1d9c36absjg/*
2d9c36absjg * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3d9c36absjg *
4d9c36absjg * Permission is hereby granted, free of charge, to any person obtaining
5d9c36absjg * a copy of this software and associated documentation files (the
6d9c36absjg * "Software"), to deal in the Software without restriction, including
7d9c36absjg * without limitation the rights to use, copy, modify, merge, publish,
8d9c36absjg * distribute, sublicense, and/or sell copies of the Software, and to
9d9c36absjg * permit persons to whom the Software is furnished to do so, subject to
10d9c36absjg * the following conditions:
11d9c36absjg *
12d9c36absjg * The above copyright notice and this permission notice shall be
13d9c36absjg * included in all copies or substantial portions of the Software.
14d9c36absjg *
15d9c36absjg * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16d9c36absjg * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17d9c36absjg * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18d9c36absjg * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19d9c36absjg * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20d9c36absjg * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21d9c36absjg * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22d9c36absjg * SOFTWARE.
23d9c36absjg */
24d9c36absjg
25d9c36absjg#include "inner.h"
26d9c36absjg
27d9c36absjg#if 0
28d9c36absjg/* obsolete */
29d9c36absjg
30d9c36absjg/*
31d9c36absjg * If BR_USE_URANDOM is not defined, then try to autodetect its presence
32d9c36absjg * through compiler macros.
33d9c36absjg */
34d9c36absjg#ifndef BR_USE_URANDOM
35d9c36absjg
36d9c36absjg/*
37d9c36absjg * Macro values documented on:
38d9c36absjg *    https://sourceforge.net/p/predef/wiki/OperatingSystems/
39d9c36absjg *
40d9c36absjg * Only the most common systems have been included here for now. This
41d9c36absjg * should be enriched later on.
42d9c36absjg */
43d9c36absjg#if defined _AIX \
44d9c36absjg	|| defined __ANDROID__ \
45d9c36absjg	|| defined __FreeBSD__ \
46d9c36absjg	|| defined __NetBSD__ \
47d9c36absjg	|| defined __OpenBSD__ \
48d9c36absjg	|| defined __DragonFly__ \
49d9c36absjg	|| defined __linux__ \
50d9c36absjg	|| (defined __sun && (defined __SVR4 || defined __svr4__)) \
51d9c36absjg	|| (defined __APPLE__ && defined __MACH__)
52d9c36absjg#define BR_USE_URANDOM   1
53d9c36absjg#endif
54d9c36absjg
55d9c36absjg#endif
56d9c36absjg
57d9c36absjg/*
58d9c36absjg * If BR_USE_WIN32_RAND is not defined, perform autodetection here.
59d9c36absjg */
60d9c36absjg#ifndef BR_USE_WIN32_RAND
61d9c36absjg
62d9c36absjg#if defined _WIN32 || defined _WIN64
63d9c36absjg#define BR_USE_WIN32_RAND   1
64d9c36absjg#endif
65d9c36absjg
66d9c36absjg#endif
67d9c36absjg
68d9c36absjg#if BR_USE_URANDOM
69d9c36absjg#include <sys/types.h>
70d9c36absjg#include <unistd.h>
71d9c36absjg#include <fcntl.h>
72d9c36absjg#include <errno.h>
73d9c36absjg#endif
74d9c36absjg
75d9c36absjg#if BR_USE_WIN32_RAND
76d9c36absjg#include <windows.h>
77d9c36absjg#include <wincrypt.h>
78d9c36absjg#pragma comment(lib, "advapi32")
79d9c36absjg#endif
80d9c36absjg
81d9c36absjg#endif
82d9c36absjg
83d9c36absjg/* ==================================================================== */
84d9c36absjg/*
85d9c36absjg * This part of the file does the low-level record management.
86d9c36absjg */
87d9c36absjg
88d9c36absjg/*
89d9c36absjg * IMPLEMENTATION NOTES
90d9c36absjg * ====================
91d9c36absjg *
92d9c36absjg * In this file, we designate by "input" (and the "i" letter) the "recv"
93d9c36absjg * operations: incoming records from the peer, from which payload data
94d9c36absjg * is obtained, and must be extracted by the application (or the SSL
95d9c36absjg * handshake engine). Similarly, "output" (and the "o" letter) is for
96d9c36absjg * "send": payload data injected by the application (and SSL handshake
97d9c36absjg * engine), to be wrapped into records, that are then conveyed to the
98d9c36absjg * peer over the transport medium.
99d9c36absjg *
100d9c36absjg * The input and output buffers may be distinct or shared. When
101d9c36absjg * shared, input and output cannot occur concurrently; the caller
102d9c36absjg * must make sure that it never needs to output data while input
103d9c36absjg * data has been received. In practice, a shared buffer prevents
104d9c36absjg * pipelining of HTTP requests, or similar protocols; however, a
105d9c36absjg * shared buffer saves RAM.
106d9c36absjg *
107d9c36absjg * The input buffer is pointed to by 'ibuf' and has size 'ibuf_len';
108d9c36absjg * the output buffer is pointed to by 'obuf' and has size 'obuf_len'.
109d9c36absjg * From the size of these buffers is derived the maximum fragment
110d9c36absjg * length, which will be honoured upon sending records; regardless of
111d9c36absjg * that length, incoming records will be processed as long as they
112d9c36absjg * fit in the input buffer, and their length still complies with the
113d9c36absjg * protocol specification (maximum plaintext payload length is 16384
114d9c36absjg * bytes).
115d9c36absjg *
116d9c36absjg * Three registers are used to manage buffering in ibuf, called ixa,
117d9c36absjg * ixb and ixc. Similarly, three registers are used to manage buffering
118d9c36absjg * in obuf, called oxa, oxb and oxc.
119d9c36absjg *
120d9c36absjg *
121d9c36absjg * At any time, the engine is in one of the following modes:
122d9c36absjg * -- Failed mode: an error occurs, no I/O can happen.
123d9c36absjg * -- Input mode: the engine can either receive record bytes from the
124d9c36absjg * transport layer, or it has some buffered payload bytes to yield.
125d9c36absjg * -- Output mode: the engine can either receive payload bytes, or it
126d9c36absjg * has some record bytes to send to the transport layer.
127d9c36absjg * -- Input/Output mode: both input and output modes are active. When
128d9c36absjg * the buffer is shared, this can happen only when the buffer is empty
129d9c36absjg * (no buffered payload bytes or record bytes in either direction).
130d9c36absjg *
131d9c36absjg *
132d9c36absjg * Failed mode:
133d9c36absjg * ------------
134d9c36absjg *
135d9c36absjg * I/O failed for some reason (invalid received data, not enough room
136d9c36absjg * for the next record...). No I/O may ever occur again for this context,
137d9c36absjg * until an explicit reset is performed. This mode, and the error code,
138d9c36absjg * are also used for protocol errors, especially handshake errors.
139d9c36absjg *
140d9c36absjg *
141d9c36absjg * Input mode:
142d9c36absjg * -----------
143d9c36absjg *
144d9c36absjg *  ixa   index within ibuf[] for the currently read data
145d9c36absjg *  ixb   maximum index within ibuf[] for the currently read data
146d9c36absjg *  ixc   number of bytes not yet received for the current record
147d9c36absjg *
148d9c36absjg * -- When ixa == ixb, there is no available data for readers. When
149d9c36absjg * ixa != ixb, there is available data and it starts at offset ixa.
150d9c36absjg *
151d9c36absjg * -- When waiting for the next record header, ixa and ixb are equal
152d9c36absjg * and contain a value ranging from 0 to 4; ixc is equal to 5-ixa.
153d9c36absjg *
154d9c36absjg * -- When the header has been received, record data is obtained. The
155d9c36absjg * ixc field records how many bytes are still needed to reach the
156d9c36absjg * end of the current record.
157d9c36absjg *
158d9c36absjg *    ** If encryption is active, then ixa and ixb are kept equal, and
159d9c36absjg *    point to the end of the currently received record bytes. When
160d9c36absjg *    ixc reaches 0, decryption/MAC is applied, and ixa and ixb are
161d9c36absjg *    adjusted.
162d9c36absjg *
163d9c36absjg *    ** If encryption is not active, then ixa and ixb are distinct
164d9c36absjg *    and data can be read right away. Additional record data is
165d9c36absjg *    obtained only when ixa == ixb.
166d9c36absjg *
167d9c36absjg * Note: in input mode and no encryption, records larger than the buffer
168d9c36absjg * size are allowed. When encryption is active, the complete record must
169d9c36absjg * fit within the buffer, since it cannot be decrypted/MACed until it
170d9c36absjg * has been completely received.
171d9c36absjg *
172d9c36absjg * -- When receiving the next record header, 'version_in' contains the
173d9c36absjg * expected input version (0 if not expecting a specific version); on
174d9c36absjg * mismatch, the mode switches to 'failed'.
175d9c36absjg *
176d9c36absjg * -- When the header has been received, 'version_in' contains the received
177d9c36absjg * version. It is up to the caller to check and adjust the 'version_in' field
178d9c36absjg * to implement the required semantics.
179d9c36absjg *
180d9c36absjg * -- The 'record_type_in' field is updated with the incoming record type
181d9c36absjg * when the next record header has been received.
182d9c36absjg *
183d9c36absjg *
184d9c36absjg * Output mode:
185d9c36absjg * ------------
186d9c36absjg *
187d9c36absjg *  oxa   index within obuf[] for the currently accumulated data
188d9c36absjg *  oxb   maximum index within obuf[] for record data
189d9c36absjg *  oxc   pointer for start of record data, and for record sending
190d9c36absjg *
191d9c36absjg * -- When oxa != oxb, more data can be accumulated into the current
192d9c36absjg * record; when oxa == oxb, a closed record is being sent.
193d9c36absjg *
194d9c36absjg * -- When accumulating data, oxc points to the start of the data.
195d9c36absjg *
196d9c36absjg * -- During record sending, oxa (and oxb) point to the next record byte
197d9c36absjg * to send, and oxc indicates the end of the current record.
198d9c36absjg *
199d9c36absjg * Note: sent records must fit within the buffer, since the header is
200d9c36absjg * adjusted only when the complete record has been assembled.
