1 /* $OpenBSD: tls13_record_layer.c,v 1.58 2021/01/05 17:49:04 tb Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "ssl_locl.h" 19 20 #include "tls13_internal.h" 21 #include "tls13_record.h" 22 23 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 24 uint8_t content_type, const uint8_t *buf, size_t n); 25 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, 26 uint8_t content_type, const uint8_t *content, size_t content_len); 27 28 struct tls13_record_layer { 29 uint16_t legacy_version; 30 31 int ccs_allowed; 32 int ccs_seen; 33 int ccs_sent; 34 int handshake_completed; 35 int legacy_alerts_allowed; 36 int phh; 37 int phh_retry; 38 39 /* 40 * Read and/or write channels are closed due to an alert being 41 * sent or received. In the case of an error alert both channels 42 * are closed, whereas in the case of a close notify only one 43 * channel is closed. 44 */ 45 int read_closed; 46 int write_closed; 47 48 struct tls13_record *rrec; 49 50 struct tls13_record *wrec; 51 uint8_t wrec_content_type; 52 size_t wrec_appdata_len; 53 size_t wrec_content_len; 54 55 /* Alert to be sent on return from current read handler. */ 56 uint8_t alert; 57 58 /* Pending alert messages. */ 59 uint8_t *alert_data; 60 size_t alert_len; 61 uint8_t alert_level; 62 uint8_t alert_desc; 63 64 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ 65 CBS phh_cbs; 66 uint8_t *phh_data; 67 size_t phh_len; 68 69 /* Buffer containing plaintext from opened records. */ 70 uint8_t rbuf_content_type; 71 uint8_t *rbuf; 72 size_t rbuf_len; 73 CBS rbuf_cbs; 74 75 /* Record protection. */ 76 const EVP_MD *hash; 77 const EVP_AEAD *aead; 78 EVP_AEAD_CTX read_aead_ctx; 79 EVP_AEAD_CTX write_aead_ctx; 80 struct tls13_secret read_iv; 81 struct tls13_secret write_iv; 82 struct tls13_secret read_nonce; 83 struct tls13_secret write_nonce; 84 uint8_t read_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 85 uint8_t write_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 86 87 /* Callbacks. */ 88 struct tls13_record_layer_callbacks cb; 89 void *cb_arg; 90 }; 91 92 static void 93 tls13_record_layer_rbuf_free(struct tls13_record_layer *rl) 94 { 95 CBS_init(&rl->rbuf_cbs, NULL, 0); 96 freezero(rl->rbuf, rl->rbuf_len); 97 rl->rbuf = NULL; 98 rl->rbuf_len = 0; 99 rl->rbuf_content_type = 0; 100 } 101 102 static void 103 tls13_record_layer_rrec_free(struct tls13_record_layer *rl) 104 { 105 tls13_record_free(rl->rrec); 106 rl->rrec = NULL; 107 } 108 109 static void 110 tls13_record_layer_wrec_free(struct tls13_record_layer *rl) 111 { 112 tls13_record_free(rl->wrec); 113 rl->wrec = NULL; 114 } 115 116 struct tls13_record_layer * 117 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, 118 void *cb_arg) 119 { 120 struct tls13_record_layer *rl; 121 122 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) 123 return NULL; 124 125 rl->legacy_version = TLS1_2_VERSION; 126 rl->cb = *callbacks; 127 rl->cb_arg = cb_arg; 128 129 return rl; 130 } 131 132 void 133 tls13_record_layer_free(struct tls13_record_layer *rl) 134 { 135 if (rl == NULL) 136 return; 137 138 tls13_record_layer_rrec_free(rl); 139 tls13_record_layer_wrec_free(rl); 140 141 freezero(rl->alert_data, rl->alert_len); 142 freezero(rl->phh_data, rl->phh_len); 143 144 tls13_record_layer_rbuf_free(rl); 145 146 EVP_AEAD_CTX_cleanup(&rl->read_aead_ctx); 147 EVP_AEAD_CTX_cleanup(&rl->write_aead_ctx); 148 149 tls13_secret_cleanup(&rl->read_iv); 150 tls13_secret_cleanup(&rl->write_iv); 151 tls13_secret_cleanup(&rl->read_nonce); 152 tls13_secret_cleanup(&rl->write_nonce); 153 154 freezero(rl, sizeof(struct tls13_record_layer)); 155 } 156 157 void 158 tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs) 159 { 160 CBS_dup(&rl->rbuf_cbs, cbs); 161 } 162 163 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { 164 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 165 }; 166 167 int 168 tls13_record_layer_inc_seq_num(uint8_t *seq_num) 169 { 170 