1 /* $OpenBSD: tls12_record_layer.c,v 1.4 2020/09/16 17:15:01 jsing Exp $ */
2 /*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <stdlib.h>
19
20 #include <openssl/evp.h>
21
22 #include "ssl_locl.h"
23
24 struct tls12_record_layer {
25 uint16_t version;
26 int dtls;
27
28 uint16_t read_epoch;
29 uint16_t write_epoch;
30
31 int read_stream_mac;
32 int write_stream_mac;
33
34 /*
35 * XXX - for now these are just pointers to externally managed
36 * structs/memory. These should eventually be owned by the record layer.
37 */
38 SSL_AEAD_CTX *read_aead_ctx;
39 SSL_AEAD_CTX *write_aead_ctx;
40
41 EVP_CIPHER_CTX *read_cipher_ctx;
42 EVP_MD_CTX *read_hash_ctx;
43 EVP_CIPHER_CTX *write_cipher_ctx;
44 EVP_MD_CTX *write_hash_ctx;
45
46 uint8_t *read_seq_num;
47 uint8_t *write_seq_num;
48 };
49
50 struct tls12_record_layer *
tls12_record_layer_new(void)51 tls12_record_layer_new(void)
52 {
53 struct tls12_record_layer *rl;
54
55 if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL)
56 return NULL;
57
58 return rl;
59 }
60
61 void
tls12_record_layer_free(struct tls12_record_layer * rl)62 tls12_record_layer_free(struct tls12_record_layer *rl)
63 {
64 freezero(rl, sizeof(struct tls12_record_layer));
65 }
66
67 void
tls12_record_layer_set_version(struct tls12_record_layer * rl,uint16_t version)68 tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
69 {
70 rl->version = version;
71 rl->dtls = (version == DTLS1_VERSION);
72 }
73
74 void
tls12_record_layer_set_read_epoch(struct tls12_record_layer * rl,uint16_t epoch)75 tls12_record_layer_set_read_epoch(struct tls12_record_layer *rl, uint16_t epoch)
76 {
77 rl->read_epoch = epoch;
78 }
79
80 void
tls12_record_layer_set_write_epoch(struct tls12_record_layer * rl,uint16_t epoch)81 tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, uint16_t epoch)
82 {
83 rl->write_epoch = epoch;
84 }
85
86 static void
tls12_record_layer_set_read_state(struct tls12_record_layer * rl,SSL_AEAD_CTX * aead_ctx,EVP_CIPHER_CTX * cipher_ctx,EVP_MD_CTX * hash_ctx,int stream_mac)87 tls12_record_layer_set_read_state(struct tls12_record_layer *rl,
88 SSL_AEAD_CTX *aead_ctx, EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx,
89 int stream_mac)
90 {
91 rl->read_aead_ctx = aead_ctx;
92
93 rl->read_cipher_ctx = cipher_ctx;
94 rl->read_hash_ctx = hash_ctx;
95 rl->read_stream_mac = stream_mac;
96 }
97
98 static void
tls12_record_layer_set_write_state(struct tls12_record_layer * rl,SSL_AEAD_CTX * aead_ctx,EVP_CIPHER_CTX * cipher_ctx,EVP_MD_CTX * hash_ctx,int stream_mac)99 tls12_record_layer_set_write_state(struct tls12_record_layer *rl,
100 SSL_AEAD_CTX *aead_ctx, EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx,
101 int stream_mac)
102 {
103 rl->write_aead_ctx = aead_ctx;
104
105 rl->write_cipher_ctx = cipher_ctx;
106 rl->write_hash_ctx = hash_ctx;
107 rl->write_stream_mac = stream_mac;
108 }
109
110 void
tls12_record_layer_clear_read_state(struct tls12_record_layer * rl)111 tls12_record_layer_clear_read_state(struct tls12_record_layer *rl)
112 {
113 tls12_record_layer_set_read_state(rl, NULL, NULL, NULL, 0);
114 rl->read_seq_num = NULL;
115 }
116
117 void
tls12_record_layer_clear_write_state(struct tls12_record_layer * rl)118 tls12_record_layer_clear_write_state(struct tls12_record_layer *rl)
119 {
120 tls12_record_layer_set_write_state(rl, NULL, NULL, NULL, 0);
121 rl->write_seq_num = NULL;
122 }
123
124 void
tls12_record_layer_set_read_seq_num(struct tls12_record_layer * rl,uint8_t * seq_num)125 tls12_record_layer_set_read_seq_num(struct tls12_record_layer *rl,
126 uint8_t *seq_num)
127 {
128 rl->read_seq_num = seq_num;
129 }
130
131 void
tls12_record_layer_set_write_seq_num(struct tls12_record_layer * rl,uint8_t * seq_num)132 tls12_record_layer_set_write_seq_num(struct tls12_record_layer *rl,
133 uint8_t *seq_num)
134 {
135 rl->write_seq_num = seq_num;
136 }
137
138 int
tls12_record_layer_set_read_aead(struct tls12_record_layer * rl,SSL_AEAD_CTX * aead_ctx)139 tls12_record_layer_set_read_aead(struct tls12_record_layer *rl,
140 SSL_AEAD_CTX *aead_ctx)
