Bug Summary

File:src/lib/libssl/tls12_record_layer.c
Warning:line 1072, column 7
Potential leak of memory pointed to by 'rrec.input'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name tls12_record_layer.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libssl/obj -resource-dir /usr/local/llvm16/lib/clang/16 -D LIBRESSL_INTERNAL -I /usr/src/lib/libssl -I /usr/src/lib/libssl/../libcrypto/hidden -I /usr/src/lib/libssl/../libcrypto/bio -I /usr/src/lib/libssl/hidden -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libssl/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/lib/libssl/tls12_record_layer.c
1/* $OpenBSD: tls12_record_layer.c,v 1.40 2023/07/08 20:38:23 beck Exp $ */
2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <limits.h>
19#include <stdlib.h>
20
21#include <openssl/evp.h>
22
23#include "ssl_local.h"
24
25#define TLS12_RECORD_SEQ_NUM_LEN8 8
26#define TLS12_AEAD_FIXED_NONCE_MAX_LEN12 12
27
28struct tls12_record_protection {
29 uint16_t epoch;
30 uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN8];
31
32 EVP_AEAD_CTX *aead_ctx;
33
34 uint8_t *aead_nonce;
35 size_t aead_nonce_len;
36
37 uint8_t *aead_fixed_nonce;
38 size_t aead_fixed_nonce_len;
39
40 size_t aead_variable_nonce_len;
41 size_t aead_tag_len;
42
43 int aead_xor_nonces;
44 int aead_variable_nonce_in_record;
45
46 EVP_CIPHER_CTX *cipher_ctx;
47 EVP_MD_CTX *hash_ctx;
48
49 int stream_mac;
50
51 uint8_t *mac_key;
52 size_t mac_key_len;
53};
54
55static struct tls12_record_protection *
56tls12_record_protection_new(void)
57{
58 return calloc(1, sizeof(struct tls12_record_protection));
59}
60
61static void
62tls12_record_protection_clear(struct tls12_record_protection *rp)
63{
64 EVP_AEAD_CTX_free(rp->aead_ctx);
65
66 freezero(rp->aead_nonce, rp->aead_nonce_len);
67 freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len);
68
69 EVP_CIPHER_CTX_free(rp->cipher_ctx);
70 EVP_MD_CTX_free(rp->hash_ctx);
71
72 freezero(rp->mac_key, rp->mac_key_len);
73
74 memset(rp, 0, sizeof(*rp));
75}
76
77static void
78tls12_record_protection_free(struct tls12_record_protection *rp)
79{
80 if (rp == NULL((void *)0))
81 return;
82
83 tls12_record_protection_clear(rp);
84
85 freezero(rp, sizeof(struct tls12_record_protection));
86}
87
88static int
89tls12_record_protection_engaged(struct tls12_record_protection *rp)
90{
91 return rp->aead_ctx != NULL((void *)0) || rp->cipher_ctx != NULL((void *)0);
92}
93
94static int
95tls12_record_protection_unused(struct tls12_record_protection *rp)
96{
97 return rp->aead_ctx == NULL((void *)0) && rp->cipher_ctx == NULL((void *)0) &&
98 rp->hash_ctx == NULL((void *)0) && rp->mac_key == NULL((void *)0);
99}
100
101static int
102tls12_record_protection_eiv_len(struct tls12_record_protection *rp,
103 size_t *out_eiv_len)
104{
105 int eiv_len;
106
107 *out_eiv_len = 0;
108
109 if (rp->cipher_ctx == NULL((void *)0))
110 return 0;
111
112 eiv_len = 0;
113 if (EVP_CIPHER_CTX_mode(rp->cipher_ctx)(EVP_CIPHER_CTX_flags(rp->cipher_ctx) & 0xF0007) == EVP_CIPH_CBC_MODE0x2)
114 eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx);
115 if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH16)
116 return 0;
117
118 *out_eiv_len = eiv_len;
119
120 return 1;
121}
122
123static int
124tls12_record_protection_block_size(struct tls12_record_protection *rp,
125 size_t *out_block_size)
126{
127 int block_size;
128
129 *out_block_size = 0;
130
131 if (rp->cipher_ctx == NULL((void *)0))
132 return 0;
133
134 block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx);
135 if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH32)
136 return 0;
137
138 *out_block_size = block_size;
139
140 return 1;
141}
142
143static int
144tls12_record_protection_mac_len(struct tls12_record_protection *rp,
145 size_t *out_mac_len)
146{
147 int mac_len;
148
149 *out_mac_len = 0;
150
151 if (rp->hash_ctx == NULL((void *)0))
152 return 0;
153
154 mac_len = EVP_MD_CTX_size(rp->hash_ctx)EVP_MD_size(EVP_MD_CTX_md(rp->hash_ctx));
155 if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE64)
156 return 0;
157
158 *out_mac_len = mac_len;
159
160 return 1;
161}
162
163struct tls12_record_layer {
164 uint16_t version;
165 uint16_t initial_epoch;
166 int dtls;
167
168 uint8_t alert_desc;
169
170 const EVP_AEAD *aead;
171 const EVP_CIPHER *cipher;
172 const EVP_MD *handshake_hash;
173 const EVP_MD *mac_hash;
174
175 /* Pointers to active record protection (memory is not owned). */
176 struct tls12_record_protection *read;
177 struct tls12_record_protection *write;
178
179 struct tls12_record_protection *read_current;
180 struct tls12_record_protection *write_current;
181 struct tls12_record_protection *write_previous;
182};
183
184struct tls12_record_layer *
