1 /* $OpenBSD: tls12_record_layer.c,v 1.36 2022/01/14 09:12:15 tb Exp $ */
2 /*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <limits.h>
19 #include <stdlib.h>
20
21 #include <openssl/evp.h>
22
23 #include "ssl_locl.h"
24
25 #define TLS12_RECORD_SEQ_NUM_LEN 8
26 #define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12
27
28 struct tls12_record_protection {
29 uint16_t epoch;
30 uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN];
31
32 EVP_AEAD_CTX *aead_ctx;
33
34 uint8_t *aead_nonce;
35 size_t aead_nonce_len;
36
37 uint8_t *aead_fixed_nonce;
38 size_t aead_fixed_nonce_len;
39
40 size_t aead_variable_nonce_len;
41 size_t aead_tag_len;
42
43 int aead_xor_nonces;
44 int aead_variable_nonce_in_record;
45
46 EVP_CIPHER_CTX *cipher_ctx;
47 EVP_MD_CTX *hash_ctx;
48
49 int stream_mac;
50
51 uint8_t *mac_key;
52 size_t mac_key_len;
53 };
54
55 static struct tls12_record_protection *
tls12_record_protection_new(void)56 tls12_record_protection_new(void)
57 {
58 return calloc(1, sizeof(struct tls12_record_protection));
59 }
60
61 static void
tls12_record_protection_clear(struct tls12_record_protection * rp)62 tls12_record_protection_clear(struct tls12_record_protection *rp)
63 {
64 EVP_AEAD_CTX_free(rp->aead_ctx);
65
66 freezero(rp->aead_nonce, rp->aead_nonce_len);
67 freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len);
68
69 EVP_CIPHER_CTX_free(rp->cipher_ctx);
70 EVP_MD_CTX_free(rp->hash_ctx);
71
72 freezero(rp->mac_key, rp->mac_key_len);
73
74 memset(rp, 0, sizeof(*rp));
75 }
76
77 static void
tls12_record_protection_free(struct tls12_record_protection * rp)78 tls12_record_protection_free(struct tls12_record_protection *rp)
79 {
80 if (rp == NULL)
81 return;
82
83 tls12_record_protection_clear(rp);
84
85 freezero(rp, sizeof(struct tls12_record_protection));
86 }
87
88 static int
tls12_record_protection_engaged(struct tls12_record_protection * rp)89 tls12_record_protection_engaged(struct tls12_record_protection *rp)
90 {
91 return rp->aead_ctx != NULL || rp->cipher_ctx != NULL;
92 }
93
94 static int
tls12_record_protection_unused(struct tls12_record_protection * rp)95 tls12_record_protection_unused(struct tls12_record_protection *rp)
96 {
97 return rp->aead_ctx == NULL && rp->cipher_ctx == NULL &&
98 rp->hash_ctx == NULL && rp->mac_key == NULL;
99 }
100
101 static int
tls12_record_protection_eiv_len(struct tls12_record_protection * rp,size_t * out_eiv_len)102 tls12_record_protection_eiv_len(struct tls12_record_protection *rp,
103 size_t *out_eiv_len)
104 {
105 int eiv_len;
106
107 *out_eiv_len = 0;
108
109 if (rp->cipher_ctx == NULL)
110 return 0;
111
112 eiv_len = 0;
113 if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE)
114 eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx);
115 if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH)
116 return 0;
117
118 *out_eiv_len = eiv_len;
119
120 return 1;
121 }
122
123 static int
tls12_record_protection_block_size(struct tls12_record_protection * rp,size_t * out_block_size)124 tls12_record_protection_block_size(struct tls12_record_protection *rp,
125 size_t *out_block_size)
126 {
127 int block_size;
128
129 *out_block_size = 0;
130
131 if (rp->cipher_ctx == NULL)
132 return 0;
133
134 block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx);
135 if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH)
136 return 0;
137
138 *out_block_size = block_size;
139
140 return 1;
141 }
142
143 static int
tls12_record_protection_mac_len(struct tls12_record_protection * rp,size_t * out_mac_len)144 tls12_record_protection_mac_len(struct tls12_record_protection *rp,
145 size_t *out_mac_len)
146 {
147 int mac_len;
148
149 *out_mac_len = 0;
150
151 if (rp->hash_ctx == NULL)
152 return 0;
153
154 mac_len = EVP_MD_CTX_size(rp->hash_ctx);
155 if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE)
156 return 0;
157
158 *out_mac_len = mac_len;
159
160 return 1;
161 }
162
163 struct tls12_record_layer {
164 uint16_t version;
165 uint16_t initial_epoch;
166 int dtls;
167
168 uint8_t alert_desc;
169
170 const EVP_AEAD *aead;
171 const EVP_CIPHER *cipher;
172 const EVP_MD *handshake_hash;
173 const EVP_MD *mac_hash;
174
175 /* Pointers to active record protection (memory is not owned). */
176 struct tls12_record_protection *read;
177 struct tls12_record_protection *write;
178
179 struct tls12_record_protection *read_current;
180 struct tls12_record_protection *write_current;
181 struct tls12_record_protection *write_previous;
182 };
183
184 struct tls12_record_layer *
tls12_record_layer_new(void)185 tls12_record_layer_new(void)
186 {
187 struct tls12_record_layer *rl;
188
189 if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL)
190 goto err;
191 if ((rl->read_current = tls12_record_protection_new()) == NULL)
192 goto err;
193 if ((rl->write_current = tls12_record_protection_new()) == NULL)
194 goto err;
195
