X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Frecord%2Fssl3_record_tls13.c;h=696cc37fd3d22b20a7cbba3973785e402c39fc01;hp=44c08b014b7595f16c9391f8ed06616f8f4d67c3;hb=0ef2802165706016698d6984dfcb2980881f18e5;hpb=6606d600545b28dbcfb391f3c5adf03dd6ad0ca7

diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
index 44c08b014b..696cc37fd3 100644
--- a/ssl/record/ssl3_record_tls13.c
+++ b/ssl/record/ssl3_record_tls13.c
@@ -9,6 +9,7 @@
 
 #include "../ssl_locl.h"
 #include "record_locl.h"
+#include "internal/cryptlib.h"
 
 /*-
  * tls13_enc encrypts/decrypts |n_recs| in |recs|.
@@ -20,15 +21,16 @@
  *   -1: if the record's AEAD-authenticator is invalid or, if sending,
  *       an internal error occurred.
  */
-int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
+int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
 {
     EVP_CIPHER_CTX *ctx;
     unsigned char iv[EVP_MAX_IV_LENGTH];
-    size_t ivlen, offset, loop;
+    size_t ivlen, taglen, offset, loop;
     unsigned char *staticiv;
     unsigned char *seq;
     int lenu, lenf;
     SSL3_RECORD *rec = &recs[0];
+    uint32_t alg_enc;
 
     if (n_recs != 1) {
         /* Should not happen */
@@ -36,7 +38,7 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
         return -1;
     }
 
-    if (send) {
+    if (sending) {
         ctx = s->enc_write_ctx;
         staticiv = s->write_iv;
         seq = RECORD_LAYER_get_write_sequence(&s->rlayer);
@@ -51,23 +53,53 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
         rec->input = rec->data;
         return 1;
     }
+
     ivlen = EVP_CIPHER_CTX_iv_length(ctx);
 
-    if (!send) {
+    if (s->early_data_state == SSL_EARLY_DATA_WRITING
+            || s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {
+        if (s->session != NULL && s->session->ext.max_early_data > 0) {
+            alg_enc = s->session->cipher->algorithm_enc;
+        } else {
+            if (!ossl_assert(s->psksession != NULL
+                             && s->psksession->ext.max_early_data > 0))
+                return -1;
+            alg_enc = s->psksession->cipher->algorithm_enc;
+        }
+    } else {
         /*
-         * Take off tag. There must be at least one byte of content type as
-         * well as the tag
+         * To get here we must have selected a ciphersuite - otherwise ctx would
+         * be NULL
          */
+        if (!ossl_assert(s->s3->tmp.new_cipher != NULL))
+            return -1;
+        alg_enc = s->s3->tmp.new_cipher->algorithm_enc;
+    }
+
+    if (alg_enc & SSL_AESCCM) {
+        if (alg_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))
+            taglen = EVP_CCM8_TLS_TAG_LEN;
+         else
+            taglen = EVP_CCM_TLS_TAG_LEN;
+         if (sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen,
+                                         NULL) <= 0)
+            return -1;
+    } else if (alg_enc & SSL_AESGCM) {
+        taglen = EVP_GCM_TLS_TAG_LEN;
+    } else if (alg_enc & SSL_CHACHA20) {
+        taglen = EVP_CHACHAPOLY_TLS_TAG_LEN;
+    } else {
+        return -1;
+    }
+
+    if (!sending) {
         /*
-         * TODO(TLS1.3): We're going to need to figure out the tag len based on
-         * the cipher. For now we just support GCM tags.
-         * TODO(TLS1.3): When we've swapped over the record layer to TLSv1.3
-         * then the length must be 1 + the tag len to account for the content
-         * byte that we know must have been encrypted.
+         * Take off tag. There must be at least one byte of content type as
+         * well as the tag
          */
-        if (rec->length < EVP_GCM_TLS_TAG_LEN)
+        if (rec->length < taglen + 1)
             return 0;
-        rec->length -= EVP_GCM_TLS_TAG_LEN;
+        rec->length -= taglen;
     }
 
     /* Set up IV */
@@ -80,24 +112,34 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
     for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
         iv[offset + loop] = staticiv[offset + loop] ^ seq[loop];
 
+    /* Increment the sequence counter */
+    for (loop = SEQ_NUM_SIZE; loop > 0; loop--) {
+        ++seq[loop - 1];
+        if (seq[loop - 1] != 0)
+            break;
+    }
+    if (loop == 0) {
+        /* Sequence has wrapped */
+        return -1;
+    }
+
     /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */
-    if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, send) <= 0
+    if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0
+            || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
+                                             taglen,
+                                             rec->data + rec->length) <= 0)
             || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
                                 (unsigned int)rec->length) <= 0
-            || (!send && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
-                                             EVP_GCM_TLS_TAG_LEN,
-                                             rec->data + rec->length) <= 0)
             || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
             || (size_t)(lenu + lenf) != rec->length) {
         return -1;
     }
-
-    if (send) {
+    if (sending) {
         /* Add the tag */
-        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, EVP_GCM_TLS_TAG_LEN,
+        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen,
                                 rec->data + rec->length) <= 0)
             return -1;
-        rec->length += EVP_GCM_TLS_TAG_LEN;
+        rec->length += taglen;
     }
 
     return 1;