/*- * tls13_enc encrypts/decrypts |n_recs| in |recs|. * * Returns: * 0: (in non-constant time) if the record is publically invalid (i.e. too * short etc). * 1: if the record encryption was successful. * -1: if the record's AEAD-authenticator is invalid or, if sending, * an internal error occurred. */ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) { EVP_CIPHER_CTX *ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; size_t ivlen, taglen, offset, loop; unsigned char *staticiv; unsigned char *seq; int lenu, lenf; SSL3_RECORD *rec = &recs[0]; uint32_t alg_enc; if (n_recs != 1) { /* Should not happen */ /* TODO(TLS1.3): Support pipelining */ return -1; } if (sending) { ctx = s->enc_write_ctx; staticiv = s->write_iv; seq = RECORD_LAYER_get_write_sequence(&s->rlayer); } else { ctx = s->enc_read_ctx; staticiv = s->read_iv; seq = RECORD_LAYER_get_read_sequence(&s->rlayer); } if (ctx == NULL) { memmove(rec->data, rec->input, rec->length); rec->input = rec->data; return 1; } ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (s->early_data_state == SSL_EARLY_DATA_WRITING || s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) { alg_enc = s->session->cipher->algorithm_enc; } else { /* * To get here we must have selected a ciphersuite - otherwise ctx would * be NULL */ assert(s->s3->tmp.new_cipher != NULL); if (s->s3->tmp.new_cipher == NULL) return -1; alg_enc = s->s3->tmp.new_cipher->algorithm_enc; } if (alg_enc & SSL_AESCCM) { if (alg_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) taglen = EVP_CCM8_TLS_TAG_LEN; else taglen = EVP_CCM_TLS_TAG_LEN; if (sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) <= 0) return -1; } else if (alg_enc & SSL_AESGCM) { taglen = EVP_GCM_TLS_TAG_LEN; } else if (alg_enc & SSL_CHACHA20) { taglen = EVP_CHACHAPOLY_TLS_TAG_LEN; } else { return -1; } if (!sending) { /* * Take off tag. There must be at least one byte of content type as * well as the tag */ if (rec->length < taglen + 1) return 0; rec->length -= taglen; } /* Set up IV */ if (ivlen < SEQ_NUM_SIZE) { /* Should not happen */ return -1; } offset = ivlen - SEQ_NUM_SIZE; memcpy(iv, staticiv, offset); for (loop = 0; loop < SEQ_NUM_SIZE; loop++) iv[offset + loop] = staticiv[offset + loop] ^ seq[loop]; /* Increment the sequence counter */ for (loop = SEQ_NUM_SIZE; loop > 0; loop--) { ++seq[loop - 1]; if (seq[loop - 1] != 0) break; } if (loop == 0) { /* Sequence has wrapped */ return -1; } /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */ if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0 || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, rec->data + rec->length) <= 0) || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input, (unsigned int)rec->length) <= 0 || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0 || (size_t)(lenu + lenf) != rec->length) { return -1; } if (sending) { /* Add the tag */ if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, rec->data + rec->length) <= 0) return -1; rec->length += taglen; } return 1; }