196 rl->read = rl->read_current;
197 rl->write = rl->write_current;
198
199 return rl;
200
201 err:
202 tls12_record_layer_free(rl);
203
204 return NULL;
205 }
206
207 void
tls12_record_layer_free(struct tls12_record_layer * rl)208 tls12_record_layer_free(struct tls12_record_layer *rl)
209 {
210 if (rl == NULL)
211 return;
212
213 tls12_record_protection_free(rl->read_current);
214 tls12_record_protection_free(rl->write_current);
215 tls12_record_protection_free(rl->write_previous);
216
217 freezero(rl, sizeof(struct tls12_record_layer));
218 }
219
220 void
tls12_record_layer_alert(struct tls12_record_layer * rl,uint8_t * alert_desc)221 tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc)
222 {
223 *alert_desc = rl->alert_desc;
224 }
225
226 int
tls12_record_layer_write_overhead(struct tls12_record_layer * rl,size_t * overhead)227 tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
228 size_t *overhead)
229 {
230 size_t block_size, eiv_len, mac_len;
231
232 *overhead = 0;
233
234 if (rl->write->aead_ctx != NULL) {
235 *overhead = rl->write->aead_tag_len;
236 } else if (rl->write->cipher_ctx != NULL) {
237 eiv_len = 0;
238 if (rl->version != TLS1_VERSION) {
239 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
240 return 0;
241 }
242 if (!tls12_record_protection_block_size(rl->write, &block_size))
243 return 0;
244 if (!tls12_record_protection_mac_len(rl->write, &mac_len))
245 return 0;
246
247 *overhead = eiv_len + block_size + mac_len;
248 }
249
250 return 1;
251 }
252
253 int
tls12_record_layer_read_protected(struct tls12_record_layer * rl)254 tls12_record_layer_read_protected(struct tls12_record_layer *rl)
255 {
256 return tls12_record_protection_engaged(rl->read);
257 }
258
259 int
tls12_record_layer_write_protected(struct tls12_record_layer * rl)260 tls12_record_layer_write_protected(struct tls12_record_layer *rl)
261 {
262 return tls12_record_protection_engaged(rl->write);
263 }
264
265 void
tls12_record_layer_set_aead(struct tls12_record_layer * rl,const EVP_AEAD * aead)266 tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead)
267 {
268 rl->aead = aead;
269 }
270
271 void
tls12_record_layer_set_cipher_hash(struct tls12_record_layer * rl,const EVP_CIPHER * cipher,const EVP_MD * handshake_hash,const EVP_MD * mac_hash)272 tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl,
273 const EVP_CIPHER *cipher, const EVP_MD *handshake_hash,
274 const EVP_MD *mac_hash)
275 {
276 rl->cipher = cipher;
277 rl->handshake_hash = handshake_hash;
278 rl->mac_hash = mac_hash;
279 }
280
281 void
tls12_record_layer_set_version(struct tls12_record_layer * rl,uint16_t version)282 tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
283 {
284 rl->version = version;
285 rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR);
286 }
287
288 void
tls12_record_layer_set_initial_epoch(struct tls12_record_layer * rl,uint16_t epoch)289 tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl,
290 uint16_t epoch)
291 {
292 rl->initial_epoch = epoch;
293 }
294
295 uint16_t
tls12_record_layer_read_epoch(struct tls12_record_layer * rl)296 tls12_record_layer_read_epoch(struct tls12_record_layer *rl)
297 {
298 return rl->read->epoch;
299 }
300
301 uint16_t
tls12_record_layer_write_epoch(struct tls12_record_layer * rl)302 tls12_record_layer_write_epoch(struct tls12_record_layer *rl)
303 {
304 return rl->write->epoch;
305 }
306
307 int
tls12_record_layer_use_write_epoch(struct tls12_record_layer * rl,uint16_t epoch)308 tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch)
309 {
310 if (rl->write->epoch == epoch)
311 return 1;
312
313 if (rl->write_current->epoch == epoch) {
314 rl->write = rl->write_current;
315 return 1;
316 }
317
318 if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) {
319 rl->write = rl->write_previous;
320 return 1;
321 }
322
323 return 0;
324 }
325
326 void
tls12_record_layer_write_epoch_done(struct tls12_record_layer * rl,uint16_t epoch)327 tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch)
328 {
329 if (rl->write_previous == NULL || rl->write_previous->epoch != epoch)
330 return;
331
332 rl->write = rl->write_current;
333
334 tls12_record_protection_free(rl->write_previous);
335 rl->write_previous = NULL;
336 }
337
338 void
tls12_record_layer_clear_read_state(struct tls12_record_layer * rl)339 tls12_record_layer_clear_read_state(struct tls12_record_layer *rl)
340 {
341 tls12_record_protection_clear(rl->read);
342 rl->read->epoch = rl->initial_epoch;
343 }
344
345 void
tls12_record_layer_clear_write_state(struct tls12_record_layer * rl)346 tls12_record_layer_clear_write_state(struct tls12_record_layer *rl)
347 {
348 tls12_record_protection_clear(rl->write);
349 rl->write->epoch = rl->initial_epoch;
350
351 tls12_record_protection_free(rl->write_previous);
352 rl->write_previous = NULL;
353 }
354
355 void
