]>
Commit | Line | Data |
---|---|---|
eddb067e MC |
1 | /* |
2 | * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include "../../ssl_local.h" | |
11 | #include "../record_local.h" | |
12 | #include "recmethod_local.h" | |
13 | ||
14 | /* mod 128 saturating subtract of two 64-bit values in big-endian order */ | |
15 | static int satsub64be(const unsigned char *v1, const unsigned char *v2) | |
16 | { | |
17 | int64_t ret; | |
18 | uint64_t l1, l2; | |
19 | ||
20 | n2l8(v1, l1); | |
21 | n2l8(v2, l2); | |
22 | ||
23 | ret = l1 - l2; | |
24 | ||
25 | /* We do not permit wrap-around */ | |
26 | if (l1 > l2 && ret < 0) | |
27 | return 128; | |
28 | else if (l2 > l1 && ret > 0) | |
29 | return -128; | |
30 | ||
31 | if (ret > 128) | |
32 | return 128; | |
33 | else if (ret < -128) | |
34 | return -128; | |
35 | else | |
36 | return (int)ret; | |
37 | } | |
38 | ||
3a7a539e | 39 | static int dtls_record_replay_check(OSSL_RECORD_LAYER *rl, DTLS1_BITMAP *bitmap) |
eddb067e MC |
40 | { |
41 | int cmp; | |
42 | unsigned int shift; | |
222cf410 | 43 | const unsigned char *seq = rl->sequence; |
eddb067e MC |
44 | |
45 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
46 | if (cmp > 0) { | |
47 | SSL3_RECORD_set_seq_num(&rl->rrec[0], seq); | |
48 | return 1; /* this record in new */ | |
49 | } | |
50 | shift = -cmp; | |
51 | if (shift >= sizeof(bitmap->map) * 8) | |
52 | return 0; /* stale, outside the window */ | |
53 | else if (bitmap->map & (1UL << shift)) | |
54 | return 0; /* record previously received */ | |
55 | ||
56 | SSL3_RECORD_set_seq_num(&rl->rrec[0], seq); | |
57 | return 1; | |
58 | } | |
59 | ||
3a7a539e MC |
60 | static void dtls_record_bitmap_update(OSSL_RECORD_LAYER *rl, |
61 | DTLS1_BITMAP *bitmap) | |
eddb067e MC |
62 | { |
63 | int cmp; | |
64 | unsigned int shift; | |
222cf410 | 65 | const unsigned char *seq = rl->sequence; |
eddb067e MC |
66 | |
67 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
68 | if (cmp > 0) { | |
69 | shift = cmp; | |
70 | if (shift < sizeof(bitmap->map) * 8) | |
71 | bitmap->map <<= shift, bitmap->map |= 1UL; | |
72 | else | |
73 | bitmap->map = 1UL; | |
74 | memcpy(bitmap->max_seq_num, seq, SEQ_NUM_SIZE); | |
75 | } else { | |
76 | shift = -cmp; | |
77 | if (shift < sizeof(bitmap->map) * 8) | |
78 | bitmap->map |= 1UL << shift; | |
79 | } | |
80 | } | |
81 | ||
3a7a539e MC |
82 | static DTLS1_BITMAP *dtls_get_bitmap(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rr, |
83 | unsigned int *is_next_epoch) | |
eddb067e | 84 | { |
eddb067e MC |
85 | *is_next_epoch = 0; |
86 | ||
87 | /* In current epoch, accept HM, CCS, DATA, & ALERT */ | |
222cf410 | 88 | if (rr->epoch == rl->epoch) |
bfc0f10d | 89 | return &rl->bitmap; |
eddb067e MC |
90 | |
91 | /* | |
92 | * Only HM and ALERT messages can be from the next epoch and only if we | |
93 | * have already processed all of the unprocessed records from the last | |
94 | * epoch | |
95 | */ | |
222cf410 MC |
96 | else if (rr->epoch == (unsigned long)(rl->epoch + 1) && |
97 | rl->unprocessed_rcds.epoch != rl->epoch && | |
eddb067e MC |
98 | (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { |
99 | *is_next_epoch = 1; | |
bfc0f10d | 100 | return &rl->next_bitmap; |
eddb067e MC |
101 | } |
102 | ||
103 | return NULL; | |
