xref: /dragonfly/crypto/libressl/ssl/tls13_record_layer.c (revision 961e30ea7dc61d1112b778ea4981eac68129fb86)
1 /* $OpenBSD: tls13_record_layer.c,v 1.71 2022/09/11 13:50:41 jsing Exp $ */
2 /*
3  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "tls13_internal.h"
19 #include "tls13_record.h"
20 #include "tls_content.h"
21 
22 static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
23     uint8_t content_type, const uint8_t *buf, size_t n);
24 static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
25     uint8_t content_type, const uint8_t *content, size_t content_len);
26 
27 struct tls13_record_protection {
28           EVP_AEAD_CTX *aead_ctx;
29           struct tls13_secret iv;
30           struct tls13_secret nonce;
31           uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN];
32 };
33 
34 struct tls13_record_protection *
tls13_record_protection_new(void)35 tls13_record_protection_new(void)
36 {
37           return calloc(1, sizeof(struct tls13_record_protection));
38 }
39 
40 void
tls13_record_protection_clear(struct tls13_record_protection * rp)41 tls13_record_protection_clear(struct tls13_record_protection *rp)
42 {
43           EVP_AEAD_CTX_free(rp->aead_ctx);
44 
45           tls13_secret_cleanup(&rp->iv);
46           tls13_secret_cleanup(&rp->nonce);
47 
48           memset(rp, 0, sizeof(*rp));
49 }
50 
51 void
tls13_record_protection_free(struct tls13_record_protection * rp)52 tls13_record_protection_free(struct tls13_record_protection *rp)
53 {
54           if (rp == NULL)
55                     return;
56 
57           tls13_record_protection_clear(rp);
58 
59           freezero(rp, sizeof(struct tls13_record_protection));
60 }
61 
62 struct tls13_record_layer {
63           uint16_t legacy_version;
64 
65           int ccs_allowed;
66           int ccs_seen;
67           int ccs_sent;
68           int handshake_completed;
69           int legacy_alerts_allowed;
70           int phh;
71           int phh_retry;
72 
73           /*
74            * Read and/or write channels are closed due to an alert being
75            * sent or received. In the case of an error alert both channels
76            * are closed, whereas in the case of a close notify only one
77            * channel is closed.
78            */
79           int read_closed;
80           int write_closed;
81 
82           struct tls13_record *rrec;
83 
84           struct tls13_record *wrec;
85           uint8_t wrec_content_type;
86           size_t wrec_appdata_len;
87           size_t wrec_content_len;
88 
89           /* Alert to be sent on return from current read handler. */
90           uint8_t alert;
91 
92           /* Pending alert messages. */
93           uint8_t *alert_data;
94           size_t alert_len;
95           uint8_t alert_level;
96           uint8_t alert_desc;
97 
98           /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */
99           CBS phh_cbs;
100           uint8_t *phh_data;
101           size_t phh_len;
102 
103           /* Content from opened records. */
104           struct tls_content *rcontent;
105 
106           /* Record protection. */
107           const EVP_MD *hash;
108           const EVP_AEAD *aead;
109           struct tls13_record_protection *read;
110           struct tls13_record_protection *write;
111 
112           /* Callbacks. */
113           struct tls13_record_layer_callbacks cb;
114           void *cb_arg;
115 };
116 
117 static void
tls13_record_layer_rrec_free(struct tls13_record_layer * rl)118 tls13_record_layer_rrec_free(struct tls13_record_layer *rl)
119 {
120           tls13_record_free(rl->rrec);
121           rl->rrec = NULL;
122 }
123 
124 static void
tls13_record_layer_wrec_free(struct tls13_record_layer * rl)125 tls13_record_layer_wrec_free(struct tls13_record_layer *rl)
126 {
127           tls13_record_free(rl->wrec);
128           rl->wrec = NULL;
129 }
130 
131 struct tls13_record_layer *
tls13_record_layer_new(const struct tls13_record_layer_callbacks * callbacks,void * cb_arg)132 tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks,
133     void *cb_arg)
134 {
135           struct tls13_record_layer *rl;
136 
137           if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL)
138                     goto err;
139 
140           if ((rl->rcontent = tls_content_new()) == NULL)
141                     goto err;
142 
143           if ((rl->read = tls13_record_protection_new()) == NULL)
144                     goto err;
145           if ((rl->write = tls13_record_protection_new()) == NULL)
146                     goto err;
147 
148           rl->legacy_version = TLS1_2_VERSION;
149 
150           tls13_record_layer_set_callbacks(rl, callbacks, cb_arg);
151 
152           return rl;
153 
154  err:
155           tls13_record_layer_free(rl);
156 
157           return NULL;
158 }
159 
160 void
tls13_record_layer_free(struct tls13_record_layer * rl)161 tls13_record_layer_free(struct tls13_record_layer *rl)
162 {
163           if (rl == NULL)
164                     return;
165 
166           tls13_record_layer_rrec_free(rl);
167           tls13_record_layer_wrec_free(rl);
168 
169           freezero(rl->alert_data, rl->alert_len);
170           freezero(rl->phh_data, rl->phh_len);
171 
172           tls_content_free(rl->rcontent);
173 
