1 /*
2 * Copyright 2022-2026 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <assert.h>
11 #include <openssl/bio.h>
12 #include <openssl/ssl.h>
13 #include <openssl/err.h>
14 #include <openssl/core_names.h>
15 #include <openssl/comp.h>
16 #include <openssl/ssl.h>
17 #include "internal/e_os.h"
18 #include "internal/packet.h"
19 #include "internal/ssl3_cbc.h"
20 #include "../../ssl_local.h"
21 #include "../record_local.h"
22 #include "recmethod_local.h"
23
24 static void tls_int_free(OSSL_RECORD_LAYER *rl);
25
ossl_tls_buffer_release(TLS_BUFFER * b)26 void ossl_tls_buffer_release(TLS_BUFFER *b)
27 {
28 OPENSSL_free(b->buf);
29 b->buf = NULL;
30 }
31
TLS_RL_RECORD_release(TLS_RL_RECORD * r,size_t num_recs)32 static void TLS_RL_RECORD_release(TLS_RL_RECORD *r, size_t num_recs)
33 {
34 size_t i;
35
36 for (i = 0; i < num_recs; i++) {
37 OPENSSL_free(r[i].comp);
38 r[i].comp = NULL;
39 }
40 }
41
ossl_tls_rl_record_set_seq_num(TLS_RL_RECORD * r,const unsigned char * seq_num)42 void ossl_tls_rl_record_set_seq_num(TLS_RL_RECORD *r,
43 const unsigned char *seq_num)
44 {
45 memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
46 }
47
ossl_rlayer_fatal(OSSL_RECORD_LAYER * rl,int al,int reason,const char * fmt,...)48 void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
49 const char *fmt, ...)
50 {
51 va_list args;
52
53 va_start(args, fmt);
54 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
55 va_end(args);
56
57 rl->alert = al;
58 }
59
ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER * rl,EVP_CIPHER_CTX * ctx,const EVP_CIPHER * ciph,const EVP_MD * md)60 int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
61 EVP_CIPHER_CTX *ctx,
62 const EVP_CIPHER *ciph,
63 const EVP_MD *md)
64 {
65 /*
66 * Provided cipher, the TLS padding/MAC removal is performed provider
67 * side so we need to tell the ctx about our TLS version and mac size
68 */
69 OSSL_PARAM params[3], *pprm = params;
70 size_t macsize = 0;
71 int imacsize = -1;
72
73 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
74 && !rl->use_etm)
75 imacsize = EVP_MD_get_size(md);
76 if (imacsize > 0)
77 macsize = (size_t)imacsize;
78
79 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
80 &rl->version);
81 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
82 &macsize);
83 *pprm = OSSL_PARAM_construct_end();
84
85 if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
86 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
87 return 0;
88 }
89
90 return 1;
91 }
92
93 /*
94 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
95 * which ssl3_cbc_digest_record supports.
96 */
ssl3_cbc_record_digest_supported(const EVP_MD_CTX * ctx)97 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
98 {
99 switch (EVP_MD_CTX_get_type(ctx)) {
100 case NID_md5:
101 case NID_sha1:
102 case NID_sha224:
103 case NID_sha256:
104 case NID_sha384:
105 case NID_sha512:
106 return 1;
107 default:
108 return 0;
109 }
110 }
111
112 #ifndef OPENSSL_NO_COMP
tls_allow_compression(OSSL_RECORD_LAYER * rl)113 static int tls_allow_compression(OSSL_RECORD_LAYER *rl)
114 {
115 if (rl->options & SSL_OP_NO_COMPRESSION)
116 return 0;
117
118 return rl->security == NULL
119 || rl->security(rl->cbarg, SSL_SECOP_COMPRESSION, 0, 0, NULL);
120 }
121 #endif
122
tls_release_write_buffer_int(OSSL_RECORD_LAYER * rl,size_t start)123 static void tls_release_write_buffer_int(OSSL_RECORD_LAYER *rl, size_t start)
124 {
125 TLS_BUFFER *wb;
126 size_t pipes;
127
128 pipes = rl->numwpipes;
129
130 while (pipes > start) {
131 wb = &rl->wbuf[pipes - 1];
132
133 if (TLS_BUFFER_is_app_buffer(wb))
134 TLS_BUFFER_set_app_buffer(wb, 0);
135 else
136 OPENSSL_free(wb->buf);
137 wb->buf = NULL;
138 pipes--;
139 }
140 }
141
tls_setup_write_buffer(OSSL_RECORD_LAYER * rl,size_t numwpipes,size_t firstlen,size_t nextlen)142 int tls_setup_write_buffer(OSSL_RECORD_LAYER *rl, size_t numwpipes,
143 size_t firstlen, size_t nextlen)
144 {
145 unsigned char *p;
146 size_t maxalign = 0, headerlen;
147 TLS_BUFFER *wb;
148 size_t currpipe;
149 size_t defltlen = 0;
150 size_t contenttypelen = 0;
151
152 if (firstlen == 0 || (numwpipes > 1 && nextlen == 0)) {
153 if (rl->isdtls)
154 headerlen = DTLS1_RT_HEADER_LENGTH + 1;
155 else
156 headerlen = SSL3_RT_HEADER_LENGTH;
157
158 /* TLSv1.3 adds an extra content type byte after payload data */
159 if (rl->version == TLS1_3_VERSION)
160 contenttypelen = 1;
161
162 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
163 maxalign = SSL3_ALIGN_PAYLOAD - 1;
164 #endif
165
166 defltlen = maxalign + headerlen + rl->eivlen + rl->max_frag_len
167 + contenttypelen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
168 #ifndef OPENSSL_NO_COMP
169 if (tls_allow_compression(rl))
170 defltlen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
171 #endif
172 /*
173 * We don't need to add eivlen here since empty fragments only occur
174 * when we don't have an explicit IV. The contenttype byte will also
175 * always be 0 in these protocol versions
176 */
177 if ((rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0)
178 defltlen += headerlen + maxalign + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
179 }
180
181 wb = rl->wbuf;
182 for (currpipe = 0; currpipe < numwpipes; currpipe++) {
183 TLS_BUFFER *thiswb = &wb[currpipe];
184 size_t len = (currpipe == 0) ? firstlen : nextlen;
185
186 if (len == 0)
187 len = defltlen;
188
189 if (thiswb->len != len) {
190 OPENSSL_free(thiswb->buf);
191 thiswb->buf = NULL; /* force reallocation */
192 }
193
194 p = thiswb->buf;
195 if (p == NULL) {
196 p = OPENSSL_malloc(len);
197 if (p == NULL) {
198 if (rl->numwpipes < currpipe)
199 rl->numwpipes = currpipe;
200 /*
201 * We've got a malloc failure, and we're still initialising
202 * buffers. We assume we're so doomed that we won't even be able
203 * to send an alert.
204 */
205 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
206 return 0;
207 }
208 }
209 memset(thiswb, 0, sizeof(TLS_BUFFER));
210 thiswb->buf = p;
211 thiswb->len = len;
212 }
213
214 /* Free any previously allocated buffers that we are no longer using */
215 tls_release_write_buffer_int(rl, currpipe);
216
217 rl->numwpipes = numwpipes;
218
219 return 1;
220 }
221
tls_release_write_buffer(OSSL_RECORD_LAYER * rl)222 static void tls_release_write_buffer(OSSL_RECORD_LAYER *rl)
223 {
224 tls_release_write_buffer_int(rl, 0);
225
226 rl->numwpipes = 0;
227 }
228
tls_setup_read_buffer(OSSL_RECORD_LAYER * rl)229 int tls_setup_read_buffer(OSSL_RECORD_LAYER *rl)
230 {
231 unsigned char *p;
232 size_t len, maxalign = 0, headerlen;
233 TLS_BUFFER *b;
234
235 b = &rl->rbuf;
236
237 if (rl->isdtls)
238 headerlen = DTLS1_RT_HEADER_LENGTH;
239 else
240 headerlen = SSL3_RT_HEADER_LENGTH;
241
242 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
243 maxalign = SSL3_ALIGN_PAYLOAD - 1;
244 #endif
245
246 if (b->buf == NULL) {
247 len = rl->max_frag_len
248 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + maxalign;
249 #ifndef OPENSSL_NO_COMP
250 if (tls_allow_compression(rl))
251 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
252 #endif
253
254 /* Ensure our buffer is large enough to support all our pipelines */
255 if (rl->max_pipelines > 1)
256 len *= rl->max_pipelines;
257
258 if (b->default_len > len)
259 len = b->default_len;
260
261 if ((p = OPENSSL_malloc(len)) == NULL) {
262 /*
263 * We've got a malloc failure, and we're still initialising buffers.
264 * We assume we're so doomed that we won't even be able to send an
265 * alert.
