1 /* $OpenBSD: tls13_record_layer.c,v 1.62 2021/06/08 18:05:47 tb Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "tls13_internal.h" 19 #include "tls13_record.h" 20 21 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 22 uint8_t content_type, const uint8_t *buf, size_t n); 23 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, 24 uint8_t content_type, const uint8_t *content, size_t content_len); 25 26 struct tls13_record_protection { 27 EVP_AEAD_CTX aead_ctx; 28 struct tls13_secret iv; 29 struct tls13_secret nonce; 30 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 31 }; 32 33 struct tls13_record_protection * 34 tls13_record_protection_new(void) 35 { 36 return calloc(1, sizeof(struct tls13_record_protection)); 37 } 38 39 void 40 tls13_record_protection_clear(struct tls13_record_protection *rp) 41 { 42 EVP_AEAD_CTX_cleanup(&rp->aead_ctx); 43 44 tls13_secret_cleanup(&rp->iv); 45 tls13_secret_cleanup(&rp->nonce); 46 47 memset(rp->seq_num, 0, sizeof(rp->seq_num)); 48 } 49 50 void 51 tls13_record_protection_free(struct tls13_record_protection *rp) 52 { 53 if (rp == NULL) 54 return; 55 56 tls13_record_protection_clear(rp); 57 58 freezero(rp, sizeof(struct tls13_record_protection)); 59 } 60 61 struct tls13_record_layer { 62 uint16_t legacy_version; 63 64 int ccs_allowed; 65 int ccs_seen; 66 int ccs_sent; 67 int handshake_completed; 68 int legacy_alerts_allowed; 69 int phh; 70 int phh_retry; 71 72 /* 73 * Read and/or write channels are closed due to an alert being 74 * sent or received. In the case of an error alert both channels 75 * are closed, whereas in the case of a close notify only one 76 * channel is closed. 77 */ 78 int read_closed; 79 int write_closed; 80 81 struct tls13_record *rrec; 82 83 struct tls13_record *wrec; 84 uint8_t wrec_content_type; 85 size_t wrec_appdata_len; 86 size_t wrec_content_len; 87 88 /* Alert to be sent on return from current read handler. */ 89 uint8_t alert; 90 91 /* Pending alert messages. */ 92 uint8_t *alert_data; 93 size_t alert_len; 94 uint8_t alert_level; 95 uint8_t alert_desc; 96 97 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ 98 CBS phh_cbs; 99 uint8_t *phh_data; 100 size_t phh_len; 101 102 /* Buffer containing plaintext from opened records. */ 103 uint8_t rbuf_content_type; 104 uint8_t *rbuf; 105 size_t rbuf_len; 106 CBS rbuf_cbs; 107 108 /* Record protection. */ 109 const EVP_MD *hash; 110 const EVP_AEAD *aead; 111 struct tls13_record_protection *read; 112 struct tls13_record_protection *write; 113 114 /* Callbacks. */ 115 struct tls13_record_layer_callbacks cb; 116 void *cb_arg; 117 }; 118 119 static void 120 tls13_record_layer_rbuf_free(struct tls13_record_layer *rl) 121 { 122 CBS_init(&rl->rbuf_cbs, NULL, 0); 123 freezero(rl->rbuf, rl->rbuf_len); 124 rl->rbuf = NULL; 125 rl->rbuf_len = 0; 126 rl->rbuf_content_type = 0; 127 } 128 129 static void 130 tls13_record_layer_rrec_free(struct tls13_record_layer *rl) 131 { 132 tls13_record_free(rl->rrec); 133 rl->rrec = NULL; 134 } 135 136 static void 137 tls13_record_layer_wrec_free(struct tls13_record_layer *rl) 138 { 139 tls13_record_free(rl->wrec); 140 rl->wrec = NULL; 141 } 142 143 struct tls13_record_layer * 144 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, 145 void *cb_arg) 146 { 147 struct tls13_record_layer *rl; 148 149 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) 150 goto err; 151 152 if ((rl->read = tls13_record_protection_new()) == NULL) 153 goto err; 154 if ((rl->write = tls13_record_protection_new()) == NULL) 155 goto err; 156 157 rl->legacy_version = TLS1_2_VERSION; 158 rl->cb = *callbacks; 159 rl->cb_arg = cb_arg; 160 161 return rl; 162 163 err: 164 tls13_record_layer_free(rl); 165 166 return NULL; 167 } 168 169 void 170 tls13_record_layer_free(struct tls13_record_layer *rl) 171 { 172 if (rl == NULL) 173 return; 174 175 tls13_record_layer_rrec_free(rl); 176 tls13_record_layer_wrec_free(rl); 177 178 freezero(rl->alert_data, rl->alert_len); 179 freezero(rl->phh_data, rl->phh_len); 