clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name tls12_record_layer.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libssl/obj -resource-dir /usr/local/llvm16/lib/clang/16 -D LIBRESSL_INTERNAL -I /usr/src/lib/libssl -I /usr/src/lib/libssl/../libcrypto/hidden -I /usr/src/lib/libssl/../libcrypto/bio -I /usr/src/lib/libssl/hidden -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libssl/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/lib/libssl/tls12_record_layer.c
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |
11 | |
12 | |
13 | |
14 | |
15 | |
16 | |
17 | |
18 | #include <limits.h> |
19 | #include <stdlib.h> |
20 | |
21 | #include <openssl/evp.h> |
22 | |
23 | #include "ssl_local.h" |
24 | |
25 | #define TLS12_RECORD_SEQ_NUM_LEN 8 |
26 | #define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12 |
27 | |
28 | struct tls12_record_protection { |
29 | uint16_t epoch; |
30 | uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; |
31 | |
32 | EVP_AEAD_CTX *aead_ctx; |
33 | |
34 | uint8_t *aead_nonce; |
35 | size_t aead_nonce_len; |
36 | |
37 | uint8_t *aead_fixed_nonce; |
38 | size_t aead_fixed_nonce_len; |
39 | |
40 | size_t aead_variable_nonce_len; |
41 | size_t aead_tag_len; |
42 | |
43 | int aead_xor_nonces; |
44 | int aead_variable_nonce_in_record; |
45 | |
46 | EVP_CIPHER_CTX *cipher_ctx; |
47 | EVP_MD_CTX *hash_ctx; |
48 | |
49 | int stream_mac; |
50 | |
51 | uint8_t *mac_key; |
52 | size_t mac_key_len; |
53 | }; |
54 | |
55 | static struct tls12_record_protection * |
56 | tls12_record_protection_new(void) |
57 | { |
58 | return calloc(1, sizeof(struct tls12_record_protection)); |
59 | } |
60 | |
61 | static void |
62 | tls12_record_protection_clear(struct tls12_record_protection *rp) |
63 | { |
64 | EVP_AEAD_CTX_free(rp->aead_ctx); |
65 | |
66 | freezero(rp->aead_nonce, rp->aead_nonce_len); |
67 | freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len); |
68 | |
69 | EVP_CIPHER_CTX_free(rp->cipher_ctx); |
70 | EVP_MD_CTX_free(rp->hash_ctx); |
71 | |
72 | freezero(rp->mac_key, rp->mac_key_len); |
73 | |
74 | memset(rp, 0, sizeof(*rp)); |
75 | } |
76 | |
77 | static void |
78 | tls12_record_protection_free(struct tls12_record_protection *rp) |
79 | { |
80 | if (rp == NULL) |
81 | return; |
82 | |
83 | tls12_record_protection_clear(rp); |
84 | |
85 | freezero(rp, sizeof(struct tls12_record_protection)); |
86 | } |
87 | |
88 | static int |
89 | tls12_record_protection_engaged(struct tls12_record_protection *rp) |
90 | { |
91 | return rp->aead_ctx != NULL || rp->cipher_ctx != NULL; |
92 | } |
93 | |
94 | static int |
95 | tls12_record_protection_unused(struct tls12_record_protection *rp) |
96 | { |
97 | return rp->aead_ctx == NULL && rp->cipher_ctx == NULL && |
98 | rp->hash_ctx == NULL && rp->mac_key == NULL; |
99 | } |
100 | |
101 | static int |
102 | tls12_record_protection_eiv_len(struct tls12_record_protection *rp, |
103 | size_t *out_eiv_len) |
104 | { |
105 | int eiv_len; |
106 | |
107 | *out_eiv_len = 0; |
108 | |
109 | if (rp->cipher_ctx == NULL) |
110 | return 0; |
111 | |
112 | eiv_len = 0; |
113 | if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE) |
114 | eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx); |
115 | if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH) |
116 | return 0; |
117 | |
118 | *out_eiv_len = eiv_len; |
119 | |
120 | return 1; |
121 | } |
122 | |
123 | static int |
124 | tls12_record_protection_block_size(struct tls12_record_protection *rp, |
125 | size_t *out_block_size) |
126 | { |
127 | int block_size; |
128 | |
129 | *out_block_size = 0; |
130 | |
131 | if (rp->cipher_ctx == NULL) |
132 | return 0; |
133 | |
134 | block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx); |
135 | if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH) |
136 | return 0; |
137 | |
138 | *out_block_size = block_size; |
139 | |
140 | return 1; |
141 | } |
142 | |
143 | static int |
144 | tls12_record_protection_mac_len(struct tls12_record_protection *rp, |
145 | size_t *out_mac_len) |
146 | { |
147 | int mac_len; |
148 | |
149 | *out_mac_len = 0; |
150 | |
151 | if (rp->hash_ctx == NULL) |
152 | return 0; |
153 | |
154 | mac_len = EVP_MD_CTX_size(rp->hash_ctx); |
155 | if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE) |
156 | return 0; |
157 | |
158 | *out_mac_len = mac_len; |
159 | |
160 | return 1; |
161 | } |
162 | |
163 | struct tls12_record_layer { |
164 | uint16_t version; |
165 | uint16_t initial_epoch; |
166 | int dtls; |
167 | |
168 | uint8_t alert_desc; |
169 | |
170 | const EVP_AEAD *aead; |
171 | const EVP_CIPHER *cipher; |
172 | const EVP_MD *handshake_hash; |
173 | const EVP_MD *mac_hash; |
174 | |
175 | |
176 | struct tls12_record_protection *read; |
177 | struct tls12_record_protection *write; |
178 | |
179 | struct tls12_record_protection *read_current; |
180 | struct tls12_record_protection *write_current; |
181 | struct tls12_record_protection *write_previous; |
182 | }; |
183 | |
184 | struct tls12_record_layer * |