266 */
267 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
268 return 0;
269 }
270 b->buf = p;
271 b->len = len;
272 }
273
274 return 1;
275 }
276
tls_release_read_buffer(OSSL_RECORD_LAYER * rl)277 static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
278 {
279 TLS_BUFFER *b;
280
281 b = &rl->rbuf;
282 if ((rl->options & SSL_OP_CLEANSE_PLAINTEXT) != 0)
283 OPENSSL_cleanse(b->buf, b->len);
284 OPENSSL_free(b->buf);
285 b->buf = NULL;
286 rl->packet = NULL;
287 rl->packet_length = 0;
288 return 1;
289 }
290
291 /*
292 * Return values are as per SSL_read()
293 */
tls_default_read_n(OSSL_RECORD_LAYER * rl,size_t n,size_t max,int extend,int clearold,size_t * readbytes)294 int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
295 int clearold, size_t *readbytes)
296 {
297 /*
298 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
299 * packet by another n bytes. The packet will be in the sub-array of
300 * rl->rbuf.buf specified by rl->packet and rl->packet_length. (If
301 * rl->read_ahead is set, 'max' bytes may be stored in rbuf [plus
302 * rl->packet_length bytes if extend == 1].) if clearold == 1, move the
303 * packet to the start of the buffer; if clearold == 0 then leave any old
304 * packets where they were
305 */
306 size_t len, left, align = 0;
307 unsigned char *pkt;
308 TLS_BUFFER *rb;
309
310 if (n == 0)
311 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
312
313 rb = &rl->rbuf;
314 left = rb->left;
315 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
316 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
317 align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
318 #endif
319
320 if (!extend) {
321 /* start with empty packet ... */
322 if (left == 0)
323 rb->offset = align;
324
325 rl->packet = rb->buf + rb->offset;
326 rl->packet_length = 0;
327 /* ... now we can act as if 'extend' was set */
328 }
329
330 if (!ossl_assert(rl->packet != NULL)) {
331 /* does not happen */
332 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
333 return OSSL_RECORD_RETURN_FATAL;
334 }
335
336 len = rl->packet_length;
337 pkt = rb->buf + align;
338 /*
339 * Move any available bytes to front of buffer: 'len' bytes already
340 * pointed to by 'packet', 'left' extra ones at the end
341 */
342 if (rl->packet != pkt && clearold == 1) {
343 memmove(pkt, rl->packet, len + left);
344 rl->packet = pkt;
345 rb->offset = len + align;
346 }
347
348 /*
349 * For DTLS/UDP reads should not span multiple packets because the read
350 * operation returns the whole packet at once (as long as it fits into
351 * the buffer).
352 */
353 if (rl->isdtls) {
354 if (left == 0 && extend) {
355 /*
356 * We received a record with a header but no body data. This will
357 * get dumped.
358 */
359 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
360 }
361 if (left > 0 && n > left)
362 n = left;
363 }
364
365 /* if there is enough in the buffer from a previous read, take some */
366 if (left >= n) {
367 rl->packet_length += n;
368 rb->left = left - n;
369 rb->offset += n;
370 *readbytes = n;
371 return OSSL_RECORD_RETURN_SUCCESS;
372 }
373
374 /* else we need to read more data */
375
376 if (n > rb->len - rb->offset) {
377 /* does not happen */
378 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
379 return OSSL_RECORD_RETURN_FATAL;
380 }
381
382 /* We always act like read_ahead is set for DTLS */
383 if (!rl->read_ahead && !rl->isdtls) {
384 /* ignore max parameter */
385 max = n;
386 } else {
387 if (max < n)
388 max = n;
389 if (max > rb->len - rb->offset)
390 max = rb->len - rb->offset;
391 }
392
393 while (left < n) {
394 size_t bioread = 0;
395 int ret;
396 BIO *bio = rl->prev != NULL ? rl->prev : rl->bio;
397
398 /*
399 * Now we have len+left bytes at the front of rl->rbuf.buf and
400 * need to read in more until we have len + n (up to len + max if
401 * possible)
402 */
403
404 clear_sys_error();
405 if (bio != NULL) {
406 ret = BIO_read(bio, pkt + len + left, max - left);
407 if (ret > 0) {
408 bioread = ret;
409 ret = OSSL_RECORD_RETURN_SUCCESS;
410 } else if (BIO_should_retry(bio)) {
411 if (rl->prev != NULL) {
412 /*
413 * We were reading from the previous epoch. Now there is no
414 * more data, so swap to the actual transport BIO
415 */
416 BIO_free(rl->prev);
417 rl->prev = NULL;
418 continue;
419 }
420 ret = OSSL_RECORD_RETURN_RETRY;
421 } else if (BIO_eof(bio)) {
422 ret = OSSL_RECORD_RETURN_EOF;
423 } else {
424 ret = OSSL_RECORD_RETURN_FATAL;
425 }
426 } else {
427 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
428 ret = OSSL_RECORD_RETURN_FATAL;
429 }
430
431 if (ret <= OSSL_RECORD_RETURN_RETRY) {
432 rb->left = left;
433 if ((rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0 && !rl->isdtls)
434 if (len + left == 0)
435 tls_release_read_buffer(rl);
436 return ret;
437 }
438 left += bioread;
439 /*
440 * reads should *never* span multiple packets for DTLS because the
441 * underlying transport protocol is message oriented as opposed to
442 * byte oriented as in the TLS case.
443 */
444 if (rl->isdtls) {
445 if (n > left)
446 n = left; /* makes the while condition false */
447 }
448 }
449
450 /* done reading, now the book-keeping */
451 rb->offset += n;
452 rb->left = left - n;
453 rl->packet_length += n;
454 *readbytes = n;
455 return OSSL_RECORD_RETURN_SUCCESS;
456 }
457
458 /*
459 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
460 * for us in the buffer.
461 */
tls_record_app_data_waiting(OSSL_RECORD_LAYER * rl)462 static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
463 {
464 TLS_BUFFER *rbuf;
465 size_t left, len;
466 unsigned char *p;
467
468 rbuf = &rl->rbuf;
469
470 p = TLS_BUFFER_get_buf(rbuf);
471 if (p == NULL)
472 return 0;
473
474 left = TLS_BUFFER_get_left(rbuf);
475
476 if (left < SSL3_RT_HEADER_LENGTH)
477 return 0;
478
479 p += TLS_BUFFER_get_offset(rbuf);
480
481 /*
482 * We only check the type and record length, we will sanity check version
483 * etc later
484 */
485 if (*p != SSL3_RT_APPLICATION_DATA)
486 return 0;
487
488 p += 3;
489 n2s(p, len);
490
491 if (left < SSL3_RT_HEADER_LENGTH + len)
492 return 0;
493
494 return 1;
495 }
496
rlayer_early_data_count_ok(OSSL_RECORD_LAYER * rl,size_t length,size_t overhead,int send)497 static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length,
498 size_t overhead, int send)
499 {
500 uint32_t max_early_data = rl->max_early_data;
501
502 if (max_early_data == 0) {
503 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
504 SSL_R_TOO_MUCH_EARLY_DATA);
505 return 0;
506 }
507
508 /* If we are dealing with ciphertext we need to allow for the overhead */
509 max_early_data += overhead;
510
511 if (rl->early_data_count + length > max_early_data) {
512 RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
513 SSL_R_TOO_MUCH_EARLY_DATA);
514 return 0;
515 }
516 rl->early_data_count += length;
517
518 return 1;
519 }
520
521 /*
522 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
523 * will be processed per call to tls_get_more_records. Without this limit an
524 * attacker could send empty records at a faster rate than we can process and
525 * cause tls_get_more_records to loop forever.
526 */
527 #define MAX_EMPTY_RECORDS 32
528
529 #define SSL2_RT_HEADER_LENGTH 2
530
531 /*-
532 * Call this to buffer new input records in rl->rrec.
533 * It will return a OSSL_RECORD_RETURN_* value.
534 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
535 * records have been decoded. For each record 'i':
536 * rrec[i].type - is the type of record
537 * rrec[i].data, - data
538 * rrec[i].length, - number of bytes
539 * Multiple records will only be returned if the record types are all
540 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
541 * |max_pipelines|
542 */
tls_get_more_records(OSSL_RECORD_LAYER * rl)543 int tls_get_more_records(OSSL_RECORD_LAYER *rl)
544 {
545 int enc_err, rret;
546 int i;
547 size_t more, n;
548 TLS_RL_RECORD *rr, *thisrr;
549 TLS_BUFFER *rbuf;
550 unsigned char *p;
551 unsigned char md[EVP_MAX_MD_SIZE];
552 unsigned int version;
553 size_t mac_size = 0;
554 int imac_size;
555 size_t num_recs = 0, max_recs, j;
556 PACKET pkt, sslv2pkt;
557 SSL_MAC_BUF *macbufs = NULL;
558 int ret = OSSL_RECORD_RETURN_FATAL;
559
560 rr = rl->rrec;
561 rbuf = &rl->rbuf;
562 if (rbuf->buf == NULL) {
563 if (!tls_setup_read_buffer(rl)) {
564 /* RLAYERfatal() already called */
565 return OSSL_RECORD_RETURN_FATAL;
566 }
567 }
568
569 max_recs = rl->max_pipelines;
570
571 if (max_recs == 0)
572 max_recs = 1;
573
574 do {
575 thisrr = &rr[num_recs];
576
577 /* check if we have the header */
578 if ((rl->rstate != SSL_ST_READ_BODY) || (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
579 size_t sslv2len;
580 unsigned int type;
581
582 rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH,
583 TLS_BUFFER_get_len(rbuf), 0,
584 num_recs == 0 ? 1 : 0, &n);
585
586 if (rret < OSSL_RECORD_RETURN_SUCCESS)
587 return rret; /* error or non-blocking */
588
589 rl->rstate = SSL_ST_READ_BODY;
590
591 p = rl->packet;
592 if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
593 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
594 return OSSL_RECORD_RETURN_FATAL;
595 }
596 sslv2pkt = pkt;
597 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
598 || !PACKET_get_1(&sslv2pkt, &type)) {
599 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
600 return OSSL_RECORD_RETURN_FATAL;
601 }
602 /*
603 * The first record received by the server may be a V2ClientHello.