104 | } | |
105 | ||
bfc0f10d MC |
106 | static void dtls_set_in_init(OSSL_RECORD_LAYER *rl, int in_init) |
107 | { | |
108 | rl->in_init = in_init; | |
109 | } | |
110 | ||
3a7a539e | 111 | static int dtls_process_record(OSSL_RECORD_LAYER *rl, DTLS1_BITMAP *bitmap) |
eddb067e MC |
112 | { |
113 | int i; | |
114 | int enc_err; | |
eddb067e MC |
115 | SSL3_RECORD *rr; |
116 | int imac_size; | |
117 | size_t mac_size = 0; | |
118 | unsigned char md[EVP_MAX_MD_SIZE]; | |
eddb067e MC |
119 | SSL_MAC_BUF macbuf = { NULL, 0 }; |
120 | int ret = 0; | |
eddb067e MC |
121 | |
122 | rr = &rl->rrec[0]; | |
eddb067e MC |
123 | |
124 | /* | |
222cf410 MC |
125 | * At this point, rl->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, |
126 | * and we have that many bytes in rl->packet | |
eddb067e | 127 | */ |
222cf410 | 128 | rr->input = &(rl->packet[DTLS1_RT_HEADER_LENGTH]); |
eddb067e MC |
129 | |
130 | /* | |
222cf410 | 131 | * ok, we can now read from 'rl->packet' data into 'rr'. rr->input |
eddb067e MC |
132 | * points at rr->length bytes, which need to be copied into rr->data by |
133 | * either the decryption or by the decompression. When the data is 'copied' | |
134 | * into the rr->data buffer, rr->input will be pointed at the new buffer | |
135 | */ | |
136 | ||
137 | /* | |
138 | * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length | |
139 | * bytes of encrypted compressed stuff. | |
140 | */ | |
141 | ||
142 | /* check is not needed I believe */ | |
143 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
222cf410 | 144 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); |
eddb067e MC |
145 | return 0; |
146 | } | |
147 | ||
148 | /* decrypt in place in 'rr->input' */ | |
149 | rr->data = rr->input; | |
150 | rr->orig_len = rr->length; | |
151 | ||
222cf410 MC |
152 | if (rl->md_ctx != NULL) { |
153 | const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx); | |
eddb067e MC |
154 | |
155 | if (tmpmd != NULL) { | |
156 | imac_size = EVP_MD_get_size(tmpmd); | |
157 | if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { | |
222cf410 | 158 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); |
eddb067e MC |
159 | return 0; |
160 | } | |
161 | mac_size = (size_t)imac_size; | |
162 | } | |
163 | } | |
164 | ||
222cf410 | 165 | if (rl->use_etm && rl->md_ctx) { |
eddb067e MC |
166 | unsigned char *mac; |
167 | ||
168 | if (rr->orig_len < mac_size) { | |
222cf410 | 169 | RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); |
eddb067e MC |
170 | return 0; |
171 | } | |
172 | rr->length -= mac_size; | |
173 | mac = rr->data + rr->length; | |
222cf410 | 174 | i = rl->funcs->mac(rl, rr, md, 0 /* not send */); |
eddb067e | 175 | if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { |
222cf410 MC |
176 | RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, |
177 | SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); | |
eddb067e MC |
178 | return 0; |
179 | } | |
180 | /* | |
181 | * We've handled the mac now - there is no MAC inside the encrypted | |
182 | * record | |
183 | */ | |
184 | mac_size = 0; | |
185 | } | |
186 | ||
187 | /* | |
188 | * Set a mark around the packet decryption attempt. This is DTLS, so | |
189 | * bad packets are just ignored, and we don't want to leave stray | |
