]>
Commit | Line | Data |
---|---|---|
eddb067e | 1 | /* |
da1c088f | 2 | * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. |
eddb067e MC |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
b05fbac1 | 10 | #include <assert.h> |
eddb067e MC |
11 | #include "../../ssl_local.h" |
12 | #include "../record_local.h" | |
13 | #include "recmethod_local.h" | |
14 | ||
15 | /* mod 128 saturating subtract of two 64-bit values in big-endian order */ | |
16 | static int satsub64be(const unsigned char *v1, const unsigned char *v2) | |
17 | { | |
18 | int64_t ret; | |
19 | uint64_t l1, l2; | |
20 | ||
21 | n2l8(v1, l1); | |
22 | n2l8(v2, l2); | |
23 | ||
24 | ret = l1 - l2; | |
25 | ||
26 | /* We do not permit wrap-around */ | |
27 | if (l1 > l2 && ret < 0) | |
28 | return 128; | |
29 | else if (l2 > l1 && ret > 0) | |
30 | return -128; | |
31 | ||
32 | if (ret > 128) | |
33 | return 128; | |
34 | else if (ret < -128) | |
35 | return -128; | |
36 | else | |
37 | return (int)ret; | |
38 | } | |
39 | ||
f6aab7b1 | 40 | static int dtls_record_replay_check(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap) |
eddb067e MC |
41 | { |
42 | int cmp; | |
43 | unsigned int shift; | |
222cf410 | 44 | const unsigned char *seq = rl->sequence; |
eddb067e MC |
45 | |
46 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
47 | if (cmp > 0) { | |
22094d11 | 48 | ossl_tls_rl_record_set_seq_num(&rl->rrec[0], seq); |
eddb067e MC |
49 | return 1; /* this record in new */ |
50 | } | |
51 | shift = -cmp; | |
52 | if (shift >= sizeof(bitmap->map) * 8) | |
53 | return 0; /* stale, outside the window */ | |
f6aab7b1 | 54 | else if (bitmap->map & ((uint64_t)1 << shift)) |
eddb067e MC |
55 | return 0; /* record previously received */ |
56 | ||
22094d11 | 57 | ossl_tls_rl_record_set_seq_num(&rl->rrec[0], seq); |
eddb067e MC |
58 | return 1; |
59 | } | |
60 | ||
3a7a539e | 61 | static void dtls_record_bitmap_update(OSSL_RECORD_LAYER *rl, |
f6aab7b1 | 62 | DTLS_BITMAP *bitmap) |
eddb067e MC |
63 | { |
64 | int cmp; | |
65 | unsigned int shift; | |
222cf410 | 66 | const unsigned char *seq = rl->sequence; |
eddb067e MC |
67 | |
68 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
69 | if (cmp > 0) { | |
70 | shift = cmp; | |
71 | if (shift < sizeof(bitmap->map) * 8) | |
72 | bitmap->map <<= shift, bitmap->map |= 1UL; | |
73 | else | |
74 | bitmap->map = 1UL; | |
75 | memcpy(bitmap->max_seq_num, seq, SEQ_NUM_SIZE); | |
76 | } else { | |
77 | shift = -cmp; | |
78 | if (shift < sizeof(bitmap->map) * 8) | |
f6aab7b1 | 79 | bitmap->map |= (uint64_t)1 << shift; |
eddb067e MC |
80 | } |
81 | } | |
82 | ||
22094d11 | 83 | static DTLS_BITMAP *dtls_get_bitmap(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rr, |
f6aab7b1 | 84 | unsigned int *is_next_epoch) |
eddb067e | 85 | { |
eddb067e MC |
86 | *is_next_epoch = 0; |
87 | ||
88 | /* In current epoch, accept HM, CCS, DATA, & ALERT */ | |
222cf410 | 89 | if (rr->epoch == rl->epoch) |
bfc0f10d | 90 | return &rl->bitmap; |
eddb067e MC |
91 | |
92 | /* | |
5c476976 MC |
93 | * We can only handle messages from the next epoch if we have already |
94 | * processed all of the unprocessed records from the previous epoch | |
eddb067e | 95 | */ |
1704961c | 96 | else if (rr->epoch == (unsigned long)(rl->epoch + 1) |
5c476976 | 97 | && rl->unprocessed_rcds.epoch != rl->epoch) { |
eddb067e | 98 | *is_next_epoch = 1; |
bfc0f10d | 99 | return &rl->next_bitmap; |
eddb067e MC |
100 | } |
101 | ||
102 | return NULL; | |
103 | } | |
104 | ||
bfc0f10d MC |
105 | static void dtls_set_in_init(OSSL_RECORD_LAYER *rl, int in_init) |
106 | { | |
107 | rl->in_init = in_init; | |
108 | } | |
109 | ||
f6aab7b1 | 110 | static int dtls_process_record(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap) |
eddb067e MC |
