]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/record/methods/tls_common.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Introduce a step to prepare the BIO before writing
[thirdparty/openssl.git] / ssl / record / methods / tls_common.c
1 /*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <assert.h>
11 #include <openssl/bio.h>
12 #include <openssl/ssl.h>
13 #include <openssl/err.h>
14 #include <openssl/core_names.h>
15 #include <openssl/comp.h>
16 #include <openssl/ssl.h>
17 #include "internal/e_os.h"
18 #include "internal/packet.h"
19 #include "../../ssl_local.h"
20 #include "../record_local.h"
21 #include "recmethod_local.h"
22
23 static void tls_int_free(OSSL_RECORD_LAYER *rl);
24
25 void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
26 const char *fmt, ...)
27 {
28 va_list args;
29
30 va_start(args, fmt);
31 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
32 va_end(args);
33
34 rl->alert = al;
35 }
36
37 int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
38 EVP_CIPHER_CTX *ctx,
39 const EVP_CIPHER *ciph,
40 const EVP_MD *md)
41 {
42 /*
43 * Provided cipher, the TLS padding/MAC removal is performed provider
44 * side so we need to tell the ctx about our TLS version and mac size
45 */
46 OSSL_PARAM params[3], *pprm = params;
47 size_t macsize = 0;
48 int imacsize = -1;
49
50 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
51 && !rl->use_etm)
52 imacsize = EVP_MD_get_size(md);
53 if (imacsize >= 0)
54 macsize = (size_t)imacsize;
55
56 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
57 &rl->version);
58 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
59 &macsize);
60 *pprm = OSSL_PARAM_construct_end();
61
62 if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
63 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
64 return 0;
65 }
66
67 return 1;
68 }
69
70 /*
71 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
72 * which ssl3_cbc_digest_record supports.
73 */
74 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
75 {
76 switch (EVP_MD_CTX_get_type(ctx)) {
77 case NID_md5:
78 case NID_sha1:
79 case NID_sha224:
80 case NID_sha256:
81 case NID_sha384:
82 case NID_sha512:
83 return 1;
84 default:
85 return 0;
86 }
87 }
88
89 #ifndef OPENSSL_NO_COMP
90 static int tls_allow_compression(OSSL_RECORD_LAYER *rl)
91 {
92 if (rl->options & SSL_OP_NO_COMPRESSION)
93 return 0;
94
95 return rl->security == NULL
96 || rl->security(rl->cbarg, SSL_SECOP_COMPRESSION, 0, 0, NULL);
97 }
98 #endif
99
100 static void tls_release_write_buffer_int(OSSL_RECORD_LAYER *rl, size_t start)
101 {
102 SSL3_BUFFER *wb;
103 size_t pipes;
104
105 pipes = rl->numwpipes;
106
107 while (pipes > start) {
108 wb = &rl->wbuf[pipes - 1];
109
110 if (SSL3_BUFFER_is_app_buffer(wb))
111 SSL3_BUFFER_set_app_buffer(wb, 0);
112 else
113 OPENSSL_free(wb->buf);
114 wb->buf = NULL;
115 pipes--;
116 }
117 }
118
119 int tls_setup_write_buffer(OSSL_RECORD_LAYER *rl, size_t numwpipes,
120 size_t firstlen, size_t nextlen)
121 {
122 unsigned char *p;
123 size_t align = 0, headerlen;
124 SSL3_BUFFER *wb;
125 size_t currpipe;
126 size_t defltlen = 0;
127
128 if (firstlen == 0 || (numwpipes > 1 && nextlen == 0)) {
129 if (rl->isdtls)
130 headerlen = DTLS1_RT_HEADER_LENGTH + 1;
131 else
132 headerlen = SSL3_RT_HEADER_LENGTH;
133
134 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
135 align = SSL3_ALIGN_PAYLOAD - 1;
136 #endif
137
138 defltlen = rl->max_frag_len + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
139 + headerlen + align;
140 #ifndef OPENSSL_NO_COMP
141 if (tls_allow_compression(rl))
142 defltlen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
143 #endif
144 if (!(rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
145 defltlen += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
146 }
147
148 wb = rl->wbuf;
149 for (currpipe = 0; currpipe < numwpipes; currpipe++) {
150 SSL3_BUFFER *thiswb = &wb[currpipe];
151 size_t len = (currpipe == 0) ? firstlen : nextlen;
152
153 if (len == 0)
154 len = defltlen;
155
156 if (thiswb->len != len) {
157 OPENSSL_free(thiswb->buf);
158 thiswb->buf = NULL; /* force reallocation */
159 }
160
161 p = thiswb->buf;
162 if (p == NULL) {
163 p = OPENSSL_malloc(len);
164 if (p == NULL) {
165 if (rl->numwpipes < currpipe)
166 rl->numwpipes = currpipe;
167 /*
168 * We've got a malloc failure, and we're still initialising
169 * buffers. We assume we're so doomed that we won't even be able
170 * to send an alert.
171 */
172 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
173 return 0;
174 }
175 }
176 memset(thiswb, 0, sizeof(SSL3_BUFFER));
177 thiswb->buf = p;
178 thiswb->len = len;
179 }
180
181 /* Free any previously allocated buffers that we are no longer using */
182 tls_release_write_buffer_int(rl, currpipe);
183
184 rl->numwpipes = numwpipes;
185
186 return 1;
187 }
188
189 static void tls_release_write_buffer(OSSL_RECORD_LAYER *rl)
190 {
191 tls_release_write_buffer_int(rl, 0);
192
193 rl->numwpipes = 0;
194 }
195
196 int tls_setup_read_buffer(OSSL_RECORD_LAYER *rl)
197 {
198 unsigned char *p;
199 size_t len, align = 0, headerlen;
200 SSL3_BUFFER *b;
201
202 b = &rl->rbuf;
203
204 if (rl->isdtls)
205 headerlen = DTLS1_RT_HEADER_LENGTH;
206 else
207 headerlen = SSL3_RT_HEADER_LENGTH;
208
209 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
210 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
211 #endif
212
213 if (b->buf == NULL) {
214 len = rl->max_frag_len
215 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
216 #ifndef OPENSSL_NO_COMP
217 if (tls_allow_compression(rl))
218 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
219 #endif
220 if (b->default_len > len)
221 len = b->default_len;
222 if ((p = OPENSSL_malloc(len)) == NULL) {
223 /*
224 * We've got a malloc failure, and we're still initialising buffers.
225 * We assume we're so doomed that we won't even be able to send an
226 * alert.
227 */
228 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
229 return 0;
230 }
231 b->buf = p;
232 b->len = len;
233 }
234
235 return 1;
236 }
237
238 static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
239 {
240 SSL3_BUFFER *b;
241
242 b = &rl->rbuf;
243 if ((rl->options & SSL_OP_CLEANSE_PLAINTEXT) != 0)
244 OPENSSL_cleanse(b->buf, b->len);
245 OPENSSL_free(b->buf);
246 b->buf = NULL;
247 return 1;
248 }
249
250 /*
251 * Return values are as per SSL_read()
252 */
253 int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
254 int clearold, size_t *readbytes)
255 {
256 /*
257 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
258 * packet by another n bytes. The packet will be in the sub-array of
259 * rl->rbuf.buf specified by rl->packet and rl->packet_length. (If
260 * rl->read_ahead is set, 'max' bytes may be stored in rbuf [plus
261 * rl->packet_length bytes if extend == 1].) if clearold == 1, move the
262 * packet to the start of the buffer; if clearold == 0 then leave any old
263 * packets where they were
264 */
265 size_t len, left, align = 0;
266 unsigned char *pkt;
267 SSL3_BUFFER *rb;
268
269 if (n == 0)
270 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
271
272 rb = &rl->rbuf;
273 left = rb->left;
274 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
275 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
276 align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
277 #endif
278
279 if (!extend) {
280 /* start with empty packet ... */
281 if (left == 0) {
282 rb->offset = align;
283 } else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {
284 /*
285 * check if next packet length is large enough to justify payload
286 * alignment...
