1*8699d7a9Stb /* $OpenBSD: tls13_record_layer.c,v 1.74 2024/09/09 03:32:29 tb Exp $ */ 22502d49fSjsing /* 32502d49fSjsing * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 42502d49fSjsing * 52502d49fSjsing * Permission to use, copy, modify, and distribute this software for any 62502d49fSjsing * purpose with or without fee is hereby granted, provided that the above 72502d49fSjsing * copyright notice and this permission notice appear in all copies. 82502d49fSjsing * 92502d49fSjsing * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 102502d49fSjsing * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 112502d49fSjsing * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 122502d49fSjsing * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 132502d49fSjsing * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 142502d49fSjsing * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 152502d49fSjsing * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 162502d49fSjsing */ 172502d49fSjsing 182502d49fSjsing #include "tls13_internal.h" 192502d49fSjsing #include "tls13_record.h" 208ccc3944Sjsing #include "tls_content.h" 212502d49fSjsing 223e1c03bbSjsing static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 233e1c03bbSjsing uint8_t content_type, const uint8_t *buf, size_t n); 243e1c03bbSjsing static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, 253e1c03bbSjsing uint8_t content_type, const uint8_t *content, size_t content_len); 263e1c03bbSjsing 274d9bef63Sjsing struct tls13_record_protection { 289115c013Sjsing EVP_AEAD_CTX *aead_ctx; 294d9bef63Sjsing struct tls13_secret iv; 304d9bef63Sjsing struct tls13_secret nonce; 314d9bef63Sjsing uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 324d9bef63Sjsing }; 334d9bef63Sjsing 344d9bef63Sjsing struct tls13_record_protection * 354d9bef63Sjsing tls13_record_protection_new(void) 364d9bef63Sjsing { 374d9bef63Sjsing return calloc(1, sizeof(struct tls13_record_protection)); 384d9bef63Sjsing } 394d9bef63Sjsing 404d9bef63Sjsing void 414d9bef63Sjsing tls13_record_protection_clear(struct tls13_record_protection *rp) 424d9bef63Sjsing { 43f9a06750Stb EVP_AEAD_CTX_free(rp->aead_ctx); 444d9bef63Sjsing 454d9bef63Sjsing tls13_secret_cleanup(&rp->iv); 464d9bef63Sjsing tls13_secret_cleanup(&rp->nonce); 474d9bef63Sjsing 489115c013Sjsing memset(rp, 0, sizeof(*rp)); 494d9bef63Sjsing } 504d9bef63Sjsing 514d9bef63Sjsing void 524d9bef63Sjsing tls13_record_protection_free(struct tls13_record_protection *rp) 534d9bef63Sjsing { 544d9bef63Sjsing if (rp == NULL) 554d9bef63Sjsing return; 564d9bef63Sjsing 574d9bef63Sjsing tls13_record_protection_clear(rp); 584d9bef63Sjsing 594d9bef63Sjsing freezero(rp, sizeof(struct tls13_record_protection)); 604d9bef63Sjsing } 614d9bef63Sjsing 622502d49fSjsing struct tls13_record_layer { 6394ab85a5Stb uint16_t legacy_version; 64781d0746Sjsing 65138e3c44Stb int ccs_allowed; 66138e3c44Stb int ccs_seen; 67ef59065fSjsing int ccs_sent; 682502d49fSjsing int handshake_completed; 69781d0746Sjsing int legacy_alerts_allowed; 7089458272Sbeck int phh; 713aebe440Sjsing int phh_retry; 722502d49fSjsing 73a6b06cf1Sjsing /* 74a6b06cf1Sjsing * Read and/or write channels are closed due to an alert being 75a6b06cf1Sjsing * sent or received. In the case of an error alert both channels 76a6b06cf1Sjsing * are closed, whereas in the case of a close notify only one 77a6b06cf1Sjsing * channel is closed. 78a6b06cf1Sjsing */ 79a6b06cf1Sjsing int read_closed; 80a6b06cf1Sjsing int write_closed; 81a6b06cf1Sjsing 822502d49fSjsing struct tls13_record *rrec; 833e1c03bbSjsing 842502d49fSjsing struct tls13_record *wrec; 853e1c03bbSjsing uint8_t wrec_content_type; 863e1c03bbSjsing size_t wrec_appdata_len; 873e1c03bbSjsing size_t wrec_content_len; 883e1c03bbSjsing 894c4033b4Stb /* Alert to be sent on return from current read handler. */ 904c4033b4Stb uint8_t alert; 914c4033b4Stb 923e1c03bbSjsing /* Pending alert messages. */ 933e1c03bbSjsing uint8_t *alert_data; 943e1c03bbSjsing size_t alert_len; 95828ae560Sjsing uint8_t alert_level; 96828ae560Sjsing uint8_t alert_desc; 973e1c03bbSjsing 98b5c202d7Stb /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ 993e1c03bbSjsing CBS phh_cbs; 1003e1c03bbSjsing uint8_t *phh_data; 1013e1c03bbSjsing size_t phh_len; 1022502d49fSjsing 1038ccc3944Sjsing /* Content from opened records. */ 1048ccc3944Sjsing struct tls_content *rcontent; 1052502d49fSjsing 1062502d49fSjsing /* Record protection. */ 1072502d49fSjsing const EVP_MD *hash; 1082502d49fSjsing const EVP_AEAD *aead; 1094d9bef63Sjsing struct tls13_record_protection *read; 1104d9bef63Sjsing struct tls13_record_protection *write; 1112502d49fSjsing 112a234fc1eSjsing /* Callbacks. */ 113a234fc1eSjsing struct tls13_record_layer_callbacks cb; 1142502d49fSjsing void *cb_arg; 1152502d49fSjsing }; 1162502d49fSjsing 1172502d49fSjsing static void 1182502d49fSjsing tls13_record_layer_rrec_free(struct tls13_record_layer *rl) 1192502d49fSjsing { 1202502d49fSjsing tls13_record_free(rl->rrec); 1212502d49fSjsing rl->rrec = NULL; 1222502d49fSjsing } 1232502d49fSjsing 1242502d49fSjsing static void 1252502d49fSjsing tls13_record_layer_wrec_free(struct tls13_record_layer *rl) 1262502d49fSjsing { 1272502d49fSjsing tls13_record_free(rl->wrec); 1282502d49fSjsing rl->wrec = NULL; 1292502d49fSjsing } 1302502d49fSjsing 1312502d49fSjsing struct tls13_record_layer * 132a234fc1eSjsing tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, 1332502d49fSjsing void *cb_arg) 1342502d49fSjsing { 1352502d49fSjsing struct tls13_record_layer *rl; 1362502d49fSjsing 1372502d49fSjsing if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) 1384d9bef63Sjsing goto err; 1394d9bef63Sjsing 1408ccc3944Sjsing if ((rl->rcontent = tls_content_new()) == NULL) 1418ccc3944Sjsing goto err; 1428ccc3944Sjsing 1434d9bef63Sjsing if ((rl->read = tls13_record_protection_new()) == NULL) 1444d9bef63Sjsing goto err; 1454d9bef63Sjsing if ((rl->write = tls13_record_protection_new()) == NULL) 1464d9bef63Sjsing goto err; 1472502d49fSjsing 14894ab85a5Stb rl->legacy_version = TLS1_2_VERSION; 149f7e8f89fSjsing 150f7e8f89fSjsing tls13_record_layer_set_callbacks(rl, callbacks, cb_arg); 1512502d49fSjsing 1522502d49fSjsing return rl; 1534d9bef63Sjsing 1544d9bef63Sjsing err: 1554d9bef63Sjsing