]>
Commit | Line | Data |
---|---|---|
846e33c7 | 1 | /* |
b6461792 | 2 | * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. |
c51ae173 | 3 | * |
2c18d164 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
846e33c7 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
c51ae173 | 8 | */ |
d02b48c6 RE |
9 | |
10 | #include <stdio.h> | |
339da43d | 11 | #include <limits.h> |
d02b48c6 | 12 | #include <errno.h> |
7a4e109e | 13 | #include <assert.h> |
706457b7 | 14 | #include "../ssl_local.h" |
d6e7ebba | 15 | #include "../quic/quic_local.h" |
ec577822 BM |
16 | #include <openssl/evp.h> |
17 | #include <openssl/buffer.h> | |
637f374a | 18 | #include <openssl/rand.h> |
79eebb08 | 19 | #include <openssl/core_names.h> |
706457b7 | 20 | #include "record_local.h" |
0d345f0e | 21 | #include "internal/packet.h" |
d02b48c6 | 22 | |
38b051a1 | 23 | void RECORD_LAYER_init(RECORD_LAYER *rl, SSL_CONNECTION *s) |
c036e210 MC |
24 | { |
25 | rl->s = s; | |
c036e210 MC |
26 | } |
27 | ||
4a0e4849 | 28 | int RECORD_LAYER_clear(RECORD_LAYER *rl) |
af9752e5 | 29 | { |
4a0e4849 MC |
30 | int ret = 1; |
31 | ||
32 | /* Clear any buffered records we no longer need */ | |
33 | while (rl->curr_rec < rl->num_recs) | |
34 | ret &= ssl_release_record(rl->s, | |
35 | &(rl->tlsrecs[rl->curr_rec++]), | |
36 | 0); | |
37 | ||
38 | ||
6b41b3f5 | 39 | rl->wnum = 0; |
6b41b3f5 MC |
40 | memset(rl->handshake_fragment, 0, sizeof(rl->handshake_fragment)); |
41 | rl->handshake_fragment_len = 0; | |
42 | rl->wpend_tot = 0; | |
43 | rl->wpend_type = 0; | |
6b41b3f5 | 44 | rl->wpend_buf = NULL; |
4a0e4849 MC |
45 | rl->alert_count = 0; |
46 | rl->num_recs = 0; | |
47 | rl->curr_rec = 0; | |
48 | ||
49 | BIO_free(rl->rrlnext); | |
50 | rl->rrlnext = NULL; | |
6b41b3f5 | 51 | |
cffafb5f MC |
52 | if (rl->rrlmethod != NULL) |
53 | rl->rrlmethod->free(rl->rrl); /* Ignore return value */ | |
2b71b042 MC |
54 | if (rl->wrlmethod != NULL) |
55 | rl->wrlmethod->free(rl->wrl); /* Ignore return value */ | |
cffafb5f MC |
56 | BIO_free(rl->rrlnext); |
57 | rl->rrlmethod = NULL; | |
2b71b042 | 58 | rl->wrlmethod = NULL; |
cffafb5f | 59 | rl->rrlnext = NULL; |
2b71b042 MC |
60 | rl->rrl = NULL; |
61 | rl->wrl = NULL; | |
cffafb5f | 62 | |
6b41b3f5 | 63 | if (rl->d) |
5fb6f80c | 64 | DTLS_RECORD_LAYER_clear(rl); |
4a0e4849 MC |
65 | |
66 | return ret; | |
67 | } | |
68 | ||
69 | int RECORD_LAYER_reset(RECORD_LAYER *rl) | |
70 | { | |
71 | int ret; | |
72 | ||
73 | ret = RECORD_LAYER_clear(rl); | |
74 | ||
75 | /* We try and reset both record layers even if one fails */ | |
76 | ret &= ssl_set_new_record_layer(rl->s, | |
77 | SSL_CONNECTION_IS_DTLS(rl->s) | |
78 | ? DTLS_ANY_VERSION : TLS_ANY_VERSION, | |
79 | OSSL_RECORD_DIRECTION_READ, | |
80 | OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0, | |
81 | NULL, 0, NULL, 0, NULL, 0, NULL, 0, | |
82 | NID_undef, NULL, NULL, NULL); | |
83 | ||
84 | ret &= ssl_set_new_record_layer(rl->s, | |
85 | SSL_CONNECTION_IS_DTLS(rl->s) | |
86 | ? DTLS_ANY_VERSION : TLS_ANY_VERSION, | |
87 | OSSL_RECORD_DIRECTION_WRITE, | |
88 | OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0, | |
89 | NULL, 0, NULL, 0, NULL, 0, NULL, 0, | |
90 | NID_undef, NULL, NULL, NULL); | |
91 | ||
92 | /* SSLfatal already called in the event of failure */ | |
93 | return ret; | |
af9752e5 MC |
94 | } |
95 | ||
b8c49611 | 96 | /* Checks if we have unprocessed read ahead data pending */ |
49580f25 | 97 | int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) |
f161995e | 98 | { |
cffafb5f | 99 | return rl->rrlmethod->unprocessed_read_pending(rl->rrl); |
f161995e MC |
100 | } |
101 | ||
b8c49611 MC |
102 | /* Checks if we have decrypted unread record data pending */ |
103 | int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) | |
104 | { | |
4030869d | 105 | return (rl->curr_rec < rl->num_recs) |
cffafb5f | 106 | || rl->rrlmethod->processed_read_pending(rl->rrl); |
b8c49611 MC |
107 | } |
108 | ||
49580f25 | 109 | int RECORD_LAYER_write_pending(const RECORD_LAYER *rl) |
f161995e | 110 | { |
151f313e | 111 | return rl->wpend_tot > 0; |
f161995e MC |
112 | } |
113 | ||
23c57f00 MC |
114 | static uint32_t ossl_get_max_early_data(SSL_CONNECTION *s) |
115 | { | |
116 | uint32_t max_early_data; | |
117 | SSL_SESSION *sess = s->session; | |
118 | ||
119 | /* | |
120 | * If we are a client then we always use the max_early_data from the | |
121 | * session/psksession. Otherwise we go with the lowest out of the max early | |
122 | * data set in the session and the configured max_early_data. | |
123 | */ | |
124 | if (!s->server && sess->ext.max_early_data == 0) { | |
125 | if (!ossl_assert(s->psksession != NULL | |
126 | && s->psksession->ext.max_early_data > 0)) { | |
127 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
128 | return 0; | |
129 | } | |
130 | sess = s->psksession; | |
131 | } | |
132 | ||
133 | if (!s->server) | |
134 | max_early_data = sess->ext.max_early_data; | |
135 | else if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED) | |
136 | max_early_data = s->recv_max_early_data; | |
137 | else | |
138 | max_early_data = s->recv_max_early_data < sess->ext.max_early_data | |
139 | ? s->recv_max_early_data : sess->ext.max_early_data; | |
140 | ||
141 | return max_early_data; | |
142 | } | |
143 | ||
144 | static int ossl_early_data_count_ok(SSL_CONNECTION *s, size_t length, | |
145 | size_t overhead, int send) | |
146 | { | |
147 | uint32_t max_early_data; | |
148 | ||
149 | max_early_data = ossl_get_max_early_data(s); | |
150 | ||
151 | if (max_early_data == 0) { | |
152 | SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, | |
153 | SSL_R_TOO_MUCH_EARLY_DATA); | |
154 | return 0; | |
155 | } | |
156 | ||
157 | /* If we are dealing with ciphertext we need to allow for the overhead */ | |
158 | max_early_data += overhead; | |
159 | ||
160 | if (s->early_data_count + length > max_early_data) { | |
161 | SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, | |
162 | SSL_R_TOO_MUCH_EARLY_DATA); | |
163 | return 0; | |
164 | } | |
165 | s->early_data_count += length; | |
166 | ||
167 | return 1; | |
168 | } | |
169 | ||
8b0e934a | 170 | size_t ssl3_pending(const SSL *s) |
d5a25ae0 | 171 | { |
8b0e934a | 172 | size_t i, num = 0; |
38b051a1 | 173 | const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); |
94777c9c | 174 | |
38b051a1 | 175 | if (sc == NULL) |
d5a25ae0 MC |
176 | return 0; |
177 | ||
6d6b295a | 178 | if (SSL_CONNECTION_IS_DTLS(sc)) { |
eddb067e | 179 | TLS_RECORD *rdata; |
6d6b295a MC |
180 | pitem *item, *iter; |
181 | ||
715a74a6 | 182 | iter = pqueue_iterator(sc->rlayer.d->buffered_app_data); |
6d6b295a MC |
183 | while ((item = pqueue_next(&iter)) != NULL) { |
184 | rdata = item->data; | |
eddb067e | 185 | num += rdata->length; |
6d6b295a | 186 | } |
eddb067e | 187 | } |
6d6b295a | 188 | |
eddb067e MC |
189 | for (i = 0; i < sc->rlayer.num_recs; i++) { |
190 | if (sc->rlayer.tlsrecs[i].type != SSL3_RT_APPLICATION_DATA) | |
191 | return num; | |
192 | num += sc->rlayer.tlsrecs[i].length; | |
94777c9c MC |
193 | } |
194 | ||
cffafb5f | 195 | num += sc->rlayer.rrlmethod->app_data_pending(sc->rlayer.rrl); |
81c9ebd9 | 196 | |
94777c9c | 197 | return num; |
d5a25ae0 MC |
198 | } |
199 | ||
dad78fb1 MC |
200 | void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len) |
201 | { | |
202 | ctx->default_read_buf_len = len; | |
203 | } | |
204 | ||
205 | void SSL_set_default_read_buffer_len(SSL *s, size_t len) | |
206 | { | |
38b051a1 TM |
207 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); |
208 | ||
d6e7ebba | 209 | if (sc == NULL || IS_QUIC(s)) |
38b051a1 | 210 | return; |
cffafb5f | 211 | sc->rlayer.default_read_buf_len = len; |