185tls12_record_layer_new(void)
186{
187 struct tls12_record_layer *rl;
188
189 if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL((void *)0))
190 goto err;
191 if ((rl->read_current = tls12_record_protection_new()) == NULL((void *)0))
192 goto err;
193 if ((rl->write_current = tls12_record_protection_new()) == NULL((void *)0))
194 goto err;
195
196 rl->read = rl->read_current;
197 rl->write = rl->write_current;
198
199 return rl;
200
201 err:
202 tls12_record_layer_free(rl);
203
204 return NULL((void *)0);
205}
206
207void
208tls12_record_layer_free(struct tls12_record_layer *rl)
209{
210 if (rl == NULL((void *)0))
211 return;
212
213 tls12_record_protection_free(rl->read_current);
214 tls12_record_protection_free(rl->write_current);
215 tls12_record_protection_free(rl->write_previous);
216
217 freezero(rl, sizeof(struct tls12_record_layer));
218}
219
220void
221tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc)
222{
223 *alert_desc = rl->alert_desc;
224}
225
226int
227tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
228 size_t *overhead)
229{
230 size_t block_size, eiv_len, mac_len;
231
232 *overhead = 0;
233
234 if (rl->write->aead_ctx != NULL((void *)0)) {
235 *overhead = rl->write->aead_tag_len;
236 } else if (rl->write->cipher_ctx != NULL((void *)0)) {
237 eiv_len = 0;
238 if (rl->version != TLS1_VERSION0x0301) {
239 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
240 return 0;
241 }
242 if (!tls12_record_protection_block_size(rl->write, &block_size))
243 return 0;
244 if (!tls12_record_protection_mac_len(rl->write, &mac_len))
245 return 0;
246
247 *overhead = eiv_len + block_size + mac_len;
248 }
249
250 return 1;
251}
252
253int
254tls12_record_layer_read_protected(struct tls12_record_layer *rl)
255{
256 return tls12_record_protection_engaged(rl->read);
257}
258
259int
260tls12_record_layer_write_protected(struct tls12_record_layer *rl)
261{
262 return tls12_record_protection_engaged(rl->write);
263}
264
265void
266tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead)
267{
268 rl->aead = aead;
269}
270
271void
272tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl,
273 const EVP_CIPHER *cipher, const EVP_MD *handshake_hash,
274 const EVP_MD *mac_hash)
275{
276 rl->cipher = cipher;
277 rl->handshake_hash = handshake_hash;
278 rl->mac_hash = mac_hash;
279}
280
281void
282tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
283{
284 rl->version = version;
285 rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR0xFE);
286}
287
288void
289tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl,
290 uint16_t epoch)
291{
292 rl->initial_epoch = epoch;
293}
294
295uint16_t
296tls12_record_layer_read_epoch(struct tls12_record_layer *rl)
297{
298 return rl->read->epoch;
299}
300
301uint16_t
302tls12_record_layer_write_epoch(struct tls12_record_layer *rl)
303{
304 return rl->write->epoch;
305}
306
307int
308tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch)
309{
310 if (rl->write->epoch == epoch)
311 return 1;
312
313 if (rl->write_current->epoch == epoch) {
314 rl->write = rl->write_current;
315 return 1;
316 }
317
318 if (rl->write_previous != NULL((void *)0) && rl->write_previous->epoch == epoch) {
319 rl->write = rl->write_previous;
320 return 1;
321 }
322
323 return 0;
324}
325
326void
327tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch)
328{
329 if (rl->write_previous == NULL((void *)0) || rl->write_previous->epoch != epoch)
330 return;
331
332 rl->write = rl->write_current;
333
334 tls12_record_protection_free(rl->write_previous);
335 rl->write_previous = NULL((void *)0);
336}
337
338void
339tls12_record_layer_clear_read_state(struct tls12_record_layer *rl)
340{
341 tls12_record_protection_clear(rl->read);
342 rl->read->epoch = rl->initial_epoch;
343}
344
345void
346tls12_record_layer_clear_write_state(struct tls12_record_layer *rl)
347{
348 tls12_record_protection_clear(rl->write);
349 rl->write->epoch = rl->initial_epoch;
350
351 tls12_record_protection_free(rl->write_previous);
352 rl->write_previous = NULL((void *)0);
353}
354
355void
356tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl)
357{
358 memcpy(rl->write->seq_num, rl->read->seq_num,
359 sizeof(rl->write->seq_num));
360}
361
362static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN8] = {
363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
364};
365
366int
367tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num)
368{
369 CBS max_seq_num;
370 int i;
371
372 /*
373 * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS
374 * sequence numbers must not wrap. Note that for DTLS the first two
375 * bytes are used as an "epoch" and not part of the sequence number.
