]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/record/methods/dtls_meth.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Rename SSL3_BUFFER to TLS_BUFFER
[thirdparty/openssl.git] / ssl / record / methods / dtls_meth.c
1 /*
2 * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <assert.h>
11 #include "../../ssl_local.h"
12 #include "../record_local.h"
13 #include "recmethod_local.h"
14
15 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
16 static int satsub64be(const unsigned char *v1, const unsigned char *v2)
17 {
18 int64_t ret;
19 uint64_t l1, l2;
20
21 n2l8(v1, l1);
22 n2l8(v2, l2);
23
24 ret = l1 - l2;
25
26 /* We do not permit wrap-around */
27 if (l1 > l2 && ret < 0)
28 return 128;
29 else if (l2 > l1 && ret > 0)
30 return -128;
31
32 if (ret > 128)
33 return 128;
34 else if (ret < -128)
35 return -128;
36 else
37 return (int)ret;
38 }
39
40 static int dtls_record_replay_check(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
41 {
42 int cmp;
43 unsigned int shift;
44 const unsigned char *seq = rl->sequence;
45
46 cmp = satsub64be(seq, bitmap->max_seq_num);
47 if (cmp > 0) {
48 SSL3_RECORD_set_seq_num(&rl->rrec[0], seq);
49 return 1; /* this record in new */
50 }
51 shift = -cmp;
52 if (shift >= sizeof(bitmap->map) * 8)
53 return 0; /* stale, outside the window */
54 else if (bitmap->map & ((uint64_t)1 << shift))
55 return 0; /* record previously received */
56
57 SSL3_RECORD_set_seq_num(&rl->rrec[0], seq);
58 return 1;
59 }
60
61 static void dtls_record_bitmap_update(OSSL_RECORD_LAYER *rl,
62 DTLS_BITMAP *bitmap)
63 {
64 int cmp;
65 unsigned int shift;
66 const unsigned char *seq = rl->sequence;
67
68 cmp = satsub64be(seq, bitmap->max_seq_num);
69 if (cmp > 0) {
70 shift = cmp;
71 if (shift < sizeof(bitmap->map) * 8)
72 bitmap->map <<= shift, bitmap->map |= 1UL;
73 else
74 bitmap->map = 1UL;
75 memcpy(bitmap->max_seq_num, seq, SEQ_NUM_SIZE);
76 } else {
77 shift = -cmp;
78 if (shift < sizeof(bitmap->map) * 8)
79 bitmap->map |= (uint64_t)1 << shift;
80 }
81 }
82
83 static DTLS_BITMAP *dtls_get_bitmap(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rr,
84 unsigned int *is_next_epoch)
85 {
86 *is_next_epoch = 0;
87
88 /* In current epoch, accept HM, CCS, DATA, & ALERT */
89 if (rr->epoch == rl->epoch)
90 return &rl->bitmap;
91
92 /*
93 * Only HM and ALERT messages can be from the next epoch and only if we
94 * have already processed all of the unprocessed records from the last
95 * epoch
96 */
97 else if (rr->epoch == (unsigned long)(rl->epoch + 1)
98 && rl->unprocessed_rcds.epoch != rl->epoch
99 && (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
100 *is_next_epoch = 1;
101 return &rl->next_bitmap;
102 }
103
104 return NULL;
105 }
106
107 static void dtls_set_in_init(OSSL_RECORD_LAYER *rl, int in_init)
108 {
109 rl->in_init = in_init;
110 }
111
112 static int dtls_process_record(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
113 {
114 int i;
115 int enc_err;
116 SSL3_RECORD *rr;
117 int imac_size;
118 size_t mac_size = 0;
119 unsigned char md[EVP_MAX_MD_SIZE];
120 SSL_MAC_BUF macbuf = { NULL, 0 };
121 int ret = 0;
122
123 rr = &rl->rrec[0];
124
125 /*
126 * At this point, rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length,
127 * and we have that many bytes in rl->packet
128 */
129 rr->input = &(rl->packet[DTLS1_RT_HEADER_LENGTH]);
130
131 /*
132 * ok, we can now read from 'rl->packet' data into 'rr'. rr->input
133 * points at rr->length bytes, which need to be copied into rr->data by
134 * either the decryption or by the decompression. When the data is 'copied'
135 * into the rr->data buffer, rr->input will be pointed at the new buffer
136 */
137
138 /*
139 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
140 * bytes of encrypted compressed stuff.
