]>
Commit | Line | Data |
---|---|---|
eddb067e MC |
1 | /* |
2 | * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include "../../ssl_local.h" | |
11 | #include "../record_local.h" | |
12 | #include "recmethod_local.h" | |
13 | ||
14 | /* mod 128 saturating subtract of two 64-bit values in big-endian order */ | |
15 | static int satsub64be(const unsigned char *v1, const unsigned char *v2) | |
16 | { | |
17 | int64_t ret; | |
18 | uint64_t l1, l2; | |
19 | ||
20 | n2l8(v1, l1); | |
21 | n2l8(v2, l2); | |
22 | ||
23 | ret = l1 - l2; | |
24 | ||
25 | /* We do not permit wrap-around */ | |
26 | if (l1 > l2 && ret < 0) | |
27 | return 128; | |
28 | else if (l2 > l1 && ret > 0) | |
29 | return -128; | |
30 | ||
31 | if (ret > 128) | |
32 | return 128; | |
33 | else if (ret < -128) | |
34 | return -128; | |
35 | else | |
36 | return (int)ret; | |
37 | } | |
38 | ||
f6aab7b1 | 39 | static int dtls_record_replay_check(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap) |
eddb067e MC |
40 | { |
41 | int cmp; | |
42 | unsigned int shift; | |
222cf410 | 43 | const unsigned char *seq = rl->sequence; |
eddb067e MC |
44 | |
45 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
46 | if (cmp > 0) { | |
47 | SSL3_RECORD_set_seq_num(&rl->rrec[0], seq); | |
48 | return 1; /* this record in new */ | |
49 | } | |
50 | shift = -cmp; | |
51 | if (shift >= sizeof(bitmap->map) * 8) | |
52 | return 0; /* stale, outside the window */ | |
f6aab7b1 | 53 | else if (bitmap->map & ((uint64_t)1 << shift)) |
eddb067e MC |
54 | return 0; /* record previously received */ |
55 | ||
56 | SSL3_RECORD_set_seq_num(&rl->rrec[0], seq); | |
57 | return 1; | |
58 | } | |
59 | ||
3a7a539e | 60 | static void dtls_record_bitmap_update(OSSL_RECORD_LAYER *rl, |
f6aab7b1 | 61 | DTLS_BITMAP *bitmap) |
eddb067e MC |
62 | { |
63 | int cmp; | |
64 | unsigned int shift; | |
222cf410 | 65 | const unsigned char *seq = rl->sequence; |
eddb067e MC |
66 | |
67 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
68 | if (cmp > 0) { | |
69 | shift = cmp; | |
70 | if (shift < sizeof(bitmap->map) * 8) | |
71 | bitmap->map <<= shift, bitmap->map |= 1UL; | |
72 | else | |
73 | bitmap->map = 1UL; | |
74 | memcpy(bitmap->max_seq_num, seq, SEQ_NUM_SIZE); | |
75 | } else { | |
76 | shift = -cmp; | |
77 | if (shift < sizeof(bitmap->map) * 8) | |
f6aab7b1 | 78 | bitmap->map |= (uint64_t)1 << shift; |
eddb067e MC |
79 | } |
80 | } | |
81 | ||
f6aab7b1 MC |
82 | static DTLS_BITMAP *dtls_get_bitmap(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rr, |
83 | unsigned int *is_next_epoch) | |
eddb067e | 84 | { |
eddb067e MC |
85 | *is_next_epoch = 0; |
86 | ||
87 | /* In current epoch, accept HM, CCS, DATA, & ALERT */ | |
222cf410 | 88 | if (rr->epoch == rl->epoch) |
bfc0f10d | 89 | return &rl->bitmap; |
eddb067e MC |
90 | |
91 | /* | |
92 | * Only HM and ALERT messages can be from the next epoch and only if we | |
93 | * have already processed all of the unprocessed records from the last | |
94 | * epoch | |
95 | */ | |
1704961c MC |
96 | else if (rr->epoch == (unsigned long)(rl->epoch + 1) |
97 | && rl->unprocessed_rcds.epoch != rl->epoch | |
98 | && (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { | |
eddb067e | 99 | *is_next_epoch = 1; |
bfc0f10d | 100 | return &rl->next_bitmap; |
eddb067e MC |
101 | } |
102 | ||
103 | return NULL; | |
104 | } | |
105 | ||
bfc0f10d MC |
106 | static void dtls_set_in_init(OSSL_RECORD_LAYER *rl, int in_init) |
107 | { | |
108 | rl->in_init = in_init; | |
109 | } | |
110 | ||
f6aab7b1 | 111 | static int dtls_process_record(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap) |
eddb067e MC |
112 | { |
113 | int i; | |
114 | int enc_err; | |
eddb067e MC |
115 | SSL3_RECORD *rr; |
116 | int imac_size; | |
117 | size_t mac_size = 0; | |
118 | unsigned char md[EVP_MAX_MD_SIZE]; | |
eddb067e MC |
119 | SSL_MAC_BUF macbuf = { NULL, 0 }; |
120 | int ret = 0; | |
