]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/record/methods/dtls_meth.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Convert dtls_write_records to use standard record layer functions
[thirdparty/openssl.git] / ssl / record / methods / dtls_meth.c
CommitLineData
eddb067e
MC		 1/*
2 * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include "../../ssl_local.h"
11#include "../record_local.h"
12#include "recmethod_local.h"
13
14/* mod 128 saturating subtract of two 64-bit values in big-endian order */
15static int satsub64be(const unsigned char *v1, const unsigned char *v2)
16{
17 int64_t ret;
18 uint64_t l1, l2;
19
20 n2l8(v1, l1);
21 n2l8(v2, l2);
22
23 ret = l1 - l2;
24
25 /* We do not permit wrap-around */
26 if (l1 > l2 && ret < 0)
27 return 128;
28 else if (l2 > l1 && ret > 0)
29 return -128;
30
31 if (ret > 128)
32 return 128;
33 else if (ret < -128)
34 return -128;
35 else
36 return (int)ret;
37}
38
f6aab7b1 39static int dtls_record_replay_check(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
eddb067e
MC		 40{
41 int cmp;
42 unsigned int shift;
222cf410 43 const unsigned char *seq = rl->sequence;
eddb067e
MC		 44
45 cmp = satsub64be(seq, bitmap->max_seq_num);
46 if (cmp > 0) {
47 SSL3_RECORD_set_seq_num(&rl->rrec[0], seq);
48 return 1; /* this record in new */
49 }
50 shift = -cmp;
51 if (shift >= sizeof(bitmap->map) * 8)
52 return 0; /* stale, outside the window */
f6aab7b1 53 else if (bitmap->map & ((uint64_t)1 << shift))
eddb067e
MC		 54 return 0; /* record previously received */
55
56 SSL3_RECORD_set_seq_num(&rl->rrec[0], seq);
57 return 1;
58}
59
3a7a539e 60static void dtls_record_bitmap_update(OSSL_RECORD_LAYER *rl,
f6aab7b1 61 DTLS_BITMAP *bitmap)
eddb067e
MC		 62{
63 int cmp;
64 unsigned int shift;
222cf410 65 const unsigned char *seq = rl->sequence;
eddb067e
MC		 66
67 cmp = satsub64be(seq, bitmap->max_seq_num);
68 if (cmp > 0) {
69 shift = cmp;
70 if (shift < sizeof(bitmap->map) * 8)
71 bitmap->map <<= shift, bitmap->map |= 1UL;
72 else
73 bitmap->map = 1UL;
74 memcpy(bitmap->max_seq_num, seq, SEQ_NUM_SIZE);
75 } else {
76 shift = -cmp;
77 if (shift < sizeof(bitmap->map) * 8)
f6aab7b1 78 bitmap->map |= (uint64_t)1 << shift;
eddb067e
MC		 79 }
80}
81
f6aab7b1
MC		 82static DTLS_BITMAP *dtls_get_bitmap(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rr,
83 unsigned int *is_next_epoch)
eddb067e 84{
eddb067e
MC		 85 *is_next_epoch = 0;
86
87 /* In current epoch, accept HM, CCS, DATA, & ALERT */
222cf410 88 if (rr->epoch == rl->epoch)
bfc0f10d 89 return &rl->bitmap;
eddb067e
MC		 90
91 /*
92 * Only HM and ALERT messages can be from the next epoch and only if we
93 * have already processed all of the unprocessed records from the last
94 * epoch
95 */
1704961c
MC		 96 else if (rr->epoch == (unsigned long)(rl->epoch + 1)
97 && rl->unprocessed_rcds.epoch != rl->epoch
98 && (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
eddb067e 99 *is_next_epoch = 1;
bfc0f10d 100 return &rl->next_bitmap;
eddb067e
MC		 101 }
102
103 return NULL;
104}
105
bfc0f10d
MC		 106static void dtls_set_in_init(OSSL_RECORD_LAYER *rl, int in_init)
107{
108 rl->in_init = in_init;
109}
110
f6aab7b1 111static int dtls_process_record(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
eddb067e
MC		 112{
113 int i;
114 int enc_err;
eddb067e
MC		 115 SSL3_RECORD *rr;
116 int imac_size;
117 size_t mac_size = 0;
118 unsigned char md[EVP_MAX_MD_SIZE];
eddb067e
MC		 119 SSL_MAC_BUF macbuf = { NULL, 0 };
120 int ret = 0;
eddb067e
MC		 121
122 rr = &rl->rrec[0];
eddb067e
MC		 123
124 /*
1704961c 125 * At this point, rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length,
222cf410 126 * and we have that many bytes in rl->packet
eddb067e 127 */
222cf410 128 rr->input = &(rl->packet[DTLS1_RT_HEADER_LENGTH]);
eddb067e
MC		 129
130 /*
222cf410 131 * ok, we can now read from 'rl->packet' data into 'rr'. rr->input
eddb067e
MC		 132 * points at rr->length bytes, which need to be copied into rr->data by
133 * either the decryption or by the decompression. When the data is 'copied'
134 * into the rr->data buffer, rr->input will be pointed at the new buffer
135 */
136
137 /*
138 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
139 * bytes of encrypted compressed stuff.
