1 /*
2 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <assert.h>
11 #include "../../ssl_local.h"
12 #include "../record_local.h"
13 #include "recmethod_local.h"
14
15 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
satsub64be(const unsigned char * v1,const unsigned char * v2)16 static int satsub64be(const unsigned char *v1, const unsigned char *v2)
17 {
18 int64_t ret;
19 uint64_t l1, l2;
20
21 n2l8(v1, l1);
22 n2l8(v2, l2);
23
24 ret = l1 - l2;
25
26 /* We do not permit wrap-around */
27 if (l1 > l2 && ret < 0)
28 return 128;
29 else if (l2 > l1 && ret > 0)
30 return -128;
31
32 if (ret > 128)
33 return 128;
34 else if (ret < -128)
35 return -128;
36 else
37 return (int)ret;
38 }
39
dtls_record_replay_check(OSSL_RECORD_LAYER * rl,DTLS_BITMAP * bitmap)40 static int dtls_record_replay_check(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
41 {
42 int cmp;
43 unsigned int shift;
44 const unsigned char *seq = rl->sequence;
45
46 cmp = satsub64be(seq, bitmap->max_seq_num);
47 if (cmp > 0) {
48 ossl_tls_rl_record_set_seq_num(&rl->rrec[0], seq);
49 return 1; /* this record in new */
50 }
51 shift = -cmp;
52 if (shift >= sizeof(bitmap->map) * 8)
53 return 0; /* stale, outside the window */
54 else if (bitmap->map & ((uint64_t)1 << shift))
55 return 0; /* record previously received */
56
57 ossl_tls_rl_record_set_seq_num(&rl->rrec[0], seq);
58 return 1;
59 }
60
dtls_record_bitmap_update(OSSL_RECORD_LAYER * rl,DTLS_BITMAP * bitmap)61 static void dtls_record_bitmap_update(OSSL_RECORD_LAYER *rl,
62 DTLS_BITMAP *bitmap)
63 {
64 int cmp;
65 unsigned int shift;
66 const unsigned char *seq = rl->sequence;
67
68 cmp = satsub64be(seq, bitmap->max_seq_num);
69 if (cmp > 0) {
70 shift = cmp;
71 if (shift < sizeof(bitmap->map) * 8)
72 bitmap->map <<= shift, bitmap->map |= 1UL;
73 else
74 bitmap->map = 1UL;
75 memcpy(bitmap->max_seq_num, seq, SEQ_NUM_SIZE);
76 } else {
77 shift = -cmp;
78 if (shift < sizeof(bitmap->map) * 8)
79 bitmap->map |= (uint64_t)1 << shift;
80 }
81 }
82
dtls_get_bitmap(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * rr,unsigned int * is_next_epoch)83 static DTLS_BITMAP *dtls_get_bitmap(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rr,
84 unsigned int *is_next_epoch)
85 {
86 *is_next_epoch = 0;
87
88 /* In current epoch, accept HM, CCS, DATA, & ALERT */
89 if (rr->epoch == rl->epoch)
90 return &rl->bitmap;
91
92 /*
93 * Check if the message is from the next epoch
94 */
95 else if (rr->epoch == rl->epoch + 1) {
96 *is_next_epoch = 1;
97 return &rl->next_bitmap;
98 }
99
100 return NULL;
101 }
102
dtls_set_in_init(OSSL_RECORD_LAYER * rl,int in_init)103 static void dtls_set_in_init(OSSL_RECORD_LAYER *rl, int in_init)
104 {
105 rl->in_init = in_init;
106 }
107
dtls_process_record(OSSL_RECORD_LAYER * rl,DTLS_BITMAP * bitmap)108 static int dtls_process_record(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
109 {
110 int i;
111 int enc_err;
112 TLS_RL_RECORD *rr;
113 int imac_size;
114 size_t mac_size = 0;
115 unsigned char md[EVP_MAX_MD_SIZE];
116 SSL_MAC_BUF macbuf = { NULL, 0 };
117 int ret = 0;
118
119 rr = &rl->rrec[0];
120
121 /*
122 * At this point, rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length,
123 * and we have that many bytes in rl->packet
124 */
125 rr->input = &(rl->packet[DTLS1_RT_HEADER_LENGTH]);
126
127 /*
128 * ok, we can now read from 'rl->packet' data into 'rr'. rr->input
129 * points at rr->length bytes, which need to be copied into rr->data by
130 * either the decryption or by the decompression. When the data is 'copied'
131 * into the rr->data buffer, rr->input will be pointed at the new buffer
132 */
133
134 /*
135 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
136 * bytes of encrypted compressed stuff.