190 | * errors in the queue from processing bogus junk that we ignored. | |
191 | */ | |
192 | ERR_set_mark(); | |
222cf410 | 193 | enc_err = rl->funcs->cipher(rl, rr, 1, 0, &macbuf, mac_size); |
eddb067e MC |
194 | |
195 | /*- | |
196 | * enc_err is: | |
197 | * 0: if the record is publicly invalid, or an internal error, or AEAD | |
198 | * decryption failed, or ETM decryption failed. | |
199 | * 1: Success or MTE decryption failed (MAC will be randomised) | |
200 | */ | |
201 | if (enc_err == 0) { | |
202 | ERR_pop_to_mark(); | |
222cf410 | 203 | if (rl->alert != 0) { |
eddb067e MC |
204 | /* SSLfatal() got called */ |
205 | goto end; | |
206 | } | |
207 | /* For DTLS we simply ignore bad packets. */ | |
208 | rr->length = 0; | |
222cf410 | 209 | rl->packet_length = 0; |
eddb067e MC |
210 | goto end; |
211 | } | |
212 | ERR_clear_last_mark(); | |
213 | OSSL_TRACE_BEGIN(TLS) { | |
214 | BIO_printf(trc_out, "dec %zd\n", rr->length); | |
215 | BIO_dump_indent(trc_out, rr->data, rr->length, 4); | |
216 | } OSSL_TRACE_END(TLS); | |
217 | ||
218 | /* r->length is now the compressed data plus mac */ | |
222cf410 MC |
219 | if (!rl->use_etm |
220 | && (rl->enc_ctx != NULL) | |
221 | && (EVP_MD_CTX_get0_md(rl->md_ctx) != NULL)) { | |
222 | /* rl->md_ctx != NULL => mac_size != -1 */ | |
eddb067e | 223 | |
222cf410 | 224 | i = rl->funcs->mac(rl, rr, md, 0 /* not send */ ); |
eddb067e MC |
225 | if (i == 0 || macbuf.mac == NULL |
226 | || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0) | |
227 | enc_err = 0; | |
228 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) | |
229 | enc_err = 0; | |
230 | } | |
231 | ||
232 | if (enc_err == 0) { | |
233 | /* decryption failed, silently discard message */ | |
234 | rr->length = 0; | |
222cf410 | 235 | rl->packet_length = 0; |
eddb067e MC |
236 | goto end; |
237 | } | |
238 | ||
239 | /* r->length is now just compressed */ | |
222cf410 | 240 | if (rl->expand != NULL) { |
eddb067e | 241 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { |
222cf410 MC |
242 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, |
243 | SSL_R_COMPRESSED_LENGTH_TOO_LONG); | |
eddb067e MC |
244 | goto end; |
245 | } | |
222cf410 MC |
246 | if (!tls_do_uncompress(rl, rr)) { |
247 | RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION); | |
eddb067e MC |
248 | goto end; |
249 | } | |
250 | } | |
251 | ||
222cf410 MC |
252 | /* |
253 | * Check if the received packet overflows the current Max Fragment | |
254 | * Length setting. | |
255 | */ | |
256 | if (rl->max_frag_len > 0 && rr->length > rl->max_frag_len) { | |
257 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); | |
eddb067e MC |
258 | goto end; |
259 | } | |
260 | ||
222cf410 | 261 | |
eddb067e MC |
262 | rr->off = 0; |
263 | /*- | |
264 | * So at this point the following is true | |
265 | * ssl->s3.rrec.type is the type of record | |
266 | * ssl->s3.rrec.length == number of bytes in record | |
267 | * ssl->s3.rrec.off == offset to first valid byte | |
268 | * ssl->s3.rrec.data == where to take bytes from, increment | |
269 | * after use :-). | |
270 | */ | |
271 | ||
272 | /* we have pulled in a full packet so zero things */ | |
222cf410 | 273 | rl->packet_length = 0; |
eddb067e MC |
274 | |
275 | /* Mark receipt of record. */ | |
