1 /* $OpenBSD: tls13_record_layer.c,v 1.53 2020/09/11 15:03:36 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "ssl_locl.h" 19 20 #include "tls13_internal.h" 21 #include "tls13_record.h" 22 23 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 24 uint8_t content_type, const uint8_t *buf, size_t n); 25 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, 26 uint8_t content_type, const uint8_t *content, size_t content_len); 27 28 struct tls13_record_layer { 29 uint16_t legacy_version; 30 31 int ccs_allowed; 32 int ccs_seen; 33 int ccs_sent; 34 int handshake_completed; 35 int legacy_alerts_allowed; 36 int phh; 37 int phh_retry; 38 39 /* 40 * Read and/or write channels are closed due to an alert being 41 * sent or received. In the case of an error alert both channels 42 * are closed, whereas in the case of a close notify only one 43 * channel is closed. 44 */ 45 int read_closed; 46 int write_closed; 47 48 struct tls13_record *rrec; 49 50 struct tls13_record *wrec; 51 uint8_t wrec_content_type; 52 size_t wrec_appdata_len; 53 size_t wrec_content_len; 54 55 /* Alert to be sent on return from current read handler. */ 56 uint8_t alert; 57 58 /* Pending alert messages. */ 59 uint8_t *alert_data; 60 size_t alert_len; 61 uint8_t alert_level; 62 uint8_t alert_desc; 63 64 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ 65 CBS phh_cbs; 66 uint8_t *phh_data; 67 size_t phh_len; 68 69 /* Buffer containing plaintext from opened records. */ 70 uint8_t rbuf_content_type; 71 uint8_t *rbuf; 72 size_t rbuf_len; 73 CBS rbuf_cbs; 74 75 /* Record protection. */ 76 const EVP_MD *hash; 77 const EVP_AEAD *aead; 78 EVP_AEAD_CTX read_aead_ctx; 79 EVP_AEAD_CTX write_aead_ctx; 80 struct tls13_secret read_iv; 81 struct tls13_secret write_iv; 82 struct tls13_secret read_nonce; 83 struct tls13_secret write_nonce; 84 uint8_t read_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 85 uint8_t write_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; 86 87 /* Callbacks. */ 88 struct tls13_record_layer_callbacks cb; 89 void *cb_arg; 90 }; 91 92 static void 93 tls13_record_layer_rbuf_free(struct tls13_record_layer *rl) 94 { 95 CBS_init(&rl->rbuf_cbs, NULL, 0); 96 freezero(rl->rbuf, rl->rbuf_len); 97 rl->rbuf = NULL; 98 rl->rbuf_len = 0; 99 rl->rbuf_content_type = 0; 100 } 101 102 static void 103 tls13_record_layer_rrec_free(struct tls13_record_layer *rl) 104 { 105 tls13_record_free(rl->rrec); 106 rl->rrec = NULL; 107 } 108 109 static void 110 tls13_record_layer_wrec_free(struct tls13_record_layer *rl) 111 { 112 tls13_record_free(rl->wrec); 113 rl->wrec = NULL; 114 } 115 116 struct tls13_record_layer * 117 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, 118 void *cb_arg) 119 { 120 struct tls13_record_layer *rl; 121 122 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) 123 return NULL; 124 125 rl->legacy_version = TLS1_2_VERSION; 126 rl->cb = *callbacks; 127 rl->cb_arg = cb_arg; 128 129 return rl; 130 } 131 132 void 133 tls13_record_layer_free(struct tls13_record_layer *rl) 134 { 135 if (rl == NULL) 136 return; 137 138 tls13_record_layer_rbuf_free(rl); 139 140 tls13_record_layer_rrec_free(rl); 141 tls13_record_layer_wrec_free(rl); 142 143 EVP_AEAD_CTX_cleanup(&rl->read_aead_ctx); 144 EVP_AEAD_CTX_cleanup(&rl->write_aead_ctx); 145 146 freezero(rl->read_iv.data, rl->read_iv.len); 147 freezero(rl->write_iv.data, rl->write_iv.len); 148 freezero(rl->read_nonce.data, rl->read_nonce.len); 149 freezero(rl->write_nonce.data, rl->write_nonce.len); 150 151 freezero(rl, sizeof(struct tls13_record_layer)); 152 } 153 154 void 155 tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs) 156 { 157 CBS_dup(&rl->rbuf_cbs, cbs); 158 } 159 160 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { 161 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 162 }; 163 164 int 165 tls13_record_layer_inc_seq_num(uint8_t *seq_num) 166 { 167 int i; 168 169 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ 170 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) 171 return 0; 172 173 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 174 if (++seq_num[i] != 0) 175 break; 176 } 177 178 return 1; 179 } 180 181 static int 182 tls13_record_layer_update_nonce(struct tls13_secret *nonce, 183 struct tls13_secret *iv, uint8_t *seq_num) 184 { 185 ssize_t i, j; 186 187 if (nonce->len != iv->len) 188 return 0; 189 190 /* 191 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd 192 * with the IV to produce a per-record nonce. The IV will also be 193 * at least 8-bytes in length. 