137 */
138
139 /* check is not needed I believe */
140 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
141 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
142 return 0;
143 }
144
145 /* decrypt in place in 'rr->input' */
146 rr->data = rr->input;
147 rr->orig_len = rr->length;
148
149 if (rl->md_ctx != NULL) {
150 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
151
152 if (tmpmd != NULL) {
153 imac_size = EVP_MD_get_size(tmpmd);
154 if (!ossl_assert(imac_size > 0 && imac_size <= EVP_MAX_MD_SIZE)) {
155 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
156 return 0;
157 }
158 mac_size = (size_t)imac_size;
159 }
160 }
161
162 if (rl->use_etm && rl->md_ctx != NULL) {
163 unsigned char *mac;
164
165 if (rr->orig_len < mac_size) {
166 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
167 return 0;
168 }
169 rr->length -= mac_size;
170 mac = rr->data + rr->length;
171 i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
172 if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
173 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
174 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
175 return 0;
176 }
177 /*
178 * We've handled the mac now - there is no MAC inside the encrypted
179 * record
180 */
181 mac_size = 0;
182 }
183
184 /*
185 * Set a mark around the packet decryption attempt. This is DTLS, so
186 * bad packets are just ignored, and we don't want to leave stray
187 * errors in the queue from processing bogus junk that we ignored.
188 */
189 ERR_set_mark();
190 enc_err = rl->funcs->cipher(rl, rr, 1, 0, &macbuf, mac_size);
191
192 /*-
193 * enc_err is:
194 * 0: if the record is publicly invalid, or an internal error, or AEAD
195 * decryption failed, or ETM decryption failed.
196 * 1: Success or MTE decryption failed (MAC will be randomised)
197 */
198 if (enc_err == 0) {
199 ERR_pop_to_mark();
200 if (rl->alert != SSL_AD_NO_ALERT) {
201 /* RLAYERfatal() already called */
202 goto end;
203 }
204 /* For DTLS we simply ignore bad packets. */
205 rr->length = 0;
206 rl->packet_length = 0;
207 goto end;
208 }
209 ERR_clear_last_mark();
210 OSSL_TRACE_BEGIN(TLS)
211 {
212 BIO_printf(trc_out, "dec %zd\n", rr->length);
213 BIO_dump_indent(trc_out, rr->data, rr->length, 4);
214 }
215 OSSL_TRACE_END(TLS);
216
217 /* r->length is now the compressed data plus mac */
218 if (!rl->use_etm
219 && (rl->enc_ctx != NULL)
220 && (EVP_MD_CTX_get0_md(rl->md_ctx) != NULL)) {
221 /* rl->md_ctx != NULL => mac_size != -1 */
222
223 i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
224 if (i == 0 || macbuf.mac == NULL
225 || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0)
226 enc_err = 0;
227 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
228 enc_err = 0;
229 }
230
231 if (enc_err == 0) {
232 /* decryption failed, silently discard message */
233 rr->length = 0;
234 rl->packet_length = 0;
235 goto end;
236 }
237
238 /* r->length is now just compressed */
239 if (rl->compctx != NULL) {
240 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
241 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
242 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
243 goto end;
244 }
245 if (!tls_do_uncompress(rl, rr)) {
246 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION);
247 goto end;
248 }
249 }
250
251 /*
252 * Check if the received packet overflows the current Max Fragment
253 * Length setting.
