1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <openssl/ssl.h>
110
111 #include <assert.h>
112 #include <string.h>
113
114 #include <openssl/bytestring.h>
115 #include <openssl/err.h>
116 #include <openssl/mem.h>
117
118 #include "internal.h"
119 #include "../crypto/internal.h"
120
121
122 /* kMaxEmptyRecords is the number of consecutive, empty records that will be
123 * processed. Without this limit an attacker could send empty records at a
124 * faster rate than we can process and cause record processing to loop
125 * forever. */
126 static const uint8_t kMaxEmptyRecords = 32;
127
128 /* kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that
129 * will be skipped. Without this limit an attacker could send records at a
130 * faster rate than we can process and cause trial decryption to loop forever.
131 * This value should be slightly above kMaxEarlyDataAccepted, which is measured
132 * in plaintext. */
133 static const size_t kMaxEarlyDataSkipped = 16384;
134
135 /* kMaxWarningAlerts is the number of consecutive warning alerts that will be
136 * processed. */
137 static const uint8_t kMaxWarningAlerts = 4;
138
139 /* ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
140 * state needs record-splitting and zero otherwise. */
ssl_needs_record_splitting(const SSL * ssl)141 static int ssl_needs_record_splitting(const SSL *ssl) {
142 #if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
143 return ssl->s3->aead_write_ctx != NULL &&
144 ssl->s3->aead_write_ctx->version < TLS1_1_VERSION &&
145 (ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 &&
146 SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher);
147 #else
148 return 0;
149 #endif
150 }
151
ssl_record_sequence_update(uint8_t * seq,size_t seq_len)152 int ssl_record_sequence_update(uint8_t *seq, size_t seq_len) {
153 for (size_t i = seq_len - 1; i < seq_len; i--) {
154 ++seq[i];
155 if (seq[i] != 0) {
156 return 1;
157 }
158 }
159 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
160 return 0;
161 }
162
ssl_record_prefix_len(const SSL * ssl)163 size_t ssl_record_prefix_len(const SSL *ssl) {
164 size_t header_len;
165 if (SSL_is_dtls(ssl)) {
166 header_len = DTLS1_RT_HEADER_LENGTH;
167 } else {
168 header_len = SSL3_RT_HEADER_LENGTH;
169 }
170
171 return header_len + SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_read_ctx);
172 }
173
ssl_seal_align_prefix_len(const SSL * ssl)174 size_t ssl_seal_align_prefix_len(const SSL *ssl) {
175 if (SSL_is_dtls(ssl)) {
176 return DTLS1_RT_HEADER_LENGTH +
177 SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx);
178 }
179
180 size_t ret = SSL3_RT_HEADER_LENGTH +
181 SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx);
182 if (ssl_needs_record_splitting(ssl)) {
183 ret += SSL3_RT_HEADER_LENGTH;
184 ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher);
185 }
186 return ret;
187 }
188
SSL_max_seal_overhead(const SSL * ssl)189 size_t SSL_max_seal_overhead(const SSL *ssl) {
190 if (SSL_is_dtls(ssl)) {
191 return dtls_max_seal_overhead(ssl, dtls1_use_current_epoch);
192 }
193
194 size_t ret = SSL3_RT_HEADER_LENGTH;
195 ret += SSL_AEAD_CTX_max_overhead(ssl->s3->aead_write_ctx);
196 /* TLS 1.3 needs an extra byte for the encrypted record type. */
197 if (ssl->s3->aead_write_ctx != NULL &&
198 ssl->s3->aead_write_ctx->version >= TLS1_3_VERSION) {
199 ret += 1;
200 }
201 if (ssl_needs_record_splitting(ssl)) {
202 ret *= 2;
203 }
204 return ret;
205 }
206
tls_open_record(SSL * ssl,uint8_t * out_type,CBS * out,size_t * out_consumed,uint8_t * out_alert,uint8_t * in,size_t in_len)207 enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