141 {
142 tls12_record_layer_set_read_state(rl, aead_ctx, NULL, NULL, 0);
143
144 return 1;
145 }
146
147 int
tls12_record_layer_set_write_aead(struct tls12_record_layer * rl,SSL_AEAD_CTX * aead_ctx)148 tls12_record_layer_set_write_aead(struct tls12_record_layer *rl,
149 SSL_AEAD_CTX *aead_ctx)
150 {
151 tls12_record_layer_set_write_state(rl, aead_ctx, NULL, NULL, 0);
152
153 return 1;
154 }
155
156 int
tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer * rl,EVP_CIPHER_CTX * cipher_ctx,EVP_MD_CTX * hash_ctx,int stream_mac)157 tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer *rl,
158 EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac)
159 {
160 tls12_record_layer_set_read_state(rl, NULL, cipher_ctx, hash_ctx,
161 stream_mac);
162
163 return 1;
164 }
165
166 int
tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer * rl,EVP_CIPHER_CTX * cipher_ctx,EVP_MD_CTX * hash_ctx,int stream_mac)167 tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer *rl,
168 EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac)
169 {
170 tls12_record_layer_set_write_state(rl, NULL, cipher_ctx, hash_ctx,
171 stream_mac);
172
173 return 1;
174 }
175
176 static int
tls12_record_layer_build_seq_num(struct tls12_record_layer * rl,CBB * cbb,uint16_t epoch,uint8_t * seq_num,size_t seq_num_len)177 tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb,
178 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)
179 {
180 CBS seq;
181
182 CBS_init(&seq, seq_num, seq_num_len);
183
184 if (rl->dtls) {
185 if (!CBB_add_u16(cbb, epoch))
186 return 0;
187 if (!CBS_skip(&seq, 2))
188 return 0;
189 }
190
191 return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq));
192 }
193
194 static int
tls12_record_layer_pseudo_header(struct tls12_record_layer * rl,uint8_t content_type,uint16_t record_len,uint16_t epoch,uint8_t * seq_num,size_t seq_num_len,uint8_t ** out,size_t * out_len)195 tls12_record_layer_pseudo_header(struct tls12_record_layer *rl,
196 uint8_t content_type, uint16_t record_len, uint16_t epoch, uint8_t *seq_num,
197 size_t seq_num_len, uint8_t **out, size_t *out_len)
198 {
199 CBB cbb;
200
201 *out = NULL;
202 *out_len = 0;
203
204 /* Build the pseudo-header used for MAC/AEAD. */
205 if (!CBB_init(&cbb, 13))
206 goto err;
207
208 if (!tls12_record_layer_build_seq_num(rl, &cbb, epoch,
209 seq_num, seq_num_len))
210 goto err;
211 if (!CBB_add_u8(&cbb, content_type))
212 goto err;
213 if (!CBB_add_u16(&cbb, rl->version))
214 goto err;
215 if (!CBB_add_u16(&cbb, record_len))
216 goto err;
217
218 if (!CBB_finish(&cbb, out, out_len))
219 goto err;
220
221 return 1;
222
223 err:
224 CBB_cleanup(&cbb);
225
226 return 0;
227 }
228
229 static int
tls12_record_layer_mac(struct tls12_record_layer * rl,CBB * cbb,EVP_MD_CTX * hash_ctx,int stream_mac,uint16_t epoch,uint8_t * seq_num,size_t seq_num_len,uint8_t content_type,const uint8_t * content,size_t content_len,size_t * out_len)230 tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
231 EVP_MD_CTX *hash_ctx, int stream_mac, uint16_t epoch, uint8_t *seq_num,
232 size_t seq_num_len, uint8_t content_type, const uint8_t *content,
233 size_t content_len, size_t *out_len)
234 {
235 EVP_MD_CTX *mac_ctx = NULL;
236 uint8_t *header = NULL;
237 size_t header_len;
238 size_t mac_len;
239 uint8_t *mac;
240 int ret = 0;
241
242 if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
243 goto err;
244 if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx))
245 goto err;
246
247 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
248 epoch, seq_num, seq_num_len, &header, &header_len))
249 goto err;
250
251 if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0)
252 goto err;
253 if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0)
254 goto err;
255 if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0)
256 goto err;
257 if (!CBB_add_space(cbb, &mac, mac_len))
258 goto err;
259 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0)
260 goto err;
261
262 if (stream_mac) {
263 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx))
