1 /* $OpenBSD: tls12_record_layer.c,v 1.34 2021/08/30 19:12:25 jsing Exp $ */ 2 /* 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <limits.h> 19 #include <stdlib.h> 20 21 #include <openssl/evp.h> 22 23 #include "ssl_locl.h" 24 25 #define TLS12_RECORD_SEQ_NUM_LEN 8 26 #define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12 27 28 struct tls12_record_protection { 29 uint16_t epoch; 30 uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; 31 32 EVP_AEAD_CTX *aead_ctx; 33 34 uint8_t *aead_nonce; 35 size_t aead_nonce_len; 36 37 uint8_t *aead_fixed_nonce; 38 size_t aead_fixed_nonce_len; 39 40 size_t aead_variable_nonce_len; 41 size_t aead_tag_len; 42 43 int aead_xor_nonces; 44 int aead_variable_nonce_in_record; 45 46 EVP_CIPHER_CTX *cipher_ctx; 47 EVP_MD_CTX *hash_ctx; 48 49 int stream_mac; 50 51 uint8_t *mac_key; 52 size_t mac_key_len; 53 }; 54 55 static struct tls12_record_protection * 56 tls12_record_protection_new(void) 57 { 58 return calloc(1, sizeof(struct tls12_record_protection)); 59 } 60 61 static void 62 tls12_record_protection_clear(struct tls12_record_protection *rp) 63 { 64 if (rp->aead_ctx != NULL) { 65 EVP_AEAD_CTX_cleanup(rp->aead_ctx); 66 freezero(rp->aead_ctx, sizeof(*rp->aead_ctx)); 67 } 68 69 freezero(rp->aead_nonce, rp->aead_nonce_len); 70 freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len); 71 72 EVP_CIPHER_CTX_free(rp->cipher_ctx); 73 EVP_MD_CTX_free(rp->hash_ctx); 74 75 freezero(rp->mac_key, rp->mac_key_len); 76 77 memset(rp, 0, sizeof(*rp)); 78 } 79 80 static void 81 tls12_record_protection_free(struct tls12_record_protection *rp) 82 { 83 if (rp == NULL) 84 return; 85 86 tls12_record_protection_clear(rp); 87 88 freezero(rp, sizeof(struct tls12_record_protection)); 89 } 90 91 static int 92 tls12_record_protection_engaged(struct tls12_record_protection *rp) 93 { 94 return rp->aead_ctx != NULL || rp->cipher_ctx != NULL; 95 } 96 97 static int 98 tls12_record_protection_unused(struct tls12_record_protection *rp) 99 { 100 return rp->aead_ctx == NULL && rp->cipher_ctx == NULL && 101 rp->hash_ctx == NULL && rp->mac_key == NULL; 102 } 103 104 static int 105 tls12_record_protection_eiv_len(struct tls12_record_protection *rp, 106 size_t *out_eiv_len) 107 { 108 int eiv_len; 109 110 *out_eiv_len = 0; 111 112 if (rp->cipher_ctx == NULL) 113 return 0; 114 115 eiv_len = 0; 116 if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE) 117 eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx); 118 if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH) 119 return 0; 120 121 *out_eiv_len = eiv_len; 122 123 return 1; 124 } 125 126 static int 127 tls12_record_protection_block_size(struct tls12_record_protection *rp, 128 size_t *out_block_size) 129 { 130 int block_size; 131 132 *out_block_size = 0; 133 134 if (rp->cipher_ctx == NULL) 135 return 0; 136 137 block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx); 138 if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH) 139 return 0; 140 141 *out_block_size = block_size; 142 143 return 1; 144 } 145 146 static int 147 tls12_record_protection_mac_len(struct tls12_record_protection *rp, 148 size_t *out_mac_len) 149 { 150 int mac_len; 151 152 *out_mac_len = 0; 153 154 if (rp->hash_ctx == NULL) 155 return 0; 156 157 mac_len = EVP_MD_CTX_size(rp->hash_ctx); 158 if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE) 159 return 0; 160 161 *out_mac_len = mac_len; 162 163 return 1; 164 } 165 166 struct tls12_record_layer { 167 uint16_t version; 168 uint16_t initial_epoch; 169 int dtls; 170 171 uint8_t alert_desc; 172 173 const EVP_AEAD *aead; 174 const EVP_CIPHER *cipher; 175 const EVP_MD *handshake_hash; 176 const EVP_MD *mac_hash; 177 178 /* Pointers to active record protection (memory is not owned). */ 179 struct tls12_record_protection *read; 180 struct tls12_record_protection *write; 181 182 struct tls12_record_protection *read_current; 183 struct tls12_record_protection *write_current; 184 struct tls12_record_protection *write_previous; 185 }; 186 187 struct tls12_record_layer * 188 tls12_record_layer_new(void) 189 { 190 struct tls12_record_layer *rl; 191 192 if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL) 193 goto err; 194 if ((rl->read_current = tls12_record_protection_new()) == NULL) 195 goto err; 196 if ((rl->write_current = tls12_record_protection_new()) == NULL) 197 goto err; 198 