376 */
377 CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN8);
378 if (rl->dtls) {
379 if (!CBS_skip(&max_seq_num, 2))
380 return 0;
381 }
382 if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num,
383 CBS_len(&max_seq_num)))
384 return 0;
385
386 for (i = TLS12_RECORD_SEQ_NUM_LEN8 - 1; i >= 0; i--) {
387 if (++seq_num[i] != 0)
388 break;
389 }
390
391 return 1;
392}
393
394static int
395tls12_record_layer_set_mac_key(struct tls12_record_protection *rp,
396 const uint8_t *mac_key, size_t mac_key_len)
397{
398 freezero(rp->mac_key, rp->mac_key_len);
399 rp->mac_key = NULL((void *)0);
400 rp->mac_key_len = 0;
401
402 if (mac_key == NULL((void *)0) || mac_key_len == 0)
403 return 1;
404
405 if ((rp->mac_key = calloc(1, mac_key_len)) == NULL((void *)0))
406 return 0;
407
408 memcpy(rp->mac_key, mac_key, mac_key_len);
409 rp->mac_key_len = mac_key_len;
410
411 return 1;
412}
413
414static int
415tls12_record_layer_ccs_aead(struct tls12_record_layer *rl,
416 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
417 CBS *iv)
418{
419 if (!tls12_record_protection_unused(rp))
420 return 0;
421
422 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL((void *)0))
423 return 0;
424
425 /* AES GCM cipher suites use variable nonce in record. */
426 if (rl->aead == EVP_aead_aes_128_gcm() ||
427 rl->aead == EVP_aead_aes_256_gcm())
428 rp->aead_variable_nonce_in_record = 1;
429
430 /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */
431 if (rl->aead == EVP_aead_chacha20_poly1305())
432 rp->aead_xor_nonces = 1;
433
434 if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len))
435 return 0;
436
437 rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead));
438 if (rp->aead_nonce == NULL((void *)0))
439 return 0;
440
441 rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead);
442 rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead);
443 rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN8;
444
445 if (rp->aead_xor_nonces) {
446 /* Fixed nonce length must match, variable must not exceed. */
447 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
448 return 0;
449 if (rp->aead_variable_nonce_len > rp->aead_nonce_len)
450 return 0;
451 } else {
452 /* Concatenated nonce length must equal AEAD nonce length. */
453 if (rp->aead_fixed_nonce_len +
454 rp->aead_variable_nonce_len != rp->aead_nonce_len)
455 return 0;
456 }
457
458 if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key),
459 CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH0, NULL((void *)0)))
460 return 0;
461
462 return 1;
463}
464
465static int
466tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
467 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
468 CBS *iv)
469{
470 EVP_PKEY *mac_pkey = NULL((void *)0);
471 int gost_param_nid;
472 int mac_type;
473 int ret = 0;
474
475 if (!tls12_record_protection_unused(rp))
476 goto err;
477
478 mac_type = EVP_PKEY_HMAC855;
479 rp->stream_mac = 0;
480
481 if (CBS_len(iv) > INT_MAX0x7fffffff || CBS_len(key) > INT_MAX0x7fffffff)
482 goto err;
483 if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv))
484 goto err;
485 if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key))
486 goto err;
487
488#ifndef OPENSSL_NO_GOST
489 /* XXX die die die */
490 /* Special handling for GOST... */
491 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC815) {
492 if (CBS_len(mac_key) != 32)
493 goto err;
494 mac_type = EVP_PKEY_GOSTIMIT815;
495 rp->stream_mac = 1;
496 } else {
497#endif
498 if (CBS_len(mac_key) > INT_MAX0x7fffffff)
499 goto err;
500 if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key))
501 goto err;
502#ifndef OPENSSL_NO_GOST
503 }
504#endif
505
506 if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL((void *)0))
507 goto err;
508 if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL((void *)0))
509 goto err;
510
511 if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key),
512 CBS_len(mac_key)))
513 goto err;
514
515 if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL((void *)0), CBS_data(mac_key),
516 CBS_len(mac_key))) == NULL((void *)0))
517 goto err;
518
519 if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL((void *)0), CBS_data(key),
520 CBS_data(iv), is_write))
521 goto err;
522
523 if (EVP_DigestSignInit(rp->hash_ctx, NULL((void *)0), rl->mac_hash, NULL((void *)0),
524 mac_pkey) <= 0)
525 goto err;
526
527 /* More special handling for GOST... */
528 if (EVP_CIPHER_type(rl->cipher) == NID_gost89_cnt814) {
529 gost_param_nid = NID_id_tc26_gost_28147_param_Z945;
530 if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94809)
531 gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet824;
532
533 if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX0x19,
534 gost_param_nid, 0) <= 0)
535 goto err;
536
537 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC815) {
538 if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX0x4,
539 gost_param_nid, 0) <= 0)
540 goto err;
541 }
542 }
543
544 ret = 1;
545
546 err:
547 EVP_PKEY_free(mac_pkey);
548
549 return ret;
550}
551
552static int
553tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl,
554 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
555 CBS *iv)
556{
557 if (rl->aead != NULL((void *)0))
558 return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key,
559 key, iv);
560
561 return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key,
562 key, iv);
563}
564
565int
566tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
567 CBS *mac_key, CBS *key, CBS *iv)
568{
569 struct tls12_record_protection *read_new = NULL((void *)0);
570 int ret = 0;
571
572 if ((read_new = tls12_record_protection_new()) == NULL((void *)0))
573 goto err;
574
575 /* Read sequence number gets reset to zero. */
576
577 /* DTLS epoch is incremented and is permitted to wrap. */
578 if (rl->dtls)
579 read_new->epoch = rl->read_current->epoch + 1;
580
581 if (!tls12_record_layer_change_cipher_state(rl, read_new, 0,
582 mac_key, key, iv))
583 goto err;
584
585 tls12_record_protection_free(rl->read_current);
586 rl->read = rl->read_current = read_new;
587 read_new = NULL((void *)0);
588
589 ret = 1;
590
591 err:
592 tls12_record_protection_free(read_new);
593
594 return ret;
595}
596
597int
598tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
599 CBS *mac_key, CBS *key, CBS *iv)
600{
601 struct tls12_record_protection *write_new;
602 int ret = 0;
603
604 if ((write_new = tls12_record_protection_new()) == NULL((void *)0))
605 goto err;
606
607 /* Write sequence number gets reset to zero. */
608
609 /* DTLS epoch is incremented and is permitted to wrap. */
610 if (rl->dtls)
611 write_new->epoch = rl->write_current->epoch + 1;
612
613 if (!tls12_record_layer_change_cipher_state(rl, write_new, 1,
614 mac_key, key, iv))
615 goto err;
616
617 if (rl->dtls) {
618 tls12_record_protection_free(rl->write_previous);
619 rl->write_previous = rl->write_current;
620 rl->write_current = NULL((void *)0);
621 }
622 tls12_record_protection_free(rl->write_current);
623 rl->write = rl->write_current = write_new;
624 write_new = NULL((void *)0);
625
626 ret = 1;
627
628 err:
629 tls12_record_protection_free(write_new);
630
631 return ret;
632}
633
634static int
635tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb,
636 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)
637{
638 CBS seq;
639
640 CBS_init(&seq, seq_num, seq_num_len);
641
642 if (rl->dtls) {
643 if (!CBB_add_u16(cbb, epoch))
644 return 0;
645 if (!CBS_skip(&seq, 2))
646 return 0;
647 }
648
649 return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq));
650}
651
652static int
653tls12_record_layer_pseudo_header(struct tls12_record_layer *rl,
654 uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out,
655 size_t *out_len)
656{
657 CBB cbb;
658
659 *out = NULL((void *)0);
660 *out_len = 0;
661
662 /* Build the pseudo-header used for MAC/AEAD. */
663 if (!CBB_init(&cbb, 13))
664 goto err;
665
666 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num)))
667 goto err;
668 if (!CBB_add_u8(&cbb, content_type))
669 goto err;
670 if (!CBB_add_u16(&cbb, rl->version))
671 goto err;
672 if (!CBB_add_u16(&cbb, record_len))
673 goto err;
674
675 if (!CBB_finish(&cbb, out, out_len))
676 goto err;
677
678 return 1;
679
680 err:
681 CBB_cleanup(&cbb);
682
683 return 0;
684}
685
686static int
687tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb,
688 EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type,
689 const uint8_t *content, size_t content_len, size_t *out_len)
690{
691 EVP_MD_CTX *mac_ctx = NULL((void *)0);
692 uint8_t *header = NULL((void *)0);
693 size_t header_len = 0;
694 size_t mac_len;
695 uint8_t *mac;
696 int ret = 0;
697
698 if ((mac_ctx = EVP_MD_CTX_new()) == NULL((void *)0))
699 goto err;
700 if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx))
701 goto err;
702
703 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
704 seq_num, &header, &header_len))
705 goto err;
706
707 if (EVP_DigestSignUpdate(mac_ctx, header, header_len)EVP_DigestUpdate(mac_ctx,header,header_len) <= 0)
708 goto err;
709 if (EVP_DigestSignUpdate(mac_ctx, content, content_len)EVP_DigestUpdate(mac_ctx,content,content_len) <= 0)
710 goto err;
711 if (EVP_DigestSignFinal(mac_ctx, NULL((void *)0), &mac_len) <= 0)
712 goto err;
713 if (!CBB_add_space(cbb, &mac, mac_len))
714 goto err;
715 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0)
716 goto err;
717 if (mac_len == 0)
718 goto err;
719
720 if (stream_mac) {
721 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx))
722 goto err;
723 }
724
725 *out_len = mac_len;
726 ret = 1;
727
728 err:
729 EVP_MD_CTX_free(mac_ctx);
730 freezero(header, header_len);
731
732 return ret;
733}
734
735static int
736tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb,
737 uint8_t content_type, CBS *seq_num, const uint8_t *content,
738 size_t content_len, size_t mac_len, size_t padding_len)
739{
740 uint8_t *header = NULL((void *)0);
741 size_t header_len = 0;
742 uint8_t *mac = NULL((void *)0);
743 size_t out_mac_len = 0;
744 int ret = 0;
745
746 /*
747 * Must be constant time to avoid leaking details about CBC padding.
