]>
Commit | Line | Data |
---|---|---|
50023e9b MC |
1 | /* |
2 | * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <openssl/evp.h> | |
11 | #include <openssl/core_names.h> | |
12 | #include "../../ssl_local.h" | |
13 | #include "../record_local.h" | |
14 | #include "recmethod_local.h" | |
15 | ||
16 | static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, | |
17 | unsigned char *key, size_t keylen, | |
18 | unsigned char *iv, size_t ivlen, | |
19 | unsigned char *mackey, size_t mackeylen, | |
20 | const EVP_CIPHER *ciph, | |
21 | size_t taglen, | |
50023e9b MC |
22 | int mactype, |
23 | const EVP_MD *md, | |
1e76110b | 24 | COMP_METHOD *comp) |
50023e9b MC |
25 | { |
26 | EVP_CIPHER_CTX *ciph_ctx; | |
27 | int mode; | |
2c50d7fb | 28 | int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0; |
50023e9b MC |
29 | |
30 | if (ivlen > sizeof(rl->iv)) { | |
7c293999 MC |
31 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
32 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
33 | } |
34 | memcpy(rl->iv, iv, ivlen); | |
35 | ||
6366bdd9 | 36 | ciph_ctx = rl->enc_ctx = EVP_CIPHER_CTX_new(); |
50023e9b | 37 | if (ciph_ctx == NULL) { |
7c293999 MC |
38 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
39 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
40 | } |
41 | ||
50023e9b MC |
42 | rl->taglen = taglen; |
43 | ||
44 | mode = EVP_CIPHER_get_mode(ciph); | |
45 | ||
2c50d7fb | 46 | if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, enc) <= 0 |
1704961c MC |
47 | || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, |
48 | NULL) <= 0 | |
50023e9b | 49 | || (mode == EVP_CIPH_CCM_MODE |
1704961c MC |
50 | && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen, |
51 | NULL) <= 0) | |
2c50d7fb | 52 | || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, enc) <= 0) { |
7c293999 MC |
53 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
54 | return OSSL_RECORD_RETURN_FATAL; | |
50023e9b MC |
55 | } |
56 | ||
7c293999 | 57 | return OSSL_RECORD_RETURN_SUCCESS; |
50023e9b MC |
58 | } |
59 | ||
60 | static int tls13_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, | |
8124ab56 | 61 | int sending, SSL_MAC_BUF *mac, size_t macsize) |
50023e9b MC |
62 | { |
63 | EVP_CIPHER_CTX *ctx; | |
64 | unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH]; | |
65 | size_t ivlen, offset, loop, hdrlen; | |
66 | unsigned char *staticiv; | |
0755722c | 67 | unsigned char *seq = rl->sequence; |
50023e9b MC |
68 | int lenu, lenf; |
69 | SSL3_RECORD *rec = &recs[0]; | |
70 | WPACKET wpkt; | |
71 | const EVP_CIPHER *cipher; | |
72 | int mode; | |
73 | ||
74 | if (n_recs != 1) { | |
75 | /* Should not happen */ | |
76 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
77 | return 0; | |
78 | } | |
79 | ||
6366bdd9 MC |
80 | ctx = rl->enc_ctx; |
81 | staticiv = rl->iv; | |
50023e9b MC |
82 | |
83 | cipher = EVP_CIPHER_CTX_get0_cipher(ctx); | |
84 | if (cipher == NULL) { | |
85 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
86 | return 0; | |
87 | } | |
88 | mode = EVP_CIPHER_get_mode(cipher); | |
89 | ||
90 | /* | |
91 | * If we're sending an alert and ctx != NULL then we must be forcing | |
92 | * plaintext alerts. If we're reading and ctx != NULL then we allow | |
93 | * plaintext alerts at certain points in the handshake. If we've got this | |
94 | * far then we have already validated that a plaintext alert is ok here. | |
95 | */ | |
96 | if (ctx == NULL || rec->type == SSL3_RT_ALERT) { | |
97 | memmove(rec->data, rec->input, rec->length); | |
98 | rec->input = rec->data; | |
99 | return 1; | |
100 | } | |
101 | ||
102 | ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); | |
103 | ||
104 | if (!sending) { | |
105 | /* | |
106 | * Take off tag. There must be at least one byte of content type as | |
107 | * well as the tag | |
108 | */ | |
109 | if (rec->length < rl->taglen + 1) | |
110 | return 0; | |
111 | rec->length -= rl->taglen; | |
