summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_record_layer.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/tls13_record_layer.c')
-rw-r--r--src/lib/libssl/tls13_record_layer.c1224
1 files changed, 0 insertions, 1224 deletions
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
deleted file mode 100644
index 6556547353..0000000000
--- a/src/lib/libssl/tls13_record_layer.c
+++ /dev/null
@@ -1,1224 +0,0 @@
1/* $OpenBSD: tls13_record_layer.c,v 1.62 2021/06/08 18:05:47 tb Exp $ */
2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include "tls13_internal.h"
19#include "tls13_record.h"
20
21static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
22 uint8_t content_type, const uint8_t *buf, size_t n);
23static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
24 uint8_t content_type, const uint8_t *content, size_t content_len);
25
26struct tls13_record_protection {
27 EVP_AEAD_CTX aead_ctx;
28 struct tls13_secret iv;
29 struct tls13_secret nonce;
30 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN];
31};
32
33struct tls13_record_protection *
34tls13_record_protection_new(void)
35{
36 return calloc(1, sizeof(struct tls13_record_protection));
37}
38
39void
40tls13_record_protection_clear(struct tls13_record_protection *rp)
41{
42 EVP_AEAD_CTX_cleanup(&rp->aead_ctx);
43
44 tls13_secret_cleanup(&rp->iv);
45 tls13_secret_cleanup(&rp->nonce);
46
47 memset(rp->seq_num, 0, sizeof(rp->seq_num));
48}
49
50void
51tls13_record_protection_free(struct tls13_record_protection *rp)
52{
53 if (rp == NULL)
54 return;
55
56 tls13_record_protection_clear(rp);
57
58 freezero(rp, sizeof(struct tls13_record_protection));
59}
60
61struct tls13_record_layer {
62 uint16_t legacy_version;
63
64 int ccs_allowed;
65 int ccs_seen;
66 int ccs_sent;
67 int handshake_completed;
68 int legacy_alerts_allowed;
69 int phh;
70 int phh_retry;
71
72 /*
73 * Read and/or write channels are closed due to an alert being
74 * sent or received. In the case of an error alert both channels
75 * are closed, whereas in the case of a close notify only one
76 * channel is closed.
77 */
78 int read_closed;
79 int write_closed;
80
81 struct tls13_record *rrec;
82
83 struct tls13_record *wrec;
84 uint8_t wrec_content_type;
85 size_t wrec_appdata_len;
86 size_t wrec_content_len;
87
88 /* Alert to be sent on return from current read handler. */
89 uint8_t alert;
90
91 /* Pending alert messages. */
92 uint8_t *alert_data;
93 size_t alert_len;
94 uint8_t alert_level;
95 uint8_t alert_desc;
96
97 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */
98 CBS phh_cbs;
99 uint8_t *phh_data;
100 size_t phh_len;
101
102 /* Buffer containing plaintext from opened records. */
103 uint8_t rbuf_content_type;
104 uint8_t *rbuf;
105 size_t rbuf_len;
106 CBS rbuf_cbs;
107
108 /* Record protection. */
109 const EVP_MD *hash;
110 const EVP_AEAD *aead;
111 struct tls13_record_protection *read;
112 struct tls13_record_protection *write;
113
114 /* Callbacks. */
115 struct tls13_record_layer_callbacks cb;
116 void *cb_arg;
117};
118
119static void
120tls13_record_layer_rbuf_free(struct tls13_record_layer *rl)
121{
122 CBS_init(&rl->rbuf_cbs, NULL, 0);
123 freezero(rl->rbuf, rl->rbuf_len);
124 rl->rbuf = NULL;
125 rl->rbuf_len = 0;
126 rl->rbuf_content_type = 0;
127}
128
129static void
130tls13_record_layer_rrec_free(struct tls13_record_layer *rl)
131{
132 tls13_record_free(rl->rrec);
133 rl->rrec = NULL;
134}
135
136static void
137tls13_record_layer_wrec_free(struct tls13_record_layer *rl)
138{
139 tls13_record_free(rl->wrec);
140 rl->wrec = NULL;
141}
142
143struct tls13_record_layer *
144tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks,
145 void *cb_arg)
146{
147 struct tls13_record_layer *rl;
148
149 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL)
150 goto err;
151
152 if ((rl->read = tls13_record_protection_new()) == NULL)
153 goto err;
154 if ((rl->write = tls13_record_protection_new()) == NULL)
