1 /*
2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include "inner.h"
26
27 #if 0
28 /* obsolete */
29
30 /*
31 * If BR_USE_URANDOM is not defined, then try to autodetect its presence
32 * through compiler macros.
33 */
34 #ifndef BR_USE_URANDOM
35
36 /*
37 * Macro values documented on:
38 * https://sourceforge.net/p/predef/wiki/OperatingSystems/
39 *
40 * Only the most common systems have been included here for now. This
41 * should be enriched later on.
42 */
43 #if defined _AIX \
44 || defined __ANDROID__ \
45 || defined __FreeBSD__ \
46 || defined __NetBSD__ \
47 || defined __OpenBSD__ \
48 || defined __DragonFly__ \
49 || defined __linux__ \
50 || (defined __sun && (defined __SVR4 || defined __svr4__)) \
51 || (defined __APPLE__ && defined __MACH__)
52 #define BR_USE_URANDOM 1
53 #endif
54
55 #endif
56
57 /*
58 * If BR_USE_WIN32_RAND is not defined, perform autodetection here.
59 */
60 #ifndef BR_USE_WIN32_RAND
61
62 #if defined _WIN32 || defined _WIN64
63 #define BR_USE_WIN32_RAND 1
64 #endif
65
66 #endif
67
68 #if BR_USE_URANDOM
69 #include <sys/types.h>
70 #include <unistd.h>
71 #include <fcntl.h>
72 #include <errno.h>
73 #endif
74
75 #if BR_USE_WIN32_RAND
76 #include <windows.h>
77 #include <wincrypt.h>
78 #pragma comment(lib, "advapi32")
79 #endif
80
81 #endif
82
83 /* ==================================================================== */
84 /*
85 * This part of the file does the low-level record management.
86 */
87
88 /*
89 * IMPLEMENTATION NOTES
90 * ====================
91 *
92 * In this file, we designate by "input" (and the "i" letter) the "recv"
93 * operations: incoming records from the peer, from which payload data
94 * is obtained, and must be extracted by the application (or the SSL
95 * handshake engine). Similarly, "output" (and the "o" letter) is for
96 * "send": payload data injected by the application (and SSL handshake
97 * engine), to be wrapped into records, that are then conveyed to the
98 * peer over the transport medium.
99 *
100 * The input and output buffers may be distinct or shared. When
101 * shared, input and output cannot occur concurrently; the caller
102 * must make sure that it never needs to output data while input
103 * data has been received. In practice, a shared buffer prevents
104 * pipelining of HTTP requests, or similar protocols; however, a
105 * shared buffer saves RAM.
106 *
107 * The input buffer is pointed to by 'ibuf' and has size 'ibuf_len';
108 * the output buffer is pointed to by 'obuf' and has size 'obuf_len'.
109 * From the size of these buffers is derived the maximum fragment
110 * length, which will be honoured upon sending records; regardless of
111 * that length, incoming records will be processed as long as they
112 * fit in the input buffer, and their length still complies with the
113 * protocol specification (maximum plaintext payload length is 16384
114 * bytes).
115 *
116 * Three registers are used to manage buffering in ibuf, called ixa,
117 * ixb and ixc. Similarly, three registers are used to manage buffering
118 * in obuf, called oxa, oxb and oxc.
119 *
120 *
121 * At any time, the engine is in one of the following modes:
122 * -- Failed mode: an error occurs, no I/O can happen.
123 * -- Input mode: the engine can either receive record bytes from the
124 * transport layer, or it has some buffered payload bytes to yield.
125 * -- Output mode: the engine can either receive payload bytes, or it
126 * has some record bytes to send to the transport layer.
127 * -- Input/Output mode: both input and output modes are active. When
128 * the buffer is shared, this can happen only when the buffer is empty
129 * (no buffered payload bytes or record bytes in either direction).
130 *
131 *
132 * Failed mode:
133 * ------------
134 *
135 * I/O failed for some reason (invalid received data, not enough room
136 * for the next record...). No I/O may ever occur again for this context,
137 * until an explicit reset is performed. This mode, and the error code,
138 * are also used for protocol errors, especially handshake errors.
139 *
140 *
141 * Input mode:
142 * -----------
143 *
144 * ixa index within ibuf[] for the currently read data
145 * ixb maximum index within ibuf[] for the currently read data
146 * ixc number of bytes not yet received for the current record
147 *
148 * -- When ixa == ixb, there is no available data for readers. When
149 * ixa != ixb, there is available data and it starts at offset ixa.
150 *
151 * -- When waiting for the next record header, ixa and ixb are equal
152 * and contain a value ranging from 0 to 4; ixc is equal to 5-ixa.
153 *
154 * -- When the header has been received, record data is obtained. The
155 * ixc field records how many bytes are still needed to reach the
156 * end of the current record.
157 *
158 * ** If encryption is active, then ixa and ixb are kept equal, and
159 * point to the end of the currently received record bytes. When
160 * ixc reaches 0, decryption/MAC is applied, and ixa and ixb are
161 * adjusted.
162 *
163 * ** If encryption is not active, then ixa and ixb are distinct
164 * and data can be read right away. Additional record data is
165 * obtained only when ixa == ixb.
166 *
167 * Note: in input mode and no encryption, records larger than the buffer
168 * size are allowed. When encryption is active, the complete record must
169 * fit within the buffer, since it cannot be decrypted/MACed until it
170 * has been completely received.
171 *
172 * -- When receiving the next record header, 'version_in' contains the
173 * expected input version (0 if not expecting a specific version); on
174 * mismatch, the mode switches to 'failed'.
175 *
176 * -- When the header has been received, 'version_in' contains the received
177 * version. It is up to the caller to check and adjust the 'version_in' field
178 * to implement the required semantics.
179 *
180 * -- The 'record_type_in' field is updated with the incoming record type
181 * when the next record header has been received.
182 *
183 *
184 * Output mode:
185 * ------------
186 *
187 * oxa index within obuf[] for the currently accumulated data
188 * oxb maximum index within obuf[] for record data
189 * oxc pointer for start of record data, and for record sending
190 *
191 * -- When oxa != oxb, more data can be accumulated into the current
192 * record; when oxa == oxb, a closed record is being sent.
193 *
194 * -- When accumulating data, oxc points to the start of the data.
195 *
196 * -- During record sending, oxa (and oxb) point to the next record byte
197 * to send, and oxc indicates the end of the current record.
198 *
199 * Note: sent records must fit within the buffer, since the header is
200 * adjusted only when the complete record has been assembled.
201 *
202 * -- The 'version_out' and 'record_type_out' fields are used to build the
203 * record header when the mode is switched to 'sending'.
204 *
205 *
206 * Modes:
207 * ------
208 *
209 * The state register iomode contains one of the following values:
210 *
211 * BR_IO_FAILED I/O failed
212 * BR_IO_IN input mode
213 * BR_IO_OUT output mode
214 * BR_IO_INOUT input/output mode
215 *
216 * Whether encryption is active on incoming records is indicated by the
217 * incrypt flag. For outgoing records, there is no such flag; "encryption"
218 * is always considered active, but initially uses functions that do not
219 * encrypt anything. The 'incrypt' flag is needed because when there is
220 * no active encryption, records larger than the I/O buffer are accepted.
221 *
222 * Note: we do not support no-encryption modes (MAC only).
223 *
224 * TODO: implement GCM support
225 *
226 *
227 * Misc:
228 * -----
229 *
230 * 'max_frag_len' is the maximum plaintext size for an outgoing record.
