1/*
2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25#include "inner.h"
26
27#if 0
28/* obsolete */
29
30/*
31 * If BR_USE_URANDOM is not defined, then try to autodetect its presence
32 * through compiler macros.
33 */
34#ifndef BR_USE_URANDOM
35
36/*
37 * Macro values documented on:
38 *    https://sourceforge.net/p/predef/wiki/OperatingSystems/
39 *
40 * Only the most common systems have been included here for now. This
41 * should be enriched later on.
42 */
43#if defined _AIX \
44	|| defined __ANDROID__ \
45	|| defined __FreeBSD__ \
46	|| defined __NetBSD__ \
47	|| defined __OpenBSD__ \
48	|| defined __DragonFly__ \
49	|| defined __linux__ \
50	|| (defined __sun && (defined __SVR4 || defined __svr4__)) \
51	|| (defined __APPLE__ && defined __MACH__)
52#define BR_USE_URANDOM   1
53#endif
54
55#endif
56
57/*
58 * If BR_USE_WIN32_RAND is not defined, perform autodetection here.
59 */
60#ifndef BR_USE_WIN32_RAND
61
62#if defined _WIN32 || defined _WIN64
63#define BR_USE_WIN32_RAND   1
64#endif
65
66#endif
67
68#if BR_USE_URANDOM
69#include <sys/types.h>
70#include <unistd.h>
71#include <fcntl.h>
72#include <errno.h>
73#endif
74
75#if BR_USE_WIN32_RAND
76#include <windows.h>
77#include <wincrypt.h>
78#pragma comment(lib, "advapi32")
79#endif
80
81#endif
82
83/* ==================================================================== */
84/*
85 * This part of the file does the low-level record management.
86 */
87
88/*
89 * IMPLEMENTATION NOTES
90 * ====================
91 *
92 * In this file, we designate by "input" (and the "i" letter) the "recv"
93 * operations: incoming records from the peer, from which payload data
94 * is obtained, and must be extracted by the application (or the SSL
95 * handshake engine). Similarly, "output" (and the "o" letter) is for
96 * "send": payload data injected by the application (and SSL handshake
97 * engine), to be wrapped into records, that are then conveyed to the
98 * peer over the transport medium.
99 *
100 * The input and output buffers may be distinct or shared. When
101 * shared, input and output cannot occur concurrently; the caller
102 * must make sure that it never needs to output data while input
103 * data has been received. In practice, a shared buffer prevents
104 * pipelining of HTTP requests, or similar protocols; however, a
105 * shared buffer saves RAM.
106 *
107 * The input buffer is pointed to by 'ibuf' and has size 'ibuf_len';
108 * the output buffer is pointed to by 'obuf' and has size 'obuf_len'.
109 * From the size of these buffers is derived the maximum fragment
110 * length, which will be honoured upon sending records; regardless of
111 * that length, incoming records will be processed as long as they
112 * fit in the input buffer, and their length still complies with the
113 * protocol specification (maximum plaintext payload length is 16384
114 * bytes).
115 *
116 * Three registers are used to manage buffering in ibuf, called ixa,
117 * ixb and ixc. Similarly, three registers are used to manage buffering
118 * in obuf, called oxa, oxb and oxc.
119 *
120 *
121 * At any time, the engine is in one of the following modes:
122 * -- Failed mode: an error occurs, no I/O can happen.
123 * -- Input mode: the engine can either receive record bytes from the
124 * transport layer, or it has some buffered payload bytes to yield.
125 * -- Output mode: the engine can either receive payload bytes, or it
126 * has some record bytes to send to the transport layer.
127 * -- Input/Output mode: both input and output modes are active. When
128 * the buffer is shared, this can happen only when the buffer is empty
129 * (no buffered payload bytes or record bytes in either direction).
130 *
131 *
132 * Failed mode:
133 * ------------
134 *
135 * I/O failed for some reason (invalid received data, not enough room
136 * for the next record...). No I/O may ever occur again for this context,
137 * until an explicit reset is performed. This mode, and the error code,
138 * are also used for protocol errors, especially handshake errors.
139 *
140 *
141 * Input mode:
142 * -----------
143 *
144 *  ixa   index within ibuf[] for the currently read data
145 *  ixb   maximum index within ibuf[] for the currently read data
146 *  ixc   number of bytes not yet received for the current record
147 *
148 * -- When ixa == ixb, there is no available data for readers. When
149 * ixa != ixb, there is available data and it starts at offset ixa.
150 *
151 * -- When waiting for the next record header, ixa and ixb are equal
152 * and contain a value ranging from 0 to 4; ixc is equal to 5-ixa.
153 *
154 * -- When the header has been received, record data is obtained. The
155 * ixc field records how many bytes are still needed to reach the
156 * end of the current record.
157 *
158 *    ** If encryption is active, then ixa and ixb are kept equal, and
159 *    point to the end of the currently received record bytes. When
160 *    ixc reaches 0, decryption/MAC is applied, and ixa and ixb are
161 *    adjusted.
162 *
163 *    ** If encryption is not active, then ixa and ixb are distinct
164 *    and data can be read right away. Additional record data is
165 *    obtained only when ixa == ixb.
166 *
167 * Note: in input mode and no encryption, records larger than the buffer
168 * size are allowed. When encryption is active, the complete record must
169 * fit within the buffer, since it cannot be decrypted/MACed until it
170 * has been completely received.
171 *
172 * -- When receiving the next record header, 'version_in' contains the
173 * expected input version (0 if not expecting a specific version); on
174 * mismatch, the mode switches to 'failed'.
175 *
176 * -- When the header has been received, 'version_in' contains the received
177 * version. It is up to the caller to check and adjust the 'version_in' field
178 * to implement the required semantics.
179 *
180 * -- The 'record_type_in' field is updated with the incoming record type
181 * when the next record header has been received.
182 *
183 *
184 * Output mode:
185 * ------------
186 *
187 *  oxa   index within obuf[] for the currently accumulated data
188 *  oxb   maximum index within obuf[] for record data
189 *  oxc   pointer for start of record data, and for record sending
190 *
191 * -- When oxa != oxb, more data can be accumulated into the current
192 * record; when oxa == oxb, a closed record is being sent.
193 *
194 * -- When accumulating data, oxc points to the start of the data.
195 *
196 * -- During record sending, oxa (and oxb) point to the next record byte
197 * to send, and oxc indicates the end of the current record.
198 *
199 * Note: sent records must fit within the buffer, since the header is
200 * adjusted only when the complete record has been assembled.
201 *
202 * -- The 'version_out' and 'record_type_out' fields are used to build the
203 * record header when the mode is switched to 'sending'.