dad78fb1 MC |
212 | } |
213 | ||
295c3f41 MC |
214 | const char *SSL_rstate_string_long(const SSL *s) |
215 | { | |
38b051a1 | 216 | const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); |
d0b17ea0 | 217 | const char *lng; |
38b051a1 TM |
218 | |
219 | if (sc == NULL) | |
220 | return NULL; | |
221 | ||
d0b17ea0 | 222 | if (sc->rlayer.rrlmethod == NULL || sc->rlayer.rrl == NULL) |
475965f2 | 223 | return "unknown"; |
d0b17ea0 MC |
224 | |
225 | sc->rlayer.rrlmethod->get_state(sc->rlayer.rrl, NULL, &lng); | |
226 | ||
227 | return lng; | |
295c3f41 MC |
228 | } |
229 | ||
230 | const char *SSL_rstate_string(const SSL *s) | |
231 | { | |
38b051a1 | 232 | const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); |
d0b17ea0 | 233 | const char *shrt; |
38b051a1 TM |
234 | |
235 | if (sc == NULL) | |
236 | return NULL; | |
237 | ||
d0b17ea0 | 238 | if (sc->rlayer.rrlmethod == NULL || sc->rlayer.rrl == NULL) |
475965f2 | 239 | return "unknown"; |
295c3f41 | 240 | |
d0b17ea0 MC |
241 | sc->rlayer.rrlmethod->get_state(sc->rlayer.rrl, &shrt, NULL); |
242 | ||
243 | return shrt; | |
244 | } | |
0f113f3e | 245 | |
eb1eaa9a | 246 | static int tls_write_check_pending(SSL_CONNECTION *s, uint8_t type, |
a566864b MC |
247 | const unsigned char *buf, size_t len) |
248 | { | |
249 | if (s->rlayer.wpend_tot == 0) | |
250 | return 0; | |
251 | ||
252 | /* We have pending data, so do some sanity checks */ | |
253 | if ((s->rlayer.wpend_tot > len) | |
254 | || (!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER) | |
255 | && (s->rlayer.wpend_buf != buf)) | |
256 | || (s->rlayer.wpend_type != type)) { | |
257 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_WRITE_RETRY); | |
258 | return -1; | |
259 | } | |
260 | return 1; | |
261 | } | |
262 | ||
0f113f3e MC |
263 | /* |
264 | * Call this to write data in records of type 'type' It will return <= 0 if | |
265 | * not all data has been sent or non-blocking IO. | |
d02b48c6 | 266 | */ |
eb1eaa9a | 267 | int ssl3_write_bytes(SSL *ssl, uint8_t type, const void *buf_, size_t len, |
7ee8627f | 268 | size_t *written) |
0f113f3e MC |
269 | { |
270 | const unsigned char *buf = buf_; | |
7ee8627f | 271 | size_t tot; |
cf72c757 | 272 | size_t n, max_send_fragment, split_send_fragment, maxpipes; |
0f113f3e | 273 | int i; |
38b051a1 | 274 | SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl); |
a566864b | 275 | OSSL_RECORD_TEMPLATE tmpls[SSL_MAX_PIPELINES]; |
1d367677 | 276 | unsigned int recversion; |
0f113f3e | 277 | |
38b051a1 TM |
278 | if (s == NULL) |
279 | return -1; | |
280 | ||
0f113f3e | 281 | s->rwstate = SSL_NOTHING; |
e2228d31 | 282 | tot = s->rlayer.wnum; |
0f113f3e MC |
283 | /* |
284 | * ensure that if we end up with a smaller value of data to write out | |
3519bae5 | 285 | * than the original len from a write which didn't complete for |
0f113f3e | 286 | * non-blocking I/O and also somehow ended up avoiding the check for |
a566864b | 287 | * this in tls_write_check_pending/SSL_R_BAD_WRITE_RETRY as it must never be |
0f113f3e MC |
288 | * possible to end up with (len-tot) as a large number that will then |
289 | * promptly send beyond the end of the users buffer ... so we trap and | |
290 | * report the error in a way the user will notice | |
291 | */ | |
bd91e3c8 | 292 | if ((len < s->rlayer.wnum) |
151f313e MC |
293 | || ((s->rlayer.wpend_tot != 0) |
294 | && (len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) { | |
c48ffbcc | 295 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH); |
1c2e5d56 MC |
296 | return -1; |
297 | } | |
298 | ||
7daf7156 | 299 | if (s->early_data_state == SSL_EARLY_DATA_WRITING |
38b051a1 | 300 | && !ossl_early_data_count_ok(s, len, 0, 1)) { |
196f2cbb | 301 | /* SSLfatal() already called */ |
7daf7156 | 302 | return -1; |
196f2cbb | 303 | } |
7daf7156 | 304 | |
1c2e5d56 MC |
305 | s->rlayer.wnum = 0; |
306 | ||
feb9e31c | 307 | /* |
3bfacb5f BK |
308 | * If we are supposed to be sending a KeyUpdate or NewSessionTicket then go |
309 | * into init unless we have writes pending - in which case we should finish | |
310 | * doing that first. | |
feb9e31c | 311 | */ |
151f313e MC |
312 | if (s->rlayer.wpend_tot == 0 && (s->key_update != SSL_KEY_UPDATE_NONE |
313 | || s->ext.extra_tickets_expected > 0)) | |
feb9e31c MC |
314 | ossl_statem_set_in_init(s, 1); |
315 | ||
59cebcf9 MC |
316 | /* |
317 | * When writing early data on the server side we could be "in_init" in | |
318 | * between receiving the EoED and the CF - but we don't want to handle those | |
319 | * messages yet. | |
320 | */ | |
38b051a1 | 321 | if (SSL_in_init(ssl) && !ossl_statem_get_in_handshake(s) |
59cebcf9 | 322 | && s->early_data_state != SSL_EARLY_DATA_UNAUTH_WRITING) { |
38b051a1 | 323 | i = s->handshake_func(ssl); |
c2853382 | 324 | /* SSLfatal() already called */ |
1c2e5d56 | 325 | if (i < 0) |
7ee8627f | 326 | return i; |
1c2e5d56 | 327 | if (i == 0) { |
1c2e5d56 MC |
328 | return -1; |
329 | } | |
0f113f3e MC |
330 | } |
331 | ||
a566864b MC |
332 | i = tls_write_check_pending(s, type, buf, len); |
333 | if (i < 0) { | |
334 | /* SSLfatal() already called */ | |
335 | return i; | |
336 | } else if (i > 0) { | |
337 | /* Retry needed */ | |
320145d5 MC |
338 | i = HANDLE_RLAYER_WRITE_RETURN(s, |
339 | s->rlayer.wrlmethod->retry_write_records(s->rlayer.wrl)); | |
b9b9f488 MC |
340 | if (i <= 0) { |
341 | s->rlayer.wnum = tot; | |
0f113f3e | 342 | return i; |
b9b9f488 | 343 | } |
a566864b MC |
344 | tot += s->rlayer.wpend_tot; |
345 | s->rlayer.wpend_tot = 0; | |
346 | } /* else no retry required */ | |
347 | ||
348 | if (tot == 0) { | |
349 | /* | |
350 | * We've not previously sent any data for this write so memorize | |
351 | * arguments so that we can detect bad write retries later | |
352 | */ | |
353 | s->rlayer.wpend_tot = 0; | |
354 | s->rlayer.wpend_type = type; | |
355 | s->rlayer.wpend_buf = buf; | |
0f113f3e | 356 | } |
a566864b | 357 | |
0f113f3e | 358 | if (tot == len) { /* done? */ |
7ee8627f MC |
359 | *written = tot; |
360 | return 1; | |
0f113f3e MC |
361 | } |
362 | ||
3eaead71 | 363 | /* If we have an alert to send, lets send it */ |
73243502 | 364 | if (s->s3.alert_dispatch > 0) { |
3eaead71 MC |
365 | i = ssl->method->ssl_dispatch_alert(ssl); |
366 | if (i <= 0) { | |
367 | /* SSLfatal() already called if appropriate */ | |
b9b9f488 | 368 | s->rlayer.wnum = tot; |
3eaead71 MC |
369 | return i; |
370 | } | |
371 | /* if it went, fall through and send more stuff */ | |
372 | } | |
373 | ||
0f113f3e | 374 | n = (len - tot); |
d102d9df | 375 | |
cf72c757 F |
376 | max_send_fragment = ssl_get_max_send_fragment(s); |
377 | split_send_fragment = ssl_get_split_send_fragment(s); | |
c6d5f343 | 378 | |
f6c95e46 RS |
379 | if (max_send_fragment == 0 |
380 | || split_send_fragment == 0 | |
381 | || split_send_fragment > max_send_fragment) { | |
d102d9df | 382 | /* |
cf72c757 | 383 | * We should have prevented this when we set/get the split and max send |
d102d9df | 384 | * fragments so we shouldn't get here |
a230b26e | 385 | */ |
c48ffbcc | 386 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
d102d9df MC |
387 | return -1; |
388 | } | |
389 | ||
1d367677 MC |
390 | /* |
391 | * Some servers hang if initial client hello is larger than 256 bytes | |
392 | * and record version number > TLS 1.0 | |
393 | */ | |
1d367677 MC |
394 | recversion = (s->version == TLS1_3_VERSION) ? TLS1_2_VERSION : s->version; |
395 | if (SSL_get_state(ssl) == TLS_ST_CW_CLNT_HELLO | |
396 | && !s->renegotiate | |
397 | && TLS1_get_version(ssl) > TLS1_VERSION | |
398 | && s->hello_retry_request == SSL_HRR_NONE) | |
399 | recversion = TLS1_VERSION; | |
400 | ||
0f113f3e | 401 | for (;;) { |
