2 * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "../../ssl_local.h"
11 #include "../record_local.h"
12 #include "recmethod_local.h"
14 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
15 static int satsub64be(const unsigned char *v1
, const unsigned char *v2
)
25 /* We do not permit wrap-around */
26 if (l1
> l2
&& ret
< 0)
28 else if (l2
> l1
&& ret
> 0)
39 static int dtls_record_replay_check(OSSL_RECORD_LAYER
*rl
, DTLS_BITMAP
*bitmap
)
43 const unsigned char *seq
= rl
->sequence
;
45 cmp
= satsub64be(seq
, bitmap
->max_seq_num
);
47 SSL3_RECORD_set_seq_num(&rl
->rrec
[0], seq
);
48 return 1; /* this record in new */
51 if (shift
>= sizeof(bitmap
->map
) * 8)
52 return 0; /* stale, outside the window */
53 else if (bitmap
->map
& ((uint64_t)1 << shift
))
54 return 0; /* record previously received */
56 SSL3_RECORD_set_seq_num(&rl
->rrec
[0], seq
);
60 static void dtls_record_bitmap_update(OSSL_RECORD_LAYER
*rl
,
65 const unsigned char *seq
= rl
->sequence
;
67 cmp
= satsub64be(seq
, bitmap
->max_seq_num
);
70 if (shift
< sizeof(bitmap
->map
) * 8)
71 bitmap
->map
<<= shift
, bitmap
->map
|= 1UL;
74 memcpy(bitmap
->max_seq_num
, seq
, SEQ_NUM_SIZE
);
77 if (shift
< sizeof(bitmap
->map
) * 8)
78 bitmap
->map
|= (uint64_t)1 << shift
;
82 static DTLS_BITMAP
*dtls_get_bitmap(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rr
,
83 unsigned int *is_next_epoch
)
87 /* In current epoch, accept HM, CCS, DATA, & ALERT */
88 if (rr
->epoch
== rl
->epoch
)
92 * Only HM and ALERT messages can be from the next epoch and only if we
93 * have already processed all of the unprocessed records from the last
96 else if (rr
->epoch
== (unsigned long)(rl
->epoch
+ 1)
97 && rl
->unprocessed_rcds
.epoch
!= rl
->epoch
98 && (rr
->type
== SSL3_RT_HANDSHAKE
|| rr
->type
== SSL3_RT_ALERT
)) {
100 return &rl
->next_bitmap
;
106 static void dtls_set_in_init(OSSL_RECORD_LAYER
*rl
, int in_init
)
108 rl
->in_init
= in_init
;
111 static int dtls_process_record(OSSL_RECORD_LAYER
*rl
, DTLS_BITMAP
*bitmap
)
118 unsigned char md
[EVP_MAX_MD_SIZE
];
119 SSL_MAC_BUF macbuf
= { NULL
, 0 };
125 * At this point, rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length,
126 * and we have that many bytes in rl->packet
128 rr
->input
= &(rl
->packet
[DTLS1_RT_HEADER_LENGTH
]);
131 * ok, we can now read from 'rl->packet' data into 'rr'. rr->input
132 * points at rr->length bytes, which need to be copied into rr->data by
133 * either the decryption or by the decompression. When the data is 'copied'
134 * into the rr->data buffer, rr->input will be pointed at the new buffer
138 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
139 * bytes of encrypted compressed stuff.
142 /* check is not needed I believe */
143 if (rr
->length
> SSL3_RT_MAX_ENCRYPTED_LENGTH
) {
144 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
, SSL_R_ENCRYPTED_LENGTH_TOO_LONG
);
148 /* decrypt in place in 'rr->input' */
149 rr
->data
= rr
->input
;
150 rr
->orig_len
= rr
->length
;
152 if (rl
->md_ctx
!= NULL
) {
153 const EVP_MD
*tmpmd
= EVP_MD_CTX_get0_md(rl
->md_ctx
);
156 imac_size
= EVP_MD_get_size(tmpmd
);
157 if (!ossl_assert(imac_size
>= 0 && imac_size
<= EVP_MAX_MD_SIZE
)) {
158 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
161 mac_size
= (size_t)imac_size
;
165 if (rl
->use_etm
&& rl
->md_ctx
!= NULL
) {
168 if (rr
->orig_len
< mac_size
) {
169 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_TOO_SHORT
);
172 rr
->length
-= mac_size
;
173 mac
= rr
->data
+ rr
->length
;
174 i
= rl
->funcs
->mac(rl
, rr
, md
, 0 /* not send */);
175 if (i
== 0 || CRYPTO_memcmp(md
, mac
, (size_t)mac_size
) != 0) {
176 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
177 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
181 * We've handled the mac now - there is no MAC inside the encrypted
188 * Set a mark around the packet decryption attempt. This is DTLS, so
189 * bad packets are just ignored, and we don't want to leave stray
190 * errors in the queue from processing bogus junk that we ignored.