185 | tls12_record_layer_new(void) |
186 | { |
187 | struct tls12_record_layer *rl; |
188 | |
189 | if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL) |
190 | goto err; |
191 | if ((rl->read_current = tls12_record_protection_new()) == NULL) |
192 | goto err; |
193 | if ((rl->write_current = tls12_record_protection_new()) == NULL) |
194 | goto err; |
195 | |
196 | rl->read = rl->read_current; |
197 | rl->write = rl->write_current; |
198 | |
199 | return rl; |
200 | |
201 | err: |
202 | tls12_record_layer_free(rl); |
203 | |
204 | return NULL; |
205 | } |
206 | |
207 | void |
208 | tls12_record_layer_free(struct tls12_record_layer *rl) |
209 | { |
210 | if (rl == NULL) |
211 | return; |
212 | |
213 | tls12_record_protection_free(rl->read_current); |
214 | tls12_record_protection_free(rl->write_current); |
215 | tls12_record_protection_free(rl->write_previous); |
216 | |
217 | freezero(rl, sizeof(struct tls12_record_layer)); |
218 | } |
219 | |
220 | void |
221 | tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc) |
222 | { |
223 | *alert_desc = rl->alert_desc; |
224 | } |
225 | |
226 | int |
227 | tls12_record_layer_write_overhead(struct tls12_record_layer *rl, |
228 | size_t *overhead) |
229 | { |
230 | size_t block_size, eiv_len, mac_len; |
231 | |
232 | *overhead = 0; |
233 | |
234 | if (rl->write->aead_ctx != NULL) { |
235 | *overhead = rl->write->aead_tag_len; |
236 | } else if (rl->write->cipher_ctx != NULL) { |
237 | eiv_len = 0; |
238 | if (rl->version != TLS1_VERSION) { |
239 | if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) |
240 | return 0; |
241 | } |
242 | if (!tls12_record_protection_block_size(rl->write, &block_size)) |
243 | return 0; |
244 | if (!tls12_record_protection_mac_len(rl->write, &mac_len)) |
245 | return 0; |
246 | |
247 | *overhead = eiv_len + block_size + mac_len; |
248 | } |
249 | |
250 | return 1; |
251 | } |
252 | |
253 | int |
254 | tls12_record_layer_read_protected(struct tls12_record_layer *rl) |
255 | { |
256 | return tls12_record_protection_engaged(rl->read); |
257 | } |
258 | |
259 | int |
260 | tls12_record_layer_write_protected(struct tls12_record_layer *rl) |
261 | { |
262 | return tls12_record_protection_engaged(rl->write); |
263 | } |
264 | |
265 | void |
266 | tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead) |
267 | { |
268 | rl->aead = aead; |
269 | } |
270 | |
271 | void |
272 | tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl, |
273 | const EVP_CIPHER *cipher, const EVP_MD *handshake_hash, |
274 | const EVP_MD *mac_hash) |
275 | { |
276 | rl->cipher = cipher; |
277 | rl->handshake_hash = handshake_hash; |
278 | rl->mac_hash = mac_hash; |
279 | } |
280 | |
281 | void |
282 | tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) |
283 | { |
284 | rl->version = version; |
285 | rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR); |
286 | } |
287 | |
288 | void |
289 | tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, |
290 | uint16_t epoch) |
291 | { |
292 | rl->initial_epoch = epoch; |
293 | } |
294 | |
295 | uint16_t |
296 | tls12_record_layer_read_epoch(struct tls12_record_layer *rl) |
297 | { |
298 | return rl->read->epoch; |
299 | } |
300 | |
301 | uint16_t |
302 | tls12_record_layer_write_epoch(struct tls12_record_layer *rl) |
303 | { |
304 | return rl->write->epoch; |
305 | } |
306 | |
307 | int |
308 | tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) |
309 | { |
310 | if (rl->write->epoch == epoch) |
311 | return 1; |
312 | |
313 | if (rl->write_current->epoch == epoch) { |
314 | rl->write = rl->write_current; |
315 | return 1; |
316 | } |
317 | |
318 | if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) { |
319 | rl->write = rl->write_previous; |
320 | return 1; |
321 | } |
322 | |
323 | return 0; |
324 | } |
325 | |
326 | void |
327 | tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch) |
328 | { |
329 | if (rl->write_previous == NULL || rl->write_previous->epoch != epoch) |
330 | return; |
331 | |
332 | rl->write = rl->write_current; |
333 | |
334 | tls12_record_protection_free(rl->write_previous); |
335 | rl->write_previous = NULL; |
336 | } |
337 | |
338 | void |
339 | tls12_record_layer_clear_read_state(struct tls12_record_layer *rl) |
340 | { |
341 | tls12_record_protection_clear(rl->read); |
342 | rl->read->epoch = rl->initial_epoch; |
343 | } |
344 | |
345 | void |
346 | tls12_record_layer_clear_write_state(struct tls12_record_layer *rl) |
347 | { |
348 | tls12_record_protection_clear(rl->write); |
349 | rl->write->epoch = rl->initial_epoch; |
350 | |
351 | tls12_record_protection_free(rl->write_previous); |
352 | rl->write_previous = NULL; |
353 | } |
354 | |
355 | void |
356 | tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl) |
357 | { |
358 | memcpy(rl->write->seq_num, rl->read->seq_num, |
359 | sizeof(rl->write->seq_num)); |
360 | } |
361 | |
362 | static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = { |
363 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, |
364 | }; |
