kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2202 Commits
12 Branches
38 MiB
Tree: 95219feafd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '95219feafd'
${ noResults }
boringssl/ssl/tls_record.c

tls_record.c 14 KiB
Raw Normal View History

Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Tidy up keyblock and CCS logic slightly. Move the actual SSL_AEAD_CTX swap into the record layer. Also revise the intermediate state we store between setup_key_block and change_cipher_state. With SSL_AEAD_CTX_new abstracted out, keeping the EVP_AEAD around doesn't make much sense. Just store enough to partition the key block. Change-Id: I773fb46a2cb78fa570f00c0a89339c15bbb1d719 Reviewed-on: https://boringssl-review.googlesource.com/6832 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Reject empty records of unexpected type. The old empty record logic discarded the records at a very low-level. Let the error bubble up to ssl3_read_bytes so the type mismatch logic may kick in before the empty record is skipped. Add tests for when the record in question is application data, before before the handshake and post ChangeCipherSpec. BUG=521840 Change-Id: I47dff389cda65d6672b9be39d7d89490331063fa Reviewed-on: https://boringssl-review.googlesource.com/5754 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Remove |need_record_splitting| from |SSL3_STATE|. It is redundant given the other state in the connection. Change-Id: I5dc71627132659ab4316a5ea360c9ca480fb7c6c Reviewed-on: https://boringssl-review.googlesource.com/6646 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Remove |need_record_splitting| from |SSL3_STATE|. It is redundant given the other state in the connection. Change-Id: I5dc71627132659ab4316a5ea360c9ca480fb7c6c Reviewed-on: https://boringssl-review.googlesource.com/6646 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Remove |need_record_splitting| from |SSL3_STATE|. It is redundant given the other state in the connection. Change-Id: I5dc71627132659ab4316a5ea360c9ca480fb7c6c Reviewed-on: https://boringssl-review.googlesource.com/6646 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move ssl3_record_sequence_update with the other record-layer bits. Change-Id: I045a4d3e304872b8c97231dcde5bca7753a878fb Reviewed-on: https://boringssl-review.googlesource.com/6831 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Remove |need_record_splitting| from |SSL3_STATE|. It is redundant given the other state in the connection. Change-Id: I5dc71627132659ab4316a5ea360c9ca480fb7c6c Reviewed-on: https://boringssl-review.googlesource.com/6646 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Remove |need_record_splitting| from |SSL3_STATE|. It is redundant given the other state in the connection. Change-Id: I5dc71627132659ab4316a5ea360c9ca480fb7c6c Reviewed-on: https://boringssl-review.googlesource.com/6646 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Remove SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER. This dates to SSLeay 0.8.0 (or earlier). The use counter sees virtually no hits. Change-Id: Iff4c8899d5cb0ba4afca113c66d15f1d980ffe41 Reviewed-on: https://boringssl-review.googlesource.com/6558 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move ssl3_record_sequence_update with the other record-layer bits. Change-Id: I045a4d3e304872b8c97231dcde5bca7753a878fb Reviewed-on: https://boringssl-review.googlesource.com/6831 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Remove SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER. This dates to SSLeay 0.8.0 (or earlier). The use counter sees virtually no hits. Change-Id: Iff4c8899d5cb0ba4afca113c66d15f1d980ffe41 Reviewed-on: https://boringssl-review.googlesource.com/6558 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Reject empty records of unexpected type. The old empty record logic discarded the records at a very low-level. Let the error bubble up to ssl3_read_bytes so the type mismatch logic may kick in before the empty record is skipped. Add tests for when the record in question is application data, before before the handshake and post ChangeCipherSpec. BUG=521840 Change-Id: I47dff389cda65d6672b9be39d7d89490331063fa Reviewed-on: https://boringssl-review.googlesource.com/5754 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move ssl3_record_sequence_update with the other record-layer bits. Change-Id: I045a4d3e304872b8c97231dcde5bca7753a878fb Reviewed-on: https://boringssl-review.googlesource.com/6831 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Remove |need_record_splitting| from |SSL3_STATE|. It is redundant given the other state in the connection. Change-Id: I5dc71627132659ab4316a5ea360c9ca480fb7c6c Reviewed-on: https://boringssl-review.googlesource.com/6646 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Fix MSVC build. The difference of two pointers is signed, even though it's always non-negative here, so MSVC is complaining about signedness mismatch. Change-Id: I5a042d06ed348540706b93310af3f60f3ab5f303 Reviewed-on: https://boringssl-review.googlesource.com/5766 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Factor out the buffering and low-level record code. This begins decoupling the transport from the SSL state machine. The buffering logic is hidden behind an opaque API. Fields like ssl->packet and ssl->packet_length are gone. ssl3_get_record and dtls1_get_record now call low-level tls_open_record and dtls_open_record functions that unpack a single record independent of who owns the buffer. Both may be called in-place. This removes ssl->rstate which was redundant with the buffer length. Future work will push the buffer up the stack until it is above the handshake. Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but return a slightly larger enum due to other events being possible. Likewise the handshake state machine will be detached from its buffer. The existing SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc., combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly different needs.) The new buffering logic does not support read-ahead (removed previously) since it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added if desired. The old buffering logic wasn't quite right anyway; it tried to avoid the memmove in some cases and could get stuck too far into the buffer and not accept records. (The only time the memmove is optional is in DTLS or if enough of the record header is available to know that the entire next record would fit in the buffer.) The new logic also now actually decrypts the ciphertext in-place again, rather than almost in-place when there's an explicit nonce/IV. (That accidentally switched in https://boringssl-review.googlesource.com/#/c/4792/; see 3d59e04bce96474099ba76786a2337e99ae14505.) BUG=468889 Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2 Reviewed-on: https://boringssl-review.googlesource.com/5715 Reviewed-by: Adam Langley <agl@google.com>
9 years ago
Tidy up keyblock and CCS logic slightly. Move the actual SSL_AEAD_CTX swap into the record layer. Also revise the intermediate state we store between setup_key_block and change_cipher_state. With SSL_AEAD_CTX_new abstracted out, keeping the EVP_AEAD around doesn't make much sense. Just store enough to partition the key block. Change-Id: I773fb46a2cb78fa570f00c0a89339c15bbb1d719 Reviewed-on: https://boringssl-review.googlesource.com/6832 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Tidy up keyblock and CCS logic slightly. Move the actual SSL_AEAD_CTX swap into the record layer. Also revise the intermediate state we store between setup_key_block and change_cipher_state. With SSL_AEAD_CTX_new abstracted out, keeping the EVP_AEAD around doesn't make much sense. Just store enough to partition the key block. Change-Id: I773fb46a2cb78fa570f00c0a89339c15bbb1d719 Reviewed-on: https://boringssl-review.googlesource.com/6832 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Move aead_{read,write}_ctx and next_proto_negotiated into ssl->s3. Both are connection state rather than configuration state. Notably this cuts down more of SSL_clear that can't just use ssl_free + ssl_new. Change-Id: I3c05b3ae86d4db8bd75f1cd21656f57fc5b55ca9 Reviewed-on: https://boringssl-review.googlesource.com/6835 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
Tidy up keyblock and CCS logic slightly. Move the actual SSL_AEAD_CTX swap into the record layer. Also revise the intermediate state we store between setup_key_block and change_cipher_state. With SSL_AEAD_CTX_new abstracted out, keeping the EVP_AEAD around doesn't make much sense. Just store enough to partition the key block. Change-Id: I773fb46a2cb78fa570f00c0a89339c15bbb1d719 Reviewed-on: https://boringssl-review.googlesource.com/6832 Reviewed-by: Adam Langley <alangley@gmail.com>
8 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378 
  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. 

  109. #include <openssl/ssl.h>

  110. 

  111. #include <assert.h>

  112. #include <string.h>

  113. 

