1 /* $OpenBSD: tls13_record_layer.c,v 1.73 2024/01/27 14:23:51 jsing Exp $ */
2 /*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include "tls13_internal.h"
19 #include "tls13_record.h"
20 #include "tls_content.h"
21
22 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
23 uint8_t content_type, const uint8_t *buf, size_t n);
24 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
25 uint8_t content_type, const uint8_t *content, size_t content_len);
26
27 struct tls13_record_protection {
28 EVP_AEAD_CTX *aead_ctx;
29 struct tls13_secret iv;
30 struct tls13_secret nonce;
31 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN];
32 };
33
34 struct tls13_record_protection *
tls13_record_protection_new(void)35 tls13_record_protection_new(void)
36 {
37 return calloc(1, sizeof(struct tls13_record_protection));
38 }
39
40 void
tls13_record_protection_clear(struct tls13_record_protection * rp)41 tls13_record_protection_clear(struct tls13_record_protection *rp)
42 {
43 EVP_AEAD_CTX_free(rp->aead_ctx);
44
45 tls13_secret_cleanup(&rp->iv);
46 tls13_secret_cleanup(&rp->nonce);
47
48 memset(rp, 0, sizeof(*rp));
49 }
50
51 void
tls13_record_protection_free(struct tls13_record_protection * rp)52 tls13_record_protection_free(struct tls13_record_protection *rp)
53 {
54 if (rp == NULL)
55 return;
56
57 tls13_record_protection_clear(rp);
58
59 freezero(rp, sizeof(struct tls13_record_protection));
60 }
61
62 struct tls13_record_layer {
63 uint16_t legacy_version;
64
65 int ccs_allowed;
66 int ccs_seen;
67 int ccs_sent;
68 int handshake_completed;
69 int legacy_alerts_allowed;
70 int phh;
71 int phh_retry;
72
73 /*
74 * Read and/or write channels are closed due to an alert being
75 * sent or received. In the case of an error alert both channels
76 * are closed, whereas in the case of a close notify only one
77 * channel is closed.
78 */
79 int read_closed;
80 int write_closed;
81
82 struct tls13_record *rrec;
83
84 struct tls13_record *wrec;
85 uint8_t wrec_content_type;
86 size_t wrec_appdata_len;
87 size_t wrec_content_len;
88
89 /* Alert to be sent on return from current read handler. */
90 uint8_t alert;
91
92 /* Pending alert messages. */
93 uint8_t *alert_data;
94 size_t alert_len;
95 uint8_t alert_level;
96 uint8_t alert_desc;
97
98 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */
99 CBS phh_cbs;
100 uint8_t *phh_data;
101 size_t phh_len;
102
103 /* Content from opened records. */
104 struct tls_content *rcontent;
105
106 /* Record protection. */
107 const EVP_MD *hash;
108 const EVP_AEAD *aead;
109 struct tls13_record_protection *read;
110 struct tls13_record_protection *write;
111
112 /* Callbacks. */
113 struct tls13_record_layer_callbacks cb;
114 void *cb_arg;
115 };
116
117 static void
tls13_record_layer_rrec_free(struct tls13_record_layer * rl)118 tls13_record_layer_rrec_free(struct tls13_record_layer *rl)
119 {
120 tls13_record_free(rl->rrec);
121 rl->rrec = NULL;
122 }
123
124 static void
tls13_record_layer_wrec_free(struct tls13_record_layer * rl)125 tls13_record_layer_wrec_free(struct tls13_record_layer *rl)
126 {
127 tls13_record_free(rl->wrec);
128 rl->wrec = NULL;
129 }
130
131 struct tls13_record_layer *
tls13_record_layer_new(const struct tls13_record_layer_callbacks * callbacks,void * cb_arg)132 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks,
133 void *cb_arg)
134 {
135 struct tls13_record_layer *rl;
136
137 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL)
138 goto err;
139
140 if ((rl->rcontent = tls_content_new()) == NULL)
141 goto err;
142
143 if ((rl->read = tls13_record_protection_new()) == NULL)
144 goto err;
145 if ((rl->write = tls13_record_protection_new()) == NULL)
146 goto err;
147
148 rl->legacy_version = TLS1_2_VERSION;
149
150 tls13_record_layer_set_callbacks(rl, callbacks, cb_arg);
151
152 return rl;
153
154 err:
155 tls13_record_layer_free(rl);
156
157 return NULL;
158 }
159
160 void
tls13_record_layer_free(struct tls13_record_layer * rl)161 tls13_record_layer_free(struct tls13_record_layer *rl)
162 {
163 if (rl == NULL)
164 return;
165
166 tls13_record_layer_rrec_free(rl);
167 tls13_record_layer_wrec_free(rl);
168
169 freezero(rl->alert_data, rl->alert_len);
170 freezero(rl->phh_data, rl->phh_len);
171
172 tls_content_free(rl->rcontent);
173
174 tls13_record_protection_free(rl->read);
175 tls13_record_protection_free(rl->write);
176
177 freezero(rl, sizeof(struct tls13_record_layer));