365 | |
366 | int |
367 | tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num) |
368 | { |
369 | CBS max_seq_num; |
370 | int i; |
371 | |
372 | |
373 | |
374 | |
375 | |
376 | |
377 | CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN); |
378 | if (rl->dtls) { |
379 | if (!CBS_skip(&max_seq_num, 2)) |
380 | return 0; |
381 | } |
382 | if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num, |
383 | CBS_len(&max_seq_num))) |
384 | return 0; |
385 | |
386 | for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { |
387 | if (++seq_num[i] != 0) |
388 | break; |
389 | } |
390 | |
391 | return 1; |
392 | } |
393 | |
394 | static int |
395 | tls12_record_layer_set_mac_key(struct tls12_record_protection *rp, |
396 | const uint8_t *mac_key, size_t mac_key_len) |
397 | { |
398 | freezero(rp->mac_key, rp->mac_key_len); |
399 | rp->mac_key = NULL; |
400 | rp->mac_key_len = 0; |
401 | |
402 | if (mac_key == NULL || mac_key_len == 0) |
403 | return 1; |
404 | |
405 | if ((rp->mac_key = calloc(1, mac_key_len)) == NULL) |
406 | return 0; |
407 | |
408 | memcpy(rp->mac_key, mac_key, mac_key_len); |
409 | rp->mac_key_len = mac_key_len; |
410 | |
411 | return 1; |
412 | } |
413 | |
414 | static int |
415 | tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, |
416 | struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, |
417 | CBS *iv) |
418 | { |
419 | if (!tls12_record_protection_unused(rp)) |
420 | return 0; |
421 | |
422 | if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL) |
423 | return 0; |
424 | |
425 | |
426 | if (rl->aead == EVP_aead_aes_128_gcm() || |
427 | rl->aead == EVP_aead_aes_256_gcm()) |
428 | rp->aead_variable_nonce_in_record = 1; |
429 | |
430 | |
431 | if (rl->aead == EVP_aead_chacha20_poly1305()) |
432 | rp->aead_xor_nonces = 1; |
433 | |
434 | if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len)) |
435 | return 0; |
436 | |
437 | rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead)); |
438 | if (rp->aead_nonce == NULL) |
439 | return 0; |
440 | |
441 | rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); |
442 | rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead); |
443 | rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN; |
444 | |
445 | if (rp->aead_xor_nonces) { |
446 | |
447 | if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) |
448 | return 0; |
449 | if (rp->aead_variable_nonce_len > rp->aead_nonce_len) |
450 | return 0; |
451 | } else { |
452 | |
453 | if (rp->aead_fixed_nonce_len + |
454 | rp->aead_variable_nonce_len != rp->aead_nonce_len) |
455 | return 0; |
456 | } |
457 | |
458 | if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key), |
459 | CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) |
460 | return 0; |
461 | |
462 | return 1; |
463 | } |
464 | |
465 | static int |
466 | tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl, |
467 | struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, |
468 | CBS *iv) |
469 | { |
470 | EVP_PKEY *mac_pkey = NULL; |
471 | int gost_param_nid; |
472 | int mac_type; |
473 | int ret = 0; |
474 | |
475 | if (!tls12_record_protection_unused(rp)) |
476 | goto err; |
477 | |
478 | mac_type = EVP_PKEY_HMAC; |
479 | rp->stream_mac = 0; |
480 | |
481 | if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX) |
482 | goto err; |
483 | if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv)) |
484 | goto err; |
485 | if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key)) |
486 | goto err; |
487 | |
488 | #ifndef OPENSSL_NO_GOST |
489 | |
490 | |
491 | if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { |
492 | if (CBS_len(mac_key) != 32) |
493 | goto err; |
494 | mac_type = EVP_PKEY_GOSTIMIT; |
495 | rp->stream_mac = 1; |
496 | } else { |
497 | #endif |
498 | if (CBS_len(mac_key) > INT_MAX) |
499 | goto err; |
500 | if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key)) |
501 | goto err; |
502 | #ifndef OPENSSL_NO_GOST |
503 | } |
504 | #endif |
505 | |
506 | if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) |
507 | goto err; |
508 | if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL) |
509 | goto err; |
510 | |
511 | if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key), |
512 | CBS_len(mac_key))) |
513 | goto err; |
514 | |
515 | if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key), |
516 | CBS_len(mac_key))) == NULL) |
517 | goto err; |
518 | |
519 | if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key), |
520 | CBS_data(iv), is_write)) |
521 | goto err; |
522 | |
523 | if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL, |
524 | mac_pkey) <= 0) |
525 | goto err; |
526 | |
527 | |
528 | if (EVP_CIPHER_type(rl->cipher) == NID_gost89_cnt) { |
529 | gost_param_nid = NID_id_tc26_gost_28147_param_Z; |
530 | if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94) |
531 | gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet; |
532 | |
533 | if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX, |
534 | gost_param_nid, 0) <= 0) |