201d9c36absjg *
202d9c36absjg * -- The 'version_out' and 'record_type_out' fields are used to build the
203d9c36absjg * record header when the mode is switched to 'sending'.
204d9c36absjg *
205d9c36absjg *
206d9c36absjg * Modes:
207d9c36absjg * ------
208d9c36absjg *
209d9c36absjg * The state register iomode contains one of the following values:
210d9c36absjg *
211d9c36absjg *  BR_IO_FAILED   I/O failed
212d9c36absjg *  BR_IO_IN       input mode
213d9c36absjg *  BR_IO_OUT      output mode
214d9c36absjg *  BR_IO_INOUT    input/output mode
215d9c36absjg *
216d9c36absjg * Whether encryption is active on incoming records is indicated by the
217d9c36absjg * incrypt flag. For outgoing records, there is no such flag; "encryption"
218d9c36absjg * is always considered active, but initially uses functions that do not
219d9c36absjg * encrypt anything. The 'incrypt' flag is needed because when there is
220d9c36absjg * no active encryption, records larger than the I/O buffer are accepted.
221d9c36absjg *
222d9c36absjg * Note: we do not support no-encryption modes (MAC only).
223d9c36absjg *
224d9c36absjg * TODO: implement GCM support
225d9c36absjg *
226d9c36absjg *
227d9c36absjg * Misc:
228d9c36absjg * -----
229d9c36absjg *
230d9c36absjg * 'max_frag_len' is the maximum plaintext size for an outgoing record.
231d9c36absjg * By default, it is set to the maximum value that fits in the provided
232d9c36absjg * buffers, in the following list: 512, 1024, 2048, 4096, 16384. The
233d9c36absjg * caller may change it if needed, but the new value MUST still fit in
234d9c36absjg * the buffers, and it MUST be one of the list above for compatibility
235d9c36absjg * with the Maximum Fragment Length extension.
236d9c36absjg *
237d9c36absjg * For incoming records, only the total buffer length and current
238d9c36absjg * encryption mode impact the maximum length for incoming records. The
239d9c36absjg * 'max_frag_len' value is still adjusted so that records up to that
240d9c36absjg * length can be both received and sent.
241d9c36absjg *
242d9c36absjg *
243d9c36absjg * Offsets and lengths:
244d9c36absjg * --------------------
245d9c36absjg *
246d9c36absjg * When sending fragments with TLS-1.1+, the maximum overhead is:
247d9c36absjg *   5 bytes for the record header
248d9c36absjg *   16 bytes for the explicit IV
249d9c36absjg *   48 bytes for the MAC (HMAC/SHA-384)
250d9c36absjg *   16 bytes for the padding (AES)
251d9c36absjg * so a total of 85 extra bytes. Note that we support block cipher sizes
252d9c36absjg * up to 16 bytes (AES) and HMAC output sizes up to 48 bytes (SHA-384).
253d9c36absjg *
254d9c36absjg * With TLS-1.0 and CBC mode, we apply a 1/n-1 split, for a maximum
255d9c36absjg * overhead of:
256d9c36absjg *   5 bytes for the first record header
257d9c36absjg *   32 bytes for the first record payload (AES-CBC + HMAC/SHA-1)
258d9c36absjg *   5 bytes for the second record header
259d9c36absjg *   20 bytes for the MAC (HMAC/SHA-1)
260d9c36absjg *   16 bytes for the padding (AES)
261d9c36absjg *   -1 byte to account for the payload byte in the first record
262d9c36absjg * so a total of 77 extra bytes at most, less than the 85 bytes above.
263d9c36absjg * Note that with TLS-1.0, the MAC is HMAC with either MD5 or SHA-1, but
264d9c36absjg * no other hash function.
265d9c36absjg *
266d9c36absjg * The implementation does not try to send larger records when the current
267d9c36absjg * encryption mode has less overhead.
268d9c36absjg *
269d9c36absjg * Maximum input record overhead is:
270d9c36absjg *   5 bytes for the record header
271d9c36absjg *   16 bytes for the explicit IV (TLS-1.1+)
272d9c36absjg *   48 bytes for the MAC (HMAC/SHA-384)
273d9c36absjg *   256 bytes for the padding
274d9c36absjg * so a total of 325 extra bytes.
275d9c36absjg *
276d9c36absjg * When receiving the next record header, it is written into the buffer
277d9c36absjg * bytes 0 to 4 (inclusive). Record data is always written into buf[]
278d9c36absjg * starting at offset 5. When encryption is active, the plaintext data
279d9c36absjg * may start at a larger offset (e.g. because of an explicit IV).
280d9c36absjg */
281d9c36absjg
282d9c36absjg#define MAX_OUT_OVERHEAD    85
283d9c36absjg#define MAX_IN_OVERHEAD    325
284d9c36absjg
285d9c36absjg/* see inner.h */
286d9c36absjgvoid
287d9c36absjgbr_ssl_engine_fail(br_ssl_engine_context *rc, int err)
288d9c36absjg{
289d9c36absjg	if (rc->iomode != BR_IO_FAILED) {
290d9c36absjg		rc->iomode = BR_IO_FAILED;
291d9c36absjg		rc->err = err;
292d9c36absjg	}
293d9c36absjg}
294d9c36absjg
295d9c36absjg/*
296d9c36absjg * Adjust registers for a new incoming record.
297d9c36absjg */
298d9c36absjgstatic void
299d9c36absjgmake_ready_in(br_ssl_engine_context *rc)
300d9c36absjg{
301d9c36absjg	rc->ixa = rc->ixb = 0;
302d9c36absjg	rc->ixc = 5;
303d9c36absjg	if (rc->iomode == BR_IO_IN) {
304d9c36absjg		rc->iomode = BR_IO_INOUT;
305d9c36absjg	}
306d9c36absjg}
307d9c36absjg
308d9c36absjg/*
309d9c36absjg * Adjust registers for a new outgoing record.
310d9c36absjg */
311d9c36absjgstatic void
312d9c36absjgmake_ready_out(br_ssl_engine_context *rc)
313d9c36absjg{
314d9c36absjg	size_t a, b;
315d9c36absjg
316d9c36absjg	a = 5;
317d9c36absjg	b = rc->obuf_len - a;
318d9c36absjg	rc->out.vtable->max_plaintext(&rc->out.vtable, &a, &b);
319d9c36absjg	if ((b - a) > rc->max_frag_len) {
320d9c36absjg		b = a + rc->max_frag_len;
321d9c36absjg	}
322d9c36absjg	rc->oxa = a;
323d9c36absjg	rc->oxb = b;
324d9c36absjg	rc->oxc = a;
325d9c36absjg	if (rc->iomode == BR_IO_OUT) {
326d9c36absjg		rc->iomode = BR_IO_INOUT;
327d9c36absjg	}
328d9c36absjg}
329d9c36absjg
330d9c36absjg/* see inner.h */
331d9c36absjgvoid
332d9c36absjgbr_ssl_engine_new_max_frag_len(br_ssl_engine_context *rc, unsigned max_frag_len)
333d9c36absjg{
334d9c36absjg	size_t nxb;
335d9c36absjg
336d9c36absjg	rc->max_frag_len = max_frag_len;
337d9c36absjg	nxb = rc->oxc + max_frag_len;
338d9c36absjg	if (rc->oxa < rc->oxb && rc->oxb > nxb && rc->oxa < nxb) {
339d9c36absjg		rc->oxb = nxb;
340d9c36absjg	}
341d9c36absjg}
342d9c36absjg
343d9c36absjg/* see bearssl_ssl.h */
344d9c36absjgvoid
345d9c36absjgbr_ssl_engine_set_buffer(br_ssl_engine_context *rc,
346d9c36absjg	void *buf, size_t buf_len, int bidi)
347d9c36absjg{
348d9c36absjg	if (buf == NULL) {
349d9c36absjg		br_ssl_engine_set_buffers_bidi(rc, NULL, 0, NULL, 0);
350d9c36absjg	} else {
351d9c36absjg		/*
352d9c36absjg		 * In bidirectional mode, we want to maximise input
353d9c36absjg		 * buffer size, since we support arbitrary fragmentation
354d9c36absjg		 * when sending, but the peer will not necessarily
355d9c36absjg		 * comply to any low fragment length (in particular if
356d9c36absjg		 * we are the server, because the maximum fragment
357d9c36absjg		 * length extension is under client control).
358d9c36absjg		 *
359d9c36absjg		 * We keep a minimum size of 512 bytes for the plaintext
360d9c36absjg		 * of our outgoing records.
361d9c36absjg		 *
362d9c36absjg		 * br_ssl_engine_set_buffers_bidi() will compute the maximum
363d9c36absjg		 * fragment length for outgoing records by using the minimum
364d9c36absjg		 * of allocated spaces for both input and output records,
365d9c36absjg		 * rounded down to a standard length.
