1 // Copyright 2015 The BoringSSL Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include <openssl/ssl.h>
16 
17 #include <assert.h>
18 #include <limits.h>
19 #include <stdlib.h>
20 #include <string.h>
21 
22 #include <openssl/bio.h>
23 #include <openssl/err.h>
24 #include <openssl/mem.h>
25 
26 #include "../crypto/internal.h"
27 #include "internal.h"
28 
29 
30 BSSL_NAMESPACE_BEGIN
31 
32 // BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will
33 // not overflow.
34 static_assert(0xffff <= INT_MAX, "uint16_t does not fit in int");
35 
36 static_assert((SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) == 0,
37               "SSL3_ALIGN_PAYLOAD must be a power of 2");
38 
Clear()39 void SSLBuffer::Clear() {
40   if (buf_ != inline_buf_) {
41     free(buf_);  // Allocated with malloc().
42   }
43   buf_ = nullptr;
44   offset_ = 0;
45   size_ = 0;
46   cap_ = 0;
47 }
48 
EnsureCap(size_t header_len,size_t new_cap)49 bool SSLBuffer::EnsureCap(size_t header_len, size_t new_cap) {
50   if (new_cap > 0xffff) {
51     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
52     return false;
53   }
54 
55   if (cap_ >= new_cap) {
56     return true;
57   }
58 
59   uint8_t *new_buf;
60   size_t new_offset;
61   if (new_cap <= sizeof(inline_buf_)) {
62     // This function is called twice per TLS record, first for the five-byte
63     // header. To avoid allocating twice, use an inline buffer for short inputs.
64     new_buf = inline_buf_;
65     new_offset = 0;
66   } else {
67     // Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment.
68     //
69     // Since this buffer gets allocated quite frequently and doesn't contain any
70     // sensitive data, we allocate with malloc rather than |OPENSSL_malloc| and
71     // avoid zeroing on free.
72     new_buf = (uint8_t *)malloc(new_cap + SSL3_ALIGN_PAYLOAD - 1);
73     if (new_buf == NULL) {
74       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
75       return false;
76     }
77 
78     // Offset the buffer such that the record body is aligned.
79     new_offset =
80         (0 - header_len - (uintptr_t)new_buf) & (SSL3_ALIGN_PAYLOAD - 1);
81   }
82 
83   // Note if the both old and new buffer are inline, the source and destination
84   // may alias.
85   OPENSSL_memmove(new_buf + new_offset, buf_ + offset_, size_);
86 
87   if (buf_ != inline_buf_) {
88     free(buf_);  // Allocated with malloc().
89   }
90 
91   buf_ = new_buf;
92   offset_ = new_offset;
93   cap_ = new_cap;
94   return true;
95 }
96 
DidWrite(size_t new_size)97 void SSLBuffer::DidWrite(size_t new_size) {
98   if (new_size > cap() - size()) {
99     abort();
100   }
101   size_ += new_size;
102 }
103 
Consume(size_t len)104 void SSLBuffer::Consume(size_t len) {
105   if (len > size_) {
106     abort();
107   }
108   offset_ += (uint16_t)len;
109   size_ -= (uint16_t)len;
110   cap_ -= (uint16_t)len;
111 }
112 
DiscardConsumed()113 void SSLBuffer::DiscardConsumed() {
114   if (size_ == 0) {
115     Clear();
116   }
117 }
118 
dtls_read_buffer_next_packet(SSL * ssl)119 static int dtls_read_buffer_next_packet(SSL *ssl) {
120   SSLBuffer *buf = &ssl->s3->read_buffer;
121 
122   if (!buf->empty()) {
123     // It is an error to call |dtls_read_buffer_extend| when the read buffer is
124     // not empty.
125     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
126     return -1;
127   }
128 
129   // Read a single packet from |ssl->rbio|. |buf->cap()| must fit in an int.
130   int ret =
131       BIO_read(ssl->rbio.get(), buf->data(), static_cast<int>(buf->cap()));
132   if (ret <= 0) {
133     ssl->s3->rwstate = SSL_ERROR_WANT_READ;
134     return ret;
135   }
136   buf->DidWrite(static_cast<size_t>(ret));
137   return 1;
138 }
139 
tls_read_buffer_extend_to(SSL * ssl,size_t len)140 static int tls_read_buffer_extend_to(SSL *ssl, size_t len) {
141   SSLBuffer *buf = &ssl->s3->read_buffer;
142 
143   if (len > buf->cap()) {
144     OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
145     return -1;
146   }
147 
148   // Read until the target length is reached.
149   while (buf->size() < len) {
150     // The amount of data to read is bounded by |buf->cap|, which must fit in an
151     // int.
152     int ret = BIO_read(ssl->rbio.get(), buf->data() + buf->size(),
153                        static_cast<int>(len - buf->size()));
154     if (ret <= 0) {
155       ssl->s3->rwstate = SSL_ERROR_WANT_READ;
156       return ret;
157     }
158     buf->DidWrite(static_cast<size_t>(ret));
159   }
160 
161   return 1;
162 }
163 
ssl_read_buffer_extend_to(SSL * ssl,size_t len)164 int ssl_read_buffer_extend_to(SSL *ssl, size_t len) {
165   // |ssl_read_buffer_extend_to| implicitly discards any consumed data.
