1 /* $OpenBSD: tls13_record_layer.c,v 1.74 2024/09/09 03:32:29 tb Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "tls13_internal.h" 19 #include "tls13_record.h" 20 #include "tls_content.h" 21 22 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 23 uint8_t content_type, const uint8_t *buf, size_t n); 24 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, 25 uint8_t content_type, const uint8_t *content, size_t content_len); 26 27 struct tls13_record_protection { 28 EVP_AEAD_CTX *aead_ctx; 29 struct tls13_secret iv; 30 struct tls13_secret nonce; 31 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 32 }; 33 34 struct tls13_record_protection * 35 tls13_record_protection_new(void) 36 { 37 return calloc(1, sizeof(struct tls13_record_protection)); 38 } 39 40 void 41 tls13_record_protection_clear(struct tls13_record_protection *rp) 42 { 43 EVP_AEAD_CTX_free(rp->aead_ctx); 44 45 tls13_secret_cleanup(&rp->iv); 46 tls13_secret_cleanup(&rp->nonce); 47 48 memset(rp, 0, sizeof(*rp)); 49 } 50 51 void 52 tls13_record_protection_free(struct tls13_record_protection *rp) 53 { 54 if (rp == NULL) 55 return; 56 57 tls13_record_protection_clear(rp); 58 59 freezero(rp, sizeof(struct tls13_record_protection)); 60 } 61 62 struct tls13_record_layer { 63 uint16_t legacy_version; 64 65 int ccs_allowed; 66 int ccs_seen; 67 int ccs_sent; 68 int handshake_completed; 69 int legacy_alerts_allowed; 70 int phh; 71 int phh_retry; 72 73 /* 74 * Read and/or write channels are closed due to an alert being 75 * sent or received. In the case of an error alert both channels 76 * are closed, whereas in the case of a close notify only one 77 * channel is closed. 78 */ 79 int read_closed; 80 int write_closed; 81 82 struct tls13_record *rrec; 83 84 struct tls13_record *wrec; 85 uint8_t wrec_content_type; 86 size_t wrec_appdata_len; 87 size_t wrec_content_len; 88 89 /* Alert to be sent on return from current read handler. */ 90 uint8_t alert; 91 92 /* Pending alert messages. */ 93 uint8_t *alert_data; 94 size_t alert_len; 95 uint8_t alert_level; 96 uint8_t alert_desc; 97 98 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ 99 CBS phh_cbs; 100 uint8_t *phh_data; 101 size_t phh_len; 102 103 /* Content from opened records. */ 104 struct tls_content *rcontent; 105 106 /* Record protection. */ 107 const EVP_MD *hash; 108 const EVP_AEAD *aead; 109 struct tls13_record_protection *read; 110 struct tls13_record_protection *write; 111 112 /* Callbacks. */ 113 struct tls13_record_layer_callbacks cb; 114 void *cb_arg; 115 }; 116 117 static void 118 tls13_record_layer_rrec_free(struct tls13_record_layer *rl) 119 { 120 tls13_record_free(rl->rrec); 121 rl->rrec = NULL; 122 } 123 124 static void 125 tls13_record_layer_wrec_free(struct tls13_record_layer *rl) 126 { 127 tls13_record_free(rl->wrec); 128 rl->wrec = NULL; 129 } 130 131 struct tls13_record_layer * 132 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, 133 void *cb_arg) 134 { 135 struct tls13_record_layer *rl; 136 137 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) 138 goto err; 139 140 if ((rl->rcontent = tls_content_new()) == NULL) 141 goto err; 142 143 if ((rl->read = tls13_record_protection_new()) == NULL) 144 goto err; 145 if ((rl->write = tls13_record_protection_new()) == NULL) 146 goto err; 147 148 rl->legacy_version = TLS1_2_VERSION; 149 150 tls13_record_layer_set_callbacks(rl, callbacks, cb_arg); 151 152 return rl; 153 154 err: 155 tls13_record_layer_free(rl); 156 157 return NULL; 158 } 159 160 void 161 tls13_record_layer_free(struct tls13_record_layer *rl) 162 { 163 if (rl == NULL) 164 return; 165 166 tls13_record_layer_rrec_free(rl); 167 tls13_record_layer_wrec_free(rl); 168 169 freezero(rl->alert_data, rl->alert_len); 170 freezero(rl->phh_data, rl->phh_len); 171 172 tls_content_free(rl->rcontent); 173 174 tls13_record_protection_free(rl->read); 175 tls13_record_protection_free(rl->write); 176 177 freezero(rl, sizeof(struct tls13_record_layer)); 178 } 179 180 void 181 tls13_record_layer_set_callbacks(struct tls13_record_layer *rl, 182 const struct