194 */ 195 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) 196 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0); 197 198 return 1; 199 } 200 201 void 202 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) 203 { 204 rl->ccs_allowed = allow; 205 } 206 207 void 208 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) 209 { 210 rl->legacy_alerts_allowed = allow; 211 } 212 213 void 214 tls13_record_layer_set_aead(struct tls13_record_layer *rl, 215 const EVP_AEAD *aead) 216 { 217 rl->aead = aead; 218 } 219 220 void 221 tls13_record_layer_set_hash(struct tls13_record_layer *rl, 222 const EVP_MD *hash) 223 { 224 rl->hash = hash; 225 } 226 227 void 228 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, 229 uint16_t version) 230 { 231 rl->legacy_version = version; 232 } 233 234 void 235 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) 236 { 237 rl->handshake_completed = 1; 238 } 239 240 void 241 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) 242 { 243 rl->phh_retry = retry; 244 } 245 246 static ssize_t 247 tls13_record_layer_process_alert(struct tls13_record_layer *rl) 248 { 249 uint8_t alert_level, alert_desc; 250 ssize_t ret = TLS13_IO_FAILURE; 251 252 /* 253 * RFC 8446 - sections 5.1 and 6. 254 * 255 * A TLSv1.3 alert record can only contain a single alert - this means 256 * that processing the alert must consume all of the record. The alert 257 * will result in one of three things - continuation (user_cancelled), 258 * read channel closure (close_notify) or termination (all others). 259 */ 260 if (rl->rbuf == NULL) 261 return TLS13_IO_FAILURE; 262 263 if (rl->rbuf_content_type != SSL3_RT_ALERT) 264 return TLS13_IO_FAILURE; 265 266 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_level)) 267 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 268 269 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_desc)) 270 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 271 272 if (CBS_len(&rl->rbuf_cbs) != 0) 273 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 274 275 tls13_record_layer_rbuf_free(rl); 276 277 /* 278 * Alert level is ignored for closure alerts (RFC 8446 section 6.1), 279 * however for error alerts (RFC 8446 section 6.2), the alert level 280 * must be specified as fatal. 281 */ 282 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 283 rl->read_closed = 1; 284 ret = TLS13_IO_EOF; 285 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { 286 /* Ignored at the record layer. */ 287 ret = TLS13_IO_WANT_RETRY; 288 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { 289 rl->read_closed = 1; 290 rl->write_closed = 1; 291 ret = TLS13_IO_ALERT; 292 } else if (rl->legacy_alerts_allowed && 293 alert_level == TLS13_ALERT_LEVEL_WARNING) { 294 /* Ignored and not passed to the callback. */ 295 return TLS13_IO_WANT_RETRY; 296 } else { 297 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 298 } 299 300 rl->cb.alert_recv(alert_desc, rl->cb_arg); 301 302 return ret; 303 } 304 305 static ssize_t 306 tls13_record_layer_send_alert(struct tls13_record_layer *rl) 307 { 308 ssize_t ret; 309 310 /* This has to fit into a single record, per RFC 8446 section 5.1. */ 311 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, 312 rl->alert_data, rl->alert_len)) != rl->alert_len) { 313 if (ret == TLS13_IO_EOF) 314 ret = TLS13_IO_ALERT; 315 return ret; 316 } 317 318 