2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/bio.h>
11 #include <openssl/ssl.h>
12 #include <openssl/err.h>
13 #include <openssl/core_names.h>
14 #include <openssl/rand.h>
15 #include "internal/e_os.h"
16 #include "internal/packet.h"
17 #include "../../ssl_local.h"
18 #include "../record_local.h"
20 /* Protocol version specific function pointers */
21 struct record_functions_st
23 int (*set_crypto_state)(OSSL_RECORD_LAYER *rl, int level,
24 unsigned char *key, size_t keylen,
25 unsigned char *iv, size_t ivlen,
26 unsigned char *mackey, size_t mackeylen,
27 const EVP_CIPHER *ciph,
29 /* TODO(RECLAYER): This probably should not be an int */
33 /* TODO(RECLAYER): Remove me */
35 int (*cipher)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
36 int sending, SSL_MAC_BUF *macs, size_t macsize,
37 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s);
38 int (*mac)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
39 int sending, /* TODO(RECLAYER): Remove me */SSL_CONNECTION *ssl);
42 struct ossl_record_layer_st
51 /* Types match the equivalent structures in the SSL object */
54 * TODO(RECLAYER): Should we take the opportunity to make this uint64_t
55 * even though upper layer continue to use uint32_t?
59 /* read IO goes into here */
61 /* each decoded record goes in here */
62 SSL3_RECORD rrec[SSL_MAX_PIPELINES];
64 /* How many records have we got available in the rrec bufer */
67 /* The record number in the rrec buffer that can be read next */
70 /* The number of records that have been released via tls_release_record */
73 /* Set to true if this is the first record in a connection */
74 unsigned int is_first_record;
76 /* where we are when reading */
79 /* used internally to point at a raw packet */
80 unsigned char *packet;
86 * Read as many input bytes as possible (for
88 * TODO(RECLAYER): Why isn't this just an option?
92 /* The number of consecutive empty records we have received */
93 size_t empty_record_count;
95 /* cryptographic state */
96 EVP_CIPHER_CTX *enc_read_ctx;
97 /* TLSv1.3 static read IV */
98 unsigned char read_iv[EVP_MAX_IV_LENGTH];
99 /* used for mac generation */
100 EVP_MD_CTX *read_hash;
104 /* Only used by SSLv3 */
105 unsigned char mac_secret[EVP_MAX_MD_SIZE];
107 /* Function pointers for version specific functions */
108 /* Function pointers for version specific functions */
109 struct record_functions_st *funcs;
112 # define SSL_AD_NO_ALERT -1
114 static void rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
115 const char *fmt, ...)
120 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
127 # define RLAYERfatal(rl, al, r) RLAYERfatal_data((rl), (al), (r), NULL)
128 # define RLAYERfatal_data \
130 ERR_set_debug(OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC), \
133 static int tls_provider_set_tls_parameters(OSSL_RECORD_LAYER *rl,
135 const EVP_CIPHER *ciph,
140 * Provided cipher, the TLS padding/MAC removal is performed provider
141 * side so we need to tell the ctx about our TLS version and mac size
143 OSSL_PARAM params[3], *pprm = params;
147 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
149 * We look at s->ext.use_etm instead of SSL_READ_ETM() or
150 * SSL_WRITE_ETM() because this test applies to both reading
154 imacsize = EVP_MD_get_size(md);
156 macsize = (size_t)imacsize;
158 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
160 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
162 *pprm = OSSL_PARAM_construct_end();
164 if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
165 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
172 static int tls_fail_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
173 unsigned char *key, size_t keylen,
174 unsigned char *iv, size_t ivlen,
175 unsigned char *mackey, size_t mackeylen,
176 const EVP_CIPHER *ciph,
178 /* TODO(RECLAYER): This probably should not be an int */
181 const SSL_COMP *comp,
182 /* TODO(RECLAYER): Remove me */
185 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
189 static int tls_any_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
190 unsigned char *key, size_t keylen,
191 unsigned char *iv, size_t ivlen,
192 unsigned char *mackey, size_t mackeylen,
193 const EVP_CIPHER *ciph,
195 /* TODO(RECLAYER): This probably should not be an int */
198 const SSL_COMP *comp,
199 /* TODO(RECLAYER): Remove me */
202 if (level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
203 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
207 /* No crypto protection at the "NONE" level so nothing to be done */
212 /* TODO(RECLAYER): Handle OPENSSL_NO_COMP */
213 static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
214 unsigned char *key, size_t keylen,
215 unsigned char *iv, size_t ivlen,
216 unsigned char *mackey, size_t mackeylen,
217 const EVP_CIPHER *ciph,
219 /* TODO(RECLAYER): This probably should not be an int */
222 const SSL_COMP *comp,
223 /* TODO(RECLAYER): Remove me */
226 EVP_CIPHER_CTX *ciph_ctx;
229 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
233 if ((rl->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) {
234 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
237 ciph_ctx = rl->enc_read_ctx;
239 rl->read_hash = EVP_MD_CTX_new();
240 if (rl->read_hash == NULL) {
241 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
244 #ifndef OPENSSL_NO_COMP
246 rl->expand = COMP_CTX_new(comp->method);
247 if (rl->expand == NULL) {
248 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
249 SSL_R_COMPRESSION_LIBRARY_ERROR);
255 if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, key, iv)) {
256 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
260 if (EVP_CIPHER_get0_provider(ciph) != NULL
261 && !tls_provider_set_tls_parameters(rl, ciph_ctx, ciph, md, s)) {
262 /* RLAYERfatal already called */
266 if (mackeylen > sizeof(rl->mac_secret)) {
267 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
270 memcpy(rl->mac_secret, mackey, mackeylen);
275 /* TODO(RECLAYER): Handle OPENSSL_NO_COMP */
276 static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
277 unsigned char *key, size_t keylen,
278 unsigned char *iv, size_t ivlen,
279 unsigned char *mackey, size_t mackeylen,
280 const EVP_CIPHER *ciph,
282 /* TODO(RECLAYER): This probably should not be an int */
285 const SSL_COMP *comp,
286 /* TODO(RECLAYER): Remove me */
289 EVP_CIPHER_CTX *ciph_ctx;
292 if (level != OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
296 s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
298 s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
300 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
301 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
303 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
305 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE)
306 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_TLSTREE;
308 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_TLSTREE;
310 if ((rl->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) {
311 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
315 ciph_ctx = rl->enc_read_ctx;
317 rl->read_hash = EVP_MD_CTX_new();
318 if (rl->read_hash == NULL) {
319 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
322 #ifndef OPENSSL_NO_COMP
324 rl->expand = COMP_CTX_new(comp->method);
325 if (rl->expand == NULL) {
326 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
327 SSL_R_COMPRESSION_LIBRARY_ERROR);
333 * this is done by dtls1_reset_seq_numbers for DTLS
336 RECORD_LAYER_reset_read_sequence(&s->rlayer);
339 * If we have an AEAD Cipher, then there is no separate MAC, so we can skip
340 * setting up the MAC key.