193 enc_err
= rl
->funcs
->cipher(rl
, rr
, 1, 0, &macbuf
, mac_size
);
197 * 0: if the record is publicly invalid, or an internal error, or AEAD
198 * decryption failed, or ETM decryption failed.
199 * 1: Success or MTE decryption failed (MAC will be randomised)
203 if (rl
->alert
!= SSL_AD_NO_ALERT
) {
204 /* RLAYERfatal() already called */
207 /* For DTLS we simply ignore bad packets. */
209 rl
->packet_length
= 0;
212 ERR_clear_last_mark();
213 OSSL_TRACE_BEGIN(TLS
) {
214 BIO_printf(trc_out
, "dec %zd\n", rr
->length
);
215 BIO_dump_indent(trc_out
, rr
->data
, rr
->length
, 4);
216 } OSSL_TRACE_END(TLS
);
218 /* r->length is now the compressed data plus mac */
220 && (rl
->enc_ctx
!= NULL
)
221 && (EVP_MD_CTX_get0_md(rl
->md_ctx
) != NULL
)) {
222 /* rl->md_ctx != NULL => mac_size != -1 */
224 i
= rl
->funcs
->mac(rl
, rr
, md
, 0 /* not send */);
225 if (i
== 0 || macbuf
.mac
== NULL
226 || CRYPTO_memcmp(md
, macbuf
.mac
, mac_size
) != 0)
228 if (rr
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
+ mac_size
)
233 /* decryption failed, silently discard message */
235 rl
->packet_length
= 0;
239 /* r->length is now just compressed */
240 if (rl
->compctx
!= NULL
) {
241 if (rr
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
) {
242 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
243 SSL_R_COMPRESSED_LENGTH_TOO_LONG
);
246 if (!tls_do_uncompress(rl
, rr
)) {
247 RLAYERfatal(rl
, SSL_AD_DECOMPRESSION_FAILURE
, SSL_R_BAD_DECOMPRESSION
);
253 * Check if the received packet overflows the current Max Fragment
256 if (rr
->length
> rl
->max_frag_len
) {
257 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
263 * So at this point the following is true
264 * ssl->s3.rrec.type is the type of record
265 * ssl->s3.rrec.length == number of bytes in record
266 * ssl->s3.rrec.off == offset to first valid byte
267 * ssl->s3.rrec.data == where to take bytes from, increment
271 /* we have pulled in a full packet so zero things */
272 rl
->packet_length
= 0;
274 /* Mark receipt of record. */
275 dtls_record_bitmap_update(rl
, bitmap
);
280 OPENSSL_free(macbuf
.mac
);
284 static int dtls_rlayer_buffer_record(OSSL_RECORD_LAYER
*rl
, record_pqueue
*queue
,
285 unsigned char *priority
)
287 DTLS_RLAYER_RECORD_DATA
*rdata
;
290 /* Limit the size of the queue to prevent DOS attacks */
291 if (pqueue_size(queue
->q
) >= 100)
294 rdata
= OPENSSL_malloc(sizeof(*rdata
));
295 item
= pitem_new(priority
, rdata
);
296 if (rdata
== NULL
|| item
== NULL
) {
299 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
303 rdata
->packet
= rl
->packet
;
304 rdata
->packet_length
= rl
->packet_length
;
305 memcpy(&(rdata
->rbuf
), &rl
->rbuf
, sizeof(SSL3_BUFFER
));
306 memcpy(&(rdata
->rrec
), &rl
->rrec
[0], sizeof(SSL3_RECORD
));
311 rl
->packet_length
= 0;
312 memset(&rl
->rbuf
, 0, sizeof(SSL3_BUFFER
));
313 memset(&rl
->rrec
[0], 0, sizeof(rl
->rrec
[0]));
315 if (!tls_setup_read_buffer(rl
)) {
316 /* RLAYERfatal() already called */
