]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/record/methods/tls_common.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Move tls_pad.c into ssl/record/methods
[thirdparty/openssl.git] / ssl / record / methods / tls_common.c
CommitLineData
34a4068c
MC		 1/*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
1d367677 10#include <assert.h>
34a4068c
MC		 11#include <openssl/bio.h>
12#include <openssl/ssl.h>
e2d5742b
MC		 13#include <openssl/err.h>
14#include <openssl/core_names.h>
1e76110b 15#include <openssl/comp.h>
91fe8ff0 16#include <openssl/ssl.h>
e2d5742b 17#include "internal/e_os.h"
4030869d 18#include "internal/packet.h"
4840c2a5
MC		 19#include "../../ssl_local.h"
20#include "../record_local.h"
50023e9b 21#include "recmethod_local.h"
e2d5742b 22
359affde
MC		 23static void tls_int_free(OSSL_RECORD_LAYER *rl);
24
e158ada6
MC		 25void SSL3_BUFFER_release(SSL3_BUFFER *b)
26{
27 OPENSSL_free(b->buf);
28 b->buf = NULL;
29}
30
50023e9b
MC		 31void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
32 const char *fmt, ...)
e2d5742b
MC		 33{
34 va_list args;
35
36 va_start(args, fmt);
37 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
38 va_end(args);
39
40 rl->alert = al;
41}
42
50023e9b
MC		 43int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
44 EVP_CIPHER_CTX *ctx,
45 const EVP_CIPHER *ciph,
7f2f0ac7 46 const EVP_MD *md)
aedbb71b
MC		 47{
48 /*
49 * Provided cipher, the TLS padding/MAC removal is performed provider
50 * side so we need to tell the ctx about our TLS version and mac size
51 */
52 OSSL_PARAM params[3], *pprm = params;
53 size_t macsize = 0;
54 int imacsize = -1;
55
56 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
7f2f0ac7 57 && !rl->use_etm)
aedbb71b
MC		 58 imacsize = EVP_MD_get_size(md);
59 if (imacsize >= 0)
60 macsize = (size_t)imacsize;
61
62 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
63 &rl->version);
64 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
65 &macsize);
66 *pprm = OSSL_PARAM_construct_end();
67
68 if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
7c293999 69 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
aedbb71b
MC		 70 return 0;
71 }
72
73 return 1;
74}
75
50023e9b
MC		 76/*
77 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
78 * which ssl3_cbc_digest_record supports.
aedbb71b 79 */
50023e9b 80char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
2b891e30 81{
50023e9b
MC		 82 switch (EVP_MD_CTX_get_type(ctx)) {
83 case NID_md5:
84 case NID_sha1:
85 case NID_sha224:
86 case NID_sha256:
87 case NID_sha384:
88 case NID_sha512:
2b891e30 89 return 1;
50023e9b 90 default:
aedbb71b 91 return 0;
aedbb71b 92 }
aedbb71b
MC		 93}
94
976b263d 95#ifndef OPENSSL_NO_COMP
9b7fb65e 96static int tls_allow_compression(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 97{
98 if (rl->options & SSL_OP_NO_COMPRESSION)
99 return 0;
ed0e298f 100
b85ebc4b
MC		 101 return rl->security == NULL
102 || rl->security(rl->cbarg, SSL_SECOP_COMPRESSION, 0, 0, NULL);
e2d5742b 103}
976b263d 104#endif
e2d5742b 105
23bf52a4
MC		 106static void tls_release_write_buffer_int(OSSL_RECORD_LAYER *rl, size_t start)
107{
108 SSL3_BUFFER *wb;
109 size_t pipes;
110
111 pipes = rl->numwpipes;
112
113 while (pipes > start) {
114 wb = &rl->wbuf[pipes - 1];
115
116 if (SSL3_BUFFER_is_app_buffer(wb))
117 SSL3_BUFFER_set_app_buffer(wb, 0);
118 else
119 OPENSSL_free(wb->buf);
120 wb->buf = NULL;
121 pipes--;
122 }
123}
124
bafe524b
MC		 125int tls_setup_write_buffer(OSSL_RECORD_LAYER *rl, size_t numwpipes,
126 size_t firstlen, size_t nextlen)
151f313e
MC		 127{
128 unsigned char *p;
129 size_t align = 0, headerlen;
130 SSL3_BUFFER *wb;
131 size_t currpipe;
85b358b0 132 size_t defltlen = 0;
151f313e 133
85b358b0 134 if (firstlen == 0 || (numwpipes > 1 && nextlen == 0)) {
320145d5 135 if (rl->isdtls)
151f313e
MC		 136 headerlen = DTLS1_RT_HEADER_LENGTH + 1;
137 else
138 headerlen = SSL3_RT_HEADER_LENGTH;
139
85b358b0 140#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
151f313e
MC		 141 align = SSL3_ALIGN_PAYLOAD - 1;
142#endif
143
435d88d7
MC		 144 defltlen = rl->max_frag_len + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
145 + headerlen + align;
151f313e 146#ifndef OPENSSL_NO_COMP
9251c3c4 147 if (tls_allow_compression(rl))
85b358b0 148 defltlen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
151f313e
MC		 149#endif
150 if (!(rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
85b358b0 151 defltlen += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
151f313e
MC		 152 }
153
154 wb = rl->wbuf;
155 for (currpipe = 0; currpipe < numwpipes; currpipe++) {
156 SSL3_BUFFER *thiswb = &wb[currpipe];
85b358b0
MC		 157 size_t len = (currpipe == 0) ? firstlen : nextlen;
158
159 if (len == 0)
160 len = defltlen;
151f313e
MC		 161
162 if (thiswb->len != len) {
163 OPENSSL_free(thiswb->buf);
164 thiswb->buf = NULL; /* force reallocation */
165 }
166
5bc226ab
MC		 167 p = thiswb->buf;
168 if (p == NULL) {
169 p = OPENSSL_malloc(len);
170 if (p == NULL) {
171 if (rl->numwpipes < currpipe)
172 rl->numwpipes = currpipe;
173 /*
174 * We've got a malloc failure, and we're still initialising
175 * buffers. We assume we're so doomed that we won't even be able
176 * to send an alert.
177 */
178 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
179 return 0;
151f313e 180 }
151f313e 181 }
5bc226ab
MC		 182 memset(thiswb, 0, sizeof(SSL3_BUFFER));
183 thiswb->buf = p;
184 thiswb->len = len;
151f313e
MC		 185 }
186
23bf52a4
MC		 187 /* Free any previously allocated buffers that we are no longer using */
188 tls_release_write_buffer_int(rl, currpipe);
189
190 rl->numwpipes = numwpipes;
191
151f313e
MC		 192 return 1;
193}
194
195static void tls_release_write_buffer(OSSL_RECORD_LAYER *rl)
196{
23bf52a4 197 tls_release_write_buffer_int(rl, 0);
e7694c69
MC		 198
199 rl->numwpipes = 0;
151f313e
MC		 200}
201
9b7fb65e 202int tls_setup_read_buffer(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 203{
204 unsigned char *p;
205 size_t len, align = 0, headerlen;
206 SSL3_BUFFER *b;
207
208 b = &rl->rbuf;
209
210 if (rl->isdtls)
211 headerlen = DTLS1_RT_HEADER_LENGTH;
212 else
213 headerlen = SSL3_RT_HEADER_LENGTH;
214
1704961c 215#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
e2d5742b
MC		 216 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
217#endif
218
219 if (b->buf == NULL) {
435d88d7
MC		 220 len = rl->max_frag_len
221 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
e2d5742b 222#ifndef OPENSSL_NO_COMP
9b7fb65e 223 if (tls_allow_compression(rl))
e2d5742b
MC		 224 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
225#endif
8ccde3fc
MC		 226
227 /* Ensure our buffer is large enough to support all our pipelines */
228 if (rl->max_pipelines > 1)
229 len *= rl->max_pipelines;
230
e2d5742b
MC		 231 if (b->default_len > len)
232 len = b->default_len;
8ccde3fc 233
e2d5742b
MC		 234 if ((p = OPENSSL_malloc(len)) == NULL) {
235 /*
236 * We've got a malloc failure, and we're still initialising buffers.
237 * We assume we're so doomed that we won't even be able to send an
238 * alert.