204 *
205 *
206 * Modes:
207 * ------
208 *
209 * The state register iomode contains one of the following values:
210 *
211 *  BR_IO_FAILED   I/O failed
212 *  BR_IO_IN       input mode
213 *  BR_IO_OUT      output mode
214 *  BR_IO_INOUT    input/output mode
215 *
216 * Whether encryption is active on incoming records is indicated by the
217 * incrypt flag. For outgoing records, there is no such flag; "encryption"
218 * is always considered active, but initially uses functions that do not
219 * encrypt anything. The 'incrypt' flag is needed because when there is
220 * no active encryption, records larger than the I/O buffer are accepted.
221 *
222 * Note: we do not support no-encryption modes (MAC only).
223 *
224 * TODO: implement GCM support
225 *
226 *
227 * Misc:
228 * -----
229 *
230 * 'max_frag_len' is the maximum plaintext size for an outgoing record.
231 * By default, it is set to the maximum value that fits in the provided
232 * buffers, in the following list: 512, 1024, 2048, 4096, 16384. The
233 * caller may change it if needed, but the new value MUST still fit in
234 * the buffers, and it MUST be one of the list above for compatibility
235 * with the Maximum Fragment Length extension.
236 *
237 * For incoming records, only the total buffer length and current
238 * encryption mode impact the maximum length for incoming records. The
239 * 'max_frag_len' value is still adjusted so that records up to that
240 * length can be both received and sent.
241 *
242 *
243 * Offsets and lengths:
244 * --------------------
245 *
246 * When sending fragments with TLS-1.1+, the maximum overhead is:
247 *   5 bytes for the record header
248 *   16 bytes for the explicit IV
249 *   48 bytes for the MAC (HMAC/SHA-384)
250 *   16 bytes for the padding (AES)
251 * so a total of 85 extra bytes. Note that we support block cipher sizes
252 * up to 16 bytes (AES) and HMAC output sizes up to 48 bytes (SHA-384).
253 *
254 * With TLS-1.0 and CBC mode, we apply a 1/n-1 split, for a maximum
255 * overhead of:
256 *   5 bytes for the first record header
257 *   32 bytes for the first record payload (AES-CBC + HMAC/SHA-1)
258 *   5 bytes for the second record header
259 *   20 bytes for the MAC (HMAC/SHA-1)
260 *   16 bytes for the padding (AES)
261 *   -1 byte to account for the payload byte in the first record
262 * so a total of 77 extra bytes at most, less than the 85 bytes above.
263 * Note that with TLS-1.0, the MAC is HMAC with either MD5 or SHA-1, but
264 * no other hash function.
265 *
266 * The implementation does not try to send larger records when the current
267 * encryption mode has less overhead.
268 *
269 * Maximum input record overhead is:
270 *   5 bytes for the record header
271 *   16 bytes for the explicit IV (TLS-1.1+)
272 *   48 bytes for the MAC (HMAC/SHA-384)
273 *   256 bytes for the padding
274 * so a total of 325 extra bytes.
275 *
276 * When receiving the next record header, it is written into the buffer
277 * bytes 0 to 4 (inclusive). Record data is always written into buf[]
278 * starting at offset 5. When encryption is active, the plaintext data
279 * may start at a larger offset (e.g. because of an explicit IV).
280 */
281
282#define MAX_OUT_OVERHEAD    85
283#define MAX_IN_OVERHEAD    325
284
285/* see inner.h */
286void
287br_ssl_engine_fail(br_ssl_engine_context *rc, int err)
288{
289	if (rc->iomode != BR_IO_FAILED) {
290		rc->iomode = BR_IO_FAILED;
291		rc->err = err;
292	}
293}
294
295/*
296 * Adjust registers for a new incoming record.
297 */
298static void
299make_ready_in(br_ssl_engine_context *rc)
300{
301	rc->ixa = rc->ixb = 0;
302	rc->ixc = 5;
303	if (rc->iomode == BR_IO_IN) {
304		rc->iomode = BR_IO_INOUT;
305	}
306}
307
308/*
309 * Adjust registers for a new outgoing record.
310 */
311static void
312make_ready_out(br_ssl_engine_context *rc)
313{
314	size_t a, b;
315
316	a = 5;
317	b = rc->obuf_len - a;
318	rc->out.vtable->max_plaintext(&rc->out.vtable, &a, &b);
319	if ((b - a) > rc->max_frag_len) {
320		b = a + rc->max_frag_len;
321	}
322	rc->oxa = a;
323	rc->oxb = b;
324	rc->oxc = a;
325	if (rc->iomode == BR_IO_OUT) {
326		rc->iomode = BR_IO_INOUT;
327	}
328}
329
330/* see inner.h */
331void
332br_ssl_engine_new_max_frag_len(br_ssl_engine_context *rc, unsigned max_frag_len)
333{
334	size_t nxb;
335
336	rc->max_frag_len = max_frag_len;
337	nxb = rc->oxc + max_frag_len;
338	if (rc->oxa < rc->oxb && rc->oxb > nxb && rc->oxa < nxb) {
339		rc->oxb = nxb;
340	}
341}
342
343/* see bearssl_ssl.h */
344void
345br_ssl_engine_set_buffer(br_ssl_engine_context *rc,
346	void *buf, size_t buf_len, int bidi)
347{
348	if (buf == NULL) {
349		br_ssl_engine_set_buffers_bidi(rc, NULL, 0, NULL, 0);
350	} else {
351		/*
352		 * In bidirectional mode, we want to maximise input
353		 * buffer size, since we support arbitrary fragmentation
354		 * when sending, but the peer will not necessarily
355		 * comply to any low fragment length (in particular if
356		 * we are the server, because the maximum fragment
357		 * length extension is under client control).
358		 *
359		 * We keep a minimum size of 512 bytes for the plaintext
360		 * of our outgoing records.
361		 *
362		 * br_ssl_engine_set_buffers_bidi() will compute the maximum
363		 * fragment length for outgoing records by using the minimum
364		 * of allocated spaces for both input and output records,
365		 * rounded down to a standard length.