a566864b | 402 | size_t tmppipelen, remain; |
c6186792 | 403 | size_t j, lensofar = 0; |
d102d9df | 404 | |
c6186792 MC |
405 | /* |
406 | * Ask the record layer how it would like to split the amount of data | |
407 | * that we have, and how many of those records it would like in one go. | |
408 | */ | |
409 | maxpipes = s->rlayer.wrlmethod->get_max_records(s->rlayer.wrl, type, n, | |
410 | max_send_fragment, | |
411 | &split_send_fragment); | |
412 | /* | |
413 | * If max_pipelines is 0 then this means "undefined" and we default to | |
414 | * whatever the record layer wants to do. Otherwise we use the smallest | |
415 | * value from the number requested by the record layer, and max number | |
416 | * configured by the user. | |
417 | */ | |
418 | if (s->max_pipelines > 0 && maxpipes > s->max_pipelines) | |
419 | maxpipes = s->max_pipelines; | |
420 | ||
421 | if (maxpipes > SSL_MAX_PIPELINES) | |
422 | maxpipes = SSL_MAX_PIPELINES; | |
423 | ||
424 | if (split_send_fragment > max_send_fragment) { | |
425 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
426 | return -1; | |
427 | } | |
d102d9df | 428 | |
c6186792 | 429 | if (n / maxpipes >= split_send_fragment) { |
d102d9df MC |
430 | /* |
431 | * We have enough data to completely fill all available | |
432 | * pipelines | |
433 | */ | |
c6186792 | 434 | for (j = 0; j < maxpipes; j++) { |
a566864b | 435 | tmpls[j].type = type; |
1d367677 | 436 | tmpls[j].version = recversion; |
02719d5c MC |
437 | tmpls[j].buf = &(buf[tot]) + (j * split_send_fragment); |
438 | tmpls[j].buflen = split_send_fragment; | |
d102d9df | 439 | } |
a566864b | 440 | /* Remember how much data we are going to be sending */ |
c6186792 | 441 | s->rlayer.wpend_tot = maxpipes * split_send_fragment; |
d102d9df MC |
442 | } else { |
443 | /* We can partially fill all available pipelines */ | |
c6186792 MC |
444 | tmppipelen = n / maxpipes; |
445 | remain = n % maxpipes; | |
a566864b MC |
446 | /* |
447 | * If there is a remainder we add an extra byte to the first few | |
448 | * pipelines | |
449 | */ | |
450 | if (remain > 0) | |
451 | tmppipelen++; | |
c6186792 | 452 | for (j = 0; j < maxpipes; j++) { |
a566864b | 453 | tmpls[j].type = type; |
1d367677 | 454 | tmpls[j].version = recversion; |
a566864b MC |
455 | tmpls[j].buf = &(buf[tot]) + lensofar; |
456 | tmpls[j].buflen = tmppipelen; | |
457 | lensofar += tmppipelen; | |
458 | if (j + 1 == remain) | |
459 | tmppipelen--; | |
d102d9df | 460 | } |
a566864b MC |
461 | /* Remember how much data we are going to be sending */ |
462 | s->rlayer.wpend_tot = n; | |
d102d9df | 463 | } |
0f113f3e | 464 | |
320145d5 | 465 | i = HANDLE_RLAYER_WRITE_RETURN(s, |
c6186792 | 466 | s->rlayer.wrlmethod->write_records(s->rlayer.wrl, tmpls, maxpipes)); |
0f113f3e | 467 | if (i <= 0) { |
c2853382 | 468 | /* SSLfatal() already called if appropriate */ |
e2228d31 | 469 | s->rlayer.wnum = tot; |
0f113f3e MC |
470 | return i; |
471 | } | |
472 | ||
151f313e MC |
473 | if (s->rlayer.wpend_tot == n |
474 | || (type == SSL3_RT_APPLICATION_DATA | |
475 | && (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) != 0)) { | |
a566864b MC |
476 | *written = tot + s->rlayer.wpend_tot; |
477 | s->rlayer.wpend_tot = 0; | |
7ee8627f | 478 | return 1; |
0f113f3e MC |
479 | } |
480 | ||
a566864b MC |
481 | n -= s->rlayer.wpend_tot; |
482 | tot += s->rlayer.wpend_tot; | |
0f113f3e MC |
483 | } |
484 | } | |
d02b48c6 | 485 | |
320145d5 MC |
486 | int ossl_tls_handle_rlayer_return(SSL_CONNECTION *s, int writing, int ret, |
487 | char *file, int line) | |
4030869d MC |
488 | { |
489 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); | |
490 | ||
491 | if (ret == OSSL_RECORD_RETURN_RETRY) { | |
320145d5 | 492 | s->rwstate = writing ? SSL_WRITING : SSL_READING; |
4030869d MC |
493 | ret = -1; |
494 | } else { | |
495 | s->rwstate = SSL_NOTHING; | |
496 | if (ret == OSSL_RECORD_RETURN_EOF) { | |
320145d5 MC |
497 | if (writing) { |
498 | /* | |
499 | * This shouldn't happen with a writing operation. We treat it | |
500 | * as fatal. | |
501 | */ | |
502 | ERR_new(); | |
503 | ERR_set_debug(file, line, 0); | |
504 | ossl_statem_fatal(s, SSL_AD_INTERNAL_ERROR, | |
505 | ERR_R_INTERNAL_ERROR, NULL); | |
506 | ret = OSSL_RECORD_RETURN_FATAL; | |
507 | } else if ((s->options & SSL_OP_IGNORE_UNEXPECTED_EOF) != 0) { | |
4030869d MC |
508 | SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); |
509 | s->s3.warn_alert = SSL_AD_CLOSE_NOTIFY; | |
510 | } else { | |
511 | ERR_new(); | |
512 | ERR_set_debug(file, line, 0); | |
ead44e19 MC |
513 | /* |
514 | * This reason code is part of the API and may be used by | |
515 | * applications for control flow decisions. | |
516 | */ | |
4030869d MC |
517 | ossl_statem_fatal(s, SSL_AD_DECODE_ERROR, |
518 | SSL_R_UNEXPECTED_EOF_WHILE_READING, NULL); | |
519 | } | |
520 | } else if (ret == OSSL_RECORD_RETURN_FATAL) { | |
d3192c26 MC |
521 | int al = s->rlayer.rrlmethod->get_alert_code(s->rlayer.rrl); |
522 | ||
523 | if (al != SSL_AD_NO_ALERT) { | |
524 | ERR_new(); | |
525 | ERR_set_debug(file, line, 0); | |
526 | ossl_statem_fatal(s, al, SSL_R_RECORD_LAYER_FAILURE, NULL); | |
527 | } | |
528 | /* | |
529 | * else some failure but there is no alert code. We don't log an | |
530 | * error for this. The record layer should have logged an error | |
531 | * already or, if not, its due to some sys call error which will be | |
532 | * reported via SSL_ERROR_SYSCALL and errno. | |
533 | */ | |
4030869d MC |
534 | } |
535 | /* | |
536 | * The record layer distinguishes the cases of EOF, non-fatal | |
537 | * err and retry. Upper layers do not. | |
538 | * If we got a retry or success then *ret is already correct, | |
539 | * otherwise we need to convert the return value. | |
540 | */ | |
4030869d MC |
541 | if (ret == OSSL_RECORD_RETURN_NON_FATAL_ERR || ret == OSSL_RECORD_RETURN_EOF) |
542 | ret = 0; | |
543 | else if (ret < OSSL_RECORD_RETURN_NON_FATAL_ERR) | |
544 | ret = -1; | |
545 | } | |
546 | ||
547 | return ret; | |
548 | } | |
549 | ||
7a4e109e | 550 | int ssl_release_record(SSL_CONNECTION *s, TLS_RECORD *rr, size_t length) |
eddb067e | 551 | { |
7a4e109e | 552 | assert(rr->length >= length); |
eddb067e | 553 | if (rr->rechandle != NULL) { |
7a4e109e MC |
554 | if (length == 0) |
555 | length = rr->length; | |
eddb067e | 556 | /* The record layer allocated the buffers for this record */ |
7a4e109e MC |
557 | if (HANDLE_RLAYER_READ_RETURN(s, |
558 | s->rlayer.rrlmethod->release_record(s->rlayer.rrl, | |
559 | rr->rechandle, | |
560 | length)) <= 0) { | |
561 | /* RLAYER_fatal already called */ | |
562 | return 0; | |
563 | } | |
564 | ||
565 | if (length == rr->length) | |
566 | s->rlayer.curr_rec++; | |
567 | } else if (length == 0 || length == rr->length) { | |
eddb067e | 568 | /* We allocated the buffers for this record (only happens with DTLS) */ |
2eb91b0e MC |
569 | OPENSSL_free(rr->allocdata); |
570 | rr->allocdata = NULL; | |
eddb067e | 571 | } |
7a4e109e MC |
572 | rr->length -= length; |
573 | if (rr->length > 0) | |
574 | rr->off += length; | |
575 | else | |
576 | rr->off = 0; | |
577 | ||
578 | return 1; | |
eddb067e MC |
579 | } |
580 | ||
1d97c843 TH |
581 | /*- |
582 | * Return up to 'len' payload bytes received in 'type' records. | |
b35e9050 BM |
583 | * 'type' is one of the following: |
584 | * | |
5318c012 SS |
585 | * - SSL3_RT_HANDSHAKE (when tls_get_message_header and tls_get_message_body |
586 | * call us) | |
b35e9050 BM |
587 | * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) |
588 | * - 0 (during a shutdown, no data has to be returned) | |
589 | * | |
590 | * If we don't have stored data to work from, read a SSL/TLS record first | |