freezero(rl->alert_data, rl->alert_len); 319 rl->alert_data = NULL; 320 rl->alert_len = 0; 321 322 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 323 rl->write_closed = 1; 324 ret = TLS13_IO_SUCCESS; 325 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { 326 /* Ignored at the record layer. */ 327 ret = TLS13_IO_SUCCESS; 328 } else { 329 rl->read_closed = 1; 330 rl->write_closed = 1; 331 ret = TLS13_IO_ALERT; 332 } 333 334 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg); 335 336 return ret; 337 } 338 339 static ssize_t 340 tls13_record_layer_send_phh(struct tls13_record_layer *rl) 341 { 342 ssize_t ret; 343 344 /* Push out pending post-handshake handshake messages. */ 345 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, 346 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) 347 return ret; 348 if (!CBS_skip(&rl->phh_cbs, ret)) 349 return TLS13_IO_FAILURE; 350 if (CBS_len(&rl->phh_cbs) != 0) 351 return TLS13_IO_WANT_RETRY; 352 353 freezero(rl->phh_data, rl->phh_len); 354 rl->phh_data = NULL; 355 rl->phh_len = 0; 356 357 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 358 359 rl->cb.phh_sent(rl->cb_arg); 360 361 return TLS13_IO_SUCCESS; 362 } 363 364 ssize_t 365 tls13_record_layer_send_pending(struct tls13_record_layer *rl) 366 { 367 /* 368 * If an alert is pending, then it needs to be sent. However, 369 * if we're already part of the way through sending post-handshake 370 * handshake messages, then we need to finish that first... 371 */ 372 373 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) 374 return tls13_record_layer_send_phh(rl); 375 376 if (rl->alert_data != NULL) 377 return tls13_record_layer_send_alert(rl); 378 379 if (rl->phh_data != NULL) 380 return tls13_record_layer_send_phh(rl); 381 382 return TLS13_IO_SUCCESS; 383 } 384 385 static ssize_t 386 tls13_record_layer_alert(struct tls13_record_layer *rl, 387 uint8_t alert_level, uint8_t alert_desc) 388 { 389 CBB cbb; 390 391 if (rl->alert_data != NULL) 392 return TLS13_IO_FAILURE; 393 394 if (!CBB_init(&cbb, 0)) 395 goto err; 396 397 if (!CBB_add_u8(&cbb, alert_level)) 398 goto err; 399 if (!CBB_add_u8(&cbb, alert_desc)) 400 goto err; 401 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) 402 goto err; 403 404 rl->alert_level = alert_level; 405 rl->alert_desc = alert_desc; 406 407 return tls13_record_layer_send_pending(rl); 408 409 err: 410 CBB_cleanup(&cbb); 411 412 return TLS13_IO_FAILURE; 413 } 414 415 ssize_t 416 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) 417 { 418 if (rl->phh_data != NULL) 419 return TLS13_IO_FAILURE; 420 421 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) 422 return TLS13_IO_FAILURE; 423 424 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); 425 426 return tls13_record_layer_send_pending(rl); 427 } 428 429 static int 430 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, EVP_AEAD_CTX *aead_ctx, 431 const EVP_MD *hash, struct tls13_secret *iv, struct tls13_secret *nonce, 432 struct tls13_secret *traffic_key) 433 { 434 struct tls13_secret context = { .data = "", .len = 0 }; 435 struct tls13_secret key = { .data = NULL, .len = 0 }; 436 int ret = 0; 437 438 EVP_AEAD_CTX_cleanup(aead_ctx); 439 440 freezero(iv->data, iv->len); 441 iv->data = NULL; 442 iv->len = 0; 443 444 freezero(nonce->data, nonce->len); 445 nonce->data = NULL; 446 nonce->len = 0; 447 448 if ((iv->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) 449 goto err; 450 iv->len = EVP_AEAD_nonce_length(aead); 451 452 if ((nonce->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) 453 goto err; 454 nonce->len = EVP_AEAD_nonce_length(aead); 455 456 if ((key.data = calloc(1, EVP_AEAD_key_length(aead))) == NULL) 457 goto err; 458 key.len = EVP_AEAD_key_length(aead); 459 460 if (!tls13_hkdf_expand_label(iv, hash, traffic_key, "iv", &context)) 461 goto err; 462 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) 463 goto err; 464 465 if (!EVP_AEAD_CTX_init(aead_ctx, aead, key.data, key.len, 