1 /* $OpenBSD: tls13_record_layer.c,v 1.53.4.1 2021/02/03 07:06:14 tb Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "ssl_locl.h" 19 20 #include "tls13_internal.h" 21 #include "tls13_record.h" 22 23 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 24 uint8_t content_type, const uint8_t *buf, size_t n); 25 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, 26 uint8_t content_type, const uint8_t *content, size_t content_len); 27 28 struct tls13_record_layer { 29 uint16_t legacy_version; 30 31 int ccs_allowed; 32 int ccs_seen; 33 int ccs_sent; 34 int handshake_completed; 35 int legacy_alerts_allowed; 36 int phh; 37 int phh_retry; 38 39 /* 40 * Read and/or write channels are closed due to an alert being 41 * sent or received. In the case of an error alert both channels 42 * are closed, whereas in the case of a close notify only one 43 * channel is closed. 44 */ 45 int read_closed; 46 int write_closed; 47 48 struct tls13_record *rrec; 49 50 struct tls13_record *wrec; 51 uint8_t wrec_content_type; 52 size_t wrec_appdata_len; 53 size_t wrec_content_len; 54 55 /* Alert to be sent on return from current read handler. */ 56 uint8_t alert; 57 58 /* Pending alert messages. */ 59 uint8_t *alert_data; 60 size_t alert_len; 61 uint8_t alert_level; 62 uint8_t alert_desc; 63 64 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ 65 CBS phh_cbs; 66 uint8_t *phh_data; 67 size_t phh_len; 68 69 /* Buffer containing plaintext from opened records. */ 70 uint8_t rbuf_content_type; 71 uint8_t *rbuf; 72 size_t rbuf_len; 73 CBS rbuf_cbs; 74 75 /* Record protection. */ 76 const EVP_MD *hash; 77 const EVP_AEAD *aead; 78 EVP_AEAD_CTX read_aead_ctx; 79 EVP_AEAD_CTX write_aead_ctx; 80 struct tls13_secret read_iv; 81 struct tls13_secret write_iv; 82 struct tls13_secret read_nonce; 83 struct tls13_secret write_nonce; 84 uint8_t read_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 85 uint8_t write_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 86 87 /* Callbacks. */ 88 struct tls13_record_layer_callbacks cb; 89 void *cb_arg; 90 }; 91 92 static void 93 tls13_record_layer_rbuf_free(struct tls13_record_layer *rl) 94 { 95 CBS_init(&rl->rbuf_cbs, NULL, 0); 96 freezero(rl->rbuf, rl->rbuf_len); 97 rl->rbuf = NULL; 98 rl->rbuf_len = 0; 99 rl->rbuf_content_type = 0; 100 } 101 102 static void 103 tls13_record_layer_rrec_free(struct tls13_record_layer *rl) 104 { 105 tls13_record_free(rl->rrec); 106 rl->rrec = NULL; 107 } 108 109 static void 110 tls13_record_layer_wrec_free(struct tls13_record_layer *rl) 111 { 112 tls13_record_free(rl->wrec); 113 rl->wrec = NULL; 114 } 115 116 struct tls13_record_layer * 117 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, 118 void *cb_arg) 119 { 120 struct tls13_record_layer *rl; 121 122 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) 123 return NULL; 124 125 rl->legacy_version = TLS1_2_VERSION; 126 rl->cb = *callbacks; 127 rl->cb_arg = cb_arg; 128 129 return rl; 130 } 131 132 void 133 tls13_record_layer_free(struct tls13_record_layer *rl) 134 { 135 if (rl == NULL) 136 return; 137 138 freezero(rl->alert_data, rl->alert_len); 139 freezero(rl->phh_data, rl->phh_len); 140 141 tls13_record_layer_rbuf_free(rl); 142 143 tls13_record_layer_rrec_free(rl); 144 tls13_record_layer_wrec_free(rl); 145 146 EVP_AEAD_CTX_cleanup(&rl->read_aead_ctx); 147 EVP_AEAD_CTX_cleanup(&rl->write_aead_ctx); 148 149 freezero(rl->read_iv.data, rl->read_iv.len); 150 freezero(rl->write_iv.data, rl->write_iv.len); 151 freezero(rl->read_nonce.data, rl->read_nonce.len); 152 freezero(rl->write_nonce.data, rl->write_nonce.len); 153 154 freezero(rl, sizeof(struct tls13_record_layer)); 155 } 156 157 void 158 tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs) 159 { 160 CBS_dup(&rl->rbuf_cbs, cbs); 161 } 162 163 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { 164 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 165 }; 166 167 int 168 tls13_record_layer_inc_seq_num(uint8_t *seq_num) 