1 /*
2 * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include "../../ssl_local.h"
13 #include "../record_local.h"
14 #include "recmethod_local.h"
15
tls13_set_crypto_state(OSSL_RECORD_LAYER * rl,int level,unsigned char * key,size_t keylen,unsigned char * iv,size_t ivlen,unsigned char * mackey,size_t mackeylen,const EVP_CIPHER * ciph,size_t taglen,int mactype,const EVP_MD * md,COMP_METHOD * comp)16 static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
17 unsigned char *key, size_t keylen,
18 unsigned char *iv, size_t ivlen,
19 unsigned char *mackey, size_t mackeylen,
20 const EVP_CIPHER *ciph,
21 size_t taglen,
22 int mactype,
23 const EVP_MD *md,
24 COMP_METHOD *comp)
25 {
26 EVP_CIPHER_CTX *ciph_ctx;
27 EVP_MAC_CTX *mac_ctx;
28 EVP_MAC *mac;
29 OSSL_PARAM params[2], *p = params;
30 int mode;
31 int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0;
32
33 rl->iv = OPENSSL_malloc(ivlen);
34 if (rl->iv == NULL)
35 return OSSL_RECORD_RETURN_FATAL;
36
37 rl->nonce = OPENSSL_malloc(ivlen);
38 if (rl->nonce == NULL)
39 return OSSL_RECORD_RETURN_FATAL;
40
41 memcpy(rl->iv, iv, ivlen);
42
43 /* Integrity only */
44 if (EVP_CIPHER_is_a(ciph, "NULL") && mactype == NID_hmac && md != NULL) {
45 mac = EVP_MAC_fetch(rl->libctx, "HMAC", rl->propq);
46 if (mac == NULL
47 || (mac_ctx = rl->mac_ctx = EVP_MAC_CTX_new(mac)) == NULL) {
48 EVP_MAC_free(mac);
49 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
50 return OSSL_RECORD_RETURN_FATAL;
51 }
52 EVP_MAC_free(mac);
53 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
54 (char *)EVP_MD_name(md), 0);
55 *p = OSSL_PARAM_construct_end();
56 if (!EVP_MAC_init(mac_ctx, key, keylen, params)) {
57 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
58 return OSSL_RECORD_RETURN_FATAL;
59 }
60 goto end;
61 }
62
63 ciph_ctx = rl->enc_ctx = EVP_CIPHER_CTX_new();
64 if (ciph_ctx == NULL) {
65 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
66 return OSSL_RECORD_RETURN_FATAL;
67 }
68
69 mode = EVP_CIPHER_get_mode(ciph);
70
71 if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, enc) <= 0
72 || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen,
73 NULL)
74 <= 0
75 || (mode == EVP_CIPH_CCM_MODE
76 && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen,
77 NULL)
78 <= 0)
79 || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, enc) <= 0) {
80 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
81 return OSSL_RECORD_RETURN_FATAL;
82 }
83 end:
84 return OSSL_RECORD_RETURN_SUCCESS;
85 }
86
tls13_cipher(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * recs,size_t n_recs,int sending,SSL_MAC_BUF * mac,size_t macsize)87 static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
88 size_t n_recs, int sending, SSL_MAC_BUF *mac,
89 size_t macsize)
90 {
91 EVP_CIPHER_CTX *enc_ctx;
92 unsigned char recheader[SSL3_RT_HEADER_LENGTH];
93 unsigned char tag[EVP_MAX_MD_SIZE];
94 size_t nonce_len, offset, loop, hdrlen, taglen;
95 unsigned char *staticiv;
96 unsigned char *nonce;
97 unsigned char *seq = rl->sequence;
98 int lenu, lenf;
99 TLS_RL_RECORD *rec = &recs[0];
100 WPACKET wpkt;
101 const EVP_CIPHER *cipher;
102 EVP_MAC_CTX *mac_ctx = NULL;
103 int mode;
104
105 if (n_recs != 1) {
106 /* Should not happen */
107 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
108 return 0;
109 }
110
111 enc_ctx = rl->enc_ctx; /* enc_ctx is ignored when rl->mac_ctx != NULL */
112 staticiv = rl->iv;
113 nonce = rl->nonce;
114
115 if (enc_ctx == NULL && rl->mac_ctx == NULL) {
116 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
117 return 0;
118 }
119
120 /*
121 * If we're sending an alert and ctx != NULL then we must be forcing
122 * plaintext alerts. If we're reading and ctx != NULL then we allow
123 * plaintext alerts at certain points in the handshake. If we've got this
124 * far then we have already validated that a plaintext alert is ok here.