178 }
179
180 void
tls13_record_layer_set_callbacks(struct tls13_record_layer * rl,const struct tls13_record_layer_callbacks * callbacks,void * cb_arg)181 tls13_record_layer_set_callbacks(struct tls13_record_layer *rl,
182 const struct tls13_record_layer_callbacks *callbacks, void *cb_arg)
183 {
184 rl->cb = *callbacks;
185 rl->cb_arg = cb_arg;
186 }
187
188 void
tls13_record_layer_rcontent(struct tls13_record_layer * rl,CBS * cbs)189 tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs)
190 {
191 CBS_dup(tls_content_cbs(rl->rcontent), cbs);
192 }
193
194 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = {
195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
196 };
197
198 int
tls13_record_layer_inc_seq_num(uint8_t * seq_num)199 tls13_record_layer_inc_seq_num(uint8_t *seq_num)
200 {
201 int i;
202
203 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */
204 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0)
205 return 0;
206
207 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
208 if (++seq_num[i] != 0)
209 break;
210 }
211
212 return 1;
213 }
214
215 static int
tls13_record_layer_update_nonce(struct tls13_secret * nonce,struct tls13_secret * iv,uint8_t * seq_num)216 tls13_record_layer_update_nonce(struct tls13_secret *nonce,
217 struct tls13_secret *iv, uint8_t *seq_num)
218 {
219 ssize_t i, j;
220
221 if (nonce->len != iv->len)
222 return 0;
223
224 /*
225 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd
226 * with the IV to produce a per-record nonce. The IV will also be
227 * at least 8-bytes in length.
228 */
229 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--)
230 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0);
231
232 return 1;
233 }
234
235 void
tls13_record_layer_allow_ccs(struct tls13_record_layer * rl,int allow)236 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow)
237 {
238 rl->ccs_allowed = allow;
239 }
240
241 void
tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer * rl,int allow)242 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow)
243 {
244 rl->legacy_alerts_allowed = allow;
245 }
246
247 void
tls13_record_layer_set_aead(struct tls13_record_layer * rl,const EVP_AEAD * aead)248 tls13_record_layer_set_aead(struct tls13_record_layer *rl,
249 const EVP_AEAD *aead)
250 {
251 rl->aead = aead;
252 }
253
254 void
tls13_record_layer_set_hash(struct tls13_record_layer * rl,const EVP_MD * hash)255 tls13_record_layer_set_hash(struct tls13_record_layer *rl,
256 const EVP_MD *hash)
257 {
258 rl->hash = hash;
259 }
260
261 void
tls13_record_layer_set_legacy_version(struct tls13_record_layer * rl,uint16_t version)262 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl,
263 uint16_t version)
264 {
265 rl->legacy_version = version;
266 }
267
268 void
tls13_record_layer_handshake_completed(struct tls13_record_layer * rl)269 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl)
270 {
271 rl->handshake_completed = 1;
272 }
273
274 void
tls13_record_layer_set_retry_after_phh(struct tls13_record_layer * rl,int retry)275 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry)
276 {
277 rl->phh_retry = retry;
278 }
279
280 static ssize_t
tls13_record_layer_process_alert(struct tls13_record_layer * rl)281 tls13_record_layer_process_alert(struct tls13_record_layer *rl)
282 {
283 uint8_t alert_level, alert_desc;
284 ssize_t ret = TLS13_IO_FAILURE;
285
286 /*
287 * RFC 8446 - sections 5.1 and 6.
288 *
289 * A TLSv1.3 alert record can only contain a single alert - this means
290 * that processing the alert must consume all of the record. The alert
291 * will result in one of three things - continuation (user_cancelled),
292 * read channel closure (close_notify) or termination (all others).
293 */
294 if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT)
295 return TLS13_IO_FAILURE;
296
297 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level))
298 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
299 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc))
300 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
301
302 if (tls_content_remaining(rl->rcontent) != 0)
303 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
304
305 tls_content_clear(rl->rcontent);
306
307 /*
308 * Alert level is ignored for closure alerts (RFC 8446 section 6.1),
309 * however for error alerts (RFC 8446 section 6.2), the alert level
310 * must be specified as fatal.
