]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/record/methods/dtls_meth.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Copyright year updates
[thirdparty/openssl.git] / ssl / record / methods / dtls_meth.c
CommitLineData
eddb067e 1/*
da1c088f 2 * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
eddb067e
MC		 3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
b05fbac1 10#include <assert.h>
eddb067e
MC		 11#include "../../ssl_local.h"
12#include "../record_local.h"
13#include "recmethod_local.h"
14
15/* mod 128 saturating subtract of two 64-bit values in big-endian order */
16static int satsub64be(const unsigned char *v1, const unsigned char *v2)
17{
18 int64_t ret;
19 uint64_t l1, l2;
20
21 n2l8(v1, l1);
22 n2l8(v2, l2);
23
24 ret = l1 - l2;
25
26 /* We do not permit wrap-around */
27 if (l1 > l2 && ret < 0)
28 return 128;
29 else if (l2 > l1 && ret > 0)
30 return -128;
31
32 if (ret > 128)
33 return 128;
34 else if (ret < -128)
35 return -128;
36 else
37 return (int)ret;
38}
39
f6aab7b1 40static int dtls_record_replay_check(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
eddb067e
MC		 41{
42 int cmp;
43 unsigned int shift;
222cf410 44 const unsigned char *seq = rl->sequence;
eddb067e
MC		 45
46 cmp = satsub64be(seq, bitmap->max_seq_num);
47 if (cmp > 0) {
22094d11 48 ossl_tls_rl_record_set_seq_num(&rl->rrec[0], seq);
eddb067e
MC		 49 return 1; /* this record in new */
50 }
51 shift = -cmp;
52 if (shift >= sizeof(bitmap->map) * 8)
53 return 0; /* stale, outside the window */
f6aab7b1 54 else if (bitmap->map & ((uint64_t)1 << shift))
eddb067e
MC		 55 return 0; /* record previously received */
56
22094d11 57 ossl_tls_rl_record_set_seq_num(&rl->rrec[0], seq);
eddb067e
MC		 58 return 1;
59}
60
3a7a539e 61static void dtls_record_bitmap_update(OSSL_RECORD_LAYER *rl,
f6aab7b1 62 DTLS_BITMAP *bitmap)
eddb067e
MC		 63{
64 int cmp;
65 unsigned int shift;
222cf410 66 const unsigned char *seq = rl->sequence;
eddb067e
MC		 67
68 cmp = satsub64be(seq, bitmap->max_seq_num);
69 if (cmp > 0) {
70 shift = cmp;
71 if (shift < sizeof(bitmap->map) * 8)
72 bitmap->map <<= shift, bitmap->map |= 1UL;
73 else
74 bitmap->map = 1UL;
75 memcpy(bitmap->max_seq_num, seq, SEQ_NUM_SIZE);
76 } else {
77 shift = -cmp;
78 if (shift < sizeof(bitmap->map) * 8)
f6aab7b1 79 bitmap->map |= (uint64_t)1 << shift;
eddb067e
MC		 80 }
81}
82
22094d11 83static DTLS_BITMAP *dtls_get_bitmap(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rr,
f6aab7b1 84 unsigned int *is_next_epoch)
eddb067e 85{
eddb067e
MC		 86 *is_next_epoch = 0;
87
88 /* In current epoch, accept HM, CCS, DATA, & ALERT */
222cf410 89 if (rr->epoch == rl->epoch)
bfc0f10d 90 return &rl->bitmap;
eddb067e
MC		 91
92 /*
5c476976
MC		 93 * We can only handle messages from the next epoch if we have already
94 * processed all of the unprocessed records from the previous epoch
eddb067e 95 */
1704961c 96 else if (rr->epoch == (unsigned long)(rl->epoch + 1)
5c476976 97 && rl->unprocessed_rcds.epoch != rl->epoch) {
eddb067e 98 *is_next_epoch = 1;
bfc0f10d 99 return &rl->next_bitmap;
eddb067e
MC		 100 }
101
102 return NULL;
103}
104
bfc0f10d
