1 /* $OpenBSD: tls13_record_layer.c,v 1.71 2022/09/11 13:50:41 jsing Exp $ */
2 /*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include "tls13_internal.h"
19 #include "tls13_record.h"
20 #include "tls_content.h"
21
22 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
23 uint8_t content_type, const uint8_t *buf, size_t n);
24 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
25 uint8_t content_type, const uint8_t *content, size_t content_len);
26
27 struct tls13_record_protection {
28 EVP_AEAD_CTX *aead_ctx;
29 struct tls13_secret iv;
30 struct tls13_secret nonce;
31 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN];
32 };
33
34 struct tls13_record_protection *
tls13_record_protection_new(void)35 tls13_record_protection_new(void)
36 {
37 return calloc(1, sizeof(struct tls13_record_protection));
38 }
39
40 void
tls13_record_protection_clear(struct tls13_record_protection * rp)41 tls13_record_protection_clear(struct tls13_record_protection *rp)
42 {
43 EVP_AEAD_CTX_free(rp->aead_ctx);
44
45 tls13_secret_cleanup(&rp->iv);
46 tls13_secret_cleanup(&rp->nonce);
47
48 memset(rp, 0, sizeof(*rp));
49 }
50
51 void
tls13_record_protection_free(struct tls13_record_protection * rp)52 tls13_record_protection_free(struct tls13_record_protection *rp)
53 {
54 if (rp == NULL)
55 return;
56
57 tls13_record_protection_clear(rp);
58
59 freezero(rp, sizeof(struct tls13_record_protection));
60 }
61
62 struct tls13_record_layer {
63 uint16_t legacy_version;
64
65 int ccs_allowed;
66 int ccs_seen;
67 int ccs_sent;
68 int handshake_completed;
69 int legacy_alerts_allowed;
70 int phh;
71 int phh_retry;
72
73 /*
74 * Read and/or write channels are closed due to an alert being
75 * sent or received. In the case of an error alert both channels
76 * are closed, whereas in the case of a close notify only one
77 * channel is closed.
78 */
79 int read_closed;
80 int write_closed;
81
82 struct tls13_record *rrec;
83
84 struct tls13_record *wrec;
85 uint8_t wrec_content_type;
86 size_t wrec_appdata_len;
87 size_t wrec_content_len;
88
89 /* Alert to be sent on return from current read handler. */
90 uint8_t alert;
91
92 /* Pending alert messages. */
93 uint8_t *alert_data;
94 size_t alert_len;
95 uint8_t alert_level;
96 uint8_t alert_desc;
97
98 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */
99 CBS phh_cbs;
100 uint8_t *phh_data;
101 size_t phh_len;
102
103 /* Content from opened records. */
104 struct tls_content *rcontent;
105
106 /* Record protection. */
107 const EVP_MD *hash;
108 const EVP_AEAD *aead;
109 struct tls13_record_protection *read;
110 struct tls13_record_protection *write;
111
112 /* Callbacks. */
113 struct tls13_record_layer_callbacks cb;
114 void *cb_arg;
115 };
116
117 static void
tls13_record_layer_rrec_free(struct tls13_record_layer * rl)118 tls13_record_layer_rrec_free(struct tls13_record_layer *rl)
119 {
120 tls13_record_free(rl->rrec);
121 rl->rrec = NULL;
122 }
123
124 static void
tls13_record_layer_wrec_free(struct tls13_record_layer * rl)125 tls13_record_layer_wrec_free(struct tls13_record_layer *rl)
126 {
127 tls13_record_free(rl->wrec);
128 rl->wrec = NULL;
129 }
130
131 struct tls13_record_layer *
tls13_record_layer_new(const struct tls13_record_layer_callbacks * callbacks,void * cb_arg)132 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks,
133 void *cb_arg)
134 {
135 struct tls13_record_layer *rl;
136
137 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL)
138 goto err;
139
140 if ((rl->rcontent = tls_content_new()) == NULL)
141 goto err;
142
143 if ((rl->read = tls13_record_protection_new()) == NULL)
144 goto err;
145 if ((rl->write = tls13_record_protection_new()) == NULL)
146 goto err;
147
148 rl->legacy_version = TLS1_2_VERSION;
149
150 tls13_record_layer_set_callbacks(rl, callbacks, cb_arg);
151
152 return rl;
153
154 err:
155 tls13_record_layer_free(rl);
156
157 return NULL;
158 }
159
160 void
tls13_record_layer_free(struct tls13_record_layer * rl)161 tls13_record_layer_free(struct tls13_record_layer *rl)
162 {
163 if (rl == NULL)
164 return;
165
166 tls13_record_layer_rrec_free(rl);
167 tls13_record_layer_wrec_free(rl);
168
169 freezero(rl->alert_data, rl->alert_len);
170 freezero(rl->phh_data, rl->phh_len);
171
172 tls_content_free(rl->rcontent);
173
174 tls13_record_protection_free(rl->read);
175 tls13_record_protection_free(rl->write);
176
177 freezero(rl, sizeof(struct tls13_record_layer));
