2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/bio.h>
11 #include <openssl/ssl.h>
12 #include <openssl/err.h>
13 #include <openssl/core_names.h>
14 #include "internal/e_os.h"
15 #include "internal/packet.h"
16 #include "../../ssl_local.h"
17 #include "../record_local.h"
18 #include "recmethod_local.h"
20 # define SSL_AD_NO_ALERT -1
22 static void tls_int_free(OSSL_RECORD_LAYER
*rl
);
24 void ossl_rlayer_fatal(OSSL_RECORD_LAYER
*rl
, int al
, int reason
,
30 ERR_vset_error(ERR_LIB_SSL
, reason
, fmt
, args
);
36 int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER
*rl
,
38 const EVP_CIPHER
*ciph
,
42 * Provided cipher, the TLS padding/MAC removal is performed provider
43 * side so we need to tell the ctx about our TLS version and mac size
45 OSSL_PARAM params
[3], *pprm
= params
;
49 if ((EVP_CIPHER_get_flags(ciph
) & EVP_CIPH_FLAG_AEAD_CIPHER
) == 0
51 imacsize
= EVP_MD_get_size(md
);
53 macsize
= (size_t)imacsize
;
55 *pprm
++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION
,
57 *pprm
++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE
,
59 *pprm
= OSSL_PARAM_construct_end();
61 if (!EVP_CIPHER_CTX_set_params(ctx
, params
)) {
62 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
70 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
71 * which ssl3_cbc_digest_record supports.
73 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX
*ctx
)
75 switch (EVP_MD_CTX_get_type(ctx
)) {
88 #ifndef OPENSSL_NO_COMP
89 static int rlayer_allow_compression(OSSL_RECORD_LAYER
*rl
)
91 if (rl
->options
& SSL_OP_NO_COMPRESSION
)
94 /* TODO(RECLAYER): Implement ssl_security inside the record layer */
95 return ssl_security(s
, SSL_SECOP_COMPRESSION
, 0, 0, NULL
);
102 static int rlayer_setup_read_buffer(OSSL_RECORD_LAYER
*rl
)
105 size_t len
, align
= 0, headerlen
;
111 headerlen
= DTLS1_RT_HEADER_LENGTH
;
113 headerlen
= SSL3_RT_HEADER_LENGTH
;
115 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
116 align
= (-SSL3_RT_HEADER_LENGTH
) & (SSL3_ALIGN_PAYLOAD
- 1);
119 if (b
->buf
== NULL
) {
120 len
= SSL3_RT_MAX_PLAIN_LENGTH
121 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD
+ headerlen
+ align
;
122 #ifndef OPENSSL_NO_COMP
123 if (rlayer_allow_compression(rl
))
124 len
+= SSL3_RT_MAX_COMPRESSED_OVERHEAD
;
126 if (b
->default_len
> len
)
127 len
= b
->default_len
;
128 if ((p
= OPENSSL_malloc(len
)) == NULL
) {
130 * We've got a malloc failure, and we're still initialising buffers.
131 * We assume we're so doomed that we won't even be able to send an
134 RLAYERfatal(rl
, SSL_AD_NO_ALERT
, ERR_R_MALLOC_FAILURE
);
144 static int rlayer_release_read_buffer(OSSL_RECORD_LAYER
*rl
)
149 if (rl
->options
& SSL_OP_CLEANSE_PLAINTEXT
)
150 OPENSSL_cleanse(b
->buf
, b
->len
);
151 OPENSSL_free(b
->buf
);
156 void tls_reset_packet_length(OSSL_RECORD_LAYER
*rl
)
158 rl
->packet_length
= 0;
162 * Return values are as per SSL_read()
164 int tls_default_read_n(OSSL_RECORD_LAYER
*rl
, size_t n
, size_t max
, int extend
,
165 int clearold
, size_t *readbytes
)
168 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
169 * packet by another n bytes. The packet will be in the sub-array of
170 * s->rlayer.rbuf.buf specified by s->rlayer.packet and
171 * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may
172 * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].)
173 * if clearold == 1, move the packet to the start of the buffer; if
174 * clearold == 0 then leave any old packets where they were
176 size_t len
, left
, align
= 0;
181 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
185 * TODO(RECLAYER): Once this function is only called from inside the rlayer
186 * directly, we can probably remove this since it is initialised in
187 * tls_get_more_records
189 if (rb
->buf
== NULL
) {
190 if (!rlayer_setup_read_buffer(rl
)) {
191 /* RLAYERfatal() already called */
192 return OSSL_RECORD_RETURN_FATAL
;
197 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
198 align
= (size_t)rb
->buf
+ SSL3_RT_HEADER_LENGTH
;
199 align
= SSL3_ALIGN_PAYLOAD
- 1 - ((align
- 1) % SSL3_ALIGN_PAYLOAD
);
203 /* start with empty packet ... */
206 } else if (align
!= 0 && left
>= SSL3_RT_HEADER_LENGTH
) {
208 * check if next packet length is large enough to justify payload
211 pkt
= rb
->buf
+ rb
->offset
;
212 if (pkt
[0] == SSL3_RT_APPLICATION_DATA
213 && (pkt
[3] << 8 | pkt
[4]) >= 128) {
215 * Note that even if packet is corrupted and its length field
216 * is insane, we can only be led to wrong decision about
217 * whether memmove will occur or not. Header values has no
218 * effect on memmove arguments and therefore no buffer
219 * overrun can be triggered.
