1 /* $OpenBSD: tls13_record_layer.c,v 1.71 2022/09/11 13:50:41 jsing Exp $ */
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 #include "tls13_internal.h"
19 #include "tls13_record.h"
20 #include "tls_content.h"
22 static ssize_t
tls13_record_layer_write_chunk(struct tls13_record_layer
*rl
,
23 uint8_t content_type
, const uint8_t *buf
, size_t n
);
24 static ssize_t
tls13_record_layer_write_record(struct tls13_record_layer
*rl
,
25 uint8_t content_type
, const uint8_t *content
, size_t content_len
);
27 struct tls13_record_protection
{
28 EVP_AEAD_CTX
*aead_ctx
;
29 struct tls13_secret iv
;
30 struct tls13_secret nonce
;
31 uint8_t seq_num
[TLS13_RECORD_SEQ_NUM_LEN
];
34 struct tls13_record_protection
*
35 tls13_record_protection_new(void)
37 return calloc(1, sizeof(struct tls13_record_protection
));
41 tls13_record_protection_clear(struct tls13_record_protection
*rp
)
43 EVP_AEAD_CTX_free(rp
->aead_ctx
);
45 tls13_secret_cleanup(&rp
->iv
);
46 tls13_secret_cleanup(&rp
->nonce
);
48 memset(rp
, 0, sizeof(*rp
));
52 tls13_record_protection_free(struct tls13_record_protection
*rp
)
57 tls13_record_protection_clear(rp
);
59 freezero(rp
, sizeof(struct tls13_record_protection
));
62 struct tls13_record_layer
{
63 uint16_t legacy_version
;
68 int handshake_completed
;
69 int legacy_alerts_allowed
;
74 * Read and/or write channels are closed due to an alert being
75 * sent or received. In the case of an error alert both channels
76 * are closed, whereas in the case of a close notify only one
82 struct tls13_record
*rrec
;
84 struct tls13_record
*wrec
;
85 uint8_t wrec_content_type
;
86 size_t wrec_appdata_len
;
87 size_t wrec_content_len
;
89 /* Alert to be sent on return from current read handler. */
92 /* Pending alert messages. */
98 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */
103 /* Content from opened records. */
104 struct tls_content
*rcontent
;
106 /* Record protection. */
108 const EVP_AEAD
*aead
;
109 struct tls13_record_protection
*read
;
110 struct tls13_record_protection
*write
;
113 struct tls13_record_layer_callbacks cb
;
118 tls13_record_layer_rrec_free(struct tls13_record_layer
*rl
)
120 tls13_record_free(rl
->rrec
);
125 tls13_record_layer_wrec_free(struct tls13_record_layer
*rl
)
127 tls13_record_free(rl
->wrec
);
131 struct tls13_record_layer
*
132 tls13_record_layer_new(const struct tls13_record_layer_callbacks
*callbacks
,
135 struct tls13_record_layer
*rl
;
137 if ((rl
= calloc(1, sizeof(struct tls13_record_layer
))) == NULL
)
140 if ((rl
->rcontent
= tls_content_new()) == NULL
)
143 if ((rl
->read
= tls13_record_protection_new()) == NULL
)
145 if ((rl
->write
= tls13_record_protection_new()) == NULL
)
148 rl
->legacy_version
= TLS1_2_VERSION
;
150 tls13_record_layer_set_callbacks(rl
, callbacks
, cb_arg
);
155 tls13_record_layer_free(rl
);
161 tls13_record_layer_free(struct tls13_record_layer
*rl
)
166 tls13_record_layer_rrec_free(rl
);
167 tls13_record_layer_wrec_free(rl
);
169 freezero(rl
->alert_data
, rl
->alert_len
);
170 freezero(rl
->phh_data
, rl
->phh_len
);
172 tls_content_free(rl
->rcontent
);
174 tls13_record_protection_free(rl
->read
);
175 tls13_record_protection_free(rl
->write
);
177 freezero(rl
, sizeof(struct tls13_record_layer
));
181 tls13_record_layer_set_callbacks(struct tls13_record_layer
*rl
,
182 const struct tls13_record_layer_callbacks
*callbacks
, void *cb_arg
)
189 tls13_record_layer_rcontent(struct tls13_record_layer
*rl
, CBS
*cbs
)
191 CBS_dup(tls_content_cbs(rl
->rcontent
), cbs
);
194 static const uint8_t tls13_max_seq_num
[TLS13_RECORD_SEQ_NUM_LEN
] = {
195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
199 tls13_record_layer_inc_seq_num(uint8_t *seq_num
)
203 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */
204 if (memcmp(seq_num
, tls13_max_seq_num
, TLS13_RECORD_SEQ_NUM_LEN
) == 0)
207 for (i
= TLS13_RECORD_SEQ_NUM_LEN
- 1; i
>= 0; i
--) {
208 if (++seq_num
[i
] != 0)
216 tls13_record_layer_update_nonce(struct tls13_secret
*nonce
,
217 struct tls13_secret
*iv
, uint8_t *seq_num
)
221 if (nonce
->len
!= iv
->len
)
225 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd
226 * with the IV to produce a per-record nonce. The IV will also be
227 * at least 8-bytes in length.