eddb067e MC |
121 | |
122 | rr = &rl->rrec[0]; | |
eddb067e MC |
123 | |
124 | /* | |
1704961c | 125 | * At this point, rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length, |
222cf410 | 126 | * and we have that many bytes in rl->packet |
eddb067e | 127 | */ |
222cf410 | 128 | rr->input = &(rl->packet[DTLS1_RT_HEADER_LENGTH]); |
eddb067e MC |
129 | |
130 | /* | |
222cf410 | 131 | * ok, we can now read from 'rl->packet' data into 'rr'. rr->input |
eddb067e MC |
132 | * points at rr->length bytes, which need to be copied into rr->data by |
133 | * either the decryption or by the decompression. When the data is 'copied' | |
134 | * into the rr->data buffer, rr->input will be pointed at the new buffer | |
135 | */ | |
136 | ||
137 | /* | |
138 | * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length | |
139 | * bytes of encrypted compressed stuff. | |
140 | */ | |
141 | ||
142 | /* check is not needed I believe */ | |
143 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
222cf410 | 144 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); |
eddb067e MC |
145 | return 0; |
146 | } | |
147 | ||
148 | /* decrypt in place in 'rr->input' */ | |
149 | rr->data = rr->input; | |
150 | rr->orig_len = rr->length; | |
151 | ||
222cf410 MC |
152 | if (rl->md_ctx != NULL) { |
153 | const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx); | |
eddb067e MC |
154 | |
155 | if (tmpmd != NULL) { | |
156 | imac_size = EVP_MD_get_size(tmpmd); | |
157 | if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { | |
1704961c MC |
158 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); |
159 | return 0; | |
eddb067e MC |
160 | } |
161 | mac_size = (size_t)imac_size; | |
162 | } | |
163 | } | |
164 | ||
1704961c | 165 | if (rl->use_etm && rl->md_ctx != NULL) { |
eddb067e MC |
166 | unsigned char *mac; |
167 | ||
168 | if (rr->orig_len < mac_size) { | |
222cf410 | 169 | RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); |
eddb067e MC |
170 | return 0; |
171 | } | |
172 | rr->length -= mac_size; | |
173 | mac = rr->data + rr->length; | |
222cf410 | 174 | i = rl->funcs->mac(rl, rr, md, 0 /* not send */); |
eddb067e | 175 | if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { |
222cf410 MC |
176 | RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, |
177 | SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); | |
eddb067e MC |
178 | return 0; |
179 | } | |
180 | /* | |
181 | * We've handled the mac now - there is no MAC inside the encrypted | |
182 | * record | |
183 | */ | |
184 | mac_size = 0; | |
185 | } | |
186 | ||
187 | /* | |
188 | * Set a mark around the packet decryption attempt. This is DTLS, so | |
189 | * bad packets are just ignored, and we don't want to leave stray | |
190 | * errors in the queue from processing bogus junk that we ignored. | |
191 | */ | |
192 | ERR_set_mark(); | |
222cf410 | 193 | enc_err = rl->funcs->cipher(rl, rr, 1, 0, &macbuf, mac_size); |
eddb067e MC |
194 | |
195 | /*- | |
196 | * enc_err is: | |
197 | * 0: if the record is publicly invalid, or an internal error, or AEAD | |
198 | * decryption failed, or ETM decryption failed. | |
199 | * 1: Success or MTE decryption failed (MAC will be randomised) | |
200 | */ | |
201 | if (enc_err == 0) { | |
202 | ERR_pop_to_mark(); | |
d3192c26 MC |
203 | if (rl->alert != SSL_AD_NO_ALERT) { |
204 | /* RLAYERfatal() already called */ | |
eddb067e MC |
205 | goto end; |
206 | } | |
207 | /* For DTLS we simply ignore bad packets. */ | |
208 | rr->length = 0; | |
222cf410 | 209 | rl->packet_length = 0; |
eddb067e MC |
210 | goto end; |
211 | } | |
212 | ERR_clear_last_mark(); | |
213 | OSSL_TRACE_BEGIN(TLS) { | |
214 | BIO_printf(trc_out, "dec %zd\n", rr->length); | |
215 | BIO_dump_indent(trc_out, rr->data, rr->length, 4); | |
216 | } OSSL_TRACE_END(TLS); | |
217 | ||
218 | /* r->length is now the compressed data plus mac */ | |
222cf410 MC |
219 | if (!rl->use_etm |
