]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/record/methods/dtls_meth.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Move some DTLS read code into the read record layer
[thirdparty/openssl.git] / ssl / record / methods / dtls_meth.c
CommitLineData
eddb067e
MC		 1/*
2 * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include "../../ssl_local.h"
11#include "../record_local.h"
12#include "recmethod_local.h"
13
14/* mod 128 saturating subtract of two 64-bit values in big-endian order */
15static int satsub64be(const unsigned char *v1, const unsigned char *v2)
16{
17 int64_t ret;
18 uint64_t l1, l2;
19
20 n2l8(v1, l1);
21 n2l8(v2, l2);
22
23 ret = l1 - l2;
24
25 /* We do not permit wrap-around */
26 if (l1 > l2 && ret < 0)
27 return 128;
28 else if (l2 > l1 && ret > 0)
29 return -128;
30
31 if (ret > 128)
32 return 128;
33 else if (ret < -128)
34 return -128;
35 else
36 return (int)ret;
37}
38
39static int dtls1_record_replay_check(SSL_CONNECTION *s, DTLS1_BITMAP *bitmap)
40{
41 int cmp;
42 unsigned int shift;
43 const unsigned char *seq = s->rlayer.read_sequence;
44 OSSL_RECORD_LAYER *rl = (OSSL_RECORD_LAYER *)s->rrl;
45
46 cmp = satsub64be(seq, bitmap->max_seq_num);
47 if (cmp > 0) {
48 SSL3_RECORD_set_seq_num(&rl->rrec[0], seq);
49 return 1; /* this record in new */
50 }
51 shift = -cmp;
52 if (shift >= sizeof(bitmap->map) * 8)
53 return 0; /* stale, outside the window */
54 else if (bitmap->map & (1UL << shift))
55 return 0; /* record previously received */
56
57 SSL3_RECORD_set_seq_num(&rl->rrec[0], seq);
58 return 1;
59}
60
61static void dtls1_record_bitmap_update(SSL_CONNECTION *s, DTLS1_BITMAP *bitmap)
62{
63 int cmp;
64 unsigned int shift;
65 const unsigned char *seq = RECORD_LAYER_get_read_sequence(&s->rlayer);
66
67 cmp = satsub64be(seq, bitmap->max_seq_num);
68 if (cmp > 0) {
69 shift = cmp;
70 if (shift < sizeof(bitmap->map) * 8)
71 bitmap->map <<= shift, bitmap->map |= 1UL;
72 else
73 bitmap->map = 1UL;
74 memcpy(bitmap->max_seq_num, seq, SEQ_NUM_SIZE);
75 } else {
76 shift = -cmp;
77 if (shift < sizeof(bitmap->map) * 8)
78 bitmap->map |= 1UL << shift;
79 }
80}
81
82static DTLS1_BITMAP *dtls1_get_bitmap(SSL_CONNECTION *s, SSL3_RECORD *rr,
83 unsigned int *is_next_epoch)
84{
85 OSSL_RECORD_LAYER *rl = s->rrl;
86 *is_next_epoch = 0;
87
88 /* In current epoch, accept HM, CCS, DATA, & ALERT */
89 if (rr->epoch == s->rlayer.d->r_epoch)
90 return &s->rlayer.d->bitmap;
91
92 /*
93 * Only HM and ALERT messages can be from the next epoch and only if we
94 * have already processed all of the unprocessed records from the last
95 * epoch
96 */
97 else if (rr->epoch == (unsigned long)(s->rlayer.d->r_epoch + 1) &&
98 rl->unprocessed_rcds.epoch != s->rlayer.d->r_epoch &&
99 (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
100 *is_next_epoch = 1;
101 return &s->rlayer.d->next_bitmap;
102 }
103
104 return NULL;
105}
106
107static int dtls1_process_record(SSL_CONNECTION *s, DTLS1_BITMAP *bitmap)
108{
109 int i;
110 int enc_err;
111 SSL_SESSION *sess;
112 SSL3_RECORD *rr;
113 int imac_size;
114 size_t mac_size = 0;
115 unsigned char md[EVP_MAX_MD_SIZE];
116 size_t max_plain_length = SSL3_RT_MAX_PLAIN_LENGTH;
117 SSL_MAC_BUF macbuf = { NULL, 0 };
118 int ret = 0;
119 OSSL_RECORD_LAYER *rl = (OSSL_RECORD_LAYER *)s->rrl;
120 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
121
122 rr = &rl->rrec[0];
123 sess = s->session;
124
125 /*
126 * At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
127 * and we have that many bytes in s->rlayer.packet
128 */
129 rr->input = &(s->rrlmethod->get0_packet(s->rrl)[DTLS1_RT_HEADER_LENGTH]);
130
131 /*
132 * ok, we can now read from 's->rlayer.packet' data into 'rr'. rr->input
133 * points at rr->length bytes, which need to be copied into rr->data by
134 * either the decryption or by the decompression. When the data is 'copied'
135 * into the rr->data buffer, rr->input will be pointed at the new buffer
136 */
137
138 /*
139 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
140 * bytes of encrypted compressed stuff.