239 */
e077455e 240 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
e2d5742b
MC		 241 return 0;
242 }
243 b->buf = p;
244 b->len = len;
245 }
246
247 return 1;
248}
249
9b7fb65e 250static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 251{
252 SSL3_BUFFER *b;
253
254 b = &rl->rbuf;
1704961c 255 if ((rl->options & SSL_OP_CLEANSE_PLAINTEXT) != 0)
e2d5742b
MC		 256 OPENSSL_cleanse(b->buf, b->len);
257 OPENSSL_free(b->buf);
258 b->buf = NULL;
259 return 1;
260}
261
262/*
263 * Return values are as per SSL_read()
264 */
1853d20a
MC		 265int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
266 int clearold, size_t *readbytes)
e2d5742b
MC		 267{
268 /*
269 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
270 * packet by another n bytes. The packet will be in the sub-array of
b0a9042e
MC		 271 * rl->rbuf.buf specified by rl->packet and rl->packet_length. (If
272 * rl->read_ahead is set, 'max' bytes may be stored in rbuf [plus
273 * rl->packet_length bytes if extend == 1].) if clearold == 1, move the
274 * packet to the start of the buffer; if clearold == 0 then leave any old
275 * packets where they were
e2d5742b
MC		 276 */
277 size_t len, left, align = 0;
278 unsigned char *pkt;
279 SSL3_BUFFER *rb;
280
281 if (n == 0)
282 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
283
284 rb = &rl->rbuf;
e2d5742b
MC		 285 left = rb->left;
286#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
287 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
288 align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
289#endif
290
291 if (!extend) {
292 /* start with empty packet ... */
8ccde3fc 293 if (left == 0)
e2d5742b 294 rb->offset = align;
8ccde3fc 295
e2d5742b
MC		 296 rl->packet = rb->buf + rb->offset;
297 rl->packet_length = 0;
298 /* ... now we can act as if 'extend' was set */
299 }
300
301 len = rl->packet_length;
302 pkt = rb->buf + align;
303 /*
304 * Move any available bytes to front of buffer: 'len' bytes already
305 * pointed to by 'packet', 'left' extra ones at the end
306 */
307 if (rl->packet != pkt && clearold == 1) {
308 memmove(pkt, rl->packet, len + left);
309 rl->packet = pkt;
310 rb->offset = len + align;
311 }
312
313 /*
314 * For DTLS/UDP reads should not span multiple packets because the read
315 * operation returns the whole packet at once (as long as it fits into
316 * the buffer).
317 */
318 if (rl->isdtls) {
f78c5199
MC		 319 if (left == 0 && extend) {
320 /*
321 * We received a record with a header but no body data. This will
322 * get dumped.
323 */
324 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
325 }
e2d5742b
MC		 326 if (left > 0 && n > left)
327 n = left;
328 }
329
330 /* if there is enough in the buffer from a previous read, take some */
331 if (left >= n) {
332 rl->packet_length += n;
333 rb->left = left - n;
334 rb->offset += n;
335 *readbytes = n;
336 return OSSL_RECORD_RETURN_SUCCESS;
337 }
338
339 /* else we need to read more data */
340
341 if (n > rb->len - rb->offset) {
342 /* does not happen */
343 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
344 return OSSL_RECORD_RETURN_FATAL;
345 }
346
1853d20a
MC		 347 /* We always act like read_ahead is set for DTLS */
348 if (!rl->read_ahead && !rl->isdtls) {
e2d5742b
MC		 349 /* ignore max parameter */
350 max = n;
351 } else {
352 if (max < n)
353 max = n;
354 if (max > rb->len - rb->offset)
355 max = rb->len - rb->offset;
356 }
357
358 while (left < n) {
359 size_t bioread = 0;
360 int ret;
359affde 361 BIO *bio = rl->prev != NULL ? rl->prev : rl->bio;
e2d5742b
MC		 362
363 /*
1704961c
MC		 364 * Now we have len+left bytes at the front of rl->rbuf.buf and
365 * need to read in more until we have len + n (up to len + max if
e2d5742b
MC		 366 * possible)
367 */
368
369 clear_sys_error();
359affde
MC		 370 if (bio != NULL) {
371 ret = BIO_read(bio, pkt + len + left, max - left);
e2d5742b
MC		 372 if (ret > 0) {
373 bioread = ret;
374 ret = OSSL_RECORD_RETURN_SUCCESS;
359affde
MC		 375 } else if (BIO_should_retry(bio)) {
376 if (rl->prev != NULL) {
377 /*
378 * We were reading from the previous epoch. Now there is no
379 * more data, so swap to the actual transport BIO
380 */
381 BIO_free(rl->prev);
382 rl->prev = NULL;
383 continue;
384 }
e2d5742b 385 ret = OSSL_RECORD_RETURN_RETRY;
359affde 386 } else if (BIO_eof(bio)) {
e2d5742b
MC		 387 ret = OSSL_RECORD_RETURN_EOF;
388 } else {
389 ret = OSSL_RECORD_RETURN_FATAL;
390 }
391 } else {
392 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
393 ret = OSSL_RECORD_RETURN_FATAL;
394 }
395
396 if (ret <= OSSL_RECORD_RETURN_RETRY) {
397 rb->left = left;
3de76959 398 if ((rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0 && !rl->isdtls)
e2d5742b 399 if (len + left == 0)
9b7fb65e 400 tls_release_read_buffer(rl);
e2d5742b
MC		 401 return ret;
402 }
403 left += bioread;
404 /*
405 * reads should *never* span multiple packets for DTLS because the
406 * underlying transport protocol is message oriented as opposed to
407 * byte oriented as in the TLS case.
408 */
409 if (rl->isdtls) {
410 if (n > left)
411 n = left; /* makes the while condition false */
412 }
413 }
414
415 /* done reading, now the book-keeping */
416 rb->offset += n;
417 rb->left = left - n;
418 rl->packet_length += n;
419 *readbytes = n;
420 return OSSL_RECORD_RETURN_SUCCESS;
421}
422
4030869d
MC		 423/*
424 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
425 * for us in the buffer.
426 */
427static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
428{
429 SSL3_BUFFER *rbuf;
430 size_t left, len;
431 unsigned char *p;
432
433 rbuf = &rl->rbuf;
434
435 p = SSL3_BUFFER_get_buf(rbuf);
436 if (p == NULL)
437 return 0;
438
439 left = SSL3_BUFFER_get_left(rbuf);
440
441 if (left < SSL3_RT_HEADER_LENGTH)
442 return 0;
443
444 p += SSL3_BUFFER_get_offset(rbuf);
445
446 /*
447 * We only check the type and record length, we will sanity check version
448 * etc later
449 */
450 if (*p != SSL3_RT_APPLICATION_DATA)
451 return 0;
452
453 p += 3;
454 n2s(p, len);
455
456 if (left < SSL3_RT_HEADER_LENGTH + len)
457 return 0;
458
459 return 1;
460}
461
9dd90232
MC		 462static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length,
463 size_t overhead, int send)
464{
465 uint32_t max_early_data = rl->max_early_data;
466
467 if (max_early_data == 0) {
468 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
1704961c 469 SSL_R_TOO_MUCH_EARLY_DATA);
9dd90232
MC		 470 return 0;
471 }
472
473 /* If we are dealing with ciphertext we need to allow for the overhead */
474 max_early_data += overhead;
475
476 if (rl->early_data_count + length > max_early_data) {
477 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
1704961c 478 SSL_R_TOO_MUCH_EARLY_DATA);
9dd90232
MC		 479 return 0;
480 }
481 rl->early_data_count += length;
482
483 return 1;
484}
485
4030869d
MC		 486/*
487 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
1704961c 488 * will be processed per call to tls_get_more_records. Without this limit an
4030869d 489 * attacker could send empty records at a faster rate than we can process and
1704961c 490 * cause tls_get_more_records to loop forever.
4030869d
MC		 491 */
492#define MAX_EMPTY_RECORDS 32
493
494#define SSL2_RT_HEADER_LENGTH 2
495
496/*-
497 * Call this to buffer new input records in rl->rrec.
498 * It will return a OSSL_RECORD_RETURN_* value.
499 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
500 * records have been decoded. For each record 'i':
501 * rrec[i].type - is the type of record
502 * rrec[i].data, - data
503 * rrec[i].length, - number of bytes
504 * Multiple records will only be returned if the record types are all
505 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
506 * |max_pipelines|
507 */
eddb067e 508int tls_get_more_records(OSSL_RECORD_LAYER *rl)
4030869d
MC		 509{
510 int enc_err, rret;
511 int i;
512 size_t more, n;
513 SSL3_RECORD *rr, *thisrr;
514 SSL3_BUFFER *rbuf;
4030869d
MC		 515 unsigned char *p;
516 unsigned char md[EVP_MAX_MD_SIZE];
517 unsigned int version;
518 size_t mac_size = 0;
519 int imac_size;
520 size_t num_recs = 0, max_recs, j;
521 PACKET pkt, sslv2pkt;
4030869d
MC		 522 SSL_MAC_BUF *macbufs = NULL;
523 int ret = OSSL_RECORD_RETURN_FATAL;
4030869d
MC		 524
525 rr = rl->rrec;
526 rbuf = &rl->rbuf;
cc110a0a 527 if (rbuf->buf == NULL) {
9b7fb65e 528 if (!tls_setup_read_buffer(rl)) {
cc110a0a
MC		 529 /* RLAYERfatal() already called */
530 return OSSL_RECORD_RETURN_FATAL;
531 }
532 }
4030869d 533
8124ab56
MC		 534 max_recs = rl->max_pipelines;
535
4030869d
MC		 536 if (max_recs == 0)
537 max_recs = 1;
4030869d 538
4030869d
MC		 539 do {
540 thisrr = &rr[num_recs];
541
542 /* check if we have the header */
543 if ((rl->rstate != SSL_ST_READ_BODY) ||
544 (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
545 size_t sslv2len;
546 unsigned int type;
547
1853d20a
MC		 548 rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH,
549 SSL3_BUFFER_get_len(rbuf), 0,
550 num_recs == 0 ? 1 : 0, &n);
551
552 if (rret < OSSL_RECORD_RETURN_SUCCESS)
553 return rret; /* error or non-blocking */
554
4030869d
MC		 555 rl->rstate = SSL_ST_READ_BODY;
556
557 p = rl->packet;
558 if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
559 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
560 return OSSL_RECORD_RETURN_FATAL;
561 }
562 sslv2pkt = pkt;
563 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
564 || !PACKET_get_1(&sslv2pkt, &type)) {
565 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
566 return OSSL_RECORD_RETURN_FATAL;
567 }
568 /*
569 * The first record received by the server may be a V2ClientHello.
