summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_record_layer.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/tls13_record_layer.c')
-rw-r--r--src/lib/libssl/tls13_record_layer.c1229
1 files changed, 0 insertions, 1229 deletions
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
deleted file mode 100644
index f5604adbeb..0000000000
--- a/src/lib/libssl/tls13_record_layer.c
+++ /dev/null
@@ -1,1229 +0,0 @@
1/* $OpenBSD: tls13_record_layer.c,v 1.74 2024/09/09 03:32:29 tb Exp $ */
2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include "tls13_internal.h"
19#include "tls13_record.h"
20#include "tls_content.h"
21
22static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
23 uint8_t content_type, const uint8_t *buf, size_t n);
24static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
25 uint8_t content_type, const uint8_t *content, size_t content_len);
26
27struct tls13_record_protection {
28 EVP_AEAD_CTX *aead_ctx;
29 struct tls13_secret iv;
30 struct tls13_secret nonce;
31 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN];
32};
33
34struct tls13_record_protection *
35tls13_record_protection_new(void)
36{
37 return calloc(1, sizeof(struct tls13_record_protection));
38}
39
40void
41tls13_record_protection_clear(struct tls13_record_protection *rp)
42{
43 EVP_AEAD_CTX_free(rp->aead_ctx);
44
45 tls13_secret_cleanup(&rp->iv);
46 tls13_secret_cleanup(&rp->nonce);
47
48 memset(rp, 0, sizeof(*rp));
49}
50
51void
52tls13_record_protection_free(struct tls13_record_protection *rp)
53{
54 if (rp == NULL)
55 return;
56
57 tls13_record_protection_clear(rp);
58
59 freezero(rp, sizeof(struct tls13_record_protection));
60}
61
62struct tls13_record_layer {
63 uint16_t legacy_version;
64
65 int ccs_allowed;
66 int ccs_seen;
67 int ccs_sent;
68 int handshake_completed;
69 int legacy_alerts_allowed;
70 int phh;
71 int phh_retry;
72
73 /*
74 * Read and/or write channels are closed due to an alert being
75 * sent or received. In the case of an error alert both channels
76 * are closed, whereas in the case of a close notify only one
77 * channel is closed.
78 */
79 int read_closed;
80 int write_closed;
81
82 struct tls13_record *rrec;
83
84 struct tls13_record *wrec;
85 uint8_t wrec_content_type;
86 size_t wrec_appdata_len;
87 size_t wrec_content_len;
88
89 /* Alert to be sent on return from current read handler. */
90 uint8_t alert;
91
92 /* Pending alert messages. */
93 uint8_t *alert_data;
94 size_t alert_len;
95 uint8_t alert_level;
96 uint8_t alert_desc;
97
98 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */
99 CBS phh_cbs;
100 uint8_t *phh_data;
101 size_t phh_len;
102
103 /* Content from opened records. */
104 struct tls_content *rcontent;
105
106 /* Record protection. */
107 const EVP_MD *hash;
108 const EVP_AEAD *aead;
109 struct tls13_record_protection *read;
110 struct tls13_record_protection *write;
111
112 /* Callbacks. */
113 struct tls13_record_layer_callbacks cb;
114 void *cb_arg;
115};
116
117static void
118tls13_record_layer_rrec_free(struct tls13_record_layer *rl)
119{
120 tls13_record_free(rl->rrec);
121 rl->rrec = NULL;
122}
123
124static void
125tls13_record_layer_wrec_free(struct tls13_record_layer *rl)
126{
127 tls13_record_free(rl->wrec);
128 rl->wrec = NULL;
129}
130
131struct tls13_record_layer *
132tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks,
133 void *cb_arg)
134{
135 struct tls13_record_layer *rl;
136
137 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL)
138 goto err;
139
140 if ((rl->rcontent = tls_content_new()) == NULL)
141 goto err;
142
143 if ((rl->read = tls13_record_protection_new()) == NULL)
144 goto err;
145 if ((rl->write = tls13_record_protection_new()) == NULL)
146 goto err;
147
148 rl->legacy_version = TLS1_2_VERSION;
149
150 tls13_record_layer_set_callbacks(rl, callbacks, cb_arg);
151
152 return rl;
153
154 err:
155 tls13_record_layer_free(rl);
156