466 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 467 goto err; 468 469 ret = 1; 470 471 err: 472 freezero(key.data, key.len); 473 474 return ret; 475 } 476 477 int 478 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 479 struct tls13_secret *read_key) 480 { 481 memset(rl->read_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); 482 483 return tls13_record_layer_set_traffic_key(rl->aead, &rl->read_aead_ctx, 484 rl->hash, &rl->read_iv, &rl->read_nonce, read_key); 485 } 486 487 int 488 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 489 struct tls13_secret *write_key) 490 { 491 memset(rl->write_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); 492 493 return tls13_record_layer_set_traffic_key(rl->aead, &rl->write_aead_ctx, 494 rl->hash, &rl->write_iv, &rl->write_nonce, write_key); 495 } 496 497 static int 498 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) 499 { 500 CBS cbs; 501 502 if (rl->aead != NULL) 503 return 0; 504 505 /* 506 * We're still operating in plaintext mode, so just copy the 507 * content from the record to the plaintext buffer. 508 */ 509 if (!tls13_record_content(rl->rrec, &cbs)) 510 return 0; 511 512 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 513 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 514 return 0; 515 } 516 517 tls13_record_layer_rbuf_free(rl); 518 519 if (!CBS_stow(&cbs, &rl->rbuf, &rl->rbuf_len)) 520 return 0; 521 522 rl->rbuf_content_type = tls13_record_content_type(rl->rrec); 523 524 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 525 526 return 1; 527 } 528 529 static int 530 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) 531 { 532 CBS header, enc_record; 533 ssize_t inner_len; 534 uint8_t *content = NULL; 535 size_t content_len = 0; 536 uint8_t content_type; 537 size_t out_len; 538 539 if (rl->aead == NULL) 540 goto err; 541 542 if (!tls13_record_header(rl->rrec, &header)) 543 goto err; 544 if (!tls13_record_content(rl->rrec, &enc_record)) 545 goto err; 546 547 if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 548 goto err; 549 content_len = CBS_len(&enc_record); 550 551 if (!tls13_record_layer_update_nonce(&rl->read_nonce, &rl->read_iv, 552 rl->read_seq_num)) 553 goto err; 554 555 if (!EVP_AEAD_CTX_open(&rl->read_aead_ctx, 556 content, &out_len, content_len, 557 rl->read_nonce.data, rl->read_nonce.len, 558 CBS_data(&enc_record), CBS_len(&enc_record), 559 CBS_data(&header), CBS_len(&header))) 560 goto err; 561 562 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { 563 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 564 goto err; 565 } 566 567 if (!tls13_record_layer_inc_seq_num(rl->read_seq_num)) 568 goto err; 569 570 /* 571 * The real content type is hidden at the end of the record content and 572 * it may be followed by padding that consists of one or more zeroes. 573 * Time to hunt for that elusive content type! 574 */ 575 /* XXX - CBS from end? CBS_get_end_u8()? */ 576 inner_len = out_len - 1; 577 while (inner_len >= 0 && content[inner_len] == 0) 578 inner_len--; 579 if (inner_len < 0) { 580 /* Unexpected message per RFC 8446 section 5.4. */ 581 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; 582 goto err; 583 } 584 if (inner_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) { 585 rl->alert = TLS13_ALERT_RECORD_OVERFLOW; 586 goto err; 587 } 588 content_type = content[inner_len]; 589 590 tls13_record_layer_rbuf_free(rl); 591 592 rl->rbuf_content_type = content_type; 593 rl->rbuf = content; 594 rl->rbuf_len = inner_len; 595 596 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 597 598 return 1; 599 600 err: 601 freezero(content, content_len); 602 603 return 0; 604 } 605 606 static int 607 tls13_record_layer_open_record(struct tls13_record_layer *rl) 608 { 609 if (rl->handshake_completed && rl->aead == NULL) 610 return 0; 611 612 if (rl->aead == NULL) 613 return tls13_record_layer_open_record_plaintext(rl); 614 615 return tls13_record_layer_open_record_protected(rl); 616 } 617 618 static int 619 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, 620 uint8_t content_type, const uint8_t *content, size_t content_len) 621 { 622 uint8_t *data = NULL; 623 size_t data_len = 0; 624 CBB cbb, body; 625 626 /* 627 * Allow dummy CCS messages to be sent in plaintext even when 628 * record protection has been engaged, as long as the handshake 629 * has not yet completed. 