221 memmove(rb
->buf
+ align
, pkt
, left
);
225 rl
->packet
= rb
->buf
+ rb
->offset
;
226 rl
->packet_length
= 0;
227 /* ... now we can act as if 'extend' was set */
230 len
= rl
->packet_length
;
231 pkt
= rb
->buf
+ align
;
233 * Move any available bytes to front of buffer: 'len' bytes already
234 * pointed to by 'packet', 'left' extra ones at the end
236 if (rl
->packet
!= pkt
&& clearold
== 1) {
237 memmove(pkt
, rl
->packet
, len
+ left
);
239 rb
->offset
= len
+ align
;
243 * For DTLS/UDP reads should not span multiple packets because the read
244 * operation returns the whole packet at once (as long as it fits into
248 if (left
== 0 && extend
)
250 if (left
> 0 && n
> left
)
254 /* if there is enough in the buffer from a previous read, take some */
256 rl
->packet_length
+= n
;
260 return OSSL_RECORD_RETURN_SUCCESS
;
263 /* else we need to read more data */
265 if (n
> rb
->len
- rb
->offset
) {
266 /* does not happen */
267 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
268 return OSSL_RECORD_RETURN_FATAL
;
271 /* We always act like read_ahead is set for DTLS */
272 if (!rl
->read_ahead
&& !rl
->isdtls
) {
273 /* ignore max parameter */
278 if (max
> rb
->len
- rb
->offset
)
279 max
= rb
->len
- rb
->offset
;
285 BIO
*bio
= rl
->prev
!= NULL
? rl
->prev
: rl
->bio
;
288 * Now we have len+left bytes at the front of s->s3.rbuf.buf and
289 * need to read in more until we have len+n (up to len+max if
295 ret
= BIO_read(bio
, pkt
+ len
+ left
, max
- left
);
298 ret
= OSSL_RECORD_RETURN_SUCCESS
;
299 } else if (BIO_should_retry(bio
)) {
300 if (rl
->prev
!= NULL
) {
302 * We were reading from the previous epoch. Now there is no
303 * more data, so swap to the actual transport BIO
309 ret
= OSSL_RECORD_RETURN_RETRY
;
310 } else if (BIO_eof(bio
)) {
311 ret
= OSSL_RECORD_RETURN_EOF
;
313 ret
= OSSL_RECORD_RETURN_FATAL
;
316 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_READ_BIO_NOT_SET
);
317 ret
= OSSL_RECORD_RETURN_FATAL
;
320 if (ret
<= OSSL_RECORD_RETURN_RETRY
) {
322 if (rl
->mode
& SSL_MODE_RELEASE_BUFFERS
&& !rl
->isdtls
)
324 rlayer_release_read_buffer(rl
);
329 * reads should *never* span multiple packets for DTLS because the
330 * underlying transport protocol is message oriented as opposed to
331 * byte oriented as in the TLS case.
335 n
= left
; /* makes the while condition false */
339 /* done reading, now the book-keeping */
342 rl
->packet_length
+= n
;
344 return OSSL_RECORD_RETURN_SUCCESS
;
348 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
349 * for us in the buffer.
351 static int tls_record_app_data_waiting(OSSL_RECORD_LAYER
*rl
)
359 p
= SSL3_BUFFER_get_buf(rbuf
);
363 left
= SSL3_BUFFER_get_left(rbuf
);
365 if (left
< SSL3_RT_HEADER_LENGTH
)
368 p
+= SSL3_BUFFER_get_offset(rbuf
);
371 * We only check the type and record length, we will sanity check version
374 if (*p
!= SSL3_RT_APPLICATION_DATA
)
380 if (left
< SSL3_RT_HEADER_LENGTH
+ len
)
387 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
388 * will be processed per call to ssl3_get_record. Without this limit an
389 * attacker could send empty records at a faster rate than we can process and
390 * cause ssl3_get_record to loop forever.
392 #define MAX_EMPTY_RECORDS 32
394 #define SSL2_RT_HEADER_LENGTH 2
397 * Call this to buffer new input records in rl->rrec.
398 * It will return a OSSL_RECORD_RETURN_* value.