tls13_record_layer_free(rl); 1564d9bef63Sjsing 1574d9bef63Sjsing return NULL; 1582502d49fSjsing } 1592502d49fSjsing 1602502d49fSjsing void 1612502d49fSjsing tls13_record_layer_free(struct tls13_record_layer *rl) 1622502d49fSjsing { 1632502d49fSjsing if (rl == NULL) 1642502d49fSjsing return; 1652502d49fSjsing 166f4ff430dStb tls13_record_layer_rrec_free(rl); 167f4ff430dStb tls13_record_layer_wrec_free(rl); 168f4ff430dStb 1690b154803Stb freezero(rl->alert_data, rl->alert_len); 1700b154803Stb freezero(rl->phh_data, rl->phh_len); 1710b154803Stb 1728ccc3944Sjsing tls_content_free(rl->rcontent); 1732502d49fSjsing 1744d9bef63Sjsing tls13_record_protection_free(rl->read); 1754d9bef63Sjsing tls13_record_protection_free(rl->write); 1762502d49fSjsing 1772502d49fSjsing freezero(rl, sizeof(struct tls13_record_layer)); 1782502d49fSjsing } 1792502d49fSjsing 18005ea345aSjsing void 181f7e8f89fSjsing tls13_record_layer_set_callbacks(struct tls13_record_layer *rl, 182f7e8f89fSjsing const struct tls13_record_layer_callbacks *callbacks, void *cb_arg) 183f7e8f89fSjsing { 184f7e8f89fSjsing rl->cb = *callbacks; 185f7e8f89fSjsing rl->cb_arg = cb_arg; 186f7e8f89fSjsing } 187f7e8f89fSjsing 188f7e8f89fSjsing void 1898ccc3944Sjsing tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs) 19005ea345aSjsing { 1918ccc3944Sjsing CBS_dup(tls_content_cbs(rl->rcontent), cbs); 19205ea345aSjsing } 19305ea345aSjsing 19460e65ff7Sinoguchi static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { 195768efcc7Stb 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 196768efcc7Stb }; 197768efcc7Stb 19895373ef8Sjsing int 1992502d49fSjsing tls13_record_layer_inc_seq_num(uint8_t *seq_num) 2002502d49fSjsing { 201768efcc7Stb int i; 2022502d49fSjsing 203768efcc7Stb /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ 204768efcc7Stb if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) 205768efcc7Stb return 0; 206768efcc7Stb 207768efcc7Stb for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 2082502d49fSjsing if (++seq_num[i] != 0) 2092502d49fSjsing break; 2102502d49fSjsing } 2112502d49fSjsing 212768efcc7Stb return 1; 2132502d49fSjsing } 2142502d49fSjsing 2152502d49fSjsing static int 2162502d49fSjsing tls13_record_layer_update_nonce(struct tls13_secret *nonce, 2172502d49fSjsing struct tls13_secret *iv, uint8_t *seq_num) 2182502d49fSjsing { 2192502d49fSjsing ssize_t i, j; 2202502d49fSjsing 2212502d49fSjsing if (nonce->len != iv->len) 2222502d49fSjsing return 0; 2232502d49fSjsing 2242502d49fSjsing /* 2252502d49fSjsing * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd 2262502d49fSjsing * with the IV to produce a per-record nonce. The IV will also be 2272502d49fSjsing * at least 8-bytes in length. 2282502d49fSjsing */ 2292502d49fSjsing for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) 2302502d49fSjsing nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0); 2312502d49fSjsing 2322502d49fSjsing return 1; 2332502d49fSjsing } 2342502d49fSjsing 2352502d49fSjsing void 236138e3c44Stb tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) 237138e3c44Stb { 238138e3c44Stb rl->ccs_allowed = allow; 239138e3c44Stb } 240138e3c44Stb 241138e3c44Stb void 242781d0746Sjsing tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) 243781d0746Sjsing { 244781d0746Sjsing rl->legacy_alerts_allowed = allow; 245781d0746Sjsing } 246781d0746Sjsing 247781d0746Sjsing void 2482502d49fSjsing tls13_record_layer_set_aead(struct tls13_record_layer *rl, 2492502d49fSjsing const EVP_AEAD *aead) 2502502d49fSjsing { 2512502d49fSjsing rl->aead = aead; 2522502d49fSjsing } 2532502d49fSjsing 2542502d49fSjsing void 2552502d49fSjsing tls13_record_layer_set_hash(struct tls13_record_layer *rl, 2562502d49fSjsing const EVP_MD *hash) 2572502d49fSjsing { 2582502d49fSjsing rl->hash = hash; 2592502d49fSjsing } 2602502d49fSjsing 2612502d49fSjsing void 26294ab85a5Stb tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, 26394ab85a5Stb uint16_t version) 26494ab85a5Stb { 26594ab85a5Stb rl->legacy_version = version; 26694ab85a5Stb } 26794ab85a5Stb 26894ab85a5Stb void 2692502d49fSjsing tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) 2702502d49fSjsing { 2712502d49fSjsing rl->handshake_completed = 1; 2722502d49fSjsing } 2732502d49fSjsing 2743aebe440Sjsing void 2753aebe440Sjsing tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) 2763aebe440Sjsing { 2773aebe440Sjsing rl->phh_retry = retry; 2783aebe440Sjsing } 2793aebe440Sjsing 280f1283a0aSjsing static ssize_t 2812502d49fSjsing tls13_record_layer_process_alert(struct tls13_record_layer *rl) 2822502d49fSjsing { 2832502d49fSjsing uint8_t alert_level, alert_desc; 284a6b06cf1Sjsing ssize_t ret = TLS13_IO_FAILURE; 2852502d49fSjsing 2862502d49fSjsing /* 287a6b06cf1Sjsing * RFC 8446 - sections 5.1 and 6. 288a6b06cf1Sjsing * 2892502d49fSjsing * A TLSv1.3 alert record can only contain a single alert - this means 2902502d49fSjsing * that processing the alert must consume all of the record. The alert 2912502d49fSjsing * will result in one of three things - continuation (user_cancelled), 2922502d49fSjsing * read channel closure (close_notify) or termination (all others). 2932502d49fSjsing */ 2948ccc3944Sjsing if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT) 2958d627bfcSbeck return TLS13_IO_FAILURE; 2968d627bfcSbeck 2978ccc3944Sjsing if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level)) 2988ccc3944Sjsing return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 2998ccc3944Sjsing if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc)) 300c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 3018d627bfcSbeck 3028ccc3944Sjsing if (tls_content_remaining(rl->rcontent) != 0) 303c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 3042502d49fSjsing 3058ccc3944Sjsing tls_content_clear(rl->rcontent); 3062502d49fSjsing 307a6b06cf1Sjsing /* 308a6b06cf1Sjsing * Alert level is ignored for closure alerts (RFC 8446 section 6.1), 309a6b06cf1Sjsing * however for error alerts (RFC 8446 section 6.2), the alert level 310a6b06cf1Sjsing * must be specified as fatal. 