157 return NULL;
158}
159
160void
161tls13_record_layer_free(struct tls13_record_layer *rl)
162{
163 if (rl == NULL)
164 return;
165
166 tls13_record_layer_rrec_free(rl);
167 tls13_record_layer_wrec_free(rl);
168
169 freezero(rl->alert_data, rl->alert_len);
170 freezero(rl->phh_data, rl->phh_len);
171
172 tls_content_free(rl->rcontent);
173
174 tls13_record_protection_free(rl->read);
175 tls13_record_protection_free(rl->write);
176
177 freezero(rl, sizeof(struct tls13_record_layer));
178}
179
180void
181tls13_record_layer_set_callbacks(struct tls13_record_layer *rl,
182 const struct tls13_record_layer_callbacks *callbacks, void *cb_arg)
183{
184 rl->cb = *callbacks;
185 rl->cb_arg = cb_arg;
186}
187
188void
189tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs)
190{
191 CBS_dup(tls_content_cbs(rl->rcontent), cbs);
192}
193
194static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = {
195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
196};
197
198int
199tls13_record_layer_inc_seq_num(uint8_t *seq_num)
200{
201 int i;
202
203 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */
204 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0)
205 return 0;
206
207 for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
208 if (++seq_num[i] != 0)
209 break;
210 }
211
212 return 1;
213}
214
215static int
216tls13_record_layer_update_nonce(struct tls13_secret *nonce,
217 struct tls13_secret *iv, uint8_t *seq_num)
218{
219 ssize_t i, j;
220
221 if (nonce->len != iv->len)
222 return 0;
223
224 /*
225 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd
226 * with the IV to produce a per-record nonce. The IV will also be
227 * at least 8-bytes in length.
228 */
229 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--)
230 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0);
231
232 return 1;
233}
234
235void
236tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow)
237{
238 rl->ccs_allowed = allow;
239}
240
241void
242tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow)
243{
244 rl->legacy_alerts_allowed = allow;
245}
246
247void
248tls13_record_layer_set_aead(struct tls13_record_layer *rl,
249 const EVP_AEAD *aead)
250{
251 rl->aead = aead;
252}
253
254void
255tls13_record_layer_set_hash(struct tls13_record_layer *rl,
256 const EVP_MD *hash)
257{
258 rl->hash = hash;
259}
260
261void
262tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl,
263 uint16_t version)
264{
265 rl->legacy_version = version;
266}
267
268void
269tls13_record_layer_handshake_completed(struct tls13_record_layer *rl)
270{
271 rl->handshake_completed = 1;
272}
273
274void
275tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry)
276{
277 rl->phh_retry = retry;
278}
279
280static ssize_t
281tls13_record_layer_process_alert(struct tls13_record_layer *rl)
282{
283 uint8_t alert_level, alert_desc;
284 ssize_t ret = TLS13_IO_FAILURE;
285
286 /*
287 * RFC 8446 - sections 5.1 and 6.
288 *
289 * A TLSv1.3 alert record can only contain a single alert - this means
290 * that processing the alert must consume all of the record. The alert
291 * will result in one of three things - continuation (user_cancelled),
292 * read channel closure (close_notify) or termination (all others).
293 */
294 if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT)
295 return TLS13_IO_FAILURE;
296
297 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level))
298 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
299 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc))
300 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
301
302 if (tls_content_remaining(rl->rcontent) != 0)
303 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
304
305 tls_content_clear(rl->rcontent);
306
307 /*
308 * Alert level is ignored for closure alerts (RFC 8446 section 6.1),
309 * however for error alerts (RFC 8446 section 6.2), the alert level
310 * must be specified as fatal.
