]>
Commit | Line | Data |
---|---|---|
34a4068c MC |
1 | /* |
2 | * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <openssl/bio.h> | |
11 | #include <openssl/ssl.h> | |
e2d5742b MC |
12 | #include <openssl/err.h> |
13 | #include <openssl/core_names.h> | |
14 | #include "internal/e_os.h" | |
4030869d | 15 | #include "internal/packet.h" |
4840c2a5 MC |
16 | #include "../../ssl_local.h" |
17 | #include "../record_local.h" | |
50023e9b | 18 | #include "recmethod_local.h" |
e2d5742b MC |
19 | |
20 | # define SSL_AD_NO_ALERT -1 | |
21 | ||
359affde MC |
22 | static void tls_int_free(OSSL_RECORD_LAYER *rl); |
23 | ||
50023e9b MC |
24 | void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason, |
25 | const char *fmt, ...) | |
e2d5742b MC |
26 | { |
27 | va_list args; | |
28 | ||
29 | va_start(args, fmt); | |
30 | ERR_vset_error(ERR_LIB_SSL, reason, fmt, args); | |
31 | va_end(args); | |
32 | ||
33 | rl->alert = al; | |
34 | } | |
35 | ||
50023e9b MC |
36 | int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl, |
37 | EVP_CIPHER_CTX *ctx, | |
38 | const EVP_CIPHER *ciph, | |
7f2f0ac7 | 39 | const EVP_MD *md) |
aedbb71b MC |
40 | { |
41 | /* | |
42 | * Provided cipher, the TLS padding/MAC removal is performed provider | |
43 | * side so we need to tell the ctx about our TLS version and mac size | |
44 | */ | |
45 | OSSL_PARAM params[3], *pprm = params; | |
46 | size_t macsize = 0; | |
47 | int imacsize = -1; | |
48 | ||
49 | if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0 | |
7f2f0ac7 | 50 | && !rl->use_etm) |
aedbb71b MC |
51 | imacsize = EVP_MD_get_size(md); |
52 | if (imacsize >= 0) | |
53 | macsize = (size_t)imacsize; | |
54 | ||
55 | *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION, | |
56 | &rl->version); | |
57 | *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE, | |
58 | &macsize); | |
59 | *pprm = OSSL_PARAM_construct_end(); | |
60 | ||
61 | if (!EVP_CIPHER_CTX_set_params(ctx, params)) { | |
7c293999 | 62 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
aedbb71b MC |
63 | return 0; |
64 | } | |
65 | ||
66 | return 1; | |
67 | } | |
68 | ||
50023e9b MC |
69 | /* |
70 | * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function | |
71 | * which ssl3_cbc_digest_record supports. | |
aedbb71b | 72 | */ |
50023e9b | 73 | char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) |
2b891e30 | 74 | { |
50023e9b MC |
75 | switch (EVP_MD_CTX_get_type(ctx)) { |
76 | case NID_md5: | |
77 | case NID_sha1: | |
78 | case NID_sha224: | |
79 | case NID_sha256: | |
80 | case NID_sha384: | |
81 | case NID_sha512: | |
2b891e30 | 82 | return 1; |
50023e9b | 83 | default: |
aedbb71b | 84 | return 0; |
aedbb71b | 85 | } |
aedbb71b MC |
86 | } |
87 | ||
976b263d | 88 | #ifndef OPENSSL_NO_COMP |
e2d5742b MC |
89 | static int rlayer_allow_compression(OSSL_RECORD_LAYER *rl) |
90 | { | |
91 | if (rl->options & SSL_OP_NO_COMPRESSION) | |
92 | return 0; | |
ed0e298f MC |
93 | |
94 | return rl->security(rl->cbarg, SSL_SECOP_COMPRESSION, 0, 0, NULL); | |
e2d5742b | 95 | } |
976b263d | 96 | #endif |
e2d5742b MC |
97 | |
98 | static int rlayer_setup_read_buffer(OSSL_RECORD_LAYER *rl) | |
99 | { | |
100 | unsigned char *p; | |
101 | size_t len, align = 0, headerlen; | |
102 | SSL3_BUFFER *b; | |
103 | ||
104 | b = &rl->rbuf; | |
105 | ||
106 | if (rl->isdtls) | |
107 | headerlen = DTLS1_RT_HEADER_LENGTH; | |
108 | else | |
109 | headerlen = SSL3_RT_HEADER_LENGTH; | |
110 | ||
111 | #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 | |
112 | align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); | |
113 | #endif | |
114 | ||
115 | if (b->buf == NULL) { | |
116 | len = SSL3_RT_MAX_PLAIN_LENGTH | |
117 | + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align; | |
118 | #ifndef OPENSSL_NO_COMP | |
119 | if (rlayer_allow_compression(rl)) | |
120 | len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; | |
121 | #endif | |
122 | if (b->default_len > len) | |
123 | len = b->default_len; | |
124 | if ((p = OPENSSL_malloc(len)) == NULL) { | |
125 | /* | |
126 | * We've got a malloc failure, and we're still initialising buffers. | |
127 | * We assume we're so doomed that we won't even be able to send an | |
128 | * alert. | |
129 | */ | |
130 | RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_MALLOC_FAILURE); | |
131 | return 0; | |
132 | } | |
133 | b->buf = p; | |
134 | b->len = len; | |
135 | } | |
136 | ||
137 | return 1; | |
138 | } | |
139 | ||
140 | static int rlayer_release_read_buffer(OSSL_RECORD_LAYER *rl) | |
141 | { | |
142 | SSL3_BUFFER *b; | |
143 | ||
144 | b = &rl->rbuf; | |
145 | if (rl->options & SSL_OP_CLEANSE_PLAINTEXT) | |
146 | OPENSSL_cleanse(b->buf, b->len); | |
147 | OPENSSL_free(b->buf); | |
148 | b->buf = NULL; | |
149 | return 1; | |
150 | } | |
151 | ||
1853d20a | 152 | void tls_reset_packet_length(OSSL_RECORD_LAYER *rl) |
4030869d MC |
153 | { |
154 | rl->packet_length = 0; | |
155 | } | |
156 | ||
e2d5742b MC |
157 | /* |
158 | * Return values are as per SSL_read() | |
159 | */ | |
1853d20a MC |
160 | int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, |
161 | int clearold, size_t *readbytes) | |
e2d5742b MC |
162 | { |
163 | /* | |
164 | * If extend == 0, obtain new n-byte packet; if extend == 1, increase | |
165 | * packet by another n bytes. The packet will be in the sub-array of | |
166 | * s->rlayer.rbuf.buf specified by s->rlayer.packet and | |
167 | * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may | |
168 | * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].) | |
169 | * if clearold == 1, move the packet to the start of the buffer; if | |
170 | * clearold == 0 then leave any old packets where they were | |
171 | */ | |
172 | size_t len, left, align = 0; | |
173 | unsigned char *pkt; | |
174 | SSL3_BUFFER *rb; | |
175 | ||
176 | if (n == 0) | |
177 | return OSSL_RECORD_RETURN_NON_FATAL_ERR; | |
178 | ||
179 | rb = &rl->rbuf; | |
cc110a0a MC |
180 | /* |
181 | * TODO(RECLAYER): Once this function is only called from inside the rlayer | |
182 | * directly, we can probably remove this since it is initialised in | |
183 | * tls_get_more_records | |
184 | */ | |
e2d5742b MC |
185 | if (rb->buf == NULL) { |
186 | if (!rlayer_setup_read_buffer(rl)) { | |
187 | /* RLAYERfatal() already called */ | |
188 | return OSSL_RECORD_RETURN_FATAL; | |
