]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/record/rec_layer_s3.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Move logic for figuring out the record version out of record layer
[thirdparty/openssl.git] / ssl / record / rec_layer_s3.c
1 /*
2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <limits.h>
12 #include <errno.h>
13 #include "../ssl_local.h"
14 #include <openssl/evp.h>
15 #include <openssl/buffer.h>
16 #include <openssl/rand.h>
17 #include <openssl/core_names.h>
18 #include "record_local.h"
19 #include "internal/packet.h"
20
21 #if defined(OPENSSL_SMALL_FOOTPRINT) || \
22 !( defined(AES_ASM) && ( \
23 defined(__x86_64) || defined(__x86_64__) || \
24 defined(_M_AMD64) || defined(_M_X64) ) \
25 )
26 # undef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
27 # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0
28 #endif
29
30 void RECORD_LAYER_init(RECORD_LAYER *rl, SSL_CONNECTION *s)
31 {
32 rl->s = s;
33 }
34
35 void RECORD_LAYER_clear(RECORD_LAYER *rl)
36 {
37 rl->wnum = 0;
38 memset(rl->handshake_fragment, 0, sizeof(rl->handshake_fragment));
39 rl->handshake_fragment_len = 0;
40 rl->wpend_tot = 0;
41 rl->wpend_type = 0;
42 rl->wpend_ret = 0;
43 rl->wpend_buf = NULL;
44
45 ssl3_release_write_buffer(rl->s);
46
47 RECORD_LAYER_reset_write_sequence(rl);
48
49 if (rl->rrlmethod != NULL)
50 rl->rrlmethod->free(rl->rrl); /* Ignore return value */
51 if (rl->wrlmethod != NULL)
52 rl->wrlmethod->free(rl->wrl); /* Ignore return value */
53 BIO_free(rl->rrlnext);
54 rl->rrlmethod = NULL;
55 rl->wrlmethod = NULL;
56 rl->rrlnext = NULL;
57 rl->rrl = NULL;
58 rl->wrl = NULL;
59
60 if (rl->d)
61 DTLS_RECORD_LAYER_clear(rl);
62 }
63
64 void RECORD_LAYER_release(RECORD_LAYER *rl)
65 {
66 if (rl->numwpipes > 0)
67 ssl3_release_write_buffer(rl->s);
68 }
69
70 /* Checks if we have unprocessed read ahead data pending */
71 int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
72 {
73 return rl->rrlmethod->unprocessed_read_pending(rl->rrl);
74 }
75
76 /* Checks if we have decrypted unread record data pending */
77 int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
78 {
79 return (rl->curr_rec < rl->num_recs)
80 || rl->rrlmethod->processed_read_pending(rl->rrl);
81 }
82
83 int RECORD_LAYER_write_pending(const RECORD_LAYER *rl)
84 {
85 /* TODO(RECLAYER): Remove me when DTLS is moved to the write record layer */
86 if (SSL_CONNECTION_IS_DTLS(rl->s))
87 return (rl->numwpipes > 0)
88 && SSL3_BUFFER_get_left(&rl->wbuf[rl->numwpipes - 1]) != 0;
89 return rl->wpend_tot > 0;
90 }
91
92 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
93 {
94 memset(rl->write_sequence, 0, sizeof(rl->write_sequence));
95 }
96
97 size_t ssl3_pending(const SSL *s)
98 {
99 size_t i, num = 0;
100 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
101
102 if (sc == NULL)
103 return 0;
104
105 if (SSL_CONNECTION_IS_DTLS(sc)) {
106 TLS_RECORD *rdata;
107 pitem *item, *iter;
108
109 iter = pqueue_iterator(sc->rlayer.d->buffered_app_data.q);
110 while ((item = pqueue_next(&iter)) != NULL) {
111 rdata = item->data;
112 num += rdata->length;
113 }
114 }
115
116 for (i = 0; i < sc->rlayer.num_recs; i++) {
117 if (sc->rlayer.tlsrecs[i].type != SSL3_RT_APPLICATION_DATA)
118 return num;
119 num += sc->rlayer.tlsrecs[i].length;
120 }
121
122 num += sc->rlayer.rrlmethod->app_data_pending(sc->rlayer.rrl);
123
124 return num;
125 }
126
127 void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
128 {
129 ctx->default_read_buf_len = len;
130 }
131
132 void SSL_set_default_read_buffer_len(SSL *s, size_t len)
133 {
134 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
135
136 if (sc == NULL)
137 return;
138 sc->rlayer.default_read_buf_len = len;
139 }
140
141 const char *SSL_rstate_string_long(const SSL *s)
142 {
143 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
144 const char *lng;
145
146 if (sc == NULL)
147 return NULL;
148
149 if (sc->rlayer.rrlmethod == NULL || sc->rlayer.rrl == NULL)
150 return "unknown";
151
152 sc->rlayer.rrlmethod->get_state(sc->rlayer.rrl, NULL, &lng);
153
154 return lng;
155 }
156
157 const char *SSL_rstate_string(const SSL *s)
158 {
159 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
160 const char *shrt;
161
162 if (sc == NULL)
163 return NULL;
164
165 if (sc->rlayer.rrlmethod == NULL || sc->rlayer.rrl == NULL)
166 return "unknown";
167
168 sc->rlayer.rrlmethod->get_state(sc->rlayer.rrl, &shrt, NULL);
169
170 return shrt;
171 }
172
173 static int tls_write_check_pending(SSL_CONNECTION *s, int type,
174 const unsigned char *buf, size_t len)
175 {
176 if (s->rlayer.wpend_tot == 0)
177 return 0;
178
179 /* We have pending data, so do some sanity checks */
180 if ((s->rlayer.wpend_tot > len)
181 || (!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)
182 && (s->rlayer.wpend_buf != buf))
183 || (s->rlayer.wpend_type != type)) {
184 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_WRITE_RETRY);
185 return -1;
186 }
187 return 1;
188 }
189
190 /*
191 * Call this to write data in records of type 'type' It will return <= 0 if
192 * not all data has been sent or non-blocking IO.
