]>
Commit | Line | Data |
---|---|---|
eddb067e MC |
1 | /* |
2 | * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include "../../ssl_local.h" | |
11 | #include "../record_local.h" | |
12 | #include "recmethod_local.h" | |
13 | ||
14 | /* mod 128 saturating subtract of two 64-bit values in big-endian order */ | |
15 | static int satsub64be(const unsigned char *v1, const unsigned char *v2) | |
16 | { | |
17 | int64_t ret; | |
18 | uint64_t l1, l2; | |
19 | ||
20 | n2l8(v1, l1); | |
21 | n2l8(v2, l2); | |
22 | ||
23 | ret = l1 - l2; | |
24 | ||
25 | /* We do not permit wrap-around */ | |
26 | if (l1 > l2 && ret < 0) | |
27 | return 128; | |
28 | else if (l2 > l1 && ret > 0) | |
29 | return -128; | |
30 | ||
31 | if (ret > 128) | |
32 | return 128; | |
33 | else if (ret < -128) | |
34 | return -128; | |
35 | else | |
36 | return (int)ret; | |
37 | } | |
38 | ||
39 | static int dtls1_record_replay_check(SSL_CONNECTION *s, DTLS1_BITMAP *bitmap) | |
40 | { | |
41 | int cmp; | |
42 | unsigned int shift; | |
43 | const unsigned char *seq = s->rlayer.read_sequence; | |
44 | OSSL_RECORD_LAYER *rl = (OSSL_RECORD_LAYER *)s->rrl; | |
45 | ||
46 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
47 | if (cmp > 0) { | |
48 | SSL3_RECORD_set_seq_num(&rl->rrec[0], seq); | |
49 | return 1; /* this record in new */ | |
50 | } | |
51 | shift = -cmp; | |
52 | if (shift >= sizeof(bitmap->map) * 8) | |
53 | return 0; /* stale, outside the window */ | |
54 | else if (bitmap->map & (1UL << shift)) | |
55 | return 0; /* record previously received */ | |
56 | ||
57 | SSL3_RECORD_set_seq_num(&rl->rrec[0], seq); | |
58 | return 1; | |
59 | } | |
60 | ||
61 | static void dtls1_record_bitmap_update(SSL_CONNECTION *s, DTLS1_BITMAP *bitmap) | |
62 | { | |
63 | int cmp; | |
64 | unsigned int shift; | |
65 | const unsigned char *seq = RECORD_LAYER_get_read_sequence(&s->rlayer); | |
66 | ||
67 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
68 | if (cmp > 0) { | |
69 | shift = cmp; | |
70 | if (shift < sizeof(bitmap->map) * 8) | |
71 | bitmap->map <<= shift, bitmap->map |= 1UL; | |
72 | else | |
73 | bitmap->map = 1UL; | |
74 | memcpy(bitmap->max_seq_num, seq, SEQ_NUM_SIZE); | |
75 | } else { | |
76 | shift = -cmp; | |
77 | if (shift < sizeof(bitmap->map) * 8) | |
78 | bitmap->map |= 1UL << shift; | |
79 | } | |
80 | } | |
81 | ||
82 | static DTLS1_BITMAP *dtls1_get_bitmap(SSL_CONNECTION *s, SSL3_RECORD *rr, | |
83 | unsigned int *is_next_epoch) | |
84 | { | |
85 | OSSL_RECORD_LAYER *rl = s->rrl; | |
86 | *is_next_epoch = 0; | |
87 | ||
88 | /* In current epoch, accept HM, CCS, DATA, & ALERT */ | |
89 | if (rr->epoch == s->rlayer.d->r_epoch) | |
90 | return &s->rlayer.d->bitmap; | |
91 | ||
92 | /* | |
93 | * Only HM and ALERT messages can be from the next epoch and only if we | |
94 | * have already processed all of the unprocessed records from the last | |
95 | * epoch | |
96 | */ | |
97 | else if (rr->epoch == (unsigned long)(s->rlayer.d->r_epoch + 1) && | |
98 | rl->unprocessed_rcds.epoch != s->rlayer.d->r_epoch && | |
99 | (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { | |
100 | *is_next_epoch = 1; | |
101 | return &s->rlayer.d->next_bitmap; | |
102 | } | |
103 | ||
104 | return NULL; | |
105 | } | |
106 | ||
107 | static int dtls1_process_record(SSL_CONNECTION *s, DTLS1_BITMAP *bitmap) | |
108 | { | |
109 | int i; | |
110 | int enc_err; | |
111 | SSL_SESSION *sess; | |
112 | SSL3_RECORD *rr; | |
113 | int imac_size; | |
114 | size_t mac_size = 0; | |
115 | unsigned char md[EVP_MAX_MD_SIZE]; | |
116 | size_t max_plain_length = SSL3_RT_MAX_PLAIN_LENGTH; | |
