]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/record/methods/tls_common.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Move the SSLv3 crypto code into the new record layer
[thirdparty/openssl.git] / ssl / record / methods / tls_common.c
CommitLineData
34a4068c
MC		 1/*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
1d367677 10#include <assert.h>
34a4068c
MC		 11#include <openssl/bio.h>
12#include <openssl/ssl.h>
e2d5742b
MC		 13#include <openssl/err.h>
14#include <openssl/core_names.h>
1e76110b 15#include <openssl/comp.h>
e2d5742b 16#include "internal/e_os.h"
4030869d 17#include "internal/packet.h"
4840c2a5
MC		 18#include "../../ssl_local.h"
19#include "../record_local.h"
50023e9b 20#include "recmethod_local.h"
e2d5742b 21
359affde
MC		 22static void tls_int_free(OSSL_RECORD_LAYER *rl);
23
50023e9b
MC		 24void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
25 const char *fmt, ...)
e2d5742b
MC		 26{
27 va_list args;
28
29 va_start(args, fmt);
30 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
31 va_end(args);
32
33 rl->alert = al;
34}
35
50023e9b
MC		 36int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
37 EVP_CIPHER_CTX *ctx,
38 const EVP_CIPHER *ciph,
7f2f0ac7 39 const EVP_MD *md)
aedbb71b
MC		 40{
41 /*
42 * Provided cipher, the TLS padding/MAC removal is performed provider
43 * side so we need to tell the ctx about our TLS version and mac size
44 */
45 OSSL_PARAM params[3], *pprm = params;
46 size_t macsize = 0;
47 int imacsize = -1;
48
49 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
7f2f0ac7 50 && !rl->use_etm)
aedbb71b
MC		 51 imacsize = EVP_MD_get_size(md);
52 if (imacsize >= 0)
53 macsize = (size_t)imacsize;
54
55 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
56 &rl->version);
57 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
58 &macsize);
59 *pprm = OSSL_PARAM_construct_end();
60
61 if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
7c293999 62 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
aedbb71b
MC		 63 return 0;
64 }
65
66 return 1;
67}
68
50023e9b
MC		 69/*
70 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
71 * which ssl3_cbc_digest_record supports.
aedbb71b 72 */
50023e9b 73char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
2b891e30 74{
50023e9b
MC		 75 switch (EVP_MD_CTX_get_type(ctx)) {
76 case NID_md5:
77 case NID_sha1:
78 case NID_sha224:
79 case NID_sha256:
80 case NID_sha384:
81 case NID_sha512:
2b891e30 82 return 1;
50023e9b 83 default:
aedbb71b 84 return 0;
aedbb71b 85 }
aedbb71b
MC		 86}
87
976b263d 88#ifndef OPENSSL_NO_COMP
9b7fb65e 89static int tls_allow_compression(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 90{
91 if (rl->options & SSL_OP_NO_COMPRESSION)
92 return 0;
ed0e298f 93
b85ebc4b
MC		 94 return rl->security == NULL
95 || rl->security(rl->cbarg, SSL_SECOP_COMPRESSION, 0, 0, NULL);
e2d5742b 96}
976b263d 97#endif
e2d5742b 98
23bf52a4
MC		 99static void tls_release_write_buffer_int(OSSL_RECORD_LAYER *rl, size_t start)
100{
101 SSL3_BUFFER *wb;
102 size_t pipes;
103
104 pipes = rl->numwpipes;
105
106 while (pipes > start) {
107 wb = &rl->wbuf[pipes - 1];
108
109 if (SSL3_BUFFER_is_app_buffer(wb))
110 SSL3_BUFFER_set_app_buffer(wb, 0);
111 else
112 OPENSSL_free(wb->buf);
113 wb->buf = NULL;
114 pipes--;
115 }
116}
117
85b358b0
MC		 118#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
119# ifndef OPENSSL_NO_COMP
120# define MAX_PREFIX_LEN ((SSL3_ALIGN_PAYLOAD - 1) \
121 + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
122 + SSL3_RT_HEADER_LENGTH \
123 + SSL3_RT_MAX_COMPRESSED_OVERHEAD)
124# else
125# define MAX_PREFIX_LEN ((SSL3_ALIGN_PAYLOAD - 1) \
126 + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
127 + SSL3_RT_HEADER_LENGTH)
128# endif /* OPENSSL_NO_COMP */
129#else
130# ifndef OPENSSL_NO_COMP
131# define MAX_PREFIX_LEN (SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
132 + SSL3_RT_HEADER_LENGTH \
133 + SSL3_RT_MAX_COMPRESSED_OVERHEAD)
134# else
135# define MAX_PREFIX_LEN (SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
136 + SSL3_RT_HEADER_LENGTH)
137# endif /* OPENSSL_NO_COMP */
138#endif
139
bafe524b
MC		 140int tls_setup_write_buffer(OSSL_RECORD_LAYER *rl, size_t numwpipes,
141 size_t firstlen, size_t nextlen)
151f313e
MC		 142{
143 unsigned char *p;
144 size_t align = 0, headerlen;
145 SSL3_BUFFER *wb;
146 size_t currpipe;
147 SSL_CONNECTION *s = (SSL_CONNECTION *)rl->cbarg;
85b358b0 148 size_t defltlen = 0;
151f313e 149
85b358b0 150 if (firstlen == 0 || (numwpipes > 1 && nextlen == 0)) {
320145d5 151 if (rl->isdtls)
151f313e
MC		 152 headerlen = DTLS1_RT_HEADER_LENGTH + 1;
153 else
154 headerlen = SSL3_RT_HEADER_LENGTH;
155
85b358b0 156#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
151f313e
MC		 157 align = SSL3_ALIGN_PAYLOAD - 1;
158#endif
159
85b358b0 160 defltlen = ssl_get_max_send_fragment(s)
151f313e
MC		 161 + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
162#ifndef OPENSSL_NO_COMP
9251c3c4 163 if (tls_allow_compression(rl))
85b358b0 164 defltlen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
151f313e
MC		 165#endif
166 if (!(rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
85b358b0 167 defltlen += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
151f313e
MC		 168 }
169
170 wb = rl->wbuf;
171 for (currpipe = 0; currpipe < numwpipes; currpipe++) {
172 SSL3_BUFFER *thiswb = &wb[currpipe];
85b358b0
MC		 173 size_t len = (currpipe == 0) ? firstlen : nextlen;
174
175 if (len == 0)
176 len = defltlen;
151f313e
MC		 177
178 if (thiswb->len != len) {
179 OPENSSL_free(thiswb->buf);
180 thiswb->buf = NULL; /* force reallocation */
181 }
182
183 if (thiswb->buf == NULL) {
184 if (s->wbio == NULL || !BIO_get_ktls_send(s->wbio)) {
185 p = OPENSSL_malloc(len);
186 if (p == NULL) {
23bf52a4
MC		 187 if (rl->numwpipes < currpipe)
188 rl->numwpipes = currpipe;
151f313e
MC		 189 /*
190 * We've got a malloc failure, and we're still initialising
191 * buffers. We assume we're so doomed that we won't even be able
192 * to send an alert.
193 */
e077455e 194 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
151f313e
MC		 195 return 0;
196 }
197 } else {
198 p = NULL;
199 }
200 memset(thiswb, 0, sizeof(SSL3_BUFFER));
201 thiswb->buf = p;
202 thiswb->len = len;
203 }
204 }
205
23bf52a4
MC		 206 /* Free any previously allocated buffers that we are no longer using */
207 tls_release_write_buffer_int(rl, currpipe);
208
209 rl->numwpipes = numwpipes;
210
151f313e
MC		 211 return 1;
212}
213
214static void tls_release_write_buffer(OSSL_RECORD_LAYER *rl)
215{
23bf52a4 216 tls_release_write_buffer_int(rl, 0);
e7694c69
MC		 217
218 rl->numwpipes = 0;
151f313e
MC		 219}
220
9b7fb65e 221int tls_setup_read_buffer(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 222{
223 unsigned char *p;
224 size_t len, align = 0, headerlen;
225 SSL3_BUFFER *b;
226
227 b = &rl->rbuf;
228
229 if (rl->isdtls)
230 headerlen = DTLS1_RT_HEADER_LENGTH;
231 else
232 headerlen = SSL3_RT_HEADER_LENGTH;
233
1704961c 234#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
e2d5742b
MC		 235 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
236#endif
237
238 if (b->buf == NULL) {
239 len = SSL3_RT_MAX_PLAIN_LENGTH
240 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
241#ifndef OPENSSL_NO_COMP
9b7fb65e 242 if (tls_allow_compression(rl))
e2d5742b
MC		 243 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
244#endif
245 if (b->default_len > len)
246 len = b->default_len;
247 if ((p = OPENSSL_malloc(len)) == NULL) {
248 /*
249 * We've got a malloc failure, and we're still initialising buffers.
250 * We assume we're so doomed that we won't even be able to send an
251 * alert.
252 */
e077455e 253 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
e2d5742b
MC		 254 return 0;
255 }
256 b->buf = p;
257 b->len = len;
258 }
259
260 return 1;
261}
262
9b7fb65e 263static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 264{
265 SSL3_BUFFER *b;
266
267 b = &rl->rbuf;
1704961c 268 if ((rl->options & SSL_OP_CLEANSE_PLAINTEXT) != 0)
e2d5742b
MC		 269 OPENSSL_cleanse(b->buf, b->len);
270 OPENSSL_free(b->buf);
271 b->buf = NULL;
272 return 1;
273}
274
275/*
276 * Return values are as per SSL_read()
277 */
1853d20a
MC		 278int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
279 int clearold, size_t *readbytes)
e2d5742b
MC		 280{
281 /*
282 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
283 * packet by another n bytes. The packet will be in the sub-array of
b0a9042e
MC		 284 * rl->rbuf.buf specified by rl->packet and rl->packet_length. (If
285 * rl->read_ahead is set, 'max' bytes may be stored in rbuf [plus
286 * rl->packet_length bytes if extend == 1].) if clearold == 1, move the
287 * packet to the start of the buffer; if clearold == 0 then leave any old
288 * packets where they were
e2d5742b
MC		 289 */
290 size_t len, left, align = 0;
291 unsigned char *pkt;
292 SSL3_BUFFER *rb;
293
294 if (n == 0)
295 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
296
297 rb = &rl->rbuf;
e2d5742b
MC		 298 left = rb->left;
299#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
300 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
301 align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
302#endif
303
304 if (!extend) {
305 /* start with empty packet ... */
306 if (left == 0) {
307 rb->offset = align;
308 } else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {
309 /*
310 * check if next packet length is large enough to justify payload
311 * alignment...
