2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/bio.h>
12 #include <openssl/ssl.h>
13 #include <openssl/err.h>
14 #include <openssl/core_names.h>
15 #include <openssl/comp.h>
16 #include <openssl/ssl.h>
17 #include "internal/e_os.h"
18 #include "internal/packet.h"
19 #include "../../ssl_local.h"
20 #include "../record_local.h"
21 #include "recmethod_local.h"
23 static void tls_int_free(OSSL_RECORD_LAYER
*rl
);
25 void ossl_rlayer_fatal(OSSL_RECORD_LAYER
*rl
, int al
, int reason
,
31 ERR_vset_error(ERR_LIB_SSL
, reason
, fmt
, args
);
37 int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER
*rl
,
39 const EVP_CIPHER
*ciph
,
43 * Provided cipher, the TLS padding/MAC removal is performed provider
44 * side so we need to tell the ctx about our TLS version and mac size
46 OSSL_PARAM params
[3], *pprm
= params
;
50 if ((EVP_CIPHER_get_flags(ciph
) & EVP_CIPH_FLAG_AEAD_CIPHER
) == 0
52 imacsize
= EVP_MD_get_size(md
);
54 macsize
= (size_t)imacsize
;
56 *pprm
++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION
,
58 *pprm
++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE
,
60 *pprm
= OSSL_PARAM_construct_end();
62 if (!EVP_CIPHER_CTX_set_params(ctx
, params
)) {
63 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
71 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
72 * which ssl3_cbc_digest_record supports.
74 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX
*ctx
)
76 switch (EVP_MD_CTX_get_type(ctx
)) {
89 #ifndef OPENSSL_NO_COMP
90 static int tls_allow_compression(OSSL_RECORD_LAYER
*rl
)
92 if (rl
->options
& SSL_OP_NO_COMPRESSION
)
95 return rl
->security
== NULL
96 || rl
->security(rl
->cbarg
, SSL_SECOP_COMPRESSION
, 0, 0, NULL
);
100 static void tls_release_write_buffer_int(OSSL_RECORD_LAYER
*rl
, size_t start
)
105 pipes
= rl
->numwpipes
;
107 while (pipes
> start
) {
108 wb
= &rl
->wbuf
[pipes
- 1];
110 if (SSL3_BUFFER_is_app_buffer(wb
))
111 SSL3_BUFFER_set_app_buffer(wb
, 0);
113 OPENSSL_free(wb
->buf
);
119 int tls_setup_write_buffer(OSSL_RECORD_LAYER
*rl
, size_t numwpipes
,
120 size_t firstlen
, size_t nextlen
)
123 size_t align
= 0, headerlen
;
128 if (firstlen
== 0 || (numwpipes
> 1 && nextlen
== 0)) {
130 headerlen
= DTLS1_RT_HEADER_LENGTH
+ 1;
132 headerlen
= SSL3_RT_HEADER_LENGTH
;
134 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
135 align
= SSL3_ALIGN_PAYLOAD
- 1;
138 defltlen
= rl
->max_frag_len
+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
140 #ifndef OPENSSL_NO_COMP
141 if (tls_allow_compression(rl
))
142 defltlen
+= SSL3_RT_MAX_COMPRESSED_OVERHEAD
;
144 if (!(rl
->options
& SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
))
145 defltlen
+= headerlen
+ align
+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
;
149 for (currpipe
= 0; currpipe
< numwpipes
; currpipe
++) {
150 SSL3_BUFFER
*thiswb
= &wb
[currpipe
];
151 size_t len
= (currpipe
== 0) ? firstlen
: nextlen
;
156 if (thiswb
->len
!= len
) {
157 OPENSSL_free(thiswb
->buf
);
158 thiswb
->buf
= NULL
; /* force reallocation */
163 p
= OPENSSL_malloc(len
);
165 if (rl
->numwpipes
< currpipe
)
166 rl
->numwpipes
= currpipe
;
168 * We've got a malloc failure, and we're still initialising
169 * buffers. We assume we're so doomed that we won't even be able
172 RLAYERfatal(rl
, SSL_AD_NO_ALERT
, ERR_R_CRYPTO_LIB
);
176 memset(thiswb
, 0, sizeof(SSL3_BUFFER
));
181 /* Free any previously allocated buffers that we are no longer using */
182 tls_release_write_buffer_int(rl
, currpipe
);
184 rl
->numwpipes
= numwpipes
;
189 static void tls_release_write_buffer(OSSL_RECORD_LAYER
*rl
)
191 tls_release_write_buffer_int(rl
, 0);
196 int tls_setup_read_buffer(OSSL_RECORD_LAYER
*rl
)
199 size_t len
, align
= 0, headerlen
;
205 headerlen
= DTLS1_RT_HEADER_LENGTH
;
207 headerlen
= SSL3_RT_HEADER_LENGTH
;
209 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
210 align
= (-SSL3_RT_HEADER_LENGTH
) & (SSL3_ALIGN_PAYLOAD
- 1);
213 if (b
->buf
== NULL
) {
214 len
= rl
->max_frag_len
215 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD
+ headerlen
+ align
;
216 #ifndef OPENSSL_NO_COMP
217 if (tls_allow_compression(rl
))
218 len
+= SSL3_RT_MAX_COMPRESSED_OVERHEAD
;
220 if (b
->default_len
> len
)
221 len
= b
->default_len
;
222 if ((p
= OPENSSL_malloc(len
)) == NULL
) {
224 * We've got a malloc failure, and we're still initialising buffers.
225 * We assume we're so doomed that we won't even be able to send an
228 RLAYERfatal(rl
, SSL_AD_NO_ALERT
, ERR_R_CRYPTO_LIB
);
238 static int tls_release_read_buffer(OSSL_RECORD_LAYER
*rl
)
243 if ((rl
->options
& SSL_OP_CLEANSE_PLAINTEXT
) != 0)
244 OPENSSL_cleanse(b
->buf
, b
->len
);
245 OPENSSL_free(b
->buf
);
251 * Return values are as per SSL_read()
253 int tls_default_read_n(OSSL_RECORD_LAYER
*rl
, size_t n
, size_t max
, int extend
,
254 int clearold
, size_t *readbytes
)
257 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
258 * packet by another n bytes. The packet will be in the sub-array of
259 * rl->rbuf.buf specified by rl->packet and rl->packet_length. (If
260 * rl->read_ahead is set, 'max' bytes may be stored in rbuf [plus
261 * rl->packet_length bytes if extend == 1].) if clearold == 1, move the
262 * packet to the start of the buffer; if clearold == 0 then leave any old
263 * packets where they were
265 size_t len
, left
, align
= 0;
270 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
274 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
275 align
= (size_t)rb
->buf
+ SSL3_RT_HEADER_LENGTH
;
276 align
= SSL3_ALIGN_PAYLOAD
- 1 - ((align
- 1) % SSL3_ALIGN_PAYLOAD
);
280 /* start with empty packet ... */
283 } else if (align
!= 0 && left
>= SSL3_RT_HEADER_LENGTH
) {
285 * check if next packet length is large enough to justify payload
288 pkt
= rb
->buf
+ rb
->offset
;
289 if (pkt
[0] == SSL3_RT_APPLICATION_DATA
290 && (pkt
[3] << 8 | pkt
[4]) >= 128) {
292 * Note that even if packet is corrupted and its length field
293 * is insane, we can only be led to wrong decision about
294 * whether memmove will occur or not. Header values has no
295 * effect on memmove arguments and therefore no buffer
296 * overrun can be triggered.