3a7a539e | 276 | dtls_record_bitmap_update(rl, bitmap); |
eddb067e MC |
277 | |
278 | ret = 1; | |
279 | end: | |
280 | if (macbuf.alloced) | |
281 | OPENSSL_free(macbuf.mac); | |
282 | return ret; | |
283 | } | |
284 | ||
222cf410 | 285 | static int dtls_rlayer_buffer_record(OSSL_RECORD_LAYER *rl, record_pqueue *queue, |
eddb067e MC |
286 | unsigned char *priority) |
287 | { | |
288 | DTLS_RLAYER_RECORD_DATA *rdata; | |
289 | pitem *item; | |
eddb067e MC |
290 | |
291 | /* Limit the size of the queue to prevent DOS attacks */ | |
292 | if (pqueue_size(queue->q) >= 100) | |
293 | return 0; | |
294 | ||
295 | rdata = OPENSSL_malloc(sizeof(*rdata)); | |
296 | item = pitem_new(priority, rdata); | |
297 | if (rdata == NULL || item == NULL) { | |
298 | OPENSSL_free(rdata); | |
299 | pitem_free(item); | |
222cf410 | 300 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
eddb067e MC |
301 | return -1; |
302 | } | |
303 | ||
222cf410 MC |
304 | rdata->packet = rl->packet; |
305 | rdata->packet_length = rl->packet_length; | |
306 | memcpy(&(rdata->rbuf), &rl->rbuf, sizeof(SSL3_BUFFER)); | |
eddb067e MC |
307 | memcpy(&(rdata->rrec), &rl->rrec[0], sizeof(SSL3_RECORD)); |
308 | ||
309 | item->data = rdata; | |
310 | ||
222cf410 MC |
311 | rl->packet = NULL; |
312 | rl->packet_length = 0; | |
313 | memset(&rl->rbuf, 0, sizeof(SSL3_BUFFER)); | |
eddb067e MC |
314 | memset(&rl->rrec[0], 0, sizeof(rl->rrec[0])); |
315 | ||
222cf410 MC |
316 | |
317 | if (!rlayer_setup_read_buffer(rl)) { | |
eddb067e MC |
318 | /* SSLfatal() already called */ |
319 | OPENSSL_free(rdata->rbuf.buf); | |
320 | OPENSSL_free(rdata); | |
321 | pitem_free(item); | |
322 | return -1; | |
323 | } | |
324 | ||
325 | if (pqueue_insert(queue->q, item) == NULL) { | |
326 | /* Must be a duplicate so ignore it */ | |
327 | OPENSSL_free(rdata->rbuf.buf); | |
328 | OPENSSL_free(rdata); | |
329 | pitem_free(item); | |
330 | } | |
331 | ||
332 | return 1; | |
333 | } | |
334 | ||
bfc0f10d | 335 | /* copy buffered record into OSSL_RECORD_LAYER structure */ |
eddb067e MC |
336 | static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER *rl, pitem *item) |
337 | { | |
338 | DTLS_RLAYER_RECORD_DATA *rdata; | |
eddb067e MC |
339 | |
340 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
341 | ||
222cf410 | 342 | SSL3_BUFFER_release(&rl->rbuf); |
eddb067e | 343 | |
222cf410 MC |
344 | rl->packet = rdata->packet; |
345 | rl->packet_length = rdata->packet_length; | |
346 | memcpy(&rl->rbuf, &(rdata->rbuf), sizeof(SSL3_BUFFER)); | |
eddb067e MC |
347 | memcpy(&rl->rrec[0], &(rdata->rrec), sizeof(SSL3_RECORD)); |
348 | ||
349 | /* Set proper sequence number for mac calculation */ | |
222cf410 | 350 | memcpy(&(rl->sequence[2]), &(rdata->packet[5]), 6); |
eddb067e MC |
351 | |
352 | return 1; | |
353 | } | |
354 | ||
355 | static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER *rl, | |
356 | record_pqueue *queue) | |
357 | { | |
358 | pitem *item; | |
359 | ||
360 | item = pqueue_pop(queue->q); | |
361 | if (item) { | |
362 | dtls_copy_rlayer_record(rl, item); | |
363 | ||
364 | OPENSSL_free(item->data); | |
365 | pitem_free(item); | |
366 | ||
367 | return 1; | |
368 | } | |
369 | ||
370 | return 0; | |
371 | } | |
372 | ||
eddb067e MC |
373 | /*- |