141 */
142
143 /* check is not needed I believe */
144 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
145 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
146 return 0;
147 }
148
149 /* decrypt in place in 'rr->input' */
150 rr->data = rr->input;
151 rr->orig_len = rr->length;
152
153 if (s->read_hash != NULL) {
154 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash);
155
156 if (tmpmd != NULL) {
157 imac_size = EVP_MD_get_size(tmpmd);
158 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
159 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
160 return 0;
161 }
162 mac_size = (size_t)imac_size;
163 }
164 }
165
166 if (SSL_READ_ETM(s) && s->read_hash) {
167 unsigned char *mac;
168
169 if (rr->orig_len < mac_size) {
170 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
171 return 0;
172 }
173 rr->length -= mac_size;
174 mac = rr->data + rr->length;
175 i = ssl->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
176 if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
177 SSLfatal(s, SSL_AD_BAD_RECORD_MAC,
178 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
179 return 0;
180 }
181 /*
182 * We've handled the mac now - there is no MAC inside the encrypted
183 * record
184 */
185 mac_size = 0;
186 }
187
188 /*
189 * Set a mark around the packet decryption attempt. This is DTLS, so
190 * bad packets are just ignored, and we don't want to leave stray
191 * errors in the queue from processing bogus junk that we ignored.
192 */
193 ERR_set_mark();
194 enc_err = ssl->method->ssl3_enc->enc(s, rr, 1, 0, &macbuf, mac_size);
195
196 /*-
197 * enc_err is:
198 * 0: if the record is publicly invalid, or an internal error, or AEAD
199 * decryption failed, or ETM decryption failed.
200 * 1: Success or MTE decryption failed (MAC will be randomised)
201 */
202 if (enc_err == 0) {
203 ERR_pop_to_mark();
204 if (ossl_statem_in_error(s)) {
205 /* SSLfatal() got called */
206 goto end;
207 }
208 /* For DTLS we simply ignore bad packets. */
209 rr->length = 0;
210 s->rrlmethod->reset_packet_length(s->rrl);
211 goto end;
212 }
213 ERR_clear_last_mark();
214 OSSL_TRACE_BEGIN(TLS) {
215 BIO_printf(trc_out, "dec %zd\n", rr->length);
216 BIO_dump_indent(trc_out, rr->data, rr->length, 4);
217 } OSSL_TRACE_END(TLS);
218
219 /* r->length is now the compressed data plus mac */
220 if ((sess != NULL)
221 && !SSL_READ_ETM(s)
222 && (s->enc_read_ctx != NULL)
223 && (EVP_MD_CTX_get0_md(s->read_hash) != NULL)) {
224 /* s->read_hash != NULL => mac_size != -1 */
225
226 i = ssl->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
227 if (i == 0 || macbuf.mac == NULL
228 || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0)
229 enc_err = 0;
230 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
231 enc_err = 0;
232 }
233
234 if (enc_err == 0) {
235 /* decryption failed, silently discard message */
236 rr->length = 0;
237 s->rrlmethod->reset_packet_length(s->rrl);
238 goto end;
239 }
240
241 /* r->length is now just compressed */
242 if (s->expand != NULL) {
243 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
244 SSLfatal(s, SSL_AD_RECORD_OVERFLOW,
245 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
246 goto end;
247 }
248 if (!ssl3_do_uncompress(s, rr)) {
249 SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION);
250 goto end;
251 }
252 }
253
254 /* use current Max Fragment Length setting if applicable */
255 if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
256 max_plain_length = GET_MAX_FRAGMENT_LENGTH(s->session);
257
258 /* send overflow if the plaintext is too long now it has passed MAC */
259 if (rr->length > max_plain_length) {
260 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
261 goto end;
262 }
263
264 rr->off = 0;
265 /*-
266 * So at this point the following is true
267 * ssl->s3.rrec.type is the type of record
268 * ssl->s3.rrec.length == number of bytes in record
269 * ssl->s3.rrec.off == offset to first valid byte
270 * ssl->s3.rrec.data == where to take bytes from, increment
271 * after use :-).