342 if (!(EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
343 if (mactype == EVP_PKEY_HMAC) {
344 mac_key = EVP_PKEY_new_raw_private_key_ex(rl->libctx, "HMAC",
349 * If its not HMAC then the only other types of MAC we support are
350 * the GOST MACs, so we need to use the old style way of creating
353 mac_key = EVP_PKEY_new_mac_key(mactype, NULL, mackey,
357 || EVP_DigestSignInit_ex(rl->read_hash, NULL, EVP_MD_get0_name(md),
358 rl->libctx, rl->propq, mac_key,
360 EVP_PKEY_free(mac_key);
361 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
364 EVP_PKEY_free(mac_key);
367 if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_GCM_MODE) {
368 if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, key, NULL)
369 || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_GCM_SET_IV_FIXED,
371 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
374 } else if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) {
375 if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, NULL, NULL)
376 || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, 12,
378 || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,
380 || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_CCM_SET_IV_FIXED,
383 * TODO(RECLAYER): Why do we defer setting the key until here?
384 * why not in the initial EVP_DecryptInit_ex() call?
386 || !EVP_DecryptInit_ex(ciph_ctx, NULL, NULL, key, NULL)) {
387 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
391 if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, key, iv)) {
392 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
396 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
397 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
399 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
400 (int)mackeylen, mackey)) {
401 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
404 if (EVP_CIPHER_get0_provider(ciph) != NULL
405 && !tls_provider_set_tls_parameters(rl, ciph_ctx, ciph, md, s)) {
406 /* RLAYERfatal already called */
413 static int tls_any_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
414 int sending, SSL_MAC_BUF *macs, size_t macsize,
415 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
419 for (ctr = 0; ctr < n_recs; ctr++) {
420 memmove(recs[ctr].data, recs[ctr].input, recs[ctr].length);
421 recs[ctr].input = recs[ctr].data;
428 * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Calls SSLfatal on
429 * internal error, but not otherwise. It is the responsibility of the caller to
430 * report a bad_record_mac
433 * 0: if the record is publicly invalid, or an internal error
434 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
436 static int ssl3_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *inrecs, size_t n_recs,
437 int sending, SSL_MAC_BUF *mac, size_t macsize,
438 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
444 const EVP_CIPHER *enc;
449 * We shouldn't ever be called with more than one record in the SSLv3 case
454 ds = s->enc_write_ctx;
455 if (s->enc_write_ctx == NULL)
458 enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx);
460 ds = rl->enc_read_ctx;
461 if (rl->enc_read_ctx == NULL)
464 enc = EVP_CIPHER_CTX_get0_cipher(rl->enc_read_ctx);
467 provided = (EVP_CIPHER_get0_provider(enc) != NULL);
470 bs = EVP_CIPHER_CTX_get_block_size(ds);
474 if ((bs != 1) && sending && !provided) {
476 * We only do this for legacy ciphers. Provided ciphers add the
477 * padding on the provider side.
481 /* we need to add 'i-1' padding bytes */
484 * the last of these zero bytes will be overwritten with the
487 memset(&rec->input[rec->length], 0, i);
489 rec->input[l - 1] = (unsigned char)(i - 1);
493 if (l == 0 || l % bs != 0) {
494 /* Publicly invalid */
497 /* otherwise, rec->length >= bs */
503 if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input,
506 rec->length = outlen;
508 if (!sending && mac != NULL) {
509 /* Now get a pointer to the MAC */
510 OSSL_PARAM params[2], *p = params;
515 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
518 *p = OSSL_PARAM_construct_end();
520 if (!EVP_CIPHER_CTX_get_params(ds, params)) {
521 /* Shouldn't normally happen */
522 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
527 if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) {
528 /* Shouldn't happen */
529 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR);
534 return ssl3_cbc_remove_padding_and_mac(&rec->length,
537 (mac != NULL) ? &mac->mac : NULL,
538 (mac != NULL) ? &mac->alloced : NULL,
547 #define MAX_PADDING 256
549 * tls1_cipher encrypts/decrypts |n_recs| in |recs|. Calls SSLfatal on internal
550 * error, but not otherwise. It is the responsibility of the caller to report
551 * a bad_record_mac - if appropriate (DTLS just drops the record).
554 * 0: if the record is publicly invalid, or an internal error, or AEAD
555 * decryption failed, or Encrypt-then-mac decryption failed.
556 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
558 static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
559 int sending, SSL_MAC_BUF *macs, size_t macsize,
560 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
563 size_t reclen[SSL_MAX_PIPELINES];
564 unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
565 int i, pad = 0, tmpr, provided;
566 size_t bs, ctr, padnum, loop;
567 unsigned char padval;
568 const EVP_CIPHER *enc;
569 int tlstree_enc = sending ? (s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
570 : (s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE);
571 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
574 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
581 if (EVP_MD_CTX_get0_md(s->write_hash)) {
582 int n = EVP_MD_CTX_get_size(s->write_hash);
583 if (!ossl_assert(n >= 0)) {
584 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
588 ds = s->enc_write_ctx;
589 if (!ossl_assert(s->enc_write_ctx)) {
590 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
594 enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx);
595 /* For TLSv1.1 and later explicit IV */
596 if (SSL_USE_EXPLICIT_IV(s)
597 && EVP_CIPHER_get_mode(enc) == EVP_CIPH_CBC_MODE)
598 ivlen = EVP_CIPHER_get_iv_length(enc);
602 for (ctr = 0; ctr < n_recs; ctr++) {
603 if (recs[ctr].data != recs[ctr].input) {
605 * we can't write into the input stream: Can this ever
608 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
610 } else if (RAND_bytes_ex(sctx->libctx, recs[ctr].input,
612 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
618 if (EVP_MD_CTX_get0_md(rl->read_hash)) {
619 int n = EVP_MD_CTX_get_size(rl->read_hash);
620 if (!ossl_assert(n >= 0)) {
621 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
625 ds = rl->enc_read_ctx;
626 if (!ossl_assert(rl->enc_read_ctx)) {
627 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
631 enc = EVP_CIPHER_CTX_get0_cipher(rl->enc_read_ctx);
634 if ((s->session == NULL) || (enc == NULL)) {
635 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
639 provided = (EVP_CIPHER_get0_provider(enc) != NULL);
641 bs = EVP_CIPHER_get_block_size(EVP_CIPHER_CTX_get0_cipher(ds));
644 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
645 & EVP_CIPH_FLAG_PIPELINE) == 0) {
647 * We shouldn't have been called with pipeline data if the
648 * cipher doesn't support pipelining
650 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
654 for (ctr = 0; ctr < n_recs; ctr++) {
655 reclen[ctr] = recs[ctr].length;
657 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
658 & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
661 seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
662 : RECORD_LAYER_get_read_sequence(&s->rlayer);
664 if (SSL_CONNECTION_IS_DTLS(s)) {
665 /* DTLS does not support pipelining */
666 unsigned char dtlsseq[8], *p = dtlsseq;
668 s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
669 DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
670 memcpy(p, &seq[2], 6);
671 memcpy(buf[ctr], dtlsseq, 8);
673 memcpy(buf[ctr], seq, 8);
674 for (i = 7; i >= 0; i--) { /* increment */
681 buf[ctr][8] = recs[ctr].type;
682 buf[ctr][9] = (unsigned char)(rl->version >> 8);
683 buf[ctr][10] = (unsigned char)(rl->version);
684 buf[ctr][11] = (unsigned char)(recs[ctr].length >> 8);
685 buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff);
686 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
687 EVP_AEAD_TLS1_AAD_LEN, buf[ctr]);
689 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
695 recs[ctr].length += pad;
698 } else if ((bs != 1) && sending && !provided) {
700 * We only do this for legacy ciphers. Provided ciphers add the
701 * padding on the provider side.
