Provide framework for sending alerts and post-handshake handshake messages.

Discussed at length with beck@ ok beck@ tb@
author: jsing <> 2019-11-17 17:20:16 +0000
committer: jsing <> 2019-11-17 17:20:16 +0000
commit: 516efe2f49b299dbcb3e0e96afba993c37476db8 (patch)
tree: 35f5e41f42031e9a4701b5932269f219de6d35ba
parent: 1730c597e084e59232a8f9c312ac29a78c60a98a (diff)
download: openbsd-516efe2f49b299dbcb3e0e96afba993c37476db8.tar.gz
openbsd-516efe2f49b299dbcb3e0e96afba993c37476db8.tar.bz2
openbsd-516efe2f49b299dbcb3e0e96afba993c37476db8.zip
2 files changed, 174 insertions, 15 deletions
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 9ab72f4f3a..05e108952a 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.30 2019/11/17 06:35:30 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.31 2019/11/17 17:20:16 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -120,6 +120,10 @@ int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
    struct tls13_secret *read_key);
 int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
    struct tls13_secret *write_key);
+ssize_t tls13_record_layer_alert(struct tls13_record_layer *rl,
+    uint8_t alert_level, uint8_t alert_desc);
+ssize_t tls13_record_layer_phh(struct tls13_record_layer *rl, uint8_t *data,
+    size_t len);
 ssize_t tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n);
 ssize_t tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index ff26b09d46..8208ae508c 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.10 2019/11/17 00:10:47 beck Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.11 2019/11/17 17:20:16 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -22,6 +22,11 @@
 #include "tls13_internal.h"
 #include "tls13_record.h"
+static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
+    uint8_t content_type, const uint8_t *buf, size_t n);
+static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
+    uint8_t content_type, const uint8_t *content, size_t content_len);
 struct tls13_record_layer {
        int change_cipher_spec_seen;
        int handshake_completed;
@@ -36,7 +41,20 @@ struct tls13_record_layer {
        int write_closed;
        struct tls13_record *rrec;
        struct tls13_record *wrec;
+        uint8_t wrec_content_type;
+        size_t wrec_appdata_len;
+        size_t wrec_content_len;
+        /* Pending alert messages. */
+        uint8_t *alert_data;
+        size_t alert_len;
+        /* Pending post-handshake handshake messages. */
+        CBS phh_cbs;
+        uint8_t *phh_data;
+        size_t phh_len;
        /* Buffer containing plaintext from opened records. */
        uint8_t rbuf_content_type;
@@ -232,7 +250,7 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
        } else if (alert_level == SSL3_AL_FATAL) {
                rl->read_closed = 1;
                rl->write_closed = 1;
-                ret = TLS13_IO_EOF;
+                ret = TLS13_IO_FAILURE; /* XXX - ALERT? */
        } else {
                /* XXX - decode error alert. */
                return TLS13_IO_FAILURE;
@@ -244,12 +262,112 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
        return ret;
 }
-int
+static ssize_t
-tls13_record_layer_send_alert(struct tls13_record_layer *rl,
+tls13_record_layer_send_alert(struct tls13_record_layer *rl)
+{
+        ssize_t ret;
+        /* This has to fit into a single record, per RFC 8446 section 5.1. */
+        if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT,
+            rl->alert_data, rl->alert_len)) != rl->alert_len)
+                return ret;
+        freezero(rl->alert_data, rl->alert_len);
+        rl->alert_data = NULL;
+        rl->alert_len = 0;
+        /* XXX - only close write channel when sending close notify. */
+        rl->read_closed = 1;
+        rl->write_closed = 1;
+        /* XXX - we may want a TLS13_IO_ALERT (or handle as errors). */
+        return TLS13_IO_FAILURE;
+}
+static ssize_t
+tls13_record_layer_send_phh(struct tls13_record_layer *rl)
+{
+        ssize_t ret;
+        /* Push out pending post-handshake handshake messages. */
+        if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE,
+            CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) < 0)
+                return ret;
+        if (!CBS_skip(&rl->phh_cbs, ret))
+                return TLS13_IO_FAILURE;
+        if (CBS_len(&rl->phh_cbs) != 0)
+                return TLS13_IO_WANT_POLLOUT;
+        freezero(rl->phh_data, rl->phh_len);
+        rl->phh_data = NULL;
+        rl->phh_len = 0;
+        CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
+        return TLS13_IO_SUCCESS;
+}
+static ssize_t
+tls13_record_layer_send_pending(struct tls13_record_layer *rl)
+{
+        /*
+         * If an alert is pending, then it needs to be sent. However,
+         * if we're already part of the way through sending post-handshake
+         * handshake messages, then we need to finish that first...