287 */
288 pkt = rb->buf + rb->offset;
289 if (pkt[0] == SSL3_RT_APPLICATION_DATA
290 && (pkt[3] << 8 | pkt[4]) >= 128) {
291 /*
292 * Note that even if packet is corrupted and its length field
293 * is insane, we can only be led to wrong decision about
294 * whether memmove will occur or not. Header values has no
295 * effect on memmove arguments and therefore no buffer
296 * overrun can be triggered.
297 */
298 memmove(rb->buf + align, pkt, left);
299 rb->offset = align;
300 }
301 }
302 rl->packet = rb->buf + rb->offset;
303 rl->packet_length = 0;
304 /* ... now we can act as if 'extend' was set */
305 }
306
307 len = rl->packet_length;
308 pkt = rb->buf + align;
309 /*
310 * Move any available bytes to front of buffer: 'len' bytes already
311 * pointed to by 'packet', 'left' extra ones at the end
312 */
313 if (rl->packet != pkt && clearold == 1) {
314 memmove(pkt, rl->packet, len + left);
315 rl->packet = pkt;
316 rb->offset = len + align;
317 }
318
319 /*
320 * For DTLS/UDP reads should not span multiple packets because the read
321 * operation returns the whole packet at once (as long as it fits into
322 * the buffer).
323 */
324 if (rl->isdtls) {
325 if (left == 0 && extend)
326 return 0;
327 if (left > 0 && n > left)
328 n = left;
329 }
330
331 /* if there is enough in the buffer from a previous read, take some */
332 if (left >= n) {
333 rl->packet_length += n;
334 rb->left = left - n;
335 rb->offset += n;
336 *readbytes = n;
337 return OSSL_RECORD_RETURN_SUCCESS;
338 }
339
340 /* else we need to read more data */
341
342 if (n > rb->len - rb->offset) {
343 /* does not happen */
344 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
345 return OSSL_RECORD_RETURN_FATAL;
346 }
347
348 /* We always act like read_ahead is set for DTLS */
349 if (!rl->read_ahead && !rl->isdtls) {
350 /* ignore max parameter */
351 max = n;
352 } else {
353 if (max < n)
354 max = n;
355 if (max > rb->len - rb->offset)
356 max = rb->len - rb->offset;
357 }
358
359 while (left < n) {
360 size_t bioread = 0;
361 int ret;
362 BIO *bio = rl->prev != NULL ? rl->prev : rl->bio;
363
364 /*
365 * Now we have len+left bytes at the front of rl->rbuf.buf and
366 * need to read in more until we have len + n (up to len + max if
367 * possible)
368 */
369
370 clear_sys_error();
371 if (bio != NULL) {
372 ret = BIO_read(bio, pkt + len + left, max - left);
373 if (ret > 0) {
374 bioread = ret;
375 ret = OSSL_RECORD_RETURN_SUCCESS;
376 } else if (BIO_should_retry(bio)) {
377 if (rl->prev != NULL) {
378 /*
379 * We were reading from the previous epoch. Now there is no
380 * more data, so swap to the actual transport BIO
381 */
382 BIO_free(rl->prev);
383 rl->prev = NULL;
384 continue;
385 }
386 ret = OSSL_RECORD_RETURN_RETRY;
387 } else if (BIO_eof(bio)) {
388 ret = OSSL_RECORD_RETURN_EOF;
389 } else {
390 ret = OSSL_RECORD_RETURN_FATAL;
391 }
392 } else {
393 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
394 ret = OSSL_RECORD_RETURN_FATAL;
395 }
396
397 if (ret <= OSSL_RECORD_RETURN_RETRY) {
398 rb->left = left;
399 if ((rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0 && !rl->isdtls)
400 if (len + left == 0)
401 tls_release_read_buffer(rl);
402 return ret;
403 }
404 left += bioread;
405 /*
406 * reads should *never* span multiple packets for DTLS because the
407 * underlying transport protocol is message oriented as opposed to
408 * byte oriented as in the TLS case.
409 */
410 if (rl->isdtls) {
411 if (n > left)
412 n = left; /* makes the while condition false */
413 }
414 }
415
416 /* done reading, now the book-keeping */
417 rb->offset += n;
418 rb->left = left - n;
419 rl->packet_length += n;
420 *readbytes = n;
421 return OSSL_RECORD_RETURN_SUCCESS;
422 }
423
424 /*
425 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
426 * for us in the buffer.
427 */
428 static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
429 {
430 SSL3_BUFFER *rbuf;
431 size_t left, len;
432 unsigned char *p;
433
434 rbuf = &rl->rbuf;
435
436 p = SSL3_BUFFER_get_buf(rbuf);
437 if (p == NULL)
438 return 0;
439
440 left = SSL3_BUFFER_get_left(rbuf);
441
442 if (left < SSL3_RT_HEADER_LENGTH)
443 return 0;
444
445 p += SSL3_BUFFER_get_offset(rbuf);
446
447 /*
448 * We only check the type and record length, we will sanity check version
449 * etc later
450 */
451 if (*p != SSL3_RT_APPLICATION_DATA)
452 return 0;
453
454 p += 3;
455 n2s(p, len);
456
457 if (left < SSL3_RT_HEADER_LENGTH + len)
458 return 0;
459
460 return 1;
461 }
462
463 static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length,
464 size_t overhead, int send)
465 {
466 uint32_t max_early_data = rl->max_early_data;
467
468 if (max_early_data == 0) {
469 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
470 SSL_R_TOO_MUCH_EARLY_DATA);
471 return 0;
472 }
473
474 /* If we are dealing with ciphertext we need to allow for the overhead */
475 max_early_data += overhead;
476
477 if (rl->early_data_count + length > max_early_data) {
478 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
479 SSL_R_TOO_MUCH_EARLY_DATA);
480 return 0;
481 }
482 rl->early_data_count += length;
483
484 return 1;
485 }
486
487 /*
488 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
489 * will be processed per call to tls_get_more_records. Without this limit an
490 * attacker could send empty records at a faster rate than we can process and
491 * cause tls_get_more_records to loop forever.
492 */
493 #define MAX_EMPTY_RECORDS 32
494
495 #define SSL2_RT_HEADER_LENGTH 2
496
497 /*-
498 * Call this to buffer new input records in rl->rrec.
499 * It will return a OSSL_RECORD_RETURN_* value.
500 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
501 * records have been decoded. For each record 'i':
502 * rrec[i].type - is the type of record
503 * rrec[i].data, - data
504 * rrec[i].length, - number of bytes
505 * Multiple records will only be returned if the record types are all
506 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
507 * |max_pipelines|
508 */
509 int tls_get_more_records(OSSL_RECORD_LAYER *rl)
510 {
511 int enc_err, rret;
512 int i;
513 size_t more, n;
514 SSL3_RECORD *rr, *thisrr;
515 SSL3_BUFFER *rbuf;
516 unsigned char *p;
517 unsigned char md[EVP_MAX_MD_SIZE];
518 unsigned int version;
519 size_t mac_size = 0;
520 int imac_size;
521 size_t num_recs = 0, max_recs, j;
522 PACKET pkt, sslv2pkt;
523 SSL_MAC_BUF *macbufs = NULL;
524 int ret = OSSL_RECORD_RETURN_FATAL;
525
526 rr = rl->rrec;
527 rbuf = &rl->rbuf;
528 if (rbuf->buf == NULL) {
529 if (!tls_setup_read_buffer(rl)) {
530 /* RLAYERfatal() already called */
531 return OSSL_RECORD_RETURN_FATAL;
532 }
533 }
534
535 max_recs = rl->max_pipelines;
536
537 if (max_recs == 0)
538 max_recs = 1;
539
540 do {
541 thisrr = &rr[num_recs];
542
543 /* check if we have the header */
544 if ((rl->rstate != SSL_ST_READ_BODY) ||
545 (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
546 size_t sslv2len;
547 unsigned int type;
548
549 rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH,
550 SSL3_BUFFER_get_len(rbuf), 0,
551 num_recs == 0 ? 1 : 0, &n);
552
553 if (rret < OSSL_RECORD_RETURN_SUCCESS)
554 return rret; /* error or non-blocking */
555
556 rl->rstate = SSL_ST_READ_BODY;
557
558 p = rl->packet;
559 if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
560 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
561 return OSSL_RECORD_RETURN_FATAL;
562 }
563 sslv2pkt = pkt;
564 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
565 || !PACKET_get_1(&sslv2pkt, &type)) {
566 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
567 return OSSL_RECORD_RETURN_FATAL;
568 }
569 /*
570 * The first record received by the server may be a V2ClientHello.