140 */
141
142 /* check is not needed I believe */
143 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
222cf410 144 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
eddb067e
MC		 145 return 0;
146 }
147
148 /* decrypt in place in 'rr->input' */
149 rr->data = rr->input;
150 rr->orig_len = rr->length;
151
222cf410
MC		 152 if (rl->md_ctx != NULL) {
153 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
eddb067e
MC		 154
155 if (tmpmd != NULL) {
156 imac_size = EVP_MD_get_size(tmpmd);
157 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
1704961c
MC		 158 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
159 return 0;
eddb067e
MC		 160 }
161 mac_size = (size_t)imac_size;
162 }
163 }
164
1704961c 165 if (rl->use_etm && rl->md_ctx != NULL) {
eddb067e
MC		 166 unsigned char *mac;
167
168 if (rr->orig_len < mac_size) {
222cf410 169 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
eddb067e
MC		 170 return 0;
171 }
172 rr->length -= mac_size;
173 mac = rr->data + rr->length;
222cf410 174 i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
eddb067e 175 if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
222cf410
MC		 176 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
177 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
eddb067e
MC		 178 return 0;
179 }
180 /*
181 * We've handled the mac now - there is no MAC inside the encrypted
182 * record
183 */
184 mac_size = 0;
185 }
186
187 /*
188 * Set a mark around the packet decryption attempt. This is DTLS, so
189 * bad packets are just ignored, and we don't want to leave stray
190 * errors in the queue from processing bogus junk that we ignored.
191 */
192 ERR_set_mark();
222cf410 193 enc_err = rl->funcs->cipher(rl, rr, 1, 0, &macbuf, mac_size);
eddb067e
MC		 194
195 /*-
196 * enc_err is:
197 * 0: if the record is publicly invalid, or an internal error, or AEAD
198 * decryption failed, or ETM decryption failed.
199 * 1: Success or MTE decryption failed (MAC will be randomised)
200 */
201 if (enc_err == 0) {
202 ERR_pop_to_mark();
d3192c26
MC		 203 if (rl->alert != SSL_AD_NO_ALERT) {
204 /* RLAYERfatal() already called */
eddb067e
MC		 205 goto end;
206 }
207 /* For DTLS we simply ignore bad packets. */
208 rr->length = 0;
222cf410 209 rl->packet_length = 0;
eddb067e
MC		 210 goto end;
211 }
212 ERR_clear_last_mark();
213 OSSL_TRACE_BEGIN(TLS) {
214 BIO_printf(trc_out, "dec %zd\n", rr->length);
215 BIO_dump_indent(trc_out, rr->data, rr->length, 4);
216 } OSSL_TRACE_END(TLS);
217
218 /* r->length is now the compressed data plus mac */
222cf410
MC		 219 if (!rl->use_etm
220 && (rl->enc_ctx != NULL)
221 && (EVP_MD_CTX_get0_md(rl->md_ctx) != NULL)) {
222 /* rl->md_ctx != NULL => mac_size != -1 */
eddb067e 223
1704961c 224 i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
eddb067e
MC		 225 if (i == 0 || macbuf.mac == NULL
226 || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0)
227 enc_err = 0;
228 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
229 enc_err = 0;
230 }
231
232 if (enc_err == 0) {
233 /* decryption failed, silently discard message */
234 rr->length = 0;
222cf410 235 rl->packet_length = 0;
eddb067e
MC		 236 goto end;
237 }
238
239 /* r->length is now just compressed */
9251c3c4 240 if (rl->compctx != NULL) {
eddb067e 241 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
222cf410
MC		 242 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
243 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
eddb067e
MC		 244 goto end;
245 }
222cf410
MC		 246 if (!tls_do_uncompress(rl, rr)) {
247 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION);
eddb067e
MC		 248 goto end;
249 }
250 }
251
222cf410
MC		 252 /*
253 * Check if the received packet overflows the current Max Fragment
254 * Length setting.
