1 /* $OpenBSD: tls13_record_layer.c,v 1.71 2022/09/11 13:50:41 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "tls13_internal.h" 19 #include "tls13_record.h" 20 #include "tls_content.h" 21 22 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 23 uint8_t content_type, const uint8_t *buf, size_t n); 24 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, 25 uint8_t content_type, const uint8_t *content, size_t content_len); 26 27 struct tls13_record_protection { 28 EVP_AEAD_CTX *aead_ctx; 29 struct tls13_secret iv; 30 struct tls13_secret nonce; 31 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 32 }; 33 34 struct tls13_record_protection * 35 tls13_record_protection_new(void) 36 { 37 return calloc(1, sizeof(struct tls13_record_protection)); 38 } 39 40 void 41 tls13_record_protection_clear(struct tls13_record_protection *rp) 42 { 43 EVP_AEAD_CTX_free(rp->aead_ctx); 44 45 tls13_secret_cleanup(&rp->iv); 46 tls13_secret_cleanup(&rp->nonce); 47 48 memset(rp, 0, sizeof(*rp)); 49 } 50 51 void 52 tls13_record_protection_free(struct tls13_record_protection *rp) 53 { 54 if (rp == NULL) 55 return; 56 57 tls13_record_protection_clear(rp); 58 59 freezero(rp, sizeof(struct tls13_record_protection)); 60 } 61 62 struct tls13_record_layer { 63 uint16_t legacy_version; 64 65 int ccs_allowed; 66 int ccs_seen; 67 int ccs_sent; 68 int handshake_completed; 69 int legacy_alerts_allowed; 70 int phh; 71 int phh_retry; 72 73 /* 74 * Read and/or write channels are closed due to an alert being 75 * sent or received. In the case of an error alert both channels 76 * are closed, whereas in the case of a close notify only one 77 * channel is closed. 78 */ 79 int read_closed; 80 int write_closed; 81 82 struct tls13_record *rrec; 83 84 struct tls13_record *wrec; 85 uint8_t wrec_content_type; 86 size_t wrec_appdata_len; 87 size_t wrec_content_len; 88 89 /* Alert to be sent on return from current read handler. */ 90 uint8_t alert; 91 92 /* Pending alert messages. */ 93 uint8_t *alert_data; 94 size_t alert_len; 95 uint8_t alert_level; 96 uint8_t alert_desc; 97 98 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ 99 CBS phh_cbs; 100 uint8_t *phh_data; 101 size_t phh_len; 102 103 /* Content from opened records. */ 104 struct tls_content *rcontent; 105 106 /* Record protection. */ 107 const EVP_MD *hash; 108 const EVP_AEAD *aead; 109 struct tls13_record_protection *read; 110 struct tls13_record_protection *write; 111 112 /* Callbacks. */ 113 struct tls13_record_layer_callbacks cb; 114 void *cb_arg; 115 }; 116 117 static void 118 tls13_record_layer_rrec_free(struct tls13_record_layer *rl) 119 { 120 tls13_record_free(rl->rrec); 121 rl->rrec = NULL; 122 } 123 124 static void 125 tls13_record_layer_wrec_free(struct tls13_record_layer *rl) 126 { 127 tls13_record_free(rl->wrec); 128 rl->wrec = NULL; 129 } 130 131 struct tls13_record_layer * 132 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, 133 void *cb_arg) 134 { 135 struct tls13_record_layer *rl; 136 137 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) 138 goto err; 139 140 if ((rl->rcontent = tls_content_new()) == NULL) 141 goto err; 142 143 if ((rl->read = tls13_record_protection_new()) == NULL) 144 goto err; 145 if ((rl->write = tls13_record_protection_new()) == NULL) 146 goto err; 147 148 rl->legacy_version = TLS1_2_VERSION; 149 150 tls13_record_layer_set_callbacks(rl, callbacks, cb_arg); 151 152 return rl; 153 154 err: 155 tls13_record_layer_free(rl); 156 157 return NULL; 158 } 159 160 void 161 tls13_record_layer_free(struct tls13_record_layer *rl) 162 { 163 if (rl == NULL) 164 return; 165 166 tls13_record_layer_rrec_free(rl); 167 tls13_record_layer_wrec_free(rl); 168 169 freezero(rl->alert_data, rl->alert_len); 170 freezero(rl->phh_data, rl->phh_len); 171 172 tls_content_free(rl->rcontent); 173 174 tls13_record_protection_free(rl->read); 175 tls13_record_protection_free(rl->write); 176 177 freezero(rl, sizeof(struct tls13_record_layer)); 178 } 179 180 void 181 tls13_record_layer_set_callbacks(struct tls13_record_layer *rl, 182 const struct tls13_record_layer_callbacks *callbacks, void *cb_arg) 183 { 184 rl->cb = *callbacks; 185 rl->cb_arg = cb_arg; 186 } 187 188 void 189 tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs) 190 { 191 CBS_dup(tls_content_cbs(rl->rcontent), cbs); 192 } 193 194 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { 195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 196 }; 197 198 int 199 tls13_record_layer_inc_seq_num(uint8_t *seq_num) 200 { 201 int i; 202 203 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ 204 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) 205 return 0; 206 207 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 208 if (++seq_num[i] != 0) 209 break; 210 } 211 212 return 1; 213 } 214 215 static int 216 tls13_record_layer_update_nonce(struct tls13_secret *nonce, 217 struct tls13_secret *iv, uint8_t *seq_num) 218 { 219 ssize_t i, j; 220 221 if (nonce->len != iv->len) 222 return 0; 223 224 /* 225 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd 226 * with the IV to produce a per-record nonce. The IV will also be 227 * at least 8-bytes in length. 228 */ 229 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) 230 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0); 231 232 return 1; 233 } 234 235 void 236 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) 237 { 238 rl->ccs_allowed = allow; 239 } 240 241 void 242 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) 243 { 244 rl->legacy_alerts_allowed = allow; 245 } 246 247 void 248 tls13_record_layer_set_aead(struct tls13_record_layer *rl, 249 const EVP_AEAD *aead) 250 { 251 rl->aead = aead; 252 } 253 254 void 255 tls13_record_layer_set_hash(struct tls13_record_layer *rl, 256 const EVP_MD *hash) 257 { 258 rl->hash = hash; 259 } 260 261 void 262 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, 263 uint16_t version) 264 { 265 rl->legacy_version = version; 266 } 267 268 void 269 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) 270 { 271 rl->handshake_completed = 1; 272 } 273 274 void 275 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) 276 { 277 rl->phh_retry = retry; 278 } 279 280 static ssize_t 281 tls13_record_layer_process_alert(struct tls13_record_layer *rl) 282 { 283 uint8_t alert_level, alert_desc; 284 ssize_t ret = TLS13_IO_FAILURE; 285 286 /* 287 * RFC 8446 - sections 5.1 and 6. 288 * 289 * A TLSv1.3 alert record can only contain a single alert - this means 290 * that processing the alert must consume all of the record. The alert 291 * will result in one of three things - continuation (user_cancelled), 292 * read channel closure (close_notify) or termination (all others). 293 */ 294 if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT) 295 return TLS13_IO_FAILURE; 296 297 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level)) 298 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 299 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc)) 300 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 301 302 if (tls_content_remaining(rl->rcontent) != 0) 303 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 304 305 tls_content_clear(rl->rcontent); 306 307 /* 308 * Alert level is ignored for closure alerts (RFC 8446 section 6.1), 309 * however for error alerts (RFC 8446 section 6.2), the alert level 310 * must be specified as fatal. 311 */ 312 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 313 rl->read_closed = 1; 314 ret = TLS13_IO_EOF; 315 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { 316 /* Ignored at the record layer. */ 317 ret = TLS13_IO_WANT_RETRY; 318 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { 319 rl->read_closed = 1; 320 rl->write_closed = 1; 321 ret = TLS13_IO_ALERT; 322 } else if (rl->legacy_alerts_allowed && 323 alert_level == TLS13_ALERT_LEVEL_WARNING) { 324 /* Ignored and not passed to the callback. */ 325 return TLS13_IO_WANT_RETRY; 326 } else { 327 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 328 } 329 330 rl->cb.alert_recv(alert_desc, rl->cb_arg); 331 