174           tls13_record_protection_free(rl->read);
175           tls13_record_protection_free(rl->write);
176 
177           freezero(rl, sizeof(struct tls13_record_layer));
178 }
179 
180 void
tls13_record_layer_set_callbacks(struct tls13_record_layer * rl,const struct tls13_record_layer_callbacks * callbacks,void * cb_arg)181 tls13_record_layer_set_callbacks(struct tls13_record_layer *rl,
182     const struct tls13_record_layer_callbacks *callbacks, void *cb_arg)
183 {
184           rl->cb = *callbacks;
185           rl->cb_arg = cb_arg;
186 }
187 
188 void
tls13_record_layer_rcontent(struct tls13_record_layer * rl,CBS * cbs)189 tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs)
190 {
191           CBS_dup(tls_content_cbs(rl->rcontent), cbs);
192 }
193 
194 static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = {
195           0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
196 };
197 
198 int
tls13_record_layer_inc_seq_num(uint8_t * seq_num)199 tls13_record_layer_inc_seq_num(uint8_t *seq_num)
200 {
201           int i;
202 
203           /* RFC 8446 section 5.3 - sequence numbers must not wrap. */
204           if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0)
205                     return 0;
206 
207           for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
208                     if (++seq_num[i] != 0)
209                               break;
210           }
211 
212           return 1;
213 }
214 
215 static int
tls13_record_layer_update_nonce(struct tls13_secret * nonce,struct tls13_secret * iv,uint8_t * seq_num)216 tls13_record_layer_update_nonce(struct tls13_secret *nonce,
217     struct tls13_secret *iv, uint8_t *seq_num)
218 {
219           ssize_t i, j;
220 
221           if (nonce->len != iv->len)
222                     return 0;
223 
224           /*
225            * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd
226            * with the IV to produce a per-record nonce. The IV will also be
227            * at least 8-bytes in length.
228            */
229           for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--)
230                     nonce->data[i] = iv->data[i] ^ (j >= 0 ? seq_num[j] : 0);
231 
232           return 1;
233 }
234 
235 void
tls13_record_layer_allow_ccs(struct tls13_record_layer * rl,int allow)236 tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow)
237 {
238           rl->ccs_allowed = allow;
239 }
240 
241 void
tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer * rl,int allow)242 tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow)
243 {
244           rl->legacy_alerts_allowed = allow;
245 }
246 
247 void
tls13_record_layer_set_aead(struct tls13_record_layer * rl,const EVP_AEAD * aead)248 tls13_record_layer_set_aead(struct tls13_record_layer *rl,
249     const EVP_AEAD *aead)
250 {
251           rl->aead = aead;
252 }
253 
254 void
tls13_record_layer_set_hash(struct tls13_record_layer * rl,const EVP_MD * hash)255 tls13_record_layer_set_hash(struct tls13_record_layer *rl,
256     const EVP_MD *hash)
257 {
258           rl->hash = hash;
259 }
260 
261 void
tls13_record_layer_set_legacy_version(struct tls13_record_layer * rl,uint16_t version)262 tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl,
263     uint16_t version)
264 {
265           rl->legacy_version = version;
266 }
267 
268 void
tls13_record_layer_handshake_completed(struct tls13_record_layer * rl)269 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl)
270 {
271           rl->handshake_completed = 1;
272 }
273 
274 void
tls13_record_layer_set_retry_after_phh(struct tls13_record_layer * rl,int retry)275 tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry)
276 {
277           rl->phh_retry = retry;
278 }
279 
280 static ssize_t
tls13_record_layer_process_alert(struct tls13_record_layer * rl)281 tls13_record_layer_process_alert(struct tls13_record_layer *rl)
282 {
283           uint8_t alert_level, alert_desc;
284           ssize_t ret = TLS13_IO_FAILURE;
285 
286           /*
287            * RFC 8446 - sections 5.1 and 6.
288            *
289            * A TLSv1.3 alert record can only contain a single alert - this means
290            * that processing the alert must consume all of the record. The alert
291            * will result in one of three things - continuation (user_cancelled),
292            * read channel closure (close_notify) or termination (all others).
293            */
294           if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT)
295                     return TLS13_IO_FAILURE;
296 
297           if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level))
298                     return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
299           if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc))
300                     return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
301 
302           if (tls_content_remaining(rl->rcontent) != 0)
303                     return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
304 
305           tls_content_clear(rl->rcontent);
306 
307           /*
308            * Alert level is ignored for closure alerts (RFC 8446 section 6.1),
309            * however for error alerts (RFC 8446 section 6.2), the alert level
310            * must be specified as fatal.