311 */
312 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
313 rl->read_closed = 1;
314 ret = TLS13_IO_EOF;
315 } else if (alert_desc == TLS13_ALERT_USER_CANCELED) {
316 /* Ignored at the record layer. */
317 ret = TLS13_IO_WANT_RETRY;
318 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) {
319 rl->read_closed = 1;
320 rl->write_closed = 1;
321 ret = TLS13_IO_ALERT;
322 } else if (rl->legacy_alerts_allowed &&
323 alert_level == TLS13_ALERT_LEVEL_WARNING) {
324 /* Ignored and not passed to the callback. */
325 return TLS13_IO_WANT_RETRY;
326 } else {
327 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
328 }
329
330 rl->cb.alert_recv(alert_level, alert_desc, rl->cb_arg);
331
332 return ret;
333}
334
335void
336tls13_record_layer_alert_sent(struct tls13_record_layer *rl,
337 uint8_t alert_level, uint8_t alert_desc)
338{
339 rl->cb.alert_sent(alert_level, alert_desc, rl->cb_arg);
340}
341
342static ssize_t
343tls13_record_layer_send_alert(struct tls13_record_layer *rl)
344{
345 ssize_t ret;
346
347 /* This has to fit into a single record, per RFC 8446 section 5.1. */
348 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT,
349 rl->alert_data, rl->alert_len)) != rl->alert_len) {
350 if (ret == TLS13_IO_EOF)
351 ret = TLS13_IO_ALERT;
352 return ret;
353 }
354
355 freezero(rl->alert_data, rl->alert_len);
356 rl->alert_data = NULL;
357 rl->alert_len = 0;
358
359 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
360 rl->write_closed = 1;
361 ret = TLS13_IO_SUCCESS;
362 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) {
363 /* Ignored at the record layer. */
364 ret = TLS13_IO_SUCCESS;
365 } else {
366 rl->read_closed = 1;
367 rl->write_closed = 1;
368 ret = TLS13_IO_ALERT;
369 }
370
371 tls13_record_layer_alert_sent(rl, rl->alert_level, rl->alert_desc);
372
373 return ret;
374}
375
376static ssize_t
377tls13_record_layer_send_phh(struct tls13_record_layer *rl)
378{
379 ssize_t ret;
380
381 /* Push out pending post-handshake handshake messages. */
382 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE,
383 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0)
384 return ret;
385 if (!CBS_skip(&rl->phh_cbs, ret))
386 return TLS13_IO_FAILURE;
387 if (CBS_len(&rl->phh_cbs) != 0)
388 return TLS13_IO_WANT_RETRY;
389
390 freezero(rl->phh_data, rl->phh_len);
391 rl->phh_data = NULL;
392 rl->phh_len = 0;
393
394 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
395
396 rl->cb.phh_sent(rl->cb_arg);
397
398 return TLS13_IO_SUCCESS;
399}
400
401ssize_t
402tls13_record_layer_send_pending(struct tls13_record_layer *rl)
403{
404 /*
405 * If an alert is pending, then it needs to be sent. However,
406 * if we're already part of the way through sending post-handshake
407 * handshake messages, then we need to finish that first...
408 */
409
410 if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len)
411 return tls13_record_layer_send_phh(rl);
412
413 if (rl->alert_data != NULL)
414 return tls13_record_layer_send_alert(rl);
415
416 if (rl->phh_data != NULL)
417 return tls13_record_layer_send_phh(rl);
418
419 return TLS13_IO_SUCCESS;
420}
421
422static ssize_t
423tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl,
424 uint8_t alert_level, uint8_t alert_desc)
425{
426 CBB cbb;
427
428 if (rl->alert_data != NULL)
429 return TLS13_IO_FAILURE;
430
431 if (!CBB_init(&cbb, 0))
432 goto err;
433
434 if (!CBB_add_u8(&cbb, alert_level))
435 goto err;
436 if (!CBB_add_u8(&cbb, alert_desc))
437 goto err;
438 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
439 goto err;
440
441 rl->alert_level = alert_level;
442 rl->alert_desc = alert_desc;
443
444 return tls13_record_layer_send_pending(rl);
445
446 err:
447 CBB_cleanup(&cbb);
448
449 return TLS13_IO_FAILURE;
450}
451
452ssize_t
453tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs)
454{
455 if (rl->phh_data != NULL)
456 return TLS13_IO_FAILURE;
457
458 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len))
459 return TLS13_IO_FAILURE;
460
461 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
462
463 return tls13_record_layer_send_pending(rl);
464}
465
466static int
467tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash,
468 struct tls13_record_protection *rp, struct tls13_secret *traffic_key)
469{
470 struct tls13_secret context = { .data = "", .len = 0 };
471 struct tls13_secret key = { .data = NULL, .len = 0 };
472 int ret = 0;
473
474 tls13_record_protection_clear(rp);
475
476 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL)
477 return 0;
478
479 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead)))