703 padnum = bs - (reclen[ctr] % bs);
705 /* Add weird padding of up to 256 bytes */
707 if (padnum > MAX_PADDING) {
708 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
711 /* we need to add 'padnum' padding bytes of value padval */
712 padval = (unsigned char)(padnum - 1);
713 for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++)
714 recs[ctr].input[loop] = padval;
715 reclen[ctr] += padnum;
716 recs[ctr].length += padnum;
720 if (reclen[ctr] == 0 || reclen[ctr] % bs != 0) {
721 /* Publicly invalid */
727 unsigned char *data[SSL_MAX_PIPELINES];
729 /* Set the output buffers */
730 for (ctr = 0; ctr < n_recs; ctr++) {
731 data[ctr] = recs[ctr].data;
733 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
734 (int)n_recs, data) <= 0) {
735 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
738 /* Set the input buffers */
739 for (ctr = 0; ctr < n_recs; ctr++) {
740 data[ctr] = recs[ctr].input;
742 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS,
743 (int)n_recs, data) <= 0
744 || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
745 (int)n_recs, reclen) <= 0) {
746 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
751 if (!SSL_CONNECTION_IS_DTLS(s) && tlstree_enc) {
753 int decrement_seq = 0;
756 * When sending, seq is incremented after MAC calculation.
757 * So if we are in ETM mode, we use seq 'as is' in the ctrl-function.
758 * Otherwise we have to decrease it in the implementation
760 if (sending && !SSL_WRITE_ETM(s))
763 seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
764 : RECORD_LAYER_get_read_sequence(&s->rlayer);
765 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_TLSTREE, decrement_seq, seq) <= 0) {
766 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
774 /* Provided cipher - we do not support pipelining on this path */
776 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
780 if (!EVP_CipherUpdate(ds, recs[0].data, &outlen, recs[0].input,
781 (unsigned int)reclen[0]))
783 recs[0].length = outlen;
786 * The length returned from EVP_CipherUpdate above is the actual
787 * payload length. We need to adjust the data/input ptr to skip over
791 if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
792 recs[0].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
793 recs[0].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
794 } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
795 recs[0].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
796 recs[0].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
797 } else if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) {
800 recs[0].orig_len -= bs;
803 /* Now get a pointer to the MAC (if applicable) */
805 OSSL_PARAM params[2], *p = params;
810 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
811 (void **)&macs[0].mac,
813 *p = OSSL_PARAM_construct_end();
815 if (!EVP_CIPHER_CTX_get_params(ds, params)) {
816 /* Shouldn't normally happen */
817 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
818 ERR_R_INTERNAL_ERROR);
826 tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
827 (unsigned int)reclen[0]);
828 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
829 & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0
832 /* AEAD can fail to verify MAC */
837 for (ctr = 0; ctr < n_recs; ctr++) {
838 /* Adjust the record to remove the explicit IV/MAC/Tag */
839 if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
840 recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
841 recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
842 recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
843 } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
844 recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
845 recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
846 recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
847 } else if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) {
848 if (recs[ctr].length < bs)
850 recs[ctr].data += bs;
851 recs[ctr].input += bs;
852 recs[ctr].length -= bs;
853 recs[ctr].orig_len -= bs;
857 * If using Mac-then-encrypt, then this will succeed but
858 * with a random MAC if padding is invalid
860 if (!tls1_cbc_remove_padding_and_mac(&recs[ctr].length,
863 (macs != NULL) ? &macs[ctr].mac : NULL,
864 (macs != NULL) ? &macs[ctr].alloced
867 pad ? (size_t)pad : macsize,
868 (EVP_CIPHER_get_flags(enc)
869 & EVP_CIPH_FLAG_AEAD_CIPHER) != 0,
878 static const unsigned char ssl3_pad_1[48] = {
879 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
880 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
881 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
882 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
883 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
884 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
887 static const unsigned char ssl3_pad_2[48] = {
888 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
889 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
890 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
891 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
892 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
893 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
896 static int ssl3_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
897 int sending, SSL_CONNECTION *ssl)
899 unsigned char *mac_sec, *seq;
900 const EVP_MD_CTX *hash;
901 unsigned char *p, rec_char;
907 mac_sec = &(ssl->s3.write_mac_secret[0]);
908 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
909 hash = ssl->write_hash;
911 mac_sec = &(rl->mac_secret[0]);
912 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
913 hash = rl->read_hash;
916 t = EVP_MD_CTX_get_size(hash);
920 npad = (48 / md_size) * md_size;
923 && EVP_CIPHER_CTX_get_mode(rl->enc_read_ctx) == EVP_CIPH_CBC_MODE
924 && ssl3_cbc_record_digest_supported(hash)) {
925 #ifdef OPENSSL_NO_DEPRECATED_3_0
929 * This is a CBC-encrypted record. We must avoid leaking any
930 * timing-side channel information about how many blocks of data we
931 * are hashing because that gives an attacker a timing-oracle.
