]>
Commit | Line | Data |
---|---|---|
846e33c7 | 1 | /* |
da1c088f | 2 | * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. |
c51ae173 | 3 | * |
2c18d164 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
846e33c7 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
c51ae173 | 8 | */ |
d02b48c6 RE |
9 | |
10 | #include <stdio.h> | |
339da43d | 11 | #include <limits.h> |
d02b48c6 | 12 | #include <errno.h> |
7a4e109e | 13 | #include <assert.h> |
706457b7 | 14 | #include "../ssl_local.h" |
d6e7ebba | 15 | #include "../quic/quic_local.h" |
ec577822 BM |
16 | #include <openssl/evp.h> |
17 | #include <openssl/buffer.h> | |
637f374a | 18 | #include <openssl/rand.h> |
79eebb08 | 19 | #include <openssl/core_names.h> |
706457b7 | 20 | #include "record_local.h" |
0d345f0e | 21 | #include "internal/packet.h" |
d02b48c6 | 22 | |
38b051a1 | 23 | void RECORD_LAYER_init(RECORD_LAYER *rl, SSL_CONNECTION *s) |
c036e210 MC |
24 | { |
25 | rl->s = s; | |
c036e210 MC |
26 | } |
27 | ||
af9752e5 MC |
28 | void RECORD_LAYER_clear(RECORD_LAYER *rl) |
29 | { | |
6b41b3f5 | 30 | rl->wnum = 0; |
6b41b3f5 MC |
31 | memset(rl->handshake_fragment, 0, sizeof(rl->handshake_fragment)); |
32 | rl->handshake_fragment_len = 0; | |
33 | rl->wpend_tot = 0; | |
34 | rl->wpend_type = 0; | |
6b41b3f5 MC |
35 | rl->wpend_buf = NULL; |
36 | ||
cffafb5f MC |
37 | if (rl->rrlmethod != NULL) |
38 | rl->rrlmethod->free(rl->rrl); /* Ignore return value */ | |
2b71b042 MC |
39 | if (rl->wrlmethod != NULL) |
40 | rl->wrlmethod->free(rl->wrl); /* Ignore return value */ | |
cffafb5f MC |
41 | BIO_free(rl->rrlnext); |
42 | rl->rrlmethod = NULL; | |
2b71b042 | 43 | rl->wrlmethod = NULL; |
cffafb5f | 44 | rl->rrlnext = NULL; |
2b71b042 MC |
45 | rl->rrl = NULL; |
46 | rl->wrl = NULL; | |
cffafb5f | 47 | |
6b41b3f5 | 48 | if (rl->d) |
5fb6f80c | 49 | DTLS_RECORD_LAYER_clear(rl); |
af9752e5 MC |
50 | } |
51 | ||
b8c49611 | 52 | /* Checks if we have unprocessed read ahead data pending */ |
49580f25 | 53 | int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) |
f161995e | 54 | { |
cffafb5f | 55 | return rl->rrlmethod->unprocessed_read_pending(rl->rrl); |
f161995e MC |
56 | } |
57 | ||
b8c49611 MC |
58 | /* Checks if we have decrypted unread record data pending */ |
59 | int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) | |
60 | { | |
4030869d | 61 | return (rl->curr_rec < rl->num_recs) |
cffafb5f | 62 | || rl->rrlmethod->processed_read_pending(rl->rrl); |
b8c49611 MC |
63 | } |
64 | ||
49580f25 | 65 | int RECORD_LAYER_write_pending(const RECORD_LAYER *rl) |
f161995e | 66 | { |
151f313e | 67 | return rl->wpend_tot > 0; |
f161995e MC |
68 | } |
69 | ||
23c57f00 MC |
70 | static uint32_t ossl_get_max_early_data(SSL_CONNECTION *s) |
71 | { | |
72 | uint32_t max_early_data; | |
73 | SSL_SESSION *sess = s->session; | |
74 | ||
75 | /* | |
76 | * If we are a client then we always use the max_early_data from the | |
77 | * session/psksession. Otherwise we go with the lowest out of the max early | |
78 | * data set in the session and the configured max_early_data. | |
79 | */ | |
80 | if (!s->server && sess->ext.max_early_data == 0) { | |
81 | if (!ossl_assert(s->psksession != NULL | |
82 | && s->psksession->ext.max_early_data > 0)) { | |
83 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
84 | return 0; | |
85 | } | |
86 | sess = s->psksession; | |
87 | } | |
88 | ||
89 | if (!s->server) | |
90 | max_early_data = sess->ext.max_early_data; | |
91 | else if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED) | |
92 | max_early_data = s->recv_max_early_data; | |
93 | else | |
94 | max_early_data = s->recv_max_early_data < sess->ext.max_early_data | |
95 | ? s->recv_max_early_data : sess->ext.max_early_data; | |
96 | ||
97 | return max_early_data; | |
98 | } | |
99 | ||
100 | static int ossl_early_data_count_ok(SSL_CONNECTION *s, size_t length, | |
101 | size_t overhead, int send) | |
102 | { | |
103 | uint32_t max_early_data; | |
104 | ||
105 | max_early_data = ossl_get_max_early_data(s); | |
106 | ||
107 | if (max_early_data == 0) { | |
108 | SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, | |
109 | SSL_R_TOO_MUCH_EARLY_DATA); | |
110 | return 0; | |
111 | } | |
112 | ||
113 | /* If we are dealing with ciphertext we need to allow for the overhead */ | |
114 | max_early_data += overhead; | |
115 | ||
116 | if (s->early_data_count + length > max_early_data) { | |
117 | SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, | |
118 | SSL_R_TOO_MUCH_EARLY_DATA); | |
119 | return 0; | |
120 | } | |
121 | s->early_data_count += length; | |
122 | ||
123 | return 1; | |
124 | } | |
125 | ||
8b0e934a | 126 | size_t ssl3_pending(const SSL *s) |
d5a25ae0 | 127 | { |
8b0e934a | 128 | size_t i, num = 0; |
38b051a1 | 129 | const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); |
94777c9c | 130 | |
38b051a1 | 131 | if (sc == NULL) |
d5a25ae0 MC |
132 | return 0; |
133 | ||
6d6b295a | 134 | if (SSL_CONNECTION_IS_DTLS(sc)) { |
eddb067e | 135 | TLS_RECORD *rdata; |
6d6b295a MC |
136 | pitem *item, *iter; |
137 | ||
138 | iter = pqueue_iterator(sc->rlayer.d->buffered_app_data.q); | |
139 | while ((item = pqueue_next(&iter)) != NULL) { | |
140 | rdata = item->data; | |
eddb067e | 141 | num += rdata->length; |
6d6b295a | 142 | } |
eddb067e | 143 | } |
6d6b295a | 144 | |
eddb067e MC |
145 | for (i = 0; i < sc->rlayer.num_recs; i++) { |
146 | if (sc->rlayer.tlsrecs[i].type != SSL3_RT_APPLICATION_DATA) | |
147 | return num; | |
148 | num += sc->rlayer.tlsrecs[i].length; | |
94777c9c MC |
149 | } |
150 | ||
cffafb5f | 151 | num += sc->rlayer.rrlmethod->app_data_pending(sc->rlayer.rrl); |
81c9ebd9 | 152 | |
94777c9c | 153 | return num; |
d5a25ae0 MC |
154 | } |
155 | ||
dad78fb1 MC |
156 | void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len) |
157 | { | |
158 | ctx->default_read_buf_len = len; | |
159 | } | |
160 | ||
161 | void SSL_set_default_read_buffer_len(SSL *s, size_t len) | |
162 | { | |
38b051a1 TM |
163 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); |
164 | ||
d6e7ebba | 165 | if (sc == NULL || IS_QUIC(s)) |
38b051a1 | 166 | return; |
cffafb5f | 167 | sc->rlayer.default_read_buf_len = len; |
dad78fb1 MC |
168 | } |
169 | ||
295c3f41 MC |
170 | const char *SSL_rstate_string_long(const SSL *s) |
171 | { | |
38b051a1 | 172 | const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); |
d0b17ea0 | 173 | const char *lng; |
38b051a1 TM |
174 | |
175 | if (sc == NULL) | |
176 | return NULL; | |
177 | ||
d0b17ea0 | 178 | if (sc->rlayer.rrlmethod == NULL || sc->rlayer.rrl == NULL) |
475965f2 | 179 | return "unknown"; |
d0b17ea0 MC |
180 | |
181 | sc->rlayer.rrlmethod->get_state(sc->rlayer.rrl, NULL, &lng); | |
182 | ||
183 | return lng; | |
295c3f41 MC |
184 | } |
185 | ||
186 | const char *SSL_rstate_string(const SSL *s) | |
187 | { | |
38b051a1 | 188 | const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); |
d0b17ea0 | 189 | const char *shrt; |
38b051a1 TM |
190 | |
191 | if (sc == NULL) | |
192 | return NULL; | |
193 | ||
d0b17ea0 | 194 | if (sc->rlayer.rrlmethod == NULL || sc->rlayer.rrl == NULL) |
475965f2 | 195 | return "unknown"; |
295c3f41 | 196 | |
d0b17ea0 MC |
197 | sc->rlayer.rrlmethod->get_state(sc->rlayer.rrl, &shrt, NULL); |
198 | ||
199 | return shrt; | |
200 | } | |
0f113f3e | 201 | |
eb1eaa9a | 202 | static int tls_write_check_pending(SSL_CONNECTION *s, uint8_t type, |
a566864b MC |
203 | const unsigned char *buf, size_t len) |
204 | { | |