311 */
312 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
313 rl->read_closed = 1;
314 ret = TLS13_IO_EOF;
315 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) {
316 /* Ignored at the record layer. */
317 ret = TLS13_IO_WANT_RETRY;
318 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) {
319 rl->read_closed = 1;
320 rl->write_closed = 1;
321 ret = TLS13_IO_ALERT;
322 } else if (rl->legacy_alerts_allowed &&
323 alert_level == TLS13_ALERT_LEVEL_WARNING) {
324 /* Ignored and not passed to the callback. */
325 return TLS13_IO_WANT_RETRY;
326 } else {
327 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
328 }
329
330 rl->cb.alert_recv(alert_level, alert_desc, rl->cb_arg);
331
332 return ret;
333 }
334
335 static ssize_t
tls13_record_layer_send_alert(struct tls13_record_layer * rl)336 tls13_record_layer_send_alert(struct tls13_record_layer *rl)
337 {
338 ssize_t ret;
339
340 /* This has to fit into a single record, per RFC 8446 section 5.1. */
341 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT,
342 rl->alert_data, rl->alert_len)) != rl->alert_len) {
343 if (ret == TLS13_IO_EOF)
344 ret = TLS13_IO_ALERT;
345 return ret;
346 }
347
348 freezero(rl->alert_data, rl->alert_len);
349 rl->alert_data = NULL;
350 rl->alert_len = 0;
351
352 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
353 rl->write_closed = 1;
354 ret = TLS13_IO_SUCCESS;
355 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) {
356 /* Ignored at the record layer. */
357 ret = TLS13_IO_SUCCESS;
358 } else {
359 rl->read_closed = 1;
360 rl->write_closed = 1;
361 ret = TLS13_IO_ALERT;
362 }
363
364 rl->cb.alert_sent(rl->alert_level, rl->alert_desc, rl->cb_arg);
365
366 return ret;
367 }
368
369 static ssize_t
tls13_record_layer_send_phh(struct tls13_record_layer * rl)370 tls13_record_layer_send_phh(struct tls13_record_layer *rl)
371 {
372 ssize_t ret;
373
374 /* Push out pending post-handshake handshake messages. */
375 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE,
376 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0)
377 return ret;
378 if (!CBS_skip(&rl->phh_cbs, ret))
379 return TLS13_IO_FAILURE;
380 if (CBS_len(&rl->phh_cbs) != 0)
381 return TLS13_IO_WANT_RETRY;
382
383 freezero(rl->phh_data, rl->phh_len);
384 rl->phh_data = NULL;
385 rl->phh_len = 0;
386
387 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
388
389 rl->cb.phh_sent(rl->cb_arg);
390
391 return TLS13_IO_SUCCESS;
392 }
393
394 ssize_t
tls13_record_layer_send_pending(struct tls13_record_layer * rl)395 tls13_record_layer_send_pending(struct tls13_record_layer *rl)
396 {
397 /*
398 * If an alert is pending, then it needs to be sent. However,
399 * if we're already part of the way through sending post-handshake
400 * handshake messages, then we need to finish that first...
401 */
402
403 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len)
404 return tls13_record_layer_send_phh(rl);
405
406 if (rl->alert_data != NULL)
407 return tls13_record_layer_send_alert(rl);
408
409 if (rl->phh_data != NULL)
410 return tls13_record_layer_send_phh(rl);
411
412 return TLS13_IO_SUCCESS;
413 }
414
415 static ssize_t
tls13_record_layer_enqueue_alert(struct tls13_record_layer * rl,uint8_t alert_level,uint8_t alert_desc)416 tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl,
417 uint8_t alert_level, uint8_t alert_desc)
418 {
419 CBB cbb;
420
421 if (rl->alert_data != NULL)
422 return TLS13_IO_FAILURE;
423
424 if (!CBB_init(&cbb, 0))
425 goto err;
426
427 if (!CBB_add_u8(&cbb, alert_level))
428 goto err;
429 if (!CBB_add_u8(&cbb, alert_desc))
430 goto err;
431 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
432 goto err;
433
434 rl->alert_level = alert_level;
435 rl->alert_desc = alert_desc;
436
437 return tls13_record_layer_send_pending(rl);
438
439 err:
440 CBB_cleanup(&cbb);
441
442 return TLS13_IO_FAILURE;
443 }
444
445 ssize_t
tls13_record_layer_phh(struct tls13_record_layer * rl,CBS * cbs)446 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs)
447 {
448 if (rl->phh_data != NULL)
449 return TLS13_IO_FAILURE;
450
451 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len))
452 return TLS13_IO_FAILURE;
453
454 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
455
456 return tls13_record_layer_send_pending(rl);
457 }
458
459 static int
