1 /* $OpenBSD: tls13_record_layer.c,v 1.74 2024/09/09 03:32:29 tb Exp $ */
2 /*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include "tls13_internal.h"
19 #include "tls13_record.h"
20 #include "tls_content.h"
21
22 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
23 uint8_t content_type, const uint8_t *buf, size_t n);
24 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
25 uint8_t content_type, const uint8_t *content, size_t content_len);
26
27 struct tls13_record_protection {
28 EVP_AEAD_CTX *aead_ctx;
29 struct tls13_secret iv;
30 struct tls13_secret nonce;
31 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN];
32 };
33
34 struct tls13_record_protection *
tls13_record_protection_new(void)35 tls13_record_protection_new(void)
36 {
37 return calloc(1, sizeof(struct tls13_record_protection));
38 }
39
40 void
tls13_record_protection_clear(struct tls13_record_protection * rp)41 tls13_record_protection_clear(struct tls13_record_protection *rp)
42 {
43 EVP_AEAD_CTX_free(rp->aead_ctx);
44
45 tls13_secret_cleanup(&rp->iv);
46 tls13_secret_cleanup(&rp->nonce);
47
48 memset(rp, 0, sizeof(*rp));
49 }
50
51 void
tls13_record_protection_free(struct tls13_record_protection * rp)52 tls13_record_protection_free(struct tls13_record_protection *rp)
53 {
54 if (rp == NULL)
55 return;
56
57 tls13_record_protection_clear(rp);
58
59 freezero(rp, sizeof(struct tls13_record_protection));
60 }
61
62 struct tls13_record_layer {
63 uint16_t legacy_version;
64
65 int ccs_allowed;
66 int ccs_seen;
67 int ccs_sent;
68 int handshake_completed;
69 int legacy_alerts_allowed;
70 int phh;
71 int phh_retry;
72
73 /*
74 * Read and/or write channels are closed due to an alert being
75 * sent or received. In the case of an error alert both channels
76 * are closed, whereas in the case of a close notify only one
77 * channel is closed.
78 */
79 int read_closed;
80 int write_closed;
81
82 struct tls13_record *rrec;
83
84 struct tls13_record *wrec;
85 uint8_t wrec_content_type;
86 size_t wrec_appdata_len;
87 size_t wrec_content_len;
88
89 /* Alert to be sent on return from current read handler. */
90 uint8_t alert;
91
92 /* Pending alert messages. */
93 uint8_t *alert_data;
94 size_t alert_len;
95 uint8_t alert_level;
96 uint8_t alert_desc;
97
98 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */
99 CBS phh_cbs;
100 uint8_t *phh_data;
101 size_t phh_len;
102
103 /* Content from opened records. */
104 struct tls_content *rcontent;
105
106 /* Record protection. */
107 const EVP_MD *hash;
108 const EVP_AEAD *aead;
109 struct tls13_record_protection *read;
110 struct tls13_record_protection *write;
111
112 /* Callbacks. */
113 struct tls13_record_layer_callbacks cb;
114 void *cb_arg;
115 };
116
117 static void
tls13_record_layer_rrec_free(struct tls13_record_layer * rl)118 tls13_record_layer_rrec_free(struct tls13_record_layer *rl)
119 {
120 tls13_record_free(rl->rrec);
121 rl->rrec = NULL;
122 }
123
124 static void
tls13_record_layer_wrec_free(struct tls13_record_layer * rl)125 tls13_record_layer_wrec_free(struct tls13_record_layer *rl)
126 {
127 tls13_record_free(rl->wrec);
128 rl->wrec = NULL;
129 }
130
131 struct tls13_record_layer *
tls13_record_layer_new(const struct tls13_record_layer_callbacks * callbacks,void * cb_arg)132 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks,
133 void *cb_arg)
134 {
135 struct tls13_record_layer *rl;
136
137 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL)
138 goto err;
139
140 if ((rl->rcontent = tls_content_new()) == NULL)
141 goto err;
142
143 if ((rl->read = tls13_record_protection_new()) == NULL)
144 goto err;
145 if ((rl->write = tls13_record_protection_new()) == NULL)
146 goto err;
147
148 rl->legacy_version = TLS1_2_VERSION;
149
150 tls13_record_layer_set_callbacks(rl, callbacks, cb_arg);
151
152 return rl;
153
154 err:
155 tls13_record_layer_free(rl);
156
157 return NULL;
158 }
159
160 void
tls13_record_layer_free(struct tls13_record_layer * rl)161 tls13_record_layer_free(struct tls13_record_layer *rl)
162 {
163 if (rl == NULL)
164 return;
165
166 tls13_record_layer_rrec_free(rl);
167 tls13_record_layer_wrec_free(rl);
168
169 freezero(rl->alert_data, rl->alert_len);
170 freezero(rl->phh_data, rl->phh_len);
171
172 tls_content_free(rl->rcontent);
173
174 tls13_record_protection_free(rl->read);
175 tls13_record_protection_free(rl->write);
176
177 freezero(rl, sizeof(struct tls13_record_layer));