535 | goto err; |
536 | |
537 | if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { |
538 | if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX, |
539 | gost_param_nid, 0) <= 0) |
540 | goto err; |
541 | } |
542 | } |
543 | |
544 | ret = 1; |
545 | |
546 | err: |
547 | EVP_PKEY_free(mac_pkey); |
548 | |
549 | return ret; |
550 | } |
551 | |
552 | static int |
553 | tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl, |
554 | struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, |
555 | CBS *iv) |
556 | { |
557 | if (rl->aead != NULL) |
558 | return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key, |
559 | key, iv); |
560 | |
561 | return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key, |
562 | key, iv); |
563 | } |
564 | |
565 | int |
566 | tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, |
567 | CBS *mac_key, CBS *key, CBS *iv) |
568 | { |
569 | struct tls12_record_protection *read_new = NULL; |
570 | int ret = 0; |
571 | |
572 | if ((read_new = tls12_record_protection_new()) == NULL) |
573 | goto err; |
574 | |
575 | |
576 | |
577 | |
578 | if (rl->dtls) |
579 | read_new->epoch = rl->read_current->epoch + 1; |
580 | |
581 | if (!tls12_record_layer_change_cipher_state(rl, read_new, 0, |
582 | mac_key, key, iv)) |
583 | goto err; |
584 | |
585 | tls12_record_protection_free(rl->read_current); |
586 | rl->read = rl->read_current = read_new; |
587 | read_new = NULL; |
588 | |
589 | ret = 1; |
590 | |
591 | err: |
592 | tls12_record_protection_free(read_new); |
593 | |
594 | return ret; |
595 | } |
596 | |
597 | int |
598 | tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, |
599 | CBS *mac_key, CBS *key, CBS *iv) |
600 | { |
601 | struct tls12_record_protection *write_new; |
602 | int ret = 0; |
603 | |
604 | if ((write_new = tls12_record_protection_new()) == NULL) |
605 | goto err; |
606 | |
607 | |
608 | |
609 | |
610 | if (rl->dtls) |
611 | write_new->epoch = rl->write_current->epoch + 1; |
612 | |
613 | if (!tls12_record_layer_change_cipher_state(rl, write_new, 1, |
614 | mac_key, key, iv)) |
615 | goto err; |
616 | |
617 | if (rl->dtls) { |
618 | tls12_record_protection_free(rl->write_previous); |
619 | rl->write_previous = rl->write_current; |
620 | rl->write_current = NULL; |
621 | } |
622 | tls12_record_protection_free(rl->write_current); |
623 | rl->write = rl->write_current = write_new; |
624 | write_new = NULL; |
625 | |
626 | ret = 1; |
627 | |
628 | err: |
629 | tls12_record_protection_free(write_new); |
630 | |
631 | return ret; |
632 | } |
633 | |
634 | static int |
635 | tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, |
636 | uint16_t epoch, uint8_t *seq_num, size_t seq_num_len) |
637 | { |
638 | CBS seq; |
639 | |
640 | CBS_init(&seq, seq_num, seq_num_len); |
641 | |
642 | if (rl->dtls) { |
643 | if (!CBB_add_u16(cbb, epoch)) |
644 | return 0; |
645 | if (!CBS_skip(&seq, 2)) |
646 | return 0; |
647 | } |
648 | |
649 | return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq)); |
650 | } |
651 | |
652 | static int |
653 | tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, |
654 | uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out, |
655 | size_t *out_len) |
656 | { |
657 | CBB cbb; |
658 | |
659 | *out = NULL; |
660 | *out_len = 0; |
661 | |
662 | |
663 | if (!CBB_init(&cbb, 13)) |
664 | goto err; |
665 | |
666 | if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num))) |
667 | goto err; |
668 | if (!CBB_add_u8(&cbb, content_type)) |
669 | goto err; |
670 | if (!CBB_add_u16(&cbb, rl->version)) |
671 | goto err; |
672 | if (!CBB_add_u16(&cbb, record_len)) |
673 | goto err; |
674 | |
675 | if (!CBB_finish(&cbb, out, out_len)) |
676 | goto err; |
677 | |
678 | return 1; |
679 | |
680 | err: |
681 | CBB_cleanup(&cbb); |
682 | |
683 | return 0; |
684 | } |
685 | |
686 | static int |
687 | tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, |
688 | EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type, |
689 | const uint8_t *content, size_t content_len, size_t *out_len) |
690 | { |
691 | EVP_MD_CTX *mac_ctx = NULL; |
692 | uint8_t *header = NULL; |
693 | size_t header_len = 0; |
694 | size_t mac_len; |
695 | uint8_t *mac; |
696 | int ret = 0; |
697 | |
698 | if ((mac_ctx = EVP_MD_CTX_new()) == NULL) |
699 | goto err; |
700 | if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx)) |
701 | goto err; |
702 | |
703 | if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, |
704 | seq_num, &header, &header_len)) |
705 | goto err; |
706 | |
707 | if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0) |
708 | goto err; |
709 | if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0) |
710 | goto err; |
711 | if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0) |
712 | goto err; |
713 | if (!CBB_add_space(cbb, &mac, mac_len)) |
714 | goto err; |
715 | if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0) |
716 | goto err; |
717 | if (mac_len == 0) |
718 | goto err; |
719 | |
720 | if (stream_mac) { |