155 goto err;
156
157 rl->legacy_version = TLS1_2_VERSION;
158 rl->cb = *callbacks;
159 rl->cb_arg = cb_arg;
160
161 return rl;
162
163 err:
164 tls13_record_layer_free(rl);
165
166 return NULL;
167}
168
169void
170tls13_record_layer_free(struct tls13_record_layer *rl)
171{
172 if (rl == NULL)
173 return;
174
175 tls13_record_layer_rrec_free(rl);
176 tls13_record_layer_wrec_free(rl);
177
178 freezero(rl->alert_data, rl->alert_len);
179 freezero(rl->phh_data, rl->phh_len);
180
181 tls13_record_layer_rbuf_free(rl);
182
183 tls13_record_protection_free(rl->read);
184 tls13_record_protection_free(rl->write);
185
186 freezero(rl, sizeof(struct tls13_record_layer));
187}
188
189void
190tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs)
191{
192 CBS_dup(&rl->rbuf_cbs, cbs);
193}
194
195static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = {
196 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
197};
198
199int
200tls13_record_layer_inc_seq_num(uint8_t *seq_num)
201{
202 int i;
203
204 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */
205 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0)
206 return 0;
207
208 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
209 if (++seq_num[i] != 0)
210 break;
211 }
212
213 return 1;
214}
215
216static int
217tls13_record_layer_update_nonce(struct tls13_secret *nonce,
218 struct tls13_secret *iv, uint8_t *seq_num)
219{
220 ssize_t i, j;
221
222 if (nonce->len != iv->len)
223 return 0;
224
225 /*
226 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd
227 * with the IV to produce a per-record nonce. The IV will also be
228 * at least 8-bytes in length.
229 */
230 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--)
231 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0);
232
233 return 1;
234}
235
236void
237tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow)
238{
239 rl->ccs_allowed = allow;
240}
241
242void
243tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow)
244{
245 rl->legacy_alerts_allowed = allow;
246}
247
248void
249tls13_record_layer_set_aead(struct tls13_record_layer *rl,
250 const EVP_AEAD *aead)
251{
252 rl->aead = aead;
253}
254
255void
256tls13_record_layer_set_hash(struct tls13_record_layer *rl,
257 const EVP_MD *hash)
258{
259 rl->hash = hash;
260}
261
262void
263tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl,
264 uint16_t version)
265{
266 rl->legacy_version = version;
267}
268
269void
270tls13_record_layer_handshake_completed(struct tls13_record_layer *rl)
271{
272 rl->handshake_completed = 1;
273}
274
275void
276tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry)
277{
278 rl->phh_retry = retry;
279}
280
281static ssize_t
282tls13_record_layer_process_alert(struct tls13_record_layer *rl)
283{
284 uint8_t alert_level, alert_desc;
285 ssize_t ret = TLS13_IO_FAILURE;
286
287 /*
288 * RFC 8446 - sections 5.1 and 6.
289 *
290 * A TLSv1.3 alert record can only contain a single alert - this means
291 * that processing the alert must consume all of the record. The alert
292 * will result in one of three things - continuation (user_cancelled),
293 * read channel closure (close_notify) or termination (all others).
294 */
295 if (rl->rbuf == NULL)
296 return TLS13_IO_FAILURE;
297
298 if (rl->rbuf_content_type != SSL3_RT_ALERT)
299 return TLS13_IO_FAILURE;
300
301 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_level))
302 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
303
304 if (!CBS_get_u8(&rl->rbuf_cbs, &alert_desc))
305 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
306
307 if (CBS_len(&rl->rbuf_cbs) != 0)
308 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
309
310 tls13_record_layer_rbuf_free(rl);
311
312 /*
313 * Alert level is ignored for closure alerts (RFC 8446 section 6.1),
314 * however for error alerts (RFC 8446 section 6.2), the alert level
315 * must be specified as fatal.