  114. #include <openssl/bytestring.h>

  115. #include <openssl/err.h>

  116. 

  117. #include "internal.h"

  118. 

  119. 

  120. /* kMaxEmptyRecords is the number of consecutive, empty records that will be

  121.  * processed. Without this limit an attacker could send empty records at a

  122.  * faster rate than we can process and cause record processing to loop

  123.  * forever. */

  124. static const uint8_t kMaxEmptyRecords = 32;

  125. 

  126. /* ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher

  127.  * state needs record-splitting and zero otherwise. */

  128. static int ssl_needs_record_splitting(const SSL *ssl) {

  129.   return !SSL_USE_EXPLICIT_IV(ssl) && ssl->s3->aead_write_ctx != NULL &&

  130.          (ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 &&

  131.          SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher);

  132. }

  133. 

  134. int ssl_record_sequence_update(uint8_t *seq, size_t seq_len) {

  135.   size_t i;

  136.   for (i = seq_len - 1; i < seq_len; i--) {

  137.     ++seq[i];

  138.     if (seq[i] != 0) {

  139.       return 1;

  140.     }

  141.   }

  142.   OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  143.   return 0;

  144. }

  145. 

  146. size_t ssl_record_prefix_len(const SSL *ssl) {

  147.   if (SSL_IS_DTLS(ssl)) {

  148.     return DTLS1_RT_HEADER_LENGTH +

  149.            SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_read_ctx);

  150.   } else {

  151.     return SSL3_RT_HEADER_LENGTH +

  152.            SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_read_ctx);

  153.   }

  154. }

  155. 

  156. size_t ssl_seal_prefix_len(const SSL *ssl) {

  157.   if (SSL_IS_DTLS(ssl)) {

  158.     return DTLS1_RT_HEADER_LENGTH +

  159.            SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx);

  160.   } else {

  161.     size_t ret = SSL3_RT_HEADER_LENGTH +

  162.                  SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx);

  163.     if (ssl_needs_record_splitting(ssl)) {

  164.       ret += SSL3_RT_HEADER_LENGTH;

  165.       ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher);

  166.     }

  167.     return ret;

  168.   }

  169. }

  170. 

  171. size_t ssl_max_seal_overhead(const SSL *ssl) {

  172.   if (SSL_IS_DTLS(ssl)) {

  173.     return DTLS1_RT_HEADER_LENGTH +

  174.            SSL_AEAD_CTX_max_overhead(ssl->s3->aead_write_ctx);

  175.   } else {

  176.     size_t ret = SSL3_RT_HEADER_LENGTH +

  177.                  SSL_AEAD_CTX_max_overhead(ssl->s3->aead_write_ctx);

  178.     if (ssl_needs_record_splitting(ssl)) {

  179.       ret *= 2;

  180.     }

  181.     return ret;

  182.   }

  183. }

  184. 

  185. enum ssl_open_record_t tls_open_record(

  186.     SSL *ssl, uint8_t *out_type, uint8_t *out, size_t *out_len,

  187.     size_t *out_consumed, uint8_t *out_alert, size_t max_out, const uint8_t *in,

  188.     size_t in_len) {

  189.   CBS cbs;

  190.   CBS_init(&cbs, in, in_len);

  191. 

  192.   /* Decode the record header. */

  193.   uint8_t type;

  194.   uint16_t version, ciphertext_len;

  195.   if (!CBS_get_u8(&cbs, &type) ||

  196.       !CBS_get_u16(&cbs, &version) ||

  197.       !CBS_get_u16(&cbs, &ciphertext_len)) {

  198.     *out_consumed = SSL3_RT_HEADER_LENGTH;

  199.     return ssl_open_record_partial;

  200.   }

  201. 

  202.   /* Check the version. */

  203.   if ((ssl->s3->have_version && version != ssl->version) ||

  204.       (version >> 8) != SSL3_VERSION_MAJOR) {

  205.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);

  206.     *out_alert = SSL_AD_PROTOCOL_VERSION;

  207.     return ssl_open_record_error;

  208.   }

  209. 