591 | * (possibly multiple records if we still don't have anything to return). | |
592 | * | |
593 | * This function must handle any surprises the peer may have for us, such as | |
657da85e | 594 | * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec |
105af0ad | 595 | * messages are treated as if they were handshake messages *if* the |recvd_type| |
657da85e | 596 | * argument is non NULL. |
b35e9050 BM |
597 | * Also if record payloads contain fragments too small to process, we store |
598 | * them until there is enough for the respective protocol (the record protocol | |
599 | * may use arbitrary fragmentation and even interleaving): | |
600 | * Change cipher spec protocol | |
601 | * just 1 byte needed, no need for keeping anything stored | |
602 | * Alert protocol | |
603 | * 2 bytes needed (AlertLevel, AlertDescription) | |
604 | * Handshake protocol | |
605 | * 4 bytes needed (HandshakeType, uint24 length) -- we just have | |
606 | * to detect unexpected Client Hello and Hello Request messages | |
607 | * here, anything else is handled by higher layers | |
608 | * Application data protocol | |
609 | * none of our business | |
610 | */ | |
eb1eaa9a TM |
611 | int ssl3_read_bytes(SSL *ssl, uint8_t type, uint8_t *recvd_type, |
612 | unsigned char *buf, size_t len, | |
613 | int peek, size_t *readbytes) | |
0f113f3e | 614 | { |
99dd3740 | 615 | int i, j, ret; |
4030869d MC |
616 | size_t n, curr_rec, totalbytes; |
617 | TLS_RECORD *rr; | |
0f113f3e | 618 | void (*cb) (const SSL *ssl, int type2, int val) = NULL; |
38b051a1 TM |
619 | int is_tls13; |
620 | SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl); | |
621 | ||
622 | is_tls13 = SSL_CONNECTION_IS_TLS13(s); | |
0f113f3e | 623 | |
4030869d MC |
624 | if ((type != 0 |
625 | && (type != SSL3_RT_APPLICATION_DATA) | |
626 | && (type != SSL3_RT_HANDSHAKE)) | |
627 | || (peek && (type != SSL3_RT_APPLICATION_DATA))) { | |
c48ffbcc | 628 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
0f113f3e MC |
629 | return -1; |
630 | } | |
631 | ||
4aa7389e | 632 | if ((type == SSL3_RT_HANDSHAKE) && (s->rlayer.handshake_fragment_len > 0)) |
0f113f3e MC |
633 | /* (partially) satisfy request from storage */ |
634 | { | |
4aa7389e | 635 | unsigned char *src = s->rlayer.handshake_fragment; |
0f113f3e MC |
636 | unsigned char *dst = buf; |
637 | unsigned int k; | |
638 | ||
639 | /* peek == 0 */ | |
640 | n = 0; | |
4aa7389e | 641 | while ((len > 0) && (s->rlayer.handshake_fragment_len > 0)) { |
0f113f3e MC |
642 | *dst++ = *src++; |
643 | len--; | |
4aa7389e | 644 | s->rlayer.handshake_fragment_len--; |
0f113f3e MC |
645 | n++; |
646 | } | |
647 | /* move any remaining fragment bytes: */ | |
4aa7389e MC |
648 | for (k = 0; k < s->rlayer.handshake_fragment_len; k++) |
649 | s->rlayer.handshake_fragment[k] = *src++; | |
e9f6b9a1 MC |
650 | |
651 | if (recvd_type != NULL) | |
652 | *recvd_type = SSL3_RT_HANDSHAKE; | |
653 | ||
54105ddd | 654 | *readbytes = n; |
eda75751 | 655 | return 1; |
0f113f3e MC |
656 | } |
657 | ||
658 | /* | |
4aa7389e | 659 | * Now s->rlayer.handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. |
0f113f3e MC |
660 | */ |
661 | ||
38b051a1 | 662 | if (!ossl_statem_get_in_handshake(s) && SSL_in_init(ssl)) { |
0f113f3e | 663 | /* type == SSL3_RT_APPLICATION_DATA */ |
38b051a1 | 664 | i = s->handshake_func(ssl); |
99dd3740 | 665 | /* SSLfatal() already called */ |
0f113f3e | 666 | if (i < 0) |
eda75751 | 667 | return i; |
99dd3740 | 668 | if (i == 0) |
eda75751 | 669 | return -1; |
0f113f3e MC |
670 | } |
671 | start: | |
672 | s->rwstate = SSL_NOTHING; | |
673 | ||
50e735f9 | 674 | /*- |
94777c9c MC |
675 | * For each record 'i' up to |num_recs] |
676 | * rr[i].type - is the type of record | |
677 | * rr[i].data, - data | |
678 | * rr[i].off, - offset into 'data' for next read | |
679 | * rr[i].length, - number of bytes. | |
50e735f9 | 680 | */ |
4030869d MC |
681 | /* get new records if necessary */ |
682 | if (s->rlayer.curr_rec >= s->rlayer.num_recs) { | |
683 | s->rlayer.curr_rec = s->rlayer.num_recs = 0; | |
684 | do { | |
685 | rr = &s->rlayer.tlsrecs[s->rlayer.num_recs]; | |
94777c9c | 686 | |
320145d5 | 687 | ret = HANDLE_RLAYER_READ_RETURN(s, |
cffafb5f MC |
688 | s->rlayer.rrlmethod->read_record(s->rlayer.rrl, |
689 | &rr->rechandle, | |
690 | &rr->version, &rr->type, | |
691 | &rr->data, &rr->length, | |
692 | NULL, NULL)); | |
99dd3740 MC |
693 | if (ret <= 0) { |
694 | /* SSLfatal() already called if appropriate */ | |
eda75751 | 695 | return ret; |
99dd3740 | 696 | } |
4030869d MC |
697 | rr->off = 0; |
698 | s->rlayer.num_recs++; | |
cffafb5f | 699 | } while (s->rlayer.rrlmethod->processed_read_pending(s->rlayer.rrl) |
4030869d MC |
700 | && s->rlayer.num_recs < SSL_MAX_PIPELINES); |
701 | } | |
702 | rr = &s->rlayer.tlsrecs[s->rlayer.curr_rec]; | |
0f113f3e | 703 | |
3d35e3a2 | 704 | if (s->rlayer.handshake_fragment_len > 0 |
b0a9042e | 705 | && rr->type != SSL3_RT_HANDSHAKE |
38b051a1 | 706 | && SSL_CONNECTION_IS_TLS13(s)) { |
c48ffbcc | 707 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, |
3d35e3a2 MC |
708 | SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA); |
709 | return -1; | |
710 | } | |
711 | ||
af58be76 MC |
712 | /* |
713 | * Reset the count of consecutive warning alerts if we've got a non-empty | |
714 | * record that isn't an alert. | |
715 | */ | |
4030869d | 716 | if (rr->type != SSL3_RT_ALERT && rr->length != 0) |
af58be76 MC |
717 | s->rlayer.alert_count = 0; |
718 | ||
0f113f3e MC |
719 | /* we now have a packet which can be read and processed */ |
720 | ||
555cbb32 TS |
721 | if (s->s3.change_cipher_spec /* set when we receive ChangeCipherSpec, |
722 | * reset by ssl3_get_finished */ | |
4030869d | 723 | && (rr->type != SSL3_RT_HANDSHAKE)) { |
c48ffbcc | 724 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, |
99dd3740 MC |
725 | SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); |
726 | return -1; | |
0f113f3e MC |
727 | } |
728 | ||
729 | /* | |
730 | * If the other end has shut down, throw anything we read away (even in | |
731 | * 'peek' mode) | |
732 | */ | |
733 | if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { | |
4030869d | 734 | s->rlayer.curr_rec++; |
0f113f3e | 735 | s->rwstate = SSL_NOTHING; |
eda75751 | 736 | return 0; |
0f113f3e MC |
737 | } |
738 | ||
4030869d MC |
739 | if (type == rr->type |
740 | || (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC | |
97997489 | 741 | && type == SSL3_RT_HANDSHAKE && recvd_type != NULL |
bcf2907c | 742 | && !is_tls13)) { |
657da85e MC |
743 | /* |
744 | * SSL3_RT_APPLICATION_DATA or | |
745 | * SSL3_RT_HANDSHAKE or | |
746 | * SSL3_RT_CHANGE_CIPHER_SPEC | |
747 | */ | |
0f113f3e MC |
748 | /* |
749 | * make sure that we are not getting application data when we are | |
750 | * doing a handshake for the first time | |
751 | */ | |
38b051a1 | 752 | if (SSL_in_init(ssl) && type == SSL3_RT_APPLICATION_DATA |
f471f60a | 753 | && SSL_IS_FIRST_HANDSHAKE(s)) { |
c48ffbcc | 754 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_APP_DATA_IN_HANDSHAKE); |
99dd3740 | 755 | return -1; |
0f113f3e MC |
756 | } |
757 | ||
657da85e | 758 | if (type == SSL3_RT_HANDSHAKE |
4030869d | 759 | && rr->type == SSL3_RT_CHANGE_CIPHER_SPEC |
a230b26e | 760 | && s->rlayer.handshake_fragment_len > 0) { |
c48ffbcc | 761 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY); |
99dd3740 | 762 | return -1; |
657da85e MC |
763 | } |
764 | ||
765 | if (recvd_type != NULL) | |
4030869d | 766 | *recvd_type = rr->type; |
657da85e | 767 | |
1c47d35a MC |
768 | if (len == 0) { |
769 | /* | |
4030869d | 770 | * Skip a zero length record. This ensures multiple calls to |
1c47d35a MC |