254 */
255 if (rr->length > rl->max_frag_len) {
256 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
257 goto end;
258 }
259
260 rr->off = 0;
261 /*-
262 * So at this point the following is true
263 * ssl->s3.rrec.type is the type of record
264 * ssl->s3.rrec.length == number of bytes in record
265 * ssl->s3.rrec.off == offset to first valid byte
266 * ssl->s3.rrec.data == where to take bytes from, increment
267 * after use :-).
268 */
269
270 /* we have pulled in a full packet so zero things */
271 rl->packet_length = 0;
272
273 /* Mark receipt of record. */
274 dtls_record_bitmap_update(rl, bitmap);
275
276 ret = 1;
277 end:
278 if (macbuf.alloced)
279 OPENSSL_free(macbuf.mac);
280 return ret;
281 }
282
dtls_rlayer_buffer_record(OSSL_RECORD_LAYER * rl,struct pqueue_st * queue,unsigned char * priority)283 static int dtls_rlayer_buffer_record(OSSL_RECORD_LAYER *rl, struct pqueue_st *queue,
284 unsigned char *priority)
285 {
286 DTLS_RLAYER_RECORD_DATA *rdata;
287 pitem *item;
288
289 /* Limit the size of the queue to prevent DOS attacks */
290 if (pqueue_size(queue) >= 100)
291 return 0;
292
293 rdata = OPENSSL_malloc(sizeof(*rdata));
294 item = pitem_new(priority, rdata);
295 if (rdata == NULL || item == NULL) {
296 OPENSSL_free(rdata);
297 pitem_free(item);
298 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
299 return -1;
300 }
301
302 rdata->packet = rl->packet;
303 rdata->packet_length = rl->packet_length;
304 memcpy(&(rdata->rbuf), &rl->rbuf, sizeof(TLS_BUFFER));
305 memcpy(&(rdata->rrec), &rl->rrec[0], sizeof(TLS_RL_RECORD));
306
307 item->data = rdata;
308
309 rl->packet = NULL;
310 rl->packet_length = 0;
311 memset(&rl->rbuf, 0, sizeof(TLS_BUFFER));
312 memset(&rl->rrec[0], 0, sizeof(rl->rrec[0]));
313
314 if (!tls_setup_read_buffer(rl)) {
315 /* RLAYERfatal() already called */
316 OPENSSL_free(rdata->rbuf.buf);
317 OPENSSL_free(rdata);
318 pitem_free(item);
319 return -1;
320 }
321
322 if (pqueue_insert(queue, item) == NULL) {
323 /* Must be a duplicate so ignore it */
324 OPENSSL_free(rdata->rbuf.buf);
325 OPENSSL_free(rdata);
326 pitem_free(item);
327 }
328
329 return 1;
330 }
331
332 /* copy buffered record into OSSL_RECORD_LAYER structure */
dtls_copy_rlayer_record(OSSL_RECORD_LAYER * rl,pitem * item)333 static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER *rl, pitem *item)
334 {
335 DTLS_RLAYER_RECORD_DATA *rdata;
336
337 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
338
339 ossl_tls_buffer_release(&rl->rbuf);
340
341 rl->packet = rdata->packet;
342 rl->packet_length = rdata->packet_length;
343 memcpy(&rl->rbuf, &(rdata->rbuf), sizeof(TLS_BUFFER));
344 memcpy(&rl->rrec[0], &(rdata->rrec), sizeof(TLS_RL_RECORD));
345
346 /* Set proper sequence number for mac calculation */
347 memcpy(&(rl->sequence[2]), &(rdata->packet[5]), 6);
348
349 return 1;
350 }
351
dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER * rl,struct pqueue_st * queue)352 static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER *rl,
353 struct pqueue_st *queue)
354 {
355 pitem *item;
356
357 item = pqueue_pop(queue);
358 if (item) {
359 dtls_copy_rlayer_record(rl, item);
360
361 OPENSSL_free(item->data);
362 pitem_free(item);
363
364 return 1;
365 }
366
367 return 0;
368 }
369
370 /*-
371 * Call this to get a new input record.
372 * It will return <= 0 if more data is needed, normally due to an error
373 * or non-blocking IO.