255 */
435d88d7 256 if (rr->length > rl->max_frag_len) {
222cf410 257 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
eddb067e
MC		 258 goto end;
259 }
260
261 rr->off = 0;
262 /*-
263 * So at this point the following is true
264 * ssl->s3.rrec.type is the type of record
265 * ssl->s3.rrec.length == number of bytes in record
266 * ssl->s3.rrec.off == offset to first valid byte
267 * ssl->s3.rrec.data == where to take bytes from, increment
268 * after use :-).
269 */
270
271 /* we have pulled in a full packet so zero things */
222cf410 272 rl->packet_length = 0;
eddb067e
MC		 273
274 /* Mark receipt of record. */
3a7a539e 275 dtls_record_bitmap_update(rl, bitmap);
eddb067e
MC		 276
277 ret = 1;
278 end:
279 if (macbuf.alloced)
280 OPENSSL_free(macbuf.mac);
281 return ret;
282}
283
222cf410 284static int dtls_rlayer_buffer_record(OSSL_RECORD_LAYER *rl, record_pqueue *queue,
eddb067e
MC		 285 unsigned char *priority)
286{
287 DTLS_RLAYER_RECORD_DATA *rdata;
288 pitem *item;
eddb067e
MC		 289
290 /* Limit the size of the queue to prevent DOS attacks */
291 if (pqueue_size(queue->q) >= 100)
292 return 0;
293
294 rdata = OPENSSL_malloc(sizeof(*rdata));
295 item = pitem_new(priority, rdata);
296 if (rdata == NULL || item == NULL) {
297 OPENSSL_free(rdata);
298 pitem_free(item);
222cf410 299 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
eddb067e
MC		 300 return -1;
301 }
302
222cf410
MC		 303 rdata->packet = rl->packet;
304 rdata->packet_length = rl->packet_length;
305 memcpy(&(rdata->rbuf), &rl->rbuf, sizeof(SSL3_BUFFER));
eddb067e
MC		 306 memcpy(&(rdata->rrec), &rl->rrec[0], sizeof(SSL3_RECORD));
307
308 item->data = rdata;
309
222cf410
MC		 310 rl->packet = NULL;
311 rl->packet_length = 0;
312 memset(&rl->rbuf, 0, sizeof(SSL3_BUFFER));
eddb067e
MC		 313 memset(&rl->rrec[0], 0, sizeof(rl->rrec[0]));
314
9b7fb65e
MC		 315 if (!tls_setup_read_buffer(rl)) {
316 /* RLAYERfatal() already called */
eddb067e
MC		 317 OPENSSL_free(rdata->rbuf.buf);
318 OPENSSL_free(rdata);
319 pitem_free(item);
320 return -1;
321 }
322
323 if (pqueue_insert(queue->q, item) == NULL) {
324 /* Must be a duplicate so ignore it */
325 OPENSSL_free(rdata->rbuf.buf);
326 OPENSSL_free(rdata);
327 pitem_free(item);
328 }
329
330 return 1;
331}
332
bfc0f10d 333/* copy buffered record into OSSL_RECORD_LAYER structure */
eddb067e
MC		 334static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER *rl, pitem *item)
335{
336 DTLS_RLAYER_RECORD_DATA *rdata;
eddb067e
MC		 337
338 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
339
222cf410 340 SSL3_BUFFER_release(&rl->rbuf);
eddb067e 341
222cf410
MC		 342 rl->packet = rdata->packet;
343 rl->packet_length = rdata->packet_length;
344 memcpy(&rl->rbuf, &(rdata->rbuf), sizeof(SSL3_BUFFER));
eddb067e
MC		 345 memcpy(&rl->rrec[0], &(rdata->rrec), sizeof(SSL3_RECORD));
346
347 /* Set proper sequence number for mac calculation */
222cf410 348 memcpy(&(rl->sequence[2]), &(rdata->packet[5]), 6);
eddb067e
MC		 349
350 return 1;
351}
352
353static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER *rl,
354 record_pqueue *queue)
355{
356 pitem *item;
357
358 item = pqueue_pop(queue->q);
359 if (item) {
360 dtls_copy_rlayer_record(rl, item);
361
362 OPENSSL_free(item->data);
363 pitem_free(item);
364
365 return 1;
366 }
367
368 return 0;
369}
370
eddb067e
MC		 371/*-
372 * Call this to get a new input record.
