1 /* $OpenBSD: tls13_record_layer.c,v 1.61 2021/05/16 14:19:04 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "tls13_internal.h" 19 #include "tls13_record.h" 20 21 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 22 uint8_t content_type, const uint8_t *buf, size_t n); 23 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, 24 uint8_t content_type, const uint8_t *content, size_t content_len); 25 26 struct tls13_record_protection { 27 EVP_AEAD_CTX aead_ctx; 28 struct tls13_secret iv; 29 struct tls13_secret nonce; 30 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 31 }; 32 33 struct tls13_record_protection * 34 tls13_record_protection_new(void) 35 { 36 return calloc(1, sizeof(struct tls13_record_protection)); 37 } 38 39 void 40 tls13_record_protection_clear(struct tls13_record_protection *rp) 41 { 42 EVP_AEAD_CTX_cleanup(&rp->aead_ctx); 43 44 tls13_secret_cleanup(&rp->iv); 45 tls13_secret_cleanup(&rp->nonce); 46 47 memset(rp->seq_num, 0, sizeof(rp->seq_num)); 48 } 49 50 void 51 tls13_record_protection_free(struct tls13_record_protection *rp) 52 { 53 if (rp == NULL) 54 return; 55 56 tls13_record_protection_clear(rp); 57 58 freezero(rp, sizeof(struct tls13_record_protection)); 59 } 60 61 struct tls13_record_layer { 62 uint16_t legacy_version; 63 64 int ccs_allowed; 65 int ccs_seen; 66 int ccs_sent; 67 int handshake_completed; 68 int legacy_alerts_allowed; 69 int phh; 70 int phh_retry; 71 72 /* 73 * Read and/or write channels are closed due to an alert being 74 * sent or received. In the case of an error alert both channels 75 * are closed, whereas in the case of a close notify only one 76 * channel is closed. 77 */ 78 int read_closed; 79 int write_closed; 80 81 struct tls13_record *rrec; 82 83 struct tls13_record *wrec; 84 uint8_t wrec_content_type; 85 size_t wrec_appdata_len; 86 size_t wrec_content_len; 87 88 /* Alert to be sent on return from current read handler. */ 89 uint8_t alert; 90 91 /* Pending alert messages. */ 92 uint8_t *alert_data; 93 size_t alert_len; 94 uint8_t alert_level; 95 uint8_t alert_desc; 96 97 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ 98 CBS phh_cbs; 99 uint8_t *phh_data; 100 size_t phh_len; 101 102 /* Buffer containing plaintext from opened records. */ 103 uint8_t rbuf_content_type; 104 uint8_t *rbuf; 105 size_t rbuf_len; 106 CBS rbuf_cbs; 107 108 /* Record protection. */ 109 const EVP_MD *hash; 110 const EVP_AEAD *aead; 111 struct tls13_record_protection *read; 112 struct tls13_record_protection *write; 113 114 /* Callbacks. */ 115 struct tls13_record_layer_callbacks cb; 116 void *cb_arg; 117 }; 118 119 static void 120 tls13_record_layer_rbuf_free(struct tls13_record_layer *rl) 121 { 122 CBS_init(&rl->rbuf_cbs, NULL, 0); 123 freezero(rl->rbuf, rl->rbuf_len); 124 rl->rbuf = NULL; 125 rl->rbuf_len = 0; 126 rl->rbuf_content_type = 0; 127 } 128 129 static void 130 tls13_record_layer_rrec_free(struct tls13_record_layer *rl) 131 { 132 tls13_record_free(rl->rrec); 133 rl->rrec = NULL; 134 } 135 136 static void 137 tls13_record_layer_wrec_free(struct tls13_record_layer *rl) 138 { 139 tls13_record_free(rl->wrec); 140 rl->wrec = NULL; 141 } 142 143 struct tls13_record_layer * 144 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, 145 void *cb_arg) 146 { 147 struct tls13_record_layer *rl; 148 149 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) 150 goto err; 151 152 if ((rl->read = tls13_record_protection_new()) == NULL) 153 goto err; 154 if ((rl->write = tls13_record_protection_new()) == NULL) 155 goto err; 156 157 rl->legacy_version = TLS1_2_VERSION; 158 rl->cb = *callbacks; 159 rl->cb_arg = cb_arg; 160 161 return rl; 162 163 err: 164 tls13_record_layer_free(rl); 165 166 return NULL; 167 } 168 169 void 170 tls13_record_layer_free(struct tls13_record_layer *rl) 171 { 172 if (rl == NULL) 173 return; 174 175 tls13_record_layer_rrec_free(rl); 176 tls13_record_layer_wrec_free(rl); 177 178 freezero(rl->alert_data, rl->alert_len); 179 