2 * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "../../ssl_local.h"
11 #include "../record_local.h"
12 #include "recmethod_local.h"
14 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
15 static int satsub64be(const unsigned char *v1, const unsigned char *v2)
25 /* We do not permit wrap-around */
26 if (l1 > l2 && ret < 0)
28 else if (l2 > l1 && ret > 0)
39 static int dtls_record_replay_check(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
43 const unsigned char *seq = rl->sequence;
45 cmp = satsub64be(seq, bitmap->max_seq_num);
47 SSL3_RECORD_set_seq_num(&rl->rrec[0], seq);
48 return 1; /* this record in new */
51 if (shift >= sizeof(bitmap->map) * 8)
52 return 0; /* stale, outside the window */
53 else if (bitmap->map & ((uint64_t)1 << shift))
54 return 0; /* record previously received */
56 SSL3_RECORD_set_seq_num(&rl->rrec[0], seq);
60 static void dtls_record_bitmap_update(OSSL_RECORD_LAYER *rl,
65 const unsigned char *seq = rl->sequence;
67 cmp = satsub64be(seq, bitmap->max_seq_num);
70 if (shift < sizeof(bitmap->map) * 8)
71 bitmap->map <<= shift, bitmap->map |= 1UL;
74 memcpy(bitmap->max_seq_num, seq, SEQ_NUM_SIZE);
77 if (shift < sizeof(bitmap->map) * 8)
78 bitmap->map |= (uint64_t)1 << shift;
82 static DTLS_BITMAP *dtls_get_bitmap(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rr,
83 unsigned int *is_next_epoch)
87 /* In current epoch, accept HM, CCS, DATA, & ALERT */
88 if (rr->epoch == rl->epoch)
92 * Only HM and ALERT messages can be from the next epoch and only if we
93 * have already processed all of the unprocessed records from the last
96 else if (rr->epoch == (unsigned long)(rl->epoch + 1)
97 && rl->unprocessed_rcds.epoch != rl->epoch
98 && (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
100 return &rl->next_bitmap;
106 static void dtls_set_in_init(OSSL_RECORD_LAYER *rl, int in_init)
108 rl->in_init = in_init;
111 static int dtls_process_record(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
118 unsigned char md[EVP_MAX_MD_SIZE];
119 SSL_MAC_BUF macbuf = { NULL, 0 };
125 * At this point, rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length,
126 * and we have that many bytes in rl->packet
128 rr->input = &(rl->packet[DTLS1_RT_HEADER_LENGTH]);
131 * ok, we can now read from 'rl->packet' data into 'rr'. rr->input
132 * points at rr->length bytes, which need to be copied into rr->data by
133 * either the decryption or by the decompression. When the data is 'copied'
134 * into the rr->data buffer, rr->input will be pointed at the new buffer
138 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
139 * bytes of encrypted compressed stuff.
142 /* check is not needed I believe */
143 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
144 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
148 /* decrypt in place in 'rr->input' */
149 rr->data = rr->input;
150 rr->orig_len = rr->length;
152 if (rl->md_ctx != NULL) {
153 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
156 imac_size = EVP_MD_get_size(tmpmd);
157 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
158 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
161 mac_size = (size_t)imac_size;
165 if (rl->use_etm && rl->md_ctx != NULL) {
168 if (rr->orig_len < mac_size) {
169 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
172 rr->length -= mac_size;
173 mac = rr->data + rr->length;
174 i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
175 if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
176 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
177 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
181 * We've handled the mac now - there is no MAC inside the encrypted
188 * Set a mark around the packet decryption attempt. This is DTLS, so
189 * bad packets are just ignored, and we don't want to leave stray
190 * errors in the queue from processing bogus junk that we ignored.
193 enc_err = rl->funcs->cipher(rl, rr, 1, 0, &macbuf, mac_size);
197 * 0: if the record is publicly invalid, or an internal error, or AEAD
198 * decryption failed, or ETM decryption failed.