571 */
572 if (rl->role == OSSL_RECORD_ROLE_SERVER
573 && rl->is_first_record
574 && (sslv2len & 0x8000) != 0
575 && (type == SSL2_MT_CLIENT_HELLO)) {
576 /*
577 * SSLv2 style record
578 *
579 * |num_recs| here will actually always be 0 because
580 * |num_recs > 0| only ever occurs when we are processing
581 * multiple app data records - which we know isn't the case here
582 * because it is an SSLv2ClientHello. We keep it using
583 * |num_recs| for the sake of consistency
584 */
585 thisrr->type = SSL3_RT_HANDSHAKE;
586 thisrr->rec_version = SSL2_VERSION;
587
588 thisrr->length = sslv2len & 0x7fff;
589
590 if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
591 - SSL2_RT_HEADER_LENGTH) {
592 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
593 SSL_R_PACKET_LENGTH_TOO_LONG);
594 return OSSL_RECORD_RETURN_FATAL;
595 }
596 } else {
597 /* SSLv3+ style record */
598
599 /* Pull apart the header into the SSL3_RECORD */
600 if (!PACKET_get_1(&pkt, &type)
601 || !PACKET_get_net_2(&pkt, &version)
602 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
603 if (rl->msg_callback != NULL)
604 rl->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, rl->cbarg);
605 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
606 return OSSL_RECORD_RETURN_FATAL;
607 }
608 thisrr->type = type;
609 thisrr->rec_version = version;
610
611 /*
612 * When we call validate_record_header() only records actually
613 * received in SSLv2 format should have the record version set
614 * to SSL2_VERSION. This way validate_record_header() can know
615 * what format the record was in based on the version.
616 */
617 if (thisrr->rec_version == SSL2_VERSION) {
618 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
619 SSL_R_WRONG_VERSION_NUMBER);
620 return OSSL_RECORD_RETURN_FATAL;
621 }
622
623 if (rl->msg_callback != NULL)
624 rl->msg_callback(0, version, SSL3_RT_HEADER, p, 5, rl->cbarg);
625
626 if (thisrr->length >
627 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
628 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
629 SSL_R_PACKET_LENGTH_TOO_LONG);
630 return OSSL_RECORD_RETURN_FATAL;
631 }
632 }
633
634 if (!rl->funcs->validate_record_header(rl, thisrr)) {
635 /* RLAYERfatal already called */
636 return OSSL_RECORD_RETURN_FATAL;
637 }
638
639 /* now rl->rstate == SSL_ST_READ_BODY */
640 }
641
642 /*
643 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
644 * how much more data we need to read for the rest of the record
645 */
646 if (thisrr->rec_version == SSL2_VERSION) {
647 more = thisrr->length + SSL2_RT_HEADER_LENGTH
648 - SSL3_RT_HEADER_LENGTH;
649 } else {
650 more = thisrr->length;
651 }
652
653 if (more > 0) {
654 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
655
656 rret = rl->funcs->read_n(rl, more, more, 1, 0, &n);
657 if (rret < OSSL_RECORD_RETURN_SUCCESS)
658 return rret; /* error or non-blocking io */
659 }
660
661 /* set state for later operations */
662 rl->rstate = SSL_ST_READ_HEADER;
663
664 /*
665 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
666 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
667 * + thisrr->length and we have that many bytes in rl->packet
668 */
669 if (thisrr->rec_version == SSL2_VERSION)
670 thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
671 else
672 thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
673
674 /*
675 * ok, we can now read from 'rl->packet' data into 'thisrr'.
676 * thisrr->input points at thisrr->length bytes, which need to be copied
677 * into thisrr->data by either the decryption or by the decompression.
678 * When the data is 'copied' into the thisrr->data buffer,
679 * thisrr->input will be updated to point at the new buffer
680 */
681
682 /*
683 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
684 * thisrr->length bytes of encrypted compressed stuff.
685 */
686
687 /* decrypt in place in 'thisrr->input' */
688 thisrr->data = thisrr->input;
689 thisrr->orig_len = thisrr->length;
690
691 num_recs++;
692
693 /* we have pulled in a full packet so zero things */
694 rl->packet_length = 0;
695 rl->is_first_record = 0;
696 } while (num_recs < max_recs
697 && thisrr->type == SSL3_RT_APPLICATION_DATA
698 && RLAYER_USE_EXPLICIT_IV(rl)
699 && rl->enc_ctx != NULL
700 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
701 & EVP_CIPH_FLAG_PIPELINE) != 0
702 && tls_record_app_data_waiting(rl));
703
704 if (num_recs == 1
705 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
706 /* The following can happen in tlsany_meth after HRR */
707 && rl->version == TLS1_3_VERSION
708 && rl->is_first_handshake) {
709 /*
710 * CCS messages must be exactly 1 byte long, containing the value 0x01
711 */
712 if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
713 RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER,
714 SSL_R_INVALID_CCS_MESSAGE);
715 return OSSL_RECORD_RETURN_FATAL;
716 }
717 /*
718 * CCS messages are ignored in TLSv1.3. We treat it like an empty
719 * handshake record
720 */
721 thisrr->type = SSL3_RT_HANDSHAKE;
722 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
723 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
724 SSL_R_UNEXPECTED_CCS_MESSAGE);
725 return OSSL_RECORD_RETURN_FATAL;
726 }
727 rl->num_recs = 0;
728 rl->curr_rec = 0;
729 rl->num_released = 0;
730
731 return OSSL_RECORD_RETURN_SUCCESS;
732 }
733
734 if (rl->md_ctx != NULL) {
735 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
736
737 if (tmpmd != NULL) {
738 imac_size = EVP_MD_get_size(tmpmd);
739 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
740 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
741 return OSSL_RECORD_RETURN_FATAL;
742 }
743 mac_size = (size_t)imac_size;
744 }
745 }
746
747 /*
748 * If in encrypt-then-mac mode calculate mac from encrypted record. All
749 * the details below are public so no timing details can leak.
750 */
751 if (rl->use_etm && rl->md_ctx) {
752 unsigned char *mac;
753
754 for (j = 0; j < num_recs; j++) {
755 thisrr = &rr[j];
756
757 if (thisrr->length < mac_size) {
758 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
759 return OSSL_RECORD_RETURN_FATAL;
760 }
761 thisrr->length -= mac_size;
762 mac = thisrr->data + thisrr->length;
763 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
764 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
765 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
766 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
767 return OSSL_RECORD_RETURN_FATAL;
768 }
769 }
770 /*
771 * We've handled the mac now - there is no MAC inside the encrypted
772 * record
773 */
774 mac_size = 0;
775 }
776
777 if (mac_size > 0) {
778 macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
779 if (macbufs == NULL) {
780 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
781 return OSSL_RECORD_RETURN_FATAL;
782 }
783 }
784
785 enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size);
786
787 /*-
788 * enc_err is:
789 * 0: if the record is publicly invalid, or an internal error, or AEAD
790 * decryption failed, or ETM decryption failed.
