]>
Commit | Line | Data |
---|---|---|
50023e9b MC |
1 | /* |
2 | * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <openssl/evp.h> | |
11 | #include <openssl/core_names.h> | |
12 | #include <openssl/rand.h> | |
91fe8ff0 | 13 | #include <openssl/ssl.h> |
50023e9b MC |
14 | #include "../../ssl_local.h" |
15 | #include "../record_local.h" | |
16 | #include "recmethod_local.h" | |
17 | ||
50023e9b MC |
18 | static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, |
19 | unsigned char *key, size_t keylen, | |
20 | unsigned char *iv, size_t ivlen, | |
21 | unsigned char *mackey, size_t mackeylen, | |
22 | const EVP_CIPHER *ciph, | |
23 | size_t taglen, | |
50023e9b MC |
24 | int mactype, |
25 | const EVP_MD *md, | |
1e76110b | 26 | COMP_METHOD *comp) |
50023e9b MC |
27 | { |
28 | EVP_CIPHER_CTX *ciph_ctx; | |
29 | EVP_PKEY *mac_key; | |
9251c3c4 | 30 | int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0; |
50023e9b MC |
31 | |
32 | if (level != OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) | |
7c293999 | 33 | return OSSL_RECORD_RETURN_FATAL; |
50023e9b | 34 | |
6366bdd9 | 35 | if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) { |
e077455e | 36 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); |
7c293999 | 37 | return OSSL_RECORD_RETURN_FATAL; |
50023e9b MC |
38 | } |
39 | ||
6366bdd9 | 40 | ciph_ctx = rl->enc_ctx; |
50023e9b | 41 | |
6366bdd9 MC |
42 | rl->md_ctx = EVP_MD_CTX_new(); |
43 | if (rl->md_ctx == NULL) { | |
50023e9b | 44 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
7c293999 | 45 | return OSSL_RECORD_RETURN_FATAL; |
50023e9b MC |
46 | } |
47 | #ifndef OPENSSL_NO_COMP | |
48 | if (comp != NULL) { | |
1e76110b | 49 | rl->compctx = COMP_CTX_new(comp); |
9251c3c4 | 50 | if (rl->compctx == NULL) { |
7c293999 MC |
51 | ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR); |
52 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
53 | } |
54 | } | |
55 | #endif | |
50023e9b MC |
56 | |
57 | /* | |
58 | * If we have an AEAD Cipher, then there is no separate MAC, so we can skip | |
59 | * setting up the MAC key. | |
60 | */ | |
1704961c | 61 | if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0) { |
50023e9b MC |
62 | if (mactype == EVP_PKEY_HMAC) { |
63 | mac_key = EVP_PKEY_new_raw_private_key_ex(rl->libctx, "HMAC", | |
64 | rl->propq, mackey, | |
65 | mackeylen); | |
66 | } else { | |
67 | /* | |
68 | * If its not HMAC then the only other types of MAC we support are | |
69 | * the GOST MACs, so we need to use the old style way of creating | |
70 | * a MAC key. | |
71 | */ | |
72 | mac_key = EVP_PKEY_new_mac_key(mactype, NULL, mackey, | |
73 | (int)mackeylen); | |
74 | } | |
75 | if (mac_key == NULL | |
6366bdd9 | 76 | || EVP_DigestSignInit_ex(rl->md_ctx, NULL, EVP_MD_get0_name(md), |
50023e9b MC |
77 | rl->libctx, rl->propq, mac_key, |
78 | NULL) <= 0) { | |
79 | EVP_PKEY_free(mac_key); | |
7c293999 MC |
80 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
81 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
82 | } |
83 | EVP_PKEY_free(mac_key); | |
84 | } | |
85 | ||
86 | if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_GCM_MODE) { | |
9251c3c4 | 87 | if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, NULL, enc) |
50023e9b | 88 | || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_GCM_SET_IV_FIXED, |
