2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/bio.h>
11 #include <openssl/ssl.h>
12 #include <openssl/err.h>
13 #include <openssl/core_names.h>
14 #include "internal/e_os.h"
15 #include "internal/packet.h"
16 #include "../../ssl_local.h"
17 #include "../record_local.h"
18 #include "recmethod_local.h"
20 # define SSL_AD_NO_ALERT -1
22 static void tls_int_free(OSSL_RECORD_LAYER
*rl
);
24 void ossl_rlayer_fatal(OSSL_RECORD_LAYER
*rl
, int al
, int reason
,
30 ERR_vset_error(ERR_LIB_SSL
, reason
, fmt
, args
);
36 int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER
*rl
,
38 const EVP_CIPHER
*ciph
,
42 * Provided cipher, the TLS padding/MAC removal is performed provider
43 * side so we need to tell the ctx about our TLS version and mac size
45 OSSL_PARAM params
[3], *pprm
= params
;
49 if ((EVP_CIPHER_get_flags(ciph
) & EVP_CIPH_FLAG_AEAD_CIPHER
) == 0
51 imacsize
= EVP_MD_get_size(md
);
53 macsize
= (size_t)imacsize
;
55 *pprm
++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION
,
57 *pprm
++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE
,
59 *pprm
= OSSL_PARAM_construct_end();
61 if (!EVP_CIPHER_CTX_set_params(ctx
, params
)) {
62 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
70 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
71 * which ssl3_cbc_digest_record supports.
73 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX
*ctx
)
75 switch (EVP_MD_CTX_get_type(ctx
)) {
88 #ifndef OPENSSL_NO_COMP
89 static int rlayer_allow_compression(OSSL_RECORD_LAYER
*rl
)
91 if (rl
->options
& SSL_OP_NO_COMPRESSION
)
94 return rl
->security(rl
->cbarg
, SSL_SECOP_COMPRESSION
, 0, 0, NULL
);
98 static int rlayer_setup_read_buffer(OSSL_RECORD_LAYER
*rl
)
101 size_t len
, align
= 0, headerlen
;
107 headerlen
= DTLS1_RT_HEADER_LENGTH
;
109 headerlen
= SSL3_RT_HEADER_LENGTH
;
111 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
112 align
= (-SSL3_RT_HEADER_LENGTH
) & (SSL3_ALIGN_PAYLOAD
- 1);
115 if (b
->buf
== NULL
) {
116 len
= SSL3_RT_MAX_PLAIN_LENGTH
117 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD
+ headerlen
+ align
;
118 #ifndef OPENSSL_NO_COMP
119 if (rlayer_allow_compression(rl
))
120 len
+= SSL3_RT_MAX_COMPRESSED_OVERHEAD
;
122 if (b
->default_len
> len
)
123 len
= b
->default_len
;
124 if ((p
= OPENSSL_malloc(len
)) == NULL
) {
126 * We've got a malloc failure, and we're still initialising buffers.
127 * We assume we're so doomed that we won't even be able to send an
130 RLAYERfatal(rl
, SSL_AD_NO_ALERT
, ERR_R_MALLOC_FAILURE
);
140 static int rlayer_release_read_buffer(OSSL_RECORD_LAYER
*rl
)
145 if (rl
->options
& SSL_OP_CLEANSE_PLAINTEXT
)
146 OPENSSL_cleanse(b
->buf
, b
->len
);
147 OPENSSL_free(b
->buf
);
152 void tls_reset_packet_length(OSSL_RECORD_LAYER
*rl
)
154 rl
->packet_length
= 0;
158 * Return values are as per SSL_read()
160 int tls_default_read_n(OSSL_RECORD_LAYER
*rl
, size_t n
, size_t max
, int extend
,
161 int clearold
, size_t *readbytes
)
164 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
165 * packet by another n bytes. The packet will be in the sub-array of
166 * s->rlayer.rbuf.buf specified by s->rlayer.packet and
167 * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may
168 * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].)
169 * if clearold == 1, move the packet to the start of the buffer; if
170 * clearold == 0 then leave any old packets where they were
172 size_t len
, left
, align
= 0;
177 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
181 * TODO(RECLAYER): Once this function is only called from inside the rlayer
182 * directly, we can probably remove this since it is initialised in
183 * tls_get_more_records
185 if (rb
->buf
== NULL
) {
186 if (!rlayer_setup_read_buffer(rl
)) {
187 /* RLAYERfatal() already called */
188 return OSSL_RECORD_RETURN_FATAL
;
193 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
194 align
= (size_t)rb
->buf
+ SSL3_RT_HEADER_LENGTH
;
195 align
= SSL3_ALIGN_PAYLOAD
- 1 - ((align
- 1) % SSL3_ALIGN_PAYLOAD
);
199 /* start with empty packet ... */
202 } else if (align
!= 0 && left
>= SSL3_RT_HEADER_LENGTH
) {
204 * check if next packet length is large enough to justify payload
207 pkt
= rb
->buf
+ rb
->offset
;
208 if (pkt
[0] == SSL3_RT_APPLICATION_DATA
209 && (pkt
[3] << 8 | pkt
[4]) >= 128) {
211 * Note that even if packet is corrupted and its length field
212 * is insane, we can only be led to wrong decision about
213 * whether memmove will occur or not. Header values has no
214 * effect on memmove arguments and therefore no buffer
215 * overrun can be triggered.
