]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/record/methods/tls_common.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Move some DTLS read code into the read record layer
[thirdparty/openssl.git] / ssl / record / methods / tls_common.c
CommitLineData
34a4068c
MC		 1/*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/bio.h>
11#include <openssl/ssl.h>
e2d5742b
MC		 12#include <openssl/err.h>
13#include <openssl/core_names.h>
14#include "internal/e_os.h"
4030869d 15#include "internal/packet.h"
4840c2a5
MC		 16#include "../../ssl_local.h"
17#include "../record_local.h"
50023e9b 18#include "recmethod_local.h"
e2d5742b
MC		 19
20# define SSL_AD_NO_ALERT -1
21
359affde
MC		 22static void tls_int_free(OSSL_RECORD_LAYER *rl);
23
50023e9b
MC		 24void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
25 const char *fmt, ...)
e2d5742b
MC		 26{
27 va_list args;
28
29 va_start(args, fmt);
30 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
31 va_end(args);
32
33 rl->alert = al;
34}
35
50023e9b
MC		 36int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
37 EVP_CIPHER_CTX *ctx,
38 const EVP_CIPHER *ciph,
7f2f0ac7 39 const EVP_MD *md)
aedbb71b
MC		 40{
41 /*
42 * Provided cipher, the TLS padding/MAC removal is performed provider
43 * side so we need to tell the ctx about our TLS version and mac size
44 */
45 OSSL_PARAM params[3], *pprm = params;
46 size_t macsize = 0;
47 int imacsize = -1;
48
49 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
7f2f0ac7 50 && !rl->use_etm)
aedbb71b
MC		 51 imacsize = EVP_MD_get_size(md);
52 if (imacsize >= 0)
53 macsize = (size_t)imacsize;
54
55 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
56 &rl->version);
57 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
58 &macsize);
59 *pprm = OSSL_PARAM_construct_end();
60
61 if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
7c293999 62 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
aedbb71b
MC		 63 return 0;
64 }
65
66 return 1;
67}
68
50023e9b
MC		 69/*
70 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
71 * which ssl3_cbc_digest_record supports.
aedbb71b 72 */
50023e9b 73char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
2b891e30 74{
50023e9b
MC		 75 switch (EVP_MD_CTX_get_type(ctx)) {
76 case NID_md5:
77 case NID_sha1:
78 case NID_sha224:
79 case NID_sha256:
80 case NID_sha384:
81 case NID_sha512:
2b891e30 82 return 1;
50023e9b 83 default:
aedbb71b 84 return 0;
aedbb71b 85 }
aedbb71b
MC		 86}
87
976b263d 88#ifndef OPENSSL_NO_COMP
e2d5742b
MC		 89static int rlayer_allow_compression(OSSL_RECORD_LAYER *rl)
90{
91 if (rl->options & SSL_OP_NO_COMPRESSION)
92 return 0;
ed0e298f
MC		 93
94 return rl->security(rl->cbarg, SSL_SECOP_COMPRESSION, 0, 0, NULL);
e2d5742b 95}
976b263d 96#endif
e2d5742b
MC		 97
98static int rlayer_setup_read_buffer(OSSL_RECORD_LAYER *rl)
99{
100 unsigned char *p;
101 size_t len, align = 0, headerlen;
102 SSL3_BUFFER *b;
103
104 b = &rl->rbuf;
105
106 if (rl->isdtls)
107 headerlen = DTLS1_RT_HEADER_LENGTH;
108 else
109 headerlen = SSL3_RT_HEADER_LENGTH;
110
111#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
112 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
113#endif
114
115 if (b->buf == NULL) {
116 len = SSL3_RT_MAX_PLAIN_LENGTH
117 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
118#ifndef OPENSSL_NO_COMP
119 if (rlayer_allow_compression(rl))
120 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
121#endif
122 if (b->default_len > len)
123 len = b->default_len;
124 if ((p = OPENSSL_malloc(len)) == NULL) {
125 /*
126 * We've got a malloc failure, and we're still initialising buffers.
127 * We assume we're so doomed that we won't even be able to send an
128 * alert.
129 */
130 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_MALLOC_FAILURE);
131 return 0;
132 }
133 b->buf = p;
134 b->len = len;
135 }
136
137 return 1;
138}
139
140static int rlayer_release_read_buffer(OSSL_RECORD_LAYER *rl)
141{
142 SSL3_BUFFER *b;
143
144 b = &rl->rbuf;
145 if (rl->options & SSL_OP_CLEANSE_PLAINTEXT)
146 OPENSSL_cleanse(b->buf, b->len);
147 OPENSSL_free(b->buf);
148 b->buf = NULL;
149 return 1;
150}
151
1853d20a 152void tls_reset_packet_length(OSSL_RECORD_LAYER *rl)
4030869d
MC		 153{
154 rl->packet_length = 0;
155}
156
e2d5742b
MC		 157/*
158 * Return values are as per SSL_read()
159 */
1853d20a
MC		 160int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
161 int clearold, size_t *readbytes)
e2d5742b
MC		 162{
163 /*
164 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
165 * packet by another n bytes. The packet will be in the sub-array of
166 * s->rlayer.rbuf.buf specified by s->rlayer.packet and
167 * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may
168 * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].)