311a6b06cf1Sjsing */ 312c957d00cSjsing if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 313a6b06cf1Sjsing rl->read_closed = 1; 3141637394fSjsing ret = TLS13_IO_EOF; 315c957d00cSjsing } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { 316a6b06cf1Sjsing /* Ignored at the record layer. */ 317c9e61bceSbeck ret = TLS13_IO_WANT_RETRY; 318c957d00cSjsing } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { 319a6b06cf1Sjsing rl->read_closed = 1; 320a6b06cf1Sjsing rl->write_closed = 1; 32152e1fd77Sjsing ret = TLS13_IO_ALERT; 322c957d00cSjsing } else if (rl->legacy_alerts_allowed && 323c957d00cSjsing alert_level == TLS13_ALERT_LEVEL_WARNING) { 324781d0746Sjsing /* Ignored and not passed to the callback. */ 325781d0746Sjsing return TLS13_IO_WANT_RETRY; 326781d0746Sjsing } else { 327c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 328781d0746Sjsing } 329a6b06cf1Sjsing 3309c83d710Sjsing rl->cb.alert_recv(alert_level, alert_desc, rl->cb_arg); 331781d0746Sjsing 332a6b06cf1Sjsing return ret; 3332502d49fSjsing } 3342502d49fSjsing 335*8699d7a9Stb void 336*8699d7a9Stb tls13_record_layer_alert_sent(struct tls13_record_layer *rl, 337*8699d7a9Stb uint8_t alert_level, uint8_t alert_desc) 338*8699d7a9Stb { 339*8699d7a9Stb rl->cb.alert_sent(alert_level, alert_desc, rl->cb_arg); 340*8699d7a9Stb } 341*8699d7a9Stb 3423e1c03bbSjsing static ssize_t 3433e1c03bbSjsing tls13_record_layer_send_alert(struct tls13_record_layer *rl) 3443e1c03bbSjsing { 3453e1c03bbSjsing ssize_t ret; 3463e1c03bbSjsing 3473e1c03bbSjsing /* This has to fit into a single record, per RFC 8446 section 5.1. */ 3483e1c03bbSjsing if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, 34952e1fd77Sjsing rl->alert_data, rl->alert_len)) != rl->alert_len) { 35052e1fd77Sjsing if (ret == TLS13_IO_EOF) 35152e1fd77Sjsing ret = TLS13_IO_ALERT; 3523e1c03bbSjsing return ret; 35352e1fd77Sjsing } 3543e1c03bbSjsing 3553e1c03bbSjsing freezero(rl->alert_data, rl->alert_len); 3563e1c03bbSjsing rl->alert_data = NULL; 3573e1c03bbSjsing rl->alert_len = 0; 3583e1c03bbSjsing 359c957d00cSjsing if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 360828ae560Sjsing rl->write_closed = 1; 361828ae560Sjsing ret = TLS13_IO_SUCCESS; 362c957d00cSjsing } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { 363828ae560Sjsing /* Ignored at the record layer. */ 364828ae560Sjsing ret = TLS13_IO_SUCCESS; 365828ae560Sjsing } else { 3663e1c03bbSjsing rl->read_closed = 1; 3673e1c03bbSjsing rl->write_closed = 1; 36852e1fd77Sjsing ret = TLS13_IO_ALERT; 369828ae560Sjsing } 3703e1c03bbSjsing 371*8699d7a9Stb tls13_record_layer_alert_sent(rl, rl->alert_level, rl->alert_desc); 3724af36d07Sjsing 373828ae560Sjsing return ret; 3743e1c03bbSjsing } 3753e1c03bbSjsing 3763e1c03bbSjsing static ssize_t 3773e1c03bbSjsing tls13_record_layer_send_phh(struct tls13_record_layer *rl) 3783e1c03bbSjsing { 3793e1c03bbSjsing ssize_t ret; 3803e1c03bbSjsing 3813e1c03bbSjsing /* Push out pending post-handshake handshake messages. */ 3823e1c03bbSjsing if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, 38310aeffa3Sjsing CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) 3843e1c03bbSjsing return ret; 3853e1c03bbSjsing if (!CBS_skip(&rl->phh_cbs, ret)) 3863e1c03bbSjsing return TLS13_IO_FAILURE; 3873e1c03bbSjsing if (CBS_len(&rl->phh_cbs) != 0) 388c9e61bceSbeck return TLS13_IO_WANT_RETRY; 3893e1c03bbSjsing 3903e1c03bbSjsing freezero(rl->phh_data, rl->phh_len); 3913e1c03bbSjsing rl->phh_data = NULL; 3923e1c03bbSjsing rl->phh_len = 0; 3933e1c03bbSjsing 3943e1c03bbSjsing CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 3953e1c03bbSjsing 396a234fc1eSjsing rl->cb.phh_sent(rl->cb_arg); 39789458272Sbeck 3983e1c03bbSjsing return TLS13_IO_SUCCESS; 3993e1c03bbSjsing } 4003e1c03bbSjsing 401828ae560Sjsing ssize_t 4023e1c03bbSjsing tls13_record_layer_send_pending(struct tls13_record_layer *rl) 4033e1c03bbSjsing { 4043e1c03bbSjsing /* 4053e1c03bbSjsing * If an alert is pending, then it needs to be sent. However, 4063e1c03bbSjsing * if we're already part of the way through sending post-handshake 4073e1c03bbSjsing * handshake messages, then we need to finish that first... 4083e1c03bbSjsing */ 4093e1c03bbSjsing 4103e1c03bbSjsing if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) 4113e1c03bbSjsing return tls13_record_layer_send_phh(rl); 4123e1c03bbSjsing 4133e1c03bbSjsing if (rl->alert_data != NULL) 4143e1c03bbSjsing return tls13_record_layer_send_alert(rl); 4153e1c03bbSjsing 4163e1c03bbSjsing if (rl->phh_data != NULL) 4173e1c03bbSjsing return tls13_record_layer_send_phh(rl); 4183e1c03bbSjsing 4193e1c03bbSjsing return TLS13_IO_SUCCESS; 4203e1c03bbSjsing } 4213e1c03bbSjsing 42230168b12Sjsing static ssize_t 42359628146Sjsing tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl, 4242502d49fSjsing uint8_t alert_level, uint8_t alert_desc) 4252502d49fSjsing { 4263e1c03bbSjsing CBB cbb; 4273e1c03bbSjsing 4283e1c03bbSjsing if (rl->alert_data != NULL) 4293e1c03bbSjsing return TLS13_IO_FAILURE; 4303e1c03bbSjsing 4313e1c03bbSjsing if (!CBB_init(&cbb, 0)) 4323e1c03bbSjsing goto err; 4333e1c03bbSjsing 4343e1c03bbSjsing if (!CBB_add_u8(&cbb, alert_level)) 4353e1c03bbSjsing goto err; 4363e1c03bbSjsing if (!CBB_add_u8(&cbb, alert_desc)) 4373e1c03bbSjsing goto err; 4383e1c03bbSjsing if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) 4393e1c03bbSjsing goto err; 4403e1c03bbSjsing 441828ae560Sjsing rl->alert_level = alert_level; 442828ae560Sjsing rl->alert_desc = alert_desc; 443828ae560Sjsing 4443e1c03bbSjsing return tls13_record_layer_send_pending(rl); 4453e1c03bbSjsing 4463e1c03bbSjsing err: 4473e1c03bbSjsing CBB_cleanup(&cbb); 4483e1c03bbSjsing 4493e1c03bbSjsing return TLS13_IO_FAILURE; 4503e1c03bbSjsing } 4513e1c03bbSjsing 4523e1c03bbSjsing ssize_t 453c1274f4dSjsing tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) 4543e1c03bbSjsing { 4553e1c03bbSjsing if (rl->phh_data != NULL) 4563e1c03bbSjsing return TLS13_IO_FAILURE; 4573e1c03bbSjsing 458c1274f4dSjsing if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) 459c1274f4dSjsing return TLS13_IO_FAILURE; 4603e1c03bbSjsing 4613e1c03bbSjsing CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 4623e1c03bbSjsing 4633e1c03bbSjsing return tls13_record_layer_send_pending(rl); 4642502d49fSjsing } 4652502d49fSjsing 4662502d49fSjsing static int 4674d9bef63Sjsing tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash, 4684d9bef63Sjsing struct tls13_record_protection *rp, struct tls13_secret *traffic_key) 4692502d49fSjsing { 4702502d49fSjsing