1 /* $OpenBSD: tls13_record_layer.c,v 1.16 2019/11/26 23:46:18 beck Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "ssl_locl.h" 19 20 #include <openssl/curve25519.h> 21 22 #include "tls13_internal.h" 23 #include "tls13_record.h" 24 25 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 26 uint8_t content_type, const uint8_t *buf, size_t n); 27 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, 28 uint8_t content_type, const uint8_t *content, size_t content_len); 29 30 struct tls13_record_layer { 31 int change_cipher_spec_seen; 32 int handshake_completed; 33 int phh; 34 35 /* 36 * Read and/or write channels are closed due to an alert being 37 * sent or received. In the case of an error alert both channels 38 * are closed, whereas in the case of a close notify only one 39 * channel is closed. 40 */ 41 int read_closed; 42 int write_closed; 43 44 struct tls13_record *rrec; 45 46 struct tls13_record *wrec; 47 uint8_t wrec_content_type; 48 size_t wrec_appdata_len; 49 size_t wrec_content_len; 50 51 /* Pending alert messages. */ 52 uint8_t *alert_data; 53 size_t alert_len; 54 55 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ 56 CBS phh_cbs; 57 uint8_t *phh_data; 58 size_t phh_len; 59 60 /* Buffer containing plaintext from opened records. */ 61 uint8_t rbuf_content_type; 62 uint8_t *rbuf; 63 size_t rbuf_len; 64 CBS rbuf_cbs; 65 66 /* Record protection. */ 67 const EVP_MD *hash; 68 const EVP_AEAD *aead; 69 EVP_AEAD_CTX read_aead_ctx; 70 EVP_AEAD_CTX write_aead_ctx; 71 struct tls13_secret read_iv; 72 struct tls13_secret write_iv; 73 struct tls13_secret read_nonce; 74 struct tls13_secret write_nonce; 75 uint8_t read_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 76 uint8_t write_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 77 78 /* Record callbacks. */ 79 tls13_alert_cb alert_cb; 80 tls13_phh_recv_cb phh_recv_cb; 81 tls13_phh_sent_cb phh_sent_cb; 82 83 /* Wire read/write callbacks. */ 84 tls13_read_cb wire_read; 85 tls13_write_cb wire_write; 86 void *cb_arg; 87 }; 88 89 static void 90 tls13_record_layer_rbuf_free(struct tls13_record_layer *rl) 91 { 92 CBS_init(&rl->rbuf_cbs, NULL, 0); 93 freezero(rl->rbuf, rl->rbuf_len); 94 rl->rbuf = NULL; 95 rl->rbuf_len = 0; 96 rl->rbuf_content_type = 0; 97 } 98 99 static void 100 tls13_record_layer_rrec_free(struct tls13_record_layer *rl) 101 { 102 tls13_record_free(rl->rrec); 103 rl->rrec = NULL; 104 } 105 106 static void 107 tls13_record_layer_wrec_free(struct tls13_record_layer *rl) 108 { 109 tls13_record_free(rl->wrec); 110 rl->wrec = NULL; 111 } 112 113 struct tls13_record_layer * 114 tls13_record_layer_new(tls13_read_cb wire_read, tls13_write_cb wire_write, 115 tls13_alert_cb alert_cb, 116 tls13_phh_recv_cb phh_recv_cb, 117 tls13_phh_sent_cb phh_sent_cb, 118 void *cb_arg) 119 { 120 struct tls13_record_layer *rl; 121 122 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) 123 return NULL; 124 125 rl->wire_read = wire_read; 126 rl->wire_write = wire_write; 127 rl->alert_cb = alert_cb; 128 rl->phh_recv_cb = phh_recv_cb; 129 rl->phh_sent_cb = phh_sent_cb; 130 rl->cb_arg = cb_arg; 131 132 return rl; 133 } 134 135 void 136 tls13_record_layer_free(struct tls13_record_layer *rl) 137 { 138 if (rl == NULL) 139 return; 140 141 tls13_record_layer_rbuf_free(rl); 142 143 tls13_record_layer_rrec_free(rl); 144 tls13_record_layer_wrec_free(rl); 145 146 EVP_AEAD_CTX_cleanup(&rl->read_aead_ctx); 147 EVP_AEAD_CTX_cleanup(&rl->write_aead_ctx); 148 149 freezero(rl->read_iv.data, rl->read_iv.len); 150 freezero(rl->write_iv.data, rl->write_iv.len); 151 freezero(rl->read_nonce.data, rl->read_nonce.len); 152 freezero(rl->write_nonce.data, rl->write_nonce.len); 153 154 freezero(rl, sizeof(struct tls13_record_layer)); 155 } 156 157 static int 158 tls13_record_layer_inc_seq_num(uint8_t *seq_num) 159 { 160 size_t i; 161 162 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i > 0; i--) { 163 if (++seq_num[i] != 0) 164 break; 165 } 166 167 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ 168 return (i != 0 || seq_num[0] != 0); 169 } 170 171 static int 172 tls13_record_layer_update_nonce(struct tls13_secret *nonce, 173 struct tls13_secret *iv, uint8_t *seq_num) 174 { 175 ssize_t i, j; 176 177 if (nonce->len != iv->len) 178 return 0; 179 180 /* 181 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd 182 * with the IV to produce a per-record nonce. The IV will also be 183 * at least 8-bytes in length. 184 */ 185 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) 186 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0); 187 188 return 1; 189 } 190 191 void 192 tls13_record_layer_set_aead(struct tls13_record_layer *rl, 193 const EVP_AEAD *aead) 194 { 195 rl->aead = aead; 196 } 197 198 void 199 tls13_record_layer_set_hash(struct tls13_record_layer *rl, 200 const EVP_MD *hash) 201 { 202 rl->hash = hash; 203 } 204 205 void 206 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) 207 { 208 rl->handshake_completed = 1; 209 } 210 211 static ssize_t 212 tls13_record_layer_process_alert(struct tls13_record_layer *rl) 213 { 214 uint8_t alert_level, alert_desc; 215 ssize_t ret = TLS13_IO_FAILURE; 216 217 /* 218 * RFC 8446 - sections 5.1 and 6. 219 * 220 * A TLSv1.3 alert record can only contain a single alert - this means 221 * that processing the alert must consume all of the record. The alert 222 * will result in one of three things - continuation (user_cancelled), 223 * read channel closure (close_notify) or termination (all others). 224 */ 225 if (rl->rbuf == NULL) 226 goto err; 227 if (rl->rbuf_content_type != SSL3_RT_ALERT) 228 goto err; 229 230 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_level)) 231 goto err; /* XXX - decode error alert. */ 232 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_desc)) 233 goto err; /* XXX - decode error alert. */ 234 235 if (CBS_len(&rl->rbuf_cbs) != 0) 236 goto err; /* XXX - decode error alert. */ 237 238 tls13_record_layer_rbuf_free(rl); 239 240 /* 241 * Alert level is ignored for closure alerts (RFC 8446 section 6.1), 242 * however for error alerts (RFC 8446 section 6.2), the alert level 243 * must be specified as fatal. 244 */ 245 if (alert_desc == SSL_AD_CLOSE_NOTIFY) { 246 rl->read_closed = 1; 247 ret = TLS13_IO_EOF; 248 } else if (alert_desc == SSL_AD_USER_CANCELLED) { 249 /* Ignored at the record layer. */ 250 ret = TLS13_IO_WANT_POLLIN; 251 } else if (alert_level == SSL3_AL_FATAL) { 252 rl->read_closed = 1; 253 rl->write_closed = 1; 254 ret = TLS13_IO_FAILURE; /* XXX - ALERT? */ 255 } else { 256 /* XXX - decode error alert. */ 257 return TLS13_IO_FAILURE; 258 } 259 260 rl->alert_cb(alert_desc, rl->cb_arg); 261 262 err: 263 return ret; 264 } 265 266 static ssize_t 267 tls13_record_layer_send_alert(struct tls13_record_layer *rl) 268 { 269 ssize_t ret; 270 271 /* This has to fit into a single record, per RFC 8446 section 5.1. */ 272 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, 273 rl->alert_data, rl->alert_len)) != rl->alert_len) 274 return ret; 275 276 freezero(rl->alert_data, rl->alert_len); 277 rl->alert_data = NULL; 278 rl->alert_len = 0; 279 280 /* XXX - only close write channel when sending close notify. */ 281 rl->read_closed = 1; 282 rl->write_closed = 1; 283 284 /* XXX - we may want a TLS13_IO_ALERT (or handle as errors). */ 285 return TLS13_IO_FAILURE; 286 } 287 288 static ssize_t 289 tls13_record_layer_send_phh(struct tls13_record_layer *rl) 290 { 291 ssize_t ret; 292 293 /* Push out pending post-handshake handshake messages. */ 294 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, 295 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) < 