Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 1 | /* Copyright (c) 2015, Google Inc. |
| 2 | * |
| 3 | * Permission to use, copy, modify, and/or distribute this software for any |
| 4 | * purpose with or without fee is hereby granted, provided that the above |
| 5 | * copyright notice and this permission notice appear in all copies. |
| 6 | * |
| 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| 14 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 15 | #include <openssl/ssl.h> |
| 16 | |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 17 | #include <assert.h> |
| 18 | #include <string.h> |
| 19 | |
| 20 | #include <openssl/aead.h> |
| 21 | #include <openssl/err.h> |
| 22 | #include <openssl/rand.h> |
| 23 | #include <openssl/type_check.h> |
| 24 | |
| 25 | #include "internal.h" |
| 26 | |
| 27 | |
| 28 | OPENSSL_COMPILE_ASSERT(EVP_AEAD_MAX_NONCE_LENGTH < 256, |
| 29 | variable_nonce_len_doesnt_fit_in_uint8_t); |
| 30 | |
| 31 | SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction, |
| 32 | uint16_t version, const SSL_CIPHER *cipher, |
| 33 | const uint8_t *enc_key, size_t enc_key_len, |
| 34 | const uint8_t *mac_key, size_t mac_key_len, |
| 35 | const uint8_t *fixed_iv, size_t fixed_iv_len) { |
| 36 | const EVP_AEAD *aead; |
| 37 | size_t discard; |
| 38 | if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, cipher, version)) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 39 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 40 | return 0; |
| 41 | } |
| 42 | |
| 43 | uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH]; |
| 44 | if (mac_key_len > 0) { |
| 45 | /* This is a "stateful" AEAD (for compatibility with pre-AEAD cipher |
| 46 | * suites). */ |
| 47 | if (mac_key_len + enc_key_len + fixed_iv_len > sizeof(merged_key)) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 48 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 49 | return 0; |
| 50 | } |
| 51 | memcpy(merged_key, mac_key, mac_key_len); |
| 52 | memcpy(merged_key + mac_key_len, enc_key, enc_key_len); |
| 53 | memcpy(merged_key + mac_key_len + enc_key_len, fixed_iv, fixed_iv_len); |
| 54 | enc_key = merged_key; |
| 55 | enc_key_len += mac_key_len; |
| 56 | enc_key_len += fixed_iv_len; |
| 57 | } |
| 58 | |
| 59 | SSL_AEAD_CTX *aead_ctx = (SSL_AEAD_CTX *)OPENSSL_malloc(sizeof(SSL_AEAD_CTX)); |
| 60 | if (aead_ctx == NULL) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 61 | OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 62 | return NULL; |
| 63 | } |
| 64 | memset(aead_ctx, 0, sizeof(SSL_AEAD_CTX)); |
| 65 | aead_ctx->cipher = cipher; |
| 66 | |
| 67 | if (!EVP_AEAD_CTX_init_with_direction( |
| 68 | &aead_ctx->ctx, aead, enc_key, enc_key_len, |
| 69 | EVP_AEAD_DEFAULT_TAG_LENGTH, direction)) { |
| 70 | OPENSSL_free(aead_ctx); |
| 71 | return NULL; |
| 72 | } |
| 73 | |
| 74 | assert(EVP_AEAD_nonce_length(aead) <= EVP_AEAD_MAX_NONCE_LENGTH); |
| 75 | aead_ctx->variable_nonce_len = (uint8_t)EVP_AEAD_nonce_length(aead); |
| 76 | if (mac_key_len == 0) { |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame^] | 77 | assert(fixed_iv_len <= sizeof(aead_ctx->fixed_nonce)); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 78 | memcpy(aead_ctx->fixed_nonce, fixed_iv, fixed_iv_len); |
| 79 | aead_ctx->fixed_nonce_len = fixed_iv_len; |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame^] | 80 | |
| 81 | if (cipher->algorithm_enc & SSL_CHACHA20POLY1305) { |
| 82 | /* The fixed nonce into the actual nonce (the sequence number). */ |
| 83 | aead_ctx->xor_fixed_nonce = 1; |
| 84 | aead_ctx->variable_nonce_len = 8; |
| 85 | } else { |
| 86 | /* The fixed IV is prepended to the nonce. */ |
| 87 | assert(fixed_iv_len <= aead_ctx->variable_nonce_len); |
| 88 | aead_ctx->variable_nonce_len -= fixed_iv_len; |
| 89 | } |
| 90 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 91 | /* AES-GCM uses an explicit nonce. */ |
| 92 | if (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) { |
| 93 | aead_ctx->variable_nonce_included_in_record = 1; |
| 94 | } |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 95 | } else { |
| 96 | aead_ctx->variable_nonce_included_in_record = 1; |
| 97 | aead_ctx->random_variable_nonce = 1; |
