2 files changed, 174 insertions, 15 deletions

diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 9ab72f4f3a..05e108952a 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.30 2019/11/17 06:35:30 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.31 2019/11/17 17:20:16 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -120,6 +120,10 @@ int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
     struct tls13_secret *read_key);
 int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl,
     struct tls13_secret *write_key);
+ssize_t tls13_record_layer_alert(struct tls13_record_layer *rl,
+    uint8_t alert_level, uint8_t alert_desc);
+ssize_t tls13_record_layer_phh(struct tls13_record_layer *rl, uint8_t *data,
+    size_t len);
 
 ssize_t tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n);
 ssize_t tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index ff26b09d46..8208ae508c 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.10 2019/11/17 00:10:47 beck Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.11 2019/11/17 17:20:16 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -22,6 +22,11 @@
 #include "tls13_internal.h"
 #include "tls13_record.h"
 
+static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
+    uint8_t content_type, const uint8_t *buf, size_t n);
+static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
+    uint8_t content_type, const uint8_t *content, size_t content_len);
+
 struct tls13_record_layer {
         int change_cipher_spec_seen;
         int handshake_completed;
@@ -36,7 +41,20 @@ struct tls13_record_layer {
         int write_closed;
 
         struct tls13_record *rrec;
+
         struct tls13_record *wrec;
+        uint8_t wrec_content_type;
+        size_t wrec_appdata_len;
+        size_t wrec_content_len;
+
+        /* Pending alert messages. */
+        uint8_t *alert_data;
+        size_t alert_len;
+
+        /* Pending post-handshake handshake messages. */
+        CBS phh_cbs;
+        uint8_t *phh_data;
+        size_t phh_len;
 
         /* Buffer containing plaintext from opened records. */
         uint8_t rbuf_content_type;
@@ -232,7 +250,7 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
         } else if (alert_level == SSL3_AL_FATAL) {
                 rl->read_closed = 1;
                 rl->write_closed = 1;
-                ret = TLS13_IO_EOF;
+                ret = TLS13_IO_FAILURE; /* XXX - ALERT? */
         } else {
                 /* XXX - decode error alert. */
                 return TLS13_IO_FAILURE;
@@ -244,12 +262,112 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
         return ret;
 }
 
-int
-tls13_record_layer_send_alert(struct tls13_record_layer *rl,
+static ssize_t
+tls13_record_layer_send_alert(struct tls13_record_layer *rl)
+{
+        ssize_t ret;
+
+        /* This has to fit into a single record, per RFC 8446 section 5.1. */
+        if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT,
+            rl->alert_data, rl->alert_len)) != rl->alert_len)
+                return ret;
+
+        freezero(rl->alert_data, rl->alert_len);
+        rl->alert_data = NULL;
+        rl->alert_len = 0;
+
+        /* XXX - only close write channel when sending close notify. */
+        rl->read_closed = 1;
+        rl->write_closed = 1;
+
+        /* XXX - we may want a TLS13_IO_ALERT (or handle as errors). */
+        return TLS13_IO_FAILURE;
+}
+
+static ssize_t
+tls13_record_layer_send_phh(struct tls13_record_layer *rl)
+{
+        ssize_t ret;
+
+        /* Push out pending post-handshake handshake messages. */
+        if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE,
+            CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) < 0)
+                return ret;
+        if (!CBS_skip(&rl->phh_cbs, ret))
+                return TLS13_IO_FAILURE;
+        if (CBS_len(&rl->phh_cbs) != 0)
+                return TLS13_IO_WANT_POLLOUT;
+
+        freezero(rl->phh_data, rl->phh_len);
+        rl->phh_data = NULL;
+        rl->phh_len = 0;
+
+        CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
+
+        return TLS13_IO_SUCCESS;
+}
+
+static ssize_t
+tls13_record_layer_send_pending(struct tls13_record_layer *rl)
+{
+        /*
+         * If an alert is pending, then it needs to be sent. However,
+         * if we're already part of the way through sending post-handshake
+         * handshake messages, then we need to finish that first...
+         */
+
+        if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len)
+                return tls13_record_layer_send_phh(rl);
+
+        if (rl->alert_data != NULL)
+                return tls13_record_layer_send_alert(rl);
+
+        if (rl->phh_data != NULL)
+                return tls13_record_layer_send_phh(rl);
+
+        return TLS13_IO_SUCCESS;
+}
+
+ssize_t
+tls13_record_layer_alert(struct tls13_record_layer *rl,
     uint8_t alert_level, uint8_t alert_desc)
 {
-        /* XXX - implement. */
-        return -1;
+        CBB cbb;
+
+        if (rl->alert_data != NULL)
+                return TLS13_IO_FAILURE;
+
+        if (!CBB_init(&cbb, 0))
+                goto err;
+
+        if (!CBB_add_u8(&cbb, alert_level))
+                goto err;
+        if (!CBB_add_u8(&cbb, alert_desc))
+                goto err;
+        if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len))
+                goto err;
+
+        return tls13_record_layer_send_pending(rl);
+
+ err:
+        CBB_cleanup(&cbb);
+
+        return TLS13_IO_FAILURE;
+}
+
+ssize_t
+tls13_record_layer_phh(struct tls13_record_layer *rl, uint8_t *data,
+    size_t len)
+{
+        if (rl->phh_data != NULL)
+                return TLS13_IO_FAILURE;
+
+        rl->phh_data = data;
+        rl->phh_len = len;
+
+        CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len);
+
+        return tls13_record_layer_send_pending(rl);
 }
 
