History log of /openbsd-current/lib/libssl/tls13_record_layer.c
Revision  Date  Author  Comments
# 1.73 27-Jan-2024 jsing

Add message callbacks for alerts in the TLSv1.3 stack.

This will make it easier to regress test shutdown behaviour in the TLSv1.3
stack. Additionally, `openssl -msg` now shows alerts for TLSv1.3
connections.

ok tb@


Revision tags: OPENBSD_7_3_BASE OPENBSD_7_4_BASE
# 1.72 11-Nov-2022 jsing

Convert the legacy TLS stack to tls_content.

This converts the legacy TLS stack to tls_content - records are now
opened into a tls_content structure, rather than being written back into
the same buffer that the sealed record was read into.

This will allow for further clean up of the legacy record layer.

ok tb@


Revision tags: OPENBSD_7_2_BASE
# 1.71 11-Sep-2022 jsing

Ensure there is no trailing data for a CCS received by the TLSv1.3 stack.

ok tb@


# 1.70 24-Jul-2022 jsing

Provide record layer callbacks for QUIC.

QUIC uses TLS to complete the handshake, however unlike normal TLS it does
not use the TLS record layer, rather it provides its own transport. This
means that we need to intercept all communication between the TLS handshake
and the record layer. This allows TLS handshake message writes to be
directed to QUIC, likewise for TLS handshake message reads. Alerts also
need to be sent via QUIC, plus it needs to be provided with the traffic
keys that are derived by TLS.

ok tb@


# 1.69 24-Jul-2022 jsing

Provide QUIC encryption levels.

QUIC wants to know what "encryption level" handshake messages should be
sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that
defines these (of course quictls decided to make this an
OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).

Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so
that they can be used in upcoming commits.

ok tb@


# 1.68 20-Jul-2022 jsing

Remove tls_buffer_set_data() and remove/revise callers.

There is no way that tls_buffer_set_data() can currently work in
conjunction with tls_buffer_expand(). This fact is currently hidden by the
way that PHH works, which reads the same data from the record layer (which
it needs to do anyway, since we may not have all of the handshake message
in a single record).

Since this is broken, mop it up and change the PHH callback to not provide
the record data.

ok beck@ tb@


Revision tags: OPENBSD_7_1_BASE
# 1.67 14-Jan-2022 tb

Convert the new record layers to opaque EVP_AEAD_CTX

ok jsing


# 1.66 06-Jan-2022 jsing

Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.

This brings the code more in line with the tls12_record_layer and reduces
the effort needed to make EVP_AEAD_CTX opaque.

Prompted by and ok tb@


# 1.65 15-Dec-2021 jsing

Use CBS_get_last_u8() to find the content type in TLSv1.3 records.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.64 16-Sep-2021 jsing

Implement flushing for TLSv1.3 handshakes.

When we finish sending a flight of records, flush the record layer output.
This effectively means calling BIO_flush() on the wbio.

Some things (such as apache2) have custom BIOs that perform buffering and
do not actually send on BIO_write(). Without BIO_flush() the server thinks
it has sent data and starts receiving records, however the client never
sends records since it never received those that the server should have
sent.

Joint work with tb@

ok tb@


# 1.63 04-Sep-2021 jsing

Factor out the TLSv1.3 code that handles content from TLS records.

Currently, the plaintext content from opened TLS records is handled via
the rbuf code in the TLSv1.3 record layer. Factor this out and provide a
separate struct tls_content, which knows how to track and manipulate the
content.

This makes the TLSv1.3 code cleaner, however it will also soon be used
to untangle parts of the legacy record layer.

ok beck@ tb@


# 1.62 08-Jun-2021 tb

Ignore the record version for early alerts

On receiving the first flight from the peer, we do not yet know if
we are using TLSv1.3. In particular, we might get an alert record
with record version 0x0300 from a pre-TLSv1.2 peer in response to
our client hello. Ignore the record version instead of sending a
protocol version alert in that situation. This may also be hit
when talking to a LibreSSL 3.3 server with an illegal SNI.

Part of an issue reported by danj.

ok jsing


# 1.61 16-May-2021 jsing

Avoid pulling ssl_locl.h into self-contained code.


# 1.60 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


Revision tags: OPENBSD_6_9_BASE
# 1.59 21-Mar-2021 jsing

Split TLSv1.3 record protection from record layer.

This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while
it is not currently necessary from a functionality perspective, it makes
for more readable and simpler code.

ok inoguchi@ tb@


# 1.58 05-Jan-2021 tb

Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()

ok jsing


# 1.57 04-Jan-2021 tb

Keep the various free calls of tls13_record_layer_free() in the
order of the struct members for reviewability.

ok jsing


# 1.56 02-Jan-2021 tb

Free {alert,phh}_data in tls13_record_layer_free()

httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.

The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands of TLS connections with a static site.

ok inoguchi jsing


# 1.55 15-Oct-2020 tb

zap annoying stray spaces


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_record_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@
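
The record header checks described in 1.40, the overflow alerts of 1.41, 1.48 and 1.46, and the early-alert exception of 1.62 (all further up this log) combine into one validation step on the 5-byte record header. The C below is an added example written for this page, not libssl's code: struct rl_state, its field names, the return convention and the helper name are this example's assumptions, and the constants are RFC 8446 values given local names rather than libssl's own defines.

```c
#include <stddef.h>
#include <stdint.h>

#define SSL3_VERSION_MAJOR		0x03
#define TLS1_2_VERSION			0x0303

#define RT_ALERT			21

#define TLS13_RECORD_HEADER_LEN		5
#define TLS13_RECORD_MAX_PLAINTEXT_LEN	(1 << 14)
#define TLS13_RECORD_MAX_CIPHERTEXT_LEN	((1 << 14) + 256)

#define ALERT_RECORD_OVERFLOW		22
#define ALERT_PROTOCOL_VERSION		70

/* Reader-side state the header checks depend on (names assumed for this example). */
struct rl_state {
	uint16_t legacy_version;	/* legacy version in use so far */
	int tls13_confirmed;		/* set once the ServerHello selects TLSv1.3 */
	int protection_engaged;		/* set once read traffic keys are installed */
};

struct record_header {
	uint8_t content_type;
	uint16_t version;
	uint16_t length;
};

/*
 * Parse and validate a TLS record header. Returns 1 on success, 0 with
 * *alert set when the record must be rejected, and -1 when fewer than
 * TLS13_RECORD_HEADER_LEN bytes are available yet.
 */
int
tls13_record_header_check(const struct rl_state *rl, const uint8_t *buf,
    size_t len, struct record_header *hdr, uint8_t *alert)
{
	size_t max_len;

	if (len < TLS13_RECORD_HEADER_LEN)
		return -1;

	hdr->content_type = buf[0];
	hdr->version = (uint16_t)(buf[1] << 8 | buf[2]);
	hdr->length = (uint16_t)(buf[3] << 8 | buf[4]);

	/*
	 * Early alerts: before the ServerHello we do not know whether the
	 * peer speaks TLSv1.2 at all, and an SSLv3 peer answers with a
	 * 0x0300 alert. Skip the version check for those rather than
	 * replying with protocol_version (rev 1.62).
	 */
	if (!(hdr->content_type == RT_ALERT && !rl->tls13_confirmed)) {
		if (rl->legacy_version < TLS1_2_VERSION) {
			/* Any SSL3/TLS record version (major 3) is acceptable. */
			if ((hdr->version >> 8) != SSL3_VERSION_MAJOR) {
				*alert = ALERT_PROTOCOL_VERSION;
				return 0;
			}
		} else if (hdr->version != TLS1_2_VERSION) {
			/* At TLSv1.2, legacy_record_version must be exactly 0x0303. */
			*alert = ALERT_PROTOCOL_VERSION;
			return 0;
		}
	}

	/*
	 * Length limits (RFC 8446 sections 5.1 and 5.2): 2^14 bytes of
	 * plaintext, or 2^14 + 256 once protection adds the inner content
	 * type, padding and AEAD tag. Anything larger is record_overflow.
	 */
	max_len = rl->protection_engaged ? TLS13_RECORD_MAX_CIPHERTEXT_LEN :
	    TLS13_RECORD_MAX_PLAINTEXT_LEN;
	if (hdr->length > max_len) {
		*alert = ALERT_RECORD_OVERFLOW;
		return 0;
	}
	return 1;
}
```

The caller reads the header, runs this check, and only then reads hdr->length further bytes; the alert chosen here is what the "set an alert from non-I/O code" mechanism of 1.48 would carry back to the writer side.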


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing
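
The message above (1.34) and 1.52, 1.51 and 1.47 further up describe how the content type is recovered from a decrypted TLSInnerPlaintext and which shapes must be rejected. The C below is an added illustration written for this page, not code from libssl: it builds and parses the RFC 8446 section 5.2 structure with its own helper names (tls13_inner_plaintext_build/parse, RT_* and ALERT_* are local to the example) and applies the checks the commit messages state. Padding is stripped by scanning back to the last non-zero byte; an empty or all-zero plaintext carries no content type and gets unexpected_message, as does an empty handshake or alert record, while a zero-length application data record is accepted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* RFC 8446 content types and alert; local names, not libssl's defines. */
#define RT_ALERT			21
#define RT_HANDSHAKE			22
#define RT_APPLICATION_DATA		23
#define ALERT_UNEXPECTED_MESSAGE	10

/*
 * Build a TLSInnerPlaintext: content || content_type || zeros[padding_len].
 * Returns the total length, or -1 if out is too small or the content type
 * is zero (a zero type byte would be indistinguishable from padding).
 */
ssize_t
tls13_inner_plaintext_build(uint8_t *out, size_t out_len,
    const uint8_t *content, size_t content_len, uint8_t content_type,
    size_t padding_len)
{
	size_t total = content_len + 1 + padding_len;

	if (content_type == 0 || total > out_len)
		return -1;
	memcpy(out, content, content_len);
	out[content_len] = content_type;
	memset(out + content_len + 1, 0, padding_len);
	return (ssize_t)total;
}

/*
 * Parse a decrypted TLSInnerPlaintext. On success returns the content
 * length and stores the content type in *content_type; on failure returns
 * -1 and stores the alert to send in *alert.
 */
ssize_t
tls13_inner_plaintext_parse(const uint8_t *buf, size_t len,
    uint8_t *content_type, uint8_t *alert)
{
	size_t end = len;

	/* Scan back over the zero padding to the last non-zero byte. */
	while (end > 0 && buf[end - 1] == 0)
		end--;

	/*
	 * Empty or all-zero plaintext has no content type (rev 1.52). Bailing
	 * here also means the content length below can never go negative,
	 * which is the freezero() crash of rev 1.51.
	 */
	if (end == 0) {
		*alert = ALERT_UNEXPECTED_MESSAGE;
		return -1;
	}
	*content_type = buf[end - 1];
	end--;		/* end is now the content length */

	/*
	 * RFC 8446 section 5.4: handshake and alert records must not have
	 * empty content (rev 1.34). Zero-length application data is legal.
	 */
	if (end == 0 && (*content_type == RT_HANDSHAKE ||
	    *content_type == RT_ALERT)) {
		*alert = ALERT_UNEXPECTED_MESSAGE;
		return -1;
	}
	return (ssize_t)end;
}
```

A caller that gets 0 back for application data must not hand that up as a zero-byte read, since that would signal EOF; it should pull the next record instead (rev 1.47). libssl itself locates the type byte with CBS_get_last_u8() (rev 1.65); the backward scan here is the same operation written out.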


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that the sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing
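
The check-before-increment that 1.30 and 1.29 describe, together with the RFC 8446 section 5.3 nonce construction the sequence number feeds into, as an added example for this page. This is not libssl's code: the function names, the 8-byte big-endian array representation and the return conventions are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS13_RECORD_SEQ_NUM_LEN	8

/*
 * Increment a big-endian 64-bit record sequence number in place. The
 * sequence number must never wrap, so the check is made up front: the
 * only value that would wrap is all 0xff bytes. Returns 1 on success and
 * 0, leaving seq_num untouched, when the caller must instead close the
 * connection or update the key.
 */
int
tls13_record_seq_num_increment(uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN])
{
	int i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			break;
	}
	if (i == TLS13_RECORD_SEQ_NUM_LEN)
		return 0;

	/* Propagate the carry up from the least significant byte. */
	for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq_num[i] != 0)
			break;
	}
	return 1;
}

/* Decode the big-endian sequence number as an integer. */
uint64_t
tls13_record_seq_num_value(const uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];
	return v;
}

/*
 * Derive the per-record AEAD nonce (RFC 8446 section 5.3): the sequence
 * number is left-padded with zeros to the IV length and XORed with the
 * static IV. Returns 0 if the IV is shorter than the sequence number.
 */
int
tls13_record_nonce(uint8_t *nonce, size_t iv_len, const uint8_t *iv,
    const uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN])
{
	size_t i;

	if (iv_len < TLS13_RECORD_SEQ_NUM_LEN)
		return 0;
	memset(nonce, 0, iv_len);
	memcpy(nonce + iv_len - TLS13_RECORD_SEQ_NUM_LEN, seq_num,
	    TLS13_RECORD_SEQ_NUM_LEN);
	for (i = 0; i < iv_len; i++)
		nonce[i] ^= iv[i];
	return 1;
}
```

The point of refusing the increment rather than wrapping is that a wrapped sequence number would reuse a nonce under the same traffic key, which breaks the AEAD's guarantees; failing the record is the safe outcome.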


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing
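
The change_cipher_spec handling in 1.21, together with the two-message allowance of 1.33 and the no-trailing-data check of 1.71 (both further up this log), amounts to a small state machine. The C below is an added illustration for this page, not libssl's code: struct ccs_state, the hook names and TLS13_MAX_DUMMY_CCS are this example's own. The alert choice follows RFC 8446 section 5, which requires unexpected_message for a CCS with any value other than 0x01 or one received under record protection.

```c
#include <stddef.h>
#include <stdint.h>

#define ALERT_UNEXPECTED_MESSAGE	10
#define TLS13_MAX_DUMMY_CCS		2	/* HRR and ServerHello, rev 1.33 */

/* Record layer state for CCS handling (names assumed for this example). */
struct ccs_state {
	int ccs_allowed;	/* ClientHello seen, peer's Finished not yet */
	int ccs_seen;		/* dummy CCS messages accepted so far */
};

/* Handshake hook: the ClientHello has been sent or received. */
void
tls13_ccs_on_client_hello(struct ccs_state *st)
{
	st->ccs_allowed = 1;
}

/* Handshake hook: the peer's Finished has been received. */
void
tls13_ccs_on_peer_finished(struct ccs_state *st)
{
	st->ccs_allowed = 0;
}

/*
 * Handle a change_cipher_spec record. Returns 1 if it is a dummy CCS the
 * caller should drop before reading the next record, or 0 with *alert set
 * if the handshake must be aborted.
 */
int
tls13_ccs_recv(struct ccs_state *st, int is_protected,
    const uint8_t *content, size_t content_len, uint8_t *alert)
{
	/* Only between the ClientHello and the peer's Finished, never protected. */
	if (!st->ccs_allowed || is_protected) {
		*alert = ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}
	/* Exactly one byte with value 0x01 and no trailing data (rev 1.71). */
	if (content_len != 1 || content[0] != 0x01) {
		*alert = ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}
	/* Tolerate a second dummy CCS after a HelloRetryRequest, nothing more. */
	if (st->ccs_seen >= TLS13_MAX_DUMMY_CCS) {
		*alert = ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}
	st->ccs_seen++;
	return 1;
}
```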


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back to TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer

ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.72 11-Nov-2022 jsing

Convert the legacy TLS stack to tls_content.

This converts the legacy TLS stack to tls_content - records are now
opened into a tls_content structure, rather than being written back into
the same buffer that the sealed record was read into.

This will allow for further clean up of the legacy record layer.

ok tb@


Revision tags: OPENBSD_7_2_BASE
# 1.71 11-Sep-2022 jsing

Ensure there is no trailing data for a CCS received by the TLSv1.3 stack.

ok tb@


# 1.70 24-Jul-2022 jsing

Provide record layer callbacks for QUIC.

QUIC uses TLS to complete the handshake, however unlike normal TLS it does
not use the TLS record layer, rather it provides its own transport. This
means that we need to intercept all communication between the TLS handshake
and the record layer. This allows TLS handshake message writes to be
directed to QUIC, likewise for TLS handshake message reads. Alerts also
need to be sent via QUIC, plus it needs to be provided with the traffic
keys that are derived by TLS.

ok tb@


# 1.69 24-Jul-2022 jsing

Provide QUIC encryption levels.

QUIC wants to know what "encryption level" handshake messages should be
sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that
defines these (of course quictls decided to make this an
OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).

Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so
that they can be used in upcoming commits.

ok tb@


# 1.68 20-Jul-2022 jsing

Remove tls_buffer_set_data() and remove/revise callers.

There is no way that tls_buffer_set_data() can currently work in
conjunction with tls_buffer_expand(). This fact is currently hidden by the
way that PHH works, which reads the same data from the record layer (which
it needs to do anyway, since we may not have all of the handshake message
in a single record).

Since this is broken, mop it up and change the PHH callback to not provide
the record data.

ok beck@ tb@


Revision tags: OPENBSD_7_1_BASE
# 1.67 14-Jan-2022 tb

Convert the new record layers to opaque EVP_AEAD_CTX

ok jsing


# 1.66 06-Jan-2022 jsing

Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.

This brings the code more in line with the tls12_record_layer and reduces
the effort needed to make EVP_AEAD_CTX opaque.

Prompted by and ok tb@


# 1.65 15-Dec-2021 jsing

Use CBS_get_last_u8() to find the content type in TLSv1.3 records.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.64 16-Sep-2021 jsing

Implement flushing for TLSv1.3 handshakes.

When we finish sending a flight of records, flush the record layer output.
This effectively means calling BIO_flush() on the wbio.

Some things (such as apache2) have custom BIOs that perform buffering and
do not actually send on BIO_write(). Without BIO_flush() the server thinks
it has sent data and starts receiving records, however the client never
sends records since it never received those that the server should have
sent.

Joint work with tb@

ok tb@


# 1.63 04-Sep-2021 jsing

Factor out the TLSv1.3 code that handles content from TLS records.

Currently, the plaintext content from opened TLS records is handled via
the rbuf code in the TLSv1.3 record layer. Factor this out and provide a
separate struct tls_content, which knows how to track and manipulate the
content.

This makes the TLSv1.3 code cleaner, however it will also soon also be used
to untangle parts of the legacy record layer.

ok beck@ tb@


# 1.62 08-Jun-2021 tb

Ignore the record version for early alerts

On receiving the first flight from the peer, we do not yet know if
we are using TLSv1.3. In particular, we might get an alert record
with record version 0x0300 from a pre-TLSv1.2 peer in response to
our client hello. Ignore the record version instead of sending a
protocol version alert in that situtation. This may also be hit
when talking to a LibreSSL 3.3 server with an illegal SNI.

Part of an issue reported by danj.

ok jsing


# 1.61 16-May-2021 jsing

Avoid pulling ssl_locl.h into self-contained code.


# 1.60 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


Revision tags: OPENBSD_6_9_BASE
# 1.59 21-Mar-2021 jsing

Split TLSv1.3 record protection from record layer.

This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while
it is not currently necessary from a functionality perspective, it makes
for more readable and simpler code.

ok inoguchi@ tb@


# 1.58 05-Jan-2021 tb

Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()

ok jsing


# 1.57 04-Jan-2021 tb

Keep the various free calls of tls13_record_layer_free() in the
order of the struct members for reviewability.

ok jsing


# 1.56 02-Jan-2021 tb

Free {alert,phh}_data in tls13_record_layer_free()

httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.

The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands TLS connections with a static site.

ok inoguchi jsing


# 1.55 15-Oct-2020 tb

zap annoying stray spaces


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_recod_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back to TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer

ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


Revision tags: OPENBSD_7_1_BASE
# 1.67 14-Jan-2022 tb

Convert the new record layers to opaque EVP_AEAD_CTX

ok jsing


# 1.66 06-Jan-2022 jsing

Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.

This brings the code more in line with the tls12_record_layer and reduces
the effort needed to make EVP_AEAD_CTX opaque.

Prompted by and ok tb@


# 1.65 15-Dec-2021 jsing

Use CBS_get_last_u8() to find the content type in TLSv1.3 records.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.64 16-Sep-2021 jsing

Implement flushing for TLSv1.3 handshakes.

When we finish sending a flight of records, flush the record layer output.
This effectively means calling BIO_flush() on the wbio.

Some things (such as apache2) have custom BIOs that perform buffering and
do not actually send on BIO_write(). Without BIO_flush() the server thinks
it has sent data and starts receiving records, however the client never
sends records since it never received those that the server should have
sent.

Joint work with tb@

ok tb@


# 1.63 04-Sep-2021 jsing

Factor out the TLSv1.3 code that handles content from TLS records.

Currently, the plaintext content from opened TLS records is handled via
the rbuf code in the TLSv1.3 record layer. Factor this out and provide a
separate struct tls_content, which knows how to track and manipulate the
content.

This makes the TLSv1.3 code cleaner, however it will also soon be used
to untangle parts of the legacy record layer.

ok beck@ tb@


# 1.62 08-Jun-2021 tb

Ignore the record version for early alerts

On receiving the first flight from the peer, we do not yet know if
we are using TLSv1.3. In particular, we might get an alert record
with record version 0x0300 from a pre-TLSv1.2 peer in response to
our client hello. Ignore the record version instead of sending a
protocol version alert in that situation. This may also be hit
when talking to a LibreSSL 3.3 server with an illegal SNI.

Part of an issue reported by danj.

ok jsing


# 1.61 16-May-2021 jsing

Avoid pulling ssl_locl.h into self-contained code.


# 1.60 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


Revision tags: OPENBSD_6_9_BASE
# 1.59 21-Mar-2021 jsing

Split TLSv1.3 record protection from record layer.

This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while
it is not currently necessary from a functionality perspective, it makes
for more readable and simpler code.

ok inoguchi@ tb@


# 1.58 05-Jan-2021 tb

Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()

ok jsing


# 1.57 04-Jan-2021 tb

Keep the various free calls of tls13_record_layer_free() in the
order of the struct members for reviewability.

ok jsing


# 1.56 02-Jan-2021 tb

Free {alert,phh}_data in tls13_record_layer_free()

httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.

The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands of TLS connections with a static site.

ok inoguchi jsing


# 1.55 15-Oct-2020 tb

zap annoying stray spaces


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_record_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When the legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing
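The inner plaintext checks that revisions 1.34, 1.46, 1.51 and 1.52 describe, as an added example that is not libssl's code: enforce the inner plaintext length limit, locate the content type as the last non-zero byte (everything after it is zero padding), reject a record that has no content type at all, and reject handshake or alert records with empty content. Scanning with an index that stops at zero is how this example avoids the negative length from revision 1.51; the function and macro names are this example's own assumptions.

```c
/*
 * Added example (not code from libssl): parsing a TLSv1.3 TLSInnerPlaintext
 * after record protection is engaged. The content type is the last non-zero
 * byte, followed by optional zero padding (RFC 8446 section 5.4). Macro and
 * function names are assumptions of this example, not libssl's.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Content types from RFC 8446. */
#define TLS13_CT_ALERT			21
#define TLS13_CT_HANDSHAKE		22
#define TLS13_CT_APPLICATION_DATA	23

/* Alert descriptions (RFC 8446 section 6) sent on failure. */
#define TLS13_ALERT_UNEXPECTED_MESSAGE	10
#define TLS13_ALERT_RECORD_OVERFLOW	22

/* Inner plaintext is at most 2^14 content bytes plus the content type. */
#define TLS13_INNER_PLAINTEXT_MAX	(16384 + 1)

/*
 * Parse an opened (decrypted) inner plaintext. On success returns 0 and
 * sets *content_type and *content_len; the content is the bytes before the
 * content type. On failure returns the alert description to send.
 */
int
inner_plaintext_parse(const uint8_t *inner, size_t inner_len,
    uint8_t *content_type, size_t *content_len)
{
	size_t i;

	if (inner_len > TLS13_INNER_PLAINTEXT_MAX)
		return TLS13_ALERT_RECORD_OVERFLOW;

	/*
	 * Scan backwards over the zero padding. An empty or all-zero
	 * plaintext never finds a content type, and because the index is
	 * unsigned and stops at zero no length ever goes negative.
	 */
	for (i = inner_len; i > 0; i--) {
		if (inner[i - 1] != 0)
			break;
	}
	if (i == 0)
		return TLS13_ALERT_UNEXPECTED_MESSAGE;

	*content_type = inner[i - 1];
	*content_len = i - 1;

	/*
	 * Handshake and alert records must carry content. Zero-length
	 * application data is valid; the caller handles that case separately.
	 */
	if (*content_len == 0 && (*content_type == TLS13_CT_HANDSHAKE ||
	    *content_type == TLS13_CT_ALERT))
		return TLS13_ALERT_UNEXPECTED_MESSAGE;

	return 0;
}

int
main(void)
{
	/* Constructed inner plaintext: "hi", application_data, two bytes of padding. */
	const uint8_t sample[] = { 'h', 'i', TLS13_CT_APPLICATION_DATA, 0, 0 };
	const uint8_t zeros[4] = { 0, 0, 0, 0 };
	uint8_t ct;
	size_t len;

	if (inner_plaintext_parse(sample, sizeof(sample), &ct, &len) != 0)
		return 1;
	printf("content type %u, %zu content bytes\n", (unsigned)ct, len);

	/* A bogus all-zero plaintext is rejected rather than mis-parsed. */
	if (inner_plaintext_parse(zeros, sizeof(zeros), &ct, &len) !=
	    TLS13_ALERT_UNEXPECTED_MESSAGE)
		return 1;
	return 0;
}
```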




# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing
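
Added example, not libssl's code, covering the inner plaintext checks that 1.52, 1.51, 1.48, 1.47, 1.46 and 1.34 above describe: after AEAD decryption the TLSInnerPlaintext (RFC 8446 section 5.2) is a content, a non-zero content type octet and optional zero padding. The parser below strips the padding with a size_t that stops at zero (so an all-zero record cannot produce the -1 length of 1.51), rejects records with no content type, rejects overlong content with record_overflow, rejects empty handshake and alert content with unexpected_message, and accepts a zero-length application data record as valid. The names parse_inner_plaintext, struct inner_plaintext, alert_for, content_len_for, MAX_INNER_CONTENT and the CT_*/ALERT_* macros are this example's own; libssl's record layer uses different identifiers.

```c
/*
 * Added example (not libssl code): open a TLSInnerPlaintext (RFC 8446
 * section 5.2) and apply the record layer checks described in the log.
 * All names below are the example's own, not libssl's.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ContentType values, RFC 8446 section 5.1. */
#define CT_CHANGE_CIPHER_SPEC	20
#define CT_ALERT		21
#define CT_HANDSHAKE		22
#define CT_APPLICATION_DATA	23

/* AlertDescription wire values, RFC 8446 section 6. */
#define ALERT_UNEXPECTED_MESSAGE	10
#define ALERT_RECORD_OVERFLOW		22

/* Section 5.2: TLSInnerPlaintext.content holds at most 2^14 octets. */
#define MAX_INNER_CONTENT	(1 << 14)

struct inner_plaintext {
	uint8_t content_type;		/* a CT_* value */
	const uint8_t *content;		/* points into the caller's buffer */
	size_t content_len;
	int alert;			/* 0, or the ALERT_* to send */
};

/*
 * Strip the zero padding, pull off the content type and validate the rest.
 * Returns 1 on success, 0 with ip->alert set when the record is rejected.
 * n is a size_t that stops at zero, so an all-zero record can never yield
 * the -1 length that crashed freezero (1.51).
 */
int
parse_inner_plaintext(const uint8_t *plaintext, size_t len,
    struct inner_plaintext *ip)
{
	size_t n = len;

	memset(ip, 0, sizeof(*ip));

	/* Padding is a run of zero octets after the content type. */
	while (n > 0 && plaintext[n - 1] == 0)
		n--;

	/* Empty, or zeros only: no content type is present (1.52). */
	if (n == 0) {
		ip->alert = ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}
	ip->content_type = plaintext[n - 1];
	ip->content = plaintext;
	ip->content_len = n - 1;

	/* Overlong inner plaintext is a record_overflow (1.46, 1.48). */
	if (ip->content_len > MAX_INNER_CONTENT) {
		ip->alert = ALERT_RECORD_OVERFLOW;
		return 0;
	}

	switch (ip->content_type) {
	case CT_APPLICATION_DATA:
		/* Zero-length application data is valid (1.47): the caller
		 * must read the next record rather than report EOF. */
		return 1;
	case CT_HANDSHAKE:
	case CT_ALERT:
		/* Section 5.4: handshake and alert content must not be
		 * empty; otherwise unexpected_message (1.34). */
		if (ip->content_len == 0) {
			ip->alert = ALERT_UNEXPECTED_MESSAGE;
			return 0;
		}
		return 1;
	default:
		/* CCS is never sent protected in TLSv1.3 (section 5) and
		 * anything else is an unknown type. */
		ip->alert = ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}
}

/* The alert buf would trigger, or 0 if it is accepted. */
int
alert_for(const uint8_t *buf, size_t len)
{
	struct inner_plaintext ip;

	parse_inner_plaintext(buf, len, &ip);
	return ip.alert;
}

/* Content length after padding removal, or -1 if the record is rejected. */
long
content_len_for(const uint8_t *buf, size_t len)
{
	struct inner_plaintext ip;

	if (!parse_inner_plaintext(buf, len, &ip))
		return -1;
	return (long)ip.content_len;
}

/* Constructed input: 2^14 + 1 octets of handshake content plus its type. */
int
alert_for_overlong_handshake(void)
{
	static uint8_t buf[MAX_INNER_CONTENT + 2];

	memset(buf, 0x41, sizeof(buf));
	buf[sizeof(buf) - 1] = CT_HANDSHAKE;
	return alert_for(buf, sizeof(buf));
}
```

The caller still has to enforce the outer limits before decryption (TLSCiphertext.length at most 2^14 + 256 octets, section 5.2); this parser only sees what the AEAD open produced. Note the ordering: padding is stripped before the length check, so a peer cannot hide an overlong content behind a short apparent length, and the empty-content check applies only to handshake and alert records, since a zero-length application data record is legitimate.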


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence numbers should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@
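
Added example, not libssl's code, for the sequence number handling that 1.30 and 1.29 above describe: the per-record sequence number is an 8-octet big-endian counter, the increment decides up front whether it would wrap and refuses rather than wrapping, and the per-record nonce construction from RFC 8446 section 5.3 (sequence number left-padded to the IV length, XORed with the write IV) shows why a wrap is fatal: it would reuse an AEAD nonce under the same traffic key. The names seq_num_increment, tls13_nonce, the demo_* helpers and their constructed inputs are this example's own.

```c
/*
 * Added example (not libssl code): the TLSv1.3 record sequence number as
 * an 8-octet big-endian counter that refuses to wrap (RFC 8446 5.3), and
 * the per-record nonce derived from it. Names are the example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SEQ_NUM_LEN	8
#define IV_LEN		12	/* AEAD IV length of the TLSv1.3 cipher suites */

/*
 * Increment seq in place. Returns 1 on success, 0 with seq untouched when
 * the counter is already 2^64 - 1: the caller must then stop using this key
 * (close the connection) instead of continuing.
 */
int
seq_num_increment(uint8_t seq[SEQ_NUM_LEN])
{
	int i;

	/* Decide up front: only an all-0xff counter would wrap. */
	for (i = 0; i < SEQ_NUM_LEN; i++) {
		if (seq[i] != 0xff)
			break;
	}
	if (i == SEQ_NUM_LEN)
		return 0;

	/* Propagate the carry from the least significant octet. */
	for (i = SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq[i] != 0)
			break;
	}
	return 1;
}

/*
 * Section 5.3: nonce = (seq left-padded with zeros to iv_len) XOR write_iv.
 * Returns 0 if the IV is too short to hold the counter.
 */
int
tls13_nonce(const uint8_t *iv, size_t iv_len, const uint8_t seq[SEQ_NUM_LEN],
    uint8_t *nonce)
{
	size_t i;

	if (iv_len < SEQ_NUM_LEN)
		return 0;
	memcpy(nonce, iv, iv_len);
	for (i = 0; i < SEQ_NUM_LEN; i++)
		nonce[iv_len - SEQ_NUM_LEN + i] ^= seq[i];
	return 1;
}

/* Constructed input: carry from ...00ff to ...0100. Returns 1 if correct. */
int
demo_carry(void)
{
	uint8_t seq[SEQ_NUM_LEN] = { 0, 0, 0, 0, 0, 0, 0, 0xff };

	if (!seq_num_increment(seq))
		return 0;
	return seq[6] == 0x01 && seq[7] == 0x00;
}

/* Constructed input: a counter at 2^64 - 1 is refused and left unchanged. */
int
demo_wrap_refused(void)
{
	uint8_t seq[SEQ_NUM_LEN];
	int i;

	memset(seq, 0xff, sizeof(seq));
	if (seq_num_increment(seq))
		return 0;
	for (i = 0; i < SEQ_NUM_LEN; i++) {
		if (seq[i] != 0xff)
			return 0;
	}
	return 1;
}

/* Constructed IV: consecutive records differ only in the low nonce octet. */
int
demo_nonce_differs(void)
{
	static const uint8_t iv[IV_LEN] = {
		0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
		0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c
	};
	uint8_t seq[SEQ_NUM_LEN] = { 0 };
	uint8_t n0[IV_LEN], n1[IV_LEN];

	tls13_nonce(iv, IV_LEN, seq, n0);
	seq_num_increment(seq);
	tls13_nonce(iv, IV_LEN, seq, n1);
	return memcmp(n0, iv, IV_LEN) == 0 &&
	    memcmp(n0, n1, IV_LEN - 1) == 0 &&
	    n1[IV_LEN - 1] == (0x0c ^ 0x01);
}
```

Checking for the all-0xff case before touching the counter is what makes the failure path safe: the counter is never left in a wrapped state that a later retry could use, and the increment loop itself has a single exit on the first non-zero carry result.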


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back to TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing
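
Added example, not libssl's code, for the record header rules in 1.40, 1.41, 1.26 and 1.20 above: the five-octet TLS record header (RFC 8446 section 5.1) carries a content type, the legacy record version and a length. The check below models a record layer that tracks the legacy version it has been told to use (TLS1_VERSION until the ClientHello is on the wire, TLS1_2_VERSION afterwards, as in 1.20) and applies 1.40's rule to what it receives: below TLSv1.2 any SSLv3/TLS record version is accepted, at TLSv1.2 exactly 0x0303 is required. Because a pre-TLSv1.3 server may answer the ClientHello with an alert (1.26), the version of an alert record is not checked until the ServerHello has been seen; that relaxation is this example's choice. Length limits follow sections 5.1 and 5.2 and produce record_overflow (1.41). struct record_header, check_record_header(), header_alert() and their parameters are the example's own names.

```c
/*
 * Added example (not libssl code): parse and validate the five-octet TLS
 * record header (RFC 8446 section 5.1). Names and parameters are the
 * example's own.
 */
#include <stddef.h>
#include <stdint.h>

#define TLS1_VERSION		0x0301
#define TLS1_2_VERSION		0x0303

#define CT_CHANGE_CIPHER_SPEC	20
#define CT_ALERT		21
#define CT_HANDSHAKE		22
#define CT_APPLICATION_DATA	23

/* Sections 5.1 and 5.2: TLSPlaintext and TLSCiphertext length limits. */
#define MAX_PLAINTEXT_LEN	(1 << 14)
#define MAX_CIPHERTEXT_LEN	((1 << 14) + 256)

#define ALERT_UNEXPECTED_MESSAGE	10
#define ALERT_RECORD_OVERFLOW		22
#define ALERT_PROTOCOL_VERSION		70

struct record_header {
	uint8_t content_type;
	uint16_t version;	/* legacy_record_version */
	uint16_t length;
};

/*
 * Returns 0 and fills *rh if the header is acceptable, otherwise the alert
 * to send. legacy_version is the version we expect on the wire (1.20):
 * TLS1_VERSION until our ClientHello has been sent, TLS1_2_VERSION after.
 * is_protected says whether record protection is engaged. Until
 * server_hello_seen is set, an alert may come from a pre-TLSv1.3 peer
 * answering our ClientHello (1.26), so its record version is not checked.
 */
int
check_record_header(const uint8_t hdr[5], uint16_t legacy_version,
    int is_protected, int server_hello_seen, struct record_header *rh)
{
	rh->content_type = hdr[0];
	rh->version = (uint16_t)(hdr[1] << 8 | hdr[2]);
	rh->length = (uint16_t)(hdr[3] << 8 | hdr[4]);

	switch (rh->content_type) {
	case CT_CHANGE_CIPHER_SPEC:
	case CT_ALERT:
	case CT_HANDSHAKE:
	case CT_APPLICATION_DATA:
		break;
	default:
		return ALERT_UNEXPECTED_MESSAGE;
	}

	if (!(rh->content_type == CT_ALERT && !server_hello_seen)) {
		if (legacy_version < TLS1_2_VERSION) {
			/* Any SSLv3/TLS record version (0x03xx) is fine (1.40). */
			if ((rh->version >> 8) != 0x03)
				return ALERT_PROTOCOL_VERSION;
		} else if (rh->version != TLS1_2_VERSION) {
			/* At TLSv1.2 the version must be exactly 0x0303 (1.40). */
			return ALERT_PROTOCOL_VERSION;
		}
	}

	/* Protected records may carry the AEAD tag and padding (1.41). */
	if (rh->length > (is_protected ? MAX_CIPHERTEXT_LEN : MAX_PLAINTEXT_LEN))
		return ALERT_RECORD_OVERFLOW;

	return 0;
}

/* Build a header from its fields and report what check_record_header says. */
int
header_alert(uint8_t content_type, uint16_t version, uint16_t length,
    uint16_t legacy_version, int is_protected, int server_hello_seen)
{
	struct record_header rh;
	uint8_t hdr[5];

	hdr[0] = content_type;
	hdr[1] = (uint8_t)(version >> 8);
	hdr[2] = (uint8_t)version;
	hdr[3] = (uint8_t)(length >> 8);
	hdr[4] = (uint8_t)length;
	return check_record_header(hdr, legacy_version, is_protected,
	    server_hello_seen, &rh);
}
```

The length check is deliberately done on the header before any of the record body is read, so an oversized length field is rejected without buffering 64 KiB per connection; the inner plaintext limit is a separate check after decryption.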


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer

ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
Tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.68 20-Jul-2022 jsing

Remove tls_buffer_set_data() and remove/revise callers.

There is no way that tls_buffer_set_data() can currently work in
conjunction with tls_buffer_expand(). This fact is currently hidden by the
way that PHH works, which reads the same data from the record layer (which
it needs to do anyway, since we may not have all of the handshake message
in a single record).

Since this is broken, mop it up and change the PHH callback to not provide
the record data.

ok beck@ tb@


Revision tags: OPENBSD_7_1_BASE
# 1.67 14-Jan-2022 tb

Convert the new record layers to opaque EVP_AEAD_CTX

ok jsing


# 1.66 06-Jan-2022 jsing

Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.

This brings the code more in line with the tls12_record_layer and reduces
the effort needed to make EVP_AEAD_CTX opaque.

Prompted by and ok tb@


# 1.65 15-Dec-2021 jsing

Use CBS_get_last_u8() to find the content type in TLSv1.3 records.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.64 16-Sep-2021 jsing

Implement flushing for TLSv1.3 handshakes.

When we finish sending a flight of records, flush the record layer output.
This effectively means calling BIO_flush() on the wbio.

Some things (such as apache2) have custom BIOs that perform buffering and
do not actually send on BIO_write(). Without BIO_flush() the server thinks
it has sent data and starts receiving records, however the client never
sends records since it never received those that the server should have
sent.

Joint work with tb@

ok tb@


# 1.63 04-Sep-2021 jsing

Factor out the TLSv1.3 code that handles content from TLS records.

Currently, the plaintext content from opened TLS records is handled via
the rbuf code in the TLSv1.3 record layer. Factor this out and provide a
separate struct tls_content, which knows how to track and manipulate the
content.

This makes the TLSv1.3 code cleaner, however it will also soon also be used
to untangle parts of the legacy record layer.

ok beck@ tb@


# 1.62 08-Jun-2021 tb

Ignore the record version for early alerts

On receiving the first flight from the peer, we do not yet know if
we are using TLSv1.3. In particular, we might get an alert record
with record version 0x0300 from a pre-TLSv1.2 peer in response to
our client hello. Ignore the record version instead of sending a
protocol version alert in that situtation. This may also be hit
when talking to a LibreSSL 3.3 server with an illegal SNI.

Part of an issue reported by danj.

ok jsing


# 1.61 16-May-2021 jsing

Avoid pulling ssl_locl.h into self-contained code.


# 1.60 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


Revision tags: OPENBSD_6_9_BASE
# 1.59 21-Mar-2021 jsing

Split TLSv1.3 record protection from record layer.

This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while
it is not currently necessary from a functionality perspective, it makes
for more readable and simpler code.

ok inoguchi@ tb@


# 1.58 05-Jan-2021 tb

Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()

ok jsing


# 1.57 04-Jan-2021 tb

Keep the various free calls of tls13_record_layer_free() in the
order of the struct members for reviewability.

ok jsing


# 1.56 02-Jan-2021 tb

Free {alert,phh}_data in tls13_record_layer_free()

httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.

The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands TLS connections with a static site.

ok inoguchi jsing


# 1.55 15-Oct-2020 tb

zap annoying stray spaces


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_recod_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.67 14-Jan-2022 tb

Convert the new record layers to opaque EVP_AEAD_CTX

ok jsing


# 1.66 06-Jan-2022 jsing

Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.

This brings the code more in line with the tls12_record_layer and reduces
the effort needed to make EVP_AEAD_CTX opaque.

Prompted by and ok tb@


# 1.65 15-Dec-2021 jsing

Use CBS_get_last_u8() to find the content type in TLSv1.3 records.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.64 16-Sep-2021 jsing

Implement flushing for TLSv1.3 handshakes.

When we finish sending a flight of records, flush the record layer output.
This effectively means calling BIO_flush() on the wbio.

Some things (such as apache2) have custom BIOs that perform buffering and
do not actually send on BIO_write(). Without BIO_flush() the server thinks
it has sent data and starts receiving records, however the client never
sends records since it never received those that the server should have
sent.

Joint work with tb@

ok tb@


# 1.63 04-Sep-2021 jsing

Factor out the TLSv1.3 code that handles content from TLS records.

Currently, the plaintext content from opened TLS records is handled via
the rbuf code in the TLSv1.3 record layer. Factor this out and provide a
separate struct tls_content, which knows how to track and manipulate the
content.

This makes the TLSv1.3 code cleaner, however it will also soon also be used
to untangle parts of the legacy record layer.

ok beck@ tb@


# 1.62 08-Jun-2021 tb

Ignore the record version for early alerts

On receiving the first flight from the peer, we do not yet know if
we are using TLSv1.3. In particular, we might get an alert record
with record version 0x0300 from a pre-TLSv1.2 peer in response to
our client hello. Ignore the record version instead of sending a
protocol version alert in that situtation. This may also be hit
when talking to a LibreSSL 3.3 server with an illegal SNI.

Part of an issue reported by danj.

ok jsing


# 1.61 16-May-2021 jsing

Avoid pulling ssl_locl.h into self-contained code.


# 1.60 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


Revision tags: OPENBSD_6_9_BASE
# 1.59 21-Mar-2021 jsing

Split TLSv1.3 record protection from record layer.

This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while
it is not currently necessary from a functionality perspective, it makes
for more readable and simpler code.

ok inoguchi@ tb@


# 1.58 05-Jan-2021 tb

Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()

ok jsing


# 1.57 04-Jan-2021 tb

Keep the various free calls of tls13_record_layer_free() in the
order of the struct members for reviewability.

ok jsing


# 1.56 02-Jan-2021 tb

Free {alert,phh}_data in tls13_record_layer_free()

httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.

The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands TLS connections with a static site.

ok inoguchi jsing


# 1.55 15-Oct-2020 tb

zap annoying stray spaces


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_record_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing
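
The inner plaintext handling described in r1.52, r1.51 and r1.34 above, as an added example in C (not code from libssl): the function name, the limit macros and the sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Content types and alert descriptions as numbered in RFC 8446. */
#define TLS13_CONTENT_TYPE_ALERT             21
#define TLS13_CONTENT_TYPE_HANDSHAKE         22
#define TLS13_CONTENT_TYPE_APPLICATION_DATA  23

#define TLS13_ALERT_UNEXPECTED_MESSAGE       10
#define TLS13_ALERT_RECORD_OVERFLOW          22

/*
 * RFC 8446 section 5.2: the content of a record is at most 2^14 bytes and
 * TLSInnerPlaintext (content + type byte + zero padding) at most 2^14 + 1.
 * Macro names are assumptions for this example.
 */
#define TLS13_MAX_PLAINTEXT_LEN        16384
#define TLS13_MAX_INNER_PLAINTEXT_LEN  (TLS13_MAX_PLAINTEXT_LEN + 1)

/*
 * Split a decrypted TLSInnerPlaintext into content and content type
 * (hypothetical helper, not the libssl function).
 *
 * Returns 1 and sets *content, *content_len and *content_type on success.
 * Returns 0 and sets *alert to the alert the record layer should send when
 * the inner plaintext is not a valid message.
 */
int
tls13_inner_plaintext_parse(const uint8_t *inner, size_t inner_len,
    const uint8_t **content, size_t *content_len, uint8_t *content_type,
    uint8_t *alert)
{
	size_t len = inner_len;

	*content = NULL;
	*content_len = 0;
	*content_type = 0;
	*alert = 0;

	/* Overlong inner plaintext: record_overflow (r1.46/r1.48). */
	if (inner_len > TLS13_MAX_INNER_PLAINTEXT_LEN) {
		*alert = TLS13_ALERT_RECORD_OVERFLOW;
		return 0;
	}

	/* Strip the optional zero padding that follows the content type. */
	while (len > 0 && inner[len - 1] == 0)
		len--;

	/*
	 * A zero-length or all-zero plaintext carries no content type, so it
	 * is not a valid message: unexpected_message (r1.52). Returning here
	 * also guarantees len >= 1 below, so "len - 1" can never go negative
	 * (the freezero(-1) crash fixed in r1.51).
	 */
	if (len == 0) {
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}

	*content_type = inner[len - 1];
	len--;

	/*
	 * Handshake and alert records with empty inner plaintext are not
	 * allowed (RFC 8446 section 5.4): unexpected_message (r1.34).
	 * An empty application data record is valid and yields a zero
	 * content length, which the caller must not report as EOF (r1.47).
	 */
	if (len == 0 && (*content_type == TLS13_CONTENT_TYPE_HANDSHAKE ||
	    *content_type == TLS13_CONTENT_TYPE_ALERT)) {
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}

	*content = inner;
	*content_len = len;

	return 1;
}
```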


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz
when HRR is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that the sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@
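
The check-before-increment approach described in r1.30 and r1.29 above, as an added example in C that is not the libssl code; the function names are assumptions.

```c
#include <stdint.h>

/* TLSv1.3 record sequence numbers are 64-bit, handled as big-endian bytes
 * because they are XORed into the per-record nonce (RFC 8446 section 5.3). */
#define TLS13_RECORD_SEQ_NUM_LEN 8

/*
 * Increment a big-endian record sequence number in place (hypothetical
 * helper mirroring the r1.30 approach).
 *
 * RFC 8446 section 5.3 says the sequence number must never wrap: a peer
 * that is about to exhaust it must send a KeyUpdate or close the
 * connection. So check up front whether the increment would wrap and, if
 * so, return 0 without touching seq_num. Returns 1 after incrementing.
 */
int
tls13_seq_num_increment(uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN])
{
	int i;

	/* Would wrap: every byte is already 0xff. */
	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			break;
	}
	if (i == TLS13_RECORD_SEQ_NUM_LEN)
		return 0;

	/*
	 * Add one, carrying from the least significant (last) byte upwards.
	 * The loop always stops because at least one byte is not 0xff.
	 */
	for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq_num[i] != 0)
			break;
	}

	return 1;
}

/* Read the big-endian sequence number as an integer (for logging/tests). */
uint64_t
tls13_seq_num_to_u64(const uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];

	return v;
}
```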


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back to TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer

ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
Tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.65 15-Dec-2021 jsing

Use CBS_get_last_u8() to find the content type in TLSv1.3 records.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.64 16-Sep-2021 jsing

Implement flushing for TLSv1.3 handshakes.

When we finish sending a flight of records, flush the record layer output.
This effectively means calling BIO_flush() on the wbio.

Some things (such as apache2) have custom BIOs that perform buffering and
do not actually send on BIO_write(). Without BIO_flush() the server thinks
it has sent data and starts receiving records, however the client never
sends records since it never received those that the server should have
sent.

Joint work with tb@

ok tb@


# 1.63 04-Sep-2021 jsing

Factor out the TLSv1.3 code that handles content from TLS records.

Currently, the plaintext content from opened TLS records is handled via
the rbuf code in the TLSv1.3 record layer. Factor this out and provide a
separate struct tls_content, which knows how to track and manipulate the
content.

This makes the TLSv1.3 code cleaner, however it will also soon also be used
to untangle parts of the legacy record layer.

ok beck@ tb@


# 1.62 08-Jun-2021 tb

Ignore the record version for early alerts

On receiving the first flight from the peer, we do not yet know if
we are using TLSv1.3. In particular, we might get an alert record
with record version 0x0300 from a pre-TLSv1.2 peer in response to
our client hello. Ignore the record version instead of sending a
protocol version alert in that situtation. This may also be hit
when talking to a LibreSSL 3.3 server with an illegal SNI.

Part of an issue reported by danj.

ok jsing


# 1.61 16-May-2021 jsing

Avoid pulling ssl_locl.h into self-contained code.


# 1.60 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


Revision tags: OPENBSD_6_9_BASE
# 1.59 21-Mar-2021 jsing

Split TLSv1.3 record protection from record layer.

This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while
it is not currently necessary from a functionality perspective, it makes
for more readable and simpler code.

ok inoguchi@ tb@


# 1.58 05-Jan-2021 tb

Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()

ok jsing


# 1.57 04-Jan-2021 tb

Keep the various free calls of tls13_record_layer_free() in the
order of the struct members for reviewability.

ok jsing


# 1.56 02-Jan-2021 tb

Free {alert,phh}_data in tls13_record_layer_free()

httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.

The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands of TLS connections with a static site.

ok inoguchi jsing


# 1.55 15-Oct-2020 tb

zap annoying stray spaces


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_record_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing
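The content type scan described in the 1.52 and 1.51 entries above, together with the inner plaintext length checks of 1.46/1.48 and the empty handshake/alert content rule of the 1.34 entry, as an added example in C. This is not LibreSSL's own code: the function and enum names, the limits from RFC 8446 section 5.2 and the sample bodies are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Limits from RFC 8446 section 5.2: content is at most 2^14 bytes and the
 * protected TLSInnerPlaintext may be one byte longer, for the content type.
 */
#define TLS13_MAX_PLAINTEXT_LEN		16384
#define TLS13_MAX_INNER_PLAINTEXT_LEN	(TLS13_MAX_PLAINTEXT_LEN + 1)

#define TLS13_CONTENT_TYPE_ALERT	21
#define TLS13_CONTENT_TYPE_HANDSHAKE	22

/* Parse outcomes; the comment names the alert a receiver should send. */
enum inner_plaintext_result {
	INNER_PLAINTEXT_OK = 0,
	INNER_PLAINTEXT_OVERFLOW = 1,		/* record_overflow */
	INNER_PLAINTEXT_NO_CONTENT_TYPE = 2,	/* unexpected_message */
	INNER_PLAINTEXT_EMPTY_CONTENT = 3,	/* unexpected_message */
};

/*
 * Split a decrypted record body into content and content type.
 *
 * The content type is the last non-zero byte and any zero bytes after it
 * are padding.  The scan index is an unsigned size_t that is only
 * decremented while it is positive, so an all-zero body stops at zero
 * instead of reaching -1 and being handed to a deallocator.  Such a body,
 * like an empty one, has no content type and is rejected.  Handshake and
 * alert records with zero-length content are rejected as well (RFC 8446
 * section 5.4).
 */
int
inner_plaintext_parse(const uint8_t *body, size_t body_len,
    uint8_t *content_type, size_t *content_len)
{
	size_t end = body_len;

	*content_type = 0;
	*content_len = 0;

	if (body_len > TLS13_MAX_INNER_PLAINTEXT_LEN)
		return INNER_PLAINTEXT_OVERFLOW;

	/* Strip zero padding from the end without running off the front. */
	while (end > 0 && body[end - 1] == 0)
		end--;

	/* Empty or all-zero body: the content type is unspecified. */
	if (end == 0)
		return INNER_PLAINTEXT_NO_CONTENT_TYPE;

	*content_type = body[end - 1];
	*content_len = end - 1;

	if ((*content_type == TLS13_CONTENT_TYPE_ALERT ||
	    *content_type == TLS13_CONTENT_TYPE_HANDSHAKE) &&
	    *content_len == 0)
		return INNER_PLAINTEXT_EMPTY_CONTENT;

	return INNER_PLAINTEXT_OK;
}

int
main(void)
{
	/* Constructed sample: "Hi", application_data type (23), padding. */
	const uint8_t body[] = { 0x48, 0x69, 0x17, 0x00, 0x00 };
	uint8_t type;
	size_t len;
	int rv;

	rv = inner_plaintext_parse(body, sizeof(body), &type, &len);
	printf("result=%d type=%u content_len=%zu\n", rv, type, len);
	return 0;
}
```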


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that the sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@
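The "check up front, then increment" approach from the 1.30 and 1.29 entries above, as an added example in C. It is not LibreSSL's code: the 8-byte big-endian layout, the function names and the sample values are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SEQ_NUM_LEN 8	/* 64-bit record sequence number, big-endian bytes */

/*
 * Increment a record sequence number in place.  Returns 1 on success and
 * 0, leaving the number untouched, if the increment would wrap to zero:
 * RFC 8446 section 5.3 requires that a sequence number never wrap, so the
 * caller must rekey beforehand or terminate the connection.
 */
int
seq_num_increment(uint8_t seq_num[SEQ_NUM_LEN])
{
	size_t i;

	/* Check up front: a wrap can only happen when every byte is 0xff. */
	for (i = 0; i < SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			break;
	}
	if (i == SEQ_NUM_LEN)
		return 0;

	/*
	 * The increment is now known to terminate before the first byte:
	 * bump the least significant byte and carry while bytes roll over.
	 */
	for (i = SEQ_NUM_LEN; i > 0; i--) {
		if (++seq_num[i - 1] != 0)
			break;
	}
	return 1;
}

/* Helper for inspection: the sequence number as an integer. */
uint64_t
seq_num_value(const uint8_t seq_num[SEQ_NUM_LEN])
{
	uint64_t v = 0;
	size_t i;

	for (i = 0; i < SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];
	return v;
}

int
main(void)
{
	/* Constructed sample: one below a carry across two bytes. */
	uint8_t seq[SEQ_NUM_LEN] = { 0, 0, 0, 0, 0, 0, 0xff, 0xff };

	if (seq_num_increment(seq))
		printf("seq_num=%llu\n", (unsigned long long)seq_num_value(seq));
	else
		printf("sequence number exhausted, connection must end\n");
	return 0;
}
```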


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back to TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer

ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
Tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_recod_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@



# 1.61 16-May-2021 jsing

Avoid pulling ssl_locl.h into self-contained code.


# 1.60 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


Revision tags: OPENBSD_6_9_BASE
# 1.59 21-Mar-2021 jsing

Split TLSv1.3 record protection from record layer.

This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while
it is not currently necessary from a functionality perspective, it makes
for more readable and simpler code.

ok inoguchi@ tb@


# 1.58 05-Jan-2021 tb

Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()

ok jsing


# 1.57 04-Jan-2021 tb

Keep the various free calls of tls13_record_layer_free() in the
order of the struct members for reviewability.

ok jsing


# 1.56 02-Jan-2021 tb

Free {alert,phh}_data in tls13_record_layer_free()

httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.

The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands TLS connections with a static site.

ok inoguchi jsing


# 1.55 15-Oct-2020 tb

zap annoying stray spaces


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_record_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing
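
The inner plaintext handling that 1.52, 1.51, 1.48/1.46, 1.47 and 1.34 above describe, as an added example in C that is not code from this file or from libssl: after record protection is removed, the TLSInnerPlaintext is scanned backwards over its zero padding to find the content type (RFC 8446 section 5.2); an empty or all-zero plaintext is rejected with unexpected_message because no content type can be found, content longer than 2^14 bytes is a record overflow, a handshake or alert record with empty content is rejected (section 5.4), and an empty application data record is accepted and yields zero bytes. The function and enum names, the limit constants and the result codes are this example's own assumptions, not libssl's API.

```c
/*
 * Added example, not libssl code: parse a decrypted TLSv1.3 record body,
 * TLSInnerPlaintext = content || type || zero padding (RFC 8446 section
 * 5.2).  Names, limit constants and result codes are assumptions made here.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 8446 limits: content <= 2^14, protected record <= 2^14 + 256. */
#define MAX_CONTENT_LEN    16384
#define MAX_CIPHERTEXT_LEN (16384 + 256)

#define CT_ALERT            21
#define CT_HANDSHAKE        22
#define CT_APPLICATION_DATA 23

/* Results a caller would map to an alert (assumed, not libssl's codes). */
enum inner_result {
	INNER_OK = 0,
	INNER_RECORD_OVERFLOW,    /* -> record_overflow alert    */
	INNER_UNEXPECTED_MESSAGE, /* -> unexpected_message alert */
};

/*
 * On INNER_OK, *content_type is the type byte and *content_len the number of
 * content bytes.  Zero is legal for application data (see 1.47).
 */
enum inner_result
inner_plaintext_parse(const uint8_t *inner, size_t inner_len,
    uint8_t *content_type, size_t *content_len)
{
	size_t n = inner_len;

	*content_type = 0;
	*content_len = 0;

	/* Decryption never yields more bytes than the ciphertext had. */
	if (inner_len > MAX_CIPHERTEXT_LEN)
		return INNER_RECORD_OVERFLOW;

	/*
	 * Strip trailing zero padding.  The count is unsigned and the loop stops
	 * at zero, so an all-zero plaintext cannot drive a length to -1 (1.51).
	 */
	while (n > 0 && inner[n - 1] == 0)
		n--;

	/* Empty, or nothing but zeros: the content type is unspecified. */
	if (n == 0)
		return INNER_UNEXPECTED_MESSAGE;

	*content_type = inner[--n];
	if (n > MAX_CONTENT_LEN)
		return INNER_RECORD_OVERFLOW;

	/* Section 5.4: handshake and alert content must not be empty. */
	if (n == 0 && (*content_type == CT_HANDSHAKE ||
	    *content_type == CT_ALERT))
		return INNER_UNEXPECTED_MESSAGE;

	*content_len = n;
	return INNER_OK;
}

/* Result code only, for the checks below. */
static enum inner_result
inner_classify(const uint8_t *inner, size_t inner_len)
{
	uint8_t ct;
	size_t len;
	return inner_plaintext_parse(inner, inner_len, &ct, &len);
}

/* Runs the boundary cases on constructed inputs; returns how many behaved. */
int
inner_plaintext_selftest(void)
{
	static uint8_t big[MAX_CONTENT_LEN + 2];
	static const uint8_t hs[] = { 0x01, 0x02, CT_HANDSHAKE, 0x00, 0x00 };
	static const uint8_t zeros[] = { 0x00, 0x00, 0x00 };
	static const uint8_t empty_hs[] = { CT_HANDSHAKE };
	static const uint8_t empty_app[] = { CT_APPLICATION_DATA, 0x00 };
	uint8_t ct;
	size_t len;
	int passed = 0;

	/* Two content bytes, handshake type, two bytes of padding. */
	passed += inner_plaintext_parse(hs, sizeof(hs), &ct, &len) == INNER_OK &&
	    ct == CT_HANDSHAKE && len == 2;
	/* All zeros, or zero length: no content type to find (1.52, 1.51). */
	passed += inner_classify(zeros, sizeof(zeros)) == INNER_UNEXPECTED_MESSAGE;
	passed += inner_classify(zeros, 0) == INNER_UNEXPECTED_MESSAGE;
	/* Empty handshake content is rejected (1.34)... */
	passed += inner_classify(empty_hs, 1) == INNER_UNEXPECTED_MESSAGE;
	/* ...but an empty application data record is valid and yields 0 bytes. */
	passed += inner_plaintext_parse(empty_app, sizeof(empty_app), &ct, &len)
	    == INNER_OK && ct == CT_APPLICATION_DATA && len == 0;
	/* 2^14 + 1 content bytes plus a type byte: record overflow (1.46/1.48). */
	memset(big, 0x41, MAX_CONTENT_LEN + 1);
	big[MAX_CONTENT_LEN + 1] = CT_APPLICATION_DATA;
	passed += inner_classify(big, sizeof(big)) == INNER_RECORD_OVERFLOW;

	return passed; /* 6 when every case behaves */
}
```

The padding loop counts an unsigned length down and stops at zero, which is the shape that avoids the -1 described in 1.51: a signed length decremented inside the scan goes negative on an all-zero plaintext. Built with `cc -Wall`, `inner_plaintext_selftest()` returns 6 when every case behaves as described above.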


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@
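
The sequence number handling from 1.30 and 1.29, as an added example in C that is not this file's code: the 8-byte big-endian counter is checked for "would this wrap?" before any byte is modified, and only then incremented with carry, so the increment loop cannot run off the front of the array and a counter at its maximum is never touched. The names and the 1/0 return convention are assumptions made here, not libssl's API.

```c
/*
 * Added example, not libssl code: increment a TLSv1.3 record sequence
 * number without ever letting it wrap (RFC 8446 section 5.3).  Names and
 * the 1/0 return convention are assumptions made here.
 *
 * The sequence number is a 64-bit big-endian counter kept as 8 bytes so it
 * can be XORed straight into the per-record AEAD nonce.  Wrapping it would
 * repeat a nonce under the same traffic key, so "would this wrap?" is
 * decided before any byte is modified; a counter at its maximum is left
 * alone and the caller must rekey (KeyUpdate) or close the connection.
 */
#include <stddef.h>
#include <stdint.h>

#define SEQ_NUM_LEN 8

/* Returns 1 on success; 0 if incrementing would wrap (seq_num unchanged). */
int
seq_num_increment(uint8_t seq_num[SEQ_NUM_LEN])
{
	size_t i;

	/* Check up front: if every byte is 0xff the next value would wrap. */
	for (i = 0; i < SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			break;
	}
	if (i == SEQ_NUM_LEN)
		return 0;

	/*
	 * Increment from the least significant byte, carrying while a byte
	 * rolls over to zero.  Some byte is not 0xff, so the loop always
	 * stops before running off the front of the array.
	 */
	for (i = SEQ_NUM_LEN; i > 0; i--) {
		if (++seq_num[i - 1] != 0)
			break;
	}
	return 1;
}

/*
 * Host-integer wrapper for the checks below: stores the value after
 * incrementing `start` in *next.  Returns 0 (with *next == start) when the
 * counter is at its maximum and must not move.
 */
int
seq_num_next(uint64_t start, uint64_t *next)
{
	uint8_t seq_num[SEQ_NUM_LEN];
	uint64_t v = start;
	size_t i;
	int ok;

	for (i = SEQ_NUM_LEN; i > 0; i--) {
		seq_num[i - 1] = (uint8_t)(v & 0xff);
		v >>= 8;
	}
	ok = seq_num_increment(seq_num);
	for (v = 0, i = 0; i < SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];
	*next = v;
	return ok;
}

/* Runs the boundary cases; returns how many behaved as expected. */
int
seq_num_selftest(void)
{
	uint64_t next;
	int passed = 0;

	passed += seq_num_next(0, &next) == 1 && next == 1;
	/* Carry across one byte boundary. */
	passed += seq_num_next(0xff, &next) == 1 && next == 0x100;
	/* Carry through all but the most significant byte. */
	passed += seq_num_next(0x00ffffffffffffffULL, &next) == 1 &&
	    next == 0x0100000000000000ULL;
	/* One below the maximum still increments. */
	passed += seq_num_next(UINT64_MAX - 1, &next) == 1 && next == UINT64_MAX;
	/* At the maximum: refuse, and leave the counter unchanged. */
	passed += seq_num_next(UINT64_MAX, &next) == 0 && next == UINT64_MAX;

	return passed; /* 5 when every case behaves */
}
```

The refusal matters because the counter feeds the per-record AEAD nonce: a wrapped counter would repeat a nonce under the same traffic key. A caller that gets 0 back has to rekey or close rather than send another record; `seq_num_selftest()` returns 5 when every boundary case behaves.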


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back to TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing
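
The record version rules from 1.40 and 1.20 and the length check from 1.41, as an added example in C that is not this file's code: the sending side chooses legacy_record_version as 1.20 describes, and the receiving side validates the five-byte record header as 1.40 describes (any SSL3/TLS version until the legacy version is pinned to TLSv1.2, exactly 0x0303 afterwards) and rejects lengths above 2^14 + 256 as a record overflow. Names and result codes are this example's own assumptions, as is reading "SSL3/TLS" in 1.40 as "major version byte 3"; TLS1_VERSION and TLS1_2_VERSION are defined locally with their usual values rather than taken from libssl's headers.

```c
/*
 * Added example, not libssl code: the legacy_record_version rules from 1.20
 * (sending) and 1.40 (receiving) plus the length check from 1.41 (RFC 8446
 * section 5.1).  Names and result codes are assumptions made here, as is
 * reading "SSL3/TLS" in 1.40 as "major version byte 3".
 */
#include <stddef.h>
#include <stdint.h>

#define TLS1_VERSION       0x0301
#define TLS1_2_VERSION     0x0303
#define MAX_CIPHERTEXT_LEN (16384 + 256)

enum header_result {
	HDR_OK = 0,
	HDR_NEED_MORE,          /* fewer than 5 header bytes available  */
	HDR_UNEXPECTED_MESSAGE, /* unknown content type                 */
	HDR_PROTOCOL_VERSION,   /* legacy_record_version not acceptable */
	HDR_RECORD_OVERFLOW,    /* length > 2^14 + 256                  */
};

/*
 * Sender (1.20): records carry TLS1_2_VERSION, except that the record with
 * the initial ClientHello may carry TLS1_VERSION when this side's minimum
 * accepted version is below TLSv1.2.
 */
uint16_t
record_version_for_send(int is_client_hello, uint16_t min_version)
{
	if (is_client_hello && min_version < TLS1_2_VERSION)
		return TLS1_VERSION;
	return TLS1_2_VERSION;
}

/*
 * Receiver (1.40/1.41): validate a 5-byte header (type, version, length).
 * legacy_version is what the record layer believes it is speaking; it stays
 * below TLS1_2_VERSION until the peer's hello has pinned it to TLSv1.2.
 */
enum header_result
record_header_check(const uint8_t *hdr, size_t hdr_len,
    uint16_t legacy_version, uint8_t *content_type, uint16_t *length)
{
	uint16_t version;

	if (hdr_len < 5)
		return HDR_NEED_MORE;

	*content_type = hdr[0];
	version = (uint16_t)((hdr[1] << 8) | hdr[2]);
	*length = (uint16_t)((hdr[3] << 8) | hdr[4]);

	/* 20 = change_cipher_spec, 21 = alert, 22 = handshake, 23 = app data. */
	if (*content_type < 20 || *content_type > 23)
		return HDR_UNEXPECTED_MESSAGE;

	if (legacy_version < TLS1_2_VERSION) {
		/* Not yet pinned: any SSLv3/TLS version (major byte 3) will do. */
		if ((version >> 8) != 0x03)
			return HDR_PROTOCOL_VERSION;
	} else if (version != TLS1_2_VERSION) {
		return HDR_PROTOCOL_VERSION;
	}

	if (*length > MAX_CIPHERTEXT_LEN)
		return HDR_RECORD_OVERFLOW;

	return HDR_OK;
}

/* Result code only, for the checks below. */
static enum header_result
header_classify(const uint8_t *hdr, uint16_t legacy_version)
{
	uint8_t ct;
	uint16_t len;
	return record_header_check(hdr, 5, legacy_version, &ct, &len);
}

/* Runs the cases on constructed headers; returns how many behaved. */
int
record_header_selftest(void)
{
	/* Constructed headers: type, version (2 bytes), length (2 bytes). */
	static const uint8_t hs_tls10[] = { 0x16, 0x03, 0x01, 0x00, 0x40 };
	static const uint8_t app_tls12[] = { 0x17, 0x03, 0x03, 0x00, 0x40 };
	static const uint8_t app_ssl2[] = { 0x17, 0x02, 0x00, 0x00, 0x40 };
	static const uint8_t app_big[] = { 0x17, 0x03, 0x03, 0x41, 0x01 };
	int passed = 0;

	/* Before the version is pinned, a 0x0301 record version is fine. */
	passed += header_classify(hs_tls10, TLS1_VERSION) == HDR_OK;
	/* Once pinned to TLSv1.2, only 0x0303 is accepted. */
	passed += header_classify(hs_tls10, TLS1_2_VERSION) == HDR_PROTOCOL_VERSION;
	passed += header_classify(app_tls12, TLS1_2_VERSION) == HDR_OK;
	/* A non-SSL3/TLS major byte is never acceptable. */
	passed += header_classify(app_ssl2, TLS1_VERSION) == HDR_PROTOCOL_VERSION;
	/* 0x4101 = 2^14 + 257 exceeds the ciphertext limit. */
	passed += header_classify(app_big, TLS1_2_VERSION) == HDR_RECORD_OVERFLOW;
	/* Sender: ClientHello may use 0x0301 only when TLSv1.0 is allowed. */
	passed += record_version_for_send(1, TLS1_VERSION) == TLS1_VERSION &&
	    record_version_for_send(1, TLS1_2_VERSION) == TLS1_2_VERSION &&
	    record_version_for_send(0, TLS1_VERSION) == TLS1_2_VERSION;

	return passed; /* 6 when every case behaves */
}
```

The receive-side check is the one a fuzzer exercises: the length bound turns an oversized record into a record_overflow alert before any buffer is sized from it, and the version check tightens from "any SSL3/TLS" to "exactly TLSv1.2" at the moment the handshake pins the version. `record_header_selftest()` returns 6 when every case behaves.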


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.58 05-Jan-2021 tb

Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()

ok jsing


# 1.57 04-Jan-2021 tb

Keep the various free calls of tls13_record_layer_free() in the
order of the struct members for reviewability.

ok jsing


# 1.56 02-Jan-2021 tb

Free {alert,phh}_data in tls13_record_layer_free()

httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.

The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands TLS connections with a static site.

ok inoguchi jsing


# 1.55 15-Oct-2020 tb

zap annoying stray spaces


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_recod_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@
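
The header checks that revisions 1.40 and 1.41 describe, written out as an added C example; this is not LibreSSL's code. The record version rule follows the commit message (major byte 0x03 while the legacy version is below TLSv1.2, exactly 0x0303 once TLSv1.2 is set), the 2^14 and 2^14 + 256 limits come from RFC 8446 sections 5.1 and 5.2, and the function name, the alert chosen for a bad version and the sample headers are assumptions.

```c
/* Added example (not LibreSSL code): header checks before a record body is read. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSL3_VERSION_MAJOR		0x03
#define TLS1_VERSION			0x0301
#define TLS1_2_VERSION			0x0303

#define TLS13_RECORD_HEADER_LEN		5
#define TLS13_RECORD_MAX_PLAINTEXT_LEN	16384		/* 2^14, RFC 8446 section 5.1 */
#define TLS13_RECORD_MAX_CIPHERTEXT_LEN	(16384 + 256)	/* 2^14 + 256, RFC 8446 section 5.2 */

#define TLS13_CT_CHANGE_CIPHER_SPEC	20
#define TLS13_CT_ALERT			21
#define TLS13_CT_HANDSHAKE		22
#define TLS13_CT_APPLICATION_DATA	23

/* Alert descriptions from RFC 8446 section 6; the macro names are assumptions. */
#define TLS13_ALERT_UNEXPECTED_MESSAGE	10
#define TLS13_ALERT_RECORD_OVERFLOW	22
#define TLS13_ALERT_PROTOCOL_VERSION	70

struct tls13_record_header {
	uint8_t		content_type;
	uint16_t	version;
	uint16_t	len;
};

/*
 * Returns 0 and fills in *hdr when the header is acceptable, -1 when fewer
 * than five bytes are available, otherwise the alert to enqueue:
 *  - legacy_version below TLS1.2 (before ServerHello): only the SSL3/TLS
 *    major byte 0x03 is required of the record version;
 *  - legacy_version == TLS1.2 (TLSv1.3 negotiated): it must be 0x0303;
 *  - the length is capped at 2^14 for unprotected records and 2^14 + 256
 *    for protected ones; anything larger is a record_overflow.
 */
static int
tls13_record_header_check(const uint8_t *buf, size_t buflen,
    uint16_t legacy_version, int is_protected, struct tls13_record_header *hdr)
{
	size_t max_len;

	if (buflen < TLS13_RECORD_HEADER_LEN)
		return -1;

	hdr->content_type = buf[0];
	hdr->version = (uint16_t)((buf[1] << 8) | buf[2]);
	hdr->len = (uint16_t)((buf[3] << 8) | buf[4]);

	switch (hdr->content_type) {
	case TLS13_CT_CHANGE_CIPHER_SPEC:
	case TLS13_CT_ALERT:
	case TLS13_CT_HANDSHAKE:
	case TLS13_CT_APPLICATION_DATA:
		break;
	default:
		return TLS13_ALERT_UNEXPECTED_MESSAGE;
	}

	if (legacy_version == TLS1_2_VERSION) {
		if (hdr->version != TLS1_2_VERSION)
			return TLS13_ALERT_PROTOCOL_VERSION;
	} else if ((hdr->version >> 8) != SSL3_VERSION_MAJOR) {
		return TLS13_ALERT_PROTOCOL_VERSION;
	}

	max_len = is_protected ? TLS13_RECORD_MAX_CIPHERTEXT_LEN :
	    TLS13_RECORD_MAX_PLAINTEXT_LEN;
	if (hdr->len > max_len)
		return TLS13_ALERT_RECORD_OVERFLOW;

	return 0;
}

/* Constructed sample headers, not captured traffic. */
static const uint8_t sample_app[] = { 0x17, 0x03, 0x03, 0x00, 0x10 };	/* app data, 16 bytes */
static const uint8_t sample_hs[] = { 0x16, 0x03, 0x01, 0x01, 0x00 };	/* handshake, version 0x0301 */
static const uint8_t sample_big[] = { 0x17, 0x03, 0x03, 0x41, 0x01 };	/* 16641 bytes: one too many */

int
main(void)
{
	struct tls13_record_header hdr;
	int rc;

	rc = tls13_record_header_check(sample_app, sizeof(sample_app), TLS1_2_VERSION, 1, &hdr);
	printf("protected app data: rc=%d len=%u\n", rc, hdr.len);
	rc = tls13_record_header_check(sample_hs, sizeof(sample_hs), TLS1_VERSION, 0, &hdr);
	printf("0x0301 record before ServerHello: rc=%d\n", rc);
	rc = tls13_record_header_check(sample_hs, sizeof(sample_hs), TLS1_2_VERSION, 0, &hdr);
	printf("0x0301 record after TLSv1.3 negotiated: alert %d\n", rc);
	rc = tls13_record_header_check(sample_big, sizeof(sample_big), TLS1_2_VERSION, 1, &hdr);
	printf("oversized protected record: alert %d\n", rc);
	return 0;
}
```

The check runs on the five header bytes alone, before the body is read, so an oversized length is rejected without buffering a record that could never be valid.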


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing
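
Revisions 1.52, 1.51, 1.48, 1.47, 1.46 and 1.34 all touch one step: recovering the content type from a decrypted TLSInnerPlaintext and rejecting a record that has no content type, an overlong body, or an empty handshake or alert fragment. The C function below is an added example of that step and is not LibreSSL's code; the result codes, the struct, the sample buffers and the 2^14 / 2^14 + 1 limits (drawn from RFC 8446 section 5.2) are assumptions.

```c
/* Added example (not LibreSSL code): TLSInnerPlaintext handling; result codes are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS13_RECORD_MAX_PLAINTEXT_LEN		16384			/* 2^14 */
#define TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN	(TLS13_RECORD_MAX_PLAINTEXT_LEN + 1)

#define TLS13_CT_ALERT			21
#define TLS13_CT_HANDSHAKE		22
#define TLS13_CT_APPLICATION_DATA	23

#define INNER_OK			1	/* content ready for the caller */
#define INNER_WANT_POLLIN		0	/* nothing to deliver, read the next record */
#define INNER_ALERT_UNEXPECTED_MESSAGE	-10	/* negated alert descriptions (RFC 8446 section 6) */
#define INNER_ALERT_RECORD_OVERFLOW	-22

struct tls13_inner_plaintext {
	uint8_t		content_type;
	const uint8_t	*content;
	size_t		content_len;
};

/*
 * Decrypted record body, RFC 8446 section 5.2:
 *   struct { opaque content[...]; ContentType type; uint8 zeros[...]; }
 * Strip the zero padding, recover the type and apply the limits.
 */
static int
tls13_inner_plaintext_parse(const uint8_t *buf, size_t len,
    struct tls13_inner_plaintext *out)
{
	size_t i;

	/* Overlong inner plaintext: record_overflow (revs 1.46, 1.48). */
	if (len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN)
		return INNER_ALERT_RECORD_OVERFLOW;

	/*
	 * Walk back over the padding. i counts the bytes that remain, so it
	 * cannot go negative: an all-zero or empty buffer ends with i == 0
	 * rather than a content length of -1 (rev 1.51) and is rejected
	 * because it carries no content type (rev 1.52).
	 */
	for (i = len; i > 0 && buf[i - 1] == 0; i--)
		;
	if (i == 0)
		return INNER_ALERT_UNEXPECTED_MESSAGE;

	if (out != NULL) {
		out->content_type = buf[i - 1];
		out->content = buf;
		out->content_len = i - 1;
	}

	switch (buf[i - 1]) {
	case TLS13_CT_HANDSHAKE:
	case TLS13_CT_ALERT:
		/* Empty handshake and alert fragments are forbidden (rev 1.34). */
		return i - 1 == 0 ? INNER_ALERT_UNEXPECTED_MESSAGE : INNER_OK;
	case TLS13_CT_APPLICATION_DATA:
		/* A valid empty record must not look like EOF to the caller (rev 1.47). */
		return i - 1 == 0 ? INNER_WANT_POLLIN : INNER_OK;
	default:
		/* change_cipher_spec and unknown types never travel inside a protected record. */
		return INNER_ALERT_UNEXPECTED_MESSAGE;
	}
}

/* Constructed sample inner plaintexts, not captured traffic. */
static const uint8_t sample_app[] = { 'h', 'e', 'l', 'l', 'o', 0x17, 0, 0, 0 };
static const uint8_t sample_empty_app[] = { 0x17 };
static const uint8_t sample_empty_hs[] = { 0x16, 0, 0 };
static const uint8_t sample_all_zero[] = { 0, 0, 0, 0 };

int
main(void)
{
	struct tls13_inner_plaintext ip;
	int rc;

	rc = tls13_inner_plaintext_parse(sample_app, sizeof(sample_app), &ip);
	printf("padded app data: rc=%d type=0x%02x content_len=%zu\n", rc, ip.content_type, ip.content_len);
	rc = tls13_inner_plaintext_parse(sample_empty_app, sizeof(sample_empty_app), NULL);
	printf("empty app data: rc=%d (want pollin, not EOF)\n", rc);
	rc = tls13_inner_plaintext_parse(sample_empty_hs, sizeof(sample_empty_hs), NULL);
	printf("empty handshake: rc=%d (unexpected_message)\n", rc);
	rc = tls13_inner_plaintext_parse(sample_all_zero, sizeof(sample_all_zero), NULL);
	printf("all zero: rc=%d (no content type)\n", rc);
	return 0;
}
```

Because the inner plaintext is bounded to 2^14 + 1 bytes before the padding scan, the content that remains after the type byte is at most 2^14 bytes, so no separate plaintext-length check is needed on this path.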


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz
when HRR is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@
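
The check that revisions 1.30 and 1.29 describe, as an added C example rather than LibreSSL's code: the sequence number is an 8 byte big-endian counter, the all-0xff case is detected before any byte is touched, and the counter feeds the per-record nonce of RFC 8446 section 5.3. The function names, the 12 byte IV and the sample values are assumptions.

```c
/* Added example (not LibreSSL code): sequence number and nonce; names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS13_RECORD_SEQ_NUM_LEN	8

/*
 * Increment a big-endian 64-bit sequence number in place. Returns 1 on
 * success, or 0 with the value untouched if it would wrap: RFC 8446
 * section 5.3 requires rekeying or closing instead, so the caller must
 * treat 0 as fatal (revs 1.29, 1.30).
 */
static int
tls13_record_layer_inc_seq_num(uint8_t *seq_num)
{
	int i;

	/* Check up front: all 0xff means the next value would be zero. */
	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			break;
	}
	if (i == TLS13_RECORD_SEQ_NUM_LEN)
		return 0;

	/* Carry from the least significant byte upwards; stop once a byte does not roll over. */
	for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq_num[i] != 0)
			break;
	}
	return 1;
}

/*
 * Per-record nonce (RFC 8446 section 5.3): the sequence number, left-padded
 * with zeros to the IV length, XORed with the static IV. The counter
 * restarts at zero whenever a new traffic key is installed (handshake keys,
 * application keys, KeyUpdate), which is why read and write keys are set
 * separately.
 */
static int
tls13_record_nonce(const uint8_t *iv, size_t iv_len, const uint8_t *seq_num,
    uint8_t *nonce)
{
	size_t i;

	if (iv_len < TLS13_RECORD_SEQ_NUM_LEN)
		return 0;
	memcpy(nonce, iv, iv_len);
	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		nonce[iv_len - TLS13_RECORD_SEQ_NUM_LEN + i] ^= seq_num[i];
	return 1;
}

static uint64_t
seq_num_to_u64(const uint8_t *seq_num)
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];
	return v;
}

int
main(void)
{
	/* Constructed values: a 12 byte IV (AES-GCM / ChaCha20-Poly1305 size) and a counter. */
	uint8_t iv[12] = { 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab };
	uint8_t seq[TLS13_RECORD_SEQ_NUM_LEN] = { 0, 0, 0, 0, 0, 0, 0x01, 0xff };
	uint8_t nonce[12];

	if (tls13_record_layer_inc_seq_num(seq))
		printf("0x01ff + 1 = %llu\n", (unsigned long long)seq_num_to_u64(seq));
	tls13_record_nonce(iv, sizeof(iv), seq, nonce);
	printf("nonce[10] = 0x%02x (0xaa ^ 0x02), nonce[11] = 0x%02x (0xab ^ 0x00)\n", nonce[10], nonce[11]);

	memset(seq, 0xff, sizeof(seq));
	printf("increment at 2^64 - 1 refused: %d\n", tls13_record_layer_inc_seq_num(seq));
	return 0;
}
```

Checking for the wrap before incrementing leaves the counter unchanged on failure, so a caller that ignores the return value still never reuses a nonce under the same key; it simply keeps failing.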


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing
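
The ChangeCipherSpec policy from revisions 1.33 and 1.21, as an added C example that is not LibreSSL's code: a dummy CCS is ignored only inside the window this message describes, at most two are tolerated, and the body must be the single byte 0x01 with nothing trailing (RFC 8446 section 5). The struct, the hook names and the sample body are assumptions.

```c
/* Added example (not LibreSSL code): dummy ChangeCipherSpec policy; names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS13_ALERT_UNEXPECTED_MESSAGE	10	/* RFC 8446 section 6 */
#define TLS13_CCS_MAX_ALLOWED		2	/* rev 1.33: Fizz sends one after HRR and one after SH */

#define CCS_IGNORED	0	/* dropped; the caller reads the next record */
#define CCS_ALERT	-1	/* rl->alert holds the alert to send */

struct tls13_record_layer {
	int	ccs_allowed;	/* rev 1.21: set after ClientHello, cleared at Finished */
	int	ccs_seen;
	uint8_t	alert;
};

/* Handshake hook: ClientHello has been sent (client) or received (server). */
static void
tls13_record_layer_allow_ccs(struct tls13_record_layer *rl)
{
	rl->ccs_allowed = 1;
	rl->ccs_seen = 0;
}

/* Handshake hook: the peer's Finished has been received. */
static void
tls13_record_layer_disallow_ccs(struct tls13_record_layer *rl)
{
	rl->ccs_allowed = 0;
}

/*
 * Called for a record of content type change_cipher_spec (20). In TLSv1.3
 * it carries no meaning and is dropped, but only inside the window above,
 * at most TLS13_CCS_MAX_ALLOWED times, and only as the single byte 0x01
 * with nothing trailing; anything else is an unexpected_message.
 */
static int
tls13_record_layer_recv_ccs(struct tls13_record_layer *rl, const uint8_t *body, size_t len)
{
	if (!rl->ccs_allowed || rl->ccs_seen >= TLS13_CCS_MAX_ALLOWED ||
	    len != 1 || body[0] != 0x01) {
		rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return CCS_ALERT;
	}
	rl->ccs_seen++;
	return CCS_IGNORED;
}

int
main(void)
{
	struct tls13_record_layer rl = { 0, 0, 0 };
	const uint8_t ccs[] = { 0x01 };	/* constructed dummy CCS body */
	int rc;

	rc = tls13_record_layer_recv_ccs(&rl, ccs, sizeof(ccs));
	printf("CCS before ClientHello: %d\n", rc);
	tls13_record_layer_allow_ccs(&rl);
	rc = tls13_record_layer_recv_ccs(&rl, ccs, sizeof(ccs));
	printf("CCS after HelloRetryRequest: %d\n", rc);
	rc = tls13_record_layer_recv_ccs(&rl, ccs, sizeof(ccs));
	printf("CCS after ServerHello: %d\n", rc);
	rc = tls13_record_layer_recv_ccs(&rl, ccs, sizeof(ccs));
	printf("third CCS: %d\n", rc);
	tls13_record_layer_disallow_ccs(&rl);
	rc = tls13_record_layer_recv_ccs(&rl, ccs, sizeof(ccs));
	printf("CCS after Finished: %d\n", rc);
	return 0;
}
```

Keeping the counter and the window flag in the record layer, rather than in the handshake code, means the check happens before any state machine sees the record and cannot be skipped by an unusual message order.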


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back to TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer.

ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@
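
Alert handling following revisions 1.23, 1.9, 1.8 and this one, as an added C example that is not LibreSSL's code: the level byte is ignored, close_notify yields EOF and closes the read side, user_canceled yields WANT_POLLIN, every other description is an error alert that closes both sides, and EOF while sending an alert is reported as failure rather than EOF. The TLS13_IO_* values, the struct layout, the callback shape and the constructed transport are assumptions.

```c
/* Added example, not LibreSSL code: TLS13_IO_* values, struct and names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define TLS13_IO_SUCCESS		 1
#define TLS13_IO_EOF			 0
#define TLS13_IO_FAILURE		-1
#define TLS13_IO_ALERT			-2
#define TLS13_IO_WANT_POLLIN		-3

#define TLS13_ALERT_LEVEL_WARNING	1
#define TLS13_ALERT_LEVEL_FATAL		2
#define TLS13_ALERT_CLOSE_NOTIFY	0	/* descriptions from RFC 8446 section 6 */
#define TLS13_ALERT_UNEXPECTED_MESSAGE	10
#define TLS13_ALERT_DECODE_ERROR	50
#define TLS13_ALERT_USER_CANCELED	90

/* Bottom of the stack: the wire write callback. */
typedef ssize_t (*tls13_wire_write_cb)(const uint8_t *buf, size_t n, void *arg);

struct tls13_record_layer {
	int			read_closed;
	int			write_closed;
	uint8_t			alert;		/* alert we must send */
	uint8_t			peer_alert;	/* error alert we received */
	tls13_wire_write_cb	wire_write;
	void			*cb_arg;
};

/*
 * Received alert body. The level byte is ignored (rev 1.9) and success is
 * never returned, since there is no record data to hand back (rev 1.8).
 */
static ssize_t
tls13_record_layer_recv_alert(struct tls13_record_layer *rl, const uint8_t *body, size_t len)
{
	if (len != 2) {
		rl->alert = TLS13_ALERT_DECODE_ERROR;
		return TLS13_IO_ALERT;
	}
	switch (body[1]) {
	case TLS13_ALERT_CLOSE_NOTIFY:		/* closure: peer sends no more data */
		rl->read_closed = 1;
		return TLS13_IO_EOF;
	case TLS13_ALERT_USER_CANCELED:		/* closure: a close_notify should follow */
		return TLS13_IO_WANT_POLLIN;
	default:				/* error alert: both directions are done */
		rl->peer_alert = body[1];
		rl->read_closed = rl->write_closed = 1;
		return TLS13_IO_ALERT;
	}
}

/*
 * Send an alert. close_notify closes only our write side, anything else
 * closes both. EOF from the wire becomes FAILURE, not EOF (rev 1.23).
 */
static ssize_t
tls13_record_layer_send_alert(struct tls13_record_layer *rl, uint8_t desc)
{
	uint8_t body[2] = { TLS13_ALERT_LEVEL_FATAL, desc };
	ssize_t ret;

	if (rl->write_closed)
		return TLS13_IO_FAILURE;
	if (desc == TLS13_ALERT_CLOSE_NOTIFY)
		body[0] = TLS13_ALERT_LEVEL_WARNING;
	/* The real record layer seals the body into a record first. */
	if ((ret = rl->wire_write(body, sizeof(body), rl->cb_arg)) == TLS13_IO_EOF)
		return TLS13_IO_FAILURE;
	if (ret < 0)
		return ret;			/* e.g. the transport wants POLLOUT */
	rl->write_closed = 1;
	if (desc == TLS13_ALERT_CLOSE_NOTIFY)
		return TLS13_IO_SUCCESS;
	rl->read_closed = 1;
	return TLS13_IO_ALERT;
}

/* Constructed transport: captures the two alert bytes, or acts like a closed socket. */
struct wire { int closed; uint8_t buf[2]; size_t n; };

static ssize_t
wire_write(const uint8_t *buf, size_t n, void *arg)
{
	struct wire *w = arg;

	if (w->closed)
		return TLS13_IO_EOF;
	w->n = n < sizeof(w->buf) ? n : sizeof(w->buf);
	memcpy(w->buf, buf, w->n);
	return (ssize_t)w->n;
}
```

A caller wires it up by pointing `wire_write` at a real transport and calling `tls13_record_layer_send_alert(rl, TLS13_ALERT_CLOSE_NOTIFY)` from its shutdown path; `read_closed` and `write_closed` are what the read and write entry points consult before touching the transport again.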


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.57 04-Jan-2021 tb

Keep the various free calls of tls13_record_layer_free() in the
order of the struct members for reviewability.

ok jsing


# 1.56 02-Jan-2021 tb

Free {alert,phh}_data in tls13_record_layer_free()

httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.

The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands of TLS connections with a static site.

ok inoguchi jsing


# 1.55 15-Oct-2020 tb

zap annoying stray spaces


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_recod_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.56 02-Jan-2021 tb

Free {alert,phh}_data in tls13_record_layer_free()

httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.

The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands TLS connections with a static site.

ok inoguchi jsing


# 1.55 15-Oct-2020 tb

zap annoying stray spaces


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_recod_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@
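
As an added illustration of the sequence number handling described in r1.30 and r1.29 (a reconstruction, not libssl's own code): the increment-then-detect shape beside the check-up-front one, on an 8-byte big-endian record sequence number. The buffer layout and function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEQ_NUM_LEN 8	/* 64-bit big-endian record sequence number */

/*
 * The pre-r1.30 shape the log describes (hypothetical reconstruction,
 * not libssl's code): increment first, notice afterwards that every
 * byte carried, and report an error. By then the buffer has already
 * wrapped to zero, so a caller that ignores the error would reuse
 * per-record nonces derived from the sequence number.
 */
int
seq_num_increment_then_check(uint8_t seq[SEQ_NUM_LEN])
{
	int i;

	for (i = SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq[i] != 0)
			return 1;
	}
	return 0;	/* wrapped: seq is now all zero */
}

/*
 * The r1.30 approach (again a reconstruction): decide up front whether
 * incrementing would wrap and only touch the buffer when it cannot.
 * Returns 1 on success, 0 if the sequence number is exhausted, in which
 * case seq is unchanged and the caller must fail the connection.
 */
int
seq_num_increment(uint8_t seq[SEQ_NUM_LEN])
{
	int i;

	for (i = 0; i < SEQ_NUM_LEN; i++) {
		if (seq[i] != 0xff)
			break;
	}
	if (i == SEQ_NUM_LEN)
		return 0;

	/* The carry is now guaranteed to stop inside the buffer. */
	for (i = SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq[i] != 0)
			break;
	}
	return 1;
}

int
main(void)
{
	uint8_t seq[SEQ_NUM_LEN];

	memset(seq, 0xff, sizeof(seq));	/* constructed exhausted counter */
	if (!seq_num_increment(seq))
		printf("refused to wrap; high byte still 0x%02x\n", seq[0]);

	memset(seq, 0xff, sizeof(seq));
	if (!seq_num_increment_then_check(seq))
		printf("old shape reports an error but high byte is 0x%02x\n",
		    seq[0]);
	return 0;
}
```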


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
Tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.55 15-Oct-2020 tb

zap annoying stray spaces


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing
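
As an added example tying together r1.52, r1.51 and r1.34 above (not code from libssl): a hypothetical TLSInnerPlaintext unwrapping helper, run on constructed inputs, that strips zero padding without letting the length underflow, rejects a plaintext with no content type, and rejects empty handshake and alert records while still allowing an empty application data record. The names and struct layout are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record content types and the alert number used below (RFC 8446). */
#define CT_ALERT                 21
#define CT_HANDSHAKE             22
#define CT_APPLICATION_DATA      23
#define ALERT_UNEXPECTED_MESSAGE 10

/* Result of unwrapping a TLSInnerPlaintext: content, its length, the
 * content type, and the alert to send if the record was rejected. */
struct inner_plaintext {
	const uint8_t *content;
	size_t content_len;
	uint8_t content_type;
	int alert;	/* 0 when the record was accepted */
};

/*
 * Hypothetical helper, not libssl's own code: given the decrypted
 * plaintext of a protected record, locate the non-zero content type that
 * follows the content and precedes any zero padding (RFC 8446 5.4).
 * Returns 1 on success, 0 with out->alert set when the record is invalid.
 */
int
inner_plaintext_parse(const uint8_t *plaintext, size_t plaintext_len,
    struct inner_plaintext *out)
{
	size_t len = plaintext_len;

	memset(out, 0, sizeof(*out));

	/*
	 * Strip trailing zero padding. The loop tests the length before
	 * decrementing, so an empty or all-zero plaintext stops at zero
	 * instead of running the length down to (size_t)-1 (r1.51).
	 */
	while (len > 0 && plaintext[len - 1] == 0)
		len--;

	/* No content type byte was found: unexpected_message (r1.52). */
	if (len == 0) {
		out->alert = ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}

	out->content_type = plaintext[len - 1];
	out->content = plaintext;
	out->content_len = len - 1;

	/* Handshake and alert records must not be empty (r1.34). An empty
	 * application data record is valid and left to the caller (r1.47). */
	if ((out->content_type == CT_HANDSHAKE ||
	    out->content_type == CT_ALERT) && out->content_len == 0) {
		out->alert = ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}

	return 1;
}

int
main(void)
{
	/* Constructed sample plaintexts, not captured traffic. */
	const uint8_t padded[] = { 0x16, 0x03, CT_APPLICATION_DATA, 0, 0, 0 };
	const uint8_t all_zero[] = { 0, 0, 0, 0 };
	const uint8_t empty_hs[] = { CT_HANDSHAKE };
	struct inner_plaintext ip;

	if (inner_plaintext_parse(padded, sizeof(padded), &ip))
		printf("type %u, %zu content bytes\n", ip.content_type,
		    ip.content_len);
	if (!inner_plaintext_parse(all_zero, sizeof(all_zero), &ip))
		printf("all-zero plaintext rejected with alert %d\n", ip.alert);
	if (!inner_plaintext_parse(empty_hs, sizeof(empty_hs), &ip))
		printf("empty handshake record rejected with alert %d\n",
		    ip.alert);
	return 0;
}
```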


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_record_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.54 03-Oct-2020 jsing

Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()

This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.

Requested by tb@


Revision tags: OPENBSD_6_8_BASE
# 1.53 11-Sep-2020 jsing

Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_recod_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@
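
The closure-alert versus error-alert distinction in 1.5, the return values from 1.8 (close_notify signals EOF, user_canceled asks the caller to poll again, and a plain "success" return must never be used for an alert because the caller would then expect record data) and the level-is-meaningless point from 1.9 can be illustrated in a few lines of C. The block below is example code added for this page; it is not LibreSSL's tls13_record_layer.c, and the EX_IO_* return codes, the ex_record_layer struct and the function names are assumptions made for the example. The alert description numbers are the RFC 8446 section 6 values.

```c
/*
 * Example code added for this page; it is not part of LibreSSL's
 * tls13_record_layer.c. The EX_IO_* codes, the struct and the function
 * names are assumptions made for the example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return codes for the read path (assumed names, modelled on the log). */
#define EX_IO_FAILURE     (-1)
#define EX_IO_EOF           0   /* close_notify received: read channel closed */
#define EX_IO_WANT_POLLIN (-2)  /* nothing to hand up yet; caller retries later */
#define EX_IO_ALERT       (-3)  /* error alert received: connection is finished */

/* Alert descriptions, values from RFC 8446 section 6. */
#define ALERT_CLOSE_NOTIFY        0
#define ALERT_UNEXPECTED_MESSAGE 10
#define ALERT_USER_CANCELED      90

struct ex_record_layer {
	int read_closed;       /* set once close_notify has been received */
	int fatal_alert_desc;  /* -1 until an error alert is seen */
};

/*
 * Handle the two-byte body of an alert record. In TLSv1.3 the level byte
 * carries no information: close_notify and user_canceled are closure
 * alerts, every other description (including unknown ones) is an error
 * alert and is treated as fatal whatever level the peer wrote.
 */
int
ex_record_layer_recv_alert(struct ex_record_layer *rl,
    const uint8_t *payload, size_t len)
{
	uint8_t desc;

	/* Once the read channel is closed nothing further is delivered. */
	if (rl->read_closed)
		return EX_IO_EOF;

	/* An alert body is exactly two bytes: level, description. */
	if (len != 2) {
		rl->fatal_alert_desc = ALERT_UNEXPECTED_MESSAGE;
		return EX_IO_ALERT;
	}
	desc = payload[1];	/* payload[0] is the level; deliberately ignored */

	switch (desc) {
	case ALERT_CLOSE_NOTIFY:
		rl->read_closed = 1;
		return EX_IO_EOF;
	case ALERT_USER_CANCELED:
		/* Closure alert that the peer should follow with close_notify. */
		return EX_IO_WANT_POLLIN;
	default:
		rl->fatal_alert_desc = desc;
		return EX_IO_ALERT;
	}
}

/* One-shot helpers over fresh state, used by main() and for checking. */
int
ex_alert_result(uint8_t level, uint8_t desc)
{
	struct ex_record_layer rl = { 0, -1 };
	uint8_t payload[2] = { level, desc };

	return ex_record_layer_recv_alert(&rl, payload, sizeof(payload));
}

int
ex_alert_after_close_notify(uint8_t level, uint8_t desc)
{
	struct ex_record_layer rl = { 0, -1 };
	uint8_t close_notify[2] = { 1, ALERT_CLOSE_NOTIFY };
	uint8_t payload[2] = { level, desc };

	(void)ex_record_layer_recv_alert(&rl, close_notify, sizeof(close_notify));
	return ex_record_layer_recv_alert(&rl, payload, sizeof(payload));
}

int
ex_truncated_alert_result(void)
{
	struct ex_record_layer rl = { 0, -1 };
	uint8_t payload[1] = { 1 };	/* constructed: body missing the description */

	return ex_record_layer_recv_alert(&rl, payload, sizeof(payload));
}

int
main(void)
{
	/* Constructed alert bodies: (level, description). */
	printf("warning close_notify   -> %d\n", ex_alert_result(1, 0));
	printf("warning user_canceled  -> %d\n", ex_alert_result(1, 90));
	printf("warning unexpected_msg -> %d\n", ex_alert_result(1, 10));
	printf("fatal unknown(200)     -> %d\n", ex_alert_result(2, 200));
	printf("truncated alert body   -> %d\n", ex_truncated_alert_result());
	return 0;
}
```

Note that a "warning" unexpected_message (level 1, description 10) still ends the connection: the example never returns a success code for an alert, so a caller that loops on EX_IO_WANT_POLLIN or stops on EX_IO_EOF can never mistake an alert for application data.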


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.53 11-Sep-2020 jsing

Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_recod_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.52 11-Aug-2020 jsing

Send an unexpected message alert if no valid content type is found.

When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.

ok tb@


# 1.51 10-Aug-2020 tb

Avoid passing -1 to freezero.

If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.

ok inoguchi jsing


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_recod_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.50 04-Aug-2020 inoguchi

Cleanup aead_ctx

ok jsing@ tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_recod_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz
when HRR is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that the sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@

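As an added illustration (not LibreSSL's code) of the no-wrap rule that 1.30 and 1.29 above describe, the following C keeps a big-endian 64-bit record sequence number that refuses to increment past 2^64 - 1 and derives the per-record AEAD nonce as RFC 8446 section 5.3 specifies; the function and macro names are assumptions made for this example.

```c
/*
 * Added example, not LibreSSL code: a TLSv1.3 record sequence number that
 * refuses to wrap, plus the per-record nonce derivation of RFC 8446 5.3.
 * Function and macro names are assumptions made for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS13_SEQ_NUM_LEN	8	/* RFC 8446 5.3: 64-bit sequence number */
#define TLS13_MAX_IV_LEN	16

/*
 * Increment the big-endian 64-bit sequence number in place.
 *
 * Returns 1 on success. Returns 0, leaving seq untouched, if the increment
 * would wrap: the sequence number must never wrap, so the caller has to
 * rekey (KeyUpdate) or terminate the connection instead of sending or
 * accepting another record under the current keys.
 */
static int
tls13_seq_num_increment(uint8_t seq[TLS13_SEQ_NUM_LEN])
{
	int i;

	/* Check up front whether the value is already 2^64 - 1. */
	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++) {
		if (seq[i] != 0xff)
			break;
	}
	if (i == TLS13_SEQ_NUM_LEN)
		return 0;

	/* Propagate the carry from the least significant byte upwards. */
	for (i = TLS13_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq[i] != 0)
			break;
	}

	return 1;
}

/*
 * Build the per-record nonce: the sequence number is left-padded with
 * zeros to iv_len bytes and XORed with the static read or write IV.
 * Returns 0 if iv_len does not fit this construction, 1 otherwise.
 */
static int
tls13_record_nonce(const uint8_t seq[TLS13_SEQ_NUM_LEN],
    const uint8_t *iv, size_t iv_len, uint8_t *nonce)
{
	size_t i, pad;

	if (iv_len < TLS13_SEQ_NUM_LEN || iv_len > TLS13_MAX_IV_LEN)
		return 0;

	pad = iv_len - TLS13_SEQ_NUM_LEN;
	memset(nonce, 0, pad);
	memcpy(nonce + pad, seq, TLS13_SEQ_NUM_LEN);
	for (i = 0; i < iv_len; i++)
		nonce[i] ^= iv[i];

	return 1;
}
```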

# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back to TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
Tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.49 01-Jun-2020 tb

Split the handling of post handshake handshake messages into its
own recv function. This simplifies tls13_record_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.

ok jsing


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@

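As an added example (not LibreSSL's code) for the length and inner plaintext checks described in 1.48, 1.47, 1.46 and 1.34 above, the following C validates a record's length and parses a decrypted TLSInnerPlaintext, mapping each failure to the RFC 8446 alert the record layer should send and accepting an empty application data record as valid; the function names, the struct and the TLS13_* macros are assumptions made here, not libssl's own.

```c
/*
 * Added example, not LibreSSL code: record length limits and
 * TLSInnerPlaintext parsing for the TLSv1.3 read path. Names of the
 * functions, struct and macros are assumptions made for this example.
 */
#include <stddef.h>
#include <stdint.h>

/* RFC 8446 5.1 and 5.2 length limits. */
#define TLS13_RECORD_MAX_PLAINTEXT_LEN		(1 << 14)
#define TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN	(TLS13_RECORD_MAX_PLAINTEXT_LEN + 1)
#define TLS13_RECORD_MAX_CIPHERTEXT_LEN		(TLS13_RECORD_MAX_PLAINTEXT_LEN + 256)

/* Wire values of the content types and alert descriptions used below. */
#define TLS13_CONTENT_ALERT			21
#define TLS13_CONTENT_HANDSHAKE			22
#define TLS13_CONTENT_APPLICATION_DATA		23

#define TLS13_ALERT_UNEXPECTED_MESSAGE		10
#define TLS13_ALERT_RECORD_OVERFLOW		22

struct tls13_inner_plaintext {
	uint8_t content_type;
	const uint8_t *content;
	size_t content_len;
};

/*
 * Check the length of a record fragment as read off the wire. Unprotected
 * records (TLSPlaintext) may carry at most 2^14 bytes, protected records
 * (TLSCiphertext) at most 2^14 + 256. Anything larger is a record_overflow.
 */
static int
tls13_record_length_check(int encrypted, size_t len, uint8_t *alert)
{
	size_t max_len = encrypted ? TLS13_RECORD_MAX_CIPHERTEXT_LEN :
	    TLS13_RECORD_MAX_PLAINTEXT_LEN;

	if (len > max_len) {
		*alert = TLS13_ALERT_RECORD_OVERFLOW;
		return 0;
	}
	return 1;
}

/*
 * Parse a decrypted TLSInnerPlaintext: content || content_type || zeros.
 * Returns 1 on success with ip filled in. Returns 0 on failure with *alert
 * set to the alert description the record layer should send.
 */
static int
tls13_inner_plaintext_parse(const uint8_t *buf, size_t len,
    struct tls13_inner_plaintext *ip, uint8_t *alert)
{
	size_t i;

	/* The decrypted record may not exceed 2^14 + 1 bytes (RFC 8446 5.2). */
	if (len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) {
		*alert = TLS13_ALERT_RECORD_OVERFLOW;
		return 0;
	}

	/* Strip the zero padding; the last non-zero byte is the content type. */
	i = len;
	while (i > 0 && buf[i - 1] == 0)
		i--;

	/* RFC 8446 5.4: no non-zero octet at all is an unexpected_message. */
	if (i == 0) {
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}

	ip->content_type = buf[i - 1];
	ip->content = buf;
	ip->content_len = i - 1;

	switch (ip->content_type) {
	case TLS13_CONTENT_ALERT:
	case TLS13_CONTENT_HANDSHAKE:
		/* RFC 8446 5.4: handshake and alert content must not be empty. */
		if (ip->content_len == 0) {
			*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
			return 0;
		}
		break;
	case TLS13_CONTENT_APPLICATION_DATA:
		/*
		 * Zero-length application data is valid. The caller must not
		 * report it as 0 bytes (EOF) but ask for the next record.
		 */
		break;
	default:
		/* RFC 8446 5.1: an unexpected record type is fatal. */
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}

	return 1;
}
```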

# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.48 01-Jun-2020 tb

Add a mechanism to set an alert in those parts of the read half of
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.

Fixes most of the remaining record-layer-limits failures of tlsfuzzer.

ok jsing


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.47 29-May-2020 jsing

Handle the case where we receive a valid 0 byte application data record.

In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again,
at which point we'll pull up the next record.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.46 26-May-2020 jsing

Add additional length checks for TLSv1.3 plaintext and inner plaintext.

Reminded by and ok beck@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.45 23-May-2020 jsing

Provide the option to retry or return after post-handshake messages.

In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.

ok beck@ inoguchi@ tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer.

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.44 20-May-2020 beck

Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and
SSL_connect in blocking mode.

While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When the legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@
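As an added illustration of the two checks described in the r1.41 and r1.40 messages (this is example code, not libssl's own; the function names, the HDR_* result codes and the macro names are this example's, with the values taken from RFC 8446), the following parses a 5-byte TLS record header, applies the legacy-version rule and rejects records whose length exceeds 2^14 + 256 before any further reading:

```c
#include <stddef.h>
#include <stdint.h>

/* Values from RFC 8446; the macro names are this example's own. */
#define TLS_RECORD_HEADER_LEN        5
#define TLS13_RECORD_MAX_CIPHERTEXT  (16384 + 256)   /* RFC 8446 5.2 */
#define TLS_MAJOR_VERSION            0x03
#define TLS1_2_VERSION               0x0303

#define TLS_CT_CHANGE_CIPHER_SPEC    20
#define TLS_CT_ALERT                 21
#define TLS_CT_HANDSHAKE             22
#define TLS_CT_APPLICATION_DATA      23

enum hdr_result {
	HDR_OK = 0,
	HDR_SHORT = -1,        /* fewer than 5 bytes: read more, no alert */
	HDR_BAD_TYPE = -2,     /* unknown content type */
	HDR_BAD_VERSION = -3,  /* legacy_record_version not acceptable */
	HDR_OVERFLOW = -4      /* length above 2^14 + 256: record_overflow */
};

struct record_header {
	uint8_t content_type;
	uint16_t version;
	uint16_t length;
};

/*
 * Parse a TLS record header. legacy_version is the version negotiated so
 * far: TLS1_2_VERSION once TLSv1.3 has been selected, lower while only a
 * ClientHello has gone out. As in r1.40, a record received while the legacy
 * version is below TLSv1.2 only needs a 0x03xx (SSL3/TLS) version, whereas
 * at TLSv1.2 the record version must be exactly 0x0303. As in r1.41, an
 * oversize length is reported as an overflow instead of being read.
 */
enum hdr_result
parse_record_header(const uint8_t *buf, size_t len, uint16_t legacy_version,
    struct record_header *out)
{
	if (len < TLS_RECORD_HEADER_LEN)
		return HDR_SHORT;

	out->content_type = buf[0];
	out->version = (uint16_t)(buf[1] << 8 | buf[2]);
	out->length = (uint16_t)(buf[3] << 8 | buf[4]);

	switch (out->content_type) {
	case TLS_CT_CHANGE_CIPHER_SPEC:
	case TLS_CT_ALERT:
	case TLS_CT_HANDSHAKE:
	case TLS_CT_APPLICATION_DATA:
		break;
	default:
		return HDR_BAD_TYPE;
	}

	if (legacy_version < TLS1_2_VERSION) {
		if ((out->version >> 8) != TLS_MAJOR_VERSION)
			return HDR_BAD_VERSION;
	} else if (out->version != TLS1_2_VERSION) {
		return HDR_BAD_VERSION;
	}

	if (out->length > TLS13_RECORD_MAX_CIPHERTEXT)
		return HDR_OVERFLOW;

	return HDR_OK;
}

/* Convenience wrapper: build a header from its fields and check it. */
enum hdr_result
check_record_header(uint8_t content_type, uint16_t version, uint16_t length,
    uint16_t legacy_version)
{
	uint8_t buf[TLS_RECORD_HEADER_LEN];
	struct record_header hdr;

	buf[0] = content_type;
	buf[1] = version >> 8;
	buf[2] = version & 0xff;
	buf[3] = length >> 8;
	buf[4] = length & 0xff;

	return parse_record_header(buf, sizeof(buf), legacy_version, &hdr);
}
```

The length check runs before the record body is fetched, so a peer cannot make the reader allocate or wait for more than 2^14 + 256 bytes of ciphertext; which alert a caller sends for each failure is left to the caller, as the record layer callbacks in r1.39 do.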


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing
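The r1.34 check, as an added example that is not libssl's code (function and macro names are this example's own; the content type values and the unexpected_message alert value come from RFC 8446): strip the zero padding from a decrypted TLSInnerPlaintext, recover the content type, and reject a handshake or alert record whose content is empty while still allowing empty application data:

```c
#include <stddef.h>
#include <stdint.h>

/* Content types and the alert used on failure (RFC 8446); names are this
 * example's own. */
#define TLS_CT_ALERT                    21
#define TLS_CT_HANDSHAKE                22
#define TLS_CT_APPLICATION_DATA         23
#define TLS13_ALERT_UNEXPECTED_MESSAGE  10

/*
 * Strip the padding from a decrypted TLSInnerPlaintext (RFC 8446 5.4):
 * trailing zero bytes are padding, the last non-zero byte is the content
 * type, and everything before it is the content. Returns the content type
 * on success; on failure returns -1 and stores the alert to send in *alert.
 *
 * As in r1.34, a handshake or alert record whose content is empty is
 * rejected with unexpected_message; empty application data is fine.
 */
int
inner_plaintext_open(const uint8_t *buf, size_t len, const uint8_t **content,
    size_t *content_len, uint8_t *alert)
{
	size_t end = len;
	uint8_t type;

	*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;

	/* Skip the zero padding from the end. */
	while (end > 0 && buf[end - 1] == 0)
		end--;

	/* Nothing but padding: there is no content type byte at all. */
	if (end == 0)
		return -1;

	type = buf[--end];

	/*
	 * Only these three may appear inside a protected record; a protected
	 * change_cipher_spec is an error (RFC 8446 section 5).
	 */
	if (type != TLS_CT_ALERT && type != TLS_CT_HANDSHAKE &&
	    type != TLS_CT_APPLICATION_DATA)
		return -1;

	/* r1.34: empty inner plaintext for handshake or alert is an error. */
	if (end == 0 && type != TLS_CT_APPLICATION_DATA)
		return -1;

	*content = buf;
	*content_len = end;
	return type;
}

/* Wrappers returning a single value, convenient for quick checks. */
int
inner_plaintext_type(const uint8_t *buf, size_t len)
{
	const uint8_t *content;
	size_t content_len;
	uint8_t alert;

	return inner_plaintext_open(buf, len, &content, &content_len, &alert);
}

long
inner_plaintext_length(const uint8_t *buf, size_t len)
{
	const uint8_t *content;
	size_t content_len;
	uint8_t alert;

	if (inner_plaintext_open(buf, len, &content, &content_len, &alert) < 0)
		return -1;
	return (long)content_len;
}
```

The empty-content case matters because a zero-length handshake or alert body would otherwise be handed to the next layer, which then has nothing to parse; failing it here with a defined alert is what the fuzzer run in the message above exercised.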


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that the sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing
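The "check up front, then increment" structure described in the r1.30 message, as an added example (not libssl's code; the function names and SEQ_NUM_LEN are this example's own) for a 64-bit big-endian record sequence number kept as eight bytes:

```c
#include <stddef.h>
#include <stdint.h>

#define SEQ_NUM_LEN 8   /* TLSv1.3 sequence numbers are 64-bit (RFC 8446 5.3) */

/*
 * Increment the big-endian 64-bit record sequence number in place. RFC 8446
 * section 5.3 requires that the sequence number never wrap, so, as in r1.30,
 * we first test whether an increment would wrap and, if so, leave the
 * counter untouched and return 0 (the caller must then fail the connection
 * rather than reuse a nonce). Returns 1 after a successful increment.
 */
int
seq_num_increment(uint8_t seq[SEQ_NUM_LEN])
{
	size_t i;

	/* A wrap happens only when every byte is already 0xff. */
	for (i = 0; i < SEQ_NUM_LEN; i++) {
		if (seq[i] != 0xff)
			break;
	}
	if (i == SEQ_NUM_LEN)
		return 0;

	/* Add one, propagating the carry from the least significant byte. */
	for (i = SEQ_NUM_LEN; i > 0; i--) {
		if (++seq[i - 1] != 0)
			break;
	}
	return 1;
}

/* Helpers for building and inspecting sequence numbers. */
void
seq_num_from_u64(uint8_t seq[SEQ_NUM_LEN], uint64_t value)
{
	size_t i;

	for (i = 0; i < SEQ_NUM_LEN; i++)
		seq[i] = (uint8_t)(value >> (8 * (SEQ_NUM_LEN - 1 - i)));
}

uint64_t
seq_num_to_u64(const uint8_t seq[SEQ_NUM_LEN])
{
	uint64_t value = 0;
	size_t i;

	for (i = 0; i < SEQ_NUM_LEN; i++)
		value = value << 8 | seq[i];
	return value;
}
```

Because the wrap test happens before any byte is modified, a failed increment leaves the counter at its maximum value instead of silently returning to zero, so no AEAD nonce is ever reused under the same traffic key.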


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.43 16-May-2020 jsing

Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.

After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.

This reverts part of r1.25.

Issue noticed by inoguchi@

ok beck@ tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.42 13-May-2020 jsing

Remove a no longer relevant XXX comment.


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.41 11-May-2020 jsing

Propagate record overflows to the record layer and alert.

ok beck@ tb@


# 1.40 11-May-2020 jsing

Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.

ok beck@ tb@


# 1.39 11-May-2020 jsing

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@


# 1.38 11-May-2020 jsing

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@


# 1.37 10-May-2020 jsing

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 1.36 09-May-2020 jsing

Send dummy ChangeCipherSpec messages from the TLSv1.3 client.

When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).

ok tb@


# 1.35 09-May-2020 jsing

Correct return value check to handle TLS13_IO_EOF case.


# 1.34 07-May-2020 tb

On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.

Found with tlsfuzzer

hint/ok jsing
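Two of the receive-side checks described in this log, the record version check of revision 1.40 and the empty-inner-plaintext rejection of revision 1.34, as an added example that is not libssl code. The record version rule is implemented as "major version 3 is enough while the legacy version is still below TLSv1.2; exactly TLS1_2_VERSION once it has been set to that", and the TLSInnerPlaintext parser follows RFC 8446 section 5.4: strip the zero padding, take the last non-zero octet as the content type, and answer with unexpected_message when no type is present or when a handshake or alert record carries no content. The function names, the constants and the SAMPLE_* inner plaintexts are constructed for this example; libssl's own tls13_* functions are not used.

```c
/* Added example (not libssl code): two checks a TLSv1.3 record layer makes
 * on an incoming record, written from RFC 8446. Names and constants are this
 * example's own assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_2_VERSION		0x0303
#define SSL3_VERSION_MAJOR	0x03

#define CT_ALERT		21
#define CT_HANDSHAKE		22
#define CT_APPLICATION_DATA	23

/* Alert descriptions, RFC 8446 section 6. */
#define ALERT_UNEXPECTED_MESSAGE	10
#define ALERT_PROTOCOL_VERSION		70

/*
 * Record header version check (cf. revision 1.40): before the legacy version
 * has been fixed at TLSv1.2 any SSL3/TLS major version is tolerated; once it
 * is TLS1_2_VERSION the record version must be exactly that.
 * Returns 1 if acceptable, 0 if the record should be rejected.
 */
int
record_version_ok(uint16_t legacy_version, uint16_t record_version)
{
	if (legacy_version == TLS1_2_VERSION)
		return record_version == TLS1_2_VERSION;
	return (record_version >> 8) == SSL3_VERSION_MAJOR;
}

/*
 * Parse a decrypted TLSInnerPlaintext (RFC 8446 section 5.4):
 *   content || content_type || zero padding
 * Returns the content type and sets *content/*content_len on success, or the
 * negated alert description the connection must be terminated with.
 */
int
inner_plaintext_parse(const uint8_t *pt, size_t pt_len,
    const uint8_t **content, size_t *content_len)
{
	size_t n = pt_len;
	uint8_t type;

	/* Strip the zero padding; the last non-zero octet is the type. */
	while (n > 0 && pt[n - 1] == 0)
		n--;
	if (n == 0)
		return -ALERT_UNEXPECTED_MESSAGE;	/* no content type at all */

	type = pt[n - 1];
	*content = pt;
	*content_len = n - 1;

	/* Handshake and alert records must carry content (cf. revision 1.34);
	 * application data may legitimately be empty. */
	if ((type == CT_HANDSHAKE || type == CT_ALERT) && *content_len == 0)
		return -ALERT_UNEXPECTED_MESSAGE;

	return type;
}

/* Wrapper returning only the content type (or negated alert). */
int
inner_plaintext_type(const uint8_t *pt, size_t pt_len)
{
	const uint8_t *content;
	size_t content_len;

	return inner_plaintext_parse(pt, pt_len, &content, &content_len);
}

/* Wrapper returning the content length, or 0 when the record is rejected. */
size_t
inner_plaintext_content_len(const uint8_t *pt, size_t pt_len)
{
	const uint8_t *content;
	size_t content_len;

	if (inner_plaintext_parse(pt, pt_len, &content, &content_len) < 0)
		return 0;
	return content_len;
}

/* Constructed sample inner plaintexts (not captured traffic). */
const uint8_t SAMPLE_EMPTY_HANDSHAKE[] = { CT_HANDSHAKE, 0x00, 0x00 };
const uint8_t SAMPLE_EMPTY_ALERT[] = { CT_ALERT };
const uint8_t SAMPLE_ALL_ZERO[] = { 0x00, 0x00, 0x00 };
/* KeyUpdate(update_not_requested): type 24, length 1, body 0, then CT and padding. */
const uint8_t SAMPLE_KEYUPDATE[] = { 0x18, 0x00, 0x00, 0x01, 0x00, CT_HANDSHAKE, 0x00 };
const uint8_t SAMPLE_EMPTY_APPDATA[] = { CT_APPLICATION_DATA, 0x00 };

int
main(void)
{
	printf("record version 0x0301 with legacy 0x0303: %d\n",
	    record_version_ok(TLS1_2_VERSION, 0x0301));
	printf("empty handshake record -> %d (negated alert)\n",
	    inner_plaintext_type(SAMPLE_EMPTY_HANDSHAKE, sizeof(SAMPLE_EMPTY_HANDSHAKE)));
	printf("KeyUpdate record -> type %d, %zu content bytes\n",
	    inner_plaintext_type(SAMPLE_KEYUPDATE, sizeof(SAMPLE_KEYUPDATE)),
	    inner_plaintext_content_len(SAMPLE_KEYUPDATE, sizeof(SAMPLE_KEYUPDATE)));
	return 0;
}
```

The padding strip and the type extraction happen on decrypted bytes only, so these checks run after AEAD verification; an all-zero plaintext, which a fuzzer such as tlsfuzzer will readily produce, is rejected with the same alert as an empty handshake or alert record.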


Revision tags: OPENBSD_6_7_BASE
# 1.33 03-May-2020 jsing

Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that the sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing
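The up-front wrap check described in revision 1.30, as an added example that is not libssl code: an 8-byte big-endian sequence number is refused rather than incremented when every byte is already 0xff, so the caller can rekey or terminate before reuse, and the same counter is shown feeding the per-record AEAD nonce of RFC 8446 section 5.3. The function names (seq_num_increment, seq_num_nonce, the u64 helpers) and the 8-byte counter and 12-byte IV lengths are this example's own assumptions.

```c
/* Added example (not libssl code): TLSv1.3 record sequence number handling
 * per RFC 8446 section 5.3. Names and lengths are this example's assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEQ_NUM_LEN	8
#define IV_LEN		12	/* nonce length of the TLSv1.3 AEAD suites */

/*
 * Increment the big-endian sequence number. Returns 1 on success and 0,
 * leaving seq untouched, if the increment would wrap; the caller must then
 * rekey (KeyUpdate) or close the connection instead of protecting a record.
 */
int
seq_num_increment(uint8_t seq[SEQ_NUM_LEN])
{
	int i;

	/* Check up front: wrapping can only happen if every byte is 0xff. */
	for (i = 0; i < SEQ_NUM_LEN; i++) {
		if (seq[i] != 0xff)
			break;
	}
	if (i == SEQ_NUM_LEN)
		return 0;

	/* Ripple the carry up from the least significant byte; the loop
	 * stops before running off the front because some byte is not 0xff. */
	for (i = SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq[i] != 0)
			break;
	}
	return 1;
}

/* Per-record nonce: the sequence number, left-padded with zeros to the IV
 * length, XORed with the static write IV. */
void
seq_num_nonce(const uint8_t seq[SEQ_NUM_LEN], const uint8_t iv[IV_LEN],
    uint8_t nonce[IV_LEN])
{
	int i;

	memcpy(nonce, iv, IV_LEN);
	for (i = 0; i < SEQ_NUM_LEN; i++)
		nonce[IV_LEN - SEQ_NUM_LEN + i] ^= seq[i];
}

static void
seq_num_from_u64(uint8_t seq[SEQ_NUM_LEN], uint64_t v)
{
	int i;

	for (i = SEQ_NUM_LEN - 1; i >= 0; i--) {
		seq[i] = v & 0xff;
		v >>= 8;
	}
}

static uint64_t
seq_num_to_u64(const uint8_t seq[SEQ_NUM_LEN])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < SEQ_NUM_LEN; i++)
		v = (v << 8) | seq[i];
	return v;
}

/* Returns v + 1, or v unchanged when the increment would wrap. */
uint64_t
seq_num_next_u64(uint64_t v)
{
	uint8_t seq[SEQ_NUM_LEN];

	seq_num_from_u64(seq, v);
	(void)seq_num_increment(seq);
	return seq_num_to_u64(seq);
}

/* Returns 1 if incrementing v would wrap, 0 otherwise. */
int
seq_num_would_wrap_u64(uint64_t v)
{
	uint8_t seq[SEQ_NUM_LEN];

	seq_num_from_u64(seq, v);
	return seq_num_increment(seq) == 0;
}

/* Constructed check: sequence number 1 under an all-zero IV must give the
 * nonce 00..01. Returns 1 if it does. */
int
seq_num_nonce_selftest(void)
{
	uint8_t seq[SEQ_NUM_LEN], iv[IV_LEN] = { 0 }, nonce[IV_LEN];
	int i;

	seq_num_from_u64(seq, 1);
	seq_num_nonce(seq, iv, nonce);
	for (i = 0; i < IV_LEN - 1; i++)
		if (nonce[i] != 0)
			return 0;
	return nonce[IV_LEN - 1] == 1;
}

int
main(void)
{
	printf("0xff + 1 = 0x%llx\n", (unsigned long long)seq_num_next_u64(0xff));
	printf("UINT64_MAX would wrap: %d\n", seq_num_would_wrap_u64(UINT64_MAX));
	return 0;
}
```

Because the all-0xff test runs before any byte is touched, a refused increment leaves the counter exactly where it was, which is what lets the caller report the condition cleanly instead of having already wrapped to zero, the behaviour the log entry above describes fixing.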


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.33 03-May-2020 jsing

Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.

In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.

However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.

Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.

Issue discovered by inoguchi@ and investigated by tb@.

ok deraadt@ tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.32 02-May-2020 inoguchi

Add const to TLS1.3 internal vectors

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.31 29-Apr-2020 inoguchi

tls13_record_layer internal functions to static in libssl

We might remove static again for further regress around record layer
in the future.

ok jsing@ tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.30 16-Mar-2020 tb

The RFC is clear (section 5.3) that sequence number should never wrap.
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.

ok jsing


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the TLS 1.3 record layer and handshake layer.

ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
Tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@
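
The capping described in 1.7 is easiest to see next to the TLSInnerPlaintext framing that the written bytes end up in (RFC 8446 sections 5.2 and 5.4). The block below is an added example written for this page, not LibreSSL code: content is capped at 2^14 bytes and the consumed count is returned as a short write; the content type byte and optional zero padding are appended; the receiving side strips the padding to recover the real type and rejects a body with no type byte (unexpected_message) or over-long content (record_overflow). The 16-byte AEAD tag used to derive the inner plaintext limit, the return values and all names are assumptions.

```c
/*
 * Added example, not LibreSSL code: oversize-write capping plus
 * TLSInnerPlaintext build/parse. Limits and names are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define TLS13_RECORD_MAX_PLAINTEXT_LEN  16384  /* 2^14 bytes of content per record */
#define TLS13_AEAD_TAG_LEN              16     /* assumed: the mandatory TLSv1.3 AEADs use 16-byte tags */
/* Ciphertext may be at most 2^14 + 256 bytes; the inner plaintext is that minus the tag. */
#define TLS13_RECORD_MAX_INNER_LEN      (TLS13_RECORD_MAX_PLAINTEXT_LEN + 256 - TLS13_AEAD_TAG_LEN)

#define CT_ALERT             21
#define CT_HANDSHAKE         22
#define CT_APPLICATION_DATA  23

/*
 * Build TLSInnerPlaintext = content || type || zeros[padding] into out.
 * Content beyond one record's worth is not an error: it is simply not
 * consumed, and the short count is returned so the caller can retry with
 * the remainder. Returns -1 if the result would not fit.
 */
static ssize_t
inner_plaintext_build(uint8_t type, const uint8_t *content, size_t content_len,
    size_t padding, uint8_t *out, size_t out_size, size_t *out_len)
{
	size_t n = content_len;

	if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)
		n = TLS13_RECORD_MAX_PLAINTEXT_LEN;	/* short write */
	if (n + 1 + padding > TLS13_RECORD_MAX_INNER_LEN)
		return -1;
	if (n + 1 + padding > out_size)
		return -1;
	memcpy(out, content, n);
	out[n] = type;
	memset(out + n + 1, 0, padding);
	*out_len = n + 1 + padding;
	return (ssize_t)n;
}

/*
 * Unwrap a decrypted inner plaintext: scan backwards over the zero padding
 * to find the real content type. Returns 0 on success, -1 if there is no
 * non-zero type byte at all (unexpected_message), -2 if the content is
 * longer than a record may carry (record_overflow).
 */
static int
inner_plaintext_parse(const uint8_t *in, size_t in_len, uint8_t *type, size_t *content_len)
{
	size_t i = in_len;

	while (i > 0 && in[i - 1] == 0)
		i--;
	if (i == 0)
		return -1;
	if (i - 1 > TLS13_RECORD_MAX_PLAINTEXT_LEN)
		return -2;
	*type = in[i - 1];
	*content_len = i - 1;
	return 0;
}
```

A 20000-byte SSL_write() therefore produces one 16384-byte record and a return value of 16384; with SSL_MODE_ENABLE_PARTIAL_WRITE the application sees that short count directly, otherwise the layer above loops until the remaining 3616 bytes have gone out too.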


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@
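
1.9, 1.8 and 1.5 above describe one design: alerts are split into closure alerts and error alerts, the level byte carries no information in TLSv1.3 (RFC 8446 section 6), a close_notify closes only the read channel and is reported as EOF, a user_canceled leaves the caller waiting for the close_notify that should follow, and any other alert is an error that kills both channels. The C below is an added example for this page and not LibreSSL's implementation; the return codes borrow the names used in these messages but their values, the struct and the functions are assumptions.

```c
/*
 * Added example, not LibreSSL code: closure versus error alerts and the
 * read/write channel state they affect. Values and names are assumptions.
 */
#include <stddef.h>
#include <stdint.h>

#define TLS13_IO_SUCCESS       0
#define TLS13_IO_EOF          (-1)
#define TLS13_IO_FAILURE      (-2)
#define TLS13_IO_ALERT        (-3)
#define TLS13_IO_WANT_POLLIN  (-4)

#define TLS13_ALERT_CLOSE_NOTIFY    0
#define TLS13_ALERT_DECODE_ERROR   50
#define TLS13_ALERT_USER_CANCELED  90

struct alert_state {
	int read_closed;   /* no further records will be accepted */
	int write_closed;  /* no further records will be sent */
	int fatal_alert;   /* description of the fatal alert sent or received, or -1 */
};

static void
alert_state_init(struct alert_state *as)
{
	as->read_closed = 0;
	as->write_closed = 0;
	as->fatal_alert = -1;
}

/* Sending side: close_notify closes only our write channel, anything else is fatal. */
static int
alert_send(struct alert_state *as, uint8_t desc)
{
	if (as->write_closed)
		return TLS13_IO_FAILURE;
	as->write_closed = 1;
	if (desc == TLS13_ALERT_CLOSE_NOTIFY)
		return TLS13_IO_SUCCESS;
	as->fatal_alert = desc;
	as->read_closed = 1;
	return TLS13_IO_ALERT;
}

/*
 * Receiving side. The record content must be exactly
 * struct { AlertLevel level; AlertDescription description; }; the level
 * byte is checked only for size and is otherwise ignored.
 */
static int
alert_received(struct alert_state *as, const uint8_t *content, size_t len)
{
	uint8_t desc;

	if (as->read_closed)
		return TLS13_IO_FAILURE;
	if (len != 2)
		return alert_send(as, TLS13_ALERT_DECODE_ERROR);
	desc = content[1];

	switch (desc) {
	case TLS13_ALERT_CLOSE_NOTIFY:
		/* Closure alert: the read channel is done, report EOF rather than data. */
		as->read_closed = 1;
		return TLS13_IO_EOF;
	case TLS13_ALERT_USER_CANCELED:
		/* Closure alert that should be followed by close_notify: keep reading. */
		return TLS13_IO_WANT_POLLIN;
	default:
		/* Error alert: both channels are dead. */
		as->fatal_alert = desc;
		as->read_closed = 1;
		as->write_closed = 1;
		return TLS13_IO_ALERT;
	}
}
```

The reason 1.8 insists on EOF and WANT_POLLIN rather than success is visible here: a record read that returns success is expected to have produced content, and an alert record produces none.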


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.29 13-Mar-2020 jsing

Correct TLSv1.3 sequence number increment and wrapping check.

Fix proposed by tb@
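
For readers who want to see what 1.29 is about: the TLSv1.3 per-record sequence number is a 64-bit counter kept as 8 big-endian bytes, reset to zero whenever the traffic key changes, incremented after every record and never allowed to wrap (RFC 8446 section 5.3). The nonce for the AEAD is that counter left-padded to the IV length and XORed with the static IV. The C below is an added example written for this page, not LibreSSL's code, and does not reproduce the exact fix; the helper names are assumptions.

```c
/*
 * Added example, not LibreSSL code: big-endian sequence number increment
 * with a wrap check, and the per-record nonce derived from it.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS13_SEQ_NUM_LEN 8

/* Big-endian bytes to integer, for logging and tests. */
static uint64_t
seq_num_to_u64(const uint8_t seq[TLS13_SEQ_NUM_LEN])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq[i];
	return v;
}

/*
 * Increment the sequence number in place. Returns 1 on success, 0 if the
 * counter is already 2^64 - 1 and would wrap; it is then left unchanged and
 * the caller must stop protecting records until a KeyUpdate installs a new
 * key (which resets the counter) or close the connection.
 */
static int
seq_num_increment(uint8_t seq[TLS13_SEQ_NUM_LEN])
{
	int i;

	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		if (seq[i] != 0xff)
			break;
	if (i == TLS13_SEQ_NUM_LEN)
		return 0;

	/* Carry from the least significant byte upwards, stopping at the first non-zero. */
	for (i = TLS13_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq[i] != 0)
			break;
	}
	return 1;
}

/*
 * Per-record AEAD nonce: the sequence number left-padded with zeros to the
 * IV length, XORed with the static write IV. Returns 0, or -1 if the IV is
 * shorter than the sequence number.
 */
static int
record_nonce(const uint8_t seq[TLS13_SEQ_NUM_LEN], const uint8_t *iv,
    size_t iv_len, uint8_t *nonce)
{
	size_t i, pad;

	if (iv_len < TLS13_SEQ_NUM_LEN)
		return -1;
	pad = iv_len - TLS13_SEQ_NUM_LEN;
	memcpy(nonce, iv, iv_len);
	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		nonce[pad + i] ^= seq[i];
	return 0;
}
```

The wrap check matters for security, not only correctness: a counter that silently rolls over to zero would reuse every nonce under the same key, which breaks the confidentiality and integrity guarantees of AES-GCM and ChaCha20-Poly1305.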


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.28 18-Feb-2020 tb

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.27 26-Jan-2020 beck

Fix basement bug where record layer would not correctly deal with
traffic retries when not yet encrypting.

ok jsing@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.26 25-Jan-2020 jsing

It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3
client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.25 24-Jan-2020 beck

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the TLS 1.3 record layer and handshake layer.

ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
Tested against OpenSSL 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for received and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@
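
The short-write contract from the 1.7 entry, with the SSL_MODE_ENABLE_PARTIAL_WRITE and non-partial behaviours layered above it, as an added example in C that is not LibreSSL's code. The demo_/DEMO_ names are assumptions, and the record layer is reduced to accounting because only the length handling is being illustrated; the 2^14 plaintext limit is the RFC 8446 value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not LibreSSL code: demo_/DEMO_ names are made up here. */
#define DEMO_MAX_PLAINTEXT	16384	/* 2^14, RFC 8446 5.1 */

/* Stand-in for the record layer's wire side: sealing is reduced to
 * accounting, since the point is the length handling, not the AEAD. */
struct demo_rl {
	size_t records_written;	/* records handed to the wire callback */
	size_t bytes_on_wire;	/* plaintext bytes those records carry */
};

/* Record-layer write: at most one record per call. A request larger than a
 * plaintext record is capped at the limit and the short count returned;
 * the caller, not the record layer, decides what to do about the rest. */
ssize_t
demo_rl_write_application_data(struct demo_rl *rl, const uint8_t *buf,
    size_t len)
{
	(void)buf;			/* would be sealed into the record */
	if (len > DEMO_MAX_PLAINTEXT)
		len = DEMO_MAX_PLAINTEXT;
	rl->records_written++;
	rl->bytes_on_wire += len;
	return (ssize_t)len;
}

/* The higher layer gives the short write its SSL_write() meaning. With
 * partial writes enabled the caller is told how much was accepted and must
 * resubmit the remainder itself; otherwise keep producing records until
 * the whole buffer is out, so the caller only ever sees len or an error. */
ssize_t
demo_ssl_write(struct demo_rl *rl, const uint8_t *buf, size_t len,
    int partial_write)
{
	size_t done = 0;
	ssize_t n;

	while (done < len) {
		n = demo_rl_write_application_data(rl, buf + done, len - done);
		if (n <= 0)
			return n;	/* error or retry condition, untouched */
		done += (size_t)n;
		if (partial_write)
			break;
	}
	return (ssize_t)done;
}
```

In the non-partial mode a real SSL_write() also has to cope with the record layer returning a retry condition part-way through and with being called again later for the same buffer; the loop above simply hands such a return value back to its caller.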


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@
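
Alert handling as described in the 1.9, 1.8, 1.5 and 1.4 entries above: a two-byte alert record whose level is ignored, close_notify signalling EOF on the read channel only, user_canceled turning into WANT_POLLIN, every other description treated as a fatal error alert that closes both channels, a distinct return value for a fatal alert sent or received, and a void callback that is handed just the description. This is an added example in C, not LibreSSL's code; the demo_/DEMO_ names and the return-code values are assumptions, the alert numbers are those of RFC 8446 section 6.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not LibreSSL code: demo_/DEMO_ names are made up here; the
 * alert numbers are the RFC 8446 section 6 values. */
#define DEMO_ALERT_LEVEL_WARNING	1
#define DEMO_ALERT_LEVEL_FATAL		2
#define DEMO_ALERT_CLOSE_NOTIFY		0
#define DEMO_ALERT_DECODE_ERROR		50
#define DEMO_ALERT_USER_CANCELED	90

/* Return codes in the spirit of the TLS13_IO_* values the log refers to. */
#define DEMO_IO_SUCCESS		1
#define DEMO_IO_EOF		0
#define DEMO_IO_FAILURE		(-1)
#define DEMO_IO_WANT_POLLIN	(-2)
#define DEMO_IO_ALERT		(-4)	/* a fatal alert was sent or received */

struct demo_rl {
	int read_closed;	/* peer closed its write direction */
	int write_closed;	/* we closed ours */
	int fatal;		/* an error alert ended the connection */
	int last_alert_desc;	/* what the callback was told */
	int callback_calls;
};

/* The alert callback gets only the description: the level is meaningless
 * in TLSv1.3 and the record layer has already validated the record. It
 * returns void because the handler cannot change the fact that the alert
 * arrived. */
static void
demo_alert_cb(uint8_t desc, void *arg)
{
	struct demo_rl *rl = arg;

	rl->last_alert_desc = desc;
	rl->callback_calls++;
}

/* Handle the plaintext of a received alert record. */
int
demo_rl_recv_alert(struct demo_rl *rl, const uint8_t *content, size_t len)
{
	uint8_t desc;

	if (rl->fatal)
		return DEMO_IO_FAILURE;
	if (rl->read_closed)
		return DEMO_IO_EOF;
	if (len != 2)		/* exactly level + description */
		return DEMO_IO_FAILURE;
	desc = content[1];	/* content[0] is the level: ignored */
	demo_alert_cb(desc, rl);

	switch (desc) {
	case DEMO_ALERT_CLOSE_NOTIFY:
		/* Closure alert: no more data will arrive, but our write
		 * direction stays usable (half-close). Report EOF, not
		 * success, so nobody goes looking for record data. */
		rl->read_closed = 1;
		return DEMO_IO_EOF;
	case DEMO_ALERT_USER_CANCELED:
		/* Closure alert normally followed by close_notify: nothing
		 * was delivered, so have the caller read again. */
		return DEMO_IO_WANT_POLLIN;
	default:
		/* Everything else is an error alert: both directions are
		 * finished and the connection is unusable. */
		rl->read_closed = rl->write_closed = rl->fatal = 1;
		return DEMO_IO_ALERT;
	}
}

/* Serialise an alert into out[2] and update the write channel: close_notify
 * and error alerts are the last thing we send; user_canceled leaves the
 * channel open for the close_notify that follows it. */
int
demo_rl_send_alert(struct demo_rl *rl, uint8_t desc, uint8_t out[2])
{
	int closure = (desc == DEMO_ALERT_CLOSE_NOTIFY ||
	    desc == DEMO_ALERT_USER_CANCELED);

	if (rl->write_closed)
		return DEMO_IO_FAILURE;
	out[0] = closure ? DEMO_ALERT_LEVEL_WARNING : DEMO_ALERT_LEVEL_FATAL;
	out[1] = desc;
	if (desc != DEMO_ALERT_USER_CANCELED)
		rl->write_closed = 1;
	if (!closure)
		rl->fatal = 1;
	return closure ? DEMO_IO_SUCCESS : DEMO_IO_ALERT;
}
```

The mapping of these return values onto SSL_read(), SSL_shutdown() and the SSL error queue is the job of the callback and the layer above the record layer, as the 1.5 entry puts it; the record layer itself only decides which channels are still open.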


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.24 23-Jan-2020 jsing

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@


# 1.23 23-Jan-2020 jsing

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.22 22-Jan-2020 jsing

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@


# 1.21 22-Jan-2020 tb

After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.

ok jsing


# 1.20 22-Jan-2020 tb

The legacy_record_version must be set to TLS1_2_VERSION except
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing


# 1.19 22-Jan-2020 jsing

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@


# 1.18 21-Jan-2020 jsing

Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.17 20-Jan-2020 beck

Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.16 26-Nov-2019 beck

Add support for TLS 1.3 post handshake messages and key updating.
tested against openssl 1.1's server.

ok jsing@ tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.15 18-Nov-2019 jsing

Provide a clean interface for sending TLSv1.3 alerts.

ok beck@


# 1.14 17-Nov-2019 jsing

Change tls13_record_layer_phh() to take a CBS as this avoids ownership
issues and makes call sites cleaner.

ok beck@


# 1.13 17-Nov-2019 tb

Add a reference for the non-standard post-handshake handshake (PHH).

ok beck, jsing


# 1.12 17-Nov-2019 jsing

Ensure that we are never operating in plaintext mode once the handshake
is complete, which should never occur.

ok beck@


# 1.11 17-Nov-2019 jsing

Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@

ok beck@ tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.10 17-Nov-2019 beck

Separate the callbacks for recieved and completed post handshake messages
from the record layer

ok jsing@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.9 17-Mar-2019 jsing

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@


# 1.6 23-Feb-2019 jsing

Remove temporary gotos.

In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.

ok beck@ tb@


# 1.5 21-Feb-2019 jsing

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@


# 1.4 21-Feb-2019 jsing

Change the alert callback return type from int to void.

There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.

ok tb@


# 1.3 21-Feb-2019 jsing

Fix a few cases where int was used instead of ssize_t.


# 1.2 14-Feb-2019 jsing

Split tls13_record_layer_set_traffic_keys() into two separate functions.

This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.

ok tb@


# 1.1 20-Jan-2019 jsing

Provide an initial implementation of the TLS 1.3 record layer.

This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().

This currently lacks some functionality, however will be worked on in tree.

ok tb@


# 1.8 26-Feb-2019 jsing

Correct return values for non-fatal alerts.

In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.

ok tb@


# 1.7 25-Feb-2019 jsing

Correctly handle oversize writes.

If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.

This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.

ok inoguchi@ tb@

