2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/bio.h>
11 #include <openssl/ssl.h>
12 #include <openssl/err.h>
13 #include <openssl/core_names.h>
14 #include <openssl/rand.h>
15 #include "internal/e_os.h"
16 #include "internal/packet.h"
17 #include "../../ssl_local.h"
18 #include "../record_local.h"
20 /* Protocol version specific function pointers */
21 struct record_functions_st
23 int (*set_crypto_state)(OSSL_RECORD_LAYER *rl, int level,
24 unsigned char *key, size_t keylen,
25 unsigned char *iv, size_t ivlen,
26 unsigned char *mackey, size_t mackeylen,
27 const EVP_CIPHER *ciph,
29 /* TODO(RECLAYER): This probably should not be an int */
33 /* TODO(RECLAYER): Remove me */
35 int (*cipher)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
36 int sending, SSL_MAC_BUF *macs, size_t macsize,
37 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s);
38 int (*mac)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
39 int sending, /* TODO(RECLAYER): Remove me */SSL_CONNECTION *ssl);
42 struct ossl_record_layer_st
51 /* Types match the equivalent structures in the SSL object */
54 * TODO(RECLAYER): Should we take the opportunity to make this uint64_t
55 * even though upper layer continue to use uint32_t?
59 /* read IO goes into here */
61 /* each decoded record goes in here */
62 SSL3_RECORD rrec[SSL_MAX_PIPELINES];
64 /* How many records have we got available in the rrec bufer */
67 /* The record number in the rrec buffer that can be read next */
70 /* The number of records that have been released via tls_release_record */
73 /* Set to true if this is the first record in a connection */
74 unsigned int is_first_record;
76 /* where we are when reading */
79 /* used internally to point at a raw packet */
80 unsigned char *packet;
86 * Read as many input bytes as possible (for
88 * TODO(RECLAYER): Why isn't this just an option?
92 /* The number of consecutive empty records we have received */
93 size_t empty_record_count;
95 /* cryptographic state */
96 EVP_CIPHER_CTX *enc_read_ctx;
97 /* TLSv1.3 static read IV */
98 unsigned char read_iv[EVP_MAX_IV_LENGTH];
99 /* used for mac generation */
100 EVP_MD_CTX *read_hash;
104 /* Only used by SSLv3 */
105 unsigned char mac_secret[EVP_MAX_MD_SIZE];
107 /* TLSv1.3 static IV */
108 unsigned char iv[EVP_MAX_IV_LENGTH];
112 /* Function pointers for version specific functions */
113 /* Function pointers for version specific functions */
114 struct record_functions_st *funcs;
117 # define SSL_AD_NO_ALERT -1
119 static void rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
120 const char *fmt, ...)
125 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
132 # define RLAYERfatal(rl, al, r) RLAYERfatal_data((rl), (al), (r), NULL)
133 # define RLAYERfatal_data \
135 ERR_set_debug(OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC), \
138 static int tls_provider_set_tls_parameters(OSSL_RECORD_LAYER *rl,
140 const EVP_CIPHER *ciph,
145 * Provided cipher, the TLS padding/MAC removal is performed provider
146 * side so we need to tell the ctx about our TLS version and mac size
148 OSSL_PARAM params[3], *pprm = params;
152 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
154 * We look at s->ext.use_etm instead of SSL_READ_ETM() or
155 * SSL_WRITE_ETM() because this test applies to both reading
159 imacsize = EVP_MD_get_size(md);
161 macsize = (size_t)imacsize;
163 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
165 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
167 *pprm = OSSL_PARAM_construct_end();
169 if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
170 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
177 static int tls_any_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
178 unsigned char *key, size_t keylen,
179 unsigned char *iv, size_t ivlen,
180 unsigned char *mackey, size_t mackeylen,
181 const EVP_CIPHER *ciph,
183 /* TODO(RECLAYER): This probably should not be an int */
186 const SSL_COMP *comp,
187 /* TODO(RECLAYER): Remove me */
190 if (level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
191 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
195 /* No crypto protection at the "NONE" level so nothing to be done */
200 /* TODO(RECLAYER): Handle OPENSSL_NO_COMP */
201 static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