604 */
605 if (rl->role == OSSL_RECORD_ROLE_SERVER
606 && rl->is_first_record
607 && (sslv2len & 0x8000) != 0
608 && (type == SSL2_MT_CLIENT_HELLO)) {
609 /*
610 * SSLv2 style record
611 *
612 * |num_recs| here will actually always be 0 because
613 * |num_recs > 0| only ever occurs when we are processing
614 * multiple app data records - which we know isn't the case here
615 * because it is an SSLv2ClientHello. We keep it using
616 * |num_recs| for the sake of consistency
617 */
618 thisrr->type = SSL3_RT_HANDSHAKE;
619 thisrr->rec_version = SSL2_VERSION;
620
621 thisrr->length = sslv2len & 0x7fff;
622
623 if (!rl->funcs->validate_record_header(rl, thisrr)) {
624 /* RLAYERfatal already called */
625 return OSSL_RECORD_RETURN_FATAL;
626 }
627
628 if (thisrr->length > TLS_BUFFER_get_len(rbuf)
629 - SSL2_RT_HEADER_LENGTH) {
630 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
631 SSL_R_PACKET_LENGTH_TOO_LONG);
632 return OSSL_RECORD_RETURN_FATAL;
633 }
634 } else {
635 /* SSLv3+ style record */
636
637 /* Pull apart the header into the TLS_RL_RECORD */
638 if (!PACKET_get_1(&pkt, &type)
639 || !PACKET_get_net_2(&pkt, &version)
640 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
641 if (rl->msg_callback != NULL)
642 rl->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, rl->cbarg);
643 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
644 return OSSL_RECORD_RETURN_FATAL;
645 }
646 thisrr->type = type;
647 thisrr->rec_version = version;
648
649 /*
650 * When we call validate_record_header() only records actually
651 * received in SSLv2 format should have the record version set
652 * to SSL2_VERSION. This way validate_record_header() can know
653 * what format the record was in based on the version.
654 */
655 if (thisrr->rec_version == SSL2_VERSION) {
656 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
657 SSL_R_WRONG_VERSION_NUMBER);
658 return OSSL_RECORD_RETURN_FATAL;
659 }
660
661 if (rl->msg_callback != NULL)
662 rl->msg_callback(0, version, SSL3_RT_HEADER, p, 5, rl->cbarg);
663
664 if (!rl->funcs->validate_record_header(rl, thisrr)) {
665 /* RLAYERfatal already called */
666 return OSSL_RECORD_RETURN_FATAL;
667 }
668
669 if (thisrr->length > TLS_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
670 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
671 SSL_R_PACKET_LENGTH_TOO_LONG);
672 return OSSL_RECORD_RETURN_FATAL;
673 }
674 }
675
676 /* now rl->rstate == SSL_ST_READ_BODY */
677 }
678
679 /*
680 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
681 * how much more data we need to read for the rest of the record
682 */
683 if (thisrr->rec_version == SSL2_VERSION) {
684 more = thisrr->length + SSL2_RT_HEADER_LENGTH
685 - SSL3_RT_HEADER_LENGTH;
686 } else {
687 more = thisrr->length;
688 }
689
690 if (more > 0) {
691 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
692
693 rret = rl->funcs->read_n(rl, more, more, 1, 0, &n);
694 if (rret < OSSL_RECORD_RETURN_SUCCESS)
695 return rret; /* error or non-blocking io */
696 }
697
698 /* set state for later operations */
699 rl->rstate = SSL_ST_READ_HEADER;
700
701 /*
702 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
703 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
704 * + thisrr->length and we have that many bytes in rl->packet
705 */
706 if (thisrr->rec_version == SSL2_VERSION)
707 thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
708 else
709 thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
710
711 /*
712 * ok, we can now read from 'rl->packet' data into 'thisrr'.
713 * thisrr->input points at thisrr->length bytes, which need to be copied
714 * into thisrr->data by either the decryption or by the decompression.
715 * When the data is 'copied' into the thisrr->data buffer,
716 * thisrr->input will be updated to point at the new buffer
717 */
718
719 /*
720 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
721 * thisrr->length bytes of encrypted compressed stuff.
722 */
723
724 /* decrypt in place in 'thisrr->input' */
725 thisrr->data = thisrr->input;
726 thisrr->orig_len = thisrr->length;
727
728 num_recs++;
729
730 /* we have pulled in a full packet so zero things */
731 rl->packet_length = 0;
732 rl->is_first_record = 0;
733 } while (num_recs < max_recs
734 && thisrr->type == SSL3_RT_APPLICATION_DATA
735 && RLAYER_USE_EXPLICIT_IV(rl)
736 && rl->enc_ctx != NULL
737 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
738 & EVP_CIPH_FLAG_PIPELINE)
739 != 0
740 && tls_record_app_data_waiting(rl));
741
742 if (num_recs == 1
743 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
744 /* The following can happen in tlsany_meth after HRR */
745 && rl->version == TLS1_3_VERSION
746 && rl->is_first_handshake) {
747 /*
748 * CCS messages must be exactly 1 byte long, containing the value 0x01
749 */
750 if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
751 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
752 SSL_R_INVALID_CCS_MESSAGE);
753 return OSSL_RECORD_RETURN_FATAL;
754 }
755 /*
756 * CCS messages are ignored in TLSv1.3. We treat it like an empty
757 * handshake record - but we still call the msg_callback
758 */
759 if (rl->msg_callback != NULL)
760 rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_CHANGE_CIPHER_SPEC,
761 thisrr->data, 1, rl->cbarg);
762 thisrr->type = SSL3_RT_HANDSHAKE;
763 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
764 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
765 SSL_R_UNEXPECTED_CCS_MESSAGE);
766 return OSSL_RECORD_RETURN_FATAL;
767 }
768 rl->num_recs = 0;
769 rl->curr_rec = 0;
770 rl->num_released = 0;
771
772 return OSSL_RECORD_RETURN_SUCCESS;
773 }
774
775 if (rl->md_ctx != NULL) {
776 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
777
778 if (tmpmd != NULL) {
779 imac_size = EVP_MD_get_size(tmpmd);
780 if (!ossl_assert(imac_size > 0 && imac_size <= EVP_MAX_MD_SIZE)) {
781 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
782 return OSSL_RECORD_RETURN_FATAL;
783 }
784 mac_size = (size_t)imac_size;
785 }
786 }
787
788 /*
789 * If in encrypt-then-mac mode calculate mac from encrypted record. All
790 * the details below are public so no timing details can leak.
791 */
792 if (rl->use_etm && rl->md_ctx != NULL) {
793 unsigned char *mac;
794
795 for (j = 0; j < num_recs; j++) {
796 thisrr = &rr[j];
797
798 if (thisrr->length < mac_size) {
799 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
800 return OSSL_RECORD_RETURN_FATAL;
801 }
802 thisrr->length -= mac_size;
803 mac = thisrr->data + thisrr->length;
804 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
805 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
806 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
807 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
808 return OSSL_RECORD_RETURN_FATAL;
809 }
810 }
811 /*
812 * We've handled the mac now - there is no MAC inside the encrypted
813 * record
814 */
815 mac_size = 0;
816 }
817
818 if (mac_size > 0) {
819 macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
820 if (macbufs == NULL) {
821 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
822 return OSSL_RECORD_RETURN_FATAL;
823 }
824 }
825
826 ERR_set_mark();
827 enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size);
828
829 /*-
830 * enc_err is:
831 * 0: if the record is publicly invalid, or an internal error, or AEAD
832 * decryption failed, or ETM decryption failed.
833 * 1: Success or MTE decryption failed (MAC will be randomised)
834 */
835 if (enc_err == 0) {
836 if (rl->alert != SSL_AD_NO_ALERT) {
837 /* RLAYERfatal() already got called */
838 ERR_clear_last_mark();
839 goto end;
840 }
841 if (num_recs == 1
842 && rl->skip_early_data != NULL
843 && rl->skip_early_data(rl->cbarg)) {
844 /*
845 * Valid early_data that we cannot decrypt will fail here. We treat
846 * it like an empty record.
847 */
848
849 /*
850 * Remove any errors from the stack. Decryption failures are normal
851 * behaviour.