332 return ret; 333 } 334 335 static ssize_t 336 tls13_record_layer_send_alert(struct tls13_record_layer *rl) 337 { 338 ssize_t ret; 339 340 /* This has to fit into a single record, per RFC 8446 section 5.1. */ 341 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, 342 rl->alert_data, rl->alert_len)) != rl->alert_len) { 343 if (ret == TLS13_IO_EOF) 344 ret = TLS13_IO_ALERT; 345 return ret; 346 } 347 348 freezero(rl->alert_data, rl->alert_len); 349 rl->alert_data = NULL; 350 rl->alert_len = 0; 351 352 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 353 rl->write_closed = 1; 354 ret = TLS13_IO_SUCCESS; 355 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { 356 /* Ignored at the record layer. */ 357 ret = TLS13_IO_SUCCESS; 358 } else { 359 rl->read_closed = 1; 360 rl->write_closed = 1; 361 ret = TLS13_IO_ALERT; 362 } 363 364 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg); 365 366 return ret; 367 } 368 369 static ssize_t 370 tls13_record_layer_send_phh(struct tls13_record_layer *rl) 371 { 372 ssize_t ret; 373 374 /* Push out pending post-handshake handshake messages. */ 375 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, 376 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) 377 return ret; 378 if (!CBS_skip(&rl->phh_cbs, ret)) 379 return TLS13_IO_FAILURE; 380 if (CBS_len(&rl->phh_cbs) != 0) 381 return TLS13_IO_WANT_RETRY; 382 383 freezero(rl->phh_data, rl->phh_len); 384 rl->phh_data = NULL; 385 rl->phh_len = 0; 386 387 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 388 389 rl->cb.phh_sent(rl->cb_arg); 390 391 return TLS13_IO_SUCCESS; 392 } 393 394 ssize_t 395 tls13_record_layer_send_pending(struct tls13_record_layer *rl) 396 { 397 /* 398 * If an alert is pending, then it needs to be sent. However, 399 * if we're already part of the way through sending post-handshake 400 * handshake messages, then we need to finish that first... 401 */ 402 403 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) 404 return tls13_record_layer_send_phh(rl); 405 406 if (rl->alert_data != NULL) 407 return tls13_record_layer_send_alert(rl); 408 409 if (rl->phh_data != NULL) 410 return tls13_record_layer_send_phh(rl); 411 412 return TLS13_IO_SUCCESS; 413 } 414 415 static ssize_t 416 tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl, 417 uint8_t alert_level, uint8_t alert_desc) 418 { 419 CBB cbb; 420 421 if (rl->alert_data != NULL) 422 return TLS13_IO_FAILURE; 423 424 if (!CBB_init(&cbb, 0)) 425 goto err; 426 427 if (!CBB_add_u8(&cbb, alert_level)) 428 goto err; 429 if (!CBB_add_u8(&cbb, alert_desc)) 430 goto err; 431 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) 432 goto err; 433 434 rl->alert_level = alert_level; 435 rl->alert_desc = alert_desc; 436 437 return tls13_record_layer_send_pending(rl); 438 439 err: 440 CBB_cleanup(&cbb); 441 442 return TLS13_IO_FAILURE; 443 } 444 445 ssize_t 446 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) 447 { 448 if (rl->phh_data != NULL) 449 return TLS13_IO_FAILURE; 450 451 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) 452 return TLS13_IO_FAILURE; 453 454 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 455 456 return tls13_record_layer_send_pending(rl); 457 } 458 459 static int 460 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash, 461 struct tls13_record_protection *rp, struct tls13_secret *traffic_key) 462 { 463 struct tls13_secret context = { .data = "", .len = 0 }; 464 struct tls13_secret key = { .data = NULL, .len = 0 }; 465 int ret = 0; 466 467 tls13_record_protection_clear(rp); 468 469 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL) 470 return 0; 471 472 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead))) 473 goto err; 474 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead))) 475 goto err; 476 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead))) 477 goto err; 478 479 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context)) 480 goto err; 481 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) 482 goto err; 483 484 if (!EVP_AEAD_CTX_init(rp->aead_ctx, aead, key.data, key.len, 485 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 486 goto err; 487 488 ret = 1; 489 490 err: 491 tls13_secret_cleanup(&key); 492 493 return ret; 494 } 495 496 int 497 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 498 struct tls13_secret *read_key, enum ssl_encryption_level_t read_level) 499 { 500 if (rl->cb.set_read_traffic_key != NULL) 501 return rl->cb.set_read_traffic_key(read_key, read_level, 502 rl->cb_arg); 503 504 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 505 rl->read, read_key); 506 } 507 508 int 509 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 510 struct tls13_secret *write_key, enum ssl_encryption_level_t write_level) 511 { 512 if (rl->cb.set_write_traffic_key != NULL) 513 return rl->cb.set_write_traffic_key(write_key, write_level, 514 rl->cb_arg); 515 516 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, 517 rl->write, write_key); 518 } 519 520 static int 521 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) 522 { 523 CBS cbs; 524 525 if (rl->aead != NULL) 526 return 0; 527 528 /* 529 * We're still operating in plaintext mode, so just copy the 530 * content from the record to the plaintext buffer. 531 */ 532 if (!tls13_record_content(rl->rrec, &cbs)) 533 return 0; 534 535 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 536 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 537 return 0; 538 } 539 540 if (!tls_content_dup_data(rl->rcontent, 541 tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs))) 542 return 0; 543 544 return 1; 545 } 546 547 static int 548 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) 549 { 550 CBS header, enc_record, inner; 551 uint8_t *content = NULL; 552 size_t content_len = 0; 553 uint8_t content_type; 554 size_t out_len; 555 556 if (rl->aead == NULL) 557 goto err; 558 559 if (!tls13_record_header(rl->rrec, &header)) 560 goto err; 561 if (!tls13_record_content(rl->rrec, &enc_record)) 562 goto err; 563 564 if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 565 goto err; 566 content_len = CBS_len(&enc_record); 567 568 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv, 569 rl->read->seq_num)) 570 goto err; 571 572 if (!EVP_AEAD_CTX_open(rl->read->aead_ctx, 573 content, &out_len, content_len, 574 rl->read->nonce.data, rl->read->nonce.len, 575 CBS_data(&enc_record), CBS_len(&enc_record), 576 CBS_data(&header), CBS_len(&header))) 577 goto err; 578 579 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { 580 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 581 goto err; 582 } 583 584 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num)) 585 goto err; 586 587 /* 588 * The real content type is hidden at the end of the record content and 589 * it may be followed by padding that consists of one or more zeroes. 590 * Time to hunt for that elusive content type! 591 */ 592 CBS_init(&inner, content, out_len); 593 content_type = 0; 594 while (CBS_get_last_u8(&inner, &content_type)) { 595 if (content_type != 0) 596 break; 597 } 598 if (content_type == 0) { 599 /* Unexpected message per RFC 8446 section 5.4. */ 600 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; 601 goto err; 602 } 603 if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 604 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 605 goto err; 606 } 607 608 tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner), 609 CBS_len(&inner)); 610 611 return 1; 612 613 err: 614 freezero(content, content_len); 615 616 return 0; 617 } 618 619 static int 620 tls13_record_layer_open_record(struct tls13_record_layer *rl) 621 { 622 if (rl->handshake_completed && rl->aead == NULL) 623 return 0; 624 625 if (rl->aead == NULL) 626 return tls13_record_layer_open_record_plaintext(rl); 627 628 return tls13_record_layer_open_record_protected(rl); 629 } 630 631 static int 632 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, 633 uint8_t content_type, const uint8_t *content, size_t content_len) 634 { 635 uint8_t *data = NULL; 636 size_t data_len = 0; 637 CBB cbb, body; 638 639 /* 640 * Allow dummy CCS messages to be sent in plaintext even when 641 * record protection has been engaged, as long as the handshake 642 * has not yet completed. 