1 /*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "../../ssl_local.h"
13 #include "../record_local.h"
14 #include "recmethod_local.h"
15
tls13_set_crypto_state(OSSL_RECORD_LAYER * rl,int level,unsigned char * key,size_t keylen,unsigned char * iv,size_t ivlen,unsigned char * mackey,size_t mackeylen,const EVP_CIPHER * ciph,size_t taglen,int mactype,const EVP_MD * md,const SSL_COMP * comp)16 static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
17 unsigned char *key, size_t keylen,
18 unsigned char *iv, size_t ivlen,
19 unsigned char *mackey, size_t mackeylen,
20 const EVP_CIPHER *ciph,
21 size_t taglen,
22 int mactype,
23 const EVP_MD *md,
24 const SSL_COMP *comp)
25 {
26 EVP_CIPHER_CTX *ciph_ctx;
27 int mode;
28
29 if (ivlen > sizeof(rl->iv)) {
30 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
31 return OSSL_RECORD_RETURN_FATAL;
32 }
33 memcpy(rl->iv, iv, ivlen);
34
35 ciph_ctx = rl->enc_ctx = EVP_CIPHER_CTX_new();
36 if (ciph_ctx == NULL) {
37 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
38 return OSSL_RECORD_RETURN_FATAL;
39 }
40
41 rl->taglen = taglen;
42
43 mode = EVP_CIPHER_get_mode(ciph);
44
45 if (EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, NULL, NULL) <= 0
46 || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen,
47 NULL) <= 0
48 || (mode == EVP_CIPH_CCM_MODE
49 && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen,
50 NULL) <= 0)
51 || EVP_DecryptInit_ex(ciph_ctx, NULL, NULL, key, NULL) <= 0) {
52 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
53 return OSSL_RECORD_RETURN_FATAL;
54 }
55
56 return OSSL_RECORD_RETURN_SUCCESS;
57 }
58
tls13_cipher(OSSL_RECORD_LAYER * rl,SSL3_RECORD * recs,size_t n_recs,int sending,SSL_MAC_BUF * mac,size_t macsize)59 static int tls13_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
60 int sending, SSL_MAC_BUF *mac, size_t macsize)
61 {
62 EVP_CIPHER_CTX *ctx;
63 unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH];
64 size_t ivlen, offset, loop, hdrlen;
65 unsigned char *staticiv;
66 unsigned char *seq = rl->sequence;
67 int lenu, lenf;
68 SSL3_RECORD *rec = &recs[0];
69 WPACKET wpkt;
70 const EVP_CIPHER *cipher;
71 int mode;
72
73 if (n_recs != 1) {
74 /* Should not happen */
75 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
76 return 0;
77 }
78
79 ctx = rl->enc_ctx;
80 staticiv = rl->iv;
81
82 cipher = EVP_CIPHER_CTX_get0_cipher(ctx);
83 if (cipher == NULL) {
84 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
85 return 0;
86 }
87 mode = EVP_CIPHER_get_mode(cipher);
88
89 /*
90 * If we're sending an alert and ctx != NULL then we must be forcing
91 * plaintext alerts. If we're reading and ctx != NULL then we allow
92 * plaintext alerts at certain points in the handshake. If we've got this
93 * far then we have already validated that a plaintext alert is ok here.