193 */
194 int ssl3_write_bytes(SSL *ssl, int type, const void *buf_, size_t len,
195 size_t *written)
196 {
197 const unsigned char *buf = buf_;
198 size_t tot;
199 size_t n, max_send_fragment, split_send_fragment, maxpipes;
200 /* TODO(RECLAYER): Re-enable multiblock code */
201 #if 0 && !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
202 size_t nw;
203 #endif
204 int i;
205 SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
206 OSSL_RECORD_TEMPLATE tmpls[SSL_MAX_PIPELINES];
207 unsigned int recversion;
208
209 if (s == NULL)
210 return -1;
211
212 s->rwstate = SSL_NOTHING;
213 tot = s->rlayer.wnum;
214 /*
215 * ensure that if we end up with a smaller value of data to write out
216 * than the original len from a write which didn't complete for
217 * non-blocking I/O and also somehow ended up avoiding the check for
218 * this in tls_write_check_pending/SSL_R_BAD_WRITE_RETRY as it must never be
219 * possible to end up with (len-tot) as a large number that will then
220 * promptly send beyond the end of the users buffer ... so we trap and
221 * report the error in a way the user will notice
222 */
223 if ((len < s->rlayer.wnum)
224 || ((s->rlayer.wpend_tot != 0)
225 && (len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) {
226 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH);
227 return -1;
228 }
229
230 if (s->early_data_state == SSL_EARLY_DATA_WRITING
231 && !ossl_early_data_count_ok(s, len, 0, 1)) {
232 /* SSLfatal() already called */
233 return -1;
234 }
235
236 s->rlayer.wnum = 0;
237
238 /*
239 * If we are supposed to be sending a KeyUpdate or NewSessionTicket then go
240 * into init unless we have writes pending - in which case we should finish
241 * doing that first.
242 */
243 if (s->rlayer.wpend_tot == 0 && (s->key_update != SSL_KEY_UPDATE_NONE
244 || s->ext.extra_tickets_expected > 0))
245 ossl_statem_set_in_init(s, 1);
246
247 /*
248 * When writing early data on the server side we could be "in_init" in
249 * between receiving the EoED and the CF - but we don't want to handle those
250 * messages yet.
251 */
252 if (SSL_in_init(ssl) && !ossl_statem_get_in_handshake(s)
253 && s->early_data_state != SSL_EARLY_DATA_UNAUTH_WRITING) {
254 i = s->handshake_func(ssl);
255 /* SSLfatal() already called */
256 if (i < 0)
257 return i;
258 if (i == 0) {
259 return -1;
260 }
261 }
262
263 i = tls_write_check_pending(s, type, buf, len);
264 if (i < 0) {
265 /* SSLfatal() already called */
266 return i;
267 } else if (i > 0) {
268 /* Retry needed */
269 i = s->rlayer.wrlmethod->retry_write_records(s->rlayer.wrl);
270 if (i <= 0)
271 return i;
272 tot += s->rlayer.wpend_tot;
273 s->rlayer.wpend_tot = 0;
274 } /* else no retry required */
275
276 if (tot == 0) {
277 /*
278 * We've not previously sent any data for this write so memorize
279 * arguments so that we can detect bad write retries later
280 */
281 s->rlayer.wpend_tot = 0;
282 s->rlayer.wpend_type = type;
283 s->rlayer.wpend_buf = buf;
284 s->rlayer.wpend_ret = len;
285 }
286
287 /* TODO(RECLAYER): Re-enable multiblock code */
288 #if 0 && !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
289 /*
290 * Depending on platform multi-block can deliver several *times*
291 * better performance. Downside is that it has to allocate
292 * jumbo buffer to accommodate up to 8 records, but the
293 * compromise is considered worthy.
294 */
295 if (type == SSL3_RT_APPLICATION_DATA
296 && len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s))
297 && s->compress == NULL
298 && s->msg_callback == NULL
299 && !SSL_WRITE_ETM(s)
300 && SSL_USE_EXPLICIT_IV(s)
301 && !BIO_get_ktls_send(s->wbio)
302 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx))
303 & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) != 0) {
304 unsigned char aad[13];
305 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
306 size_t packlen;
307 int packleni;
308
309 /* minimize address aliasing conflicts */
310 if ((max_send_fragment & 0xfff) == 0)
311 max_send_fragment -= 512;
312
313 if (tot == 0 || wb->buf == NULL) { /* allocate jumbo buffer */
314 ssl3_release_write_buffer(s);
315
316 packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
317 EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE,
318 (int)max_send_fragment, NULL);
319
320 if (len >= 8 * max_send_fragment)
321 packlen *= 8;
322 else
323 packlen *= 4;
324
325 if (!ssl3_setup_write_buffer(s, 1, packlen)) {
326 /* SSLfatal() already called */
327 return -1;
328 }
329 } else if (tot == len) { /* done? */
330 /* free jumbo buffer */
331 ssl3_release_write_buffer(s);
332 *written = tot;
333 return 1;
334 }
335
336 n = (len - tot);
337 for (;;) {
338 if (n < 4 * max_send_fragment) {
339 /* free jumbo buffer */
340 ssl3_release_write_buffer(s);
341 break;
342 }
343
344 if (s->s3.alert_dispatch) {
345 i = ssl->method->ssl_dispatch_alert(ssl);
346 if (i <= 0) {
347 /* SSLfatal() already called if appropriate */
348 s->rlayer.wnum = tot;
349 return i;
350 }
351 }
352
353 if (n >= 8 * max_send_fragment)
354 nw = max_send_fragment * (mb_param.interleave = 8);
355 else
356 nw = max_send_fragment * (mb_param.interleave = 4);
357
358 memcpy(aad, s->rlayer.write_sequence, 8);
359 aad[8] = type;
360 aad[9] = (unsigned char)(s->version >> 8);
361 aad[10] = (unsigned char)(s->version);
362 aad[11] = 0;
363 aad[12] = 0;
364 mb_param.out = NULL;
365 mb_param.inp = aad;
366 mb_param.len = nw;
367
368 packleni = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
369 EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
370 sizeof(mb_param), &mb_param);
371 packlen = (size_t)packleni;
372 if (packleni <= 0 || packlen > wb->len) { /* never happens */
373 /* free jumbo buffer */
374 ssl3_release_write_buffer(s);
375 break;
376 }
377
378 mb_param.out = wb->buf;
379 mb_param.inp = &buf[tot];
380 mb_param.len = nw;
381
382 if (EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
383 EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
384 sizeof(mb_param), &mb_param) <= 0)
385 return -1;
386
387 s->rlayer.write_sequence[7] += mb_param.interleave;
388 if (s->rlayer.write_sequence[7] < mb_param.interleave) {
389 int j = 6;
390 while (j >= 0 && (++s->rlayer.write_sequence[j--]) == 0) ;
