rec_layer_d1.c 22 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707
  1. /*
  2. * Copyright 2005-2024 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include <errno.h>
  11. #include "../ssl_local.h"
  12. #include <openssl/evp.h>
  13. #include <openssl/buffer.h>
  14. #include "record_local.h"
  15. #include "internal/packet.h"
  16. #include "internal/cryptlib.h"
  17. int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl)
  18. {
  19. DTLS_RECORD_LAYER *d;
  20. if ((d = OPENSSL_malloc(sizeof(*d))) == NULL)
  21. return 0;
  22. rl->d = d;
  23. d->buffered_app_data = pqueue_new();
  24. if (d->buffered_app_data == NULL) {
  25. OPENSSL_free(d);
  26. rl->d = NULL;
  27. return 0;
  28. }
  29. return 1;
  30. }
  31. void DTLS_RECORD_LAYER_free(RECORD_LAYER *rl)
  32. {
  33. if (rl->d == NULL)
  34. return;
  35. DTLS_RECORD_LAYER_clear(rl);
  36. pqueue_free(rl->d->buffered_app_data);
  37. OPENSSL_free(rl->d);
  38. rl->d = NULL;
  39. }
  40. void DTLS_RECORD_LAYER_clear(RECORD_LAYER *rl)
  41. {
  42. DTLS_RECORD_LAYER *d;
  43. pitem *item = NULL;
  44. TLS_RECORD *rec;
  45. pqueue *buffered_app_data;
  46. d = rl->d;
  47. while ((item = pqueue_pop(d->buffered_app_data)) != NULL) {
  48. rec = (TLS_RECORD *)item->data;
  49. if (rl->s->options & SSL_OP_CLEANSE_PLAINTEXT)
  50. OPENSSL_cleanse(rec->allocdata, rec->length);
  51. OPENSSL_free(rec->allocdata);
  52. OPENSSL_free(item->data);
  53. pitem_free(item);
  54. }
  55. buffered_app_data = d->buffered_app_data;
  56. memset(d, 0, sizeof(*d));
  57. d->buffered_app_data = buffered_app_data;
  58. }
  59. static int dtls_buffer_record(SSL_CONNECTION *s, TLS_RECORD *rec)
  60. {
  61. TLS_RECORD *rdata;
  62. pitem *item;
  63. struct pqueue_st *queue = s->rlayer.d->buffered_app_data;
  64. /* Limit the size of the queue to prevent DOS attacks */
  65. if (pqueue_size(queue) >= 100)
  66. return 0;
  67. /* We don't buffer partially read records */
  68. if (!ossl_assert(rec->off == 0))
  69. return -1;
  70. rdata = OPENSSL_malloc(sizeof(*rdata));
  71. item = pitem_new(rec->seq_num, rdata);
  72. if (rdata == NULL || item == NULL) {
  73. OPENSSL_free(rdata);
  74. pitem_free(item);
  75. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  76. return -1;
  77. }
  78. *rdata = *rec;
  79. /*
  80. * We will release the record from the record layer soon, so we take a copy
  81. * now. Copying data isn't good - but this should be infrequent so we
  82. * accept it here.
  83. */
  84. rdata->data = rdata->allocdata = OPENSSL_memdup(rec->data, rec->length);
  85. if (rdata->data == NULL) {
  86. OPENSSL_free(rdata);
  87. pitem_free(item);
  88. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  89. return -1;
  90. }
  91. /*
  92. * We use a NULL rechandle to indicate that the data field has been
  93. * allocated by us.