791 * 1: Success or MTE decryption failed (MAC will be randomised)
792 */
793 if (enc_err == 0) {
794 if (rl->alert != SSL_AD_NO_ALERT) {
795 /* RLAYERfatal() already got called */
796 goto end;
797 }
798 if (num_recs == 1
799 && rl->skip_early_data != NULL
800 && rl->skip_early_data(rl->cbarg)) {
801 /*
802 * Valid early_data that we cannot decrypt will fail here. We treat
803 * it like an empty record.
804 */
805
806 thisrr = &rr[0];
807
808 if (!rlayer_early_data_count_ok(rl, thisrr->length,
809 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
810 /* RLAYERfatal() already called */
811 goto end;
812 }
813
814 thisrr->length = 0;
815 rl->num_recs = 0;
816 rl->curr_rec = 0;
817 rl->num_released = 0;
818 /* Reset the read sequence */
819 memset(rl->sequence, 0, sizeof(rl->sequence));
820 ret = 1;
821 goto end;
822 }
823 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
824 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
825 goto end;
826 }
827 OSSL_TRACE_BEGIN(TLS) {
828 BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
829 BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
830 } OSSL_TRACE_END(TLS);
831
832 /* r->length is now the compressed data plus mac */
833 if (rl->enc_ctx != NULL
834 && !rl->use_etm
835 && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
836 /* rl->md_ctx != NULL => mac_size != -1 */
837
838 for (j = 0; j < num_recs; j++) {
839 SSL_MAC_BUF *thismb = &macbufs[j];
840
841 thisrr = &rr[j];
842
843 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
844 if (i == 0 || thismb == NULL || thismb->mac == NULL
845 || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
846 enc_err = 0;
847 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
848 enc_err = 0;
849 }
850 }
851
852 if (enc_err == 0) {
853 if (rl->alert != SSL_AD_NO_ALERT) {
854 /* We already called RLAYERfatal() */
855 goto end;
856 }
857 /*
858 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
859 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
860 * failure is directly visible from the ciphertext anyway, we should
861 * not reveal which kind of error occurred -- this might become
862 * visible to an attacker (e.g. via a logfile)
863 */
864 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
865 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
866 goto end;
867 }
868
869 for (j = 0; j < num_recs; j++) {
870 thisrr = &rr[j];
871
872 if (!rl->funcs->post_process_record(rl, thisrr)) {
873 /* RLAYERfatal already called */
874 goto end;
875 }
876
877 /*
878 * Check if the received packet overflows the current
879 * Max Fragment Length setting.
880 * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
881 */
882 if (thisrr->length > rl->max_frag_len) {
883 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
884 goto end;
885 }
886
887 thisrr->off = 0;
888 /*-
889 * So at this point the following is true
890 * thisrr->type is the type of record
891 * thisrr->length == number of bytes in record
892 * thisrr->off == offset to first valid byte
893 * thisrr->data == where to take bytes from, increment after use :-).
894 */
895
896 /* just read a 0 length packet */
897 if (thisrr->length == 0) {
898 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
899 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
900 SSL_R_RECORD_TOO_SMALL);
901 goto end;
902 }
903 } else {
904 rl->empty_record_count = 0;
905 }
906 }
907
908 if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) {
909 thisrr = &rr[0];
910 if (thisrr->type == SSL3_RT_APPLICATION_DATA
911 && !rlayer_early_data_count_ok(rl, thisrr->length, 0, 0)) {
912 /* RLAYERfatal already called */
913 goto end;
914 }
915 }
916
917 rl->num_recs = num_recs;
918 rl->curr_rec = 0;
919 rl->num_released = 0;
920 ret = OSSL_RECORD_RETURN_SUCCESS;
921 end:
922 if (macbufs != NULL) {
923 for (j = 0; j < num_recs; j++) {
924 if (macbufs[j].alloced)
925 OPENSSL_free(macbufs[j].mac);
926 }
927 OPENSSL_free(macbufs);
928 }
929 return ret;
930 }
931
932 /* Shared by ssl3_meth and tls1_meth */
933 int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
934 {
935 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
936
937 if (rec->rec_version != rl->version) {
938 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER);
939 return 0;
940 }
941
942 #ifndef OPENSSL_NO_COMP
943 /*
944 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
945 * does not include the compression overhead anyway.
946 */
947 if (rl->compctx == NULL)
948 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
949 #endif
950
951 if (rec->length > len) {
952 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
953 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
954 return 0;
955 }
956
957 return 1;
958 }
959
960 static int tls_do_compress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *wr)
961 {
962 #ifndef OPENSSL_NO_COMP
963 int i;
964
965 i = COMP_compress_block(rl->compctx, wr->data,
966 (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD),
967 wr->input, (int)wr->length);
968 if (i < 0)
969 return 0;
970
971 wr->length = i;
972 wr->input = wr->data;
973 return 1;
974 #else
975 return 0;
976 #endif
977 }
978
979 int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
980 {
981 #ifndef OPENSSL_NO_COMP
982 int i;
983
984 if (rec->comp == NULL) {
985 rec->comp = (unsigned char *)
986 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
987 }
988 if (rec->comp == NULL)
989 return 0;
990
991 i = COMP_expand_block(rl->compctx, rec->comp, SSL3_RT_MAX_PLAIN_LENGTH,
992 rec->data, (int)rec->length);
993 if (i < 0)
994 return 0;
995 else
996 rec->length = i;
997 rec->data = rec->comp;
998 return 1;
999 #else
1000 return 0;
1001 #endif
1002 }
1003
1004 /* Shared by tlsany_meth, ssl3_meth and tls1_meth */
1005 int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1006 {
1007 if (rl->compctx != NULL) {
1008 if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
1009 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1010 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1011 return 0;
1012 }
1013 if (!tls_do_uncompress(rl, rec)) {
1014 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
1015 SSL_R_BAD_DECOMPRESSION);
1016 return 0;
1017 }
1018 }
1019
1020 if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
1021 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
1022 return 0;
1023 }
1024
1025 return 1;
1026 }
1027
1028 /* Shared by tls13_meth and ktls_meth */
1029 int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
1030 {
1031 if (rec->type != SSL3_RT_APPLICATION_DATA
1032 && rec->type != SSL3_RT_ALERT
1033 && rec->type != SSL3_RT_HANDSHAKE) {
1034 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
1035 return 0;
1036 }
1037
1038 if (rl->msg_callback != NULL)
1039 rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &rec->type,
1040 1, rl->cbarg);
1041
1042 /*
1043 * TLSv1.3 alert and handshake records are required to be non-zero in
1044 * length.
1045 */
1046 if ((rec->type == SSL3_RT_HANDSHAKE || rec->type == SSL3_RT_ALERT)
1047 && rec->length == 0) {
1048 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
1049 return 0;
1050 }
1051
1052 return 1;
1053 }
1054
1055 int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
1056 int *type, unsigned char **data, size_t *datalen,
1057 uint16_t *epoch, unsigned char *seq_num)
1058 {
1059 SSL3_RECORD *rec;
1060
1061 /*
1062 * tls_get_more_records() can return success without actually reading
1063 * anything useful (i.e. if empty records are read). We loop here until
1064 * we have something useful. tls_get_more_records() will eventually fail if
1065 * too many sequential empty records are read.
1066 */
1067 while (rl->curr_rec >= rl->num_recs) {
1068 int ret;
1069
1070 if (rl->num_released != rl->num_recs) {
1071 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
1072 return OSSL_RECORD_RETURN_FATAL;
1073 }
1074
1075 ret = rl->funcs->get_more_records(rl);
1076
1077 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1078 return ret;
1079 }
1080
1081 /*
1082 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
1083 * points to the next one to read.