 static int
@@ -546,6 +664,9 @@ tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl,
         if (!tls13_record_set_data(rl->wrec, data, data_len))
                 goto err;
 
+        rl->wrec_content_len = content_len;
+        rl->wrec_content_type = content_type;
+
         data = NULL;
         data_len = 0;
 
@@ -673,12 +794,12 @@ tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type,
 {
         ssize_t ret;
 
+        if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
+                return ret;
+
         if (rl->read_closed)
                 return TLS13_IO_EOF;
 
-        /* XXX - loop here with record and byte limits. */
-        /* XXX - send alert... */
-
         /* If necessary, pull up the next record. */
         if (CBS_len(&rl->rbuf_cbs) == 0) {
                 if ((ret = tls13_record_layer_read_record(rl)) <= 0)
@@ -737,16 +858,38 @@ tls13_record_layer_write_record(struct tls13_record_layer *rl,
         if (rl->write_closed)
                 return TLS13_IO_EOF;
 
+        /*
+         * If we pushed out application data while handling other messages,
+         * we need to return content length on the next call.
+         */
+        if (content_type == SSL3_RT_APPLICATION_DATA &&
+            rl->wrec_appdata_len != 0) {
+                ret = rl->wrec_appdata_len;
+                rl->wrec_appdata_len = 0;
+                return ret;
+        }
+
         /* See if there is an existing record and attempt to push it out... */
         if (rl->wrec != NULL) {
                 if ((ret = tls13_record_send(rl->wrec, rl->wire_write,
                     rl->cb_arg)) <= 0)
                         return ret;
-
                 tls13_record_layer_wrec_free(rl);
 
-                /* XXX - could be pushing out different data... */
-                return content_len;
+                if (rl->wrec_content_type == content_type) {
+                        ret = rl->wrec_content_len;
+                        rl->wrec_content_len = 0;
+                        rl->wrec_content_type = 0;
+                        return ret;
+                }
+
+                /*
+                 * The only partial record type should be application data.
+                 * All other cases are handled to completion.
+                 */
+                if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA)
+                        return TLS13_IO_FAILURE;
+                rl->wrec_appdata_len = rl->wrec_content_len;
         }
 
         if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)
@@ -767,8 +910,8 @@ tls13_record_layer_write_record(struct tls13_record_layer *rl,
 }
 
 static ssize_t
-tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
-    const uint8_t *buf, size_t n)
+tls13_record_layer_write_chunk(struct tls13_record_layer *rl,
+    uint8_t content_type, const uint8_t *buf, size_t n)
 {
         if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN)
                 n = TLS13_RECORD_MAX_PLAINTEXT_LEN;
@@ -776,6 +919,18 @@ tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
         return tls13_record_layer_write_record(rl, content_type, buf, n);
 }
 
+static ssize_t
+tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type,
+    const uint8_t *buf, size_t n)
+{
+        ssize_t ret;
+
+        if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS)
+                return ret;
+
+        return tls13_record_layer_write_chunk(rl, content_type, buf, n);
+}
+
 ssize_t
 tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n)
 {