189 | } | |
190 | } | |
191 | ||
192 | left = rb->left; | |
193 | #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0 | |
194 | align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH; | |
195 | align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD); | |
196 | #endif | |
197 | ||
198 | if (!extend) { | |
199 | /* start with empty packet ... */ | |
200 | if (left == 0) { | |
201 | rb->offset = align; | |
202 | } else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) { | |
203 | /* | |
204 | * check if next packet length is large enough to justify payload | |
205 | * alignment... | |
206 | */ | |
207 | pkt = rb->buf + rb->offset; | |
208 | if (pkt[0] == SSL3_RT_APPLICATION_DATA | |
209 | && (pkt[3] << 8 | pkt[4]) >= 128) { | |
210 | /* | |
211 | * Note that even if packet is corrupted and its length field | |
212 | * is insane, we can only be led to wrong decision about | |
213 | * whether memmove will occur or not. Header values has no | |
214 | * effect on memmove arguments and therefore no buffer | |
215 | * overrun can be triggered. | |
216 | */ | |
217 | memmove(rb->buf + align, pkt, left); | |
218 | rb->offset = align; | |
219 | } | |
220 | } | |
221 | rl->packet = rb->buf + rb->offset; | |
222 | rl->packet_length = 0; | |
223 | /* ... now we can act as if 'extend' was set */ | |
224 | } | |
225 | ||
226 | len = rl->packet_length; | |
227 | pkt = rb->buf + align; | |
228 | /* | |
229 | * Move any available bytes to front of buffer: 'len' bytes already | |
230 | * pointed to by 'packet', 'left' extra ones at the end | |
231 | */ | |
232 | if (rl->packet != pkt && clearold == 1) { | |
233 | memmove(pkt, rl->packet, len + left); | |
234 | rl->packet = pkt; | |
235 | rb->offset = len + align; | |
236 | } | |
237 | ||
238 | /* | |
239 | * For DTLS/UDP reads should not span multiple packets because the read | |
240 | * operation returns the whole packet at once (as long as it fits into | |
241 | * the buffer). | |
242 | */ | |
243 | if (rl->isdtls) { | |
244 | if (left == 0 && extend) | |
245 | return 0; | |
246 | if (left > 0 && n > left) | |
247 | n = left; | |
248 | } | |
249 | ||
250 | /* if there is enough in the buffer from a previous read, take some */ | |
251 | if (left >= n) { | |
252 | rl->packet_length += n; | |
253 | rb->left = left - n; | |
254 | rb->offset += n; | |
255 | *readbytes = n; | |
256 | return OSSL_RECORD_RETURN_SUCCESS; | |
257 | } | |
258 | ||
259 | /* else we need to read more data */ | |
260 | ||
261 | if (n > rb->len - rb->offset) { | |
262 | /* does not happen */ | |
263 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
264 | return OSSL_RECORD_RETURN_FATAL; | |
265 | } | |
266 | ||
1853d20a MC |
267 | /* We always act like read_ahead is set for DTLS */ |
268 | if (!rl->read_ahead && !rl->isdtls) { | |
e2d5742b MC |
269 | /* ignore max parameter */ |
270 | max = n; | |
271 | } else { | |
272 | if (max < n) | |
273 | max = n; | |
274 | if (max > rb->len - rb->offset) | |
275 | max = rb->len - rb->offset; | |
276 | } | |
277 | ||
278 | while (left < n) { | |
279 | size_t bioread = 0; | |
280 | int ret; | |
359affde | 281 | BIO *bio = rl->prev != NULL ? rl->prev : rl->bio; |
e2d5742b MC |
282 | |
283 | /* | |
284 | * Now we have len+left bytes at the front of s->s3.rbuf.buf and | |
285 | * need to read in more until we have len+n (up to len+max if | |
286 | * possible) | |
287 | */ | |
288 | ||
289 | clear_sys_error(); | |
359affde MC |
290 | if (bio != NULL) { |
291 | ret = BIO_read(bio, pkt + len + left, max - left); | |
e2d5742b MC |
292 | if (ret > 0) { |
293 | bioread = ret; | |
294 | ret = OSSL_RECORD_RETURN_SUCCESS; | |
359affde MC |
295 | } else if (BIO_should_retry(bio)) { |
296 | if (rl->prev != NULL) { | |
297 | /* | |
298 | * We were reading from the previous epoch. Now there is no | |
299 | * more data, so swap to the actual transport BIO | |
300 | */ | |
301 | BIO_free(rl->prev); | |
302 | rl->prev = NULL; | |
303 | continue; | |
304 | } | |
e2d5742b | 305 | ret = OSSL_RECORD_RETURN_RETRY; |
359affde | 306 | } else if (BIO_eof(bio)) { |
e2d5742b MC |
307 | ret = OSSL_RECORD_RETURN_EOF; |
308 | } else { | |
309 | ret = OSSL_RECORD_RETURN_FATAL; | |
310 | } | |
311 | } else { | |
312 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET); | |
313 | ret = OSSL_RECORD_RETURN_FATAL; | |
314 | } | |
315 | ||
316 | if (ret <= OSSL_RECORD_RETURN_RETRY) { | |
317 | rb->left = left; | |
318 | if (rl->mode & SSL_MODE_RELEASE_BUFFERS && !rl->isdtls) | |
319 | if (len + left == 0) | |
320 | rlayer_release_read_buffer(rl); | |
321 | return ret; | |
322 | } | |
323 | left += bioread; | |
324 | /* | |
325 | * reads should *never* span multiple packets for DTLS because the | |
326 | * underlying transport protocol is message oriented as opposed to | |
327 | * byte oriented as in the TLS case. | |
328 | */ | |
329 | if (rl->isdtls) { | |
330 | if (n > left) | |
331 | n = left; /* makes the while condition false */ | |
332 | } | |
333 | } | |
334 | ||
335 | /* done reading, now the book-keeping */ | |
336 | rb->offset += n; | |
337 | rb->left = left - n; | |
338 | rl->packet_length += n; | |
339 | *readbytes = n; | |
340 | return OSSL_RECORD_RETURN_SUCCESS; | |
341 | } | |
342 | ||
4030869d MC |
343 | /* |
344 | * Peeks ahead into "read_ahead" data to see if we have a whole record waiting | |
345 | * for us in the buffer. | |
346 | */ | |
347 | static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl) | |
348 | { | |
349 | SSL3_BUFFER *rbuf; | |
350 | size_t left, len; | |
351 | unsigned char *p; | |
352 | ||
353 | rbuf = &rl->rbuf; | |
354 | ||
355 | p = SSL3_BUFFER_get_buf(rbuf); | |
356 | if (p == NULL) | |
357 | return 0; | |
358 | ||
359 | left = SSL3_BUFFER_get_left(rbuf); | |
360 | ||
361 | if (left < SSL3_RT_HEADER_LENGTH) | |
362 | return 0; | |
363 | ||
364 | p += SSL3_BUFFER_get_offset(rbuf); | |
365 | ||
366 | /* | |
367 | * We only check the type and record length, we will sanity check version | |
368 | * etc later | |
369 | */ | |
370 | if (*p != SSL3_RT_APPLICATION_DATA) | |
371 | return 0; | |
372 | ||
373 | p += 3; | |
374 | n2s(p, len); | |
375 | ||
376 | if (left < SSL3_RT_HEADER_LENGTH + len) | |
377 | return 0; | |
378 | ||
379 | return 1; | |
380 | } | |
381 | ||
9dd90232 MC |
382 | static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length, |
