Bug Summary

File:src/lib/libssl/tls13_record_layer.c
Warning:line 609, column 2
Potential leak of memory pointed to by 'content'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name tls13_record_layer.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libssl/obj -resource-dir /usr/local/llvm16/lib/clang/16 -D LIBRESSL_INTERNAL -I /usr/src/lib/libssl -I /usr/src/lib/libssl/../libcrypto/hidden -I /usr/src/lib/libssl/../libcrypto/bio -I /usr/src/lib/libssl/hidden -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libssl/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/lib/libssl/tls13_record_layer.c
1/* $OpenBSD: tls13_record_layer.c,v 1.72 2022/11/11 17:15:27 jsing Exp $ */
2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include "tls13_internal.h"
19#include "tls13_record.h"
20#include "tls_content.h"
21
22static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
23 uint8_t content_type, const uint8_t *buf, size_t n);
24static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
25 uint8_t content_type, const uint8_t *content, size_t content_len);
26
27struct tls13_record_protection {
28 EVP_AEAD_CTX *aead_ctx;
29 struct tls13_secret iv;
30 struct tls13_secret nonce;
31 uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN8];
32};
33
34struct tls13_record_protection *
35tls13_record_protection_new(void)
36{
37 return calloc(1, sizeof(struct tls13_record_protection));
38}
39
40void
41tls13_record_protection_clear(struct tls13_record_protection *rp)
42{
43 EVP_AEAD_CTX_free(rp->aead_ctx);
44
45 tls13_secret_cleanup(&rp->iv);
46 tls13_secret_cleanup(&rp->nonce);
47
48 memset(rp, 0, sizeof(*rp));
49}
50
51void
52tls13_record_protection_free(struct tls13_record_protection *rp)
53{
54 if (rp == NULL((void *)0))
55 return;
56
57 tls13_record_protection_clear(rp);
58
59 freezero(rp, sizeof(struct tls13_record_protection));
60}
61
62struct tls13_record_layer {
63 uint16_t legacy_version;
64
65 int ccs_allowed;
66 int ccs_seen;
67 int ccs_sent;
68 int handshake_completed;
69 int legacy_alerts_allowed;
70 int phh;
71 int phh_retry;
72
73 /*
74 * Read and/or write channels are closed due to an alert being
75 * sent or received. In the case of an error alert both channels
76 * are closed, whereas in the case of a close notify only one
77 * channel is closed.
78 */
79 int read_closed;
80 int write_closed;
81
82 struct tls13_record *rrec;
83
84 struct tls13_record *wrec;
85 uint8_t wrec_content_type;
86 size_t wrec_appdata_len;
87 size_t wrec_content_len;
88
89 /* Alert to be sent on return from current read handler. */
90 uint8_t alert;
91
92 /* Pending alert messages. */
93 uint8_t *alert_data;
94 size_t alert_len;
95 uint8_t alert_level;
96 uint8_t alert_desc;
97
98 /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */
99 CBS phh_cbs;
100 uint8_t *phh_data;
101 size_t phh_len;
102
103 /* Content from opened records. */
104 struct tls_content *rcontent;
105
106 /* Record protection. */
107 const EVP_MD *hash;
108 const EVP_AEAD *aead;
109 struct tls13_record_protection *read;
110 struct tls13_record_protection *write;
111
112 /* Callbacks. */
113 struct tls13_record_layer_callbacks cb;
114 void *cb_arg;
115};
116
117static void
118tls13_record_layer_rrec_free(struct tls13_record_layer *rl)
119{
120 tls13_record_free(rl->rrec);
121 rl->rrec = NULL((void *)0);
122}
123
124static void
125tls13_record_layer_wrec_free(struct tls13_record_layer *rl)
126{
127 tls13_record_free(rl->wrec);
128 rl->wrec = NULL((void *)0);
129}
130
131struct tls13_record_layer *
132tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks,
133 void *cb_arg)
134{
135 struct tls13_record_layer *rl;
136
137 if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL((void *)0))
138 goto err;
139
140 if ((rl->rcontent = tls_content_new()) == NULL((void *)0))
141 goto err;
142
143 if ((rl->read = tls13_record_protection_new()) == NULL((void *)0))
144 goto err;
145 if ((rl->write = tls13_record_protection_new()) == NULL((void *)0))
146 goto err;
147
148 rl->legacy_version = TLS1_2_VERSION0x0303;
149
150 tls13_record_layer_set_callbacks(rl, callbacks, cb_arg);
