[thirdparty/openssl.git] / ssl / record / methods / tls13_meth.c

/*
 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/evp.h>
#include <openssl/core_names.h>
#include "../../ssl_local.h"
#include "../record_local.h"
#include "recmethod_local.h"

static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
                                  unsigned char *key, size_t keylen,
                                  unsigned char *iv, size_t ivlen,
                                  unsigned char *mackey, size_t mackeylen,
                                  const EVP_CIPHER *ciph,
                                  size_t taglen,
                                  int mactype,
                                  const EVP_MD *md,
                                  COMP_METHOD *comp)
{
    EVP_CIPHER_CTX *ciph_ctx;
    int mode;
    int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0;

    if (ivlen > sizeof(rl->iv)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        return OSSL_RECORD_RETURN_FATAL;
    }
    memcpy(rl->iv, iv, ivlen);

    ciph_ctx = rl->enc_ctx = EVP_CIPHER_CTX_new();
    if (ciph_ctx == NULL) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        return OSSL_RECORD_RETURN_FATAL;
    }

    rl->taglen = taglen;

    mode = EVP_CIPHER_get_mode(ciph);

    if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, enc) <= 0
        || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen,
                               NULL) <= 0
        || (mode == EVP_CIPH_CCM_MODE
            && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen,
                                   NULL) <= 0)
        || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, enc) <= 0) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        return OSSL_RECORD_RETURN_FATAL;
    }

    return OSSL_RECORD_RETURN_SUCCESS;
}

static int tls13_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
                        int sending, SSL_MAC_BUF *mac, size_t macsize)
{
    EVP_CIPHER_CTX *ctx;
    unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH];
    size_t ivlen, offset, loop, hdrlen;
    unsigned char *staticiv;
    unsigned char *seq = rl->sequence;
    int lenu, lenf;
    SSL3_RECORD *rec = &recs[0];
    WPACKET wpkt;
    const EVP_CIPHER *cipher;
    int mode;

    if (n_recs != 1) {
        /* Should not happen */
        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    ctx = rl->enc_ctx;
    staticiv = rl->iv;

    cipher = EVP_CIPHER_CTX_get0_cipher(ctx);
    if (cipher == NULL) {
        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    mode = EVP_CIPHER_get_mode(cipher);

    /*
     * If we're sending an alert and ctx != NULL then we must be forcing
     * plaintext alerts. If we're reading and ctx != NULL then we allow
     * plaintext alerts at certain points in the handshake. If we've got this
     * far then we have already validated that a plaintext alert is ok here.
     */
    if (ctx == NULL || rec->type == SSL3_RT_ALERT) {
        memmove(rec->data, rec->input, rec->length);
        rec->input = rec->data;
        return 1;
    }

    ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);

    if (!sending) {
        /*
         * Take off tag. There must be at least one byte of content type as
         * well as the tag
         */
        if (rec->length < rl->taglen + 1)
            return 0;
        rec->length -= rl->taglen;
    }

    /* Set up IV */
    if (ivlen < SEQ_NUM_SIZE) {
        /* Should not happen */
        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    offset = ivlen - SEQ_NUM_SIZE;
    memcpy(iv, staticiv, offset);
    for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
        iv[offset + loop] = staticiv[offset + loop] ^ seq[loop];

    /* Increment the sequence counter */
    for (loop = SEQ_NUM_SIZE; loop > 0; loop--) {
        ++seq[loop - 1];
        if (seq[loop - 1] != 0)
            break;
    }
    if (loop == 0) {
        /* Sequence has wrapped */
        return 0;
    }

    if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0
            || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
                                                rl->taglen,
                                                rec->data + rec->length) <= 0)) {
        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /* Set up the AAD */
    if (!WPACKET_init_static_len(&wpkt, recheader, sizeof(recheader), 0)
            || !WPACKET_put_bytes_u8(&wpkt, rec->type)
            || !WPACKET_put_bytes_u16(&wpkt, rec->rec_version)
            || !WPACKET_put_bytes_u16(&wpkt, rec->length + rl->taglen)
            || !WPACKET_get_total_written(&wpkt, &hdrlen)
            || hdrlen != SSL3_RT_HEADER_LENGTH
            || !WPACKET_finish(&wpkt)) {
        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        WPACKET_cleanup(&wpkt);
        return 0;
    }