366		 */
367		if (bidi) {
368			size_t w;
369
370			if (buf_len < (512 + MAX_IN_OVERHEAD
371				+ 512 + MAX_OUT_OVERHEAD))
372			{
373				rc->iomode = BR_IO_FAILED;
374				rc->err = BR_ERR_BAD_PARAM;
375				return;
376			} else if (buf_len < (16384 + MAX_IN_OVERHEAD
377				+ 512 + MAX_OUT_OVERHEAD))
378			{
379				w = 512 + MAX_OUT_OVERHEAD;
380			} else {
381				w = buf_len - (16384 + MAX_IN_OVERHEAD);
382			}
383			br_ssl_engine_set_buffers_bidi(rc,
384				buf, buf_len - w,
385				(unsigned char *)buf + w, w);
386		} else {
387			br_ssl_engine_set_buffers_bidi(rc,
388				buf, buf_len, NULL, 0);
389		}
390	}
391}
392
393/* see bearssl_ssl.h */
394void
395br_ssl_engine_set_buffers_bidi(br_ssl_engine_context *rc,
396	void *ibuf, size_t ibuf_len, void *obuf, size_t obuf_len)
397{
398	rc->iomode = BR_IO_INOUT;
399	rc->incrypt = 0;
400	rc->err = BR_ERR_OK;
401	rc->version_in = 0;
402	rc->record_type_in = 0;
403	rc->version_out = 0;
404	rc->record_type_out = 0;
405	if (ibuf == NULL) {
406		if (rc->ibuf == NULL) {
407			br_ssl_engine_fail(rc, BR_ERR_BAD_PARAM);
408		}
409	} else {
410		unsigned u;
411
412		rc->ibuf = ibuf;
413		rc->ibuf_len = ibuf_len;
414		if (obuf == NULL) {
415			obuf = ibuf;
416			obuf_len = ibuf_len;
417		}
418		rc->obuf = obuf;
419		rc->obuf_len = obuf_len;
420
421		/*
422		 * Compute the maximum fragment length, that fits for
423		 * both incoming and outgoing records. This length will
424		 * be used in fragment length negotiation, so we must
425		 * honour it both ways. Regardless, larger incoming
426		 * records will be accepted, as long as they fit in the
427		 * actual buffer size.
428		 */
429		for (u = 14; u >= 9; u --) {
430			size_t flen;
431
432			flen = (size_t)1 << u;
433			if (obuf_len >= flen + MAX_OUT_OVERHEAD
434				&& ibuf_len >= flen + MAX_IN_OVERHEAD)
435			{
436				break;
437			}
438		}
439		if (u == 8) {
440			br_ssl_engine_fail(rc, BR_ERR_BAD_PARAM);
441			return;
442		} else if (u == 13) {
443			u = 12;
444		}
445		rc->max_frag_len = (size_t)1 << u;
446		rc->log_max_frag_len = u;
447		rc->peer_log_max_frag_len = 0;
448	}
449	rc->out.vtable = &br_sslrec_out_clear_vtable;
450	make_ready_in(rc);
451	make_ready_out(rc);
452}
453
454/*
455 * Clear buffers in both directions.
456 */
457static void
458engine_clearbuf(br_ssl_engine_context *rc)
459{
460	make_ready_in(rc);
461	make_ready_out(rc);
462}
463
464/*
465 * Make sure the internal PRNG is initialised (but not necessarily
466 * seeded properly yet).
467 */
468static int
469rng_init(br_ssl_engine_context *cc)
470{
471	const br_hash_class *h;
472
473	if (cc->rng_init_done != 0) {
474		return 1;
475	}
476
477	/*
478	 * If using TLS-1.2, then SHA-256 or SHA-384 must be present (or
479	 * both); we prefer SHA-256 which is faster for 32-bit systems.
480	 *
481	 * If using TLS-1.0 or 1.1 then SHA-1 must be present.
482	 *
483	 * Though HMAC_DRBG/SHA-1 is, as far as we know, as safe as
484	 * these things can be, we still prefer the SHA-2 functions over
485	 * SHA-1, if only for public relations (known theoretical
486	 * weaknesses of SHA-1 with regards to collisions are mostly
487	 * irrelevant here, but they still make people nervous).
488	 */
489	h = br_multihash_getimpl(&cc->mhash, br_sha256_ID);
490	if (!h) {
491		h = br_multihash_getimpl(&cc->mhash, br_sha384_ID);
492		if (!h) {
493			h = br_multihash_getimpl(&cc->mhash,
494				br_sha1_ID);
495			if (!h) {
496				br_ssl_engine_fail(cc, BR_ERR_BAD_STATE);
497				return 0;
498			}
499		}
500	}
501	br_hmac_drbg_init(&cc->rng, h, NULL, 0);
502	cc->rng_init_done = 1;
503	return 1;
504}
505
506/* see inner.h */
507int
508br_ssl_engine_init_rand(br_ssl_engine_context *cc)
509{
510	if (!rng_init(cc)) {
511		return 0;
512	}
513
514	/*
515	 * We always try OS/hardware seeding once. If it works, then
516	 * we assume proper seeding. If not, then external entropy must
517	 * have been injected; otherwise, we report an error.
518	 */
519	if (!cc->rng_os_rand_done) {
520		br_prng_seeder sd;
521
522		sd = br_prng_seeder_system(NULL);
523		if (sd != 0 && sd(&cc->rng.vtable)) {
524			cc->rng_init_done = 2;
525		}
526		cc->rng_os_rand_done = 1;
527	}
528	if (cc->rng_init_done < 2) {
529		br_ssl_engine_fail(cc, BR_ERR_NO_RANDOM);
530		return 0;
531	}
532	return 1;
533}
534
535/* see bearssl_ssl.h */
536void
537br_ssl_engine_inject_entropy(br_ssl_engine_context *cc,
538	const void *data, size_t len)
539{
540	/*
541	 * Externally provided entropy is assumed to be "good enough"
542	 * (we cannot really test its quality) so if the RNG structure
543	 * could be initialised at all, then we marked the RNG as
544	 * "properly seeded".
545	 */
546	if (!rng_init(cc)) {
547		return;
548	}
549	br_hmac_drbg_update(&cc->rng, data, len);
550	cc->rng_init_done = 2;
551}
552
553/*
554 * We define a few internal functions that implement the low-level engine
555 * API for I/O; the external API (br_ssl_engine_sendapp_buf() and similar
556 * functions) is built upon these function, with special processing for
557 * records which are not of type "application data".
558 *
559 *   recvrec_buf, recvrec_ack     receives bytes from transport medium
560 *   sendrec_buf, sendrec_ack     send bytes to transport medium
561 *   recvpld_buf, recvpld_ack     receives payload data from engine
562 *   sendpld_buf, sendpld_ack     send payload data to engine
563 */
564
565static unsigned char *
566recvrec_buf(const br_ssl_engine_context *rc, size_t *len)
567{
568	if (rc->shutdown_recv) {
569		*len = 0;
570		return NULL;
571	}
572
573	/*
574	 * Bytes from the transport can be injected only if the mode is
575	 * compatible (in or in/out), and ixa == ixb; ixc then contains
576	 * the number of bytes that are still expected (but it may
577	 * exceed our buffer size).
578	 *
579	 * We cannot get "stuck" here (buffer is full, but still more
580	 * data is expected) because oversized records are detected when
581	 * their header is processed.