272 */
273
274 /* we have pulled in a full packet so zero things */
275 s->rrlmethod->reset_packet_length(s->rrl);
276
277 /* Mark receipt of record. */
278 dtls1_record_bitmap_update(s, bitmap);
279
280 ret = 1;
281 end:
282 if (macbuf.alloced)
283 OPENSSL_free(macbuf.mac);
284 return ret;
285}
286
287static int dtls_rlayer_buffer_record(SSL_CONNECTION *s, record_pqueue *queue,
288 unsigned char *priority)
289{
290 DTLS_RLAYER_RECORD_DATA *rdata;
291 pitem *item;
292 OSSL_RECORD_LAYER *rl = (OSSL_RECORD_LAYER *)s->rrl;
293
294 /* Limit the size of the queue to prevent DOS attacks */
295 if (pqueue_size(queue->q) >= 100)
296 return 0;
297
298 rdata = OPENSSL_malloc(sizeof(*rdata));
299 item = pitem_new(priority, rdata);
300 if (rdata == NULL || item == NULL) {
301 OPENSSL_free(rdata);
302 pitem_free(item);
303 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
304 return -1;
305 }
306
307 rdata->packet = s->rrlmethod->get0_packet(s->rrl);
308 rdata->packet_length = s->rrlmethod->get_packet_length(s->rrl);
309 memcpy(&(rdata->rbuf), s->rrlmethod->get0_rbuf(s->rrl), sizeof(SSL3_BUFFER));
310 memcpy(&(rdata->rrec), &rl->rrec[0], sizeof(SSL3_RECORD));
311
312 item->data = rdata;
313
314 s->rrlmethod->set0_packet(s->rrl, NULL, 0);
315 memset(s->rrlmethod->get0_rbuf(s->rrl), 0, sizeof(SSL3_BUFFER));
316 memset(&rl->rrec[0], 0, sizeof(rl->rrec[0]));
317
318 if (!ssl3_setup_buffers(s)) {
319 /* SSLfatal() already called */
320 OPENSSL_free(rdata->rbuf.buf);
321 OPENSSL_free(rdata);
322 pitem_free(item);
323 return -1;
324 }
325
326 if (pqueue_insert(queue->q, item) == NULL) {
327 /* Must be a duplicate so ignore it */
328 OPENSSL_free(rdata->rbuf.buf);
329 OPENSSL_free(rdata);
330 pitem_free(item);
331 }
332
333 return 1;
334}
335
336/* copy buffered record into SSL structure */
337static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER *rl, pitem *item)
338{
339 DTLS_RLAYER_RECORD_DATA *rdata;
340 SSL_CONNECTION *s = (SSL_CONNECTION *)rl->cbarg;
341
342 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
343
344 SSL3_BUFFER_release(s->rrlmethod->get0_rbuf(s->rrl));
345
346 s->rrlmethod->set0_packet(s->rrl, rdata->packet, rdata->packet_length);
347 memcpy(s->rrlmethod->get0_rbuf(s->rrl), &(rdata->rbuf), sizeof(SSL3_BUFFER));
348 memcpy(&rl->rrec[0], &(rdata->rrec), sizeof(SSL3_RECORD));
349
350 /* Set proper sequence number for mac calculation */
351 memcpy(&(s->rlayer.read_sequence[2]), &(rdata->packet[5]), 6);
352
353 return 1;
354}
355
356static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER *rl,
357 record_pqueue *queue)
358{
359 pitem *item;
360
361 item = pqueue_pop(queue->q);
362 if (item) {
363 dtls_copy_rlayer_record(rl, item);
364
365 OPENSSL_free(item->data);
366 pitem_free(item);
367
368 return 1;
369 }
370
371 return 0;
372}
373
374static int dtls_process_rlayer_buffered_records(SSL_CONNECTION *s)
375{
376 pitem *item;
377 SSL3_BUFFER *rb;
378 SSL3_RECORD *rr;
379 DTLS1_BITMAP *bitmap;
380 unsigned int is_next_epoch;
381 int replayok = 1;
382 OSSL_RECORD_LAYER *rl = s->rrl;