199 * 1: Success or MTE decryption failed (MAC will be randomised)
203 if (rl->alert != SSL_AD_NO_ALERT) {
204 /* RLAYERfatal() already called */
207 /* For DTLS we simply ignore bad packets. */
209 rl->packet_length = 0;
212 ERR_clear_last_mark();
213 OSSL_TRACE_BEGIN(TLS) {
214 BIO_printf(trc_out, "dec %zd\n", rr->length);
215 BIO_dump_indent(trc_out, rr->data, rr->length, 4);
216 } OSSL_TRACE_END(TLS);
218 /* r->length is now the compressed data plus mac */
220 && (rl->enc_ctx != NULL)
221 && (EVP_MD_CTX_get0_md(rl->md_ctx) != NULL)) {
222 /* rl->md_ctx != NULL => mac_size != -1 */
224 i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
225 if (i == 0 || macbuf.mac == NULL
226 || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0)
228 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
233 /* decryption failed, silently discard message */
235 rl->packet_length = 0;
239 /* r->length is now just compressed */
240 if (rl->compctx != NULL) {
241 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
242 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
243 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
246 if (!tls_do_uncompress(rl, rr)) {
247 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION);
253 * Check if the received packet overflows the current Max Fragment
256 if (rr->length > rl->max_frag_len) {
257 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
263 * So at this point the following is true
264 * ssl->s3.rrec.type is the type of record
265 * ssl->s3.rrec.length == number of bytes in record
266 * ssl->s3.rrec.off == offset to first valid byte
267 * ssl->s3.rrec.data == where to take bytes from, increment
271 /* we have pulled in a full packet so zero things */
272 rl->packet_length = 0;
274 /* Mark receipt of record. */
275 dtls_record_bitmap_update(rl, bitmap);
280 OPENSSL_free(macbuf.mac);
284 static int dtls_rlayer_buffer_record(OSSL_RECORD_LAYER *rl, record_pqueue *queue,
285 unsigned char *priority)
287 DTLS_RLAYER_RECORD_DATA *rdata;
290 /* Limit the size of the queue to prevent DOS attacks */
291 if (pqueue_size(queue->q) >= 100)
294 rdata = OPENSSL_malloc(sizeof(*rdata));
295 item = pitem_new(priority, rdata);
296 if (rdata == NULL || item == NULL) {
299 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
303 rdata->packet = rl->packet;
304 rdata->packet_length = rl->packet_length;
305 memcpy(&(rdata->rbuf), &rl->rbuf, sizeof(SSL3_BUFFER));
306 memcpy(&(rdata->rrec), &rl->rrec[0], sizeof(SSL3_RECORD));
311 rl->packet_length = 0;
312 memset(&rl->rbuf, 0, sizeof(SSL3_BUFFER));
313 memset(&rl->rrec[0], 0, sizeof(rl->rrec[0]));
315 if (!tls_setup_read_buffer(rl)) {
316 /* RLAYERfatal() already called */
317 OPENSSL_free(rdata->rbuf.buf);
323 if (pqueue_insert(queue->q, item) == NULL) {
324 /* Must be a duplicate so ignore it */
325 OPENSSL_free(rdata->rbuf.buf);
333 /* copy buffered record into OSSL_RECORD_LAYER structure */
334 static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER *rl, pitem *item)
336 DTLS_RLAYER_RECORD_DATA *rdata;
338 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
340 SSL3_BUFFER_release(&rl->rbuf);
342 rl->packet = rdata->packet;
343 rl->packet_length = rdata->packet_length;
344 memcpy(&rl->rbuf, &(rdata->rbuf), sizeof(SSL3_BUFFER));
345 memcpy(&rl->rrec[0], &(rdata->rrec), sizeof(SSL3_RECORD));
347 /* Set proper sequence number for mac calculation */
348 memcpy(&(rl->sequence[2]), &(rdata->packet[5]), 6);
353 static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER *rl,
354 record_pqueue *queue)
358 item = pqueue_pop(queue->q);
360 dtls_copy_rlayer_record(rl, item);
362 OPENSSL_free(item->data);
372 * Call this to get a new input record.
373 * It will return <= 0 if more data is needed, normally due to an error
374 * or non-blocking IO.