582	 */
583	switch (rc->iomode) {
584	case BR_IO_IN:
585	case BR_IO_INOUT:
586		if (rc->ixa == rc->ixb) {
587			size_t z;
588
589			z = rc->ixc;
590			if (z > rc->ibuf_len - rc->ixa) {
591				z = rc->ibuf_len - rc->ixa;
592			}
593			*len = z;
594			return rc->ibuf + rc->ixa;
595		}
596		break;
597	}
598	*len = 0;
599	return NULL;
600}
601
602static void
603recvrec_ack(br_ssl_engine_context *rc, size_t len)
604{
605	unsigned char *pbuf;
606	size_t pbuf_len;
607
608	/*
609	 * Adjust state if necessary (for a shared input/output buffer):
610	 * we got some incoming bytes, so we cannot (temporarily) handle
611	 * outgoing data.
612	 */
613	if (rc->iomode == BR_IO_INOUT && rc->ibuf == rc->obuf) {
614		rc->iomode = BR_IO_IN;
615	}
616
617	/*
618	 * Adjust data pointers.
619	 */
620	rc->ixb = (rc->ixa += len);
621	rc->ixc -= len;
622
623	/*
624	 * If we are receiving a header and did not fully obtained it
625	 * yet, then just wait for the next bytes.
626	 */
627	if (rc->ixa < 5) {
628		return;
629	}
630
631	/*
632	 * If we just obtained a full header, process it.
633	 */
634	if (rc->ixa == 5) {
635		unsigned version;
636		unsigned rlen;
637
638		/*
639		 * Get record type and version. We support only versions
640		 * 3.x (if the version major number does not match, then
641		 * we suppose that the record format is too alien for us
642		 * to process it).
643		 *
644		 * Note: right now, we reject clients that try to send
645		 * a ClientHello in a format compatible with SSL-2.0. It
646		 * is unclear whether this will ever be supported; and
647		 * if we want to support it, then this might be done in
648		 * in the server-specific code, not here.
649		 */
650		rc->record_type_in = rc->ibuf[0];
651		version = br_dec16be(rc->ibuf + 1);
652		if ((version >> 8) != 3) {
653			br_ssl_engine_fail(rc, BR_ERR_UNSUPPORTED_VERSION);
654			return;
655		}
656
657		/*
658		 * We ensure that successive records have the same
659		 * version. The handshake code must check and adjust the
660		 * variables when necessary to accommodate the protocol
661		 * negotiation details.
662		 */
663		if (rc->version_in != 0 && rc->version_in != version) {
664			br_ssl_engine_fail(rc, BR_ERR_BAD_VERSION);
665			return;
666		}
667		rc->version_in = version;
668
669		/*
670		 * Decode record length. We must check that the length
671		 * is valid (relatively to the current encryption mode)
672		 * and also (if encryption is active) that the record
673		 * will fit in our buffer.
674		 *
675		 * When no encryption is active, we can process records
676		 * by chunks, and thus accept any record up to the
677		 * maximum allowed plaintext length (16384 bytes).
678		 */
679		rlen = br_dec16be(rc->ibuf + 3);
680		if (rc->incrypt) {
681			if (!rc->in.vtable->check_length(
682				&rc->in.vtable, rlen))
683			{
684				br_ssl_engine_fail(rc, BR_ERR_BAD_LENGTH);
685				return;
686			}
687			if (rlen > (rc->ibuf_len - 5)) {
688				br_ssl_engine_fail(rc, BR_ERR_TOO_LARGE);
689				return;
690			}
691		} else {
692			if (rlen > 16384) {
693				br_ssl_engine_fail(rc, BR_ERR_BAD_LENGTH);
694				return;
695			}
696		}
697
698		/*
699		 * If the record is completely empty then we must switch
700		 * to a new record. Note that, in that case, we
701		 * completely ignore the record type, which is fitting
702		 * since we received no actual data of that type.
703		 *
704		 * A completely empty record is technically allowed as
705		 * long as encryption/MAC is not active, i.e. before
706		 * completion of the first handshake. It it still weird;
707		 * it might conceptually be useful as a heartbeat or
708		 * keep-alive mechanism while some lengthy operation is
709		 * going on, e.g. interaction with a human user.
710		 */
711		if (rlen == 0) {
712			make_ready_in(rc);
713		} else {
714			rc->ixa = rc->ixb = 5;
715			rc->ixc = rlen;
716		}
717		return;
718	}
719
720	/*
721	 * If there is no active encryption, then the data can be read
722	 * right away. Note that we do not receive bytes from the
723	 * transport medium when we still have payload bytes to be
724	 * acknowledged.
725	 */
726	if (!rc->incrypt) {
727		rc->ixa = 5;
728		return;
729	}
730
731	/*
732	 * Since encryption is active, we must wait for a full record
733	 * before processing it.
734	 */
735	if (rc->ixc != 0) {
736		return;
737	}
738
739	/*
740	 * We got the full record. Decrypt it.
741	 */
742	pbuf_len = rc->ixa - 5;
743	pbuf = rc->in.vtable->decrypt(&rc->in.vtable,
744		rc->record_type_in, rc->version_in, rc->ibuf + 5, &pbuf_len);
745	if (pbuf == 0) {
746		br_ssl_engine_fail(rc, BR_ERR_BAD_MAC);
747		return;
748	}
749	rc->ixa = (size_t)(pbuf - rc->ibuf);
750	rc->ixb = rc->ixa + pbuf_len;
751
752	/*
753	 * Decryption may have yielded an empty record, in which case
754	 * we get back to "ready" state immediately.
755	 */
756	if (rc->ixa == rc->ixb) {
757		make_ready_in(rc);
758	}
759}
760
761/* see inner.h */
762int
763br_ssl_engine_recvrec_finished(const br_ssl_engine_context *rc)
764{
765	switch (rc->iomode) {
766	case BR_IO_IN:
767	case BR_IO_INOUT:
768		return rc->ixc == 0 || rc->ixa < 5;
769	default:
770		return 1;
771	}
772}
773
774static unsigned char *
775recvpld_buf(const br_ssl_engine_context *rc, size_t *len)
776{
777	/*
778	 * There is payload data to be read only if the mode is
779	 * compatible, and ixa != ixb.
780	 */
781	switch (rc->iomode) {
782	case BR_IO_IN:
783	case BR_IO_INOUT:
784		*len = rc->ixb - rc->ixa;
785		return (*len == 0) ? NULL : (rc->ibuf + rc->ixa);
786	default:
787		*len = 0;
788		return NULL;
789	}
790}
791
792static void
793recvpld_ack(br_ssl_engine_context *rc, size_t len)
794{
795	rc->ixa += len;
796
797	/*
798	 * If we read all the available data, then we either expect
799	 * the remainder of the current record (if the current record
800	 * was not finished; this may happen when encryption is not
801	 * active), or go to "ready" state.
802	 */
803	if (rc->ixa == rc->ixb) {
804		if (rc->ixc == 0) {
805			make_ready_in(rc);
806		} else {
807			rc->ixa = rc->ixb = 5;
808		}
809	}
810}
811
812static unsigned char *
813sendpld_buf(const br_ssl_engine_context *rc, size_t *len)
814{
815	/*
816	 * Payload data can be injected only if the current mode is
817	 * compatible, and oxa != oxb.