  94. */
  95. rdata->rechandle = NULL;
  96. item->data = rdata;
  97. #ifndef OPENSSL_NO_SCTP
  98. /* Store bio_dgram_sctp_rcvinfo struct */
  99. if (BIO_dgram_is_sctp(s->rbio) &&
  100. (ossl_statem_get_state(s) == TLS_ST_SR_FINISHED
  101. || ossl_statem_get_state(s) == TLS_ST_CR_FINISHED)) {
  102. BIO_ctrl(s->rbio, BIO_CTRL_DGRAM_SCTP_GET_RCVINFO,
  103. sizeof(rdata->recordinfo), &rdata->recordinfo);
  104. }
  105. #endif
  106. if (pqueue_insert(queue, item) == NULL) {
  107. /* Must be a duplicate so ignore it */
  108. OPENSSL_free(rdata->allocdata);
  109. OPENSSL_free(rdata);
  110. pitem_free(item);
  111. }
  112. return 1;
  113. }
  114. /* Unbuffer a previously buffered TLS_RECORD structure if any */
  115. static void dtls_unbuffer_record(SSL_CONNECTION *s)
  116. {
  117. TLS_RECORD *rdata;
  118. pitem *item;
  119. /* If we already have records to handle then do nothing */
  120. if (s->rlayer.curr_rec < s->rlayer.num_recs)
  121. return;
  122. item = pqueue_pop(s->rlayer.d->buffered_app_data);
  123. if (item != NULL) {
  124. rdata = (TLS_RECORD *)item->data;
  125. s->rlayer.tlsrecs[0] = *rdata;
  126. s->rlayer.num_recs = 1;
  127. s->rlayer.curr_rec = 0;
  128. #ifndef OPENSSL_NO_SCTP
  129. /* Restore bio_dgram_sctp_rcvinfo struct */
  130. if (BIO_dgram_is_sctp(s->rbio)) {
  131. BIO_ctrl(s->rbio, BIO_CTRL_DGRAM_SCTP_SET_RCVINFO,
  132. sizeof(rdata->recordinfo), &rdata->recordinfo);
  133. }
  134. #endif
  135. OPENSSL_free(item->data);
  136. pitem_free(item);
  137. }
  138. }
  139. /*-
  140. * Return up to 'len' payload bytes received in 'type' records.
  141. * 'type' is one of the following:
  142. *
  143. * - SSL3_RT_HANDSHAKE
  144. * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
  145. * - 0 (during a shutdown, no data has to be returned)
  146. *
  147. * If we don't have stored data to work from, read a SSL/TLS record first
  148. * (possibly multiple records if we still don't have anything to return).
  149. *
  150. * This function must handle any surprises the peer may have for us, such as
  151. * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec
  152. * messages are treated as if they were handshake messages *if* the |recd_type|
  153. * argument is non NULL.
  154. * Also if record payloads contain fragments too small to process, we store
  155. * them until there is enough for the respective protocol (the record protocol
  156. * may use arbitrary fragmentation and even interleaving):
  157. * Change cipher spec protocol
  158. * just 1 byte needed, no need for keeping anything stored
  159. * Alert protocol
  160. * 2 bytes needed (AlertLevel, AlertDescription)
  161. * Handshake protocol
  162. * 4 bytes needed (HandshakeType, uint24 length) -- we just have
  163. * to detect unexpected Client Hello and Hello Request messages
  164. * here, anything else is handled by higher layers
  165. * Application data protocol
  166. * none of our business
  167. */
  168. int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type,
  169. unsigned char *buf, size_t len,
  170. int peek, size_t *readbytes)
  171. {
  172. int i, j, ret;
  173. size_t n;
  174. TLS_RECORD *rr;
  175. void (*cb) (const SSL *ssl, int type2, int val) = NULL;
  176. SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
  177. int is_dtls13;
  178. if (sc == NULL)
  179. return -1;
  180. is_dtls13 = SSL_CONNECTION_IS_DTLS13(sc);
  181. if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
  182. (type != SSL3_RT_HANDSHAKE)) ||
  183. (peek && (type != SSL3_RT_APPLICATION_DATA))) {
  184. SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  185. return -1;
  186. }
  187. if (!ossl_statem_get_in_handshake(sc) && SSL_in_init(s)) {
  188. /* type == SSL3_RT_APPLICATION_DATA */
  189. i = sc->handshake_func(s);
  190. /* SSLfatal() already called if appropriate */
  191. if (i < 0)
  192. return i;
  193. if (i == 0)
  194. return -1;
  195. }
  196. start:
  197. sc->rwstate = SSL_NOTHING;
  198. /*
  199. * We are not handshaking and have no data yet, so process data buffered
  200. * during the last handshake in advance, if any.