375 * When it finishes, one packet has been decoded and can be found in
376 * ssl->s3.rrec.type - is the type of record
377 * ssl->s3.rrec.data - data
378 * ssl->s3.rrec.length - number of bytes
380 int dtls_get_more_records(OSSL_RECORD_LAYER *rl)
382 int ssl_major, ssl_minor;
386 unsigned char *p = NULL;
387 unsigned short version;
389 unsigned int is_next_epoch;
393 rl->num_released = 0;
397 if (rl->rbuf.buf == NULL) {
398 if (!tls_setup_read_buffer(rl)) {
399 /* RLAYERfatal() already called */
400 return OSSL_RECORD_RETURN_FATAL;
405 /* if we're renegotiating, then there may be buffered records */
406 if (dtls_retrieve_rlayer_buffered_record(rl, &rl->processed_rcds)) {
408 return OSSL_RECORD_RETURN_SUCCESS;
411 /* get something from the wire */
413 /* check if we have the header */
414 if ((rl->rstate != SSL_ST_READ_BODY) ||
415 (rl->packet_length < DTLS1_RT_HEADER_LENGTH)) {
416 rret = rl->funcs->read_n(rl, DTLS1_RT_HEADER_LENGTH,
417 SSL3_BUFFER_get_len(&rl->rbuf), 0, 1, &n);
418 /* read timeout is handled by dtls1_read_bytes */
419 if (rret < OSSL_RECORD_RETURN_SUCCESS) {
420 /* RLAYERfatal() already called if appropriate */
421 return rret; /* error or non-blocking */
424 /* this packet contained a partial record, dump it */
425 if (rl->packet_length != DTLS1_RT_HEADER_LENGTH) {
426 rl->packet_length = 0;
430 rl->rstate = SSL_ST_READ_BODY;
434 if (rl->msg_callback != NULL)
435 rl->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
438 /* Pull apart the header into the DTLS1_RECORD */
442 version = (ssl_major << 8) | ssl_minor;
444 /* sequence number is 64 bits, with top 2 bytes = epoch */
447 memcpy(&(rl->sequence[2]), p, 6);
453 * Lets check the version. We tolerate alerts that don't have the exact
454 * version number (e.g. because of protocol version errors)
456 if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) {
457 if (version != rl->version) {
458 /* unexpected version, silently discard */
460 rl->packet_length = 0;
466 (rl->version == DTLS_ANY_VERSION ? DTLS1_VERSION_MAJOR
467 : rl->version >> 8)) {
468 /* wrong version, silently discard record */
470 rl->packet_length = 0;
474 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
475 /* record too long, silently discard it */
477 rl->packet_length = 0;
482 * If received packet overflows maximum possible fragment length then
483 * silently discard it
485 if (rr->length > rl->max_frag_len + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) {
486 /* record too long, silently discard it */
488 rl->packet_length = 0;
492 /* now rl->rstate == SSL_ST_READ_BODY */
495 /* rl->rstate == SSL_ST_READ_BODY, get and decode the data */
497 if (rr->length > rl->packet_length - DTLS1_RT_HEADER_LENGTH) {
498 /* now rl->packet_length == DTLS1_RT_HEADER_LENGTH */
500 rret = rl->funcs->read_n(rl, more, more, 1, 1, &n);
501 /* this packet contained a partial record, dump it */
502 if (rret < OSSL_RECORD_RETURN_SUCCESS || n != more) {
503 if (rl->alert != SSL_AD_NO_ALERT) {
504 /* read_n() called RLAYERfatal() */
505 return OSSL_RECORD_RETURN_FATAL;
508 rl->packet_length = 0;
513 * now n == rr->length,
514 * and rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length
517 /* set state for later operations */
518 rl->rstate = SSL_ST_READ_HEADER;
520 /* match epochs. NULL means the packet is dropped on the floor */
521 bitmap = dtls_get_bitmap(rl, rr, &is_next_epoch);
522 if (bitmap == NULL) {
524 rl->packet_length = 0; /* dump this record */
525 goto again; /* get another record */
527 #ifndef OPENSSL_NO_SCTP
528 /* Only do replay check if no SCTP bio */
529 if (!BIO_dgram_is_sctp(rl->bio)) {
531 /* Check whether this is a repeat, or aged record. */
532 if (!dtls_record_replay_check(rl, bitmap)) {
534 rl->packet_length = 0; /* dump this record */
535 goto again; /* get another record */
537 #ifndef OPENSSL_NO_SCTP
541 /* just read a 0 length packet */
546 * If this record is from the next epoch (either HM or ALERT), and a
547 * handshake is currently in progress, buffer it since it cannot be
548 * processed at this time.