298 memmove(rb
->buf
+ align
, pkt
, left
);
302 rl
->packet
= rb
->buf
+ rb
->offset
;
303 rl
->packet_length
= 0;
304 /* ... now we can act as if 'extend' was set */
307 len
= rl
->packet_length
;
308 pkt
= rb
->buf
+ align
;
310 * Move any available bytes to front of buffer: 'len' bytes already
311 * pointed to by 'packet', 'left' extra ones at the end
313 if (rl
->packet
!= pkt
&& clearold
== 1) {
314 memmove(pkt
, rl
->packet
, len
+ left
);
316 rb
->offset
= len
+ align
;
320 * For DTLS/UDP reads should not span multiple packets because the read
321 * operation returns the whole packet at once (as long as it fits into
325 if (left
== 0 && extend
)
327 if (left
> 0 && n
> left
)
331 /* if there is enough in the buffer from a previous read, take some */
333 rl
->packet_length
+= n
;
337 return OSSL_RECORD_RETURN_SUCCESS
;
340 /* else we need to read more data */
342 if (n
> rb
->len
- rb
->offset
) {
343 /* does not happen */
344 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
345 return OSSL_RECORD_RETURN_FATAL
;
348 /* We always act like read_ahead is set for DTLS */
349 if (!rl
->read_ahead
&& !rl
->isdtls
) {
350 /* ignore max parameter */
355 if (max
> rb
->len
- rb
->offset
)
356 max
= rb
->len
- rb
->offset
;
362 BIO
*bio
= rl
->prev
!= NULL
? rl
->prev
: rl
->bio
;
365 * Now we have len+left bytes at the front of rl->rbuf.buf and
366 * need to read in more until we have len + n (up to len + max if
372 ret
= BIO_read(bio
, pkt
+ len
+ left
, max
- left
);
375 ret
= OSSL_RECORD_RETURN_SUCCESS
;
376 } else if (BIO_should_retry(bio
)) {
377 if (rl
->prev
!= NULL
) {
379 * We were reading from the previous epoch. Now there is no
380 * more data, so swap to the actual transport BIO
386 ret
= OSSL_RECORD_RETURN_RETRY
;
387 } else if (BIO_eof(bio
)) {
388 ret
= OSSL_RECORD_RETURN_EOF
;
390 ret
= OSSL_RECORD_RETURN_FATAL
;
393 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_READ_BIO_NOT_SET
);
394 ret
= OSSL_RECORD_RETURN_FATAL
;
397 if (ret
<= OSSL_RECORD_RETURN_RETRY
) {
399 if ((rl
->mode
& SSL_MODE_RELEASE_BUFFERS
) != 0 && !rl
->isdtls
)
401 tls_release_read_buffer(rl
);
406 * reads should *never* span multiple packets for DTLS because the
407 * underlying transport protocol is message oriented as opposed to
408 * byte oriented as in the TLS case.
412 n
= left
; /* makes the while condition false */
416 /* done reading, now the book-keeping */
419 rl
->packet_length
+= n
;
421 return OSSL_RECORD_RETURN_SUCCESS
;
425 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
426 * for us in the buffer.
428 static int tls_record_app_data_waiting(OSSL_RECORD_LAYER
*rl
)
436 p
= SSL3_BUFFER_get_buf(rbuf
);
440 left
= SSL3_BUFFER_get_left(rbuf
);
442 if (left
< SSL3_RT_HEADER_LENGTH
)
445 p
+= SSL3_BUFFER_get_offset(rbuf
);
448 * We only check the type and record length, we will sanity check version
451 if (*p
!= SSL3_RT_APPLICATION_DATA
)
457 if (left
< SSL3_RT_HEADER_LENGTH
+ len
)
463 static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER
*rl
, size_t length
,
464 size_t overhead
, int send
)
466 uint32_t max_early_data
= rl
->max_early_data
;
468 if (max_early_data
== 0) {
469 RLAYERfatal(rl
, send
? SSL_AD_INTERNAL_ERROR
: SSL_AD_UNEXPECTED_MESSAGE
,
470 SSL_R_TOO_MUCH_EARLY_DATA
);
474 /* If we are dealing with ciphertext we need to allow for the overhead */
475 max_early_data
+= overhead
;
477 if (rl
->early_data_count
+ length
> max_early_data
) {
478 RLAYERfatal(rl
, send
? SSL_AD_INTERNAL_ERROR
: SSL_AD_UNEXPECTED_MESSAGE
,
479 SSL_R_TOO_MUCH_EARLY_DATA
);
482 rl
->early_data_count
+= length
;
488 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
489 * will be processed per call to tls_get_more_records. Without this limit an
490 * attacker could send empty records at a faster rate than we can process and
491 * cause tls_get_more_records to loop forever.
493 #define MAX_EMPTY_RECORDS 32
495 #define SSL2_RT_HEADER_LENGTH 2
498 * Call this to buffer new input records in rl->rrec.
499 * It will return a OSSL_RECORD_RETURN_* value.
500 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
501 * records have been decoded. For each record 'i':
502 * rrec[i].type - is the type of record
503 * rrec[i].data, - data
504 * rrec[i].length, - number of bytes
505 * Multiple records will only be returned if the record types are all
506 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
509 int tls_get_more_records(OSSL_RECORD_LAYER
*rl
)
514 SSL3_RECORD
*rr
, *thisrr
;
517 unsigned char md
[EVP_MAX_MD_SIZE
];
518 unsigned int version
;
521 size_t num_recs
= 0, max_recs
, j
;
522 PACKET pkt
, sslv2pkt
;
523 SSL_MAC_BUF
*macbufs
= NULL
;
524 int ret
= OSSL_RECORD_RETURN_FATAL
;
528 if (rbuf
->buf
== NULL
) {
529 if (!tls_setup_read_buffer(rl
)) {
530 /* RLAYERfatal() already called */
531 return OSSL_RECORD_RETURN_FATAL
;
535 max_recs
= rl
->max_pipelines
;
541 thisrr
= &rr
[num_recs
];
543 /* check if we have the header */
544 if ((rl
->rstate
!= SSL_ST_READ_BODY
) ||
545 (rl
->packet_length
< SSL3_RT_HEADER_LENGTH
)) {
549 rret
= rl
->funcs
->read_n(rl
, SSL3_RT_HEADER_LENGTH
,
550 SSL3_BUFFER_get_len(rbuf
), 0,
551 num_recs
== 0 ? 1 : 0, &n
);
553 if (rret
< OSSL_RECORD_RETURN_SUCCESS
)
554 return rret
; /* error or non-blocking */
556 rl
->rstate
= SSL_ST_READ_BODY
;
559 if (!PACKET_buf_init(&pkt
, p
, rl
->packet_length
)) {
560 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
561 return OSSL_RECORD_RETURN_FATAL
;
564 if (!PACKET_get_net_2_len(&sslv2pkt
, &sslv2len
)
565 || !PACKET_get_1(&sslv2pkt
, &type
)) {
566 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, ERR_R_INTERNAL_ERROR
);
567 return OSSL_RECORD_RETURN_FATAL
;
570 * The first record received by the server may be a V2ClientHello.