229 for (i
= nonce
->len
- 1, j
= TLS13_RECORD_SEQ_NUM_LEN
- 1; i
>= 0; i
--, j
--)
230 nonce
->data
[i
] = iv
->data
[i
] ^ (j
>= 0 ? seq_num
[j
] : 0);
236 tls13_record_layer_allow_ccs(struct tls13_record_layer
*rl
, int allow
)
238 rl
->ccs_allowed
= allow
;
242 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer
*rl
, int allow
)
244 rl
->legacy_alerts_allowed
= allow
;
248 tls13_record_layer_set_aead(struct tls13_record_layer
*rl
,
249 const EVP_AEAD
*aead
)
255 tls13_record_layer_set_hash(struct tls13_record_layer
*rl
,
262 tls13_record_layer_set_legacy_version(struct tls13_record_layer
*rl
,
265 rl
->legacy_version
= version
;
269 tls13_record_layer_handshake_completed(struct tls13_record_layer
*rl
)
271 rl
->handshake_completed
= 1;
275 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer
*rl
, int retry
)
277 rl
->phh_retry
= retry
;
281 tls13_record_layer_process_alert(struct tls13_record_layer
*rl
)
283 uint8_t alert_level
, alert_desc
;
284 ssize_t ret
= TLS13_IO_FAILURE
;
287 * RFC 8446 - sections 5.1 and 6.
289 * A TLSv1.3 alert record can only contain a single alert - this means
290 * that processing the alert must consume all of the record. The alert
291 * will result in one of three things - continuation (user_cancelled),
292 * read channel closure (close_notify) or termination (all others).
294 if (tls_content_type(rl
->rcontent
) != SSL3_RT_ALERT
)
295 return TLS13_IO_FAILURE
;
297 if (!CBS_get_u8(tls_content_cbs(rl
->rcontent
), &alert_level
))
298 return tls13_send_alert(rl
, TLS13_ALERT_DECODE_ERROR
);
299 if (!CBS_get_u8(tls_content_cbs(rl
->rcontent
), &alert_desc
))
300 return tls13_send_alert(rl
, TLS13_ALERT_DECODE_ERROR
);
302 if (tls_content_remaining(rl
->rcontent
) != 0)
303 return tls13_send_alert(rl
, TLS13_ALERT_DECODE_ERROR
);
305 tls_content_clear(rl
->rcontent
);
308 * Alert level is ignored for closure alerts (RFC 8446 section 6.1),
309 * however for error alerts (RFC 8446 section 6.2), the alert level
310 * must be specified as fatal.
312 if (alert_desc
== TLS13_ALERT_CLOSE_NOTIFY
) {
315 } else if (alert_desc
== TLS13_ALERT_USER_CANCELED
) {
316 /* Ignored at the record layer. */
317 ret
= TLS13_IO_WANT_RETRY
;
318 } else if (alert_level
== TLS13_ALERT_LEVEL_FATAL
) {
320 rl
->write_closed
= 1;
321 ret
= TLS13_IO_ALERT
;
322 } else if (rl
->legacy_alerts_allowed
&&
323 alert_level
== TLS13_ALERT_LEVEL_WARNING
) {
324 /* Ignored and not passed to the callback. */
325 return TLS13_IO_WANT_RETRY
;
327 return tls13_send_alert(rl
, TLS13_ALERT_ILLEGAL_PARAMETER
);
330 rl
->cb
.alert_recv(alert_desc
, rl
->cb_arg
);
336 tls13_record_layer_send_alert(struct tls13_record_layer
*rl
)
340 /* This has to fit into a single record, per RFC 8446 section 5.1. */
341 if ((ret
= tls13_record_layer_write_record(rl
, SSL3_RT_ALERT
,
342 rl
->alert_data
, rl
->alert_len
)) != rl
->alert_len
) {
343 if (ret
== TLS13_IO_EOF
)
344 ret
= TLS13_IO_ALERT
;
348 freezero(rl
->alert_data
, rl
->alert_len
);
349 rl
->alert_data
= NULL
;
352 if (rl
->alert_desc
== TLS13_ALERT_CLOSE_NOTIFY
) {
353 rl
->write_closed
= 1;
354 ret
= TLS13_IO_SUCCESS
;
355 } else if (rl
->alert_desc
== TLS13_ALERT_USER_CANCELED
) {
356 /* Ignored at the record layer. */
357 ret
= TLS13_IO_SUCCESS
;
360 rl
->write_closed
= 1;
361 ret
= TLS13_IO_ALERT
;
364 rl
->cb
.alert_sent(rl
->alert_desc
, rl
->cb_arg
);
370 tls13_record_layer_send_phh(struct tls13_record_layer
*rl
)
374 /* Push out pending post-handshake handshake messages. */
375 if ((ret
= tls13_record_layer_write_chunk(rl
, SSL3_RT_HANDSHAKE
,
376 CBS_data(&rl