+         */
+        if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len)
+                return tls13_record_layer_send_phh(rl);
+        if (rl->alert_data != NULL)
+                return tls13_record_layer_send_alert(rl);
+        if (rl->phh_data != NULL)
+                return tls13_record_layer_send_phh(rl);
+        return TLS13_IO_SUCCESS;
+}
+ssize_t
+tls13_record_layer_alert(struct tls13_record_layer *rl,
    uint8_t alert_level, uint8_t alert_desc)
 {
-        /* XXX - implement. */
+        CBB cbb;
-        return -1;
+        if (rl->alert_data != NULL)
+                return TLS13_IO_FAILURE;
+        if (!CBB_init(&cbb, 0))
+                goto err;
+        if (!CBB_add_u8(&cbb, alert_level))
+                goto err;
+        if (!CBB_add_u8(&cbb, alert_desc))
+                goto err;
+        if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
+                goto err;
+        return tls13_record_layer_send_pending(rl);
+ err:
+        CBB_cleanup(&cbb);
+        return TLS13_IO_FAILURE;
+}
+ssize_t
+tls13_record_layer_phh(struct tls13_record_layer *rl, uint8_t *data,
+    size_t len)
+{
+        if (rl->phh_data != NULL)
+                return TLS13_IO_FAILURE;
+        rl->phh_data = data;
+        rl->phh_len = len;
+        CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
+        return tls13_record_layer_send_pending(rl);
 }
 static int
@@ -546,6 +664,9 @@ tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
        if (!tls13_record_set_data(rl->wrec, data, data_len))
                goto err;
+        rl->wrec_content_len = content_len;
+        rl->wrec_content_type = content_type;
        data = NULL;
        data_len = 0;
@@ -673,12 +794,12 @@ tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
 {
        ssize_t ret;
+        if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
+                return ret;
        if (rl->read_closed)
                return TLS13_IO_EOF;
-        /* XXX - loop here with record and byte limits. */
-        /* XXX - send alert... */
        /* If necessary, pull up the next record. */
        if (CBS_len(&rl->rbuf_cbs) == 0) {
                if ((ret = tls13_record_layer_read_record(rl)) <= 0)
@@ -737,16 +858,38 @@ tls13_record_layer_write_record(struct tls13_record_layer *rl,
        if (rl->write_closed)
                return TLS13_IO_EOF;
+        /*
+         * If we pushed out application data while handling other messages,
+         * we need to return content length on the next call.
+         */
+        if (content_type == SSL3_RT_APPLICATION_DATA &&
+            rl->wrec_appdata_len != 0) {
+                ret = rl->wrec_appdata_len;
+                rl->wrec_appdata_len = 0;
+                return ret;
+        }
        /* See if there is an existing record and attempt to push it out... */
        if (rl->wrec != NULL) {
                if ((ret = tls13_record_send(rl->wrec, rl->wire_write,
                    rl->cb_arg)) <= 0)
                        return ret;
                tls13_record_layer_wrec_free(rl);
-                /* XXX - could be pushing out different data... */
+                if (rl->wrec_content_type == content_type) {
-                return content_len;
+                        ret = rl->wrec_content_len;
+                        rl->wrec_content_len = 0;
+                        rl->wrec_content_type = 0;
+                        return ret;
+                }
+                /*
+                 * The only partial record type should be application data.
+                 * All other cases are handled to completion.