199 rl->read = rl->read_current; 200 rl->write = rl->write_current; 201 202 return rl; 203 204 err: 205 tls12_record_layer_free(rl); 206 207 return NULL; 208 } 209 210 void 211 tls12_record_layer_free(struct tls12_record_layer *rl) 212 { 213 if (rl == NULL) 214 return; 215 216 tls12_record_protection_free(rl->read_current); 217 tls12_record_protection_free(rl->write_current); 218 tls12_record_protection_free(rl->write_previous); 219 220 freezero(rl, sizeof(struct tls12_record_layer)); 221 } 222 223 void 224 tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc) 225 { 226 *alert_desc = rl->alert_desc; 227 } 228 229 int 230 tls12_record_layer_write_overhead(struct tls12_record_layer *rl, 231 size_t *overhead) 232 { 233 size_t block_size, eiv_len, mac_len; 234 235 *overhead = 0; 236 237 if (rl->write->aead_ctx != NULL) { 238 *overhead = rl->write->aead_tag_len; 239 } else if (rl->write->cipher_ctx != NULL) { 240 eiv_len = 0; 241 if (rl->version != TLS1_VERSION) { 242 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) 243 return 0; 244 } 245 if (!tls12_record_protection_block_size(rl->write, &block_size)) 246 return 0; 247 if (!tls12_record_protection_mac_len(rl->write, &mac_len)) 248 return 0; 249 250 *overhead = eiv_len + block_size + mac_len; 251 } 252 253 return 1; 254 } 255 256 int 257 tls12_record_layer_read_protected(struct tls12_record_layer *rl) 258 { 259 return tls12_record_protection_engaged(rl->read); 260 } 261 262 int 263 tls12_record_layer_write_protected(struct tls12_record_layer *rl) 264 { 265 return tls12_record_protection_engaged(rl->write); 266 } 267 268 void 269 tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead) 270 { 271 rl->aead = aead; 272 } 273 274 void 275 tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl, 276 const EVP_CIPHER *cipher, const EVP_MD *handshake_hash, 277 const EVP_MD *mac_hash) 278 { 279 rl->cipher = cipher; 280 rl->handshake_hash = handshake_hash; 281 rl->mac_hash = mac_hash; 282 } 283 284 void 285 tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) 286 { 287 rl->version = version; 288 rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR); 289 } 290 291 void 292 tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, 293 uint16_t epoch) 294 { 295 rl->initial_epoch = epoch; 296 } 297 298 uint16_t 299 tls12_record_layer_read_epoch(struct tls12_record_layer *rl) 300 { 301 return rl->read->epoch; 302 } 303 304 uint16_t 305 tls12_record_layer_write_epoch(struct tls12_record_layer *rl) 306 { 307 return rl->write->epoch; 308 } 309 310 int 311 tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) 312 { 313 if (rl->write->epoch == epoch) 314 return 1; 315 316 if (rl->write_current->epoch == epoch) { 317 rl->write = rl->write_current; 318 return 1; 319 } 320 321 if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) { 322 rl->write = rl->write_previous; 323 return 1; 324 } 325 326 return 0; 327 } 328 329 void 330 tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch) 331 { 332 if (rl->write_previous == NULL || rl->write_previous->epoch != epoch) 333 return; 334 335 rl->write = rl->write_current; 336 337 tls12_record_protection_free(rl->write_previous); 338 rl->write_previous = NULL; 339 } 340 341 void 342 tls12_record_layer_clear_read_state(struct tls12_record_layer *rl) 343 { 344 tls12_record_protection_clear(rl->read); 345 rl->read->epoch = rl->initial_epoch; 346 } 347 348 void 349 tls12_record_layer_clear_write_state(struct tls12_record_layer *rl) 350 { 351 tls12_record_protection_clear(rl->write); 352 rl->write->epoch = rl->initial_epoch; 353 354 tls12_record_protection_free(rl->write_previous); 355 rl->write_previous = NULL; 356 } 357 358 void 359 tls12_record_layer_read_cipher_hash(struct tls12_record_layer *rl, 360 EVP_CIPHER_CTX **cipher, EVP_MD_CTX **hash) 361 { 362 *cipher = rl->read->cipher_ctx; 363 *hash = rl->read->hash_ctx; 364 } 365 366 void 367 tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl) 368 { 369 memcpy(rl->write->seq_num, rl->read->seq_num, 370 sizeof(rl->write->seq_num)); 371 } 372 373 static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = { 374 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 375 }; 376 377 int 378 tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num) 379 { 380 CBS max_seq_num; 381 int i; 382 383 /* 384 * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS 385 * sequence numbers must not wrap. Note that for DTLS the first two 386 * bytes are used as an "epoch" and not part of the sequence number. 