178 }
179
180 void
tls13_record_layer_set_callbacks(struct tls13_record_layer * rl,const struct tls13_record_layer_callbacks * callbacks,void * cb_arg)181 tls13_record_layer_set_callbacks(struct tls13_record_layer *rl,
182 const struct tls13_record_layer_callbacks *callbacks, void *cb_arg)
183 {
184 rl->cb = *callbacks;
185 rl->cb_arg = cb_arg;
186 }
187
188 void
tls13_record_layer_rcontent(struct tls13_record_layer * rl,CBS * cbs)189 tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs)
190 {
191 CBS_dup(tls_content_cbs(rl->rcontent), cbs);
192 }
193
194 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = {
195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
196 };
197
198 int
tls13_record_layer_inc_seq_num(uint8_t * seq_num)199 tls13_record_layer_inc_seq_num(uint8_t *seq_num)
200 {
201 int i;
202
203 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */
204 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0)
205 return 0;
206
207 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
208 if (++seq_num[i] != 0)
209 break;
210 }
211
212 return 1;
213 }
214
215 static int
tls13_record_layer_update_nonce(struct tls13_secret * nonce,struct tls13_secret * iv,uint8_t * seq_num)216 tls13_record_layer_update_nonce(struct tls13_secret *nonce,
217 struct tls13_secret *iv, uint8_t *seq_num)
218 {
219 ssize_t i, j;
220
221 if (nonce->len != iv->len)
222 return 0;
223
224 /*
225 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd
226 * with the IV to produce a per-record nonce. The IV will also be
227 * at least 8-bytes in length.
228 */
229 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--)
230 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0);
231
232 return 1;
233 }
234
235 void
tls13_record_layer_allow_ccs(struct tls13_record_layer * rl,int allow)236 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow)
237 {
238 rl->ccs_allowed = allow;
239 }
240
241 void
tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer * rl,int allow)242 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow)
243 {
244 rl->legacy_alerts_allowed = allow;
245 }
246
247 void
tls13_record_layer_set_aead(struct tls13_record_layer * rl,const EVP_AEAD * aead)248 tls13_record_layer_set_aead(struct tls13_record_layer *rl,
249 const EVP_AEAD *aead)
250 {
251 rl->aead = aead;
252 }
253
254 void
tls13_record_layer_set_hash(struct tls13_record_layer * rl,const EVP_MD * hash)255 tls13_record_layer_set_hash(struct tls13_record_layer *rl,
256 const EVP_MD *hash)
257 {
258 rl->hash = hash;
259 }
260
261 void
tls13_record_layer_set_legacy_version(struct tls13_record_layer * rl,uint16_t version)262 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl,
263 uint16_t version)
264 {
265 rl->legacy_version = version;
266 }
267
268 void
tls13_record_layer_handshake_completed(struct tls13_record_layer * rl)269 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl)
270 {
271 rl->handshake_completed = 1;
272 }
273
274 void
tls13_record_layer_set_retry_after_phh(struct tls13_record_layer * rl,int retry)275 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry)
276 {
277 rl->phh_retry = retry;
278 }
279
280 static ssize_t
tls13_record_layer_process_alert(struct tls13_record_layer * rl)281 tls13_record_layer_process_alert(struct tls13_record_layer *rl)
282 {
283 uint8_t alert_level, alert_desc;
284 ssize_t ret = TLS13_IO_FAILURE;
285
286 /*
287 * RFC 8446 - sections 5.1 and 6.
288 *
289 * A TLSv1.3 alert record can only contain a single alert - this means
290 * that processing the alert must consume all of the record. The alert
291 * will result in one of three things - continuation (user_cancelled),
292 * read channel closure (close_notify) or termination (all others).
293 */
294 if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT)
295 return TLS13_IO_FAILURE;
296
297 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level))
298 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
299 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc))
300 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
301
302 if (tls_content_remaining(rl->rcontent) != 0)
303 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
304
305 tls_content_clear(rl->rcontent);
306
307 /*
308 * Alert level is ignored for closure alerts (RFC 8446 section 6.1),
309 * however for error alerts (RFC 8446 section 6.2), the alert level
310 * must be specified as fatal.