852 */
853 ERR_pop_to_mark();
854
855 thisrr = &rr[0];
856
857 if (!rlayer_early_data_count_ok(rl, thisrr->length,
858 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
859 /* RLAYERfatal() already called */
860 goto end;
861 }
862
863 thisrr->length = 0;
864 rl->num_recs = 0;
865 rl->curr_rec = 0;
866 rl->num_released = 0;
867 /* Reset the read sequence */
868 memset(rl->sequence, 0, sizeof(rl->sequence));
869 ret = 1;
870 goto end;
871 }
872 ERR_clear_last_mark();
873 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
874 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
875 goto end;
876 } else {
877 ERR_clear_last_mark();
878 }
879 OSSL_TRACE_BEGIN(TLS)
880 {
881 BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
882 BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
883 }
884 OSSL_TRACE_END(TLS);
885
886 /* r->length is now the compressed data plus mac */
887 if (rl->enc_ctx != NULL
888 && !rl->use_etm
889 && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
890 for (j = 0; j < num_recs; j++) {
891 SSL_MAC_BUF *thismb = &macbufs[j];
892
893 thisrr = &rr[j];
894
895 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
896 if (i == 0 || thismb == NULL || thismb->mac == NULL
897 || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
898 enc_err = 0;
899 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
900 enc_err = 0;
901 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
902 if (enc_err == 0 && mac_size > 0 && thismb != NULL && thismb->mac != NULL && (md[0] ^ thismb->mac[0]) != 0xFF) {
903 enc_err = 1;
904 }
905 #endif
906 }
907 }
908
909 if (enc_err == 0) {
910 if (rl->alert != SSL_AD_NO_ALERT) {
911 /* We already called RLAYERfatal() */
912 goto end;
913 }
914 /*
915 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
916 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
917 * failure is directly visible from the ciphertext anyway, we should
918 * not reveal which kind of error occurred -- this might become
919 * visible to an attacker (e.g. via a logfile)
920 */
921 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
922 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
923 goto end;
924 }
925
926 for (j = 0; j < num_recs; j++) {
927 thisrr = &rr[j];
928
929 if (!rl->funcs->post_process_record(rl, thisrr)) {
930 /* RLAYERfatal already called */
931 goto end;
932 }
933
934 /*
935 * Record overflow checking (e.g. checking if
936 * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
937 * the post_process_record() function above. However we check here if
938 * the received packet overflows the current Max Fragment Length setting
939 * if there is one.
940 * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
941 * mutually exclusive. Also note that with KTLS thisrr->length can
942 * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
943 */
944 if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
945 && thisrr->length > rl->max_frag_len) {
946 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
947 goto end;
948 }
949
950 thisrr->off = 0;
951 /*-
952 * So at this point the following is true
953 * thisrr->type is the type of record
954 * thisrr->length == number of bytes in record
955 * thisrr->off == offset to first valid byte
956 * thisrr->data == where to take bytes from, increment after use :-).
957 */
958
959 /* just read a 0 length packet */
960 if (thisrr->length == 0) {
961 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
962 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
963 SSL_R_RECORD_TOO_SMALL);
964 goto end;
965 }
966 } else {
967 rl->empty_record_count = 0;
968 }
969 }
970
971 if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) {
972 thisrr = &rr[0];
973 if (thisrr->type == SSL3_RT_APPLICATION_DATA
974 && !rlayer_early_data_count_ok(rl, thisrr->length, 0, 0)) {
975 /* RLAYERfatal already called */
976 goto end;
977 }
978 }
979
980 rl->num_recs = num_recs;
981 rl->curr_rec = 0;
982 rl->num_released = 0;
983 ret = OSSL_RECORD_RETURN_SUCCESS;
984 end:
985 if (macbufs != NULL) {
986 for (j = 0; j < num_recs; j++) {
987 if (macbufs[j].alloced)
988 OPENSSL_free(macbufs[j].mac);
989 }
990 OPENSSL_free(macbufs);
991 }
992 return ret;
993 }
994
995 /* Shared by ssl3_meth and tls1_meth */
tls_default_validate_record_header(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * rec)996 int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
997 {
998 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
999
1000 if (rec->rec_version != rl->version) {
1001 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER);
1002 return 0;
1003 }
1004
1005 #ifndef OPENSSL_NO_COMP
1006 /*
1007 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
1008 * does not include the compression overhead anyway.
1009 */
1010 if (rl->compctx == NULL)
1011 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
1012 #endif
1013
1014 if (rec->length > len) {
1015 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1016 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1017 return 0;
1018 }
1019
1020 return 1;
1021 }
1022
tls_do_compress(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * wr)1023 int tls_do_compress(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *wr)
1024 {
1025 #ifndef OPENSSL_NO_COMP
1026 int i;
1027
1028 i = COMP_compress_block(rl->compctx, wr->data,
1029 (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD),
1030 wr->input, (int)wr->length);
1031 if (i < 0)
1032 return 0;
1033
1034 wr->length = i;
1035 wr->input = wr->data;
1036 return 1;
1037 #else
1038 return 0;
1039 #endif
1040 }
1041
tls_do_uncompress(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * rec)1042 int tls_do_uncompress(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
1043 {
1044 #ifndef OPENSSL_NO_COMP
1045 int i;
1046
1047 if (rec->comp == NULL) {
1048 rec->comp = (unsigned char *)
1049 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
1050 }
1051 if (rec->comp == NULL)
1052 return 0;
1053
1054 i = COMP_expand_block(rl->compctx, rec->comp, SSL3_RT_MAX_PLAIN_LENGTH,
1055 rec->data, (int)rec->length);
1056 if (i < 0)
1057 return 0;
1058 else
1059 rec->length = i;
1060 rec->data = rec->comp;
1061 return 1;
1062 #else
1063 return 0;
1064 #endif
1065 }
1066
1067 /* Shared by tlsany_meth, ssl3_meth and tls1_meth */
tls_default_post_process_record(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * rec)1068 int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
1069 {
1070 if (rl->compctx != NULL) {
1071 if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
1072 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1073 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1074 return 0;
1075 }
1076 if (!tls_do_uncompress(rl, rec)) {
1077 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
1078 SSL_R_BAD_DECOMPRESSION);
1079 return 0;
1080 }
1081 }
1082
1083 if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
1084 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
1085 return 0;
1086 }
1087
1088 return 1;
1089 }
1090
1091 /* Shared by tls13_meth and ktls_meth */
tls13_common_post_process_record(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * rec)1092 int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
1093 {
1094 if (rec->type != SSL3_RT_APPLICATION_DATA
1095 && rec->type != SSL3_RT_ALERT
1096 && rec->type != SSL3_RT_HANDSHAKE) {
1097 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
1098 return 0;
1099 }
1100
1101 if (rl->msg_callback != NULL) {
1102 unsigned char ctype = (unsigned char)rec->type;
1103
1104 rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &ctype,
1105 1, rl->cbarg);
1106 }
1107
1108 /*
1109 * TLSv1.3 alert and handshake records are required to be non-zero in
1110 * length.
1111 */
1112 if ((rec->type == SSL3_RT_HANDSHAKE || rec->type == SSL3_RT_ALERT)
1113 && rec->length == 0) {
1114 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
1115 return 0;
1116 }
1117
1118 return 1;
1119 }
1120
tls_read_record(OSSL_RECORD_LAYER * rl,void ** rechandle,int * rversion,uint8_t * type,const unsigned char ** data,size_t * datalen,uint16_t * epoch,unsigned char * seq_num)1121 int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
1122 uint8_t *type, const unsigned char **data, size_t *datalen,
1123 uint16_t *epoch, unsigned char *seq_num)
1124 {
1125 TLS_RL_RECORD *rec;
1126
1127 /*
1128 * tls_get_more_records() can return success without actually reading
1129 * anything useful (i.e. if empty records are read). We loop here until
1130 * we have something useful. tls_get_more_records() will eventually fail if
1131 * too many sequential empty records are read.
1132 */
1133 while (rl->curr_rec >= rl->num_recs) {
1134 int ret;
1135
1136 if (rl->num_released != rl->num_recs) {
1137 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
1138 return OSSL_RECORD_RETURN_FATAL;
1139 }
1140
1141 ret = rl->funcs->get_more_records(rl);
1142
1143 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1144 return ret;
1145 }
1146
1147 /*
1148 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
1149 * points to the next one to read.
1150 */
1151 rec = &rl->rrec[rl->curr_rec++];
1152
1153 *rechandle = rec;
1154 *rversion = rec->rec_version;
1155 *type = rec->type;
1156 *data = rec->data + rec->off;
1157 *datalen = rec->length;
1158 if (rl->isdtls) {
1159 *epoch = rec->epoch;
1160 memcpy(seq_num, rec->seq_num, sizeof(rec->seq_num));
1161 }
1162
1163 return OSSL_RECORD_RETURN_SUCCESS;
1164 }
1165
tls_release_record(OSSL_RECORD_LAYER * rl,void * rechandle,size_t length)1166 int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle, size_t length)
1167 {
1168 TLS_RL_RECORD *rec = &rl->rrec[rl->num_released];
1169
1170 if (!ossl_assert(rl->num_released < rl->curr_rec)
1171 || !ossl_assert(rechandle == rec)) {
1172 /* Should not happen */
1173 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
1174 return OSSL_RECORD_RETURN_FATAL;
1175 }
1176
1177 if (rec->length < length) {
1178 /* Should not happen */
1179 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1180 return OSSL_RECORD_RETURN_FATAL;
1181 }
1182
1183 if ((rl->options & SSL_OP_CLEANSE_PLAINTEXT) != 0)
1184 OPENSSL_cleanse(rec->data + rec->off, length);
1185
1186 rec->off += length;
1187 rec->length -= length;
1188
1189 if (rec->length > 0)
1190 return OSSL_RECORD_RETURN_SUCCESS;
1191
1192 rl->num_released++;
1193
1194 if (rl->curr_rec == rl->num_released
1195 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0
1196 && TLS_BUFFER_get_left(&rl->rbuf) == 0)
1197 tls_release_read_buffer(rl);
1198
1199 return OSSL_RECORD_RETURN_SUCCESS;
1200 }
1201
tls_set_options(OSSL_RECORD_LAYER * rl,const OSSL_PARAM * options)1202 int tls_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
1203 {
1204 const OSSL_PARAM *p;
1205
1206 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
1207 if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
1208 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1209 return 0;
1210 }
1211
1212 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
1213 if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
1214 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1215 return 0;
1216 }
1217
1218 if (rl->direction == OSSL_RECORD_DIRECTION_READ) {
1219 p = OSSL_PARAM_locate_const(options,
1220 OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN);
1221 if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->rbuf.default_len)) {
1222 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1223 return 0;
1224 }
1225 } else {
1226 p = OSSL_PARAM_locate_const(options,
1227 OSSL_LIBSSL_RECORD_LAYER_PARAM_BLOCK_PADDING);
1228 if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->block_padding)) {
1229 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1230 return 0;
1231 }
1232 p = OSSL_PARAM_locate_const(options,
1233 OSSL_LIBSSL_RECORD_LAYER_PARAM_HS_PADDING);
1234 if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->hs_padding)) {
1235 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1236 return 0;
1237 }
1238 }
1239
1240 if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) {
1241 /*
1242 * We ignore any read_ahead setting prior to the application protection
1243 * level. Otherwise we may read ahead data in a lower protection level
1244 * that is destined for a higher protection level. To simplify the logic
1245 * we don't support that at this stage.