struct tls13_secret context = { .data = "", .len = 0 }; 4712502d49fSjsing struct tls13_secret key = { .data = NULL, .len = 0 }; 4722502d49fSjsing int ret = 0; 4732502d49fSjsing 4744d9bef63Sjsing tls13_record_protection_clear(rp); 4758480570eSinoguchi 476f9a06750Stb if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL) 4779115c013Sjsing return 0; 4789115c013Sjsing 4794d9bef63Sjsing if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead))) 4802502d49fSjsing goto err; 4814d9bef63Sjsing if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead))) 4822502d49fSjsing goto err; 483253b38faStb if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead))) 4842502d49fSjsing goto err; 4852502d49fSjsing 4864d9bef63Sjsing if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context)) 4872502d49fSjsing goto err; 4882502d49fSjsing if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) 4892502d49fSjsing goto err; 4902502d49fSjsing 4919115c013Sjsing if (!EVP_AEAD_CTX_init(rp->aead_ctx, aead, key.data, key.len, 4922502d49fSjsing EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 4932502d49fSjsing goto err; 4942502d49fSjsing 4952502d49fSjsing ret = 1; 4962502d49fSjsing 4972502d49fSjsing err: 498253b38faStb tls13_secret_cleanup(&key); 4992502d49fSjsing 5002502d49fSjsing return ret; 5012502d49fSjsing } 5022502d49fSjsing 5032502d49fSjsing int 50446f83330Sjsing tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 5056ea83a9dSjsing struct tls13_secret *read_key, enum ssl_encryption_level_t read_level) 5062502d49fSjsing { 507f7e8f89fSjsing if (rl->cb.set_read_traffic_key != NULL) 508f7e8f89fSjsing return rl->cb.set_read_traffic_key(read_key, read_level, 509f7e8f89fSjsing rl->cb_arg); 510f7e8f89fSjsing 5114d9bef63Sjsing return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 5124d9bef63Sjsing rl->read, read_key); 51346f83330Sjsing } 51446f83330Sjsing 51546f83330Sjsing int 51646f83330Sjsing tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 5176ea83a9dSjsing struct tls13_secret *write_key, enum ssl_encryption_level_t write_level) 51846f83330Sjsing { 519f7e8f89fSjsing if (rl->cb.set_write_traffic_key != NULL) 520f7e8f89fSjsing return rl->cb.set_write_traffic_key(write_key, write_level, 521f7e8f89fSjsing rl->cb_arg); 522f7e8f89fSjsing 5234d9bef63Sjsing return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 5244d9bef63Sjsing rl->write, write_key); 5252502d49fSjsing } 5262502d49fSjsing 5272502d49fSjsing static int 5282502d49fSjsing tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) 5292502d49fSjsing { 5302502d49fSjsing CBS cbs; 5312502d49fSjsing 5322502d49fSjsing if (rl->aead != NULL) 5332502d49fSjsing return 0; 5342502d49fSjsing 5352502d49fSjsing /* 5362502d49fSjsing * We're still operating in plaintext mode, so just copy the 5372502d49fSjsing * content from the record to the plaintext buffer. 5382502d49fSjsing */ 5392502d49fSjsing if (!tls13_record_content(rl->rrec, &cbs)) 5402502d49fSjsing return 0; 5412502d49fSjsing 5424c4033b4Stb if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 5436b228a2cSjsing rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 5444c4033b4Stb return 0; 5454c4033b4Stb } 5464c4033b4Stb 5478ccc3944Sjsing if (!tls_content_dup_data(rl->rcontent, 5488ccc3944Sjsing tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs))) 5492502d49fSjsing return 0; 5502502d49fSjsing 5512502d49fSjsing return 1; 5522502d49fSjsing } 5532502d49fSjsing 5542502d49fSjsing static int 5552502d49fSjsing tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) 5562502d49fSjsing { 55759c3bd6cSjsing CBS header, enc_record, inner; 5582502d49fSjsing uint8_t *content = NULL; 5597e41bb6dStb size_t content_len = 0; 5602502d49fSjsing uint8_t content_type; 5612502d49fSjsing size_t out_len; 5622502d49fSjsing 5632502d49fSjsing if (rl->aead == NULL) 5642502d49fSjsing goto err; 5652502d49fSjsing 5662502d49fSjsing if (!tls13_record_header(rl->rrec, &header)) 5672502d49fSjsing goto err; 5682502d49fSjsing if (!tls13_record_content(rl->rrec, &enc_record)) 5692502d49fSjsing goto err; 5702502d49fSjsing 571ee4250f6Sjsing /* XXX - minus tag len? */ 5722502d49fSjsing if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 5732502d49fSjsing goto err; 5742502d49fSjsing content_len = CBS_len(&enc_record); 5752502d49fSjsing 5764d9bef63Sjsing if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv, 5774d9bef63Sjsing rl->read->seq_num)) 5782502d49fSjsing goto err; 5792502d49fSjsing 5809115c013Sjsing if (!EVP_AEAD_CTX_open(rl->read->aead_ctx, 5812502d49fSjsing content, &out_len, content_len, 5824d9bef63Sjsing rl->read->nonce.data, rl->read->nonce.len, 5832502d49fSjsing CBS_data(&enc_record), CBS_len(&enc_record), 5842502d49fSjsing CBS_data(&header), CBS_len(&header))) 5852502d49fSjsing goto err; 5862502d49fSjsing 5874c4033b4Stb if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { 5886b228a2cSjsing rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 5898d0f08c2Sjsing goto err; 5904c4033b4Stb } 5918d0f08c2Sjsing 5924d9bef63Sjsing if (!tls13_record_layer_inc_seq_num(rl->read->seq_num)) 5932502d49fSjsing goto err; 5942502d49fSjsing 5952502d49fSjsing /* 5962502d49fSjsing * The real content type is hidden at the end of the record content and 5972502d49fSjsing * it may be followed by padding that consists of one or more zeroes. 5982502d49fSjsing * Time to hunt for that elusive content type! 5992502d49fSjsing */ 60059c3bd6cSjsing CBS_init(&inner, content, out_len); 60159c3bd6cSjsing content_type = 0; 60259c3bd6cSjsing while (CBS_get_last_u8(&inner, &content_type)) { 60359c3bd6cSjsing if (content_type != 0) 60459c3bd6cSjsing break; 60559c3bd6cSjsing } 60659c3bd6cSjsing if (content_type == 0) { 607267063edSjsing /* Unexpected message per RFC 8446 section 5.4. */ 608267063edSjsing rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; 6092502d49fSjsing goto err; 610267063edSjsing } 61159c3bd6cSjsing if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 6126b228a2cSjsing rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 6138d0f08c2Sjsing goto err; 6144c4033b4Stb } 6152502d49fSjsing 61659c3bd6cSjsing tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner), 61759c3bd6cSjsing CBS_len(&inner)); 6182502d49fSjsing 6192502d49fSjsing return 1; 6202502d49fSjsing 