935 * npad is, at most, 48 bytes and that's with MD5:
936 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
938 * With SHA-1 (the largest hash speced for SSLv3) the hash size
939 * goes up 4, but npad goes down by 8, resulting in a smaller
942 unsigned char header[75];
944 memcpy(header + j, mac_sec, md_size);
946 memcpy(header + j, ssl3_pad_1, npad);
948 memcpy(header + j, seq, 8);
950 header[j++] = rec->type;
951 header[j++] = (unsigned char)(rec->length >> 8);
952 header[j++] = (unsigned char)(rec->length & 0xff);
954 /* Final param == is SSLv3 */
955 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash),
958 rec->length, rec->orig_len,
959 mac_sec, md_size, 1) <= 0)
963 unsigned int md_size_u;
964 /* Chop the digest off the end :-) */
965 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
970 rec_char = rec->type;
973 if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
974 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
975 || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
976 || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
977 || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
978 || EVP_DigestUpdate(md_ctx, md, 2) <= 0
979 || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
980 || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
981 || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
982 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
983 || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
984 || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
985 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
986 EVP_MD_CTX_free(md_ctx);
990 EVP_MD_CTX_free(md_ctx);
993 ssl3_record_sequence_update(seq);
997 static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
998 int sending, SSL_CONNECTION *ssl)
1004 EVP_MD_CTX *hmac = NULL, *mac_ctx;
1005 unsigned char header[13];
1006 int stream_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
1007 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM);
1008 int tlstree_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
1009 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE);
1014 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
1015 hash = ssl->write_hash;
1017 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
1018 hash = rl->read_hash;
1021 t = EVP_MD_CTX_get_size(hash);
1022 if (!ossl_assert(t >= 0))
1026 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
1030 hmac = EVP_MD_CTX_new();
1031 if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) {
1039 && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) {
1044 unsigned char dtlsseq[8], *p = dtlsseq;
1046 s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
1047 DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
1048 memcpy(p, &seq[2], 6);
1050 memcpy(header, dtlsseq, 8);
1052 memcpy(header, seq, 8);
1054 header[8] = rec->type;
1055 header[9] = (unsigned char)(ssl->version >> 8);
1056 header[10] = (unsigned char)(ssl->version);
1057 header[11] = (unsigned char)(rec->length >> 8);
1058 header[12] = (unsigned char)(rec->length & 0xff);
1060 if (!sending && !SSL_READ_ETM(ssl)
1061 && EVP_CIPHER_CTX_get_mode(rl->enc_read_ctx) == EVP_CIPH_CBC_MODE
1062 && ssl3_cbc_record_digest_supported(mac_ctx)) {
1063 OSSL_PARAM tls_hmac_params[2], *p = tls_hmac_params;
1065 *p++ = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE,
1067 *p++ = OSSL_PARAM_construct_end();
1069 if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_get_pkey_ctx(mac_ctx),
1075 if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
1076 || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
1077 || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
1081 OSSL_TRACE_BEGIN(TLS) {
1082 BIO_printf(trc_out, "seq:\n");
1083 BIO_dump_indent(trc_out, seq, 8, 4);
1084 BIO_printf(trc_out, "rec:\n");
1085 BIO_dump_indent(trc_out, rec->data, rec->length, 4);
1086 } OSSL_TRACE_END(TLS);
1088 if (!SSL_CONNECTION_IS_DTLS(ssl)) {
1089 for (i = 7; i >= 0; i--) {
1095 OSSL_TRACE_BEGIN(TLS) {
1096 BIO_printf(trc_out, "md:\n");
1097 BIO_dump_indent(trc_out, md, md_size, 4);
1098 } OSSL_TRACE_END(TLS);
1101 EVP_MD_CTX_free(hmac);
1106 struct record_functions_st tls_any_funcs = {
1107 tls_any_set_crypto_state,
1112 struct record_functions_st tls_1_3_funcs = {
1113 tls_fail_set_crypto_state,
1118 struct record_functions_st tls_1_2_funcs = {
1119 tls1_set_crypto_state,
1124 struct record_functions_st tls_1_1_funcs = {
1125 tls1_set_crypto_state,
1130 struct record_functions_st tls_1_0_funcs = {
1131 tls1_set_crypto_state,
1136 struct record_functions_st ssl_3_0_funcs = {
1137 ssl3_set_crypto_state,
1142 static int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio);
1144 static int rlayer_allow_compression(OSSL_RECORD_LAYER *rl)
1146 if (rl->options & SSL_OP_NO_COMPRESSION)
1149 /* TODO(RECLAYER): Implement ssl_security inside the record layer */
1150 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1156 static int rlayer_setup_read_buffer(OSSL_RECORD_LAYER *rl)
1159 size_t len, align = 0, headerlen;
1165 headerlen = DTLS1_RT_HEADER_LENGTH;
1167 headerlen = SSL3_RT_HEADER_LENGTH;
1169 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
1170 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
1173 if (b->buf == NULL) {
1174 len = SSL3_RT_MAX_PLAIN_LENGTH
1175 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
1176 #ifndef OPENSSL_NO_COMP
1177 if (rlayer_allow_compression(rl))
1178 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
1180 if (b->default_len > len)
1181 len = b->default_len;
1182 if ((p = OPENSSL_malloc(len)) == NULL) {
1184 * We've got a malloc failure, and we're still initialising buffers.
1185 * We assume we're so doomed that we won't even be able to send an
1188 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_MALLOC_FAILURE);
1198 static int rlayer_release_read_buffer(OSSL_RECORD_LAYER *rl)
1203 if (rl->options & SSL_OP_CLEANSE_PLAINTEXT)
1204 OPENSSL_cleanse(b->buf, b->len);
1205 OPENSSL_free(b->buf);
1210 static void tls_reset_packet_length(OSSL_RECORD_LAYER *rl)
1212 rl->packet_length = 0;
1216 * Return values are as per SSL_read()
1218 static int tls_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
1219 int clearold, size_t *readbytes)
1222 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
1223 * packet by another n bytes. The packet will be in the sub-array of
1224 * s->rlayer.rbuf.buf specified by s->rlayer.packet and
1225 * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may
1226 * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].)
1227 * if clearold == 1, move the packet to the start of the buffer; if
1228 * clearold == 0 then leave any old packets where they were
1230 size_t len, left, align = 0;
1235 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
1238 if (rb->buf == NULL) {
1239 if (!rlayer_setup_read_buffer(rl)) {
1240 /* RLAYERfatal() already called */
1241 return OSSL_RECORD_RETURN_FATAL;
1246 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
1247 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
1248 align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
1252 /* start with empty packet ... */
1255 } else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {
1257 * check if next packet length is large enough to justify payload
1260 pkt = rb->buf + rb->offset;
1261 if (pkt[0] == SSL3_RT_APPLICATION_DATA
1262 && (pkt[3] << 8 | pkt[4]) >= 128) {
1264 * Note that even if packet is corrupted and its length field
1265 * is insane, we can only be led to wrong decision about
1266 * whether memmove will occur or not. Header values has no
1267 * effect on memmove arguments and therefore no buffer
1268 * overrun can be triggered.
1270 memmove(rb->buf + align, pkt, left);
1274 rl->packet = rb->buf + rb->offset;
1275 rl->packet_length = 0;
1276 /* ... now we can act as if 'extend' was set */
1279 len = rl->packet_length;
1280 pkt = rb->buf + align;
1282 * Move any available bytes to front of buffer: 'len' bytes already
1283 * pointed to by 'packet', 'left' extra ones at the end
1285 if (rl->packet != pkt && clearold == 1) {
1286 memmove(pkt, rl->packet, len + left);
1288 rb->offset = len + align;
1292 * For DTLS/UDP reads should not span multiple packets because the read
1293 * operation returns the whole packet at once (as long as it fits into
1297 if (left == 0 && extend)
1299 if (left > 0 && n > left)
1303 /* if there is enough in the buffer from a previous read, take some */
1305 rl->packet_length += n;
1306 rb->left = left - n;
1309 return OSSL_RECORD_RETURN_SUCCESS;
1312 /* else we need to read more data */
1314 if (n > rb->len - rb->offset) {
1315 /* does not happen */
1316 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1317 return OSSL_RECORD_RETURN_FATAL;
1321 * Ktls always reads full records.