int i; 171 172 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ 173 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) 174 return 0; 175 176 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 177 if (++seq_num[i] != 0) 178 break; 179 } 180 181 return 1; 182 } 183 184 static int 185 tls13_record_layer_update_nonce(struct tls13_secret *nonce, 186 struct tls13_secret *iv, uint8_t *seq_num) 187 { 188 ssize_t i, j; 189 190 if (nonce->len != iv->len) 191 return 0; 192 193 /* 194 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd 195 * with the IV to produce a per-record nonce. The IV will also be 196 * at least 8-bytes in length. 197 */ 198 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) 199 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0); 200 201 return 1; 202 } 203 204 void 205 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) 206 { 207 rl->ccs_allowed = allow; 208 } 209 210 void 211 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) 212 { 213 rl->legacy_alerts_allowed = allow; 214 } 215 216 void 217 tls13_record_layer_set_aead(struct tls13_record_layer *rl, 218 const EVP_AEAD *aead) 219 { 220 rl->aead = aead; 221 } 222 223 void 224 tls13_record_layer_set_hash(struct tls13_record_layer *rl, 225 const EVP_MD *hash) 226 { 227 rl->hash = hash; 228 } 229 230 void 231 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, 232 uint16_t version) 233 { 234 rl->legacy_version = version; 235 } 236 237 void 238 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) 239 { 240 rl->handshake_completed = 1; 241 } 242 243 void 244 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) 245 { 246 rl->phh_retry = retry; 247 } 248 249 static ssize_t 250 tls13_record_layer_process_alert(struct tls13_record_layer *rl) 251 { 252 uint8_t alert_level, alert_desc; 253 ssize_t ret = TLS13_IO_FAILURE; 254 255 /* 256 * RFC 8446 - sections 5.1 and 6. 257 * 258 * A TLSv1.3 alert record can only contain a single alert - this means 259 * that processing the alert must consume all of the record. The alert 260 * will result in one of three things - continuation (user_cancelled), 261 * read channel closure (close_notify) or termination (all others). 262 */ 263 if (rl->rbuf == NULL) 264 return TLS13_IO_FAILURE; 265 266 if (rl->rbuf_content_type != SSL3_RT_ALERT) 267 return TLS13_IO_FAILURE; 268 269 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_level)) 270 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 271 272 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_desc)) 273 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 274 275 if (CBS_len(&rl->rbuf_cbs) != 0) 276 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 277 278 tls13_record_layer_rbuf_free(rl); 279 280 /* 281 * Alert level is ignored for closure alerts (RFC 8446 section 6.1), 282 * however for error alerts (RFC 8446 section 6.2), the alert level 283 * must be specified as fatal. 284 */ 285 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 286 rl->read_closed = 1; 287 ret = TLS13_IO_EOF; 288 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { 289 /* Ignored at the record layer. */ 290 ret = TLS13_IO_WANT_RETRY; 291 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { 292 rl->read_closed = 1; 293 rl->write_closed = 1; 294 ret = TLS13_IO_ALERT; 295 } else if (rl->legacy_alerts_allowed && 296 alert_level == TLS13_ALERT_LEVEL_WARNING) { 297 /* Ignored and not passed to the callback. */ 298 return TLS13_IO_WANT_RETRY; 299 } else { 300 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 301 } 302 303 rl->cb.alert_recv(alert_desc, rl->cb_arg); 304 305 return ret; 306 } 307 308 static ssize_t 309 tls13_record_layer_send_alert(struct tls13_record_layer *rl) 310 { 311 ssize_t ret; 312 313 /* This has to fit into a single record, per RFC 8446 section 5.1. */ 314 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, 315 rl->alert_data, rl->alert_len)) != rl->alert_len) { 