721 | if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx)) |
722 | goto err; |
723 | } |
724 | |
725 | *out_len = mac_len; |
726 | ret = 1; |
727 | |
728 | err: |
729 | EVP_MD_CTX_free(mac_ctx); |
730 | freezero(header, header_len); |
731 | |
732 | return ret; |
733 | } |
734 | |
735 | static int |
736 | tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, |
737 | uint8_t content_type, CBS *seq_num, const uint8_t *content, |
738 | size_t content_len, size_t mac_len, size_t padding_len) |
739 | { |
740 | uint8_t *header = NULL; |
741 | size_t header_len = 0; |
742 | uint8_t *mac = NULL; |
743 | size_t out_mac_len = 0; |
744 | int ret = 0; |
745 | |
746 | |
747 | |
748 | |
749 | |
750 | if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx)) |
751 | goto err; |
752 | |
753 | if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, |
754 | seq_num, &header, &header_len)) |
755 | goto err; |
756 | |
757 | if (!CBB_add_space(cbb, &mac, mac_len)) |
758 | goto err; |
759 | if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header, |
760 | content, content_len + mac_len, content_len + mac_len + padding_len, |
761 | rl->read->mac_key, rl->read->mac_key_len)) |
762 | goto err; |
763 | if (mac_len != out_mac_len) |
764 | goto err; |
765 | |
766 | ret = 1; |
767 | |
768 | err: |
769 | freezero(header, header_len); |
770 | |
771 | return ret; |
772 | } |
773 | |
774 | static int |
775 | tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb, |
776 | uint8_t content_type, CBS *seq_num, const uint8_t *content, |
777 | size_t content_len) |
778 | { |
779 | EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; |
780 | size_t out_len; |
781 | |
782 | if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) |
783 | return 0; |
784 | |
785 | return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx, |
786 | rl->read->stream_mac, seq_num, content_type, content, content_len, |
787 | &out_len); |
788 | } |
789 | |
790 | static int |
791 | tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, |
792 | uint8_t content_type, CBS *seq_num, const uint8_t *content, |
793 | size_t content_len, size_t *out_len) |
794 | { |
795 | return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx, |
796 | rl->write->stream_mac, seq_num, content_type, content, content_len, |
797 | out_len); |
798 | } |
799 | |
800 | static int |
801 | tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, |
802 | struct tls12_record_protection *rp, CBS *seq_num) |
803 | { |
804 | CBB cbb; |
805 | |
806 | if (rp->aead_variable_nonce_len > CBS_len(seq_num)) |
807 | return 0; |
808 | |
809 | |
810 | if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) |
811 | goto err; |
812 | if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce, |
813 | rp->aead_fixed_nonce_len)) |
814 | goto err; |
815 | if (!CBB_add_bytes(&cbb, CBS_data(seq_num), |
816 | rp->aead_variable_nonce_len)) |
817 | goto err; |
818 | if (!CBB_finish(&cbb, NULL, NULL)) |
819 | goto err; |
820 | |
821 | return 1; |
822 | |
823 | err: |
824 | CBB_cleanup(&cbb); |
825 | |
826 | return 0; |
827 | } |
828 | |
829 | static int |
830 | tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, |
831 | struct tls12_record_protection *rp, CBS *seq_num) |
832 | { |
833 | uint8_t *pad; |
834 | CBB cbb; |
835 | int i; |
836 | |
837 | if (rp->aead_variable_nonce_len > CBS_len(seq_num)) |
838 | return 0; |
839 | if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len) |
840 | return 0; |
841 | if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) |
842 | return 0; |
843 | |
844 | |
845 | |
846 | |
847 | |
848 | if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) |
849 | goto err; |
850 | if (!CBB_add_space(&cbb, &pad, |
851 | rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len)) |
852 | goto err; |
853 | if (!CBB_add_bytes(&cbb, CBS_data(seq_num), |
854 | rp->aead_variable_nonce_len)) |
855 | goto err; |
856 | if (!CBB_finish(&cbb, NULL, NULL)) |
857 | goto err; |
858 | |
859 | for (i = 0; i < rp->aead_fixed_nonce_len; i++) |
860 | rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i]; |
861 | |
862 | return 1; |
863 | |
864 | err: |
865 | CBB_cleanup(&cbb); |
866 | |
867 | return 0; |
868 | } |
869 | |
870 | static int |
871 | tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, |
872 | uint8_t content_type, CBS *fragment, struct tls_content *out) |
873 | { |
874 | if (tls12_record_protection_engaged(rl->read)) |
875 | return 0; |
876 | |
877 | return tls_content_dup_data(out, content_type, CBS_data(fragment), |
878 | CBS_len(fragment)); |
879 | } |
880 | |
881 | static int |
882 | tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, |
883 | uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out) |
884 | { |
885 | struct tls12_record_protection *rp = rl->read; |
886 | uint8_t *header = NULL; |
887 | size_t header_len = 0; |
888 | uint8_t *content = NULL; |
889 | size_t content_len = 0; |
890 | size_t out_len = 0; |
891 | CBS var_nonce; |
892 | int ret = 0; |
893 | |
894 | if (rp->aead_xor_nonces) { |