94 */
95 if (ctx == NULL || rec->type == SSL3_RT_ALERT) {
96 memmove(rec->data, rec->input, rec->length);
97 rec->input = rec->data;
98 return 1;
99 }
100
101 ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
102
103 if (!sending) {
104 /*
105 * Take off tag. There must be at least one byte of content type as
106 * well as the tag
107 */
108 if (rec->length < rl->taglen + 1)
109 return 0;
110 rec->length -= rl->taglen;
111 }
112
113 /* Set up IV */
114 if (ivlen < SEQ_NUM_SIZE) {
115 /* Should not happen */
116 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
117 return 0;
118 }
119 offset = ivlen - SEQ_NUM_SIZE;
120 memcpy(iv, staticiv, offset);
121 for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
122 iv[offset + loop] = staticiv[offset + loop] ^ seq[loop];
123
124 /* Increment the sequence counter */
125 for (loop = SEQ_NUM_SIZE; loop > 0; loop--) {
126 ++seq[loop - 1];
127 if (seq[loop - 1] != 0)
128 break;
129 }
130 if (loop == 0) {
131 /* Sequence has wrapped */
132 return 0;
133 }
134
135 if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0
136 || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
137 rl->taglen,
138 rec->data + rec->length) <= 0)) {
139 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
140 return 0;
141 }
142
143 /* Set up the AAD */
144 if (!WPACKET_init_static_len(&wpkt, recheader, sizeof(recheader), 0)
145 || !WPACKET_put_bytes_u8(&wpkt, rec->type)
146 || !WPACKET_put_bytes_u16(&wpkt, rec->rec_version)
147 || !WPACKET_put_bytes_u16(&wpkt, rec->length + rl->taglen)
148 || !WPACKET_get_total_written(&wpkt, &hdrlen)
149 || hdrlen != SSL3_RT_HEADER_LENGTH
150 || !WPACKET_finish(&wpkt)) {
151 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
152 WPACKET_cleanup(&wpkt);
153 return 0;
154 }
155
156 /*
157 * For CCM we must explicitly set the total plaintext length before we add
158 * any AAD.
159 */
160 if ((mode == EVP_CIPH_CCM_MODE
161 && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
162 (unsigned int)rec->length) <= 0)
163 || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
164 sizeof(recheader)) <= 0
165 || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
166 (unsigned int)rec->length) <= 0
167 || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
168 || (size_t)(lenu + lenf) != rec->length) {
169 return 0;
170 }
171 if (sending) {
172 /* Add the tag */
173 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen,
174 rec->data + rec->length) <= 0) {
175 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
176 return 0;
177 }
178 rec->length += rl->taglen;
179 }
180
181 return 1;
182 }
183
tls13_validate_record_header(OSSL_RECORD_LAYER * rl,SSL3_RECORD * rec)184 static int tls13_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
185 {
186 if (rec->type != SSL3_RT_APPLICATION_DATA
187 && (rec->type != SSL3_RT_CHANGE_CIPHER_SPEC
188 || !rl->is_first_handshake)
189 && (rec->type != SSL3_RT_ALERT || !rl->allow_plain_alerts)) {
190 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
191 return 0;
192 }
193
194 if (rec->rec_version != TLS1_2_VERSION) {
195 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_WRONG_VERSION_NUMBER);
196 return 0;
197 }
198
199 if (rec->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
200 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
201 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
202 return 0;
203 }
204 return 1;
205 }
206
tls13_post_process_record(OSSL_RECORD_LAYER * rl,SSL3_RECORD * rec)207 static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
208 {
209 /* Skip this if we've received a plaintext alert */
210 if (rec->type != SSL3_RT_ALERT) {
211 size_t end;
212
213 if (rec->length == 0
214 || rec->type != SSL3_RT_APPLICATION_DATA) {
215 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
216 SSL_R_BAD_RECORD_TYPE);
217 return 0;
218 }
219
220 /* Strip trailing padding */
221 for (end = rec->length - 1; end > 0 && rec->data[end] == 0; end--)
222 continue;
223
224 rec->length = end;
225 rec->type = rec->data[end];
226 }
227
228 if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
229 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
230 return 0;
231 }
232
233 if (!tls13_common_post_process_record(rl, rec)) {
234 /* RLAYERfatal already called */
235 return 0;
236 }
237
238 return 1;
239 }
240
241 struct record_functions_st tls_1_3_funcs = {
242 tls13_set_crypto_state,
243 tls_default_read_n,
244 tls_get_more_records,
245 tls13_cipher,
246 NULL,
247 tls_default_set_protocol_version,
248 tls13_validate_record_header,
249 tls13_post_process_record
250 };
251