#include "../../ssl_local.h"
#include "../record_local.h"
+typedef struct dtls_bitmap_st {
+ /* Track 64 packets */
+ uint64_t map;
+ /* Max record number seen so far, 64-bit value in big-endian encoding */
+ unsigned char max_seq_num[SEQ_NUM_SIZE];
+} DTLS_BITMAP;
+
/* Protocol version specific function pointers */
struct record_functions_st
{
unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph,
size_t taglen,
- /* TODO(RECLAYER): This probably should not be an int */
int mactype,
const EVP_MD *md,
- const SSL_COMP *comp,
- /* TODO(RECLAYER): Remove me */
- SSL_CONNECTION *s);
+ const SSL_COMP *comp);
int (*read_n)(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
int clearold, size_t *readbytes);
+
+ int (*get_more_records)(OSSL_RECORD_LAYER *rl);
+
/*
* Returns:
* 0: if the record is publicly invalid, or an internal error, or AEAD
* 1: Success or MtE decryption failed (MAC will be randomised)
*/
int (*cipher)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
- int sending, SSL_MAC_BUF *macs, size_t macsize,
- /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s);
+ int sending, SSL_MAC_BUF *macs, size_t macsize);
/* Returns 1 for success or 0 for error */
int (*mac)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
- int sending, /* TODO(RECLAYER): Remove me */SSL_CONNECTION *ssl);
+ int sending);
/* Return 1 for success or 0 for error */
int (*set_protocol_version)(OSSL_RECORD_LAYER *rl, int version);
int (*validate_record_header)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec);
/* Return 1 for success or 0 for error */
- int (*post_process_record)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec,
- /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s);
+ int (*post_process_record)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec);
};
struct ossl_record_layer_st
int role;
int direction;
int level;
+ /* DTLS only */
+ uint16_t epoch;
/*
* A BIO containing any data read in the previous epoch that was destined
*/
BIO *next;
- /* Types match the equivalent structures in the SSL object */
+ /* Types match the equivalent fields in the SSL object */
uint64_t options;
- /*
- * TODO(RECLAYER): Should we take the opportunity to make this uint64_t
- * even though upper layer continue to use uint32_t?
- */
uint32_t mode;
+ /* write IO goes into here */
+ SSL3_BUFFER wbuf[SSL_MAX_PIPELINES + 1];
+
+ /* Next wbuf with pending data still to write */
+ size_t nextwbuf;
+
+ /* How many pipelines can be used to write data */
+ size_t numwpipes;
+
/* read IO goes into here */
SSL3_BUFFER rbuf;
/* each decoded record goes in here */
int alert;
/*
- * Read as many input bytes as possible (for
- * non-blocking reads)
- * TODO(RECLAYER): Why isn't this just an option?
+ * Read as many input bytes as possible (for non-blocking reads)
*/
int read_ahead;
size_t empty_record_count;
/* cryptographic state */
- EVP_CIPHER_CTX *enc_read_ctx;
+ EVP_CIPHER_CTX *enc_ctx;
/* used for mac generation */
- EVP_MD_CTX *read_hash;
+ EVP_MD_CTX *md_ctx;
+
/* uncompress */
COMP_CTX *expand;
/* TLSv1.0/TLSv1.1/TLSv1.2 */
int use_etm;
+ /* Flags for GOST ciphers */
+ int stream_mac;
+ int tlstree;
+
/* TLSv1.3 fields */
/* static IV */
unsigned char iv[EVP_MAX_IV_LENGTH];
size_t taglen;
+ /* DTLS received handshake records (processed and unprocessed) */
+ record_pqueue unprocessed_rcds;
+ record_pqueue processed_rcds;
+
+ /* records being received in the current epoch */
+ DTLS_BITMAP bitmap;
+ /* renegotiation starts a new set of sequence numbers */
+ DTLS_BITMAP next_bitmap;
+
+ /*
+ * Whether we are currently in a hanshake or not. Only maintained for DTLS
+ */
+ int in_init;
+
/* Callbacks */
void *cbarg;
- OSSL_FUNC_rlayer_skip_early_data_fn *rlayer_skip_early_data;
+ OSSL_FUNC_rlayer_skip_early_data_fn *skip_early_data;
+ OSSL_FUNC_rlayer_msg_callback_fn *msg_callback;
+ OSSL_FUNC_rlayer_security_fn *security;
+
+ size_t max_pipelines;
/* Function pointers for version specific functions */
struct record_functions_st *funcs;
};
+typedef struct dtls_rlayer_record_data_st {
+ unsigned char *packet;
+ size_t packet_length;
+ SSL3_BUFFER rbuf;
+ SSL3_RECORD rrec;
+} DTLS_RLAYER_RECORD_DATA;
+