tls13_record_layer_callbacks *callbacks, void *cb_arg) 183 { 184 rl->cb = *callbacks; 185 rl->cb_arg = cb_arg; 186 } 187 188 void 189 tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs) 190 { 191 CBS_dup(tls_content_cbs(rl->rcontent), cbs); 192 } 193 194 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { 195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 196 }; 197 198 int 199 tls13_record_layer_inc_seq_num(uint8_t *seq_num) 200 { 201 int i; 202 203 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ 204 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) 205 return 0; 206 207 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 208 if (++seq_num[i] != 0) 209 break; 210 } 211 212 return 1; 213 } 214 215 static int 216 tls13_record_layer_update_nonce(struct tls13_secret *nonce, 217 struct tls13_secret *iv, uint8_t *seq_num) 218 { 219 ssize_t i, j; 220 221 if (nonce->len != iv->len) 222 return 0; 223 224 /* 225 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd 226 * with the IV to produce a per-record nonce. The IV will also be 227 * at least 8-bytes in length. 228 */ 229 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) 230 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0); 231 232 return 1; 233 } 234 235 void 236 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) 237 { 238 rl->ccs_allowed = allow; 239 } 240 241 void 242 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) 243 { 244 rl->legacy_alerts_allowed = allow; 245 } 246 247 void 248 tls13_record_layer_set_aead(struct tls13_record_layer *rl, 249 const EVP_AEAD *aead) 250 { 251 rl->aead = aead; 252 } 253 254 void 255 tls13_record_layer_set_hash(struct tls13_record_layer *rl, 256 const EVP_MD *hash) 257 { 258 rl->hash = hash; 259 } 260 261 void 262 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, 263 uint16_t version) 264 { 265 rl->legacy_version = version; 266 } 267 268 void 269 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) 270 { 271 rl->handshake_completed = 1; 272 } 273 274 void 275 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) 276 { 277 rl->phh_retry = retry; 278 } 279 280 static ssize_t 281 tls13_record_layer_process_alert(struct tls13_record_layer *rl) 282 { 283 uint8_t alert_level, alert_desc; 284 ssize_t ret = TLS13_IO_FAILURE; 285 286 /* 287 * RFC 8446 - sections 5.1 and 6. 288 * 289 * A TLSv1.3 alert record can only contain a single alert - this means 290 * that processing the alert must consume all of the record. The alert 291 * will result in one of three things - continuation (user_cancelled), 292 * read channel closure (close_notify) or termination (all others). 293 */ 294 if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT) 295 return TLS13_IO_FAILURE; 296 297 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level)) 298 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 299 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc)) 300 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 301 302 if (tls_content_remaining(rl->rcontent) != 0) 303 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 304 305 tls_content_clear(rl->rcontent); 306 307 /* 308 * Alert level is ignored for closure alerts (RFC 8446 section 6.1), 309 * however for error alerts (RFC 8446 section 6.2), the alert level 310 * must be specified as fatal. 311 */ 312 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 313 rl->read_closed = 1; 314 ret = TLS13_IO_EOF; 315 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { 316 /* Ignored at the record layer. */ 317 ret = TLS13_IO_WANT_RETRY; 318 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { 319 rl->read_closed = 1; 320 rl->write_closed = 1; 321 ret = TLS13_IO_ALERT; 322 } else if (rl->legacy_alerts_allowed && 323 alert_level == TLS13_ALERT_LEVEL_WARNING) { 324 /* Ignored and not passed to the callback. */ 325 return TLS13_IO_WANT_RETRY; 326 } else { 327 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 328 } 329 330 rl->cb.alert_recv(alert_level, alert_desc, rl->cb_arg); 331 332 return ret; 333 } 334 335 void 336 