Bug Summary

File:src/lib/libssl/tls13_record_layer.c
Warning:line 595, column 2
Potential leak of memory pointed to by 'content'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name tls13_record_layer.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libssl/obj -resource-dir /usr/local/lib/clang/13.0.0 -D LIBRESSL_INTERNAL -I /usr/src/lib/libssl -D PIC -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libssl/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/lib/libssl/tls13_record_layer.c
1/* $OpenBSD: tls13_record_layer.c,v 1.66 2022/01/06 18:18:13 jsing Exp $ */
2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include "tls13_internal.h"
19#include "tls13_record.h"
20#include "tls_content.h"
21
22static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
23 uint8_t content_type, const uint8_t *buf, size_t n);
24static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
25 uint8_t content_type, const uint8_t *content, size_t content_len);
26
27struct tls13_record_protection {
28 EVP_AEAD_CTX *aead_ctx;
29 struct tls13_secret iv;
30 struct tls13_secret nonce;
31 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN8];
32};
33
34struct tls13_record_protection *
35tls13_record_protection_new(void)
36{
37 return calloc(1, sizeof(struct tls13_record_protection));
38}
39
40void
41tls13_record_protection_clear(struct tls13_record_protection *rp)
42{
43 if (rp->aead_ctx != NULL((void*)0)) {
44 EVP_AEAD_CTX_cleanup(rp->aead_ctx);
45 freezero(rp->aead_ctx, sizeof(*rp->aead_ctx));
46 }
47
48 tls13_secret_cleanup(&rp->iv);
49 tls13_secret_cleanup(&rp->nonce);
50
51 memset(rp, 0, sizeof(*rp));
52}
53
54void
55tls13_record_protection_free(struct tls13_record_protection *rp)
56{
57 if (rp == NULL((void*)0))
58 return;
59
60 tls13_record_protection_clear(rp);
61
62 freezero(rp, sizeof(struct tls13_record_protection));
63}
64
65struct tls13_record_layer {
66 uint16_t legacy_version;
67
68 int ccs_allowed;
69 int ccs_seen;
70 int ccs_sent;
71 int handshake_completed;
72 int legacy_alerts_allowed;
73 int phh;
74 int phh_retry;
75
76 /*
77 * Read and/or write channels are closed due to an alert being
78 * sent or received. In the case of an error alert both channels
79 * are closed, whereas in the case of a close notify only one
80 * channel is closed.
81 */
82 int read_closed;
83 int write_closed;
84
85 struct tls13_record *rrec;
86
87 struct tls13_record *wrec;
88 uint8_t wrec_content_type;
89 size_t wrec_appdata_len;
90 size_t wrec_content_len;
91
92 /* Alert to be sent on return from current read handler. */
93 uint8_t alert;
94
95 /* Pending alert messages. */
96 uint8_t *alert_data;
97 size_t alert_len;
98 uint8_t alert_level;
99 uint8_t alert_desc;
100
101 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */
102 CBS phh_cbs;
103 uint8_t *phh_data;
104 size_t phh_len;
105
106 /* Content from opened records. */
107 struct tls_content *rcontent;
108
109 /* Record protection. */
110 const EVP_MD *hash;
111 const EVP_AEAD *aead;
112 struct tls13_record_protection *read;
113 struct tls13_record_protection *write;
114
115 /* Callbacks. */
116 struct tls13_record_layer_callbacks cb;
117 void *cb_arg;
118};
119
120static void
121tls13_record_layer_rrec_free(struct tls13_record_layer *rl)
122{
123 tls13_record_free(rl->rrec);
124 rl->rrec = NULL((void*)0);
125}
126
127static void
128tls13_record_layer_wrec_free(struct tls13_record_layer *rl)
129{
130 tls13_record_free(rl->wrec);
131 rl->wrec = NULL((void*)0);
132}
133
134struct tls13_record_layer *
135tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks,
136 void *cb_arg)
137{
138 struct tls13_record_layer *rl;
139
140 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL((void*)0))
141 goto err;
142
143 if ((rl->rcontent = tls_content_new()) == NULL((void*)0))
144 goto err;
145
146 if ((rl->read = tls13_record_protection_new()) == NULL((void*)0))
147 goto err;
148 if ((rl->write = tls13_record_protection_new()) == NULL((void*)0))