1246 */
1247 p = OSSL_PARAM_locate_const(options,
1248 OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
1249 if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
1250 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1251 return 0;
1252 }
1253 }
1254
1255 return 1;
1256 }
1257
tls_int_new_record_layer(OSSL_LIB_CTX * libctx,const char * propq,int vers,int role,int direction,int level,const EVP_CIPHER * ciph,size_t taglen,const EVP_MD * md,COMP_METHOD * comp,BIO * prev,BIO * transport,BIO * next,const OSSL_PARAM * settings,const OSSL_PARAM * options,const OSSL_DISPATCH * fns,void * cbarg,OSSL_RECORD_LAYER ** retrl)1258 int tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1259 int role, int direction, int level,
1260 const EVP_CIPHER *ciph, size_t taglen,
1261 const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
1262 BIO *transport, BIO *next, const OSSL_PARAM *settings,
1263 const OSSL_PARAM *options,
1264 const OSSL_DISPATCH *fns, void *cbarg,
1265 OSSL_RECORD_LAYER **retrl)
1266 {
1267 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
1268 const OSSL_PARAM *p;
1269
1270 *retrl = NULL;
1271
1272 if (rl == NULL)
1273 return OSSL_RECORD_RETURN_FATAL;
1274
1275 /*
1276 * Default the value for max_frag_len. This may be overridden by the
1277 * settings
1278 */
1279 rl->max_frag_len = SSL3_RT_MAX_PLAIN_LENGTH;
1280
1281 /* Loop through all the settings since they must all be understood */
1282 if (settings != NULL) {
1283 for (p = settings; p->key != NULL; p++) {
1284 if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) {
1285 if (!OSSL_PARAM_get_int(p, &rl->use_etm)) {
1286 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1287 goto err;
1288 }
1289 } else if (strcmp(p->key,
1290 OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN)
1291 == 0) {
1292 if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) {
1293 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1294 goto err;
1295 }
1296 } else if (strcmp(p->key,
1297 OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA)
1298 == 0) {
1299 if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) {
1300 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1301 goto err;
1302 }
1303 } else if (strcmp(p->key,
1304 OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC)
1305 == 0) {
1306 if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) {
1307 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1308 goto err;
1309 }
1310 } else if (strcmp(p->key,
1311 OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE)
1312 == 0) {
1313 if (!OSSL_PARAM_get_int(p, &rl->tlstree)) {
1314 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1315 goto err;
1316 }
1317 } else {
1318 ERR_raise(ERR_LIB_SSL, SSL_R_UNKNOWN_MANDATORY_PARAMETER);
1319 goto err;
1320 }
1321 }
1322 }
1323
1324 rl->libctx = libctx;
1325 rl->propq = propq;
1326
1327 rl->version = vers;
1328 rl->role = role;
1329 rl->direction = direction;
1330 rl->level = level;
1331 rl->taglen = taglen;
1332 rl->md = md;
1333
1334 rl->alert = SSL_AD_NO_ALERT;
1335 rl->rstate = SSL_ST_READ_HEADER;
1336
1337 if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
1338 rl->is_first_record = 1;
1339
1340 if (!tls_set1_bio(rl, transport))
1341 goto err;
1342
1343 if (prev != NULL && !BIO_up_ref(prev))
1344 goto err;
1345 rl->prev = prev;
1346
1347 if (next != NULL && !BIO_up_ref(next))
1348 goto err;
1349 rl->next = next;
1350
1351 rl->cbarg = cbarg;
1352 if (fns != NULL) {
1353 for (; fns->function_id != 0; fns++) {
1354 switch (fns->function_id) {
1355 case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA:
1356 rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns);
1357 break;
1358 case OSSL_FUNC_RLAYER_MSG_CALLBACK:
1359 rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
1360 break;
1361 case OSSL_FUNC_RLAYER_SECURITY:
1362 rl->security = OSSL_FUNC_rlayer_security(fns);
1363 break;
1364 case OSSL_FUNC_RLAYER_PADDING:
1365 rl->padding = OSSL_FUNC_rlayer_padding(fns);
1366 default:
1367 /* Just ignore anything we don't understand */
1368 break;
1369 }
1370 }
1371 }
1372
1373 if (!tls_set_options(rl, options)) {
1374 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
1375 goto err;
1376 }
1377
1378 if ((rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0
1379 && rl->version <= TLS1_VERSION
1380 && !EVP_CIPHER_is_a(ciph, "NULL")
1381 && !EVP_CIPHER_is_a(ciph, "RC4")) {
1382 /*
1383 * Enable vulnerability countermeasure for CBC ciphers with known-IV
1384 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
1385 */
1386 rl->need_empty_fragments = 1;
1387 }
1388
1389 *retrl = rl;
1390 return OSSL_RECORD_RETURN_SUCCESS;
1391 err:
1392 tls_int_free(rl);
1393 return OSSL_RECORD_RETURN_FATAL;
1394 }
1395
1396 static int
tls_new_record_layer(OSSL_LIB_CTX * libctx,const char * propq,int vers,int role,int direction,int level,uint16_t epoch,unsigned char * secret,size_t secretlen,unsigned char * key,size_t keylen,unsigned char * iv,size_t ivlen,unsigned char * mackey,size_t mackeylen,const EVP_CIPHER * ciph,size_t taglen,int mactype,const EVP_MD * md,COMP_METHOD * comp,const EVP_MD * kdfdigest,BIO * prev,BIO * transport,BIO * next,BIO_ADDR * local,BIO_ADDR * peer,const OSSL_PARAM * settings,const OSSL_PARAM * options,const OSSL_DISPATCH * fns,void * cbarg,void * rlarg,OSSL_RECORD_LAYER ** retrl)1397 tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1398 int role, int direction, int level, uint16_t epoch,
1399 unsigned char *secret, size_t secretlen,
1400 unsigned char *key, size_t keylen, unsigned char *iv,
1401 size_t ivlen, unsigned char *mackey, size_t mackeylen,
1402 const EVP_CIPHER *ciph, size_t taglen,
1403 int mactype,
1404 const EVP_MD *md, COMP_METHOD *comp,
1405 const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
1406 BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
1407 const OSSL_PARAM *settings, const OSSL_PARAM *options,
1408 const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
1409 OSSL_RECORD_LAYER **retrl)
1410 {
1411 int ret;
1412
1413 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
1414 ciph, taglen, md, comp, prev,
1415 transport, next, settings,
1416 options, fns, cbarg, retrl);
1417
1418 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1419 return ret;
1420
1421 switch (vers) {
1422 case TLS_ANY_VERSION:
1423 (*retrl)->funcs = &tls_any_funcs;
1424 break;
1425 case TLS1_3_VERSION:
1426 (*retrl)->funcs = &tls_1_3_funcs;
1427 break;
1428 case TLS1_2_VERSION:
1429 case TLS1_1_VERSION:
1430 case TLS1_VERSION:
1431 (*retrl)->funcs = &tls_1_funcs;
1432 break;
1433 case SSL3_VERSION:
1434 (*retrl)->funcs = &ssl_3_0_funcs;
1435 break;
1436 default:
1437 /* Should not happen */
1438 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
1439 ret = OSSL_RECORD_RETURN_FATAL;
1440 goto err;
1441 }
1442
1443 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
1444 ivlen, mackey, mackeylen, ciph,
1445 taglen, mactype, md, comp);
1446
1447 err:
1448 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
1449 tls_int_free(*retrl);
1450 *retrl = NULL;
1451 }
1452 return ret;
1453 }
1454
tls_int_free(OSSL_RECORD_LAYER * rl)1455 static void tls_int_free(OSSL_RECORD_LAYER *rl)
1456 {
1457 BIO_free(rl->prev);
1458 BIO_free(rl->bio);
1459 BIO_free(rl->next);
1460 ossl_tls_buffer_release(&rl->rbuf);
1461
1462 tls_release_write_buffer(rl);
1463
1464 EVP_CIPHER_CTX_free(rl->enc_ctx);
1465 EVP_MAC_CTX_free(rl->mac_ctx);
1466 EVP_MD_CTX_free(rl->md_ctx);
1467 #ifndef OPENSSL_NO_COMP
1468 COMP_CTX_free(rl->compctx);
1469 #endif
1470 OPENSSL_free(rl->iv);
1471 OPENSSL_free(rl->nonce);
1472 if (rl->version == SSL3_VERSION)
1473 OPENSSL_cleanse(rl->mac_secret, sizeof(rl->mac_secret));
1474
1475 TLS_RL_RECORD_release(rl->rrec, SSL_MAX_PIPELINES);
1476
1477 OPENSSL_free(rl);
1478 }
1479
tls_free(OSSL_RECORD_LAYER * rl)1480 int tls_free(OSSL_RECORD_LAYER *rl)
1481 {
1482 TLS_BUFFER *rbuf;
1483 size_t left, written;
1484 int ret = 1;
1485
1486 if (rl == NULL)
1487 return 1;
1488
1489 rbuf = &rl->rbuf;
1490
1491 left = TLS_BUFFER_get_left(rbuf);
1492 if (left > 0) {
1493 /*
1494 * This record layer is closing but we still have data left in our
1495 * buffer. It must be destined for the next epoch - so push it there.