480 goto err;
481 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead)))
482 goto err;
483 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead)))
484 goto err;
485
486 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context))
487 goto err;
488 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))
489 goto err;
490
491 if (!EVP_AEAD_CTX_init(rp->aead_ctx, aead, key.data, key.len,
492 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
493 goto err;
494
495 ret = 1;
496
497 err:
498 tls13_secret_cleanup(&key);
499
500 return ret;
501}
502
503int
504tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
505 struct tls13_secret *read_key, enum ssl_encryption_level_t read_level)
506{
507 if (rl->cb.set_read_traffic_key != NULL)
508 return rl->cb.set_read_traffic_key(read_key, read_level,
509 rl->cb_arg);
510
511 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
512 rl->read, read_key);
513}
514
515int
516tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
517 struct tls13_secret *write_key, enum ssl_encryption_level_t write_level)
518{
519 if (rl->cb.set_write_traffic_key != NULL)
520 return rl->cb.set_write_traffic_key(write_key, write_level,
521 rl->cb_arg);
522
523 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
524 rl->write, write_key);
525}
526
527static int
528tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl)
529{
530 CBS cbs;
531
532 if (rl->aead != NULL)
533 return 0;
534
535 /*
536 * We're still operating in plaintext mode, so just copy the
537 * content from the record to the plaintext buffer.
538 */
539 if (!tls13_record_content(rl->rrec, &cbs))
540 return 0;
541
542 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
543 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
544 return 0;
545 }
546
547 if (!tls_content_dup_data(rl->rcontent,
548 tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs)))
549 return 0;
550
551 return 1;
552}
553
554static int
555tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
556{
557 CBS header, enc_record, inner;
558 uint8_t *content = NULL;
559 size_t content_len = 0;
560 uint8_t content_type;
561 size_t out_len;
562
563 if (rl->aead == NULL)
564 goto err;
565
566 if (!tls13_record_header(rl->rrec, &header))
567 goto err;
568 if (!tls13_record_content(rl->rrec, &enc_record))
569 goto err;
570
571 /* XXX - minus tag len? */
572 if ((content = calloc(1, CBS_len(&enc_record))) == NULL)
573 goto err;
574 content_len = CBS_len(&enc_record);
575
576 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv,
577 rl->read->seq_num))
578 goto err;
579
580 if (!EVP_AEAD_CTX_open(rl->read->aead_ctx,
581 content, &out_len, content_len,
582 rl->read->nonce.data, rl->read->nonce.len,
583 CBS_data(&enc_record), CBS_len(&enc_record),
584 CBS_data(&header), CBS_len(&header)))
585 goto err;
586
587 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) {
588 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
589 goto err;
590 }
591
592 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num))
593 goto err;
594
595 /*
596 * The real content type is hidden at the end of the record content and
597 * it may be followed by padding that consists of one or more zeroes.
598 * Time to hunt for that elusive content type!
599 */
600 CBS_init(&inner, content, out_len);
601 content_type = 0;
602 while (CBS_get_last_u8(&inner, &content_type)) {
603 if (content_type != 0)
604 break;
605 }
606 if (content_type == 0) {
607 /* Unexpected message per RFC 8446 section 5.4. */
608 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
609 goto err;
610 }
611 if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
612 rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
613 goto err;
614 }
615
616 tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner),
617 CBS_len(&inner));
618
619 return 1;
620
621 err:
622 freezero(content, content_len);
623
624 return 0;
625}
626
627static int
628tls13_record_layer_open_record(struct tls13_record_layer *rl)
629{
630 if (rl->handshake_completed && rl->aead == NULL)
631 return 0;
632
633 if (rl->aead == NULL)
634 return tls13_record_layer_open_record_plaintext(rl);
635
636 return tls13_record_layer_open_record_protected(rl);
637}
638
639static int
640tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl,
641 uint8_t content_type, const uint8_t *content, size_t content_len)
642{
643 uint8_t *data = NULL;
644 size_t data_len = 0;
645 CBB cbb, body;
646
647 /*
648 * Allow dummy CCS messages to be sent in plaintext even when
649 * record protection has been engaged, as long as the handshake
650 * has not yet completed.