311 */
312 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
313 rl->read_closed = 1;
314 ret = TLS13_IO_EOF;
315 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) {
316 /* Ignored at the record layer. */
317 ret = TLS13_IO_WANT_RETRY;
318 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) {
319 rl->read_closed = 1;
320 rl->write_closed = 1;
321 ret = TLS13_IO_ALERT;
322 } else if (rl->legacy_alerts_allowed &&
323 alert_level == TLS13_ALERT_LEVEL_WARNING) {
324 /* Ignored and not passed to the callback. */
325 return TLS13_IO_WANT_RETRY;
326 } else {
327 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
328 }
329
330 rl->cb.alert_recv(alert_level, alert_desc, rl->cb_arg);
331
332 return ret;
333 }
334
335 void
tls13_record_layer_alert_sent(struct tls13_record_layer * rl,uint8_t alert_level,uint8_t alert_desc)336 tls13_record_layer_alert_sent(struct tls13_record_layer *rl,
337 uint8_t alert_level, uint8_t alert_desc)
338 {
339 rl->cb.alert_sent(alert_level, alert_desc, rl->cb_arg);
340 }
341
342 static ssize_t
tls13_record_layer_send_alert(struct tls13_record_layer * rl)343 tls13_record_layer_send_alert(struct tls13_record_layer *rl)
344 {
345 ssize_t ret;
346
347 /* This has to fit into a single record, per RFC 8446 section 5.1. */
348 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT,
349 rl->alert_data, rl->alert_len)) != rl->alert_len) {
350 if (ret == TLS13_IO_EOF)
351 ret = TLS13_IO_ALERT;
352 return ret;
353 }
354
355 freezero(rl->alert_data, rl->alert_len);
356 rl->alert_data = NULL;
357 rl->alert_len = 0;
358
359 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
360 rl->write_closed = 1;
361 ret = TLS13_IO_SUCCESS;
362 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) {
363 /* Ignored at the record layer. */
364 ret = TLS13_IO_SUCCESS;
365 } else {
366 rl->read_closed = 1;
367 rl->write_closed = 1;
368 ret = TLS13_IO_ALERT;
369 }
370
371 tls13_record_layer_alert_sent(rl, rl->alert_level, rl->alert_desc);
372
373 return ret;
374 }
375
376 static ssize_t
tls13_record_layer_send_phh(struct tls13_record_layer * rl)377 tls13_record_layer_send_phh(struct tls13_record_layer *rl)
378 {
379 ssize_t ret;
380
381 /* Push out pending post-handshake handshake messages. */
382 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE,
383 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0)
384 return ret;
385 if (!CBS_skip(&rl->phh_cbs, ret))
386 return TLS13_IO_FAILURE;
387 if (CBS_len(&rl->phh_cbs) != 0)
388 return TLS13_IO_WANT_RETRY;
389
390 freezero(rl->phh_data, rl->phh_len);
391 rl->phh_data = NULL;
392 rl->phh_len = 0;
393
394 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
395
396 rl->cb.phh_sent(rl->cb_arg);
397
398 return TLS13_IO_SUCCESS;
399 }
400
401 ssize_t
tls13_record_layer_send_pending(struct tls13_record_layer * rl)402 tls13_record_layer_send_pending(struct tls13_record_layer *rl)
403 {
404 /*
405 * If an alert is pending, then it needs to be sent. However,
406 * if we're already part of the way through sending post-handshake
407 * handshake messages, then we need to finish that first...