383
384 item = pqueue_peek(rl->unprocessed_rcds.q);
385 if (item) {
386 /* Check if epoch is current. */
387 if (rl->unprocessed_rcds.epoch != s->rlayer.d->r_epoch)
388 return 1; /* Nothing to do. */
389
390 rr = rl->rrec;
391
392 rb = s->rrlmethod->get0_rbuf(s->rrl);
393
394 if (SSL3_BUFFER_get_left(rb) > 0) {
395 /*
396 * We've still got data from the current packet to read. There could
397 * be a record from the new epoch in it - so don't overwrite it
398 * with the unprocessed records yet (we'll do it when we've
399 * finished reading the current packet).
400 */
401 return 1;
402 }
403
404 /* Process all the records. */
405 while (pqueue_peek(rl->unprocessed_rcds.q)) {
406 dtls_retrieve_rlayer_buffered_record(rl, &(rl->unprocessed_rcds));
407 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
408 if (bitmap == NULL) {
409 /*
410 * Should not happen. This will only ever be NULL when the
411 * current record is from a different epoch. But that cannot
412 * be the case because we already checked the epoch above
413 */
414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
415 return 0;
416 }
417#ifndef OPENSSL_NO_SCTP
418 /* Only do replay check if no SCTP bio */
419 if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
420#endif
421 {
422 /*
423 * Check whether this is a repeat, or aged record. We did this
424 * check once already when we first received the record - but
425 * we might have updated the window since then due to
426 * records we subsequently processed.
427 */
428 replayok = dtls1_record_replay_check(s, bitmap);
429 }
430
431 if (!replayok || !dtls1_process_record(s, bitmap)) {
432 if (ossl_statem_in_error(s)) {
433 /* dtls1_process_record called SSLfatal() */
434 return 0;
435 }
436 /* dump this record */
437 rr->length = 0;
438 s->rrlmethod->reset_packet_length(s->rrl);
439 continue;
440 }
441
442 if (dtls_rlayer_buffer_record(s, &(rl->processed_rcds),
443 SSL3_RECORD_get_seq_num(&rl->rrec[0])) < 0) {
444 /* SSLfatal() already called */
445 return 0;
446 }
447 }
448 }
449
450 /*
451 * sync epoch numbers once all the unprocessed records have been
452 * processed
453 */
454 rl->processed_rcds.epoch = s->rlayer.d->r_epoch;
455 rl->unprocessed_rcds.epoch = s->rlayer.d->r_epoch + 1;
456
457 return 1;
458}
459
460int dtls_buffer_listen_record(SSL_CONNECTION *s, size_t len, unsigned char *seq, size_t off)
461{
462 SSL3_RECORD *rr;
463 OSSL_RECORD_LAYER *rl = s->rrl;
464
465 rr = &rl->rrec[0];
466 memset(rr, 0, sizeof(SSL3_RECORD));
467
468 rr->length = len;
469 rr->type = SSL3_RT_HANDSHAKE;
470 memcpy(rr->seq_num, seq, sizeof(rr->seq_num));
471 rr->off = off;
472
473 s->rrlmethod->set0_packet(s->rrl, s->rrlmethod->get0_rbuf(s->rrl)->buf,
474 DTLS1_RT_HEADER_LENGTH + len);
475 rr->data = s->rrlmethod->get0_packet(s->rrl) + DTLS1_RT_HEADER_LENGTH;
476
477 if (dtls_rlayer_buffer_record(s, &(rl->processed_rcds),
478 SSL3_RECORD_get_seq_num(rr)) <= 0) {
479 /* SSLfatal() already called */
480 return 0;
481 }
482
483 return 1;
484}
485
486/*-
487 * Call this to get a new input record.