178 }
179
180 void
tls13_record_layer_set_callbacks(struct tls13_record_layer * rl,const struct tls13_record_layer_callbacks * callbacks,void * cb_arg)181 tls13_record_layer_set_callbacks(struct tls13_record_layer *rl,
182 const struct tls13_record_layer_callbacks *callbacks, void *cb_arg)
183 {
184 rl->cb = *callbacks;
185 rl->cb_arg = cb_arg;
186 }
187
188 void
tls13_record_layer_rcontent(struct tls13_record_layer * rl,CBS * cbs)189 tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs)
190 {
191 CBS_dup(tls_content_cbs(rl->rcontent), cbs);
192 }
193
194 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = {
195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
196 };
197
198 int
tls13_record_layer_inc_seq_num(uint8_t * seq_num)199 tls13_record_layer_inc_seq_num(uint8_t *seq_num)
200 {
201 int i;
202
203 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */
204 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0)
205 return 0;
206
207 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
208 if (++seq_num[i] != 0)
209 break;
210 }
211
212 return 1;
213 }
214
215 static int
tls13_record_layer_update_nonce(struct tls13_secret * nonce,struct tls13_secret * iv,uint8_t * seq_num)216 tls13_record_layer_update_nonce(struct tls13_secret *nonce,
217 struct tls13_secret *iv, uint8_t *seq_num)
218 {
219 ssize_t i, j;
220
221 if (nonce->len != iv->len)
222 return 0;
223
224 /*
225 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd
226 * with the IV to produce a per-record nonce. The IV will also be
227 * at least 8-bytes in length.
228 */
229 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--)
230 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0);
231
232 return 1;
233 }
234
235 void
tls13_record_layer_allow_ccs(struct tls13_record_layer * rl,int allow)236 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow)
237 {
238 rl->ccs_allowed = allow;
239 }
240
241 void
tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer * rl,int allow)242 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow)
243 {
244 rl->legacy_alerts_allowed = allow;
245 }
246
247 void
tls13_record_layer_set_aead(struct tls13_record_layer * rl,const EVP_AEAD * aead)248 tls13_record_layer_set_aead(struct tls13_record_layer *rl,
249 const EVP_AEAD *aead)
250 {
251 rl->aead = aead;
252 }
253
254 void
tls13_record_layer_set_hash(struct tls13_record_layer * rl,const EVP_MD * hash)255 tls13_record_layer_set_hash(struct tls13_record_layer *rl,
256 const EVP_MD *hash)
257 {
258 rl->hash = hash;
259 }
260
261 void
tls13_record_layer_set_legacy_version(struct tls13_record_layer * rl,uint16_t version)262 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl,
263 uint16_t version)
264 {
265 rl->legacy_version = version;
266 }
267
268 void
tls13_record_layer_handshake_completed(struct tls13_record_layer * rl)269 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl)
270 {
271 rl->handshake_completed = 1;
272 }
273
274 void
tls13_record_layer_set_retry_after_phh(struct tls13_record_layer * rl,int retry)275 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry)
276 {
277 rl->phh_retry = retry;
278 }
279
280 static ssize_t
tls13_record_layer_process_alert(struct tls13_record_layer * rl)281 tls13_record_layer_process_alert(struct tls13_record_layer *rl)
282 {
283 uint8_t alert_level, alert_desc;
284 ssize_t ret = TLS13_IO_FAILURE;
285
286 /*
287 * RFC 8446 - sections 5.1 and 6.
288 *
289 * A TLSv1.3 alert record can only contain a single alert - this means
290 * that processing the alert must consume all of the record. The alert
291 * will result in one of three things - continuation (user_cancelled),
292 * read channel closure (close_notify) or termination (all others).
293 */
294 if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT)
295 return TLS13_IO_FAILURE;
296
297 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level))
298 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
299 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc))
300 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
301
302 if (tls_content_remaining(rl->rcontent) != 0)
303 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
304
305 tls_content_clear(rl->rcontent);
306
307 /*
308 * Alert level is ignored for closure alerts (RFC 8446 section 6.1),
309 * however for error alerts (RFC 8446 section 6.2), the alert level
310 * must be specified as fatal.