151
152 return rl;
153
154 err:
155 tls13_record_layer_free(rl);
156
157 return NULL((void *)0);
158}
159
160void
161tls13_record_layer_free(struct tls13_record_layer *rl)
162{
163 if (rl == NULL((void *)0))
164 return;
165
166 tls13_record_layer_rrec_free(rl);
167 tls13_record_layer_wrec_free(rl);
168
169 freezero(rl->alert_data, rl->alert_len);
170 freezero(rl->phh_data, rl->phh_len);
171
172 tls_content_free(rl->rcontent);
173
174 tls13_record_protection_free(rl->read);
175 tls13_record_protection_free(rl->write);
176
177 freezero(rl, sizeof(struct tls13_record_layer));
178}
179
180void
181tls13_record_layer_set_callbacks(struct tls13_record_layer *rl,
182 const struct tls13_record_layer_callbacks *callbacks, void *cb_arg)
183{
184 rl->cb = *callbacks;
185 rl->cb_arg = cb_arg;
186}
187
188void
189tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs)
190{
191 CBS_dup(tls_content_cbs(rl->rcontent), cbs);
192}
193
194static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN8] = {
195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
196};
197
198int
199tls13_record_layer_inc_seq_num(uint8_t *seq_num)
200{
201 int i;
202
203 /* RFC 8446 section 5.3 - sequence numbers must not wrap. */
204 if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN8) == 0)
205 return 0;
206
207 for (i = TLS13_RECORD_SEQ_NUM_LEN8 - 1; i >= 0; i--) {
208 if (++seq_num[i] != 0)
209 break;
210 }
211
212 return 1;
213}
214
215static int
216tls13_record_layer_update_nonce(struct tls13_secret *nonce,
217 struct tls13_secret *iv, uint8_t *seq_num)
218{
219 ssize_t i, j;
220
221 if (nonce->len != iv->len)
222 return 0;
223
224 /*
225 * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd
226 * with the IV to produce a per-record nonce. The IV will also be
227 * at least 8-bytes in length.
228 */
229 for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN8 - 1; i >= 0; i--, j--)
230 nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0);
231
232 return 1;
233}
234
235void
236tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow)
237{
238 rl->ccs_allowed = allow;
239}
240
241void
242tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow)
243{
244 rl->legacy_alerts_allowed = allow;
245}
246
247void
248tls13_record_layer_set_aead(struct tls13_record_layer *rl,
249 const EVP_AEAD *aead)
250{
251 rl->aead = aead;
252}
253
254void
255tls13_record_layer_set_hash(struct tls13_record_layer *rl,
256 const EVP_MD *hash)
257{
258 rl->hash = hash;
259}
260
261void
262tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl,
263 uint16_t version)
264{
265 rl->legacy_version = version;
266}
267
268void
269tls13_record_layer_handshake_completed(struct tls13_record_layer *rl)
270{
271 rl->handshake_completed = 1;
272}
273
274void
275tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry)
276{
277 rl->phh_retry = retry;
278}
279
280static ssize_t
281tls13_record_layer_process_alert(struct tls13_record_layer *rl)
282{
283 uint8_t alert_level, alert_desc;
284 ssize_t ret = TLS13_IO_FAILURE-1;
285
286 /*
287 * RFC 8446 - sections 5.1 and 6.
288 *
289 * A TLSv1.3 alert record can only contain a single alert - this means
290 * that processing the alert must consume all of the record. The alert
291 * will result in one of three things - continuation (user_cancelled),
292 * read channel closure (close_notify) or termination (all others).
293 */
294 if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT21)
295 return TLS13_IO_FAILURE-1;
296
297 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level))
298 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR50);
299 if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc))
300 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR50);
301
302 if (tls_content_remaining(rl->rcontent) != 0)
303 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR50);
304
305 tls_content_clear(rl->rcontent);
306
307 /*
308 * Alert level is ignored for closure alerts (RFC 8446 section 6.1),
309 * however for error alerts (RFC 8446 section 6.2), the alert level
310 * must be specified as fatal.
