1 /* $OpenBSD: tls12_record_layer.c,v 1.42 2024/02/03 15:58:34 beck Exp $ */
2 /*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <limits.h>
19 #include <stdlib.h>
20
21 #include <openssl/evp.h>
22
23 #include "ssl_local.h"
24
25 #define TLS12_RECORD_SEQ_NUM_LEN 8
26 #define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12
27
28 struct tls12_record_protection {
29 uint16_t epoch;
30 uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN];
31
32 EVP_AEAD_CTX *aead_ctx;
33
34 uint8_t *aead_nonce;
35 size_t aead_nonce_len;
36
37 uint8_t *aead_fixed_nonce;
38 size_t aead_fixed_nonce_len;
39
40 size_t aead_variable_nonce_len;
41 size_t aead_tag_len;
42
43 int aead_xor_nonces;
44 int aead_variable_nonce_in_record;
45
46 EVP_CIPHER_CTX *cipher_ctx;
47 EVP_MD_CTX *hash_ctx;
48
49 int stream_mac;
50
51 uint8_t *mac_key;
52 size_t mac_key_len;
53 };
54
55 static struct tls12_record_protection *
tls12_record_protection_new(void)56 tls12_record_protection_new(void)
57 {
58 return calloc(1, sizeof(struct tls12_record_protection));
59 }
60
61 static void
tls12_record_protection_clear(struct tls12_record_protection * rp)62 tls12_record_protection_clear(struct tls12_record_protection *rp)
63 {
64 EVP_AEAD_CTX_free(rp->aead_ctx);
65
66 freezero(rp->aead_nonce, rp->aead_nonce_len);
67 freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len);
68
69 EVP_CIPHER_CTX_free(rp->cipher_ctx);
70 EVP_MD_CTX_free(rp->hash_ctx);
71
72 freezero(rp->mac_key, rp->mac_key_len);
73
74 memset(rp, 0, sizeof(*rp));
75 }
76
77 static void
tls12_record_protection_free(struct tls12_record_protection * rp)78 tls12_record_protection_free(struct tls12_record_protection *rp)
79 {
80 if (rp == NULL)
81 return;
82
83 tls12_record_protection_clear(rp);
84
85 freezero(rp, sizeof(struct tls12_record_protection));
86 }
87
88 static int
tls12_record_protection_engaged(struct tls12_record_protection * rp)89 tls12_record_protection_engaged(struct tls12_record_protection *rp)
90 {
91 return rp->aead_ctx != NULL || rp->cipher_ctx != NULL;
92 }
93
94 static int
tls12_record_protection_unused(struct tls12_record_protection * rp)95 tls12_record_protection_unused(struct tls12_record_protection *rp)
96 {
97 return rp->aead_ctx == NULL && rp->cipher_ctx == NULL &&
98 rp->hash_ctx == NULL && rp->mac_key == NULL;
99 }
100
101 static int
tls12_record_protection_eiv_len(struct tls12_record_protection * rp,size_t * out_eiv_len)102 tls12_record_protection_eiv_len(struct tls12_record_protection *rp,
103 size_t *out_eiv_len)
104 {
105 int eiv_len;
106
107 *out_eiv_len = 0;
108
109 if (rp->cipher_ctx == NULL)
110 return 0;
111
112 eiv_len = 0;
113 if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE)
114 eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx);
115 if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH)
116 return 0;
117
118 *out_eiv_len = eiv_len;
119
120 return 1;
121 }
122
123 static int
tls12_record_protection_block_size(struct tls12_record_protection * rp,size_t * out_block_size)124 tls12_record_protection_block_size(struct tls12_record_protection *rp,
125 size_t *out_block_size)
126 {
127 int block_size;
128
129 *out_block_size = 0;
130
131 if (rp->cipher_ctx == NULL)
132 return 0;
133
134 block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx);
135 if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH)
136 return 0;
137
138 *out_block_size = block_size;
139
140 return 1;
141 }
142
143 static int
tls12_record_protection_mac_len(struct tls12_record_protection * rp,size_t * out_mac_len)144 tls12_record_protection_mac_len(struct tls12_record_protection *rp,
145 size_t *out_mac_len)
146 {
147 int mac_len;
148
149 *out_mac_len = 0;
150
151 if (rp->hash_ctx == NULL)
152 return 0;
153
154 mac_len = EVP_MD_CTX_size(rp->hash_ctx);
155 if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE)
156 return 0;
157
158 *out_mac_len = mac_len;
159
160 return 1;
161 }
162
163 struct tls12_record_layer {
164 uint16_t version;
165 uint16_t initial_epoch;
166 int dtls;
167
168 uint8_t alert_desc;
169
170 const EVP_AEAD *aead;
171 const EVP_CIPHER *cipher;
172 const EVP_MD *handshake_hash;
173 const EVP_MD *mac_hash;
174
175 /* Pointers to active record protection (memory is not owned). */
176 struct tls12_record_protection *read;
177 struct tls12_record_protection *write;
178
179 struct tls12_record_protection *read_current;
180 struct tls12_record_protection *write_current;
181 struct tls12_record_protection *write_previous;
182 };
183
184 struct tls12_record_layer *
tls12_record_layer_new(void)185 tls12_record_layer_new(void)
186 {
187 struct tls12_record_layer *rl;
188
189 if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL)
190 goto err;