    /*
     * For CCM we must explicitly set the total plaintext length before we add
     * any AAD.
     */
    if ((mode == EVP_CIPH_CCM_MODE
                 && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
                                     (unsigned int)rec->length) <= 0)
            || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
                                sizeof(recheader)) <= 0
            || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
                                (unsigned int)rec->length) <= 0
            || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
            || (size_t)(lenu + lenf) != rec->length) {
        return 0;
    }
    if (sending) {
        /* Add the tag */
        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen,
                                rec->data + rec->length) <= 0) {
            RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
        rec->length += rl->taglen;
    }

    return 1;
}

static int tls13_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
{
    if (rec->type != SSL3_RT_APPLICATION_DATA
            && (rec->type != SSL3_RT_CHANGE_CIPHER_SPEC
                || !rl->is_first_handshake)
            && (rec->type != SSL3_RT_ALERT || !rl->allow_plain_alerts)) {
        RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
        return 0;
    }

    if (rec->rec_version != TLS1_2_VERSION) {
        RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_WRONG_VERSION_NUMBER);
        return 0;
    }

    if (rec->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
        RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
                    SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
        return 0;
    }
    return 1;
}

static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
{
    /* Skip this if we've received a plaintext alert */
    if (rec->type != SSL3_RT_ALERT) {
        size_t end;

        if (rec->length == 0
                || rec->type != SSL3_RT_APPLICATION_DATA) {
            RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
                        SSL_R_BAD_RECORD_TYPE);
            return 0;
        }

        /* Strip trailing padding */
        for (end = rec->length - 1; end > 0 && rec->data[end] == 0; end--)
            continue;

        rec->length = end;
        rec->type = rec->data[end];
    }

    if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
        RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
        return 0;
    }

    if (!tls13_common_post_process_record(rl, rec)) {
        /* RLAYERfatal already called */
        return 0;
    }

    return 1;
}

static unsigned int tls13_get_record_type(OSSL_RECORD_LAYER *rl,
                                          OSSL_RECORD_TEMPLATE *template)
{
    if (rl->allow_plain_alerts && template->type == SSL3_RT_ALERT)
        return  SSL3_RT_ALERT;

    /*
     * Aside from the above case we always use the application data record type
     * when encrypting in TLSv1.3. The "inner" record type encodes the "real"
     * record type from the template.
     */
    return SSL3_RT_APPLICATION_DATA;
}

static int tls13_add_record_padding(OSSL_RECORD_LAYER *rl,
                                    OSSL_RECORD_TEMPLATE *thistempl,
                                    WPACKET *thispkt,
                                    SSL3_RECORD *thiswr)
{
    size_t rlen;

    /* Nothing to be done in the case of a plaintext alert */
    if (rl->allow_plain_alerts && thistempl->type != SSL3_RT_ALERT)
        return 1;

    if (!WPACKET_put_bytes_u8(thispkt, thistempl->type)) {
        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    SSL3_RECORD_add_length(thiswr, 1);

    /* Add TLS1.3 padding */
    rlen = SSL3_RECORD_get_length(thiswr);
    if (rlen < rl->max_frag_len) {
        size_t padding = 0;
        size_t max_padding = rl->max_frag_len - rlen;

        if (rl->padding != NULL) {
            padding = rl->padding(rl->cbarg, thistempl->type, rlen);
        } else if (rl->block_padding > 0) {
            size_t mask = rl->block_padding - 1;
            size_t remainder;

            /* optimize for power of 2 */
            if ((rl->block_padding & mask) == 0)
                remainder = rlen & mask;
            else
                remainder = rlen % rl->block_padding;
            /* don't want to add a block of padding if we don't have to */
            if (remainder == 0)
                padding = 0;
            else
                padding = rl->block_padding - remainder;
        }
        if (padding > 0) {
            /* do not allow the record to exceed max plaintext length */
            if (padding > max_padding)
                padding = max_padding;
            if (!WPACKET_memset(thispkt, 0, padding)) {
                RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
                            ERR_R_INTERNAL_ERROR);
                return 0;
            }
            SSL3_RECORD_add_length(thiswr, padding);
        }
    }