tls13_record_layer_alert_sent(struct tls13_record_layer *rl, 337 uint8_t alert_level, uint8_t alert_desc) 338 { 339 rl->cb.alert_sent(alert_level, alert_desc, rl->cb_arg); 340 } 341 342 static ssize_t 343 tls13_record_layer_send_alert(struct tls13_record_layer *rl) 344 { 345 ssize_t ret; 346 347 /* This has to fit into a single record, per RFC 8446 section 5.1. */ 348 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, 349 rl->alert_data, rl->alert_len)) != rl->alert_len) { 350 if (ret == TLS13_IO_EOF) 351 ret = TLS13_IO_ALERT; 352 return ret; 353 } 354 355 freezero(rl->alert_data, rl->alert_len); 356 rl->alert_data = NULL; 357 rl->alert_len = 0; 358 359 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 360 rl->write_closed = 1; 361 ret = TLS13_IO_SUCCESS; 362 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { 363 /* Ignored at the record layer. */ 364 ret = TLS13_IO_SUCCESS; 365 } else { 366 rl->read_closed = 1; 367 rl->write_closed = 1; 368 ret = TLS13_IO_ALERT; 369 } 370 371 tls13_record_layer_alert_sent(rl, rl->alert_level, rl->alert_desc); 372 373 return ret; 374 } 375 376 static ssize_t 377 tls13_record_layer_send_phh(struct tls13_record_layer *rl) 378 { 379 ssize_t ret; 380 381 /* Push out pending post-handshake handshake messages. */ 382 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, 383 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) 384 return ret; 385 if (!CBS_skip(&rl->phh_cbs, ret)) 386 return TLS13_IO_FAILURE; 387 if (CBS_len(&rl->phh_cbs) != 0) 388 return TLS13_IO_WANT_RETRY; 389 390 freezero(rl->phh_data, rl->phh_len); 391 rl->phh_data = NULL; 392 rl->phh_len = 0; 393 394 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 395 396 rl->cb.phh_sent(rl->cb_arg); 397 398 return TLS13_IO_SUCCESS; 399 } 400 401 ssize_t 402 tls13_record_layer_send_pending(struct tls13_record_layer *rl) 403 { 404 /* 405 * If an alert is pending, then it needs to be sent. However, 406 * if we're already part of the way through sending post-handshake 407 * handshake messages, then we need to finish that first... 408 */ 409 410 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) 411 return tls13_record_layer_send_phh(rl); 412 413 if (rl->alert_data != NULL) 414 return tls13_record_layer_send_alert(rl); 415 416 if (rl->phh_data != NULL) 417 return tls13_record_layer_send_phh(rl); 418 419 return TLS13_IO_SUCCESS; 420 } 421 422 static ssize_t 423 tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl, 424 uint8_t alert_level, uint8_t alert_desc) 425 { 426 CBB cbb; 427 428 if (rl->alert_data != NULL) 429 return TLS13_IO_FAILURE; 430 431 if (!CBB_init(&cbb, 0)) 432 goto err; 433 434 if (!CBB_add_u8(&cbb, alert_level)) 435 goto err; 436 if (!CBB_add_u8(&cbb, alert_desc)) 437 goto err; 438 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) 439 goto err; 440 441 rl->alert_level = alert_level; 442 rl->alert_desc = alert_desc; 443 444 return tls13_record_layer_send_pending(rl); 445 446 err: 447 CBB_cleanup(&cbb); 448 449 return TLS13_IO_FAILURE; 450 } 451 452 ssize_t 453 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) 454 { 455 if (rl->phh_data != NULL) 456 return TLS13_IO_FAILURE; 457 458 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) 459 return TLS13_IO_FAILURE; 460 461 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 462 463 return tls13_record_layer_send_pending(rl); 464 } 465 466 static int 467 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash, 468 struct tls13_record_protection *rp, struct tls13_secret *traffic_key) 469 { 470 struct tls13_secret context = { .data = "", .len = 0 }; 471 struct tls13_secret key = { .data = NULL, .len = 0 }; 472 int ret = 0; 473 474 tls13_record_protection_clear(rp); 475 476 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL) 477 return 0; 478 479 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead))) 480 goto err; 481 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead))) 482 goto err; 483 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead))) 484 goto err; 485 486 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context)) 