383 | size_t overhead, int send) | |
384 | { | |
385 | uint32_t max_early_data = rl->max_early_data; | |
386 | ||
387 | if (max_early_data == 0) { | |
388 | RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, | |
389 | SSL_R_TOO_MUCH_EARLY_DATA); | |
390 | return 0; | |
391 | } | |
392 | ||
393 | /* If we are dealing with ciphertext we need to allow for the overhead */ | |
394 | max_early_data += overhead; | |
395 | ||
396 | if (rl->early_data_count + length > max_early_data) { | |
397 | RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, | |
398 | SSL_R_TOO_MUCH_EARLY_DATA); | |
399 | return 0; | |
400 | } | |
401 | rl->early_data_count += length; | |
402 | ||
403 | return 1; | |
404 | } | |
405 | ||
4030869d MC |
406 | /* |
407 | * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that | |
408 | * will be processed per call to ssl3_get_record. Without this limit an | |
409 | * attacker could send empty records at a faster rate than we can process and | |
410 | * cause ssl3_get_record to loop forever. | |
411 | */ | |
412 | #define MAX_EMPTY_RECORDS 32 | |
413 | ||
414 | #define SSL2_RT_HEADER_LENGTH 2 | |
415 | ||
416 | /*- | |
417 | * Call this to buffer new input records in rl->rrec. | |
418 | * It will return a OSSL_RECORD_RETURN_* value. | |
419 | * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs| | |
420 | * records have been decoded. For each record 'i': | |
421 | * rrec[i].type - is the type of record | |
422 | * rrec[i].data, - data | |
423 | * rrec[i].length, - number of bytes | |
424 | * Multiple records will only be returned if the record types are all | |
425 | * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <= | |
426 | * |max_pipelines| | |
427 | */ | |
eddb067e | 428 | int tls_get_more_records(OSSL_RECORD_LAYER *rl) |
4030869d MC |
429 | { |
430 | int enc_err, rret; | |
431 | int i; | |
432 | size_t more, n; | |
433 | SSL3_RECORD *rr, *thisrr; | |
434 | SSL3_BUFFER *rbuf; | |
4030869d MC |
435 | unsigned char *p; |
436 | unsigned char md[EVP_MAX_MD_SIZE]; | |
437 | unsigned int version; | |
438 | size_t mac_size = 0; | |
439 | int imac_size; | |
440 | size_t num_recs = 0, max_recs, j; | |
441 | PACKET pkt, sslv2pkt; | |
4030869d MC |
442 | SSL_MAC_BUF *macbufs = NULL; |
443 | int ret = OSSL_RECORD_RETURN_FATAL; | |
4030869d MC |
444 | |
445 | rr = rl->rrec; | |
446 | rbuf = &rl->rbuf; | |
cc110a0a MC |
447 | if (rbuf->buf == NULL) { |
448 | if (!rlayer_setup_read_buffer(rl)) { | |
449 | /* RLAYERfatal() already called */ | |
450 | return OSSL_RECORD_RETURN_FATAL; | |
451 | } | |
452 | } | |
4030869d | 453 | |
8124ab56 MC |
454 | max_recs = rl->max_pipelines; |
455 | ||
4030869d MC |
456 | if (max_recs == 0) |
457 | max_recs = 1; | |
4030869d | 458 | |
4030869d MC |
459 | do { |
460 | thisrr = &rr[num_recs]; | |
461 | ||
462 | /* check if we have the header */ | |
463 | if ((rl->rstate != SSL_ST_READ_BODY) || | |
464 | (rl->packet_length < SSL3_RT_HEADER_LENGTH)) { | |
465 | size_t sslv2len; | |
466 | unsigned int type; | |
467 | ||
1853d20a MC |
468 | rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH, |
469 | SSL3_BUFFER_get_len(rbuf), 0, | |
470 | num_recs == 0 ? 1 : 0, &n); | |
471 | ||
472 | if (rret < OSSL_RECORD_RETURN_SUCCESS) | |
473 | return rret; /* error or non-blocking */ | |
474 | ||
4030869d MC |
475 | rl->rstate = SSL_ST_READ_BODY; |
476 | ||
477 | p = rl->packet; | |
478 | if (!PACKET_buf_init(&pkt, p, rl->packet_length)) { | |
479 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
480 | return OSSL_RECORD_RETURN_FATAL; | |
481 | } | |
482 | sslv2pkt = pkt; | |
483 | if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len) | |
484 | || !PACKET_get_1(&sslv2pkt, &type)) { | |
485 | RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); | |
486 | return OSSL_RECORD_RETURN_FATAL; | |
487 | } | |
488 | /* | |
489 | * The first record received by the server may be a V2ClientHello. | |
490 | */ | |
491 | if (rl->role == OSSL_RECORD_ROLE_SERVER | |
492 | && rl->is_first_record | |
493 | && (sslv2len & 0x8000) != 0 | |
494 | && (type == SSL2_MT_CLIENT_HELLO)) { | |
495 | /* | |
496 | * SSLv2 style record | |
497 | * | |
498 | * |num_recs| here will actually always be 0 because | |
499 | * |num_recs > 0| only ever occurs when we are processing | |
500 | * multiple app data records - which we know isn't the case here | |
501 | * because it is an SSLv2ClientHello. We keep it using | |
502 | * |num_recs| for the sake of consistency | |
503 | */ | |
504 | thisrr->type = SSL3_RT_HANDSHAKE; | |
505 | thisrr->rec_version = SSL2_VERSION; | |
506 | ||
507 | thisrr->length = sslv2len & 0x7fff; | |
508 | ||
509 | if (thisrr->length > SSL3_BUFFER_get_len(rbuf) | |
510 | - SSL2_RT_HEADER_LENGTH) { | |
511 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, | |
512 | SSL_R_PACKET_LENGTH_TOO_LONG); | |
513 | return OSSL_RECORD_RETURN_FATAL; | |
514 | } | |
4030869d MC |
515 | } else { |
516 | /* SSLv3+ style record */ | |
517 | ||
518 | /* Pull apart the header into the SSL3_RECORD */ | |
519 | if (!PACKET_get_1(&pkt, &type) | |
520 | || !PACKET_get_net_2(&pkt, &version) | |
521 | || !PACKET_get_net_2_len(&pkt, &thisrr->length)) { | |
3c7b9ef9 | 522 | rl->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, rl->cbarg); |
4030869d MC |
523 | RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); |
524 | return OSSL_RECORD_RETURN_FATAL; | |
525 | } | |
526 | thisrr->type = type; | |
527 | thisrr->rec_version = version; | |
528 | ||
014baa8a MC |
529 | /* |
530 | * When we call validate_record_header() only records actually | |
531 | * received in SSLv2 format should have the record version set | |
532 | * to SSL2_VERSION. This way validate_record_header() can know | |
533 | * what format the record was in based on the version. | |
534 | */ | |
535 | if (thisrr->rec_version == SSL2_VERSION) { | |
536 | RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, | |
537 | SSL_R_WRONG_VERSION_NUMBER); | |
538 | return OSSL_RECORD_RETURN_FATAL; | |
539 | } | |
540 | ||
3c7b9ef9 | 541 | rl->msg_callback(0, version, SSL3_RT_HEADER, p, 5, rl->cbarg); |
4030869d | 542 | |
4030869d MC |
543 | if (thisrr->length > |
544 | SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) { | |
545 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, | |
546 | SSL_R_PACKET_LENGTH_TOO_LONG); | |