220 | && (rl->enc_ctx != NULL) | |
221 | && (EVP_MD_CTX_get0_md(rl->md_ctx) != NULL)) { | |
222 | /* rl->md_ctx != NULL => mac_size != -1 */ | |
eddb067e | 223 | |
1704961c | 224 | i = rl->funcs->mac(rl, rr, md, 0 /* not send */); |
eddb067e MC |
225 | if (i == 0 || macbuf.mac == NULL |
226 | || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0) | |
227 | enc_err = 0; | |
228 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) | |
229 | enc_err = 0; | |
230 | } | |
231 | ||
232 | if (enc_err == 0) { | |
233 | /* decryption failed, silently discard message */ | |
234 | rr->length = 0; | |
222cf410 | 235 | rl->packet_length = 0; |
eddb067e MC |
236 | goto end; |
237 | } | |
238 | ||
239 | /* r->length is now just compressed */ | |
9251c3c4 | 240 | if (rl->compctx != NULL) { |
eddb067e | 241 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { |
222cf410 MC |
242 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, |
243 | SSL_R_COMPRESSED_LENGTH_TOO_LONG); | |
eddb067e MC |
244 | goto end; |
245 | } | |
222cf410 MC |
246 | if (!tls_do_uncompress(rl, rr)) { |
247 | RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION); | |
eddb067e MC |
248 | goto end; |
249 | } | |
250 | } | |
251 | ||
222cf410 MC |
252 | /* |
253 | * Check if the received packet overflows the current Max Fragment | |
254 | * Length setting. | |
255 | */ | |
435d88d7 | 256 | if (rr->length > rl->max_frag_len) { |
222cf410 | 257 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); |
eddb067e MC |
258 | goto end; |
259 | } | |
260 | ||
261 | rr->off = 0; | |
262 | /*- | |
263 | * So at this point the following is true | |
264 | * ssl->s3.rrec.type is the type of record | |
265 | * ssl->s3.rrec.length == number of bytes in record | |
266 | * ssl->s3.rrec.off == offset to first valid byte | |
267 | * ssl->s3.rrec.data == where to take bytes from, increment | |
268 | * after use :-). | |
269 | */ | |
270 | ||
271 | /* we have pulled in a full packet so zero things */ | |
222cf410 | 272 | rl->packet_length = 0; |
eddb067e MC |
273 | |
274 | /* Mark receipt of record. */ | |
3a7a539e | 275 | dtls_record_bitmap_update(rl, bitmap); |
eddb067e MC |
276 | |
277 | ret = 1; | |
278 | end: | |
279 | if (macbuf.alloced) | |
280 | OPENSSL_free(macbuf.mac); | |
281 | return ret; | |
282 | } | |
283 | ||
222cf410 | 284 | static int dtls_rlayer_buffer_record(OSSL_RECORD_LAYER *rl, record_pqueue *queue, |
eddb067e MC |
285 | unsigned char *priority) |
286 | { | |
287 | DTLS_RLAYER_RECORD_DATA *rdata; | |
288 | pitem *item; | |
eddb067e MC |
289 | |
290 | /* Limit the size of the queue to prevent DOS attacks */ | |
291 | if (pqueue_size(queue->q) >= 100) | |
292 | return 0; | |
293 | ||
294 | rdata = OPENSSL_malloc(sizeof(*rdata)); | |
295 | item = pitem_new(priority, rdata); | |
296 | if (rdata == NULL || item == NULL) { | |
297 | OPENSSL_free(rdata); | |
298 | pitem_free(item); | |
222cf410 | 299 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
eddb067e MC |
300 | return -1; |
301 | } | |
302 | ||
222cf410 MC |
303 | rdata->packet = rl->packet; |
304 | rdata->packet_length = rl->packet_length; | |
305 | memcpy(&(rdata->rbuf), &rl->rbuf, sizeof(SSL3_BUFFER)); | |
eddb067e MC |
306 | memcpy(&(rdata->rrec), &rl->rrec[0], sizeof(SSL3_RECORD)); |
307 | ||
308 | item->data = rdata; | |
309 | ||
222cf410 MC |
310 | rl->packet = NULL; |
311 | rl->packet_length = 0; | |
312 | memset(&rl->rbuf, 0, sizeof(SSL3_BUFFER)); | |
eddb067e MC |
313 | memset(&rl->rrec[0], 0, sizeof(rl->rrec[0])); |
314 | ||
9b7fb65e MC |
315 | if (!tls_setup_read_buffer(rl)) { |
316 | /* RLAYERfatal() already called */ | |
eddb067e MC |
317 | OPENSSL_free(rdata->rbuf.buf); |
318 | OPENSSL_free(rdata); | |
319 | pitem_free(item); | |
320 | return -1; | |
321 | } | |
322 | ||
323 | if (pqueue_insert(queue->q, item) == NULL) { | |
324 | /* Must be a duplicate so ignore it */ | |
325 | OPENSSL_free(rdata->rbuf.buf); | |
