1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). */ 108 109 #include <openssl/ssl.h> 110 111 #include <assert.h> 112 #include <string.h> 113 114 #include <openssl/bytestring.h> 115 #include <openssl/err.h> 116 #include <openssl/mem.h> 117 118 #include "internal.h" 119 #include "../crypto/internal.h" 120 121 122 namespace bssl { 123 124 // kMaxEmptyRecords is the number of consecutive, empty records that will be 125 // processed. Without this limit an attacker could send empty records at a 126 // faster rate than we can process and cause record processing to loop 127 // forever. 128 static const uint8_t kMaxEmptyRecords = 32; 129 130 // kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that 131 // will be skipped. Without this limit an attacker could send records at a 132 // faster rate than we can process and cause trial decryption to loop forever. 133 // This value should be slightly above kMaxEarlyDataAccepted, which is measured 134 // in plaintext. 135 static const size_t kMaxEarlyDataSkipped = 16384; 136 137 // kMaxWarningAlerts is the number of consecutive warning alerts that will be 138 // processed. 139 static const uint8_t kMaxWarningAlerts = 4; 140 141 // ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher 142 // state needs record-splitting and zero otherwise. 143 static int ssl_needs_record_splitting(const SSL *ssl) { 144 #if !defined(BORINGSSL_UNSAFE_FUZZER_MODE) 145 return !ssl->s3->aead_write_ctx->is_null_cipher() && 146 ssl->s3->aead_write_ctx->ProtocolVersion() < TLS1_1_VERSION && 147 (ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 && 148 SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher()); 149 #else 150 return 0; 151 #endif 152 } 153 154 int ssl_record_sequence_update(uint8_t *seq, size_t seq_len) { 155 for (size_t i = seq_len - 1; i < seq_len; i--) { 156 ++seq[i]; 157 if (seq[i] != 0) { 158 return 1; 159 } 160 } 161 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 162 return 0; 163 } 164 165 size_t ssl_record_prefix_len(const SSL *ssl) { 166 size_t header_len; 167 if (SSL_is_dtls(ssl)) { 168 header_len = DTLS1_RT_HEADER_LENGTH; 169 } else { 170 header_len = SSL3_RT_HEADER_LENGTH; 171 } 172 173 return header_len + ssl->s3->aead_read_ctx->ExplicitNonceLen(); 174 } 175 176 size_t ssl_seal_align_prefix_len(const SSL *ssl) { 177 if (SSL_is_dtls(ssl)) { 178 return DTLS1_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen(); 179 } 180 181 size_t ret = 182 SSL3_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen(); 183 if (ssl_needs_record_splitting(ssl)) { 184 ret += SSL3_RT_HEADER_LENGTH; 185 ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher()); 186 } 187 return ret; 188 } 189 190 static ssl_open_record_t skip_early_data(SSL *ssl, uint8_t *out_alert, 191 size_t consumed) { 192 ssl->s3->early_data_skipped += consumed; 193 if (ssl->s3->early_data_skipped < consumed) { 194 ssl->s3->early_data_skipped = kMaxEarlyDataSkipped + 1; 195 } 196 197 if (ssl->s3->early_data_skipped > kMaxEarlyDataSkipped) { 198 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA); 199 *out_alert = SSL_AD_UNEXPECTED_MESSAGE; 200 return ssl_open_record_error; 201 } 202 203 return ssl_open_record_discard; 204 } 205 206 ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, 207 Span<uint8_t> *out, size_t *out_consumed, 208 uint8_t *out_alert, Span<uint8_t> in) { 209 *out_consumed = 0; 210 if (ssl->s3->read_shutdown == ssl_shutdown_close_notify) { 211 return ssl_open_record_close_notify; 212 } 213 214 // If there is an unprocessed handshake message or we are already buffering 215 // too much, stop before decrypting another handshake record. 