208 size_t *out_consumed, uint8_t *out_alert,
209 uint8_t *in, size_t in_len) {
210 *out_consumed = 0;
211
212 CBS cbs;
213 CBS_init(&cbs, in, in_len);
214
215 /* Decode the record header. */
216 uint8_t type;
217 uint16_t version, ciphertext_len;
218 if (!CBS_get_u8(&cbs, &type) ||
219 !CBS_get_u16(&cbs, &version) ||
220 !CBS_get_u16(&cbs, &ciphertext_len)) {
221 *out_consumed = SSL3_RT_HEADER_LENGTH;
222 return ssl_open_record_partial;
223 }
224
225 int version_ok;
226 if (ssl->s3->aead_read_ctx == NULL) {
227 /* Only check the first byte. Enforcing beyond that can prevent decoding
228 * version negotiation failure alerts. */
229 version_ok = (version >> 8) == SSL3_VERSION_MAJOR;
230 } else if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
231 /* Earlier versions of TLS switch the record version. */
232 version_ok = version == ssl->version;
233 } else {
234 /* Starting TLS 1.3, the version field is frozen at {3, 1}. */
235 version_ok = version == TLS1_VERSION;
236 }
237
238 if (!version_ok) {
239 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
240 *out_alert = SSL_AD_PROTOCOL_VERSION;
241 return ssl_open_record_error;
242 }
243
244 /* Check the ciphertext length. */
245 if (ciphertext_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
246 OPENSSL_PUT_ERROR(SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
247 *out_alert = SSL_AD_RECORD_OVERFLOW;
248 return ssl_open_record_error;
249 }
250
251 /* Extract the body. */
252 CBS body;
253 if (!CBS_get_bytes(&cbs, &body, ciphertext_len)) {
254 *out_consumed = SSL3_RT_HEADER_LENGTH + (size_t)ciphertext_len;
255 return ssl_open_record_partial;
256 }
257
258 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HEADER, in,
259 SSL3_RT_HEADER_LENGTH);
260
261 *out_consumed = in_len - CBS_len(&cbs);
262
263 /* Skip early data received when expecting a second ClientHello if we rejected
264 * 0RTT. */
265 if (ssl->s3->skip_early_data &&
266 ssl->s3->aead_read_ctx == NULL &&
267 type == SSL3_RT_APPLICATION_DATA) {
268 goto skipped_data;
269 }
270
271 /* Decrypt the body in-place. */
272 if (!SSL_AEAD_CTX_open(ssl->s3->aead_read_ctx, out, type, version,
273 ssl->s3->read_sequence, (uint8_t *)CBS_data(&body),
274 CBS_len(&body))) {
275 if (ssl->s3->skip_early_data &&
276 ssl->s3->aead_read_ctx != NULL) {
277 ERR_clear_error();
278 goto skipped_data;
279 }
280
281 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
282 *out_alert = SSL_AD_BAD_RECORD_MAC;
283 return ssl_open_record_error;
284 }
285
286 ssl->s3->skip_early_data = 0;
287
288 if (!ssl_record_sequence_update(ssl->s3->read_sequence, 8)) {
289 *out_alert = SSL_AD_INTERNAL_ERROR;
290 return ssl_open_record_error;
291 }
292
293 /* TLS 1.3 hides the record type inside the encrypted data. */
294 if (ssl->s3->aead_read_ctx != NULL &&
295 ssl->s3->aead_read_ctx->version >= TLS1_3_VERSION) {
296 /* The outer record type is always application_data. */
297 if (type != SSL3_RT_APPLICATION_DATA) {
298 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE);
299 *out_alert = SSL_AD_DECODE_ERROR;
300 return ssl_open_record_error;
301 }
302
303 do {
304 if (!CBS_get_last_u8(out, &type)) {
305 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
306 *out_alert = SSL_AD_DECRYPT_ERROR;
307 return ssl_open_record_error;
308 }
309 } while (type == 0);
310 }
311
312 /* Check the plaintext length. */
313 if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) {
314 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
315 *out_alert = SSL_AD_RECORD_OVERFLOW;
316 return ssl_open_record_error;
317 }
318