547 | return OSSL_RECORD_RETURN_FATAL; | |
548 | } | |
549 | } | |
550 | ||
1853d20a MC |
551 | if (!rl->funcs->validate_record_header(rl, thisrr)) { |
552 | /* RLAYERfatal already called */ | |
4030869d MC |
553 | return OSSL_RECORD_RETURN_FATAL; |
554 | } | |
4030869d | 555 | |
1853d20a | 556 | /* now rl->rstate == SSL_ST_READ_BODY */ |
4030869d MC |
557 | } |
558 | ||
559 | /* | |
560 | * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate | |
561 | * how much more data we need to read for the rest of the record | |
562 | */ | |
563 | if (thisrr->rec_version == SSL2_VERSION) { | |
564 | more = thisrr->length + SSL2_RT_HEADER_LENGTH | |
565 | - SSL3_RT_HEADER_LENGTH; | |
566 | } else { | |
567 | more = thisrr->length; | |
568 | } | |
569 | ||
570 | if (more > 0) { | |
571 | /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */ | |
572 | ||
1853d20a | 573 | rret = rl->funcs->read_n(rl, more, more, 1, 0, &n); |
4030869d MC |
574 | if (rret < OSSL_RECORD_RETURN_SUCCESS) |
575 | return rret; /* error or non-blocking io */ | |
576 | } | |
577 | ||
578 | /* set state for later operations */ | |
579 | rl->rstate = SSL_ST_READ_HEADER; | |
580 | ||
581 | /* | |
582 | * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH | |
583 | * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH | |
584 | * + thisrr->length and we have that many bytes in rl->packet | |
585 | */ | |
586 | if (thisrr->rec_version == SSL2_VERSION) | |
587 | thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]); | |
588 | else | |
589 | thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]); | |
590 | ||
591 | /* | |
592 | * ok, we can now read from 'rl->packet' data into 'thisrr'. | |
593 | * thisrr->input points at thisrr->length bytes, which need to be copied | |
594 | * into thisrr->data by either the decryption or by the decompression. | |
595 | * When the data is 'copied' into the thisrr->data buffer, | |
596 | * thisrr->input will be updated to point at the new buffer | |
597 | */ | |
598 | ||
599 | /* | |
600 | * We now have - encrypted [ MAC [ compressed [ plain ] ] ] | |
601 | * thisrr->length bytes of encrypted compressed stuff. | |
602 | */ | |
603 | ||
604 | /* decrypt in place in 'thisrr->input' */ | |
605 | thisrr->data = thisrr->input; | |
606 | thisrr->orig_len = thisrr->length; | |
607 | ||
608 | /* Mark this record as not read by upper layers yet */ | |
609 | thisrr->read = 0; | |
610 | ||
611 | num_recs++; | |
612 | ||
613 | /* we have pulled in a full packet so zero things */ | |
614 | tls_reset_packet_length(rl); | |
615 | rl->is_first_record = 0; | |
616 | } while (num_recs < max_recs | |
617 | && thisrr->type == SSL3_RT_APPLICATION_DATA | |
88d61680 | 618 | && RLAYER_USE_EXPLICIT_IV(rl) |
6366bdd9 MC |
619 | && rl->enc_ctx != NULL |
620 | && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx)) | |
4030869d MC |
621 | & EVP_CIPH_FLAG_PIPELINE) != 0 |
622 | && tls_record_app_data_waiting(rl)); | |
623 | ||
624 | if (num_recs == 1 | |
625 | && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC | |
9cd9e097 MC |
626 | /* The following can happen in tlsany_meth after HRR */ |
627 | && rl->version == TLS1_3_VERSION | |
1853d20a | 628 | && rl->is_first_handshake) { |
4030869d MC |
629 | /* |
630 | * CCS messages must be exactly 1 byte long, containing the value 0x01 | |
631 | */ | |
632 | if (thisrr->length != 1 || thisrr->data[0] != 0x01) { | |
633 | RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER, | |
634 | SSL_R_INVALID_CCS_MESSAGE); | |
635 | return OSSL_RECORD_RETURN_FATAL; | |
636 | } | |
637 | /* | |
638 | * CCS messages are ignored in TLSv1.3. We treat it like an empty | |
639 | * handshake record | |
640 | */ | |
641 | thisrr->type = SSL3_RT_HANDSHAKE; | |
aedbb71b | 642 | if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) { |
4030869d MC |
643 | RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, |
644 | SSL_R_UNEXPECTED_CCS_MESSAGE); | |
645 | return OSSL_RECORD_RETURN_FATAL; | |
646 | } | |
647 | thisrr->read = 1; | |
648 | rl->num_recs = 0; | |
649 | rl->curr_rec = 0; | |
650 | rl->num_released = 0; | |
651 | ||
652 | return OSSL_RECORD_RETURN_SUCCESS; | |
653 | } | |
654 | ||
6366bdd9 MC |
655 | if (rl->md_ctx != NULL) { |
656 | const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx); | |
4030869d MC |
657 | |
658 | if (tmpmd != NULL) { | |
659 | imac_size = EVP_MD_get_size(tmpmd); | |
660 | if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { | |
661 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); | |
662 | return OSSL_RECORD_RETURN_FATAL; | |
663 | } | |
664 | mac_size = (size_t)imac_size; | |
665 | } | |
666 | } | |
667 | ||
668 | /* | |
669 | * If in encrypt-then-mac mode calculate mac from encrypted record. All | |
670 | * the details below are public so no timing details can leak. | |
671 | */ | |
6366bdd9 | 672 | if (rl->use_etm && rl->md_ctx) { |
4030869d MC |
673 | unsigned char *mac; |
674 | ||
675 | for (j = 0; j < num_recs; j++) { | |
676 | thisrr = &rr[j]; | |
677 | ||
678 | if (thisrr->length < mac_size) { | |
679 | RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); | |
680 | return OSSL_RECORD_RETURN_FATAL; | |
681 | } | |
682 | thisrr->length -= mac_size; | |
683 | mac = thisrr->data + thisrr->length; | |
8124ab56 | 684 | i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */); |
4030869d MC |
685 | if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) { |
686 | RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, | |
687 | SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); | |
688 | return OSSL_RECORD_RETURN_FATAL; | |
689 | } | |
690 | } | |
691 | /* | |
692 | * We've handled the mac now - there is no MAC inside the encrypted | |
693 | * record | |
694 | */ | |
695 | mac_size = 0; | |
696 | } | |
697 | ||
698 | if (mac_size > 0) { | |
699 | macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs); | |
700 | if (macbufs == NULL) { | |
701 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); | |
702 | return OSSL_RECORD_RETURN_FATAL; | |
703 | } | |
704 | } | |
705 | ||
aedbb71b MC |
706 | /* |
707 | * TODO(RECLAYER): Only call rl functions once TLSv1.3/SSLv3 is moved to new | |
708 | * record layer code | |
709 | */ | |
8124ab56 | 710 | enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size); |
4030869d MC |
