1 /* Copyright (c) 2015, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18 #include <string.h>
19
20 #include <openssl/aead.h>
21 #include <openssl/err.h>
22 #include <openssl/rand.h>
23
24 #include "../crypto/internal.h"
25 #include "internal.h"
26
27
28 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
29 #define FUZZER_MODE true
30 #else
31 #define FUZZER_MODE false
32 #endif
33
34 namespace bssl {
35
SSLAEADContext(uint16_t version_arg,bool is_dtls_arg,const SSL_CIPHER * cipher_arg)36 SSLAEADContext::SSLAEADContext(uint16_t version_arg, bool is_dtls_arg,
37 const SSL_CIPHER *cipher_arg)
38 : cipher_(cipher_arg),
39 version_(version_arg),
40 is_dtls_(is_dtls_arg),
41 variable_nonce_included_in_record_(false),
42 random_variable_nonce_(false),
43 omit_length_in_ad_(false),
44 omit_version_in_ad_(false),
45 omit_ad_(false),
46 xor_fixed_nonce_(false) {
47 OPENSSL_memset(fixed_nonce_, 0, sizeof(fixed_nonce_));
48 }
49
~SSLAEADContext()50 SSLAEADContext::~SSLAEADContext() {}
51
CreateNullCipher(bool is_dtls)52 UniquePtr<SSLAEADContext> SSLAEADContext::CreateNullCipher(bool is_dtls) {
53 return MakeUnique<SSLAEADContext>(0 /* version */, is_dtls,
54 nullptr /* cipher */);
55 }
56
Create(enum evp_aead_direction_t direction,uint16_t version,int is_dtls,const SSL_CIPHER * cipher,Span<const uint8_t> enc_key,Span<const uint8_t> mac_key,Span<const uint8_t> fixed_iv)57 UniquePtr<SSLAEADContext> SSLAEADContext::Create(
58 enum evp_aead_direction_t direction, uint16_t version, int is_dtls,
59 const SSL_CIPHER *cipher, Span<const uint8_t> enc_key,
60 Span<const uint8_t> mac_key, Span<const uint8_t> fixed_iv) {
61 const EVP_AEAD *aead;
62 uint16_t protocol_version;
63 size_t expected_mac_key_len, expected_fixed_iv_len;
64 if (!ssl_protocol_version_from_wire(&protocol_version, version) ||
65 !ssl_cipher_get_evp_aead(&aead, &expected_mac_key_len,
66 &expected_fixed_iv_len, cipher, protocol_version,
67 is_dtls) ||
68 // Ensure the caller returned correct key sizes.
69 expected_fixed_iv_len != fixed_iv.size() ||
70 expected_mac_key_len != mac_key.size()) {
71 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
72 return nullptr;
73 }
74
75 uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH];
76 if (!mac_key.empty()) {
77 // This is a "stateful" AEAD (for compatibility with pre-AEAD cipher
78 // suites).
79 if (mac_key.size() + enc_key.size() + fixed_iv.size() >
80 sizeof(merged_key)) {
81 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
82 return nullptr;
83 }
84 OPENSSL_memcpy(merged_key, mac_key.data(), mac_key.size());
85 OPENSSL_memcpy(merged_key + mac_key.size(), enc_key.data(), enc_key.size());
86 OPENSSL_memcpy(merged_key + mac_key.size() + enc_key.size(),
87 fixed_iv.data(), fixed_iv.size());
88 enc_key = MakeConstSpan(merged_key,
89 enc_key.size() + mac_key.size() + fixed_iv.size());
90 }
91
92 UniquePtr<SSLAEADContext> aead_ctx =
93 MakeUnique<SSLAEADContext>(version, is_dtls, cipher);
94 if (!aead_ctx) {
95 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
96 return nullptr;
97 }
98
99 assert(aead_ctx->ProtocolVersion() == protocol_version);
100
101 if (!EVP_AEAD_CTX_init_with_direction(
102 aead_ctx->ctx_.get(), aead, enc_key.data(), enc_key.size(),
103 EVP_AEAD_DEFAULT_TAG_LENGTH, direction)) {
104 return nullptr;
105 }
106
107 assert(EVP_AEAD_nonce_length(aead) <= EVP_AEAD_MAX_NONCE_LENGTH);
108 static_assert(EVP_AEAD_MAX_NONCE_LENGTH < 256,
109 "variable_nonce_len doesn't fit in uint8_t");
110 aead_ctx->variable_nonce_len_ = (uint8_t)EVP_AEAD_nonce_length(aead);
111 if (mac_key.empty()) {
112 assert(fixed_iv.size() <= sizeof(aead_ctx->fixed_nonce_));
113 OPENSSL_memcpy(aead_ctx->fixed_nonce_, fixed_iv.data(), fixed_iv.size());
114 aead_ctx->fixed_nonce_len_ = fixed_iv.size();
115
116 if (cipher->algorithm_enc & SSL_CHACHA20POLY1305) {
117 // The fixed nonce into the actual nonce (the sequence number).