  201. */
  202. if (SSL_is_init_finished(s))
  203. dtls_unbuffer_record(sc);
  204. /* Check for timeout */
  205. if (dtls1_handle_timeout(sc) > 0) {
  206. goto start;
  207. } else if (ossl_statem_in_error(sc)) {
  208. /* dtls1_handle_timeout() has failed with a fatal error */
  209. return -1;
  210. }
  211. /* get new packet if necessary */
  212. if (sc->rlayer.curr_rec >= sc->rlayer.num_recs) {
  213. sc->rlayer.curr_rec = sc->rlayer.num_recs = 0;
  214. do {
  215. rr = &sc->rlayer.tlsrecs[sc->rlayer.num_recs];
  216. ret = HANDLE_RLAYER_READ_RETURN(sc,
  217. sc->rlayer.rrlmethod->read_record(sc->rlayer.rrl,
  218. &rr->rechandle,
  219. &rr->version, &rr->type,
  220. &rr->data, &rr->length,
  221. &rr->epoch, rr->seq_num));
  222. if (ret <= 0) {
  223. ret = dtls1_read_failed(sc, ret);
  224. /*
  225. * Anything other than a timeout is an error. SSLfatal() already
  226. * called if appropriate.
  227. */
  228. if (ret <= 0)
  229. return ret;
  230. else
  231. goto start;
  232. }
  233. rr->off = 0;
  234. sc->rlayer.num_recs++;
  235. } while (sc->rlayer.rrlmethod->processed_read_pending(sc->rlayer.rrl)
  236. && sc->rlayer.num_recs < SSL_MAX_PIPELINES);
  237. }
  238. rr = &sc->rlayer.tlsrecs[sc->rlayer.curr_rec];
  239. /*
  240. * Reset the count of consecutive warning alerts if we've got a non-empty
  241. * record that isn't an alert.
  242. */
  243. if (rr->type != SSL3_RT_ALERT && rr->length != 0)
  244. sc->rlayer.alert_count = 0;
  245. /* we now have a packet which can be read and processed */
  246. if (sc->s3.change_cipher_spec /* set when we receive ChangeCipherSpec,
  247. * reset by ssl3_get_finished */
  248. && (rr->type != SSL3_RT_HANDSHAKE)) {
  249. /*
  250. * We now have application data between CCS and Finished. Most likely
  251. * the packets were reordered on their way, so buffer the application
  252. * data for later processing rather than dropping the connection.
  253. */
  254. if (dtls_buffer_record(sc, rr) < 0) {
  255. /* SSLfatal() already called */
  256. return -1;
  257. }
  258. if (!ssl_release_record(sc, rr, 0))
  259. return -1;
  260. goto start;
  261. }
  262. /*
  263. * If the other end has shut down, throw anything we read away (even in
  264. * 'peek' mode)
  265. */
  266. if (sc->shutdown & SSL_RECEIVED_SHUTDOWN) {
  267. if (!ssl_release_record(sc, rr, 0))
  268. return -1;
  269. sc->rwstate = SSL_NOTHING;
  270. return 0;
  271. }
  272. if (type == rr->type
  273. || (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC
  274. && type == SSL3_RT_HANDSHAKE && recvd_type != NULL
  275. && !is_dtls13)) {
  276. /*
  277. * SSL3_RT_APPLICATION_DATA or
  278. * SSL3_RT_HANDSHAKE or
  279. * SSL3_RT_CHANGE_CIPHER_SPEC
  280. */
  281. /*
  282. * make sure that we are not getting application data when we are
  283. * doing a handshake for the first time
  284. */
  285. if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA)
  286. && (SSL_IS_FIRST_HANDSHAKE(sc))) {
  287. SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE,
  288. SSL_R_APP_DATA_IN_HANDSHAKE);
  289. return -1;
  290. }
  291. if (recvd_type != NULL)
  292. *recvd_type = rr->type;
  293. if (len == 0) {
  294. /*
  295. * Release a zero length record. This ensures multiple calls to
  296. * SSL_read() with a zero length buffer will eventually cause
  297. * SSL_pending() to report data as being available.
