]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/record/methods/tls_common.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove some TODO(RECLAYER) comments
[thirdparty/openssl.git] / ssl / record / methods / tls_common.c
CommitLineData
34a4068c
MC		 1/*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/bio.h>
11#include <openssl/ssl.h>
e2d5742b
MC		 12#include <openssl/err.h>
13#include <openssl/core_names.h>
14#include "internal/e_os.h"
4030869d 15#include "internal/packet.h"
4840c2a5
MC		 16#include "../../ssl_local.h"
17#include "../record_local.h"
50023e9b 18#include "recmethod_local.h"
e2d5742b
MC		 19
20# define SSL_AD_NO_ALERT -1
21
359affde
MC		 22static void tls_int_free(OSSL_RECORD_LAYER *rl);
23
50023e9b
MC		 24void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
25 const char *fmt, ...)
e2d5742b
MC		 26{
27 va_list args;
28
29 va_start(args, fmt);
30 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
31 va_end(args);
32
33 rl->alert = al;
34}
35
50023e9b
MC		 36int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
37 EVP_CIPHER_CTX *ctx,
38 const EVP_CIPHER *ciph,
7f2f0ac7 39 const EVP_MD *md)
aedbb71b
MC		 40{
41 /*
42 * Provided cipher, the TLS padding/MAC removal is performed provider
43 * side so we need to tell the ctx about our TLS version and mac size
44 */
45 OSSL_PARAM params[3], *pprm = params;
46 size_t macsize = 0;
47 int imacsize = -1;
48
49 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
7f2f0ac7 50 && !rl->use_etm)
aedbb71b
MC		 51 imacsize = EVP_MD_get_size(md);
52 if (imacsize >= 0)
53 macsize = (size_t)imacsize;
54
55 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
56 &rl->version);
57 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
58 &macsize);
59 *pprm = OSSL_PARAM_construct_end();
60
61 if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
7c293999 62 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
aedbb71b
MC		 63 return 0;
64 }
65
66 return 1;
67}
68
50023e9b
MC		 69/*
70 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
71 * which ssl3_cbc_digest_record supports.
aedbb71b 72 */
50023e9b 73char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
2b891e30 74{
50023e9b
MC		 75 switch (EVP_MD_CTX_get_type(ctx)) {
76 case NID_md5:
77 case NID_sha1:
78 case NID_sha224:
79 case NID_sha256:
80 case NID_sha384:
81 case NID_sha512:
2b891e30 82 return 1;
50023e9b 83 default:
aedbb71b 84 return 0;
aedbb71b 85 }
aedbb71b
MC		 86}
87
976b263d 88#ifndef OPENSSL_NO_COMP
e2d5742b
MC		 89static int rlayer_allow_compression(OSSL_RECORD_LAYER *rl)
90{
91 if (rl->options & SSL_OP_NO_COMPRESSION)
92 return 0;
ed0e298f
MC		 93
94 return rl->security(rl->cbarg, SSL_SECOP_COMPRESSION, 0, 0, NULL);
e2d5742b 95}
976b263d 96#endif
e2d5742b 97
222cf410 98int rlayer_setup_read_buffer(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 99{
100 unsigned char *p;
101 size_t len, align = 0, headerlen;
102 SSL3_BUFFER *b;
103
104 b = &rl->rbuf;
105
106 if (rl->isdtls)
107 headerlen = DTLS1_RT_HEADER_LENGTH;
108 else
109 headerlen = SSL3_RT_HEADER_LENGTH;
110
111#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
112 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
113#endif
114
115 if (b->buf == NULL) {
116 len = SSL3_RT_MAX_PLAIN_LENGTH
117 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
118#ifndef OPENSSL_NO_COMP
119 if (rlayer_allow_compression(rl))
120 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
121#endif
122 if (b->default_len > len)
123 len = b->default_len;
124 if ((p = OPENSSL_malloc(len)) == NULL) {
125 /*
126 * We've got a malloc failure, and we're still initialising buffers.
127 * We assume we're so doomed that we won't even be able to send an
128 * alert.
129 */
130 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_MALLOC_FAILURE);
131 return 0;
132 }
133 b->buf = p;
134 b->len = len;
135 }
136
137 return 1;
138}
139
140static int rlayer_release_read_buffer(OSSL_RECORD_LAYER *rl)
141{
142 SSL3_BUFFER *b;
143
144 b = &rl->rbuf;
145 if (rl->options & SSL_OP_CLEANSE_PLAINTEXT)
146 OPENSSL_cleanse(b->buf, b->len);
147 OPENSSL_free(b->buf);
148 b->buf = NULL;
149 return 1;
150}
151
152/*
153 * Return values are as per SSL_read()
154 */
1853d20a
MC		 155int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
156 int clearold, size_t *readbytes)
e2d5742b
MC		 157{
158 /*
159 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
160 * packet by another n bytes. The packet will be in the sub-array of
161 * s->rlayer.rbuf.buf specified by s->rlayer.packet and
162 * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may
163 * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].)
