]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/record/methods/tls_common.c
projects / thirdparty / openssl.git / blob
? search:


49ca086d814e104aa20376d917b83fd12f279162
[thirdparty/openssl.git] / ssl / record / methods / tls_common.c
1 /*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/bio.h>
11 #include <openssl/ssl.h>
12 #include <openssl/err.h>
13 #include <openssl/core_names.h>
14 #include "internal/e_os.h"
15 #include "internal/packet.h"
16 #include "../../ssl_local.h"
17 #include "../record_local.h"
18 #include "recmethod_local.h"
19
20 # define SSL_AD_NO_ALERT -1
21
22 static void tls_int_free(OSSL_RECORD_LAYER *rl);
23
24 void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
25 const char *fmt, ...)
26 {
27 va_list args;
28
29 va_start(args, fmt);
30 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
31 va_end(args);
32
33 rl->alert = al;
34 }
35
36 int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
37 EVP_CIPHER_CTX *ctx,
38 const EVP_CIPHER *ciph,
39 const EVP_MD *md)
40 {
41 /*
42 * Provided cipher, the TLS padding/MAC removal is performed provider
43 * side so we need to tell the ctx about our TLS version and mac size
44 */
45 OSSL_PARAM params[3], *pprm = params;
46 size_t macsize = 0;
47 int imacsize = -1;
48
49 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
50 && !rl->use_etm)
51 imacsize = EVP_MD_get_size(md);
52 if (imacsize >= 0)
53 macsize = (size_t)imacsize;
54
55 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
56 &rl->version);
57 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
58 &macsize);
59 *pprm = OSSL_PARAM_construct_end();
60
61 if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
62 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
63 return 0;
64 }
65
66 return 1;
67 }
68
69 /*
70 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
71 * which ssl3_cbc_digest_record supports.
72 */
73 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
74 {
75 switch (EVP_MD_CTX_get_type(ctx)) {
76 case NID_md5:
77 case NID_sha1:
78 case NID_sha224:
79 case NID_sha256:
80 case NID_sha384:
81 case NID_sha512:
82 return 1;
83 default:
84 return 0;
85 }
86 }
87
88 #ifndef OPENSSL_NO_COMP
89 static int rlayer_allow_compression(OSSL_RECORD_LAYER *rl)
90 {
91 if (rl->options & SSL_OP_NO_COMPRESSION)
92 return 0;
93
94 return rl->security(rl->cbarg, SSL_SECOP_COMPRESSION, 0, 0, NULL);
95 }
96 #endif
97
98 static int rlayer_setup_read_buffer(OSSL_RECORD_LAYER *rl)
99 {
100 unsigned char *p;
101 size_t len, align = 0, headerlen;
102 SSL3_BUFFER *b;
103
104 b = &rl->rbuf;
105
106 if (rl->isdtls)
107 headerlen = DTLS1_RT_HEADER_LENGTH;
108 else
109 headerlen = SSL3_RT_HEADER_LENGTH;
110
111 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
112 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
113 #endif
114
115 if (b->buf == NULL) {
116 len = SSL3_RT_MAX_PLAIN_LENGTH
117 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
118 #ifndef OPENSSL_NO_COMP
119 if (rlayer_allow_compression(rl))
120 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
121 #endif
122 if (b->default_len > len)
123 len = b->default_len;
124 if ((p = OPENSSL_malloc(len)) == NULL) {
125 /*
126 * We've got a malloc failure, and we're still initialising buffers.
127 * We assume we're so doomed that we won't even be able to send an
128 * alert.
129 */
130 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_MALLOC_FAILURE);
131 return 0;
132 }
133 b->buf = p;
134 b->len = len;
135 }
136
137 return 1;
138 }
139
140 static int rlayer_release_read_buffer(OSSL_RECORD_LAYER *rl)
141 {
142 SSL3_BUFFER *b;
143
144 b = &rl->rbuf;
145 if (rl->options & SSL_OP_CLEANSE_PLAINTEXT)
146 OPENSSL_cleanse(b->buf, b->len);
147 OPENSSL_free(b->buf);
148 b->buf = NULL;
149 return 1;
150 }
151
152 void tls_reset_packet_length(OSSL_RECORD_LAYER *rl)
153 {
154 rl->packet_length = 0;
155 }
156
157 /*
158 * Return values are as per SSL_read()
159 */
160 int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
161 int clearold, size_t *readbytes)
162 {
163 /*
164 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
165 * packet by another n bytes. The packet will be in the sub-array of
166 * s->rlayer.rbuf.buf specified by s->rlayer.packet and
167 * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may
168 * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].)
169 * if clearold == 1, move the packet to the start of the buffer; if
170 * clearold == 0 then leave any old packets where they were
171 */
172 size_t len, left, align = 0;
173 unsigned char *pkt;
174 SSL3_BUFFER *rb;
175
176 if (n == 0)
177 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
178
179 rb = &rl->rbuf;
180 /*
181 * TODO(RECLAYER): Once this function is only called from inside the rlayer
182 * directly, we can probably remove this since it is initialised in
183 * tls_get_more_records
184 */
185 if (rb->buf == NULL) {
186 if (!rlayer_setup_read_buffer(rl)) {
187 /* RLAYERfatal() already called */
188 return OSSL_RECORD_RETURN_FATAL;
189 }
190 }
191
192 left = rb->left;
193 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
194 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
195 align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
196 #endif
197
198 if (!extend) {
199 /* start with empty packet ... */
200 if (left == 0) {
201 rb->offset = align;
202 } else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {
203 /*
204 * check if next packet length is large enough to justify payload
205 * alignment...