169 * if clearold == 1, move the packet to the start of the buffer; if
170 * clearold == 0 then leave any old packets where they were
171 */
172 size_t len, left, align = 0;
173 unsigned char *pkt;
174 SSL3_BUFFER *rb;
175
176 if (n == 0)
177 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
178
179 rb = &rl->rbuf;
cc110a0a
MC		 180 /*
181 * TODO(RECLAYER): Once this function is only called from inside the rlayer
182 * directly, we can probably remove this since it is initialised in
183 * tls_get_more_records
184 */
e2d5742b
MC		 185 if (rb->buf == NULL) {
186 if (!rlayer_setup_read_buffer(rl)) {
187 /* RLAYERfatal() already called */
188 return OSSL_RECORD_RETURN_FATAL;
189 }
190 }
191
192 left = rb->left;
193#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
194 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
195 align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
196#endif
197
198 if (!extend) {
199 /* start with empty packet ... */
200 if (left == 0) {
201 rb->offset = align;
202 } else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {
203 /*
204 * check if next packet length is large enough to justify payload
205 * alignment...
206 */
207 pkt = rb->buf + rb->offset;
208 if (pkt[0] == SSL3_RT_APPLICATION_DATA
209 && (pkt[3] << 8 | pkt[4]) >= 128) {
210 /*
211 * Note that even if packet is corrupted and its length field
212 * is insane, we can only be led to wrong decision about
213 * whether memmove will occur or not. Header values has no
214 * effect on memmove arguments and therefore no buffer
215 * overrun can be triggered.
216 */
217 memmove(rb->buf + align, pkt, left);
218 rb->offset = align;
219 }
220 }
221 rl->packet = rb->buf + rb->offset;
222 rl->packet_length = 0;
223 /* ... now we can act as if 'extend' was set */
224 }
225
226 len = rl->packet_length;
227 pkt = rb->buf + align;
228 /*
229 * Move any available bytes to front of buffer: 'len' bytes already
230 * pointed to by 'packet', 'left' extra ones at the end
231 */
232 if (rl->packet != pkt && clearold == 1) {
233 memmove(pkt, rl->packet, len + left);
234 rl->packet = pkt;
235 rb->offset = len + align;
236 }
237
238 /*
239 * For DTLS/UDP reads should not span multiple packets because the read
240 * operation returns the whole packet at once (as long as it fits into
241 * the buffer).
242 */
243 if (rl->isdtls) {
244 if (left == 0 && extend)
245 return 0;
246 if (left > 0 && n > left)
247 n = left;
248 }
249
250 /* if there is enough in the buffer from a previous read, take some */
251 if (left >= n) {
252 rl->packet_length += n;
253 rb->left = left - n;
254 rb->offset += n;
255 *readbytes = n;
256 return OSSL_RECORD_RETURN_SUCCESS;
257 }
258
259 /* else we need to read more data */
260
261 if (n > rb->len - rb->offset) {
262 /* does not happen */
263 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
264 return OSSL_RECORD_RETURN_FATAL;
265 }
266
1853d20a
MC		 267 /* We always act like read_ahead is set for DTLS */
268 if (!rl->read_ahead && !rl->isdtls) {
e2d5742b
MC		 269 /* ignore max parameter */
270 max = n;
271 } else {
272 if (max < n)
273 max = n;
274 if (max > rb->len - rb->offset)
275 max = rb->len - rb->offset;
276 }
277
278 while (left < n) {
279 size_t bioread = 0;
280 int ret;
359affde 281 BIO *bio = rl->prev != NULL ? rl->prev : rl->bio;
e2d5742b
MC		 282
283 /*
284 * Now we have len+left bytes at the front of s->s3.rbuf.buf and
285 * need to read in more until we have len+n (up to len+max if
286 * possible)
287 */
288
289 clear_sys_error();
359affde
MC		 290 if (bio != NULL) {
291 ret = BIO_read(bio, pkt + len + left, max - left);
e2d5742b
MC		 292 if (ret > 0) {
293 bioread = ret;
294 ret = OSSL_RECORD_RETURN_SUCCESS;
359affde
MC		 295 } else if (BIO_should_retry(bio)) {
296 if (rl->prev != NULL) {
297 /*
298 * We were reading from the previous epoch. Now there is no
299 * more data, so swap to the actual transport BIO
300 */
301 BIO_free(rl->prev);
302 rl->prev = NULL;
303 continue;
304 }
e2d5742b 305 ret = OSSL_RECORD_RETURN_RETRY;
359affde 306 } else if (BIO_eof(bio)) {
e2d5742b
MC		 307 ret = OSSL_RECORD_RETURN_EOF;
308 } else {
309 ret = OSSL_RECORD_RETURN_FATAL;
310 }
311 } else {
312 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
313 ret = OSSL_RECORD_RETURN_FATAL;
314 }
315
316 if (ret <= OSSL_RECORD_RETURN_RETRY) {
317 rb->left = left;
318 if (rl->mode & SSL_MODE_RELEASE_BUFFERS && !rl->isdtls)
319 if (len + left == 0)
320 rlayer_release_read_buffer(rl);
321 return ret;
322 }
323 left += bioread;
324 /*
325 * reads should *never* span multiple packets for DTLS because the
326 * underlying transport protocol is message oriented as opposed to
327 * byte oriented as in the TLS case.
328 */
329 if (rl->isdtls) {
330 if (n > left)
331 n = left; /* makes the while condition false */
332 }
333 }
334
335 /* done reading, now the book-keeping */
336 rb->offset += n;
337 rb->left = left - n;
338 rl->packet_length += n;
339 *readbytes = n;
340 return OSSL_RECORD_RETURN_SUCCESS;
341}
342
4030869d
MC		 343/*
344 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
345 * for us in the buffer.