6212502d49fSjsing err: 6222502d49fSjsing freezero(content, content_len); 6232502d49fSjsing 6242502d49fSjsing return 0; 6252502d49fSjsing } 6262502d49fSjsing 6272502d49fSjsing static int 6282502d49fSjsing tls13_record_layer_open_record(struct tls13_record_layer *rl) 6292502d49fSjsing { 63009b7851cSjsing if (rl->handshake_completed && rl->aead == NULL) 63109b7851cSjsing return 0; 63209b7851cSjsing 6332502d49fSjsing if (rl->aead == NULL) 6342502d49fSjsing return tls13_record_layer_open_record_plaintext(rl); 6352502d49fSjsing 6362502d49fSjsing return tls13_record_layer_open_record_protected(rl); 6372502d49fSjsing } 6382502d49fSjsing 6392502d49fSjsing static int 6402502d49fSjsing tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, 6412502d49fSjsing uint8_t content_type, const uint8_t *content, size_t content_len) 6422502d49fSjsing { 6432502d49fSjsing uint8_t *data = NULL; 6442502d49fSjsing size_t data_len = 0; 6452502d49fSjsing CBB cbb, body; 6462502d49fSjsing 647ef59065fSjsing /* 648ef59065fSjsing * Allow dummy CCS messages to be sent in plaintext even when 649ef59065fSjsing * record protection has been engaged, as long as the handshake 650ef59065fSjsing * has not yet completed. 651ef59065fSjsing */ 652ef59065fSjsing if (rl->handshake_completed) 653ef59065fSjsing return 0; 654ef59065fSjsing if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) 6552502d49fSjsing return 0; 6562502d49fSjsing 6572502d49fSjsing /* 6582502d49fSjsing * We're still operating in plaintext mode, so just copy the 6592502d49fSjsing * content into the record. 6602502d49fSjsing */ 6612502d49fSjsing if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) 6622502d49fSjsing goto err; 6632502d49fSjsing 6642502d49fSjsing if (!CBB_add_u8(&cbb, content_type)) 6652502d49fSjsing goto err; 66694ab85a5Stb if (!CBB_add_u16(&cbb, rl->legacy_version)) 6672502d49fSjsing goto err; 6682502d49fSjsing if (!CBB_add_u16_length_prefixed(&cbb, &body)) 6692502d49fSjsing goto err; 6702502d49fSjsing if (!CBB_add_bytes(&body, content, content_len)) 6712502d49fSjsing goto err; 6722502d49fSjsing 6732502d49fSjsing if (!CBB_finish(&cbb, &data, &data_len)) 6742502d49fSjsing goto err; 6752502d49fSjsing 6762502d49fSjsing if (!tls13_record_set_data(rl->wrec, data, data_len)) 6772502d49fSjsing goto err; 6782502d49fSjsing 6790992a619Sbeck rl->wrec_content_len = content_len; 6800992a619Sbeck rl->wrec_content_type = content_type; 6810992a619Sbeck 6822502d49fSjsing return 1; 6832502d49fSjsing 6842502d49fSjsing err: 6852502d49fSjsing CBB_cleanup(&cbb); 6862502d49fSjsing freezero(data, data_len); 6872502d49fSjsing 6882502d49fSjsing return 0; 6892502d49fSjsing } 6902502d49fSjsing 6912502d49fSjsing static int 6922502d49fSjsing tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, 6932502d49fSjsing uint8_t content_type, const uint8_t *content, size_t content_len) 6942502d49fSjsing { 6952502d49fSjsing uint8_t *data = NULL, *header = NULL, *inner = NULL; 6962502d49fSjsing size_t data_len = 0, header_len = 0, inner_len = 0; 6972502d49fSjsing uint8_t *enc_record; 6982502d49fSjsing size_t enc_record_len; 6992502d49fSjsing ssize_t ret = 0; 7002502d49fSjsing size_t out_len; 7012502d49fSjsing CBB cbb; 7022502d49fSjsing 7032502d49fSjsing if (rl->aead == NULL) 7042502d49fSjsing return 0; 7052502d49fSjsing 7062502d49fSjsing memset(&cbb, 0, sizeof(cbb)); 7072502d49fSjsing 7082502d49fSjsing /* Build inner plaintext. */ 7092502d49fSjsing if (!CBB_init(&cbb, content_len + 1)) 7102502d49fSjsing goto err; 7112502d49fSjsing if (!CBB_add_bytes(&cbb, content, content_len)) 7122502d49fSjsing goto err; 7132502d49fSjsing if (!CBB_add_u8(&cbb, content_type)) 7142502d49fSjsing goto err; 7152502d49fSjsing /* XXX - padding? */ 7162502d49fSjsing if (!CBB_finish(&cbb, &inner, &inner_len)) 7172502d49fSjsing goto err; 7182502d49fSjsing 7192502d49fSjsing if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) 7202502d49fSjsing goto err; 7212502d49fSjsing 7222502d49fSjsing /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 7232502d49fSjsing enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); 7242502d49fSjsing if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) 7252502d49fSjsing goto err; 7262502d49fSjsing 7272502d49fSjsing /* Build the record header. */ 7282502d49fSjsing if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) 7292502d49fSjsing goto err; 7302502d49fSjsing if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) 7312502d49fSjsing goto err; 7322502d49fSjsing if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 7332502d49fSjsing goto err; 7342502d49fSjsing if (!CBB_add_u16(&cbb, enc_record_len)) 7352502d49fSjsing goto err; 7362502d49fSjsing if (!CBB_finish(&cbb, &header, &header_len)) 7372502d49fSjsing goto err; 7382502d49fSjsing 7392502d49fSjsing /* Build the actual record. */ 7402502d49fSjsing if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) 7412502d49fSjsing goto err; 7422502d49fSjsing if (!CBB_add_bytes(&cbb, header, header_len)) 7432502d49fSjsing goto err; 7442502d49fSjsing if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) 7452502d49fSjsing goto err; 7462502d49fSjsing if (!CBB_finish(&cbb, &data, &data_len)) 7472502d49fSjsing goto err; 7482502d49fSjsing 7494d9bef63Sjsing if (!tls13_record_layer_update_nonce(&rl->write->nonce, 7504d9bef63Sjsing &rl->write->iv, rl->write->seq_num)) 7512502d49fSjsing goto err; 7522502d49fSjsing 7532502d49fSjsing /* 7542502d49fSjsing * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec... 7552502d49fSjsing * this would avoid a copy since the inner would be passed as two 7562502d49fSjsing * separate pieces. 