317 OPENSSL_free(rdata
->rbuf
.buf
);
323 if (pqueue_insert(queue
->q
, item
) == NULL
) {
324 /* Must be a duplicate so ignore it */
325 OPENSSL_free(rdata
->rbuf
.buf
);
333 /* copy buffered record into OSSL_RECORD_LAYER structure */
334 static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER
*rl
, pitem
*item
)
336 DTLS_RLAYER_RECORD_DATA
*rdata
;
338 rdata
= (DTLS_RLAYER_RECORD_DATA
*)item
->data
;
340 SSL3_BUFFER_release(&rl
->rbuf
);
342 rl
->packet
= rdata
->packet
;
343 rl
->packet_length
= rdata
->packet_length
;
344 memcpy(&rl
->rbuf
, &(rdata
->rbuf
), sizeof(SSL3_BUFFER
));
345 memcpy(&rl
->rrec
[0], &(rdata
->rrec
), sizeof(SSL3_RECORD
));
347 /* Set proper sequence number for mac calculation */
348 memcpy(&(rl
->sequence
[2]), &(rdata
->packet
[5]), 6);
353 static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER
*rl
,
354 record_pqueue
*queue
)
358 item
= pqueue_pop(queue
->q
);
360 dtls_copy_rlayer_record(rl
, item
);
362 OPENSSL_free(item
->data
);
372 * Call this to get a new input record.
373 * It will return <= 0 if more data is needed, normally due to an error
374 * or non-blocking IO.
375 * When it finishes, one packet has been decoded and can be found in
376 * ssl->s3.rrec.type - is the type of record
377 * ssl->s3.rrec.data - data
378 * ssl->s3.rrec.length - number of bytes
380 int dtls_get_more_records(OSSL_RECORD_LAYER
*rl
)
382 int ssl_major
, ssl_minor
;
386 unsigned char *p
= NULL
;
387 unsigned short version
;
389 unsigned int is_next_epoch
;
393 rl
->num_released
= 0;
397 if (rl
->rbuf
.buf
== NULL
) {
398 if (!tls_setup_read_buffer(rl
)) {
399 /* RLAYERfatal() already called */
400 return OSSL_RECORD_RETURN_FATAL
;
405 /* if we're renegotiating, then there may be buffered records */
406 if (dtls_retrieve_rlayer_buffered_record(rl
, &rl
->processed_rcds
)) {
408 return OSSL_RECORD_RETURN_SUCCESS
;
411 /* get something from the wire */
413 /* check if we have the header */
414 if ((rl
->rstate
!= SSL_ST_READ_BODY
) ||
415 (rl
->packet_length
< DTLS1_RT_HEADER_LENGTH
)) {
416 rret
= rl
->funcs
->read_n(rl
, DTLS1_RT_HEADER_LENGTH
,
417 SSL3_BUFFER_get_len(&rl
->rbuf
), 0, 1, &n
);
418 /* read timeout is handled by dtls1_read_bytes */
419 if (rret
< OSSL_RECORD_RETURN_SUCCESS
) {
420 /* RLAYERfatal() already called if appropriate */
421 return rret
; /* error or non-blocking */
424 /* this packet contained a partial record, dump it */
425 if (rl
->packet_length
!= DTLS1_RT_HEADER_LENGTH
) {
426 rl
->packet_length
= 0;
430 rl
->rstate
= SSL_ST_READ_BODY
;
434 if (rl
->msg_callback
!= NULL
)
435 rl
->msg_callback(0, 0, SSL3_RT_HEADER
, p
, DTLS1_RT_HEADER_LENGTH
,
438 /* Pull apart the header into the DTLS1_RECORD */
442 version
= (ssl_major
<< 8) | ssl_minor
;
444 /* sequence number is 64 bits, with top 2 bytes = epoch */
447 memcpy(&(rl
->sequence
[2]), p
, 6);
453 * Lets check the version. We tolerate alerts that don't have the exact
454 * version number (e.g. because of protocol version errors)
456 if (!rl