191 if ((rl->read_current = tls12_record_protection_new()) == NULL)
192 goto err;
193 if ((rl->write_current = tls12_record_protection_new()) == NULL)
194 goto err;
195
196 rl->read = rl->read_current;
197 rl->write = rl->write_current;
198
199 return rl;
200
201 err:
202 tls12_record_layer_free(rl);
203
204 return NULL;
205 }
206
207 void
tls12_record_layer_free(struct tls12_record_layer * rl)208 tls12_record_layer_free(struct tls12_record_layer *rl)
209 {
210 if (rl == NULL)
211 return;
212
213 tls12_record_protection_free(rl->read_current);
214 tls12_record_protection_free(rl->write_current);
215 tls12_record_protection_free(rl->write_previous);
216
217 freezero(rl, sizeof(struct tls12_record_layer));
218 }
219
220 void
tls12_record_layer_alert(struct tls12_record_layer * rl,uint8_t * alert_desc)221 tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc)
222 {
223 *alert_desc = rl->alert_desc;
224 }
225
226 int
tls12_record_layer_write_overhead(struct tls12_record_layer * rl,size_t * overhead)227 tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
228 size_t *overhead)
229 {
230 size_t block_size, eiv_len, mac_len;
231
232 *overhead = 0;
233
234 if (rl->write->aead_ctx != NULL) {
235 *overhead = rl->write->aead_tag_len;
236 } else if (rl->write->cipher_ctx != NULL) {
237 eiv_len = 0;
238 if (rl->version != TLS1_VERSION) {
239 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
240 return 0;
241 }
242 if (!tls12_record_protection_block_size(rl->write, &block_size))
243 return 0;
244 if (!tls12_record_protection_mac_len(rl->write, &mac_len))
245 return 0;
246
247 *overhead = eiv_len + block_size + mac_len;
248 }
249
250 return 1;
251 }
252
253 int
tls12_record_layer_read_protected(struct tls12_record_layer * rl)254 tls12_record_layer_read_protected(struct tls12_record_layer *rl)
255 {
256 return tls12_record_protection_engaged(rl->read);
257 }
258
259 int
tls12_record_layer_write_protected(struct tls12_record_layer * rl)260 tls12_record_layer_write_protected(struct tls12_record_layer *rl)
261 {
262 return tls12_record_protection_engaged(rl->write);
263 }
264
265 void
tls12_record_layer_set_aead(struct tls12_record_layer * rl,const EVP_AEAD * aead)266 tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead)
267 {
268 rl->aead = aead;
269 }
270
271 void
tls12_record_layer_set_cipher_hash(struct tls12_record_layer * rl,const EVP_CIPHER * cipher,const EVP_MD * handshake_hash,const EVP_MD * mac_hash)272 tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl,
273 const EVP_CIPHER *cipher, const EVP_MD *handshake_hash,
274 const EVP_MD *mac_hash)
275 {
276 rl->cipher = cipher;
277 rl->handshake_hash = handshake_hash;
278 rl->mac_hash = mac_hash;
279 }
280
281 void
tls12_record_layer_set_version(struct tls12_record_layer * rl,uint16_t version)282 tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
283 {
284 rl->version = version;
285 rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR);
286 }
287
288 void
tls12_record_layer_set_initial_epoch(struct tls12_record_layer * rl,uint16_t epoch)289 tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl,
290 uint16_t epoch)
291 {
292 rl->initial_epoch = epoch;
293 }
294
295 uint16_t
tls12_record_layer_read_epoch(struct tls12_record_layer * rl)296 tls12_record_layer_read_epoch(struct tls12_record_layer *rl)
297 {
298 return rl->read->epoch;
299 }
300
301 uint16_t
tls12_record_layer_write_epoch(struct tls12_record_layer * rl)302 tls12_record_layer_write_epoch(struct tls12_record_layer *rl)
303 {
304 return rl->write->epoch;
305 }
306
307 int
tls12_record_layer_use_write_epoch(struct tls12_record_layer * rl,uint16_t epoch)308 tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch)
309 {
310 if (rl->write->epoch == epoch)
311 return 1;
312
313 if (rl->write_current->epoch == epoch) {
314 rl->write = rl->write_current;
315 return 1;
316 }
317
318 if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) {
319 rl->write = rl->write_previous;
320 return 1;
321 }
322
323 return 0;
324 }
325
326 void
tls12_record_layer_write_epoch_done(struct tls12_record_layer * rl,uint16_t epoch)327 tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch)
328 {
329 if (rl->write_previous == NULL || rl->write_previous->epoch != epoch)
330 return;
331
332 rl->write = rl->write_current;
333
334 tls12_record_protection_free(rl->write_previous);
335 rl->write_previous = NULL;
336 }
337
338 void
tls12_record_layer_clear_read_state(struct tls12_record_layer * rl)339 tls12_record_layer_clear_read_state(struct tls12_record_layer *rl)
340 {
341 tls12_record_protection_clear(rl->read);
342 rl->read->epoch = rl->initial_epoch;
343 }
344
345 void