373 * It will return <= 0 if more data is needed, normally due to an error
374 * or non-blocking IO.
375 * When it finishes, one packet has been decoded and can be found in
376 * ssl->s3.rrec.type - is the type of record
377 * ssl->s3.rrec.data - data
378 * ssl->s3.rrec.length - number of bytes
379 */
222cf410 380int dtls_get_more_records(OSSL_RECORD_LAYER *rl)
eddb067e
MC		 381{
382 int ssl_major, ssl_minor;
383 int rret;
384 size_t more, n;
385 SSL3_RECORD *rr;
386 unsigned char *p = NULL;
387 unsigned short version;
f6aab7b1 388 DTLS_BITMAP *bitmap;
eddb067e 389 unsigned int is_next_epoch;
eddb067e
MC		 390
391 rl->num_recs = 0;
392 rl->curr_rec = 0;
393 rl->num_released = 0;
394
395 rr = rl->rrec;
396
81c9ebd9 397 if (rl->rbuf.buf == NULL) {
9b7fb65e 398 if (!tls_setup_read_buffer(rl)) {
81c9ebd9
MC		 399 /* RLAYERfatal() already called */
400 return OSSL_RECORD_RETURN_FATAL;
401 }
402 }
403
eddb067e 404 again:
eddb067e
MC		 405 /* if we're renegotiating, then there may be buffered records */
406 if (dtls_retrieve_rlayer_buffered_record(rl, &rl->processed_rcds)) {
407 rl->num_recs = 1;
408 return OSSL_RECORD_RETURN_SUCCESS;
409 }
410
411 /* get something from the wire */
412
413 /* check if we have the header */
222cf410
MC		 414 if ((rl->rstate != SSL_ST_READ_BODY) ||
415 (rl->packet_length < DTLS1_RT_HEADER_LENGTH)) {
416 rret = rl->funcs->read_n(rl, DTLS1_RT_HEADER_LENGTH,
417 SSL3_BUFFER_get_len(&rl->rbuf), 0, 1, &n);
eddb067e
MC		 418 /* read timeout is handled by dtls1_read_bytes */
419 if (rret < OSSL_RECORD_RETURN_SUCCESS) {
1704961c 420 /* RLAYERfatal() already called if appropriate */
eddb067e
MC		 421 return rret; /* error or non-blocking */
422 }
423
424 /* this packet contained a partial record, dump it */
222cf410
MC		 425 if (rl->packet_length != DTLS1_RT_HEADER_LENGTH) {
426 rl->packet_length = 0;
eddb067e
MC		 427 goto again;
428 }
429
222cf410 430 rl->rstate = SSL_ST_READ_BODY;
eddb067e 431
222cf410 432 p = rl->packet;
eddb067e 433
b85ebc4b
MC		 434 if (rl->msg_callback != NULL)
435 rl->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
436 rl->cbarg);
eddb067e
MC		 437
438 /* Pull apart the header into the DTLS1_RECORD */
439 rr->type = *(p++);
440 ssl_major = *(p++);
441 ssl_minor = *(p++);
442 version = (ssl_major << 8) | ssl_minor;
443
444 /* sequence number is 64 bits, with top 2 bytes = epoch */
445 n2s(p, rr->epoch);
446
222cf410 447 memcpy(&(rl->sequence[2]), p, 6);
eddb067e
MC		 448 p += 6;
449
450 n2s(p, rr->length);
eddb067e
MC		 451
452 /*
453 * Lets check the version. We tolerate alerts that don't have the exact
454 * version number (e.g. because of protocol version errors)
455 */
222cf410
MC		 456 if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) {
457 if (version != rl->version) {
eddb067e
MC		 458 /* unexpected version, silently discard */
459 rr->length = 0;
222cf410 460 rl->packet_length = 0;
eddb067e
MC		 461 goto again;
462 }
463 }
464
222cf410
