clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name tls13_record_layer.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libssl/obj -resource-dir /usr/local/llvm16/lib/clang/16 -D LIBRESSL_INTERNAL -I /usr/src/lib/libssl -I /usr/src/lib/libssl/../libcrypto/hidden -I /usr/src/lib/libssl/../libcrypto/bio -I /usr/src/lib/libssl/hidden -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libssl/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/lib/libssl/tls13_record_layer.c
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |
11 | |
12 | |
13 | |
14 | |
15 | |
16 | |
17 | |
18 | #include "tls13_internal.h" |
19 | #include "tls13_record.h" |
20 | #include "tls_content.h" |
21 | |
22 | static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, |
23 | uint8_t content_type, const uint8_t *buf, size_t n); |
24 | static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, |
25 | uint8_t content_type, const uint8_t *content, size_t content_len); |
26 | |
27 | struct tls13_record_protection { |
28 | EVP_AEAD_CTX *aead_ctx; |
29 | struct tls13_secret iv; |
30 | struct tls13_secret nonce; |
31 | uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; |
32 | }; |
33 | |
34 | struct tls13_record_protection * |
35 | tls13_record_protection_new(void) |
36 | { |
37 | return calloc(1, sizeof(struct tls13_record_protection)); |
38 | } |
39 | |
40 | void |
41 | tls13_record_protection_clear(struct tls13_record_protection *rp) |
42 | { |
43 | EVP_AEAD_CTX_free(rp->aead_ctx); |
44 | |
45 | tls13_secret_cleanup(&rp->iv); |
46 | tls13_secret_cleanup(&rp->nonce); |
47 | |
48 | memset(rp, 0, sizeof(*rp)); |
49 | } |
50 | |
51 | void |
52 | tls13_record_protection_free(struct tls13_record_protection *rp) |
53 | { |
54 | if (rp == NULL) |
55 | return; |
56 | |
57 | tls13_record_protection_clear(rp); |
58 | |
59 | freezero(rp, sizeof(struct tls13_record_protection)); |
60 | } |
61 | |
62 | struct tls13_record_layer { |
63 | uint16_t legacy_version; |
64 | |
65 | int ccs_allowed; |
66 | int ccs_seen; |
67 | int ccs_sent; |
68 | int handshake_completed; |
69 | int legacy_alerts_allowed; |
70 | int phh; |
71 | int phh_retry; |
72 | |
73 | |
74 | |
75 | |
76 | |
77 | |
78 | |
79 | int read_closed; |
80 | int write_closed; |
81 | |
82 | struct tls13_record *rrec; |
83 | |
84 | struct tls13_record *wrec; |
85 | uint8_t wrec_content_type; |
86 | size_t wrec_appdata_len; |
87 | size_t wrec_content_len; |
88 | |
89 | |
90 | uint8_t alert; |
91 | |
92 | |
93 | uint8_t *alert_data; |
94 | size_t alert_len; |
95 | uint8_t alert_level; |
96 | uint8_t alert_desc; |
97 | |
98 | |
99 | CBS phh_cbs; |
100 | uint8_t *phh_data; |
101 | size_t phh_len; |
102 | |
103 | |
104 | struct tls_content *rcontent; |
105 | |
106 | |
107 | const EVP_MD *hash; |
108 | const EVP_AEAD *aead; |
109 | struct tls13_record_protection *read; |
110 | struct tls13_record_protection *write; |
111 | |
112 | |
113 | struct tls13_record_layer_callbacks cb; |
114 | void *cb_arg; |
115 | }; |
116 | |
117 | static void |
118 | tls13_record_layer_rrec_free(struct tls13_record_layer *rl) |
119 | { |
120 | tls13_record_free(rl->rrec); |
121 | rl->rrec = NULL; |
122 | } |
123 | |
124 | static void |
125 | tls13_record_layer_wrec_free(struct tls13_record_layer *rl) |
126 | { |
127 | tls13_record_free(rl->wrec); |
128 | rl->wrec = NULL; |
129 | } |
130 | |
131 | struct tls13_record_layer * |
132 | tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, |
133 | void *cb_arg) |
134 | { |
135 | struct tls13_record_layer *rl; |
136 | |
137 | if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) |
138 | goto err; |
139 | |
140 | if ((rl->rcontent = tls_content_new()) == NULL) |
141 | goto err; |
142 | |
143 | if ((rl->read = tls13_record_protection_new()) == NULL) |
144 | goto err; |
145 | if ((rl->write = tls13_record_protection_new()) == NULL) |
146 | goto err; |
147 | |
148 | rl->legacy_version = TLS1_2_VERSION; |
149 | |
150 | tls13_record_layer_set_callbacks(rl, callbacks, cb_arg); |
151 | |
152 | return rl; |
153 | |
154 | err: |
155 | tls13_record_layer_free(rl); |
156 | |
157 | return NULL; |
158 | } |
159 | |
160 | void |
161 | tls13_record_layer_free(struct tls13_record_layer *rl) |
162 | { |
163 | if (rl == NULL) |
164 | return; |
165 | |