1322 * Also, we always act like read_ahead is set for DTLS.
1324 if (!BIO_get_ktls_recv(s->rbio) && !rl->read_ahead
1326 /* ignore max parameter */
1331 if (max > rb->len - rb->offset)
1332 max = rb->len - rb->offset;
1340 * Now we have len+left bytes at the front of s->s3.rbuf.buf and
1341 * need to read in more until we have len+n (up to len+max if
1346 if (rl->bio != NULL) {
1347 ret = BIO_read(rl->bio, pkt + len + left, max - left);
1350 ret = OSSL_RECORD_RETURN_SUCCESS;
1351 } else if (BIO_should_retry(rl->bio)) {
1352 ret = OSSL_RECORD_RETURN_RETRY;
1353 } else if (BIO_eof(rl->bio)) {
1354 ret = OSSL_RECORD_RETURN_EOF;
1356 ret = OSSL_RECORD_RETURN_FATAL;
1359 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
1360 ret = OSSL_RECORD_RETURN_FATAL;
1363 if (ret <= OSSL_RECORD_RETURN_RETRY) {
1365 if (rl->mode & SSL_MODE_RELEASE_BUFFERS && !rl->isdtls)
1366 if (len + left == 0)
1367 rlayer_release_read_buffer(rl);
1372 * reads should *never* span multiple packets for DTLS because the
1373 * underlying transport protocol is message oriented as opposed to
1374 * byte oriented as in the TLS case.
1378 n = left; /* makes the while condition false */
1382 /* done reading, now the book-keeping */
1384 rb->left = left - n;
1385 rl->packet_length += n;
1387 return OSSL_RECORD_RETURN_SUCCESS;
1391 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
1392 * for us in the buffer.
1394 static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
1402 p = SSL3_BUFFER_get_buf(rbuf);
1406 left = SSL3_BUFFER_get_left(rbuf);
1408 if (left < SSL3_RT_HEADER_LENGTH)
1411 p += SSL3_BUFFER_get_offset(rbuf);
1414 * We only check the type and record length, we will sanity check version
1417 if (*p != SSL3_RT_APPLICATION_DATA)
1423 if (left < SSL3_RT_HEADER_LENGTH + len)
1430 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
1431 * will be processed per call to ssl3_get_record. Without this limit an
1432 * attacker could send empty records at a faster rate than we can process and
1433 * cause ssl3_get_record to loop forever.
1435 #define MAX_EMPTY_RECORDS 32
1437 #define SSL2_RT_HEADER_LENGTH 2
1440 * Call this to buffer new input records in rl->rrec.
1441 * It will return a OSSL_RECORD_RETURN_* value.
1442 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
1443 * records have been decoded. For each record 'i':
1444 * rrec[i].type - is the type of record
1445 * rrec[i].data, - data
1446 * rrec[i].length, - number of bytes
1447 * Multiple records will only be returned if the record types are all
1448 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
1451 static int tls_get_more_records(OSSL_RECORD_LAYER *rl,
1452 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
1457 SSL3_RECORD *rr, *thisrr;
1461 unsigned char md[EVP_MAX_MD_SIZE];
1462 unsigned int version;
1463 size_t mac_size = 0;
1465 size_t num_recs = 0, max_recs, j;
1466 PACKET pkt, sslv2pkt;
1468 SSL_MAC_BUF *macbufs = NULL;
1469 int ret = OSSL_RECORD_RETURN_FATAL;
1470 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1475 max_recs = s->max_pipelines;
1481 * KTLS reads full records. If there is any data left,
1482 * then it is from before enabling ktls.
1484 using_ktls = BIO_get_ktls_recv(rl->bio) && SSL3_BUFFER_get_left(rbuf) == 0;
1487 thisrr = &rr[num_recs];
1489 /* check if we have the header */
1490 if ((rl->rstate != SSL_ST_READ_BODY) ||
1491 (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
1495 rret = tls_read_n(rl, SSL3_RT_HEADER_LENGTH,
1496 SSL3_BUFFER_get_len(rbuf), 0,
1497 num_recs == 0 ? 1 : 0, &n);
1499 if (rret < OSSL_RECORD_RETURN_SUCCESS) {
1500 #ifndef OPENSSL_NO_KTLS
1501 if (!BIO_get_ktls_recv(rl->bio) || rret == 0)
1502 return rret; /* error or non-blocking */
1505 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
1506 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
1509 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1510 SSL_R_PACKET_LENGTH_TOO_LONG);
1513 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
1514 SSL_R_WRONG_VERSION_NUMBER);
1522 rl->rstate = SSL_ST_READ_BODY;
1525 if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
1526 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1527 return OSSL_RECORD_RETURN_FATAL;
1530 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
1531 || !PACKET_get_1(&sslv2pkt, &type)) {
1532 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
1533 return OSSL_RECORD_RETURN_FATAL;
1536 * The first record received by the server may be a V2ClientHello.