111 | { |
112 | int i; | |
113 | int enc_err; | |
22094d11 | 114 | TLS_RL_RECORD *rr; |
eddb067e MC |
115 | int imac_size; |
116 | size_t mac_size = 0; | |
117 | unsigned char md[EVP_MAX_MD_SIZE]; | |
eddb067e MC |
118 | SSL_MAC_BUF macbuf = { NULL, 0 }; |
119 | int ret = 0; | |
eddb067e MC |
120 | |
121 | rr = &rl->rrec[0]; | |
eddb067e MC |
122 | |
123 | /* | |
1704961c | 124 | * At this point, rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length, |
222cf410 | 125 | * and we have that many bytes in rl->packet |
eddb067e | 126 | */ |
222cf410 | 127 | rr->input = &(rl->packet[DTLS1_RT_HEADER_LENGTH]); |
eddb067e MC |
128 | |
129 | /* | |
222cf410 | 130 | * ok, we can now read from 'rl->packet' data into 'rr'. rr->input |
eddb067e MC |
131 | * points at rr->length bytes, which need to be copied into rr->data by |
132 | * either the decryption or by the decompression. When the data is 'copied' | |
133 | * into the rr->data buffer, rr->input will be pointed at the new buffer | |
134 | */ | |
135 | ||
136 | /* | |
137 | * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length | |
138 | * bytes of encrypted compressed stuff. | |
139 | */ | |
140 | ||
141 | /* check is not needed I believe */ | |
142 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
222cf410 | 143 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); |
eddb067e MC |
144 | return 0; |
145 | } | |
146 | ||
147 | /* decrypt in place in 'rr->input' */ | |
148 | rr->data = rr->input; | |
149 | rr->orig_len = rr->length; | |
150 | ||
222cf410 MC |
151 | if (rl->md_ctx != NULL) { |
152 | const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx); | |
eddb067e MC |
153 | |
154 | if (tmpmd != NULL) { | |
155 | imac_size = EVP_MD_get_size(tmpmd); | |
156 | if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { | |
1704961c MC |
157 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); |
158 | return 0; | |
eddb067e MC |
159 | } |
160 | mac_size = (size_t)imac_size; | |
161 | } | |
162 | } | |
163 | ||
1704961c | 164 | if (rl->use_etm && rl->md_ctx != NULL) { |
eddb067e MC |
165 | unsigned char *mac; |
166 | ||
167 | if (rr->orig_len < mac_size) { | |
222cf410 | 168 | RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); |
eddb067e MC |
169 | return 0; |
170 | } | |
171 | rr->length -= mac_size; | |
172 | mac = rr->data + rr->length; | |
222cf410 | 173 | i = rl->funcs->mac(rl, rr, md, 0 /* not send */); |
eddb067e | 174 | if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { |
222cf410 MC |
175 | RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, |
176 | SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); | |
eddb067e MC |
177 | return 0; |
178 | } | |
179 | /* | |
180 | * We've handled the mac now - there is no MAC inside the encrypted | |
181 | * record | |
182 | */ | |
183 | mac_size = 0; | |
184 | } | |
185 | ||
186 | /* | |
187 | * Set a mark around the packet decryption attempt. This is DTLS, so | |
188 | * bad packets are just ignored, and we don't want to leave stray | |
189 | * errors in the queue from processing bogus junk that we ignored. | |
190 | */ | |
191 | ERR_set_mark(); | |
222cf410 | 192 | enc_err = rl->funcs->cipher(rl, rr, 1, 0, &macbuf, mac_size); |
eddb067e MC |
193 | |
194 | /*- | |
195 | * enc_err is: | |
196 | * 0: if the record is publicly invalid, or an internal error, or AEAD | |
197 | * decryption failed, or ETM decryption failed. | |
198 | * 1: Success or MTE decryption failed (MAC will be randomised) | |
199 | */ | |
200 | if (enc_err == 0) { | |
201 | ERR_pop_to_mark(); | |
d3192c26 MC |
202 | if (rl->alert != SSL_AD_NO_ALERT) { |
203 | /* RLAYERfatal() already called */ | |
eddb067e MC |
204 | goto end; |
205 | } | |
206 | /* For DTLS we simply ignore bad packets. */ | |
207 | rr->length = 0; | |