| 98 | aead_ctx->omit_length_in_ad = 1; |
| 99 | aead_ctx->omit_version_in_ad = (version == SSL3_VERSION); |
| 100 | } |
| 101 | |
| 102 | return aead_ctx; |
| 103 | } |
| 104 | |
| 105 | void SSL_AEAD_CTX_free(SSL_AEAD_CTX *aead) { |
| 106 | if (aead == NULL) { |
| 107 | return; |
| 108 | } |
| 109 | EVP_AEAD_CTX_cleanup(&aead->ctx); |
| 110 | OPENSSL_free(aead); |
| 111 | } |
| 112 | |
| 113 | size_t SSL_AEAD_CTX_explicit_nonce_len(SSL_AEAD_CTX *aead) { |
| 114 | if (aead != NULL && aead->variable_nonce_included_in_record) { |
| 115 | return aead->variable_nonce_len; |
| 116 | } |
| 117 | return 0; |
| 118 | } |
| 119 | |
| 120 | size_t SSL_AEAD_CTX_max_overhead(SSL_AEAD_CTX *aead) { |
| 121 | if (aead == NULL) { |
| 122 | return 0; |
| 123 | } |
| 124 | return EVP_AEAD_max_overhead(aead->ctx.aead) + |
| 125 | SSL_AEAD_CTX_explicit_nonce_len(aead); |
| 126 | } |
| 127 | |
| 128 | /* ssl_aead_ctx_get_ad writes the additional data for |aead| into |out| and |
| 129 | * returns the number of bytes written. */ |
| 130 | static size_t ssl_aead_ctx_get_ad(SSL_AEAD_CTX *aead, uint8_t out[13], |
| 131 | uint8_t type, uint16_t wire_version, |
| 132 | const uint8_t seqnum[8], |
| 133 | size_t plaintext_len) { |
| 134 | memcpy(out, seqnum, 8); |
| 135 | size_t len = 8; |
| 136 | out[len++] = type; |
| 137 | if (!aead->omit_version_in_ad) { |
| 138 | out[len++] = (uint8_t)(wire_version >> 8); |
| 139 | out[len++] = (uint8_t)wire_version; |
| 140 | } |
| 141 | if (!aead->omit_length_in_ad) { |
| 142 | out[len++] = (uint8_t)(plaintext_len >> 8); |
| 143 | out[len++] = (uint8_t)plaintext_len; |
| 144 | } |
| 145 | return len; |
| 146 | } |
| 147 | |
| 148 | int SSL_AEAD_CTX_open(SSL_AEAD_CTX *aead, uint8_t *out, size_t *out_len, |
| 149 | size_t max_out, uint8_t type, uint16_t wire_version, |
| 150 | const uint8_t seqnum[8], const uint8_t *in, |
| 151 | size_t in_len) { |
| 152 | if (aead == NULL) { |
| 153 | /* Handle the initial NULL cipher. */ |
| 154 | if (in_len > max_out) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 155 | OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 156 | return 0; |
| 157 | } |
| 158 | memmove(out, in, in_len); |
| 159 | *out_len = in_len; |
| 160 | return 1; |
| 161 | } |
| 162 | |
| 163 | /* TLS 1.2 AEADs include the length in the AD and are assumed to have fixed |
| 164 | * overhead. Otherwise the parameter is unused. */ |
| 165 | size_t plaintext_len = 0; |
| 166 | if (!aead->omit_length_in_ad) { |
| 167 | size_t overhead = SSL_AEAD_CTX_max_overhead(aead); |
| 168 | if (in_len < overhead) { |
| 169 | /* Publicly invalid. */ |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 170 | OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 171 | return 0; |
| 172 | } |
| 173 | plaintext_len = in_len - overhead; |
| 174 | } |
| 175 | uint8_t ad[13]; |
| 176 | size_t ad_len = ssl_aead_ctx_get_ad(aead, ad, type, wire_version, seqnum, |
| 177 | plaintext_len); |
| 178 | |
| 179 | /* Assemble the nonce. */ |
| 180 | uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH]; |
| 181 | size_t nonce_len = 0; |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame^] | 182 | |
| 183 | /* Prepend the fixed nonce, or left-pad with zeros if XORing. */ |
| 184 | if (aead->xor_fixed_nonce) { |
| 185 | nonce_len = aead->fixed_nonce_len - aead->variable_nonce_len; |
| 186 | memset(nonce, 0, nonce_len); |
| 187 | } else { |
| 188 | memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len); |
| 189 | nonce_len += aead->fixed_nonce_len; |
| 190 | } |
| 191 | |
| 192 | /* Add the variable nonce. */ |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 193 | if (aead->variable_nonce_included_in_record) { |
| 194 | if (in_len < aead->variable_nonce_len) { |
| 195 | /* Publicly invalid. */ |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 196 | OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 197 | return 0; |
| 198 | } |
| 199 | memcpy(nonce + nonce_len, in, aead->variable_nonce_len); |
| 200 | in += aead->variable_nonce_len; |
| 201 | in_len -= aead->variable_nonce_len; |
| 202 | } else { |
| 203 | assert(aead->variable_nonce_len == 8); |
| 204 | memcpy(nonce + nonce_len, seqnum, aead->variable_nonce_len); |
| 205 | } |
| 206 | nonce_len += aead->variable_nonce_len; |