374 | * Call this to get a new input record. | |
375 | * It will return <= 0 if more data is needed, normally due to an error | |
376 | * or non-blocking IO. | |
377 | * When it finishes, one packet has been decoded and can be found in | |
378 | * ssl->s3.rrec.type - is the type of record | |
379 | * ssl->s3.rrec.data - data | |
380 | * ssl->s3.rrec.length - number of bytes | |
381 | */ | |
222cf410 | 382 | int dtls_get_more_records(OSSL_RECORD_LAYER *rl) |
eddb067e MC |
383 | { |
384 | int ssl_major, ssl_minor; | |
385 | int rret; | |
386 | size_t more, n; | |
387 | SSL3_RECORD *rr; | |
388 | unsigned char *p = NULL; | |
389 | unsigned short version; | |
390 | DTLS1_BITMAP *bitmap; | |
391 | unsigned int is_next_epoch; | |
eddb067e MC |
392 | |
393 | rl->num_recs = 0; | |
394 | rl->curr_rec = 0; | |
395 | rl->num_released = 0; | |
396 | ||
397 | rr = rl->rrec; | |
398 | ||
81c9ebd9 MC |
399 | if (rl->rbuf.buf == NULL) { |
400 | if (!rlayer_setup_read_buffer(rl)) { | |
401 | /* RLAYERfatal() already called */ | |
402 | return OSSL_RECORD_RETURN_FATAL; | |
403 | } | |
404 | } | |
405 | ||
eddb067e | 406 | again: |
eddb067e MC |
407 | /* if we're renegotiating, then there may be buffered records */ |
408 | if (dtls_retrieve_rlayer_buffered_record(rl, &rl->processed_rcds)) { | |
409 | rl->num_recs = 1; | |
410 | return OSSL_RECORD_RETURN_SUCCESS; | |
411 | } | |
412 | ||
413 | /* get something from the wire */ | |
414 | ||
415 | /* check if we have the header */ | |
222cf410 MC |
416 | if ((rl->rstate != SSL_ST_READ_BODY) || |
417 | (rl->packet_length < DTLS1_RT_HEADER_LENGTH)) { | |
418 | rret = rl->funcs->read_n(rl, DTLS1_RT_HEADER_LENGTH, | |
419 | SSL3_BUFFER_get_len(&rl->rbuf), 0, 1, &n); | |
eddb067e MC |
420 | /* read timeout is handled by dtls1_read_bytes */ |
421 | if (rret < OSSL_RECORD_RETURN_SUCCESS) { | |
422 | /* SSLfatal() already called if appropriate */ | |
423 | return rret; /* error or non-blocking */ | |
424 | } | |
425 | ||
426 | /* this packet contained a partial record, dump it */ | |
222cf410 MC |
427 | if (rl->packet_length != DTLS1_RT_HEADER_LENGTH) { |
428 | rl->packet_length = 0; | |
eddb067e MC |
429 | goto again; |
430 | } | |
431 | ||
222cf410 | 432 | rl->rstate = SSL_ST_READ_BODY; |
eddb067e | 433 | |
222cf410 | 434 | p = rl->packet; |
eddb067e | 435 | |
222cf410 MC |
436 | rl->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, |
437 | rl->cbarg); | |
eddb067e MC |
438 | |
439 | /* Pull apart the header into the DTLS1_RECORD */ | |
440 | rr->type = *(p++); | |
441 | ssl_major = *(p++); | |
442 | ssl_minor = *(p++); | |
443 | version = (ssl_major << 8) | ssl_minor; | |
444 | ||
445 | /* sequence number is 64 bits, with top 2 bytes = epoch */ | |
446 | n2s(p, rr->epoch); | |
447 | ||
222cf410 | 448 | memcpy(&(rl->sequence[2]), p, 6); |
eddb067e MC |
449 | p += 6; |
450 | ||
451 | n2s(p, rr->length); | |
452 | rr->read = 0; | |
453 | ||
454 | /* | |
455 | * Lets check the version. We tolerate alerts that don't have the exact | |
456 | * version number (e.g. because of protocol version errors) | |
457 | */ | |
222cf410 MC |
458 | if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) { |
459 | if (version != rl->version) { | |
eddb067e MC |
460 | /* unexpected version, silently discard */ |