748 */
749
750 if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx))
751 goto err;
752
753 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
754 seq_num, &header, &header_len))
755 goto err;
756
757 if (!CBB_add_space(cbb, &mac, mac_len))
758 goto err;
759 if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header,
760 content, content_len + mac_len, content_len + mac_len + padding_len,
761 rl->read->mac_key, rl->read->mac_key_len))
762 goto err;
763 if (mac_len != out_mac_len)
764 goto err;
765
766 ret = 1;
767
768 err:
769 freezero(header, header_len);
770
771 return ret;
772}
773
774static int
775tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb,
776 uint8_t content_type, CBS *seq_num, const uint8_t *content,
777 size_t content_len)
778{
779 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
780 size_t out_len;
781
782 if (EVP_CIPHER_CTX_mode(enc)(EVP_CIPHER_CTX_flags(enc) & 0xF0007) == EVP_CIPH_CBC_MODE0x2)
783 return 0;
784
785 return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx,
786 rl->read->stream_mac, seq_num, content_type, content, content_len,
787 &out_len);
788}
789
790static int
791tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
792 uint8_t content_type, CBS *seq_num, const uint8_t *content,
793 size_t content_len, size_t *out_len)
794{
795 return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx,
796 rl->write->stream_mac, seq_num, content_type, content, content_len,
797 out_len);
798}
799
800static int
801tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
802 struct tls12_record_protection *rp, CBS *seq_num)
803{
804 CBB cbb;
805
806 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
807 return 0;
808
809 /* Fixed nonce and variable nonce (sequence number) are concatenated. */
810 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
811 goto err;
812 if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce,
813 rp->aead_fixed_nonce_len))
814 goto err;
815 if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
816 rp->aead_variable_nonce_len))
817 goto err;
818 if (!CBB_finish(&cbb, NULL((void *)0), NULL((void *)0)))
819 goto err;
820
821 return 1;
822
823 err:
824 CBB_cleanup(&cbb);
825
826 return 0;
827}
828
829static int
830tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
831 struct tls12_record_protection *rp, CBS *seq_num)
832{
833 uint8_t *pad;
834 CBB cbb;
835 int i;
836
837 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
838 return 0;
839 if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len)
840 return 0;
841 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len)
842 return 0;
843
844 /*
845 * Variable nonce (sequence number) is right padded, before the fixed
846 * nonce is XOR'd in.
847 */
848 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len))
849 goto err;
850 if (!CBB_add_space(&cbb, &pad,
851 rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len))
852 goto err;
853 if (!CBB_add_bytes(&cbb, CBS_data(seq_num),
854 rp->aead_variable_nonce_len))
855 goto err;
856 if (!CBB_finish(&cbb, NULL((void *)0), NULL((void *)0)))
857 goto err;
858
859 for (i = 0; i < rp->aead_fixed_nonce_len; i++)
860 rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i];
861
862 return 1;
863
864 err:
865 CBB_cleanup(&cbb);
866
867 return 0;
868}
869
870static int
871tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl,
872 uint8_t content_type, CBS *fragment, struct tls_content *out)
873{
874 if (tls12_record_protection_engaged(rl->read))
875 return 0;
876
877 return tls_content_dup_data(out, content_type, CBS_data(fragment),
878 CBS_len(fragment));
879}
880
881static int
882tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
883 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
884{
885 struct tls12_record_protection *rp = rl->read;
886 uint8_t *header = NULL((void *)0);
887 size_t header_len = 0;
888 uint8_t *content = NULL((void *)0);
889 size_t content_len = 0;
890 size_t out_len = 0;
891 CBS var_nonce;
892 int ret = 0;
893
894 if (rp->aead_xor_nonces) {
895 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
896 goto err;
897 } else if (rp->aead_variable_nonce_in_record) {
