xref: /openbsd/lib/libssl/tls12_record_layer.c (revision 689a9b7e) 
1*689a9b7eSbeck /* $OpenBSD: tls12_record_layer.c,v 1.42 2024/02/03 15:58:34 beck Exp $ */
2acef91a0Sjsing /*
3acef91a0Sjsing  * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4acef91a0Sjsing  *
5acef91a0Sjsing  * Permission to use, copy, modify, and distribute this software for any
6acef91a0Sjsing  * purpose with or without fee is hereby granted, provided that the above
7acef91a0Sjsing  * copyright notice and this permission notice appear in all copies.
8acef91a0Sjsing  *
9acef91a0Sjsing  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10acef91a0Sjsing  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11acef91a0Sjsing  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12acef91a0Sjsing  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13acef91a0Sjsing  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14acef91a0Sjsing  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15acef91a0Sjsing  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16acef91a0Sjsing  */
17acef91a0Sjsing 
18c37fa200Sjsing #include <limits.h>
19acef91a0Sjsing #include <stdlib.h>
20acef91a0Sjsing 
21acef91a0Sjsing #include <openssl/evp.h>
22acef91a0Sjsing 
23c9675a23Stb #include "ssl_local.h"
24acef91a0Sjsing 
25e3ae3cd6Sjsing #define TLS12_RECORD_SEQ_NUM_LEN	8
267b133c71Sjsing #define TLS12_AEAD_FIXED_NONCE_MAX_LEN	12
27e3ae3cd6Sjsing 
28a13669d2Sjsing struct tls12_record_protection {
29a13669d2Sjsing 	uint16_t epoch;
30e3ae3cd6Sjsing 	uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN];
31a13669d2Sjsing 
327b133c71Sjsing 	EVP_AEAD_CTX *aead_ctx;
337b133c71Sjsing 
34609ec8b1Sjsing 	uint8_t *aead_nonce;
35609ec8b1Sjsing 	size_t aead_nonce_len;
36609ec8b1Sjsing 
377b133c71Sjsing 	uint8_t *aead_fixed_nonce;
387b133c71Sjsing 	size_t aead_fixed_nonce_len;
397b133c71Sjsing 
407b133c71Sjsing 	size_t aead_variable_nonce_len;
417b133c71Sjsing 	size_t aead_tag_len;
427b133c71Sjsing 
437b133c71Sjsing 	int aead_xor_nonces;
447b133c71Sjsing 	int aead_variable_nonce_in_record;
45c37fa200Sjsing 
46747682f9Sjsing 	EVP_CIPHER_CTX *cipher_ctx;
47747682f9Sjsing 	EVP_MD_CTX *hash_ctx;
48747682f9Sjsing 
49a13669d2Sjsing 	int stream_mac;
50a13669d2Sjsing 
51a13669d2Sjsing 	uint8_t *mac_key;
52a13669d2Sjsing 	size_t mac_key_len;
53a13669d2Sjsing };
54a13669d2Sjsing 
55a13669d2Sjsing static struct tls12_record_protection *
tls12_record_protection_new(void)56a13669d2Sjsing tls12_record_protection_new(void)
57a13669d2Sjsing {
58a13669d2Sjsing 	return calloc(1, sizeof(struct tls12_record_protection));
59a13669d2Sjsing }
60a13669d2Sjsing 
61a13669d2Sjsing static void
tls12_record_protection_clear(struct tls12_record_protection * rp)62f2284ad0Sjsing tls12_record_protection_clear(struct tls12_record_protection *rp)
63f2284ad0Sjsing {
64f9a06750Stb 	EVP_AEAD_CTX_free(rp->aead_ctx);
65c37fa200Sjsing 
66609ec8b1Sjsing 	freezero(rp->aead_nonce, rp->aead_nonce_len);
677b133c71Sjsing 	freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len);
687b133c71Sjsing 
692935b8f4Sjsing 	EVP_CIPHER_CTX_free(rp->cipher_ctx);
702935b8f4Sjsing 	EVP_MD_CTX_free(rp->hash_ctx);
712935b8f4Sjsing 
72f2284ad0Sjsing 	freezero(rp->mac_key, rp->mac_key_len);
7360497c21Sjsing 
7460497c21Sjsing 	memset(rp, 0, sizeof(*rp));
75f2284ad0Sjsing }
76f2284ad0Sjsing 
77f2284ad0Sjsing static void
tls12_record_protection_free(struct tls12_record_protection * rp)78a13669d2Sjsing tls12_record_protection_free(struct tls12_record_protection *rp)
79a13669d2Sjsing {
80a13669d2Sjsing 	if (rp == NULL)
81a13669d2Sjsing 		return;
82a13669d2Sjsing 
83f2284ad0Sjsing 	tls12_record_protection_clear(rp);
84a13669d2Sjsing 
85a13669d2Sjsing 	freezero(rp, sizeof(struct tls12_record_protection));
86a13669d2Sjsing }
87a13669d2Sjsing 
881c1840fbSjsing static int
tls12_record_protection_engaged(struct tls12_record_protection * rp)891365e68cSjsing tls12_record_protection_engaged(struct tls12_record_protection *rp)
901365e68cSjsing {
911365e68cSjsing 	return rp->aead_ctx != NULL || rp->cipher_ctx != NULL;
921365e68cSjsing }
931365e68cSjsing 
941365e68cSjsing static int
tls12_record_protection_unused(struct tls12_record_protection * rp)95747682f9Sjsing tls12_record_protection_unused(struct tls12_record_protection *rp)
96747682f9Sjsing {
97747682f9Sjsing 	return rp->aead_ctx == NULL && rp->cipher_ctx == NULL &&
98747682f9Sjsing 	    rp->hash_ctx == NULL && rp->mac_key == NULL;
99747682f9Sjsing }
100747682f9Sjsing 
101747682f9Sjsing static int
tls12_record_protection_eiv_len(struct tls12_record_protection * rp,size_t * out_eiv_len)1021c1840fbSjsing tls12_record_protection_eiv_len(struct tls12_record_protection *rp,
1031c1840fbSjsing     size_t *out_eiv_len)
1041c1840fbSjsing {
1051c1840fbSjsing 	int eiv_len;
1061c1840fbSjsing 
1071c1840fbSjsing 	*out_eiv_len = 0;
1081c1840fbSjsing 
1091c1840fbSjsing 	if (rp->cipher_ctx == NULL)
1101c1840fbSjsing 		return 0;
1111c1840fbSjsing 
1121c1840fbSjsing 	eiv_len = 0;
1131c1840fbSjsing 	if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE)
1141c1840fbSjsing 		eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx);
1151c1840fbSjsing 	if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH)
1161c1840fbSjsing 		return 0;
1171c1840fbSjsing 
1181c1840fbSjsing 	*out_eiv_len = eiv_len;
1191c1840fbSjsing 
1201c1840fbSjsing 	return 1;
1211c1840fbSjsing }
1221c1840fbSjsing 
1231c1840fbSjsing static int
tls12_record_protection_block_size(struct tls12_record_protection * rp,size_t * out_block_size)1241c1840fbSjsing tls12_record_protection_block_size(struct tls12_record_protection *rp,
1251c1840fbSjsing     size_t *out_block_size)
1261c1840fbSjsing {
1271c1840fbSjsing 	int block_size;
1281c1840fbSjsing 
1291c1840fbSjsing 	*out_block_size = 0;
1301c1840fbSjsing 
1311c1840fbSjsing 	if (rp->cipher_ctx == NULL)
1321c1840fbSjsing 		return 0;
1331c1840fbSjsing 
1341c1840fbSjsing 	block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx);
1351c1840fbSjsing 	if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH)
1361c1840fbSjsing 		return 0;
1371c1840fbSjsing 
1381c1840fbSjsing 	*out_block_size = block_size;
1391c1840fbSjsing 
1401c1840fbSjsing 	return 1;
1411c1840fbSjsing }
1421c1840fbSjsing 
1431c1840fbSjsing static int
tls12_record_protection_mac_len(struct tls12_record_protection * rp,size_t * out_mac_len)1441c1840fbSjsing tls12_record_protection_mac_len(struct tls12_record_protection *rp,
1451c1840fbSjsing     size_t *out_mac_len)
1461c1840fbSjsing {
1471c1840fbSjsing 	int mac_len;
1481c1840fbSjsing 
1491c1840fbSjsing 	*out_mac_len = 0;
1501c1840fbSjsing 
1511c1840fbSjsing 	if (rp->hash_ctx == NULL)
1521c1840fbSjsing 		return 0;
1531c1840fbSjsing 
1541c1840fbSjsing 	mac_len = EVP_MD_CTX_size(rp->hash_ctx);
1551c1840fbSjsing 	if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE)
1561c1840fbSjsing 		return 0;
1571c1840fbSjsing 
1581c1840fbSjsing 	*out_mac_len = mac_len;
1591c1840fbSjsing 
1601c1840fbSjsing 	return 1;
1611c1840fbSjsing }
1621c1840fbSjsing 
163acef91a0Sjsing struct tls12_record_layer {
164acef91a0Sjsing 	uint16_t version;
165c8e2fc2bSjsing 	uint16_t initial_epoch;
166acef91a0Sjsing 	int dtls;
167acef91a0Sjsing 
16840038cb8Sjsing 	uint8_t alert_desc;
16940038cb8Sjsing 
170c37fa200Sjsing 	const EVP_AEAD *aead;
1712935b8f4Sjsing 	const EVP_CIPHER *cipher;