326 | OPENSSL_free(rdata); | |
327 | pitem_free(item); | |
328 | } | |
329 | ||
330 | return 1; | |
331 | } | |
332 | ||
bfc0f10d | 333 | /* copy buffered record into OSSL_RECORD_LAYER structure */ |
eddb067e MC |
334 | static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER *rl, pitem *item) |
335 | { | |
336 | DTLS_RLAYER_RECORD_DATA *rdata; | |
eddb067e MC |
337 | |
338 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
339 | ||
222cf410 | 340 | SSL3_BUFFER_release(&rl->rbuf); |
eddb067e | 341 | |
222cf410 MC |
342 | rl->packet = rdata->packet; |
343 | rl->packet_length = rdata->packet_length; | |
344 | memcpy(&rl->rbuf, &(rdata->rbuf), sizeof(SSL3_BUFFER)); | |
eddb067e MC |
345 | memcpy(&rl->rrec[0], &(rdata->rrec), sizeof(SSL3_RECORD)); |
346 | ||
347 | /* Set proper sequence number for mac calculation */ | |
222cf410 | 348 | memcpy(&(rl->sequence[2]), &(rdata->packet[5]), 6); |
eddb067e MC |
349 | |
350 | return 1; | |
351 | } | |
352 | ||
353 | static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER *rl, | |
354 | record_pqueue *queue) | |
355 | { | |
356 | pitem *item; | |
357 | ||
358 | item = pqueue_pop(queue->q); | |
359 | if (item) { | |
360 | dtls_copy_rlayer_record(rl, item); | |
361 | ||
362 | OPENSSL_free(item->data); | |
363 | pitem_free(item); | |
364 | ||
365 | return 1; | |
366 | } | |
367 | ||
368 | return 0; | |
369 | } | |
370 | ||
eddb067e MC |
371 | /*- |
372 | * Call this to get a new input record. | |
373 | * It will return <= 0 if more data is needed, normally due to an error | |
374 | * or non-blocking IO. | |
375 | * When it finishes, one packet has been decoded and can be found in | |
376 | * ssl->s3.rrec.type - is the type of record | |
377 | * ssl->s3.rrec.data - data | |
378 | * ssl->s3.rrec.length - number of bytes | |
379 | */ | |
222cf410 | 380 | int dtls_get_more_records(OSSL_RECORD_LAYER *rl) |
eddb067e MC |
381 | { |
382 | int ssl_major, ssl_minor; | |
383 | int rret; | |
384 | size_t more, n; | |
385 | SSL3_RECORD *rr; | |
386 | unsigned char *p = NULL; | |
387 | unsigned short version; | |
f6aab7b1 | 388 | DTLS_BITMAP *bitmap; |
eddb067e | 389 | unsigned int is_next_epoch; |
eddb067e MC |
390 | |
391 | rl->num_recs = 0; | |
392 | rl->curr_rec = 0; | |
393 | rl->num_released = 0; | |
394 | ||
395 | rr = rl->rrec; | |
396 | ||
81c9ebd9 | 397 | if (rl->rbuf.buf == NULL) { |
9b7fb65e | 398 | if (!tls_setup_read_buffer(rl)) { |
81c9ebd9 MC |
399 | /* RLAYERfatal() already called */ |
400 | return OSSL_RECORD_RETURN_FATAL; | |
401 | } | |
402 | } | |
403 | ||
eddb067e | 404 | again: |
eddb067e MC |
405 | /* if we're renegotiating, then there may be buffered records */ |
406 | if (dtls_retrieve_rlayer_buffered_record(rl, &rl->processed_rcds)) { | |
407 | rl->num_recs = 1; | |
408 | return OSSL_RECORD_RETURN_SUCCESS; | |
409 | } | |
410 | ||
411 | /* get something from the wire */ | |
412 | ||
413 | /* check if we have the header */ | |
222cf410 MC |
414 | if ((rl->rstate != SSL_ST_READ_BODY) || |
415 | (rl->packet_length < DTLS1_RT_HEADER_LENGTH)) { | |
416 | rret = rl->funcs->read_n(rl, DTLS1_RT_HEADER_LENGTH, | |
417 | SSL3_BUFFER_get_len(&rl->rbuf), 0, 1, &n); | |
eddb067e MC |
418 | /* read timeout is handled by dtls1_read_bytes */ |
419 | if (rret < OSSL_RECORD_RETURN_SUCCESS) { | |
1704961c | 420 | /* RLAYERfatal() already called if appropriate */ |
eddb067e MC |
421 | return rret; /* error or non-blocking */ |
422 | } | |
423 | ||
424 | /* this packet contained a partial record, dump it */ | |
222cf410 MC |
425 | if (rl->packet_length != DTLS1_RT_HEADER_LENGTH) { |
426 | rl->packet_length = 0; | |
eddb067e MC |
427 | goto again; |
428 | } | |
429 | ||
222cf410 | 430 | rl->rstate = SSL_ST_READ_BODY; |
eddb067e | 431 | |
222cf410 | 432 | p = rl->packet; |
eddb067e | 433 | |
b85ebc4b MC |
434 | if (rl->msg_callback != NULL) |
435 | rl->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, | |