149 goto err;
150
151 rl->legacy_version = TLS1_2_VERSION0x0303;
152 rl->cb = *callbacks;
153 rl->cb_arg = cb_arg;
154
155 return rl;
156
157 err:
158 tls13_record_layer_free(rl);
159
160 return NULL((void*)0);
161}
162
163void
164tls13_record_layer_free(struct tls13_record_layer *rl)
165{
166 if (rl == NULL((void*)0))
167 return;
168
169 tls13_record_layer_rrec_free(rl);
170 tls13_record_layer_wrec_free(rl);
171
172 freezero(rl->alert_data, rl->alert_len);
173 freezero(rl->phh_data, rl->phh_len);
174
175 tls_content_free(rl->rcontent);
176
177 tls13_record_protection_free(rl->read);
178 tls13_record_protection_free(rl->write);
179
180 freezero(rl, sizeof(struct tls13_record_layer));
181}
182
183void
184tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs)
185{
186 CBS_dup(tls_content_cbs(rl->rcontent), cbs);
187}
188
189static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN8] = {
190 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
191};
192
193int
194tls13_record_layer_inc_seq_num(uint8_t *seq_num)
195{
196 int i;
197
198 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */
199 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN8) == 0)
200 return 0;
201
202 for (i = TLS13_RECORD_SEQ_NUM_LEN8 - 1; i >= 0; i--) {
203 if (++seq_num[i] != 0)
204 break;
205 }
206
207 return 1;
208}
209
210static int
211tls13_record_layer_update_nonce(struct tls13_secret *nonce,
212 struct tls13_secret *iv, uint8_t *seq_num)
213{
214 ssize_t i, j;
215
216 if (nonce->len != iv->len)
217 return 0;
218
219 /*
220 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd
221 * with the IV to produce a per-record nonce. The IV will also be
222 * at least 8-bytes in length.
223 */
224 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN8 - 1; i >= 0; i--, j--)
225 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0);
226
227 return 1;
228}
229
230void
231tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow)
232{
233 rl->ccs_allowed = allow;
234}
235
236void
237tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow)
238{
239 rl->legacy_alerts_allowed = allow;
240}
241
242void
243tls13_record_layer_set_aead(struct tls13_record_layer *rl,
244 const EVP_AEAD *aead)
245{
246 rl->aead = aead;
247}
248
249void
250tls13_record_layer_set_hash(struct tls13_record_layer *rl,
251 const EVP_MD *hash)
252{
253 rl->hash = hash;
254}
255
256void
257tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl,
258 uint16_t version)
259{
260 rl->legacy_version = version;
261}
262
263void
264tls13_record_layer_handshake_completed(struct tls13_record_layer *rl)
265{
266 rl->handshake_completed = 1;
267}
268
269void
270tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry)
271{
272 rl->phh_retry = retry;
273}
274
275static ssize_t
276tls13_record_layer_process_alert(struct tls13_record_layer *rl)
277{
278 uint8_t alert_level, alert_desc;
279 ssize_t ret = TLS13_IO_FAILURE-1;
280
281 /*
282 * RFC 8446 - sections 5.1 and 6.
283 *
284 * A TLSv1.3 alert record can only contain a single alert - this means
285 * that processing the alert must consume all of the record. The alert
286 * will result in one of three things - continuation (user_cancelled),
287 * read channel closure (close_notify) or termination (all others).
288 */
289 if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT21)
290 return TLS13_IO_FAILURE-1;
291
292 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level))
293 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR50);
294 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc))
295 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR50);
296
297 if (tls_content_remaining(rl->rcontent) != 0)
298 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR50);
299
300 tls_content_clear(rl->rcontent);
301
302 /*
303 * Alert level is ignored for closure alerts (RFC 8446 section 6.1),
304 * however for error alerts (RFC 8446 section 6.2), the alert level
305 * must be specified as fatal.
