1 /* $OpenBSD: tls13_record_layer.c,v 1.53 2020/09/11 15:03:36 jsing Exp $ */
2 /*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include "ssl_locl.h"
19
20 #include "tls13_internal.h"
21 #include "tls13_record.h"
22
23 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
24 uint8_t content_type, const uint8_t *buf, size_t n);
25 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
26 uint8_t content_type, const uint8_t *content, size_t content_len);
27
28 struct tls13_record_layer {
29 uint16_t legacy_version;
30
31 int ccs_allowed;
32 int ccs_seen;
33 int ccs_sent;
34 int handshake_completed;
35 int legacy_alerts_allowed;
36 int phh;
37 int phh_retry;
38
39 /*
40 * Read and/or write channels are closed due to an alert being
41 * sent or received. In the case of an error alert both channels
42 * are closed, whereas in the case of a close notify only one
43 * channel is closed.
44 */
45 int read_closed;
46 int write_closed;
47
48 struct tls13_record *rrec;
49
50 struct tls13_record *wrec;
51 uint8_t wrec_content_type;
52 size_t wrec_appdata_len;
53 size_t wrec_content_len;
54
55 /* Alert to be sent on return from current read handler. */
56 uint8_t alert;
57
58 /* Pending alert messages. */
59 uint8_t *alert_data;
60 size_t alert_len;
61 uint8_t alert_level;
62 uint8_t alert_desc;
63
64 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */
65 CBS phh_cbs;
66 uint8_t *phh_data;
67 size_t phh_len;
68
69 /* Buffer containing plaintext from opened records. */
70 uint8_t rbuf_content_type;
71 uint8_t *rbuf;
72 size_t rbuf_len;
73 CBS rbuf_cbs;
74
75 /* Record protection. */
76 const EVP_MD *hash;
77 const EVP_AEAD *aead;
78 EVP_AEAD_CTX read_aead_ctx;
79 EVP_AEAD_CTX write_aead_ctx;
80 struct tls13_secret read_iv;
81 struct tls13_secret write_iv;
82 struct tls13_secret read_nonce;
83 struct tls13_secret write_nonce;
84 uint8_t read_seq_num[TLS13_RECORD_SEQ_NUM_LEN];
85 uint8_t write_seq_num[TLS13_RECORD_SEQ_NUM_LEN];
86
87 /* Callbacks. */
88 struct tls13_record_layer_callbacks cb;
89 void *cb_arg;
90 };
91
92 static void
tls13_record_layer_rbuf_free(struct tls13_record_layer * rl)93 tls13_record_layer_rbuf_free(struct tls13_record_layer *rl)
94 {
95 CBS_init(&rl->rbuf_cbs, NULL, 0);
96 freezero(rl->rbuf, rl->rbuf_len);
97 rl->rbuf = NULL;
98 rl->rbuf_len = 0;
99 rl->rbuf_content_type = 0;
100 }
101
102 static void
tls13_record_layer_rrec_free(struct tls13_record_layer * rl)103 tls13_record_layer_rrec_free(struct tls13_record_layer *rl)
104 {
105 tls13_record_free(rl->rrec);
106 rl->rrec = NULL;
107 }
108
109 static void
tls13_record_layer_wrec_free(struct tls13_record_layer * rl)110 tls13_record_layer_wrec_free(struct tls13_record_layer *rl)
111 {
112 tls13_record_free(rl->wrec);
113 rl->wrec = NULL;
114 }
115
116 struct tls13_record_layer *
tls13_record_layer_new(const struct tls13_record_layer_callbacks * callbacks,void * cb_arg)117 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks,
118 void *cb_arg)
119 {
120 struct tls13_record_layer *rl;
121
122 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL)
123 return NULL;
124
125 rl->legacy_version = TLS1_2_VERSION;
126 rl->cb = *callbacks;
127 rl->cb_arg = cb_arg;
128
129 return rl;
130 }
131
132 void
tls13_record_layer_free(struct tls13_record_layer * rl)133 tls13_record_layer_free(struct tls13_record_layer *rl)
134 {
135 if (rl == NULL)
136 return;
137
138 tls13_record_layer_rbuf_free(rl);
139
140 tls13_record_layer_rrec_free(rl);
141 tls13_record_layer_wrec_free(rl);
142
143 EVP_AEAD_CTX_cleanup(&rl->read_aead_ctx);
144 EVP_AEAD_CTX_cleanup(&rl->write_aead_ctx);
145
146 freezero(rl->read_iv.data, rl->read_iv.len);
147 freezero(rl->write_iv.data, rl->write_iv.len);
148 freezero(rl->read_nonce.data, rl->read_nonce.len);
149 freezero(rl->write_nonce.data, rl->write_nonce.len);
150
151 freezero(rl, sizeof(struct tls13_record_layer));
152 }
153
154 void
tls13_record_layer_rbuf(struct tls13_record_layer * rl,CBS * cbs)155 tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs)
156 {
157 CBS_dup(&rl->rbuf_cbs, cbs);
158 }
159
160 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = {
161 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
162 };
163
164 int
tls13_record_layer_inc_seq_num(uint8_t * seq_num)165 tls13_record_layer_inc_seq_num(uint8_t *seq_num)
166 {
167 int i;
168
169 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */
170 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0)
171 return 0;
172
173 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
174 if (++seq_num[i] != 0)
175 break;
176 }
177
178 return 1;
179 }
180
181 static int
tls13_record_layer_update_nonce(struct tls13_secret * nonce,struct tls13_secret * iv,uint8_t * seq_num)182 tls13_record_layer_update_nonce(struct tls13_secret *nonce,
183 struct tls13_secret *iv, uint8_t *seq_num)
184 {
185 ssize_t i, j;
186
187 if (nonce->len != iv->len)
188 return 0;
189
190 /*
191 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd
192 * with the IV to produce a per-record nonce. The IV will also be
193 * at least 8-bytes in length.