711 | |
712 | /*- | |
713 | * enc_err is: | |
714 | * 0: if the record is publicly invalid, or an internal error, or AEAD | |
715 | * decryption failed, or ETM decryption failed. | |
716 | * 1: Success or MTE decryption failed (MAC will be randomised) | |
717 | */ | |
718 | if (enc_err == 0) { | |
651216dd MC |
719 | if (rl->alert != 0) { |
720 | /* RLAYERfatal() already got called */ | |
4030869d MC |
721 | goto end; |
722 | } | |
3c7b9ef9 | 723 | if (num_recs == 1 && rl->skip_early_data(rl->cbarg)) { |
4030869d MC |
724 | /* |
725 | * Valid early_data that we cannot decrypt will fail here. We treat | |
726 | * it like an empty record. | |
727 | */ | |
728 | ||
729 | thisrr = &rr[0]; | |
730 | ||
9dd90232 MC |
731 | if (!rlayer_early_data_count_ok(rl, thisrr->length, |
732 | EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { | |
733 | /* RLAYERfatal() already called */ | |
4030869d MC |
734 | goto end; |
735 | } | |
736 | ||
737 | thisrr->length = 0; | |
738 | thisrr->read = 1; | |
739 | rl->num_recs = 0; | |
740 | rl->curr_rec = 0; | |
741 | rl->num_released = 0; | |
0755722c MC |
742 | /* Reset the read sequence */ |
743 | memset(rl->sequence, 0, sizeof(rl->sequence)); | |
4030869d MC |
744 | ret = 1; |
745 | goto end; | |
746 | } | |
747 | RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, | |
748 | SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); | |
749 | goto end; | |
750 | } | |
751 | OSSL_TRACE_BEGIN(TLS) { | |
752 | BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length); | |
753 | BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4); | |
754 | } OSSL_TRACE_END(TLS); | |
755 | ||
756 | /* r->length is now the compressed data plus mac */ | |
6366bdd9 | 757 | if (rl->enc_ctx != NULL |
ffbd6e67 | 758 | && !rl->use_etm |
6366bdd9 MC |
759 | && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) { |
760 | /* rl->md_ctx != NULL => mac_size != -1 */ | |
4030869d MC |
761 | |
762 | for (j = 0; j < num_recs; j++) { | |
763 | SSL_MAC_BUF *thismb = &macbufs[j]; | |
764 | thisrr = &rr[j]; | |
765 | ||
8124ab56 | 766 | i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */); |
4030869d MC |
767 | if (i == 0 || thismb == NULL || thismb->mac == NULL |
768 | || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0) | |
769 | enc_err = 0; | |
770 | if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) | |
771 | enc_err = 0; | |
772 | } | |
773 | } | |
774 | ||
775 | if (enc_err == 0) { | |
651216dd MC |
776 | if (rl->alert != 0) { |
777 | /* We already called RLAYERfatal() */ | |
4030869d MC |
778 | goto end; |
779 | } | |
780 | /* | |
781 | * A separate 'decryption_failed' alert was introduced with TLS 1.0, | |
782 | * SSL 3.0 only has 'bad_record_mac'. But unless a decryption | |
783 | * failure is directly visible from the ciphertext anyway, we should | |
784 | * not reveal which kind of error occurred -- this might become | |
785 | * visible to an attacker (e.g. via a logfile) | |
786 | */ | |
787 | RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, | |
788 | SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); | |
789 | goto end; | |
790 | } | |
791 | ||
4030869d MC |
792 | for (j = 0; j < num_recs; j++) { |
793 | thisrr = &rr[j]; | |
794 | ||
8124ab56 | 795 | if (!rl->funcs->post_process_record(rl, thisrr)) { |
1853d20a | 796 | /* RLAYERfatal already called */ |
4030869d MC |
797 | goto end; |
798 | } | |
799 | ||
800 | /* | |
801 | * Check if the received packet overflows the current | |
802 | * Max Fragment Length setting. | |
ffbd6e67 | 803 | * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive. |
4030869d | 804 | */ |
ffbd6e67 | 805 | if (rl->max_frag_len > 0 && thisrr->length > rl->max_frag_len) { |
4030869d MC |
806 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); |
807 | goto end; | |
808 | } | |
809 | ||
810 | thisrr->off = 0; | |
811 | /*- | |
812 | * So at this point the following is true | |
813 | * thisrr->type is the type of record | |
814 | * thisrr->length == number of bytes in record | |
815 | * thisrr->off == offset to first valid byte | |
816 | * thisrr->data == where to take bytes from, increment after use :-). | |
817 | */ | |
818 | ||
819 | /* just read a 0 length packet */ | |
820 | if (thisrr->length == 0) { | |
aedbb71b | 821 | if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) { |
4030869d MC |
822 | RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_RECORD_TOO_SMALL); |
823 | goto end; | |
824 | } | |
825 | } else { | |
aedbb71b | 826 | rl->empty_record_count = 0; |
4030869d MC |
827 | } |
828 | } | |
829 | ||
9dd90232 | 830 | if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) { |
4030869d MC |
831 | thisrr = &rr[0]; |
832 | if (thisrr->type == SSL3_RT_APPLICATION_DATA | |
9dd90232 MC |
833 | && !rlayer_early_data_count_ok(rl, thisrr->length, 0, 0)) { |
834 | /* RLAYERfatal already called */ | |
4030869d MC |
835 | goto end; |
836 | } | |
837 | } | |
838 | ||
839 | rl->num_recs = num_recs; | |
840 | rl->curr_rec = 0; | |
841 | rl->num_released = 0; | |
842 | ret = OSSL_RECORD_RETURN_SUCCESS; | |
843 | end: | |
844 | if (macbufs != NULL) { | |
845 | for (j = 0; j < num_recs; j++) { | |
846 | if (macbufs[j].alloced) | |
847 | OPENSSL_free(macbufs[j].mac); | |
848 | } | |
849 | OPENSSL_free(macbufs); | |
850 | } | |
851 | return ret; | |
852 | } | |
853 | ||
1853d20a MC |
854 | /* Shared by ssl3_meth and tls1_meth */ |
855 | int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) | |
856 | { | |
857 | size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH; | |
858 | ||
859 | if (rec->rec_version != rl->version) { | |
860 | RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER); | |
861 | return 0; | |
862 | } | |
863 | ||
864 | #ifndef OPENSSL_NO_COMP | |
865 | /* | |
866 | * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH | |
867 | * does not include the compression overhead anyway. | |
868 | */ | |
869 | if (rl->expand == NULL) | |
870 | len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD; | |
871 | #endif | |
872 | ||
873 | if (rec->length > len) { | |
874 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, | |
875 | SSL_R_ENCRYPTED_LENGTH_TOO_LONG); | |
876 | return 0; | |
877 | } | |
878 | ||
879 | return 1; | |
880 | } | |
881 | ||
882 | static int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) | |