643 */ 644 if (rl->handshake_completed) 645 return 0; 646 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) 647 return 0; 648 649 /* 650 * We're still operating in plaintext mode, so just copy the 651 * content into the record. 652 */ 653 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) 654 goto err; 655 656 if (!CBB_add_u8(&cbb, content_type)) 657 goto err; 658 if (!CBB_add_u16(&cbb, rl->legacy_version)) 659 goto err; 660 if (!CBB_add_u16_length_prefixed(&cbb, &body)) 661 goto err; 662 if (!CBB_add_bytes(&body, content, content_len)) 663 goto err; 664 665 if (!CBB_finish(&cbb, &data, &data_len)) 666 goto err; 667 668 if (!tls13_record_set_data(rl->wrec, data, data_len)) 669 goto err; 670 671 rl->wrec_content_len = content_len; 672 rl->wrec_content_type = content_type; 673 674 return 1; 675 676 err: 677 CBB_cleanup(&cbb); 678 freezero(data, data_len); 679 680 return 0; 681 } 682 683 static int 684 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, 685 uint8_t content_type, const uint8_t *content, size_t content_len) 686 { 687 uint8_t *data = NULL, *header = NULL, *inner = NULL; 688 size_t data_len = 0, header_len = 0, inner_len = 0; 689 uint8_t *enc_record; 690 size_t enc_record_len; 691 ssize_t ret = 0; 692 size_t out_len; 693 CBB cbb; 694 695 if (rl->aead == NULL) 696 return 0; 697 698 memset(&cbb, 0, sizeof(cbb)); 699 700 /* Build inner plaintext. */ 701 if (!CBB_init(&cbb, content_len + 1)) 702 goto err; 703 if (!CBB_add_bytes(&cbb, content, content_len)) 704 goto err; 705 if (!CBB_add_u8(&cbb, content_type)) 706 goto err; 707 /* XXX - padding? */ 708 if (!CBB_finish(&cbb, &inner, &inner_len)) 709 goto err; 710 711 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) 712 goto err; 713 714 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 715 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); 716 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) 717 goto err; 718 719 /* Build the record header. */ 720 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) 721 goto err; 722 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) 723 goto err; 724 if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 725 goto err; 726 if (!CBB_add_u16(&cbb, enc_record_len)) 727 goto err; 728 if (!CBB_finish(&cbb, &header, &header_len)) 729 goto err; 730 731 /* Build the actual record. */ 732 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) 733 goto err; 734 if (!CBB_add_bytes(&cbb, header, header_len)) 735 goto err; 736 if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) 737 goto err; 738 if (!CBB_finish(&cbb, &data, &data_len)) 739 goto err; 740 741 if (!tls13_record_layer_update_nonce(&rl->write->nonce, 742 &rl->write->iv, rl->write->seq_num)) 743 goto err; 744 745 /* 746 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec... 747 * this would avoid a copy since the inner would be passed as two 748 * separate pieces. 749 */ 750 if (!EVP_AEAD_CTX_seal(rl->write->aead_ctx, 751 enc_record, &out_len, enc_record_len, 752 rl->write->nonce.data, rl->write->nonce.len, 753 inner, inner_len, header, header_len)) 754 goto err; 755 756 if (out_len != enc_record_len) 757 goto err; 758 759 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num)) 760 goto err; 761 762 if (!tls13_record_set_data(rl->wrec, data, data_len)) 763 goto err; 764 765 rl->wrec_content_len = content_len; 766 rl->wrec_content_type = content_type; 767 768 data = NULL; 769 data_len = 0; 770 771 ret = 1; 772 773 err: 774 CBB_cleanup(&cbb); 775 776 freezero(data, data_len); 777 freezero(header, header_len); 778 freezero(inner, inner_len); 779 780 return ret; 781 } 782 783 static int 784 tls13_record_layer_seal_record(struct tls13_record_layer *rl, 785 uint8_t content_type, const uint8_t *content, size_t content_len) 786 { 787 if (rl->handshake_completed && rl->aead == NULL) 788 return 