311            */
312           if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
313                     rl->read_closed = 1;
314                     ret = TLS13_IO_EOF;
315           } else if (alert_desc == TLS13_ALERT_USER_CANCELED) {
316                     /* Ignored at the record layer. */
317                     ret = TLS13_IO_WANT_RETRY;
318           } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) {
319                     rl->read_closed = 1;
320                     rl->write_closed = 1;
321                     ret = TLS13_IO_ALERT;
322           } else if (rl->legacy_alerts_allowed &&
323               alert_level == TLS13_ALERT_LEVEL_WARNING) {
324                     /* Ignored and not passed to the callback. */
325                     return TLS13_IO_WANT_RETRY;
326           } else {
327                     return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
328           }
329 
330           rl->cb.alert_recv(alert_desc, rl->cb_arg);
331 
332           return ret;
333 }
334 
335 static ssize_t
tls13_record_layer_send_alert(struct tls13_record_layer * rl)336 tls13_record_layer_send_alert(struct tls13_record_layer *rl)
337 {
338           ssize_t ret;
339 
340           /* This has to fit into a single record, per RFC 8446 section 5.1. */
341           if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT,
342               rl->alert_data, rl->alert_len)) != rl->alert_len) {
343                     if (ret == TLS13_IO_EOF)
344                               ret = TLS13_IO_ALERT;
345                     return ret;
346           }
347 
348           freezero(rl->alert_data, rl->alert_len);
349           rl->alert_data = NULL;
350           rl->alert_len = 0;
351 
352           if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
353                     rl->write_closed = 1;
354                     ret = TLS13_IO_SUCCESS;
355           } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) {
356                     /* Ignored at the record layer. */
357                     ret = TLS13_IO_SUCCESS;
358           } else {
359                     rl->read_closed = 1;
360                     rl->write_closed = 1;
361                     ret = TLS13_IO_ALERT;
362           }
363 
364           rl->cb.alert_sent(rl->alert_desc, rl->cb_arg);
365 
366           return ret;
367 }
368 
369 static ssize_t
tls13_record_layer_send_phh(struct tls13_record_layer * rl)370 tls13_record_layer_send_phh(struct tls13_record_layer *rl)
371 {
372           ssize_t ret;
373 
374           /* Push out pending post-handshake handshake messages. */
375           if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE,
376               CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0)
377                     return ret;
378           if (!CBS_skip(&rl->phh_cbs, ret))
379                     return TLS13_IO_FAILURE;
380           if (CBS_len(&rl->phh_cbs) != 0)
381                     return TLS13_IO_WANT_RETRY;
382 
383           freezero(rl->phh_data, rl->phh_len);
384           rl->phh_data = NULL;
385           rl->phh_len = 0;
386 
387           CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
388 
389           rl->cb.phh_sent(rl->cb_arg);
390 
391           return TLS13_IO_SUCCESS;
392 }
393 
394 ssize_t
tls13_record_layer_send_pending(struct tls13_record_layer * rl)395 tls13_record_layer_send_pending(struct tls13_record_layer *rl)
396 {
397           /*
398            * If an alert is pending, then it needs to be sent. However,
399            * if we're already part of the way through sending post-handshake
400            * handshake messages, then we need to finish that first...
401            */
402 
403           if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len)
404                     return tls13_record_layer_send_phh(rl);
405 
406           if (rl->alert_data != NULL)
407                     return tls13_record_layer_send_alert(rl);
408 
409           if (rl->phh_data != NULL)
410                     return tls13_record_layer_send_phh(rl);
411 
412           return TLS13_IO_SUCCESS;
413 }
414 
415 static ssize_t
tls13_record_layer_enqueue_alert(struct tls13_record_layer * rl,uint8_t alert_level,uint8_t alert_desc)416 tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl,
417     uint8_t alert_level, uint8_t alert_desc)
418 {
419           CBB cbb;
420 
421           if (rl->alert_data != NULL)
422                     return TLS13_IO_FAILURE;
423 
424           if (!CBB_init(&cbb, 0))
425                     goto err;
426 
427           if (!CBB_add_u8(&cbb, alert_level))
428                     goto err;
429           if (!CBB_add_u8(&cbb, alert_desc))
430                     goto err;
431           if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
432                     goto err;
433 
434           rl->alert_level = alert_level;
435           rl->alert_desc = alert_desc;
436 
437           return tls13_record_layer_send_pending(rl);
438 
439  err:
440           CBB_cleanup(&cbb);
441 
442           return TLS13_IO_FAILURE;
443 }
444 
445 ssize_t
tls13_record_layer_phh(struct tls13_record_layer * rl,CBS * cbs)446 tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs)
447 {
448           if (rl->phh_data != NULL)
449                     return TLS13_IO_FAILURE;
450 
451           if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len))
452                     return TLS13_IO_FAILURE;
453 
454           CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
455 