1084 */
1085 rec = &rl->rrec[rl->curr_rec++];
1086
1087 *rechandle = rec;
1088 *rversion = rec->rec_version;
1089 *type = rec->type;
1090 *data = rec->data + rec->off;
1091 *datalen = rec->length;
1092 if (rl->isdtls) {
1093 *epoch = rec->epoch;
1094 memcpy(seq_num, rec->seq_num, sizeof(rec->seq_num));
1095 }
1096
1097 return OSSL_RECORD_RETURN_SUCCESS;
1098 }
1099
1100 int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle)
1101 {
1102 if (!ossl_assert(rl->num_released < rl->curr_rec)
1103 || !ossl_assert(rechandle == &rl->rrec[rl->num_released])) {
1104 /* Should not happen */
1105 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
1106 return OSSL_RECORD_RETURN_FATAL;
1107 }
1108
1109 rl->num_released++;
1110
1111 if (rl->curr_rec == rl->num_released
1112 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0
1113 && SSL3_BUFFER_get_left(&rl->rbuf) == 0)
1114 tls_release_read_buffer(rl);
1115
1116 return OSSL_RECORD_RETURN_SUCCESS;
1117 }
1118
1119 int tls_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
1120 {
1121 const OSSL_PARAM *p;
1122
1123 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
1124 if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
1125 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1126 return 0;
1127 }
1128
1129 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
1130 if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
1131 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1132 return 0;
1133 }
1134
1135 if (rl->direction == OSSL_RECORD_DIRECTION_READ) {
1136 p = OSSL_PARAM_locate_const(options,
1137 OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN);
1138 if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->rbuf.default_len)) {
1139 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1140 return 0;
1141 }
1142 } else {
1143 p = OSSL_PARAM_locate_const(options,
1144 OSSL_LIBSSL_RECORD_LAYER_PARAM_BLOCK_PADDING);
1145 if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->block_padding)) {
1146 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1147 return 0;
1148 }
1149 }
1150
1151 if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) {
1152 /*
1153 * We ignore any read_ahead setting prior to the application protection
1154 * level. Otherwise we may read ahead data in a lower protection level
1155 * that is destined for a higher protection level. To simplify the logic
1156 * we don't support that at this stage.
1157 */
1158 p = OSSL_PARAM_locate_const(options,
1159 OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
1160 if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
1161 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1162 return 0;
1163 }
1164 }
1165
1166 return 1;
1167 }
1168
1169 int
1170 tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1171 int role, int direction, int level, unsigned char *key,
1172 size_t keylen, unsigned char *iv, size_t ivlen,
1173 unsigned char *mackey, size_t mackeylen,
1174 const EVP_CIPHER *ciph, size_t taglen,
1175 int mactype,
1176 const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
1177 BIO *transport, BIO *next, BIO_ADDR *local,
1178 BIO_ADDR *peer, const OSSL_PARAM *settings,
1179 const OSSL_PARAM *options,
1180 const OSSL_DISPATCH *fns, void *cbarg,
1181 OSSL_RECORD_LAYER **retrl)
1182 {
1183 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
1184 const OSSL_PARAM *p;
1185
1186 *retrl = NULL;
1187
1188 if (rl == NULL)
1189 return OSSL_RECORD_RETURN_FATAL;
1190
1191 /*
1192 * Default the value for max_frag_len. This may be overridden by the
1193 * settings
1194 */
1195 rl->max_frag_len = SSL3_RT_MAX_PLAIN_LENGTH;
1196
1197 /* Loop through all the settings since they must all be understood */
1198 if (settings != NULL) {
1199 for (p = settings; p->key != NULL; p++) {
1200 if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) {
1201 if (!OSSL_PARAM_get_int(p, &rl->use_etm)) {
1202 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1203 goto err;
1204 }
1205 } else if (strcmp(p->key,
1206 OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) {
1207 if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) {
1208 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1209 goto err;
1210 }
1211 } else if (strcmp(p->key,
1212 OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) {
1213 if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) {
1214 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1215 goto err;
1216 }
1217 } else if (strcmp(p->key,
1218 OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) {
1219 if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) {
1220 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1221 goto err;
1222 }
1223 } else if (strcmp(p->key,
1224 OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) {
1225 if (!OSSL_PARAM_get_int(p, &rl->tlstree)) {
1226 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1227 goto err;
1228 }
1229 } else {
1230 ERR_raise(ERR_LIB_SSL, SSL_R_UNKNOWN_MANDATORY_PARAMETER);
1231 goto err;
1232 }
1233 }
1234 }
1235
1236 rl->libctx = libctx;
1237 rl->propq = propq;
1238
1239 rl->version = vers;
1240 rl->role = role;
1241 rl->direction = direction;
1242 rl->level = level;
1243
1244 rl->alert = SSL_AD_NO_ALERT;
1245
1246 if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
1247 rl->is_first_record = 1;
1248
1249 if (!tls_set1_bio(rl, transport))
1250 goto err;
1251
1252 if (prev != NULL && !BIO_up_ref(prev))
1253 goto err;
1254 rl->prev = prev;
1255
1256 if (next != NULL && !BIO_up_ref(next))
1257 goto err;
1258 rl->next = next;
1259
1260 rl->cbarg = cbarg;
1261 if (fns != NULL) {
1262 for (; fns->function_id != 0; fns++) {
1263 switch (fns->function_id) {
1264 case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA:
1265 rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns);
1266 break;
1267 case OSSL_FUNC_RLAYER_MSG_CALLBACK:
1268 rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
1269 break;
1270 case OSSL_FUNC_RLAYER_SECURITY:
1271 rl->security = OSSL_FUNC_rlayer_security(fns);
1272 break;
1273 case OSSL_FUNC_RLAYER_PADDING:
1274 rl->padding = OSSL_FUNC_rlayer_padding(fns);
1275 default:
1276 /* Just ignore anything we don't understand */
1277 break;
1278 }
1279 }
1280 }
1281
1282 if (!tls_set_options(rl, options)) {
1283 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1284 goto err;
1285 }
1286
1287 if ((rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0
1288 && rl->version <= TLS1_VERSION
1289 && !EVP_CIPHER_is_a(ciph, "NULL")
1290 && !EVP_CIPHER_is_a(ciph, "RC4")) {
1291 /*
1292 * Enable vulnerability countermeasure for CBC ciphers with known-IV
1293 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
1294 */
1295 rl->need_empty_fragments = 1;
1296 }
1297
1298 *retrl = rl;
1299 return OSSL_RECORD_RETURN_SUCCESS;
1300 err:
1301 tls_int_free(rl);
1302 return OSSL_RECORD_RETURN_FATAL;
1303 }
1304
1305 static int
1306 tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1307 int role, int direction, int level, uint16_t epoch,
1308 unsigned char *key, size_t keylen, unsigned char *iv,
1309 size_t ivlen, unsigned char *mackey, size_t mackeylen,
1310 const EVP_CIPHER *ciph, size_t taglen,
1311 int mactype,
1312 const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
1313 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
1314 const OSSL_PARAM *settings, const OSSL_PARAM *options,
1315 const OSSL_DISPATCH *fns, void *cbarg,
1316 OSSL_RECORD_LAYER **retrl)
1317 {
1318 int ret;
1319
1320 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
1321 key, keylen, iv, ivlen, mackey, mackeylen,
1322 ciph, taglen, mactype, md, comp, prev,
1323 transport, next, local, peer, settings,
1324 options, fns, cbarg, retrl);
1325
1326 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1327 return ret;
1328
1329 switch (vers) {
1330 case TLS_ANY_VERSION:
1331 (*retrl)->funcs = &tls_any_funcs;
1332 break;
1333 case TLS1_3_VERSION:
1334 (*retrl)->funcs = &tls_1_3_funcs;
1335 break;
1336 case TLS1_2_VERSION:
1337 case TLS1_1_VERSION:
1338 case TLS1_VERSION:
1339 (*retrl)->funcs = &tls_1_funcs;
1340 break;
1341 case SSL3_VERSION:
1342 (*retrl)->funcs = &ssl_3_0_funcs;
1343 break;
1344 default:
1345 /* Should not happen */
1346 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
1347 ret = OSSL_RECORD_RETURN_FATAL;
1348 goto err;
1349 }
1350
1351 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
1352 ivlen, mackey, mackeylen, ciph,
1353 taglen, mactype, md, comp);
1354
1355 err:
1356 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
1357 OPENSSL_free(*retrl);
1358 *retrl = NULL;
1359 }
1360 return ret;
1361 }
1362
1363 static void tls_int_free(OSSL_RECORD_LAYER *rl)
1364 {
1365 BIO_free(rl->prev);
1366 BIO_free(rl->bio);
1367 BIO_free(rl->next);
1368 SSL3_BUFFER_release(&rl->rbuf);
1369
1370 tls_release_write_buffer(rl);
1371
1372 EVP_CIPHER_CTX_free(rl->enc_ctx);
1373 EVP_MD_CTX_free(rl->md_ctx);
1374 #ifndef OPENSSL_NO_COMP
1375 COMP_CTX_free(rl->compctx);
1376 #endif
1377
1378 if (rl->version == SSL3_VERSION)
1379 OPENSSL_cleanse(rl->mac_secret, sizeof(rl->mac_secret));
1380
1381 SSL3_RECORD_release(rl->rrec, SSL_MAX_PIPELINES);
1382
1383 OPENSSL_free(rl);
1384 }
1385
1386 int tls_free(OSSL_RECORD_LAYER *rl)
1387 {
1388 SSL3_BUFFER *rbuf;
1389 size_t left, written;
1390 int ret = 1;
1391
1392 rbuf = &rl->rbuf;
1393
1394 left = SSL3_BUFFER_get_left(rbuf);
1395 if (left > 0) {
1396 /*
1397 * This record layer is closing but we still have data left in our
1398 * buffer. It must be destined for the next epoch - so push it there.