    return 1;
}

struct record_functions_st tls_1_3_funcs = {
    tls13_set_crypto_state,
    tls13_cipher,
    NULL,
    tls_default_set_protocol_version,
    tls_default_read_n,
    tls_get_more_records,
    tls13_validate_record_header,
    tls13_post_process_record,
    tls_get_max_records_default,
    tls_write_records_default,
    tls_allocate_write_buffers_default,
    tls_initialise_write_packets_default,
    tls13_get_record_type,
    tls_prepare_record_header_default,
    tls13_add_record_padding,
    tls_prepare_for_encryption_default,
    tls_post_encryption_processing_default,
    NULL
};
Commit	Line	Data
50023e9b MC	1	/*
	2	* Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <openssl/evp.h>
	11	#include <openssl/core_names.h>
	12	#include "../../ssl_local.h"
	13	#include "../record_local.h"
	14	#include "recmethod_local.h"
	15
	16	static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
	17	unsigned char *key, size_t keylen,
	18	unsigned char *iv, size_t ivlen,
	19	unsigned char *mackey, size_t mackeylen,
	20	const EVP_CIPHER *ciph,
	21	size_t taglen,
50023e9b MC	22	int mactype,
50023e9b MC	23	const EVP_MD *md,
1e76110b	24	COMP_METHOD *comp)
50023e9b MC	25	{
	26	EVP_CIPHER_CTX *ciph_ctx;
	27	int mode;
2c50d7fb	28	int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0;
50023e9b MC	29
50023e9b MC	30	if (ivlen > sizeof(rl->iv)) {
7c293999 MC	31	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	32	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	33	}
	34	memcpy(rl->iv, iv, ivlen);
	35
6366bdd9	36	ciph_ctx = rl->enc_ctx = EVP_CIPHER_CTX_new();
50023e9b	37	if (ciph_ctx == NULL) {
7c293999 MC	38	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	39	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	40	}
50023e9b MC	41
50023e9b MC	42	rl->taglen = taglen;
	43
	44	mode = EVP_CIPHER_get_mode(ciph);
	45
2c50d7fb	46	if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, enc) <= 0
1704961c MC	47	\|\| EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen,
1704961c MC	48	NULL) <= 0
50023e9b	49	\|\| (mode == EVP_CIPH_CCM_MODE
1704961c MC	50	&& EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen,
1704961c MC	51	NULL) <= 0)
2c50d7fb	52	\|\| EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, enc) <= 0) {
7c293999 MC	53	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	54	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	55	}
50023e9b MC	56
7c293999	57	return OSSL_RECORD_RETURN_SUCCESS;
50023e9b MC	58	}
	59
	60	static int tls13_cipher(OSSL_RECORD_LAYER rl, SSL3_RECORD recs, size_t n_recs,
8124ab56	61	int sending, SSL_MAC_BUF *mac, size_t macsize)
50023e9b MC	62	{
	63	EVP_CIPHER_CTX *ctx;
	64	unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH];
	65	size_t ivlen, offset, loop, hdrlen;
	66	unsigned char *staticiv;
0755722c	67	unsigned char *seq = rl->sequence;
50023e9b MC	68	int lenu, lenf;
	69	SSL3_RECORD *rec = &recs[0];
	70	WPACKET wpkt;
	71	const EVP_CIPHER *cipher;
	72	int mode;
	73
	74	if (n_recs != 1) {
	75	/* Should not happen */
	76	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	77	return 0;
	78	}
	79
6366bdd9 MC	80	ctx = rl->enc_ctx;
6366bdd9 MC	81	staticiv = rl->iv;
50023e9b MC	82
	83	cipher = EVP_CIPHER_CTX_get0_cipher(ctx);
	84	if (cipher == NULL) {
	85	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	86	return 0;
	87	}
	88	mode = EVP_CIPHER_get_mode(cipher);
	89
	90	/*
	91	* If we're sending an alert and ctx != NULL then we must be forcing
	92	* plaintext alerts. If we're reading and ctx != NULL then we allow
	93	* plaintext alerts at certain points in the handshake. If we've got this
	94	* far then we have already validated that a plaintext alert is ok here.