  210.   /* Check the ciphertext length. */

  211.   if (ciphertext_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) {

  212.     OPENSSL_PUT_ERROR(SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);

  213.     *out_alert = SSL_AD_RECORD_OVERFLOW;

  214.     return ssl_open_record_error;

  215.   }

  216. 

  217.   /* Extract the body. */

  218.   CBS body;

  219.   if (!CBS_get_bytes(&cbs, &body, ciphertext_len)) {

  220.     *out_consumed = SSL3_RT_HEADER_LENGTH + (size_t)ciphertext_len;

  221.     return ssl_open_record_partial;

  222.   }

  223. 

  224.   if (ssl->msg_callback != NULL) {

  225.     ssl->msg_callback(0 /* read */, 0, SSL3_RT_HEADER, in,

  226.                       SSL3_RT_HEADER_LENGTH, ssl, ssl->msg_callback_arg);

  227.   }

  228. 

  229.   /* Decrypt the body. */

  230.   size_t plaintext_len;

  231.   if (!SSL_AEAD_CTX_open(ssl->s3->aead_read_ctx, out, &plaintext_len, max_out,

  232.                          type, version, ssl->s3->read_sequence, CBS_data(&body),

  233.                          CBS_len(&body))) {

  234.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);

  235.     *out_alert = SSL_AD_BAD_RECORD_MAC;

  236.     return ssl_open_record_error;

  237.   }

  238.   if (!ssl_record_sequence_update(ssl->s3->read_sequence, 8)) {

  239.     *out_alert = SSL_AD_INTERNAL_ERROR;

  240.     return ssl_open_record_error;

  241.   }

  242. 

  243.   /* Check the plaintext length. */

  244.   if (plaintext_len > SSL3_RT_MAX_PLAIN_LENGTH) {

  245.     OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);

  246.     *out_alert = SSL_AD_RECORD_OVERFLOW;

  247.     return ssl_open_record_error;

  248.   }

  249. 

  250.   /* Limit the number of consecutive empty records. */

  251.   if (plaintext_len == 0) {

  252.     ssl->s3->empty_record_count++;

  253.     if (ssl->s3->empty_record_count > kMaxEmptyRecords) {

  254.       OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS);

  255.       *out_alert = SSL_AD_UNEXPECTED_MESSAGE;

  256.       return ssl_open_record_error;

  257.     }

  258.     /* Apart from the limit, empty records are returned up to the caller. This

  259.      * allows the caller to reject records of the wrong type. */

  260.   } else {

  261.     ssl->s3->empty_record_count = 0;

  262.   }

  263. 

  264.   *out_type = type;

  265.   *out_len = plaintext_len;

  266.   *out_consumed = in_len - CBS_len(&cbs);

  267.   return ssl_open_record_success;

  268. }

  269. 

  270. static int do_seal_record(SSL *ssl, uint8_t *out, size_t *out_len,

  271.                           size_t max_out, uint8_t type, const uint8_t *in,

  272.                           size_t in_len) {

  273.   if (max_out < SSL3_RT_HEADER_LENGTH) {

  274.     OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);

  275.     return 0;

  276.   }

  277.   /* Check the record header does not alias any part of the input.

  278.    * |SSL_AEAD_CTX_seal| will internally enforce other aliasing requirements. */

  279.   if (in < out + SSL3_RT_HEADER_LENGTH && out < in + in_len) {

  280.     OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);

  281.     return 0;

  282.   }

  283. 

  284.   out[0] = type;

  285. 

  286.   /* Some servers hang if initial ClientHello is larger than 256 bytes and

  287.    * record version number > TLS 1.0. */

  288.   uint16_t wire_version = ssl->version;

  289.   if (!ssl->s3->have_version && ssl->version > SSL3_VERSION) {

  290.     wire_version = TLS1_VERSION;

  291.   }

  292.   out[1] = wire_version >> 8;

  293.   out[2] = wire_version & 0xff;

  294. 