freezero(rl->phh_data, rl->phh_len); 180 181 tls13_record_layer_rbuf_free(rl); 182 183 tls13_record_protection_free(rl->read); 184 tls13_record_protection_free(rl->write); 185 186 freezero(rl, sizeof(struct tls13_record_layer)); 187 } 188 189 void 190 tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs) 191 { 192 CBS_dup(&rl->rbuf_cbs, cbs); 193 } 194 195 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { 196 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 197 }; 198 199 int 200 tls13_record_layer_inc_seq_num(uint8_t *seq_num) 201 { 202 int i; 203 204 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ 205 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) 206 return 0; 207 208 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 209 if (++seq_num[i] != 0) 210 break; 211 } 212 213 return 1; 214 } 215 216 static int 217 tls13_record_layer_update_nonce(struct tls13_secret *nonce, 218 struct tls13_secret *iv, uint8_t *seq_num) 219 { 220 ssize_t i, j; 221 222 if (nonce->len != iv->len) 223 return 0; 224 225 /* 226 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd 227 * with the IV to produce a per-record nonce. The IV will also be 228 * at least 8-bytes in length. 229 */ 230 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) 231 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0); 232 233 return 1; 234 } 235 236 void 237 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) 238 { 239 rl->ccs_allowed = allow; 240 } 241 242 void 243 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) 244 { 245 rl->legacy_alerts_allowed = allow; 246 } 247 248 void 249 tls13_record_layer_set_aead(struct tls13_record_layer *rl, 250 const EVP_AEAD *aead) 251 { 252 rl->aead = aead; 253 } 254 255 void 256 tls13_record_layer_set_hash(struct tls13_record_layer *rl, 257 const EVP_MD *hash) 258 { 259 rl->hash = hash; 260 } 261 262 void 263 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, 264 uint16_t version) 265 { 266 rl->legacy_version = version; 267 } 268 269 void 270 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) 271 { 272 rl->handshake_completed = 1; 273 } 274 275 void 276 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) 277 { 278 rl->phh_retry = retry; 279 } 280 281 static ssize_t 282 tls13_record_layer_process_alert(struct tls13_record_layer *rl) 283 { 284 uint8_t alert_level, alert_desc; 285 ssize_t ret = TLS13_IO_FAILURE; 286 287 /* 288 * RFC 8446 - sections 5.1 and 6. 289 * 290 * A TLSv1.3 alert record can only contain a single alert - this means 291 * that processing the alert must consume all of the record. The alert 292 * will result in one of three things - continuation (user_cancelled), 293 * read channel closure (close_notify) or termination (all others). 294 */ 295 if (rl->rbuf == NULL) 296 return TLS13_IO_FAILURE; 297 298 if (rl->rbuf_content_type != SSL3_RT_ALERT) 299 return TLS13_IO_FAILURE; 300 301 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_level)) 302 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 303 304 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_desc)) 305 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 306 307 if (CBS_len(&rl->rbuf_cbs) != 0) 308 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 309 310 tls13_record_layer_rbuf_free(rl); 311 312 /* 313 * Alert level is ignored for closure alerts (RFC 8446 section 6.1), 314 * however for error alerts (RFC 8446 section 6.2), the alert level 315 * must be specified as fatal. 