399 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
400 * records have been decoded. For each record 'i':
401 * rrec[i].type - is the type of record
402 * rrec[i].data, - data
403 * rrec[i].length, - number of bytes
404 * Multiple records will only be returned if the record types are all
405 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
408 static int tls_get_more_records(OSSL_RECORD_LAYER
*rl
,
409 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION
*s
)
414 SSL3_RECORD
*rr
, *thisrr
;
417 unsigned char md
[EVP_MAX_MD_SIZE
];
418 unsigned int version
;
421 size_t num_recs
= 0, max_recs
, j
;
422 PACKET pkt
, sslv2pkt
;
423 SSL_MAC_BUF
*macbufs
= NULL
;
424 int ret
= OSSL_RECORD_RETURN_FATAL
;
425 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
429 if (rbuf
->buf
== NULL
) {
430 if (!rlayer_setup_read_buffer(rl
)) {
431 /* RLAYERfatal() already called */
432 return OSSL_RECORD_RETURN_FATAL
;
436 max_recs
= s
->max_pipelines
;
441 thisrr
= &rr
[num_recs
];
443 /* check if we have the header */
444 if ((rl
->rstate
!= SSL_ST_READ_BODY
) ||
445 (rl
->packet_length
< SSL3_RT_HEADER_LENGTH
)) {
449 rret
= rl
->funcs
->read_n(rl
, SSL3_RT_HEADER_LENGTH
,
450 SSL3_BUFFER_get_len(rbuf
), 0,
451 num_recs
== 0 ? 1 : 0, &n
);
453 if (rret
< OSSL_RECORD_RETURN_SUCCESS
)
454 return rret
; /* error or non-blocking */
456 rl
->rstate
= SSL_ST_READ_BODY
;
459 if (!PACKET_buf_init(&pkt
, p
, rl
->packet_length
)) {
460 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
461 return OSSL_RECORD_RETURN_FATAL
;
464 if (!PACKET_get_net_2_len(&sslv2pkt
, &sslv2len
)
465 || !PACKET_get_1(&sslv2pkt
, &type
)) {
466 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, ERR_R_INTERNAL_ERROR
);
467 return OSSL_RECORD_RETURN_FATAL
;
470 * The first record received by the server may be a V2ClientHello.
472 if (rl
->role
== OSSL_RECORD_ROLE_SERVER
473 && rl
->is_first_record
474 && (sslv2len
& 0x8000) != 0
475 && (type
== SSL2_MT_CLIENT_HELLO
)) {
479 * |num_recs| here will actually always be 0 because
480 * |num_recs > 0| only ever occurs when we are processing
481 * multiple app data records - which we know isn't the case here
482 * because it is an SSLv2ClientHello. We keep it using
483 * |num_recs| for the sake of consistency
485 thisrr
->type
= SSL3_RT_HANDSHAKE
;
486 thisrr
->rec_version
= SSL2_VERSION
;
488 thisrr
->length
= sslv2len
& 0x7fff;
490 if (thisrr
->length
> SSL3_BUFFER_get_len(rbuf
)
491 - SSL2_RT_HEADER_LENGTH
) {
492 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
493 SSL_R_PACKET_LENGTH_TOO_LONG
);
494 return OSSL_RECORD_RETURN_FATAL
;
497 /* SSLv3+ style record */
499 /* Pull apart the header into the SSL3_RECORD */
500 if (!PACKET_get_1(&pkt
, &type
)
501 || !PACKET_get_net_2(&pkt
, &version
)
502 || !PACKET_get_net_2_len(&pkt
, &thisrr
->length
)) {
504 s
->msg_callback(0, 0, SSL3_RT_HEADER
, p
, 5, ssl
,
505 s
->msg_callback_arg
);
506 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, ERR_R_INTERNAL_ERROR
);
507 return OSSL_RECORD_RETURN_FATAL
;
510 thisrr
->rec_version
= version
;
513 * When we call validate_record_header() only records actually
514 * received in SSLv2 format should have the record version set
515 * to SSL2_VERSION. This way validate_record_header() can know
516 * what format the record was in based on the version.
518 if (thisrr
->rec_version
== SSL2_VERSION
) {
519 RLAYERfatal(rl
, SSL_AD_PROTOCOL_VERSION
,
520 SSL_R_WRONG_VERSION_NUMBER
);
521 return OSSL_RECORD_RETURN_FATAL
;
525 s
->msg_callback(0, version
, SSL3_RT_HEADER
, p
, 5, ssl
,
526 s
->msg_callback_arg
);
529 SSL3_BUFFER_get_len(rbuf
) - SSL3_RT_HEADER_LENGTH
) {
530 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
531 SSL_R_PACKET_LENGTH_TOO_LONG
);
532 return OSSL_RECORD_RETURN_FATAL
;
536 if (!rl
->funcs
->validate_record_header(rl
, thisrr
)) {
537 /* RLAYERfatal already called */
538 return OSSL_RECORD_RETURN_FATAL
;
541 /* now rl->rstate == SSL_ST_READ_BODY */
545 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
546 * how much more data we need to read for the rest of the record
548 if (thisrr
->rec_version
== SSL2_VERSION
) {
549 more
= thisrr
->length
+ SSL2_RT_HEADER_LENGTH
550 - SSL3_RT_HEADER_LENGTH
;
552 more
= thisrr
->length
;
556 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
558 rret
= rl
->funcs
->read_n(rl
, more
, more
, 1, 0, &n
);
559 if (rret
< OSSL_RECORD_RETURN_SUCCESS
)
560 return rret
; /* error or non-blocking io */
563 /* set state for later operations */
564 rl
->rstate
= SSL_ST_READ_HEADER
;
567 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
568 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
569 * + thisrr->length and we have that many bytes in rl->packet
571 if (thisrr
->rec_version
== SSL2_VERSION
)
572 thisrr
->input
= &(rl
->packet
[SSL2_RT_HEADER_LENGTH
]);
574 thisrr
->input
= &(rl
->packet
[SSL3_RT_HEADER_LENGTH
]);
577 * ok, we can now read from 'rl->packet' data into 'thisrr'.