MC		 105static void dtls_set_in_init(OSSL_RECORD_LAYER *rl, int in_init)
106{
107 rl->in_init = in_init;
108}
109
f6aab7b1 110static int dtls_process_record(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
eddb067e
MC		 111{
112 int i;
113 int enc_err;
22094d11 114 TLS_RL_RECORD *rr;
eddb067e
MC		 115 int imac_size;
116 size_t mac_size = 0;
117 unsigned char md[EVP_MAX_MD_SIZE];
eddb067e
MC		 118 SSL_MAC_BUF macbuf = { NULL, 0 };
119 int ret = 0;
eddb067e
MC		 120
121 rr = &rl->rrec[0];
eddb067e
MC		 122
123 /*
1704961c 124 * At this point, rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length,
222cf410 125 * and we have that many bytes in rl->packet
eddb067e 126 */
222cf410 127 rr->input = &(rl->packet[DTLS1_RT_HEADER_LENGTH]);
eddb067e
MC		 128
129 /*
222cf410 130 * ok, we can now read from 'rl->packet' data into 'rr'. rr->input
eddb067e
MC		 131 * points at rr->length bytes, which need to be copied into rr->data by
132 * either the decryption or by the decompression. When the data is 'copied'
133 * into the rr->data buffer, rr->input will be pointed at the new buffer
134 */
135
136 /*
137 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
138 * bytes of encrypted compressed stuff.
139 */
140
141 /* check is not needed I believe */
142 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
222cf410 143 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
eddb067e
MC		 144 return 0;
145 }
146
147 /* decrypt in place in 'rr->input' */
148 rr->data = rr->input;
149 rr->orig_len = rr->length;
150
222cf410
MC		 151 if (rl->md_ctx != NULL) {
152 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
eddb067e
MC		 153
154 if (tmpmd != NULL) {
155 imac_size = EVP_MD_get_size(tmpmd);
156 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
1704961c
MC		 157 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
158 return 0;
eddb067e
MC		 159 }
160 mac_size = (size_t)imac_size;
161 }
162 }
163
1704961c 164 if (rl->use_etm && rl->md_ctx != NULL) {
eddb067e
MC		 165 unsigned char *mac;
166
167 if (rr->orig_len < mac_size) {
222cf410 168 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
eddb067e
MC		 169 return 0;
170 }
171 rr->length -= mac_size;
172 mac = rr->data + rr->length;
222cf410 173 i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
eddb067e 174 if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
222cf410
MC		 175 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
176 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
eddb067e
MC		 177 return 0;
178 }
179 /*
180 * We've handled the mac now - there is no MAC inside the encrypted
181 * record
182 */
183 mac_size = 0;
184 }
185
186 /*
187 * Set a mark around the packet decryption attempt. This is DTLS, so
188 * bad packets are just ignored, and we don't want to leave stray
189 * errors in the queue from processing bogus junk that we ignored.
190 */
191 ERR_set_mark();
222cf410 192 enc_err = rl->funcs->cipher(rl, rr, 1, 0, &macbuf, mac_size);
eddb067e
MC		 193
194 /*-
195 * enc_err is:
196 * 0: if the record is publicly invalid, or an internal error, or AEAD
197 * decryption failed, or ETM decryption failed.