316 */ 317 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 318 rl->read_closed = 1; 319 ret = TLS13_IO_EOF; 320 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { 321 /* Ignored at the record layer. */ 322 ret = TLS13_IO_WANT_RETRY; 323 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { 324 rl->read_closed = 1; 325 rl->write_closed = 1; 326 ret = TLS13_IO_ALERT; 327 } else if (rl->legacy_alerts_allowed && 328 alert_level == TLS13_ALERT_LEVEL_WARNING) { 329 /* Ignored and not passed to the callback. */ 330 return TLS13_IO_WANT_RETRY; 331 } else { 332 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 333 } 334 335 rl->cb.alert_recv(alert_desc, rl->cb_arg); 336 337 return ret; 338 } 339 340 static ssize_t 341 tls13_record_layer_send_alert(struct tls13_record_layer *rl) 342 { 343 ssize_t ret; 344 345 /* This has to fit into a single record, per RFC 8446 section 5.1. */ 346 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, 347 rl->alert_data, rl->alert_len)) != rl->alert_len) { 348 if (ret == TLS13_IO_EOF) 349 ret = TLS13_IO_ALERT; 350 return ret; 351 } 352 353 freezero(rl->alert_data, rl->alert_len); 354 rl->alert_data = NULL; 355 rl->alert_len = 0; 356 357 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 358 rl->write_closed = 1; 359 ret = TLS13_IO_SUCCESS; 360 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { 361 /* Ignored at the record layer. */ 362 ret = TLS13_IO_SUCCESS; 363 } else { 364 rl->read_closed = 1; 365 rl->write_closed = 1; 366 ret = TLS13_IO_ALERT; 367 } 368 369 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg); 370 371 return ret; 372 } 373 374 static ssize_t 375 tls13_record_layer_send_phh(struct tls13_record_layer *rl) 376 { 377 ssize_t ret; 378 379 /* Push out pending post-handshake handshake messages. */ 380 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, 381 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) 382 return ret; 383 if (!CBS_skip(&rl->phh_cbs, ret)) 384 return TLS13_IO_FAILURE; 385 if (CBS_len(&rl->phh_cbs) != 0) 386 return TLS13_IO_WANT_RETRY; 387 388 freezero(rl->phh_data, rl->phh_len); 389 rl->phh_data = NULL; 390 rl->phh_len = 0; 391 392 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 393 394 rl->cb.phh_sent(rl->cb_arg); 395 396 return TLS13_IO_SUCCESS; 397 } 398 399 ssize_t 400 tls13_record_layer_send_pending(struct tls13_record_layer *rl) 401 { 402 /* 403 * If an alert is pending, then it needs to be sent. However, 404 * if we're already part of the way through sending post-handshake 405 * handshake messages, then we need to finish that first... 406 */ 407 408 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) 409 return tls13_record_layer_send_phh(rl); 410 411 if (rl->alert_data != NULL) 412 return tls13_record_layer_send_alert(rl); 413 414 if (rl->phh_data != NULL) 415 return tls13_record_layer_send_phh(rl); 416 417 return TLS13_IO_SUCCESS; 418 } 419 420 static ssize_t 421 tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl, 422 uint8_t alert_level, uint8_t alert_desc) 423 { 424 CBB cbb; 425 426 if (rl->alert_data != NULL) 427 return TLS13_IO_FAILURE; 428 429 if (!CBB_init(&cbb, 0)) 430 goto err; 431 432 if (!CBB_add_u8(&cbb, alert_level)) 433 goto err; 434 if (!CBB_add_u8(&cbb, alert_desc)) 435 goto err; 436 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) 437 goto err; 438 439 rl->alert_level = alert_level; 440 rl->alert_desc = alert_desc; 441 442 return tls13_record_layer_send_pending(rl); 443 444 err: 445 CBB_cleanup(&cbb); 446 447 return TLS13_IO_FAILURE; 448 } 449 450 ssize_t 451 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) 452 { 453 if (rl->phh_data != NULL) 454 return TLS13_IO_FAILURE; 455 456 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) 457 return TLS13_IO_FAILURE; 458 459 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 460 461 return tls13_record_layer_send_pending(rl); 462 } 463 464 static int 465 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash, 466 struct tls13_record_protection *rp, struct tls13_secret *traffic_key) 467 { 468 struct tls13_secret context = { .data = "", .len = 0 }; 469 struct tls13_secret key = { .data = NULL, .len = 0 }; 470 int ret = 0; 471 472 tls13_record_protection_clear(rp); 473 474 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead))) 475 goto err; 476 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead))) 477 goto err; 478 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead))) 