311 */
312 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY0) {
313 rl->read_closed = 1;
314 ret = TLS13_IO_EOF0;
315 } else if (alert_desc == TLS13_ALERT_USER_CANCELED90) {
316 /* Ignored at the record layer. */
317 ret = TLS13_IO_WANT_RETRY-5;
318 } else if (alert_level == TLS13_ALERT_LEVEL_FATAL2) {
319 rl->read_closed = 1;
320 rl->write_closed = 1;
321 ret = TLS13_IO_ALERT-2;
322 } else if (rl->legacy_alerts_allowed &&
323 alert_level == TLS13_ALERT_LEVEL_WARNING1) {
324 /* Ignored and not passed to the callback. */
325 return TLS13_IO_WANT_RETRY-5;
326 } else {
327 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER47);
328 }
329
330 rl->cb.alert_recv(alert_desc, rl->cb_arg);
331
332 return ret;
333}
334
335static ssize_t
336tls13_record_layer_send_alert(struct tls13_record_layer *rl)
337{
338 ssize_t ret;
339
340 /* This has to fit into a single record, per RFC 8446 section 5.1. */
341 if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT21,
342 rl->alert_data, rl->alert_len)) != rl->alert_len) {
343 if (ret == TLS13_IO_EOF0)
344 ret = TLS13_IO_ALERT-2;
345 return ret;
346 }
347
348 freezero(rl->alert_data, rl->alert_len);
349 rl->alert_data = NULL((void *)0);
350 rl->alert_len = 0;
351
352 if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY0) {
353 rl->write_closed = 1;
354 ret = TLS13_IO_SUCCESS1;
355 } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED90) {
356 /* Ignored at the record layer. */
357 ret = TLS13_IO_SUCCESS1;
358 } else {
359 rl->read_closed = 1;
360 rl->write_closed = 1;
361 ret = TLS13_IO_ALERT-2;
362 }
363
364 rl->cb.alert_sent(rl->alert_desc, rl->cb_arg);
365
366 return ret;
367}
368
369static ssize_t
370tls13_record_layer_send_phh(struct tls13_record_layer *rl)
371{
372 ssize_t ret;
373
374 /* Push out pending post-handshake handshake messages. */
375 if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE22,
376 CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0)
377 return ret;
378 if (!CBS_skip(&rl->phh_cbs, ret))
379 return TLS13_IO_FAILURE-1;
380 if (CBS_len(&rl->phh_cbs) != 0)
381 return TLS13_IO_WANT_RETRY-5;
382
383 freezero(rl->phh_data, rl->phh_len);
384 rl->phh_data = NULL((void *)0);
385 rl->phh_len = 0;
386
387 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
388
389 rl->cb.phh_sent(rl->cb_arg);
390
391 return TLS13_IO_SUCCESS1;
392}
393
394ssize_t
395tls13_record_layer_send_pending(struct tls13_record_layer *rl)
396{
397 /*
398 * If an alert is pending, then it needs to be sent. However,
399 * if we're already part of the way through sending post-handshake
400 * handshake messages, then we need to finish that first...
401 */
402
403 if (rl->phh_data != NULL((void *)0) && CBS_len(&rl->phh_cbs) != rl->phh_len)
404 return tls13_record_layer_send_phh(rl);
405
406 if (rl->alert_data != NULL((void *)0))
407 return tls13_record_layer_send_alert(rl);
408
409 if (rl->phh_data != NULL((void *)0))
410 return tls13_record_layer_send_phh(rl);
411
412 return TLS13_IO_SUCCESS1;
413}
414
415static ssize_t
416tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl,
417 uint8_t alert_level, uint8_t alert_desc)
418{
419 CBB cbb;
420
421 if (rl->alert_data != NULL((void *)0))
422 return TLS13_IO_FAILURE-1;
423
424 if (!CBB_init(&cbb, 0))
425 goto err;
426
427 if (!CBB_add_u8(&cbb, alert_level))
428 goto err;
429 if (!CBB_add_u8(&cbb, alert_desc))
430 goto err;
431 if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
432 goto err;
433
434 rl->alert_level = alert_level;
435 rl->alert_desc = alert_desc;
436
437 return tls13_record_layer_send_pending(rl);
438
439 err:
440 CBB_cleanup(&cbb);
441
442 return TLS13_IO_FAILURE-1;
443}
444
445ssize_t
446tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs)
447{
448 if (rl->phh_data != NULL((void *)0))
449 return TLS13_IO_FAILURE-1;
450
451 if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len))
452 return TLS13_IO_FAILURE-1;
453
454 CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
455
456 return tls13_record_layer_send_pending(rl);
457}
458
459static int
460tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash,
461 struct tls13_record_protection *rp, struct tls13_secret *traffic_key)
462{
463 struct tls13_secret context = { .data = "", .len = 0 };
464 struct tls13_secret key = { .data = NULL((void *)0), .len = 0 };
465 int ret = 0;
466
467 tls13_record_protection_clear(rp);
468
469 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL((void *)0))
470 return 0;
471
472 if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead)))
473 goto err;
474 if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead)))
475 goto err;
476 if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead)))
477 goto err;
478
479 if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context))
480 goto err;
481 if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))
482 goto err;
483
484 if (!EVP_AEAD_CTX_init(rp->aead_ctx, aead, key.data, key.len,
485 EVP_AEAD_DEFAULT_TAG_LENGTH0, NULL((void *)0)))
486 goto err;
487
488 ret = 1;
489
490 err:
491 tls13_secret_cleanup(&key);
492
493 return ret;
494}
495
496int
497tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
498 struct tls13_secret *read_key, enum ssl_encryption_level_t read_level)
499{
500 if (rl->cb.set_read_traffic_key != NULL((void *)0))
501 return rl->cb.set_read_traffic_key(read_key, read_level,
502 rl->cb_arg);
503
504 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
505 rl->read, read_key);
506}
507
508int
509tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
510 struct tls13_secret *write_key, enum ssl_encryption_level_t write_level)
511{
512 if (rl->cb.set_write_traffic_key != NULL((void *)0))
513 return rl->cb.set_write_traffic_key(write_key, write_level,
514 rl->cb_arg);
515
516 return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
517 rl->write, write_key);
518}
519
520static int
521tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl)
522{
523 CBS cbs;
524
525 if (rl->aead != NULL((void *)0))
526 return 0;
527
528 /*
529 * We're still operating in plaintext mode, so just copy the
530 * content from the record to the plaintext buffer.