311 */
312 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
313 rl->read_closed = 1;
314 ret = TLS13_IO_EOF;
315 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) {
316 /* Ignored at the record layer. */
317 ret = TLS13_IO_WANT_RETRY;
318 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) {
319 rl->read_closed = 1;
320 rl->write_closed = 1;
321 ret = TLS13_IO_ALERT;
322 } else if (rl->legacy_alerts_allowed &&
323 alert_level == TLS13_ALERT_LEVEL_WARNING) {
324 /* Ignored and not passed to the callback. */
325 return TLS13_IO_WANT_RETRY;
326 } else {
327 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
328 }
329
330 rl->cb.alert_recv(alert_desc, rl->cb_arg);
331
332 return ret;
333 }
334
335 static ssize_t
tls13_record_layer_send_alert(struct tls13_record_layer * rl)336 tls13_record_layer_send_alert(struct tls13_record_layer *rl)
337 {
338 ssize_t ret;
339
340 /* This has to fit into a single record, per RFC 8446 section 5.1. */
341 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT,
342 rl->alert_data, rl->alert_len)) != rl->alert_len) {
343 if (ret == TLS13_IO_EOF)
344 ret = TLS13_IO_ALERT;
345 return ret;
346 }
347
348 freezero(rl->alert_data, rl->alert_len);
349 rl->alert_data = NULL;
350 rl->alert_len = 0;
351
352 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
353 rl->write_closed = 1;
354 ret = TLS13_IO_SUCCESS;
355 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) {
356 /* Ignored at the record layer. */
357 ret = TLS13_IO_SUCCESS;
358 } else {
359 rl->read_closed = 1;
360 rl->write_closed = 1;
361 ret = TLS13_IO_ALERT;
362 }
363
364 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg);
365
366 return ret;
367 }
368
369 static ssize_t
tls13_record_layer_send_phh(struct tls13_record_layer * rl)370 tls13_record_layer_send_phh(struct tls13_record_layer *rl)
371 {
372 ssize_t ret;
373
374 /* Push out pending post-handshake handshake messages. */
375 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE,
376 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0)
377 return ret;
378 if (!CBS_skip(&rl->phh_cbs, ret))
379 return TLS13_IO_FAILURE;
380 if (CBS_len(&rl->phh_cbs) != 0)
381 return TLS13_IO_WANT_RETRY;
382
383 freezero(rl->phh_data, rl->phh_len);
384 rl->phh_data = NULL;
385 rl->phh_len = 0;
386
387 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
388
389 rl->cb.phh_sent(rl->cb_arg);
390
391 return TLS13_IO_SUCCESS;
392 }
393
394 ssize_t
tls13_record_layer_send_pending(struct tls13_record_layer * rl)395 tls13_record_layer_send_pending(struct tls13_record_layer *rl)
396 {
397 /*
398 * If an alert is pending, then it needs to be sent. However,
399 * if we're already part of the way through sending post-handshake
400 * handshake messages, then we need to finish that first...
401 */
402
403 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len)
404 return tls13_record_layer_send_phh(rl);
405
406 if (rl->alert_data != NULL)
407 return tls13_record_layer_send_alert(rl);
408
409 if (rl->phh_data != NULL)
410 return tls13_record_layer_send_phh(rl);
411
412 return TLS13_IO_SUCCESS;
413 }
414
415 static ssize_t
tls13_record_layer_enqueue_alert(struct tls13_record_layer * rl,uint8_t alert_level,uint8_t alert_desc)416 tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl,
417 uint8_t alert_level, uint8_t alert_desc)
418 {
419 CBB cbb;
420
421 if (rl->alert_data != NULL)
422 return TLS13_IO_FAILURE;
423
424 if (!CBB_init(&cbb, 0))
425 goto err;
426
427 if (!CBB_add_u8(&cbb, alert_level))
428 goto err;
429 if (!CBB_add_u8(&cbb, alert_desc))
430 goto err;
431 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
432 goto err;
433
434 rl->alert_level = alert_level;
435 rl->alert_desc = alert_desc;
436
437 return tls13_record_layer_send_pending(rl);
438
439 err:
440 CBB_cleanup(&cbb);
441
442 return TLS13_IO_FAILURE;
443 }
444
445 ssize_t
tls13_record_layer_phh(struct tls13_record_layer * rl,CBS * cbs)446 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs)
447 {
448 if (rl->phh_data != NULL)
449 return TLS13_IO_FAILURE;
450
451 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len))
452 return TLS13_IO_FAILURE;
453
454 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
455
456 return tls13_record_layer_send_pending(rl);
457 }
458
459 static int