570 */
571 if (rl->role == OSSL_RECORD_ROLE_SERVER
572 && rl->is_first_record
573 && (sslv2len & 0x8000) != 0
574 && (type == SSL2_MT_CLIENT_HELLO)) {
575 /*
576 * SSLv2 style record
577 *
578 * |num_recs| here will actually always be 0 because
579 * |num_recs > 0| only ever occurs when we are processing
580 * multiple app data records - which we know isn't the case here
581 * because it is an SSLv2ClientHello. We keep it using
582 * |num_recs| for the sake of consistency
583 */
584 thisrr->type = SSL3_RT_HANDSHAKE;
585 thisrr->rec_version = SSL2_VERSION;
586
587 thisrr->length = sslv2len & 0x7fff;
588
589 if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
1704961c 590 - SSL2_RT_HEADER_LENGTH) {
4030869d
MC		 591 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
592 SSL_R_PACKET_LENGTH_TOO_LONG);
593 return OSSL_RECORD_RETURN_FATAL;
594 }
4030869d
MC		 595 } else {
596 /* SSLv3+ style record */
597
598 /* Pull apart the header into the SSL3_RECORD */
599 if (!PACKET_get_1(&pkt, &type)
600 || !PACKET_get_net_2(&pkt, &version)
601 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
b85ebc4b
MC		 602 if (rl->msg_callback != NULL)
603 rl->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, rl->cbarg);
4030869d
MC		 604 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
605 return OSSL_RECORD_RETURN_FATAL;
606 }
607 thisrr->type = type;
608 thisrr->rec_version = version;
609
014baa8a
MC		 610 /*
611 * When we call validate_record_header() only records actually
612 * received in SSLv2 format should have the record version set
613 * to SSL2_VERSION. This way validate_record_header() can know
614 * what format the record was in based on the version.
615 */
616 if (thisrr->rec_version == SSL2_VERSION) {
617 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
618 SSL_R_WRONG_VERSION_NUMBER);
619 return OSSL_RECORD_RETURN_FATAL;
620 }
621
b85ebc4b
MC		 622 if (rl->msg_callback != NULL)
623 rl->msg_callback(0, version, SSL3_RT_HEADER, p, 5, rl->cbarg);
4030869d 624
4030869d
MC		 625 if (thisrr->length >
626 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
627 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
628 SSL_R_PACKET_LENGTH_TOO_LONG);
629 return OSSL_RECORD_RETURN_FATAL;
630 }
631 }
632
1853d20a
MC		 633 if (!rl->funcs->validate_record_header(rl, thisrr)) {
634 /* RLAYERfatal already called */
4030869d
MC		 635 return OSSL_RECORD_RETURN_FATAL;
636 }
4030869d 637
1853d20a 638 /* now rl->rstate == SSL_ST_READ_BODY */
4030869d
MC		 639 }
640
641 /*
642 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
643 * how much more data we need to read for the rest of the record
644 */
645 if (thisrr->rec_version == SSL2_VERSION) {
646 more = thisrr->length + SSL2_RT_HEADER_LENGTH
1704961c 647 - SSL3_RT_HEADER_LENGTH;
4030869d
MC		 648 } else {
649 more = thisrr->length;
650 }
651
652 if (more > 0) {
653 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
654
1853d20a 655 rret = rl->funcs->read_n(rl, more, more, 1, 0, &n);
4030869d
MC		 656 if (rret < OSSL_RECORD_RETURN_SUCCESS)
657 return rret; /* error or non-blocking io */
658 }
659
660 /* set state for later operations */
661 rl->rstate = SSL_ST_READ_HEADER;
662
663 /*
664 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
665 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
666 * + thisrr->length and we have that many bytes in rl->packet
667 */
668 if (thisrr->rec_version == SSL2_VERSION)
669 thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
670 else
671 thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
672
673 /*
674 * ok, we can now read from 'rl->packet' data into 'thisrr'.
675 * thisrr->input points at thisrr->length bytes, which need to be copied
676 * into thisrr->data by either the decryption or by the decompression.
677 * When the data is 'copied' into the thisrr->data buffer,
678 * thisrr->input will be updated to point at the new buffer
679 */
680
681 /*
682 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
683 * thisrr->length bytes of encrypted compressed stuff.
684 */
685
686 /* decrypt in place in 'thisrr->input' */
687 thisrr->data = thisrr->input;
688 thisrr->orig_len = thisrr->length;
689
4030869d
MC		 690 num_recs++;
691
692 /* we have pulled in a full packet so zero things */
81c9ebd9 693 rl->packet_length = 0;
4030869d
MC		 694 rl->is_first_record = 0;
695 } while (num_recs < max_recs
696 && thisrr->type == SSL3_RT_APPLICATION_DATA
88d61680 697 && RLAYER_USE_EXPLICIT_IV(rl)
6366bdd9
MC		 698 && rl->enc_ctx != NULL
699 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
4030869d
MC		 700 & EVP_CIPH_FLAG_PIPELINE) != 0
701 && tls_record_app_data_waiting(rl));
702
703 if (num_recs == 1
704 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
9cd9e097
MC		 705 /* The following can happen in tlsany_meth after HRR */
706 && rl->version == TLS1_3_VERSION
1853d20a 707 && rl->is_first_handshake) {
4030869d
MC		 708 /*
709 * CCS messages must be exactly 1 byte long, containing the value 0x01
710 */
711 if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
712 RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER,
713 SSL_R_INVALID_CCS_MESSAGE);
714 return OSSL_RECORD_RETURN_FATAL;
715 }
716 /*
717 * CCS messages are ignored in TLSv1.3. We treat it like an empty
718 * handshake record
719 */
720 thisrr->type = SSL3_RT_HANDSHAKE;
aedbb71b 721 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
4030869d
MC		 722 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
723 SSL_R_UNEXPECTED_CCS_MESSAGE);
724 return OSSL_RECORD_RETURN_FATAL;
725 }
4030869d
MC		 726 rl->num_recs = 0;
727 rl->curr_rec = 0;
728 rl->num_released = 0;
729
730 return OSSL_RECORD_RETURN_SUCCESS;
731 }
732
6366bdd9
MC		 733 if (rl->md_ctx != NULL) {
734 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
4030869d
MC		 735
736 if (tmpmd != NULL) {
737 imac_size = EVP_MD_get_size(tmpmd);
738 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
1704961c
MC		 739 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
740 return OSSL_RECORD_RETURN_FATAL;
4030869d
MC		 741 }
742 mac_size = (size_t)imac_size;
743 }
744 }
745
746 /*
747 * If in encrypt-then-mac mode calculate mac from encrypted record. All
748 * the details below are public so no timing details can leak.
749 */
bed07b18 750 if (rl->use_etm && rl->md_ctx != NULL) {
4030869d
MC		 751 unsigned char *mac;
752
753 for (j = 0; j < num_recs; j++) {
754 thisrr = &rr[j];
755
756 if (thisrr->length < mac_size) {
757 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
758 return OSSL_RECORD_RETURN_FATAL;
759 }
760 thisrr->length -= mac_size;
761 mac = thisrr->data + thisrr->length;
8124ab56 762 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
4030869d
MC		 763 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
764 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
765 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
766 return OSSL_RECORD_RETURN_FATAL;
767 }
768 }
769 /*
770 * We've handled the mac now - there is no MAC inside the encrypted
771 * record
772 */
773 mac_size = 0;
774 }
775
776 if (mac_size > 0) {
777 macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
778 if (macbufs == NULL) {
e077455e 779 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
4030869d
MC		 780 return OSSL_RECORD_RETURN_FATAL;
781 }
782 }
783
8124ab56 784 enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size);
4030869d
MC		 785
786 /*-
787 * enc_err is:
788 * 0: if the record is publicly invalid, or an internal error, or AEAD
789 * decryption failed, or ETM decryption failed.
790 * 1: Success or MTE decryption failed (MAC will be randomised)
791 */
792 if (enc_err == 0) {
d3192c26 793 if (rl->alert != SSL_AD_NO_ALERT) {
651216dd 794 /* RLAYERfatal() already got called */
4030869d
MC		 795 goto end;
796 }
b85ebc4b
MC		 797 if (num_recs == 1
798 && rl->skip_early_data != NULL
799 && rl->skip_early_data(rl->cbarg)) {
4030869d
MC		 800 /*
801 * Valid early_data that we cannot decrypt will fail here. We treat
802 * it like an empty record.
