tls_common.c 67 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162
  1. /*
  2. * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <assert.h>
  10. #include <openssl/bio.h>
  11. #include <openssl/ssl.h>
  12. #include <openssl/err.h>
  13. #include <openssl/core_names.h>
  14. #include <openssl/comp.h>
  15. #include <openssl/ssl.h>
  16. #include "internal/e_os.h"
  17. #include "internal/packet.h"
  18. #include "internal/ssl3_cbc.h"
  19. #include "../../ssl_local.h"
  20. #include "../record_local.h"
  21. #include "recmethod_local.h"
  22. static void tls_int_free(OSSL_RECORD_LAYER *rl);
  23. void ossl_tls_buffer_release(TLS_BUFFER *b)
  24. {
  25. OPENSSL_free(b->buf);
  26. b->buf = NULL;
  27. }
  28. static void TLS_RL_RECORD_release(TLS_RL_RECORD *r, size_t num_recs)
  29. {
  30. size_t i;
  31. for (i = 0; i < num_recs; i++) {
  32. OPENSSL_free(r[i].comp);
  33. r[i].comp = NULL;
  34. }
  35. }
  36. void ossl_tls_rl_record_set_seq_num(TLS_RL_RECORD *r,
  37. const unsigned char *seq_num)
  38. {
  39. memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
  40. }
  41. void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
  42. const char *fmt, ...)
  43. {
  44. va_list args;
  45. va_start(args, fmt);
  46. ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
  47. va_end(args);
  48. rl->alert = al;
  49. }
  50. int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
  51. EVP_CIPHER_CTX *ctx,
  52. const EVP_CIPHER *ciph,
  53. const EVP_MD *md)
  54. {
  55. /*
  56. * Provided cipher, the TLS padding/MAC removal is performed provider
  57. * side so we need to tell the ctx about our TLS version and mac size
  58. */
  59. OSSL_PARAM params[3], *pprm = params;
  60. size_t macsize = 0;
  61. int imacsize = -1;
  62. if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
  63. && !rl->use_etm)
  64. imacsize = EVP_MD_get_size(md);
  65. if (imacsize >= 0)
  66. macsize = (size_t)imacsize;
  67. *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
  68. &rl->version);
  69. *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
  70. &macsize);
  71. *pprm = OSSL_PARAM_construct_end();
  72. if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
  73. ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
  74. return 0;
  75. }
  76. return 1;
  77. }
  78. /*
  79. * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
  80. * which ssl3_cbc_digest_record supports.
  81. */
  82. char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
  83. {
  84. switch (EVP_MD_CTX_get_type(ctx)) {
  85. case NID_md5:
  86. case NID_sha1:
  87. case NID_sha224:
  88. case NID_sha256:
  89. case NID_sha384:
  90. case NID_sha512:
  91. return 1;
  92. default:
  93. return 0;
  94. }
  95. }
  96. #ifndef OPENSSL_NO_COMP
  97. static int tls_allow_compression(OSSL_RECORD_LAYER *rl)
  98. {
  99. if (rl->options & SSL_OP_NO_COMPRESSION)
  100. return 0;
  101. return rl->security == NULL
  102. || rl->security(rl->cbarg, SSL_SECOP_COMPRESSION, 0, 0, NULL);
  103. }
  104. #endif
  105. static void tls_release_write_buffer_int(OSSL_RECORD_LAYER *rl, size_t start)
  106. {
  107. TLS_BUFFER *wb;
  108. size_t pipes;
  109. pipes = rl->numwpipes;
  110. while (pipes > start) {
  111. wb = &rl->wbuf[pipes - 1];
  112. if (TLS_BUFFER_is_app_buffer(wb))
  113. TLS_BUFFER_set_app_buffer(wb, 0);
  114. else
  115. OPENSSL_free(wb->buf);
  116. wb->buf = NULL;
  117. pipes--;
  118. }
  119. }
  120. int tls_setup_write_buffer(OSSL_RECORD_LAYER *rl, size_t numwpipes,
  121. size_t firstlen, size_t nextlen)
  122. {
  123. unsigned char *p;
  124. size_t align = 0, headerlen;
  125. TLS_BUFFER *wb;
  126. size_t currpipe;
  127. size_t defltlen = 0;
  128. size_t contenttypelen = 0;
  129. if (firstlen == 0 || (numwpipes > 1 && nextlen == 0)) {
  130. if (rl->isdtls)
  131. headerlen = DTLS1_RT_HEADER_LENGTH + 1;
  132. else
  133. headerlen = SSL3_RT_HEADER_LENGTH;
  134. /* TLSv1.3 adds an extra content type byte after payload data */
  135. if (rl->version == TLS1_3_VERSION)
  136. contenttypelen = 1;
  137. #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
  138. align = SSL3_ALIGN_PAYLOAD - 1;
  139. #endif
  140. defltlen = align + headerlen + rl->eivlen + rl->max_frag_len
  141. + contenttypelen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
  142. #ifndef OPENSSL_NO_COMP
  143. if (tls_allow_compression(rl))
  144. defltlen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
  145. #endif
  146. /*
  147. * We don't need to add eivlen here since empty fragments only occur
  148. * when we don't have an explicit IV. The contenttype byte will also
  149. * always be 0 in these protocol versions
  150. */
  151. if ((rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0)
  152. defltlen += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
  153. }
  154. wb = rl->wbuf;
  155. for (currpipe = 0; currpipe < numwpipes; currpipe++) {
  156. TLS_BUFFER *thiswb = &wb[currpipe];
  157. size_t len = (currpipe == 0) ? firstlen : nextlen;
  158. if (len == 0)
  159. len = defltlen;
  160. if (thiswb->len != len) {
  161. OPENSSL_free(thiswb->buf);
  162. thiswb->buf = NULL; /* force reallocation */
  163. }
  164. p = thiswb->buf;
  165. if (p == NULL) {
  166. p = OPENSSL_malloc(len);
  167. if (p == NULL) {
  168. if (rl->numwpipes < currpipe)
  169. rl->numwpipes = currpipe;
  170. /*
  171. * We've got a malloc failure, and we're still initialising
  172. * buffers. We assume we're so doomed that we won't even be able
  173. * to send an alert.
  174. */
  175. RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
  176. return 0;
  177. }
  178. }
  179. memset(thiswb, 0, sizeof(TLS_BUFFER));
  180. thiswb->buf = p;
  181. thiswb->len = len;
  182. }
  183. /* Free any previously allocated buffers that we are no longer using */
  184. tls_release_write_buffer_int(rl, currpipe);
  185. rl->numwpipes = numwpipes;
  186. return 1;
  187. }
  188. static void tls_release_write_buffer(OSSL_RECORD_LAYER *rl)
  189. {
  190. tls_release_write_buffer_int(rl, 0);
  191. rl->numwpipes = 0;
  192. }
  193. int tls_setup_read_buffer(OSSL_RECORD_LAYER *rl)
  194. {
  195. unsigned char *p;
  196. size_t len, align = 0, headerlen;
  197. TLS_BUFFER *b;
  198. b = &rl->rbuf;
  199. if (rl->isdtls)
  200. headerlen = DTLS1_RT_HEADER_LENGTH;
  201. else
  202. headerlen = SSL3_RT_HEADER_LENGTH;
  203. #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
  204. align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
  205. #endif
  206. if (b->buf == NULL) {
  207. len = rl->max_frag_len
  208. + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
  209. #ifndef OPENSSL_NO_COMP
  210. if (tls_allow_compression(rl))
  211. len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
  212. #endif
  213. /* Ensure our buffer is large enough to support all our pipelines */
  214. if (rl->max_pipelines > 1)
  215. len *= rl->max_pipelines;
  216. if (b->default_len > len)
  217. len = b->default_len;
  218. if ((p = OPENSSL_malloc(len)) == NULL) {
  219. /*
  220. * We've got a malloc failure, and we're still initialising buffers.
  221. * We assume we're so doomed that we won't even be able to send an
  222. * alert.