461 | rr->length = 0; | |
462 | rr->read = 1; | |
222cf410 | 463 | rl->packet_length = 0; |
eddb067e MC |
464 | goto again; |
465 | } | |
466 | } | |
467 | ||
222cf410 MC |
468 | |
469 | if (ssl_major != | |
470 | (rl->version == DTLS_ANY_VERSION ? DTLS1_VERSION_MAJOR | |
471 | : rl->version >> 8)) { | |
eddb067e MC |
472 | /* wrong version, silently discard record */ |
473 | rr->length = 0; | |
474 | rr->read = 1; | |
222cf410 | 475 | rl->packet_length = 0; |
eddb067e MC |
476 | goto again; |
477 | } | |
478 | ||
479 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
480 | /* record too long, silently discard it */ | |
481 | rr->length = 0; | |
482 | rr->read = 1; | |
222cf410 | 483 | rl->packet_length = 0; |
eddb067e MC |
484 | goto again; |
485 | } | |
486 | ||
222cf410 MC |
487 | |
488 | /* | |
489 | * If received packet overflows maximum possible fragment length then | |
490 | * silently discard it | |
491 | */ | |
492 | if (rl->max_frag_len > 0 | |
493 | && rr->length > rl->max_frag_len + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) { | |
eddb067e MC |
494 | /* record too long, silently discard it */ |
495 | rr->length = 0; | |
496 | rr->read = 1; | |
222cf410 | 497 | rl->packet_length = 0; |
eddb067e MC |
498 | goto again; |
499 | } | |
500 | ||
222cf410 | 501 | /* now rl->rstate == SSL_ST_READ_BODY */ |
eddb067e MC |
502 | } |
503 | ||
222cf410 | 504 | /* rl->rstate == SSL_ST_READ_BODY, get and decode the data */ |
eddb067e MC |
505 | |
506 | if (rr->length > | |
222cf410 MC |
507 | rl->packet_length - DTLS1_RT_HEADER_LENGTH) { |
508 | /* now rl->packet_length == DTLS1_RT_HEADER_LENGTH */ | |
eddb067e | 509 | more = rr->length; |
222cf410 | 510 | rret = rl->funcs->read_n(rl, more, more, 1, 1, &n); |
eddb067e MC |
511 | /* this packet contained a partial record, dump it */ |
512 | if (rret < OSSL_RECORD_RETURN_SUCCESS || n != more) { | |
222cf410 MC |
513 | if (rl->alert != 0) { |
514 | /* read_n() called RLAYERfatal() */ | |
eddb067e MC |
515 | return OSSL_RECORD_RETURN_FATAL; |
516 | } | |
517 | rr->length = 0; | |
518 | rr->read = 1; | |
222cf410 | 519 | rl->packet_length = 0; |
eddb067e MC |
520 | goto again; |
521 | } | |
522 | ||
523 | /* | |
222cf410 MC |
524 | * now n == rr->length, |
525 | * and rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length | |
eddb067e MC |
526 | */ |
527 | } | |
528 | /* set state for later operations */ | |
222cf410 | 529 | rl->rstate = SSL_ST_READ_HEADER; |
eddb067e MC |
530 | |
531 | /* match epochs. NULL means the packet is dropped on the floor */ | |
3a7a539e | 532 | bitmap = dtls_get_bitmap(rl, rr, &is_next_epoch); |
eddb067e MC |
533 | if (bitmap == NULL) { |
534 | rr->length = 0; | |
222cf410 | 535 | rl->packet_length = 0; /* dump this record */ |
eddb067e MC |
536 | goto again; /* get another record */ |
537 | } | |
538 | #ifndef OPENSSL_NO_SCTP | |
539 | /* Only do replay check if no SCTP bio */ | |
222cf410 | 540 | if (!BIO_dgram_is_sctp(rl->bio)) { |
eddb067e MC |
541 | #endif |
542 | /* Check whether this is a repeat, or aged record. */ | |
3a7a539e | 543 | if (!dtls_record_replay_check(rl, bitmap)) { |
eddb067e MC |
544 | rr->length = 0; |
545 | rr->read = 1; | |
222cf410 | 546 | rl->packet_length = 0; /* dump this record */ |
eddb067e MC |