883 | { | |
884 | #ifndef OPENSSL_NO_COMP | |
885 | int i; | |
886 | ||
887 | if (rec->comp == NULL) { | |
888 | rec->comp = (unsigned char *) | |
889 | OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); | |
890 | } | |
891 | if (rec->comp == NULL) | |
892 | return 0; | |
893 | ||
894 | i = COMP_expand_block(rl->expand, rec->comp, | |
895 | SSL3_RT_MAX_PLAIN_LENGTH, rec->data, (int)rec->length); | |
896 | if (i < 0) | |
897 | return 0; | |
898 | else | |
899 | rec->length = i; | |
900 | rec->data = rec->comp; | |
901 | return 1; | |
902 | #else | |
903 | return 0; | |
904 | #endif | |
905 | } | |
906 | ||
907 | /* Shared by tlsany_meth, ssl3_meth and tls1_meth */ | |
8124ab56 | 908 | int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) |
1853d20a MC |
909 | { |
910 | if (rl->expand != NULL) { | |
911 | if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { | |
912 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, | |
913 | SSL_R_COMPRESSED_LENGTH_TOO_LONG); | |
914 | return 0; | |
915 | } | |
916 | if (!tls_do_uncompress(rl, rec)) { | |
917 | RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE, | |
918 | SSL_R_BAD_DECOMPRESSION); | |
919 | return 0; | |
920 | } | |
921 | } | |
922 | ||
923 | if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) { | |
924 | RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); | |
925 | return 0; | |
926 | } | |
927 | ||
928 | return 1; | |
929 | } | |
930 | ||
931 | /* Shared by tls13_meth and ktls_meth */ | |
8124ab56 | 932 | int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) |
1853d20a | 933 | { |
1853d20a MC |
934 | if (rec->type != SSL3_RT_APPLICATION_DATA |
935 | && rec->type != SSL3_RT_ALERT | |
936 | && rec->type != SSL3_RT_HANDSHAKE) { | |
937 | RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); | |
938 | return 0; | |
939 | } | |
940 | ||
3c7b9ef9 MC |
941 | rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &rec->type, |
942 | 1, rl->cbarg); | |
1853d20a MC |
943 | |
944 | /* | |
945 | * TLSv1.3 alert and handshake records are required to be non-zero in | |
946 | * length. | |
947 | */ | |
948 | if ((rec->type == SSL3_RT_HANDSHAKE | |
949 | || rec->type == SSL3_RT_ALERT) | |
950 | && rec->length == 0) { | |
951 | RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH); | |
952 | return 0; | |
953 | } | |
954 | ||
955 | return 1; | |
956 | } | |
957 | ||
958 | int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion, | |
959 | int *type, unsigned char **data, size_t *datalen, | |
8124ab56 | 960 | uint16_t *epoch, unsigned char *seq_num) |
4030869d MC |
961 | { |
962 | SSL3_RECORD *rec; | |
963 | ||
964 | /* | |
965 | * tls_get_more_records() can return success without actually reading | |
966 | * anything useful (i.e. if empty records are read). We loop here until | |
967 | * we have something useful. tls_get_more_records() will eventually fail if | |
968 | * too many sequential empty records are read. | |
969 | */ | |
970 | while (rl->curr_rec >= rl->num_recs) { | |
971 | int ret; | |
972 | ||
973 | if (rl->num_released != rl->num_recs) { | |
974 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED); | |
975 | return OSSL_RECORD_RETURN_FATAL; | |
976 | } | |
977 | ||
eddb067e | 978 | ret = rl->funcs->get_more_records(rl); |
4030869d MC |
979 | |
980 | if (ret != OSSL_RECORD_RETURN_SUCCESS) | |
981 | return ret; | |
982 | } | |
983 | ||
984 | /* | |
985 | * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec | |
986 | * points to the next one to read. | |
987 | */ | |
988 | rec = &rl->rrec[rl->curr_rec++]; | |
989 | ||
990 | *rechandle = rec; | |
991 | *rversion = rec->rec_version; | |
992 | *type = rec->type; | |
eddb067e | 993 | *data = rec->data + rec->off; |
4030869d | 994 | *datalen = rec->length; |
eddb067e MC |
995 | if (rl->isdtls) { |
996 | *epoch = (uint16_t)rec->epoch; | |
997 | memcpy(seq_num, rec->seq_num, sizeof(rec->seq_num)); | |
998 | } | |
4030869d MC |
999 | |
1000 | return OSSL_RECORD_RETURN_SUCCESS; | |
1001 | } | |
1002 | ||
1853d20a | 1003 | int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle) |
4030869d MC |
1004 | { |
1005 | if (!ossl_assert(rl->num_released < rl->curr_rec) | |
1006 | || !ossl_assert(rechandle == &rl->rrec[rl->num_released])) { | |
1007 | /* Should not happen */ | |
1008 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD); | |
1009 | return OSSL_RECORD_RETURN_FATAL; | |
1010 | } | |
1011 | ||
1012 | rl->num_released++; | |
1013 | ||
1014 | return OSSL_RECORD_RETURN_SUCCESS; | |
1015 | } | |
1016 | ||
1853d20a | 1017 | int |
cc110a0a MC |
1018 | tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, |
1019 | int role, int direction, int level, unsigned char *key, | |
1020 | size_t keylen, unsigned char *iv, size_t ivlen, | |
1021 | unsigned char *mackey, size_t mackeylen, | |
1022 | const EVP_CIPHER *ciph, size_t taglen, | |
1023 | /* TODO(RECLAYER): This probably should not be an int */ | |
1024 | int mactype, | |
359affde MC |
1025 | const EVP_MD *md, const SSL_COMP *comp, BIO *prev, |
1026 | BIO *transport, BIO *next, BIO_ADDR *local, | |
1027 | BIO_ADDR *peer, const OSSL_PARAM *settings, | |
9dd90232 MC |
1028 | const OSSL_PARAM *options, |
1029 | const OSSL_DISPATCH *fns, void *cbarg, | |
8124ab56 | 1030 | OSSL_RECORD_LAYER **retrl) |
34a4068c MC |
1031 | { |
1032 | OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl)); | |
e2d5742b MC |
1033 | const OSSL_PARAM *p; |
1034 | ||
7c293999 MC |
1035 | *retrl = NULL; |
1036 | ||
e2d5742b MC |
1037 | if (rl == NULL) { |
1038 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); | |
7c293999 | 1039 | return OSSL_RECORD_RETURN_FATAL; |
e2d5742b MC |
1040 | } |
1041 | ||
79eebb08 MC |
1042 | /* |
1043 | * TODO(RECLAYER): Need to handle the case where the params are updated | |
1044 | * after the record layer has been created. | |
1045 | */ | |
e2d5742b MC |
1046 | p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS); |
1047 | if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) { | |
1048 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER); | |
1049 | goto err; | |
1050 | } | |
1051 | ||
1052 | p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE); | |
1053 | if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) { | |
1054 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER); | |