->phh_cbs
), CBS_len(&rl
->phh_cbs
))) <= 0)
378 if (!CBS_skip(&rl
->phh_cbs
, ret
))
379 return TLS13_IO_FAILURE
;
380 if (CBS_len(&rl
->phh_cbs
) != 0)
381 return TLS13_IO_WANT_RETRY
;
383 freezero(rl
->phh_data
, rl
->phh_len
);
387 CBS_init(&rl
->phh_cbs
, rl
->phh_data
, rl
->phh_len
);
389 rl
->cb
.phh_sent(rl
->cb_arg
);
391 return TLS13_IO_SUCCESS
;
395 tls13_record_layer_send_pending(struct tls13_record_layer
*rl
)
398 * If an alert is pending, then it needs to be sent. However,
399 * if we're already part of the way through sending post-handshake
400 * handshake messages, then we need to finish that first...
403 if (rl
->phh_data
!= NULL
&& CBS_len(&rl
->phh_cbs
) != rl
->phh_len
)
404 return tls13_record_layer_send_phh(rl
);
406 if (rl
->alert_data
!= NULL
)
407 return tls13_record_layer_send_alert(rl
);
409 if (rl
->phh_data
!= NULL
)
410 return tls13_record_layer_send_phh(rl
);
412 return TLS13_IO_SUCCESS
;
416 tls13_record_layer_enqueue_alert(struct tls13_record_layer
*rl
,
417 uint8_t alert_level
, uint8_t alert_desc
)
421 if (rl
->alert_data
!= NULL
)
422 return TLS13_IO_FAILURE
;
424 if (!CBB_init(&cbb
, 0))
427 if (!CBB_add_u8(&cbb
, alert_level
))
429 if (!CBB_add_u8(&cbb
, alert_desc
))
431 if (!CBB_finish(&cbb
, &rl
->alert_data
, &rl
->alert_len
))
434 rl
->alert_level
= alert_level
;
435 rl
->alert_desc
= alert_desc
;
437 return tls13_record_layer_send_pending(rl
);
442 return TLS13_IO_FAILURE
;
446 tls13_record_layer_phh(struct tls13_record_layer
*rl
, CBS
*cbs
)
448 if (rl
->phh_data
!= NULL
)
449 return TLS13_IO_FAILURE
;
451 if (!CBS_stow(cbs
, &rl
->phh_data
, &rl
->phh_len
))
452 return TLS13_IO_FAILURE
;
454 CBS_init(&rl
->phh_cbs
, rl
->phh_data
, rl
->phh_len
);
456 return tls13_record_layer_send_pending(rl
);
460 tls13_record_layer_set_traffic_key(const EVP_AEAD
*aead
, const EVP_MD
*hash
,
461 struct tls13_record_protection
*rp
, struct tls13_secret
*traffic_key
)
463 struct tls13_secret context
= { .data
= "", .len
= 0 };
464 struct tls13_secret key
= { .data
= NULL
, .len
= 0 };
467 tls13_record_protection_clear(rp
);
469 if ((rp
->aead_ctx
= EVP_AEAD_CTX_new()) == NULL
)
472 if (!tls13_secret_init(&rp
->iv
, EVP_AEAD_nonce_length(aead
)))
474 if (!tls13_secret_init(&rp
->nonce
, EVP_AEAD_nonce_length(aead
)))
476 if (!tls13_secret_init(&key
, EVP_AEAD_key_length(aead
)))
479 if (!tls13_hkdf_expand_label(&rp
->iv
, hash
, traffic_key
, "iv", &context
))
481 if (!tls13_hkdf_expand_label(&key
, hash
, traffic_key
, "key", &context
))
484 if (!EVP_AEAD_CTX_init(rp
->aead_ctx
, aead
, key
.data
, key
.len
,
485 EVP_AEAD_DEFAULT_TAG_LENGTH
, NULL
))
491 tls13_secret_cleanup(&key
);
497 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer
*rl
,
498 struct tls13_secret
*read_key
, enum ssl_encryption_level_t read_level
)
500 if (rl
->cb
.set_read_traffic_key
!= NULL
)
501 return rl
->cb
.set_read_traffic_key(read_key
, read_level
,
504 return tls13_record_layer_set_traffic_key(rl
->aead
, rl
->hash
,
509 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer
*rl
,
510 struct tls13_secret
*write_key
, enum ssl_encryption_level_t write_level
)
512 if (rl
->cb
.set_write_traffic_key
!= NULL
)
513 return rl
->cb
.set_write_traffic_key(write_key
, write_level
,
516 return tls13_record_layer_set_traffic_key(rl
->aead
, rl
->hash
,
517 rl
->write
, write_key
);
521 tls13_record_layer_open_record_plaintext(struct tls13_record_layer
*rl
)
525 if (rl
->aead
!= NULL
)
529 * We're still operating in plaintext mode, so just copy the
530 * content from the record to the plaintext buffer.