408 */
409
410 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len)
411 return tls13_record_layer_send_phh(rl);
412
413 if (rl->alert_data != NULL)
414 return tls13_record_layer_send_alert(rl);
415
416 if (rl->phh_data != NULL)
417 return tls13_record_layer_send_phh(rl);
418
419 return TLS13_IO_SUCCESS;
420 }
421
422 static ssize_t
tls13_record_layer_enqueue_alert(struct tls13_record_layer * rl,uint8_t alert_level,uint8_t alert_desc)423 tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl,
424 uint8_t alert_level, uint8_t alert_desc)
425 {
426 CBB cbb;
427
428 if (rl->alert_data != NULL)
429 return TLS13_IO_FAILURE;
430
431 if (!CBB_init(&cbb, 0))
432 goto err;
433
434 if (!CBB_add_u8(&cbb, alert_level))
435 goto err;
436 if (!CBB_add_u8(&cbb, alert_desc))
437 goto err;
438 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
439 goto err;
440
441 rl->alert_level = alert_level;
442 rl->alert_desc = alert_desc;
443
444 return tls13_record_layer_send_pending(rl);
445
446 err:
447 CBB_cleanup(&cbb);
448
449 return TLS13_IO_FAILURE;
450 }
451
452 ssize_t
tls13_record_layer_phh(struct tls13_record_layer * rl,CBS * cbs)453 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs)
454 {
455 if (rl->phh_data != NULL)
456 return TLS13_IO_FAILURE;
457
458 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len))
459 return TLS13_IO_FAILURE;
460
461 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
462
463 return tls13_record_layer_send_pending(rl);
464 }
465
466 static int
tls13_record_layer_set_traffic_key(const EVP_AEAD * aead,const EVP_MD * hash,struct tls13_record_protection * rp,struct tls13_secret * traffic_key)467 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash,
468 struct tls13_record_protection *rp, struct tls13_secret *traffic_key)
469 {
470 struct tls13_secret context = { .data = "", .len = 0 };
471 struct tls13_secret key = { .data = NULL, .len = 0 };
472 int ret = 0;
473
474 tls13_record_protection_clear(rp);
475
476 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL)
477 return 0;
478
479 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead)))
480 goto err;
481 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead)))
482 goto err;
483 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead)))
484 goto err;
485
486 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context))
487 goto err;
488 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))
489 goto err;
490
491 if (!EVP_AEAD_CTX_init(rp->aead_ctx, aead, key.data, key.len,
492 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
493 goto err;
494
495 ret = 1;
496
497 err:
498 tls13_secret_cleanup(&key);
499
500 return ret;
501 }
502
503 int
tls13_record_layer_set_read_traffic_key(struct tls13_record_layer * rl,struct tls13_secret * read_key,enum ssl_encryption_level_t read_level)504 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
505 struct tls13_secret *read_key, enum ssl_encryption_level_t read_level)
506 {
507 if (rl->cb.set_read_traffic_key != NULL)
508 return rl->cb.set_read_traffic_key(read_key, read_level,
509 rl->cb_arg);
510
511 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
512 rl->read, read_key);
513 }
514
515 int
tls13_record_layer_set_write_traffic_key(struct tls13_record_layer * rl,struct tls13_secret * write_key,enum ssl_encryption_level_t write_level)516 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
517 struct tls13_secret *write_key, enum ssl_encryption_level_t write_level)
518 {
519 if (rl->cb.set_write_traffic_key != NULL)
520 return rl->cb.set_write_traffic_key(write_key, write_level,
521 rl->cb_arg);
522
523 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
524 rl->write, write_key);
525 }
526
527 static int
tls13_record_layer_open_record_plaintext(struct tls13_record_layer * rl)528 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl)
529 {
530 CBS cbs;
531
532 if (rl->aead != NULL)
533 return 0;
534
535 /*
536 * We're still operating in plaintext mode, so just copy the
537 * content from the record to the plaintext buffer.
538 */
539 if (!tls13_record_content(rl->rrec, &cbs))
540 return 0;
541
542 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
543 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
544 return 0;
545 }
546
547 if (!tls_content_dup_data(rl->rcontent,
548 tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs)))
549 return 0;
550
551 return 1;
552 }
553
554 static int
tls13_record_layer_open_record_protected(struct tls13_record_layer * rl)555 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
556 {
557 CBS header, enc_record, inner;
558 uint8_t *content = NULL;
559 size_t content_len = 0;
560 uint8_t content_type;
561 size_t out_len;
562
563 if (rl->aead == NULL)
564 goto err;
565
566 if (!tls13_record_header(rl->rrec, &header))
567 goto err;
568 if (!tls13_record_content(rl->rrec, &enc_record))
569 goto err;
570
571 /* XXX - minus tag len? */
572 if ((content = calloc(1, CBS_len(&enc_record))) == NULL)
573 goto err;
574 content_len = CBS_len(&enc_record);
575
576 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv,
577 rl->read->seq_num))
578 goto err;
579
580 if (!EVP_AEAD_CTX_open(rl->read->aead_ctx,
581 content, &out_len, content_len,
582 rl->read->nonce.data, rl->read->nonce.len,
583 CBS_data(&enc_record), CBS_len(&enc_record),
584 CBS_data(&header), CBS_len(&header)))
585 goto err;
586
587 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) {
588 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
589 goto err;
590 }
591
592 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num))
593 goto err;
594
595 /*
596 * The real content type is hidden at the end of the record content and
597 * it may be followed by padding that consists of one or more zeroes.
598 * Time to hunt for that elusive content type!