572 if (rl
->role
== OSSL_RECORD_ROLE_SERVER
573 && rl
->is_first_record
574 && (sslv2len
& 0x8000) != 0
575 && (type
== SSL2_MT_CLIENT_HELLO
)) {
579 * |num_recs| here will actually always be 0 because
580 * |num_recs > 0| only ever occurs when we are processing
581 * multiple app data records - which we know isn't the case here
582 * because it is an SSLv2ClientHello. We keep it using
583 * |num_recs| for the sake of consistency
585 thisrr
->type
= SSL3_RT_HANDSHAKE
;
586 thisrr
->rec_version
= SSL2_VERSION
;
588 thisrr
->length
= sslv2len
& 0x7fff;
590 if (thisrr
->length
> SSL3_BUFFER_get_len(rbuf
)
591 - SSL2_RT_HEADER_LENGTH
) {
592 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
593 SSL_R_PACKET_LENGTH_TOO_LONG
);
594 return OSSL_RECORD_RETURN_FATAL
;
597 /* SSLv3+ style record */
599 /* Pull apart the header into the SSL3_RECORD */
600 if (!PACKET_get_1(&pkt
, &type
)
601 || !PACKET_get_net_2(&pkt
, &version
)
602 || !PACKET_get_net_2_len(&pkt
, &thisrr
->length
)) {
603 if (rl
->msg_callback
!= NULL
)
604 rl
->msg_callback(0, 0, SSL3_RT_HEADER
, p
, 5, rl
->cbarg
);
605 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, ERR_R_INTERNAL_ERROR
);
606 return OSSL_RECORD_RETURN_FATAL
;
609 thisrr
->rec_version
= version
;
612 * When we call validate_record_header() only records actually
613 * received in SSLv2 format should have the record version set
614 * to SSL2_VERSION. This way validate_record_header() can know
615 * what format the record was in based on the version.
617 if (thisrr
->rec_version
== SSL2_VERSION
) {
618 RLAYERfatal(rl
, SSL_AD_PROTOCOL_VERSION
,
619 SSL_R_WRONG_VERSION_NUMBER
);
620 return OSSL_RECORD_RETURN_FATAL
;
623 if (rl
->msg_callback
!= NULL
)
624 rl
->msg_callback(0, version
, SSL3_RT_HEADER
, p
, 5, rl
->cbarg
);
627 SSL3_BUFFER_get_len(rbuf
) - SSL3_RT_HEADER_LENGTH
) {
628 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
629 SSL_R_PACKET_LENGTH_TOO_LONG
);
630 return OSSL_RECORD_RETURN_FATAL
;
634 if (!rl
->funcs
->validate_record_header(rl
, thisrr
)) {
635 /* RLAYERfatal already called */
636 return OSSL_RECORD_RETURN_FATAL
;
639 /* now rl->rstate == SSL_ST_READ_BODY */
643 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
644 * how much more data we need to read for the rest of the record
646 if (thisrr
->rec_version
== SSL2_VERSION
) {
647 more
= thisrr
->length
+ SSL2_RT_HEADER_LENGTH
648 - SSL3_RT_HEADER_LENGTH
;
650 more
= thisrr
->length
;
654 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
656 rret
= rl
->funcs
->read_n(rl
, more
, more
, 1, 0, &n
);
657 if (rret
< OSSL_RECORD_RETURN_SUCCESS
)
658 return rret
; /* error or non-blocking io */
661 /* set state for later operations */
662 rl
->rstate
= SSL_ST_READ_HEADER
;
665 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
666 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
667 * + thisrr->length and we have that many bytes in rl->packet
669 if (thisrr
->rec_version
== SSL2_VERSION
)
670 thisrr
->input
= &(rl
->packet
[SSL2_RT_HEADER_LENGTH
]);
672 thisrr
->input
= &(rl
->packet
[SSL3_RT_HEADER_LENGTH
]);
675 * ok, we can now read from 'rl->packet' data into 'thisrr'.
676 * thisrr->input points at thisrr->length bytes, which need to be copied
677 * into thisrr->data by either the decryption or by the decompression.
678 * When the data is 'copied' into the thisrr->data buffer,
679 * thisrr->input will be updated to point at the new buffer
683 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
684 * thisrr->length bytes of encrypted compressed stuff.
687 /* decrypt in place in 'thisrr->input' */
688 thisrr
->data
= thisrr
->input
;
689 thisrr
->orig_len
= thisrr
->length
;
693 /* we have pulled in a full packet so zero things */
694 rl
->packet_length
= 0;
695 rl
->is_first_record
= 0;
696 } while (num_recs
< max_recs
697 && thisrr
->type
== SSL3_RT_APPLICATION_DATA
698 && RLAYER_USE_EXPLICIT_IV(rl
)
699 && rl
->enc_ctx
!= NULL
700 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl
->enc_ctx
))
701 & EVP_CIPH_FLAG_PIPELINE
) != 0
702 && tls_record_app_data_waiting(rl
));
705 && thisrr
->type
== SSL3_RT_CHANGE_CIPHER_SPEC
706 /* The following can happen in tlsany_meth after HRR */
707 && rl
->version
== TLS1_3_VERSION
708 && rl
->is_first_handshake
) {
710 * CCS messages must be exactly 1 byte long, containing the value 0x01
712 if (thisrr
->length
!= 1 || thisrr
->data
[0] != 0x01) {
713 RLAYERfatal(rl
, SSL_AD_ILLEGAL_PARAMETER
,
714 SSL_R_INVALID_CCS_MESSAGE
);
715 return OSSL_RECORD_RETURN_FATAL
;
718 * CCS messages are ignored in TLSv1.3. We treat it like an empty
721 thisrr
->type
= SSL3_RT_HANDSHAKE
;
722 if (++(rl
->empty_record_count
) > MAX_EMPTY_RECORDS
) {
723 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
,
724 SSL_R_UNEXPECTED_CCS_MESSAGE
);
725 return OSSL_RECORD_RETURN_FATAL
;
729 rl
->num_released
= 0;
731 return OSSL_RECORD_RETURN_SUCCESS
;
734 if (rl
->md_ctx
!= NULL
) {
735 const EVP_MD
*tmpmd
= EVP_MD_CTX_get0_md(rl
->md_ctx
);
738 imac_size
= EVP_MD_get_size(tmpmd
);
739 if (!ossl_assert(imac_size
>= 0 && imac_size
<= EVP_MAX_MD_SIZE
)) {
740 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
741 return OSSL_RECORD_RETURN_FATAL
;
743 mac_size
= (size_t)imac_size
;
748 * If in encrypt-then-mac mode calculate mac from encrypted record. All
749 * the details below are public so no timing details can leak.
751 if (rl
->use_etm
&& rl
->md_ctx
) {
754 for (j
= 0; j
< num_recs
; j
++) {
757 if (thisrr
->length
< mac_size
) {
758 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_TOO_SHORT
);
759 return OSSL_RECORD_RETURN_FATAL
;
761 thisrr
->length
-= mac_size
;
762 mac
= thisrr
->data
+ thisrr
->length
;
763 i
= rl
->funcs
->mac(rl
, thisrr
, md
, 0 /* not send */);
764 if (i
== 0 || CRYPTO_memcmp(md
, mac
, mac_size
) != 0) {
765 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
766 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
767 return OSSL_RECORD_RETURN_FATAL
;
771 * We've handled the mac now - there is no MAC inside the encrypted
778 macbufs
= OPENSSL_zalloc(sizeof(*macbufs
) * num_recs
);
779 if (macbufs
== NULL
) {
780 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_CRYPTO_LIB
);
781 return OSSL_RECORD_RETURN_FATAL
;
785 enc_err
= rl
->funcs
->cipher(rl
, rr
, num_recs
, 0, macbufs
, mac_size
);
789 * 0: if the record is publicly invalid, or an internal error, or AEAD
790 * decryption failed, or ETM decryption failed.
791 * 1: Success or MTE decryption failed (MAC will be randomised)
794 if (rl
->alert
!= SSL_AD_NO_ALERT
) {
795 /* RLAYERfatal() already got called */
799 && rl
->skip_early_data
!= NULL
800 && rl
->skip_early_data(rl
->cbarg
)) {
802 * Valid early_data that we cannot decrypt will fail here. We treat
803 * it like an empty record.