0) 296 return ret; 297 if (!CBS_skip(&rl->phh_cbs, ret)) 298 return TLS13_IO_FAILURE; 299 if (CBS_len(&rl->phh_cbs) != 0) 300 return TLS13_IO_WANT_POLLOUT; 301 302 freezero(rl->phh_data, rl->phh_len); 303 rl->phh_data = NULL; 304 rl->phh_len = 0; 305 306 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 307 308 rl->phh_sent_cb(rl->cb_arg); 309 310 return TLS13_IO_SUCCESS; 311 } 312 313 static ssize_t 314 tls13_record_layer_send_pending(struct tls13_record_layer *rl) 315 { 316 /* 317 * If an alert is pending, then it needs to be sent. However, 318 * if we're already part of the way through sending post-handshake 319 * handshake messages, then we need to finish that first... 320 */ 321 322 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) 323 return tls13_record_layer_send_phh(rl); 324 325 if (rl->alert_data != NULL) 326 return tls13_record_layer_send_alert(rl); 327 328 if (rl->phh_data != NULL) 329 return tls13_record_layer_send_phh(rl); 330 331 return TLS13_IO_SUCCESS; 332 } 333 334 static ssize_t 335 tls13_record_layer_alert(struct tls13_record_layer *rl, 336 uint8_t alert_level, uint8_t alert_desc) 337 { 338 CBB cbb; 339 340 if (rl->alert_data != NULL) 341 return TLS13_IO_FAILURE; 342 343 if (!CBB_init(&cbb, 0)) 344 goto err; 345 346 if (!CBB_add_u8(&cbb, alert_level)) 347 goto err; 348 if (!CBB_add_u8(&cbb, alert_desc)) 349 goto err; 350 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) 351 goto err; 352 353 return tls13_record_layer_send_pending(rl); 354 355 err: 356 CBB_cleanup(&cbb); 357 358 return TLS13_IO_FAILURE; 359 } 360 361 ssize_t 362 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) 363 { 364 if (rl->phh_data != NULL) 365 return TLS13_IO_FAILURE; 366 367 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) 368 return TLS13_IO_FAILURE; 369 370 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 371 372 return tls13_record_layer_send_pending(rl); 373 } 374 375 static int 376 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, EVP_AEAD_CTX *aead_ctx, 377 const EVP_MD *hash, struct tls13_secret *iv, struct tls13_secret *nonce, 378 struct tls13_secret *traffic_key) 379 { 380 struct tls13_secret context = { .data = "", .len = 0 }; 381 struct tls13_secret key = { .data = NULL, .len = 0 }; 382 int ret = 0; 383 384 freezero(iv->data, iv->len); 385 iv->data = NULL; 386 iv->len = 0; 387 388 freezero(nonce->data, nonce->len); 389 nonce->data = NULL; 390 nonce->len = 0; 391 392 if ((iv->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) 393 goto err; 394 iv->len = EVP_AEAD_nonce_length(aead); 395 396 if ((nonce->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) 397 goto err; 398 nonce->len = EVP_AEAD_nonce_length(aead); 399 400 if ((key.data = calloc(1, EVP_AEAD_key_length(aead))) == NULL) 401 goto err; 402 key.len = EVP_AEAD_key_length(aead); 403 404 if (!tls13_hkdf_expand_label(iv, hash, traffic_key, "iv", &context)) 405 goto err; 406 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) 407 goto err; 408 409 if (!EVP_AEAD_CTX_init(aead_ctx, aead, key.data, key.len, 410 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 411 goto err; 412 413 ret = 1; 414 415 err: 416 freezero(key.data, key.len); 417 418 return ret; 419 } 420 421 int 422 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 423 struct tls13_secret *read_key) 424 { 425 memset(rl->read_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); 426 427 return tls13_record_layer_set_traffic_key(rl->aead, &rl->read_aead_ctx, 428 rl->hash, &rl->read_iv, &rl->read_nonce, read_key); 429 } 430 431 int 432 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 433 struct tls13_secret *write_key) 434 { 435 memset(rl->write_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); 436 437 return tls13_record_layer_set_traffic_key(rl->aead, &rl->write_aead_ctx, 438 rl->hash, &rl->write_iv, &rl->write_nonce, write_key); 439 } 440 441 static int 442 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) 443 { 444 CBS cbs; 445 446 if (rl->aead != NULL) 447 return 0; 448 449 /* 450 * We're still operating in plaintext mode, so just copy the 451 * content from the record to the plaintext buffer. 