531 */
532 if (!tls13_record_content(rl->rrec, &cbs))
533 return 0;
534
535 if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN16384) {
536 rl->alert = TLS13_ALERT_RECORD_OVERFLOW22;
537 return 0;
538 }
539
540 if (!tls_content_dup_data(rl->rcontent,
541 tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs)))
542 return 0;
543
544 return 1;
545}
546
547static int
548tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
549{
550 CBS header, enc_record, inner;
551 uint8_t *content = NULL((void *)0);
552 size_t content_len = 0;
553 uint8_t content_type;
554 size_t out_len;
555
556 if (rl->aead == NULL((void *)0))
1
Assuming field 'aead' is not equal to NULL
2
Taking false branch
557 goto err;
558
559 if (!tls13_record_header(rl->rrec, &header))
3
Assuming the condition is false
4
Taking false branch
560 goto err;
561 if (!tls13_record_content(rl->rrec, &enc_record))
5
Assuming the condition is false
6
Taking false branch
562 goto err;
563
564 /* XXX - minus tag len? */
565 if ((content = calloc(1, CBS_len(&enc_record))) == NULL((void *)0))
7
Memory is allocated
8
Assuming the condition is false
9
Taking false branch
566 goto err;
567 content_len = CBS_len(&enc_record);
568
569 if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv,
10
Assuming the condition is false
11
Taking false branch
570 rl->read->seq_num))
571 goto err;
572
573 if (!EVP_AEAD_CTX_open(rl->read->aead_ctx,
12
Assuming the condition is false
13
Taking false branch
574 content, &out_len, content_len,
575 rl->read->nonce.data, rl->read->nonce.len,
576 CBS_data(&enc_record), CBS_len(&enc_record),
577 CBS_data(&header), CBS_len(&header)))
578 goto err;
579
580 if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN(16384 + 1)) {
14
Assuming the condition is false
15
Taking false branch
581 rl->alert = TLS13_ALERT_RECORD_OVERFLOW22;
582 goto err;
583 }
584
585 if (!tls13_record_layer_inc_seq_num(rl->read->seq_num))
16
Assuming the condition is false
17
Taking false branch
586 goto err;
587
588 /*
589 * The real content type is hidden at the end of the record content and
590 * it may be followed by padding that consists of one or more zeroes.
591 * Time to hunt for that elusive content type!
592 */
593 CBS_init(&inner, content, out_len);
594 content_type = 0;
595 while (CBS_get_last_u8(&inner, &content_type)) {
18
Loop condition is false. Execution continues on line 599
596 if (content_type != 0)
597 break;
598 }
599 if (content_type == 0) {
19
Assuming 'content_type' is not equal to 0
20
Taking false branch
600 /* Unexpected message per RFC 8446 section 5.4. */
601 rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE10;
602 goto err;
603 }
604 if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN16384) {
21
Assuming the condition is false
22
Taking false branch
605 rl->alert = TLS13_ALERT_RECORD_OVERFLOW22;
606 goto err;
607 }
608
609 tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner),
23
Potential leak of memory pointed to by 'content'
610 CBS_len(&inner));
611
612 return 1;
613
614 err:
615 freezero(content, content_len);
616
617 return 0;
618}
619
620static int
621tls13_record_layer_open_record(struct tls13_record_layer *rl)
622{
623 if (rl->handshake_completed && rl->aead == NULL((void *)0))
624 return 0;
625
626 if (rl->aead == NULL((void *)0))
627 return tls13_record_layer_open_record_plaintext(rl);
628
629 return tls13_record_layer_open_record_protected(rl);
630}
631
632static int
633tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl,
634 uint8_t content_type, const uint8_t *content, size_t content_len)
635{
636 uint8_t *data = NULL((void *)0);
637 size_t data_len = 0;
638 CBB cbb, body;
639
640 /*
641 * Allow dummy CCS messages to be sent in plaintext even when
642 * record protection has been engaged, as long as the handshake
643 * has not yet completed.