387 */ 388 CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN); 389 if (rl->dtls) { 390 if (!CBS_skip(&max_seq_num, 2)) 391 return 0; 392 } 393 if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num, 394 CBS_len(&max_seq_num))) 395 return 0; 396 397 for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 398 if (++seq_num[i] != 0) 399 break; 400 } 401 402 return 1; 403 } 404 405 static int 406 tls12_record_layer_set_mac_key(struct tls12_record_protection *rp, 407 const uint8_t *mac_key, size_t mac_key_len) 408 { 409 freezero(rp->mac_key, rp->mac_key_len); 410 rp->mac_key = NULL; 411 rp->mac_key_len = 0; 412 413 if (mac_key == NULL || mac_key_len == 0) 414 return 1; 415 416 if ((rp->mac_key = calloc(1, mac_key_len)) == NULL) 417 return 0; 418 419 memcpy(rp->mac_key, mac_key, mac_key_len); 420 rp->mac_key_len = mac_key_len; 421 422 return 1; 423 } 424 425 static int 426 tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, 427 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 428 CBS *iv) 429 { 430 if (!tls12_record_protection_unused(rp)) 431 return 0; 432 433 if ((rp->aead_ctx = calloc(1, sizeof(*rp->aead_ctx))) == NULL) 434 return 0; 435 436 /* AES GCM cipher suites use variable nonce in record. */ 437 if (rl->aead == EVP_aead_aes_128_gcm() || 438 rl->aead == EVP_aead_aes_256_gcm()) 439 rp->aead_variable_nonce_in_record = 1; 440 441 /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */ 442 if (rl->aead == EVP_aead_chacha20_poly1305()) 443 rp->aead_xor_nonces = 1; 444 445 if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len)) 446 return 0; 447 448 rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead)); 449 if (rp->aead_nonce == NULL) 450 return 0; 451 452 rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); 453 rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead); 454 rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN; 455 456 if (rp->aead_xor_nonces) { 457 /* Fixed nonce length must match, variable must not exceed. */ 458 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) 459 return 0; 460 if (rp->aead_variable_nonce_len > rp->aead_nonce_len) 461 return 0; 462 } else { 463 /* Concatenated nonce length must equal AEAD nonce length. */ 464 if (rp->aead_fixed_nonce_len + 465 rp->aead_variable_nonce_len != rp->aead_nonce_len) 466 return 0; 467 } 468 469 if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key), 470 CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 471 return 0; 472 473 return 1; 474 } 475 476 static int 477 tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl, 478 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 479 CBS *iv) 480 { 481 EVP_PKEY *mac_pkey = NULL; 482 int gost_param_nid; 483 int mac_type; 484 int ret = 0; 485 486 if (!tls12_record_protection_unused(rp)) 487 goto err; 488 489 mac_type = EVP_PKEY_HMAC; 490 rp->stream_mac = 0; 491 492 if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX) 493 goto err; 494 if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv)) 495 goto err; 496 if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key)) 497 goto err; 498 499 /* Special handling for GOST... */ 500 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { 501 if (CBS_len(mac_key) != 32) 502 goto err; 503 mac_type = EVP_PKEY_GOSTIMIT; 504 rp->stream_mac = 1; 505 } else { 506 if (CBS_len(mac_key) > INT_MAX) 507 goto err; 508 if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key)) 509 goto err; 510 } 511 512 if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) 513 goto err; 514 if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL) 515 goto err; 516 517 if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key), 518 CBS_len(mac_key))) 519 goto err; 520 521 if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key), 522 CBS_len(mac_key))) == NULL) 523 goto err; 524 525 if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key), 526 CBS_data(iv), is_write)) 527 goto err; 528 529 if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL, 530 mac_pkey) <= 0) 531 goto err; 532 533 /* More special handling for GOST... */ 534 if (EVP_CIPHER_type(rl->cipher) == NID_gost89_cnt) { 535 gost_param_nid = NID_id_tc26_gost_28147_param_Z; 