1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <openssl/ssl.h>
110
111 #include <assert.h>
112 #include <string.h>
113
114 #include <openssl/bytestring.h>
115 #include <openssl/err.h>
116 #include <openssl/mem.h>
117
118 #include "internal.h"
119 #include "../crypto/internal.h"
120
121
122 BSSL_NAMESPACE_BEGIN
123
124 // kMaxEmptyRecords is the number of consecutive, empty records that will be
125 // processed. Without this limit an attacker could send empty records at a
126 // faster rate than we can process and cause record processing to loop
127 // forever.
128 static const uint8_t kMaxEmptyRecords = 32;
129
130 // kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that
131 // will be skipped. Without this limit an attacker could send records at a
132 // faster rate than we can process and cause trial decryption to loop forever.
133 // This value should be slightly above kMaxEarlyDataAccepted, which is measured
134 // in plaintext.
135 static const size_t kMaxEarlyDataSkipped = 16384;
136
137 // kMaxWarningAlerts is the number of consecutive warning alerts that will be
138 // processed.
139 static const uint8_t kMaxWarningAlerts = 4;
140
141 // ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
142 // state needs record-splitting and zero otherwise.
ssl_needs_record_splitting(const SSL * ssl)143 static bool ssl_needs_record_splitting(const SSL *ssl) {
144 #if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
145 return !ssl->s3->aead_write_ctx->is_null_cipher() &&
146 ssl->s3->aead_write_ctx->ProtocolVersion() < TLS1_1_VERSION &&
147 (ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 &&
148 SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher());
149 #else
150 return false;
151 #endif
152 }
153
ssl_record_prefix_len(const SSL * ssl)154 size_t ssl_record_prefix_len(const SSL *ssl) {
155 size_t header_len;
156 if (SSL_is_dtls(ssl)) {
157 header_len = DTLS1_RT_HEADER_LENGTH;
158 } else {
159 header_len = SSL3_RT_HEADER_LENGTH;
160 }
161
162 return header_len + ssl->s3->aead_read_ctx->ExplicitNonceLen();
163 }
164
ssl_seal_align_prefix_len(const SSL * ssl)165 size_t ssl_seal_align_prefix_len(const SSL *ssl) {
166 if (SSL_is_dtls(ssl)) {
167 return DTLS1_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen();
168 }
169
170 size_t ret =
171 SSL3_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen();
172 if (ssl_needs_record_splitting(ssl)) {
173 ret += SSL3_RT_HEADER_LENGTH;
174 ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());
175 }
176 return ret;
177 }
178
skip_early_data(SSL * ssl,uint8_t * out_alert,size_t consumed)179 static ssl_open_record_t skip_early_data(SSL *ssl, uint8_t *out_alert,
180 size_t consumed) {
181 ssl->s3->early_data_skipped += consumed;
182 if (ssl->s3->early_data_skipped < consumed) {
183 ssl->s3->early_data_skipped = kMaxEarlyDataSkipped + 1;
184 }
185
186 if (ssl->s3->early_data_skipped > kMaxEarlyDataSkipped) {
187 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA);
188 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
189 return ssl_open_record_error;
190 }
191
192 return ssl_open_record_discard;
193 }
194
tls_open_record(SSL * ssl,uint8_t * out_type,Span<uint8_t> * out,size_t * out_consumed,uint8_t * out_alert,Span<uint8_t> in)195 ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type,
196 Span<uint8_t> *out, size_t *out_consumed,
197 uint8_t *out_alert, Span<uint8_t> in) {
198 *out_consumed = 0;
199 if (ssl->s3->read_shutdown == ssl_shutdown_close_notify) {
200 return ssl_open_record_close_notify;
201 }
202
203 // If there is an unprocessed handshake message or we are already buffering
204 // too much, stop before decrypting another handshake record.
205 if (!tls_can_accept_handshake_data(ssl, out_alert)) {
206 return ssl_open_record_error;
207 }
208
209 CBS cbs = CBS(in);
210
211 // Decode the record header.