312 */
313 pkt = rb->buf + rb->offset;
314 if (pkt[0] == SSL3_RT_APPLICATION_DATA
315 && (pkt[3] << 8 | pkt[4]) >= 128) {
316 /*
317 * Note that even if packet is corrupted and its length field
318 * is insane, we can only be led to wrong decision about
319 * whether memmove will occur or not. Header values has no
320 * effect on memmove arguments and therefore no buffer
321 * overrun can be triggered.
322 */
323 memmove(rb->buf + align, pkt, left);
324 rb->offset = align;
325 }
326 }
327 rl->packet = rb->buf + rb->offset;
328 rl->packet_length = 0;
329 /* ... now we can act as if 'extend' was set */
330 }
331
332 len = rl->packet_length;
333 pkt = rb->buf + align;
334 /*
335 * Move any available bytes to front of buffer: 'len' bytes already
336 * pointed to by 'packet', 'left' extra ones at the end
337 */
338 if (rl->packet != pkt && clearold == 1) {
339 memmove(pkt, rl->packet, len + left);
340 rl->packet = pkt;
341 rb->offset = len + align;
342 }
343
344 /*
345 * For DTLS/UDP reads should not span multiple packets because the read
346 * operation returns the whole packet at once (as long as it fits into
347 * the buffer).
348 */
349 if (rl->isdtls) {
350 if (left == 0 && extend)
351 return 0;
352 if (left > 0 && n > left)
353 n = left;
354 }
355
356 /* if there is enough in the buffer from a previous read, take some */
357 if (left >= n) {
358 rl->packet_length += n;
359 rb->left = left - n;
360 rb->offset += n;
361 *readbytes = n;
362 return OSSL_RECORD_RETURN_SUCCESS;
363 }
364
365 /* else we need to read more data */
366
367 if (n > rb->len - rb->offset) {
368 /* does not happen */
369 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
370 return OSSL_RECORD_RETURN_FATAL;
371 }
372
1853d20a
MC		 373 /* We always act like read_ahead is set for DTLS */
374 if (!rl->read_ahead && !rl->isdtls) {
e2d5742b
MC		 375 /* ignore max parameter */
376 max = n;
377 } else {
378 if (max < n)
379 max = n;
380 if (max > rb->len - rb->offset)
381 max = rb->len - rb->offset;
382 }
383
384 while (left < n) {
385 size_t bioread = 0;
386 int ret;
359affde 387 BIO *bio = rl->prev != NULL ? rl->prev : rl->bio;
e2d5742b
MC		 388
389 /*
1704961c
MC		 390 * Now we have len+left bytes at the front of rl->rbuf.buf and
391 * need to read in more until we have len + n (up to len + max if
e2d5742b
MC		 392 * possible)
393 */
394
395 clear_sys_error();
359affde
MC		 396 if (bio != NULL) {
397 ret = BIO_read(bio, pkt + len + left, max - left);
e2d5742b
MC		 398 if (ret > 0) {
399 bioread = ret;
400 ret = OSSL_RECORD_RETURN_SUCCESS;
359affde
MC		 401 } else if (BIO_should_retry(bio)) {
402 if (rl->prev != NULL) {
403 /*
404 * We were reading from the previous epoch. Now there is no
405 * more data, so swap to the actual transport BIO
406 */
407 BIO_free(rl->prev);
408 rl->prev = NULL;
409 continue;
410 }
e2d5742b 411 ret = OSSL_RECORD_RETURN_RETRY;
359affde 412 } else if (BIO_eof(bio)) {
e2d5742b
MC		 413 ret = OSSL_RECORD_RETURN_EOF;
414 } else {
415 ret = OSSL_RECORD_RETURN_FATAL;
416 }
417 } else {
418 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
419 ret = OSSL_RECORD_RETURN_FATAL;
420 }
421
422 if (ret <= OSSL_RECORD_RETURN_RETRY) {
423 rb->left = left;
3de76959 424 if ((rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0 && !rl->isdtls)
e2d5742b 425 if (len + left == 0)
9b7fb65e 426 tls_release_read_buffer(rl);
e2d5742b
MC		 427 return ret;
428 }
429 left += bioread;
430 /*
431 * reads should *never* span multiple packets for DTLS because the
432 * underlying transport protocol is message oriented as opposed to
433 * byte oriented as in the TLS case.
434 */
435 if (rl->isdtls) {
436 if (n > left)
437 n = left; /* makes the while condition false */
438 }
439 }
440
441 /* done reading, now the book-keeping */
442 rb->offset += n;
443 rb->left = left - n;
444 rl->packet_length += n;
445 *readbytes = n;
446 return OSSL_RECORD_RETURN_SUCCESS;
447}
448
4030869d
MC		 449/*
450 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
451 * for us in the buffer.
452 */
453static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
454{
455 SSL3_BUFFER *rbuf;
456 size_t left, len;
457 unsigned char *p;
458
459 rbuf = &rl->rbuf;
460
461 p = SSL3_BUFFER_get_buf(rbuf);
462 if (p == NULL)
463 return 0;
464
465 left = SSL3_BUFFER_get_left(rbuf);
466
467 if (left < SSL3_RT_HEADER_LENGTH)
468 return 0;
469
470 p += SSL3_BUFFER_get_offset(rbuf);
471
472 /*
473 * We only check the type and record length, we will sanity check version
474 * etc later
475 */
476 if (*p != SSL3_RT_APPLICATION_DATA)
477 return 0;
478
479 p += 3;
480 n2s(p, len);
481
482 if (left < SSL3_RT_HEADER_LENGTH + len)
483 return 0;
484
485 return 1;
486}
487
9dd90232
MC		 488static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length,
489 size_t overhead, int send)
490{
491 uint32_t max_early_data = rl->max_early_data;
492
493 if (max_early_data == 0) {
494 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
1704961c 495 SSL_R_TOO_MUCH_EARLY_DATA);
9dd90232
MC		 496 return 0;
497 }
498
499 /* If we are dealing with ciphertext we need to allow for the overhead */
500 max_early_data += overhead;
501
502 if (rl->early_data_count + length > max_early_data) {
503 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
1704961c 504 SSL_R_TOO_MUCH_EARLY_DATA);
9dd90232
MC		 505 return 0;
506 }
507 rl->early_data_count += length;
508
509 return 1;
510}
511
4030869d
MC		 512/*
513 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
1704961c 514 * will be processed per call to tls_get_more_records. Without this limit an
4030869d 515 * attacker could send empty records at a faster rate than we can process and
1704961c 516 * cause tls_get_more_records to loop forever.
4030869d
MC		 517 */
518#define MAX_EMPTY_RECORDS 32
519
520#define SSL2_RT_HEADER_LENGTH 2
521
522/*-
523 * Call this to buffer new input records in rl->rrec.
524 * It will return a OSSL_RECORD_RETURN_* value.
525 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
526 * records have been decoded. For each record 'i':
527 * rrec[i].type - is the type of record
528 * rrec[i].data, - data
529 * rrec[i].length, - number of bytes
530 * Multiple records will only be returned if the record types are all
531 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
532 * |max_pipelines|
533 */
eddb067e 534int tls_get_more_records(OSSL_RECORD_LAYER *rl)
4030869d
MC		 535{
536 int enc_err, rret;
537 int i;
538 size_t more, n;
539 SSL3_RECORD *rr, *thisrr;
540 SSL3_BUFFER *rbuf;
4030869d
MC		 541 unsigned char *p;
542 unsigned char md[EVP_MAX_MD_SIZE];
543 unsigned int version;
544 size_t mac_size = 0;
545 int imac_size;
546 size_t num_recs = 0, max_recs, j;
547 PACKET pkt, sslv2pkt;
4030869d
MC		 548 SSL_MAC_BUF *macbufs = NULL;
549 int ret = OSSL_RECORD_RETURN_FATAL;
4030869d
MC		 550
551 rr = rl->rrec;
552 rbuf = &rl->rbuf;
cc110a0a 553 if (rbuf->buf == NULL) {
9b7fb65e 554 if (!tls_setup_read_buffer(rl)) {
cc110a0a
MC		 555 /* RLAYERfatal() already called */
556 return OSSL_RECORD_RETURN_FATAL;
557 }
558 }
4030869d 559
8124ab56
MC		 560 max_recs = rl->max_pipelines;
561
4030869d
MC		 562 if (max_recs == 0)
563 max_recs = 1;
4030869d 564
4030869d
MC		 565 do {
566 thisrr = &rr[num_recs];
567
568 /* check if we have the header */
569 if ((rl->rstate != SSL_ST_READ_BODY) ||
570 (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
571 size_t sslv2len;
572 unsigned int type;
573
1853d20a
MC		 574 rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH,
575 SSL3_BUFFER_get_len(rbuf), 0,
576 num_recs == 0 ? 1 : 0, &n);
577
578 if (rret < OSSL_RECORD_RETURN_SUCCESS)
579 return rret; /* error or non-blocking */
580
4030869d
MC		 581 rl->rstate = SSL_ST_READ_BODY;
582
583 p = rl->packet;
584 if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
585 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
586 return OSSL_RECORD_RETURN_FATAL;
587 }
588 sslv2pkt = pkt;
589 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
590 || !PACKET_get_1(&sslv2pkt, &type)) {
591 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
592 return OSSL_RECORD_RETURN_FATAL;
593 }
594 /*
595 * The first record received by the server may be a V2ClientHello.