->is_first_record
&& rr
->type
!= SSL3_RT_ALERT
) {
457 if (version
!= rl
->version
) {
458 /* unexpected version, silently discard */
460 rl
->packet_length
= 0;
466 (rl
->version
== DTLS_ANY_VERSION
? DTLS1_VERSION_MAJOR
467 : rl
->version
>> 8)) {
468 /* wrong version, silently discard record */
470 rl
->packet_length
= 0;
474 if (rr
->length
> SSL3_RT_MAX_ENCRYPTED_LENGTH
) {
475 /* record too long, silently discard it */
477 rl
->packet_length
= 0;
482 * If received packet overflows maximum possible fragment length then
483 * silently discard it
485 if (rr
->length
> rl
->max_frag_len
+ SSL3_RT_MAX_ENCRYPTED_OVERHEAD
) {
486 /* record too long, silently discard it */
488 rl
->packet_length
= 0;
492 /* now rl->rstate == SSL_ST_READ_BODY */
495 /* rl->rstate == SSL_ST_READ_BODY, get and decode the data */
497 if (rr
->length
> rl
->packet_length
- DTLS1_RT_HEADER_LENGTH
) {
498 /* now rl->packet_length == DTLS1_RT_HEADER_LENGTH */
500 rret
= rl
->funcs
->read_n(rl
, more
, more
, 1, 1, &n
);
501 /* this packet contained a partial record, dump it */
502 if (rret
< OSSL_RECORD_RETURN_SUCCESS
|| n
!= more
) {
503 if (rl
->alert
!= SSL_AD_NO_ALERT
) {
504 /* read_n() called RLAYERfatal() */
505 return OSSL_RECORD_RETURN_FATAL
;
508 rl
->packet_length
= 0;
513 * now n == rr->length,
514 * and rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length
517 /* set state for later operations */
518 rl
->rstate
= SSL_ST_READ_HEADER
;
520 /* match epochs. NULL means the packet is dropped on the floor */
521 bitmap
= dtls_get_bitmap(rl
, rr
, &is_next_epoch
);
522 if (bitmap
== NULL
) {
524 rl
->packet_length
= 0; /* dump this record */
525 goto again
; /* get another record */
527 #ifndef OPENSSL_NO_SCTP
528 /* Only do replay check if no SCTP bio */
529 if (!BIO_dgram_is_sctp(rl
->bio
)) {
531 /* Check whether this is a repeat, or aged record. */
532 if (!dtls_record_replay_check(rl
, bitmap
)) {
534 rl
->packet_length
= 0; /* dump this record */
535 goto again
; /* get another record */
537 #ifndef OPENSSL_NO_SCTP
541 /* just read a 0 length packet */
546 * If this record is from the next epoch (either HM or ALERT), and a
547 * handshake is currently in progress, buffer it since it cannot be
548 * processed at this time.
552 if (dtls_rlayer_buffer_record(rl
, &(rl
->unprocessed_rcds
),
554 /* RLAYERfatal() already called */
555 return OSSL_RECORD_RETURN_FATAL
;
559 rl
->packet_length
= 0;
563 if (!dtls_process_record(rl
, bitmap
)) {
564 if (rl
->alert
!= SSL_AD_NO_ALERT
) {
565 /* dtls_process_record() called RLAYERfatal */
566 return OSSL_RECORD_RETURN_FATAL
;
569 rl
->packet_length
= 0; /* dump this record */
570 goto again
; /* get another record */
574 return OSSL_RECORD_RETURN_SUCCESS
;
577 static int dtls_free(OSSL_RECORD_LAYER
*rl
)
580 size_t left
, written
;
582 DTLS_RLAYER_RECORD_DATA
*rdata
;
590 * This record layer is closing but we still have data left in our
591 * buffer. It must be destined for the next epoch - so push it there.