212 uint8_t type;
213 uint16_t version, ciphertext_len;
214 if (!CBS_get_u8(&cbs, &type) ||
215 !CBS_get_u16(&cbs, &version) ||
216 !CBS_get_u16(&cbs, &ciphertext_len)) {
217 *out_consumed = SSL3_RT_HEADER_LENGTH;
218 return ssl_open_record_partial;
219 }
220
221 bool version_ok;
222 if (ssl->s3->aead_read_ctx->is_null_cipher()) {
223 // Only check the first byte. Enforcing beyond that can prevent decoding
224 // version negotiation failure alerts.
225 version_ok = (version >> 8) == SSL3_VERSION_MAJOR;
226 } else {
227 version_ok = version == ssl->s3->aead_read_ctx->RecordVersion();
228 }
229
230 if (!version_ok) {
231 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
232 *out_alert = SSL_AD_PROTOCOL_VERSION;
233 return ssl_open_record_error;
234 }
235
236 // Check the ciphertext length.
237 if (ciphertext_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
238 OPENSSL_PUT_ERROR(SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
239 *out_alert = SSL_AD_RECORD_OVERFLOW;
240 return ssl_open_record_error;
241 }
242
243 // Extract the body.
244 CBS body;
245 if (!CBS_get_bytes(&cbs, &body, ciphertext_len)) {
246 *out_consumed = SSL3_RT_HEADER_LENGTH + (size_t)ciphertext_len;
247 return ssl_open_record_partial;
248 }
249
250 Span<const uint8_t> header = in.subspan(0, SSL3_RT_HEADER_LENGTH);
251 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HEADER, header);
252
253 *out_consumed = in.size() - CBS_len(&cbs);
254
255 if (ssl->s3->have_version &&
256 ssl_protocol_version(ssl) >= TLS1_3_VERSION &&
257 SSL_in_init(ssl) &&
258 type == SSL3_RT_CHANGE_CIPHER_SPEC &&
259 ciphertext_len == 1 &&
260 CBS_data(&body)[0] == 1) {
261 ssl->s3->empty_record_count++;
262 if (ssl->s3->empty_record_count > kMaxEmptyRecords) {
263 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS);
264 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
265 return ssl_open_record_error;
266 }
267 return ssl_open_record_discard;
268 }
269
270 // Skip early data received when expecting a second ClientHello if we rejected
271 // 0RTT.
272 if (ssl->s3->skip_early_data &&
273 ssl->s3->aead_read_ctx->is_null_cipher() &&
274 type == SSL3_RT_APPLICATION_DATA) {
275 return skip_early_data(ssl, out_alert, *out_consumed);
276 }
277
278 // Ensure the sequence number update does not overflow.
279 if (ssl->s3->read_sequence + 1 == 0) {
280 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
281 *out_alert = SSL_AD_INTERNAL_ERROR;
282 return ssl_open_record_error;
283 }
284
285 // Decrypt the body in-place.
286 if (!ssl->s3->aead_read_ctx->Open(
287 out, type, version, ssl->s3->read_sequence, header,
288 MakeSpan(const_cast<uint8_t *>(CBS_data(&body)), CBS_len(&body)))) {
289 if (ssl->s3->skip_early_data && !ssl->s3->aead_read_ctx->is_null_cipher()) {
290 ERR_clear_error();
291 return skip_early_data(ssl, out_alert, *out_consumed);
292 }
293
294 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
295 *out_alert = SSL_AD_BAD_RECORD_MAC;
296 return ssl_open_record_error;
297 }
298
299 ssl->s3->skip_early_data = false;
300 ssl->s3->read_sequence++;
301
302 // TLS 1.3 hides the record type inside the encrypted data.
303 bool has_padding =
304 !ssl->s3->aead_read_ctx->is_null_cipher() &&
305 ssl->s3->aead_read_ctx->ProtocolVersion() >= TLS1_3_VERSION;
306
307 // If there is padding, the plaintext limit includes the padding, but includes
308 // extra room for the inner content type.
309 size_t plaintext_limit =
310 has_padding ? SSL3_RT_MAX_PLAIN_LENGTH + 1 : SSL3_RT_MAX_PLAIN_LENGTH;
311 if (out->size() > plaintext_limit) {
312 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
313 *out_alert = SSL_AD_RECORD_OVERFLOW;
314 return ssl_open_record_error;
315 }
316
317 if (has_padding) {
318 // The outer record type is always application_data.