125 */
126 if (rec->type == SSL3_RT_ALERT) {
127 memmove(rec->data, rec->input, rec->length);
128 rec->input = rec->data;
129 return 1;
130 }
131
132 /* For integrity-only ciphers, nonce_len is same as MAC size */
133 if (rl->mac_ctx != NULL) {
134 nonce_len = EVP_MAC_CTX_get_mac_size(rl->mac_ctx);
135 } else {
136 int ivlen = EVP_CIPHER_CTX_get_iv_length(enc_ctx);
137
138 if (ivlen < 0) {
139 /* Should not happen */
140 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
141 return 0;
142 }
143 nonce_len = (size_t)ivlen;
144 }
145
146 if (!sending) {
147 /*
148 * Take off tag. There must be at least one byte of content type as
149 * well as the tag
150 */
151 if (rec->length < rl->taglen + 1)
152 return 0;
153 rec->length -= rl->taglen;
154 }
155
156 /* Set up nonce: part of static IV followed by sequence number */
157 if (nonce_len < SEQ_NUM_SIZE) {
158 /* Should not happen */
159 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
160 return 0;
161 }
162 offset = nonce_len - SEQ_NUM_SIZE;
163 memcpy(nonce, staticiv, offset);
164 for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
165 nonce[offset + loop] = staticiv[offset + loop] ^ seq[loop];
166
167 if (!tls_increment_sequence_ctr(rl)) {
168 /* RLAYERfatal already called */
169 return 0;
170 }
171
172 /* Set up the AAD */
173 if (!WPACKET_init_static_len(&wpkt, recheader, sizeof(recheader), 0)
174 || !WPACKET_put_bytes_u8(&wpkt, rec->type)
175 || !WPACKET_put_bytes_u16(&wpkt, rec->rec_version)
176 || !WPACKET_put_bytes_u16(&wpkt, rec->length + rl->taglen)
177 || !WPACKET_get_total_written(&wpkt, &hdrlen)
178 || hdrlen != SSL3_RT_HEADER_LENGTH
179 || !WPACKET_finish(&wpkt)) {
180 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
181 WPACKET_cleanup(&wpkt);
182 return 0;
183 }
184
185 if (rl->mac_ctx != NULL) {
186 int ret = 0;
187
188 if ((mac_ctx = EVP_MAC_CTX_dup(rl->mac_ctx)) == NULL
189 || !EVP_MAC_update(mac_ctx, nonce, nonce_len)
190 || !EVP_MAC_update(mac_ctx, recheader, sizeof(recheader))
191 || !EVP_MAC_update(mac_ctx, rec->input, rec->length)
192 || !EVP_MAC_final(mac_ctx, tag, &taglen, rl->taglen)) {
193 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
194 goto end_mac;
195 }
196
197 if (sending) {
198 memcpy(rec->data + rec->length, tag, rl->taglen);
199 rec->length += rl->taglen;
200 } else if (CRYPTO_memcmp(tag, rec->data + rec->length,
201 rl->taglen)
202 != 0) {
203 goto end_mac;
204 }
205 ret = 1;
206 end_mac:
207 EVP_MAC_CTX_free(mac_ctx);
208 return ret;
209 }
210
211 cipher = EVP_CIPHER_CTX_get0_cipher(enc_ctx);
212 if (cipher == NULL) {
213 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
214 return 0;
215 }
216 mode = EVP_CIPHER_get_mode(cipher);
217
218 if (EVP_CipherInit_ex(enc_ctx, NULL, NULL, NULL, nonce, sending) <= 0
219 || (!sending && EVP_CIPHER_CTX_ctrl(enc_ctx, EVP_CTRL_AEAD_SET_TAG, rl->taglen, rec->data + rec->length) <= 0)) {
220 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
221 return 0;
222 }
223
224 /*
225 * For CCM we must explicitly set the total plaintext length before we add
226 * any AAD.