194 */
195 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--)
196 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0);
197
198 return 1;
199 }
200
201 void
tls13_record_layer_allow_ccs(struct tls13_record_layer * rl,int allow)202 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow)
203 {
204 rl->ccs_allowed = allow;
205 }
206
207 void
tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer * rl,int allow)208 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow)
209 {
210 rl->legacy_alerts_allowed = allow;
211 }
212
213 void
tls13_record_layer_set_aead(struct tls13_record_layer * rl,const EVP_AEAD * aead)214 tls13_record_layer_set_aead(struct tls13_record_layer *rl,
215 const EVP_AEAD *aead)
216 {
217 rl->aead = aead;
218 }
219
220 void
tls13_record_layer_set_hash(struct tls13_record_layer * rl,const EVP_MD * hash)221 tls13_record_layer_set_hash(struct tls13_record_layer *rl,
222 const EVP_MD *hash)
223 {
224 rl->hash = hash;
225 }
226
227 void
tls13_record_layer_set_legacy_version(struct tls13_record_layer * rl,uint16_t version)228 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl,
229 uint16_t version)
230 {
231 rl->legacy_version = version;
232 }
233
234 void
tls13_record_layer_handshake_completed(struct tls13_record_layer * rl)235 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl)
236 {
237 rl->handshake_completed = 1;
238 }
239
240 void
tls13_record_layer_set_retry_after_phh(struct tls13_record_layer * rl,int retry)241 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry)
242 {
243 rl->phh_retry = retry;
244 }
245
246 static ssize_t
tls13_record_layer_process_alert(struct tls13_record_layer * rl)247 tls13_record_layer_process_alert(struct tls13_record_layer *rl)
248 {
249 uint8_t alert_level, alert_desc;
250 ssize_t ret = TLS13_IO_FAILURE;
251
252 /*
253 * RFC 8446 - sections 5.1 and 6.
254 *
255 * A TLSv1.3 alert record can only contain a single alert - this means
256 * that processing the alert must consume all of the record. The alert
257 * will result in one of three things - continuation (user_cancelled),
258 * read channel closure (close_notify) or termination (all others).
259 */
260 if (rl->rbuf == NULL)
261 return TLS13_IO_FAILURE;
262
263 if (rl->rbuf_content_type != SSL3_RT_ALERT)
264 return TLS13_IO_FAILURE;
265
266 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_level))
267 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
268
269 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_desc))
270 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
271
272 if (CBS_len(&rl->rbuf_cbs) != 0)
273 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
274
275 tls13_record_layer_rbuf_free(rl);
276
277 /*
278 * Alert level is ignored for closure alerts (RFC 8446 section 6.1),
279 * however for error alerts (RFC 8446 section 6.2), the alert level
280 * must be specified as fatal.