596 */
597 if (rl->role == OSSL_RECORD_ROLE_SERVER
598 && rl->is_first_record
599 && (sslv2len & 0x8000) != 0
600 && (type == SSL2_MT_CLIENT_HELLO)) {
601 /*
602 * SSLv2 style record
603 *
604 * |num_recs| here will actually always be 0 because
605 * |num_recs > 0| only ever occurs when we are processing
606 * multiple app data records - which we know isn't the case here
607 * because it is an SSLv2ClientHello. We keep it using
608 * |num_recs| for the sake of consistency
609 */
610 thisrr->type = SSL3_RT_HANDSHAKE;
611 thisrr->rec_version = SSL2_VERSION;
612
613 thisrr->length = sslv2len & 0x7fff;
614
615 if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
1704961c 616 - SSL2_RT_HEADER_LENGTH) {
4030869d
MC		 617 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
618 SSL_R_PACKET_LENGTH_TOO_LONG);
619 return OSSL_RECORD_RETURN_FATAL;
620 }
4030869d
MC		 621 } else {
622 /* SSLv3+ style record */
623
624 /* Pull apart the header into the SSL3_RECORD */
625 if (!PACKET_get_1(&pkt, &type)
626 || !PACKET_get_net_2(&pkt, &version)
627 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
b85ebc4b
MC		 628 if (rl->msg_callback != NULL)
629 rl->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, rl->cbarg);
4030869d
MC		 630 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
631 return OSSL_RECORD_RETURN_FATAL;
632 }
633 thisrr->type = type;
634 thisrr->rec_version = version;
635
014baa8a
MC		 636 /*
637 * When we call validate_record_header() only records actually
638 * received in SSLv2 format should have the record version set
639 * to SSL2_VERSION. This way validate_record_header() can know
640 * what format the record was in based on the version.
641 */
642 if (thisrr->rec_version == SSL2_VERSION) {
643 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
644 SSL_R_WRONG_VERSION_NUMBER);
645 return OSSL_RECORD_RETURN_FATAL;
646 }
647
b85ebc4b
MC		 648 if (rl->msg_callback != NULL)
649 rl->msg_callback(0, version, SSL3_RT_HEADER, p, 5, rl->cbarg);
4030869d 650
4030869d
MC		 651 if (thisrr->length >
652 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
653 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
654 SSL_R_PACKET_LENGTH_TOO_LONG);
655 return OSSL_RECORD_RETURN_FATAL;
656 }
657 }
658
1853d20a
MC		 659 if (!rl->funcs->validate_record_header(rl, thisrr)) {
660 /* RLAYERfatal already called */
4030869d
MC		 661 return OSSL_RECORD_RETURN_FATAL;
662 }
4030869d 663
1853d20a 664 /* now rl->rstate == SSL_ST_READ_BODY */
4030869d
MC		 665 }
666
667 /*
668 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
669 * how much more data we need to read for the rest of the record
670 */
671 if (thisrr->rec_version == SSL2_VERSION) {
672 more = thisrr->length + SSL2_RT_HEADER_LENGTH
1704961c 673 - SSL3_RT_HEADER_LENGTH;
4030869d
MC		 674 } else {
675 more = thisrr->length;
676 }
677
678 if (more > 0) {
679 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
680
1853d20a 681 rret = rl->funcs->read_n(rl, more, more, 1, 0, &n);
4030869d
MC		 682 if (rret < OSSL_RECORD_RETURN_SUCCESS)
683 return rret; /* error or non-blocking io */
684 }
685
686 /* set state for later operations */
687 rl->rstate = SSL_ST_READ_HEADER;
688
689 /*
690 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
691 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
692 * + thisrr->length and we have that many bytes in rl->packet
693 */
694 if (thisrr->rec_version == SSL2_VERSION)
695 thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
696 else
697 thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
698
699 /*
700 * ok, we can now read from 'rl->packet' data into 'thisrr'.
701 * thisrr->input points at thisrr->length bytes, which need to be copied
702 * into thisrr->data by either the decryption or by the decompression.
703 * When the data is 'copied' into the thisrr->data buffer,
704 * thisrr->input will be updated to point at the new buffer
705 */
706
707 /*
708 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
709 * thisrr->length bytes of encrypted compressed stuff.
710 */
711
712 /* decrypt in place in 'thisrr->input' */
713 thisrr->data = thisrr->input;
714 thisrr->orig_len = thisrr->length;
715
4030869d
MC		 716 num_recs++;
717
718 /* we have pulled in a full packet so zero things */
81c9ebd9 719 rl->packet_length = 0;
4030869d
MC		 720 rl->is_first_record = 0;
721 } while (num_recs < max_recs
722 && thisrr->type == SSL3_RT_APPLICATION_DATA
88d61680 723 && RLAYER_USE_EXPLICIT_IV(rl)
6366bdd9
MC		 724 && rl->enc_ctx != NULL
725 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
4030869d
MC		 726 & EVP_CIPH_FLAG_PIPELINE) != 0
727 && tls_record_app_data_waiting(rl));
728
729 if (num_recs == 1
730 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
9cd9e097
MC		 731 /* The following can happen in tlsany_meth after HRR */
732 && rl->version == TLS1_3_VERSION
1853d20a 733 && rl->is_first_handshake) {
4030869d
MC		 734 /*
735 * CCS messages must be exactly 1 byte long, containing the value 0x01
736 */
737 if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
738 RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER,
739 SSL_R_INVALID_CCS_MESSAGE);
740 return OSSL_RECORD_RETURN_FATAL;
741 }
742 /*
743 * CCS messages are ignored in TLSv1.3. We treat it like an empty
744 * handshake record
745 */
746 thisrr->type = SSL3_RT_HANDSHAKE;
aedbb71b 747 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
4030869d
MC		 748 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
749 SSL_R_UNEXPECTED_CCS_MESSAGE);
750 return OSSL_RECORD_RETURN_FATAL;
751 }
4030869d
MC		 752 rl->num_recs = 0;
753 rl->curr_rec = 0;
754 rl->num_released = 0;
755
756 return OSSL_RECORD_RETURN_SUCCESS;
757 }
758
6366bdd9
MC		 759 if (rl->md_ctx != NULL) {
760 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
4030869d
MC		 761
762 if (tmpmd != NULL) {
763 imac_size = EVP_MD_get_size(tmpmd);
764 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
1704961c
MC		 765 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
766 return OSSL_RECORD_RETURN_FATAL;
4030869d
MC		 767 }
768 mac_size = (size_t)imac_size;
769 }
770 }
771
772 /*
773 * If in encrypt-then-mac mode calculate mac from encrypted record. All
774 * the details below are public so no timing details can leak.
775 */
6366bdd9 776 if (rl->use_etm && rl->md_ctx) {
4030869d
MC		 777 unsigned char *mac;
778
779 for (j = 0; j < num_recs; j++) {
780 thisrr = &rr[j];
781
782 if (thisrr->length < mac_size) {
783 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
784 return OSSL_RECORD_RETURN_FATAL;
785 }
786 thisrr->length -= mac_size;
787 mac = thisrr->data + thisrr->length;
8124ab56 788 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
4030869d
MC		 789 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
790 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
791 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
792 return OSSL_RECORD_RETURN_FATAL;
793 }
794 }
795 /*
796 * We've handled the mac now - there is no MAC inside the encrypted
797 * record
798 */
799 mac_size = 0;
800 }
801
802 if (mac_size > 0) {
803 macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
804 if (macbufs == NULL) {
e077455e 805 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
4030869d
MC		 806 return OSSL_RECORD_RETURN_FATAL;
807 }
808 }
809
8124ab56 810 enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size);
4030869d
MC		 811
812 /*-
813 * enc_err is:
814 * 0: if the record is publicly invalid, or an internal error, or AEAD
815 * decryption failed, or ETM decryption failed.
816 * 1: Success or MTE decryption failed (MAC will be randomised)
817 */
818 if (enc_err == 0) {
d3192c26 819 if (rl->alert != SSL_AD_NO_ALERT) {
651216dd 820 /* RLAYERfatal() already got called */
4030869d
MC		 821 goto end;
822 }
b85ebc4b
MC		 823 if (num_recs == 1
824 && rl->skip_early_data != NULL
825 && rl->skip_early_data(rl->cbarg)) {
4030869d
MC		 826 /*
827 * Valid early_data that we cannot decrypt will fail here. We treat
828 * it like an empty record.