306 */
307 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY0) {
308 rl->read_closed = 1;
309 ret = TLS13_IO_EOF0;
310 } else if (alert_desc == TLS13_ALERT_USER_CANCELED90) {
311 /* Ignored at the record layer. */
312 ret = TLS13_IO_WANT_RETRY-5;
313 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL2) {
314 rl->read_closed = 1;
315 rl->write_closed = 1;
316 ret = TLS13_IO_ALERT-2;
317 } else if (rl->legacy_alerts_allowed &&
318 alert_level == TLS13_ALERT_LEVEL_WARNING1) {
319 /* Ignored and not passed to the callback. */
320 return TLS13_IO_WANT_RETRY-5;
321 } else {
322 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER47);
323 }
324
325 rl->cb.alert_recv(alert_desc, rl->cb_arg);
326
327 return ret;
328}
329
330static ssize_t
331tls13_record_layer_send_alert(struct tls13_record_layer *rl)
332{
333 ssize_t ret;
334
335 /* This has to fit into a single record, per RFC 8446 section 5.1. */
336 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT21,
337 rl->alert_data, rl->alert_len)) != rl->alert_len) {
338 if (ret == TLS13_IO_EOF0)
339 ret = TLS13_IO_ALERT-2;
340 return ret;
341 }
342
343 freezero(rl->alert_data, rl->alert_len);
344 rl->alert_data = NULL((void*)0);
345 rl->alert_len = 0;
346
347 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY0) {
348 rl->write_closed = 1;
349 ret = TLS13_IO_SUCCESS1;
350 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED90) {
351 /* Ignored at the record layer. */
352 ret = TLS13_IO_SUCCESS1;
353 } else {
354 rl->read_closed = 1;
355 rl->write_closed = 1;
356 ret = TLS13_IO_ALERT-2;
357 }
358
359 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg);
360
361 return ret;
362}
363
364static ssize_t
365tls13_record_layer_send_phh(struct tls13_record_layer *rl)
366{
367 ssize_t ret;
368
369 /* Push out pending post-handshake handshake messages. */
370 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE22,
371 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0)
372 return ret;
373 if (!CBS_skip(&rl->phh_cbs, ret))
374 return TLS13_IO_FAILURE-1;
375 if (CBS_len(&rl->phh_cbs) != 0)
376 return TLS13_IO_WANT_RETRY-5;
377
378 freezero(rl->phh_data, rl->phh_len);
379 rl->phh_data = NULL((void*)0);
380 rl->phh_len = 0;
381
382 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
383
384 rl->cb.phh_sent(rl->cb_arg);
385
386 return TLS13_IO_SUCCESS1;
387}
388
389ssize_t
390tls13_record_layer_send_pending(struct tls13_record_layer *rl)
391{
392 /*
393 * If an alert is pending, then it needs to be sent. However,
394 * if we're already part of the way through sending post-handshake
395 * handshake messages, then we need to finish that first...
396 */
397
398 if (rl->phh_data != NULL((void*)0) && CBS_len(&rl->phh_cbs) != rl->phh_len)
399 return tls13_record_layer_send_phh(rl);
400
401 if (rl->alert_data != NULL((void*)0))
402 return tls13_record_layer_send_alert(rl);
403
404 if (rl->phh_data != NULL((void*)0))
405 return tls13_record_layer_send_phh(rl);
406
407 return TLS13_IO_SUCCESS1;
408}
409
410static ssize_t
411tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl,
412 uint8_t alert_level, uint8_t alert_desc)
413{
414 CBB cbb;
415
416 if (rl->alert_data != NULL((void*)0))
417 return TLS13_IO_FAILURE-1;
418
419 if (!CBB_init(&cbb, 0))
420 goto err;
421
422 if (!CBB_add_u8(&cbb, alert_level))
423 goto err;
424 if (!CBB_add_u8(&cbb, alert_desc))
425 goto err;
426 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
427 goto err;
428
429 rl->alert_level = alert_level;
430 rl->alert_desc = alert_desc;
431
432 return tls13_record_layer_send_pending(rl);
433
434 err:
435 CBB_cleanup(&cbb);
436
437 return TLS13_IO_FAILURE-1;
438}
439
440ssize_t
441tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs)
442{
443 if (rl->phh_data != NULL((void*)0))
444 return TLS13_IO_FAILURE-1;
445
446 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len))
447 return TLS13_IO_FAILURE-1;
448
449 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
450
451 return tls13_record_layer_send_pending(rl);
452}
453
454static int
455tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash,
456 struct tls13_record_protection *rp, struct tls13_secret *traffic_key)
457{
458 struct tls13_secret context = { .data = "", .len = 0 };
459 struct tls13_secret key = { .data = NULL((void*)0), .len = 0 };
460 int ret = 0;
461
462 tls13_record_protection_clear(rp);
463
464 if ((rp->aead_ctx = calloc(1, sizeof(*rp->aead_ctx))) == NULL((void*)0))
465 return 0;
466
467 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead)))
468 goto err;
469 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead)))
470 goto err;
471 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead)))
472 goto err;
473
474 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context))
475 goto err;
476 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))
477 goto err;
478
479 if (!EVP_AEAD_CTX_init(rp->aead_ctx, aead, key.data, key.len,
480 EVP_AEAD_DEFAULT_TAG_LENGTH0, NULL((void*)0)))
481 goto err;
482
483 ret = 1;
484
485 err:
486 tls13_secret_cleanup(&key);
487
488 return ret;
489}
490
491int
492tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
493 struct tls13_secret *read_key)
494{
495 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
496 rl->read, read_key);
497}
498
499int
500tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
501 struct tls13_secret *write_key)
502{
503 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
504 rl->write, write_key);
505}
506
507static int
508tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl)
509{
510 CBS cbs;
511
512 if (rl->aead != NULL((void*)0))
513 return 0;
514
515 /*
516 * We're still operating in plaintext mode, so just copy the
517 * content from the record to the plaintext buffer.