319 /* Limit the number of consecutive empty records. */
320 if (CBS_len(out) == 0) {
321 ssl->s3->empty_record_count++;
322 if (ssl->s3->empty_record_count > kMaxEmptyRecords) {
323 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS);
324 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
325 return ssl_open_record_error;
326 }
327 /* Apart from the limit, empty records are returned up to the caller. This
328 * allows the caller to reject records of the wrong type. */
329 } else {
330 ssl->s3->empty_record_count = 0;
331 }
332
333 if (type == SSL3_RT_ALERT) {
334 /* Return end_of_early_data alerts as-is for the caller to process. */
335 if (CBS_len(out) == 2 &&
336 CBS_data(out)[0] == SSL3_AL_WARNING &&
337 CBS_data(out)[1] == TLS1_AD_END_OF_EARLY_DATA) {
338 *out_type = type;
339 return ssl_open_record_success;
340 }
341
342 return ssl_process_alert(ssl, out_alert, CBS_data(out), CBS_len(out));
343 }
344
345 ssl->s3->warning_alert_count = 0;
346
347 *out_type = type;
348 return ssl_open_record_success;
349
350 skipped_data:
351 ssl->s3->early_data_skipped += *out_consumed;
352 if (ssl->s3->early_data_skipped < *out_consumed) {
353 ssl->s3->early_data_skipped = kMaxEarlyDataSkipped + 1;
354 }
355
356 if (ssl->s3->early_data_skipped > kMaxEarlyDataSkipped) {
357 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA);
358 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
359 return ssl_open_record_error;
360 }
361
362 return ssl_open_record_discard;
363 }
364
do_seal_record(SSL * ssl,uint8_t * out_prefix,uint8_t * out,uint8_t * out_suffix,size_t * out_suffix_len,const size_t max_out_suffix_len,uint8_t type,const uint8_t * in,const size_t in_len)365 static int do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
366 uint8_t *out_suffix, size_t *out_suffix_len,
367 const size_t max_out_suffix_len, uint8_t type,
368 const uint8_t *in, const size_t in_len) {
369 assert(in == out || !buffers_alias(in, in_len, out, in_len));
370 assert(!buffers_alias(in, in_len, out_prefix, ssl_record_prefix_len(ssl)));
371 assert(!buffers_alias(in, in_len, out_suffix, max_out_suffix_len));
372
373 /* TLS 1.3 hides the actual record type inside the encrypted data. */
374 uint8_t *extra_in = NULL;
375 size_t extra_in_len = 0;
376 if (ssl->s3->aead_write_ctx != NULL &&
377 ssl->s3->aead_write_ctx->version >= TLS1_3_VERSION) {
378 extra_in = &type;
379 extra_in_len = 1;
380 out_prefix[0] = SSL3_RT_APPLICATION_DATA;
381 } else {
382 out_prefix[0] = type;
383 }
384
385 /* The TLS record-layer version number is meaningless and, starting in
386 * TLS 1.3, is frozen at TLS 1.0. But for historical reasons, SSL 3.0
387 * ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version
388 * to change after version negotiation. */
389 uint16_t wire_version = TLS1_VERSION;
390 if (ssl->s3->hs != NULL && ssl->s3->hs->max_version == SSL3_VERSION) {
391 wire_version = SSL3_VERSION;
392 }
393 if (ssl->s3->have_version && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
394 wire_version = ssl->version;
395 }
396 out_prefix[1] = wire_version >> 8;
397 out_prefix[2] = wire_version & 0xff;
398
399 /* Write the ciphertext, leaving two bytes for the length. */
400 if (!SSL_AEAD_CTX_seal_scatter(
401 ssl->s3->aead_write_ctx, out_prefix + SSL3_RT_HEADER_LENGTH, out,
402 out_suffix, out_suffix_len, max_out_suffix_len, type, wire_version,
403 ssl->s3->write_sequence, in, in_len, extra_in, extra_in_len) ||
404 !ssl_record_sequence_update(ssl->s3->write_sequence, 8)) {
405 return 0;
406 }
407
408 /* Fill in the length. */
409 const size_t ciphertext_len =