599 */
600 CBS_init(&inner, content, out_len);
601 content_type = 0;
602 while (CBS_get_last_u8(&inner, &content_type)) {
603 if (content_type != 0)
604 break;
605 }
606 if (content_type == 0) {
607 /* Unexpected message per RFC 8446 section 5.4. */
608 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
609 goto err;
610 }
611 if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
612 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
613 goto err;
614 }
615
616 tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner),
617 CBS_len(&inner));
618
619 return 1;
620
621 err:
622 freezero(content, content_len);
623
624 return 0;
625 }
626
627 static int
tls13_record_layer_open_record(struct tls13_record_layer * rl)628 tls13_record_layer_open_record(struct tls13_record_layer *rl)
629 {
630 if (rl->handshake_completed && rl->aead == NULL)
631 return 0;
632
633 if (rl->aead == NULL)
634 return tls13_record_layer_open_record_plaintext(rl);
635
636 return tls13_record_layer_open_record_protected(rl);
637 }
638
639 static int
tls13_record_layer_seal_record_plaintext(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)640 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl,
641 uint8_t content_type, const uint8_t *content, size_t content_len)
642 {
643 uint8_t *data = NULL;
644 size_t data_len = 0;
645 CBB cbb, body;
646
647 /*
648 * Allow dummy CCS messages to be sent in plaintext even when
649 * record protection has been engaged, as long as the handshake
650 * has not yet completed.
651 */
652 if (rl->handshake_completed)
653 return 0;
654 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC)
655 return 0;
656
657 /*
658 * We're still operating in plaintext mode, so just copy the
659 * content into the record.
660 */
661 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len))
662 goto err;
663
664 if (!CBB_add_u8(&cbb, content_type))
665 goto err;
666 if (!CBB_add_u16(&cbb, rl->legacy_version))
667 goto err;
668 if (!CBB_add_u16_length_prefixed(&cbb, &body))
669 goto err;
670 if (!CBB_add_bytes(&body, content, content_len))
671 goto err;
672
673 if (!CBB_finish(&cbb, &data, &data_len))
674 goto err;
675
676 if (!tls13_record_set_data(rl->wrec, data, data_len))
677 goto err;
678
679 rl->wrec_content_len = content_len;
680 rl->wrec_content_type = content_type;
681
682 return 1;
683
684 err:
685 CBB_cleanup(&cbb);
686 freezero(data, data_len);
687
688 return 0;
689 }
690
691 static int
tls13_record_layer_seal_record_protected(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)692 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
693 uint8_t content_type, const uint8_t *content, size_t content_len)
694 {
695 uint8_t *data = NULL, *header = NULL, *inner = NULL;
696 size_t data_len = 0, header_len = 0, inner_len = 0;
697 uint8_t *enc_record;
698 size_t enc_record_len;
699 ssize_t ret = 0;
700 size_t out_len;
701 CBB cbb;
702
703 if (rl->aead == NULL)
704 return 0;
705
706 memset(&cbb, 0, sizeof(cbb));
707
708 /* Build inner plaintext. */
709 if (!CBB_init(&cbb, content_len + 1))
710 goto err;
711 if (!CBB_add_bytes(&cbb, content, content_len))
712 goto err;
713 if (!CBB_add_u8(&cbb, content_type))
714 goto err;
715 /* XXX - padding? */
716 if (!CBB_finish(&cbb, &inner, &inner_len))
717 goto err;
718
719 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN)
720 goto err;
721
722 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
723 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead);
724 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN)
725 goto err;
726
727 /* Build the record header. */
728 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN))
729 goto err;
730 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA))
731 goto err;
732 if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
733 goto err;
734 if (!CBB_add_u16(&cbb, enc_record_len))
735 goto err;
736 if (!CBB_finish(&cbb, &header, &header_len))
737 goto err;
738
739 /* Build the actual record. */
740 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len))
741 goto err;
742 if (!CBB_add_bytes(&cbb, header, header_len))
743 goto err;
744 if (!CBB_add_space(&cbb, &enc_record, enc_record_len))
745 goto err;
746 if (!CBB_finish(&cbb, &data, &data_len))
747 goto err;
748
749 if (!tls13_record_layer_update_nonce(&rl->write->nonce,
750 &rl->write->iv, rl->write->seq_num))
751 goto err;
752
753 /*
754 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec...
755 * this would avoid a copy since the inner would be passed as two
756 * separate pieces.