264 goto err;
265 }
266
267 *out_len = mac_len;
268 ret = 1;
269
270 err:
271 EVP_MD_CTX_free(mac_ctx);
272 free(header);
273
274 return ret;
275 }
276
277 static int
tls12_record_layer_write_mac(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,const uint8_t * content,size_t content_len,size_t * out_len)278 tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
279 uint8_t content_type, const uint8_t *content, size_t content_len,
280 size_t *out_len)
281 {
282 return tls12_record_layer_mac(rl, cbb, rl->write_hash_ctx,
283 rl->write_stream_mac, rl->write_epoch, rl->write_seq_num,
284 SSL3_SEQUENCE_SIZE, content_type, content, content_len, out_len);
285 }
286
287 static int
tls12_record_layer_aead_concat_nonce(struct tls12_record_layer * rl,const SSL_AEAD_CTX * aead,uint8_t * seq_num,uint8_t ** out,size_t * out_len)288 tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
289 const SSL_AEAD_CTX *aead, uint8_t *seq_num, uint8_t **out, size_t *out_len)
290 {
291 CBB cbb;
292
293 if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE)
294 return 0;
295
296 /* Fixed nonce and variable nonce (sequence number) are concatenated. */
297 if (!CBB_init(&cbb, 16))
298 goto err;
299 if (!CBB_add_bytes(&cbb, aead->fixed_nonce,
300 aead->fixed_nonce_len))
301 goto err;
302 if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len))
303 goto err;
304 if (!CBB_finish(&cbb, out, out_len))
305 goto err;
306
307 return 1;
308
309 err:
310 CBB_cleanup(&cbb);
311
312 return 0;
313 }
314
315 static int
tls12_record_layer_aead_xored_nonce(struct tls12_record_layer * rl,const SSL_AEAD_CTX * aead,uint8_t * seq_num,uint8_t ** out,size_t * out_len)316 tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
317 const SSL_AEAD_CTX *aead, uint8_t *seq_num, uint8_t **out, size_t *out_len)
318 {
319 uint8_t *nonce = NULL;
320 size_t nonce_len = 0;
321 uint8_t *pad;
322 CBB cbb;
323 int i;
324
325 if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE)
326 return 0;
327 if (aead->fixed_nonce_len < aead->variable_nonce_len)
328 return 0;
329
330 /*
331 * Variable nonce (sequence number) is right padded, before the fixed
332 * nonce is XOR'd in.
333 */
334 if (!CBB_init(&cbb, 16))
335 goto err;
336 if (!CBB_add_space(&cbb, &pad,
337 aead->fixed_nonce_len - aead->variable_nonce_len))
338 goto err;
339 if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len))
340 goto err;
341 if (!CBB_finish(&cbb, &nonce, &nonce_len))
342 goto err;
343
344 for (i = 0; i < aead->fixed_nonce_len; i++)
345 nonce[i] ^= aead->fixed_nonce[i];
346
347 *out = nonce;
348 *out_len = nonce_len;
349
350 return 1;
351
352 err:
353 CBB_cleanup(&cbb);
354 freezero(nonce, nonce_len);
355
356 return 0;
357 }
358
359 static int
tls12_record_layer_seal_record_plaintext(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * out)360 tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl,
361 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out)
362 {
363 if (rl->write_aead_ctx != NULL || rl->write_cipher_ctx != NULL)
364 return 0;
365
366 return CBB_add_bytes(out, content, content_len);
367 }
368
369 static int
tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * out)370 tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl,
371 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out)
372 {
373 const SSL_AEAD_CTX *aead = rl->write_aead_ctx;
374 uint8_t *header = NULL, *nonce = NULL;
375 size_t header_len = 0, nonce_len = 0;
376 size_t enc_record_len, out_len;
377 uint16_t epoch = 0;
378 uint8_t *enc_data;
379 int ret = 0;
380
381 /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */
382 if (aead->xor_fixed_nonce) {
383 if (!tls12_record_layer_aead_xored_nonce(rl, aead,
384 rl->write_seq_num, &nonce, &nonce_len))
385 goto err;
386 } else {
387 if (!tls12_record_layer_aead_concat_nonce(rl, aead,
388 rl->write_seq_num, &nonce, &nonce_len))
389 goto err;
390 }
391
392 if (aead->variable_nonce_in_record) {
393 /* XXX - length check? */
394 if (!CBB_add_bytes(out, rl->write_seq_num, aead->variable_nonce_len))
395 goto err;