169 { 170 int i; 171 172 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ 173 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) 174 return 0; 175 176 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 177 if (++seq_num[i] != 0) 178 break; 179 } 180 181 return 1; 182 } 183 184 static int 185 tls13_record_layer_update_nonce(struct tls13_secret *nonce, 186 struct tls13_secret *iv, uint8_t *seq_num) 187 { 188 ssize_t i, j; 189 190 if (nonce->len != iv->len) 191 return 0; 192 193 /* 194 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd 195 * with the IV to produce a per-record nonce. The IV will also be 196 * at least 8-bytes in length. 197 */ 198 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) 199 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0); 200 201 return 1; 202 } 203 204 void 205 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) 206 { 207 rl->ccs_allowed = allow; 208 } 209 210 void 211 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) 212 { 213 rl->legacy_alerts_allowed = allow; 214 } 215 216 void 217 tls13_record_layer_set_aead(struct tls13_record_layer *rl, 218 const EVP_AEAD *aead) 219 { 220 rl->aead = aead; 221 } 222 223 void 224 tls13_record_layer_set_hash(struct tls13_record_layer *rl, 225 const EVP_MD *hash) 226 { 227 rl->hash = hash; 228 } 229 230 void 231 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, 232 uint16_t version) 233 { 234 rl->legacy_version = version; 235 } 236 237 void 238 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) 239 { 240 rl->handshake_completed = 1; 241 } 242 243 void 244 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) 245 { 246 rl->phh_retry = retry; 247 } 248 249 static ssize_t 250 tls13_record_layer_process_alert(struct tls13_record_layer *rl) 251 { 252 uint8_t alert_level, alert_desc; 253 ssize_t ret = TLS13_IO_FAILURE; 254 255 /* 256 * RFC 8446 - sections 5.1 and 6. 257 * 258 * A TLSv1.3 alert record can only contain a single alert - this means 259 * that processing the alert must consume all of the record. The alert 260 * will result in one of three things - continuation (user_cancelled), 261 * read channel closure (close_notify) or termination (all others). 262 */ 263 if (rl->rbuf == NULL) 264 return TLS13_IO_FAILURE; 265 266 if (rl->rbuf_content_type != SSL3_RT_ALERT) 267 return TLS13_IO_FAILURE; 268 269 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_level)) 270 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 271 272 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_desc)) 273 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 274 275 if (CBS_len(&rl->rbuf_cbs) != 0) 276 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 277 278 tls13_record_layer_rbuf_free(rl); 279 280 /* 281 * Alert level is ignored for closure alerts (RFC 8446 section 6.1), 282 * however for error alerts (RFC 8446 section 6.2), the alert level 283 * must be specified as fatal. 284 */ 285 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 286 rl->read_closed = 1; 287 ret = TLS13_IO_EOF; 288 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { 289 /* Ignored at the record layer. */ 290 ret = TLS13_IO_WANT_RETRY; 291 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { 292 rl->read_closed = 1; 293 rl->write_closed = 1; 294 ret = TLS13_IO_ALERT; 295 } else if (rl->legacy_alerts_allowed && 296 alert_level == TLS13_ALERT_LEVEL_WARNING) { 297 /* Ignored and not passed to the callback. */ 298 return TLS13_IO_WANT_RETRY; 299 } else { 300 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 301 } 302 303 rl->cb.alert_recv(alert_desc, rl->cb_arg); 304 305 return ret; 306 } 307 308 static ssize_t 309 tls13_record_layer_send_alert(struct tls13_record_layer *rl) 310 { 311 ssize_t ret; 312 313 /* This has to fit into a single record, per RFC 8446 section 5.1. */ 314 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, 315 rl->alert_data, rl->alert_len)) != rl->alert_len) { 316 if (ret == TLS13_IO_EOF) 