  223. */
  224. RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
  225. return 0;
  226. }
  227. b->buf = p;
  228. b->len = len;
  229. }
  230. return 1;
  231. }
  232. static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
  233. {
  234. TLS_BUFFER *b;
  235. b = &rl->rbuf;
  236. if ((rl->options & SSL_OP_CLEANSE_PLAINTEXT) != 0)
  237. OPENSSL_cleanse(b->buf, b->len);
  238. OPENSSL_free(b->buf);
  239. b->buf = NULL;
  240. return 1;
  241. }
  242. /*
  243. * Return values are as per SSL_read()
  244. */
  245. int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
  246. int clearold, size_t *readbytes)
  247. {
  248. /*
  249. * If extend == 0, obtain new n-byte packet; if extend == 1, increase
  250. * packet by another n bytes. The packet will be in the sub-array of
  251. * rl->rbuf.buf specified by rl->packet and rl->packet_length. (If
  252. * rl->read_ahead is set, 'max' bytes may be stored in rbuf [plus
  253. * rl->packet_length bytes if extend == 1].) if clearold == 1, move the
  254. * packet to the start of the buffer; if clearold == 0 then leave any old
  255. * packets where they were
  256. */
  257. size_t len, left, align = 0;
  258. unsigned char *pkt;
  259. TLS_BUFFER *rb;
  260. if (n == 0)
  261. return OSSL_RECORD_RETURN_NON_FATAL_ERR;
  262. rb = &rl->rbuf;
  263. left = rb->left;
  264. #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
  265. align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
  266. align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
  267. #endif
  268. if (!extend) {
  269. /* start with empty packet ... */
  270. if (left == 0)
  271. rb->offset = align;
  272. rl->packet = rb->buf + rb->offset;
  273. rl->packet_length = 0;
  274. /* ... now we can act as if 'extend' was set */
  275. }
  276. len = rl->packet_length;
  277. pkt = rb->buf + align;
  278. /*
  279. * Move any available bytes to front of buffer: 'len' bytes already
  280. * pointed to by 'packet', 'left' extra ones at the end
  281. */
  282. if (rl->packet != pkt && clearold == 1) {
  283. memmove(pkt, rl->packet, len + left);
  284. rl->packet = pkt;
  285. rb->offset = len + align;
  286. }
  287. /*
  288. * For DTLS/UDP reads should not span multiple packets because the read
  289. * operation returns the whole packet at once (as long as it fits into
  290. * the buffer).
  291. */
  292. if (rl->isdtls) {
  293. if (left == 0 && extend) {
  294. /*
  295. * We received a record with a header but no body data. This will
  296. * get dumped.
  297. */
  298. return OSSL_RECORD_RETURN_NON_FATAL_ERR;
  299. }
  300. if (left > 0 && n > left)
  301. n = left;
  302. }
  303. /* if there is enough in the buffer from a previous read, take some */
  304. if (left >= n) {
  305. rl->packet_length += n;
  306. rb->left = left - n;
  307. rb->offset += n;
  308. *readbytes = n;
  309. return OSSL_RECORD_RETURN_SUCCESS;
  310. }
  311. /* else we need to read more data */
  312. if (n > rb->len - rb->offset) {
  313. /* does not happen */
  314. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  315. return OSSL_RECORD_RETURN_FATAL;
  316. }
  317. /* We always act like read_ahead is set for DTLS */
  318. if (!rl->read_ahead && !rl->isdtls) {
  319. /* ignore max parameter */
  320. max = n;
  321. } else {
  322. if (max < n)
  323. max = n;
  324. if (max > rb->len - rb->offset)
  325. max = rb->len - rb->offset;
  326. }
  327. while (left < n) {
  328. size_t bioread = 0;
  329. int ret;
  330. BIO *bio = rl->prev != NULL ? rl->prev : rl->bio;
  331. /*
  332. * Now we have len+left bytes at the front of rl->rbuf.buf and
  333. * need to read in more until we have len + n (up to len + max if
  334. * possible)
  335. */
  336. clear_sys_error();
  337. if (bio != NULL) {
  338. ret = BIO_read(bio, pkt + len + left, max - left);
  339. if (ret > 0) {
  340. bioread = ret;
  341. ret = OSSL_RECORD_RETURN_SUCCESS;
  342. } else if (BIO_should_retry(bio)) {
  343. if (rl->prev != NULL) {
  344. /*
  345. * We were reading from the previous epoch. Now there is no
  346. * more data, so swap to the actual transport BIO
  347. */
  348. BIO_free(rl->prev);
  349. rl->prev = NULL;
  350. continue;
  351. }
  352. ret = OSSL_RECORD_RETURN_RETRY;
  353. } else if (BIO_eof(bio)) {
  354. ret = OSSL_RECORD_RETURN_EOF;
  355. } else {
  356. ret = OSSL_RECORD_RETURN_FATAL;
  357. }
  358. } else {
  359. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
  360. ret = OSSL_RECORD_RETURN_FATAL;
  361. }
  362. if (ret <= OSSL_RECORD_RETURN_RETRY) {
  363. rb->left = left;
  364. if ((rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0 && !rl->isdtls)
  365. if (len + left == 0)
  366. tls_release_read_buffer(rl);
  367. return ret;
  368. }
  369. left += bioread;
  370. /*
  371. * reads should *never* span multiple packets for DTLS because the
  372. * underlying transport protocol is message oriented as opposed to
  373. * byte oriented as in the TLS case.
  374. */
  375. if (rl->isdtls) {
  376. if (n > left)
  377. n = left; /* makes the while condition false */
  378. }
  379. }
  380. /* done reading, now the book-keeping */
  381. rb->offset += n;
  382. rb->left = left - n;
  383. rl->packet_length += n;
  384. *readbytes = n;
  385. return OSSL_RECORD_RETURN_SUCCESS;
  386. }
  387. /*
  388. * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
  389. * for us in the buffer.
  390. */
  391. static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
  392. {
  393. TLS_BUFFER *rbuf;
  394. size_t left, len;
  395. unsigned char *p;
  396. rbuf = &rl->rbuf;
  397. p = TLS_BUFFER_get_buf(rbuf);
  398. if (p == NULL)
  399. return 0;
  400. left = TLS_BUFFER_get_left(rbuf);
  401. if (left < SSL3_RT_HEADER_LENGTH)
  402. return 0;
  403. p += TLS_BUFFER_get_offset(rbuf);
  404. /*
  405. * We only check the type and record length, we will sanity check version
  406. * etc later
  407. */
  408. if (*p != SSL3_RT_APPLICATION_DATA)
  409. return 0;
  410. p += 3;
  411. n2s(p, len);
  412. if (left < SSL3_RT_HEADER_LENGTH + len)
  413. return 0;
  414. return 1;
  415. }
  416. static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length,
  417. size_t overhead, int send)
  418. {
  419. uint32_t max_early_data = rl->max_early_data;
  420. if (max_early_data == 0) {
  421. RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
  422. SSL_R_TOO_MUCH_EARLY_DATA);
  423. return 0;
  424. }
  425. /* If we are dealing with ciphertext we need to allow for the overhead */
  426. max_early_data += overhead;
  427. if (rl->early_data_count + length > max_early_data) {
  428. RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
  429. SSL_R_TOO_MUCH_EARLY_DATA);
  430. return 0;
  431. }
  432. rl->early_data_count += length;
  433. return 1;
  434. }
  435. /*
  436. * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
  437. * will be processed per call to tls_get_more_records. Without this limit an
  438. * attacker could send empty records at a faster rate than we can process and
  439. * cause tls_get_more_records to loop forever.
  440. */
  441. #define MAX_EMPTY_RECORDS 32
  442. #define SSL2_RT_HEADER_LENGTH 2
  443. /*-
  444. * Call this to buffer new input records in rl->rrec.
  445. * It will return a OSSL_RECORD_RETURN_* value.
  446. * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
  447. * records have been decoded. For each record 'i':
  448. * rrec[i].type - is the type of record
  449. * rrec[i].data, - data
  450. * rrec[i].length, - number of bytes
  451. * Multiple records will only be returned if the record types are all
  452. * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
  453. * |max_pipelines|
  454. */
  455. int tls_get_more_records(OSSL_RECORD_LAYER *rl)
  456. {
  457. int enc_err, rret;
  458. int i;
  459. size_t more, n;
  460. TLS_RL_RECORD *rr, *thisrr;
  461. TLS_BUFFER *rbuf;
  462. unsigned char *p;
  463. unsigned char md[EVP_MAX_MD_SIZE];
  464. unsigned int version;
  465. size_t mac_size = 0;
  466. int imac_size;
  467. size_t num_recs = 0, max_recs, j;
  468. PACKET pkt, sslv2pkt;
  469. SSL_MAC_BUF *macbufs = NULL;
  470. int ret = OSSL_RECORD_RETURN_FATAL;
  471. rr = rl->rrec;
  472. rbuf = &rl->rbuf;
  473. if (rbuf->buf == NULL) {
  474. if (!tls_setup_read_buffer(rl)) {
  475. /* RLAYERfatal() already called */
  476. return OSSL_RECORD_RETURN_FATAL;
  477. }
  478. }
  479. max_recs = rl->max_pipelines;
  480. if (max_recs == 0)
  481. max_recs = 1;
  482. do {
  483. thisrr = &rr[num_recs];
  484. /* check if we have the header */
  485. if ((rl->rstate != SSL_ST_READ_BODY) ||
  486. (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
  487. size_t sslv2len;
  488. unsigned int type;
  489. rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH,
  490. TLS_BUFFER_get_len(rbuf), 0,
  491. num_recs == 0 ? 1 : 0, &n);
  492. if (rret < OSSL_RECORD_RETURN_SUCCESS)
  493. return rret; /* error or non-blocking */
  494. rl->rstate = SSL_ST_READ_BODY;
  495. p = rl->packet;
  496. if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
  497. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  498. return OSSL_RECORD_RETURN_FATAL;
  499. }
  500. sslv2pkt = pkt;
  501. if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
  502. || !PACKET_get_1(&sslv2pkt, &type)) {
  503. RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
  504. return OSSL_RECORD_RETURN_FATAL;
  505. }
  506. /*
  507. * The first record received by the server may be a V2ClientHello.