MC		 465 if (ssl_major !=
466 (rl->version == DTLS_ANY_VERSION ? DTLS1_VERSION_MAJOR
1704961c 467 : rl->version >> 8)) {
eddb067e
MC		 468 /* wrong version, silently discard record */
469 rr->length = 0;
222cf410 470 rl->packet_length = 0;
eddb067e
MC		 471 goto again;
472 }
473
474 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
475 /* record too long, silently discard it */
476 rr->length = 0;
222cf410 477 rl->packet_length = 0;
eddb067e
MC		 478 goto again;
479 }
480
222cf410
MC		 481 /*
482 * If received packet overflows maximum possible fragment length then
483 * silently discard it
484 */
435d88d7 485 if (rr->length > rl->max_frag_len + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) {
eddb067e
MC		 486 /* record too long, silently discard it */
487 rr->length = 0;
222cf410 488 rl->packet_length = 0;
eddb067e
MC		 489 goto again;
490 }
491
222cf410 492 /* now rl->rstate == SSL_ST_READ_BODY */
eddb067e
MC		 493 }
494
222cf410 495 /* rl->rstate == SSL_ST_READ_BODY, get and decode the data */
eddb067e 496
1704961c 497 if (rr->length > rl->packet_length - DTLS1_RT_HEADER_LENGTH) {
222cf410 498 /* now rl->packet_length == DTLS1_RT_HEADER_LENGTH */
eddb067e 499 more = rr->length;
222cf410 500 rret = rl->funcs->read_n(rl, more, more, 1, 1, &n);
eddb067e
MC		 501 /* this packet contained a partial record, dump it */
502 if (rret < OSSL_RECORD_RETURN_SUCCESS || n != more) {
d3192c26 503 if (rl->alert != SSL_AD_NO_ALERT) {
222cf410 504 /* read_n() called RLAYERfatal() */
eddb067e
MC		 505 return OSSL_RECORD_RETURN_FATAL;
506 }
507 rr->length = 0;
222cf410 508 rl->packet_length = 0;
eddb067e
MC		 509 goto again;
510 }
511
512 /*
222cf410
MC		 513 * now n == rr->length,
514 * and rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length
eddb067e
MC		 515 */
516 }
517 /* set state for later operations */
222cf410 518 rl->rstate = SSL_ST_READ_HEADER;
eddb067e
MC		 519
520 /* match epochs. NULL means the packet is dropped on the floor */
3a7a539e 521 bitmap = dtls_get_bitmap(rl, rr, &is_next_epoch);
eddb067e
MC		 522 if (bitmap == NULL) {
523 rr->length = 0;
222cf410 524 rl->packet_length = 0; /* dump this record */
eddb067e
MC		 525 goto again; /* get another record */
526 }
527#ifndef OPENSSL_NO_SCTP
528 /* Only do replay check if no SCTP bio */
222cf410 529 if (!BIO_dgram_is_sctp(rl->bio)) {
eddb067e
MC		 530#endif
531 /* Check whether this is a repeat, or aged record. */
3a7a539e 532 if (!dtls_record_replay_check(rl, bitmap)) {
eddb067e 533 rr->length = 0;
222cf410 534 rl->packet_length = 0; /* dump this record */
eddb067e
MC		 535 goto again; /* get another record */
536 }
537#ifndef OPENSSL_NO_SCTP
538 }
539#endif
540
541 /* just read a 0 length packet */
9007412c 542 if (rr->length == 0)
eddb067e 543 goto again;
eddb067e
MC		 544
545 /*
546 * If this record is from the next epoch (either HM or ALERT), and a
547 * handshake is currently in progress, buffer it since it cannot be
548 * processed at this time.