803 */
804
805 thisrr = &rr[0];
806
9dd90232
MC		 807 if (!rlayer_early_data_count_ok(rl, thisrr->length,
808 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
809 /* RLAYERfatal() already called */
4030869d
MC		 810 goto end;
811 }
812
813 thisrr->length = 0;
4030869d
MC		 814 rl->num_recs = 0;
815 rl->curr_rec = 0;
816 rl->num_released = 0;
0755722c
MC		 817 /* Reset the read sequence */
818 memset(rl->sequence, 0, sizeof(rl->sequence));
4030869d
MC		 819 ret = 1;
820 goto end;
821 }
822 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
823 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
824 goto end;
825 }
826 OSSL_TRACE_BEGIN(TLS) {
827 BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
828 BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
829 } OSSL_TRACE_END(TLS);
830
831 /* r->length is now the compressed data plus mac */
6366bdd9 832 if (rl->enc_ctx != NULL
ffbd6e67 833 && !rl->use_etm
6366bdd9 834 && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
4030869d
MC		 835 for (j = 0; j < num_recs; j++) {
836 SSL_MAC_BUF *thismb = &macbufs[j];
1704961c 837
4030869d
MC		 838 thisrr = &rr[j];
839
8124ab56 840 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
4030869d
MC		 841 if (i == 0 || thismb == NULL || thismb->mac == NULL
842 || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
843 enc_err = 0;
844 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
845 enc_err = 0;
846 }
847 }
848
849 if (enc_err == 0) {
d3192c26 850 if (rl->alert != SSL_AD_NO_ALERT) {
651216dd 851 /* We already called RLAYERfatal() */
4030869d
MC		 852 goto end;
853 }
854 /*
855 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
856 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
857 * failure is directly visible from the ciphertext anyway, we should
858 * not reveal which kind of error occurred -- this might become
859 * visible to an attacker (e.g. via a logfile)
860 */
861 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
862 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
863 goto end;
864 }
865
4030869d
MC		 866 for (j = 0; j < num_recs; j++) {
867 thisrr = &rr[j];
868
8124ab56 869 if (!rl->funcs->post_process_record(rl, thisrr)) {
1853d20a 870 /* RLAYERfatal already called */
4030869d
MC		 871 goto end;
872 }
873
874 /*
875 * Check if the received packet overflows the current
876 * Max Fragment Length setting.
ffbd6e67 877 * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
4030869d 878 */
435d88d7 879 if (thisrr->length > rl->max_frag_len) {
4030869d
MC		 880 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
881 goto end;
882 }
883
884 thisrr->off = 0;
885 /*-
886 * So at this point the following is true
887 * thisrr->type is the type of record
888 * thisrr->length == number of bytes in record
889 * thisrr->off == offset to first valid byte
890 * thisrr->data == where to take bytes from, increment after use :-).
891 */
892
893 /* just read a 0 length packet */
894 if (thisrr->length == 0) {
aedbb71b 895 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
1704961c
MC		 896 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
897 SSL_R_RECORD_TOO_SMALL);
4030869d
MC		 898 goto end;
899 }
900 } else {
aedbb71b 901 rl->empty_record_count = 0;
4030869d
MC		 902 }
903 }
904
9dd90232 905 if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) {
4030869d
MC		 906 thisrr = &rr[0];
907 if (thisrr->type == SSL3_RT_APPLICATION_DATA
9dd90232
MC		 908 && !rlayer_early_data_count_ok(rl, thisrr->length, 0, 0)) {
909 /* RLAYERfatal already called */
4030869d
MC		 910 goto end;
911 }
912 }
913
914 rl->num_recs = num_recs;
915 rl->curr_rec = 0;
916 rl->num_released = 0;
917 ret = OSSL_RECORD_RETURN_SUCCESS;
918 end:
919 if (macbufs != NULL) {
920 for (j = 0; j < num_recs; j++) {
921 if (macbufs[j].alloced)
922 OPENSSL_free(macbufs[j].mac);
923 }
924 OPENSSL_free(macbufs);
925 }
926 return ret;
927}
928
1853d20a
MC		 929/* Shared by ssl3_meth and tls1_meth */
930int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
931{
932 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
933
934 if (rec->rec_version != rl->version) {
935 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER);
936 return 0;
937 }
938
939#ifndef OPENSSL_NO_COMP
940 /*
1704961c
MC		 941 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
942 * does not include the compression overhead anyway.
943 */
9251c3c4 944 if (rl->compctx == NULL)
1853d20a
MC		 945 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
946#endif
947
948 if (rec->length > len) {
949 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
950 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
951 return 0;
952 }
953
954 return 1;
955}
956
b9e37f8f 957int tls_do_compress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *wr)
9251c3c4
MC		 958{
959#ifndef OPENSSL_NO_COMP
960 int i;
961
962 i = COMP_compress_block(rl->compctx, wr->data,
963 (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD),
964 wr->input, (int)wr->length);
965 if (i < 0)
966 return 0;
967
968 wr->length = i;
969 wr->input = wr->data;
970 return 1;
971#else
972 return 0;
973#endif
974}
975
222cf410 976int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1853d20a
MC		 977{
978#ifndef OPENSSL_NO_COMP
979 int i;
980
981 if (rec->comp == NULL) {
982 rec->comp = (unsigned char *)
983 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
984 }
985 if (rec->comp == NULL)
986 return 0;
987
9251c3c4 988 i = COMP_expand_block(rl->compctx, rec->comp, SSL3_RT_MAX_PLAIN_LENGTH,
1704961c 989 rec->data, (int)rec->length);
1853d20a
MC		 990 if (i < 0)
991 return 0;
992 else
993 rec->length = i;
994 rec->data = rec->comp;
995 return 1;
996#else
997 return 0;
998#endif
999}
1000
1001/* Shared by tlsany_meth, ssl3_meth and tls1_meth */
8124ab56 1002int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1853d20a 1003{
9251c3c4 1004 if (rl->compctx != NULL) {
1853d20a
MC		 1005 if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
1006 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1007 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1008 return 0;
1009 }
1010 if (!tls_do_uncompress(rl, rec)) {
1011 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
1012 SSL_R_BAD_DECOMPRESSION);
1013 return 0;
1014 }
1015 }
1016
1017 if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
1018 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
1019 return 0;
1020 }
1021
1022 return 1;
1023}
1024
1025/* Shared by tls13_meth and ktls_meth */
8124ab56 1026int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1853d20a 1027{
1853d20a
MC		 1028 if (rec->type != SSL3_RT_APPLICATION_DATA
1029 && rec->type != SSL3_RT_ALERT
1030 && rec->type != SSL3_RT_HANDSHAKE) {
1031 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
1032 return 0;
1033 }
1034
b85ebc4b
MC		 1035 if (rl->msg_callback != NULL)
1036 rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &rec->type,
1037 1, rl->cbarg);
1853d20a
MC		 1038
1039 /*
1040 * TLSv1.3 alert and handshake records are required to be non-zero in
1041 * length.
1042 */
1704961c 1043 if ((rec->type == SSL3_RT_HANDSHAKE || rec->type == SSL3_RT_ALERT)
1853d20a
MC		 1044 && rec->length == 0) {
1045 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
1046 return 0;
1047 }
1048
1049 return 1;
1050}
1051
1704961c 1052int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
1853d20a 1053 int *type, unsigned char **data, size_t *datalen,
8124ab56 1054 uint16_t *epoch, unsigned char *seq_num)
4030869d
MC		 1055{
1056 SSL3_RECORD *rec;
1057
1058 /*
1059 * tls_get_more_records() can return success without actually reading
1060 * anything useful (i.e. if empty records are read). We loop here until
1061 * we have something useful. tls_get_more_records() will eventually fail if
1062 * too many sequential empty records are read.
1063 */
1064 while (rl->curr_rec >= rl->num_recs) {
1065 int ret;
1066
1067 if (rl->num_released != rl->num_recs) {
1068 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
1069 return OSSL_RECORD_RETURN_FATAL;
1070 }
1071
eddb067e 1072 ret = rl->funcs->get_more_records(rl);
4030869d
MC		 1073
1074 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1075 return ret;
1076 }
1077
1078 /*
1079 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
1080 * points to the next one to read.
1081 */
1082 rec = &rl->rrec[rl->curr_rec++];
1083
1084 *rechandle = rec;
1085 *rversion = rec->rec_version;
1086 *type = rec->type;
eddb067e 1087 *data = rec->data + rec->off;
4030869d 1088 *datalen = rec->length;
eddb067e 1089 if (rl->isdtls) {
279754d4 1090 *epoch = rec->epoch;
eddb067e
MC		 1091 memcpy(seq_num, rec->seq_num, sizeof(rec->seq_num));
1092 }
4030869d
MC		 1093
1094 return OSSL_RECORD_RETURN_SUCCESS;
1095}
1096
1853d20a 1097int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle)
4030869d
MC		 1098{
1099 if (!ossl_assert(rl->num_released < rl->curr_rec)
1100 || !ossl_assert(rechandle == &rl->rrec[rl->num_released])) {
1101 /* Should not happen */
1102 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
1103 return OSSL_RECORD_RETURN_FATAL;
1104 }
1105
1106 rl->num_released++;
1107
3de76959
MC		 1108 if (rl->curr_rec == rl->num_released
1109 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0
1110 && SSL3_BUFFER_get_left(&rl->rbuf) == 0)
9b7fb65e 1111 tls_release_read_buffer(rl);
3de76959 1112
4030869d
MC		 1113 return OSSL_RECORD_RETURN_SUCCESS;
1114}
1115
4566dae7
MC		 1116int tls_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
1117{
1118 const OSSL_PARAM *p;
1119
1120 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
1121 if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
1122 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1123 return 0;
1124 }
1125
1126 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
1127 if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
1128 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1129 return 0;
1130 }
1131
eb7d6c2a
MC		 1132 if (rl->direction == OSSL_RECORD_DIRECTION_READ) {
1133 p = OSSL_PARAM_locate_const(options,
1134 OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN);
1135 if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->rbuf.default_len)) {
1136 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1137 return 0;
1138 }
1139 } else {
1140 p = OSSL_PARAM_locate_const(options,
1141 OSSL_LIBSSL_RECORD_LAYER_PARAM_BLOCK_PADDING);
1142 if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->block_padding)) {
1143 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1144 return 0;
1145 }
4566dae7
MC		 1146 }
1147
1148 if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) {
1149 /*
1150 * We ignore any read_ahead setting prior to the application protection
1151 * level. Otherwise we may read ahead data in a lower protection level
1152 * that is destined for a higher protection level. To simplify the logic
1153 * we don't support that at this stage.