532 if (!tls13_record_content(rl
->rrec
, &cbs
))
535 if (CBS_len(&cbs
) > TLS13_RECORD_MAX_PLAINTEXT_LEN
) {
536 rl
->alert
= TLS13_ALERT_RECORD_OVERFLOW
;
540 if (!tls_content_dup_data(rl
->rcontent
,
541 tls13_record_content_type(rl
->rrec
), CBS_data(&cbs
), CBS_len(&cbs
)))
548 tls13_record_layer_open_record_protected(struct tls13_record_layer
*rl
)
550 CBS header
, enc_record
, inner
;
551 uint8_t *content
= NULL
;
552 size_t content_len
= 0;
553 uint8_t content_type
;
556 if (rl
->aead
== NULL
)
559 if (!tls13_record_header(rl
->rrec
, &header
))
561 if (!tls13_record_content(rl
->rrec
, &enc_record
))
564 if ((content
= calloc(1, CBS_len(&enc_record
))) == NULL
)
566 content_len
= CBS_len(&enc_record
);
568 if (!tls13_record_layer_update_nonce(&rl
->read
->nonce
, &rl
->read
->iv
,
572 if (!EVP_AEAD_CTX_open(rl
->read
->aead_ctx
,
573 content
, &out_len
, content_len
,
574 rl
->read
->nonce
.data
, rl
->read
->nonce
.len
,
575 CBS_data(&enc_record
), CBS_len(&enc_record
),
576 CBS_data(&header
), CBS_len(&header
)))
579 if (out_len
> TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN
) {
580 rl
->alert
= TLS13_ALERT_RECORD_OVERFLOW
;
584 if (!tls13_record_layer_inc_seq_num(rl
->read
->seq_num
))
588 * The real content type is hidden at the end of the record content and
589 * it may be followed by padding that consists of one or more zeroes.
590 * Time to hunt for that elusive content type!
592 CBS_init(&inner
, content
, out_len
);
594 while (CBS_get_last_u8(&inner
, &content_type
)) {
595 if (content_type
!= 0)
598 if (content_type
== 0) {
599 /* Unexpected message per RFC 8446 section 5.4. */
600 rl
->alert
= TLS13_ALERT_UNEXPECTED_MESSAGE
;
603 if (CBS_len(&inner
) > TLS13_RECORD_MAX_PLAINTEXT_LEN
) {
604 rl
->alert
= TLS13_ALERT_RECORD_OVERFLOW
;
608 tls_content_set_data(rl
->rcontent
, content_type
, CBS_data(&inner
),
614 freezero(content
, content_len
);
620 tls13_record_layer_open_record(struct tls13_record_layer
*rl
)
622 if (rl
->handshake_completed
&& rl
->aead
== NULL
)
625 if (rl
->aead
== NULL
)
626 return tls13_record_layer_open_record_plaintext(rl
);
628 return tls13_record_layer_open_record_protected(rl
);
632 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer
*rl
,
633 uint8_t content_type
, const uint8_t *content
, size_t content_len
)
635 uint8_t *data
= NULL
;
640 * Allow dummy CCS messages to be sent in plaintext even when
641 * record protection has been engaged, as long as the handshake
642 * has not yet completed.
644 if (rl
->handshake_completed
)
646 if (rl
->aead
!= NULL
&& content_type
!= SSL3_RT_CHANGE_CIPHER_SPEC
)
650 * We're still operating in plaintext mode, so just copy the
651 * content into the record.