206 */
207 pkt = rb->buf + rb->offset;
208 if (pkt[0] == SSL3_RT_APPLICATION_DATA
209 && (pkt[3] << 8 | pkt[4]) >= 128) {
210 /*
211 * Note that even if packet is corrupted and its length field
212 * is insane, we can only be led to wrong decision about
213 * whether memmove will occur or not. Header values has no
214 * effect on memmove arguments and therefore no buffer
215 * overrun can be triggered.
216 */
217 memmove(rb->buf + align, pkt, left);
218 rb->offset = align;
219 }
220 }
221 rl->packet = rb->buf + rb->offset;
222 rl->packet_length = 0;
223 /* ... now we can act as if 'extend' was set */
224 }
225
226 len = rl->packet_length;
227 pkt = rb->buf + align;
228 /*
229 * Move any available bytes to front of buffer: 'len' bytes already
230 * pointed to by 'packet', 'left' extra ones at the end
231 */
232 if (rl->packet != pkt && clearold == 1) {
233 memmove(pkt, rl->packet, len + left);
234 rl->packet = pkt;
235 rb->offset = len + align;
236 }
237
238 /*
239 * For DTLS/UDP reads should not span multiple packets because the read
240 * operation returns the whole packet at once (as long as it fits into
241 * the buffer).
242 */
243 if (rl->isdtls) {
244 if (left == 0 && extend)
245 return 0;
246 if (left > 0 && n > left)
247 n = left;
248 }
249
250 /* if there is enough in the buffer from a previous read, take some */
251 if (left >= n) {
252 rl->packet_length += n;
253 rb->left = left - n;
254 rb->offset += n;
255 *readbytes = n;
256 return OSSL_RECORD_RETURN_SUCCESS;
257 }
258
259 /* else we need to read more data */
260
261 if (n > rb->len - rb->offset) {
262 /* does not happen */
263 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
264 return OSSL_RECORD_RETURN_FATAL;
265 }
266
267 /* We always act like read_ahead is set for DTLS */
268 if (!rl->read_ahead && !rl->isdtls) {
269 /* ignore max parameter */
270 max = n;
271 } else {
272 if (max < n)
273 max = n;
274 if (max > rb->len - rb->offset)
275 max = rb->len - rb->offset;
276 }
277
278 while (left < n) {
279 size_t bioread = 0;
280 int ret;
281 BIO *bio = rl->prev != NULL ? rl->prev : rl->bio;
282
283 /*
284 * Now we have len+left bytes at the front of s->s3.rbuf.buf and
285 * need to read in more until we have len+n (up to len+max if
286 * possible)
287 */
288
289 clear_sys_error();
290 if (bio != NULL) {
291 ret = BIO_read(bio, pkt + len + left, max - left);
292 if (ret > 0) {
293 bioread = ret;
294 ret = OSSL_RECORD_RETURN_SUCCESS;
295 } else if (BIO_should_retry(bio)) {
296 if (rl->prev != NULL) {
297 /*
298 * We were reading from the previous epoch. Now there is no
299 * more data, so swap to the actual transport BIO
300 */
301 BIO_free(rl->prev);
302 rl->prev = NULL;
303 continue;
304 }
305 ret = OSSL_RECORD_RETURN_RETRY;
306 } else if (BIO_eof(bio)) {
307 ret = OSSL_RECORD_RETURN_EOF;
308 } else {
309 ret = OSSL_RECORD_RETURN_FATAL;
310 }
311 } else {
312 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
313 ret = OSSL_RECORD_RETURN_FATAL;
314 }
315
316 if (ret <= OSSL_RECORD_RETURN_RETRY) {
317 rb->left = left;
318 if (rl->mode & SSL_MODE_RELEASE_BUFFERS && !rl->isdtls)
319 if (len + left == 0)
320 rlayer_release_read_buffer(rl);
321 return ret;
322 }
323 left += bioread;
324 /*
325 * reads should *never* span multiple packets for DTLS because the
326 * underlying transport protocol is message oriented as opposed to
327 * byte oriented as in the TLS case.
328 */
329 if (rl->isdtls) {
330 if (n > left)
331 n = left; /* makes the while condition false */
332 }
333 }
334
335 /* done reading, now the book-keeping */
336 rb->offset += n;
337 rb->left = left - n;
338 rl->packet_length += n;
339 *readbytes = n;
340 return OSSL_RECORD_RETURN_SUCCESS;
341 }
342
343 /*
344 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
345 * for us in the buffer.