217 memmove(rb
->buf
+ align
, pkt
, left
);
221 rl
->packet
= rb
->buf
+ rb
->offset
;
222 rl
->packet_length
= 0;
223 /* ... now we can act as if 'extend' was set */
226 len
= rl
->packet_length
;
227 pkt
= rb
->buf
+ align
;
229 * Move any available bytes to front of buffer: 'len' bytes already
230 * pointed to by 'packet', 'left' extra ones at the end
232 if (rl
->packet
!= pkt
&& clearold
== 1) {
233 memmove(pkt
, rl
->packet
, len
+ left
);
235 rb
->offset
= len
+ align
;
239 * For DTLS/UDP reads should not span multiple packets because the read
240 * operation returns the whole packet at once (as long as it fits into
244 if (left
== 0 && extend
)
246 if (left
> 0 && n
> left
)
250 /* if there is enough in the buffer from a previous read, take some */
252 rl
->packet_length
+= n
;
256 return OSSL_RECORD_RETURN_SUCCESS
;
259 /* else we need to read more data */
261 if (n
> rb
->len
- rb
->offset
) {
262 /* does not happen */
263 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
264 return OSSL_RECORD_RETURN_FATAL
;
267 /* We always act like read_ahead is set for DTLS */
268 if (!rl
->read_ahead
&& !rl
->isdtls
) {
269 /* ignore max parameter */
274 if (max
> rb
->len
- rb
->offset
)
275 max
= rb
->len
- rb
->offset
;
281 BIO
*bio
= rl
->prev
!= NULL
? rl
->prev
: rl
->bio
;
284 * Now we have len+left bytes at the front of s->s3.rbuf.buf and
285 * need to read in more until we have len+n (up to len+max if
291 ret
= BIO_read(bio
, pkt
+ len
+ left
, max
- left
);
294 ret
= OSSL_RECORD_RETURN_SUCCESS
;
295 } else if (BIO_should_retry(bio
)) {
296 if (rl
->prev
!= NULL
) {
298 * We were reading from the previous epoch. Now there is no
299 * more data, so swap to the actual transport BIO
305 ret
= OSSL_RECORD_RETURN_RETRY
;
306 } else if (BIO_eof(bio
)) {
307 ret
= OSSL_RECORD_RETURN_EOF
;
309 ret
= OSSL_RECORD_RETURN_FATAL
;
312 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_READ_BIO_NOT_SET
);
313 ret
= OSSL_RECORD_RETURN_FATAL
;
316 if (ret
<= OSSL_RECORD_RETURN_RETRY
) {
318 if (rl
->mode
& SSL_MODE_RELEASE_BUFFERS
&& !rl
->isdtls
)
320 rlayer_release_read_buffer(rl
);
325 * reads should *never* span multiple packets for DTLS because the
326 * underlying transport protocol is message oriented as opposed to
327 * byte oriented as in the TLS case.
331 n
= left
; /* makes the while condition false */
335 /* done reading, now the book-keeping */
338 rl
->packet_length
+= n
;
340 return OSSL_RECORD_RETURN_SUCCESS
;
344 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
345 * for us in the buffer.
347 static int tls_record_app_data_waiting(OSSL_RECORD_LAYER
*rl
)
355 p
= SSL3_BUFFER_get_buf(rbuf
);
359 left
= SSL3_BUFFER_get_left(rbuf
);
361 if (left
< SSL3_RT_HEADER_LENGTH
)
364 p
+= SSL3_BUFFER_get_offset(rbuf
);
367 * We only check the type and record length, we will sanity check version
370 if (*p
!= SSL3_RT_APPLICATION_DATA
)
376 if (left
< SSL3_RT_HEADER_LENGTH
+ len
)
382 static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER
*rl
, size_t length
,
383 size_t overhead
, int send
)
385 uint32_t max_early_data
= rl
->max_early_data
;
387 if (max_early_data
== 0) {
388 RLAYERfatal(rl
, send
? SSL_AD_INTERNAL_ERROR
: SSL_AD_UNEXPECTED_MESSAGE
,
389 SSL_R_TOO_MUCH_EARLY_DATA
);
393 /* If we are dealing with ciphertext we need to allow for the overhead */
394 max_early_data
+= overhead
;
396 if (rl
->early_data_count
+ length
> max_early_data
) {
397 RLAYERfatal(rl
, send
? SSL_AD_INTERNAL_ERROR
: SSL_AD_UNEXPECTED_MESSAGE
,
398 SSL_R_TOO_MUCH_EARLY_DATA
);
401 rl
->early_data_count
+= length
;
407 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
408 * will be processed per call to ssl3_get_record. Without this limit an
409 * attacker could send empty records at a faster rate than we can process and
410 * cause ssl3_get_record to loop forever.
412 #define MAX_EMPTY_RECORDS 32
414 #define SSL2_RT_HEADER_LENGTH 2
417 * Call this to buffer new input records in rl->rrec.
418 * It will return a OSSL_RECORD_RETURN_* value.