829 */
830
831 thisrr = &rr[0];
832
9dd90232
MC		 833 if (!rlayer_early_data_count_ok(rl, thisrr->length,
834 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
835 /* RLAYERfatal() already called */
4030869d
MC		 836 goto end;
837 }
838
839 thisrr->length = 0;
4030869d
MC		 840 rl->num_recs = 0;
841 rl->curr_rec = 0;
842 rl->num_released = 0;
0755722c
MC		 843 /* Reset the read sequence */
844 memset(rl->sequence, 0, sizeof(rl->sequence));
4030869d
MC		 845 ret = 1;
846 goto end;
847 }
848 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
849 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
850 goto end;
851 }
852 OSSL_TRACE_BEGIN(TLS) {
853 BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
854 BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
855 } OSSL_TRACE_END(TLS);
856
857 /* r->length is now the compressed data plus mac */
6366bdd9 858 if (rl->enc_ctx != NULL
ffbd6e67 859 && !rl->use_etm
6366bdd9
MC		 860 && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
861 /* rl->md_ctx != NULL => mac_size != -1 */
4030869d
MC		 862
863 for (j = 0; j < num_recs; j++) {
864 SSL_MAC_BUF *thismb = &macbufs[j];
1704961c 865
4030869d
MC		 866 thisrr = &rr[j];
867
8124ab56 868 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
4030869d
MC		 869 if (i == 0 || thismb == NULL || thismb->mac == NULL
870 || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
871 enc_err = 0;
872 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
873 enc_err = 0;
874 }
875 }
876
877 if (enc_err == 0) {
d3192c26 878 if (rl->alert != SSL_AD_NO_ALERT) {
651216dd 879 /* We already called RLAYERfatal() */
4030869d
MC		 880 goto end;
881 }
882 /*
883 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
884 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
885 * failure is directly visible from the ciphertext anyway, we should
886 * not reveal which kind of error occurred -- this might become
887 * visible to an attacker (e.g. via a logfile)
888 */
889 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
890 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
891 goto end;
892 }
893
4030869d
MC		 894 for (j = 0; j < num_recs; j++) {
895 thisrr = &rr[j];
896
8124ab56 897 if (!rl->funcs->post_process_record(rl, thisrr)) {
1853d20a 898 /* RLAYERfatal already called */
4030869d
MC		 899 goto end;
900 }
901
902 /*
903 * Check if the received packet overflows the current
904 * Max Fragment Length setting.
ffbd6e67 905 * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
4030869d 906 */
ffbd6e67 907 if (rl->max_frag_len > 0 && thisrr->length > rl->max_frag_len) {
4030869d
MC		 908 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
909 goto end;
910 }
911
912 thisrr->off = 0;
913 /*-
914 * So at this point the following is true
915 * thisrr->type is the type of record
916 * thisrr->length == number of bytes in record
917 * thisrr->off == offset to first valid byte
918 * thisrr->data == where to take bytes from, increment after use :-).
919 */
920
921 /* just read a 0 length packet */
922 if (thisrr->length == 0) {
aedbb71b 923 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
1704961c
MC		 924 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
925 SSL_R_RECORD_TOO_SMALL);
4030869d
MC		 926 goto end;
927 }
928 } else {
aedbb71b 929 rl->empty_record_count = 0;
4030869d
MC		 930 }
931 }
932
9dd90232 933 if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) {
4030869d
MC		 934 thisrr = &rr[0];
935 if (thisrr->type == SSL3_RT_APPLICATION_DATA
9dd90232
MC		 936 && !rlayer_early_data_count_ok(rl, thisrr->length, 0, 0)) {
937 /* RLAYERfatal already called */
4030869d
MC		 938 goto end;
939 }
940 }
941
942 rl->num_recs = num_recs;
943 rl->curr_rec = 0;
944 rl->num_released = 0;
945 ret = OSSL_RECORD_RETURN_SUCCESS;
946 end:
947 if (macbufs != NULL) {
948 for (j = 0; j < num_recs; j++) {
949 if (macbufs[j].alloced)
950 OPENSSL_free(macbufs[j].mac);
951 }
952 OPENSSL_free(macbufs);
953 }
954 return ret;
955}
956
1853d20a
MC		 957/* Shared by ssl3_meth and tls1_meth */
958int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
959{
960 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
961
962 if (rec->rec_version != rl->version) {
963 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER);
964 return 0;
965 }
966
967#ifndef OPENSSL_NO_COMP
968 /*
1704961c
MC		 969 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
970 * does not include the compression overhead anyway.
971 */
9251c3c4 972 if (rl->compctx == NULL)
1853d20a
MC		 973 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
974#endif
975
976 if (rec->length > len) {
977 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
978 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
979 return 0;
980 }
981
982 return 1;
983}
984
9251c3c4
MC		 985static int tls_do_compress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *wr)
986{
987#ifndef OPENSSL_NO_COMP
988 int i;
989
990 i = COMP_compress_block(rl->compctx, wr->data,
991 (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD),
992 wr->input, (int)wr->length);
993 if (i < 0)
994 return 0;
995
996 wr->length = i;
997 wr->input = wr->data;
998 return 1;
999#else
1000 return 0;
1001#endif
1002}
1003
222cf410 1004int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1853d20a
MC		 1005{
1006#ifndef OPENSSL_NO_COMP
1007 int i;
1008
1009 if (rec->comp == NULL) {
1010 rec->comp = (unsigned char *)
1011 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
1012 }
1013 if (rec->comp == NULL)
1014 return 0;
1015
9251c3c4 1016 i = COMP_expand_block(rl->compctx, rec->comp, SSL3_RT_MAX_PLAIN_LENGTH,
1704961c 1017 rec->data, (int)rec->length);
1853d20a
MC		 1018 if (i < 0)
1019 return 0;
1020 else
1021 rec->length = i;
1022 rec->data = rec->comp;
1023 return 1;
1024#else
1025 return 0;
1026#endif
1027}
1028
1029/* Shared by tlsany_meth, ssl3_meth and tls1_meth */
8124ab56 1030int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1853d20a 1031{
9251c3c4 1032 if (rl->compctx != NULL) {
1853d20a
MC		 1033 if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
1034 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1035 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1036 return 0;
1037 }
1038 if (!tls_do_uncompress(rl, rec)) {
1039 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
1040 SSL_R_BAD_DECOMPRESSION);
1041 return 0;
1042 }
1043 }
1044
1045 if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
1046 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
1047 return 0;
1048 }
1049
1050 return 1;
1051}
1052
1053/* Shared by tls13_meth and ktls_meth */
8124ab56 1054int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1853d20a 1055{
1853d20a
MC		 1056 if (rec->type != SSL3_RT_APPLICATION_DATA
1057 && rec->type != SSL3_RT_ALERT
1058 && rec->type != SSL3_RT_HANDSHAKE) {
1059 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
1060 return 0;
1061 }
1062
b85ebc4b
MC		 1063 if (rl->msg_callback != NULL)
1064 rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &rec->type,
1065 1, rl->cbarg);
1853d20a
MC		 1066
1067 /*
1068 * TLSv1.3 alert and handshake records are required to be non-zero in
1069 * length.
1070 */
1704961c 1071 if ((rec->type == SSL3_RT_HANDSHAKE || rec->type == SSL3_RT_ALERT)
1853d20a
MC		 1072 && rec->length == 0) {
1073 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
1074 return 0;
1075 }
1076
1077 return 1;
1078}
1079
1704961c 1080int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
1853d20a 1081 int *type, unsigned char **data, size_t *datalen,
8124ab56 1082 uint16_t *epoch, unsigned char *seq_num)
4030869d
MC		 1083{
1084 SSL3_RECORD *rec;
1085
1086 /*
1087 * tls_get_more_records() can return success without actually reading
1088 * anything useful (i.e. if empty records are read). We loop here until
1089 * we have something useful. tls_get_more_records() will eventually fail if
1090 * too many sequential empty records are read.
1091 */
1092 while (rl->curr_rec >= rl->num_recs) {
1093 int ret;
1094
1095 if (rl->num_released != rl->num_recs) {
1096 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
1097 return OSSL_RECORD_RETURN_FATAL;
1098 }
1099
eddb067e 1100 ret = rl->funcs->get_more_records(rl);
4030869d
MC		 1101
1102 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1103 return ret;
1104 }
1105
1106 /*
1107 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
1108 * points to the next one to read.
1109 */
1110 rec = &rl->rrec[rl->curr_rec++];
1111
1112 *rechandle = rec;
1113 *rversion = rec->rec_version;
1114 *type = rec->type;
eddb067e 1115 *data = rec->data + rec->off;
4030869d 1116 *datalen = rec->length;
eddb067e 1117 if (rl->isdtls) {
279754d4 1118 *epoch = rec->epoch;
eddb067e
MC		 1119 memcpy(seq_num, rec->seq_num, sizeof(rec->seq_num));
1120 }
4030869d
MC		 1121
1122 return OSSL_RECORD_RETURN_SUCCESS;
1123}
1124
1853d20a 1125int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle)
4030869d
MC		 1126{
1127 if (!ossl_assert(rl->num_released < rl->curr_rec)
1128 || !ossl_assert(rechandle == &rl->rrec[rl->num_released])) {
1129 /* Should not happen */
1130 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
1131 return OSSL_RECORD_RETURN_FATAL;
1132 }
1133
1134 rl->num_released++;
1135
3de76959
MC		 1136 if (rl->curr_rec == rl->num_released
1137 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0
1138 && SSL3_BUFFER_get_left(&rl->rbuf) == 0)
9b7fb65e 1139 tls_release_read_buffer(rl);
3de76959 1140
4030869d
MC		 1141 return OSSL_RECORD_RETURN_SUCCESS;
1142}
1143
4566dae7
MC		 1144int tls_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
1145{
1146 const OSSL_PARAM *p;
1147
1148 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
1149 if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
1150 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1151 return 0;
1152 }
1153
1154 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
1155 if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
1156 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1157 return 0;
1158 }
1159
eb7d6c2a
MC		 1160 if (rl->direction == OSSL_RECORD_DIRECTION_READ) {
1161 p = OSSL_PARAM_locate_const(options,
1162 OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN);
1163 if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->rbuf.default_len)) {
1164 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1165 return 0;
1166 }
1167 } else {
1168 p = OSSL_PARAM_locate_const(options,
1169 OSSL_LIBSSL_RECORD_LAYER_PARAM_BLOCK_PADDING);
1170 if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->block_padding)) {
1171 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1172 return 0;
1173 }
4566dae7
MC		 1174 }
1175
1176 if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) {
1177 /*
1178 * We ignore any read_ahead setting prior to the application protection
1179 * level. Otherwise we may read ahead data in a lower protection level
1180 * that is destined for a higher protection level. To simplify the logic
1181 * we don't support that at this stage.