316 */
317 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
318 rl->read_closed = 1;
319 ret = TLS13_IO_EOF;
320 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) {
321 /* Ignored at the record layer. */
322 ret = TLS13_IO_WANT_RETRY;
323 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) {
324 rl->read_closed = 1;
325 rl->write_closed = 1;
326 ret = TLS13_IO_ALERT;
327 } else if (rl->legacy_alerts_allowed &&
328 alert_level == TLS13_ALERT_LEVEL_WARNING) {
329 /* Ignored and not passed to the callback. */
330 return TLS13_IO_WANT_RETRY;
331 } else {
332 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
333 }
334
335 rl->cb.alert_recv(alert_desc, rl->cb_arg);
336
337 return ret;
338}
339
340static ssize_t
341tls13_record_layer_send_alert(struct tls13_record_layer *rl)
342{
343 ssize_t ret;
344
345 /* This has to fit into a single record, per RFC 8446 section 5.1. */
346 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT,
347 rl->alert_data, rl->alert_len)) != rl->alert_len) {
348 if (ret == TLS13_IO_EOF)
349 ret = TLS13_IO_ALERT;
350 return ret;
351 }
352
353 freezero(rl->alert_data, rl->alert_len);
354 rl->alert_data = NULL;
355 rl->alert_len = 0;
356
357 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
358 rl->write_closed = 1;
359 ret = TLS13_IO_SUCCESS;
360 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) {
361 /* Ignored at the record layer. */
362 ret = TLS13_IO_SUCCESS;
363 } else {
364 rl->read_closed = 1;
365 rl->write_closed = 1;
366 ret = TLS13_IO_ALERT;
367 }
368
369 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg);
370
371 return ret;
372}
373
374static ssize_t
375tls13_record_layer_send_phh(struct tls13_record_layer *rl)
376{
377 ssize_t ret;
378
379 /* Push out pending post-handshake handshake messages. */
380 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE,
381 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0)
382 return ret;
383 if (!CBS_skip(&rl->phh_cbs, ret))
384 return TLS13_IO_FAILURE;
385 if (CBS_len(&rl->phh_cbs) != 0)
386 return TLS13_IO_WANT_RETRY;
387
388 freezero(rl->phh_data, rl->phh_len);
389 rl->phh_data = NULL;
390 rl->phh_len = 0;
391
392 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
393
394 rl->cb.phh_sent(rl->cb_arg);
395
396 return TLS13_IO_SUCCESS;
397}
398
399ssize_t
400tls13_record_layer_send_pending(struct tls13_record_layer *rl)
401{
402 /*
403 * If an alert is pending, then it needs to be sent. However,
404 * if we're already part of the way through sending post-handshake
405 * handshake messages, then we need to finish that first...
406 */
407
408 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len)
409 return tls13_record_layer_send_phh(rl);
410
411 if (rl->alert_data != NULL)
412 return tls13_record_layer_send_alert(rl);
413
414 if (rl->phh_data != NULL)
415 return tls13_record_layer_send_phh(rl);
416
417 return TLS13_IO_SUCCESS;
418}
419
420static ssize_t
421tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl,
422 uint8_t alert_level, uint8_t alert_desc)
423{
424 CBB cbb;
425
426 if (rl->alert_data != NULL)
427 return TLS13_IO_FAILURE;
428
429 if (!CBB_init(&cbb, 0))
430 goto err;
431
432 if (!CBB_add_u8(&cbb, alert_level))
433 goto err;
434 if (!CBB_add_u8(&cbb, alert_desc))
435 goto err;
436 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
437 goto err;
438
439 rl->alert_level = alert_level;
440 rl->alert_desc = alert_desc;
441
442 return tls13_record_layer_send_pending(rl);
443
444 err:
445 CBB_cleanup(&cbb);
446
447 return TLS13_IO_FAILURE;
448}
449
450ssize_t
451tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs)
452{
453 if (rl->phh_data != NULL)
454 return TLS13_IO_FAILURE;
455
456 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len))
457 return TLS13_IO_FAILURE;
458
459 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
460
461 return tls13_record_layer_send_pending(rl);
462}
463
464static int
465tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash,
466 struct tls13_record_protection *rp, struct tls13_secret *traffic_key)
467{
468 struct tls13_secret context = { .data = "", .len = 0 };
469 struct tls13_secret key = { .data = NULL, .len = 0 };
470 int ret = 0;
471
472 tls13_record_protection_clear(rp);
473
474 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead)))
475 goto err;
476 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead)))
477 goto err;