374 * When it finishes, one packet has been decoded and can be found in
375 * ssl->s3.rrec.type - is the type of record
376 * ssl->s3.rrec.data - data
377 * ssl->s3.rrec.length - number of bytes
378 */
dtls_get_more_records(OSSL_RECORD_LAYER * rl)379 int dtls_get_more_records(OSSL_RECORD_LAYER *rl)
380 {
381 int ssl_major, ssl_minor;
382 int rret;
383 size_t more, n;
384 TLS_RL_RECORD *rr;
385 unsigned char *p = NULL;
386 DTLS_BITMAP *bitmap;
387 unsigned int is_next_epoch;
388
389 rl->num_recs = 0;
390 rl->curr_rec = 0;
391 rl->num_released = 0;
392
393 rr = rl->rrec;
394
395 if (rl->rbuf.buf == NULL) {
396 if (!tls_setup_read_buffer(rl)) {
397 /* RLAYERfatal() already called */
398 return OSSL_RECORD_RETURN_FATAL;
399 }
400 }
401
402 again:
403 /* if we're renegotiating, then there may be buffered records */
404 if (dtls_retrieve_rlayer_buffered_record(rl, rl->processed_rcds)) {
405 rl->num_recs = 1;
406 return OSSL_RECORD_RETURN_SUCCESS;
407 }
408
409 /* get something from the wire */
410
411 /* check if we have the header */
412 if ((rl->rstate != SSL_ST_READ_BODY) || (rl->packet_length < DTLS1_RT_HEADER_LENGTH)) {
413 rret = rl->funcs->read_n(rl, DTLS1_RT_HEADER_LENGTH,
414 TLS_BUFFER_get_len(&rl->rbuf), 0, 1, &n);
415 /* read timeout is handled by dtls1_read_bytes */
416 if (rret < OSSL_RECORD_RETURN_SUCCESS) {
417 /* RLAYERfatal() already called if appropriate */
418 return rret; /* error or non-blocking */
419 }
420
421 /* this packet contained a partial record, dump it */
422 if (rl->packet_length != DTLS1_RT_HEADER_LENGTH) {
423 rl->packet_length = 0;
424 goto again;
425 }
426
427 rl->rstate = SSL_ST_READ_BODY;
428
429 p = rl->packet;
430
431 /* Pull apart the header into the DTLS1_RECORD */
432 rr->type = *(p++);
433 ssl_major = *(p++);
434 ssl_minor = *(p++);
435 rr->rec_version = (ssl_major << 8) | ssl_minor;
436
437 /* sequence number is 64 bits, with top 2 bytes = epoch */
438 n2s(p, rr->epoch);
439
440 memcpy(&(rl->sequence[2]), p, 6);
441 p += 6;
442
443 n2s(p, rr->length);
444
445 if (rl->msg_callback != NULL)
446 rl->msg_callback(0, rr->rec_version, SSL3_RT_HEADER, rl->packet, DTLS1_RT_HEADER_LENGTH,
447 rl->cbarg);
448
449 /*
450 * Lets check the version. We tolerate alerts that don't have the exact
451 * version number (e.g. because of protocol version errors)
452 */
453 if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) {
454 if (rr->rec_version != rl->version) {
455 /* unexpected version, silently discard */
456 rr->length = 0;
457 rl->packet_length = 0;
458 goto again;
459 }
460 }
461
462 if (ssl_major != (rl->version == DTLS_ANY_VERSION ? DTLS1_VERSION_MAJOR : rl->version >> 8)) {
463 /* wrong version, silently discard record */
464 rr->length = 0;
465 rl->packet_length = 0;
466 goto again;
467 }
468
469 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
470 /* record too long, silently discard it */
471 rr->length = 0;
472 rl->packet_length = 0;
473 goto again;
474 }
475
476 /*
477 * If received packet overflows maximum possible fragment length then
478 * silently discard it
479 */
480 if (rr->length > rl->max_frag_len + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) {
481 /* record too long, silently discard it */
482 rr->length = 0;