tls12_record_layer_reflect_seq_num(struct tls12_record_layer * rl)356 tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl)
357 {
358 memcpy(rl->write->seq_num, rl->read->seq_num,
359 sizeof(rl->write->seq_num));
360 }
361
362 static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = {
363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
364 };
365
366 int
tls12_record_layer_inc_seq_num(struct tls12_record_layer * rl,uint8_t * seq_num)367 tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num)
368 {
369 CBS max_seq_num;
370 int i;
371
372 /*
373 * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS
374 * sequence numbers must not wrap. Note that for DTLS the first two
375 * bytes are used as an "epoch" and not part of the sequence number.
376 */
377 CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN);
378 if (rl->dtls) {
379 if (!CBS_skip(&max_seq_num, 2))
380 return 0;
381 }
382 if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num,
383 CBS_len(&max_seq_num)))
384 return 0;
385
386 for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
387 if (++seq_num[i] != 0)
388 break;
389 }
390
391 return 1;
392 }
393
394 static int
tls12_record_layer_set_mac_key(struct tls12_record_protection * rp,const uint8_t * mac_key,size_t mac_key_len)395 tls12_record_layer_set_mac_key(struct tls12_record_protection *rp,
396 const uint8_t *mac_key, size_t mac_key_len)
397 {
398 freezero(rp->mac_key, rp->mac_key_len);
399 rp->mac_key = NULL;
400 rp->mac_key_len = 0;
401
402 if (mac_key == NULL || mac_key_len == 0)
403 return 1;
404
405 if ((rp->mac_key = calloc(1, mac_key_len)) == NULL)
406 return 0;
407
408 memcpy(rp->mac_key, mac_key, mac_key_len);
409 rp->mac_key_len = mac_key_len;
410
411 return 1;
412 }
413
414 static int
tls12_record_layer_ccs_aead(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)415 tls12_record_layer_ccs_aead(struct tls12_record_layer *rl,
416 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
417 CBS *iv)
418 {
419 if (!tls12_record_protection_unused(rp))
420 return 0;
421
422 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL)
423 return 0;
424
425 /* AES GCM cipher suites use variable nonce in record. */
426 if (rl->aead == EVP_aead_aes_128_gcm() ||
427 rl->aead == EVP_aead_aes_256_gcm())
428 rp->aead_variable_nonce_in_record = 1;
429
430 /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */
431 if (rl->aead == EVP_aead_chacha20_poly1305())
432 rp->aead_xor_nonces = 1;
433
434 if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len))
435 return 0;
436
437 rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead));
438 if (rp->aead_nonce == NULL)
439 return 0;
440
441 rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead);
442 rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead);
443 rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN;
444
445 if (rp->aead_xor_nonces) {
446 /* Fixed nonce length must match, variable must not exceed. */
447 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
448 return 0;
449 if (rp->aead_variable_nonce_len > rp->aead_nonce_len)
450 return 0;
451 } else {
452 /* Concatenated nonce length must equal AEAD nonce length. */
453 if (rp->aead_fixed_nonce_len +
454 rp->aead_variable_nonce_len != rp->aead_nonce_len)
455 return 0;
456 }
457
458 if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key),
459 CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
460 return 0;
461
462 return 1;
463 }
464
465 static int
tls12_record_layer_ccs_cipher(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)466 tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
467 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
468 CBS *iv)
469 {
470 EVP_PKEY *mac_pkey = NULL;
471 int gost_param_nid;
472 int mac_type;
473 int ret = 0;
474
475 if (!tls12_record_protection_unused(rp))
476 goto err;
477
478 mac_type = EVP_PKEY_HMAC;
479 rp->stream_mac = 0;
480
481 if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX)
482 goto err;
483 if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv))
484 goto err;
485 if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key))
486 goto err;
487
488 /* Special handling for GOST... */
489 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) {
490 if (CBS_len(mac_key) != 32)
491 goto err;
492 mac_type = EVP_PKEY_GOSTIMIT;
493 rp->stream_mac = 1;
494 } else {
495 if (CBS_len(mac_key) > INT_MAX)
496 goto err;
497 if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key))
498 goto err;
499 }
500
501 if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
502 goto err;
503 if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL)
504 goto err;
505
506 if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key),
507 CBS_len(mac_key)))
508 goto err;
509
510 if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key),
511 CBS_len(mac_key))) == NULL)
512 goto err;
513