478 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead)))
479 goto err;
480
481 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context))
482 goto err;
483 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))
484 goto err;
485
486 if (!EVP_AEAD_CTX_init(&rp->aead_ctx, aead, key.data, key.len,
487 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
488 goto err;
489
490 ret = 1;
491
492 err:
493 tls13_secret_cleanup(&key);
494
495 return ret;
496}
497
498int
499tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
500 struct tls13_secret *read_key)
501{
502 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
503 rl->read, read_key);
504}
505
506int
507tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
508 struct tls13_secret *write_key)
509{
510 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
511 rl->write, write_key);
512}
513
514static int
515tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl)
516{
517 CBS cbs;
518
519 if (rl->aead != NULL)
520 return 0;
521
522 /*
523 * We're still operating in plaintext mode, so just copy the
524 * content from the record to the plaintext buffer.
525 */
526 if (!tls13_record_content(rl->rrec, &cbs))
527 return 0;
528
529 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
530 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
531 return 0;
532 }
533
534 tls13_record_layer_rbuf_free(rl);
535
536 if (!CBS_stow(&cbs, &rl->rbuf, &rl->rbuf_len))
537 return 0;
538
539 rl->rbuf_content_type = tls13_record_content_type(rl->rrec);
540
541 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len);
542
543 return 1;
544}
545
546static int
547tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
548{
549 CBS header, enc_record;
550 ssize_t inner_len;
551 uint8_t *content = NULL;
552 size_t content_len = 0;
553 uint8_t content_type;
554 size_t out_len;
555
556 if (rl->aead == NULL)
557 goto err;
558
559 if (!tls13_record_header(rl->rrec, &header))
560 goto err;
561 if (!tls13_record_content(rl->rrec, &enc_record))
562 goto err;
563
564 if ((content = calloc(1, CBS_len(&enc_record))) == NULL)
565 goto err;
566 content_len = CBS_len(&enc_record);
567
568 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv,
569 rl->read->seq_num))
570 goto err;
571
572 if (!EVP_AEAD_CTX_open(&rl->read->aead_ctx,
573 content, &out_len, content_len,
574 rl->read->nonce.data, rl->read->nonce.len,
575 CBS_data(&enc_record), CBS_len(&enc_record),
576 CBS_data(&header), CBS_len(&header)))
577 goto err;
578
579 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) {
580 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
581 goto err;
582 }
583
584 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num))
585 goto err;
586
587 /*
588 * The real content type is hidden at the end of the record content and
589 * it may be followed by padding that consists of one or more zeroes.
590 * Time to hunt for that elusive content type!
591 */
592 /* XXX - CBS from end? CBS_get_end_u8()? */
593 inner_len = out_len - 1;
594 while (inner_len >= 0 && content[inner_len] == 0)
595 inner_len--;
596 if (inner_len < 0) {
597 /* Unexpected message per RFC 8446 section 5.4. */
598 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
599 goto err;
600 }
601 if (inner_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
602 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
603 goto err;
604 }
605 content_type = content[inner_len];
606
607 tls13_record_layer_rbuf_free(rl);
608
609 rl->rbuf_content_type = content_type;
610 rl->rbuf = content;
611 rl->rbuf_len = inner_len;
612
613 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len);
614
615 return 1;
616
617 err:
618 freezero(content, content_len);
619
620 return 0;
621}
622
623static int
624tls13_record_layer_open_record(struct tls13_record_layer *rl)
625{
626 if (rl->handshake_completed && rl->aead == NULL)
627 return 0;
628
629 if (rl->aead == NULL)
630 return tls13_record_layer_open_record_plaintext(rl);
631
632 return tls13_record_layer_open_record_protected(rl);
633}
634
635static int
636tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl,
637 uint8_t content_type, const uint8_t *content, size_t content_len)
638{
639 uint8_t *data = NULL;
640 size_t data_len = 0;
641 CBB cbb, body;
642
643 /*
644 * Allow dummy CCS messages to be sent in plaintext even when
645 * record protection has been engaged, as long as the handshake
646 * has not yet completed.