456           return tls13_record_layer_send_pending(rl);
457 }
458 
459 static int
tls13_record_layer_set_traffic_key(const EVP_AEAD * aead,const EVP_MD * hash,struct tls13_record_protection * rp,struct tls13_secret * traffic_key)460 tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash,
461     struct tls13_record_protection *rp, struct tls13_secret *traffic_key)
462 {
463           struct tls13_secret context = { .data = "", .len = 0 };
464           struct tls13_secret key = { .data = NULL, .len = 0 };
465           int ret = 0;
466 
467           tls13_record_protection_clear(rp);
468 
469           if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL)
470                     return 0;
471 
472           if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead)))
473                     goto err;
474           if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead)))
475                     goto err;
476           if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead)))
477                     goto err;
478 
479           if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context))
480                     goto err;
481           if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context))
482                     goto err;
483 
484           if (!EVP_AEAD_CTX_init(rp->aead_ctx, aead, key.data, key.len,
485               EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
486                     goto err;
487 
488           ret = 1;
489 
490  err:
491           tls13_secret_cleanup(&key);
492 
493           return ret;
494 }
495 
496 int
tls13_record_layer_set_read_traffic_key(struct tls13_record_layer * rl,struct tls13_secret * read_key,enum ssl_encryption_level_t read_level)497 tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
498     struct tls13_secret *read_key, enum ssl_encryption_level_t read_level)
499 {
500           if (rl->cb.set_read_traffic_key != NULL)
501                     return rl->cb.set_read_traffic_key(read_key, read_level,
502                         rl->cb_arg);
503 
504           return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
505               rl->read, read_key);
506 }
507 
508 int
tls13_record_layer_set_write_traffic_key(struct tls13_record_layer * rl,struct tls13_secret * write_key,enum ssl_encryption_level_t write_level)509 tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
510     struct tls13_secret *write_key, enum ssl_encryption_level_t write_level)
511 {
512           if (rl->cb.set_write_traffic_key != NULL)
513                     return rl->cb.set_write_traffic_key(write_key, write_level,
514                         rl->cb_arg);
515 
516           return tls13_record_layer_set_traffic_key(rl->aead, rl->hash,
517               rl->write, write_key);
518 }
519 
520 static int
tls13_record_layer_open_record_plaintext(struct tls13_record_layer * rl)521 tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl)
522 {
523           CBS cbs;
524 
525           if (rl->aead != NULL)
526                     return 0;
527 
528           /*
529            * We're still operating in plaintext mode, so just copy the
530            * content from the record to the plaintext buffer.
531            */
532           if (!tls13_record_content(rl->rrec, &cbs))
533                     return 0;
534 
535           if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
536                     rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
537                     return 0;
538           }
539 
540           if (!tls_content_dup_data(rl->rcontent,
541               tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs)))
542                     return 0;
543 
544           return 1;
545 }
546 
547 static int
tls13_record_layer_open_record_protected(struct tls13_record_layer * rl)548 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
549 {
550           CBS header, enc_record, inner;
551           uint8_t *content = NULL;
552           size_t content_len = 0;
553           uint8_t content_type;
554           size_t out_len;
555 
556           if (rl->aead == NULL)
557                     goto err;
558 
559           if (!tls13_record_header(rl->rrec, &header))
560                     goto err;
561           if (!tls13_record_content(rl->rrec, &enc_record))
562                     goto err;
563 
564           if ((content = calloc(1, CBS_len(&enc_record))) == NULL)
565                     goto err;
566           content_len = CBS_len(&enc_record);
567 
568           if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv,
569               rl->read->seq_num))
570                     goto err;
571 
572           if (!EVP_AEAD_CTX_open(rl->read->aead_ctx,
573               content, &out_len, content_len,
574               rl->read->nonce.data, rl->read->nonce.len,
575               CBS_data(&enc_record), CBS_len(&enc_record),
576               CBS_data(&header), CBS_len(&header)))
577                     goto err;
578 
579           if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) {
580                     rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
581                     goto err;
582           }
583 
584           if (!tls13_record_layer_inc_seq_num(rl->read->seq_num))
585                     goto err;
586 
587           /*
588            * The real content type is hidden at the end of the record content and
589            * it may be followed by padding that consists of one or more zeroes.
590            * Time to hunt for that elusive content type!