281 */
282 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
283 rl->read_closed = 1;
284 ret = TLS13_IO_EOF;
285 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) {
286 /* Ignored at the record layer. */
287 ret = TLS13_IO_WANT_RETRY;
288 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) {
289 rl->read_closed = 1;
290 rl->write_closed = 1;
291 ret = TLS13_IO_ALERT;
292 } else if (rl->legacy_alerts_allowed &&
293 alert_level == TLS13_ALERT_LEVEL_WARNING) {
294 /* Ignored and not passed to the callback. */
295 return TLS13_IO_WANT_RETRY;
296 } else {
297 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
298 }
299
300 rl->cb.alert_recv(alert_desc, rl->cb_arg);
301
302 return ret;
303 }
304
305 static ssize_t
tls13_record_layer_send_alert(struct tls13_record_layer * rl)306 tls13_record_layer_send_alert(struct tls13_record_layer *rl)
307 {
308 ssize_t ret;
309
310 /* This has to fit into a single record, per RFC 8446 section 5.1. */
311 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT,
312 rl->alert_data, rl->alert_len)) != rl->alert_len) {
313 if (ret == TLS13_IO_EOF)
314 ret = TLS13_IO_ALERT;
315 return ret;
316 }
317
318 freezero(rl->alert_data, rl->alert_len);
319 rl->alert_data = NULL;
320 rl->alert_len = 0;
321
322 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
323 rl->write_closed = 1;
324 ret = TLS13_IO_SUCCESS;
325 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) {
326 /* Ignored at the record layer. */
327 ret = TLS13_IO_SUCCESS;
328 } else {
329 rl->read_closed = 1;
330 rl->write_closed = 1;
331 ret = TLS13_IO_ALERT;
332 }
333
334 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg);
335
336 return ret;
337 }
338
339 static ssize_t
tls13_record_layer_send_phh(struct tls13_record_layer * rl)340 tls13_record_layer_send_phh(struct tls13_record_layer *rl)
341 {
342 ssize_t ret;
343
344 /* Push out pending post-handshake handshake messages. */
345 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE,
346 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0)
347 return ret;
348 if (!CBS_skip(&rl->phh_cbs, ret))
349 return TLS13_IO_FAILURE;
350 if (CBS_len(&rl->phh_cbs) != 0)
351 return TLS13_IO_WANT_RETRY;
352
353 freezero(rl->phh_data, rl->phh_len);
354 rl->phh_data = NULL;
355 rl->phh_len = 0;
356
357 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
358
359 rl->cb.phh_sent(rl->cb_arg);
360
361 return TLS13_IO_SUCCESS;
362 }
363
364 ssize_t
tls13_record_layer_send_pending(struct tls13_record_layer * rl)365 tls13_record_layer_send_pending(struct tls13_record_layer *rl)
366 {
367 /*
368 * If an alert is pending, then it needs to be sent. However,
369 * if we're already part of the way through sending post-handshake
370 * handshake messages, then we need to finish that first...
371 */
372
373 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len)
374 return tls13_record_layer_send_phh(rl);
375
376 if (rl->alert_data != NULL)
377 return tls13_record_layer_send_alert(rl);
378
379 if (rl->phh_data != NULL)
380 return tls13_record_layer_send_phh(rl);
381
382 return TLS13_IO_SUCCESS;
383 }
384
385 static ssize_t
tls13_record_layer_alert(struct tls13_record_layer * rl,uint8_t alert_level,uint8_t alert_desc)386 tls13_record_layer_alert(struct tls13_record_layer *rl,
387 uint8_t alert_level, uint8_t alert_desc)
388 {
389 CBB cbb;
390
391 if (rl->alert_data != NULL)
392 return TLS13_IO_FAILURE;
393
394 if (!CBB_init(&cbb, 0))
395 goto err;
396
397 if (!CBB_add_u8(&cbb, alert_level))
398 goto err;
399 if (!CBB_add_u8(&cbb, alert_desc))
400 goto err;
401 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
402 goto err;
403
404 rl->alert_level = alert_level;
405 rl->alert_desc = alert_desc;
406
407 return tls13_record_layer_send_pending(rl);
408
409 err:
410 CBB_cleanup(&cbb);
411
412 return TLS13_IO_FAILURE;
413 }
414
415 ssize_t
tls13_record_layer_phh(struct tls13_record_layer * rl,CBS * cbs)416 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs)
417 {
418 if (rl->phh_data != NULL)
419 return TLS13_IO_FAILURE;
420
421 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len))
422 return TLS13_IO_FAILURE;
423
424 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
425
426 return tls13_record_layer_send_pending(rl);
427 }
428
429 static int
tls13_record_layer_set_traffic_key(const EVP_AEAD * aead,EVP_AEAD_CTX * aead_ctx,const EVP_MD * hash,struct tls13_secret * iv,struct tls13_secret * nonce,struct tls13_secret * traffic_key)430 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, EVP_AEAD_CTX *aead_ctx,