1722935b8f4Sjsing 	const EVP_MD *handshake_hash;
1732935b8f4Sjsing 	const EVP_MD *mac_hash;
174c37fa200Sjsing 
175a802a16aSjsing 	/* Pointers to active record protection (memory is not owned). */
176a13669d2Sjsing 	struct tls12_record_protection *read;
177a13669d2Sjsing 	struct tls12_record_protection *write;
178a802a16aSjsing 
179a802a16aSjsing 	struct tls12_record_protection *read_current;
180a802a16aSjsing 	struct tls12_record_protection *write_current;
181a802a16aSjsing 	struct tls12_record_protection *write_previous;
182acef91a0Sjsing };
183acef91a0Sjsing 
184acef91a0Sjsing struct tls12_record_layer *
tls12_record_layer_new(void)185acef91a0Sjsing tls12_record_layer_new(void)
186acef91a0Sjsing {
187acef91a0Sjsing 	struct tls12_record_layer *rl;
188acef91a0Sjsing 
189acef91a0Sjsing 	if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL)
190a13669d2Sjsing 		goto err;
191a802a16aSjsing 	if ((rl->read_current = tls12_record_protection_new()) == NULL)
192a13669d2Sjsing 		goto err;
193a802a16aSjsing 	if ((rl->write_current = tls12_record_protection_new()) == NULL)
194a13669d2Sjsing 		goto err;
195acef91a0Sjsing 
196a802a16aSjsing 	rl->read = rl->read_current;
197a802a16aSjsing 	rl->write = rl->write_current;
198a802a16aSjsing 
199acef91a0Sjsing 	return rl;
200a13669d2Sjsing 
201a13669d2Sjsing  err:
202a13669d2Sjsing 	tls12_record_layer_free(rl);
203a13669d2Sjsing 
204a13669d2Sjsing 	return NULL;
205acef91a0Sjsing }
206acef91a0Sjsing 
207acef91a0Sjsing void
tls12_record_layer_free(struct tls12_record_layer * rl)208acef91a0Sjsing tls12_record_layer_free(struct tls12_record_layer *rl)
209acef91a0Sjsing {
2103e9ce141Sjsing 	if (rl == NULL)
2113e9ce141Sjsing 		return;
2123e9ce141Sjsing 
213a802a16aSjsing 	tls12_record_protection_free(rl->read_current);
214a802a16aSjsing 	tls12_record_protection_free(rl->write_current);
215a802a16aSjsing 	tls12_record_protection_free(rl->write_previous);
2163e9ce141Sjsing 
217acef91a0Sjsing 	freezero(rl, sizeof(struct tls12_record_layer));
218acef91a0Sjsing }
219acef91a0Sjsing 
220acef91a0Sjsing void
tls12_record_layer_alert(struct tls12_record_layer * rl,uint8_t * alert_desc)22140038cb8Sjsing tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc)
22240038cb8Sjsing {
22340038cb8Sjsing 	*alert_desc = rl->alert_desc;
22440038cb8Sjsing }
22540038cb8Sjsing 
2269123ae00Sjsing int
tls12_record_layer_write_overhead(struct tls12_record_layer * rl,size_t * overhead)2279123ae00Sjsing tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
2289123ae00Sjsing     size_t *overhead)
2299123ae00Sjsing {
2309123ae00Sjsing 	size_t block_size, eiv_len, mac_len;
2319123ae00Sjsing 
2329123ae00Sjsing 	*overhead = 0;
2339123ae00Sjsing 
2349123ae00Sjsing 	if (rl->write->aead_ctx != NULL) {
2357b133c71Sjsing 		*overhead = rl->write->aead_tag_len;
2369123ae00Sjsing 	} else if (rl->write->cipher_ctx != NULL) {
2379123ae00Sjsing 		eiv_len = 0;
2389123ae00Sjsing 		if (rl->version != TLS1_VERSION) {
2399123ae00Sjsing 			if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
2409123ae00Sjsing 				return 0;
2419123ae00Sjsing 		}
2429123ae00Sjsing 		if (!tls12_record_protection_block_size(rl->write, &block_size))
2439123ae00Sjsing 			return 0;
2449123ae00Sjsing 		if (!tls12_record_protection_mac_len(rl->write, &mac_len))
2459123ae00Sjsing 			return 0;
2469123ae00Sjsing 
2479123ae00Sjsing 		*overhead = eiv_len + block_size + mac_len;
2489123ae00Sjsing 	}
2499123ae00Sjsing 
2509123ae00Sjsing 	return 1;
2519123ae00Sjsing }
2529123ae00Sjsing 
2531365e68cSjsing int
tls12_record_layer_read_protected(struct tls12_record_layer * rl)2541365e68cSjsing tls12_record_layer_read_protected(struct tls12_record_layer *rl)
2551365e68cSjsing {
2561365e68cSjsing 	return tls12_record_protection_engaged(rl->read);
2571365e68cSjsing }
2581365e68cSjsing 
2591365e68cSjsing int
tls12_record_layer_write_protected(struct tls12_record_layer * rl)2601365e68cSjsing tls12_record_layer_write_protected(struct tls12_record_layer *rl)
2611365e68cSjsing {
2621365e68cSjsing 	return tls12_record_protection_engaged(rl->write);
2631365e68cSjsing }
2641365e68cSjsing 
26540038cb8Sjsing void
tls12_record_layer_set_aead(struct tls12_record_layer * rl,const EVP_AEAD * aead)266c37fa200Sjsing tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead)
267c37fa200Sjsing {
268c37fa200Sjsing 	rl->aead = aead;
269c37fa200Sjsing }
270c37fa200Sjsing 
271c37fa200Sjsing void
tls12_record_layer_set_cipher_hash(struct tls12_record_layer * rl,const EVP_CIPHER * cipher,const EVP_MD * handshake_hash,const EVP_MD * mac_hash)2722935b8f4Sjsing tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl,
2732935b8f4Sjsing     const EVP_CIPHER *cipher, const EVP_MD *handshake_hash,
2742935b8f4Sjsing     const EVP_MD *mac_hash)
2752935b8f4Sjsing {
2762935b8f4Sjsing 	rl->cipher = cipher;
2772935b8f4Sjsing 	rl->handshake_hash = handshake_hash;
2782935b8f4Sjsing 	rl->mac_hash = mac_hash;
2792935b8f4Sjsing }
2802935b8f4Sjsing 
2812935b8f4Sjsing void
tls12_record_layer_set_version(struct tls12_record_layer * rl,uint16_t version)282acef91a0Sjsing tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
283acef91a0Sjsing {
284acef91a0Sjsing 	rl->version = version;
285fe0929e2Sjsing 	rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR);
286acef91a0Sjsing }
287acef91a0Sjsing 
288c8e2fc2bSjsing void
tls12_record_layer_set_initial_epoch(struct tls12_record_layer * rl,uint16_t epoch)289c8e2fc2bSjsing tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl,
290c8e2fc2bSjsing     uint16_t epoch)
291c8e2fc2bSjsing {
292c8e2fc2bSjsing 	rl->initial_epoch = epoch;
293c8e2fc2bSjsing }
294c8e2fc2bSjsing 
295c8e2fc2bSjsing uint16_t
tls12_record_layer_read_epoch(struct tls12_record_layer * rl)29644aae0c1Sjsing tls12_record_layer_read_epoch(struct tls12_record_layer *rl)
297c8e2fc2bSjsing {
29844aae0c1Sjsing 	return rl->read->epoch;
299c8e2fc2bSjsing }
300c8e2fc2bSjsing 
3012f4e7cfaSjsing uint16_t
tls12_record_layer_write_epoch(struct tls12_record_layer * rl)3022f4e7cfaSjsing tls12_record_layer_write_epoch(struct tls12_record_layer *rl)
303acef91a0Sjsing {
3042f4e7cfaSjsing 	return rl->write->epoch;
305acef91a0Sjsing }
306acef91a0Sjsing 
307a802a16aSjsing int
tls12_record_layer_use_write_epoch(struct tls12_record_layer * rl,uint16_t epoch)308a802a16aSjsing tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch)
309a802a16aSjsing {
310a802a16aSjsing 	if (rl->write->epoch == epoch)
311a802a16aSjsing 		return 1;
312a802a16aSjsing 
313a802a16aSjsing 	if (rl->write_current->epoch == epoch) {
314a802a16aSjsing 		rl->write = rl->write_current;
315a802a16aSjsing 		return 1;
316a802a16aSjsing 	}
317a802a16aSjsing 
318a802a16aSjsing 	if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) {
319a802a16aSjsing 		rl->write = rl->write_previous;
320a802a16aSjsing 		return 1;
321a802a16aSjsing 	}
322a802a16aSjsing 
323a802a16aSjsing 	return 0;
324a802a16aSjsing }
325a802a16aSjsing 
326a802a16aSjsing void
tls12_record_layer_write_epoch_done(struct tls12_record_layer * rl,uint16_t epoch)327a802a16aSjsing tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch)
328a802a16aSjsing {
329a802a16aSjsing 	if (rl->write_previous == NULL || rl->write_previous->epoch != epoch)
330a802a16aSjsing 		return;
331a802a16aSjsing 
332a802a16aSjsing 	rl->write = rl->write_current;
333a802a16aSjsing 
