1*689a9b7eSbeck /* $OpenBSD: tls12_record_layer.c,v 1.42 2024/02/03 15:58:34 beck Exp $ */
2acef91a0Sjsing /*
3acef91a0Sjsing * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4acef91a0Sjsing *
5acef91a0Sjsing * Permission to use, copy, modify, and distribute this software for any
6acef91a0Sjsing * purpose with or without fee is hereby granted, provided that the above
7acef91a0Sjsing * copyright notice and this permission notice appear in all copies.
8acef91a0Sjsing *
9acef91a0Sjsing * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10acef91a0Sjsing * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11acef91a0Sjsing * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12acef91a0Sjsing * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13acef91a0Sjsing * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14acef91a0Sjsing * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15acef91a0Sjsing * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16acef91a0Sjsing */
17acef91a0Sjsing
18c37fa200Sjsing #include <limits.h>
19acef91a0Sjsing #include <stdlib.h>
20acef91a0Sjsing
21acef91a0Sjsing #include <openssl/evp.h>
22acef91a0Sjsing
23c9675a23Stb #include "ssl_local.h"
24acef91a0Sjsing
25e3ae3cd6Sjsing #define TLS12_RECORD_SEQ_NUM_LEN 8
267b133c71Sjsing #define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12
27e3ae3cd6Sjsing
28a13669d2Sjsing struct tls12_record_protection {
29a13669d2Sjsing uint16_t epoch;
30e3ae3cd6Sjsing uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN];
31a13669d2Sjsing
327b133c71Sjsing EVP_AEAD_CTX *aead_ctx;
337b133c71Sjsing
34609ec8b1Sjsing uint8_t *aead_nonce;
35609ec8b1Sjsing size_t aead_nonce_len;
36609ec8b1Sjsing
377b133c71Sjsing uint8_t *aead_fixed_nonce;
387b133c71Sjsing size_t aead_fixed_nonce_len;
397b133c71Sjsing
407b133c71Sjsing size_t aead_variable_nonce_len;
417b133c71Sjsing size_t aead_tag_len;
427b133c71Sjsing
437b133c71Sjsing int aead_xor_nonces;
447b133c71Sjsing int aead_variable_nonce_in_record;
45c37fa200Sjsing
46747682f9Sjsing EVP_CIPHER_CTX *cipher_ctx;
47747682f9Sjsing EVP_MD_CTX *hash_ctx;
48747682f9Sjsing
49a13669d2Sjsing int stream_mac;
50a13669d2Sjsing
51a13669d2Sjsing uint8_t *mac_key;
52a13669d2Sjsing size_t mac_key_len;
53a13669d2Sjsing };
54a13669d2Sjsing
55a13669d2Sjsing static struct tls12_record_protection *
tls12_record_protection_new(void)56a13669d2Sjsing tls12_record_protection_new(void)
57a13669d2Sjsing {
58a13669d2Sjsing return calloc(1, sizeof(struct tls12_record_protection));
59a13669d2Sjsing }
60a13669d2Sjsing
61a13669d2Sjsing static void
tls12_record_protection_clear(struct tls12_record_protection * rp)62f2284ad0Sjsing tls12_record_protection_clear(struct tls12_record_protection *rp)
63f2284ad0Sjsing {
64f9a06750Stb EVP_AEAD_CTX_free(rp->aead_ctx);
65c37fa200Sjsing
66609ec8b1Sjsing freezero(rp->aead_nonce, rp->aead_nonce_len);
677b133c71Sjsing freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len);
687b133c71Sjsing
692935b8f4Sjsing EVP_CIPHER_CTX_free(rp->cipher_ctx);
702935b8f4Sjsing EVP_MD_CTX_free(rp->hash_ctx);
712935b8f4Sjsing
72f2284ad0Sjsing freezero(rp->mac_key, rp->mac_key_len);
7360497c21Sjsing
7460497c21Sjsing memset(rp, 0, sizeof(*rp));
75f2284ad0Sjsing }
76f2284ad0Sjsing
77f2284ad0Sjsing static void
tls12_record_protection_free(struct tls12_record_protection * rp)78a13669d2Sjsing tls12_record_protection_free(struct tls12_record_protection *rp)
79a13669d2Sjsing {
80a13669d2Sjsing if (rp == NULL)
81a13669d2Sjsing return;
82a13669d2Sjsing
83f2284ad0Sjsing tls12_record_protection_clear(rp);
84a13669d2Sjsing
85a13669d2Sjsing freezero(rp, sizeof(struct tls12_record_protection));
86a13669d2Sjsing }
87a13669d2Sjsing
881c1840fbSjsing static int
tls12_record_protection_engaged(struct tls12_record_protection * rp)891365e68cSjsing tls12_record_protection_engaged(struct tls12_record_protection *rp)
901365e68cSjsing {
911365e68cSjsing return rp->aead_ctx != NULL || rp->cipher_ctx != NULL;
921365e68cSjsing }
931365e68cSjsing
941365e68cSjsing static int
tls12_record_protection_unused(struct tls12_record_protection * rp)95747682f9Sjsing tls12_record_protection_unused(struct tls12_record_protection *rp)
96747682f9Sjsing {
97747682f9Sjsing return rp->aead_ctx == NULL && rp->cipher_ctx == NULL &&
98747682f9Sjsing rp->hash_ctx == NULL && rp->mac_key == NULL;
99747682f9Sjsing }
100747682f9Sjsing
101747682f9Sjsing static int
tls12_record_protection_eiv_len(struct tls12_record_protection * rp,size_t * out_eiv_len)1021c1840fbSjsing tls12_record_protection_eiv_len(struct tls12_record_protection *rp,
1031c1840fbSjsing size_t *out_eiv_len)
1041c1840fbSjsing {
1051c1840fbSjsing int eiv_len;
1061c1840fbSjsing
1071c1840fbSjsing *out_eiv_len = 0;
1081c1840fbSjsing
1091c1840fbSjsing if (rp->cipher_ctx == NULL)
1101c1840fbSjsing return 0;
1111c1840fbSjsing
1121c1840fbSjsing eiv_len = 0;
1131c1840fbSjsing if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE)
1141c1840fbSjsing eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx);
1151c1840fbSjsing if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH)
1161c1840fbSjsing return 0;
1171c1840fbSjsing
1181c1840fbSjsing *out_eiv_len = eiv_len;
1191c1840fbSjsing
1201c1840fbSjsing return 1;
1211c1840fbSjsing }
1221c1840fbSjsing
1231c1840fbSjsing static int
tls12_record_protection_block_size(struct tls12_record_protection * rp,size_t * out_block_size)1241c1840fbSjsing tls12_record_protection_block_size(struct tls12_record_protection *rp,
1251c1840fbSjsing size_t *out_block_size)
1261c1840fbSjsing {
1271c1840fbSjsing int block_size;
1281c1840fbSjsing
1291c1840fbSjsing *out_block_size = 0;
1301c1840fbSjsing
1311c1840fbSjsing if (rp->cipher_ctx == NULL)
1321c1840fbSjsing return 0;
1331c1840fbSjsing
1341c1840fbSjsing block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx);
1351c1840fbSjsing if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH)
1361c1840fbSjsing return 0;
1371c1840fbSjsing
1381c1840fbSjsing *out_block_size = block_size;
1391c1840fbSjsing
1401c1840fbSjsing return 1;
1411c1840fbSjsing }
1421c1840fbSjsing
1431c1840fbSjsing static int
tls12_record_protection_mac_len(struct tls12_record_protection * rp,size_t * out_mac_len)1441c1840fbSjsing tls12_record_protection_mac_len(struct tls12_record_protection *rp,
1451c1840fbSjsing size_t *out_mac_len)
1461c1840fbSjsing {
1471c1840fbSjsing int mac_len;
1481c1840fbSjsing
1491c1840fbSjsing *out_mac_len = 0;
1501c1840fbSjsing
1511c1840fbSjsing if (rp->hash_ctx == NULL)
1521c1840fbSjsing return 0;
1531c1840fbSjsing
1541c1840fbSjsing mac_len = EVP_MD_CTX_size(rp->hash_ctx);
1551c1840fbSjsing if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE)
1561c1840fbSjsing return 0;
1571c1840fbSjsing
1581c1840fbSjsing *out_mac_len = mac_len;
1591c1840fbSjsing
1601c1840fbSjsing return 1;
1611c1840fbSjsing }
1621c1840fbSjsing
163acef91a0Sjsing struct tls12_record_layer {
164acef91a0Sjsing uint16_t version;
165c8e2fc2bSjsing uint16_t initial_epoch;
166acef91a0Sjsing int dtls;
167acef91a0Sjsing
16840038cb8Sjsing uint8_t alert_desc;
16940038cb8Sjsing
170c37fa200Sjsing const EVP_AEAD *aead;