630 */ 631 if (rl->handshake_completed) 632 return 0; 633 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) 634 return 0; 635 636 /* 637 * We're still operating in plaintext mode, so just copy the 638 * content into the record. 639 */ 640 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) 641 goto err; 642 643 if (!CBB_add_u8(&cbb, content_type)) 644 goto err; 645 if (!CBB_add_u16(&cbb, rl->legacy_version)) 646 goto err; 647 if (!CBB_add_u16_length_prefixed(&cbb, &body)) 648 goto err; 649 if (!CBB_add_bytes(&body, content, content_len)) 650 goto err; 651 652 if (!CBB_finish(&cbb, &data, &data_len)) 653 goto err; 654 655 if (!tls13_record_set_data(rl->wrec, data, data_len)) 656 goto err; 657 658 rl->wrec_content_len = content_len; 659 rl->wrec_content_type = content_type; 660 661 return 1; 662 663 err: 664 CBB_cleanup(&cbb); 665 freezero(data, data_len); 666 667 return 0; 668 } 669 670 static int 671 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, 672 uint8_t content_type, const uint8_t *content, size_t content_len) 673 { 674 uint8_t *data = NULL, *header = NULL, *inner = NULL; 675 size_t data_len = 0, header_len = 0, inner_len = 0; 676 uint8_t *enc_record; 677 size_t enc_record_len; 678 ssize_t ret = 0; 679 size_t out_len; 680 CBB cbb; 681 682 if (rl->aead == NULL) 683 return 0; 684 685 memset(&cbb, 0, sizeof(cbb)); 686 687 /* Build inner plaintext. */ 688 if (!CBB_init(&cbb, content_len + 1)) 689 goto err; 690 if (!CBB_add_bytes(&cbb, content, content_len)) 691 goto err; 692 if (!CBB_add_u8(&cbb, content_type)) 693 goto err; 694 /* XXX - padding? */ 695 if (!CBB_finish(&cbb, &inner, &inner_len)) 696 goto err; 697 698 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) 699 goto err; 700 701 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 702 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); 703 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) 704 goto err; 705 706 /* Build the record header. */ 707 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) 708 goto err; 709 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) 710 goto err; 711 if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 712 goto err; 713 if (!CBB_add_u16(&cbb, enc_record_len)) 714 goto err; 715 if (!CBB_finish(&cbb, &header, &header_len)) 716 goto err; 717 718 /* Build the actual record. */ 719 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) 720 goto err; 721 if (!CBB_add_bytes(&cbb, header, header_len)) 722 goto err; 723 if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) 724 goto err; 725 if (!CBB_finish(&cbb, &data, &data_len)) 726 goto err; 727 728 if (!tls13_record_layer_update_nonce(&rl->write_nonce, 729 &rl->write_iv, rl->write_seq_num)) 730 goto err; 731 732 /* 733 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec... 734 * this would avoid a copy since the inner would be passed as two 735 * separate pieces. 736 */ 737 if (!EVP_AEAD_CTX_seal(&rl->write_aead_ctx, 738 enc_record, &out_len, enc_record_len, 739 rl->write_nonce.data, rl->write_nonce.len, 740 inner, inner_len, header, header_len)) 741 goto err; 742 743 if (out_len != enc_record_len) 744 goto err; 745 746 if (!tls13_record_layer_inc_seq_num(rl->write_seq_num)) 747 goto err; 748 749 if (!tls13_record_set_data(rl->wrec, data, data_len)) 750 goto err; 751 752 rl->wrec_content_len = content_len; 753 rl->wrec_content_type = content_type; 754 755 data = NULL; 756 data_len = 0; 757 758 ret = 1; 759 760 err: 761 CBB_cleanup(&cbb); 762 763 freezero(data, data_len); 