202 unsigned char *key, size_t keylen,
203 unsigned char *iv, size_t ivlen,
204 unsigned char *mackey, size_t mackeylen,
205 const EVP_CIPHER *ciph,
207 /* TODO(RECLAYER): This probably should not be an int */
210 const SSL_COMP *comp,
211 /* TODO(RECLAYER): Remove me */
214 EVP_CIPHER_CTX *ciph_ctx;
217 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
221 if ((rl->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) {
222 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
225 ciph_ctx = rl->enc_read_ctx;
227 rl->read_hash = EVP_MD_CTX_new();
228 if (rl->read_hash == NULL) {
229 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
232 #ifndef OPENSSL_NO_COMP
234 rl->expand = COMP_CTX_new(comp->method);
235 if (rl->expand == NULL) {
236 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
237 SSL_R_COMPRESSION_LIBRARY_ERROR);
243 if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, key, iv)) {
244 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
248 if (EVP_CIPHER_get0_provider(ciph) != NULL
249 && !tls_provider_set_tls_parameters(rl, ciph_ctx, ciph, md, s)) {
250 /* RLAYERfatal already called */
254 if (mackeylen > sizeof(rl->mac_secret)) {
255 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
258 memcpy(rl->mac_secret, mackey, mackeylen);
263 /* TODO(RECLAYER): Handle OPENSSL_NO_COMP */
264 static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
265 unsigned char *key, size_t keylen,
266 unsigned char *iv, size_t ivlen,
267 unsigned char *mackey, size_t mackeylen,
268 const EVP_CIPHER *ciph,
270 /* TODO(RECLAYER): This probably should not be an int */
273 const SSL_COMP *comp,
274 /* TODO(RECLAYER): Remove me */
277 EVP_CIPHER_CTX *ciph_ctx;
280 if (level != OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
284 s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
286 s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
288 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
289 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
291 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
293 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE)
294 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_TLSTREE;
296 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_TLSTREE;
298 if ((rl->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) {
299 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
303 ciph_ctx = rl->enc_read_ctx;
305 rl->read_hash = EVP_MD_CTX_new();
306 if (rl->read_hash == NULL) {
307 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
310 #ifndef OPENSSL_NO_COMP
312 rl->expand = COMP_CTX_new(comp->method);
313 if (rl->expand == NULL) {
314 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
315 SSL_R_COMPRESSION_LIBRARY_ERROR);
321 * this is done by dtls1_reset_seq_numbers for DTLS
324 RECORD_LAYER_reset_read_sequence(&s->rlayer);
327 * If we have an AEAD Cipher, then there is no separate MAC, so we can skip
328 * setting up the MAC key.
330 if (!(EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
331 if (mactype == EVP_PKEY_HMAC) {
332 mac_key = EVP_PKEY_new_raw_private_key_ex(rl->libctx, "HMAC",
337 * If its not HMAC then the only other types of MAC we support are
338 * the GOST MACs, so we need to use the old style way of creating
341 mac_key = EVP_PKEY_new_mac_key(mactype, NULL, mackey,
345 || EVP_DigestSignInit_ex(rl->read_hash, NULL, EVP_MD_get0_name(md),
346 rl->libctx, rl->propq, mac_key,
348 EVP_PKEY_free(mac_key);
349 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
352 EVP_PKEY_free(mac_key);
355 if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_GCM_MODE) {
356 if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, key, NULL)
357 || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_GCM_SET_IV_FIXED,
359 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
362 } else if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) {
363 if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, NULL, NULL)
364 || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, 12,
366 || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,
368 || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_CCM_SET_IV_FIXED,
371 * TODO(RECLAYER): Why do we defer setting the key until here?
372 * why not in the initial EVP_DecryptInit_ex() call?