  298. */
  299. if (rr->length == 0 && !ssl_release_record(sc, rr, 0))
  300. return -1;
  301. return 0;
  302. }
  303. if (len > rr->length)
  304. n = rr->length;
  305. else
  306. n = len;
  307. memcpy(buf, &(rr->data[rr->off]), n);
  308. if (peek) {
  309. if (rr->length == 0 && !ssl_release_record(sc, rr, 0))
  310. return -1;
  311. } else {
  312. if (!ssl_release_record(sc, rr, n))
  313. return -1;
  314. }
  315. #ifndef OPENSSL_NO_SCTP
  316. /*
  317. * We might had to delay a close_notify alert because of reordered
  318. * app data. If there was an alert and there is no message to read
  319. * anymore, finally set shutdown.
  320. */
  321. if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
  322. sc->d1->shutdown_received
  323. && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)) <= 0) {
  324. sc->shutdown |= SSL_RECEIVED_SHUTDOWN;
  325. return 0;
  326. }
  327. #endif
  328. *readbytes = n;
  329. return 1;
  330. }
  331. /*
  332. * If we get here, then type != rr->type; if we have a handshake message,
  333. * then it was unexpected (Hello Request or Client Hello).
  334. */
  335. if (rr->type == SSL3_RT_ALERT) {
  336. unsigned int alert_level, alert_descr;
  337. const unsigned char *alert_bytes = rr->data + rr->off;
  338. PACKET alert;
  339. if (!PACKET_buf_init(&alert, alert_bytes, rr->length)
  340. || !PACKET_get_1(&alert, &alert_level)
  341. || !PACKET_get_1(&alert, &alert_descr)
  342. || PACKET_remaining(&alert) != 0) {
  343. SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_INVALID_ALERT);
  344. return -1;
  345. }
  346. if (sc->msg_callback)
  347. sc->msg_callback(0, sc->version, SSL3_RT_ALERT, alert_bytes, 2, s,
  348. sc->msg_callback_arg);
  349. if (sc->info_callback != NULL)
  350. cb = sc->info_callback;
  351. else if (s->ctx->info_callback != NULL)
  352. cb = s->ctx->info_callback;
  353. if (cb != NULL) {
  354. j = (alert_level << 8) | alert_descr;
  355. cb(s, SSL_CB_READ_ALERT, j);
  356. }
  357. if ((!is_dtls13 && alert_level == SSL3_AL_WARNING)
  358. || (is_dtls13 && alert_descr == SSL_AD_USER_CANCELLED)) {
  359. sc->s3.warn_alert = alert_descr;
  360. if (!ssl_release_record(sc, rr, 0))
  361. return -1;
  362. sc->rlayer.alert_count++;
  363. if (sc->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {
  364. SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE,
  365. SSL_R_TOO_MANY_WARN_ALERTS);
  366. return -1;
  367. }
  368. }
  369. /*
  370. * Apart from close_notify the only other warning alert in DTLSv1.3
  371. * is user_cancelled - which we just ignore.
  372. */
  373. if (is_dtls13 && alert_descr == SSL_AD_USER_CANCELLED) {
  374. goto start;
  375. } else if (alert_descr == SSL_AD_CLOSE_NOTIFY
  376. && (is_dtls13 || alert_level == SSL3_AL_WARNING)) {
  377. #ifndef OPENSSL_NO_SCTP
  378. /*
  379. * With SCTP and streams the socket may deliver app data
  380. * after a close_notify alert. We have to check this first so
  381. * that nothing gets discarded.
  382. */
  383. if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
  384. BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)) > 0) {
  385. sc->d1->shutdown_received = 1;
  386. sc->rwstate = SSL_READING;
  387. BIO_clear_retry_flags(SSL_get_rbio(s));
  388. BIO_set_retry_read(SSL_get_rbio(s));
  389. return -1;
  390. }
  391. #endif
  392. sc->shutdown |= SSL_RECEIVED_SHUTDOWN;
  393. return 0;
  394. } else if (alert_level == SSL3_AL_FATAL || is_dtls13) {
  395. sc->rwstate = SSL_NOTHING;
  396. sc->s3.fatal_alert = alert_descr;
  397. SSLfatal_data(sc, SSL_AD_NO_ALERT,
  398. SSL_AD_REASON_OFFSET + alert_descr,
  399. "SSL alert number %d", alert_descr);
  400. sc->shutdown |= SSL_RECEIVED_SHUTDOWN;
  401. if (!ssl_release_record(sc, rr, 0))
  402. return -1;
  403. SSL_CTX_remove_session(sc->session_ctx, sc->session);
  404. return 0;
  405. } else if (alert_level == SSL3_AL_WARNING) {
  406. /* We ignore any other warning alert in (D)TLSv1.2 and below */
  407. goto start;
  408. }
  409. SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_ALERT_TYPE);
  410. return -1;
  411. }
  412. if (sc->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a
  413. * shutdown */
  414. sc->rwstate = SSL_NOTHING;
  415. if (!ssl_release_record(sc, rr, 0))
  416. return -1;
  417. return 0;
  418. }
  419. if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
  420. /*
  421. * We can't process a CCS now, because previous handshake messages
  422. * are still missing, so just drop it.
