[thirdparty/openssl.git] / ssl / record / methods / tls1_meth.c

/*
 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/evp.h>
#include <openssl/core_names.h>
#include <openssl/rand.h>
#include "../../ssl_local.h"
#include "../record_local.h"
#include "recmethod_local.h"

/* TODO(RECLAYER): Handle OPENSSL_NO_COMP */
static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
                                 unsigned char *key, size_t keylen,
                                 unsigned char *iv, size_t ivlen,
                                 unsigned char *mackey, size_t mackeylen,
                                 const EVP_CIPHER *ciph,
                                 size_t taglen,
                                 /* TODO(RECLAYER): This probably should not be an int */
                                 int mactype,
                                 const EVP_MD *md,
                                 const SSL_COMP *comp)
{
    EVP_CIPHER_CTX *ciph_ctx;
    EVP_PKEY *mac_key;

    if (level != OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        return OSSL_RECORD_RETURN_FATAL;

    if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) {
        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
        return OSSL_RECORD_RETURN_FATAL;
    }

    ciph_ctx = rl->enc_ctx;

    rl->md_ctx = EVP_MD_CTX_new();
    if (rl->md_ctx == NULL) {
        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return OSSL_RECORD_RETURN_FATAL;
    }
#ifndef OPENSSL_NO_COMP
    if (comp != NULL) {
        rl->expand = COMP_CTX_new(comp->method);
        if (rl->expand == NULL) {
            ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
            return OSSL_RECORD_RETURN_FATAL;
        }
    }
#endif

    /*
     * If we have an AEAD Cipher, then there is no separate MAC, so we can skip
     * setting up the MAC key.
     */
    if (!(EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
        if (mactype == EVP_PKEY_HMAC) {
            mac_key = EVP_PKEY_new_raw_private_key_ex(rl->libctx, "HMAC",
                                                      rl->propq, mackey,
                                                      mackeylen);
        } else {
            /*
             * If its not HMAC then the only other types of MAC we support are
             * the GOST MACs, so we need to use the old style way of creating
             * a MAC key.
             */
            mac_key = EVP_PKEY_new_mac_key(mactype, NULL, mackey,
                                           (int)mackeylen);
        }
        if (mac_key == NULL
            || EVP_DigestSignInit_ex(rl->md_ctx, NULL, EVP_MD_get0_name(md),
                                     rl->libctx, rl->propq, mac_key,
                                     NULL) <= 0) {
            EVP_PKEY_free(mac_key);
            ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
            return OSSL_RECORD_RETURN_FATAL;
        }
        EVP_PKEY_free(mac_key);
    }

    if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_GCM_MODE) {
        if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, key, NULL)
                || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_GCM_SET_IV_FIXED,
                                       (int)ivlen, iv) <= 0) {
            ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
            return OSSL_RECORD_RETURN_FATAL;
        }
    } else if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) {
        if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, NULL, NULL)
                || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, 12,
                                       NULL) <= 0
                || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,
                                       (int)taglen, NULL) <= 0
                || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_CCM_SET_IV_FIXED,
                                       (int)ivlen, iv) <= 0
                   /*
                    * TODO(RECLAYER): Why do we defer setting the key until here?
                    * why not in the initial EVP_DecryptInit_ex() call?
                    */
                || !EVP_DecryptInit_ex(ciph_ctx, NULL, NULL, key, NULL)) {
            ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
            return OSSL_RECORD_RETURN_FATAL;
        }
    } else {
        if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, key, iv)) {
            ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
            return OSSL_RECORD_RETURN_FATAL;
        }
    }
    /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
    if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
        && mackeylen != 0
        && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
                               (int)mackeylen, mackey) <= 0) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        return OSSL_RECORD_RETURN_FATAL;
    }
    if (EVP_CIPHER_get0_provider(ciph) != NULL
            && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md))
        return OSSL_RECORD_RETURN_FATAL;

    return OSSL_RECORD_RETURN_SUCCESS;
}

#define MAX_PADDING 256
/*-
 * tls1_cipher encrypts/decrypts |n_recs| in |recs|. Calls SSLfatal on internal
 * error, but not otherwise. It is the responsibility of the caller to report
 * a bad_record_mac - if appropriate (DTLS just drops the record).
 *
 * Returns:
 *    0: if the record is publicly invalid, or an internal error, or AEAD
 *       decryption failed, or Encrypt-then-mac decryption failed.
 *    1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
 */
static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
                       int sending, SSL_MAC_BUF *macs, size_t macsize)
{
    EVP_CIPHER_CTX *ds;
    size_t reclen[SSL_MAX_PIPELINES];
    unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
    int i, pad = 0, tmpr, provided;
    size_t bs, ctr, padnum, loop;
    unsigned char padval;
    const EVP_CIPHER *enc;