0; 789 790 tls13_record_layer_wrec_free(rl); 791 792 if ((rl->wrec = tls13_record_new()) == NULL) 793 return 0; 794 795 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) 796 return tls13_record_layer_seal_record_plaintext(rl, 797 content_type, content, content_len); 798 799 return tls13_record_layer_seal_record_protected(rl, content_type, 800 content, content_len); 801 } 802 803 static ssize_t 804 tls13_record_layer_read_record(struct tls13_record_layer *rl) 805 { 806 uint8_t content_type, ccs; 807 ssize_t ret; 808 CBS cbs; 809 810 if (rl->rrec == NULL) { 811 if ((rl->rrec = tls13_record_new()) == NULL) 812 goto err; 813 } 814 815 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { 816 switch (ret) { 817 case TLS13_IO_RECORD_VERSION: 818 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 819 case TLS13_IO_RECORD_OVERFLOW: 820 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); 821 } 822 return ret; 823 } 824 825 content_type = tls13_record_content_type(rl->rrec); 826 827 /* 828 * In response to a client hello we may receive an alert in a 829 * record with a legacy version. Otherwise enforce that the 830 * legacy record version is 0x0303 per RFC 8446, section 5.1. 831 */ 832 if (rl->legacy_version == TLS1_2_VERSION && 833 tls13_record_version(rl->rrec) != TLS1_2_VERSION && 834 (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed)) 835 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 836 837 /* 838 * Bag of hacks ahead... after the first ClientHello message has been 839 * sent or received and before the peer's Finished message has been 840 * received, we may receive an unencrypted ChangeCipherSpec record 841 * (see RFC 8446 section 5 and appendix D.4). This record must be 842 * ignored. 843 */ 844 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 845 if (!rl->ccs_allowed || rl->ccs_seen >= 2) 846 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 847 if (!tls13_record_content(rl->rrec, &cbs)) 848 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 849 if (!CBS_get_u8(&cbs, &ccs)) 850 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 851 if (ccs != 1) 852 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 853 if (CBS_len(&cbs) != 0) 854 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 855 rl->ccs_seen++; 856 tls13_record_layer_rrec_free(rl); 857 return TLS13_IO_WANT_RETRY; 858 } 859 860 /* 861 * Once record protection is engaged, we should only receive 862 * protected application data messages (aside from the 863 * dummy ChangeCipherSpec messages, handled above). 864 */ 865 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) 866 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 867 868 if (!tls13_record_layer_open_record(rl)) 869 goto err; 870 871 tls13_record_layer_rrec_free(rl); 872 873 /* 874 * On receiving a handshake or alert record with empty inner plaintext, 875 * we must terminate the connection with an unexpected_message alert. 876 * See RFC 8446 section 5.4. 877 */ 878 if (tls_content_remaining(rl->rcontent) == 0 && 879 (tls_content_type(rl->rcontent) == SSL3_RT_ALERT || 880 tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE)) 881 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 882 883 switch (tls_content_type(rl->rcontent)) { 884 case SSL3_RT_ALERT: 885 return tls13_record_layer_process_alert(rl); 886 887 case SSL3_RT_HANDSHAKE: 888 break; 889 890 case SSL3_RT_APPLICATION_DATA: 891 if (!rl->handshake_completed) 892 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 893 break; 894 895 default: 896 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 897 } 898 899 return TLS13_IO_SUCCESS; 900 901 err: 902 return TLS13_IO_FAILURE; 903 } 904 905 static ssize_t 906 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) 907 { 908 if (tls_content_type(rl->rcontent) != content_type) 909 return 0; 910 911 return tls_content_remaining(rl->rcontent); 912 } 913 914 static ssize_t 915 tls13_record_layer_recv_phh(struct tls13_record_layer *rl) 916 { 917 ssize_t ret = TLS13_IO_FAILURE; 918 919 rl->phh = 1; 920 921 /* 922 * The post handshake handshake receive callback is allowed to return: 923 * 924 * TLS13_IO_WANT_POLLIN need more handshake data. 925 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued. 926 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do. 927 * TLS13_IO_FAILURE something broke. 