1538 if (rl->role == OSSL_RECORD_ROLE_SERVER
1539 && rl->is_first_record
1540 && (sslv2len & 0x8000) != 0
1541 && (type == SSL2_MT_CLIENT_HELLO)) {
1543 * SSLv2 style record
1545 * |num_recs| here will actually always be 0 because
1546 * |num_recs > 0| only ever occurs when we are processing
1547 * multiple app data records - which we know isn't the case here
1548 * because it is an SSLv2ClientHello. We keep it using
1549 * |num_recs| for the sake of consistency
1551 thisrr->type = SSL3_RT_HANDSHAKE;
1552 thisrr->rec_version = SSL2_VERSION;
1554 thisrr->length = sslv2len & 0x7fff;
1556 if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
1557 - SSL2_RT_HEADER_LENGTH) {
1558 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1559 SSL_R_PACKET_LENGTH_TOO_LONG);
1560 return OSSL_RECORD_RETURN_FATAL;
1563 if (thisrr->length < MIN_SSL2_RECORD_LEN) {
1564 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
1565 return OSSL_RECORD_RETURN_FATAL;
1568 /* SSLv3+ style record */
1570 /* Pull apart the header into the SSL3_RECORD */
1571 if (!PACKET_get_1(&pkt, &type)
1572 || !PACKET_get_net_2(&pkt, &version)
1573 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
1574 if (s->msg_callback)
1575 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, ssl,
1576 s->msg_callback_arg);
1577 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
1578 return OSSL_RECORD_RETURN_FATAL;
1580 thisrr->type = type;
1581 thisrr->rec_version = version;
1583 if (s->msg_callback)
1584 s->msg_callback(0, version, SSL3_RT_HEADER, p, 5, ssl,
1585 s->msg_callback_arg);
1588 * Lets check version. In TLSv1.3 we only check this field
1589 * when encryption is occurring (see later check). For the
1590 * ServerHello after an HRR we haven't actually selected TLSv1.3
1591 * yet, but we still treat it as TLSv1.3, so we must check for
1594 if (!s->first_packet && !SSL_CONNECTION_IS_TLS13(s)
1595 && s->hello_retry_request != SSL_HRR_PENDING
1596 && version != (unsigned int)s->version) {
1597 if ((s->version & 0xFF00) == (version & 0xFF00)
1598 && !s->enc_write_ctx && !s->write_hash) {
1599 if (thisrr->type == SSL3_RT_ALERT) {
1601 * The record is using an incorrect version number,
1602 * but what we've got appears to be an alert. We
1603 * haven't read the body yet to check whether its a
1604 * fatal or not - but chances are it is. We probably
1605 * shouldn't send a fatal alert back. We'll just
1608 RLAYERfatal(rl, SSL_AD_NO_ALERT,
1609 SSL_R_WRONG_VERSION_NUMBER);
1610 return OSSL_RECORD_RETURN_FATAL;
1613 * Send back error using their minor version number :-)
1615 s->version = (unsigned short)version;
1617 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
1618 SSL_R_WRONG_VERSION_NUMBER);
1619 return OSSL_RECORD_RETURN_FATAL;
1622 if ((version >> 8) != SSL3_VERSION_MAJOR) {
1623 if (rl->is_first_record) {
1624 /* Go back to start of packet, look at the five bytes
1627 if (HAS_PREFIX((char *)p, "GET ") ||
1628 HAS_PREFIX((char *)p, "POST ") ||
1629 HAS_PREFIX((char *)p, "HEAD ") ||
1630 HAS_PREFIX((char *)p, "PUT ")) {
1631 RLAYERfatal(rl, SSL_AD_NO_ALERT, SSL_R_HTTP_REQUEST);
1632 return OSSL_RECORD_RETURN_FATAL;
1633 } else if (HAS_PREFIX((char *)p, "CONNE")) {
1634 RLAYERfatal(rl, SSL_AD_NO_ALERT,
1635 SSL_R_HTTPS_PROXY_REQUEST);
1636 return OSSL_RECORD_RETURN_FATAL;
1639 /* Doesn't look like TLS - don't send an alert */
1640 RLAYERfatal(rl, SSL_AD_NO_ALERT,
1641 SSL_R_WRONG_VERSION_NUMBER);
1642 return OSSL_RECORD_RETURN_FATAL;
1644 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
1645 SSL_R_WRONG_VERSION_NUMBER);
1646 return OSSL_RECORD_RETURN_FATAL;
1650 if (SSL_CONNECTION_IS_TLS13(s)
1651 && s->enc_read_ctx != NULL
1653 if (thisrr->type != SSL3_RT_APPLICATION_DATA
1654 && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC
1655 || !SSL_IS_FIRST_HANDSHAKE(s))
1656 && (thisrr->type != SSL3_RT_ALERT
1657 || s->statem.enc_read_state
1658 != ENC_READ_STATE_ALLOW_PLAIN_ALERTS)) {
1659 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
1660 SSL_R_BAD_RECORD_TYPE);
1661 return OSSL_RECORD_RETURN_FATAL;
1663 if (thisrr->rec_version != TLS1_2_VERSION) {
1664 RLAYERfatal(rl, SSL_AD_DECODE_ERROR,
1665 SSL_R_WRONG_VERSION_NUMBER);
1666 return OSSL_RECORD_RETURN_FATAL;
1670 if (thisrr->length >
1671 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
1672 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1673 SSL_R_PACKET_LENGTH_TOO_LONG);
1674 return OSSL_RECORD_RETURN_FATAL;
1678 /* now rl->rstate == SSL_ST_READ_BODY */
1681 if (SSL_CONNECTION_IS_TLS13(s)) {
1682 size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH;
1684 /* KTLS strips the inner record type. */
1686 len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
1688 if (thisrr->length > len) {
1689 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1690 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1691 return OSSL_RECORD_RETURN_FATAL;
1694 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
1696 #ifndef OPENSSL_NO_COMP
1698 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
1699 * does not include the compression overhead anyway.
1701 if (s->expand == NULL)
1702 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
1705 /* KTLS may use all of the buffer */
1707 len = SSL3_BUFFER_get_left(rbuf);
1709 if (thisrr->length > len) {
1710 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1711 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1712 return OSSL_RECORD_RETURN_FATAL;
1717 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
1718 * how much more data we need to read for the rest of the record
1720 if (thisrr->rec_version == SSL2_VERSION) {
1721 more = thisrr->length + SSL2_RT_HEADER_LENGTH
1722 - SSL3_RT_HEADER_LENGTH;
1724 more = thisrr->length;
1728 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
1730 rret = tls_read_n(rl, more, more, 1, 0, &n);
1731 if (rret < OSSL_RECORD_RETURN_SUCCESS)
1732 return rret; /* error or non-blocking io */
1735 /* set state for later operations */
1736 rl->rstate = SSL_ST_READ_HEADER;
1739 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
1740 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
1741 * + thisrr->length and we have that many bytes in rl->packet
1743 if (thisrr->rec_version == SSL2_VERSION)
1744 thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
1746 thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
1749 * ok, we can now read from 'rl->packet' data into 'thisrr'.
1750 * thisrr->input points at thisrr->length bytes, which need to be copied
1751 * into thisrr->data by either the decryption or by the decompression.
1752 * When the data is 'copied' into the thisrr->data buffer,
1753 * thisrr->input will be updated to point at the new buffer
1757 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
1758 * thisrr->length bytes of encrypted compressed stuff.