488 * It will return <= 0 if more data is needed, normally due to an error
489 * or non-blocking IO.
490 * When it finishes, one packet has been decoded and can be found in
491 * ssl->s3.rrec.type - is the type of record
492 * ssl->s3.rrec.data - data
493 * ssl->s3.rrec.length - number of bytes
494 */
495/* used only by dtls1_read_bytes */
496static int dtls_get_more_records(OSSL_RECORD_LAYER *rl)
497{
498 int ssl_major, ssl_minor;
499 int rret;
500 size_t more, n;
501 SSL3_RECORD *rr;
502 unsigned char *p = NULL;
503 unsigned short version;
504 DTLS1_BITMAP *bitmap;
505 unsigned int is_next_epoch;
506 /* TODO(RECLAYER): Remove me */
507 SSL_CONNECTION *s = (SSL_CONNECTION *)rl->cbarg;
508 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
509
510 rl->num_recs = 0;
511 rl->curr_rec = 0;
512 rl->num_released = 0;
513
514 rr = rl->rrec;
515
516 again:
517 /*
518 * The epoch may have changed. If so, process all the pending records.
519 * This is a non-blocking operation.
520 */
521 if (!dtls_process_rlayer_buffered_records(s)) {
522 /* SSLfatal() already called */
523 return OSSL_RECORD_RETURN_FATAL;
524 }
525
526 /* if we're renegotiating, then there may be buffered records */
527 if (dtls_retrieve_rlayer_buffered_record(rl, &rl->processed_rcds)) {
528 rl->num_recs = 1;
529 return OSSL_RECORD_RETURN_SUCCESS;
530 }
531
532 /* get something from the wire */
533
534 /* check if we have the header */
535 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
536 (s->rrlmethod->get_packet_length(s->rrl) < DTLS1_RT_HEADER_LENGTH)) {
537 rret = s->rrlmethod->read_n(s->rrl, DTLS1_RT_HEADER_LENGTH,
538 SSL3_BUFFER_get_len(s->rrlmethod->get0_rbuf(s->rrl)),
539 0, 1, &n);
540 /* read timeout is handled by dtls1_read_bytes */
541 if (rret < OSSL_RECORD_RETURN_SUCCESS) {
542 /* SSLfatal() already called if appropriate */
543 return rret; /* error or non-blocking */
544 }
545
546 /* this packet contained a partial record, dump it */
547 if (s->rrlmethod->get_packet_length(s->rrl) != DTLS1_RT_HEADER_LENGTH) {
548 s->rrlmethod->reset_packet_length(s->rrl);
549 goto again;
550 }
551
552 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
553
554 p = s->rrlmethod->get0_packet(s->rrl);
555
556 if (s->msg_callback)
557 s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
558 ssl, s->msg_callback_arg);
559
560 /* Pull apart the header into the DTLS1_RECORD */
561 rr->type = *(p++);
562 ssl_major = *(p++);
563 ssl_minor = *(p++);
564 version = (ssl_major << 8) | ssl_minor;
565
566 /* sequence number is 64 bits, with top 2 bytes = epoch */
567 n2s(p, rr->epoch);
568
569 memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6);
570 p += 6;
571
572 n2s(p, rr->length);
573 rr->read = 0;
574
575 /*
576 * Lets check the version. We tolerate alerts that don't have the exact
577 * version number (e.g. because of protocol version errors)
578 */
579 if (!s->first_packet && rr->type != SSL3_RT_ALERT) {
580 if (version != s->version) {