extern struct record_functions_st ssl_3_0_funcs;
extern struct record_functions_st tls_1_funcs;
extern struct record_functions_st tls_1_3_funcs;
extern struct record_functions_st tls_any_funcs;
+extern struct record_functions_st dtls_1_funcs;
+extern struct record_functions_st dtls_any_funcs;
void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
const char *fmt, ...);
-# define RLAYERfatal(rl, al, r) RLAYERfatal_data((rl), (al), (r), NULL)
-# define RLAYERfatal_data \
+#define RLAYERfatal(rl, al, r) RLAYERfatal_data((rl), (al), (r), NULL)
+#define RLAYERfatal_data \
(ERR_new(), \
ERR_set_debug(OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC), \
ossl_rlayer_fatal)
-# define RLAYER_USE_EXPLICIT_IV(rl) ((rl)->version == TLS1_1_VERSION \
- || (rl)->version == TLS1_2_VERSION)
+#define RLAYER_USE_EXPLICIT_IV(rl) ((rl)->version == TLS1_1_VERSION \
+ || (rl)->version == TLS1_2_VERSION \
+ || (rl)->isdtls)
int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
EVP_CIPHER_CTX *ctx,
int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
int clearold, size_t *readbytes);
+int tls_get_more_records(OSSL_RECORD_LAYER *rl);
+int dtls_get_more_records(OSSL_RECORD_LAYER *rl);
int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version);
int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *re);
-int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL_CONNECTION *s);
-int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec,
- SSL_CONNECTION *s);
+int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec);
+int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec);
+int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec);
int
tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
size_t keylen, unsigned char *iv, size_t ivlen,
unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
- /* TODO(RECLAYER): This probably should not be an int */
int mactype,
const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
BIO *transport, BIO *next,
BIO_ADDR *local, BIO_ADDR *peer,
const OSSL_PARAM *settings, const OSSL_PARAM *options,
const OSSL_DISPATCH *fns, void *cbarg,
- OSSL_RECORD_LAYER **retrl,
- /* TODO(RECLAYER): Remove me */
- SSL_CONNECTION *s);
+ OSSL_RECORD_LAYER **retrl);
int tls_free(OSSL_RECORD_LAYER *rl);
int tls_reset(OSSL_RECORD_LAYER *rl);
int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl);
int tls_write_pending(OSSL_RECORD_LAYER *rl);
size_t tls_get_max_record_len(OSSL_RECORD_LAYER *rl);
size_t tls_get_max_records(OSSL_RECORD_LAYER *rl);
-int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE **templates,
- size_t numtempl, size_t allowance, size_t *sent);
-int tls_retry_write_records(OSSL_RECORD_LAYER *rl, size_t allowance,
- size_t *sent);
+int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates,
+ size_t numtempl);
+int tls_retry_write_records(OSSL_RECORD_LAYER *rl);
int tls_get_alert_code(OSSL_RECORD_LAYER *rl);
int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio);
-int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
+int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
int *type, unsigned char **data, size_t *datalen,
- uint16_t *epoch, unsigned char *seq_num,
- /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s);
+ uint16_t *epoch, unsigned char *seq_num);
int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle);
int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version);
int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version);
void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow);
void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first);
-SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl);
-unsigned char *tls_get0_packet(OSSL_RECORD_LAYER *rl);
-void tls_set0_packet(OSSL_RECORD_LAYER *rl, unsigned char *packet,
- size_t packetlen);
-size_t tls_get_packet_length(OSSL_RECORD_LAYER *rl);
-void tls_reset_packet_length(OSSL_RECORD_LAYER *rl);
+void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines);
+void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
+ const char **longstr);
+int tls_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options);
+int tls_setup_read_buffer(OSSL_RECORD_LAYER *rl);