164 * if clearold == 1, move the packet to the start of the buffer; if
165 * clearold == 0 then leave any old packets where they were
166 */
167 size_t len, left, align = 0;
168 unsigned char *pkt;
169 SSL3_BUFFER *rb;
170
171 if (n == 0)
172 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
173
174 rb = &rl->rbuf;
cc110a0a
MC		 175 /*
176 * TODO(RECLAYER): Once this function is only called from inside the rlayer
177 * directly, we can probably remove this since it is initialised in
178 * tls_get_more_records
179 */
e2d5742b
MC		 180 if (rb->buf == NULL) {
181 if (!rlayer_setup_read_buffer(rl)) {
182 /* RLAYERfatal() already called */
183 return OSSL_RECORD_RETURN_FATAL;
184 }
185 }
186
187 left = rb->left;
188#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
189 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
190 align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
191#endif
192
193 if (!extend) {
194 /* start with empty packet ... */
195 if (left == 0) {
196 rb->offset = align;
197 } else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {
198 /*
199 * check if next packet length is large enough to justify payload
200 * alignment...
201 */
202 pkt = rb->buf + rb->offset;
203 if (pkt[0] == SSL3_RT_APPLICATION_DATA
204 && (pkt[3] << 8 | pkt[4]) >= 128) {
205 /*
206 * Note that even if packet is corrupted and its length field
207 * is insane, we can only be led to wrong decision about
208 * whether memmove will occur or not. Header values has no
209 * effect on memmove arguments and therefore no buffer
210 * overrun can be triggered.
211 */
212 memmove(rb->buf + align, pkt, left);
213 rb->offset = align;
214 }
215 }
216 rl->packet = rb->buf + rb->offset;
217 rl->packet_length = 0;
218 /* ... now we can act as if 'extend' was set */
219 }
220
221 len = rl->packet_length;
222 pkt = rb->buf + align;
223 /*
224 * Move any available bytes to front of buffer: 'len' bytes already
225 * pointed to by 'packet', 'left' extra ones at the end
226 */
227 if (rl->packet != pkt && clearold == 1) {
228 memmove(pkt, rl->packet, len + left);
229 rl->packet = pkt;
230 rb->offset = len + align;
231 }
232
233 /*
234 * For DTLS/UDP reads should not span multiple packets because the read
235 * operation returns the whole packet at once (as long as it fits into
236 * the buffer).
237 */
238 if (rl->isdtls) {
239 if (left == 0 && extend)
240 return 0;
241 if (left > 0 && n > left)
242 n = left;
243 }
244
245 /* if there is enough in the buffer from a previous read, take some */
246 if (left >= n) {
247 rl->packet_length += n;
248 rb->left = left - n;
249 rb->offset += n;
250 *readbytes = n;
251 return OSSL_RECORD_RETURN_SUCCESS;
252 }
253
254 /* else we need to read more data */
255
256 if (n > rb->len - rb->offset) {
257 /* does not happen */
258 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
259 return OSSL_RECORD_RETURN_FATAL;
260 }
261
1853d20a
MC		 262 /* We always act like read_ahead is set for DTLS */
263 if (!rl->read_ahead && !rl->isdtls) {
e2d5742b
MC		 264 /* ignore max parameter */
265 max = n;
266 } else {
267 if (max < n)
268 max = n;
269 if (max > rb->len - rb->offset)
270 max = rb->len - rb->offset;
271 }
272
273 while (left < n) {
274 size_t bioread = 0;
275 int ret;
359affde 276 BIO *bio = rl->prev != NULL ? rl->prev : rl->bio;
e2d5742b
MC		 277
278 /*
279 * Now we have len+left bytes at the front of s->s3.rbuf.buf and
280 * need to read in more until we have len+n (up to len+max if
281 * possible)
282 */
283
284 clear_sys_error();
359affde
MC		 285 if (bio != NULL) {
286 ret = BIO_read(bio, pkt + len + left, max - left);
e2d5742b
MC		 287 if (ret > 0) {
288 bioread = ret;
289 ret = OSSL_RECORD_RETURN_SUCCESS;
359affde
MC		 290 } else if (BIO_should_retry(bio)) {
291 if (rl->prev != NULL) {
292 /*
293 * We were reading from the previous epoch. Now there is no
294 * more data, so swap to the actual transport BIO
295 */
296 BIO_free(rl->prev);
297 rl->prev = NULL;
298 continue;
299 }
e2d5742b 300 ret = OSSL_RECORD_RETURN_RETRY;
359affde 301 } else if (BIO_eof(bio)) {
e2d5742b
MC		 302 ret = OSSL_RECORD_RETURN_EOF;
303 } else {
304 ret = OSSL_RECORD_RETURN_FATAL;
305 }
306 } else {
307 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
308 ret = OSSL_RECORD_RETURN_FATAL;
309 }
310
311 if (ret <= OSSL_RECORD_RETURN_RETRY) {
312 rb->left = left;
313 if (rl->mode & SSL_MODE_RELEASE_BUFFERS && !rl->isdtls)
314 if (len + left == 0)
315 rlayer_release_read_buffer(rl);
316 return ret;
317 }
318 left += bioread;
319 /*
320 * reads should *never* span multiple packets for DTLS because the
321 * underlying transport protocol is message oriented as opposed to
322 * byte oriented as in the TLS case.
323 */
324 if (rl->isdtls) {
325 if (n > left)
326 n = left; /* makes the while condition false */
327 }
328 }
329
330 /* done reading, now the book-keeping */
331 rb->offset += n;
332 rb->left = left - n;
333 rl->packet_length += n;
334 *readbytes = n;
335 return OSSL_RECORD_RETURN_SUCCESS;
336}
337
4030869d
MC		 338/*
339 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
340 * for us in the buffer.