452 */ 453 if (!tls13_record_content(rl->rrec, &cbs)) 454 return 0; 455 456 tls13_record_layer_rbuf_free(rl); 457 458 if (!CBS_stow(&cbs, &rl->rbuf, &rl->rbuf_len)) 459 return 0; 460 461 rl->rbuf_content_type = tls13_record_content_type(rl->rrec); 462 463 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 464 465 return 1; 466 } 467 468 static int 469 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) 470 { 471 CBS header, enc_record; 472 uint8_t *content = NULL; 473 ssize_t content_len = 0; 474 uint8_t content_type; 475 size_t out_len; 476 477 if (rl->aead == NULL) 478 goto err; 479 480 if (!tls13_record_header(rl->rrec, &header)) 481 goto err; 482 if (!tls13_record_content(rl->rrec, &enc_record)) 483 goto err; 484 485 if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 486 goto err; 487 content_len = CBS_len(&enc_record); 488 489 if (!tls13_record_layer_update_nonce(&rl->read_nonce, &rl->read_iv, 490 rl->read_seq_num)) 491 goto err; 492 493 if (!EVP_AEAD_CTX_open(&rl->read_aead_ctx, 494 content, &out_len, content_len, 495 rl->read_nonce.data, rl->read_nonce.len, 496 CBS_data(&enc_record), CBS_len(&enc_record), 497 CBS_data(&header), CBS_len(&header))) 498 goto err; 499 500 if (!tls13_record_layer_inc_seq_num(rl->read_seq_num)) 501 goto err; 502 503 /* 504 * The real content type is hidden at the end of the record content and 505 * it may be followed by padding that consists of one or more zeroes. 506 * Time to hunt for that elusive content type! 507 */ 508 /* XXX - CBS from end? CBS_get_end_u8()? */ 509 content_len = out_len - 1; 510 while (content_len >= 0 && content[content_len] == 0) 511 content_len--; 512 if (content_len < 0) 513 goto err; 514 content_type = content[content_len]; 515 516 tls13_record_layer_rbuf_free(rl); 517 518 rl->rbuf_content_type = content_type; 519 rl->rbuf = content; 520 rl->rbuf_len = content_len; 521 522 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 523 524 return 1; 525 526 err: 527 freezero(content, content_len); 528 529 return 0; 530 } 531 532 static int 533 tls13_record_layer_open_record(struct tls13_record_layer *rl) 534 { 535 if (rl->handshake_completed && rl->aead == NULL) 536 return 0; 537 538 if (rl->aead == NULL) 539 return tls13_record_layer_open_record_plaintext(rl); 540 541 return tls13_record_layer_open_record_protected(rl); 542 } 543 544 static int 545 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, 546 uint8_t content_type, const uint8_t *content, size_t content_len) 547 { 548 uint8_t *data = NULL; 549 size_t data_len = 0; 550 uint16_t version; 551 CBB cbb, body; 552 553 if (rl->aead != NULL) 554 return 0; 555 556 /* XXX - TLS1_VERSION for first client hello... */ 557 version = TLS1_2_VERSION; 558 559 /* 560 * We're still operating in plaintext mode, so just copy the 561 * content into the record. 562 */ 563 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) 564 goto err; 565 566 if (!CBB_add_u8(&cbb, content_type)) 567 goto err; 568 if (!CBB_add_u16(&cbb, version)) 569 goto err; 570 if (!CBB_add_u16_length_prefixed(&cbb, &body)) 571 goto err; 572 if (!CBB_add_bytes(&body, content, content_len)) 573 goto err; 574 575 if (!CBB_finish(&cbb, &data, &data_len)) 576 goto err; 577 578 if (!tls13_record_set_data(rl->wrec, data, data_len)) 579 goto err; 580 581 return 1; 582 583 err: 584 CBB_cleanup(&cbb); 585 freezero(data, data_len); 586 587 return 0; 588 } 589 590 static