141 */
142
143 /* check is not needed I believe */
144 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
145 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
146 return 0;
147 }
148
149 /* decrypt in place in 'rr->input' */
150 rr->data = rr->input;
151 rr->orig_len = rr->length;
152
153 if (rl->md_ctx != NULL) {
154 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
155
156 if (tmpmd != NULL) {
157 imac_size = EVP_MD_get_size(tmpmd);
158 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
159 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
160 return 0;
161 }
162 mac_size = (size_t)imac_size;
163 }
164 }
165
166 if (rl->use_etm && rl->md_ctx != NULL) {
167 unsigned char *mac;
168
169 if (rr->orig_len < mac_size) {
170 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
171 return 0;
172 }
173 rr->length -= mac_size;
174 mac = rr->data + rr->length;
175 i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
176 if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
177 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
178 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
179 return 0;
180 }
181 /*
182 * We've handled the mac now - there is no MAC inside the encrypted
183 * record
184 */
185 mac_size = 0;
186 }
187
188 /*
189 * Set a mark around the packet decryption attempt. This is DTLS, so
190 * bad packets are just ignored, and we don't want to leave stray
191 * errors in the queue from processing bogus junk that we ignored.
192 */
193 ERR_set_mark();
194 enc_err = rl->funcs->cipher(rl, rr, 1, 0, &macbuf, mac_size);
195
196 /*-
197 * enc_err is:
198 * 0: if the record is publicly invalid, or an internal error, or AEAD
199 * decryption failed, or ETM decryption failed.
200 * 1: Success or MTE decryption failed (MAC will be randomised)
201 */
202 if (enc_err == 0) {
203 ERR_pop_to_mark();
204 if (rl->alert != SSL_AD_NO_ALERT) {
205 /* RLAYERfatal() already called */
206 goto end;
207 }
208 /* For DTLS we simply ignore bad packets. */
209 rr->length = 0;
210 rl->packet_length = 0;
211 goto end;
212 }
213 ERR_clear_last_mark();
214 OSSL_TRACE_BEGIN(TLS) {
215 BIO_printf(trc_out, "dec %zd\n", rr->length);
216 BIO_dump_indent(trc_out, rr->data, rr->length, 4);
217 } OSSL_TRACE_END(TLS);
218
219 /* r->length is now the compressed data plus mac */
220 if (!rl->use_etm
221 && (rl->enc_ctx != NULL)
222 && (EVP_MD_CTX_get0_md(rl->md_ctx) != NULL)) {
223 /* rl->md_ctx != NULL => mac_size != -1 */
224
225 i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
226 if (i == 0 || macbuf.mac == NULL
227 || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0)
228 enc_err = 0;
229 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
230 enc_err = 0;
231 }
232
233 if (enc_err == 0) {
234 /* decryption failed, silently discard message */
235 rr->length = 0;
236 rl->packet_length = 0;
237 goto end;
238 }
239
240 /* r->length is now just compressed */
241 if (rl->compctx != NULL) {
242 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
243 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
244 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
245 goto end;
246 }
247 if (!tls_do_uncompress(rl, rr)) {
248 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION);
249 goto end;
250 }
251 }
252
253 /*
254 * Check if the received packet overflows the current Max Fragment
255 * Length setting.
256 */
257 if (rr->length > rl->max_frag_len) {
258 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
259 goto end;
260 }
261
262 rr->off = 0;
263 /*-
264 * So at this point the following is true
265 * ssl->s3.rrec.type is the type of record
266 * ssl->s3.rrec.length == number of bytes in record
267 * ssl->s3.rrec.off == offset to first valid byte
268 * ssl->s3.rrec.data == where to take bytes from, increment
269 * after use :-).