391 }
392
393 wb->offset = 0;
394 wb->left = packlen;
395
396 s->rlayer.wpend_tot = nw;
397 s->rlayer.wpend_buf = &buf[tot];
398 s->rlayer.wpend_type = type;
399 s->rlayer.wpend_ret = nw;
400
401 i = ssl3_write_pending(s, type, &buf[tot], nw, &tmpwrit);
402 if (i <= 0) {
403 /* SSLfatal() already called if appropriate */
404 if (i < 0 && (!s->wbio || !BIO_should_retry(s->wbio))) {
405 /* free jumbo buffer */
406 ssl3_release_write_buffer(s);
407 }
408 s->rlayer.wnum = tot;
409 return i;
410 }
411 if (tmpwrit == n) {
412 /* free jumbo buffer */
413 ssl3_release_write_buffer(s);
414 *written = tot + tmpwrit;
415 return 1;
416 }
417 n -= tmpwrit;
418 tot += tmpwrit;
419 }
420 } else
421 #endif /* !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK */
422 if (tot == len) { /* done? */
423 *written = tot;
424 return 1;
425 }
426
427 /* If we have an alert to send, lets send it */
428 if (s->s3.alert_dispatch) {
429 i = ssl->method->ssl_dispatch_alert(ssl);
430 if (i <= 0) {
431 /* SSLfatal() already called if appropriate */
432 return i;
433 }
434 /* if it went, fall through and send more stuff */
435 }
436
437 n = (len - tot);
438
439 max_send_fragment = ssl_get_max_send_fragment(s);
440 split_send_fragment = ssl_get_split_send_fragment(s);
441 /*
442 * TODO(RECLAYER): This comment is now out-of-date and probably needs to
443 * move somewhere else
444 *
445 * If max_pipelines is 0 then this means "undefined" and we default to
446 * 1 pipeline. Similarly if the cipher does not support pipelined
447 * processing then we also only use 1 pipeline, or if we're not using
448 * explicit IVs
449 */
450 maxpipes = s->max_pipelines;
451 if (maxpipes > SSL_MAX_PIPELINES) {
452 /*
453 * We should have prevented this when we set max_pipelines so we
454 * shouldn't get here
455 */
456 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
457 return -1;
458 }
459 /* If no explicit maxpipes configuration - default to 1 */
460 /* TODO(RECLAYER): Should we ask the record layer how many pipes it supports? */
461 if (maxpipes <= 0)
462 maxpipes = 1;
463 #if 0
464 /* TODO(RECLAYER): FIX ME */
465 if (maxpipes == 0
466 || s->enc_write_ctx == NULL
467 || (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx))
468 & EVP_CIPH_FLAG_PIPELINE) == 0
469 || !SSL_USE_EXPLICIT_IV(s))
470 maxpipes = 1;
471 #endif
472 if (max_send_fragment == 0
473 || split_send_fragment == 0
474 || split_send_fragment > max_send_fragment) {
475 /*
476 * We should have prevented this when we set/get the split and max send
477 * fragments so we shouldn't get here
478 */
479 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
480 return -1;
481 }
482
483 /*
484 * Some servers hang if initial client hello is larger than 256 bytes
485 * and record version number > TLS 1.0
486 */
487 /* TODO(RECLAYER): Does this also need to be in the DTLS equivalent code? */
488 recversion = (s->version == TLS1_3_VERSION) ? TLS1_2_VERSION : s->version;
489 if (SSL_get_state(ssl) == TLS_ST_CW_CLNT_HELLO
490 && !s->renegotiate
491 && TLS1_get_version(ssl) > TLS1_VERSION
492 && s->hello_retry_request == SSL_HRR_NONE)
493 recversion = TLS1_VERSION;
494
495 for (;;) {
496 size_t tmppipelen, remain;
497 size_t numpipes, j, lensofar = 0;
498
499 if (n == 0)
500 numpipes = 1;
501 else
502 numpipes = ((n - 1) / split_send_fragment) + 1;
503 if (numpipes > maxpipes)
504 numpipes = maxpipes;
505
506 if (n / numpipes >= max_send_fragment) {
507 /*
508 * We have enough data to completely fill all available
509 * pipelines
510 */
511 for (j = 0; j < numpipes; j++) {
512 tmpls[j].type = type;
513 tmpls[j].version = recversion;
514 tmpls[j].buf = &(buf[tot]) + (j * max_send_fragment);
515 tmpls[j].buflen = max_send_fragment;
516 }
517 /* Remember how much data we are going to be sending */
518 s->rlayer.wpend_tot = numpipes * max_send_fragment;
519 } else {
520 /* We can partially fill all available pipelines */
521 tmppipelen = n / numpipes;
522 remain = n % numpipes;
523 /*
524 * If there is a remainder we add an extra byte to the first few
525 * pipelines
526 */
527 if (remain > 0)
528 tmppipelen++;
529 for (j = 0; j < numpipes; j++) {
530 tmpls[j].type = type;
531 tmpls[j].version = recversion;
532 tmpls[j].buf = &(buf[tot]) + lensofar;
533 tmpls[j].buflen = tmppipelen;
534 lensofar += tmppipelen;
535 if (j + 1 == remain)
536 tmppipelen--;
537 }
538 /* Remember how much data we are going to be sending */
539 s->rlayer.wpend_tot = n;
540 }
541
542 i = s->rlayer.wrlmethod->write_records(s->rlayer.wrl, tmpls, numpipes);
543 if (i <= 0) {
544 /* SSLfatal() already called if appropriate */
545 s->rlayer.wnum = tot;
546 return i;
547 }
548
549 if (s->rlayer.wpend_tot == n
550 || (type == SSL3_RT_APPLICATION_DATA
551 && (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) != 0)) {
552 *written = tot + s->rlayer.wpend_tot;
553 s->rlayer.wpend_tot = 0;
554 return 1;
555 }
556
557 n -= s->rlayer.wpend_tot;
558 tot += s->rlayer.wpend_tot;
559 }
560 }
561
562 int ossl_tls_handle_rlayer_return(SSL_CONNECTION *s, int ret, char *file,
563 int line)
564 {
565 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
566
567 if (ret == OSSL_RECORD_RETURN_RETRY) {
568 s->rwstate = SSL_READING;
569 ret = -1;
570 } else {
571 s->rwstate = SSL_NOTHING;
572 if (ret == OSSL_RECORD_RETURN_EOF) {
573 if (s->options & SSL_OP_IGNORE_UNEXPECTED_EOF) {
574 SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
575 s->s3.warn_alert = SSL_AD_CLOSE_NOTIFY;
576 } else {
577 ERR_new();
578 ERR_set_debug(file, line, 0);
579 ossl_statem_fatal(s, SSL_AD_DECODE_ERROR,
580 SSL_R_UNEXPECTED_EOF_WHILE_READING, NULL);
581 }
582 } else if (ret == OSSL_RECORD_RETURN_FATAL) {
583 int al = s->rlayer.rrlmethod->get_alert_code(s->rlayer.rrl);
584
585 if (al != SSL_AD_NO_ALERT) {
586 ERR_new();
587 ERR_set_debug(file, line, 0);
588 ossl_statem_fatal(s, al, SSL_R_RECORD_LAYER_FAILURE, NULL);
589 }
590 /*
591 * else some failure but there is no alert code. We don't log an
592 * error for this. The record layer should have logged an error
593 * already or, if not, its due to some sys call error which will be
594 * reported via SSL_ERROR_SYSCALL and errno.