tls13_record_layer_set_traffic_key(const EVP_AEAD * aead,const EVP_MD * hash,struct tls13_record_protection * rp,struct tls13_secret * traffic_key)460 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash,
461 struct tls13_record_protection *rp, struct tls13_secret *traffic_key)
462 {
463 struct tls13_secret context = { .data = "", .len = 0 };
464 struct tls13_secret key = { .data = NULL, .len = 0 };
465 int ret = 0;
466
467 tls13_record_protection_clear(rp);
468
469 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL)
470 return 0;
471
472 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead)))
473 goto err;
474 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead)))
475 goto err;
476 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead)))
477 goto err;
478
479 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context))
480 goto err;
481 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))
482 goto err;
483
484 if (!EVP_AEAD_CTX_init(rp->aead_ctx, aead, key.data, key.len,
485 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
486 goto err;
487
488 ret = 1;
489
490 err:
491 tls13_secret_cleanup(&key);
492
493 return ret;
494 }
495
496 int
tls13_record_layer_set_read_traffic_key(struct tls13_record_layer * rl,struct tls13_secret * read_key,enum ssl_encryption_level_t read_level)497 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
498 struct tls13_secret *read_key, enum ssl_encryption_level_t read_level)
499 {
500 if (rl->cb.set_read_traffic_key != NULL)
501 return rl->cb.set_read_traffic_key(read_key, read_level,
502 rl->cb_arg);
503
504 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
505 rl->read, read_key);
506 }
507
508 int
tls13_record_layer_set_write_traffic_key(struct tls13_record_layer * rl,struct tls13_secret * write_key,enum ssl_encryption_level_t write_level)509 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
510 struct tls13_secret *write_key, enum ssl_encryption_level_t write_level)
511 {
512 if (rl->cb.set_write_traffic_key != NULL)
513 return rl->cb.set_write_traffic_key(write_key, write_level,
514 rl->cb_arg);
515
516 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
517 rl->write, write_key);
518 }
519
520 static int
tls13_record_layer_open_record_plaintext(struct tls13_record_layer * rl)521 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl)
522 {
523 CBS cbs;
524
525 if (rl->aead != NULL)
526 return 0;
527
528 /*
529 * We're still operating in plaintext mode, so just copy the
530 * content from the record to the plaintext buffer.
531 */
532 if (!tls13_record_content(rl->rrec, &cbs))
533 return 0;
534
535 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
536 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
537 return 0;
538 }
539
540 if (!tls_content_dup_data(rl->rcontent,
541 tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs)))
542 return 0;
543
544 return 1;
545 }
546
547 static int
tls13_record_layer_open_record_protected(struct tls13_record_layer * rl)548 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
549 {
550 CBS header, enc_record, inner;
551 uint8_t *content = NULL;
552 size_t content_len = 0;
553 uint8_t content_type;
554 size_t out_len;
555
556 if (rl->aead == NULL)
557 goto err;
558
559 if (!tls13_record_header(rl->rrec, &header))
560 goto err;
561 if (!tls13_record_content(rl->rrec, &enc_record))
562 goto err;
563
564 if ((content = calloc(1, CBS_len(&enc_record))) == NULL)
565 goto err;
566 content_len = CBS_len(&enc_record);
567
568 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv,
569 rl->read->seq_num))
570 goto err;
571
572 if (!EVP_AEAD_CTX_open(rl->read->aead_ctx,
573 content, &out_len, content_len,
574 rl->read->nonce.data, rl->read->nonce.len,
575 CBS_data(&enc_record), CBS_len(&enc_record),
576 CBS_data(&header), CBS_len(&header)))
577 goto err;
578
579 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) {
580 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
581 goto err;
582 }
583
584 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num))
585 goto err;
586
587 /*
588 * The real content type is hidden at the end of the record content and
589 * it may be followed by padding that consists of one or more zeroes.
590 * Time to hunt for that elusive content type!