1055 | goto err; | |
1056 | } | |
1057 | ||
7f2f0ac7 MC |
1058 | /* Loop through all the settings since they must all be understood */ |
1059 | for (p = settings; p->key != NULL; p++) { | |
1060 | if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) { | |
1061 | if (!OSSL_PARAM_get_int(p, &rl->use_etm)) { | |
1062 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER); | |
1063 | goto err; | |
1064 | } | |
ffbd6e67 MC |
1065 | } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) { |
1066 | if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) { | |
1067 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER); | |
1068 | goto err; | |
1069 | } | |
9dd90232 MC |
1070 | } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) { |
1071 | if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) { | |
1072 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER); | |
1073 | goto err; | |
1074 | } | |
8124ab56 MC |
1075 | } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) { |
1076 | if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) { | |
1077 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER); | |
1078 | goto err; | |
1079 | } | |
1080 | } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) { | |
1081 | if (!OSSL_PARAM_get_int(p, &rl->tlstree)) { | |
1082 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER); | |
1083 | goto err; | |
1084 | } | |
7f2f0ac7 MC |
1085 | } else { |
1086 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_MANDATORY_PARAMETER); | |
1087 | goto err; | |
1088 | } | |
1089 | } | |
1090 | ||
1091 | ||
79eebb08 MC |
1092 | if (level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) { |
1093 | /* | |
1094 | * We ignore any read_ahead setting prior to the application protection | |
1095 | * level. Otherwise we may read ahead data in a lower protection level | |
1096 | * that is destined for a higher protection level. To simplify the logic | |
1097 | * we don't support that at this stage. | |
1098 | */ | |
1099 | /* | |
1100 | * TODO(RECLAYER): Handle the case of read_ahead at the application | |
1101 | * level and a key update/reneg occurs. | |
1102 | */ | |
1103 | p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD); | |
1104 | if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) { | |
1105 | RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER); | |
1106 | goto err; | |
1107 | } | |
e2d5742b MC |
1108 | } |
1109 | ||
aedbb71b MC |
1110 | rl->libctx = libctx; |
1111 | rl->propq = propq; | |
1112 | ||
e2d5742b MC |
1113 | rl->version = vers; |
1114 | rl->role = role; | |
1115 | rl->direction = direction; | |
9dd90232 | 1116 | rl->level = level; |
4030869d | 1117 | |
1853d20a | 1118 | if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE) |
4030869d MC |
1119 | rl->is_first_record = 1; |
1120 | ||
e2d5742b MC |
1121 | if (!tls_set1_bio(rl, transport)) |
1122 | goto err; | |
1123 | ||
359affde MC |
1124 | if (prev != NULL && !BIO_up_ref(prev)) |
1125 | goto err; | |
1126 | rl->prev = prev; | |
1127 | ||
1128 | if (next != NULL && !BIO_up_ref(next)) | |
1129 | goto err; | |
1130 | rl->next = next; | |
1131 | ||
9dd90232 MC |
1132 | rl->cbarg = cbarg; |
1133 | for (; fns->function_id != 0; fns++) { | |
1134 | switch (fns->function_id) { | |
1135 | case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA: | |
3c7b9ef9 MC |
1136 | rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns); |
1137 | break; | |
1138 | case OSSL_FUNC_RLAYER_MSG_CALLBACK: | |
1139 | rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns); | |
9dd90232 | 1140 | break; |
ed0e298f MC |
1141 | case OSSL_FUNC_RLAYER_SECURITY: |
1142 | rl->security = OSSL_FUNC_rlayer_security(fns); | |
1143 | break; | |
9dd90232 MC |
1144 | default: |
1145 | /* Just ignore anything we don't understand */ | |
1146 | break; | |
1147 | } | |
1148 | } | |
1149 | ||
7c293999 MC |
1150 | *retrl = rl; |
1151 | return OSSL_RECORD_RETURN_SUCCESS; | |
cc110a0a | 1152 | err: |
359affde | 1153 | tls_int_free(rl); |
7c293999 | 1154 | return OSSL_RECORD_RETURN_FATAL; |
cc110a0a MC |
1155 | } |
1156 | ||
7c293999 | 1157 | static int |
cc110a0a MC |
1158 | tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, |
1159 | int role, int direction, int level, unsigned char *key, | |
1160 | size_t keylen, unsigned char *iv, size_t ivlen, | |
1161 | unsigned char *mackey, size_t mackeylen, | |
1162 | const EVP_CIPHER *ciph, size_t taglen, | |
1163 | /* TODO(RECLAYER): This probably should not be an int */ | |
1164 | int mactype, | |
359affde MC |
1165 | const EVP_MD *md, const SSL_COMP *comp, BIO *prev, |
1166 | BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, | |
cc110a0a | 1167 | const OSSL_PARAM *settings, const OSSL_PARAM *options, |
9dd90232 | 1168 | const OSSL_DISPATCH *fns, void *cbarg, |
8124ab56 | 1169 | OSSL_RECORD_LAYER **retrl) |
cc110a0a | 1170 | { |
7c293999 MC |
1171 | int ret; |
1172 | ||
1173 | ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level, | |
1174 | key, keylen, iv, ivlen, mackey, mackeylen, | |
359affde MC |
1175 | ciph, taglen, mactype, md, comp, prev, |
1176 | transport, next, local, peer, settings, | |
8124ab56 | 1177 | options, fns, cbarg, retrl); |
cc110a0a | 1178 | |
7c293999 MC |
1179 | if (ret != OSSL_RECORD_RETURN_SUCCESS) |
1180 | return ret; | |
cc110a0a | 1181 | |
aedbb71b MC |
1182 | switch (vers) { |
1183 | case TLS_ANY_VERSION: | |
7c293999 | 1184 | (*retrl)->funcs = &tls_any_funcs; |
aedbb71b MC |
1185 | break; |
1186 | case TLS1_3_VERSION: | |
7c293999 | 1187 | (*retrl)->funcs = &tls_1_3_funcs; |
aedbb71b MC |
1188 | break; |
1189 | case TLS1_2_VERSION: | |
aedbb71b | 1190 | case TLS1_1_VERSION: |
aedbb71b | 1191 | case TLS1_VERSION: |
7c293999 | 1192 | (*retrl)->funcs = &tls_1_funcs; |
aedbb71b MC |
1193 | break; |
1194 | case SSL3_VERSION: | |
7c293999 | 1195 | (*retrl)->funcs = &ssl_3_0_funcs; |
aedbb71b MC |
1196 | break; |
1197 | default: | |
1198 | /* Should not happen */ | |
7c293999 MC |
1199 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
1200 | ret = OSSL_RECORD_RETURN_FATAL; | |
aedbb71b MC |
1201 | goto err; |
1202 | } | |
1203 | ||
7c293999 MC |
1204 | ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv, |
1205 | ivlen, mackey, mackeylen, ciph, | |
8124ab56 | 1206 | taglen, mactype, md, comp); |
aedbb71b | 1207 | |
e2d5742b | 1208 | err: |