  508. */
  509. if (rl->role == OSSL_RECORD_ROLE_SERVER
  510. && rl->is_first_record
  511. && (sslv2len & 0x8000) != 0
  512. && (type == SSL2_MT_CLIENT_HELLO)) {
  513. /*
  514. * SSLv2 style record
  515. *
  516. * |num_recs| here will actually always be 0 because
  517. * |num_recs > 0| only ever occurs when we are processing
  518. * multiple app data records - which we know isn't the case here
  519. * because it is an SSLv2ClientHello. We keep it using
  520. * |num_recs| for the sake of consistency
  521. */
  522. thisrr->type = SSL3_RT_HANDSHAKE;
  523. thisrr->rec_version = SSL2_VERSION;
  524. thisrr->length = sslv2len & 0x7fff;
  525. if (thisrr->length > TLS_BUFFER_get_len(rbuf)
  526. - SSL2_RT_HEADER_LENGTH) {
  527. RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
  528. SSL_R_PACKET_LENGTH_TOO_LONG);
  529. return OSSL_RECORD_RETURN_FATAL;
  530. }
  531. } else {
  532. /* SSLv3+ style record */
  533. /* Pull apart the header into the TLS_RL_RECORD */
  534. if (!PACKET_get_1(&pkt, &type)
  535. || !PACKET_get_net_2(&pkt, &version)
  536. || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
  537. if (rl->msg_callback != NULL)
  538. rl->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, rl->cbarg);
  539. RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
  540. return OSSL_RECORD_RETURN_FATAL;
  541. }
  542. thisrr->type = type;
  543. thisrr->rec_version = version;
  544. /*
  545. * When we call validate_record_header() only records actually
  546. * received in SSLv2 format should have the record version set
  547. * to SSL2_VERSION. This way validate_record_header() can know
  548. * what format the record was in based on the version.
  549. */
  550. if (thisrr->rec_version == SSL2_VERSION) {
  551. RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
  552. SSL_R_WRONG_VERSION_NUMBER);
  553. return OSSL_RECORD_RETURN_FATAL;
  554. }
  555. if (rl->msg_callback != NULL)
  556. rl->msg_callback(0, version, SSL3_RT_HEADER, p, 5, rl->cbarg);
  557. if (thisrr->length >
  558. TLS_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
  559. RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
  560. SSL_R_PACKET_LENGTH_TOO_LONG);
  561. return OSSL_RECORD_RETURN_FATAL;
  562. }
  563. }
  564. if (!rl->funcs->validate_record_header(rl, thisrr)) {
  565. /* RLAYERfatal already called */
  566. return OSSL_RECORD_RETURN_FATAL;
  567. }
  568. /* now rl->rstate == SSL_ST_READ_BODY */
  569. }
  570. /*
  571. * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
  572. * how much more data we need to read for the rest of the record
  573. */
  574. if (thisrr->rec_version == SSL2_VERSION) {
  575. more = thisrr->length + SSL2_RT_HEADER_LENGTH
  576. - SSL3_RT_HEADER_LENGTH;
  577. } else {
  578. more = thisrr->length;
  579. }
  580. if (more > 0) {
  581. /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
  582. rret = rl->funcs->read_n(rl, more, more, 1, 0, &n);
  583. if (rret < OSSL_RECORD_RETURN_SUCCESS)
  584. return rret; /* error or non-blocking io */
  585. }
  586. /* set state for later operations */
  587. rl->rstate = SSL_ST_READ_HEADER;
  588. /*
  589. * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
  590. * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
  591. * + thisrr->length and we have that many bytes in rl->packet
  592. */
  593. if (thisrr->rec_version == SSL2_VERSION)
  594. thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
  595. else
  596. thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
  597. /*
  598. * ok, we can now read from 'rl->packet' data into 'thisrr'.
  599. * thisrr->input points at thisrr->length bytes, which need to be copied
  600. * into thisrr->data by either the decryption or by the decompression.
  601. * When the data is 'copied' into the thisrr->data buffer,
  602. * thisrr->input will be updated to point at the new buffer
  603. */
  604. /*
  605. * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
  606. * thisrr->length bytes of encrypted compressed stuff.
  607. */
  608. /* decrypt in place in 'thisrr->input' */
  609. thisrr->data = thisrr->input;
  610. thisrr->orig_len = thisrr->length;
  611. num_recs++;
  612. /* we have pulled in a full packet so zero things */
  613. rl->packet_length = 0;
  614. rl->is_first_record = 0;
  615. } while (num_recs < max_recs
  616. && thisrr->type == SSL3_RT_APPLICATION_DATA
  617. && RLAYER_USE_EXPLICIT_IV(rl)
  618. && rl->enc_ctx != NULL
  619. && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
  620. & EVP_CIPH_FLAG_PIPELINE) != 0
  621. && tls_record_app_data_waiting(rl));
  622. if (num_recs == 1
  623. && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
  624. /* The following can happen in tlsany_meth after HRR */
  625. && rl->version == TLS1_3_VERSION
  626. && rl->is_first_handshake) {
  627. /*
  628. * CCS messages must be exactly 1 byte long, containing the value 0x01
  629. */
  630. if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
  631. RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER,
  632. SSL_R_INVALID_CCS_MESSAGE);
  633. return OSSL_RECORD_RETURN_FATAL;
  634. }
  635. /*
  636. * CCS messages are ignored in TLSv1.3. We treat it like an empty
  637. * handshake record
  638. */
  639. thisrr->type = SSL3_RT_HANDSHAKE;
  640. if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
  641. RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
  642. SSL_R_UNEXPECTED_CCS_MESSAGE);
  643. return OSSL_RECORD_RETURN_FATAL;
  644. }
  645. rl->num_recs = 0;
  646. rl->curr_rec = 0;
  647. rl->num_released = 0;
  648. return OSSL_RECORD_RETURN_SUCCESS;
  649. }
  650. if (rl->md_ctx != NULL) {
  651. const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
  652. if (tmpmd != NULL) {
  653. imac_size = EVP_MD_get_size(tmpmd);
  654. if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
  655. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  656. return OSSL_RECORD_RETURN_FATAL;
  657. }
  658. mac_size = (size_t)imac_size;
  659. }
  660. }
  661. /*
  662. * If in encrypt-then-mac mode calculate mac from encrypted record. All
  663. * the details below are public so no timing details can leak.
  664. */
  665. if (rl->use_etm && rl->md_ctx != NULL) {
  666. unsigned char *mac;
  667. for (j = 0; j < num_recs; j++) {
  668. thisrr = &rr[j];
  669. if (thisrr->length < mac_size) {
  670. RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
  671. return OSSL_RECORD_RETURN_FATAL;
  672. }
  673. thisrr->length -= mac_size;
  674. mac = thisrr->data + thisrr->length;
  675. i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
  676. if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
  677. RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
  678. SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
  679. return OSSL_RECORD_RETURN_FATAL;
  680. }
  681. }
  682. /*
  683. * We've handled the mac now - there is no MAC inside the encrypted
  684. * record
  685. */
  686. mac_size = 0;
  687. }
  688. if (mac_size > 0) {
  689. macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
  690. if (macbufs == NULL) {
  691. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  692. return OSSL_RECORD_RETURN_FATAL;
  693. }
  694. }
  695. ERR_set_mark();
  696. enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size);
  697. /*-
  698. * enc_err is:
  699. * 0: if the record is publicly invalid, or an internal error, or AEAD
  700. * decryption failed, or ETM decryption failed.
  701. * 1: Success or MTE decryption failed (MAC will be randomised)
  702. */
  703. if (enc_err == 0) {
  704. if (rl->alert != SSL_AD_NO_ALERT) {
  705. /* RLAYERfatal() already got called */
  706. ERR_clear_last_mark();
  707. goto end;
  708. }
  709. if (num_recs == 1
  710. && rl->skip_early_data != NULL
  711. && rl->skip_early_data(rl->cbarg)) {
  712. /*
  713. * Valid early_data that we cannot decrypt will fail here. We treat
  714. * it like an empty record.