1182 */
1183 p = OSSL_PARAM_locate_const(options,
1184 OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
1185 if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
1186 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1187 return 0;
1188 }
1189 }
1190
1191 return 1;
1192}
1193
1853d20a 1194int
cc110a0a
MC		 1195tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1196 int role, int direction, int level, unsigned char *key,
1197 size_t keylen, unsigned char *iv, size_t ivlen,
1198 unsigned char *mackey, size_t mackeylen,
1199 const EVP_CIPHER *ciph, size_t taglen,
cc110a0a 1200 int mactype,
1e76110b 1201 const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
359affde
MC		 1202 BIO *transport, BIO *next, BIO_ADDR *local,
1203 BIO_ADDR *peer, const OSSL_PARAM *settings,
9dd90232
MC		 1204 const OSSL_PARAM *options,
1205 const OSSL_DISPATCH *fns, void *cbarg,
8124ab56 1206 OSSL_RECORD_LAYER **retrl)
34a4068c
MC		 1207{
1208 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
e2d5742b
MC		 1209 const OSSL_PARAM *p;
1210
7c293999
MC		 1211 *retrl = NULL;
1212
e077455e 1213 if (rl == NULL)
7c293999 1214 return OSSL_RECORD_RETURN_FATAL;
e2d5742b 1215
7f2f0ac7 1216 /* Loop through all the settings since they must all be understood */
a16f9d33
MC		 1217 if (settings != NULL) {
1218 for (p = settings; p->key != NULL; p++) {
1219 if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) {
1220 if (!OSSL_PARAM_get_int(p, &rl->use_etm)) {
7b7ad9e5 1221 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
a16f9d33
MC		 1222 goto err;
1223 }
1224 } else if (strcmp(p->key,
1225 OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) {
1226 if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) {
7b7ad9e5 1227 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
a16f9d33
MC		 1228 goto err;
1229 }
1230 } else if (strcmp(p->key,
1231 OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) {
1232 if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) {
7b7ad9e5 1233 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
a16f9d33
MC		 1234 goto err;
1235 }
1236 } else if (strcmp(p->key,
1237 OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) {
1238 if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) {
7b7ad9e5 1239 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
a16f9d33
MC		 1240 goto err;
1241 }
1704961c
MC		 1242 } else if (strcmp(p->key,
1243 OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) {
a16f9d33 1244 if (!OSSL_PARAM_get_int(p, &rl->tlstree)) {
7b7ad9e5 1245 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
a16f9d33
MC		 1246 goto err;
1247 }
1248 } else {
7b7ad9e5 1249 ERR_raise(ERR_LIB_SSL, SSL_R_UNKNOWN_MANDATORY_PARAMETER);
8124ab56
MC		 1250 goto err;
1251 }
7f2f0ac7
MC		 1252 }
1253 }
1254
aedbb71b
MC		 1255 rl->libctx = libctx;
1256 rl->propq = propq;
1257
e2d5742b
MC		 1258 rl->version = vers;
1259 rl->role = role;
1260 rl->direction = direction;
9dd90232 1261 rl->level = level;
4030869d 1262
d3192c26
MC		 1263 rl->alert = SSL_AD_NO_ALERT;
1264
1853d20a 1265 if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
4030869d
MC		 1266 rl->is_first_record = 1;
1267
e2d5742b
MC		 1268 if (!tls_set1_bio(rl, transport))
1269 goto err;
1270
359affde
MC		 1271 if (prev != NULL && !BIO_up_ref(prev))
1272 goto err;
1273 rl->prev = prev;
1274
1275 if (next != NULL && !BIO_up_ref(next))
1276 goto err;
1277 rl->next = next;
1278
9dd90232 1279 rl->cbarg = cbarg;
a16f9d33
MC		 1280 if (fns != NULL) {
1281 for (; fns->function_id != 0; fns++) {
1282 switch (fns->function_id) {
1283 case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA:
1284 rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns);
1285 break;
1286 case OSSL_FUNC_RLAYER_MSG_CALLBACK:
1287 rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
1288 break;
1289 case OSSL_FUNC_RLAYER_SECURITY:
1290 rl->security = OSSL_FUNC_rlayer_security(fns);
1291 break;
5f95eb77
MC		 1292 case OSSL_FUNC_RLAYER_PADDING:
1293 rl->padding = OSSL_FUNC_rlayer_padding(fns);
a16f9d33
MC		 1294 default:
1295 /* Just ignore anything we don't understand */
1296 break;
1297 }
9dd90232
MC		 1298 }
1299 }
1300
4566dae7 1301 if (!tls_set_options(rl, options)) {
7b7ad9e5 1302 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
4566dae7
MC		 1303 goto err;
1304 }
1305
b9e4e783
MC		 1306 if ((rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0
1307 && rl->version <= TLS1_VERSION
1308 && !EVP_CIPHER_is_a(ciph, "NULL")
1309 && !EVP_CIPHER_is_a(ciph, "RC4")) {
1310 /*
1311 * Enable vulnerability countermeasure for CBC ciphers with known-IV
1312 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
1313 */
1314 rl->need_empty_fragments = 1;
1315 }
1316
7c293999
MC		 1317 *retrl = rl;
1318 return OSSL_RECORD_RETURN_SUCCESS;
cc110a0a 1319 err:
359affde 1320 tls_int_free(rl);
7c293999 1321 return OSSL_RECORD_RETURN_FATAL;
cc110a0a
MC		 1322}
1323
7c293999 1324static int
cc110a0a 1325tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
279754d4 1326 int role, int direction, int level, uint16_t epoch,
222cf410
MC		 1327 unsigned char *key, size_t keylen, unsigned char *iv,
1328 size_t ivlen, unsigned char *mackey, size_t mackeylen,
cc110a0a 1329 const EVP_CIPHER *ciph, size_t taglen,
cc110a0a 1330 int mactype,
1e76110b 1331 const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
359affde 1332 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
cc110a0a 1333 const OSSL_PARAM *settings, const OSSL_PARAM *options,
9dd90232 1334 const OSSL_DISPATCH *fns, void *cbarg,
8124ab56 1335 OSSL_RECORD_LAYER **retrl)
cc110a0a 1336{
7c293999 1337 int ret;
1704961c 1338
7c293999
MC		 1339 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
1340 key, keylen, iv, ivlen, mackey, mackeylen,
359affde
MC		 1341 ciph, taglen, mactype, md, comp, prev,
1342 transport, next, local, peer, settings,
8124ab56 1343 options, fns, cbarg, retrl);
cc110a0a 1344
7c293999
MC		 1345 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1346 return ret;
cc110a0a 1347
aedbb71b
MC		 1348 switch (vers) {
1349 case TLS_ANY_VERSION:
7c293999 1350 (*retrl)->funcs = &tls_any_funcs;
aedbb71b
MC		 1351 break;
1352 case TLS1_3_VERSION:
7c293999 1353 (*retrl)->funcs = &tls_1_3_funcs;
aedbb71b
MC		 1354 break;
1355 case TLS1_2_VERSION:
aedbb71b 1356 case TLS1_1_VERSION:
aedbb71b 1357 case TLS1_VERSION:
7c293999 1358 (*retrl)->funcs = &tls_1_funcs;
aedbb71b
MC		 1359 break;
1360 case SSL3_VERSION:
7c293999 1361 (*retrl)->funcs = &ssl_3_0_funcs;
aedbb71b
MC		 1362 break;
1363 default:
1364 /* Should not happen */
7c293999
MC		 1365 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
1366 ret = OSSL_RECORD_RETURN_FATAL;
aedbb71b
MC		 1367 goto err;
1368 }
1369
7c293999 1370 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
1704961c
MC		 1371 ivlen, mackey, mackeylen, ciph,
1372 taglen, mactype, md, comp);
aedbb71b 1373
e2d5742b 1374 err:
7c293999
MC		 1375 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
1376 OPENSSL_free(*retrl);
1377 *retrl = NULL;
1378 }
1379 return ret;
e2d5742b
MC		 1380}
1381
359affde 1382static void tls_int_free(OSSL_RECORD_LAYER *rl)
34a4068c 1383{
359affde 1384 BIO_free(rl->prev);
e2d5742b 1385 BIO_free(rl->bio);
359affde
MC		 1386 BIO_free(rl->next);
1387 SSL3_BUFFER_release(&rl->rbuf);
1388
151f313e
MC		 1389 tls_release_write_buffer(rl);
1390
6366bdd9
MC		 1391 EVP_CIPHER_CTX_free(rl->enc_ctx);
1392 EVP_MD_CTX_free(rl->md_ctx);
976b263d 1393#ifndef OPENSSL_NO_COMP
9251c3c4 1394 COMP_CTX_free(rl->compctx);
976b263d 1395#endif
359affde 1396
c77d4556
MC		 1397 if (rl->version == SSL3_VERSION)
1398 OPENSSL_cleanse(rl->mac_secret, sizeof(rl->mac_secret));
1399
6b5c7ef7
JC		 1400 SSL3_RECORD_release(rl->rrec, SSL_MAX_PIPELINES);
1401
34a4068c
MC		 1402 OPENSSL_free(rl);
1403}
1404
359affde
MC		 1405int tls_free(OSSL_RECORD_LAYER *rl)
1406{
1407 SSL3_BUFFER *rbuf;
1408 size_t left, written;
1409 int ret = 1;
1410
1411 rbuf = &rl->rbuf;
1412
1413 left = SSL3_BUFFER_get_left(rbuf);
1414 if (left > 0) {
1415 /*
1416 * This record layer is closing but we still have data left in our
1417 * buffer. It must be destined for the next epoch - so push it there.