7c293999 MC |
89 | (int)ivlen, iv) <= 0) { |
90 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); | |
91 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
92 | } |
93 | } else if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) { | |
9251c3c4 | 94 | if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, enc) |
50023e9b MC |
95 | || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, |
96 | NULL) <= 0 | |
97 | || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, | |
98 | (int)taglen, NULL) <= 0 | |
99 | || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_CCM_SET_IV_FIXED, | |
100 | (int)ivlen, iv) <= 0 | |
9251c3c4 | 101 | || !EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, enc)) { |
7c293999 MC |
102 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
103 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
104 | } |
105 | } else { | |
9251c3c4 | 106 | if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, iv, enc)) { |
7c293999 MC |
107 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
108 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
109 | } |
110 | } | |
111 | /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ | |
112 | if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0 | |
113 | && mackeylen != 0 | |
114 | && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_MAC_KEY, | |
115 | (int)mackeylen, mackey) <= 0) { | |
7c293999 MC |
116 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
117 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
118 | } |
119 | if (EVP_CIPHER_get0_provider(ciph) != NULL | |
7f2f0ac7 | 120 | && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) |
7c293999 | 121 | return OSSL_RECORD_RETURN_FATAL; |
50023e9b | 122 | |
9251c3c4 MC |
123 | /* Calculate the explict IV length */ |
124 | if (RLAYER_USE_EXPLICIT_IV(rl)) { | |
125 | int mode = EVP_CIPHER_CTX_get_mode(ciph_ctx); | |
126 | int eivlen = 0; | |
127 | ||
128 | if (mode == EVP_CIPH_CBC_MODE) { | |
129 | eivlen = EVP_CIPHER_CTX_get_iv_length(ciph_ctx); | |
130 | if (eivlen < 0) { | |
131 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); | |
132 | return OSSL_RECORD_RETURN_FATAL; | |
133 | } | |
134 | if (eivlen <= 1) | |
135 | eivlen = 0; | |
136 | } else if (mode == EVP_CIPH_GCM_MODE) { | |
137 | /* Need explicit part of IV for GCM mode */ | |
138 | eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
139 | } else if (mode == EVP_CIPH_CCM_MODE) { | |
140 | eivlen = EVP_CCM_TLS_EXPLICIT_IV_LEN; | |
141 | } | |
142 | rl->eivlen = (size_t)eivlen; | |
143 | } | |
144 | ||
7c293999 | 145 | return OSSL_RECORD_RETURN_SUCCESS; |
50023e9b MC |
146 | } |
147 | ||
148 | #define MAX_PADDING 256 | |
149 | /*- | |
1704961c MC |
150 | * tls1_cipher encrypts/decrypts |n_recs| in |recs|. Calls RLAYERfatal on |
151 | * internal error, but not otherwise. It is the responsibility of the caller to | |
152 | * report a bad_record_mac - if appropriate (DTLS just drops the record). | |
50023e9b MC |
153 | * |
154 | * Returns: | |
155 | * 0: if the record is publicly invalid, or an internal error, or AEAD | |
156 | * decryption failed, or Encrypt-then-mac decryption failed. | |
157 | * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised) | |
158 | */ | |
159 | static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, | |