518 */
519 if (!tls13_record_content(rl->rrec, &cbs))
520 return 0;
521
522 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN16384) {
523 rl->alert = TLS13_ALERT_RECORD_OVERFLOW22;
524 return 0;
525 }
526
527 if (!tls_content_dup_data(rl->rcontent,
528 tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs)))
529 return 0;
530
531 return 1;
532}
533
534static int
535tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
536{
537 CBS header, enc_record, inner;
538 uint8_t *content = NULL((void*)0);
539 size_t content_len = 0;
540 uint8_t content_type;
541 size_t out_len;
542
543 if (rl->aead == NULL((void*)0))
1
Assuming field 'aead' is not equal to NULL
2
Taking false branch
544 goto err;
545
546 if (!tls13_record_header(rl->rrec, &header))
3
Assuming the condition is false
4
Taking false branch
547 goto err;
548 if (!tls13_record_content(rl->rrec, &enc_record))
5
Assuming the condition is false
6
Taking false branch
549 goto err;
550
551 if ((content = calloc(1, CBS_len(&enc_record))) == NULL((void*)0))
7
Memory is allocated
8
Assuming the condition is false
9
Taking false branch
552 goto err;
553 content_len = CBS_len(&enc_record);
554
555 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv,
10
Assuming the condition is false
11
Taking false branch
556 rl->read->seq_num))
557 goto err;
558
559 if (!EVP_AEAD_CTX_open(rl->read->aead_ctx,
12
Assuming the condition is false
13
Taking false branch
560 content, &out_len, content_len,
561 rl->read->nonce.data, rl->read->nonce.len,
562 CBS_data(&enc_record), CBS_len(&enc_record),
563 CBS_data(&header), CBS_len(&header)))
564 goto err;
565
566 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN(16384 + 1)) {
14
Assuming the condition is false
15
Taking false branch
567 rl->alert = TLS13_ALERT_RECORD_OVERFLOW22;
568 goto err;
569 }
570
571 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num))
16
Assuming the condition is false
17
Taking false branch
572 goto err;
573
574 /*
575 * The real content type is hidden at the end of the record content and
576 * it may be followed by padding that consists of one or more zeroes.
577 * Time to hunt for that elusive content type!
578 */
579 CBS_init(&inner, content, out_len);
580 content_type = 0;
581 while (CBS_get_last_u8(&inner, &content_type)) {
18
Loop condition is false. Execution continues on line 585
582 if (content_type != 0)
583 break;
584 }
585 if (content_type == 0) {
19
Assuming 'content_type' is not equal to 0
20
Taking false branch
586 /* Unexpected message per RFC 8446 section 5.4. */
587 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE10;
588 goto err;
589 }
590 if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN16384) {
21
Assuming the condition is false
22
Taking false branch
591 rl->alert = TLS13_ALERT_RECORD_OVERFLOW22;
592 goto err;
593 }
594
595 tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner),
23
Potential leak of memory pointed to by 'content'
596 CBS_len(&inner));
597
598 return 1;
599
600 err:
601 freezero(content, content_len);
602
603 return 0;
604}
605
606static int
607tls13_record_layer_open_record(struct tls13_record_layer *rl)
608{
609 if (rl->handshake_completed && rl->aead == NULL((void*)0))
610 return 0;
611
612 if (rl->aead == NULL((void*)0))
613 return tls13_record_layer_open_record_plaintext(rl);
614
615 return tls13_record_layer_open_record_protected(rl);
616}
617
618static int
619tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl,
620 uint8_t content_type, const uint8_t *content, size_t content_len)
621{
622 uint8_t *data = NULL((void*)0);
623 size_t data_len = 0;
624 CBB cbb, body;
625
626 /*
627 * Allow dummy CCS messages to be sent in plaintext even when
628 * record protection has been engaged, as long as the handshake
629 * has not yet completed.