346 */
347 static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
348 {
349 SSL3_BUFFER *rbuf;
350 size_t left, len;
351 unsigned char *p;
352
353 rbuf = &rl->rbuf;
354
355 p = SSL3_BUFFER_get_buf(rbuf);
356 if (p == NULL)
357 return 0;
358
359 left = SSL3_BUFFER_get_left(rbuf);
360
361 if (left < SSL3_RT_HEADER_LENGTH)
362 return 0;
363
364 p += SSL3_BUFFER_get_offset(rbuf);
365
366 /*
367 * We only check the type and record length, we will sanity check version
368 * etc later
369 */
370 if (*p != SSL3_RT_APPLICATION_DATA)
371 return 0;
372
373 p += 3;
374 n2s(p, len);
375
376 if (left < SSL3_RT_HEADER_LENGTH + len)
377 return 0;
378
379 return 1;
380 }
381
382 static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length,
383 size_t overhead, int send)
384 {
385 uint32_t max_early_data = rl->max_early_data;
386
387 if (max_early_data == 0) {
388 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
389 SSL_R_TOO_MUCH_EARLY_DATA);
390 return 0;
391 }
392
393 /* If we are dealing with ciphertext we need to allow for the overhead */
394 max_early_data += overhead;
395
396 if (rl->early_data_count + length > max_early_data) {
397 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
398 SSL_R_TOO_MUCH_EARLY_DATA);
399 return 0;
400 }
401 rl->early_data_count += length;
402
403 return 1;
404 }
405
406 /*
407 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
408 * will be processed per call to ssl3_get_record. Without this limit an
409 * attacker could send empty records at a faster rate than we can process and
410 * cause ssl3_get_record to loop forever.
411 */
412 #define MAX_EMPTY_RECORDS 32
413
414 #define SSL2_RT_HEADER_LENGTH 2
415
416 /*-
417 * Call this to buffer new input records in rl->rrec.
418 * It will return a OSSL_RECORD_RETURN_* value.
419 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
420 * records have been decoded. For each record 'i':
421 * rrec[i].type - is the type of record
422 * rrec[i].data, - data
423 * rrec[i].length, - number of bytes
424 * Multiple records will only be returned if the record types are all
425 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
426 * |max_pipelines|
427 */
428 static int tls_get_more_records(OSSL_RECORD_LAYER *rl,
429 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
430 {
431 int enc_err, rret;
432 int i;
433 size_t more, n;
434 SSL3_RECORD *rr, *thisrr;
435 SSL3_BUFFER *rbuf;
436 unsigned char *p;
437 unsigned char md[EVP_MAX_MD_SIZE];
438 unsigned int version;
439 size_t mac_size = 0;
440 int imac_size;
441 size_t num_recs = 0, max_recs, j;
442 PACKET pkt, sslv2pkt;
443 SSL_MAC_BUF *macbufs = NULL;
444 int ret = OSSL_RECORD_RETURN_FATAL;
445
446 rr = rl->rrec;
447 rbuf = &rl->rbuf;
448 if (rbuf->buf == NULL) {
449 if (!rlayer_setup_read_buffer(rl)) {
450 /* RLAYERfatal() already called */
451 return OSSL_RECORD_RETURN_FATAL;
452 }
453 }
454
455 max_recs = s->max_pipelines;
456 if (max_recs == 0)
457 max_recs = 1;
458
459 do {
460 thisrr = &rr[num_recs];
461
462 /* check if we have the header */
463 if ((rl->rstate != SSL_ST_READ_BODY) ||
464 (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
465 size_t sslv2len;
466 unsigned int type;
467
468 rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH,
469 SSL3_BUFFER_get_len(rbuf), 0,
470 num_recs == 0 ? 1 : 0, &n);
471
472 if (rret < OSSL_RECORD_RETURN_SUCCESS)
473 return rret; /* error or non-blocking */
474
475 rl->rstate = SSL_ST_READ_BODY;
476
477 p = rl->packet;
478 if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
479 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
480 return OSSL_RECORD_RETURN_FATAL;
481 }
482 sslv2pkt = pkt;
483 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
484 || !PACKET_get_1(&sslv2pkt, &type)) {
485 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
486 return OSSL_RECORD_RETURN_FATAL;
487 }
488 /*
489 * The first record received by the server may be a V2ClientHello.
490 */
491 if (rl->role == OSSL_RECORD_ROLE_SERVER
492 && rl->is_first_record
493 && (sslv2len & 0x8000) != 0
494 && (type == SSL2_MT_CLIENT_HELLO)) {
495 /*
496 * SSLv2 style record
497 *
498 * |num_recs| here will actually always be 0 because
499 * |num_recs > 0| only ever occurs when we are processing
500 * multiple app data records - which we know isn't the case here
501 * because it is an SSLv2ClientHello. We keep it using
502 * |num_recs| for the sake of consistency
503 */
504 thisrr->type = SSL3_RT_HANDSHAKE;
505 thisrr->rec_version = SSL2_VERSION;
506
507 thisrr->length = sslv2len & 0x7fff;
508
509 if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
510 - SSL2_RT_HEADER_LENGTH) {
511 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
512 SSL_R_PACKET_LENGTH_TOO_LONG);
513 return OSSL_RECORD_RETURN_FATAL;
514 }
515 } else {
516 /* SSLv3+ style record */
517
518 /* Pull apart the header into the SSL3_RECORD */
519 if (!PACKET_get_1(&pkt, &type)
520 || !PACKET_get_net_2(&pkt, &version)
521 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
522 rl->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, rl->cbarg);
523 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
524 return OSSL_RECORD_RETURN_FATAL;
525 }
526 thisrr->type = type;
527 thisrr->rec_version = version;
528
529 /*
530 * When we call validate_record_header() only records actually
531 * received in SSLv2 format should have the record version set
532 * to SSL2_VERSION. This way validate_record_header() can know
533 * what format the record was in based on the version.