1712935b8f4Sjsing const EVP_CIPHER *cipher;
1722935b8f4Sjsing const EVP_MD *handshake_hash;
1732935b8f4Sjsing const EVP_MD *mac_hash;
174c37fa200Sjsing
175a802a16aSjsing /* Pointers to active record protection (memory is not owned). */
176a13669d2Sjsing struct tls12_record_protection *read;
177a13669d2Sjsing struct tls12_record_protection *write;
178a802a16aSjsing
179a802a16aSjsing struct tls12_record_protection *read_current;
180a802a16aSjsing struct tls12_record_protection *write_current;
181a802a16aSjsing struct tls12_record_protection *write_previous;
182acef91a0Sjsing };
183acef91a0Sjsing
184acef91a0Sjsing struct tls12_record_layer *
tls12_record_layer_new(void)185acef91a0Sjsing tls12_record_layer_new(void)
186acef91a0Sjsing {
187acef91a0Sjsing struct tls12_record_layer *rl;
188acef91a0Sjsing
189acef91a0Sjsing if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL)
190a13669d2Sjsing goto err;
191a802a16aSjsing if ((rl->read_current = tls12_record_protection_new()) == NULL)
192a13669d2Sjsing goto err;
193a802a16aSjsing if ((rl->write_current = tls12_record_protection_new()) == NULL)
194a13669d2Sjsing goto err;
195acef91a0Sjsing
196a802a16aSjsing rl->read = rl->read_current;
197a802a16aSjsing rl->write = rl->write_current;
198a802a16aSjsing
199acef91a0Sjsing return rl;
200a13669d2Sjsing
201a13669d2Sjsing err:
202a13669d2Sjsing tls12_record_layer_free(rl);
203a13669d2Sjsing
204a13669d2Sjsing return NULL;
205acef91a0Sjsing }
206acef91a0Sjsing
207acef91a0Sjsing void
tls12_record_layer_free(struct tls12_record_layer * rl)208acef91a0Sjsing tls12_record_layer_free(struct tls12_record_layer *rl)
209acef91a0Sjsing {
2103e9ce141Sjsing if (rl == NULL)
2113e9ce141Sjsing return;
2123e9ce141Sjsing
213a802a16aSjsing tls12_record_protection_free(rl->read_current);
214a802a16aSjsing tls12_record_protection_free(rl->write_current);
215a802a16aSjsing tls12_record_protection_free(rl->write_previous);
2163e9ce141Sjsing
217acef91a0Sjsing freezero(rl, sizeof(struct tls12_record_layer));
218acef91a0Sjsing }
219acef91a0Sjsing
220acef91a0Sjsing void
tls12_record_layer_alert(struct tls12_record_layer * rl,uint8_t * alert_desc)22140038cb8Sjsing tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc)
22240038cb8Sjsing {
22340038cb8Sjsing *alert_desc = rl->alert_desc;
22440038cb8Sjsing }
22540038cb8Sjsing
2269123ae00Sjsing int
tls12_record_layer_write_overhead(struct tls12_record_layer * rl,size_t * overhead)2279123ae00Sjsing tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
2289123ae00Sjsing size_t *overhead)
2299123ae00Sjsing {
2309123ae00Sjsing size_t block_size, eiv_len, mac_len;
2319123ae00Sjsing
2329123ae00Sjsing *overhead = 0;
2339123ae00Sjsing
2349123ae00Sjsing if (rl->write->aead_ctx != NULL) {
2357b133c71Sjsing *overhead = rl->write->aead_tag_len;
2369123ae00Sjsing } else if (rl->write->cipher_ctx != NULL) {
2379123ae00Sjsing eiv_len = 0;
2389123ae00Sjsing if (rl->version != TLS1_VERSION) {
2399123ae00Sjsing if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
2409123ae00Sjsing return 0;
2419123ae00Sjsing }
2429123ae00Sjsing if (!tls12_record_protection_block_size(rl->write, &block_size))
2439123ae00Sjsing return 0;
2449123ae00Sjsing if (!tls12_record_protection_mac_len(rl->write, &mac_len))
2459123ae00Sjsing return 0;
2469123ae00Sjsing
2479123ae00Sjsing *overhead = eiv_len + block_size + mac_len;
2489123ae00Sjsing }
2499123ae00Sjsing
2509123ae00Sjsing return 1;
2519123ae00Sjsing }
2529123ae00Sjsing
2531365e68cSjsing int
tls12_record_layer_read_protected(struct tls12_record_layer * rl)2541365e68cSjsing tls12_record_layer_read_protected(struct tls12_record_layer *rl)
2551365e68cSjsing {
2561365e68cSjsing return tls12_record_protection_engaged(rl->read);
2571365e68cSjsing }
2581365e68cSjsing
2591365e68cSjsing int
tls12_record_layer_write_protected(struct tls12_record_layer * rl)2601365e68cSjsing tls12_record_layer_write_protected(struct tls12_record_layer *rl)
2611365e68cSjsing {
2621365e68cSjsing return tls12_record_protection_engaged(rl->write);
2631365e68cSjsing }
2641365e68cSjsing
26540038cb8Sjsing void
tls12_record_layer_set_aead(struct tls12_record_layer * rl,const EVP_AEAD * aead)266c37fa200Sjsing tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead)
267c37fa200Sjsing {
268c37fa200Sjsing rl->aead = aead;
269c37fa200Sjsing }
270c37fa200Sjsing
271c37fa200Sjsing void
tls12_record_layer_set_cipher_hash(struct tls12_record_layer * rl,const EVP_CIPHER * cipher,const EVP_MD * handshake_hash,const EVP_MD * mac_hash)2722935b8f4Sjsing tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl,
2732935b8f4Sjsing const EVP_CIPHER *cipher, const EVP_MD *handshake_hash,
2742935b8f4Sjsing const EVP_MD *mac_hash)
2752935b8f4Sjsing {
2762935b8f4Sjsing rl->cipher = cipher;
2772935b8f4Sjsing rl->handshake_hash = handshake_hash;
2782935b8f4Sjsing rl->mac_hash = mac_hash;
2792935b8f4Sjsing }
2802935b8f4Sjsing
2812935b8f4Sjsing void
tls12_record_layer_set_version(struct tls12_record_layer * rl,uint16_t version)282acef91a0Sjsing tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
283acef91a0Sjsing {
284acef91a0Sjsing rl->version = version;
285fe0929e2Sjsing rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR);
286acef91a0Sjsing }
287acef91a0Sjsing
288c8e2fc2bSjsing void
tls12_record_layer_set_initial_epoch(struct tls12_record_layer * rl,uint16_t epoch)289c8e2fc2bSjsing tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl,
290c8e2fc2bSjsing uint16_t epoch)
291c8e2fc2bSjsing {
292c8e2fc2bSjsing rl->initial_epoch = epoch;
293c8e2fc2bSjsing }
294c8e2fc2bSjsing
295c8e2fc2bSjsing uint16_t
tls12_record_layer_read_epoch(struct tls12_record_layer * rl)29644aae0c1Sjsing tls12_record_layer_read_epoch(struct tls12_record_layer *rl)
297c8e2fc2bSjsing {
29844aae0c1Sjsing return rl->read->epoch;
299c8e2fc2bSjsing }
300c8e2fc2bSjsing
3012f4e7cfaSjsing uint16_t
tls12_record_layer_write_epoch(struct tls12_record_layer * rl)3022f4e7cfaSjsing tls12_record_layer_write_epoch(struct tls12_record_layer *rl)
303acef91a0Sjsing {
3042f4e7cfaSjsing return rl->write->epoch;
305acef91a0Sjsing }
306acef91a0Sjsing
307a802a16aSjsing int
tls12_record_layer_use_write_epoch(struct tls12_record_layer * rl,uint16_t epoch)308a802a16aSjsing tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch)
309a802a16aSjsing {
310a802a16aSjsing if (rl->write->epoch == epoch)
311a802a16aSjsing return 1;
312a802a16aSjsing
313a802a16aSjsing if (rl->write_current->epoch == epoch) {
314a802a16aSjsing rl->write = rl->write_current;
315a802a16aSjsing return 1;
316a802a16aSjsing }
317a802a16aSjsing
318a802a16aSjsing if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) {
319a802a16aSjsing rl->write = rl->write_previous;
320a802a16aSjsing return 1;
321a802a16aSjsing }
322a802a16aSjsing
323a802a16aSjsing return 0;
324a802a16aSjsing }
325a802a16aSjsing
326a802a16aSjsing void
tls12_record_layer_write_epoch_done(struct tls12_record_layer * rl,uint16_t epoch)327a802a16aSjsing tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch)
328a802a16aSjsing {
329a802a16aSjsing if (rl->write_previous == NULL || rl->write_previous->epoch != epoch)
330a802a16aSjsing return;
