2 * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "../../ssl_local.h"
13 #include "../record_local.h"
14 #include "recmethod_local.h"
16 static int tls13_set_crypto_state(OSSL_RECORD_LAYER
*rl
, int level
,
17 unsigned char *key
, size_t keylen
,
18 unsigned char *iv
, size_t ivlen
,
19 unsigned char *mackey
, size_t mackeylen
,
20 const EVP_CIPHER
*ciph
,
26 EVP_CIPHER_CTX
*ciph_ctx
;
28 int enc
= (rl
->direction
== OSSL_RECORD_DIRECTION_WRITE
) ? 1 : 0;
30 if (ivlen
> sizeof(rl
->iv
)) {
31 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
32 return OSSL_RECORD_RETURN_FATAL
;
34 memcpy(rl
->iv
, iv
, ivlen
);
36 ciph_ctx
= rl
->enc_ctx
= EVP_CIPHER_CTX_new();
37 if (ciph_ctx
== NULL
) {
38 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
39 return OSSL_RECORD_RETURN_FATAL
;
42 mode
= EVP_CIPHER_get_mode(ciph
);
44 if (EVP_CipherInit_ex(ciph_ctx
, ciph
, NULL
, NULL
, NULL
, enc
) <= 0
45 || EVP_CIPHER_CTX_ctrl(ciph_ctx
, EVP_CTRL_AEAD_SET_IVLEN
, ivlen
,
47 || (mode
== EVP_CIPH_CCM_MODE
48 && EVP_CIPHER_CTX_ctrl(ciph_ctx
, EVP_CTRL_AEAD_SET_TAG
, taglen
,
50 || EVP_CipherInit_ex(ciph_ctx
, NULL
, NULL
, key
, NULL
, enc
) <= 0) {
51 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
52 return OSSL_RECORD_RETURN_FATAL
;
55 return OSSL_RECORD_RETURN_SUCCESS
;
58 static int tls13_cipher(OSSL_RECORD_LAYER
*rl
, TLS_RL_RECORD
*recs
,
59 size_t n_recs
, int sending
, SSL_MAC_BUF
*mac
,
63 unsigned char iv
[EVP_MAX_IV_LENGTH
], recheader
[SSL3_RT_HEADER_LENGTH
];
64 size_t ivlen
, offset
, loop
, hdrlen
;
65 unsigned char *staticiv
;
66 unsigned char *seq
= rl
->sequence
;
68 TLS_RL_RECORD
*rec
= &recs
[0];
70 const EVP_CIPHER
*cipher
;
74 /* Should not happen */
75 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
82 cipher
= EVP_CIPHER_CTX_get0_cipher(ctx
);
84 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
87 mode
= EVP_CIPHER_get_mode(cipher
);
90 * If we're sending an alert and ctx != NULL then we must be forcing
91 * plaintext alerts. If we're reading and ctx != NULL then we allow
92 * plaintext alerts at certain points in the handshake. If we've got this
93 * far then we have already validated that a plaintext alert is ok here.
95 if (ctx
== NULL
|| rec
->type
== SSL3_RT_ALERT
) {
96 memmove(rec
->data
, rec
->input
, rec
->length
);
97 rec
->input
= rec
->data
;
101 ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
105 * Take off tag. There must be at least one byte of content type as
108 if (rec
->length
< rl
->taglen
+ 1)
110 rec
->length
-= rl
->taglen
;
114 if (ivlen
< SEQ_NUM_SIZE
) {
115 /* Should not happen */
116 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
119 offset
= ivlen
- SEQ_NUM_SIZE
;
120 memcpy(iv
, staticiv
, offset
);
121 for (loop
= 0; loop
< SEQ_NUM_SIZE
; loop
++)
122 iv
[offset
+ loop
] = staticiv
[offset
+ loop
] ^ seq
[loop
];
124 if (!tls_increment_sequence_ctr(rl
)) {
125 /* RLAYERfatal already called */
129 if (EVP_CipherInit_ex(ctx
, NULL
, NULL
, NULL
, iv
, sending
) <= 0
130 || (!sending
&& EVP_CIPHER_CTX_ctrl(ctx
, EVP_CTRL_AEAD_SET_TAG
,
132 rec
->data
+ rec
->length
) <= 0)) {
133 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
138 if (!WPACKET_init_static_len(&wpkt
, recheader
, sizeof(recheader
), 0)
139 || !WPACKET_put_bytes_u8(&wpkt
, rec
->type
)
140 || !WPACKET_put_bytes_u16(&wpkt
, rec
->rec_version
)
141 || !WPACKET_put_bytes_u16(&wpkt
, rec
->length
+ rl
->taglen
)
142 || !WPACKET_get_total_written(&wpkt
, &hdrlen
)
143 || hdrlen
!= SSL3_RT_HEADER_LENGTH
144 || !WPACKET_finish(&wpkt
)) {
145 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
146 WPACKET_cleanup(&wpkt
);
151 * For CCM we must explicitly set the total plaintext length before we add
154 if ((mode
== EVP_CIPH_CCM_MODE
155 && EVP_CipherUpdate(ctx
, NULL
, &lenu
, NULL
,
156 (unsigned int)rec
->length
) <= 0)
157 || EVP_CipherUpdate(ctx
, NULL
, &lenu
, recheader
,
158 sizeof(recheader
)) <= 0
159 || EVP_CipherUpdate(ctx
, rec
->data
, &lenu
, rec
->input
,
160 (unsigned int)rec