int 591 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, 592 uint8_t content_type, const uint8_t *content, size_t content_len) 593 { 594 uint8_t *data = NULL, *header = NULL, *inner = NULL; 595 size_t data_len = 0, header_len = 0, inner_len = 0; 596 uint8_t *enc_record; 597 size_t enc_record_len; 598 ssize_t ret = 0; 599 size_t out_len; 600 CBB cbb; 601 602 if (rl->aead == NULL) 603 return 0; 604 605 memset(&cbb, 0, sizeof(cbb)); 606 607 /* Build inner plaintext. */ 608 if (!CBB_init(&cbb, content_len + 1)) 609 goto err; 610 if (!CBB_add_bytes(&cbb, content, content_len)) 611 goto err; 612 if (!CBB_add_u8(&cbb, content_type)) 613 goto err; 614 /* XXX - padding? */ 615 if (!CBB_finish(&cbb, &inner, &inner_len)) 616 goto err; 617 618 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) 619 goto err; 620 621 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 622 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); 623 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) 624 goto err; 625 626 /* Build the record header. */ 627 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) 628 goto err; 629 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) 630 goto err; 631 if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 632 goto err; 633 if (!CBB_add_u16(&cbb, enc_record_len)) 634 goto err; 635 if (!CBB_finish(&cbb, &header, &header_len)) 636 goto err; 637 638 /* Build the actual record. */ 639 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) 640 goto err; 641 if (!CBB_add_bytes(&cbb, header, header_len)) 642 goto err; 643 if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) 644 goto err; 645 if (!CBB_finish(&cbb, &data, &data_len)) 646 goto err; 647 648 if (!tls13_record_layer_update_nonce(&rl->write_nonce, 649 &rl->write_iv, rl->write_seq_num)) 650 goto err; 651 652 /* 653 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec... 654 * this would avoid a copy since the inner would be passed as two 655 * separate pieces. 656 */ 657 if (!EVP_AEAD_CTX_seal(&rl->write_aead_ctx, 658 enc_record, &out_len, enc_record_len, 659 rl->write_nonce.data, rl->write_nonce.len, 660 inner, inner_len, header, header_len)) 661 goto err; 662 663 if (out_len != enc_record_len) 664 goto err; 665 666 if (!tls13_record_layer_inc_seq_num(rl->write_seq_num)) 667 goto err; 668 669 if (!tls13_record_set_data(rl->wrec, data, data_len)) 670 goto err; 671 672 rl->wrec_content_len = content_len; 673 rl->wrec_content_type = content_type; 674 675 data = NULL; 676 data_len = 0; 677 678 ret = 1; 679 680 err: 681 CBB_cleanup(&cbb); 682 683 freezero(data, data_len); 684 freezero(header, header_len); 685 freezero(inner, inner_len); 686 687 return ret; 688 } 689 690 static int 691 tls13_record_layer_seal_record(struct tls13_record_layer *rl, 692 uint8_t content_type, const uint8_t *content, size_t content_len) 693 { 694 if (rl->handshake_completed && rl->aead == NULL) 695 return 0; 696 697 tls13_record_layer_wrec_free(rl); 698 699 if ((rl->wrec = tls13_record_new()) == NULL) 700 return 0; 701 702 if (rl->aead == NULL) 703 return tls13_record_layer_seal_record_plaintext(rl, 704 content_type, content, content_len); 705 706 return tls13_record_layer_seal_record_protected(rl, content_type, 707 content, content_len); 708 } 709 710 static ssize_t 711 tls13_record_layer_read_record(struct tls13_record_layer *rl) 712 { 713 uint8_t content_type, ccs; 714 ssize_t ret; 715 CBS cbs; 716 717 if (rl->rrec == NULL) { 718 if ((rl->rrec = tls13_record_new()) == NULL) 719 goto err; 720 } 721 722 if ((ret = tls13_record_recv(rl->rrec, rl->wire_read, rl->cb_arg)) <= 0) 723 return ret; 724 725 /* XXX - record version checks. */ 726 727 content_type = tls13_record_content_type(rl->rrec); 728 729 /* 730 * Bag of hacks ahead... after the first ClientHello message has been 731 * sent or received and before the peer's Finished message has been 732 * received, we may receive an unencrypted ChangeCipherSpec record 733 * (see RFC 8446 section 5 and appendix D.4). This record must be 734 * ignored. 