118 aead_ctx->xor_fixed_nonce_ = true;
119 aead_ctx->variable_nonce_len_ = 8;
120 } else {
121 // The fixed IV is prepended to the nonce.
122 assert(fixed_iv.size() <= aead_ctx->variable_nonce_len_);
123 aead_ctx->variable_nonce_len_ -= fixed_iv.size();
124 }
125
126 // AES-GCM uses an explicit nonce.
127 if (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) {
128 aead_ctx->variable_nonce_included_in_record_ = true;
129 }
130
131 // The TLS 1.3 construction XORs the fixed nonce into the sequence number
132 // and omits the additional data.
133 if (protocol_version >= TLS1_3_VERSION) {
134 aead_ctx->xor_fixed_nonce_ = true;
135 aead_ctx->variable_nonce_len_ = 8;
136 aead_ctx->variable_nonce_included_in_record_ = false;
137 aead_ctx->omit_ad_ = true;
138 assert(fixed_iv.size() >= aead_ctx->variable_nonce_len_);
139 }
140 } else {
141 assert(protocol_version < TLS1_3_VERSION);
142 aead_ctx->variable_nonce_included_in_record_ = true;
143 aead_ctx->random_variable_nonce_ = true;
144 aead_ctx->omit_length_in_ad_ = true;
145 aead_ctx->omit_version_in_ad_ = (protocol_version == SSL3_VERSION);
146 }
147
148 return aead_ctx;
149 }
150
SetVersionIfNullCipher(uint16_t version)151 void SSLAEADContext::SetVersionIfNullCipher(uint16_t version) {
152 if (is_null_cipher()) {
153 version_ = version;
154 }
155 }
156
ProtocolVersion() const157 uint16_t SSLAEADContext::ProtocolVersion() const {
158 uint16_t protocol_version;
159 if(!ssl_protocol_version_from_wire(&protocol_version, version_)) {
160 assert(false);
161 return 0;
162 }
163 return protocol_version;
164 }
165
RecordVersion() const166 uint16_t SSLAEADContext::RecordVersion() const {
167 if (version_ == 0) {
168 assert(is_null_cipher());
169 return is_dtls_ ? DTLS1_VERSION : TLS1_VERSION;
170 }
171
172 if (ProtocolVersion() <= TLS1_2_VERSION) {
173 return version_;
174 }
175
176 return TLS1_2_VERSION;
177 }
178
ExplicitNonceLen() const179 size_t SSLAEADContext::ExplicitNonceLen() const {
180 if (!FUZZER_MODE && variable_nonce_included_in_record_) {
181 return variable_nonce_len_;
182 }
183 return 0;
184 }
185
SuffixLen(size_t * out_suffix_len,const size_t in_len,const size_t extra_in_len) const186 bool SSLAEADContext::SuffixLen(size_t *out_suffix_len, const size_t in_len,
187 const size_t extra_in_len) const {
188 if (is_null_cipher() || FUZZER_MODE) {
189 *out_suffix_len = extra_in_len;
190 return true;
191 }
192 return !!EVP_AEAD_CTX_tag_len(ctx_.get(), out_suffix_len, in_len,
193 extra_in_len);
194 }
195
MaxOverhead() const196 size_t SSLAEADContext::MaxOverhead() const {
197 return ExplicitNonceLen() +
198 (is_null_cipher() || FUZZER_MODE
199 ? 0
200 : EVP_AEAD_max_overhead(EVP_AEAD_CTX_aead(ctx_.get())));
201 }
202
GetAdditionalData(uint8_t out[13],uint8_t type,uint16_t record_version,const uint8_t seqnum[8],size_t plaintext_len)203 size_t SSLAEADContext::GetAdditionalData(uint8_t out[13], uint8_t type,
204 uint16_t record_version,
205 const uint8_t seqnum[8],
206 size_t plaintext_len) {
207 if (omit_ad_) {
208 return 0;
209 }
210
211 OPENSSL_memcpy(out, seqnum, 8);
212 size_t len = 8;
213 out[len++] = type;
214 if (!omit_version_in_ad_) {
215 out[len++] = static_cast<uint8_t>((record_version >> 8));
216 out[len++] = static_cast<uint8_t>(record_version);
217 }
218 if (!omit_length_in_ad_) {
219 out[len++] = static_cast<uint8_t>((plaintext_len >> 8));
220 out[len++] = static_cast<uint8_t>(plaintext_len);
221 }
222 return len;
223 }
224
Open(Span<uint8_t> * out,uint8_t type,uint16_t record_version,const uint8_t seqnum[8],Span<uint8_t> in)225 bool SSLAEADContext::Open(Span<uint8_t> *out, uint8_t type,
226 uint16_t record_version, const uint8_t seqnum[8],
227 Span<uint8_t> in) {
228 if (is_null_cipher() || FUZZER_MODE) {
229 // Handle the initial NULL cipher.