651 */
652 if (rl->handshake_completed)
653 return 0;
654 if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC)
655 return 0;
656
657 /*
658 * We're still operating in plaintext mode, so just copy the
659 * content into the record.
660 */
661 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len))
662 goto err;
663
664 if (!CBB_add_u8(&cbb, content_type))
665 goto err;
666 if (!CBB_add_u16(&cbb, rl->legacy_version))
667 goto err;
668 if (!CBB_add_u16_length_prefixed(&cbb, &body))
669 goto err;
670 if (!CBB_add_bytes(&body, content, content_len))
671 goto err;
672
673 if (!CBB_finish(&cbb, &data, &data_len))
674 goto err;
675
676 if (!tls13_record_set_data(rl->wrec, data, data_len))
677 goto err;
678
679 rl->wrec_content_len = content_len;
680 rl->wrec_content_type = content_type;
681
682 return 1;
683
684 err:
685 CBB_cleanup(&cbb);
686 freezero(data, data_len);
687
688 return 0;
689}
690
691static int
692tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
693 uint8_t content_type, const uint8_t *content, size_t content_len)
694{
695 uint8_t *data = NULL, *header = NULL, *inner = NULL;
696 size_t data_len = 0, header_len = 0, inner_len = 0;
697 uint8_t *enc_record;
698 size_t enc_record_len;
699 ssize_t ret = 0;
700 size_t out_len;
701 CBB cbb;
702
703 if (rl->aead == NULL)
704 return 0;
705
706 memset(&cbb, 0, sizeof(cbb));
707
708 /* Build inner plaintext. */
709 if (!CBB_init(&cbb, content_len + 1))
710 goto err;
711 if (!CBB_add_bytes(&cbb, content, content_len))
712 goto err;
713 if (!CBB_add_u8(&cbb, content_type))
714 goto err;
715 /* XXX - padding? */
716 if (!CBB_finish(&cbb, &inner, &inner_len))
717 goto err;
718
719 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN)
720 goto err;
721
722 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
723 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead);
724 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN)
725 goto err;
726
727 /* Build the record header. */
728 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN))
729 goto err;
730 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA))
731 goto err;
732 if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
733 goto err;
734 if (!CBB_add_u16(&cbb, enc_record_len))
735 goto err;
736 if (!CBB_finish(&cbb, &header, &header_len))
737 goto err;
738
739 /* Build the actual record. */
740 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len))
741 goto err;
742 if (!CBB_add_bytes(&cbb, header, header_len))
743 goto err;
744 if (!CBB_add_space(&cbb, &enc_record, enc_record_len))
745 goto err;
746 if (!CBB_finish(&cbb, &data, &data_len))
747 goto err;
748
749 if (!tls13_record_layer_update_nonce(&rl->write->nonce,
750 &rl->write->iv, rl->write->seq_num))
751 goto err;
752
753 /*
754 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec...
755 * this would avoid a copy since the inner would be passed as two
756 * separate pieces.