647 */
648 if (rl->handshake_completed)
649 return 0;
650 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC)
651 return 0;
652
653 /*
654 * We're still operating in plaintext mode, so just copy the
655 * content into the record.
656 */
657 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len))
658 goto err;
659
660 if (!CBB_add_u8(&cbb, content_type))
661 goto err;
662 if (!CBB_add_u16(&cbb, rl->legacy_version))
663 goto err;
664 if (!CBB_add_u16_length_prefixed(&cbb, &body))
665 goto err;
666 if (!CBB_add_bytes(&body, content, content_len))
667 goto err;
668
669 if (!CBB_finish(&cbb, &data, &data_len))
670 goto err;
671
672 if (!tls13_record_set_data(rl->wrec, data, data_len))
673 goto err;
674
675 rl->wrec_content_len = content_len;
676 rl->wrec_content_type = content_type;
677
678 return 1;
679
680 err:
681 CBB_cleanup(&cbb);
682 freezero(data, data_len);
683
684 return 0;
685}
686
687static int
688tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
689 uint8_t content_type, const uint8_t *content, size_t content_len)
690{
691 uint8_t *data = NULL, *header = NULL, *inner = NULL;
692 size_t data_len = 0, header_len = 0, inner_len = 0;
693 uint8_t *enc_record;
694 size_t enc_record_len;
695 ssize_t ret = 0;
696 size_t out_len;
697 CBB cbb;
698
699 if (rl->aead == NULL)
700 return 0;
701
702 memset(&cbb, 0, sizeof(cbb));
703
704 /* Build inner plaintext. */
705 if (!CBB_init(&cbb, content_len + 1))
706 goto err;
707 if (!CBB_add_bytes(&cbb, content, content_len))
708 goto err;
709 if (!CBB_add_u8(&cbb, content_type))
710 goto err;
711 /* XXX - padding? */
712 if (!CBB_finish(&cbb, &inner, &inner_len))
713 goto err;
714
715 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN)
716 goto err;
717
718 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
719 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead);
720 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN)
721 goto err;
722
723 /* Build the record header. */
724 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN))
725 goto err;
726 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA))
727 goto err;
728 if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
729 goto err;
730 if (!CBB_add_u16(&cbb, enc_record_len))
731 goto err;
732 if (!CBB_finish(&cbb, &header, &header_len))
733 goto err;
734
735 /* Build the actual record. */
736 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len))
737 goto err;
738 if (!CBB_add_bytes(&cbb, header, header_len))
739 goto err;
740 if (!CBB_add_space(&cbb, &enc_record, enc_record_len))
741 goto err;
742 if (!CBB_finish(&cbb, &data, &data_len))
743 goto err;
744
745 if (!tls13_record_layer_update_nonce(&rl->write->nonce,
746 &rl->write->iv, rl->write->seq_num))
747 goto err;
748
749 /*
750 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec...
751 * this would avoid a copy since the inner would be passed as two
752 * separate pieces.