117 | SSL_MAC_BUF macbuf = { NULL, 0 }; | |
118 | int ret = 0; | |
119 | OSSL_RECORD_LAYER *rl = (OSSL_RECORD_LAYER *)s->rrl; | |
120 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); | |
121 | ||
122 | rr = &rl->rrec[0]; | |
123 | sess = s->session; | |
124 | ||
125 | /* | |
126 | * At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LNGTH + rr->length, | |
127 | * and we have that many bytes in s->rlayer.packet | |
128 | */ | |
129 | rr->input = &(s->rrlmethod->get0_packet(s->rrl)[DTLS1_RT_HEADER_LENGTH]); | |
130 | ||
131 | /* | |
132 | * ok, we can now read from 's->rlayer.packet' data into 'rr'. rr->input | |
133 | * points at rr->length bytes, which need to be copied into rr->data by | |
134 | * either the decryption or by the decompression. When the data is 'copied' | |
135 | * into the rr->data buffer, rr->input will be pointed at the new buffer | |
136 | */ | |
137 | ||
138 | /* | |
139 | * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length | |
140 | * bytes of encrypted compressed stuff. | |
141 | */ | |
142 | ||
143 | /* check is not needed I believe */ | |
144 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
145 | SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); | |
146 | return 0; | |
147 | } | |
148 | ||
149 | /* decrypt in place in 'rr->input' */ | |
150 | rr->data = rr->input; | |
151 | rr->orig_len = rr->length; | |
152 | ||
153 | if (s->read_hash != NULL) { | |
154 | const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash); | |
155 | ||
156 | if (tmpmd != NULL) { | |
157 | imac_size = EVP_MD_get_size(tmpmd); | |
158 | if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { | |
159 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); | |
160 | return 0; | |
161 | } | |
162 | mac_size = (size_t)imac_size; | |
163 | } | |
164 | } | |
165 | ||
166 | if (SSL_READ_ETM(s) && s->read_hash) { | |
167 | unsigned char *mac; | |
168 | ||
169 | if (rr->orig_len < mac_size) { | |
170 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); | |
171 | return 0; | |
172 | } | |
173 | rr->length -= mac_size; | |
174 | mac = rr->data + rr->length; | |
175 | i = ssl->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); | |
176 | if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { | |
177 | SSLfatal(s, SSL_AD_BAD_RECORD_MAC, | |
178 | SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); | |
179 | return 0; | |
180 | } | |
181 | /* | |
182 | * We've handled the mac now - there is no MAC inside the encrypted | |
183 | * record | |
184 | */ | |
185 | mac_size = 0; | |
186 | } | |
187 | ||
188 | /* | |
189 | * Set a mark around the packet decryption attempt. This is DTLS, so | |
190 | * bad packets are just ignored, and we don't want to leave stray | |
191 | * errors in the queue from processing bogus junk that we ignored. | |
192 | */ | |
193 | ERR_set_mark(); | |
194 | enc_err = ssl->method->ssl3_enc->enc(s, rr, 1, 0, &macbuf, mac_size); | |
195 | ||
196 | /*- | |
197 | * enc_err is: | |
198 | * 0: if the record is publicly invalid, or an internal error, or AEAD | |
199 | * decryption failed, or ETM decryption failed. | |
200 | * 1: Success or MTE decryption failed (MAC will be randomised) | |
201 | */ | |
202 | if (enc_err == 0) { | |
203 | ERR_pop_to_mark(); | |
204 | if (ossl_statem_in_error(s)) { | |
205 | /* SSLfatal() got called */ | |
206 | goto end; | |
207 | } | |
208 | /* For DTLS we simply ignore bad packets. */ | |
209 | rr->length = 0; | |
210 | s->rrlmethod->reset_packet_length(s->rrl); | |
211 | goto end; | |
212 | } | |
213 | ERR_clear_last_mark(); | |
214 | OSSL_TRACE_BEGIN(TLS) { | |
