1 /* $OpenBSD: tls13_record_layer.c,v 1.65 2021/12/15 17:57:45 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "tls13_internal.h" 19 #include "tls13_record.h" 20 #include "tls_content.h" 21 22 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 23 uint8_t content_type, const uint8_t *buf, size_t n); 24 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, 25 uint8_t content_type, const uint8_t *content, size_t content_len); 26 27 struct tls13_record_protection { 28 EVP_AEAD_CTX aead_ctx; 29 struct tls13_secret iv; 30 struct tls13_secret nonce; 31 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 32 }; 33 34 struct tls13_record_protection * 35 tls13_record_protection_new(void) 36 { 37 return calloc(1, sizeof(struct tls13_record_protection)); 38 } 39 40 void 41 tls13_record_protection_clear(struct tls13_record_protection *rp) 42 { 43 EVP_AEAD_CTX_cleanup(&rp->aead_ctx); 44 45 tls13_secret_cleanup(&rp->iv); 46 tls13_secret_cleanup(&rp->nonce); 47 48 memset(rp->seq_num, 0, sizeof(rp->seq_num)); 49 } 50 51 void 52 tls13_record_protection_free(struct tls13_record_protection *rp) 53 { 54 if (rp == NULL) 55 return; 56 57 tls13_record_protection_clear(rp); 58 59 freezero(rp, sizeof(struct tls13_record_protection)); 60 } 61 62 struct tls13_record_layer { 63 uint16_t legacy_version; 64 65 int ccs_allowed; 66 int ccs_seen; 67 int ccs_sent; 68 int handshake_completed; 69 int legacy_alerts_allowed; 70 int phh; 71 int phh_retry; 72 73 /* 74 * Read and/or write channels are closed due to an alert being 75 * sent or received. In the case of an error alert both channels 76 * are closed, whereas in the case of a close notify only one 77 * channel is closed. 78 */ 79 int read_closed; 80 int write_closed; 81 82 struct tls13_record *rrec; 83 84 struct tls13_record *wrec; 85 uint8_t wrec_content_type; 86 size_t wrec_appdata_len; 87 size_t wrec_content_len; 88 89 /* Alert to be sent on return from current read handler. */ 90 uint8_t alert; 91 92 /* Pending alert messages. */ 93 uint8_t *alert_data; 94 size_t alert_len; 95 uint8_t alert_level; 96 uint8_t alert_desc; 97 98 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ 99 CBS phh_cbs; 100 uint8_t *phh_data; 101 size_t phh_len; 102 103 /* Content from opened records. */ 104 struct tls_content *rcontent; 105 106 /* Record protection. */ 107 const EVP_MD *hash; 108 const EVP_AEAD *aead; 109 struct tls13_record_protection *read; 110 struct tls13_record_protection *write; 111 112 /* Callbacks. */ 113 struct tls13_record_layer_callbacks cb; 114 void *cb_arg; 115 }; 116 117 static void 118 tls13_record_layer_rrec_free(struct tls13_record_layer *rl) 119 { 120 tls13_record_free(rl->rrec); 121 rl->rrec = NULL; 122 } 123 124 static void 125 tls13_record_layer_wrec_free(struct tls13_record_layer *rl) 126 { 127 tls13_record_free(rl->wrec); 128 rl->wrec = NULL; 129 } 130 131 struct tls13_record_layer * 132 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, 133 void *cb_arg) 134 { 135 struct tls13_record_layer *rl; 136 137 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) 138 goto err; 139 140 if ((rl->rcontent = tls_content_new()) == NULL) 141 goto err; 142 143 if ((rl->read = tls13_record_protection_new()) == NULL) 144 goto err; 145 if ((rl->write = tls13_record_protection_new()) == NULL) 146 goto err; 147 148 rl->legacy_version = TLS1_2_VERSION; 149 rl->cb = *callbacks; 150 rl->cb_arg = cb_arg; 151 152 return rl; 153 154 err: 155 tls13_record_layer_free(rl); 156 157 return NULL; 158 } 159 160 void 161 tls13_record_layer_free(struct tls13_record_layer *rl) 162 { 163 if (rl == NULL) 164 return; 165 166 tls13_record_layer_rrec_free(rl); 167 tls13_record_layer_wrec_free(rl); 168 169 freezero(rl->alert_data, rl->alert_len); 170 freezero(rl->phh_data, rl->phh_len); 171 172 tls_content_free(rl->rcontent); 173 174 tls13_record_protection_free(rl->read); 175 tls13_record_protection_free(rl->write); 176 177 