514 if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key),
515 CBS_data(iv), is_write))
516 goto err;
517
518 if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL,
519 mac_pkey) <= 0)
520 goto err;
521
522 /* More special handling for GOST... */
523 if (EVP_CIPHER_type(rl->cipher) == NID_gost89_cnt) {
524 gost_param_nid = NID_id_tc26_gost_28147_param_Z;
525 if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94)
526 gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet;
527
528 if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX,
529 gost_param_nid, 0) <= 0)
530 goto err;
531
532 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) {
533 if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX,
534 gost_param_nid, 0) <= 0)
535 goto err;
536 }
537 }
538
539 ret = 1;
540
541 err:
542 EVP_PKEY_free(mac_pkey);
543
544 return ret;
545 }
546
547 static int
tls12_record_layer_change_cipher_state(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)548 tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl,
549 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
550 CBS *iv)
551 {
552 if (rl->aead != NULL)
553 return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key,
554 key, iv);
555
556 return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key,
557 key, iv);
558 }
559
560 int
tls12_record_layer_change_read_cipher_state(struct tls12_record_layer * rl,CBS * mac_key,CBS * key,CBS * iv)561 tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
562 CBS *mac_key, CBS *key, CBS *iv)
563 {
564 struct tls12_record_protection *read_new = NULL;
565 int ret = 0;
566
567 if ((read_new = tls12_record_protection_new()) == NULL)
568 goto err;
569
570 /* Read sequence number gets reset to zero. */
571
572 /* DTLS epoch is incremented and is permitted to wrap. */
573 if (rl->dtls)
574 read_new->epoch = rl->read_current->epoch + 1;
575
576 if (!tls12_record_layer_change_cipher_state(rl, read_new, 0,
577 mac_key, key, iv))
578 goto err;
579
580 tls12_record_protection_free(rl->read_current);
581 rl->read = rl->read_current = read_new;
582 read_new = NULL;
583
584 ret = 1;
585
586 err:
587 tls12_record_protection_free(read_new);
588
589 return ret;
590 }
591
592 int
tls12_record_layer_change_write_cipher_state(struct tls12_record_layer * rl,CBS * mac_key,CBS * key,CBS * iv)593 tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
594 CBS *mac_key, CBS *key, CBS *iv)
595 {
596 struct tls12_record_protection *write_new;
597 int ret = 0;
598
599 if ((write_new = tls12_record_protection_new()) == NULL)
600 goto err;
601
602 /* Write sequence number gets reset to zero. */
603
604 /* DTLS epoch is incremented and is permitted to wrap. */
605 if (rl->dtls)
606 write_new->epoch = rl->write_current->epoch + 1;
607
608 if (!tls12_record_layer_change_cipher_state(rl, write_new, 1,
609 mac_key, key, iv))
610 goto err;
611
612 if (rl->dtls) {
613 tls12_record_protection_free(rl->write_previous);
614 rl->write_previous = rl->write_current;
615 rl->write_current = NULL;
616 }
617 tls12_record_protection_free(rl->write_current);
618 rl->write = rl->write_current = write_new;
619 write_new = NULL;
620
621 ret = 1;
622
623 err:
624 tls12_record_protection_free(write_new);
625
626 return ret;
627 }
628
629 static int
tls12_record_layer_build_seq_num(struct tls12_record_layer * rl,CBB * cbb,uint16_t epoch,uint8_t * seq_num,size_t seq_num_len)630 tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb,
631 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)
632 {
633 CBS seq;
634
635 CBS_init(&seq, seq_num, seq_num_len);
636
637 if (rl->dtls) {
638 if (!CBB_add_u16(cbb, epoch))
639 return 0;
640 if (!CBS_skip(&seq, 2))
641 return 0;
642 }
643
644 return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq));
645 }
646
647 static int
tls12_record_layer_pseudo_header(struct tls12_record_layer * rl,uint8_t content_type,uint16_t record_len,CBS * seq_num,uint8_t ** out,size_t * out_len)648 tls12_record_layer_pseudo_header(struct tls12_record_layer *rl,
649 uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out,
650 size_t *out_len)
651 {
652 CBB cbb;
653
654 *out = NULL;
655 *out_len = 0;
656
657 /* Build the pseudo-header used for MAC/AEAD. */
658 if (!CBB_init(&cbb, 13))
659 goto err;
660
661 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num)))
662 goto err;
663 if (!CBB_add_u8(&cbb, content_type))
664 goto err;
665 if (!CBB_add_u16(&cbb, rl->version))
666 goto err;
667 if (!CBB_add_u16(&cbb, record_len))
668 goto err;
669
670 if (!CBB_finish(&cbb, out, out_len))
671 goto err;
672
673 return 1;
674
675 err:
676 CBB_cleanup(&cbb);
677
678 return 0;
679 }
680
681 static int
tls12_record_layer_mac(struct tls12_record_layer * rl,CBB * cbb,EVP_MD_CTX * hash_ctx,int stream_mac,CBS * seq_num,uint8_t content_type,const uint8_t * content,size_t content_len,size_t * out_len)682 tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