215 | BIO_printf(trc_out, "dec %zd\n", rr->length); | |
216 | BIO_dump_indent(trc_out, rr->data, rr->length, 4); | |
217 | } OSSL_TRACE_END(TLS); | |
218 | ||
219 | /* r->length is now the compressed data plus mac */ | |
220 | if ((sess != NULL) | |
221 | && !SSL_READ_ETM(s) | |
222 | && (s->enc_read_ctx != NULL) | |
223 | && (EVP_MD_CTX_get0_md(s->read_hash) != NULL)) { | |
224 | /* s->read_hash != NULL => mac_size != -1 */ | |
225 | ||
226 | i = ssl->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); | |
227 | if (i == 0 || macbuf.mac == NULL | |
228 | || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0) | |
229 | enc_err = 0; | |
230 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) | |
231 | enc_err = 0; | |
232 | } | |
233 | ||
234 | if (enc_err == 0) { | |
235 | /* decryption failed, silently discard message */ | |
236 | rr->length = 0; | |
237 | s->rrlmethod->reset_packet_length(s->rrl); | |
238 | goto end; | |
239 | } | |
240 | ||
241 | /* r->length is now just compressed */ | |
242 | if (s->expand != NULL) { | |
243 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { | |
244 | SSLfatal(s, SSL_AD_RECORD_OVERFLOW, | |
245 | SSL_R_COMPRESSED_LENGTH_TOO_LONG); | |
246 | goto end; | |
247 | } | |
248 | if (!ssl3_do_uncompress(s, rr)) { | |
249 | SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION); | |
250 | goto end; | |
251 | } | |
252 | } | |
253 | ||
254 | /* use current Max Fragment Length setting if applicable */ | |
255 | if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) | |
256 | max_plain_length = GET_MAX_FRAGMENT_LENGTH(s->session); | |
257 | ||
258 | /* send overflow if the plaintext is too long now it has passed MAC */ | |
259 | if (rr->length > max_plain_length) { | |
260 | SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); | |
261 | goto end; | |
262 | } | |
263 | ||
264 | rr->off = 0; | |
265 | /*- | |
266 | * So at this point the following is true | |
267 | * ssl->s3.rrec.type is the type of record | |
268 | * ssl->s3.rrec.length == number of bytes in record | |
269 | * ssl->s3.rrec.off == offset to first valid byte | |
270 | * ssl->s3.rrec.data == where to take bytes from, increment | |
271 | * after use :-). | |
272 | */ | |
273 | ||
274 | /* we have pulled in a full packet so zero things */ | |
275 | s->rrlmethod->reset_packet_length(s->rrl); | |
276 | ||
277 | /* Mark receipt of record. */ | |
278 | dtls1_record_bitmap_update(s, bitmap); | |
279 | ||
280 | ret = 1; | |
281 | end: | |
282 | if (macbuf.alloced) | |
283 | OPENSSL_free(macbuf.mac); | |
284 | return ret; | |
285 | } | |
286 | ||
287 | static int dtls_rlayer_buffer_record(SSL_CONNECTION *s, record_pqueue *queue, | |
288 | unsigned char *priority) | |
289 | { | |
290 | DTLS_RLAYER_RECORD_DATA *rdata; | |
291 | pitem *item; | |
292 | OSSL_RECORD_LAYER *rl = (OSSL_RECORD_LAYER *)s->rrl; | |
293 | ||
294 | /* Limit the size of the queue to prevent DOS attacks */ | |
295 | if (pqueue_size(queue->q) >= 100) | |
296 | return 0; | |
297 | ||
298 | rdata = OPENSSL_malloc(sizeof(*rdata)); | |
299 | item = pitem_new(priority, rdata); | |
300 | if (rdata == NULL || item == NULL) { | |
301 | OPENSSL_free(rdata); | |
302 | pitem_free(item); | |
303 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
304 | return -1; | |
305 | } | |
306 | ||
307 | rdata->packet = s->rrlmethod->get0_packet(s->rrl); | |
308 | rdata->packet_length = s->rrlmethod->get_packet_length(s->rrl); | |
309 | memcpy(&(rdata->rbuf), s->rrlmethod->get0_rbuf(s->rrl), sizeof(SSL3_BUFFER)); | |
310 | memcpy(&(rdata->rrec), &rl->rrec[0], sizeof(SSL3_RECORD)); | |