735 */ 736 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 737 /* XXX - need to check after ClientHello, before Finished. */ 738 if (rl->handshake_completed || rl->change_cipher_spec_seen) { 739 /* XXX - unexpected message alert. */ 740 goto err; 741 } 742 if (!tls13_record_content(rl->rrec, &cbs)) { 743 /* XXX - decode error alert. */ 744 goto err; 745 } 746 if (!CBS_get_u8(&cbs, &ccs)) { 747 /* XXX - decode error alert. */ 748 goto err; 749 } 750 if (ccs != 1) { 751 /* XXX - something alert. */ 752 goto err; 753 } 754 rl->change_cipher_spec_seen = 1; 755 tls13_record_layer_rrec_free(rl); 756 return TLS13_IO_WANT_POLLIN; 757 } 758 759 /* 760 * Once record protection is engaged, we should only receive 761 * protected application data messages (aside from the 762 * dummy ChangeCipherSpec messages, handled above). 763 */ 764 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) { 765 /* XXX - unexpected message alert. */ 766 goto err; 767 } 768 769 if (!tls13_record_layer_open_record(rl)) 770 goto err; 771 772 tls13_record_layer_rrec_free(rl); 773 774 switch (rl->rbuf_content_type) { 775 case SSL3_RT_ALERT: 776 return tls13_record_layer_process_alert(rl); 777 778 case SSL3_RT_HANDSHAKE: 779 break; 780 781 case SSL3_RT_APPLICATION_DATA: 782 if (!rl->handshake_completed) { 783 /* XXX - unexpected message alert. */ 784 goto err; 785 } 786 break; 787 788 default: 789 /* XXX - unexpected message alert. */ 790 goto err; 791 } 792 793 return TLS13_IO_SUCCESS; 794 795 err: 796 return TLS13_IO_FAILURE; 797 } 798 799 ssize_t 800 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, 801 uint8_t *buf, size_t n) 802 { 803 ssize_t ret; 804 805 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) 806 return ret; 807 808 if (rl->read_closed) 809 return TLS13_IO_EOF; 810 811 /* If necessary, pull up the next record. */ 812 if (CBS_len(&rl->rbuf_cbs) == 0) { 813 if ((ret = tls13_record_layer_read_record(rl)) <= 0) 814 return ret; 815 816 /* XXX - need to check record version. */ 817 } 818 819 /* 820 * If we are in post handshake handshake mode, we may not see 821 * any record type that isn't a handshake until we are done. 822 */ 823 if (rl->phh && rl->rbuf_content_type != SSL3_RT_HANDSHAKE) { 824 /* XXX send unexpected message alert */ 825 return TLS13_IO_FAILURE; 826 } 827 828 if (rl->rbuf_content_type != content_type) { 829 /* 830 * Handshake content can appear as post-handshake messages (yup, 831 * the RFC reused the same content type...), which means we can 832 * be trying to read application data and need to handle a 833 * post-handshake handshake message instead... 834 */ 835 if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) { 836 if (rl->handshake_completed) { 837 rl->phh = 1; 838 ret = TLS13_IO_FAILURE; 839 840 /* 841 * The post handshake handshake 842 * receive callback is allowed to 843 * return: 844 * 845 * TLS13_IO_WANT_POLLIN -> 846 * I need more handshake data. 847 * 848 * TLS13_IO_WANT_POLLOUT -> I got the 849 * whole handshake message, and have 850 * enqueued a response 851 * 852 * TLS13_IO_SUCCESS -> I got the whole handshake, 853 * nothing more to do 854 * 855 * TLS13_IO_FAILURE -> something broke. 