205 | if (s->rlayer.wpend_tot == 0) | |
206 | return 0; | |
207 | ||
208 | /* We have pending data, so do some sanity checks */ | |
209 | if ((s->rlayer.wpend_tot > len) | |
210 | || (!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER) | |
211 | && (s->rlayer.wpend_buf != buf)) | |
212 | || (s->rlayer.wpend_type != type)) { | |
213 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_WRITE_RETRY); | |
214 | return -1; | |
215 | } | |
216 | return 1; | |
217 | } | |
218 | ||
0f113f3e MC |
219 | /* |
220 | * Call this to write data in records of type 'type' It will return <= 0 if | |
221 | * not all data has been sent or non-blocking IO. | |
d02b48c6 | 222 | */ |
eb1eaa9a | 223 | int ssl3_write_bytes(SSL *ssl, uint8_t type, const void *buf_, size_t len, |
7ee8627f | 224 | size_t *written) |
0f113f3e MC |
225 | { |
226 | const unsigned char *buf = buf_; | |
7ee8627f | 227 | size_t tot; |
cf72c757 | 228 | size_t n, max_send_fragment, split_send_fragment, maxpipes; |
0f113f3e | 229 | int i; |
38b051a1 | 230 | SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl); |
a566864b | 231 | OSSL_RECORD_TEMPLATE tmpls[SSL_MAX_PIPELINES]; |
1d367677 | 232 | unsigned int recversion; |
0f113f3e | 233 | |
38b051a1 TM |
234 | if (s == NULL) |
235 | return -1; | |
236 | ||
0f113f3e | 237 | s->rwstate = SSL_NOTHING; |
e2228d31 | 238 | tot = s->rlayer.wnum; |
0f113f3e MC |
239 | /* |
240 | * ensure that if we end up with a smaller value of data to write out | |
3519bae5 | 241 | * than the original len from a write which didn't complete for |
0f113f3e | 242 | * non-blocking I/O and also somehow ended up avoiding the check for |
a566864b | 243 | * this in tls_write_check_pending/SSL_R_BAD_WRITE_RETRY as it must never be |
0f113f3e MC |
244 | * possible to end up with (len-tot) as a large number that will then |
245 | * promptly send beyond the end of the users buffer ... so we trap and | |
246 | * report the error in a way the user will notice | |
247 | */ | |
bd91e3c8 | 248 | if ((len < s->rlayer.wnum) |
151f313e MC |
249 | || ((s->rlayer.wpend_tot != 0) |
250 | && (len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) { | |
c48ffbcc | 251 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH); |
1c2e5d56 MC |
252 | return -1; |
253 | } | |
254 | ||
7daf7156 | 255 | if (s->early_data_state == SSL_EARLY_DATA_WRITING |
38b051a1 | 256 | && !ossl_early_data_count_ok(s, len, 0, 1)) { |
196f2cbb | 257 | /* SSLfatal() already called */ |
7daf7156 | 258 | return -1; |
196f2cbb | 259 | } |
7daf7156 | 260 | |
1c2e5d56 MC |
261 | s->rlayer.wnum = 0; |
262 | ||
feb9e31c | 263 | /* |
3bfacb5f BK |
264 | * If we are supposed to be sending a KeyUpdate or NewSessionTicket then go |
265 | * into init unless we have writes pending - in which case we should finish | |
266 | * doing that first. | |
feb9e31c | 267 | */ |
151f313e MC |
268 | if (s->rlayer.wpend_tot == 0 && (s->key_update != SSL_KEY_UPDATE_NONE |
269 | || s->ext.extra_tickets_expected > 0)) | |
feb9e31c MC |
270 | ossl_statem_set_in_init(s, 1); |
271 | ||
59cebcf9 MC |
272 | /* |
273 | * When writing early data on the server side we could be "in_init" in | |
274 | * between receiving the EoED and the CF - but we don't want to handle those | |
275 | * messages yet. | |
276 | */ | |
38b051a1 | 277 | if (SSL_in_init(ssl) && !ossl_statem_get_in_handshake(s) |
59cebcf9 | 278 | && s->early_data_state != SSL_EARLY_DATA_UNAUTH_WRITING) { |
38b051a1 | 279 | i = s->handshake_func(ssl); |
c2853382 | 280 | /* SSLfatal() already called */ |
1c2e5d56 | 281 | if (i < 0) |
7ee8627f | 282 | return i; |
1c2e5d56 | 283 | if (i == 0) { |
1c2e5d56 MC |
284 | return -1; |
285 | } | |
0f113f3e MC |
286 | } |
287 | ||
a566864b MC |
288 | i = tls_write_check_pending(s, type, buf, len); |
289 | if (i < 0) { | |
290 | /* SSLfatal() already called */ | |
291 | return i; | |
292 | } else if (i > 0) { | |
293 | /* Retry needed */ | |
320145d5 MC |
294 | i = HANDLE_RLAYER_WRITE_RETURN(s, |
295 | s->rlayer.wrlmethod->retry_write_records(s->rlayer.wrl)); | |
b9b9f488 MC |
296 | if (i <= 0) { |
297 | s->rlayer.wnum = tot; | |
0f113f3e | 298 | return i; |
b9b9f488 | 299 | } |
a566864b MC |
300 | tot += s->rlayer.wpend_tot; |
301 | s->rlayer.wpend_tot = 0; | |
302 | } /* else no retry required */ | |
303 | ||
304 | if (tot == 0) { | |
305 | /* | |
306 | * We've not previously sent any data for this write so memorize | |
307 | * arguments so that we can detect bad write retries later | |
308 | */ | |
309 | s->rlayer.wpend_tot = 0; | |
310 | s->rlayer.wpend_type = type; | |
311 | s->rlayer.wpend_buf = buf; | |
0f113f3e | 312 | } |
a566864b | 313 | |
0f113f3e | 314 | if (tot == len) { /* done? */ |
7ee8627f MC |
315 | *written = tot; |
316 | return 1; | |
0f113f3e MC |
317 | } |
318 | ||
3eaead71 | 319 | /* If we have an alert to send, lets send it */ |
73243502 | 320 | if (s->s3.alert_dispatch > 0) { |
3eaead71 MC |
321 | i = ssl->method->ssl_dispatch_alert(ssl); |
322 | if (i <= 0) { | |
323 | /* SSLfatal() already called if appropriate */ | |
b9b9f488 | 324 | s->rlayer.wnum = tot; |
3eaead71 MC |
325 | return i; |
326 | } | |
327 | /* if it went, fall through and send more stuff */ | |
328 | } | |
329 | ||
0f113f3e | 330 | n = (len - tot); |
d102d9df | 331 | |
cf72c757 F |
332 | max_send_fragment = ssl_get_max_send_fragment(s); |
333 | split_send_fragment = ssl_get_split_send_fragment(s); | |
c6d5f343 | 334 | |
f6c95e46 RS |
335 | if (max_send_fragment == 0 |
336 | || split_send_fragment == 0 | |
337 | || split_send_fragment > max_send_fragment) { | |
d102d9df | 338 | /* |
cf72c757 | 339 | * We should have prevented this when we set/get the split and max send |
d102d9df | 340 | * fragments so we shouldn't get here |
a230b26e | 341 | */ |
c48ffbcc | 342 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
d102d9df MC |
343 | return -1; |
344 | } | |
345 | ||
1d367677 MC |
346 | /* |
347 | * Some servers hang if initial client hello is larger than 256 bytes | |
348 | * and record version number > TLS 1.0 | |
349 | */ | |
1d367677 MC |
350 | recversion = (s->version == TLS1_3_VERSION) ? TLS1_2_VERSION : s->version; |
351 | if (SSL_get_state(ssl) == TLS_ST_CW_CLNT_HELLO | |
352 | && !s->renegotiate | |
353 | && TLS1_get_version(ssl) > TLS1_VERSION | |
354 | && s->hello_retry_request == SSL_HRR_NONE) | |
355 | recversion = TLS1_VERSION; | |
356 | ||
0f113f3e | 357 | for (;;) { |
a566864b | 358 | size_t tmppipelen, remain; |
c6186792 | 359 | size_t j, lensofar = 0; |
d102d9df | 360 | |
c6186792 MC |
361 | /* |
362 | * Ask the record layer how it would like to split the amount of data | |
363 | * that we have, and how many of those records it would like in one go. | |
364 | */ | |
365 | maxpipes = s->rlayer.wrlmethod->get_max_records(s->rlayer.wrl, type, n, | |
366 | max_send_fragment, | |
367 | &split_send_fragment); | |
368 | /* | |
369 | * If max_pipelines is 0 then this means "undefined" and we default to | |
370 | * whatever the record layer wants to do. Otherwise we use the smallest | |
371 | * value from the number requested by the record layer, and max number | |
372 | * configured by the user. | |
373 | */ | |
374 | if (s->max_pipelines > 0 && maxpipes > s->max_pipelines) | |
375 | maxpipes = s->max_pipelines; | |
376 | ||
377 | if (maxpipes > SSL_MAX_PIPELINES) | |
378 | maxpipes = SSL_MAX_PIPELINES; | |
379 | ||
380 | if (split_send_fragment > max_send_fragment) { | |
381 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