216 if (!tls_can_accept_handshake_data(ssl, out_alert)) { 217 return ssl_open_record_error; 218 } 219 220 CBS cbs = CBS(in); 221 222 // Decode the record header. 223 uint8_t type; 224 uint16_t version, ciphertext_len; 225 if (!CBS_get_u8(&cbs, &type) || 226 !CBS_get_u16(&cbs, &version) || 227 !CBS_get_u16(&cbs, &ciphertext_len)) { 228 *out_consumed = SSL3_RT_HEADER_LENGTH; 229 return ssl_open_record_partial; 230 } 231 232 bool version_ok; 233 if (ssl->s3->aead_read_ctx->is_null_cipher()) { 234 // Only check the first byte. Enforcing beyond that can prevent decoding 235 // version negotiation failure alerts. 236 version_ok = (version >> 8) == SSL3_VERSION_MAJOR; 237 } else { 238 version_ok = version == ssl->s3->aead_read_ctx->RecordVersion(); 239 } 240 241 if (!version_ok) { 242 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER); 243 *out_alert = SSL_AD_PROTOCOL_VERSION; 244 return ssl_open_record_error; 245 } 246 247 // Check the ciphertext length. 248 if (ciphertext_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 249 OPENSSL_PUT_ERROR(SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 250 *out_alert = SSL_AD_RECORD_OVERFLOW; 251 return ssl_open_record_error; 252 } 253 254 // Extract the body. 255 CBS body; 256 if (!CBS_get_bytes(&cbs, &body, ciphertext_len)) { 257 *out_consumed = SSL3_RT_HEADER_LENGTH + (size_t)ciphertext_len; 258 return ssl_open_record_partial; 259 } 260 261 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HEADER, 262 in.subspan(0, SSL3_RT_HEADER_LENGTH)); 263 264 *out_consumed = in.size() - CBS_len(&cbs); 265 266 if (ssl->s3->have_version && 267 ssl_protocol_version(ssl) >= TLS1_3_VERSION && 268 SSL_in_init(ssl) && 269 type == SSL3_RT_CHANGE_CIPHER_SPEC && 270 ciphertext_len == 1 && 271 CBS_data(&body)[0] == 1) { 272 ssl->s3->empty_record_count++; 273 if (ssl->s3->empty_record_count > kMaxEmptyRecords) { 274 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS); 275 *out_alert = SSL_AD_UNEXPECTED_MESSAGE; 276 return ssl_open_record_error; 277 } 278 return ssl_open_record_discard; 279 } 280 281 // Skip early data received when expecting a second ClientHello if we rejected 282 // 0RTT. 283 if (ssl->s3->skip_early_data && 284 ssl->s3->aead_read_ctx->is_null_cipher() && 285 type == SSL3_RT_APPLICATION_DATA) { 286 return skip_early_data(ssl, out_alert, *out_consumed); 287 } 288 289 // Decrypt the body in-place. 290 if (!ssl->s3->aead_read_ctx->Open( 291 out, type, version, ssl->s3->read_sequence, 292 MakeSpan(const_cast<uint8_t *>(CBS_data(&body)), CBS_len(&body)))) { 293 if (ssl->s3->skip_early_data && !ssl->s3->aead_read_ctx->is_null_cipher()) { 294 ERR_clear_error(); 295 return skip_early_data(ssl, out_alert, *out_consumed); 296 } 297 298 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 299 *out_alert = SSL_AD_BAD_RECORD_MAC; 300 return ssl_open_record_error; 301 } 302 303 ssl->s3->skip_early_data = false; 304 305 if (!ssl_record_sequence_update(ssl->s3->read_sequence, 8)) { 306 *out_alert = SSL_AD_INTERNAL_ERROR; 307 return ssl_open_record_error; 308 } 309 310 // TLS 1.3 hides the record type inside the encrypted data. 311 bool has_padding = 312 !ssl->s3->aead_read_ctx->is_null_cipher() && 313 ssl->s3->aead_read_ctx->ProtocolVersion() >= TLS1_3_VERSION; 