771 | * SSL_read() with a zero length buffer will eventually cause |
772 | * SSL_pending() to report data as being available. | |
773 | */ | |
7a4e109e MC |
774 | if (rr->length == 0 && !ssl_release_record(s, rr, 0)) |
775 | return -1; | |
eddb067e | 776 | |
eda75751 | 777 | return 0; |
1c47d35a | 778 | } |
0f113f3e | 779 | |
54105ddd | 780 | totalbytes = 0; |
4030869d | 781 | curr_rec = s->rlayer.curr_rec; |
94777c9c | 782 | do { |
4030869d MC |
783 | if (len - totalbytes > rr->length) |
784 | n = rr->length; | |
94777c9c | 785 | else |
54105ddd | 786 | n = len - totalbytes; |
94777c9c MC |
787 | |
788 | memcpy(buf, &(rr->data[rr->off]), n); | |
789 | buf += n; | |
b8d24395 MC |
790 | if (peek) { |
791 | /* Mark any zero length record as consumed CVE-2016-6305 */ | |
7a4e109e MC |
792 | if (rr->length == 0 && !ssl_release_record(s, rr, 0)) |
793 | return -1; | |
b8d24395 | 794 | } else { |
7a4e109e MC |
795 | if (!ssl_release_record(s, rr, n)) |
796 | return -1; | |
0f113f3e | 797 | } |
4030869d MC |
798 | if (rr->length == 0 |
799 | || (peek && n == rr->length)) { | |
94777c9c | 800 | rr++; |
4030869d | 801 | curr_rec++; |
94777c9c | 802 | } |
54105ddd | 803 | totalbytes += n; |
4030869d MC |
804 | } while (type == SSL3_RT_APPLICATION_DATA |
805 | && curr_rec < s->rlayer.num_recs | |
806 | && totalbytes < len); | |
54105ddd | 807 | if (totalbytes == 0) { |
255cfeac MC |
808 | /* We must have read empty records. Get more data */ |
809 | goto start; | |
810 | } | |
54105ddd | 811 | *readbytes = totalbytes; |
eda75751 | 812 | return 1; |
0f113f3e MC |
813 | } |
814 | ||
815 | /* | |
816 | * If we get here, then type != rr->type; if we have a handshake message, | |
657da85e MC |
817 | * then it was unexpected (Hello Request or Client Hello) or invalid (we |
818 | * were actually expecting a CCS). | |
0f113f3e MC |
819 | */ |
820 | ||
32ec4153 MC |
821 | /* |
822 | * Lets just double check that we've not got an SSLv2 record | |
823 | */ | |
4030869d | 824 | if (rr->version == SSL2_VERSION) { |
32ec4153 MC |
825 | /* |
826 | * Should never happen. ssl3_get_record() should only give us an SSLv2 | |
827 | * record back if this is the first packet and we are looking for an | |
828 | * initial ClientHello. Therefore |type| should always be equal to | |
829 | * |rr->type|. If not then something has gone horribly wrong | |
830 | */ | |
c48ffbcc | 831 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
99dd3740 | 832 | return -1; |
32ec4153 MC |
833 | } |
834 | ||
38b051a1 | 835 | if (ssl->method->version == TLS_ANY_VERSION |
a230b26e | 836 | && (s->server || rr->type != SSL3_RT_ALERT)) { |
13c9bb3e MC |
837 | /* |
838 | * If we've got this far and still haven't decided on what version | |
558ea847 RL |
839 | * we're using then this must be a client side alert we're dealing |
840 | * with. We shouldn't be receiving anything other than a ClientHello | |
841 | * if we are a server. | |
13c9bb3e | 842 | */ |
4030869d | 843 | s->version = rr->version; |
c48ffbcc | 844 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); |
99dd3740 | 845 | return -1; |
13c9bb3e MC |
846 | } |
847 | ||
50e735f9 | 848 | /*- |
4aa7389e | 849 | * s->rlayer.handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE; |
50e735f9 MC |
850 | * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) |
851 | */ | |
0f113f3e | 852 | |
4030869d | 853 | if (rr->type == SSL3_RT_ALERT) { |
bd990e25 | 854 | unsigned int alert_level, alert_descr; |
2eb91b0e | 855 | const unsigned char *alert_bytes = rr->data + rr->off; |
bd990e25 MC |
856 | PACKET alert; |
857 | ||
4030869d | 858 | if (!PACKET_buf_init(&alert, alert_bytes, rr->length) |
bd990e25 MC |
859 | || !PACKET_get_1(&alert, &alert_level) |
860 | || !PACKET_get_1(&alert, &alert_descr) | |
861 | || PACKET_remaining(&alert) != 0) { | |
c48ffbcc | 862 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_INVALID_ALERT); |
99dd3740 | 863 | return -1; |
bd990e25 | 864 | } |
0f113f3e MC |
865 | |
866 | if (s->msg_callback) | |
38b051a1 | 867 | s->msg_callback(0, s->version, SSL3_RT_ALERT, alert_bytes, 2, ssl, |
4aa7389e | 868 | s->msg_callback_arg); |
0f113f3e MC |
869 | |
870 | if (s->info_callback != NULL) | |
871 | cb = s->info_callback; | |
38b051a1 TM |
872 | else if (ssl->ctx->info_callback != NULL) |
873 | cb = ssl->ctx->info_callback; | |
0f113f3e MC |
874 | |
875 | if (cb != NULL) { | |
876 | j = (alert_level << 8) | alert_descr; | |
38b051a1 | 877 | cb(ssl, SSL_CB_READ_ALERT, j); |
0f113f3e MC |
878 | } |
879 | ||
4030869d | 880 | if ((!is_tls13 && alert_level == SSL3_AL_WARNING) |
bcf2907c | 881 | || (is_tls13 && alert_descr == SSL_AD_USER_CANCELLED)) { |
555cbb32 | 882 | s->s3.warn_alert = alert_descr; |
7a4e109e MC |
883 | if (!ssl_release_record(s, rr, 0)) |
884 | return -1; | |
af58be76 MC |
885 | |
886 | s->rlayer.alert_count++; | |
887 | if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) { | |
c48ffbcc | 888 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, |
99dd3740 MC |
889 | SSL_R_TOO_MANY_WARN_ALERTS); |
890 | return -1; | |
af58be76 | 891 | } |
4aa5a566 MC |
892 | } |
893 | ||
894 | /* | |
bcf2907c MC |
895 | * Apart from close_notify the only other warning alert in TLSv1.3 |
896 | * is user_cancelled - which we just ignore. | |
4aa5a566 | 897 | */ |
bcf2907c MC |
898 | if (is_tls13 && alert_descr == SSL_AD_USER_CANCELLED) { |
899 | goto start; | |
900 | } else if (alert_descr == SSL_AD_CLOSE_NOTIFY | |
901 | && (is_tls13 || alert_level == SSL3_AL_WARNING)) { | |
902 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; | |
903 | return 0; | |
904 | } else if (alert_level == SSL3_AL_FATAL || is_tls13) { | |
0f113f3e | 905 | s->rwstate = SSL_NOTHING; |
555cbb32 | 906 | s->s3.fatal_alert = alert_descr; |
c48ffbcc RL |
907 | SSLfatal_data(s, SSL_AD_NO_ALERT, |
908 | SSL_AD_REASON_OFFSET + alert_descr, | |
909 | "SSL alert number %d", alert_descr); | |
0f113f3e | 910 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; |
7a4e109e MC |
911 | if (!ssl_release_record(s, rr, 0)) |
912 | return -1; | |
e2bb9b9b | 913 | SSL_CTX_remove_session(s->session_ctx, s->session); |
eda75751 | 914 | return 0; |
bcf2907c MC |
915 | } else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { |
916 | /* | |
917 | * This is a warning but we receive it if we requested | |
918 | * renegotiation and the peer denied it. Terminate with a fatal | |
919 | * alert because if application tried to renegotiate it | |
920 | * presumably had a good reason and expects it to succeed. In | |
921 | * future we might have a renegotiation where we don't care if | |
922 | * the peer refused it where we carry on. | |
923 | */ | |
c48ffbcc | 924 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_RENEGOTIATION); |
99dd3740 | 925 | return -1; |
fee33643 MC |
926 | } else if (alert_level == SSL3_AL_WARNING) { |
927 | /* We ignore any other warning alert in TLSv1.2 and below */ | |
928 | goto start; | |
0f113f3e | 929 | } |
bcf2907c | 930 | |
c48ffbcc | 931 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_ALERT_TYPE); |
bcf2907c | 932 | return -1; |
0f113f3e MC |
933 | } |
934 | ||
ba709049 | 935 | if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { |
4030869d | 936 | if (rr->type == SSL3_RT_HANDSHAKE) { |
ba709049 MC |
937 | BIO *rbio; |
938 | ||
1bf4cb0f MC |
939 | /* |
940 | * We ignore any handshake messages sent to us unless they are | |
941 | * TLSv1.3 in which case we want to process them. For all other | |
942 | * handshake messages we can't do anything reasonable with them | |
943 | * because we are unable to write any response due to having already | |
944 | * sent close_notify. | |
945 | */ | |
38b051a1 | 946 | if (!SSL_CONNECTION_IS_TLS13(s)) { |