382 | return -1; | |
383 | } | |
d102d9df | 384 | |
c6186792 | 385 | if (n / maxpipes >= split_send_fragment) { |
d102d9df MC |
386 | /* |
387 | * We have enough data to completely fill all available | |
388 | * pipelines | |
389 | */ | |
c6186792 | 390 | for (j = 0; j < maxpipes; j++) { |
a566864b | 391 | tmpls[j].type = type; |
1d367677 | 392 | tmpls[j].version = recversion; |
02719d5c MC |
393 | tmpls[j].buf = &(buf[tot]) + (j * split_send_fragment); |
394 | tmpls[j].buflen = split_send_fragment; | |
d102d9df | 395 | } |
a566864b | 396 | /* Remember how much data we are going to be sending */ |
c6186792 | 397 | s->rlayer.wpend_tot = maxpipes * split_send_fragment; |
d102d9df MC |
398 | } else { |
399 | /* We can partially fill all available pipelines */ | |
c6186792 MC |
400 | tmppipelen = n / maxpipes; |
401 | remain = n % maxpipes; | |
a566864b MC |
402 | /* |
403 | * If there is a remainder we add an extra byte to the first few | |
404 | * pipelines | |
405 | */ | |
406 | if (remain > 0) | |
407 | tmppipelen++; | |
c6186792 | 408 | for (j = 0; j < maxpipes; j++) { |
a566864b | 409 | tmpls[j].type = type; |
1d367677 | 410 | tmpls[j].version = recversion; |
a566864b MC |
411 | tmpls[j].buf = &(buf[tot]) + lensofar; |
412 | tmpls[j].buflen = tmppipelen; | |
413 | lensofar += tmppipelen; | |
414 | if (j + 1 == remain) | |
415 | tmppipelen--; | |
d102d9df | 416 | } |
a566864b MC |
417 | /* Remember how much data we are going to be sending */ |
418 | s->rlayer.wpend_tot = n; | |
d102d9df | 419 | } |
0f113f3e | 420 | |
320145d5 | 421 | i = HANDLE_RLAYER_WRITE_RETURN(s, |
c6186792 | 422 | s->rlayer.wrlmethod->write_records(s->rlayer.wrl, tmpls, maxpipes)); |
0f113f3e | 423 | if (i <= 0) { |
c2853382 | 424 | /* SSLfatal() already called if appropriate */ |
e2228d31 | 425 | s->rlayer.wnum = tot; |
0f113f3e MC |
426 | return i; |
427 | } | |
428 | ||
151f313e MC |
429 | if (s->rlayer.wpend_tot == n |
430 | || (type == SSL3_RT_APPLICATION_DATA | |
431 | && (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) != 0)) { | |
a566864b MC |
432 | *written = tot + s->rlayer.wpend_tot; |
433 | s->rlayer.wpend_tot = 0; | |
7ee8627f | 434 | return 1; |
0f113f3e MC |
435 | } |
436 | ||
a566864b MC |
437 | n -= s->rlayer.wpend_tot; |
438 | tot += s->rlayer.wpend_tot; | |
0f113f3e MC |
439 | } |
440 | } | |
d02b48c6 | 441 | |
320145d5 MC |
442 | int ossl_tls_handle_rlayer_return(SSL_CONNECTION *s, int writing, int ret, |
443 | char *file, int line) | |
4030869d MC |
444 | { |
445 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); | |
446 | ||
447 | if (ret == OSSL_RECORD_RETURN_RETRY) { | |
320145d5 | 448 | s->rwstate = writing ? SSL_WRITING : SSL_READING; |
4030869d MC |
449 | ret = -1; |
450 | } else { | |
451 | s->rwstate = SSL_NOTHING; | |
452 | if (ret == OSSL_RECORD_RETURN_EOF) { | |
320145d5 MC |
453 | if (writing) { |
454 | /* | |
455 | * This shouldn't happen with a writing operation. We treat it | |
456 | * as fatal. | |
457 | */ | |
458 | ERR_new(); | |
459 | ERR_set_debug(file, line, 0); | |
460 | ossl_statem_fatal(s, SSL_AD_INTERNAL_ERROR, | |
461 | ERR_R_INTERNAL_ERROR, NULL); | |
462 | ret = OSSL_RECORD_RETURN_FATAL; | |
463 | } else if ((s->options & SSL_OP_IGNORE_UNEXPECTED_EOF) != 0) { | |
4030869d MC |
464 | SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); |
465 | s->s3.warn_alert = SSL_AD_CLOSE_NOTIFY; | |
466 | } else { | |
467 | ERR_new(); | |
468 | ERR_set_debug(file, line, 0); | |
469 | ossl_statem_fatal(s, SSL_AD_DECODE_ERROR, | |
470 | SSL_R_UNEXPECTED_EOF_WHILE_READING, NULL); | |
471 | } | |
472 | } else if (ret == OSSL_RECORD_RETURN_FATAL) { | |
d3192c26 MC |
473 | int al = s->rlayer.rrlmethod->get_alert_code(s->rlayer.rrl); |
474 | ||
475 | if (al != SSL_AD_NO_ALERT) { | |
476 | ERR_new(); | |
477 | ERR_set_debug(file, line, 0); | |
478 | ossl_statem_fatal(s, al, SSL_R_RECORD_LAYER_FAILURE, NULL); | |
479 | } | |
480 | /* | |
481 | * else some failure but there is no alert code. We don't log an | |
482 | * error for this. The record layer should have logged an error | |
483 | * already or, if not, its due to some sys call error which will be | |
484 | * reported via SSL_ERROR_SYSCALL and errno. | |
485 | */ | |
4030869d MC |
486 | } |
487 | /* | |
488 | * The record layer distinguishes the cases of EOF, non-fatal | |
489 | * err and retry. Upper layers do not. | |
490 | * If we got a retry or success then *ret is already correct, | |
491 | * otherwise we need to convert the return value. | |
492 | */ | |
4030869d MC |
493 | if (ret == OSSL_RECORD_RETURN_NON_FATAL_ERR || ret == OSSL_RECORD_RETURN_EOF) |
494 | ret = 0; | |
495 | else if (ret < OSSL_RECORD_RETURN_NON_FATAL_ERR) | |
496 | ret = -1; | |
497 | } | |
498 | ||
499 | return ret; | |
500 | } | |
501 | ||
7a4e109e | 502 | int ssl_release_record(SSL_CONNECTION *s, TLS_RECORD *rr, size_t length) |
eddb067e | 503 | { |
7a4e109e | 504 | assert(rr->length >= length); |
eddb067e | 505 | if (rr->rechandle != NULL) { |
7a4e109e MC |
506 | if (length == 0) |
507 | length = rr->length; | |
eddb067e | 508 | /* The record layer allocated the buffers for this record */ |
7a4e109e MC |
509 | if (HANDLE_RLAYER_READ_RETURN(s, |
510 | s->rlayer.rrlmethod->release_record(s->rlayer.rrl, | |
511 | rr->rechandle, | |
512 | length)) <= 0) { | |
513 | /* RLAYER_fatal already called */ | |
514 | return 0; | |
515 | } | |
516 | ||
517 | if (length == rr->length) | |
518 | s->rlayer.curr_rec++; | |
519 | } else if (length == 0 || length == rr->length) { | |
eddb067e | 520 | /* We allocated the buffers for this record (only happens with DTLS) */ |
2eb91b0e MC |
521 | OPENSSL_free(rr->allocdata); |
522 | rr->allocdata = NULL; | |
eddb067e | 523 | } |
7a4e109e MC |
524 | rr->length -= length; |
525 | if (rr->length > 0) | |
526 | rr->off += length; | |
527 | else | |
528 | rr->off = 0; | |
529 | ||
530 | return 1; | |
eddb067e MC |
531 | } |
532 | ||
1d97c843 TH |
533 | /*- |
534 | * Return up to 'len' payload bytes received in 'type' records. | |
b35e9050 BM |
535 | * 'type' is one of the following: |
536 | * | |
5318c012 SS |
537 | * - SSL3_RT_HANDSHAKE (when tls_get_message_header and tls_get_message_body |
538 | * call us) | |
b35e9050 BM |
539 | * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) |
540 | * - 0 (during a shutdown, no data has to be returned) | |
541 | * | |
542 | * If we don't have stored data to work from, read a SSL/TLS record first | |
543 | * (possibly multiple records if we still don't have anything to return). | |
544 | * | |
545 | * This function must handle any surprises the peer may have for us, such as | |
657da85e | 546 | * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec |
105af0ad | 547 | * messages are treated as if they were handshake messages *if* the |recvd_type| |
657da85e | 548 | * argument is non NULL. |
b35e9050 BM |
549 | * Also if record payloads contain fragments too small to process, we store |
550 | * them until there is enough for the respective protocol (the record protocol | |
551 | * may use arbitrary fragmentation and even interleaving): | |
552 | * Change cipher spec protocol | |
553 | * just 1 byte needed, no need for keeping anything stored | |
554 | * Alert protocol | |
555 | * 2 bytes needed (AlertLevel, AlertDescription) | |
556 | * Handshake protocol | |
557 | * 4 bytes needed (HandshakeType, uint24 length) -- we just have | |
558 | * to detect unexpected Client Hello and Hello Request messages | |