314 315 // If there is padding, the plaintext limit includes the padding, but includes 316 // extra room for the inner content type. 317 size_t plaintext_limit = 318 has_padding ? SSL3_RT_MAX_PLAIN_LENGTH + 1 : SSL3_RT_MAX_PLAIN_LENGTH; 319 if (out->size() > plaintext_limit) { 320 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); 321 *out_alert = SSL_AD_RECORD_OVERFLOW; 322 return ssl_open_record_error; 323 } 324 325 if (has_padding) { 326 // The outer record type is always application_data. 327 if (type != SSL3_RT_APPLICATION_DATA) { 328 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE); 329 *out_alert = SSL_AD_DECODE_ERROR; 330 return ssl_open_record_error; 331 } 332 333 do { 334 if (out->empty()) { 335 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 336 *out_alert = SSL_AD_DECRYPT_ERROR; 337 return ssl_open_record_error; 338 } 339 type = out->back(); 340 *out = out->subspan(0, out->size() - 1); 341 } while (type == 0); 342 } 343 344 // Limit the number of consecutive empty records. 345 if (out->empty()) { 346 ssl->s3->empty_record_count++; 347 if (ssl->s3->empty_record_count > kMaxEmptyRecords) { 348 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS); 349 *out_alert = SSL_AD_UNEXPECTED_MESSAGE; 350 return ssl_open_record_error; 351 } 352 // Apart from the limit, empty records are returned up to the caller. This 353 // allows the caller to reject records of the wrong type. 354 } else { 355 ssl->s3->empty_record_count = 0; 356 } 357 358 if (type == SSL3_RT_ALERT) { 359 return ssl_process_alert(ssl, out_alert, *out); 360 } 361 362 // Handshake messages may not interleave with any other record type. 363 if (type != SSL3_RT_HANDSHAKE && 364 tls_has_unprocessed_handshake_data(ssl)) { 365 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); 366 *out_alert = SSL_AD_UNEXPECTED_MESSAGE; 367 return ssl_open_record_error; 368 } 369 370 ssl->s3->warning_alert_count = 0; 371 372 *out_type = type; 373 return ssl_open_record_success; 374 } 375 376 static int do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, 377 uint8_t *out_suffix, uint8_t type, const uint8_t *in, 378 const size_t in_len) { 379 uint8_t *extra_in = NULL; 380 size_t extra_in_len = 0; 381 if (!ssl->s3->aead_write_ctx->is_null_cipher() && 382 ssl->s3->aead_write_ctx->ProtocolVersion() >= TLS1_3_VERSION) { 383 // TLS 1.3 hides the actual record type inside the encrypted data. 384 extra_in = &type; 385 extra_in_len = 1; 386 } 387 388 size_t suffix_len; 389 if (!ssl->s3->aead_write_ctx->SuffixLen(&suffix_len, in_len, extra_in_len)) { 390 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); 391 return 0; 392 } 393 size_t ciphertext_len = 394 ssl->s3->aead_write_ctx->ExplicitNonceLen() + suffix_len; 395 if (ciphertext_len + in_len < ciphertext_len) { 396 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); 397 return 0; 398 } 399 ciphertext_len += in_len; 400 401 assert(in == out || !buffers_alias(in, in_len, out, in_len)); 402 assert(!buffers_alias(in, in_len, out_prefix, ssl_record_prefix_len(ssl))); 403 assert(!buffers_alias(in, in_len, out_suffix, suffix_len)); 404 405 if (extra_in_len) { 406 out_prefix[0] = SSL3_RT_APPLICATION_DATA; 407 } else { 408 out_prefix[0] = type; 409 } 410 411 uint16_t record_version = ssl->s3->aead_write_ctx->RecordVersion(); 412 413 out_prefix[1] = record_version >> 8; 414 out_prefix[2] = record_version & 0xff; 415 out_prefix[3] = ciphertext_len >> 8; 416 out_prefix[4] = ciphertext_len & 0xff; 417 418 if (!ssl->s3->aead_write_ctx->SealScatter( 419 out_prefix + SSL3_RT_HEADER_LENGTH, out, out_suffix, type, 420 record_version, ssl->s3->write_sequence, in, in_len, extra_in, 421 extra_in_len) || 422 !ssl_record_sequence_update(ssl->s3->write_sequence, 8)) { 423 return 0; 424 } 425 426 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, 427 MakeSpan(out_prefix, SSL3_RT_HEADER_LENGTH)); 428 return 1; 429 } 430 431 static size_t tls_seal_scatter_prefix_len(const SSL *ssl, uint8_t type, 432 size_t in_len) { 433 size_t ret = SSL3_RT_HEADER_LENGTH; 434 if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 && 435 ssl_needs_record_splitting(ssl)) { 436 // In the case of record splitting, the 1-byte record (of the 1/n-1 split) 437 // will be placed in the prefix, as will four of the five bytes of the 438 // record header for the main record. The final byte will replace the first 439 // byte of the plaintext that was used in the small record. 440 ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher()); 441 ret += SSL3_RT_HEADER_LENGTH - 1; 442 } else { 443 ret += ssl->s3->aead_write_ctx->ExplicitNonceLen(); 444 } 445 return ret; 446 } 447 448 static bool tls_seal_scatter_suffix_len(const SSL *ssl, size_t *out_suffix_len, 449 uint8_t type, size_t in_len) { 450 size_t extra_in_len = 0; 451 if (!ssl->s3->aead_write_ctx->is_null_cipher() && 452 ssl->s3->aead_write_ctx->ProtocolVersion() >= TLS1_3_VERSION) { 453 // TLS 1.3 adds an extra byte for encrypted record type. 454 extra_in_len = 1; 455 } 456 if (type == SSL3_RT_APPLICATION_DATA && // clang-format off 457 in_len > 1 && 458 ssl_needs_record_splitting(ssl)) { 459 // With record splitting enabled, the first byte gets sealed into a separate 460 // record which is written into the prefix. 461 in_len -= 1; 462 } 463 return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len, extra_in_len); 464 } 465 466 // tls_seal_scatter_record seals a new record of type |type| and body |in| and 467 // splits it between |out_prefix|, |out|, and |out_suffix|. Exactly 468 // |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len| 469 // bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It 470 // returns one on success and zero on error. If enabled, 471 // |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and 472 // may write two records concatenated. 473 static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, 474 uint8_t *out_suffix, uint8_t type, 475 const uint8_t *in, size_t in_len) { 476 if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 && 477 ssl_needs_record_splitting(ssl)) { 478 assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0); 479 const size_t prefix_len = SSL3_RT_HEADER_LENGTH; 480 481 // Write the 1-byte fragment into |out_prefix|. 482 uint8_t *split_body = out_prefix + prefix_len; 483 uint8_t *split_suffix = split_body + 1; 484 485 if (!do_seal_record(ssl, out_prefix, split_body, split_suffix, type, in, 486 1)) { 487 return 0; 488 } 489 490 size_t split_record_suffix_len; 491 if (!ssl->s3->aead_write_ctx->SuffixLen(&split_record_suffix_len, 1, 0)) { 492 assert(false); 493 return 0; 494 } 495 const size_t split_record_len = prefix_len + 1 + split_record_suffix_len; 496 assert(SSL3_RT_HEADER_LENGTH + ssl_cipher_get_record_split_len( 497 ssl->s3->aead_write_ctx->cipher()) == 498 split_record_len); 499 500 // Write the n-1-byte fragment. The header gets split between |out_prefix| 501 // (header[:-1]) and |out| (header[-1:]). 