230 *out = in;
231 return true;
232 }
233
234 // TLS 1.2 AEADs include the length in the AD and are assumed to have fixed
235 // overhead. Otherwise the parameter is unused.
236 size_t plaintext_len = 0;
237 if (!omit_length_in_ad_) {
238 size_t overhead = MaxOverhead();
239 if (in.size() < overhead) {
240 // Publicly invalid.
241 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
242 return false;
243 }
244 plaintext_len = in.size() - overhead;
245 }
246 uint8_t ad[13];
247 size_t ad_len =
248 GetAdditionalData(ad, type, record_version, seqnum, plaintext_len);
249
250 // Assemble the nonce.
251 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
252 size_t nonce_len = 0;
253
254 // Prepend the fixed nonce, or left-pad with zeros if XORing.
255 if (xor_fixed_nonce_) {
256 nonce_len = fixed_nonce_len_ - variable_nonce_len_;
257 OPENSSL_memset(nonce, 0, nonce_len);
258 } else {
259 OPENSSL_memcpy(nonce, fixed_nonce_, fixed_nonce_len_);
260 nonce_len += fixed_nonce_len_;
261 }
262
263 // Add the variable nonce.
264 if (variable_nonce_included_in_record_) {
265 if (in.size() < variable_nonce_len_) {
266 // Publicly invalid.
267 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
268 return false;
269 }
270 OPENSSL_memcpy(nonce + nonce_len, in.data(), variable_nonce_len_);
271 in = in.subspan(variable_nonce_len_);
272 } else {
273 assert(variable_nonce_len_ == 8);
274 OPENSSL_memcpy(nonce + nonce_len, seqnum, variable_nonce_len_);
275 }
276 nonce_len += variable_nonce_len_;
277
278 // XOR the fixed nonce, if necessary.
279 if (xor_fixed_nonce_) {
280 assert(nonce_len == fixed_nonce_len_);
281 for (size_t i = 0; i < fixed_nonce_len_; i++) {
282 nonce[i] ^= fixed_nonce_[i];
283 }
284 }
285
286 // Decrypt in-place.
287 size_t len;
288 if (!EVP_AEAD_CTX_open(ctx_.get(), in.data(), &len, in.size(), nonce,
289 nonce_len, in.data(), in.size(), ad, ad_len)) {
290 return false;
291 }
292 *out = in.subspan(0, len);
293 return true;
294 }
295
SealScatter(uint8_t * out_prefix,uint8_t * out,uint8_t * out_suffix,uint8_t type,uint16_t record_version,const uint8_t seqnum[8],const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len)296 bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out,
297 uint8_t *out_suffix, uint8_t type,
298 uint16_t record_version,
299 const uint8_t seqnum[8], const uint8_t *in,
300 size_t in_len, const uint8_t *extra_in,
301 size_t extra_in_len) {
302 const size_t prefix_len = ExplicitNonceLen();
303 size_t suffix_len;
304 if (!SuffixLen(&suffix_len, in_len, extra_in_len)) {
305 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
306 return false;
307 }
308 if ((in != out && buffers_alias(in, in_len, out, in_len)) ||
309 buffers_alias(in, in_len, out_prefix, prefix_len) ||
310 buffers_alias(in, in_len, out_suffix, suffix_len)) {
311 OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
312 return false;
313 }
314
315 if (is_null_cipher() || FUZZER_MODE) {
316 // Handle the initial NULL cipher.