483 rl->packet_length = 0;
484 goto again;
485 }
486
487 /* now rl->rstate == SSL_ST_READ_BODY */
488 }
489
490 /* rl->rstate == SSL_ST_READ_BODY, get and decode the data */
491
492 if (rr->length > rl->packet_length - DTLS1_RT_HEADER_LENGTH) {
493 /* now rl->packet_length == DTLS1_RT_HEADER_LENGTH */
494 more = rr->length;
495 rret = rl->funcs->read_n(rl, more, more, 1, 1, &n);
496 /* this packet contained a partial record, dump it */
497 if (rret < OSSL_RECORD_RETURN_SUCCESS || n != more) {
498 if (rl->alert != SSL_AD_NO_ALERT) {
499 /* read_n() called RLAYERfatal() */
500 return OSSL_RECORD_RETURN_FATAL;
501 }
502 rr->length = 0;
503 rl->packet_length = 0;
504 goto again;
505 }
506
507 /*
508 * now n == rr->length,
509 * and rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length
510 */
511 }
512 /* set state for later operations */
513 rl->rstate = SSL_ST_READ_HEADER;
514
515 /* match epochs. NULL means the packet is dropped on the floor */
516 bitmap = dtls_get_bitmap(rl, rr, &is_next_epoch);
517 if (bitmap == NULL) {
518 rr->length = 0;
519 rl->packet_length = 0; /* dump this record */
520 goto again; /* get another record */
521 }
522 #ifndef OPENSSL_NO_SCTP
523 /* Only do replay check if no SCTP bio */
524 if (!BIO_dgram_is_sctp(rl->bio)) {
525 #endif
526 /* Check whether this is a repeat, or aged record. */
527 if (!dtls_record_replay_check(rl, bitmap)) {
528 rr->length = 0;
529 rl->packet_length = 0; /* dump this record */
530 goto again; /* get another record */
531 }
532 #ifndef OPENSSL_NO_SCTP
533 }
534 #endif
535
536 /* just read a 0 length packet */
537 if (rr->length == 0)
538 goto again;
539
540 /*
541 * If this record is from the next epoch (either HM or ALERT), and a
542 * handshake is currently in progress, buffer it since it cannot be
543 * processed at this time.
544 */
545 if (is_next_epoch) {
546 if (rl->in_init) {
547 if (dtls_rlayer_buffer_record(rl, rl->unprocessed_rcds,
548 rr->seq_num)
549 < 0) {
550 /* RLAYERfatal() already called */
551 return OSSL_RECORD_RETURN_FATAL;
552 }
553 }
554 rr->length = 0;
555 rl->packet_length = 0;
556 goto again;
557 }
558
559 if (!dtls_process_record(rl, bitmap)) {
560 if (rl->alert != SSL_AD_NO_ALERT) {
561 /* dtls_process_record() called RLAYERfatal */
562 return OSSL_RECORD_RETURN_FATAL;
563 }
564 rr->length = 0;
565 rl->packet_length = 0; /* dump this record */
566 goto again; /* get another record */
567 }
568
569 if (rl->funcs->post_process_record && !rl->funcs->post_process_record(rl, rr)) {
570 /* RLAYERfatal already called */
571 return OSSL_RECORD_RETURN_FATAL;
572 }
573
574 if (rr->length == 0) {
575 /* No payload data in this record. Dump it */
576 rl->packet_length = 0;
577 goto again;
578 }
579
580 rl->num_recs = 1;
581 return OSSL_RECORD_RETURN_SUCCESS;
582 }
583
dtls_free(OSSL_RECORD_LAYER * rl)584 static int dtls_free(OSSL_RECORD_LAYER *rl)
585 {
586 TLS_BUFFER *rbuf;
587 size_t left, written;
588 pitem *item;
589 DTLS_RLAYER_RECORD_DATA *rdata;
590 int ret = 1;
591
592 rbuf = &rl->rbuf;
593
594 left = rbuf->left;
595 if (left > 0) {
596 /*
597 * This record layer is closing but we still have data left in our
598 * buffer. It must be destined for the next epoch - so push it there.