808 if (!rlayer_early_data_count_ok(rl
, thisrr
->length
,
809 EARLY_DATA_CIPHERTEXT_OVERHEAD
, 0)) {
810 /* RLAYERfatal() already called */
817 rl
->num_released
= 0;
818 /* Reset the read sequence */
819 memset(rl
->sequence
, 0, sizeof(rl
->sequence
));
823 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
824 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
827 OSSL_TRACE_BEGIN(TLS
) {
828 BIO_printf(trc_out
, "dec %lu\n", (unsigned long)rr
[0].length
);
829 BIO_dump_indent(trc_out
, rr
[0].data
, rr
[0].length
, 4);
830 } OSSL_TRACE_END(TLS
);
832 /* r->length is now the compressed data plus mac */
833 if (rl
->enc_ctx
!= NULL
835 && EVP_MD_CTX_get0_md(rl
->md_ctx
) != NULL
) {
836 /* rl->md_ctx != NULL => mac_size != -1 */
838 for (j
= 0; j
< num_recs
; j
++) {
839 SSL_MAC_BUF
*thismb
= &macbufs
[j
];
843 i
= rl
->funcs
->mac(rl
, thisrr
, md
, 0 /* not send */);
844 if (i
== 0 || thismb
== NULL
|| thismb
->mac
== NULL
845 || CRYPTO_memcmp(md
, thismb
->mac
, (size_t)mac_size
) != 0)
847 if (thisrr
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
+ mac_size
)
853 if (rl
->alert
!= SSL_AD_NO_ALERT
) {
854 /* We already called RLAYERfatal() */
858 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
859 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
860 * failure is directly visible from the ciphertext anyway, we should
861 * not reveal which kind of error occurred -- this might become
862 * visible to an attacker (e.g. via a logfile)
864 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
865 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
869 for (j
= 0; j
< num_recs
; j
++) {
872 if (!rl
->funcs
->post_process_record(rl
, thisrr
)) {
873 /* RLAYERfatal already called */
878 * Check if the received packet overflows the current
879 * Max Fragment Length setting.
880 * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
882 if (thisrr
->length
> rl
->max_frag_len
) {
883 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
889 * So at this point the following is true
890 * thisrr->type is the type of record
891 * thisrr->length == number of bytes in record
892 * thisrr->off == offset to first valid byte
893 * thisrr->data == where to take bytes from, increment after use :-).
896 /* just read a 0 length packet */
897 if (thisrr
->length
== 0) {
898 if (++(rl
->empty_record_count
) > MAX_EMPTY_RECORDS
) {
899 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
,
900 SSL_R_RECORD_TOO_SMALL
);
904 rl
->empty_record_count
= 0;
908 if (rl
->level
== OSSL_RECORD_PROTECTION_LEVEL_EARLY
) {
910 if (thisrr
->type
== SSL3_RT_APPLICATION_DATA
911 && !rlayer_early_data_count_ok(rl
, thisrr
->length
, 0, 0)) {
912 /* RLAYERfatal already called */
917 rl
->num_recs
= num_recs
;
919 rl
->num_released
= 0;
920 ret
= OSSL_RECORD_RETURN_SUCCESS
;
922 if (macbufs
!= NULL
) {
923 for (j
= 0; j
< num_recs
; j
++) {
924 if (macbufs
[j
].alloced
)
925 OPENSSL_free(macbufs
[j
].mac
);
927 OPENSSL_free(macbufs
);
932 /* Shared by ssl3_meth and tls1_meth */
933 int tls_default_validate_record_header(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
935 size_t len
= SSL3_RT_MAX_ENCRYPTED_LENGTH
;
937 if (rec
->rec_version
!= rl
->version
) {
938 RLAYERfatal(rl
, SSL_AD_PROTOCOL_VERSION
, SSL_R_WRONG_VERSION_NUMBER
);
942 #ifndef OPENSSL_NO_COMP
944 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
945 * does not include the compression overhead anyway.
947 if (rl
->compctx
== NULL
)
948 len
-= SSL3_RT_MAX_COMPRESSED_OVERHEAD
;
951 if (rec
->length
> len
) {
952 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
953 SSL_R_ENCRYPTED_LENGTH_TOO_LONG
);
960 static int tls_do_compress(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*wr
)
962 #ifndef OPENSSL_NO_COMP
965 i
= COMP_compress_block(rl
->compctx
, wr
->data
,
966 (int)(wr
->length
+ SSL3_RT_MAX_COMPRESSED_OVERHEAD
),
967 wr
->input
, (int)wr
->length
);
972 wr
->input
= wr
->data
;
979 int tls_do_uncompress(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
981 #ifndef OPENSSL_NO_COMP
984 if (rec
->comp
== NULL
) {
985 rec
->comp
= (unsigned char *)
986 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH
);
988 if (rec
->comp
== NULL
)
991 i
= COMP_expand_block(rl
->compctx
, rec
->comp
, SSL3_RT_MAX_PLAIN_LENGTH
,
992 rec
->data
, (int)rec
->length
);
997 rec
->data
= rec
->comp
;
1004 /* Shared by tlsany_meth, ssl3_meth and tls1_meth */
1005 int tls_default_post_process_record(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
1007 if (rl
->compctx
!= NULL
) {
1008 if (rec
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
) {
1009 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
1010 SSL_R_COMPRESSED_LENGTH_TOO_LONG
);
1013 if (!tls_do_uncompress(rl
, rec
)) {
1014 RLAYERfatal(rl
, SSL_AD_DECOMPRESSION_FAILURE
,
1015 SSL_R_BAD_DECOMPRESSION
);
1020 if (rec
->length
> SSL3_RT_MAX_PLAIN_LENGTH
) {
1021 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
1028 /* Shared by tls13_meth and ktls_meth */
1029 int tls13_common_post_process_record(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
1031 if (rec
->type
!= SSL3_RT_APPLICATION_DATA
1032 && rec
->type
!= SSL3_RT_ALERT
1033 && rec
->type
!= SSL3_RT_HANDSHAKE
) {
1034 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_BAD_RECORD_TYPE
);
1038 if (rl
->msg_callback
!= NULL
)
1039 rl
->msg_callback(0, rl
->version
, SSL3_RT_INNER_CONTENT_TYPE
, &rec
->type
,
1043 * TLSv1.3 alert and handshake records are required to be non-zero in
1046 if ((rec
->type
== SSL3_RT_HANDSHAKE
|| rec
->type
== SSL3_RT_ALERT
)
1047 && rec
->length
== 0) {
1048 RLAYERfatal(rl
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_BAD_LENGTH
);
1055 int tls_read_record(OSSL_RECORD_LAYER
*rl
, void **rechandle
, int *rversion
,
1056 int *type
, unsigned char **data
, size_t *datalen
,
1057 uint16_t *epoch
, unsigned char *seq_num
)
1062 * tls_get_more_records() can return success without actually reading
1063 * anything useful (i.e. if empty records are read). We loop here until
1064 * we have something useful. tls_get_more_records() will eventually fail if
1065 * too many sequential empty records are read.
1067 while (rl
->curr_rec
>= rl
->num_recs
) {
1070 if (rl
->num_released
!= rl
->num_recs
) {
1071 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_RECORDS_NOT_RELEASED
);
1072 return OSSL_RECORD_RETURN_FATAL
;
1075 ret
= rl
->funcs
->get_more_records(rl
);
1077 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
1082 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
1083 * points to the next one to read.