317 ret = TLS13_IO_ALERT; 318 return ret; 319 } 320 321 freezero(rl->alert_data, rl->alert_len); 322 rl->alert_data = NULL; 323 rl->alert_len = 0; 324 325 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 326 rl->write_closed = 1; 327 ret = TLS13_IO_SUCCESS; 328 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { 329 /* Ignored at the record layer. */ 330 ret = TLS13_IO_SUCCESS; 331 } else { 332 rl->read_closed = 1; 333 rl->write_closed = 1; 334 ret = TLS13_IO_ALERT; 335 } 336 337 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg); 338 339 return ret; 340 } 341 342 static ssize_t 343 tls13_record_layer_send_phh(struct tls13_record_layer *rl) 344 { 345 ssize_t ret; 346 347 /* Push out pending post-handshake handshake messages. */ 348 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, 349 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) 350 return ret; 351 if (!CBS_skip(&rl->phh_cbs, ret)) 352 return TLS13_IO_FAILURE; 353 if (CBS_len(&rl->phh_cbs) != 0) 354 return TLS13_IO_WANT_RETRY; 355 356 freezero(rl->phh_data, rl->phh_len); 357 rl->phh_data = NULL; 358 rl->phh_len = 0; 359 360 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 361 362 rl->cb.phh_sent(rl->cb_arg); 363 364 return TLS13_IO_SUCCESS; 365 } 366 367 ssize_t 368 tls13_record_layer_send_pending(struct tls13_record_layer *rl) 369 { 370 /* 371 * If an alert is pending, then it needs to be sent. However, 372 * if we're already part of the way through sending post-handshake 373 * handshake messages, then we need to finish that first... 374 */ 375 376 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) 377 return tls13_record_layer_send_phh(rl); 378 379 if (rl->alert_data != NULL) 380 return tls13_record_layer_send_alert(rl); 381 382 if (rl->phh_data != NULL) 383 return tls13_record_layer_send_phh(rl); 384 385 return TLS13_IO_SUCCESS; 386 } 387 388 static ssize_t 389 tls13_record_layer_alert(struct tls13_record_layer *rl, 390 uint8_t alert_level, uint8_t alert_desc) 391 { 392 CBB cbb; 393 394 if (rl->alert_data != NULL) 395 return TLS13_IO_FAILURE; 396 397 if (!CBB_init(&cbb, 0)) 398 goto err; 399 400 if (!CBB_add_u8(&cbb, alert_level)) 401 goto err; 402 if (!CBB_add_u8(&cbb, alert_desc)) 403 goto err; 404 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) 405 goto err; 406 407 rl->alert_level = alert_level; 408 rl->alert_desc = alert_desc; 409 410 return tls13_record_layer_send_pending(rl); 411 412 err: 413 CBB_cleanup(&cbb); 414 415 return TLS13_IO_FAILURE; 416 } 417 418 ssize_t 419 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) 420 { 421 if (rl->phh_data != NULL) 422 return TLS13_IO_FAILURE; 423 424 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) 425 return TLS13_IO_FAILURE; 426 427 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 428 429 return tls13_record_layer_send_pending(rl); 430 } 431 432 static int 433 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, EVP_AEAD_CTX *aead_ctx, 434 const EVP_MD *hash, struct tls13_secret *iv, struct tls13_secret *nonce, 435 struct tls13_secret *traffic_key) 436 { 437 struct tls13_secret context = { .data = "", .len = 0 }; 438 struct tls13_secret key = { .data = NULL, .len = 0 }; 439 int ret = 0; 440 441 EVP_AEAD_CTX_cleanup(aead_ctx); 442 443 freezero(iv->data, iv->len); 444 iv->data = NULL; 445 iv->len = 0; 446 447 freezero(nonce->data, nonce->len); 448 nonce->data = NULL; 449 nonce->len = 0; 450 451 if ((iv->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) 452 goto err; 453 iv->len = EVP_AEAD_nonce_length(aead); 454 455 if ((nonce->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) 456 goto err; 457 nonce->len = EVP_AEAD_nonce_length(aead); 458 459 if ((key.data = calloc(1, EVP_AEAD_key_length(aead))) == NULL) 460 goto err; 461 key.len = EVP_AEAD_key_length(aead); 462 463 if (!tls13_hkdf_expand_label(iv, hash, traffic_key, "iv", &context)) 464 goto err; 465 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) 466 goto