559 | * here, anything else is handled by higher layers | |
560 | * Application data protocol | |
561 | * none of our business | |
562 | */ | |
eb1eaa9a TM |
563 | int ssl3_read_bytes(SSL *ssl, uint8_t type, uint8_t *recvd_type, |
564 | unsigned char *buf, size_t len, | |
565 | int peek, size_t *readbytes) | |
0f113f3e | 566 | { |
99dd3740 | 567 | int i, j, ret; |
4030869d MC |
568 | size_t n, curr_rec, totalbytes; |
569 | TLS_RECORD *rr; | |
0f113f3e | 570 | void (*cb) (const SSL *ssl, int type2, int val) = NULL; |
38b051a1 TM |
571 | int is_tls13; |
572 | SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl); | |
573 | ||
574 | is_tls13 = SSL_CONNECTION_IS_TLS13(s); | |
0f113f3e | 575 | |
4030869d MC |
576 | if ((type != 0 |
577 | && (type != SSL3_RT_APPLICATION_DATA) | |
578 | && (type != SSL3_RT_HANDSHAKE)) | |
579 | || (peek && (type != SSL3_RT_APPLICATION_DATA))) { | |
c48ffbcc | 580 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
0f113f3e MC |
581 | return -1; |
582 | } | |
583 | ||
4aa7389e | 584 | if ((type == SSL3_RT_HANDSHAKE) && (s->rlayer.handshake_fragment_len > 0)) |
0f113f3e MC |
585 | /* (partially) satisfy request from storage */ |
586 | { | |
4aa7389e | 587 | unsigned char *src = s->rlayer.handshake_fragment; |
0f113f3e MC |
588 | unsigned char *dst = buf; |
589 | unsigned int k; | |
590 | ||
591 | /* peek == 0 */ | |
592 | n = 0; | |
4aa7389e | 593 | while ((len > 0) && (s->rlayer.handshake_fragment_len > 0)) { |
0f113f3e MC |
594 | *dst++ = *src++; |
595 | len--; | |
4aa7389e | 596 | s->rlayer.handshake_fragment_len--; |
0f113f3e MC |
597 | n++; |
598 | } | |
599 | /* move any remaining fragment bytes: */ | |
4aa7389e MC |
600 | for (k = 0; k < s->rlayer.handshake_fragment_len; k++) |
601 | s->rlayer.handshake_fragment[k] = *src++; | |
e9f6b9a1 MC |
602 | |
603 | if (recvd_type != NULL) | |
604 | *recvd_type = SSL3_RT_HANDSHAKE; | |
605 | ||
54105ddd | 606 | *readbytes = n; |
eda75751 | 607 | return 1; |
0f113f3e MC |
608 | } |
609 | ||
610 | /* | |
4aa7389e | 611 | * Now s->rlayer.handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. |
0f113f3e MC |
612 | */ |
613 | ||
38b051a1 | 614 | if (!ossl_statem_get_in_handshake(s) && SSL_in_init(ssl)) { |
0f113f3e | 615 | /* type == SSL3_RT_APPLICATION_DATA */ |
38b051a1 | 616 | i = s->handshake_func(ssl); |
99dd3740 | 617 | /* SSLfatal() already called */ |
0f113f3e | 618 | if (i < 0) |
eda75751 | 619 | return i; |
99dd3740 | 620 | if (i == 0) |
eda75751 | 621 | return -1; |
0f113f3e MC |
622 | } |
623 | start: | |
624 | s->rwstate = SSL_NOTHING; | |
625 | ||
50e735f9 | 626 | /*- |
94777c9c MC |
627 | * For each record 'i' up to |num_recs] |
628 | * rr[i].type - is the type of record | |
629 | * rr[i].data, - data | |
630 | * rr[i].off, - offset into 'data' for next read | |
631 | * rr[i].length, - number of bytes. | |
50e735f9 | 632 | */ |
4030869d MC |
633 | /* get new records if necessary */ |
634 | if (s->rlayer.curr_rec >= s->rlayer.num_recs) { | |
635 | s->rlayer.curr_rec = s->rlayer.num_recs = 0; | |
636 | do { | |
637 | rr = &s->rlayer.tlsrecs[s->rlayer.num_recs]; | |
94777c9c | 638 | |
320145d5 | 639 | ret = HANDLE_RLAYER_READ_RETURN(s, |
cffafb5f MC |
640 | s->rlayer.rrlmethod->read_record(s->rlayer.rrl, |
641 | &rr->rechandle, | |
642 | &rr->version, &rr->type, | |
643 | &rr->data, &rr->length, | |
644 | NULL, NULL)); | |
99dd3740 MC |
645 | if (ret <= 0) { |
646 | /* SSLfatal() already called if appropriate */ | |
eda75751 | 647 | return ret; |
99dd3740 | 648 | } |
4030869d MC |
649 | rr->off = 0; |
650 | s->rlayer.num_recs++; | |
cffafb5f | 651 | } while (s->rlayer.rrlmethod->processed_read_pending(s->rlayer.rrl) |
4030869d MC |
652 | && s->rlayer.num_recs < SSL_MAX_PIPELINES); |
653 | } | |
654 | rr = &s->rlayer.tlsrecs[s->rlayer.curr_rec]; | |
0f113f3e | 655 | |
3d35e3a2 | 656 | if (s->rlayer.handshake_fragment_len > 0 |
b0a9042e | 657 | && rr->type != SSL3_RT_HANDSHAKE |
38b051a1 | 658 | && SSL_CONNECTION_IS_TLS13(s)) { |
c48ffbcc | 659 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, |
3d35e3a2 MC |
660 | SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA); |
661 | return -1; | |
662 | } | |
663 | ||
af58be76 MC |
664 | /* |
665 | * Reset the count of consecutive warning alerts if we've got a non-empty | |
666 | * record that isn't an alert. | |
667 | */ | |
4030869d | 668 | if (rr->type != SSL3_RT_ALERT && rr->length != 0) |
af58be76 MC |
669 | s->rlayer.alert_count = 0; |
670 | ||
0f113f3e MC |
671 | /* we now have a packet which can be read and processed */ |
672 | ||
555cbb32 TS |
673 | if (s->s3.change_cipher_spec /* set when we receive ChangeCipherSpec, |
674 | * reset by ssl3_get_finished */ | |
4030869d | 675 | && (rr->type != SSL3_RT_HANDSHAKE)) { |
c48ffbcc | 676 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, |
99dd3740 MC |
677 | SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); |
678 | return -1; | |
0f113f3e MC |
679 | } |
680 | ||
681 | /* | |
682 | * If the other end has shut down, throw anything we read away (even in | |
683 | * 'peek' mode) | |
684 | */ | |
685 | if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { | |
4030869d | 686 | s->rlayer.curr_rec++; |
0f113f3e | 687 | s->rwstate = SSL_NOTHING; |
eda75751 | 688 | return 0; |
0f113f3e MC |
689 | } |
690 | ||
4030869d MC |
691 | if (type == rr->type |
692 | || (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC | |
97997489 | 693 | && type == SSL3_RT_HANDSHAKE && recvd_type != NULL |
bcf2907c | 694 | && !is_tls13)) { |
657da85e MC |
695 | /* |
696 | * SSL3_RT_APPLICATION_DATA or | |
697 | * SSL3_RT_HANDSHAKE or | |
698 | * SSL3_RT_CHANGE_CIPHER_SPEC | |
699 | */ | |
0f113f3e MC |
700 | /* |
701 | * make sure that we are not getting application data when we are | |
702 | * doing a handshake for the first time | |
703 | */ | |
38b051a1 | 704 | if (SSL_in_init(ssl) && type == SSL3_RT_APPLICATION_DATA |
f471f60a | 705 | && SSL_IS_FIRST_HANDSHAKE(s)) { |
c48ffbcc | 706 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_APP_DATA_IN_HANDSHAKE); |
99dd3740 | 707 | return -1; |
0f113f3e MC |
708 | } |
709 | ||
657da85e | 710 | if (type == SSL3_RT_HANDSHAKE |
4030869d | 711 | && rr->type == SSL3_RT_CHANGE_CIPHER_SPEC |
a230b26e | 712 | && s->rlayer.handshake_fragment_len > 0) { |
c48ffbcc | 713 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY); |
99dd3740 | 714 | return -1; |
657da85e MC |
715 | } |
716 | ||
717 | if (recvd_type != NULL) | |
4030869d | 718 | *recvd_type = rr->type; |
657da85e | 719 | |
1c47d35a MC |
720 | if (len == 0) { |
721 | /* | |
4030869d | 722 | * Skip a zero length record. This ensures multiple calls to |
1c47d35a MC |
723 | * SSL_read() with a zero length buffer will eventually cause |
724 | * SSL_pending() to report data as being available. | |
725 | */ | |
7a4e109e MC |
726 | if (rr->length == 0 && !ssl_release_record(s, rr, 0)) |
727 | return -1; | |
eddb067e | 728 | |
eda75751 | 729 | return 0; |
1c47d35a | 730 | } |
0f113f3e | 731 | |
54105ddd | 732 | totalbytes = 0; |
4030869d | 733 | curr_rec = s->rlayer.curr_rec; |
94777c9c | 734 | do { |
4030869d MC |
735 | if (len - totalbytes > rr->length) |
736 | n = rr->length; | |
94777c9c | 737 | else |
54105ddd | 738 | n = len - totalbytes; |
94777c9c MC |
739 | |
740 | memcpy(buf, &(rr->data[rr->off]), n); | |
741 | buf += n; | |
b8d24395 MC |
742 | if (peek) { |
743 | /* Mark any zero length record as consumed CVE-2016-6305 */ | |
7a4e109e MC |
744 | if (rr->length == 0 && !ssl_release_record(s, rr, 0)) |