166   ssl->s3->read_buffer.DiscardConsumed();
167 
168   if (SSL_is_dtls(ssl)) {
169     static_assert(
170         DTLS1_RT_MAX_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= 0xffff,
171         "DTLS read buffer is too large");
172 
173     // The |len| parameter is ignored in DTLS.
174     len = DTLS1_RT_MAX_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
175   }
176 
177   // The DTLS record header can have a variable length, so the |header_len|
178   // value provided for buffer alignment only works if the header is the maximum
179   // length.
180   if (!ssl->s3->read_buffer.EnsureCap(DTLS1_RT_MAX_HEADER_LENGTH, len)) {
181     return -1;
182   }
183 
184   if (ssl->rbio == nullptr) {
185     OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);
186     return -1;
187   }
188 
189   int ret;
190   if (SSL_is_dtls(ssl)) {
191     // |len| is ignored for a datagram transport.
192     ret = dtls_read_buffer_next_packet(ssl);
193   } else {
194     ret = tls_read_buffer_extend_to(ssl, len);
195   }
196 
197   if (ret <= 0) {
198     // If the buffer was empty originally and remained empty after attempting to
199     // extend it, release the buffer until the next attempt.
200     ssl->s3->read_buffer.DiscardConsumed();
201   }
202   return ret;
203 }
204 
ssl_handle_open_record(SSL * ssl,bool * out_retry,ssl_open_record_t ret,size_t consumed,uint8_t alert)205 int ssl_handle_open_record(SSL *ssl, bool *out_retry, ssl_open_record_t ret,
206                            size_t consumed, uint8_t alert) {
207   *out_retry = false;
208   if (ret != ssl_open_record_partial) {
209     ssl->s3->read_buffer.Consume(consumed);
210   }
211   if (ret != ssl_open_record_success) {
212     // Nothing was returned to the caller, so discard anything marked consumed.
213     ssl->s3->read_buffer.DiscardConsumed();
214   }
215   switch (ret) {
216     case ssl_open_record_success:
217       return 1;
218 
219     case ssl_open_record_partial: {
220       int read_ret = ssl_read_buffer_extend_to(ssl, consumed);
221       if (read_ret <= 0) {
222         return read_ret;
223       }
224       *out_retry = true;
225       return 1;
226     }
227 
228     case ssl_open_record_discard:
229       *out_retry = true;
230       return 1;
231 
232     case ssl_open_record_close_notify:
233       ssl->s3->rwstate = SSL_ERROR_ZERO_RETURN;
234       return 0;
235 
236     case ssl_open_record_error:
237       if (alert != 0) {
238         ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
239       }
240       return -1;
241   }
242   assert(0);
243   return -1;
244 }
245 
246 
247 static_assert(SSL3_RT_HEADER_LENGTH * 2 +
248                       SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD * 2 +
249                       SSL3_RT_MAX_PLAIN_LENGTH <=
250                   0xffff,
251               "maximum TLS write buffer is too large");
252 
253 static_assert(DTLS1_RT_MAX_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD +
254                       SSL3_RT_MAX_PLAIN_LENGTH <=
255                   0xffff,
256               "maximum DTLS write buffer is too large");
257 
tls_write_buffer_flush(SSL * ssl)258 static int tls_write_buffer_flush(SSL *ssl) {
259   SSLBuffer *buf = &ssl->s3->write_buffer;
260 
261   while (!buf->empty()) {
262     int ret = BIO_write(ssl->wbio.get(), buf->data(), buf->size());
263     if (ret <= 0) {
264       ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;
265       return ret;
266     }
267     buf->Consume(static_cast<size_t>(ret));
268   }
269   buf->Clear();
270   return 1;
271 }
272 
dtls_write_buffer_flush(SSL * ssl)273 static int dtls_write_buffer_flush(SSL *ssl) {
274   SSLBuffer *buf = &ssl->s3->write_buffer;
275   if (buf->empty()) {
276     return 1;
277   }
278 
279   int ret = BIO_write(ssl->wbio.get(), buf->data(), buf->size());
280   if (ret <= 0) {
281     ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;
282     // If the write failed, drop the write buffer anyway. Datagram transports
283     // can't write half a packet, so the caller is expected to retry from the
284     // top.
285     buf->Clear();
286     return ret;
287   }
288   buf->Clear();
289   return 1;
290 }
291 
ssl_write_buffer_flush(SSL * ssl)292 int ssl_write_buffer_flush(SSL *ssl) {
293   if (ssl->wbio == nullptr) {
294     OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);
295     return -1;
296   }
297 
298   if (SSL_is_dtls(ssl)) {
299     return dtls_write_buffer_flush(ssl);
300   } else {
301     return tls_write_buffer_flush(ssl);
302   }
303 }
304 
305 BSSL_NAMESPACE_END
306