334a802a16aSjsing 	tls12_record_protection_free(rl->write_previous);
335a802a16aSjsing 	rl->write_previous = NULL;
336a802a16aSjsing }
337a802a16aSjsing 
338acef91a0Sjsing void
tls12_record_layer_clear_read_state(struct tls12_record_layer * rl)339acef91a0Sjsing tls12_record_layer_clear_read_state(struct tls12_record_layer *rl)
340acef91a0Sjsing {
341f2284ad0Sjsing 	tls12_record_protection_clear(rl->read);
342c8e2fc2bSjsing 	rl->read->epoch = rl->initial_epoch;
343acef91a0Sjsing }
344acef91a0Sjsing 
345acef91a0Sjsing void
tls12_record_layer_clear_write_state(struct tls12_record_layer * rl)346acef91a0Sjsing tls12_record_layer_clear_write_state(struct tls12_record_layer *rl)
347acef91a0Sjsing {
348f2284ad0Sjsing 	tls12_record_protection_clear(rl->write);
349c8e2fc2bSjsing 	rl->write->epoch = rl->initial_epoch;
350a802a16aSjsing 
351a802a16aSjsing 	tls12_record_protection_free(rl->write_previous);
352a802a16aSjsing 	rl->write_previous = NULL;
353acef91a0Sjsing }
354acef91a0Sjsing 
355acef91a0Sjsing void
tls12_record_layer_reflect_seq_num(struct tls12_record_layer * rl)356f2284ad0Sjsing tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl)
357acef91a0Sjsing {
358f2284ad0Sjsing 	memcpy(rl->write->seq_num, rl->read->seq_num,
359f2284ad0Sjsing 	    sizeof(rl->write->seq_num));
360acef91a0Sjsing }
361acef91a0Sjsing 
362e3ae3cd6Sjsing static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = {
363e3ae3cd6Sjsing 	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
364e3ae3cd6Sjsing };
365e3ae3cd6Sjsing 
366e3ae3cd6Sjsing int
tls12_record_layer_inc_seq_num(struct tls12_record_layer * rl,uint8_t * seq_num)367e3ae3cd6Sjsing tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num)
368e3ae3cd6Sjsing {
369e3ae3cd6Sjsing 	CBS max_seq_num;
370e3ae3cd6Sjsing 	int i;
371e3ae3cd6Sjsing 
372e3ae3cd6Sjsing 	/*
373e3ae3cd6Sjsing 	 * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS
374e3ae3cd6Sjsing 	 * sequence numbers must not wrap. Note that for DTLS the first two
375e3ae3cd6Sjsing 	 * bytes are used as an "epoch" and not part of the sequence number.
376e3ae3cd6Sjsing 	 */
377e3ae3cd6Sjsing 	CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN);
378e3ae3cd6Sjsing 	if (rl->dtls) {
379e3ae3cd6Sjsing 		if (!CBS_skip(&max_seq_num, 2))
380e3ae3cd6Sjsing 			return 0;
381e3ae3cd6Sjsing 	}
382e3ae3cd6Sjsing 	if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num,
383e3ae3cd6Sjsing 	    CBS_len(&max_seq_num)))
384e3ae3cd6Sjsing 		return 0;
385e3ae3cd6Sjsing 
386e3ae3cd6Sjsing 	for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
387e3ae3cd6Sjsing 		if (++seq_num[i] != 0)
388e3ae3cd6Sjsing 			break;
389e3ae3cd6Sjsing 	}
390e3ae3cd6Sjsing 
391e3ae3cd6Sjsing 	return 1;
392e3ae3cd6Sjsing }
393e3ae3cd6Sjsing 
3942935b8f4Sjsing static int
tls12_record_layer_set_mac_key(struct tls12_record_protection * rp,const uint8_t * mac_key,size_t mac_key_len)3952935b8f4Sjsing tls12_record_layer_set_mac_key(struct tls12_record_protection *rp,
39640038cb8Sjsing     const uint8_t *mac_key, size_t mac_key_len)
39740038cb8Sjsing {
3982935b8f4Sjsing 	freezero(rp->mac_key, rp->mac_key_len);
3992935b8f4Sjsing 	rp->mac_key = NULL;
4002935b8f4Sjsing 	rp->mac_key_len = 0;
401b77c9477Sjsing 
402b77c9477Sjsing 	if (mac_key == NULL || mac_key_len == 0)
403b77c9477Sjsing 		return 1;
404b77c9477Sjsing 
4052935b8f4Sjsing 	if ((rp->mac_key = calloc(1, mac_key_len)) == NULL)
406b77c9477Sjsing 		return 0;
407b77c9477Sjsing 
4082935b8f4Sjsing 	memcpy(rp->mac_key, mac_key, mac_key_len);
4092935b8f4Sjsing 	rp->mac_key_len = mac_key_len;
41040038cb8Sjsing 
41140038cb8Sjsing 	return 1;
41240038cb8Sjsing }
41340038cb8Sjsing 
414c37fa200Sjsing static int
tls12_record_layer_ccs_aead(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)415c37fa200Sjsing tls12_record_layer_ccs_aead(struct tls12_record_layer *rl,
416d7351ddfSjsing     struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
417d7351ddfSjsing     CBS *iv)
418c37fa200Sjsing {
419747682f9Sjsing 	if (!tls12_record_protection_unused(rp))
420747682f9Sjsing 		return 0;
421747682f9Sjsing 
422f9a06750Stb 	if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL)
423c37fa200Sjsing 		return 0;
424c37fa200Sjsing 
425c37fa200Sjsing 	/* AES GCM cipher suites use variable nonce in record. */
426c37fa200Sjsing 	if (rl->aead == EVP_aead_aes_128_gcm() ||
427c37fa200Sjsing 	    rl->aead == EVP_aead_aes_256_gcm())
4287b133c71Sjsing 		rp->aead_variable_nonce_in_record = 1;
429c37fa200Sjsing 
430c37fa200Sjsing 	/* ChaCha20 Poly1305 XORs the fixed and variable nonces. */
431c37fa200Sjsing 	if (rl->aead == EVP_aead_chacha20_poly1305())
4327b133c71Sjsing 		rp->aead_xor_nonces = 1;
433c37fa200Sjsing 
4347b133c71Sjsing 	if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len))
435c37fa200Sjsing 		return 0;
436c37fa200Sjsing 
437609ec8b1Sjsing 	rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead));
438609ec8b1Sjsing 	if (rp->aead_nonce == NULL)
439609ec8b1Sjsing 		return 0;
440c37fa200Sjsing 
441609ec8b1Sjsing 	rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead);
442609ec8b1Sjsing 	rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead);
443609ec8b1Sjsing 	rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN;
4442261fe79Sjsing 
4457b133c71Sjsing 	if (rp->aead_xor_nonces) {
446c37fa200Sjsing 		/* Fixed nonce length must match, variable must not exceed. */
447609ec8b1Sjsing 		if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
448c37fa200Sjsing 			return 0;
449609ec8b1Sjsing 		if (rp->aead_variable_nonce_len > rp->aead_nonce_len)
450c37fa200Sjsing 			return 0;
451c37fa200Sjsing 	} else {
452c37fa200Sjsing 		/* Concatenated nonce length must equal AEAD nonce length. */
4537b133c71Sjsing 		if (rp->aead_fixed_nonce_len +
454609ec8b1Sjsing 		    rp->aead_variable_nonce_len != rp->aead_nonce_len)
455c37fa200Sjsing 			return 0;
456c37fa200Sjsing 	}
457c37fa200Sjsing 
4587b133c71Sjsing 	if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key),
459d7351ddfSjsing 	    CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
460c37fa200Sjsing 		return 0;
461c37fa200Sjsing 
462c37fa200Sjsing 	return 1;
463c37fa200Sjsing }
464c37fa200Sjsing 
465c37fa200Sjsing static int
tls12_record_layer_ccs_cipher(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)4662935b8f4Sjsing tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
467d7351ddfSjsing     struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
468d7351ddfSjsing     CBS *iv)
4692935b8f4Sjsing {
4702935b8f4Sjsing 	EVP_PKEY *mac_pkey = NULL;
4712935b8f4Sjsing 	int mac_type;
4722935b8f4Sjsing 	int ret = 0;
4732935b8f4Sjsing 
474747682f9Sjsing 	if (!tls12_record_protection_unused(rp))
475ffd1a0d4Sjsing 		goto err;
476747682f9Sjsing 
4772935b8f4Sjsing 	mac_type = EVP_PKEY_HMAC;
4782935b8f4Sjsing 	rp->stream_mac = 0;
4792935b8f4Sjsing 
480d7351ddfSjsing 	if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX)
481ffd1a0d4Sjsing 		goto err;
482d7351ddfSjsing 	if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv))
483ffd1a0d4Sjsing 		goto err;
484d7351ddfSjsing 	if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key))
485ffd1a0d4Sjsing 		goto err;
486d7351ddfSjsing 	if (CBS_len(mac_key) > INT_MAX)
487ffd1a0d4Sjsing 		goto err;
488d7351ddfSjsing 	if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key))
4892935b8f4Sjsing 		goto err;