1418 */
1419 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
1420 }
1421 tls_int_free(rl);
1422
1423 return ret;
1424}
1425
1853d20a 1426int tls_reset(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1427{
1428 memset(rl, 0, sizeof(*rl));
1429 return 1;
1430}
1431
1853d20a 1432int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
34a4068c 1433{
0755722c 1434 return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
34a4068c
MC		 1435}
1436
1853d20a 1437int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
34a4068c 1438{
4030869d 1439 return rl->curr_rec < rl->num_recs;
34a4068c
MC		 1440}
1441
1853d20a 1442size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
34a4068c 1443{
8bbf7ef6
MC		 1444 size_t i;
1445 size_t num = 0;
1446
1704961c 1447 for (i = rl->curr_rec; i < rl->num_recs; i++) {
8bbf7ef6
MC		 1448 if (rl->rrec[i].type != SSL3_RT_APPLICATION_DATA)
1449 return num;
1450 num += rl->rrec[i].length;
1451 }
1452 return num;
34a4068c
MC		 1453}
1454
1853d20a 1455int tls_write_pending(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1456{
1457 return 0;
1458}
1459
1853d20a 1460size_t tls_get_max_record_len(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1461{
1462 return 0;
1463}
1464
bafe524b
MC		 1465size_t tls_get_max_records_default(OSSL_RECORD_LAYER *rl, int type, size_t len,
1466 size_t maxfrag, size_t *preffrag)
34a4068c 1467{
c6186792
MC		 1468 /* TODO(RECLAYER): Remove me */
1469 SSL_CONNECTION *s = rl->cbarg;
1470
c6186792
MC		 1471 /*
1472 * TODO(RECLYAER): There is no test for the pipelining code. We should add
1473 * one.
1474 */
1475 /*
1476 * If we have a pipeline capable cipher, and we have been configured to use
1477 * it, then return the preferred number of pipelines.
1478 */
1479 if (rl->max_pipelines > 0
1480 && s->enc_write_ctx != NULL
1481 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx))
1482 & EVP_CIPH_FLAG_PIPELINE) != 0
1483 && RLAYER_USE_EXPLICIT_IV(rl)) {
1484 size_t pipes;
1485
1486 if (len == 0)
1487 return 1;
1488 pipes = ((len - 1) / *preffrag) + 1;
1489
1490 return (pipes < rl->max_pipelines) ? pipes : rl->max_pipelines;
1491 }
1492
02719d5c 1493 return 1;
34a4068c
MC		 1494}
1495
bafe524b
MC		 1496size_t tls_get_max_records(OSSL_RECORD_LAYER *rl, int type, size_t len,
1497 size_t maxfrag, size_t *preffrag)
23bf52a4 1498{
bafe524b 1499 return rl->funcs->get_max_records(rl, type, len, maxfrag, preffrag);
23bf52a4
MC		 1500}
1501
bafe524b
MC		 1502int tls_write_records_default(OSSL_RECORD_LAYER *rl,
1503 OSSL_RECORD_TEMPLATE *templates,
1504 size_t numtempl)
34a4068c 1505{
2b71b042
MC		 1506 WPACKET pkt[SSL_MAX_PIPELINES + 1];
1507 SSL3_RECORD wr[SSL_MAX_PIPELINES + 1];
1508 WPACKET *thispkt;
1509 SSL3_RECORD *thiswr;
1510 unsigned char *recordstart;
9251c3c4 1511 int mac_size = 0, ret = 0;
2b71b042
MC		 1512 size_t align = 0;
1513 SSL3_BUFFER *wb;
3c9ffd02 1514 size_t len, wpinited = 0;
2b71b042
MC		 1515 size_t j, prefix = 0;
1516 int using_ktls;
1517 /* TODO(RECLAYER): REMOVE ME */
1518 SSL_CONNECTION *s = rl->cbarg;
1519 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1520 OSSL_RECORD_TEMPLATE prefixtempl;
1521 OSSL_RECORD_TEMPLATE *thistempl;
1522
9251c3c4 1523 /*
a8572674 1524 * TODO(RECLAYER): Remove this once TLSv1.3/DTLS crypto has
9251c3c4
MC		 1525 * been moved to the new write record layer.
1526 */
a8572674 1527 if (rl->version == TLS1_3_VERSION
9251c3c4
MC		 1528 || rl->isdtls) {
1529 SSL_SESSION *sess = s->session;
1530
1531 if ((sess == NULL)
1532 || (s->enc_write_ctx == NULL)
1533 || (EVP_MD_CTX_get0_md(s->write_hash) == NULL)) {
1534 mac_size = 0;
1535 } else {
1536 mac_size = EVP_MD_CTX_get_size(s->write_hash);
1537 if (mac_size < 0) {
1538 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1539 goto err;
1540 }
1541 }
2b71b042 1542 } else {
9251c3c4
MC		 1543 if (rl->md_ctx != NULL && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
1544 mac_size = EVP_MD_CTX_get_size(rl->md_ctx);
1545 if (mac_size < 0) {
1546 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1547 goto err;
1548 }
2b71b042
MC		 1549 }
1550 }
9251c3c4 1551 /* Do we need to add an empty record prefix? */
b9e4e783 1552 prefix = rl->need_empty_fragments
2b71b042
MC		 1553 && templates[0].type == SSL3_RT_APPLICATION_DATA;
1554
23bf52a4 1555 /*
85b358b0
MC		 1556 * In the prefix case we can allocate a much smaller buffer. Otherwise we
1557 * just allocate the default buffer size
23bf52a4 1558 */
85b358b0
MC		 1559 if (!tls_setup_write_buffer(rl, numtempl + prefix,
1560 prefix ? MAX_PREFIX_LEN : 0, 0)) {
23bf52a4
MC		 1561 /* RLAYERfatal() already called */
1562 goto err;
2b71b042
MC		 1563 }
1564
b5cf81f7 1565 using_ktls = BIO_get_ktls_send(rl->bio);
2b71b042 1566 if (!ossl_assert(!using_ktls || !prefix)) {
320145d5 1567 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1568 goto err;
1569 }
1570
1571 if (prefix) {
1572 /*
1573 * countermeasure against known-IV weakness in CBC ciphersuites (see
1574 * http://www.openssl.org/~bodo/tls-cbc.txt)
1575 */
1576 prefixtempl.buf = NULL;
1d367677 1577 prefixtempl.version = templates[0].version;
2b71b042
MC		 1578 prefixtempl.buflen = 0;
1579 prefixtempl.type = SSL3_RT_APPLICATION_DATA;
1580 wpinited = 1;
1581
151f313e 1582 wb = &rl->wbuf[0];
4fed6ee1
MC		 1583#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
1584 align = (size_t)SSL3_BUFFER_get_buf(wb) + SSL3_RT_HEADER_LENGTH;
1585 align = SSL3_ALIGN_PAYLOAD - 1
1586 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
2b71b042
MC		 1587#endif
1588 SSL3_BUFFER_set_offset(wb, align);
1589 if (!WPACKET_init_static_len(&pkt[0], SSL3_BUFFER_get_buf(wb),
1590 SSL3_BUFFER_get_len(wb), 0)
1591 || !WPACKET_allocate_bytes(&pkt[0], align, NULL)) {
320145d5 1592 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1593 goto err;
1594 }
1595 wpinited = 1;
1596 }
1597 for (j = 0; j < numtempl; j++) {
1598 thispkt = &pkt[prefix + j];
1599
151f313e 1600 wb = &rl->wbuf[prefix + j];
2b71b042
MC		 1601 wb->type = templates[j].type;
1602
1603 if (using_ktls) {
1604 /*
1605 * ktls doesn't modify the buffer, but to avoid a warning we need
1606 * to discard the const qualifier.
1607 * This doesn't leak memory because the buffers have been
1608 * released when switching to ktls.
1609 */
1610 SSL3_BUFFER_set_buf(wb, (unsigned char *)templates[j].buf);
1611 SSL3_BUFFER_set_offset(wb, 0);
1612 SSL3_BUFFER_set_app_buffer(wb, 1);
1613 } else {
1614#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
1615 align = (size_t)SSL3_BUFFER_get_buf(wb) + SSL3_RT_HEADER_LENGTH;
1616 align = SSL3_ALIGN_PAYLOAD - 1
1617 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
1618#endif
2b71b042
MC		 1619 SSL3_BUFFER_set_offset(wb, align);
1620 if (!WPACKET_init_static_len(thispkt, SSL3_BUFFER_get_buf(wb),
1621 SSL3_BUFFER_get_len(wb), 0)
1622 || !WPACKET_allocate_bytes(thispkt, align, NULL)) {
320145d5 1623 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1624 goto err;
1625 }
1626 wpinited++;
1627 }
1628 }
1629
2b71b042
MC		 1630 /* Clear our SSL3_RECORD structures */
1631 memset(wr, 0, sizeof(wr));
1632 for (j = 0; j < numtempl + prefix; j++) {
2b71b042
MC		 1633 unsigned char *compressdata = NULL;
1634 size_t maxcomplen;
1635 unsigned int rectype;
1636
1637 thispkt = &pkt[j];
1638 thiswr = &wr[j];
1639 thistempl = (j == 0 && prefix == 1) ? &prefixtempl :
1640 &templates[j - prefix];
1641
1642 /*
1643 * In TLSv1.3, once encrypting, we always use application data for the
1644 * record type
1645 */
f2892e21 1646 if (rl->version == TLS1_3_VERSION
2b71b042
MC		 1647 && s->enc_write_ctx != NULL
1648 && (s->statem.enc_write_state != ENC_WRITE_STATE_WRITE_PLAIN_ALERTS
1649 || thistempl->type != SSL3_RT_ALERT))
1650 rectype = SSL3_RT_APPLICATION_DATA;
1651 else
1652 rectype = thistempl->type;
1653
1654 SSL3_RECORD_set_type(thiswr, rectype);
1d367677 1655 SSL3_RECORD_set_rec_version(thiswr, thistempl->version);
2b71b042
MC		 1656
1657 maxcomplen = thistempl->buflen;
9251c3c4 1658 if (rl->compctx != NULL)
2b71b042
MC		 1659 maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
1660
1661 /*
1662 * When using offload kernel will write the header.