    if (n_recs == 0) {
        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }


    if (EVP_MD_CTX_get0_md(rl->md_ctx)) {
        int n = EVP_MD_CTX_get_size(rl->md_ctx);
        if (!ossl_assert(n >= 0)) {
            RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
    }
    ds = rl->enc_ctx;
    if (!ossl_assert(rl->enc_ctx)) {
        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    enc = EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx);

    if (sending) {
        int ivlen;

        /* For TLSv1.1 and later explicit IV */
        if (RLAYER_USE_EXPLICIT_IV(rl)
            && EVP_CIPHER_get_mode(enc) == EVP_CIPH_CBC_MODE)
            ivlen = EVP_CIPHER_get_iv_length(enc);
        else
            ivlen = 0;
        if (ivlen > 1) {
            for (ctr = 0; ctr < n_recs; ctr++) {
                if (recs[ctr].data != recs[ctr].input) {
                    /*
                        * we can't write into the input stream: Can this ever
                        * happen?? (steve)
                        */
                    RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                    return 0;
                } else if (RAND_bytes_ex(rl->libctx, recs[ctr].input,
                                            ivlen, 0) <= 0) {
                    RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                    return 0;
                }
            }
        }
    }
    if (!ossl_assert(enc != NULL)) {
        RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    provided = (EVP_CIPHER_get0_provider(enc) != NULL);

    bs = EVP_CIPHER_get_block_size(EVP_CIPHER_CTX_get0_cipher(ds));

    if (n_recs > 1) {
        if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
                & EVP_CIPH_FLAG_PIPELINE) == 0) {
            /*
                * We shouldn't have been called with pipeline data if the
                * cipher doesn't support pipelining
                */
            RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
            return 0;
        }
    }
    for (ctr = 0; ctr < n_recs; ctr++) {
        reclen[ctr] = recs[ctr].length;

        if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
                    & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
            unsigned char *seq;

            seq = rl->sequence;

            if (rl->isdtls) {
#if 0
                /* TODO(RECLAYER): FIXME */
                /* DTLS does not support pipelining */
                unsigned char dtlsseq[8], *p = dtlsseq;

                s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
                    DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
                memcpy(p, &seq[2], 6);
                memcpy(buf[ctr], dtlsseq, 8);
#endif
            } else {
                memcpy(buf[ctr], seq, 8);
                for (i = 7; i >= 0; i--) { /* increment */
                    ++seq[i];
                    if (seq[i] != 0)
                        break;
                }
            }

            buf[ctr][8] = recs[ctr].type;
            buf[ctr][9] = (unsigned char)(rl->version >> 8);
            buf[ctr][10] = (unsigned char)(rl->version);
            buf[ctr][11] = (unsigned char)(recs[ctr].length >> 8);
            buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff);
            pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
                                        EVP_AEAD_TLS1_AAD_LEN, buf[ctr]);
            if (pad <= 0) {
                RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return 0;
            }

            if (sending) {
                reclen[ctr] += pad;
                recs[ctr].length += pad;
            }

        } else if ((bs != 1) && sending && !provided) {
            /*
                * We only do this for legacy ciphers. Provided ciphers add the
                * padding on the provider side.
                */
            padnum = bs - (reclen[ctr] % bs);

            /* Add weird padding of up to 256 bytes */

            if (padnum > MAX_PADDING) {
                RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return 0;
            }
            /* we need to add 'padnum' padding bytes of value padval */
            padval = (unsigned char)(padnum - 1);
            for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++)
                recs[ctr].input[loop] = padval;
            reclen[ctr] += padnum;
            recs[ctr].length += padnum;
        }

        if (!sending) {
            if (reclen[ctr] == 0 || reclen[ctr] % bs != 0) {
                /* Publicly invalid */
                return 0;
            }
        }
    }
    if (n_recs > 1) {
        unsigned char *data[SSL_MAX_PIPELINES];