479 goto err; 480 481 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context)) 482 goto err; 483 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) 484 goto err; 485 486 if (!EVP_AEAD_CTX_init(&rp->aead_ctx, aead, key.data, key.len, 487 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 488 goto err; 489 490 ret = 1; 491 492 err: 493 tls13_secret_cleanup(&key); 494 495 return ret; 496 } 497 498 int 499 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 500 struct tls13_secret *read_key) 501 { 502 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 503 rl->read, read_key); 504 } 505 506 int 507 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 508 struct tls13_secret *write_key) 509 { 510 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 511 rl->write, write_key); 512 } 513 514 static int 515 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) 516 { 517 CBS cbs; 518 519 if (rl->aead != NULL) 520 return 0; 521 522 /* 523 * We're still operating in plaintext mode, so just copy the 524 * content from the record to the plaintext buffer. 525 */ 526 if (!tls13_record_content(rl->rrec, &cbs)) 527 return 0; 528 529 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 530 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 531 return 0; 532 } 533 534 tls13_record_layer_rbuf_free(rl); 535 536 if (!CBS_stow(&cbs, &rl->rbuf, &rl->rbuf_len)) 537 return 0; 538 539 rl->rbuf_content_type = tls13_record_content_type(rl->rrec); 540 541 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 542 543 return 1; 544 } 545 546 static int 547 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) 548 { 549 CBS header, enc_record; 550 ssize_t inner_len; 551 uint8_t *content = NULL; 552 size_t content_len = 0; 553 uint8_t content_type; 554 size_t out_len; 555 556 if (rl->aead == NULL) 557 goto err; 558 559 if (!tls13_record_header(rl->rrec, &header)) 560 goto err; 561 if (!tls13_record_content(rl->rrec, &enc_record)) 562 goto err; 563 564 if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 565 goto err; 566 content_len = CBS_len(&enc_record); 567 568 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv, 569 rl->read->seq_num)) 570 goto err; 571 572 if (!EVP_AEAD_CTX_open(&rl->read->aead_ctx, 573 content, &out_len, content_len, 574 rl->read->nonce.data, rl->read->nonce.len, 575 CBS_data(&enc_record), CBS_len(&enc_record), 576 CBS_data(&header), CBS_len(&header))) 577 goto err; 578 579 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { 580 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 581 goto err; 582 } 583 584 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num)) 585 goto err; 586 587 /* 588 * The real content type is hidden at the end of the record content and 589 * it may be followed by padding that consists of one or more zeroes. 590 * Time to hunt for that elusive content type! 591 */ 592 /* XXX - CBS from end? CBS_get_end_u8()? */ 593 inner_len = out_len - 1; 594 while (inner_len >= 0 && content[inner_len] == 0) 595 inner_len--; 596 if (inner_len < 0) { 597 /* Unexpected message per RFC 8446 section 5.4. */ 598 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; 599 goto err; 600 } 601 if (inner_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 602 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 603 goto err; 604 } 605 content_type = content[inner_len]; 606 607 tls13_record_layer_rbuf_free(rl); 608 609 rl->rbuf_content_type = content_type; 610 rl->rbuf = content; 611 rl->rbuf_len = inner_len; 612 613 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 614 615 return 1; 616 617 err: 618 freezero(content, content_len); 619 620 return 0; 621 } 622 623 static int 624 tls13_record_layer_open_record(struct tls13_record_layer *rl) 625 { 626 if (rl->handshake_completed && rl->aead == NULL) 627 return 0; 628 629 if (rl->aead == NULL) 630 return tls13_record_layer_open_record_plaintext(rl); 631 632 return tls13_record_layer_open_record_protected(rl); 633 } 634 635 static int 636 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, 637 uint8_t content_type, const uint8_t *content, size_t content_len) 638 { 639 uint8_t *data = NULL; 640 size_t data_len = 0; 641 CBB cbb, body; 642 643 /* 644 * Allow dummy CCS messages to be sent in plaintext even when 645 * record protection has been engaged, as long as the handshake 646 * has not yet completed. 