From c37fa200cd9a859380920c1556f51d3cb2793a30 Mon Sep 17 00:00:00 2001 From: jsing Date: Thu, 28 Jan 2021 17:00:38 +0000 Subject: [PATCH] Move AEAD handling into the new TLSv1.2 record layer. ok tb@ --- lib/libssl/ssl_lib.c | 14 +--- lib/libssl/ssl_locl.h | 12 +--- lib/libssl/t1_enc.c | 94 ++------------------------ lib/libssl/tls12_record_layer.c | 116 +++++++++++++++++++++++++------- 4 files changed, 102 insertions(+), 134 deletions(-) diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 5cf4be74aa4..b67f8569cc2 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.243 2021/01/26 18:45:32 tb Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.244 2021/01/28 17:00:38 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2618,12 +2618,6 @@ ssl_clear_cipher_read_state(SSL *s) s->read_hash = NULL; tls12_record_layer_clear_read_state(s->internal->rl); - - if (s->internal->aead_read_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&s->internal->aead_read_ctx->ctx); - free(s->internal->aead_read_ctx); - s->internal->aead_read_ctx = NULL; - } } void @@ -2635,12 +2629,6 @@ ssl_clear_cipher_write_state(SSL *s) s->internal->write_hash = NULL; tls12_record_layer_clear_write_state(s->internal->rl); - - if (s->internal->aead_write_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&s->internal->aead_write_ctx->ctx); - free(s->internal->aead_write_ctx); - s->internal->aead_write_ctx = NULL; - } } /* Fix this function so that it takes an optional type parameter */ diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 4390361c663..d5298d7af17 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.317 2021/01/26 14:22:20 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.318 2021/01/28 17:00:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -481,6 +481,8 @@ int tls12_record_layer_write_overhead(struct tls12_record_layer *rl, size_t *overhead); int tls12_record_layer_read_protected(struct tls12_record_layer *rl); int tls12_record_layer_write_protected(struct tls12_record_layer *rl); +void tls12_record_layer_set_aead(struct tls12_record_layer *rl, + const EVP_AEAD *aead); void tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version); void tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, @@ -758,14 +760,6 @@ typedef struct ssl_internal_st { STACK_OF(SSL_CIPHER) *cipher_list_tls13; - SSL_AEAD_CTX *aead_read_ctx; /* AEAD context. If non-NULL, then - enc_read_ctx and read_hash are - ignored. */ - - SSL_AEAD_CTX *aead_write_ctx; /* AEAD context. If non-NULL, then - enc_write_ctx and write_hash are - ignored. */ - EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ EVP_MD_CTX *write_hash; /* used for mac generation */ diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c index a0b377389bd..b84a5347f1b 100644 --- a/lib/libssl/t1_enc.c +++ b/lib/libssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.130 2021/01/26 14:22:20 jsing Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.131 2021/01/28 17:00:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -310,90 +310,6 @@ tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len) NULL, 0, NULL, 0, key_block, key_block_len); } -/* - * tls1_aead_ctx_init allocates aead_ctx, if needed. It returns 1 on success - * and 0 on failure. - */ -static int -tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) -{ - if (*aead_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx); - return (1); - } - - *aead_ctx = malloc(sizeof(SSL_AEAD_CTX)); - if (*aead_ctx == NULL) { - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (0); - } - - return (1); -} - -static int -tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, - unsigned int key_len, const unsigned char *iv, unsigned int iv_len) -{ - const EVP_AEAD *aead = S3I(s)->tmp.new_aead; - SSL_AEAD_CTX *aead_ctx; - - /* XXX - Need to avoid clearing write state for DTLS. */ - if (SSL_is_dtls(s)) - return 0; - - if (is_read) { - ssl_clear_cipher_read_state(s); - if (!tls1_aead_ctx_init(&s->internal->aead_read_ctx)) - return 0; - aead_ctx = s->internal->aead_read_ctx; - - if (!tls12_record_layer_set_read_aead(s->internal->rl, aead_ctx)) - return 0; - } else { - ssl_clear_cipher_write_state(s); - if (!tls1_aead_ctx_init(&s->internal->aead_write_ctx)) - return 0; - aead_ctx = s->internal->aead_write_ctx; - - if (!tls12_record_layer_set_write_aead(s->internal->rl, aead_ctx)) - return 0; - } - - if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len, - EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) - return (0); - if (iv_len > sizeof(aead_ctx->fixed_nonce)) { - SSLerrorx(ERR_R_INTERNAL_ERROR); - return (0); - } - memcpy(aead_ctx->fixed_nonce, iv, iv_len); - aead_ctx->fixed_nonce_len = iv_len; - aead_ctx->variable_nonce_len = 8; /* always the case, currently. */ - aead_ctx->variable_nonce_in_record = - (S3I(s)->hs.new_cipher->algorithm2 & - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; - aead_ctx->xor_fixed_nonce = - S3I(s)->hs.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305; - aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); - - if (aead_ctx->xor_fixed_nonce) { - if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) || - aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) { - SSLerrorx(ERR_R_INTERNAL_ERROR); - return (0); - } - } else { - if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != - EVP_AEAD_nonce_length(aead)) { - SSLerrorx(ERR_R_INTERNAL_ERROR); - return (0); - } - } - - return (1); -} - /* * tls1_change_cipher_state_cipher performs the work needed to switch cipher * states when using EVP_CIPHER. The argument is_read is true iff this function @@ -566,10 +482,8 @@ tls1_change_cipher_state(SSL *s, int which) goto err; } - if (aead != NULL) { - return tls1_change_cipher_state_aead(s, is_read, key, key_len, - iv, iv_len); - } + if (aead != NULL) + return 1; return tls1_change_cipher_state_cipher(s, is_read, mac_secret, mac_secret_size, key, key_len, iv, iv_len); @@ -617,6 +531,8 @@ tls1_setup_key_block(SSL *s) S3I(s)->tmp.new_mac_pkey_type = mac_type; S3I(s)->tmp.new_mac_secret_size = mac_secret_size; + tls12_record_layer_set_aead(s->internal->rl, aead); + tls1_cleanup_key_block(s); if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len, diff --git a/lib/libssl/tls12_record_layer.c b/lib/libssl/tls12_record_layer.c index 01044432863..b74a6588eff 100644 --- a/lib/libssl/tls12_record_layer.c +++ b/lib/libssl/tls12_record_layer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls12_record_layer.c,v 1.15 2021/01/26 14:22:20 jsing Exp $ */ +/* $OpenBSD: tls12_record_layer.c,v 1.16 2021/01/28 17:00:39 jsing Exp $ */ /* * Copyright (c) 2020 Joel Sing * @@ -15,6 +15,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#include #include #include @@ -25,6 +26,8 @@ struct tls12_record_protection { uint16_t epoch; uint8_t seq_num[SSL3_SEQUENCE_SIZE]; + SSL_AEAD_CTX *aead_ctx; + int stream_mac; uint8_t *mac_key; @@ -34,8 +37,6 @@ struct tls12_record_protection { * XXX - for now these are just pointers to externally managed * structs/memory. These should eventually be owned by the record layer. */ - SSL_AEAD_CTX *aead_ctx; - EVP_CIPHER_CTX *cipher_ctx; EVP_MD_CTX *hash_ctx; }; @@ -51,6 +52,12 @@ tls12_record_protection_clear(struct tls12_record_protection *rp) { memset(rp->seq_num, 0, sizeof(rp->seq_num)); + if (rp->aead_ctx != NULL) { + EVP_AEAD_CTX_cleanup(&rp->aead_ctx->ctx); + freezero(rp->aead_ctx, sizeof(*rp->aead_ctx)); + rp->aead_ctx = NULL; + } + freezero(rp->mac_key, rp->mac_key_len); rp->mac_key = NULL; rp->mac_key_len = 0; @@ -141,6 +148,8 @@ struct tls12_record_layer { uint8_t alert_desc; + const EVP_AEAD *aead; + /* Pointers to active record protection (memory is not owned). */ struct tls12_record_protection *read; struct tls12_record_protection *write; @@ -231,6 +240,12 @@ tls12_record_layer_write_protected(struct tls12_record_layer *rl) return