331a802a16aSjsing
332a802a16aSjsing rl->write = rl->write_current;
333a802a16aSjsing
334a802a16aSjsing tls12_record_protection_free(rl->write_previous);
335a802a16aSjsing rl->write_previous = NULL;
336a802a16aSjsing }
337a802a16aSjsing
338acef91a0Sjsing void
tls12_record_layer_clear_read_state(struct tls12_record_layer * rl)339acef91a0Sjsing tls12_record_layer_clear_read_state(struct tls12_record_layer *rl)
340acef91a0Sjsing {
341f2284ad0Sjsing tls12_record_protection_clear(rl->read);
342c8e2fc2bSjsing rl->read->epoch = rl->initial_epoch;
343acef91a0Sjsing }
344acef91a0Sjsing
345acef91a0Sjsing void
tls12_record_layer_clear_write_state(struct tls12_record_layer * rl)346acef91a0Sjsing tls12_record_layer_clear_write_state(struct tls12_record_layer *rl)
347acef91a0Sjsing {
348f2284ad0Sjsing tls12_record_protection_clear(rl->write);
349c8e2fc2bSjsing rl->write->epoch = rl->initial_epoch;
350a802a16aSjsing
351a802a16aSjsing tls12_record_protection_free(rl->write_previous);
352a802a16aSjsing rl->write_previous = NULL;
353acef91a0Sjsing }
354acef91a0Sjsing
355acef91a0Sjsing void
tls12_record_layer_reflect_seq_num(struct tls12_record_layer * rl)356f2284ad0Sjsing tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl)
357acef91a0Sjsing {
358f2284ad0Sjsing memcpy(rl->write->seq_num, rl->read->seq_num,
359f2284ad0Sjsing sizeof(rl->write->seq_num));
360acef91a0Sjsing }
361acef91a0Sjsing
362e3ae3cd6Sjsing static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = {
363e3ae3cd6Sjsing 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
364e3ae3cd6Sjsing };
365e3ae3cd6Sjsing
366e3ae3cd6Sjsing int
tls12_record_layer_inc_seq_num(struct tls12_record_layer * rl,uint8_t * seq_num)367e3ae3cd6Sjsing tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num)
368e3ae3cd6Sjsing {
369e3ae3cd6Sjsing CBS max_seq_num;
370e3ae3cd6Sjsing int i;
371e3ae3cd6Sjsing
372e3ae3cd6Sjsing /*
373e3ae3cd6Sjsing * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS
374e3ae3cd6Sjsing * sequence numbers must not wrap. Note that for DTLS the first two
375e3ae3cd6Sjsing * bytes are used as an "epoch" and not part of the sequence number.
376e3ae3cd6Sjsing */
377e3ae3cd6Sjsing CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN);
378e3ae3cd6Sjsing if (rl->dtls) {
379e3ae3cd6Sjsing if (!CBS_skip(&max_seq_num, 2))
380e3ae3cd6Sjsing return 0;
381e3ae3cd6Sjsing }
382e3ae3cd6Sjsing if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num,
383e3ae3cd6Sjsing CBS_len(&max_seq_num)))
384e3ae3cd6Sjsing return 0;
385e3ae3cd6Sjsing
386e3ae3cd6Sjsing for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
387e3ae3cd6Sjsing if (++seq_num[i] != 0)
388e3ae3cd6Sjsing break;
389e3ae3cd6Sjsing }
390e3ae3cd6Sjsing
391e3ae3cd6Sjsing return 1;
392e3ae3cd6Sjsing }
393e3ae3cd6Sjsing
3942935b8f4Sjsing static int
tls12_record_layer_set_mac_key(struct tls12_record_protection * rp,const uint8_t * mac_key,size_t mac_key_len)3952935b8f4Sjsing tls12_record_layer_set_mac_key(struct tls12_record_protection *rp,
39640038cb8Sjsing const uint8_t *mac_key, size_t mac_key_len)
39740038cb8Sjsing {
3982935b8f4Sjsing freezero(rp->mac_key, rp->mac_key_len);
3992935b8f4Sjsing rp->mac_key = NULL;
4002935b8f4Sjsing rp->mac_key_len = 0;
401b77c9477Sjsing
402b77c9477Sjsing if (mac_key == NULL || mac_key_len == 0)
403b77c9477Sjsing return 1;
404b77c9477Sjsing
4052935b8f4Sjsing if ((rp->mac_key = calloc(1, mac_key_len)) == NULL)
406b77c9477Sjsing return 0;
407b77c9477Sjsing
4082935b8f4Sjsing memcpy(rp->mac_key, mac_key, mac_key_len);
4092935b8f4Sjsing rp->mac_key_len = mac_key_len;
41040038cb8Sjsing
41140038cb8Sjsing return 1;
41240038cb8Sjsing }
41340038cb8Sjsing
414c37fa200Sjsing static int
tls12_record_layer_ccs_aead(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)415c37fa200Sjsing tls12_record_layer_ccs_aead(struct tls12_record_layer *rl,
416d7351ddfSjsing struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
417d7351ddfSjsing CBS *iv)
418c37fa200Sjsing {
419747682f9Sjsing if (!tls12_record_protection_unused(rp))
420747682f9Sjsing return 0;
421747682f9Sjsing
422f9a06750Stb if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL)
423c37fa200Sjsing return 0;
424c37fa200Sjsing
425c37fa200Sjsing /* AES GCM cipher suites use variable nonce in record. */
426c37fa200Sjsing if (rl->aead == EVP_aead_aes_128_gcm() ||
427c37fa200Sjsing rl->aead == EVP_aead_aes_256_gcm())
4287b133c71Sjsing rp->aead_variable_nonce_in_record = 1;
429c37fa200Sjsing
430c37fa200Sjsing /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */
431c37fa200Sjsing if (rl->aead == EVP_aead_chacha20_poly1305())
4327b133c71Sjsing rp->aead_xor_nonces = 1;
433c37fa200Sjsing
4347b133c71Sjsing if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len))
435c37fa200Sjsing return 0;
436c37fa200Sjsing
437609ec8b1Sjsing rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead));
438609ec8b1Sjsing if (rp->aead_nonce == NULL)
439609ec8b1Sjsing return 0;
440c37fa200Sjsing
441609ec8b1Sjsing rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead);
442609ec8b1Sjsing rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead);
443609ec8b1Sjsing rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN;
4442261fe79Sjsing
4457b133c71Sjsing if (rp->aead_xor_nonces) {
446c37fa200Sjsing /* Fixed nonce length must match, variable must not exceed. */
447609ec8b1Sjsing if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
448c37fa200Sjsing return 0;
449609ec8b1Sjsing if (rp->aead_variable_nonce_len > rp->aead_nonce_len)
450c37fa200Sjsing return 0;
451c37fa200Sjsing } else {
452c37fa200Sjsing /* Concatenated nonce length must equal AEAD nonce length. */
4537b133c71Sjsing if (rp->aead_fixed_nonce_len +
454609ec8b1Sjsing rp->aead_variable_nonce_len != rp->aead_nonce_len)
455c37fa200Sjsing return 0;
456c37fa200Sjsing }
457c37fa200Sjsing
4587b133c71Sjsing if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key),
459d7351ddfSjsing CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
460c37fa200Sjsing return 0;
461c37fa200Sjsing
462c37fa200Sjsing return 1;
463c37fa200Sjsing }
464c37fa200Sjsing
465c37fa200Sjsing static int
tls12_record_layer_ccs_cipher(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)4662935b8f4Sjsing tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
467d7351ddfSjsing struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
468d7351ddfSjsing CBS *iv)
4692935b8f4Sjsing {
4702935b8f4Sjsing EVP_PKEY *mac_pkey = NULL;
4712935b8f4Sjsing int mac_type;
4722935b8f4Sjsing int ret = 0;
4732935b8f4Sjsing
474747682f9Sjsing if (!tls12_record_protection_unused(rp))
475ffd1a0d4Sjsing goto err;
476747682f9Sjsing
4772935b8f4Sjsing mac_type = EVP_PKEY_HMAC;
4782935b8f4Sjsing rp->stream_mac = 0;
4792935b8f4Sjsing
480d7351ddfSjsing if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX)
481ffd1a0d4Sjsing goto err;
482d7351ddfSjsing if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv))
483ffd1a0d4Sjsing goto err;
484d7351ddfSjsing if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key))
485ffd1a0d4Sjsing goto err;
486d7351ddfSjsing if (CBS_len(mac_key) > INT_MAX)
487ffd1a0d4Sjsing goto err;
