-/* $OpenBSD: t1_enc.c,v 1.130 2021/01/26 14:22:20 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.131 2021/01/28 17:00:39 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
NULL, 0, NULL, 0, key_block, key_block_len);
}
-/*
- * tls1_aead_ctx_init allocates aead_ctx, if needed. It returns 1 on success
- * and 0 on failure.
- */
-static int
-tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx)
-{
- if (*aead_ctx != NULL) {
- EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx);
- return (1);
- }
-
- *aead_ctx = malloc(sizeof(SSL_AEAD_CTX));
- if (*aead_ctx == NULL) {
- SSLerrorx(ERR_R_MALLOC_FAILURE);
- return (0);
- }
-
- return (1);
-}
-
-static int
-tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
- unsigned int key_len, const unsigned char *iv, unsigned int iv_len)
-{
- const EVP_AEAD *aead = S3I(s)->tmp.new_aead;
- SSL_AEAD_CTX *aead_ctx;
-
- /* XXX - Need to avoid clearing write state for DTLS. */
- if (SSL_is_dtls(s))
- return 0;
-
- if (is_read) {
- ssl_clear_cipher_read_state(s);
- if (!tls1_aead_ctx_init(&s->internal->aead_read_ctx))
- return 0;
- aead_ctx = s->internal->aead_read_ctx;
-
- if (!tls12_record_layer_set_read_aead(s->internal->rl, aead_ctx))
- return 0;
- } else {
- ssl_clear_cipher_write_state(s);
- if (!tls1_aead_ctx_init(&s->internal->aead_write_ctx))
- return 0;
- aead_ctx = s->internal->aead_write_ctx;
-
- if (!tls12_record_layer_set_write_aead(s->internal->rl, aead_ctx))
- return 0;
- }
-
- if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len,
- EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
- return (0);
- if (iv_len > sizeof(aead_ctx->fixed_nonce)) {
- SSLerrorx(ERR_R_INTERNAL_ERROR);
- return (0);
- }
- memcpy(aead_ctx->fixed_nonce, iv, iv_len);
- aead_ctx->fixed_nonce_len = iv_len;
- aead_ctx->variable_nonce_len = 8; /* always the case, currently. */
- aead_ctx->variable_nonce_in_record =
- (S3I(s)->hs.new_cipher->algorithm2 &
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0;
- aead_ctx->xor_fixed_nonce =
- S3I(s)->hs.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305;
- aead_ctx->tag_len = EVP_AEAD_max_overhead(aead);
-
- if (aead_ctx->xor_fixed_nonce) {
- if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) ||
- aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) {
- SSLerrorx(ERR_R_INTERNAL_ERROR);
- return (0);
- }
- } else {
- if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len !=
- EVP_AEAD_nonce_length(aead)) {
- SSLerrorx(ERR_R_INTERNAL_ERROR);
- return (0);
- }
- }
-
- return (1);
-}
-
/*
* tls1_change_cipher_state_cipher performs the work needed to switch cipher
* states when using EVP_CIPHER. The argument is_read is true iff this function
goto err;
}
- if (aead != NULL) {
- return tls1_change_cipher_state_aead(s, is_read, key, key_len,
- iv, iv_len);
- }
+ if (aead != NULL)
+ return 1;
return tls1_change_cipher_state_cipher(s, is_read,
mac_secret, mac_secret_size, key, key_len, iv, iv_len);
S3I(s)->tmp.new_mac_pkey_type = mac_type;
S3I(s)->tmp.new_mac_secret_size = mac_secret_size;
+ tls12_record_layer_set_aead(s->internal->rl, aead);
+
tls1_cleanup_key_block(s);
if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len,
-/* $OpenBSD: tls12_record_layer.c,v 1.15 2021/01/26 14:22:20 jsing Exp $ */
+/* $OpenBSD: tls12_record_layer.c,v 1.16 2021/01/28 17:00:39 jsing Exp $ */
/*
* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
*
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include <limits.h>
#include <stdlib.h>
#include <openssl/evp.h>
uint16_t epoch;
uint8_t seq_num[SSL3_SEQUENCE_SIZE];
+ SSL_AEAD_CTX *aead_ctx;
+
int stream_mac;
uint8_t *mac_key;
* XXX - for now these are just pointers to externally managed
* structs/memory. These should eventually be owned by the record layer.