366d9c36absjg		 */
367d9c36absjg		if (bidi) {
368d9c36absjg			size_t w;
369d9c36absjg
370d9c36absjg			if (buf_len < (512 + MAX_IN_OVERHEAD
371d9c36absjg				+ 512 + MAX_OUT_OVERHEAD))
372d9c36absjg			{
373d9c36absjg				rc->iomode = BR_IO_FAILED;
374d9c36absjg				rc->err = BR_ERR_BAD_PARAM;
375d9c36absjg				return;
376d9c36absjg			} else if (buf_len < (16384 + MAX_IN_OVERHEAD
377d9c36absjg				+ 512 + MAX_OUT_OVERHEAD))
378d9c36absjg			{
379d9c36absjg				w = 512 + MAX_OUT_OVERHEAD;
380d9c36absjg			} else {
381d9c36absjg				w = buf_len - (16384 + MAX_IN_OVERHEAD);
382d9c36absjg			}
383d9c36absjg			br_ssl_engine_set_buffers_bidi(rc,
384d9c36absjg				buf, buf_len - w,
385d9c36absjg				(unsigned char *)buf + w, w);
386d9c36absjg		} else {
387d9c36absjg			br_ssl_engine_set_buffers_bidi(rc,
388d9c36absjg				buf, buf_len, NULL, 0);
389d9c36absjg		}
390d9c36absjg	}
391d9c36absjg}
392d9c36absjg
393d9c36absjg/* see bearssl_ssl.h */
394d9c36absjgvoid
395d9c36absjgbr_ssl_engine_set_buffers_bidi(br_ssl_engine_context *rc,
396d9c36absjg	void *ibuf, size_t ibuf_len, void *obuf, size_t obuf_len)
397d9c36absjg{
398d9c36absjg	rc->iomode = BR_IO_INOUT;
399d9c36absjg	rc->incrypt = 0;
400d9c36absjg	rc->err = BR_ERR_OK;
401d9c36absjg	rc->version_in = 0;
402d9c36absjg	rc->record_type_in = 0;
403d9c36absjg	rc->version_out = 0;
404d9c36absjg	rc->record_type_out = 0;
405d9c36absjg	if (ibuf == NULL) {
406d9c36absjg		if (rc->ibuf == NULL) {
407d9c36absjg			br_ssl_engine_fail(rc, BR_ERR_BAD_PARAM);
408d9c36absjg		}
409d9c36absjg	} else {
410d9c36absjg		unsigned u;
411d9c36absjg
412d9c36absjg		rc->ibuf = ibuf;
413d9c36absjg		rc->ibuf_len = ibuf_len;
414d9c36absjg		if (obuf == NULL) {
415d9c36absjg			obuf = ibuf;
416d9c36absjg			obuf_len = ibuf_len;
417d9c36absjg		}
418d9c36absjg		rc->obuf = obuf;
419d9c36absjg		rc->obuf_len = obuf_len;
420d9c36absjg
421d9c36absjg		/*
422d9c36absjg		 * Compute the maximum fragment length, that fits for
423d9c36absjg		 * both incoming and outgoing records. This length will
424d9c36absjg		 * be used in fragment length negotiation, so we must
425d9c36absjg		 * honour it both ways. Regardless, larger incoming
426d9c36absjg		 * records will be accepted, as long as they fit in the
427d9c36absjg		 * actual buffer size.
428d9c36absjg		 */
429d9c36absjg		for (u = 14; u >= 9; u --) {
430d9c36absjg			size_t flen;
431d9c36absjg
432d9c36absjg			flen = (size_t)1 << u;
433d9c36absjg			if (obuf_len >= flen + MAX_OUT_OVERHEAD
434d9c36absjg				&& ibuf_len >= flen + MAX_IN_OVERHEAD)
435d9c36absjg			{
436d9c36absjg				break;
437d9c36absjg			}
438d9c36absjg		}
439d9c36absjg		if (u == 8) {
440d9c36absjg			br_ssl_engine_fail(rc, BR_ERR_BAD_PARAM);
441d9c36absjg			return;
442d9c36absjg		} else if (u == 13) {
443d9c36absjg			u = 12;
444d9c36absjg		}
445d9c36absjg		rc->max_frag_len = (size_t)1 << u;
446d9c36absjg		rc->log_max_frag_len = u;
447d9c36absjg		rc->peer_log_max_frag_len = 0;
448d9c36absjg	}
449d9c36absjg	rc->out.vtable = &br_sslrec_out_clear_vtable;
450d9c36absjg	make_ready_in(rc);
451d9c36absjg	make_ready_out(rc);
452d9c36absjg}
453d9c36absjg
454d9c36absjg/*
455d9c36absjg * Clear buffers in both directions.
456d9c36absjg */
457d9c36absjgstatic void
458d9c36absjgengine_clearbuf(br_ssl_engine_context *rc)
459d9c36absjg{
460d9c36absjg	make_ready_in(rc);
461d9c36absjg	make_ready_out(rc);
462d9c36absjg}
463d9c36absjg
464d9c36absjg/*
465d9c36absjg * Make sure the internal PRNG is initialised (but not necessarily
466d9c36absjg * seeded properly yet).
467d9c36absjg */
468d9c36absjgstatic int
469d9c36absjgrng_init(br_ssl_engine_context *cc)
470d9c36absjg{
471d9c36absjg	const br_hash_class *h;
472d9c36absjg
473d9c36absjg	if (cc->rng_init_done != 0) {
474d9c36absjg		return 1;
475d9c36absjg	}
476d9c36absjg
477d9c36absjg	/*
478d9c36absjg	 * If using TLS-1.2, then SHA-256 or SHA-384 must be present (or
479d9c36absjg	 * both); we prefer SHA-256 which is faster for 32-bit systems.
480d9c36absjg	 *
481d9c36absjg	 * If using TLS-1.0 or 1.1 then SHA-1 must be present.
482d9c36absjg	 *
483d9c36absjg	 * Though HMAC_DRBG/SHA-1 is, as far as we know, as safe as
484d9c36absjg	 * these things can be, we still prefer the SHA-2 functions over
485d9c36absjg	 * SHA-1, if only for public relations (known theoretical
486d9c36absjg	 * weaknesses of SHA-1 with regards to collisions are mostly
487d9c36absjg	 * irrelevant here, but they still make people nervous).
488d9c36absjg	 */
489d9c36absjg	h = br_multihash_getimpl(&cc->mhash, br_sha256_ID);
490d9c36absjg	if (!h) {
491d9c36absjg		h = br_multihash_getimpl(&cc->mhash, br_sha384_ID);
492d9c36absjg		if (!h) {
493d9c36absjg			h = br_multihash_getimpl(&cc->mhash,
494d9c36absjg				br_sha1_ID);
495d9c36absjg			if (!h) {
496d9c36absjg				br_ssl_engine_fail(cc, BR_ERR_BAD_STATE);
497d9c36absjg				return 0;
498d9c36absjg			}
499d9c36absjg		}
500d9c36absjg	}
501d9c36absjg	br_hmac_drbg_init(&cc->rng, h, NULL, 0);
502d9c36absjg	cc->rng_init_done = 1;
503d9c36absjg	return 1;
504d9c36absjg}
505d9c36absjg
506d9c36absjg/* see inner.h */
507d9c36absjgint
508d9c36absjgbr_ssl_engine_init_rand(br_ssl_engine_context *cc)
509d9c36absjg{
510d9c36absjg	if (!rng_init(cc)) {
511d9c36absjg		return 0;
512d9c36absjg	}
513d9c36absjg
514d9c36absjg	/*
515d9c36absjg	 * We always try OS/hardware seeding once. If it works, then
516d9c36absjg	 * we assume proper seeding. If not, then external entropy must
517d9c36absjg	 * have been injected; otherwise, we report an error.
518d9c36absjg	 */
519d9c36absjg	if (!cc->rng_os_rand_done) {
520d9c36absjg		br_prng_seeder sd;
521d9c36absjg
522d9c36absjg		sd = br_prng_seeder_system(NULL);
523d9c36absjg		if (sd != 0 && sd(&cc->rng.vtable)) {
524d9c36absjg			cc->rng_init_done = 2;
525d9c36absjg		}
526d9c36absjg		cc->rng_os_rand_done = 1;
527d9c36absjg	}
528d9c36absjg	if (cc->rng_init_done < 2) {
529d9c36absjg		br_ssl_engine_fail(cc, BR_ERR_NO_RANDOM);
530d9c36absjg		return 0;
531d9c36absjg	}
532d9c36absjg	return 1;
533d9c36absjg}
534d9c36absjg
535d9c36absjg/* see bearssl_ssl.h */
536d9c36absjgvoid
537d9c36absjgbr_ssl_engine_inject_entropy(br_ssl_engine_context *cc,
538d9c36absjg	const void *data, size_t len)
539d9c36absjg{
540d9c36absjg	/*
541d9c36absjg	 * Externally provided entropy is assumed to be "good enough"
542d9c36absjg	 * (we cannot really test its quality) so if the RNG structure
543d9c36absjg	 * could be initialised at all, then we marked the RNG as
544d9c36absjg	 * "properly seeded".
545d9c36absjg	 */
546d9c36absjg	if (!rng_init(cc)) {
547d9c36absjg		return;
548d9c36absjg	}
549d9c36absjg	br_hmac_drbg_update(&cc->rng, data, len);
550d9c36absjg	cc->rng_init_done = 2;
551d9c36absjg}
552d9c36absjg
553d9c36absjg/*
554d9c36absjg * We define a few internal functions that implement the low-level engine
555d9c36absjg * API for I/O; the external API (br_ssl_engine_sendapp_buf() and similar
556d9c36absjg * functions) is built upon these function, with special processing for
557d9c36absjg * records which are not of type "application data".
558d9c36absjg *
559d9c36absjg *   recvrec_buf, recvrec_ack     receives bytes from transport medium
560d9c36absjg *   sendrec_buf, sendrec_ack     send bytes to transport medium
561d9c36absjg *   recvpld_buf, recvpld_ack     receives payload data from engine
562d9c36absjg *   sendpld_buf, sendpld_ack     send payload data to engine
563d9c36absjg */
564d9c36absjg
565d9c36absjgstatic unsigned char *
566d9c36absjgrecvrec_buf(const br_ssl_engine_context *rc, size_t *len)
567d9c36absjg{
568d9c36absjg	if (rc->shutdown_recv) {
569d9c36absjg		*len = 0;
570d9c36absjg		return NULL;
571d9c36absjg	}
572d9c36absjg
573d9c36absjg	/*
574d9c36absjg	 * Bytes from the transport can be injected only if the mode is
575d9c36absjg	 * compatible (in or in/out), and ixa == ixb; ixc then contains
576d9c36absjg	 * the number of bytes that are still expected (but it may
577d9c36absjg	 * exceed our buffer size).
578d9c36absjg	 *
579d9c36absjg	 * We cannot get "stuck" here (buffer is full, but still more
580d9c36absjg	 * data is expected) because oversized records are detected when
581d9c36absjg	 * their header is processed.