599 */
600 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
601 rbuf->left = 0;
602 }
603
604 if (rl->unprocessed_rcds != NULL) {
605 while ((item = pqueue_pop(rl->unprocessed_rcds)) != NULL) {
606 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
607 /* Push to the next record layer */
608 ret &= BIO_write_ex(rl->next, rdata->packet, rdata->packet_length,
609 &written);
610 OPENSSL_free(rdata->rbuf.buf);
611 OPENSSL_free(item->data);
612 pitem_free(item);
613 }
614 pqueue_free(rl->unprocessed_rcds);
615 }
616
617 if (rl->processed_rcds != NULL) {
618 while ((item = pqueue_pop(rl->processed_rcds)) != NULL) {
619 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
620 OPENSSL_free(rdata->rbuf.buf);
621 OPENSSL_free(item->data);
622 pitem_free(item);
623 }
624 pqueue_free(rl->processed_rcds);
625 }
626
627 return tls_free(rl) && ret;
628 }
629
630 static int
dtls_new_record_layer(OSSL_LIB_CTX * libctx,const char * propq,int vers,int role,int direction,int level,uint16_t epoch,unsigned char * secret,size_t secretlen,unsigned char * key,size_t keylen,unsigned char * iv,size_t ivlen,unsigned char * mackey,size_t mackeylen,const EVP_CIPHER * ciph,size_t taglen,int mactype,const EVP_MD * md,COMP_METHOD * comp,const EVP_MD * kdfdigest,BIO * prev,BIO * transport,BIO * next,BIO_ADDR * local,BIO_ADDR * peer,const OSSL_PARAM * settings,const OSSL_PARAM * options,const OSSL_DISPATCH * fns,void * cbarg,void * rlarg,OSSL_RECORD_LAYER ** retrl)631 dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
632 int role, int direction, int level, uint16_t epoch,
633 unsigned char *secret, size_t secretlen,
634 unsigned char *key, size_t keylen, unsigned char *iv,
635 size_t ivlen, unsigned char *mackey, size_t mackeylen,
636 const EVP_CIPHER *ciph, size_t taglen,
637 int mactype,
638 const EVP_MD *md, COMP_METHOD *comp,
639 const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
640 BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
641 const OSSL_PARAM *settings, const OSSL_PARAM *options,
642 const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
643 OSSL_RECORD_LAYER **retrl)
644 {
645 int ret;
646
647 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
648 ciph, taglen, md, comp, prev,
649 transport, next, settings,
650 options, fns, cbarg, retrl);
651
652 if (ret != OSSL_RECORD_RETURN_SUCCESS)
653 return ret;
654
655 (*retrl)->unprocessed_rcds = pqueue_new();
656 (*retrl)->processed_rcds = pqueue_new();
657
658 if ((*retrl)->unprocessed_rcds == NULL
659 || (*retrl)->processed_rcds == NULL) {
660 dtls_free(*retrl);
661 *retrl = NULL;
662 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
663 return OSSL_RECORD_RETURN_FATAL;
664 }
665
666 (*retrl)->isdtls = 1;
667 (*retrl)->epoch = epoch;
668 (*retrl)->in_init = 1;
669
670 switch (vers) {
671 case DTLS_ANY_VERSION:
672 (*retrl)->funcs = &dtls_any_funcs;
673 break;
674 case DTLS1_2_VERSION:
675 case DTLS1_VERSION:
676 case DTLS1_BAD_VER:
677 (*retrl)->funcs = &dtls_1_funcs;
678 break;
679 default:
680 /* Should not happen */
681 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
682 ret = OSSL_RECORD_RETURN_FATAL;
683 goto err;
684 }
685
686 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
687 ivlen, mackey, mackeylen, ciph,
688 taglen, mactype, md, comp);
689
690 err:
691 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
692 dtls_free(*retrl);
693 *retrl = NULL;
694 }
695 return ret;
696 }
697
dtls_prepare_record_header(OSSL_RECORD_LAYER * rl,WPACKET * thispkt,OSSL_RECORD_TEMPLATE * templ,uint8_t rectype,unsigned char ** recdata)698 int dtls_prepare_record_header(OSSL_RECORD_LAYER *rl,