895 | if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) |
896 | goto err; |
897 | } else if (rp->aead_variable_nonce_in_record) { |
898 | if (!CBS_get_bytes(fragment, &var_nonce, |
899 | rp->aead_variable_nonce_len)) |
900 | goto err; |
901 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce)) |
902 | goto err; |
903 | } else { |
904 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) |
905 | goto err; |
906 | } |
907 | |
908 | |
909 | if (CBS_len(fragment) < rp->aead_tag_len) { |
910 | rl->alert_desc = SSL_AD_BAD_RECORD_MAC; |
911 | goto err; |
912 | } |
913 | if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { |
914 | rl->alert_desc = SSL_AD_RECORD_OVERFLOW; |
915 | goto err; |
916 | } |
917 | |
918 | content_len = CBS_len(fragment) - rp->aead_tag_len; |
919 | if ((content = calloc(1, CBS_len(fragment))) == NULL) { |
920 | content_len = 0; |
921 | goto err; |
922 | } |
923 | |
924 | if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, |
925 | seq_num, &header, &header_len)) |
926 | goto err; |
927 | |
928 | if (!EVP_AEAD_CTX_open(rp->aead_ctx, content, &out_len, content_len, |
929 | rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment), |
930 | CBS_len(fragment), header, header_len)) { |
931 | rl->alert_desc = SSL_AD_BAD_RECORD_MAC; |
932 | goto err; |
933 | } |
934 | |
935 | if (out_len > SSL3_RT_MAX_PLAIN_LENGTH) { |
936 | rl->alert_desc = SSL_AD_RECORD_OVERFLOW; |
937 | goto err; |
938 | } |
939 | |
940 | if (out_len != content_len) |
941 | goto err; |
942 | |
943 | tls_content_set_data(out, content_type, content, content_len); |
944 | content = NULL; |
945 | content_len = 0; |
946 | |
947 | ret = 1; |
948 | |
949 | err: |
950 | freezero(header, header_len); |
951 | freezero(content, content_len); |
952 | |
953 | return ret; |
954 | } |
955 | |
956 | static int |
957 | tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, |
958 | uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out) |
959 | { |
960 | EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; |
961 | SSL3_RECORD_INTERNAL rrec; |
962 | size_t block_size, eiv_len; |
963 | uint8_t *mac = NULL; |
964 | size_t mac_len = 0; |
965 | uint8_t *out_mac = NULL; |
966 | size_t out_mac_len = 0; |
967 | uint8_t *content = NULL; |
968 | size_t content_len = 0; |
969 | size_t min_len; |
970 | CBB cbb_mac; |
971 | int ret = 0; |
972 | |
973 | memset(&cbb_mac, 0, sizeof(cbb_mac)); |
974 | memset(&rrec, 0, sizeof(rrec)); |
975 | |
976 | if (!tls12_record_protection_block_size(rl->read, &block_size)) |
| |
977 | goto err; |
978 | |
979 | |
980 | eiv_len = 0; |
981 | if (rl->version != TLS1_VERSION) { |
| 19 | | Assuming field 'version' is equal to TLS1_VERSION | |
|
| |
982 | if (!tls12_record_protection_eiv_len(rl->read, &eiv_len)) |
983 | goto err; |
984 | } |
985 | |
986 | mac_len = 0; |
987 | if (rl->read->hash_ctx != NULL) { |
| 21 | | Assuming field 'hash_ctx' is equal to NULL | |
|
| |
988 | if (!tls12_record_protection_mac_len(rl->read, &mac_len)) |
989 | goto err; |
990 | } |
991 | |
992 | |
993 | min_len = eiv_len + mac_len; |
994 | if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) |
| 23 | | Assuming the condition is false | |
|
| |
995 | min_len += 1; |
996 | |
997 | if (CBS_len(fragment) < min_len) { |
| 25 | | Assuming the condition is false | |
|
| |
998 | rl->alert_desc = SSL_AD_BAD_RECORD_MAC; |
999 | goto err; |
1000 | } |
1001 | if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { |
| 27 | | Assuming the condition is false | |
|
| |
1002 | rl->alert_desc = SSL_AD_RECORD_OVERFLOW; |
1003 | goto err; |
1004 | } |
1005 | if (CBS_len(fragment) % block_size != 0) { |
| 29 | | Assuming the condition is false | |
|
| |
1006 | rl->alert_desc = SSL_AD_BAD_RECORD_MAC; |
1007 | goto err; |
1008 | } |
1009 | |
1010 | if ((content = calloc(1, CBS_len(fragment))) == NULL) |
| |
| 32 | | Assuming the condition is false | |
|
| |
1011 | goto err; |
1012 | content_len = CBS_len(fragment); |
1013 | |
1014 | if (!EVP_Cipher(enc, content, CBS_data(fragment), CBS_len(fragment))) |
| 34 | | Assuming the condition is false | |
|
| |
1015 | goto err; |
1016 | |
1017 | rrec.data = content; |
1018 | rrec.input = content; |
1019 | rrec.length = content_len; |
1020 | |
1021 | |
1022 | |
1023 | |
1024 | |
1025 | if (block_size > 1) |
| 36 | | Assuming 'block_size' is <= 1 | |
|
| |
1026 | ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len); |
1027 | |
1028 | if ((mac = calloc(1, mac_len)) == NULL) |
| 38 | | Assuming the condition is false | |
|
| |
1029 | goto err; |
1030 | |
1031 | if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE)) |
| 40 | | Assuming the condition is false | |
|
| |
1032 | goto err; |
1033 | if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) { |
| 42 | | Assuming the condition is false | |
|
| |
1034 | ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length + |
1035 | rrec.padding_length); |
1036 | rrec.length -= mac_len; |
1037 | if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type, |