err; 467 468 if (!EVP_AEAD_CTX_init(aead_ctx, aead, key.data, key.len, 469 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 470 goto err; 471 472 ret = 1; 473 474 err: 475 freezero(key.data, key.len); 476 477 return ret; 478 } 479 480 int 481 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 482 struct tls13_secret *read_key) 483 { 484 memset(rl->read_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); 485 486 return tls13_record_layer_set_traffic_key(rl->aead, &rl->read_aead_ctx, 487 rl->hash, &rl->read_iv, &rl->read_nonce, read_key); 488 } 489 490 int 491 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 492 struct tls13_secret *write_key) 493 { 494 memset(rl->write_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); 495 496 return tls13_record_layer_set_traffic_key(rl->aead, &rl->write_aead_ctx, 497 rl->hash, &rl->write_iv, &rl->write_nonce, write_key); 498 } 499 500 static int 501 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) 502 { 503 CBS cbs; 504 505 if (rl->aead != NULL) 506 return 0; 507 508 /* 509 * We're still operating in plaintext mode, so just copy the 510 * content from the record to the plaintext buffer. 511 */ 512 if (!tls13_record_content(rl->rrec, &cbs)) 513 return 0; 514 515 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 516 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 517 return 0; 518 } 519 520 tls13_record_layer_rbuf_free(rl); 521 522 if (!CBS_stow(&cbs, &rl->rbuf, &rl->rbuf_len)) 523 return 0; 524 525 rl->rbuf_content_type = tls13_record_content_type(rl->rrec); 526 527 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 528 529 return 1; 530 } 531 532 static int 533 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) 534 { 535 CBS header, enc_record; 536 ssize_t inner_len; 537 uint8_t *content = NULL; 538 size_t content_len = 0; 539 uint8_t content_type; 540 size_t out_len; 541 542 if (rl->aead == NULL) 543 goto err; 544 545 if (!tls13_record_header(rl->rrec, &header)) 546 goto err; 547 if (!tls13_record_content(rl->rrec, &enc_record)) 548 goto err; 549 550 if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 551 goto err; 552 content_len = CBS_len(&enc_record); 553 554 if (!tls13_record_layer_update_nonce(&rl->read_nonce, &rl->read_iv, 555 rl->read_seq_num)) 556 goto err; 557 558 if (!EVP_AEAD_CTX_open(&rl->read_aead_ctx, 559 content, &out_len, content_len, 560 rl->read_nonce.data, rl->read_nonce.len, 561 CBS_data(&enc_record), CBS_len(&enc_record), 562 CBS_data(&header), CBS_len(&header))) 563 goto err; 564 565 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { 566 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 567 goto err; 568 } 569 570 if (!tls13_record_layer_inc_seq_num(rl->read_seq_num)) 571 goto err; 572 573 /* 574 * The real content type is hidden at the end of the record content and 575 * it may be followed by padding that consists of one or more zeroes. 576 * Time to hunt for that elusive content type! 577 */ 578 /* XXX - CBS from end? CBS_get_end_u8()? */ 579 inner_len = out_len - 1; 580 while (inner_len >= 0 && content[inner_len] == 0) 581 inner_len--; 582 if (inner_len < 0) { 583 /* Unexpected message per RFC 8446 section 5.4. */ 584 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; 585 goto err; 586 } 587 if (inner_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 588 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 589 goto err; 590 } 591 content_type = content[inner_len]; 592 593 tls13_record_layer_rbuf_free(rl); 594 595 rl->rbuf_content_type = content_type; 596 rl->rbuf = content; 597 rl->rbuf_len = inner_len; 598 599 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 600 601 return 1; 602 603 err: 604 freezero(content, content_len); 605 606 return 0; 607 } 608 609 static int 610 tls13_record_layer_open_record(struct tls13_record_layer *rl) 611 { 612 if (rl->handshake_completed && rl->aead == NULL) 613 return 0; 614 615 if (rl->aead == NULL) 616 return tls13_record_layer_open_record_plaintext(rl); 617 618 return tls13_record_layer_open_record_protected(rl); 619 } 620 621 static int 622 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, 623 uint8_t content_type, const uint8_t *content, size_t content_len) 624 { 625 uint8_t *data = NULL; 626 size_t data_len = 0; 627 CBB cbb, body; 628 629 /* 630 * Allow dummy CCS messages to be sent in plaintext even when 631 * record protection has been engaged, as long as the handshake 632 * has not yet completed. 