8124ab56 | 160 | int sending, SSL_MAC_BUF *macs, size_t macsize) |
50023e9b MC |
161 | { |
162 | EVP_CIPHER_CTX *ds; | |
163 | size_t reclen[SSL_MAX_PIPELINES]; | |
164 | unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN]; | |
3961af37 | 165 | unsigned char *data[SSL_MAX_PIPELINES]; |
bed07b18 | 166 | int pad = 0, tmpr, provided; |
50023e9b MC |
167 | size_t bs, ctr, padnum, loop; |
168 | unsigned char padval; | |
169 | const EVP_CIPHER *enc; | |
50023e9b MC |
170 | |
171 | if (n_recs == 0) { | |
172 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
173 | return 0; | |
174 | } | |
175 | ||
6366bdd9 MC |
176 | if (EVP_MD_CTX_get0_md(rl->md_ctx)) { |
177 | int n = EVP_MD_CTX_get_size(rl->md_ctx); | |
1704961c | 178 | |
6366bdd9 | 179 | if (!ossl_assert(n >= 0)) { |
50023e9b MC |
180 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
181 | return 0; | |
182 | } | |
6366bdd9 MC |
183 | } |
184 | ds = rl->enc_ctx; | |
1704961c | 185 | if (!ossl_assert(rl->enc_ctx != NULL)) { |
6366bdd9 MC |
186 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
187 | return 0; | |
188 | } | |
189 | ||
190 | enc = EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx); | |
191 | ||
192 | if (sending) { | |
193 | int ivlen; | |
50023e9b | 194 | |
50023e9b | 195 | /* For TLSv1.1 and later explicit IV */ |
8124ab56 | 196 | if (RLAYER_USE_EXPLICIT_IV(rl) |
50023e9b MC |
197 | && EVP_CIPHER_get_mode(enc) == EVP_CIPH_CBC_MODE) |
198 | ivlen = EVP_CIPHER_get_iv_length(enc); | |
199 | else | |
200 | ivlen = 0; | |
201 | if (ivlen > 1) { | |
202 | for (ctr = 0; ctr < n_recs; ctr++) { | |
203 | if (recs[ctr].data != recs[ctr].input) { | |
50023e9b MC |
204 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
205 | return 0; | |
6366bdd9 | 206 | } else if (RAND_bytes_ex(rl->libctx, recs[ctr].input, |
1704961c | 207 | ivlen, 0) <= 0) { |
50023e9b MC |
208 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
209 | return 0; | |
210 | } | |
211 | } | |
212 | } | |
50023e9b | 213 | } |
8124ab56 | 214 | if (!ossl_assert(enc != NULL)) { |
50023e9b MC |
215 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
216 | return 0; | |
217 | } | |
218 | ||
219 | provided = (EVP_CIPHER_get0_provider(enc) != NULL); | |
220 | ||
221 | bs = EVP_CIPHER_get_block_size(EVP_CIPHER_CTX_get0_cipher(ds)); | |
222 | ||
223 | if (n_recs > 1) { | |
224 | if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds)) | |
1704961c | 225 | & EVP_CIPH_FLAG_PIPELINE) == 0) { |
50023e9b | 226 | /* |
d4ee3456 MC |
227 | * We shouldn't have been called with pipeline data if the |
228 | * cipher doesn't support pipelining | |
229 | */ | |
50023e9b MC |
230 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE); |
231 | return 0; | |
232 | } | |
233 | } | |
234 | for (ctr = 0; ctr < n_recs; ctr++) { | |
235 | reclen[ctr] = recs[ctr].length; | |
236 | ||
237 | if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds)) | |
1704961c | 238 | & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) { |
50023e9b MC |
239 | unsigned char *seq; |
240 | ||
0755722c | 241 | seq = rl->sequence; |
50023e9b | 242 | |
8124ab56 | 243 | if (rl->isdtls) { |
50023e9b MC |
244 | unsigned char dtlsseq[8], *p = dtlsseq; |
245 | ||
bfc0f10d | 246 | s2n(rl->epoch, p); |
50023e9b MC |
247 | memcpy(p, &seq[2], 6); |