198 * 1: Success or MTE decryption failed (MAC will be randomised)
199 */
200 if (enc_err == 0) {
201 ERR_pop_to_mark();
d3192c26
MC		 202 if (rl->alert != SSL_AD_NO_ALERT) {
203 /* RLAYERfatal() already called */
eddb067e
MC		 204 goto end;
205 }
206 /* For DTLS we simply ignore bad packets. */
207 rr->length = 0;
222cf410 208 rl->packet_length = 0;
eddb067e
MC		 209 goto end;
210 }
211 ERR_clear_last_mark();
212 OSSL_TRACE_BEGIN(TLS) {
213 BIO_printf(trc_out, "dec %zd\n", rr->length);
214 BIO_dump_indent(trc_out, rr->data, rr->length, 4);
215 } OSSL_TRACE_END(TLS);
216
217 /* r->length is now the compressed data plus mac */
222cf410
MC		 218 if (!rl->use_etm
219 && (rl->enc_ctx != NULL)
220 && (EVP_MD_CTX_get0_md(rl->md_ctx) != NULL)) {
221 /* rl->md_ctx != NULL => mac_size != -1 */
eddb067e 222
1704961c 223 i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
eddb067e
MC		 224 if (i == 0 || macbuf.mac == NULL
225 || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0)
226 enc_err = 0;
227 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
228 enc_err = 0;
229 }
230
231 if (enc_err == 0) {
232 /* decryption failed, silently discard message */
233 rr->length = 0;
222cf410 234 rl->packet_length = 0;
eddb067e
MC		 235 goto end;
236 }
237
238 /* r->length is now just compressed */
9251c3c4 239 if (rl->compctx != NULL) {
eddb067e 240 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
222cf410
MC		 241 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
242 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
eddb067e
MC		 243 goto end;
244 }
222cf410
MC		 245 if (!tls_do_uncompress(rl, rr)) {
246 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION);
eddb067e
MC		 247 goto end;
248 }
249 }
250
222cf410
MC		 251 /*
252 * Check if the received packet overflows the current Max Fragment
253 * Length setting.
254 */
435d88d7 255 if (rr->length > rl->max_frag_len) {
222cf410 256 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
eddb067e
MC		 257 goto end;
258 }
259
260 rr->off = 0;
261 /*-
262 * So at this point the following is true
263 * ssl->s3.rrec.type is the type of record
264 * ssl->s3.rrec.length == number of bytes in record
265 * ssl->s3.rrec.off == offset to first valid byte
266 * ssl->s3.rrec.data == where to take bytes from, increment
267 * after use :-).
268 */
269
270 /* we have pulled in a full packet so zero things */
222cf410 271 rl->packet_length = 0;
eddb067e
MC		 272
273 /* Mark receipt of record. */
3a7a539e 274 dtls_record_bitmap_update(rl, bitmap);
eddb067e
MC		 275
276 ret = 1;
277 end:
278 if (macbuf.alloced)
279 OPENSSL_free(macbuf.mac);
280 return ret;
281}
282
222cf410 283static int dtls_rlayer_buffer_record(OSSL_RECORD_LAYER *rl, record_pqueue *queue,
eddb067e
MC		 284 unsigned char *priority)
285{
286 DTLS_RLAYER_RECORD_DATA *rdata;
287 pitem *item;
eddb067e
MC		 288
289 /* Limit the size of the queue to prevent DOS attacks */
290 if (pqueue_size(queue->q) >= 100)
291 return 0;
292
293 rdata = OPENSSL_malloc(sizeof(*rdata));
294 item = pitem_new(priority, rdata);
295 if (rdata == NULL || item == NULL) {
296 OPENSSL_free(rdata);