4902935b8f4Sjsing 	if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
4912935b8f4Sjsing 		goto err;
4922935b8f4Sjsing 	if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL)
4932935b8f4Sjsing 		goto err;
4942935b8f4Sjsing 
495d7351ddfSjsing 	if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key),
496d7351ddfSjsing 	    CBS_len(mac_key)))
4972935b8f4Sjsing 		goto err;
4982935b8f4Sjsing 
499d7351ddfSjsing 	if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key),
500d7351ddfSjsing 	    CBS_len(mac_key))) == NULL)
5012935b8f4Sjsing 		goto err;
5022935b8f4Sjsing 
503d7351ddfSjsing 	if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key),
504d7351ddfSjsing 	    CBS_data(iv), is_write))
5052935b8f4Sjsing 		goto err;
5062935b8f4Sjsing 
5072935b8f4Sjsing 	if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL,
5082935b8f4Sjsing 	    mac_pkey) <= 0)
5092935b8f4Sjsing 		goto err;
5102935b8f4Sjsing 
5112935b8f4Sjsing 	ret = 1;
5122935b8f4Sjsing 
5132935b8f4Sjsing  err:
5142935b8f4Sjsing 	EVP_PKEY_free(mac_pkey);
5152935b8f4Sjsing 
5162935b8f4Sjsing 	return ret;
5172935b8f4Sjsing }
5182935b8f4Sjsing 
5192935b8f4Sjsing static int
tls12_record_layer_change_cipher_state(struct tls12_record_layer * rl,struct tls12_record_protection * rp,int is_write,CBS * mac_key,CBS * key,CBS * iv)520c37fa200Sjsing tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl,
521d7351ddfSjsing     struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
522d7351ddfSjsing     CBS *iv)
523c37fa200Sjsing {
5242935b8f4Sjsing 	if (rl->aead != NULL)
525c37fa200Sjsing 		return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key,
526d7351ddfSjsing 		    key, iv);
5272935b8f4Sjsing 
5282935b8f4Sjsing 	return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key,
529d7351ddfSjsing 	    key, iv);
530c37fa200Sjsing }
531c37fa200Sjsing 
532a802a16aSjsing int
tls12_record_layer_change_read_cipher_state(struct tls12_record_layer * rl,CBS * mac_key,CBS * key,CBS * iv)533a802a16aSjsing tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
534d7351ddfSjsing     CBS *mac_key, CBS *key, CBS *iv)
535a802a16aSjsing {
536a802a16aSjsing 	struct tls12_record_protection *read_new = NULL;
537a802a16aSjsing 	int ret = 0;
538a802a16aSjsing 
539a802a16aSjsing 	if ((read_new = tls12_record_protection_new()) == NULL)
540a802a16aSjsing 		goto err;
541a802a16aSjsing 
542f2284ad0Sjsing 	/* Read sequence number gets reset to zero. */
543f2284ad0Sjsing 
54444aae0c1Sjsing 	/* DTLS epoch is incremented and is permitted to wrap. */
54544aae0c1Sjsing 	if (rl->dtls)
54644aae0c1Sjsing 		read_new->epoch = rl->read_current->epoch + 1;
54744aae0c1Sjsing 
548c37fa200Sjsing 	if (!tls12_record_layer_change_cipher_state(rl, read_new, 0,
549d7351ddfSjsing 	    mac_key, key, iv))
550c37fa200Sjsing 		goto err;
551a802a16aSjsing 
552a802a16aSjsing 	tls12_record_protection_free(rl->read_current);
553a802a16aSjsing 	rl->read = rl->read_current = read_new;
554a802a16aSjsing 	read_new = NULL;
555a802a16aSjsing 
556a802a16aSjsing 	ret = 1;
557a802a16aSjsing 
558a802a16aSjsing  err:
559a802a16aSjsing 	tls12_record_protection_free(read_new);
560a802a16aSjsing 
561a802a16aSjsing 	return ret;
562a802a16aSjsing }
563a802a16aSjsing 
564a802a16aSjsing int
tls12_record_layer_change_write_cipher_state(struct tls12_record_layer * rl,CBS * mac_key,CBS * key,CBS * iv)565a802a16aSjsing tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
566d7351ddfSjsing     CBS *mac_key, CBS *key, CBS *iv)
567a802a16aSjsing {
568a802a16aSjsing 	struct tls12_record_protection *write_new;
569a802a16aSjsing 	int ret = 0;
570a802a16aSjsing 
571a802a16aSjsing 	if ((write_new = tls12_record_protection_new()) == NULL)
572a802a16aSjsing 		goto err;
573a802a16aSjsing 
574f2284ad0Sjsing 	/* Write sequence number gets reset to zero. */
575f2284ad0Sjsing 
5762f4e7cfaSjsing 	/* DTLS epoch is incremented and is permitted to wrap. */
5772f4e7cfaSjsing 	if (rl->dtls)
5782f4e7cfaSjsing 		write_new->epoch = rl->write_current->epoch + 1;
5792f4e7cfaSjsing 
580c37fa200Sjsing 	if (!tls12_record_layer_change_cipher_state(rl, write_new, 1,
581d7351ddfSjsing 	    mac_key, key, iv))
582c37fa200Sjsing 		goto err;
583a802a16aSjsing 
584a802a16aSjsing 	if (rl->dtls) {
585a802a16aSjsing 		tls12_record_protection_free(rl->write_previous);
586a802a16aSjsing 		rl->write_previous = rl->write_current;
587a802a16aSjsing 		rl->write_current = NULL;
588a802a16aSjsing 	}
589a802a16aSjsing 	tls12_record_protection_free(rl->write_current);
590a802a16aSjsing 	rl->write = rl->write_current = write_new;
591a802a16aSjsing 	write_new = NULL;
592a802a16aSjsing 
593a802a16aSjsing 	ret = 1;
594a802a16aSjsing 
595a802a16aSjsing  err:
596a802a16aSjsing 	tls12_record_protection_free(write_new);
597a802a16aSjsing 
598a802a16aSjsing 	return ret;
599a802a16aSjsing }
600f2284ad0Sjsing 
601acef91a0Sjsing static int
tls12_record_layer_build_seq_num(struct tls12_record_layer * rl,CBB * cbb,uint16_t epoch,uint8_t * seq_num,size_t seq_num_len)602acef91a0Sjsing tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb,
603acef91a0Sjsing     uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)
604acef91a0Sjsing {
605acef91a0Sjsing 	CBS seq;
606acef91a0Sjsing 
607acef91a0Sjsing 	CBS_init(&seq, seq_num, seq_num_len);
608acef91a0Sjsing 
609acef91a0Sjsing 	if (rl->dtls) {
610acef91a0Sjsing 		if (!CBB_add_u16(cbb, epoch))
611acef91a0Sjsing 			return 0;
612acef91a0Sjsing 		if (!CBS_skip(&seq, 2))
613acef91a0Sjsing 			return 0;
614acef91a0Sjsing 	}
615acef91a0Sjsing 
616acef91a0Sjsing 	return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq));
617acef91a0Sjsing }
618acef91a0Sjsing 
619acef91a0Sjsing static int
tls12_record_layer_pseudo_header(struct tls12_record_layer * rl,uint8_t content_type,uint16_t record_len,CBS * seq_num,uint8_t ** out,size_t * out_len)620acef91a0Sjsing tls12_record_layer_pseudo_header(struct tls12_record_layer *rl,
621108b1a0fSjsing     uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out,
622108b1a0fSjsing     size_t *out_len)
623acef91a0Sjsing {
624acef91a0Sjsing 	CBB cbb;
625acef91a0Sjsing 
626acef91a0Sjsing 	*out = NULL;
627acef91a0Sjsing 	*out_len = 0;
628acef91a0Sjsing 
629acef91a0Sjsing 	/* Build the pseudo-header used for MAC/AEAD. */
630acef91a0Sjsing 	if (!CBB_init(&cbb, 13))
631acef91a0Sjsing 		goto err;
632acef91a0Sjsing 
633108b1a0fSjsing 	if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num)))
634acef91a0Sjsing 		goto err;
635acef91a0Sjsing 	if (!CBB_add_u8(&cbb, content_type))
636acef91a0Sjsing 		goto err;
637acef91a0Sjsing 	if (!CBB_add_u16(&cbb, rl->version))
638acef91a0Sjsing 		goto err;
639acef91a0Sjsing 	if (!CBB_add_u16(&cbb, record_len))
640acef91a0Sjsing 		goto err;
641acef91a0Sjsing 
642acef91a0Sjsing 	if (!CBB_finish(&cbb, out, out_len))
643acef91a0Sjsing 		goto err;
644acef91a0Sjsing 
645acef91a0Sjsing 	return 1;
646acef91a0Sjsing 
647acef91a0Sjsing  err:
648acef91a0Sjsing 	CBB_cleanup(&cbb);
649acef91a0Sjsing 
650acef91a0Sjsing 	return 0;
651acef91a0Sjsing }
652acef91a0Sjsing 
653acef91a0Sjsing static int
tls12_record_layer_mac(struct tls12_record_layer * rl,CBB * cbb,EVP_MD_CTX * hash_ctx,int stream_mac,CBS * seq_num,uint8_t content_type,const uint8_t * content,size_t content_len,size_t * out_len)65489dfa477Sjsing tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