tls13_record_layer_set_traffic_key(const EVP_AEAD * aead,const EVP_MD * hash,struct tls13_record_protection * rp,struct tls13_secret * traffic_key)460 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash,
461 struct tls13_record_protection *rp, struct tls13_secret *traffic_key)
462 {
463 struct tls13_secret context = { .data = "", .len = 0 };
464 struct tls13_secret key = { .data = NULL, .len = 0 };
465 int ret = 0;
466
467 tls13_record_protection_clear(rp);
468
469 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL)
470 return 0;
471
472 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead)))
473 goto err;
474 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead)))
475 goto err;
476 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead)))
477 goto err;
478
479 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context))
480 goto err;
481 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))
482 goto err;
483
484 if (!EVP_AEAD_CTX_init(rp->aead_ctx, aead, key.data, key.len,
485 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
486 goto err;
487
488 ret = 1;
489
490 err:
491 tls13_secret_cleanup(&key);
492
493 return ret;
494 }
495
496 int
tls13_record_layer_set_read_traffic_key(struct tls13_record_layer * rl,struct tls13_secret * read_key,enum ssl_encryption_level_t read_level)497 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
498 struct tls13_secret *read_key, enum ssl_encryption_level_t read_level)
499 {
500 if (rl->cb.set_read_traffic_key != NULL)
501 return rl->cb.set_read_traffic_key(read_key, read_level,
502 rl->cb_arg);
503
504 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
505 rl->read, read_key);
506 }
507
508 int
tls13_record_layer_set_write_traffic_key(struct tls13_record_layer * rl,struct tls13_secret * write_key,enum ssl_encryption_level_t write_level)509 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
510 struct tls13_secret *write_key, enum ssl_encryption_level_t write_level)
511 {
512 if (rl->cb.set_write_traffic_key != NULL)
513 return rl->cb.set_write_traffic_key(write_key, write_level,
514 rl->cb_arg);
515
516 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
517 rl->write, write_key);
518 }
519
520 static int
tls13_record_layer_open_record_plaintext(struct tls13_record_layer * rl)521 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl)
522 {
523 CBS cbs;
524
525 if (rl->aead != NULL)
526 return 0;
527
528 /*
529 * We're still operating in plaintext mode, so just copy the
530 * content from the record to the plaintext buffer.
531 */
532 if (!tls13_record_content(rl->rrec, &cbs))
533 return 0;
534
535 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
536 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
537 return 0;
538 }
539
540 if (!tls_content_dup_data(rl->rcontent,
541 tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs)))
542 return 0;
543
544 return 1;
545 }
546
547 static int
tls13_record_layer_open_record_protected(struct tls13_record_layer * rl)548 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
549 {
550 CBS header, enc_record, inner;
551 uint8_t *content = NULL;
552 size_t content_len = 0;
553 uint8_t content_type;
554 size_t out_len;
555
556 if (rl->aead == NULL)
557 goto err;
558
559 if (!tls13_record_header(rl->rrec, &header))
560 goto err;
561 if (!tls13_record_content(rl->rrec, &enc_record))
562 goto err;
563
564 /* XXX - minus tag len? */
565 if ((content = calloc(1, CBS_len(&enc_record))) == NULL)
566 goto err;
567 content_len = CBS_len(&enc_record);
568
569 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv,
570 rl->read->seq_num))
571 goto err;
572
573 if (!EVP_AEAD_CTX_open(rl->read->aead_ctx,
574 content, &out_len, content_len,
575 rl->read->nonce.data, rl->read->nonce.len,
576 CBS_data(&enc_record), CBS_len(&enc_record),
577 CBS_data(&header), CBS_len(&header)))
578 goto err;
579
580 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) {
581 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
582 goto err;
583 }
584
585 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num))
586 goto err;
587
588 /*
589 * The real content type is hidden at the end of the record content and
590 * it may be followed by padding that consists of one or more zeroes.
591 * Time to hunt for that elusive content type!