346 */
347static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
348{
349 SSL3_BUFFER *rbuf;
350 size_t left, len;
351 unsigned char *p;
352
353 rbuf = &rl->rbuf;
354
355 p = SSL3_BUFFER_get_buf(rbuf);
356 if (p == NULL)
357 return 0;
358
359 left = SSL3_BUFFER_get_left(rbuf);
360
361 if (left < SSL3_RT_HEADER_LENGTH)
362 return 0;
363
364 p += SSL3_BUFFER_get_offset(rbuf);
365
366 /*
367 * We only check the type and record length, we will sanity check version
368 * etc later
369 */
370 if (*p != SSL3_RT_APPLICATION_DATA)
371 return 0;
372
373 p += 3;
374 n2s(p, len);
375
376 if (left < SSL3_RT_HEADER_LENGTH + len)
377 return 0;
378
379 return 1;
380}
381
9dd90232
MC		 382static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length,
383 size_t overhead, int send)
384{
385 uint32_t max_early_data = rl->max_early_data;
386
387 if (max_early_data == 0) {
388 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
389 SSL_R_TOO_MUCH_EARLY_DATA);
390 return 0;
391 }
392
393 /* If we are dealing with ciphertext we need to allow for the overhead */
394 max_early_data += overhead;
395
396 if (rl->early_data_count + length > max_early_data) {
397 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
398 SSL_R_TOO_MUCH_EARLY_DATA);
399 return 0;
400 }
401 rl->early_data_count += length;
402
403 return 1;
404}
405
4030869d
MC		 406/*
407 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
408 * will be processed per call to ssl3_get_record. Without this limit an
409 * attacker could send empty records at a faster rate than we can process and
410 * cause ssl3_get_record to loop forever.
411 */
412#define MAX_EMPTY_RECORDS 32
413
414#define SSL2_RT_HEADER_LENGTH 2
415
416/*-
417 * Call this to buffer new input records in rl->rrec.
418 * It will return a OSSL_RECORD_RETURN_* value.
419 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
420 * records have been decoded. For each record 'i':
421 * rrec[i].type - is the type of record
422 * rrec[i].data, - data
423 * rrec[i].length, - number of bytes
424 * Multiple records will only be returned if the record types are all
425 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
426 * |max_pipelines|
427 */
eddb067e 428int tls_get_more_records(OSSL_RECORD_LAYER *rl)
4030869d
MC		 429{
430 int enc_err, rret;
431 int i;
432 size_t more, n;
433 SSL3_RECORD *rr, *thisrr;
434 SSL3_BUFFER *rbuf;
4030869d
MC		 435 unsigned char *p;
436 unsigned char md[EVP_MAX_MD_SIZE];
437 unsigned int version;
438 size_t mac_size = 0;
439 int imac_size;
440 size_t num_recs = 0, max_recs, j;
441 PACKET pkt, sslv2pkt;
4030869d
MC		 442 SSL_MAC_BUF *macbufs = NULL;
443 int ret = OSSL_RECORD_RETURN_FATAL;
4030869d
MC		 444
445 rr = rl->rrec;
446 rbuf = &rl->rbuf;
cc110a0a
MC		 447 if (rbuf->buf == NULL) {
448 if (!rlayer_setup_read_buffer(rl)) {
449 /* RLAYERfatal() already called */
450 return OSSL_RECORD_RETURN_FATAL;
451 }
452 }
4030869d 453
8124ab56
MC		 454 max_recs = rl->max_pipelines;
455
4030869d
MC		 456 if (max_recs == 0)
457 max_recs = 1;
4030869d 458
4030869d
MC		 459 do {
460 thisrr = &rr[num_recs];
461
462 /* check if we have the header */
463 if ((rl->rstate != SSL_ST_READ_BODY) ||
464 (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
465 size_t sslv2len;
466 unsigned int type;
467
1853d20a
MC		 468 rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH,
469 SSL3_BUFFER_get_len(rbuf), 0,
470 num_recs == 0 ? 1 : 0, &n);
471
472 if (rret < OSSL_RECORD_RETURN_SUCCESS)
473 return rret; /* error or non-blocking */
474
4030869d
MC		 475 rl->rstate = SSL_ST_READ_BODY;
476
477 p = rl->packet;
478 if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
479 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
480 return OSSL_RECORD_RETURN_FATAL;
481 }
482 sslv2pkt = pkt;
483 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
484 || !PACKET_get_1(&sslv2pkt, &type)) {
485 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
486 return OSSL_RECORD_RETURN_FATAL;
487 }
488 /*
489 * The first record received by the server may be a V2ClientHello.
490 */
491 if (rl->role == OSSL_RECORD_ROLE_SERVER
492 && rl->is_first_record
493 && (sslv2len & 0x8000) != 0
494 && (type == SSL2_MT_CLIENT_HELLO)) {
495 /*
496 * SSLv2 style record
497 *
498 * |num_recs| here will actually always be 0 because
499 * |num_recs > 0| only ever occurs when we are processing
500 * multiple app data records - which we know isn't the case here
501 * because it is an SSLv2ClientHello. We keep it using
502 * |num_recs| for the sake of consistency
503 */
504 thisrr->type = SSL3_RT_HANDSHAKE;
505 thisrr->rec_version = SSL2_VERSION;
506
507 thisrr->length = sslv2len & 0x7fff;
508
509 if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
510 - SSL2_RT_HEADER_LENGTH) {
511 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
512 SSL_R_PACKET_LENGTH_TOO_LONG);
513 return OSSL_RECORD_RETURN_FATAL;
514 }
4030869d
MC		 515 } else {
516 /* SSLv3+ style record */
517
518 /* Pull apart the header into the SSL3_RECORD */
519 if (!PACKET_get_1(&pkt, &type)
520 || !PACKET_get_net_2(&pkt, &version)
521 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
3c7b9ef9 522 rl->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, rl->cbarg);
4030869d
MC		 523 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
524 return OSSL_RECORD_RETURN_FATAL;
525 }
526 thisrr->type = type;
527 thisrr->rec_version = version;
528
014baa8a
MC		 529 /*
530 * When we call validate_record_header() only records actually
531 * received in SSLv2 format should have the record version set
532 * to SSL2_VERSION. This way validate_record_header() can know
533 * what format the record was in based on the version.