655108b1a0fSjsing     EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type,
656108b1a0fSjsing     const uint8_t *content, size_t content_len, size_t *out_len)
657acef91a0Sjsing {
658acef91a0Sjsing 	EVP_MD_CTX *mac_ctx = NULL;
659acef91a0Sjsing 	uint8_t *header = NULL;
66040038cb8Sjsing 	size_t header_len = 0;
661acef91a0Sjsing 	size_t mac_len;
662acef91a0Sjsing 	uint8_t *mac;
663acef91a0Sjsing 	int ret = 0;
664acef91a0Sjsing 
665acef91a0Sjsing 	if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
666acef91a0Sjsing 		goto err;
66789dfa477Sjsing 	if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx))
668acef91a0Sjsing 		goto err;
669acef91a0Sjsing 
670acef91a0Sjsing 	if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
671108b1a0fSjsing 	    seq_num, &header, &header_len))
672acef91a0Sjsing 		goto err;
673acef91a0Sjsing 
674acef91a0Sjsing 	if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0)
675acef91a0Sjsing 		goto err;
676acef91a0Sjsing 	if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0)
677acef91a0Sjsing 		goto err;
678acef91a0Sjsing 	if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0)
679acef91a0Sjsing 		goto err;
680acef91a0Sjsing 	if (!CBB_add_space(cbb, &mac, mac_len))
681acef91a0Sjsing 		goto err;
682acef91a0Sjsing 	if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0)
683acef91a0Sjsing 		goto err;
68440038cb8Sjsing 	if (mac_len == 0)
68540038cb8Sjsing 		goto err;
686acef91a0Sjsing 
68789dfa477Sjsing 	if (stream_mac) {
68889dfa477Sjsing 		if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx))
689acef91a0Sjsing 			goto err;
690acef91a0Sjsing 	}
691acef91a0Sjsing 
692acef91a0Sjsing 	*out_len = mac_len;
693acef91a0Sjsing 	ret = 1;
694acef91a0Sjsing 
695acef91a0Sjsing  err:
696acef91a0Sjsing 	EVP_MD_CTX_free(mac_ctx);
69740038cb8Sjsing 	freezero(header, header_len);
698acef91a0Sjsing 
699acef91a0Sjsing 	return ret;
700acef91a0Sjsing }
701acef91a0Sjsing 
702acef91a0Sjsing static int
tls12_record_layer_read_mac_cbc(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,size_t mac_len,size_t padding_len)70340038cb8Sjsing tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb,
704108b1a0fSjsing     uint8_t content_type, CBS *seq_num, const uint8_t *content,
705108b1a0fSjsing     size_t content_len, size_t mac_len, size_t padding_len)
70640038cb8Sjsing {
70740038cb8Sjsing 	uint8_t *header = NULL;
70840038cb8Sjsing 	size_t header_len = 0;
70940038cb8Sjsing 	uint8_t *mac = NULL;
71040038cb8Sjsing 	size_t out_mac_len = 0;
71140038cb8Sjsing 	int ret = 0;
71240038cb8Sjsing 
71340038cb8Sjsing 	/*
71440038cb8Sjsing 	 * Must be constant time to avoid leaking details about CBC padding.
71540038cb8Sjsing 	 */
71640038cb8Sjsing 
717a13669d2Sjsing 	if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx))
71840038cb8Sjsing 		goto err;
71940038cb8Sjsing 
72040038cb8Sjsing 	if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
721108b1a0fSjsing 	    seq_num, &header, &header_len))
72240038cb8Sjsing 		goto err;
72340038cb8Sjsing 
72440038cb8Sjsing 	if (!CBB_add_space(cbb, &mac, mac_len))
72540038cb8Sjsing 		goto err;
726a13669d2Sjsing 	if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header,
72740038cb8Sjsing 	    content, content_len + mac_len, content_len + mac_len + padding_len,
728a13669d2Sjsing 	    rl->read->mac_key, rl->read->mac_key_len))
72940038cb8Sjsing 		goto err;
73040038cb8Sjsing 	if (mac_len != out_mac_len)
73140038cb8Sjsing 		goto err;
73240038cb8Sjsing 
73340038cb8Sjsing 	ret = 1;
73440038cb8Sjsing 
73540038cb8Sjsing  err:
73640038cb8Sjsing 	freezero(header, header_len);
73740038cb8Sjsing 
73840038cb8Sjsing 	return ret;
73940038cb8Sjsing }
74040038cb8Sjsing 
74140038cb8Sjsing static int
tls12_record_layer_read_mac(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len)74240038cb8Sjsing tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb,
743108b1a0fSjsing     uint8_t content_type, CBS *seq_num, const uint8_t *content,
744108b1a0fSjsing     size_t content_len)
74540038cb8Sjsing {
746a13669d2Sjsing 	EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
74740038cb8Sjsing 	size_t out_len;
74840038cb8Sjsing 
74940038cb8Sjsing 	if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
75040038cb8Sjsing 		return 0;
75140038cb8Sjsing 
752a13669d2Sjsing 	return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx,
753108b1a0fSjsing 	    rl->read->stream_mac, seq_num, content_type, content, content_len,
754108b1a0fSjsing 	    &out_len);
75540038cb8Sjsing }
75640038cb8Sjsing 
75740038cb8Sjsing static int
tls12_record_layer_write_mac(struct tls12_record_layer * rl,CBB * cbb,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,size_t * out_len)75889dfa477Sjsing tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
759108b1a0fSjsing     uint8_t content_type, CBS *seq_num, const uint8_t *content,
760108b1a0fSjsing     size_t content_len, size_t *out_len)
76189dfa477Sjsing {
762a13669d2Sjsing 	return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx,
763108b1a0fSjsing 	    rl->write->stream_mac, seq_num, content_type, content, content_len,
764108b1a0fSjsing 	    out_len);
76589dfa477Sjsing }
76689dfa477Sjsing 
76789dfa477Sjsing static int
tls12_record_layer_aead_concat_nonce(struct tls12_record_layer * rl,struct tls12_record_protection * rp,CBS * seq_num)768acef91a0Sjsing tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
769609ec8b1Sjsing     struct tls12_record_protection *rp, CBS *seq_num)
770acef91a0Sjsing {
771acef91a0Sjsing 	CBB cbb;
772acef91a0Sjsing 
77360ac916aSjsing 	if (rp->aead_variable_nonce_len > CBS_len(seq_num))
774acef91a0Sjsing 		return 0;
775acef91a0Sjsing 
776acef91a0Sjsing 	/* Fixed nonce and variable nonce (sequence number) are concatenated. */
777609ec8b1Sjsing 	if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
778acef91a0Sjsing 		goto err;
7797b133c71Sjsing 	if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce,
7807b133c71Sjsing 	    rp->aead_fixed_nonce_len))
781acef91a0Sjsing 		goto err;
78260ac916aSjsing 	if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
78360ac916aSjsing 	    rp->aead_variable_nonce_len))
784acef91a0Sjsing 		goto err;
785609ec8b1Sjsing 	if (!CBB_finish(&cbb, NULL, NULL))
786acef91a0Sjsing 		goto err;
787acef91a0Sjsing 
788acef91a0Sjsing 	return 1;
789acef91a0Sjsing 
790acef91a0Sjsing  err:
791acef91a0Sjsing 	CBB_cleanup(&cbb);
792acef91a0Sjsing 
793acef91a0Sjsing 	return 0;
794acef91a0Sjsing }
795acef91a0Sjsing 
796acef91a0Sjsing static int
tls12_record_layer_aead_xored_nonce(struct tls12_record_layer * rl,struct tls12_record_protection * rp,CBS * seq_num)797acef91a0Sjsing tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
798609ec8b1Sjsing     struct tls12_record_protection *rp, CBS *seq_num)
799acef91a0Sjsing {
800acef91a0Sjsing 	uint8_t *pad;
801acef91a0Sjsing 	CBB cbb;
802acef91a0Sjsing 	int i;
803acef91a0Sjsing 
80460ac916aSjsing 	if (rp->aead_variable_nonce_len > CBS_len(seq_num))
805acef91a0Sjsing 		return 0;
8067b133c71Sjsing 	if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len)
807acef91a0Sjsing 		return 0;
808609ec8b1Sjsing 	if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
809609ec8b1Sjsing 		return 0;
810acef91a0Sjsing 
811acef91a0Sjsing 	/*
812acef91a0Sjsing 	 * Variable nonce (sequence number) is right padded, before the fixed
813acef91a0Sjsing 	 * nonce is XOR'd in.