653 if (!CBB_init(&cbb
, TLS13_RECORD_HEADER_LEN
+ content_len
))
656 if (!CBB_add_u8(&cbb
, content_type
))
658 if (!CBB_add_u16(&cbb
, rl
->legacy_version
))
660 if (!CBB_add_u16_length_prefixed(&cbb
, &body
))
662 if (!CBB_add_bytes(&body
, content
, content_len
))
665 if (!CBB_finish(&cbb
, &data
, &data_len
))
668 if (!tls13_record_set_data(rl
->wrec
, data
, data_len
))
671 rl
->wrec_content_len
= content_len
;
672 rl
->wrec_content_type
= content_type
;
678 freezero(data
, data_len
);
684 tls13_record_layer_seal_record_protected(struct tls13_record_layer
*rl
,
685 uint8_t content_type
, const uint8_t *content
, size_t content_len
)
687 uint8_t *data
= NULL
, *header
= NULL
, *inner
= NULL
;
688 size_t data_len
= 0, header_len
= 0, inner_len
= 0;
690 size_t enc_record_len
;
695 if (rl
->aead
== NULL
)
698 memset(&cbb
, 0, sizeof(cbb
));
700 /* Build inner plaintext. */
701 if (!CBB_init(&cbb
, content_len
+ 1))
703 if (!CBB_add_bytes(&cbb
, content
, content_len
))
705 if (!CBB_add_u8(&cbb
, content_type
))
708 if (!CBB_finish(&cbb
, &inner
, &inner_len
))
711 if (inner_len
> TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN
)
714 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
715 enc_record_len
= inner_len
+ EVP_AEAD_max_tag_len(rl
->aead
);
716 if (enc_record_len
> TLS13_RECORD_MAX_CIPHERTEXT_LEN
)
719 /* Build the record header. */
720 if (!CBB_init(&cbb
, TLS13_RECORD_HEADER_LEN
))
722 if (!CBB_add_u8(&cbb
, SSL3_RT_APPLICATION_DATA
))
724 if (!CBB_add_u16(&cbb
, TLS1_2_VERSION
))
726 if (!CBB_add_u16(&cbb
, enc_record_len
))
728 if (!CBB_finish(&cbb
, &header
, &header_len
))
731 /* Build the actual record. */
732 if (!CBB_init(&cbb
, TLS13_RECORD_HEADER_LEN
+ enc_record_len
))
734 if (!CBB_add_bytes(&cbb
, header
, header_len
))
736 if (!CBB_add_space(&cbb
, &enc_record
, enc_record_len
))
738 if (!CBB_finish(&cbb
, &data
, &data_len
))
741 if (!tls13_record_layer_update_nonce(&rl
->write
->nonce
,
742 &rl
->write
->iv
, rl
->write
->seq_num
))
746 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec...
747 * this would avoid a copy since the inner would be passed as two
750 if (!EVP_AEAD_CTX_seal(rl
->write
->aead_ctx
,
751 enc_record
, &out_len
, enc_record_len
,
752 rl
->write
->nonce
.data
, rl
->write
->nonce
.len
,
753 inner
, inner_len
, header
, header_len
))
756 if (out_len
!= enc_record_len
)
759 if (!tls13_record_layer_inc_seq_num(rl
->write
->seq_num
))
762 if (!tls13_record_set_data(rl
->wrec
, data
, data_len
))
765 rl
->wrec_content_len
= content_len
;
766 rl
->wrec_content_type
= content_type
;
776 freezero(data
, data_len
);
777 freezero(header
, header_len
);
778 freezero(inner
, inner_len
);
784 tls13_record_layer_seal_record(struct tls13_record_layer
*rl
,
785 uint8_t content_type
, const uint8_t *content
, size_t content_len
)
787 if (rl
->handshake_completed
&& rl
->aead
== NULL
)
790 tls13_record_layer_wrec_free(rl
);
792 if ((rl
->wrec
= tls13_record_new()) == NULL
)
795 if (rl
->aead
== NULL
|| content_type
== SSL3_RT_CHANGE_CIPHER_SPEC
)
796 return tls13_record_layer_seal_record_plaintext(rl
,
797 content_type
, content
, content_len
);
799 return tls13_record_layer_seal_record_protected(rl
, content_type
,
800 content
, content_len
);
804 tls13_record_layer_read_record(struct tls13_record_layer
*rl
)
806 uint8_t content_type
, ccs
;
810 if (rl
->rrec
== NULL
) {
811 if ((rl
->rrec
= tls13_record_new()) == NULL
)
815 if ((ret
= tls13_record_recv(rl
->rrec
, rl
->cb
.wire_read
, rl
->cb_arg
)) <= 0) {
817 case TLS13_IO_RECORD_VERSION
:
818 return tls13_send_alert(rl
, TLS13_ALERT_PROTOCOL_VERSION
);
819 case TLS13_IO_RECORD_OVERFLOW
:
820 return tls13_send_alert(rl
, TLS13_ALERT_RECORD_OVERFLOW
);
825 content_type
= tls13_record_content_type(rl
->rrec
);
828 * In response to a client hello we may receive an alert in a
829 * record with a legacy version. Otherwise enforce that the
830 * legacy record version is 0x0303 per RFC 8446, section 5.1.