180 181 tls13_record_layer_rbuf_free(rl); 182 183 tls13_record_protection_free(rl->read); 184 tls13_record_protection_free(rl->write); 185 186 freezero(rl, sizeof(struct tls13_record_layer)); 187 } 188 189 void 190 tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs) 191 { 192 CBS_dup(&rl->rbuf_cbs, cbs); 193 } 194 195 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { 196 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 197 }; 198 199 int 200 tls13_record_layer_inc_seq_num(uint8_t *seq_num) 201 { 202 int i; 203 204 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ 205 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) 206 return 0; 207 208 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 209 if (++seq_num[i] != 0) 210 break; 211 } 212 213 return 1; 214 } 215 216 static int 217 tls13_record_layer_update_nonce(struct tls13_secret *nonce, 218 struct tls13_secret *iv, uint8_t *seq_num) 219 { 220 ssize_t i, j; 221 222 if (nonce->len != iv->len) 223 return 0; 224 225 /* 226 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd 227 * with the IV to produce a per-record nonce. The IV will also be 228 * at least 8-bytes in length. 229 */ 230 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) 231 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0); 232 233 return 1; 234 } 235 236 void 237 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) 238 { 239 rl->ccs_allowed = allow; 240 } 241 242 void 243 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) 244 { 245 rl->legacy_alerts_allowed = allow; 246 } 247 248 void 249 tls13_record_layer_set_aead(struct tls13_record_layer *rl, 250 const EVP_AEAD *aead) 251 { 252 rl->aead = aead; 253 } 254 255 void 256 tls13_record_layer_set_hash(struct tls13_record_layer *rl, 257 const EVP_MD *hash) 258 { 259 rl->hash = hash; 260 } 261 262 void 263 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, 264 uint16_t version) 265 { 266 rl->legacy_version = version; 267 } 268 269 void 270 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) 271 { 272 rl->handshake_completed = 1; 273 } 274 275 void 276 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) 277 { 278 rl->phh_retry = retry; 279 } 280 281 static ssize_t 282 tls13_record_layer_process_alert(struct tls13_record_layer *rl) 283 { 284 uint8_t alert_level, alert_desc; 285 ssize_t ret = TLS13_IO_FAILURE; 286 287 /* 288 * RFC 8446 - sections 5.1 and 6. 289 * 290 * A TLSv1.3 alert record can only contain a single alert - this means 291 * that processing the alert must consume all of the record. The alert 292 * will result in one of three things - continuation (user_cancelled), 293 * read channel closure (close_notify) or termination (all others). 294 */ 295 if (rl->rbuf == NULL) 296 return TLS13_IO_FAILURE; 297 298 if (rl->rbuf_content_type != SSL3_RT_ALERT) 299 return TLS13_IO_FAILURE; 300 301 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_level)) 302 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 303 304 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_desc)) 305 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 306 307 if (CBS_len(&rl->rbuf_cbs) != 0) 308 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 309 310 tls13_record_layer_rbuf_free(rl); 311 312 /* 313 * Alert level is ignored for closure alerts (RFC 8446 section 6.1), 314 * however for error alerts (RFC 8446 section 6.2), the alert level 315 * must be specified as fatal. 