341 */
342static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
343{
344 SSL3_BUFFER *rbuf;
345 size_t left, len;
346 unsigned char *p;
347
348 rbuf = &rl->rbuf;
349
350 p = SSL3_BUFFER_get_buf(rbuf);
351 if (p == NULL)
352 return 0;
353
354 left = SSL3_BUFFER_get_left(rbuf);
355
356 if (left < SSL3_RT_HEADER_LENGTH)
357 return 0;
358
359 p += SSL3_BUFFER_get_offset(rbuf);
360
361 /*
362 * We only check the type and record length, we will sanity check version
363 * etc later
364 */
365 if (*p != SSL3_RT_APPLICATION_DATA)
366 return 0;
367
368 p += 3;
369 n2s(p, len);
370
371 if (left < SSL3_RT_HEADER_LENGTH + len)
372 return 0;
373
374 return 1;
375}
376
9dd90232
MC		 377static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length,
378 size_t overhead, int send)
379{
380 uint32_t max_early_data = rl->max_early_data;
381
382 if (max_early_data == 0) {
383 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
384 SSL_R_TOO_MUCH_EARLY_DATA);
385 return 0;
386 }
387
388 /* If we are dealing with ciphertext we need to allow for the overhead */
389 max_early_data += overhead;
390
391 if (rl->early_data_count + length > max_early_data) {
392 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
393 SSL_R_TOO_MUCH_EARLY_DATA);
394 return 0;
395 }
396 rl->early_data_count += length;
397
398 return 1;
399}
400
4030869d
MC		 401/*
402 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
403 * will be processed per call to ssl3_get_record. Without this limit an
404 * attacker could send empty records at a faster rate than we can process and
405 * cause ssl3_get_record to loop forever.
406 */
407#define MAX_EMPTY_RECORDS 32
408
409#define SSL2_RT_HEADER_LENGTH 2
410
411/*-
412 * Call this to buffer new input records in rl->rrec.
413 * It will return a OSSL_RECORD_RETURN_* value.
414 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
415 * records have been decoded. For each record 'i':
416 * rrec[i].type - is the type of record
417 * rrec[i].data, - data
418 * rrec[i].length, - number of bytes
419 * Multiple records will only be returned if the record types are all
420 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
421 * |max_pipelines|
422 */
eddb067e 423int tls_get_more_records(OSSL_RECORD_LAYER *rl)
4030869d
MC		 424{
425 int enc_err, rret;
426 int i;
427 size_t more, n;
428 SSL3_RECORD *rr, *thisrr;
429 SSL3_BUFFER *rbuf;
4030869d
MC		 430 unsigned char *p;
431 unsigned char md[EVP_MAX_MD_SIZE];
432 unsigned int version;
433 size_t mac_size = 0;
434 int imac_size;
435 size_t num_recs = 0, max_recs, j;
436 PACKET pkt, sslv2pkt;
4030869d
MC		 437 SSL_MAC_BUF *macbufs = NULL;
438 int ret = OSSL_RECORD_RETURN_FATAL;
4030869d
MC		 439
440 rr = rl->rrec;
441 rbuf = &rl->rbuf;
cc110a0a
MC		 442 if (rbuf->buf == NULL) {
443 if (!rlayer_setup_read_buffer(rl)) {
444 /* RLAYERfatal() already called */
445 return OSSL_RECORD_RETURN_FATAL;
446 }
447 }
4030869d 448
8124ab56
MC		 449 max_recs = rl->max_pipelines;
450
4030869d
MC		 451 if (max_recs == 0)
452 max_recs = 1;
4030869d 453
4030869d
MC		 454 do {
455 thisrr = &rr[num_recs];
456
457 /* check if we have the header */
458 if ((rl->rstate != SSL_ST_READ_BODY) ||
459 (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
460 size_t sslv2len;
461 unsigned int type;
462
1853d20a
MC		 463 rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH,
464 SSL3_BUFFER_get_len(rbuf), 0,
465 num_recs == 0 ? 1 : 0, &n);
466
467 if (rret < OSSL_RECORD_RETURN_SUCCESS)
468 return rret; /* error or non-blocking */
469
4030869d
MC		 470 rl->rstate = SSL_ST_READ_BODY;
471
472 p = rl->packet;
473 if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
474 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
475 return OSSL_RECORD_RETURN_FATAL;
476 }
477 sslv2pkt = pkt;
478 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
479 || !PACKET_get_1(&sslv2pkt, &type)) {
480 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
481 return OSSL_RECORD_RETURN_FATAL;
482 }
483 /*
484 * The first record received by the server may be a V2ClientHello.
485 */
486 if (rl->role == OSSL_RECORD_ROLE_SERVER
487 && rl->is_first_record
488 && (sslv2len & 0x8000) != 0
489 && (type == SSL2_MT_CLIENT_HELLO)) {
490 /*
491 * SSLv2 style record
492 *
493 * |num_recs| here will actually always be 0 because
494 * |num_recs > 0| only ever occurs when we are processing
495 * multiple app data records - which we know isn't the case here
496 * because it is an SSLv2ClientHello. We keep it using
497 * |num_recs| for the sake of consistency
498 */
499 thisrr->type = SSL3_RT_HANDSHAKE;
500 thisrr->rec_version = SSL2_VERSION;
501
502 thisrr->length = sslv2len & 0x7fff;
503
504 if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
505 - SSL2_RT_HEADER_LENGTH) {
506 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
507 SSL_R_PACKET_LENGTH_TOO_LONG);
508 return OSSL_RECORD_RETURN_FATAL;
509 }
4030869d
MC		 510 } else {
511 /* SSLv3+ style record */
512
513 /* Pull apart the header into the SSL3_RECORD */
514 if (!PACKET_get_1(&pkt, &type)
515 || !PACKET_get_net_2(&pkt, &version)
516 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
3c7b9ef9 517 rl->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, rl->cbarg);
4030869d
MC		 518 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
519 return OSSL_RECORD_RETURN_FATAL;
520 }
521 thisrr->type = type;
522 thisrr->rec_version = version;
523
014baa8a
MC		 524 /*
525 * When we call validate_record_header() only records actually
526 * received in SSLv2 format should have the record version set
527 * to SSL2_VERSION. This way validate_record_header() can know
528 * what format the record was in based on the version.