112 | } | |
113 | ||
114 | /* Set up IV */ | |
115 | if (ivlen < SEQ_NUM_SIZE) { | |
116 | /* Should not happen */ | |
117 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
118 | return 0; | |
119 | } | |
120 | offset = ivlen - SEQ_NUM_SIZE; | |
121 | memcpy(iv, staticiv, offset); | |
122 | for (loop = 0; loop < SEQ_NUM_SIZE; loop++) | |
123 | iv[offset + loop] = staticiv[offset + loop] ^ seq[loop]; | |
124 | ||
125 | /* Increment the sequence counter */ | |
126 | for (loop = SEQ_NUM_SIZE; loop > 0; loop--) { | |
127 | ++seq[loop - 1]; | |
128 | if (seq[loop - 1] != 0) | |
129 | break; | |
130 | } | |
131 | if (loop == 0) { | |
132 | /* Sequence has wrapped */ | |
133 | return 0; | |
134 | } | |
135 | ||
136 | if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0 | |
137 | || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, | |
138 | rl->taglen, | |
139 | rec->data + rec->length) <= 0)) { | |
140 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
141 | return 0; | |
142 | } | |
143 | ||
144 | /* Set up the AAD */ | |
145 | if (!WPACKET_init_static_len(&wpkt, recheader, sizeof(recheader), 0) | |
146 | || !WPACKET_put_bytes_u8(&wpkt, rec->type) | |
147 | || !WPACKET_put_bytes_u16(&wpkt, rec->rec_version) | |
148 | || !WPACKET_put_bytes_u16(&wpkt, rec->length + rl->taglen) | |
149 | || !WPACKET_get_total_written(&wpkt, &hdrlen) | |
150 | || hdrlen != SSL3_RT_HEADER_LENGTH | |
151 | || !WPACKET_finish(&wpkt)) { | |
152 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
153 | WPACKET_cleanup(&wpkt); | |
154 | return 0; | |
155 | } | |
156 | ||
157 | /* | |
158 | * For CCM we must explicitly set the total plaintext length before we add | |
159 | * any AAD. | |
160 | */ | |
161 | if ((mode == EVP_CIPH_CCM_MODE | |
162 | && EVP_CipherUpdate(ctx, NULL, &lenu, NULL, | |
163 | (unsigned int)rec->length) <= 0) | |
164 | || EVP_CipherUpdate(ctx, NULL, &lenu, recheader, | |
165 | sizeof(recheader)) <= 0 | |
166 | || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input, | |
167 | (unsigned int)rec->length) <= 0 | |
168 | || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0 | |
169 | || (size_t)(lenu + lenf) != rec->length) { | |
170 | return 0; | |
171 | } | |
172 | if (sending) { | |
173 | /* Add the tag */ | |
174 | if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen, | |
175 | rec->data + rec->length) <= 0) { | |
176 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
177 | return 0; | |
178 | } | |
179 | rec->length += rl->taglen; | |
180 | } | |
181 | ||
182 | return 1; | |
183 | } | |
184 | ||
1853d20a MC |
185 | static int tls13_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) |
186 | { | |
187 | if (rec->type != SSL3_RT_APPLICATION_DATA | |
188 | && (rec->type != SSL3_RT_CHANGE_CIPHER_SPEC | |
189 | || !rl->is_first_handshake) | |
190 | && (rec->type != SSL3_RT_ALERT || !rl->allow_plain_alerts)) { | |
191 | RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); | |
192 | return 0; | |
193 | } | |
194 | ||
195 | if (rec->rec_version != TLS1_2_VERSION) { | |
196 | RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_WRONG_VERSION_NUMBER); | |
197 | return 0; | |
198 | } | |
199 | ||
200 | if (rec->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { | |
201 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, | |
202 | SSL_R_ENCRYPTED_LENGTH_TOO_LONG); | |
203 | return 0; | |
204 | } | |
205 | return 1; | |
206 | } | |
207 | ||
8124ab56 | 208 | static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) |
1853d20a MC |
209 | { |
210 | /* Skip this if we've received a plaintext alert */ | |
211 | if (rec->type != SSL3_RT_ALERT) { | |
212 | size_t end; | |
213 | ||
214 | if (rec->length == 0 | |
215 | || rec->type != SSL3_RT_APPLICATION_DATA) { | |
216 | RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, | |
217 | SSL_R_BAD_RECORD_TYPE); | |
218 | return 0; | |
219 | } | |
220 | ||
221 | /* Strip trailing padding */ | |