549 */
550 if (is_next_epoch) {
bfc0f10d 551 if (rl->in_init) {
1704961c
MC		 552 if (dtls_rlayer_buffer_record(rl, &(rl->unprocessed_rcds),
553 rr->seq_num) < 0) {
554 /* RLAYERfatal() already called */
eddb067e
MC		 555 return OSSL_RECORD_RETURN_FATAL;
556 }
557 }
558 rr->length = 0;
222cf410 559 rl->packet_length = 0;
eddb067e
MC		 560 goto again;
561 }
562
3a7a539e 563 if (!dtls_process_record(rl, bitmap)) {
d3192c26 564 if (rl->alert != SSL_AD_NO_ALERT) {
3a7a539e 565 /* dtls_process_record() called RLAYERfatal */
eddb067e
MC		 566 return OSSL_RECORD_RETURN_FATAL;
567 }
568 rr->length = 0;
222cf410 569 rl->packet_length = 0; /* dump this record */
eddb067e
MC		 570 goto again; /* get another record */
571 }
572
573 rl->num_recs = 1;
574 return OSSL_RECORD_RETURN_SUCCESS;
eddb067e
MC		 575}
576
eddb067e
MC		 577static int dtls_free(OSSL_RECORD_LAYER *rl)
578{
7a15ed64
MC		 579 SSL3_BUFFER *rbuf;
580 size_t left, written;
eddb067e
MC		 581 pitem *item;
582 DTLS_RLAYER_RECORD_DATA *rdata;
7a15ed64 583 int ret = 1;
eddb067e 584
7a15ed64
MC		 585 rbuf = &rl->rbuf;
586
587 left = rbuf->left;
588 if (left > 0) {
589 /*
590 * This record layer is closing but we still have data left in our
591 * buffer. It must be destined for the next epoch - so push it there.
592 */
593 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
594 rbuf->left = 0;
595 }
596
597 if (rl->unprocessed_rcds.q != NULL) {
eddb067e
MC		 598 while ((item = pqueue_pop(rl->unprocessed_rcds.q)) != NULL) {
599 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
7a15ed64 600 /* Push to the next record layer */
7a15ed64
MC		 601 ret &= BIO_write_ex(rl->next, rdata->packet, rdata->packet_length,
602 &written);
eddb067e
MC		 603 OPENSSL_free(rdata->rbuf.buf);
604 OPENSSL_free(item->data);
605 pitem_free(item);
606 }
607 pqueue_free(rl->unprocessed_rcds.q);
608 }
609
7a15ed64 610 if (rl->processed_rcds.q != NULL) {
eddb067e
MC		 611 while ((item = pqueue_pop(rl->processed_rcds.q)) != NULL) {
612 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
613 OPENSSL_free(rdata->rbuf.buf);
614 OPENSSL_free(item->data);
615 pitem_free(item);
616 }
617 pqueue_free(rl->processed_rcds.q);
618 }
619
7a15ed64 620 return tls_free(rl) && ret;
eddb067e
MC		 621}
622
623static int
624dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
279754d4 625 int role, int direction, int level, uint16_t epoch,
222cf410
MC		 626 unsigned char *key, size_t keylen, unsigned char *iv,
627 size_t ivlen, unsigned char *mackey, size_t mackeylen,
eddb067e 628 const EVP_CIPHER *ciph, size_t taglen,
eddb067e 629 int mactype,
1e76110b 630 const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
eddb067e
MC		 631 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
632 const OSSL_PARAM *settings, const OSSL_PARAM *options,
633 const OSSL_DISPATCH *fns, void *cbarg,
634 OSSL_RECORD_LAYER **retrl)
635{
636 int ret;
637
eddb067e
MC		 638 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
639 key, keylen, iv, ivlen, mackey, mackeylen,
640 ciph, taglen, mactype, md, comp, prev,
641 transport, next, local, peer, settings,
642 options, fns, cbarg, retrl);
643
644 if (ret != OSSL_RECORD_RETURN_SUCCESS)
645 return ret;
