author | Joel Sing <jsing@cvs.openbsd.org> | 2019-01-20 09:12:06 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2019-01-20 09:12:06 +0000 |
commit | 0ada793239c83738fe19255a6de50a9bcb123f25 (patch) | |
tree | 297f2a15908ced9af5e701981baccb2fa827ea49 | |
parent | 14aae1d23d27195b5759b6bdba21d2294efa08ff (diff) |
Provide a way to get just the record header.
Also check record size limits when reading records and setting data.
ok tb@
-rw-r--r-- | lib/libssl/tls13_record.c | 24 | ||||
-rw-r--r-- | lib/libssl/tls13_record.h | 16 |
2 files changed, 33 insertions, 7 deletions
diff --git a/lib/libssl/tls13_record.c b/lib/libssl/tls13_record.c
index 857d3bee49e..1a4e22ee471 100644
--- a/lib/libssl/tls13_record.c
+++ b/lib/libssl/tls13_record.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record.c,v 1.1 2019/01/19 02:53:54 jsing Exp $ */
+/* $OpenBSD: tls13_record.c,v 1.2 2019/01/20 09:12:05 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -62,6 +62,17 @@ tls13_record_free(struct tls13_record *rec)
 freezero(rec, sizeof(struct tls13_record));
 }
+int
+tls13_record_header(struct tls13_record *rec, CBS *cbs)
+{
+ if (rec->data_len < TLS13_RECORD_HEADER_LEN)
+ return 0;
+
+ CBS_init(cbs, rec->data, TLS13_RECORD_HEADER_LEN);
+
+ return 1;
+}
+
 uint8_t
 tls13_record_content_type(struct tls13_record *rec)
 {
@@ -89,13 +100,18 @@ tls13_record_data(struct tls13_record *rec, CBS *cbs)
 CBS_init(cbs, rec->data, rec->data_len);
 }
-void
+int
 tls13_record_set_data(struct tls13_record *rec, uint8_t *data, size_t data_len)
 {
+ if (data_len > TLS13_RECORD_MAX_LEN)
+ return 0;
+
 freezero(rec->data, rec->data_len);
 rec->data = data;
 rec->data_len = data_len;
 CBS_init(&rec->cbs, rec->data, rec->data_len);
+
+ return 1;
 }
 ssize_t
@@ -124,6 +140,10 @@ tls13_record_recv(struct tls13_record *rec, tls13_read_cb wire_read,
 if (!CBS_get_u16(&cbs, &rec_len))
 return TLS13_IO_FAILURE;
+ /* XXX - record overflow alert. */
+ if (rec_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN)
+ return TLS13_IO_FAILURE;
+
 rec->content_type = content_type;
 rec->rec_len = rec_len;
 }
diff --git a/lib/libssl/tls13_record.h b/lib/libssl/tls13_record.h
index ca7a63f99cb..72350d5d49b 100644
--- a/lib/libssl/tls13_record.h
+++ b/lib/libssl/tls13_record.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record.h,v 1.1 2019/01/19 02:53:54 jsing Exp $ */
+/* $OpenBSD: tls13_record.h,v 1.2 2019/01/20 09:12:05 jsing Exp $ */
 /*
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
 *
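Review bot: The CBS that the new tls13_record_header() hands back points directly into rec->data, and nothing at the definition says how long it stays valid. tls13_record_set_data() passes that same buffer to freezero() (visible in the next hunk), and tls13_record_free() presumably releases it too, so a caller that keeps the CBS across either call would be reading freed memory. A short comment above the function would make the borrow explicit, for example `/* The CBS aliases rec->data and is invalid after tls13_record_set_data() or tls13_record_free(). */`. The same lifetime applies to tls13_record_data() in the context lines.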
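Review bot: In tls13_record_set_data() the new early return leaves ownership of `data` with the caller, while the success path stores the pointer in rec->data, where a later call will freezero() it. Now that the return type has changed from void to int, a caller that ignores the result on the oversize path will either leak the buffer or carry on with a record that still holds the previous data. The contract is worth stating at the definition, for example `/* Takes ownership of data and returns 1; on failure returns 0, leaves rec unchanged and the caller still owns data. */`. The callers are outside this diff, so whether each of them checks the result cannot be confirmed from here.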
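Review bot: The length check added in tls13_record_recv() applies the TLSCiphertext bound (2^14 + 256, per the comment in tls13_record.h) to every record, whereas RFC 8446 section 5.1 limits unprotected TLSPlaintext records to 2^14 bytes. If this function also reads records before traffic keys are installed, which the hunk does not show, a plaintext record up to 256 bytes over its limit passes here and has to be rejected by a later layer. Recording that next to the existing XXX would help, for example `/* Ciphertext bound only; the 2^14 limit for unprotected records must be enforced by the caller. */`. The enclosing function starts and ends outside the hunk.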
@@ -24,7 +24,7 @@ __BEGIN_HIDDEN_DECLS /* - * TLSv1.3 - RFC 8446 section 5. + * TLSv1.3 Record Protocol - RFC 8446 section 5. * * The maximum plaintext is 2^14, however for inner plaintext an additional * byte is allowed for the content type. A maximum AEAD overhead of 255-bytes @@ -36,17 +36,23 @@ __BEGIN_HIDDEN_DECLS #define TLS13_RECORD_MAX_PLAINTEXT_LEN 16384 #define TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN \ (TLS13_RECORD_MAX_PLAINTEXT_LEN + 1) -#define TLS13_RECORD_MAX_CIPHERTEXT \ +#define TLS13_RECORD_MAX_CIPHERTEXT_LEN \ (TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN + TLS13_RECORD_MAX_AEAD_OVERHEAD) #define TLS13_RECORD_MAX_LEN \ - (TLS13_RECORD_HEADER_LEN + TLS13_RECORD_MAX_CIPHERTEXT) + (TLS13_RECORD_HEADER_LEN + TLS13_RECORD_MAX_CIPHERTEXT_LEN) + +/* + * TLSv1.3 Per-Record Nonces and Sequence Numbers - RFC 8446 section 5.3. + */ +#define TLS13_RECORD_SEQ_NUM_LEN 8 struct tls13_record *tls13_record_new(void); void tls13_record_free(struct tls13_record *_rec); +int tls13_record_header(struct tls13_record *_rec, CBS *_cbs); uint8_t tls13_record_content_type(struct tls13_record *_rec); int tls13_record_content(struct tls13_record *_rec, CBS *_cbs); void tls13_record_data(struct tls13_record *_rec, CBS *_cbs); -void tls13_record_set_data(struct tls13_record *_rec, uint8_t *_data, +int tls13_record_set_data(struct tls13_record *_rec, uint8_t *_data, size_t _data_len); ssize_t tls13_record_recv(struct tls13_record *_rec, tls13_read_cb _wire_read, void *_wire_arg); |