410 SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx) + in_len +
411 *out_suffix_len;
412 if (ciphertext_len >= 1 << 15) {
413 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
414 return 0;
415 }
416 out_prefix[3] = ciphertext_len >> 8;
417 out_prefix[4] = ciphertext_len & 0xff;
418
419 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, out_prefix,
420 SSL3_RT_HEADER_LENGTH);
421 return 1;
422 }
423
tls_seal_scatter_prefix_len(const SSL * ssl,uint8_t type,size_t in_len)424 static size_t tls_seal_scatter_prefix_len(const SSL *ssl, uint8_t type,
425 size_t in_len) {
426 size_t ret = SSL3_RT_HEADER_LENGTH;
427 if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
428 ssl_needs_record_splitting(ssl)) {
429 /* In the case of record splitting, the 1-byte record (of the 1/n-1 split)
430 * will be placed in the prefix, as will four of the five bytes of the
431 * record header for the main record. The final byte will replace the first
432 * byte of the plaintext that was used in the small record. */
433 ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher);
434 ret += SSL3_RT_HEADER_LENGTH - 1;
435 } else {
436 ret += SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx);
437 }
438 return ret;
439 }
440
441 /* tls_seal_scatter_record seals a new record of type |type| and body |in| and
442 * splits it between |out_prefix|, |out|, and |out_suffix|. Exactly
443 * |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|
444 * bytes to |out|, and up to 1 + |SSL_AEAD_CTX_max_overhead| bytes to
445 * |out_suffix|. |*out_suffix_len| is set to the actual number of bytes written
446 * to |out_suffix|. It returns one on success and zero on error. If enabled,
447 * |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
448 * may write two records concatenated. */
tls_seal_scatter_record(SSL * ssl,uint8_t * out_prefix,uint8_t * out,uint8_t * out_suffix,size_t * out_suffix_len,size_t max_out_suffix_len,uint8_t type,const uint8_t * in,size_t in_len)449 static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
450 uint8_t *out_suffix, size_t *out_suffix_len,
451 size_t max_out_suffix_len, uint8_t type,
452 const uint8_t *in, size_t in_len) {
453 if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
454 ssl_needs_record_splitting(ssl)) {
455 assert(SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx) == 0);
456 const size_t prefix_len = SSL3_RT_HEADER_LENGTH;
457
458 /* Write the 1-byte fragment into |out_prefix|. */
459 uint8_t *split_body = out_prefix + prefix_len;
460 uint8_t *split_suffix = split_body + 1;
461
462 /* TODO(martinkr): Make AEAD code not complain if max_suffix_len is lower
463 * than |EVP_AEAD_max_overhead| but still sufficiently large. */
464 size_t split_max_suffix_len =
465 SSL_AEAD_CTX_max_suffix_len(ssl->s3->aead_write_ctx, 0);
466 size_t split_suffix_len = 0;
467 if (!do_seal_record(ssl, out_prefix, split_body, split_suffix,
468 &split_suffix_len, split_max_suffix_len, type, in, 1)) {
469 return 0;
470 }
471
472 size_t split_record_len = prefix_len + 1 + split_suffix_len;
473
474 assert(SSL3_RT_HEADER_LENGTH + ssl_cipher_get_record_split_len(
475 ssl->s3->aead_write_ctx->cipher) ==
476 split_record_len);
477
478 /* Write the n-1-byte fragment. The header gets split between |out_prefix|
479 * (header[:-1]) and |out| (header[-1:]). */
480 uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH];
481 if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, out_suffix_len,
482 max_out_suffix_len, type, in + 1, in_len - 1)) {
483 return 0;
484 }
485 assert(tls_seal_scatter_prefix_len(ssl, type, in_len) ==
486 split_record_len + SSL3_RT_HEADER_LENGTH - 1);