582d9c36absjg	 */
583d9c36absjg	switch (rc->iomode) {
584d9c36absjg	case BR_IO_IN:
585d9c36absjg	case BR_IO_INOUT:
586d9c36absjg		if (rc->ixa == rc->ixb) {
587d9c36absjg			size_t z;
588d9c36absjg
589d9c36absjg			z = rc->ixc;
590d9c36absjg			if (z > rc->ibuf_len - rc->ixa) {
591d9c36absjg				z = rc->ibuf_len - rc->ixa;
592d9c36absjg			}
593d9c36absjg			*len = z;
594d9c36absjg			return rc->ibuf + rc->ixa;
595d9c36absjg		}
596d9c36absjg		break;
597d9c36absjg	}
598d9c36absjg	*len = 0;
599d9c36absjg	return NULL;
600d9c36absjg}
601d9c36absjg
602d9c36absjgstatic void
603d9c36absjgrecvrec_ack(br_ssl_engine_context *rc, size_t len)
604d9c36absjg{
605d9c36absjg	unsigned char *pbuf;
606d9c36absjg	size_t pbuf_len;
607d9c36absjg
608d9c36absjg	/*
609d9c36absjg	 * Adjust state if necessary (for a shared input/output buffer):
610d9c36absjg	 * we got some incoming bytes, so we cannot (temporarily) handle
611d9c36absjg	 * outgoing data.
612d9c36absjg	 */
613d9c36absjg	if (rc->iomode == BR_IO_INOUT && rc->ibuf == rc->obuf) {
614d9c36absjg		rc->iomode = BR_IO_IN;
615d9c36absjg	}
616d9c36absjg
617d9c36absjg	/*
618d9c36absjg	 * Adjust data pointers.
619d9c36absjg	 */
620d9c36absjg	rc->ixb = (rc->ixa += len);
621d9c36absjg	rc->ixc -= len;
622d9c36absjg
623d9c36absjg	/*
624d9c36absjg	 * If we are receiving a header and did not fully obtained it
625d9c36absjg	 * yet, then just wait for the next bytes.
626d9c36absjg	 */
627d9c36absjg	if (rc->ixa < 5) {
628d9c36absjg		return;
629d9c36absjg	}
630d9c36absjg
631d9c36absjg	/*
632d9c36absjg	 * If we just obtained a full header, process it.
633d9c36absjg	 */
634d9c36absjg	if (rc->ixa == 5) {
635d9c36absjg		unsigned version;
636d9c36absjg		unsigned rlen;
637d9c36absjg
638d9c36absjg		/*
639d9c36absjg		 * Get record type and version. We support only versions
640d9c36absjg		 * 3.x (if the version major number does not match, then
641d9c36absjg		 * we suppose that the record format is too alien for us
642d9c36absjg		 * to process it).
643d9c36absjg		 *
644d9c36absjg		 * Note: right now, we reject clients that try to send
645d9c36absjg		 * a ClientHello in a format compatible with SSL-2.0. It
646d9c36absjg		 * is unclear whether this will ever be supported; and
647d9c36absjg		 * if we want to support it, then this might be done in
648d9c36absjg		 * in the server-specific code, not here.
649d9c36absjg		 */
650d9c36absjg		rc->record_type_in = rc->ibuf[0];
651d9c36absjg		version = br_dec16be(rc->ibuf + 1);
652d9c36absjg		if ((version >> 8) != 3) {
653d9c36absjg			br_ssl_engine_fail(rc, BR_ERR_UNSUPPORTED_VERSION);
654d9c36absjg			return;
655d9c36absjg		}
656d9c36absjg
657d9c36absjg		/*
658d9c36absjg		 * We ensure that successive records have the same
659d9c36absjg		 * version. The handshake code must check and adjust the
660d9c36absjg		 * variables when necessary to accommodate the protocol
661d9c36absjg		 * negotiation details.
662d9c36absjg		 */
663d9c36absjg		if (rc->version_in != 0 && rc->version_in != version) {
664d9c36absjg			br_ssl_engine_fail(rc, BR_ERR_BAD_VERSION);
665d9c36absjg			return;
666d9c36absjg		}
667d9c36absjg		rc->version_in = version;
668d9c36absjg
669d9c36absjg		/*
670d9c36absjg		 * Decode record length. We must check that the length
671d9c36absjg		 * is valid (relatively to the current encryption mode)
672d9c36absjg		 * and also (if encryption is active) that the record
673d9c36absjg		 * will fit in our buffer.
674d9c36absjg		 *
675d9c36absjg		 * When no encryption is active, we can process records
676d9c36absjg		 * by chunks, and thus accept any record up to the
677d9c36absjg		 * maximum allowed plaintext length (16384 bytes).
678d9c36absjg		 */
679d9c36absjg		rlen = br_dec16be(rc->ibuf + 3);
680d9c36absjg		if (rc->incrypt) {
681d9c36absjg			if (!rc->in.vtable->check_length(
682d9c36absjg				&rc->in.vtable, rlen))
683d9c36absjg			{
684d9c36absjg				br_ssl_engine_fail(rc, BR_ERR_BAD_LENGTH);
685d9c36absjg				return;
686d9c36absjg			}
687d9c36absjg			if (rlen > (rc->ibuf_len - 5)) {
688d9c36absjg				br_ssl_engine_fail(rc, BR_ERR_TOO_LARGE);
689d9c36absjg				return;
690d9c36absjg			}
691d9c36absjg		} else {
692d9c36absjg			if (rlen > 16384) {
693d9c36absjg				br_ssl_engine_fail(rc, BR_ERR_BAD_LENGTH);
694d9c36absjg				return;
695d9c36absjg			}
696d9c36absjg		}
697d9c36absjg
698d9c36absjg		/*
699d9c36absjg		 * If the record is completely empty then we must switch
700d9c36absjg		 * to a new record. Note that, in that case, we
701d9c36absjg		 * completely ignore the record type, which is fitting
702d9c36absjg		 * since we received no actual data of that type.
703d9c36absjg		 *
704d9c36absjg		 * A completely empty record is technically allowed as
705d9c36absjg		 * long as encryption/MAC is not active, i.e. before
706d9c36absjg		 * completion of the first handshake. It it still weird;
707d9c36absjg		 * it might conceptually be useful as a heartbeat or
708d9c36absjg		 * keep-alive mechanism while some lengthy operation is
709d9c36absjg		 * going on, e.g. interaction with a human user.
710d9c36absjg		 */
711d9c36absjg		if (rlen == 0) {
712d9c36absjg			make_ready_in(rc);
713d9c36absjg		} else {
714d9c36absjg			rc->ixa = rc->ixb = 5;
715d9c36absjg			rc->ixc = rlen;
716d9c36absjg		}
717d9c36absjg		return;
718d9c36absjg	}
719d9c36absjg
720d9c36absjg	/*
721d9c36absjg	 * If there is no active encryption, then the data can be read
722d9c36absjg	 * right away. Note that we do not receive bytes from the
723d9c36absjg	 * transport medium when we still have payload bytes to be
724d9c36absjg	 * acknowledged.
725d9c36absjg	 */
726d9c36absjg	if (!rc->incrypt) {
727d9c36absjg		rc->ixa = 5;
728d9c36absjg		return;
729d9c36absjg	}
730d9c36absjg
731d9c36absjg	/*
732d9c36absjg	 * Since encryption is active, we must wait for a full record
733d9c36absjg	 * before processing it.
734d9c36absjg	 */
735d9c36absjg	if (rc->ixc != 0) {
736d9c36absjg		return;
737d9c36absjg	}
738d9c36absjg
739d9c36absjg	/*
740d9c36absjg	 * We got the full record. Decrypt it.
741d9c36absjg	 */
742d9c36absjg	pbuf_len = rc->ixa - 5;
743d9c36absjg	pbuf = rc->in.vtable->decrypt(&rc->in.vtable,
744d9c36absjg		rc->record_type_in, rc->version_in, rc->ibuf + 5, &pbuf_len);
745d9c36absjg	if (pbuf == 0) {
746d9c36absjg		br_ssl_engine_fail(rc, BR_ERR_BAD_MAC);
747d9c36absjg		return;
748d9c36absjg	}
749d9c36absjg	rc->ixa = (size_t)(pbuf - rc->ibuf);
750d9c36absjg	rc->ixb = rc->ixa + pbuf_len;
751d9c36absjg
752d9c36absjg	/*
753d9c36absjg	 * Decryption may have yielded an empty record, in which case
754d9c36absjg	 * we get back to "ready" state immediately.
755d9c36absjg	 */
756d9c36absjg	if (rc->ixa == rc->ixb) {
757d9c36absjg		make_ready_in(rc);
758d9c36absjg	}
759d9c36absjg}
760d9c36absjg
761d9c36absjg/* see inner.h */
762d9c36absjgint
763d9c36absjgbr_ssl_engine_recvrec_finished(const br_ssl_engine_context *rc)
764d9c36absjg{
765d9c36absjg	switch (rc->iomode) {
766d9c36absjg	case BR_IO_IN:
767d9c36absjg	case BR_IO_INOUT:
768d9c36absjg		return rc->ixc == 0 || rc->ixa < 5;
769d9c36absjg	default:
770d9c36absjg		return 1;
771d9c36absjg	}
772d9c36absjg}
773d9c36absjg
774d9c36absjgstatic unsigned char *
775d9c36absjgrecvpld_buf(const br_ssl_engine_context *rc, size_t *len)
776d9c36absjg{
777d9c36absjg	/*
778d9c36absjg	 * There is payload data to be read only if the mode is
779d9c36absjg	 * compatible, and ixa != ixb.
780d9c36absjg	 */
781d9c36absjg	switch (rc->iomode) {
782d9c36absjg	case BR_IO_IN:
783d9c36absjg	case BR_IO_INOUT:
784d9c36absjg		*len = rc->ixb - rc->ixa;
785d9c36absjg		return (*len == 0) ? NULL : (rc->ibuf + rc->ixa);
786d9c36absjg	default:
787d9c36absjg		*len = 0;
788d9c36absjg		return NULL;
789d9c36absjg	}
790d9c36absjg}
791d9c36absjg
792d9c36absjgstatic void
793d9c36absjgrecvpld_ack(br_ssl_engine_context *rc, size_t len)
794d9c36absjg{
795d9c36absjg	rc->ixa += len;
796d9c36absjg
797d9c36absjg	/*
798d9c36absjg	 * If we read all the available data, then we either expect
799d9c36absjg	 * the remainder of the current record (if the current record
800d9c36absjg	 * was not finished; this may happen when encryption is not
801d9c36absjg	 * active), or go to "ready" state.