419 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
420 * records have been decoded. For each record 'i':
421 * rrec[i].type - is the type of record
422 * rrec[i].data, - data
423 * rrec[i].length, - number of bytes
424 * Multiple records will only be returned if the record types are all
425 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
428 static int tls_get_more_records(OSSL_RECORD_LAYER
*rl
,
429 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION
*s
)
434 SSL3_RECORD
*rr
, *thisrr
;
437 unsigned char md
[EVP_MAX_MD_SIZE
];
438 unsigned int version
;
441 size_t num_recs
= 0, max_recs
, j
;
442 PACKET pkt
, sslv2pkt
;
443 SSL_MAC_BUF
*macbufs
= NULL
;
444 int ret
= OSSL_RECORD_RETURN_FATAL
;
448 if (rbuf
->buf
== NULL
) {
449 if (!rlayer_setup_read_buffer(rl
)) {
450 /* RLAYERfatal() already called */
451 return OSSL_RECORD_RETURN_FATAL
;
455 max_recs
= s
->max_pipelines
;
460 thisrr
= &rr
[num_recs
];
462 /* check if we have the header */
463 if ((rl
->rstate
!= SSL_ST_READ_BODY
) ||
464 (rl
->packet_length
< SSL3_RT_HEADER_LENGTH
)) {
468 rret
= rl
->funcs
->read_n(rl
, SSL3_RT_HEADER_LENGTH
,
469 SSL3_BUFFER_get_len(rbuf
), 0,
470 num_recs
== 0 ? 1 : 0, &n
);
472 if (rret
< OSSL_RECORD_RETURN_SUCCESS
)
473 return rret
; /* error or non-blocking */
475 rl
->rstate
= SSL_ST_READ_BODY
;
478 if (!PACKET_buf_init(&pkt
, p
, rl
->packet_length
)) {
479 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
480 return OSSL_RECORD_RETURN_FATAL
;
483 if (!PACKET_get_net_2_len(&sslv2pkt
, &sslv2len
)
484 || !PACKET_get_1(&sslv2pkt
, &type
)) {
485 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, ERR_R_INTERNAL_ERROR
);
486 return OSSL_RECORD_RETURN_FATAL
;
489 * The first record received by the server may be a V2ClientHello.
491 if (rl
->role
== OSSL_RECORD_ROLE_SERVER
492 && rl
->is_first_record
493 && (sslv2len
& 0x8000) != 0
494 && (type
== SSL2_MT_CLIENT_HELLO
)) {
498 * |num_recs| here will actually always be 0 because
499 * |num_recs > 0| only ever occurs when we are processing
500 * multiple app data records - which we know isn't the case here
501 * because it is an SSLv2ClientHello. We keep it using
502 * |num_recs| for the sake of consistency
504 thisrr
->type
= SSL3_RT_HANDSHAKE
;
505 thisrr
->rec_version
= SSL2_VERSION
;
507 thisrr
->length
= sslv2len
& 0x7fff;
509 if (thisrr
->length
> SSL3_BUFFER_get_len(rbuf
)
510 - SSL2_RT_HEADER_LENGTH
) {
511 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
512 SSL_R_PACKET_LENGTH_TOO_LONG
);
513 return OSSL_RECORD_RETURN_FATAL
;
516 /* SSLv3+ style record */
518 /* Pull apart the header into the SSL3_RECORD */
519 if (!PACKET_get_1(&pkt
, &type
)
520 || !PACKET_get_net_2(&pkt
, &version
)
521 || !PACKET_get_net_2_len(&pkt
, &thisrr
->length
)) {
522 rl
->msg_callback(0, 0, SSL3_RT_HEADER
, p
, 5, rl
->cbarg
);
523 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, ERR_R_INTERNAL_ERROR
);
524 return OSSL_RECORD_RETURN_FATAL
;
527 thisrr
->rec_version
= version
;
530 * When we call validate_record_header() only records actually
531 * received in SSLv2 format should have the record version set
532 * to SSL2_VERSION. This way validate_record_header() can know
533 * what format the record was in based on the version.
535 if (thisrr
->rec_version
== SSL2_VERSION
) {
536 RLAYERfatal(rl
, SSL_AD_PROTOCOL_VERSION
,
537 SSL_R_WRONG_VERSION_NUMBER
);
538 return OSSL_RECORD_RETURN_FATAL
;
541 rl
->msg_callback(0, version
, SSL3_RT_HEADER
, p
, 5, rl
->cbarg
);
544 SSL3_BUFFER_get_len(rbuf
) - SSL3_RT_HEADER_LENGTH
) {
545 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
546 SSL_R_PACKET_LENGTH_TOO_LONG
);
547 return OSSL_RECORD_RETURN_FATAL
;
551 if (!rl
->funcs
->validate_record_header(rl
, thisrr
)) {
552 /* RLAYERfatal already called */
553 return OSSL_RECORD_RETURN_FATAL
;
556 /* now rl->rstate == SSL_ST_READ_BODY */
560 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
561 * how much more data we need to read for the rest of the record
563 if (thisrr
->rec_version
== SSL2_VERSION
) {
564 more
= thisrr
->length
+ SSL2_RT_HEADER_LENGTH
565 - SSL3_RT_HEADER_LENGTH
;
567 more
= thisrr
->length
;
571 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
573 rret
= rl
->funcs
->read_n(rl
, more
, more
, 1, 0, &n
);
574 if (rret
< OSSL_RECORD_RETURN_SUCCESS
)
575 return rret
; /* error or non-blocking io */
578 /* set state for later operations */
579 rl
->rstate
= SSL_ST_READ_HEADER
;
582 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
583 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
584 * + thisrr->length and we have that many bytes in rl->packet
586 if (thisrr
->rec_version
== SSL2_VERSION
)
587 thisrr
->input
= &(rl
->packet
[SSL2_RT_HEADER_LENGTH
]);
589 thisrr
->input
= &(rl
->packet
[SSL3_RT_HEADER_LENGTH
]);
592 * ok, we can now read from 'rl->packet' data into 'thisrr'.