591            */
592           CBS_init(&inner, content, out_len);
593           content_type = 0;
594           while (CBS_get_last_u8(&inner, &content_type)) {
595                     if (content_type != 0)
596                               break;
597           }
598           if (content_type == 0) {
599                     /* Unexpected message per RFC 8446 section 5.4. */
600                     rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
601                     goto err;
602           }
603           if (CBS_len(&inner) > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
604                     rl->alert = TLS13_ALERT_RECORD_OVERFLOW;
605                     goto err;
606           }
607 
608           tls_content_set_data(rl->rcontent, content_type, CBS_data(&inner),
609               CBS_len(&inner));
610 
611           return 1;
612 
613  err:
614           freezero(content, content_len);
615 
616           return 0;
617 }
618 
619 static int
tls13_record_layer_open_record(struct tls13_record_layer * rl)620 tls13_record_layer_open_record(struct tls13_record_layer *rl)
621 {
622           if (rl->handshake_completed && rl->aead == NULL)
623                     return 0;
624 
625           if (rl->aead == NULL)
626                     return tls13_record_layer_open_record_plaintext(rl);
627 
628           return tls13_record_layer_open_record_protected(rl);
629 }
630 
631 static int
tls13_record_layer_seal_record_plaintext(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)632 tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl,
633     uint8_t content_type, const uint8_t *content, size_t content_len)
634 {
635           uint8_t *data = NULL;
636           size_t data_len = 0;
637           CBB cbb, body;
638 
639           /*
640            * Allow dummy CCS messages to be sent in plaintext even when
641            * record protection has been engaged, as long as the handshake
642            * has not yet completed.
643            */
644           if (rl->handshake_completed)
645                     return 0;
646           if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC)
647                     return 0;
648 
649           /*
650            * We're still operating in plaintext mode, so just copy the
651            * content into the record.
652            */
653           if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len))
654                     goto err;
655 
656           if (!CBB_add_u8(&cbb, content_type))
657                     goto err;
658           if (!CBB_add_u16(&cbb, rl->legacy_version))
659                     goto err;
660           if (!CBB_add_u16_length_prefixed(&cbb, &body))
661                     goto err;
662           if (!CBB_add_bytes(&body, content, content_len))
663                     goto err;
664 
665           if (!CBB_finish(&cbb, &data, &data_len))
666                     goto err;
667 
668           if (!tls13_record_set_data(rl->wrec, data, data_len))
669                     goto err;
670 
671           rl->wrec_content_len = content_len;
672           rl->wrec_content_type = content_type;
673 
674           return 1;
675 
676  err:
677           CBB_cleanup(&cbb);
678           freezero(data, data_len);
679 
680           return 0;
681 }
682 
683 static int
tls13_record_layer_seal_record_protected(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)684 tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
685     uint8_t content_type, const uint8_t *content, size_t content_len)
686 {
687           uint8_t *data = NULL, *header = NULL, *inner = NULL;
688           size_t data_len = 0, header_len = 0, inner_len = 0;
689           uint8_t *enc_record;
690           size_t enc_record_len;
691           ssize_t ret = 0;
692           size_t out_len;
693           CBB cbb;
694 
695           if (rl->aead == NULL)
696                     return 0;
697 
698           memset(&cbb, 0, sizeof(cbb));
699 
700           /* Build inner plaintext. */
701           if (!CBB_init(&cbb, content_len + 1))
702                     goto err;
703           if (!CBB_add_bytes(&cbb, content, content_len))
704                     goto err;
705           if (!CBB_add_u8(&cbb, content_type))
706                     goto err;
707           /* XXX - padding? */
708           if (!CBB_finish(&cbb, &inner, &inner_len))
709                     goto err;
710 
711           if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN)
712                     goto err;
713 
714           /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
715           enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead);
716           if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN)
717                     goto err;
718 
719           /* Build the record header. */
720           if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN))
721                     goto err;
722           if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA))
723                     goto err;
724           if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
725                     goto err;
726           if (!CBB_add_u16(&cbb, enc_record_len))
727                     goto err;
728           if (!CBB_finish(&cbb, &header, &header_len))
729                     goto err;
730 
731           /* Build the actual record. */
732           if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len))
733                     goto err;
734           if (!CBB_add_bytes(&cbb, header, header_len))
735                     goto err;
736           if (!CBB_add_space(&cbb, &enc_record, enc_record_len))
737                     goto err;
738           if (!CBB_finish(&cbb, &data, &data_len))
739                     goto err;
740 
741           if (!tls13_record_layer_update_nonce(&rl->write->nonce,
742               &rl->write->iv, rl->write->seq_num))
743                     goto err;
744 
745           /*
746            * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec...
747            * this would avoid a copy since the inner would be passed as two
748            * separate pieces.