166 | tls13_record_layer_rrec_free(rl); |
167 | tls13_record_layer_wrec_free(rl); |
168 | |
169 | freezero(rl->alert_data, rl->alert_len); |
170 | freezero(rl->phh_data, rl->phh_len); |
171 | |
172 | tls_content_free(rl->rcontent); |
173 | |
174 | tls13_record_protection_free(rl->read); |
175 | tls13_record_protection_free(rl->write); |
176 | |
177 | freezero(rl, sizeof(struct tls13_record_layer)); |
178 | } |
179 | |
180 | void |
181 | tls13_record_layer_set_callbacks(struct tls13_record_layer *rl, |
182 | const struct tls13_record_layer_callbacks *callbacks, void *cb_arg) |
183 | { |
184 | rl->cb = *callbacks; |
185 | rl->cb_arg = cb_arg; |
186 | } |
187 | |
188 | void |
189 | tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs) |
190 | { |
191 | CBS_dup(tls_content_cbs(rl->rcontent), cbs); |
192 | } |
193 | |
194 | static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { |
195 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, |
196 | }; |
197 | |
198 | int |
199 | tls13_record_layer_inc_seq_num(uint8_t *seq_num) |
200 | { |
201 | int i; |
202 | |
203 | |
204 | if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) |
205 | return 0; |
206 | |
207 | for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { |
208 | if (++seq_num[i] != 0) |
209 | break; |
210 | } |
211 | |
212 | return 1; |
213 | } |
214 | |
215 | static int |
216 | tls13_record_layer_update_nonce(struct tls13_secret *nonce, |
217 | struct tls13_secret *iv, uint8_t *seq_num) |
218 | { |
219 | ssize_t i, j; |
220 | |
221 | if (nonce->len != iv->len) |
222 | return 0; |
223 | |
224 | |
225 | |
226 | |
227 | |
228 | |
229 | for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) |
230 | nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0); |
231 | |
232 | return 1; |
233 | } |
234 | |
235 | void |
236 | tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) |
237 | { |
238 | rl->ccs_allowed = allow; |
239 | } |
240 | |
241 | void |
242 | tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) |
243 | { |
244 | rl->legacy_alerts_allowed = allow; |
245 | } |
246 | |
247 | void |
248 | tls13_record_layer_set_aead(struct tls13_record_layer *rl, |
249 | const EVP_AEAD *aead) |
250 | { |
251 | rl->aead = aead; |
252 | } |
253 | |
254 | void |
255 | tls13_record_layer_set_hash(struct tls13_record_layer *rl, |
256 | const EVP_MD *hash) |
257 | { |
258 | rl->hash = hash; |
259 | } |
260 | |
261 | void |
262 | tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, |
263 | uint16_t version) |
264 | { |
265 | rl->legacy_version = version; |
266 | } |
267 | |
268 | void |
269 | tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) |
270 | { |
271 | rl->handshake_completed = 1; |
272 | } |
273 | |
274 | void |
275 | tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) |
276 | { |
277 | rl->phh_retry = retry; |
278 | } |
279 | |
280 | static ssize_t |
281 | tls13_record_layer_process_alert(struct tls13_record_layer *rl) |
282 | { |
283 | uint8_t alert_level, alert_desc; |
284 | ssize_t ret = TLS13_IO_FAILURE; |
285 | |
286 | |
287 | |
288 | |
289 | |
290 | |
291 | |
292 | |
293 | |
294 | if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT) |
295 | return TLS13_IO_FAILURE; |
296 | |
297 | if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level)) |
298 | return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); |
299 | if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc)) |
300 | return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); |
301 | |
302 | if (tls_content_remaining(rl->rcontent) != 0) |
303 | return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); |
304 | |
305 | tls_content_clear(rl->rcontent); |
306 | |
307 | |
308 | |
309 | |
310 | |
311 | |
312 | if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { |
313 | rl->read_closed = 1; |
314 | ret = TLS13_IO_EOF; |
315 | } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { |
316 | |
317 | ret = TLS13_IO_WANT_RETRY; |
318 | } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { |
319 | rl->read_closed = 1; |
320 | rl->write_closed = 1; |
321 | ret = TLS13_IO_ALERT; |
322 | } else if (rl->legacy_alerts_allowed && |
323 | alert_level == TLS13_ALERT_LEVEL_WARNING) { |
324 | |
325 | return TLS13_IO_WANT_RETRY; |