502 uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH]; 503 if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, type, in + 1, 504 in_len - 1)) { 505 return 0; 506 } 507 assert(tls_seal_scatter_prefix_len(ssl, type, in_len) == 508 split_record_len + SSL3_RT_HEADER_LENGTH - 1); 509 OPENSSL_memcpy(out_prefix + split_record_len, tmp_prefix, 510 SSL3_RT_HEADER_LENGTH - 1); 511 OPENSSL_memcpy(out, tmp_prefix + SSL3_RT_HEADER_LENGTH - 1, 1); 512 return 1; 513 } 514 515 return do_seal_record(ssl, out_prefix, out, out_suffix, type, in, in_len); 516 } 517 518 int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len, 519 uint8_t type, const uint8_t *in, size_t in_len) { 520 if (buffers_alias(in, in_len, out, max_out_len)) { 521 OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT); 522 return 0; 523 } 524 525 const size_t prefix_len = tls_seal_scatter_prefix_len(ssl, type, in_len); 526 size_t suffix_len; 527 if (!tls_seal_scatter_suffix_len(ssl, &suffix_len, type, in_len)) { 528 return false; 529 } 530 if (in_len + prefix_len < in_len || 531 prefix_len + in_len + suffix_len < prefix_len + in_len) { 532 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); 533 return 0; 534 } 535 if (max_out_len < in_len + prefix_len + suffix_len) { 536 OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL); 537 return 0; 538 } 539 540 uint8_t *prefix = out; 541 uint8_t *body = out + prefix_len; 542 uint8_t *suffix = body + in_len; 543 if (!tls_seal_scatter_record(ssl, prefix, body, suffix, type, in, in_len)) { 544 return 0; 545 } 546 547 *out_len = prefix_len + in_len + suffix_len; 548 return 1; 549 } 550 551 enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert, 552 Span<const uint8_t> in) { 553 // Alerts records may not contain fragmented or multiple alerts. 554 if (in.size() != 2) { 555 *out_alert = SSL_AD_DECODE_ERROR; 556 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT); 557 return ssl_open_record_error; 558 } 559 560 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_ALERT, in); 561 562 const uint8_t alert_level = in[0]; 563 const uint8_t alert_descr = in[1]; 564 565 uint16_t alert = (alert_level << 8) | alert_descr; 566 ssl_do_info_callback(ssl, SSL_CB_READ_ALERT, alert); 567 568 if (alert_level == SSL3_AL_WARNING) { 569 if (alert_descr == SSL_AD_CLOSE_NOTIFY) { 570 ssl->s3->read_shutdown = ssl_shutdown_close_notify; 571 return ssl_open_record_close_notify; 572 } 573 574 // Warning alerts do not exist in TLS 1.3. 575 if (ssl->s3->have_version && 576 ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 577 *out_alert = SSL_AD_DECODE_ERROR; 578 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT); 579 return ssl_open_record_error; 580 } 581 582 ssl->s3->warning_alert_count++; 583 if (ssl->s3->warning_alert_count > kMaxWarningAlerts) { 584 *out_alert = SSL_AD_UNEXPECTED_MESSAGE; 585 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_WARNING_ALERTS); 586 return ssl_open_record_error; 587 } 588 return ssl_open_record_discard; 589 } 590 591 if (alert_level == SSL3_AL_FATAL) { 592 OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr); 593 ERR_add_error_dataf("SSL alert number %d", alert_descr); 594 *out_alert = 0; // No alert to send back to the peer. 595 return ssl_open_record_error; 596 } 597 598 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 599 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_ALERT_TYPE); 600 return ssl_open_record_error; 601 } 602 603 OpenRecordResult OpenRecord(SSL *ssl, Span<uint8_t> *out, 604 size_t *out_record_len, uint8_t *out_alert, 605 const Span<uint8_t> in) { 606 // This API is a work in progress and currently only works for TLS 1.2 servers 607 // and below. 