        /* Set the output buffers */
        for (ctr = 0; ctr < n_recs; ctr++) {
            data[ctr] = recs[ctr].data;
        }
        if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
                                (int)n_recs, data) <= 0) {
            RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
            return 0;
        }
        /* Set the input buffers */
        for (ctr = 0; ctr < n_recs; ctr++) {
            data[ctr] = recs[ctr].input;
        }
        if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS,
                                (int)n_recs, data) <= 0
            || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
                                    (int)n_recs, reclen) <= 0) {
            RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
            return 0;
        }
    }

    if (!rl->isdtls && rl->tlstree) {
        unsigned char *seq;
        int decrement_seq = 0;

        /*
            * When sending, seq is incremented after MAC calculation.
            * So if we are in ETM mode, we use seq 'as is' in the ctrl-function.
            * Otherwise we have to decrease it in the implementation
            */
        if (sending && !rl->use_etm)
            decrement_seq = 1;

        seq = rl->sequence;
        if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_TLSTREE, decrement_seq, seq) <= 0) {
            RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
    }

    if (provided) {
        int outlen;

        /* Provided cipher - we do not support pipelining on this path */
        if (n_recs > 1)  {
            RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }

        if (!EVP_CipherUpdate(ds, recs[0].data, &outlen, recs[0].input,
                                (unsigned int)reclen[0]))
            return 0;
        recs[0].length = outlen;

        /*
            * The length returned from EVP_CipherUpdate above is the actual
            * payload length. We need to adjust the data/input ptr to skip over
            * any explicit IV
            */
        if (!sending) {
            if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
                    recs[0].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
                    recs[0].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
            } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
                    recs[0].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
                    recs[0].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
            } else if (bs != 1 && RLAYER_USE_EXPLICIT_IV(rl)) {
                recs[0].data += bs;
                recs[0].input += bs;
                recs[0].orig_len -= bs;
            }

            /* Now get a pointer to the MAC (if applicable) */
            if (macs != NULL) {
                OSSL_PARAM params[2], *p = params;

                /* Get the MAC */
                macs[0].alloced = 0;

                *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
                                                        (void **)&macs[0].mac,
                                                        macsize);
                *p = OSSL_PARAM_construct_end();

                if (!EVP_CIPHER_CTX_get_params(ds, params)) {
                    /* Shouldn't normally happen */
                    RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
                                ERR_R_INTERNAL_ERROR);
                    return 0;
                }
            }
        }
    } else {
        /* Legacy cipher */

        tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
                            (unsigned int)reclen[0]);
        if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
                & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0
            ? (tmpr < 0)
            : (tmpr == 0)) {
            /* AEAD can fail to verify MAC */
            return 0;
        }

        if (!sending) {
            for (ctr = 0; ctr < n_recs; ctr++) {
                /* Adjust the record to remove the explicit IV/MAC/Tag */
                if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
                    recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
                    recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
                    recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
                } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
                    recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
                    recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
                    recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
                } else if (bs != 1 && RLAYER_USE_EXPLICIT_IV(rl)) {
                    if (recs[ctr].length < bs)
                        return 0;
                    recs[ctr].data += bs;
                    recs[ctr].input += bs;
                    recs[ctr].length -= bs;
                    recs[ctr].orig_len -= bs;
                }

                /*
                    * If using Mac-then-encrypt, then this will succeed but
                    * with a random MAC if padding is invalid
                    */
                if (!tls1_cbc_remove_padding_and_mac(&recs[ctr].length,
                                        recs[ctr].orig_len,
                                        recs[ctr].data,
                                        (macs != NULL) ? &macs[ctr].mac : NULL,
                                        (macs != NULL) ? &macs[ctr].alloced
                                                    : NULL,
                                        bs,
                                        pad ? (size_t)pad : macsize,
                                        (EVP_CIPHER_get_flags(enc)
                                        & EVP_CIPH_FLAG_AEAD_CIPHER) != 0,
                                        rl->libctx))
                    return 0;
            }
        }
    }
    return 1;
}

static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
                    int sending)
{
    unsigned char *seq = rl->sequence;
    EVP_MD_CTX *hash;
    size_t md_size;
    int i;
    EVP_MD_CTX *hmac = NULL, *mac_ctx;
    unsigned char header[13];
    int t;
    int ret = 0;

    hash = rl->md_ctx;

    t = EVP_MD_CTX_get_size(hash);
    if (!ossl_assert(t >= 0))
        return 0;
    md_size = t;

    if (rl->stream_mac) {
        mac_ctx = hash;
    } else {
        hmac = EVP_MD_CTX_new();
        if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) {
            goto end;
        }
        mac_ctx = hmac;
    }

    if (!rl->isdtls
            && rl->tlstree
            && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) {
        goto end;
    }