tls12_record_layer_clear_write_state(struct tls12_record_layer * rl)346 tls12_record_layer_clear_write_state(struct tls12_record_layer *rl)
347 {
348 tls12_record_protection_clear(rl->write);
349 rl->write->epoch = rl->initial_epoch;
350
351 tls12_record_protection_free(rl->write_previous);
352 rl->write_previous = NULL;
353 }
354
355 void
tls12_record_layer_reflect_seq_num(struct tls12_record_layer * rl)356 tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl)
357 {
358 memcpy(rl->write->seq_num, rl->read->seq_num,
359 sizeof(rl->write->seq_num));
360 }
361
362 static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = {
363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
364 };
365
366 int
tls12_record_layer_inc_seq_num(struct tls12_record_layer * rl,uint8_t * seq_num)367 tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num)
368 {
369 CBS max_seq_num;
370 int i;
371
372 /*
373 * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS
374 * sequence numbers must not wrap. Note that for DTLS the first two
375 * bytes are used as an "epoch" and not part of the sequence number.
376 */
377 CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN);
378 if (rl->dtls) {
379 if (!CBS_skip(&max_seq_num, 2))
380 return 0;
381 }
382 if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num,
383 CBS_len(&max_seq_num)))
384 return 0;
385
386 for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
387 if (++seq_num[i] != 0)
388 break;
389 }
390
391 return 1;
392 }
393
394 static int
tls12_record_layer_set_mac_key(struct tls12_record_protection * rp,const uint8_t * mac_key,size_t mac_key_len)395 tls12_record_layer_set_mac_key(struct tls12_record_protection *rp,
396 const uint8_t *mac_key, size_t mac_key_len)
397 {
398 freezero(rp->mac_key, rp->mac_key_len);
399 rp->mac_key = NULL;
400 rp->mac_key_len = 0;
401
402 if (mac_key == NULL || mac_key_len == 0)
403 return 1;
404
405 if ((rp->mac_key = calloc(1, mac_key_len)) == NULL)
406 return 0;
407
408 memcpy(rp->mac_key, mac_key, mac_key_len);
409 rp->mac_key_len = mac_key_len;
410
411 return 1;
412 }
413
414 static int
tls12_record_layer_ccs_aead(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)415 tls12_record_layer_ccs_aead(struct tls12_record_layer *rl,
416 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
417 CBS *iv)
418 {
419 if (!tls12_record_protection_unused(rp))
420 return 0;
421
422 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL)
423 return 0;
424
425 /* AES GCM cipher suites use variable nonce in record. */
426 if (rl->aead == EVP_aead_aes_128_gcm() ||
427 rl->aead == EVP_aead_aes_256_gcm())
428 rp->aead_variable_nonce_in_record = 1;
429
430 /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */
431 if (rl->aead == EVP_aead_chacha20_poly1305())
432 rp->aead_xor_nonces = 1;
433
434 if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len))
435 return 0;
436
437 rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead));
438 if (rp->aead_nonce == NULL)
439 return 0;
440
441 rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead);
442 rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead);
443 rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN;
444
445 if (rp->aead_xor_nonces) {
446 /* Fixed nonce length must match, variable must not exceed. */
447 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
448 return 0;
449 if (rp->aead_variable_nonce_len > rp->aead_nonce_len)
450 return 0;
451 } else {
452 /* Concatenated nonce length must equal AEAD nonce length. */
453 if (rp->aead_fixed_nonce_len +
454 rp->aead_variable_nonce_len != rp->aead_nonce_len)
455 return 0;
456 }
457
458 if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key),
459 CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
460 return 0;
461
462 return 1;
463 }
464
465 static int
tls12_record_layer_ccs_cipher(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)466 tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
467 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
468 CBS *iv)
469 {
470 EVP_PKEY *mac_pkey = NULL;
471 int mac_type;
472 int ret = 0;
473
474 if (!tls12_record_protection_unused(rp))
475 goto err;
476
477 mac_type = EVP_PKEY_HMAC;
478 rp->stream_mac = 0;
479
480 if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX)
481 goto err;
482 if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv))
483 goto err;
484 if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key))
485 goto err;
486 if (CBS_len(mac_key) > INT_MAX)
487 goto err;
488 if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key))
489 goto err;
490 if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
491 goto err;
492 if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL)
493 goto err;
494