745 | return -1; | |
b8d24395 | 746 | } else { |
7a4e109e MC |
747 | if (!ssl_release_record(s, rr, n)) |
748 | return -1; | |
0f113f3e | 749 | } |
4030869d MC |
750 | if (rr->length == 0 |
751 | || (peek && n == rr->length)) { | |
94777c9c | 752 | rr++; |
4030869d | 753 | curr_rec++; |
94777c9c | 754 | } |
54105ddd | 755 | totalbytes += n; |
4030869d MC |
756 | } while (type == SSL3_RT_APPLICATION_DATA |
757 | && curr_rec < s->rlayer.num_recs | |
758 | && totalbytes < len); | |
54105ddd | 759 | if (totalbytes == 0) { |
255cfeac MC |
760 | /* We must have read empty records. Get more data */ |
761 | goto start; | |
762 | } | |
54105ddd | 763 | *readbytes = totalbytes; |
eda75751 | 764 | return 1; |
0f113f3e MC |
765 | } |
766 | ||
767 | /* | |
768 | * If we get here, then type != rr->type; if we have a handshake message, | |
657da85e MC |
769 | * then it was unexpected (Hello Request or Client Hello) or invalid (we |
770 | * were actually expecting a CCS). | |
0f113f3e MC |
771 | */ |
772 | ||
32ec4153 MC |
773 | /* |
774 | * Lets just double check that we've not got an SSLv2 record | |
775 | */ | |
4030869d | 776 | if (rr->version == SSL2_VERSION) { |
32ec4153 MC |
777 | /* |
778 | * Should never happen. ssl3_get_record() should only give us an SSLv2 | |
779 | * record back if this is the first packet and we are looking for an | |
780 | * initial ClientHello. Therefore |type| should always be equal to | |
781 | * |rr->type|. If not then something has gone horribly wrong | |
782 | */ | |
c48ffbcc | 783 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
99dd3740 | 784 | return -1; |
32ec4153 MC |
785 | } |
786 | ||
38b051a1 | 787 | if (ssl->method->version == TLS_ANY_VERSION |
a230b26e | 788 | && (s->server || rr->type != SSL3_RT_ALERT)) { |
13c9bb3e MC |
789 | /* |
790 | * If we've got this far and still haven't decided on what version | |
558ea847 RL |
791 | * we're using then this must be a client side alert we're dealing |
792 | * with. We shouldn't be receiving anything other than a ClientHello | |
793 | * if we are a server. | |
13c9bb3e | 794 | */ |
4030869d | 795 | s->version = rr->version; |
c48ffbcc | 796 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); |
99dd3740 | 797 | return -1; |
13c9bb3e MC |
798 | } |
799 | ||
50e735f9 | 800 | /*- |
4aa7389e | 801 | * s->rlayer.handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE; |
50e735f9 MC |
802 | * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) |
803 | */ | |
0f113f3e | 804 | |
4030869d | 805 | if (rr->type == SSL3_RT_ALERT) { |
bd990e25 | 806 | unsigned int alert_level, alert_descr; |
2eb91b0e | 807 | const unsigned char *alert_bytes = rr->data + rr->off; |
bd990e25 MC |
808 | PACKET alert; |
809 | ||
4030869d | 810 | if (!PACKET_buf_init(&alert, alert_bytes, rr->length) |
bd990e25 MC |
811 | || !PACKET_get_1(&alert, &alert_level) |
812 | || !PACKET_get_1(&alert, &alert_descr) | |
813 | || PACKET_remaining(&alert) != 0) { | |
c48ffbcc | 814 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_INVALID_ALERT); |
99dd3740 | 815 | return -1; |
bd990e25 | 816 | } |
0f113f3e MC |
817 | |
818 | if (s->msg_callback) | |
38b051a1 | 819 | s->msg_callback(0, s->version, SSL3_RT_ALERT, alert_bytes, 2, ssl, |
4aa7389e | 820 | s->msg_callback_arg); |
0f113f3e MC |
821 | |
822 | if (s->info_callback != NULL) | |
823 | cb = s->info_callback; | |
38b051a1 TM |
824 | else if (ssl->ctx->info_callback != NULL) |
825 | cb = ssl->ctx->info_callback; | |
0f113f3e MC |
826 | |
827 | if (cb != NULL) { | |
828 | j = (alert_level << 8) | alert_descr; | |
38b051a1 | 829 | cb(ssl, SSL_CB_READ_ALERT, j); |
0f113f3e MC |
830 | } |
831 | ||
4030869d | 832 | if ((!is_tls13 && alert_level == SSL3_AL_WARNING) |
bcf2907c | 833 | || (is_tls13 && alert_descr == SSL_AD_USER_CANCELLED)) { |
555cbb32 | 834 | s->s3.warn_alert = alert_descr; |
7a4e109e MC |
835 | if (!ssl_release_record(s, rr, 0)) |
836 | return -1; | |
af58be76 MC |
837 | |
838 | s->rlayer.alert_count++; | |
839 | if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) { | |
c48ffbcc | 840 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, |
99dd3740 MC |
841 | SSL_R_TOO_MANY_WARN_ALERTS); |
842 | return -1; | |
af58be76 | 843 | } |
4aa5a566 MC |
844 | } |
845 | ||
846 | /* | |
bcf2907c MC |
847 | * Apart from close_notify the only other warning alert in TLSv1.3 |
848 | * is user_cancelled - which we just ignore. | |
4aa5a566 | 849 | */ |
bcf2907c MC |
850 | if (is_tls13 && alert_descr == SSL_AD_USER_CANCELLED) { |
851 | goto start; | |
852 | } else if (alert_descr == SSL_AD_CLOSE_NOTIFY | |
853 | && (is_tls13 || alert_level == SSL3_AL_WARNING)) { | |
854 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; | |
855 | return 0; | |
856 | } else if (alert_level == SSL3_AL_FATAL || is_tls13) { | |
0f113f3e | 857 | s->rwstate = SSL_NOTHING; |
555cbb32 | 858 | s->s3.fatal_alert = alert_descr; |
c48ffbcc RL |
859 | SSLfatal_data(s, SSL_AD_NO_ALERT, |
860 | SSL_AD_REASON_OFFSET + alert_descr, | |
861 | "SSL alert number %d", alert_descr); | |
0f113f3e | 862 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; |
7a4e109e MC |
863 | if (!ssl_release_record(s, rr, 0)) |
864 | return -1; | |
e2bb9b9b | 865 | SSL_CTX_remove_session(s->session_ctx, s->session); |
eda75751 | 866 | return 0; |
bcf2907c MC |
867 | } else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { |
868 | /* | |
869 | * This is a warning but we receive it if we requested | |
870 | * renegotiation and the peer denied it. Terminate with a fatal | |
871 | * alert because if application tried to renegotiate it | |
872 | * presumably had a good reason and expects it to succeed. In | |
873 | * future we might have a renegotiation where we don't care if | |
874 | * the peer refused it where we carry on. | |
875 | */ | |
c48ffbcc | 876 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_RENEGOTIATION); |
99dd3740 | 877 | return -1; |
fee33643 MC |
878 | } else if (alert_level == SSL3_AL_WARNING) { |
879 | /* We ignore any other warning alert in TLSv1.2 and below */ | |
880 | goto start; | |
0f113f3e | 881 | } |
bcf2907c | 882 | |
c48ffbcc | 883 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_ALERT_TYPE); |
bcf2907c | 884 | return -1; |
0f113f3e MC |
885 | } |
886 | ||
ba709049 | 887 | if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { |
4030869d | 888 | if (rr->type == SSL3_RT_HANDSHAKE) { |
ba709049 MC |
889 | BIO *rbio; |
890 | ||
1bf4cb0f MC |
891 | /* |
892 | * We ignore any handshake messages sent to us unless they are | |
893 | * TLSv1.3 in which case we want to process them. For all other | |
894 | * handshake messages we can't do anything reasonable with them | |
895 | * because we are unable to write any response due to having already | |
896 | * sent close_notify. | |
897 | */ | |
38b051a1 | 898 | if (!SSL_CONNECTION_IS_TLS13(s)) { |
7a4e109e MC |
899 | if (!ssl_release_record(s, rr, 0)) |
900 | return -1; | |
1bf4cb0f MC |
901 | |
902 | if ((s->mode & SSL_MODE_AUTO_RETRY) != 0) | |
903 | goto start; | |
ba709049 | 904 | |
1bf4cb0f | 905 | s->rwstate = SSL_READING; |
38b051a1 | 906 | rbio = SSL_get_rbio(ssl); |
1bf4cb0f MC |
907 | BIO_clear_retry_flags(rbio); |
908 | BIO_set_retry_read(rbio); | |
909 | return -1; | |
910 | } | |
358ffa05 MC |
911 | } else { |
912 | /* | |
913 | * The peer is continuing to send application data, but we have | |
914 | * already sent close_notify. If this was expected we should have | |
