security/nss/gtests/ssl_gtest/tls_protect.cc


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "tls_protect.h"
#include "sslproto.h"
#include "tls_filter.h"

namespace nss_test {

static uint64_t FirstSeqno(bool dtls, uint16_t epoc) {
  if (dtls) {
    return static_cast<uint64_t>(epoc) << 48;
  }
  return 0;
}

TlsCipherSpec::TlsCipherSpec(bool dtls, uint16_t epoc)
    : dtls_(dtls),
      epoch_(epoc),
      in_seqno_(FirstSeqno(dtls, epoc)),
      out_seqno_(FirstSeqno(dtls, epoc)) {}

bool TlsCipherSpec::SetKeys(SSLCipherSuiteInfo* cipherinfo,
                            PK11SymKey* secret) {
  SSLAeadContext* aead_ctx;
  SSLProtocolVariant variant =
      dtls_ ? ssl_variant_datagram : ssl_variant_stream;
  SECStatus rv =
      SSL_MakeVariantAead(SSL_LIBRARY_VERSION_TLS_1_3, cipherinfo->cipherSuite,
                          variant, secret, "", 0,  // Use the default labels.
                          &aead_ctx);
  if (rv != SECSuccess) {
    return false;
  }
  aead_.reset(aead_ctx);

  SSLMaskingContext* mask_ctx;
  const char kHkdfPurposeSn[] = "sn";
  rv = SSL_CreateVariantMaskingContext(
      SSL_LIBRARY_VERSION_TLS_1_3, cipherinfo->cipherSuite, variant, secret,
      kHkdfPurposeSn, strlen(kHkdfPurposeSn), &mask_ctx);
  if (rv != SECSuccess) {
    return false;
  }
  mask_.reset(mask_ctx);
  return true;
}

bool TlsCipherSpec::Unprotect(const TlsRecordHeader& header,
                              const DataBuffer& ciphertext,
                              DataBuffer* plaintext,
                              TlsRecordHeader* out_header) {
  if (!aead_ || !out_header) {
    return false;
  }
  *out_header = header;

  // Make space.
  plaintext->Allocate(ciphertext.len());

  unsigned int len;
  uint64_t seqno = dtls_ ? header.sequence_number() : in_seqno_;
  SECStatus rv;

  if (header.is_dtls13_ciphertext()) {
    if (!mask_ || !out_header) {
      return false;
    }
    PORT_Assert(ciphertext.len() >= 16);
    DataBuffer mask(2);
    rv = SSL_CreateMask(mask_.get(), ciphertext.data(), ciphertext.len(),
                        mask.data(), mask.len());
    if (rv != SECSuccess) {
      return false;
    }

    if (!out_header->MaskSequenceNumber(mask)) {
      return false;
    }
    seqno = out_header->sequence_number();
  }

  if (header.is_dtls() && (header.version() >= SSL_LIBRARY_VERSION_TLS_1_3)) {
    // Removing the epoch (16 first bits)
    seqno = seqno & 0xffffffffffff;
  }

  auto header_bytes = out_header->header();
  rv = SSL_AeadDecrypt(aead_.get(), seqno, header_bytes.data(),
                       header_bytes.len(), ciphertext.data(), ciphertext.len(),
                       plaintext->data(), &len, plaintext->len());
  if (rv != SECSuccess) {
    return false;
  }

  RecordUnprotected(seqno);
  plaintext->Truncate(static_cast<size_t>(len));

  return true;
}

bool TlsCipherSpec::Protect(const TlsRecordHeader& header,
                            const DataBuffer& plaintext, DataBuffer* ciphertext,
                            TlsRecordHeader* out_header) {
  if (!aead_ || !out_header) {
    return false;
  }

  *out_header = header;

  // Make a padded buffer.
  ciphertext->Allocate(plaintext.len() +
                       32);  // Room for any plausible auth tag
  unsigned int len;

  DataBuffer header_bytes;
  (void)header.WriteHeader(&header_bytes, 0, plaintext.len() + 16);
  uint64_t seqno = dtls_ ? header.sequence_number() : out_seqno_;

  if (header.is_dtls() && (header.version() >= SSL_LIBRARY_VERSION_TLS_1_3)) {
    // Removing the epoch (16 first bits)
    seqno = seqno & 0xffffffffffff;
  }

  SECStatus rv =
      SSL_AeadEncrypt(aead_.get(), seqno, header_bytes.data(),
                      header_bytes.len(), plaintext.data(), plaintext.len(),
                      ciphertext->data(), &len, ciphertext->len());
  if (rv != SECSuccess) {
    return false;
  }

  if (header.is_dtls13_ciphertext()) {
    if (!mask_ || !out_header) {
      return false;
    }
    PORT_Assert(ciphertext->len() >= 16);
    DataBuffer mask(2);
    rv = SSL_CreateMask(mask_.get(), ciphertext->data(), ciphertext->len(),
                        mask.data(), mask.len());
    if (rv != SECSuccess) {
      return false;
    }
    if (!out_header->MaskSequenceNumber(mask)) {
      return false;
    }
  }

  RecordProtected();
  ciphertext->Truncate(len);

  return true;
}

}  // namespace nss_test