316 if (ret == TLS13_IO_EOF) 317 ret = TLS13_IO_ALERT; 318 return ret; 319 } 320 321 freezero(rl->alert_data, rl->alert_len); 322 rl->alert_data = NULL; 323 rl->alert_len = 0; 324 325 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 326 rl->write_closed = 1; 327 ret = TLS13_IO_SUCCESS; 328 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { 329 /* Ignored at the record layer. */ 330 ret = TLS13_IO_SUCCESS; 331 } else { 332 rl->read_closed = 1; 333 rl->write_closed = 1; 334 ret = TLS13_IO_ALERT; 335 } 336 337 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg); 338 339 return ret; 340 } 341 342 static ssize_t 343 tls13_record_layer_send_phh(struct tls13_record_layer *rl) 344 { 345 ssize_t ret; 346 347 /* Push out pending post-handshake handshake messages. */ 348 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, 349 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) 350 return ret; 351 if (!CBS_skip(&rl->phh_cbs, ret)) 352 return TLS13_IO_FAILURE; 353 if (CBS_len(&rl->phh_cbs) != 0) 354 return TLS13_IO_WANT_RETRY; 355 356 freezero(rl->phh_data, rl->phh_len); 357 rl->phh_data = NULL; 358 rl->phh_len = 0; 359 360 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 361 362 rl->cb.phh_sent(rl->cb_arg); 363 364 return TLS13_IO_SUCCESS; 365 } 366 367 ssize_t 368 tls13_record_layer_send_pending(struct tls13_record_layer *rl) 369 { 370 /* 371 * If an alert is pending, then it needs to be sent. However, 372 * if we're already part of the way through sending post-handshake 373 * handshake messages, then we need to finish that first... 374 */ 375 376 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) 377 return tls13_record_layer_send_phh(rl); 378 379 if (rl->alert_data != NULL) 380 return tls13_record_layer_send_alert(rl); 381 382 if (rl->phh_data != NULL) 383 return tls13_record_layer_send_phh(rl); 384 385 return TLS13_IO_SUCCESS; 386 } 387 388 static ssize_t 389 tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl, 390 uint8_t alert_level, uint8_t alert_desc) 391 { 392 CBB cbb; 393 394 if (rl->alert_data != NULL) 395 return TLS13_IO_FAILURE; 396 397 if (!CBB_init(&cbb, 0)) 398 goto err; 399 400 if (!CBB_add_u8(&cbb, alert_level)) 401 goto err; 402 if (!CBB_add_u8(&cbb, alert_desc)) 403 goto err; 404 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) 405 goto err; 406 407 rl->alert_level = alert_level; 408 rl->alert_desc = alert_desc; 409 410 return tls13_record_layer_send_pending(rl); 411 412 err: 413 CBB_cleanup(&cbb); 414 415 return TLS13_IO_FAILURE; 416 } 417 418 ssize_t 419 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) 420 { 421 if (rl->phh_data != NULL) 422 return TLS13_IO_FAILURE; 423 424 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) 425 return TLS13_IO_FAILURE; 426 427 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 428 429 return tls13_record_layer_send_pending(rl); 430 } 431 432 static int 433 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, EVP_AEAD_CTX *aead_ctx, 434 const EVP_MD *hash, struct tls13_secret *iv, struct tls13_secret *nonce, 435 struct tls13_secret *traffic_key) 436 { 437 struct tls13_secret context = { .data = "", .len = 0 }; 438 struct tls13_secret key = { .data = NULL, .len = 0 }; 439 int ret = 0; 440 441 EVP_AEAD_CTX_cleanup(aead_ctx); 442 443 tls13_secret_cleanup(iv); 444 tls13_secret_cleanup(nonce); 445 446 if (!tls13_secret_init(iv, EVP_AEAD_nonce_length(aead))) 447 goto err; 448 if (!tls13_secret_init(nonce, EVP_AEAD_nonce_length(aead))) 449 goto err; 450 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead))) 451 goto err; 452 453 if (!tls13_hkdf_expand_label(iv, hash, traffic_key, "iv", &context)) 454 goto err; 455 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) 456 goto err; 457 458 if (!EVP_AEAD_CTX_init(aead_ctx, aead, key.data, key.len, 459 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 460 goto err; 461 462 ret = 1; 463 464 err: 465 