802d9c36absjg	 */
803d9c36absjg	if (rc->ixa == rc->ixb) {
804d9c36absjg		if (rc->ixc == 0) {
805d9c36absjg			make_ready_in(rc);
806d9c36absjg		} else {
807d9c36absjg			rc->ixa = rc->ixb = 5;
808d9c36absjg		}
809d9c36absjg	}
810d9c36absjg}
811d9c36absjg
812d9c36absjgstatic unsigned char *
813d9c36absjgsendpld_buf(const br_ssl_engine_context *rc, size_t *len)
814d9c36absjg{
815d9c36absjg	/*
816d9c36absjg	 * Payload data can be injected only if the current mode is
817d9c36absjg	 * compatible, and oxa != oxb.
818d9c36absjg	 */
819d9c36absjg	switch (rc->iomode) {
820d9c36absjg	case BR_IO_OUT:
821d9c36absjg	case BR_IO_INOUT:
822d9c36absjg		*len = rc->oxb - rc->oxa;
823d9c36absjg		return (*len == 0) ? NULL : (rc->obuf + rc->oxa);
824d9c36absjg	default:
825d9c36absjg		*len = 0;
826d9c36absjg		return NULL;
827d9c36absjg	}
828d9c36absjg}
829d9c36absjg
830d9c36absjg/*
831d9c36absjg * If some payload bytes have been accumulated, then wrap them into
832d9c36absjg * an outgoing record. Otherwise, this function does nothing, unless
833d9c36absjg * 'force' is non-zero, in which case an empty record is assembled.
834d9c36absjg *
835d9c36absjg * The caller must take care not to invoke this function if the engine
836d9c36absjg * is not currently ready to receive payload bytes to send.
837d9c36absjg */
838d9c36absjgstatic void
839d9c36absjgsendpld_flush(br_ssl_engine_context *rc, int force)
840d9c36absjg{
841d9c36absjg	size_t xlen;
842d9c36absjg	unsigned char *buf;
843d9c36absjg
844d9c36absjg	if (rc->oxa == rc->oxb) {
845d9c36absjg		return;
846d9c36absjg	}
847d9c36absjg	xlen = rc->oxa - rc->oxc;
848d9c36absjg	if (xlen == 0 && !force) {
849d9c36absjg		return;
850d9c36absjg	}
851d9c36absjg	buf = rc->out.vtable->encrypt(&rc->out.vtable,
852d9c36absjg		rc->record_type_out, rc->version_out,
853d9c36absjg		rc->obuf + rc->oxc, &xlen);
854d9c36absjg	rc->oxb = rc->oxa = (size_t)(buf - rc->obuf);
855d9c36absjg	rc->oxc = rc->oxa + xlen;
856d9c36absjg}
857d9c36absjg
858d9c36absjgstatic void
859d9c36absjgsendpld_ack(br_ssl_engine_context *rc, size_t len)
860d9c36absjg{
861d9c36absjg	/*
862d9c36absjg	 * If using a shared buffer, then we may have to modify the
863d9c36absjg	 * current mode.
864d9c36absjg	 */
865d9c36absjg	if (rc->iomode == BR_IO_INOUT && rc->ibuf == rc->obuf) {
866d9c36absjg		rc->iomode = BR_IO_OUT;
867d9c36absjg	}
868d9c36absjg	rc->oxa += len;
869d9c36absjg	if (rc->oxa >= rc->oxb) {
870d9c36absjg		/*
871d9c36absjg		 * Set oxb to one more than oxa so that sendpld_flush()
872d9c36absjg		 * does not mistakingly believe that a record is
873d9c36absjg		 * already prepared and being sent.
874d9c36absjg		 */
875d9c36absjg		rc->oxb = rc->oxa + 1;
876d9c36absjg		sendpld_flush(rc, 0);
877d9c36absjg	}
878d9c36absjg}
879d9c36absjg
880d9c36absjgstatic unsigned char *
881d9c36absjgsendrec_buf(const br_ssl_engine_context *rc, size_t *len)
882d9c36absjg{
883d9c36absjg	/*
884d9c36absjg	 * When still gathering payload bytes, oxc points to the start
885d9c36absjg	 * of the record data, so oxc <= oxa. However, when a full
886d9c36absjg	 * record has been completed, oxc points to the end of the record,
887d9c36absjg	 * so oxc > oxa.
888d9c36absjg	 */
889d9c36absjg	switch (rc->iomode) {
890d9c36absjg	case BR_IO_OUT:
891d9c36absjg	case BR_IO_INOUT:
892d9c36absjg		if (rc->oxc > rc->oxa) {
893d9c36absjg			*len = rc->oxc - rc->oxa;
894d9c36absjg			return rc->obuf + rc->oxa;
895d9c36absjg		}
896d9c36absjg		break;
897d9c36absjg	}
898d9c36absjg	*len = 0;
899d9c36absjg	return NULL;
900d9c36absjg}
901d9c36absjg
902d9c36absjgstatic void
903d9c36absjgsendrec_ack(br_ssl_engine_context *rc, size_t len)
904d9c36absjg{
905d9c36absjg	rc->oxb = (rc->oxa += len);
906d9c36absjg	if (rc->oxa == rc->oxc) {
907d9c36absjg		make_ready_out(rc);
908d9c36absjg	}
909d9c36absjg}
910d9c36absjg
911d9c36absjg/*
912d9c36absjg * Test whether there is some buffered outgoing record that still must
913d9c36absjg * sent.
914d9c36absjg */
915d9c36absjgstatic inline int
916d9c36absjghas_rec_tosend(const br_ssl_engine_context *rc)
917d9c36absjg{
918d9c36absjg	return rc->oxa == rc->oxb && rc->oxa != rc->oxc;
919d9c36absjg}
920d9c36absjg
921d9c36absjg/*
922d9c36absjg * The "no encryption" mode has no overhead. It limits the payload size
923d9c36absjg * to the maximum size allowed by the standard (16384 bytes); the caller
924d9c36absjg * is responsible for possibly enforcing a smaller fragment length.
925d9c36absjg */
926d9c36absjgstatic void
927d9c36absjgclear_max_plaintext(const br_sslrec_out_clear_context *cc,
928d9c36absjg	size_t *start, size_t *end)
929d9c36absjg{
930d9c36absjg	size_t len;
931d9c36absjg
932d9c36absjg	(void)cc;
933d9c36absjg	len = *end - *start;
934d9c36absjg	if (len > 16384) {
935d9c36absjg		*end = *start + 16384;
936d9c36absjg	}
937d9c36absjg}
938d9c36absjg
939d9c36absjg/*
940d9c36absjg * In "no encryption" mode, encryption is trivial (a no-operation) so
941d9c36absjg * we just have to encode the header.
942d9c36absjg */
943d9c36absjgstatic unsigned char *
944d9c36absjgclear_encrypt(br_sslrec_out_clear_context *cc,
945d9c36absjg	int record_type, unsigned version, void *data, size_t *data_len)
946d9c36absjg{
947d9c36absjg	unsigned char *buf;
948d9c36absjg
949d9c36absjg	(void)cc;
950d9c36absjg	buf = (unsigned char *)data - 5;
951d9c36absjg	buf[0] = record_type;
952d9c36absjg	br_enc16be(buf + 1, version);
953d9c36absjg	br_enc16be(buf + 3, *data_len);
954d9c36absjg	*data_len += 5;
955d9c36absjg	return buf;
956d9c36absjg}
957d9c36absjg
958d9c36absjg/* see bearssl_ssl.h */
959d9c36absjgconst br_sslrec_out_class br_sslrec_out_clear_vtable = {
960d9c36absjg	sizeof(br_sslrec_out_clear_context),
961d9c36absjg	(void (*)(const br_sslrec_out_class *const *, size_t *, size_t *))
962d9c36absjg		&clear_max_plaintext,
963d9c36absjg	(unsigned char *(*)(const br_sslrec_out_class **,
964d9c36absjg		int, unsigned, void *, size_t *))
965d9c36absjg		&clear_encrypt
966d9c36absjg};
967d9c36absjg
968d9c36absjg/* ==================================================================== */
969d9c36absjg/*
970d9c36absjg * In this part of the file, we handle the various record types, and
971d9c36absjg * communications with the handshake processor.
972d9c36absjg */
973d9c36absjg
974d9c36absjg/*
975d9c36absjg * IMPLEMENTATION NOTES
976d9c36absjg * ====================
977d9c36absjg *
978d9c36absjg * The handshake processor is written in T0 and runs as a coroutine.
979d9c36absjg * It receives the contents of all records except application data, and
980d9c36absjg * is responsible for producing the contents of all records except
981d9c36absjg * application data.
982d9c36absjg *
983d9c36absjg * A state flag is maintained, which specifies whether application data
984d9c36absjg * is acceptable or not. When it is set:
985d9c36absjg *
986d9c36absjg * -- Application data can be injected as payload data (provided that
987d9c36absjg *    the output buffer is ready for that).
988d9c36absjg *
989d9c36absjg * -- Incoming application data records are accepted, and yield data
990d9c36absjg *    that the caller may retrieve.
991d9c36absjg *
992d9c36absjg * When the flag is cleared, application data is not accepted from the
993d9c36absjg * application, and incoming application data records trigger an error.
994d9c36absjg *
995d9c36absjg *
996d9c36absjg * Records of type handshake, alert or change-cipher-spec are handled
997d9c36absjg * by the handshake processor. The handshake processor is written in T0
998d9c36absjg * and runs as a coroutine; it gets invoked whenever one of the following
999d9c36absjg * situations is reached:
1000d9c36absjg *
1001d9c36absjg * -- An incoming record has type handshake, alert or change-cipher-spec,
1002d9c36absjg *    and yields data that can be read (zero-length records are thus
1003d9c36absjg *    ignored).
1004d9c36absjg *
1005d9c36absjg * -- An outgoing record has just finished being sent, and the "application
1006d9c36absjg *    data" flag is cleared.
1007d9c36absjg *
1008d9c36absjg * -- The caller wishes to perform a close (call to br_ssl_engine_close()).