319 if (type != SSL3_RT_APPLICATION_DATA) {
320 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE);
321 *out_alert = SSL_AD_DECODE_ERROR;
322 return ssl_open_record_error;
323 }
324
325 do {
326 if (out->empty()) {
327 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
328 *out_alert = SSL_AD_DECRYPT_ERROR;
329 return ssl_open_record_error;
330 }
331 type = out->back();
332 *out = out->subspan(0, out->size() - 1);
333 } while (type == 0);
334 }
335
336 // Limit the number of consecutive empty records.
337 if (out->empty()) {
338 ssl->s3->empty_record_count++;
339 if (ssl->s3->empty_record_count > kMaxEmptyRecords) {
340 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS);
341 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
342 return ssl_open_record_error;
343 }
344 // Apart from the limit, empty records are returned up to the caller. This
345 // allows the caller to reject records of the wrong type.
346 } else {
347 ssl->s3->empty_record_count = 0;
348 }
349
350 if (type == SSL3_RT_ALERT) {
351 return ssl_process_alert(ssl, out_alert, *out);
352 }
353
354 // Handshake messages may not interleave with any other record type.
355 if (type != SSL3_RT_HANDSHAKE &&
356 tls_has_unprocessed_handshake_data(ssl)) {
357 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
358 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
359 return ssl_open_record_error;
360 }
361
362 ssl->s3->warning_alert_count = 0;
363
364 *out_type = type;
365 return ssl_open_record_success;
366 }
367
do_seal_record(SSL * ssl,uint8_t * out_prefix,uint8_t * out,uint8_t * out_suffix,uint8_t type,const uint8_t * in,const size_t in_len)368 static bool do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
369 uint8_t *out_suffix, uint8_t type, const uint8_t *in,
370 const size_t in_len) {
371 SSLAEADContext *aead = ssl->s3->aead_write_ctx.get();
372 uint8_t *extra_in = NULL;
373 size_t extra_in_len = 0;
374 if (!aead->is_null_cipher() &&
375 aead->ProtocolVersion() >= TLS1_3_VERSION) {
376 // TLS 1.3 hides the actual record type inside the encrypted data.
377 extra_in = &type;
378 extra_in_len = 1;
379 }
380
381 size_t suffix_len, ciphertext_len;
382 if (!aead->SuffixLen(&suffix_len, in_len, extra_in_len) ||
383 !aead->CiphertextLen(&ciphertext_len, in_len, extra_in_len)) {
384 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
385 return false;
386 }
387
388 assert(in == out || !buffers_alias(in, in_len, out, in_len));
389 assert(!buffers_alias(in, in_len, out_prefix, ssl_record_prefix_len(ssl)));
390 assert(!buffers_alias(in, in_len, out_suffix, suffix_len));
391
392 if (extra_in_len) {
393 out_prefix[0] = SSL3_RT_APPLICATION_DATA;
394 } else {
395 out_prefix[0] = type;
396 }
397
398 uint16_t record_version = aead->RecordVersion();
399
400 out_prefix[1] = record_version >> 8;
401 out_prefix[2] = record_version & 0xff;
402 out_prefix[3] = ciphertext_len >> 8;
403 out_prefix[4] = ciphertext_len & 0xff;
404 Span<const uint8_t> header = MakeSpan(out_prefix, SSL3_RT_HEADER_LENGTH);
405
406 // Ensure the sequence number update does not overflow.
407 if (ssl->s3->write_sequence + 1 == 0) {
408 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
409 return false;
410 }
411
412 if (!aead->SealScatter(out_prefix + SSL3_RT_HEADER_LENGTH, out, out_suffix,
413 out_prefix[0], record_version, ssl->s3->write_sequence,
414 header, in, in_len, extra_in, extra_in_len)) {
415 return false;
416 }
417
418 ssl->s3->write_sequence++;
419 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, header);
420 return true;
421 }
422
tls_seal_scatter_prefix_len(const SSL * ssl,uint8_t type,size_t in_len)423 static size_t tls_seal_scatter_prefix_len(const SSL *ssl, uint8_t type,
424 size_t in_len) {
425 size_t ret = SSL3_RT_HEADER_LENGTH;
426 if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
427 ssl_needs_record_splitting(ssl)) {
428 // In the case of record splitting, the 1-byte record (of the 1/n-1 split)
429 // will be placed in the prefix, as will four of the five bytes of the
430 // record header for the main record. The final byte will replace the first
431 // byte of the plaintext that was used in the small record.