644 */
645 if (rl->handshake_completed)
646 return 0;
647 if (rl->aead != NULL((void *)0) && content_type != SSL3_RT_CHANGE_CIPHER_SPEC20)
648 return 0;
649
650 /*
651 * We're still operating in plaintext mode, so just copy the
652 * content into the record.
653 */
654 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN5 + content_len))
655 goto err;
656
657 if (!CBB_add_u8(&cbb, content_type))
658 goto err;
659 if (!CBB_add_u16(&cbb, rl->legacy_version))
660 goto err;
661 if (!CBB_add_u16_length_prefixed(&cbb, &body))
662 goto err;
663 if (!CBB_add_bytes(&body, content, content_len))
664 goto err;
665
666 if (!CBB_finish(&cbb, &data, &data_len))
667 goto err;
668
669 if (!tls13_record_set_data(rl->wrec, data, data_len))
670 goto err;
671
672 rl->wrec_content_len = content_len;
673 rl->wrec_content_type = content_type;
674
675 return 1;
676
677 err:
678 CBB_cleanup(&cbb);
679 freezero(data, data_len);
680
681 return 0;
682}
683
684static int
685tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
686 uint8_t content_type, const uint8_t *content, size_t content_len)
687{
688 uint8_t *data = NULL((void *)0), *header = NULL((void *)0), *inner = NULL((void *)0);
689 size_t data_len = 0, header_len = 0, inner_len = 0;
690 uint8_t *enc_record;
691 size_t enc_record_len;
692 ssize_t ret = 0;
693 size_t out_len;
694 CBB cbb;
695
696 if (rl->aead == NULL((void *)0))
697 return 0;
698
699 memset(&cbb, 0, sizeof(cbb));
700
701 /* Build inner plaintext. */
702 if (!CBB_init(&cbb, content_len + 1))
703 goto err;
704 if (!CBB_add_bytes(&cbb, content, content_len))
705 goto err;
706 if (!CBB_add_u8(&cbb, content_type))
707 goto err;
708 /* XXX - padding? */
709 if (!CBB_finish(&cbb, &inner, &inner_len))
710 goto err;
711
712 if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN(16384 + 1))
713 goto err;
714
715 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
716 enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead);
717 if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN((16384 + 1) + 255))
718 goto err;
719
720 /* Build the record header. */
721 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN5))
722 goto err;
723 if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA23))
724 goto err;
725 if (!CBB_add_u16(&cbb, TLS1_2_VERSION0x0303))
726 goto err;
727 if (!CBB_add_u16(&cbb, enc_record_len))
728 goto err;
729 if (!CBB_finish(&cbb, &header, &header_len))
730 goto err;
731
732 /* Build the actual record. */
733 if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN5 + enc_record_len))
734 goto err;
735 if (!CBB_add_bytes(&cbb, header, header_len))
736 goto err;
737 if (!CBB_add_space(&cbb, &enc_record, enc_record_len))
738 goto err;
739 if (!CBB_finish(&cbb, &data, &data_len))
740 goto err;
741
742 if (!tls13_record_layer_update_nonce(&rl->write->nonce,
743 &rl->write->iv, rl->write->seq_num))
744 goto err;
745
746 /*
747 * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec...
748 * this would avoid a copy since the inner would be passed as two
749 * separate pieces.