915 | * been called via SSL_read() and this would have been handled | |
916 | * above. | |
917 | * No alert sent because we already sent close_notify | |
918 | */ | |
7a4e109e MC |
919 | if (!ssl_release_record(s, rr, 0)) |
920 | return -1; | |
c48ffbcc | 921 | SSLfatal(s, SSL_AD_NO_ALERT, |
358ffa05 | 922 | SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY); |
1bf4cb0f | 923 | return -1; |
ba709049 | 924 | } |
0f113f3e MC |
925 | } |
926 | ||
93f528f3 MC |
927 | /* |
928 | * For handshake data we have 'fragment' storage, so fill that so that we | |
929 | * can process the header at a fixed place. This is done after the | |
930 | * "SHUTDOWN" code above to avoid filling the fragment storage with data | |
931 | * that we're just going to discard. | |
932 | */ | |
4030869d | 933 | if (rr->type == SSL3_RT_HANDSHAKE) { |
93f528f3 MC |
934 | size_t dest_maxlen = sizeof(s->rlayer.handshake_fragment); |
935 | unsigned char *dest = s->rlayer.handshake_fragment; | |
936 | size_t *dest_len = &s->rlayer.handshake_fragment_len; | |
937 | ||
938 | n = dest_maxlen - *dest_len; /* available space in 'dest' */ | |
4030869d MC |
939 | if (rr->length < n) |
940 | n = rr->length; /* available bytes */ | |
93f528f3 MC |
941 | |
942 | /* now move 'n' bytes: */ | |
7a4e109e MC |
943 | if (n > 0) { |
944 | memcpy(dest + *dest_len, rr->data + rr->off, n); | |
945 | *dest_len += n; | |
7a4e109e | 946 | } |
c20d923b MC |
947 | /* |
948 | * We release the number of bytes consumed, or the whole record if it | |
949 | * is zero length | |
950 | */ | |
951 | if ((n > 0 || rr->length == 0) && !ssl_release_record(s, rr, n)) | |
952 | return -1; | |
93f528f3 MC |
953 | |
954 | if (*dest_len < dest_maxlen) | |
955 | goto start; /* fragment was too small */ | |
956 | } | |
957 | ||
4030869d | 958 | if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { |
c48ffbcc | 959 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY); |
99dd3740 | 960 | return -1; |
0f113f3e MC |
961 | } |
962 | ||
963 | /* | |
c7f47786 | 964 | * Unexpected handshake message (ClientHello, NewSessionTicket (TLS1.3) or |
0386aad1 | 965 | * protocol violation) |
0f113f3e | 966 | */ |
024f543c | 967 | if ((s->rlayer.handshake_fragment_len >= 4) |
c7f47786 | 968 | && !ossl_statem_get_in_handshake(s)) { |
39ef7821 MC |
969 | int ined = (s->early_data_state == SSL_EARLY_DATA_READING); |
970 | ||
c7f47786 MC |
971 | /* We found handshake data, so we're going back into init */ |
972 | ossl_statem_set_in_init(s, 1); | |
973 | ||
38b051a1 | 974 | i = s->handshake_func(ssl); |
99dd3740 | 975 | /* SSLfatal() already called if appropriate */ |
0f113f3e | 976 | if (i < 0) |
eda75751 | 977 | return i; |
0f113f3e | 978 | if (i == 0) { |
eda75751 | 979 | return -1; |
0f113f3e MC |
980 | } |
981 | ||
39ef7821 MC |
982 | /* |
983 | * If we were actually trying to read early data and we found a | |
984 | * handshake message, then we don't want to continue to try and read | |
985 | * the application data any more. It won't be "early" now. | |
986 | */ | |
987 | if (ined) | |
988 | return -1; | |
989 | ||
0f113f3e | 990 | if (!(s->mode & SSL_MODE_AUTO_RETRY)) { |
4030869d | 991 | if (!RECORD_LAYER_read_pending(&s->rlayer)) { |
0f113f3e MC |
992 | BIO *bio; |
993 | /* | |
994 | * In the case where we try to read application data, but we | |
995 | * trigger an SSL handshake, we return -1 with the retry | |
996 | * option set. Otherwise renegotiation may cause nasty | |
997 | * problems in the blocking world | |
998 | */ | |
999 | s->rwstate = SSL_READING; | |
38b051a1 | 1000 | bio = SSL_get_rbio(ssl); |
0f113f3e MC |
1001 | BIO_clear_retry_flags(bio); |
1002 | BIO_set_retry_read(bio); | |
eda75751 | 1003 | return -1; |
0f113f3e MC |
1004 | } |
1005 | } | |
1006 | goto start; | |
1007 | } | |
1008 | ||
4030869d | 1009 | switch (rr->type) { |
0f113f3e | 1010 | default: |
0f113f3e | 1011 | /* |
436a2a01 MC |
1012 | * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but |
1013 | * TLS 1.2 says you MUST send an unexpected message alert. We use the | |
1014 | * TLS 1.2 behaviour for all protocol versions to prevent issues where | |
1015 | * no progress is being made and the peer continually sends unrecognised | |
1016 | * record types, using up resources processing them. | |
0f113f3e | 1017 | */ |
c48ffbcc | 1018 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD); |
99dd3740 | 1019 | return -1; |
0f113f3e MC |
1020 | case SSL3_RT_CHANGE_CIPHER_SPEC: |
1021 | case SSL3_RT_ALERT: | |
1022 | case SSL3_RT_HANDSHAKE: | |
1023 | /* | |
1024 | * we already handled all of these, with the possible exception of | |
024f543c MC |
1025 | * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but |
1026 | * that should not happen when type != rr->type | |
0f113f3e | 1027 | */ |
c48ffbcc | 1028 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, ERR_R_INTERNAL_ERROR); |
99dd3740 | 1029 | return -1; |
0f113f3e MC |
1030 | case SSL3_RT_APPLICATION_DATA: |
1031 | /* | |
1032 | * At this point, we were expecting handshake data, but have | |
1033 | * application data. If the library was running inside ssl3_read() | |
1034 | * (i.e. in_read_app_data is set) and it makes sense to read | |
1035 | * application data at this point (session renegotiation not yet | |
1036 | * started), we will indulge it. | |
1037 | */ | |
fe3a3291 | 1038 | if (ossl_statem_app_data_allowed(s)) { |
555cbb32 | 1039 | s->s3.in_read_app_data = 2; |
eda75751 | 1040 | return -1; |
a832b5ef MC |
1041 | } else if (ossl_statem_skip_early_data(s)) { |
1042 | /* | |
1043 | * This can happen after a client sends a CH followed by early_data, | |
1044 | * but the server responds with a HelloRetryRequest. The server | |
1045 | * reads the next record from the client expecting to find a | |
1046 | * plaintext ClientHello but gets a record which appears to be | |
1047 | * application data. The trial decrypt "works" because null | |
1048 | * decryption was applied. We just skip it and move on to the next | |
1049 | * record. | |
1050 | */ | |
38b051a1 TM |
1051 | if (!ossl_early_data_count_ok(s, rr->length, |
1052 | EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { | |
196f2cbb | 1053 | /* SSLfatal() already called */ |
99dd3740 | 1054 | return -1; |
196f2cbb | 1055 | } |
7a4e109e MC |
1056 | if (!ssl_release_record(s, rr, 0)) |
1057 | return -1; | |
a832b5ef | 1058 | goto start; |
0f113f3e | 1059 | } else { |
c48ffbcc | 1060 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD); |
99dd3740 | 1061 | return -1; |
0f113f3e MC |
1062 | } |
1063 | } | |
0f113f3e | 1064 | } |
d02b48c6 | 1065 | |
d45ba43d MC |
1066 | /* |
1067 | * Returns true if the current rrec was sent in SSLv2 backwards compatible | |
1068 | * format and false otherwise. | |
1069 | */ | |
32ec4153 MC |
1070 | int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl) |
1071 | { | |
4030869d MC |
1072 | if (SSL_CONNECTION_IS_DTLS(rl->s)) |
1073 | return 0; | |
1074 | return rl->tlsrecs[0].version == SSL2_VERSION; | |
32ec4153 | 1075 | } |
0f113f3e | 1076 | |
ed0e298f | 1077 | static OSSL_FUNC_rlayer_msg_callback_fn rlayer_msg_callback_wrapper; |
3c7b9ef9 MC |
1078 | static void rlayer_msg_callback_wrapper(int write_p, int version, |
1079 | int content_type, const void *buf, | |
1080 | size_t len, void *cbarg) | |
1081 | { | |
1082 | SSL_CONNECTION *s = cbarg; | |
1083 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); | |
1084 | ||
1085 | if (s->msg_callback != NULL) | |