248 | memcpy(buf[ctr], dtlsseq, 8); | |
249 | } else { | |
250 | memcpy(buf[ctr], seq, 8); | |
bed07b18 MC |
251 | if (!tls_increment_sequence_ctr(rl)) { |
252 | /* RLAYERfatal already called */ | |
253 | return 0; | |
50023e9b MC |
254 | } |
255 | } | |
256 | ||
257 | buf[ctr][8] = recs[ctr].type; | |
258 | buf[ctr][9] = (unsigned char)(rl->version >> 8); | |
259 | buf[ctr][10] = (unsigned char)(rl->version); | |
260 | buf[ctr][11] = (unsigned char)(recs[ctr].length >> 8); | |
261 | buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff); | |
262 | pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, | |
1704961c | 263 | EVP_AEAD_TLS1_AAD_LEN, buf[ctr]); |
50023e9b MC |
264 | if (pad <= 0) { |
265 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
266 | return 0; | |
267 | } | |
268 | ||
269 | if (sending) { | |
270 | reclen[ctr] += pad; | |
271 | recs[ctr].length += pad; | |
272 | } | |
50023e9b MC |
273 | } else if ((bs != 1) && sending && !provided) { |
274 | /* | |
d4ee3456 MC |
275 | * We only do this for legacy ciphers. Provided ciphers add the |
276 | * padding on the provider side. | |
277 | */ | |
50023e9b MC |
278 | padnum = bs - (reclen[ctr] % bs); |
279 | ||
280 | /* Add weird padding of up to 256 bytes */ | |
281 | ||
282 | if (padnum > MAX_PADDING) { | |
283 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
284 | return 0; | |
285 | } | |
286 | /* we need to add 'padnum' padding bytes of value padval */ | |
287 | padval = (unsigned char)(padnum - 1); | |
288 | for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++) | |
289 | recs[ctr].input[loop] = padval; | |
290 | reclen[ctr] += padnum; | |
291 | recs[ctr].length += padnum; | |
292 | } | |
293 | ||
294 | if (!sending) { | |
295 | if (reclen[ctr] == 0 || reclen[ctr] % bs != 0) { | |
296 | /* Publicly invalid */ | |
297 | return 0; | |
298 | } | |
299 | } | |
300 | } | |
301 | if (n_recs > 1) { | |
50023e9b | 302 | /* Set the output buffers */ |
1704961c | 303 | for (ctr = 0; ctr < n_recs; ctr++) |
50023e9b | 304 | data[ctr] = recs[ctr].data; |
1704961c | 305 | |
50023e9b MC |
306 | if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS, |
307 | (int)n_recs, data) <= 0) { | |
308 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE); | |
309 | return 0; | |
310 | } | |
311 | /* Set the input buffers */ | |
1704961c | 312 | for (ctr = 0; ctr < n_recs; ctr++) |
50023e9b | 313 | data[ctr] = recs[ctr].input; |
1704961c | 314 | |
50023e9b MC |
315 | if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS, |
316 | (int)n_recs, data) <= 0 | |
317 | || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS, | |
1704961c | 318 | (int)n_recs, reclen) <= 0) { |
50023e9b MC |
319 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE); |
320 | return 0; | |
321 | } | |
322 | } | |
323 | ||
8124ab56 | 324 | if (!rl->isdtls && rl->tlstree) { |
50023e9b MC |
325 | int decrement_seq = 0; |
326 | ||
327 | /* | |
d4ee3456 MC |
328 | * When sending, seq is incremented after MAC calculation. |
329 | * So if we are in ETM mode, we use seq 'as is' in the ctrl-function. | |
330 | * Otherwise we have to decrease it in the implementation | |
331 | */ | |
7f2f0ac7 | 332 | if (sending && !rl->use_etm) |
50023e9b MC |
333 | decrement_seq = 1; |
334 | ||
bed07b18 MC |