static int test_tls13_encryption(void) { SSL_CTX *ctx = NULL; SSL *s = NULL; SSL3_RECORD rec; unsigned char *key = NULL, *iv = NULL, *seq = NULL; const EVP_CIPHER *ciph = EVP_aes_128_gcm(); int ret = 0; size_t ivlen, ctr; /* * Encrypted TLSv1.3 records always have an outer content type of * application data, and a record version of TLSv1.2. */ rec.data = NULL; rec.type = SSL3_RT_APPLICATION_DATA; rec.rec_version = TLS1_2_VERSION; ctx = SSL_CTX_new(TLS_method()); if (!TEST_ptr(ctx)) { TEST_info("Failed creating SSL_CTX"); goto err; } s = SSL_new(ctx); if (!TEST_ptr(s)) { TEST_info("Failed creating SSL"); goto err; } s->enc_read_ctx = EVP_CIPHER_CTX_new(); if (!TEST_ptr(s->enc_read_ctx)) goto err; s->enc_write_ctx = EVP_CIPHER_CTX_new(); if (!TEST_ptr(s->enc_write_ctx)) goto err; s->s3->tmp.new_cipher = SSL_CIPHER_find(s, TLS13_AES_128_GCM_SHA256_BYTES); if (!TEST_ptr(s->s3->tmp.new_cipher)) { TEST_info("Failed to find cipher"); goto err; } for (ctr = 0; ctr < OSSL_NELEM(refdata); ctr++) { /* Load the record */ ivlen = EVP_CIPHER_iv_length(ciph); if (!load_record(&rec, &refdata[ctr], &key, s->read_iv, ivlen, RECORD_LAYER_get_read_sequence(&s->rlayer))) { TEST_error("Failed loading key into EVP_CIPHER_CTX"); goto err; } /* Set up the read/write sequences */ memcpy(RECORD_LAYER_get_write_sequence(&s->rlayer), RECORD_LAYER_get_read_sequence(&s->rlayer), SEQ_NUM_SIZE); memcpy(s->write_iv, s->read_iv, ivlen); /* Load the key into the EVP_CIPHER_CTXs */ if (EVP_CipherInit_ex(s->enc_write_ctx, ciph, NULL, key, NULL, 1) <= 0 || EVP_CipherInit_ex(s->enc_read_ctx, ciph, NULL, key, NULL, 0) <= 0) { TEST_error("Failed loading key into EVP_CIPHER_CTX\n"); goto err; } /* Encrypt it */ if (!TEST_size_t_eq(tls13_enc(s, &rec, 1, 1), 1)) { TEST_info("Failed to encrypt record %zu", ctr); goto err; } if (!TEST_true(test_record(&rec, &refdata[ctr], 1))) { TEST_info("Record %zu encryption test failed", ctr); goto err; } /* Decrypt it */ if (!TEST_int_eq(tls13_enc(s, &rec, 1, 0), 1)) { TEST_info("Failed to decrypt record %zu", ctr); goto err; } if (!TEST_true(test_record(&rec, &refdata[ctr], 0))) { TEST_info("Record %zu decryption test failed", ctr); goto err; } OPENSSL_free(rec.data); OPENSSL_free(key); OPENSSL_free(iv); OPENSSL_free(seq); rec.data = NULL; key = NULL; iv = NULL; seq = NULL; } TEST_note("PASS: %zu records tested", ctr); ret = 1; err: OPENSSL_free(rec.data); OPENSSL_free(key); OPENSSL_free(iv); OPENSSL_free(seq); SSL_free(s); SSL_CTX_free(ctx); return ret; }
/*- * tls13_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for * internal errors, but not otherwise. * * Returns: * 0: (in non-constant time) if the record is publically invalid (i.e. too * short etc). * 1: if the record encryption was successful. * -1: if the record's AEAD-authenticator is invalid or, if sending, * an internal error occurred. */ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) { EVP_CIPHER_CTX *ctx; unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH]; size_t ivlen, taglen, offset, loop, hdrlen; unsigned char *staticiv; unsigned char *seq; int lenu, lenf; SSL3_RECORD *rec = &recs[0]; uint32_t alg_enc; WPACKET wpkt; if (n_recs != 1) { /* Should not happen */ /* TODO(TLS1.3): Support pipelining */ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, ERR_R_INTERNAL_ERROR); return -1; } if (sending) { ctx = s->enc_write_ctx; staticiv = s->write_iv; seq = RECORD_LAYER_get_write_sequence(&s->rlayer); } else { ctx = s->enc_read_ctx; staticiv = s->read_iv; seq = RECORD_LAYER_get_read_sequence(&s->rlayer); } /* * If we're sending an alert and ctx != NULL then we must be forcing * plaintext alerts. If we're reading and ctx != NULL then we allow * plaintext alerts at certain points in the handshake. If we've got this * far then we have already validated that a plaintext alert is ok here. */ if (ctx == NULL || rec->type == SSL3_RT_ALERT) { memmove(rec->data, rec->input, rec->length); rec->input = rec->data; return 1; } ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (s->early_data_state == SSL_EARLY_DATA_WRITING || s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) { if (s->session != NULL && s->session->ext.max_early_data > 0) { alg_enc = s->session->cipher->algorithm_enc; } else { if (!ossl_assert(s->psksession != NULL && s->psksession->ext.max_early_data > 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, ERR_R_INTERNAL_ERROR); return -1; } alg_enc = s->psksession->cipher->algorithm_enc; } } else { /* * To get here we must have selected a ciphersuite - otherwise ctx would * be NULL */ if (!ossl_assert(s->s3->tmp.new_cipher != NULL)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, ERR_R_INTERNAL_ERROR); return -1; } alg_enc = s->s3->tmp.new_cipher->algorithm_enc; } if (alg_enc & SSL_AESCCM) { if (alg_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) taglen = EVP_CCM8_TLS_TAG_LEN; else taglen = EVP_CCM_TLS_TAG_LEN; if (sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, ERR_R_INTERNAL_ERROR); return -1; } } else if (alg_enc & SSL_AESGCM) { taglen = EVP_GCM_TLS_TAG_LEN; } else if (alg_enc & SSL_CHACHA20) { taglen = EVP_CHACHAPOLY_TLS_TAG_LEN; } else { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, ERR_R_INTERNAL_ERROR); return -1; } if (!sending) { /* * Take off tag. There must be at least one byte of content type as * well as the tag */ if (rec->length < taglen + 1) return 0; rec->length -= taglen; } /* Set up IV */ if (ivlen < SEQ_NUM_SIZE) { /* Should not happen */ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, ERR_R_INTERNAL_ERROR); return -1; } offset = ivlen - SEQ_NUM_SIZE; memcpy(iv, staticiv, offset); for (loop = 0; loop < SEQ_NUM_SIZE; loop++) iv[offset + loop] = staticiv[offset + loop] ^ seq[loop]; /* Increment the sequence counter */ for (loop = SEQ_NUM_SIZE; loop > 0; loop--) { ++seq[loop - 1]; if (seq[loop - 1] != 0) break; } if (loop == 0) { /* Sequence has wrapped */ return -1; } /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */ if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0 || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, rec->data + rec->length) <= 0)) { return -1; } /* Set up the AAD */ if (!WPACKET_init_static_len(&wpkt, recheader, sizeof(recheader), 0) || !WPACKET_put_bytes_u8(&wpkt, rec->type) || !WPACKET_put_bytes_u16(&wpkt, rec->rec_version) || !WPACKET_put_bytes_u16(&wpkt, rec->length + taglen) || !WPACKET_get_total_written(&wpkt, &hdrlen) || hdrlen != SSL3_RT_HEADER_LENGTH || !WPACKET_finish(&wpkt)) { WPACKET_cleanup(&wpkt); return -1; } /* * For CCM we must explicitly set the total plaintext length before we add * any AAD. */ if (((alg_enc & SSL_AESCCM) != 0 && EVP_CipherUpdate(ctx, NULL, &lenu, NULL, (unsigned int)rec->length) <= 0) || EVP_CipherUpdate(ctx, NULL, &lenu, recheader, sizeof(recheader)) <= 0 || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input, (unsigned int)rec->length) <= 0 || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0 || (size_t)(lenu + lenf) != rec->length) { return -1; } if (sending) { /* Add the tag */ if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, rec->data + rec->length) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, ERR_R_INTERNAL_ERROR); return -1; } rec->length += taglen; } return 1; }