431 const EVP_MD *hash, struct tls13_secret *iv, struct tls13_secret *nonce,
432 struct tls13_secret *traffic_key)
433 {
434 struct tls13_secret context = { .data = "", .len = 0 };
435 struct tls13_secret key = { .data = NULL, .len = 0 };
436 int ret = 0;
437
438 EVP_AEAD_CTX_cleanup(aead_ctx);
439
440 freezero(iv->data, iv->len);
441 iv->data = NULL;
442 iv->len = 0;
443
444 freezero(nonce->data, nonce->len);
445 nonce->data = NULL;
446 nonce->len = 0;
447
448 if ((iv->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL)
449 goto err;
450 iv->len = EVP_AEAD_nonce_length(aead);
451
452 if ((nonce->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL)
453 goto err;
454 nonce->len = EVP_AEAD_nonce_length(aead);
455
456 if ((key.data = calloc(1, EVP_AEAD_key_length(aead))) == NULL)
457 goto err;
458 key.len = EVP_AEAD_key_length(aead);
459
460 if (!tls13_hkdf_expand_label(iv, hash, traffic_key, "iv", &context))
461 goto err;
462 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))
463 goto err;
464
465 if (!EVP_AEAD_CTX_init(aead_ctx, aead, key.data, key.len,
466 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
467 goto err;
468
469 ret = 1;
470
471 err:
472 freezero(key.data, key.len);
473
474 return ret;
475 }
476
477 int
tls13_record_layer_set_read_traffic_key(struct tls13_record_layer * rl,struct tls13_secret * read_key)478 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
479 struct tls13_secret *read_key)
480 {
481 memset(rl->read_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN);
482
483 return tls13_record_layer_set_traffic_key(rl->aead, &rl->read_aead_ctx,
484 rl->hash, &rl->read_iv, &rl->read_nonce, read_key);
485 }
486
487 int
tls13_record_layer_set_write_traffic_key(struct tls13_record_layer * rl,struct tls13_secret * write_key)488 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
489 struct tls13_secret *write_key)
490 {
491 memset(rl->write_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN);
492
493 return tls13_record_layer_set_traffic_key(rl->aead, &rl->write_aead_ctx,
494 rl->hash, &rl->write_iv, &rl->write_nonce, write_key);
495 }
496
497 static int
tls13_record_layer_open_record_plaintext(struct tls13_record_layer * rl)498 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl)
499 {
500 CBS cbs;
501
502 if (rl->aead != NULL)
503 return 0;
504
505 /*
506 * We're still operating in plaintext mode, so just copy the
507 * content from the record to the plaintext buffer.
508 */
509 if (!tls13_record_content(rl->rrec, &cbs))
510 return 0;
511
512 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
513 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
514 return 0;
515 }
516
517 tls13_record_layer_rbuf_free(rl);
518
519 if (!CBS_stow(&cbs, &rl->rbuf, &rl->rbuf_len))
520 return 0;
521
522 rl->rbuf_content_type = tls13_record_content_type(rl->rrec);
523
524 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len);
525
526 return 1;
527 }
528
529 static int
tls13_record_layer_open_record_protected(struct tls13_record_layer * rl)530 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
531 {
532 CBS header, enc_record;
533 ssize_t inner_len;
534 uint8_t *content = NULL;
535 size_t content_len = 0;
536 uint8_t content_type;
537 size_t out_len;
538
539 if (rl->aead == NULL)
540 goto err;
541
542 if (!tls13_record_header(rl->rrec, &header))
543 goto err;
544 if (!tls13_record_content(rl->rrec, &enc_record))
545 goto err;
546
547 if ((content = calloc(1, CBS_len(&enc_record))) == NULL)
548 goto err;
549 content_len = CBS_len(&enc_record);
550
551 if (!tls13_record_layer_update_nonce(&rl->read_nonce, &rl->read_iv,
552 rl->read_seq_num))
553 goto err;
554
555 if (!EVP_AEAD_CTX_open(&rl->read_aead_ctx,
556 content, &out_len, content_len,
557 rl->read_nonce.data, rl->read_nonce.len,
558 CBS_data(&enc_record), CBS_len(&enc_record),
559 CBS_data(&header), CBS_len(&header)))
560 goto err;
561
562 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) {
563 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
564 goto err;
565 }
566
567 if (!tls13_record_layer_inc_seq_num(rl->read_seq_num))
568 goto err;
569
570 /*
571 * The real content type is hidden at the end of the record content and
572 * it may be followed by padding that consists of one or more zeroes.
573 * Time to hunt for that elusive content type!