633 */ 634 if (rl->handshake_completed) 635 return 0; 636 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) 637 return 0; 638 639 /* 640 * We're still operating in plaintext mode, so just copy the 641 * content into the record. 642 */ 643 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) 644 goto err; 645 646 if (!CBB_add_u8(&cbb, content_type)) 647 goto err; 648 if (!CBB_add_u16(&cbb, rl->legacy_version)) 649 goto err; 650 if (!CBB_add_u16_length_prefixed(&cbb, &body)) 651 goto err; 652 if (!CBB_add_bytes(&body, content, content_len)) 653 goto err; 654 655 if (!CBB_finish(&cbb, &data, &data_len)) 656 goto err; 657 658 if (!tls13_record_set_data(rl->wrec, data, data_len)) 659 goto err; 660 661 rl->wrec_content_len = content_len; 662 rl->wrec_content_type = content_type; 663 664 return 1; 665 666 err: 667 CBB_cleanup(&cbb); 668 freezero(data, data_len); 669 670 return 0; 671 } 672 673 static int 674 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, 675 uint8_t content_type, const uint8_t *content, size_t content_len) 676 { 677 uint8_t *data = NULL, *header = NULL, *inner = NULL; 678 size_t data_len = 0, header_len = 0, inner_len = 0; 679 uint8_t *enc_record; 680 size_t enc_record_len; 681 ssize_t ret = 0; 682 size_t out_len; 683 CBB cbb; 684 685 if (rl->aead == NULL) 686 return 0; 687 688 memset(&cbb, 0, sizeof(cbb)); 689 690 /* Build inner plaintext. */ 691 if (!CBB_init(&cbb, content_len + 1)) 692 goto err; 693 if (!CBB_add_bytes(&cbb, content, content_len)) 694 goto err; 695 if (!CBB_add_u8(&cbb, content_type)) 696 goto err; 697 /* XXX - padding? */ 698 if (!CBB_finish(&cbb, &inner, &inner_len)) 699 goto err; 700 701 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) 702 goto err; 703 704 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 705 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); 706 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) 707 goto err; 708 709 /* Build the record header. */ 710 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) 711 goto err; 712 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) 713 goto err; 714 if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 715 goto err; 716 if (!CBB_add_u16(&cbb, enc_record_len)) 717 goto err; 718 if (!CBB_finish(&cbb, &header, &header_len)) 719 goto err; 720 721 /* Build the actual record. */ 722 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) 723 goto err; 724 if (!CBB_add_bytes(&cbb, header, header_len)) 725 goto err; 726 if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) 727 goto err; 728 if (!CBB_finish(&cbb, &data, &data_len)) 729 goto err; 730 731 if (!tls13_record_layer_update_nonce(&rl->write_nonce, 732 &rl->write_iv, rl->write_seq_num)) 733 goto err; 734 735 /* 736 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec... 737 * this would avoid a copy since the inner would be passed as two 738 * separate pieces. 