316 */ 317 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 318 rl->read_closed = 1; 319 ret = TLS13_IO_EOF; 320 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { 321 /* Ignored at the record layer. */ 322 ret = TLS13_IO_WANT_RETRY; 323 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { 324 rl->read_closed = 1; 325 rl->write_closed = 1; 326 ret = TLS13_IO_ALERT; 327 } else if (rl->legacy_alerts_allowed && 328 alert_level == TLS13_ALERT_LEVEL_WARNING) { 329 /* Ignored and not passed to the callback. */ 330 return TLS13_IO_WANT_RETRY; 331 } else { 332 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 333 } 334 335 rl->cb.alert_recv(alert_desc, rl->cb_arg); 336 337 return ret; 338 } 339 340 static ssize_t 341 tls13_record_layer_send_alert(struct tls13_record_layer *rl) 342 { 343 ssize_t ret; 344 345 /* This has to fit into a single record, per RFC 8446 section 5.1. */ 346 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, 347 rl->alert_data, rl->alert_len)) != rl->alert_len) { 348 if (ret == TLS13_IO_EOF) 349 ret = TLS13_IO_ALERT; 350 return ret; 351 } 352 353 freezero(rl->alert_data, rl->alert_len); 354 rl->alert_data = NULL; 355 rl->alert_len = 0; 356 357 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 358 rl->write_closed = 1; 359 ret = TLS13_IO_SUCCESS; 360 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { 361 /* Ignored at the record layer. */ 362 ret = TLS13_IO_SUCCESS; 363 } else { 364 rl->read_closed = 1; 365 rl->write_closed = 1; 366 ret = TLS13_IO_ALERT; 367 } 368 369 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg); 370 371 return ret; 372 } 373 374 static ssize_t 375 tls13_record_layer_send_phh(struct tls13_record_layer *rl) 376 { 377 ssize_t ret; 378 379 /* Push out pending post-handshake handshake messages. */ 380 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, 381 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) 382 return ret; 383 if (!CBS_skip(&rl->phh_cbs, ret)) 384 return TLS13_IO_FAILURE; 385 if (CBS_len(&rl->phh_cbs) != 0) 386 return TLS13_IO_WANT_RETRY; 387 388 freezero(rl->phh_data, rl->phh_len); 389 rl->phh_data = NULL; 390 rl->phh_len = 0; 391 392 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 393 394 rl->cb.phh_sent(rl->cb_arg); 395 396 return TLS13_IO_SUCCESS; 397 } 398 399 ssize_t 400 tls13_record_layer_send_pending(struct tls13_record_layer *rl) 401 { 402 /* 403 * If an alert is pending, then it needs to be sent. However, 404 * if we're already part of the way through sending post-handshake 405 * handshake messages, then we need to finish that first... 406 */ 407 408 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) 409 return tls13_record_layer_send_phh(rl); 410 411 if (rl->alert_data != NULL) 412 return tls13_record_layer_send_alert(rl); 413 414 if (rl->phh_data != NULL) 415 return tls13_record_layer_send_phh(rl); 416 417 return TLS13_IO_SUCCESS; 418 } 419 420 static ssize_t 421 tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl, 422 uint8_t alert_level, uint8_t alert_desc) 423 { 424 CBB cbb; 425 426 if (rl->alert_data != NULL) 427 return TLS13_IO_FAILURE; 428 429 if (!CBB_init(&cbb, 0)) 430 goto err; 431 432 if (!CBB_add_u8(&cbb, alert_level)) 433 goto err; 434 if (!CBB_add_u8(&cbb, alert_desc)) 435 goto err; 436 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) 437 goto err; 438 439 rl->alert_level = alert_level; 440 rl->alert_desc = alert_desc; 441 442 return tls13_record_layer_send_pending(rl); 443 444 err: 445 CBB_cleanup(&cbb); 446 447 return TLS13_IO_FAILURE; 448 } 449 450 ssize_t 451 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) 452 { 453 if (rl->phh_data != NULL) 454 return TLS13_IO_FAILURE; 455 456 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) 457 return TLS13_IO_FAILURE; 458 459 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 460 461 return tls13_record_layer_send_pending(rl); 462 } 463 464 static int 465 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash, 466 struct tls13_record_protection *rp, struct tls13_secret *traffic_key) 467 { 468 struct tls13_secret context = { .data = "", .len = 0 }; 469 struct tls13_secret key = { .data = NULL, .len = 0 }; 470 int ret = 0; 471 472 tls13_record_protection_clear(rp); 473 474 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead))) 475 goto err; 476 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead))) 477 goto err; 478 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead))) 479 goto err; 480 481 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context)) 