534 */
535 if (thisrr->rec_version == SSL2_VERSION) {
536 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
537 SSL_R_WRONG_VERSION_NUMBER);
538 return OSSL_RECORD_RETURN_FATAL;
539 }
540
541 rl->msg_callback(0, version, SSL3_RT_HEADER, p, 5, rl->cbarg);
542
543 if (thisrr->length >
544 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
545 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
546 SSL_R_PACKET_LENGTH_TOO_LONG);
547 return OSSL_RECORD_RETURN_FATAL;
548 }
549 }
550
551 if (!rl->funcs->validate_record_header(rl, thisrr)) {
552 /* RLAYERfatal already called */
553 return OSSL_RECORD_RETURN_FATAL;
554 }
555
556 /* now rl->rstate == SSL_ST_READ_BODY */
557 }
558
559 /*
560 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
561 * how much more data we need to read for the rest of the record
562 */
563 if (thisrr->rec_version == SSL2_VERSION) {
564 more = thisrr->length + SSL2_RT_HEADER_LENGTH
565 - SSL3_RT_HEADER_LENGTH;
566 } else {
567 more = thisrr->length;
568 }
569
570 if (more > 0) {
571 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
572
573 rret = rl->funcs->read_n(rl, more, more, 1, 0, &n);
574 if (rret < OSSL_RECORD_RETURN_SUCCESS)
575 return rret; /* error or non-blocking io */
576 }
577
578 /* set state for later operations */
579 rl->rstate = SSL_ST_READ_HEADER;
580
581 /*
582 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
583 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
584 * + thisrr->length and we have that many bytes in rl->packet
585 */
586 if (thisrr->rec_version == SSL2_VERSION)
587 thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
588 else
589 thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
590
591 /*
592 * ok, we can now read from 'rl->packet' data into 'thisrr'.
593 * thisrr->input points at thisrr->length bytes, which need to be copied
594 * into thisrr->data by either the decryption or by the decompression.
595 * When the data is 'copied' into the thisrr->data buffer,
596 * thisrr->input will be updated to point at the new buffer
597 */
598
599 /*
600 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
601 * thisrr->length bytes of encrypted compressed stuff.
602 */
603
604 /* decrypt in place in 'thisrr->input' */
605 thisrr->data = thisrr->input;
606 thisrr->orig_len = thisrr->length;
607
608 /* Mark this record as not read by upper layers yet */
609 thisrr->read = 0;
610
611 num_recs++;
612
613 /* we have pulled in a full packet so zero things */
614 tls_reset_packet_length(rl);
615 rl->is_first_record = 0;
616 } while (num_recs < max_recs
617 && thisrr->type == SSL3_RT_APPLICATION_DATA
618 && RLAYER_USE_EXPLICIT_IV(rl)
619 && rl->enc_ctx != NULL
620 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
621 & EVP_CIPH_FLAG_PIPELINE) != 0
622 && tls_record_app_data_waiting(rl));
623
624 if (num_recs == 1
625 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
626 /* The following can happen in tlsany_meth after HRR */
627 && rl->version == TLS1_3_VERSION
628 && rl->is_first_handshake) {
629 /*
630 * CCS messages must be exactly 1 byte long, containing the value 0x01
631 */
632 if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
633 RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER,
634 SSL_R_INVALID_CCS_MESSAGE);
635 return OSSL_RECORD_RETURN_FATAL;
636 }
637 /*
638 * CCS messages are ignored in TLSv1.3. We treat it like an empty
639 * handshake record
640 */
641 thisrr->type = SSL3_RT_HANDSHAKE;
642 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
643 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
644 SSL_R_UNEXPECTED_CCS_MESSAGE);
645 return OSSL_RECORD_RETURN_FATAL;
646 }
647 thisrr->read = 1;
648 rl->num_recs = 0;
649 rl->curr_rec = 0;
650 rl->num_released = 0;
651
652 return OSSL_RECORD_RETURN_SUCCESS;
653 }
654
655 if (rl->md_ctx != NULL) {
656 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
657
658 if (tmpmd != NULL) {
659 imac_size = EVP_MD_get_size(tmpmd);
660 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
661 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
662 return OSSL_RECORD_RETURN_FATAL;
663 }
664 mac_size = (size_t)imac_size;
665 }
666 }
667
668 /*
669 * If in encrypt-then-mac mode calculate mac from encrypted record. All
670 * the details below are public so no timing details can leak.
671 */
672 if (rl->use_etm && rl->md_ctx) {
673 unsigned char *mac;
674
675 for (j = 0; j < num_recs; j++) {
676 thisrr = &rr[j];
677
678 if (thisrr->length < mac_size) {
679 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
680 return OSSL_RECORD_RETURN_FATAL;
681 }
682 thisrr->length -= mac_size;
683 mac = thisrr->data + thisrr->length;
684 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s);
685 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
686 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
687 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
688 return OSSL_RECORD_RETURN_FATAL;
689 }
690 }
691 /*
692 * We've handled the mac now - there is no MAC inside the encrypted
693 * record
694 */
695 mac_size = 0;
696 }
697
698 if (mac_size > 0) {
699 macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
700 if (macbufs == NULL) {
701 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
702 return OSSL_RECORD_RETURN_FATAL;
703 }
704 }
705
706 /*
707 * TODO(RECLAYER): Only call rl functions once TLSv1.3/SSLv3 is moved to new
708 * record layer code
709 */
710 enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size, s);
711
712 /*-
713 * enc_err is:
714 * 0: if the record is publicly invalid, or an internal error, or AEAD
715 * decryption failed, or ETM decryption failed.