592 */
593 CBS_init(&inner, content, out_len);
594 content_type = 0;
595 while (CBS_get_last_u8(&inner, &content_type)) {
596 if (content_type != 0)
597 break;
598 }
599 if (content_type == 0) {
600 /* Unexpected message per RFC 8446 section 5.4. */
601 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
602 goto err;
603 }
604 if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
605 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
606 goto err;
607 }
608
609 tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner),
610 CBS_len(&inner));
611
612 return 1;
613
614 err:
615 freezero(content, content_len);
616
617 return 0;
618 }
619
620 static int
tls13_record_layer_open_record(struct tls13_record_layer * rl)621 tls13_record_layer_open_record(struct tls13_record_layer *rl)
622 {
623 if (rl->handshake_completed && rl->aead == NULL)
624 return 0;
625
626 if (rl->aead == NULL)
627 return tls13_record_layer_open_record_plaintext(rl);
628
629 return tls13_record_layer_open_record_protected(rl);
630 }
631
632 static int
tls13_record_layer_seal_record_plaintext(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)633 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl,
634 uint8_t content_type, const uint8_t *content, size_t content_len)
635 {
636 uint8_t *data = NULL;
637 size_t data_len = 0;
638 CBB cbb, body;
639
640 /*
641 * Allow dummy CCS messages to be sent in plaintext even when
642 * record protection has been engaged, as long as the handshake
643 * has not yet completed.
644 */
645 if (rl->handshake_completed)
646 return 0;
647 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC)
648 return 0;
649
650 /*
651 * We're still operating in plaintext mode, so just copy the
652 * content into the record.
653 */
654 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len))
655 goto err;
656
657 if (!CBB_add_u8(&cbb, content_type))
658 goto err;
659 if (!CBB_add_u16(&cbb, rl->legacy_version))
660 goto err;
661 if (!CBB_add_u16_length_prefixed(&cbb, &body))
662 goto err;
663 if (!CBB_add_bytes(&body, content, content_len))
664 goto err;
665
666 if (!CBB_finish(&cbb, &data, &data_len))
667 goto err;
668
669 if (!tls13_record_set_data(rl->wrec, data, data_len))
670 goto err;
671
672 rl->wrec_content_len = content_len;
673 rl->wrec_content_type = content_type;
674
675 return 1;
676
677 err:
678 CBB_cleanup(&cbb);
679 freezero(data, data_len);
680
681 return 0;
682 }
683
684 static int
tls13_record_layer_seal_record_protected(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)685 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
686 uint8_t content_type, const uint8_t *content, size_t content_len)
687 {
688 uint8_t *data = NULL, *header = NULL, *inner = NULL;
689 size_t data_len = 0, header_len = 0, inner_len = 0;
690 uint8_t *enc_record;
691 size_t enc_record_len;
692 ssize_t ret = 0;
693 size_t out_len;
694 CBB cbb;
695
696 if (rl->aead == NULL)
697 return 0;
698
699 memset(&cbb, 0, sizeof(cbb));
700
701 /* Build inner plaintext. */
702 if (!CBB_init(&cbb, content_len + 1))
703 goto err;
704 if (!CBB_add_bytes(&cbb, content, content_len))
705 goto err;
706 if (!CBB_add_u8(&cbb, content_type))
707 goto err;
708 /* XXX - padding? */
709 if (!CBB_finish(&cbb, &inner, &inner_len))
710 goto err;
711
712 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN)
713 goto err;
714
715 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
716 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead);
717 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN)
718 goto err;
719
720 /* Build the record header. */
721 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN))
722 goto err;
723 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA))
724 goto err;
725 if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
726 goto err;
727 if (!CBB_add_u16(&cbb, enc_record_len))
728 goto err;
729 if (!CBB_finish(&cbb, &header, &header_len))
730 goto err;
731
732 /* Build the actual record. */
733 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len))
734 goto err;
735 if (!CBB_add_bytes(&cbb, header, header_len))
736 goto err;
737 if (!CBB_add_space(&cbb, &enc_record, enc_record_len))
738 goto err;
739 if (!CBB_finish(&cbb, &data, &data_len))
740 goto err;
741
742 if (!tls13_record_layer_update_nonce(&rl->write->nonce,
743 &rl->write->iv, rl->write->seq_num))
744 goto err;
745
746 /*
747 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec...
748 * this would avoid a copy since the inner would be passed as two
749 * separate pieces.