231 * By default, it is set to the maximum value that fits in the provided
232 * buffers, in the following list: 512, 1024, 2048, 4096, 16384. The
233 * caller may change it if needed, but the new value MUST still fit in
234 * the buffers, and it MUST be one of the list above for compatibility
235 * with the Maximum Fragment Length extension.
236 *
237 * For incoming records, only the total buffer length and current
238 * encryption mode impact the maximum length for incoming records. The
239 * 'max_frag_len' value is still adjusted so that records up to that
240 * length can be both received and sent.
241 *
242 *
243 * Offsets and lengths:
244 * --------------------
245 *
246 * When sending fragments with TLS-1.1+, the maximum overhead is:
247 * 5 bytes for the record header
248 * 16 bytes for the explicit IV
249 * 48 bytes for the MAC (HMAC/SHA-384)
250 * 16 bytes for the padding (AES)
251 * so a total of 85 extra bytes. Note that we support block cipher sizes
252 * up to 16 bytes (AES) and HMAC output sizes up to 48 bytes (SHA-384).
253 *
254 * With TLS-1.0 and CBC mode, we apply a 1/n-1 split, for a maximum
255 * overhead of:
256 * 5 bytes for the first record header
257 * 32 bytes for the first record payload (AES-CBC + HMAC/SHA-1)
258 * 5 bytes for the second record header
259 * 20 bytes for the MAC (HMAC/SHA-1)
260 * 16 bytes for the padding (AES)
261 * -1 byte to account for the payload byte in the first record
262 * so a total of 77 extra bytes at most, less than the 85 bytes above.
263 * Note that with TLS-1.0, the MAC is HMAC with either MD5 or SHA-1, but
264 * no other hash function.
265 *
266 * The implementation does not try to send larger records when the current
267 * encryption mode has less overhead.
268 *
269 * Maximum input record overhead is:
270 * 5 bytes for the record header
271 * 16 bytes for the explicit IV (TLS-1.1+)
272 * 48 bytes for the MAC (HMAC/SHA-384)
273 * 256 bytes for the padding
274 * so a total of 325 extra bytes.
275 *
276 * When receiving the next record header, it is written into the buffer
277 * bytes 0 to 4 (inclusive). Record data is always written into buf[]
278 * starting at offset 5. When encryption is active, the plaintext data
279 * may start at a larger offset (e.g. because of an explicit IV).
280 */
281
282 #define MAX_OUT_OVERHEAD 85
283 #define MAX_IN_OVERHEAD 325
284
285 /* see inner.h */
286 void
br_ssl_engine_fail(br_ssl_engine_context * rc,int err)287 br_ssl_engine_fail(br_ssl_engine_context *rc, int err)
288 {
289 if (rc->iomode != BR_IO_FAILED) {
290 rc->iomode = BR_IO_FAILED;
291 rc->err = err;
292 }
293 }
294
295 /*
296 * Adjust registers for a new incoming record.
297 */
298 static void
make_ready_in(br_ssl_engine_context * rc)299 make_ready_in(br_ssl_engine_context *rc)
300 {
301 rc->ixa = rc->ixb = 0;
302 rc->ixc = 5;
303 if (rc->iomode == BR_IO_IN) {
304 rc->iomode = BR_IO_INOUT;
305 }
306 }
307
308 /*
309 * Adjust registers for a new outgoing record.
310 */
311 static void
make_ready_out(br_ssl_engine_context * rc)312 make_ready_out(br_ssl_engine_context *rc)
313 {
314 size_t a, b;
315
316 a = 5;
317 b = rc->obuf_len - a;
318 rc->out.vtable->max_plaintext(&rc->out.vtable, &a, &b);
319 if ((b - a) > rc->max_frag_len) {
320 b = a + rc->max_frag_len;
321 }
322 rc->oxa = a;
323 rc->oxb = b;
324 rc->oxc = a;
325 if (rc->iomode == BR_IO_OUT) {
326 rc->iomode = BR_IO_INOUT;
327 }
328 }
329
330 /* see inner.h */
331 void
br_ssl_engine_new_max_frag_len(br_ssl_engine_context * rc,unsigned max_frag_len)332 br_ssl_engine_new_max_frag_len(br_ssl_engine_context *rc, unsigned max_frag_len)
333 {
334 size_t nxb;
335
336 rc->max_frag_len = max_frag_len;
337 nxb = rc->oxc + max_frag_len;
338 if (rc->oxa < rc->oxb && rc->oxb > nxb && rc->oxa < nxb) {
339 rc->oxb = nxb;
340 }
341 }
342
343 /* see bearssl_ssl.h */
344 void
br_ssl_engine_set_buffer(br_ssl_engine_context * rc,void * buf,size_t buf_len,int bidi)345 br_ssl_engine_set_buffer(br_ssl_engine_context *rc,
346 void *buf, size_t buf_len, int bidi)
347 {
348 if (buf == NULL) {
349 br_ssl_engine_set_buffers_bidi(rc, NULL, 0, NULL, 0);
350 } else {
351 /*
352 * In bidirectional mode, we want to maximise input
353 * buffer size, since we support arbitrary fragmentation
354 * when sending, but the peer will not necessarily
355 * comply to any low fragment length (in particular if
356 * we are the server, because the maximum fragment
357 * length extension is under client control).
358 *
359 * We keep a minimum size of 512 bytes for the plaintext
360 * of our outgoing records.
361 *
362 * br_ssl_engine_set_buffers_bidi() will compute the maximum
363 * fragment length for outgoing records by using the minimum
364 * of allocated spaces for both input and output records,
365 * rounded down to a standard length.
366 */
367 if (bidi) {
368 size_t w;
369
370 if (buf_len < (512 + MAX_IN_OVERHEAD
371 + 512 + MAX_OUT_OVERHEAD))
372 {
373 rc->iomode = BR_IO_FAILED;
374 rc->err = BR_ERR_BAD_PARAM;
375 return;
376 } else if (buf_len < (16384 + MAX_IN_OVERHEAD
377 + 512 + MAX_OUT_OVERHEAD))
378 {
379 w = 512 + MAX_OUT_OVERHEAD;
380 } else {
381 w = buf_len - (16384 + MAX_IN_OVERHEAD);
382 }
383 br_ssl_engine_set_buffers_bidi(rc,
384 buf, buf_len - w,
385 (unsigned char *)buf + w, w);
386 } else {
387 br_ssl_engine_set_buffers_bidi(rc,
388 buf, buf_len, NULL, 0);
389 }
390 }
391 }
392
393 /* see bearssl_ssl.h */
394 void
br_ssl_engine_set_buffers_bidi(br_ssl_engine_context * rc,void * ibuf,size_t ibuf_len,void * obuf,size_t obuf_len)395 br_ssl_engine_set_buffers_bidi(br_ssl_engine_context *rc,
396 void *ibuf, size_t ibuf_len, void *obuf, size_t obuf_len)
397 {
398 rc->iomode = BR_IO_INOUT;
399 rc->incrypt = 0;
400 rc->err = BR_ERR_OK;
401 rc->version_in = 0;
402 rc->record_type_in = 0;
403 rc->version_out = 0;
404 rc->record_type_out = 0;
405 if (ibuf == NULL) {
406 if (rc->ibuf == NULL) {
407 br_ssl_engine_fail(rc, BR_ERR_BAD_PARAM);
408 }
409 } else {
410 unsigned u;
411
412 rc->ibuf = ibuf;
413 rc->ibuf_len = ibuf_len;
414 if (obuf == NULL) {
415 obuf = ibuf;
416 obuf_len = ibuf_len;
417 }
418 rc->obuf = obuf;
419 rc->obuf_len = obuf_len;
420
421 /*
422 * Compute the maximum fragment length, that fits for
423 * both incoming and outgoing records. This length will
424 * be used in fragment length negotiation, so we must
425 * honour it both ways. Regardless, larger incoming
426 * records will be accepted, as long as they fit in the
427 * actual buffer size.