1085 rec
= &rl
->rrec
[rl
->curr_rec
++];
1088 *rversion
= rec
->rec_version
;
1090 *data
= rec
->data
+ rec
->off
;
1091 *datalen
= rec
->length
;
1093 *epoch
= rec
->epoch
;
1094 memcpy(seq_num
, rec
->seq_num
, sizeof(rec
->seq_num
));
1097 return OSSL_RECORD_RETURN_SUCCESS
;
1100 int tls_release_record(OSSL_RECORD_LAYER
*rl
, void *rechandle
)
1102 if (!ossl_assert(rl
->num_released
< rl
->curr_rec
)
1103 || !ossl_assert(rechandle
== &rl
->rrec
[rl
->num_released
])) {
1104 /* Should not happen */
1105 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_INVALID_RECORD
);
1106 return OSSL_RECORD_RETURN_FATAL
;
1111 if (rl
->curr_rec
== rl
->num_released
1112 && (rl
->mode
& SSL_MODE_RELEASE_BUFFERS
) != 0
1113 && SSL3_BUFFER_get_left(&rl
->rbuf
) == 0)
1114 tls_release_read_buffer(rl
);
1116 return OSSL_RECORD_RETURN_SUCCESS
;
1119 int tls_set_options(OSSL_RECORD_LAYER
*rl
, const OSSL_PARAM
*options
)
1121 const OSSL_PARAM
*p
;
1123 p
= OSSL_PARAM_locate_const(options
, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS
);
1124 if (p
!= NULL
&& !OSSL_PARAM_get_uint64(p
, &rl
->options
)) {
1125 ERR_raise(ERR_LIB_SSL
, SSL_R_FAILED_TO_GET_PARAMETER
);
1129 p
= OSSL_PARAM_locate_const(options
, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE
);
1130 if (p
!= NULL
&& !OSSL_PARAM_get_uint32(p
, &rl
->mode
)) {
1131 ERR_raise(ERR_LIB_SSL
, SSL_R_FAILED_TO_GET_PARAMETER
);
1135 if (rl
->direction
== OSSL_RECORD_DIRECTION_READ
) {
1136 p
= OSSL_PARAM_locate_const(options
,
1137 OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN
);
1138 if (p
!= NULL
&& !OSSL_PARAM_get_size_t(p
, &rl
->rbuf
.default_len
)) {
1139 ERR_raise(ERR_LIB_SSL
, SSL_R_FAILED_TO_GET_PARAMETER
);
1143 p
= OSSL_PARAM_locate_const(options
,
1144 OSSL_LIBSSL_RECORD_LAYER_PARAM_BLOCK_PADDING
);
1145 if (p
!= NULL
&& !OSSL_PARAM_get_size_t(p
, &rl
->block_padding
)) {
1146 ERR_raise(ERR_LIB_SSL
, SSL_R_FAILED_TO_GET_PARAMETER
);
1151 if (rl
->level
== OSSL_RECORD_PROTECTION_LEVEL_APPLICATION
) {
1153 * We ignore any read_ahead setting prior to the application protection
1154 * level. Otherwise we may read ahead data in a lower protection level
1155 * that is destined for a higher protection level. To simplify the logic
1156 * we don't support that at this stage.
1158 p
= OSSL_PARAM_locate_const(options
,
1159 OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD
);
1160 if (p
!= NULL
&& !OSSL_PARAM_get_int(p
, &rl
->read_ahead
)) {
1161 ERR_raise(ERR_LIB_SSL
, SSL_R_FAILED_TO_GET_PARAMETER
);
1170 tls_int_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
1171 int role
, int direction
, int level
, unsigned char *key
,
1172 size_t keylen
, unsigned char *iv
, size_t ivlen
,
1173 unsigned char *mackey
, size_t mackeylen
,
1174 const EVP_CIPHER
*ciph
, size_t taglen
,
1176 const EVP_MD
*md
, COMP_METHOD
*comp
, BIO
*prev
,
1177 BIO
*transport
, BIO
*next
, BIO_ADDR
*local
,
1178 BIO_ADDR
*peer
, const OSSL_PARAM
*settings
,
1179 const OSSL_PARAM
*options
,
1180 const OSSL_DISPATCH
*fns
, void *cbarg
,
1181 OSSL_RECORD_LAYER
**retrl
)
1183 OSSL_RECORD_LAYER
*rl
= OPENSSL_zalloc(sizeof(*rl
));
1184 const OSSL_PARAM
*p
;
1189 return OSSL_RECORD_RETURN_FATAL
;
1192 * Default the value for max_frag_len. This may be overridden by the
1195 rl
->max_frag_len
= SSL3_RT_MAX_PLAIN_LENGTH
;
1197 /* Loop through all the settings since they must all be understood */
1198 if (settings
!= NULL
) {
1199 for (p
= settings
; p
->key
!= NULL
; p
++) {
1200 if (strcmp(p
->key
, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM
) == 0) {
1201 if (!OSSL_PARAM_get_int(p
, &rl
->use_etm
)) {
1202 ERR_raise(ERR_LIB_SSL
, SSL_R_FAILED_TO_GET_PARAMETER
);
1205 } else if (strcmp(p
->key
,
1206 OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN
) == 0) {
1207 if (!OSSL_PARAM_get_uint(p
, &rl
->max_frag_len
)) {
1208 ERR_raise(ERR_LIB_SSL
, SSL_R_FAILED_TO_GET_PARAMETER
);
1211 } else if (strcmp(p
->key
,
1212 OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA
) == 0) {
1213 if (!OSSL_PARAM_get_uint32(p
, &rl
->max_early_data
)) {
1214 ERR_raise(ERR_LIB_SSL
, SSL_R_FAILED_TO_GET_PARAMETER
);
1217 } else if (strcmp(p
->key
,
1218 OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC
) == 0) {
1219 if (!OSSL_PARAM_get_int(p
, &rl
->stream_mac
)) {
1220 ERR_raise(ERR_LIB_SSL
, SSL_R_FAILED_TO_GET_PARAMETER
);
1223 } else if (strcmp(p
->key
,
1224 OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE
) == 0) {
1225 if (!OSSL_PARAM_get_int(p
, &rl
->tlstree
)) {
1226 ERR_raise(ERR_LIB_SSL
, SSL_R_FAILED_TO_GET_PARAMETER
);
1230 ERR_raise(ERR_LIB_SSL
, SSL_R_UNKNOWN_MANDATORY_PARAMETER
);
1236 rl
->libctx
= libctx
;
1241 rl
->direction
= direction
;
1244 rl
->alert
= SSL_AD_NO_ALERT
;
1246 if (level
== OSSL_RECORD_PROTECTION_LEVEL_NONE
)
1247 rl
->is_first_record
= 1;
1249 if (!tls_set1_bio(rl
, transport
))
1252 if (prev
!= NULL
&& !BIO_up_ref(prev
))
1256 if (next
!= NULL
&& !BIO_up_ref(next
))
1262 for (; fns
->function_id
!= 0; fns
++) {
1263 switch (fns
->function_id
) {
1264 case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA
:
1265 rl
->skip_early_data
= OSSL_FUNC_rlayer_skip_early_data(fns
);
1267 case OSSL_FUNC_RLAYER_MSG_CALLBACK
:
1268 rl
->msg_callback
= OSSL_FUNC_rlayer_msg_callback(fns
);
1270 case OSSL_FUNC_RLAYER_SECURITY
:
1271 rl
->security
= OSSL_FUNC_rlayer_security(fns
);
1273 case OSSL_FUNC_RLAYER_PADDING
:
1274 rl
->padding
= OSSL_FUNC_rlayer_padding(fns
);
1276 /* Just ignore anything we don't understand */
1282 if (!tls_set_options(rl
, options
)) {
1283 ERR_raise(ERR_LIB_SSL
, SSL_R_FAILED_TO_GET_PARAMETER
);
1287 if ((rl
->options
& SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
) == 0
1288 && rl
->version
<= TLS1_VERSION
1289 && !EVP_CIPHER_is_a(ciph
, "NULL")
1290 && !EVP_CIPHER_is_a(ciph
, "RC4")) {
1292 * Enable vulnerability countermeasure for CBC ciphers with known-IV
1293 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
1295 rl
->need_empty_fragments
= 1;
1299 return OSSL_RECORD_RETURN_SUCCESS