1399 */
1400 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
1401 }
1402 tls_int_free(rl);
1403
1404 return ret;
1405 }
1406
1407 int tls_reset(OSSL_RECORD_LAYER *rl)
1408 {
1409 memset(rl, 0, sizeof(*rl));
1410 return 1;
1411 }
1412
1413 int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
1414 {
1415 return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
1416 }
1417
1418 int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
1419 {
1420 return rl->curr_rec < rl->num_recs;
1421 }
1422
1423 size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
1424 {
1425 size_t i;
1426 size_t num = 0;
1427
1428 for (i = rl->curr_rec; i < rl->num_recs; i++) {
1429 if (rl->rrec[i].type != SSL3_RT_APPLICATION_DATA)
1430 return num;
1431 num += rl->rrec[i].length;
1432 }
1433 return num;
1434 }
1435
1436 int tls_write_pending(OSSL_RECORD_LAYER *rl)
1437 {
1438 return 0;
1439 }
1440
1441 size_t tls_get_max_record_len(OSSL_RECORD_LAYER *rl)
1442 {
1443 return 0;
1444 }
1445
1446 size_t tls_get_max_records_default(OSSL_RECORD_LAYER *rl, int type, size_t len,
1447 size_t maxfrag, size_t *preffrag)
1448 {
1449 /*
1450 * TODO(RECLAYER): There is no test for the pipelining code. We should add
1451 * one.
1452 */
1453 /*
1454 * If we have a pipeline capable cipher, and we have been configured to use
1455 * it, then return the preferred number of pipelines.
1456 */
1457 if (rl->max_pipelines > 0
1458 && rl->enc_ctx != NULL
1459 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
1460 & EVP_CIPH_FLAG_PIPELINE) != 0
1461 && RLAYER_USE_EXPLICIT_IV(rl)) {
1462 size_t pipes;
1463
1464 if (len == 0)
1465 return 1;
1466 pipes = ((len - 1) / *preffrag) + 1;
1467
1468 return (pipes < rl->max_pipelines) ? pipes : rl->max_pipelines;
1469 }
1470
1471 return 1;
1472 }
1473
1474 size_t tls_get_max_records(OSSL_RECORD_LAYER *rl, int type, size_t len,
1475 size_t maxfrag, size_t *preffrag)
1476 {
1477 return rl->funcs->get_max_records(rl, type, len, maxfrag, preffrag);
1478 }
1479
1480 int tls_allocate_write_buffers_default(OSSL_RECORD_LAYER *rl,
1481 OSSL_RECORD_TEMPLATE *templates,
1482 size_t numtempl,
1483 size_t *prefix)
1484 {
1485 if (!tls_setup_write_buffer(rl, numtempl, 0, 0)) {
1486 /* RLAYERfatal() already called */
1487 return 0;
1488 }
1489
1490 return 1;
1491 }
1492
1493 int tls_initialise_write_packets_default(OSSL_RECORD_LAYER *rl,
1494 OSSL_RECORD_TEMPLATE *templates,
1495 size_t numtempl,
1496 OSSL_RECORD_TEMPLATE *prefixtempl,
1497 WPACKET *pkt,
1498 SSL3_BUFFER *bufs,
1499 size_t *wpinited)
1500 {
1501 WPACKET *thispkt;
1502 size_t j, align;
1503 SSL3_BUFFER *wb;
1504
1505 for (j = 0; j < numtempl; j++) {
1506 thispkt = &pkt[j];
1507 wb = &bufs[j];
1508
1509 wb->type = templates[j].type;
1510
1511 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
1512 align = (size_t)SSL3_BUFFER_get_buf(wb) + SSL3_RT_HEADER_LENGTH;
1513 align = SSL3_ALIGN_PAYLOAD - 1
1514 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
1515 #endif
1516 SSL3_BUFFER_set_offset(wb, align);
1517
1518 if (!WPACKET_init_static_len(thispkt, SSL3_BUFFER_get_buf(wb),
1519 SSL3_BUFFER_get_len(wb), 0)) {
1520 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1521 return 0;
1522 }
1523 (*wpinited)++;
1524 if (!WPACKET_allocate_bytes(thispkt, align, NULL)) {
1525 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1526 return 0;
1527 }
1528 }
1529
1530 return 1;
1531 }
1532
1533 int tls_prepare_record_header_default(OSSL_RECORD_LAYER *rl,
1534 WPACKET *thispkt,
1535 OSSL_RECORD_TEMPLATE *templ,
1536 unsigned int rectype,
1537 unsigned char **recdata)
1538 {
1539 size_t maxcomplen;
1540
1541 *recdata = NULL;
1542
1543 maxcomplen = templ->buflen;
1544 if (rl->compctx != NULL)
1545 maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
1546
1547 if (!WPACKET_put_bytes_u8(thispkt, rectype)
1548 || !WPACKET_put_bytes_u16(thispkt, templ->version)
1549 || !WPACKET_start_sub_packet_u16(thispkt)
1550 || (rl->eivlen > 0
1551 && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL))
1552 || (maxcomplen > 0
1553 && !WPACKET_reserve_bytes(thispkt, maxcomplen,
1554 recdata))) {
1555 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1556 return 0;
1557 }
1558
1559 return 1;
1560 }
1561
1562 int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl,
1563 size_t mac_size,
1564 WPACKET *thispkt,
1565 SSL3_RECORD *thiswr)
1566 {
1567 size_t len;
1568 unsigned char *recordstart;
1569
1570 /*
1571 * we should still have the output to thiswr->data and the input from
1572 * wr->input. Length should be thiswr->length. thiswr->data still points
1573 * in the wb->buf
1574 */
1575
1576 if (!rl->use_etm && mac_size != 0) {
1577 unsigned char *mac;
1578
1579 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
1580 || !rl->funcs->mac(rl, thiswr, mac, 1)) {
1581 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1582 return 0;
1583 }
1584 }
1585
1586 /*
1587 * Reserve some bytes for any growth that may occur during encryption.