	95	*/
	96	if (ctx == NULL \|\| rec->type == SSL3_RT_ALERT) {
	97	memmove(rec->data, rec->input, rec->length);
	98	rec->input = rec->data;
	99	return 1;
	100	}
	101
	102	ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
	103
	104	if (!sending) {
	105	/*
	106	* Take off tag. There must be at least one byte of content type as
	107	* well as the tag
	108	*/
	109	if (rec->length < rl->taglen + 1)
	110	return 0;
	111	rec->length -= rl->taglen;
	112	}
	113
	114	/* Set up IV */
	115	if (ivlen < SEQ_NUM_SIZE) {
	116	/* Should not happen */
	117	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	118	return 0;
	119	}
	120	offset = ivlen - SEQ_NUM_SIZE;
	121	memcpy(iv, staticiv, offset);
	122	for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
	123	iv[offset + loop] = staticiv[offset + loop] ^ seq[loop];
	124
	125	/* Increment the sequence counter */
	126	for (loop = SEQ_NUM_SIZE; loop > 0; loop--) {
	127	++seq[loop - 1];
	128	if (seq[loop - 1] != 0)
	129	break;
	130	}
	131	if (loop == 0) {
	132	/* Sequence has wrapped */
	133	return 0;
	134	}
	135
	136	if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0
	137	\|\| (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
	138	rl->taglen,
	139	rec->data + rec->length) <= 0)) {
	140	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	141	return 0;
	142	}
	143
	144	/* Set up the AAD */
	145	if (!WPACKET_init_static_len(&wpkt, recheader, sizeof(recheader), 0)
146	\|\| !WPACKET_put_bytes_u8(&wpkt, rec->type)
147	\|\| !WPACKET_put_bytes_u16(&wpkt, rec->rec_version)
148	\|\| !WPACKET_put_bytes_u16(&wpkt, rec->length + rl->taglen)
149	\|\| !WPACKET_get_total_written(&wpkt, &hdrlen)
150	\|\| hdrlen != SSL3_RT_HEADER_LENGTH
151	\|\| !WPACKET_finish(&wpkt)) {
152	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
153	WPACKET_cleanup(&wpkt);
154	return 0;
155	}
156
157	/*
158	* For CCM we must explicitly set the total plaintext length before we add
159	* any AAD.
160	*/
161	if ((mode == EVP_CIPH_CCM_MODE
162	&& EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
163	(unsigned int)rec->length) <= 0)
164	\|\| EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
165	sizeof(recheader)) <= 0
166	\|\| EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
167	(unsigned int)rec->length) <= 0
168	\|\| EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
169	\|\| (size_t)(lenu + lenf) != rec->length) {
170	return 0;
171	}
172	if (sending) {
173	/* Add the tag */
174	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen,
175	rec->data + rec->length) <= 0) {
176	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
177	return 0;
178	}
179	rec->length += rl->taglen;
180	}
181
182	return 1;
183	}
184
1853d20a MC	185	static int tls13_validate_record_header(OSSL_RECORD_LAYER rl, SSL3_RECORD rec)
	186	{
	187	if (rec->type != SSL3_RT_APPLICATION_DATA
	188	&& (rec->type != SSL3_RT_CHANGE_CIPHER_SPEC
	189	\|\| !rl->is_first_handshake)
	190	&& (rec->type != SSL3_RT_ALERT \|\| !rl->allow_plain_alerts)) {
	191	RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
	192	return 0;
	193	}
	194
	195	if (rec->rec_version != TLS1_2_VERSION) {
	196	RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_WRONG_VERSION_NUMBER);
	197	return 0;
	198	}
	199
	200	if (rec->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
	201	RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
	202	SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
	203	return 0;
	204	}
	205	return 1;
	206	}
	207
8124ab56	208	static int tls13_post_process_record(OSSL_RECORD_LAYER rl, SSL3_RECORD rec)
1853d20a MC	209	{
	210	/* Skip this if we've received a plaintext alert */
	211	if (rec->type != SSL3_RT_ALERT) {
