2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "../../ssl_local.h"
13 #include "../record_local.h"
14 #include "recmethod_local.h"
/*
 * tls13_set_crypto_state: install the key and static IV for one direction of
 * a TLS 1.3 record layer.
 *
 * Visible behaviour: reject an IV longer than rl->iv, copy the IV into
 * rl->iv, allocate a new EVP_CIPHER_CTX that is stored in rl->enc_ctx, then
 * initialise it in two EVP_CipherInit_ex steps (cipher first, key last) with
 * the AEAD IV length and, for CCM mode, the tag length set in between.
 *
 * Returns OSSL_RECORD_RETURN_SUCCESS, or OSSL_RECORD_RETURN_FATAL after
 * ERR_raise on any failure.
 *
 * NOTE(review): this listing drops source lines (the embedded line numbers
 * skip), so the tail of the parameter list and the declarations of mode and
 * taglen are not visible here. level, keylen, mackey and mackeylen are not
 * referenced in the visible lines; the key is presumably sized to the cipher
 * by the caller - confirm.
 */
16 static int tls13_set_crypto_state(OSSL_RECORD_LAYER
*rl
, int level
,
17 unsigned char *key
, size_t keylen
,
18 unsigned char *iv
, size_t ivlen
,
19 unsigned char *mackey
, size_t mackeylen
,
20 const EVP_CIPHER
*ciph
,
26 EVP_CIPHER_CTX
*ciph_ctx
;
/* 1 selects encryption when this layer writes records, 0 decryption. */
28 int enc
= (rl
->direction
== OSSL_RECORD_DIRECTION_WRITE
) ? 1 : 0;
/*
 * Bound the caller-supplied IV length against the destination before the
 * memcpy below, so the copy cannot run past rl->iv.
 */
30 if (ivlen
> sizeof(rl
->iv
)) {
31 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
32 return OSSL_RECORD_RETURN_FATAL
;
34 memcpy(rl
->iv
, iv
, ivlen
);
/*
 * rl->enc_ctx is assigned before the NULL test, so it holds NULL when the
 * allocation fails.
 * NOTE(review): a context already held in rl->enc_ctx would be overwritten
 * without a visible free; presumably it is always unset on entry - confirm.
 */
36 ciph_ctx
= rl
->enc_ctx
= EVP_CIPHER_CTX_new();
37 if (ciph_ctx
== NULL
) {
38 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
39 return OSSL_RECORD_RETURN_FATAL
;
44 mode
= EVP_CIPHER_get_mode(ciph
);
/*
 * First init call selects the cipher only (no key, no IV). The IV length,
 * and for CCM the tag length, are configured next, and the key is loaded in
 * the last call. No IV is passed here: the IV argument of the final call is
 * NULL, and the per-record nonce is supplied by tls13_cipher.
 * The trailing arguments of both ctrl calls are on lines not shown.
 * NOTE(review): on failure the context stays in rl->enc_ctx; it is
 * presumably released when the record layer is freed - confirm.
 */
46 if (EVP_CipherInit_ex(ciph_ctx
, ciph
, NULL
, NULL
, NULL
, enc
) <= 0
47 || EVP_CIPHER_CTX_ctrl(ciph_ctx
, EVP_CTRL_AEAD_SET_IVLEN
, ivlen
,
49 || (mode
== EVP_CIPH_CCM_MODE
50 && EVP_CIPHER_CTX_ctrl(ciph_ctx
, EVP_CTRL_AEAD_SET_TAG
, taglen
,
52 || EVP_CipherInit_ex(ciph_ctx
, NULL
, NULL
, key
, NULL
, enc
) <= 0) {
53 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
54 return OSSL_RECORD_RETURN_FATAL
;
57 return OSSL_RECORD_RETURN_SUCCESS
;
/*
 * tls13_cipher: AEAD-protect (sending != 0) or open (sending == 0) one
 * TLS 1.3 record in place. Only recs[0] is processed.
 *
 * Visible steps: build the per-record nonce by XORing the sequence number
 * into the tail of the static IV, advance the sequence counter, rebuild the
 * record header (type, version, length including tag) as additional
 * authenticated data, run the cipher from rec->input into rec->data, and
 * either supply the received tag for checking or fetch and append the tag.
 * Alert records (and a NULL ctx) take a plaintext path that only moves the
 * payload.
 *
 * NOTE(review): this listing drops source lines (the embedded line numbers
 * skip). ctx, lenu, lenf, wpkt and mode are used but not declared in the
 * visible lines, the assignments of ctx and staticiv are missing, and no
 * return statement is shown, so return values are not documented here.
 * staticiv is presumably rl->iv as stored by tls13_set_crypto_state -
 * confirm. mac and macsize are not referenced in the visible lines.