311 | ||
312 | item->data = rdata; | |
313 | ||
314 | s->rrlmethod->set0_packet(s->rrl, NULL, 0); | |
315 | memset(s->rrlmethod->get0_rbuf(s->rrl), 0, sizeof(SSL3_BUFFER)); | |
316 | memset(&rl->rrec[0], 0, sizeof(rl->rrec[0])); | |
317 | ||
318 | if (!ssl3_setup_buffers(s)) { | |
319 | /* SSLfatal() already called */ | |
320 | OPENSSL_free(rdata->rbuf.buf); | |
321 | OPENSSL_free(rdata); | |
322 | pitem_free(item); | |
323 | return -1; | |
324 | } | |
325 | ||
326 | if (pqueue_insert(queue->q, item) == NULL) { | |
327 | /* Must be a duplicate so ignore it */ | |
328 | OPENSSL_free(rdata->rbuf.buf); | |
329 | OPENSSL_free(rdata); | |
330 | pitem_free(item); | |
331 | } | |
332 | ||
333 | return 1; | |
334 | } | |
335 | ||
336 | /* copy buffered record into SSL structure */ | |
337 | static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER *rl, pitem *item) | |
338 | { | |
339 | DTLS_RLAYER_RECORD_DATA *rdata; | |
340 | SSL_CONNECTION *s = (SSL_CONNECTION *)rl->cbarg; | |
341 | ||
342 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
343 | ||
344 | SSL3_BUFFER_release(s->rrlmethod->get0_rbuf(s->rrl)); | |
345 | ||
346 | s->rrlmethod->set0_packet(s->rrl, rdata->packet, rdata->packet_length); | |
347 | memcpy(s->rrlmethod->get0_rbuf(s->rrl), &(rdata->rbuf), sizeof(SSL3_BUFFER)); | |
348 | memcpy(&rl->rrec[0], &(rdata->rrec), sizeof(SSL3_RECORD)); | |
349 | ||
350 | /* Set proper sequence number for mac calculation */ | |
351 | memcpy(&(s->rlayer.read_sequence[2]), &(rdata->packet[5]), 6); | |
352 | ||
353 | return 1; | |
354 | } | |
355 | ||
356 | static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER *rl, | |
357 | record_pqueue *queue) | |
358 | { | |
359 | pitem *item; | |
360 | ||
361 | item = pqueue_pop(queue->q); | |
362 | if (item) { | |
363 | dtls_copy_rlayer_record(rl, item); | |
364 | ||
365 | OPENSSL_free(item->data); | |
366 | pitem_free(item); | |
367 | ||
368 | return 1; | |
369 | } | |
370 | ||
371 | return 0; | |
372 | } | |
373 | ||
374 | static int dtls_process_rlayer_buffered_records(SSL_CONNECTION *s) | |
375 | { | |
376 | pitem *item; | |
377 | SSL3_BUFFER *rb; | |
378 | SSL3_RECORD *rr; | |
379 | DTLS1_BITMAP *bitmap; | |
380 | unsigned int is_next_epoch; | |
381 | int replayok = 1; | |
382 | OSSL_RECORD_LAYER *rl = s->rrl; | |
383 | ||
384 | item = pqueue_peek(rl->unprocessed_rcds.q); | |
385 | if (item) { | |
386 | /* Check if epoch is current. */ | |
387 | if (rl->unprocessed_rcds.epoch != s->rlayer.d->r_epoch) | |
388 | return 1; /* Nothing to do. */ | |
389 | ||
390 | rr = rl->rrec; | |
391 | ||
392 | rb = s->rrlmethod->get0_rbuf(s->rrl); | |
393 | ||
394 | if (SSL3_BUFFER_get_left(rb) > 0) { | |
395 | /* | |
396 | * We've still got data from the current packet to read. There could | |
397 | * be a record from the new epoch in it - so don't overwrite it | |
398 | * with the unprocessed records yet (we'll do it when we've | |
399 | * finished reading the current packet). | |
400 | */ | |
401 | return 1; | |
402 | } | |
403 | ||
404 | /* Process all the records. */ | |
405 | while (pqueue_peek(rl->unprocessed_rcds.q)) { | |
406 | dtls_retrieve_rlayer_buffered_record(rl, &(rl->unprocessed_rcds)); | |
407 | bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); | |
408 | if (bitmap == NULL) { | |
409 | /* | |
410 | * Should not happen. This will only ever be NULL when the | |
411 | * current record is from a different epoch. But that cannot | |
412 | * be the case because we already checked the epoch above | |
413 | */ | |
414 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
415 | return 0; | |