  423. */
  424. if (!ssl_release_record(sc, rr, 0))
  425. return -1;
  426. goto start;
  427. }
  428. /*
  429. * Unexpected handshake message (Client Hello, or protocol violation)
  430. */
  431. if (rr->type == SSL3_RT_HANDSHAKE && !ossl_statem_get_in_handshake(sc)) {
  432. struct hm_header_st msg_hdr;
  433. /*
  434. * This may just be a stale retransmit. Also sanity check that we have
  435. * at least enough record bytes for a message header
  436. */
  437. if (rr->epoch != sc->rlayer.d->r_epoch
  438. || rr->length < DTLS1_HM_HEADER_LENGTH) {
  439. if (!ssl_release_record(sc, rr, 0))
  440. return -1;
  441. goto start;
  442. }
  443. dtls1_get_message_header(rr->data, &msg_hdr);
  444. /*
  445. * If we are server, we may have a repeated FINISHED of the client
  446. * here, then retransmit our CCS and FINISHED.
  447. */
  448. if (msg_hdr.type == SSL3_MT_FINISHED) {
  449. if (dtls1_check_timeout_num(sc) < 0) {
  450. /* SSLfatal) already called */
  451. return -1;
  452. }
  453. if (dtls1_retransmit_buffered_messages(sc) <= 0) {
  454. /* Fail if we encountered a fatal error */
  455. if (ossl_statem_in_error(sc))
  456. return -1;
  457. }
  458. if (!ssl_release_record(sc, rr, 0))
  459. return -1;
  460. if (!(sc->mode & SSL_MODE_AUTO_RETRY)) {
  461. if (!sc->rlayer.rrlmethod->unprocessed_read_pending(sc->rlayer.rrl)) {
  462. /* no read-ahead left? */
  463. BIO *bio;
  464. sc->rwstate = SSL_READING;
  465. bio = SSL_get_rbio(s);
  466. BIO_clear_retry_flags(bio);
  467. BIO_set_retry_read(bio);
  468. return -1;
  469. }
  470. }
  471. goto start;
  472. }
  473. /*
  474. * To get here we must be trying to read app data but found handshake
  475. * data. But if we're trying to read app data, and we're not in init
  476. * (which is tested for at the top of this function) then init must be
  477. * finished
  478. */
  479. if (!ossl_assert(SSL_is_init_finished(s))) {
  480. SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  481. return -1;
  482. }
  483. /* We found handshake data, so we're going back into init */
  484. ossl_statem_set_in_init(sc, 1);
  485. i = sc->handshake_func(s);
  486. /* SSLfatal() called if appropriate */
  487. if (i < 0)
  488. return i;
  489. if (i == 0)
  490. return -1;
  491. if (!(sc->mode & SSL_MODE_AUTO_RETRY)) {
  492. if (!sc->rlayer.rrlmethod->unprocessed_read_pending(sc->rlayer.rrl)) {
  493. /* no read-ahead left? */
  494. BIO *bio;
  495. /*
  496. * In the case where we try to read application data, but we
  497. * trigger an SSL handshake, we return -1 with the retry
  498. * option set. Otherwise renegotiation may cause nasty
  499. * problems in the blocking world
  500. */
  501. sc->rwstate = SSL_READING;
  502. bio = SSL_get_rbio(s);
  503. BIO_clear_retry_flags(bio);
  504. BIO_set_retry_read(bio);
  505. return -1;
  506. }
  507. }
  508. goto start;
  509. }
  510. switch (rr->type) {
  511. default:
  512. SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD);
  513. return -1;
  514. case SSL3_RT_CHANGE_CIPHER_SPEC:
  515. case SSL3_RT_ALERT:
  516. case SSL3_RT_HANDSHAKE:
  517. /*
  518. * we already handled all of these, with the possible exception of
  519. * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but
  520. * that should not happen when type != rr->type
  521. */
  522. SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE, ERR_R_INTERNAL_ERROR);
  523. return -1;
  524. case SSL3_RT_APPLICATION_DATA:
  525. /*
  526. * At this point, we were expecting handshake data, but have
  527. * application data. If the library was running inside ssl3_read()
  528. * (i.e. in_read_app_data is set) and it makes sense to read
  529. * application data at this point (session renegotiation not yet
  530. * started), we will indulge it.