630 */
631 if (rl->handshake_completed)
632 return 0;
633 if (rl->aead != NULL((void*)0) && content_type != SSL3_RT_CHANGE_CIPHER_SPEC20)
634 return 0;
635
636 /*
637 * We're still operating in plaintext mode, so just copy the
638 * content into the record.
639 */
640 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN5 + content_len))
641 goto err;
642
643 if (!CBB_add_u8(&cbb, content_type))
644 goto err;
645 if (!CBB_add_u16(&cbb, rl->legacy_version))
646 goto err;
647 if (!CBB_add_u16_length_prefixed(&cbb, &body))
648 goto err;
649 if (!CBB_add_bytes(&body, content, content_len))
650 goto err;
651
652 if (!CBB_finish(&cbb, &data, &data_len))
653 goto err;
654
655 if (!tls13_record_set_data(rl->wrec, data, data_len))
656 goto err;
657
658 rl->wrec_content_len = content_len;
659 rl->wrec_content_type = content_type;
660
661 return 1;
662
663 err:
664 CBB_cleanup(&cbb);
665 freezero(data, data_len);
666
667 return 0;
668}
669
670static int
671tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
672 uint8_t content_type, const uint8_t *content, size_t content_len)
673{
674 uint8_t *data = NULL((void*)0), *header = NULL((void*)0), *inner = NULL((void*)0);
675 size_t data_len = 0, header_len = 0, inner_len = 0;
676 uint8_t *enc_record;
677 size_t enc_record_len;
678 ssize_t ret = 0;
679 size_t out_len;
680 CBB cbb;
681
682 if (rl->aead == NULL((void*)0))
683 return 0;
684
685 memset(&cbb, 0, sizeof(cbb));
686
687 /* Build inner plaintext. */
688 if (!CBB_init(&cbb, content_len + 1))
689 goto err;
690 if (!CBB_add_bytes(&cbb, content, content_len))
691 goto err;
692 if (!CBB_add_u8(&cbb, content_type))
693 goto err;
694 /* XXX - padding? */
695 if (!CBB_finish(&cbb, &inner, &inner_len))
696 goto err;
697
698 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN(16384 + 1))
699 goto err;
700
701 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
702 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead);
703 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN((16384 + 1) + 255))
704 goto err;
705
706 /* Build the record header. */
707 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN5))
708 goto err;
709 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA23))
710 goto err;
711 if (!CBB_add_u16(&cbb, TLS1_2_VERSION0x0303))
712 goto err;
713 if (!CBB_add_u16(&cbb, enc_record_len))
714 goto err;
715 if (!CBB_finish(&cbb, &header, &header_len))
716 goto err;
717
718 /* Build the actual record. */
719 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN5 + enc_record_len))
720 goto err;
721 if (!CBB_add_bytes(&cbb, header, header_len))
722 goto err;
723 if (!CBB_add_space(&cbb, &enc_record, enc_record_len))
724 goto err;
725 if (!CBB_finish(&cbb, &data, &data_len))
726 goto err;
727
728 if (!tls13_record_layer_update_nonce(&rl->write->nonce,
729 &rl->write->iv, rl->write->seq_num))
730 goto err;
731
732 /*
733 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec...
734 * this would avoid a copy since the inner would be passed as two
735 * separate pieces.
