1 /*
2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "../ssl_local.h"
11 #include "record_local.h"
12 #include "internal/cryptlib.h"
13
14 /*-
15 * tls13_enc encrypts/decrypts |n_recs| in |recs|. Calls SSLfatal on internal
16 * error, but not otherwise. It is the responsibility of the caller to report
17 * a bad_record_mac.
18 *
19 * Returns:
20 * 0: On failure
21 * 1: if the record encryption/decryption was successful.
22 */
tls13_enc(SSL * s,SSL3_RECORD * recs,size_t n_recs,int sending,ossl_unused SSL_MAC_BUF * mac,ossl_unused size_t macsize)23 int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
24 ossl_unused SSL_MAC_BUF *mac, ossl_unused size_t macsize)
25 {
26 EVP_CIPHER_CTX *ctx;
27 unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH];
28 size_t ivlen, taglen, offset, loop, hdrlen;
29 unsigned char *staticiv;
30 unsigned char *seq;
31 int lenu, lenf;
32 SSL3_RECORD *rec = &recs[0];
33 uint32_t alg_enc;
34 WPACKET wpkt;
35
36 if (n_recs != 1) {
37 /* Should not happen */
38 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
39 return 0;
40 }
41
42 if (sending) {
43 ctx = s->enc_write_ctx;
44 staticiv = s->write_iv;
45 seq = RECORD_LAYER_get_write_sequence(&s->rlayer);
46 } else {
47 ctx = s->enc_read_ctx;
48 staticiv = s->read_iv;
49 seq = RECORD_LAYER_get_read_sequence(&s->rlayer);
50 }
51
52 /*
53 * If we're sending an alert and ctx != NULL then we must be forcing
54 * plaintext alerts. If we're reading and ctx != NULL then we allow
55 * plaintext alerts at certain points in the handshake. If we've got this
56 * far then we have already validated that a plaintext alert is ok here.
57 */
58 if (ctx == NULL || rec->type == SSL3_RT_ALERT) {
59 memmove(rec->data, rec->input, rec->length);
60 rec->input = rec->data;
61 return 1;
62 }
63
64 ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
65
66 if (s->early_data_state == SSL_EARLY_DATA_WRITING
67 || s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {
68 if (s->session != NULL && s->session->ext.max_early_data > 0) {
69 alg_enc = s->session->cipher->algorithm_enc;
70 } else {
71 if (!ossl_assert(s->psksession != NULL
72 && s->psksession->ext.max_early_data > 0)) {
73 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
74 return 0;
75 }
76 alg_enc = s->psksession->cipher->algorithm_enc;
77 }
78 } else {
79 /*
80 * To get here we must have selected a ciphersuite - otherwise ctx would
81 * be NULL
82 */
83 if (!ossl_assert(s->s3.tmp.new_cipher != NULL)) {
84 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
85 return 0;
86 }
87 alg_enc = s->s3.tmp.new_cipher->algorithm_enc;
88 }
89
90 if (alg_enc & SSL_AESCCM) {
91 if (alg_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))
92 taglen = EVP_CCM8_TLS_TAG_LEN;
93 else
94 taglen = EVP_CCM_TLS_TAG_LEN;
95 if (sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen,
96 NULL) <= 0) {
97 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
98 return 0;
99 }
100 } else if (alg_enc & SSL_AESGCM) {
101 taglen = EVP_GCM_TLS_TAG_LEN;
102 } else if (alg_enc & SSL_CHACHA20) {
103 taglen = EVP_CHACHAPOLY_TLS_TAG_LEN;
104 } else {
105 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
106 return 0;
107 }
108
109 if (!sending) {
110 /*
111 * Take off tag. There must be at least one byte of content type as
112 * well as the tag
113 */
114 if (rec->length < taglen + 1)
115 return 0;
116 rec->length -= taglen;
117 }
118
119 /* Set up IV */
120 if (ivlen < SEQ_NUM_SIZE) {
121 /* Should not happen */
122 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
123 return 0;
124 }
125 offset = ivlen - SEQ_NUM_SIZE;
126 memcpy(iv, staticiv, offset);
127 for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
128 iv[offset + loop] = staticiv[offset + loop] ^ seq[loop];
129
130 /* Increment the sequence counter */
131 for (loop = SEQ_NUM_SIZE; loop > 0; loop--) {
132 ++seq[loop - 1];
133 if (seq[loop - 1] != 0)
134 break;
135 }
136 if (loop == 0) {
137 /* Sequence has wrapped */
138 return 0;
139 }
140
141 if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0
142 || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
143 taglen,
144 rec->data + rec->length) <= 0)) {
145 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
146 return 0;
147 }
148
149 /* Set up the AAD */
150 if (!WPACKET_init_static_len(&wpkt, recheader, sizeof(recheader), 0)
151 || !WPACKET_put_bytes_u8(&wpkt, rec->type)
152 || !WPACKET_put_bytes_u16(&wpkt, rec->rec_version)
153 || !WPACKET_put_bytes_u16(&wpkt, rec->length + taglen)
154 || !WPACKET_get_total_written(&wpkt, &hdrlen)
155 || hdrlen != SSL3_RT_HEADER_LENGTH
156 || !WPACKET_finish(&wpkt)) {
157 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
158 WPACKET_cleanup(&wpkt);
159 return 0;
160 }
161
162 /*
163 * For CCM we must explicitly set the total plaintext length before we add
164 * any AAD.
165 */
166 if (((alg_enc & SSL_AESCCM) != 0
167 && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
168 (unsigned int)rec->length) <= 0)
169 || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
170 sizeof(recheader)) <= 0
171 || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
172 (unsigned int)rec->length) <= 0
173 || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
174 || (size_t)(lenu + lenf) != rec->length) {
175 return 0;
176 }
177 if (sending) {
178 /* Add the tag */
179 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen,
180 rec->data + rec->length) <= 0) {
181 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
182 return 0;
183 }
184 rec->length += taglen;
185 }
186
187 return 1;
188 }
189