1588 * This will be at most one cipher block or the tag length if using
1589 * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case.
1590 */
1591 if (!WPACKET_reserve_bytes(thispkt,
1592 SSL_RT_MAX_CIPHER_BLOCK_SIZE,
1593 NULL)
1594 /*
1595 * We also need next the amount of bytes written to this
1596 * sub-packet
1597 */
1598 || !WPACKET_get_length(thispkt, &len)) {
1599 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1600 return 0;
1601 }
1602
1603 /* Get a pointer to the start of this record excluding header */
1604 recordstart = WPACKET_get_curr(thispkt) - len;
1605 SSL3_RECORD_set_data(thiswr, recordstart);
1606 SSL3_RECORD_reset_input(thiswr);
1607 SSL3_RECORD_set_length(thiswr, len);
1608
1609 return 1;
1610 }
1611
1612 int tls_post_encryption_processing_default(OSSL_RECORD_LAYER *rl,
1613 size_t mac_size,
1614 OSSL_RECORD_TEMPLATE *thistempl,
1615 WPACKET *thispkt,
1616 SSL3_RECORD *thiswr)
1617 {
1618 size_t origlen, len;
1619
1620 /* Allocate bytes for the encryption overhead */
1621 if (!WPACKET_get_length(thispkt, &origlen)
1622 /* Encryption should never shrink the data! */
1623 || origlen > thiswr->length
1624 || (thiswr->length > origlen
1625 && !WPACKET_allocate_bytes(thispkt,
1626 thiswr->length - origlen,
1627 NULL))) {
1628 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1629 return 0;
1630 }
1631 if (rl->use_etm && mac_size != 0) {
1632 unsigned char *mac;
1633
1634 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
1635 || !rl->funcs->mac(rl, thiswr, mac, 1)) {
1636 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1637 return 0;
1638 }
1639
1640 SSL3_RECORD_add_length(thiswr, mac_size);
1641 }
1642
1643 if (!WPACKET_get_length(thispkt, &len)
1644 || !WPACKET_close(thispkt)) {
1645 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1646 return 0;
1647 }
1648
1649 if (rl->msg_callback != NULL) {
1650 unsigned char *recordstart;
1651
1652 recordstart = WPACKET_get_curr(thispkt) - len - SSL3_RT_HEADER_LENGTH;
1653 rl->msg_callback(1, thiswr->rec_version, SSL3_RT_HEADER, recordstart,
1654 SSL3_RT_HEADER_LENGTH, rl->cbarg);
1655
1656 if (rl->version == TLS1_3_VERSION && rl->enc_ctx != NULL) {
1657 unsigned char ctype = thistempl->type;
1658
1659 rl->msg_callback(1, thiswr->rec_version, SSL3_RT_INNER_CONTENT_TYPE,
1660 &ctype, 1, rl->cbarg);
1661 }
1662 }
1663
1664 if (!WPACKET_finish(thispkt)) {
1665 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1666 return 0;
1667 }
1668
1669 SSL3_RECORD_add_length(thiswr, SSL3_RT_HEADER_LENGTH);
1670
1671 return 1;
1672 }
1673
1674 int tls_write_records_default(OSSL_RECORD_LAYER *rl,
1675 OSSL_RECORD_TEMPLATE *templates,
1676 size_t numtempl)
1677 {
1678 WPACKET pkt[SSL_MAX_PIPELINES + 1];
1679 SSL3_RECORD wr[SSL_MAX_PIPELINES + 1];
1680 WPACKET *thispkt;
1681 SSL3_RECORD *thiswr;
1682 int mac_size = 0, ret = 0;
1683 size_t wpinited = 0;
1684 size_t j, prefix = 0;
1685 OSSL_RECORD_TEMPLATE prefixtempl;
1686 OSSL_RECORD_TEMPLATE *thistempl;
1687
1688 if (rl->md_ctx != NULL && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
1689 mac_size = EVP_MD_CTX_get_size(rl->md_ctx);
1690 if (mac_size < 0) {
1691 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1692 goto err;
1693 }
1694 }
1695
1696 if (!rl->funcs->allocate_write_buffers(rl, templates, numtempl, &prefix)) {
1697 /* RLAYERfatal() already called */
1698 goto err;
1699 }
1700
1701 if (!rl->funcs->initialise_write_packets(rl, templates, numtempl,
1702 &prefixtempl, pkt, rl->wbuf,
1703 &wpinited)) {
1704 /* RLAYERfatal() already called */
1705 goto err;
1706 }
1707
1708 /* Clear our SSL3_RECORD structures */
1709 memset(wr, 0, sizeof(wr));
1710 for (j = 0; j < numtempl + prefix; j++) {
1711 unsigned char *compressdata = NULL;
1712 unsigned int rectype;
1713
1714 thispkt = &pkt[j];
1715 thiswr = &wr[j];
1716 thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix];
1717
1718 /*
1719 * Default to the record type as specified in the template unless the
1720 * protocol implementation says differently.
1721 */
1722 if (rl->funcs->get_record_type != NULL)
1723 rectype = rl->funcs->get_record_type(rl, thistempl);
1724 else
1725 rectype = thistempl->type;
1726
1727 SSL3_RECORD_set_type(thiswr, rectype);
1728 SSL3_RECORD_set_rec_version(thiswr, thistempl->version);
1729
1730 if (!rl->funcs->prepare_record_header(rl, thispkt, thistempl, rectype,
1731 &compressdata)) {
1732 /* RLAYERfatal() already called */
1733 goto err;
1734 }
1735
1736 /* lets setup the record stuff. */
1737 SSL3_RECORD_set_data(thiswr, compressdata);
1738 SSL3_RECORD_set_length(thiswr, thistempl->buflen);
1739
1740 SSL3_RECORD_set_input(thiswr, (unsigned char *)thistempl->buf);
1741
1742 /*
1743 * we now 'read' from thiswr->input, thiswr->length bytes into
1744 * thiswr->data
1745 */
1746
1747 /* first we compress */
1748 if (rl->compctx != NULL) {
1749 if (!tls_do_compress(rl, thiswr)
1750 || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) {
1751 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE);
1752 goto err;
1753 }
1754 } else if (compressdata != NULL) {
1755 if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) {
1756 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1757 goto err;
1758 }
1759 SSL3_RECORD_reset_input(&wr[j]);
1760 }
1761
1762 if (rl->funcs->add_record_padding != NULL
1763 && !rl->funcs->add_record_padding(rl, thistempl, thispkt,
1764 thiswr)) {
1765 /* RLAYERfatal() already called */
1766 goto err;
1767 }
1768
1769 if (!rl->funcs->prepare_for_encryption(rl, mac_size, thispkt, thiswr)) {
1770 /* RLAYERfatal() already called */
1771 goto err;
1772 }
1773 }
1774
1775 if (prefix) {
1776 if (rl->funcs->cipher(rl, wr, 1, 1, NULL, mac_size) < 1) {
1777 if (rl->alert == SSL_AD_NO_ALERT) {
1778 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1779 }
1780 goto err;
1781 }
1782 }
1783
1784 if (rl->funcs->cipher(rl, wr + prefix, numtempl, 1, NULL, mac_size) < 1) {
1785 if (rl->alert == SSL_AD_NO_ALERT) {
1786 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1787 }
1788 goto err;
1789 }
1790
1791 for (j = 0; j < numtempl + prefix; j++) {
1792 thispkt = &pkt[j];
1793 thiswr = &wr[j];
1794 thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix];
1795
1796 if (!rl->funcs->post_encryption_processing(rl, mac_size, thistempl,
1797 thispkt, thiswr)) {
1798 /* RLAYERfatal() already called */
1799 goto err;
1800 }
1801
1802 /*
1803 * we should now have thiswr->data pointing to the encrypted data, which
1804 * is thiswr->length long.