    if (rl->isdtls) {
#if 0
        /* TODO(RECLAYER): FIX ME */
        unsigned char dtlsseq[8], *p = dtlsseq;

        s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
            DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
        memcpy(p, &seq[2], 6);

        memcpy(header, dtlsseq, 8);
#endif
    } else
        memcpy(header, seq, 8);

    header[8] = rec->type;
    header[9] = (unsigned char)(rl->version >> 8);
    header[10] = (unsigned char)(rl->version);
    header[11] = (unsigned char)(rec->length >> 8);
    header[12] = (unsigned char)(rec->length & 0xff);

    if (!sending && !rl->use_etm
        && EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE
        && ssl3_cbc_record_digest_supported(mac_ctx)) {
        OSSL_PARAM tls_hmac_params[2], *p = tls_hmac_params;

        *p++ = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE,
                                           &rec->orig_len);
        *p++ = OSSL_PARAM_construct_end();

        if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_get_pkey_ctx(mac_ctx),
                                     tls_hmac_params)) {
            goto end;
        }
    }

    if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
        || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
        || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
        goto end;
    }

    OSSL_TRACE_BEGIN(TLS) {
        BIO_printf(trc_out, "seq:\n");
        BIO_dump_indent(trc_out, seq, 8, 4);
        BIO_printf(trc_out, "rec:\n");
        BIO_dump_indent(trc_out, rec->data, rec->length, 4);
    } OSSL_TRACE_END(TLS);

    if (!rl->isdtls) {
        for (i = 7; i >= 0; i--) {
            ++seq[i];
            if (seq[i] != 0)
                break;
        }
    }
    OSSL_TRACE_BEGIN(TLS) {
        BIO_printf(trc_out, "md:\n");
        BIO_dump_indent(trc_out, md, md_size, 4);
    } OSSL_TRACE_END(TLS);
    ret = 1;
 end:
    EVP_MD_CTX_free(hmac);
    return ret;
}