222cf410 | 208 | rl->packet_length = 0; |
eddb067e MC |
209 | goto end; |
210 | } | |
211 | ERR_clear_last_mark(); | |
212 | OSSL_TRACE_BEGIN(TLS) { | |
213 | BIO_printf(trc_out, "dec %zd\n", rr->length); | |
214 | BIO_dump_indent(trc_out, rr->data, rr->length, 4); | |
215 | } OSSL_TRACE_END(TLS); | |
216 | ||
217 | /* r->length is now the compressed data plus mac */ | |
222cf410 MC |
218 | if (!rl->use_etm |
219 | && (rl->enc_ctx != NULL) | |
220 | && (EVP_MD_CTX_get0_md(rl->md_ctx) != NULL)) { | |
221 | /* rl->md_ctx != NULL => mac_size != -1 */ | |
eddb067e | 222 | |
1704961c | 223 | i = rl->funcs->mac(rl, rr, md, 0 /* not send */); |
eddb067e MC |
224 | if (i == 0 || macbuf.mac == NULL |
225 | || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0) | |
226 | enc_err = 0; | |
227 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) | |
228 | enc_err = 0; | |
229 | } | |
230 | ||
231 | if (enc_err == 0) { | |
232 | /* decryption failed, silently discard message */ | |
233 | rr->length = 0; | |
222cf410 | 234 | rl->packet_length = 0; |
eddb067e MC |
235 | goto end; |
236 | } | |
237 | ||
238 | /* r->length is now just compressed */ | |
9251c3c4 | 239 | if (rl->compctx != NULL) { |
eddb067e | 240 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { |
222cf410 MC |
241 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, |
242 | SSL_R_COMPRESSED_LENGTH_TOO_LONG); | |
eddb067e MC |
243 | goto end; |
244 | } | |
222cf410 MC |
245 | if (!tls_do_uncompress(rl, rr)) { |
246 | RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION); | |
eddb067e MC |
247 | goto end; |
248 | } | |
249 | } | |
250 | ||
222cf410 MC |
251 | /* |
252 | * Check if the received packet overflows the current Max Fragment | |
253 | * Length setting. | |
254 | */ | |
435d88d7 | 255 | if (rr->length > rl->max_frag_len) { |
222cf410 | 256 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); |
eddb067e MC |
257 | goto end; |
258 | } | |
259 | ||
260 | rr->off = 0; | |
261 | /*- | |
262 | * So at this point the following is true | |
263 | * ssl->s3.rrec.type is the type of record | |
264 | * ssl->s3.rrec.length == number of bytes in record | |
265 | * ssl->s3.rrec.off == offset to first valid byte | |
266 | * ssl->s3.rrec.data == where to take bytes from, increment | |
267 | * after use :-). | |
268 | */ | |
269 | ||
270 | /* we have pulled in a full packet so zero things */ | |
222cf410 | 271 | rl->packet_length = 0; |
eddb067e MC |
272 | |
273 | /* Mark receipt of record. */ | |
3a7a539e | 274 | dtls_record_bitmap_update(rl, bitmap); |
eddb067e MC |
275 | |
276 | ret = 1; | |
277 | end: | |
278 | if (macbuf.alloced) | |
279 | OPENSSL_free(macbuf.mac); | |
280 | return ret; | |
281 | } | |
282 | ||
222cf410 | 283 | static int dtls_rlayer_buffer_record(OSSL_RECORD_LAYER *rl, record_pqueue *queue, |
eddb067e MC |
284 | unsigned char *priority) |
285 | { | |
286 | DTLS_RLAYER_RECORD_DATA *rdata; | |
287 | pitem *item; | |
eddb067e MC |
288 | |
289 | /* Limit the size of the queue to prevent DOS attacks */ | |
290 | if (pqueue_size(queue->q) >= 100) | |
291 | return 0; | |
292 | ||
293 | rdata = OPENSSL_malloc(sizeof(*rdata)); | |
294 | item = pitem_new(priority, rdata); | |
295 | if (rdata == NULL || item == NULL) { | |
296 | OPENSSL_free(rdata); | |
297 | pitem_free(item); | |
222cf410 | 298 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
eddb067e MC |
299 | return -1; |
300 | } | |
301 | ||
222cf410 MC |
302 | rdata->packet = rl->packet; |
303 | rdata->packet_length = rl->packet_length; | |
e9189cc4 | 304 | memcpy(&(rdata->rbuf), &rl->rbuf, sizeof(TLS_BUFFER)); |
22094d11 | 305 | memcpy(&(rdata->rrec), &rl->rrec[0], sizeof(TLS_RL_RECORD)); |
eddb067e MC |
306 | |
307 | item->data = rdata; | |
308 | ||
222cf410 MC |