1086 | s->msg_callback(write_p, version, content_type, buf, len, ssl, | |
1087 | s->msg_callback_arg); | |
1088 | } | |
1089 | ||
ed0e298f MC |
1090 | static OSSL_FUNC_rlayer_security_fn rlayer_security_wrapper; |
1091 | static int rlayer_security_wrapper(void *cbarg, int op, int bits, int nid, | |
1092 | void *other) | |
1093 | { | |
1094 | SSL_CONNECTION *s = cbarg; | |
1095 | ||
1096 | return ssl_security(s, op, bits, nid, other); | |
1097 | } | |
1098 | ||
5f95eb77 MC |
1099 | static OSSL_FUNC_rlayer_padding_fn rlayer_padding_wrapper; |
1100 | static size_t rlayer_padding_wrapper(void *cbarg, int type, size_t len) | |
1101 | { | |
1102 | SSL_CONNECTION *s = cbarg; | |
1103 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); | |
1104 | ||
eb7d6c2a MC |
1105 | return s->rlayer.record_padding_cb(ssl, type, len, |
1106 | s->rlayer.record_padding_arg); | |
5f95eb77 MC |
1107 | } |
1108 | ||
9dd90232 MC |
1109 | static const OSSL_DISPATCH rlayer_dispatch[] = { |
1110 | { OSSL_FUNC_RLAYER_SKIP_EARLY_DATA, (void (*)(void))ossl_statem_skip_early_data }, | |
3c7b9ef9 | 1111 | { OSSL_FUNC_RLAYER_MSG_CALLBACK, (void (*)(void))rlayer_msg_callback_wrapper }, |
ed0e298f | 1112 | { OSSL_FUNC_RLAYER_SECURITY, (void (*)(void))rlayer_security_wrapper }, |
5f95eb77 | 1113 | { OSSL_FUNC_RLAYER_PADDING, (void (*)(void))rlayer_padding_wrapper }, |
1e6bd31e | 1114 | OSSL_DISPATCH_END |
9dd90232 MC |
1115 | }; |
1116 | ||
bea8d704 MC |
1117 | void ossl_ssl_set_custom_record_layer(SSL_CONNECTION *s, |
1118 | const OSSL_RECORD_METHOD *meth, | |
1119 | void *rlarg) | |
1120 | { | |
1121 | s->rlayer.custom_rlmethod = meth; | |
1122 | s->rlayer.rlarg = rlarg; | |
1123 | } | |
1124 | ||
cc110a0a | 1125 | static const OSSL_RECORD_METHOD *ssl_select_next_record_layer(SSL_CONNECTION *s, |
2c50d7fb | 1126 | int direction, |
cc110a0a MC |
1127 | int level) |
1128 | { | |
bea8d704 MC |
1129 | if (s->rlayer.custom_rlmethod != NULL) |
1130 | return s->rlayer.custom_rlmethod; | |
cc110a0a MC |
1131 | |
1132 | if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE) { | |
1133 | if (SSL_CONNECTION_IS_DTLS(s)) | |
1134 | return &ossl_dtls_record_method; | |
1135 | ||
1136 | return &ossl_tls_record_method; | |
1137 | } | |
1138 | ||
1139 | #ifndef OPENSSL_NO_KTLS | |
1140 | /* KTLS does not support renegotiation */ | |
1141 | if (level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION | |
1142 | && (s->options & SSL_OP_ENABLE_KTLS) != 0 | |
1143 | && (SSL_CONNECTION_IS_TLS13(s) || SSL_IS_FIRST_HANDSHAKE(s))) | |
1144 | return &ossl_ktls_record_method; | |
1145 | #endif | |
1146 | ||
1147 | /* Default to the current OSSL_RECORD_METHOD */ | |
2c50d7fb MC |
1148 | return direction == OSSL_RECORD_DIRECTION_READ ? s->rlayer.rrlmethod |
1149 | : s->rlayer.wrlmethod; | |
cc110a0a MC |
1150 | } |
1151 | ||
2b71b042 | 1152 | static int ssl_post_record_layer_select(SSL_CONNECTION *s, int direction) |
cc110a0a | 1153 | { |
2b71b042 MC |
1154 | const OSSL_RECORD_METHOD *thismethod; |
1155 | OSSL_RECORD_LAYER *thisrl; | |
1156 | ||
1157 | if (direction == OSSL_RECORD_DIRECTION_READ) { | |
1158 | thismethod = s->rlayer.rrlmethod; | |
1159 | thisrl = s->rlayer.rrl; | |
1160 | } else { | |
1161 | thismethod = s->rlayer.wrlmethod; | |
1162 | thisrl = s->rlayer.wrl; | |
1163 | } | |
1164 | ||
cc110a0a | 1165 | #ifndef OPENSSL_NO_KTLS |
2b71b042 MC |
1166 | { |
1167 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); | |
cc110a0a | 1168 | |
2b71b042 MC |
1169 | if (s->rlayer.rrlmethod == &ossl_ktls_record_method) { |
1170 | /* KTLS does not support renegotiation so disallow it */ | |
1171 | SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION); | |
1172 | } | |
cc110a0a MC |
1173 | } |
1174 | #endif | |
2b71b042 MC |
1175 | if (SSL_IS_FIRST_HANDSHAKE(s) && thismethod->set_first_handshake != NULL) |
1176 | thismethod->set_first_handshake(thisrl, 1); | |
8124ab56 | 1177 | |
2b71b042 MC |
1178 | if (s->max_pipelines != 0 && thismethod->set_max_pipelines != NULL) |
1179 | thismethod->set_max_pipelines(thisrl, s->max_pipelines); | |
8124ab56 | 1180 | |
cc110a0a MC |
1181 | return 1; |
1182 | } | |
1183 | ||
1184 | int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, | |
1185 | int direction, int level, | |
3f9175c7 | 1186 | unsigned char *secret, size_t secretlen, |
79eebb08 MC |
1187 | unsigned char *key, size_t keylen, |
1188 | unsigned char *iv, size_t ivlen, | |
1189 | unsigned char *mackey, size_t mackeylen, | |
1190 | const EVP_CIPHER *ciph, size_t taglen, | |
1191 | int mactype, const EVP_MD *md, | |
3f9175c7 | 1192 | const SSL_COMP *comp, const EVP_MD *kdfdigest) |
79eebb08 | 1193 | { |
81c9ebd9 | 1194 | OSSL_PARAM options[5], *opts = options; |
8124ab56 | 1195 | OSSL_PARAM settings[6], *set = settings; |
2b71b042 | 1196 | const OSSL_RECORD_METHOD **thismethod; |
b5cf81f7 | 1197 | OSSL_RECORD_LAYER **thisrl, *newrl = NULL; |
2b71b042 | 1198 | BIO *thisbio; |
79eebb08 | 1199 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); |
cc110a0a | 1200 | const OSSL_RECORD_METHOD *meth; |
8124ab56 | 1201 | int use_etm, stream_mac = 0, tlstree = 0; |
435d88d7 MC |
1202 | unsigned int maxfrag = (direction == OSSL_RECORD_DIRECTION_WRITE) |
1203 | ? ssl_get_max_send_fragment(s) | |
1204 | : SSL3_RT_MAX_PLAIN_LENGTH; | |
9dd90232 MC |
1205 | int use_early_data = 0; |
1206 | uint32_t max_early_data; | |
1e76110b | 1207 | COMP_METHOD *compm = (comp == NULL) ? NULL : comp->method; |
cc110a0a | 1208 | |
2c50d7fb | 1209 | meth = ssl_select_next_record_layer(s, direction, level); |
79eebb08 | 1210 | |
2b71b042 MC |
1211 | if (direction == OSSL_RECORD_DIRECTION_READ) { |
1212 | thismethod = &s->rlayer.rrlmethod; | |
1213 | thisrl = &s->rlayer.rrl; | |
1214 | thisbio = s->rbio; | |
1215 | } else { | |
1216 | thismethod = &s->rlayer.wrlmethod; | |
1217 | thisrl = &s->rlayer.wrl; | |
1218 | thisbio = s->wbio; | |
1219 | } | |
1220 | ||
b5cf81f7 MC |
1221 | if (meth == NULL) |
1222 | meth = *thismethod; | |
79eebb08 | 1223 | |
b5cf81f7 | 1224 | if (!ossl_assert(meth != NULL)) { |
79eebb08 MC |
1225 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
1226 | return 0; | |
1227 | } | |
1228 | ||
7f2f0ac7 MC |
1229 | /* Parameters that *may* be supported by a record layer if passed */ |
1230 | *opts++ = OSSL_PARAM_construct_uint64(OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS, | |
1231 | &s->options); | |
1232 | *opts++ = OSSL_PARAM_construct_uint32(OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE, | |
1233 | &s->mode); | |
2b71b042 MC |
1234 | if (direction == OSSL_RECORD_DIRECTION_READ) { |
1235 | *opts++ = OSSL_PARAM_construct_size_t(OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN, | |
1236 | &s->rlayer.default_read_buf_len); | |
1237 | *opts++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD, | |
1238 | &s->rlayer.read_ahead); | |
eb7d6c2a MC |
1239 | } else { |
1240 | *opts++ = OSSL_PARAM_construct_size_t(OSSL_LIBSSL_RECORD_LAYER_PARAM_BLOCK_PADDING, | |
1241 | &s->rlayer.block_padding); | |
2b71b042 | 1242 | } |
7f2f0ac7 MC |
1243 | *opts = OSSL_PARAM_construct_end(); |
1244 | ||
1245 | /* Parameters that *must* be supported by a record layer if passed */ | |
8124ab56 | 1246 | if (direction == OSSL_RECORD_DIRECTION_READ) { |
7f2f0ac7 | 1247 | use_etm = SSL_READ_ETM(s) ? 1 : 0; |
8124ab56 MC |
1248 | if ((s->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM) != 0) |
1249 | stream_mac = 1; | |
1250 | ||
1251 | if ((s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE) != 0) | |