 */
60 static int tls13_cipher(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*recs
, size_t n_recs
,
61 int sending
, SSL_MAC_BUF
*mac
, size_t macsize
)
64 unsigned char iv
[EVP_MAX_IV_LENGTH
], recheader
[SSL3_RT_HEADER_LENGTH
];
65 size_t ivlen
, offset
, loop
, hdrlen
;
66 unsigned char *staticiv
;
67 unsigned char *seq
= rl
->sequence
;
69 SSL3_RECORD
*rec
= &recs
[0];
71 const EVP_CIPHER
*cipher
;
75 /* Should not happen */
76 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
/*
 * NOTE(review): ctx is handed to EVP_CIPHER_CTX_get0_cipher here, ahead of
 * the ctx == NULL test further down. Whether that later test can still be
 * true depends on the condition guarding the fatal call below, which is on
 * a line not shown - confirm.
 */
83 cipher
= EVP_CIPHER_CTX_get0_cipher(ctx
);
85 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
88 mode
= EVP_CIPHER_get_mode(cipher
);
91 * If we're sending an alert and ctx != NULL then we must be forcing
92 * plaintext alerts. If we're reading and ctx != NULL then we allow
93 * plaintext alerts at certain points in the handshake. If we've got this
94 * far then we have already validated that a plaintext alert is ok here.
96 if (ctx
== NULL
|| rec
->type
== SSL3_RT_ALERT
) {
/*
 * Plaintext path: the payload is moved to rec->data unchanged and no cipher
 * operation runs. memmove is used, presumably because input and data can
 * overlap - confirm.
 */
97 memmove(rec
->data
, rec
->input
, rec
->length
);
98 rec
->input
= rec
->data
;
102 ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
106 * Take off tag. There must be at least one byte of content type as
/*
 * The length test comes before the subtraction, so rec->length cannot wrap
 * below zero when the tag is removed. The guard that limits this to the
 * receive direction is presumably on a line not shown - confirm.
 */
109 if (rec
->length
< rl
->taglen
+ 1)
111 rec
->length
-= rl
->taglen
;
/*
 * offset is a size_t, so an ivlen below SEQ_NUM_SIZE would make the
 * subtraction wrap; it is rejected first.
 */
115 if (ivlen
< SEQ_NUM_SIZE
) {
116 /* Should not happen */
117 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
/*
 * Per-record nonce: the first offset bytes of the static IV are copied
 * unchanged and the last SEQ_NUM_SIZE bytes are XORed with the sequence
 * number.
 */
120 offset
= ivlen
- SEQ_NUM_SIZE
;
121 memcpy(iv
, staticiv
, offset
);
122 for (loop
= 0; loop
< SEQ_NUM_SIZE
; loop
++)
123 iv
[offset
+ loop
] = staticiv
[offset
+ loop
] ^ seq
[loop
];
/*
 * The counter is walked from its last byte towards its first; the increment
 * statement itself is on a line not shown. A wrapped counter is handled as
 * an error case (see the comment below): reusing a sequence number would
 * repeat the nonce under the same key, which AEAD modes do not tolerate.
 */
125 /* Increment the sequence counter */
126 for (loop
= SEQ_NUM_SIZE
; loop
> 0; loop
--) {
128 if (seq
[loop
- 1] != 0)
132 /* Sequence has wrapped */
/*
 * Load the per-record nonce (cipher and key stay as configured). When
 * receiving, the bytes at rec->data + rec->length, directly after the
 * payload, are also given to the cipher as the expected tag.
 */
136 if (EVP_CipherInit_ex(ctx
, NULL
, NULL
, NULL
, iv
, sending
) <= 0
137 || (!sending
&& EVP_CIPHER_CTX_ctrl(ctx
, EVP_CTRL_AEAD_SET_TAG
,
139 rec
->data
+ rec
->length
) <= 0)) {
140 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
/*
 * Rebuild the record header in recheader: one byte of type, two of version,
 * two of length (payload plus tag). The result must be exactly
 * SSL3_RT_HEADER_LENGTH bytes; it is fed to the cipher as AAD below.
 */
145 if (!WPACKET_init_static_len(&wpkt
, recheader
, sizeof(recheader
), 0)
146 || !WPACKET_put_bytes_u8(&wpkt
, rec
->type
)
147 || !WPACKET_put_bytes_u16(&wpkt
, rec
->rec_version
)
148 || !WPACKET_put_bytes_u16(&wpkt
, rec
->length
+ rl
->taglen
)
149 || !WPACKET_get_total_written(&wpkt
, &hdrlen
)
150 || hdrlen
!= SSL3_RT_HEADER_LENGTH
151 || !WPACKET_finish(&wpkt
)) {
152 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
153 WPACKET_cleanup(&wpkt
);
158 * For CCM we must explicitly set the total plaintext length before we add
/*
 * Call order: for CCM the total length first (input and output both NULL),
 * then the header as AAD (output NULL), then the payload, then Final. The
 * last operand checks that exactly rec->length bytes were produced.