488d7351ddfSjsing if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key))
4892935b8f4Sjsing goto err;
4902935b8f4Sjsing if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
4912935b8f4Sjsing goto err;
4922935b8f4Sjsing if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL)
4932935b8f4Sjsing goto err;
4942935b8f4Sjsing
495d7351ddfSjsing if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key),
496d7351ddfSjsing CBS_len(mac_key)))
4972935b8f4Sjsing goto err;
4982935b8f4Sjsing
499d7351ddfSjsing if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key),
500d7351ddfSjsing CBS_len(mac_key))) == NULL)
5012935b8f4Sjsing goto err;
5022935b8f4Sjsing
503d7351ddfSjsing if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key),
504d7351ddfSjsing CBS_data(iv), is_write))
5052935b8f4Sjsing goto err;
5062935b8f4Sjsing
5072935b8f4Sjsing if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL,
5082935b8f4Sjsing mac_pkey) <= 0)
5092935b8f4Sjsing goto err;
5102935b8f4Sjsing
5112935b8f4Sjsing ret = 1;
5122935b8f4Sjsing
5132935b8f4Sjsing err:
5142935b8f4Sjsing EVP_PKEY_free(mac_pkey);
5152935b8f4Sjsing
5162935b8f4Sjsing return ret;
5172935b8f4Sjsing }
5182935b8f4Sjsing
5192935b8f4Sjsing static int
tls12_record_layer_change_cipher_state(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)520c37fa200Sjsing tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl,
521d7351ddfSjsing struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
522d7351ddfSjsing CBS *iv)
523c37fa200Sjsing {
5242935b8f4Sjsing if (rl->aead != NULL)
525c37fa200Sjsing return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key,
526d7351ddfSjsing key, iv);
5272935b8f4Sjsing
5282935b8f4Sjsing return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key,
529d7351ddfSjsing key, iv);
530c37fa200Sjsing }
531c37fa200Sjsing
532a802a16aSjsing int
tls12_record_layer_change_read_cipher_state(struct tls12_record_layer * rl,CBS * mac_key,CBS * key,CBS * iv)533a802a16aSjsing tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
534d7351ddfSjsing CBS *mac_key, CBS *key, CBS *iv)
535a802a16aSjsing {
536a802a16aSjsing struct tls12_record_protection *read_new = NULL;
537a802a16aSjsing int ret = 0;
538a802a16aSjsing
539a802a16aSjsing if ((read_new = tls12_record_protection_new()) == NULL)
540a802a16aSjsing goto err;
541a802a16aSjsing
542f2284ad0Sjsing /* Read sequence number gets reset to zero. */
543f2284ad0Sjsing
54444aae0c1Sjsing /* DTLS epoch is incremented and is permitted to wrap. */
54544aae0c1Sjsing if (rl->dtls)
54644aae0c1Sjsing read_new->epoch = rl->read_current->epoch + 1;
54744aae0c1Sjsing
548c37fa200Sjsing if (!tls12_record_layer_change_cipher_state(rl, read_new, 0,
549d7351ddfSjsing mac_key, key, iv))
550c37fa200Sjsing goto err;
551a802a16aSjsing
552a802a16aSjsing tls12_record_protection_free(rl->read_current);
553a802a16aSjsing rl->read = rl->read_current = read_new;
554a802a16aSjsing read_new = NULL;
555a802a16aSjsing
556a802a16aSjsing ret = 1;
557a802a16aSjsing
558a802a16aSjsing err:
559a802a16aSjsing tls12_record_protection_free(read_new);
560a802a16aSjsing
561a802a16aSjsing return ret;
562a802a16aSjsing }
563a802a16aSjsing
564a802a16aSjsing int
tls12_record_layer_change_write_cipher_state(struct tls12_record_layer * rl,CBS * mac_key,CBS * key,CBS * iv)565a802a16aSjsing tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
566d7351ddfSjsing CBS *mac_key, CBS *key, CBS *iv)
567a802a16aSjsing {
568a802a16aSjsing struct tls12_record_protection *write_new;
569a802a16aSjsing int ret = 0;
570a802a16aSjsing
571a802a16aSjsing if ((write_new = tls12_record_protection_new()) == NULL)
572a802a16aSjsing goto err;
573a802a16aSjsing
574f2284ad0Sjsing /* Write sequence number gets reset to zero. */
575f2284ad0Sjsing
5762f4e7cfaSjsing /* DTLS epoch is incremented and is permitted to wrap. */
5772f4e7cfaSjsing if (rl->dtls)
5782f4e7cfaSjsing write_new->epoch = rl->write_current->epoch + 1;
5792f4e7cfaSjsing
580c37fa200Sjsing if (!tls12_record_layer_change_cipher_state(rl, write_new, 1,
581d7351ddfSjsing mac_key, key, iv))
582c37fa200Sjsing goto err;
583a802a16aSjsing
584a802a16aSjsing if (rl->dtls) {
585a802a16aSjsing tls12_record_protection_free(rl->write_previous);
586a802a16aSjsing rl->write_previous = rl->write_current;
587a802a16aSjsing rl->write_current = NULL;
588a802a16aSjsing }
589a802a16aSjsing tls12_record_protection_free(rl->write_current);
590a802a16aSjsing rl->write = rl->write_current = write_new;
591a802a16aSjsing write_new = NULL;
592a802a16aSjsing
593a802a16aSjsing ret = 1;
594a802a16aSjsing
595a802a16aSjsing err:
596a802a16aSjsing tls12_record_protection_free(write_new);
597a802a16aSjsing
598a802a16aSjsing return ret;
599a802a16aSjsing }
600f2284ad0Sjsing
601acef91a0Sjsing static int
tls12_record_layer_build_seq_num(struct tls12_record_layer * rl,CBB * cbb,uint16_t epoch,uint8_t * seq_num,size_t seq_num_len)602acef91a0Sjsing tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb,
603acef91a0Sjsing uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)
604acef91a0Sjsing {
605acef91a0Sjsing CBS seq;
606acef91a0Sjsing
607acef91a0Sjsing CBS_init(&seq, seq_num, seq_num_len);
608acef91a0Sjsing
609acef91a0Sjsing if (rl->dtls) {
610acef91a0Sjsing if (!CBB_add_u16(cbb, epoch))
611acef91a0Sjsing return 0;
612acef91a0Sjsing if (!CBS_skip(&seq, 2))
613acef91a0Sjsing return 0;
614acef91a0Sjsing }
615acef91a0Sjsing
616acef91a0Sjsing return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq));
617acef91a0Sjsing }
618acef91a0Sjsing
619acef91a0Sjsing static int
tls12_record_layer_pseudo_header(struct tls12_record_layer * rl,uint8_t content_type,uint16_t record_len,CBS * seq_num,uint8_t ** out,size_t * out_len)620acef91a0Sjsing tls12_record_layer_pseudo_header(struct tls12_record_layer *rl,
621108b1a0fSjsing uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out,
622108b1a0fSjsing size_t *out_len)
623acef91a0Sjsing {
624acef91a0Sjsing CBB cbb;
625acef91a0Sjsing
626acef91a0Sjsing *out = NULL;
627acef91a0Sjsing *out_len = 0;
628acef91a0Sjsing
629acef91a0Sjsing /* Build the pseudo-header used for MAC/AEAD. */
630acef91a0Sjsing if (!CBB_init(&cbb, 13))
631acef91a0Sjsing goto err;
632acef91a0Sjsing
633108b1a0fSjsing if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num)))
634acef91a0Sjsing goto err;
635acef91a0Sjsing if (!CBB_add_u8(&cbb, content_type))
636acef91a0Sjsing goto err;
637acef91a0Sjsing if (!CBB_add_u16(&cbb, rl->version))
638acef91a0Sjsing goto err;
639acef91a0Sjsing if (!CBB_add_u16(&cbb, record_len))
640acef91a0Sjsing goto err;
641acef91a0Sjsing
642acef91a0Sjsing if (!CBB_finish(&cbb, out, out_len))
643acef91a0Sjsing goto err;
644acef91a0Sjsing
645acef91a0Sjsing return 1;
646acef91a0Sjsing
647acef91a0Sjsing err:
648acef91a0Sjsing CBB_cleanup(&cbb);
649acef91a0Sjsing
650acef91a0Sjsing return 0;
651acef91a0Sjsing }
652acef91a0Sjsing
653acef91a0Sjsing static int
tls12_record_layer_mac(struct tls12_record_layer * rl,CBB * cbb,EVP_MD_CTX * hash_ctx,int stream_mac,CBS * seq_num,uint8_t content_type,const uint8_t * content,size_t content_len,size_t * out_len)65489dfa477Sjsing tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