832 if (rl
->legacy_version
== TLS1_2_VERSION
&&
833 tls13_record_version(rl
->rrec
) != TLS1_2_VERSION
&&
834 (content_type
!= SSL3_RT_ALERT
|| !rl
->legacy_alerts_allowed
))
835 return tls13_send_alert(rl
, TLS13_ALERT_PROTOCOL_VERSION
);
838 * Bag of hacks ahead... after the first ClientHello message has been
839 * sent or received and before the peer's Finished message has been
840 * received, we may receive an unencrypted ChangeCipherSpec record
841 * (see RFC 8446 section 5 and appendix D.4). This record must be
844 if (content_type
== SSL3_RT_CHANGE_CIPHER_SPEC
) {
845 if (!rl
->ccs_allowed
|| rl
->ccs_seen
>= 2)
846 return tls13_send_alert(rl
, TLS13_ALERT_UNEXPECTED_MESSAGE
);
847 if (!tls13_record_content(rl
->rrec
, &cbs
))
848 return tls13_send_alert(rl
, TLS13_ALERT_DECODE_ERROR
);
849 if (!CBS_get_u8(&cbs
, &ccs
))
850 return tls13_send_alert(rl
, TLS13_ALERT_DECODE_ERROR
);
852 return tls13_send_alert(rl
, TLS13_ALERT_ILLEGAL_PARAMETER
);
853 if (CBS_len(&cbs
) != 0)
854 return tls13_send_alert(rl
, TLS13_ALERT_DECODE_ERROR
);
856 tls13_record_layer_rrec_free(rl
);
857 return TLS13_IO_WANT_RETRY
;
861 * Once record protection is engaged, we should only receive
862 * protected application data messages (aside from the
863 * dummy ChangeCipherSpec messages, handled above).
865 if (rl
->aead
!= NULL
&& content_type
!= SSL3_RT_APPLICATION_DATA
)
866 return tls13_send_alert(rl
, TLS13_ALERT_UNEXPECTED_MESSAGE
);
868 if (!tls13_record_layer_open_record(rl
))
871 tls13_record_layer_rrec_free(rl
);
874 * On receiving a handshake or alert record with empty inner plaintext,
875 * we must terminate the connection with an unexpected_message alert.
876 * See RFC 8446 section 5.4.
878 if (tls_content_remaining(rl
->rcontent
) == 0 &&
879 (tls_content_type(rl
->rcontent
) == SSL3_RT_ALERT
||
880 tls_content_type(rl
->rcontent
) == SSL3_RT_HANDSHAKE
))
881 return tls13_send_alert(rl
, TLS13_ALERT_UNEXPECTED_MESSAGE
);
883 switch (tls_content_type(rl
->rcontent
)) {
885 return tls13_record_layer_process_alert(rl
);
887 case SSL3_RT_HANDSHAKE
:
890 case SSL3_RT_APPLICATION_DATA
:
891 if (!rl
->handshake_completed
)
892 return tls13_send_alert(rl
, TLS13_ALERT_UNEXPECTED_MESSAGE
);
896 return tls13_send_alert(rl
, TLS13_ALERT_UNEXPECTED_MESSAGE
);
899 return TLS13_IO_SUCCESS
;
902 return TLS13_IO_FAILURE
;
906 tls13_record_layer_pending(struct tls13_record_layer
*rl
, uint8_t content_type
)
908 if (tls_content_type(rl
->rcontent
) != content_type
)
911 return tls_content_remaining(rl
->rcontent
);
915 tls13_record_layer_recv_phh(struct tls13_record_layer
*rl
)
917 ssize_t ret
= TLS13_IO_FAILURE
;
922 * The post handshake handshake receive callback is allowed to return:
924 * TLS13_IO_WANT_POLLIN need more handshake data.
925 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued.
926 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do.
927 * TLS13_IO_FAILURE something broke.
