1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
#include "error/s2n_errno.h"
#include "utils/s2n_safety.h"
#include "utils/s2n_mem.h"
#include "tls/s2n_connection.h"
#include "tls/s2n_record.h"
/* Derive the AAD for an AEAD mode cipher suite from the connection state, per
* RFC 5246 section 6.2.3.3 */
S2N_RESULT s2n_aead_aad_init(const struct s2n_connection *conn, uint8_t * sequence_number, uint8_t content_type, uint16_t record_length, struct s2n_blob *ad)
{
RESULT_ENSURE_REF(ad);
RESULT_ENSURE_GTE(ad->size, S2N_TLS_MAX_AAD_LEN);
uint8_t *data = ad->data;
RESULT_GUARD_PTR(data);
/* ad = seq_num || record_type || version || length */
size_t idx = 0;
for(; idx < S2N_TLS_SEQUENCE_NUM_LEN; idx++) {
data[idx] = sequence_number[idx];
}
data[idx++] = content_type;
data[idx++] = conn->actual_protocol_version / 10;
data[idx++] = conn->actual_protocol_version % 10;
data[idx++] = record_length >> 8;
data[idx++] = record_length & UINT8_MAX;
/* Double check no overflow */
RESULT_ENSURE_LTE(idx, ad->size);
return S2N_RESULT_OK;
}
/* Prepares an AAD (additional authentication data) for a TLS 1.3 AEAD record */
S2N_RESULT s2n_tls13_aead_aad_init(uint16_t record_length, uint8_t tag_length, struct s2n_blob *additional_data)
{
RESULT_ENSURE_GT(tag_length, 0);
RESULT_ENSURE_REF(additional_data);
RESULT_ENSURE_GTE(additional_data->size, S2N_TLS13_AAD_LEN);
uint8_t *data = additional_data->data;
RESULT_GUARD_PTR(data);
size_t idx = 0;
/**
*= https://tools.ietf.org/rfc/rfc8446#section-5.2
*# opaque_type: The outer opaque_type field of a TLSCiphertext record
*# is always set to the value 23 (application_data) for outward
*# compatibility with middleboxes accustomed to parsing previous
*# versions of TLS. The actual content type of the record is found
*# in TLSInnerPlaintext.type after decryption.
**/
data[idx++] = TLS_APPLICATION_DATA;
/**
*= https://tools.ietf.org/rfc/rfc8446#section-5.2
*# legacy_record_version: The legacy_record_version field is always
*# 0x0303. TLS 1.3 TLSCiphertexts are not generated until after
*# TLS 1.3 has been negotiated, so there are no historical
*# compatibility concerns where other values might be received. Note
*# that the handshake protocol, including the ClientHello and
*# ServerHello messages, authenticates the protocol version, so this
*# value is redundant.
*/
data[idx++] = 0x03;
data[idx++] = 0x03;
/**
*= https://tools.ietf.org/rfc/rfc8446#section-5.2
*# length: The length (in bytes) of the following
*# TLSCiphertext.encrypted_record, which is the sum of the lengths of
*# the content and the padding, plus one for the inner content type,
*# plus any expansion added by the AEAD algorithm. The length
*# MUST NOT exceed 2^14 + 256 bytes. An endpoint that receives a
*# record that exceeds this length MUST terminate the connection with
*# a "record_overflow" alert.
*/
uint16_t length = record_length + tag_length;
RESULT_ENSURE(length <= (1 << 14) + 256, S2N_ERR_RECORD_LIMIT);
data[idx++] = length >> 8;
data[idx++] = length & UINT8_MAX;
/* Double check no overflow */
RESULT_ENSURE_LTE(idx, additional_data->size);
return S2N_RESULT_OK;
}
|