326 | } else { |
327 | return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); |
328 | } |
329 | |
330 | rl->cb.alert_recv(alert_desc, rl->cb_arg); |
331 | |
332 | return ret; |
333 | } |
334 | |
335 | static ssize_t |
336 | tls13_record_layer_send_alert(struct tls13_record_layer *rl) |
337 | { |
338 | ssize_t ret; |
339 | |
340 | |
341 | if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, |
342 | rl->alert_data, rl->alert_len)) != rl->alert_len) { |
343 | if (ret == TLS13_IO_EOF) |
344 | ret = TLS13_IO_ALERT; |
345 | return ret; |
346 | } |
347 | |
348 | freezero(rl->alert_data, rl->alert_len); |
349 | rl->alert_data = NULL; |
350 | rl->alert_len = 0; |
351 | |
352 | if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { |
353 | rl->write_closed = 1; |
354 | ret = TLS13_IO_SUCCESS; |
355 | } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { |
356 | |
357 | ret = TLS13_IO_SUCCESS; |
358 | } else { |
359 | rl->read_closed = 1; |
360 | rl->write_closed = 1; |
361 | ret = TLS13_IO_ALERT; |
362 | } |
363 | |
364 | rl->cb.alert_sent(rl->alert_desc, rl->cb_arg); |
365 | |
366 | return ret; |
367 | } |
368 | |
369 | static ssize_t |
370 | tls13_record_layer_send_phh(struct tls13_record_layer *rl) |
371 | { |
372 | ssize_t ret; |
373 | |
374 | |
375 | if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, |
376 | CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) |
377 | return ret; |
378 | if (!CBS_skip(&rl->phh_cbs, ret)) |
379 | return TLS13_IO_FAILURE; |
380 | if (CBS_len(&rl->phh_cbs) != 0) |
381 | return TLS13_IO_WANT_RETRY; |
382 | |
383 | freezero(rl->phh_data, rl->phh_len); |
384 | rl->phh_data = NULL; |
385 | rl->phh_len = 0; |
386 | |
387 | CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); |
388 | |
389 | rl->cb.phh_sent(rl->cb_arg); |
390 | |
391 | return TLS13_IO_SUCCESS; |
392 | } |
393 | |
394 | ssize_t |
395 | tls13_record_layer_send_pending(struct tls13_record_layer *rl) |
396 | { |
397 | |
398 | |
399 | |
400 | |
401 | |
402 | |
403 | if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) |
404 | return tls13_record_layer_send_phh(rl); |
405 | |
406 | if (rl->alert_data != NULL) |
407 | return tls13_record_layer_send_alert(rl); |
408 | |
409 | if (rl->phh_data != NULL) |
410 | return tls13_record_layer_send_phh(rl); |
411 | |
412 | return TLS13_IO_SUCCESS; |
413 | } |
414 | |
415 | static ssize_t |
416 | tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl, |
417 | uint8_t alert_level, uint8_t alert_desc) |
418 | { |
419 | CBB cbb; |
420 | |
421 | if (rl->alert_data != NULL) |
422 | return TLS13_IO_FAILURE; |
423 | |
424 | if (!CBB_init(&cbb, 0)) |
425 | goto err; |
426 | |
427 | if (!CBB_add_u8(&cbb, alert_level)) |
428 | goto err; |
429 | if (!CBB_add_u8(&cbb, alert_desc)) |
430 | goto err; |
431 | if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) |
432 | goto err; |
433 | |
434 | rl->alert_level = alert_level; |
435 | rl->alert_desc = alert_desc; |
436 | |
437 | return tls13_record_layer_send_pending(rl); |
438 | |
439 | err: |
440 | CBB_cleanup(&cbb); |
441 | |
442 | return TLS13_IO_FAILURE; |
443 | } |
444 | |
445 | ssize_t |
446 | tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) |
447 | { |
448 | if (rl->phh_data != NULL) |
449 | return TLS13_IO_FAILURE; |
450 | |
451 | if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) |
452 | return TLS13_IO_FAILURE; |
453 | |
454 | CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); |
455 | |
456 | return tls13_record_layer_send_pending(rl); |
457 | } |
458 | |
459 | static int |
460 | tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash, |
461 | struct tls13_record_protection *rp, struct tls13_secret *traffic_key) |
462 | { |
463 | struct tls13_secret context = { .data = "", .len = 0 }; |
464 | struct tls13_secret key = { .data = NULL, .len = 0 }; |
465 | int ret = 0; |
466 | |
467 | tls13_record_protection_clear(rp); |
468 | |
469 | if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL) |
470 | return 0; |
471 | |
472 | if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead))) |
473 | goto err; |
474 | if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead))) |
475 | goto err; |
476 | if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead))) |
477 | goto err; |