928 */ 929 if (rl->cb.phh_recv != NULL) 930 ret = rl->cb.phh_recv(rl->cb_arg); 931 932 tls_content_clear(rl->rcontent); 933 934 /* Leave post handshake handshake mode unless we need more data. */ 935 if (ret != TLS13_IO_WANT_POLLIN) 936 rl->phh = 0; 937 938 if (ret == TLS13_IO_SUCCESS) { 939 if (rl->phh_retry) 940 return TLS13_IO_WANT_RETRY; 941 942 return TLS13_IO_WANT_POLLIN; 943 } 944 945 return ret; 946 } 947 948 static ssize_t 949 tls13_record_layer_read_internal(struct tls13_record_layer *rl, 950 uint8_t content_type, uint8_t *buf, size_t n, int peek) 951 { 952 ssize_t ret; 953 954 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) 955 return ret; 956 957 if (rl->read_closed) 958 return TLS13_IO_EOF; 959 960 /* If necessary, pull up the next record. */ 961 if (tls_content_remaining(rl->rcontent) == 0) { 962 if ((ret = tls13_record_layer_read_record(rl)) <= 0) 963 return ret; 964 965 /* 966 * We may have read a valid 0-byte application data record, 967 * in which case we need to read the next record. 968 */ 969 if (tls_content_remaining(rl->rcontent) == 0) 970 return TLS13_IO_WANT_POLLIN; 971 } 972 973 /* 974 * If we are in post handshake handshake mode, we must not see 975 * any record type that isn't a handshake until we are done. 976 */ 977 if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE) 978 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 979 980 /* 981 * Handshake content can appear as post-handshake messages (yup, 982 * the RFC reused the same content type...), which means we can 983 * be trying to read application data and need to handle a 984 * post-handshake handshake message instead... 985 */ 986 if (tls_content_type(rl->rcontent) != content_type) { 987 if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE) { 988 if (rl->handshake_completed) 989 return tls13_record_layer_recv_phh(rl); 990 } 991 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 992 } 993 994 if (peek) 995 return tls_content_peek(rl->rcontent, buf, n); 996 997 return tls_content_read(rl->rcontent, buf, n); 998 } 999 1000 static ssize_t 1001 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, 1002 uint8_t *buf, size_t n) 1003 { 1004 ssize_t ret; 1005 1006 do { 1007 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); 1008 } while (ret == TLS13_IO_WANT_RETRY); 1009 1010 if (rl->alert != 0) 1011 return tls13_send_alert(rl, rl->alert); 1012 1013 return ret; 1014 } 1015 1016 static ssize_t 1017 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, 1018 uint8_t *buf, size_t n) 1019 { 1020 ssize_t ret; 1021 1022 do { 1023 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); 1024 } while (ret == TLS13_IO_WANT_RETRY); 1025 1026 if (rl->alert != 0) 1027 return tls13_send_alert(rl, rl->alert); 1028 1029 return ret; 1030 } 1031 1032 static ssize_t 1033 tls13_record_layer_write_record(struct tls13_record_layer *rl, 1034 uint8_t content_type, const uint8_t *content, size_t content_len) 1035 { 1036 ssize_t ret; 1037 1038 if (rl->write_closed) 1039 return TLS13_IO_EOF; 1040 1041 /* 1042 * If we pushed out application data while handling other messages, 1043 * we need to return content length on the next call. 1044 */ 1045 if (content_type == SSL3_RT_APPLICATION_DATA && 1046 rl->wrec_appdata_len != 0) { 1047 ret = rl->wrec_appdata_len; 1048 rl->wrec_appdata_len = 0; 1049 return ret; 1050 } 1051 1052 /* See if there is an existing record and attempt to push it out... */ 1053 if (rl->wrec != NULL) { 1054 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, 1055 rl->cb_arg)) <= 0) 1056 return ret; 1057 tls13_record_layer_wrec_free(rl); 1058 1059 if (rl->wrec_content_type == content_type) { 1060 ret = rl->wrec_content_len; 1061 rl->wrec_content_len = 0; 1062 rl->wrec_content_type = 0; 1063 return ret; 1064 } 1065 1066 /* 1067 * The only partial record type should be application data. 1068 * All other cases are handled to completion. 