764 freezero(header, header_len); 765 freezero(inner, inner_len); 766 767 return ret; 768 } 769 770 static int 771 tls13_record_layer_seal_record(struct tls13_record_layer *rl, 772 uint8_t content_type, const uint8_t *content, size_t content_len) 773 { 774 if (rl->handshake_completed && rl->aead == NULL) 775 return 0; 776 777 tls13_record_layer_wrec_free(rl); 778 779 if ((rl->wrec = tls13_record_new()) == NULL) 780 return 0; 781 782 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) 783 return tls13_record_layer_seal_record_plaintext(rl, 784 content_type, content, content_len); 785 786 return tls13_record_layer_seal_record_protected(rl, content_type, 787 content, content_len); 788 } 789 790 static ssize_t 791 tls13_record_layer_read_record(struct tls13_record_layer *rl) 792 { 793 uint8_t content_type, ccs; 794 ssize_t ret; 795 CBS cbs; 796 797 if (rl->rrec == NULL) { 798 if ((rl->rrec = tls13_record_new()) == NULL) 799 goto err; 800 } 801 802 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { 803 switch (ret) { 804 case TLS13_IO_RECORD_VERSION: 805 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 806 case TLS13_IO_RECORD_OVERFLOW: 807 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); 808 } 809 return ret; 810 } 811 812 if (rl->legacy_version == TLS1_2_VERSION && 813 tls13_record_version(rl->rrec) != TLS1_2_VERSION) 814 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); 815 816 content_type = tls13_record_content_type(rl->rrec); 817 818 /* 819 * Bag of hacks ahead... after the first ClientHello message has been 820 * sent or received and before the peer's Finished message has been 821 * received, we may receive an unencrypted ChangeCipherSpec record 822 * (see RFC 8446 section 5 and appendix D.4). This record must be 823 * ignored. 824 */ 825 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 826 if (!rl->ccs_allowed || rl->ccs_seen >= 2) 827 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 828 if (!tls13_record_content(rl->rrec, &cbs)) 829 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 830 if (!CBS_get_u8(&cbs, &ccs)) 831 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); 832 if (ccs != 1) 833 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); 834 rl->ccs_seen++; 835 tls13_record_layer_rrec_free(rl); 836 return TLS13_IO_WANT_RETRY; 837 } 838 839 /* 840 * Once record protection is engaged, we should only receive 841 * protected application data messages (aside from the 842 * dummy ChangeCipherSpec messages, handled above). 843 */ 844 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) 845 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 846 847 if (!tls13_record_layer_open_record(rl)) 848 goto err; 849 850 tls13_record_layer_rrec_free(rl); 851 852 /* 853 * On receiving a handshake or alert record with empty inner plaintext, 854 * we must terminate the connection with an unexpected_message alert. 855 * See RFC 8446 section 5.4. 856 */ 857 if (CBS_len(&rl->rbuf_cbs) == 0 && 858 (rl->rbuf_content_type == SSL3_RT_ALERT || 859 rl->rbuf_content_type == SSL3_RT_HANDSHAKE)) 860 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 861 862 switch (rl->rbuf_content_type) { 863 case SSL3_RT_ALERT: 864 return tls13_record_layer_process_alert(rl); 865 866 case SSL3_RT_HANDSHAKE: 867 break; 868 869 case SSL3_RT_APPLICATION_DATA: 870 if (!rl->handshake_completed) 871 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 872 break; 873 874 default: 875 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 876 } 877 878 return TLS13_IO_SUCCESS; 879 880 err: 881 return TLS13_IO_FAILURE; 882 } 883 884 static ssize_t 885 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) 886 { 887 if (rl->rbuf_content_type != content_type) 888 return 0; 889 890 return CBS_len(&rl->rbuf_cbs); 891 } 892 893 static ssize_t 894 tls13_record_layer_recv_phh(struct tls13_record_layer *rl) 895 { 896 ssize_t ret = TLS13_IO_FAILURE; 897 898 rl->phh = 1; 899 900 /* 901 * The post handshake handshake receive callback is allowed to return: 902 * 903 * TLS13_IO_WANT_POLLIN need more handshake data. 904 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued. 905 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do. 906 * TLS13_IO_FAILURE something broke. 