7a4e109e MC |
947 | if (!ssl_release_record(s, rr, 0)) |
948 | return -1; | |
1bf4cb0f MC |
949 | |
950 | if ((s->mode & SSL_MODE_AUTO_RETRY) != 0) | |
951 | goto start; | |
ba709049 | 952 | |
1bf4cb0f | 953 | s->rwstate = SSL_READING; |
38b051a1 | 954 | rbio = SSL_get_rbio(ssl); |
1bf4cb0f MC |
955 | BIO_clear_retry_flags(rbio); |
956 | BIO_set_retry_read(rbio); | |
957 | return -1; | |
958 | } | |
358ffa05 MC |
959 | } else { |
960 | /* | |
961 | * The peer is continuing to send application data, but we have | |
962 | * already sent close_notify. If this was expected we should have | |
963 | * been called via SSL_read() and this would have been handled | |
964 | * above. | |
965 | * No alert sent because we already sent close_notify | |
966 | */ | |
7a4e109e MC |
967 | if (!ssl_release_record(s, rr, 0)) |
968 | return -1; | |
c48ffbcc | 969 | SSLfatal(s, SSL_AD_NO_ALERT, |
358ffa05 | 970 | SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY); |
1bf4cb0f | 971 | return -1; |
ba709049 | 972 | } |
0f113f3e MC |
973 | } |
974 | ||
93f528f3 MC |
975 | /* |
976 | * For handshake data we have 'fragment' storage, so fill that so that we | |
977 | * can process the header at a fixed place. This is done after the | |
978 | * "SHUTDOWN" code above to avoid filling the fragment storage with data | |
979 | * that we're just going to discard. | |
980 | */ | |
4030869d | 981 | if (rr->type == SSL3_RT_HANDSHAKE) { |
93f528f3 MC |
982 | size_t dest_maxlen = sizeof(s->rlayer.handshake_fragment); |
983 | unsigned char *dest = s->rlayer.handshake_fragment; | |
984 | size_t *dest_len = &s->rlayer.handshake_fragment_len; | |
985 | ||
986 | n = dest_maxlen - *dest_len; /* available space in 'dest' */ | |
4030869d MC |
987 | if (rr->length < n) |
988 | n = rr->length; /* available bytes */ | |
93f528f3 MC |
989 | |
990 | /* now move 'n' bytes: */ | |
7a4e109e MC |
991 | if (n > 0) { |
992 | memcpy(dest + *dest_len, rr->data + rr->off, n); | |
993 | *dest_len += n; | |
7a4e109e | 994 | } |
c20d923b MC |
995 | /* |
996 | * We release the number of bytes consumed, or the whole record if it | |
997 | * is zero length | |
998 | */ | |
999 | if ((n > 0 || rr->length == 0) && !ssl_release_record(s, rr, n)) | |
1000 | return -1; | |
93f528f3 MC |
1001 | |
1002 | if (*dest_len < dest_maxlen) | |
1003 | goto start; /* fragment was too small */ | |
1004 | } | |
1005 | ||
4030869d | 1006 | if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { |
c48ffbcc | 1007 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY); |
99dd3740 | 1008 | return -1; |
0f113f3e MC |
1009 | } |
1010 | ||
1011 | /* | |
c7f47786 | 1012 | * Unexpected handshake message (ClientHello, NewSessionTicket (TLS1.3) or |
0386aad1 | 1013 | * protocol violation) |
0f113f3e | 1014 | */ |
024f543c | 1015 | if ((s->rlayer.handshake_fragment_len >= 4) |
c7f47786 | 1016 | && !ossl_statem_get_in_handshake(s)) { |
39ef7821 MC |
1017 | int ined = (s->early_data_state == SSL_EARLY_DATA_READING); |
1018 | ||
c7f47786 MC |
1019 | /* We found handshake data, so we're going back into init */ |
1020 | ossl_statem_set_in_init(s, 1); | |
1021 | ||
38b051a1 | 1022 | i = s->handshake_func(ssl); |
99dd3740 | 1023 | /* SSLfatal() already called if appropriate */ |
0f113f3e | 1024 | if (i < 0) |
eda75751 | 1025 | return i; |
0f113f3e | 1026 | if (i == 0) { |
eda75751 | 1027 | return -1; |
0f113f3e MC |
1028 | } |
1029 | ||
39ef7821 MC |
1030 | /* |
1031 | * If we were actually trying to read early data and we found a | |
1032 | * handshake message, then we don't want to continue to try and read | |
1033 | * the application data any more. It won't be "early" now. | |
1034 | */ | |
1035 | if (ined) | |
1036 | return -1; | |
1037 | ||
0f113f3e | 1038 | if (!(s->mode & SSL_MODE_AUTO_RETRY)) { |
4030869d | 1039 | if (!RECORD_LAYER_read_pending(&s->rlayer)) { |
0f113f3e MC |
1040 | BIO *bio; |
1041 | /* | |
1042 | * In the case where we try to read application data, but we | |
1043 | * trigger an SSL handshake, we return -1 with the retry | |
1044 | * option set. Otherwise renegotiation may cause nasty | |
1045 | * problems in the blocking world | |
1046 | */ | |
1047 | s->rwstate = SSL_READING; | |
38b051a1 | 1048 | bio = SSL_get_rbio(ssl); |
0f113f3e MC |
1049 | BIO_clear_retry_flags(bio); |
1050 | BIO_set_retry_read(bio); | |
eda75751 | 1051 | return -1; |
0f113f3e MC |
1052 | } |
1053 | } | |
1054 | goto start; | |
1055 | } | |
1056 | ||
4030869d | 1057 | switch (rr->type) { |
0f113f3e | 1058 | default: |
0f113f3e | 1059 | /* |
436a2a01 MC |
1060 | * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but |
1061 | * TLS 1.2 says you MUST send an unexpected message alert. We use the | |
1062 | * TLS 1.2 behaviour for all protocol versions to prevent issues where | |
1063 | * no progress is being made and the peer continually sends unrecognised | |
1064 | * record types, using up resources processing them. | |
0f113f3e | 1065 | */ |
c48ffbcc | 1066 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD); |
99dd3740 | 1067 | return -1; |
0f113f3e MC |
1068 | case SSL3_RT_CHANGE_CIPHER_SPEC: |
1069 | case SSL3_RT_ALERT: | |
1070 | case SSL3_RT_HANDSHAKE: | |
1071 | /* | |
1072 | * we already handled all of these, with the possible exception of | |
024f543c MC |
1073 | * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but |
1074 | * that should not happen when type != rr->type | |
0f113f3e | 1075 | */ |
c48ffbcc | 1076 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, ERR_R_INTERNAL_ERROR); |
99dd3740 | 1077 | return -1; |
0f113f3e MC |
1078 | case SSL3_RT_APPLICATION_DATA: |
1079 | /* | |
1080 | * At this point, we were expecting handshake data, but have | |
1081 | * application data. If the library was running inside ssl3_read() | |
1082 | * (i.e. in_read_app_data is set) and it makes sense to read | |
1083 | * application data at this point (session renegotiation not yet | |
1084 | * started), we will indulge it. | |
1085 | */ | |
fe3a3291 | 1086 | if (ossl_statem_app_data_allowed(s)) { |
555cbb32 | 1087 | s->s3.in_read_app_data = 2; |
eda75751 | 1088 | return -1; |
a832b5ef MC |
1089 | } else if (ossl_statem_skip_early_data(s)) { |
1090 | /* | |
1091 | * This can happen after a client sends a CH followed by early_data, | |
1092 | * but the server responds with a HelloRetryRequest. The server | |
1093 | * reads the next record from the client expecting to find a | |
1094 | * plaintext ClientHello but gets a record which appears to be | |
1095 | * application data. The trial decrypt "works" because null | |
1096 | * decryption was applied. We just skip it and move on to the next | |
1097 | * record. | |
1098 | */ | |
38b051a1 TM |
1099 | if (!ossl_early_data_count_ok(s, rr->length, |
1100 | EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { | |
196f2cbb | 1101 | /* SSLfatal() already called */ |
99dd3740 | 1102 | return -1; |
196f2cbb | 1103 | } |
7a4e109e MC |
1104 | if (!ssl_release_record(s, rr, 0)) |
1105 | return -1; | |
a832b5ef | 1106 | goto start; |
0f113f3e | 1107 | } else { |
c48ffbcc | 1108 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD); |
99dd3740 | 1109 | return -1; |
0f113f3e MC |
1110 | } |
1111 | } | |
0f113f3e | 1112 | } |
d02b48c6 | 1113 | |
d45ba43d MC |
1114 | /* |
1115 | * Returns true if the current rrec was sent in SSLv2 backwards compatible | |
1116 | * format and false otherwise. | |
1117 | */ | |
32ec4153 MC |
1118 | int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl) |
1119 | { | |
4030869d MC |
1120 | if (SSL_CONNECTION_IS_DTLS(rl->s)) |
1121 | return 0; | |
1122 | return rl->tlsrecs[0].version == SSL2_VERSION; | |
32ec4153 | 1123 | } |
0f113f3e | 1124 | |