487 goto err; 488 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) 489 goto err; 490 491 if (!EVP_AEAD_CTX_init(rp->aead_ctx, aead, key.data, key.len, 492 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 493 goto err; 494 495 ret = 1; 496 497 err: 498 tls13_secret_cleanup(&key); 499 500 return ret; 501 } 502 503 int 504 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 505 struct tls13_secret *read_key, enum ssl_encryption_level_t read_level) 506 { 507 if (rl->cb.set_read_traffic_key != NULL) 508 return rl->cb.set_read_traffic_key(read_key, read_level, 509 rl->cb_arg); 510 511 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 512 rl->read, read_key); 513 } 514 515 int 516 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 517 struct tls13_secret *write_key, enum ssl_encryption_level_t write_level) 518 { 519 if (rl->cb.set_write_traffic_key != NULL) 520 return rl->cb.set_write_traffic_key(write_key, write_level, 521 rl->cb_arg); 522 523 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 524 rl->write, write_key); 525 } 526 527 static int 528 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) 529 { 530 CBS cbs; 531 532 if (rl->aead != NULL) 533 return 0; 534 535 /* 536 * We're still operating in plaintext mode, so just copy the 537 * content from the record to the plaintext buffer. 538 */ 539 if (!tls13_record_content(rl->rrec, &cbs)) 540 return 0; 541 542 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 543 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 544 return 0; 545 } 546 547 if (!tls_content_dup_data(rl->rcontent, 548 tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs))) 549 return 0; 550 551 return 1; 552 } 553 554 static int 555 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) 556 { 557 CBS header, enc_record, inner; 558 uint8_t *content = NULL; 559 size_t content_len = 0; 560 uint8_t content_type; 561 size_t out_len; 562 563 if (rl->aead == NULL) 564 goto err; 565 566 if (!tls13_record_header(rl->rrec, &header)) 567 goto err; 568 if (!tls13_record_content(rl->rrec, &enc_record)) 569 goto err; 570 571 /* XXX - minus tag len? */ 572 if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 573 goto err; 574 content_len = CBS_len(&enc_record); 575 576 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv, 577 rl->read->seq_num)) 578 goto err; 579 580 if (!EVP_AEAD_CTX_open(rl->read->aead_ctx, 581 content, &out_len, content_len, 582 rl->read->nonce.data, rl->read->nonce.len, 583 CBS_data(&enc_record), CBS_len(&enc_record), 584 CBS_data(&header), CBS_len(&header))) 585 goto err; 586 587 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { 588 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 589 goto err; 590 } 591 592 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num)) 593 goto err; 594 595 /* 596 * The real content type is hidden at the end of the record content and 597 * it may be followed by padding that consists of one or more zeroes. 598 * Time to hunt for that elusive content type! 599 */ 600 CBS_init(&inner, content, out_len); 601 content_type = 0; 602 while (CBS_get_last_u8(&inner, &content_type)) { 603 if (content_type != 0) 604 break; 605 } 606 if (content_type == 0) { 607 /* Unexpected message per RFC 8446 section 5.4. */ 608 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; 609 goto err; 610 } 611 if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 612 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 613 goto err; 614 } 615 616 tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner), 617 CBS_len(&inner)); 618 619 return 1; 620 621 err: 622 freezero(content, content_len); 623 624 return 0; 625 } 626 627 static int 628 tls13_record_layer_open_record(struct tls13_record_layer *rl) 629 { 630 if (rl->handshake_completed && rl->aead == NULL) 631 return 0; 632 633 if (rl->aead == NULL) 634 return tls13_record_layer_open_record_plaintext(rl); 635 636 return tls13_record_layer_open_record_protected(rl); 637 } 638 639 static int 640 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, 641 uint8_t content_type, const uint8_t *content, size_t content_len) 642 { 643 uint8_t *data = NULL; 644 size_t data_len = 0; 645 CBB cbb, body; 646 647 /* 648 * Allow dummy CCS messages to be sent in plaintext even when 649 * record protection has been engaged, as long as the handshake 650 * has not yet completed. 