416 | } | |
417 | #ifndef OPENSSL_NO_SCTP | |
418 | /* Only do replay check if no SCTP bio */ | |
419 | if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) | |
420 | #endif | |
421 | { | |
422 | /* | |
423 | * Check whether this is a repeat, or aged record. We did this | |
424 | * check once already when we first received the record - but | |
425 | * we might have updated the window since then due to | |
426 | * records we subsequently processed. | |
427 | */ | |
428 | replayok = dtls1_record_replay_check(s, bitmap); | |
429 | } | |
430 | ||
431 | if (!replayok || !dtls1_process_record(s, bitmap)) { | |
432 | if (ossl_statem_in_error(s)) { | |
433 | /* dtls1_process_record called SSLfatal() */ | |
434 | return 0; | |
435 | } | |
436 | /* dump this record */ | |
437 | rr->length = 0; | |
438 | s->rrlmethod->reset_packet_length(s->rrl); | |
439 | continue; | |
440 | } | |
441 | ||
442 | if (dtls_rlayer_buffer_record(s, &(rl->processed_rcds), | |
443 | SSL3_RECORD_get_seq_num(&rl->rrec[0])) < 0) { | |
444 | /* SSLfatal() already called */ | |
445 | return 0; | |
446 | } | |
447 | } | |
448 | } | |
449 | ||
450 | /* | |
451 | * sync epoch numbers once all the unprocessed records have been | |
452 | * processed | |
453 | */ | |
454 | rl->processed_rcds.epoch = s->rlayer.d->r_epoch; | |
455 | rl->unprocessed_rcds.epoch = s->rlayer.d->r_epoch + 1; | |
456 | ||
457 | return 1; | |
458 | } | |
459 | ||
460 | int dtls_buffer_listen_record(SSL_CONNECTION *s, size_t len, unsigned char *seq, size_t off) | |
461 | { | |
462 | SSL3_RECORD *rr; | |
463 | OSSL_RECORD_LAYER *rl = s->rrl; | |
464 | ||
465 | rr = &rl->rrec[0]; | |
466 | memset(rr, 0, sizeof(SSL3_RECORD)); | |
467 | ||
468 | rr->length = len; | |
469 | rr->type = SSL3_RT_HANDSHAKE; | |
470 | memcpy(rr->seq_num, seq, sizeof(rr->seq_num)); | |
471 | rr->off = off; | |
472 | ||
473 | s->rrlmethod->set0_packet(s->rrl, s->rrlmethod->get0_rbuf(s->rrl)->buf, | |
474 | DTLS1_RT_HEADER_LENGTH + len); | |
475 | rr->data = s->rrlmethod->get0_packet(s->rrl) + DTLS1_RT_HEADER_LENGTH; | |
476 | ||
477 | if (dtls_rlayer_buffer_record(s, &(rl->processed_rcds), | |
478 | SSL3_RECORD_get_seq_num(rr)) <= 0) { | |
479 | /* SSLfatal() already called */ | |
480 | return 0; | |
481 | } | |
482 | ||
483 | return 1; | |
484 | } | |
485 | ||
486 | /*- | |
487 | * Call this to get a new input record. | |
488 | * It will return <= 0 if more data is needed, normally due to an error | |
489 | * or non-blocking IO. | |
490 | * When it finishes, one packet has been decoded and can be found in | |
491 | * ssl->s3.rrec.type - is the type of record | |
492 | * ssl->s3.rrec.data - data | |
493 | * ssl->s3.rrec.length - number of bytes | |
494 | */ | |
495 | /* used only by dtls1_read_bytes */ | |
496 | static int dtls_get_more_records(OSSL_RECORD_LAYER *rl) | |
497 | { | |
498 | int ssl_major, ssl_minor; | |
499 | int rret; | |
500 | size_t more, n; | |
501 | SSL3_RECORD *rr; | |
502 | unsigned char *p = NULL; | |
503 | unsigned short version; | |
504 | DTLS1_BITMAP *bitmap; | |
505 | unsigned int is_next_epoch; | |
506 | /* TODO(RECLAYER): Remove me */ | |
507 | SSL_CONNECTION *s = (SSL_CONNECTION *)rl->cbarg; | |
508 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); | |
509 | ||
510 | rl->num_recs = 0; | |
511 | rl->curr_rec = 0; | |
512 | rl->num_released = 0; | |
513 | ||
514 | rr = rl->rrec; | |
515 | ||
516 | again: | |
517 | /* | |
518 | * The epoch may have changed. If so, process all the pending records. | |
519 | * This is a non-blocking operation. | |
520 | */ | |
521 | if (!dtls_process_rlayer_buffered_records(s)) { | |