529 */
530 if (thisrr->rec_version == SSL2_VERSION) {
531 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
532 SSL_R_WRONG_VERSION_NUMBER);
533 return OSSL_RECORD_RETURN_FATAL;
534 }
535
3c7b9ef9 536 rl->msg_callback(0, version, SSL3_RT_HEADER, p, 5, rl->cbarg);
4030869d 537
4030869d
MC		 538 if (thisrr->length >
539 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
540 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
541 SSL_R_PACKET_LENGTH_TOO_LONG);
542 return OSSL_RECORD_RETURN_FATAL;
543 }
544 }
545
1853d20a
MC		 546 if (!rl->funcs->validate_record_header(rl, thisrr)) {
547 /* RLAYERfatal already called */
4030869d
MC		 548 return OSSL_RECORD_RETURN_FATAL;
549 }
4030869d 550
1853d20a 551 /* now rl->rstate == SSL_ST_READ_BODY */
4030869d
MC		 552 }
553
554 /*
555 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
556 * how much more data we need to read for the rest of the record
557 */
558 if (thisrr->rec_version == SSL2_VERSION) {
559 more = thisrr->length + SSL2_RT_HEADER_LENGTH
560 - SSL3_RT_HEADER_LENGTH;
561 } else {
562 more = thisrr->length;
563 }
564
565 if (more > 0) {
566 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
567
1853d20a 568 rret = rl->funcs->read_n(rl, more, more, 1, 0, &n);
4030869d
MC		 569 if (rret < OSSL_RECORD_RETURN_SUCCESS)
570 return rret; /* error or non-blocking io */
571 }
572
573 /* set state for later operations */
574 rl->rstate = SSL_ST_READ_HEADER;
575
576 /*
577 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
578 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
579 * + thisrr->length and we have that many bytes in rl->packet
580 */
581 if (thisrr->rec_version == SSL2_VERSION)
582 thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
583 else
584 thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
585
586 /*
587 * ok, we can now read from 'rl->packet' data into 'thisrr'.
588 * thisrr->input points at thisrr->length bytes, which need to be copied
589 * into thisrr->data by either the decryption or by the decompression.
590 * When the data is 'copied' into the thisrr->data buffer,
591 * thisrr->input will be updated to point at the new buffer
592 */
593
594 /*
595 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
596 * thisrr->length bytes of encrypted compressed stuff.
597 */
598
599 /* decrypt in place in 'thisrr->input' */
600 thisrr->data = thisrr->input;
601 thisrr->orig_len = thisrr->length;
602
603 /* Mark this record as not read by upper layers yet */
604 thisrr->read = 0;
605
606 num_recs++;
607
608 /* we have pulled in a full packet so zero things */
81c9ebd9 609 rl->packet_length = 0;
4030869d
MC		 610 rl->is_first_record = 0;
611 } while (num_recs < max_recs
612 && thisrr->type == SSL3_RT_APPLICATION_DATA
88d61680 613 && RLAYER_USE_EXPLICIT_IV(rl)
6366bdd9
MC		 614 && rl->enc_ctx != NULL
615 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
4030869d
MC		 616 & EVP_CIPH_FLAG_PIPELINE) != 0
617 && tls_record_app_data_waiting(rl));
618
619 if (num_recs == 1
620 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
9cd9e097
MC		 621 /* The following can happen in tlsany_meth after HRR */
622 && rl->version == TLS1_3_VERSION
1853d20a 623 && rl->is_first_handshake) {
4030869d
MC		 624 /*
625 * CCS messages must be exactly 1 byte long, containing the value 0x01
626 */
627 if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
628 RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER,
629 SSL_R_INVALID_CCS_MESSAGE);
630 return OSSL_RECORD_RETURN_FATAL;
631 }
632 /*
633 * CCS messages are ignored in TLSv1.3. We treat it like an empty
634 * handshake record
635 */
636 thisrr->type = SSL3_RT_HANDSHAKE;
aedbb71b 637 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
4030869d
MC		 638 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
639 SSL_R_UNEXPECTED_CCS_MESSAGE);
640 return OSSL_RECORD_RETURN_FATAL;
641 }
642 thisrr->read = 1;
643 rl->num_recs = 0;
644 rl->curr_rec = 0;
645 rl->num_released = 0;
646
647 return OSSL_RECORD_RETURN_SUCCESS;
648 }
649
6366bdd9
MC		 650 if (rl->md_ctx != NULL) {
651 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
4030869d
MC		 652
653 if (tmpmd != NULL) {
654 imac_size = EVP_MD_get_size(tmpmd);
655 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
656 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
657 return OSSL_RECORD_RETURN_FATAL;
658 }
659 mac_size = (size_t)imac_size;
660 }
661 }
662
663 /*
664 * If in encrypt-then-mac mode calculate mac from encrypted record. All
665 * the details below are public so no timing details can leak.