317 OPENSSL_memmove(out, in, in_len);
318 OPENSSL_memmove(out_suffix, extra_in, extra_in_len);
319 return true;
320 }
321
322 uint8_t ad[13];
323 size_t ad_len = GetAdditionalData(ad, type, record_version, seqnum, in_len);
324
325 // Assemble the nonce.
326 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
327 size_t nonce_len = 0;
328
329 // Prepend the fixed nonce, or left-pad with zeros if XORing.
330 if (xor_fixed_nonce_) {
331 nonce_len = fixed_nonce_len_ - variable_nonce_len_;
332 OPENSSL_memset(nonce, 0, nonce_len);
333 } else {
334 OPENSSL_memcpy(nonce, fixed_nonce_, fixed_nonce_len_);
335 nonce_len += fixed_nonce_len_;
336 }
337
338 // Select the variable nonce.
339 if (random_variable_nonce_) {
340 assert(variable_nonce_included_in_record_);
341 if (!RAND_bytes(nonce + nonce_len, variable_nonce_len_)) {
342 return false;
343 }
344 } else {
345 // When sending we use the sequence number as the variable part of the
346 // nonce.
347 assert(variable_nonce_len_ == 8);
348 OPENSSL_memcpy(nonce + nonce_len, seqnum, variable_nonce_len_);
349 }
350 nonce_len += variable_nonce_len_;
351
352 // Emit the variable nonce if included in the record.
353 if (variable_nonce_included_in_record_) {
354 assert(!xor_fixed_nonce_);
355 if (buffers_alias(in, in_len, out_prefix, variable_nonce_len_)) {
356 OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
357 return false;
358 }
359 OPENSSL_memcpy(out_prefix, nonce + fixed_nonce_len_,
360 variable_nonce_len_);
361 }
362
363 // XOR the fixed nonce, if necessary.
364 if (xor_fixed_nonce_) {
365 assert(nonce_len == fixed_nonce_len_);
366 for (size_t i = 0; i < fixed_nonce_len_; i++) {
367 nonce[i] ^= fixed_nonce_[i];
368 }
369 }
370
371 size_t written_suffix_len;
372 bool result = !!EVP_AEAD_CTX_seal_scatter(
373 ctx_.get(), out, out_suffix, &written_suffix_len, suffix_len, nonce,
374 nonce_len, in, in_len, extra_in, extra_in_len, ad, ad_len);
375 assert(!result || written_suffix_len == suffix_len);
376 return result;
377 }
378
Seal(uint8_t * out,size_t * out_len,size_t max_out_len,uint8_t type,uint16_t record_version,const uint8_t seqnum[8],const uint8_t * in,size_t in_len)379 bool SSLAEADContext::Seal(uint8_t *out, size_t *out_len, size_t max_out_len,
380 uint8_t type, uint16_t record_version,
381 const uint8_t seqnum[8], const uint8_t *in,
382 size_t in_len) {
383 const size_t prefix_len = ExplicitNonceLen();
384 size_t suffix_len;
385 if (!SuffixLen(&suffix_len, in_len, 0)) {
386 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
387 return false;
388 }
389 if (in_len + prefix_len < in_len ||
390 in_len + prefix_len + suffix_len < in_len + prefix_len) {
391 OPENSSL_PUT_ERROR(CIPHER, SSL_R_RECORD_TOO_LARGE);
392 return false;
393 }
394 if (in_len + prefix_len + suffix_len > max_out_len) {
395 OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
396 return false;
397 }
398
399 if (!SealScatter(out, out + prefix_len, out + prefix_len + in_len, type,
400 record_version, seqnum, in, in_len, 0, 0)) {
401 return false;
402 }
403 *out_len = prefix_len + in_len + suffix_len;
404 return true;
405 }
406
GetIV(const uint8_t ** out_iv,size_t * out_iv_len) const407 bool SSLAEADContext::GetIV(const uint8_t **out_iv, size_t *out_iv_len) const {
408 return !is_null_cipher() &&
409 EVP_AEAD_CTX_get_iv(ctx_.get(), out_iv, out_iv_len);
410 }
411
412 } // namespace bssl
413