595 */
596 }
597 /*
598 * The record layer distinguishes the cases of EOF, non-fatal
599 * err and retry. Upper layers do not.
600 * If we got a retry or success then *ret is already correct,
601 * otherwise we need to convert the return value.
602 */
603 if (ret == OSSL_RECORD_RETURN_NON_FATAL_ERR || ret == OSSL_RECORD_RETURN_EOF)
604 ret = 0;
605 else if (ret < OSSL_RECORD_RETURN_NON_FATAL_ERR)
606 ret = -1;
607 }
608
609 return ret;
610 }
611
612 void ssl_release_record(SSL_CONNECTION *s, TLS_RECORD *rr)
613 {
614 if (rr->rechandle != NULL) {
615 /* The record layer allocated the buffers for this record */
616 s->rlayer.rrlmethod->release_record(s->rlayer.rrl, rr->rechandle);
617 } else {
618 /* We allocated the buffers for this record (only happens with DTLS) */
619 OPENSSL_free(rr->data);
620 }
621 s->rlayer.curr_rec++;
622 }
623
624 /*-
625 * Return up to 'len' payload bytes received in 'type' records.
626 * 'type' is one of the following:
627 *
628 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
629 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
630 * - 0 (during a shutdown, no data has to be returned)
631 *
632 * If we don't have stored data to work from, read a SSL/TLS record first
633 * (possibly multiple records if we still don't have anything to return).
634 *
635 * This function must handle any surprises the peer may have for us, such as
636 * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec
637 * messages are treated as if they were handshake messages *if* the |recvd_type|
638 * argument is non NULL.
639 * Also if record payloads contain fragments too small to process, we store
640 * them until there is enough for the respective protocol (the record protocol
641 * may use arbitrary fragmentation and even interleaving):
642 * Change cipher spec protocol
643 * just 1 byte needed, no need for keeping anything stored
644 * Alert protocol
645 * 2 bytes needed (AlertLevel, AlertDescription)
646 * Handshake protocol
647 * 4 bytes needed (HandshakeType, uint24 length) -- we just have
648 * to detect unexpected Client Hello and Hello Request messages
649 * here, anything else is handled by higher layers
650 * Application data protocol
651 * none of our business
652 */
653 int ssl3_read_bytes(SSL *ssl, int type, int *recvd_type, unsigned char *buf,
654 size_t len, int peek, size_t *readbytes)
655 {
656 int i, j, ret;
657 size_t n, curr_rec, totalbytes;
658 TLS_RECORD *rr;
659 void (*cb) (const SSL *ssl, int type2, int val) = NULL;
660 int is_tls13;
661 SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
662
663 is_tls13 = SSL_CONNECTION_IS_TLS13(s);
664
665 if ((type != 0
666 && (type != SSL3_RT_APPLICATION_DATA)
667 && (type != SSL3_RT_HANDSHAKE))
668 || (peek && (type != SSL3_RT_APPLICATION_DATA))) {
669 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
670 return -1;
671 }
672
673 if ((type == SSL3_RT_HANDSHAKE) && (s->rlayer.handshake_fragment_len > 0))
674 /* (partially) satisfy request from storage */
675 {
676 unsigned char *src = s->rlayer.handshake_fragment;
677 unsigned char *dst = buf;
678 unsigned int k;
679
680 /* peek == 0 */
681 n = 0;
682 while ((len > 0) && (s->rlayer.handshake_fragment_len > 0)) {
683 *dst++ = *src++;
684 len--;
685 s->rlayer.handshake_fragment_len--;
686 n++;
687 }
688 /* move any remaining fragment bytes: */
689 for (k = 0; k < s->rlayer.handshake_fragment_len; k++)
690 s->rlayer.handshake_fragment[k] = *src++;
691
692 if (recvd_type != NULL)
693 *recvd_type = SSL3_RT_HANDSHAKE;
694
695 *readbytes = n;
696 return 1;
697 }
698
699 /*
700 * Now s->rlayer.handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE.
701 */
702
703 if (!ossl_statem_get_in_handshake(s) && SSL_in_init(ssl)) {
704 /* type == SSL3_RT_APPLICATION_DATA */
705 i = s->handshake_func(ssl);
706 /* SSLfatal() already called */
707 if (i < 0)
708 return i;
709 if (i == 0)
710 return -1;
711 }
712 start:
713 s->rwstate = SSL_NOTHING;
714
715 /*-
716 * For each record 'i' up to |num_recs]
717 * rr[i].type - is the type of record
718 * rr[i].data, - data
719 * rr[i].off, - offset into 'data' for next read
720 * rr[i].length, - number of bytes.
721 */
722 /* get new records if necessary */
723 if (s->rlayer.curr_rec >= s->rlayer.num_recs) {
724 s->rlayer.curr_rec = s->rlayer.num_recs = 0;
725 do {
726 rr = &s->rlayer.tlsrecs[s->rlayer.num_recs];
727
728 ret = HANDLE_RLAYER_RETURN(s,
729 s->rlayer.rrlmethod->read_record(s->rlayer.rrl,
730 &rr->rechandle,
731 &rr->version, &rr->type,
732 &rr->data, &rr->length,
733 NULL, NULL));
734 if (ret <= 0) {
735 /* SSLfatal() already called if appropriate */
736 return ret;
737 }
738 rr->off = 0;
739 s->rlayer.num_recs++;
740 } while (s->rlayer.rrlmethod->processed_read_pending(s->rlayer.rrl)
741 && s->rlayer.num_recs < SSL_MAX_PIPELINES);
742 }
743 rr = &s->rlayer.tlsrecs[s->rlayer.curr_rec];
744
745 if (s->rlayer.handshake_fragment_len > 0
746 && rr->type != SSL3_RT_HANDSHAKE
747 && SSL_CONNECTION_IS_TLS13(s)) {
748 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
749 SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA);
750 return -1;
751 }
752
753 /*
754 * Reset the count of consecutive warning alerts if we've got a non-empty
755 * record that isn't an alert.