574 */
575 /* XXX - CBS from end? CBS_get_end_u8()? */
576 inner_len = out_len - 1;
577 while (inner_len >= 0 && content[inner_len] == 0)
578 inner_len--;
579 if (inner_len < 0) {
580 /* Unexpected message per RFC 8446 section 5.4. */
581 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
582 goto err;
583 }
584 if (inner_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
585 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
586 goto err;
587 }
588 content_type = content[inner_len];
589
590 tls13_record_layer_rbuf_free(rl);
591
592 rl->rbuf_content_type = content_type;
593 rl->rbuf = content;
594 rl->rbuf_len = inner_len;
595
596 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len);
597
598 return 1;
599
600 err:
601 freezero(content, content_len);
602
603 return 0;
604 }
605
606 static int
tls13_record_layer_open_record(struct tls13_record_layer * rl)607 tls13_record_layer_open_record(struct tls13_record_layer *rl)
608 {
609 if (rl->handshake_completed && rl->aead == NULL)
610 return 0;
611
612 if (rl->aead == NULL)
613 return tls13_record_layer_open_record_plaintext(rl);
614
615 return tls13_record_layer_open_record_protected(rl);
616 }
617
618 static int
tls13_record_layer_seal_record_plaintext(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)619 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl,
620 uint8_t content_type, const uint8_t *content, size_t content_len)
621 {
622 uint8_t *data = NULL;
623 size_t data_len = 0;
624 CBB cbb, body;
625
626 /*
627 * Allow dummy CCS messages to be sent in plaintext even when
628 * record protection has been engaged, as long as the handshake
629 * has not yet completed.
630 */
631 if (rl->handshake_completed)
632 return 0;
633 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC)
634 return 0;
635
636 /*
637 * We're still operating in plaintext mode, so just copy the
638 * content into the record.
639 */
640 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len))
641 goto err;
642
643 if (!CBB_add_u8(&cbb, content_type))
644 goto err;
645 if (!CBB_add_u16(&cbb, rl->legacy_version))
646 goto err;
647 if (!CBB_add_u16_length_prefixed(&cbb, &body))
648 goto err;
649 if (!CBB_add_bytes(&body, content, content_len))
650 goto err;
651
652 if (!CBB_finish(&cbb, &data, &data_len))
653 goto err;
654
655 if (!tls13_record_set_data(rl->wrec, data, data_len))
656 goto err;
657
658 rl->wrec_content_len = content_len;
659 rl->wrec_content_type = content_type;
660
661 return 1;
662
663 err:
664 CBB_cleanup(&cbb);
665 freezero(data, data_len);
666
667 return 0;
668 }
669
670 static int
tls13_record_layer_seal_record_protected(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)671 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
672 uint8_t content_type, const uint8_t *content, size_t content_len)
673 {
674 uint8_t *data = NULL, *header = NULL, *inner = NULL;
675 size_t data_len = 0, header_len = 0, inner_len = 0;
676 uint8_t *enc_record;
677 size_t enc_record_len;
678 ssize_t ret = 0;
679 size_t out_len;
680 CBB cbb;
681
682 if (rl->aead == NULL)
683 return 0;
684
685 memset(&cbb, 0, sizeof(cbb));
686
687 /* Build inner plaintext. */
688 if (!CBB_init(&cbb, content_len + 1))
689 goto err;
690 if (!CBB_add_bytes(&cbb, content, content_len))
691 goto err;
692 if (!CBB_add_u8(&cbb, content_type))
693 goto err;
694 /* XXX - padding? */
695 if (!CBB_finish(&cbb, &inner, &inner_len))
696 goto err;
697
698 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN)
699 goto err;
700
701 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
702 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead);
703 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN)
704 goto err;
705
706 /* Build the record header. */
707 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN))
708 goto err;
709 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA))
710 goto err;
711 if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
712 goto err;
713 if (!CBB_add_u16(&cbb, enc_record_len))
714 goto err;
715 if (!CBB_finish(&cbb, &header, &header_len))
716 goto err;
717
718 /* Build the actual record. */
719 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len))
720 goto err;
721 if (!CBB_add_bytes(&cbb, header, header_len))
722 goto err;
723 if (!CBB_add_space(&cbb, &enc_record, enc_record_len))
724 goto err;
725 if (!CBB_finish(&cbb, &data, &data_len))
726 goto err;
727
728 if (!tls13_record_layer_update_nonce(&rl->write_nonce,
729 &rl->write_iv, rl->write_seq_num))
730 goto err;
731
732 /*
733 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec...
734 * this would avoid a copy since the inner would be passed as two
735 * separate pieces.