ed0e298f | 1125 | static OSSL_FUNC_rlayer_msg_callback_fn rlayer_msg_callback_wrapper; |
3c7b9ef9 MC |
1126 | static void rlayer_msg_callback_wrapper(int write_p, int version, |
1127 | int content_type, const void *buf, | |
1128 | size_t len, void *cbarg) | |
1129 | { | |
1130 | SSL_CONNECTION *s = cbarg; | |
1131 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); | |
1132 | ||
1133 | if (s->msg_callback != NULL) | |
1134 | s->msg_callback(write_p, version, content_type, buf, len, ssl, | |
1135 | s->msg_callback_arg); | |
1136 | } | |
1137 | ||
ed0e298f MC |
1138 | static OSSL_FUNC_rlayer_security_fn rlayer_security_wrapper; |
1139 | static int rlayer_security_wrapper(void *cbarg, int op, int bits, int nid, | |
1140 | void *other) | |
1141 | { | |
1142 | SSL_CONNECTION *s = cbarg; | |
1143 | ||
1144 | return ssl_security(s, op, bits, nid, other); | |
1145 | } | |
1146 | ||
5f95eb77 MC |
1147 | static OSSL_FUNC_rlayer_padding_fn rlayer_padding_wrapper; |
1148 | static size_t rlayer_padding_wrapper(void *cbarg, int type, size_t len) | |
1149 | { | |
1150 | SSL_CONNECTION *s = cbarg; | |
1151 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); | |
1152 | ||
eb7d6c2a MC |
1153 | return s->rlayer.record_padding_cb(ssl, type, len, |
1154 | s->rlayer.record_padding_arg); | |
5f95eb77 MC |
1155 | } |
1156 | ||
9dd90232 MC |
1157 | static const OSSL_DISPATCH rlayer_dispatch[] = { |
1158 | { OSSL_FUNC_RLAYER_SKIP_EARLY_DATA, (void (*)(void))ossl_statem_skip_early_data }, | |
3c7b9ef9 | 1159 | { OSSL_FUNC_RLAYER_MSG_CALLBACK, (void (*)(void))rlayer_msg_callback_wrapper }, |
ed0e298f | 1160 | { OSSL_FUNC_RLAYER_SECURITY, (void (*)(void))rlayer_security_wrapper }, |
5f95eb77 | 1161 | { OSSL_FUNC_RLAYER_PADDING, (void (*)(void))rlayer_padding_wrapper }, |
1e6bd31e | 1162 | OSSL_DISPATCH_END |
9dd90232 MC |
1163 | }; |
1164 | ||
bea8d704 MC |
1165 | void ossl_ssl_set_custom_record_layer(SSL_CONNECTION *s, |
1166 | const OSSL_RECORD_METHOD *meth, | |
1167 | void *rlarg) | |
1168 | { | |
1169 | s->rlayer.custom_rlmethod = meth; | |
1170 | s->rlayer.rlarg = rlarg; | |
1171 | } | |
1172 | ||
cc110a0a | 1173 | static const OSSL_RECORD_METHOD *ssl_select_next_record_layer(SSL_CONNECTION *s, |
2c50d7fb | 1174 | int direction, |
cc110a0a MC |
1175 | int level) |
1176 | { | |
bea8d704 MC |
1177 | if (s->rlayer.custom_rlmethod != NULL) |
1178 | return s->rlayer.custom_rlmethod; | |
cc110a0a MC |
1179 | |
1180 | if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE) { | |
1181 | if (SSL_CONNECTION_IS_DTLS(s)) | |
1182 | return &ossl_dtls_record_method; | |
1183 | ||
1184 | return &ossl_tls_record_method; | |
1185 | } | |
1186 | ||
1187 | #ifndef OPENSSL_NO_KTLS | |
1188 | /* KTLS does not support renegotiation */ | |
1189 | if (level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION | |
1190 | && (s->options & SSL_OP_ENABLE_KTLS) != 0 | |
1191 | && (SSL_CONNECTION_IS_TLS13(s) || SSL_IS_FIRST_HANDSHAKE(s))) | |
1192 | return &ossl_ktls_record_method; | |
1193 | #endif | |
1194 | ||
1195 | /* Default to the current OSSL_RECORD_METHOD */ | |
2c50d7fb MC |
1196 | return direction == OSSL_RECORD_DIRECTION_READ ? s->rlayer.rrlmethod |
1197 | : s->rlayer.wrlmethod; | |
cc110a0a MC |
1198 | } |
1199 | ||
2b71b042 | 1200 | static int ssl_post_record_layer_select(SSL_CONNECTION *s, int direction) |
cc110a0a | 1201 | { |
2b71b042 MC |
1202 | const OSSL_RECORD_METHOD *thismethod; |
1203 | OSSL_RECORD_LAYER *thisrl; | |
1204 | ||
1205 | if (direction == OSSL_RECORD_DIRECTION_READ) { | |
1206 | thismethod = s->rlayer.rrlmethod; | |
1207 | thisrl = s->rlayer.rrl; | |
1208 | } else { | |
1209 | thismethod = s->rlayer.wrlmethod; | |
1210 | thisrl = s->rlayer.wrl; | |
1211 | } | |
1212 | ||
cc110a0a | 1213 | #ifndef OPENSSL_NO_KTLS |
2b71b042 MC |
1214 | { |
1215 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); | |
cc110a0a | 1216 | |
2b71b042 MC |
1217 | if (s->rlayer.rrlmethod == &ossl_ktls_record_method) { |
1218 | /* KTLS does not support renegotiation so disallow it */ | |
1219 | SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION); | |
1220 | } | |
cc110a0a MC |
1221 | } |
1222 | #endif | |
2b71b042 MC |
1223 | if (SSL_IS_FIRST_HANDSHAKE(s) && thismethod->set_first_handshake != NULL) |
1224 | thismethod->set_first_handshake(thisrl, 1); | |
8124ab56 | 1225 | |
2b71b042 MC |
1226 | if (s->max_pipelines != 0 && thismethod->set_max_pipelines != NULL) |
1227 | thismethod->set_max_pipelines(thisrl, s->max_pipelines); | |
8124ab56 | 1228 | |
cc110a0a MC |
1229 | return 1; |
1230 | } | |
1231 | ||
1232 | int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, | |
1233 | int direction, int level, | |
3f9175c7 | 1234 | unsigned char *secret, size_t secretlen, |
79eebb08 MC |
1235 | unsigned char *key, size_t keylen, |
1236 | unsigned char *iv, size_t ivlen, | |
1237 | unsigned char *mackey, size_t mackeylen, | |
1238 | const EVP_CIPHER *ciph, size_t taglen, | |
1239 | int mactype, const EVP_MD *md, | |
3f9175c7 | 1240 | const SSL_COMP *comp, const EVP_MD *kdfdigest) |
79eebb08 | 1241 | { |
81c9ebd9 | 1242 | OSSL_PARAM options[5], *opts = options; |
8124ab56 | 1243 | OSSL_PARAM settings[6], *set = settings; |
2b71b042 | 1244 | const OSSL_RECORD_METHOD **thismethod; |
b5cf81f7 | 1245 | OSSL_RECORD_LAYER **thisrl, *newrl = NULL; |
2b71b042 | 1246 | BIO *thisbio; |
79eebb08 | 1247 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); |
cc110a0a | 1248 | const OSSL_RECORD_METHOD *meth; |
8124ab56 | 1249 | int use_etm, stream_mac = 0, tlstree = 0; |
435d88d7 MC |
1250 | unsigned int maxfrag = (direction == OSSL_RECORD_DIRECTION_WRITE) |
1251 | ? ssl_get_max_send_fragment(s) | |
1252 | : SSL3_RT_MAX_PLAIN_LENGTH; | |
9dd90232 MC |
1253 | int use_early_data = 0; |
1254 | uint32_t max_early_data; | |
1e76110b | 1255 | COMP_METHOD *compm = (comp == NULL) ? NULL : comp->method; |
cc110a0a | 1256 | |
2c50d7fb | 1257 | meth = ssl_select_next_record_layer(s, direction, level); |
79eebb08 | 1258 | |
2b71b042 MC |
1259 | if (direction == OSSL_RECORD_DIRECTION_READ) { |
1260 | thismethod = &s->rlayer.rrlmethod; | |
1261 | thisrl = &s->rlayer.rrl; | |
1262 | thisbio = s->rbio; | |
1263 | } else { | |
1264 | thismethod = &s->rlayer.wrlmethod; | |
1265 | thisrl = &s->rlayer.wrl; | |
1266 | thisbio = s->wbio; | |
1267 | } | |
1268 | ||
b5cf81f7 MC |
1269 | if (meth == NULL) |
1270 | meth = *thismethod; | |
79eebb08 | 1271 | |
b5cf81f7 | 1272 | if (!ossl_assert(meth != NULL)) { |
79eebb08 MC |
1273 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
1274 | return 0; | |
1275 | } | |
1276 | ||
7f2f0ac7 MC |
1277 | /* Parameters that *may* be supported by a record layer if passed */ |
1278 | *opts++ = OSSL_PARAM_construct_uint64(OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS, | |
1279 | &s->options); | |
1280 | *opts++ = OSSL_PARAM_construct_uint32(OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE, | |
1281 | &s->mode); | |
2b71b042 MC |
1282 | if (direction == OSSL_RECORD_DIRECTION_READ) { |
1283 | *opts++ = OSSL_PARAM_construct_size_t(OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN, | |
1284 | &s->rlayer.default_read_buf_len); | |
1285 | *opts++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD, | |
1286 | &s->rlayer.read_ahead); | |
eb7d6c2a MC |
1287 | } else { |
1288 | *opts++ = OSSL_PARAM_construct_size_t(OSSL_LIBSSL_RECORD_LAYER_PARAM_BLOCK_PADDING, | |
1289 | &s->rlayer.block_padding); | |
2b71b042 | 1290 | } |
7f2f0ac7 MC |
1291 | *opts = OSSL_PARAM_construct_end(); |
1292 | ||
1293 | /* Parameters that *must* be supported by a record layer if passed */ | |
8124ab56 | 1294 | if (direction == OSSL_RECORD_DIRECTION_READ) { |
