292 goto err; 1293 CBS_init(&seq_num, seq_num_data, seq_num_len); 1294 1295 if (!CBB_add_u8(cbb, content_type)) 1296 goto err; 1297 if (!CBB_add_u16(cbb, rl->version)) 1298 goto err; 1299 if (rl->dtls) { 1300 if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num))) 1301 goto err; 1302 } 1303 if (!CBB_add_u16_length_prefixed(cbb, &fragment)) 1304 goto err; 1305 1306 if (rl->write->aead_ctx != NULL) { 1307 if (!tls12_record_layer_seal_record_protected_aead(rl, 1308 content_type, &seq_num, content, content_len, &fragment)) 1309 goto err; 1310 } else if (rl->write->cipher_ctx != NULL) { 1311 if (!tls12_record_layer_seal_record_protected_cipher(rl, 1312 content_type, &seq_num, content, content_len, &fragment)) 1313 goto err; 1314 } else { 1315 if (!tls12_record_layer_seal_record_plaintext(rl, 1316 content_type, content, content_len, &fragment)) 1317 goto err; 1318 } 1319 1320 if (!CBB_flush(cbb)) 1321 goto err; 1322 1323 if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num)) 1324 goto err; 1325 1326 ret = 1; 1327 1328 err: 1329 CBB_cleanup(&seq_num_cbb); 1330 free(seq_num_data); 1331 1332 return ret; 1333 } 1334