898 if (!CBS_get_bytes(fragment, &var_nonce,
899 rp->aead_variable_nonce_len))
900 goto err;
901 if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce))
902 goto err;
903 } else {
904 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
905 goto err;
906 }
907
908 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
909 if (CBS_len(fragment) < rp->aead_tag_len) {
910 rl->alert_desc = SSL_AD_BAD_RECORD_MAC20;
911 goto err;
912 }
913 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH((256 + 64)+16384)) {
914 rl->alert_desc = SSL_AD_RECORD_OVERFLOW22;
915 goto err;
916 }
917
918 content_len = CBS_len(fragment) - rp->aead_tag_len;
919 if ((content = calloc(1, CBS_len(fragment))) == NULL((void *)0)) {
920 content_len = 0;
921 goto err;
922 }
923
924 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
925 seq_num, &header, &header_len))
926 goto err;
927
928 if (!EVP_AEAD_CTX_open(rp->aead_ctx, content, &out_len, content_len,
929 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment),
930 CBS_len(fragment), header, header_len)) {
931 rl->alert_desc = SSL_AD_BAD_RECORD_MAC20;
932 goto err;
933 }
934
935 if (out_len > SSL3_RT_MAX_PLAIN_LENGTH16384) {
936 rl->alert_desc = SSL_AD_RECORD_OVERFLOW22;
937 goto err;
938 }
939
940 if (out_len != content_len)
941 goto err;
942
943 tls_content_set_data(out, content_type, content, content_len);
944 content = NULL((void *)0);
945 content_len = 0;
946
947 ret = 1;
948
949 err:
950 freezero(header, header_len);
951 freezero(content, content_len);
952
953 return ret;
954}
955
956static int
957tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
958 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
959{
960 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
961 SSL3_RECORD_INTERNAL rrec;
962 size_t block_size, eiv_len;
963 uint8_t *mac = NULL((void *)0);
964 size_t mac_len = 0;
965 uint8_t *out_mac = NULL((void *)0);
966 size_t out_mac_len = 0;
967 uint8_t *content = NULL((void *)0);
968 size_t content_len = 0;
969 size_t min_len;
970 CBB cbb_mac;
971 int ret = 0;
972
973 memset(&cbb_mac, 0, sizeof(cbb_mac));
974 memset(&rrec, 0, sizeof(rrec));
975
976 if (!tls12_record_protection_block_size(rl->read, &block_size))
18
Taking false branch
977 goto err;
978
979 /* Determine explicit IV length. */
980 eiv_len = 0;
981 if (rl->version != TLS1_VERSION0x0301) {
19
Assuming field 'version' is equal to TLS1_VERSION
20
Taking false branch
982 if (!tls12_record_protection_eiv_len(rl->read, &eiv_len))
983 goto err;
984 }
985
986 mac_len = 0;
987 if (rl->read->hash_ctx != NULL((void *)0)) {
21
Assuming field 'hash_ctx' is equal to NULL
22
Taking false branch
988 if (!tls12_record_protection_mac_len(rl->read, &mac_len))
989 goto err;
990 }
991
992 /* CBC has at least one padding byte. */
993 min_len = eiv_len + mac_len;
994 if (EVP_CIPHER_CTX_mode(enc)(EVP_CIPHER_CTX_flags(enc) & 0xF0007) == EVP_CIPH_CBC_MODE0x2)
23
Assuming the condition is false
24
Taking false branch
995 min_len += 1;
996
997 if (CBS_len(fragment) < min_len) {
25
Assuming the condition is false
26
Taking false branch
998 rl->alert_desc = SSL_AD_BAD_RECORD_MAC20;
999 goto err;
1000 }
1001 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH((256 + 64)+16384)) {
27
Assuming the condition is false
28
Taking false branch
1002 rl->alert_desc = SSL_AD_RECORD_OVERFLOW22;
1003 goto err;
1004 }
1005 if (CBS_len(fragment) % block_size != 0) {
29
Assuming the condition is false
30
Taking false branch
1006 rl->alert_desc = SSL_AD_BAD_RECORD_MAC20;
1007 goto err;
1008 }
1009
1010 if ((content = calloc(1, CBS_len(fragment))) == NULL((void *)0))
31
Memory is allocated
32
Assuming the condition is false
33
Taking false branch
1011 goto err;
1012 content_len = CBS_len(fragment);
1013
1014 if (!EVP_Cipher(enc, content, CBS_data(fragment), CBS_len(fragment)))
34
Assuming the condition is false
35
Taking false branch
1015 goto err;
1016
1017 rrec.data = content;
1018 rrec.input = content;
1019 rrec.length = content_len;
1020
1021 /*
1022 * We now have to remove padding, extract MAC, calculate MAC
1023 * and compare MAC in constant time.