tls12_record_protection_engaged(rl->write); } +void +tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead) +{ + rl->aead = aead; +} + void tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) { @@ -323,24 +338,6 @@ tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl) sizeof(rl->write->seq_num)); } -int -tls12_record_layer_set_read_aead(struct tls12_record_layer *rl, - SSL_AEAD_CTX *aead_ctx) -{ - tls12_record_layer_set_read_state(rl, aead_ctx, NULL, NULL, 0); - - return 1; -} - -int -tls12_record_layer_set_write_aead(struct tls12_record_layer *rl, - SSL_AEAD_CTX *aead_ctx) -{ - tls12_record_layer_set_write_state(rl, aead_ctx, NULL, NULL, 0); - - return 1; -} - int tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer *rl, EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac) @@ -381,6 +378,75 @@ tls12_record_layer_set_read_mac_key(struct tls12_record_layer *rl, return 1; } +static int +tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, + struct tls12_record_protection *rp, int is_write, const uint8_t *mac_key, + size_t mac_key_len, const uint8_t *key, size_t key_len, const uint8_t *iv, + size_t iv_len) +{ + size_t aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); + + if ((rp->aead_ctx = calloc(1, sizeof(*rp->aead_ctx))) == NULL) + return 0; + + /* AES GCM cipher suites use variable nonce in record. */ + if (rl->aead == EVP_aead_aes_128_gcm() || + rl->aead == EVP_aead_aes_256_gcm()) + rp->aead_ctx->variable_nonce_in_record = 1; + + /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */ + if (rl->aead == EVP_aead_chacha20_poly1305()) + rp->aead_ctx->xor_fixed_nonce = 1; + + if (iv_len > sizeof(rp->aead_ctx->fixed_nonce)) + return 0; + + memcpy(rp->aead_ctx->fixed_nonce, iv, iv_len); + rp->aead_ctx->fixed_nonce_len = iv_len; + rp->aead_ctx->tag_len = EVP_AEAD_max_overhead(rl->aead); + rp->aead_ctx->variable_nonce_len = 8; + + if (rp->aead_ctx->xor_fixed_nonce) { + /* Fixed nonce length must match, variable must not exceed. */ + if (rp->aead_ctx->fixed_nonce_len != aead_nonce_len) + return 0; + if (rp->aead_ctx->variable_nonce_len > aead_nonce_len) + return 0; + } else { + /* Concatenated nonce length must equal AEAD nonce length. */ + if (rp->aead_ctx->fixed_nonce_len + + rp->aead_ctx->variable_nonce_len != aead_nonce_len) + return 0; + } + + if (!EVP_AEAD_CTX_init(&rp->aead_ctx->ctx, rl->aead, key, key_len, + EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) + return 0; + + return 1; +} + +static int +tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl, + struct tls12_record_protection *rp, int is_write, const uint8_t *mac_key, + size_t mac_key_len, const uint8_t *key, size_t key_len, const uint8_t *iv, + size_t iv_len) +{ + /* Require unused record protection. */ + if (rp->cipher_ctx != NULL || rp->aead_ctx != NULL) + return 0; + + if (mac_key_len > INT_MAX || key_len > INT_MAX || iv_len > INT_MAX) + return 0; + + /* XXX - only aead for now. */ + if (rl->aead == NULL) + return 1; + + return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key, + mac_key_len, key, key_len, iv, iv_len); +} + int tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, const uint8_t *mac_key, size_t mac_key_len, const uint8_t *key, @@ -394,7 +460,9 @@ tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, /* Read sequence number gets reset to zero. */ - /* XXX - change cipher state. */ + if (!tls12_record_layer_change_cipher_state(rl, read_new, 0, + mac_key, mac_key_len, key, key_len, iv, iv_len)) + goto err; tls12_record_protection_free(rl->read_current); rl->read = rl->read_current = read_new; @@ -421,7 +489,9 @@ tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, /* Write sequence number gets reset to zero. */ - /* XXX - change cipher state. */ + if (!tls12_record_layer_change_cipher_state(rl, write_new, 1, + mac_key, mac_key_len, key, key_len, iv, iv_len)) + goto err; if (rl->dtls) { tls12_record_protection_free(rl->write_previous); -- 2.20.1