7572502d49fSjsing */ 7589115c013Sjsing if (!EVP_AEAD_CTX_seal(rl->write->aead_ctx, 7592502d49fSjsing enc_record, &out_len, enc_record_len, 7604d9bef63Sjsing rl->write->nonce.data, rl->write->nonce.len, 7612502d49fSjsing inner, inner_len, header, header_len)) 7622502d49fSjsing goto err; 7632502d49fSjsing 7642502d49fSjsing if (out_len != enc_record_len) 7652502d49fSjsing goto err; 7662502d49fSjsing 7674d9bef63Sjsing if (!tls13_record_layer_inc_seq_num(rl->write->seq_num)) 7682502d49fSjsing goto err; 7692502d49fSjsing 7702502d49fSjsing if (!tls13_record_set_data(rl->wrec, data, data_len)) 7712502d49fSjsing goto err; 7722502d49fSjsing 7733e1c03bbSjsing rl->wrec_content_len = content_len; 7743e1c03bbSjsing rl->wrec_content_type = content_type; 7753e1c03bbSjsing 7762502d49fSjsing data = NULL; 7772502d49fSjsing data_len = 0; 7782502d49fSjsing 7792502d49fSjsing ret = 1; 7802502d49fSjsing 7812502d49fSjsing err: 7822502d49fSjsing CBB_cleanup(&cbb); 7832502d49fSjsing 7842502d49fSjsing freezero(data, data_len); 7852502d49fSjsing freezero(header, header_len); 7862502d49fSjsing freezero(inner, inner_len); 7872502d49fSjsing 7882502d49fSjsing return ret; 7892502d49fSjsing } 7902502d49fSjsing 7912502d49fSjsing static int 7922502d49fSjsing tls13_record_layer_seal_record(struct tls13_record_layer *rl, 7932502d49fSjsing uint8_t content_type, const uint8_t *content, size_t content_len) 7942502d49fSjsing { 79509b7851cSjsing if (rl->handshake_completed && rl->aead == NULL) 79609b7851cSjsing return 0; 79709b7851cSjsing 7982502d49fSjsing tls13_record_layer_wrec_free(rl); 7992502d49fSjsing 8002502d49fSjsing if ((rl->wrec = tls13_record_new()) == NULL) 8012502d49fSjsing return 0; 8022502d49fSjsing 803ef59065fSjsing if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) 8042502d49fSjsing return tls13_record_layer_seal_record_plaintext(rl, 8052502d49fSjsing content_type, content, content_len); 8062502d49fSjsing 8072502d49fSjsing return tls13_record_layer_seal_record_protected(rl, content_type, 8082502d49fSjsing content, content_len); 8092502d49fSjsing } 8102502d49fSjsing 8112502d49fSjsing static ssize_t 8122502d49fSjsing tls13_record_layer_read_record(struct tls13_record_layer *rl) 8132502d49fSjsing { 8142502d49fSjsing uint8_t content_type, ccs; 8152502d49fSjsing ssize_t ret; 8162502d49fSjsing CBS cbs; 8172502d49fSjsing 8182502d49fSjsing if (rl->rrec == NULL) { 8192502d49fSjsing if ((rl->rrec = tls13_record_new()) == NULL) 8202502d49fSjsing goto err; 8212502d49fSjsing } 8222502d49fSjsing 823204f36c2Sjsing if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { 824204f36c2Sjsing switch (ret) { 825204f36c2Sjsing case TLS13_IO_RECORD_VERSION: 8266b228a2cSjsing return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 8276423e56fSjsing case TLS13_IO_RECORD_OVERFLOW: 8286b228a2cSjsing return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); 829204f36c2Sjsing } 8302502d49fSjsing return ret; 831204f36c2Sjsing } 8322502d49fSjsing 8332502d49fSjsing content_type = tls13_record_content_type(rl->rrec); 8342502d49fSjsing 8352502d49fSjsing /* 83657350ff9Stb * In response to a client hello we may receive an alert in a 83757350ff9Stb * record with a legacy version. Otherwise enforce that the 83857350ff9Stb * legacy record version is 0x0303 per RFC 8446, section 5.1. 83957350ff9Stb */ 84057350ff9Stb if (rl->legacy_version == TLS1_2_VERSION && 84157350ff9Stb tls13_record_version(rl->rrec) != TLS1_2_VERSION && 84257350ff9Stb (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed)) 84357350ff9Stb return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 84457350ff9Stb 84557350ff9Stb /* 8462502d49fSjsing * Bag of hacks ahead... after the first ClientHello message has been 8472502d49fSjsing * sent or received and before the peer's Finished message has been 8482502d49fSjsing * received, we may receive an unencrypted ChangeCipherSpec record 8492502d49fSjsing * (see RFC 8446 section 5 and appendix D.4). This record must be 8502502d49fSjsing * ignored. 8512502d49fSjsing */ 8522502d49fSjsing if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 8535fcf7458Sjsing if (!rl->ccs_allowed || rl->ccs_seen >= 2) 854c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 8558d627bfcSbeck if (!tls13_record_content(rl->rrec, &cbs)) 856c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 8578d627bfcSbeck if (!CBS_get_u8(&cbs, &ccs)) 858c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 8598d627bfcSbeck if (ccs != 1) 860c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 8610df32492Sjsing if (CBS_len(&cbs) != 0) 8620df32492Sjsing return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 8635fcf7458Sjsing rl->ccs_seen++; 8642502d49fSjsing tls13_record_layer_rrec_free(rl); 865c9e61bceSbeck return TLS13_IO_WANT_RETRY; 8662502d49fSjsing } 8672502d49fSjsing 8682502d49fSjsing /* 8692502d49fSjsing * Once record protection is engaged, we should only receive 8702502d49fSjsing * protected application data messages (aside from the 8712502d49fSjsing * dummy ChangeCipherSpec messages, handled above). 8722502d49fSjsing */ 8738d627bfcSbeck if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) 874c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 8752502d49fSjsing 8762502d49fSjsing if (!tls13_record_layer_open_record(rl)) 8772502d49fSjsing goto err; 8782502d49fSjsing 8792502d49fSjsing tls13_record_layer_rrec_free(rl); 8802502d49fSjsing 881edb9ff5fStb /* 882edb9ff5fStb * On receiving a handshake or alert record with empty inner plaintext, 883edb9ff5fStb * we must terminate the connection with an unexpected_message alert. 884edb9ff5fStb * See RFC 8446 section 5.4. 885edb9ff5fStb */ 8868ccc3944Sjsing if (tls_content_remaining(rl->rcontent) == 0 && 8878ccc3944Sjsing (tls_content_type(rl->rcontent) == SSL3_RT_ALERT || 8888ccc3944Sjsing tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE)) 889c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 890edb9ff5fStb 8918ccc3944Sjsing switch (tls_content_type(rl->rcontent)) { 8922502d49fSjsing case SSL3_RT_ALERT: 8932502d49fSjsing return tls13_record_layer_process_alert(rl); 8942502d49fSjsing 8952502d49fSjsing case SSL3_RT_HANDSHAKE: 8962502d49fSjsing break; 8972502d49fSjsing 8982502d49fSjsing case SSL3_RT_APPLICATION_DATA: 8998d627bfcSbeck if (!rl->handshake_completed) 900c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 9012502d49fSjsing break; 9022502d49fSjsing 9032502d49fSjsing default: 904c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 9052502d49fSjsing } 9062502d49fSjsing 9072502d49fSjsing return TLS13_IO_SUCCESS; 9082502d49fSjsing 9092502d49fSjsing err: 9102502d49fSjsing return TLS13_IO_FAILURE; 9112502d49fSjsing } 9122502d49fSjsing 91317b8aec1Sinoguchi static ssize_t 9147003a9ccSjsing tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) 9157003a9ccSjsing { 9168ccc3944Sjsing if (tls_content_type(rl->rcontent) != content_type) 9177003a9ccSjsing return 0; 9187003a9ccSjsing 9198ccc3944Sjsing return tls_content_remaining(rl->rcontent); 9207003a9ccSjsing } 9217003a9ccSjsing 9227003a9ccSjsing static ssize_t 9230cd4ba86Stb tls13_record_layer_recv_phh(struct tls13_record_layer *rl) 9240cd4ba86Stb { 9250cd4ba86Stb ssize_t ret = TLS13_IO_FAILURE; 9260cd4ba86Stb 9270cd4ba86Stb rl->phh = 1; 9280cd4ba86Stb 9290cd4ba86Stb /* 9300cd4ba86Stb * The post handshake handshake receive callback is allowed to return: 9310cd4ba86Stb * 9320cd4ba86Stb * TLS13_IO_WANT_POLLIN need more handshake data. 9330cd4ba86Stb * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued. 9340cd4ba86Stb * TLS13_IO_SUCCESS got the whole handshake, nothing more to do. 9350cd4ba86Stb * TLS13_IO_FAILURE something broke. 