+                 */
+                if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA)
+                        return TLS13_IO_FAILURE;
+                rl->wrec_appdata_len = rl->wrec_content_len;
        }
        if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)
@@ -767,8 +910,8 @@ tls13_record_layer_write_record(struct tls13_record_layer *rl,
 }
 static ssize_t
-tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
+tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
-    const uint8_t *buf, size_t n)
+    uint8_t content_type, const uint8_t *buf, size_t n)
 {
        if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)
                n = TLS13_RECORD_MAX_PLAINTEXT_LEN;
@@ -776,6 +919,18 @@ tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
        return tls13_record_layer_write_record(rl, content_type, buf, n);
 }
+static ssize_t
+tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
+    const uint8_t *buf, size_t n)
+{
+        ssize_t ret;
+        if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
+                return ret;
+        return tls13_record_layer_write_chunk(rl, content_type, buf, n);
+}
 ssize_t
 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
 {
author	jsing <>	2019-11-17 17:20:16 +0000
committer	jsing <>	2019-11-17 17:20:16 +0000
commit	516efe2f49b299dbcb3e0e96afba993c37476db8 (patch)
tree	35f5e41f42031e9a4701b5932269f219de6d35ba
parent	1730c597e084e59232a8f9c312ac29a78c60a98a (diff)
download	openbsd-516efe2f49b299dbcb3e0e96afba993c37476db8.tar.gz openbsd-516efe2f49b299dbcb3e0e96afba993c37476db8.tar.bz2 openbsd-516efe2f49b299dbcb3e0e96afba993c37476db8.zip

diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 9ab72f4f3a..05e108952a 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.30 2019/11/17 06:35:30 jsing Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.31 2019/11/17 17:20:16 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -120,6 +120,10 @@ int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
120	struct tls13_secret *read_key);	120	struct tls13_secret *read_key);
121	int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,	121	int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
122	struct tls13_secret *write_key);	122	struct tls13_secret *write_key);
		123	ssize_t tls13_record_layer_alert(struct tls13_record_layer *rl,
		124	uint8_t alert_level, uint8_t alert_desc);
		125	ssize_t tls13_record_layer_phh(struct tls13_record_layer rl, uint8_t data,
		126	size_t len);
123		127
124	ssize_t tls13_read_handshake_data(struct tls13_record_layer rl, uint8_t buf, size_t n);	128	ssize_t tls13_read_handshake_data(struct tls13_record_layer rl, uint8_t buf, size_t n);
125	ssize_t tls13_write_handshake_data(struct tls13_record_layer rl, const uint8_t buf,	129	ssize_t tls13_write_handshake_data(struct tls13_record_layer rl, const uint8_t buf,


diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c index ff26b09d46..8208ae508c 100644 --- a/src/lib/libssl/tls13_record_layer.c +++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_record_layer.c,v 1.10 2019/11/17 00:10:47 beck Exp $ */	1	/* $OpenBSD: tls13_record_layer.c,v 1.11 2019/11/17 17:20:16 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -22,6 +22,11 @@
22	#include "tls13_internal.h"	22	#include "tls13_internal.h"
23	#include "tls13_record.h"	23	#include "tls13_record.h"
24		24
		25	static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
		26	uint8_t content_type, const uint8_t *buf, size_t n);
		27	static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
		28	uint8_t content_type, const uint8_t *content, size_t content_len);
		29
25	struct tls13_record_layer {	30	struct tls13_record_layer {
26	int change_cipher_spec_seen;	31	int change_cipher_spec_seen;
27	int handshake_completed;	32	int handshake_completed;
@@ -36,7 +41,20 @@ struct tls13_record_layer {
36	int write_closed;	41	int write_closed;
37		42
38	struct tls13_record *rrec;	43	struct tls13_record *rrec;
		44
39	struct tls13_record *wrec;	45	struct tls13_record *wrec;
		46	uint8_t wrec_content_type;
		47	size_t wrec_appdata_len;
		48	size_t wrec_content_len;
		49
		50	/* Pending alert messages. */