428 */
429 for (u = 14; u >= 9; u --) {
430 size_t flen;
431
432 flen = (size_t)1 << u;
433 if (obuf_len >= flen + MAX_OUT_OVERHEAD
434 && ibuf_len >= flen + MAX_IN_OVERHEAD)
435 {
436 break;
437 }
438 }
439 if (u == 8) {
440 br_ssl_engine_fail(rc, BR_ERR_BAD_PARAM);
441 return;
442 } else if (u == 13) {
443 u = 12;
444 }
445 rc->max_frag_len = (size_t)1 << u;
446 rc->log_max_frag_len = u;
447 rc->peer_log_max_frag_len = 0;
448 }
449 rc->out.vtable = &br_sslrec_out_clear_vtable;
450 make_ready_in(rc);
451 make_ready_out(rc);
452 }
453
454 /*
455 * Clear buffers in both directions.
456 */
457 static void
engine_clearbuf(br_ssl_engine_context * rc)458 engine_clearbuf(br_ssl_engine_context *rc)
459 {
460 make_ready_in(rc);
461 make_ready_out(rc);
462 }
463
464 /*
465 * Make sure the internal PRNG is initialised (but not necessarily
466 * seeded properly yet).
467 */
468 static int
rng_init(br_ssl_engine_context * cc)469 rng_init(br_ssl_engine_context *cc)
470 {
471 const br_hash_class *h;
472
473 if (cc->rng_init_done != 0) {
474 return 1;
475 }
476
477 /*
478 * If using TLS-1.2, then SHA-256 or SHA-384 must be present (or
479 * both); we prefer SHA-256 which is faster for 32-bit systems.
480 *
481 * If using TLS-1.0 or 1.1 then SHA-1 must be present.
482 *
483 * Though HMAC_DRBG/SHA-1 is, as far as we know, as safe as
484 * these things can be, we still prefer the SHA-2 functions over
485 * SHA-1, if only for public relations (known theoretical
486 * weaknesses of SHA-1 with regards to collisions are mostly
487 * irrelevant here, but they still make people nervous).
488 */
489 h = br_multihash_getimpl(&cc->mhash, br_sha256_ID);
490 if (!h) {
491 h = br_multihash_getimpl(&cc->mhash, br_sha384_ID);
492 if (!h) {
493 h = br_multihash_getimpl(&cc->mhash,
494 br_sha1_ID);
495 if (!h) {
496 br_ssl_engine_fail(cc, BR_ERR_BAD_STATE);
497 return 0;
498 }
499 }
500 }
501 br_hmac_drbg_init(&cc->rng, h, NULL, 0);
502 cc->rng_init_done = 1;
503 return 1;
504 }
505
506 /* see inner.h */
507 int
br_ssl_engine_init_rand(br_ssl_engine_context * cc)508 br_ssl_engine_init_rand(br_ssl_engine_context *cc)
509 {
510 if (!rng_init(cc)) {
511 return 0;
512 }
513
514 /*
515 * We always try OS/hardware seeding once. If it works, then
516 * we assume proper seeding. If not, then external entropy must
517 * have been injected; otherwise, we report an error.
518 */
519 if (!cc->rng_os_rand_done) {
520 br_prng_seeder sd;
521
522 sd = br_prng_seeder_system(NULL);
523 if (sd != 0 && sd(&cc->rng.vtable)) {
524 cc->rng_init_done = 2;
525 }
526 cc->rng_os_rand_done = 1;
527 }
528 if (cc->rng_init_done < 2) {
529 br_ssl_engine_fail(cc, BR_ERR_NO_RANDOM);
530 return 0;
531 }
532 return 1;
533 }
534
535 /* see bearssl_ssl.h */
536 void
br_ssl_engine_inject_entropy(br_ssl_engine_context * cc,const void * data,size_t len)537 br_ssl_engine_inject_entropy(br_ssl_engine_context *cc,
538 const void *data, size_t len)
539 {
540 /*
541 * Externally provided entropy is assumed to be "good enough"
542 * (we cannot really test its quality) so if the RNG structure
543 * could be initialised at all, then we marked the RNG as
544 * "properly seeded".
545 */
546 if (!rng_init(cc)) {
547 return;
548 }
549 br_hmac_drbg_update(&cc->rng, data, len);
550 cc->rng_init_done = 2;
551 }
552
553 /*
554 * We define a few internal functions that implement the low-level engine
555 * API for I/O; the external API (br_ssl_engine_sendapp_buf() and similar
556 * functions) is built upon these function, with special processing for
557 * records which are not of type "application data".
558 *
559 * recvrec_buf, recvrec_ack receives bytes from transport medium
560 * sendrec_buf, sendrec_ack send bytes to transport medium
561 * recvpld_buf, recvpld_ack receives payload data from engine
562 * sendpld_buf, sendpld_ack send payload data to engine
563 */
564
565 static unsigned char *
recvrec_buf(const br_ssl_engine_context * rc,size_t * len)566 recvrec_buf(const br_ssl_engine_context *rc, size_t *len)
567 {
568 if (rc->shutdown_recv) {
569 *len = 0;
570 return NULL;
571 }
572
573 /*
574 * Bytes from the transport can be injected only if the mode is
575 * compatible (in or in/out), and ixa == ixb; ixc then contains
576 * the number of bytes that are still expected (but it may
577 * exceed our buffer size).
578 *
579 * We cannot get "stuck" here (buffer is full, but still more
580 * data is expected) because oversized records are detected when
581 * their header is processed.
582 */
583 switch (rc->iomode) {
584 case BR_IO_IN:
585 case BR_IO_INOUT:
586 if (rc->ixa == rc->ixb) {
587 size_t z;
588
589 z = rc->ixc;
590 if (z > rc->ibuf_len - rc->ixa) {
591 z = rc->ibuf_len - rc->ixa;
592 }
593 *len = z;
594 return rc->ibuf + rc->ixa;
595 }
596 break;
597 }
598 *len = 0;
599 return NULL;
600 }
601
602 static void
recvrec_ack(br_ssl_engine_context * rc,size_t len)603 recvrec_ack(br_ssl_engine_context *rc, size_t len)
604 {
605 unsigned char *pbuf;
606 size_t pbuf_len;
607
608 /*
609 * Adjust state if necessary (for a shared input/output buffer):
610 * we got some incoming bytes, so we cannot (temporarily) handle
611 * outgoing data.
612 */
613 if (rc->iomode == BR_IO_INOUT && rc->ibuf == rc->obuf) {
614 rc->iomode = BR_IO_IN;
615 }
616
617 /*
618 * Adjust data pointers.
619 */
620 rc->ixb = (rc->ixa += len);
621 rc->ixc -= len;
622
623 /*
624 * If we are receiving a header and did not fully obtained it
625 * yet, then just wait for the next bytes.
626 */
627 if (rc->ixa < 5) {
628 return;
629 }
630
631 /*
632 * If we just obtained a full header, process it.