651 */ 652 if (rl->handshake_completed) 653 return 0; 654 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) 655 return 0; 656 657 /* 658 * We're still operating in plaintext mode, so just copy the 659 * content into the record. 660 */ 661 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) 662 goto err; 663 664 if (!CBB_add_u8(&cbb, content_type)) 665 goto err; 666 if (!CBB_add_u16(&cbb, rl->legacy_version)) 667 goto err; 668 if (!CBB_add_u16_length_prefixed(&cbb, &body)) 669 goto err; 670 if (!CBB_add_bytes(&body, content, content_len)) 671 goto err; 672 673 if (!CBB_finish(&cbb, &data, &data_len)) 674 goto err; 675 676 if (!tls13_record_set_data(rl->wrec, data, data_len)) 677 goto err; 678 679 rl->wrec_content_len = content_len; 680 rl->wrec_content_type = content_type; 681 682 return 1; 683 684 err: 685 CBB_cleanup(&cbb); 686 freezero(data, data_len); 687 688 return 0; 689 } 690 691 static int 692 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, 693 uint8_t content_type, const uint8_t *content, size_t content_len) 694 { 695 uint8_t *data = NULL, *header = NULL, *inner = NULL; 696 size_t data_len = 0, header_len = 0, inner_len = 0; 697 uint8_t *enc_record; 698 size_t enc_record_len; 699 ssize_t ret = 0; 700 size_t out_len; 701 CBB cbb; 702 703 if (rl->aead == NULL) 704 return 0; 705 706 memset(&cbb, 0, sizeof(cbb)); 707 708 /* Build inner plaintext. */ 709 if (!CBB_init(&cbb, content_len + 1)) 710 goto err; 711 if (!CBB_add_bytes(&cbb, content, content_len)) 712 goto err; 713 if (!CBB_add_u8(&cbb, content_type)) 714 goto err; 715 /* XXX - padding? */ 716 if (!CBB_finish(&cbb, &inner, &inner_len)) 717 goto err; 718 719 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) 720 goto err; 721 722 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 723 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); 724 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) 725 goto err; 726 727 /* Build the record header. */ 728 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) 729 goto err; 730 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) 731 goto err; 732 if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 733 goto err; 734 if (!CBB_add_u16(&cbb, enc_record_len)) 735 goto err; 736 if (!CBB_finish(&cbb, &header, &header_len)) 737 goto err; 738 739 /* Build the actual record. */ 740 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) 741 goto err; 742 if (!CBB_add_bytes(&cbb, header, header_len)) 743 goto err; 744 if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) 745 goto err; 746 if (!CBB_finish(&cbb, &data, &data_len)) 747 goto err; 748 749 if (!tls13_record_layer_update_nonce(&rl->write->nonce, 750 &rl->write->iv, rl->write->seq_num)) 751 goto err; 752 753 /* 754 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec... 755 * this would avoid a copy since the inner would be passed as two 756 * separate pieces. 757 */ 758 if (!EVP_AEAD_CTX_seal(rl->write->aead_ctx, 759 enc_record, &out_len, enc_record_len, 760 rl->write->nonce.data, rl->write->nonce.len, 761 inner, inner_len, header, header_len)) 762 goto err; 763 764 if (out_len != enc_record_len) 765 goto err; 766 767 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num)) 768 goto err; 769 770 if (!tls13_record_set_data(rl->wrec, data, data_len)) 771 goto err; 772 773 rl->wrec_content_len = content_len; 774 rl->wrec_content_type = content_type; 775 776 data = NULL; 777 data_len = 0; 778 779 ret = 1; 780 781 err: 782 CBB_cleanup(&cbb); 783 784 freezero(data, data_len); 785 freezero(header, header_len); 786 freezero(inner, inner_len); 787 788 return ret; 789 } 790 791 static int 792 tls13_record_layer_seal_record(struct tls13_record_layer *rl, 793 uint8_t content_type, const uint8_t *content, size_t