tls13_secret_cleanup(&key); 466 467 return ret; 468 } 469 470 int 471 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 472 struct tls13_secret *read_key) 473 { 474 memset(rl->read_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); 475 476 return tls13_record_layer_set_traffic_key(rl->aead, &rl->read_aead_ctx, 477 rl->hash, &rl->read_iv, &rl->read_nonce, read_key); 478 } 479 480 int 481 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 482 struct tls13_secret *write_key) 483 { 484 memset(rl->write_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); 485 486 return tls13_record_layer_set_traffic_key(rl->aead, &rl->write_aead_ctx, 487 rl->hash, &rl->write_iv, &rl->write_nonce, write_key); 488 } 489 490 static int 491 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) 492 { 493 CBS cbs; 494 495 if (rl->aead != NULL) 496 return 0; 497 498 /* 499 * We're still operating in plaintext mode, so just copy the 500 * content from the record to the plaintext buffer. 501 */ 502 if (!tls13_record_content(rl->rrec, &cbs)) 503 return 0; 504 505 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 506 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 507 return 0; 508 } 509 510 tls13_record_layer_rbuf_free(rl); 511 512 if (!CBS_stow(&cbs, &rl->rbuf, &rl->rbuf_len)) 513 return 0; 514 515 rl->rbuf_content_type = tls13_record_content_type(rl->rrec); 516 517 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 518 519 return 1; 520 } 521 522 static int 523 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) 524 { 525 CBS header, enc_record; 526 ssize_t inner_len; 527 uint8_t *content = NULL; 528 size_t content_len = 0; 529 uint8_t content_type; 530 size_t out_len; 531 532 if (rl->aead == NULL) 533 goto err; 534 535 if (!tls13_record_header(rl->rrec, &header)) 536 goto err; 537 if (!tls13_record_content(rl->rrec, &enc_record)) 538 goto err; 539 540 if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 541 goto err; 542 content_len = CBS_len(&enc_record); 543 544 if (!tls13_record_layer_update_nonce(&rl->read_nonce, &rl->read_iv, 545 rl->read_seq_num)) 546 goto err; 547 548 if (!EVP_AEAD_CTX_open(&rl->read_aead_ctx, 549 content, &out_len, content_len, 550 rl->read_nonce.data, rl->read_nonce.len, 551 CBS_data(&enc_record), CBS_len(&enc_record), 552 CBS_data(&header), CBS_len(&header))) 553 goto err; 554 555 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { 556 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 557 goto err; 558 } 559 560 if (!tls13_record_layer_inc_seq_num(rl->read_seq_num)) 561 goto err; 562 563 /* 564 * The real content type is hidden at the end of the record content and 565 * it may be followed by padding that consists of one or more zeroes. 566 * Time to hunt for that elusive content type! 567 */ 568 /* XXX - CBS from end? CBS_get_end_u8()? */ 569 inner_len = out_len - 1; 570 while (inner_len >= 0 && content[inner_len] == 0) 571 inner_len--; 572 if (inner_len < 0) { 573 /* Unexpected message per RFC 8446 section 5.4. */ 574 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; 575 goto err; 576 } 577 if (inner_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 578 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 579 goto err; 580 } 581 content_type = content[inner_len]; 582 583 tls13_record_layer_rbuf_free(rl); 584 585 rl->rbuf_content_type = content_type; 586 rl->rbuf = content; 587 rl->rbuf_len = inner_len; 588 589 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 590 591 return 1; 592 593 err: 594 freezero(content, content_len); 595 596 return 0; 597 } 598 599 static int 600 tls13_record_layer_open_record(struct tls13_record_layer *rl) 601 { 602 if (rl->handshake_completed && rl->aead == NULL) 603 return 0; 604 605 if (rl->aead == NULL) 606 return tls13_record_layer_open_record_plaintext(rl); 607 608 return tls13_record_layer_open_record_protected(rl); 609 } 610 611 static int 612 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, 613 uint8_t content_type, const uint8_t *content, size_t content_len) 614 { 615 uint8_t *data = NULL; 616 size_t data_len = 0; 617 CBB cbb, body; 618 619 /* 620 * Allow dummy CCS messages to be sent in plaintext even when 621 * record protection has been engaged, as long as the handshake 622 * has not yet completed. 