536 if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94) 537 gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet; 538 539 if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX, 540 gost_param_nid, 0) <= 0) 541 goto err; 542 543 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { 544 if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX, 545 gost_param_nid, 0) <= 0) 546 goto err; 547 } 548 } 549 550 ret = 1; 551 552 err: 553 EVP_PKEY_free(mac_pkey); 554 555 return ret; 556 } 557 558 static int 559 tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl, 560 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 561 CBS *iv) 562 { 563 if (rl->aead != NULL) 564 return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key, 565 key, iv); 566 567 return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key, 568 key, iv); 569 } 570 571 int 572 tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, 573 CBS *mac_key, CBS *key, CBS *iv) 574 { 575 struct tls12_record_protection *read_new = NULL; 576 int ret = 0; 577 578 if ((read_new = tls12_record_protection_new()) == NULL) 579 goto err; 580 581 /* Read sequence number gets reset to zero. */ 582 583 /* DTLS epoch is incremented and is permitted to wrap. */ 584 if (rl->dtls) 585 read_new->epoch = rl->read_current->epoch + 1; 586 587 if (!tls12_record_layer_change_cipher_state(rl, read_new, 0, 588 mac_key, key, iv)) 589 goto err; 590 591 tls12_record_protection_free(rl->read_current); 592 rl->read = rl->read_current = read_new; 593 read_new = NULL; 594 595 ret = 1; 596 597 err: 598 tls12_record_protection_free(read_new); 599 600 return ret; 601 } 602 603 int 604 tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, 605 CBS *mac_key, CBS *key, CBS *iv) 606 { 607 struct tls12_record_protection *write_new; 608 int ret = 0; 609 610 if ((write_new = tls12_record_protection_new()) == NULL) 611 goto err; 612 613 /* Write sequence number gets reset to zero. */ 614 615 /* DTLS epoch is incremented and is permitted to wrap. */ 616 if (rl->dtls) 617 write_new->epoch = rl->write_current->epoch + 1; 618 619 if (!tls12_record_layer_change_cipher_state(rl, write_new, 1, 620 mac_key, key, iv)) 621 goto err; 622 623 if (rl->dtls) { 624 tls12_record_protection_free(rl->write_previous); 625 rl->write_previous = rl->write_current; 626 rl->write_current = NULL; 627 } 628 tls12_record_protection_free(rl->write_current); 629 rl->write = rl->write_current = write_new; 630 write_new = NULL; 631 632 ret = 1; 633 634 err: 635 tls12_record_protection_free(write_new); 636 637 return ret; 638 } 639 640 static int 641 tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, 642 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len) 643 { 644 CBS seq; 645 646 CBS_init(&seq, seq_num, seq_num_len); 647 648 if (rl->dtls) { 649 if (!CBB_add_u16(cbb, epoch)) 650 return 0; 651 if (!CBS_skip(&seq, 2)) 652 return 0; 653 } 654 655 return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq)); 656 } 657 658 static int 659 tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, 660 uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out, 661 size_t *out_len) 662 { 663 CBB cbb; 664 665 *out = NULL; 666 *out_len = 0; 667 668 /* Build the pseudo-header used for MAC/AEAD. */ 669 if (!CBB_init(&cbb, 13)) 670 goto err; 671 672 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num))) 673 goto err; 674 if (!CBB_add_u8(&cbb, content_type)) 675 goto err; 676 if (!CBB_add_u16(&cbb, rl->version)) 677 goto err; 678 if (!CBB_add_u16(&cbb, record_len)) 679 goto err; 680 681 if (!CBB_finish(&cbb, out, out_len)) 682 goto err; 683 684 return 1; 685 686 err: 687 CBB_cleanup(&cbb); 688 689 return 0; 690 } 691 692 static int 693 tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, 694 EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type, 695 const uint8_t *content, size_t content_len, size_t *out_len) 696 { 697 EVP_MD_CTX *mac_ctx = NULL; 698 uint8_t *header = NULL; 699 size_t header_len = 0; 700 size_t mac_len; 701 uint8_t *mac; 702 int ret = 0; 703 704 if ((mac_ctx = EVP_MD_CTX_new()) == NULL) 705 goto err; 706 if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx)) 707 goto err; 708 709 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 710 seq_num, &header, &header_len)) 711 goto err; 712 713 if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0) 