647 */ 648 if (rl->handshake_completed) 649 return 0; 650 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) 651 return 0; 652 653 /* 654 * We're still operating in plaintext mode, so just copy the 655 * content into the record. 656 */ 657 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) 658 goto err; 659 660 if (!CBB_add_u8(&cbb, content_type)) 661 goto err; 662 if (!CBB_add_u16(&cbb, rl->legacy_version)) 663 goto err; 664 if (!CBB_add_u16_length_prefixed(&cbb, &body)) 665 goto err; 666 if (!CBB_add_bytes(&body, content, content_len)) 667 goto err; 668 669 if (!CBB_finish(&cbb, &data, &data_len)) 670 goto err; 671 672 if (!tls13_record_set_data(rl->wrec, data, data_len)) 673 goto err; 674 675 rl->wrec_content_len = content_len; 676 rl->wrec_content_type = content_type; 677 678 return 1; 679 680 err: 681 CBB_cleanup(&cbb); 682 freezero(data, data_len); 683 684 return 0; 685 } 686 687 static int 688 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, 689 uint8_t content_type, const uint8_t *content, size_t content_len) 690 { 691 uint8_t *data = NULL, *header = NULL, *inner = NULL; 692 size_t data_len = 0, header_len = 0, inner_len = 0; 693 uint8_t *enc_record; 694 size_t enc_record_len; 695 ssize_t ret = 0; 696 size_t out_len; 697 CBB cbb; 698 699 if (rl->aead == NULL) 700 return 0; 701 702 memset(&cbb, 0, sizeof(cbb)); 703 704 /* Build inner plaintext. */ 705 if (!CBB_init(&cbb, content_len + 1)) 706 goto err; 707 if (!CBB_add_bytes(&cbb, content, content_len)) 708 goto err; 709 if (!CBB_add_u8(&cbb, content_type)) 710 goto err; 711 /* XXX - padding? */ 712 if (!CBB_finish(&cbb, &inner, &inner_len)) 713 goto err; 714 715 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) 716 goto err; 717 718 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 719 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); 720 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) 721 goto err; 722 723 /* Build the record header. */ 724 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) 725 goto err; 726 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) 727 goto err; 728 if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 729 goto err; 730 if (!CBB_add_u16(&cbb, enc_record_len)) 731 goto err; 732 if (!CBB_finish(&cbb, &header, &header_len)) 733 goto err; 734 735 /* Build the actual record. */ 736 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) 737 goto err; 738 if (!CBB_add_bytes(&cbb, header, header_len)) 739 goto err; 740 if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) 741 goto err; 742 if (!CBB_finish(&cbb, &data, &data_len)) 743 goto err; 744 745 if (!tls13_record_layer_update_nonce(&rl->write->nonce, 746 &rl->write->iv, rl->write->seq_num)) 747 goto err; 748 749 /* 750 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec... 751 * this would avoid a copy since the inner would be passed as two 752 * separate pieces. 753 */ 754 if (!EVP_AEAD_CTX_seal(&rl->write->aead_ctx, 755 enc_record, &out_len, enc_record_len, 756 rl->write->nonce.data, rl->write->nonce.len, 757 inner, inner_len, header, header_len)) 758 goto err; 759 760 if (out_len != enc_record_len) 761 goto err; 762 763 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num)) 764 goto err; 765 766 if (!tls13_record_set_data(rl->wrec, data, data_len)) 767 goto err; 768 769 rl->wrec_content_len = content_len; 770 rl->wrec_content_type = content_type; 771 772 data = NULL; 773 data_len = 0; 774 775 ret = 1; 776 777 err: 778 CBB_cleanup(&cbb); 779 780 freezero(data, data_len); 781 