436 | rl->cbarg); | |
eddb067e MC |
437 | |
438 | /* Pull apart the header into the DTLS1_RECORD */ | |
439 | rr->type = *(p++); | |
440 | ssl_major = *(p++); | |
441 | ssl_minor = *(p++); | |
442 | version = (ssl_major << 8) | ssl_minor; | |
443 | ||
444 | /* sequence number is 64 bits, with top 2 bytes = epoch */ | |
445 | n2s(p, rr->epoch); | |
446 | ||
222cf410 | 447 | memcpy(&(rl->sequence[2]), p, 6); |
eddb067e MC |
448 | p += 6; |
449 | ||
450 | n2s(p, rr->length); | |
eddb067e MC |
451 | |
452 | /* | |
453 | * Lets check the version. We tolerate alerts that don't have the exact | |
454 | * version number (e.g. because of protocol version errors) | |
455 | */ | |
222cf410 MC |
456 | if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) { |
457 | if (version != rl->version) { | |
eddb067e MC |
458 | /* unexpected version, silently discard */ |
459 | rr->length = 0; | |
222cf410 | 460 | rl->packet_length = 0; |
eddb067e MC |
461 | goto again; |
462 | } | |
463 | } | |
464 | ||
222cf410 MC |
465 | if (ssl_major != |
466 | (rl->version == DTLS_ANY_VERSION ? DTLS1_VERSION_MAJOR | |
1704961c | 467 | : rl->version >> 8)) { |
eddb067e MC |
468 | /* wrong version, silently discard record */ |
469 | rr->length = 0; | |
222cf410 | 470 | rl->packet_length = 0; |
eddb067e MC |
471 | goto again; |
472 | } | |
473 | ||
474 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
475 | /* record too long, silently discard it */ | |
476 | rr->length = 0; | |
222cf410 | 477 | rl->packet_length = 0; |
eddb067e MC |
478 | goto again; |
479 | } | |
480 | ||
222cf410 MC |
481 | /* |
482 | * If received packet overflows maximum possible fragment length then | |
483 | * silently discard it | |
484 | */ | |
435d88d7 | 485 | if (rr->length > rl->max_frag_len + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) { |
eddb067e MC |
486 | /* record too long, silently discard it */ |
487 | rr->length = 0; | |
222cf410 | 488 | rl->packet_length = 0; |
eddb067e MC |
489 | goto again; |
490 | } | |
491 | ||
222cf410 | 492 | /* now rl->rstate == SSL_ST_READ_BODY */ |
eddb067e MC |
493 | } |
494 | ||
222cf410 | 495 | /* rl->rstate == SSL_ST_READ_BODY, get and decode the data */ |
eddb067e | 496 | |
1704961c | 497 | if (rr->length > rl->packet_length - DTLS1_RT_HEADER_LENGTH) { |
222cf410 | 498 | /* now rl->packet_length == DTLS1_RT_HEADER_LENGTH */ |
eddb067e | 499 | more = rr->length; |
222cf410 | 500 | rret = rl->funcs->read_n(rl, more, more, 1, 1, &n); |
eddb067e MC |
501 | /* this packet contained a partial record, dump it */ |
502 | if (rret < OSSL_RECORD_RETURN_SUCCESS || n != more) { | |
d3192c26 | 503 | if (rl->alert != SSL_AD_NO_ALERT) { |
222cf410 | 504 | /* read_n() called RLAYERfatal() */ |
eddb067e MC |
505 | return OSSL_RECORD_RETURN_FATAL; |
506 | } | |
507 | rr->length = 0; | |
222cf410 | 508 | rl->packet_length = 0; |
eddb067e MC |
509 | goto again; |
510 | } | |
511 | ||
512 | /* | |
222cf410 MC |
513 | * now n == rr->length, |
514 | * and rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length | |
eddb067e MC |
515 | */ |
516 | } | |
517 | /* set state for later operations */ | |
222cf410 | 518 | rl->rstate = SSL_ST_READ_HEADER; |
eddb067e MC |
519 | |
520 | /* match epochs. NULL means the packet is dropped on the floor */ | |
3a7a539e | 521 | bitmap = dtls_get_bitmap(rl, rr, &is_next_epoch); |
eddb067e MC |
522 | if (bitmap == NULL) { |
523 | rr->length = 0; | |
222cf410 | 524 | rl->packet_length = 0; /* dump this record */ |
eddb067e MC |
525 | goto again; /* get another record */ |
526 | } | |
527 | #ifndef OPENSSL_NO_SCTP | |
528 | /* Only do replay check if no SCTP bio */ | |
222cf410 | 529 | if (!BIO_dgram_is_sctp(rl->bio)) { |
eddb067e MC |
530 | #endif |
531 | /* Check whether this is a repeat, or aged record. */ | |
3a7a539e | 532 | if (!dtls_record_replay_check(rl, bitmap)) { |
eddb067e | 533 | rr->length = 0; |