716 * 1: Success or MTE decryption failed (MAC will be randomised)
717 */
718 if (enc_err == 0) {
719 if (rl->alert != 0) {
720 /* RLAYERfatal() already got called */
721 goto end;
722 }
723 if (num_recs == 1 && rl->skip_early_data(rl->cbarg)) {
724 /*
725 * Valid early_data that we cannot decrypt will fail here. We treat
726 * it like an empty record.
727 */
728
729 thisrr = &rr[0];
730
731 if (!rlayer_early_data_count_ok(rl, thisrr->length,
732 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
733 /* RLAYERfatal() already called */
734 goto end;
735 }
736
737 thisrr->length = 0;
738 thisrr->read = 1;
739 rl->num_recs = 0;
740 rl->curr_rec = 0;
741 rl->num_released = 0;
742 /* Reset the read sequence */
743 memset(rl->sequence, 0, sizeof(rl->sequence));
744 ret = 1;
745 goto end;
746 }
747 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
748 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
749 goto end;
750 }
751 OSSL_TRACE_BEGIN(TLS) {
752 BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
753 BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
754 } OSSL_TRACE_END(TLS);
755
756 /* r->length is now the compressed data plus mac */
757 if (rl->enc_ctx != NULL
758 && !rl->use_etm
759 && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
760 /* rl->md_ctx != NULL => mac_size != -1 */
761
762 for (j = 0; j < num_recs; j++) {
763 SSL_MAC_BUF *thismb = &macbufs[j];
764 thisrr = &rr[j];
765
766 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s);
767 if (i == 0 || thismb == NULL || thismb->mac == NULL
768 || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
769 enc_err = 0;
770 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
771 enc_err = 0;
772 }
773 }
774
775 if (enc_err == 0) {
776 if (rl->alert != 0) {
777 /* We already called RLAYERfatal() */
778 goto end;
779 }
780 /*
781 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
782 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
783 * failure is directly visible from the ciphertext anyway, we should
784 * not reveal which kind of error occurred -- this might become
785 * visible to an attacker (e.g. via a logfile)
786 */
787 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
788 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
789 goto end;
790 }
791
792 for (j = 0; j < num_recs; j++) {
793 thisrr = &rr[j];
794
795 if (!rl->funcs->post_process_record(rl, thisrr, s)) {
796 /* RLAYERfatal already called */
797 goto end;
798 }
799
800 /*
801 * Check if the received packet overflows the current
802 * Max Fragment Length setting.
803 * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
804 */
805 if (rl->max_frag_len > 0 && thisrr->length > rl->max_frag_len) {
806 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
807 goto end;
808 }
809
810 thisrr->off = 0;
811 /*-
812 * So at this point the following is true
813 * thisrr->type is the type of record
814 * thisrr->length == number of bytes in record
815 * thisrr->off == offset to first valid byte
816 * thisrr->data == where to take bytes from, increment after use :-).
817 */
818
819 /* just read a 0 length packet */
820 if (thisrr->length == 0) {
821 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
822 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_RECORD_TOO_SMALL);
823 goto end;
824 }
825 } else {
826 rl->empty_record_count = 0;
827 }
828 }
829
830 if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) {
831 thisrr = &rr[0];
832 if (thisrr->type == SSL3_RT_APPLICATION_DATA
833 && !rlayer_early_data_count_ok(rl, thisrr->length, 0, 0)) {
834 /* RLAYERfatal already called */
835 goto end;
836 }
837 }
838
839 rl->num_recs = num_recs;
840 rl->curr_rec = 0;
841 rl->num_released = 0;
842 ret = OSSL_RECORD_RETURN_SUCCESS;
843 end:
844 if (macbufs != NULL) {
845 for (j = 0; j < num_recs; j++) {
846 if (macbufs[j].alloced)
847 OPENSSL_free(macbufs[j].mac);
848 }
849 OPENSSL_free(macbufs);
850 }
851 return ret;
852 }
853
854 /* Shared by ssl3_meth and tls1_meth */
855 int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
856 {
857 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
858
859 if (rec->rec_version != rl->version) {
860 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER);
861 return 0;
862 }
863
864 #ifndef OPENSSL_NO_COMP
865 /*
866 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
867 * does not include the compression overhead anyway.
868 */
869 if (rl->expand == NULL)
870 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
871 #endif
872
873 if (rec->length > len) {
874 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
875 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
876 return 0;
877 }
878
879 return 1;
880 }
881
882 static int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
883 {
884 #ifndef OPENSSL_NO_COMP
885 int i;
886
887 if (rec->comp == NULL) {
888 rec->comp = (unsigned char *)
889 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
890 }
891 if (rec->comp == NULL)
892 return 0;
893
894 i = COMP_expand_block(rl->expand, rec->comp,
895 SSL3_RT_MAX_PLAIN_LENGTH, rec->data, (int)rec->length);
896 if (i < 0)
897 return 0;
898 else
899 rec->length = i;
900 rec->data = rec->comp;
901 return 1;
902 #else
903 return 0;
904 #endif
905 }
906
907 /* Shared by tlsany_meth, ssl3_meth and tls1_meth */
908 int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL_CONNECTION *s)
909 {
910 if (rl->expand != NULL) {
911 if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
912 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
913 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
914 return 0;
915 }
916 if (!tls_do_uncompress(rl, rec)) {
917 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
918 SSL_R_BAD_DECOMPRESSION);
919 return 0;
920 }
921 }
922
923 if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
924 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
925 return 0;
926 }
927
928 return 1;
929 }
930
931 /* Shared by tls13_meth and ktls_meth */
932 int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec,
933 SSL_CONNECTION *s)
934 {
935 if (rec->type != SSL3_RT_APPLICATION_DATA
936 && rec->type != SSL3_RT_ALERT
937 && rec->type != SSL3_RT_HANDSHAKE) {
938 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
939 return 0;
940 }
941
942 rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &rec->type,
943 1, rl->cbarg);
944
945 /*
946 * TLSv1.3 alert and handshake records are required to be non-zero in
947 * length.