309 | rl->packet = NULL; |
310 | rl->packet_length = 0; | |
e9189cc4 | 311 | memset(&rl->rbuf, 0, sizeof(TLS_BUFFER)); |
eddb067e MC |
312 | memset(&rl->rrec[0], 0, sizeof(rl->rrec[0])); |
313 | ||
9b7fb65e MC |
314 | if (!tls_setup_read_buffer(rl)) { |
315 | /* RLAYERfatal() already called */ | |
eddb067e MC |
316 | OPENSSL_free(rdata->rbuf.buf); |
317 | OPENSSL_free(rdata); | |
318 | pitem_free(item); | |
319 | return -1; | |
320 | } | |
321 | ||
322 | if (pqueue_insert(queue->q, item) == NULL) { | |
323 | /* Must be a duplicate so ignore it */ | |
324 | OPENSSL_free(rdata->rbuf.buf); | |
325 | OPENSSL_free(rdata); | |
326 | pitem_free(item); | |
327 | } | |
328 | ||
329 | return 1; | |
330 | } | |
331 | ||
bfc0f10d | 332 | /* copy buffered record into OSSL_RECORD_LAYER structure */ |
eddb067e MC |
333 | static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER *rl, pitem *item) |
334 | { | |
335 | DTLS_RLAYER_RECORD_DATA *rdata; | |
eddb067e MC |
336 | |
337 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
338 | ||
e9189cc4 | 339 | ossl_tls_buffer_release(&rl->rbuf); |
eddb067e | 340 | |
222cf410 MC |
341 | rl->packet = rdata->packet; |
342 | rl->packet_length = rdata->packet_length; | |
e9189cc4 | 343 | memcpy(&rl->rbuf, &(rdata->rbuf), sizeof(TLS_BUFFER)); |
22094d11 | 344 | memcpy(&rl->rrec[0], &(rdata->rrec), sizeof(TLS_RL_RECORD)); |
eddb067e MC |
345 | |
346 | /* Set proper sequence number for mac calculation */ | |
222cf410 | 347 | memcpy(&(rl->sequence[2]), &(rdata->packet[5]), 6); |
eddb067e MC |
348 | |
349 | return 1; | |
350 | } | |
351 | ||
352 | static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER *rl, | |
353 | record_pqueue *queue) | |
354 | { | |
355 | pitem *item; | |
356 | ||
357 | item = pqueue_pop(queue->q); | |
358 | if (item) { | |
359 | dtls_copy_rlayer_record(rl, item); | |
360 | ||
361 | OPENSSL_free(item->data); | |
362 | pitem_free(item); | |
363 | ||
364 | return 1; | |
365 | } | |
366 | ||
367 | return 0; | |
368 | } | |
369 | ||
eddb067e MC |
370 | /*- |
371 | * Call this to get a new input record. | |
372 | * It will return <= 0 if more data is needed, normally due to an error | |
373 | * or non-blocking IO. | |
374 | * When it finishes, one packet has been decoded and can be found in | |
375 | * ssl->s3.rrec.type - is the type of record | |
376 | * ssl->s3.rrec.data - data | |
377 | * ssl->s3.rrec.length - number of bytes | |
378 | */ | |
222cf410 | 379 | int dtls_get_more_records(OSSL_RECORD_LAYER *rl) |
eddb067e MC |
380 | { |
381 | int ssl_major, ssl_minor; | |
382 | int rret; | |
383 | size_t more, n; | |
22094d11 | 384 | TLS_RL_RECORD *rr; |
eddb067e MC |
385 | unsigned char *p = NULL; |
386 | unsigned short version; | |
f6aab7b1 | 387 | DTLS_BITMAP *bitmap; |
eddb067e | 388 | unsigned int is_next_epoch; |
eddb067e MC |
389 | |
390 | rl->num_recs = 0; | |
391 | rl->curr_rec = 0; | |
392 | rl->num_released = 0; | |
393 | ||
394 | rr = rl->rrec; | |
395 | ||
81c9ebd9 | 396 | if (rl->rbuf.buf == NULL) { |
9b7fb65e | 397 | if (!tls_setup_read_buffer(rl)) { |
81c9ebd9 MC |
398 | /* RLAYERfatal() already called */ |
399 | return OSSL_RECORD_RETURN_FATAL; | |
400 | } | |
401 | } | |
402 | ||
eddb067e | 403 | again: |
eddb067e MC |
404 | /* if we're renegotiating, then there may be buffered records */ |
405 | if (dtls_retrieve_rlayer_buffered_record(rl, &rl->processed_rcds)) { | |
406 | rl->num_recs = 1; | |
407 | return OSSL_RECORD_RETURN_SUCCESS; | |
408 | } | |
409 | ||
410 | /* get something from the wire */ | |
411 | ||
412 | /* check if we have the header */ | |
222cf410 MC |
413 | if ((rl->rstate != SSL_ST_READ_BODY) || |
414 | (rl->packet_length < DTLS1_RT_HEADER_LENGTH)) { | |
415 | rret = rl->funcs->read_n(rl, DTLS1_RT_HEADER_LENGTH, | |