222cf410 | 534 | rl->packet_length = 0; /* dump this record */ |
eddb067e MC |
535 | goto again; /* get another record */ |
536 | } | |
537 | #ifndef OPENSSL_NO_SCTP | |
538 | } | |
539 | #endif | |
540 | ||
541 | /* just read a 0 length packet */ | |
9007412c | 542 | if (rr->length == 0) |
eddb067e | 543 | goto again; |
eddb067e MC |
544 | |
545 | /* | |
546 | * If this record is from the next epoch (either HM or ALERT), and a | |
547 | * handshake is currently in progress, buffer it since it cannot be | |
548 | * processed at this time. | |
549 | */ | |
550 | if (is_next_epoch) { | |
bfc0f10d | 551 | if (rl->in_init) { |
1704961c MC |
552 | if (dtls_rlayer_buffer_record(rl, &(rl->unprocessed_rcds), |
553 | rr->seq_num) < 0) { | |
554 | /* RLAYERfatal() already called */ | |
eddb067e MC |
555 | return OSSL_RECORD_RETURN_FATAL; |
556 | } | |
557 | } | |
558 | rr->length = 0; | |
222cf410 | 559 | rl->packet_length = 0; |
eddb067e MC |
560 | goto again; |
561 | } | |
562 | ||
3a7a539e | 563 | if (!dtls_process_record(rl, bitmap)) { |
d3192c26 | 564 | if (rl->alert != SSL_AD_NO_ALERT) { |
3a7a539e | 565 | /* dtls_process_record() called RLAYERfatal */ |
eddb067e MC |
566 | return OSSL_RECORD_RETURN_FATAL; |
567 | } | |
568 | rr->length = 0; | |
222cf410 | 569 | rl->packet_length = 0; /* dump this record */ |
eddb067e MC |
570 | goto again; /* get another record */ |
571 | } | |
572 | ||
573 | rl->num_recs = 1; | |
574 | return OSSL_RECORD_RETURN_SUCCESS; | |
eddb067e MC |
575 | } |
576 | ||
eddb067e MC |
577 | static int dtls_free(OSSL_RECORD_LAYER *rl) |
578 | { | |
7a15ed64 MC |
579 | SSL3_BUFFER *rbuf; |
580 | size_t left, written; | |
eddb067e MC |
581 | pitem *item; |
582 | DTLS_RLAYER_RECORD_DATA *rdata; | |
7a15ed64 | 583 | int ret = 1; |
eddb067e | 584 | |
7a15ed64 MC |
585 | rbuf = &rl->rbuf; |
586 | ||
587 | left = rbuf->left; | |
588 | if (left > 0) { | |
589 | /* | |
590 | * This record layer is closing but we still have data left in our | |
591 | * buffer. It must be destined for the next epoch - so push it there. | |
592 | */ | |
593 | ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written); | |
594 | rbuf->left = 0; | |
595 | } | |
596 | ||
597 | if (rl->unprocessed_rcds.q != NULL) { | |
eddb067e MC |
598 | while ((item = pqueue_pop(rl->unprocessed_rcds.q)) != NULL) { |
599 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
7a15ed64 | 600 | /* Push to the next record layer */ |
7a15ed64 MC |
601 | ret &= BIO_write_ex(rl->next, rdata->packet, rdata->packet_length, |
602 | &written); | |
eddb067e MC |
603 | OPENSSL_free(rdata->rbuf.buf); |
604 | OPENSSL_free(item->data); | |
605 | pitem_free(item); | |
606 | } | |
607 | pqueue_free(rl->unprocessed_rcds.q); | |
608 | } | |
609 | ||
7a15ed64 | 610 | if (rl->processed_rcds.q != NULL) { |
eddb067e MC |
611 | while ((item = pqueue_pop(rl->processed_rcds.q)) != NULL) { |
612 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
613 | OPENSSL_free(rdata->rbuf.buf); | |
614 | OPENSSL_free(item->data); | |
615 | pitem_free(item); | |
616 | } | |
617 | pqueue_free(rl->processed_rcds.q); | |
618 | } | |
619 | ||
7a15ed64 | 620 | return tls_free(rl) && ret; |
eddb067e MC |
621 | } |
622 | ||
623 | static int | |
624 | dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, | |
279754d4 | 625 | int role, int direction, int level, uint16_t epoch, |
222cf410 MC |
626 | unsigned char *key, size_t keylen, unsigned char *iv, |
627 | size_t ivlen, unsigned char *mackey, size_t mackeylen, | |
eddb067e | 628 | const EVP_CIPHER *ciph, size_t taglen, |
eddb067e | 629 | int mactype, |
1e76110b | 630 | const EVP_MD *md, COMP_METHOD *comp, BIO *prev, |
eddb067e MC |
631 | BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, |
632 | const OSSL_PARAM *settings, const OSSL_PARAM *options, | |
633 | const OSSL_DISPATCH *fns, void *cbarg, | |
634 | OSSL_RECORD_LAYER **retrl) | |
635 | { | |
636 | int ret; | |
637 | ||