1761 /* decrypt in place in 'thisrr->input' */
1762 thisrr->data = thisrr->input;
1763 thisrr->orig_len = thisrr->length;
1765 /* Mark this record as not read by upper layers yet */
1770 /* we have pulled in a full packet so zero things */
1771 tls_reset_packet_length(rl);
1772 rl->is_first_record = 0;
1773 } while (num_recs < max_recs
1774 && thisrr->type == SSL3_RT_APPLICATION_DATA
1775 && SSL_USE_EXPLICIT_IV(s)
1776 && rl->enc_read_ctx != NULL
1777 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_read_ctx))
1778 & EVP_CIPH_FLAG_PIPELINE) != 0
1779 && tls_record_app_data_waiting(rl));
1782 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
1783 && (SSL_CONNECTION_IS_TLS13(s) || s->hello_retry_request != SSL_HRR_NONE)
1784 && SSL_IS_FIRST_HANDSHAKE(s)) {
1786 * CCS messages must be exactly 1 byte long, containing the value 0x01
1788 if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
1789 RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER,
1790 SSL_R_INVALID_CCS_MESSAGE);
1791 return OSSL_RECORD_RETURN_FATAL;
1794 * CCS messages are ignored in TLSv1.3. We treat it like an empty
1797 thisrr->type = SSL3_RT_HANDSHAKE;
1798 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
1799 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
1800 SSL_R_UNEXPECTED_CCS_MESSAGE);
1801 return OSSL_RECORD_RETURN_FATAL;
1806 rl->num_released = 0;
1808 return OSSL_RECORD_RETURN_SUCCESS;
1812 goto skip_decryption;
1814 if (rl->read_hash != NULL) {
1815 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->read_hash);
1817 if (tmpmd != NULL) {
1818 imac_size = EVP_MD_get_size(tmpmd);
1819 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
1820 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
1821 return OSSL_RECORD_RETURN_FATAL;
1823 mac_size = (size_t)imac_size;
1828 * If in encrypt-then-mac mode calculate mac from encrypted record. All
1829 * the details below are public so no timing details can leak.
1831 if (SSL_READ_ETM(s) && rl->read_hash) {
1834 for (j = 0; j < num_recs; j++) {
1837 if (thisrr->length < mac_size) {
1838 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
1839 return OSSL_RECORD_RETURN_FATAL;
1841 thisrr->length -= mac_size;
1842 mac = thisrr->data + thisrr->length;
1843 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s);
1844 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
1845 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
1846 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
1847 return OSSL_RECORD_RETURN_FATAL;
1851 * We've handled the mac now - there is no MAC inside the encrypted
1858 macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
1859 if (macbufs == NULL) {
1860 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1861 return OSSL_RECORD_RETURN_FATAL;
1866 * TODO(RECLAYER): Only call rl functions once TLSv1.3/SSLv3 is moved to new
1869 if (!SSL_CONNECTION_IS_TLS13(s))
1870 enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size, s);
1872 enc_err = ssl->method->ssl3_enc->enc(s, rr, num_recs, 0, macbufs, mac_size);
1876 * 0: if the record is publicly invalid, or an internal error, or AEAD
1877 * decryption failed, or ETM decryption failed.
1878 * 1: Success or MTE decryption failed (MAC will be randomised)
1881 if (ossl_statem_in_error(s)) {
1882 /* SSLfatal() already got called */
1885 if (num_recs == 1 && ossl_statem_skip_early_data(s)) {
1887 * Valid early_data that we cannot decrypt will fail here. We treat
1888 * it like an empty record.
1893 if (!ossl_early_data_count_ok(s, thisrr->length,
1894 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
1895 /* SSLfatal() already called */
1903 rl->num_released = 0;
1904 RECORD_LAYER_reset_read_sequence(&s->rlayer);
1908 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
1909 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
1912 OSSL_TRACE_BEGIN(TLS) {
1913 BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
1914 BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
1915 } OSSL_TRACE_END(TLS);
1917 /* r->length is now the compressed data plus mac */
1919 && (rl->enc_read_ctx != NULL)
1920 && (!SSL_READ_ETM(s) && EVP_MD_CTX_get0_md(rl->read_hash) != NULL)) {
1921 /* rl->read_hash != NULL => mac_size != -1 */
1923 for (j = 0; j < num_recs; j++) {
1924 SSL_MAC_BUF *thismb = &macbufs[j];
1927 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s);
1928 if (i == 0 || thismb == NULL || thismb->mac == NULL
1929 || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
1931 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
1937 if (ossl_statem_in_error(s)) {
1938 /* We already called SSLfatal() */
1942 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
1943 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
1944 * failure is directly visible from the ciphertext anyway, we should
1945 * not reveal which kind of error occurred -- this might become
1946 * visible to an attacker (e.g. via a logfile)
1948 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
1949 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
1955 for (j = 0; j < num_recs; j++) {
1958 /* thisrr->length is now just compressed */
1959 if (s->expand != NULL) {
1960 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
1961 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1962 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1965 if (!ssl3_do_uncompress(s, thisrr)) {
1966 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
1967 SSL_R_BAD_DECOMPRESSION);
1972 if (SSL_CONNECTION_IS_TLS13(s)
1973 && s->enc_read_ctx != NULL
1974 && thisrr->type != SSL3_RT_ALERT) {
1976 * The following logic are irrelevant in KTLS: the kernel provides
1977 * unprotected record and thus record type represent the actual
1978 * content type, and padding is already removed and thisrr->type and
1979 * thisrr->length should have the correct values.
1984 if (thisrr->length == 0
1985 || thisrr->type != SSL3_RT_APPLICATION_DATA) {
1986 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
1987 SSL_R_BAD_RECORD_TYPE);
1991 /* Strip trailing padding */
1992 for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
1996 thisrr->length = end;
1997 thisrr->type = thisrr->data[end];
1999 if (thisrr->type != SSL3_RT_APPLICATION_DATA
2000 && thisrr->type != SSL3_RT_ALERT
2001 && thisrr->type != SSL3_RT_HANDSHAKE) {
2002 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
2005 if (s->msg_callback)
2006 s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE,
2007 &thisrr->type, 1, ssl, s->msg_callback_arg);
2011 * TLSv1.3 alert and handshake records are required to be non-zero in
2014 if (SSL_CONNECTION_IS_TLS13(s)
2015 && (thisrr->type == SSL3_RT_HANDSHAKE
2016 || thisrr->type == SSL3_RT_ALERT)
2017 && thisrr->length == 0) {
2018 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
2023 * Usually thisrr->length is the length of a single record, but when
2024 * KTLS handles the decryption, thisrr->length may be larger than
2025 * SSL3_RT_MAX_PLAIN_LENGTH because the kernel may have coalesced
2027 * Therefore we have to rely on KTLS to check the plaintext length
2028 * limit in the kernel.
2030 if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) {
2031 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
2036 * Check if the received packet overflows the current
2037 * Max Fragment Length setting.
2038 * Note: USE_MAX_FRAGMENT_LENGTH_EXT and KTLS are mutually exclusive.
2040 if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
2041 && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) {
2042 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
2048 * So at this point the following is true
2049 * thisrr->type is the type of record
2050 * thisrr->length == number of bytes in record
2051 * thisrr->off == offset to first valid byte
2052 * thisrr->data == where to take bytes from, increment after use :-).