478 | |
479 | if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context)) |
480 | goto err; |
481 | if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) |
482 | goto err; |
483 | |
484 | if (!EVP_AEAD_CTX_init(rp->aead_ctx, aead, key.data, key.len, |
485 | EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) |
486 | goto err; |
487 | |
488 | ret = 1; |
489 | |
490 | err: |
491 | tls13_secret_cleanup(&key); |
492 | |
493 | return ret; |
494 | } |
495 | |
496 | int |
497 | tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, |
498 | struct tls13_secret *read_key, enum ssl_encryption_level_t read_level) |
499 | { |
500 | if (rl->cb.set_read_traffic_key != NULL) |
501 | return rl->cb.set_read_traffic_key(read_key, read_level, |
502 | rl->cb_arg); |
503 | |
504 | return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, |
505 | rl->read, read_key); |
506 | } |
507 | |
508 | int |
509 | tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, |
510 | struct tls13_secret *write_key, enum ssl_encryption_level_t write_level) |
511 | { |
512 | if (rl->cb.set_write_traffic_key != NULL) |
513 | return rl->cb.set_write_traffic_key(write_key, write_level, |
514 | rl->cb_arg); |
515 | |
516 | return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, |
517 | rl->write, write_key); |
518 | } |
519 | |
520 | static int |
521 | tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) |
522 | { |
523 | CBS cbs; |
524 | |
525 | if (rl->aead != NULL) |
526 | return 0; |
527 | |
528 | |
529 | |
530 | |
531 | |
532 | if (!tls13_record_content(rl->rrec, &cbs)) |
533 | return 0; |
534 | |
535 | if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { |
536 | rl->alert = TLS13_ALERT_RECORD_OVERFLOW; |
537 | return 0; |
538 | } |
539 | |
540 | if (!tls_content_dup_data(rl->rcontent, |
541 | tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs))) |
542 | return 0; |
543 | |
544 | return 1; |
545 | } |
546 | |
547 | static int |
548 | tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) |
549 | { |
550 | CBS header, enc_record, inner; |
551 | uint8_t *content = NULL; |
552 | size_t content_len = 0; |
553 | uint8_t content_type; |
554 | size_t out_len; |
555 | |
556 | if (rl->aead == NULL) |
| 1 | Assuming field 'aead' is not equal to NULL | |
|
| |
557 | goto err; |
558 | |
559 | if (!tls13_record_header(rl->rrec, &header)) |
| 3 | | Assuming the condition is false | |
|
| |
560 | goto err; |
561 | if (!tls13_record_content(rl->rrec, &enc_record)) |
| 5 | | Assuming the condition is false | |
|
| |
562 | goto err; |
563 | |
564 | |
565 | if ((content = calloc(1, CBS_len(&enc_record))) == NULL) |
| |
| 8 | | Assuming the condition is false | |
|
| |
566 | goto err; |
567 | content_len = CBS_len(&enc_record); |
568 | |
569 | if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv, |
| 10 | | Assuming the condition is false | |
|
| |
570 | rl->read->seq_num)) |
571 | goto err; |
572 | |
573 | if (!EVP_AEAD_CTX_open(rl->read->aead_ctx, |
| 12 | | Assuming the condition is false | |
|
| |
574 | content, &out_len, content_len, |
575 | rl->read->nonce.data, rl->read->nonce.len, |
576 | CBS_data(&enc_record), CBS_len(&enc_record), |
577 | CBS_data(&header), CBS_len(&header))) |
578 | goto err; |
579 | |
580 | if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { |
| 14 | | Assuming the condition is false | |
|
| |
581 | rl->alert = TLS13_ALERT_RECORD_OVERFLOW; |
582 | goto err; |
583 | } |
584 | |
585 | if (!tls13_record_layer_inc_seq_num(rl->read->seq_num)) |
| 16 | | Assuming the condition is false | |
|
| |
586 | goto err; |
587 | |
588 | |
589 | |
590 | |
591 | |
592 | |
593 | CBS_init(&inner, content, out_len); |
594 | content_type = 0; |
595 | while (CBS_get_last_u8(&inner, &content_type)) { |
| 18 | | Loop condition is false. Execution continues on line 599 | |
|
596 | if (content_type != 0) |
597 | break; |
598 | } |
599 | if (content_type == 0) { |
| 19 | | Assuming 'content_type' is not equal to 0 | |
|
| |
600 | |
601 | rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; |
602 | goto err; |
603 | } |
604 | if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { |
| 21 | | Assuming the condition is false | |
|
| |
605 | rl->alert = TLS13_ALERT_RECORD_OVERFLOW; |
606 | goto err; |