750 */
751 if (!EVP_AEAD_CTX_seal(rl->write->aead_ctx,
752 enc_record, &out_len, enc_record_len,
753 rl->write->nonce.data, rl->write->nonce.len,
754 inner, inner_len, header, header_len))
755 goto err;
756
757 if (out_len != enc_record_len)
758 goto err;
759
760 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num))
761 goto err;
762
763 if (!tls13_record_set_data(rl->wrec, data, data_len))
764 goto err;
765
766 rl->wrec_content_len = content_len;
767 rl->wrec_content_type = content_type;
768
769 data = NULL;
770 data_len = 0;
771
772 ret = 1;
773
774 err:
775 CBB_cleanup(&cbb);
776
777 freezero(data, data_len);
778 freezero(header, header_len);
779 freezero(inner, inner_len);
780
781 return ret;
782 }
783
784 static int
tls13_record_layer_seal_record(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)785 tls13_record_layer_seal_record(struct tls13_record_layer *rl,
786 uint8_t content_type, const uint8_t *content, size_t content_len)
787 {
788 if (rl->handshake_completed && rl->aead == NULL)
789 return 0;
790
791 tls13_record_layer_wrec_free(rl);
792
793 if ((rl->wrec = tls13_record_new()) == NULL)
794 return 0;
795
796 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC)
797 return tls13_record_layer_seal_record_plaintext(rl,
798 content_type, content, content_len);
799
800 return tls13_record_layer_seal_record_protected(rl, content_type,
801 content, content_len);
802 }
803
804 static ssize_t
tls13_record_layer_read_record(struct tls13_record_layer * rl)805 tls13_record_layer_read_record(struct tls13_record_layer *rl)
806 {
807 uint8_t content_type, ccs;
808 ssize_t ret;
809 CBS cbs;
810
811 if (rl->rrec == NULL) {
812 if ((rl->rrec = tls13_record_new()) == NULL)
813 goto err;
814 }
815
816 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
817 switch (ret) {
818 case TLS13_IO_RECORD_VERSION:
819 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
820 case TLS13_IO_RECORD_OVERFLOW:
821 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW);
822 }
823 return ret;
824 }
825
826 content_type = tls13_record_content_type(rl->rrec);
827
828 /*
829 * In response to a client hello we may receive an alert in a
830 * record with a legacy version. Otherwise enforce that the
831 * legacy record version is 0x0303 per RFC 8446, section 5.1.
832 */
833 if (rl->legacy_version == TLS1_2_VERSION &&
834 tls13_record_version(rl->rrec) != TLS1_2_VERSION &&
835 (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed))
836 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
837
838 /*
839 * Bag of hacks ahead... after the first ClientHello message has been
840 * sent or received and before the peer's Finished message has been
841 * received, we may receive an unencrypted ChangeCipherSpec record
842 * (see RFC 8446 section 5 and appendix D.4). This record must be
843 * ignored.
844 */
845 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
846 if (!rl->ccs_allowed || rl->ccs_seen >= 2)
847 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
848 if (!tls13_record_content(rl->rrec, &cbs))
849 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
850 if (!CBS_get_u8(&cbs, &ccs))
851 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
852 if (ccs != 1)
853 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
854 if (CBS_len(&cbs) != 0)
855 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
856 rl->ccs_seen++;
857 tls13_record_layer_rrec_free(rl);
858 return TLS13_IO_WANT_RETRY;
859 }
860
861 /*
862 * Once record protection is engaged, we should only receive
863 * protected application data messages (aside from the
864 * dummy ChangeCipherSpec messages, handled above).
865 */
866 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA)
867 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
868
869 if (!tls13_record_layer_open_record(rl))
870 goto err;
871
872 tls13_record_layer_rrec_free(rl);
873
874 /*
875 * On receiving a handshake or alert record with empty inner plaintext,
876 * we must terminate the connection with an unexpected_message alert.
877 * See RFC 8446 section 5.4.
878 */
879 if (tls_content_remaining(rl->rcontent) == 0 &&
880 (tls_content_type(rl->rcontent) == SSL3_RT_ALERT ||
881 tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE))
882 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
883
884 switch (tls_content_type(rl->rcontent)) {
885 case SSL3_RT_ALERT:
886 return tls13_record_layer_process_alert(rl);
887
888 case SSL3_RT_HANDSHAKE:
889 break;
890
891 case SSL3_RT_APPLICATION_DATA:
892 if (!rl->handshake_completed)
893 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
894 break;
895
896 default:
897 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
898 }
899
900 return TLS13_IO_SUCCESS;
901
902 err:
903 return TLS13_IO_FAILURE;
904 }
905
906 static ssize_t
tls13_record_layer_pending(struct tls13_record_layer * rl,uint8_t content_type)907 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type)
908 {
909 if (tls_content_type(rl->rcontent) != content_type)
910 return 0;
911
912 return tls_content_remaining(rl->rcontent);
913 }
914
915 static ssize_t
tls13_record_layer_recv_phh(struct tls13_record_layer * rl)916 tls13_record_layer_recv_phh(struct tls13_record_layer *rl)
917 {
918 ssize_t ret = TLS13_IO_FAILURE;
919
920 rl->phh = 1;
921
922 /*
923 * The post handshake handshake receive callback is allowed to return:
924 *
925 * TLS13_IO_WANT_POLLIN need more handshake data.