633 */
634 if (rc->ixa == 5) {
635 unsigned version;
636 unsigned rlen;
637
638 /*
639 * Get record type and version. We support only versions
640 * 3.x (if the version major number does not match, then
641 * we suppose that the record format is too alien for us
642 * to process it).
643 *
644 * Note: right now, we reject clients that try to send
645 * a ClientHello in a format compatible with SSL-2.0. It
646 * is unclear whether this will ever be supported; and
647 * if we want to support it, then this might be done in
648 * in the server-specific code, not here.
649 */
650 rc->record_type_in = rc->ibuf[0];
651 version = br_dec16be(rc->ibuf + 1);
652 if ((version >> 8) != 3) {
653 br_ssl_engine_fail(rc, BR_ERR_UNSUPPORTED_VERSION);
654 return;
655 }
656
657 /*
658 * We ensure that successive records have the same
659 * version. The handshake code must check and adjust the
660 * variables when necessary to accommodate the protocol
661 * negotiation details.
662 */
663 if (rc->version_in != 0 && rc->version_in != version) {
664 br_ssl_engine_fail(rc, BR_ERR_BAD_VERSION);
665 return;
666 }
667 rc->version_in = version;
668
669 /*
670 * Decode record length. We must check that the length
671 * is valid (relatively to the current encryption mode)
672 * and also (if encryption is active) that the record
673 * will fit in our buffer.
674 *
675 * When no encryption is active, we can process records
676 * by chunks, and thus accept any record up to the
677 * maximum allowed plaintext length (16384 bytes).
678 */
679 rlen = br_dec16be(rc->ibuf + 3);
680 if (rc->incrypt) {
681 if (!rc->in.vtable->check_length(
682 &rc->in.vtable, rlen))
683 {
684 br_ssl_engine_fail(rc, BR_ERR_BAD_LENGTH);
685 return;
686 }
687 if (rlen > (rc->ibuf_len - 5)) {
688 br_ssl_engine_fail(rc, BR_ERR_TOO_LARGE);
689 return;
690 }
691 } else {
692 if (rlen > 16384) {
693 br_ssl_engine_fail(rc, BR_ERR_BAD_LENGTH);
694 return;
695 }
696 }
697
698 /*
699 * If the record is completely empty then we must switch
700 * to a new record. Note that, in that case, we
701 * completely ignore the record type, which is fitting
702 * since we received no actual data of that type.
703 *
704 * A completely empty record is technically allowed as
705 * long as encryption/MAC is not active, i.e. before
706 * completion of the first handshake. It it still weird;
707 * it might conceptually be useful as a heartbeat or
708 * keep-alive mechanism while some lengthy operation is
709 * going on, e.g. interaction with a human user.
710 */
711 if (rlen == 0) {
712 make_ready_in(rc);
713 } else {
714 rc->ixa = rc->ixb = 5;
715 rc->ixc = rlen;
716 }
717 return;
718 }
719
720 /*
721 * If there is no active encryption, then the data can be read
722 * right away. Note that we do not receive bytes from the
723 * transport medium when we still have payload bytes to be
724 * acknowledged.
725 */
726 if (!rc->incrypt) {
727 rc->ixa = 5;
728 return;
729 }
730
731 /*
732 * Since encryption is active, we must wait for a full record
733 * before processing it.
734 */
735 if (rc->ixc != 0) {
736 return;
737 }
738
739 /*
740 * We got the full record. Decrypt it.
741 */
742 pbuf_len = rc->ixa - 5;
743 pbuf = rc->in.vtable->decrypt(&rc->in.vtable,
744 rc->record_type_in, rc->version_in, rc->ibuf + 5, &pbuf_len);
745 if (pbuf == 0) {
746 br_ssl_engine_fail(rc, BR_ERR_BAD_MAC);
747 return;
748 }
749 rc->ixa = (size_t)(pbuf - rc->ibuf);
750 rc->ixb = rc->ixa + pbuf_len;
751
752 /*
753 * Decryption may have yielded an empty record, in which case
754 * we get back to "ready" state immediately.
755 */
756 if (rc->ixa == rc->ixb) {
757 make_ready_in(rc);
758 }
759 }
760
761 /* see inner.h */
762 int
br_ssl_engine_recvrec_finished(const br_ssl_engine_context * rc)763 br_ssl_engine_recvrec_finished(const br_ssl_engine_context *rc)
764 {
765 switch (rc->iomode) {
766 case BR_IO_IN:
767 case BR_IO_INOUT:
768 return rc->ixc == 0 || rc->ixa < 5;
769 default:
770 return 1;
771 }
772 }
773
774 static unsigned char *
recvpld_buf(const br_ssl_engine_context * rc,size_t * len)775 recvpld_buf(const br_ssl_engine_context *rc, size_t *len)
776 {
777 /*
778 * There is payload data to be read only if the mode is
779 * compatible, and ixa != ixb.
780 */
781 switch (rc->iomode) {
782 case BR_IO_IN:
783 case BR_IO_INOUT:
784 *len = rc->ixb - rc->ixa;
785 return (*len == 0) ? NULL : (rc->ibuf + rc->ixa);
786 default:
787 *len = 0;
788 return NULL;
789 }
790 }
791
792 static void
recvpld_ack(br_ssl_engine_context * rc,size_t len)793 recvpld_ack(br_ssl_engine_context *rc, size_t len)
794 {
795 rc->ixa += len;
796
797 /*
798 * If we read all the available data, then we either expect
799 * the remainder of the current record (if the current record
800 * was not finished; this may happen when encryption is not
801 * active), or go to "ready" state.
802 */
803 if (rc->ixa == rc->ixb) {
804 if (rc->ixc == 0) {
805 make_ready_in(rc);
806 } else {
807 rc->ixa = rc->ixb = 5;
808 }
809 }
810 }
811
812 static unsigned char *
sendpld_buf(const br_ssl_engine_context * rc,size_t * len)813 sendpld_buf(const br_ssl_engine_context *rc, size_t *len)
814 {
815 /*
816 * Payload data can be injected only if the current mode is
817 * compatible, and oxa != oxb.
818 */
819 switch (rc->iomode) {
820 case BR_IO_OUT:
821 case BR_IO_INOUT:
822 *len = rc->oxb - rc->oxa;
823 return (*len == 0) ? NULL : (rc->obuf + rc->oxa);
824 default:
825 *len = 0;
826 return NULL;
827 }
828 }
829
830 /*
831 * If some payload bytes have been accumulated, then wrap them into
832 * an outgoing record. Otherwise, this function does nothing, unless
833 * 'force' is non-zero, in which case an empty record is assembled.
834 *
835 * The caller must take care not to invoke this function if the engine
836 * is not currently ready to receive payload bytes to send.
837 */
838 static void
sendpld_flush(br_ssl_engine_context * rc,int force)839 sendpld_flush(br_ssl_engine_context *rc, int force)
840 {
841 size_t xlen;
842 unsigned char *buf;
843
844 if (rc->oxa == rc->oxb) {
845 return;
846 }
847 xlen = rc->oxa - rc->oxc;
848 if (xlen == 0 && !force) {
849 return;
850 }
851 buf = rc->out.vtable->encrypt(&rc->out.vtable,
852 rc->record_type_out, rc->version_out,
853 rc->obuf + rc->oxc, &xlen);
854 rc->oxb = rc->oxa = (size_t)(buf - rc->obuf);
855 rc->oxc = rc->oxa + xlen;
856 }
857
858 static void
sendpld_ack(br_ssl_engine_context * rc,size_t len)859 sendpld_ack(br_ssl_engine_context *rc, size_t len)
860 {
861 /*
862 * If using a shared buffer, then we may have to modify the
863 * current mode.