1496 */
1497 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
1498 }
1499 tls_int_free(rl);
1500
1501 return ret;
1502 }
1503
tls_unprocessed_read_pending(OSSL_RECORD_LAYER * rl)1504 int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
1505 {
1506 return TLS_BUFFER_get_left(&rl->rbuf) != 0;
1507 }
1508
tls_processed_read_pending(OSSL_RECORD_LAYER * rl)1509 int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
1510 {
1511 return rl->curr_rec < rl->num_recs;
1512 }
1513
tls_app_data_pending(OSSL_RECORD_LAYER * rl)1514 size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
1515 {
1516 size_t i;
1517 size_t num = 0;
1518
1519 for (i = rl->curr_rec; i < rl->num_recs; i++) {
1520 if (rl->rrec[i].type != SSL3_RT_APPLICATION_DATA)
1521 return num;
1522 num += rl->rrec[i].length;
1523 }
1524 return num;
1525 }
1526
tls_get_max_records_default(OSSL_RECORD_LAYER * rl,uint8_t type,size_t len,size_t maxfrag,size_t * preffrag)1527 size_t tls_get_max_records_default(OSSL_RECORD_LAYER *rl, uint8_t type,
1528 size_t len,
1529 size_t maxfrag, size_t *preffrag)
1530 {
1531 /*
1532 * If we have a pipeline capable cipher, and we have been configured to use
1533 * it, then return the preferred number of pipelines.
1534 */
1535 if (rl->max_pipelines > 0
1536 && rl->enc_ctx != NULL
1537 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
1538 & EVP_CIPH_FLAG_PIPELINE)
1539 != 0
1540 && RLAYER_USE_EXPLICIT_IV(rl)) {
1541 size_t pipes;
1542
1543 if (len == 0)
1544 return 1;
1545 pipes = ((len - 1) / *preffrag) + 1;
1546
1547 return (pipes < rl->max_pipelines) ? pipes : rl->max_pipelines;
1548 }
1549
1550 return 1;
1551 }
1552
tls_get_max_records(OSSL_RECORD_LAYER * rl,uint8_t type,size_t len,size_t maxfrag,size_t * preffrag)1553 size_t tls_get_max_records(OSSL_RECORD_LAYER *rl, uint8_t type, size_t len,
1554 size_t maxfrag, size_t *preffrag)
1555 {
1556 return rl->funcs->get_max_records(rl, type, len, maxfrag, preffrag);
1557 }
1558
tls_allocate_write_buffers_default(OSSL_RECORD_LAYER * rl,OSSL_RECORD_TEMPLATE * templates,size_t numtempl,size_t * prefix)1559 int tls_allocate_write_buffers_default(OSSL_RECORD_LAYER *rl,
1560 OSSL_RECORD_TEMPLATE *templates,
1561 size_t numtempl,
1562 size_t *prefix)
1563 {
1564 if (!tls_setup_write_buffer(rl, numtempl, 0, 0)) {
1565 /* RLAYERfatal() already called */
1566 return 0;
1567 }
1568
1569 return 1;
1570 }
1571
tls_initialise_write_packets_default(OSSL_RECORD_LAYER * rl,OSSL_RECORD_TEMPLATE * templates,size_t numtempl,OSSL_RECORD_TEMPLATE * prefixtempl,WPACKET * pkt,TLS_BUFFER * bufs,size_t * wpinited)1572 int tls_initialise_write_packets_default(OSSL_RECORD_LAYER *rl,
1573 OSSL_RECORD_TEMPLATE *templates,
1574 size_t numtempl,
1575 OSSL_RECORD_TEMPLATE *prefixtempl,
1576 WPACKET *pkt,
1577 TLS_BUFFER *bufs,
1578 size_t *wpinited)
1579 {
1580 WPACKET *thispkt;
1581 size_t j, align;
1582 TLS_BUFFER *wb;
1583
1584 for (j = 0; j < numtempl; j++) {
1585 thispkt = &pkt[j];
1586 wb = &bufs[j];
1587
1588 wb->type = templates[j].type;
1589
1590 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
1591 align = (size_t)TLS_BUFFER_get_buf(wb);
1592 align += rl->isdtls ? DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH;
1593 align = SSL3_ALIGN_PAYLOAD - 1
1594 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
1595 #endif
1596 TLS_BUFFER_set_offset(wb, align);
1597
1598 if (!WPACKET_init_static_len(thispkt, TLS_BUFFER_get_buf(wb),
1599 TLS_BUFFER_get_len(wb), 0)) {
1600 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1601 return 0;
1602 }
1603 (*wpinited)++;
1604 if (!WPACKET_allocate_bytes(thispkt, align, NULL)) {
1605 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1606 return 0;
1607 }
1608 }
1609
1610 return 1;
1611 }
1612
tls_prepare_record_header_default(OSSL_RECORD_LAYER * rl,WPACKET * thispkt,OSSL_RECORD_TEMPLATE * templ,uint8_t rectype,unsigned char ** recdata)1613 int tls_prepare_record_header_default(OSSL_RECORD_LAYER *rl,
1614 WPACKET *thispkt,
1615 OSSL_RECORD_TEMPLATE *templ,
1616 uint8_t rectype,
1617 unsigned char **recdata)
1618 {
1619 size_t maxcomplen;
1620
1621 *recdata = NULL;
1622
1623 maxcomplen = templ->buflen;
1624 if (rl->compctx != NULL)
1625 maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
1626
1627 if (!WPACKET_put_bytes_u8(thispkt, rectype)
1628 || !WPACKET_put_bytes_u16(thispkt, templ->version)
1629 || !WPACKET_start_sub_packet_u16(thispkt)
1630 || (rl->eivlen > 0
1631 && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL))
1632 || (maxcomplen > 0
1633 && !WPACKET_reserve_bytes(thispkt, maxcomplen,
1634 recdata))) {
1635 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1636 return 0;
1637 }
1638
1639 return 1;
1640 }
1641
tls_prepare_for_encryption_default(OSSL_RECORD_LAYER * rl,size_t mac_size,WPACKET * thispkt,TLS_RL_RECORD * thiswr)1642 int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl,
1643 size_t mac_size,
1644 WPACKET *thispkt,
1645 TLS_RL_RECORD *thiswr)
1646 {
1647 size_t len;
1648 unsigned char *recordstart;
1649
1650 /*
1651 * we should still have the output to thiswr->data and the input from
1652 * wr->input. Length should be thiswr->length. thiswr->data still points
1653 * in the wb->buf
1654 */
1655
1656 if (!rl->use_etm && mac_size != 0) {
1657 unsigned char *mac;
1658
1659 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
1660 || !rl->funcs->mac(rl, thiswr, mac, 1)) {
1661 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1662 return 0;
1663 }
1664 }
1665
1666 /*
1667 * Reserve some bytes for any growth that may occur during encryption. If
1668 * we are adding the MAC independently of the cipher algorithm, then the
1669 * max encrypted overhead does not need to include an allocation for that
1670 * MAC
1671 */
1672 if (!WPACKET_reserve_bytes(thispkt, SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD - mac_size, NULL)
1673 /*
1674 * We also need next the amount of bytes written to this
1675 * sub-packet
1676 */
1677 || !WPACKET_get_length(thispkt, &len)) {
1678 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1679 return 0;
1680 }
1681
1682 /* Get a pointer to the start of this record excluding header */
1683 recordstart = WPACKET_get_curr(thispkt) - len;
1684 TLS_RL_RECORD_set_data(thiswr, recordstart);
1685 TLS_RL_RECORD_reset_input(thiswr);
1686 TLS_RL_RECORD_set_length(thiswr, len);
1687
1688 return 1;
1689 }
1690
tls_post_encryption_processing_default(OSSL_RECORD_LAYER * rl,size_t mac_size,OSSL_RECORD_TEMPLATE * thistempl,WPACKET * thispkt,TLS_RL_RECORD * thiswr)1691 int tls_post_encryption_processing_default(OSSL_RECORD_LAYER *rl,
1692 size_t mac_size,
1693 OSSL_RECORD_TEMPLATE *thistempl,
1694 WPACKET *thispkt,
1695 TLS_RL_RECORD *thiswr)
1696 {
1697 size_t origlen, len;
1698 size_t headerlen = rl->isdtls ? DTLS1_RT_HEADER_LENGTH
1699 : SSL3_RT_HEADER_LENGTH;
1700
1701 /* Allocate bytes for the encryption overhead */
1702 if (!WPACKET_get_length(thispkt, &origlen)
1703 /* Check we allowed enough room for the encryption growth */
1704 || !ossl_assert(origlen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
1705 - mac_size
1706 >= thiswr->length)
1707 /* Encryption should never shrink the data! */
1708 || origlen > thiswr->length
1709 || (thiswr->length > origlen
1710 && !WPACKET_allocate_bytes(thispkt,
1711 thiswr->length - origlen,
1712 NULL))) {
1713 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1714 return 0;
1715 }
1716 if (rl->use_etm && mac_size != 0) {
1717 unsigned char *mac;
1718