757 */
758 if (!EVP_AEAD_CTX_seal(rl->write->aead_ctx,
759 enc_record, &out_len, enc_record_len,
760 rl->write->nonce.data, rl->write->nonce.len,
761 inner, inner_len, header, header_len))
762 goto err;
763
764 if (out_len != enc_record_len)
765 goto err;
766
767 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num))
768 goto err;
769
770 if (!tls13_record_set_data(rl->wrec, data, data_len))
771 goto err;
772
773 rl->wrec_content_len = content_len;
774 rl->wrec_content_type = content_type;
775
776 data = NULL;
777 data_len = 0;
778
779 ret = 1;
780
781 err:
782 CBB_cleanup(&cbb);
783
784 freezero(data, data_len);
785 freezero(header, header_len);
786 freezero(inner, inner_len);
787
788 return ret;
789}
790
791static int
792tls13_record_layer_seal_record(struct tls13_record_layer *rl,
793 uint8_t content_type, const uint8_t *content, size_t content_len)
794{
795 if (rl->handshake_completed && rl->aead == NULL)
796 return 0;
797
798 tls13_record_layer_wrec_free(rl);
799
800 if ((rl->wrec = tls13_record_new()) == NULL)
801 return 0;
802
803 if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC)
804 return tls13_record_layer_seal_record_plaintext(rl,
805 content_type, content, content_len);
806
807 return tls13_record_layer_seal_record_protected(rl, content_type,
808 content, content_len);
809}
810
811static ssize_t
812tls13_record_layer_read_record(struct tls13_record_layer *rl)
813{
814 uint8_t content_type, ccs;
815 ssize_t ret;
816 CBS cbs;
817
818 if (rl->rrec == NULL) {
819 if ((rl->rrec = tls13_record_new()) == NULL)
820 goto err;
821 }
822
823 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
824 switch (ret) {
825 case TLS13_IO_RECORD_VERSION:
826 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
827 case TLS13_IO_RECORD_OVERFLOW:
828 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW);
829 }
830 return ret;
831 }
832
833 content_type = tls13_record_content_type(rl->rrec);
834
835 /*
836 * In response to a client hello we may receive an alert in a
837 * record with a legacy version. Otherwise enforce that the
838 * legacy record version is 0x0303 per RFC 8446, section 5.1.
839 */
840 if (rl->legacy_version == TLS1_2_VERSION &&
841 tls13_record_version(rl->rrec) != TLS1_2_VERSION &&
842 (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed))
843 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
844
845 /*
846 * Bag of hacks ahead... after the first ClientHello message has been
847 * sent or received and before the peer's Finished message has been
848 * received, we may receive an unencrypted ChangeCipherSpec record
849 * (see RFC 8446 section 5 and appendix D.4). This record must be
850 * ignored.
851 */
852 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
853 if (!rl->ccs_allowed || rl->ccs_seen >= 2)
854 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
855 if (!tls13_record_content(rl->rrec, &cbs))
856 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
857 if (!CBS_get_u8(&cbs, &ccs))
858 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
859 if (ccs != 1)
860 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
861 if (CBS_len(&cbs) != 0)
862 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
863 rl->ccs_seen++;
864 tls13_record_layer_rrec_free(rl);
865 return TLS13_IO_WANT_RETRY;
866 }
867
868 /*
869 * Once record protection is engaged, we should only receive
870 * protected application data messages (aside from the
871 * dummy ChangeCipherSpec messages, handled above).
872 */
873 if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA)
874 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
875
876 if (!tls13_record_layer_open_record(rl))
877 goto err;
878
879 tls13_record_layer_rrec_free(rl);
880
881 /*
882 * On receiving a handshake or alert record with empty inner plaintext,
883 * we must terminate the connection with an unexpected_message alert.
884 * See RFC 8446 section 5.4.
885 */
886 if (tls_content_remaining(rl->rcontent) == 0 &&
887 (tls_content_type(rl->rcontent) == SSL3_RT_ALERT ||
888 tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE))
889 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
890
891 switch (tls_content_type(rl->rcontent)) {
892 case SSL3_RT_ALERT:
893 return tls13_record_layer_process_alert(rl);
894
895 case SSL3_RT_HANDSHAKE:
896 break;
897
898 case SSL3_RT_APPLICATION_DATA:
899 if (!rl->handshake_completed)
900 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
901 break;
902
903 default:
904 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
905 }
906
907 return TLS13_IO_SUCCESS;
908
909 err:
910 return TLS13_IO_FAILURE;
911}
912
913static ssize_t
914tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type)
915{
916 if (tls_content_type(rl->rcontent) != content_type)
917 return 0;
918
919 return tls_content_remaining(rl->rcontent);
920}
921
922static ssize_t
923tls13_record_layer_recv_phh(struct tls13_record_layer *rl)
924{
925 ssize_t ret = TLS13_IO_FAILURE;
926
927 rl->phh = 1;
928
929 /*
930 * The post handshake handshake receive callback is allowed to return:
931 *
932 * TLS13_IO_WANT_POLLIN need more handshake data.