1663 * Otherwise write the header now
1664 */
1665 if (!using_ktls
1666 && (!WPACKET_put_bytes_u8(thispkt, rectype)
1d367677 1667 || !WPACKET_put_bytes_u16(thispkt, thistempl->version)
2b71b042 1668 || !WPACKET_start_sub_packet_u16(thispkt)
9251c3c4
MC		 1669 || (rl->eivlen > 0
1670 && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL))
2b71b042
MC		 1671 || (maxcomplen > 0
1672 && !WPACKET_reserve_bytes(thispkt, maxcomplen,
1673 &compressdata)))) {
320145d5 1674 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1675 goto err;
1676 }
1677
1678 /* lets setup the record stuff. */
1679 SSL3_RECORD_set_data(thiswr, compressdata);
1680 SSL3_RECORD_set_length(thiswr, thistempl->buflen);
4fed6ee1 1681
2b71b042 1682 SSL3_RECORD_set_input(thiswr, (unsigned char *)thistempl->buf);
2b71b042
MC		 1683
1684 /*
1685 * we now 'read' from thiswr->input, thiswr->length bytes into
1686 * thiswr->data
1687 */
1688
1689 /* first we compress */
9251c3c4
MC		 1690 if (rl->compctx != NULL) {
1691 if (!tls_do_compress(rl, thiswr)
2b71b042 1692 || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) {
320145d5 1693 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE);
2b71b042
MC		 1694 goto err;
1695 }
1696 } else {
1697 if (using_ktls) {
1698 SSL3_RECORD_reset_data(&wr[j]);
1699 } else {
1700 if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) {
320145d5 1701 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1702 goto err;
1703 }
1704 SSL3_RECORD_reset_input(&wr[j]);
1705 }
1706 }
1707
f2892e21 1708 if (rl->version == TLS1_3_VERSION
2b71b042
MC		 1709 && !using_ktls
1710 && s->enc_write_ctx != NULL
1711 && (s->statem.enc_write_state != ENC_WRITE_STATE_WRITE_PLAIN_ALERTS
1712 || thistempl->type != SSL3_RT_ALERT)) {
1713 size_t rlen, max_send_fragment;
1714
1715 if (!WPACKET_put_bytes_u8(thispkt, thistempl->type)) {
320145d5 1716 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1717 goto err;
1718 }
1719 SSL3_RECORD_add_length(thiswr, 1);
1720
1721 /* Add TLS1.3 padding */
1722 max_send_fragment = ssl_get_max_send_fragment(s);
1723 rlen = SSL3_RECORD_get_length(thiswr);
1724 if (rlen < max_send_fragment) {
1725 size_t padding = 0;
1726 size_t max_padding = max_send_fragment - rlen;
5f95eb77
MC		 1727
1728 if (rl->padding != NULL) {
1729 padding = rl->padding(rl->cbarg, thistempl->type, rlen);
eb7d6c2a
MC		 1730 } else if (rl->block_padding > 0) {
1731 size_t mask = rl->block_padding - 1;
2b71b042
MC		 1732 size_t remainder;
1733
1734 /* optimize for power of 2 */
eb7d6c2a 1735 if ((rl->block_padding & mask) == 0)
2b71b042
MC		 1736 remainder = rlen & mask;
1737 else
eb7d6c2a 1738 remainder = rlen % rl->block_padding;
2b71b042
MC		 1739 /* don't want to add a block of padding if we don't have to */
1740 if (remainder == 0)
1741 padding = 0;
1742 else
eb7d6c2a 1743 padding = rl->block_padding - remainder;
2b71b042
MC		 1744 }
1745 if (padding > 0) {
1746 /* do not allow the record to exceed max plaintext length */
1747 if (padding > max_padding)
1748 padding = max_padding;
1749 if (!WPACKET_memset(thispkt, 0, padding)) {
320145d5
MC		 1750 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
1751 ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1752 goto err;
1753 }
1754 SSL3_RECORD_add_length(thiswr, padding);
1755 }
1756 }
1757 }
1758
1759 /*
1760 * we should still have the output to thiswr->data and the input from
1761 * wr->input. Length should be thiswr->length. thiswr->data still points
1762 * in the wb->buf
1763 */
1764
5361a5a9 1765 if (!using_ktls && !rl->use_etm && mac_size != 0) {
2b71b042
MC		 1766 unsigned char *mac;
1767
9251c3c4 1768 /*
a8572674 1769 * TODO(RECLAYER): Remove this once TLSv1.3/DTLS crypto has
9251c3c4
MC		 1770 * been moved to the new write record layer.
1771 */
a8572674 1772 if (rl->version == TLS1_3_VERSION
9251c3c4
MC		 1773 || rl->isdtls) {
1774 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
1775 || !ssl->method->ssl3_enc->mac(s, thiswr, mac, 1)) {
1776 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1777 goto err;
1778 }
1779 } else {
1780 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
1781 || !rl->funcs->mac(rl, thiswr, mac, 1)) {
1782 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1783 goto err;
1784 }
2b71b042
MC		 1785 }
1786 }
1787
1788 /*
1789 * Reserve some bytes for any growth that may occur during encryption.
1790 * This will be at most one cipher block or the tag length if using
1791 * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case.
1792 */
1793 if (!using_ktls) {
1794 if (!WPACKET_reserve_bytes(thispkt,
1795 SSL_RT_MAX_CIPHER_BLOCK_SIZE,
1796 NULL)
320145d5
MC		 1797 /*
1798 * We also need next the amount of bytes written to this
1799 * sub-packet
1800 */
1801 || !WPACKET_get_length(thispkt, &len)) {
1802 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1803 goto err;
2b71b042
MC		 1804 }
1805
1806 /* Get a pointer to the start of this record excluding header */
1807 recordstart = WPACKET_get_curr(thispkt) - len;
1808 SSL3_RECORD_set_data(thiswr, recordstart);
1809 SSL3_RECORD_reset_input(thiswr);
1810 SSL3_RECORD_set_length(thiswr, len);
1811 }
1812 }
1813
1814 if (s->statem.enc_write_state == ENC_WRITE_STATE_WRITE_PLAIN_ALERTS) {
1815 /*
1816 * We haven't actually negotiated the version yet, but we're trying to
1817 * send early data - so we need to use the tls13enc function.
1818 */
1819 if (tls13_enc(s, wr, numtempl, 1, NULL, mac_size) < 1) {
320145d5
MC		 1820 if (!ossl_statem_in_error(s))
1821 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1822 goto err;
1823 }
1824 } else {
1825 if (!using_ktls) {
1826 if (prefix) {
a8572674
MC		 1827 if (rl->funcs->cipher(rl, wr, 1, 1, NULL, mac_size) < 1) {
1828 if (!ossl_statem_in_error(s))
1829 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1830 goto err;
9251c3c4
MC		 1831 }
1832 }
1833 /*
a8572674 1834 * TODO(RECLAYER): Remove this once TLSv1.3/DTLS crypto has
9251c3c4
MC		 1835 * been moved to the new write record layer.
1836 */
a8572674 1837 if (rl->version == TLS1_3_VERSION
9251c3c4
MC		 1838 || rl->isdtls) {
1839 if (ssl->method->ssl3_enc->enc(s, wr + prefix, numtempl, 1, NULL,
1840 mac_size) < 1) {
1841 if (!ossl_statem_in_error(s))
1842 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1843 goto err;
1844 }
1845 } else {
1846 if (rl->funcs->cipher(rl, wr + prefix, numtempl, 1, NULL,
1847 mac_size) < 1) {
320145d5
MC		 1848 if (!ossl_statem_in_error(s))
1849 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1850 goto err;
1851 }
2b71b042
MC		 1852 }
1853 }
1854 }
1855
1856 for (j = 0; j < prefix + numtempl; j++) {
1857 size_t origlen;
1858
1859 thispkt = &pkt[j];
1860 thiswr = &wr[j];
1861 thistempl = (prefix == 1 && j == 0) ? &prefixtempl
1862 : &templates[j - prefix];
1863
1864 if (using_ktls)
1865 goto mac_done;
1866
1867 /* Allocate bytes for the encryption overhead */
1868 if (!WPACKET_get_length(thispkt, &origlen)
1869 /* Encryption should never shrink the data! */
1870 || origlen > thiswr->length
1871 || (thiswr->length > origlen
1872 && !WPACKET_allocate_bytes(thispkt,
1873 thiswr->length - origlen,
1874 NULL))) {
320145d5 1875 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1876 goto err;
1877 }
5361a5a9 1878 if (rl->use_etm && mac_size != 0) {
2b71b042
MC		 1879 unsigned char *mac;
1880
9251c3c4 1881 /*
a8572674 1882 * TODO(RECLAYER): Remove this once TLSv1.3/DTLS crypto has
9251c3c4
MC		 1883 * been moved to the new write record layer.
1884 */
a8572674 1885 if (rl->version == TLS1_3_VERSION
9251c3c4
MC		 1886 || rl->isdtls) {
1887 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
1888 || !ssl->method->ssl3_enc->mac(s, thiswr, mac, 1)) {
1889 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1890 goto err;
1891 }
1892 } else {
1893 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
1894 || !rl->funcs->mac(rl, thiswr, mac, 1)) {
1895 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1896 goto err;
1897 }
2b71b042 1898 }
9251c3c4 1899
2b71b042
MC		 1900 SSL3_RECORD_add_length(thiswr, mac_size);
1901 }
1902
1903 if (!WPACKET_get_length(thispkt, &len)
1904 || !WPACKET_close(thispkt)) {
320145d5 1905 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1906 goto err;
1907 }
1908
31059013 1909 if (rl->msg_callback) {
2b71b042
MC		 1910 recordstart = WPACKET_get_curr(thispkt) - len
1911 - SSL3_RT_HEADER_LENGTH;
31059013
MC		 1912 rl->msg_callback(1, thiswr->rec_version, SSL3_RT_HEADER, recordstart,
1913 SSL3_RT_HEADER_LENGTH, rl->cbarg);
2b71b042 1914
f2892e21 1915 if (rl->version == TLS1_3_VERSION && s->enc_write_ctx != NULL) {
2b71b042
MC		 1916 unsigned char ctype = thistempl->type;
1917
31059013
MC		 1918 rl->msg_callback(1, thiswr->rec_version, SSL3_RT_INNER_CONTENT_TYPE,
1919 &ctype, 1, rl->cbarg);
2b71b042
MC		 1920 }
1921 }
1922
1923 if (!WPACKET_finish(thispkt)) {
320145d5 1924 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2b71b042
MC		 1925 goto err;
1926 }
1927
1928 /* header is added by the kernel when using offload */
1929 SSL3_RECORD_add_length(thiswr, SSL3_RT_HEADER_LENGTH);
1930
1931 mac_done:
1932 /*
1933 * we should now have thiswr->data pointing to the encrypted data, which
1934 * is thiswr->length long.