814acef91a0Sjsing 	 */
815609ec8b1Sjsing 	if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
816acef91a0Sjsing 		goto err;
817acef91a0Sjsing 	if (!CBB_add_space(&cbb, &pad,
8187b133c71Sjsing 	    rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len))
819acef91a0Sjsing 		goto err;
82060ac916aSjsing 	if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
82160ac916aSjsing 	    rp->aead_variable_nonce_len))
822acef91a0Sjsing 		goto err;
823609ec8b1Sjsing 	if (!CBB_finish(&cbb, NULL, NULL))
824acef91a0Sjsing 		goto err;
825acef91a0Sjsing 
8267b133c71Sjsing 	for (i = 0; i < rp->aead_fixed_nonce_len; i++)
827609ec8b1Sjsing 		rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i];
828acef91a0Sjsing 
829acef91a0Sjsing 	return 1;
830acef91a0Sjsing 
831acef91a0Sjsing  err:
832acef91a0Sjsing 	CBB_cleanup(&cbb);
833acef91a0Sjsing 
834acef91a0Sjsing 	return 0;
835acef91a0Sjsing }
836acef91a0Sjsing 
837acef91a0Sjsing static int
tls12_record_layer_open_record_plaintext(struct tls12_record_layer * rl,uint8_t content_type,CBS * fragment,struct tls_content * out)83840038cb8Sjsing tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl,
839ee4250f6Sjsing     uint8_t content_type, CBS *fragment, struct tls_content *out)
84040038cb8Sjsing {
84123d98bd4Sjsing 	if (tls12_record_protection_engaged(rl->read))
84240038cb8Sjsing 		return 0;
84340038cb8Sjsing 
844ee4250f6Sjsing 	return tls_content_dup_data(out, content_type, CBS_data(fragment),
845ee4250f6Sjsing 	    CBS_len(fragment));
84640038cb8Sjsing }
84740038cb8Sjsing 
84840038cb8Sjsing static int
tls12_record_layer_open_record_protected_aead(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,CBS * fragment,struct tls_content * out)84940038cb8Sjsing tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
850ee4250f6Sjsing     uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
85140038cb8Sjsing {
8527b133c71Sjsing 	struct tls12_record_protection *rp = rl->read;
853609ec8b1Sjsing 	uint8_t *header = NULL;
854609ec8b1Sjsing 	size_t header_len = 0;
855ee4250f6Sjsing 	uint8_t *content = NULL;
856ee4250f6Sjsing 	size_t content_len = 0;
857ee4250f6Sjsing 	size_t out_len = 0;
85840038cb8Sjsing 	CBS var_nonce;
85940038cb8Sjsing 	int ret = 0;
86040038cb8Sjsing 
8617b133c71Sjsing 	if (rp->aead_xor_nonces) {
862609ec8b1Sjsing 		if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
86340038cb8Sjsing 			goto err;
8647b133c71Sjsing 	} else if (rp->aead_variable_nonce_in_record) {
86540038cb8Sjsing 		if (!CBS_get_bytes(fragment, &var_nonce,
8667b133c71Sjsing 		    rp->aead_variable_nonce_len))
86740038cb8Sjsing 			goto err;
868609ec8b1Sjsing 		if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce))
86940038cb8Sjsing 			goto err;
87040038cb8Sjsing 	} else {
871609ec8b1Sjsing 		if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
87240038cb8Sjsing 			goto err;
87340038cb8Sjsing 	}
87440038cb8Sjsing 
87540038cb8Sjsing 	/* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
8767b133c71Sjsing 	if (CBS_len(fragment) < rp->aead_tag_len) {
87740038cb8Sjsing 		rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
87840038cb8Sjsing 		goto err;
87940038cb8Sjsing 	}
88040038cb8Sjsing 	if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
88140038cb8Sjsing 		rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
88240038cb8Sjsing 		goto err;
88340038cb8Sjsing 	}
88440038cb8Sjsing 
885ee4250f6Sjsing 	content_len = CBS_len(fragment) - rp->aead_tag_len;
886ee4250f6Sjsing 	if ((content = calloc(1, CBS_len(fragment))) == NULL) {
887ee4250f6Sjsing 		content_len = 0;
888ee4250f6Sjsing 		goto err;
889ee4250f6Sjsing 	}
89040038cb8Sjsing 
891ee4250f6Sjsing 	if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
892108b1a0fSjsing 	    seq_num, &header, &header_len))
89340038cb8Sjsing 		goto err;
89440038cb8Sjsing 
895ee4250f6Sjsing 	if (!EVP_AEAD_CTX_open(rp->aead_ctx, content, &out_len, content_len,
896609ec8b1Sjsing 	    rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment),
897609ec8b1Sjsing 	    CBS_len(fragment), header, header_len)) {
89840038cb8Sjsing 		rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
89940038cb8Sjsing 		goto err;
90040038cb8Sjsing 	}
90140038cb8Sjsing 
902ee4250f6Sjsing 	if (out_len > SSL3_RT_MAX_PLAIN_LENGTH) {
90340038cb8Sjsing 		rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
90440038cb8Sjsing 		goto err;
90540038cb8Sjsing 	}
90640038cb8Sjsing 
907ee4250f6Sjsing 	if (out_len != content_len)
90840038cb8Sjsing 		goto err;
90940038cb8Sjsing 
910ee4250f6Sjsing 	tls_content_set_data(out, content_type, content, content_len);
911ee4250f6Sjsing 	content = NULL;
912ee4250f6Sjsing 	content_len = 0;
91340038cb8Sjsing 
91440038cb8Sjsing 	ret = 1;
91540038cb8Sjsing 
91640038cb8Sjsing  err:
91740038cb8Sjsing 	freezero(header, header_len);
918ee4250f6Sjsing 	freezero(content, content_len);
91940038cb8Sjsing 
92040038cb8Sjsing 	return ret;
92140038cb8Sjsing }
92240038cb8Sjsing 
92340038cb8Sjsing static int
tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,CBS * fragment,struct tls_content * out)92440038cb8Sjsing tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
925ee4250f6Sjsing     uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
92640038cb8Sjsing {
927a13669d2Sjsing 	EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
92840038cb8Sjsing 	SSL3_RECORD_INTERNAL rrec;
9291c1840fbSjsing 	size_t block_size, eiv_len;
93040038cb8Sjsing 	uint8_t *mac = NULL;
9311c1840fbSjsing 	size_t mac_len = 0;
93240038cb8Sjsing 	uint8_t *out_mac = NULL;
93340038cb8Sjsing 	size_t out_mac_len = 0;
934ee4250f6Sjsing 	uint8_t *content = NULL;
935ee4250f6Sjsing 	size_t content_len = 0;
93640038cb8Sjsing 	size_t min_len;
93740038cb8Sjsing 	CBB cbb_mac;
93840038cb8Sjsing 	int ret = 0;
93940038cb8Sjsing 
94040038cb8Sjsing 	memset(&cbb_mac, 0, sizeof(cbb_mac));
94127e46ee6Stb 	memset(&rrec, 0, sizeof(rrec));
94240038cb8Sjsing 
9431c1840fbSjsing 	if (!tls12_record_protection_block_size(rl->read, &block_size))
94440038cb8Sjsing 		goto err;
94540038cb8Sjsing 
94640038cb8Sjsing 	/* Determine explicit IV length. */
94740038cb8Sjsing 	eiv_len = 0;
9481c1840fbSjsing 	if (rl->version != TLS1_VERSION) {
9491c1840fbSjsing 		if (!tls12_record_protection_eiv_len(rl->read, &eiv_len))
95040038cb8Sjsing 			goto err;
9511c1840fbSjsing 	}
95240038cb8Sjsing 
95340038cb8Sjsing 	mac_len = 0;
954a13669d2Sjsing 	if (rl->read->hash_ctx != NULL) {
9551c1840fbSjsing 		if (!tls12_record_protection_mac_len(rl->read, &mac_len))
95640038cb8Sjsing 			goto err;
95740038cb8Sjsing 	}
95840038cb8Sjsing 
95940038cb8Sjsing 	/* CBC has at least one padding byte. */
96040038cb8Sjsing 	min_len = eiv_len + mac_len;
96140038cb8Sjsing 	if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE)
96240038cb8Sjsing 		min_len += 1;
96340038cb8Sjsing 
96440038cb8Sjsing 	if (CBS_len(fragment) < min_len) {
96540038cb8Sjsing 		rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
96640038cb8Sjsing 		goto err;
96740038cb8Sjsing 	}
96840038cb8Sjsing 	if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
96940038cb8Sjsing 		rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
97040038cb8Sjsing 		goto err;
97140038cb8Sjsing 	}
97240038cb8Sjsing 	if (CBS_len(fragment) % block_size != 0) {
97340038cb8Sjsing 		rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
97440038cb8Sjsing 		goto err;
97540038cb8Sjsing 	}
97640038cb8Sjsing 
977ee4250f6Sjsing 	if ((content = calloc(1, CBS_len(fragment))) == NULL)
978ee4250f6Sjsing 		goto err;
979ee4250f6Sjsing 	content_len = CBS_len(fragment);
98040038cb8Sjsing 
981ee4250f6Sjsing 	if (!EVP_Cipher(enc, content, CBS_data(fragment), CBS_len(fragment)))
98240038cb8Sjsing 		goto err;
98340038cb8Sjsing 
984ee4250f6Sjsing 	rrec.data = content;
985ee4250f6Sjsing 	rrec.input = content;
986ee4250f6Sjsing 	rrec.length = content_len;
98740038cb8Sjsing 
98840038cb8Sjsing 	/*
98940038cb8Sjsing 	 * We now have to remove padding, extract MAC, calculate MAC
99040038cb8Sjsing 	 * and compare MAC in constant time.