| 207 | |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame^] | 208 | /* XOR the fixed nonce, if necessary. */ |
| 209 | if (aead->xor_fixed_nonce) { |
| 210 | assert(nonce_len == aead->fixed_nonce_len); |
| 211 | size_t i; |
| 212 | for (i = 0; i < aead->fixed_nonce_len; i++) { |
| 213 | nonce[i] ^= aead->fixed_nonce[i]; |
| 214 | } |
| 215 | } |
| 216 | |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 217 | return EVP_AEAD_CTX_open(&aead->ctx, out, out_len, max_out, nonce, nonce_len, |
| 218 | in, in_len, ad, ad_len); |
| 219 | } |
| 220 | |
| 221 | int SSL_AEAD_CTX_seal(SSL_AEAD_CTX *aead, uint8_t *out, size_t *out_len, |
| 222 | size_t max_out, uint8_t type, uint16_t wire_version, |
| 223 | const uint8_t seqnum[8], const uint8_t *in, |
| 224 | size_t in_len) { |
| 225 | if (aead == NULL) { |
| 226 | /* Handle the initial NULL cipher. */ |
| 227 | if (in_len > max_out) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 228 | OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 229 | return 0; |
| 230 | } |
| 231 | memmove(out, in, in_len); |
| 232 | *out_len = in_len; |
| 233 | return 1; |
| 234 | } |
| 235 | |
| 236 | uint8_t ad[13]; |
| 237 | size_t ad_len = ssl_aead_ctx_get_ad(aead, ad, type, wire_version, seqnum, |
| 238 | in_len); |
| 239 | |
| 240 | /* Assemble the nonce. */ |
| 241 | uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH]; |
| 242 | size_t nonce_len = 0; |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame^] | 243 | |
| 244 | /* Prepend the fixed nonce, or left-pad with zeros if XORing. */ |
| 245 | if (aead->xor_fixed_nonce) { |
| 246 | nonce_len = aead->fixed_nonce_len - aead->variable_nonce_len; |
| 247 | memset(nonce, 0, nonce_len); |
| 248 | } else { |
| 249 | memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len); |
| 250 | nonce_len += aead->fixed_nonce_len; |
| 251 | } |
| 252 | |
| 253 | /* Select the variable nonce. */ |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 254 | if (aead->random_variable_nonce) { |
| 255 | assert(aead->variable_nonce_included_in_record); |
| 256 | if (!RAND_bytes(nonce + nonce_len, aead->variable_nonce_len)) { |
| 257 | return 0; |
| 258 | } |
| 259 | } else { |
| 260 | /* When sending we use the sequence number as the variable part of the |
| 261 | * nonce. */ |
| 262 | assert(aead->variable_nonce_len == 8); |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame^] | 263 | memcpy(nonce + nonce_len, seqnum, aead->variable_nonce_len); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 264 | } |
| 265 | nonce_len += aead->variable_nonce_len; |
| 266 | |
| 267 | /* Emit the variable nonce if included in the record. */ |
| 268 | size_t extra_len = 0; |
| 269 | if (aead->variable_nonce_included_in_record) { |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame^] | 270 | assert(!aead->xor_fixed_nonce); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 271 | if (max_out < aead->variable_nonce_len) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 272 | OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 273 | return 0; |
| 274 | } |
| 275 | if (out < in + in_len && in < out + aead->variable_nonce_len) { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 276 | OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT); |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 277 | return 0; |
| 278 | } |
| 279 | memcpy(out, nonce + aead->fixed_nonce_len, aead->variable_nonce_len); |
| 280 | extra_len = aead->variable_nonce_len; |
| 281 | out += aead->variable_nonce_len; |
| 282 | max_out -= aead->variable_nonce_len; |
| 283 | } |
| 284 | |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame^] | 285 | /* XOR the fixed nonce, if necessary. */ |
| 286 | if (aead->xor_fixed_nonce) { |
| 287 | assert(nonce_len == aead->fixed_nonce_len); |
| 288 | size_t i; |
| 289 | for (i = 0; i < aead->fixed_nonce_len; i++) { |
| 290 | nonce[i] ^= aead->fixed_nonce[i]; |
| 291 | } |
| 292 | } |
| 293 | |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 294 | if (!EVP_AEAD_CTX_seal(&aead->ctx, out, out_len, max_out, nonce, nonce_len, |
| 295 | in, in_len, ad, ad_len)) { |
| 296 | return 0; |
| 297 | } |
| 298 | *out_len += extra_len; |
| 299 | return 1; |
| 300 | } |