1252 | tlstree = 1; | |
1253 | } else { | |
7f2f0ac7 | 1254 | use_etm = SSL_WRITE_ETM(s) ? 1 : 0; |
8124ab56 MC |
1255 | if ((s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) != 0) |
1256 | stream_mac = 1; | |
1257 | ||
1258 | if ((s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) != 0) | |
1259 | tlstree = 1; | |
1260 | } | |
7f2f0ac7 MC |
1261 | |
1262 | if (use_etm) | |
1263 | *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM, | |
1264 | &use_etm); | |
ffbd6e67 | 1265 | |
8124ab56 MC |
1266 | if (stream_mac) |
1267 | *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC, | |
1268 | &stream_mac); | |
1269 | ||
1270 | if (tlstree) | |
1271 | *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE, | |
1272 | &tlstree); | |
1273 | ||
435d88d7 MC |
1274 | /* |
1275 | * We only need to do this for the read side. The write side should already | |
1276 | * have the correct value due to the ssl_get_max_send_fragment() call above | |
1277 | */ | |
1278 | if (direction == OSSL_RECORD_DIRECTION_READ | |
1279 | && s->session != NULL | |
1280 | && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) | |
ffbd6e67 MC |
1281 | maxfrag = GET_MAX_FRAGMENT_LENGTH(s->session); |
1282 | ||
435d88d7 | 1283 | |
ffbd6e67 MC |
1284 | if (maxfrag != SSL3_RT_MAX_PLAIN_LENGTH) |
1285 | *set++ = OSSL_PARAM_construct_uint(OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN, | |
1286 | &maxfrag); | |
1287 | ||
9dd90232 MC |
1288 | /* |
1289 | * The record layer must check the amount of early data sent or received | |
1290 | * using the early keys. A server also needs to worry about rejected early | |
1291 | * data that might arrive when the handshake keys are in force. | |
1292 | */ | |
9dd90232 MC |
1293 | if (s->server && direction == OSSL_RECORD_DIRECTION_READ) { |
1294 | use_early_data = (level == OSSL_RECORD_PROTECTION_LEVEL_EARLY | |
1295 | || level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE); | |
1296 | } else if (!s->server && direction == OSSL_RECORD_DIRECTION_WRITE) { | |
1297 | use_early_data = (level == OSSL_RECORD_PROTECTION_LEVEL_EARLY); | |
1298 | } | |
1299 | if (use_early_data) { | |
1300 | max_early_data = ossl_get_max_early_data(s); | |
1301 | ||
1302 | if (max_early_data != 0) | |
1e065a15 J |
1303 | *set++ = OSSL_PARAM_construct_uint32(OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA, |
1304 | &max_early_data); | |
9dd90232 MC |
1305 | } |
1306 | ||
7f2f0ac7 | 1307 | *set = OSSL_PARAM_construct_end(); |
79eebb08 | 1308 | |
cc110a0a | 1309 | for (;;) { |
7c293999 | 1310 | int rlret; |
2b71b042 MC |
1311 | BIO *prev = NULL; |
1312 | BIO *next = NULL; | |
5f95eb77 MC |
1313 | unsigned int epoch = 0; |
1314 | OSSL_DISPATCH rlayer_dispatch_tmp[OSSL_NELEM(rlayer_dispatch)]; | |
1315 | size_t i, j; | |
222cf410 | 1316 | |
2b71b042 MC |
1317 | if (direction == OSSL_RECORD_DIRECTION_READ) { |
1318 | prev = s->rlayer.rrlnext; | |
1319 | if (SSL_CONNECTION_IS_DTLS(s) | |
1320 | && level != OSSL_RECORD_PROTECTION_LEVEL_NONE) | |
1321 | epoch = DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer) + 1; /* new epoch */ | |
359affde | 1322 | |
3a857b95 | 1323 | #ifndef OPENSSL_NO_DGRAM |
2b71b042 MC |
1324 | if (SSL_CONNECTION_IS_DTLS(s)) |
1325 | next = BIO_new(BIO_s_dgram_mem()); | |
1326 | else | |
3a857b95 | 1327 | #endif |
2b71b042 MC |
1328 | next = BIO_new(BIO_s_mem()); |
1329 | ||
1330 | if (next == NULL) { | |
2b71b042 MC |
1331 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
1332 | return 0; | |
1333 | } | |
1334 | s->rlayer.rrlnext = next; | |
b9e37f8f MC |
1335 | } else { |
1336 | if (SSL_CONNECTION_IS_DTLS(s) | |
1337 | && level != OSSL_RECORD_PROTECTION_LEVEL_NONE) | |
1338 | epoch = DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) + 1; /* new epoch */ | |
359affde | 1339 | } |
7c293999 | 1340 | |
5f95eb77 MC |
1341 | /* |
1342 | * Create a copy of the dispatch array, missing out wrappers for | |
1343 | * callbacks that we don't need. | |
1344 | */ | |
1345 | for (i = 0, j = 0; i < OSSL_NELEM(rlayer_dispatch); i++) { | |
1346 | switch (rlayer_dispatch[i].function_id) { | |
1347 | case OSSL_FUNC_RLAYER_MSG_CALLBACK: | |
1348 | if (s->msg_callback == NULL) | |
1349 | continue; | |
1350 | break; | |
1351 | case OSSL_FUNC_RLAYER_PADDING: | |
eb7d6c2a | 1352 | if (s->rlayer.record_padding_cb == NULL) |
5f95eb77 MC |
1353 | continue; |
1354 | break; | |
1355 | default: | |
1356 | break; | |
1357 | } | |
1358 | rlayer_dispatch_tmp[j++] = rlayer_dispatch[i]; | |
1359 | } | |
1360 | ||
b5cf81f7 MC |
1361 | rlret = meth->new_record_layer(sctx->libctx, sctx->propq, version, |
1362 | s->server, direction, level, epoch, | |
3f9175c7 MC |
1363 | secret, secretlen, key, keylen, iv, |
1364 | ivlen, mackey, mackeylen, ciph, taglen, | |
1365 | mactype, md, compm, kdfdigest, prev, | |
1366 | thisbio, next, NULL, NULL, settings, | |
1367 | options, rlayer_dispatch_tmp, s, | |
1368 | s->rlayer.rlarg, &newrl); | |
359affde | 1369 | BIO_free(prev); |
7c293999 MC |
1370 | switch (rlret) { |
1371 | case OSSL_RECORD_RETURN_FATAL: | |
1372 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_RECORD_LAYER_FAILURE); | |
7f2f0ac7 | 1373 | return 0; |
7c293999 MC |
1374 | |
1375 | case OSSL_RECORD_RETURN_NON_FATAL_ERR: | |
b5cf81f7 | 1376 | if (*thismethod != meth && *thismethod != NULL) { |
cc110a0a MC |
1377 | /* |
1378 | * We tried a new record layer method, but it didn't work out, | |
1379 | * so we fallback to the original method and try again | |
1380 | */ | |
b5cf81f7 | 1381 | meth = *thismethod; |
cc110a0a MC |
1382 | continue; |
1383 | } | |
7c293999 | 1384 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_RECORD_LAYER); |
7f2f0ac7 | 1385 | return 0; |
7c293999 MC |
1386 | |
1387 | case OSSL_RECORD_RETURN_SUCCESS: | |
1388 | break; | |
1389 | ||
1390 | default: | |
1391 | /* Should not happen */ | |
1392 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
7f2f0ac7 | 1393 | return 0; |
cc110a0a MC |
1394 | } |
1395 | break; | |
79eebb08 MC |
1396 | } |
1397 | ||
b9e37f8f MC |
1398 | /* |
1399 | * Free the old record layer if we have one except in the case of DTLS when | |
20c7febc MC |
1400 | * writing and there are still buffered sent messages in our queue. In that |
1401 | * case the record layer is still referenced by those buffered messages for | |
1402 | * potential retransmit. Only when those buffered messages get freed do we | |
1403 | * free the record layer object (see dtls1_hm_fragment_free) | |
b9e37f8f | 1404 | */ |
20c7febc MC |
1405 | if (!SSL_CONNECTION_IS_DTLS(s) |
1406 | || direction == OSSL_RECORD_DIRECTION_READ | |
1407 | || pqueue_peek(s->d1->sent_messages) == NULL) { | |
b9e37f8f MC |
1408 | if (*thismethod != NULL && !(*thismethod)->free(*thisrl)) { |
1409 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
1410 | return 0; | |
1411 | } | |
b5cf81f7 MC |
1412 | } |
1413 | ||
1414 | *thisrl = newrl; | |
1415 | *thismethod = meth; | |
1416 | ||
2b71b042 | 1417 | return ssl_post_record_layer_select(s, direction); |
79eebb08 | 1418 | } |
1d367677 MC |
1419 | |
1420 | int ssl_set_record_protocol_version(SSL_CONNECTION *s, int vers) | |
1421 | { | |
1422 | if (!ossl_assert(s->rlayer.rrlmethod != NULL) | |
1423 | || !ossl_assert(s->rlayer.wrlmethod != NULL)) | |
1424 | return 0; | |
1425 | s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl, s->version); | |
1426 | s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, s->version); | |
1427 | ||
1428 | return 1; | |
1429 | } |