freezero(rl, sizeof(struct tls13_record_layer)); 178 } 179 180 void 181 tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs) 182 { 183 CBS_dup(tls_content_cbs(rl->rcontent), cbs); 184 } 185 186 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { 187 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 188 }; 189 190 int 191 tls13_record_layer_inc_seq_num(uint8_t *seq_num) 192 { 193 int i; 194 195 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ 196 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) 197 return 0; 198 199 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 200 if (++seq_num[i] != 0) 201 break; 202 } 203 204 return 1; 205 } 206 207 static int 208 tls13_record_layer_update_nonce(struct tls13_secret *nonce, 209 struct tls13_secret *iv, uint8_t *seq_num) 210 { 211 ssize_t i, j; 212 213 if (nonce->len != iv->len) 214 return 0; 215 216 /* 217 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd 218 * with the IV to produce a per-record nonce. The IV will also be 219 * at least 8-bytes in length. 220 */ 221 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) 222 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0); 223 224 return 1; 225 } 226 227 void 228 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) 229 { 230 rl->ccs_allowed = allow; 231 } 232 233 void 234 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) 235 { 236 rl->legacy_alerts_allowed = allow; 237 } 238 239 void 240 tls13_record_layer_set_aead(struct tls13_record_layer *rl, 241 const EVP_AEAD *aead) 242 { 243 rl->aead = aead; 244 } 245 246 void 247 tls13_record_layer_set_hash(struct tls13_record_layer *rl, 248 const EVP_MD *hash) 249 { 250 rl->hash = hash; 251 } 252 253 void 254 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, 255 uint16_t version) 256 { 257 rl->legacy_version = version; 258 } 259 260 void 261 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) 262 { 263 rl->handshake_completed = 1; 264 } 265 266 void 267 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) 268 { 269 rl->phh_retry = retry; 270 } 271 272 static ssize_t 273 tls13_record_layer_process_alert(struct tls13_record_layer *rl) 274 { 275 uint8_t alert_level, alert_desc; 276 ssize_t ret = TLS13_IO_FAILURE; 277 278 /* 279 * RFC 8446 - sections 5.1 and 6. 280 * 281 * A TLSv1.3 alert record can only contain a single alert - this means 282 * that processing the alert must consume all of the record. The alert 283 * will result in one of three things - continuation (user_cancelled), 284 * read channel closure (close_notify) or termination (all others). 285 */ 286 if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT) 287 return TLS13_IO_FAILURE; 288 289 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level)) 290 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 291 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc)) 292 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 293 294 if (tls_content_remaining(rl->rcontent) != 0) 295 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 296 297 tls_content_clear(rl->rcontent); 298 299 /* 300 * Alert level is ignored for closure alerts (RFC 8446 section 6.1), 301 * however for error alerts (RFC 8446 section 6.2), the alert level 302 * must be specified as fatal. 303 */ 304 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 305 rl->read_closed = 1; 306 ret = TLS13_IO_EOF; 307 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { 308 /* Ignored at the record layer. */ 309 ret = TLS13_IO_WANT_RETRY; 310 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { 311 rl->read_closed = 1; 312 rl->write_closed = 1; 313 ret = TLS13_IO_ALERT; 314 } else if (rl->legacy_alerts_allowed && 315 alert_level == TLS13_ALERT_LEVEL_WARNING) { 316 /* Ignored and not passed to the callback. */ 317 return TLS13_IO_WANT_RETRY; 318 } else { 319 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 320 } 321 322 