1719 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
1720 || !rl->funcs->mac(rl, thiswr, mac, 1)) {
1721 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1722 return 0;
1723 }
1724
1725 TLS_RL_RECORD_add_length(thiswr, mac_size);
1726 }
1727
1728 if (!WPACKET_get_length(thispkt, &len)
1729 || !WPACKET_close(thispkt)) {
1730 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1731 return 0;
1732 }
1733
1734 if (rl->msg_callback != NULL) {
1735 unsigned char *recordstart;
1736
1737 recordstart = WPACKET_get_curr(thispkt) - len - headerlen;
1738 rl->msg_callback(1, thiswr->rec_version, SSL3_RT_HEADER, recordstart,
1739 headerlen, rl->cbarg);
1740
1741 if (rl->version == TLS1_3_VERSION && rl->enc_ctx != NULL) {
1742 unsigned char ctype = thistempl->type;
1743
1744 rl->msg_callback(1, thiswr->rec_version, SSL3_RT_INNER_CONTENT_TYPE,
1745 &ctype, 1, rl->cbarg);
1746 }
1747 }
1748
1749 if (!WPACKET_finish(thispkt)) {
1750 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1751 return 0;
1752 }
1753
1754 TLS_RL_RECORD_add_length(thiswr, headerlen);
1755
1756 return 1;
1757 }
1758
tls_write_records_default(OSSL_RECORD_LAYER * rl,OSSL_RECORD_TEMPLATE * templates,size_t numtempl)1759 int tls_write_records_default(OSSL_RECORD_LAYER *rl,
1760 OSSL_RECORD_TEMPLATE *templates,
1761 size_t numtempl)
1762 {
1763 WPACKET pkt[SSL_MAX_PIPELINES + 1];
1764 TLS_RL_RECORD wr[SSL_MAX_PIPELINES + 1];
1765 WPACKET *thispkt;
1766 TLS_RL_RECORD *thiswr;
1767 int mac_size = 0, ret = 0;
1768 size_t wpinited = 0;
1769 size_t j, prefix = 0;
1770 OSSL_RECORD_TEMPLATE prefixtempl;
1771 OSSL_RECORD_TEMPLATE *thistempl;
1772
1773 if (rl->md_ctx != NULL && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
1774 mac_size = EVP_MD_CTX_get_size(rl->md_ctx);
1775 if (mac_size < 0) {
1776 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1777 goto err;
1778 }
1779 }
1780
1781 if (!rl->funcs->allocate_write_buffers(rl, templates, numtempl, &prefix)) {
1782 /* RLAYERfatal() already called */
1783 goto err;
1784 }
1785
1786 if (!rl->funcs->initialise_write_packets(rl, templates, numtempl,
1787 &prefixtempl, pkt, rl->wbuf,
1788 &wpinited)) {
1789 /* RLAYERfatal() already called */
1790 goto err;
1791 }
1792
1793 /* Clear our TLS_RL_RECORD structures */
1794 memset(wr, 0, sizeof(wr));
1795 for (j = 0; j < numtempl + prefix; j++) {
1796 unsigned char *compressdata = NULL;
1797 uint8_t rectype;
1798
1799 thispkt = &pkt[j];
1800 thiswr = &wr[j];
1801 thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix];
1802
1803 /*
1804 * Default to the record type as specified in the template unless the
1805 * protocol implementation says differently.
1806 */
1807 if (rl->funcs->get_record_type != NULL)
1808 rectype = rl->funcs->get_record_type(rl, thistempl);
1809 else
1810 rectype = thistempl->type;
1811
1812 TLS_RL_RECORD_set_type(thiswr, rectype);
1813 TLS_RL_RECORD_set_rec_version(thiswr, thistempl->version);
1814
1815 if (!rl->funcs->prepare_record_header(rl, thispkt, thistempl, rectype,
1816 &compressdata)) {
1817 /* RLAYERfatal() already called */
1818 goto err;
1819 }
1820
1821 /* lets setup the record stuff. */
1822 TLS_RL_RECORD_set_data(thiswr, compressdata);
1823 TLS_RL_RECORD_set_length(thiswr, thistempl->buflen);
1824
1825 TLS_RL_RECORD_set_input(thiswr, (unsigned char *)thistempl->buf);
1826
1827 /*
1828 * we now 'read' from thiswr->input, thiswr->length bytes into
1829 * thiswr->data
1830 */
1831
1832 /* first we compress */
1833 if (rl->compctx != NULL) {
1834 if (!tls_do_compress(rl, thiswr)
1835 || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) {
1836 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE);
1837 goto err;
1838 }
1839 } else if (compressdata != NULL) {
1840 if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) {
1841 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1842 goto err;
1843 }
1844 TLS_RL_RECORD_reset_input(&wr[j]);
1845 }
1846
1847 if (rl->funcs->add_record_padding != NULL
1848 && !rl->funcs->add_record_padding(rl, thistempl, thispkt,
1849 thiswr)) {
1850 /* RLAYERfatal() already called */
1851 goto err;
1852 }
1853
1854 if (!rl->funcs->prepare_for_encryption(rl, mac_size, thispkt, thiswr)) {
1855 /* RLAYERfatal() already called */
1856 goto err;
1857 }
1858 }
1859
1860 if (prefix) {
1861 if (rl->funcs->cipher(rl, wr, 1, 1, NULL, mac_size) < 1) {
1862 if (rl->alert == SSL_AD_NO_ALERT) {
1863 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1864 }
1865 goto err;
1866 }
1867 }
1868
1869 if (rl->funcs->cipher(rl, wr + prefix, numtempl, 1, NULL, mac_size) < 1) {
1870 if (rl->alert == SSL_AD_NO_ALERT) {
1871 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1872 }
1873 goto err;
1874 }
1875
1876 for (j = 0; j < numtempl + prefix; j++) {
1877 thispkt = &pkt[j];
1878 thiswr = &wr[j];
1879 thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix];
1880
1881 if (!rl->funcs->post_encryption_processing(rl, mac_size, thistempl,
1882 thispkt, thiswr)) {
1883 /* RLAYERfatal() already called */
1884 goto err;
1885 }
1886
1887 /* now let's set up wb */
1888 TLS_BUFFER_set_left(&rl->wbuf[j], TLS_RL_RECORD_get_length(thiswr));
1889 }
1890
1891 ret = 1;
1892 err:
1893 for (j = 0; j < wpinited; j++)
1894 WPACKET_cleanup(&pkt[j]);
1895 return ret;
1896 }
1897
tls_write_records(OSSL_RECORD_LAYER * rl,OSSL_RECORD_TEMPLATE * templates,size_t numtempl)1898 int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates,
1899 size_t numtempl)
1900 {
1901 /* Check we don't have pending data waiting to write */
1902 if (!ossl_assert(rl->nextwbuf >= rl->numwpipes
1903 || TLS_BUFFER_get_left(&rl->wbuf[rl->nextwbuf]) == 0)) {
1904 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1905 return OSSL_RECORD_RETURN_FATAL;
1906 }
1907
1908 if (!rl->funcs->write_records(rl, templates, numtempl)) {
1909 /* RLAYERfatal already called */
1910 return OSSL_RECORD_RETURN_FATAL;
1911 }
1912
1913 rl->nextwbuf = 0;
1914 /* we now just need to write the buffers */
1915 return tls_retry_write_records(rl);
1916 }
1917
tls_retry_write_records(OSSL_RECORD_LAYER * rl)1918 int tls_retry_write_records(OSSL_RECORD_LAYER *rl)
1919 {
1920 int i, ret;
1921 TLS_BUFFER *thiswb;
1922 size_t tmpwrit = 0;
1923
1924 if (rl->nextwbuf >= rl->numwpipes)
1925 return OSSL_RECORD_RETURN_SUCCESS;
1926
1927 for (;;) {
1928 thiswb = &rl->wbuf[rl->nextwbuf];
1929
1930 clear_sys_error();
1931 if (rl->bio != NULL) {
1932 if (rl->funcs->prepare_write_bio != NULL) {
1933 ret = rl->funcs->prepare_write_bio(rl, thiswb->type);
1934 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1935 return ret;
1936 }
1937 i = BIO_write(rl->bio, (char *)&(TLS_BUFFER_get_buf(thiswb)[TLS_BUFFER_get_offset(thiswb)]),
1938 (unsigned int)TLS_BUFFER_get_left(thiswb));
1939 if (i >= 0) {
1940 tmpwrit = i;
1941 if (i == 0 && BIO_should_retry(rl->bio))
1942 ret = OSSL_RECORD_RETURN_RETRY;
1943 else
1944 ret = OSSL_RECORD_RETURN_SUCCESS;
1945 } else {
1946 if (BIO_should_retry(rl->bio)) {
1947 ret = OSSL_RECORD_RETURN_RETRY;
1948 } else {
1949 ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(),
1950 "tls_retry_write_records failure");
1951 ret = OSSL_RECORD_RETURN_FATAL;
1952 }
1953 }
1954 } else {
1955 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET);
1956 ret = OSSL_RECORD_RETURN_FATAL;
1957 i = -1;
1958 }
1959
1960 /*
1961 * When an empty fragment is sent on a connection using KTLS,
1962 * it is sent as a write of zero bytes. If this zero byte
1963 * write succeeds, i will be 0 rather than a non-zero value.