756 */
757 if (rr->type != SSL3_RT_ALERT && rr->length != 0)
758 s->rlayer.alert_count = 0;
759
760 /* we now have a packet which can be read and processed */
761
762 if (s->s3.change_cipher_spec /* set when we receive ChangeCipherSpec,
763 * reset by ssl3_get_finished */
764 && (rr->type != SSL3_RT_HANDSHAKE)) {
765 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
766 SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
767 return -1;
768 }
769
770 /*
771 * If the other end has shut down, throw anything we read away (even in
772 * 'peek' mode)
773 */
774 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
775 s->rlayer.curr_rec++;
776 s->rwstate = SSL_NOTHING;
777 return 0;
778 }
779
780 if (type == rr->type
781 || (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC
782 && type == SSL3_RT_HANDSHAKE && recvd_type != NULL
783 && !is_tls13)) {
784 /*
785 * SSL3_RT_APPLICATION_DATA or
786 * SSL3_RT_HANDSHAKE or
787 * SSL3_RT_CHANGE_CIPHER_SPEC
788 */
789 /*
790 * make sure that we are not getting application data when we are
791 * doing a handshake for the first time
792 */
793 if (SSL_in_init(ssl) && type == SSL3_RT_APPLICATION_DATA
794 && s->enc_read_ctx == NULL) {
795 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_APP_DATA_IN_HANDSHAKE);
796 return -1;
797 }
798
799 if (type == SSL3_RT_HANDSHAKE
800 && rr->type == SSL3_RT_CHANGE_CIPHER_SPEC
801 && s->rlayer.handshake_fragment_len > 0) {
802 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
803 return -1;
804 }
805
806 if (recvd_type != NULL)
807 *recvd_type = rr->type;
808
809 if (len == 0) {
810 /*
811 * Skip a zero length record. This ensures multiple calls to
812 * SSL_read() with a zero length buffer will eventually cause
813 * SSL_pending() to report data as being available.
814 */
815 if (rr->length == 0)
816 ssl_release_record(s, rr);
817
818 return 0;
819 }
820
821 totalbytes = 0;
822 curr_rec = s->rlayer.curr_rec;
823 do {
824 if (len - totalbytes > rr->length)
825 n = rr->length;
826 else
827 n = len - totalbytes;
828
829 memcpy(buf, &(rr->data[rr->off]), n);
830 buf += n;
831 if (peek) {
832 /* Mark any zero length record as consumed CVE-2016-6305 */
833 if (rr->length == 0)
834 ssl_release_record(s, rr);
835 } else {
836 if (s->options & SSL_OP_CLEANSE_PLAINTEXT)
837 OPENSSL_cleanse(&(rr->data[rr->off]), n);
838 rr->length -= n;
839 rr->off += n;
840 if (rr->length == 0)
841 ssl_release_record(s, rr);
842 }
843 if (rr->length == 0
844 || (peek && n == rr->length)) {
845 rr++;
846 curr_rec++;
847 }
848 totalbytes += n;
849 } while (type == SSL3_RT_APPLICATION_DATA
850 && curr_rec < s->rlayer.num_recs
851 && totalbytes < len);
852 if (totalbytes == 0) {
853 /* We must have read empty records. Get more data */
854 goto start;
855 }
856 *readbytes = totalbytes;
857 return 1;
858 }
859
860 /*
861 * If we get here, then type != rr->type; if we have a handshake message,
862 * then it was unexpected (Hello Request or Client Hello) or invalid (we
863 * were actually expecting a CCS).
864 */
865
866 /*
867 * Lets just double check that we've not got an SSLv2 record
868 */
869 if (rr->version == SSL2_VERSION) {
870 /*
871 * Should never happen. ssl3_get_record() should only give us an SSLv2
872 * record back if this is the first packet and we are looking for an
873 * initial ClientHello. Therefore |type| should always be equal to
874 * |rr->type|. If not then something has gone horribly wrong
875 */
876 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
877 return -1;
878 }
879
880 if (ssl->method->version == TLS_ANY_VERSION
881 && (s->server || rr->type != SSL3_RT_ALERT)) {
882 /*
883 * If we've got this far and still haven't decided on what version
884 * we're using then this must be a client side alert we're dealing
885 * with. We shouldn't be receiving anything other than a ClientHello
886 * if we are a server.
887 */
888 s->version = rr->version;
889 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
890 return -1;
891 }
892
893 /*-
894 * s->rlayer.handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
895 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
896 */
897
898 if (rr->type == SSL3_RT_ALERT) {
899 unsigned int alert_level, alert_descr;
900 unsigned char *alert_bytes = rr->data
901 + rr->off;
902 PACKET alert;
903
904 if (!PACKET_buf_init(&alert, alert_bytes, rr->length)
905 || !PACKET_get_1(&alert, &alert_level)
906 || !PACKET_get_1(&alert, &alert_descr)
907 || PACKET_remaining(&alert) != 0) {
908 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_INVALID_ALERT);
909 return -1;
910 }
911
912 if (s->msg_callback)
913 s->msg_callback(0, s->version, SSL3_RT_ALERT, alert_bytes, 2, ssl,
914 s->msg_callback_arg);
915
916 if (s->info_callback != NULL)
917 cb = s->info_callback;
918 else if (ssl->ctx->info_callback != NULL)
919 cb = ssl->ctx->info_callback;
920
921 if (cb != NULL) {
922 j = (alert_level << 8) | alert_descr;
923 cb(ssl, SSL_CB_READ_ALERT, j);
924 }
925
926 if ((!is_tls13 && alert_level == SSL3_AL_WARNING)
927 || (is_tls13 && alert_descr == SSL_AD_USER_CANCELLED)) {
928 s->s3.warn_alert = alert_descr;
929 ssl_release_record(s, rr);
930
931 s->rlayer.alert_count++;
932 if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {
933 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
934 SSL_R_TOO_MANY_WARN_ALERTS);
935 return -1;
936 }
937 }
938
939 /*
940 * Apart from close_notify the only other warning alert in TLSv1.3
941 * is user_cancelled - which we just ignore.