926 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued.
927 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do.
928 * TLS13_IO_FAILURE something broke.
929 */
930 if (rl->cb.phh_recv != NULL)
931 ret = rl->cb.phh_recv(rl->cb_arg);
932
933 tls_content_clear(rl->rcontent);
934
935 /* Leave post handshake handshake mode unless we need more data. */
936 if (ret != TLS13_IO_WANT_POLLIN)
937 rl->phh = 0;
938
939 if (ret == TLS13_IO_SUCCESS) {
940 if (rl->phh_retry)
941 return TLS13_IO_WANT_RETRY;
942
943 return TLS13_IO_WANT_POLLIN;
944 }
945
946 return ret;
947 }
948
949 static ssize_t
tls13_record_layer_read_internal(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n,int peek)950 tls13_record_layer_read_internal(struct tls13_record_layer *rl,
951 uint8_t content_type, uint8_t *buf, size_t n, int peek)
952 {
953 ssize_t ret;
954
955 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
956 return ret;
957
958 if (rl->read_closed)
959 return TLS13_IO_EOF;
960
961 /* If necessary, pull up the next record. */
962 if (tls_content_remaining(rl->rcontent) == 0) {
963 if ((ret = tls13_record_layer_read_record(rl)) <= 0)
964 return ret;
965
966 /*
967 * We may have read a valid 0-byte application data record,
968 * in which case we need to read the next record.
969 */
970 if (tls_content_remaining(rl->rcontent) == 0)
971 return TLS13_IO_WANT_POLLIN;
972 }
973
974 /*
975 * If we are in post handshake handshake mode, we must not see
976 * any record type that isn't a handshake until we are done.
977 */
978 if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE)
979 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
980
981 /*
982 * Handshake content can appear as post-handshake messages (yup,
983 * the RFC reused the same content type...), which means we can
984 * be trying to read application data and need to handle a
985 * post-handshake handshake message instead...
986 */
987 if (tls_content_type(rl->rcontent) != content_type) {
988 if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE) {
989 if (rl->handshake_completed)
990 return tls13_record_layer_recv_phh(rl);
991 }
992 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
993 }
994
995 if (peek)
996 return tls_content_peek(rl->rcontent, buf, n);
997
998 return tls_content_read(rl->rcontent, buf, n);
999 }
1000
1001 static ssize_t
tls13_record_layer_peek(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n)1002 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type,
1003 uint8_t *buf, size_t n)
1004 {
1005 ssize_t ret;
1006
1007 do {
1008 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1);
1009 } while (ret == TLS13_IO_WANT_RETRY);
1010
1011 if (rl->alert != 0)
1012 return tls13_send_alert(rl, rl->alert);
1013
1014 return ret;
1015 }
1016
1017 static ssize_t
tls13_record_layer_read(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n)1018 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
1019 uint8_t *buf, size_t n)
1020 {
1021 ssize_t ret;
1022
1023 do {
1024 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0);
1025 } while (ret == TLS13_IO_WANT_RETRY);
1026
1027 if (rl->alert != 0)
1028 return tls13_send_alert(rl, rl->alert);
1029
1030 return ret;
1031 }
1032
1033 static ssize_t
tls13_record_layer_write_record(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)1034 tls13_record_layer_write_record(struct tls13_record_layer *rl,
1035 uint8_t content_type, const uint8_t *content, size_t content_len)
1036 {
1037 ssize_t ret;
1038
1039 if (rl->write_closed)
1040 return TLS13_IO_EOF;
1041
1042 /*
1043 * If we pushed out application data while handling other messages,
1044 * we need to return content length on the next call.
1045 */
1046 if (content_type == SSL3_RT_APPLICATION_DATA &&
1047 rl->wrec_appdata_len != 0) {
1048 ret = rl->wrec_appdata_len;
1049 rl->wrec_appdata_len = 0;
1050 return ret;
1051 }
1052
1053 /* See if there is an existing record and attempt to push it out... */
1054 if (rl->wrec != NULL) {
1055 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write,
1056 rl->cb_arg)) <= 0)
1057 return ret;
1058 tls13_record_layer_wrec_free(rl);
1059
1060 if (rl->wrec_content_type == content_type) {
1061 ret = rl->wrec_content_len;
1062 rl->wrec_content_len = 0;
1063 rl->wrec_content_type = 0;
1064 return ret;
1065 }
1066
1067 /*
1068 * The only partial record type should be application data.
1069 * All other cases are handled to completion.