1964 * Treat i == 0 as success rather than an error for zero byte
1965 * writes to permit this case.
1966 */
1967 if (i >= 0 && tmpwrit == TLS_BUFFER_get_left(thiswb)) {
1968 TLS_BUFFER_set_left(thiswb, 0);
1969 TLS_BUFFER_add_offset(thiswb, tmpwrit);
1970 if (++(rl->nextwbuf) < rl->numwpipes)
1971 continue;
1972
1973 if (rl->nextwbuf == rl->numwpipes
1974 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
1975 tls_release_write_buffer(rl);
1976 return OSSL_RECORD_RETURN_SUCCESS;
1977 } else if (i <= 0) {
1978 if (rl->isdtls) {
1979 /*
1980 * For DTLS, just drop it. That's kind of the whole point in
1981 * using a datagram service
1982 */
1983 TLS_BUFFER_set_left(thiswb, 0);
1984 if (++(rl->nextwbuf) == rl->numwpipes
1985 && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
1986 tls_release_write_buffer(rl);
1987 }
1988 return ret;
1989 }
1990 TLS_BUFFER_add_offset(thiswb, tmpwrit);
1991 TLS_BUFFER_sub_left(thiswb, tmpwrit);
1992 }
1993 }
1994
tls_get_alert_code(OSSL_RECORD_LAYER * rl)1995 int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
1996 {
1997 return rl->alert;
1998 }
1999
tls_set1_bio(OSSL_RECORD_LAYER * rl,BIO * bio)2000 int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
2001 {
2002 if (bio != NULL && !BIO_up_ref(bio))
2003 return 0;
2004 BIO_free(rl->bio);
2005 rl->bio = bio;
2006
2007 return 1;
2008 }
2009
2010 /* Shared by most methods except tlsany_meth */
tls_default_set_protocol_version(OSSL_RECORD_LAYER * rl,int version)2011 int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
2012 {
2013 if (rl->version != version)
2014 return 0;
2015
2016 return 1;
2017 }
2018
tls_set_protocol_version(OSSL_RECORD_LAYER * rl,int version)2019 int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
2020 {
2021 return rl->funcs->set_protocol_version(rl, version);
2022 }
2023
tls_set_plain_alerts(OSSL_RECORD_LAYER * rl,int allow)2024 void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
2025 {
2026 rl->allow_plain_alerts = allow;
2027 }
2028
tls_set_first_handshake(OSSL_RECORD_LAYER * rl,int first)2029 void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
2030 {
2031 rl->is_first_handshake = first;
2032 }
2033
tls_set_max_pipelines(OSSL_RECORD_LAYER * rl,size_t max_pipelines)2034 void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
2035 {
2036 rl->max_pipelines = max_pipelines;
2037 if (max_pipelines > 1)
2038 rl->read_ahead = 1;
2039 }
2040
tls_get_state(OSSL_RECORD_LAYER * rl,const char ** shortstr,const char ** longstr)2041 void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
2042 const char **longstr)
2043 {
2044 const char *shrt, *lng;
2045
2046 switch (rl->rstate) {
2047 case SSL_ST_READ_HEADER:
2048 shrt = "RH";
2049 lng = "read header";
2050 break;
2051 case SSL_ST_READ_BODY:
2052 shrt = "RB";
2053 lng = "read body";
2054 break;
2055 default:
2056 shrt = lng = "unknown";
2057 break;
2058 }
2059 if (shortstr != NULL)
2060 *shortstr = shrt;
2061 if (longstr != NULL)
2062 *longstr = lng;
2063 }
2064
tls_get_compression(OSSL_RECORD_LAYER * rl)2065 const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl)
2066 {
2067 #ifndef OPENSSL_NO_COMP
2068 return (rl->compctx == NULL) ? NULL : COMP_CTX_get_method(rl->compctx);
2069 #else
2070 return NULL;
2071 #endif
2072 }
2073
tls_set_max_frag_len(OSSL_RECORD_LAYER * rl,size_t max_frag_len)2074 void tls_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
2075 {
2076 rl->max_frag_len = max_frag_len;
2077 /*
2078 * We don't need to adjust buffer sizes. Write buffer sizes are
2079 * automatically checked anyway. We should only be changing the read buffer
2080 * size during the handshake, so we will create a new buffer when we create
2081 * the new record layer. We can't change the existing buffer because it may
2082 * already have data in it.
2083 */
2084 }
2085
tls_increment_sequence_ctr(OSSL_RECORD_LAYER * rl)2086 int tls_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
2087 {
2088 int i;
2089
2090 /* Increment the sequence counter */
2091 for (i = SEQ_NUM_SIZE; i > 0; i--) {
2092 ++(rl->sequence[i - 1]);
2093 if (rl->sequence[i - 1] != 0)
2094 break;
2095 }
2096 if (i == 0) {
2097 /* Sequence has wrapped */
2098 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_SEQUENCE_CTR_WRAPPED);
2099 return 0;
2100 }
2101 return 1;
2102 }
2103
tls_alloc_buffers(OSSL_RECORD_LAYER * rl)2104 int tls_alloc_buffers(OSSL_RECORD_LAYER *rl)
2105 {
2106 if (rl->direction == OSSL_RECORD_DIRECTION_WRITE) {
2107 /* If we have a pending write then buffers are already allocated */
2108 if (rl->nextwbuf < rl->numwpipes)
2109 return 1;
2110 /*
2111 * We assume 1 pipe with default sized buffer. If what we need ends up
2112 * being a different size to that then it will be reallocated on demand.
2113 * If we need more than 1 pipe then that will also be allocated on
2114 * demand
2115 */
2116 if (!tls_setup_write_buffer(rl, 1, 0, 0))
2117 return 0;
2118
2119 /*
2120 * Normally when we allocate write buffers we immediately write
2121 * something into it. In this case we're not doing that so mark the
2122 * buffer as empty.
2123 */
2124 TLS_BUFFER_set_left(&rl->wbuf[0], 0);
2125 return 1;
2126 }
2127
2128 /* Read direction */
2129
2130 /* If we have pending data to be read then buffers are already allocated */
2131 if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0)
2132 return 1;
2133 return tls_setup_read_buffer(rl);
2134 }
2135
tls_free_buffers(OSSL_RECORD_LAYER * rl)2136 int tls_free_buffers(OSSL_RECORD_LAYER *rl)
2137 {
2138 if (rl->direction == OSSL_RECORD_DIRECTION_WRITE) {
2139 if (rl->nextwbuf < rl->numwpipes) {
2140 /*
2141 * We may have pending data. If we've just got one empty buffer
2142 * allocated then it has probably just been alloc'd via
2143 * tls_alloc_buffers, and it is fine to free it. Otherwise this
2144 * looks like real pending data and it is an error.
2145 */
2146 if (rl->nextwbuf != 0
2147 || rl->numwpipes != 1
2148 || TLS_BUFFER_get_left(&rl->wbuf[0]) != 0)
2149 return 0;
2150 }
2151 tls_release_write_buffer(rl);
2152 return 1;
2153 }
2154
2155 /* Read direction */
2156
2157 /* If we have pending data to be read then fail */
2158 if (rl->curr_rec < rl->num_recs
2159 || rl->curr_rec != rl->num_released
2160 || TLS_BUFFER_get_left(&rl->rbuf) != 0
2161 || rl->rstate == SSL_ST_READ_BODY)
2162 return 0;
2163
2164 return tls_release_read_buffer(rl);
2165 }
2166
2167 const OSSL_RECORD_METHOD ossl_tls_record_method = {
2168 tls_new_record_layer,
2169 tls_free,
2170 tls_unprocessed_read_pending,
2171 tls_processed_read_pending,
2172 tls_app_data_pending,
2173 tls_get_max_records,
2174 tls_write_records,
2175 tls_retry_write_records,
2176 tls_read_record,
2177 tls_release_record,
2178 tls_get_alert_code,
2179 tls_set1_bio,
2180 tls_set_protocol_version,
2181 tls_set_plain_alerts,
2182 tls_set_first_handshake,
2183 tls_set_max_pipelines,
2184 NULL,
2185 tls_get_state,
2186 tls_set_options,
2187 tls_get_compression,
2188 tls_set_max_frag_len,
2189 NULL,
2190 tls_increment_sequence_ctr,
2191 tls_alloc_buffers,
2192 tls_free_buffers
2193 };
2194