9360cd4ba86Stb */ 9370cd4ba86Stb if (rl->cb.phh_recv != NULL) 938fc718d1dSjsing ret = rl->cb.phh_recv(rl->cb_arg); 9390cd4ba86Stb 9408ccc3944Sjsing tls_content_clear(rl->rcontent); 9410cd4ba86Stb 9420cd4ba86Stb /* Leave post handshake handshake mode unless we need more data. */ 9430cd4ba86Stb if (ret != TLS13_IO_WANT_POLLIN) 9440cd4ba86Stb rl->phh = 0; 9450cd4ba86Stb 9460cd4ba86Stb if (ret == TLS13_IO_SUCCESS) { 9470cd4ba86Stb if (rl->phh_retry) 9480cd4ba86Stb return TLS13_IO_WANT_RETRY; 9490cd4ba86Stb 9500cd4ba86Stb return TLS13_IO_WANT_POLLIN; 9510cd4ba86Stb } 9520cd4ba86Stb 9530cd4ba86Stb return ret; 9540cd4ba86Stb } 9550cd4ba86Stb 9560cd4ba86Stb static ssize_t 957373302c0Sjsing tls13_record_layer_read_internal(struct tls13_record_layer *rl, 958373302c0Sjsing uint8_t content_type, uint8_t *buf, size_t n, int peek) 9592502d49fSjsing { 960f1283a0aSjsing ssize_t ret; 9612502d49fSjsing 9623e1c03bbSjsing if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) 9633e1c03bbSjsing return ret; 9643e1c03bbSjsing 965a6b06cf1Sjsing if (rl->read_closed) 966a6b06cf1Sjsing return TLS13_IO_EOF; 967a6b06cf1Sjsing 9682502d49fSjsing /* If necessary, pull up the next record. */ 9698ccc3944Sjsing if (tls_content_remaining(rl->rcontent) == 0) { 9702502d49fSjsing if ((ret = tls13_record_layer_read_record(rl)) <= 0) 9712502d49fSjsing return ret; 972d69bc5b9Sjsing 973d69bc5b9Sjsing /* 974d69bc5b9Sjsing * We may have read a valid 0-byte application data record, 975d69bc5b9Sjsing * in which case we need to read the next record. 976d69bc5b9Sjsing */ 9778ccc3944Sjsing if (tls_content_remaining(rl->rcontent) == 0) 978d69bc5b9Sjsing return TLS13_IO_WANT_POLLIN; 979d69bc5b9Sjsing } 98089458272Sbeck 98189458272Sbeck /* 9820cd4ba86Stb * If we are in post handshake handshake mode, we must not see 98389458272Sbeck * any record type that isn't a handshake until we are done. 98489458272Sbeck */ 9858ccc3944Sjsing if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE) 986c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 98789458272Sbeck 9882502d49fSjsing /* 9892502d49fSjsing * Handshake content can appear as post-handshake messages (yup, 9902502d49fSjsing * the RFC reused the same content type...), which means we can 9912502d49fSjsing * be trying to read application data and need to handle a 9922502d49fSjsing * post-handshake handshake message instead... 9932502d49fSjsing */ 9948ccc3944Sjsing if (tls_content_type(rl->rcontent) != content_type) { 9958ccc3944Sjsing if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE) { 9960cd4ba86Stb if (rl->handshake_completed) 9970cd4ba86Stb return tls13_record_layer_recv_phh(rl); 99889458272Sbeck } 999c957d00cSjsing return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 10002502d49fSjsing } 10012502d49fSjsing 10028ccc3944Sjsing if (peek) 10038ccc3944Sjsing return tls_content_peek(rl->rcontent, buf, n); 10042502d49fSjsing 10058ccc3944Sjsing return tls_content_read(rl->rcontent, buf, n); 10062502d49fSjsing } 10072502d49fSjsing 100817b8aec1Sinoguchi static ssize_t 1009373302c0Sjsing tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, 1010373302c0Sjsing uint8_t *buf, size_t n) 1011373302c0Sjsing { 1012c9e61bceSbeck ssize_t ret; 1013c9e61bceSbeck 1014c9e61bceSbeck do { 1015c9e61bceSbeck ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); 1016c9e61bceSbeck } while (ret == TLS13_IO_WANT_RETRY); 1017c9e61bceSbeck 10184c4033b4Stb if (rl->alert != 0) 10194c4033b4Stb return tls13_send_alert(rl, rl->alert); 10204c4033b4Stb 1021c9e61bceSbeck return ret; 1022373302c0Sjsing } 1023373302c0Sjsing 102417b8aec1Sinoguchi static ssize_t 1025373302c0Sjsing tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, 1026373302c0Sjsing uint8_t *buf, size_t n) 1027373302c0Sjsing { 1028c9e61bceSbeck ssize_t ret; 1029c9e61bceSbeck 1030c9e61bceSbeck do { 1031c9e61bceSbeck ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); 1032c9e61bceSbeck } while (ret == TLS13_IO_WANT_RETRY); 1033c9e61bceSbeck 10344c4033b4Stb if (rl->alert != 0) 10354c4033b4Stb return tls13_send_alert(rl, rl->alert); 10364c4033b4Stb 1037c9e61bceSbeck return ret; 1038373302c0Sjsing } 1039373302c0Sjsing 10402502d49fSjsing static ssize_t 10412502d49fSjsing tls13_record_layer_write_record(struct tls13_record_layer *rl, 10422502d49fSjsing uint8_t content_type, const uint8_t *content, size_t content_len) 10432502d49fSjsing { 10442502d49fSjsing ssize_t ret; 10452502d49fSjsing 1046a6b06cf1Sjsing if (rl->write_closed) 1047a6b06cf1Sjsing return TLS13_IO_EOF; 1048a6b06cf1Sjsing 10493e1c03bbSjsing /* 10503e1c03bbSjsing * If we pushed out application data while handling other messages, 10513e1c03bbSjsing * we need to return content length on the next call. 10523e1c03bbSjsing */ 10533e1c03bbSjsing if (content_type == SSL3_RT_APPLICATION_DATA && 10543e1c03bbSjsing rl->wrec_appdata_len != 0) { 10553e1c03bbSjsing ret = rl->wrec_appdata_len; 10563e1c03bbSjsing rl->wrec_appdata_len = 0; 10573e1c03bbSjsing return ret; 10583e1c03bbSjsing } 10593e1c03bbSjsing 10602502d49fSjsing /* See if there is an existing record and attempt to push it out... */ 10612502d49fSjsing if (rl->wrec != NULL) { 1062a234fc1eSjsing if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, 10632502d49fSjsing rl->cb_arg)) <= 0) 10642502d49fSjsing return ret; 10652502d49fSjsing tls13_record_layer_wrec_free(rl); 10662502d49fSjsing 10673e1c03bbSjsing if (rl->wrec_content_type == content_type) { 10683e1c03bbSjsing ret = rl->wrec_content_len; 10693e1c03bbSjsing rl->wrec_content_len = 0; 10703e1c03bbSjsing rl->wrec_content_type = 0; 10713e1c03bbSjsing return ret; 10723e1c03bbSjsing } 10733e1c03bbSjsing 10743e1c03bbSjsing /* 10753e1c03bbSjsing * The only partial record type should be application data. 10763e1c03bbSjsing * All other cases are handled to completion. 