1935 * Setting the type is not needed but helps for debugging
1936 */
1937 SSL3_RECORD_set_type(thiswr, thistempl->type);
1938
1939 /* now let's set up wb */
151f313e 1940 SSL3_BUFFER_set_left(&rl->wbuf[j], SSL3_RECORD_get_length(thiswr));
2b71b042
MC		 1941 }
1942
23bf52a4 1943 ret = 1;
2b71b042
MC		 1944 err:
1945 for (j = 0; j < wpinited; j++)
1946 WPACKET_cleanup(&pkt[j]);
23bf52a4
MC		 1947 return ret;
1948}
1949
1950int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates,
1951 size_t numtempl)
1952{
23bf52a4
MC		 1953 /* Check we don't have pending data waiting to write */
1954 if (!ossl_assert(rl->nextwbuf >= rl->numwpipes
1955 || SSL3_BUFFER_get_left(&rl->wbuf[rl->nextwbuf]) == 0)) {
1956 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1957 return OSSL_RECORD_RETURN_FATAL;
1958 }
1959
bafe524b 1960 if (!rl->funcs->write_records(rl, templates, numtempl)) {
23bf52a4
MC		 1961 /* RLAYERfatal already called */
1962 return OSSL_RECORD_RETURN_FATAL;
1963 }
23bf52a4
MC		 1964
1965 rl->nextwbuf = 0;
1966 /* we now just need to write the buffers */
1967 return tls_retry_write_records(rl);
34a4068c
MC		 1968}
1969
2b71b042 1970int tls_retry_write_records(OSSL_RECORD_LAYER *rl)
34a4068c 1971{
320145d5 1972 int i, ret;
2b71b042 1973 SSL3_BUFFER *thiswb;
2b71b042 1974 size_t tmpwrit = 0;
2b71b042 1975
e7694c69 1976 if (rl->nextwbuf >= rl->numwpipes)
320145d5 1977 return OSSL_RECORD_RETURN_SUCCESS;
151f313e 1978
2b71b042 1979 for (;;) {
151f313e
MC		 1980 thiswb = &rl->wbuf[rl->nextwbuf];
1981
2b71b042 1982 clear_sys_error();
b5cf81f7 1983 if (rl->bio != NULL) {
2b71b042
MC		 1984 /*
1985 * To prevent coalescing of control and data messages,
1986 * such as in buffer_write, we flush the BIO
1987 */
b5cf81f7 1988 if (BIO_get_ktls_send(rl->bio)
2b71b042 1989 && thiswb->type != SSL3_RT_APPLICATION_DATA) {
b5cf81f7 1990 i = BIO_flush(rl->bio);
320145d5
MC		 1991 if (i <= 0) {
1992 if (BIO_should_retry(rl->bio))
1993 ret = OSSL_RECORD_RETURN_RETRY;
1994 else
1995 ret = OSSL_RECORD_RETURN_FATAL;
1996 return ret;
1997 }
b5cf81f7 1998 BIO_set_ktls_ctrl_msg(rl->bio, thiswb->type);
2b71b042 1999 }
b5cf81f7 2000 i = BIO_write(rl->bio, (char *)
2b71b042
MC		 2001 &(SSL3_BUFFER_get_buf(thiswb)
2002 [SSL3_BUFFER_get_offset(thiswb)]),
2003 (unsigned int)SSL3_BUFFER_get_left(thiswb));
320145d5 2004 if (i >= 0) {
2b71b042 2005 tmpwrit = i;
320145d5
MC		 2006 if (i == 0 && BIO_should_retry(rl->bio))
2007 ret = OSSL_RECORD_RETURN_RETRY;
2008 else
2009 ret = OSSL_RECORD_RETURN_SUCCESS;
2010 } else {
2011 if (BIO_should_retry(rl->bio))
2012 ret = OSSL_RECORD_RETURN_RETRY;
2013 else
2014 ret = OSSL_RECORD_RETURN_FATAL;
2015 }
2b71b042 2016 } else {
320145d5
MC		 2017 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET);
2018 ret = OSSL_RECORD_RETURN_FATAL;
2b71b042
MC		 2019 i = -1;
2020 }
2021
2022 /*
2023 * When an empty fragment is sent on a connection using KTLS,
2024 * it is sent as a write of zero bytes. If this zero byte
2025 * write succeeds, i will be 0 rather than a non-zero value.
2026 * Treat i == 0 as success rather than an error for zero byte
2027 * writes to permit this case.
2028 */
2029 if (i >= 0 && tmpwrit == SSL3_BUFFER_get_left(thiswb)) {
2030 SSL3_BUFFER_set_left(thiswb, 0);
2031 SSL3_BUFFER_add_offset(thiswb, tmpwrit);
e7694c69 2032 if (++(rl->nextwbuf) < rl->numwpipes)
2b71b042 2033 continue;
151f313e 2034
e7694c69 2035 if (rl->nextwbuf == rl->numwpipes
151f313e
MC		 2036 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
2037 tls_release_write_buffer(rl);
320145d5 2038 return OSSL_RECORD_RETURN_SUCCESS;
2b71b042 2039 } else if (i <= 0) {
5361a5a9 2040 if (rl->isdtls) {
2b71b042
MC		 2041 /*
2042 * For DTLS, just drop it. That's kind of the whole point in
2043 * using a datagram service
2044 */
2045 SSL3_BUFFER_set_left(thiswb, 0);
e7694c69 2046 if (++(rl->nextwbuf) == rl->numwpipes
151f313e
MC		 2047 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
2048 tls_release_write_buffer(rl);
2049
2b71b042 2050 }
320145d5 2051 return ret;
2b71b042
MC		 2052 }
2053 SSL3_BUFFER_add_offset(thiswb, tmpwrit);
2054 SSL3_BUFFER_sub_left(thiswb, tmpwrit);
2055 }
34a4068c
MC		 2056}
2057
1853d20a 2058int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 2059{
2060 return rl->alert;
2061}
2062
1853d20a 2063int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
e2d5742b
MC		 2064{
2065 if (bio != NULL && !BIO_up_ref(bio))
2066 return 0;
2067 BIO_free(rl->bio);
2068 rl->bio = bio;
2069
2070 return 1;
2071}
2072
1853d20a
MC		 2073/* Shared by most methods except tlsany_meth */
2074int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
2075{
2076 if (rl->version != version)
2077 return 0;
2078
2079 return 1;
2080}
2081
2082int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
2083{
2084 return rl->funcs->set_protocol_version(rl, version);
2085}
2086
2087void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
2088{
2089 rl->allow_plain_alerts = allow;
2090}
2091
2092void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
2093{
2094 rl->is_first_handshake = first;
2095}
2096
8124ab56
MC		 2097void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
2098{
2099 rl->max_pipelines = max_pipelines;
2100 if (max_pipelines > 1)
2101 rl->read_ahead = 1;
2102}
2103
d0b17ea0
MC		 2104void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
2105 const char **longstr)
2106{
2107 const char *shrt, *lng;
1704961c 2108
d0b17ea0
MC		 2109 switch (rl->rstate) {
2110 case SSL_ST_READ_HEADER:
2111 shrt = "RH";
2112 lng = "read header";
2113 break;
2114 case SSL_ST_READ_BODY:
2115 shrt = "RB";
2116 lng = "read body";
2117 break;
2118 default:
2119 shrt = lng = "unknown";
2120 break;
2121 }
2122 if (shortstr != NULL)
2123 *shortstr = shrt;
2124 if (longstr != NULL)
2125 *longstr = lng;
2126}
2127
1e76110b
MC		 2128const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl)
2129{
2130#ifndef OPENSSL_NO_COMP
2131 return (rl->compctx == NULL) ? NULL : COMP_CTX_get_method(rl->compctx);
2132#else
2133 return NULL;
2134#endif
2135}
2136
34a4068c
MC		 2137const OSSL_RECORD_METHOD ossl_tls_record_method = {
2138 tls_new_record_layer,
2139 tls_free,
2140 tls_reset,
2141 tls_unprocessed_read_pending,
2142 tls_processed_read_pending,
2143 tls_app_data_pending,
2144 tls_write_pending,
2145 tls_get_max_record_len,
2146 tls_get_max_records,
2b71b042
MC		 2147 tls_write_records,
2148 tls_retry_write_records,
34a4068c 2149 tls_read_record,
e2d5742b
MC		 2150 tls_release_record,
2151 tls_get_alert_code,
2152 tls_set1_bio,
1853d20a
MC		 2153 tls_set_protocol_version,
2154 tls_set_plain_alerts,
2155 tls_set_first_handshake,
8124ab56 2156 tls_set_max_pipelines,
d0b17ea0 2157 NULL,
4566dae7 2158 tls_get_state,
1e76110b
MC		 2159 tls_set_options,
2160 tls_get_compression
cc110a0a 2161};
A mirror of the official openssl repository