547 | goto again; /* get another record */ |
548 | } | |
549 | #ifndef OPENSSL_NO_SCTP | |
550 | } | |
551 | #endif | |
552 | ||
553 | /* just read a 0 length packet */ | |
554 | if (rr->length == 0) { | |
555 | rr->read = 1; | |
556 | goto again; | |
557 | } | |
558 | ||
559 | /* | |
560 | * If this record is from the next epoch (either HM or ALERT), and a | |
561 | * handshake is currently in progress, buffer it since it cannot be | |
562 | * processed at this time. | |
563 | */ | |
564 | if (is_next_epoch) { | |
bfc0f10d | 565 | if (rl->in_init) { |
222cf410 | 566 | if (dtls_rlayer_buffer_record(rl, |
eddb067e MC |
567 | &(rl->unprocessed_rcds), |
568 | rr->seq_num) < 0) { | |
569 | /* SSLfatal() already called */ | |
570 | return OSSL_RECORD_RETURN_FATAL; | |
571 | } | |
572 | } | |
573 | rr->length = 0; | |
574 | rr->read = 1; | |
222cf410 | 575 | rl->packet_length = 0; |
eddb067e MC |
576 | goto again; |
577 | } | |
578 | ||
3a7a539e | 579 | if (!dtls_process_record(rl, bitmap)) { |
222cf410 | 580 | if (rl->alert != 0) { |
3a7a539e | 581 | /* dtls_process_record() called RLAYERfatal */ |
eddb067e MC |
582 | return OSSL_RECORD_RETURN_FATAL; |
583 | } | |
584 | rr->length = 0; | |
585 | rr->read = 1; | |
222cf410 | 586 | rl->packet_length = 0; /* dump this record */ |
eddb067e MC |
587 | goto again; /* get another record */ |
588 | } | |
589 | ||
590 | rl->num_recs = 1; | |
591 | return OSSL_RECORD_RETURN_SUCCESS; | |
592 | ||
593 | } | |
594 | ||
eddb067e MC |
595 | static int dtls_free(OSSL_RECORD_LAYER *rl) |
596 | { | |
7a15ed64 MC |
597 | SSL3_BUFFER *rbuf; |
598 | size_t left, written; | |
eddb067e MC |
599 | pitem *item; |
600 | DTLS_RLAYER_RECORD_DATA *rdata; | |
7a15ed64 | 601 | int ret = 1; |
eddb067e | 602 | |
7a15ed64 MC |
603 | rbuf = &rl->rbuf; |
604 | ||
605 | left = rbuf->left; | |
606 | if (left > 0) { | |
607 | /* | |
608 | * This record layer is closing but we still have data left in our | |
609 | * buffer. It must be destined for the next epoch - so push it there. | |
610 | */ | |
611 | ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written); | |
612 | rbuf->left = 0; | |
613 | } | |
614 | ||
615 | if (rl->unprocessed_rcds.q != NULL) { | |
eddb067e MC |
616 | while ((item = pqueue_pop(rl->unprocessed_rcds.q)) != NULL) { |
617 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
7a15ed64 MC |
618 | /* Push to the next record layer */ |
619 | /* TODO(RECLAYER): Handle SCTP meta data */ | |
620 | ret &= BIO_write_ex(rl->next, rdata->packet, rdata->packet_length, | |
621 | &written); | |
eddb067e MC |
622 | OPENSSL_free(rdata->rbuf.buf); |
623 | OPENSSL_free(item->data); | |
624 | pitem_free(item); | |
625 | } | |
626 | pqueue_free(rl->unprocessed_rcds.q); | |
627 | } | |
628 | ||
7a15ed64 | 629 | if (rl->processed_rcds.q != NULL) { |
eddb067e MC |
630 | while ((item = pqueue_pop(rl->processed_rcds.q)) != NULL) { |
631 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
632 | OPENSSL_free(rdata->rbuf.buf); | |
633 | OPENSSL_free(item->data); | |
634 | pitem_free(item); | |
635 | } | |
636 | pqueue_free(rl->processed_rcds.q); | |
637 | } | |
638 | ||
7a15ed64 | 639 | return tls_free(rl) && ret; |
eddb067e MC |
640 | } |
641 | ||
642 | static int | |
643 | dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, | |