818	 */
819	switch (rc->iomode) {
820	case BR_IO_OUT:
821	case BR_IO_INOUT:
822		*len = rc->oxb - rc->oxa;
823		return (*len == 0) ? NULL : (rc->obuf + rc->oxa);
824	default:
825		*len = 0;
826		return NULL;
827	}
828}
829
830/*
831 * If some payload bytes have been accumulated, then wrap them into
832 * an outgoing record. Otherwise, this function does nothing, unless
833 * 'force' is non-zero, in which case an empty record is assembled.
834 *
835 * The caller must take care not to invoke this function if the engine
836 * is not currently ready to receive payload bytes to send.
837 */
838static void
839sendpld_flush(br_ssl_engine_context *rc, int force)
840{
841	size_t xlen;
842	unsigned char *buf;
843
844	if (rc->oxa == rc->oxb) {
845		return;
846	}
847	xlen = rc->oxa - rc->oxc;
848	if (xlen == 0 && !force) {
849		return;
850	}
851	buf = rc->out.vtable->encrypt(&rc->out.vtable,
852		rc->record_type_out, rc->version_out,
853		rc->obuf + rc->oxc, &xlen);
854	rc->oxb = rc->oxa = (size_t)(buf - rc->obuf);
855	rc->oxc = rc->oxa + xlen;
856}
857
858static void
859sendpld_ack(br_ssl_engine_context *rc, size_t len)
860{
861	/*
862	 * If using a shared buffer, then we may have to modify the
863	 * current mode.
864	 */
865	if (rc->iomode == BR_IO_INOUT && rc->ibuf == rc->obuf) {
866		rc->iomode = BR_IO_OUT;
867	}
868	rc->oxa += len;
869	if (rc->oxa >= rc->oxb) {
870		/*
871		 * Set oxb to one more than oxa so that sendpld_flush()
872		 * does not mistakingly believe that a record is
873		 * already prepared and being sent.
874		 */
875		rc->oxb = rc->oxa + 1;
876		sendpld_flush(rc, 0);
877	}
878}
879
880static unsigned char *
881sendrec_buf(const br_ssl_engine_context *rc, size_t *len)
882{
883	/*
884	 * When still gathering payload bytes, oxc points to the start
885	 * of the record data, so oxc <= oxa. However, when a full
886	 * record has been completed, oxc points to the end of the record,
887	 * so oxc > oxa.
888	 */
889	switch (rc->iomode) {
890	case BR_IO_OUT:
891	case BR_IO_INOUT:
892		if (rc->oxc > rc->oxa) {
893			*len = rc->oxc - rc->oxa;
894			return rc->obuf + rc->oxa;
895		}
896		break;
897	}
898	*len = 0;
899	return NULL;
900}
901
902static void
903sendrec_ack(br_ssl_engine_context *rc, size_t len)
904{
905	rc->oxb = (rc->oxa += len);
906	if (rc->oxa == rc->oxc) {
907		make_ready_out(rc);
908	}
909}
910
911/*
912 * Test whether there is some buffered outgoing record that still must
913 * sent.
914 */
915static inline int
916has_rec_tosend(const br_ssl_engine_context *rc)
917{
918	return rc->oxa == rc->oxb && rc->oxa != rc->oxc;
919}
920
921/*
922 * The "no encryption" mode has no overhead. It limits the payload size
923 * to the maximum size allowed by the standard (16384 bytes); the caller
924 * is responsible for possibly enforcing a smaller fragment length.
925 */
926static void
927clear_max_plaintext(const br_sslrec_out_clear_context *cc,
928	size_t *start, size_t *end)
929{
930	size_t len;
931
932	(void)cc;
933	len = *end - *start;
934	if (len > 16384) {
935		*end = *start + 16384;
936	}
937}
938
939/*
940 * In "no encryption" mode, encryption is trivial (a no-operation) so
941 * we just have to encode the header.
942 */
943static unsigned char *
944clear_encrypt(br_sslrec_out_clear_context *cc,
945	int record_type, unsigned version, void *data, size_t *data_len)
946{
947	unsigned char *buf;
948
949	(void)cc;
950	buf = (unsigned char *)data - 5;
951	buf[0] = record_type;
952	br_enc16be(buf + 1, version);
953	br_enc16be(buf + 3, *data_len);
954	*data_len += 5;
955	return buf;
956}
957
958/* see bearssl_ssl.h */
959const br_sslrec_out_class br_sslrec_out_clear_vtable = {
960	sizeof(br_sslrec_out_clear_context),
961	(void (*)(const br_sslrec_out_class *const *, size_t *, size_t *))
962		&clear_max_plaintext,
963	(unsigned char *(*)(const br_sslrec_out_class **,
964		int, unsigned, void *, size_t *))
965		&clear_encrypt
966};
967
968/* ==================================================================== */
969/*
970 * In this part of the file, we handle the various record types, and
971 * communications with the handshake processor.
972 */
973
974/*
975 * IMPLEMENTATION NOTES
976 * ====================
977 *
978 * The handshake processor is written in T0 and runs as a coroutine.
979 * It receives the contents of all records except application data, and
980 * is responsible for producing the contents of all records except
981 * application data.
982 *
983 * A state flag is maintained, which specifies whether application data
984 * is acceptable or not. When it is set:
985 *
986 * -- Application data can be injected as payload data (provided that
987 *    the output buffer is ready for that).
988 *
989 * -- Incoming application data records are accepted, and yield data
990 *    that the caller may retrieve.
991 *
992 * When the flag is cleared, application data is not accepted from the
993 * application, and incoming application data records trigger an error.
994 *
995 *
996 * Records of type handshake, alert or change-cipher-spec are handled
997 * by the handshake processor. The handshake processor is written in T0
998 * and runs as a coroutine; it gets invoked whenever one of the following
999 * situations is reached:
1000 *
1001 * -- An incoming record has type handshake, alert or change-cipher-spec,
1002 *    and yields data that can be read (zero-length records are thus
1003 *    ignored).
1004 *
1005 * -- An outgoing record has just finished being sent, and the "application
1006 *    data" flag is cleared.
1007 *
1008 * -- The caller wishes to perform a close (call to br_ssl_engine_close()).
1009 *
1010 * -- The caller wishes to perform a renegotiation (call to
1011 *    br_ssl_engine_renegotiate()).
1012 *
1013 * Whenever the handshake processor is entered, access to the payload
1014 * buffers is provided, along with some information about explicit
1015 * closures or renegotiations.