7f2f0ac7 | 1295 | use_etm = SSL_READ_ETM(s) ? 1 : 0; |
8124ab56 MC |
1296 | if ((s->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM) != 0) |
1297 | stream_mac = 1; | |
1298 | ||
1299 | if ((s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE) != 0) | |
1300 | tlstree = 1; | |
1301 | } else { | |
7f2f0ac7 | 1302 | use_etm = SSL_WRITE_ETM(s) ? 1 : 0; |
8124ab56 MC |
1303 | if ((s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) != 0) |
1304 | stream_mac = 1; | |
1305 | ||
1306 | if ((s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) != 0) | |
1307 | tlstree = 1; | |
1308 | } | |
7f2f0ac7 MC |
1309 | |
1310 | if (use_etm) | |
1311 | *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM, | |
1312 | &use_etm); | |
ffbd6e67 | 1313 | |
8124ab56 MC |
1314 | if (stream_mac) |
1315 | *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC, | |
1316 | &stream_mac); | |
1317 | ||
1318 | if (tlstree) | |
1319 | *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE, | |
1320 | &tlstree); | |
1321 | ||
435d88d7 MC |
1322 | /* |
1323 | * We only need to do this for the read side. The write side should already | |
1324 | * have the correct value due to the ssl_get_max_send_fragment() call above | |
1325 | */ | |
1326 | if (direction == OSSL_RECORD_DIRECTION_READ | |
1327 | && s->session != NULL | |
1328 | && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) | |
ffbd6e67 MC |
1329 | maxfrag = GET_MAX_FRAGMENT_LENGTH(s->session); |
1330 | ||
435d88d7 | 1331 | |
ffbd6e67 MC |
1332 | if (maxfrag != SSL3_RT_MAX_PLAIN_LENGTH) |
1333 | *set++ = OSSL_PARAM_construct_uint(OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN, | |
1334 | &maxfrag); | |
1335 | ||
9dd90232 MC |
1336 | /* |
1337 | * The record layer must check the amount of early data sent or received | |
1338 | * using the early keys. A server also needs to worry about rejected early | |
1339 | * data that might arrive when the handshake keys are in force. | |
1340 | */ | |
9dd90232 MC |
1341 | if (s->server && direction == OSSL_RECORD_DIRECTION_READ) { |
1342 | use_early_data = (level == OSSL_RECORD_PROTECTION_LEVEL_EARLY | |
1343 | || level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE); | |
1344 | } else if (!s->server && direction == OSSL_RECORD_DIRECTION_WRITE) { | |
1345 | use_early_data = (level == OSSL_RECORD_PROTECTION_LEVEL_EARLY); | |
1346 | } | |
1347 | if (use_early_data) { | |
1348 | max_early_data = ossl_get_max_early_data(s); | |
1349 | ||
1350 | if (max_early_data != 0) | |
1e065a15 J |
1351 | *set++ = OSSL_PARAM_construct_uint32(OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA, |
1352 | &max_early_data); | |
9dd90232 MC |
1353 | } |
1354 | ||
7f2f0ac7 | 1355 | *set = OSSL_PARAM_construct_end(); |
79eebb08 | 1356 | |
cc110a0a | 1357 | for (;;) { |
7c293999 | 1358 | int rlret; |
2b71b042 MC |
1359 | BIO *prev = NULL; |
1360 | BIO *next = NULL; | |
5f95eb77 MC |
1361 | unsigned int epoch = 0; |
1362 | OSSL_DISPATCH rlayer_dispatch_tmp[OSSL_NELEM(rlayer_dispatch)]; | |
1363 | size_t i, j; | |
222cf410 | 1364 | |
2b71b042 MC |
1365 | if (direction == OSSL_RECORD_DIRECTION_READ) { |
1366 | prev = s->rlayer.rrlnext; | |
1367 | if (SSL_CONNECTION_IS_DTLS(s) | |
1368 | && level != OSSL_RECORD_PROTECTION_LEVEL_NONE) | |
4897bd20 | 1369 | epoch = dtls1_get_epoch(s, SSL3_CC_READ); /* new epoch */ |
359affde | 1370 | |
3a857b95 | 1371 | #ifndef OPENSSL_NO_DGRAM |
2b71b042 MC |
1372 | if (SSL_CONNECTION_IS_DTLS(s)) |
1373 | next = BIO_new(BIO_s_dgram_mem()); | |
1374 | else | |
3a857b95 | 1375 | #endif |
2b71b042 MC |
1376 | next = BIO_new(BIO_s_mem()); |
1377 | ||
1378 | if (next == NULL) { | |
2b71b042 MC |
1379 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
1380 | return 0; | |
1381 | } | |
1382 | s->rlayer.rrlnext = next; | |
b9e37f8f MC |
1383 | } else { |
1384 | if (SSL_CONNECTION_IS_DTLS(s) | |
1385 | && level != OSSL_RECORD_PROTECTION_LEVEL_NONE) | |
4897bd20 | 1386 | epoch = dtls1_get_epoch(s, SSL3_CC_WRITE); /* new epoch */ |
359affde | 1387 | } |
7c293999 | 1388 | |
5f95eb77 MC |
1389 | /* |
1390 | * Create a copy of the dispatch array, missing out wrappers for | |
1391 | * callbacks that we don't need. | |
1392 | */ | |
1393 | for (i = 0, j = 0; i < OSSL_NELEM(rlayer_dispatch); i++) { | |
1394 | switch (rlayer_dispatch[i].function_id) { | |
1395 | case OSSL_FUNC_RLAYER_MSG_CALLBACK: | |
1396 | if (s->msg_callback == NULL) | |
1397 | continue; | |
1398 | break; | |
1399 | case OSSL_FUNC_RLAYER_PADDING: | |
eb7d6c2a | 1400 | if (s->rlayer.record_padding_cb == NULL) |
5f95eb77 MC |
1401 | continue; |
1402 | break; | |
1403 | default: | |
1404 | break; | |
1405 | } | |
1406 | rlayer_dispatch_tmp[j++] = rlayer_dispatch[i]; | |
1407 | } | |
1408 | ||
b5cf81f7 MC |
1409 | rlret = meth->new_record_layer(sctx->libctx, sctx->propq, version, |
1410 | s->server, direction, level, epoch, | |
3f9175c7 MC |
1411 | secret, secretlen, key, keylen, iv, |
1412 | ivlen, mackey, mackeylen, ciph, taglen, | |
1413 | mactype, md, compm, kdfdigest, prev, | |
1414 | thisbio, next, NULL, NULL, settings, | |
1415 | options, rlayer_dispatch_tmp, s, | |
1416 | s->rlayer.rlarg, &newrl); | |
359affde | 1417 | BIO_free(prev); |
7c293999 MC |
1418 | switch (rlret) { |
1419 | case OSSL_RECORD_RETURN_FATAL: | |
1420 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_RECORD_LAYER_FAILURE); | |
7f2f0ac7 | 1421 | return 0; |
7c293999 MC |
1422 | |
1423 | case OSSL_RECORD_RETURN_NON_FATAL_ERR: | |
b5cf81f7 | 1424 | if (*thismethod != meth && *thismethod != NULL) { |
cc110a0a MC |
1425 | /* |
1426 | * We tried a new record layer method, but it didn't work out, | |
1427 | * so we fallback to the original method and try again | |
1428 | */ | |
b5cf81f7 | 1429 | meth = *thismethod; |
cc110a0a MC |
1430 | continue; |
1431 | } | |
7c293999 | 1432 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_RECORD_LAYER); |
7f2f0ac7 | 1433 | return 0; |
7c293999 MC |
1434 | |
1435 | case OSSL_RECORD_RETURN_SUCCESS: | |
1436 | break; | |
1437 | ||
1438 | default: | |
1439 | /* Should not happen */ | |
1440 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
7f2f0ac7 | 1441 | return 0; |
cc110a0a MC |
1442 | } |
1443 | break; | |
79eebb08 MC |
1444 | } |
1445 | ||
b9e37f8f MC |
1446 | /* |
1447 | * Free the old record layer if we have one except in the case of DTLS when | |
20c7febc MC |
1448 | * writing and there are still buffered sent messages in our queue. In that |
1449 | * case the record layer is still referenced by those buffered messages for | |
1450 | * potential retransmit. Only when those buffered messages get freed do we | |
1451 | * free the record layer object (see dtls1_hm_fragment_free) | |
b9e37f8f | 1452 | */ |
20c7febc MC |
1453 | if (!SSL_CONNECTION_IS_DTLS(s) |
1454 | || direction == OSSL_RECORD_DIRECTION_READ | |
1455 | || pqueue_peek(s->d1->sent_messages) == NULL) { | |
b9e37f8f MC |
1456 | if (*thismethod != NULL && !(*thismethod)->free(*thisrl)) { |
1457 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
1458 | return 0; | |
1459 | } | |
b5cf81f7 MC |
1460 | } |
1461 | ||
1462 | *thisrl = newrl; | |
1463 | *thismethod = meth; | |
1464 | ||
2b71b042 | 1465 | return ssl_post_record_layer_select(s, direction); |
79eebb08 | 1466 | } |
1d367677 MC |
1467 | |
1468 | int ssl_set_record_protocol_version(SSL_CONNECTION *s, int vers) | |
1469 | { | |
1470 | if (!ossl_assert(s->rlayer.rrlmethod != NULL) | |
1471 | || !ossl_assert(s->rlayer.wrlmethod != NULL)) | |
1472 | return 0; | |
1473 | s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl, s->version); | |
1474 | s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, s->version); | |
1475 | ||
1476 | return 1; | |
1477 | } |