750 */
751 if (!EVP_AEAD_CTX_seal(rl->write->aead_ctx,
752 enc_record, &out_len, enc_record_len,
753 rl->write->nonce.data, rl->write->nonce.len,
754 inner, inner_len, header, header_len))
755 goto err;
756
757 if (out_len != enc_record_len)
758 goto err;
759
760 if (!tls13_record_layer_inc_seq_num(rl->write->seq_num))
761 goto err;
762
763 if (!tls13_record_set_data(rl->wrec, data, data_len))
764 goto err;
765
766 rl->wrec_content_len = content_len;
767 rl->wrec_content_type = content_type;
768
769 data = NULL((void *)0);
770 data_len = 0;
771
772 ret = 1;
773
774 err:
775 CBB_cleanup(&cbb);
776
777 freezero(data, data_len);
778 freezero(header, header_len);
779 freezero(inner, inner_len);
780
781 return ret;
782}
783
784static int
785tls13_record_layer_seal_record(struct tls13_record_layer *rl,
786 uint8_t content_type, const uint8_t *content, size_t content_len)
787{
788 if (rl->handshake_completed && rl->aead == NULL((void *)0))
789 return 0;
790
791 tls13_record_layer_wrec_free(rl);
792
793 if ((rl->wrec = tls13_record_new()) == NULL((void *)0))
794 return 0;
795
796 if (rl->aead == NULL((void *)0) || content_type == SSL3_RT_CHANGE_CIPHER_SPEC20)
797 return tls13_record_layer_seal_record_plaintext(rl,
798 content_type, content, content_len);
799
800 return tls13_record_layer_seal_record_protected(rl, content_type,
801 content, content_len);
802}
803
804static ssize_t
805tls13_record_layer_read_record(struct tls13_record_layer *rl)
806{
807 uint8_t content_type, ccs;
808 ssize_t ret;
809 CBS cbs;
810
811 if (rl->rrec == NULL((void *)0)) {
812 if ((rl->rrec = tls13_record_new()) == NULL((void *)0))
813 goto err;
814 }
815
816 if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
817 switch (ret) {
818 case TLS13_IO_RECORD_VERSION-7:
819 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION70);
820 case TLS13_IO_RECORD_OVERFLOW-8:
821 return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW22);
822 }
823 return ret;
824 }
825
826 content_type = tls13_record_content_type(rl->rrec);
827
828 /*
829 * In response to a client hello we may receive an alert in a
830 * record with a legacy version. Otherwise enforce that the
831 * legacy record version is 0x0303 per RFC 8446, section 5.1.
832 */
833 if (rl->legacy_version == TLS1_2_VERSION0x0303 &&
834 tls13_record_version(rl->rrec) != TLS1_2_VERSION0x0303 &&
835 (content_type != SSL3_RT_ALERT21 || !rl->legacy_alerts_allowed))
836 return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION70);
837
838 /*
839 * Bag of hacks ahead... after the first ClientHello message has been
840 * sent or received and before the peer's Finished message has been
841 * received, we may receive an unencrypted ChangeCipherSpec record
842 * (see RFC 8446 section 5 and appendix D.4). This record must be
843 * ignored.
844 */
845 if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC20) {
846 if (!rl->ccs_allowed || rl->ccs_seen >= 2)
847 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
848 if (!tls13_record_content(rl->rrec, &cbs))
849 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR50);
850 if (!CBS_get_u8(&cbs, &ccs))
851 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR50);
852 if (ccs != 1)
853 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER47);
854 if (CBS_len(&cbs) != 0)
855 return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR50);
856 rl->ccs_seen++;
857 tls13_record_layer_rrec_free(rl);
858 return TLS13_IO_WANT_RETRY-5;
859 }
860
861 /*
862 * Once record protection is engaged, we should only receive
863 * protected application data messages (aside from the
864 * dummy ChangeCipherSpec messages, handled above).
865 */
866 if (rl->aead != NULL((void *)0) && content_type != SSL3_RT_APPLICATION_DATA23)
867 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
868
869 if (!tls13_record_layer_open_record(rl))
870 goto err;
871
872 tls13_record_layer_rrec_free(rl);
873
874 /*
875 * On receiving a handshake or alert record with empty inner plaintext,
876 * we must terminate the connection with an unexpected_message alert.
877 * See RFC 8446 section 5.4.
878 */
879 if (tls_content_remaining(rl->rcontent) == 0 &&
880 (tls_content_type(rl->rcontent) == SSL3_RT_ALERT21 ||
881 tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE22))
882 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
883
884 switch (tls_content_type(rl->rcontent)) {
885 case SSL3_RT_ALERT21:
886 return tls13_record_layer_process_alert(rl);
887
888 case SSL3_RT_HANDSHAKE22:
889 break;
890
891 case SSL3_RT_APPLICATION_DATA23:
892 if (!rl->handshake_completed)
893 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
894 break;
895
896 default:
897 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
898 }
899
900 return TLS13_IO_SUCCESS1;
901
902 err:
903 return TLS13_IO_FAILURE-1;
904}
905
906static ssize_t
907tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type)
908{
909 if (tls_content_type(rl->rcontent) != content_type)
910 return 0;
911
912 return tls_content_remaining(rl->rcontent);
913}
914
915static ssize_t
916tls13_record_layer_recv_phh(struct tls13_record_layer *rl)
917{
918 ssize_t ret = TLS13_IO_FAILURE-1;
919
920 rl->phh = 1;
921
922 /*
923 * The post handshake handshake receive callback is allowed to return:
924 *
925 * TLS13_IO_WANT_POLLIN need more handshake data.