rl->cb.alert_recv(alert_desc, rl->cb_arg); 323 324 return ret; 325 } 326 327 static ssize_t 328 tls13_record_layer_send_alert(struct tls13_record_layer *rl) 329 { 330 ssize_t ret; 331 332 /* This has to fit into a single record, per RFC 8446 section 5.1. */ 333 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, 334 rl->alert_data, rl->alert_len)) != rl->alert_len) { 335 if (ret == TLS13_IO_EOF) 336 ret = TLS13_IO_ALERT; 337 return ret; 338 } 339 340 freezero(rl->alert_data, rl->alert_len); 341 rl->alert_data = NULL; 342 rl->alert_len = 0; 343 344 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 345 rl->write_closed = 1; 346 ret = TLS13_IO_SUCCESS; 347 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { 348 /* Ignored at the record layer. */ 349 ret = TLS13_IO_SUCCESS; 350 } else { 351 rl->read_closed = 1; 352 rl->write_closed = 1; 353 ret = TLS13_IO_ALERT; 354 } 355 356 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg); 357 358 return ret; 359 } 360 361 static ssize_t 362 tls13_record_layer_send_phh(struct tls13_record_layer *rl) 363 { 364 ssize_t ret; 365 366 /* Push out pending post-handshake handshake messages. */ 367 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, 368 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) 369 return ret; 370 if (!CBS_skip(&rl->phh_cbs, ret)) 371 return TLS13_IO_FAILURE; 372 if (CBS_len(&rl->phh_cbs) != 0) 373 return TLS13_IO_WANT_RETRY; 374 375 freezero(rl->phh_data, rl->phh_len); 376 rl->phh_data = NULL; 377 rl->phh_len = 0; 378 379 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 380 381 rl->cb.phh_sent(rl->cb_arg); 382 383 return TLS13_IO_SUCCESS; 384 } 385 386 ssize_t 387 tls13_record_layer_send_pending(struct tls13_record_layer *rl) 388 { 389 /* 390 * If an alert is pending, then it needs to be sent. However, 391 * if we're already part of the way through sending post-handshake 392 * handshake messages, then we need to finish that first... 393 */ 394 395 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) 396 return tls13_record_layer_send_phh(rl); 397 398 if (rl->alert_data != NULL) 399 return tls13_record_layer_send_alert(rl); 400 401 if (rl->phh_data != NULL) 402 return tls13_record_layer_send_phh(rl); 403 404 return TLS13_IO_SUCCESS; 405 } 406 407 static ssize_t 408 tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl, 409 uint8_t alert_level, uint8_t alert_desc) 410 { 411 CBB cbb; 412 413 if (rl->alert_data != NULL) 414 return TLS13_IO_FAILURE; 415 416 if (!CBB_init(&cbb, 0)) 417 goto err; 418 419 if (!CBB_add_u8(&cbb, alert_level)) 420 goto err; 421 if (!CBB_add_u8(&cbb, alert_desc)) 422 goto err; 423 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) 424 goto err; 425 426 rl->alert_level = alert_level; 427 rl->alert_desc = alert_desc; 428 429 return tls13_record_layer_send_pending(rl); 430 431 err: 432 CBB_cleanup(&cbb); 433 434 return TLS13_IO_FAILURE; 435 } 436 437 ssize_t 438 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) 439 { 440 if (rl->phh_data != NULL) 441 return TLS13_IO_FAILURE; 442 443 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) 444 return TLS13_IO_FAILURE; 445 446 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 447 448 return tls13_record_layer_send_pending(rl); 449 } 450 451 static int 452 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash, 453 struct tls13_record_protection *rp, struct tls13_secret *traffic_key) 454 { 455 struct tls13_secret context = { .data = "", .len = 0 }; 456 struct tls13_secret key = { .data = NULL, .len = 0 }; 457 int ret = 0; 458 459 tls13_record_protection_clear(rp); 460 461 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead))) 462 goto err; 463 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead))) 464 goto err; 465 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead))) 466 goto err; 467 468 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context)) 469 goto err; 470 