/* TLSv1.0, TLSv1.1 and TLSv1.2 all use the same funcs */
struct record_functions_st tls_1_funcs = {
    tls1_set_crypto_state,
    tls_default_read_n,
    tls1_cipher,
    tls1_mac,
    tls_default_set_protocol_version,
    tls_default_validate_record_header,
    tls_default_post_process_record
};
Commit	Line	Data
50023e9b MC	1	/*
	2	* Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <openssl/evp.h>
	11	#include <openssl/core_names.h>
	12	#include <openssl/rand.h>
	13	#include "../../ssl_local.h"
	14	#include "../record_local.h"
	15	#include "recmethod_local.h"
	16
	17	/* TODO(RECLAYER): Handle OPENSSL_NO_COMP */
	18	static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
	19	unsigned char *key, size_t keylen,
	20	unsigned char *iv, size_t ivlen,
	21	unsigned char *mackey, size_t mackeylen,
	22	const EVP_CIPHER *ciph,
	23	size_t taglen,
	24	/* TODO(RECLAYER): This probably should not be an int */
	25	int mactype,
	26	const EVP_MD *md,
8124ab56	27	const SSL_COMP *comp)
50023e9b MC	28	{
	29	EVP_CIPHER_CTX *ciph_ctx;
	30	EVP_PKEY *mac_key;
	31
	32	if (level != OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
7c293999	33	return OSSL_RECORD_RETURN_FATAL;
50023e9b	34
6366bdd9	35	if ((rl->enc_ctx = EVP_CIPHER_CTX_new()) == NULL) {
50023e9b	36	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
7c293999	37	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	38	}
50023e9b MC	39
6366bdd9	40	ciph_ctx = rl->enc_ctx;
50023e9b	41
6366bdd9 MC	42	rl->md_ctx = EVP_MD_CTX_new();
6366bdd9 MC	43	if (rl->md_ctx == NULL) {
50023e9b	44	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7c293999	45	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	46	}
	47	#ifndef OPENSSL_NO_COMP
	48	if (comp != NULL) {
	49	rl->expand = COMP_CTX_new(comp->method);
	50	if (rl->expand == NULL) {
7c293999 MC	51	ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
7c293999 MC	52	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	53	}
	54	}
	55	#endif
50023e9b MC	56
	57	/*
	58	* If we have an AEAD Cipher, then there is no separate MAC, so we can skip
	59	* setting up the MAC key.
	60	*/
	61	if (!(EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
	62	if (mactype == EVP_PKEY_HMAC) {
	63	mac_key = EVP_PKEY_new_raw_private_key_ex(rl->libctx, "HMAC",
	64	rl->propq, mackey,
	65	mackeylen);
	66	} else {
	67	/*
	68	* If its not HMAC then the only other types of MAC we support are
	69	* the GOST MACs, so we need to use the old style way of creating
	70	* a MAC key.
	71	*/
	72	mac_key = EVP_PKEY_new_mac_key(mactype, NULL, mackey,
	73	(int)mackeylen);
	74	}
	75	if (mac_key == NULL
6366bdd9	76	\|\| EVP_DigestSignInit_ex(rl->md_ctx, NULL, EVP_MD_get0_name(md),
50023e9b MC	77	rl->libctx, rl->propq, mac_key,
	78	NULL) <= 0) {
	79	EVP_PKEY_free(mac_key);
7c293999 MC	80	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	81	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	82	}
	83	EVP_PKEY_free(mac_key);
	84	}
	85
	86	if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_GCM_MODE) {
	87	if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, key, NULL)
	88	\|\| EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_GCM_SET_IV_FIXED,
7c293999 MC	89	(int)ivlen, iv) <= 0) {
	90	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
	91	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	92	}
	93	} else if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) {
	94	if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, NULL, NULL)
	95	\|\| EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, 12,
	96	NULL) <= 0
	97	\|\| EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,
	98	(int)taglen, NULL) <= 0
	99	\|\| EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_CCM_SET_IV_FIXED,
	100	(int)ivlen, iv) <= 0
	101	/*
	102	* TODO(RECLAYER): Why do we defer setting the key until here?
	103	* why not in the initial EVP_DecryptInit_ex() call?
	104	*/
	105	\|\| !EVP_DecryptInit_ex(ciph_ctx, NULL, NULL, key, NULL)) {
7c293999 MC	106	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	107	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	108	}
	109	} else {
	110	if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, key, iv)) {
7c293999 MC	111	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	112	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	113	}
	114	}
	115	/* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
	116	if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
	117	&& mackeylen != 0
	118	&& EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
	119	(int)mackeylen, mackey) <= 0) {