content_len) 794 { 795 if (rl->handshake_completed && rl->aead == NULL) 796 return 0; 797 798 tls13_record_layer_wrec_free(rl); 799 800 if ((rl->wrec = tls13_record_new()) == NULL) 801 return 0; 802 803 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) 804 return tls13_record_layer_seal_record_plaintext(rl, 805 content_type, content, content_len); 806 807 return tls13_record_layer_seal_record_protected(rl, content_type, 808 content, content_len); 809 } 810 811 static ssize_t 812 tls13_record_layer_read_record(struct tls13_record_layer *rl) 813 { 814 uint8_t content_type, ccs; 815 ssize_t ret; 816 CBS cbs; 817 818 if (rl->rrec == NULL) { 819 if ((rl->rrec = tls13_record_new()) == NULL) 820 goto err; 821 } 822 823 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { 824 switch (ret) { 825 case TLS13_IO_RECORD_VERSION: 826 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 827 case TLS13_IO_RECORD_OVERFLOW: 828 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); 829 } 830 return ret; 831 } 832 833 content_type = tls13_record_content_type(rl->rrec); 834 835 /* 836 * In response to a client hello we may receive an alert in a 837 * record with a legacy version. Otherwise enforce that the 838 * legacy record version is 0x0303 per RFC 8446, section 5.1. 839 */ 840 if (rl->legacy_version == TLS1_2_VERSION && 841 tls13_record_version(rl->rrec) != TLS1_2_VERSION && 842 (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed)) 843 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 844 845 /* 846 * Bag of hacks ahead... after the first ClientHello message has been 847 * sent or received and before the peer's Finished message has been 848 * received, we may receive an unencrypted ChangeCipherSpec record 849 * (see RFC 8446 section 5 and appendix D.4). This record must be 850 * ignored. 851 */ 852 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 853 if (!rl->ccs_allowed || rl->ccs_seen >= 2) 854 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 855 if (!tls13_record_content(rl->rrec, &cbs)) 856 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 857 if (!CBS_get_u8(&cbs, &ccs)) 858 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 859 if (ccs != 1) 860 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 861 if (CBS_len(&cbs) != 0) 862 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 863 rl->ccs_seen++; 864 tls13_record_layer_rrec_free(rl); 865 return TLS13_IO_WANT_RETRY; 866 } 867 868 /* 869 * Once record protection is engaged, we should only receive 870 * protected application data messages (aside from the 871 * dummy ChangeCipherSpec messages, handled above). 872 */ 873 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) 874 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 875 876 if (!tls13_record_layer_open_record(rl)) 877 goto err; 878 879 tls13_record_layer_rrec_free(rl); 880 881 /* 882 * On receiving a handshake or alert record with empty inner plaintext, 883 * we must terminate the connection with an unexpected_message alert. 884 * See RFC 8446 section 5.4. 885 */ 886 if (tls_content_remaining(rl->rcontent) == 0 && 887 (tls_content_type(rl->rcontent) == SSL3_RT_ALERT || 888 tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE)) 889 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 890 891 switch (tls_content_type(rl->rcontent)) { 892 case SSL3_RT_ALERT: 893 return tls13_record_layer_process_alert(rl); 894 895 case SSL3_RT_HANDSHAKE: 896 break; 897 898 case SSL3_RT_APPLICATION_DATA: 899 if (!rl->handshake_completed) 900 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 901 break; 902 903 default: 904 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 905 } 906 907 return TLS13_IO_SUCCESS; 908 909 err: 910 return TLS13_IO_FAILURE; 911 } 912 913 static ssize_t 914 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) 915 { 916 if (tls_content_type(rl->rcontent) != content_type) 917 return 0; 918 919 return tls_content_remaining(rl->rcontent); 920 } 921 922 static ssize_t 923 tls13_record_layer_recv_phh(struct tls13_record_layer *rl) 924 { 925 ssize_t ret = TLS13_IO_FAILURE; 926 927 rl->phh = 1; 928 929 /* 930 * The post handshake handshake receive callback is allowed to return: 931 * 932 * TLS13_IO_WANT_POLLIN need more handshake data. 933 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued. 934 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do. 935 * TLS13_IO_FAILURE something broke. 