646
647 (*retrl)->unprocessed_rcds.q = pqueue_new();
648 (*retrl)->processed_rcds.q = pqueue_new();
1704961c
MC		 649 if ((*retrl)->unprocessed_rcds.q == NULL
650 || (*retrl)->processed_rcds.q == NULL) {
eddb067e
MC		 651 dtls_free(*retrl);
652 *retrl = NULL;
e077455e 653 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
eddb067e
MC		 654 return OSSL_RECORD_RETURN_FATAL;
655 }
656
7a15ed64
MC		 657 (*retrl)->unprocessed_rcds.epoch = epoch + 1;
658 (*retrl)->processed_rcds.epoch = epoch;
659
eddb067e 660 (*retrl)->isdtls = 1;
222cf410 661 (*retrl)->epoch = epoch;
bfc0f10d 662 (*retrl)->in_init = 1;
222cf410
MC		 663
664 switch (vers) {
665 case DTLS_ANY_VERSION:
666 (*retrl)->funcs = &dtls_any_funcs;
667 break;
668 case DTLS1_2_VERSION:
669 case DTLS1_VERSION:
670 case DTLS1_BAD_VER:
671 (*retrl)->funcs = &dtls_1_funcs;
672 break;
673 default:
674 /* Should not happen */
675 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
676 ret = OSSL_RECORD_RETURN_FATAL;
677 goto err;
678 }
eddb067e 679
222cf410 680 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
1704961c
MC		 681 ivlen, mackey, mackeylen, ciph,
682 taglen, mactype, md, comp);
222cf410
MC		 683
684 err:
685 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
686 OPENSSL_free(*retrl);
687 *retrl = NULL;
688 }
689 return ret;
eddb067e
MC		 690}
691
b9e37f8f
MC		 692int dtls_prepare_record_header(OSSL_RECORD_LAYER *rl,
693 WPACKET *thispkt,
694 OSSL_RECORD_TEMPLATE *templ,
695 unsigned int rectype,
696 unsigned char **recdata)
697{
698 size_t maxcomplen;
699
700 *recdata = NULL;
701
702 maxcomplen = templ->buflen;
703 if (rl->compctx != NULL)
704 maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
705
706 if (!WPACKET_put_bytes_u8(thispkt, rectype)
707 || !WPACKET_put_bytes_u16(thispkt, templ->version)
708 || !WPACKET_put_bytes_u16(thispkt, rl->epoch)
709 || !WPACKET_memcpy(thispkt, &(rl->sequence[2]), 6)
710 || !WPACKET_start_sub_packet_u16(thispkt)
711 || (rl->eivlen > 0
712 && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL))
713 || (maxcomplen > 0
714 && !WPACKET_reserve_bytes(thispkt, maxcomplen,
715 recdata))) {
716 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
717 return 0;
718 }
719
720 return 1;
721}
722
602ee1f6
MC		 723int dtls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates,
724 size_t numtempl)
fc938db6 725{
b9e37f8f 726 int mac_size = 0;
fc938db6 727 SSL3_RECORD wr;
bf04cbfa 728 SSL3_BUFFER *wb;
248a9bf2
MC		 729 WPACKET pkt, *thispkt = &pkt;
730 size_t wpinited = 0;
731 int ret = 0;
b9e37f8f 732 unsigned char *compressdata = NULL;
fc938db6 733
b9e37f8f
MC		 734 if (rl->md_ctx != NULL && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
735 mac_size = EVP_MD_CTX_get_size(rl->md_ctx);
fc938db6 736 if (mac_size < 0) {
b9e37f8f 737 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
602ee1f6 738 return 0;
fc938db6
MC		 739 }
740 }
741
bf04cbfa
MC		 742 if (numtempl != 1) {
743 /* Should not happen */
4cdd198e 744 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
602ee1f6 745 return 0;
bf04cbfa
MC		 746 }
747
748 if (!rl->funcs->allocate_write_buffers(rl, templates, numtempl, NULL)) {
749 /* RLAYERfatal() already called */