1154 */
1155 p = OSSL_PARAM_locate_const(options,
1156 OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
1157 if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
1158 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1159 return 0;
1160 }
1161 }
1162
1163 return 1;
1164}
1165
1853d20a 1166int
cc110a0a
MC		 1167tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1168 int role, int direction, int level, unsigned char *key,
1169 size_t keylen, unsigned char *iv, size_t ivlen,
1170 unsigned char *mackey, size_t mackeylen,
1171 const EVP_CIPHER *ciph, size_t taglen,
cc110a0a 1172 int mactype,
1e76110b 1173 const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
359affde
MC		 1174 BIO *transport, BIO *next, BIO_ADDR *local,
1175 BIO_ADDR *peer, const OSSL_PARAM *settings,
9dd90232
MC		 1176 const OSSL_PARAM *options,
1177 const OSSL_DISPATCH *fns, void *cbarg,
8124ab56 1178 OSSL_RECORD_LAYER **retrl)
34a4068c
MC		 1179{
1180 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
e2d5742b
MC		 1181 const OSSL_PARAM *p;
1182
7c293999
MC		 1183 *retrl = NULL;
1184
e077455e 1185 if (rl == NULL)
7c293999 1186 return OSSL_RECORD_RETURN_FATAL;
e2d5742b 1187
435d88d7
MC		 1188 /*
1189 * Default the value for max_frag_len. This may be overridden by the
1190 * settings
1191 */
1192 rl->max_frag_len = SSL3_RT_MAX_PLAIN_LENGTH;
1193
7f2f0ac7 1194 /* Loop through all the settings since they must all be understood */
a16f9d33
MC		 1195 if (settings != NULL) {
1196 for (p = settings; p->key != NULL; p++) {
1197 if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) {
1198 if (!OSSL_PARAM_get_int(p, &rl->use_etm)) {
7b7ad9e5 1199 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
a16f9d33
MC		 1200 goto err;
1201 }
1202 } else if (strcmp(p->key,
1203 OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) {
1204 if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) {
7b7ad9e5 1205 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
a16f9d33
MC		 1206 goto err;
1207 }
1208 } else if (strcmp(p->key,
1209 OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) {
1210 if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) {
7b7ad9e5 1211 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
a16f9d33
MC		 1212 goto err;
1213 }
1214 } else if (strcmp(p->key,
1215 OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) {
1216 if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) {
7b7ad9e5 1217 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
a16f9d33
MC		 1218 goto err;
1219 }
1704961c
MC		 1220 } else if (strcmp(p->key,
1221 OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) {
a16f9d33 1222 if (!OSSL_PARAM_get_int(p, &rl->tlstree)) {
7b7ad9e5 1223 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
a16f9d33
MC		 1224 goto err;
1225 }
1226 } else {
7b7ad9e5 1227 ERR_raise(ERR_LIB_SSL, SSL_R_UNKNOWN_MANDATORY_PARAMETER);
8124ab56
MC		 1228 goto err;
1229 }
7f2f0ac7
MC		 1230 }
1231 }
1232
aedbb71b
MC		 1233 rl->libctx = libctx;
1234 rl->propq = propq;
1235
e2d5742b
MC		 1236 rl->version = vers;
1237 rl->role = role;
1238 rl->direction = direction;
9dd90232 1239 rl->level = level;
b05fbac1
MC		 1240 rl->taglen = taglen;
1241 rl->md = md;
4030869d 1242
d3192c26
MC		 1243 rl->alert = SSL_AD_NO_ALERT;
1244
1853d20a 1245 if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
4030869d
MC		 1246 rl->is_first_record = 1;
1247
e2d5742b
MC		 1248 if (!tls_set1_bio(rl, transport))
1249 goto err;
1250
359affde
MC		 1251 if (prev != NULL && !BIO_up_ref(prev))
1252 goto err;
1253 rl->prev = prev;
1254
1255 if (next != NULL && !BIO_up_ref(next))
1256 goto err;
1257 rl->next = next;
1258
9dd90232 1259 rl->cbarg = cbarg;
a16f9d33
MC		 1260 if (fns != NULL) {
1261 for (; fns->function_id != 0; fns++) {
1262 switch (fns->function_id) {
1263 case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA:
1264 rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns);
1265 break;
1266 case OSSL_FUNC_RLAYER_MSG_CALLBACK:
1267 rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
1268 break;
1269 case OSSL_FUNC_RLAYER_SECURITY:
1270 rl->security = OSSL_FUNC_rlayer_security(fns);
1271 break;
5f95eb77
MC		 1272 case OSSL_FUNC_RLAYER_PADDING:
1273 rl->padding = OSSL_FUNC_rlayer_padding(fns);
a16f9d33
MC		 1274 default:
1275 /* Just ignore anything we don't understand */
1276 break;
1277 }
9dd90232
MC		 1278 }
1279 }
1280
4566dae7 1281 if (!tls_set_options(rl, options)) {
7b7ad9e5 1282 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
4566dae7
MC		 1283 goto err;
1284 }
1285
b9e4e783
MC		 1286 if ((rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0
1287 && rl->version <= TLS1_VERSION
1288 && !EVP_CIPHER_is_a(ciph, "NULL")
1289 && !EVP_CIPHER_is_a(ciph, "RC4")) {
1290 /*
1291 * Enable vulnerability countermeasure for CBC ciphers with known-IV
1292 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
1293 */
1294 rl->need_empty_fragments = 1;
1295 }
1296
7c293999
MC		 1297 *retrl = rl;
1298 return OSSL_RECORD_RETURN_SUCCESS;
cc110a0a 1299 err:
359affde 1300 tls_int_free(rl);
7c293999 1301 return OSSL_RECORD_RETURN_FATAL;
cc110a0a
MC		 1302}
1303
7c293999 1304static int
cc110a0a 1305tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
279754d4 1306 int role, int direction, int level, uint16_t epoch,
222cf410
MC		 1307 unsigned char *key, size_t keylen, unsigned char *iv,
1308 size_t ivlen, unsigned char *mackey, size_t mackeylen,
cc110a0a 1309 const EVP_CIPHER *ciph, size_t taglen,
cc110a0a 1310 int mactype,
1e76110b 1311 const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
359affde 1312 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
cc110a0a 1313 const OSSL_PARAM *settings, const OSSL_PARAM *options,
9dd90232 1314 const OSSL_DISPATCH *fns, void *cbarg,
8124ab56 1315 OSSL_RECORD_LAYER **retrl)
cc110a0a 1316{
7c293999 1317 int ret;
1704961c 1318
7c293999
MC		 1319 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
1320 key, keylen, iv, ivlen, mackey, mackeylen,
359affde
MC		 1321 ciph, taglen, mactype, md, comp, prev,
1322 transport, next, local, peer, settings,
8124ab56 1323 options, fns, cbarg, retrl);
cc110a0a 1324
7c293999
MC		 1325 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1326 return ret;
cc110a0a 1327
aedbb71b
MC		 1328 switch (vers) {
1329 case TLS_ANY_VERSION:
7c293999 1330 (*retrl)->funcs = &tls_any_funcs;
aedbb71b
MC		 1331 break;
1332 case TLS1_3_VERSION:
7c293999 1333 (*retrl)->funcs = &tls_1_3_funcs;
aedbb71b
MC		 1334 break;
1335 case TLS1_2_VERSION:
aedbb71b 1336 case TLS1_1_VERSION:
aedbb71b 1337 case TLS1_VERSION:
7c293999 1338 (*retrl)->funcs = &tls_1_funcs;
aedbb71b
MC		 1339 break;
1340 case SSL3_VERSION:
7c293999 1341 (*retrl)->funcs = &ssl_3_0_funcs;
aedbb71b
MC		 1342 break;
1343 default:
1344 /* Should not happen */
7c293999
MC		 1345 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
1346 ret = OSSL_RECORD_RETURN_FATAL;
aedbb71b
MC		 1347 goto err;
1348 }
1349
7c293999 1350 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
1704961c
MC		 1351 ivlen, mackey, mackeylen, ciph,
1352 taglen, mactype, md, comp);
aedbb71b 1353
e2d5742b 1354 err:
7c293999
MC		 1355 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
1356 OPENSSL_free(*retrl);
1357 *retrl = NULL;
1358 }
1359 return ret;
e2d5742b
MC		 1360}
1361
359affde 1362static void tls_int_free(OSSL_RECORD_LAYER *rl)
34a4068c 1363{
359affde 1364 BIO_free(rl->prev);
e2d5742b 1365 BIO_free(rl->bio);
359affde
MC		 1366 BIO_free(rl->next);
1367 SSL3_BUFFER_release(&rl->rbuf);
1368
151f313e
MC		 1369 tls_release_write_buffer(rl);
1370
6366bdd9
MC		 1371 EVP_CIPHER_CTX_free(rl->enc_ctx);
1372 EVP_MD_CTX_free(rl->md_ctx);
976b263d 1373#ifndef OPENSSL_NO_COMP
9251c3c4 1374 COMP_CTX_free(rl->compctx);
976b263d 1375#endif
359affde 1376
c77d4556
MC		 1377 if (rl->version == SSL3_VERSION)
1378 OPENSSL_cleanse(rl->mac_secret, sizeof(rl->mac_secret));
1379
6b5c7ef7
JC		 1380 SSL3_RECORD_release(rl->rrec, SSL_MAX_PIPELINES);
1381
34a4068c
MC		 1382 OPENSSL_free(rl);
1383}
1384
359affde
MC		 1385int tls_free(OSSL_RECORD_LAYER *rl)
1386{
1387 SSL3_BUFFER *rbuf;
1388 size_t left, written;
1389 int ret = 1;
1390
50bed93a
MC		 1391 if (rl == NULL)
1392 return 1;
1393
359affde
MC		 1394 rbuf = &rl->rbuf;
1395
1396 left = SSL3_BUFFER_get_left(rbuf);
1397 if (left > 0) {
1398 /*
1399 * This record layer is closing but we still have data left in our
1400 * buffer. It must be destined for the next epoch - so push it there.