222cf410 MC |
644 | int role, int direction, int level, unsigned int epoch, |
645 | unsigned char *key, size_t keylen, unsigned char *iv, | |
646 | size_t ivlen, unsigned char *mackey, size_t mackeylen, | |
eddb067e MC |
647 | const EVP_CIPHER *ciph, size_t taglen, |
648 | /* TODO(RECLAYER): This probably should not be an int */ | |
649 | int mactype, | |
650 | const EVP_MD *md, const SSL_COMP *comp, BIO *prev, | |
651 | BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, | |
652 | const OSSL_PARAM *settings, const OSSL_PARAM *options, | |
653 | const OSSL_DISPATCH *fns, void *cbarg, | |
654 | OSSL_RECORD_LAYER **retrl) | |
655 | { | |
656 | int ret; | |
657 | ||
658 | ||
659 | ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level, | |
660 | key, keylen, iv, ivlen, mackey, mackeylen, | |
661 | ciph, taglen, mactype, md, comp, prev, | |
662 | transport, next, local, peer, settings, | |
663 | options, fns, cbarg, retrl); | |
664 | ||
665 | if (ret != OSSL_RECORD_RETURN_SUCCESS) | |
666 | return ret; | |
667 | ||
668 | (*retrl)->unprocessed_rcds.q = pqueue_new(); | |
669 | (*retrl)->processed_rcds.q = pqueue_new(); | |
670 | if ((*retrl)->unprocessed_rcds.q == NULL || (*retrl)->processed_rcds.q == NULL) { | |
671 | dtls_free(*retrl); | |
672 | *retrl = NULL; | |
673 | RLAYERfatal(*retrl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); | |
674 | return OSSL_RECORD_RETURN_FATAL; | |
675 | } | |
676 | ||
7a15ed64 MC |
677 | (*retrl)->unprocessed_rcds.epoch = epoch + 1; |
678 | (*retrl)->processed_rcds.epoch = epoch; | |
679 | ||
eddb067e | 680 | (*retrl)->isdtls = 1; |
222cf410 | 681 | (*retrl)->epoch = epoch; |
bfc0f10d | 682 | (*retrl)->in_init = 1; |
222cf410 MC |
683 | |
684 | switch (vers) { | |
685 | case DTLS_ANY_VERSION: | |
686 | (*retrl)->funcs = &dtls_any_funcs; | |
687 | break; | |
688 | case DTLS1_2_VERSION: | |
689 | case DTLS1_VERSION: | |
690 | case DTLS1_BAD_VER: | |
691 | (*retrl)->funcs = &dtls_1_funcs; | |
692 | break; | |
693 | default: | |
694 | /* Should not happen */ | |
695 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); | |
696 | ret = OSSL_RECORD_RETURN_FATAL; | |
697 | goto err; | |
698 | } | |
eddb067e | 699 | |
222cf410 MC |
700 | ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv, |
701 | ivlen, mackey, mackeylen, ciph, | |
702 | taglen, mactype, md, comp); | |
703 | ||
704 | err: | |
705 | if (ret != OSSL_RECORD_RETURN_SUCCESS) { | |
706 | OPENSSL_free(*retrl); | |
707 | *retrl = NULL; | |
708 | } | |
709 | return ret; | |
eddb067e MC |
710 | } |
711 | ||
712 | const OSSL_RECORD_METHOD ossl_dtls_record_method = { | |
713 | dtls_new_record_layer, | |
714 | dtls_free, | |
715 | tls_reset, | |
716 | tls_unprocessed_read_pending, | |
717 | tls_processed_read_pending, | |
718 | tls_app_data_pending, | |
719 | tls_write_pending, | |
720 | tls_get_max_record_len, | |
721 | tls_get_max_records, | |
722 | tls_write_records, | |
723 | tls_retry_write_records, | |
724 | tls_read_record, | |
725 | tls_release_record, | |
726 | tls_get_alert_code, | |
727 | tls_set1_bio, | |
728 | tls_set_protocol_version, | |
729 | NULL, | |
730 | tls_set_first_handshake, | |
731 | tls_set_max_pipelines, | |
81c9ebd9 | 732 | dtls_set_in_init |
eddb067e | 733 | }; |