602ee1f6 750 return 0;
bf04cbfa
MC		 751 }
752
248a9bf2
MC		 753 if (!rl->funcs->initialise_write_packets(rl, templates, numtempl,
754 NULL, thispkt, rl->wbuf,
755 &wpinited)) {
756 /* RLAYERfatal() already called */
757 return 0;
758 }
759
bf04cbfa 760 wb = rl->wbuf;
fc938db6 761
bf04cbfa 762 SSL3_RECORD_set_type(&wr, templates->type);
b9e37f8f
MC		 763 SSL3_RECORD_set_rec_version(&wr, templates->version);
764
765 if (!rl->funcs->prepare_record_header(rl, thispkt, templates,
766 templates->type, &compressdata)) {
767 /* RLAYERfatal() already called */
768 goto err;
769 }
fc938db6
MC		 770
771 /* lets setup the record stuff. */
b9e37f8f 772 SSL3_RECORD_set_data(&wr, compressdata);
bf04cbfa
MC		 773 SSL3_RECORD_set_length(&wr, templates->buflen);
774 SSL3_RECORD_set_input(&wr, (unsigned char *)templates->buf);
fc938db6
MC		 775
776 /*
777 * we now 'read' from wr.input, wr.length bytes into wr.data
778 */
779
780 /* first we compress */
b9e37f8f
MC		 781 if (rl->compctx != NULL) {
782 if (!tls_do_compress(rl, &wr)
783 || !WPACKET_allocate_bytes(thispkt, wr.length, NULL)) {
4cdd198e 784 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE);
248a9bf2 785 goto err;
fc938db6 786 }
b9e37f8f
MC		 787 } else if (compressdata != NULL) {
788 if (!WPACKET_memcpy(thispkt, wr.input, wr.length)) {
4cdd198e 789 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
248a9bf2 790 goto err;
fc938db6 791 }
b9e37f8f 792 SSL3_RECORD_reset_input(&wr);
fc938db6
MC		 793 }
794
b9e37f8f
MC		 795 if (!rl->funcs->prepare_for_encryption(rl, mac_size, thispkt, &wr)) {
796 /* RLAYERfatal() already called */
248a9bf2 797 goto err;
fc938db6
MC		 798 }
799
b9e37f8f
MC		 800 if (rl->funcs->cipher(rl, &wr, 1, 1, NULL, mac_size) < 1) {
801 if (rl->alert == SSL_AD_NO_ALERT) {
4cdd198e 802 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
fc938db6 803 }
b9e37f8f 804 goto err;
fc938db6
MC		 805 }
806
b9e37f8f
MC		 807 if (!rl->funcs->post_encryption_processing(rl, mac_size, templates,
808 thispkt, &wr)) {
809 /* RLAYERfatal() already called */
810 goto err;
811 }
fc938db6 812
b9e37f8f
MC		 813 /* TODO(RECLAYER): FIXME */
814 ssl3_record_sequence_update(rl->sequence);
fc938db6
MC		 815
816 /* now let's set up wb */
bf04cbfa 817 SSL3_BUFFER_set_left(wb, SSL3_RECORD_get_length(&wr));
fc938db6 818
248a9bf2
MC		 819 ret = 1;
820 err:
821 if (wpinited > 0)
822 WPACKET_cleanup(thispkt);
823 return ret;
fc938db6
MC		 824}
825
eddb067e
MC		 826const OSSL_RECORD_METHOD ossl_dtls_record_method = {
827 dtls_new_record_layer,
828 dtls_free,
829 tls_reset,
830 tls_unprocessed_read_pending,
831 tls_processed_read_pending,
832 tls_app_data_pending,
833 tls_write_pending,
834 tls_get_max_record_len,
835 tls_get_max_records,
602ee1f6 836 tls_write_records,
2b71b042 837 tls_retry_write_records,
eddb067e
MC		 838 tls_read_record,
839 tls_release_record,
840 tls_get_alert_code,
841 tls_set1_bio,
842 tls_set_protocol_version,
843 NULL,
844 tls_set_first_handshake,
845 tls_set_max_pipelines,
d0b17ea0 846 dtls_set_in_init,
4566dae7 847 tls_get_state,
1e76110b 848 tls_set_options,
435d88d7
MC		 849 tls_get_compression,
850 tls_set_max_frag_len
eddb067e 851};
A mirror of the official openssl repository