1401 */
1402 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
1403 }
1404 tls_int_free(rl);
1405
1406 return ret;
1407}
1408
1853d20a 1409int tls_reset(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1410{
1411 memset(rl, 0, sizeof(*rl));
1412 return 1;
1413}
1414
1853d20a 1415int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
34a4068c 1416{
0755722c 1417 return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
34a4068c
MC		 1418}
1419
1853d20a 1420int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
34a4068c 1421{
4030869d 1422 return rl->curr_rec < rl->num_recs;
34a4068c
MC		 1423}
1424
1853d20a 1425size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
34a4068c 1426{
8bbf7ef6
MC		 1427 size_t i;
1428 size_t num = 0;
1429
1704961c 1430 for (i = rl->curr_rec; i < rl->num_recs; i++) {
8bbf7ef6
MC		 1431 if (rl->rrec[i].type != SSL3_RT_APPLICATION_DATA)
1432 return num;
1433 num += rl->rrec[i].length;
1434 }
1435 return num;
34a4068c
MC		 1436}
1437
bafe524b
MC		 1438size_t tls_get_max_records_default(OSSL_RECORD_LAYER *rl, int type, size_t len,
1439 size_t maxfrag, size_t *preffrag)
34a4068c 1440{
c6186792
MC		 1441 /*
1442 * If we have a pipeline capable cipher, and we have been configured to use
1443 * it, then return the preferred number of pipelines.
1444 */
1445 if (rl->max_pipelines > 0
91fe8ff0 1446 && rl->enc_ctx != NULL
2c50d7fb 1447 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
c6186792
MC		 1448 & EVP_CIPH_FLAG_PIPELINE) != 0
1449 && RLAYER_USE_EXPLICIT_IV(rl)) {
1450 size_t pipes;
1451
1452 if (len == 0)
1453 return 1;
1454 pipes = ((len - 1) / *preffrag) + 1;
1455
1456 return (pipes < rl->max_pipelines) ? pipes : rl->max_pipelines;
1457 }
1458
02719d5c 1459 return 1;
34a4068c
MC		 1460}
1461
bafe524b
MC		 1462size_t tls_get_max_records(OSSL_RECORD_LAYER *rl, int type, size_t len,
1463 size_t maxfrag, size_t *preffrag)
23bf52a4 1464{
bafe524b 1465 return rl->funcs->get_max_records(rl, type, len, maxfrag, preffrag);
23bf52a4
MC		 1466}
1467
91fe8ff0
MC		 1468int tls_allocate_write_buffers_default(OSSL_RECORD_LAYER *rl,
1469 OSSL_RECORD_TEMPLATE *templates,
1470 size_t numtempl,
1471 size_t *prefix)
1472{
1473 if (!tls_setup_write_buffer(rl, numtempl, 0, 0)) {
1474 /* RLAYERfatal() already called */
1475 return 0;
1476 }
1477
1478 return 1;
1479}
1480
1481int tls_initialise_write_packets_default(OSSL_RECORD_LAYER *rl,
1482 OSSL_RECORD_TEMPLATE *templates,
1483 size_t numtempl,
1484 OSSL_RECORD_TEMPLATE *prefixtempl,
1485 WPACKET *pkt,
1486 SSL3_BUFFER *bufs,
1487 size_t *wpinited)
1488{
1489 WPACKET *thispkt;
1490 size_t j, align;
1491 SSL3_BUFFER *wb;
1492
1493 for (j = 0; j < numtempl; j++) {
1494 thispkt = &pkt[j];
1495 wb = &bufs[j];
1496
1497 wb->type = templates[j].type;
1498
1499#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
b9e37f8f
MC		 1500 align = (size_t)SSL3_BUFFER_get_buf(wb);
1501 align += rl->isdtls ? DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH;
91fe8ff0
MC		 1502 align = SSL3_ALIGN_PAYLOAD - 1
1503 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
1504#endif
1505 SSL3_BUFFER_set_offset(wb, align);
1506
1507 if (!WPACKET_init_static_len(thispkt, SSL3_BUFFER_get_buf(wb),
1508 SSL3_BUFFER_get_len(wb), 0)) {
1509 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1510 return 0;
1511 }
1512 (*wpinited)++;
1513 if (!WPACKET_allocate_bytes(thispkt, align, NULL)) {
1514 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1515 return 0;
1516 }
1517 }
1518
1519 return 1;
1520}
1521
aca70ca8
MC		 1522int tls_prepare_record_header_default(OSSL_RECORD_LAYER *rl,
1523 WPACKET *thispkt,
1524 OSSL_RECORD_TEMPLATE *templ,
1525 unsigned int rectype,
1526 unsigned char **recdata)
1527{
1528 size_t maxcomplen;
1529
1530 *recdata = NULL;
1531
1532 maxcomplen = templ->buflen;
1533 if (rl->compctx != NULL)
1534 maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
1535
1536 if (!WPACKET_put_bytes_u8(thispkt, rectype)
1537 || !WPACKET_put_bytes_u16(thispkt, templ->version)
1538 || !WPACKET_start_sub_packet_u16(thispkt)
1539 || (rl->eivlen > 0
1540 && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL))
1541 || (maxcomplen > 0
1542 && !WPACKET_reserve_bytes(thispkt, maxcomplen,
1543 recdata))) {
1544 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1545 return 0;
1546 }
1547
1548 return 1;
1549}
1550
757ef3ba
MC		 1551int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl,
1552 size_t mac_size,
1553 WPACKET *thispkt,
1554 SSL3_RECORD *thiswr)
1555{
1556 size_t len;
1557 unsigned char *recordstart;
1558
1559 /*
1560 * we should still have the output to thiswr->data and the input from
1561 * wr->input. Length should be thiswr->length. thiswr->data still points
1562 * in the wb->buf
1563 */
1564
1565 if (!rl->use_etm && mac_size != 0) {
1566 unsigned char *mac;
1567
1568 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
1569 || !rl->funcs->mac(rl, thiswr, mac, 1)) {
1570 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1571 return 0;
1572 }
1573 }
1574
ecacbc5e
MC		 1575 /*
1576 * Reserve some bytes for any growth that may occur during encryption. If
1577 * we are adding the MAC independently of the cipher algorithm, then the
1578 * max encrypted overhead does not need to include an allocation for that
1579 * MAC
1580 */
1581 if (!WPACKET_reserve_bytes(thispkt, SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
1582 - mac_size, NULL)
757ef3ba
MC		 1583 /*
1584 * We also need next the amount of bytes written to this
1585 * sub-packet
1586 */
1587 || !WPACKET_get_length(thispkt, &len)) {
1588 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1589 return 0;
1590 }
1591
1592 /* Get a pointer to the start of this record excluding header */
1593 recordstart = WPACKET_get_curr(thispkt) - len;
1594 SSL3_RECORD_set_data(thiswr, recordstart);
1595 SSL3_RECORD_reset_input(thiswr);
1596 SSL3_RECORD_set_length(thiswr, len);
1597
1598 return 1;
1599}
1600
2a354d54
MC		 1601int tls_post_encryption_processing_default(OSSL_RECORD_LAYER *rl,
1602 size_t mac_size,
1603 OSSL_RECORD_TEMPLATE *thistempl,
1604 WPACKET *thispkt,
1605 SSL3_RECORD *thiswr)
1606{
1607 size_t origlen, len;
b9e37f8f
MC		 1608 size_t headerlen = rl->isdtls ? DTLS1_RT_HEADER_LENGTH
1609 : SSL3_RT_HEADER_LENGTH;
2a354d54
MC		 1610
1611 /* Allocate bytes for the encryption overhead */
1612 if (!WPACKET_get_length(thispkt, &origlen)
830eae60 1613 /* Check we allowed enough room for the encryption growth */
ecacbc5e
MC		 1614 || !ossl_assert(origlen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
1615 - mac_size >= thiswr->length)
2a354d54
MC		 1616 /* Encryption should never shrink the data! */
1617 || origlen > thiswr->length
1618 || (thiswr->length > origlen
1619 && !WPACKET_allocate_bytes(thispkt,
1620 thiswr->length - origlen,
1621 NULL))) {
1622 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1623 return 0;
1624 }
1625 if (rl->use_etm && mac_size != 0) {
1626 unsigned char *mac;
1627
1628 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
1629 || !rl->funcs->mac(rl, thiswr, mac, 1)) {
1630 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1631 return 0;
1632 }
1633
1634 SSL3_RECORD_add_length(thiswr, mac_size);
1635 }
1636
1637 if (!WPACKET_get_length(thispkt, &len)
1638 || !WPACKET_close(thispkt)) {
1639 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1640 return 0;
1641 }
1642
1643 if (rl->msg_callback != NULL) {
1644 unsigned char *recordstart;
1645
b9e37f8f 1646 recordstart = WPACKET_get_curr(thispkt) - len - headerlen;
2a354d54 1647 rl->msg_callback(1, thiswr->rec_version, SSL3_RT_HEADER, recordstart,