297 pitem_free(item);
222cf410 298 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
eddb067e
MC		 299 return -1;
300 }
301
222cf410
MC		 302 rdata->packet = rl->packet;
303 rdata->packet_length = rl->packet_length;
e9189cc4 304 memcpy(&(rdata->rbuf), &rl->rbuf, sizeof(TLS_BUFFER));
22094d11 305 memcpy(&(rdata->rrec), &rl->rrec[0], sizeof(TLS_RL_RECORD));
eddb067e
MC		 306
307 item->data = rdata;
308
222cf410
MC		 309 rl->packet = NULL;
310 rl->packet_length = 0;
e9189cc4 311 memset(&rl->rbuf, 0, sizeof(TLS_BUFFER));
eddb067e
MC		 312 memset(&rl->rrec[0], 0, sizeof(rl->rrec[0]));
313
9b7fb65e
MC		 314 if (!tls_setup_read_buffer(rl)) {
315 /* RLAYERfatal() already called */
eddb067e
MC		 316 OPENSSL_free(rdata->rbuf.buf);
317 OPENSSL_free(rdata);
318 pitem_free(item);
319 return -1;
320 }
321
322 if (pqueue_insert(queue->q, item) == NULL) {
323 /* Must be a duplicate so ignore it */
324 OPENSSL_free(rdata->rbuf.buf);
325 OPENSSL_free(rdata);
326 pitem_free(item);
327 }
328
329 return 1;
330}
331
bfc0f10d 332/* copy buffered record into OSSL_RECORD_LAYER structure */
eddb067e
MC		 333static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER *rl, pitem *item)
334{
335 DTLS_RLAYER_RECORD_DATA *rdata;
eddb067e
MC		 336
337 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
338
e9189cc4 339 ossl_tls_buffer_release(&rl->rbuf);
eddb067e 340
222cf410
MC		 341 rl->packet = rdata->packet;
342 rl->packet_length = rdata->packet_length;
e9189cc4 343 memcpy(&rl->rbuf, &(rdata->rbuf), sizeof(TLS_BUFFER));
22094d11 344 memcpy(&rl->rrec[0], &(rdata->rrec), sizeof(TLS_RL_RECORD));
eddb067e
MC		 345
346 /* Set proper sequence number for mac calculation */
222cf410 347 memcpy(&(rl->sequence[2]), &(rdata->packet[5]), 6);
eddb067e
MC		 348
349 return 1;
350}
351
352static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER *rl,
353 record_pqueue *queue)
354{
355 pitem *item;
356
357 item = pqueue_pop(queue->q);
358 if (item) {
359 dtls_copy_rlayer_record(rl, item);
360
361 OPENSSL_free(item->data);
362 pitem_free(item);
363
364 return 1;
365 }
366
367 return 0;
368}
369
eddb067e
MC		 370/*-
371 * Call this to get a new input record.
372 * It will return <= 0 if more data is needed, normally due to an error
373 * or non-blocking IO.
374 * When it finishes, one packet has been decoded and can be found in
375 * ssl->s3.rrec.type - is the type of record
376 * ssl->s3.rrec.data - data
377 * ssl->s3.rrec.length - number of bytes
378 */
222cf410 379int dtls_get_more_records(OSSL_RECORD_LAYER *rl)
eddb067e
MC		 380{
381 int ssl_major, ssl_minor;
382 int rret;
383 size_t more, n;
22094d11 384 TLS_RL_RECORD *rr;
eddb067e
MC		 385 unsigned char *p = NULL;
386 unsigned short version;
f6aab7b1 387 DTLS_BITMAP *bitmap;
eddb067e 388 unsigned int is_next_epoch;
eddb067e
MC		 389
390 rl->num_recs = 0;
391 rl->curr_rec = 0;
392 rl->num_released = 0;
393
394 rr = rl->rrec;
395
81c9ebd9 396 if (rl->rbuf.buf == NULL) {
9b7fb65e 397 if (!tls_setup_read_buffer(rl)) {
81c9ebd9
MC		 398 /* RLAYERfatal() already called */
399 return OSSL_RECORD_RETURN_FATAL;
400 }
401 }
402
eddb067e 403 again:
eddb067e