e9189cc4 | 416 | TLS_BUFFER_get_len(&rl->rbuf), 0, 1, &n); |
eddb067e MC |
417 | /* read timeout is handled by dtls1_read_bytes */ |
418 | if (rret < OSSL_RECORD_RETURN_SUCCESS) { | |
1704961c | 419 | /* RLAYERfatal() already called if appropriate */ |
eddb067e MC |
420 | return rret; /* error or non-blocking */ |
421 | } | |
422 | ||
423 | /* this packet contained a partial record, dump it */ | |
222cf410 MC |
424 | if (rl->packet_length != DTLS1_RT_HEADER_LENGTH) { |
425 | rl->packet_length = 0; | |
eddb067e MC |
426 | goto again; |
427 | } | |
428 | ||
222cf410 | 429 | rl->rstate = SSL_ST_READ_BODY; |
eddb067e | 430 | |
222cf410 | 431 | p = rl->packet; |
eddb067e | 432 | |
b85ebc4b MC |
433 | if (rl->msg_callback != NULL) |
434 | rl->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, | |
435 | rl->cbarg); | |
eddb067e MC |
436 | |
437 | /* Pull apart the header into the DTLS1_RECORD */ | |
438 | rr->type = *(p++); | |
439 | ssl_major = *(p++); | |
440 | ssl_minor = *(p++); | |
441 | version = (ssl_major << 8) | ssl_minor; | |
442 | ||
443 | /* sequence number is 64 bits, with top 2 bytes = epoch */ | |
444 | n2s(p, rr->epoch); | |
445 | ||
222cf410 | 446 | memcpy(&(rl->sequence[2]), p, 6); |
eddb067e MC |
447 | p += 6; |
448 | ||
449 | n2s(p, rr->length); | |
eddb067e MC |
450 | |
451 | /* | |
452 | * Lets check the version. We tolerate alerts that don't have the exact | |
453 | * version number (e.g. because of protocol version errors) | |
454 | */ | |
222cf410 MC |
455 | if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) { |
456 | if (version != rl->version) { | |
eddb067e MC |
457 | /* unexpected version, silently discard */ |
458 | rr->length = 0; | |
222cf410 | 459 | rl->packet_length = 0; |
eddb067e MC |
460 | goto again; |
461 | } | |
462 | } | |
463 | ||
222cf410 MC |
464 | if (ssl_major != |
465 | (rl->version == DTLS_ANY_VERSION ? DTLS1_VERSION_MAJOR | |
1704961c | 466 | : rl->version >> 8)) { |
eddb067e MC |
467 | /* wrong version, silently discard record */ |
468 | rr->length = 0; | |
222cf410 | 469 | rl->packet_length = 0; |
eddb067e MC |
470 | goto again; |
471 | } | |
472 | ||
473 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
474 | /* record too long, silently discard it */ | |
475 | rr->length = 0; | |
222cf410 | 476 | rl->packet_length = 0; |
eddb067e MC |
477 | goto again; |
478 | } | |
479 | ||
222cf410 MC |
480 | /* |
481 | * If received packet overflows maximum possible fragment length then | |
482 | * silently discard it | |
483 | */ | |
435d88d7 | 484 | if (rr->length > rl->max_frag_len + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) { |
eddb067e MC |
485 | /* record too long, silently discard it */ |
486 | rr->length = 0; | |
222cf410 | 487 | rl->packet_length = 0; |
eddb067e MC |
488 | goto again; |
489 | } | |
490 | ||
222cf410 | 491 | /* now rl->rstate == SSL_ST_READ_BODY */ |
eddb067e MC |
492 | } |
493 | ||
222cf410 | 494 | /* rl->rstate == SSL_ST_READ_BODY, get and decode the data */ |
eddb067e | 495 | |
1704961c | 496 | if (rr->length > rl->packet_length - DTLS1_RT_HEADER_LENGTH) { |
222cf410 | 497 | /* now rl->packet_length == DTLS1_RT_HEADER_LENGTH */ |
eddb067e | 498 | more = rr->length; |
222cf410 | 499 | rret = rl->funcs->read_n(rl, more, more, 1, 1, &n); |
eddb067e MC |
500 | /* this packet contained a partial record, dump it */ |
501 | if (rret < OSSL_RECORD_RETURN_SUCCESS || n != more) { | |
d3192c26 | 502 | if (rl->alert != SSL_AD_NO_ALERT) { |
222cf410 | 503 | /* read_n() called RLAYERfatal() */ |
eddb067e MC |
504 | return OSSL_RECORD_RETURN_FATAL; |
505 | } | |
506 | rr->length = 0; | |
222cf410 | 507 | rl->packet_length = 0; |
eddb067e MC |
508 | goto again; |
509 | } | |
510 | ||
511 | /* | |
222cf410 MC |
512 | * now n == rr->length, |