948 */
949 if ((rec->type == SSL3_RT_HANDSHAKE
950 || rec->type == SSL3_RT_ALERT)
951 && rec->length == 0) {
952 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
953 return 0;
954 }
955
956 return 1;
957 }
958
959 int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
960 int *type, unsigned char **data, size_t *datalen,
961 uint16_t *epoch, unsigned char *seq_num,
962 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
963 {
964 SSL3_RECORD *rec;
965
966 /*
967 * tls_get_more_records() can return success without actually reading
968 * anything useful (i.e. if empty records are read). We loop here until
969 * we have something useful. tls_get_more_records() will eventually fail if
970 * too many sequential empty records are read.
971 */
972 while (rl->curr_rec >= rl->num_recs) {
973 int ret;
974
975 if (rl->num_released != rl->num_recs) {
976 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
977 return OSSL_RECORD_RETURN_FATAL;
978 }
979
980 ret = tls_get_more_records(rl, s);
981
982 if (ret != OSSL_RECORD_RETURN_SUCCESS)
983 return ret;
984 }
985
986 /*
987 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
988 * points to the next one to read.
989 */
990 rec = &rl->rrec[rl->curr_rec++];
991
992 *rechandle = rec;
993 *rversion = rec->rec_version;
994 *type = rec->type;
995 *data = rec->data;
996 *datalen = rec->length;
997
998 return OSSL_RECORD_RETURN_SUCCESS;
999 }
1000
1001 int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle)
1002 {
1003 if (!ossl_assert(rl->num_released < rl->curr_rec)
1004 || !ossl_assert(rechandle == &rl->rrec[rl->num_released])) {
1005 /* Should not happen */
1006 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
1007 return OSSL_RECORD_RETURN_FATAL;
1008 }
1009
1010 rl->num_released++;
1011
1012 return OSSL_RECORD_RETURN_SUCCESS;
1013 }
1014
1015 int
1016 tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1017 int role, int direction, int level, unsigned char *key,
1018 size_t keylen, unsigned char *iv, size_t ivlen,
1019 unsigned char *mackey, size_t mackeylen,
1020 const EVP_CIPHER *ciph, size_t taglen,
1021 /* TODO(RECLAYER): This probably should not be an int */
1022 int mactype,
1023 const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
1024 BIO *transport, BIO *next, BIO_ADDR *local,
1025 BIO_ADDR *peer, const OSSL_PARAM *settings,
1026 const OSSL_PARAM *options,
1027 const OSSL_DISPATCH *fns, void *cbarg,
1028 OSSL_RECORD_LAYER **retrl,
1029 /* TODO(RECLAYER): Remove me */
1030 SSL_CONNECTION *s)
1031 {
1032 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
1033 const OSSL_PARAM *p;
1034
1035 *retrl = NULL;
1036
1037 if (rl == NULL) {
1038 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1039 return OSSL_RECORD_RETURN_FATAL;
1040 }
1041
1042 /*
1043 * TODO(RECLAYER): Need to handle the case where the params are updated
1044 * after the record layer has been created.
1045 */
1046 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
1047 if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
1048 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1049 goto err;
1050 }
1051
1052 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
1053 if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
1054 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1055 goto err;
1056 }
1057
1058 /* Loop through all the settings since they must all be understood */
1059 for (p = settings; p->key != NULL; p++) {
1060 if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) {
1061 if (!OSSL_PARAM_get_int(p, &rl->use_etm)) {
1062 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1063 goto err;
1064 }
1065 } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) {
1066 if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) {
1067 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1068 goto err;
1069 }
1070 } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) {
1071 if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) {
1072 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1073 goto err;
1074 }
1075 } else {
1076 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_MANDATORY_PARAMETER);
1077 goto err;
1078 }
1079 }
1080
1081
1082 if (level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) {
1083 /*
1084 * We ignore any read_ahead setting prior to the application protection
1085 * level. Otherwise we may read ahead data in a lower protection level
1086 * that is destined for a higher protection level. To simplify the logic
1087 * we don't support that at this stage.
1088 */
1089 /*
1090 * TODO(RECLAYER): Handle the case of read_ahead at the application
1091 * level and a key update/reneg occurs.