593 * thisrr->input points at thisrr->length bytes, which need to be copied
594 * into thisrr->data by either the decryption or by the decompression.
595 * When the data is 'copied' into the thisrr->data buffer,
596 * thisrr->input will be updated to point at the new buffer
600 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
601 * thisrr->length bytes of encrypted compressed stuff.
604 /* decrypt in place in 'thisrr->input' */
605 thisrr
->data
= thisrr
->input
;
606 thisrr
->orig_len
= thisrr
->length
;
608 /* Mark this record as not read by upper layers yet */
613 /* we have pulled in a full packet so zero things */
614 tls_reset_packet_length(rl
);
615 rl
->is_first_record
= 0;
616 } while (num_recs
< max_recs
617 && thisrr
->type
== SSL3_RT_APPLICATION_DATA
618 && RLAYER_USE_EXPLICIT_IV(rl
)
619 && rl
->enc_ctx
!= NULL
620 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl
->enc_ctx
))
621 & EVP_CIPH_FLAG_PIPELINE
) != 0
622 && tls_record_app_data_waiting(rl
));
625 && thisrr
->type
== SSL3_RT_CHANGE_CIPHER_SPEC
626 /* The following can happen in tlsany_meth after HRR */
627 && rl
->version
== TLS1_3_VERSION
628 && rl
->is_first_handshake
) {
630 * CCS messages must be exactly 1 byte long, containing the value 0x01
632 if (thisrr
->length
!= 1 || thisrr
->data
[0] != 0x01) {
633 RLAYERfatal(rl
, SSL_AD_ILLEGAL_PARAMETER
,
634 SSL_R_INVALID_CCS_MESSAGE
);
635 return OSSL_RECORD_RETURN_FATAL
;
638 * CCS messages are ignored in TLSv1.3. We treat it like an empty
641 thisrr
->type
= SSL3_RT_HANDSHAKE
;
642 if (++(rl
->empty_record_count
) > MAX_EMPTY_RECORDS
) {
643 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
,
644 SSL_R_UNEXPECTED_CCS_MESSAGE
);
645 return OSSL_RECORD_RETURN_FATAL
;
650 rl
->num_released
= 0;
652 return OSSL_RECORD_RETURN_SUCCESS
;
655 if (rl
->md_ctx
!= NULL
) {
656 const EVP_MD
*tmpmd
= EVP_MD_CTX_get0_md(rl
->md_ctx
);
659 imac_size
= EVP_MD_get_size(tmpmd
);
660 if (!ossl_assert(imac_size
>= 0 && imac_size
<= EVP_MAX_MD_SIZE
)) {
661 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
662 return OSSL_RECORD_RETURN_FATAL
;
664 mac_size
= (size_t)imac_size
;
669 * If in encrypt-then-mac mode calculate mac from encrypted record. All
670 * the details below are public so no timing details can leak.
672 if (rl
->use_etm
&& rl
->md_ctx
) {
675 for (j
= 0; j
< num_recs
; j
++) {
678 if (thisrr
->length
< mac_size
) {
679 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_TOO_SHORT
);
680 return OSSL_RECORD_RETURN_FATAL
;
682 thisrr
->length
-= mac_size
;
683 mac
= thisrr
->data
+ thisrr
->length
;
684 i
= rl
->funcs
->mac(rl
, thisrr
, md
, 0 /* not send */, s
);
685 if (i
== 0 || CRYPTO_memcmp(md
, mac
, mac_size
) != 0) {
686 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
687 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
688 return OSSL_RECORD_RETURN_FATAL
;
692 * We've handled the mac now - there is no MAC inside the encrypted
699 macbufs
= OPENSSL_zalloc(sizeof(*macbufs
) * num_recs
);
700 if (macbufs
== NULL
) {
701 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_MALLOC_FAILURE
);
702 return OSSL_RECORD_RETURN_FATAL
;
707 * TODO(RECLAYER): Only call rl functions once TLSv1.3/SSLv3 is moved to new
710 enc_err
= rl
->funcs
->cipher(rl
, rr
, num_recs
, 0, macbufs
, mac_size
, s
);
714 * 0: if the record is publicly invalid, or an internal error, or AEAD
715 * decryption failed, or ETM decryption failed.
716 * 1: Success or MTE decryption failed (MAC will be randomised)
719 if (rl
->alert
!= 0) {
720 /* RLAYERfatal() already got called */
723 if (num_recs
== 1 && rl
->skip_early_data(rl
->cbarg
)) {
725 * Valid early_data that we cannot decrypt will fail here. We treat
726 * it like an empty record.