513 | * and rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length | |
eddb067e MC |
514 | */ |
515 | } | |
516 | /* set state for later operations */ | |
222cf410 | 517 | rl->rstate = SSL_ST_READ_HEADER; |
eddb067e MC |
518 | |
519 | /* match epochs. NULL means the packet is dropped on the floor */ | |
3a7a539e | 520 | bitmap = dtls_get_bitmap(rl, rr, &is_next_epoch); |
eddb067e MC |
521 | if (bitmap == NULL) { |
522 | rr->length = 0; | |
222cf410 | 523 | rl->packet_length = 0; /* dump this record */ |
eddb067e MC |
524 | goto again; /* get another record */ |
525 | } | |
526 | #ifndef OPENSSL_NO_SCTP | |
527 | /* Only do replay check if no SCTP bio */ | |
222cf410 | 528 | if (!BIO_dgram_is_sctp(rl->bio)) { |
eddb067e MC |
529 | #endif |
530 | /* Check whether this is a repeat, or aged record. */ | |
3a7a539e | 531 | if (!dtls_record_replay_check(rl, bitmap)) { |
eddb067e | 532 | rr->length = 0; |
222cf410 | 533 | rl->packet_length = 0; /* dump this record */ |
eddb067e MC |
534 | goto again; /* get another record */ |
535 | } | |
536 | #ifndef OPENSSL_NO_SCTP | |
537 | } | |
538 | #endif | |
539 | ||
540 | /* just read a 0 length packet */ | |
9007412c | 541 | if (rr->length == 0) |
eddb067e | 542 | goto again; |
eddb067e MC |
543 | |
544 | /* | |
545 | * If this record is from the next epoch (either HM or ALERT), and a | |
546 | * handshake is currently in progress, buffer it since it cannot be | |
547 | * processed at this time. | |
548 | */ | |
549 | if (is_next_epoch) { | |
bfc0f10d | 550 | if (rl->in_init) { |
1704961c MC |
551 | if (dtls_rlayer_buffer_record(rl, &(rl->unprocessed_rcds), |
552 | rr->seq_num) < 0) { | |
553 | /* RLAYERfatal() already called */ | |
eddb067e MC |
554 | return OSSL_RECORD_RETURN_FATAL; |
555 | } | |
556 | } | |
557 | rr->length = 0; | |
222cf410 | 558 | rl->packet_length = 0; |
eddb067e MC |
559 | goto again; |
560 | } | |
561 | ||
3a7a539e | 562 | if (!dtls_process_record(rl, bitmap)) { |
d3192c26 | 563 | if (rl->alert != SSL_AD_NO_ALERT) { |
3a7a539e | 564 | /* dtls_process_record() called RLAYERfatal */ |
eddb067e MC |
565 | return OSSL_RECORD_RETURN_FATAL; |
566 | } | |
567 | rr->length = 0; | |
222cf410 | 568 | rl->packet_length = 0; /* dump this record */ |
eddb067e MC |
569 | goto again; /* get another record */ |
570 | } | |
571 | ||
572 | rl->num_recs = 1; | |
573 | return OSSL_RECORD_RETURN_SUCCESS; | |
eddb067e MC |
574 | } |
575 | ||
eddb067e MC |
576 | static int dtls_free(OSSL_RECORD_LAYER *rl) |
577 | { | |
e9189cc4 | 578 | TLS_BUFFER *rbuf; |
7a15ed64 | 579 | size_t left, written; |
eddb067e MC |
580 | pitem *item; |
581 | DTLS_RLAYER_RECORD_DATA *rdata; | |
7a15ed64 | 582 | int ret = 1; |
eddb067e | 583 | |
7a15ed64 MC |
584 | rbuf = &rl->rbuf; |
585 | ||
586 | left = rbuf->left; | |
587 | if (left > 0) { | |
588 | /* | |
589 | * This record layer is closing but we still have data left in our | |
590 | * buffer. It must be destined for the next epoch - so push it there. | |
591 | */ | |
592 | ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written); | |
593 | rbuf->left = 0; | |
594 | } | |
595 | ||
596 | if (rl->unprocessed_rcds.q != NULL) { | |
eddb067e MC |
597 | while ((item = pqueue_pop(rl->unprocessed_rcds.q)) != NULL) { |
598 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
7a15ed64 | 599 | /* Push to the next record layer */ |
7a15ed64 MC |
600 | ret &= BIO_write_ex(rl->next, rdata->packet, rdata->packet_length, |
601 | &written); | |
eddb067e MC |
602 | OPENSSL_free(rdata->rbuf.buf); |
603 | OPENSSL_free(item->data); | |
604 | pitem_free(item); | |
605 | } | |
606 | pqueue_free(rl->unprocessed_rcds.q); | |
607 | } | |
608 | ||
7a15ed64 | 609 | if (rl->processed_rcds.q != NULL) { |
eddb067e MC |
610 | while ((item = pqueue_pop(rl->processed_rcds.q)) != NULL) { |