487 OPENSSL_memcpy(out_prefix + split_record_len, tmp_prefix,
488 SSL3_RT_HEADER_LENGTH - 1);
489 OPENSSL_memcpy(out, tmp_prefix + SSL3_RT_HEADER_LENGTH - 1, 1);
490 return 1;
491 }
492
493 return do_seal_record(ssl, out_prefix, out, out_suffix, out_suffix_len,
494 max_out_suffix_len, type, in, in_len);
495 }
496
tls_seal_record(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out_len,uint8_t type,const uint8_t * in,size_t in_len)497 int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
498 uint8_t type, const uint8_t *in, size_t in_len) {
499 if (buffers_alias(in, in_len, out, max_out_len)) {
500 OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
501 return 0;
502 }
503
504 const size_t prefix_len = tls_seal_scatter_prefix_len(ssl, type, in_len);
505
506 if (in_len + prefix_len < in_len) {
507 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
508 return 0;
509 }
510 if (max_out_len < in_len + prefix_len) {
511 OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
512 return 0;
513 }
514
515 uint8_t *prefix = out;
516 uint8_t *body = out + prefix_len;
517 uint8_t *suffix = body + in_len;
518 size_t max_suffix_len = max_out_len - prefix_len - in_len;
519 size_t suffix_len = 0;
520
521 if (!tls_seal_scatter_record(ssl, prefix, body, suffix, &suffix_len,
522 max_suffix_len, type, in, in_len)) {
523 return 0;
524 }
525
526 if (prefix_len + in_len + suffix_len < prefix_len + in_len) {
527 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
528 return 0;
529 }
530
531 *out_len = prefix_len + in_len + suffix_len;
532 return 1;
533 }
534
ssl_process_alert(SSL * ssl,uint8_t * out_alert,const uint8_t * in,size_t in_len)535 enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
536 const uint8_t *in, size_t in_len) {
537 /* Alerts records may not contain fragmented or multiple alerts. */
538 if (in_len != 2) {
539 *out_alert = SSL_AD_DECODE_ERROR;
540 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
541 return ssl_open_record_error;
542 }
543
544 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_ALERT, in, in_len);
545
546 const uint8_t alert_level = in[0];
547 const uint8_t alert_descr = in[1];
548
549 uint16_t alert = (alert_level << 8) | alert_descr;
550 ssl_do_info_callback(ssl, SSL_CB_READ_ALERT, alert);
551
552 if (alert_level == SSL3_AL_WARNING) {
553 if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
554 ssl->s3->recv_shutdown = ssl_shutdown_close_notify;
555 return ssl_open_record_close_notify;
556 }
557
558 /* Warning alerts do not exist in TLS 1.3. */
559 if (ssl->s3->have_version &&
560 ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
561 *out_alert = SSL_AD_DECODE_ERROR;
562 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
563 return ssl_open_record_error;
564 }
565
566 ssl->s3->warning_alert_count++;
567 if (ssl->s3->warning_alert_count > kMaxWarningAlerts) {
568 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
569 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_WARNING_ALERTS);
570 return ssl_open_record_error;
571 }
572 return ssl_open_record_discard;
573 }
574
575 if (alert_level == SSL3_AL_FATAL) {
576 ssl->s3->recv_shutdown = ssl_shutdown_fatal_alert;
577
578 char tmp[16];
579 OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr);
580 BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr);
581 ERR_add_error_data(2, "SSL alert number ", tmp);
582 return ssl_open_record_fatal_alert;
583 }
584
585 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
586 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_ALERT_TYPE);
587 return ssl_open_record_error;
588 }
589