1024 */
1025 if (block_size > 1)
36
Assuming 'block_size' is <= 1
37
Taking false branch
1026 ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len);
1027
1028 if ((mac = calloc(1, mac_len)) == NULL((void *)0))
38
Assuming the condition is false
39
Taking false branch
1029 goto err;
1030
1031 if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE64))
40
Assuming the condition is false
41
Taking false branch
1032 goto err;
1033 if (EVP_CIPHER_CTX_mode(enc)(EVP_CIPHER_CTX_flags(enc) & 0xF0007) == EVP_CIPH_CBC_MODE0x2) {
42
Assuming the condition is false
43
Taking false branch
1034 ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length +
1035 rrec.padding_length);
1036 rrec.length -= mac_len;
1037 if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type,
1038 seq_num, rrec.input, rrec.length, mac_len,
1039 rrec.padding_length))
1040 goto err;
1041 } else {
1042 rrec.length -= mac_len;
1043 memcpy(mac, rrec.data + rrec.length, mac_len);
1044 if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type,
44
Taking false branch
1045 seq_num, rrec.input, rrec.length))
1046 goto err;
1047 }
1048 if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len))
45
Assuming the condition is false
46
Taking false branch
1049 goto err;
1050 if (mac_len != out_mac_len)
47
Assuming 'mac_len' is equal to 'out_mac_len'
48
Taking false branch
1051 goto err;
1052
1053 if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) {
49
Assuming the condition is false
50
Taking false branch
1054 rl->alert_desc = SSL_AD_BAD_RECORD_MAC20;
1055 goto err;
1056 }
1057
1058 if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH16384 + mac_len) {
51
Assuming the condition is false
52
Taking false branch
1059 rl->alert_desc = SSL_AD_BAD_RECORD_MAC20;
1060 goto err;
1061 }
1062 if (rrec.length
52.1
Field 'length' is <= SSL3_RT_MAX_PLAIN_LENGTH
 > SSL3_RT_MAX_PLAIN_LENGTH16384) {
53
Taking false branch
1063 rl->alert_desc = SSL_AD_RECORD_OVERFLOW22;
1064 goto err;
1065 }
1066
1067 tls_content_set_data(out, content_type, content, content_len);
1068 content = NULL((void *)0);
1069 content_len = 0;
1070
1071 /* Actual content is after EIV, minus padding and MAC. */
1072 if (!tls_content_set_bounds(out, eiv_len, rrec.length))
54
Potential leak of memory pointed to by 'rrec.input'
1073 goto err;
1074
1075 ret = 1;
1076
1077 err:
1078 CBB_cleanup(&cbb_mac);
1079 freezero(mac, mac_len);
1080 freezero(out_mac, out_mac_len);
1081 freezero(content, content_len);
1082
1083 return ret;
1084}
1085
1086int
1087tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
1088 size_t buf_len, struct tls_content *out)
1089{
1090 CBS cbs, fragment, seq_num;
1091 uint16_t version;
1092 uint8_t content_type;
1093
1094 CBS_init(&cbs, buf, buf_len);
1095 CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num));
1096
1097 if (!CBS_get_u8(&cbs, &content_type))
1
Assuming the condition is false
2
Taking false branch
1098 return 0;
1099 if (!CBS_get_u16(&cbs, &version))
3
Assuming the condition is false
4
Taking false branch
1100 return 0;
1101 if (rl->dtls) {
5
Assuming field 'dtls' is not equal to 0
6
Taking true branch
1102 /*
1103 * The DTLS sequence number is split into a 16 bit epoch and
1104 * 48 bit sequence number, however for the purposes of record
1105 * processing it is treated the same as a TLS 64 bit sequence
1106 * number. DTLS also uses explicit read sequence numbers, which
1107 * we need to extract from the DTLS record header.
1108 */
1109 if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE8))
7
Assuming the condition is false
8
Taking false branch
1110 return 0;
1111 if (!CBS_write_bytes(&seq_num, rl->read->seq_num,
9
Assuming the condition is false
10
Taking false branch
1112 sizeof(rl->read->seq_num), NULL((void *)0)))
1113 return 0;
1114 }
1115 if (!CBS_get_u16_length_prefixed(&cbs, &fragment))
11
Assuming the condition is false
12
Taking false branch
1116 return 0;
1117
1118 if (rl->read->aead_ctx != NULL((void *)0)) {
13
Assuming field 'aead_ctx' is equal to NULL
14
Taking false branch
1119 if (!tls12_record_layer_open_record_protected_aead(rl,
1120 content_type, &seq_num, &fragment, out))
1121 return 0;
1122 } else if (rl->read->cipher_ctx != NULL((void *)0)) {
15
Assuming field 'cipher_ctx' is not equal to NULL
16
Taking true branch
1123 if (!tls12_record_layer_open_record_protected_cipher(rl,
17
Calling 'tls12_record_layer_open_record_protected_cipher'
1124 content_type, &seq_num, &fragment, out))
1125 return 0;
1126 } else {
1127 if (!tls12_record_layer_open_record_plaintext(rl,
1128 content_type, &fragment, out))
1129 return 0;
1130 }
1131
1132 if (!rl->dtls) {
1133 if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num))
1134 return 0;
1135 }
1136
1137 return 1;
1138}
1139
1140static int
1141tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl,
1142 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out)
1143{
1144 if (tls12_record_protection_engaged(rl->write))
1145 return 0;
1146
1147 return CBB_add_bytes(out, content, content_len);
1148}
1149
1150static int
1151tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl,
1152 uint8_t content_type, CBS *seq_num, const uint8_t *content,
1153 size_t content_len, CBB *out)
1154{
1155 struct tls12_record_protection *rp = rl->write;