432 ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());
433 ret += SSL3_RT_HEADER_LENGTH - 1;
434 } else {
435 ret += ssl->s3->aead_write_ctx->ExplicitNonceLen();
436 }
437 return ret;
438 }
439
tls_seal_scatter_suffix_len(const SSL * ssl,size_t * out_suffix_len,uint8_t type,size_t in_len)440 static bool tls_seal_scatter_suffix_len(const SSL *ssl, size_t *out_suffix_len,
441 uint8_t type, size_t in_len) {
442 size_t extra_in_len = 0;
443 if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
444 ssl->s3->aead_write_ctx->ProtocolVersion() >= TLS1_3_VERSION) {
445 // TLS 1.3 adds an extra byte for encrypted record type.
446 extra_in_len = 1;
447 }
448 // clang-format off
449 if (type == SSL3_RT_APPLICATION_DATA &&
450 in_len > 1 &&
451 ssl_needs_record_splitting(ssl)) {
452 // With record splitting enabled, the first byte gets sealed into a separate
453 // record which is written into the prefix.
454 in_len -= 1;
455 }
456 // clang-format on
457 return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len, extra_in_len);
458 }
459
460 // tls_seal_scatter_record seals a new record of type |type| and body |in| and
461 // splits it between |out_prefix|, |out|, and |out_suffix|. Exactly
462 // |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|
463 // bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It
464 // returns one on success and zero on error. If enabled,
465 // |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
466 // may write two records concatenated.
tls_seal_scatter_record(SSL * ssl,uint8_t * out_prefix,uint8_t * out,uint8_t * out_suffix,uint8_t type,const uint8_t * in,size_t in_len)467 static bool tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
468 uint8_t *out_suffix, uint8_t type,
469 const uint8_t *in, size_t in_len) {
470 if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
471 ssl_needs_record_splitting(ssl)) {
472 assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0);
473 const size_t prefix_len = SSL3_RT_HEADER_LENGTH;
474
475 // Write the 1-byte fragment into |out_prefix|.
476 uint8_t *split_body = out_prefix + prefix_len;
477 uint8_t *split_suffix = split_body + 1;
478
479 if (!do_seal_record(ssl, out_prefix, split_body, split_suffix, type, in,
480 1)) {
481 return false;
482 }
483
484 size_t split_record_suffix_len;
485 if (!ssl->s3->aead_write_ctx->SuffixLen(&split_record_suffix_len, 1, 0)) {
486 assert(false);
487 return false;
488 }
489 const size_t split_record_len = prefix_len + 1 + split_record_suffix_len;
490 assert(SSL3_RT_HEADER_LENGTH + ssl_cipher_get_record_split_len(
491 ssl->s3->aead_write_ctx->cipher()) ==
492 split_record_len);
493
494 // Write the n-1-byte fragment. The header gets split between |out_prefix|
495 // (header[:-1]) and |out| (header[-1:]).