99140038cb8Sjsing 	 */
99240038cb8Sjsing 	if (block_size > 1)
99340038cb8Sjsing 		ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len);
99440038cb8Sjsing 
99540038cb8Sjsing 	if ((mac = calloc(1, mac_len)) == NULL)
99640038cb8Sjsing 		goto err;
99740038cb8Sjsing 
99840038cb8Sjsing 	if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE))
99940038cb8Sjsing 		goto err;
100040038cb8Sjsing 	if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) {
100140038cb8Sjsing 		ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length +
100240038cb8Sjsing 		    rrec.padding_length);
100340038cb8Sjsing 		rrec.length -= mac_len;
100440038cb8Sjsing 		if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type,
1005108b1a0fSjsing 		    seq_num, rrec.input, rrec.length, mac_len,
1006108b1a0fSjsing 		    rrec.padding_length))
100740038cb8Sjsing 			goto err;
100840038cb8Sjsing 	} else {
100940038cb8Sjsing 		rrec.length -= mac_len;
101040038cb8Sjsing 		memcpy(mac, rrec.data + rrec.length, mac_len);
101140038cb8Sjsing 		if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type,
1012108b1a0fSjsing 		    seq_num, rrec.input, rrec.length))
101340038cb8Sjsing 			goto err;
101440038cb8Sjsing 	}
101540038cb8Sjsing 	if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len))
101640038cb8Sjsing 		goto err;
101740038cb8Sjsing 	if (mac_len != out_mac_len)
101840038cb8Sjsing 		goto err;
101940038cb8Sjsing 
102040038cb8Sjsing 	if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) {
102140038cb8Sjsing 		rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
102240038cb8Sjsing 		goto err;
102340038cb8Sjsing 	}
102440038cb8Sjsing 
102540038cb8Sjsing 	if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) {
102640038cb8Sjsing 		rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
102740038cb8Sjsing 		goto err;
102840038cb8Sjsing 	}
102940038cb8Sjsing 	if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) {
103040038cb8Sjsing 		rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
103140038cb8Sjsing 		goto err;
103240038cb8Sjsing 	}
103340038cb8Sjsing 
1034ee4250f6Sjsing 	tls_content_set_data(out, content_type, content, content_len);
1035ee4250f6Sjsing 	content = NULL;
1036ee4250f6Sjsing 	content_len = 0;
1037ee4250f6Sjsing 
1038ee4250f6Sjsing 	/* Actual content is after EIV, minus padding and MAC. */
1039ee4250f6Sjsing 	if (!tls_content_set_bounds(out, eiv_len, rrec.length))
1040ee4250f6Sjsing 		goto err;
104140038cb8Sjsing 
104240038cb8Sjsing 	ret = 1;
104340038cb8Sjsing 
104440038cb8Sjsing  err:
104540038cb8Sjsing 	CBB_cleanup(&cbb_mac);
104640038cb8Sjsing 	freezero(mac, mac_len);
104740038cb8Sjsing 	freezero(out_mac, out_mac_len);
1048ee4250f6Sjsing 	freezero(content, content_len);
104940038cb8Sjsing 
105040038cb8Sjsing 	return ret;
105140038cb8Sjsing }
105240038cb8Sjsing 
105340038cb8Sjsing int
tls12_record_layer_open_record(struct tls12_record_layer * rl,uint8_t * buf,size_t buf_len,struct tls_content * out)105440038cb8Sjsing tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
1055ee4250f6Sjsing     size_t buf_len, struct tls_content *out)
105640038cb8Sjsing {
1057108b1a0fSjsing 	CBS cbs, fragment, seq_num;
1058108b1a0fSjsing 	uint16_t version;
105940038cb8Sjsing 	uint8_t content_type;
106040038cb8Sjsing 
106140038cb8Sjsing 	CBS_init(&cbs, buf, buf_len);
1062f2284ad0Sjsing 	CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num));
106340038cb8Sjsing 
106440038cb8Sjsing 	if (!CBS_get_u8(&cbs, &content_type))
106540038cb8Sjsing 		return 0;
106640038cb8Sjsing 	if (!CBS_get_u16(&cbs, &version))
106740038cb8Sjsing 		return 0;
106840038cb8Sjsing 	if (rl->dtls) {
1069108b1a0fSjsing 		/*
1070108b1a0fSjsing 		 * The DTLS sequence number is split into a 16 bit epoch and
1071108b1a0fSjsing 		 * 48 bit sequence number, however for the purposes of record
1072108b1a0fSjsing 		 * processing it is treated the same as a TLS 64 bit sequence
1073108b1a0fSjsing 		 * number. DTLS also uses explicit read sequence numbers, which
1074108b1a0fSjsing 		 * we need to extract from the DTLS record header.
1075108b1a0fSjsing 		 */
1076108b1a0fSjsing 		if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE))
107740038cb8Sjsing 			return 0;
1078f2284ad0Sjsing 		if (!CBS_write_bytes(&seq_num, rl->read->seq_num,
1079f2284ad0Sjsing 		    sizeof(rl->read->seq_num), NULL))
1080f2284ad0Sjsing 			return 0;
108140038cb8Sjsing 	}
108240038cb8Sjsing 	if (!CBS_get_u16_length_prefixed(&cbs, &fragment))
108340038cb8Sjsing 		return 0;
108440038cb8Sjsing 
1085a13669d2Sjsing 	if (rl->read->aead_ctx != NULL) {
108640038cb8Sjsing 		if (!tls12_record_layer_open_record_protected_aead(rl,
1087ee4250f6Sjsing 		    content_type, &seq_num, &fragment, out))
108840038cb8Sjsing 			return 0;
1089a13669d2Sjsing 	} else if (rl->read->cipher_ctx != NULL) {
109040038cb8Sjsing 		if (!tls12_record_layer_open_record_protected_cipher(rl,
1091ee4250f6Sjsing 		    content_type, &seq_num, &fragment, out))
109240038cb8Sjsing 			return 0;
109340038cb8Sjsing 	} else {
109440038cb8Sjsing 		if (!tls12_record_layer_open_record_plaintext(rl,
1095ee4250f6Sjsing 		    content_type, &fragment, out))
109640038cb8Sjsing 			return 0;
109740038cb8Sjsing 	}
109840038cb8Sjsing 
1099e3ae3cd6Sjsing 	if (!rl->dtls) {
1100e3ae3cd6Sjsing 		if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num))
1101e3ae3cd6Sjsing 			return 0;
1102e3ae3cd6Sjsing 	}
110340038cb8Sjsing 
110440038cb8Sjsing 	return 1;
110540038cb8Sjsing }
110640038cb8Sjsing 
110740038cb8Sjsing static int
tls12_record_layer_seal_record_plaintext(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * out)1108de70c6e8Sjsing tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl,
1109de70c6e8Sjsing     uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out)
1110de70c6e8Sjsing {
111123d98bd4Sjsing 	if (tls12_record_protection_engaged(rl->write))
1112de70c6e8Sjsing 		return 0;
1113de70c6e8Sjsing 
1114de70c6e8Sjsing 	return CBB_add_bytes(out, content, content_len);
1115de70c6e8Sjsing }
1116de70c6e8Sjsing 
1117de70c6e8Sjsing static int
tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,CBB * out)1118acef91a0Sjsing tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl,
1119108b1a0fSjsing     uint8_t content_type, CBS *seq_num, const uint8_t *content,
1120108b1a0fSjsing     size_t content_len, CBB *out)
1121acef91a0Sjsing {
11227b133c71Sjsing 	struct tls12_record_protection *rp = rl->write;
1123609ec8b1Sjsing 	uint8_t *header = NULL;
1124609ec8b1Sjsing 	size_t header_len = 0;
1125acef91a0Sjsing 	size_t enc_record_len, out_len;
1126acef91a0Sjsing 	uint8_t *enc_data;
1127acef91a0Sjsing 	int ret = 0;
1128acef91a0Sjsing 
11297b133c71Sjsing 	if (rp->aead_xor_nonces) {
1130609ec8b1Sjsing 		if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
1131acef91a0Sjsing 			goto err;
1132acef91a0Sjsing 	} else {
1133609ec8b1Sjsing 		if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
1134acef91a0Sjsing 			goto err;
1135acef91a0Sjsing 	}
1136acef91a0Sjsing 
11377b133c71Sjsing 	if (rp->aead_variable_nonce_in_record) {
113860ac916aSjsing 		if (rp->aead_variable_nonce_len > CBS_len(seq_num))
113960ac916aSjsing 			goto err;
1140108b1a0fSjsing 		if (!CBB_add_bytes(out, CBS_data(seq_num),
11417b133c71Sjsing 		    rp->aead_variable_nonce_len))
1142acef91a0Sjsing 			goto err;
1143acef91a0Sjsing 	}
1144acef91a0Sjsing 