736 */
737 if (!EVP_AEAD_CTX_seal(rl->write->aead_ctx,
738 enc_record, &out_len, enc_record_len,
739 rl->write->nonce.data, rl->write->nonce.len,
740 inner, inner_len, header, header_len))
741 goto err;
742
743 if (out_len != enc_record_len)
744 goto err;
745
746 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num))
747 goto err;
748
749 if (!tls13_record_set_data(rl->wrec, data, data_len))
750 goto err;
751
752 rl->wrec_content_len = content_len;
753 rl->wrec_content_type = content_type;
754
755 data = NULL((void*)0);
756 data_len = 0;
757
758 ret = 1;
759
760 err:
761 CBB_cleanup(&cbb);
762
763 freezero(data, data_len);
764 freezero(header, header_len);
765 freezero(inner, inner_len);
766
767 return ret;
768}
769
770static int
771tls13_record_layer_seal_record(struct tls13_record_layer *rl,
772 uint8_t content_type, const uint8_t *content, size_t content_len)
773{
774 if (rl->handshake_completed && rl->aead == NULL((void*)0))
775 return 0;
776
777 tls13_record_layer_wrec_free(rl);
778
779 if ((rl->wrec = tls13_record_new()) == NULL((void*)0))
780 return 0;
781
782 if (rl->aead == NULL((void*)0) || content_type == SSL3_RT_CHANGE_CIPHER_SPEC20)
783 return tls13_record_layer_seal_record_plaintext(rl,
784 content_type, content, content_len);
785
786 return tls13_record_layer_seal_record_protected(rl, content_type,
787 content, content_len);
788}
789
790static ssize_t
791tls13_record_layer_read_record(struct tls13_record_layer *rl)
792{
793 uint8_t content_type, ccs;
794 ssize_t ret;
795 CBS cbs;
796
797 if (rl->rrec == NULL((void*)0)) {
798 if ((rl->rrec = tls13_record_new()) == NULL((void*)0))
799 goto err;
800 }
801
802 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
803 switch (ret) {
804 case TLS13_IO_RECORD_VERSION-7:
805 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION70);
806 case TLS13_IO_RECORD_OVERFLOW-8:
807 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW22);
808 }
809 return ret;
810 }
811
812 content_type = tls13_record_content_type(rl->rrec);
813
814 /*
815 * In response to a client hello we may receive an alert in a
816 * record with a legacy version. Otherwise enforce that the
817 * legacy record version is 0x0303 per RFC 8446, section 5.1.
818 */
819 if (rl->legacy_version == TLS1_2_VERSION0x0303 &&
820 tls13_record_version(rl->rrec) != TLS1_2_VERSION0x0303 &&
821 (content_type != SSL3_RT_ALERT21 || !rl->legacy_alerts_allowed))
822 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION70);
823
824 /*
825 * Bag of hacks ahead... after the first ClientHello message has been
826 * sent or received and before the peer's Finished message has been
827 * received, we may receive an unencrypted ChangeCipherSpec record
828 * (see RFC 8446 section 5 and appendix D.4). This record must be
829 * ignored.
830 */
831 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC20) {
832 if (!rl->ccs_allowed || rl->ccs_seen >= 2)
833 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
834 if (!tls13_record_content(rl->rrec, &cbs))
835 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR50);
836 if (!CBS_get_u8(&cbs, &ccs))
837 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR50);
838 if (ccs != 1)
839 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER47);
840 rl->ccs_seen++;
841 tls13_record_layer_rrec_free(rl);
842 return TLS13_IO_WANT_RETRY-5;
843 }
844
845 /*
846 * Once record protection is engaged, we should only receive
847 * protected application data messages (aside from the
848 * dummy ChangeCipherSpec messages, handled above).
849 */
850 if (rl->aead != NULL((void*)0) && content_type != SSL3_RT_APPLICATION_DATA23)
851 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
852
853 if (!tls13_record_layer_open_record(rl))
854 goto err;
855
856 tls13_record_layer_rrec_free(rl);
857
858 /*
859 * On receiving a handshake or alert record with empty inner plaintext,
860 * we must terminate the connection with an unexpected_message alert.
861 * See RFC 8446 section 5.4.