freezero(header, header_len); 782 freezero(inner, inner_len); 783 784 return ret; 785 } 786 787 static int 788 tls13_record_layer_seal_record(struct tls13_record_layer *rl, 789 uint8_t content_type, const uint8_t *content, size_t content_len) 790 { 791 if (rl->handshake_completed && rl->aead == NULL) 792 return 0; 793 794 tls13_record_layer_wrec_free(rl); 795 796 if ((rl->wrec = tls13_record_new()) == NULL) 797 return 0; 798 799 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) 800 return tls13_record_layer_seal_record_plaintext(rl, 801 content_type, content, content_len); 802 803 return tls13_record_layer_seal_record_protected(rl, content_type, 804 content, content_len); 805 } 806 807 static ssize_t 808 tls13_record_layer_read_record(struct tls13_record_layer *rl) 809 { 810 uint8_t content_type, ccs; 811 ssize_t ret; 812 CBS cbs; 813 814 if (rl->rrec == NULL) { 815 if ((rl->rrec = tls13_record_new()) == NULL) 816 goto err; 817 } 818 819 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { 820 switch (ret) { 821 case TLS13_IO_RECORD_VERSION: 822 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 823 case TLS13_IO_RECORD_OVERFLOW: 824 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); 825 } 826 return ret; 827 } 828 829 if (rl->legacy_version == TLS1_2_VERSION && 830 tls13_record_version(rl->rrec) != TLS1_2_VERSION) 831 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 832 833 content_type = tls13_record_content_type(rl->rrec); 834 835 /* 836 * Bag of hacks ahead... after the first ClientHello message has been 837 * sent or received and before the peer's Finished message has been 838 * received, we may receive an unencrypted ChangeCipherSpec record 839 * (see RFC 8446 section 5 and appendix D.4). This record must be 840 * ignored. 841 */ 842 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 843 if (!rl->ccs_allowed || rl->ccs_seen >= 2) 844 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 845 if (!tls13_record_content(rl->rrec, &cbs)) 846 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 847 if (!CBS_get_u8(&cbs, &ccs)) 848 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 849 if (ccs != 1) 850 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 851 rl->ccs_seen++; 852 tls13_record_layer_rrec_free(rl); 853 return TLS13_IO_WANT_RETRY; 854 } 855 856 /* 857 * Once record protection is engaged, we should only receive 858 * protected application data messages (aside from the 859 * dummy ChangeCipherSpec messages, handled above). 860 */ 861 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) 862 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 863 864 if (!tls13_record_layer_open_record(rl)) 865 goto err; 866 867 tls13_record_layer_rrec_free(rl); 868 869 /* 870 * On receiving a handshake or alert record with empty inner plaintext, 871 * we must terminate the connection with an unexpected_message alert. 872 * See RFC 8446 section 5.4. 873 */ 874 if (CBS_len(&rl->rbuf_cbs) == 0 && 875 (rl->rbuf_content_type == SSL3_RT_ALERT || 876 rl->rbuf_content_type == SSL3_RT_HANDSHAKE)) 877 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 878 879 switch (rl->rbuf_content_type) { 880 case SSL3_RT_ALERT: 881 return tls13_record_layer_process_alert(rl); 882 883 case SSL3_RT_HANDSHAKE: 884 break; 885 886 case SSL3_RT_APPLICATION_DATA: 887 if (!rl->handshake_completed) 888 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 889 break; 890 891 default: 892 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 893 } 894 895 return TLS13_IO_SUCCESS; 896 897 err: 898 return TLS13_IO_FAILURE; 899 } 900 901 static ssize_t 902 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) 903 { 904 if (rl->rbuf_content_type != content_type) 905 return 0; 906 907 return CBS_len(&rl->rbuf_cbs); 908 } 909 910 static ssize_t 911 tls13_record_layer_recv_phh(struct tls13_record_layer *rl) 912 { 913 ssize_t ret = TLS13_IO_FAILURE; 914 915 rl->phh = 1; 916 917 /* 918 * The post handshake handshake receive callback is allowed to return: 919 * 920 * TLS13_IO_WANT_POLLIN need more handshake data. 921 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued. 922 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do. 923 * TLS13_IO_FAILURE something broke. 