2055 /* just read a 0 length packet */
2056 if (thisrr->length == 0) {
2057 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
2058 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_RECORD_TOO_SMALL);
2062 rl->empty_record_count = 0;
2066 if (s->early_data_state == SSL_EARLY_DATA_READING) {
2068 if (thisrr->type == SSL3_RT_APPLICATION_DATA
2069 && !ossl_early_data_count_ok(s, thisrr->length, 0, 0)) {
2070 /* SSLfatal already called */
2075 rl->num_recs = num_recs;
2077 rl->num_released = 0;
2078 ret = OSSL_RECORD_RETURN_SUCCESS;
2080 if (macbufs != NULL) {
2081 for (j = 0; j < num_recs; j++) {
2082 if (macbufs[j].alloced)
2083 OPENSSL_free(macbufs[j].mac);
2085 OPENSSL_free(macbufs);
2090 static int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
2091 int *rversion, int *type, unsigned char **data,
2092 size_t *datalen, uint16_t *epoch,
2093 unsigned char *seq_num,
2094 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
2099 * tls_get_more_records() can return success without actually reading
2100 * anything useful (i.e. if empty records are read). We loop here until
2101 * we have something useful. tls_get_more_records() will eventually fail if
2102 * too many sequential empty records are read.
2104 while (rl->curr_rec >= rl->num_recs) {
2107 if (rl->num_released != rl->num_recs) {
2108 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
2109 return OSSL_RECORD_RETURN_FATAL;
2112 ret = tls_get_more_records(rl, s);
2114 if (ret != OSSL_RECORD_RETURN_SUCCESS)
2119 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
2120 * points to the next one to read.
2122 rec = &rl->rrec[rl->curr_rec++];
2125 *rversion = rec->rec_version;
2128 *datalen = rec->length;
2130 return OSSL_RECORD_RETURN_SUCCESS;
2133 static int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle)
2135 if (!ossl_assert(rl->num_released < rl->curr_rec)
2136 || !ossl_assert(rechandle == &rl->rrec[rl->num_released])) {
2137 /* Should not happen */
2138 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
2139 return OSSL_RECORD_RETURN_FATAL;
2144 return OSSL_RECORD_RETURN_SUCCESS;
2147 static OSSL_RECORD_LAYER *tls_new_record_layer(OSSL_LIB_CTX *libctx,
2148 const char *propq, int vers,
2149 int role, int direction,
2150 int level, unsigned char *key,
2154 unsigned char *mackey,
2156 const EVP_CIPHER *ciph,
2158 /* TODO(RECLAYER): This probably should not be an int */
2161 const SSL_COMP *comp,
2162 BIO *transport, BIO_ADDR *local,
2164 const OSSL_PARAM *settings,
2165 const OSSL_PARAM *options,
2166 /* TODO(RECLAYER): Remove me */
2169 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
2170 const OSSL_PARAM *p;
2173 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2177 if (transport != NULL && !BIO_up_ref(transport)) {
2178 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2182 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
2183 if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
2184 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
2188 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
2189 if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
2190 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
2195 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
2196 if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
2197 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
2201 rl->libctx = libctx;
2206 rl->direction = direction;
2209 rl->is_first_record = 1;
2211 if (!tls_set1_bio(rl, transport))
2215 case TLS_ANY_VERSION:
2216 rl->funcs = &tls_any_funcs;
2218 case TLS1_3_VERSION:
2219 rl->funcs = &tls_1_3_funcs;
2221 case TLS1_2_VERSION:
2222 rl->funcs = &tls_1_2_funcs;
2224 case TLS1_1_VERSION:
2225 rl->funcs = &tls_1_1_funcs;
2228 rl->funcs = &tls_1_0_funcs;
2231 rl->funcs = &ssl_3_0_funcs;
2234 /* Should not happen */
2235 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2239 if (!rl->funcs->set_crypto_state(rl, level, key, keylen, iv, ivlen,
2240 mackey, mackeylen, ciph, taglen,
2241 mactype, md, comp, s)) {
2242 /* RLAYERfatal already called */
2252 static OSSL_RECORD_LAYER *dtls_new_record_layer(OSSL_LIB_CTX *libctx,
2253 const char *propq, int vers,
2254 int role, int direction,
2255 int level, unsigned char *key,
2259 unsigned char *mackey,
2261 const EVP_CIPHER *ciph,
2263 /* TODO(RECLAYER): This probably should not be an int */
2266 const SSL_COMP *comp,
2267 BIO *transport, BIO_ADDR *local,
2269 const OSSL_PARAM *settings,
2270 const OSSL_PARAM *options,
2271 /* TODO(RECLAYER): Remove me */
2274 OSSL_RECORD_LAYER *rl = tls_new_record_layer(libctx, propq, vers, role,
2275 direction, level, key, keylen,
2276 iv, ivlen, mackey, mackeylen,
2277 ciph, taglen, mactype, md,
2278 comp, transport, local, peer,
2279 settings, options, s);
2289 static void tls_free(OSSL_RECORD_LAYER *rl)
2295 static int tls_reset(OSSL_RECORD_LAYER *rl)
2297 memset(rl, 0, sizeof(*rl));
2301 static int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
2303 return SSL3_BUFFER_get_left(&rl->rbuf) != 0;;
2306 static int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
2308 return rl->curr_rec < rl->num_recs;
2311 static size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
2316 static int tls_write_pending(OSSL_RECORD_LAYER *rl)
2321 static size_t tls_get_max_record_len(OSSL_RECORD_LAYER *rl)
2326 static size_t tls_get_max_records(OSSL_RECORD_LAYER *rl)
2331 static int tls_write_records(OSSL_RECORD_LAYER *rl,
2332 OSSL_RECORD_TEMPLATE **templates, size_t numtempl,
2333 size_t allowance, size_t *sent)
2338 static int tls_retry_write_records(OSSL_RECORD_LAYER *rl, size_t allowance,
2345 static int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
2350 static int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
2352 if (bio != NULL && !BIO_up_ref(bio))
2360 static SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl)
2365 static unsigned char *tls_get0_packet(OSSL_RECORD_LAYER *rl)
2370 static void tls_set0_packet(OSSL_RECORD_LAYER *rl, unsigned char *packet,
2373 rl->packet = packet;
2374 rl->packet_length = packetlen;
2377 static size_t tls_get_packet_length(OSSL_RECORD_LAYER *rl)
2379 return rl->packet_length;
2382 const OSSL_RECORD_METHOD ossl_tls_record_method = {
2383 tls_new_record_layer,
2386 tls_unprocessed_read_pending,
2387 tls_processed_read_pending,
2388 tls_app_data_pending,
2390 tls_get_max_record_len,
2391 tls_get_max_records,
2393 tls_retry_write_records,
2400 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
2401 * during the record layer refactoring. They need to be removed before the
2402 * refactor is complete.
2408 tls_get_packet_length,
2409 tls_reset_packet_length
2412 const OSSL_RECORD_METHOD ossl_dtls_record_method = {
2413 dtls_new_record_layer,
2416 tls_unprocessed_read_pending,
2417 tls_processed_read_pending,
2418 tls_app_data_pending,
2420 tls_get_max_record_len,
2421 tls_get_max_records,
2423 tls_retry_write_records,
2430 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
2431 * during the record layer refactoring. They need to be removed before the
2432 * refactor is complete.
2438 tls_get_packet_length,
2439 tls_reset_packet_length