495 if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key),
496 CBS_len(mac_key)))
497 goto err;
498
499 if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key),
500 CBS_len(mac_key))) == NULL)
501 goto err;
502
503 if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key),
504 CBS_data(iv), is_write))
505 goto err;
506
507 if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL,
508 mac_pkey) <= 0)
509 goto err;
510
511 ret = 1;
512
513 err:
514 EVP_PKEY_free(mac_pkey);
515
516 return ret;
517 }
518
519 static int
tls12_record_layer_change_cipher_state(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)520 tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl,
521 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
522 CBS *iv)
523 {
524 if (rl->aead != NULL)
525 return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key,
526 key, iv);
527
528 return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key,
529 key, iv);
530 }
531
532 int
tls12_record_layer_change_read_cipher_state(struct tls12_record_layer * rl,CBS * mac_key,CBS * key,CBS * iv)533 tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
534 CBS *mac_key, CBS *key, CBS *iv)
535 {
536 struct tls12_record_protection *read_new = NULL;
537 int ret = 0;
538
539 if ((read_new = tls12_record_protection_new()) == NULL)
540 goto err;
541
542 /* Read sequence number gets reset to zero. */
543
544 /* DTLS epoch is incremented and is permitted to wrap. */
545 if (rl->dtls)
546 read_new->epoch = rl->read_current->epoch + 1;
547
548 if (!tls12_record_layer_change_cipher_state(rl, read_new, 0,
549 mac_key, key, iv))
550 goto err;
551
552 tls12_record_protection_free(rl->read_current);
553 rl->read = rl->read_current = read_new;
554 read_new = NULL;
555
556 ret = 1;
557
558 err:
559 tls12_record_protection_free(read_new);
560
561 return ret;
562 }
563
564 int
tls12_record_layer_change_write_cipher_state(struct tls12_record_layer * rl,CBS * mac_key,CBS * key,CBS * iv)565 tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
566 CBS *mac_key, CBS *key, CBS *iv)
567 {
568 struct tls12_record_protection *write_new;
569 int ret = 0;
570
571 if ((write_new = tls12_record_protection_new()) == NULL)
572 goto err;
573
574 /* Write sequence number gets reset to zero. */
575
576 /* DTLS epoch is incremented and is permitted to wrap. */
577 if (rl->dtls)
578 write_new->epoch = rl->write_current->epoch + 1;
579
580 if (!tls12_record_layer_change_cipher_state(rl, write_new, 1,
581 mac_key, key, iv))
582 goto err;
583
584 if (rl->dtls) {
585 tls12_record_protection_free(rl->write_previous);
586 rl->write_previous = rl->write_current;
587 rl->write_current = NULL;
588 }
589 tls12_record_protection_free(rl->write_current);
590 rl->write = rl->write_current = write_new;
591 write_new = NULL;
592
593 ret = 1;
594
595 err:
596 tls12_record_protection_free(write_new);
597
598 return ret;
599 }
600
601 static int
tls12_record_layer_build_seq_num(struct tls12_record_layer * rl,CBB * cbb,uint16_t epoch,uint8_t * seq_num,size_t seq_num_len)602 tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb,
603 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)
604 {
605 CBS seq;
606
607 CBS_init(&seq, seq_num, seq_num_len);
608
609 if (rl->dtls) {
610 if (!CBB_add_u16(cbb, epoch))
611 return 0;
612 if (!CBS_skip(&seq, 2))
613 return 0;
614 }
615
616 return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq));
617 }
618
619 static int
tls12_record_layer_pseudo_header(struct tls12_record_layer * rl,uint8_t content_type,uint16_t record_len,CBS * seq_num,uint8_t ** out,size_t * out_len)620 tls12_record_layer_pseudo_header(struct tls12_record_layer *rl,
621 uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out,
622 size_t *out_len)
623 {
624 CBB cbb;
625
626 *out = NULL;
627 *out_len = 0;
628
629 /* Build the pseudo-header used for MAC/AEAD. */
630 if (!CBB_init(&cbb, 13))
631 goto err;
632
633 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num)))
634 goto err;
635 if (!CBB_add_u8(&cbb, content_type))
636 goto err;
637 if (!CBB_add_u16(&cbb, rl->version))
638 goto err;
639 if (!CBB_add_u16(&cbb, record_len))
640 goto err;
641
642 if (!CBB_finish(&cbb, out, out_len))
643 goto err;
644
645 return 1;
646
647 err:
648 CBB_cleanup(&cbb);
649
650 return 0;
651 }
652
653 static int
tls12_record_layer_mac(struct tls12_record_layer * rl,CBB * cbb,EVP_MD_CTX * hash_ctx,int stream_mac,CBS * seq_num,uint8_t content_type,const uint8_t * content,size_t content_len,size_t * out_len)654 tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
655 EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type,
656 const uint8_t *content, size_t content_len, size_t *out_len)
657 {