714 goto err; 715 if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0) 716 goto err; 717 if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0) 718 goto err; 719 if (!CBB_add_space(cbb, &mac, mac_len)) 720 goto err; 721 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0) 722 goto err; 723 if (mac_len == 0) 724 goto err; 725 726 if (stream_mac) { 727 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx)) 728 goto err; 729 } 730 731 *out_len = mac_len; 732 ret = 1; 733 734 err: 735 EVP_MD_CTX_free(mac_ctx); 736 freezero(header, header_len); 737 738 return ret; 739 } 740 741 static int 742 tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, 743 uint8_t content_type, CBS *seq_num, const uint8_t *content, 744 size_t content_len, size_t mac_len, size_t padding_len) 745 { 746 uint8_t *header = NULL; 747 size_t header_len = 0; 748 uint8_t *mac = NULL; 749 size_t out_mac_len = 0; 750 int ret = 0; 751 752 /* 753 * Must be constant time to avoid leaking details about CBC padding. 754 */ 755 756 if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx)) 757 goto err; 758 759 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 760 seq_num, &header, &header_len)) 761 goto err; 762 763 if (!CBB_add_space(cbb, &mac, mac_len)) 764 goto err; 765 if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header, 766 content, content_len + mac_len, content_len + mac_len + padding_len, 767 rl->read->mac_key, rl->read->mac_key_len)) 768 goto err; 769 if (mac_len != out_mac_len) 770 goto err; 771 772 ret = 1; 773 774 err: 775 freezero(header, header_len); 776 777 return ret; 778 } 779 780 static int 781 tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb, 782 uint8_t content_type, CBS *seq_num, const uint8_t *content, 783 size_t content_len) 784 { 785 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 786 size_t out_len; 787 788 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) 789 return 0; 790 791 return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx, 792 rl->read->stream_mac, seq_num, content_type, content, content_len, 793 &out_len); 794 } 795 796 static int 797 tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, 798 uint8_t content_type, CBS *seq_num, const uint8_t *content, 799 size_t content_len, size_t *out_len) 800 { 801 return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx, 802 rl->write->stream_mac, seq_num, content_type, content, content_len, 803 out_len); 804 } 805 806 static int 807 tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, 808 struct tls12_record_protection *rp, CBS *seq_num) 809 { 810 CBB cbb; 811 812 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 813 return 0; 814 815 /* Fixed nonce and variable nonce (sequence number) are concatenated. */ 816 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) 817 goto err; 818 if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce, 819 rp->aead_fixed_nonce_len)) 820 goto err; 821 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), 822 rp->aead_variable_nonce_len)) 823 goto err; 824 if (!CBB_finish(&cbb, NULL, NULL)) 825 goto err; 826 827 return 1; 828 829 err: 830 CBB_cleanup(&cbb); 831 832 return 0; 833 } 834 835 static int 836 tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, 837 struct tls12_record_protection *rp, CBS *seq_num) 838 { 839 uint8_t *pad; 840 CBB cbb; 841 int i; 842 843 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 844 return 0; 845 if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len) 846 return 0; 847 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) 848 return 0; 849 850 /* 851 * Variable nonce (sequence number) is right padded, before the fixed 852 * nonce is XOR'd in. 853 */ 854 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) 855 goto err; 856 if (!CBB_add_space(&cbb, &pad, 857 rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len)) 858 goto err; 859 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), 860 rp->aead_variable_nonce_len)) 861 goto err; 862 if (!CBB_finish(&cbb, NULL, NULL)) 863 goto err; 864 865 for (i = 0; i < rp->aead_fixed_nonce_len; i++) 866 rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i]; 867 868 return 1; 869 870 err: 871 CBB_cleanup(&cbb); 872 873 return 0; 874 } 875 876 static int 877 tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, 878 uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len) 