1092 */
1093 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
1094 if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
1095 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1096 goto err;
1097 }
1098 }
1099
1100 rl->libctx = libctx;
1101 rl->propq = propq;
1102
1103 rl->version = vers;
1104 rl->role = role;
1105 rl->direction = direction;
1106 rl->level = level;
1107
1108 if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
1109 rl->is_first_record = 1;
1110
1111 if (!tls_set1_bio(rl, transport))
1112 goto err;
1113
1114 if (prev != NULL && !BIO_up_ref(prev))
1115 goto err;
1116 rl->prev = prev;
1117
1118 if (next != NULL && !BIO_up_ref(next))
1119 goto err;
1120 rl->next = next;
1121
1122 rl->cbarg = cbarg;
1123 for (; fns->function_id != 0; fns++) {
1124 switch (fns->function_id) {
1125 case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA:
1126 rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns);
1127 break;
1128 case OSSL_FUNC_RLAYER_MSG_CALLBACK:
1129 rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
1130 break;
1131 case OSSL_FUNC_RLAYER_SECURITY:
1132 rl->security = OSSL_FUNC_rlayer_security(fns);
1133 break;
1134 default:
1135 /* Just ignore anything we don't understand */
1136 break;
1137 }
1138 }
1139
1140 *retrl = rl;
1141 return OSSL_RECORD_RETURN_SUCCESS;
1142 err:
1143 tls_int_free(rl);
1144 return OSSL_RECORD_RETURN_FATAL;
1145 }
1146
1147 static int
1148 tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1149 int role, int direction, int level, unsigned char *key,
1150 size_t keylen, unsigned char *iv, size_t ivlen,
1151 unsigned char *mackey, size_t mackeylen,
1152 const EVP_CIPHER *ciph, size_t taglen,
1153 /* TODO(RECLAYER): This probably should not be an int */
1154 int mactype,
1155 const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
1156 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
1157 const OSSL_PARAM *settings, const OSSL_PARAM *options,
1158 const OSSL_DISPATCH *fns, void *cbarg,
1159 OSSL_RECORD_LAYER **retrl,
1160 /* TODO(RECLAYER): Remove me */
1161 SSL_CONNECTION *s)
1162 {
1163 int ret;
1164
1165 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
1166 key, keylen, iv, ivlen, mackey, mackeylen,
1167 ciph, taglen, mactype, md, comp, prev,
1168 transport, next, local, peer, settings,
1169 options, fns, cbarg, retrl, s);
1170
1171 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1172 return ret;
1173
1174 switch (vers) {
1175 case TLS_ANY_VERSION:
1176 (*retrl)->funcs = &tls_any_funcs;
1177 break;
1178 case TLS1_3_VERSION:
1179 (*retrl)->funcs = &tls_1_3_funcs;
1180 break;
1181 case TLS1_2_VERSION:
1182 case TLS1_1_VERSION:
1183 case TLS1_VERSION:
1184 (*retrl)->funcs = &tls_1_funcs;
1185 break;
1186 case SSL3_VERSION:
1187 (*retrl)->funcs = &ssl_3_0_funcs;
1188 break;
1189 default:
1190 /* Should not happen */
1191 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
1192 ret = OSSL_RECORD_RETURN_FATAL;
1193 goto err;
1194 }
1195
1196 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
1197 ivlen, mackey, mackeylen, ciph,
1198 taglen, mactype, md, comp, s);
1199
1200 err:
1201 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
1202 OPENSSL_free(*retrl);
1203 *retrl = NULL;
1204 }
1205 return ret;
1206 }
1207
1208 /* TODO(RECLAYER): Temporary funcs */
1209 static int dtls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1210 {
1211 rl->version = version;
1212 return 1;
1213 }
1214 static struct record_functions_st dtls_funcs = {
1215 NULL,
1216 NULL,
1217 NULL,
1218 NULL,
1219 dtls_set_protocol_version,
1220 NULL
1221 };
1222
1223 static int
1224 dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1225 int role, int direction, int level, unsigned char *key,
1226 size_t keylen, unsigned char *iv, size_t ivlen,
1227 unsigned char *mackey, size_t mackeylen,
1228 const EVP_CIPHER *ciph, size_t taglen,
1229 /* TODO(RECLAYER): This probably should not be an int */
1230 int mactype,
1231 const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
1232 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
1233 const OSSL_PARAM *settings, const OSSL_PARAM *options,
1234 const OSSL_DISPATCH *fns, void *cbarg,
1235 OSSL_RECORD_LAYER **retrl,
1236 /* TODO(RECLAYER): Remove me */
1237 SSL_CONNECTION *s)
1238 {
1239 int ret;
1240
1241
1242 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
1243 key, keylen, iv, ivlen, mackey, mackeylen,
1244 ciph, taglen, mactype, md, comp, prev,
1245 transport, next, local, peer, settings,
1246 options, fns, cbarg, retrl, s);
1247
1248 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1249 return ret;
1250
1251 (*retrl)->isdtls = 1;
1252 (*retrl)->funcs = &dtls_funcs;
1253
1254 return OSSL_RECORD_RETURN_SUCCESS;
1255 }
1256
1257 static void tls_int_free(OSSL_RECORD_LAYER *rl)
1258 {
1259 /* TODO(RECLAYER): Cleanse sensitive fields */
1260 BIO_free(rl->prev);
1261 BIO_free(rl->bio);
1262 BIO_free(rl->next);
1263 SSL3_BUFFER_release(&rl->rbuf);
1264
1265 EVP_CIPHER_CTX_free(rl->enc_ctx);
1266 EVP_MD_CTX_free(rl->md_ctx);
1267 #ifndef OPENSSL_NO_COMP
1268 COMP_CTX_free(rl->expand);
1269 #endif
1270
1271 OPENSSL_free(rl);
1272 }
1273
1274 int tls_free(OSSL_RECORD_LAYER *rl)
1275 {
1276 SSL3_BUFFER *rbuf;
1277 size_t left, written;
1278 int ret = 1;
1279
1280 rbuf = &rl->rbuf;
1281
1282 left = SSL3_BUFFER_get_left(rbuf);
1283 if (left > 0) {
1284 /*
1285 * This record layer is closing but we still have data left in our
1286 * buffer. It must be destined for the next epoch - so push it there.