862 */
863 if (tls_content_remaining(rl->rcontent) == 0 &&
864 (tls_content_type(rl->rcontent) == SSL3_RT_ALERT21 ||
865 tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE22))
866 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
867
868 switch (tls_content_type(rl->rcontent)) {
869 case SSL3_RT_ALERT21:
870 return tls13_record_layer_process_alert(rl);
871
872 case SSL3_RT_HANDSHAKE22:
873 break;
874
875 case SSL3_RT_APPLICATION_DATA23:
876 if (!rl->handshake_completed)
877 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
878 break;
879
880 default:
881 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
882 }
883
884 return TLS13_IO_SUCCESS1;
885
886 err:
887 return TLS13_IO_FAILURE-1;
888}
889
890static ssize_t
891tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type)
892{
893 if (tls_content_type(rl->rcontent) != content_type)
894 return 0;
895
896 return tls_content_remaining(rl->rcontent);
897}
898
899static ssize_t
900tls13_record_layer_recv_phh(struct tls13_record_layer *rl)
901{
902 ssize_t ret = TLS13_IO_FAILURE-1;
903
904 rl->phh = 1;
905
906 /*
907 * The post handshake handshake receive callback is allowed to return:
908 *
909 * TLS13_IO_WANT_POLLIN need more handshake data.
910 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued.
911 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do.
912 * TLS13_IO_FAILURE something broke.
913 */
914 if (rl->cb.phh_recv != NULL((void*)0))
915 ret = rl->cb.phh_recv(rl->cb_arg, tls_content_cbs(rl->rcontent));
916
917 tls_content_clear(rl->rcontent);
918
919 /* Leave post handshake handshake mode unless we need more data. */
920 if (ret != TLS13_IO_WANT_POLLIN-3)
921 rl->phh = 0;
922
923 if (ret == TLS13_IO_SUCCESS1) {
924 if (rl->phh_retry)
925 return TLS13_IO_WANT_RETRY-5;
926
927 return TLS13_IO_WANT_POLLIN-3;
928 }
929
930 return ret;
931}
932
933static ssize_t
934tls13_record_layer_read_internal(struct tls13_record_layer *rl,
935 uint8_t content_type, uint8_t *buf, size_t n, int peek)
936{
937 ssize_t ret;
938
939 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS1)
940 return ret;
941
942 if (rl->read_closed)
943 return TLS13_IO_EOF0;
944
945 /* If necessary, pull up the next record. */
946 if (tls_content_remaining(rl->rcontent) == 0) {
947 if ((ret = tls13_record_layer_read_record(rl)) <= 0)
948 return ret;
949
950 /*
951 * We may have read a valid 0-byte application data record,
952 * in which case we need to read the next record.
953 */
954 if (tls_content_remaining(rl->rcontent) == 0)
955 return TLS13_IO_WANT_POLLIN-3;
956 }
957
958 /*
959 * If we are in post handshake handshake mode, we must not see
960 * any record type that isn't a handshake until we are done.
961 */
962 if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE22)
963 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
964
965 /*
966 * Handshake content can appear as post-handshake messages (yup,
967 * the RFC reused the same content type...), which means we can
968 * be trying to read application data and need to handle a
969 * post-handshake handshake message instead...
970 */
971 if (tls_content_type(rl->rcontent) != content_type) {
972 if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE22) {
973 if (rl->handshake_completed)
974 return tls13_record_layer_recv_phh(rl);
975 }
976 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
977 }
978
979 if (peek)
980 return tls_content_peek(rl->rcontent, buf, n);
981
982 return tls_content_read(rl->rcontent, buf, n);
983}
984
985static ssize_t
986tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type,
987 uint8_t *buf, size_t n)
988{
989 ssize_t ret;
990
991 do {
992 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1);
993 } while (ret == TLS13_IO_WANT_RETRY-5);
994
995 if (rl->alert != 0)
996 return tls13_send_alert(rl, rl->alert);
997
998 return ret;
999}
1000
1001static ssize_t
1002tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
1003 uint8_t *buf, size_t n)
1004{
1005 ssize_t ret;
1006
1007 do {
1008 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0);
1009 } while (ret == TLS13_IO_WANT_RETRY-5);
1010
1011 if (rl->alert != 0)
1012 return tls13_send_alert(rl, rl->alert);
1013
1014 return ret;
1015}
1016
1017static ssize_t
1018tls13_record_layer_write_record(struct tls13_record_layer *rl,
1019 uint8_t content_type, const uint8_t *content, size_t content_len)
1020{
1021 ssize_t ret;
1022
1023 if (rl->write_closed)
1024 return TLS13_IO_EOF0;
1025
1026 /*
1027 * If we pushed out application data while handling other messages,
1028 * we need to return content length on the next call.