227 */
228 if ((mode == EVP_CIPH_CCM_MODE
229 && EVP_CipherUpdate(enc_ctx, NULL, &lenu, NULL,
230 (unsigned int)rec->length)
231 <= 0)
232 || EVP_CipherUpdate(enc_ctx, NULL, &lenu, recheader,
233 sizeof(recheader))
234 <= 0
235 || EVP_CipherUpdate(enc_ctx, rec->data, &lenu, rec->input,
236 (unsigned int)rec->length)
237 <= 0
238 || EVP_CipherFinal_ex(enc_ctx, rec->data + lenu, &lenf) <= 0
239 || (size_t)(lenu + lenf) != rec->length) {
240 return 0;
241 }
242 if (sending) {
243 /* Add the tag */
244 if (EVP_CIPHER_CTX_ctrl(enc_ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen,
245 rec->data + rec->length)
246 <= 0) {
247 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
248 return 0;
249 }
250 rec->length += rl->taglen;
251 }
252
253 return 1;
254 }
255
tls13_validate_record_header(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * rec)256 static int tls13_validate_record_header(OSSL_RECORD_LAYER *rl,
257 TLS_RL_RECORD *rec)
258 {
259 if (rec->type != SSL3_RT_APPLICATION_DATA
260 && (rec->type != SSL3_RT_CHANGE_CIPHER_SPEC
261 || !rl->is_first_handshake)
262 && (rec->type != SSL3_RT_ALERT || !rl->allow_plain_alerts)) {
263 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
264 return 0;
265 }
266
267 if (rec->rec_version != TLS1_2_VERSION) {
268 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_WRONG_VERSION_NUMBER);
269 return 0;
270 }
271
272 if (rec->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
273 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
274 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
275 return 0;
276 }
277 return 1;
278 }
279
tls13_post_process_record(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * rec)280 static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
281 {
282 /* Skip this if we've received a plaintext alert */
283 if (rec->type != SSL3_RT_ALERT) {
284 size_t end;
285
286 if (rec->length == 0
287 || rec->type != SSL3_RT_APPLICATION_DATA) {
288 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
289 SSL_R_BAD_RECORD_TYPE);
290 return 0;
291 }
292
293 /* Strip trailing padding */
294 for (end = rec->length - 1; end > 0 && rec->data[end] == 0; end--)
295 continue;
296
297 rec->length = end;
298 rec->type = rec->data[end];
299 }
300
301 if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
302 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
303 return 0;
304 }
305
306 if (!tls13_common_post_process_record(rl, rec)) {
307 /* RLAYERfatal already called */
308 return 0;
309 }
310
311 return 1;
312 }
313
tls13_get_record_type(OSSL_RECORD_LAYER * rl,OSSL_RECORD_TEMPLATE * template)314 static uint8_t tls13_get_record_type(OSSL_RECORD_LAYER *rl,
315 OSSL_RECORD_TEMPLATE *template)
316 {
317 if (rl->allow_plain_alerts && template->type == SSL3_RT_ALERT)
318 return SSL3_RT_ALERT;
319
320 /*
321 * Aside from the above case we always use the application data record type
322 * when encrypting in TLSv1.3. The "inner" record type encodes the "real"
323 * record type from the template.