496 uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH];
497 if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, type, in + 1,
498 in_len - 1)) {
499 return false;
500 }
501 assert(tls_seal_scatter_prefix_len(ssl, type, in_len) ==
502 split_record_len + SSL3_RT_HEADER_LENGTH - 1);
503 OPENSSL_memcpy(out_prefix + split_record_len, tmp_prefix,
504 SSL3_RT_HEADER_LENGTH - 1);
505 OPENSSL_memcpy(out, tmp_prefix + SSL3_RT_HEADER_LENGTH - 1, 1);
506 return true;
507 }
508
509 return do_seal_record(ssl, out_prefix, out, out_suffix, type, in, in_len);
510 }
511
tls_seal_record(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,uint8_t type,const uint8_t * in,size_t in_len)512 bool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len,
513 size_t max_out_len, uint8_t type, const uint8_t *in,
514 size_t in_len) {
515 if (buffers_alias(in, in_len, out, max_out_len)) {
516 OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
517 return false;
518 }
519
520 const size_t prefix_len = tls_seal_scatter_prefix_len(ssl, type, in_len);
521 size_t suffix_len;
522 if (!tls_seal_scatter_suffix_len(ssl, &suffix_len, type, in_len)) {
523 return false;
524 }
525 if (in_len + prefix_len < in_len ||
526 prefix_len + in_len + suffix_len < prefix_len + in_len) {
527 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
528 return false;
529 }
530 if (max_out_len < in_len + prefix_len + suffix_len) {
531 OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
532 return false;
533 }
534
535 uint8_t *prefix = out;
536 uint8_t *body = out + prefix_len;
537 uint8_t *suffix = body + in_len;
538 if (!tls_seal_scatter_record(ssl, prefix, body, suffix, type, in, in_len)) {
539 return false;
540 }
541
542 *out_len = prefix_len + in_len + suffix_len;
543 return true;
544 }
545
ssl_process_alert(SSL * ssl,uint8_t * out_alert,Span<const uint8_t> in)546 enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
547 Span<const uint8_t> in) {
548 // Alerts records may not contain fragmented or multiple alerts.
549 if (in.size() != 2) {
550 *out_alert = SSL_AD_DECODE_ERROR;
551 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
552 return ssl_open_record_error;
553 }
554
555 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_ALERT, in);
556
557 const uint8_t alert_level = in[0];
558 const uint8_t alert_descr = in[1];
559
560 uint16_t alert = (alert_level << 8) | alert_descr;
561 ssl_do_info_callback(ssl, SSL_CB_READ_ALERT, alert);
562
563 if (alert_level == SSL3_AL_WARNING) {
564 if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
565 ssl->s3->read_shutdown = ssl_shutdown_close_notify;
566 return ssl_open_record_close_notify;
567 }
568
569 // Warning alerts do not exist in TLS 1.3, but RFC 8446 section 6.1
570 // continues to define user_canceled as a signal to cancel the handshake,
571 // without specifying how to handle it. JDK11 misuses it to signal
572 // full-duplex connection close after the handshake. As a workaround, skip
573 // user_canceled as in TLS 1.2. This matches NSS and OpenSSL.
574 if (ssl->s3->have_version &&
575 ssl_protocol_version(ssl) >= TLS1_3_VERSION &&
576 alert_descr != SSL_AD_USER_CANCELLED) {
577 *out_alert = SSL_AD_DECODE_ERROR;
578 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
579 return ssl_open_record_error;
580 }
581
582 ssl->s3->warning_alert_count++;
583 if (ssl->s3->warning_alert_count > kMaxWarningAlerts) {
584 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
585 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_WARNING_ALERTS);
586 return ssl_open_record_error;
587 }
588 return ssl_open_record_discard;
589 }
590
591 if (alert_level == SSL3_AL_FATAL) {
592 OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr);
593 ERR_add_error_dataf("SSL alert number %d", alert_descr);
594 *out_alert = 0; // No alert to send back to the peer.
595 return ssl_open_record_error;
596 }
597
598 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
599 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_ALERT_TYPE);
600 return ssl_open_record_error;
601 }
602
603 BSSL_NAMESPACE_END
604
605 using namespace bssl;
606
SSL_max_seal_overhead(const SSL * ssl)607 size_t SSL_max_seal_overhead(const SSL *ssl) {
608 if (SSL_is_dtls(ssl)) {
609 return dtls_max_seal_overhead(ssl, dtls1_use_current_epoch);
610 }
611
612 size_t ret = SSL3_RT_HEADER_LENGTH;
613 ret += ssl->s3->aead_write_ctx->MaxOverhead();
614 // TLS 1.3 needs an extra byte for the encrypted record type.
615 if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
616 ssl->s3->aead_write_ctx->ProtocolVersion() >= TLS1_3_VERSION) {
617 ret += 1;
618 }
619 if (ssl_needs_record_splitting(ssl)) {
620 ret *= 2;
621 }
622 return ret;
623 }
624