1016 */
1017
1018/* see bearssl_ssl.h */
1019void
1020br_ssl_engine_set_suites(br_ssl_engine_context *cc,
1021	const uint16_t *suites, size_t suites_num)
1022{
1023	if ((suites_num * sizeof *suites) > sizeof cc->suites_buf) {
1024		br_ssl_engine_fail(cc, BR_ERR_BAD_PARAM);
1025		return;
1026	}
1027	memcpy(cc->suites_buf, suites, suites_num * sizeof *suites);
1028	cc->suites_num = suites_num;
1029}
1030
1031/*
1032 * Give control to handshake processor. 'action' is 1 for a close,
1033 * 2 for a renegotiation, or 0 for a jump due to I/O completion.
1034 */
1035static void
1036jump_handshake(br_ssl_engine_context *cc, int action)
1037{
1038	/*
1039	 * We use a loop because the handshake processor actions may
1040	 * allow for more actions; namely, if the processor reads all
1041	 * input data, then it may allow for output data to be produced,
1042	 * in case of a shared in/out buffer.
1043	 */
1044	for (;;) {
1045		size_t hlen_in, hlen_out;
1046
1047		/*
1048		 * Get input buffer. We do not want to provide
1049		 * application data to the handshake processor (we could
1050		 * get called with an explicit close or renegotiation
1051		 * while there is application data ready to be read).
1052		 */
1053		cc->hbuf_in = recvpld_buf(cc, &hlen_in);
1054		if (cc->hbuf_in != NULL
1055			&& cc->record_type_in == BR_SSL_APPLICATION_DATA)
1056		{
1057			hlen_in = 0;
1058		}
1059
1060		/*
1061		 * Get output buffer. The handshake processor never
1062		 * leaves an unfinished outgoing record, so if there is
1063		 * buffered output, then it MUST be some application
1064		 * data, so the processor cannot write to it.
1065		 */
1066		cc->saved_hbuf_out = cc->hbuf_out = sendpld_buf(cc, &hlen_out);
1067		if (cc->hbuf_out != NULL && br_ssl_engine_has_pld_to_send(cc)) {
1068			hlen_out = 0;
1069		}
1070
1071		/*
1072		 * Note: hlen_in and hlen_out can be both non-zero only if
1073		 * the input and output buffers are disjoint. Thus, we can
1074		 * offer both buffers to the handshake code.
1075		 */
1076
1077		cc->hlen_in = hlen_in;
1078		cc->hlen_out = hlen_out;
1079		cc->action = action;
1080		cc->hsrun(&cc->cpu);
1081		if (br_ssl_engine_closed(cc)) {
1082			return;
1083		}
1084		if (cc->hbuf_out != cc->saved_hbuf_out) {
1085			sendpld_ack(cc, cc->hbuf_out - cc->saved_hbuf_out);
1086		}
1087		if (hlen_in != cc->hlen_in) {
1088			recvpld_ack(cc, hlen_in - cc->hlen_in);
1089			if (cc->hlen_in == 0) {
1090				/*
1091				 * We read all data bytes, which may have
1092				 * released the output buffer in case it
1093				 * is shared with the input buffer, and
1094				 * the handshake code might be waiting for
1095				 * that.
1096				 */
1097				action = 0;
1098				continue;
1099			}
1100		}
1101		break;
1102	}
1103}
1104
1105/* see inner.h */
1106void
1107br_ssl_engine_flush_record(br_ssl_engine_context *cc)
1108{
1109	if (cc->hbuf_out != cc->saved_hbuf_out) {
1110		sendpld_ack(cc, cc->hbuf_out - cc->saved_hbuf_out);
1111	}
1112	if (br_ssl_engine_has_pld_to_send(cc)) {
1113		sendpld_flush(cc, 0);
1114	}
1115	cc->saved_hbuf_out = cc->hbuf_out = sendpld_buf(cc, &cc->hlen_out);
1116}
1117
1118/* see bearssl_ssl.h */
1119unsigned char *
1120br_ssl_engine_sendapp_buf(const br_ssl_engine_context *cc, size_t *len)
1121{
1122	if (!(cc->application_data & 1)) {
1123		*len = 0;
1124		return NULL;
1125	}
1126	return sendpld_buf(cc, len);
1127}
1128
1129/* see bearssl_ssl.h */
1130void
1131br_ssl_engine_sendapp_ack(br_ssl_engine_context *cc, size_t len)
1132{
1133	sendpld_ack(cc, len);
1134}
1135
1136/* see bearssl_ssl.h */
1137unsigned char *
1138br_ssl_engine_recvapp_buf(const br_ssl_engine_context *cc, size_t *len)
1139{
1140	if (!(cc->application_data & 1)
1141		|| cc->record_type_in != BR_SSL_APPLICATION_DATA)
1142	{
1143		*len = 0;
1144		return NULL;
1145	}
1146	return recvpld_buf(cc, len);
1147}
1148
1149/* see bearssl_ssl.h */
1150void
1151br_ssl_engine_recvapp_ack(br_ssl_engine_context *cc, size_t len)
1152{
1153	recvpld_ack(cc, len);
1154}
1155
1156/* see bearssl_ssl.h */
1157unsigned char *
1158br_ssl_engine_sendrec_buf(const br_ssl_engine_context *cc, size_t *len)
1159{
1160	return sendrec_buf(cc, len);
1161}
1162
1163/* see bearssl_ssl.h */
1164void
1165br_ssl_engine_sendrec_ack(br_ssl_engine_context *cc, size_t len)
1166{
1167	sendrec_ack(cc, len);
1168	if (len != 0 && !has_rec_tosend(cc)
1169		&& (cc->record_type_out != BR_SSL_APPLICATION_DATA
1170		|| (cc->application_data & 1) == 0))
1171	{
1172		jump_handshake(cc, 0);
1173	}
1174}
1175
1176/* see bearssl_ssl.h */
1177unsigned char *
1178br_ssl_engine_recvrec_buf(const br_ssl_engine_context *cc, size_t *len)
1179{
1180	return recvrec_buf(cc, len);
1181}
1182
1183/* see bearssl_ssl.h */
1184void
1185br_ssl_engine_recvrec_ack(br_ssl_engine_context *cc, size_t len)
1186{
1187	unsigned char *buf;
1188
1189	recvrec_ack(cc, len);
1190	if (br_ssl_engine_closed(cc)) {
1191		return;
1192	}
1193
1194	/*
1195	 * We just received some bytes from the peer. This may have
1196	 * yielded some payload bytes, in which case we must process
1197	 * them according to the record type.
1198	 */
1199	buf = recvpld_buf(cc, &len);
1200	if (buf != NULL) {
1201		switch (cc->record_type_in) {
1202		case BR_SSL_CHANGE_CIPHER_SPEC:
1203		case BR_SSL_ALERT:
1204		case BR_SSL_HANDSHAKE:
1205			jump_handshake(cc, 0);
1206			break;
1207		case BR_SSL_APPLICATION_DATA:
1208			if (cc->application_data == 1) {
1209				break;
1210			}
1211
1212			/*
1213			 * If we are currently closing, and waiting for
1214			 * a close_notify from the peer, then incoming
1215			 * application data should be discarded.