534 */
535 if (thisrr->rec_version == SSL2_VERSION) {
536 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
537 SSL_R_WRONG_VERSION_NUMBER);
538 return OSSL_RECORD_RETURN_FATAL;
539 }
540
3c7b9ef9 541 rl->msg_callback(0, version, SSL3_RT_HEADER, p, 5, rl->cbarg);
4030869d 542
4030869d
MC		 543 if (thisrr->length >
544 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
545 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
546 SSL_R_PACKET_LENGTH_TOO_LONG);
547 return OSSL_RECORD_RETURN_FATAL;
548 }
549 }
550
1853d20a
MC		 551 if (!rl->funcs->validate_record_header(rl, thisrr)) {
552 /* RLAYERfatal already called */
4030869d
MC		 553 return OSSL_RECORD_RETURN_FATAL;
554 }
4030869d 555
1853d20a 556 /* now rl->rstate == SSL_ST_READ_BODY */
4030869d
MC		 557 }
558
559 /*
560 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
561 * how much more data we need to read for the rest of the record
562 */
563 if (thisrr->rec_version == SSL2_VERSION) {
564 more = thisrr->length + SSL2_RT_HEADER_LENGTH
565 - SSL3_RT_HEADER_LENGTH;
566 } else {
567 more = thisrr->length;
568 }
569
570 if (more > 0) {
571 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
572
1853d20a 573 rret = rl->funcs->read_n(rl, more, more, 1, 0, &n);
4030869d
MC		 574 if (rret < OSSL_RECORD_RETURN_SUCCESS)
575 return rret; /* error or non-blocking io */
576 }
577
578 /* set state for later operations */
579 rl->rstate = SSL_ST_READ_HEADER;
580
581 /*
582 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
583 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
584 * + thisrr->length and we have that many bytes in rl->packet
585 */
586 if (thisrr->rec_version == SSL2_VERSION)
587 thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
588 else
589 thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
590
591 /*
592 * ok, we can now read from 'rl->packet' data into 'thisrr'.
593 * thisrr->input points at thisrr->length bytes, which need to be copied
594 * into thisrr->data by either the decryption or by the decompression.
595 * When the data is 'copied' into the thisrr->data buffer,
596 * thisrr->input will be updated to point at the new buffer
597 */
598
599 /*
600 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
601 * thisrr->length bytes of encrypted compressed stuff.
602 */
603
604 /* decrypt in place in 'thisrr->input' */
605 thisrr->data = thisrr->input;
606 thisrr->orig_len = thisrr->length;
607
608 /* Mark this record as not read by upper layers yet */
609 thisrr->read = 0;
610
611 num_recs++;
612
613 /* we have pulled in a full packet so zero things */
614 tls_reset_packet_length(rl);
615 rl->is_first_record = 0;
616 } while (num_recs < max_recs
617 && thisrr->type == SSL3_RT_APPLICATION_DATA
88d61680 618 && RLAYER_USE_EXPLICIT_IV(rl)
6366bdd9
MC		 619 && rl->enc_ctx != NULL
620 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
4030869d
MC		 621 & EVP_CIPH_FLAG_PIPELINE) != 0
622 && tls_record_app_data_waiting(rl));
623
624 if (num_recs == 1
625 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
9cd9e097
MC		 626 /* The following can happen in tlsany_meth after HRR */
627 && rl->version == TLS1_3_VERSION
1853d20a 628 && rl->is_first_handshake) {
4030869d
MC		 629 /*
630 * CCS messages must be exactly 1 byte long, containing the value 0x01
631 */
632 if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
633 RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER,
634 SSL_R_INVALID_CCS_MESSAGE);
635 return OSSL_RECORD_RETURN_FATAL;
636 }
637 /*
638 * CCS messages are ignored in TLSv1.3. We treat it like an empty
639 * handshake record
640 */
641 thisrr->type = SSL3_RT_HANDSHAKE;
aedbb71b 642 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
4030869d
MC		 643 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
644 SSL_R_UNEXPECTED_CCS_MESSAGE);
645 return OSSL_RECORD_RETURN_FATAL;
646 }
647 thisrr->read = 1;
648 rl->num_recs = 0;
649 rl->curr_rec = 0;
650 rl->num_released = 0;
651
652 return OSSL_RECORD_RETURN_SUCCESS;
653 }
654
6366bdd9
MC		 655 if (rl->md_ctx != NULL) {
656 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
4030869d
MC		 657
658 if (tmpmd != NULL) {
659 imac_size = EVP_MD_get_size(tmpmd);
660 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
661 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
662 return OSSL_RECORD_RETURN_FATAL;
663 }
664 mac_size = (size_t)imac_size;
665 }
666 }
667
668 /*
669 * If in encrypt-then-mac mode calculate mac from encrypted record. All
670 * the details below are public so no timing details can leak.