757 */
758 if (!EVP_AEAD_CTX_seal(rl->write->aead_ctx,
759 enc_record, &out_len, enc_record_len,
760 rl->write->nonce.data, rl->write->nonce.len,
761 inner, inner_len, header, header_len))
762 goto err;
763
764 if (out_len != enc_record_len)
765 goto err;
766
767 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num))
768 goto err;
769
770 if (!tls13_record_set_data(rl->wrec, data, data_len))
771 goto err;
772
773 rl->wrec_content_len = content_len;
774 rl->wrec_content_type = content_type;
775
776 data = NULL;
777 data_len = 0;
778
779 ret = 1;
780
781 err:
782 CBB_cleanup(&cbb);
783
784 freezero(data, data_len);
785 freezero(header, header_len);
786 freezero(inner, inner_len);
787
788 return ret;
789 }
790
791 static int
tls13_record_layer_seal_record(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)792 tls13_record_layer_seal_record(struct tls13_record_layer *rl,
793 uint8_t content_type, const uint8_t *content, size_t content_len)
794 {
795 if (rl->handshake_completed && rl->aead == NULL)
796 return 0;
797
798 tls13_record_layer_wrec_free(rl);
799
800 if ((rl->wrec = tls13_record_new()) == NULL)
801 return 0;
802
803 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC)
804 return tls13_record_layer_seal_record_plaintext(rl,
805 content_type, content, content_len);
806
807 return tls13_record_layer_seal_record_protected(rl, content_type,
808 content, content_len);
809 }
810
811 static ssize_t
tls13_record_layer_read_record(struct tls13_record_layer * rl)812 tls13_record_layer_read_record(struct tls13_record_layer *rl)
813 {
814 uint8_t content_type, ccs;
815 ssize_t ret;
816 CBS cbs;
817
818 if (rl->rrec == NULL) {
819 if ((rl->rrec = tls13_record_new()) == NULL)
820 goto err;
821 }
822
823 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
824 switch (ret) {
825 case TLS13_IO_RECORD_VERSION:
826 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
827 case TLS13_IO_RECORD_OVERFLOW:
828 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW);
829 }
830 return ret;
831 }
832
833 content_type = tls13_record_content_type(rl->rrec);
834
835 /*
836 * In response to a client hello we may receive an alert in a
837 * record with a legacy version. Otherwise enforce that the
838 * legacy record version is 0x0303 per RFC 8446, section 5.1.
839 */
840 if (rl->legacy_version == TLS1_2_VERSION &&
841 tls13_record_version(rl->rrec) != TLS1_2_VERSION &&
842 (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed))
843 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
844
845 /*
846 * Bag of hacks ahead... after the first ClientHello message has been
847 * sent or received and before the peer's Finished message has been
848 * received, we may receive an unencrypted ChangeCipherSpec record
849 * (see RFC 8446 section 5 and appendix D.4). This record must be
850 * ignored.
851 */
852 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
853 if (!rl->ccs_allowed || rl->ccs_seen >= 2)
854 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
855 if (!tls13_record_content(rl->rrec, &cbs))
856 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
857 if (!CBS_get_u8(&cbs, &ccs))
858 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
859 if (ccs != 1)
860 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
861 if (CBS_len(&cbs) != 0)
862 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
863 rl->ccs_seen++;
864 tls13_record_layer_rrec_free(rl);
865 return TLS13_IO_WANT_RETRY;
866 }
867
868 /*
869 * Once record protection is engaged, we should only receive
870 * protected application data messages (aside from the
871 * dummy ChangeCipherSpec messages, handled above).
872 */
873 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA)
874 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
875
876 if (!tls13_record_layer_open_record(rl))
877 goto err;
878
879 tls13_record_layer_rrec_free(rl);
880
881 /*
882 * On receiving a handshake or alert record with empty inner plaintext,
883 * we must terminate the connection with an unexpected_message alert.
884 * See RFC 8446 section 5.4.
885 */
886 if (tls_content_remaining(rl->rcontent) == 0 &&
887 (tls_content_type(rl->rcontent) == SSL3_RT_ALERT ||
888 tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE))
889 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
890
891 switch (tls_content_type(rl->rcontent)) {
892 case SSL3_RT_ALERT:
893 return tls13_record_layer_process_alert(rl);
894
895 case SSL3_RT_HANDSHAKE:
896 break;
897
898 case SSL3_RT_APPLICATION_DATA:
899 if (!rl->handshake_completed)
900 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
901 break;
902
903 default:
904 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
905 }
906
907 return TLS13_IO_SUCCESS;
908
909 err:
910 return TLS13_IO_FAILURE;
911 }
912
913 static ssize_t
tls13_record_layer_pending(struct tls13_record_layer * rl,uint8_t content_type)914 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type)
915 {
916 if (tls_content_type(rl->rcontent) != content_type)
917 return 0;
918
919 return tls_content_remaining(rl->rcontent);
920 }
921
922 static ssize_t
tls13_record_layer_recv_phh(struct tls13_record_layer * rl)923 tls13_record_layer_recv_phh(struct tls13_record_layer *rl)
924 {
925 ssize_t ret = TLS13_IO_FAILURE;
926
927 rl->phh = 1;
928
929 /*
930 * The post handshake handshake receive callback is allowed to return:
931 *
932 * TLS13_IO_WANT_POLLIN need more handshake data.