753 */
754 if (!EVP_AEAD_CTX_seal(&rl->write->aead_ctx,
755 enc_record, &out_len, enc_record_len,
756 rl->write->nonce.data, rl->write->nonce.len,
757 inner, inner_len, header, header_len))
758 goto err;
759
760 if (out_len != enc_record_len)
761 goto err;
762
763 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num))
764 goto err;
765
766 if (!tls13_record_set_data(rl->wrec, data, data_len))
767 goto err;
768
769 rl->wrec_content_len = content_len;
770 rl->wrec_content_type = content_type;
771
772 data = NULL;
773 data_len = 0;
774
775 ret = 1;
776
777 err:
778 CBB_cleanup(&cbb);
779
780 freezero(data, data_len);
781 freezero(header, header_len);
782 freezero(inner, inner_len);
783
784 return ret;
785}
786
787static int
788tls13_record_layer_seal_record(struct tls13_record_layer *rl,
789 uint8_t content_type, const uint8_t *content, size_t content_len)
790{
791 if (rl->handshake_completed && rl->aead == NULL)
792 return 0;
793
794 tls13_record_layer_wrec_free(rl);
795
796 if ((rl->wrec = tls13_record_new()) == NULL)
797 return 0;
798
799 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC)
800 return tls13_record_layer_seal_record_plaintext(rl,
801 content_type, content, content_len);
802
803 return tls13_record_layer_seal_record_protected(rl, content_type,
804 content, content_len);
805}
806
807static ssize_t
808tls13_record_layer_read_record(struct tls13_record_layer *rl)
809{
810 uint8_t content_type, ccs;
811 ssize_t ret;
812 CBS cbs;
813
814 if (rl->rrec == NULL) {
815 if ((rl->rrec = tls13_record_new()) == NULL)
816 goto err;
817 }
818
819 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
820 switch (ret) {
821 case TLS13_IO_RECORD_VERSION:
822 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
823 case TLS13_IO_RECORD_OVERFLOW:
824 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW);
825 }
826 return ret;
827 }
828
829 content_type = tls13_record_content_type(rl->rrec);
830
831 /*
832 * In response to a client hello we may receive an alert in a
833 * record with a legacy version. Otherwise enforce that the
834 * legacy record version is 0x0303 per RFC 8446, section 5.1.
835 */
836 if (rl->legacy_version == TLS1_2_VERSION &&
837 tls13_record_version(rl->rrec) != TLS1_2_VERSION &&
838 (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed))
839 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
840
841 /*
842 * Bag of hacks ahead... after the first ClientHello message has been
843 * sent or received and before the peer's Finished message has been
844 * received, we may receive an unencrypted ChangeCipherSpec record
845 * (see RFC 8446 section 5 and appendix D.4). This record must be
846 * ignored.
847 */
848 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
849 if (!rl->ccs_allowed || rl->ccs_seen >= 2)
850 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
851 if (!tls13_record_content(rl->rrec, &cbs))
852 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
853 if (!CBS_get_u8(&cbs, &ccs))
854 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
855 if (ccs != 1)
856 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
857 rl->ccs_seen++;
858 tls13_record_layer_rrec_free(rl);
859 return TLS13_IO_WANT_RETRY;
860 }
861
862 /*
863 * Once record protection is engaged, we should only receive
864 * protected application data messages (aside from the
865 * dummy ChangeCipherSpec messages, handled above).
866 */
867 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA)
868 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
869
870 if (!tls13_record_layer_open_record(rl))
871 goto err;
872
873 tls13_record_layer_rrec_free(rl);
874
875 /*
876 * On receiving a handshake or alert record with empty inner plaintext,
877 * we must terminate the connection with an unexpected_message alert.
878 * See RFC 8446 section 5.4.
879 */
880 if (CBS_len(&rl->rbuf_cbs) == 0 &&
881 (rl->rbuf_content_type == SSL3_RT_ALERT ||
882 rl->rbuf_content_type == SSL3_RT_HANDSHAKE))
883 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
884
885 switch (rl->rbuf_content_type) {
886 case SSL3_RT_ALERT:
887 return tls13_record_layer_process_alert(rl);
888
889 case SSL3_RT_HANDSHAKE:
890 break;
891
892 case SSL3_RT_APPLICATION_DATA:
893 if (!rl->handshake_completed)
894 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
895 break;
896
897 default:
898 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
899 }
900
901 return TLS13_IO_SUCCESS;
902
903 err:
904 return TLS13_IO_FAILURE;
905}
906
907static ssize_t
908tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type)
909{
910 if (rl->rbuf_content_type != content_type)
911 return 0;
912
913 return CBS_len(&rl->rbuf_cbs);
914}
915
916static ssize_t
917tls13_record_layer_recv_phh(struct tls13_record_layer *rl)
918{
919 ssize_t ret = TLS13_IO_FAILURE;
920
921 rl->phh = 1;
922
923 /*
924 * The post handshake handshake receive callback is allowed to return:
925 *
926 * TLS13_IO_WANT_POLLIN need more handshake data.