658 EVP_MD_CTX *mac_ctx = NULL;
659 uint8_t *header = NULL;
660 size_t header_len = 0;
661 size_t mac_len;
662 uint8_t *mac;
663 int ret = 0;
664
665 if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
666 goto err;
667 if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx))
668 goto err;
669
670 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
671 seq_num, &header, &header_len))
672 goto err;
673
674 if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0)
675 goto err;
676 if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0)
677 goto err;
678 if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0)
679 goto err;
680 if (!CBB_add_space(cbb, &mac, mac_len))
681 goto err;
682 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0)
683 goto err;
684 if (mac_len == 0)
685 goto err;
686
687 if (stream_mac) {
688 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx))
689 goto err;
690 }
691
692 *out_len = mac_len;
693 ret = 1;
694
695 err:
696 EVP_MD_CTX_free(mac_ctx);
697 freezero(header, header_len);
698
699 return ret;
700 }
701
702 static int
tls12_record_layer_read_mac_cbc(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,size_t mac_len,size_t padding_len)703 tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb,
704 uint8_t content_type, CBS *seq_num, const uint8_t *content,
705 size_t content_len, size_t mac_len, size_t padding_len)
706 {
707 uint8_t *header = NULL;
708 size_t header_len = 0;
709 uint8_t *mac = NULL;
710 size_t out_mac_len = 0;
711 int ret = 0;
712
713 /*
714 * Must be constant time to avoid leaking details about CBC padding.
715 */
716
717 if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx))
718 goto err;
719
720 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
721 seq_num, &header, &header_len))
722 goto err;
723
724 if (!CBB_add_space(cbb, &mac, mac_len))
725 goto err;
726 if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header,
727 content, content_len + mac_len, content_len + mac_len + padding_len,
728 rl->read->mac_key, rl->read->mac_key_len))
729 goto err;
730 if (mac_len != out_mac_len)
731 goto err;
732
733 ret = 1;
734
735 err:
736 freezero(header, header_len);
737
738 return ret;
739 }
740
741 static int
tls12_record_layer_read_mac(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len)742 tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb,
743 uint8_t content_type, CBS *seq_num, const uint8_t *content,
744 size_t content_len)
745 {
746 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
747 size_t out_len;
748
749 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
750 return 0;
751
752 return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx,
753 rl->read->stream_mac, seq_num, content_type, content, content_len,
754 &out_len);
755 }
756
757 static int
tls12_record_layer_write_mac(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,size_t * out_len)758 tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
759 uint8_t content_type, CBS *seq_num, const uint8_t *content,
760 size_t content_len, size_t *out_len)
761 {
762 return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx,
763 rl->write->stream_mac, seq_num, content_type, content, content_len,
764 out_len);
765 }
766
767 static int
tls12_record_layer_aead_concat_nonce(struct tls12_record_layer * rl,struct tls12_record_protection * rp,CBS * seq_num)768 tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
769 struct tls12_record_protection *rp, CBS *seq_num)
770 {
771 CBB cbb;
772
773 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
774 return 0;
775
776 /* Fixed nonce and variable nonce (sequence number) are concatenated. */
777 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
778 goto err;
779 if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce,
780 rp->aead_fixed_nonce_len))
781 goto err;
782 if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
783 rp->aead_variable_nonce_len))
784 goto err;
785 if (!CBB_finish(&cbb, NULL, NULL))
786 goto err;
787
788 return 1;
789
790 err:
791 CBB_cleanup(&cbb);
792
793 return 0;
794 }
795
796 static int
tls12_record_layer_aead_xored_nonce(struct tls12_record_layer * rl,struct tls12_record_protection * rp,CBS * seq_num)797 tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
798 struct tls12_record_protection *rp, CBS *seq_num)
799 {
800 uint8_t *pad;
801 CBB cbb;
802 int i;
803
804 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
805 return 0;
806 if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len)
807 return 0;
808 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
809 return 0;
810
811 /*
812 * Variable nonce (sequence number) is right padded, before the fixed
813 * nonce is XOR'd in.