1029 */
1030 if (content_type == SSL3_RT_APPLICATION_DATA23 &&
1031 rl->wrec_appdata_len != 0) {
1032 ret = rl->wrec_appdata_len;
1033 rl->wrec_appdata_len = 0;
1034 return ret;
1035 }
1036
1037 /* See if there is an existing record and attempt to push it out... */
1038 if (rl->wrec != NULL((void*)0)) {
1039 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write,
1040 rl->cb_arg)) <= 0)
1041 return ret;
1042 tls13_record_layer_wrec_free(rl);
1043
1044 if (rl->wrec_content_type == content_type) {
1045 ret = rl->wrec_content_len;
1046 rl->wrec_content_len = 0;
1047 rl->wrec_content_type = 0;
1048 return ret;
1049 }
1050
1051 /*
1052 * The only partial record type should be application data.
1053 * All other cases are handled to completion.
1054 */
1055 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA23)
1056 return TLS13_IO_FAILURE-1;
1057 rl->wrec_appdata_len = rl->wrec_content_len;
1058 }
1059
1060 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN16384)
1061 goto err;
1062
1063 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len))
1064 goto err;
1065
1066 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0)
1067 return ret;
1068
1069 tls13_record_layer_wrec_free(rl);
1070
1071 return content_len;
1072
1073 err:
1074 return TLS13_IO_FAILURE-1;
1075}
1076
1077static ssize_t
1078tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
1079 uint8_t content_type, const uint8_t *buf, size_t n)
1080{
1081 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN16384)
1082 n = TLS13_RECORD_MAX_PLAINTEXT_LEN16384;
1083
1084 return tls13_record_layer_write_record(rl, content_type, buf, n);
1085}
1086
1087static ssize_t
1088tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
1089 const uint8_t *buf, size_t n)
1090{
1091 ssize_t ret;
1092
1093 do {
1094 ret = tls13_record_layer_send_pending(rl);
1095 } while (ret == TLS13_IO_WANT_RETRY-5);
1096 if (ret != TLS13_IO_SUCCESS1)
1097 return ret;
1098
1099 do {
1100 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n);
1101 } while (ret == TLS13_IO_WANT_RETRY-5);
1102
1103 return ret;
1104}
1105
1106ssize_t
1107tls13_record_layer_flush(struct tls13_record_layer *rl)
1108{
1109 return rl->cb.wire_flush(rl->cb_arg);
1110}
1111
1112static const uint8_t tls13_dummy_ccs[] = { 0x01 };
1113
1114ssize_t
1115tls13_send_dummy_ccs(struct tls13_record_layer *rl)
1116{
1117 ssize_t ret;
1118
1119 if (rl->ccs_sent)
1120 return TLS13_IO_FAILURE-1;
1121
1122 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC20,
1123 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0)
1124 return ret;
1125
1126 rl->ccs_sent = 1;
1127
1128 return TLS13_IO_SUCCESS1;
1129}
1130
1131ssize_t
1132tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1133{
1134 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE22, buf, n);
1135}
1136
1137ssize_t
1138tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
1139 size_t n)
1140{
1141 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE22, buf, n);
1142}
1143
1144ssize_t
1145tls13_pending_application_data(struct tls13_record_layer *rl)
1146{
1147 if (!rl->handshake_completed)
1148 return 0;
1149
1150 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA23);
1151}
1152
1153ssize_t
1154tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1155{
1156 if (!rl->handshake_completed)
1157 return TLS13_IO_FAILURE-1;
1158
1159 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA23, buf, n);
1160}
1161
1162ssize_t
1163tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1164{
1165 if (!rl->handshake_completed)
1166 return TLS13_IO_FAILURE-1;
1167
1168 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA23, buf, n);
1169}
1170
1171ssize_t
1172tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf,
1173 size_t n)
1174{
1175 if (!rl->handshake_completed)
1176 return TLS13_IO_FAILURE-1;
1177
1178 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA23, buf, n);
1179}
1180
1181ssize_t
1182tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc)
1183{
1184 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL2;
1185 ssize_t ret;
1186
1187 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY0 ||
1188 alert_desc == TLS13_ALERT_USER_CANCELED90)
1189 alert_level = TLS13_ALERT_LEVEL_WARNING1;
1190
1191 do {
1192 ret = tls13_record_layer_enqueue_alert(rl, alert_level,
1193 alert_desc);
1194 } while (ret == TLS13_IO_WANT_RETRY-5);
1195
1196 return ret;
1197}