683 EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type,
684 const uint8_t *content, size_t content_len, size_t *out_len)
685 {
686 EVP_MD_CTX *mac_ctx = NULL;
687 uint8_t *header = NULL;
688 size_t header_len = 0;
689 size_t mac_len;
690 uint8_t *mac;
691 int ret = 0;
692
693 if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
694 goto err;
695 if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx))
696 goto err;
697
698 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
699 seq_num, &header, &header_len))
700 goto err;
701
702 if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0)
703 goto err;
704 if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0)
705 goto err;
706 if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0)
707 goto err;
708 if (!CBB_add_space(cbb, &mac, mac_len))
709 goto err;
710 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0)
711 goto err;
712 if (mac_len == 0)
713 goto err;
714
715 if (stream_mac) {
716 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx))
717 goto err;
718 }
719
720 *out_len = mac_len;
721 ret = 1;
722
723 err:
724 EVP_MD_CTX_free(mac_ctx);
725 freezero(header, header_len);
726
727 return ret;
728 }
729
730 static int
tls12_record_layer_read_mac_cbc(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,size_t mac_len,size_t padding_len)731 tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb,
732 uint8_t content_type, CBS *seq_num, const uint8_t *content,
733 size_t content_len, size_t mac_len, size_t padding_len)
734 {
735 uint8_t *header = NULL;
736 size_t header_len = 0;
737 uint8_t *mac = NULL;
738 size_t out_mac_len = 0;
739 int ret = 0;
740
741 /*
742 * Must be constant time to avoid leaking details about CBC padding.
743 */
744
745 if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx))
746 goto err;
747
748 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
749 seq_num, &header, &header_len))
750 goto err;
751
752 if (!CBB_add_space(cbb, &mac, mac_len))
753 goto err;
754 if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header,
755 content, content_len + mac_len, content_len + mac_len + padding_len,
756 rl->read->mac_key, rl->read->mac_key_len))
757 goto err;
758 if (mac_len != out_mac_len)
759 goto err;
760
761 ret = 1;
762
763 err:
764 freezero(header, header_len);
765
766 return ret;
767 }
768
769 static int
tls12_record_layer_read_mac(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len)770 tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb,
771 uint8_t content_type, CBS *seq_num, const uint8_t *content,
772 size_t content_len)
773 {
774 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
775 size_t out_len;
776
777 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
778 return 0;
779
780 return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx,
781 rl->read->stream_mac, seq_num, content_type, content, content_len,
782 &out_len);
783 }
784
785 static int
tls12_record_layer_write_mac(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,size_t * out_len)786 tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
787 uint8_t content_type, CBS *seq_num, const uint8_t *content,
788 size_t content_len, size_t *out_len)
789 {
790 return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx,
791 rl->write->stream_mac, seq_num, content_type, content, content_len,
792 out_len);
793 }
794
795 static int
tls12_record_layer_aead_concat_nonce(struct tls12_record_layer * rl,struct tls12_record_protection * rp,CBS * seq_num)796 tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
797 struct tls12_record_protection *rp, CBS *seq_num)
798 {
799 CBB cbb;
800
801 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
802 return 0;
803
804 /* Fixed nonce and variable nonce (sequence number) are concatenated. */
805 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
806 goto err;
807 if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce,
808 rp->aead_fixed_nonce_len))
809 goto err;
810 if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
811 rp->aead_variable_nonce_len))
812 goto err;
813 if (!CBB_finish(&cbb, NULL, NULL))
814 goto err;
815
816 return 1;
817
818 err:
819 CBB_cleanup(&cbb);
820
821 return 0;
822 }
823
824 static int
tls12_record_layer_aead_xored_nonce(struct tls12_record_layer * rl,struct tls12_record_protection * rp,CBS * seq_num)825 tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
826 struct tls12_record_protection *rp, CBS *seq_num)
827 {
828 uint8_t *pad;
829 CBB cbb;
830 int i;
831
832 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
833 return 0;
834 if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len)
835 return 0;
836 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
837 return 0;
838
839 /*
840 * Variable nonce (sequence number) is right padded, before the fixed
841 * nonce is XOR'd in.