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) 471 goto err; 472 473 if (!EVP_AEAD_CTX_init(&rp->aead_ctx, aead, key.data, key.len, 474 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 475 goto err; 476 477 ret = 1; 478 479 err: 480 tls13_secret_cleanup(&key); 481 482 return ret; 483 } 484 485 int 486 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 487 struct tls13_secret *read_key) 488 { 489 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 490 rl->read, read_key); 491 } 492 493 int 494 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 495 struct tls13_secret *write_key) 496 { 497 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 498 rl->write, write_key); 499 } 500 501 static int 502 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) 503 { 504 CBS cbs; 505 506 if (rl->aead != NULL) 507 return 0; 508 509 /* 510 * We're still operating in plaintext mode, so just copy the 511 * content from the record to the plaintext buffer. 512 */ 513 if (!tls13_record_content(rl->rrec, &cbs)) 514 return 0; 515 516 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 517 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 518 return 0; 519 } 520 521 if (!tls_content_dup_data(rl->rcontent, 522 tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs))) 523 return 0; 524 525 return 1; 526 } 527 528 static int 529 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) 530 { 531 CBS header, enc_record, inner; 532 uint8_t *content = NULL; 533 size_t content_len = 0; 534 uint8_t content_type; 535 size_t out_len; 536 537 if (rl->aead == NULL) 538 goto err; 539 540 if (!tls13_record_header(rl->rrec, &header)) 541 goto err; 542 if (!tls13_record_content(rl->rrec, &enc_record)) 543 goto err; 544 545 if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 546 goto err; 547 content_len = CBS_len(&enc_record); 548 549 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv, 550 rl->read->seq_num)) 551 goto err; 552 553 if (!EVP_AEAD_CTX_open(&rl->read->aead_ctx, 554 content, &out_len, content_len, 555 rl->read->nonce.data, rl->read->nonce.len, 556 CBS_data(&enc_record), CBS_len(&enc_record), 557 CBS_data(&header), CBS_len(&header))) 558 goto err; 559 560 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { 561 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 562 goto err; 563 } 564 565 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num)) 566 goto err; 567 568 /* 569 * The real content type is hidden at the end of the record content and 570 * it may be followed by padding that consists of one or more zeroes. 571 * Time to hunt for that elusive content type! 572 */ 573 CBS_init(&inner, content, out_len); 574 content_type = 0; 575 while (CBS_get_last_u8(&inner, &content_type)) { 576 if (content_type != 0) 577 break; 578 } 579 if (content_type == 0) { 580 /* Unexpected message per RFC 8446 section 5.4. */ 581 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; 582 goto err; 583 } 584 if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 585 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 586 goto err; 587 } 588 589 tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner), 590 CBS_len(&inner)); 591 592 return 1; 593 594 err: 595 freezero(content, content_len); 596 597 return 0; 598 } 599 600 static int 601 tls13_record_layer_open_record(struct tls13_record_layer *rl) 602 { 603 if (rl->handshake_completed && rl->aead == NULL) 604 return 0; 605 606 if (rl->aead == NULL) 607 return tls13_record_layer_open_record_plaintext(rl); 608 609 return tls13_record_layer_open_record_protected(rl); 610 } 611 612 static int 613 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, 614 uint8_t content_type, const uint8_t *content, size_t content_len) 615 { 616 uint8_t *data = NULL; 617 size_t data_len = 0; 618 CBB cbb, body; 619 620 /* 621 * Allow dummy CCS messages to be sent in plaintext even when 622 * record protection has been engaged, as long as the handshake 623 * has not yet completed. 