335 | if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_TLSTREE, decrement_seq, |
336 | rl->sequence) <= 0) { | |
337 | ||
50023e9b MC |
338 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
339 | return 0; | |
340 | } | |
341 | } | |
342 | ||
343 | if (provided) { | |
344 | int outlen; | |
345 | ||
346 | /* Provided cipher - we do not support pipelining on this path */ | |
1704961c | 347 | if (n_recs > 1) { |
50023e9b MC |
348 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
349 | return 0; | |
350 | } | |
351 | ||
352 | if (!EVP_CipherUpdate(ds, recs[0].data, &outlen, recs[0].input, | |
1704961c | 353 | (unsigned int)reclen[0])) |
50023e9b MC |
354 | return 0; |
355 | recs[0].length = outlen; | |
356 | ||
357 | /* | |
d4ee3456 MC |
358 | * The length returned from EVP_CipherUpdate above is the actual |
359 | * payload length. We need to adjust the data/input ptr to skip over | |
360 | * any explicit IV | |
361 | */ | |
50023e9b MC |
362 | if (!sending) { |
363 | if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) { | |
1704961c MC |
364 | recs[0].data += EVP_GCM_TLS_EXPLICIT_IV_LEN; |
365 | recs[0].input += EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
50023e9b | 366 | } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) { |
1704961c MC |
367 | recs[0].data += EVP_CCM_TLS_EXPLICIT_IV_LEN; |
368 | recs[0].input += EVP_CCM_TLS_EXPLICIT_IV_LEN; | |
88d61680 | 369 | } else if (bs != 1 && RLAYER_USE_EXPLICIT_IV(rl)) { |
50023e9b MC |
370 | recs[0].data += bs; |
371 | recs[0].input += bs; | |
372 | recs[0].orig_len -= bs; | |
373 | } | |
374 | ||
375 | /* Now get a pointer to the MAC (if applicable) */ | |
376 | if (macs != NULL) { | |
377 | OSSL_PARAM params[2], *p = params; | |
378 | ||
379 | /* Get the MAC */ | |
380 | macs[0].alloced = 0; | |
381 | ||
382 | *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC, | |
1704961c MC |
383 | (void **)&macs[0].mac, |
384 | macsize); | |
50023e9b MC |
385 | *p = OSSL_PARAM_construct_end(); |
386 | ||
387 | if (!EVP_CIPHER_CTX_get_params(ds, params)) { | |
388 | /* Shouldn't normally happen */ | |
389 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, | |
390 | ERR_R_INTERNAL_ERROR); | |
391 | return 0; | |
392 | } | |
393 | } | |
394 | } | |
395 | } else { | |
396 | /* Legacy cipher */ | |
397 | ||
398 | tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input, | |
1704961c | 399 | (unsigned int)reclen[0]); |
50023e9b | 400 | if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds)) |
1704961c | 401 | & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0 |
50023e9b MC |
402 | ? (tmpr < 0) |
403 | : (tmpr == 0)) { | |
404 | /* AEAD can fail to verify MAC */ | |
405 | return 0; | |
406 | } | |
407 | ||
408 | if (!sending) { | |
409 | for (ctr = 0; ctr < n_recs; ctr++) { | |
410 | /* Adjust the record to remove the explicit IV/MAC/Tag */ | |
411 | if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) { | |
412 | recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
413 | recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
414 | recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
415 | } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) { | |
416 | recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN; | |
417 | recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN; | |