731 if (!rlayer_early_data_count_ok(rl
, thisrr
->length
,
732 EARLY_DATA_CIPHERTEXT_OVERHEAD
, 0)) {
733 /* RLAYERfatal() already called */
741 rl
->num_released
= 0;
742 /* Reset the read sequence */
743 memset(rl
->sequence
, 0, sizeof(rl
->sequence
));
747 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
748 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
751 OSSL_TRACE_BEGIN(TLS
) {
752 BIO_printf(trc_out
, "dec %lu\n", (unsigned long)rr
[0].length
);
753 BIO_dump_indent(trc_out
, rr
[0].data
, rr
[0].length
, 4);
754 } OSSL_TRACE_END(TLS
);
756 /* r->length is now the compressed data plus mac */
757 if (rl
->enc_ctx
!= NULL
759 && EVP_MD_CTX_get0_md(rl
->md_ctx
) != NULL
) {
760 /* rl->md_ctx != NULL => mac_size != -1 */
762 for (j
= 0; j
< num_recs
; j
++) {
763 SSL_MAC_BUF
*thismb
= &macbufs
[j
];
766 i
= rl
->funcs
->mac(rl
, thisrr
, md
, 0 /* not send */, s
);
767 if (i
== 0 || thismb
== NULL
|| thismb
->mac
== NULL
768 || CRYPTO_memcmp(md
, thismb
->mac
, (size_t)mac_size
) != 0)
770 if (thisrr
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
+ mac_size
)
776 if (rl
->alert
!= 0) {
777 /* We already called RLAYERfatal() */
781 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
782 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
783 * failure is directly visible from the ciphertext anyway, we should
784 * not reveal which kind of error occurred -- this might become
785 * visible to an attacker (e.g. via a logfile)
787 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
788 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
792 for (j
= 0; j
< num_recs
; j
++) {
795 if (!rl
->funcs
->post_process_record(rl
, thisrr
, s
)) {
796 /* RLAYERfatal already called */
801 * Check if the received packet overflows the current
802 * Max Fragment Length setting.
803 * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
805 if (rl
->max_frag_len
> 0 && thisrr
->length
> rl
->max_frag_len
) {
806 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
812 * So at this point the following is true
813 * thisrr->type is the type of record
814 * thisrr->length == number of bytes in record
815 * thisrr->off == offset to first valid byte
816 * thisrr->data == where to take bytes from, increment after use :-).
819 /* just read a 0 length packet */
820 if (thisrr
->length
== 0) {
821 if (++(rl
->empty_record_count
) > MAX_EMPTY_RECORDS
) {
822 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_RECORD_TOO_SMALL
);
826 rl
->empty_record_count
= 0;
830 if (rl
->level
== OSSL_RECORD_PROTECTION_LEVEL_EARLY
) {
832 if (thisrr
->type
== SSL3_RT_APPLICATION_DATA
833 && !rlayer_early_data_count_ok(rl
, thisrr
->length
, 0, 0)) {
834 /* RLAYERfatal already called */
839 rl
->num_recs
= num_recs
;
841 rl
->num_released
= 0;
842 ret
= OSSL_RECORD_RETURN_SUCCESS
;
844 if (macbufs
!= NULL
) {
845 for (j
= 0; j
< num_recs
; j
++) {
846 if (macbufs
[j
].alloced
)
847 OPENSSL_free(macbufs
[j
].mac
);
849 OPENSSL_free(macbufs
);
854 /* Shared by ssl3_meth and tls1_meth */
855 int tls_default_validate_record_header(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
857 size_t len
= SSL3_RT_MAX_ENCRYPTED_LENGTH
;
859 if (rec
->rec_version
!= rl
->version
) {
860 RLAYERfatal(rl
, SSL_AD_PROTOCOL_VERSION
, SSL_R_WRONG_VERSION_NUMBER
);
864 #ifndef OPENSSL_NO_COMP
866 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
867 * does not include the compression overhead anyway.
