]>
Commit | Line | Data |
---|---|---|
50023e9b MC |
1 | /* |
2 | * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <openssl/evp.h> | |
11 | #include <openssl/core_names.h> | |
12 | #include "../../ssl_local.h" | |
13 | #include "../record_local.h" | |
14 | #include "recmethod_local.h" | |
15 | ||
16 | static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, | |
17 | unsigned char *key, size_t keylen, | |
18 | unsigned char *iv, size_t ivlen, | |
19 | unsigned char *mackey, size_t mackeylen, | |
20 | const EVP_CIPHER *ciph, | |
21 | size_t taglen, | |
22 | /* TODO(RECLAYER): This probably should not be an int */ | |
23 | int mactype, | |
24 | const EVP_MD *md, | |
8124ab56 | 25 | const SSL_COMP *comp) |
50023e9b MC |
26 | { |
27 | EVP_CIPHER_CTX *ciph_ctx; | |
28 | int mode; | |
29 | ||
30 | if (ivlen > sizeof(rl->iv)) { | |
7c293999 MC |
31 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
32 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
33 | } |
34 | memcpy(rl->iv, iv, ivlen); | |
35 | ||
6366bdd9 | 36 | ciph_ctx = rl->enc_ctx = EVP_CIPHER_CTX_new(); |
50023e9b | 37 | if (ciph_ctx == NULL) { |
7c293999 MC |
38 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
39 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
40 | } |
41 | ||
50023e9b MC |
42 | rl->taglen = taglen; |
43 | ||
44 | mode = EVP_CIPHER_get_mode(ciph); | |
45 | ||
46 | if (EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, NULL, NULL) <= 0 | |
47 | || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) <= 0 | |
48 | || (mode == EVP_CIPH_CCM_MODE | |
49 | && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) <= 0) | |
50 | || EVP_DecryptInit_ex(ciph_ctx, NULL, NULL, key, NULL) <= 0) { | |
7c293999 MC |
51 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
52 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
53 | } |
54 | ||
7c293999 | 55 | return OSSL_RECORD_RETURN_SUCCESS; |
50023e9b MC |
56 | } |
57 | ||
58 | static int tls13_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, | |
8124ab56 | 59 | int sending, SSL_MAC_BUF *mac, size_t macsize) |
50023e9b MC |
60 | { |
61 | EVP_CIPHER_CTX *ctx; | |
62 | unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH]; | |
63 | size_t ivlen, offset, loop, hdrlen; | |
64 | unsigned char *staticiv; | |
0755722c | 65 | unsigned char *seq = rl->sequence; |
50023e9b MC |
66 | int lenu, lenf; |
67 | SSL3_RECORD *rec = &recs[0]; | |
68 | WPACKET wpkt; | |
69 | const EVP_CIPHER *cipher; | |
70 | int mode; | |
71 | ||
72 | if (n_recs != 1) { | |
73 | /* Should not happen */ | |
74 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
75 | return 0; | |
76 | } | |
77 | ||
6366bdd9 MC |
78 | ctx = rl->enc_ctx; |
79 | staticiv = rl->iv; | |
50023e9b MC |
80 | |
81 | cipher = EVP_CIPHER_CTX_get0_cipher(ctx); | |
82 | if (cipher == NULL) { | |
83 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
84 | return 0; | |
85 | } | |
86 | mode = EVP_CIPHER_get_mode(cipher); | |
87 | ||
88 | /* | |
89 | * If we're sending an alert and ctx != NULL then we must be forcing | |
90 | * plaintext alerts. If we're reading and ctx != NULL then we allow | |
91 | * plaintext alerts at certain points in the handshake. If we've got this | |
92 | * far then we have already validated that a plaintext alert is ok here. | |
93 | */ | |
94 | if (ctx == NULL || rec->type == SSL3_RT_ALERT) { | |
95 | memmove(rec->data, rec->input, rec->length); | |
96 | rec->input = rec->data; | |
97 | return 1; | |
98 | } | |
99 | ||
100 | ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); | |
101 | ||
102 | if (!sending) { | |
103 | /* | |
104 | * Take off tag. There must be at least one byte of content type as | |
105 | * well as the tag | |
106 | */ | |
107 | if (rec->length < rl->taglen + 1) | |
108 | return 0; | |
109 | rec->length -= rl->taglen; | |
110 | } | |
111 | ||
112 | /* Set up IV */ | |
113 | if (ivlen < SEQ_NUM_SIZE) { | |
114 | /* Should not happen */ | |
115 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
116 | return 0; | |
117 | } | |
118 | offset = ivlen - SEQ_NUM_SIZE; | |
119 | memcpy(iv, staticiv, offset); | |
120 | for (loop = 0; loop < SEQ_NUM_SIZE; loop++) | |
121 | iv[offset + loop] = staticiv[offset + loop] ^ seq[loop]; | |
122 | ||
123 | /* Increment the sequence counter */ | |
124 | for (loop = SEQ_NUM_SIZE; loop > 0; loop--) { | |