926 * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued.
927 * TLS13_IO_SUCCESS got the whole handshake, nothing more to do.
928 * TLS13_IO_FAILURE something broke.
929 */
930 if (rl->cb.phh_recv != NULL((void *)0))
931 ret = rl->cb.phh_recv(rl->cb_arg);
932
933 tls_content_clear(rl->rcontent);
934
935 /* Leave post handshake handshake mode unless we need more data. */
936 if (ret != TLS13_IO_WANT_POLLIN-3)
937 rl->phh = 0;
938
939 if (ret == TLS13_IO_SUCCESS1) {
940 if (rl->phh_retry)
941 return TLS13_IO_WANT_RETRY-5;
942
943 return TLS13_IO_WANT_POLLIN-3;
944 }
945
946 return ret;
947}
948
949static ssize_t
950tls13_record_layer_read_internal(struct tls13_record_layer *rl,
951 uint8_t content_type, uint8_t *buf, size_t n, int peek)
952{
953 ssize_t ret;
954
955 if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS1)
956 return ret;
957
958 if (rl->read_closed)
959 return TLS13_IO_EOF0;
960
961 /* If necessary, pull up the next record. */
962 if (tls_content_remaining(rl->rcontent) == 0) {
963 if ((ret = tls13_record_layer_read_record(rl)) <= 0)
964 return ret;
965
966 /*
967 * We may have read a valid 0-byte application data record,
968 * in which case we need to read the next record.
969 */
970 if (tls_content_remaining(rl->rcontent) == 0)
971 return TLS13_IO_WANT_POLLIN-3;
972 }
973
974 /*
975 * If we are in post handshake handshake mode, we must not see
976 * any record type that isn't a handshake until we are done.
977 */
978 if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE22)
979 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
980
981 /*
982 * Handshake content can appear as post-handshake messages (yup,
983 * the RFC reused the same content type...), which means we can
984 * be trying to read application data and need to handle a
985 * post-handshake handshake message instead...
986 */
987 if (tls_content_type(rl->rcontent) != content_type) {
988 if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE22) {
989 if (rl->handshake_completed)
990 return tls13_record_layer_recv_phh(rl);
991 }
992 return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE10);
993 }
994
995 if (peek)
996 return tls_content_peek(rl->rcontent, buf, n);
997
998 return tls_content_read(rl->rcontent, buf, n);
999}
1000
1001static ssize_t
1002tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type,
1003 uint8_t *buf, size_t n)
1004{
1005 ssize_t ret;
1006
1007 do {
1008 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1);
1009 } while (ret == TLS13_IO_WANT_RETRY-5);
1010
1011 if (rl->alert != 0)
1012 return tls13_send_alert(rl, rl->alert);
1013
1014 return ret;
1015}
1016
1017static ssize_t
1018tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
1019 uint8_t *buf, size_t n)
1020{
1021 ssize_t ret;
1022
1023 do {
1024 ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0);
1025 } while (ret == TLS13_IO_WANT_RETRY-5);
1026
1027 if (rl->alert != 0)
1028 return tls13_send_alert(rl, rl->alert);
1029
1030 return ret;
1031}
1032
1033static ssize_t
1034tls13_record_layer_write_record(struct tls13_record_layer *rl,
1035 uint8_t content_type, const uint8_t *content, size_t content_len)
1036{
1037 ssize_t ret;
1038
1039 if (rl->write_closed)
1040 return TLS13_IO_EOF0;
1041
1042 /*
1043 * If we pushed out application data while handling other messages,
1044 * we need to return content length on the next call.
1045 */
1046 if (content_type == SSL3_RT_APPLICATION_DATA23 &&
1047 rl->wrec_appdata_len != 0) {
1048 ret = rl->wrec_appdata_len;
1049 rl->wrec_appdata_len = 0;
1050 return ret;
1051 }
1052
1053 /* See if there is an existing record and attempt to push it out... */
1054 if (rl->wrec != NULL((void *)0)) {
1055 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write,
1056 rl->cb_arg)) <= 0)
1057 return ret;
1058 tls13_record_layer_wrec_free(rl);
1059
1060 if (rl->wrec_content_type == content_type) {
1061 ret = rl->wrec_content_len;
1062 rl->wrec_content_len = 0;
1063 rl->wrec_content_type = 0;
1064 return ret;
1065 }
1066
1067 /*
1068 * The only partial record type should be application data.