655108b1a0fSjsing EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type,
656108b1a0fSjsing const uint8_t *content, size_t content_len, size_t *out_len)
657acef91a0Sjsing {
658acef91a0Sjsing EVP_MD_CTX *mac_ctx = NULL;
659acef91a0Sjsing uint8_t *header = NULL;
66040038cb8Sjsing size_t header_len = 0;
661acef91a0Sjsing size_t mac_len;
662acef91a0Sjsing uint8_t *mac;
663acef91a0Sjsing int ret = 0;
664acef91a0Sjsing
665acef91a0Sjsing if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
666acef91a0Sjsing goto err;
66789dfa477Sjsing if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx))
668acef91a0Sjsing goto err;
669acef91a0Sjsing
670acef91a0Sjsing if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
671108b1a0fSjsing seq_num, &header, &header_len))
672acef91a0Sjsing goto err;
673acef91a0Sjsing
674acef91a0Sjsing if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0)
675acef91a0Sjsing goto err;
676acef91a0Sjsing if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0)
677acef91a0Sjsing goto err;
678acef91a0Sjsing if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0)
679acef91a0Sjsing goto err;
680acef91a0Sjsing if (!CBB_add_space(cbb, &mac, mac_len))
681acef91a0Sjsing goto err;
682acef91a0Sjsing if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0)
683acef91a0Sjsing goto err;
68440038cb8Sjsing if (mac_len == 0)
68540038cb8Sjsing goto err;
686acef91a0Sjsing
68789dfa477Sjsing if (stream_mac) {
68889dfa477Sjsing if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx))
689acef91a0Sjsing goto err;
690acef91a0Sjsing }
691acef91a0Sjsing
692acef91a0Sjsing *out_len = mac_len;
693acef91a0Sjsing ret = 1;
694acef91a0Sjsing
695acef91a0Sjsing err:
696acef91a0Sjsing EVP_MD_CTX_free(mac_ctx);
69740038cb8Sjsing freezero(header, header_len);
698acef91a0Sjsing
699acef91a0Sjsing return ret;
700acef91a0Sjsing }
701acef91a0Sjsing
702acef91a0Sjsing static int
tls12_record_layer_read_mac_cbc(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,size_t mac_len,size_t padding_len)70340038cb8Sjsing tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb,
704108b1a0fSjsing uint8_t content_type, CBS *seq_num, const uint8_t *content,
705108b1a0fSjsing size_t content_len, size_t mac_len, size_t padding_len)
70640038cb8Sjsing {
70740038cb8Sjsing uint8_t *header = NULL;
70840038cb8Sjsing size_t header_len = 0;
70940038cb8Sjsing uint8_t *mac = NULL;
71040038cb8Sjsing size_t out_mac_len = 0;
71140038cb8Sjsing int ret = 0;
71240038cb8Sjsing
71340038cb8Sjsing /*
71440038cb8Sjsing * Must be constant time to avoid leaking details about CBC padding.
71540038cb8Sjsing */
71640038cb8Sjsing
717a13669d2Sjsing if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx))
71840038cb8Sjsing goto err;
71940038cb8Sjsing
72040038cb8Sjsing if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
721108b1a0fSjsing seq_num, &header, &header_len))
72240038cb8Sjsing goto err;
72340038cb8Sjsing
72440038cb8Sjsing if (!CBB_add_space(cbb, &mac, mac_len))
72540038cb8Sjsing goto err;
726a13669d2Sjsing if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header,
72740038cb8Sjsing content, content_len + mac_len, content_len + mac_len + padding_len,
728a13669d2Sjsing rl->read->mac_key, rl->read->mac_key_len))
72940038cb8Sjsing goto err;
73040038cb8Sjsing if (mac_len != out_mac_len)
73140038cb8Sjsing goto err;
73240038cb8Sjsing
73340038cb8Sjsing ret = 1;
73440038cb8Sjsing
73540038cb8Sjsing err:
73640038cb8Sjsing freezero(header, header_len);
73740038cb8Sjsing
73840038cb8Sjsing return ret;
73940038cb8Sjsing }
74040038cb8Sjsing
74140038cb8Sjsing static int
tls12_record_layer_read_mac(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len)74240038cb8Sjsing tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb,
743108b1a0fSjsing uint8_t content_type, CBS *seq_num, const uint8_t *content,
744108b1a0fSjsing size_t content_len)
74540038cb8Sjsing {
746a13669d2Sjsing EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
74740038cb8Sjsing size_t out_len;
74840038cb8Sjsing
74940038cb8Sjsing if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
75040038cb8Sjsing return 0;
75140038cb8Sjsing
752a13669d2Sjsing return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx,
753108b1a0fSjsing rl->read->stream_mac, seq_num, content_type, content, content_len,
754108b1a0fSjsing &out_len);
75540038cb8Sjsing }
75640038cb8Sjsing
75740038cb8Sjsing static int
tls12_record_layer_write_mac(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,size_t * out_len)75889dfa477Sjsing tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
759108b1a0fSjsing uint8_t content_type, CBS *seq_num, const uint8_t *content,
760108b1a0fSjsing size_t content_len, size_t *out_len)
76189dfa477Sjsing {
762a13669d2Sjsing return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx,
763108b1a0fSjsing rl->write->stream_mac, seq_num, content_type, content, content_len,
764108b1a0fSjsing out_len);
76589dfa477Sjsing }
76689dfa477Sjsing
76789dfa477Sjsing static int
tls12_record_layer_aead_concat_nonce(struct tls12_record_layer * rl,struct tls12_record_protection * rp,CBS * seq_num)768acef91a0Sjsing tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
769609ec8b1Sjsing struct tls12_record_protection *rp, CBS *seq_num)
770acef91a0Sjsing {
771acef91a0Sjsing CBB cbb;
772acef91a0Sjsing
77360ac916aSjsing if (rp->aead_variable_nonce_len > CBS_len(seq_num))
774acef91a0Sjsing return 0;
775acef91a0Sjsing
776acef91a0Sjsing /* Fixed nonce and variable nonce (sequence number) are concatenated. */
777609ec8b1Sjsing if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
778acef91a0Sjsing goto err;
7797b133c71Sjsing if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce,
7807b133c71Sjsing rp->aead_fixed_nonce_len))
781acef91a0Sjsing goto err;
78260ac916aSjsing if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
78360ac916aSjsing rp->aead_variable_nonce_len))
784acef91a0Sjsing goto err;
785609ec8b1Sjsing if (!CBB_finish(&cbb, NULL, NULL))
786acef91a0Sjsing goto err;
787acef91a0Sjsing
788acef91a0Sjsing return 1;
789acef91a0Sjsing
790acef91a0Sjsing err:
791acef91a0Sjsing CBB_cleanup(&cbb);
792acef91a0Sjsing
793acef91a0Sjsing return 0;
794acef91a0Sjsing }
795acef91a0Sjsing
796acef91a0Sjsing static int
tls12_record_layer_aead_xored_nonce(struct tls12_record_layer * rl,struct tls12_record_protection * rp,CBS * seq_num)797acef91a0Sjsing tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
798609ec8b1Sjsing struct tls12_record_protection *rp, CBS *seq_num)
799acef91a0Sjsing {
800acef91a0Sjsing uint8_t *pad;
801acef91a0Sjsing CBB cbb;
802acef91a0Sjsing int i;
803acef91a0Sjsing
80460ac916aSjsing if (rp->aead_variable_nonce_len > CBS_len(seq_num))
805acef91a0Sjsing return 0;
8067b133c71Sjsing if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len)
807acef91a0Sjsing return 0;
808609ec8b1Sjsing if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
809609ec8b1Sjsing return 0;
810acef91a0Sjsing
811acef91a0Sjsing /*
812acef91a0Sjsing * Variable nonce (sequence number) is right padded, before the fixed
813acef91a0Sjsing * nonce is XOR'd in.