749            */
750           if (!EVP_AEAD_CTX_seal(rl->write->aead_ctx,
751               enc_record, &out_len, enc_record_len,
752               rl->write->nonce.data, rl->write->nonce.len,
753               inner, inner_len, header, header_len))
754                     goto err;
755 
756           if (out_len != enc_record_len)
757                     goto err;
758 
759           if (!tls13_record_layer_inc_seq_num(rl->write->seq_num))
760                     goto err;
761 
762           if (!tls13_record_set_data(rl->wrec, data, data_len))
763                     goto err;
764 
765           rl->wrec_content_len = content_len;
766           rl->wrec_content_type = content_type;
767 
768           data = NULL;
769           data_len = 0;
770 
771           ret = 1;
772 
773  err:
774           CBB_cleanup(&cbb);
775 
776           freezero(data, data_len);
777           freezero(header, header_len);
778           freezero(inner, inner_len);
779 
780           return ret;
781 }
782 
783 static int
tls13_record_layer_seal_record(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)784 tls13_record_layer_seal_record(struct tls13_record_layer *rl,
785     uint8_t content_type, const uint8_t *content, size_t content_len)
786 {
787           if (rl->handshake_completed && rl->aead == NULL)
788                     return 0;
789 
790           tls13_record_layer_wrec_free(rl);
791 
792           if ((rl->wrec = tls13_record_new()) == NULL)
793                     return 0;
794 
795           if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC)
796                     return tls13_record_layer_seal_record_plaintext(rl,
797                         content_type, content, content_len);
798 
799           return tls13_record_layer_seal_record_protected(rl, content_type,
800               content, content_len);
801 }
802 
803 static ssize_t
tls13_record_layer_read_record(struct tls13_record_layer * rl)804 tls13_record_layer_read_record(struct tls13_record_layer *rl)
805 {
806           uint8_t content_type, ccs;
807           ssize_t ret;
808           CBS cbs;
809 
810           if (rl->rrec == NULL) {
811                     if ((rl->rrec = tls13_record_new()) == NULL)
812                               goto err;
813           }
814 
815           if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
816                     switch (ret) {
817                     case TLS13_IO_RECORD_VERSION:
818                               return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
819                     case TLS13_IO_RECORD_OVERFLOW:
820                               return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW);
821                     }
822                     return ret;
823           }
824 
825           content_type = tls13_record_content_type(rl->rrec);
826 
827           /*
828            * In response to a client hello we may receive an alert in a
829            * record with a legacy version. Otherwise enforce that the
830            * legacy record version is 0x0303 per RFC 8446, section 5.1.
831            */
832           if (rl->legacy_version == TLS1_2_VERSION &&
833               tls13_record_version(rl->rrec) != TLS1_2_VERSION &&
834               (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed))
835                     return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
836 
837           /*
838            * Bag of hacks ahead... after the first ClientHello message has been
839            * sent or received and before the peer's Finished message has been
840            * received, we may receive an unencrypted ChangeCipherSpec record
841            * (see RFC 8446 section 5 and appendix D.4). This record must be
842            * ignored.
843            */
844           if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
845                     if (!rl->ccs_allowed || rl->ccs_seen >= 2)
846                               return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
847                     if (!tls13_record_content(rl->rrec, &cbs))
848                               return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
849                     if (!CBS_get_u8(&cbs, &ccs))
850                               return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
851                     if (ccs != 1)
852                               return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
853                     if (CBS_len(&cbs) != 0)
854                               return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
855                     rl->ccs_seen++;
856                     tls13_record_layer_rrec_free(rl);
857                     return TLS13_IO_WANT_RETRY;
858           }
859 
860           /*
861            * Once record protection is engaged, we should only receive
862            * protected application data messages (aside from the
863            * dummy ChangeCipherSpec messages, handled above).
864            */
865           if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA)
866                     return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
867 
868           if (!tls13_record_layer_open_record(rl))
869                     goto err;
870 
871           tls13_record_layer_rrec_free(rl);
872 
873           /*
874            * On receiving a handshake or alert record with empty inner plaintext,
875            * we must terminate the connection with an unexpected_message alert.
876            * See RFC 8446 section 5.4.
877            */
878           if (tls_content_remaining(rl->rcontent) == 0 &&
879               (tls_content_type(rl->rcontent) == SSL3_RT_ALERT ||
880                tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE))
881                     return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
882 
883           switch (tls_content_type(rl->rcontent)) {
884           case SSL3_RT_ALERT:
885                     return tls13_record_layer_process_alert(rl);
886 
887           case SSL3_RT_HANDSHAKE:
888                     break;
889 
890           case SSL3_RT_APPLICATION_DATA:
891                     if (!rl->handshake_completed)
892                               return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
893                     break;
894 
895           default:
896                     return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
897           }
898 
899           return TLS13_IO_SUCCESS;
900 
901  err:
902           return TLS13_IO_FAILURE;
903 }
904 
905 static ssize_t
tls13_record_layer_pending(struct tls13_record_layer * rl,uint8_t content_type)906 tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type)
907 {
908           if (tls_content_type(rl->rcontent) != content_type)
909                     return 0;
910 
911           return tls_content_remaining(rl->rcontent);
912 }
913 
914 static ssize_t
tls13_record_layer_recv_phh(struct tls13_record_layer * rl)915 tls13_record_layer_recv_phh(struct tls13_record_layer *rl)
916 {
917           ssize_t ret = TLS13_IO_FAILURE;
918 
919           rl->phh = 1;
920 
921           /*
922            * The post handshake handshake receive callback is allowed to return:
923            *
924            * TLS13_IO_WANT_POLLIN  need more handshake data.
925            * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued.
926            * TLS13_IO_SUCCESS  got the whole handshake, nothing more to do.