942 */
943 if (is_tls13 && alert_descr == SSL_AD_USER_CANCELLED) {
944 goto start;
945 } else if (alert_descr == SSL_AD_CLOSE_NOTIFY
946 && (is_tls13 || alert_level == SSL3_AL_WARNING)) {
947 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
948 return 0;
949 } else if (alert_level == SSL3_AL_FATAL || is_tls13) {
950 s->rwstate = SSL_NOTHING;
951 s->s3.fatal_alert = alert_descr;
952 SSLfatal_data(s, SSL_AD_NO_ALERT,
953 SSL_AD_REASON_OFFSET + alert_descr,
954 "SSL alert number %d", alert_descr);
955 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
956 ssl_release_record(s, rr);
957 SSL_CTX_remove_session(s->session_ctx, s->session);
958 return 0;
959 } else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
960 /*
961 * This is a warning but we receive it if we requested
962 * renegotiation and the peer denied it. Terminate with a fatal
963 * alert because if application tried to renegotiate it
964 * presumably had a good reason and expects it to succeed. In
965 * future we might have a renegotiation where we don't care if
966 * the peer refused it where we carry on.
967 */
968 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_RENEGOTIATION);
969 return -1;
970 } else if (alert_level == SSL3_AL_WARNING) {
971 /* We ignore any other warning alert in TLSv1.2 and below */
972 goto start;
973 }
974
975 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_ALERT_TYPE);
976 return -1;
977 }
978
979 if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) {
980 if (rr->type == SSL3_RT_HANDSHAKE) {
981 BIO *rbio;
982
983 /*
984 * We ignore any handshake messages sent to us unless they are
985 * TLSv1.3 in which case we want to process them. For all other
986 * handshake messages we can't do anything reasonable with them
987 * because we are unable to write any response due to having already
988 * sent close_notify.
989 */
990 if (!SSL_CONNECTION_IS_TLS13(s)) {
991 ssl_release_record(s, rr);
992
993 if ((s->mode & SSL_MODE_AUTO_RETRY) != 0)
994 goto start;
995
996 s->rwstate = SSL_READING;
997 rbio = SSL_get_rbio(ssl);
998 BIO_clear_retry_flags(rbio);
999 BIO_set_retry_read(rbio);
1000 return -1;
1001 }
1002 } else {
1003 /*
1004 * The peer is continuing to send application data, but we have
1005 * already sent close_notify. If this was expected we should have
1006 * been called via SSL_read() and this would have been handled
1007 * above.
1008 * No alert sent because we already sent close_notify
1009 */
1010 ssl_release_record(s, rr);
1011 SSLfatal(s, SSL_AD_NO_ALERT,
1012 SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY);
1013 return -1;
1014 }
1015 }
1016
1017 /*
1018 * For handshake data we have 'fragment' storage, so fill that so that we
1019 * can process the header at a fixed place. This is done after the
1020 * "SHUTDOWN" code above to avoid filling the fragment storage with data
1021 * that we're just going to discard.
1022 */
1023 if (rr->type == SSL3_RT_HANDSHAKE) {
1024 size_t dest_maxlen = sizeof(s->rlayer.handshake_fragment);
1025 unsigned char *dest = s->rlayer.handshake_fragment;
1026 size_t *dest_len = &s->rlayer.handshake_fragment_len;
1027
1028 n = dest_maxlen - *dest_len; /* available space in 'dest' */
1029 if (rr->length < n)
1030 n = rr->length; /* available bytes */
1031
1032 /* now move 'n' bytes: */
1033 memcpy(dest + *dest_len, rr->data + rr->off, n);
1034 rr->off += n;
1035 rr->length -= n;
1036 *dest_len += n;
1037 if (rr->length == 0)
1038 ssl_release_record(s, rr);
1039
1040 if (*dest_len < dest_maxlen)
1041 goto start; /* fragment was too small */
1042 }
1043
1044 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1045 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
1046 return -1;
1047 }
1048
1049 /*
1050 * Unexpected handshake message (ClientHello, NewSessionTicket (TLS1.3) or
1051 * protocol violation)
1052 */
1053 if ((s->rlayer.handshake_fragment_len >= 4)
1054 && !ossl_statem_get_in_handshake(s)) {
1055 int ined = (s->early_data_state == SSL_EARLY_DATA_READING);
1056
1057 /* We found handshake data, so we're going back into init */
1058 ossl_statem_set_in_init(s, 1);
1059
1060 i = s->handshake_func(ssl);
1061 /* SSLfatal() already called if appropriate */
1062 if (i < 0)
1063 return i;
1064 if (i == 0) {
1065 return -1;
1066 }
1067
1068 /*
1069 * If we were actually trying to read early data and we found a
1070 * handshake message, then we don't want to continue to try and read
1071 * the application data any more. It won't be "early" now.
1072 */
1073 if (ined)
1074 return -1;
1075
1076 if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
1077 if (!RECORD_LAYER_read_pending(&s->rlayer)) {
1078 BIO *bio;
1079 /*
1080 * In the case where we try to read application data, but we
1081 * trigger an SSL handshake, we return -1 with the retry
1082 * option set. Otherwise renegotiation may cause nasty
1083 * problems in the blocking world
1084 */
1085 s->rwstate = SSL_READING;
1086 bio = SSL_get_rbio(ssl);
1087 BIO_clear_retry_flags(bio);
1088 BIO_set_retry_read(bio);
1089 return -1;
1090 }
1091 }
1092 goto start;
1093 }
1094
1095 switch (rr->type) {
1096 default:
1097 /*
1098 * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but
1099 * TLS 1.2 says you MUST send an unexpected message alert. We use the
1100 * TLS 1.2 behaviour for all protocol versions to prevent issues where
1101 * no progress is being made and the peer continually sends unrecognised
1102 * record types, using up resources processing them.