814acef91a0Sjsing */
815609ec8b1Sjsing if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
816acef91a0Sjsing goto err;
817acef91a0Sjsing if (!CBB_add_space(&cbb, &pad,
8187b133c71Sjsing rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len))
819acef91a0Sjsing goto err;
82060ac916aSjsing if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
82160ac916aSjsing rp->aead_variable_nonce_len))
822acef91a0Sjsing goto err;
823609ec8b1Sjsing if (!CBB_finish(&cbb, NULL, NULL))
824acef91a0Sjsing goto err;
825acef91a0Sjsing
8267b133c71Sjsing for (i = 0; i < rp->aead_fixed_nonce_len; i++)
827609ec8b1Sjsing rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i];
828acef91a0Sjsing
829acef91a0Sjsing return 1;
830acef91a0Sjsing
831acef91a0Sjsing err:
832acef91a0Sjsing CBB_cleanup(&cbb);
833acef91a0Sjsing
834acef91a0Sjsing return 0;
835acef91a0Sjsing }
836acef91a0Sjsing
837acef91a0Sjsing static int
tls12_record_layer_open_record_plaintext(struct tls12_record_layer * rl,uint8_t content_type,CBS * fragment,struct tls_content * out)83840038cb8Sjsing tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl,
839ee4250f6Sjsing uint8_t content_type, CBS *fragment, struct tls_content *out)
84040038cb8Sjsing {
84123d98bd4Sjsing if (tls12_record_protection_engaged(rl->read))
84240038cb8Sjsing return 0;
84340038cb8Sjsing
844ee4250f6Sjsing return tls_content_dup_data(out, content_type, CBS_data(fragment),
845ee4250f6Sjsing CBS_len(fragment));
84640038cb8Sjsing }
84740038cb8Sjsing
84840038cb8Sjsing static int
tls12_record_layer_open_record_protected_aead(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,CBS * fragment,struct tls_content * out)84940038cb8Sjsing tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
850ee4250f6Sjsing uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
85140038cb8Sjsing {
8527b133c71Sjsing struct tls12_record_protection *rp = rl->read;
853609ec8b1Sjsing uint8_t *header = NULL;
854609ec8b1Sjsing size_t header_len = 0;
855ee4250f6Sjsing uint8_t *content = NULL;
856ee4250f6Sjsing size_t content_len = 0;
857ee4250f6Sjsing size_t out_len = 0;
85840038cb8Sjsing CBS var_nonce;
85940038cb8Sjsing int ret = 0;
86040038cb8Sjsing
8617b133c71Sjsing if (rp->aead_xor_nonces) {
862609ec8b1Sjsing if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
86340038cb8Sjsing goto err;
8647b133c71Sjsing } else if (rp->aead_variable_nonce_in_record) {
86540038cb8Sjsing if (!CBS_get_bytes(fragment, &var_nonce,
8667b133c71Sjsing rp->aead_variable_nonce_len))
86740038cb8Sjsing goto err;
868609ec8b1Sjsing if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce))
86940038cb8Sjsing goto err;
87040038cb8Sjsing } else {
871609ec8b1Sjsing if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
87240038cb8Sjsing goto err;
87340038cb8Sjsing }
87440038cb8Sjsing
87540038cb8Sjsing /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
8767b133c71Sjsing if (CBS_len(fragment) < rp->aead_tag_len) {
87740038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
87840038cb8Sjsing goto err;
87940038cb8Sjsing }
88040038cb8Sjsing if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
88140038cb8Sjsing rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
88240038cb8Sjsing goto err;
88340038cb8Sjsing }
88440038cb8Sjsing
885ee4250f6Sjsing content_len = CBS_len(fragment) - rp->aead_tag_len;
886ee4250f6Sjsing if ((content = calloc(1, CBS_len(fragment))) == NULL) {
887ee4250f6Sjsing content_len = 0;
888ee4250f6Sjsing goto err;
889ee4250f6Sjsing }
89040038cb8Sjsing
891ee4250f6Sjsing if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
892108b1a0fSjsing seq_num, &header, &header_len))
89340038cb8Sjsing goto err;
89440038cb8Sjsing
895ee4250f6Sjsing if (!EVP_AEAD_CTX_open(rp->aead_ctx, content, &out_len, content_len,
896609ec8b1Sjsing rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment),
897609ec8b1Sjsing CBS_len(fragment), header, header_len)) {
89840038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
89940038cb8Sjsing goto err;
90040038cb8Sjsing }
90140038cb8Sjsing
902ee4250f6Sjsing if (out_len > SSL3_RT_MAX_PLAIN_LENGTH) {
90340038cb8Sjsing rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
90440038cb8Sjsing goto err;
90540038cb8Sjsing }
90640038cb8Sjsing
907ee4250f6Sjsing if (out_len != content_len)
90840038cb8Sjsing goto err;
90940038cb8Sjsing
910ee4250f6Sjsing tls_content_set_data(out, content_type, content, content_len);
911ee4250f6Sjsing content = NULL;
912ee4250f6Sjsing content_len = 0;
91340038cb8Sjsing
91440038cb8Sjsing ret = 1;
91540038cb8Sjsing
91640038cb8Sjsing err:
91740038cb8Sjsing freezero(header, header_len);
918ee4250f6Sjsing freezero(content, content_len);
91940038cb8Sjsing
92040038cb8Sjsing return ret;
92140038cb8Sjsing }
92240038cb8Sjsing
92340038cb8Sjsing static int
tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,CBS * fragment,struct tls_content * out)92440038cb8Sjsing tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
925ee4250f6Sjsing uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
92640038cb8Sjsing {
927a13669d2Sjsing EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
92840038cb8Sjsing SSL3_RECORD_INTERNAL rrec;
9291c1840fbSjsing size_t block_size, eiv_len;
93040038cb8Sjsing uint8_t *mac = NULL;
9311c1840fbSjsing size_t mac_len = 0;
93240038cb8Sjsing uint8_t *out_mac = NULL;
93340038cb8Sjsing size_t out_mac_len = 0;
934ee4250f6Sjsing uint8_t *content = NULL;
935ee4250f6Sjsing size_t content_len = 0;
93640038cb8Sjsing size_t min_len;
93740038cb8Sjsing CBB cbb_mac;
93840038cb8Sjsing int ret = 0;
93940038cb8Sjsing
94040038cb8Sjsing memset(&cbb_mac, 0, sizeof(cbb_mac));
94127e46ee6Stb memset(&rrec, 0, sizeof(rrec));
94240038cb8Sjsing
9431c1840fbSjsing if (!tls12_record_protection_block_size(rl->read, &block_size))
94440038cb8Sjsing goto err;
94540038cb8Sjsing
94640038cb8Sjsing /* Determine explicit IV length. */
94740038cb8Sjsing eiv_len = 0;
9481c1840fbSjsing if (rl->version != TLS1_VERSION) {
9491c1840fbSjsing if (!tls12_record_protection_eiv_len(rl->read, &eiv_len))
95040038cb8Sjsing goto err;
9511c1840fbSjsing }
95240038cb8Sjsing
95340038cb8Sjsing mac_len = 0;
954a13669d2Sjsing if (rl->read->hash_ctx != NULL) {
9551c1840fbSjsing if (!tls12_record_protection_mac_len(rl->read, &mac_len))
95640038cb8Sjsing goto err;
95740038cb8Sjsing }
95840038cb8Sjsing
95940038cb8Sjsing /* CBC has at least one padding byte. */
96040038cb8Sjsing min_len = eiv_len + mac_len;
96140038cb8Sjsing if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
96240038cb8Sjsing min_len += 1;
96340038cb8Sjsing
96440038cb8Sjsing if (CBS_len(fragment) < min_len) {
96540038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
96640038cb8Sjsing goto err;
96740038cb8Sjsing }
96840038cb8Sjsing if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
96940038cb8Sjsing rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
97040038cb8Sjsing goto err;
97140038cb8Sjsing }
97240038cb8Sjsing if (CBS_len(fragment) % block_size != 0) {
97340038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
97440038cb8Sjsing goto err;
97540038cb8Sjsing }
97640038cb8Sjsing
977ee4250f6Sjsing if ((content = calloc(1, CBS_len(fragment))) == NULL)
978ee4250f6Sjsing goto err;
979ee4250f6Sjsing content_len = CBS_len(fragment);
98040038cb8Sjsing
981ee4250f6Sjsing if (!EVP_Cipher(enc, content, CBS_data(fragment), CBS_len(fragment)))
98240038cb8Sjsing goto err;
98340038cb8Sjsing
984ee4250f6Sjsing rrec.data = content;
985ee4250f6Sjsing rrec.input = content;
986ee4250f6Sjsing rrec.length = content_len;
98740038cb8Sjsing
98840038cb8Sjsing /*
98940038cb8Sjsing * We now have to remove padding, extract MAC, calculate MAC
99040038cb8Sjsing * and compare MAC in constant time.