1070 */
1071 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA)
1072 return TLS13_IO_FAILURE;
1073 rl->wrec_appdata_len = rl->wrec_content_len;
1074 }
1075
1076 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1077 goto err;
1078
1079 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len))
1080 goto err;
1081
1082 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0)
1083 return ret;
1084
1085 tls13_record_layer_wrec_free(rl);
1086
1087 return content_len;
1088
1089 err:
1090 return TLS13_IO_FAILURE;
1091 }
1092
1093 static ssize_t
tls13_record_layer_write_chunk(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * buf,size_t n)1094 tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
1095 uint8_t content_type, const uint8_t *buf, size_t n)
1096 {
1097 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1098 n = TLS13_RECORD_MAX_PLAINTEXT_LEN;
1099
1100 return tls13_record_layer_write_record(rl, content_type, buf, n);
1101 }
1102
1103 static ssize_t
tls13_record_layer_write(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * buf,size_t n)1104 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
1105 const uint8_t *buf, size_t n)
1106 {
1107 ssize_t ret;
1108
1109 do {
1110 ret = tls13_record_layer_send_pending(rl);
1111 } while (ret == TLS13_IO_WANT_RETRY);
1112 if (ret != TLS13_IO_SUCCESS)
1113 return ret;
1114
1115 do {
1116 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n);
1117 } while (ret == TLS13_IO_WANT_RETRY);
1118
1119 return ret;
1120 }
1121
1122 ssize_t
tls13_record_layer_flush(struct tls13_record_layer * rl)1123 tls13_record_layer_flush(struct tls13_record_layer *rl)
1124 {
1125 return rl->cb.wire_flush(rl->cb_arg);
1126 }
1127
1128 static const uint8_t tls13_dummy_ccs[] = { 0x01 };
1129
1130 ssize_t
tls13_send_dummy_ccs(struct tls13_record_layer * rl)1131 tls13_send_dummy_ccs(struct tls13_record_layer *rl)
1132 {
1133 ssize_t ret;
1134
1135 if (rl->ccs_sent)
1136 return TLS13_IO_FAILURE;
1137
1138 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC,
1139 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0)
1140 return ret;
1141
1142 rl->ccs_sent = 1;
1143
1144 return TLS13_IO_SUCCESS;
1145 }
1146
1147 ssize_t
tls13_read_handshake_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1148 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1149 {
1150 if (rl->cb.handshake_read != NULL)
1151 return rl->cb.handshake_read(buf, n, rl->cb_arg);
1152
1153 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n);
1154 }
1155
1156 ssize_t
tls13_write_handshake_data(struct tls13_record_layer * rl,const uint8_t * buf,size_t n)1157 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
1158 size_t n)
1159 {
1160 if (rl->cb.handshake_write != NULL)
1161 return rl->cb.handshake_write(buf, n, rl->cb_arg);
1162
1163 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n);
1164 }
1165
1166 ssize_t
tls13_pending_application_data(struct tls13_record_layer * rl)1167 tls13_pending_application_data(struct tls13_record_layer *rl)
1168 {
1169 if (!rl->handshake_completed)
1170 return 0;
1171
1172 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA);
1173 }
1174
1175 ssize_t
tls13_peek_application_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1176 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1177 {
1178 if (!rl->handshake_completed)
1179 return TLS13_IO_FAILURE;
1180
1181 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1182 }
1183
1184 ssize_t
tls13_read_application_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1185 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1186 {
1187 if (!rl->handshake_completed)
1188 return TLS13_IO_FAILURE;
1189
1190 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1191 }
1192
1193 ssize_t
tls13_write_application_data(struct tls13_record_layer * rl,const uint8_t * buf,size_t n)1194 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf,
1195 size_t n)
1196 {
1197 if (!rl->handshake_completed)
1198 return TLS13_IO_FAILURE;
1199
1200 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1201 }
1202
1203 ssize_t
tls13_send_alert(struct tls13_record_layer * rl,uint8_t alert_desc)1204 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc)
1205 {
1206 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL;
1207 ssize_t ret;
1208
1209 if (rl->cb.alert_send != NULL)
1210 return rl->cb.alert_send(alert_desc, rl->cb_arg);
1211
1212 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY ||
1213 alert_desc == TLS13_ALERT_USER_CANCELED)
1214 alert_level = TLS13_ALERT_LEVEL_WARNING;
1215
1216 do {
1217 ret = tls13_record_layer_enqueue_alert(rl, alert_level,
1218 alert_desc);
1219 } while (ret == TLS13_IO_WANT_RETRY);
1220
1221 return ret;
1222 }
1223