856 */ 857 if (rl->phh_recv_cb != NULL) { 858 ret = rl->phh_recv_cb( 859 rl->cb_arg, &rl->rbuf_cbs); 860 } 861 862 tls13_record_layer_rbuf_free(rl); 863 864 if (ret == TLS13_IO_WANT_POLLIN) 865 return ret; 866 867 /* 868 * leave post handshake handshake mode 869 * if we do not need more handshake data 870 */ 871 rl->phh = 0; 872 873 if (ret == TLS13_IO_SUCCESS) 874 return TLS13_IO_WANT_POLLIN; 875 876 return ret; 877 } 878 } 879 880 /* XXX - unexpected message alert. */ 881 goto err; 882 } 883 884 if (n > CBS_len(&rl->rbuf_cbs)) 885 n = CBS_len(&rl->rbuf_cbs); 886 887 /* XXX - CBS_memcpy? CBS_copy_bytes? */ 888 memcpy(buf, CBS_data(&rl->rbuf_cbs), n); 889 if (!CBS_skip(&rl->rbuf_cbs, n)) 890 goto err; 891 892 if (CBS_len(&rl->rbuf_cbs) == 0) 893 tls13_record_layer_rbuf_free(rl); 894 895 return n; 896 897 err: 898 return TLS13_IO_FAILURE; 899 } 900 901 static ssize_t 902 tls13_record_layer_write_record(struct tls13_record_layer *rl, 903 uint8_t content_type, const uint8_t *content, size_t content_len) 904 { 905 ssize_t ret; 906 907 if (rl->write_closed) 908 return TLS13_IO_EOF; 909 910 /* 911 * If we pushed out application data while handling other messages, 912 * we need to return content length on the next call. 913 */ 914 if (content_type == SSL3_RT_APPLICATION_DATA && 915 rl->wrec_appdata_len != 0) { 916 ret = rl->wrec_appdata_len; 917 rl->wrec_appdata_len = 0; 918 return ret; 919 } 920 921 /* See if there is an existing record and attempt to push it out... */ 922 if (rl->wrec != NULL) { 923 if ((ret = tls13_record_send(rl->wrec, rl->wire_write, 924 rl->cb_arg)) <= 0) 925 return ret; 926 tls13_record_layer_wrec_free(rl); 927 928 if (rl->wrec_content_type == content_type) { 929 ret = rl->wrec_content_len; 930 rl->wrec_content_len = 0; 931 rl->wrec_content_type = 0; 932 return ret; 933 } 934 935 /* 936 * The only partial record type should be application data. 937 * All other cases are handled to completion. 938 */ 939 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) 940 return TLS13_IO_FAILURE; 941 rl->wrec_appdata_len = rl->wrec_content_len; 942 } 943 944 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) 945 goto err; 946 947 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) 948 goto err; 949 950 if ((ret = tls13_record_send(rl->wrec, rl->wire_write, rl->cb_arg)) <= 0) 951 return ret; 952 953 tls13_record_layer_wrec_free(rl); 954 955 return content_len; 956 957 err: 958 return TLS13_IO_FAILURE; 959 } 960 961 static ssize_t 962 tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 963 uint8_t content_type, const uint8_t *buf, size_t n) 964 { 965 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) 966 n = TLS13_RECORD_MAX_PLAINTEXT_LEN; 967 968 return tls13_record_layer_write_record(rl, content_type, buf, n); 969 } 970 971 static ssize_t 972 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, 973 const uint8_t *buf, size_t n) 974 { 975 ssize_t ret; 976 977 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) 978 return ret; 979 980 return tls13_record_layer_write_chunk(rl, content_type, buf, n); 981 } 982 983 ssize_t 984 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 985 { 986 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); 987 } 988 989 ssize_t 990 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 991 size_t n) 992 { 993 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); 994 } 995 996 ssize_t 997 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 998 { 999 if (!rl->handshake_completed) 1000 return TLS13_IO_FAILURE; 1001 1002 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1003 } 1004 1005 ssize_t 1006 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 1007 size_t n) 1008 { 1009 if (!rl->handshake_completed) 1010 return TLS13_IO_FAILURE; 1011 1012 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1013 } 1014 1015 ssize_t 1016 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) 1017 { 1018 uint8_t alert_level = SSL3_AL_FATAL; 1019 1020 if (alert_desc == SSL_AD_CLOSE_NOTIFY || 1021 alert_desc == SSL_AD_USER_CANCELLED) 1022 alert_level = SSL3_AL_WARNING; 1023 1024 return tls13_record_layer_alert(rl, alert_level, alert_desc); 1025 } 1026