7c293999 MC	120	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7c293999 MC	121	return OSSL_RECORD_RETURN_FATAL;
50023e9b MC	122	}
50023e9b MC	123	if (EVP_CIPHER_get0_provider(ciph) != NULL
7f2f0ac7	124	&& !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md))
7c293999	125	return OSSL_RECORD_RETURN_FATAL;
50023e9b	126
7c293999	127	return OSSL_RECORD_RETURN_SUCCESS;
50023e9b MC	128	}
	129
	130	#define MAX_PADDING 256
	131	/*-
	132	* tls1_cipher encrypts/decrypts \|n_recs\| in \|recs\|. Calls SSLfatal on internal
	133	* error, but not otherwise. It is the responsibility of the caller to report
	134	* a bad_record_mac - if appropriate (DTLS just drops the record).
	135	*
	136	* Returns:
	137	* 0: if the record is publicly invalid, or an internal error, or AEAD
	138	* decryption failed, or Encrypt-then-mac decryption failed.
	139	* 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
	140	*/
	141	static int tls1_cipher(OSSL_RECORD_LAYER rl, SSL3_RECORD recs, size_t n_recs,
8124ab56	142	int sending, SSL_MAC_BUF *macs, size_t macsize)
50023e9b MC	143	{
	144	EVP_CIPHER_CTX *ds;
	145	size_t reclen[SSL_MAX_PIPELINES];
	146	unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
	147	int i, pad = 0, tmpr, provided;
	148	size_t bs, ctr, padnum, loop;
	149	unsigned char padval;
	150	const EVP_CIPHER *enc;
50023e9b MC	151
	152	if (n_recs == 0) {
	153	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	154	return 0;
	155	}
	156
50023e9b	157
6366bdd9 MC	158	if (EVP_MD_CTX_get0_md(rl->md_ctx)) {
	159	int n = EVP_MD_CTX_get_size(rl->md_ctx);
	160	if (!ossl_assert(n >= 0)) {
50023e9b MC	161	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	162	return 0;
	163	}
6366bdd9 MC	164	}
	165	ds = rl->enc_ctx;
	166	if (!ossl_assert(rl->enc_ctx)) {
	167	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	168	return 0;
	169	}
	170
	171	enc = EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx);
	172
	173	if (sending) {
	174	int ivlen;
50023e9b	175
50023e9b	176	/* For TLSv1.1 and later explicit IV */
8124ab56	177	if (RLAYER_USE_EXPLICIT_IV(rl)
50023e9b MC	178	&& EVP_CIPHER_get_mode(enc) == EVP_CIPH_CBC_MODE)
	179	ivlen = EVP_CIPHER_get_iv_length(enc);
	180	else
	181	ivlen = 0;
	182	if (ivlen > 1) {
	183	for (ctr = 0; ctr < n_recs; ctr++) {
	184	if (recs[ctr].data != recs[ctr].input) {
	185	/*
	186	* we can't write into the input stream: Can this ever
	187	* happen?? (steve)
	188	*/
	189	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	190	return 0;
6366bdd9 MC	191	} else if (RAND_bytes_ex(rl->libctx, recs[ctr].input,
6366bdd9 MC	192	ivlen, 0) <= 0) {
50023e9b MC	193	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	194	return 0;
	195	}
	196	}
	197	}
50023e9b	198	}
8124ab56	199	if (!ossl_assert(enc != NULL)) {
50023e9b MC	200	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	201	return 0;
	202	}
	203
	204	provided = (EVP_CIPHER_get0_provider(enc) != NULL);
	205
	206	bs = EVP_CIPHER_get_block_size(EVP_CIPHER_CTX_get0_cipher(ds));
	207
	208	if (n_recs > 1) {
	209	if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
	210	& EVP_CIPH_FLAG_PIPELINE) == 0) {
	211	/*
	212	* We shouldn't have been called with pipeline data if the
	213	* cipher doesn't support pipelining
	214	*/
	215	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
	216	return 0;
	217	}
	218	}
	219	for (ctr = 0; ctr < n_recs; ctr++) {
	220	reclen[ctr] = recs[ctr].length;
	221
	222	if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
	223	& EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
	224	unsigned char *seq;
	225
0755722c	226	seq = rl->sequence;
50023e9b	227
8124ab56 MC	228	if (rl->isdtls) {
	229	#if 0
	230	/* TODO(RECLAYER): FIXME */
50023e9b MC	231	/* DTLS does not support pipelining */
	232	unsigned char dtlsseq[8], *p = dtlsseq;
	233
	234	s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
	235	DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
	236	memcpy(p, &seq[2], 6);
	237	memcpy(buf[ctr], dtlsseq, 8);
8124ab56	238	#endif
50023e9b MC	239	} else {
	240	memcpy(buf[ctr], seq, 8);
	241	for (i = 7; i >= 0; i--) { /* increment */
	242	++seq[i];
	243	if (seq[i] != 0)
	244	break;
	245	}
	246	}
	247
	248	buf[ctr][8] = recs[ctr].type;
	249	buf[ctr][9] = (unsigned char)(rl->version >> 8);
	250	buf[ctr][10] = (unsigned char)(rl->version);
	251	buf[ctr][11] = (unsigned char)(recs[ctr].length >> 8);
	252	buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff);
	253	pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
	254	EVP_AEAD_TLS1_AAD_LEN, buf[ctr]);
	255	if (pad <= 0) {