  715. */
  716. /*
  717. * Remove any errors from the stack. Decryption failures are normal
  718. * behaviour.
  719. */
  720. ERR_pop_to_mark();
  721. thisrr = &rr[0];
  722. if (!rlayer_early_data_count_ok(rl, thisrr->length,
  723. EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
  724. /* RLAYERfatal() already called */
  725. goto end;
  726. }
  727. thisrr->length = 0;
  728. rl->num_recs = 0;
  729. rl->curr_rec = 0;
  730. rl->num_released = 0;
  731. /* Reset the read sequence */
  732. memset(rl->sequence, 0, sizeof(rl->sequence));
  733. ret = 1;
  734. goto end;
  735. }
  736. ERR_clear_last_mark();
  737. RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
  738. SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
  739. goto end;
  740. } else {
  741. ERR_clear_last_mark();
  742. }
  743. OSSL_TRACE_BEGIN(TLS) {
  744. BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
  745. BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
  746. } OSSL_TRACE_END(TLS);
  747. /* r->length is now the compressed data plus mac */
  748. if (rl->enc_ctx != NULL
  749. && !rl->use_etm
  750. && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
  751. for (j = 0; j < num_recs; j++) {
  752. SSL_MAC_BUF *thismb = &macbufs[j];
  753. thisrr = &rr[j];
  754. i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
  755. if (i == 0 || thismb == NULL || thismb->mac == NULL
  756. || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
  757. enc_err = 0;
  758. if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
  759. enc_err = 0;
  760. #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  761. if (enc_err == 0 && mac_size > 0 && thismb != NULL &&
  762. thismb->mac != NULL && (md[0] ^ thismb->mac[0]) != 0xFF) {
  763. enc_err = 1;
  764. }
  765. #endif
  766. }
  767. }
  768. if (enc_err == 0) {
  769. if (rl->alert != SSL_AD_NO_ALERT) {
  770. /* We already called RLAYERfatal() */
  771. goto end;
  772. }
  773. /*
  774. * A separate 'decryption_failed' alert was introduced with TLS 1.0,
  775. * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
  776. * failure is directly visible from the ciphertext anyway, we should
  777. * not reveal which kind of error occurred -- this might become
  778. * visible to an attacker (e.g. via a logfile)
  779. */
  780. RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
  781. SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
  782. goto end;
  783. }
  784. for (j = 0; j < num_recs; j++) {
  785. thisrr = &rr[j];
  786. if (!rl->funcs->post_process_record(rl, thisrr)) {
  787. /* RLAYERfatal already called */
  788. goto end;
  789. }
  790. /*
  791. * Record overflow checking (e.g. checking if
  792. * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
  793. * the post_process_record() function above. However we check here if
  794. * the received packet overflows the current Max Fragment Length setting
  795. * if there is one.
  796. * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
  797. * mutually exclusive. Also note that with KTLS thisrr->length can
  798. * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
  799. */
  800. if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
  801. && thisrr->length > rl->max_frag_len) {
  802. RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
  803. goto end;
  804. }
  805. thisrr->off = 0;
  806. /*-
  807. * So at this point the following is true
  808. * thisrr->type is the type of record
  809. * thisrr->length == number of bytes in record
  810. * thisrr->off == offset to first valid byte
  811. * thisrr->data == where to take bytes from, increment after use :-).
  812. */
  813. /* just read a 0 length packet */
  814. if (thisrr->length == 0) {
  815. if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
  816. RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
  817. SSL_R_RECORD_TOO_SMALL);
  818. goto end;
  819. }
  820. } else {
  821. rl->empty_record_count = 0;
  822. }
  823. }
  824. if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) {
  825. thisrr = &rr[0];
  826. if (thisrr->type == SSL3_RT_APPLICATION_DATA
  827. && !rlayer_early_data_count_ok(rl, thisrr->length, 0, 0)) {
  828. /* RLAYERfatal already called */
  829. goto end;
  830. }
  831. }
  832. rl->num_recs = num_recs;
  833. rl->curr_rec = 0;
  834. rl->num_released = 0;
  835. ret = OSSL_RECORD_RETURN_SUCCESS;
  836. end:
  837. if (macbufs != NULL) {
  838. for (j = 0; j < num_recs; j++) {
  839. if (macbufs[j].alloced)
  840. OPENSSL_free(macbufs[j].mac);
  841. }
  842. OPENSSL_free(macbufs);
  843. }
  844. return ret;
  845. }
  846. /* Shared by ssl3_meth and tls1_meth */
  847. int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
  848. {
  849. size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
  850. if (rec->rec_version != rl->version) {
  851. RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER);
  852. return 0;
  853. }
  854. #ifndef OPENSSL_NO_COMP
  855. /*
  856. * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
  857. * does not include the compression overhead anyway.
  858. */
  859. if (rl->compctx == NULL)
  860. len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
  861. #endif
  862. if (rec->length > len) {
  863. RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
  864. SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
  865. return 0;
  866. }
  867. return 1;
  868. }
  869. int tls_do_compress(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *wr)
  870. {
  871. #ifndef OPENSSL_NO_COMP
  872. int i;
  873. i = COMP_compress_block(rl->compctx, wr->data,
  874. (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD),
  875. wr->input, (int)wr->length);
  876. if (i < 0)
  877. return 0;
  878. wr->length = i;
  879. wr->input = wr->data;
  880. return 1;
  881. #else
  882. return 0;
  883. #endif
  884. }
  885. int tls_do_uncompress(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
  886. {
  887. #ifndef OPENSSL_NO_COMP
  888. int i;
  889. if (rec->comp == NULL) {
  890. rec->comp = (unsigned char *)
  891. OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
  892. }
  893. if (rec->comp == NULL)
  894. return 0;
  895. i = COMP_expand_block(rl->compctx, rec->comp, SSL3_RT_MAX_PLAIN_LENGTH,
  896. rec->data, (int)rec->length);
  897. if (i < 0)
  898. return 0;
  899. else
  900. rec->length = i;
  901. rec->data = rec->comp;
  902. return 1;
  903. #else
  904. return 0;
  905. #endif
  906. }
  907. /* Shared by tlsany_meth, ssl3_meth and tls1_meth */
  908. int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
  909. {
  910. if (rl->compctx != NULL) {
  911. if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
  912. RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
  913. SSL_R_COMPRESSED_LENGTH_TOO_LONG);
  914. return 0;
  915. }
  916. if (!tls_do_uncompress(rl, rec)) {
  917. RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
  918. SSL_R_BAD_DECOMPRESSION);
  919. return 0;
  920. }
  921. }
  922. if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
  923. RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
  924. return 0;
  925. }
  926. return 1;
  927. }
  928. /* Shared by tls13_meth and ktls_meth */
  929. int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
  930. {
  931. if (rec->type != SSL3_RT_APPLICATION_DATA
  932. && rec->type != SSL3_RT_ALERT
  933. && rec->type != SSL3_RT_HANDSHAKE) {
  934. RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
  935. return 0;
  936. }
  937. if (rl->msg_callback != NULL)
  938. rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &rec->type,
  939. 1, rl->cbarg);
  940. /*
  941. * TLSv1.3 alert and handshake records are required to be non-zero in
  942. * length.
  943. */
  944. if ((rec->type == SSL3_RT_HANDSHAKE || rec->type == SSL3_RT_ALERT)
  945. && rec->length == 0) {
  946. RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
  947. return 0;
  948. }
  949. return 1;
  950. }
  951. int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
  952. uint8_t *type, const unsigned char **data, size_t *datalen,
  953. uint16_t *epoch, unsigned char *seq_num)
  954. {
  955. TLS_RL_RECORD *rec;
  956. /*
  957. * tls_get_more_records() can return success without actually reading
  958. * anything useful (i.e. if empty records are read). We loop here until
  959. * we have something useful. tls_get_more_records() will eventually fail if
  960. * too many sequential empty records are read.
  961. */
  962. while (rl->curr_rec >= rl->num_recs) {
  963. int ret;
  964. if (rl->num_released != rl->num_recs) {
  965. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
  966. return OSSL_RECORD_RETURN_FATAL;
  967. }
  968. ret = rl->funcs->get_more_records(rl);
  969. if (ret != OSSL_RECORD_RETURN_SUCCESS)
  970. return ret;
  971. }
  972. /*
  973. * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
  974. * points to the next one to read.