eddb067e MC |
638 | ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level, |
639 | key, keylen, iv, ivlen, mackey, mackeylen, | |
640 | ciph, taglen, mactype, md, comp, prev, | |
641 | transport, next, local, peer, settings, | |
642 | options, fns, cbarg, retrl); | |
643 | ||
644 | if (ret != OSSL_RECORD_RETURN_SUCCESS) | |
645 | return ret; | |
646 | ||
647 | (*retrl)->unprocessed_rcds.q = pqueue_new(); | |
648 | (*retrl)->processed_rcds.q = pqueue_new(); | |
1704961c MC |
649 | if ((*retrl)->unprocessed_rcds.q == NULL |
650 | || (*retrl)->processed_rcds.q == NULL) { | |
eddb067e MC |
651 | dtls_free(*retrl); |
652 | *retrl = NULL; | |
e077455e | 653 | ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB); |
eddb067e MC |
654 | return OSSL_RECORD_RETURN_FATAL; |
655 | } | |
656 | ||
7a15ed64 MC |
657 | (*retrl)->unprocessed_rcds.epoch = epoch + 1; |
658 | (*retrl)->processed_rcds.epoch = epoch; | |
659 | ||
eddb067e | 660 | (*retrl)->isdtls = 1; |
222cf410 | 661 | (*retrl)->epoch = epoch; |
bfc0f10d | 662 | (*retrl)->in_init = 1; |
222cf410 MC |
663 | |
664 | switch (vers) { | |
665 | case DTLS_ANY_VERSION: | |
666 | (*retrl)->funcs = &dtls_any_funcs; | |
667 | break; | |
668 | case DTLS1_2_VERSION: | |
669 | case DTLS1_VERSION: | |
670 | case DTLS1_BAD_VER: | |
671 | (*retrl)->funcs = &dtls_1_funcs; | |
672 | break; | |
673 | default: | |
674 | /* Should not happen */ | |
675 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); | |
676 | ret = OSSL_RECORD_RETURN_FATAL; | |
677 | goto err; | |
678 | } | |
eddb067e | 679 | |
222cf410 | 680 | ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv, |
1704961c MC |
681 | ivlen, mackey, mackeylen, ciph, |
682 | taglen, mactype, md, comp); | |
222cf410 MC |
683 | |
684 | err: | |
685 | if (ret != OSSL_RECORD_RETURN_SUCCESS) { | |
686 | OPENSSL_free(*retrl); | |
687 | *retrl = NULL; | |
688 | } | |
689 | return ret; | |
eddb067e MC |
690 | } |
691 | ||
b9e37f8f MC |
692 | int dtls_prepare_record_header(OSSL_RECORD_LAYER *rl, |
693 | WPACKET *thispkt, | |
694 | OSSL_RECORD_TEMPLATE *templ, | |
695 | unsigned int rectype, | |
696 | unsigned char **recdata) | |
697 | { | |
698 | size_t maxcomplen; | |
699 | ||
700 | *recdata = NULL; | |
701 | ||
702 | maxcomplen = templ->buflen; | |
703 | if (rl->compctx != NULL) | |
704 | maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD; | |
705 | ||
706 | if (!WPACKET_put_bytes_u8(thispkt, rectype) | |
707 | || !WPACKET_put_bytes_u16(thispkt, templ->version) | |
708 | || !WPACKET_put_bytes_u16(thispkt, rl->epoch) | |
709 | || !WPACKET_memcpy(thispkt, &(rl->sequence[2]), 6) | |
710 | || !WPACKET_start_sub_packet_u16(thispkt) | |
711 | || (rl->eivlen > 0 | |
712 | && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL)) | |
713 | || (maxcomplen > 0 | |
714 | && !WPACKET_reserve_bytes(thispkt, maxcomplen, | |
715 | recdata))) { | |
716 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
717 | return 0; | |
718 | } | |
719 | ||
720 | return 1; | |
721 | } | |
722 | ||
602ee1f6 MC |
723 | int dtls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates, |
724 | size_t numtempl) | |
fc938db6 | 725 | { |
b9e37f8f | 726 | int mac_size = 0; |
fc938db6 | 727 | SSL3_RECORD wr; |
bf04cbfa | 728 | SSL3_BUFFER *wb; |
248a9bf2 MC |
729 | WPACKET pkt, *thispkt = &pkt; |
730 | size_t wpinited = 0; | |
731 | int ret = 0; | |
b9e37f8f | 732 | unsigned char *compressdata = NULL; |
fc938db6 | 733 | |
b9e37f8f MC |
734 | if (rl->md_ctx != NULL && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) { |
735 | mac_size = EVP_MD_CTX_get_size(rl->md_ctx); | |
fc938db6 | 736 | if (mac_size < 0) { |
b9e37f8f | 737 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
602ee1f6 | 738 | return 0; |
fc938db6 MC |
739 | } |
740 | } | |
741 | ||
bf04cbfa MC |
742 | if (numtempl != 1) { |
743 | /* Should not happen */ | |
4cdd198e | 744 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