611 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
612 | OPENSSL_free(rdata->rbuf.buf); | |
613 | OPENSSL_free(item->data); | |
614 | pitem_free(item); | |
615 | } | |
616 | pqueue_free(rl->processed_rcds.q); | |
617 | } | |
618 | ||
7a15ed64 | 619 | return tls_free(rl) && ret; |
eddb067e MC |
620 | } |
621 | ||
622 | static int | |
623 | dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, | |
279754d4 | 624 | int role, int direction, int level, uint16_t epoch, |
3f9175c7 | 625 | unsigned char *secret, size_t secretlen, |
222cf410 MC |
626 | unsigned char *key, size_t keylen, unsigned char *iv, |
627 | size_t ivlen, unsigned char *mackey, size_t mackeylen, | |
eddb067e | 628 | const EVP_CIPHER *ciph, size_t taglen, |
eddb067e | 629 | int mactype, |
3f9175c7 MC |
630 | const EVP_MD *md, COMP_METHOD *comp, |
631 | const EVP_MD *kdfdigest, BIO *prev, BIO *transport, | |
632 | BIO *next, BIO_ADDR *local, BIO_ADDR *peer, | |
eddb067e | 633 | const OSSL_PARAM *settings, const OSSL_PARAM *options, |
bea8d704 | 634 | const OSSL_DISPATCH *fns, void *cbarg, void *rlarg, |
eddb067e MC |
635 | OSSL_RECORD_LAYER **retrl) |
636 | { | |
637 | int ret; | |
638 | ||
eddb067e MC |
639 | ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level, |
640 | key, keylen, iv, ivlen, mackey, mackeylen, | |
641 | ciph, taglen, mactype, md, comp, prev, | |
642 | transport, next, local, peer, settings, | |
643 | options, fns, cbarg, retrl); | |
644 | ||
645 | if (ret != OSSL_RECORD_RETURN_SUCCESS) | |
646 | return ret; | |
647 | ||
648 | (*retrl)->unprocessed_rcds.q = pqueue_new(); | |
649 | (*retrl)->processed_rcds.q = pqueue_new(); | |
1704961c MC |
650 | if ((*retrl)->unprocessed_rcds.q == NULL |
651 | || (*retrl)->processed_rcds.q == NULL) { | |
eddb067e MC |
652 | dtls_free(*retrl); |
653 | *retrl = NULL; | |
e077455e | 654 | ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB); |
eddb067e MC |
655 | return OSSL_RECORD_RETURN_FATAL; |
656 | } | |
657 | ||
7a15ed64 MC |
658 | (*retrl)->unprocessed_rcds.epoch = epoch + 1; |
659 | (*retrl)->processed_rcds.epoch = epoch; | |
660 | ||
eddb067e | 661 | (*retrl)->isdtls = 1; |
222cf410 | 662 | (*retrl)->epoch = epoch; |
bfc0f10d | 663 | (*retrl)->in_init = 1; |
222cf410 MC |
664 | |
665 | switch (vers) { | |
666 | case DTLS_ANY_VERSION: | |
667 | (*retrl)->funcs = &dtls_any_funcs; | |
668 | break; | |
669 | case DTLS1_2_VERSION: | |
670 | case DTLS1_VERSION: | |
671 | case DTLS1_BAD_VER: | |
672 | (*retrl)->funcs = &dtls_1_funcs; | |
673 | break; | |
674 | default: | |
675 | /* Should not happen */ | |
676 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); | |
677 | ret = OSSL_RECORD_RETURN_FATAL; | |
678 | goto err; | |
679 | } | |
eddb067e | 680 | |
222cf410 | 681 | ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv, |
1704961c MC |
682 | ivlen, mackey, mackeylen, ciph, |
683 | taglen, mactype, md, comp); | |
222cf410 MC |
684 | |
685 | err: | |
686 | if (ret != OSSL_RECORD_RETURN_SUCCESS) { | |
20c7febc | 687 | dtls_free(*retrl); |
222cf410 MC |
688 | *retrl = NULL; |
689 | } | |
690 | return ret; | |
eddb067e MC |
691 | } |
692 | ||
b9e37f8f MC |
693 | int dtls_prepare_record_header(OSSL_RECORD_LAYER *rl, |
694 | WPACKET *thispkt, | |
695 | OSSL_RECORD_TEMPLATE *templ, | |
eb1eaa9a | 696 | uint8_t rectype, |
b9e37f8f MC |
697 | unsigned char **recdata) |
698 | { | |
699 | size_t maxcomplen; | |
700 | ||
701 | *recdata = NULL; | |
702 | ||
703 | maxcomplen = templ->buflen; | |
704 | if (rl->compctx != NULL) | |
705 | maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD; | |
706 | ||
707 | if (!WPACKET_put_bytes_u8(thispkt, rectype) | |
708 | || !WPACKET_put_bytes_u16(thispkt, templ->version) | |
709 | || !WPACKET_put_bytes_u16(thispkt, rl->epoch) | |