;
1302 return OSSL_RECORD_RETURN_FATAL
;
1306 tls_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
1307 int role
, int direction
, int level
, uint16_t epoch
,
1308 unsigned char *key
, size_t keylen
, unsigned char *iv
,
1309 size_t ivlen
, unsigned char *mackey
, size_t mackeylen
,
1310 const EVP_CIPHER
*ciph
, size_t taglen
,
1312 const EVP_MD
*md
, COMP_METHOD
*comp
, BIO
*prev
,
1313 BIO
*transport
, BIO
*next
, BIO_ADDR
*local
, BIO_ADDR
*peer
,
1314 const OSSL_PARAM
*settings
, const OSSL_PARAM
*options
,
1315 const OSSL_DISPATCH
*fns
, void *cbarg
,
1316 OSSL_RECORD_LAYER
**retrl
)
1320 ret
= tls_int_new_record_layer(libctx
, propq
, vers
, role
, direction
, level
,
1321 key
, keylen
, iv
, ivlen
, mackey
, mackeylen
,
1322 ciph
, taglen
, mactype
, md
, comp
, prev
,
1323 transport
, next
, local
, peer
, settings
,
1324 options
, fns
, cbarg
, retrl
);
1326 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
1330 case TLS_ANY_VERSION
:
1331 (*retrl
)->funcs
= &tls_any_funcs
;
1333 case TLS1_3_VERSION
:
1334 (*retrl
)->funcs
= &tls_1_3_funcs
;
1336 case TLS1_2_VERSION
:
1337 case TLS1_1_VERSION
:
1339 (*retrl
)->funcs
= &tls_1_funcs
;
1342 (*retrl
)->funcs
= &ssl_3_0_funcs
;
1345 /* Should not happen */
1346 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
1347 ret
= OSSL_RECORD_RETURN_FATAL
;
1351 ret
= (*retrl
)->funcs
->set_crypto_state(*retrl
, level
, key
, keylen
, iv
,
1352 ivlen
, mackey
, mackeylen
, ciph
,
1353 taglen
, mactype
, md
, comp
);
1356 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
) {
1357 OPENSSL_free(*retrl
);
1363 static void tls_int_free(OSSL_RECORD_LAYER
*rl
)
1368 SSL3_BUFFER_release(&rl
->rbuf
);
1370 tls_release_write_buffer(rl
);
1372 EVP_CIPHER_CTX_free(rl
->enc_ctx
);
1373 EVP_MD_CTX_free(rl
->md_ctx
);
1374 #ifndef OPENSSL_NO_COMP
1375 COMP_CTX_free(rl
->compctx
);
1378 if (rl
->version
== SSL3_VERSION
)
1379 OPENSSL_cleanse(rl
->mac_secret
, sizeof(rl
->mac_secret
));
1381 SSL3_RECORD_release(rl
->rrec
, SSL_MAX_PIPELINES
);
1386 int tls_free(OSSL_RECORD_LAYER
*rl
)
1389 size_t left
, written
;
1394 left
= SSL3_BUFFER_get_left(rbuf
);
1397 * This record layer is closing but we still have data left in our
1398 * buffer. It must be destined for the next epoch - so push it there.
1400 ret
= BIO_write_ex(rl
->next
, rbuf
->buf
+ rbuf
->offset
, left
, &written
);
1407 int tls_reset(OSSL_RECORD_LAYER
*rl
)
1409 memset(rl
, 0, sizeof(*rl
));
1413 int tls_unprocessed_read_pending(OSSL_RECORD_LAYER
*rl
)
1415 return SSL3_BUFFER_get_left(&rl
->rbuf
) != 0;
1418 int tls_processed_read_pending(OSSL_RECORD_LAYER
*rl
)
1420 return rl
->curr_rec
< rl
->num_recs
;
1423 size_t tls_app_data_pending(OSSL_RECORD_LAYER
*rl
)
1428 for (i
= rl
->curr_rec
; i
< rl
->num_recs
; i
++) {
1429 if (rl
->rrec
[i
].type
!= SSL3_RT_APPLICATION_DATA
)
1431 num
+= rl
->rrec
[i
].length
;
1436 int tls_write_pending(OSSL_RECORD_LAYER
*rl
)
1441 size_t tls_get_max_record_len(OSSL_RECORD_LAYER
*rl
)
1446 size_t tls_get_max_records_default(OSSL_RECORD_LAYER
*rl
, int type
, size_t len
,
1447 size_t maxfrag
, size_t *preffrag
)
1450 * TODO(RECLAYER): There is no test for the pipelining code. We should add
1454 * If we have a pipeline capable cipher, and we have been configured to use
1455 * it, then return the preferred number of pipelines.
1457 if (rl
->max_pipelines
> 0
1458 && rl
->enc_ctx
!= NULL
1459 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl
->enc_ctx
))
1460 & EVP_CIPH_FLAG_PIPELINE
) != 0
1461 && RLAYER_USE_EXPLICIT_IV(rl
)) {
1466 pipes
= ((len
- 1) / *preffrag
) + 1;
1468 return (pipes
< rl
->max_pipelines
) ? pipes
: rl
->max_pipelines
;
1474 size_t tls_get_max_records(OSSL_RECORD_LAYER
*rl
, int type
, size_t len
,
1475 size_t maxfrag
, size_t *preffrag
)
1477 return rl
->funcs
->get_max_records(rl
, type
, len
, maxfrag
, preffrag
);
1480 int tls_allocate_write_buffers_default(OSSL_RECORD_LAYER
*rl
,
1481 OSSL_RECORD_TEMPLATE
*templates
,
1485 if (!tls_setup_write_buffer(rl
, numtempl
, 0, 0)) {
1486 /* RLAYERfatal() already called */
1493 int tls_initialise_write_packets_default(OSSL_RECORD_LAYER
*rl
,
1494 OSSL_RECORD_TEMPLATE
*templates
,
1496 OSSL_RECORD_TEMPLATE
*prefixtempl
,
1505 for (j
= 0; j
< numtempl
; j
++) {
1509 wb
->type
= templates
[j
].type
;
1511 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
1512 align
= (size_t)SSL3_BUFFER_get_buf(wb
) + SSL3_RT_HEADER_LENGTH
;
1513 align
= SSL3_ALIGN_PAYLOAD
- 1
1514 - ((align
- 1) % SSL3_ALIGN_PAYLOAD
);
1516 SSL3_BUFFER_set_offset(wb
, align
);
1518 if (!WPACKET_init_static_len(thispkt
, SSL3_BUFFER_get_buf(wb
),
1519 SSL3_BUFFER_get_len(wb
), 0)) {
1520 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1524 if (!WPACKET_allocate_bytes(thispkt
, align
, NULL
)) {
1525 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1533 int tls_prepare_record_header_default(OSSL_RECORD_LAYER
*rl
,
1535 OSSL_RECORD_TEMPLATE
*templ
,
1536 unsigned int rectype
,
1537 unsigned char **recdata
)
1543 maxcomplen
= templ
->buflen
;
1544 if (rl
->compctx
!= NULL
)
1545 maxcomplen
+= SSL3_RT_MAX_COMPRESSED_OVERHEAD
;
1547 if (!WPACKET_put_bytes_u8(thispkt
, rectype
)
1548 || !WPACKET_put_bytes_u16(thispkt
, templ
->version
)
1549 || !WPACKET_start_sub_packet_u16(thispkt
)
1551 && !WPACKET_allocate_bytes(thispkt
, rl
->eivlen
, NULL
))
1553 && !WPACKET_reserve_bytes(thispkt
, maxcomplen
,
1555 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1562 int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER
*rl
,
1565 SSL3_RECORD
*thiswr
)
1568 unsigned char *recordstart
;
1571 * we should still have the output to thiswr->data and the input from
1572 * wr->input. Length should be thiswr->length. thiswr->data still points
1576 if (!rl
->use_etm
&& mac_size
!= 0) {
1579 if (!WPACKET_allocate_bytes(thispkt
, mac_size
, &mac
)
1580 || !rl
->funcs
->mac(rl
, thiswr
, mac
, 1)) {
1581 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1587 * Reserve some bytes for any growth that may occur during encryption.