  531. */
  532. if (sc->s3.in_read_app_data &&
  533. (sc->s3.total_renegotiations != 0) &&
  534. ossl_statem_app_data_allowed(sc)) {
  535. sc->s3.in_read_app_data = 2;
  536. return -1;
  537. } else {
  538. SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD);
  539. return -1;
  540. }
  541. }
  542. /* not reached */
  543. }
  544. /*
  545. * Call this to write data in records of type 'type' It will return <= 0 if
  546. * not all data has been sent or non-blocking IO.
  547. */
  548. int dtls1_write_bytes(SSL_CONNECTION *s, uint8_t type, const void *buf,
  549. size_t len, size_t *written)
  550. {
  551. int i;
  552. if (!ossl_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH)) {
  553. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  554. return -1;
  555. }
  556. s->rwstate = SSL_NOTHING;
  557. i = do_dtls1_write(s, type, buf, len, written);
  558. return i;
  559. }
  560. int do_dtls1_write(SSL_CONNECTION *sc, uint8_t type, const unsigned char *buf,
  561. size_t len, size_t *written)
  562. {
  563. int i;
  564. OSSL_RECORD_TEMPLATE tmpl;
  565. SSL *s = SSL_CONNECTION_GET_SSL(sc);
  566. int ret;
  567. /* If we have an alert to send, lets send it */
  568. if (sc->s3.alert_dispatch > 0) {
  569. i = s->method->ssl_dispatch_alert(s);
  570. if (i <= 0)
  571. return i;
  572. /* if it went, fall through and send more stuff */
  573. }
  574. if (len == 0)
  575. return 0;
  576. if (len > ssl_get_max_send_fragment(sc)) {
  577. SSLfatal(sc, SSL_AD_INTERNAL_ERROR, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE);
  578. return 0;
  579. }
  580. tmpl.type = type;
  581. if (sc->version == DTLS1_3_VERSION)
  582. tmpl.version = DTLS1_2_VERSION;
  583. /*
  584. * Special case: for hello verify request, client version 1.0 and we
  585. * haven't decided which version to use yet send back using version 1.0
  586. * header: otherwise some clients will ignore it.
  587. */
  588. else if (s->method->version == DTLS_ANY_VERSION
  589. && sc->max_proto_version != DTLS1_BAD_VER)
  590. tmpl.version = DTLS1_VERSION;
  591. else
  592. tmpl.version = sc->version;
  593. tmpl.buf = buf;
  594. tmpl.buflen = len;
  595. ret = HANDLE_RLAYER_WRITE_RETURN(sc,
  596. sc->rlayer.wrlmethod->write_records(sc->rlayer.wrl, &tmpl, 1));
  597. if (ret > 0)
  598. *written = (int)len;
  599. return ret;
  600. }
  601. void dtls1_increment_epoch(SSL_CONNECTION *s, int rw)
  602. {
  603. if (rw & SSL3_CC_READ) {
  604. s->rlayer.d->r_epoch++;
  605. /*
  606. * We must not use any buffered messages received from the previous
  607. * epoch
  608. */
  609. dtls1_clear_received_buffer(s);
  610. } else {
  611. s->rlayer.d->w_epoch++;
  612. }
  613. }
  614. uint16_t dtls1_get_epoch(SSL_CONNECTION *s, int rw) {
  615. uint16_t epoch;
  616. if (rw & SSL3_CC_READ)
  617. epoch = s->rlayer.d->r_epoch;
  618. else
  619. epoch = s->rlayer.d->w_epoch;
  620. return epoch;
  621. }