907 */ 908 if (rl->cb.phh_recv != NULL) 909 ret = rl->cb.phh_recv(rl->cb_arg, &rl->rbuf_cbs); 910 911 tls13_record_layer_rbuf_free(rl); 912 913 /* Leave post handshake handshake mode unless we need more data. */ 914 if (ret != TLS13_IO_WANT_POLLIN) 915 rl->phh = 0; 916 917 if (ret == TLS13_IO_SUCCESS) { 918 if (rl->phh_retry) 919 return TLS13_IO_WANT_RETRY; 920 921 return TLS13_IO_WANT_POLLIN; 922 } 923 924 return ret; 925 } 926 927 static ssize_t 928 tls13_record_layer_read_internal(struct tls13_record_layer *rl, 929 uint8_t content_type, uint8_t *buf, size_t n, int peek) 930 { 931 ssize_t ret; 932 933 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) 934 return ret; 935 936 if (rl->read_closed) 937 return TLS13_IO_EOF; 938 939 /* If necessary, pull up the next record. */ 940 if (CBS_len(&rl->rbuf_cbs) == 0) { 941 if ((ret = tls13_record_layer_read_record(rl)) <= 0) 942 return ret; 943 944 /* 945 * We may have read a valid 0-byte application data record, 946 * in which case we need to read the next record. 947 */ 948 if (CBS_len(&rl->rbuf_cbs) == 0) { 949 tls13_record_layer_rbuf_free(rl); 950 return TLS13_IO_WANT_POLLIN; 951 } 952 } 953 954 /* 955 * If we are in post handshake handshake mode, we must not see 956 * any record type that isn't a handshake until we are done. 957 */ 958 if (rl->phh && rl->rbuf_content_type != SSL3_RT_HANDSHAKE) 959 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 960 961 /* 962 * Handshake content can appear as post-handshake messages (yup, 963 * the RFC reused the same content type...), which means we can 964 * be trying to read application data and need to handle a 965 * post-handshake handshake message instead... 966 */ 967 if (rl->rbuf_content_type != content_type) { 968 if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) { 969 if (rl->handshake_completed) 970 return tls13_record_layer_recv_phh(rl); 971 } 972 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 973 } 974 975 if (n > CBS_len(&rl->rbuf_cbs)) 976 n = CBS_len(&rl->rbuf_cbs); 977 978 /* XXX - CBS_memcpy? CBS_copy_bytes? */ 979 memcpy(buf, CBS_data(&rl->rbuf_cbs), n); 980 981 if (!peek) { 982 if (!CBS_skip(&rl->rbuf_cbs, n)) 983 goto err; 984 } 985 986 if (CBS_len(&rl->rbuf_cbs) == 0) 987 tls13_record_layer_rbuf_free(rl); 988 989 return n; 990 991 err: 992 return TLS13_IO_FAILURE; 993 } 994 995 static ssize_t 996 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, 997 uint8_t *buf, size_t n) 998 { 999 ssize_t ret; 1000 1001 do { 1002 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); 1003 } while (ret == TLS13_IO_WANT_RETRY); 1004 1005 if (rl->alert != 0) 1006 return tls13_send_alert(rl, rl->alert); 1007 1008 return ret; 1009 } 1010 1011 static ssize_t 1012 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, 1013 uint8_t *buf, size_t n) 1014 { 1015 ssize_t ret; 1016 1017 do { 1018 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); 1019 } while (ret == TLS13_IO_WANT_RETRY); 1020 1021 if (rl->alert != 0) 1022 return tls13_send_alert(rl, rl->alert); 1023 1024 return ret; 1025 } 1026 1027 static ssize_t 1028 tls13_record_layer_write_record(struct tls13_record_layer *rl, 1029 uint8_t content_type, const uint8_t *content, size_t content_len) 1030 { 1031 ssize_t ret; 1032 1033 if (rl->write_closed) 1034 return TLS13_IO_EOF; 1035 1036 /* 1037 * If we pushed out application data while handling other messages, 1038 * we need to return content length on the next call. 1039 */ 1040 if (content_type == SSL3_RT_APPLICATION_DATA && 1041 rl->wrec_appdata_len != 0) { 1042 ret = rl->wrec_appdata_len; 1043 rl->wrec_appdata_len = 0; 1044 return ret; 1045 } 1046 1047 /* See if there is an existing record and attempt to push it out... */ 1048 if (rl->wrec != NULL) { 1049 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, 1050 rl->cb_arg)) <= 0) 1051 return ret; 1052 tls13_record_layer_wrec_free(rl); 1053 1054 if (rl->wrec_content_type == content_type) { 1055 ret = rl->wrec_content_len; 1056 rl->wrec_content_len = 0; 1057 rl->wrec_content_type = 0; 1058 return ret; 1059 } 1060 1061 /* 1062 * The only partial record type should be application data. 1063 * All other cases are handled to completion. 