591 */
592 CBS_init(&inner, content, out_len);
593 content_type = 0;
594 while (CBS_get_last_u8(&inner, &content_type)) {
595 if (content_type != 0)
596 break;
597 }
598 if (content_type == 0) {
599 /* Unexpected message per RFC 8446 section 5.4. */
600 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
601 goto err;
602 }
603 if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
604 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
605 goto err;
606 }
607
608 tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner),
609 CBS_len(&inner));
610
611 return 1;
612
613 err:
614 freezero(content, content_len);
615
616 return 0;
617 }
618
619 static int
tls13_record_layer_open_record(struct tls13_record_layer * rl)620 tls13_record_layer_open_record(struct tls13_record_layer *rl)
621 {
622 if (rl->handshake_completed && rl->aead == NULL)
623 return 0;
624
625 if (rl->aead == NULL)
626 return tls13_record_layer_open_record_plaintext(rl);
627
628 return tls13_record_layer_open_record_protected(rl);
629 }
630
631 static int
tls13_record_layer_seal_record_plaintext(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)632 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl,
633 uint8_t content_type, const uint8_t *content, size_t content_len)
634 {
635 uint8_t *data = NULL;
636 size_t data_len = 0;
637 CBB cbb, body;
638
639 /*
640 * Allow dummy CCS messages to be sent in plaintext even when
641 * record protection has been engaged, as long as the handshake
642 * has not yet completed.
643 */
644 if (rl->handshake_completed)
645 return 0;
646 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC)
647 return 0;
648
649 /*
650 * We're still operating in plaintext mode, so just copy the
651 * content into the record.
652 */
653 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len))
654 goto err;
655
656 if (!CBB_add_u8(&cbb, content_type))
657 goto err;
658 if (!CBB_add_u16(&cbb, rl->legacy_version))
659 goto err;
660 if (!CBB_add_u16_length_prefixed(&cbb, &body))
661 goto err;
662 if (!CBB_add_bytes(&body, content, content_len))
663 goto err;
664
665 if (!CBB_finish(&cbb, &data, &data_len))
666 goto err;
667
668 if (!tls13_record_set_data(rl->wrec, data, data_len))
669 goto err;
670
671 rl->wrec_content_len = content_len;
672 rl->wrec_content_type = content_type;
673
674 return 1;
675
676 err:
677 CBB_cleanup(&cbb);
678 freezero(data, data_len);
679
680 return 0;
681 }
682
683 static int
tls13_record_layer_seal_record_protected(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)684 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
685 uint8_t content_type, const uint8_t *content, size_t content_len)
686 {
687 uint8_t *data = NULL, *header = NULL, *inner = NULL;
688 size_t data_len = 0, header_len = 0, inner_len = 0;
689 uint8_t *enc_record;
690 size_t enc_record_len;
691 ssize_t ret = 0;
692 size_t out_len;
693 CBB cbb;
694
695 if (rl->aead == NULL)
696 return 0;
697
698 memset(&cbb, 0, sizeof(cbb));
699
700 /* Build inner plaintext. */
701 if (!CBB_init(&cbb, content_len + 1))
702 goto err;
703 if (!CBB_add_bytes(&cbb, content, content_len))
704 goto err;
705 if (!CBB_add_u8(&cbb, content_type))
706 goto err;
707 /* XXX - padding? */
708 if (!CBB_finish(&cbb, &inner, &inner_len))
709 goto err;
710
711 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN)
712 goto err;
713
714 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
715 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead);
716 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN)
717 goto err;
718
719 /* Build the record header. */
720 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN))
721 goto err;
722 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA))
723 goto err;
724 if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
725 goto err;
726 if (!CBB_add_u16(&cbb, enc_record_len))
727 goto err;
728 if (!CBB_finish(&cbb, &header, &header_len))
729 goto err;
730
731 /* Build the actual record. */
732 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len))
733 goto err;
734 if (!CBB_add_bytes(&cbb, header, header_len))
735 goto err;
736 if (!CBB_add_space(&cbb, &enc_record, enc_record_len))
737 goto err;
738 if (!CBB_finish(&cbb, &data, &data_len))
739 goto err;
740
741 if (!tls13_record_layer_update_nonce(&rl->write->nonce,
742 &rl->write->iv, rl->write->seq_num))
743 goto err;
744
745 /*
746 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec...
747 * this would avoid a copy since the inner would be passed as two
748 * separate pieces.