736 */
737 if (!EVP_AEAD_CTX_seal(&rl->write_aead_ctx,
738 enc_record, &out_len, enc_record_len,
739 rl->write_nonce.data, rl->write_nonce.len,
740 inner, inner_len, header, header_len))
741 goto err;
742
743 if (out_len != enc_record_len)
744 goto err;
745
746 if (!tls13_record_layer_inc_seq_num(rl->write_seq_num))
747 goto err;
748
749 if (!tls13_record_set_data(rl->wrec, data, data_len))
750 goto err;
751
752 rl->wrec_content_len = content_len;
753 rl->wrec_content_type = content_type;
754
755 data = NULL;
756 data_len = 0;
757
758 ret = 1;
759
760 err:
761 CBB_cleanup(&cbb);
762
763 freezero(data, data_len);
764 freezero(header, header_len);
765 freezero(inner, inner_len);
766
767 return ret;
768 }
769
770 static int
tls13_record_layer_seal_record(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)771 tls13_record_layer_seal_record(struct tls13_record_layer *rl,
772 uint8_t content_type, const uint8_t *content, size_t content_len)
773 {
774 if (rl->handshake_completed && rl->aead == NULL)
775 return 0;
776
777 tls13_record_layer_wrec_free(rl);
778
779 if ((rl->wrec = tls13_record_new()) == NULL)
780 return 0;
781
782 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC)
783 return tls13_record_layer_seal_record_plaintext(rl,
784 content_type, content, content_len);
785
786 return tls13_record_layer_seal_record_protected(rl, content_type,
787 content, content_len);
788 }
789
790 static ssize_t
tls13_record_layer_read_record(struct tls13_record_layer * rl)791 tls13_record_layer_read_record(struct tls13_record_layer *rl)
792 {
793 uint8_t content_type, ccs;
794 ssize_t ret;
795 CBS cbs;
796
797 if (rl->rrec == NULL) {
798 if ((rl->rrec = tls13_record_new()) == NULL)
799 goto err;
800 }
801
802 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
803 switch (ret) {
804 case TLS13_IO_RECORD_VERSION:
805 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
806 case TLS13_IO_RECORD_OVERFLOW:
807 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW);
808 }
809 return ret;
810 }
811
812 if (rl->legacy_version == TLS1_2_VERSION &&
813 tls13_record_version(rl->rrec) != TLS1_2_VERSION)
814 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
815
816 content_type = tls13_record_content_type(rl->rrec);
817
818 /*
819 * Bag of hacks ahead... after the first ClientHello message has been
820 * sent or received and before the peer's Finished message has been
821 * received, we may receive an unencrypted ChangeCipherSpec record
822 * (see RFC 8446 section 5 and appendix D.4). This record must be
823 * ignored.
824 */
825 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
826 if (!rl->ccs_allowed || rl->ccs_seen >= 2)
827 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
828 if (!tls13_record_content(rl->rrec, &cbs))
829 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
830 if (!CBS_get_u8(&cbs, &ccs))
831 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
832 if (ccs != 1)
833 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
834 rl->ccs_seen++;
835 tls13_record_layer_rrec_free(rl);
836 return TLS13_IO_WANT_RETRY;
837 }
838
839 /*
840 * Once record protection is engaged, we should only receive
841 * protected application data messages (aside from the
842 * dummy ChangeCipherSpec messages, handled above).
843 */
844 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA)
845 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
846
847 if (!tls13_record_layer_open_record(rl))
848 goto err;
849
850 tls13_record_layer_rrec_free(rl);
851
852 /*
853 * On receiving a handshake or alert record with empty inner plaintext,
854 * we must terminate the connection with an unexpected_message alert.
855 * See RFC 8446 section 5.4.
856 */
857 if (CBS_len(&rl->rbuf_cbs) == 0 &&
858 (rl->rbuf_content_type == SSL3_RT_ALERT ||
859 rl->rbuf_content_type == SSL3_RT_HANDSHAKE))
860 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
861
862 switch (rl->rbuf_content_type) {
863 case SSL3_RT_ALERT:
864 return tls13_record_layer_process_alert(rl);
865
866 case SSL3_RT_HANDSHAKE:
867 break;
868
869 case SSL3_RT_APPLICATION_DATA:
870 if (!rl->handshake_completed)
871 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
872 break;
873
874 default:
875 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
876 }
877
878 return TLS13_IO_SUCCESS;
879
880 err:
881 return TLS13_IO_FAILURE;
882 }
883
884 static ssize_t
tls13_record_layer_pending(struct tls13_record_layer * rl,uint8_t content_type)885 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type)
886 {
887 if (rl->rbuf_content_type != content_type)
888 return 0;
889
890 return CBS_len(&rl->rbuf_cbs);
891 }
892
893 static ssize_t
tls13_record_layer_recv_phh(struct tls13_record_layer * rl)894 tls13_record_layer_recv_phh(struct tls13_record_layer *rl)
895 {
896 ssize_t ret = TLS13_IO_FAILURE;
897
898 rl->phh = 1;
899
900 /*
901 * The post handshake handshake receive callback is allowed to return:
902 *
903 * TLS13_IO_WANT_POLLIN need more handshake data.