MC		 404 /* if we're renegotiating, then there may be buffered records */
405 if (dtls_retrieve_rlayer_buffered_record(rl, &rl->processed_rcds)) {
406 rl->num_recs = 1;
407 return OSSL_RECORD_RETURN_SUCCESS;
408 }
409
410 /* get something from the wire */
411
412 /* check if we have the header */
222cf410
MC		 413 if ((rl->rstate != SSL_ST_READ_BODY) ||
414 (rl->packet_length < DTLS1_RT_HEADER_LENGTH)) {
415 rret = rl->funcs->read_n(rl, DTLS1_RT_HEADER_LENGTH,
e9189cc4 416 TLS_BUFFER_get_len(&rl->rbuf), 0, 1, &n);
eddb067e
MC		 417 /* read timeout is handled by dtls1_read_bytes */
418 if (rret < OSSL_RECORD_RETURN_SUCCESS) {
1704961c 419 /* RLAYERfatal() already called if appropriate */
eddb067e
MC		 420 return rret; /* error or non-blocking */
421 }
422
423 /* this packet contained a partial record, dump it */
222cf410
MC		 424 if (rl->packet_length != DTLS1_RT_HEADER_LENGTH) {
425 rl->packet_length = 0;
eddb067e
MC		 426 goto again;
427 }
428
222cf410 429 rl->rstate = SSL_ST_READ_BODY;
eddb067e 430
222cf410 431 p = rl->packet;
eddb067e 432
b85ebc4b
MC		 433 if (rl->msg_callback != NULL)
434 rl->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
435 rl->cbarg);
eddb067e
MC		 436
437 /* Pull apart the header into the DTLS1_RECORD */
438 rr->type = *(p++);
439 ssl_major = *(p++);
440 ssl_minor = *(p++);
441 version = (ssl_major << 8) | ssl_minor;
442
443 /* sequence number is 64 bits, with top 2 bytes = epoch */
444 n2s(p, rr->epoch);
445
222cf410 446 memcpy(&(rl->sequence[2]), p, 6);
eddb067e
MC		 447 p += 6;
448
449 n2s(p, rr->length);
eddb067e
MC		 450
451 /*
452 * Lets check the version. We tolerate alerts that don't have the exact
453 * version number (e.g. because of protocol version errors)
454 */
222cf410
MC		 455 if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) {
456 if (version != rl->version) {
eddb067e
MC		 457 /* unexpected version, silently discard */
458 rr->length = 0;
222cf410 459 rl->packet_length = 0;
eddb067e
MC		 460 goto again;
461 }
462 }
463
222cf410
MC		 464 if (ssl_major !=
465 (rl->version == DTLS_ANY_VERSION ? DTLS1_VERSION_MAJOR
1704961c 466 : rl->version >> 8)) {
eddb067e
MC		 467 /* wrong version, silently discard record */
468 rr->length = 0;
222cf410 469 rl->packet_length = 0;
eddb067e
MC		 470 goto again;
471 }
472
473 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
474 /* record too long, silently discard it */
475 rr->length = 0;
222cf410 476 rl->packet_length = 0;
eddb067e
MC		 477 goto again;
478 }
479
222cf410
MC		 480 /*
481 * If received packet overflows maximum possible fragment length then
482 * silently discard it
483 */
435d88d7 484 if (rr->length > rl->max_frag_len + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) {
eddb067e
MC		 485 /* record too long, silently discard it */
486 rr->length = 0;
222cf410 487 rl->packet_length = 0;
eddb067e
MC		 488 goto again;
489 }
490
222cf410 491 /* now rl->rstate == SSL_ST_READ_BODY */
eddb067e
MC		 492 }
493
222cf410 494 /* rl->rstate == SSL_ST_READ_BODY, get and decode the data */
eddb067e 495
1704961c 496 if (rr->length > rl->packet_length - DTLS1_RT_HEADER_LENGTH) {