739 */ 740 if (!EVP_AEAD_CTX_seal(&rl->write_aead_ctx, 741 enc_record, &out_len, enc_record_len, 742 rl->write_nonce.data, rl->write_nonce.len, 743 inner, inner_len, header, header_len)) 744 goto err; 745 746 if (out_len != enc_record_len) 747 goto err; 748 749 if (!tls13_record_layer_inc_seq_num(rl->write_seq_num)) 750 goto err; 751 752 if (!tls13_record_set_data(rl->wrec, data, data_len)) 753 goto err; 754 755 rl->wrec_content_len = content_len; 756 rl->wrec_content_type = content_type; 757 758 data = NULL; 759 data_len = 0; 760 761 ret = 1; 762 763 err: 764 CBB_cleanup(&cbb); 765 766 freezero(data, data_len); 767 freezero(header, header_len); 768 freezero(inner, inner_len); 769 770 return ret; 771 } 772 773 static int 774 tls13_record_layer_seal_record(struct tls13_record_layer *rl, 775 uint8_t content_type, const uint8_t *content, size_t content_len) 776 { 777 if (rl->handshake_completed && rl->aead == NULL) 778 return 0; 779 780 tls13_record_layer_wrec_free(rl); 781 782 if ((rl->wrec = tls13_record_new()) == NULL) 783 return 0; 784 785 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) 786 return tls13_record_layer_seal_record_plaintext(rl, 787 content_type, content, content_len); 788 789 return tls13_record_layer_seal_record_protected(rl, content_type, 790 content, content_len); 791 } 792 793 static ssize_t 794 tls13_record_layer_read_record(struct tls13_record_layer *rl) 795 { 796 uint8_t content_type, ccs; 797 ssize_t ret; 798 CBS cbs; 799 800 if (rl->rrec == NULL) { 801 if ((rl->rrec = tls13_record_new()) == NULL) 802 goto err; 803 } 804 805 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { 806 switch (ret) { 807 case TLS13_IO_RECORD_VERSION: 808 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 809 case TLS13_IO_RECORD_OVERFLOW: 810 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); 811 } 812 return ret; 813 } 814 815 if (rl->legacy_version == TLS1_2_VERSION && 816 tls13_record_version(rl->rrec) != TLS1_2_VERSION) 817 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 818 819 content_type = tls13_record_content_type(rl->rrec); 820 821 /* 822 * Bag of hacks ahead... after the first ClientHello message has been 823 * sent or received and before the peer's Finished message has been 824 * received, we may receive an unencrypted ChangeCipherSpec record 825 * (see RFC 8446 section 5 and appendix D.4). This record must be 826 * ignored. 827 */ 828 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 829 if (!rl->ccs_allowed || rl->ccs_seen >= 2) 830 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 831 if (!tls13_record_content(rl->rrec, &cbs)) 832 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 833 if (!CBS_get_u8(&cbs, &ccs)) 834 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 835 if (ccs != 1) 836 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 837 rl->ccs_seen++; 838 tls13_record_layer_rrec_free(rl); 839 return TLS13_IO_WANT_RETRY; 840 } 841 842 /* 843 * Once record protection is engaged, we should only receive 844 * protected application data messages (aside from the 845 * dummy ChangeCipherSpec messages, handled above). 846 */ 847 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) 848 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 849 850 if (!tls13_record_layer_open_record(rl)) 851 goto err; 852 853 tls13_record_layer_rrec_free(rl); 854 855 /* 856 * On receiving a handshake or alert record with empty inner plaintext, 857 * we must terminate the connection with an unexpected_message alert. 858 * See RFC 8446 section 5.4. 859 */ 860 if (CBS_len(&rl->rbuf_cbs) == 0 && 861 (rl->rbuf_content_type == SSL3_RT_ALERT || 862 rl->rbuf_content_type == SSL3_RT_HANDSHAKE)) 863 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 864 865 switch (rl->rbuf_content_type) { 866 case SSL3_RT_ALERT: 867 return tls13_record_layer_process_alert(rl); 868 869 case SSL3_RT_HANDSHAKE: 870 break; 871 872 case SSL3_RT_APPLICATION_DATA: 873 if (!rl->handshake_completed) 874 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 875 break; 876 877 default: 878 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 879 } 880 881 return TLS13_IO_SUCCESS; 882 883 err: 884 return TLS13_IO_FAILURE; 885 } 886 887 static ssize_t 888 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) 889 { 890 if (rl->rbuf_content_type != content_type) 891 return 0; 892 893 return CBS_len(&rl->rbuf_cbs); 894 } 895 896 static ssize_t 897 tls13_record_layer_recv_phh(struct tls13_record_layer *rl) 898 { 899 ssize_t ret = TLS13_IO_FAILURE; 900 901 rl->phh = 1; 902 903 /* 904 * The post handshake handshake receive callback is allowed to return: 905 * 906 * TLS13_IO_WANT_POLLIN need more handshake data. 907 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued. 908 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do. 909 * TLS13_IO_FAILURE something broke. 