842 */
843 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
844 goto err;
845 if (!CBB_add_space(&cbb, &pad,
846 rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len))
847 goto err;
848 if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
849 rp->aead_variable_nonce_len))
850 goto err;
851 if (!CBB_finish(&cbb, NULL, NULL))
852 goto err;
853
854 for (i = 0; i < rp->aead_fixed_nonce_len; i++)
855 rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i];
856
857 return 1;
858
859 err:
860 CBB_cleanup(&cbb);
861
862 return 0;
863 }
864
865 static int
tls12_record_layer_open_record_plaintext(struct tls12_record_layer * rl,uint8_t content_type,CBS * fragment,uint8_t ** out,size_t * out_len)866 tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl,
867 uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len)
868 {
869 if (tls12_record_protection_engaged(rl->read))
870 return 0;
871
872 /* XXX - decrypt/process in place for now. */
873 *out = (uint8_t *)CBS_data(fragment);
874 *out_len = CBS_len(fragment);
875
876 return 1;
877 }
878
879 static int
tls12_record_layer_open_record_protected_aead(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,CBS * fragment,uint8_t ** out,size_t * out_len)880 tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
881 uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out,
882 size_t *out_len)
883 {
884 struct tls12_record_protection *rp = rl->read;
885 uint8_t *header = NULL;
886 size_t header_len = 0;
887 uint8_t *plain;
888 size_t plain_len;
889 CBS var_nonce;
890 int ret = 0;
891
892 if (rp->aead_xor_nonces) {
893 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
894 goto err;
895 } else if (rp->aead_variable_nonce_in_record) {
896 if (!CBS_get_bytes(fragment, &var_nonce,
897 rp->aead_variable_nonce_len))
898 goto err;
899 if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce))
900 goto err;
901 } else {
902 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
903 goto err;
904 }
905
906 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
907 if (CBS_len(fragment) < rp->aead_tag_len) {
908 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
909 goto err;
910 }
911 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
912 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
913 goto err;
914 }
915
916 /* XXX - decrypt/process in place for now. */
917 plain = (uint8_t *)CBS_data(fragment);
918 plain_len = CBS_len(fragment) - rp->aead_tag_len;
919
920 if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len,
921 seq_num, &header, &header_len))
922 goto err;
923
924 if (!EVP_AEAD_CTX_open(rp->aead_ctx, plain, out_len, plain_len,
925 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment),
926 CBS_len(fragment), header, header_len)) {
927 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
928 goto err;
929 }
930
931 if (*out_len > SSL3_RT_MAX_PLAIN_LENGTH) {
932 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
933 goto err;
934 }
935
936 if (*out_len != plain_len)
937 goto err;
938
939 *out = plain;
940
941 ret = 1;
942
943 err:
944 freezero(header, header_len);
945
946 return ret;
947 }
948
949 static int
tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,CBS * fragment,uint8_t ** out,size_t * out_len)950 tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
951 uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out,
952 size_t *out_len)
953 {
954 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
955 SSL3_RECORD_INTERNAL rrec;
956 size_t block_size, eiv_len;
957 uint8_t *mac = NULL;
958 size_t mac_len = 0;
959 uint8_t *out_mac = NULL;
960 size_t out_mac_len = 0;
961 uint8_t *plain;
962 size_t plain_len;
963 size_t min_len;
964 CBB cbb_mac;
965 int ret = 0;
966
967 memset(&cbb_mac, 0, sizeof(cbb_mac));
968 memset(&rrec, 0, sizeof(rrec));
969
970 if (!tls12_record_protection_block_size(rl->read, &block_size))
971 goto err;
972
973 /* Determine explicit IV length. */
974 eiv_len = 0;
975 if (rl->version != TLS1_VERSION) {
976 if (!tls12_record_protection_eiv_len(rl->read, &eiv_len))
977 goto err;
978 }
979
980 mac_len = 0;
981 if (rl->read->hash_ctx != NULL) {
982 if (!tls12_record_protection_mac_len(rl->read, &mac_len))
983 goto err;
984 }
985
986 /* CBC has at least one padding byte. */
987 min_len = eiv_len + mac_len;
988 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
989 min_len += 1;
990
991 if (CBS_len(fragment) < min_len) {
992 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
993 goto err;
994 }
995 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
996 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
997 goto err;
998 }
999 if (CBS_len(fragment) % block_size != 0) {
1000 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
1001 goto err;
1002 }
1003
1004 /* XXX - decrypt/process in place for now. */
1005 plain = (uint8_t *)CBS_data(fragment);
1006 plain_len = CBS_len(fragment);
1007
1008 if (!EVP_Cipher(enc, plain, CBS_data(fragment), plain_len))
1009 goto err;
1010
1011 rrec.data = plain;
1012 rrec.input = plain;
1013 rrec.length = plain_len;
1014
1015 /*
1016 * We now have to remove padding, extract MAC, calculate MAC
1017 * and compare MAC in constant time.