222cf410 497 /* now rl->packet_length == DTLS1_RT_HEADER_LENGTH */
eddb067e 498 more = rr->length;
222cf410 499 rret = rl->funcs->read_n(rl, more, more, 1, 1, &n);
eddb067e
MC		 500 /* this packet contained a partial record, dump it */
501 if (rret < OSSL_RECORD_RETURN_SUCCESS || n != more) {
d3192c26 502 if (rl->alert != SSL_AD_NO_ALERT) {
222cf410 503 /* read_n() called RLAYERfatal() */
eddb067e
MC		 504 return OSSL_RECORD_RETURN_FATAL;
505 }
506 rr->length = 0;
222cf410 507 rl->packet_length = 0;
eddb067e
MC		 508 goto again;
509 }
510
511 /*
222cf410
MC		 512 * now n == rr->length,
513 * and rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length
eddb067e
MC		 514 */
515 }
516 /* set state for later operations */
222cf410 517 rl->rstate = SSL_ST_READ_HEADER;
eddb067e
MC		 518
519 /* match epochs. NULL means the packet is dropped on the floor */
3a7a539e 520 bitmap = dtls_get_bitmap(rl, rr, &is_next_epoch);
eddb067e
MC		 521 if (bitmap == NULL) {
522 rr->length = 0;
222cf410 523 rl->packet_length = 0; /* dump this record */
eddb067e
MC		 524 goto again; /* get another record */
525 }
526#ifndef OPENSSL_NO_SCTP
527 /* Only do replay check if no SCTP bio */
222cf410 528 if (!BIO_dgram_is_sctp(rl->bio)) {
eddb067e
MC		 529#endif
530 /* Check whether this is a repeat, or aged record. */
3a7a539e 531 if (!dtls_record_replay_check(rl, bitmap)) {
eddb067e 532 rr->length = 0;
222cf410 533 rl->packet_length = 0; /* dump this record */
eddb067e
MC		 534 goto again; /* get another record */
535 }
536#ifndef OPENSSL_NO_SCTP
537 }
538#endif
539
540 /* just read a 0 length packet */
9007412c 541 if (rr->length == 0)
eddb067e 542 goto again;
eddb067e
MC		 543
544 /*
545 * If this record is from the next epoch (either HM or ALERT), and a
546 * handshake is currently in progress, buffer it since it cannot be
547 * processed at this time.
548 */
549 if (is_next_epoch) {
bfc0f10d 550 if (rl->in_init) {
1704961c
MC		 551 if (dtls_rlayer_buffer_record(rl, &(rl->unprocessed_rcds),
552 rr->seq_num) < 0) {
553 /* RLAYERfatal() already called */
eddb067e
MC		 554 return OSSL_RECORD_RETURN_FATAL;
555 }
556 }
557 rr->length = 0;
222cf410 558 rl->packet_length = 0;
eddb067e
MC		 559 goto again;
560 }
561
3a7a539e 562 if (!dtls_process_record(rl, bitmap)) {
d3192c26 563 if (rl->alert != SSL_AD_NO_ALERT) {
3a7a539e 564 /* dtls_process_record() called RLAYERfatal */
eddb067e
MC		 565 return OSSL_RECORD_RETURN_FATAL;
566 }
567 rr->length = 0;
222cf410 568 rl->packet_length = 0; /* dump this record */
eddb067e
MC		 569 goto again; /* get another record */
570 }
571
572 rl->num_recs = 1;
573 return OSSL_RECORD_RETURN_SUCCESS;
eddb067e
MC		 574}
575
eddb067e
MC		 576static int dtls_free(OSSL_RECORD_LAYER *rl)
577{
e9189cc4 578 TLS_BUFFER *rbuf;
7a15ed64 579 size_t left, written;
eddb067e
MC		 580 pitem *item;
581 DTLS_RLAYER_RECORD_DATA *rdata;
7a15ed64 582 int ret = 1;
eddb067e 583
7a15ed64
MC		 584 rbuf = &rl->rbuf;
585
586 left = rbuf->left;
587 if (left > 0) {
588 /*
589 * This record layer is closing but we still have data left in our
590 * buffer. It must be destined for the next epoch - so push it there.