608 if (SSL_in_init(ssl) || 609 SSL_is_dtls(ssl) || 610 ssl_protocol_version(ssl) > TLS1_2_VERSION) { 611 assert(false); 612 *out_alert = SSL_AD_INTERNAL_ERROR; 613 return OpenRecordResult::kError; 614 } 615 616 Span<uint8_t> plaintext; 617 uint8_t type = 0; 618 const ssl_open_record_t result = tls_open_record( 619 ssl, &type, &plaintext, out_record_len, out_alert, in); 620 621 switch (result) { 622 case ssl_open_record_success: 623 if (type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_ALERT) { 624 *out_alert = SSL_AD_UNEXPECTED_MESSAGE; 625 return OpenRecordResult::kError; 626 } 627 *out = plaintext; 628 return OpenRecordResult::kOK; 629 case ssl_open_record_discard: 630 return OpenRecordResult::kDiscard; 631 case ssl_open_record_partial: 632 return OpenRecordResult::kIncompleteRecord; 633 case ssl_open_record_close_notify: 634 return OpenRecordResult::kAlertCloseNotify; 635 case ssl_open_record_error: 636 return OpenRecordResult::kError; 637 } 638 assert(false); 639 return OpenRecordResult::kError; 640 } 641 642 size_t SealRecordPrefixLen(const SSL *ssl, const size_t record_len) { 643 return tls_seal_scatter_prefix_len(ssl, SSL3_RT_APPLICATION_DATA, record_len); 644 } 645 646 size_t SealRecordSuffixLen(const SSL *ssl, const size_t plaintext_len) { 647 assert(plaintext_len <= SSL3_RT_MAX_PLAIN_LENGTH); 648 size_t suffix_len; 649 if (!tls_seal_scatter_suffix_len(ssl, &suffix_len, SSL3_RT_APPLICATION_DATA, 650 plaintext_len)) { 651 assert(false); 652 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 653 return 0; 654 } 655 assert(suffix_len <= SSL3_RT_MAX_ENCRYPTED_OVERHEAD); 656 return suffix_len; 657 } 658 659 bool SealRecord(SSL *ssl, const Span<uint8_t> out_prefix, 660 const Span<uint8_t> out, Span<uint8_t> out_suffix, 661 const Span<const uint8_t> in) { 662 // This API is a work in progress and currently only works for TLS 1.2 servers 663 // and below. 664 if (SSL_in_init(ssl) || 665 SSL_is_dtls(ssl) || 666 ssl_protocol_version(ssl) > TLS1_2_VERSION) { 667 assert(false); 668 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 669 return false; 670 } 671 672 if (out_prefix.size() != SealRecordPrefixLen(ssl, in.size()) || 673 out.size() != in.size() || 674 out_suffix.size() != SealRecordSuffixLen(ssl, in.size())) { 675 OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL); 676 return false; 677 } 678 return tls_seal_scatter_record(ssl, out_prefix.data(), out.data(), 679 out_suffix.data(), SSL3_RT_APPLICATION_DATA, 680 in.data(), in.size()); 681 } 682 683 } // namespace bssl 684 685 using namespace bssl; 686 687 size_t SSL_max_seal_overhead(const SSL *ssl) { 688 if (SSL_is_dtls(ssl)) { 689 return dtls_max_seal_overhead(ssl, dtls1_use_current_epoch); 690 } 691 692 size_t ret = SSL3_RT_HEADER_LENGTH; 693 ret += ssl->s3->aead_write_ctx->MaxOverhead(); 694 // TLS 1.3 needs an extra byte for the encrypted record type. 695 if (!ssl->s3->aead_write_ctx->is_null_cipher() && 696 ssl->s3->aead_write_ctx->ProtocolVersion() >= TLS1_3_VERSION) { 697 ret += 1; 698 } 699 if (ssl_needs_record_splitting(ssl)) { 700 ret *= 2; 701 } 702 return ret; 703 } 704