924 */ 925 if (rl->cb.phh_recv != NULL) 926 ret = rl->cb.phh_recv(rl->cb_arg, &rl->rbuf_cbs); 927 928 tls13_record_layer_rbuf_free(rl); 929 930 /* Leave post handshake handshake mode unless we need more data. */ 931 if (ret != TLS13_IO_WANT_POLLIN) 932 rl->phh = 0; 933 934 if (ret == TLS13_IO_SUCCESS) { 935 if (rl->phh_retry) 936 return TLS13_IO_WANT_RETRY; 937 938 return TLS13_IO_WANT_POLLIN; 939 } 940 941 return ret; 942 } 943 944 static ssize_t 945 tls13_record_layer_read_internal(struct tls13_record_layer *rl, 946 uint8_t content_type, uint8_t *buf, size_t n, int peek) 947 { 948 ssize_t ret; 949 950 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) 951 return ret; 952 953 if (rl->read_closed) 954 return TLS13_IO_EOF; 955 956 /* If necessary, pull up the next record. */ 957 if (CBS_len(&rl->rbuf_cbs) == 0) { 958 if ((ret = tls13_record_layer_read_record(rl)) <= 0) 959 return ret; 960 961 /* 962 * We may have read a valid 0-byte application data record, 963 * in which case we need to read the next record. 964 */ 965 if (CBS_len(&rl->rbuf_cbs) == 0) { 966 tls13_record_layer_rbuf_free(rl); 967 return TLS13_IO_WANT_POLLIN; 968 } 969 } 970 971 /* 972 * If we are in post handshake handshake mode, we must not see 973 * any record type that isn't a handshake until we are done. 974 */ 975 if (rl->phh && rl->rbuf_content_type != SSL3_RT_HANDSHAKE) 976 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 977 978 /* 979 * Handshake content can appear as post-handshake messages (yup, 980 * the RFC reused the same content type...), which means we can 981 * be trying to read application data and need to handle a 982 * post-handshake handshake message instead... 983 */ 984 if (rl->rbuf_content_type != content_type) { 985 if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) { 986 if (rl->handshake_completed) 987 return tls13_record_layer_recv_phh(rl); 988 } 989 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 990 } 991 992 if (n > CBS_len(&rl->rbuf_cbs)) 993 n = CBS_len(&rl->rbuf_cbs); 994 995 /* XXX - CBS_memcpy? CBS_copy_bytes? */ 996 memcpy(buf, CBS_data(&rl->rbuf_cbs), n); 997 998 if (!peek) { 999 if (!CBS_skip(&rl->rbuf_cbs, n)) 1000 goto err; 1001 } 1002 1003 if (CBS_len(&rl->rbuf_cbs) == 0) 1004 tls13_record_layer_rbuf_free(rl); 1005 1006 return n; 1007 1008 err: 1009 return TLS13_IO_FAILURE; 1010 } 1011 1012 static ssize_t 1013 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, 1014 uint8_t *buf, size_t n) 1015 { 1016 ssize_t ret; 1017 1018 do { 1019 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); 1020 } while (ret == TLS13_IO_WANT_RETRY); 1021 1022 if (rl->alert != 0) 1023 return tls13_send_alert(rl, rl->alert); 1024 1025 return ret; 1026 } 1027 1028 static ssize_t 1029 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, 1030 uint8_t *buf, size_t n) 1031 { 1032 ssize_t ret; 1033 1034 do { 1035 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); 1036 } while (ret == TLS13_IO_WANT_RETRY); 1037 1038 if (rl->alert != 0) 1039 return tls13_send_alert(rl, rl->alert); 1040 1041 return ret; 1042 } 1043 1044 static ssize_t 1045 tls13_record_layer_write_record(struct tls13_record_layer *rl, 1046 uint8_t content_type, const uint8_t *content, size_t content_len) 1047 { 1048 ssize_t ret; 1049 1050 if (rl->write_closed) 1051 return TLS13_IO_EOF; 1052 1053 /* 1054 * If we pushed out application data while handling other messages, 1055 * we need to return content length on the next call. 1056 */ 1057 if (content_type == SSL3_RT_APPLICATION_DATA && 1058 rl->wrec_appdata_len != 0) { 1059 ret = rl->wrec_appdata_len; 1060 rl->wrec_appdata_len = 0; 1061 return ret; 1062 } 1063 1064 /* See if there is an existing record and attempt to push it out... */ 1065 if (rl->wrec != NULL) { 1066 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, 1067 rl->cb_arg)) <= 0) 1068 return ret; 1069 tls13_record_layer_wrec_free(rl); 1070 1071 if (rl->wrec_content_type == content_type) { 1072 ret = rl->wrec_content_len; 1073 rl->wrec_content_len = 0; 1074 rl->wrec_content_type = 0; 1075 return ret; 1076 } 1077 1078 /* 1079 * The only partial record type should be application data. 1080 * All other cases are handled to completion. 