814 */
815 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
816 goto err;
817 if (!CBB_add_space(&cbb, &pad,
818 rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len))
819 goto err;
820 if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
821 rp->aead_variable_nonce_len))
822 goto err;
823 if (!CBB_finish(&cbb, NULL, NULL))
824 goto err;
825
826 for (i = 0; i < rp->aead_fixed_nonce_len; i++)
827 rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i];
828
829 return 1;
830
831 err:
832 CBB_cleanup(&cbb);
833
834 return 0;
835 }
836
837 static int
tls12_record_layer_open_record_plaintext(struct tls12_record_layer * rl,uint8_t content_type,CBS * fragment,struct tls_content * out)838 tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl,
839 uint8_t content_type, CBS *fragment, struct tls_content *out)
840 {
841 if (tls12_record_protection_engaged(rl->read))
842 return 0;
843
844 return tls_content_dup_data(out, content_type, CBS_data(fragment),
845 CBS_len(fragment));
846 }
847
848 static int
tls12_record_layer_open_record_protected_aead(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,CBS * fragment,struct tls_content * out)849 tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
850 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
851 {
852 struct tls12_record_protection *rp = rl->read;
853 uint8_t *header = NULL;
854 size_t header_len = 0;
855 uint8_t *content = NULL;
856 size_t content_len = 0;
857 size_t out_len = 0;
858 CBS var_nonce;
859 int ret = 0;
860
861 if (rp->aead_xor_nonces) {
862 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
863 goto err;
864 } else if (rp->aead_variable_nonce_in_record) {
865 if (!CBS_get_bytes(fragment, &var_nonce,
866 rp->aead_variable_nonce_len))
867 goto err;
868 if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce))
869 goto err;
870 } else {
871 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
872 goto err;
873 }
874
875 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
876 if (CBS_len(fragment) < rp->aead_tag_len) {
877 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
878 goto err;
879 }
880 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
881 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
882 goto err;
883 }
884
885 content_len = CBS_len(fragment) - rp->aead_tag_len;
886 if ((content = calloc(1, CBS_len(fragment))) == NULL) {
887 content_len = 0;
888 goto err;
889 }
890
891 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
892 seq_num, &header, &header_len))
893 goto err;
894
895 if (!EVP_AEAD_CTX_open(rp->aead_ctx, content, &out_len, content_len,
896 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment),
897 CBS_len(fragment), header, header_len)) {
898 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
899 goto err;
900 }
901
902 if (out_len > SSL3_RT_MAX_PLAIN_LENGTH) {
903 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
904 goto err;
905 }
906
907 if (out_len != content_len)
908 goto err;
909
910 tls_content_set_data(out, content_type, content, content_len);
911 content = NULL;
912 content_len = 0;
913
914 ret = 1;
915
916 err:
917 freezero(header, header_len);
918 freezero(content, content_len);
919
920 return ret;
921 }
922
923 static int
tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,CBS * fragment,struct tls_content * out)924 tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
925 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
926 {
927 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
928 SSL3_RECORD_INTERNAL rrec;
929 size_t block_size, eiv_len;
930 uint8_t *mac = NULL;
931 size_t mac_len = 0;
932 uint8_t *out_mac = NULL;
933 size_t out_mac_len = 0;
934 uint8_t *content = NULL;
935 size_t content_len = 0;
936 size_t min_len;
937 CBB cbb_mac;
938 int ret = 0;
939
940 memset(&cbb_mac, 0, sizeof(cbb_mac));
941 memset(&rrec, 0, sizeof(rrec));
942
943 if (!tls12_record_protection_block_size(rl->read, &block_size))
944 goto err;
945
946 /* Determine explicit IV length. */
947 eiv_len = 0;
948 if (rl->version != TLS1_VERSION) {
949 if (!tls12_record_protection_eiv_len(rl->read, &eiv_len))
950 goto err;
951 }
952
953 mac_len = 0;
954 if (rl->read->hash_ctx != NULL) {
955 if (!tls12_record_protection_mac_len(rl->read, &mac_len))
956 goto err;
957 }
958
959 /* CBC has at least one padding byte. */
960 min_len = eiv_len + mac_len;
961 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
962 min_len += 1;
963
964 if (CBS_len(fragment) < min_len) {
965 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
966 goto err;
967 }
968 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
969 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
970 goto err;
971 }
972 if (CBS_len(fragment) % block_size != 0) {
973 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
974 goto err;
975 }
976
977 if ((content = calloc(1, CBS_len(fragment))) == NULL)
978 goto err;
979 content_len = CBS_len(fragment);
980
981 if (!EVP_Cipher(enc, content, CBS_data(fragment), CBS_len(fragment)))
982 goto err;
983
984 rrec.data = content;
985 rrec.input = content;
986 rrec.length = content_len;
987
988 /*
989 * We now have to remove padding, extract MAC, calculate MAC
990 * and compare MAC in constant time.