593 ret
= BIO_write_ex(rl
->next
, rbuf
->buf
+ rbuf
->offset
, left
, &written
);
597 if (rl
->unprocessed_rcds
.q
!= NULL
) {
598 while ((item
= pqueue_pop(rl
->unprocessed_rcds
.q
)) != NULL
) {
599 rdata
= (DTLS_RLAYER_RECORD_DATA
*)item
->data
;
600 /* Push to the next record layer */
601 ret
&= BIO_write_ex(rl
->next
, rdata
->packet
, rdata
->packet_length
,
603 OPENSSL_free(rdata
->rbuf
.buf
);
604 OPENSSL_free(item
->data
);
607 pqueue_free(rl
->unprocessed_rcds
.q
);
610 if (rl
->processed_rcds
.q
!= NULL
) {
611 while ((item
= pqueue_pop(rl
->processed_rcds
.q
)) != NULL
) {
612 rdata
= (DTLS_RLAYER_RECORD_DATA
*)item
->data
;
613 OPENSSL_free(rdata
->rbuf
.buf
);
614 OPENSSL_free(item
->data
);
617 pqueue_free(rl
->processed_rcds
.q
);
620 return tls_free(rl
) && ret
;
624 dtls_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
625 int role
, int direction
, int level
, uint16_t epoch
,
626 unsigned char *key
, size_t keylen
, unsigned char *iv
,
627 size_t ivlen
, unsigned char *mackey
, size_t mackeylen
,
628 const EVP_CIPHER
*ciph
, size_t taglen
,
630 const EVP_MD
*md
, COMP_METHOD
*comp
, BIO
*prev
,
631 BIO
*transport
, BIO
*next
, BIO_ADDR
*local
, BIO_ADDR
*peer
,
632 const OSSL_PARAM
*settings
, const OSSL_PARAM
*options
,
633 const OSSL_DISPATCH
*fns
, void *cbarg
,
634 OSSL_RECORD_LAYER
**retrl
)
638 ret
= tls_int_new_record_layer(libctx
, propq
, vers
, role
, direction
, level
,
639 key
, keylen
, iv
, ivlen
, mackey
, mackeylen
,
640 ciph
, taglen
, mactype
, md
, comp
, prev
,
641 transport
, next
, local
, peer
, settings
,
642 options
, fns
, cbarg
, retrl
);
644 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
647 (*retrl
)->unprocessed_rcds
.q
= pqueue_new();
648 (*retrl
)->processed_rcds
.q
= pqueue_new();
649 if ((*retrl
)->unprocessed_rcds
.q
== NULL
650 || (*retrl
)->processed_rcds
.q
== NULL
) {
653 ERR_raise(ERR_LIB_SSL
, ERR_R_SSL_LIB
);
654 return OSSL_RECORD_RETURN_FATAL
;
657 (*retrl
)->unprocessed_rcds
.epoch
= epoch
+ 1;
658 (*retrl
)->processed_rcds
.epoch
= epoch
;
660 (*retrl
)->isdtls
= 1;
661 (*retrl
)->epoch
= epoch
;
662 (*retrl
)->in_init
= 1;
665 case DTLS_ANY_VERSION
:
666 (*retrl
)->funcs
= &dtls_any_funcs
;
668 case DTLS1_2_VERSION
:
671 (*retrl
)->funcs
= &dtls_1_funcs
;
674 /* Should not happen */
675 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
676 ret
= OSSL_RECORD_RETURN_FATAL
;
680 ret
= (*retrl
)->funcs
->set_crypto_state(*retrl
, level
, key
, keylen
, iv
,
681 ivlen
, mackey
, mackeylen
, ciph
,
682 taglen
, mactype
, md
, comp
);
685 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
) {
686 OPENSSL_free(*retrl
);
692 int dtls_prepare_record_header(OSSL_RECORD_LAYER
*rl
,
694 OSSL_RECORD_TEMPLATE
*templ
,
695 unsigned int rectype
,
696 unsigned char **recdata
)
702 maxcomplen
= templ
->buflen
;
703 if (rl
->compctx
!= NULL
)
704 maxcomplen
+= SSL3_RT_MAX_COMPRESSED_OVERHEAD
;
706 if (!WPACKET_put_bytes_u8(thispkt
, rectype
)
707 || !WPACKET_put_bytes_u16(thispkt
, templ
->version
)
708 || !WPACKET_put_bytes_u16(thispkt
, rl
->epoch
)
709 || !WPACKET_memcpy(thispkt
, &(rl
->sequence
[2]), 6)
710 || !WPACKET_start_sub_packet_u16(thispkt
)
712 && !WPACKET_allocate_bytes(thispkt
, rl
->eivlen
, NULL
))
714 && !WPACKET_reserve_bytes(thispkt
, maxcomplen
,
716 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