623 */ 624 if (rl->handshake_completed) 625 return 0; 626 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) 627 return 0; 628 629 /* 630 * We're still operating in plaintext mode, so just copy the 631 * content into the record. 632 */ 633 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) 634 goto err; 635 636 if (!CBB_add_u8(&cbb, content_type)) 637 goto err; 638 if (!CBB_add_u16(&cbb, rl->legacy_version)) 639 goto err; 640 if (!CBB_add_u16_length_prefixed(&cbb, &body)) 641 goto err; 642 if (!CBB_add_bytes(&body, content, content_len)) 643 goto err; 644 645 if (!CBB_finish(&cbb, &data, &data_len)) 646 goto err; 647 648 if (!tls13_record_set_data(rl->wrec, data, data_len)) 649 goto err; 650 651 rl->wrec_content_len = content_len; 652 rl->wrec_content_type = content_type; 653 654 return 1; 655 656 err: 657 CBB_cleanup(&cbb); 658 freezero(data, data_len); 659 660 return 0; 661 } 662 663 static int 664 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, 665 uint8_t content_type, const uint8_t *content, size_t content_len) 666 { 667 uint8_t *data = NULL, *header = NULL, *inner = NULL; 668 size_t data_len = 0, header_len = 0, inner_len = 0; 669 uint8_t *enc_record; 670 size_t enc_record_len; 671 ssize_t ret = 0; 672 size_t out_len; 673 CBB cbb; 674 675 if (rl->aead == NULL) 676 return 0; 677 678 memset(&cbb, 0, sizeof(cbb)); 679 680 /* Build inner plaintext. */ 681 if (!CBB_init(&cbb, content_len + 1)) 682 goto err; 683 if (!CBB_add_bytes(&cbb, content, content_len)) 684 goto err; 685 if (!CBB_add_u8(&cbb, content_type)) 686 goto err; 687 /* XXX - padding? */ 688 if (!CBB_finish(&cbb, &inner, &inner_len)) 689 goto err; 690 691 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) 692 goto err; 693 694 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 695 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); 696 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) 697 goto err; 698 699 /* Build the record header. */ 700 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) 701 goto err; 702 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) 703 goto err; 704 if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 705 goto err; 706 if (!CBB_add_u16(&cbb, enc_record_len)) 707 goto err; 708 if (!CBB_finish(&cbb, &header, &header_len)) 709 goto err; 710 711 /* Build the actual record. */ 712 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) 713 goto err; 714 if (!CBB_add_bytes(&cbb, header, header_len)) 715 goto err; 716 if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) 717 goto err; 718 if (!CBB_finish(&cbb, &data, &data_len)) 719 goto err; 720 721 if (!tls13_record_layer_update_nonce(&rl->write_nonce, 722 &rl->write_iv, rl->write_seq_num)) 723 goto err; 724 725 /* 726 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec... 727 * this would avoid a copy since the inner would be passed as two 728 * separate pieces. 729 */ 730 if (!EVP_AEAD_CTX_seal(&rl->write_aead_ctx, 731 enc_record, &out_len, enc_record_len, 732 rl->write_nonce.data, rl->write_nonce.len, 733 inner, inner_len, header, header_len)) 734 goto err; 735 736 if (out_len != enc_record_len) 737 goto err; 738 739 if (!tls13_record_layer_inc_seq_num(rl->write_seq_num)) 740 goto err; 741 742 if (!tls13_record_set_data(rl->wrec, data, data_len)) 743 goto err; 744 745 rl->wrec_content_len = content_len; 746 rl->wrec_content_type = content_type; 747 748 data = NULL; 749 data_len = 0; 750 751 ret = 1; 752 753 err: 754 CBB_cleanup(&cbb); 755 756 freezero(data, data_len); 757 freezero(header, header_len); 758 freezero(inner, inner_len); 