936 */ 937 if (rl->cb.phh_recv != NULL) 938 ret = rl->cb.phh_recv(rl->cb_arg); 939 940 tls_content_clear(rl->rcontent); 941 942 /* Leave post handshake handshake mode unless we need more data. */ 943 if (ret != TLS13_IO_WANT_POLLIN) 944 rl->phh = 0; 945 946 if (ret == TLS13_IO_SUCCESS) { 947 if (rl->phh_retry) 948 return TLS13_IO_WANT_RETRY; 949 950 return TLS13_IO_WANT_POLLIN; 951 } 952 953 return ret; 954 } 955 956 static ssize_t 957 tls13_record_layer_read_internal(struct tls13_record_layer *rl, 958 uint8_t content_type, uint8_t *buf, size_t n, int peek) 959 { 960 ssize_t ret; 961 962 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) 963 return ret; 964 965 if (rl->read_closed) 966 return TLS13_IO_EOF; 967 968 /* If necessary, pull up the next record. */ 969 if (tls_content_remaining(rl->rcontent) == 0) { 970 if ((ret = tls13_record_layer_read_record(rl)) <= 0) 971 return ret; 972 973 /* 974 * We may have read a valid 0-byte application data record, 975 * in which case we need to read the next record. 976 */ 977 if (tls_content_remaining(rl->rcontent) == 0) 978 return TLS13_IO_WANT_POLLIN; 979 } 980 981 /* 982 * If we are in post handshake handshake mode, we must not see 983 * any record type that isn't a handshake until we are done. 984 */ 985 if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE) 986 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 987 988 /* 989 * Handshake content can appear as post-handshake messages (yup, 990 * the RFC reused the same content type...), which means we can 991 * be trying to read application data and need to handle a 992 * post-handshake handshake message instead... 993 */ 994 if (tls_content_type(rl->rcontent) != content_type) { 995 if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE) { 996 if (rl->handshake_completed) 997 return tls13_record_layer_recv_phh(rl); 998 } 999 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 1000 } 1001 1002 if (peek) 1003 return tls_content_peek(rl->rcontent, buf, n); 1004 1005 return tls_content_read(rl->rcontent, buf, n); 1006 } 1007 1008 static ssize_t 1009 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, 1010 uint8_t *buf, size_t n) 1011 { 1012 ssize_t ret; 1013 1014 do { 1015 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); 1016 } while (ret == TLS13_IO_WANT_RETRY); 1017 1018 if (rl->alert != 0) 1019 return tls13_send_alert(rl, rl->alert); 1020 1021 return ret; 1022 } 1023 1024 static ssize_t 1025 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, 1026 uint8_t *buf, size_t n) 1027 { 1028 ssize_t ret; 1029 1030 do { 1031 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); 1032 } while (ret == TLS13_IO_WANT_RETRY); 1033 1034 if (rl->alert != 0) 1035 return tls13_send_alert(rl, rl->alert); 1036 1037 return ret; 1038 } 1039 1040 static ssize_t 1041 tls13_record_layer_write_record(struct tls13_record_layer *rl, 1042 uint8_t content_type, const uint8_t *content, size_t content_len) 1043 { 1044 ssize_t ret; 1045 1046 if (rl->write_closed) 1047 return TLS13_IO_EOF; 1048 1049 /* 1050 * If we pushed out application data while handling other messages, 1051 * we need to return content length on the next call. 1052 */ 1053 if (content_type == SSL3_RT_APPLICATION_DATA && 1054 rl->wrec_appdata_len != 0) { 1055 ret = rl->wrec_appdata_len; 1056 rl->wrec_appdata_len = 0; 1057 return ret; 1058 } 1059 1060 /* See if there is an existing record and attempt to push it out... */ 1061 if (rl->wrec != NULL) { 1062 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, 1063 rl->cb_arg)) <= 0) 1064 return ret; 1065 tls13_record_layer_wrec_free(rl); 1066 1067 if (rl->wrec_content_type == content_type) { 1068 ret = rl->wrec_content_len; 1069 rl->wrec_content_len = 0; 1070 rl->wrec_content_type = 0; 1071 return ret; 1072 } 1073 1074 /* 1075 * The only partial record type should be application data. 1076 * All other cases are handled to completion. 