864 */
865 if (rc->iomode == BR_IO_INOUT && rc->ibuf == rc->obuf) {
866 rc->iomode = BR_IO_OUT;
867 }
868 rc->oxa += len;
869 if (rc->oxa >= rc->oxb) {
870 /*
871 * Set oxb to one more than oxa so that sendpld_flush()
872 * does not mistakingly believe that a record is
873 * already prepared and being sent.
874 */
875 rc->oxb = rc->oxa + 1;
876 sendpld_flush(rc, 0);
877 }
878 }
879
880 static unsigned char *
sendrec_buf(const br_ssl_engine_context * rc,size_t * len)881 sendrec_buf(const br_ssl_engine_context *rc, size_t *len)
882 {
883 /*
884 * When still gathering payload bytes, oxc points to the start
885 * of the record data, so oxc <= oxa. However, when a full
886 * record has been completed, oxc points to the end of the record,
887 * so oxc > oxa.
888 */
889 switch (rc->iomode) {
890 case BR_IO_OUT:
891 case BR_IO_INOUT:
892 if (rc->oxc > rc->oxa) {
893 *len = rc->oxc - rc->oxa;
894 return rc->obuf + rc->oxa;
895 }
896 break;
897 }
898 *len = 0;
899 return NULL;
900 }
901
902 static void
sendrec_ack(br_ssl_engine_context * rc,size_t len)903 sendrec_ack(br_ssl_engine_context *rc, size_t len)
904 {
905 rc->oxb = (rc->oxa += len);
906 if (rc->oxa == rc->oxc) {
907 make_ready_out(rc);
908 }
909 }
910
911 /*
912 * Test whether there is some buffered outgoing record that still must
913 * sent.
914 */
915 static inline int
has_rec_tosend(const br_ssl_engine_context * rc)916 has_rec_tosend(const br_ssl_engine_context *rc)
917 {
918 return rc->oxa == rc->oxb && rc->oxa != rc->oxc;
919 }
920
921 /*
922 * The "no encryption" mode has no overhead. It limits the payload size
923 * to the maximum size allowed by the standard (16384 bytes); the caller
924 * is responsible for possibly enforcing a smaller fragment length.
925 */
926 static void
clear_max_plaintext(const br_sslrec_out_clear_context * cc,size_t * start,size_t * end)927 clear_max_plaintext(const br_sslrec_out_clear_context *cc,
928 size_t *start, size_t *end)
929 {
930 size_t len;
931
932 (void)cc;
933 len = *end - *start;
934 if (len > 16384) {
935 *end = *start + 16384;
936 }
937 }
938
939 /*
940 * In "no encryption" mode, encryption is trivial (a no-operation) so
941 * we just have to encode the header.
942 */
943 static unsigned char *
clear_encrypt(br_sslrec_out_clear_context * cc,int record_type,unsigned version,void * data,size_t * data_len)944 clear_encrypt(br_sslrec_out_clear_context *cc,
945 int record_type, unsigned version, void *data, size_t *data_len)
946 {
947 unsigned char *buf;
948
949 (void)cc;
950 buf = (unsigned char *)data - 5;
951 buf[0] = record_type;
952 br_enc16be(buf + 1, version);
953 br_enc16be(buf + 3, *data_len);
954 *data_len += 5;
955 return buf;
956 }
957
958 /* see bearssl_ssl.h */
959 const br_sslrec_out_class br_sslrec_out_clear_vtable = {
960 sizeof(br_sslrec_out_clear_context),
961 (void (*)(const br_sslrec_out_class *const *, size_t *, size_t *))
962 &clear_max_plaintext,
963 (unsigned char *(*)(const br_sslrec_out_class **,
964 int, unsigned, void *, size_t *))
965 &clear_encrypt
966 };
967
968 /* ==================================================================== */
969 /*
970 * In this part of the file, we handle the various record types, and
971 * communications with the handshake processor.
972 */
973
974 /*
975 * IMPLEMENTATION NOTES
976 * ====================
977 *
978 * The handshake processor is written in T0 and runs as a coroutine.
979 * It receives the contents of all records except application data, and
980 * is responsible for producing the contents of all records except
981 * application data.
982 *
983 * A state flag is maintained, which specifies whether application data
984 * is acceptable or not. When it is set:
985 *
986 * -- Application data can be injected as payload data (provided that
987 * the output buffer is ready for that).
988 *
989 * -- Incoming application data records are accepted, and yield data
990 * that the caller may retrieve.
991 *
992 * When the flag is cleared, application data is not accepted from the
993 * application, and incoming application data records trigger an error.
994 *
995 *
996 * Records of type handshake, alert or change-cipher-spec are handled
997 * by the handshake processor. The handshake processor is written in T0
998 * and runs as a coroutine; it gets invoked whenever one of the following
999 * situations is reached:
1000 *
1001 * -- An incoming record has type handshake, alert or change-cipher-spec,
1002 * and yields data that can be read (zero-length records are thus
1003 * ignored).
1004 *
1005 * -- An outgoing record has just finished being sent, and the "application
1006 * data" flag is cleared.
1007 *
1008 * -- The caller wishes to perform a close (call to br_ssl_engine_close()).
1009 *
1010 * -- The caller wishes to perform a renegotiation (call to
1011 * br_ssl_engine_renegotiate()).
1012 *
1013 * Whenever the handshake processor is entered, access to the payload
1014 * buffers is provided, along with some information about explicit
1015 * closures or renegotiations.
1016 */
1017
1018 /* see bearssl_ssl.h */
1019 void
br_ssl_engine_set_suites(br_ssl_engine_context * cc,const uint16_t * suites,size_t suites_num)1020 br_ssl_engine_set_suites(br_ssl_engine_context *cc,
1021 const uint16_t *suites, size_t suites_num)
1022 {
1023 if ((suites_num * sizeof *suites) > sizeof cc->suites_buf) {
1024 br_ssl_engine_fail(cc, BR_ERR_BAD_PARAM);
1025 return;
1026 }
1027 memcpy(cc->suites_buf, suites, suites_num * sizeof *suites);
1028 cc->suites_num = suites_num;
1029 }
1030
1031 /*
1032 * Give control to handshake processor. 'action' is 1 for a close,
1033 * 2 for a renegotiation, or 0 for a jump due to I/O completion.
1034 */
1035 static void
jump_handshake(br_ssl_engine_context * cc,int action)1036 jump_handshake(br_ssl_engine_context *cc, int action)
1037 {
1038 /*
1039 * We use a loop because the handshake processor actions may
1040 * allow for more actions; namely, if the processor reads all
1041 * input data, then it may allow for output data to be produced,
1042 * in case of a shared in/out buffer.
1043 */
1044 for (;;) {
1045 size_t hlen_in, hlen_out;
1046
1047 /*
1048 * Get input buffer. We do not want to provide
1049 * application data to the handshake processor (we could
1050 * get called with an explicit close or renegotiation
1051 * while there is application data ready to be read).
1052 */
1053 cc->hbuf_in = recvpld_buf(cc, &hlen_in);
1054 if (cc->hbuf_in != NULL
1055 && cc->record_type_in == BR_SSL_APPLICATION_DATA)
1056 {
1057 hlen_in = 0;
1058 }
1059
1060 /*
1061 * Get output buffer. The handshake processor never
1062 * leaves an unfinished outgoing record, so if there is
1063 * buffered output, then it MUST be some application
1064 * data, so the processor cannot write to it.