1081 */ 1082 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) 1083 return TLS13_IO_FAILURE; 1084 rl->wrec_appdata_len = rl->wrec_content_len; 1085 } 1086 1087 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1088 goto err; 1089 1090 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) 1091 goto err; 1092 1093 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) 1094 return ret; 1095 1096 tls13_record_layer_wrec_free(rl); 1097 1098 return content_len; 1099 1100 err: 1101 return TLS13_IO_FAILURE; 1102 } 1103 1104 static ssize_t 1105 tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 1106 uint8_t content_type, const uint8_t *buf, size_t n) 1107 { 1108 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1109 n = TLS13_RECORD_MAX_PLAINTEXT_LEN; 1110 1111 return tls13_record_layer_write_record(rl, content_type, buf, n); 1112 } 1113 1114 static ssize_t 1115 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, 1116 const uint8_t *buf, size_t n) 1117 { 1118 ssize_t ret; 1119 1120 do { 1121 ret = tls13_record_layer_send_pending(rl); 1122 } while (ret == TLS13_IO_WANT_RETRY); 1123 if (ret != TLS13_IO_SUCCESS) 1124 return ret; 1125 1126 do { 1127 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); 1128 } while (ret == TLS13_IO_WANT_RETRY); 1129 1130 return ret; 1131 } 1132 1133 static const uint8_t tls13_dummy_ccs[] = { 0x01 }; 1134 1135 ssize_t 1136 tls13_send_dummy_ccs(struct tls13_record_layer *rl) 1137 { 1138 ssize_t ret; 1139 1140 if (rl->ccs_sent) 1141 return TLS13_IO_FAILURE; 1142 1143 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, 1144 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) 1145 return ret; 1146 1147 rl->ccs_sent = 1; 1148 1149 return TLS13_IO_SUCCESS; 1150 } 1151 1152 ssize_t 1153 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1154 { 1155 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); 1156 } 1157 1158 ssize_t 1159 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 1160 size_t n) 1161 { 1162 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); 1163 } 1164 1165 ssize_t 1166 tls13_pending_application_data(struct tls13_record_layer *rl) 1167 { 1168 if (!rl->handshake_completed) 1169 return 0; 1170 1171 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); 1172 } 1173 1174 ssize_t 1175 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1176 { 1177 if (!rl->handshake_completed) 1178 return TLS13_IO_FAILURE; 1179 1180 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1181 } 1182 1183 ssize_t 1184 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1185 { 1186 if (!rl->handshake_completed) 1187 return TLS13_IO_FAILURE; 1188 1189 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1190 } 1191 1192 ssize_t 1193 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 1194 size_t n) 1195 { 1196 if (!rl->handshake_completed) 1197 return TLS13_IO_FAILURE; 1198 1199 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1200 } 1201 1202 ssize_t 1203 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) 1204 { 1205 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; 1206 ssize_t ret; 1207 1208 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || 1209 alert_desc == TLS13_ALERT_USER_CANCELED) 1210 alert_level = TLS13_ALERT_LEVEL_WARNING; 1211 1212 do { 1213 ret = tls13_record_layer_enqueue_alert(rl, alert_level, 1214 alert_desc); 1215 } while (ret == TLS13_IO_WANT_RETRY); 1216 1217 return ret; 1218 } 1219