482 goto err; 483 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) 484 goto err; 485 486 if (!EVP_AEAD_CTX_init(&rp->aead_ctx, aead, key.data, key.len, 487 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 488 goto err; 489 490 ret = 1; 491 492 err: 493 tls13_secret_cleanup(&key); 494 495 return ret; 496 } 497 498 int 499 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 500 struct tls13_secret *read_key) 501 { 502 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 503 rl->read, read_key); 504 } 505 506 int 507 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 508 struct tls13_secret *write_key) 509 { 510 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 511 rl->write, write_key); 512 } 513 514 static int 515 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) 516 { 517 CBS cbs; 518 519 if (rl->aead != NULL) 520 return 0; 521 522 /* 523 * We're still operating in plaintext mode, so just copy the 524 * content from the record to the plaintext buffer. 525 */ 526 if (!tls13_record_content(rl->rrec, &cbs)) 527 return 0; 528 529 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 530 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 531 return 0; 532 } 533 534 tls13_record_layer_rbuf_free(rl); 535 536 if (!CBS_stow(&cbs, &rl->rbuf, &rl->rbuf_len)) 537 return 0; 538 539 rl->rbuf_content_type = tls13_record_content_type(rl->rrec); 540 541 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 542 543 return 1; 544 } 545 546 static int 547 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) 548 { 549 CBS header, enc_record; 550 ssize_t inner_len; 551 uint8_t *content = NULL; 552 size_t content_len = 0; 553 uint8_t content_type; 554 size_t out_len; 555 556 if (rl->aead == NULL) 557 goto err; 558 559 if (!tls13_record_header(rl->rrec, &header)) 560 goto err; 561 if (!tls13_record_content(rl->rrec, &enc_record)) 562 goto err; 563 564 if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 565 goto err; 566 content_len = CBS_len(&enc_record); 567 568 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv, 569 rl->read->seq_num)) 570 goto err; 571 572 if (!EVP_AEAD_CTX_open(&rl->read->aead_ctx, 573 content, &out_len, content_len, 574 rl->read->nonce.data, rl->read->nonce.len, 575 CBS_data(&enc_record), CBS_len(&enc_record), 576 CBS_data(&header), CBS_len(&header))) 577 goto err; 578 579 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { 580 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 581 goto err; 582 } 583 584 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num)) 585 goto err; 586 587 /* 588 * The real content type is hidden at the end of the record content and 589 * it may be followed by padding that consists of one or more zeroes. 590 * Time to hunt for that elusive content type! 591 */ 592 /* XXX - CBS from end? CBS_get_end_u8()? */ 593 inner_len = out_len - 1; 594 while (inner_len >= 0 && content[inner_len] == 0) 595 inner_len--; 596 if (inner_len < 0) { 597 /* Unexpected message per RFC 8446 section 5.4. */ 598 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; 599 goto err; 600 } 601 if (inner_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 602 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 603 goto err; 604 } 605 content_type = content[inner_len]; 606 607 tls13_record_layer_rbuf_free(rl); 608 609 rl->rbuf_content_type = content_type; 610 rl->rbuf = content; 611 rl->rbuf_len = inner_len; 612 613 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 614 615 return 1; 616 617 err: 618 freezero(content, content_len); 619 620 return 0; 621 } 622 623 static int 624 tls13_record_layer_open_record(struct tls13_record_layer *rl) 625 { 626 if (rl->handshake_completed && rl->aead == NULL) 627 return 0; 628 629 if (rl->aead == NULL) 630 return tls13_record_layer_open_record_plaintext(rl); 631 632 return tls13_record_layer_open_record_protected(rl); 633 } 634 635 static int 636 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, 637 uint8_t content_type, const uint8_t *content, size_t content_len) 638 { 639 uint8_t *data = NULL; 640 size_t data_len = 0; 641 CBB cbb, body; 642 643 /* 644 * Allow dummy CCS messages to be sent in plaintext even when 645 * record protection has been engaged, as long as the handshake 646 * has not yet completed. 