]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/record/methods/tls13_meth.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Convert the TLSv1.3 crypto code to the new write record layer
[thirdparty/openssl.git] / ssl / record / methods / tls13_meth.c
1 /*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "../../ssl_local.h"
13 #include "../record_local.h"
14 #include "recmethod_local.h"
15
16 static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
17 unsigned char *key, size_t keylen,
18 unsigned char *iv, size_t ivlen,
19 unsigned char *mackey, size_t mackeylen,
20 const EVP_CIPHER *ciph,
21 size_t taglen,
22 int mactype,
23 const EVP_MD *md,
24 COMP_METHOD *comp)
25 {
26 EVP_CIPHER_CTX *ciph_ctx;
27 int mode;
28 int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0;
29
30 if (ivlen > sizeof(rl->iv)) {
31 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
32 return OSSL_RECORD_RETURN_FATAL;
33 }
34 memcpy(rl->iv, iv, ivlen);
35
36 ciph_ctx = rl->enc_ctx = EVP_CIPHER_CTX_new();
37 if (ciph_ctx == NULL) {
38 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
39 return OSSL_RECORD_RETURN_FATAL;
40 }
41
42 rl->taglen = taglen;
43
44 mode = EVP_CIPHER_get_mode(ciph);
45
46 if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, enc) <= 0
47 || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen,
48 NULL) <= 0
49 || (mode == EVP_CIPH_CCM_MODE
50 && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen,
51 NULL) <= 0)
52 || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, enc) <= 0) {
53 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
54 return OSSL_RECORD_RETURN_FATAL;
55 }
56
57 return OSSL_RECORD_RETURN_SUCCESS;
58 }
59
60 static int tls13_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
61 int sending, SSL_MAC_BUF *mac, size_t macsize)
62 {
63 EVP_CIPHER_CTX *ctx;
64 unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH];
65 size_t ivlen, offset, loop, hdrlen;
66 unsigned char *staticiv;
67 unsigned char *seq = rl->sequence;
68 int lenu, lenf;
69 SSL3_RECORD *rec = &recs[0];
70 WPACKET wpkt;
71 const EVP_CIPHER *cipher;
72 int mode;
73
74 if (n_recs != 1) {
75 /* Should not happen */
76 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
77 return 0;
78 }
79
80 ctx = rl->enc_ctx;
81 staticiv = rl->iv;
82
83 cipher = EVP_CIPHER_CTX_get0_cipher(ctx);
84 if (cipher == NULL) {
85 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
86 return 0;
87 }
88 mode = EVP_CIPHER_get_mode(cipher);
89
90 /*
91 * If we're sending an alert and ctx != NULL then we must be forcing
92 * plaintext alerts. If we're reading and ctx != NULL then we allow
93 * plaintext alerts at certain points in the handshake. If we've got this
94 * far then we have already validated that a plaintext alert is ok here.
95 */
96 if (ctx == NULL || rec->type == SSL3_RT_ALERT) {
97 memmove(rec->data, rec->input, rec->length);
98 rec->input = rec->data;
99 return 1;
100 }
101
102 ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
103
104 if (!sending) {
105 /*
106 * Take off tag. There must be at least one byte of content type as
107 * well as the tag
108 */
109 if (rec->length < rl->taglen + 1)
110 return 0;
111 rec->length -= rl->taglen;
112 }
113
114 /* Set up IV */
115 if (ivlen < SEQ_NUM_SIZE) {
116 /* Should not happen */
117 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
118 return 0;
119 }
120 offset = ivlen - SEQ_NUM_SIZE;
121 memcpy(iv, staticiv, offset);
122 for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
123 iv[offset + loop] = staticiv[offset + loop] ^ seq[loop];
124
125 /* Increment the sequence counter */
126 for (loop = SEQ_NUM_SIZE; loop > 0; loop--) {
127 ++seq[loop - 1];
128 if (seq[loop - 1] != 0)
129 break;
130 }
131 if (loop == 0) {
132 /* Sequence has wrapped */
133 return 0;
134 }
135
136 if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0
137 || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
138 rl->taglen,
139 rec->data + rec->length) <= 0)) {
140 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
141 return 0;
142 }
143
144 /* Set up the AAD */
145 if (!WPACKET_init_static_len(&wpkt, recheader, sizeof(recheader), 0)
146 || !WPACKET_put_bytes_u8(&wpkt, rec->type)
147 || !WPACKET_put_bytes_u16(&wpkt, rec->rec_version)
148 || !WPACKET_put_bytes_u16(&wpkt, rec->length + rl->taglen)
149 || !WPACKET_get_total_written(&wpkt, &hdrlen)
150 || hdrlen != SSL3_RT_HEADER_LENGTH
151 || !WPACKET_finish(&wpkt)) {
152 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
153 WPACKET_cleanup(&wpkt);
154 return 0;
155 }
156
157 /*
158 * For CCM we must explicitly set the total plaintext length before we add
159 * any AAD.
160 */
161 if ((mode == EVP_CIPH_CCM_MODE
162 && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
163 (unsigned int)rec->length) <= 0)
164 || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
165 sizeof(recheader)) <= 0
166 || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
167 (unsigned int)rec->length) <= 0
168 || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
169 || (size_t)(lenu + lenf) != rec->length) {
170 return 0;
171 }
172 if (sending) {
173 /* Add the tag */
174 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen,
175 rec->data + rec->length) <= 0) {
176 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
177 return 0;
178 }
179 rec->length += rl->taglen;
180 }
181
182 return 1;
183 }
184
185 static int tls13_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
186 {
187 if (rec->type != SSL3_RT_APPLICATION_DATA
188 && (rec->type != SSL3_RT_CHANGE_CIPHER_SPEC
189 || !rl->is_first_handshake)
190 && (rec->type != SSL3_RT_ALERT || !rl->allow_plain_alerts)) {
191 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
192 return 0;
193 }
194
195 if (rec->rec_version != TLS1_2_VERSION) {
196 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_WRONG_VERSION_NUMBER);
197 return 0;
198 }
199
200 if (rec->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
201 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
202 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
203 return 0;
204 }
205 return 1;
206 }
207
208 static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
209 {
210 /* Skip this if we've received a plaintext alert */
211 if (rec->type != SSL3_RT_ALERT) {
212 size_t end;
213
214 if (rec->length == 0
215 || rec->type != SSL3_RT_APPLICATION_DATA) {
216 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
217 SSL_R_BAD_RECORD_TYPE);
218 return 0;
219 }
220
221 /* Strip trailing padding */
222 for (end = rec->length - 1; end > 0 && rec->data[end] == 0; end--)
223 continue;
224
225 rec->length = end;
226 rec->type = rec->data[end];
227 }
228
229 if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
230 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
231 return 0;
232 }
233
234 if (!tls13_common_post_process_record(rl, rec)) {
235 /* RLAYERfatal already called */
236 return 0;
237 }
238
239 return 1;
240 }
241
242 struct record_functions_st tls_1_3_funcs = {
243 tls13_set_crypto_state,
244 tls13_cipher,
245 NULL,
246 tls_default_set_protocol_version,
247 tls_default_read_n,
248 tls_get_more_records,
249 tls13_validate_record_header,
250 tls13_post_process_record,
251 tls_get_max_records_default,
252 tls_write_records_default
253 };
A mirror of the official openssl repository