591 */
592 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
593 rbuf->left = 0;
594 }
595
596 if (rl->unprocessed_rcds.q != NULL) {
eddb067e
MC		 597 while ((item = pqueue_pop(rl->unprocessed_rcds.q)) != NULL) {
598 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
7a15ed64 599 /* Push to the next record layer */
7a15ed64
MC		 600 ret &= BIO_write_ex(rl->next, rdata->packet, rdata->packet_length,
601 &written);
eddb067e
MC		 602 OPENSSL_free(rdata->rbuf.buf);
603 OPENSSL_free(item->data);
604 pitem_free(item);
605 }
606 pqueue_free(rl->unprocessed_rcds.q);
607 }
608
7a15ed64 609 if (rl->processed_rcds.q != NULL) {
eddb067e
MC		 610 while ((item = pqueue_pop(rl->processed_rcds.q)) != NULL) {
611 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
612 OPENSSL_free(rdata->rbuf.buf);
613 OPENSSL_free(item->data);
614 pitem_free(item);
615 }
616 pqueue_free(rl->processed_rcds.q);
617 }
618
7a15ed64 619 return tls_free(rl) && ret;
eddb067e
MC		 620}
621
622static int
623dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
279754d4 624 int role, int direction, int level, uint16_t epoch,
3f9175c7 625 unsigned char *secret, size_t secretlen,
222cf410
MC		 626 unsigned char *key, size_t keylen, unsigned char *iv,
627 size_t ivlen, unsigned char *mackey, size_t mackeylen,
eddb067e 628 const EVP_CIPHER *ciph, size_t taglen,
eddb067e 629 int mactype,
3f9175c7
MC		 630 const EVP_MD *md, COMP_METHOD *comp,
631 const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
632 BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
eddb067e 633 const OSSL_PARAM *settings, const OSSL_PARAM *options,
bea8d704 634 const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
eddb067e
MC		 635 OSSL_RECORD_LAYER **retrl)
636{
637 int ret;
638
eddb067e
MC		 639 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
640 key, keylen, iv, ivlen, mackey, mackeylen,
641 ciph, taglen, mactype, md, comp, prev,
642 transport, next, local, peer, settings,
643 options, fns, cbarg, retrl);
644
645 if (ret != OSSL_RECORD_RETURN_SUCCESS)
646 return ret;
647
648 (*retrl)->unprocessed_rcds.q = pqueue_new();
649 (*retrl)->processed_rcds.q = pqueue_new();
1704961c
MC		 650 if ((*retrl)->unprocessed_rcds.q == NULL
651 || (*retrl)->processed_rcds.q == NULL) {
eddb067e
MC		 652 dtls_free(*retrl);
653 *retrl = NULL;
e077455e 654 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
eddb067e
MC		 655 return OSSL_RECORD_RETURN_FATAL;
656 }
657
7a15ed64
MC		 658 (*retrl)->unprocessed_rcds.epoch = epoch + 1;
659 (*retrl)->processed_rcds.epoch = epoch;
660
eddb067e 661 (*retrl)->isdtls = 1;
222cf410 662 (*retrl)->epoch = epoch;
bfc0f10d 663 (*retrl)->in_init = 1;
222cf410
MC		 664
665 switch (vers) {
666 case DTLS_ANY_VERSION:
667 (*retrl)->funcs = &dtls_any_funcs;
668 break;
669 case DTLS1_2_VERSION:
670 case DTLS1_VERSION:
671 case DTLS1_BAD_VER:
672 (*retrl)->funcs = &dtls_1_funcs;
673 break;
674 default:
675 /* Should not happen */
676 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
677 ret = OSSL_RECORD_RETURN_FATAL;
678 goto err;
679 }
eddb067e 680
222cf410 681 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
1704961c
MC		 682 ivlen, mackey, mackeylen, ciph,
683 taglen, mactype, md, comp);
222cf410
MC		 684
685 err:
686 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
20c7febc 687 dtls_free(*retrl);
222cf410
MC		 688 *retrl = NULL;
689 }
690 return ret;
eddb067e
MC		 691}
692
b9e37f8f
MC		 693int dtls_prepare_record_header(OSSL_RECORD_LAYER *rl,
694 WPACKET *thispkt,
695 OSSL_RECORD_TEMPLATE *templ,
eb1eaa9a 696 uint8_t rectype,
b9e37f8f
MC		 697 unsigned char **recdata)
698{