552 if (dtls_rlayer_buffer_record(rl, &(rl->unprocessed_rcds),
554 /* RLAYERfatal() already called */
555 return OSSL_RECORD_RETURN_FATAL;
559 rl->packet_length = 0;
563 if (!dtls_process_record(rl, bitmap)) {
564 if (rl->alert != SSL_AD_NO_ALERT) {
565 /* dtls_process_record() called RLAYERfatal */
566 return OSSL_RECORD_RETURN_FATAL;
569 rl->packet_length = 0; /* dump this record */
570 goto again; /* get another record */
574 return OSSL_RECORD_RETURN_SUCCESS;
577 static int dtls_free(OSSL_RECORD_LAYER *rl)
580 size_t left, written;
582 DTLS_RLAYER_RECORD_DATA *rdata;
590 * This record layer is closing but we still have data left in our
591 * buffer. It must be destined for the next epoch - so push it there.
593 ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
597 if (rl->unprocessed_rcds.q != NULL) {
598 while ((item = pqueue_pop(rl->unprocessed_rcds.q)) != NULL) {
599 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
600 /* Push to the next record layer */
601 ret &= BIO_write_ex(rl->next, rdata->packet, rdata->packet_length,
603 OPENSSL_free(rdata->rbuf.buf);
604 OPENSSL_free(item->data);
607 pqueue_free(rl->unprocessed_rcds.q);
610 if (rl->processed_rcds.q != NULL) {
611 while ((item = pqueue_pop(rl->processed_rcds.q)) != NULL) {
612 rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
613 OPENSSL_free(rdata->rbuf.buf);
614 OPENSSL_free(item->data);
617 pqueue_free(rl->processed_rcds.q);
620 return tls_free(rl) && ret;
624 dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
625 int role, int direction, int level, uint16_t epoch,
626 unsigned char *key, size_t keylen, unsigned char *iv,
627 size_t ivlen, unsigned char *mackey, size_t mackeylen,
628 const EVP_CIPHER *ciph, size_t taglen,
630 const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
631 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
632 const OSSL_PARAM *settings, const OSSL_PARAM *options,
633 const OSSL_DISPATCH *fns, void *cbarg,
634 OSSL_RECORD_LAYER **retrl)
638 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
639 key, keylen, iv, ivlen, mackey, mackeylen,
640 ciph, taglen, mactype, md, comp, prev,
641 transport, next, local, peer, settings,
642 options, fns, cbarg, retrl);
644 if (ret != OSSL_RECORD_RETURN_SUCCESS)
647 (*retrl)->unprocessed_rcds.q = pqueue_new();
648 (*retrl)->processed_rcds.q = pqueue_new();
649 if ((*retrl)->unprocessed_rcds.q == NULL
650 || (*retrl)->processed_rcds.q == NULL) {
653 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
654 return OSSL_RECORD_RETURN_FATAL;
657 (*retrl)->unprocessed_rcds.epoch = epoch + 1;
658 (*retrl)->processed_rcds.epoch = epoch;
660 (*retrl)->isdtls = 1;
661 (*retrl)->epoch = epoch;
662 (*retrl)->in_init = 1;
665 case DTLS_ANY_VERSION:
666 (*retrl)->funcs = &dtls_any_funcs;
668 case DTLS1_2_VERSION:
671 (*retrl)->funcs = &dtls_1_funcs;
674 /* Should not happen */
675 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
676 ret = OSSL_RECORD_RETURN_FATAL;
680 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
681 ivlen, mackey, mackeylen, ciph,
682 taglen, mactype, md, comp);
685 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
686 OPENSSL_free(*retrl);
693 * TODO(RECLAYER): Temporary copy of the old ssl3_write_pending() function now
694 * replaced by tls_retry_write_records(). Needs to be removed when the DTLS code
697 /* if SSL3_BUFFER_get_left() != 0, we need to call this
699 * Return values are as per SSL_write()
701 static int ssl3_write_pending(OSSL_RECORD_LAYER *rl, int type,
702 const unsigned char *buf, size_t len,
706 /* TODO(RECLAYER): Remove me */
707 SSL_CONNECTION *s = (SSL_CONNECTION *)rl->cbarg;
708 SSL3_BUFFER *wb = rl->wbuf;
712 if ((s->rlayer.wpend_tot > len)
713 || (!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)
714 && (s->rlayer.wpend_buf != buf))
715 || (s->rlayer.wpend_type != type)) {
716 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_WRITE_RETRY);
717 return OSSL_RECORD_RETURN_FATAL;
722 if (s->wbio != NULL) {
723 s->rwstate = SSL_WRITING;
725 i = BIO_write(s->wbio, (char *)
726 &(SSL3_BUFFER_get_buf(&wb[currbuf])
727 [SSL3_BUFFER_get_offset(&wb[currbuf])]),
728 (unsigned int)SSL3_BUFFER_get_left(&wb[currbuf]));
732 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET);
737 * When an empty fragment is sent on a connection using KTLS,
738 * it is sent as a write of zero bytes. If this zero byte
739 * write succeeds, i will be 0 rather than a non-zero value.