933 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued.
934 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do.
935 * TLS13_IO_FAILURE something broke.
936 */
937 if (rl->cb.phh_recv != NULL)
938 ret = rl->cb.phh_recv(rl->cb_arg);
939
940 tls_content_clear(rl->rcontent);
941
942 /* Leave post handshake handshake mode unless we need more data. */
943 if (ret != TLS13_IO_WANT_POLLIN)
944 rl->phh = 0;
945
946 if (ret == TLS13_IO_SUCCESS) {
947 if (rl->phh_retry)
948 return TLS13_IO_WANT_RETRY;
949
950 return TLS13_IO_WANT_POLLIN;
951 }
952
953 return ret;
954 }
955
956 static ssize_t
tls13_record_layer_read_internal(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n,int peek)957 tls13_record_layer_read_internal(struct tls13_record_layer *rl,
958 uint8_t content_type, uint8_t *buf, size_t n, int peek)
959 {
960 ssize_t ret;
961
962 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
963 return ret;
964
965 if (rl->read_closed)
966 return TLS13_IO_EOF;
967
968 /* If necessary, pull up the next record. */
969 if (tls_content_remaining(rl->rcontent) == 0) {
970 if ((ret = tls13_record_layer_read_record(rl)) <= 0)
971 return ret;
972
973 /*
974 * We may have read a valid 0-byte application data record,
975 * in which case we need to read the next record.
976 */
977 if (tls_content_remaining(rl->rcontent) == 0)
978 return TLS13_IO_WANT_POLLIN;
979 }
980
981 /*
982 * If we are in post handshake handshake mode, we must not see
983 * any record type that isn't a handshake until we are done.
984 */
985 if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE)
986 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
987
988 /*
989 * Handshake content can appear as post-handshake messages (yup,
990 * the RFC reused the same content type...), which means we can
991 * be trying to read application data and need to handle a
992 * post-handshake handshake message instead...
993 */
994 if (tls_content_type(rl->rcontent) != content_type) {
995 if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE) {
996 if (rl->handshake_completed)
997 return tls13_record_layer_recv_phh(rl);
998 }
999 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
1000 }
1001
1002 if (peek)
1003 return tls_content_peek(rl->rcontent, buf, n);
1004
1005 return tls_content_read(rl->rcontent, buf, n);
1006 }
1007
1008 static ssize_t
tls13_record_layer_peek(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n)1009 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type,
1010 uint8_t *buf, size_t n)
1011 {
1012 ssize_t ret;
1013
1014 do {
1015 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1);
1016 } while (ret == TLS13_IO_WANT_RETRY);
1017
1018 if (rl->alert != 0)
1019 return tls13_send_alert(rl, rl->alert);
1020
1021 return ret;
1022 }
1023
1024 static ssize_t
tls13_record_layer_read(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n)1025 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
1026 uint8_t *buf, size_t n)
1027 {
1028 ssize_t ret;
1029
1030 do {
1031 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0);
1032 } while (ret == TLS13_IO_WANT_RETRY);
1033
1034 if (rl->alert != 0)
1035 return tls13_send_alert(rl, rl->alert);
1036
1037 return ret;
1038 }
1039
1040 static ssize_t
tls13_record_layer_write_record(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)1041 tls13_record_layer_write_record(struct tls13_record_layer *rl,
1042 uint8_t content_type, const uint8_t *content, size_t content_len)
1043 {
1044 ssize_t ret;
1045
1046 if (rl->write_closed)
1047 return TLS13_IO_EOF;
1048
1049 /*
1050 * If we pushed out application data while handling other messages,
1051 * we need to return content length on the next call.
1052 */
1053 if (content_type == SSL3_RT_APPLICATION_DATA &&
1054 rl->wrec_appdata_len != 0) {
1055 ret = rl->wrec_appdata_len;
1056 rl->wrec_appdata_len = 0;
1057 return ret;
1058 }
1059
1060 /* See if there is an existing record and attempt to push it out... */
1061 if (rl->wrec != NULL) {
1062 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write,
1063 rl->cb_arg)) <= 0)
1064 return ret;
1065 tls13_record_layer_wrec_free(rl);
1066
1067 if (rl->wrec_content_type == content_type) {
1068 ret = rl->wrec_content_len;
1069 rl->wrec_content_len = 0;
1070 rl->wrec_content_type = 0;
1071 return ret;
1072 }
1073
1074 /*
1075 * The only partial record type should be application data.