		51	uint8_t *alert_data;
		52	size_t alert_len;
		53
		54	/* Pending post-handshake handshake messages. */
		55	CBS phh_cbs;
		56	uint8_t *phh_data;
		57	size_t phh_len;
40		58
41	/* Buffer containing plaintext from opened records. */	59	/* Buffer containing plaintext from opened records. */
42	uint8_t rbuf_content_type;	60	uint8_t rbuf_content_type;
@@ -232,7 +250,7 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
232	} else if (alert_level == SSL3_AL_FATAL) {	250	} else if (alert_level == SSL3_AL_FATAL) {
233	rl->read_closed = 1;	251	rl->read_closed = 1;
234	rl->write_closed = 1;	252	rl->write_closed = 1;
235	ret = TLS13_IO_EOF;	253	ret = TLS13_IO_FAILURE; /* XXX - ALERT? */
236	} else {	254	} else {
237	/* XXX - decode error alert. */	255	/* XXX - decode error alert. */
238	return TLS13_IO_FAILURE;	256	return TLS13_IO_FAILURE;
@@ -244,12 +262,112 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
244	return ret;	262	return ret;
245	}	263	}
246		264
247	int	265	static ssize_t
248	tls13_record_layer_send_alert(struct tls13_record_layer *rl,	266	tls13_record_layer_send_alert(struct tls13_record_layer *rl)
		267	{
		268	ssize_t ret;
		269
		270	/* This has to fit into a single record, per RFC 8446 section 5.1. */
		271	if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT,
		272	rl->alert_data, rl->alert_len)) != rl->alert_len)
		273	return ret;
		274
		275	freezero(rl->alert_data, rl->alert_len);
		276	rl->alert_data = NULL;
		277	rl->alert_len = 0;
		278
		279	/* XXX - only close write channel when sending close notify. */
		280	rl->read_closed = 1;
		281	rl->write_closed = 1;
		282
		283	/* XXX - we may want a TLS13_IO_ALERT (or handle as errors). */
		284	return TLS13_IO_FAILURE;
		285	}
		286
		287	static ssize_t
		288	tls13_record_layer_send_phh(struct tls13_record_layer *rl)
		289	{
		290	ssize_t ret;
		291
		292	/* Push out pending post-handshake handshake messages. */
		293	if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE,
		294	CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) < 0)
		295	return ret;
		296	if (!CBS_skip(&rl->phh_cbs, ret))
		297	return TLS13_IO_FAILURE;
		298	if (CBS_len(&rl->phh_cbs) != 0)
		299	return TLS13_IO_WANT_POLLOUT;
		300
		301	freezero(rl->phh_data, rl->phh_len);
		302	rl->phh_data = NULL;
		303	rl->phh_len = 0;
		304
		305	CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
		306
		307	return TLS13_IO_SUCCESS;
		308	}
		309
		310	static ssize_t
		311	tls13_record_layer_send_pending(struct tls13_record_layer *rl)
		312	{
		313	/*
		314	* If an alert is pending, then it needs to be sent. However,
		315	* if we're already part of the way through sending post-handshake
		316	* handshake messages, then we need to finish that first...
		317	*/
		318
		319	if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len)
		320	return tls13_record_layer_send_phh(rl);
		321
		322	if (rl->alert_data != NULL)
		323	return tls13_record_layer_send_alert(rl);
		324
		325	if (rl->phh_data != NULL)
		326	return tls13_record_layer_send_phh(rl);
		327
		328	return TLS13_IO_SUCCESS;
		329	}
		330
		331	ssize_t
		332	tls13_record_layer_alert(struct tls13_record_layer *rl,
249	uint8_t alert_level, uint8_t alert_desc)	333	uint8_t alert_level, uint8_t alert_desc)
250	{	334	{
251	/* XXX - implement. */	335	CBB cbb;
252	return -1;	336
		337	if (rl->alert_data != NULL)
		338	return TLS13_IO_FAILURE;
		339
		340	if (!CBB_init(&cbb, 0))
		341	goto err;
		342
		343	if (!CBB_add_u8(&cbb, alert_level))
		344	goto err;
		345	if (!CBB_add_u8(&cbb, alert_desc))
		346	goto err;
		347	if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
		348	goto err;
		349
		350	return tls13_record_layer_send_pending(rl);
		351
		352	err:
		353	CBB_cleanup(&cbb);
		354
		355	return TLS13_IO_FAILURE;
		356	}
		357
		358	ssize_t
		359	tls13_record_layer_phh(struct tls13_record_layer rl, uint8_t data,
		360	size_t len)
		361	{
		362	if (rl->phh_data != NULL)
		363	return TLS13_IO_FAILURE;
		364
		365	rl->phh_data = data;
		366	rl->phh_len = len;
		367
		368	CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
		369
		370	return tls13_record_layer_send_pending(rl);
253	}	371	}