1018 */
1019 if (block_size > 1)
1020 ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len);
1021
1022 if ((mac = calloc(1, mac_len)) == NULL)
1023 goto err;
1024
1025 if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE))
1026 goto err;
1027 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) {
1028 ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length +
1029 rrec.padding_length);
1030 rrec.length -= mac_len;
1031 if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type,
1032 seq_num, rrec.input, rrec.length, mac_len,
1033 rrec.padding_length))
1034 goto err;
1035 } else {
1036 rrec.length -= mac_len;
1037 memcpy(mac, rrec.data + rrec.length, mac_len);
1038 if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type,
1039 seq_num, rrec.input, rrec.length))
1040 goto err;
1041 }
1042 if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len))
1043 goto err;
1044 if (mac_len != out_mac_len)
1045 goto err;
1046
1047 if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) {
1048 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
1049 goto err;
1050 }
1051
1052 if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) {
1053 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
1054 goto err;
1055 }
1056 if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) {
1057 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
1058 goto err;
1059 }
1060
1061 *out = rrec.data;
1062 *out_len = rrec.length;
1063
1064 ret = 1;
1065
1066 err:
1067 CBB_cleanup(&cbb_mac);
1068 freezero(mac, mac_len);
1069 freezero(out_mac, out_mac_len);
1070
1071 return ret;
1072 }
1073
1074 int
tls12_record_layer_open_record(struct tls12_record_layer * rl,uint8_t * buf,size_t buf_len,uint8_t ** out,size_t * out_len)1075 tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
1076 size_t buf_len, uint8_t **out, size_t *out_len)
1077 {
1078 CBS cbs, fragment, seq_num;
1079 uint16_t version;
1080 uint8_t content_type;
1081
1082 CBS_init(&cbs, buf, buf_len);
1083 CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num));
1084
1085 if (!CBS_get_u8(&cbs, &content_type))
1086 return 0;
1087 if (!CBS_get_u16(&cbs, &version))
1088 return 0;
1089 if (rl->dtls) {
1090 /*
1091 * The DTLS sequence number is split into a 16 bit epoch and
1092 * 48 bit sequence number, however for the purposes of record
1093 * processing it is treated the same as a TLS 64 bit sequence
1094 * number. DTLS also uses explicit read sequence numbers, which
1095 * we need to extract from the DTLS record header.
1096 */
1097 if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE))
1098 return 0;
1099 if (!CBS_write_bytes(&seq_num, rl->read->seq_num,
1100 sizeof(rl->read->seq_num), NULL))
1101 return 0;
1102 }
1103 if (!CBS_get_u16_length_prefixed(&cbs, &fragment))
1104 return 0;
1105
1106 if (rl->read->aead_ctx != NULL) {
1107 if (!tls12_record_layer_open_record_protected_aead(rl,
1108 content_type, &seq_num, &fragment, out, out_len))
1109 return 0;
1110 } else if (rl->read->cipher_ctx != NULL) {
1111 if (!tls12_record_layer_open_record_protected_cipher(rl,
1112 content_type, &seq_num, &fragment, out, out_len))
1113 return 0;
1114 } else {
1115 if (!tls12_record_layer_open_record_plaintext(rl,
1116 content_type, &fragment, out, out_len))
1117 return 0;
1118 }
1119
1120 if (!rl->dtls) {
1121 if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num))
1122 return 0;
1123 }
1124
1125 return 1;
1126 }
1127
1128 static int
tls12_record_layer_seal_record_plaintext(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * out)1129 tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl,
1130 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out)
1131 {
1132 if (tls12_record_protection_engaged(rl->write))
1133 return 0;
1134
1135 return CBB_add_bytes(out, content, content_len);
1136 }
1137
1138 static int
tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,CBB * out)1139 tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl,
1140 uint8_t content_type, CBS *seq_num, const uint8_t *content,
1141 size_t content_len, CBB *out)
1142 {
1143 struct tls12_record_protection *rp = rl->write;
1144 uint8_t *header = NULL;
1145 size_t header_len = 0;
1146 size_t enc_record_len, out_len;
1147 uint8_t *enc_data;
1148 int ret = 0;
1149
1150 if (rp->aead_xor_nonces) {
1151 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
1152 goto err;
1153 } else {
1154 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
1155 goto err;
1156 }
1157
1158 if (rp->aead_variable_nonce_in_record) {
1159 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
1160 goto err;
1161 if (!CBB_add_bytes(out, CBS_data(seq_num),
1162 rp->aead_variable_nonce_len))
1163 goto err;
1164 }
1165