578 * thisrr->input points at thisrr->length bytes, which need to be copied
579 * into thisrr->data by either the decryption or by the decompression.
580 * When the data is 'copied' into the thisrr->data buffer,
581 * thisrr->input will be updated to point at the new buffer
585 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
586 * thisrr->length bytes of encrypted compressed stuff.
589 /* decrypt in place in 'thisrr->input' */
590 thisrr
->data
= thisrr
->input
;
591 thisrr
->orig_len
= thisrr
->length
;
593 /* Mark this record as not read by upper layers yet */
598 /* we have pulled in a full packet so zero things */
599 tls_reset_packet_length(rl
);
600 rl
->is_first_record
= 0;
601 } while (num_recs
< max_recs
602 && thisrr
->type
== SSL3_RT_APPLICATION_DATA
603 && RLAYER_USE_EXPLICIT_IV(rl
)
604 && rl
->enc_read_ctx
!= NULL
605 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl
->enc_read_ctx
))
606 & EVP_CIPH_FLAG_PIPELINE
) != 0
607 && tls_record_app_data_waiting(rl
));
610 && thisrr
->type
== SSL3_RT_CHANGE_CIPHER_SPEC
611 /* The following can happen in tlsany_meth after HRR */
612 && rl
->version
== TLS1_3_VERSION
613 && rl
->is_first_handshake
) {
615 * CCS messages must be exactly 1 byte long, containing the value 0x01
617 if (thisrr
->length
!= 1 || thisrr
->data
[0] != 0x01) {
618 RLAYERfatal(rl
, SSL_AD_ILLEGAL_PARAMETER
,
619 SSL_R_INVALID_CCS_MESSAGE
);
620 return OSSL_RECORD_RETURN_FATAL
;
623 * CCS messages are ignored in TLSv1.3. We treat it like an empty
626 thisrr
->type
= SSL3_RT_HANDSHAKE
;
627 if (++(rl
->empty_record_count
) > MAX_EMPTY_RECORDS
) {
628 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
,
629 SSL_R_UNEXPECTED_CCS_MESSAGE
);
630 return OSSL_RECORD_RETURN_FATAL
;
635 rl
->num_released
= 0;
637 return OSSL_RECORD_RETURN_SUCCESS
;
640 if (rl
->read_hash
!= NULL
) {
641 const EVP_MD
*tmpmd
= EVP_MD_CTX_get0_md(rl
->read_hash
);
644 imac_size
= EVP_MD_get_size(tmpmd
);
645 if (!ossl_assert(imac_size
>= 0 && imac_size
<= EVP_MAX_MD_SIZE
)) {
646 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
647 return OSSL_RECORD_RETURN_FATAL
;
649 mac_size
= (size_t)imac_size
;
654 * If in encrypt-then-mac mode calculate mac from encrypted record. All
655 * the details below are public so no timing details can leak.
657 if (rl
->use_etm
&& rl
->read_hash
) {
660 for (j
= 0; j
< num_recs
; j
++) {
663 if (thisrr
->length
< mac_size
) {
664 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_TOO_SHORT
);
665 return OSSL_RECORD_RETURN_FATAL
;
667 thisrr
->length
-= mac_size
;
668 mac
= thisrr
->data
+ thisrr
->length
;
669 i
= rl
->funcs
->mac(rl
, thisrr
, md
, 0 /* not send */, s
);
670 if (i
== 0 || CRYPTO_memcmp(md
, mac
, mac_size
) != 0) {
671 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
672 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
673 return OSSL_RECORD_RETURN_FATAL
;
677 * We've handled the mac now - there is no MAC inside the encrypted
684 macbufs
= OPENSSL_zalloc(sizeof(*macbufs
) * num_recs
);
685 if (macbufs
== NULL
) {
686 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_MALLOC_FAILURE
);
687 return OSSL_RECORD_RETURN_FATAL
;
692 * TODO(RECLAYER): Only call rl functions once TLSv1.3/SSLv3 is moved to new
695 enc_err
= rl
->funcs
->cipher(rl
, rr
, num_recs
, 0, macbufs
, mac_size
, s
);
699 * 0: if the record is publicly invalid, or an internal error, or AEAD
700 * decryption failed, or ETM decryption failed.