904 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued.
905 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do.
906 * TLS13_IO_FAILURE something broke.
907 */
908 if (rl->cb.phh_recv != NULL)
909 ret = rl->cb.phh_recv(rl->cb_arg, &rl->rbuf_cbs);
910
911 tls13_record_layer_rbuf_free(rl);
912
913 /* Leave post handshake handshake mode unless we need more data. */
914 if (ret != TLS13_IO_WANT_POLLIN)
915 rl->phh = 0;
916
917 if (ret == TLS13_IO_SUCCESS) {
918 if (rl->phh_retry)
919 return TLS13_IO_WANT_RETRY;
920
921 return TLS13_IO_WANT_POLLIN;
922 }
923
924 return ret;
925 }
926
927 static ssize_t
tls13_record_layer_read_internal(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n,int peek)928 tls13_record_layer_read_internal(struct tls13_record_layer *rl,
929 uint8_t content_type, uint8_t *buf, size_t n, int peek)
930 {
931 ssize_t ret;
932
933 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
934 return ret;
935
936 if (rl->read_closed)
937 return TLS13_IO_EOF;
938
939 /* If necessary, pull up the next record. */
940 if (CBS_len(&rl->rbuf_cbs) == 0) {
941 if ((ret = tls13_record_layer_read_record(rl)) <= 0)
942 return ret;
943
944 /*
945 * We may have read a valid 0-byte application data record,
946 * in which case we need to read the next record.
947 */
948 if (CBS_len(&rl->rbuf_cbs) == 0) {
949 tls13_record_layer_rbuf_free(rl);
950 return TLS13_IO_WANT_POLLIN;
951 }
952 }
953
954 /*
955 * If we are in post handshake handshake mode, we must not see
956 * any record type that isn't a handshake until we are done.
957 */
958 if (rl->phh && rl->rbuf_content_type != SSL3_RT_HANDSHAKE)
959 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
960
961 /*
962 * Handshake content can appear as post-handshake messages (yup,
963 * the RFC reused the same content type...), which means we can
964 * be trying to read application data and need to handle a
965 * post-handshake handshake message instead...
966 */
967 if (rl->rbuf_content_type != content_type) {
968 if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) {
969 if (rl->handshake_completed)
970 return tls13_record_layer_recv_phh(rl);
971 }
972 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
973 }
974
975 if (n > CBS_len(&rl->rbuf_cbs))
976 n = CBS_len(&rl->rbuf_cbs);
977
978 /* XXX - CBS_memcpy? CBS_copy_bytes? */
979 memcpy(buf, CBS_data(&rl->rbuf_cbs), n);
980
981 if (!peek) {
982 if (!CBS_skip(&rl->rbuf_cbs, n))
983 goto err;
984 }
985
986 if (CBS_len(&rl->rbuf_cbs) == 0)
987 tls13_record_layer_rbuf_free(rl);
988
989 return n;
990
991 err:
992 return TLS13_IO_FAILURE;
993 }
994
995 static ssize_t
tls13_record_layer_peek(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n)996 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type,
997 uint8_t *buf, size_t n)
998 {
999 ssize_t ret;
1000
1001 do {
1002 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1);
1003 } while (ret == TLS13_IO_WANT_RETRY);
1004
1005 if (rl->alert != 0)
1006 return tls13_send_alert(rl, rl->alert);
1007
1008 return ret;
1009 }
1010
1011 static ssize_t
tls13_record_layer_read(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n)1012 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
1013 uint8_t *buf, size_t n)
1014 {
1015 ssize_t ret;
1016
1017 do {
1018 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0);
1019 } while (ret == TLS13_IO_WANT_RETRY);
1020
1021 if (rl->alert != 0)
1022 return tls13_send_alert(rl, rl->alert);
1023
1024 return ret;
1025 }
1026
1027 static ssize_t
tls13_record_layer_write_record(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)1028 tls13_record_layer_write_record(struct tls13_record_layer *rl,
1029 uint8_t content_type, const uint8_t *content, size_t content_len)
1030 {
1031 ssize_t ret;
1032
1033 if (rl->write_closed)
1034 return TLS13_IO_EOF;
1035
1036 /*
1037 * If we pushed out application data while handling other messages,
1038 * we need to return content length on the next call.