933 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued.
934 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do.
935 * TLS13_IO_FAILURE something broke.
936 */
937 if (rl->cb.phh_recv != NULL)
938 ret = rl->cb.phh_recv(rl->cb_arg);
939
940 tls_content_clear(rl->rcontent);
941
942 /* Leave post handshake handshake mode unless we need more data. */
943 if (ret != TLS13_IO_WANT_POLLIN)
944 rl->phh = 0;
945
946 if (ret == TLS13_IO_SUCCESS) {
947 if (rl->phh_retry)
948 return TLS13_IO_WANT_RETRY;
949
950 return TLS13_IO_WANT_POLLIN;
951 }
952
953 return ret;
954}
955
956static ssize_t
957tls13_record_layer_read_internal(struct tls13_record_layer *rl,
958 uint8_t content_type, uint8_t *buf, size_t n, int peek)
959{
960 ssize_t ret;
961
962 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
963 return ret;
964
965 if (rl->read_closed)
966 return TLS13_IO_EOF;
967
968 /* If necessary, pull up the next record. */
969 if (tls_content_remaining(rl->rcontent) == 0) {
970 if ((ret = tls13_record_layer_read_record(rl)) <= 0)
971 return ret;
972
973 /*
974 * We may have read a valid 0-byte application data record,
975 * in which case we need to read the next record.
976 */
977 if (tls_content_remaining(rl->rcontent) == 0)
978 return TLS13_IO_WANT_POLLIN;
979 }
980
981 /*
982 * If we are in post handshake handshake mode, we must not see
983 * any record type that isn't a handshake until we are done.
984 */
985 if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE)
986 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
987
988 /*
989 * Handshake content can appear as post-handshake messages (yup,
990 * the RFC reused the same content type...), which means we can
991 * be trying to read application data and need to handle a
992 * post-handshake handshake message instead...
993 */
994 if (tls_content_type(rl->rcontent) != content_type) {
995 if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE) {
996 if (rl->handshake_completed)
997 return tls13_record_layer_recv_phh(rl);
998 }
999 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
1000 }
1001
1002 if (peek)
1003 return tls_content_peek(rl->rcontent, buf, n);
1004
1005 return tls_content_read(rl->rcontent, buf, n);
1006}
1007
1008static ssize_t
1009tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type,
1010 uint8_t *buf, size_t n)
1011{
1012 ssize_t ret;
1013
1014 do {
1015 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1);
1016 } while (ret == TLS13_IO_WANT_RETRY);
1017
1018 if (rl->alert != 0)
1019 return tls13_send_alert(rl, rl->alert);
1020
1021 return ret;
1022}
1023
1024static ssize_t
1025tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
1026 uint8_t *buf, size_t n)
1027{
1028 ssize_t ret;
1029
1030 do {
1031 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0);
1032 } while (ret == TLS13_IO_WANT_RETRY);
1033
1034 if (rl->alert != 0)
1035 return tls13_send_alert(rl, rl->alert);
1036
1037 return ret;
1038}
1039
1040static ssize_t
1041tls13_record_layer_write_record(struct tls13_record_layer *rl,
1042 uint8_t content_type, const uint8_t *content, size_t content_len)
1043{
1044 ssize_t ret;
1045
1046 if (rl->write_closed)
1047 return TLS13_IO_EOF;
1048
1049 /*
1050 * If we pushed out application data while handling other messages,
1051 * we need to return content length on the next call.
1052 */
1053 if (content_type == SSL3_RT_APPLICATION_DATA &&
1054 rl->wrec_appdata_len != 0) {
1055 ret = rl->wrec_appdata_len;
1056 rl->wrec_appdata_len = 0;
1057 return ret;
1058 }
1059
1060 /* See if there is an existing record and attempt to push it out... */
1061 if (rl->wrec != NULL) {
1062 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write,
1063 rl->cb_arg)) <= 0)
1064 return ret;
1065 tls13_record_layer_wrec_free(rl);
1066
1067 if (rl->wrec_content_type == content_type) {
1068 ret = rl->wrec_content_len;
1069 rl->wrec_content_len = 0;
1070 rl->wrec_content_type = 0;
1071 return ret;
1072 }
1073
1074 /*
1075 * The only partial record type should be application data.