270 */
271
272 /* we have pulled in a full packet so zero things */
273 rl->packet_length = 0;
274
275 /* Mark receipt of record. */
276 dtls_record_bitmap_update(rl, bitmap);
277
278 ret = 1;
279 end:
280 if (macbuf.alloced)
281 OPENSSL_free(macbuf.mac);
282 return ret;
283 }
284
285 static int dtls_rlayer_buffer_record(OSSL_RECORD_LAYER *rl, record_pqueue *queue,
286 unsigned char *priority)
287 {
288 DTLS_RLAYER_RECORD_DATA *rdata;
289 pitem *item;
290
291 /* Limit the size of the queue to prevent DOS attacks */
292 if (pqueue_size(queue->q) >= 100)
293 return 0;
294
295 rdata = OPENSSL_malloc(sizeof(*rdata));
296 item = pitem_new(priority, rdata);
297 if (rdata == NULL || item == NULL) {
298 OPENSSL_free(rdata);
299 pitem_free(item);
300 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
301 return -1;
302 }
303
304 rdata->packet = rl->packet;
305 rdata->packet_length = rl->packet_length;
306 memcpy(&(rdata->rbuf), &rl->rbuf, sizeof(TLS_BUFFER));
307 memcpy(&(rdata->rrec), &rl->rrec[0], sizeof(SSL3_RECORD));
308
309 item->data = rdata;
310
311 rl->packet = NULL;
312 rl->packet_length = 0;
313 memset(&rl->rbuf, 0, sizeof(TLS_BUFFER));
314 memset(&rl->rrec[0], 0, sizeof(rl->rrec[0]));
315
316 if (!tls_setup_read_buffer(rl)) {
317 /* RLAYERfatal() already called */
318 OPENSSL_free(rdata->rbuf.buf);
319 OPENSSL_free(rdata);
320 pitem_free(item);
321 return -1;
322 }
323
324 if (pqueue_insert(queue->q, item) == NULL) {
325 /* Must be a duplicate so ignore it */
326 OPENSSL_free(rdata->rbuf.buf);
327 OPENSSL_free(rdata);
328 pitem_free(item);
329 }
330
331 return 1;
332 }
333
334 /* copy buffered record into OSSL_RECORD_LAYER structure */
335 static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER *rl, pitem *item)
336 {
337 DTLS_RLAYER_RECORD_DATA *rdata;
338
339 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
340
341 ossl_tls_buffer_release(&rl->rbuf);
342
343 rl->packet = rdata->packet;
344 rl->packet_length = rdata->packet_length;
345 memcpy(&rl->rbuf, &(rdata->rbuf), sizeof(TLS_BUFFER));
346 memcpy(&rl->rrec[0], &(rdata->rrec), sizeof(SSL3_RECORD));
347
348 /* Set proper sequence number for mac calculation */
349 memcpy(&(rl->sequence[2]), &(rdata->packet[5]), 6);
350
351 return 1;
352 }
353
354 static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER *rl,
355 record_pqueue *queue)
356 {
357 pitem *item;
358
359 item = pqueue_pop(queue->q);
360 if (item) {
361 dtls_copy_rlayer_record(rl, item);
362
363 OPENSSL_free(item->data);
364 pitem_free(item);
365
366 return 1;
367 }
368
369 return 0;
370 }
371
372 /*-
373 * Call this to get a new input record.
374 * It will return <= 0 if more data is needed, normally due to an error
375 * or non-blocking IO.
376 * When it finishes, one packet has been decoded and can be found in
377 * ssl->s3.rrec.type - is the type of record
378 * ssl->s3.rrec.data - data
379 * ssl->s3.rrec.length - number of bytes
380 */
381 int dtls_get_more_records(OSSL_RECORD_LAYER *rl)
382 {
383 int ssl_major, ssl_minor;
384 int rret;
385 size_t more, n;
386 SSL3_RECORD *rr;
387 unsigned char *p = NULL;
388 unsigned short version;
389 DTLS_BITMAP *bitmap;
390 unsigned int is_next_epoch;
391
392 rl->num_recs = 0;
393 rl->curr_rec = 0;
394 rl->num_released = 0;
395
396 rr = rl->rrec;
397
398 if (rl->rbuf.buf == NULL) {
399 if (!tls_setup_read_buffer(rl)) {
400 /* RLAYERfatal() already called */
401 return OSSL_RECORD_RETURN_FATAL;
402 }
403 }
404
405 again:
406 /* if we're renegotiating, then there may be buffered records */
407 if (dtls_retrieve_rlayer_buffered_record(rl, &rl->processed_rcds)) {
408 rl->num_recs = 1;
409 return OSSL_RECORD_RETURN_SUCCESS;
410 }
411
412 /* get something from the wire */
413
414 /* check if we have the header */
415 if ((rl->rstate != SSL_ST_READ_BODY) ||
416 (rl->packet_length < DTLS1_RT_HEADER_LENGTH)) {