647 */ 648 if (rl->handshake_completed) 649 return 0; 650 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) 651 return 0; 652 653 /* 654 * We're still operating in plaintext mode, so just copy the 655 * content into the record. 656 */ 657 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) 658 goto err; 659 660 if (!CBB_add_u8(&cbb, content_type)) 661 goto err; 662 if (!CBB_add_u16(&cbb, rl->legacy_version)) 663 goto err; 664 if (!CBB_add_u16_length_prefixed(&cbb, &body)) 665 goto err; 666 if (!CBB_add_bytes(&body, content, content_len)) 667 goto err; 668 669 if (!CBB_finish(&cbb, &data, &data_len)) 670 goto err; 671 672 if (!tls13_record_set_data(rl->wrec, data, data_len)) 673 goto err; 674 675 rl->wrec_content_len = content_len; 676 rl->wrec_content_type = content_type; 677 678 return 1; 679 680 err: 681 CBB_cleanup(&cbb); 682 freezero(data, data_len); 683 684 return 0; 685 } 686 687 static int 688 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, 689 uint8_t content_type, const uint8_t *content, size_t content_len) 690 { 691 uint8_t *data = NULL, *header = NULL, *inner = NULL; 692 size_t data_len = 0, header_len = 0, inner_len = 0; 693 uint8_t *enc_record; 694 size_t enc_record_len; 695 ssize_t ret = 0; 696 size_t out_len; 697 CBB cbb; 698 699 if (rl->aead == NULL) 700 return 0; 701 702 memset(&cbb, 0, sizeof(cbb)); 703 704 /* Build inner plaintext. */ 705 if (!CBB_init(&cbb, content_len + 1)) 706 goto err; 707 if (!CBB_add_bytes(&cbb, content, content_len)) 708 goto err; 709 if (!CBB_add_u8(&cbb, content_type)) 710 goto err; 711 /* XXX - padding? */ 712 if (!CBB_finish(&cbb, &inner, &inner_len)) 713 goto err; 714 715 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) 716 goto err; 717 718 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 719 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); 720 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) 721 goto err; 722 723 /* Build the record header. */ 724 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) 725 goto err; 726 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) 727 goto err; 728 if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 729 goto err; 730 if (!CBB_add_u16(&cbb, enc_record_len)) 731 goto err; 732 if (!CBB_finish(&cbb, &header, &header_len)) 733 goto err; 734 735 /* Build the actual record. */ 736 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) 737 goto err; 738 if (!CBB_add_bytes(&cbb, header, header_len)) 739 goto err; 740 if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) 741 goto err; 742 if (!CBB_finish(&cbb, &data, &data_len)) 743 goto err; 744 745 if (!tls13_record_layer_update_nonce(&rl->write->nonce, 746 &rl->write->iv, rl->write->seq_num)) 747 goto err; 748 749 /* 750 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec... 751 * this would avoid a copy since the inner would be passed as two 752 * separate pieces. 753 */ 754 if (!EVP_AEAD_CTX_seal(&rl->write->aead_ctx, 755 enc_record, &out_len, enc_record_len, 756 rl->write->nonce.data, rl->write->nonce.len, 757 inner, inner_len, header, header_len)) 758 goto err; 759 760 if (out_len != enc_record_len) 761 goto err; 762 763 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num)) 764 goto err; 765 766 if (!tls13_record_set_data(rl->wrec, data, data_len)) 767 goto err; 768 769 rl->wrec_content_len = content_len; 770 rl->wrec_content_type = content_type; 771 772 data = NULL; 773 data_len = 0; 774 775 ret = 1; 776 777 err: 778 CBB_cleanup(&cbb); 779 780 freezero(data, data_len); 781 freezero(header, header_len); 782 freezero(inner, inner_len); 783 784 return ret; 785 } 786 787 static int 788 tls13_record_layer_seal_record(struct tls13_record_layer *rl, 