624 */ 625 if (rl->handshake_completed) 626 return 0; 627 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) 628 return 0; 629 630 /* 631 * We're still operating in plaintext mode, so just copy the 632 * content into the record. 633 */ 634 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) 635 goto err; 636 637 if (!CBB_add_u8(&cbb, content_type)) 638 goto err; 639 if (!CBB_add_u16(&cbb, rl->legacy_version)) 640 goto err; 641 if (!CBB_add_u16_length_prefixed(&cbb, &body)) 642 goto err; 643 if (!CBB_add_bytes(&body, content, content_len)) 644 goto err; 645 646 if (!CBB_finish(&cbb, &data, &data_len)) 647 goto err; 648 649 if (!tls13_record_set_data(rl->wrec, data, data_len)) 650 goto err; 651 652 rl->wrec_content_len = content_len; 653 rl->wrec_content_type = content_type; 654 655 return 1; 656 657 err: 658 CBB_cleanup(&cbb); 659 freezero(data, data_len); 660 661 return 0; 662 } 663 664 static int 665 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, 666 uint8_t content_type, const uint8_t *content, size_t content_len) 667 { 668 uint8_t *data = NULL, *header = NULL, *inner = NULL; 669 size_t data_len = 0, header_len = 0, inner_len = 0; 670 uint8_t *enc_record; 671 size_t enc_record_len; 672 ssize_t ret = 0; 673 size_t out_len; 674 CBB cbb; 675 676 if (rl->aead == NULL) 677 return 0; 678 679 memset(&cbb, 0, sizeof(cbb)); 680 681 /* Build inner plaintext. */ 682 if (!CBB_init(&cbb, content_len + 1)) 683 goto err; 684 if (!CBB_add_bytes(&cbb, content, content_len)) 685 goto err; 686 if (!CBB_add_u8(&cbb, content_type)) 687 goto err; 688 /* XXX - padding? */ 689 if (!CBB_finish(&cbb, &inner, &inner_len)) 690 goto err; 691 692 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) 693 goto err; 694 695 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 696 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); 697 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) 698 goto err; 699 700 /* Build the record header. */ 701 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) 702 goto err; 703 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) 704 goto err; 705 if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 706 goto err; 707 if (!CBB_add_u16(&cbb, enc_record_len)) 708 goto err; 709 if (!CBB_finish(&cbb, &header, &header_len)) 710 goto err; 711 712 /* Build the actual record. */ 713 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) 714 goto err; 715 if (!CBB_add_bytes(&cbb, header, header_len)) 716 goto err; 717 if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) 718 goto err; 719 if (!CBB_finish(&cbb, &data, &data_len)) 720 goto err; 721 722 if (!tls13_record_layer_update_nonce(&rl->write->nonce, 723 &rl->write->iv, rl->write->seq_num)) 724 goto err; 725 726 /* 727 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec... 728 * this would avoid a copy since the inner would be passed as two 729 * separate pieces. 730 */ 731 if (!EVP_AEAD_CTX_seal(&rl->write->aead_ctx, 732 enc_record, &out_len, enc_record_len, 733 rl->write->nonce.data, rl->write->nonce.len, 734 inner, inner_len, header, header_len)) 735 goto err; 736 737 if (out_len != enc_record_len) 738 goto err; 739 740 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num)) 741 goto err; 742 743 if (!tls13_record_set_data(rl->wrec, data, data_len)) 744 goto err; 745 746 rl->wrec_content_len = content_len; 747 rl->wrec_content_type = content_type; 748 749 data = NULL; 750 data_len = 0; 751 752 ret = 1; 753 754 err: 755 CBB_cleanup(&cbb); 756 757 freezero(data, data_len); 758 freezero(header, header_len); 759 freezero(inner, inner_len); 760 761 return ret; 762 } 763 764 static int 765 tls13_record_layer_seal_record(struct tls13_record_layer *rl, 766 uint8_t content_type, const uint8_t *content, size_t content_len) 767 { 768 if (rl->handshake_completed && rl->aead == NULL) 769 return 