1156 uint8_t *header = NULL((void *)0);
1157 size_t header_len = 0;
1158 size_t enc_record_len, out_len;
1159 uint8_t *enc_data;
1160 int ret = 0;
1161
1162 if (rp->aead_xor_nonces) {
1163 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num))
1164 goto err;
1165 } else {
1166 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num))
1167 goto err;
1168 }
1169
1170 if (rp->aead_variable_nonce_in_record) {
1171 if (rp->aead_variable_nonce_len > CBS_len(seq_num))
1172 goto err;
1173 if (!CBB_add_bytes(out, CBS_data(seq_num),
1174 rp->aead_variable_nonce_len))
1175 goto err;
1176 }
1177
1178 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
1179 seq_num, &header, &header_len))
1180 goto err;
1181
1182 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
1183 enc_record_len = content_len + rp->aead_tag_len;
1184 if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH((256 + 64)+16384))
1185 goto err;
1186 if (!CBB_add_space(out, &enc_data, enc_record_len))
1187 goto err;
1188
1189 if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len,
1190 rp->aead_nonce, rp->aead_nonce_len, content, content_len, header,
1191 header_len))
1192 goto err;
1193
1194 if (out_len != enc_record_len)
1195 goto err;
1196
1197 ret = 1;
1198
1199 err:
1200 freezero(header, header_len);
1201
1202 return ret;
1203}
1204
1205static int
1206tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl,
1207 uint8_t content_type, CBS *seq_num, const uint8_t *content,
1208 size_t content_len, CBB *out)
1209{
1210 EVP_CIPHER_CTX *enc = rl->write->cipher_ctx;
1211 size_t block_size, eiv_len, mac_len, pad_len;
1212 uint8_t *enc_data, *eiv, *pad, pad_val;
1213 uint8_t *plain = NULL((void *)0);
1214 size_t plain_len = 0;
1215 int ret = 0;
1216 CBB cbb;
1217
1218 if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH16384))
1219 goto err;
1220
1221 /* Add explicit IV if necessary. */
1222 eiv_len = 0;
1223 if (rl->version != TLS1_VERSION0x0301) {
1224 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len))
1225 goto err;
1226 }
1227 if (eiv_len > 0) {
1228 if (!CBB_add_space(&cbb, &eiv, eiv_len))
1229 goto err;
1230 arc4random_buf(eiv, eiv_len);
1231 }
1232
1233 if (!CBB_add_bytes(&cbb, content, content_len))
1234 goto err;
1235
1236 mac_len = 0;
1237 if (rl->write->hash_ctx != NULL((void *)0)) {
1238 if (!tls12_record_layer_write_mac(rl, &cbb, content_type,
1239 seq_num, content, content_len, &mac_len))
1240 goto err;
1241 }
1242
1243 plain_len = eiv_len + content_len + mac_len;
1244
1245 /* Add padding to block size, if necessary. */
1246 if (!tls12_record_protection_block_size(rl->write, &block_size))
1247 goto err;
1248 if (block_size > 1) {
1249 pad_len = block_size - (plain_len % block_size);
1250 pad_val = pad_len - 1;
1251
1252 if (pad_len > 255)
1253 goto err;
1254 if (!CBB_add_space(&cbb, &pad, pad_len))
1255 goto err;
1256 memset(pad, pad_val, pad_len);
1257 }
1258
1259 if (!CBB_finish(&cbb, &plain, &plain_len))
1260 goto err;
1261
1262 if (plain_len % block_size != 0)
1263 goto err;
1264 if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH((256 + 64)+16384))
1265 goto err;
1266
1267 if (!CBB_add_space(out, &enc_data, plain_len))
1268 goto err;
1269 if (!EVP_Cipher(enc, enc_data, plain, plain_len))
1270 goto err;
1271
1272 ret = 1;
1273
1274 err:
1275 CBB_cleanup(&cbb);
1276 freezero(plain, plain_len);
1277
1278 return ret;
1279}
1280
1281int
1282tls12_record_layer_seal_record(struct tls12_record_layer *rl,
1283 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb)
1284{
1285 uint8_t *seq_num_data = NULL((void *)0);
1286 size_t seq_num_len = 0;
1287 CBB fragment, seq_num_cbb;
1288 CBS seq_num;
1289 int ret = 0;
1290
1291 /*
1292 * Construct the effective sequence number - this is used in both
1293 * the DTLS header and for MAC calculations.
1294 */
1295 if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE8))
1296 goto err;
1297 if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch,
1298 rl->write->seq_num, sizeof(rl->write->seq_num)))
1299 goto err;
1300 if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len))
1301 goto err;
1302 CBS_init(&seq_num, seq_num_data, seq_num_len);
1303
1304 if (!CBB_add_u8(cbb, content_type))
1305 goto err;
1306 if (!CBB_add_u16(cbb, rl->version))
1307 goto err;
1308 if (rl->dtls) {
1309 if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num)))
1310 goto err;
1311 }
1312 if (!CBB_add_u16_length_prefixed(cbb, &fragment))
1313 goto err;
1314
1315 if (rl->write->aead_ctx != NULL((void *)0)) {
1316 if (!tls12_record_layer_seal_record_protected_aead(rl,
1317 content_type, &seq_num, content, content_len, &fragment))
1318 goto err;
1319 } else if (rl->write->cipher_ctx != NULL((void *)0)) {
1320 if (!tls12_record_layer_seal_record_protected_cipher(rl,
1321 content_type, &seq_num, content, content_len, &fragment))
1322 goto err;
1323 } else {
1324 if (!tls12_record_layer_seal_record_plaintext(rl,
1325 content_type, content, content_len, &fragment))
1326 goto err;
1327 }
1328
1329 if (!CBB_flush(cbb))
1330 goto err;
1331
1332 if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num))
1333 goto err;
1334
1335 ret = 1;
1336
1337 err:
1338 CBB_cleanup(&seq_num_cbb);
1339 free(seq_num_data);
1340
1341 return ret;
1342}