602ee1f6 | 745 | return 0; |
bf04cbfa MC |
746 | } |
747 | ||
748 | if (!rl->funcs->allocate_write_buffers(rl, templates, numtempl, NULL)) { | |
749 | /* RLAYERfatal() already called */ | |
602ee1f6 | 750 | return 0; |
bf04cbfa MC |
751 | } |
752 | ||
248a9bf2 MC |
753 | if (!rl->funcs->initialise_write_packets(rl, templates, numtempl, |
754 | NULL, thispkt, rl->wbuf, | |
755 | &wpinited)) { | |
756 | /* RLAYERfatal() already called */ | |
757 | return 0; | |
758 | } | |
759 | ||
bf04cbfa | 760 | wb = rl->wbuf; |
fc938db6 | 761 | |
bf04cbfa | 762 | SSL3_RECORD_set_type(&wr, templates->type); |
b9e37f8f MC |
763 | SSL3_RECORD_set_rec_version(&wr, templates->version); |
764 | ||
765 | if (!rl->funcs->prepare_record_header(rl, thispkt, templates, | |
766 | templates->type, &compressdata)) { | |
767 | /* RLAYERfatal() already called */ | |
768 | goto err; | |
769 | } | |
fc938db6 MC |
770 | |
771 | /* lets setup the record stuff. */ | |
b9e37f8f | 772 | SSL3_RECORD_set_data(&wr, compressdata); |
bf04cbfa MC |
773 | SSL3_RECORD_set_length(&wr, templates->buflen); |
774 | SSL3_RECORD_set_input(&wr, (unsigned char *)templates->buf); | |
fc938db6 MC |
775 | |
776 | /* | |
777 | * we now 'read' from wr.input, wr.length bytes into wr.data | |
778 | */ | |
779 | ||
780 | /* first we compress */ | |
b9e37f8f MC |
781 | if (rl->compctx != NULL) { |
782 | if (!tls_do_compress(rl, &wr) | |
783 | || !WPACKET_allocate_bytes(thispkt, wr.length, NULL)) { | |
4cdd198e | 784 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE); |
248a9bf2 | 785 | goto err; |
fc938db6 | 786 | } |
b9e37f8f MC |
787 | } else if (compressdata != NULL) { |
788 | if (!WPACKET_memcpy(thispkt, wr.input, wr.length)) { | |
4cdd198e | 789 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
248a9bf2 | 790 | goto err; |
fc938db6 | 791 | } |
b9e37f8f | 792 | SSL3_RECORD_reset_input(&wr); |
fc938db6 MC |
793 | } |
794 | ||
b9e37f8f MC |
795 | if (!rl->funcs->prepare_for_encryption(rl, mac_size, thispkt, &wr)) { |
796 | /* RLAYERfatal() already called */ | |
248a9bf2 | 797 | goto err; |
fc938db6 MC |
798 | } |
799 | ||
b9e37f8f MC |
800 | if (rl->funcs->cipher(rl, &wr, 1, 1, NULL, mac_size) < 1) { |
801 | if (rl->alert == SSL_AD_NO_ALERT) { | |
4cdd198e | 802 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
fc938db6 | 803 | } |
b9e37f8f | 804 | goto err; |
fc938db6 MC |
805 | } |
806 | ||
b9e37f8f MC |
807 | if (!rl->funcs->post_encryption_processing(rl, mac_size, templates, |
808 | thispkt, &wr)) { | |
809 | /* RLAYERfatal() already called */ | |
810 | goto err; | |
811 | } | |
fc938db6 | 812 | |
b9e37f8f MC |
813 | /* TODO(RECLAYER): FIXME */ |
814 | ssl3_record_sequence_update(rl->sequence); | |
fc938db6 MC |
815 | |
816 | /* now let's set up wb */ | |
bf04cbfa | 817 | SSL3_BUFFER_set_left(wb, SSL3_RECORD_get_length(&wr)); |
fc938db6 | 818 | |
248a9bf2 MC |
819 | ret = 1; |
820 | err: | |
821 | if (wpinited > 0) | |
822 | WPACKET_cleanup(thispkt); | |
823 | return ret; | |
fc938db6 MC |
824 | } |
825 | ||
eddb067e MC |
826 | const OSSL_RECORD_METHOD ossl_dtls_record_method = { |
827 | dtls_new_record_layer, | |
828 | dtls_free, | |
829 | tls_reset, | |
830 | tls_unprocessed_read_pending, | |
831 | tls_processed_read_pending, | |
832 | tls_app_data_pending, | |
833 | tls_write_pending, | |
834 | tls_get_max_record_len, | |
835 | tls_get_max_records, | |
602ee1f6 | 836 | tls_write_records, |
2b71b042 | 837 | tls_retry_write_records, |
eddb067e MC |
838 | tls_read_record, |
839 | tls_release_record, | |
840 | tls_get_alert_code, | |
841 | tls_set1_bio, | |
842 | tls_set_protocol_version, | |
843 | NULL, | |
844 | tls_set_first_handshake, | |
845 | tls_set_max_pipelines, | |
d0b17ea0 | 846 | dtls_set_in_init, |
4566dae7 | 847 | tls_get_state, |
1e76110b | 848 | tls_set_options, |
435d88d7 MC |
849 | tls_get_compression, |
850 | tls_set_max_frag_len | |
eddb067e | 851 | }; |