869 if (rl
->expand
== NULL
)
870 len
-= SSL3_RT_MAX_COMPRESSED_OVERHEAD
;
873 if (rec
->length
> len
) {
874 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
875 SSL_R_ENCRYPTED_LENGTH_TOO_LONG
);
882 static int tls_do_uncompress(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
884 #ifndef OPENSSL_NO_COMP
887 if (rec
->comp
== NULL
) {
888 rec
->comp
= (unsigned char *)
889 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH
);
891 if (rec
->comp
== NULL
)
894 i
= COMP_expand_block(rl
->expand
, rec
->comp
,
895 SSL3_RT_MAX_PLAIN_LENGTH
, rec
->data
, (int)rec
->length
);
900 rec
->data
= rec
->comp
;
907 /* Shared by tlsany_meth, ssl3_meth and tls1_meth */
908 int tls_default_post_process_record(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
, SSL_CONNECTION
*s
)
910 if (rl
->expand
!= NULL
) {
911 if (rec
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
) {
912 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
913 SSL_R_COMPRESSED_LENGTH_TOO_LONG
);
916 if (!tls_do_uncompress(rl
, rec
)) {
917 RLAYERfatal(rl
, SSL_AD_DECOMPRESSION_FAILURE
,
918 SSL_R_BAD_DECOMPRESSION
);
923 if (rec
->length
> SSL3_RT_MAX_PLAIN_LENGTH
) {
924 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
931 /* Shared by tls13_meth and ktls_meth */
932 int tls13_common_post_process_record(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
,
935 if (rec
->type
!= SSL3_RT_APPLICATION_DATA
936 && rec
->type
!= SSL3_RT_ALERT
937 && rec
->type
!= SSL3_RT_HANDSHAKE
) {
938 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_BAD_RECORD_TYPE
);
942 rl
->msg_callback(0, rl
->version
, SSL3_RT_INNER_CONTENT_TYPE
, &rec
->type
,
946 * TLSv1.3 alert and handshake records are required to be non-zero in
949 if ((rec
->type
== SSL3_RT_HANDSHAKE
950 || rec
->type
== SSL3_RT_ALERT
)
951 && rec
->length
== 0) {
952 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_BAD_LENGTH
);
959 int tls_read_record(OSSL_RECORD_LAYER
*rl
, void **rechandle
, int *rversion
,
960 int *type
, unsigned char **data
, size_t *datalen
,
961 uint16_t *epoch
, unsigned char *seq_num
,
962 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION
*s
)
967 * tls_get_more_records() can return success without actually reading
968 * anything useful (i.e. if empty records are read). We loop here until
969 * we have something useful. tls_get_more_records() will eventually fail if
970 * too many sequential empty records are read.
972 while (rl
->curr_rec
>= rl
->num_recs
) {
975 if (rl
->num_released
!= rl
->num_recs
) {
976 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_RECORDS_NOT_RELEASED
);
977 return OSSL_RECORD_RETURN_FATAL
;
980 ret
= tls_get_more_records(rl
, s
);
982 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
987 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
988 * points to the next one to read.
990 rec
= &rl
->rrec
[rl
->curr_rec
++];
993 *rversion
= rec
->rec_version
;
996 *datalen
= rec
->length
;
998 return OSSL_RECORD_RETURN_SUCCESS
;
1001 int tls_release_record(OSSL_RECORD_LAYER
*rl
, void *rechandle
)
1003 if (!ossl_assert(rl
->num_released
< rl
->curr_rec
)
1004 || !ossl_assert(rechandle
== &rl
->rrec
[rl
->num_released
])) {
1005 /* Should not happen */
1006 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_INVALID_RECORD
);
1007 return OSSL_RECORD_RETURN_FATAL
;
1012 return OSSL_RECORD_RETURN_SUCCESS
;
1016 tls_int_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
1017 int role
, int direction
, int level
, unsigned char *key
,
1018 size_t keylen
, unsigned char *iv
, size_t ivlen
,
1019 unsigned char *mackey
, size_t mackeylen
,
1020 const EVP_CIPHER
*ciph
, size_t taglen
,
1021 /* TODO(RECLAYER): This probably should not be an int */
1023 const EVP_MD
*md
, const SSL_COMP
*comp
, BIO
*prev
,
1024 BIO
*transport
, BIO
*next
, BIO_ADDR
*local
,
1025 BIO_ADDR
*peer
, const OSSL_PARAM
*settings
,
1026 const OSSL_PARAM
*options
,
1027 const OSSL_DISPATCH
*fns
, void *cbarg
,
1028 OSSL_RECORD_LAYER
**retrl
,
1029 /* TODO(RECLAYER): Remove me */
1032 OSSL_RECORD_LAYER
*rl
= OPENSSL_zalloc(sizeof(*rl
));
1033 const OSSL_PARAM
*p
;
1038 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_MALLOC_FAILURE
);
1039 return OSSL_RECORD_RETURN_FATAL
;
1043 * TODO(RECLAYER): Need to handle the case where the params are updated
1044 * after the record layer has been created.
1046 p
= OSSL_PARAM_locate_const(options
, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS
);
1047 if (p
!= NULL
&& !OSSL_PARAM_get_uint64(p
, &rl
->options
)) {
1048 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_FAILED_TO_GET_PARAMETER
);
1052 p
= OSSL_PARAM_locate_const(options
, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE
);
1053 if (p
!= NULL
&& !OSSL_PARAM_get_uint32(p
, &rl
->mode
)) {
1054 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_FAILED_TO_GET_PARAMETER
);
1058 /* Loop through all the settings since they must all be understood */
1059 for (p
= settings
; p
->key
!= NULL
; p
++) {
1060 if (strcmp(p
->key
, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM
) == 0) {
1061 if (!OSSL_PARAM_get_int(p
, &rl
->use_etm
)) {
1062 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_FAILED_TO_GET_PARAMETER
);
1065 } else if (strcmp(p
->key
, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN
) == 0) {
1066 if (!OSSL_PARAM_get_uint(p
, &rl
->max_frag_len
)) {
1067 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_FAILED_TO_GET_PARAMETER
);
1070 } else if (strcmp(p
->key
, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA
) == 0) {
1071 if (!OSSL_PARAM_get_uint32(p
, &rl
->max_early_data
)) {
1072 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_FAILED_TO_GET_PARAMETER
);
1076 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_UNKNOWN_MANDATORY_PARAMETER
);
1082 if (level
== OSSL_RECORD_PROTECTION_LEVEL_APPLICATION
) {
1084 * We ignore any read_ahead setting prior to the application protection
1085 * level. Otherwise we may read ahead data in a lower protection level
1086 * that is destined for a higher protection level. To simplify the logic
1087 * we don't support that at this stage.