671 */
6366bdd9 672 if (rl->use_etm && rl->md_ctx) {
4030869d
MC		 673 unsigned char *mac;
674
675 for (j = 0; j < num_recs; j++) {
676 thisrr = &rr[j];
677
678 if (thisrr->length < mac_size) {
679 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
680 return OSSL_RECORD_RETURN_FATAL;
681 }
682 thisrr->length -= mac_size;
683 mac = thisrr->data + thisrr->length;
8124ab56 684 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
4030869d
MC		 685 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
686 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
687 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
688 return OSSL_RECORD_RETURN_FATAL;
689 }
690 }
691 /*
692 * We've handled the mac now - there is no MAC inside the encrypted
693 * record
694 */
695 mac_size = 0;
696 }
697
698 if (mac_size > 0) {
699 macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
700 if (macbufs == NULL) {
701 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
702 return OSSL_RECORD_RETURN_FATAL;
703 }
704 }
705
aedbb71b
MC		 706 /*
707 * TODO(RECLAYER): Only call rl functions once TLSv1.3/SSLv3 is moved to new
708 * record layer code
709 */
8124ab56 710 enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size);
4030869d
MC		 711
712 /*-
713 * enc_err is:
714 * 0: if the record is publicly invalid, or an internal error, or AEAD
715 * decryption failed, or ETM decryption failed.
716 * 1: Success or MTE decryption failed (MAC will be randomised)
717 */
718 if (enc_err == 0) {
651216dd
MC		 719 if (rl->alert != 0) {
720 /* RLAYERfatal() already got called */
4030869d
MC		 721 goto end;
722 }
3c7b9ef9 723 if (num_recs == 1 && rl->skip_early_data(rl->cbarg)) {
4030869d
MC		 724 /*
725 * Valid early_data that we cannot decrypt will fail here. We treat
726 * it like an empty record.
727 */
728
729 thisrr = &rr[0];
730
9dd90232
MC		 731 if (!rlayer_early_data_count_ok(rl, thisrr->length,
732 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
733 /* RLAYERfatal() already called */
4030869d
MC		 734 goto end;
735 }
736
737 thisrr->length = 0;
738 thisrr->read = 1;
739 rl->num_recs = 0;
740 rl->curr_rec = 0;
741 rl->num_released = 0;
0755722c
MC		 742 /* Reset the read sequence */
743 memset(rl->sequence, 0, sizeof(rl->sequence));
4030869d
MC		 744 ret = 1;
745 goto end;
746 }
747 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
748 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
749 goto end;
750 }
751 OSSL_TRACE_BEGIN(TLS) {
752 BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
753 BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
754 } OSSL_TRACE_END(TLS);
755
756 /* r->length is now the compressed data plus mac */
6366bdd9 757 if (rl->enc_ctx != NULL
ffbd6e67 758 && !rl->use_etm
6366bdd9
MC		 759 && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
760 /* rl->md_ctx != NULL => mac_size != -1 */
4030869d
MC		 761
762 for (j = 0; j < num_recs; j++) {
763 SSL_MAC_BUF *thismb = &macbufs[j];
764 thisrr = &rr[j];
765
8124ab56 766 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
4030869d
MC		 767 if (i == 0 || thismb == NULL || thismb->mac == NULL
768 || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
769 enc_err = 0;
770 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
771 enc_err = 0;
772 }
773 }
774
775 if (enc_err == 0) {
651216dd
MC		 776 if (rl->alert != 0) {
777 /* We already called RLAYERfatal() */
4030869d
MC		 778 goto end;
779 }
780 /*
781 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
782 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
783 * failure is directly visible from the ciphertext anyway, we should
784 * not reveal which kind of error occurred -- this might become
785 * visible to an attacker (e.g. via a logfile)
786 */
787 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
788 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
789 goto end;
790 }
791
4030869d
MC		 792 for (j = 0; j < num_recs; j++) {
793 thisrr = &rr[j];
794
8124ab56 795 if (!rl->funcs->post_process_record(rl, thisrr)) {
1853d20a 796 /* RLAYERfatal already called */
4030869d
MC		 797 goto end;
798 }
799
800 /*
801 * Check if the received packet overflows the current
802 * Max Fragment Length setting.
ffbd6e67 803 * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
4030869d 804 */
ffbd6e67 805 if (rl->max_frag_len > 0 && thisrr->length > rl->max_frag_len) {
4030869d
MC		 806 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
807 goto end;
808 }
809
810 thisrr->off = 0;
811 /*-
812 * So at this point the following is true
813 * thisrr->type is the type of record
814 * thisrr->length == number of bytes in record
815 * thisrr->off == offset to first valid byte
816 * thisrr->data == where to take bytes from, increment after use :-).
817 */
818
819 /* just read a 0 length packet */
820 if (thisrr->length == 0) {
aedbb71b 821 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
4030869d
MC		 822 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_RECORD_TOO_SMALL);
823 goto end;
824 }
825 } else {
aedbb71b 826 rl->empty_record_count = 0;
4030869d
MC		 827 }
828 }
829
9dd90232 830 if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) {
4030869d
MC		 831 thisrr = &rr[0];
832 if (thisrr->type == SSL3_RT_APPLICATION_DATA
9dd90232
MC		 833 && !rlayer_early_data_count_ok(rl, thisrr->length, 0, 0)) {
834 /* RLAYERfatal already called */
4030869d
MC		 835 goto end;
836 }
837 }
838
839 rl->num_recs = num_recs;
840 rl->curr_rec = 0;
841 rl->num_released = 0;
842 ret = OSSL_RECORD_RETURN_SUCCESS;
843 end:
844 if (macbufs != NULL) {
845 for (j = 0; j < num_recs; j++) {
846 if (macbufs[j].alloced)
847 OPENSSL_free(macbufs[j].mac);
848 }
849 OPENSSL_free(macbufs);
850 }
851 return ret;
852}
853
1853d20a
MC		 854/* Shared by ssl3_meth and tls1_meth */
855int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
856{
857 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
858
859 if (rec->rec_version != rl->version) {
860 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER);
861 return 0;
862 }
863
864#ifndef OPENSSL_NO_COMP
865 /*
866 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
867 * does not include the compression overhead anyway.