701 * 1: Success or MTE decryption failed (MAC will be randomised)
704 if (rl
->alert
!= 0) {
705 /* RLAYERfatal() already got called */
708 if (num_recs
== 1 && ossl_statem_skip_early_data(s
)) {
710 * Valid early_data that we cannot decrypt will fail here. We treat
711 * it like an empty record.
716 if (!ossl_early_data_count_ok(s
, thisrr
->length
,
717 EARLY_DATA_CIPHERTEXT_OVERHEAD
, 0)) {
718 /* SSLfatal() already called */
726 rl
->num_released
= 0;
727 /* Reset the read sequence */
728 memset(rl
->sequence
, 0, sizeof(rl
->sequence
));
732 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
733 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
736 OSSL_TRACE_BEGIN(TLS
) {
737 BIO_printf(trc_out
, "dec %lu\n", (unsigned long)rr
[0].length
);
738 BIO_dump_indent(trc_out
, rr
[0].data
, rr
[0].length
, 4);
739 } OSSL_TRACE_END(TLS
);
741 /* r->length is now the compressed data plus mac */
742 if (rl
->enc_read_ctx
!= NULL
744 && EVP_MD_CTX_get0_md(rl
->read_hash
) != NULL
) {
745 /* rl->read_hash != NULL => mac_size != -1 */
747 for (j
= 0; j
< num_recs
; j
++) {
748 SSL_MAC_BUF
*thismb
= &macbufs
[j
];
751 i
= rl
->funcs
->mac(rl
, thisrr
, md
, 0 /* not send */, s
);
752 if (i
== 0 || thismb
== NULL
|| thismb
->mac
== NULL
753 || CRYPTO_memcmp(md
, thismb
->mac
, (size_t)mac_size
) != 0)
755 if (thisrr
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
+ mac_size
)
761 if (rl
->alert
!= 0) {
762 /* We already called RLAYERfatal() */
766 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
767 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
768 * failure is directly visible from the ciphertext anyway, we should
769 * not reveal which kind of error occurred -- this might become
770 * visible to an attacker (e.g. via a logfile)
772 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
773 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
777 for (j
= 0; j
< num_recs
; j
++) {
780 if (!rl
->funcs
->post_process_record(rl
, thisrr
, s
)) {
781 /* RLAYERfatal already called */
786 * Check if the received packet overflows the current
787 * Max Fragment Length setting.
788 * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
790 if (rl
->max_frag_len
> 0 && thisrr
->length
> rl
->max_frag_len
) {
791 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
797 * So at this point the following is true
798 * thisrr->type is the type of record
799 * thisrr->length == number of bytes in record
800 * thisrr->off == offset to first valid byte
801 * thisrr->data == where to take bytes from, increment after use :-).
804 /* just read a 0 length packet */
805 if (thisrr
->length
== 0) {
806 if (++(rl
->empty_record_count
) > MAX_EMPTY_RECORDS
) {
807 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_RECORD_TOO_SMALL
);
811 rl
->empty_record_count
= 0;
815 if (s
->early_data_state
== SSL_EARLY_DATA_READING
) {
817 if (thisrr
->type
== SSL3_RT_APPLICATION_DATA
818 && !ossl_early_data_count_ok(s
, thisrr
->length
, 0, 0)) {
819 /* SSLfatal already called */
824 rl
->num_recs
= num_recs
;
826 rl
->num_released
= 0;
827 ret
= OSSL_RECORD_RETURN_SUCCESS
;
829 if (macbufs
!= NULL
) {
830 for (j
= 0; j
< num_recs
; j
++) {
831 if (macbufs
[j
].alloced
)
832 OPENSSL_free(macbufs
[j
].mac
);
834 OPENSSL_free(macbufs
);
839 /* Shared by ssl3_meth and tls1_meth */
840 int tls_default_validate_record_header(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
842 size_t len
= SSL3_RT_MAX_ENCRYPTED_LENGTH
;
844 if (rec
->rec_version
!= rl
->version
) {
845 RLAYERfatal(rl
, SSL_AD_PROTOCOL_VERSION
, SSL_R_WRONG_VERSION_NUMBER
);
849 #ifndef OPENSSL_NO_COMP
851 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
852 * does not include the compression overhead anyway.