581 /* unexpected version, silently discard */
582 rr->length = 0;
583 rr->read = 1;
584 s->rrlmethod->reset_packet_length(s->rrl);
585 goto again;
586 }
587 }
588
589 if ((version & 0xff00) != (s->version & 0xff00)) {
590 /* wrong version, silently discard record */
591 rr->length = 0;
592 rr->read = 1;
593 s->rrlmethod->reset_packet_length(s->rrl);
594 goto again;
595 }
596
597 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
598 /* record too long, silently discard it */
599 rr->length = 0;
600 rr->read = 1;
601 s->rrlmethod->reset_packet_length(s->rrl);
602 goto again;
603 }
604
605 /* If received packet overflows own-client Max Fragment Length setting */
606 if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
607 && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session) + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) {
608 /* record too long, silently discard it */
609 rr->length = 0;
610 rr->read = 1;
611 s->rrlmethod->reset_packet_length(s->rrl);
612 goto again;
613 }
614
615 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
616 }
617
618 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
619
620 if (rr->length >
621 s->rrlmethod->get_packet_length(s->rrl) - DTLS1_RT_HEADER_LENGTH) {
622 /* now s->rlayer.packet_length == DTLS1_RT_HEADER_LENGTH */
623 more = rr->length;
624 rret = s->rrlmethod->read_n(s->rrl, more, more, 1, 1, &n);
625 /* this packet contained a partial record, dump it */
626 if (rret < OSSL_RECORD_RETURN_SUCCESS || n != more) {
627 if (ossl_statem_in_error(s)) {
628 /* read_n() called SSLfatal() */
629 return OSSL_RECORD_RETURN_FATAL;
630 }
631 rr->length = 0;
632 rr->read = 1;
633 s->rrlmethod->reset_packet_length(s->rrl);
634 goto again;
635 }
636
637 /*
638 * now n == rr->length, and s->rlayer.packet_length ==
639 * DTLS1_RT_HEADER_LENGTH + rr->length
640 */
641 }
642 /* set state for later operations */
643 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
644
645 /* match epochs. NULL means the packet is dropped on the floor */
646 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
647 if (bitmap == NULL) {
648 rr->length = 0;
649 s->rrlmethod->reset_packet_length(s->rrl); /* dump this record */
650 goto again; /* get another record */
651 }
652#ifndef OPENSSL_NO_SCTP
653 /* Only do replay check if no SCTP bio */
654 if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
655#endif
656 /* Check whether this is a repeat, or aged record. */
657 if (!dtls1_record_replay_check(s, bitmap)) {
658 rr->length = 0;
659 rr->read = 1;
660 s->rrlmethod->reset_packet_length(s->rrl); /* dump this record */
661 goto again; /* get another record */
662 }
663#ifndef OPENSSL_NO_SCTP
664 }
665#endif
666
667 /* just read a 0 length packet */
668 if (rr->length == 0) {
669 rr->read = 1;
670 goto again;
671 }
672
673 /*
674 * If this record is from the next epoch (either HM or ALERT), and a
675 * handshake is currently in progress, buffer it since it cannot be
676 * processed at this time.