929 if (rl
->cb
.phh_recv
!= NULL
)
930 ret
= rl
->cb
.phh_recv(rl
->cb_arg
);
932 tls_content_clear(rl
->rcontent
);
934 /* Leave post handshake handshake mode unless we need more data. */
935 if (ret
!= TLS13_IO_WANT_POLLIN
)
938 if (ret
== TLS13_IO_SUCCESS
) {
940 return TLS13_IO_WANT_RETRY
;
942 return TLS13_IO_WANT_POLLIN
;
949 tls13_record_layer_read_internal(struct tls13_record_layer
*rl
,
950 uint8_t content_type
, uint8_t *buf
, size_t n
, int peek
)
954 if ((ret
= tls13_record_layer_send_pending(rl
)) != TLS13_IO_SUCCESS
)
960 /* If necessary, pull up the next record. */
961 if (tls_content_remaining(rl
->rcontent
) == 0) {
962 if ((ret
= tls13_record_layer_read_record(rl
)) <= 0)
966 * We may have read a valid 0-byte application data record,
967 * in which case we need to read the next record.
969 if (tls_content_remaining(rl
->rcontent
) == 0)
970 return TLS13_IO_WANT_POLLIN
;
974 * If we are in post handshake handshake mode, we must not see
975 * any record type that isn't a handshake until we are done.
977 if (rl
->phh
&& tls_content_type(rl
->rcontent
) != SSL3_RT_HANDSHAKE
)
978 return tls13_send_alert(rl
, TLS13_ALERT_UNEXPECTED_MESSAGE
);
981 * Handshake content can appear as post-handshake messages (yup,
982 * the RFC reused the same content type...), which means we can
983 * be trying to read application data and need to handle a
984 * post-handshake handshake message instead...
986 if (tls_content_type(rl
->rcontent
) != content_type
) {
987 if (tls_content_type(rl
->rcontent
) == SSL3_RT_HANDSHAKE
) {
988 if (rl
->handshake_completed
)
989 return tls13_record_layer_recv_phh(rl
);
991 return tls13_send_alert(rl
, TLS13_ALERT_UNEXPECTED_MESSAGE
);
995 return tls_content_peek(rl
->rcontent
, buf
, n
);
997 return tls_content_read(rl
->rcontent
, buf
, n
);
1001 tls13_record_layer_peek(struct tls13_record_layer
*rl
, uint8_t content_type
,
1002 uint8_t *buf
, size_t n
)
1007 ret
= tls13_record_layer_read_internal(rl
, content_type
, buf
, n
, 1);
1008 } while (ret
== TLS13_IO_WANT_RETRY
);
1011 return tls13_send_alert(rl
, rl
->alert
);
1017 tls13_record_layer_read(struct tls13_record_layer
*rl
, uint8_t content_type
,
1018 uint8_t *buf
, size_t n
)
1023 ret
= tls13_record_layer_read_internal(rl
, content_type
, buf
, n
, 0);
1024 } while (ret
== TLS13_IO_WANT_RETRY
);
1027 return tls13_send_alert(rl
, rl
->alert
);
1033 tls13_record_layer_write_record(struct tls13_record_layer
*rl
,
1034 uint8_t content_type
, const uint8_t *content
, size_t content_len
)
1038 if (rl
->write_closed
)
1039 return TLS13_IO_EOF
;
1042 * If we pushed out application data while handling other messages,
1043 * we need to return content length on the next call.
1045 if (content_type
== SSL3_RT_APPLICATION_DATA
&&
1046 rl
->wrec_appdata_len
!= 0) {
1047 ret
= rl
->wrec_appdata_len
;
1048 rl
->wrec_appdata_len
= 0;
1052 /* See if there is an existing record and attempt to push it out... */
1053 if (rl
->wrec
!= NULL
) {
1054 if ((ret
= tls13_record_send(rl
->wrec
, rl
->cb
.wire_write
,
1057 tls13_record_layer_wrec_free(rl
);
1059 if (rl
->wrec_content_type
== content_type
) {
1060 ret
= rl
->wrec_content_len
;
1061 rl
->wrec_content_len
= 0;
1062 rl
->wrec_content_type
= 0;
1067 * The only partial record type should be application data.
1068 * All other cases are handled to completion.