723 int dtls_write_records(OSSL_RECORD_LAYER
*rl
, OSSL_RECORD_TEMPLATE
*templates
,
729 WPACKET pkt
, *thispkt
= &pkt
;
732 unsigned char *compressdata
= NULL
;
734 if (rl
->md_ctx
!= NULL
&& EVP_MD_CTX_get0_md(rl
->md_ctx
) != NULL
) {
735 mac_size
= EVP_MD_CTX_get_size(rl
->md_ctx
);
737 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
743 /* Should not happen */
744 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
748 if (!rl
->funcs
->allocate_write_buffers(rl
, templates
, numtempl
, NULL
)) {
749 /* RLAYERfatal() already called */
753 if (!rl
->funcs
->initialise_write_packets(rl
, templates
, numtempl
,
754 NULL
, thispkt
, rl
->wbuf
,
756 /* RLAYERfatal() already called */
762 SSL3_RECORD_set_type(&wr
, templates
->type
);
763 SSL3_RECORD_set_rec_version(&wr
, templates
->version
);
765 if (!rl
->funcs
->prepare_record_header(rl
, thispkt
, templates
,
766 templates
->type
, &compressdata
)) {
767 /* RLAYERfatal() already called */
771 /* lets setup the record stuff. */
772 SSL3_RECORD_set_data(&wr
, compressdata
);
773 SSL3_RECORD_set_length(&wr
, templates
->buflen
);
774 SSL3_RECORD_set_input(&wr
, (unsigned char *)templates
->buf
);
777 * we now 'read' from wr.input, wr.length bytes into wr.data
780 /* first we compress */
781 if (rl
->compctx
!= NULL
) {
782 if (!tls_do_compress(rl
, &wr
)
783 || !WPACKET_allocate_bytes(thispkt
, wr
.length
, NULL
)) {
784 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_COMPRESSION_FAILURE
);
787 } else if (compressdata
!= NULL
) {
788 if (!WPACKET_memcpy(thispkt
, wr
.input
, wr
.length
)) {
789 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
792 SSL3_RECORD_reset_input(&wr
);
795 if (!rl
->funcs
->prepare_for_encryption(rl
, mac_size
, thispkt
, &wr
)) {
796 /* RLAYERfatal() already called */
800 if (rl
->funcs
->cipher(rl
, &wr
, 1, 1, NULL
, mac_size
) < 1) {
801 if (rl
->alert
== SSL_AD_NO_ALERT
) {
802 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
807 if (!rl
->funcs
->post_encryption_processing(rl
, mac_size
, templates
,
809 /* RLAYERfatal() already called */
813 /* TODO(RECLAYER): FIXME */
814 ssl3_record_sequence_update(rl
->sequence
);
816 /* now let's set up wb */
817 SSL3_BUFFER_set_left(wb
, SSL3_RECORD_get_length(&wr
));
822 WPACKET_cleanup(thispkt
);
826 static size_t dtls_get_max_record_overhead(OSSL_RECORD_LAYER
*rl
)
828 size_t blocksize
, mac_size
;
831 * TODO(RECLAYER): Review this. This is what the existing code did.
832 * I suspect it's not quite right. What about IV? AEAD Tag? Compression
835 if (rl
->md_ctx
!= NULL
) {
836 if (rl
->enc_ctx
!= NULL
837 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl
->enc_ctx
)) &
838 EVP_CIPH_FLAG_AEAD_CIPHER
) != 0)
841 mac_size
= EVP_MD_CTX_get_size(rl
->md_ctx
);
846 if (rl
->enc_ctx
!= NULL
&&
847 (EVP_CIPHER_CTX_get_mode(rl
->enc_ctx
) == EVP_CIPH_CBC_MODE
))
848 blocksize
= 2 * EVP_CIPHER_CTX_get_block_size(rl
->enc_ctx
);
852 return DTLS1_RT_HEADER_LENGTH
+ mac_size
+ blocksize
;
855 const OSSL_RECORD_METHOD ossl_dtls_record_method
= {
856 dtls_new_record_layer
,
859 tls_unprocessed_read_pending
,
860 tls_processed_read_pending
,
861 tls_app_data_pending
,
863 tls_get_max_record_len
,
866 tls_retry_write_records
,
871 tls_set_protocol_version
,
873 tls_set_first_handshake
,
874 tls_set_max_pipelines
,
879 tls_set_max_frag_len
,
880 dtls_get_max_record_overhead