1009d9c36absjg *
1010d9c36absjg * -- The caller wishes to perform a renegotiation (call to
1011d9c36absjg *    br_ssl_engine_renegotiate()).
1012d9c36absjg *
1013d9c36absjg * Whenever the handshake processor is entered, access to the payload
1014d9c36absjg * buffers is provided, along with some information about explicit
1015d9c36absjg * closures or renegotiations.
1016d9c36absjg */
1017d9c36absjg
1018d9c36absjg/* see bearssl_ssl.h */
1019d9c36absjgvoid
1020d9c36absjgbr_ssl_engine_set_suites(br_ssl_engine_context *cc,
1021d9c36absjg	const uint16_t *suites, size_t suites_num)
1022d9c36absjg{
1023d9c36absjg	if ((suites_num * sizeof *suites) > sizeof cc->suites_buf) {
1024d9c36absjg		br_ssl_engine_fail(cc, BR_ERR_BAD_PARAM);
1025d9c36absjg		return;
1026d9c36absjg	}
1027d9c36absjg	memcpy(cc->suites_buf, suites, suites_num * sizeof *suites);
1028d9c36absjg	cc->suites_num = suites_num;
1029d9c36absjg}
1030d9c36absjg
1031d9c36absjg/*
1032d9c36absjg * Give control to handshake processor. 'action' is 1 for a close,
1033d9c36absjg * 2 for a renegotiation, or 0 for a jump due to I/O completion.
1034d9c36absjg */
1035d9c36absjgstatic void
1036d9c36absjgjump_handshake(br_ssl_engine_context *cc, int action)
1037d9c36absjg{
1038d9c36absjg	/*
1039d9c36absjg	 * We use a loop because the handshake processor actions may
1040d9c36absjg	 * allow for more actions; namely, if the processor reads all
1041d9c36absjg	 * input data, then it may allow for output data to be produced,
1042d9c36absjg	 * in case of a shared in/out buffer.
1043d9c36absjg	 */
1044d9c36absjg	for (;;) {
1045d9c36absjg		size_t hlen_in, hlen_out;
1046d9c36absjg
1047d9c36absjg		/*
1048d9c36absjg		 * Get input buffer. We do not want to provide
1049d9c36absjg		 * application data to the handshake processor (we could
1050d9c36absjg		 * get called with an explicit close or renegotiation
1051d9c36absjg		 * while there is application data ready to be read).
1052d9c36absjg		 */
1053d9c36absjg		cc->hbuf_in = recvpld_buf(cc, &hlen_in);
1054d9c36absjg		if (cc->hbuf_in != NULL
1055d9c36absjg			&& cc->record_type_in == BR_SSL_APPLICATION_DATA)
1056d9c36absjg		{
1057d9c36absjg			hlen_in = 0;
1058d9c36absjg		}
1059d9c36absjg
1060d9c36absjg		/*
1061d9c36absjg		 * Get output buffer. The handshake processor never
1062d9c36absjg		 * leaves an unfinished outgoing record, so if there is
1063d9c36absjg		 * buffered output, then it MUST be some application
1064d9c36absjg		 * data, so the processor cannot write to it.
1065d9c36absjg		 */
1066d9c36absjg		cc->saved_hbuf_out = cc->hbuf_out = sendpld_buf(cc, &hlen_out);
1067d9c36absjg		if (cc->hbuf_out != NULL && br_ssl_engine_has_pld_to_send(cc)) {
1068d9c36absjg			hlen_out = 0;
1069d9c36absjg		}
1070d9c36absjg
1071d9c36absjg		/*
1072d9c36absjg		 * Note: hlen_in and hlen_out can be both non-zero only if
1073d9c36absjg		 * the input and output buffers are disjoint. Thus, we can
1074d9c36absjg		 * offer both buffers to the handshake code.
1075d9c36absjg		 */
1076d9c36absjg
1077d9c36absjg		cc->hlen_in = hlen_in;
1078d9c36absjg		cc->hlen_out = hlen_out;
1079d9c36absjg		cc->action = action;
1080d9c36absjg		cc->hsrun(&cc->cpu);
1081d9c36absjg		if (br_ssl_engine_closed(cc)) {
1082d9c36absjg			return;
1083d9c36absjg		}
1084d9c36absjg		if (cc->hbuf_out != cc->saved_hbuf_out) {
1085d9c36absjg			sendpld_ack(cc, cc->hbuf_out - cc->saved_hbuf_out);
1086d9c36absjg		}
1087d9c36absjg		if (hlen_in != cc->hlen_in) {
1088d9c36absjg			recvpld_ack(cc, hlen_in - cc->hlen_in);
1089d9c36absjg			if (cc->hlen_in == 0) {
1090d9c36absjg				/*
1091d9c36absjg				 * We read all data bytes, which may have
1092d9c36absjg				 * released the output buffer in case it
1093d9c36absjg				 * is shared with the input buffer, and
1094d9c36absjg				 * the handshake code might be waiting for
1095d9c36absjg				 * that.
1096d9c36absjg				 */
1097d9c36absjg				action = 0;
1098d9c36absjg				continue;
1099d9c36absjg			}
1100d9c36absjg		}
1101d9c36absjg		break;
1102d9c36absjg	}
1103d9c36absjg}
1104d9c36absjg
1105d9c36absjg/* see inner.h */
1106d9c36absjgvoid
1107d9c36absjgbr_ssl_engine_flush_record(br_ssl_engine_context *cc)
1108d9c36absjg{
1109d9c36absjg	if (cc->hbuf_out != cc->saved_hbuf_out) {
1110d9c36absjg		sendpld_ack(cc, cc->hbuf_out - cc->saved_hbuf_out);
1111d9c36absjg	}
1112d9c36absjg	if (br_ssl_engine_has_pld_to_send(cc)) {
1113d9c36absjg		sendpld_flush(cc, 0);
1114d9c36absjg	}
1115d9c36absjg	cc->saved_hbuf_out = cc->hbuf_out = sendpld_buf(cc, &cc->hlen_out);
1116d9c36absjg}
1117d9c36absjg
1118d9c36absjg/* see bearssl_ssl.h */
1119d9c36absjgunsigned char *
1120d9c36absjgbr_ssl_engine_sendapp_buf(const br_ssl_engine_context *cc, size_t *len)
1121d9c36absjg{
1122d9c36absjg	if (!(cc->application_data & 1)) {
1123d9c36absjg		*len = 0;
1124d9c36absjg		return NULL;
1125d9c36absjg	}
1126d9c36absjg	return sendpld_buf(cc, len);
1127d9c36absjg}
1128d9c36absjg
1129d9c36absjg/* see bearssl_ssl.h */
1130d9c36absjgvoid
1131d9c36absjgbr_ssl_engine_sendapp_ack(br_ssl_engine_context *cc, size_t len)
1132d9c36absjg{
1133d9c36absjg	sendpld_ack(cc, len);
1134d9c36absjg}
1135d9c36absjg
1136d9c36absjg/* see bearssl_ssl.h */
1137d9c36absjgunsigned char *
1138d9c36absjgbr_ssl_engine_recvapp_buf(const br_ssl_engine_context *cc, size_t *len)
1139d9c36absjg{
1140d9c36absjg	if (!(cc->application_data & 1)
1141d9c36absjg		|| cc->record_type_in != BR_SSL_APPLICATION_DATA)
1142d9c36absjg	{
1143d9c36absjg		*len = 0;
1144d9c36absjg		return NULL;
1145d9c36absjg	}
1146d9c36absjg	return recvpld_buf(cc, len);
1147d9c36absjg}
1148d9c36absjg
1149d9c36absjg/* see bearssl_ssl.h */
1150d9c36absjgvoid
1151d9c36absjgbr_ssl_engine_recvapp_ack(br_ssl_engine_context *cc, size_t len)
1152d9c36absjg{
1153d9c36absjg	recvpld_ack(cc, len);
1154d9c36absjg}
1155d9c36absjg
1156d9c36absjg/* see bearssl_ssl.h */
1157d9c36absjgunsigned char *
1158d9c36absjgbr_ssl_engine_sendrec_buf(const br_ssl_engine_context *cc, size_t *len)
1159d9c36absjg{
1160d9c36absjg	return sendrec_buf(cc, len);
1161d9c36absjg}
1162d9c36absjg
1163d9c36absjg/* see bearssl_ssl.h */
1164d9c36absjgvoid
1165d9c36absjgbr_ssl_engine_sendrec_ack(br_ssl_engine_context *cc, size_t len)
1166d9c36absjg{
1167d9c36absjg	sendrec_ack(cc, len);
1168d9c36absjg	if (len != 0 && !has_rec_tosend(cc)
1169d9c36absjg		&& (cc->record_type_out != BR_SSL_APPLICATION_DATA
1170d9c36absjg		|| (cc->application_data & 1) == 0))
1171d9c36absjg	{
1172d9c36absjg		jump_handshake(cc, 0);
1173d9c36absjg	}
1174d9c36absjg}
1175d9c36absjg
1176d9c36absjg/* see bearssl_ssl.h */
1177d9c36absjgunsigned char *
1178d9c36absjgbr_ssl_engine_recvrec_buf(const br_ssl_engine_context *cc, size_t *len)
1179d9c36absjg{
1180d9c36absjg	return recvrec_buf(cc, len);
1181d9c36absjg}
1182d9c36absjg
1183d9c36absjg/* see bearssl_ssl.h */
1184d9c36absjgvoid
1185d9c36absjgbr_ssl_engine_recvrec_ack(br_ssl_engine_context *cc, size_t len)
1186d9c36absjg{
1187d9c36absjg	unsigned char *buf;
1188d9c36absjg
1189d9c36absjg	recvrec_ack(cc, len);
1190d9c36absjg	if (br_ssl_engine_closed(cc)) {
1191d9c36absjg		return;
1192d9c36absjg	}
1193d9c36absjg
1194d9c36absjg	/*
1195d9c36absjg	 * We just received some bytes from the peer. This may have
1196d9c36absjg	 * yielded some payload bytes, in which case we must process
1197d9c36absjg	 * them according to the record type.