991 */
992 if (block_size > 1)
993 ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len);
994
995 if ((mac = calloc(1, mac_len)) == NULL)
996 goto err;
997
998 if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE))
999 goto err;
1000 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) {
1001 ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length +
1002 rrec.padding_length);
1003 rrec.length -= mac_len;
1004 if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type,
1005 seq_num, rrec.input, rrec.length, mac_len,
1006 rrec.padding_length))
1007 goto err;
1008 } else {
1009 rrec.length -= mac_len;
1010 memcpy(mac, rrec.data + rrec.length, mac_len);
1011 if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type,
1012 seq_num, rrec.input, rrec.length))
1013 goto err;
1014 }
1015 if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len))
1016 goto err;
1017 if (mac_len != out_mac_len)
1018 goto err;
1019
1020 if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) {
1021 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
1022 goto err;
1023 }
1024
1025 if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) {
1026 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
1027 goto err;
1028 }
1029 if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) {
1030 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
1031 goto err;
1032 }
1033
1034 tls_content_set_data(out, content_type, content, content_len);
1035 content = NULL;
1036 content_len = 0;
1037
1038 /* Actual content is after EIV, minus padding and MAC. */
1039 if (!tls_content_set_bounds(out, eiv_len, rrec.length))
1040 goto err;
1041
1042 ret = 1;
1043
1044 err:
1045 CBB_cleanup(&cbb_mac);
1046 freezero(mac, mac_len);
1047 freezero(out_mac, out_mac_len);
1048 freezero(content, content_len);
1049
1050 return ret;
1051 }
1052
1053 int
tls12_record_layer_open_record(struct tls12_record_layer * rl,uint8_t * buf,size_t buf_len,struct tls_content * out)1054 tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
1055 size_t buf_len, struct tls_content *out)
1056 {
1057 CBS cbs, fragment, seq_num;
1058 uint16_t version;
1059 uint8_t content_type;
1060
1061 CBS_init(&cbs, buf, buf_len);
1062 CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num));
1063
1064 if (!CBS_get_u8(&cbs, &content_type))
1065 return 0;
1066 if (!CBS_get_u16(&cbs, &version))
1067 return 0;
1068 if (rl->dtls) {
1069 /*
1070 * The DTLS sequence number is split into a 16 bit epoch and
1071 * 48 bit sequence number, however for the purposes of record
1072 * processing it is treated the same as a TLS 64 bit sequence
1073 * number. DTLS also uses explicit read sequence numbers, which
1074 * we need to extract from the DTLS record header.
1075 */
1076 if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE))
1077 return 0;
1078 if (!CBS_write_bytes(&seq_num, rl->read->seq_num,
1079 sizeof(rl->read->seq_num), NULL))
1080 return 0;
1081 }
1082 if (!CBS_get_u16_length_prefixed(&cbs, &fragment))
1083 return 0;
1084
1085 if (rl->read->aead_ctx != NULL) {
1086 if (!tls12_record_layer_open_record_protected_aead(rl,
1087 content_type, &seq_num, &fragment, out))
1088 return 0;
1089 } else if (rl->read->cipher_ctx != NULL) {
1090 if (!tls12_record_layer_open_record_protected_cipher(rl,
1091 content_type, &seq_num, &fragment, out))
1092 return 0;
1093 } else {
1094 if (!tls12_record_layer_open_record_plaintext(rl,
1095 content_type, &fragment, out))
1096 return 0;
1097 }
1098
1099 if (!rl->dtls) {
1100 if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num))
1101 return 0;
1102 }
1103
1104 return 1;
1105 }
1106
1107 static int
tls12_record_layer_seal_record_plaintext(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * out)1108 tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl,
1109 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out)
1110 {
1111 if (tls12_record_protection_engaged(rl->write))
1112 return 0;
1113
1114 return CBB_add_bytes(out, content, content_len);
1115 }
1116
1117 static int
tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,CBB * out)1118 tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl,
1119 uint8_t content_type, CBS *seq_num, const uint8_t *content,
1120 size_t content_len, CBB *out)
1121 {
1122 struct tls12_record_protection *rp = rl->write;
1123 uint8_t *header = NULL;
1124 size_t header_len = 0;
1125 size_t enc_record_len, out_len;
1126 uint8_t *enc_data;
1127 int ret = 0;
1128
1129 if (rp->aead_xor_nonces) {
1130 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
1131 goto err;
1132 } else {
1133 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
1134 goto err;
1135 }
1136
1137 if (rp->aead_variable_nonce_in_record) {
1138 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
1139 goto err;