789 uint8_t content_type, const uint8_t *content, size_t content_len) 790 { 791 if (rl->handshake_completed && rl->aead == NULL) 792 return 0; 793 794 tls13_record_layer_wrec_free(rl); 795 796 if ((rl->wrec = tls13_record_new()) == NULL) 797 return 0; 798 799 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) 800 return tls13_record_layer_seal_record_plaintext(rl, 801 content_type, content, content_len); 802 803 return tls13_record_layer_seal_record_protected(rl, content_type, 804 content, content_len); 805 } 806 807 static ssize_t 808 tls13_record_layer_read_record(struct tls13_record_layer *rl) 809 { 810 uint8_t content_type, ccs; 811 ssize_t ret; 812 CBS cbs; 813 814 if (rl->rrec == NULL) { 815 if ((rl->rrec = tls13_record_new()) == NULL) 816 goto err; 817 } 818 819 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { 820 switch (ret) { 821 case TLS13_IO_RECORD_VERSION: 822 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 823 case TLS13_IO_RECORD_OVERFLOW: 824 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); 825 } 826 return ret; 827 } 828 829 content_type = tls13_record_content_type(rl->rrec); 830 831 /* 832 * In response to a client hello we may receive an alert in a 833 * record with a legacy version. Otherwise enforce that the 834 * legacy record version is 0x0303 per RFC 8446, section 5.1. 835 */ 836 if (rl->legacy_version == TLS1_2_VERSION && 837 tls13_record_version(rl->rrec) != TLS1_2_VERSION && 838 (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed)) 839 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 840 841 /* 842 * Bag of hacks ahead... after the first ClientHello message has been 843 * sent or received and before the peer's Finished message has been 844 * received, we may receive an unencrypted ChangeCipherSpec record 845 * (see RFC 8446 section 5 and appendix D.4). This record must be 846 * ignored. 847 */ 848 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 849 if (!rl->ccs_allowed || rl->ccs_seen >= 2) 850 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 851 if (!tls13_record_content(rl->rrec, &cbs)) 852 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 853 if (!CBS_get_u8(&cbs, &ccs)) 854 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 855 if (ccs != 1) 856 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 857 rl->ccs_seen++; 858 tls13_record_layer_rrec_free(rl); 859 return TLS13_IO_WANT_RETRY; 860 } 861 862 /* 863 * Once record protection is engaged, we should only receive 864 * protected application data messages (aside from the 865 * dummy ChangeCipherSpec messages, handled above). 866 */ 867 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) 868 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 869 870 if (!tls13_record_layer_open_record(rl)) 871 goto err; 872 873 tls13_record_layer_rrec_free(rl); 874 875 /* 876 * On receiving a handshake or alert record with empty inner plaintext, 877 * we must terminate the connection with an unexpected_message alert. 878 * See RFC 8446 section 5.4. 879 */ 880 if (CBS_len(&rl->rbuf_cbs) == 0 && 881 (rl->rbuf_content_type == SSL3_RT_ALERT || 882 rl->rbuf_content_type == SSL3_RT_HANDSHAKE)) 883 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 884 885 switch (rl->rbuf_content_type) { 886 case SSL3_RT_ALERT: 887 return tls13_record_layer_process_alert(rl); 888 889 case SSL3_RT_HANDSHAKE: 890 break; 891 892 case SSL3_RT_APPLICATION_DATA: 893 if (!rl->handshake_completed) 894 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 895 break; 896 897 default: 898 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 899 } 900 901 return TLS13_IO_SUCCESS; 902 903 err: 904 return TLS13_IO_FAILURE; 905 } 906 907 static ssize_t 908 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) 909 { 910 if (rl->rbuf_content_type != content_type) 911 return 0; 912 913 return CBS_len(&rl->rbuf_cbs); 914 } 915 916 static ssize_t 917 tls13_record_layer_recv_phh(struct tls13_record_layer *rl) 918 { 919 ssize_t ret = TLS13_IO_FAILURE; 920 921 rl->phh = 1; 922 923 /* 924 * The post handshake handshake receive callback is allowed to return: 925 * 926 * TLS13_IO_WANT_POLLIN need more handshake data. 927 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued. 928 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do. 929 * TLS13_IO_FAILURE something broke. 