  975. */
  976. rec = &rl->rrec[rl->curr_rec++];
  977. *rechandle = rec;
  978. *rversion = rec->rec_version;
  979. *type = rec->type;
  980. *data = rec->data + rec->off;
  981. *datalen = rec->length;
  982. if (rl->isdtls) {
  983. *epoch = rec->epoch;
  984. memcpy(seq_num, rec->seq_num, sizeof(rec->seq_num));
  985. }
  986. return OSSL_RECORD_RETURN_SUCCESS;
  987. }
  988. int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle, size_t length)
  989. {
  990. TLS_RL_RECORD *rec = &rl->rrec[rl->num_released];
  991. if (!ossl_assert(rl->num_released < rl->curr_rec)
  992. || !ossl_assert(rechandle == rec)) {
  993. /* Should not happen */
  994. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
  995. return OSSL_RECORD_RETURN_FATAL;
  996. }
  997. if (rec->length < length) {
  998. /* Should not happen */
  999. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1000. return OSSL_RECORD_RETURN_FATAL;
  1001. }
  1002. if ((rl->options & SSL_OP_CLEANSE_PLAINTEXT) != 0)
  1003. OPENSSL_cleanse(rec->data + rec->off, length);
  1004. rec->off += length;
  1005. rec->length -= length;
  1006. if (rec->length > 0)
  1007. return OSSL_RECORD_RETURN_SUCCESS;
  1008. rl->num_released++;
  1009. if (rl->curr_rec == rl->num_released
  1010. && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0
  1011. && TLS_BUFFER_get_left(&rl->rbuf) == 0)
  1012. tls_release_read_buffer(rl);
  1013. return OSSL_RECORD_RETURN_SUCCESS;
  1014. }
  1015. int tls_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
  1016. {
  1017. const OSSL_PARAM *p;
  1018. p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
  1019. if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
  1020. ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
  1021. return 0;
  1022. }
  1023. p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
  1024. if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
  1025. ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
  1026. return 0;
  1027. }
  1028. if (rl->direction == OSSL_RECORD_DIRECTION_READ) {
  1029. p = OSSL_PARAM_locate_const(options,
  1030. OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN);
  1031. if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->rbuf.default_len)) {
  1032. ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
  1033. return 0;
  1034. }
  1035. } else {
  1036. p = OSSL_PARAM_locate_const(options,
  1037. OSSL_LIBSSL_RECORD_LAYER_PARAM_BLOCK_PADDING);
  1038. if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->block_padding)) {
  1039. ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
  1040. return 0;
  1041. }
  1042. }
  1043. if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) {
  1044. /*
  1045. * We ignore any read_ahead setting prior to the application protection
  1046. * level. Otherwise we may read ahead data in a lower protection level
  1047. * that is destined for a higher protection level. To simplify the logic
  1048. * we don't support that at this stage.
  1049. */
  1050. p = OSSL_PARAM_locate_const(options,
  1051. OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
  1052. if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
  1053. ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
  1054. return 0;
  1055. }
  1056. }
  1057. return 1;
  1058. }
  1059. int
  1060. tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
  1061. int role, int direction, int level,
  1062. const EVP_CIPHER *ciph, size_t taglen,
  1063. const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
  1064. BIO *transport, BIO *next, const OSSL_PARAM *settings,
  1065. const OSSL_PARAM *options,
  1066. const OSSL_DISPATCH *fns, void *cbarg,
  1067. OSSL_RECORD_LAYER **retrl)
  1068. {
  1069. OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
  1070. const OSSL_PARAM *p;
  1071. *retrl = NULL;
  1072. if (rl == NULL)
  1073. return OSSL_RECORD_RETURN_FATAL;
  1074. /*
  1075. * Default the value for max_frag_len. This may be overridden by the
  1076. * settings
  1077. */
  1078. rl->max_frag_len = SSL3_RT_MAX_PLAIN_LENGTH;
  1079. /* Loop through all the settings since they must all be understood */
  1080. if (settings != NULL) {
  1081. for (p = settings; p->key != NULL; p++) {
  1082. if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) {
  1083. if (!OSSL_PARAM_get_int(p, &rl->use_etm)) {
  1084. ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
  1085. goto err;
  1086. }
  1087. } else if (strcmp(p->key,
  1088. OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) {
  1089. if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) {
  1090. ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
  1091. goto err;
  1092. }
  1093. } else if (strcmp(p->key,
  1094. OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) {
  1095. if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) {
  1096. ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
  1097. goto err;
  1098. }
  1099. } else if (strcmp(p->key,
  1100. OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) {
  1101. if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) {
  1102. ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
  1103. goto err;
  1104. }
  1105. } else if (strcmp(p->key,
  1106. OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) {
  1107. if (!OSSL_PARAM_get_int(p, &rl->tlstree)) {
  1108. ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
  1109. goto err;
  1110. }
  1111. } else {
  1112. ERR_raise(ERR_LIB_SSL, SSL_R_UNKNOWN_MANDATORY_PARAMETER);
  1113. goto err;
  1114. }
  1115. }
  1116. }
  1117. rl->libctx = libctx;
  1118. rl->propq = propq;
  1119. rl->version = vers;
  1120. rl->role = role;
  1121. rl->direction = direction;
  1122. rl->level = level;
  1123. rl->taglen = taglen;
  1124. rl->md = md;
  1125. rl->alert = SSL_AD_NO_ALERT;
  1126. rl->rstate = SSL_ST_READ_HEADER;
  1127. if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
  1128. rl->is_first_record = 1;
  1129. if (!tls_set1_bio(rl, transport))
  1130. goto err;
  1131. if (prev != NULL && !BIO_up_ref(prev))
  1132. goto err;
  1133. rl->prev = prev;
  1134. if (next != NULL && !BIO_up_ref(next))
  1135. goto err;
  1136. rl->next = next;
  1137. rl->cbarg = cbarg;
  1138. if (fns != NULL) {
  1139. for (; fns->function_id != 0; fns++) {
  1140. switch (fns->function_id) {
  1141. case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA:
  1142. rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns);
  1143. break;
  1144. case OSSL_FUNC_RLAYER_MSG_CALLBACK:
  1145. rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
  1146. break;
  1147. case OSSL_FUNC_RLAYER_SECURITY:
  1148. rl->security = OSSL_FUNC_rlayer_security(fns);
  1149. break;
  1150. case OSSL_FUNC_RLAYER_PADDING:
  1151. rl->padding = OSSL_FUNC_rlayer_padding(fns);
  1152. default:
  1153. /* Just ignore anything we don't understand */
  1154. break;
  1155. }
  1156. }
  1157. }
  1158. if (!tls_set_options(rl, options)) {
  1159. ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
  1160. goto err;
  1161. }
  1162. if ((rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0
  1163. && rl->version <= TLS1_VERSION
  1164. && !EVP_CIPHER_is_a(ciph, "NULL")
  1165. && !EVP_CIPHER_is_a(ciph, "RC4")) {
  1166. /*
  1167. * Enable vulnerability countermeasure for CBC ciphers with known-IV
  1168. * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
  1169. */
  1170. rl->need_empty_fragments = 1;
  1171. }
  1172. *retrl = rl;
  1173. return OSSL_RECORD_RETURN_SUCCESS;
  1174. err:
  1175. tls_int_free(rl);
  1176. return OSSL_RECORD_RETURN_FATAL;
  1177. }
  1178. static int
  1179. tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
  1180. int role, int direction, int level, uint16_t epoch,
  1181. unsigned char *secret, size_t secretlen,
  1182. unsigned char *key, size_t keylen, unsigned char *iv,
  1183. size_t ivlen, unsigned char *mackey, size_t mackeylen,
  1184. const EVP_CIPHER *ciph, size_t taglen,
  1185. int mactype,
  1186. const EVP_MD *md, COMP_METHOD *comp,
  1187. const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
  1188. BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
  1189. const OSSL_PARAM *settings, const OSSL_PARAM *options,
  1190. const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
  1191. OSSL_RECORD_LAYER **retrl)
  1192. {
  1193. int ret;
  1194. ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
  1195. ciph, taglen, md, comp, prev,
  1196. transport, next, settings,
  1197. options, fns, cbarg, retrl);
  1198. if (ret != OSSL_RECORD_RETURN_SUCCESS)
  1199. return ret;
  1200. switch (vers) {
  1201. case TLS_ANY_VERSION:
  1202. (*retrl)->funcs = &tls_any_funcs;
  1203. break;
  1204. case TLS1_3_VERSION:
  1205. (*retrl)->funcs = &tls_1_3_funcs;
  1206. break;
  1207. case TLS1_2_VERSION:
  1208. case TLS1_1_VERSION:
  1209. case TLS1_VERSION:
  1210. (*retrl)->funcs = &tls_1_funcs;
  1211. break;
  1212. case SSL3_VERSION:
  1213. (*retrl)->funcs = &ssl_3_0_funcs;
  1214. break;
  1215. default:
  1216. /* Should not happen */
  1217. ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
  1218. ret = OSSL_RECORD_RETURN_FATAL;
  1219. goto err;
  1220. }
  1221. ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
  1222. ivlen, mackey, mackeylen, ciph,
  1223. taglen, mactype, md, comp);
  1224. err:
  1225. if (ret != OSSL_RECORD_RETURN_SUCCESS) {
  1226. tls_int_free(*retrl);
  1227. *retrl = NULL;
  1228. }
  1229. return ret;
  1230. }
  1231. static void tls_int_free(OSSL_RECORD_LAYER *rl)
  1232. {
  1233. BIO_free(rl->prev);
  1234. BIO_free(rl->bio);
  1235. BIO_free(rl->next);
  1236. ossl_tls_buffer_release(&rl->rbuf);
  1237. tls_release_write_buffer(rl);
  1238. EVP_CIPHER_CTX_free(rl->enc_ctx);
  1239. EVP_MD_CTX_free(rl->md_ctx);
  1240. #ifndef OPENSSL_NO_COMP
  1241. COMP_CTX_free(rl->compctx);
  1242. #endif
  1243. if (rl->version == SSL3_VERSION)
  1244. OPENSSL_cleanse(rl->mac_secret, sizeof(rl->mac_secret));
  1245. TLS_RL_RECORD_release(rl->rrec, SSL_MAX_PIPELINES);
  1246. OPENSSL_free(rl);
  1247. }
  1248. int tls_free(OSSL_RECORD_LAYER *rl)
  1249. {
  1250. TLS_BUFFER *rbuf;
  1251. size_t left, written;
  1252. int ret = 1;
  1253. if (rl == NULL)
  1254. return 1;
  1255. rbuf = &rl->rbuf;
  1256. left = TLS_BUFFER_get_left(rbuf);
  1257. if (left > 0) {
  1258. /*
  1259. * This record layer is closing but we still have data left in our
  1260. * buffer. It must be destined for the next epoch - so push it there.