1140 if (!CBB_add_bytes(out, CBS_data(seq_num),
1141 rp->aead_variable_nonce_len))
1142 goto err;
1143 }
1144
1145 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
1146 seq_num, &header, &header_len))
1147 goto err;
1148
1149 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
1150 enc_record_len = content_len + rp->aead_tag_len;
1151 if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1152 goto err;
1153 if (!CBB_add_space(out, &enc_data, enc_record_len))
1154 goto err;
1155
1156 if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len,
1157 rp->aead_nonce, rp->aead_nonce_len, content, content_len, header,
1158 header_len))
1159 goto err;
1160
1161 if (out_len != enc_record_len)
1162 goto err;
1163
1164 ret = 1;
1165
1166 err:
1167 freezero(header, header_len);
1168
1169 return ret;
1170 }
1171
1172 static int
tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,CBB * out)1173 tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl,
1174 uint8_t content_type, CBS *seq_num, const uint8_t *content,
1175 size_t content_len, CBB *out)
1176 {
1177 EVP_CIPHER_CTX *enc = rl->write->cipher_ctx;
1178 size_t block_size, eiv_len, mac_len, pad_len;
1179 uint8_t *enc_data, *eiv, *pad, pad_val;
1180 uint8_t *plain = NULL;
1181 size_t plain_len = 0;
1182 int ret = 0;
1183 CBB cbb;
1184
1185 if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH))
1186 goto err;
1187
1188 /* Add explicit IV if necessary. */
1189 eiv_len = 0;
1190 if (rl->version != TLS1_VERSION) {
1191 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
1192 goto err;
1193 }
1194 if (eiv_len > 0) {
1195 if (!CBB_add_space(&cbb, &eiv, eiv_len))
1196 goto err;
1197 arc4random_buf(eiv, eiv_len);
1198 }
1199
1200 if (!CBB_add_bytes(&cbb, content, content_len))
1201 goto err;
1202
1203 mac_len = 0;
1204 if (rl->write->hash_ctx != NULL) {
1205 if (!tls12_record_layer_write_mac(rl, &cbb, content_type,
1206 seq_num, content, content_len, &mac_len))
1207 goto err;
1208 }
1209
1210 plain_len = eiv_len + content_len + mac_len;
1211
1212 /* Add padding to block size, if necessary. */
1213 if (!tls12_record_protection_block_size(rl->write, &block_size))
1214 goto err;
1215 if (block_size > 1) {
1216 pad_len = block_size - (plain_len % block_size);
1217 pad_val = pad_len - 1;
1218
1219 if (pad_len > 255)
1220 goto err;
1221 if (!CBB_add_space(&cbb, &pad, pad_len))
1222 goto err;
1223 memset(pad, pad_val, pad_len);
1224 }
1225
1226 if (!CBB_finish(&cbb, &plain, &plain_len))
1227 goto err;
1228
1229 if (plain_len % block_size != 0)
1230 goto err;
1231 if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1232 goto err;
1233
1234 if (!CBB_add_space(out, &enc_data, plain_len))
1235 goto err;
1236 if (!EVP_Cipher(enc, enc_data, plain, plain_len))
1237 goto err;
1238
1239 ret = 1;
1240
1241 err:
1242 CBB_cleanup(&cbb);
1243 freezero(plain, plain_len);
1244
1245 return ret;
1246 }
1247
1248 int
tls12_record_layer_seal_record(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * cbb)1249 tls12_record_layer_seal_record(struct tls12_record_layer *rl,
1250 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb)
1251 {
1252 uint8_t *seq_num_data = NULL;
1253 size_t seq_num_len = 0;
1254 CBB fragment, seq_num_cbb;
1255 CBS seq_num;
1256 int ret = 0;
1257
1258 /*
1259 * Construct the effective sequence number - this is used in both
1260 * the DTLS header and for MAC calculations.
1261 */
1262 if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE))
1263 goto err;
1264 if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch,
1265 rl->write->seq_num, sizeof(rl->write->seq_num)))
1266 goto err;
1267 if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len))
1268 goto err;
1269 CBS_init(&seq_num, seq_num_data, seq_num_len);
1270
1271 if (!CBB_add_u8(cbb, content_type))
1272 goto err;
1273 if (!CBB_add_u16(cbb, rl->version))
1274 goto err;
1275 if (rl->dtls) {
1276 if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num)))
1277 goto err;
1278 }
1279 if (!CBB_add_u16_length_prefixed(cbb, &fragment))
1280 goto err;
1281
1282 if (rl->write->aead_ctx != NULL) {
1283 if (!tls12_record_layer_seal_record_protected_aead(rl,
1284 content_type, &seq_num, content, content_len, &fragment))
1285 goto err;
1286 } else if (rl->write->cipher_ctx != NULL) {
1287 if (!tls12_record_layer_seal_record_protected_cipher(rl,
1288 content_type, &seq_num, content, content_len, &fragment))
1289 goto err;
1290 } else {
1291 if (!tls12_record_layer_seal_record_plaintext(rl,
1292 content_type, content, content_len, &fragment))
1293 goto err;
1294 }
1295
1296 if (!CBB_flush(cbb))
1297 goto err;
1298
1299 if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num))
1300 goto err;
1301
1302 ret = 1;
1303
1304 err:
1305 CBB_cleanup(&seq_num_cbb);
1306 free(seq_num_data);
1307
1308 return ret;
1309 }
1310