1090 * TODO(RECLAYER): Handle the case of read_ahead at the application
1091 * level and a key update/reneg occurs.
1093 p
= OSSL_PARAM_locate_const(options
, OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD
);
1094 if (p
!= NULL
&& !OSSL_PARAM_get_int(p
, &rl
->read_ahead
)) {
1095 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_FAILED_TO_GET_PARAMETER
);
1100 rl
->libctx
= libctx
;
1105 rl
->direction
= direction
;
1108 if (level
== OSSL_RECORD_PROTECTION_LEVEL_NONE
)
1109 rl
->is_first_record
= 1;
1111 if (!tls_set1_bio(rl
, transport
))
1114 if (prev
!= NULL
&& !BIO_up_ref(prev
))
1118 if (next
!= NULL
&& !BIO_up_ref(next
))
1123 for (; fns
->function_id
!= 0; fns
++) {
1124 switch (fns
->function_id
) {
1125 case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA
:
1126 rl
->skip_early_data
= OSSL_FUNC_rlayer_skip_early_data(fns
);
1128 case OSSL_FUNC_RLAYER_MSG_CALLBACK
:
1129 rl
->msg_callback
= OSSL_FUNC_rlayer_msg_callback(fns
);
1131 case OSSL_FUNC_RLAYER_SECURITY
:
1132 rl
->security
= OSSL_FUNC_rlayer_security(fns
);
1135 /* Just ignore anything we don't understand */
1141 return OSSL_RECORD_RETURN_SUCCESS
;
1144 return OSSL_RECORD_RETURN_FATAL
;
1148 tls_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
1149 int role
, int direction
, int level
, unsigned char *key
,
1150 size_t keylen
, unsigned char *iv
, size_t ivlen
,
1151 unsigned char *mackey
, size_t mackeylen
,
1152 const EVP_CIPHER
*ciph
, size_t taglen
,
1153 /* TODO(RECLAYER): This probably should not be an int */
1155 const EVP_MD
*md
, const SSL_COMP
*comp
, BIO
*prev
,
1156 BIO
*transport
, BIO
*next
, BIO_ADDR
*local
, BIO_ADDR
*peer
,
1157 const OSSL_PARAM
*settings
, const OSSL_PARAM
*options
,
1158 const OSSL_DISPATCH
*fns
, void *cbarg
,
1159 OSSL_RECORD_LAYER
**retrl
,
1160 /* TODO(RECLAYER): Remove me */
1165 ret
= tls_int_new_record_layer(libctx
, propq
, vers
, role
, direction
, level
,
1166 key
, keylen
, iv
, ivlen
, mackey
, mackeylen
,
1167 ciph
, taglen
, mactype
, md
, comp
, prev
,
1168 transport
, next
, local
, peer
, settings
,
1169 options
, fns
, cbarg
, retrl
, s
);
1171 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
1175 case TLS_ANY_VERSION
:
1176 (*retrl
)->funcs
= &tls_any_funcs
;
1178 case TLS1_3_VERSION
:
1179 (*retrl
)->funcs
= &tls_1_3_funcs
;
1181 case TLS1_2_VERSION
:
1182 case TLS1_1_VERSION
:
1184 (*retrl
)->funcs
= &tls_1_funcs
;
1187 (*retrl
)->funcs
= &ssl_3_0_funcs
;
1190 /* Should not happen */
1191 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
1192 ret
= OSSL_RECORD_RETURN_FATAL
;
1196 ret
= (*retrl
)->funcs
->set_crypto_state(*retrl
, level
, key
, keylen
, iv
,
1197 ivlen
, mackey
, mackeylen
, ciph
,
1198 taglen
, mactype
, md
, comp
, s
);
1201 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
) {
1202 OPENSSL_free(*retrl
);
1208 /* TODO(RECLAYER): Temporary funcs */
1209 static int dtls_set_protocol_version(OSSL_RECORD_LAYER
*rl
, int version
)
1211 rl
->version
= version
;
1214 static struct record_functions_st dtls_funcs
= {
1219 dtls_set_protocol_version
,
1224 dtls_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
1225 int role
, int direction
, int level
, unsigned char *key
,
1226 size_t keylen
, unsigned char *iv
, size_t ivlen
,
1227 unsigned char *mackey
, size_t mackeylen
,
1228 const EVP_CIPHER
*ciph
, size_t taglen
,
1229 /* TODO(RECLAYER): This probably should not be an int */
1231 const EVP_MD
*md
, const SSL_COMP
*comp
, BIO
*prev
,
1232 BIO
*transport
, BIO
*next
, BIO_ADDR
*local
, BIO_ADDR
*peer
,
1233 const OSSL_PARAM
*settings
, const OSSL_PARAM
*options
,
1234 const OSSL_DISPATCH
*fns
, void *cbarg
,
1235 OSSL_RECORD_LAYER
**retrl
,
1236 /* TODO(RECLAYER): Remove me */
1242 ret
= tls_int_new_record_layer(libctx
, propq
, vers
, role
, direction
, level
,
1243 key
, keylen
, iv
, ivlen
, mackey
, mackeylen
,
1244 ciph
, taglen
, mactype
, md
, comp
, prev
,
1245 transport
, next
, local
, peer
, settings
,
1246 options
, fns
, cbarg
, retrl
, s
);
1248 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
1251 (*retrl
)->isdtls
= 1;
1252 (*retrl
)->funcs
= &dtls_funcs
;
1254 return OSSL_RECORD_RETURN_SUCCESS
;
1257 static void tls_int_free(OSSL_RECORD_LAYER
*rl
)
1259 /* TODO(RECLAYER): Cleanse sensitive fields */
1263 SSL3_BUFFER_release(&rl
->rbuf
);
1265 EVP_CIPHER_CTX_free(rl
->enc_ctx
);
1266 EVP_MD_CTX_free(rl
->md_ctx
);
1267 #ifndef OPENSSL_NO_COMP
1268 COMP_CTX_free(rl
->expand
);
1274 int tls_free(OSSL_RECORD_LAYER
*rl
)
1277 size_t left
, written
;
1282 left
= SSL3_BUFFER_get_left(rbuf
);
1285 * This record layer is closing but we still have data left in our
1286 * buffer. It must be destined for the next epoch - so push it there.