1704961c | 222 | for (end = rec->length - 1; end > 0 && rec->data[end] == 0; end--) |
1853d20a MC |
223 | continue; |
224 | ||
225 | rec->length = end; | |
226 | rec->type = rec->data[end]; | |
227 | } | |
228 | ||
229 | if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) { | |
230 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); | |
231 | return 0; | |
232 | } | |
233 | ||
8124ab56 | 234 | if (!tls13_common_post_process_record(rl, rec)) { |
1853d20a MC |
235 | /* RLAYERfatal already called */ |
236 | return 0; | |
237 | } | |
238 | ||
239 | return 1; | |
240 | } | |
241 | ||
7ca61d63 MC |
242 | static unsigned int tls13_get_record_type(OSSL_RECORD_LAYER *rl, |
243 | OSSL_RECORD_TEMPLATE *template) | |
244 | { | |
245 | if (rl->allow_plain_alerts && template->type == SSL3_RT_ALERT) | |
246 | return SSL3_RT_ALERT; | |
247 | ||
248 | /* | |
249 | * Aside from the above case we always use the application data record type | |
250 | * when encrypting in TLSv1.3. The "inner" record type encodes the "real" | |
251 | * record type from the template. | |
252 | */ | |
253 | return SSL3_RT_APPLICATION_DATA; | |
254 | } | |
255 | ||
2582de25 MC |
256 | static int tls13_add_record_padding(OSSL_RECORD_LAYER *rl, |
257 | OSSL_RECORD_TEMPLATE *thistempl, | |
258 | WPACKET *thispkt, | |
259 | SSL3_RECORD *thiswr) | |
260 | { | |
261 | size_t rlen; | |
262 | ||
263 | /* Nothing to be done in the case of a plaintext alert */ | |
264 | if (rl->allow_plain_alerts && thistempl->type != SSL3_RT_ALERT) | |
265 | return 1; | |
266 | ||
267 | if (!WPACKET_put_bytes_u8(thispkt, thistempl->type)) { | |
268 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
269 | return 0; | |
270 | } | |
271 | SSL3_RECORD_add_length(thiswr, 1); | |
272 | ||
273 | /* Add TLS1.3 padding */ | |
274 | rlen = SSL3_RECORD_get_length(thiswr); | |
275 | if (rlen < rl->max_frag_len) { | |
276 | size_t padding = 0; | |
277 | size_t max_padding = rl->max_frag_len - rlen; | |
278 | ||
279 | if (rl->padding != NULL) { | |
280 | padding = rl->padding(rl->cbarg, thistempl->type, rlen); | |
281 | } else if (rl->block_padding > 0) { | |
282 | size_t mask = rl->block_padding - 1; | |
283 | size_t remainder; | |
284 | ||
285 | /* optimize for power of 2 */ | |
286 | if ((rl->block_padding & mask) == 0) | |
287 | remainder = rlen & mask; | |
288 | else | |
289 | remainder = rlen % rl->block_padding; | |
290 | /* don't want to add a block of padding if we don't have to */ | |
291 | if (remainder == 0) | |
292 | padding = 0; | |
293 | else | |
294 | padding = rl->block_padding - remainder; | |
295 | } | |
296 | if (padding > 0) { | |
297 | /* do not allow the record to exceed max plaintext length */ | |
298 | if (padding > max_padding) | |
299 | padding = max_padding; | |
300 | if (!WPACKET_memset(thispkt, 0, padding)) { | |
301 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, | |
302 | ERR_R_INTERNAL_ERROR); | |
303 | return 0; | |
304 | } | |
305 | SSL3_RECORD_add_length(thiswr, padding); | |
306 | } | |
307 | } | |
308 | ||
309 | return 1; | |
310 | } | |
311 | ||
50023e9b MC |
312 | struct record_functions_st tls_1_3_funcs = { |
313 | tls13_set_crypto_state, | |
314 | tls13_cipher, | |
1853d20a MC |
315 | NULL, |
316 | tls_default_set_protocol_version, | |
bafe524b MC |
317 | tls_default_read_n, |
318 | tls_get_more_records, | |
1853d20a | 319 | tls13_validate_record_header, |
bafe524b MC |
320 | tls13_post_process_record, |
321 | tls_get_max_records_default, | |
91fe8ff0 MC |
322 | tls_write_records_default, |
323 | tls_allocate_write_buffers_default, | |
7ca61d63 | 324 | tls_initialise_write_packets_default, |
aca70ca8 | 325 | tls13_get_record_type, |
2582de25 | 326 | tls_prepare_record_header_default, |
757ef3ba | 327 | tls13_add_record_padding, |
2a354d54 | 328 | tls_prepare_for_encryption_default, |
ace38195 MC |
329 | tls_post_encryption_processing_default, |
330 | NULL | |
50023e9b | 331 | }; |