1103 */
1104 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD);
1105 return -1;
1106 case SSL3_RT_CHANGE_CIPHER_SPEC:
1107 case SSL3_RT_ALERT:
1108 case SSL3_RT_HANDSHAKE:
1109 /*
1110 * we already handled all of these, with the possible exception of
1111 * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but
1112 * that should not happen when type != rr->type
1113 */
1114 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, ERR_R_INTERNAL_ERROR);
1115 return -1;
1116 case SSL3_RT_APPLICATION_DATA:
1117 /*
1118 * At this point, we were expecting handshake data, but have
1119 * application data. If the library was running inside ssl3_read()
1120 * (i.e. in_read_app_data is set) and it makes sense to read
1121 * application data at this point (session renegotiation not yet
1122 * started), we will indulge it.
1123 */
1124 if (ossl_statem_app_data_allowed(s)) {
1125 s->s3.in_read_app_data = 2;
1126 return -1;
1127 } else if (ossl_statem_skip_early_data(s)) {
1128 /*
1129 * This can happen after a client sends a CH followed by early_data,
1130 * but the server responds with a HelloRetryRequest. The server
1131 * reads the next record from the client expecting to find a
1132 * plaintext ClientHello but gets a record which appears to be
1133 * application data. The trial decrypt "works" because null
1134 * decryption was applied. We just skip it and move on to the next
1135 * record.
1136 */
1137 if (!ossl_early_data_count_ok(s, rr->length,
1138 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
1139 /* SSLfatal() already called */
1140 return -1;
1141 }
1142 ssl_release_record(s, rr);
1143 goto start;
1144 } else {
1145 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD);
1146 return -1;
1147 }
1148 }
1149 }
1150
1151 void ssl3_record_sequence_update(unsigned char *seq)
1152 {
1153 int i;
1154
1155 for (i = 7; i >= 0; i--) {
1156 ++seq[i];
1157 if (seq[i] != 0)
1158 break;
1159 }
1160 }
1161
1162 /*
1163 * Returns true if the current rrec was sent in SSLv2 backwards compatible
1164 * format and false otherwise.
1165 */
1166 int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl)
1167 {
1168 if (SSL_CONNECTION_IS_DTLS(rl->s))
1169 return 0;
1170 return rl->tlsrecs[0].version == SSL2_VERSION;
1171 }
1172
1173 static OSSL_FUNC_rlayer_msg_callback_fn rlayer_msg_callback_wrapper;
1174 static void rlayer_msg_callback_wrapper(int write_p, int version,
1175 int content_type, const void *buf,
1176 size_t len, void *cbarg)
1177 {
1178 SSL_CONNECTION *s = cbarg;
1179 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1180
1181 if (s->msg_callback != NULL)
1182 s->msg_callback(write_p, version, content_type, buf, len, ssl,
1183 s->msg_callback_arg);
1184 }
1185
1186 static OSSL_FUNC_rlayer_security_fn rlayer_security_wrapper;
1187 static int rlayer_security_wrapper(void *cbarg, int op, int bits, int nid,
1188 void *other)
1189 {
1190 SSL_CONNECTION *s = cbarg;
1191
1192 return ssl_security(s, op, bits, nid, other);
1193 }
1194
1195 static const OSSL_DISPATCH rlayer_dispatch[] = {
1196 { OSSL_FUNC_RLAYER_SKIP_EARLY_DATA, (void (*)(void))ossl_statem_skip_early_data },
1197 { OSSL_FUNC_RLAYER_MSG_CALLBACK, (void (*)(void))rlayer_msg_callback_wrapper },
1198 { OSSL_FUNC_RLAYER_SECURITY, (void (*)(void))rlayer_security_wrapper },
1199 { 0, NULL }
1200 };
1201
1202 static const OSSL_RECORD_METHOD *ssl_select_next_record_layer(SSL_CONNECTION *s,
1203 int level)
1204 {
1205
1206 if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE) {
1207 if (SSL_CONNECTION_IS_DTLS(s))
1208 return &ossl_dtls_record_method;
1209
1210 return &ossl_tls_record_method;
1211 }
1212
1213 #ifndef OPENSSL_NO_KTLS
1214 /* KTLS does not support renegotiation */
1215 if (level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION
1216 && (s->options & SSL_OP_ENABLE_KTLS) != 0
1217 && (SSL_CONNECTION_IS_TLS13(s) || SSL_IS_FIRST_HANDSHAKE(s)))
1218 return &ossl_ktls_record_method;
1219 #endif
1220
1221 /* Default to the current OSSL_RECORD_METHOD */
1222 return s->rlayer.rrlmethod;
1223 }
1224
1225 static int ssl_post_record_layer_select(SSL_CONNECTION *s, int direction)
1226 {
1227 const OSSL_RECORD_METHOD *thismethod;
1228 OSSL_RECORD_LAYER *thisrl;
1229
1230 if (direction == OSSL_RECORD_DIRECTION_READ) {
1231 thismethod = s->rlayer.rrlmethod;
1232 thisrl = s->rlayer.rrl;
1233 } else {
1234 thismethod = s->rlayer.wrlmethod;
1235 thisrl = s->rlayer.wrl;
1236 }
1237
1238 #ifndef OPENSSL_NO_KTLS
1239 {
1240 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1241
1242 if (s->rlayer.rrlmethod == &ossl_ktls_record_method) {
1243 /* KTLS does not support renegotiation so disallow it */
1244 SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION);
1245 }
1246 }
1247 #endif
1248 if (SSL_IS_FIRST_HANDSHAKE(s) && thismethod->set_first_handshake != NULL)
1249 thismethod->set_first_handshake(thisrl, 1);
1250
1251 if (s->max_pipelines != 0 && thismethod->set_max_pipelines != NULL)
1252 thismethod->set_max_pipelines(thisrl, s->max_pipelines);
1253
1254 return 1;
1255 }
1256
1257 int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
1258 int direction, int level,
1259 unsigned char *key, size_t keylen,
1260 unsigned char *iv, size_t ivlen,
1261 unsigned char *mackey, size_t mackeylen,
1262 const EVP_CIPHER *ciph, size_t taglen,
1263 int mactype, const EVP_MD *md,
1264 const SSL_COMP *comp)
1265 {
1266 OSSL_PARAM options[5], *opts = options;
1267 OSSL_PARAM settings[6], *set = settings;
1268 const OSSL_RECORD_METHOD **thismethod;
1269 OSSL_RECORD_LAYER **thisrl, *newrl = NULL;
1270 BIO *thisbio;
1271 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1272 const OSSL_RECORD_METHOD *meth;
1273 int use_etm, stream_mac = 0, tlstree = 0;
1274 unsigned int maxfrag = SSL3_RT_MAX_PLAIN_LENGTH;