879 { 880 if (tls12_record_protection_engaged(rl->read)) 881 return 0; 882 883 /* XXX - decrypt/process in place for now. */ 884 *out = (uint8_t *)CBS_data(fragment); 885 *out_len = CBS_len(fragment); 886 887 return 1; 888 } 889 890 static int 891 tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, 892 uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, 893 size_t *out_len) 894 { 895 struct tls12_record_protection *rp = rl->read; 896 uint8_t *header = NULL; 897 size_t header_len = 0; 898 uint8_t *plain; 899 size_t plain_len; 900 CBS var_nonce; 901 int ret = 0; 902 903 if (rp->aead_xor_nonces) { 904 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) 905 goto err; 906 } else if (rp->aead_variable_nonce_in_record) { 907 if (!CBS_get_bytes(fragment, &var_nonce, 908 rp->aead_variable_nonce_len)) 909 goto err; 910 if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce)) 911 goto err; 912 } else { 913 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) 914 goto err; 915 } 916 917 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 918 if (CBS_len(fragment) < rp->aead_tag_len) { 919 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 920 goto err; 921 } 922 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 923 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 924 goto err; 925 } 926 927 /* XXX - decrypt/process in place for now. */ 928 plain = (uint8_t *)CBS_data(fragment); 929 plain_len = CBS_len(fragment) - rp->aead_tag_len; 930 931 if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, 932 seq_num, &header, &header_len)) 933 goto err; 934 935 if (!EVP_AEAD_CTX_open(rp->aead_ctx, plain, out_len, plain_len, 936 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment), 937 CBS_len(fragment), header, header_len)) { 938 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 939 goto err; 940 } 941 942 if (*out_len > SSL3_RT_MAX_PLAIN_LENGTH) { 943 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 944 goto err; 945 } 946 947 if (*out_len != plain_len) 948 goto err; 949 950 *out = plain; 951 952 ret = 1; 953 954 err: 955 freezero(header, header_len); 956 957 return ret; 958 } 959 960 static int 961 tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, 962 uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, 963 size_t *out_len) 964 { 965 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 966 SSL3_RECORD_INTERNAL rrec; 967 size_t block_size, eiv_len; 968 uint8_t *mac = NULL; 969 size_t mac_len = 0; 970 uint8_t *out_mac = NULL; 971 size_t out_mac_len = 0; 972 uint8_t *plain; 973 size_t plain_len; 974 size_t min_len; 975 CBB cbb_mac; 976 int ret = 0; 977 978 memset(&cbb_mac, 0, sizeof(cbb_mac)); 979 memset(&rrec, 0, sizeof(rrec)); 980 981 if (!tls12_record_protection_block_size(rl->read, &block_size)) 982 goto err; 983 984 /* Determine explicit IV length. */ 985 eiv_len = 0; 986 if (rl->version != TLS1_VERSION) { 987 if (!tls12_record_protection_eiv_len(rl->read, &eiv_len)) 988 goto err; 989 } 990 991 mac_len = 0; 992 if (rl->read->hash_ctx != NULL) { 993 if (!tls12_record_protection_mac_len(rl->read, &mac_len)) 994 goto err; 995 } 996 997 /* CBC has at least one padding byte. */ 998 min_len = eiv_len + mac_len; 999 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) 1000 min_len += 1; 1001 1002 if (CBS_len(fragment) < min_len) { 1003 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1004 goto err; 1005 } 1006 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 1007 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 1008 goto err; 1009 } 1010 if (CBS_len(fragment) % block_size != 0) { 1011 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1012 goto err; 1013 } 1014 1015 /* XXX - decrypt/process in place for now. */ 1016 plain = (uint8_t *)CBS_data(fragment); 1017 plain_len = CBS_len(fragment); 1018 1019 if (!EVP_Cipher(enc, plain, CBS_data(fragment), plain_len)) 1020 goto err; 1021 1022 rrec.data = plain; 1023 rrec.input = plain; 1024 rrec.length = plain_len; 1025 1026 /* 1027 * We now have to remove padding, extract MAC, calculate MAC 1028 * and compare MAC in constant time. 1029 */ 1030 if (block_size > 1) 1031 ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len); 1032 1033 if ((mac = calloc(1, mac_len)) == NULL) 1034 goto err; 1035 1036 if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE)) 1037 