749 */
750 if (!EVP_AEAD_CTX_seal(rl->write->aead_ctx,
751 enc_record, &out_len, enc_record_len,
752 rl->write->nonce.data, rl->write->nonce.len,
753 inner, inner_len, header, header_len))
754 goto err;
755
756 if (out_len != enc_record_len)
757 goto err;
758
759 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num))
760 goto err;
761
762 if (!tls13_record_set_data(rl->wrec, data, data_len))
763 goto err;
764
765 rl->wrec_content_len = content_len;
766 rl->wrec_content_type = content_type;
767
768 data = NULL;
769 data_len = 0;
770
771 ret = 1;
772
773 err:
774 CBB_cleanup(&cbb);
775
776 freezero(data, data_len);
777 freezero(header, header_len);
778 freezero(inner, inner_len);
779
780 return ret;
781 }
782
783 static int
tls13_record_layer_seal_record(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)784 tls13_record_layer_seal_record(struct tls13_record_layer *rl,
785 uint8_t content_type, const uint8_t *content, size_t content_len)
786 {
787 if (rl->handshake_completed && rl->aead == NULL)
788 return 0;
789
790 tls13_record_layer_wrec_free(rl);
791
792 if ((rl->wrec = tls13_record_new()) == NULL)
793 return 0;
794
795 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC)
796 return tls13_record_layer_seal_record_plaintext(rl,
797 content_type, content, content_len);
798
799 return tls13_record_layer_seal_record_protected(rl, content_type,
800 content, content_len);
801 }
802
803 static ssize_t
tls13_record_layer_read_record(struct tls13_record_layer * rl)804 tls13_record_layer_read_record(struct tls13_record_layer *rl)
805 {
806 uint8_t content_type, ccs;
807 ssize_t ret;
808 CBS cbs;
809
810 if (rl->rrec == NULL) {
811 if ((rl->rrec = tls13_record_new()) == NULL)
812 goto err;
813 }
814
815 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
816 switch (ret) {
817 case TLS13_IO_RECORD_VERSION:
818 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
819 case TLS13_IO_RECORD_OVERFLOW:
820 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW);
821 }
822 return ret;
823 }
824
825 content_type = tls13_record_content_type(rl->rrec);
826
827 /*
828 * In response to a client hello we may receive an alert in a
829 * record with a legacy version. Otherwise enforce that the
830 * legacy record version is 0x0303 per RFC 8446, section 5.1.
831 */
832 if (rl->legacy_version == TLS1_2_VERSION &&
833 tls13_record_version(rl->rrec) != TLS1_2_VERSION &&
834 (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed))
835 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
836
837 /*
838 * Bag of hacks ahead... after the first ClientHello message has been
839 * sent or received and before the peer's Finished message has been
840 * received, we may receive an unencrypted ChangeCipherSpec record
841 * (see RFC 8446 section 5 and appendix D.4). This record must be
842 * ignored.
843 */
844 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
845 if (!rl->ccs_allowed || rl->ccs_seen >= 2)
846 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
847 if (!tls13_record_content(rl->rrec, &cbs))
848 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
849 if (!CBS_get_u8(&cbs, &ccs))
850 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
851 if (ccs != 1)
852 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
853 if (CBS_len(&cbs) != 0)
854 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
855 rl->ccs_seen++;
856 tls13_record_layer_rrec_free(rl);
857 return TLS13_IO_WANT_RETRY;
858 }
859
860 /*
861 * Once record protection is engaged, we should only receive
862 * protected application data messages (aside from the
863 * dummy ChangeCipherSpec messages, handled above).
864 */
865 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA)
866 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
867
868 if (!tls13_record_layer_open_record(rl))
869 goto err;
870
871 tls13_record_layer_rrec_free(rl);
872
873 /*
874 * On receiving a handshake or alert record with empty inner plaintext,
875 * we must terminate the connection with an unexpected_message alert.
876 * See RFC 8446 section 5.4.
877 */
878 if (tls_content_remaining(rl->rcontent) == 0 &&
879 (tls_content_type(rl->rcontent) == SSL3_RT_ALERT ||
880 tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE))
881 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
882
883 switch (tls_content_type(rl->rcontent)) {
884 case SSL3_RT_ALERT:
885 return tls13_record_layer_process_alert(rl);
886
887 case SSL3_RT_HANDSHAKE:
888 break;
889
890 case SSL3_RT_APPLICATION_DATA:
891 if (!rl->handshake_completed)
892 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
893 break;
894
895 default:
896 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
897 }
898
899 return TLS13_IO_SUCCESS;
900
901 err:
902 return TLS13_IO_FAILURE;
903 }
904
905 static ssize_t
tls13_record_layer_pending(struct tls13_record_layer * rl,uint8_t content_type)906 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type)
907 {
908 if (tls_content_type(rl->rcontent) != content_type)
909 return 0;
910
911 return tls_content_remaining(rl->rcontent);
912 }
913
914 static ssize_t
tls13_record_layer_recv_phh(struct tls13_record_layer * rl)915 tls13_record_layer_recv_phh(struct tls13_record_layer *rl)
916 {
917 ssize_t ret = TLS13_IO_FAILURE;
918
919 rl->phh = 1;
920
921 /*
922 * The post handshake handshake receive callback is allowed to return:
923 *
924 * TLS13_IO_WANT_POLLIN need more handshake data.