1166 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
1167 seq_num, &header, &header_len))
1168 goto err;
1169
1170 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
1171 enc_record_len = content_len + rp->aead_tag_len;
1172 if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1173 goto err;
1174 if (!CBB_add_space(out, &enc_data, enc_record_len))
1175 goto err;
1176
1177 if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len,
1178 rp->aead_nonce, rp->aead_nonce_len, content, content_len, header,
1179 header_len))
1180 goto err;
1181
1182 if (out_len != enc_record_len)
1183 goto err;
1184
1185 ret = 1;
1186
1187 err:
1188 freezero(header, header_len);
1189
1190 return ret;
1191 }
1192
1193 static int
tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,CBB * out)1194 tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl,
1195 uint8_t content_type, CBS *seq_num, const uint8_t *content,
1196 size_t content_len, CBB *out)
1197 {
1198 EVP_CIPHER_CTX *enc = rl->write->cipher_ctx;
1199 size_t block_size, eiv_len, mac_len, pad_len;
1200 uint8_t *enc_data, *eiv, *pad, pad_val;
1201 uint8_t *plain = NULL;
1202 size_t plain_len = 0;
1203 int ret = 0;
1204 CBB cbb;
1205
1206 if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH))
1207 goto err;
1208
1209 /* Add explicit IV if necessary. */
1210 eiv_len = 0;
1211 if (rl->version != TLS1_VERSION) {
1212 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
1213 goto err;
1214 }
1215 if (eiv_len > 0) {
1216 if (!CBB_add_space(&cbb, &eiv, eiv_len))
1217 goto err;
1218 arc4random_buf(eiv, eiv_len);
1219 }
1220
1221 if (!CBB_add_bytes(&cbb, content, content_len))
1222 goto err;
1223
1224 mac_len = 0;
1225 if (rl->write->hash_ctx != NULL) {
1226 if (!tls12_record_layer_write_mac(rl, &cbb, content_type,
1227 seq_num, content, content_len, &mac_len))
1228 goto err;
1229 }
1230
1231 plain_len = eiv_len + content_len + mac_len;
1232
1233 /* Add padding to block size, if necessary. */
1234 if (!tls12_record_protection_block_size(rl->write, &block_size))
1235 goto err;
1236 if (block_size > 1) {
1237 pad_len = block_size - (plain_len % block_size);
1238 pad_val = pad_len - 1;
1239
1240 if (pad_len > 255)
1241 goto err;
1242 if (!CBB_add_space(&cbb, &pad, pad_len))
1243 goto err;
1244 memset(pad, pad_val, pad_len);
1245 }
1246
1247 if (!CBB_finish(&cbb, &plain, &plain_len))
1248 goto err;
1249
1250 if (plain_len % block_size != 0)
1251 goto err;
1252 if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1253 goto err;
1254
1255 if (!CBB_add_space(out, &enc_data, plain_len))
1256 goto err;
1257 if (!EVP_Cipher(enc, enc_data, plain, plain_len))
1258 goto err;
1259
1260 ret = 1;
1261
1262 err:
1263 CBB_cleanup(&cbb);
1264 freezero(plain, plain_len);
1265
1266 return ret;
1267 }
1268
1269 int
tls12_record_layer_seal_record(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * cbb)1270 tls12_record_layer_seal_record(struct tls12_record_layer *rl,
1271 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb)
1272 {
1273 uint8_t *seq_num_data = NULL;
1274 size_t seq_num_len = 0;
1275 CBB fragment, seq_num_cbb;
1276 CBS seq_num;
1277 int ret = 0;
1278
1279 /*
1280 * Construct the effective sequence number - this is used in both
1281 * the DTLS header and for MAC calculations.
1282 */
1283 if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE))
1284 goto err;
1285 if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch,
1286 rl->write->seq_num, sizeof(rl->write->seq_num)))
1287 goto err;
1288 if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len))
1289 goto err;
1290 CBS_init(&seq_num, seq_num_data, seq_num_len);
1291
1292 if (!CBB_add_u8(cbb, content_type))
1293 goto err;
1294 if (!CBB_add_u16(cbb, rl->version))
1295 goto err;
1296 if (rl->dtls) {
1297 if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num)))
1298 goto err;
1299 }
1300 if (!CBB_add_u16_length_prefixed(cbb, &fragment))
1301 goto err;
1302
1303 if (rl->write->aead_ctx != NULL) {
1304 if (!tls12_record_layer_seal_record_protected_aead(rl,
1305 content_type, &seq_num, content, content_len, &fragment))
1306 goto err;
1307 } else if (rl->write->cipher_ctx != NULL) {
1308 if (!tls12_record_layer_seal_record_protected_cipher(rl,
1309 content_type, &seq_num, content, content_len, &fragment))
1310 goto err;
1311 } else {
1312 if (!tls12_record_layer_seal_record_plaintext(rl,
1313 content_type, content, content_len, &fragment))
1314 goto err;
1315 }
1316
1317 if (!CBB_flush(cbb))
1318 goto err;
1319
1320 if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num))
1321 goto err;
1322
1323 ret = 1;
1324
1325 err:
1326 CBB_cleanup(&seq_num_cbb);
1327 free(seq_num_data);
1328
1329 return ret;
1330 }
1331