1275 int use_early_data = 0;
1276 uint32_t max_early_data;
1277
1278 meth = ssl_select_next_record_layer(s, level);
1279
1280 if (direction == OSSL_RECORD_DIRECTION_READ) {
1281 thismethod = &s->rlayer.rrlmethod;
1282 thisrl = &s->rlayer.rrl;
1283 thisbio = s->rbio;
1284 } else {
1285 thismethod = &s->rlayer.wrlmethod;
1286 thisrl = &s->rlayer.wrl;
1287 thisbio = s->wbio;
1288 }
1289
1290 if (meth == NULL)
1291 meth = *thismethod;
1292
1293 if (!ossl_assert(meth != NULL)) {
1294 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
1295 return 0;
1296 }
1297
1298 /* Parameters that *may* be supported by a record layer if passed */
1299 *opts++ = OSSL_PARAM_construct_uint64(OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS,
1300 &s->options);
1301 *opts++ = OSSL_PARAM_construct_uint32(OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE,
1302 &s->mode);
1303 if (direction == OSSL_RECORD_DIRECTION_READ) {
1304 *opts++ = OSSL_PARAM_construct_size_t(OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN,
1305 &s->rlayer.default_read_buf_len);
1306 *opts++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD,
1307 &s->rlayer.read_ahead);
1308 }
1309 *opts = OSSL_PARAM_construct_end();
1310
1311 /* Parameters that *must* be supported by a record layer if passed */
1312 if (direction == OSSL_RECORD_DIRECTION_READ) {
1313 use_etm = SSL_READ_ETM(s) ? 1 : 0;
1314 if ((s->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM) != 0)
1315 stream_mac = 1;
1316
1317 if ((s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE) != 0)
1318 tlstree = 1;
1319 } else {
1320 use_etm = SSL_WRITE_ETM(s) ? 1 : 0;
1321 if ((s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) != 0)
1322 stream_mac = 1;
1323
1324 if ((s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) != 0)
1325 tlstree = 1;
1326 }
1327
1328 if (use_etm)
1329 *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM,
1330 &use_etm);
1331
1332 if (stream_mac)
1333 *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC,
1334 &stream_mac);
1335
1336 if (tlstree)
1337 *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE,
1338 &tlstree);
1339
1340 if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1341 maxfrag = GET_MAX_FRAGMENT_LENGTH(s->session);
1342
1343 if (maxfrag != SSL3_RT_MAX_PLAIN_LENGTH)
1344 *set++ = OSSL_PARAM_construct_uint(OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN,
1345 &maxfrag);
1346
1347 /*
1348 * The record layer must check the amount of early data sent or received
1349 * using the early keys. A server also needs to worry about rejected early
1350 * data that might arrive when the handshake keys are in force.
1351 */
1352 /* TODO(RECLAYER): Check this when doing the "write" record layer */
1353 if (s->server && direction == OSSL_RECORD_DIRECTION_READ) {
1354 use_early_data = (level == OSSL_RECORD_PROTECTION_LEVEL_EARLY
1355 || level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE);
1356 } else if (!s->server && direction == OSSL_RECORD_DIRECTION_WRITE) {
1357 use_early_data = (level == OSSL_RECORD_PROTECTION_LEVEL_EARLY);
1358 }
1359 if (use_early_data) {
1360 max_early_data = ossl_get_max_early_data(s);
1361
1362 if (max_early_data != 0)
1363 *set++ = OSSL_PARAM_construct_uint(OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA,
1364 &max_early_data);
1365 }
1366
1367 *set = OSSL_PARAM_construct_end();
1368
1369 for (;;) {
1370 int rlret;
1371 BIO *prev = NULL;
1372 BIO *next = NULL;
1373 unsigned int epoch = 0;;
1374
1375 if (direction == OSSL_RECORD_DIRECTION_READ) {
1376 prev = s->rlayer.rrlnext;
1377 if (SSL_CONNECTION_IS_DTLS(s)
1378 && level != OSSL_RECORD_PROTECTION_LEVEL_NONE)
1379 epoch = DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer) + 1; /* new epoch */
1380
1381 if (SSL_CONNECTION_IS_DTLS(s))
1382 next = BIO_new(BIO_s_dgram_mem());
1383 else
1384 next = BIO_new(BIO_s_mem());
1385
1386 if (next == NULL) {
1387 BIO_free(prev);
1388 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1389 return 0;
1390 }
1391 s->rlayer.rrlnext = next;
1392 }
1393
1394 rlret = meth->new_record_layer(sctx->libctx, sctx->propq, version,
1395 s->server, direction, level, epoch,
1396 key, keylen, iv, ivlen, mackey,
1397 mackeylen, ciph, taglen, mactype, md,
1398 comp, prev, thisbio, next, NULL, NULL,
1399 settings, options, rlayer_dispatch, s,
1400 &newrl);
1401 BIO_free(prev);
1402 switch (rlret) {
1403 case OSSL_RECORD_RETURN_FATAL:
1404 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_RECORD_LAYER_FAILURE);
1405 return 0;
1406
1407 case OSSL_RECORD_RETURN_NON_FATAL_ERR:
1408 if (*thismethod != meth && *thismethod != NULL) {
1409 /*
1410 * We tried a new record layer method, but it didn't work out,
1411 * so we fallback to the original method and try again
1412 */
1413 meth = *thismethod;
1414 continue;
1415 }
1416 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_RECORD_LAYER);
1417 return 0;
1418
1419 case OSSL_RECORD_RETURN_SUCCESS:
1420 break;
1421
1422 default:
1423 /* Should not happen */
1424 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1425 return 0;
1426 }
1427 break;
1428 }
1429
1430 if (*thismethod != NULL && !(*thismethod)->free(*thisrl)) {
1431 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1432 return 0;
1433 }
1434
1435 *thisrl = newrl;
1436 *thismethod = meth;
1437
1438 return ssl_post_record_layer_select(s, direction);
1439 }
1440
1441 int ssl_set_record_protocol_version(SSL_CONNECTION *s, int vers)
1442 {
1443 if (!ossl_assert(s->rlayer.rrlmethod != NULL)
1444 || !ossl_assert(s->rlayer.wrlmethod != NULL))
1445 return 0;
1446 s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl, s->version);
1447 s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, s->version);
1448
1449 return 1;
1450 }
A mirror of the official openssl repository