925 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued.
926 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do.
927 * TLS13_IO_FAILURE something broke.
928 */
929 if (rl->cb.phh_recv != NULL)
930 ret = rl->cb.phh_recv(rl->cb_arg);
931
932 tls_content_clear(rl->rcontent);
933
934 /* Leave post handshake handshake mode unless we need more data. */
935 if (ret != TLS13_IO_WANT_POLLIN)
936 rl->phh = 0;
937
938 if (ret == TLS13_IO_SUCCESS) {
939 if (rl->phh_retry)
940 return TLS13_IO_WANT_RETRY;
941
942 return TLS13_IO_WANT_POLLIN;
943 }
944
945 return ret;
946 }
947
948 static ssize_t
tls13_record_layer_read_internal(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n,int peek)949 tls13_record_layer_read_internal(struct tls13_record_layer *rl,
950 uint8_t content_type, uint8_t *buf, size_t n, int peek)
951 {
952 ssize_t ret;
953
954 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
955 return ret;
956
957 if (rl->read_closed)
958 return TLS13_IO_EOF;
959
960 /* If necessary, pull up the next record. */
961 if (tls_content_remaining(rl->rcontent) == 0) {
962 if ((ret = tls13_record_layer_read_record(rl)) <= 0)
963 return ret;
964
965 /*
966 * We may have read a valid 0-byte application data record,
967 * in which case we need to read the next record.
968 */
969 if (tls_content_remaining(rl->rcontent) == 0)
970 return TLS13_IO_WANT_POLLIN;
971 }
972
973 /*
974 * If we are in post handshake handshake mode, we must not see
975 * any record type that isn't a handshake until we are done.
976 */
977 if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE)
978 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
979
980 /*
981 * Handshake content can appear as post-handshake messages (yup,
982 * the RFC reused the same content type...), which means we can
983 * be trying to read application data and need to handle a
984 * post-handshake handshake message instead...
985 */
986 if (tls_content_type(rl->rcontent) != content_type) {
987 if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE) {
988 if (rl->handshake_completed)
989 return tls13_record_layer_recv_phh(rl);
990 }
991 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
992 }
993
994 if (peek)
995 return tls_content_peek(rl->rcontent, buf, n);
996
997 return tls_content_read(rl->rcontent, buf, n);
998 }
999
1000 static ssize_t
tls13_record_layer_peek(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n)1001 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type,
1002 uint8_t *buf, size_t n)
1003 {
1004 ssize_t ret;
1005
1006 do {
1007 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1);
1008 } while (ret == TLS13_IO_WANT_RETRY);
1009
1010 if (rl->alert != 0)
1011 return tls13_send_alert(rl, rl->alert);
1012
1013 return ret;
1014 }
1015
1016 static ssize_t
tls13_record_layer_read(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n)1017 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
1018 uint8_t *buf, size_t n)
1019 {
1020 ssize_t ret;
1021
1022 do {
1023 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0);
1024 } while (ret == TLS13_IO_WANT_RETRY);
1025
1026 if (rl->alert != 0)
1027 return tls13_send_alert(rl, rl->alert);
1028
1029 return ret;
1030 }
1031
1032 static ssize_t
tls13_record_layer_write_record(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)1033 tls13_record_layer_write_record(struct tls13_record_layer *rl,
1034 uint8_t content_type, const uint8_t *content, size_t content_len)
1035 {
1036 ssize_t ret;
1037
1038 if (rl->write_closed)
1039 return TLS13_IO_EOF;
1040
1041 /*
1042 * If we pushed out application data while handling other messages,
1043 * we need to return content length on the next call.
1044 */
1045 if (content_type == SSL3_RT_APPLICATION_DATA &&
1046 rl->wrec_appdata_len != 0) {
1047 ret = rl->wrec_appdata_len;
1048 rl->wrec_appdata_len = 0;
1049 return ret;
1050 }
1051
1052 /* See if there is an existing record and attempt to push it out... */
1053 if (rl->wrec != NULL) {
1054 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write,
1055 rl->cb_arg)) <= 0)
1056 return ret;
1057 tls13_record_layer_wrec_free(rl);
1058
1059 if (rl->wrec_content_type == content_type) {
1060 ret = rl->wrec_content_len;
1061 rl->wrec_content_len = 0;
1062 rl->wrec_content_type = 0;
1063 return ret;
1064 }
1065
1066 /*
1067 * The only partial record type should be application data.
1068 * All other cases are handled to completion.