1288 ret
= BIO_write_ex(rl
->next
, rbuf
->buf
+ rbuf
->offset
, left
, &written
);
1296 int tls_reset(OSSL_RECORD_LAYER
*rl
)
1298 memset(rl
, 0, sizeof(*rl
));
1302 int tls_unprocessed_read_pending(OSSL_RECORD_LAYER
*rl
)
1304 return SSL3_BUFFER_get_left(&rl
->rbuf
) != 0;
1307 int tls_processed_read_pending(OSSL_RECORD_LAYER
*rl
)
1309 return rl
->curr_rec
< rl
->num_recs
;
1312 size_t tls_app_data_pending(OSSL_RECORD_LAYER
*rl
)
1317 int tls_write_pending(OSSL_RECORD_LAYER
*rl
)
1322 size_t tls_get_max_record_len(OSSL_RECORD_LAYER
*rl
)
1327 size_t tls_get_max_records(OSSL_RECORD_LAYER
*rl
)
1332 int tls_write_records(OSSL_RECORD_LAYER
*rl
, OSSL_RECORD_TEMPLATE
**templates
,
1333 size_t numtempl
, size_t allowance
, size_t *sent
)
1338 int tls_retry_write_records(OSSL_RECORD_LAYER
*rl
, size_t allowance
,
1345 int tls_get_alert_code(OSSL_RECORD_LAYER
*rl
)
1350 int tls_set1_bio(OSSL_RECORD_LAYER
*rl
, BIO
*bio
)
1352 if (bio
!= NULL
&& !BIO_up_ref(bio
))
1360 /* Shared by most methods except tlsany_meth */
1361 int tls_default_set_protocol_version(OSSL_RECORD_LAYER
*rl
, int version
)
1363 if (rl
->version
!= version
)
1369 int tls_set_protocol_version(OSSL_RECORD_LAYER
*rl
, int version
)
1371 return rl
->funcs
->set_protocol_version(rl
, version
);
1374 void tls_set_plain_alerts(OSSL_RECORD_LAYER
*rl
, int allow
)
1376 rl
->allow_plain_alerts
= allow
;
1379 void tls_set_first_handshake(OSSL_RECORD_LAYER
*rl
, int first
)
1381 rl
->is_first_handshake
= first
;
1384 SSL3_BUFFER
*tls_get0_rbuf(OSSL_RECORD_LAYER
*rl
)
1389 unsigned char *tls_get0_packet(OSSL_RECORD_LAYER
*rl
)
1394 void tls_set0_packet(OSSL_RECORD_LAYER
*rl
, unsigned char *packet
,
1397 rl
->packet
= packet
;
1398 rl
->packet_length
= packetlen
;
1401 size_t tls_get_packet_length(OSSL_RECORD_LAYER
*rl
)
1403 return rl
->packet_length
;
1406 const OSSL_RECORD_METHOD ossl_tls_record_method
= {
1407 tls_new_record_layer
,
1410 tls_unprocessed_read_pending
,
1411 tls_processed_read_pending
,
1412 tls_app_data_pending
,
1414 tls_get_max_record_len
,
1415 tls_get_max_records
,
1417 tls_retry_write_records
,
1422 tls_set_protocol_version
,
1423 tls_set_plain_alerts
,
1424 tls_set_first_handshake
,
1427 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
1428 * during the record layer refactoring. They need to be removed before the
1429 * refactor is complete.
1435 tls_get_packet_length
,
1436 tls_reset_packet_length
1439 const OSSL_RECORD_METHOD ossl_dtls_record_method
= {
1440 dtls_new_record_layer
,
1443 tls_unprocessed_read_pending
,
1444 tls_processed_read_pending
,
1445 tls_app_data_pending
,
1447 tls_get_max_record_len
,
1448 tls_get_max_records
,
1450 tls_retry_write_records
,
1455 tls_set_protocol_version
,
1457 tls_set_first_handshake
,
1460 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
1461 * during the record layer refactoring. They need to be removed before the
1462 * refactor is complete.
1468 tls_get_packet_length
,
1469 tls_reset_packet_length