868 */
869 if (rl->expand == NULL)
870 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
871#endif
872
873 if (rec->length > len) {
874 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
875 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
876 return 0;
877 }
878
879 return 1;
880}
881
882static int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
883{
884#ifndef OPENSSL_NO_COMP
885 int i;
886
887 if (rec->comp == NULL) {
888 rec->comp = (unsigned char *)
889 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
890 }
891 if (rec->comp == NULL)
892 return 0;
893
894 i = COMP_expand_block(rl->expand, rec->comp,
895 SSL3_RT_MAX_PLAIN_LENGTH, rec->data, (int)rec->length);
896 if (i < 0)
897 return 0;
898 else
899 rec->length = i;
900 rec->data = rec->comp;
901 return 1;
902#else
903 return 0;
904#endif
905}
906
907/* Shared by tlsany_meth, ssl3_meth and tls1_meth */
8124ab56 908int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1853d20a
MC		 909{
910 if (rl->expand != NULL) {
911 if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
912 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
913 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
914 return 0;
915 }
916 if (!tls_do_uncompress(rl, rec)) {
917 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
918 SSL_R_BAD_DECOMPRESSION);
919 return 0;
920 }
921 }
922
923 if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
924 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
925 return 0;
926 }
927
928 return 1;
929}
930
931/* Shared by tls13_meth and ktls_meth */
8124ab56 932int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1853d20a 933{
1853d20a
MC		 934 if (rec->type != SSL3_RT_APPLICATION_DATA
935 && rec->type != SSL3_RT_ALERT
936 && rec->type != SSL3_RT_HANDSHAKE) {
937 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
938 return 0;
939 }
940
3c7b9ef9
MC		 941 rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &rec->type,
942 1, rl->cbarg);
1853d20a
MC		 943
944 /*
945 * TLSv1.3 alert and handshake records are required to be non-zero in
946 * length.
947 */
948 if ((rec->type == SSL3_RT_HANDSHAKE
949 || rec->type == SSL3_RT_ALERT)
950 && rec->length == 0) {
951 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
952 return 0;
953 }
954
955 return 1;
956}
957
958int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
959 int *type, unsigned char **data, size_t *datalen,
8124ab56 960 uint16_t *epoch, unsigned char *seq_num)
4030869d
MC		 961{
962 SSL3_RECORD *rec;
963
964 /*
965 * tls_get_more_records() can return success without actually reading
966 * anything useful (i.e. if empty records are read). We loop here until
967 * we have something useful. tls_get_more_records() will eventually fail if
968 * too many sequential empty records are read.
969 */
970 while (rl->curr_rec >= rl->num_recs) {
971 int ret;
972
973 if (rl->num_released != rl->num_recs) {
974 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
975 return OSSL_RECORD_RETURN_FATAL;
976 }
977
eddb067e 978 ret = rl->funcs->get_more_records(rl);
4030869d
MC		 979
980 if (ret != OSSL_RECORD_RETURN_SUCCESS)
981 return ret;
982 }
983
984 /*
985 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
986 * points to the next one to read.
987 */
988 rec = &rl->rrec[rl->curr_rec++];
989
990 *rechandle = rec;
991 *rversion = rec->rec_version;
992 *type = rec->type;
eddb067e 993 *data = rec->data + rec->off;
4030869d 994 *datalen = rec->length;
eddb067e
MC		 995 if (rl->isdtls) {
996 *epoch = (uint16_t)rec->epoch;
997 memcpy(seq_num, rec->seq_num, sizeof(rec->seq_num));
998 }
4030869d
MC		 999
1000 return OSSL_RECORD_RETURN_SUCCESS;
1001}
1002
1853d20a 1003int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle)
4030869d
MC		 1004{
1005 if (!ossl_assert(rl->num_released < rl->curr_rec)
1006 || !ossl_assert(rechandle == &rl->rrec[rl->num_released])) {
1007 /* Should not happen */
1008 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
1009 return OSSL_RECORD_RETURN_FATAL;
1010 }
1011
1012 rl->num_released++;
1013
1014 return OSSL_RECORD_RETURN_SUCCESS;
1015}
1016
1853d20a 1017int
cc110a0a
MC		 1018tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1019 int role, int direction, int level, unsigned char *key,
1020 size_t keylen, unsigned char *iv, size_t ivlen,
1021 unsigned char *mackey, size_t mackeylen,
1022 const EVP_CIPHER *ciph, size_t taglen,
1023 /* TODO(RECLAYER): This probably should not be an int */
1024 int mactype,
359affde
MC		 1025 const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
1026 BIO *transport, BIO *next, BIO_ADDR *local,
1027 BIO_ADDR *peer, const OSSL_PARAM *settings,
9dd90232
MC		 1028 const OSSL_PARAM *options,
1029 const OSSL_DISPATCH *fns, void *cbarg,
8124ab56 1030 OSSL_RECORD_LAYER **retrl)
34a4068c
MC		 1031{
1032 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
e2d5742b
MC		 1033 const OSSL_PARAM *p;
1034
7c293999
MC		 1035 *retrl = NULL;
1036
e2d5742b
MC		 1037 if (rl == NULL) {
1038 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
7c293999 1039 return OSSL_RECORD_RETURN_FATAL;
e2d5742b
MC		 1040 }
1041
79eebb08
MC		 1042 /*
1043 * TODO(RECLAYER): Need to handle the case where the params are updated
1044 * after the record layer has been created.