  1261. */
  1262. ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
  1263. }
  1264. tls_int_free(rl);
  1265. return ret;
  1266. }
  1267. int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
  1268. {
  1269. return TLS_BUFFER_get_left(&rl->rbuf) != 0;
  1270. }
  1271. int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
  1272. {
  1273. return rl->curr_rec < rl->num_recs;
  1274. }
  1275. size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
  1276. {
  1277. size_t i;
  1278. size_t num = 0;
  1279. for (i = rl->curr_rec; i < rl->num_recs; i++) {
  1280. if (rl->rrec[i].type != SSL3_RT_APPLICATION_DATA)
  1281. return num;
  1282. num += rl->rrec[i].length;
  1283. }
  1284. return num;
  1285. }
  1286. size_t tls_get_max_records_default(OSSL_RECORD_LAYER *rl, uint8_t type,
  1287. size_t len,
  1288. size_t maxfrag, size_t *preffrag)
  1289. {
  1290. /*
  1291. * If we have a pipeline capable cipher, and we have been configured to use
  1292. * it, then return the preferred number of pipelines.
  1293. */
  1294. if (rl->max_pipelines > 0
  1295. && rl->enc_ctx != NULL
  1296. && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
  1297. & EVP_CIPH_FLAG_PIPELINE) != 0
  1298. && RLAYER_USE_EXPLICIT_IV(rl)) {
  1299. size_t pipes;
  1300. if (len == 0)
  1301. return 1;
  1302. pipes = ((len - 1) / *preffrag) + 1;
  1303. return (pipes < rl->max_pipelines) ? pipes : rl->max_pipelines;
  1304. }
  1305. return 1;
  1306. }
  1307. size_t tls_get_max_records(OSSL_RECORD_LAYER *rl, uint8_t type, size_t len,
  1308. size_t maxfrag, size_t *preffrag)
  1309. {
  1310. return rl->funcs->get_max_records(rl, type, len, maxfrag, preffrag);
  1311. }
  1312. int tls_allocate_write_buffers_default(OSSL_RECORD_LAYER *rl,
  1313. OSSL_RECORD_TEMPLATE *templates,
  1314. size_t numtempl,
  1315. size_t *prefix)
  1316. {
  1317. if (!tls_setup_write_buffer(rl, numtempl, 0, 0)) {
  1318. /* RLAYERfatal() already called */
  1319. return 0;
  1320. }
  1321. return 1;
  1322. }
  1323. int tls_initialise_write_packets_default(OSSL_RECORD_LAYER *rl,
  1324. OSSL_RECORD_TEMPLATE *templates,
  1325. size_t numtempl,
  1326. OSSL_RECORD_TEMPLATE *prefixtempl,
  1327. WPACKET *pkt,
  1328. TLS_BUFFER *bufs,
  1329. size_t *wpinited)
  1330. {
  1331. WPACKET *thispkt;
  1332. size_t j, align;
  1333. TLS_BUFFER *wb;
  1334. for (j = 0; j < numtempl; j++) {
  1335. thispkt = &pkt[j];
  1336. wb = &bufs[j];
  1337. wb->type = templates[j].type;
  1338. #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
  1339. align = (size_t)TLS_BUFFER_get_buf(wb);
  1340. align += rl->isdtls ? DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH;
  1341. align = SSL3_ALIGN_PAYLOAD - 1
  1342. - ((align - 1) % SSL3_ALIGN_PAYLOAD);
  1343. #endif
  1344. TLS_BUFFER_set_offset(wb, align);
  1345. if (!WPACKET_init_static_len(thispkt, TLS_BUFFER_get_buf(wb),
  1346. TLS_BUFFER_get_len(wb), 0)) {
  1347. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1348. return 0;
  1349. }
  1350. (*wpinited)++;
  1351. if (!WPACKET_allocate_bytes(thispkt, align, NULL)) {
  1352. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1353. return 0;
  1354. }
  1355. }
  1356. return 1;
  1357. }
  1358. int tls_prepare_record_header_default(OSSL_RECORD_LAYER *rl,
  1359. WPACKET *thispkt,
  1360. OSSL_RECORD_TEMPLATE *templ,
  1361. uint8_t rectype,
  1362. unsigned char **recdata)
  1363. {
  1364. size_t maxcomplen;
  1365. *recdata = NULL;
  1366. maxcomplen = templ->buflen;
  1367. if (rl->compctx != NULL)
  1368. maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
  1369. if (!WPACKET_put_bytes_u8(thispkt, rectype)
  1370. || !WPACKET_put_bytes_u16(thispkt, templ->version)
  1371. || !WPACKET_start_sub_packet_u16(thispkt)
  1372. || (rl->eivlen > 0
  1373. && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL))
  1374. || (maxcomplen > 0
  1375. && !WPACKET_reserve_bytes(thispkt, maxcomplen,
  1376. recdata))) {
  1377. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1378. return 0;
  1379. }
  1380. return 1;
  1381. }
  1382. int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl,
  1383. size_t mac_size,
  1384. WPACKET *thispkt,
  1385. TLS_RL_RECORD *thiswr)
  1386. {
  1387. size_t len;
  1388. unsigned char *recordstart;
  1389. /*
  1390. * we should still have the output to thiswr->data and the input from
  1391. * wr->input. Length should be thiswr->length. thiswr->data still points
  1392. * in the wb->buf
  1393. */
  1394. if (!rl->use_etm && mac_size != 0) {
  1395. unsigned char *mac;
  1396. if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
  1397. || !rl->funcs->mac(rl, thiswr, mac, 1)) {
  1398. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1399. return 0;
  1400. }
  1401. }
  1402. /*
  1403. * Reserve some bytes for any growth that may occur during encryption. If
  1404. * we are adding the MAC independently of the cipher algorithm, then the
  1405. * max encrypted overhead does not need to include an allocation for that
  1406. * MAC
  1407. */
  1408. if (!WPACKET_reserve_bytes(thispkt, SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
  1409. - mac_size, NULL)
  1410. /*
  1411. * We also need next the amount of bytes written to this
  1412. * sub-packet
  1413. */
  1414. || !WPACKET_get_length(thispkt, &len)) {
  1415. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1416. return 0;
  1417. }
  1418. /* Get a pointer to the start of this record excluding header */
  1419. recordstart = WPACKET_get_curr(thispkt) - len;
  1420. TLS_RL_RECORD_set_data(thiswr, recordstart);
  1421. TLS_RL_RECORD_reset_input(thiswr);
  1422. TLS_RL_RECORD_set_length(thiswr, len);
  1423. return 1;
  1424. }
  1425. int tls_post_encryption_processing_default(OSSL_RECORD_LAYER *rl,
  1426. size_t mac_size,
  1427. OSSL_RECORD_TEMPLATE *thistempl,
  1428. WPACKET *thispkt,
  1429. TLS_RL_RECORD *thiswr)
  1430. {
  1431. size_t origlen, len;
  1432. size_t headerlen = rl->isdtls ? DTLS1_RT_HEADER_LENGTH
  1433. : SSL3_RT_HEADER_LENGTH;
  1434. /* Allocate bytes for the encryption overhead */
  1435. if (!WPACKET_get_length(thispkt, &origlen)
  1436. /* Check we allowed enough room for the encryption growth */
  1437. || !ossl_assert(origlen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
  1438. - mac_size >= thiswr->length)
  1439. /* Encryption should never shrink the data! */
  1440. || origlen > thiswr->length
  1441. || (thiswr->length > origlen
  1442. && !WPACKET_allocate_bytes(thispkt,
  1443. thiswr->length - origlen,
  1444. NULL))) {
  1445. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1446. return 0;
  1447. }
  1448. if (rl->use_etm && mac_size != 0) {
  1449. unsigned char *mac;
  1450. if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
  1451. || !rl->funcs->mac(rl, thiswr, mac, 1)) {
  1452. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1453. return 0;
  1454. }
  1455. TLS_RL_RECORD_add_length(thiswr, mac_size);
  1456. }
  1457. if (!WPACKET_get_length(thispkt, &len)
  1458. || !WPACKET_close(thispkt)) {
  1459. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1460. return 0;
  1461. }
  1462. if (rl->msg_callback != NULL) {