1198d9c36absjg	 */
1199d9c36absjg	buf = recvpld_buf(cc, &len);
1200d9c36absjg	if (buf != NULL) {
1201d9c36absjg		switch (cc->record_type_in) {
1202d9c36absjg		case BR_SSL_CHANGE_CIPHER_SPEC:
1203d9c36absjg		case BR_SSL_ALERT:
1204d9c36absjg		case BR_SSL_HANDSHAKE:
1205d9c36absjg			jump_handshake(cc, 0);
1206d9c36absjg			break;
1207d9c36absjg		case BR_SSL_APPLICATION_DATA:
1208d9c36absjg			if (cc->application_data == 1) {
1209d9c36absjg				break;
1210d9c36absjg			}
1211d9c36absjg
1212d9c36absjg			/*
1213d9c36absjg			 * If we are currently closing, and waiting for
1214d9c36absjg			 * a close_notify from the peer, then incoming
1215d9c36absjg			 * application data should be discarded.
1216d9c36absjg			 */
1217d9c36absjg			if (cc->application_data == 2) {
1218d9c36absjg				recvpld_ack(cc, len);
1219d9c36absjg				break;
1220d9c36absjg			}
1221d9c36absjg
1222d9c36absjg			/* Fall through */
1223d9c36absjg		default:
1224d9c36absjg			br_ssl_engine_fail(cc, BR_ERR_UNEXPECTED);
1225d9c36absjg			break;
1226d9c36absjg		}
1227d9c36absjg	}
1228d9c36absjg}
1229d9c36absjg
1230d9c36absjg/* see bearssl_ssl.h */
1231d9c36absjgvoid
1232d9c36absjgbr_ssl_engine_close(br_ssl_engine_context *cc)
1233d9c36absjg{
1234d9c36absjg	if (!br_ssl_engine_closed(cc)) {
1235d9c36absjg		jump_handshake(cc, 1);
1236d9c36absjg	}
1237d9c36absjg}
1238d9c36absjg
1239d9c36absjg/* see bearssl_ssl.h */
1240d9c36absjgint
1241d9c36absjgbr_ssl_engine_renegotiate(br_ssl_engine_context *cc)
1242d9c36absjg{
1243d9c36absjg	size_t len;
1244d9c36absjg
1245d9c36absjg	if (br_ssl_engine_closed(cc) || cc->reneg == 1
1246d9c36absjg		|| (cc->flags & BR_OPT_NO_RENEGOTIATION) != 0
1247d9c36absjg		|| br_ssl_engine_recvapp_buf(cc, &len) != NULL)
1248d9c36absjg	{
1249d9c36absjg		return 0;
1250d9c36absjg	}
1251d9c36absjg	jump_handshake(cc, 2);
1252d9c36absjg	return 1;
1253d9c36absjg}
1254d9c36absjg
1255d9c36absjg/* see bearssl.h */
1256d9c36absjgunsigned
1257d9c36absjgbr_ssl_engine_current_state(const br_ssl_engine_context *cc)
1258d9c36absjg{
1259d9c36absjg	unsigned s;
1260d9c36absjg	size_t len;
1261d9c36absjg
1262d9c36absjg	if (br_ssl_engine_closed(cc)) {
1263d9c36absjg		return BR_SSL_CLOSED;
1264d9c36absjg	}
1265d9c36absjg
1266d9c36absjg	s = 0;
1267d9c36absjg	if (br_ssl_engine_sendrec_buf(cc, &len) != NULL) {
1268d9c36absjg		s |= BR_SSL_SENDREC;
1269d9c36absjg	}
1270d9c36absjg	if (br_ssl_engine_recvrec_buf(cc, &len) != NULL) {
1271d9c36absjg		s |= BR_SSL_RECVREC;
1272d9c36absjg	}
1273d9c36absjg	if (br_ssl_engine_sendapp_buf(cc, &len) != NULL) {
1274d9c36absjg		s |= BR_SSL_SENDAPP;
1275d9c36absjg	}
1276d9c36absjg	if (br_ssl_engine_recvapp_buf(cc, &len) != NULL) {
1277d9c36absjg		s |= BR_SSL_RECVAPP;
1278d9c36absjg	}
1279d9c36absjg	return s;
1280d9c36absjg}
1281d9c36absjg
1282d9c36absjg/* see bearssl_ssl.h */
1283d9c36absjgvoid
1284d9c36absjgbr_ssl_engine_flush(br_ssl_engine_context *cc, int force)
1285d9c36absjg{
1286d9c36absjg	if (!br_ssl_engine_closed(cc) && (cc->application_data & 1) != 0) {
1287d9c36absjg		sendpld_flush(cc, force);
1288d9c36absjg	}
1289d9c36absjg}
1290d9c36absjg
1291d9c36absjg/* see inner.h */
1292d9c36absjgvoid
1293d9c36absjgbr_ssl_engine_hs_reset(br_ssl_engine_context *cc,
1294d9c36absjg	void (*hsinit)(void *), void (*hsrun)(void *))
1295d9c36absjg{
1296d9c36absjg	engine_clearbuf(cc);
1297d9c36absjg	cc->cpu.dp = cc->dp_stack;
1298d9c36absjg	cc->cpu.rp = cc->rp_stack;
1299d9c36absjg	hsinit(&cc->cpu);
1300d9c36absjg	cc->hsrun = hsrun;
1301d9c36absjg	cc->shutdown_recv = 0;
1302d9c36absjg	cc->application_data = 0;
1303d9c36absjg	cc->alert = 0;
1304d9c36absjg	jump_handshake(cc, 0);
1305d9c36absjg}
1306d9c36absjg
1307d9c36absjg/* see inner.h */
1308d9c36absjgbr_tls_prf_impl
1309d9c36absjgbr_ssl_engine_get_PRF(br_ssl_engine_context *cc, int prf_id)
1310d9c36absjg{
1311d9c36absjg	if (cc->session.version >= BR_TLS12) {
1312d9c36absjg		if (prf_id == br_sha384_ID) {
1313d9c36absjg			return cc->prf_sha384;
1314d9c36absjg		} else {
1315d9c36absjg			return cc->prf_sha256;
1316d9c36absjg		}
1317d9c36absjg	} else {
1318d9c36absjg		return cc->prf10;
1319d9c36absjg	}
1320d9c36absjg}
1321d9c36absjg
1322d9c36absjg/* see inner.h */
1323d9c36absjgvoid
1324d9c36absjgbr_ssl_engine_compute_master(br_ssl_engine_context *cc,
1325d9c36absjg	int prf_id, const void *pms, size_t pms_len)
1326d9c36absjg{
1327d9c36absjg	br_tls_prf_impl iprf;
1328d9c36absjg	br_tls_prf_seed_chunk seed[2] = {
1329d9c36absjg		{ cc->client_random, sizeof cc->client_random },
1330d9c36absjg		{ cc->server_random, sizeof cc->server_random }
1331d9c36absjg	};
1332d9c36absjg
1333d9c36absjg	iprf = br_ssl_engine_get_PRF(cc, prf_id);
1334d9c36absjg	iprf(cc->session.master_secret, sizeof cc->session.master_secret,
1335d9c36absjg		pms, pms_len, "master secret", 2, seed);
1336d9c36absjg}
1337d9c36absjg
1338d9c36absjg/*
1339d9c36absjg * Compute key block.
1340d9c36absjg */
1341d9c36absjgstatic void
1342d9c36absjgcompute_key_block(br_ssl_engine_context *cc, int prf_id,
1343d9c36absjg	size_t half_len, unsigned char *kb)
1344d9c36absjg{
1345d9c36absjg	br_tls_prf_impl iprf;
1346d9c36absjg	br_tls_prf_seed_chunk seed[2] = {
1347d9c36absjg		{ cc->server_random, sizeof cc->server_random },
1348d9c36absjg		{ cc->client_random, sizeof cc->client_random }
1349d9c36absjg	};
1350d9c36absjg
1351d9c36absjg	iprf = br_ssl_engine_get_PRF(cc, prf_id);
1352d9c36absjg	iprf(kb, half_len << 1,
1353d9c36absjg		cc->session.master_secret, sizeof cc->session.master_secret,
1354d9c36absjg		"key expansion", 2, seed);
1355d9c36absjg}
1356d9c36absjg
1357d9c36absjg/* see inner.h */
1358d9c36absjgvoid
1359d9c36absjgbr_ssl_engine_switch_cbc_in(br_ssl_engine_context *cc,
1360d9c36absjg	int is_client, int prf_id, int mac_id,
1361d9c36absjg	const br_block_cbcdec_class *bc_impl, size_t cipher_key_len)
1362d9c36absjg{
1363d9c36absjg	unsigned char kb[192];
1364d9c36absjg	unsigned char *cipher_key, *mac_key, *iv;
1365d9c36absjg	const br_hash_class *imh;
1366d9c36absjg	size_t mac_key_len, mac_out_len, iv_len;
1367d9c36absjg
1368d9c36absjg	imh = br_ssl_engine_get_hash(cc, mac_id);
1369d9c36absjg	mac_out_len = (imh->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK;
1370d9c36absjg	mac_key_len = mac_out_len;
1371d9c36absjg
1372d9c36absjg	/*
1373d9c36absjg	 * TLS 1.1+ uses per-record explicit IV, so no IV to generate here.