1038 | seq_num, rrec.input, rrec.length, mac_len, |
1039 | rrec.padding_length)) |
1040 | goto err; |
1041 | } else { |
1042 | rrec.length -= mac_len; |
1043 | memcpy(mac, rrec.data + rrec.length, mac_len); |
1044 | if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type, |
| |
1045 | seq_num, rrec.input, rrec.length)) |
1046 | goto err; |
1047 | } |
1048 | if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len)) |
| 45 | | Assuming the condition is false | |
|
| |
1049 | goto err; |
1050 | if (mac_len != out_mac_len) |
| 47 | | Assuming 'mac_len' is equal to 'out_mac_len' | |
|
| |
1051 | goto err; |
1052 | |
1053 | if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) { |
| 49 | | Assuming the condition is false | |
|
| |
1054 | rl->alert_desc = SSL_AD_BAD_RECORD_MAC; |
1055 | goto err; |
1056 | } |
1057 | |
1058 | if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) { |
| 51 | | Assuming the condition is false | |
|
| |
1059 | rl->alert_desc = SSL_AD_BAD_RECORD_MAC; |
1060 | goto err; |
1061 | } |
1062 | if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) { |
| |
1063 | rl->alert_desc = SSL_AD_RECORD_OVERFLOW; |
1064 | goto err; |
1065 | } |
1066 | |
1067 | tls_content_set_data(out, content_type, content, content_len); |
1068 | content = NULL; |
1069 | content_len = 0; |
1070 | |
1071 | |
1072 | if (!tls_content_set_bounds(out, eiv_len, rrec.length)) |
| 54 | | Potential leak of memory pointed to by 'rrec.input' |
|
1073 | goto err; |
1074 | |
1075 | ret = 1; |
1076 | |
1077 | err: |
1078 | CBB_cleanup(&cbb_mac); |
1079 | freezero(mac, mac_len); |
1080 | freezero(out_mac, out_mac_len); |
1081 | freezero(content, content_len); |
1082 | |
1083 | return ret; |
1084 | } |
1085 | |
1086 | int |
1087 | tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, |
1088 | size_t buf_len, struct tls_content *out) |
1089 | { |
1090 | CBS cbs, fragment, seq_num; |
1091 | uint16_t version; |
1092 | uint8_t content_type; |
1093 | |
1094 | CBS_init(&cbs, buf, buf_len); |
1095 | CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num)); |
1096 | |
1097 | if (!CBS_get_u8(&cbs, &content_type)) |
| 1 | Assuming the condition is false | |
|
| |
1098 | return 0; |
1099 | if (!CBS_get_u16(&cbs, &version)) |
| 3 | | Assuming the condition is false | |
|
| |
1100 | return 0; |
1101 | if (rl->dtls) { |
| 5 | | Assuming field 'dtls' is not equal to 0 | |
|
| |
1102 | |
1103 | |
1104 | |
1105 | |
1106 | |
1107 | |
1108 | |
1109 | if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE)) |
| 7 | | Assuming the condition is false | |
|
| |
1110 | return 0; |
1111 | if (!CBS_write_bytes(&seq_num, rl->read->seq_num, |
| 9 | | Assuming the condition is false | |
|
| |
1112 | sizeof(rl->read->seq_num), NULL)) |
1113 | return 0; |
1114 | } |
1115 | if (!CBS_get_u16_length_prefixed(&cbs, &fragment)) |
| 11 | | Assuming the condition is false | |
|
| |
1116 | return 0; |
1117 | |
1118 | if (rl->read->aead_ctx != NULL) { |
| 13 | | Assuming field 'aead_ctx' is equal to NULL | |
|
| |
1119 | if (!tls12_record_layer_open_record_protected_aead(rl, |
1120 | content_type, &seq_num, &fragment, out)) |
1121 | return 0; |
1122 | } else if (rl->read->cipher_ctx != NULL) { |
| 15 | | Assuming field 'cipher_ctx' is not equal to NULL | |
|
| |
1123 | if (!tls12_record_layer_open_record_protected_cipher(rl, |
| 17 | | Calling 'tls12_record_layer_open_record_protected_cipher' | |
|
1124 | content_type, &seq_num, &fragment, out)) |
1125 | return 0; |
1126 | } else { |
1127 | if (!tls12_record_layer_open_record_plaintext(rl, |
1128 | content_type, &fragment, out)) |
1129 | return 0; |
1130 | } |
1131 | |
1132 | if (!rl->dtls) { |
1133 | if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num)) |
1134 | return 0; |
1135 | } |
1136 | |
1137 | return 1; |
1138 | } |
1139 | |
1140 | static int |
1141 | tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, |
1142 | uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) |
1143 | { |
1144 | if (tls12_record_protection_engaged(rl->write)) |
1145 | return 0; |
1146 | |
1147 | return CBB_add_bytes(out, content, content_len); |
1148 | } |
1149 | |
1150 | static int |
1151 | tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, |
1152 | uint8_t content_type, CBS *seq_num, const uint8_t *content, |
1153 | size_t content_len, CBB *out) |
1154 | { |
1155 | struct tls12_record_protection *rp = rl->write; |
1156 | uint8_t *header = NULL; |
1157 | size_t header_len = 0; |
1158 | size_t enc_record_len, out_len; |
1159 | uint8_t *enc_data; |
1160 | int ret = 0; |
1161 | |
1162 | if (rp->aead_xor_nonces) { |
1163 | if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) |
1164 | goto err; |
1165 | } else { |
1166 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) |
1167 | goto err; |
1168 | } |
1169 | |
1170 | if (rp->aead_variable_nonce_in_record) { |
1171 | if (rp->aead_variable_nonce_len > CBS_len(seq_num)) |
1172 | goto err; |
1173 | if (!CBB_add_bytes(out, CBS_data(seq_num), |
1174 | rp->aead_variable_nonce_len)) |