607 | } |
608 | |
609 | tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner), |
| 23 | | Potential leak of memory pointed to by 'content' |
|
610 | CBS_len(&inner)); |
611 | |
612 | return 1; |
613 | |
614 | err: |
615 | freezero(content, content_len); |
616 | |
617 | return 0; |
618 | } |
619 | |
620 | static int |
621 | tls13_record_layer_open_record(struct tls13_record_layer *rl) |
622 | { |
623 | if (rl->handshake_completed && rl->aead == NULL) |
624 | return 0; |
625 | |
626 | if (rl->aead == NULL) |
627 | return tls13_record_layer_open_record_plaintext(rl); |
628 | |
629 | return tls13_record_layer_open_record_protected(rl); |
630 | } |
631 | |
632 | static int |
633 | tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, |
634 | uint8_t content_type, const uint8_t *content, size_t content_len) |
635 | { |
636 | uint8_t *data = NULL; |
637 | size_t data_len = 0; |
638 | CBB cbb, body; |
639 | |
640 | |
641 | |
642 | |
643 | |
644 | |
645 | if (rl->handshake_completed) |
646 | return 0; |
647 | if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) |
648 | return 0; |
649 | |
650 | |
651 | |
652 | |
653 | |
654 | if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) |
655 | goto err; |
656 | |
657 | if (!CBB_add_u8(&cbb, content_type)) |
658 | goto err; |
659 | if (!CBB_add_u16(&cbb, rl->legacy_version)) |
660 | goto err; |
661 | if (!CBB_add_u16_length_prefixed(&cbb, &body)) |
662 | goto err; |
663 | if (!CBB_add_bytes(&body, content, content_len)) |
664 | goto err; |
665 | |
666 | if (!CBB_finish(&cbb, &data, &data_len)) |
667 | goto err; |
668 | |
669 | if (!tls13_record_set_data(rl->wrec, data, data_len)) |
670 | goto err; |
671 | |
672 | rl->wrec_content_len = content_len; |
673 | rl->wrec_content_type = content_type; |
674 | |
675 | return 1; |
676 | |
677 | err: |
678 | CBB_cleanup(&cbb); |
679 | freezero(data, data_len); |
680 | |
681 | return 0; |
682 | } |
683 | |
684 | static int |
685 | tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, |
686 | uint8_t content_type, const uint8_t *content, size_t content_len) |
687 | { |
688 | uint8_t *data = NULL, *header = NULL, *inner = NULL; |
689 | size_t data_len = 0, header_len = 0, inner_len = 0; |
690 | uint8_t *enc_record; |
691 | size_t enc_record_len; |
692 | ssize_t ret = 0; |
693 | size_t out_len; |
694 | CBB cbb; |
695 | |
696 | if (rl->aead == NULL) |
697 | return 0; |
698 | |
699 | memset(&cbb, 0, sizeof(cbb)); |
700 | |
701 | |
702 | if (!CBB_init(&cbb, content_len + 1)) |
703 | goto err; |
704 | if (!CBB_add_bytes(&cbb, content, content_len)) |
705 | goto err; |
706 | if (!CBB_add_u8(&cbb, content_type)) |
707 | goto err; |
708 | |
709 | if (!CBB_finish(&cbb, &inner, &inner_len)) |
710 | goto err; |
711 | |
712 | if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) |
713 | goto err; |
714 | |
715 | |
716 | enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); |
717 | if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) |
718 | goto err; |
719 | |
720 | |
721 | if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) |
722 | goto err; |
723 | if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) |
724 | goto err; |
725 | if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) |
726 | goto err; |
727 | if (!CBB_add_u16(&cbb, enc_record_len)) |
728 | goto err; |
729 | if (!CBB_finish(&cbb, &header, &header_len)) |
730 | goto err; |
731 | |
732 | |
733 | if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) |
734 | goto err; |
735 | if (!CBB_add_bytes(&cbb, header, header_len)) |
736 | goto err; |
737 | if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) |
738 | goto err; |
739 | if (!CBB_finish(&cbb, &data, &data_len)) |
740 | goto err; |
741 | |
742 | if (!tls13_record_layer_update_nonce(&rl->write->nonce, |
743 | &rl->write->iv, rl->write->seq_num)) |
744 | goto err; |
745 | |
746 | |
747 | |
748 | |
749 | |
750 | |
751 | if (!EVP_AEAD_CTX_seal(rl->write->aead_ctx, |
752 | enc_record, &out_len, enc_record_len, |
753 | rl->write->nonce.data, rl->write->nonce.len, |
754 | inner, inner_len, header, header_len)) |
755 | goto err; |
756 | |
757 | if (out_len != enc_record_len) |
758 | goto err; |
759 | |
760 | if (!tls13_record_layer_inc_seq_num(rl->write->seq_num)) |