522 | /* SSLfatal() already called */ | |
523 | return OSSL_RECORD_RETURN_FATAL; | |
524 | } | |
525 | ||
526 | /* if we're renegotiating, then there may be buffered records */ | |
527 | if (dtls_retrieve_rlayer_buffered_record(rl, &rl->processed_rcds)) { | |
528 | rl->num_recs = 1; | |
529 | return OSSL_RECORD_RETURN_SUCCESS; | |
530 | } | |
531 | ||
532 | /* get something from the wire */ | |
533 | ||
534 | /* check if we have the header */ | |
535 | if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) || | |
536 | (s->rrlmethod->get_packet_length(s->rrl) < DTLS1_RT_HEADER_LENGTH)) { | |
537 | rret = s->rrlmethod->read_n(s->rrl, DTLS1_RT_HEADER_LENGTH, | |
538 | SSL3_BUFFER_get_len(s->rrlmethod->get0_rbuf(s->rrl)), | |
539 | 0, 1, &n); | |
540 | /* read timeout is handled by dtls1_read_bytes */ | |
541 | if (rret < OSSL_RECORD_RETURN_SUCCESS) { | |
542 | /* SSLfatal() already called if appropriate */ | |
543 | return rret; /* error or non-blocking */ | |
544 | } | |
545 | ||
546 | /* this packet contained a partial record, dump it */ | |
547 | if (s->rrlmethod->get_packet_length(s->rrl) != DTLS1_RT_HEADER_LENGTH) { | |
548 | s->rrlmethod->reset_packet_length(s->rrl); | |
549 | goto again; | |
550 | } | |
551 | ||
552 | RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY); | |
553 | ||
554 | p = s->rrlmethod->get0_packet(s->rrl); | |
555 | ||
556 | if (s->msg_callback) | |
557 | s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, | |
558 | ssl, s->msg_callback_arg); | |
559 | ||
560 | /* Pull apart the header into the DTLS1_RECORD */ | |
561 | rr->type = *(p++); | |
562 | ssl_major = *(p++); | |
563 | ssl_minor = *(p++); | |
564 | version = (ssl_major << 8) | ssl_minor; | |
565 | ||
566 | /* sequence number is 64 bits, with top 2 bytes = epoch */ | |
567 | n2s(p, rr->epoch); | |
568 | ||
569 | memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6); | |
570 | p += 6; | |
571 | ||
572 | n2s(p, rr->length); | |
573 | rr->read = 0; | |
574 | ||
575 | /* | |
576 | * Lets check the version. We tolerate alerts that don't have the exact | |
577 | * version number (e.g. because of protocol version errors) | |
578 | */ | |
579 | if (!s->first_packet && rr->type != SSL3_RT_ALERT) { | |
580 | if (version != s->version) { | |
581 | /* unexpected version, silently discard */ | |
582 | rr->length = 0; | |
583 | rr->read = 1; | |
584 | s->rrlmethod->reset_packet_length(s->rrl); | |
585 | goto again; | |
586 | } | |
587 | } | |
588 | ||
589 | if ((version & 0xff00) != (s->version & 0xff00)) { | |
590 | /* wrong version, silently discard record */ | |
591 | rr->length = 0; | |
592 | rr->read = 1; | |
593 | s->rrlmethod->reset_packet_length(s->rrl); | |
594 | goto again; | |
595 | } | |
596 | ||
597 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
598 | /* record too long, silently discard it */ | |
599 | rr->length = 0; | |
600 | rr->read = 1; | |
601 | s->rrlmethod->reset_packet_length(s->rrl); | |
602 | goto again; | |
603 | } | |
604 | ||
605 | /* If received packet overflows own-client Max Fragment Length setting */ | |
606 | if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) | |
607 | && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session) + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) { | |
608 | /* record too long, silently discard it */ | |
609 | rr->length = 0; | |
610 | rr->read = 1; | |
611 | s->rrlmethod->reset_packet_length(s->rrl); | |
612 | goto again; | |
613 | } | |
614 | ||
615 | /* now s->rlayer.rstate == SSL_ST_READ_BODY */ | |
616 | } | |
617 | ||
618 | /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */ | |
619 | ||
620 | if (rr->length > | |
621 | s->rrlmethod->get_packet_length(s->rrl) - DTLS1_RT_HEADER_LENGTH) { | |
622 | /* now s->rlayer.packet_length == DTLS1_RT_HEADER_LENGTH */ | |
623 | more = rr->length; | |
624 | rret = s->rrlmethod->read_n(s->rrl, more, more, 1, 1, &n); | |
625 | /* this packet contained a partial record, dump it */ | |
626 | if (rret < OSSL_RECORD_RETURN_SUCCESS || n != more) { | |
627 | if (ossl_statem_in_error(s)) { | |
628 | /* read_n() called SSLfatal() */ | |
629 | return OSSL_RECORD_RETURN_FATAL; | |
630 | } | |
631 | rr->length = 0; | |
632 | rr->read = 1; | |
633 | s->rrlmethod->reset_packet_length(s->rrl); | |
634 | goto again; | |
635 | } | |
636 | ||
637 | /* | |
638 | * now n == rr->length, and s->rlayer.packet_length == | |
639 | * DTLS1_RT_HEADER_LENGTH + rr->length | |
640 | */ | |
641 | } | |
642 | /* set state for later operations */ | |
643 | RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER); | |
644 | ||
645 | /* match epochs. NULL means the packet is dropped on the floor */ | |
646 | bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); | |
647 | if (bitmap == NULL) { | |
648 | rr->length = 0; | |
649 | s->rrlmethod->reset_packet_length(s->rrl); /* dump this record */ | |
650 | goto again; /* get another record */ | |
651 | } | |
652 | #ifndef OPENSSL_NO_SCTP | |
653 | /* Only do replay check if no SCTP bio */ | |
654 | if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) { | |
655 | #endif | |
656 | /* Check whether this is a repeat, or aged record. */ | |
657 | if (!dtls1_record_replay_check(s, bitmap)) { | |
658 | rr->length = 0; | |
659 | rr->read = 1; | |
660 | s->rrlmethod->reset_packet_length(s->rrl); /* dump this record */ | |
661 | goto again; /* get another record */ | |
662 | } | |
663 | #ifndef OPENSSL_NO_SCTP | |
664 | } | |
665 | #endif | |
666 | ||
667 | /* just read a 0 length packet */ | |
668 | if (rr->length == 0) { | |
669 | rr->read = 1; | |
670 | goto again; | |
671 | } | |
672 | ||
673 | /* | |
674 | * If this record is from the next epoch (either HM or ALERT), and a | |
675 | * handshake is currently in progress, buffer it since it cannot be | |
676 | * processed at this time. | |
677 | */ | |
678 | if (is_next_epoch) { | |
679 | if ((SSL_in_init(ssl) || ossl_statem_get_in_handshake(s))) { | |
680 | if (dtls_rlayer_buffer_record (s, | |
681 | &(rl->unprocessed_rcds), | |
682 | rr->seq_num) < 0) { | |
683 | /* SSLfatal() already called */ | |
684 | return OSSL_RECORD_RETURN_FATAL; | |
685 | } | |
686 | } | |
687 | rr->length = 0; | |
688 | rr->read = 1; | |
689 | s->rrlmethod->reset_packet_length(s->rrl); | |
690 | goto again; | |
691 | } | |
692 | ||
693 | if (!dtls1_process_record(s, bitmap)) { | |
694 | if (ossl_statem_in_error(s)) { | |
695 | /* dtls1_process_record() called SSLfatal */ | |
696 | return OSSL_RECORD_RETURN_FATAL; | |
697 | } | |
698 | rr->length = 0; | |
699 | rr->read = 1; | |
700 | s->rrlmethod->reset_packet_length(s->rrl); /* dump this record */ | |
701 | goto again; /* get another record */ | |
702 | } | |
703 | ||
704 | rl->num_recs = 1; | |
705 | return OSSL_RECORD_RETURN_SUCCESS; | |
706 | ||
707 | } | |
708 | ||
709 | static int dtls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version) | |
710 | { | |
711 | rl->version = version; | |
712 | return 1; | |
713 | } | |
714 | ||
715 | static struct record_functions_st dtls_funcs = { | |
716 | NULL, | |
717 | NULL, | |
718 | dtls_get_more_records, | |
719 | NULL, | |
720 | NULL, | |
721 | dtls_set_protocol_version, | |
722 | NULL | |
723 | }; | |