854 if (rl
->expand
== NULL
)
855 len
-= SSL3_RT_MAX_COMPRESSED_OVERHEAD
;
858 if (rec
->length
> len
) {
859 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
860 SSL_R_ENCRYPTED_LENGTH_TOO_LONG
);
867 static int tls_do_uncompress(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
869 #ifndef OPENSSL_NO_COMP
872 if (rec
->comp
== NULL
) {
873 rec
->comp
= (unsigned char *)
874 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH
);
876 if (rec
->comp
== NULL
)
879 i
= COMP_expand_block(rl
->expand
, rec
->comp
,
880 SSL3_RT_MAX_PLAIN_LENGTH
, rec
->data
, (int)rec
->length
);
885 rec
->data
= rec
->comp
;
892 /* Shared by tlsany_meth, ssl3_meth and tls1_meth */
893 int tls_default_post_process_record(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
, SSL_CONNECTION
*s
)
895 if (rl
->expand
!= NULL
) {
896 if (rec
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
) {
897 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
898 SSL_R_COMPRESSED_LENGTH_TOO_LONG
);
901 if (!tls_do_uncompress(rl
, rec
)) {
902 RLAYERfatal(rl
, SSL_AD_DECOMPRESSION_FAILURE
,
903 SSL_R_BAD_DECOMPRESSION
);
908 if (rec
->length
> SSL3_RT_MAX_PLAIN_LENGTH
) {
909 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
916 /* Shared by tls13_meth and ktls_meth */
917 int tls13_common_post_process_record(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
,
920 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
922 if (rec
->type
!= SSL3_RT_APPLICATION_DATA
923 && rec
->type
!= SSL3_RT_ALERT
924 && rec
->type
!= SSL3_RT_HANDSHAKE
) {
925 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_BAD_RECORD_TYPE
);
930 s
->msg_callback(0, rl
->version
, SSL3_RT_INNER_CONTENT_TYPE
,
931 &rec
->type
, 1, ssl
, s
->msg_callback_arg
);
934 * TLSv1.3 alert and handshake records are required to be non-zero in
937 if ((rec
->type
== SSL3_RT_HANDSHAKE
938 || rec
->type
== SSL3_RT_ALERT
)
939 && rec
->length
== 0) {
940 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_BAD_LENGTH
);
947 int tls_read_record(OSSL_RECORD_LAYER
*rl
, void **rechandle
, int *rversion
,
948 int *type
, unsigned char **data
, size_t *datalen
,
949 uint16_t *epoch
, unsigned char *seq_num
,
950 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION
*s
)
955 * tls_get_more_records() can return success without actually reading
956 * anything useful (i.e. if empty records are read). We loop here until
957 * we have something useful. tls_get_more_records() will eventually fail if
958 * too many sequential empty records are read.
960 while (rl
->curr_rec
>= rl
->num_recs
) {
963 if (rl
->num_released
!= rl
->num_recs
) {
964 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_RECORDS_NOT_RELEASED
);
965 return OSSL_RECORD_RETURN_FATAL
;
968 ret
= tls_get_more_records(rl
, s
);
970 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
975 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
976 * points to the next one to read.
978 rec
= &rl
->rrec
[rl
->curr_rec
++];
981 *rversion
= rec
->rec_version
;
984 *datalen
= rec
->length
;
986 return OSSL_RECORD_RETURN_SUCCESS
;
989 int tls_release_record(OSSL_RECORD_LAYER
*rl
, void *rechandle
)
991 if (!ossl_assert(rl
->num_released
< rl
->curr_rec
)
992 || !ossl_assert(rechandle
== &rl
->rrec
[rl
->num_released
])) {
993 /* Should not happen */
994 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_INVALID_RECORD
);
995 return OSSL_RECORD_RETURN_FATAL
;
1000 return OSSL_RECORD_RETURN_SUCCESS
;
1004 tls_int_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
1005 int role
, int direction
, int level
, unsigned char *key
,
1006 size_t keylen
, unsigned char *iv
, size_t ivlen
,
1007 unsigned char *mackey
, size_t mackeylen
,
1008 const EVP_CIPHER
*ciph
, size_t taglen
,
1009 /* TODO(RECLAYER): This probably should not be an int */
1011 const EVP_MD
*md
, const SSL_COMP
*comp
, BIO
*prev
,
1012 BIO
*transport
, BIO
*next
, BIO_ADDR
*local
,
1013 BIO_ADDR
*peer
, const OSSL_PARAM
*settings
,
1014 const OSSL_PARAM
*options
, OSSL_RECORD_LAYER
**retrl
,
1015 /* TODO(RECLAYER): Remove me */
1018 OSSL_RECORD_LAYER
*rl
= OPENSSL_zalloc(sizeof(*rl
));
1019 const OSSL_PARAM
*p
;
1024 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_MALLOC_FAILURE
);
1025 return OSSL_RECORD_RETURN_FATAL
;
1029 * TODO(RECLAYER): Need to handle the case where the params are updated
1030 * after the record layer has been created.
1032 p
= OSSL_PARAM_locate_const(options
, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS
);
1033 if (p
!= NULL
&& !OSSL_PARAM_get_uint64(p
, &rl
->options
)) {
1034 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_FAILED_TO_GET_PARAMETER
);
1038 p
= OSSL_PARAM_locate_const(options
, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE
);
1039 if (p
!= NULL
&& !OSSL_PARAM_get_uint32(p
, &rl
->mode
)) {
1040 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_FAILED_TO_GET_PARAMETER
);
1044 /* Loop through all the settings since they must all be understood */
1045 for (p
= settings
; p
->key
!= NULL
; p
++) {
1046 if (strcmp(p
->key
, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM
) == 0) {
1047 if (!OSSL_PARAM_get_int(p
, &rl
->use_etm
)) {
1048 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_FAILED_TO_GET_PARAMETER
);
1051 } else if (strcmp(p
->key
, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN
) == 0) {
1052 if (!OSSL_PARAM_get_uint(p
, &rl
->max_frag_len
)) {
1053 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_FAILED_TO_GET_PARAMETER
);
1057 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_UNKNOWN_MANDATORY_PARAMETER
);
1063 if (level
== OSSL_RECORD_PROTECTION_LEVEL_APPLICATION
) {
1065 * We ignore any read_ahead setting prior to the application protection
1066 * level. Otherwise we may read ahead data in a lower protection level
1067 * that is destined for a higher protection level. To simplify the logic
1068 * we don't support that at this stage.