1216			 */
1217			if (cc->application_data == 2) {
1218				recvpld_ack(cc, len);
1219				break;
1220			}
1221
1222			/* Fall through */
1223		default:
1224			br_ssl_engine_fail(cc, BR_ERR_UNEXPECTED);
1225			break;
1226		}
1227	}
1228}
1229
1230/* see bearssl_ssl.h */
1231void
1232br_ssl_engine_close(br_ssl_engine_context *cc)
1233{
1234	if (!br_ssl_engine_closed(cc)) {
1235		jump_handshake(cc, 1);
1236	}
1237}
1238
1239/* see bearssl_ssl.h */
1240int
1241br_ssl_engine_renegotiate(br_ssl_engine_context *cc)
1242{
1243	size_t len;
1244
1245	if (br_ssl_engine_closed(cc) || cc->reneg == 1
1246		|| (cc->flags & BR_OPT_NO_RENEGOTIATION) != 0
1247		|| br_ssl_engine_recvapp_buf(cc, &len) != NULL)
1248	{
1249		return 0;
1250	}
1251	jump_handshake(cc, 2);
1252	return 1;
1253}
1254
1255/* see bearssl.h */
1256unsigned
1257br_ssl_engine_current_state(const br_ssl_engine_context *cc)
1258{
1259	unsigned s;
1260	size_t len;
1261
1262	if (br_ssl_engine_closed(cc)) {
1263		return BR_SSL_CLOSED;
1264	}
1265
1266	s = 0;
1267	if (br_ssl_engine_sendrec_buf(cc, &len) != NULL) {
1268		s |= BR_SSL_SENDREC;
1269	}
1270	if (br_ssl_engine_recvrec_buf(cc, &len) != NULL) {
1271		s |= BR_SSL_RECVREC;
1272	}
1273	if (br_ssl_engine_sendapp_buf(cc, &len) != NULL) {
1274		s |= BR_SSL_SENDAPP;
1275	}
1276	if (br_ssl_engine_recvapp_buf(cc, &len) != NULL) {
1277		s |= BR_SSL_RECVAPP;
1278	}
1279	return s;
1280}
1281
1282/* see bearssl_ssl.h */
1283void
1284br_ssl_engine_flush(br_ssl_engine_context *cc, int force)
1285{
1286	if (!br_ssl_engine_closed(cc) && (cc->application_data & 1) != 0) {
1287		sendpld_flush(cc, force);
1288	}
1289}
1290
1291/* see inner.h */
1292void
1293br_ssl_engine_hs_reset(br_ssl_engine_context *cc,
1294	void (*hsinit)(void *), void (*hsrun)(void *))
1295{
1296	engine_clearbuf(cc);
1297	cc->cpu.dp = cc->dp_stack;
1298	cc->cpu.rp = cc->rp_stack;
1299	hsinit(&cc->cpu);
1300	cc->hsrun = hsrun;
1301	cc->shutdown_recv = 0;
1302	cc->application_data = 0;
1303	cc->alert = 0;
1304	jump_handshake(cc, 0);
1305}
1306
1307/* see inner.h */
1308br_tls_prf_impl
1309br_ssl_engine_get_PRF(br_ssl_engine_context *cc, int prf_id)
1310{
1311	if (cc->session.version >= BR_TLS12) {
1312		if (prf_id == br_sha384_ID) {
1313			return cc->prf_sha384;
1314		} else {
1315			return cc->prf_sha256;
1316		}
1317	} else {
1318		return cc->prf10;
1319	}
1320}
1321
1322/* see inner.h */
1323void
1324br_ssl_engine_compute_master(br_ssl_engine_context *cc,
1325	int prf_id, const void *pms, size_t pms_len)
1326{
1327	br_tls_prf_impl iprf;
1328	br_tls_prf_seed_chunk seed[2] = {
1329		{ cc->client_random, sizeof cc->client_random },
1330		{ cc->server_random, sizeof cc->server_random }
1331	};
1332
1333	iprf = br_ssl_engine_get_PRF(cc, prf_id);
1334	iprf(cc->session.master_secret, sizeof cc->session.master_secret,
1335		pms, pms_len, "master secret", 2, seed);
1336}
1337
1338/*
1339 * Compute key block.
1340 */
1341static void
1342compute_key_block(br_ssl_engine_context *cc, int prf_id,
1343	size_t half_len, unsigned char *kb)
1344{
1345	br_tls_prf_impl iprf;
1346	br_tls_prf_seed_chunk seed[2] = {
1347		{ cc->server_random, sizeof cc->server_random },
1348		{ cc->client_random, sizeof cc->client_random }
1349	};
1350
1351	iprf = br_ssl_engine_get_PRF(cc, prf_id);
1352	iprf(kb, half_len << 1,
1353		cc->session.master_secret, sizeof cc->session.master_secret,
1354		"key expansion", 2, seed);
1355}
1356
1357/* see inner.h */
1358void
1359br_ssl_engine_switch_cbc_in(br_ssl_engine_context *cc,
1360	int is_client, int prf_id, int mac_id,
1361	const br_block_cbcdec_class *bc_impl, size_t cipher_key_len)
1362{
1363	unsigned char kb[192];
1364	unsigned char *cipher_key, *mac_key, *iv;
1365	const br_hash_class *imh;
1366	size_t mac_key_len, mac_out_len, iv_len;
1367
1368	imh = br_ssl_engine_get_hash(cc, mac_id);
1369	mac_out_len = (imh->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK;
1370	mac_key_len = mac_out_len;
1371
1372	/*
1373	 * TLS 1.1+ uses per-record explicit IV, so no IV to generate here.