927            * TLS13_IO_FAILURE  something broke.
928            */
929           if (rl->cb.phh_recv != NULL)
930                     ret = rl->cb.phh_recv(rl->cb_arg);
931 
932           tls_content_clear(rl->rcontent);
933 
934           /* Leave post handshake handshake mode unless we need more data. */
935           if (ret != TLS13_IO_WANT_POLLIN)
936                     rl->phh = 0;
937 
938           if (ret == TLS13_IO_SUCCESS) {
939                     if (rl->phh_retry)
940                               return TLS13_IO_WANT_RETRY;
941 
942                     return TLS13_IO_WANT_POLLIN;
943           }
944 
945           return ret;
946 }
947 
948 static ssize_t
tls13_record_layer_read_internal(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n,int peek)949 tls13_record_layer_read_internal(struct tls13_record_layer *rl,
950     uint8_t content_type, uint8_t *buf, size_t n, int peek)
951 {
952           ssize_t ret;
953 
954           if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
955                     return ret;
956 
957           if (rl->read_closed)
958                     return TLS13_IO_EOF;
959 
960           /* If necessary, pull up the next record. */
961           if (tls_content_remaining(rl->rcontent) == 0) {
962                     if ((ret = tls13_record_layer_read_record(rl)) <= 0)
963                               return ret;
964 
965                     /*
966                      * We may have read a valid 0-byte application data record,
967                      * in which case we need to read the next record.
968                      */
969                     if (tls_content_remaining(rl->rcontent) == 0)
970                               return TLS13_IO_WANT_POLLIN;
971           }
972 
973           /*
974            * If we are in post handshake handshake mode, we must not see
975            * any record type that isn't a handshake until we are done.
976            */
977           if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE)
978                     return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
979 
980           /*
981            * Handshake content can appear as post-handshake messages (yup,
982            * the RFC reused the same content type...), which means we can
983            * be trying to read application data and need to handle a
984            * post-handshake handshake message instead...
985            */
986           if (tls_content_type(rl->rcontent) != content_type) {
987                     if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE) {
988                               if (rl->handshake_completed)
989                                         return tls13_record_layer_recv_phh(rl);
990                     }
991                     return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
992           }
993 
994           if (peek)
995                     return tls_content_peek(rl->rcontent, buf, n);
996 
997           return tls_content_read(rl->rcontent, buf, n);
998 }
999 
1000 static ssize_t
tls13_record_layer_peek(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n)1001 tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type,
1002     uint8_t *buf, size_t n)
1003 {
1004           ssize_t ret;
1005 
1006           do {
1007                     ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1);
1008           } while (ret == TLS13_IO_WANT_RETRY);
1009 
1010           if (rl->alert != 0)
1011                     return tls13_send_alert(rl, rl->alert);
1012 
1013           return ret;
1014 }
1015 
1016 static ssize_t
tls13_record_layer_read(struct tls13_record_layer * rl,uint8_t content_type,uint8_t * buf,size_t n)1017 tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
1018     uint8_t *buf, size_t n)
1019 {
1020           ssize_t ret;
1021 
1022           do {
1023                     ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0);
1024           } while (ret == TLS13_IO_WANT_RETRY);
1025 
1026           if (rl->alert != 0)
1027                     return tls13_send_alert(rl, rl->alert);
1028 
1029           return ret;
1030 }
1031 
1032 static ssize_t
tls13_record_layer_write_record(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * content,size_t content_len)1033 tls13_record_layer_write_record(struct tls13_record_layer *rl,
1034     uint8_t content_type, const uint8_t *content, size_t content_len)
1035 {
1036           ssize_t ret;
1037 
1038           if (rl->write_closed)
1039                     return TLS13_IO_EOF;
1040 
1041           /*
1042            * If we pushed out application data while handling other messages,
1043            * we need to return content length on the next call.
1044            */
1045           if (content_type == SSL3_RT_APPLICATION_DATA &&
1046               rl->wrec_appdata_len != 0) {
1047                     ret = rl->wrec_appdata_len;
1048                     rl->wrec_appdata_len = 0;
1049                     return ret;
1050           }
1051 
1052           /* See if there is an existing record and attempt to push it out... */
1053           if (rl->wrec != NULL) {
1054                     if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write,
1055                         rl->cb_arg)) <= 0)
1056                               return ret;
1057                     tls13_record_layer_wrec_free(rl);
1058 
1059                     if (rl->wrec_content_type == content_type) {
1060                               ret = rl->wrec_content_len;
1061                               rl->wrec_content_len = 0;
1062                               rl->wrec_content_type = 0;
1063                               return ret;
1064                     }
1065 
1066                     /*
1067                      * The only partial record type should be application data.
1068                      * All other cases are handled to completion.