  1463. unsigned char *recordstart;
  1464. recordstart = WPACKET_get_curr(thispkt) - len - headerlen;
  1465. rl->msg_callback(1, thiswr->rec_version, SSL3_RT_HEADER, recordstart,
  1466. headerlen, rl->cbarg);
  1467. if (rl->version == TLS1_3_VERSION && rl->enc_ctx != NULL) {
  1468. unsigned char ctype = thistempl->type;
  1469. rl->msg_callback(1, thiswr->rec_version, SSL3_RT_INNER_CONTENT_TYPE,
  1470. &ctype, 1, rl->cbarg);
  1471. }
  1472. }
  1473. if (!WPACKET_finish(thispkt)) {
  1474. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1475. return 0;
  1476. }
  1477. TLS_RL_RECORD_add_length(thiswr, headerlen);
  1478. return 1;
  1479. }
  1480. int tls_write_records_default(OSSL_RECORD_LAYER *rl,
  1481. OSSL_RECORD_TEMPLATE *templates,
  1482. size_t numtempl)
  1483. {
  1484. WPACKET pkt[SSL_MAX_PIPELINES + 1];
  1485. TLS_RL_RECORD wr[SSL_MAX_PIPELINES + 1];
  1486. WPACKET *thispkt;
  1487. TLS_RL_RECORD *thiswr;
  1488. int mac_size = 0, ret = 0;
  1489. size_t wpinited = 0;
  1490. size_t j, prefix = 0;
  1491. OSSL_RECORD_TEMPLATE prefixtempl;
  1492. OSSL_RECORD_TEMPLATE *thistempl;
  1493. if (rl->md_ctx != NULL && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
  1494. mac_size = EVP_MD_CTX_get_size(rl->md_ctx);
  1495. if (mac_size < 0) {
  1496. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1497. goto err;
  1498. }
  1499. }
  1500. if (!rl->funcs->allocate_write_buffers(rl, templates, numtempl, &prefix)) {
  1501. /* RLAYERfatal() already called */
  1502. goto err;
  1503. }
  1504. if (!rl->funcs->initialise_write_packets(rl, templates, numtempl,
  1505. &prefixtempl, pkt, rl->wbuf,
  1506. &wpinited)) {
  1507. /* RLAYERfatal() already called */
  1508. goto err;
  1509. }
  1510. /* Clear our TLS_RL_RECORD structures */
  1511. memset(wr, 0, sizeof(wr));
  1512. for (j = 0; j < numtempl + prefix; j++) {
  1513. unsigned char *compressdata = NULL;
  1514. uint8_t rectype;
  1515. thispkt = &pkt[j];
  1516. thiswr = &wr[j];
  1517. thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix];
  1518. /*
  1519. * Default to the record type as specified in the template unless the
  1520. * protocol implementation says differently.
  1521. */
  1522. if (rl->funcs->get_record_type != NULL)
  1523. rectype = rl->funcs->get_record_type(rl, thistempl);
  1524. else
  1525. rectype = thistempl->type;
  1526. TLS_RL_RECORD_set_type(thiswr, rectype);
  1527. TLS_RL_RECORD_set_rec_version(thiswr, thistempl->version);
  1528. if (!rl->funcs->prepare_record_header(rl, thispkt, thistempl, rectype,
  1529. &compressdata)) {
  1530. /* RLAYERfatal() already called */
  1531. goto err;
  1532. }
  1533. /* lets setup the record stuff. */
  1534. TLS_RL_RECORD_set_data(thiswr, compressdata);
  1535. TLS_RL_RECORD_set_length(thiswr, thistempl->buflen);
  1536. TLS_RL_RECORD_set_input(thiswr, (unsigned char *)thistempl->buf);
  1537. /*
  1538. * we now 'read' from thiswr->input, thiswr->length bytes into
  1539. * thiswr->data
  1540. */
  1541. /* first we compress */
  1542. if (rl->compctx != NULL) {
  1543. if (!tls_do_compress(rl, thiswr)
  1544. || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) {
  1545. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE);
  1546. goto err;
  1547. }
  1548. } else if (compressdata != NULL) {
  1549. if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) {
  1550. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1551. goto err;
  1552. }
  1553. TLS_RL_RECORD_reset_input(&wr[j]);
  1554. }
  1555. if (rl->funcs->add_record_padding != NULL
  1556. && !rl->funcs->add_record_padding(rl, thistempl, thispkt,
  1557. thiswr)) {
  1558. /* RLAYERfatal() already called */
  1559. goto err;
  1560. }
  1561. if (!rl->funcs->prepare_for_encryption(rl, mac_size, thispkt, thiswr)) {
  1562. /* RLAYERfatal() already called */
  1563. goto err;
  1564. }
  1565. }
  1566. if (prefix) {
  1567. if (rl->funcs->cipher(rl, wr, 1, 1, NULL, mac_size) < 1) {
  1568. if (rl->alert == SSL_AD_NO_ALERT) {
  1569. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1570. }
  1571. goto err;
  1572. }
  1573. }
  1574. if (rl->funcs->cipher(rl, wr + prefix, numtempl, 1, NULL, mac_size) < 1) {
  1575. if (rl->alert == SSL_AD_NO_ALERT) {
  1576. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1577. }
  1578. goto err;
  1579. }
  1580. for (j = 0; j < numtempl + prefix; j++) {
  1581. thispkt = &pkt[j];
  1582. thiswr = &wr[j];
  1583. thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix];
  1584. if (!rl->funcs->post_encryption_processing(rl, mac_size, thistempl,
  1585. thispkt, thiswr)) {
  1586. /* RLAYERfatal() already called */
  1587. goto err;
  1588. }
  1589. /* now let's set up wb */
  1590. TLS_BUFFER_set_left(&rl->wbuf[j], TLS_RL_RECORD_get_length(thiswr));
  1591. }
  1592. ret = 1;
  1593. err:
  1594. for (j = 0; j < wpinited; j++)
  1595. WPACKET_cleanup(&pkt[j]);
  1596. return ret;
  1597. }
  1598. int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates,
  1599. size_t numtempl)
  1600. {
  1601. /* Check we don't have pending data waiting to write */
  1602. if (!ossl_assert(rl->nextwbuf >= rl->numwpipes
  1603. || TLS_BUFFER_get_left(&rl->wbuf[rl->nextwbuf]) == 0)) {
  1604. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  1605. return OSSL_RECORD_RETURN_FATAL;
  1606. }
  1607. if (!rl->funcs->write_records(rl, templates, numtempl)) {
  1608. /* RLAYERfatal already called */
  1609. return OSSL_RECORD_RETURN_FATAL;
  1610. }
  1611. rl->nextwbuf = 0;
  1612. /* we now just need to write the buffers */
  1613. return tls_retry_write_records(rl);
  1614. }
  1615. int tls_retry_write_records(OSSL_RECORD_LAYER *rl)
  1616. {
  1617. int i, ret;
  1618. TLS_BUFFER *thiswb;
  1619. size_t tmpwrit = 0;
  1620. if (rl->nextwbuf >= rl->numwpipes)
  1621. return OSSL_RECORD_RETURN_SUCCESS;
  1622. for (;;) {
  1623. thiswb = &rl->wbuf[rl->nextwbuf];
  1624. clear_sys_error();
  1625. if (rl->bio != NULL) {
  1626. if (rl->funcs->prepare_write_bio != NULL) {
  1627. ret = rl->funcs->prepare_write_bio(rl, thiswb->type);
  1628. if (ret != OSSL_RECORD_RETURN_SUCCESS)
  1629. return ret;
  1630. }
  1631. i = BIO_write(rl->bio, (char *)
  1632. &(TLS_BUFFER_get_buf(thiswb)
  1633. [TLS_BUFFER_get_offset(thiswb)]),
  1634. (unsigned int)TLS_BUFFER_get_left(thiswb));
  1635. if (i >= 0) {
  1636. tmpwrit = i;
  1637. if (i == 0 && BIO_should_retry(rl->bio))
  1638. ret = OSSL_RECORD_RETURN_RETRY;
  1639. else
  1640. ret = OSSL_RECORD_RETURN_SUCCESS;
  1641. } else {
  1642. if (BIO_should_retry(rl->bio)) {
  1643. ret = OSSL_RECORD_RETURN_RETRY;
  1644. } else {
  1645. ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(),
  1646. "tls_retry_write_records failure");
  1647. ret = OSSL_RECORD_RETURN_FATAL;
  1648. }
  1649. }
  1650. } else {
  1651. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET);
  1652. ret = OSSL_RECORD_RETURN_FATAL;
  1653. i = -1;
  1654. }
  1655. /*
  1656. * When an empty fragment is sent on a connection using KTLS,
  1657. * it is sent as a write of zero bytes. If this zero byte
  1658. * write succeeds, i will be 0 rather than a non-zero value.