927 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued.
928 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do.
929 * TLS13_IO_FAILURE something broke.
930 */
931 if (rl->cb.phh_recv != NULL)
932 ret = rl->cb.phh_recv(rl->cb_arg, &rl->rbuf_cbs);
933
934 tls13_record_layer_rbuf_free(rl);
935
936 /* Leave post handshake handshake mode unless we need more data. */
937 if (ret != TLS13_IO_WANT_POLLIN)
938 rl->phh = 0;
939
940 if (ret == TLS13_IO_SUCCESS) {
941 if (rl->phh_retry)
942 return TLS13_IO_WANT_RETRY;
943
944 return TLS13_IO_WANT_POLLIN;
945 }
946
947 return ret;
948}
949
950static ssize_t
951tls13_record_layer_read_internal(struct tls13_record_layer *rl,
952 uint8_t content_type, uint8_t *buf, size_t n, int peek)
953{
954 ssize_t ret;
955
956 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
957 return ret;
958
959 if (rl->read_closed)
960 return TLS13_IO_EOF;
961
962 /* If necessary, pull up the next record. */
963 if (CBS_len(&rl->rbuf_cbs) == 0) {
964 if ((ret = tls13_record_layer_read_record(rl)) <= 0)
965 return ret;
966
967 /*
968 * We may have read a valid 0-byte application data record,
969 * in which case we need to read the next record.
970 */
971 if (CBS_len(&rl->rbuf_cbs) == 0) {
972 tls13_record_layer_rbuf_free(rl);
973 return TLS13_IO_WANT_POLLIN;
974 }
975 }
976
977 /*
978 * If we are in post handshake handshake mode, we must not see
979 * any record type that isn't a handshake until we are done.
980 */
981 if (rl->phh && rl->rbuf_content_type != SSL3_RT_HANDSHAKE)
982 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
983
984 /*
985 * Handshake content can appear as post-handshake messages (yup,
986 * the RFC reused the same content type...), which means we can
987 * be trying to read application data and need to handle a
988 * post-handshake handshake message instead...
989 */
990 if (rl->rbuf_content_type != content_type) {
991 if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) {
992 if (rl->handshake_completed)
993 return tls13_record_layer_recv_phh(rl);
994 }
995 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
996 }
997
998 if (n > CBS_len(&rl->rbuf_cbs))
999 n = CBS_len(&rl->rbuf_cbs);
1000
1001 /* XXX - CBS_memcpy? CBS_copy_bytes? */
1002 memcpy(buf, CBS_data(&rl->rbuf_cbs), n);
1003
1004 if (!peek) {
1005 if (!CBS_skip(&rl->rbuf_cbs, n))
1006 goto err;
1007 }
1008
1009 if (CBS_len(&rl->rbuf_cbs) == 0)
1010 tls13_record_layer_rbuf_free(rl);
1011
1012 return n;
1013
1014 err:
1015 return TLS13_IO_FAILURE;
1016}
1017
1018static ssize_t
1019tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type,
1020 uint8_t *buf, size_t n)
1021{
1022 ssize_t ret;
1023
1024 do {
1025 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1);
1026 } while (ret == TLS13_IO_WANT_RETRY);
1027
1028 if (rl->alert != 0)
1029 return tls13_send_alert(rl, rl->alert);
1030
1031 return ret;
1032}
1033
1034static ssize_t
1035tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
1036 uint8_t *buf, size_t n)
1037{
1038 ssize_t ret;
1039
1040 do {
1041 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0);
1042 } while (ret == TLS13_IO_WANT_RETRY);
1043
1044 if (rl->alert != 0)
1045 return tls13_send_alert(rl, rl->alert);
1046
1047 return ret;
1048}
1049
1050static ssize_t
1051tls13_record_layer_write_record(struct tls13_record_layer *rl,
1052 uint8_t content_type, const uint8_t *content, size_t content_len)
1053{
1054 ssize_t ret;
1055
1056 if (rl->write_closed)
1057 return TLS13_IO_EOF;
1058
1059 /*
1060 * If we pushed out application data while handling other messages,
1061 * we need to return content length on the next call.