1076 * All other cases are handled to completion.
1077 */
1078 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA)
1079 return TLS13_IO_FAILURE;
1080 rl->wrec_appdata_len = rl->wrec_content_len;
1081 }
1082
1083 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1084 goto err;
1085
1086 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len))
1087 goto err;
1088
1089 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0)
1090 return ret;
1091
1092 tls13_record_layer_wrec_free(rl);
1093
1094 return content_len;
1095
1096 err:
1097 return TLS13_IO_FAILURE;
1098 }
1099
1100 static ssize_t
tls13_record_layer_write_chunk(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * buf,size_t n)1101 tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
1102 uint8_t content_type, const uint8_t *buf, size_t n)
1103 {
1104 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1105 n = TLS13_RECORD_MAX_PLAINTEXT_LEN;
1106
1107 return tls13_record_layer_write_record(rl, content_type, buf, n);
1108 }
1109
1110 static ssize_t
tls13_record_layer_write(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * buf,size_t n)1111 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
1112 const uint8_t *buf, size_t n)
1113 {
1114 ssize_t ret;
1115
1116 do {
1117 ret = tls13_record_layer_send_pending(rl);
1118 } while (ret == TLS13_IO_WANT_RETRY);
1119 if (ret != TLS13_IO_SUCCESS)
1120 return ret;
1121
1122 do {
1123 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n);
1124 } while (ret == TLS13_IO_WANT_RETRY);
1125
1126 return ret;
1127 }
1128
1129 ssize_t
tls13_record_layer_flush(struct tls13_record_layer * rl)1130 tls13_record_layer_flush(struct tls13_record_layer *rl)
1131 {
1132 return rl->cb.wire_flush(rl->cb_arg);
1133 }
1134
1135 static const uint8_t tls13_dummy_ccs[] = { 0x01 };
1136
1137 ssize_t
tls13_send_dummy_ccs(struct tls13_record_layer * rl)1138 tls13_send_dummy_ccs(struct tls13_record_layer *rl)
1139 {
1140 ssize_t ret;
1141
1142 if (rl->ccs_sent)
1143 return TLS13_IO_FAILURE;
1144
1145 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC,
1146 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0)
1147 return ret;
1148
1149 rl->ccs_sent = 1;
1150
1151 return TLS13_IO_SUCCESS;
1152 }
1153
1154 ssize_t
tls13_read_handshake_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1155 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1156 {
1157 if (rl->cb.handshake_read != NULL)
1158 return rl->cb.handshake_read(buf, n, rl->cb_arg);
1159
1160 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n);
1161 }
1162
1163 ssize_t
tls13_write_handshake_data(struct tls13_record_layer * rl,const uint8_t * buf,size_t n)1164 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
1165 size_t n)
1166 {
1167 if (rl->cb.handshake_write != NULL)
1168 return rl->cb.handshake_write(buf, n, rl->cb_arg);
1169
1170 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n);
1171 }
1172
1173 ssize_t
tls13_pending_application_data(struct tls13_record_layer * rl)1174 tls13_pending_application_data(struct tls13_record_layer *rl)
1175 {
1176 if (!rl->handshake_completed)
1177 return 0;
1178
1179 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA);
1180 }
1181
1182 ssize_t
tls13_peek_application_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1183 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1184 {
1185 if (!rl->handshake_completed)
1186 return TLS13_IO_FAILURE;
1187
1188 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1189 }
1190
1191 ssize_t
tls13_read_application_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1192 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1193 {
1194 if (!rl->handshake_completed)
1195 return TLS13_IO_FAILURE;
1196
1197 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1198 }
1199
1200 ssize_t
tls13_write_application_data(struct tls13_record_layer * rl,const uint8_t * buf,size_t n)1201 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf,
1202 size_t n)
1203 {
1204 if (!rl->handshake_completed)
1205 return TLS13_IO_FAILURE;
1206
1207 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1208 }
1209
1210 ssize_t
tls13_send_alert(struct tls13_record_layer * rl,uint8_t alert_desc)1211 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc)
1212 {
1213 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL;
1214 ssize_t ret;
1215
1216 if (rl->cb.alert_send != NULL)
1217 return rl->cb.alert_send(alert_desc, rl->cb_arg);
1218
1219 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY ||
1220 alert_desc == TLS13_ALERT_USER_CANCELED)
1221 alert_level = TLS13_ALERT_LEVEL_WARNING;
1222
1223 do {
1224 ret = tls13_record_layer_enqueue_alert(rl, alert_level,
1225 alert_desc);
1226 } while (ret == TLS13_IO_WANT_RETRY);
1227
1228 return ret;
1229 }
1230