	212	size_t end;
	213
	214	if (rec->length == 0
	215	\|\| rec->type != SSL3_RT_APPLICATION_DATA) {
	216	RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
	217	SSL_R_BAD_RECORD_TYPE);
	218	return 0;
	219	}
	220
	221	/* Strip trailing padding */
1704961c	222	for (end = rec->length - 1; end > 0 && rec->data[end] == 0; end--)
1853d20a MC	223	continue;
	224
	225	rec->length = end;
	226	rec->type = rec->data[end];
	227	}
	228
	229	if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
	230	RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
	231	return 0;
	232	}
	233
8124ab56	234	if (!tls13_common_post_process_record(rl, rec)) {
1853d20a MC	235	/* RLAYERfatal already called */
	236	return 0;
	237	}
	238
	239	return 1;
	240	}
	241
7ca61d63 MC	242	static unsigned int tls13_get_record_type(OSSL_RECORD_LAYER *rl,
	243	OSSL_RECORD_TEMPLATE *template)
	244	{
	245	if (rl->allow_plain_alerts && template->type == SSL3_RT_ALERT)
	246	return SSL3_RT_ALERT;
	247
	248	/*
	249	* Aside from the above case we always use the application data record type
	250	* when encrypting in TLSv1.3. The "inner" record type encodes the "real"
	251	* record type from the template.
	252	*/
	253	return SSL3_RT_APPLICATION_DATA;
	254	}
	255
2582de25 MC	256	static int tls13_add_record_padding(OSSL_RECORD_LAYER *rl,
	257	OSSL_RECORD_TEMPLATE *thistempl,
	258	WPACKET *thispkt,
	259	SSL3_RECORD *thiswr)
	260	{
	261	size_t rlen;
	262
	263	/* Nothing to be done in the case of a plaintext alert */
	264	if (rl->allow_plain_alerts && thistempl->type != SSL3_RT_ALERT)
	265	return 1;
	266
	267	if (!WPACKET_put_bytes_u8(thispkt, thistempl->type)) {
	268	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	269	return 0;
	270	}
	271	SSL3_RECORD_add_length(thiswr, 1);
	272
	273	/* Add TLS1.3 padding */
	274	rlen = SSL3_RECORD_get_length(thiswr);
	275	if (rlen < rl->max_frag_len) {
	276	size_t padding = 0;
	277	size_t max_padding = rl->max_frag_len - rlen;
	278
	279	if (rl->padding != NULL) {
	280	padding = rl->padding(rl->cbarg, thistempl->type, rlen);
	281	} else if (rl->block_padding > 0) {
	282	size_t mask = rl->block_padding - 1;
	283	size_t remainder;
	284
	285	/* optimize for power of 2 */
	286	if ((rl->block_padding & mask) == 0)
	287	remainder = rlen & mask;
	288	else
	289	remainder = rlen % rl->block_padding;
	290	/* don't want to add a block of padding if we don't have to */
	291	if (remainder == 0)
	292	padding = 0;
	293	else
	294	padding = rl->block_padding - remainder;
	295	}
	296	if (padding > 0) {
	297	/* do not allow the record to exceed max plaintext length */
	298	if (padding > max_padding)
	299	padding = max_padding;
	300	if (!WPACKET_memset(thispkt, 0, padding)) {
	301	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
	302	ERR_R_INTERNAL_ERROR);
	303	return 0;
	304	}
	305	SSL3_RECORD_add_length(thiswr, padding);
	306	}
	307	}
	308
	309	return 1;
	310	}
	311
50023e9b MC	312	struct record_functions_st tls_1_3_funcs = {
	313	tls13_set_crypto_state,
	314	tls13_cipher,
1853d20a MC	315	NULL,
1853d20a MC	316	tls_default_set_protocol_version,
bafe524b MC	317	tls_default_read_n,
bafe524b MC	318	tls_get_more_records,
1853d20a	319	tls13_validate_record_header,
bafe524b MC	320	tls13_post_process_record,
bafe524b MC	321	tls_get_max_records_default,
91fe8ff0 MC	322	tls_write_records_default,
91fe8ff0 MC	323	tls_allocate_write_buffers_default,
7ca61d63	324	tls_initialise_write_packets_default,
aca70ca8	325	tls13_get_record_type,
2582de25	326	tls_prepare_record_header_default,
757ef3ba	327	tls13_add_record_padding,
2a354d54	328	tls_prepare_for_encryption_default,
ace38195 MC	329	tls_post_encryption_processing_default,
ace38195 MC	330	NULL
50023e9b	331	};