699 WPACKET *thispkt,
700 OSSL_RECORD_TEMPLATE *templ,
701 uint8_t rectype,
702 unsigned char **recdata)
703 {
704 size_t maxcomplen;
705
706 *recdata = NULL;
707
708 maxcomplen = templ->buflen;
709 if (rl->compctx != NULL)
710 maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
711
712 if (!WPACKET_put_bytes_u8(thispkt, rectype)
713 || !WPACKET_put_bytes_u16(thispkt, templ->version)
714 || !WPACKET_put_bytes_u16(thispkt, rl->epoch)
715 || !WPACKET_memcpy(thispkt, &(rl->sequence[2]), 6)
716 || !WPACKET_start_sub_packet_u16(thispkt)
717 || (rl->eivlen > 0
718 && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL))
719 || (maxcomplen > 0
720 && !WPACKET_reserve_bytes(thispkt, maxcomplen,
721 recdata))) {
722 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
723 return 0;
724 }
725
726 return 1;
727 }
728
dtls_post_encryption_processing(OSSL_RECORD_LAYER * rl,size_t mac_size,OSSL_RECORD_TEMPLATE * thistempl,WPACKET * thispkt,TLS_RL_RECORD * thiswr)729 int dtls_post_encryption_processing(OSSL_RECORD_LAYER *rl,
730 size_t mac_size,
731 OSSL_RECORD_TEMPLATE *thistempl,
732 WPACKET *thispkt,
733 TLS_RL_RECORD *thiswr)
734 {
735 if (!tls_post_encryption_processing_default(rl, mac_size, thistempl,
736 thispkt, thiswr)) {
737 /* RLAYERfatal() already called */
738 return 0;
739 }
740
741 return tls_increment_sequence_ctr(rl);
742 }
743
dtls_get_max_record_overhead(OSSL_RECORD_LAYER * rl)744 static size_t dtls_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
745 {
746 size_t blocksize = 0;
747
748 if (rl->enc_ctx != NULL && (EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE))
749 blocksize = EVP_CIPHER_CTX_get_block_size(rl->enc_ctx);
750
751 /*
752 * If we have a cipher in place then the tag is mandatory. If the cipher is
753 * CBC mode then an explicit IV is also mandatory. If we know the digest,
754 * then we check it is consistent with the taglen. In the case of stitched
755 * ciphers or AEAD ciphers we don't now the digest (or there isn't one) so
756 * we just trust that the taglen is correct.
757 */
758 assert(rl->enc_ctx == NULL || ((blocksize == 0 || rl->eivlen > 0) && rl->taglen > 0));
759 assert(rl->md == NULL || (int)rl->taglen == EVP_MD_size(rl->md));
760
761 /*
762 * Record overhead consists of the record header, the explicit IV, any
763 * expansion due to cbc padding, and the mac/tag len. There could be
764 * further expansion due to compression - but we don't know what this will
765 * be without knowing the length of the data. However when this function is
766 * called we don't know what the length will be yet - so this is a catch-22.
767 * We *could* use SSL_3_RT_MAX_COMPRESSED_OVERHEAD which is an upper limit
768 * for the maximum record size. But this value is larger than our fallback
769 * MTU size - so isn't very helpful. We just ignore potential expansion
770 * due to compression.
771 */
772 return DTLS1_RT_HEADER_LENGTH + rl->eivlen + blocksize + rl->taglen;
773 }
774
775 const OSSL_RECORD_METHOD ossl_dtls_record_method = {
776 dtls_new_record_layer,
777 dtls_free,
778 tls_unprocessed_read_pending,
779 tls_processed_read_pending,
780 tls_app_data_pending,
781 tls_get_max_records,
782 tls_write_records,
783 tls_retry_write_records,
784 tls_read_record,
785 tls_release_record,
786 tls_get_alert_code,
787 tls_set1_bio,
788 tls_set_protocol_version,
789 NULL,
790 tls_set_first_handshake,
791 tls_set_max_pipelines,
792 dtls_set_in_init,
793 tls_get_state,
794 tls_set_options,
795 tls_get_compression,
796 tls_set_max_frag_len,
797 dtls_get_max_record_overhead,
798 tls_increment_sequence_ctr,
799 tls_alloc_buffers,
800 tls_free_buffers
801 };
802