677 */
678 if (is_next_epoch) {
679 if ((SSL_in_init(ssl) || ossl_statem_get_in_handshake(s))) {
680 if (dtls_rlayer_buffer_record (s,
681 &(rl->unprocessed_rcds),
682 rr->seq_num) < 0) {
683 /* SSLfatal() already called */
684 return OSSL_RECORD_RETURN_FATAL;
685 }
686 }
687 rr->length = 0;
688 rr->read = 1;
689 s->rrlmethod->reset_packet_length(s->rrl);
690 goto again;
691 }
692
693 if (!dtls1_process_record(s, bitmap)) {
694 if (ossl_statem_in_error(s)) {
695 /* dtls1_process_record() called SSLfatal */
696 return OSSL_RECORD_RETURN_FATAL;
697 }
698 rr->length = 0;
699 rr->read = 1;
700 s->rrlmethod->reset_packet_length(s->rrl); /* dump this record */
701 goto again; /* get another record */
702 }
703
704 rl->num_recs = 1;
705 return OSSL_RECORD_RETURN_SUCCESS;
706
707}
708
709static int dtls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
710{
711 rl->version = version;
712 return 1;
713}
714
715static struct record_functions_st dtls_funcs = {
716 NULL,
717 NULL,
718 dtls_get_more_records,
719 NULL,
720 NULL,
721 dtls_set_protocol_version,
722 NULL
723};
724
725static int dtls_free(OSSL_RECORD_LAYER *rl)
726{
727 pitem *item;
728 DTLS_RLAYER_RECORD_DATA *rdata;
729
730 if (rl->unprocessed_rcds.q == NULL) {
731 while ((item = pqueue_pop(rl->unprocessed_rcds.q)) != NULL) {
732 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
733 OPENSSL_free(rdata->rbuf.buf);
734 OPENSSL_free(item->data);
735 pitem_free(item);
736 }
737 pqueue_free(rl->unprocessed_rcds.q);
738 }
739
740 if (rl->processed_rcds.q == NULL) {
741 while ((item = pqueue_pop(rl->processed_rcds.q)) != NULL) {
742 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
743 OPENSSL_free(rdata->rbuf.buf);
744 OPENSSL_free(item->data);
745 pitem_free(item);
746 }
747 pqueue_free(rl->processed_rcds.q);
748 }
749
750 return tls_free(rl);
751}
752
753static int
754dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
755 int role, int direction, int level, unsigned char *key,
756 size_t keylen, unsigned char *iv, size_t ivlen,
757 unsigned char *mackey, size_t mackeylen,
758 const EVP_CIPHER *ciph, size_t taglen,
759 /* TODO(RECLAYER): This probably should not be an int */
760 int mactype,
761 const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
762 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
763 const OSSL_PARAM *settings, const OSSL_PARAM *options,
764 const OSSL_DISPATCH *fns, void *cbarg,
765 OSSL_RECORD_LAYER **retrl)
766{
767 int ret;
768
769
770 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
771 key, keylen, iv, ivlen, mackey, mackeylen,
772 ciph, taglen, mactype, md, comp, prev,
773 transport, next, local, peer, settings,
774 options, fns, cbarg, retrl);
775
776 if (ret != OSSL_RECORD_RETURN_SUCCESS)
777 return ret;
778
779 (*retrl)->unprocessed_rcds.q = pqueue_new();
780 (*retrl)->processed_rcds.q = pqueue_new();
781 if ((*retrl)->unprocessed_rcds.q == NULL || (*retrl)->processed_rcds.q == NULL) {
782 dtls_free(*retrl);
783 *retrl = NULL;
784 RLAYERfatal(*retrl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
785 return OSSL_RECORD_RETURN_FATAL;
786 }
787
788 (*retrl)->isdtls = 1;
789 (*retrl)->funcs = &dtls_funcs;
790
791 return OSSL_RECORD_RETURN_SUCCESS;
792}
793
794const OSSL_RECORD_METHOD ossl_dtls_record_method = {
795 dtls_new_record_layer,
796 dtls_free,
797 tls_reset,
798 tls_unprocessed_read_pending,
799 tls_processed_read_pending,
800 tls_app_data_pending,
801 tls_write_pending,
802 tls_get_max_record_len,
803 tls_get_max_records,
804 tls_write_records,
805 tls_retry_write_records,
806 tls_read_record,
807 tls_release_record,
808 tls_get_alert_code,
809 tls_set1_bio,
810 tls_set_protocol_version,
811 NULL,
812 tls_set_first_handshake,
813 tls_set_max_pipelines,
814
815 /*
816 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
817 * during the record layer refactoring. They need to be removed before the
818 * refactor is complete.
819 */
820 tls_default_read_n,
821 tls_get0_rbuf,
822 tls_get0_packet,
823 tls_set0_packet,
824 tls_get_packet_length,
825 tls_reset_packet_length
826};
A mirror of the official openssl repository