396 }
397
398 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
399 epoch, rl->write_seq_num, SSL3_SEQUENCE_SIZE, &header, &header_len))
400 goto err;
401
402 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
403 enc_record_len = content_len + aead->tag_len;
404 if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
405 goto err;
406 if (!CBB_add_space(out, &enc_data, enc_record_len))
407 goto err;
408
409 if (!EVP_AEAD_CTX_seal(&aead->ctx, enc_data, &out_len, enc_record_len,
410 nonce, nonce_len, content, content_len, header, header_len))
411 goto err;
412
413 if (out_len != enc_record_len)
414 goto err;
415
416 ret = 1;
417
418 err:
419 freezero(header, header_len);
420 freezero(nonce, nonce_len);
421
422 return ret;
423 }
424
425 static int
tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * out)426 tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl,
427 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out)
428 {
429 EVP_CIPHER_CTX *enc = rl->write_cipher_ctx;
430 size_t mac_len, pad_len;
431 int block_size, eiv_len;
432 uint8_t *enc_data, *eiv, *pad, pad_val;
433 uint8_t *plain = NULL;
434 size_t plain_len = 0;
435 int ret = 0;
436 CBB cbb;
437
438 if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH))
439 goto err;
440
441 /* Add explicit IV if necessary. */
442 eiv_len = 0;
443 if (rl->version != TLS1_VERSION &&
444 EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
445 eiv_len = EVP_CIPHER_CTX_iv_length(enc);
446 if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH)
447 goto err;
448 if (eiv_len > 0) {
449 if (!CBB_add_space(&cbb, &eiv, eiv_len))
450 goto err;
451 arc4random_buf(eiv, eiv_len);
452 }
453
454 if (!CBB_add_bytes(&cbb, content, content_len))
455 goto err;
456
457 mac_len = 0;
458 if (rl->write_hash_ctx != NULL) {
459 if (!tls12_record_layer_write_mac(rl, &cbb, content_type,
460 content, content_len, &mac_len))
461 goto err;
462 }
463
464 plain_len = (size_t)eiv_len + content_len + mac_len;
465
466 /* Add padding to block size, if necessary. */
467 block_size = EVP_CIPHER_CTX_block_size(enc);
468 if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH)
469 goto err;
470 if (block_size > 1) {
471 pad_len = block_size - (plain_len % block_size);
472 pad_val = pad_len - 1;
473
474 if (pad_len > 255)
475 goto err;
476 if (!CBB_add_space(&cbb, &pad, pad_len))
477 goto err;
478 memset(pad, pad_val, pad_len);
479 }
480
481 if (!CBB_finish(&cbb, &plain, &plain_len))
482 goto err;
483
484 if (plain_len % block_size != 0)
485 goto err;
486 if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
487 goto err;
488
489 if (!CBB_add_space(out, &enc_data, plain_len))
490 goto err;
491 if (!EVP_Cipher(enc, enc_data, plain, plain_len))
492 goto err;
493
494 ret = 1;
495
496 err:
497 CBB_cleanup(&cbb);
498 freezero(plain, plain_len);
499
500 return ret;
501 }
502
503 int
tls12_record_layer_seal_record(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * cbb)504 tls12_record_layer_seal_record(struct tls12_record_layer *rl,
505 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb)
506 {
507 CBB fragment;
508
509 if (!CBB_add_u8(cbb, content_type))
510 return 0;
511 if (!CBB_add_u16(cbb, rl->version))
512 return 0;
513 if (rl->dtls) {
514 if (!tls12_record_layer_build_seq_num(rl, cbb,
515 rl->write_epoch, rl->write_seq_num,
516 SSL3_SEQUENCE_SIZE))
517 return 0;
518 }
519 if (!CBB_add_u16_length_prefixed(cbb, &fragment))
520 return 0;
521
522 if (rl->write_aead_ctx != NULL) {
523 if (!tls12_record_layer_seal_record_protected_aead(rl,
524 content_type, content, content_len, &fragment))
525 return 0;
526 } else if (rl->write_cipher_ctx != NULL) {
527 if (!tls12_record_layer_seal_record_protected_cipher(rl,
528 content_type, content, content_len, &fragment))
529 return 0;
530 } else {
531 if (!tls12_record_layer_seal_record_plaintext(rl,
532 content_type, content, content_len, &fragment))
533 return 0;
534 }
535
536 if (!CBB_flush(cbb))
537 return 0;
538
539 tls1_record_sequence_increment(rl->write_seq_num);
540
541 return 1;
542 }
543