1069 */
1070 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA)
1071 return TLS13_IO_FAILURE;
1072 rl->wrec_appdata_len = rl->wrec_content_len;
1073 }
1074
1075 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1076 goto err;
1077
1078 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len))
1079 goto err;
1080
1081 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0)
1082 return ret;
1083
1084 tls13_record_layer_wrec_free(rl);
1085
1086 return content_len;
1087
1088 err:
1089 return TLS13_IO_FAILURE;
1090 }
1091
1092 static ssize_t
tls13_record_layer_write_chunk(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * buf,size_t n)1093 tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
1094 uint8_t content_type, const uint8_t *buf, size_t n)
1095 {
1096 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1097 n = TLS13_RECORD_MAX_PLAINTEXT_LEN;
1098
1099 return tls13_record_layer_write_record(rl, content_type, buf, n);
1100 }
1101
1102 static ssize_t
tls13_record_layer_write(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * buf,size_t n)1103 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
1104 const uint8_t *buf, size_t n)
1105 {
1106 ssize_t ret;
1107
1108 do {
1109 ret = tls13_record_layer_send_pending(rl);
1110 } while (ret == TLS13_IO_WANT_RETRY);
1111 if (ret != TLS13_IO_SUCCESS)
1112 return ret;
1113
1114 do {
1115 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n);
1116 } while (ret == TLS13_IO_WANT_RETRY);
1117
1118 return ret;
1119 }
1120
1121 ssize_t
tls13_record_layer_flush(struct tls13_record_layer * rl)1122 tls13_record_layer_flush(struct tls13_record_layer *rl)
1123 {
1124 return rl->cb.wire_flush(rl->cb_arg);
1125 }
1126
1127 static const uint8_t tls13_dummy_ccs[] = { 0x01 };
1128
1129 ssize_t
tls13_send_dummy_ccs(struct tls13_record_layer * rl)1130 tls13_send_dummy_ccs(struct tls13_record_layer *rl)
1131 {
1132 ssize_t ret;
1133
1134 if (rl->ccs_sent)
1135 return TLS13_IO_FAILURE;
1136
1137 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC,
1138 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0)
1139 return ret;
1140
1141 rl->ccs_sent = 1;
1142
1143 return TLS13_IO_SUCCESS;
1144 }
1145
1146 ssize_t
tls13_read_handshake_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1147 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1148 {
1149 if (rl->cb.handshake_read != NULL)
1150 return rl->cb.handshake_read(buf, n, rl->cb_arg);
1151
1152 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n);
1153 }
1154
1155 ssize_t
tls13_write_handshake_data(struct tls13_record_layer * rl,const uint8_t * buf,size_t n)1156 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
1157 size_t n)
1158 {
1159 if (rl->cb.handshake_write != NULL)
1160 return rl->cb.handshake_write(buf, n, rl->cb_arg);
1161
1162 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n);
1163 }
1164
1165 ssize_t
tls13_pending_application_data(struct tls13_record_layer * rl)1166 tls13_pending_application_data(struct tls13_record_layer *rl)
1167 {
1168 if (!rl->handshake_completed)
1169 return 0;
1170
1171 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA);
1172 }
1173
1174 ssize_t
tls13_peek_application_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1175 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1176 {
1177 if (!rl->handshake_completed)
1178 return TLS13_IO_FAILURE;
1179
1180 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1181 }
1182
1183 ssize_t
tls13_read_application_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1184 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1185 {
1186 if (!rl->handshake_completed)
1187 return TLS13_IO_FAILURE;
1188
1189 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1190 }
1191
1192 ssize_t
tls13_write_application_data(struct tls13_record_layer * rl,const uint8_t * buf,size_t n)1193 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf,
1194 size_t n)
1195 {
1196 if (!rl->handshake_completed)
1197 return TLS13_IO_FAILURE;
1198
1199 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1200 }
1201
1202 ssize_t
tls13_send_alert(struct tls13_record_layer * rl,uint8_t alert_desc)1203 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc)
1204 {
1205 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL;
1206 ssize_t ret;
1207
1208 if (rl->cb.alert_send != NULL)
1209 return rl->cb.alert_send(alert_desc, rl->cb_arg);
1210
1211 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY ||
1212 alert_desc == TLS13_ALERT_USER_CANCELED)
1213 alert_level = TLS13_ALERT_LEVEL_WARNING;
1214
1215 do {
1216 ret = tls13_record_layer_enqueue_alert(rl, alert_level,
1217 alert_desc);
1218 } while (ret == TLS13_IO_WANT_RETRY);
1219
1220 return ret;
1221 }
1222