759 760 return ret; 761 } 762 763 static int 764 tls13_record_layer_seal_record(struct tls13_record_layer *rl, 765 uint8_t content_type, const uint8_t *content, size_t content_len) 766 { 767 if (rl->handshake_completed && rl->aead == NULL) 768 return 0; 769 770 tls13_record_layer_wrec_free(rl); 771 772 if ((rl->wrec = tls13_record_new()) == NULL) 773 return 0; 774 775 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) 776 return tls13_record_layer_seal_record_plaintext(rl, 777 content_type, content, content_len); 778 779 return tls13_record_layer_seal_record_protected(rl, content_type, 780 content, content_len); 781 } 782 783 static ssize_t 784 tls13_record_layer_read_record(struct tls13_record_layer *rl) 785 { 786 uint8_t content_type, ccs; 787 ssize_t ret; 788 CBS cbs; 789 790 if (rl->rrec == NULL) { 791 if ((rl->rrec = tls13_record_new()) == NULL) 792 goto err; 793 } 794 795 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { 796 switch (ret) { 797 case TLS13_IO_RECORD_VERSION: 798 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 799 case TLS13_IO_RECORD_OVERFLOW: 800 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); 801 } 802 return ret; 803 } 804 805 if (rl->legacy_version == TLS1_2_VERSION && 806 tls13_record_version(rl->rrec) != TLS1_2_VERSION) 807 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 808 809 content_type = tls13_record_content_type(rl->rrec); 810 811 /* 812 * Bag of hacks ahead... after the first ClientHello message has been 813 * sent or received and before the peer's Finished message has been 814 * received, we may receive an unencrypted ChangeCipherSpec record 815 * (see RFC 8446 section 5 and appendix D.4). This record must be 816 * ignored. 817 */ 818 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 819 if (!rl->ccs_allowed || rl->ccs_seen >= 2) 820 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 821 if (!tls13_record_content(rl->rrec, &cbs)) 822 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 823 if (!CBS_get_u8(&cbs, &ccs)) 824 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 825 if (ccs != 1) 826 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 827 rl->ccs_seen++; 828 tls13_record_layer_rrec_free(rl); 829 return TLS13_IO_WANT_RETRY; 830 } 831 832 /* 833 * Once record protection is engaged, we should only receive 834 * protected application data messages (aside from the 835 * dummy ChangeCipherSpec messages, handled above). 836 */ 837 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) 838 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 839 840 if (!tls13_record_layer_open_record(rl)) 841 goto err; 842 843 tls13_record_layer_rrec_free(rl); 844 845 /* 846 * On receiving a handshake or alert record with empty inner plaintext, 847 * we must terminate the connection with an unexpected_message alert. 848 * See RFC 8446 section 5.4. 849 */ 850 if (CBS_len(&rl->rbuf_cbs) == 0 && 851 (rl->rbuf_content_type == SSL3_RT_ALERT || 852 rl->rbuf_content_type == SSL3_RT_HANDSHAKE)) 853 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 854 855 switch (rl->rbuf_content_type) { 856 case SSL3_RT_ALERT: 857 return tls13_record_layer_process_alert(rl); 858 859 case SSL3_RT_HANDSHAKE: 860 break; 861 862 case SSL3_RT_APPLICATION_DATA: 863 if (!rl->handshake_completed) 864 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 865 break; 866 867 default: 868 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 869 } 870 871 return TLS13_IO_SUCCESS; 872 873 err: 874 return TLS13_IO_FAILURE; 875 } 876 877 static ssize_t 878 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) 879 { 880 if (rl->rbuf_content_type != content_type) 881 return 0; 882 883 return CBS_len(&rl->rbuf_cbs); 884 } 885 886 static ssize_t 887 tls13_record_layer_recv_phh(struct tls13_record_layer *rl) 888 { 889 ssize_t ret = TLS13_IO_FAILURE; 890 891 rl->phh = 1; 892 893 /* 894 * The post handshake handshake receive callback is allowed to return: 895 * 896 * TLS13_IO_WANT_POLLIN need more handshake data. 897 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued. 898 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do. 899 * TLS13_IO_FAILURE something broke. 