1064 */ 1065 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) 1066 return TLS13_IO_FAILURE; 1067 rl->wrec_appdata_len = rl->wrec_content_len; 1068 } 1069 1070 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1071 goto err; 1072 1073 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) 1074 goto err; 1075 1076 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) 1077 return ret; 1078 1079 tls13_record_layer_wrec_free(rl); 1080 1081 return content_len; 1082 1083 err: 1084 return TLS13_IO_FAILURE; 1085 } 1086 1087 static ssize_t 1088 tls13_record_layer_write_chunk(struct tls13_record_layer *rl, 1089 uint8_t content_type, const uint8_t *buf, size_t n) 1090 { 1091 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) 1092 n = TLS13_RECORD_MAX_PLAINTEXT_LEN; 1093 1094 return tls13_record_layer_write_record(rl, content_type, buf, n); 1095 } 1096 1097 static ssize_t 1098 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, 1099 const uint8_t *buf, size_t n) 1100 { 1101 ssize_t ret; 1102 1103 do { 1104 ret = tls13_record_layer_send_pending(rl); 1105 } while (ret == TLS13_IO_WANT_RETRY); 1106 if (ret != TLS13_IO_SUCCESS) 1107 return ret; 1108 1109 do { 1110 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); 1111 } while (ret == TLS13_IO_WANT_RETRY); 1112 1113 return ret; 1114 } 1115 1116 static const uint8_t tls13_dummy_ccs[] = { 0x01 }; 1117 1118 ssize_t 1119 tls13_send_dummy_ccs(struct tls13_record_layer *rl) 1120 { 1121 ssize_t ret; 1122 1123 if (rl->ccs_sent) 1124 return TLS13_IO_FAILURE; 1125 1126 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, 1127 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) 1128 return ret; 1129 1130 rl->ccs_sent = 1; 1131 1132 return TLS13_IO_SUCCESS; 1133 } 1134 1135 ssize_t 1136 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1137 { 1138 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); 1139 } 1140 1141 ssize_t 1142 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 1143 size_t n) 1144 { 1145 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); 1146 } 1147 1148 ssize_t 1149 tls13_pending_application_data(struct tls13_record_layer *rl) 1150 { 1151 if (!rl->handshake_completed) 1152 return 0; 1153 1154 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); 1155 } 1156 1157 ssize_t 1158 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1159 { 1160 if (!rl->handshake_completed) 1161 return TLS13_IO_FAILURE; 1162 1163 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1164 } 1165 1166 ssize_t 1167 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) 1168 { 1169 if (!rl->handshake_completed) 1170 return TLS13_IO_FAILURE; 1171 1172 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1173 } 1174 1175 ssize_t 1176 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 1177 size_t n) 1178 { 1179 if (!rl->handshake_completed) 1180 return TLS13_IO_FAILURE; 1181 1182 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); 1183 } 1184 1185 ssize_t 1186 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) 1187 { 1188 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; 1189 ssize_t ret; 1190 1191 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || 1192 alert_desc == TLS13_ALERT_USER_CANCELED) 1193 alert_level = TLS13_ALERT_LEVEL_WARNING; 1194 1195 do { 1196 ret = tls13_record_layer_alert(rl, alert_level, alert_desc); 1197 } while (ret == TLS13_IO_WANT_RETRY); 1198 1199 return ret; 1200 } 1201