418 | recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN; | |
88d61680 | 419 | } else if (bs != 1 && RLAYER_USE_EXPLICIT_IV(rl)) { |
50023e9b MC |
420 | if (recs[ctr].length < bs) |
421 | return 0; | |
422 | recs[ctr].data += bs; | |
423 | recs[ctr].input += bs; | |
424 | recs[ctr].length -= bs; | |
425 | recs[ctr].orig_len -= bs; | |
426 | } | |
427 | ||
428 | /* | |
d4ee3456 MC |
429 | * If using Mac-then-encrypt, then this will succeed but |
430 | * with a random MAC if padding is invalid | |
431 | */ | |
50023e9b MC |
432 | if (!tls1_cbc_remove_padding_and_mac(&recs[ctr].length, |
433 | recs[ctr].orig_len, | |
434 | recs[ctr].data, | |
435 | (macs != NULL) ? &macs[ctr].mac : NULL, | |
436 | (macs != NULL) ? &macs[ctr].alloced | |
1704961c | 437 | : NULL, |
50023e9b MC |
438 | bs, |
439 | pad ? (size_t)pad : macsize, | |
440 | (EVP_CIPHER_get_flags(enc) | |
441 | & EVP_CIPH_FLAG_AEAD_CIPHER) != 0, | |
8124ab56 | 442 | rl->libctx)) |
50023e9b MC |
443 | return 0; |
444 | } | |
445 | } | |
446 | } | |
447 | return 1; | |
448 | } | |
449 | ||
450 | static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, | |
8124ab56 | 451 | int sending) |
50023e9b | 452 | { |
0755722c | 453 | unsigned char *seq = rl->sequence; |
50023e9b MC |
454 | EVP_MD_CTX *hash; |
455 | size_t md_size; | |
50023e9b MC |
456 | EVP_MD_CTX *hmac = NULL, *mac_ctx; |
457 | unsigned char header[13]; | |
50023e9b MC |
458 | int t; |
459 | int ret = 0; | |
460 | ||
6366bdd9 | 461 | hash = rl->md_ctx; |
50023e9b MC |
462 | |
463 | t = EVP_MD_CTX_get_size(hash); | |
464 | if (!ossl_assert(t >= 0)) | |
465 | return 0; | |
466 | md_size = t; | |
467 | ||
8124ab56 | 468 | if (rl->stream_mac) { |
50023e9b MC |
469 | mac_ctx = hash; |
470 | } else { | |
471 | hmac = EVP_MD_CTX_new(); | |
472 | if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) { | |
473 | goto end; | |
474 | } | |
475 | mac_ctx = hmac; | |
476 | } | |
477 | ||
478 | if (!rl->isdtls | |
8124ab56 | 479 | && rl->tlstree |
1704961c | 480 | && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) |
50023e9b | 481 | goto end; |
50023e9b MC |
482 | |
483 | if (rl->isdtls) { | |
484 | unsigned char dtlsseq[8], *p = dtlsseq; | |
485 | ||
bfc0f10d | 486 | s2n(rl->epoch, p); |
50023e9b MC |
487 | memcpy(p, &seq[2], 6); |
488 | ||
489 | memcpy(header, dtlsseq, 8); | |
1704961c | 490 | } else { |
50023e9b | 491 | memcpy(header, seq, 8); |
1704961c | 492 | } |
50023e9b MC |
493 | |
494 | header[8] = rec->type; | |
8124ab56 MC |
495 | header[9] = (unsigned char)(rl->version >> 8); |
496 | header[10] = (unsigned char)(rl->version); | |
50023e9b MC |
497 | header[11] = (unsigned char)(rec->length >> 8); |
498 | header[12] = (unsigned char)(rec->length & 0xff); | |
499 | ||
7f2f0ac7 | 500 | if (!sending && !rl->use_etm |
6366bdd9 | 501 | && EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE |
50023e9b MC |
502 | && ssl3_cbc_record_digest_supported(mac_ctx)) { |
503 | OSSL_PARAM tls_hmac_params[2], *p = tls_hmac_params; | |
504 | ||
505 | *p++ = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE, | |
506 | &rec->orig_len); | |
507 | *p++ = OSSL_PARAM_construct_end(); | |
508 | ||
509 | if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_get_pkey_ctx(mac_ctx), | |
1704961c | 510 | tls_hmac_params)) |
50023e9b | 511 | goto end; |
50023e9b MC |