900 */ 901 if (rl->cb.phh_recv != NULL) 902 ret = rl->cb.phh_recv(rl->cb_arg, &rl->rbuf_cbs); 903 904 tls13_record_layer_rbuf_free(rl); 905 906 /* Leave post handshake handshake mode unless we need more data. */ 907 if (ret != TLS13_IO_WANT_POLLIN) 908 rl->phh = 0; 909 910 if (ret == TLS13_IO_SUCCESS) { 911 if (rl->phh_retry) 912 return TLS13_IO_WANT_RETRY; 913 914 return TLS13_IO_WANT_POLLIN; 915 } 916 917 return ret; 918 } 919 920 static ssize_t 921 tls13_record_layer_read_internal(struct tls13_record_layer *rl, 922 uint8_t content_type, uint8_t *buf, size_t n, int peek) 923 { 924 ssize_t ret; 925 926 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) 927 return ret; 928 929 if (rl->read_closed) 930 return TLS13_IO_EOF; 931 932 /* If necessary, pull up the next record. */ 933 if (CBS_len(&rl->rbuf_cbs) == 0) { 934 if ((ret = tls13_record_layer_read_record(rl)) <= 0) 935 return ret; 936 937 /* 938 * We may have read a valid 0-byte application data record, 939 * in which case we need to read the next record. 940 */ 941 if (CBS_len(&rl->rbuf_cbs) == 0) { 942 tls13_record_layer_rbuf_free(rl); 943 return TLS13_IO_WANT_POLLIN; 944 } 945 } 946 947 /* 948 * If we are in post handshake handshake mode, we must not see 949 * any record type that isn't a handshake until we are done. 950 */ 951 if (rl->phh && rl->rbuf_content_type != SSL3_RT_HANDSHAKE) 952 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 953 954 /* 955 * Handshake content can appear as post-handshake messages (yup, 956 * the RFC reused the same content type...), which means we can 957 * be trying to read application data and need to handle a 958 * post-handshake handshake message instead... 959 */ 960 if (rl->rbuf_content_type != content_type) { 961 if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) { 962 if (rl->handshake_completed) 963 return tls13_record_layer_recv_phh(rl); 964 } 965 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 966 } 967 968 if (n > CBS_len(&rl->rbuf_cbs)) 969 n = CBS_len(&rl->rbuf_cbs); 970 971 /* XXX - CBS_memcpy? CBS_copy_bytes? */ 972 memcpy(buf, CBS_data(&rl->rbuf_cbs), n); 973 974 if (!peek) { 975 if (!CBS_skip(&rl->rbuf_cbs, n)) 976 goto err; 977 } 978 979 if (CBS_len(&rl->rbuf_cbs) == 0) 980 tls13_record_layer_rbuf_free(rl); 981 982 return n; 983 984 err: 985 return TLS13_IO_FAILURE; 986 } 987 988 static ssize_t 989 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, 990 uint8_t *buf, size_t n) 991 { 992 ssize_t ret; 993 994 do { 995 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); 996 } while (ret == TLS13_IO_WANT_RETRY); 997 998 if (rl->alert != 0) 999 return tls13_send_alert(rl, rl->alert); 1000 1001 return ret; 1002 } 1003 1004 static ssize_t 1005 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, 1006 uint8_t *buf, size_t n) 1007 { 1008 ssize_t ret; 1009 1010 do { 1011 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); 1012 } while (ret == TLS13_IO_WANT_RETRY); 1013 1014 if (rl->alert != 0) 1015 return tls13_send_alert(rl, rl->alert); 1016 1017 return ret; 1018 } 1019 1020 static ssize_t 1021 tls13_record_layer_write_record(struct tls13_record_layer *rl, 1022 uint8_t content_type, const uint8_t *content, size_t content_len) 1023 { 1024 ssize_t ret; 1025 1026 if (rl->write_closed) 1027 return TLS13_IO_EOF; 1028 1029 /* 1030 * If we pushed out application data while handling other messages, 1031 * we need to return content length on the next call. 1032 */ 1033 if (content_type == SSL3_RT_APPLICATION_DATA && 1034 rl->wrec_appdata_len != 0) { 1035 ret = rl->wrec_appdata_len; 1036 rl->wrec_appdata_len = 0; 1037 return ret; 1038 } 1039 1040 /* See if there is an existing record and attempt to push it out... */ 1041 if (rl->wrec != NULL) { 1042 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, 1043 rl->cb_arg)) <= 0) 1044 return ret; 1045 tls13_record_layer_wrec_free(rl); 1046 1047 if (rl->wrec_content_type == content_type) { 1048 ret = rl->wrec_content_len; 1049 rl->wrec_content_len = 0; 1050 rl->wrec_content_type = 0; 1051 return ret; 1052 } 1053 1054 /* 1055 * The only partial record type should be application data. 1056 * All other cases are handled to completion. 