1071 * TODO(RECLAYER): Handle the case of read_ahead at the application
1072 * level and a key update/reneg occurs.
1074 p
= OSSL_PARAM_locate_const(options
, OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD
);
1075 if (p
!= NULL
&& !OSSL_PARAM_get_int(p
, &rl
->read_ahead
)) {
1076 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_FAILED_TO_GET_PARAMETER
);
1081 rl
->libctx
= libctx
;
1086 rl
->direction
= direction
;
1088 if (level
== OSSL_RECORD_PROTECTION_LEVEL_NONE
)
1089 rl
->is_first_record
= 1;
1091 if (!tls_set1_bio(rl
, transport
))
1094 if (prev
!= NULL
&& !BIO_up_ref(prev
))
1098 if (next
!= NULL
&& !BIO_up_ref(next
))
1103 return OSSL_RECORD_RETURN_SUCCESS
;
1106 return OSSL_RECORD_RETURN_FATAL
;
1110 tls_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
1111 int role
, int direction
, int level
, unsigned char *key
,
1112 size_t keylen
, unsigned char *iv
, size_t ivlen
,
1113 unsigned char *mackey
, size_t mackeylen
,
1114 const EVP_CIPHER
*ciph
, size_t taglen
,
1115 /* TODO(RECLAYER): This probably should not be an int */
1117 const EVP_MD
*md
, const SSL_COMP
*comp
, BIO
*prev
,
1118 BIO
*transport
, BIO
*next
, BIO_ADDR
*local
, BIO_ADDR
*peer
,
1119 const OSSL_PARAM
*settings
, const OSSL_PARAM
*options
,
1120 OSSL_RECORD_LAYER
**retrl
,
1121 /* TODO(RECLAYER): Remove me */
1126 ret
= tls_int_new_record_layer(libctx
, propq
, vers
, role
, direction
, level
,
1127 key
, keylen
, iv
, ivlen
, mackey
, mackeylen
,
1128 ciph
, taglen
, mactype
, md
, comp
, prev
,
1129 transport
, next
, local
, peer
, settings
,
1132 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
1136 case TLS_ANY_VERSION
:
1137 (*retrl
)->funcs
= &tls_any_funcs
;
1139 case TLS1_3_VERSION
:
1140 (*retrl
)->funcs
= &tls_1_3_funcs
;
1142 case TLS1_2_VERSION
:
1143 case TLS1_1_VERSION
:
1145 (*retrl
)->funcs
= &tls_1_funcs
;
1148 (*retrl
)->funcs
= &ssl_3_0_funcs
;
1151 /* Should not happen */
1152 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
1153 ret
= OSSL_RECORD_RETURN_FATAL
;
1157 ret
= (*retrl
)->funcs
->set_crypto_state(*retrl
, level
, key
, keylen
, iv
,
1158 ivlen
, mackey
, mackeylen
, ciph
,
1159 taglen
, mactype
, md
, comp
, s
);
1162 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
) {
1163 OPENSSL_free(*retrl
);
1169 /* TODO(RECLAYER): Temporary funcs */
1170 static int dtls_set_protocol_version(OSSL_RECORD_LAYER
*rl
, int version
)
1172 rl
->version
= version
;
1175 static struct record_functions_st dtls_funcs
= {
1180 dtls_set_protocol_version
,
1185 dtls_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
1186 int role
, int direction
, int level
, unsigned char *key
,
1187 size_t keylen
, unsigned char *iv
, size_t ivlen
,
1188 unsigned char *mackey
, size_t mackeylen
,
1189 const EVP_CIPHER
*ciph
, size_t taglen
,
1190 /* TODO(RECLAYER): This probably should not be an int */
1192 const EVP_MD
*md
, const SSL_COMP
*comp
, BIO
*prev
,
1193 BIO
*transport
, BIO
*next
, BIO_ADDR
*local
, BIO_ADDR
*peer
,
1194 const OSSL_PARAM
*settings
, const OSSL_PARAM
*options
,
1195 OSSL_RECORD_LAYER
**retrl
,
1196 /* TODO(RECLAYER): Remove me */
1202 ret
= tls_int_new_record_layer(libctx
, propq
, vers
, role
, direction
, level
,
1203 key
, keylen
, iv
, ivlen
, mackey
, mackeylen
,
1204 ciph
, taglen
, mactype
, md
, comp
, prev
,
1205 transport
, next
, local
, peer
, settings
,
1208 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
1211 (*retrl
)->isdtls
= 1;
1212 (*retrl
)->funcs
= &dtls_funcs
;
1214 return OSSL_RECORD_RETURN_SUCCESS
;
1217 static void tls_int_free(OSSL_RECORD_LAYER
*rl
)
1219 /* TODO(RECLAYER): Cleanse sensitive fields */
1223 SSL3_BUFFER_release(&rl
->rbuf
);
1225 EVP_CIPHER_CTX_free(rl
->enc_read_ctx
);
1226 EVP_MD_CTX_free(rl
->read_hash
);
1227 #ifndef OPENSSL_NO_COMP
1228 COMP_CTX_free(rl
->expand
);
1234 int tls_free(OSSL_RECORD_LAYER
*rl
)
1237 size_t left
, written
;
1242 left
= SSL3_BUFFER_get_left(rbuf
);
1245 * This record layer is closing but we still have data left in our
1246 * buffer. It must be destined for the next epoch - so push it there.