1039 */
1040 if (content_type == SSL3_RT_APPLICATION_DATA &&
1041 rl->wrec_appdata_len != 0) {
1042 ret = rl->wrec_appdata_len;
1043 rl->wrec_appdata_len = 0;
1044 return ret;
1045 }
1046
1047 /* See if there is an existing record and attempt to push it out... */
1048 if (rl->wrec != NULL) {
1049 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write,
1050 rl->cb_arg)) <= 0)
1051 return ret;
1052 tls13_record_layer_wrec_free(rl);
1053
1054 if (rl->wrec_content_type == content_type) {
1055 ret = rl->wrec_content_len;
1056 rl->wrec_content_len = 0;
1057 rl->wrec_content_type = 0;
1058 return ret;
1059 }
1060
1061 /*
1062 * The only partial record type should be application data.
1063 * All other cases are handled to completion.
1064 */
1065 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA)
1066 return TLS13_IO_FAILURE;
1067 rl->wrec_appdata_len = rl->wrec_content_len;
1068 }
1069
1070 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1071 goto err;
1072
1073 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len))
1074 goto err;
1075
1076 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0)
1077 return ret;
1078
1079 tls13_record_layer_wrec_free(rl);
1080
1081 return content_len;
1082
1083 err:
1084 return TLS13_IO_FAILURE;
1085 }
1086
1087 static ssize_t
tls13_record_layer_write_chunk(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * buf,size_t n)1088 tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
1089 uint8_t content_type, const uint8_t *buf, size_t n)
1090 {
1091 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1092 n = TLS13_RECORD_MAX_PLAINTEXT_LEN;
1093
1094 return tls13_record_layer_write_record(rl, content_type, buf, n);
1095 }
1096
1097 static ssize_t
tls13_record_layer_write(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * buf,size_t n)1098 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
1099 const uint8_t *buf, size_t n)
1100 {
1101 ssize_t ret;
1102
1103 do {
1104 ret = tls13_record_layer_send_pending(rl);
1105 } while (ret == TLS13_IO_WANT_RETRY);
1106 if (ret != TLS13_IO_SUCCESS)
1107 return ret;
1108
1109 do {
1110 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n);
1111 } while (ret == TLS13_IO_WANT_RETRY);
1112
1113 return ret;
1114 }
1115
1116 static const uint8_t tls13_dummy_ccs[] = { 0x01 };
1117
1118 ssize_t
tls13_send_dummy_ccs(struct tls13_record_layer * rl)1119 tls13_send_dummy_ccs(struct tls13_record_layer *rl)
1120 {
1121 ssize_t ret;
1122
1123 if (rl->ccs_sent)
1124 return TLS13_IO_FAILURE;
1125
1126 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC,
1127 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0)
1128 return ret;
1129
1130 rl->ccs_sent = 1;
1131
1132 return TLS13_IO_SUCCESS;
1133 }
1134
1135 ssize_t
tls13_read_handshake_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1136 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1137 {
1138 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n);
1139 }
1140
1141 ssize_t
tls13_write_handshake_data(struct tls13_record_layer * rl,const uint8_t * buf,size_t n)1142 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
1143 size_t n)
1144 {
1145 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n);
1146 }
1147
1148 ssize_t
tls13_pending_application_data(struct tls13_record_layer * rl)1149 tls13_pending_application_data(struct tls13_record_layer *rl)
1150 {
1151 if (!rl->handshake_completed)
1152 return 0;
1153
1154 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA);
1155 }
1156
1157 ssize_t
tls13_peek_application_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1158 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1159 {
1160 if (!rl->handshake_completed)
1161 return TLS13_IO_FAILURE;
1162
1163 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1164 }
1165
1166 ssize_t
tls13_read_application_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1167 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1168 {
1169 if (!rl->handshake_completed)
1170 return TLS13_IO_FAILURE;
1171
1172 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1173 }
1174
1175 ssize_t
tls13_write_application_data(struct tls13_record_layer * rl,const uint8_t * buf,size_t n)1176 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf,
1177 size_t n)
1178 {
1179 if (!rl->handshake_completed)
1180 return TLS13_IO_FAILURE;
1181
1182 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1183 }
1184
1185 ssize_t
tls13_send_alert(struct tls13_record_layer * rl,uint8_t alert_desc)1186 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc)
1187 {
1188 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL;
1189 ssize_t ret;
1190
1191 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY ||
1192 alert_desc == TLS13_ALERT_USER_CANCELED)
1193 alert_level = TLS13_ALERT_LEVEL_WARNING;
1194
1195 do {
1196 ret = tls13_record_layer_alert(rl, alert_level, alert_desc);
1197 } while (ret == TLS13_IO_WANT_RETRY);
1198
1199 return ret;
1200 }
1201