b9e37f8f 1648 headerlen, rl->cbarg);
2a354d54
MC		 1649
1650 if (rl->version == TLS1_3_VERSION && rl->enc_ctx != NULL) {
1651 unsigned char ctype = thistempl->type;
1652
1653 rl->msg_callback(1, thiswr->rec_version, SSL3_RT_INNER_CONTENT_TYPE,
1654 &ctype, 1, rl->cbarg);
1655 }
1656 }
1657
1658 if (!WPACKET_finish(thispkt)) {
1659 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1660 return 0;
1661 }
1662
b9e37f8f 1663 SSL3_RECORD_add_length(thiswr, headerlen);
2a354d54
MC		 1664
1665 return 1;
1666}
1667
bafe524b
MC		 1668int tls_write_records_default(OSSL_RECORD_LAYER *rl,
1669 OSSL_RECORD_TEMPLATE *templates,
1670 size_t numtempl)
34a4068c 1671{
2b71b042
MC		 1672 WPACKET pkt[SSL_MAX_PIPELINES + 1];
1673 SSL3_RECORD wr[SSL_MAX_PIPELINES + 1];
1674 WPACKET *thispkt;
1675 SSL3_RECORD *thiswr;
9251c3c4 1676 int mac_size = 0, ret = 0;
2a354d54 1677 size_t wpinited = 0;
2b71b042 1678 size_t j, prefix = 0;
2b71b042
MC		 1679 OSSL_RECORD_TEMPLATE prefixtempl;
1680 OSSL_RECORD_TEMPLATE *thistempl;
1681
bfda3aee
MC		 1682 if (rl->md_ctx != NULL && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
1683 mac_size = EVP_MD_CTX_get_size(rl->md_ctx);
1684 if (mac_size < 0) {
1685 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1686 goto err;
2b71b042
MC		 1687 }
1688 }
bfda3aee 1689
91fe8ff0
MC		 1690 if (!rl->funcs->allocate_write_buffers(rl, templates, numtempl, &prefix)) {
1691 /* RLAYERfatal() already called */
1692 goto err;
1693 }
2b71b042 1694
91fe8ff0
MC		 1695 if (!rl->funcs->initialise_write_packets(rl, templates, numtempl,
1696 &prefixtempl, pkt, rl->wbuf,
1697 &wpinited)) {
23bf52a4
MC		 1698 /* RLAYERfatal() already called */
1699 goto err;
2b71b042
MC		 1700 }
1701
2b71b042
MC		 1702 /* Clear our SSL3_RECORD structures */
1703 memset(wr, 0, sizeof(wr));
1704 for (j = 0; j < numtempl + prefix; j++) {
2b71b042 1705 unsigned char *compressdata = NULL;
2b71b042
MC		 1706 unsigned int rectype;
1707
1708 thispkt = &pkt[j];
1709 thiswr = &wr[j];
91fe8ff0 1710 thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix];
2b71b042
MC		 1711
1712 /*
7ca61d63
MC		 1713 * Default to the record type as specified in the template unless the
1714 * protocol implementation says differently.
2b71b042 1715 */
7ca61d63
MC		 1716 if (rl->funcs->get_record_type != NULL)
1717 rectype = rl->funcs->get_record_type(rl, thistempl);
2b71b042
MC		 1718 else
1719 rectype = thistempl->type;
1720
1721 SSL3_RECORD_set_type(thiswr, rectype);
1d367677 1722 SSL3_RECORD_set_rec_version(thiswr, thistempl->version);
2b71b042 1723
aca70ca8
MC		 1724 if (!rl->funcs->prepare_record_header(rl, thispkt, thistempl, rectype,
1725 &compressdata)) {
2582de25 1726 /* RLAYERfatal() already called */
2b71b042
MC		 1727 goto err;
1728 }
1729
1730 /* lets setup the record stuff. */
1731 SSL3_RECORD_set_data(thiswr, compressdata);
1732 SSL3_RECORD_set_length(thiswr, thistempl->buflen);
4fed6ee1 1733
2b71b042 1734 SSL3_RECORD_set_input(thiswr, (unsigned char *)thistempl->buf);
2b71b042
MC		 1735
1736 /*
1737 * we now 'read' from thiswr->input, thiswr->length bytes into
1738 * thiswr->data
1739 */
1740
1741 /* first we compress */
9251c3c4
MC		 1742 if (rl->compctx != NULL) {
1743 if (!tls_do_compress(rl, thiswr)
2b71b042 1744 || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) {
320145d5 1745 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE);
2b71b042
MC		 1746 goto err;
1747 }
aca70ca8
MC		 1748 } else if (compressdata != NULL) {
1749 if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) {
1750 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1751 goto err;
2b71b042 1752 }
aca70ca8 1753 SSL3_RECORD_reset_input(&wr[j]);
2b71b042
MC		 1754 }
1755
2582de25
MC		 1756 if (rl->funcs->add_record_padding != NULL
1757 && !rl->funcs->add_record_padding(rl, thistempl, thispkt,
1758 thiswr)) {
1759 /* RLAYERfatal() already called */
1760 goto err;
2b71b042
MC		 1761 }
1762
757ef3ba
MC		 1763 if (!rl->funcs->prepare_for_encryption(rl, mac_size, thispkt, thiswr)) {
1764 /* RLAYERfatal() already called */
1765 goto err;
2b71b042
MC		 1766 }
1767 }
1768
b6f7519b
MC		 1769 if (prefix) {
1770 if (rl->funcs->cipher(rl, wr, 1, 1, NULL, mac_size) < 1) {
4bf610bd 1771 if (rl->alert == SSL_AD_NO_ALERT) {
2f6e24eb
MC		 1772 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1773 }
1774 goto err;
1775 }
2b71b042
MC		 1776 }
1777
b6f7519b
MC		 1778 if (rl->funcs->cipher(rl, wr + prefix, numtempl, 1, NULL, mac_size) < 1) {
1779 if (rl->alert == SSL_AD_NO_ALERT) {
1780 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1781 }
1782 goto err;
1783 }
1784
91fe8ff0 1785 for (j = 0; j < numtempl + prefix; j++) {
2b71b042
MC		 1786 thispkt = &pkt[j];
1787 thiswr = &wr[j];
91fe8ff0 1788 thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix];
2b71b042 1789
2a354d54
MC		 1790 if (!rl->funcs->post_encryption_processing(rl, mac_size, thistempl,
1791 thispkt, thiswr)) {
1792 /* RLAYERfatal() already called */
2b71b042
MC		 1793 goto err;
1794 }
1795
2b71b042 1796 /* now let's set up wb */
151f313e 1797 SSL3_BUFFER_set_left(&rl->wbuf[j], SSL3_RECORD_get_length(thiswr));
2b71b042
MC		 1798 }
1799
23bf52a4 1800 ret = 1;
2b71b042
MC		 1801 err:
1802 for (j = 0; j < wpinited; j++)
1803 WPACKET_cleanup(&pkt[j]);
23bf52a4
MC		 1804 return ret;
1805}
1806
1807int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates,
1808 size_t numtempl)
1809{
23bf52a4
MC		 1810 /* Check we don't have pending data waiting to write */
1811 if (!ossl_assert(rl->nextwbuf >= rl->numwpipes
1812 || SSL3_BUFFER_get_left(&rl->wbuf[rl->nextwbuf]) == 0)) {
1813 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1814 return OSSL_RECORD_RETURN_FATAL;
1815 }
1816
bafe524b 1817 if (!rl->funcs->write_records(rl, templates, numtempl)) {
23bf52a4
MC		 1818 /* RLAYERfatal already called */
1819 return OSSL_RECORD_RETURN_FATAL;
1820 }
23bf52a4
MC		 1821
1822 rl->nextwbuf = 0;
1823 /* we now just need to write the buffers */
1824 return tls_retry_write_records(rl);
34a4068c
MC		 1825}
1826
2b71b042 1827int tls_retry_write_records(OSSL_RECORD_LAYER *rl)
34a4068c 1828{
320145d5 1829 int i, ret;
2b71b042 1830 SSL3_BUFFER *thiswb;
2b71b042 1831 size_t tmpwrit = 0;
2b71b042 1832
e7694c69 1833 if (rl->nextwbuf >= rl->numwpipes)
320145d5 1834 return OSSL_RECORD_RETURN_SUCCESS;
151f313e 1835
2b71b042 1836 for (;;) {
151f313e
MC		 1837 thiswb = &rl->wbuf[rl->nextwbuf];
1838
2b71b042 1839 clear_sys_error();
b5cf81f7 1840 if (rl->bio != NULL) {
ace38195
MC		 1841 if (rl->funcs->prepare_write_bio != NULL) {
1842 ret = rl->funcs->prepare_write_bio(rl, thiswb->type);
1843 if (ret != OSSL_RECORD_RETURN_SUCCESS)
320145d5 1844 return ret;
2b71b042 1845 }
b5cf81f7 1846 i = BIO_write(rl->bio, (char *)
2b71b042
MC		 1847 &(SSL3_BUFFER_get_buf(thiswb)
1848 [SSL3_BUFFER_get_offset(thiswb)]),
1849 (unsigned int)SSL3_BUFFER_get_left(thiswb));
320145d5 1850 if (i >= 0) {
2b71b042 1851 tmpwrit = i;
320145d5
MC		 1852 if (i == 0 && BIO_should_retry(rl->bio))
1853 ret = OSSL_RECORD_RETURN_RETRY;
1854 else
1855 ret = OSSL_RECORD_RETURN_SUCCESS;
1856 } else {
1857 if (BIO_should_retry(rl->bio))
1858 ret = OSSL_RECORD_RETURN_RETRY;
1859 else
1860 ret = OSSL_RECORD_RETURN_FATAL;
1861 }
2b71b042 1862 } else {
320145d5
MC		 1863 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET);
1864 ret = OSSL_RECORD_RETURN_FATAL;
2b71b042
MC		 1865 i = -1;
1866 }
1867
1868 /*
1869 * When an empty fragment is sent on a connection using KTLS,
1870 * it is sent as a write of zero bytes. If this zero byte
1871 * write succeeds, i will be 0 rather than a non-zero value.