666 */
6366bdd9 667 if (rl->use_etm && rl->md_ctx) {
4030869d
MC		 668 unsigned char *mac;
669
670 for (j = 0; j < num_recs; j++) {
671 thisrr = &rr[j];
672
673 if (thisrr->length < mac_size) {
674 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
675 return OSSL_RECORD_RETURN_FATAL;
676 }
677 thisrr->length -= mac_size;
678 mac = thisrr->data + thisrr->length;
8124ab56 679 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
4030869d
MC		 680 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
681 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
682 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
683 return OSSL_RECORD_RETURN_FATAL;
684 }
685 }
686 /*
687 * We've handled the mac now - there is no MAC inside the encrypted
688 * record
689 */
690 mac_size = 0;
691 }
692
693 if (mac_size > 0) {
694 macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
695 if (macbufs == NULL) {
696 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
697 return OSSL_RECORD_RETURN_FATAL;
698 }
699 }
700
8124ab56 701 enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size);
4030869d
MC		 702
703 /*-
704 * enc_err is:
705 * 0: if the record is publicly invalid, or an internal error, or AEAD
706 * decryption failed, or ETM decryption failed.
707 * 1: Success or MTE decryption failed (MAC will be randomised)
708 */
709 if (enc_err == 0) {
651216dd
MC		 710 if (rl->alert != 0) {
711 /* RLAYERfatal() already got called */
4030869d
MC		 712 goto end;
713 }
3c7b9ef9 714 if (num_recs == 1 && rl->skip_early_data(rl->cbarg)) {
4030869d
MC		 715 /*
716 * Valid early_data that we cannot decrypt will fail here. We treat
717 * it like an empty record.
718 */
719
720 thisrr = &rr[0];
721
9dd90232
MC		 722 if (!rlayer_early_data_count_ok(rl, thisrr->length,
723 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
724 /* RLAYERfatal() already called */
4030869d
MC		 725 goto end;
726 }
727
728 thisrr->length = 0;
729 thisrr->read = 1;
730 rl->num_recs = 0;
731 rl->curr_rec = 0;
732 rl->num_released = 0;
0755722c
MC		 733 /* Reset the read sequence */
734 memset(rl->sequence, 0, sizeof(rl->sequence));
4030869d
MC		 735 ret = 1;
736 goto end;
737 }
738 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
739 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
740 goto end;
741 }
742 OSSL_TRACE_BEGIN(TLS) {
743 BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
744 BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
745 } OSSL_TRACE_END(TLS);
746
747 /* r->length is now the compressed data plus mac */
6366bdd9 748 if (rl->enc_ctx != NULL
ffbd6e67 749 && !rl->use_etm
6366bdd9
MC		 750 && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
751 /* rl->md_ctx != NULL => mac_size != -1 */
4030869d
MC		 752
753 for (j = 0; j < num_recs; j++) {
754 SSL_MAC_BUF *thismb = &macbufs[j];
755 thisrr = &rr[j];
756
8124ab56 757 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
4030869d
MC		 758 if (i == 0 || thismb == NULL || thismb->mac == NULL
759 || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
760 enc_err = 0;
761 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
762 enc_err = 0;
763 }
764 }
765
766 if (enc_err == 0) {
651216dd
MC		 767 if (rl->alert != 0) {
768 /* We already called RLAYERfatal() */
4030869d
MC		 769 goto end;
770 }
771 /*
772 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
773 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
774 * failure is directly visible from the ciphertext anyway, we should
775 * not reveal which kind of error occurred -- this might become
776 * visible to an attacker (e.g. via a logfile)
777 */
778 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
779 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
780 goto end;
781 }
782
4030869d
MC		 783 for (j = 0; j < num_recs; j++) {
784 thisrr = &rr[j];
785
8124ab56 786 if (!rl->funcs->post_process_record(rl, thisrr)) {
1853d20a 787 /* RLAYERfatal already called */
4030869d
MC		 788 goto end;
789 }
790
791 /*
792 * Check if the received packet overflows the current
793 * Max Fragment Length setting.
ffbd6e67 794 * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
4030869d 795 */
ffbd6e67 796 if (rl->max_frag_len > 0 && thisrr->length > rl->max_frag_len) {
4030869d
MC		 797 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
798 goto end;
799 }
800
801 thisrr->off = 0;
802 /*-
803 * So at this point the following is true
804 * thisrr->type is the type of record
805 * thisrr->length == number of bytes in record
806 * thisrr->off == offset to first valid byte
807 * thisrr->data == where to take bytes from, increment after use :-).
808 */
809
810 /* just read a 0 length packet */
811 if (thisrr->length == 0) {
aedbb71b 812 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
4030869d
MC		 813 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_RECORD_TOO_SMALL);
814 goto end;
815 }
816 } else {
aedbb71b 817 rl->empty_record_count = 0;
4030869d
MC		 818 }
819 }
820
9dd90232 821 if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) {
4030869d
MC		 822 thisrr = &rr[0];
823 if (thisrr->type == SSL3_RT_APPLICATION_DATA
9dd90232
MC		 824 && !rlayer_early_data_count_ok(rl, thisrr->length, 0, 0)) {
825 /* RLAYERfatal already called */
4030869d
MC		 826 goto end;
827 }
828 }
829
830 rl->num_recs = num_recs;
831 rl->curr_rec = 0;
832 rl->num_released = 0;
833 ret = OSSL_RECORD_RETURN_SUCCESS;
834 end:
835 if (macbufs != NULL) {
836 for (j = 0; j < num_recs; j++) {
837 if (macbufs[j].alloced)
838 OPENSSL_free(macbufs[j].mac);
839 }
840 OPENSSL_free(macbufs);
841 }
842 return ret;
843}
844
1853d20a
MC		 845/* Shared by ssl3_meth and tls1_meth */
846int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
847{
848 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
849
850 if (rec->rec_version != rl->version) {
851 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER);
852 return 0;
853 }
854
855#ifndef OPENSSL_NO_COMP
856 /*
857 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
858 * does not include the compression overhead anyway.