1045 */
e2d5742b
MC		 1046 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
1047 if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
1048 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1049 goto err;
1050 }
1051
1052 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
1053 if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
1054 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1055 goto err;
1056 }
1057
7f2f0ac7
MC		 1058 /* Loop through all the settings since they must all be understood */
1059 for (p = settings; p->key != NULL; p++) {
1060 if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) {
1061 if (!OSSL_PARAM_get_int(p, &rl->use_etm)) {
1062 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1063 goto err;
1064 }
ffbd6e67
MC		 1065 } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) {
1066 if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) {
1067 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1068 goto err;
1069 }
9dd90232
MC		 1070 } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) {
1071 if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) {
1072 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1073 goto err;
1074 }
8124ab56
MC		 1075 } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) {
1076 if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) {
1077 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1078 goto err;
1079 }
1080 } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) {
1081 if (!OSSL_PARAM_get_int(p, &rl->tlstree)) {
1082 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1083 goto err;
1084 }
7f2f0ac7
MC		 1085 } else {
1086 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_MANDATORY_PARAMETER);
1087 goto err;
1088 }
1089 }
1090
1091
79eebb08
MC		 1092 if (level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) {
1093 /*
1094 * We ignore any read_ahead setting prior to the application protection
1095 * level. Otherwise we may read ahead data in a lower protection level
1096 * that is destined for a higher protection level. To simplify the logic
1097 * we don't support that at this stage.
1098 */
1099 /*
1100 * TODO(RECLAYER): Handle the case of read_ahead at the application
1101 * level and a key update/reneg occurs.
1102 */
1103 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
1104 if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
1105 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1106 goto err;
1107 }
e2d5742b
MC		 1108 }
1109
aedbb71b
MC		 1110 rl->libctx = libctx;
1111 rl->propq = propq;
1112
e2d5742b
MC		 1113 rl->version = vers;
1114 rl->role = role;
1115 rl->direction = direction;
9dd90232 1116 rl->level = level;
4030869d 1117
1853d20a 1118 if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
4030869d
MC		 1119 rl->is_first_record = 1;
1120
e2d5742b
MC		 1121 if (!tls_set1_bio(rl, transport))
1122 goto err;
1123
359affde
MC		 1124 if (prev != NULL && !BIO_up_ref(prev))
1125 goto err;
1126 rl->prev = prev;
1127
1128 if (next != NULL && !BIO_up_ref(next))
1129 goto err;
1130 rl->next = next;
1131
9dd90232
MC		 1132 rl->cbarg = cbarg;
1133 for (; fns->function_id != 0; fns++) {
1134 switch (fns->function_id) {
1135 case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA:
3c7b9ef9
MC		 1136 rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns);
1137 break;
1138 case OSSL_FUNC_RLAYER_MSG_CALLBACK:
1139 rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
9dd90232 1140 break;
ed0e298f
MC		 1141 case OSSL_FUNC_RLAYER_SECURITY:
1142 rl->security = OSSL_FUNC_rlayer_security(fns);
1143 break;
9dd90232
MC		 1144 default:
1145 /* Just ignore anything we don't understand */
1146 break;
1147 }
1148 }
1149
7c293999
MC		 1150 *retrl = rl;
1151 return OSSL_RECORD_RETURN_SUCCESS;
cc110a0a 1152 err:
359affde 1153 tls_int_free(rl);
7c293999 1154 return OSSL_RECORD_RETURN_FATAL;
cc110a0a
MC		 1155}
1156
7c293999 1157static int
cc110a0a
MC		 1158tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1159 int role, int direction, int level, unsigned char *key,
1160 size_t keylen, unsigned char *iv, size_t ivlen,
1161 unsigned char *mackey, size_t mackeylen,
1162 const EVP_CIPHER *ciph, size_t taglen,
1163 /* TODO(RECLAYER): This probably should not be an int */
1164 int mactype,
359affde
MC		 1165 const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
1166 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
cc110a0a 1167 const OSSL_PARAM *settings, const OSSL_PARAM *options,
9dd90232 1168 const OSSL_DISPATCH *fns, void *cbarg,
8124ab56 1169 OSSL_RECORD_LAYER **retrl)
cc110a0a 1170{
7c293999
MC		 1171 int ret;
1172
1173 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
1174 key, keylen, iv, ivlen, mackey, mackeylen,
359affde
MC		 1175 ciph, taglen, mactype, md, comp, prev,
1176 transport, next, local, peer, settings,
8124ab56 1177 options, fns, cbarg, retrl);
cc110a0a 1178
7c293999
MC		 1179 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1180 return ret;
cc110a0a 1181
aedbb71b
MC		 1182 switch (vers) {
1183 case TLS_ANY_VERSION:
7c293999 1184 (*retrl)->funcs = &tls_any_funcs;
aedbb71b
MC		 1185 break;
1186 case TLS1_3_VERSION:
7c293999 1187 (*retrl)->funcs = &tls_1_3_funcs;
aedbb71b
MC		 1188 break;
1189 case TLS1_2_VERSION:
aedbb71b 1190 case TLS1_1_VERSION:
aedbb71b 1191 case TLS1_VERSION:
7c293999 1192 (*retrl)->funcs = &tls_1_funcs;
aedbb71b
MC		 1193 break;
1194 case SSL3_VERSION:
7c293999 1195 (*retrl)->funcs = &ssl_3_0_funcs;
aedbb71b
MC		 1196 break;
1197 default:
1198 /* Should not happen */
7c293999
MC		 1199 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
1200 ret = OSSL_RECORD_RETURN_FATAL;
aedbb71b
MC		 1201 goto err;
1202 }
1203
7c293999
MC		 1204 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
1205 ivlen, mackey, mackeylen, ciph,
8124ab56 1206 taglen, mactype, md, comp);
aedbb71b 1207
e2d5742b 1208 err:
7c293999
MC		 1209 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
1210 OPENSSL_free(*retrl);
1211 *retrl = NULL;
1212 }
1213 return ret;
e2d5742b
MC		 1214}
1215
359affde 1216static void tls_int_free(OSSL_RECORD_LAYER *rl)
34a4068c 1217{
2b891e30 1218 /* TODO(RECLAYER): Cleanse sensitive fields */
359affde 1219 BIO_free(rl->prev);
e2d5742b 1220 BIO_free(rl->bio);
359affde
MC		 1221 BIO_free(rl->next);
1222 SSL3_BUFFER_release(&rl->rbuf);
1223
6366bdd9
MC		 1224 EVP_CIPHER_CTX_free(rl->enc_ctx);
1225 EVP_MD_CTX_free(rl->md_ctx);
976b263d 1226#ifndef OPENSSL_NO_COMP
359affde 1227 COMP_CTX_free(rl->expand);
976b263d 1228#endif
359affde 1229
34a4068c
MC		 1230 OPENSSL_free(rl);
1231}
1232
359affde
MC		 1233int tls_free(OSSL_RECORD_LAYER *rl)
1234{
1235 SSL3_BUFFER *rbuf;
1236 size_t left, written;
1237 int ret = 1;
1238
1239 rbuf = &rl->rbuf;
1240
1241 left = SSL3_BUFFER_get_left(rbuf);
1242 if (left > 0) {
1243 /*
1244 * This record layer is closing but we still have data left in our
1245 * buffer. It must be destined for the next epoch - so push it there.