1175 | goto err; |
1176 | } |
1177 | |
1178 | if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, |
1179 | seq_num, &header, &header_len)) |
1180 | goto err; |
1181 | |
1182 | |
1183 | enc_record_len = content_len + rp->aead_tag_len; |
1184 | if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) |
1185 | goto err; |
1186 | if (!CBB_add_space(out, &enc_data, enc_record_len)) |
1187 | goto err; |
1188 | |
1189 | if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len, |
1190 | rp->aead_nonce, rp->aead_nonce_len, content, content_len, header, |
1191 | header_len)) |
1192 | goto err; |
1193 | |
1194 | if (out_len != enc_record_len) |
1195 | goto err; |
1196 | |
1197 | ret = 1; |
1198 | |
1199 | err: |
1200 | freezero(header, header_len); |
1201 | |
1202 | return ret; |
1203 | } |
1204 | |
1205 | static int |
1206 | tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, |
1207 | uint8_t content_type, CBS *seq_num, const uint8_t *content, |
1208 | size_t content_len, CBB *out) |
1209 | { |
1210 | EVP_CIPHER_CTX *enc = rl->write->cipher_ctx; |
1211 | size_t block_size, eiv_len, mac_len, pad_len; |
1212 | uint8_t *enc_data, *eiv, *pad, pad_val; |
1213 | uint8_t *plain = NULL; |
1214 | size_t plain_len = 0; |
1215 | int ret = 0; |
1216 | CBB cbb; |
1217 | |
1218 | if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH)) |
1219 | goto err; |
1220 | |
1221 | |
1222 | eiv_len = 0; |
1223 | if (rl->version != TLS1_VERSION) { |
1224 | if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) |
1225 | goto err; |
1226 | } |
1227 | if (eiv_len > 0) { |
1228 | if (!CBB_add_space(&cbb, &eiv, eiv_len)) |
1229 | goto err; |
1230 | arc4random_buf(eiv, eiv_len); |
1231 | } |
1232 | |
1233 | if (!CBB_add_bytes(&cbb, content, content_len)) |
1234 | goto err; |
1235 | |
1236 | mac_len = 0; |
1237 | if (rl->write->hash_ctx != NULL) { |
1238 | if (!tls12_record_layer_write_mac(rl, &cbb, content_type, |
1239 | seq_num, content, content_len, &mac_len)) |
1240 | goto err; |
1241 | } |
1242 | |
1243 | plain_len = eiv_len + content_len + mac_len; |
1244 | |
1245 | |
1246 | if (!tls12_record_protection_block_size(rl->write, &block_size)) |
1247 | goto err; |
1248 | if (block_size > 1) { |
1249 | pad_len = block_size - (plain_len % block_size); |
1250 | pad_val = pad_len - 1; |
1251 | |
1252 | if (pad_len > 255) |
1253 | goto err; |
1254 | if (!CBB_add_space(&cbb, &pad, pad_len)) |
1255 | goto err; |
1256 | memset(pad, pad_val, pad_len); |
1257 | } |
1258 | |
1259 | if (!CBB_finish(&cbb, &plain, &plain_len)) |
1260 | goto err; |
1261 | |
1262 | if (plain_len % block_size != 0) |
1263 | goto err; |
1264 | if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) |
1265 | goto err; |
1266 | |
1267 | if (!CBB_add_space(out, &enc_data, plain_len)) |
1268 | goto err; |
1269 | if (!EVP_Cipher(enc, enc_data, plain, plain_len)) |
1270 | goto err; |
1271 | |
1272 | ret = 1; |
1273 | |
1274 | err: |
1275 | CBB_cleanup(&cbb); |
1276 | freezero(plain, plain_len); |
1277 | |
1278 | return ret; |
1279 | } |
1280 | |
1281 | int |
1282 | tls12_record_layer_seal_record(struct tls12_record_layer *rl, |
1283 | uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb) |
1284 | { |
1285 | uint8_t *seq_num_data = NULL; |
1286 | size_t seq_num_len = 0; |
1287 | CBB fragment, seq_num_cbb; |
1288 | CBS seq_num; |
1289 | int ret = 0; |
1290 | |
1291 | |
1292 | |
1293 | |
1294 | |
1295 | if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE)) |
1296 | goto err; |
1297 | if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch, |
1298 | rl->write->seq_num, sizeof(rl->write->seq_num))) |
1299 | goto err; |
1300 | if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len)) |
1301 | goto err; |
1302 | CBS_init(&seq_num, seq_num_data, seq_num_len); |
1303 | |
1304 | if (!CBB_add_u8(cbb, content_type)) |
1305 | goto err; |
1306 | if (!CBB_add_u16(cbb, rl->version)) |
1307 | goto err; |
1308 | if (rl->dtls) { |
1309 | if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num))) |
1310 | goto err; |
1311 | } |
1312 | if (!CBB_add_u16_length_prefixed(cbb, &fragment)) |
1313 | goto err; |
1314 | |
1315 | if (rl->write->aead_ctx != NULL) { |
1316 | if (!tls12_record_layer_seal_record_protected_aead(rl, |
1317 | content_type, &seq_num, content, content_len, &fragment)) |
1318 | goto err; |
1319 | } else if (rl->write->cipher_ctx != NULL) { |
1320 | if (!tls12_record_layer_seal_record_protected_cipher(rl, |
1321 | content_type, &seq_num, content, content_len, &fragment)) |
1322 | goto err; |
1323 | } else { |
1324 | if (!tls12_record_layer_seal_record_plaintext(rl, |
1325 | content_type, content, content_len, &fragment)) |
1326 | goto err; |
1327 | } |
1328 | |
1329 | if (!CBB_flush(cbb)) |
1330 | goto err; |
1331 | |
1332 | if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num)) |
1333 | goto err; |
1334 | |
1335 | ret = 1; |
1336 | |
1337 | err: |
1338 | CBB_cleanup(&seq_num_cbb); |
1339 | free(seq_num_data); |
1340 | |
1341 | return ret; |
1342 | } |