  1659. * Treat i == 0 as success rather than an error for zero byte
  1660. * writes to permit this case.
  1661. */
  1662. if (i >= 0 && tmpwrit == TLS_BUFFER_get_left(thiswb)) {
  1663. TLS_BUFFER_set_left(thiswb, 0);
  1664. TLS_BUFFER_add_offset(thiswb, tmpwrit);
  1665. if (++(rl->nextwbuf) < rl->numwpipes)
  1666. continue;
  1667. if (rl->nextwbuf == rl->numwpipes
  1668. && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
  1669. tls_release_write_buffer(rl);
  1670. return OSSL_RECORD_RETURN_SUCCESS;
  1671. } else if (i <= 0) {
  1672. if (rl->isdtls) {
  1673. /*
  1674. * For DTLS, just drop it. That's kind of the whole point in
  1675. * using a datagram service
  1676. */
  1677. TLS_BUFFER_set_left(thiswb, 0);
  1678. if (++(rl->nextwbuf) == rl->numwpipes
  1679. && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
  1680. tls_release_write_buffer(rl);
  1681. }
  1682. return ret;
  1683. }
  1684. TLS_BUFFER_add_offset(thiswb, tmpwrit);
  1685. TLS_BUFFER_sub_left(thiswb, tmpwrit);
  1686. }
  1687. }
  1688. int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
  1689. {
  1690. return rl->alert;
  1691. }
  1692. int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
  1693. {
  1694. if (bio != NULL && !BIO_up_ref(bio))
  1695. return 0;
  1696. BIO_free(rl->bio);
  1697. rl->bio = bio;
  1698. return 1;
  1699. }
  1700. /* Shared by most methods except tlsany_meth */
  1701. int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
  1702. {
  1703. if (rl->version != version)
  1704. return 0;
  1705. return 1;
  1706. }
  1707. int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
  1708. {
  1709. return rl->funcs->set_protocol_version(rl, version);
  1710. }
  1711. void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
  1712. {
  1713. rl->allow_plain_alerts = allow;
  1714. }
  1715. void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
  1716. {
  1717. rl->is_first_handshake = first;
  1718. }
  1719. void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
  1720. {
  1721. rl->max_pipelines = max_pipelines;
  1722. if (max_pipelines > 1)
  1723. rl->read_ahead = 1;
  1724. }
  1725. void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
  1726. const char **longstr)
  1727. {
  1728. const char *shrt, *lng;
  1729. switch (rl->rstate) {
  1730. case SSL_ST_READ_HEADER:
  1731. shrt = "RH";
  1732. lng = "read header";
  1733. break;
  1734. case SSL_ST_READ_BODY:
  1735. shrt = "RB";
  1736. lng = "read body";
  1737. break;
  1738. default:
  1739. shrt = lng = "unknown";
  1740. break;
  1741. }
  1742. if (shortstr != NULL)
  1743. *shortstr = shrt;
  1744. if (longstr != NULL)
  1745. *longstr = lng;
  1746. }
  1747. const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl)
  1748. {
  1749. #ifndef OPENSSL_NO_COMP
  1750. return (rl->compctx == NULL) ? NULL : COMP_CTX_get_method(rl->compctx);
  1751. #else
  1752. return NULL;
  1753. #endif
  1754. }
  1755. void tls_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
  1756. {
  1757. rl->max_frag_len = max_frag_len;
  1758. /*
  1759. * We don't need to adjust buffer sizes. Write buffer sizes are
  1760. * automatically checked anyway. We should only be changing the read buffer
  1761. * size during the handshake, so we will create a new buffer when we create
  1762. * the new record layer. We can't change the existing buffer because it may
  1763. * already have data in it.
  1764. */
  1765. }
  1766. int tls_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
  1767. {
  1768. int i;
  1769. /* Increment the sequence counter */
  1770. for (i = SEQ_NUM_SIZE; i > 0; i--) {
  1771. ++(rl->sequence[i - 1]);
  1772. if (rl->sequence[i - 1] != 0)
  1773. break;
  1774. }
  1775. if (i == 0) {
  1776. /* Sequence has wrapped */
  1777. RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_SEQUENCE_CTR_WRAPPED);
  1778. return 0;
  1779. }
  1780. return 1;
  1781. }
  1782. int tls_alloc_buffers(OSSL_RECORD_LAYER *rl)
  1783. {
  1784. if (rl->direction == OSSL_RECORD_DIRECTION_WRITE) {
  1785. /* If we have a pending write then buffers are already allocated */
  1786. if (rl->nextwbuf < rl->numwpipes)
  1787. return 1;
  1788. /*
  1789. * We assume 1 pipe with default sized buffer. If what we need ends up
  1790. * being a different size to that then it will be reallocated on demand.
  1791. * If we need more than 1 pipe then that will also be allocated on
  1792. * demand
  1793. */
  1794. if (!tls_setup_write_buffer(rl, 1, 0, 0))
  1795. return 0;
  1796. /*
  1797. * Normally when we allocate write buffers we immediately write
  1798. * something into it. In this case we're not doing that so mark the
  1799. * buffer as empty.
  1800. */
  1801. TLS_BUFFER_set_left(&rl->wbuf[0], 0);
  1802. return 1;
  1803. }
  1804. /* Read direction */
  1805. /* If we have pending data to be read then buffers are already allocated */
  1806. if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0)
  1807. return 1;
  1808. return tls_setup_read_buffer(rl);
  1809. }
  1810. int tls_free_buffers(OSSL_RECORD_LAYER *rl)
  1811. {
  1812. if (rl->direction == OSSL_RECORD_DIRECTION_WRITE) {
  1813. if (rl->nextwbuf < rl->numwpipes) {
  1814. /*
  1815. * We may have pending data. If we've just got one empty buffer
  1816. * allocated then it has probably just been alloc'd via
  1817. * tls_alloc_buffers, and it is fine to free it. Otherwise this
  1818. * looks like real pending data and it is an error.
  1819. */
  1820. if (rl->nextwbuf != 0
  1821. || rl->numwpipes != 1
  1822. || TLS_BUFFER_get_left(&rl->wbuf[0]) != 0)
  1823. return 0;
  1824. }
  1825. tls_release_write_buffer(rl);
  1826. return 1;
  1827. }
  1828. /* Read direction */
  1829. /* If we have pending data to be read then fail */
  1830. if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0)
  1831. return 0;
  1832. return tls_release_read_buffer(rl);
  1833. }
  1834. const OSSL_RECORD_METHOD ossl_tls_record_method = {
  1835. tls_new_record_layer,
  1836. tls_free,
  1837. tls_unprocessed_read_pending,
  1838. tls_processed_read_pending,
  1839. tls_app_data_pending,
  1840. tls_get_max_records,
  1841. tls_write_records,
  1842. tls_retry_write_records,
  1843. tls_read_record,
  1844. tls_release_record,
  1845. tls_get_alert_code,
  1846. tls_set1_bio,
  1847. tls_set_protocol_version,
  1848. tls_set_plain_alerts,
  1849. tls_set_first_handshake,
  1850. tls_set_max_pipelines,
  1851. NULL,
  1852. tls_get_state,
  1853. tls_set_options,
  1854. tls_get_compression,
  1855. tls_set_max_frag_len,
  1856. NULL,
  1857. tls_increment_sequence_ctr,
  1858. tls_alloc_buffers,
  1859. tls_free_buffers
  1860. };