99140038cb8Sjsing */
99240038cb8Sjsing if (block_size > 1)
99340038cb8Sjsing ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len);
99440038cb8Sjsing
99540038cb8Sjsing if ((mac = calloc(1, mac_len)) == NULL)
99640038cb8Sjsing goto err;
99740038cb8Sjsing
99840038cb8Sjsing if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE))
99940038cb8Sjsing goto err;
100040038cb8Sjsing if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) {
100140038cb8Sjsing ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length +
100240038cb8Sjsing rrec.padding_length);
100340038cb8Sjsing rrec.length -= mac_len;
100440038cb8Sjsing if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type,
1005108b1a0fSjsing seq_num, rrec.input, rrec.length, mac_len,
1006108b1a0fSjsing rrec.padding_length))
100740038cb8Sjsing goto err;
100840038cb8Sjsing } else {
100940038cb8Sjsing rrec.length -= mac_len;
101040038cb8Sjsing memcpy(mac, rrec.data + rrec.length, mac_len);
101140038cb8Sjsing if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type,
1012108b1a0fSjsing seq_num, rrec.input, rrec.length))
101340038cb8Sjsing goto err;
101440038cb8Sjsing }
101540038cb8Sjsing if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len))
101640038cb8Sjsing goto err;
101740038cb8Sjsing if (mac_len != out_mac_len)
101840038cb8Sjsing goto err;
101940038cb8Sjsing
102040038cb8Sjsing if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) {
102140038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
102240038cb8Sjsing goto err;
102340038cb8Sjsing }
102440038cb8Sjsing
102540038cb8Sjsing if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) {
102640038cb8Sjsing rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
102740038cb8Sjsing goto err;
102840038cb8Sjsing }
102940038cb8Sjsing if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) {
103040038cb8Sjsing rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
103140038cb8Sjsing goto err;
103240038cb8Sjsing }
103340038cb8Sjsing
1034ee4250f6Sjsing tls_content_set_data(out, content_type, content, content_len);
1035ee4250f6Sjsing content = NULL;
1036ee4250f6Sjsing content_len = 0;
1037ee4250f6Sjsing
1038ee4250f6Sjsing /* Actual content is after EIV, minus padding and MAC. */
1039ee4250f6Sjsing if (!tls_content_set_bounds(out, eiv_len, rrec.length))
1040ee4250f6Sjsing goto err;
104140038cb8Sjsing
104240038cb8Sjsing ret = 1;
104340038cb8Sjsing
104440038cb8Sjsing err:
104540038cb8Sjsing CBB_cleanup(&cbb_mac);
104640038cb8Sjsing freezero(mac, mac_len);
104740038cb8Sjsing freezero(out_mac, out_mac_len);
1048ee4250f6Sjsing freezero(content, content_len);
104940038cb8Sjsing
105040038cb8Sjsing return ret;
105140038cb8Sjsing }
105240038cb8Sjsing
105340038cb8Sjsing int
tls12_record_layer_open_record(struct tls12_record_layer * rl,uint8_t * buf,size_t buf_len,struct tls_content * out)105440038cb8Sjsing tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
1055ee4250f6Sjsing size_t buf_len, struct tls_content *out)
105640038cb8Sjsing {
1057108b1a0fSjsing CBS cbs, fragment, seq_num;
1058108b1a0fSjsing uint16_t version;
105940038cb8Sjsing uint8_t content_type;
106040038cb8Sjsing
106140038cb8Sjsing CBS_init(&cbs, buf, buf_len);
1062f2284ad0Sjsing CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num));
106340038cb8Sjsing
106440038cb8Sjsing if (!CBS_get_u8(&cbs, &content_type))
106540038cb8Sjsing return 0;
106640038cb8Sjsing if (!CBS_get_u16(&cbs, &version))
106740038cb8Sjsing return 0;
106840038cb8Sjsing if (rl->dtls) {
1069108b1a0fSjsing /*
1070108b1a0fSjsing * The DTLS sequence number is split into a 16 bit epoch and
1071108b1a0fSjsing * 48 bit sequence number, however for the purposes of record
1072108b1a0fSjsing * processing it is treated the same as a TLS 64 bit sequence
1073108b1a0fSjsing * number. DTLS also uses explicit read sequence numbers, which
1074108b1a0fSjsing * we need to extract from the DTLS record header.
1075108b1a0fSjsing */
1076108b1a0fSjsing if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE))
107740038cb8Sjsing return 0;
1078f2284ad0Sjsing if (!CBS_write_bytes(&seq_num, rl->read->seq_num,
1079f2284ad0Sjsing sizeof(rl->read->seq_num), NULL))
1080f2284ad0Sjsing return 0;
108140038cb8Sjsing }
108240038cb8Sjsing if (!CBS_get_u16_length_prefixed(&cbs, &fragment))
108340038cb8Sjsing return 0;
108440038cb8Sjsing
1085a13669d2Sjsing if (rl->read->aead_ctx != NULL) {
108640038cb8Sjsing if (!tls12_record_layer_open_record_protected_aead(rl,
1087ee4250f6Sjsing content_type, &seq_num, &fragment, out))
108840038cb8Sjsing return 0;
1089a13669d2Sjsing } else if (rl->read->cipher_ctx != NULL) {
109040038cb8Sjsing if (!tls12_record_layer_open_record_protected_cipher(rl,
1091ee4250f6Sjsing content_type, &seq_num, &fragment, out))
109240038cb8Sjsing return 0;
109340038cb8Sjsing } else {
109440038cb8Sjsing if (!tls12_record_layer_open_record_plaintext(rl,
1095ee4250f6Sjsing content_type, &fragment, out))
109640038cb8Sjsing return 0;
109740038cb8Sjsing }
109840038cb8Sjsing
1099e3ae3cd6Sjsing if (!rl->dtls) {
1100e3ae3cd6Sjsing if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num))
1101e3ae3cd6Sjsing return 0;
1102e3ae3cd6Sjsing }
110340038cb8Sjsing
110440038cb8Sjsing return 1;
110540038cb8Sjsing }
110640038cb8Sjsing
110740038cb8Sjsing static int
tls12_record_layer_seal_record_plaintext(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * out)1108de70c6e8Sjsing tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl,
1109de70c6e8Sjsing uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out)
1110de70c6e8Sjsing {
111123d98bd4Sjsing if (tls12_record_protection_engaged(rl->write))
1112de70c6e8Sjsing return 0;
1113de70c6e8Sjsing
1114de70c6e8Sjsing return CBB_add_bytes(out, content, content_len);
1115de70c6e8Sjsing }
1116de70c6e8Sjsing
1117de70c6e8Sjsing static int
tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,CBB * out)1118acef91a0Sjsing tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl,
1119108b1a0fSjsing uint8_t content_type, CBS *seq_num, const uint8_t *content,
1120108b1a0fSjsing size_t content_len, CBB *out)
1121acef91a0Sjsing {
11227b133c71Sjsing struct tls12_record_protection *rp = rl->write;
1123609ec8b1Sjsing uint8_t *header = NULL;
1124609ec8b1Sjsing size_t header_len = 0;
1125acef91a0Sjsing size_t enc_record_len, out_len;
1126acef91a0Sjsing uint8_t *enc_data;
1127acef91a0Sjsing int ret = 0;
1128acef91a0Sjsing
11297b133c71Sjsing if (rp->aead_xor_nonces) {
1130609ec8b1Sjsing if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
1131acef91a0Sjsing goto err;
1132acef91a0Sjsing } else {
1133609ec8b1Sjsing if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
1134acef91a0Sjsing goto err;
1135acef91a0Sjsing }
1136acef91a0Sjsing
11377b133c71Sjsing if (rp->aead_variable_nonce_in_record) {
113860ac916aSjsing if (rp->aead_variable_nonce_len > CBS_len(seq_num))
113960ac916aSjsing goto err;
1140108b1a0fSjsing if (!CBB_add_bytes(out, CBS_data(seq_num),
11417b133c71Sjsing rp->aead_variable_nonce_len))
1142acef91a0Sjsing goto err;
1143acef91a0Sjsing }