1070 if (rl
->wrec_content_type
!= SSL3_RT_APPLICATION_DATA
)
1071 return TLS13_IO_FAILURE
;
1072 rl
->wrec_appdata_len
= rl
->wrec_content_len
;
1075 if (content_len
> TLS13_RECORD_MAX_PLAINTEXT_LEN
)
1078 if (!tls13_record_layer_seal_record(rl
, content_type
, content
, content_len
))
1081 if ((ret
= tls13_record_send(rl
->wrec
, rl
->cb
.wire_write
, rl
->cb_arg
)) <= 0)
1084 tls13_record_layer_wrec_free(rl
);
1089 return TLS13_IO_FAILURE
;
1093 tls13_record_layer_write_chunk(struct tls13_record_layer
*rl
,
1094 uint8_t content_type
, const uint8_t *buf
, size_t n
)
1096 if (n
> TLS13_RECORD_MAX_PLAINTEXT_LEN
)
1097 n
= TLS13_RECORD_MAX_PLAINTEXT_LEN
;
1099 return tls13_record_layer_write_record(rl
, content_type
, buf
, n
);
1103 tls13_record_layer_write(struct tls13_record_layer
*rl
, uint8_t content_type
,
1104 const uint8_t *buf
, size_t n
)
1109 ret
= tls13_record_layer_send_pending(rl
);
1110 } while (ret
== TLS13_IO_WANT_RETRY
);
1111 if (ret
!= TLS13_IO_SUCCESS
)
1115 ret
= tls13_record_layer_write_chunk(rl
, content_type
, buf
, n
);
1116 } while (ret
== TLS13_IO_WANT_RETRY
);
1122 tls13_record_layer_flush(struct tls13_record_layer
*rl
)
1124 return rl
->cb
.wire_flush(rl
->cb_arg
);
1127 static const uint8_t tls13_dummy_ccs
[] = { 0x01 };
1130 tls13_send_dummy_ccs(struct tls13_record_layer
*rl
)
1135 return TLS13_IO_FAILURE
;
1137 if ((ret
= tls13_record_layer_write(rl
, SSL3_RT_CHANGE_CIPHER_SPEC
,
1138 tls13_dummy_ccs
, sizeof(tls13_dummy_ccs
))) <= 0)
1143 return TLS13_IO_SUCCESS
;
1147 tls13_read_handshake_data(struct tls13_record_layer
*rl
, uint8_t *buf
, size_t n
)
1149 if (rl
->cb
.handshake_read
!= NULL
)
1150 return rl
->cb
.handshake_read(buf
, n
, rl
->cb_arg
);
1152 return tls13_record_layer_read(rl
, SSL3_RT_HANDSHAKE
, buf
, n
);
1156 tls13_write_handshake_data(struct tls13_record_layer
*rl
, const uint8_t *buf
,
1159 if (rl
->cb
.handshake_write
!= NULL
)
1160 return rl
->cb
.handshake_write(buf
, n
, rl
->cb_arg
);
1162 return tls13_record_layer_write(rl
, SSL3_RT_HANDSHAKE
, buf
, n
);
1166 tls13_pending_application_data(struct tls13_record_layer
*rl
)
1168 if (!rl
->handshake_completed
)
1171 return tls13_record_layer_pending(rl
, SSL3_RT_APPLICATION_DATA
);
1175 tls13_peek_application_data(struct tls13_record_layer
*rl
, uint8_t *buf
, size_t n
)
1177 if (!rl
->handshake_completed
)
1178 return TLS13_IO_FAILURE
;
1180 return tls13_record_layer_peek(rl
, SSL3_RT_APPLICATION_DATA
, buf
, n
);
1184 tls13_read_application_data(struct tls13_record_layer
*rl
, uint8_t *buf
, size_t n
)
1186 if (!rl
->handshake_completed
)
1187 return TLS13_IO_FAILURE
;
1189 return tls13_record_layer_read(rl
, SSL3_RT_APPLICATION_DATA
, buf
, n
);
1193 tls13_write_application_data(struct tls13_record_layer
*rl
, const uint8_t *buf
,
1196 if (!rl
->handshake_completed
)
1197 return TLS13_IO_FAILURE
;
1199 return tls13_record_layer_write(rl
, SSL3_RT_APPLICATION_DATA
, buf
, n
);
1203 tls13_send_alert(struct tls13_record_layer
*rl
, uint8_t alert_desc
)
1205 uint8_t alert_level
= TLS13_ALERT_LEVEL_FATAL
;
1208 if (rl
->cb
.alert_send
!= NULL
)
1209 return rl
->cb
.alert_send(alert_desc
, rl
->cb_arg
);
1211 if (alert_desc
== TLS13_ALERT_CLOSE_NOTIFY
||
1212 alert_desc
== TLS13_ALERT_USER_CANCELED
)
1213 alert_level
= TLS13_ALERT_LEVEL_WARNING
;
1216 ret
= tls13_record_layer_enqueue_alert(rl
, alert_level
,
1218 } while (ret
== TLS13_IO_WANT_RETRY
);