859 */
860 if (rl->expand == NULL)
861 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
862#endif
863
864 if (rec->length > len) {
865 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
866 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
867 return 0;
868 }
869
870 return 1;
871}
872
222cf410 873int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1853d20a
MC		 874{
875#ifndef OPENSSL_NO_COMP
876 int i;
877
878 if (rec->comp == NULL) {
879 rec->comp = (unsigned char *)
880 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
881 }
882 if (rec->comp == NULL)
883 return 0;
884
885 i = COMP_expand_block(rl->expand, rec->comp,
886 SSL3_RT_MAX_PLAIN_LENGTH, rec->data, (int)rec->length);
887 if (i < 0)
888 return 0;
889 else
890 rec->length = i;
891 rec->data = rec->comp;
892 return 1;
893#else
894 return 0;
895#endif
896}
897
898/* Shared by tlsany_meth, ssl3_meth and tls1_meth */
8124ab56 899int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1853d20a
MC		 900{
901 if (rl->expand != NULL) {
902 if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
903 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
904 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
905 return 0;
906 }
907 if (!tls_do_uncompress(rl, rec)) {
908 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
909 SSL_R_BAD_DECOMPRESSION);
910 return 0;
911 }
912 }
913
914 if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
915 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
916 return 0;
917 }
918
919 return 1;
920}
921
922/* Shared by tls13_meth and ktls_meth */
8124ab56 923int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1853d20a 924{
1853d20a
MC		 925 if (rec->type != SSL3_RT_APPLICATION_DATA
926 && rec->type != SSL3_RT_ALERT
927 && rec->type != SSL3_RT_HANDSHAKE) {
928 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
929 return 0;
930 }
931
3c7b9ef9
MC		 932 rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &rec->type,
933 1, rl->cbarg);
1853d20a
MC		 934
935 /*
936 * TLSv1.3 alert and handshake records are required to be non-zero in
937 * length.
938 */
939 if ((rec->type == SSL3_RT_HANDSHAKE
940 || rec->type == SSL3_RT_ALERT)
941 && rec->length == 0) {
942 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
943 return 0;
944 }
945
946 return 1;
947}
948
949int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
950 int *type, unsigned char **data, size_t *datalen,
8124ab56 951 uint16_t *epoch, unsigned char *seq_num)
4030869d
MC		 952{
953 SSL3_RECORD *rec;
954
955 /*
956 * tls_get_more_records() can return success without actually reading
957 * anything useful (i.e. if empty records are read). We loop here until
958 * we have something useful. tls_get_more_records() will eventually fail if
959 * too many sequential empty records are read.
960 */
961 while (rl->curr_rec >= rl->num_recs) {
962 int ret;
963
964 if (rl->num_released != rl->num_recs) {
965 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
966 return OSSL_RECORD_RETURN_FATAL;
967 }
968
eddb067e 969 ret = rl->funcs->get_more_records(rl);
4030869d
MC		 970
971 if (ret != OSSL_RECORD_RETURN_SUCCESS)
972 return ret;
973 }
974
975 /*
976 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
977 * points to the next one to read.
978 */
979 rec = &rl->rrec[rl->curr_rec++];
980
981 *rechandle = rec;
982 *rversion = rec->rec_version;
983 *type = rec->type;
eddb067e 984 *data = rec->data + rec->off;
4030869d 985 *datalen = rec->length;
eddb067e
MC		 986 if (rl->isdtls) {
987 *epoch = (uint16_t)rec->epoch;
988 memcpy(seq_num, rec->seq_num, sizeof(rec->seq_num));
989 }
4030869d
MC		 990
991 return OSSL_RECORD_RETURN_SUCCESS;
992}
993
1853d20a 994int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle)
4030869d
MC		 995{
996 if (!ossl_assert(rl->num_released < rl->curr_rec)
997 || !ossl_assert(rechandle == &rl->rrec[rl->num_released])) {
998 /* Should not happen */
999 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
1000 return OSSL_RECORD_RETURN_FATAL;
1001 }
1002
1003 rl->num_released++;
1004
1005 return OSSL_RECORD_RETURN_SUCCESS;
1006}
1007
1853d20a 1008int
cc110a0a
MC		 1009tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1010 int role, int direction, int level, unsigned char *key,
1011 size_t keylen, unsigned char *iv, size_t ivlen,
1012 unsigned char *mackey, size_t mackeylen,
1013 const EVP_CIPHER *ciph, size_t taglen,
cc110a0a 1014 int mactype,
359affde
MC		 1015 const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
1016 BIO *transport, BIO *next, BIO_ADDR *local,
1017 BIO_ADDR *peer, const OSSL_PARAM *settings,
9dd90232
MC		 1018 const OSSL_PARAM *options,
1019 const OSSL_DISPATCH *fns, void *cbarg,
8124ab56 1020 OSSL_RECORD_LAYER **retrl)
34a4068c
MC		 1021{
1022 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
e2d5742b
MC		 1023 const OSSL_PARAM *p;
1024
7c293999
MC		 1025 *retrl = NULL;
1026
e2d5742b
MC		 1027 if (rl == NULL) {
1028 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
7c293999 1029 return OSSL_RECORD_RETURN_FATAL;
e2d5742b
MC		 1030 }
1031
79eebb08
MC		 1032 /*
1033 * TODO(RECLAYER): Need to handle the case where the params are updated
1034 * after the record layer has been created.