1374	 */
1375	if (cc->session.version >= BR_TLS11) {
1376		iv_len = 0;
1377	} else {
1378		iv_len = bc_impl->block_size;
1379	}
1380	compute_key_block(cc, prf_id,
1381		mac_key_len + cipher_key_len + iv_len, kb);
1382	if (is_client) {
1383		mac_key = &kb[mac_key_len];
1384		cipher_key = &kb[(mac_key_len << 1) + cipher_key_len];
1385		iv = &kb[((mac_key_len + cipher_key_len) << 1) + iv_len];
1386	} else {
1387		mac_key = &kb[0];
1388		cipher_key = &kb[mac_key_len << 1];
1389		iv = &kb[(mac_key_len + cipher_key_len) << 1];
1390	}
1391	if (iv_len == 0) {
1392		iv = NULL;
1393	}
1394	cc->icbc_in->init(&cc->in.cbc.vtable,
1395		bc_impl, cipher_key, cipher_key_len,
1396		imh, mac_key, mac_key_len, mac_out_len, iv);
1397	cc->incrypt = 1;
1398}
1399
1400/* see inner.h */
1401void
1402br_ssl_engine_switch_cbc_out(br_ssl_engine_context *cc,
1403	int is_client, int prf_id, int mac_id,
1404	const br_block_cbcenc_class *bc_impl, size_t cipher_key_len)
1405{
1406	unsigned char kb[192];
1407	unsigned char *cipher_key, *mac_key, *iv;
1408	const br_hash_class *imh;
1409	size_t mac_key_len, mac_out_len, iv_len;
1410
1411	imh = br_ssl_engine_get_hash(cc, mac_id);
1412	mac_out_len = (imh->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK;
1413	mac_key_len = mac_out_len;
1414
1415	/*
1416	 * TLS 1.1+ uses per-record explicit IV, so no IV to generate here.
1417	 */
1418	if (cc->session.version >= BR_TLS11) {
1419		iv_len = 0;
1420	} else {
1421		iv_len = bc_impl->block_size;
1422	}
1423	compute_key_block(cc, prf_id,
1424		mac_key_len + cipher_key_len + iv_len, kb);
1425	if (is_client) {
1426		mac_key = &kb[0];
1427		cipher_key = &kb[mac_key_len << 1];
1428		iv = &kb[(mac_key_len + cipher_key_len) << 1];
1429	} else {
1430		mac_key = &kb[mac_key_len];
1431		cipher_key = &kb[(mac_key_len << 1) + cipher_key_len];
1432		iv = &kb[((mac_key_len + cipher_key_len) << 1) + iv_len];
1433	}
1434	if (iv_len == 0) {
1435		iv = NULL;
1436	}
1437	cc->icbc_out->init(&cc->out.cbc.vtable,
1438		bc_impl, cipher_key, cipher_key_len,
1439		imh, mac_key, mac_key_len, mac_out_len, iv);
1440}
1441
1442/* see inner.h */
1443void
1444br_ssl_engine_switch_gcm_in(br_ssl_engine_context *cc,
1445	int is_client, int prf_id,
1446	const br_block_ctr_class *bc_impl, size_t cipher_key_len)
1447{
1448	unsigned char kb[72];
1449	unsigned char *cipher_key, *iv;
1450
1451	compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1452	if (is_client) {
1453		cipher_key = &kb[cipher_key_len];
1454		iv = &kb[(cipher_key_len << 1) + 4];
1455	} else {
1456		cipher_key = &kb[0];
1457		iv = &kb[cipher_key_len << 1];
1458	}
1459	cc->igcm_in->init(&cc->in.gcm.vtable.in,
1460		bc_impl, cipher_key, cipher_key_len, cc->ighash, iv);
1461	cc->incrypt = 1;
1462}
1463
1464/* see inner.h */
1465void
1466br_ssl_engine_switch_gcm_out(br_ssl_engine_context *cc,
1467	int is_client, int prf_id,
1468	const br_block_ctr_class *bc_impl, size_t cipher_key_len)
1469{
1470	unsigned char kb[72];
1471	unsigned char *cipher_key, *iv;
1472
1473	compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1474	if (is_client) {
1475		cipher_key = &kb[0];
1476		iv = &kb[cipher_key_len << 1];
1477	} else {
1478		cipher_key = &kb[cipher_key_len];
1479		iv = &kb[(cipher_key_len << 1) + 4];
1480	}
1481	cc->igcm_out->init(&cc->out.gcm.vtable.out,
1482		bc_impl, cipher_key, cipher_key_len, cc->ighash, iv);
1483}
1484
1485/* see inner.h */
1486void
1487br_ssl_engine_switch_chapol_in(br_ssl_engine_context *cc,
1488	int is_client, int prf_id)
1489{
1490	unsigned char kb[88];
1491	unsigned char *cipher_key, *iv;
1492
1493	compute_key_block(cc, prf_id, 44, kb);
1494	if (is_client) {
1495		cipher_key = &kb[32];
1496		iv = &kb[76];
1497	} else {
1498		cipher_key = &kb[0];
1499		iv = &kb[64];
1500	}
1501	cc->ichapol_in->init(&cc->in.chapol.vtable.in,
1502		cc->ichacha, cc->ipoly, cipher_key, iv);
1503	cc->incrypt = 1;
1504}
1505
1506/* see inner.h */
1507void
1508br_ssl_engine_switch_chapol_out(br_ssl_engine_context *cc,
1509	int is_client, int prf_id)
1510{
1511	unsigned char kb[88];
1512	unsigned char *cipher_key, *iv;
1513
1514	compute_key_block(cc, prf_id, 44, kb);
1515	if (is_client) {
1516		cipher_key = &kb[0];
1517		iv = &kb[64];
1518	} else {
1519		cipher_key = &kb[32];
1520		iv = &kb[76];
1521	}
1522	cc->ichapol_out->init(&cc->out.chapol.vtable.out,
1523		cc->ichacha, cc->ipoly, cipher_key, iv);
1524}
1525
1526/* see inner.h */
1527void
1528br_ssl_engine_switch_ccm_in(br_ssl_engine_context *cc,
1529	int is_client, int prf_id,
1530	const br_block_ctrcbc_class *bc_impl,
1531	size_t cipher_key_len, size_t tag_len)
1532{
1533	unsigned char kb[72];
1534	unsigned char *cipher_key, *iv;
1535
1536	compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1537	if (is_client) {
1538		cipher_key = &kb[cipher_key_len];
1539		iv = &kb[(cipher_key_len << 1) + 4];
1540	} else {
1541		cipher_key = &kb[0];
1542		iv = &kb[cipher_key_len << 1];
1543	}
1544	cc->iccm_in->init(&cc->in.ccm.vtable.in,
1545		bc_impl, cipher_key, cipher_key_len, iv, tag_len);
1546	cc->incrypt = 1;
1547}
1548
1549/* see inner.h */
1550void
1551br_ssl_engine_switch_ccm_out(br_ssl_engine_context *cc,
1552	int is_client, int prf_id,
1553	const br_block_ctrcbc_class *bc_impl,
1554	size_t cipher_key_len, size_t tag_len)
1555{
1556	unsigned char kb[72];
1557	unsigned char *cipher_key, *iv;
1558
1559	compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1560	if (is_client) {
1561		cipher_key = &kb[0];
1562		iv = &kb[cipher_key_len << 1];
1563	} else {
1564		cipher_key = &kb[cipher_key_len];
1565		iv = &kb[(cipher_key_len << 1) + 4];
1566	}
1567	cc->iccm_out->init(&cc->out.ccm.vtable.out,
1568		bc_impl, cipher_key, cipher_key_len, iv, tag_len);
1569}
1570