1588 * This will be at most one cipher block or the tag length if using
1589 * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case.
1591 if (!WPACKET_reserve_bytes(thispkt
,
1592 SSL_RT_MAX_CIPHER_BLOCK_SIZE
,
1595 * We also need next the amount of bytes written to this
1598 || !WPACKET_get_length(thispkt
, &len
)) {
1599 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1603 /* Get a pointer to the start of this record excluding header */
1604 recordstart
= WPACKET_get_curr(thispkt
) - len
;
1605 SSL3_RECORD_set_data(thiswr
, recordstart
);
1606 SSL3_RECORD_reset_input(thiswr
);
1607 SSL3_RECORD_set_length(thiswr
, len
);
1612 int tls_post_encryption_processing_default(OSSL_RECORD_LAYER
*rl
,
1614 OSSL_RECORD_TEMPLATE
*thistempl
,
1616 SSL3_RECORD
*thiswr
)
1618 size_t origlen
, len
;
1620 /* Allocate bytes for the encryption overhead */
1621 if (!WPACKET_get_length(thispkt
, &origlen
)
1622 /* Encryption should never shrink the data! */
1623 || origlen
> thiswr
->length
1624 || (thiswr
->length
> origlen
1625 && !WPACKET_allocate_bytes(thispkt
,
1626 thiswr
->length
- origlen
,
1628 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1631 if (rl
->use_etm
&& mac_size
!= 0) {
1634 if (!WPACKET_allocate_bytes(thispkt
, mac_size
, &mac
)
1635 || !rl
->funcs
->mac(rl
, thiswr
, mac
, 1)) {
1636 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1640 SSL3_RECORD_add_length(thiswr
, mac_size
);
1643 if (!WPACKET_get_length(thispkt
, &len
)
1644 || !WPACKET_close(thispkt
)) {
1645 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1649 if (rl
->msg_callback
!= NULL
) {
1650 unsigned char *recordstart
;
1652 recordstart
= WPACKET_get_curr(thispkt
) - len
- SSL3_RT_HEADER_LENGTH
;
1653 rl
->msg_callback(1, thiswr
->rec_version
, SSL3_RT_HEADER
, recordstart
,
1654 SSL3_RT_HEADER_LENGTH
, rl
->cbarg
);
1656 if (rl
->version
== TLS1_3_VERSION
&& rl
->enc_ctx
!= NULL
) {
1657 unsigned char ctype
= thistempl
->type
;
1659 rl
->msg_callback(1, thiswr
->rec_version
, SSL3_RT_INNER_CONTENT_TYPE
,
1660 &ctype
, 1, rl
->cbarg
);
1664 if (!WPACKET_finish(thispkt
)) {
1665 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1669 SSL3_RECORD_add_length(thiswr
, SSL3_RT_HEADER_LENGTH
);
1674 int tls_write_records_default(OSSL_RECORD_LAYER
*rl
,
1675 OSSL_RECORD_TEMPLATE
*templates
,
1678 WPACKET pkt
[SSL_MAX_PIPELINES
+ 1];
1679 SSL3_RECORD wr
[SSL_MAX_PIPELINES
+ 1];
1681 SSL3_RECORD
*thiswr
;
1682 int mac_size
= 0, ret
= 0;
1683 size_t wpinited
= 0;
1684 size_t j
, prefix
= 0;
1685 OSSL_RECORD_TEMPLATE prefixtempl
;
1686 OSSL_RECORD_TEMPLATE
*thistempl
;
1688 if (rl
->md_ctx
!= NULL
&& EVP_MD_CTX_get0_md(rl
->md_ctx
) != NULL
) {
1689 mac_size
= EVP_MD_CTX_get_size(rl
->md_ctx
);
1691 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1696 if (!rl
->funcs
->allocate_write_buffers(rl
, templates
, numtempl
, &prefix
)) {
1697 /* RLAYERfatal() already called */
1701 if (!rl
->funcs
->initialise_write_packets(rl
, templates
, numtempl
,
1702 &prefixtempl
, pkt
, rl
->wbuf
,
1704 /* RLAYERfatal() already called */
1708 /* Clear our SSL3_RECORD structures */
1709 memset(wr
, 0, sizeof(wr
));
1710 for (j
= 0; j
< numtempl
+ prefix
; j
++) {
1711 unsigned char *compressdata
= NULL
;
1712 unsigned int rectype
;
1716 thistempl
= (j
< prefix
) ? &prefixtempl
: &templates
[j
- prefix
];
1719 * Default to the record type as specified in the template unless the
1720 * protocol implementation says differently.
1722 if (rl
->funcs
->get_record_type
!= NULL
)
1723 rectype
= rl
->funcs
->get_record_type(rl
, thistempl
);
1725 rectype
= thistempl
->type
;
1727 SSL3_RECORD_set_type(thiswr
, rectype
);
1728 SSL3_RECORD_set_rec_version(thiswr
, thistempl
->version
);
1730 if (!rl
->funcs
->prepare_record_header(rl
, thispkt
, thistempl
, rectype
,
1732 /* RLAYERfatal() already called */
1736 /* lets setup the record stuff. */
1737 SSL3_RECORD_set_data(thiswr
, compressdata
);
1738 SSL3_RECORD_set_length(thiswr
, thistempl
->buflen
);
1740 SSL3_RECORD_set_input(thiswr
, (unsigned char *)thistempl
->buf
);
1743 * we now 'read' from thiswr->input, thiswr->length bytes into
1747 /* first we compress */
1748 if (rl
->compctx
!= NULL
) {
1749 if (!tls_do_compress(rl
, thiswr
)
1750 || !WPACKET_allocate_bytes(thispkt
, thiswr
->length
, NULL
)) {
1751 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_COMPRESSION_FAILURE
);
1754 } else if (compressdata
!= NULL
) {
1755 if (!WPACKET_memcpy(thispkt
, thiswr
->input
, thiswr
->length
)) {
1756 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1759 SSL3_RECORD_reset_input(&wr
[j
]);
1762 if (rl
->funcs
->add_record_padding
!= NULL
1763 && !rl
->funcs
->add_record_padding(rl
, thistempl
, thispkt
,
1765 /* RLAYERfatal() already called */
1769 if (!rl
->funcs
->prepare_for_encryption(rl
, mac_size
, thispkt
, thiswr
)) {
1770 /* RLAYERfatal() already called */
1776 if (rl
->funcs
->cipher(rl
, wr
, 1, 1, NULL
, mac_size
) < 1) {
1777 if (rl
->alert
== SSL_AD_NO_ALERT
) {
1778 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1784 if (rl
->funcs
->cipher(rl
, wr
+ prefix
, numtempl
, 1, NULL
, mac_size
) < 1) {
1785 if (rl
->alert
== SSL_AD_NO_ALERT
) {
1786 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1791 for (j
= 0; j
< numtempl
+ prefix
; j
++) {
1794 thistempl
= (j
< prefix
) ? &prefixtempl
: &templates
[j
- prefix
];
1796 if (!rl
->funcs
->post_encryption_processing(rl
, mac_size
, thistempl
,
1798 /* RLAYERfatal() already called */
1803 * we should now have thiswr->data pointing to the encrypted data, which
1804 * is thiswr->length long.