7c293999 MC |
1209 | if (ret != OSSL_RECORD_RETURN_SUCCESS) { |
1210 | OPENSSL_free(*retrl); | |
1211 | *retrl = NULL; | |
1212 | } | |
1213 | return ret; | |
e2d5742b MC |
1214 | } |
1215 | ||
359affde | 1216 | static void tls_int_free(OSSL_RECORD_LAYER *rl) |
34a4068c | 1217 | { |
2b891e30 | 1218 | /* TODO(RECLAYER): Cleanse sensitive fields */ |
359affde | 1219 | BIO_free(rl->prev); |
e2d5742b | 1220 | BIO_free(rl->bio); |
359affde MC |
1221 | BIO_free(rl->next); |
1222 | SSL3_BUFFER_release(&rl->rbuf); | |
1223 | ||
6366bdd9 MC |
1224 | EVP_CIPHER_CTX_free(rl->enc_ctx); |
1225 | EVP_MD_CTX_free(rl->md_ctx); | |
976b263d | 1226 | #ifndef OPENSSL_NO_COMP |
359affde | 1227 | COMP_CTX_free(rl->expand); |
976b263d | 1228 | #endif |
359affde | 1229 | |
34a4068c MC |
1230 | OPENSSL_free(rl); |
1231 | } | |
1232 | ||
359affde MC |
1233 | int tls_free(OSSL_RECORD_LAYER *rl) |
1234 | { | |
1235 | SSL3_BUFFER *rbuf; | |
1236 | size_t left, written; | |
1237 | int ret = 1; | |
1238 | ||
1239 | rbuf = &rl->rbuf; | |
1240 | ||
1241 | left = SSL3_BUFFER_get_left(rbuf); | |
1242 | if (left > 0) { | |
1243 | /* | |
1244 | * This record layer is closing but we still have data left in our | |
1245 | * buffer. It must be destined for the next epoch - so push it there. | |
1246 | */ | |
1247 | ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written); | |
1248 | } | |
1249 | tls_int_free(rl); | |
1250 | ||
1251 | return ret; | |
1252 | } | |
1253 | ||
1254 | ||
1853d20a | 1255 | int tls_reset(OSSL_RECORD_LAYER *rl) |
34a4068c MC |
1256 | { |
1257 | memset(rl, 0, sizeof(*rl)); | |
1258 | return 1; | |
1259 | } | |
1260 | ||
1853d20a | 1261 | int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl) |
34a4068c | 1262 | { |
0755722c | 1263 | return SSL3_BUFFER_get_left(&rl->rbuf) != 0; |
34a4068c MC |
1264 | } |
1265 | ||
1853d20a | 1266 | int tls_processed_read_pending(OSSL_RECORD_LAYER *rl) |
34a4068c | 1267 | { |
4030869d | 1268 | return rl->curr_rec < rl->num_recs; |
34a4068c MC |
1269 | } |
1270 | ||
1853d20a | 1271 | size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl) |
34a4068c MC |
1272 | { |
1273 | return 0; | |
1274 | } | |
1275 | ||
1853d20a | 1276 | int tls_write_pending(OSSL_RECORD_LAYER *rl) |
34a4068c MC |
1277 | { |
1278 | return 0; | |
1279 | } | |
1280 | ||
1853d20a | 1281 | size_t tls_get_max_record_len(OSSL_RECORD_LAYER *rl) |
34a4068c MC |
1282 | { |
1283 | return 0; | |
1284 | } | |
1285 | ||
1853d20a | 1286 | size_t tls_get_max_records(OSSL_RECORD_LAYER *rl) |
34a4068c MC |
1287 | { |
1288 | return 0; | |
1289 | } | |
1290 | ||
1853d20a MC |
1291 | int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE **templates, |
1292 | size_t numtempl, size_t allowance, size_t *sent) | |
34a4068c MC |
1293 | { |
1294 | return 0; | |
1295 | } | |
1296 | ||
1853d20a MC |
1297 | int tls_retry_write_records(OSSL_RECORD_LAYER *rl, size_t allowance, |
1298 | size_t *sent) | |
34a4068c MC |
1299 | { |
1300 | return 0; | |
1301 | } | |
1302 | ||
34a4068c | 1303 | |
1853d20a | 1304 | int tls_get_alert_code(OSSL_RECORD_LAYER *rl) |
e2d5742b MC |
1305 | { |
1306 | return rl->alert; | |
1307 | } | |
1308 | ||
1853d20a | 1309 | int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio) |
e2d5742b MC |
1310 | { |
1311 | if (bio != NULL && !BIO_up_ref(bio)) | |
1312 | return 0; | |
1313 | BIO_free(rl->bio); | |
1314 | rl->bio = bio; | |
1315 | ||
1316 | return 1; | |
1317 | } | |
1318 | ||
1853d20a MC |
1319 | /* Shared by most methods except tlsany_meth */ |
1320 | int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version) | |
1321 | { | |
1322 | if (rl->version != version) | |
1323 | return 0; | |
1324 | ||
1325 | return 1; | |
1326 | } | |
1327 | ||
1328 | int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version) | |
1329 | { | |
1330 | return rl->funcs->set_protocol_version(rl, version); | |
1331 | } | |
1332 | ||
1333 | void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow) | |
1334 | { | |
1335 | rl->allow_plain_alerts = allow; | |
1336 | } | |
1337 | ||
1338 | void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first) | |
1339 | { | |
1340 | rl->is_first_handshake = first; | |
1341 | } | |
1342 | ||
8124ab56 MC |
1343 | void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines) |
1344 | { | |
1345 | rl->max_pipelines = max_pipelines; | |
1346 | if (max_pipelines > 1) | |
1347 | rl->read_ahead = 1; | |
1348 | } | |
1349 | ||
1853d20a | 1350 | SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl) |
e2d5742b MC |
1351 | { |
1352 | return &rl->rbuf; | |
1353 | } | |
1354 | ||
1853d20a | 1355 | unsigned char *tls_get0_packet(OSSL_RECORD_LAYER *rl) |
e2d5742b MC |
1356 | { |
1357 | return rl->packet; | |
1358 | } | |
1359 | ||
1853d20a MC |
1360 | void tls_set0_packet(OSSL_RECORD_LAYER *rl, unsigned char *packet, |
1361 | size_t packetlen) | |
e2d5742b MC |
1362 | { |
1363 | rl->packet = packet; | |
1364 | rl->packet_length = packetlen; | |
1365 | } | |
1366 | ||
1853d20a | 1367 | size_t tls_get_packet_length(OSSL_RECORD_LAYER *rl) |
e2d5742b MC |
1368 | { |
1369 | return rl->packet_length; | |
1370 | } | |
1371 | ||
34a4068c MC |
1372 | const OSSL_RECORD_METHOD ossl_tls_record_method = { |
1373 | tls_new_record_layer, | |
1374 | tls_free, | |
1375 | tls_reset, | |
1376 | tls_unprocessed_read_pending, | |
1377 | tls_processed_read_pending, | |
1378 | tls_app_data_pending, | |
1379 | tls_write_pending, | |
1380 | tls_get_max_record_len, | |
1381 | tls_get_max_records, | |
1382 | tls_write_records, | |
1383 | tls_retry_write_records, | |
1384 | tls_read_record, | |
e2d5742b MC |
1385 | tls_release_record, |
1386 | tls_get_alert_code, | |
1387 | tls_set1_bio, | |
1853d20a MC |
1388 | tls_set_protocol_version, |
1389 | tls_set_plain_alerts, | |
1390 | tls_set_first_handshake, | |
8124ab56 | 1391 | tls_set_max_pipelines, |
e2d5742b MC |
1392 | |
1393 | /* | |
1394 | * TODO(RECLAYER): Remove these. These function pointers are temporary hacks | |
1395 | * during the record layer refactoring. They need to be removed before the | |
1396 | * refactor is complete. | |
1397 | */ | |
1853d20a | 1398 | tls_default_read_n, |
cc110a0a MC |
1399 | tls_get0_rbuf, |
1400 | tls_get0_packet, | |
1401 | tls_set0_packet, | |
1402 | tls_get_packet_length, | |
1403 | tls_reset_packet_length | |
1404 | }; |