417 rret = rl->funcs->read_n(rl, DTLS1_RT_HEADER_LENGTH,
418 TLS_BUFFER_get_len(&rl->rbuf), 0, 1, &n);
419 /* read timeout is handled by dtls1_read_bytes */
420 if (rret < OSSL_RECORD_RETURN_SUCCESS) {
421 /* RLAYERfatal() already called if appropriate */
422 return rret; /* error or non-blocking */
423 }
424
425 /* this packet contained a partial record, dump it */
426 if (rl->packet_length != DTLS1_RT_HEADER_LENGTH) {
427 rl->packet_length = 0;
428 goto again;
429 }
430
431 rl->rstate = SSL_ST_READ_BODY;
432
433 p = rl->packet;
434
435 if (rl->msg_callback != NULL)
436 rl->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
437 rl->cbarg);
438
439 /* Pull apart the header into the DTLS1_RECORD */
440 rr->type = *(p++);
441 ssl_major = *(p++);
442 ssl_minor = *(p++);
443 version = (ssl_major << 8) | ssl_minor;
444
445 /* sequence number is 64 bits, with top 2 bytes = epoch */
446 n2s(p, rr->epoch);
447
448 memcpy(&(rl->sequence[2]), p, 6);
449 p += 6;
450
451 n2s(p, rr->length);
452
453 /*
454 * Lets check the version. We tolerate alerts that don't have the exact
455 * version number (e.g. because of protocol version errors)
456 */
457 if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) {
458 if (version != rl->version) {
459 /* unexpected version, silently discard */
460 rr->length = 0;
461 rl->packet_length = 0;
462 goto again;
463 }
464 }
465
466 if (ssl_major !=
467 (rl->version == DTLS_ANY_VERSION ? DTLS1_VERSION_MAJOR
468 : rl->version >> 8)) {
469 /* wrong version, silently discard record */
470 rr->length = 0;
471 rl->packet_length = 0;
472 goto again;
473 }
474
475 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
476 /* record too long, silently discard it */
477 rr->length = 0;
478 rl->packet_length = 0;
479 goto again;
480 }
481
482 /*
483 * If received packet overflows maximum possible fragment length then
484 * silently discard it
485 */
486 if (rr->length > rl->max_frag_len + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) {
487 /* record too long, silently discard it */
488 rr->length = 0;
489 rl->packet_length = 0;
490 goto again;
491 }
492
493 /* now rl->rstate == SSL_ST_READ_BODY */
494 }
495
496 /* rl->rstate == SSL_ST_READ_BODY, get and decode the data */
497
498 if (rr->length > rl->packet_length - DTLS1_RT_HEADER_LENGTH) {
499 /* now rl->packet_length == DTLS1_RT_HEADER_LENGTH */
500 more = rr->length;
501 rret = rl->funcs->read_n(rl, more, more, 1, 1, &n);
502 /* this packet contained a partial record, dump it */
503 if (rret < OSSL_RECORD_RETURN_SUCCESS || n != more) {
504 if (rl->alert != SSL_AD_NO_ALERT) {
505 /* read_n() called RLAYERfatal() */
506 return OSSL_RECORD_RETURN_FATAL;
507 }
508 rr->length = 0;
509 rl->packet_length = 0;
510 goto again;
511 }
512
513 /*
514 * now n == rr->length,
515 * and rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length
516 */
517 }
518 /* set state for later operations */
519 rl->rstate = SSL_ST_READ_HEADER;
520
521 /* match epochs. NULL means the packet is dropped on the floor */
522 bitmap = dtls_get_bitmap(rl, rr, &is_next_epoch);
523 if (bitmap == NULL) {
524 rr->length = 0;
525 rl->packet_length = 0; /* dump this record */
526 goto again; /* get another record */
527 }
528 #ifndef OPENSSL_NO_SCTP
529 /* Only do replay check if no SCTP bio */
530 if (!BIO_dgram_is_sctp(rl->bio)) {
531 #endif
532 /* Check whether this is a repeat, or aged record. */
533 if (!dtls_record_replay_check(rl, bitmap)) {
534 rr->length = 0;
535 rl->packet_length = 0; /* dump this record */
536 goto again; /* get another record */
537 }
538 #ifndef OPENSSL_NO_SCTP
539 }
540 #endif
541
542 /* just read a 0 length packet */
543 if (rr->length == 0)
544 goto again;
545
546 /*
547 * If this record is from the next epoch (either HM or ALERT), and a
548 * handshake is currently in progress, buffer it since it cannot be
549 * processed at this time.