1069 * All other cases are handled to completion.
1070 */
1071 if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA23)
1072 return TLS13_IO_FAILURE-1;
1073 rl->wrec_appdata_len = rl->wrec_content_len;
1074 }
1075
1076 if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN16384)
1077 goto err;
1078
1079 if (!tls13_record_layer_seal_record(rl, content_type, content, content_len))
1080 goto err;
1081
1082 if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0)
1083 return ret;
1084
1085 tls13_record_layer_wrec_free(rl);
1086
1087 return content_len;
1088
1089 err:
1090 return TLS13_IO_FAILURE-1;
1091}
1092
1093static ssize_t
1094tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
1095 uint8_t content_type, const uint8_t *buf, size_t n)
1096{
1097 if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN16384)
1098 n = TLS13_RECORD_MAX_PLAINTEXT_LEN16384;
1099
1100 return tls13_record_layer_write_record(rl, content_type, buf, n);
1101}
1102
1103static ssize_t
1104tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
1105 const uint8_t *buf, size_t n)
1106{
1107 ssize_t ret;
1108
1109 do {
1110 ret = tls13_record_layer_send_pending(rl);
1111 } while (ret == TLS13_IO_WANT_RETRY-5);
1112 if (ret != TLS13_IO_SUCCESS1)
1113 return ret;
1114
1115 do {
1116 ret = tls13_record_layer_write_chunk(rl, content_type, buf, n);
1117 } while (ret == TLS13_IO_WANT_RETRY-5);
1118
1119 return ret;
1120}
1121
1122ssize_t
1123tls13_record_layer_flush(struct tls13_record_layer *rl)
1124{
1125 return rl->cb.wire_flush(rl->cb_arg);
1126}
1127
1128static const uint8_t tls13_dummy_ccs[] = { 0x01 };
1129
1130ssize_t
1131tls13_send_dummy_ccs(struct tls13_record_layer *rl)
1132{
1133 ssize_t ret;
1134
1135 if (rl->ccs_sent)
1136 return TLS13_IO_FAILURE-1;
1137
1138 if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC20,
1139 tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0)
1140 return ret;
1141
1142 rl->ccs_sent = 1;
1143
1144 return TLS13_IO_SUCCESS1;
1145}
1146
1147ssize_t
1148tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1149{
1150 if (rl->cb.handshake_read != NULL((void *)0))
1151 return rl->cb.handshake_read(buf, n, rl->cb_arg);
1152
1153 return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE22, buf, n);
1154}
1155
1156ssize_t
1157tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
1158 size_t n)
1159{
1160 if (rl->cb.handshake_write != NULL((void *)0))
1161 return rl->cb.handshake_write(buf, n, rl->cb_arg);
1162
1163 return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE22, buf, n);
1164}
1165
1166ssize_t
1167tls13_pending_application_data(struct tls13_record_layer *rl)
1168{
1169 if (!rl->handshake_completed)
1170 return 0;
1171
1172 return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA23);
1173}
1174
1175ssize_t
1176tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1177{
1178 if (!rl->handshake_completed)
1179 return TLS13_IO_FAILURE-1;
1180
1181 return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA23, buf, n);
1182}
1183
1184ssize_t
1185tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1186{
1187 if (!rl->handshake_completed)
1188 return TLS13_IO_FAILURE-1;
1189
1190 return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA23, buf, n);
1191}
1192
1193ssize_t
1194tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf,
1195 size_t n)
1196{
1197 if (!rl->handshake_completed)
1198 return TLS13_IO_FAILURE-1;
1199
1200 return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA23, buf, n);
1201}
1202
1203ssize_t
1204tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc)
1205{
1206 uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL2;
1207 ssize_t ret;
1208
1209 if (rl->cb.alert_send != NULL((void *)0))
1210 return rl->cb.alert_send(alert_desc, rl->cb_arg);
1211
1212 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY0 ||
1213 alert_desc == TLS13_ALERT_USER_CANCELED90)
1214 alert_level = TLS13_ALERT_LEVEL_WARNING1;
1215
1216 do {
1217 ret = tls13_record_layer_enqueue_alert(rl, alert_level,
1218 alert_desc);
1219 } while (ret == TLS13_IO_WANT_RETRY-5);
1220
1221 return ret;
1222}