1805 * Setting the type is not needed but helps for debugging
1806 */
1807 SSL3_RECORD_set_type(thiswr, thistempl->type);
1808
1809 /* now let's set up wb */
1810 SSL3_BUFFER_set_left(&rl->wbuf[j], SSL3_RECORD_get_length(thiswr));
1811 }
1812
1813 ret = 1;
1814 err:
1815 for (j = 0; j < wpinited; j++)
1816 WPACKET_cleanup(&pkt[j]);
1817 return ret;
1818 }
1819
1820 int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates,
1821 size_t numtempl)
1822 {
1823 /* Check we don't have pending data waiting to write */
1824 if (!ossl_assert(rl->nextwbuf >= rl->numwpipes
1825 || SSL3_BUFFER_get_left(&rl->wbuf[rl->nextwbuf]) == 0)) {
1826 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1827 return OSSL_RECORD_RETURN_FATAL;
1828 }
1829
1830 if (!rl->funcs->write_records(rl, templates, numtempl)) {
1831 /* RLAYERfatal already called */
1832 return OSSL_RECORD_RETURN_FATAL;
1833 }
1834
1835 rl->nextwbuf = 0;
1836 /* we now just need to write the buffers */
1837 return tls_retry_write_records(rl);
1838 }
1839
1840 int tls_retry_write_records(OSSL_RECORD_LAYER *rl)
1841 {
1842 int i, ret;
1843 SSL3_BUFFER *thiswb;
1844 size_t tmpwrit = 0;
1845
1846 if (rl->nextwbuf >= rl->numwpipes)
1847 return OSSL_RECORD_RETURN_SUCCESS;
1848
1849 for (;;) {
1850 thiswb = &rl->wbuf[rl->nextwbuf];
1851
1852 clear_sys_error();
1853 if (rl->bio != NULL) {
1854 if (rl->funcs->prepare_write_bio != NULL) {
1855 ret = rl->funcs->prepare_write_bio(rl, thiswb->type);
1856 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1857 return ret;
1858 }
1859 i = BIO_write(rl->bio, (char *)
1860 &(SSL3_BUFFER_get_buf(thiswb)
1861 [SSL3_BUFFER_get_offset(thiswb)]),
1862 (unsigned int)SSL3_BUFFER_get_left(thiswb));
1863 if (i >= 0) {
1864 tmpwrit = i;
1865 if (i == 0 && BIO_should_retry(rl->bio))
1866 ret = OSSL_RECORD_RETURN_RETRY;
1867 else
1868 ret = OSSL_RECORD_RETURN_SUCCESS;
1869 } else {
1870 if (BIO_should_retry(rl->bio))
1871 ret = OSSL_RECORD_RETURN_RETRY;
1872 else
1873 ret = OSSL_RECORD_RETURN_FATAL;
1874 }
1875 } else {
1876 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET);
1877 ret = OSSL_RECORD_RETURN_FATAL;
1878 i = -1;
1879 }
1880
1881 /*
1882 * When an empty fragment is sent on a connection using KTLS,
1883 * it is sent as a write of zero bytes. If this zero byte
1884 * write succeeds, i will be 0 rather than a non-zero value.
1885 * Treat i == 0 as success rather than an error for zero byte
1886 * writes to permit this case.
1887 */
1888 if (i >= 0 && tmpwrit == SSL3_BUFFER_get_left(thiswb)) {
1889 SSL3_BUFFER_set_left(thiswb, 0);
1890 SSL3_BUFFER_add_offset(thiswb, tmpwrit);
1891 if (++(rl->nextwbuf) < rl->numwpipes)
1892 continue;
1893
1894 if (rl->nextwbuf == rl->numwpipes
1895 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
1896 tls_release_write_buffer(rl);
1897 return OSSL_RECORD_RETURN_SUCCESS;
1898 } else if (i <= 0) {
1899 if (rl->isdtls) {
1900 /*
1901 * For DTLS, just drop it. That's kind of the whole point in
1902 * using a datagram service
1903 */
1904 SSL3_BUFFER_set_left(thiswb, 0);
1905 if (++(rl->nextwbuf) == rl->numwpipes
1906 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
1907 tls_release_write_buffer(rl);
1908
1909 }
1910 return ret;
1911 }
1912 SSL3_BUFFER_add_offset(thiswb, tmpwrit);
1913 SSL3_BUFFER_sub_left(thiswb, tmpwrit);
1914 }
1915 }
1916
1917 int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
1918 {
1919 return rl->alert;
1920 }
1921
1922 int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
1923 {
1924 if (bio != NULL && !BIO_up_ref(bio))
1925 return 0;
1926 BIO_free(rl->bio);
1927 rl->bio = bio;
1928
1929 return 1;
1930 }
1931
1932 /* Shared by most methods except tlsany_meth */
1933 int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1934 {
1935 if (rl->version != version)
1936 return 0;
1937
1938 return 1;
1939 }
1940
1941 int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1942 {
1943 return rl->funcs->set_protocol_version(rl, version);
1944 }
1945
1946 void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
1947 {
1948 rl->allow_plain_alerts = allow;
1949 }
1950
1951 void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
1952 {
1953 rl->is_first_handshake = first;
1954 }
1955
1956 void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
1957 {
1958 rl->max_pipelines = max_pipelines;
1959 if (max_pipelines > 1)
1960 rl->read_ahead = 1;
1961 }
1962
1963 void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
1964 const char **longstr)
1965 {
1966 const char *shrt, *lng;
1967
1968 switch (rl->rstate) {
1969 case SSL_ST_READ_HEADER:
1970 shrt = "RH";
1971 lng = "read header";
1972 break;
1973 case SSL_ST_READ_BODY:
1974 shrt = "RB";
1975 lng = "read body";
1976 break;
1977 default:
1978 shrt = lng = "unknown";
1979 break;
1980 }
1981 if (shortstr != NULL)
1982 *shortstr = shrt;
1983 if (longstr != NULL)
1984 *longstr = lng;
1985 }
1986
1987 const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl)
1988 {
1989 #ifndef OPENSSL_NO_COMP
1990 return (rl->compctx == NULL) ? NULL : COMP_CTX_get_method(rl->compctx);
1991 #else
1992 return NULL;
1993 #endif
1994 }
1995
1996 void tls_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
1997 {
1998 rl->max_frag_len = max_frag_len;
1999 /*
2000 * We don't need to adjust buffer sizes. Write buffer sizes are
2001 * automatically checked anyway. We should only be changing the read buffer
2002 * size during the handshake, so we will create a new buffer when we create
2003 * the new record layer. We can't change the existing buffer because it may
2004 * already have data in it.
2005 */
2006 }
2007
2008 const OSSL_RECORD_METHOD ossl_tls_record_method = {
2009 tls_new_record_layer,
2010 tls_free,
2011 tls_reset,
2012 tls_unprocessed_read_pending,
2013 tls_processed_read_pending,
2014 tls_app_data_pending,
2015 tls_write_pending,
2016 tls_get_max_record_len,
2017 tls_get_max_records,
2018 tls_write_records,
2019 tls_retry_write_records,
2020 tls_read_record,
2021 tls_release_record,
2022 tls_get_alert_code,
2023 tls_set1_bio,
2024 tls_set_protocol_version,
2025 tls_set_plain_alerts,
2026 tls_set_first_handshake,
2027 tls_set_max_pipelines,
2028 NULL,
2029 tls_get_state,
2030 tls_set_options,
2031 tls_get_compression,
2032 tls_set_max_frag_len
2033 };
A mirror of the official openssl repository