550 */
551 if (is_next_epoch) {
552 if (rl->in_init) {
553 if (dtls_rlayer_buffer_record(rl, &(rl->unprocessed_rcds),
554 rr->seq_num) < 0) {
555 /* RLAYERfatal() already called */
556 return OSSL_RECORD_RETURN_FATAL;
557 }
558 }
559 rr->length = 0;
560 rl->packet_length = 0;
561 goto again;
562 }
563
564 if (!dtls_process_record(rl, bitmap)) {
565 if (rl->alert != SSL_AD_NO_ALERT) {
566 /* dtls_process_record() called RLAYERfatal */
567 return OSSL_RECORD_RETURN_FATAL;
568 }
569 rr->length = 0;
570 rl->packet_length = 0; /* dump this record */
571 goto again; /* get another record */
572 }
573
574 rl->num_recs = 1;
575 return OSSL_RECORD_RETURN_SUCCESS;
576 }
577
578 static int dtls_free(OSSL_RECORD_LAYER *rl)
579 {
580 TLS_BUFFER *rbuf;
581 size_t left, written;
582 pitem *item;
583 DTLS_RLAYER_RECORD_DATA *rdata;
584 int ret = 1;
585
586 rbuf = &rl->rbuf;
587
588 left = rbuf->left;
589 if (left > 0) {
590 /*
591 * This record layer is closing but we still have data left in our
592 * buffer. It must be destined for the next epoch - so push it there.
593 */
594 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
595 rbuf->left = 0;
596 }
597
598 if (rl->unprocessed_rcds.q != NULL) {
599 while ((item = pqueue_pop(rl->unprocessed_rcds.q)) != NULL) {
600 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
601 /* Push to the next record layer */
602 ret &= BIO_write_ex(rl->next, rdata->packet, rdata->packet_length,
603 &written);
604 OPENSSL_free(rdata->rbuf.buf);
605 OPENSSL_free(item->data);
606 pitem_free(item);
607 }
608 pqueue_free(rl->unprocessed_rcds.q);
609 }
610
611 if (rl->processed_rcds.q != NULL) {
612 while ((item = pqueue_pop(rl->processed_rcds.q)) != NULL) {
613 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
614 OPENSSL_free(rdata->rbuf.buf);
615 OPENSSL_free(item->data);
616 pitem_free(item);
617 }
618 pqueue_free(rl->processed_rcds.q);
619 }
620
621 return tls_free(rl) && ret;
622 }
623
624 static int
625 dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
626 int role, int direction, int level, uint16_t epoch,
627 unsigned char *key, size_t keylen, unsigned char *iv,
628 size_t ivlen, unsigned char *mackey, size_t mackeylen,
629 const EVP_CIPHER *ciph, size_t taglen,
630 int mactype,
631 const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
632 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
633 const OSSL_PARAM *settings, const OSSL_PARAM *options,
634 const OSSL_DISPATCH *fns, void *cbarg,
635 OSSL_RECORD_LAYER **retrl)
636 {
637 int ret;
638
639 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
640 key, keylen, iv, ivlen, mackey, mackeylen,
641 ciph, taglen, mactype, md, comp, prev,
642 transport, next, local, peer, settings,
643 options, fns, cbarg, retrl);
644
645 if (ret != OSSL_RECORD_RETURN_SUCCESS)
646 return ret;
647
648 (*retrl)->unprocessed_rcds.q = pqueue_new();
649 (*retrl)->processed_rcds.q = pqueue_new();
650 if ((*retrl)->unprocessed_rcds.q == NULL
651 || (*retrl)->processed_rcds.q == NULL) {
652 dtls_free(*retrl);
653 *retrl = NULL;
654 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
655 return OSSL_RECORD_RETURN_FATAL;
656 }
657
658 (*retrl)->unprocessed_rcds.epoch = epoch + 1;
659 (*retrl)->processed_rcds.epoch = epoch;
660
661 (*retrl)->isdtls = 1;
662 (*retrl)->epoch = epoch;
663 (*retrl)->in_init = 1;
664
665 switch (vers) {
666 case DTLS_ANY_VERSION:
667 (*retrl)->funcs = &dtls_any_funcs;
668 break;
669 case DTLS1_2_VERSION:
670 case DTLS1_VERSION:
671 case DTLS1_BAD_VER:
672 (*retrl)->funcs = &dtls_1_funcs;
673 break;
674 default:
675 /* Should not happen */
676 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
677 ret = OSSL_RECORD_RETURN_FATAL;
678 goto err;
679 }
680
681 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