1076 * All other cases are handled to completion.
1077 */
1078 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA)
1079 return TLS13_IO_FAILURE;
1080 rl->wrec_appdata_len = rl->wrec_content_len;
1081 }
1082
1083 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1084 goto err;
1085
1086 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len))
1087 goto err;
1088
1089 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0)
1090 return ret;
1091
1092 tls13_record_layer_wrec_free(rl);
1093
1094 return content_len;
1095
1096 err:
1097 return TLS13_IO_FAILURE;
1098}
1099
1100static ssize_t
1101tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
1102 uint8_t content_type, const uint8_t *buf, size_t n)
1103{
1104 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1105 n = TLS13_RECORD_MAX_PLAINTEXT_LEN;
1106
1107 return tls13_record_layer_write_record(rl, content_type, buf, n);
1108}
1109
1110static ssize_t
1111tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
1112 const uint8_t *buf, size_t n)
1113{
1114 ssize_t ret;
1115
1116 do {
1117 ret = tls13_record_layer_send_pending(rl);
1118 } while (ret == TLS13_IO_WANT_RETRY);
1119 if (ret != TLS13_IO_SUCCESS)
1120 return ret;
1121
1122 do {
1123 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n);
1124 } while (ret == TLS13_IO_WANT_RETRY);
1125
1126 return ret;
1127}
1128
1129ssize_t
1130tls13_record_layer_flush(struct tls13_record_layer *rl)
1131{
1132 return rl->cb.wire_flush(rl->cb_arg);
1133}
1134
1135static const uint8_t tls13_dummy_ccs[] = { 0x01 };
1136
1137ssize_t
1138tls13_send_dummy_ccs(struct tls13_record_layer *rl)
1139{
1140 ssize_t ret;
1141
1142 if (rl->ccs_sent)
1143 return TLS13_IO_FAILURE;
1144
1145 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC,
1146 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0)
1147 return ret;
1148
1149 rl->ccs_sent = 1;
1150
1151 return TLS13_IO_SUCCESS;
1152}
1153
1154ssize_t
1155tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1156{
1157 if (rl->cb.handshake_read != NULL)
1158 return rl->cb.handshake_read(buf, n, rl->cb_arg);
1159
1160 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n);
1161}
1162
1163ssize_t
1164tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
1165 size_t n)
1166{
1167 if (rl->cb.handshake_write != NULL)
1168 return rl->cb.handshake_write(buf, n, rl->cb_arg);
1169
1170 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n);
1171}
1172
1173ssize_t
1174tls13_pending_application_data(struct tls13_record_layer *rl)
1175{
1176 if (!rl->handshake_completed)
1177 return 0;
1178
1179 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA);
1180}
1181
1182ssize_t
1183tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1184{
1185 if (!rl->handshake_completed)
1186 return TLS13_IO_FAILURE;
1187
1188 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1189}
1190
1191ssize_t
1192tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1193{
1194 if (!rl->handshake_completed)
1195 return TLS13_IO_FAILURE;
1196
1197 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1198}
1199
1200ssize_t
1201tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf,
1202 size_t n)
1203{
1204 if (!rl->handshake_completed)
1205 return TLS13_IO_FAILURE;
1206
1207 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1208}
1209
1210ssize_t
1211tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc)
1212{
1213 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL;
1214 ssize_t ret;
1215
1216 if (rl->cb.alert_send != NULL)
1217 return rl->cb.alert_send(alert_desc, rl->cb_arg);
1218
1219 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY ||
1220 alert_desc == TLS13_ALERT_USER_CANCELED)
1221 alert_level = TLS13_ALERT_LEVEL_WARNING;
1222
1223 do {
1224 ret = tls13_record_layer_enqueue_alert(rl, alert_level,
1225 alert_desc);
1226 } while (ret == TLS13_IO_WANT_RETRY);
1227
1228 return ret;
1229}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-29 08:36:10 +0000