1248 ret
= BIO_write_ex(rl
->next
, rbuf
->buf
+ rbuf
->offset
, left
, &written
);
1256 int tls_reset(OSSL_RECORD_LAYER
*rl
)
1258 memset(rl
, 0, sizeof(*rl
));
1262 int tls_unprocessed_read_pending(OSSL_RECORD_LAYER
*rl
)
1264 return SSL3_BUFFER_get_left(&rl
->rbuf
) != 0;
1267 int tls_processed_read_pending(OSSL_RECORD_LAYER
*rl
)
1269 return rl
->curr_rec
< rl
->num_recs
;
1272 size_t tls_app_data_pending(OSSL_RECORD_LAYER
*rl
)
1277 int tls_write_pending(OSSL_RECORD_LAYER
*rl
)
1282 size_t tls_get_max_record_len(OSSL_RECORD_LAYER
*rl
)
1287 size_t tls_get_max_records(OSSL_RECORD_LAYER
*rl
)
1292 int tls_write_records(OSSL_RECORD_LAYER
*rl
, OSSL_RECORD_TEMPLATE
**templates
,
1293 size_t numtempl
, size_t allowance
, size_t *sent
)
1298 int tls_retry_write_records(OSSL_RECORD_LAYER
*rl
, size_t allowance
,
1305 int tls_get_alert_code(OSSL_RECORD_LAYER
*rl
)
1310 int tls_set1_bio(OSSL_RECORD_LAYER
*rl
, BIO
*bio
)
1312 if (bio
!= NULL
&& !BIO_up_ref(bio
))
1320 /* Shared by most methods except tlsany_meth */
1321 int tls_default_set_protocol_version(OSSL_RECORD_LAYER
*rl
, int version
)
1323 if (rl
->version
!= version
)
1329 int tls_set_protocol_version(OSSL_RECORD_LAYER
*rl
, int version
)
1331 return rl
->funcs
->set_protocol_version(rl
, version
);
1334 void tls_set_plain_alerts(OSSL_RECORD_LAYER
*rl
, int allow
)
1336 rl
->allow_plain_alerts
= allow
;
1339 void tls_set_first_handshake(OSSL_RECORD_LAYER
*rl
, int first
)
1341 rl
->is_first_handshake
= first
;
1344 SSL3_BUFFER
*tls_get0_rbuf(OSSL_RECORD_LAYER
*rl
)
1349 unsigned char *tls_get0_packet(OSSL_RECORD_LAYER
*rl
)
1354 void tls_set0_packet(OSSL_RECORD_LAYER
*rl
, unsigned char *packet
,
1357 rl
->packet
= packet
;
1358 rl
->packet_length
= packetlen
;
1361 size_t tls_get_packet_length(OSSL_RECORD_LAYER
*rl
)
1363 return rl
->packet_length
;
1366 const OSSL_RECORD_METHOD ossl_tls_record_method
= {
1367 tls_new_record_layer
,
1370 tls_unprocessed_read_pending
,
1371 tls_processed_read_pending
,
1372 tls_app_data_pending
,
1374 tls_get_max_record_len
,
1375 tls_get_max_records
,
1377 tls_retry_write_records
,
1382 tls_set_protocol_version
,
1383 tls_set_plain_alerts
,
1384 tls_set_first_handshake
,
1387 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
1388 * during the record layer refactoring. They need to be removed before the
1389 * refactor is complete.
1395 tls_get_packet_length
,
1396 tls_reset_packet_length
1399 const OSSL_RECORD_METHOD ossl_dtls_record_method
= {
1400 dtls_new_record_layer
,
1403 tls_unprocessed_read_pending
,
1404 tls_processed_read_pending
,
1405 tls_app_data_pending
,
1407 tls_get_max_record_len
,
1408 tls_get_max_records
,
1410 tls_retry_write_records
,
1415 tls_set_protocol_version
,
1417 tls_set_first_handshake
,
1420 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
1421 * during the record layer refactoring. They need to be removed before the
1422 * refactor is complete.
1428 tls_get_packet_length
,
1429 tls_reset_packet_length