710 | || !WPACKET_memcpy(thispkt, &(rl->sequence[2]), 6) | |
711 | || !WPACKET_start_sub_packet_u16(thispkt) | |
712 | || (rl->eivlen > 0 | |
713 | && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL)) | |
714 | || (maxcomplen > 0 | |
715 | && !WPACKET_reserve_bytes(thispkt, maxcomplen, | |
716 | recdata))) { | |
717 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
718 | return 0; | |
719 | } | |
720 | ||
721 | return 1; | |
722 | } | |
723 | ||
421386e3 MC |
724 | int dtls_post_encryption_processing(OSSL_RECORD_LAYER *rl, |
725 | size_t mac_size, | |
726 | OSSL_RECORD_TEMPLATE *thistempl, | |
727 | WPACKET *thispkt, | |
22094d11 | 728 | TLS_RL_RECORD *thiswr) |
421386e3 MC |
729 | { |
730 | if (!tls_post_encryption_processing_default(rl, mac_size, thistempl, | |
731 | thispkt, thiswr)) { | |
732 | /* RLAYERfatal() already called */ | |
733 | return 0; | |
734 | } | |
735 | ||
736 | return tls_increment_sequence_ctr(rl); | |
737 | } | |
738 | ||
4f428e86 MC |
739 | static size_t dtls_get_max_record_overhead(OSSL_RECORD_LAYER *rl) |
740 | { | |
b05fbac1 | 741 | size_t blocksize = 0; |
4f428e86 MC |
742 | |
743 | if (rl->enc_ctx != NULL && | |
744 | (EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE)) | |
b05fbac1 | 745 | blocksize = EVP_CIPHER_CTX_get_block_size(rl->enc_ctx); |
4f428e86 | 746 | |
b05fbac1 MC |
747 | /* |
748 | * If we have a cipher in place then the tag is mandatory. If the cipher is | |
749 | * CBC mode then an explicit IV is also mandatory. If we know the digest, | |
750 | * then we check it is consistent with the taglen. In the case of stitched | |
751 | * ciphers or AEAD ciphers we don't now the digest (or there isn't one) so | |
752 | * we just trust that the taglen is correct. | |
753 | */ | |
754 | assert(rl->enc_ctx == NULL || ((blocksize == 0 || rl->eivlen > 0) | |
755 | && rl->taglen > 0)); | |
756 | assert(rl->md == NULL || (int)rl->taglen == EVP_MD_size(rl->md)); | |
757 | ||
758 | /* | |
759 | * Record overhead consists of the record header, the explicit IV, any | |
760 | * expansion due to cbc padding, and the mac/tag len. There could be | |
761 | * further expansion due to compression - but we don't know what this will | |
762 | * be without knowing the length of the data. However when this function is | |
763 | * called we don't know what the length will be yet - so this is a catch-22. | |
764 | * We *could* use SSL_3_RT_MAX_COMPRESSED_OVERHEAD which is an upper limit | |
765 | * for the maximum record size. But this value is larger than our fallback | |
766 | * MTU size - so isn't very helpful. We just ignore potential expansion | |
767 | * due to compression. | |
768 | */ | |
769 | return DTLS1_RT_HEADER_LENGTH + rl->eivlen + blocksize + rl->taglen; | |
4f428e86 MC |
770 | } |
771 | ||
eddb067e MC |
772 | const OSSL_RECORD_METHOD ossl_dtls_record_method = { |
773 | dtls_new_record_layer, | |
774 | dtls_free, | |
eddb067e MC |
775 | tls_unprocessed_read_pending, |
776 | tls_processed_read_pending, | |
777 | tls_app_data_pending, | |
eddb067e | 778 | tls_get_max_records, |
602ee1f6 | 779 | tls_write_records, |
2b71b042 | 780 | tls_retry_write_records, |
eddb067e MC |
781 | tls_read_record, |
782 | tls_release_record, | |
783 | tls_get_alert_code, | |
784 | tls_set1_bio, | |
785 | tls_set_protocol_version, | |
786 | NULL, | |
787 | tls_set_first_handshake, | |
788 | tls_set_max_pipelines, | |
d0b17ea0 | 789 | dtls_set_in_init, |
4566dae7 | 790 | tls_get_state, |
1e76110b | 791 | tls_set_options, |
435d88d7 | 792 | tls_get_compression, |
4f428e86 | 793 | tls_set_max_frag_len, |
b92fc4ae | 794 | dtls_get_max_record_overhead, |
7eb39ecb MC |
795 | tls_increment_sequence_ctr, |
796 | tls_alloc_buffers, | |
797 | tls_free_buffers | |
eddb067e | 798 | }; |