324 */
325 return SSL3_RT_APPLICATION_DATA;
326 }
327
tls13_add_record_padding(OSSL_RECORD_LAYER * rl,OSSL_RECORD_TEMPLATE * thistempl,WPACKET * thispkt,TLS_RL_RECORD * thiswr)328 static int tls13_add_record_padding(OSSL_RECORD_LAYER *rl,
329 OSSL_RECORD_TEMPLATE *thistempl,
330 WPACKET *thispkt,
331 TLS_RL_RECORD *thiswr)
332 {
333 size_t rlen;
334
335 /* Nothing to be done in the case of a plaintext alert */
336 if (rl->allow_plain_alerts && thistempl->type != SSL3_RT_ALERT)
337 return 1;
338
339 if (!WPACKET_put_bytes_u8(thispkt, thistempl->type)) {
340 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
341 return 0;
342 }
343 TLS_RL_RECORD_add_length(thiswr, 1);
344
345 /* Add TLS1.3 padding */
346 rlen = TLS_RL_RECORD_get_length(thiswr);
347 if (rlen < rl->max_frag_len) {
348 size_t padding = 0;
349 size_t max_padding = rl->max_frag_len - rlen;
350
351 /*
352 * We might want to change the "else if" below so that
353 * library-added padding can still happen even if there
354 * is an application-layer callback. The reason being
355 * the application may not be aware that the effectiveness
356 * of ECH could be damaged if the callback e.g. only
357 * padded application data. However, doing so would be
358 * a change that could break some application that has
359 * a client and server that both know what padding they
360 * like, and that dislike any other padding. That'd need
361 * one of those to have been updated though so the
362 * probability may be low enough that we could change
363 * the "else if" below to just an "if" and pick the
364 * larger of the library and callback's idea of padding.
365 * (Still subject to max_padding though.)
366 */
367 if (rl->padding != NULL) {
368 padding = rl->padding(rl->cbarg, thistempl->type, rlen);
369 } else if (rl->block_padding > 0 || rl->hs_padding > 0) {
370 size_t mask, bp = 0, remainder;
371
372 /*
373 * pad handshake or alert messages based on |hs_padding|
374 * but application data based on |block_padding|
375 */
376 if (thistempl->type == SSL3_RT_HANDSHAKE && rl->hs_padding > 0)
377 bp = rl->hs_padding;
378 else if (thistempl->type == SSL3_RT_ALERT && rl->hs_padding > 0)
379 bp = rl->hs_padding;
380 else if (thistempl->type == SSL3_RT_APPLICATION_DATA
381 && rl->block_padding > 0)
382 bp = rl->block_padding;
383 if (bp > 0) {
384 mask = bp - 1;
385 /* optimize for power of 2 */
386 if ((bp & mask) == 0)
387 remainder = rlen & mask;
388 else
389 remainder = rlen % bp;
390 /* don't want to add a block of padding if we don't have to */
391 if (remainder == 0)
392 padding = 0;
393 else
394 padding = bp - remainder;
395 }
396 }
397 if (padding > 0) {
398 /* do not allow the record to exceed max plaintext length */
399 if (padding > max_padding)
400 padding = max_padding;
401 if (!WPACKET_memset(thispkt, 0, padding)) {
402 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
403 ERR_R_INTERNAL_ERROR);
404 return 0;
405 }
406 TLS_RL_RECORD_add_length(thiswr, padding);
407 }
408 }
409
410 return 1;
411 }
412
413 const struct record_functions_st tls_1_3_funcs = {
414 tls13_set_crypto_state,
415 tls13_cipher,
416 NULL,
417 tls_default_set_protocol_version,
418 tls_default_read_n,
419 tls_get_more_records,
420 tls13_validate_record_header,
421 tls13_post_process_record,
422 tls_get_max_records_default,
423 tls_write_records_default,
424 tls_allocate_write_buffers_default,
425 tls_initialise_write_packets_default,
426 tls13_get_record_type,
427 tls_prepare_record_header_default,
428 tls13_add_record_padding,
429 tls_prepare_for_encryption_default,
430 tls_post_encryption_processing_default,
431 NULL
432 };
433