0; 770 771 tls13_record_layer_wrec_free(rl); 772 773 if ((rl->wrec = tls13_record_new()) == NULL) 774 return 0; 775 776 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) 777 return tls13_record_layer_seal_record_plaintext(rl, 778 content_type, content, content_len); 779 780 return tls13_record_layer_seal_record_protected(rl, content_type, 781 content, content_len); 782 } 783 784 static ssize_t 785 tls13_record_layer_read_record(struct tls13_record_layer *rl) 786 { 787 uint8_t content_type, ccs; 788 ssize_t ret; 789 CBS cbs; 790 791 if (rl->rrec == NULL) { 792 if ((rl->rrec = tls13_record_new()) == NULL) 793 goto err; 794 } 795 796 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { 797 switch (ret) { 798 case TLS13_IO_RECORD_VERSION: 799 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 800 case TLS13_IO_RECORD_OVERFLOW: 801 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); 802 } 803 return ret; 804 } 805 806 content_type = tls13_record_content_type(rl->rrec); 807 808 /* 809 * In response to a client hello we may receive an alert in a 810 * record with a legacy version. Otherwise enforce that the 811 * legacy record version is 0x0303 per RFC 8446, section 5.1. 812 */ 813 if (rl->legacy_version == TLS1_2_VERSION && 814 tls13_record_version(rl->rrec) != TLS1_2_VERSION && 815 (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed)) 816 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 817 818 /* 819 * Bag of hacks ahead... after the first ClientHello message has been 820 * sent or received and before the peer's Finished message has been 821 * received, we may receive an unencrypted ChangeCipherSpec record 822 * (see RFC 8446 section 5 and appendix D.4). This record must be 823 * ignored. 824 */ 825 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 826 if (!rl->ccs_allowed || rl->ccs_seen >= 2) 827 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 828 if (!tls13_record_content(rl->rrec, &cbs)) 829 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 830 if (!CBS_get_u8(&cbs, &ccs)) 831 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 832 if (ccs != 1) 833 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 834 rl->ccs_seen++; 835 tls13_record_layer_rrec_free(rl); 836 return TLS13_IO_WANT_RETRY; 837 } 838 839 /* 840 * Once record protection is engaged, we should only receive 841 * protected application data messages (aside from the 842 * dummy ChangeCipherSpec messages, handled above). 843 */ 844 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) 845 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 846 847 if (!tls13_record_layer_open_record(rl)) 848 goto err; 849 850 tls13_record_layer_rrec_free(rl); 851 852 /* 853 * On receiving a handshake or alert record with empty inner plaintext, 854 * we must terminate the connection with an unexpected_message alert. 855 * See RFC 8446 section 5.4. 856 */ 857 if (tls_content_remaining(rl->rcontent) == 0 && 858 (tls_content_type(rl->rcontent) == SSL3_RT_ALERT || 859 tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE)) 860 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 861 862 switch (tls_content_type(rl->rcontent)) { 863 case SSL3_RT_ALERT: 864 return tls13_record_layer_process_alert(rl); 865 866 case SSL3_RT_HANDSHAKE: 867 break; 868 869 case SSL3_RT_APPLICATION_DATA: 870 if (!rl->handshake_completed) 871 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 872 break; 873 874 default: 875 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 876 } 877 878 return TLS13_IO_SUCCESS; 879 880 err: 881 return TLS13_IO_FAILURE; 882 } 883 884 static ssize_t 885 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) 886 { 887 if (tls_content_type(rl->rcontent) != content_type) 888 return 0; 889 890 return tls_content_remaining(rl->rcontent); 891 } 892 893 static ssize_t 894 tls13_record_layer_recv_phh(struct tls13_record_layer *rl) 895 { 896 ssize_t ret = TLS13_IO_FAILURE; 897 898 rl->phh = 1; 899 900 /* 901 * The post handshake handshake receive callback is allowed to return: 902 * 903 * TLS13_IO_WANT_POLLIN need more handshake data. 904 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued. 905 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do. 906 * TLS13_IO_FAILURE something broke. 