254		372
255	static int	373	static int
@@ -546,6 +664,9 @@ tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
546	if (!tls13_record_set_data(rl->wrec, data, data_len))	664	if (!tls13_record_set_data(rl->wrec, data, data_len))
547	goto err;	665	goto err;
548		666
		667	rl->wrec_content_len = content_len;
		668	rl->wrec_content_type = content_type;
		669
549	data = NULL;	670	data = NULL;
550	data_len = 0;	671	data_len = 0;
551		672
@@ -673,12 +794,12 @@ tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
673	{	794	{
674	ssize_t ret;	795	ssize_t ret;
675		796
		797	if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
		798	return ret;
		799
676	if (rl->read_closed)	800	if (rl->read_closed)
677	return TLS13_IO_EOF;	801	return TLS13_IO_EOF;
678		802
679	/* XXX - loop here with record and byte limits. */
680	/* XXX - send alert... */
681
682	/* If necessary, pull up the next record. */	803	/* If necessary, pull up the next record. */
683	if (CBS_len(&rl->rbuf_cbs) == 0) {	804	if (CBS_len(&rl->rbuf_cbs) == 0) {
684	if ((ret = tls13_record_layer_read_record(rl)) <= 0)	805	if ((ret = tls13_record_layer_read_record(rl)) <= 0)
@@ -737,16 +858,38 @@ tls13_record_layer_write_record(struct tls13_record_layer *rl,
737	if (rl->write_closed)	858	if (rl->write_closed)
738	return TLS13_IO_EOF;	859	return TLS13_IO_EOF;
739		860
		861	/*
		862	* If we pushed out application data while handling other messages,
		863	* we need to return content length on the next call.
		864	*/
		865	if (content_type == SSL3_RT_APPLICATION_DATA &&
		866	rl->wrec_appdata_len != 0) {
		867	ret = rl->wrec_appdata_len;
		868	rl->wrec_appdata_len = 0;
		869	return ret;
		870	}
		871
740	/* See if there is an existing record and attempt to push it out... */	872	/* See if there is an existing record and attempt to push it out... */
741	if (rl->wrec != NULL) {	873	if (rl->wrec != NULL) {
742	if ((ret = tls13_record_send(rl->wrec, rl->wire_write,	874	if ((ret = tls13_record_send(rl->wrec, rl->wire_write,
743	rl->cb_arg)) <= 0)	875	rl->cb_arg)) <= 0)
744	return ret;	876	return ret;
745
746	tls13_record_layer_wrec_free(rl);	877	tls13_record_layer_wrec_free(rl);
747		878
748	/* XXX - could be pushing out different data... */	879	if (rl->wrec_content_type == content_type) {
749	return content_len;	880	ret = rl->wrec_content_len;
		881	rl->wrec_content_len = 0;
		882	rl->wrec_content_type = 0;
		883	return ret;
		884	}
		885
		886	/*
		887	* The only partial record type should be application data.
		888	* All other cases are handled to completion.
		889	*/
		890	if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA)
		891	return TLS13_IO_FAILURE;
		892	rl->wrec_appdata_len = rl->wrec_content_len;
750	}	893	}
751		894
752	if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)	895	if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)
@@ -767,8 +910,8 @@ tls13_record_layer_write_record(struct tls13_record_layer *rl,
767	}	910	}
768		911
769	static ssize_t	912	static ssize_t
770	tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,	913	tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
771	const uint8_t *buf, size_t n)	914	uint8_t content_type, const uint8_t *buf, size_t n)
772	{	915	{
773	if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)	916	if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)
774	n = TLS13_RECORD_MAX_PLAINTEXT_LEN;	917	n = TLS13_RECORD_MAX_PLAINTEXT_LEN;
@@ -776,6 +919,18 @@ tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
776	return tls13_record_layer_write_record(rl, content_type, buf, n);	919	return tls13_record_layer_write_record(rl, content_type, buf, n);
777	}	920	}
778		921
		922	static ssize_t
		923	tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
		924	const uint8_t *buf, size_t n)
		925	{
		926	ssize_t ret;
		927
		928	if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
		929	return ret;
		930
		931	return tls13_record_layer_write_chunk(rl, content_type, buf, n);
		932	}
		933
779	ssize_t	934	ssize_t
780	tls13_read_handshake_data(struct tls13_record_layer rl, uint8_t buf, size_t n)	935	tls13_read_handshake_data(struct tls13_record_layer rl, uint8_t buf, size_t n)
781	{	936	{