1246 */
1247 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
1248 }
1249 tls_int_free(rl);
1250
1251 return ret;
1252}
1253
1254
1853d20a 1255int tls_reset(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1256{
1257 memset(rl, 0, sizeof(*rl));
1258 return 1;
1259}
1260
1853d20a 1261int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
34a4068c 1262{
0755722c 1263 return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
34a4068c
MC		 1264}
1265
1853d20a 1266int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
34a4068c 1267{
4030869d 1268 return rl->curr_rec < rl->num_recs;
34a4068c
MC		 1269}
1270
1853d20a 1271size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1272{
1273 return 0;
1274}
1275
1853d20a 1276int tls_write_pending(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1277{
1278 return 0;
1279}
1280
1853d20a 1281size_t tls_get_max_record_len(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1282{
1283 return 0;
1284}
1285
1853d20a 1286size_t tls_get_max_records(OSSL_RECORD_LAYER *rl)
34a4068c
MC		 1287{
1288 return 0;
1289}
1290
1853d20a
MC		 1291int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE **templates,
1292 size_t numtempl, size_t allowance, size_t *sent)
34a4068c
MC		 1293{
1294 return 0;
1295}
1296
1853d20a
MC		 1297int tls_retry_write_records(OSSL_RECORD_LAYER *rl, size_t allowance,
1298 size_t *sent)
34a4068c
MC		 1299{
1300 return 0;
1301}
1302
34a4068c 1303
1853d20a 1304int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 1305{
1306 return rl->alert;
1307}
1308
1853d20a 1309int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
e2d5742b
MC		 1310{
1311 if (bio != NULL && !BIO_up_ref(bio))
1312 return 0;
1313 BIO_free(rl->bio);
1314 rl->bio = bio;
1315
1316 return 1;
1317}
1318
1853d20a
MC		 1319/* Shared by most methods except tlsany_meth */
1320int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1321{
1322 if (rl->version != version)
1323 return 0;
1324
1325 return 1;
1326}
1327
1328int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1329{
1330 return rl->funcs->set_protocol_version(rl, version);
1331}
1332
1333void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
1334{
1335 rl->allow_plain_alerts = allow;
1336}
1337
1338void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
1339{
1340 rl->is_first_handshake = first;
1341}
1342
8124ab56
MC		 1343void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
1344{
1345 rl->max_pipelines = max_pipelines;
1346 if (max_pipelines > 1)
1347 rl->read_ahead = 1;
1348}
1349
1853d20a 1350SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 1351{
1352 return &rl->rbuf;
1353}
1354
1853d20a 1355unsigned char *tls_get0_packet(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 1356{
1357 return rl->packet;
1358}
1359
1853d20a
MC		 1360void tls_set0_packet(OSSL_RECORD_LAYER *rl, unsigned char *packet,
1361 size_t packetlen)
e2d5742b
MC		 1362{
1363 rl->packet = packet;
1364 rl->packet_length = packetlen;
1365}
1366
1853d20a 1367size_t tls_get_packet_length(OSSL_RECORD_LAYER *rl)
e2d5742b
MC		 1368{
1369 return rl->packet_length;
1370}
1371
34a4068c
MC		 1372const OSSL_RECORD_METHOD ossl_tls_record_method = {
1373 tls_new_record_layer,
1374 tls_free,
1375 tls_reset,
1376 tls_unprocessed_read_pending,
1377 tls_processed_read_pending,
1378 tls_app_data_pending,
1379 tls_write_pending,
1380 tls_get_max_record_len,
1381 tls_get_max_records,
1382 tls_write_records,
1383 tls_retry_write_records,
1384 tls_read_record,
e2d5742b
MC		 1385 tls_release_record,
1386 tls_get_alert_code,
1387 tls_set1_bio,
1853d20a
MC		 1388 tls_set_protocol_version,
1389 tls_set_plain_alerts,
1390 tls_set_first_handshake,
8124ab56 1391 tls_set_max_pipelines,
e2d5742b
MC		 1392
1393 /*
1394 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
1395 * during the record layer refactoring. They need to be removed before the
1396 * refactor is complete.
1397 */
1853d20a 1398 tls_default_read_n,
cc110a0a
MC		 1399 tls_get0_rbuf,
1400 tls_get0_packet,
1401 tls_set0_packet,
1402 tls_get_packet_length,
1403 tls_reset_packet_length
1404};
A mirror of the official openssl repository