1065 */
1066 cc->saved_hbuf_out = cc->hbuf_out = sendpld_buf(cc, &hlen_out);
1067 if (cc->hbuf_out != NULL && br_ssl_engine_has_pld_to_send(cc)) {
1068 hlen_out = 0;
1069 }
1070
1071 /*
1072 * Note: hlen_in and hlen_out can be both non-zero only if
1073 * the input and output buffers are disjoint. Thus, we can
1074 * offer both buffers to the handshake code.
1075 */
1076
1077 cc->hlen_in = hlen_in;
1078 cc->hlen_out = hlen_out;
1079 cc->action = action;
1080 cc->hsrun(&cc->cpu);
1081 if (br_ssl_engine_closed(cc)) {
1082 return;
1083 }
1084 if (cc->hbuf_out != cc->saved_hbuf_out) {
1085 sendpld_ack(cc, cc->hbuf_out - cc->saved_hbuf_out);
1086 }
1087 if (hlen_in != cc->hlen_in) {
1088 recvpld_ack(cc, hlen_in - cc->hlen_in);
1089 if (cc->hlen_in == 0) {
1090 /*
1091 * We read all data bytes, which may have
1092 * released the output buffer in case it
1093 * is shared with the input buffer, and
1094 * the handshake code might be waiting for
1095 * that.
1096 */
1097 action = 0;
1098 continue;
1099 }
1100 }
1101 break;
1102 }
1103 }
1104
1105 /* see inner.h */
1106 void
br_ssl_engine_flush_record(br_ssl_engine_context * cc)1107 br_ssl_engine_flush_record(br_ssl_engine_context *cc)
1108 {
1109 if (cc->hbuf_out != cc->saved_hbuf_out) {
1110 sendpld_ack(cc, cc->hbuf_out - cc->saved_hbuf_out);
1111 }
1112 if (br_ssl_engine_has_pld_to_send(cc)) {
1113 sendpld_flush(cc, 0);
1114 }
1115 cc->saved_hbuf_out = cc->hbuf_out = sendpld_buf(cc, &cc->hlen_out);
1116 }
1117
1118 /* see bearssl_ssl.h */
1119 unsigned char *
br_ssl_engine_sendapp_buf(const br_ssl_engine_context * cc,size_t * len)1120 br_ssl_engine_sendapp_buf(const br_ssl_engine_context *cc, size_t *len)
1121 {
1122 if (!(cc->application_data & 1)) {
1123 *len = 0;
1124 return NULL;
1125 }
1126 return sendpld_buf(cc, len);
1127 }
1128
1129 /* see bearssl_ssl.h */
1130 void
br_ssl_engine_sendapp_ack(br_ssl_engine_context * cc,size_t len)1131 br_ssl_engine_sendapp_ack(br_ssl_engine_context *cc, size_t len)
1132 {
1133 sendpld_ack(cc, len);
1134 }
1135
1136 /* see bearssl_ssl.h */
1137 unsigned char *
br_ssl_engine_recvapp_buf(const br_ssl_engine_context * cc,size_t * len)1138 br_ssl_engine_recvapp_buf(const br_ssl_engine_context *cc, size_t *len)
1139 {
1140 if (!(cc->application_data & 1)
1141 || cc->record_type_in != BR_SSL_APPLICATION_DATA)
1142 {
1143 *len = 0;
1144 return NULL;
1145 }
1146 return recvpld_buf(cc, len);
1147 }
1148
1149 /* see bearssl_ssl.h */
1150 void
br_ssl_engine_recvapp_ack(br_ssl_engine_context * cc,size_t len)1151 br_ssl_engine_recvapp_ack(br_ssl_engine_context *cc, size_t len)
1152 {
1153 recvpld_ack(cc, len);
1154 }
1155
1156 /* see bearssl_ssl.h */
1157 unsigned char *
br_ssl_engine_sendrec_buf(const br_ssl_engine_context * cc,size_t * len)1158 br_ssl_engine_sendrec_buf(const br_ssl_engine_context *cc, size_t *len)
1159 {
1160 return sendrec_buf(cc, len);
1161 }
1162
1163 /* see bearssl_ssl.h */
1164 void
br_ssl_engine_sendrec_ack(br_ssl_engine_context * cc,size_t len)1165 br_ssl_engine_sendrec_ack(br_ssl_engine_context *cc, size_t len)
1166 {
1167 sendrec_ack(cc, len);
1168 if (len != 0 && !has_rec_tosend(cc)
1169 && (cc->record_type_out != BR_SSL_APPLICATION_DATA
1170 || (cc->application_data & 1) == 0))
1171 {
1172 jump_handshake(cc, 0);
1173 }
1174 }
1175
1176 /* see bearssl_ssl.h */
1177 unsigned char *
br_ssl_engine_recvrec_buf(const br_ssl_engine_context * cc,size_t * len)1178 br_ssl_engine_recvrec_buf(const br_ssl_engine_context *cc, size_t *len)
1179 {
1180 return recvrec_buf(cc, len);
1181 }
1182
1183 /* see bearssl_ssl.h */
1184 void
br_ssl_engine_recvrec_ack(br_ssl_engine_context * cc,size_t len)1185 br_ssl_engine_recvrec_ack(br_ssl_engine_context *cc, size_t len)
1186 {
1187 unsigned char *buf;
1188
1189 recvrec_ack(cc, len);
1190 if (br_ssl_engine_closed(cc)) {
1191 return;
1192 }
1193
1194 /*
1195 * We just received some bytes from the peer. This may have
1196 * yielded some payload bytes, in which case we must process
1197 * them according to the record type.
1198 */
1199 buf = recvpld_buf(cc, &len);
1200 if (buf != NULL) {
1201 switch (cc->record_type_in) {
1202 case BR_SSL_CHANGE_CIPHER_SPEC:
1203 case BR_SSL_ALERT:
1204 case BR_SSL_HANDSHAKE:
1205 jump_handshake(cc, 0);
1206 break;
1207 case BR_SSL_APPLICATION_DATA:
1208 if (cc->application_data == 1) {
1209 break;
1210 }
1211
1212 /*
1213 * If we are currently closing, and waiting for
1214 * a close_notify from the peer, then incoming
1215 * application data should be discarded.
1216 */
1217 if (cc->application_data == 2) {
1218 recvpld_ack(cc, len);
1219 break;
1220 }
1221
1222 /* Fall through */
1223 default:
1224 br_ssl_engine_fail(cc, BR_ERR_UNEXPECTED);
1225 break;
1226 }
1227 }
1228 }
1229
1230 /* see bearssl_ssl.h */
1231 void
br_ssl_engine_close(br_ssl_engine_context * cc)1232 br_ssl_engine_close(br_ssl_engine_context *cc)
1233 {
1234 if (!br_ssl_engine_closed(cc)) {
1235 /*
1236 * If we are not already closed, then we need to
1237 * initiate the closure. Once closing, any incoming
1238 * application data is discarded; we should also discard
1239 * application data which is already there but has not
1240 * been acknowledged by the application yet (this mimics
1241 * usual semantics on BSD sockets: you cannot read()
1242 * once you called close(), even if there was some
1243 * unread data already buffered).