699 size_t maxcomplen;
700
701 *recdata = NULL;
702
703 maxcomplen = templ->buflen;
704 if (rl->compctx != NULL)
705 maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
706
707 if (!WPACKET_put_bytes_u8(thispkt, rectype)
708 || !WPACKET_put_bytes_u16(thispkt, templ->version)
709 || !WPACKET_put_bytes_u16(thispkt, rl->epoch)
710 || !WPACKET_memcpy(thispkt, &(rl->sequence[2]), 6)
711 || !WPACKET_start_sub_packet_u16(thispkt)
712 || (rl->eivlen > 0
713 && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL))
714 || (maxcomplen > 0
715 && !WPACKET_reserve_bytes(thispkt, maxcomplen,
716 recdata))) {
717 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
718 return 0;
719 }
720
721 return 1;
722}
723
421386e3
MC		 724int dtls_post_encryption_processing(OSSL_RECORD_LAYER *rl,
725 size_t mac_size,
726 OSSL_RECORD_TEMPLATE *thistempl,
727 WPACKET *thispkt,
22094d11 728 TLS_RL_RECORD *thiswr)
421386e3
MC		 729{
730 if (!tls_post_encryption_processing_default(rl, mac_size, thistempl,
731 thispkt, thiswr)) {
732 /* RLAYERfatal() already called */
733 return 0;
734 }
735
736 return tls_increment_sequence_ctr(rl);
737}
738
4f428e86
MC		 739static size_t dtls_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
740{
b05fbac1 741 size_t blocksize = 0;
4f428e86
MC		 742
743 if (rl->enc_ctx != NULL &&
744 (EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE))
b05fbac1 745 blocksize = EVP_CIPHER_CTX_get_block_size(rl->enc_ctx);
4f428e86 746
b05fbac1
MC		 747 /*
748 * If we have a cipher in place then the tag is mandatory. If the cipher is
749 * CBC mode then an explicit IV is also mandatory. If we know the digest,
750 * then we check it is consistent with the taglen. In the case of stitched
751 * ciphers or AEAD ciphers we don't now the digest (or there isn't one) so
752 * we just trust that the taglen is correct.
753 */
754 assert(rl->enc_ctx == NULL || ((blocksize == 0 || rl->eivlen > 0)
755 && rl->taglen > 0));
756 assert(rl->md == NULL || (int)rl->taglen == EVP_MD_size(rl->md));
757
758 /*
759 * Record overhead consists of the record header, the explicit IV, any
760 * expansion due to cbc padding, and the mac/tag len. There could be
761 * further expansion due to compression - but we don't know what this will
762 * be without knowing the length of the data. However when this function is
763 * called we don't know what the length will be yet - so this is a catch-22.
764 * We *could* use SSL_3_RT_MAX_COMPRESSED_OVERHEAD which is an upper limit
765 * for the maximum record size. But this value is larger than our fallback
766 * MTU size - so isn't very helpful. We just ignore potential expansion
767 * due to compression.
768 */
769 return DTLS1_RT_HEADER_LENGTH + rl->eivlen + blocksize + rl->taglen;
4f428e86
MC		 770}
771
eddb067e
MC		 772const OSSL_RECORD_METHOD ossl_dtls_record_method = {
773 dtls_new_record_layer,
774 dtls_free,
eddb067e
MC		 775 tls_unprocessed_read_pending,
776 tls_processed_read_pending,
777 tls_app_data_pending,
eddb067e 778 tls_get_max_records,
602ee1f6 779 tls_write_records,
2b71b042 780 tls_retry_write_records,
eddb067e
MC		 781 tls_read_record,
782 tls_release_record,
783 tls_get_alert_code,
784 tls_set1_bio,
785 tls_set_protocol_version,
786 NULL,
787 tls_set_first_handshake,
788 tls_set_max_pipelines,
d0b17ea0 789 dtls_set_in_init,
4566dae7 790 tls_get_state,
1e76110b 791 tls_set_options,
435d88d7 792 tls_get_compression,
4f428e86 793 tls_set_max_frag_len,
b92fc4ae 794 dtls_get_max_record_overhead,
7eb39ecb
MC		 795 tls_increment_sequence_ctr,
796 tls_alloc_buffers,
797 tls_free_buffers
eddb067e 798};
A mirror of the official openssl repository