910 */ 911 if (rl->cb.phh_recv != NULL) 912 ret = rl->cb.phh_recv(rl->cb_arg, &rl->rbuf_cbs); 913 914 tls13_record_layer_rbuf_free(rl); 915 916 /* Leave post handshake handshake mode unless we need more data. */ 917 if (ret != TLS13_IO_WANT_POLLIN) 918 rl->phh = 0; 919 920 if (ret == TLS13_IO_SUCCESS) { 921 if (rl->phh_retry) 922 return TLS13_IO_WANT_RETRY; 923 924 return TLS13_IO_WANT_POLLIN; 925 } 926 927 return ret; 928 } 929 930 static ssize_t 931 tls13_record_layer_read_internal(struct tls13_record_layer *rl, 932 uint8_t content_type, uint8_t *buf, size_t n, int peek) 933 { 934 ssize_t ret; 935 936 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) 937 return ret; 938 939 if (rl->read_closed) 940 return TLS13_IO_EOF; 941 942 /* If necessary, pull up the next record. */ 943 if (CBS_len(&rl->rbuf_cbs) == 0) { 944 if ((ret = tls13_record_layer_read_record(rl)) <= 0) 945 return ret; 946 947 /* 948 * We may have read a valid 0-byte application data record, 949 * in which case we need to read the next record. 950 */ 951 if (CBS_len(&rl->rbuf_cbs) == 0) { 952 tls13_record_layer_rbuf_free(rl); 953 return TLS13_IO_WANT_POLLIN; 954 } 955 } 956 957 /* 958 * If we are in post handshake handshake mode, we must not see 959 * any record type that isn't a handshake until we are done. 960 */ 961 if (rl->phh && rl->rbuf_content_type != SSL3_RT_HANDSHAKE) 962 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 963 964 /* 965 * Handshake content can appear as post-handshake messages (yup, 966 * the RFC reused the same content type...), which means we can 967 * be trying to read application data and need to handle a 968 * post-handshake handshake message instead... 969 */ 970 if (rl->rbuf_content_type != content_type) { 971 if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) { 972 if (rl->handshake_completed) 973 return tls13_record_layer_recv_phh(rl); 974 } 975 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 976 } 977 978 if (n > CBS_len(&rl->rbuf_cbs)) 979 n = CBS_len(&rl->rbuf_cbs); 980 981 /* XXX - CBS_memcpy? CBS_copy_bytes? */ 982 memcpy(buf, CBS_data(&rl->rbuf_cbs), n); 983 984 if (!peek) { 985 if (!CBS_skip(&rl->rbuf_cbs, n)) 986 goto err; 987 } 988 989 if (CBS_len(&rl->rbuf_cbs) == 0) 990 tls13_record_layer_rbuf_free(rl); 991 992 return n; 993 994 err: 995 return TLS13_IO_FAILURE; 996 } 997 998 static ssize_t 999 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, 1000 uint8_t *buf, size_t n) 1001 { 1002 ssize_t ret; 1003 1004 do { 1005 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); 1006 } while (ret == TLS13_IO_WANT_RETRY); 1007 1008 if (rl->alert != 0) 1009 return tls13_send_alert(rl, rl->alert); 1010 1011 return ret; 1012 } 1013 1014 static ssize_t 1015 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, 1016 uint8_t *buf, size_t n) 1017 { 1018 ssize_t ret; 1019 1020 do { 1021 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); 1022 } while (ret == TLS13_IO_WANT_RETRY); 1023 1024 if (rl->alert != 0) 1025 return tls13_send_alert(rl, rl->alert); 1026 1027 return ret; 1028 } 1029 1030 static ssize_t 1031 tls13_record_layer_write_record(struct tls13_record_layer *rl, 1032 uint8_t content_type, const uint8_t *content, size_t content_len) 1033 { 1034 ssize_t ret; 1035 1036 if (rl->write_closed) 1037 return TLS13_IO_EOF; 1038 1039 /* 1040 * If we pushed out application data while handling other messages, 1041 * we need to return content length on the next call. 1042 */ 1043 if (content_type == SSL3_RT_APPLICATION_DATA && 1044 rl->wrec_appdata_len != 0) { 1045 ret = rl->wrec_appdata_len; 1046 rl->wrec_appdata_len = 0; 1047 return ret; 1048 } 1049 1050 /* See if there is an existing record and attempt to push it out... */ 1051 if (rl->wrec != NULL) { 1052 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, 1053 rl->cb_arg)) <= 0) 1054 return ret; 1055 tls13_record_layer_wrec_free(rl); 1056 1057 if (rl->wrec_content_type == content_type) { 1058 ret = rl->wrec_content_len; 1059 rl->wrec_content_len = 0; 1060 rl->wrec_content_type = 0; 1061 return ret; 1062 } 1063 1064 /* 1065 * The only partial record type should be application data. 1066 * All other cases are handled to completion. 