740 * Treat i == 0 as success rather than an error for zero byte
741 * writes to permit this case.
743 if (i >= 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) {
744 SSL3_BUFFER_set_left(&wb[currbuf], 0);
745 SSL3_BUFFER_add_offset(&wb[currbuf], tmpwrit);
746 s->rwstate = SSL_NOTHING;
747 *written = s->rlayer.wpend_ret;
748 return OSSL_RECORD_RETURN_SUCCESS;
750 if (SSL_CONNECTION_IS_DTLS(s)) {
752 * For DTLS, just drop it. That's kind of the whole point in
753 * using a datagram service
755 SSL3_BUFFER_set_left(&wb[currbuf], 0);
758 if (BIO_should_retry(s->wbio))
759 return OSSL_RECORD_RETURN_RETRY;
761 return OSSL_RECORD_RETURN_FATAL;
763 SSL3_BUFFER_add_offset(&wb[currbuf], tmpwrit);
764 SSL3_BUFFER_sub_left(&wb[currbuf], tmpwrit);
768 static int dtls_write_records(OSSL_RECORD_LAYER *rl,
769 OSSL_RECORD_TEMPLATE *templates,
772 /* TODO(RECLAYER): Remove me */
773 SSL_CONNECTION *sc = (SSL_CONNECTION *)rl->cbarg;
774 unsigned char *p, *pseq;
775 int mac_size, clear = 0;
781 SSL *s = SSL_CONNECTION_GET_SSL(sc);
786 || (sc->enc_write_ctx == NULL)
787 || (EVP_MD_CTX_get0_md(sc->write_hash) == NULL))
793 mac_size = EVP_MD_CTX_get_size(sc->write_hash);
795 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
796 SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE);
797 return OSSL_RECORD_RETURN_FATAL;
802 /* Should not happen */
803 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
804 return OSSL_RECORD_RETURN_FATAL;
807 if (!rl->funcs->allocate_write_buffers(rl, templates, numtempl, NULL)) {
808 /* RLAYERfatal() already called */
809 return OSSL_RECORD_RETURN_FATAL;
813 p = SSL3_BUFFER_get_buf(wb);
815 /* write the header */
817 *(p++) = templates->type & 0xff;
818 SSL3_RECORD_set_type(&wr, templates->type);
819 *(p++) = templates->version >> 8;
820 *(p++) = templates->version & 0xff;
822 /* field where we are to write out packet epoch, seq num and len */
826 /* Explicit IV length, block ciphers appropriate version flag */
827 if (sc->enc_write_ctx) {
828 int mode = EVP_CIPHER_CTX_get_mode(sc->enc_write_ctx);
829 if (mode == EVP_CIPH_CBC_MODE) {
830 eivlen = EVP_CIPHER_CTX_get_iv_length(sc->enc_write_ctx);
832 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
833 return OSSL_RECORD_RETURN_FATAL;
838 /* Need explicit part of IV for GCM mode */
839 else if (mode == EVP_CIPH_GCM_MODE)
840 eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
841 else if (mode == EVP_CIPH_CCM_MODE)
842 eivlen = EVP_CCM_TLS_EXPLICIT_IV_LEN;
848 /* lets setup the record stuff. */
849 SSL3_RECORD_set_data(&wr, p + eivlen); /* make room for IV in case of CBC */
850 SSL3_RECORD_set_length(&wr, templates->buflen);
851 SSL3_RECORD_set_input(&wr, (unsigned char *)templates->buf);
854 * we now 'read' from wr.input, wr.length bytes into wr.data
857 /* first we compress */
858 if (sc->compress != NULL) {