1145acef91a0Sjsing 	if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
1146108b1a0fSjsing 	    seq_num, &header, &header_len))
1147acef91a0Sjsing 		goto err;
1148acef91a0Sjsing 
1149acef91a0Sjsing 	/* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
11507b133c71Sjsing 	enc_record_len = content_len + rp->aead_tag_len;
1151acef91a0Sjsing 	if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1152acef91a0Sjsing 		goto err;
1153acef91a0Sjsing 	if (!CBB_add_space(out, &enc_data, enc_record_len))
1154acef91a0Sjsing 		goto err;
1155acef91a0Sjsing 
11567b133c71Sjsing 	if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len,
1157609ec8b1Sjsing 	    rp->aead_nonce, rp->aead_nonce_len, content, content_len, header,
1158609ec8b1Sjsing 	    header_len))
1159acef91a0Sjsing 		goto err;
1160acef91a0Sjsing 
1161acef91a0Sjsing 	if (out_len != enc_record_len)
1162acef91a0Sjsing 		goto err;
1163acef91a0Sjsing 
1164acef91a0Sjsing 	ret = 1;
1165acef91a0Sjsing 
1166acef91a0Sjsing  err:
1167acef91a0Sjsing 	freezero(header, header_len);
1168acef91a0Sjsing 
1169acef91a0Sjsing 	return ret;
1170acef91a0Sjsing }
1171acef91a0Sjsing 
1172acef91a0Sjsing static int
tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer * rl,uint8_t content_type,CBS * seq_num,const uint8_t * content,size_t content_len,CBB * out)1173acef91a0Sjsing tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl,
1174108b1a0fSjsing     uint8_t content_type, CBS *seq_num, const uint8_t *content,
1175108b1a0fSjsing     size_t content_len, CBB *out)
1176acef91a0Sjsing {
1177a13669d2Sjsing 	EVP_CIPHER_CTX *enc = rl->write->cipher_ctx;
11781c1840fbSjsing 	size_t block_size, eiv_len, mac_len, pad_len;
1179acef91a0Sjsing 	uint8_t *enc_data, *eiv, *pad, pad_val;
1180acef91a0Sjsing 	uint8_t *plain = NULL;
1181acef91a0Sjsing 	size_t plain_len = 0;
1182acef91a0Sjsing 	int ret = 0;
1183acef91a0Sjsing 	CBB cbb;
1184acef91a0Sjsing 
1185acef91a0Sjsing 	if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH))
1186acef91a0Sjsing 		goto err;
1187acef91a0Sjsing 
1188acef91a0Sjsing 	/* Add explicit IV if necessary. */
1189acef91a0Sjsing 	eiv_len = 0;
11901c1840fbSjsing 	if (rl->version != TLS1_VERSION) {
11911c1840fbSjsing 		if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
1192acef91a0Sjsing 			goto err;
11931c1840fbSjsing 	}
1194acef91a0Sjsing 	if (eiv_len > 0) {
1195acef91a0Sjsing 		if (!CBB_add_space(&cbb, &eiv, eiv_len))
1196acef91a0Sjsing 			goto err;
1197acef91a0Sjsing 		arc4random_buf(eiv, eiv_len);
1198acef91a0Sjsing 	}
1199acef91a0Sjsing 
1200acef91a0Sjsing 	if (!CBB_add_bytes(&cbb, content, content_len))
1201acef91a0Sjsing 		goto err;
1202acef91a0Sjsing 
1203acef91a0Sjsing 	mac_len = 0;
1204a13669d2Sjsing 	if (rl->write->hash_ctx != NULL) {
1205acef91a0Sjsing 		if (!tls12_record_layer_write_mac(rl, &cbb, content_type,
1206108b1a0fSjsing 		    seq_num, content, content_len, &mac_len))
1207acef91a0Sjsing 			goto err;
1208acef91a0Sjsing 	}
1209acef91a0Sjsing 
1210679f355aStb 	plain_len = eiv_len + content_len + mac_len;
1211acef91a0Sjsing 
1212acef91a0Sjsing 	/* Add padding to block size, if necessary. */
12131c1840fbSjsing 	if (!tls12_record_protection_block_size(rl->write, &block_size))
121411d1e10cSjsing 		goto err;
1215acef91a0Sjsing 	if (block_size > 1) {
1216acef91a0Sjsing 		pad_len = block_size - (plain_len % block_size);
1217acef91a0Sjsing 		pad_val = pad_len - 1;
1218acef91a0Sjsing 
1219acef91a0Sjsing 		if (pad_len > 255)
1220acef91a0Sjsing 			goto err;
1221acef91a0Sjsing 		if (!CBB_add_space(&cbb, &pad, pad_len))
1222acef91a0Sjsing 			goto err;
1223acef91a0Sjsing 		memset(pad, pad_val, pad_len);
1224acef91a0Sjsing 	}
1225acef91a0Sjsing 
1226acef91a0Sjsing 	if (!CBB_finish(&cbb, &plain, &plain_len))
1227acef91a0Sjsing 		goto err;
1228acef91a0Sjsing 
1229acef91a0Sjsing 	if (plain_len % block_size != 0)
1230acef91a0Sjsing 		goto err;
1231acef91a0Sjsing 	if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1232acef91a0Sjsing 		goto err;
1233acef91a0Sjsing 
1234acef91a0Sjsing 	if (!CBB_add_space(out, &enc_data, plain_len))
1235acef91a0Sjsing 		goto err;
1236acef91a0Sjsing 	if (!EVP_Cipher(enc, enc_data, plain, plain_len))
1237acef91a0Sjsing 		goto err;
1238acef91a0Sjsing 
1239acef91a0Sjsing 	ret = 1;
1240acef91a0Sjsing 
1241acef91a0Sjsing  err:
1242acef91a0Sjsing 	CBB_cleanup(&cbb);
1243acef91a0Sjsing 	freezero(plain, plain_len);
1244acef91a0Sjsing 
1245acef91a0Sjsing 	return ret;
1246acef91a0Sjsing }
1247acef91a0Sjsing 
1248acef91a0Sjsing int
tls12_record_layer_seal_record(struct tls12_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len,CBB * cbb)1249acef91a0Sjsing tls12_record_layer_seal_record(struct tls12_record_layer *rl,
1250acef91a0Sjsing     uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb)
1251acef91a0Sjsing {
1252108b1a0fSjsing 	uint8_t *seq_num_data = NULL;
1253108b1a0fSjsing 	size_t seq_num_len = 0;
1254108b1a0fSjsing 	CBB fragment, seq_num_cbb;
1255108b1a0fSjsing 	CBS seq_num;
1256108b1a0fSjsing 	int ret = 0;
1257108b1a0fSjsing 
1258108b1a0fSjsing 	/*
1259108b1a0fSjsing 	 * Construct the effective sequence number - this is used in both
1260108b1a0fSjsing 	 * the DTLS header and for MAC calculations.
1261108b1a0fSjsing 	 */
1262108b1a0fSjsing 	if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE))
1263108b1a0fSjsing 		goto err;
1264108b1a0fSjsing 	if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch,
1265f2284ad0Sjsing 	    rl->write->seq_num, sizeof(rl->write->seq_num)))
1266108b1a0fSjsing 		goto err;
1267108b1a0fSjsing 	if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len))
1268108b1a0fSjsing 		goto err;
1269108b1a0fSjsing 	CBS_init(&seq_num, seq_num_data, seq_num_len);
1270acef91a0Sjsing 
1271acef91a0Sjsing 	if (!CBB_add_u8(cbb, content_type))
1272108b1a0fSjsing 		goto err;
1273acef91a0Sjsing 	if (!CBB_add_u16(cbb, rl->version))
1274108b1a0fSjsing 		goto err;
1275acef91a0Sjsing 	if (rl->dtls) {
1276108b1a0fSjsing 		if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num)))
1277108b1a0fSjsing 			goto err;
1278acef91a0Sjsing 	}
1279acef91a0Sjsing 	if (!CBB_add_u16_length_prefixed(cbb, &fragment))
1280108b1a0fSjsing 		goto err;
1281acef91a0Sjsing 
1282a13669d2Sjsing 	if (rl->write->aead_ctx != NULL) {
1283acef91a0Sjsing 		if (!tls12_record_layer_seal_record_protected_aead(rl,
1284108b1a0fSjsing 		    content_type, &seq_num, content, content_len, &fragment))
1285108b1a0fSjsing 			goto err;
1286a13669d2Sjsing 	} else if (rl->write->cipher_ctx != NULL) {
1287acef91a0Sjsing 		if (!tls12_record_layer_seal_record_protected_cipher(rl,
1288108b1a0fSjsing 		    content_type, &seq_num, content, content_len, &fragment))
1289108b1a0fSjsing 			goto err;
1290acef91a0Sjsing 	} else {
1291acef91a0Sjsing 		if (!tls12_record_layer_seal_record_plaintext(rl,
1292acef91a0Sjsing 		    content_type, content, content_len, &fragment))
1293108b1a0fSjsing 			goto err;
1294acef91a0Sjsing 	}
1295acef91a0Sjsing 
1296acef91a0Sjsing 	if (!CBB_flush(cbb))
1297108b1a0fSjsing 		goto err;
1298acef91a0Sjsing 
1299e3ae3cd6Sjsing 	if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num))
1300e3ae3cd6Sjsing 		goto err;
1301acef91a0Sjsing 
1302108b1a0fSjsing 	ret = 1;
1303108b1a0fSjsing 
1304108b1a0fSjsing  err:
1305108b1a0fSjsing 	CBB_cleanup(&seq_num_cbb);
1306108b1a0fSjsing 	free(seq_num_data);
1307108b1a0fSjsing 
1308108b1a0fSjsing 	return ret;
1309acef91a0Sjsing }
1310