512 | } |
513 | ||
514 | if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0 | |
515 | || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0 | |
1704961c | 516 | || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) |
50023e9b | 517 | goto end; |
50023e9b MC |
518 | |
519 | OSSL_TRACE_BEGIN(TLS) { | |
520 | BIO_printf(trc_out, "seq:\n"); | |
521 | BIO_dump_indent(trc_out, seq, 8, 4); | |
522 | BIO_printf(trc_out, "rec:\n"); | |
523 | BIO_dump_indent(trc_out, rec->data, rec->length, 4); | |
524 | } OSSL_TRACE_END(TLS); | |
525 | ||
bed07b18 MC |
526 | if (!rl->isdtls && !tls_increment_sequence_ctr(rl)) { |
527 | /* RLAYERfatal already called */ | |
528 | goto end; | |
50023e9b | 529 | } |
bed07b18 | 530 | |
50023e9b MC |
531 | OSSL_TRACE_BEGIN(TLS) { |
532 | BIO_printf(trc_out, "md:\n"); | |
533 | BIO_dump_indent(trc_out, md, md_size, 4); | |
534 | } OSSL_TRACE_END(TLS); | |
535 | ret = 1; | |
536 | end: | |
537 | EVP_MD_CTX_free(hmac); | |
538 | return ret; | |
539 | } | |
540 | ||
91fe8ff0 MC |
541 | #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0 |
542 | # ifndef OPENSSL_NO_COMP | |
543 | # define MAX_PREFIX_LEN ((SSL3_ALIGN_PAYLOAD - 1) \ | |
544 | + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \ | |
545 | + SSL3_RT_HEADER_LENGTH \ | |
546 | + SSL3_RT_MAX_COMPRESSED_OVERHEAD) | |
547 | # else | |
548 | # define MAX_PREFIX_LEN ((SSL3_ALIGN_PAYLOAD - 1) \ | |
549 | + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \ | |
550 | + SSL3_RT_HEADER_LENGTH) | |
551 | # endif /* OPENSSL_NO_COMP */ | |
552 | #else | |
553 | # ifndef OPENSSL_NO_COMP | |
554 | # define MAX_PREFIX_LEN (SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \ | |
555 | + SSL3_RT_HEADER_LENGTH \ | |
556 | + SSL3_RT_MAX_COMPRESSED_OVERHEAD) | |
557 | # else | |
558 | # define MAX_PREFIX_LEN (SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \ | |
559 | + SSL3_RT_HEADER_LENGTH) | |
560 | # endif /* OPENSSL_NO_COMP */ | |
561 | #endif | |
562 | ||
563 | /* This function is also used by the SSLv3 implementation */ | |
564 | int tls1_allocate_write_buffers(OSSL_RECORD_LAYER *rl, | |
565 | OSSL_RECORD_TEMPLATE *templates, | |
566 | size_t numtempl, size_t *prefix) | |
567 | { | |
568 | /* Do we need to add an empty record prefix? */ | |
569 | *prefix = rl->need_empty_fragments | |
570 | && templates[0].type == SSL3_RT_APPLICATION_DATA; | |
571 | ||
572 | /* | |
573 | * In the prefix case we can allocate a much smaller buffer. Otherwise we | |
574 | * just allocate the default buffer size | |
575 | */ | |
576 | if (!tls_setup_write_buffer(rl, numtempl + *prefix, | |
577 | *prefix ? MAX_PREFIX_LEN : 0, 0)) { | |
578 | /* RLAYERfatal() already called */ | |
579 | return 0; | |
580 | } | |
581 | ||
582 | return 1; | |
583 | } | |
584 | ||
585 | /* This function is also used by the SSLv3 implementation */ | |
586 | int tls1_initialise_write_packets(OSSL_RECORD_LAYER *rl, | |
587 | OSSL_RECORD_TEMPLATE *templates, | |
588 | size_t numtempl, | |
589 | OSSL_RECORD_TEMPLATE *prefixtempl, | |
590 | WPACKET *pkt, | |
591 | SSL3_BUFFER *bufs, | |
592 | size_t *wpinited) | |
593 | { | |
594 | size_t align = 0; | |
595 | SSL3_BUFFER *wb; | |
596 | size_t prefix; | |
597 | ||
598 | /* Do we need to add an empty record prefix? */ | |
599 | prefix = rl->need_empty_fragments | |