724 | ||
725 | static int dtls_free(OSSL_RECORD_LAYER *rl) | |
726 | { | |
727 | pitem *item; | |
728 | DTLS_RLAYER_RECORD_DATA *rdata; | |
729 | ||
730 | if (rl->unprocessed_rcds.q == NULL) { | |
731 | while ((item = pqueue_pop(rl->unprocessed_rcds.q)) != NULL) { | |
732 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
733 | OPENSSL_free(rdata->rbuf.buf); | |
734 | OPENSSL_free(item->data); | |
735 | pitem_free(item); | |
736 | } | |
737 | pqueue_free(rl->unprocessed_rcds.q); | |
738 | } | |
739 | ||
740 | if (rl->processed_rcds.q == NULL) { | |
741 | while ((item = pqueue_pop(rl->processed_rcds.q)) != NULL) { | |
742 | rdata = (DTLS_RLAYER_RECORD_DATA *)item->data; | |
743 | OPENSSL_free(rdata->rbuf.buf); | |
744 | OPENSSL_free(item->data); | |
745 | pitem_free(item); | |
746 | } | |
747 | pqueue_free(rl->processed_rcds.q); | |
748 | } | |
749 | ||
750 | return tls_free(rl); | |
751 | } | |
752 | ||
753 | static int | |
754 | dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, | |
755 | int role, int direction, int level, unsigned char *key, | |
756 | size_t keylen, unsigned char *iv, size_t ivlen, | |
757 | unsigned char *mackey, size_t mackeylen, | |
758 | const EVP_CIPHER *ciph, size_t taglen, | |
759 | /* TODO(RECLAYER): This probably should not be an int */ | |
760 | int mactype, | |
761 | const EVP_MD *md, const SSL_COMP *comp, BIO *prev, | |
762 | BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, | |
763 | const OSSL_PARAM *settings, const OSSL_PARAM *options, | |
764 | const OSSL_DISPATCH *fns, void *cbarg, | |
765 | OSSL_RECORD_LAYER **retrl) | |
766 | { | |
767 | int ret; | |
768 | ||
769 | ||
770 | ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level, | |
771 | key, keylen, iv, ivlen, mackey, mackeylen, | |
772 | ciph, taglen, mactype, md, comp, prev, | |
773 | transport, next, local, peer, settings, | |
774 | options, fns, cbarg, retrl); | |
775 | ||
776 | if (ret != OSSL_RECORD_RETURN_SUCCESS) | |
777 | return ret; | |
778 | ||
779 | (*retrl)->unprocessed_rcds.q = pqueue_new(); | |
780 | (*retrl)->processed_rcds.q = pqueue_new(); | |
781 | if ((*retrl)->unprocessed_rcds.q == NULL || (*retrl)->processed_rcds.q == NULL) { | |
782 | dtls_free(*retrl); | |
783 | *retrl = NULL; | |
784 | RLAYERfatal(*retrl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); | |
785 | return OSSL_RECORD_RETURN_FATAL; | |
786 | } | |
787 | ||
788 | (*retrl)->isdtls = 1; | |
789 | (*retrl)->funcs = &dtls_funcs; | |
790 | ||
791 | return OSSL_RECORD_RETURN_SUCCESS; | |
792 | } | |
793 | ||
794 | const OSSL_RECORD_METHOD ossl_dtls_record_method = { | |
795 | dtls_new_record_layer, | |
796 | dtls_free, | |
797 | tls_reset, | |
798 | tls_unprocessed_read_pending, | |
799 | tls_processed_read_pending, | |
800 | tls_app_data_pending, | |
801 | tls_write_pending, | |
802 | tls_get_max_record_len, | |
803 | tls_get_max_records, | |
804 | tls_write_records, | |
805 | tls_retry_write_records, | |
806 | tls_read_record, | |
807 | tls_release_record, | |
808 | tls_get_alert_code, | |
809 | tls_set1_bio, | |
810 | tls_set_protocol_version, | |
811 | NULL, | |
812 | tls_set_first_handshake, | |
813 | tls_set_max_pipelines, | |
814 | ||
815 | /* | |
816 | * TODO(RECLAYER): Remove these. These function pointers are temporary hacks | |
817 | * during the record layer refactoring. They need to be removed before the | |
818 | * refactor is complete. | |
819 | */ | |
820 | tls_default_read_n, | |
821 | tls_get0_rbuf, | |
822 | tls_get0_packet, | |
823 | tls_set0_packet, | |
824 | tls_get_packet_length, | |
825 | tls_reset_packet_length | |
826 | }; |