1035 */
e2d5742b
MC		 1036 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
1037 if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
1038 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1039 goto err;
1040 }
1041
1042 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
1043 if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
1044 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1045 goto err;
1046 }
1047
81c9ebd9
MC		 1048 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN);
1049 if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->rbuf.default_len)) {
1050 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1051 goto err;
1052 }
1053
7f2f0ac7
MC		 1054 /* Loop through all the settings since they must all be understood */
1055 for (p = settings; p->key != NULL; p++) {
1056 if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) {
1057 if (!OSSL_PARAM_get_int(p, &rl->use_etm)) {
1058 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1059 goto err;
1060 }
ffbd6e67
MC		 1061 } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) {
1062 if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) {
1063 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1064 goto err;
1065 }
9dd90232
MC		 1066 } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) {
1067 if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) {
1068 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1069 goto err;
1070 }
8124ab56
MC		 1071 } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) {
1072 if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) {
1073 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1074 goto err;
1075 }
1076 } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) {
1077 if (!OSSL_PARAM_get_int(p, &rl->tlstree)) {
1078 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1079 goto err;
1080 }
7f2f0ac7
MC		 1081 } else {
1082 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_MANDATORY_PARAMETER);
1083 goto err;
1084 }
1085 }
1086
1087
79eebb08
MC		 1088 if (level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) {
1089 /*
1090 * We ignore any read_ahead setting prior to the application protection
1091 * level. Otherwise we may read ahead data in a lower protection level
1092 * that is destined for a higher protection level. To simplify the logic
1093 * we don't support that at this stage.
1094 */
1095 /*
1096 * TODO(RECLAYER): Handle the case of read_ahead at the application
1097 * level and a key update/reneg occurs.
1098 */
1099 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
1100 if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
1101 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1102 goto err;
1103 }
e2d5742b
MC		 1104 }
1105
aedbb71b
MC		 1106 rl->libctx = libctx;
1107 rl->propq = propq;
1108
e2d5742b
MC		 1109 rl->version = vers;
1110 rl->role = role;
1111 rl->direction = direction;
9dd90232 1112 rl->level = level;
4030869d 1113
1853d20a 1114 if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
4030869d
MC		 1115 rl->is_first_record = 1;
1116
e2d5742b
MC		 1117 if (!tls_set1_bio(rl, transport))
1118 goto err;
1119
359affde
MC		 1120 if (prev != NULL && !BIO_up_ref(prev))
1121 goto err;
1122 rl->prev = prev;
1123
1124 if (next != NULL && !BIO_up_ref(next))
1125 goto err;
1126 rl->next = next;
1127
9dd90232
MC		 1128 rl->cbarg = cbarg;
1129 for (; fns->function_id != 0; fns++) {
1130 switch (fns->function_id) {
1131 case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA:
3c7b9ef9
MC		 1132 rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns);
1133 break;
1134 case OSSL_FUNC_RLAYER_MSG_CALLBACK:
1135 rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
9dd90232 1136 break;
ed0e298f
MC		 1137 case OSSL_FUNC_RLAYER_SECURITY:
1138 rl->security = OSSL_FUNC_rlayer_security(fns);
1139 break;
9dd90232
MC		 1140 default:
1141 /* Just ignore anything we don't understand */
1142 break;
1143 }
1144 }
1145
7c293999
MC		 1146 *retrl = rl;
1147 return OSSL_RECORD_RETURN_SUCCESS;
cc110a0a 1148 err:
359affde 1149 tls_int_free(rl);
7c293999 1150 return OSSL_RECORD_RETURN_FATAL;
cc110a0a
MC		 1151}
1152
7c293999 1153static int
cc110a0a 1154tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
222cf410
MC		 1155 int role, int direction, int level, unsigned int epoch,
1156 unsigned char *key, size_t keylen, unsigned char *iv,
1157 size_t ivlen, unsigned char *mackey, size_t mackeylen,
cc110a0a 1158 const EVP_CIPHER *ciph, size_t taglen,
cc110a0a 1159 int mactype,
359affde
MC		 1160 const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
1161 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
cc110a0a 1162 const OSSL_PARAM *settings, const OSSL_PARAM *options,
9dd90232 1163 const OSSL_DISPATCH *fns, void *cbarg,
8124ab56 1164 OSSL_RECORD_LAYER **retrl)
cc110a0a 1165{
7c293999
MC		 1166 int ret;
1167
1168 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
1169 key, keylen, iv, ivlen, mackey, mackeylen,
359affde
MC		 1170 ciph, taglen, mactype, md, comp, prev,
1171 transport, next, local, peer, settings,
8124ab56 1172 options, fns, cbarg, retrl);
cc110a0a 1173
7c293999
MC		 1174 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1175 return ret;