761 | goto err; |
762 | |
763 | if (!tls13_record_set_data(rl->wrec, data, data_len)) |
764 | goto err; |
765 | |
766 | rl->wrec_content_len = content_len; |
767 | rl->wrec_content_type = content_type; |
768 | |
769 | data = NULL; |
770 | data_len = 0; |
771 | |
772 | ret = 1; |
773 | |
774 | err: |
775 | CBB_cleanup(&cbb); |
776 | |
777 | freezero(data, data_len); |
778 | freezero(header, header_len); |
779 | freezero(inner, inner_len); |
780 | |
781 | return ret; |
782 | } |
783 | |
784 | static int |
785 | tls13_record_layer_seal_record(struct tls13_record_layer *rl, |
786 | uint8_t content_type, const uint8_t *content, size_t content_len) |
787 | { |
788 | if (rl->handshake_completed && rl->aead == NULL) |
789 | return 0; |
790 | |
791 | tls13_record_layer_wrec_free(rl); |
792 | |
793 | if ((rl->wrec = tls13_record_new()) == NULL) |
794 | return 0; |
795 | |
796 | if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) |
797 | return tls13_record_layer_seal_record_plaintext(rl, |
798 | content_type, content, content_len); |
799 | |
800 | return tls13_record_layer_seal_record_protected(rl, content_type, |
801 | content, content_len); |
802 | } |
803 | |
804 | static ssize_t |
805 | tls13_record_layer_read_record(struct tls13_record_layer *rl) |
806 | { |
807 | uint8_t content_type, ccs; |
808 | ssize_t ret; |
809 | CBS cbs; |
810 | |
811 | if (rl->rrec == NULL) { |
812 | if ((rl->rrec = tls13_record_new()) == NULL) |
813 | goto err; |
814 | } |
815 | |
816 | if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { |
817 | switch (ret) { |
818 | case TLS13_IO_RECORD_VERSION: |
819 | return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); |
820 | case TLS13_IO_RECORD_OVERFLOW: |
821 | return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); |
822 | } |
823 | return ret; |
824 | } |
825 | |
826 | content_type = tls13_record_content_type(rl->rrec); |
827 | |
828 | |
829 | |
830 | |
831 | |
832 | |
833 | if (rl->legacy_version == TLS1_2_VERSION && |
834 | tls13_record_version(rl->rrec) != TLS1_2_VERSION && |
835 | (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed)) |
836 | return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); |
837 | |
838 | |
839 | |
840 | |
841 | |
842 | |
843 | |
844 | |
845 | if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { |
846 | if (!rl->ccs_allowed || rl->ccs_seen >= 2) |
847 | return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); |
848 | if (!tls13_record_content(rl->rrec, &cbs)) |
849 | return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); |
850 | if (!CBS_get_u8(&cbs, &ccs)) |
851 | return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); |
852 | if (ccs != 1) |
853 | return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); |
854 | if (CBS_len(&cbs) != 0) |
855 | return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); |
856 | rl->ccs_seen++; |
857 | tls13_record_layer_rrec_free(rl); |
858 | return TLS13_IO_WANT_RETRY; |
859 | } |
860 | |
861 | |
862 | |
863 | |
864 | |
865 | |
866 | if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) |
867 | return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); |
868 | |
869 | if (!tls13_record_layer_open_record(rl)) |
870 | goto err; |
871 | |
872 | tls13_record_layer_rrec_free(rl); |
873 | |
874 | |
875 | |
876 | |
877 | |
878 | |
879 | if (tls_content_remaining(rl->rcontent) == 0 && |
880 | (tls_content_type(rl->rcontent) == SSL3_RT_ALERT || |
881 | tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE)) |
882 | return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); |
883 | |
884 | switch (tls_content_type(rl->rcontent)) { |
885 | case SSL3_RT_ALERT: |
886 | return tls13_record_layer_process_alert(rl); |
887 | |
888 | case SSL3_RT_HANDSHAKE: |
889 | break; |
890 | |
891 | case SSL3_RT_APPLICATION_DATA: |
892 | if (!rl->handshake_completed) |
893 | return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); |
894 | break; |
895 | |
896 | default: |
897 | return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); |
898 | } |
899 | |
900 | return TLS13_IO_SUCCESS; |
901 | |
902 | err: |
903 | return TLS13_IO_FAILURE; |
904 | } |
905 | |
906 | static ssize_t |
907 | tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) |
908 | { |