1077 */ 1078 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) 1079 return TLS13_IO_FAILURE; 1080 rl->wrec_appdata_len = rl->wrec_content_len; 1081 } 1082 1083 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1084 goto err; 1085 1086 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) 1087 goto err; 1088 1089 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) 1090 return ret; 1091 1092 tls13_record_layer_wrec_free(rl); 1093 1094 return content_len; 1095 1096 err: 1097 return TLS13_IO_FAILURE; 1098 } 1099 1100 static ssize_t 1101 tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 1102 uint8_t content_type, const uint8_t *buf, size_t n) 1103 { 1104 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1105 n = TLS13_RECORD_MAX_PLAINTEXT_LEN; 1106 1107 return tls13_record_layer_write_record(rl, content_type, buf, n); 1108 } 1109 1110 static ssize_t 1111 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, 1112 const uint8_t *buf, size_t n) 1113 { 1114 ssize_t ret; 1115 1116 do { 1117 ret = tls13_record_layer_send_pending(rl); 1118 } while (ret == TLS13_IO_WANT_RETRY); 1119 if (ret != TLS13_IO_SUCCESS) 1120 return ret; 1121 1122 do { 1123 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); 1124 } while (ret == TLS13_IO_WANT_RETRY); 1125 1126 return ret; 1127 } 1128 1129 ssize_t 1130 tls13_record_layer_flush(struct tls13_record_layer *rl) 1131 { 1132 return rl->cb.wire_flush(rl->cb_arg); 1133 } 1134 1135 static const uint8_t tls13_dummy_ccs[] = { 0x01 }; 1136 1137 ssize_t 1138 tls13_send_dummy_ccs(struct tls13_record_layer *rl) 1139 { 1140 ssize_t ret; 1141 1142 if (rl->ccs_sent) 1143 return TLS13_IO_FAILURE; 1144 1145 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, 1146 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) 1147 return ret; 1148 1149 rl->ccs_sent = 1; 1150 1151 return TLS13_IO_SUCCESS; 1152 } 1153 1154 ssize_t 1155 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1156 { 1157 if (rl->cb.handshake_read != NULL) 1158 return rl->cb.handshake_read(buf, n, rl->cb_arg); 1159 1160 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); 1161 } 1162 1163 ssize_t 1164 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 1165 size_t n) 1166 { 1167 if (rl->cb.handshake_write != NULL) 1168 return rl->cb.handshake_write(buf, n, rl->cb_arg); 1169 1170 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); 1171 } 1172 1173 ssize_t 1174 tls13_pending_application_data(struct tls13_record_layer *rl) 1175 { 1176 if (!rl->handshake_completed) 1177 return 0; 1178 1179 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); 1180 } 1181 1182 ssize_t 1183 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1184 { 1185 if (!rl->handshake_completed) 1186 return TLS13_IO_FAILURE; 1187 1188 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1189 } 1190 1191 ssize_t 1192 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1193 { 1194 if (!rl->handshake_completed) 1195 return TLS13_IO_FAILURE; 1196 1197 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1198 } 1199 1200 ssize_t 1201 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 1202 size_t n) 1203 { 1204 if (!rl->handshake_completed) 1205 return TLS13_IO_FAILURE; 1206 1207 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1208 } 1209 1210 ssize_t 1211 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) 1212 { 1213 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; 1214 ssize_t ret; 1215 1216 if (rl->cb.alert_send != NULL) 1217 return rl->cb.alert_send(alert_desc, rl->cb_arg); 1218 1219 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || 1220 alert_desc == TLS13_ALERT_USER_CANCELED) 1221 alert_level = TLS13_ALERT_LEVEL_WARNING; 1222 1223 do { 1224 ret = tls13_record_layer_enqueue_alert(rl, alert_level, 1225 alert_desc); 1226 } while (ret == TLS13_IO_WANT_RETRY); 1227 1228 return ret; 1229 } 1230