10773e1c03bbSjsing */ 10783e1c03bbSjsing if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) 10793e1c03bbSjsing return TLS13_IO_FAILURE; 10803e1c03bbSjsing rl->wrec_appdata_len = rl->wrec_content_len; 10812502d49fSjsing } 10822502d49fSjsing 10832502d49fSjsing if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) 10842502d49fSjsing goto err; 10852502d49fSjsing 10862502d49fSjsing if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) 10872502d49fSjsing goto err; 10882502d49fSjsing 1089a234fc1eSjsing if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) 10902502d49fSjsing return ret; 10912502d49fSjsing 10922502d49fSjsing tls13_record_layer_wrec_free(rl); 10932502d49fSjsing 10942502d49fSjsing return content_len; 10952502d49fSjsing 10962502d49fSjsing err: 10972502d49fSjsing return TLS13_IO_FAILURE; 10982502d49fSjsing } 10992502d49fSjsing 11002502d49fSjsing static ssize_t 11013e1c03bbSjsing tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 11023e1c03bbSjsing uint8_t content_type, const uint8_t *buf, size_t n) 11032502d49fSjsing { 110419110973Sjsing if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) 110519110973Sjsing n = TLS13_RECORD_MAX_PLAINTEXT_LEN; 110619110973Sjsing 11072502d49fSjsing return tls13_record_layer_write_record(rl, content_type, buf, n); 11082502d49fSjsing } 11092502d49fSjsing 11103e1c03bbSjsing static ssize_t 11113e1c03bbSjsing tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, 11123e1c03bbSjsing const uint8_t *buf, size_t n) 11133e1c03bbSjsing { 11143e1c03bbSjsing ssize_t ret; 11153e1c03bbSjsing 1116c9e61bceSbeck do { 1117c9e61bceSbeck ret = tls13_record_layer_send_pending(rl); 1118c9e61bceSbeck } while (ret == TLS13_IO_WANT_RETRY); 1119c9e61bceSbeck if (ret != TLS13_IO_SUCCESS) 11203e1c03bbSjsing return ret; 11213e1c03bbSjsing 1122c9e61bceSbeck do { 1123c9e61bceSbeck ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); 1124c9e61bceSbeck } while (ret == TLS13_IO_WANT_RETRY); 1125c9e61bceSbeck 1126c9e61bceSbeck return ret; 11273e1c03bbSjsing } 11283e1c03bbSjsing 11291e0f72feSjsing ssize_t 11301e0f72feSjsing tls13_record_layer_flush(struct tls13_record_layer *rl) 11311e0f72feSjsing { 11321e0f72feSjsing return rl->cb.wire_flush(rl->cb_arg); 11331e0f72feSjsing } 11341e0f72feSjsing 1135ef59065fSjsing static const uint8_t tls13_dummy_ccs[] = { 0x01 }; 1136ef59065fSjsing 1137ef59065fSjsing ssize_t 1138ef59065fSjsing tls13_send_dummy_ccs(struct tls13_record_layer *rl) 1139ef59065fSjsing { 1140ef59065fSjsing ssize_t ret; 1141ef59065fSjsing 1142ef59065fSjsing if (rl->ccs_sent) 1143ef59065fSjsing return TLS13_IO_FAILURE; 1144ef59065fSjsing 1145ef59065fSjsing if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, 1146ef59065fSjsing tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) 1147ef59065fSjsing return ret; 1148ef59065fSjsing 1149ef59065fSjsing rl->ccs_sent = 1; 1150ef59065fSjsing 1151ef59065fSjsing return TLS13_IO_SUCCESS; 1152ef59065fSjsing } 1153ef59065fSjsing 11542502d49fSjsing ssize_t 11552502d49fSjsing tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 11562502d49fSjsing { 1157f7e8f89fSjsing if (rl->cb.handshake_read != NULL) 1158f7e8f89fSjsing return rl->cb.handshake_read(buf, n, rl->cb_arg); 1159f7e8f89fSjsing 11602502d49fSjsing return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); 11612502d49fSjsing } 11622502d49fSjsing 11632502d49fSjsing ssize_t 11642502d49fSjsing tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 11652502d49fSjsing size_t n) 11662502d49fSjsing { 1167f7e8f89fSjsing if (rl->cb.handshake_write != NULL) 1168f7e8f89fSjsing return rl->cb.handshake_write(buf, n, rl->cb_arg); 1169f7e8f89fSjsing 11702502d49fSjsing return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); 11712502d49fSjsing } 11722502d49fSjsing 11732502d49fSjsing ssize_t 11747003a9ccSjsing tls13_pending_application_data(struct tls13_record_layer *rl) 11757003a9ccSjsing { 11767003a9ccSjsing if (!rl->handshake_completed) 11777003a9ccSjsing return 0; 11787003a9ccSjsing 11797003a9ccSjsing return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); 11807003a9ccSjsing } 11817003a9ccSjsing 11827003a9ccSjsing ssize_t 1183373302c0Sjsing tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1184373302c0Sjsing { 1185373302c0Sjsing if (!rl->handshake_completed) 1186373302c0Sjsing return TLS13_IO_FAILURE; 1187373302c0Sjsing 1188373302c0Sjsing return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1189373302c0Sjsing } 1190373302c0Sjsing 1191373302c0Sjsing ssize_t 11922502d49fSjsing tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 11932502d49fSjsing { 11942502d49fSjsing if (!rl->handshake_completed) 11952502d49fSjsing return TLS13_IO_FAILURE; 11962502d49fSjsing 11972502d49fSjsing return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); 11982502d49fSjsing } 11992502d49fSjsing 12002502d49fSjsing ssize_t 12012502d49fSjsing tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 12022502d49fSjsing size_t n) 12032502d49fSjsing { 12042502d49fSjsing if (!rl->handshake_completed) 12052502d49fSjsing return TLS13_IO_FAILURE; 12062502d49fSjsing 12072502d49fSjsing return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); 12082502d49fSjsing } 120930168b12Sjsing 121030168b12Sjsing ssize_t 121130168b12Sjsing tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) 121230168b12Sjsing { 1213c957d00cSjsing uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; 1214c9e61bceSbeck ssize_t ret; 121530168b12Sjsing 1216f7e8f89fSjsing if (rl->cb.alert_send != NULL) 1217f7e8f89fSjsing return rl->cb.alert_send(alert_desc, rl->cb_arg); 1218f7e8f89fSjsing 1219c957d00cSjsing if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || 1220c957d00cSjsing alert_desc == TLS13_ALERT_USER_CANCELED) 1221c957d00cSjsing alert_level = TLS13_ALERT_LEVEL_WARNING; 122230168b12Sjsing 1223c9e61bceSbeck do { 122459628146Sjsing ret = tls13_record_layer_enqueue_alert(rl, alert_level, 122559628146Sjsing alert_desc); 1226c9e61bceSbeck } while (ret == TLS13_IO_WANT_RETRY); 1227c9e61bceSbeck 1228c9e61bceSbeck return ret; 122930168b12Sjsing } 1230