	256	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	257	return 0;
	258	}
	259
	260	if (sending) {
	261	reclen[ctr] += pad;
	262	recs[ctr].length += pad;
	263	}
	264
	265	} else if ((bs != 1) && sending && !provided) {
	266	/*
	267	* We only do this for legacy ciphers. Provided ciphers add the
	268	* padding on the provider side.
	269	*/
	270	padnum = bs - (reclen[ctr] % bs);
	271
	272	/* Add weird padding of up to 256 bytes */
	273
	274	if (padnum > MAX_PADDING) {
	275	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	276	return 0;
	277	}
	278	/* we need to add 'padnum' padding bytes of value padval */
	279	padval = (unsigned char)(padnum - 1);
	280	for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++)
	281	recs[ctr].input[loop] = padval;
	282	reclen[ctr] += padnum;
	283	recs[ctr].length += padnum;
	284	}
	285
	286	if (!sending) {
	287	if (reclen[ctr] == 0 \|\| reclen[ctr] % bs != 0) {
	288	/* Publicly invalid */
	289	return 0;
	290	}
	291	}
	292	}
	293	if (n_recs > 1) {
	294	unsigned char *data[SSL_MAX_PIPELINES];
	295
	296	/* Set the output buffers */
	297	for (ctr = 0; ctr < n_recs; ctr++) {
	298	data[ctr] = recs[ctr].data;
	299	}
	300	if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
	301	(int)n_recs, data) <= 0) {
	302	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
303	return 0;
304	}
305	/* Set the input buffers */
306	for (ctr = 0; ctr < n_recs; ctr++) {
307	data[ctr] = recs[ctr].input;
308	}
309	if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS,
310	(int)n_recs, data) <= 0
311	\|\| EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
312	(int)n_recs, reclen) <= 0) {
313	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
314	return 0;
315	}
316	}
317
8124ab56	318	if (!rl->isdtls && rl->tlstree) {
50023e9b MC	319	unsigned char *seq;
	320	int decrement_seq = 0;
	321
	322	/*
	323	* When sending, seq is incremented after MAC calculation.
	324	* So if we are in ETM mode, we use seq 'as is' in the ctrl-function.
	325	* Otherwise we have to decrease it in the implementation
	326	*/
7f2f0ac7	327	if (sending && !rl->use_etm)
50023e9b MC	328	decrement_seq = 1;
50023e9b MC	329
0755722c	330	seq = rl->sequence;
50023e9b MC	331	if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_TLSTREE, decrement_seq, seq) <= 0) {
	332	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	333	return 0;
	334	}
	335	}
	336
	337	if (provided) {
	338	int outlen;
	339
	340	/* Provided cipher - we do not support pipelining on this path */
	341	if (n_recs > 1) {
	342	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
	343	return 0;
	344	}
	345
	346	if (!EVP_CipherUpdate(ds, recs[0].data, &outlen, recs[0].input,
	347	(unsigned int)reclen[0]))
	348	return 0;
	349	recs[0].length = outlen;
	350
	351	/*
	352	* The length returned from EVP_CipherUpdate above is the actual
	353	* payload length. We need to adjust the data/input ptr to skip over
	354	* any explicit IV
	355	*/
	356	if (!sending) {
	357	if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
	358	recs[0].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
	359	recs[0].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
	360	} else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
	361	recs[0].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
	362	recs[0].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
88d61680	363	} else if (bs != 1 && RLAYER_USE_EXPLICIT_IV(rl)) {
50023e9b MC	364	recs[0].data += bs;
	365	recs[0].input += bs;
	366	recs[0].orig_len -= bs;
	367	}
	368
	369	/* Now get a pointer to the MAC (if applicable) */
	370	if (macs != NULL) {
	371	OSSL_PARAM params[2], *p = params;
	372
	373	/* Get the MAC */
	374	macs[0].alloced = 0;
	375
	376	*p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
	377	(void **)&macs[0].mac,
	378	macsize);
	379	*p = OSSL_PARAM_construct_end();
	380
	381	if (!EVP_CIPHER_CTX_get_params(ds, params)) {
	382	/* Shouldn't normally happen */
	383	RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
	384	ERR_R_INTERNAL_ERROR);
	385	return 0;
	386	}
	387	}
	388	}
	389	} else {
	390	/* Legacy cipher */
	391
	392	tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
	393	(unsigned int)reclen[0]);
	394	if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
	395	& EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0
	396	? (tmpr < 0)
	397	: (tmpr == 0)) {
	398	/* AEAD can fail to verify MAC */
	399	return 0;
	400	}
	401
	402	if (!sending) {
	403	for (ctr = 0; ctr < n_recs; ctr++) {
	404	/* Adjust the record to remove the explicit IV/MAC/Tag */