1069                      */
1070                     if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA)
1071                               return TLS13_IO_FAILURE;
1072                     rl->wrec_appdata_len = rl->wrec_content_len;
1073           }
1074 
1075           if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1076                     goto err;
1077 
1078           if (!tls13_record_layer_seal_record(rl, content_type, content, content_len))
1079                     goto err;
1080 
1081           if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0)
1082                     return ret;
1083 
1084           tls13_record_layer_wrec_free(rl);
1085 
1086           return content_len;
1087 
1088  err:
1089           return TLS13_IO_FAILURE;
1090 }
1091 
1092 static ssize_t
tls13_record_layer_write_chunk(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * buf,size_t n)1093 tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
1094     uint8_t content_type, const uint8_t *buf, size_t n)
1095 {
1096           if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)
1097                     n = TLS13_RECORD_MAX_PLAINTEXT_LEN;
1098 
1099           return tls13_record_layer_write_record(rl, content_type, buf, n);
1100 }
1101 
1102 static ssize_t
tls13_record_layer_write(struct tls13_record_layer * rl,uint8_t content_type,const uint8_t * buf,size_t n)1103 tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
1104     const uint8_t *buf, size_t n)
1105 {
1106           ssize_t ret;
1107 
1108           do {
1109                     ret = tls13_record_layer_send_pending(rl);
1110           } while (ret == TLS13_IO_WANT_RETRY);
1111           if (ret != TLS13_IO_SUCCESS)
1112                     return ret;
1113 
1114           do {
1115                     ret = tls13_record_layer_write_chunk(rl, content_type, buf, n);
1116           } while (ret == TLS13_IO_WANT_RETRY);
1117 
1118           return ret;
1119 }
1120 
1121 ssize_t
tls13_record_layer_flush(struct tls13_record_layer * rl)1122 tls13_record_layer_flush(struct tls13_record_layer *rl)
1123 {
1124           return rl->cb.wire_flush(rl->cb_arg);
1125 }
1126 
1127 static const uint8_t tls13_dummy_ccs[] = { 0x01 };
1128 
1129 ssize_t
tls13_send_dummy_ccs(struct tls13_record_layer * rl)1130 tls13_send_dummy_ccs(struct tls13_record_layer *rl)
1131 {
1132           ssize_t ret;
1133 
1134           if (rl->ccs_sent)
1135                     return TLS13_IO_FAILURE;
1136 
1137           if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC,
1138               tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0)
1139                     return ret;
1140 
1141           rl->ccs_sent = 1;
1142 
1143           return TLS13_IO_SUCCESS;
1144 }
1145 
1146 ssize_t
tls13_read_handshake_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1147 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1148 {
1149           if (rl->cb.handshake_read != NULL)
1150                     return rl->cb.handshake_read(buf, n, rl->cb_arg);
1151 
1152           return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n);
1153 }
1154 
1155 ssize_t
tls13_write_handshake_data(struct tls13_record_layer * rl,const uint8_t * buf,size_t n)1156 tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
1157     size_t n)
1158 {
1159           if (rl->cb.handshake_write != NULL)
1160                     return rl->cb.handshake_write(buf, n, rl->cb_arg);
1161 
1162           return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n);
1163 }
1164 
1165 ssize_t
tls13_pending_application_data(struct tls13_record_layer * rl)1166 tls13_pending_application_data(struct tls13_record_layer *rl)
1167 {
1168           if (!rl->handshake_completed)
1169                     return 0;
1170 
1171           return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA);
1172 }
1173 
1174 ssize_t
tls13_peek_application_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1175 tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1176 {
1177           if (!rl->handshake_completed)
1178                     return TLS13_IO_FAILURE;
1179 
1180           return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1181 }
1182 
1183 ssize_t
tls13_read_application_data(struct tls13_record_layer * rl,uint8_t * buf,size_t n)1184 tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
1185 {
1186           if (!rl->handshake_completed)
1187                     return TLS13_IO_FAILURE;
1188 
1189           return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1190 }
1191 
1192 ssize_t
tls13_write_application_data(struct tls13_record_layer * rl,const uint8_t * buf,size_t n)1193 tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf,
1194     size_t n)
1195 {
1196           if (!rl->handshake_completed)
1197                     return TLS13_IO_FAILURE;
1198 
1199           return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n);
1200 }
1201 
1202 ssize_t
tls13_send_alert(struct tls13_record_layer * rl,uint8_t alert_desc)1203 tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc)
1204 {
1205           uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL;
1206           ssize_t ret;
1207 
1208           if (rl->cb.alert_send != NULL)
1209                     return rl->cb.alert_send(alert_desc, rl->cb_arg);
1210 
1211           if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY ||
1212               alert_desc == TLS13_ALERT_USER_CANCELED)
1213                     alert_level = TLS13_ALERT_LEVEL_WARNING;
1214 
1215           do {
1216                     ret = tls13_record_layer_enqueue_alert(rl, alert_level,
1217                         alert_desc);
1218           } while (ret == TLS13_IO_WANT_RETRY);
1219 
1220           return ret;
1221 }
1222