1287 */
1288 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
1289 }
1290 tls_int_free(rl);
1291
1292 return ret;
1293 }
1294
1295
1296 int tls_reset(OSSL_RECORD_LAYER *rl)
1297 {
1298 memset(rl, 0, sizeof(*rl));
1299 return 1;
1300 }
1301
1302 int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
1303 {
1304 return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
1305 }
1306
1307 int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
1308 {
1309 return rl->curr_rec < rl->num_recs;
1310 }
1311
1312 size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
1313 {
1314 return 0;
1315 }
1316
1317 int tls_write_pending(OSSL_RECORD_LAYER *rl)
1318 {
1319 return 0;
1320 }
1321
1322 size_t tls_get_max_record_len(OSSL_RECORD_LAYER *rl)
1323 {
1324 return 0;
1325 }
1326
1327 size_t tls_get_max_records(OSSL_RECORD_LAYER *rl)
1328 {
1329 return 0;
1330 }
1331
1332 int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE **templates,
1333 size_t numtempl, size_t allowance, size_t *sent)
1334 {
1335 return 0;
1336 }
1337
1338 int tls_retry_write_records(OSSL_RECORD_LAYER *rl, size_t allowance,
1339 size_t *sent)
1340 {
1341 return 0;
1342 }
1343
1344
1345 int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
1346 {
1347 return rl->alert;
1348 }
1349
1350 int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
1351 {
1352 if (bio != NULL && !BIO_up_ref(bio))
1353 return 0;
1354 BIO_free(rl->bio);
1355 rl->bio = bio;
1356
1357 return 1;
1358 }
1359
1360 /* Shared by most methods except tlsany_meth */
1361 int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1362 {
1363 if (rl->version != version)
1364 return 0;
1365
1366 return 1;
1367 }
1368
1369 int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1370 {
1371 return rl->funcs->set_protocol_version(rl, version);
1372 }
1373
1374 void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
1375 {
1376 rl->allow_plain_alerts = allow;
1377 }
1378
1379 void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
1380 {
1381 rl->is_first_handshake = first;
1382 }
1383
1384 SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl)
1385 {
1386 return &rl->rbuf;
1387 }
1388
1389 unsigned char *tls_get0_packet(OSSL_RECORD_LAYER *rl)
1390 {
1391 return rl->packet;
1392 }
1393
1394 void tls_set0_packet(OSSL_RECORD_LAYER *rl, unsigned char *packet,
1395 size_t packetlen)
1396 {
1397 rl->packet = packet;
1398 rl->packet_length = packetlen;
1399 }
1400
1401 size_t tls_get_packet_length(OSSL_RECORD_LAYER *rl)
1402 {
1403 return rl->packet_length;
1404 }
1405
1406 const OSSL_RECORD_METHOD ossl_tls_record_method = {
1407 tls_new_record_layer,
1408 tls_free,
1409 tls_reset,
1410 tls_unprocessed_read_pending,
1411 tls_processed_read_pending,
1412 tls_app_data_pending,
1413 tls_write_pending,
1414 tls_get_max_record_len,
1415 tls_get_max_records,
1416 tls_write_records,
1417 tls_retry_write_records,
1418 tls_read_record,
1419 tls_release_record,
1420 tls_get_alert_code,
1421 tls_set1_bio,
1422 tls_set_protocol_version,
1423 tls_set_plain_alerts,
1424 tls_set_first_handshake,
1425
1426 /*
1427 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
1428 * during the record layer refactoring. They need to be removed before the
1429 * refactor is complete.
1430 */
1431 tls_default_read_n,
1432 tls_get0_rbuf,
1433 tls_get0_packet,
1434 tls_set0_packet,
1435 tls_get_packet_length,
1436 tls_reset_packet_length
1437 };
1438
1439 const OSSL_RECORD_METHOD ossl_dtls_record_method = {
1440 dtls_new_record_layer,
1441 tls_free,
1442 tls_reset,
1443 tls_unprocessed_read_pending,
1444 tls_processed_read_pending,
1445 tls_app_data_pending,
1446 tls_write_pending,
1447 tls_get_max_record_len,
1448 tls_get_max_records,
1449 tls_write_records,
1450 tls_retry_write_records,
1451 tls_read_record,
1452 tls_release_record,
1453 tls_get_alert_code,
1454 tls_set1_bio,
1455 tls_set_protocol_version,
1456 NULL,
1457 tls_set_first_handshake,
1458
1459 /*
1460 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
1461 * during the record layer refactoring. They need to be removed before the
1462 * refactor is complete.
1463 */
1464 tls_default_read_n,
1465 tls_get0_rbuf,
1466 tls_get0_packet,
1467 tls_set0_packet,
1468 tls_get_packet_length,
1469 tls_reset_packet_length
1470 };
A mirror of the official openssl repository