600 | && templates[0].type == SSL3_RT_APPLICATION_DATA; | |
601 | ||
602 | if (prefix) { | |
603 | /* | |
604 | * countermeasure against known-IV weakness in CBC ciphersuites (see | |
605 | * http://www.openssl.org/~bodo/tls-cbc.txt) | |
606 | */ | |
607 | prefixtempl->buf = NULL; | |
608 | prefixtempl->version = templates[0].version; | |
609 | prefixtempl->buflen = 0; | |
610 | prefixtempl->type = SSL3_RT_APPLICATION_DATA; | |
611 | ||
612 | wb = &bufs[0]; | |
613 | ||
614 | #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0 | |
615 | align = (size_t)SSL3_BUFFER_get_buf(wb) + SSL3_RT_HEADER_LENGTH; | |
616 | align = SSL3_ALIGN_PAYLOAD - 1 | |
617 | - ((align - 1) % SSL3_ALIGN_PAYLOAD); | |
618 | #endif | |
619 | SSL3_BUFFER_set_offset(wb, align); | |
620 | ||
621 | if (!WPACKET_init_static_len(&pkt[0], SSL3_BUFFER_get_buf(wb), | |
622 | SSL3_BUFFER_get_len(wb), 0)) { | |
623 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
624 | return 0; | |
625 | } | |
626 | *wpinited = 1; | |
627 | if (!WPACKET_allocate_bytes(&pkt[0], align, NULL)) { | |
628 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
629 | return 0; | |
630 | } | |
631 | } | |
632 | ||
633 | return tls_initialise_write_packets_default(rl, templates, numtempl, | |
634 | NULL, | |
635 | pkt + prefix, bufs + prefix, | |
636 | wpinited); | |
637 | } | |
638 | ||
50023e9b MC |
639 | /* TLSv1.0, TLSv1.1 and TLSv1.2 all use the same funcs */ |
640 | struct record_functions_st tls_1_funcs = { | |
641 | tls1_set_crypto_state, | |
642 | tls1_cipher, | |
1853d20a MC |
643 | tls1_mac, |
644 | tls_default_set_protocol_version, | |
bafe524b MC |
645 | tls_default_read_n, |
646 | tls_get_more_records, | |
1853d20a | 647 | tls_default_validate_record_header, |
bafe524b MC |
648 | tls_default_post_process_record, |
649 | tls_get_max_records_multiblock, | |
91fe8ff0 MC |
650 | tls_write_records_multiblock, /* Defined in tls_multib.c */ |
651 | tls1_allocate_write_buffers, | |
7ca61d63 | 652 | tls1_initialise_write_packets, |
aca70ca8 | 653 | NULL, |
2582de25 | 654 | tls_prepare_record_header_default, |
757ef3ba | 655 | NULL, |
2a354d54 | 656 | tls_prepare_for_encryption_default, |
ace38195 MC |
657 | tls_post_encryption_processing_default, |
658 | NULL | |
50023e9b | 659 | }; |
222cf410 MC |
660 | |
661 | struct record_functions_st dtls_1_funcs = { | |
662 | tls1_set_crypto_state, | |
222cf410 MC |
663 | tls1_cipher, |
664 | tls1_mac, | |
665 | tls_default_set_protocol_version, | |
bafe524b MC |
666 | tls_default_read_n, |
667 | dtls_get_more_records, | |
668 | NULL, | |
669 | NULL, | |
222cf410 | 670 | NULL, |
43dfa5a9 | 671 | tls_write_records_default, |
bf04cbfa MC |
672 | /* |
673 | * Don't use tls1_allocate_write_buffers since that handles empty fragment | |
674 | * records which aren't needed in DTLS. We just use the default allocation | |
675 | * instead. | |
676 | */ | |
677 | tls_allocate_write_buffers_default, | |
248a9bf2 MC |
678 | /* Don't use tls1_initialise_write_packets for same reason as above */ |
679 | tls_initialise_write_packets_default, | |
2582de25 | 680 | NULL, |
b9e37f8f | 681 | dtls_prepare_record_header, |
757ef3ba | 682 | NULL, |
b9e37f8f | 683 | tls_prepare_for_encryption_default, |
421386e3 | 684 | dtls_post_encryption_processing, |
222cf410 MC |
685 | NULL |
686 | }; |