1144acef91a0Sjsing
1145acef91a0Sjsing if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
1146108b1a0fSjsing seq_num, &header, &header_len))
1147acef91a0Sjsing goto err;
1148acef91a0Sjsing
1149acef91a0Sjsing /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
11507b133c71Sjsing enc_record_len = content_len + rp->aead_tag_len;
1151acef91a0Sjsing if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1152acef91a0Sjsing goto err;
1153acef91a0Sjsing if (!CBB_add_space(out, &enc_data, enc_record_len))
1154acef91a0Sjsing goto err;
1155acef91a0Sjsing
11567b133c71Sjsing if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len,
1157609ec8b1Sjsing rp->aead_nonce, rp->aead_nonce_len, content, content_len, header,
1158609ec8b1Sjsing header_len))
1159acef91a0Sjsing goto err;
1160acef91a0Sjsing
1161acef91a0Sjsing if (out_len != enc_record_len)
1162acef91a0Sjsing goto err;
1163acef91a0Sjsing
1164acef91a0Sjsing ret = 1;
1165acef91a0Sjsing
1166acef91a0Sjsing err:
1167acef91a0Sjsing freezero(header, header_len);
1168acef91a0Sjsing
1169acef91a0Sjsing return ret;
1170acef91a0Sjsing }
1171acef91a0Sjsing
1172acef91a0Sjsing static int
tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,CBB * out)1173acef91a0Sjsing tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl,
1174108b1a0fSjsing uint8_t content_type, CBS *seq_num, const uint8_t *content,
1175108b1a0fSjsing size_t content_len, CBB *out)
1176acef91a0Sjsing {
1177a13669d2Sjsing EVP_CIPHER_CTX *enc = rl->write->cipher_ctx;
11781c1840fbSjsing size_t block_size, eiv_len, mac_len, pad_len;
1179acef91a0Sjsing uint8_t *enc_data, *eiv, *pad, pad_val;
1180acef91a0Sjsing uint8_t *plain = NULL;
1181acef91a0Sjsing size_t plain_len = 0;
1182acef91a0Sjsing int ret = 0;
1183acef91a0Sjsing CBB cbb;
1184acef91a0Sjsing
1185acef91a0Sjsing if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH))
1186acef91a0Sjsing goto err;
1187acef91a0Sjsing
1188acef91a0Sjsing /* Add explicit IV if necessary. */
1189acef91a0Sjsing eiv_len = 0;
11901c1840fbSjsing if (rl->version != TLS1_VERSION) {
11911c1840fbSjsing if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
1192acef91a0Sjsing goto err;
11931c1840fbSjsing }
1194acef91a0Sjsing if (eiv_len > 0) {
1195acef91a0Sjsing if (!CBB_add_space(&cbb, &eiv, eiv_len))
1196acef91a0Sjsing goto err;
1197acef91a0Sjsing arc4random_buf(eiv, eiv_len);
1198acef91a0Sjsing }
1199acef91a0Sjsing
1200acef91a0Sjsing if (!CBB_add_bytes(&cbb, content, content_len))
1201acef91a0Sjsing goto err;
1202acef91a0Sjsing
1203acef91a0Sjsing mac_len = 0;
1204a13669d2Sjsing if (rl->write->hash_ctx != NULL) {
1205acef91a0Sjsing if (!tls12_record_layer_write_mac(rl, &cbb, content_type,
1206108b1a0fSjsing seq_num, content, content_len, &mac_len))
1207acef91a0Sjsing goto err;
1208acef91a0Sjsing }
1209acef91a0Sjsing
1210679f355aStb plain_len = eiv_len + content_len + mac_len;
1211acef91a0Sjsing
1212acef91a0Sjsing /* Add padding to block size, if necessary. */
12131c1840fbSjsing if (!tls12_record_protection_block_size(rl->write, &block_size))
121411d1e10cSjsing goto err;
1215acef91a0Sjsing if (block_size > 1) {
1216acef91a0Sjsing pad_len = block_size - (plain_len % block_size);
1217acef91a0Sjsing pad_val = pad_len - 1;
1218acef91a0Sjsing
1219acef91a0Sjsing if (pad_len > 255)
1220acef91a0Sjsing goto err;
1221acef91a0Sjsing if (!CBB_add_space(&cbb, &pad, pad_len))
1222acef91a0Sjsing goto err;
1223acef91a0Sjsing memset(pad, pad_val, pad_len);
1224acef91a0Sjsing }
1225acef91a0Sjsing
1226acef91a0Sjsing if (!CBB_finish(&cbb, &plain, &plain_len))
1227acef91a0Sjsing goto err;
1228acef91a0Sjsing
1229acef91a0Sjsing if (plain_len % block_size != 0)
1230acef91a0Sjsing goto err;
1231acef91a0Sjsing if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1232acef91a0Sjsing goto err;
1233acef91a0Sjsing
1234acef91a0Sjsing if (!CBB_add_space(out, &enc_data, plain_len))
1235acef91a0Sjsing goto err;
1236acef91a0Sjsing if (!EVP_Cipher(enc, enc_data, plain, plain_len))
1237acef91a0Sjsing goto err;
1238acef91a0Sjsing
1239acef91a0Sjsing ret = 1;
1240acef91a0Sjsing
1241acef91a0Sjsing err:
1242acef91a0Sjsing CBB_cleanup(&cbb);
1243acef91a0Sjsing freezero(plain, plain_len);
1244acef91a0Sjsing
1245acef91a0Sjsing return ret;
1246acef91a0Sjsing }
1247acef91a0Sjsing
1248acef91a0Sjsing int
tls12_record_layer_seal_record(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * cbb)1249acef91a0Sjsing tls12_record_layer_seal_record(struct tls12_record_layer *rl,
1250acef91a0Sjsing uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb)
1251acef91a0Sjsing {
1252108b1a0fSjsing uint8_t *seq_num_data = NULL;
1253108b1a0fSjsing size_t seq_num_len = 0;
1254108b1a0fSjsing CBB fragment, seq_num_cbb;
1255108b1a0fSjsing CBS seq_num;
1256108b1a0fSjsing int ret = 0;
1257108b1a0fSjsing
1258108b1a0fSjsing /*
1259108b1a0fSjsing * Construct the effective sequence number - this is used in both
1260108b1a0fSjsing * the DTLS header and for MAC calculations.
1261108b1a0fSjsing */
1262108b1a0fSjsing if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE))
1263108b1a0fSjsing goto err;
1264108b1a0fSjsing if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch,
1265f2284ad0Sjsing rl->write->seq_num, sizeof(rl->write->seq_num)))
1266108b1a0fSjsing goto err;
1267108b1a0fSjsing if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len))
1268108b1a0fSjsing goto err;
1269108b1a0fSjsing CBS_init(&seq_num, seq_num_data, seq_num_len);
1270acef91a0Sjsing
1271acef91a0Sjsing if (!CBB_add_u8(cbb, content_type))
1272108b1a0fSjsing goto err;
1273acef91a0Sjsing if (!CBB_add_u16(cbb, rl->version))
1274108b1a0fSjsing goto err;
1275acef91a0Sjsing if (rl->dtls) {
1276108b1a0fSjsing if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num)))
1277108b1a0fSjsing goto err;
1278acef91a0Sjsing }
1279acef91a0Sjsing if (!CBB_add_u16_length_prefixed(cbb, &fragment))
1280108b1a0fSjsing goto err;
1281acef91a0Sjsing
1282a13669d2Sjsing if (rl->write->aead_ctx != NULL) {
1283acef91a0Sjsing if (!tls12_record_layer_seal_record_protected_aead(rl,
1284108b1a0fSjsing content_type, &seq_num, content, content_len, &fragment))
1285108b1a0fSjsing goto err;
1286a13669d2Sjsing } else if (rl->write->cipher_ctx != NULL) {
1287acef91a0Sjsing if (!tls12_record_layer_seal_record_protected_cipher(rl,
1288108b1a0fSjsing content_type, &seq_num, content, content_len, &fragment))
1289108b1a0fSjsing goto err;
1290acef91a0Sjsing } else {
1291acef91a0Sjsing if (!tls12_record_layer_seal_record_plaintext(rl,
1292acef91a0Sjsing content_type, content, content_len, &fragment))
1293108b1a0fSjsing goto err;
1294acef91a0Sjsing }
1295acef91a0Sjsing
1296acef91a0Sjsing if (!CBB_flush(cbb))
1297108b1a0fSjsing goto err;
1298acef91a0Sjsing
1299e3ae3cd6Sjsing if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num))
1300e3ae3cd6Sjsing goto err;
1301acef91a0Sjsing
1302108b1a0fSjsing ret = 1;
1303108b1a0fSjsing
1304108b1a0fSjsing err:
1305108b1a0fSjsing CBB_cleanup(&seq_num_cbb);
1306108b1a0fSjsing free(seq_num_data);
1307108b1a0fSjsing
1308108b1a0fSjsing return ret;
1309acef91a0Sjsing }
1310