909 | if (tls_content_type(rl->rcontent) != content_type) |
910 | return 0; |
911 | |
912 | return tls_content_remaining(rl->rcontent); |
913 | } |
914 | |
915 | static ssize_t |
916 | tls13_record_layer_recv_phh(struct tls13_record_layer *rl) |
917 | { |
918 | ssize_t ret = TLS13_IO_FAILURE; |
919 | |
920 | rl->phh = 1; |
921 | |
922 | |
923 | |
924 | |
925 | |
926 | |
927 | |
928 | |
929 | |
930 | if (rl->cb.phh_recv != NULL) |
931 | ret = rl->cb.phh_recv(rl->cb_arg); |
932 | |
933 | tls_content_clear(rl->rcontent); |
934 | |
935 | |
936 | if (ret != TLS13_IO_WANT_POLLIN) |
937 | rl->phh = 0; |
938 | |
939 | if (ret == TLS13_IO_SUCCESS) { |
940 | if (rl->phh_retry) |
941 | return TLS13_IO_WANT_RETRY; |
942 | |
943 | return TLS13_IO_WANT_POLLIN; |
944 | } |
945 | |
946 | return ret; |
947 | } |
948 | |
949 | static ssize_t |
950 | tls13_record_layer_read_internal(struct tls13_record_layer *rl, |
951 | uint8_t content_type, uint8_t *buf, size_t n, int peek) |
952 | { |
953 | ssize_t ret; |
954 | |
955 | if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) |
956 | return ret; |
957 | |
958 | if (rl->read_closed) |
959 | return TLS13_IO_EOF; |
960 | |
961 | |
962 | if (tls_content_remaining(rl->rcontent) == 0) { |
963 | if ((ret = tls13_record_layer_read_record(rl)) <= 0) |
964 | return ret; |
965 | |
966 | |
967 | |
968 | |
969 | |
970 | if (tls_content_remaining(rl->rcontent) == 0) |
971 | return TLS13_IO_WANT_POLLIN; |
972 | } |
973 | |
974 | |
975 | |
976 | |
977 | |
978 | if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE) |
979 | return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); |
980 | |
981 | |
982 | |
983 | |
984 | |
985 | |
986 | |
987 | if (tls_content_type(rl->rcontent) != content_type) { |
988 | if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE) { |
989 | if (rl->handshake_completed) |
990 | return tls13_record_layer_recv_phh(rl); |
991 | } |
992 | return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); |
993 | } |
994 | |
995 | if (peek) |
996 | return tls_content_peek(rl->rcontent, buf, n); |
997 | |
998 | return tls_content_read(rl->rcontent, buf, n); |
999 | } |
1000 | |
1001 | static ssize_t |
1002 | tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, |
1003 | uint8_t *buf, size_t n) |
1004 | { |
1005 | ssize_t ret; |
1006 | |
1007 | do { |
1008 | ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); |
1009 | } while (ret == TLS13_IO_WANT_RETRY); |
1010 | |
1011 | if (rl->alert != 0) |
1012 | return tls13_send_alert(rl, rl->alert); |
1013 | |
1014 | return ret; |
1015 | } |
1016 | |
1017 | static ssize_t |
1018 | tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, |
1019 | uint8_t *buf, size_t n) |
1020 | { |
1021 | ssize_t ret; |
1022 | |
1023 | do { |
1024 | ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); |
1025 | } while (ret == TLS13_IO_WANT_RETRY); |
1026 | |
1027 | if (rl->alert != 0) |
1028 | return tls13_send_alert(rl, rl->alert); |
1029 | |
1030 | return ret; |
1031 | } |
1032 | |
1033 | static ssize_t |
1034 | tls13_record_layer_write_record(struct tls13_record_layer *rl, |
1035 | uint8_t content_type, const uint8_t *content, size_t content_len) |
1036 | { |
1037 | ssize_t ret; |
1038 | |
1039 | if (rl->write_closed) |
1040 | return TLS13_IO_EOF; |
1041 | |
1042 | |
1043 | |
1044 | |
1045 | |
1046 | if (content_type == SSL3_RT_APPLICATION_DATA && |
1047 | rl->wrec_appdata_len != 0) { |
1048 | ret = rl->wrec_appdata_len; |
1049 | rl->wrec_appdata_len = 0; |
1050 | return ret; |
1051 | } |
1052 | |
1053 | |
1054 | if (rl->wrec != NULL) { |
1055 | if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, |
1056 | rl->cb_arg)) <= 0) |
1057 | return ret; |
1058 | tls13_record_layer_wrec_free(rl); |
1059 | |
1060 | if (rl->wrec_content_type == content_type) { |
1061 | ret = rl->wrec_content_len; |
1062 | rl->wrec_content_len = 0; |
1063 | rl->wrec_content_type = 0; |
1064 | return ret; |
1065 | } |
1066 | |
1067 | |
1068 | |
1069 | |
1070 | |
1071 | if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) |
1072 | return TLS13_IO_FAILURE; |
1073 | rl->wrec_appdata_len = rl->wrec_content_len; |
1074 | } |
1075 | |
1076 | if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) |
1077 | goto err; |
1078 | |