->length
) <= 0
161 || EVP_CipherFinal_ex(ctx
, rec
->data
+ lenu
, &lenf
) <= 0
162 || (size_t)(lenu
+ lenf
) != rec
->length
) {
167 if (EVP_CIPHER_CTX_ctrl(ctx
, EVP_CTRL_AEAD_GET_TAG
, rl
->taglen
,
168 rec
->data
+ rec
->length
) <= 0) {
169 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
172 rec
->length
+= rl
->taglen
;
178 static int tls13_validate_record_header(OSSL_RECORD_LAYER
*rl
,
181 if (rec
->type
!= SSL3_RT_APPLICATION_DATA
182 && (rec
->type
!= SSL3_RT_CHANGE_CIPHER_SPEC
183 || !rl
->is_first_handshake
)
184 && (rec
->type
!= SSL3_RT_ALERT
|| !rl
->allow_plain_alerts
)) {
185 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_BAD_RECORD_TYPE
);
189 if (rec
->rec_version
!= TLS1_2_VERSION
) {
190 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, SSL_R_WRONG_VERSION_NUMBER
);
194 if (rec
->length
> SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH
) {
195 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
196 SSL_R_ENCRYPTED_LENGTH_TOO_LONG
);
202 static int tls13_post_process_record(OSSL_RECORD_LAYER
*rl
, TLS_RL_RECORD
*rec
)
204 /* Skip this if we've received a plaintext alert */
205 if (rec
->type
!= SSL3_RT_ALERT
) {
209 || rec
->type
!= SSL3_RT_APPLICATION_DATA
) {
210 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
,
211 SSL_R_BAD_RECORD_TYPE
);
215 /* Strip trailing padding */
216 for (end
= rec
->length
- 1; end
> 0 && rec
->data
[end
] == 0; end
--)
220 rec
->type
= rec
->data
[end
];
223 if (rec
->length
> SSL3_RT_MAX_PLAIN_LENGTH
) {
224 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
228 if (!tls13_common_post_process_record(rl
, rec
)) {
229 /* RLAYERfatal already called */
236 static uint8_t tls13_get_record_type(OSSL_RECORD_LAYER
*rl
,
237 OSSL_RECORD_TEMPLATE
*template)
239 if (rl
->allow_plain_alerts
&& template->type
== SSL3_RT_ALERT
)
240 return SSL3_RT_ALERT
;
243 * Aside from the above case we always use the application data record type
244 * when encrypting in TLSv1.3. The "inner" record type encodes the "real"
245 * record type from the template.
247 return SSL3_RT_APPLICATION_DATA
;
250 static int tls13_add_record_padding(OSSL_RECORD_LAYER
*rl
,
251 OSSL_RECORD_TEMPLATE
*thistempl
,
253 TLS_RL_RECORD
*thiswr
)
257 /* Nothing to be done in the case of a plaintext alert */
258 if (rl
->allow_plain_alerts
&& thistempl
->type
!= SSL3_RT_ALERT
)
261 if (!WPACKET_put_bytes_u8(thispkt
, thistempl
->type
)) {
262 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
265 TLS_RL_RECORD_add_length(thiswr
, 1);
267 /* Add TLS1.3 padding */
268 rlen
= TLS_RL_RECORD_get_length(thiswr
);
269 if (rlen
< rl
->max_frag_len
) {
271 size_t max_padding
= rl
->max_frag_len
- rlen
;
273 if (rl
->padding
!= NULL
) {
274 padding
= rl
->padding(rl
->cbarg
, thistempl
->type
, rlen
);
275 } else if (rl
->block_padding
> 0) {
276 size_t mask
= rl
->block_padding
- 1;
279 /* optimize for power of 2 */
280 if ((rl
->block_padding
& mask
) == 0)
281 remainder
= rlen
& mask
;
283 remainder
= rlen
% rl
->block_padding
;
284 /* don't want to add a block of padding if we don't have to */
288 padding
= rl
->block_padding
- remainder
;
291 /* do not allow the record to exceed max plaintext length */
292 if (padding
> max_padding
)
293 padding
= max_padding
;
294 if (!WPACKET_memset(thispkt
, 0, padding
)) {
295 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
,
296 ERR_R_INTERNAL_ERROR
);
299 TLS_RL_RECORD_add_length(thiswr
, padding
);
306 const struct record_functions_st tls_1_3_funcs
= {
307 tls13_set_crypto_state
,
310 tls_default_set_protocol_version
,
312 tls_get_more_records
,
313 tls13_validate_record_header
,
314 tls13_post_process_record
,
315 tls_get_max_records_default
,
316 tls_write_records_default
,
317 tls_allocate_write_buffers_default
,
318 tls_initialise_write_packets_default
,
319 tls13_get_record_type
,
320 tls_prepare_record_header_default
,
321 tls13_add_record_padding
,
322 tls_prepare_for_encryption_default
,
323 tls_post_encryption_processing_default
,