1062 */
1063 if (content_type == SSL3_RT_APPLICATION_DATA &&
1064 rl->wrec_appdata_len != 0) {
1065 ret = rl->wrec_appdata_len;
1066 rl->wrec_appdata_len = 0;
1067 return ret;
1068 }
1069
1070 /* See if there is an existing record and attempt to push it out... */
1071 if (rl->wrec != NULL) {
1072 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write,
1073 rl->cb_arg)) <= 0)
1074 return ret;
1075 tls13_record_layer_wrec_free(rl);
1076
1077 if (rl->wrec_content_type == content_type) {
1078 ret = rl->wrec_content_len;
1079 rl->wrec_content_len = 0;
1080 rl->wrec_content_type = 0;
1081 return ret;
1082 }
1083
1084 /*
1085 * The only partial record type should be application data.
1086 * All other cases are handled to completion.
1087 */
1088 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA)
1089 return TLS13_IO_FAILURE;
1090 rl->wrec_appdata_len = rl->wrec_content_len;
1091 }
1092
1093 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1094 goto err;
1095
1096 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len))
1097 goto err;
1098
1099 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0)
1100 return ret;
1101
1102 tls13_record_layer_wrec_free(rl);
1103
1104 return content_len;
1105
1106 err:
1107 return TLS13_IO_FAILURE;
1108}
1109
1110static ssize_t
1111tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
1112 uint8_t content_type, const uint8_t *buf, size_t n)
1113{
1114 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1115 n = TLS13_RECORD_MAX_PLAINTEXT_LEN;
1116
1117 return tls13_record_layer_write_record(rl, content_type, buf, n);
1118}
1119
1120static ssize_t
1121tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
1122 const uint8_t *buf, size_t n)
1123{
1124 ssize_t ret;
1125
1126 do {
1127 ret = tls13_record_layer_send_pending(rl);
1128 } while (ret == TLS13_IO_WANT_RETRY);
1129 if (ret != TLS13_IO_SUCCESS)
1130 return ret;
1131
1132 do {
1133 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n);
1134 } while (ret == TLS13_IO_WANT_RETRY);
1135
1136 return ret;
1137}
1138
1139static const uint8_t tls13_dummy_ccs[] = { 0x01 };
1140
1141ssize_t
1142tls13_send_dummy_ccs(struct tls13_record_layer *rl)
1143{
1144 ssize_t ret;
1145
1146 if (rl->ccs_sent)
1147 return TLS13_IO_FAILURE;
1148
1149 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC,
1150 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0)
1151 return ret;
1152
1153 rl->ccs_sent = 1;
1154
1155 return TLS13_IO_SUCCESS;
1156}
1157
1158ssize_t
1159tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1160{
1161 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n);
1162}
1163
1164ssize_t
1165tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
1166 size_t n)
1167{
1168 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n);
1169}
1170
1171ssize_t
1172tls13_pending_application_data(struct tls13_record_layer *rl)
1173{
1174 if (!rl->handshake_completed)
1175 return 0;
1176
1177 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA);
1178}
1179
1180ssize_t
1181tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1182{
1183 if (!rl->handshake_completed)
1184 return TLS13_IO_FAILURE;
1185
1186 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1187}
1188
1189ssize_t
1190tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1191{
1192 if (!rl->handshake_completed)
1193 return TLS13_IO_FAILURE;
1194
1195 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1196}
1197
1198ssize_t
1199tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf,
1200 size_t n)
1201{
1202 if (!rl->handshake_completed)
1203 return TLS13_IO_FAILURE;
1204
1205 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1206}
1207
1208ssize_t
1209tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc)
1210{
1211 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL;
1212 ssize_t ret;
1213
1214 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY ||
1215 alert_desc == TLS13_ALERT_USER_CANCELED)
1216 alert_level = TLS13_ALERT_LEVEL_WARNING;
1217
1218 do {
1219 ret = tls13_record_layer_enqueue_alert(rl, alert_level,
1220 alert_desc);
1221 } while (ret == TLS13_IO_WANT_RETRY);
1222
1223 return ret;
1224}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-12 17:30:32 +0000