1244 */
1245 size_t len;
1246
1247 if (br_ssl_engine_recvapp_buf(cc, &len) != NULL && len != 0) {
1248 br_ssl_engine_recvapp_ack(cc, len);
1249 }
1250 jump_handshake(cc, 1);
1251 }
1252 }
1253
1254 /* see bearssl_ssl.h */
1255 int
br_ssl_engine_renegotiate(br_ssl_engine_context * cc)1256 br_ssl_engine_renegotiate(br_ssl_engine_context *cc)
1257 {
1258 size_t len;
1259
1260 if (br_ssl_engine_closed(cc) || cc->reneg == 1
1261 || (cc->flags & BR_OPT_NO_RENEGOTIATION) != 0
1262 || br_ssl_engine_recvapp_buf(cc, &len) != NULL)
1263 {
1264 return 0;
1265 }
1266 jump_handshake(cc, 2);
1267 return 1;
1268 }
1269
1270 /* see bearssl.h */
1271 unsigned
br_ssl_engine_current_state(const br_ssl_engine_context * cc)1272 br_ssl_engine_current_state(const br_ssl_engine_context *cc)
1273 {
1274 unsigned s;
1275 size_t len;
1276
1277 if (br_ssl_engine_closed(cc)) {
1278 return BR_SSL_CLOSED;
1279 }
1280
1281 s = 0;
1282 if (br_ssl_engine_sendrec_buf(cc, &len) != NULL) {
1283 s |= BR_SSL_SENDREC;
1284 }
1285 if (br_ssl_engine_recvrec_buf(cc, &len) != NULL) {
1286 s |= BR_SSL_RECVREC;
1287 }
1288 if (br_ssl_engine_sendapp_buf(cc, &len) != NULL) {
1289 s |= BR_SSL_SENDAPP;
1290 }
1291 if (br_ssl_engine_recvapp_buf(cc, &len) != NULL) {
1292 s |= BR_SSL_RECVAPP;
1293 }
1294 return s;
1295 }
1296
1297 /* see bearssl_ssl.h */
1298 void
br_ssl_engine_flush(br_ssl_engine_context * cc,int force)1299 br_ssl_engine_flush(br_ssl_engine_context *cc, int force)
1300 {
1301 if (!br_ssl_engine_closed(cc) && (cc->application_data & 1) != 0) {
1302 sendpld_flush(cc, force);
1303 }
1304 }
1305
1306 /* see inner.h */
1307 void
br_ssl_engine_hs_reset(br_ssl_engine_context * cc,void (* hsinit)(void *),void (* hsrun)(void *))1308 br_ssl_engine_hs_reset(br_ssl_engine_context *cc,
1309 void (*hsinit)(void *), void (*hsrun)(void *))
1310 {
1311 engine_clearbuf(cc);
1312 cc->cpu.dp = cc->dp_stack;
1313 cc->cpu.rp = cc->rp_stack;
1314 hsinit(&cc->cpu);
1315 cc->hsrun = hsrun;
1316 cc->shutdown_recv = 0;
1317 cc->application_data = 0;
1318 cc->alert = 0;
1319 jump_handshake(cc, 0);
1320 }
1321
1322 /* see inner.h */
1323 br_tls_prf_impl
br_ssl_engine_get_PRF(br_ssl_engine_context * cc,int prf_id)1324 br_ssl_engine_get_PRF(br_ssl_engine_context *cc, int prf_id)
1325 {
1326 if (cc->session.version >= BR_TLS12) {
1327 if (prf_id == br_sha384_ID) {
1328 return cc->prf_sha384;
1329 } else {
1330 return cc->prf_sha256;
1331 }
1332 } else {
1333 return cc->prf10;
1334 }
1335 }
1336
1337 /* see inner.h */
1338 void
br_ssl_engine_compute_master(br_ssl_engine_context * cc,int prf_id,const void * pms,size_t pms_len)1339 br_ssl_engine_compute_master(br_ssl_engine_context *cc,
1340 int prf_id, const void *pms, size_t pms_len)
1341 {
1342 br_tls_prf_impl iprf;
1343 br_tls_prf_seed_chunk seed[2] = {
1344 { cc->client_random, sizeof cc->client_random },
1345 { cc->server_random, sizeof cc->server_random }
1346 };
1347
1348 iprf = br_ssl_engine_get_PRF(cc, prf_id);
1349 iprf(cc->session.master_secret, sizeof cc->session.master_secret,
1350 pms, pms_len, "master secret", 2, seed);
1351 }
1352
1353 /*
1354 * Compute key block.
1355 */
1356 static void
compute_key_block(br_ssl_engine_context * cc,int prf_id,size_t half_len,unsigned char * kb)1357 compute_key_block(br_ssl_engine_context *cc, int prf_id,
1358 size_t half_len, unsigned char *kb)
1359 {
1360 br_tls_prf_impl iprf;
1361 br_tls_prf_seed_chunk seed[2] = {
1362 { cc->server_random, sizeof cc->server_random },
1363 { cc->client_random, sizeof cc->client_random }
1364 };
1365
1366 iprf = br_ssl_engine_get_PRF(cc, prf_id);
1367 iprf(kb, half_len << 1,
1368 cc->session.master_secret, sizeof cc->session.master_secret,
1369 "key expansion", 2, seed);
1370 }
1371
1372 /* see inner.h */
1373 void
br_ssl_engine_switch_cbc_in(br_ssl_engine_context * cc,int is_client,int prf_id,int mac_id,const br_block_cbcdec_class * bc_impl,size_t cipher_key_len)1374 br_ssl_engine_switch_cbc_in(br_ssl_engine_context *cc,
1375 int is_client, int prf_id, int mac_id,
1376 const br_block_cbcdec_class *bc_impl, size_t cipher_key_len)
1377 {
1378 unsigned char kb[192];
1379 unsigned char *cipher_key, *mac_key, *iv;
1380 const br_hash_class *imh;
1381 size_t mac_key_len, mac_out_len, iv_len;
1382
1383 imh = br_ssl_engine_get_hash(cc, mac_id);
1384 mac_out_len = (imh->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK;
1385 mac_key_len = mac_out_len;
1386
1387 /*
1388 * TLS 1.1+ uses per-record explicit IV, so no IV to generate here.
1389 */
1390 if (cc->session.version >= BR_TLS11) {
1391 iv_len = 0;
1392 } else {
1393 iv_len = bc_impl->block_size;
1394 }
1395 compute_key_block(cc, prf_id,
1396 mac_key_len + cipher_key_len + iv_len, kb);
1397 if (is_client) {
1398 mac_key = &kb[mac_key_len];
1399 cipher_key = &kb[(mac_key_len << 1) + cipher_key_len];
1400 iv = &kb[((mac_key_len + cipher_key_len) << 1) + iv_len];
1401 } else {
1402 mac_key = &kb[0];
1403 cipher_key = &kb[mac_key_len << 1];
1404 iv = &kb[(mac_key_len + cipher_key_len) << 1];
1405 }
1406 if (iv_len == 0) {
1407 iv = NULL;
1408 }
1409 cc->icbc_in->init(&cc->in.cbc.vtable,
1410 bc_impl, cipher_key, cipher_key_len,
1411 imh, mac_key, mac_key_len, mac_out_len, iv);
1412 cc->incrypt = 1;
1413 }
1414
1415 /* see inner.h */
1416 void
br_ssl_engine_switch_cbc_out(br_ssl_engine_context * cc,int is_client,int prf_id,int mac_id,const br_block_cbcenc_class * bc_impl,size_t cipher_key_len)1417 br_ssl_engine_switch_cbc_out(br_ssl_engine_context *cc,
1418 int is_client, int prf_id, int mac_id,
1419 const br_block_cbcenc_class *bc_impl, size_t cipher_key_len)
1420 {
1421 unsigned char kb[192];
1422 unsigned char *cipher_key, *mac_key, *iv;
1423 const br_hash_class *imh;
1424 size_t mac_key_len, mac_out_len, iv_len;
1425
1426 imh = br_ssl_engine_get_hash(cc, mac_id);
1427 mac_out_len = (imh->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK;
1428 mac_key_len = mac_out_len;
1429
1430 /*
1431 * TLS 1.1+ uses per-record explicit IV, so no IV to generate here.