 */
161 if ((mode
== EVP_CIPH_CCM_MODE
162 && EVP_CipherUpdate(ctx
, NULL
, &lenu
, NULL
,
163 (unsigned int)rec
->length
) <= 0)
164 || EVP_CipherUpdate(ctx
, NULL
, &lenu
, recheader
,
165 sizeof(recheader
)) <= 0
166 || EVP_CipherUpdate(ctx
, rec
->data
, &lenu
, rec
->input
,
167 (unsigned int)rec
->length
) <= 0
168 || EVP_CipherFinal_ex(ctx
, rec
->data
+ lenu
, &lenf
) <= 0
169 || (size_t)(lenu
+ lenf
) != rec
->length
) {
/*
 * Fetch the tag and write it directly after the ciphertext, then grow the
 * record length by taglen. The guard that limits this to the sending
 * direction is presumably on a line not shown - confirm.
 * NOTE(review): no bound on the space after rec->data + rec->length is
 * checked in the visible lines; the caller presumably reserves taglen bytes
 * there - confirm.
 */
174 if (EVP_CIPHER_CTX_ctrl(ctx
, EVP_CTRL_AEAD_GET_TAG
, rl
->taglen
,
175 rec
->data
+ rec
->length
) <= 0) {
176 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
179 rec
->length
+= rl
->taglen
;
/*
 * tls13_validate_record_header: check the header fields of a record.
 *
 * Visible checks, each reported through RLAYERfatal with the alert shown:
 *  - type must be application data, or change cipher spec while
 *    rl->is_first_handshake is set, or alert while rl->allow_plain_alerts is
 *    set; anything else raises SSL_AD_UNEXPECTED_MESSAGE;
 *  - rec_version must equal TLS1_2_VERSION, else SSL_AD_DECODE_ERROR;
 *  - length must not exceed SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH, else
 *    SSL_AD_RECORD_OVERFLOW.
 *
 * NOTE(review): the return statements are on lines missing from this
 * listing, so return values are not documented here.
 */
185 static int tls13_validate_record_header(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
/*
 * Allow-list on the outer record type: the two non application data types
 * are accepted only while the matching record layer flag is set.
 */
187 if (rec
->type
!= SSL3_RT_APPLICATION_DATA
188 && (rec
->type
!= SSL3_RT_CHANGE_CIPHER_SPEC
189 || !rl
->is_first_handshake
)
190 && (rec
->type
!= SSL3_RT_ALERT
|| !rl
->allow_plain_alerts
)) {
191 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_BAD_RECORD_TYPE
);
/*
 * TLS 1.3 records carry the legacy TLS 1.2 value in the header version
 * field, so that is the only value accepted here.
 */
195 if (rec
->rec_version
!= TLS1_2_VERSION
) {
196 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, SSL_R_WRONG_VERSION_NUMBER
);
/* Upper bound on the declared length, checked against the encrypted limit. */
200 if (rec
->length
> SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH
) {
201 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
202 SSL_R_ENCRYPTED_LENGTH_TOO_LONG
);
/*
 * tls13_post_process_record: recover the inner content type of a record and
 * enforce the plaintext size limit.
 *
 * Visible steps: unless the record type is alert, a check that includes
 * rec->type != SSL3_RT_APPLICATION_DATA raises SSL_AD_UNEXPECTED_MESSAGE;
 * then trailing zero bytes are scanned from the end of rec->data and the
 * byte the scan stops on becomes rec->type. After that a length above
 * SSL3_RT_MAX_PLAIN_LENGTH raises SSL_AD_RECORD_OVERFLOW, and
 * tls13_common_post_process_record runs last.
 *
 * NOTE(review): this listing drops source lines (the embedded line numbers
 * skip): the declaration of end, the first operand of the type check, the
 * loop body, any update of rec->length and all return statements are not
 * shown.
 */
208 static int tls13_post_process_record(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
210 /* Skip this if we've received a plaintext alert */
211 if (rec
->type
!= SSL3_RT_ALERT
) {
215 || rec
->type
!= SSL3_RT_APPLICATION_DATA
) {
216 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
,
217 SSL_R_BAD_RECORD_TYPE
);
/*
 * NOTE(review): rec->length - 1 would wrap for a zero-length record; the
 * operand of the check above that is not shown presumably rules that out -
 * confirm.
 * If every byte is zero the scan stops at index 0 and rec->type is set from
 * data[0]; rejecting that value is presumably left to
 * tls13_common_post_process_record - confirm.
 */
221 /* Strip trailing padding */
222 for (end
= rec
->length
- 1; end
> 0 && rec
->data
[end
] == 0; end
--)
226 rec
->type
= rec
->data
[end
];
/* Plaintext size limit, checked after the padding scan above. */
229 if (rec
->length
> SSL3_RT_MAX_PLAIN_LENGTH
) {
230 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
234 if (!tls13_common_post_process_record(rl
, rec
)) {
235 /* RLAYERfatal already called */
242 struct record_functions_st tls_1_3_funcs
= {
243 tls13_set_crypto_state
,
246 tls_default_set_protocol_version
,
248 tls_get_more_records
,
249 tls13_validate_record_header
,
250 tls13_post_process_record
,
251 tls_get_max_records_default
,
252 tls_write_records_default