930 */ 931 if (rl->cb.phh_recv != NULL) 932 ret = rl->cb.phh_recv(rl->cb_arg, &rl->rbuf_cbs); 933 934 tls13_record_layer_rbuf_free(rl); 935 936 /* Leave post handshake handshake mode unless we need more data. */ 937 if (ret != TLS13_IO_WANT_POLLIN) 938 rl->phh = 0; 939 940 if (ret == TLS13_IO_SUCCESS) { 941 if (rl->phh_retry) 942 return TLS13_IO_WANT_RETRY; 943 944 return TLS13_IO_WANT_POLLIN; 945 } 946 947 return ret; 948 } 949 950 static ssize_t 951 tls13_record_layer_read_internal(struct tls13_record_layer *rl, 952 uint8_t content_type, uint8_t *buf, size_t n, int peek) 953 { 954 ssize_t ret; 955 956 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) 957 return ret; 958 959 if (rl->read_closed) 960 return TLS13_IO_EOF; 961 962 /* If necessary, pull up the next record. */ 963 if (CBS_len(&rl->rbuf_cbs) == 0) { 964 if ((ret = tls13_record_layer_read_record(rl)) <= 0) 965 return ret; 966 967 /* 968 * We may have read a valid 0-byte application data record, 969 * in which case we need to read the next record. 970 */ 971 if (CBS_len(&rl->rbuf_cbs) == 0) { 972 tls13_record_layer_rbuf_free(rl); 973 return TLS13_IO_WANT_POLLIN; 974 } 975 } 976 977 /* 978 * If we are in post handshake handshake mode, we must not see 979 * any record type that isn't a handshake until we are done. 980 */ 981 if (rl->phh && rl->rbuf_content_type != SSL3_RT_HANDSHAKE) 982 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 983 984 /* 985 * Handshake content can appear as post-handshake messages (yup, 986 * the RFC reused the same content type...), which means we can 987 * be trying to read application data and need to handle a 988 * post-handshake handshake message instead... 989 */ 990 if (rl->rbuf_content_type != content_type) { 991 if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) { 992 if (rl->handshake_completed) 993 return tls13_record_layer_recv_phh(rl); 994 } 995 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 996 } 997 998 if (n > CBS_len(&rl->rbuf_cbs)) 999 n = CBS_len(&rl->rbuf_cbs); 1000 1001 /* XXX - CBS_memcpy? CBS_copy_bytes? */ 1002 memcpy(buf, CBS_data(&rl->rbuf_cbs), n); 1003 1004 if (!peek) { 1005 if (!CBS_skip(&rl->rbuf_cbs, n)) 1006 goto err; 1007 } 1008 1009 if (CBS_len(&rl->rbuf_cbs) == 0) 1010 tls13_record_layer_rbuf_free(rl); 1011 1012 return n; 1013 1014 err: 1015 return TLS13_IO_FAILURE; 1016 } 1017 1018 static ssize_t 1019 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, 1020 uint8_t *buf, size_t n) 1021 { 1022 ssize_t ret; 1023 1024 do { 1025 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); 1026 } while (ret == TLS13_IO_WANT_RETRY); 1027 1028 if (rl->alert != 0) 1029 return tls13_send_alert(rl, rl->alert); 1030 1031 return ret; 1032 } 1033 1034 static ssize_t 1035 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, 1036 uint8_t *buf, size_t n) 1037 { 1038 ssize_t ret; 1039 1040 do { 1041 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); 1042 } while (ret == TLS13_IO_WANT_RETRY); 1043 1044 if (rl->alert != 0) 1045 return tls13_send_alert(rl, rl->alert); 1046 1047 return ret; 1048 } 1049 1050 static ssize_t 1051 tls13_record_layer_write_record(struct tls13_record_layer *rl, 1052 uint8_t content_type, const uint8_t *content, size_t content_len) 1053 { 1054 ssize_t ret; 1055 1056 if (rl->write_closed) 1057 return TLS13_IO_EOF; 1058 1059 /* 1060 * If we pushed out application data while handling other messages, 1061 * we need to return content length on the next call. 1062 */ 1063 if (content_type == SSL3_RT_APPLICATION_DATA && 1064 rl->wrec_appdata_len != 0) { 1065 ret = rl->wrec_appdata_len; 1066 rl->wrec_appdata_len = 0; 1067 return ret; 1068 } 1069 1070 /* See if there is an existing record and attempt to push it out... */ 1071 if (rl->wrec != NULL) { 1072 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, 1073 rl->cb_arg)) <= 0) 1074 return ret; 1075 tls13_record_layer_wrec_free(rl); 1076 1077 if (rl->wrec_content_type == content_type) { 1078 ret = rl->wrec_content_len; 1079 rl->wrec_content_len = 0; 1080 rl->wrec_content_type = 0; 1081 return ret; 1082 } 1083 1084 /* 1085 * The only partial record type should be application data. 1086 * All other cases are handled to completion. 