859 if (!ssl3_do_compress(sc, &wr)) {
860 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE);
861 return OSSL_RECORD_RETURN_FATAL;
864 memcpy(SSL3_RECORD_get_data(&wr), SSL3_RECORD_get_input(&wr),
865 SSL3_RECORD_get_length(&wr));
866 SSL3_RECORD_reset_input(&wr);
870 * we should still have the output to wr.data and the input from
871 * wr.input. Length should be wr.length. wr.data still points in the
875 if (!SSL_WRITE_ETM(sc) && mac_size != 0) {
876 if (!s->method->ssl3_enc->mac(sc, &wr,
877 &(p[SSL3_RECORD_get_length(&wr) + eivlen]),
879 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
880 return OSSL_RECORD_RETURN_FATAL;
882 SSL3_RECORD_add_length(&wr, mac_size);
885 /* this is true regardless of mac size */
886 SSL3_RECORD_set_data(&wr, p);
887 SSL3_RECORD_reset_input(&wr);
890 SSL3_RECORD_add_length(&wr, eivlen);
892 if (s->method->ssl3_enc->enc(sc, &wr, 1, 1, NULL, mac_size) < 1) {
893 if (!ossl_statem_in_error(sc)) {
894 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
896 return OSSL_RECORD_RETURN_FATAL;
899 if (SSL_WRITE_ETM(sc) && mac_size != 0) {
900 if (!s->method->ssl3_enc->mac(sc, &wr,
901 &(p[SSL3_RECORD_get_length(&wr)]), 1)) {
902 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
903 return OSSL_RECORD_RETURN_FATAL;
905 SSL3_RECORD_add_length(&wr, mac_size);
908 /* record length after mac and block padding */
910 /* there's only one epoch between handshake and app data */
912 s2n(sc->rlayer.d->w_epoch, pseq);
914 memcpy(pseq, &(sc->rlayer.write_sequence[2]), 6);
916 s2n(SSL3_RECORD_get_length(&wr), pseq);
918 if (sc->msg_callback)
919 sc->msg_callback(1, 0, SSL3_RT_HEADER, pseq - DTLS1_RT_HEADER_LENGTH,
920 DTLS1_RT_HEADER_LENGTH, s, sc->msg_callback_arg);
923 * we should now have wr.data pointing to the encrypted data, which is
926 SSL3_RECORD_set_type(&wr, templates->type); /* not needed but helps for debugging */
927 SSL3_RECORD_add_length(&wr, DTLS1_RT_HEADER_LENGTH);
929 ssl3_record_sequence_update(&(sc->rlayer.write_sequence[0]));
931 /* now let's set up wb */
932 SSL3_BUFFER_set_left(wb, SSL3_RECORD_get_length(&wr));
933 SSL3_BUFFER_set_offset(wb, 0);
936 * memorize arguments so that ssl3_write_pending can detect bad write
939 sc->rlayer.wpend_tot = templates->buflen;
940 sc->rlayer.wpend_buf = templates->buf;
941 sc->rlayer.wpend_type = templates->type;
942 sc->rlayer.wpend_ret = templates->buflen;
944 /* we now just need to write the buffer. Calls SSLfatal() as required. */
945 return ssl3_write_pending(rl, templates->type, templates->buf,
946 templates->buflen, &written);
949 const OSSL_RECORD_METHOD ossl_dtls_record_method = {
950 dtls_new_record_layer,
953 tls_unprocessed_read_pending,
954 tls_processed_read_pending,
955 tls_app_data_pending,
957 tls_get_max_record_len,
960 tls_retry_write_records,
965 tls_set_protocol_version,
967 tls_set_first_handshake,
968 tls_set_max_pipelines,