1069 */ 1070 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) 1071 return TLS13_IO_FAILURE; 1072 rl->wrec_appdata_len = rl->wrec_content_len; 1073 } 1074 1075 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1076 goto err; 1077 1078 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) 1079 goto err; 1080 1081 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) 1082 return ret; 1083 1084 tls13_record_layer_wrec_free(rl); 1085 1086 return content_len; 1087 1088 err: 1089 return TLS13_IO_FAILURE; 1090 } 1091 1092 static ssize_t 1093 tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 1094 uint8_t content_type, const uint8_t *buf, size_t n) 1095 { 1096 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1097 n = TLS13_RECORD_MAX_PLAINTEXT_LEN; 1098 1099 return tls13_record_layer_write_record(rl, content_type, buf, n); 1100 } 1101 1102 static ssize_t 1103 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, 1104 const uint8_t *buf, size_t n) 1105 { 1106 ssize_t ret; 1107 1108 do { 1109 ret = tls13_record_layer_send_pending(rl); 1110 } while (ret == TLS13_IO_WANT_RETRY); 1111 if (ret != TLS13_IO_SUCCESS) 1112 return ret; 1113 1114 do { 1115 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); 1116 } while (ret == TLS13_IO_WANT_RETRY); 1117 1118 return ret; 1119 } 1120 1121 ssize_t 1122 tls13_record_layer_flush(struct tls13_record_layer *rl) 1123 { 1124 return rl->cb.wire_flush(rl->cb_arg); 1125 } 1126 1127 static const uint8_t tls13_dummy_ccs[] = { 0x01 }; 1128 1129 ssize_t 1130 tls13_send_dummy_ccs(struct tls13_record_layer *rl) 1131 { 1132 ssize_t ret; 1133 1134 if (rl->ccs_sent) 1135 return TLS13_IO_FAILURE; 1136 1137 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, 1138 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) 1139 return ret; 1140 1141 rl->ccs_sent = 1; 1142 1143 return TLS13_IO_SUCCESS; 1144 } 1145 1146 ssize_t 1147 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1148 { 1149 if (rl->cb.handshake_read != NULL) 1150 return rl->cb.handshake_read(buf, n, rl->cb_arg); 1151 1152 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); 1153 } 1154 1155 ssize_t 1156 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 1157 size_t n) 1158 { 1159 if (rl->cb.handshake_write != NULL) 1160 return rl->cb.handshake_write(buf, n, rl->cb_arg); 1161 1162 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); 1163 } 1164 1165 ssize_t 1166 tls13_pending_application_data(struct tls13_record_layer *rl) 1167 { 1168 if (!rl->handshake_completed) 1169 return 0; 1170 1171 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); 1172 } 1173 1174 ssize_t 1175 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1176 { 1177 if (!rl->handshake_completed) 1178 return TLS13_IO_FAILURE; 1179 1180 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1181 } 1182 1183 ssize_t 1184 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1185 { 1186 if (!rl->handshake_completed) 1187 return TLS13_IO_FAILURE; 1188 1189 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1190 } 1191 1192 ssize_t 1193 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 1194 size_t n) 1195 { 1196 if (!rl->handshake_completed) 1197 return TLS13_IO_FAILURE; 1198 1199 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1200 } 1201 1202 ssize_t 1203 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) 1204 { 1205 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; 1206 ssize_t ret; 1207 1208 if (rl->cb.alert_send != NULL) 1209 return rl->cb.alert_send(alert_desc, rl->cb_arg); 1210 1211 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || 1212 alert_desc == TLS13_ALERT_USER_CANCELED) 1213 alert_level = TLS13_ALERT_LEVEL_WARNING; 1214 1215 do { 1216 ret = tls13_record_layer_enqueue_alert(rl, alert_level, 1217 alert_desc); 1218 } while (ret == TLS13_IO_WANT_RETRY); 1219 1220 return ret; 1221 } 1222