1432 */
1433 if (cc->session.version >= BR_TLS11) {
1434 iv_len = 0;
1435 } else {
1436 iv_len = bc_impl->block_size;
1437 }
1438 compute_key_block(cc, prf_id,
1439 mac_key_len + cipher_key_len + iv_len, kb);
1440 if (is_client) {
1441 mac_key = &kb[0];
1442 cipher_key = &kb[mac_key_len << 1];
1443 iv = &kb[(mac_key_len + cipher_key_len) << 1];
1444 } else {
1445 mac_key = &kb[mac_key_len];
1446 cipher_key = &kb[(mac_key_len << 1) + cipher_key_len];
1447 iv = &kb[((mac_key_len + cipher_key_len) << 1) + iv_len];
1448 }
1449 if (iv_len == 0) {
1450 iv = NULL;
1451 }
1452 cc->icbc_out->init(&cc->out.cbc.vtable,
1453 bc_impl, cipher_key, cipher_key_len,
1454 imh, mac_key, mac_key_len, mac_out_len, iv);
1455 }
1456
1457 /* see inner.h */
1458 void
br_ssl_engine_switch_gcm_in(br_ssl_engine_context * cc,int is_client,int prf_id,const br_block_ctr_class * bc_impl,size_t cipher_key_len)1459 br_ssl_engine_switch_gcm_in(br_ssl_engine_context *cc,
1460 int is_client, int prf_id,
1461 const br_block_ctr_class *bc_impl, size_t cipher_key_len)
1462 {
1463 unsigned char kb[72];
1464 unsigned char *cipher_key, *iv;
1465
1466 compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1467 if (is_client) {
1468 cipher_key = &kb[cipher_key_len];
1469 iv = &kb[(cipher_key_len << 1) + 4];
1470 } else {
1471 cipher_key = &kb[0];
1472 iv = &kb[cipher_key_len << 1];
1473 }
1474 cc->igcm_in->init(&cc->in.gcm.vtable.in,
1475 bc_impl, cipher_key, cipher_key_len, cc->ighash, iv);
1476 cc->incrypt = 1;
1477 }
1478
1479 /* see inner.h */
1480 void
br_ssl_engine_switch_gcm_out(br_ssl_engine_context * cc,int is_client,int prf_id,const br_block_ctr_class * bc_impl,size_t cipher_key_len)1481 br_ssl_engine_switch_gcm_out(br_ssl_engine_context *cc,
1482 int is_client, int prf_id,
1483 const br_block_ctr_class *bc_impl, size_t cipher_key_len)
1484 {
1485 unsigned char kb[72];
1486 unsigned char *cipher_key, *iv;
1487
1488 compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1489 if (is_client) {
1490 cipher_key = &kb[0];
1491 iv = &kb[cipher_key_len << 1];
1492 } else {
1493 cipher_key = &kb[cipher_key_len];
1494 iv = &kb[(cipher_key_len << 1) + 4];
1495 }
1496 cc->igcm_out->init(&cc->out.gcm.vtable.out,
1497 bc_impl, cipher_key, cipher_key_len, cc->ighash, iv);
1498 }
1499
1500 /* see inner.h */
1501 void
br_ssl_engine_switch_chapol_in(br_ssl_engine_context * cc,int is_client,int prf_id)1502 br_ssl_engine_switch_chapol_in(br_ssl_engine_context *cc,
1503 int is_client, int prf_id)
1504 {
1505 unsigned char kb[88];
1506 unsigned char *cipher_key, *iv;
1507
1508 compute_key_block(cc, prf_id, 44, kb);
1509 if (is_client) {
1510 cipher_key = &kb[32];
1511 iv = &kb[76];
1512 } else {
1513 cipher_key = &kb[0];
1514 iv = &kb[64];
1515 }
1516 cc->ichapol_in->init(&cc->in.chapol.vtable.in,
1517 cc->ichacha, cc->ipoly, cipher_key, iv);
1518 cc->incrypt = 1;
1519 }
1520
1521 /* see inner.h */
1522 void
br_ssl_engine_switch_chapol_out(br_ssl_engine_context * cc,int is_client,int prf_id)1523 br_ssl_engine_switch_chapol_out(br_ssl_engine_context *cc,
1524 int is_client, int prf_id)
1525 {
1526 unsigned char kb[88];
1527 unsigned char *cipher_key, *iv;
1528
1529 compute_key_block(cc, prf_id, 44, kb);
1530 if (is_client) {
1531 cipher_key = &kb[0];
1532 iv = &kb[64];
1533 } else {
1534 cipher_key = &kb[32];
1535 iv = &kb[76];
1536 }
1537 cc->ichapol_out->init(&cc->out.chapol.vtable.out,
1538 cc->ichacha, cc->ipoly, cipher_key, iv);
1539 }
1540
1541 /* see inner.h */
1542 void
br_ssl_engine_switch_ccm_in(br_ssl_engine_context * cc,int is_client,int prf_id,const br_block_ctrcbc_class * bc_impl,size_t cipher_key_len,size_t tag_len)1543 br_ssl_engine_switch_ccm_in(br_ssl_engine_context *cc,
1544 int is_client, int prf_id,
1545 const br_block_ctrcbc_class *bc_impl,
1546 size_t cipher_key_len, size_t tag_len)
1547 {
1548 unsigned char kb[72];
1549 unsigned char *cipher_key, *iv;
1550
1551 compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1552 if (is_client) {
1553 cipher_key = &kb[cipher_key_len];
1554 iv = &kb[(cipher_key_len << 1) + 4];
1555 } else {
1556 cipher_key = &kb[0];
1557 iv = &kb[cipher_key_len << 1];
1558 }
1559 cc->iccm_in->init(&cc->in.ccm.vtable.in,
1560 bc_impl, cipher_key, cipher_key_len, iv, tag_len);
1561 cc->incrypt = 1;
1562 }
1563
1564 /* see inner.h */
1565 void
br_ssl_engine_switch_ccm_out(br_ssl_engine_context * cc,int is_client,int prf_id,const br_block_ctrcbc_class * bc_impl,size_t cipher_key_len,size_t tag_len)1566 br_ssl_engine_switch_ccm_out(br_ssl_engine_context *cc,
1567 int is_client, int prf_id,
1568 const br_block_ctrcbc_class *bc_impl,
1569 size_t cipher_key_len, size_t tag_len)
1570 {
1571 unsigned char kb[72];
1572 unsigned char *cipher_key, *iv;
1573
1574 compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1575 if (is_client) {
1576 cipher_key = &kb[0];
1577 iv = &kb[cipher_key_len << 1];
1578 } else {
1579 cipher_key = &kb[cipher_key_len];
1580 iv = &kb[(cipher_key_len << 1) + 4];
1581 }
1582 cc->iccm_out->init(&cc->out.ccm.vtable.out,
1583 bc_impl, cipher_key, cipher_key_len, iv, tag_len);
1584 }
1585