	405	if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
	406	recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
	407	recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
	408	recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
	409	} else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
	410	recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
	411	recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
	412	recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
88d61680	413	} else if (bs != 1 && RLAYER_USE_EXPLICIT_IV(rl)) {
50023e9b MC	414	if (recs[ctr].length < bs)
	415	return 0;
	416	recs[ctr].data += bs;
	417	recs[ctr].input += bs;
	418	recs[ctr].length -= bs;
	419	recs[ctr].orig_len -= bs;
	420	}
	421
	422	/*
	423	* If using Mac-then-encrypt, then this will succeed but
	424	* with a random MAC if padding is invalid
	425	*/
	426	if (!tls1_cbc_remove_padding_and_mac(&recs[ctr].length,
	427	recs[ctr].orig_len,
	428	recs[ctr].data,
	429	(macs != NULL) ? &macs[ctr].mac : NULL,
	430	(macs != NULL) ? &macs[ctr].alloced
	431	: NULL,
	432	bs,
	433	pad ? (size_t)pad : macsize,
	434	(EVP_CIPHER_get_flags(enc)
	435	& EVP_CIPH_FLAG_AEAD_CIPHER) != 0,
8124ab56	436	rl->libctx))
50023e9b MC	437	return 0;
	438	}
	439	}
	440	}
	441	return 1;
	442	}
	443
	444	static int tls1_mac(OSSL_RECORD_LAYER rl, SSL3_RECORD rec, unsigned char *md,
8124ab56	445	int sending)
50023e9b	446	{
0755722c	447	unsigned char *seq = rl->sequence;
50023e9b MC	448	EVP_MD_CTX *hash;
	449	size_t md_size;
	450	int i;
	451	EVP_MD_CTX hmac = NULL, mac_ctx;
	452	unsigned char header[13];
50023e9b MC	453	int t;
	454	int ret = 0;
	455
6366bdd9	456	hash = rl->md_ctx;
50023e9b MC	457
	458	t = EVP_MD_CTX_get_size(hash);
	459	if (!ossl_assert(t >= 0))
	460	return 0;
	461	md_size = t;
	462
8124ab56	463	if (rl->stream_mac) {
50023e9b MC	464	mac_ctx = hash;
	465	} else {
	466	hmac = EVP_MD_CTX_new();
	467	if (hmac == NULL \|\| !EVP_MD_CTX_copy(hmac, hash)) {
	468	goto end;
	469	}
	470	mac_ctx = hmac;
	471	}
	472
	473	if (!rl->isdtls
8124ab56	474	&& rl->tlstree
50023e9b MC	475	&& EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) {
	476	goto end;
	477	}
	478
	479	if (rl->isdtls) {
8124ab56 MC	480	#if 0
8124ab56 MC	481	/* TODO(RECLAYER): FIX ME */
50023e9b MC	482	unsigned char dtlsseq[8], *p = dtlsseq;
	483
	484	s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
	485	DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
	486	memcpy(p, &seq[2], 6);
	487
	488	memcpy(header, dtlsseq, 8);
8124ab56	489	#endif
50023e9b MC	490	} else
	491	memcpy(header, seq, 8);
	492
	493	header[8] = rec->type;
8124ab56 MC	494	header[9] = (unsigned char)(rl->version >> 8);
8124ab56 MC	495	header[10] = (unsigned char)(rl->version);
50023e9b MC	496	header[11] = (unsigned char)(rec->length >> 8);
	497	header[12] = (unsigned char)(rec->length & 0xff);
	498
7f2f0ac7	499	if (!sending && !rl->use_etm
6366bdd9	500	&& EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE
50023e9b MC	501	&& ssl3_cbc_record_digest_supported(mac_ctx)) {
	502	OSSL_PARAM tls_hmac_params[2], *p = tls_hmac_params;
	503
	504	*p++ = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE,
	505	&rec->orig_len);
	506	*p++ = OSSL_PARAM_construct_end();
	507
	508	if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_get_pkey_ctx(mac_ctx),
	509	tls_hmac_params)) {
	510	goto end;
	511	}
	512	}
	513
	514	if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
	515	\|\| EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
	516	\|\| EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
	517	goto end;
	518	}
	519
	520	OSSL_TRACE_BEGIN(TLS) {
	521	BIO_printf(trc_out, "seq:\n");
	522	BIO_dump_indent(trc_out, seq, 8, 4);
	523	BIO_printf(trc_out, "rec:\n");
	524	BIO_dump_indent(trc_out, rec->data, rec->length, 4);
	525	} OSSL_TRACE_END(TLS);
	526
8124ab56	527	if (!rl->isdtls) {
50023e9b MC	528	for (i = 7; i >= 0; i--) {
	529	++seq[i];
	530	if (seq[i] != 0)
	531	break;
	532	}
	533	}
	534	OSSL_TRACE_BEGIN(TLS) {
	535	BIO_printf(trc_out, "md:\n");
	536	BIO_dump_indent(trc_out, md, md_size, 4);
	537	} OSSL_TRACE_END(TLS);
	538	ret = 1;
	539	end:
	540	EVP_MD_CTX_free(hmac);
	541	return ret;
	542	}
	543
	544	/* TLSv1.0, TLSv1.1 and TLSv1.2 all use the same funcs */
	545	struct record_functions_st tls_1_funcs = {
	546	tls1_set_crypto_state,
1853d20a	547	tls_default_read_n,
50023e9b	548	tls1_cipher,
1853d20a MC	549	tls1_mac,
	550	tls_default_set_protocol_version,
	551	tls_default_validate_record_header,
	552	tls_default_post_process_record
50023e9b	553	};