goto err; 1038 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) { 1039 ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length + 1040 rrec.padding_length); 1041 rrec.length -= mac_len; 1042 if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type, 1043 seq_num, rrec.input, rrec.length, mac_len, 1044 rrec.padding_length)) 1045 goto err; 1046 } else { 1047 rrec.length -= mac_len; 1048 memcpy(mac, rrec.data + rrec.length, mac_len); 1049 if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type, 1050 seq_num, rrec.input, rrec.length)) 1051 goto err; 1052 } 1053 if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len)) 1054 goto err; 1055 if (mac_len != out_mac_len) 1056 goto err; 1057 1058 if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) { 1059 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1060 goto err; 1061 } 1062 1063 if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) { 1064 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1065 goto err; 1066 } 1067 if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) { 1068 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 1069 goto err; 1070 } 1071 1072 *out = rrec.data; 1073 *out_len = rrec.length; 1074 1075 ret = 1; 1076 1077 err: 1078 CBB_cleanup(&cbb_mac); 1079 freezero(mac, mac_len); 1080 freezero(out_mac, out_mac_len); 1081 1082 return ret; 1083 } 1084 1085 int 1086 tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, 1087 size_t buf_len, uint8_t **out, size_t *out_len) 1088 { 1089 CBS cbs, fragment, seq_num; 1090 uint16_t version; 1091 uint8_t content_type; 1092 1093 CBS_init(&cbs, buf, buf_len); 1094 CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num)); 1095 1096 if (!CBS_get_u8(&cbs, &content_type)) 1097 return 0; 1098 if (!CBS_get_u16(&cbs, &version)) 1099 return 0; 1100 if (rl->dtls) { 1101 /* 1102 * The DTLS sequence number is split into a 16 bit epoch and 1103 * 48 bit sequence number, however for the purposes of record 1104 * processing it is treated the same as a TLS 64 bit sequence 1105 * number. DTLS also uses explicit read sequence numbers, which 1106 * we need to extract from the DTLS record header. 1107 */ 1108 if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE)) 1109 return 0; 1110 if (!CBS_write_bytes(&seq_num, rl->read->seq_num, 1111 sizeof(rl->read->seq_num), NULL)) 1112 return 0; 1113 } 1114 if (!CBS_get_u16_length_prefixed(&cbs, &fragment)) 1115 return 0; 1116 1117 if (rl->read->aead_ctx != NULL) { 1118 if (!tls12_record_layer_open_record_protected_aead(rl, 1119 content_type, &seq_num, &fragment, out, out_len)) 1120 return 0; 1121 } else if (rl->read->cipher_ctx != NULL) { 1122 if (!tls12_record_layer_open_record_protected_cipher(rl, 1123 content_type, &seq_num, &fragment, out, out_len)) 1124 return 0; 1125 } else { 1126 if (!tls12_record_layer_open_record_plaintext(rl, 1127 content_type, &fragment, out, out_len)) 1128 return 0; 1129 } 1130 1131 if (!rl->dtls) { 1132 if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num)) 1133 return 0; 1134 } 1135 1136 return 1; 1137 } 1138 1139 static int 1140 tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, 1141 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) 1142 { 1143 if (tls12_record_protection_engaged(rl->write)) 1144 return 0; 1145 1146 return CBB_add_bytes(out, content, content_len); 1147 } 1148 1149 static int 1150 tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, 1151 uint8_t content_type, CBS *seq_num, const uint8_t *content, 1152 size_t content_len, CBB *out) 1153 { 1154 struct tls12_record_protection *rp = rl->write; 1155 uint8_t *header = NULL; 1156 size_t header_len = 0; 1157 size_t enc_record_len, out_len; 1158 uint8_t *enc_data; 1159 int ret = 0; 1160 1161 if (rp->aead_xor_nonces) { 1162 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) 1163 goto err; 1164 } else { 1165 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) 1166 goto err; 1167 } 1168 1169 if (rp->aead_variable_nonce_in_record) { 1170 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 1171 goto err; 1172 if (!CBB_add_bytes(out, CBS_data(seq_num), 1173 rp->aead_variable_nonce_len)) 1174 goto err; 1175 } 1176 1177 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 1178 seq_num, &header, &header_len)) 1179 goto err; 1180 1181 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 1182 enc_record_len = content_len + rp->aead_tag_len; 1183 if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) 1184 goto err; 1185 if (!CBB_add_space(out, &enc_data, enc_record_len)) 1186 goto err; 1187 1188 if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len, 1189 rp->aead_nonce, rp->aead_nonce_len, content, content_len, header, 1190 header_len)) 1191 goto err; 1192 1193 if (out_len != enc_record_len) 1194 goto err; 1195 1196 ret = 1; 1197 1198 err: 1199 freezero(header, header_len); 1200 1201 return ret; 1202 } 1203 1204 static int 1205 tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, 1206 uint8_t content_type, CBS *seq_num, const uint8_t *content, 1207 size_t content_len, CBB *out) 1208 { 1209 EVP_CIPHER_CTX *enc = rl->write->cipher_ctx; 1210 size_t block_size, eiv_len, mac_len, pad_len; 1211 uint8_t *enc_data, *eiv, *pad, pad_val; 1212 uint8_t *plain = NULL; 1213 size_t plain_len = 0; 1214 int ret = 0; 1215 CBB cbb; 1216 1217 if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH)) 1218 goto err; 1219 1220 /* Add explicit IV if necessary. */ 1221 eiv_len = 0; 1222 if (rl->version != TLS1_VERSION) { 1223 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) 1224 goto err; 1225 } 1226 if (eiv_len > 0) { 1227 if (!CBB_add_space(&cbb, &eiv, eiv_len)) 1228 goto err; 1229 arc4random_buf(eiv, eiv_len); 1230 } 1231 1232 if (!CBB_add_bytes(&cbb, content, content_len)) 1233 goto err; 1234 1235 mac_len = 0; 1236 if (rl->write->hash_ctx != NULL) { 1237 if (!tls12_record_layer_write_mac(rl, &cbb, content_type, 1238 seq_num, content, content_len, &mac_len)) 1239 goto err; 1240 } 1241 1242 plain_len = eiv_len + content_len + mac_len; 1243 1244 /* Add padding to block size, if necessary. */ 1245 if (!tls12_record_protection_block_size(rl->write, &block_size)) 1246 goto err; 1247 if (block_size > 1) { 1248 pad_len = block_size - (plain_len % block_size); 1249 pad_val = pad_len - 1; 1250 1251 if (pad_len > 255) 1252 goto err; 1253 if (!CBB_add_space(&cbb, &pad, pad_len)) 1254 goto err; 1255 memset(pad, pad_val, pad_len); 1256 } 1257 1258 if (!CBB_finish(&cbb, &plain, &plain_len)) 1259 goto err; 1260 1261 if (plain_len % block_size != 0) 1262 goto err; 1263 if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) 1264 goto err; 1265 1266 if (!CBB_add_space(out, &enc_data, plain_len)) 1267 goto err; 1268 if (!EVP_Cipher(enc, enc_data, plain, plain_len)) 1269 goto err; 1270 1271 ret = 1; 1272 1273 err: 1274 CBB_cleanup(&cbb); 1275 freezero(plain, plain_len); 1276 1277 return ret; 1278 } 1279 1280 int 1281 tls12_record_layer_seal_record(struct tls12_record_layer *rl, 1282 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb) 1283 { 1284 uint8_t *seq_num_data = NULL; 1285 size_t seq_num_len = 0; 1286 CBB fragment, seq_num_cbb; 1287 CBS seq_num; 1288 int ret = 0; 1289 1290 /* 1291 * Construct the effective sequence number - this is used in both 1292 * the DTLS header and for MAC calculations. 1293 */ 1294 if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE)) 1295 goto err; 1296 if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch, 1297 rl->write->seq_num, sizeof(rl->write->seq_num))) 1298 goto err; 1299 if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len)) 1300 goto err; 1301 CBS_init(&seq_num, seq_num_data, seq_num_len); 1302 1303 if (!CBB_add_u8(cbb, content_type)) 1304 goto err; 1305 if (!CBB_add_u16(cbb, rl->version)) 1306 goto err; 1307 if (rl->dtls) { 1308 if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num))) 1309 goto err; 1310 } 1311 if (!CBB_add_u16_length_prefixed(cbb, &fragment)) 1312 goto err; 1313 1314 if (rl->write->aead_ctx != NULL) { 1315 if (!tls12_record_layer_seal_record_protected_aead(rl, 1316 content_type, &seq_num, content, content_len, &fragment)) 1317 goto err; 1318 } else if (rl->write->cipher_ctx != NULL) { 1319 if (!tls12_record_layer_seal_record_protected_cipher(rl, 1320 content_type, &seq_num, content, content_len, &fragment)) 1321 goto err; 1322 } else { 1323 if (!tls12_record_layer_seal_record_plaintext(rl, 1324 content_type, content, content_len, &fragment)) 1325 goto err; 1326 } 1327 1328 if (!CBB_flush(cbb)) 1329 goto err; 1330 1331 if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num)) 1332 goto err; 1333 1334 ret = 1; 1335 1336 err: 1337 CBB_cleanup(&seq_num_cbb); 1338 free(seq_num_data); 1339 1340 return ret; 1341 } 1342