cc110a0a 1176
aedbb71b
MC		 1177 switch (vers) {
1178 case TLS_ANY_VERSION:
7c293999 1179 (*retrl)->funcs = &tls_any_funcs;
aedbb71b
MC		 1180 break;
1181 case TLS1_3_VERSION:
7c293999 1182 (*retrl)->funcs = &tls_1_3_funcs;
aedbb71b
MC		 1183 break;
1184 case TLS1_2_VERSION:
aedbb71b 1185 case TLS1_1_VERSION:
aedbb71b 1186 case TLS1_VERSION:
7c293999 1187 (*retrl)->funcs = &tls_1_funcs;
aedbb71b
MC		 1188 break;
1189 case SSL3_VERSION:
7c293999 1190 (*retrl)->funcs = &ssl_3_0_funcs;
aedbb71b
MC		 1191 break;
1192 default:
1193 /* Should not happen */
7c293999
MC		 1194 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
1195 ret = OSSL_RECORD_RETURN_FATAL;
aedbb71b
MC		 1196 goto err;
1197 }
1198
7c293999
MC		 1199 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
1200 ivlen, mackey, mackeylen, ciph,
8124ab56 1201 taglen, mactype, md, comp);
aedbb71b 1202
e2d5742b 1203 err:
7c293999
MC		 1204 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
1205 OPENSSL_free(*retrl);
1206 *retrl = NULL;
1207 }
1208 return ret;
e2d5742b
MC		 1209}
1210
359affde 1211static void tls_int_free(OSSL_RECORD_LAYER *rl)
34a4068c 1212{
2b891e30 1213 /* TODO(RECLAYER): Cleanse sensitive fields */
359affde 1214 BIO_free(rl->prev);
e2d5742b 1215 BIO_free(rl->bio);
359affde
MC		 1216 BIO_free(rl->next);
1217 SSL3_BUFFER_release(&rl->rbuf);
1218
6366bdd9
MC		 1219 EVP_CIPHER_CTX_free(rl->enc_ctx);
1220 EVP_MD_CTX_free(rl->md_ctx);
976b263d 1221#ifndef OPENSSL_NO_COMP
359affde 1222 COMP_CTX_free(rl->expand);
976b263d 1223#endif
359affde 1224
34a4068c
MC		 1225 OPENSSL_free(rl);
1226}
1227
359affde
MC		 1228int tls_free(OSSL_RECORD_LAYER *rl)
1229{
1230 SSL3_BUFFER *rbuf;
1231 size_t left, written;
1232 int ret = 1;
1233
1234 rbuf = &rl->rbuf;
1235
1236 left = SSL3_BUFFER_get_left(rbuf);
1237 if (left > 0) {
1238 /*
1239 * This record layer is closing but we still have data left in our
1240 * buffer. It must be destined for the next epoch - so push it there.
1241 */
1242 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
1243 }
1244 tls_int_free(rl);
1245
1246 return ret;
1247}
1248
1249
1853d20a 1250int tls_reset(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1251{
1252 memset(rl, 0, sizeof(*rl));
1253 return 1;
1254}
1255
1853d20a 1256int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
34a4068c 1257{
0755722c 1258 return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
34a4068c
MC		 1259}
1260
1853d20a 1261int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
34a4068c 1262{
4030869d 1263 return rl->curr_rec < rl->num_recs;
34a4068c
MC		 1264}
1265
1853d20a 1266size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1267{
1268 return 0;
1269}
1270
1853d20a 1271int tls_write_pending(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1272{
1273 return 0;
1274}
1275
1853d20a 1276size_t tls_get_max_record_len(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1277{
1278 return 0;
1279}
1280
1853d20a 1281size_t tls_get_max_records(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1282{
1283 return 0;
1284}
1285
1853d20a
MC		 1286int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE **templates,
1287 size_t numtempl, size_t allowance, size_t *sent)
34a4068c
MC		 1288{
1289 return 0;
1290}
1291
1853d20a
MC		 1292int tls_retry_write_records(OSSL_RECORD_LAYER *rl, size_t allowance,
1293 size_t *sent)
34a4068c
MC		 1294{
1295 return 0;
1296}
1297
34a4068c 1298
1853d20a 1299int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 1300{
1301 return rl->alert;
1302}
1303
1853d20a 1304int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
e2d5742b
MC		 1305{
1306 if (bio != NULL && !BIO_up_ref(bio))
1307 return 0;
1308 BIO_free(rl->bio);
1309 rl->bio = bio;
1310
1311 return 1;
1312}
1313
1853d20a
MC		 1314/* Shared by most methods except tlsany_meth */
1315int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1316{
1317 if (rl->version != version)
1318 return 0;
1319
1320 return 1;
1321}
1322
1323int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1324{
1325 return rl->funcs->set_protocol_version(rl, version);
1326}
1327
1328void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
1329{
1330 rl->allow_plain_alerts = allow;
1331}
1332
1333void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
1334{
1335 rl->is_first_handshake = first;
1336}
1337
8124ab56
MC		 1338void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
1339{
1340 rl->max_pipelines = max_pipelines;
1341 if (max_pipelines > 1)
1342 rl->read_ahead = 1;
1343}
1344
34a4068c
MC		 1345const OSSL_RECORD_METHOD ossl_tls_record_method = {
1346 tls_new_record_layer,
1347 tls_free,
1348 tls_reset,
1349 tls_unprocessed_read_pending,
1350 tls_processed_read_pending,
1351 tls_app_data_pending,
1352 tls_write_pending,
1353 tls_get_max_record_len,
1354 tls_get_max_records,
1355 tls_write_records,
1356 tls_retry_write_records,
1357 tls_read_record,
e2d5742b
MC		 1358 tls_release_record,
1359 tls_get_alert_code,
1360 tls_set1_bio,
1853d20a
MC		 1361 tls_set_protocol_version,
1362 tls_set_plain_alerts,
1363 tls_set_first_handshake,
8124ab56 1364 tls_set_max_pipelines,
81c9ebd9 1365 NULL
cc110a0a 1366};
A mirror of the official openssl repository