*/
- SSL_AEAD_CTX *aead_ctx;
-
EVP_CIPHER_CTX *cipher_ctx;
EVP_MD_CTX *hash_ctx;
};
{
memset(rp->seq_num, 0, sizeof(rp->seq_num));
+ if (rp->aead_ctx != NULL) {
+ EVP_AEAD_CTX_cleanup(&rp->aead_ctx->ctx);
+ freezero(rp->aead_ctx, sizeof(*rp->aead_ctx));
+ rp->aead_ctx = NULL;
+ }
+
freezero(rp->mac_key, rp->mac_key_len);
rp->mac_key = NULL;
rp->mac_key_len = 0;
uint8_t alert_desc;
+ const EVP_AEAD *aead;
+
/* Pointers to active record protection (memory is not owned). */
struct tls12_record_protection *read;
struct tls12_record_protection *write;
return tls12_record_protection_engaged(rl->write);
}
+void
+tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead)
+{
+ rl->aead = aead;
+}
+
void
tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
{
sizeof(rl->write->seq_num));
}
-int
-tls12_record_layer_set_read_aead(struct tls12_record_layer *rl,
- SSL_AEAD_CTX *aead_ctx)
-{
- tls12_record_layer_set_read_state(rl, aead_ctx, NULL, NULL, 0);
-
- return 1;
-}
-
-int
-tls12_record_layer_set_write_aead(struct tls12_record_layer *rl,
- SSL_AEAD_CTX *aead_ctx)
-{
- tls12_record_layer_set_write_state(rl, aead_ctx, NULL, NULL, 0);
-
- return 1;
-}
-
int
tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer *rl,
EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac)
return 1;
}
+static int
+tls12_record_layer_ccs_aead(struct tls12_record_layer *rl,
+ struct tls12_record_protection *rp, int is_write, const uint8_t *mac_key,
+ size_t mac_key_len, const uint8_t *key, size_t key_len, const uint8_t *iv,
+ size_t iv_len)
+{
+ size_t aead_nonce_len = EVP_AEAD_nonce_length(rl->aead);
+
+ if ((rp->aead_ctx = calloc(1, sizeof(*rp->aead_ctx))) == NULL)
+ return 0;
+
+ /* AES GCM cipher suites use variable nonce in record. */
+ if (rl->aead == EVP_aead_aes_128_gcm() ||
+ rl->aead == EVP_aead_aes_256_gcm())
+ rp->aead_ctx->variable_nonce_in_record = 1;
+
+ /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */
+ if (rl->aead == EVP_aead_chacha20_poly1305())
+ rp->aead_ctx->xor_fixed_nonce = 1;
+
+ if (iv_len > sizeof(rp->aead_ctx->fixed_nonce))
+ return 0;
+
+ memcpy(rp->aead_ctx->fixed_nonce, iv, iv_len);
+ rp->aead_ctx->fixed_nonce_len = iv_len;
+ rp->aead_ctx->tag_len = EVP_AEAD_max_overhead(rl->aead);
+ rp->aead_ctx->variable_nonce_len = 8;
+
+ if (rp->aead_ctx->xor_fixed_nonce) {
+ /* Fixed nonce length must match, variable must not exceed. */
+ if (rp->aead_ctx->fixed_nonce_len != aead_nonce_len)
+ return 0;
+ if (rp->aead_ctx->variable_nonce_len > aead_nonce_len)
+ return 0;
+ } else {
+ /* Concatenated nonce length must equal AEAD nonce length. */
+ if (rp->aead_ctx->fixed_nonce_len +
+ rp->aead_ctx->variable_nonce_len != aead_nonce_len)
+ return 0;
+ }
+
+ if (!EVP_AEAD_CTX_init(&rp->aead_ctx->ctx, rl->aead, key, key_len,
+ EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
+ return 0;
+
+ return 1;
+}
+
+static int
+tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl,
+ struct tls12_record_protection *rp, int is_write, const uint8_t *mac_key,
+ size_t mac_key_len, const uint8_t *key, size_t key_len, const uint8_t *iv,
+ size_t iv_len)
+{
+ /* Require unused record protection. */
+ if (rp->cipher_ctx != NULL || rp->aead_ctx != NULL)
+ return 0;
+
+ if (mac_key_len > INT_MAX || key_len > INT_MAX || iv_len > INT_MAX)
+ return 0;
+
+ /* XXX - only aead for now. */
+ if (rl->aead == NULL)
+ return 1;
+
+ return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key,
+ mac_key_len, key, key_len, iv, iv_len);
+}
+
int
tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
const uint8_t *mac_key, size_t mac_key_len, const uint8_t *key,
/* Read sequence number gets reset to zero. */
- /* XXX - change cipher state. */
+ if (!tls12_record_layer_change_cipher_state(rl, read_new, 0,
+ mac_key, mac_key_len, key, key_len, iv, iv_len))
+ goto err;
tls12_record_protection_free(rl->read_current);
rl->read = rl->read_current = read_new;
/* Write sequence number gets reset to zero. */
- /* XXX - change cipher state. */
+ if (!tls12_record_layer_change_cipher_state(rl, write_new, 1,
+ mac_key, mac_key_len, key, key_len, iv, iv_len))
+ goto err;
if (rl->dtls) {
tls12_record_protection_free(rl->write_previous);
projects / openbsd / commitdiff