1079 | if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) |
1080 | goto err; |
1081 | |
1082 | if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) |
1083 | return ret; |
1084 | |
1085 | tls13_record_layer_wrec_free(rl); |
1086 | |
1087 | return content_len; |
1088 | |
1089 | err: |
1090 | return TLS13_IO_FAILURE; |
1091 | } |
1092 | |
1093 | static ssize_t |
1094 | tls13_record_layer_write_chunk(struct tls13_record_layer *rl, |
1095 | uint8_t content_type, const uint8_t *buf, size_t n) |
1096 | { |
1097 | if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) |
1098 | n = TLS13_RECORD_MAX_PLAINTEXT_LEN; |
1099 | |
1100 | return tls13_record_layer_write_record(rl, content_type, buf, n); |
1101 | } |
1102 | |
1103 | static ssize_t |
1104 | tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, |
1105 | const uint8_t *buf, size_t n) |
1106 | { |
1107 | ssize_t ret; |
1108 | |
1109 | do { |
1110 | ret = tls13_record_layer_send_pending(rl); |
1111 | } while (ret == TLS13_IO_WANT_RETRY); |
1112 | if (ret != TLS13_IO_SUCCESS) |
1113 | return ret; |
1114 | |
1115 | do { |
1116 | ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); |
1117 | } while (ret == TLS13_IO_WANT_RETRY); |
1118 | |
1119 | return ret; |
1120 | } |
1121 | |
1122 | ssize_t |
1123 | tls13_record_layer_flush(struct tls13_record_layer *rl) |
1124 | { |
1125 | return rl->cb.wire_flush(rl->cb_arg); |
1126 | } |
1127 | |
1128 | static const uint8_t tls13_dummy_ccs[] = { 0x01 }; |
1129 | |
1130 | ssize_t |
1131 | tls13_send_dummy_ccs(struct tls13_record_layer *rl) |
1132 | { |
1133 | ssize_t ret; |
1134 | |
1135 | if (rl->ccs_sent) |
1136 | return TLS13_IO_FAILURE; |
1137 | |
1138 | if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, |
1139 | tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) |
1140 | return ret; |
1141 | |
1142 | rl->ccs_sent = 1; |
1143 | |
1144 | return TLS13_IO_SUCCESS; |
1145 | } |
1146 | |
1147 | ssize_t |
1148 | tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) |
1149 | { |
1150 | if (rl->cb.handshake_read != NULL) |
1151 | return rl->cb.handshake_read(buf, n, rl->cb_arg); |
1152 | |
1153 | return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); |
1154 | } |
1155 | |
1156 | ssize_t |
1157 | tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, |
1158 | size_t n) |
1159 | { |
1160 | if (rl->cb.handshake_write != NULL) |
1161 | return rl->cb.handshake_write(buf, n, rl->cb_arg); |
1162 | |
1163 | return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); |
1164 | } |
1165 | |
1166 | ssize_t |
1167 | tls13_pending_application_data(struct tls13_record_layer *rl) |
1168 | { |
1169 | if (!rl->handshake_completed) |
1170 | return 0; |
1171 | |
1172 | return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); |
1173 | } |
1174 | |
1175 | ssize_t |
1176 | tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) |
1177 | { |
1178 | if (!rl->handshake_completed) |
1179 | return TLS13_IO_FAILURE; |
1180 | |
1181 | return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); |
1182 | } |
1183 | |
1184 | ssize_t |
1185 | tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) |
1186 | { |
1187 | if (!rl->handshake_completed) |
1188 | return TLS13_IO_FAILURE; |
1189 | |
1190 | return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); |
1191 | } |
1192 | |
1193 | ssize_t |
1194 | tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, |
1195 | size_t n) |
1196 | { |
1197 | if (!rl->handshake_completed) |
1198 | return TLS13_IO_FAILURE; |
1199 | |
1200 | return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); |
1201 | } |
1202 | |
1203 | ssize_t |
1204 | tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) |
1205 | { |
1206 | uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; |
1207 | ssize_t ret; |
1208 | |
1209 | if (rl->cb.alert_send != NULL) |
1210 | return rl->cb.alert_send(alert_desc, rl->cb_arg); |
1211 | |
1212 | if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || |
1213 | alert_desc == TLS13_ALERT_USER_CANCELED) |
1214 | alert_level = TLS13_ALERT_LEVEL_WARNING; |
1215 | |
1216 | do { |
1217 | ret = tls13_record_layer_enqueue_alert(rl, alert_level, |
1218 | alert_desc); |
1219 | } while (ret == TLS13_IO_WANT_RETRY); |
1220 | |
1221 | return ret; |
1222 | } |