1067 */ 1068 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) 1069 return TLS13_IO_FAILURE; 1070 rl->wrec_appdata_len = rl->wrec_content_len; 1071 } 1072 1073 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1074 goto err; 1075 1076 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) 1077 goto err; 1078 1079 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) 1080 return ret; 1081 1082 tls13_record_layer_wrec_free(rl); 1083 1084 return content_len; 1085 1086 err: 1087 return TLS13_IO_FAILURE; 1088 } 1089 1090 static ssize_t 1091 tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 1092 uint8_t content_type, const uint8_t *buf, size_t n) 1093 { 1094 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1095 n = TLS13_RECORD_MAX_PLAINTEXT_LEN; 1096 1097 return tls13_record_layer_write_record(rl, content_type, buf, n); 1098 } 1099 1100 static ssize_t 1101 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, 1102 const uint8_t *buf, size_t n) 1103 { 1104 ssize_t ret; 1105 1106 do { 1107 ret = tls13_record_layer_send_pending(rl); 1108 } while (ret == TLS13_IO_WANT_RETRY); 1109 if (ret != TLS13_IO_SUCCESS) 1110 return ret; 1111 1112 do { 1113 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); 1114 } while (ret == TLS13_IO_WANT_RETRY); 1115 1116 return ret; 1117 } 1118 1119 static const uint8_t tls13_dummy_ccs[] = { 0x01 }; 1120 1121 ssize_t 1122 tls13_send_dummy_ccs(struct tls13_record_layer *rl) 1123 { 1124 ssize_t ret; 1125 1126 if (rl->ccs_sent) 1127 return TLS13_IO_FAILURE; 1128 1129 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, 1130 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) 1131 return ret; 1132 1133 rl->ccs_sent = 1; 1134 1135 return TLS13_IO_SUCCESS; 1136 } 1137 1138 ssize_t 1139 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1140 { 1141 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); 1142 } 1143 1144 ssize_t 1145 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 1146 size_t n) 1147 { 1148 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); 1149 } 1150 1151 ssize_t 1152 tls13_pending_application_data(struct tls13_record_layer *rl) 1153 { 1154 if (!rl->handshake_completed) 1155 return 0; 1156 1157 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); 1158 } 1159 1160 ssize_t 1161 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1162 { 1163 if (!rl->handshake_completed) 1164 return TLS13_IO_FAILURE; 1165 1166 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1167 } 1168 1169 ssize_t 1170 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1171 { 1172 if (!rl->handshake_completed) 1173 return TLS13_IO_FAILURE; 1174 1175 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1176 } 1177 1178 ssize_t 1179 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 1180 size_t n) 1181 { 1182 if (!rl->handshake_completed) 1183 return TLS13_IO_FAILURE; 1184 1185 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1186 } 1187 1188 ssize_t 1189 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) 1190 { 1191 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; 1192 ssize_t ret; 1193 1194 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || 1195 alert_desc == TLS13_ALERT_USER_CANCELED) 1196 alert_level = TLS13_ALERT_LEVEL_WARNING; 1197 1198 do { 1199 ret = tls13_record_layer_alert(rl, alert_level, alert_desc); 1200 } while (ret == TLS13_IO_WANT_RETRY); 1201 1202 return ret; 1203 } 1204