1374d9c36absjg	 */
1375d9c36absjg	if (cc->session.version >= BR_TLS11) {
1376d9c36absjg		iv_len = 0;
1377d9c36absjg	} else {
1378d9c36absjg		iv_len = bc_impl->block_size;
1379d9c36absjg	}
1380d9c36absjg	compute_key_block(cc, prf_id,
1381d9c36absjg		mac_key_len + cipher_key_len + iv_len, kb);
1382d9c36absjg	if (is_client) {
1383d9c36absjg		mac_key = &kb[mac_key_len];
1384d9c36absjg		cipher_key = &kb[(mac_key_len << 1) + cipher_key_len];
1385d9c36absjg		iv = &kb[((mac_key_len + cipher_key_len) << 1) + iv_len];
1386d9c36absjg	} else {
1387d9c36absjg		mac_key = &kb[0];
1388d9c36absjg		cipher_key = &kb[mac_key_len << 1];
1389d9c36absjg		iv = &kb[(mac_key_len + cipher_key_len) << 1];
1390d9c36absjg	}
1391d9c36absjg	if (iv_len == 0) {
1392d9c36absjg		iv = NULL;
1393d9c36absjg	}
1394d9c36absjg	cc->icbc_in->init(&cc->in.cbc.vtable,
1395d9c36absjg		bc_impl, cipher_key, cipher_key_len,
1396d9c36absjg		imh, mac_key, mac_key_len, mac_out_len, iv);
1397d9c36absjg	cc->incrypt = 1;
1398d9c36absjg}
1399d9c36absjg
1400d9c36absjg/* see inner.h */
1401d9c36absjgvoid
1402d9c36absjgbr_ssl_engine_switch_cbc_out(br_ssl_engine_context *cc,
1403d9c36absjg	int is_client, int prf_id, int mac_id,
1404d9c36absjg	const br_block_cbcenc_class *bc_impl, size_t cipher_key_len)
1405d9c36absjg{
1406d9c36absjg	unsigned char kb[192];
1407d9c36absjg	unsigned char *cipher_key, *mac_key, *iv;
1408d9c36absjg	const br_hash_class *imh;
1409d9c36absjg	size_t mac_key_len, mac_out_len, iv_len;
1410d9c36absjg
1411d9c36absjg	imh = br_ssl_engine_get_hash(cc, mac_id);
1412d9c36absjg	mac_out_len = (imh->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK;
1413d9c36absjg	mac_key_len = mac_out_len;
1414d9c36absjg
1415d9c36absjg	/*
1416d9c36absjg	 * TLS 1.1+ uses per-record explicit IV, so no IV to generate here.
1417d9c36absjg	 */
1418d9c36absjg	if (cc->session.version >= BR_TLS11) {
1419d9c36absjg		iv_len = 0;
1420d9c36absjg	} else {
1421d9c36absjg		iv_len = bc_impl->block_size;
1422d9c36absjg	}
1423d9c36absjg	compute_key_block(cc, prf_id,
1424d9c36absjg		mac_key_len + cipher_key_len + iv_len, kb);
1425d9c36absjg	if (is_client) {
1426d9c36absjg		mac_key = &kb[0];
1427d9c36absjg		cipher_key = &kb[mac_key_len << 1];
1428d9c36absjg		iv = &kb[(mac_key_len + cipher_key_len) << 1];
1429d9c36absjg	} else {
1430d9c36absjg		mac_key = &kb[mac_key_len];
1431d9c36absjg		cipher_key = &kb[(mac_key_len << 1) + cipher_key_len];
1432d9c36absjg		iv = &kb[((mac_key_len + cipher_key_len) << 1) + iv_len];
1433d9c36absjg	}
1434d9c36absjg	if (iv_len == 0) {
1435d9c36absjg		iv = NULL;
1436d9c36absjg	}
1437d9c36absjg	cc->icbc_out->init(&cc->out.cbc.vtable,
1438d9c36absjg		bc_impl, cipher_key, cipher_key_len,
1439d9c36absjg		imh, mac_key, mac_key_len, mac_out_len, iv);
1440d9c36absjg}
1441d9c36absjg
1442d9c36absjg/* see inner.h */
1443d9c36absjgvoid
1444d9c36absjgbr_ssl_engine_switch_gcm_in(br_ssl_engine_context *cc,
1445d9c36absjg	int is_client, int prf_id,
1446d9c36absjg	const br_block_ctr_class *bc_impl, size_t cipher_key_len)
1447d9c36absjg{
1448d9c36absjg	unsigned char kb[72];
1449d9c36absjg	unsigned char *cipher_key, *iv;
1450d9c36absjg
1451d9c36absjg	compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1452d9c36absjg	if (is_client) {
1453d9c36absjg		cipher_key = &kb[cipher_key_len];
1454d9c36absjg		iv = &kb[(cipher_key_len << 1) + 4];
1455d9c36absjg	} else {
1456d9c36absjg		cipher_key = &kb[0];
1457d9c36absjg		iv = &kb[cipher_key_len << 1];
1458d9c36absjg	}
1459d9c36absjg	cc->igcm_in->init(&cc->in.gcm.vtable.in,
1460d9c36absjg		bc_impl, cipher_key, cipher_key_len, cc->ighash, iv);
1461d9c36absjg	cc->incrypt = 1;
1462d9c36absjg}
1463d9c36absjg
1464d9c36absjg/* see inner.h */
1465d9c36absjgvoid
1466d9c36absjgbr_ssl_engine_switch_gcm_out(br_ssl_engine_context *cc,
1467d9c36absjg	int is_client, int prf_id,
1468d9c36absjg	const br_block_ctr_class *bc_impl, size_t cipher_key_len)
1469d9c36absjg{
1470d9c36absjg	unsigned char kb[72];
1471d9c36absjg	unsigned char *cipher_key, *iv;
1472d9c36absjg
1473d9c36absjg	compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1474d9c36absjg	if (is_client) {
1475d9c36absjg		cipher_key = &kb[0];
1476d9c36absjg		iv = &kb[cipher_key_len << 1];
1477d9c36absjg	} else {
1478d9c36absjg		cipher_key = &kb[cipher_key_len];
1479d9c36absjg		iv = &kb[(cipher_key_len << 1) + 4];
1480d9c36absjg	}
1481d9c36absjg	cc->igcm_out->init(&cc->out.gcm.vtable.out,
1482d9c36absjg		bc_impl, cipher_key, cipher_key_len, cc->ighash, iv);
1483d9c36absjg}
1484d9c36absjg
1485d9c36absjg/* see inner.h */
1486d9c36absjgvoid
1487d9c36absjgbr_ssl_engine_switch_chapol_in(br_ssl_engine_context *cc,
1488d9c36absjg	int is_client, int prf_id)
1489d9c36absjg{
1490d9c36absjg	unsigned char kb[88];
1491d9c36absjg	unsigned char *cipher_key, *iv;
1492d9c36absjg
1493d9c36absjg	compute_key_block(cc, prf_id, 44, kb);
1494d9c36absjg	if (is_client) {
1495d9c36absjg		cipher_key = &kb[32];
1496d9c36absjg		iv = &kb[76];
1497d9c36absjg	} else {
1498d9c36absjg		cipher_key = &kb[0];
1499d9c36absjg		iv = &kb[64];
1500d9c36absjg	}
1501d9c36absjg	cc->ichapol_in->init(&cc->in.chapol.vtable.in,
1502d9c36absjg		cc->ichacha, cc->ipoly, cipher_key, iv);
1503d9c36absjg	cc->incrypt = 1;
1504d9c36absjg}
1505d9c36absjg
1506d9c36absjg/* see inner.h */
1507d9c36absjgvoid
1508d9c36absjgbr_ssl_engine_switch_chapol_out(br_ssl_engine_context *cc,
1509d9c36absjg	int is_client, int prf_id)
1510d9c36absjg{
1511d9c36absjg	unsigned char kb[88];
1512d9c36absjg	unsigned char *cipher_key, *iv;
1513d9c36absjg
1514d9c36absjg	compute_key_block(cc, prf_id, 44, kb);
1515d9c36absjg	if (is_client) {
1516d9c36absjg		cipher_key = &kb[0];
1517d9c36absjg		iv = &kb[64];
1518d9c36absjg	} else {
1519d9c36absjg		cipher_key = &kb[32];
1520d9c36absjg		iv = &kb[76];
1521d9c36absjg	}
1522d9c36absjg	cc->ichapol_out->init(&cc->out.chapol.vtable.out,
1523d9c36absjg		cc->ichacha, cc->ipoly, cipher_key, iv);
1524d9c36absjg}
1525d9c36absjg
1526d9c36absjg/* see inner.h */
1527d9c36absjgvoid
1528d9c36absjgbr_ssl_engine_switch_ccm_in(br_ssl_engine_context *cc,
1529d9c36absjg	int is_client, int prf_id,
1530d9c36absjg	const br_block_ctrcbc_class *bc_impl,
1531d9c36absjg	size_t cipher_key_len, size_t tag_len)
1532d9c36absjg{
1533d9c36absjg	unsigned char kb[72];
1534d9c36absjg	unsigned char *cipher_key, *iv;
1535d9c36absjg
1536d9c36absjg	compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1537d9c36absjg	if (is_client) {
1538d9c36absjg		cipher_key = &kb[cipher_key_len];
1539d9c36absjg		iv = &kb[(cipher_key_len << 1) + 4];
1540d9c36absjg	} else {
1541d9c36absjg		cipher_key = &kb[0];
1542d9c36absjg		iv = &kb[cipher_key_len << 1];
1543d9c36absjg	}
1544d9c36absjg	cc->iccm_in->init(&cc->in.ccm.vtable.in,
1545d9c36absjg		bc_impl, cipher_key, cipher_key_len, iv, tag_len);
1546d9c36absjg	cc->incrypt = 1;
1547d9c36absjg}
1548d9c36absjg
1549d9c36absjg/* see inner.h */
1550d9c36absjgvoid
1551d9c36absjgbr_ssl_engine_switch_ccm_out(br_ssl_engine_context *cc,
1552d9c36absjg	int is_client, int prf_id,
1553d9c36absjg	const br_block_ctrcbc_class *bc_impl,
1554d9c36absjg	size_t cipher_key_len, size_t tag_len)
1555d9c36absjg{
1556d9c36absjg	unsigned char kb[72];
1557d9c36absjg	unsigned char *cipher_key, *iv;
1558d9c36absjg
1559d9c36absjg	compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
1560d9c36absjg	if (is_client) {
1561d9c36absjg		cipher_key = &kb[0];
1562d9c36absjg		iv = &kb[cipher_key_len << 1];
1563d9c36absjg	} else {
1564d9c36absjg		cipher_key = &kb[cipher_key_len];
1565d9c36absjg		iv = &kb[(cipher_key_len << 1) + 4];
1566d9c36absjg	}
1567d9c36absjg	cc->iccm_out->init(&cc->out.ccm.vtable.out,
1568d9c36absjg		bc_impl, cipher_key, cipher_key_len, iv, tag_len);
1569d9c36absjg}
1570