1872 * Treat i == 0 as success rather than an error for zero byte
1873 * writes to permit this case.
1874 */
1875 if (i >= 0 && tmpwrit == SSL3_BUFFER_get_left(thiswb)) {
1876 SSL3_BUFFER_set_left(thiswb, 0);
1877 SSL3_BUFFER_add_offset(thiswb, tmpwrit);
e7694c69 1878 if (++(rl->nextwbuf) < rl->numwpipes)
2b71b042 1879 continue;
151f313e 1880
e7694c69 1881 if (rl->nextwbuf == rl->numwpipes
151f313e
MC		 1882 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
1883 tls_release_write_buffer(rl);
320145d5 1884 return OSSL_RECORD_RETURN_SUCCESS;
2b71b042 1885 } else if (i <= 0) {
5361a5a9 1886 if (rl->isdtls) {
2b71b042
MC		 1887 /*
1888 * For DTLS, just drop it. That's kind of the whole point in
1889 * using a datagram service
1890 */
1891 SSL3_BUFFER_set_left(thiswb, 0);
e7694c69 1892 if (++(rl->nextwbuf) == rl->numwpipes
151f313e
MC		 1893 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
1894 tls_release_write_buffer(rl);
1895
2b71b042 1896 }
320145d5 1897 return ret;
2b71b042
MC		 1898 }
1899 SSL3_BUFFER_add_offset(thiswb, tmpwrit);
1900 SSL3_BUFFER_sub_left(thiswb, tmpwrit);
1901 }
34a4068c
MC		 1902}
1903
1853d20a 1904int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 1905{
1906 return rl->alert;
1907}
1908
1853d20a 1909int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
e2d5742b
MC		 1910{
1911 if (bio != NULL && !BIO_up_ref(bio))
1912 return 0;
1913 BIO_free(rl->bio);
1914 rl->bio = bio;
1915
1916 return 1;
1917}
1918
1853d20a
MC		 1919/* Shared by most methods except tlsany_meth */
1920int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1921{
1922 if (rl->version != version)
1923 return 0;
1924
1925 return 1;
1926}
1927
1928int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1929{
1930 return rl->funcs->set_protocol_version(rl, version);
1931}
1932
1933void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
1934{
1935 rl->allow_plain_alerts = allow;
1936}
1937
1938void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
1939{
1940 rl->is_first_handshake = first;
1941}
1942
8124ab56
MC		 1943void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
1944{
1945 rl->max_pipelines = max_pipelines;
1946 if (max_pipelines > 1)
1947 rl->read_ahead = 1;
1948}
1949
d0b17ea0
MC		 1950void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
1951 const char **longstr)
1952{
1953 const char *shrt, *lng;
1704961c 1954
d0b17ea0
MC		 1955 switch (rl->rstate) {
1956 case SSL_ST_READ_HEADER:
1957 shrt = "RH";
1958 lng = "read header";
1959 break;
1960 case SSL_ST_READ_BODY:
1961 shrt = "RB";
1962 lng = "read body";
1963 break;
1964 default:
1965 shrt = lng = "unknown";
1966 break;
1967 }
1968 if (shortstr != NULL)
1969 *shortstr = shrt;
1970 if (longstr != NULL)
1971 *longstr = lng;
1972}
1973
1e76110b
MC		 1974const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl)
1975{
1976#ifndef OPENSSL_NO_COMP
1977 return (rl->compctx == NULL) ? NULL : COMP_CTX_get_method(rl->compctx);
1978#else
1979 return NULL;
1980#endif
1981}
1982
435d88d7
MC		 1983void tls_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
1984{
1985 rl->max_frag_len = max_frag_len;
1986 /*
1987 * We don't need to adjust buffer sizes. Write buffer sizes are
1988 * automatically checked anyway. We should only be changing the read buffer
1989 * size during the handshake, so we will create a new buffer when we create
1990 * the new record layer. We can't change the existing buffer because it may
1991 * already have data in it.
1992 */
1993}
1994
b92fc4ae
MC		 1995int tls_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
1996{
1997 int i;
1998
1999 /* Increment the sequence counter */
2000 for (i = SEQ_NUM_SIZE; i > 0; i--) {
2001 ++(rl->sequence[i - 1]);
2002 if (rl->sequence[i - 1] != 0)
2003 break;
2004 }
2005 if (i == 0) {
2006 /* Sequence has wrapped */
2007 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_SEQUENCE_CTR_WRAPPED);
2008 return 0;
2009 }
2010 return 1;
2011}
2012
7eb39ecb
MC		 2013int tls_alloc_buffers(OSSL_RECORD_LAYER *rl)
2014{
2015 if (rl->direction == OSSL_RECORD_DIRECTION_WRITE) {
2016 /* If we have a pending write then buffers are already allocated */
2017 if (rl->nextwbuf < rl->numwpipes)
2018 return 1;
2019 /*
2020 * We assume 1 pipe with default sized buffer. If what we need ends up
2021 * being a different size to that then it will be reallocated on demand.
2022 * If we need more than 1 pipe then that will also be allocated on
2023 * demand
2024 */
2025 if (!tls_setup_write_buffer(rl, 1, 0, 0))
2026 return 0;
2027
2028 /*
2029 * Normally when we allocate write buffers we immediately write
2030 * something into it. In this case we're not doing that so mark the
2031 * buffer as empty.
2032 */
2033 SSL3_BUFFER_set_left(&rl->wbuf[0], 0);
2034 return 1;
2035 }
2036
2037 /* Read direction */
2038
2039 /* If we have pending data to be read then buffers are already allocated */
2040 if (rl->curr_rec < rl->num_recs || SSL3_BUFFER_get_left(&rl->rbuf) != 0)
2041 return 1;
2042 return tls_setup_read_buffer(rl);
2043}
2044
2045int tls_free_buffers(OSSL_RECORD_LAYER *rl)
2046{
2047 if (rl->direction == OSSL_RECORD_DIRECTION_WRITE) {
2048 if (rl->nextwbuf < rl->numwpipes) {
2049 /*
2050 * We may have pending data. If we've just got one empty buffer
2051 * allocated then it has probably just been alloc'd via
2052 * tls_alloc_buffers, and it is fine to free it. Otherwise this
2053 * looks like real pending data and it is an error.
2054 */
2055 if (rl->nextwbuf != 0
2056 || rl->numwpipes != 1
2057 || SSL3_BUFFER_get_left(&rl->wbuf[0]) != 0)
2058 return 0;
2059 }
2060 tls_release_write_buffer(rl);
2061 return 1;
2062 }
2063
2064 /* Read direction */
2065
2066 /* If we have pending data to be read then fail */
2067 if (rl->curr_rec < rl->num_recs || SSL3_BUFFER_get_left(&rl->rbuf) != 0)
2068 return 0;
2069
2070 return tls_release_read_buffer(rl);
2071}
2072
34a4068c
MC		 2073const OSSL_RECORD_METHOD ossl_tls_record_method = {
2074 tls_new_record_layer,
2075 tls_free,
2076 tls_reset,
2077 tls_unprocessed_read_pending,
2078 tls_processed_read_pending,
2079 tls_app_data_pending,
34a4068c 2080 tls_get_max_records,
2b71b042
MC		 2081 tls_write_records,
2082 tls_retry_write_records,
34a4068c 2083 tls_read_record,
e2d5742b
MC		 2084 tls_release_record,
2085 tls_get_alert_code,
2086 tls_set1_bio,
1853d20a
MC		 2087 tls_set_protocol_version,
2088 tls_set_plain_alerts,
2089 tls_set_first_handshake,
8124ab56 2090 tls_set_max_pipelines,
d0b17ea0 2091 NULL,
4566dae7 2092 tls_get_state,
1e76110b 2093 tls_set_options,
435d88d7 2094 tls_get_compression,
4f428e86 2095 tls_set_max_frag_len,
b92fc4ae 2096 NULL,
7eb39ecb
MC		 2097 tls_increment_sequence_ctr,
2098 tls_alloc_buffers,
2099 tls_free_buffers
cc110a0a 2100};
A mirror of the official openssl repository