1057 */ 1058 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) 1059 return TLS13_IO_FAILURE; 1060 rl->wrec_appdata_len = rl->wrec_content_len; 1061 } 1062 1063 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1064 goto err; 1065 1066 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) 1067 goto err; 1068 1069 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) 1070 return ret; 1071 1072 tls13_record_layer_wrec_free(rl); 1073 1074 return content_len; 1075 1076 err: 1077 return TLS13_IO_FAILURE; 1078 } 1079 1080 static ssize_t 1081 tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 1082 uint8_t content_type, const uint8_t *buf, size_t n) 1083 { 1084 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1085 n = TLS13_RECORD_MAX_PLAINTEXT_LEN; 1086 1087 return tls13_record_layer_write_record(rl, content_type, buf, n); 1088 } 1089 1090 static ssize_t 1091 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, 1092 const uint8_t *buf, size_t n) 1093 { 1094 ssize_t ret; 1095 1096 do { 1097 ret = tls13_record_layer_send_pending(rl); 1098 } while (ret == TLS13_IO_WANT_RETRY); 1099 if (ret != TLS13_IO_SUCCESS) 1100 return ret; 1101 1102 do { 1103 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); 1104 } while (ret == TLS13_IO_WANT_RETRY); 1105 1106 return ret; 1107 } 1108 1109 static const uint8_t tls13_dummy_ccs[] = { 0x01 }; 1110 1111 ssize_t 1112 tls13_send_dummy_ccs(struct tls13_record_layer *rl) 1113 { 1114 ssize_t ret; 1115 1116 if (rl->ccs_sent) 1117 return TLS13_IO_FAILURE; 1118 1119 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, 1120 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) 1121 return ret; 1122 1123 rl->ccs_sent = 1; 1124 1125 return TLS13_IO_SUCCESS; 1126 } 1127 1128 ssize_t 1129 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1130 { 1131 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); 1132 } 1133 1134 ssize_t 1135 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 1136 size_t n) 1137 { 1138 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); 1139 } 1140 1141 ssize_t 1142 tls13_pending_application_data(struct tls13_record_layer *rl) 1143 { 1144 if (!rl->handshake_completed) 1145 return 0; 1146 1147 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); 1148 } 1149 1150 ssize_t 1151 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1152 { 1153 if (!rl->handshake_completed) 1154 return TLS13_IO_FAILURE; 1155 1156 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1157 } 1158 1159 ssize_t 1160 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1161 { 1162 if (!rl->handshake_completed) 1163 return TLS13_IO_FAILURE; 1164 1165 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1166 } 1167 1168 ssize_t 1169 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 1170 size_t n) 1171 { 1172 if (!rl->handshake_completed) 1173 return TLS13_IO_FAILURE; 1174 1175 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1176 } 1177 1178 ssize_t 1179 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) 1180 { 1181 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; 1182 ssize_t ret; 1183 1184 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || 1185 alert_desc == TLS13_ALERT_USER_CANCELED) 1186 alert_level = TLS13_ALERT_LEVEL_WARNING; 1187 1188 do { 1189 ret = tls13_record_layer_enqueue_alert(rl, alert_level, 1190 alert_desc); 1191 } while (ret == TLS13_IO_WANT_RETRY); 1192 1193 return ret; 1194 } 1195