907 */ 908 if (rl->cb.phh_recv != NULL) 909 ret = rl->cb.phh_recv(rl->cb_arg, tls_content_cbs(rl->rcontent)); 910 911 tls_content_clear(rl->rcontent); 912 913 /* Leave post handshake handshake mode unless we need more data. */ 914 if (ret != TLS13_IO_WANT_POLLIN) 915 rl->phh = 0; 916 917 if (ret == TLS13_IO_SUCCESS) { 918 if (rl->phh_retry) 919 return TLS13_IO_WANT_RETRY; 920 921 return TLS13_IO_WANT_POLLIN; 922 } 923 924 return ret; 925 } 926 927 static ssize_t 928 tls13_record_layer_read_internal(struct tls13_record_layer *rl, 929 uint8_t content_type, uint8_t *buf, size_t n, int peek) 930 { 931 ssize_t ret; 932 933 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) 934 return ret; 935 936 if (rl->read_closed) 937 return TLS13_IO_EOF; 938 939 /* If necessary, pull up the next record. */ 940 if (tls_content_remaining(rl->rcontent) == 0) { 941 if ((ret = tls13_record_layer_read_record(rl)) <= 0) 942 return ret; 943 944 /* 945 * We may have read a valid 0-byte application data record, 946 * in which case we need to read the next record. 947 */ 948 if (tls_content_remaining(rl->rcontent) == 0) 949 return TLS13_IO_WANT_POLLIN; 950 } 951 952 /* 953 * If we are in post handshake handshake mode, we must not see 954 * any record type that isn't a handshake until we are done. 955 */ 956 if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE) 957 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 958 959 /* 960 * Handshake content can appear as post-handshake messages (yup, 961 * the RFC reused the same content type...), which means we can 962 * be trying to read application data and need to handle a 963 * post-handshake handshake message instead... 964 */ 965 if (tls_content_type(rl->rcontent) != content_type) { 966 if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE) { 967 if (rl->handshake_completed) 968 return tls13_record_layer_recv_phh(rl); 969 } 970 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 971 } 972 973 if (peek) 974 return tls_content_peek(rl->rcontent, buf, n); 975 976 return tls_content_read(rl->rcontent, buf, n); 977 } 978 979 static ssize_t 980 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, 981 uint8_t *buf, size_t n) 982 { 983 ssize_t ret; 984 985 do { 986 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); 987 } while (ret == TLS13_IO_WANT_RETRY); 988 989 if (rl->alert != 0) 990 return tls13_send_alert(rl, rl->alert); 991 992 return ret; 993 } 994 995 static ssize_t 996 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, 997 uint8_t *buf, size_t n) 998 { 999 ssize_t ret; 1000 1001 do { 1002 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); 1003 } while (ret == TLS13_IO_WANT_RETRY); 1004 1005 if (rl->alert != 0) 1006 return tls13_send_alert(rl, rl->alert); 1007 1008 return ret; 1009 } 1010 1011 static ssize_t 1012 tls13_record_layer_write_record(struct tls13_record_layer *rl, 1013 uint8_t content_type, const uint8_t *content, size_t content_len) 1014 { 1015 ssize_t ret; 1016 1017 if (rl->write_closed) 1018 return TLS13_IO_EOF; 1019 1020 /* 1021 * If we pushed out application data while handling other messages, 1022 * we need to return content length on the next call. 1023 */ 1024 if (content_type == SSL3_RT_APPLICATION_DATA && 1025 rl->wrec_appdata_len != 0) { 1026 ret = rl->wrec_appdata_len; 1027 rl->wrec_appdata_len = 0; 1028 return ret; 1029 } 1030 1031 /* See if there is an existing record and attempt to push it out... */ 1032 if (rl->wrec != NULL) { 1033 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, 1034 rl->cb_arg)) <= 0) 1035 return ret; 1036 tls13_record_layer_wrec_free(rl); 1037 1038 if (rl->wrec_content_type == content_type) { 1039 ret = rl->wrec_content_len; 1040 rl->wrec_content_len = 0; 1041 rl->wrec_content_type = 0; 1042 return ret; 1043 } 1044 1045 /* 1046 * The only partial record type should be application data. 1047 * All other cases are handled to completion. 