1087 */ 1088 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) 1089 return TLS13_IO_FAILURE; 1090 rl->wrec_appdata_len = rl->wrec_content_len; 1091 } 1092 1093 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1094 goto err; 1095 1096 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) 1097 goto err; 1098 1099 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) 1100 return ret; 1101 1102 tls13_record_layer_wrec_free(rl); 1103 1104 return content_len; 1105 1106 err: 1107 return TLS13_IO_FAILURE; 1108 } 1109 1110 static ssize_t 1111 tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 1112 uint8_t content_type, const uint8_t *buf, size_t n) 1113 { 1114 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1115 n = TLS13_RECORD_MAX_PLAINTEXT_LEN; 1116 1117 return tls13_record_layer_write_record(rl, content_type, buf, n); 1118 } 1119 1120 static ssize_t 1121 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, 1122 const uint8_t *buf, size_t n) 1123 { 1124 ssize_t ret; 1125 1126 do { 1127 ret = tls13_record_layer_send_pending(rl); 1128 } while (ret == TLS13_IO_WANT_RETRY); 1129 if (ret != TLS13_IO_SUCCESS) 1130 return ret; 1131 1132 do { 1133 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); 1134 } while (ret == TLS13_IO_WANT_RETRY); 1135 1136 return ret; 1137 } 1138 1139 static const uint8_t tls13_dummy_ccs[] = { 0x01 }; 1140 1141 ssize_t 1142 tls13_send_dummy_ccs(struct tls13_record_layer *rl) 1143 { 1144 ssize_t ret; 1145 1146 if (rl->ccs_sent) 1147 return TLS13_IO_FAILURE; 1148 1149 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, 1150 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) 1151 return ret; 1152 1153 rl->ccs_sent = 1; 1154 1155 return TLS13_IO_SUCCESS; 1156 } 1157 1158 ssize_t 1159 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1160 { 1161 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); 1162 } 1163 1164 ssize_t 1165 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 1166 size_t n) 1167 { 1168 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); 1169 } 1170 1171 ssize_t 1172 tls13_pending_application_data(struct tls13_record_layer *rl) 1173 { 1174 if (!rl->handshake_completed) 1175 return 0; 1176 1177 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); 1178 } 1179 1180 ssize_t 1181 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1182 { 1183 if (!rl->handshake_completed) 1184 return TLS13_IO_FAILURE; 1185 1186 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1187 } 1188 1189 ssize_t 1190 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1191 { 1192 if (!rl->handshake_completed) 1193 return TLS13_IO_FAILURE; 1194 1195 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1196 } 1197 1198 ssize_t 1199 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 1200 size_t n) 1201 { 1202 if (!rl->handshake_completed) 1203 return TLS13_IO_FAILURE; 1204 1205 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1206 } 1207 1208 ssize_t 1209 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) 1210 { 1211 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; 1212 ssize_t ret; 1213 1214 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || 1215 alert_desc == TLS13_ALERT_USER_CANCELED) 1216 alert_level = TLS13_ALERT_LEVEL_WARNING; 1217 1218 do { 1219 ret = tls13_record_layer_enqueue_alert(rl, alert_level, 1220 alert_desc); 1221 } while (ret == TLS13_IO_WANT_RETRY); 1222 1223 return ret; 1224 } 1225