682 ivlen, mackey, mackeylen, ciph,
683 taglen, mactype, md, comp);
684
685 err:
686 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
687 OPENSSL_free(*retrl);
688 *retrl = NULL;
689 }
690 return ret;
691 }
692
693 int dtls_prepare_record_header(OSSL_RECORD_LAYER *rl,
694 WPACKET *thispkt,
695 OSSL_RECORD_TEMPLATE *templ,
696 unsigned int rectype,
697 unsigned char **recdata)
698 {
699 size_t maxcomplen;
700
701 *recdata = NULL;
702
703 maxcomplen = templ->buflen;
704 if (rl->compctx != NULL)
705 maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
706
707 if (!WPACKET_put_bytes_u8(thispkt, rectype)
708 || !WPACKET_put_bytes_u16(thispkt, templ->version)
709 || !WPACKET_put_bytes_u16(thispkt, rl->epoch)
710 || !WPACKET_memcpy(thispkt, &(rl->sequence[2]), 6)
711 || !WPACKET_start_sub_packet_u16(thispkt)
712 || (rl->eivlen > 0
713 && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL))
714 || (maxcomplen > 0
715 && !WPACKET_reserve_bytes(thispkt, maxcomplen,
716 recdata))) {
717 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
718 return 0;
719 }
720
721 return 1;
722 }
723
724 int dtls_post_encryption_processing(OSSL_RECORD_LAYER *rl,
725 size_t mac_size,
726 OSSL_RECORD_TEMPLATE *thistempl,
727 WPACKET *thispkt,
728 SSL3_RECORD *thiswr)
729 {
730 if (!tls_post_encryption_processing_default(rl, mac_size, thistempl,
731 thispkt, thiswr)) {
732 /* RLAYERfatal() already called */
733 return 0;
734 }
735
736 return tls_increment_sequence_ctr(rl);
737 }
738
739 static size_t dtls_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
740 {
741 size_t blocksize = 0;
742
743 if (rl->enc_ctx != NULL &&
744 (EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE))
745 blocksize = EVP_CIPHER_CTX_get_block_size(rl->enc_ctx);
746
747 /*
748 * If we have a cipher in place then the tag is mandatory. If the cipher is
749 * CBC mode then an explicit IV is also mandatory. If we know the digest,
750 * then we check it is consistent with the taglen. In the case of stitched
751 * ciphers or AEAD ciphers we don't now the digest (or there isn't one) so
752 * we just trust that the taglen is correct.
753 */
754 assert(rl->enc_ctx == NULL || ((blocksize == 0 || rl->eivlen > 0)
755 && rl->taglen > 0));
756 assert(rl->md == NULL || (int)rl->taglen == EVP_MD_size(rl->md));
757
758 /*
759 * Record overhead consists of the record header, the explicit IV, any
760 * expansion due to cbc padding, and the mac/tag len. There could be
761 * further expansion due to compression - but we don't know what this will
762 * be without knowing the length of the data. However when this function is
763 * called we don't know what the length will be yet - so this is a catch-22.
764 * We *could* use SSL_3_RT_MAX_COMPRESSED_OVERHEAD which is an upper limit
765 * for the maximum record size. But this value is larger than our fallback
766 * MTU size - so isn't very helpful. We just ignore potential expansion
767 * due to compression.
768 */
769 return DTLS1_RT_HEADER_LENGTH + rl->eivlen + blocksize + rl->taglen;
770 }
771
772 const OSSL_RECORD_METHOD ossl_dtls_record_method = {
773 dtls_new_record_layer,
774 dtls_free,
775 tls_reset,
776 tls_unprocessed_read_pending,
777 tls_processed_read_pending,
778 tls_app_data_pending,
779 tls_get_max_records,
780 tls_write_records,
781 tls_retry_write_records,
782 tls_read_record,
783 tls_release_record,
784 tls_get_alert_code,
785 tls_set1_bio,
786 tls_set_protocol_version,
787 NULL,
788 tls_set_first_handshake,
789 tls_set_max_pipelines,
790 dtls_set_in_init,
791 tls_get_state,
792 tls_set_options,
793 tls_get_compression,
794 tls_set_max_frag_len,
795 dtls_get_max_record_overhead,
796 tls_increment_sequence_ctr,
797 tls_alloc_buffers,
798 tls_free_buffers
799 };
A mirror of the official openssl repository