1048 */ 1049 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) 1050 return TLS13_IO_FAILURE; 1051 rl->wrec_appdata_len = rl->wrec_content_len; 1052 } 1053 1054 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1055 goto err; 1056 1057 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) 1058 goto err; 1059 1060 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) 1061 return ret; 1062 1063 tls13_record_layer_wrec_free(rl); 1064 1065 return content_len; 1066 1067 err: 1068 return TLS13_IO_FAILURE; 1069 } 1070 1071 static ssize_t 1072 tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 1073 uint8_t content_type, const uint8_t *buf, size_t n) 1074 { 1075 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1076 n = TLS13_RECORD_MAX_PLAINTEXT_LEN; 1077 1078 return tls13_record_layer_write_record(rl, content_type, buf, n); 1079 } 1080 1081 static ssize_t 1082 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, 1083 const uint8_t *buf, size_t n) 1084 { 1085 ssize_t ret; 1086 1087 do { 1088 ret = tls13_record_layer_send_pending(rl); 1089 } while (ret == TLS13_IO_WANT_RETRY); 1090 if (ret != TLS13_IO_SUCCESS) 1091 return ret; 1092 1093 do { 1094 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); 1095 } while (ret == TLS13_IO_WANT_RETRY); 1096 1097 return ret; 1098 } 1099 1100 ssize_t 1101 tls13_record_layer_flush(struct tls13_record_layer *rl) 1102 { 1103 return rl->cb.wire_flush(rl->cb_arg); 1104 } 1105 1106 static const uint8_t tls13_dummy_ccs[] = { 0x01 }; 1107 1108 ssize_t 1109 tls13_send_dummy_ccs(struct tls13_record_layer *rl) 1110 { 1111 ssize_t ret; 1112 1113 if (rl->ccs_sent) 1114 return TLS13_IO_FAILURE; 1115 1116 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, 1117 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) 1118 return ret; 1119 1120 rl->ccs_sent = 1; 1121 1122 return TLS13_IO_SUCCESS; 1123 } 1124 1125 ssize_t 1126 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1127 { 1128 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); 1129 } 1130 1131 ssize_t 1132 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 1133 size_t n) 1134 { 1135 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); 1136 } 1137 1138 ssize_t 1139 tls13_pending_application_data(struct tls13_record_layer *rl) 1140 { 1141 if (!rl->handshake_completed) 1142 return 0; 1143 1144 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); 1145 } 1146 1147 ssize_t 1148 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1149 { 1150 if (!rl->handshake_completed) 1151 return TLS13_IO_FAILURE; 1152 1153 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1154 } 1155 1156 ssize_t 1157 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1158 { 1159 if (!rl->handshake_completed) 1160 return TLS13_IO_FAILURE; 1161 1162 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1163 } 1164 1165 ssize_t 1166 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 1167 size_t n) 1168 { 1169 if (!rl->handshake_completed) 1170 return TLS13_IO_FAILURE; 1171 1172 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1173 } 1174 1175 ssize_t 1176 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) 1177 { 1178 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; 1179 ssize_t ret; 1180 1181 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || 1182 alert_desc == TLS13_ALERT_USER_CANCELED) 1183 alert_level = TLS13_ALERT_LEVEL_WARNING; 1184 1185 do { 1186 ret = tls13_record_layer_enqueue_alert(rl, alert_level, 1187 alert_desc); 1188 } while (ret == TLS13_IO_WANT_RETRY); 1189 1190 return ret; 1191 } 1192