1805 * Setting the type is not needed but helps for debugging
1807 SSL3_RECORD_set_type(thiswr
, thistempl
->type
);
1809 /* now let's set up wb */
1810 SSL3_BUFFER_set_left(&rl
->wbuf
[j
], SSL3_RECORD_get_length(thiswr
));
1815 for (j
= 0; j
< wpinited
; j
++)
1816 WPACKET_cleanup(&pkt
[j
]);
1820 int tls_write_records(OSSL_RECORD_LAYER
*rl
, OSSL_RECORD_TEMPLATE
*templates
,
1823 /* Check we don't have pending data waiting to write */
1824 if (!ossl_assert(rl
->nextwbuf
>= rl
->numwpipes
1825 || SSL3_BUFFER_get_left(&rl
->wbuf
[rl
->nextwbuf
]) == 0)) {
1826 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
1827 return OSSL_RECORD_RETURN_FATAL
;
1830 if (!rl
->funcs
->write_records(rl
, templates
, numtempl
)) {
1831 /* RLAYERfatal already called */
1832 return OSSL_RECORD_RETURN_FATAL
;
1836 /* we now just need to write the buffers */
1837 return tls_retry_write_records(rl
);
1840 int tls_retry_write_records(OSSL_RECORD_LAYER
*rl
)
1843 SSL3_BUFFER
*thiswb
;
1846 if (rl
->nextwbuf
>= rl
->numwpipes
)
1847 return OSSL_RECORD_RETURN_SUCCESS
;
1850 thiswb
= &rl
->wbuf
[rl
->nextwbuf
];
1853 if (rl
->bio
!= NULL
) {
1854 if (rl
->funcs
->prepare_write_bio
!= NULL
) {
1855 ret
= rl
->funcs
->prepare_write_bio(rl
, thiswb
->type
);
1856 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
1859 i
= BIO_write(rl
->bio
, (char *)
1860 &(SSL3_BUFFER_get_buf(thiswb
)
1861 [SSL3_BUFFER_get_offset(thiswb
)]),
1862 (unsigned int)SSL3_BUFFER_get_left(thiswb
));
1865 if (i
== 0 && BIO_should_retry(rl
->bio
))
1866 ret
= OSSL_RECORD_RETURN_RETRY
;
1868 ret
= OSSL_RECORD_RETURN_SUCCESS
;
1870 if (BIO_should_retry(rl
->bio
))
1871 ret
= OSSL_RECORD_RETURN_RETRY
;
1873 ret
= OSSL_RECORD_RETURN_FATAL
;
1876 RLAYERfatal(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_BIO_NOT_SET
);
1877 ret
= OSSL_RECORD_RETURN_FATAL
;
1882 * When an empty fragment is sent on a connection using KTLS,
1883 * it is sent as a write of zero bytes. If this zero byte
1884 * write succeeds, i will be 0 rather than a non-zero value.
1885 * Treat i == 0 as success rather than an error for zero byte
1886 * writes to permit this case.
1888 if (i
>= 0 && tmpwrit
== SSL3_BUFFER_get_left(thiswb
)) {
1889 SSL3_BUFFER_set_left(thiswb
, 0);
1890 SSL3_BUFFER_add_offset(thiswb
, tmpwrit
);
1891 if (++(rl
->nextwbuf
) < rl
->numwpipes
)
1894 if (rl
->nextwbuf
== rl
->numwpipes
1895 && (rl
->mode
& SSL_MODE_RELEASE_BUFFERS
) != 0)
1896 tls_release_write_buffer(rl
);
1897 return OSSL_RECORD_RETURN_SUCCESS
;
1898 } else if (i
<= 0) {
1901 * For DTLS, just drop it. That's kind of the whole point in
1902 * using a datagram service
1904 SSL3_BUFFER_set_left(thiswb
, 0);
1905 if (++(rl
->nextwbuf
) == rl
->numwpipes
1906 && (rl
->mode
& SSL_MODE_RELEASE_BUFFERS
) != 0)
1907 tls_release_write_buffer(rl
);
1912 SSL3_BUFFER_add_offset(thiswb
, tmpwrit
);
1913 SSL3_BUFFER_sub_left(thiswb
, tmpwrit
);
1917 int tls_get_alert_code(OSSL_RECORD_LAYER
*rl
)
1922 int tls_set1_bio(OSSL_RECORD_LAYER
*rl
, BIO
*bio
)
1924 if (bio
!= NULL
&& !BIO_up_ref(bio
))
1932 /* Shared by most methods except tlsany_meth */
1933 int tls_default_set_protocol_version(OSSL_RECORD_LAYER
*rl
, int version
)
1935 if (rl
->version
!= version
)
1941 int tls_set_protocol_version(OSSL_RECORD_LAYER
*rl
, int version
)
1943 return rl
->funcs
->set_protocol_version(rl
, version
);
1946 void tls_set_plain_alerts(OSSL_RECORD_LAYER
*rl
, int allow
)
1948 rl
->allow_plain_alerts
= allow
;
1951 void tls_set_first_handshake(OSSL_RECORD_LAYER
*rl
, int first
)
1953 rl
->is_first_handshake
= first
;
1956 void tls_set_max_pipelines(OSSL_RECORD_LAYER
*rl
, size_t max_pipelines
)
1958 rl
->max_pipelines
= max_pipelines
;
1959 if (max_pipelines
> 1)
1963 void tls_get_state(OSSL_RECORD_LAYER
*rl
, const char **shortstr
,
1964 const char **longstr
)
1966 const char *shrt
, *lng
;
1968 switch (rl
->rstate
) {
1969 case SSL_ST_READ_HEADER
:
1971 lng
= "read header";
1973 case SSL_ST_READ_BODY
:
1978 shrt
= lng
= "unknown";
1981 if (shortstr
!= NULL
)
1983 if (longstr
!= NULL
)
1987 const COMP_METHOD
*tls_get_compression(OSSL_RECORD_LAYER
*rl
)
1989 #ifndef OPENSSL_NO_COMP
1990 return (rl
->compctx
== NULL
) ? NULL
: COMP_CTX_get_method(rl
->compctx
);
1996 void tls_set_max_frag_len(OSSL_RECORD_LAYER
*rl
, size_t max_frag_len
)
1998 rl
->max_frag_len
= max_frag_len
;
2000 * We don't need to adjust buffer sizes. Write buffer sizes are
2001 * automatically checked anyway. We should only be changing the read buffer
2002 * size during the handshake, so we will create a new buffer when we create
2003 * the new record layer. We can't change the existing buffer because it may
2004 * already have data in it.
2008 const OSSL_RECORD_METHOD ossl_tls_record_method
= {
2009 tls_new_record_layer
,
2012 tls_unprocessed_read_pending
,
2013 tls_processed_read_pending
,
2014 tls_app_data_pending
,
2016 tls_get_max_record_len
,
2017 tls_get_max_records
,
2019 tls_retry_write_records
,
2024 tls_set_protocol_version
,
2025 tls_set_plain_alerts
,
2026 tls_set_first_handshake
,
2027 tls_set_max_pipelines
,
2031 tls_get_compression
,
2032 tls_set_max_frag_len