125 | ++seq[loop - 1]; | |
126 | if (seq[loop - 1] != 0) | |
127 | break; | |
128 | } | |
129 | if (loop == 0) { | |
130 | /* Sequence has wrapped */ | |
131 | return 0; | |
132 | } | |
133 | ||
134 | if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0 | |
135 | || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, | |
136 | rl->taglen, | |
137 | rec->data + rec->length) <= 0)) { | |
138 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
139 | return 0; | |
140 | } | |
141 | ||
142 | /* Set up the AAD */ | |
143 | if (!WPACKET_init_static_len(&wpkt, recheader, sizeof(recheader), 0) | |
144 | || !WPACKET_put_bytes_u8(&wpkt, rec->type) | |
145 | || !WPACKET_put_bytes_u16(&wpkt, rec->rec_version) | |
146 | || !WPACKET_put_bytes_u16(&wpkt, rec->length + rl->taglen) | |
147 | || !WPACKET_get_total_written(&wpkt, &hdrlen) | |
148 | || hdrlen != SSL3_RT_HEADER_LENGTH | |
149 | || !WPACKET_finish(&wpkt)) { | |
150 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
151 | WPACKET_cleanup(&wpkt); | |
152 | return 0; | |
153 | } | |
154 | ||
155 | /* | |
156 | * For CCM we must explicitly set the total plaintext length before we add | |
157 | * any AAD. | |
158 | */ | |
159 | if ((mode == EVP_CIPH_CCM_MODE | |
160 | && EVP_CipherUpdate(ctx, NULL, &lenu, NULL, | |
161 | (unsigned int)rec->length) <= 0) | |
162 | || EVP_CipherUpdate(ctx, NULL, &lenu, recheader, | |
163 | sizeof(recheader)) <= 0 | |
164 | || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input, | |
165 | (unsigned int)rec->length) <= 0 | |
166 | || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0 | |
167 | || (size_t)(lenu + lenf) != rec->length) { | |
168 | return 0; | |
169 | } | |
170 | if (sending) { | |
171 | /* Add the tag */ | |
172 | if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen, | |
173 | rec->data + rec->length) <= 0) { | |
174 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
175 | return 0; | |
176 | } | |
177 | rec->length += rl->taglen; | |
178 | } | |
179 | ||
180 | return 1; | |
181 | } | |
182 | ||
1853d20a MC |
183 | static int tls13_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) |
184 | { | |
185 | if (rec->type != SSL3_RT_APPLICATION_DATA | |
186 | && (rec->type != SSL3_RT_CHANGE_CIPHER_SPEC | |
187 | || !rl->is_first_handshake) | |
188 | && (rec->type != SSL3_RT_ALERT || !rl->allow_plain_alerts)) { | |
189 | RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); | |
190 | return 0; | |
191 | } | |
192 | ||
193 | if (rec->rec_version != TLS1_2_VERSION) { | |
194 | RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_WRONG_VERSION_NUMBER); | |
195 | return 0; | |
196 | } | |
197 | ||
198 | if (rec->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { | |
199 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, | |
200 | SSL_R_ENCRYPTED_LENGTH_TOO_LONG); | |
201 | return 0; | |
202 | } | |
203 | return 1; | |
204 | } | |
205 | ||
8124ab56 | 206 | static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) |
1853d20a MC |
207 | { |
208 | /* Skip this if we've received a plaintext alert */ | |
209 | if (rec->type != SSL3_RT_ALERT) { | |
210 | size_t end; | |
211 | ||
212 | if (rec->length == 0 | |
213 | || rec->type != SSL3_RT_APPLICATION_DATA) { | |
214 | RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, | |
215 | SSL_R_BAD_RECORD_TYPE); | |
216 | return 0; | |
217 | } | |
218 | ||
219 | /* Strip trailing padding */ | |
220 | for (end = rec->length - 1; end > 0 && rec->data[end] == 0; | |
221 | end--) | |
222 | continue; | |
223 | ||
224 | rec->length = end; | |
225 | rec->type = rec->data[end]; | |
226 | } | |
227 | ||
228 | if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) { | |
229 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); | |
230 | return 0; | |
231 | } | |
232 | ||
8124ab56 | 233 | if (!tls13_common_post_process_record(rl, rec)) { |
1853d20a MC |
234 | /* RLAYERfatal already called */ |
235 | return 0; | |
236 | } | |
237 | ||
238 | return 1; | |
239 | } | |
240 | ||
50023e9b MC |
241 | struct record_functions_st tls_1_3_funcs = { |
242 | tls13_set_crypto_state, | |
1853d20a | 243 | tls_default_read_n, |
50023e9b | 244 | tls13_cipher, |
1853d20a MC |
245 | NULL, |
246 | tls_default_set_protocol_version, | |
247 | tls13_validate_record_header, | |
248 | tls13_post_process_record | |
50023e9b | 249 | }; |