  295.   size_t ciphertext_len;

  296.   if (!SSL_AEAD_CTX_seal(ssl->s3->aead_write_ctx, out + SSL3_RT_HEADER_LENGTH,

  297.                          &ciphertext_len, max_out - SSL3_RT_HEADER_LENGTH,

  298.                          type, wire_version, ssl->s3->write_sequence, in,

  299.                          in_len) ||

  300.       !ssl_record_sequence_update(ssl->s3->write_sequence, 8)) {

  301.     return 0;

  302.   }

  303. 

  304.   if (ciphertext_len >= 1 << 16) {

  305.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  306.     return 0;

  307.   }

  308.   out[3] = ciphertext_len >> 8;

  309.   out[4] = ciphertext_len & 0xff;

  310. 

  311.   *out_len = SSL3_RT_HEADER_LENGTH + ciphertext_len;

  312. 

  313.   if (ssl->msg_callback) {

  314.     ssl->msg_callback(1 /* write */, 0, SSL3_RT_HEADER, out,

  315.                       SSL3_RT_HEADER_LENGTH, ssl, ssl->msg_callback_arg);

  316.   }

  317. 

  318.   return 1;

  319. }

  320. 

  321. int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,

  322.                     uint8_t type, const uint8_t *in, size_t in_len) {

  323.   size_t frag_len = 0;

  324.   if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&

  325.       ssl_needs_record_splitting(ssl)) {

  326.     /* |do_seal_record| will notice if it clobbers |in[0]|, but not if it

  327.      * aliases the rest of |in|. */

  328.     if (in + 1 <= out && out < in + in_len) {

  329.       OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);

  330.       return 0;

  331.     }

  332.     /* Ensure |do_seal_record| does not write beyond |in[0]|. */

  333.     size_t frag_max_out = max_out;

  334.     if (out <= in + 1 && in + 1 < out + frag_max_out) {

  335.       frag_max_out = (size_t)(in + 1 - out);

  336.     }

  337.     if (!do_seal_record(ssl, out, &frag_len, frag_max_out, type, in, 1)) {

  338.       return 0;

  339.     }

  340.     in++;

  341.     in_len--;

  342.     out += frag_len;

  343.     max_out -= frag_len;

  344. 

  345.     assert(SSL3_RT_HEADER_LENGTH + ssl_cipher_get_record_split_len(

  346.                                        ssl->s3->aead_write_ctx->cipher) ==

  347.            frag_len);

  348.   }

  349. 

  350.   if (!do_seal_record(ssl, out, out_len, max_out, type, in, in_len)) {

  351.     return 0;

  352.   }

  353.   *out_len += frag_len;

  354.   return 1;

  355. }

  356. 

  357. void ssl_set_read_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {

  358.   if (SSL_IS_DTLS(ssl)) {

  359.     ssl->d1->r_epoch++;

  360.     memset(&ssl->d1->bitmap, 0, sizeof(ssl->d1->bitmap));

  361.   }

  362.   memset(ssl->s3->read_sequence, 0, sizeof(ssl->s3->read_sequence));

  363. 

  364.   SSL_AEAD_CTX_free(ssl->s3->aead_read_ctx);

  365.   ssl->s3->aead_read_ctx = aead_ctx;

  366. }

  367. 

  368. void ssl_set_write_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {

  369.   if (SSL_IS_DTLS(ssl)) {

  370.     ssl->d1->w_epoch++;

  371.     memcpy(ssl->d1->last_write_sequence, ssl->s3->write_sequence,

  372.            sizeof(ssl->s3->write_sequence));

  373.   }

  374.   memset(ssl->s3->write_sequence, 0, sizeof(ssl->s3->write_sequence));

  375. 

  376.   SSL_AEAD_CTX_free(ssl->s3->aead_write_ctx);

  377.   ssl->s3->aead_write_ctx = aead_ctx;

  378. }