374 || !EVP_DecryptInit_ex(ciph_ctx, NULL, NULL, key, NULL)) {
375 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
379 if (!EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, key, iv)) {
380 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
384 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
385 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
387 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
388 (int)mackeylen, mackey)) {
389 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
392 if (EVP_CIPHER_get0_provider(ciph) != NULL
393 && !tls_provider_set_tls_parameters(rl, ciph_ctx, ciph, md, s)) {
394 /* RLAYERfatal already called */
401 static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
402 unsigned char *key, size_t keylen,
403 unsigned char *iv, size_t ivlen,
404 unsigned char *mackey, size_t mackeylen,
405 const EVP_CIPHER *ciph,
407 /* TODO(RECLAYER): This probably should not be an int */
410 const SSL_COMP *comp,
411 /* TODO(RECLAYER): Remove me */
414 EVP_CIPHER_CTX *ciph_ctx;
417 if (ivlen > sizeof(rl->iv)) {
418 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
421 memcpy(rl->iv, iv, ivlen);
423 ciph_ctx = rl->enc_read_ctx = EVP_CIPHER_CTX_new();
424 if (ciph_ctx == NULL) {
425 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
429 RECORD_LAYER_reset_read_sequence(&s->rlayer);
432 mode = EVP_CIPHER_get_mode(ciph);
434 if (EVP_DecryptInit_ex(ciph_ctx, ciph, NULL, NULL, NULL) <= 0
435 || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
436 || (mode == EVP_CIPH_CCM_MODE
437 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen, NULL))
438 || EVP_DecryptInit_ex(ciph_ctx, NULL, NULL, key, NULL) <= 0) {
439 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
446 static int tls_any_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
447 int sending, SSL_MAC_BUF *macs, size_t macsize,
448 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
452 for (ctr = 0; ctr < n_recs; ctr++) {
453 memmove(recs[ctr].data, recs[ctr].input, recs[ctr].length);
454 recs[ctr].input = recs[ctr].data;
461 * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Calls SSLfatal on
462 * internal error, but not otherwise. It is the responsibility of the caller to
463 * report a bad_record_mac
466 * 0: if the record is publicly invalid, or an internal error
467 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
469 static int ssl3_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *inrecs, size_t n_recs,
470 int sending, SSL_MAC_BUF *mac, size_t macsize,
471 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
477 const EVP_CIPHER *enc;
482 * We shouldn't ever be called with more than one record in the SSLv3 case
487 ds = s->enc_write_ctx;
488 if (s->enc_write_ctx == NULL)
491 enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx);
493 ds = rl->enc_read_ctx;
494 if (rl->enc_read_ctx == NULL)
497 enc = EVP_CIPHER_CTX_get0_cipher(rl->enc_read_ctx);
500 provided = (EVP_CIPHER_get0_provider(enc) != NULL);
503 bs = EVP_CIPHER_CTX_get_block_size(ds);
507 if ((bs != 1) && sending && !provided) {
509 * We only do this for legacy ciphers. Provided ciphers add the
510 * padding on the provider side.
514 /* we need to add 'i-1' padding bytes */
517 * the last of these zero bytes will be overwritten with the
520 memset(&rec->input[rec->length], 0, i);
522 rec->input[l - 1] = (unsigned char)(i - 1);
526 if (l == 0 || l % bs != 0) {
527 /* Publicly invalid */
530 /* otherwise, rec->length >= bs */
536 if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input,
539 rec->length = outlen;
541 if (!sending && mac != NULL) {
542 /* Now get a pointer to the MAC */
543 OSSL_PARAM params[2], *p = params;
548 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
551 *p = OSSL_PARAM_construct_end();
553 if (!EVP_CIPHER_CTX_get_params(ds, params)) {
554 /* Shouldn't normally happen */
555 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
560 if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) {
561 /* Shouldn't happen */
562 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR);
567 return ssl3_cbc_remove_padding_and_mac(&rec->length,
570 (mac != NULL) ? &mac->mac : NULL,
571 (mac != NULL) ? &mac->alloced : NULL,
580 #define MAX_PADDING 256
582 * tls1_cipher encrypts/decrypts |n_recs| in |recs|. Calls SSLfatal on internal
583 * error, but not otherwise. It is the responsibility of the caller to report
584 * a bad_record_mac - if appropriate (DTLS just drops the record).
587 * 0: if the record is publicly invalid, or an internal error, or AEAD
588 * decryption failed, or Encrypt-then-mac decryption failed.
589 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
591 static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
592 int sending, SSL_MAC_BUF *macs, size_t macsize,
593 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
596 size_t reclen[SSL_MAX_PIPELINES];
597 unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
598 int i, pad = 0, tmpr, provided;
599 size_t bs, ctr, padnum, loop;
600 unsigned char padval;
601 const EVP_CIPHER *enc;
602 int tlstree_enc = sending ? (s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
603 : (s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE);
604 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
607 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
614 if (EVP_MD_CTX_get0_md(s->write_hash)) {
615 int n = EVP_MD_CTX_get_size(s->write_hash);
616 if (!ossl_assert(n >= 0)) {
617 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
621 ds = s->enc_write_ctx;
622 if (!ossl_assert(s->enc_write_ctx)) {
623 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
627 enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx);
628 /* For TLSv1.1 and later explicit IV */
629 if (SSL_USE_EXPLICIT_IV(s)
630 && EVP_CIPHER_get_mode(enc) == EVP_CIPH_CBC_MODE)
631 ivlen = EVP_CIPHER_get_iv_length(enc);
635 for (ctr = 0; ctr < n_recs; ctr++) {
636 if (recs[ctr].data != recs[ctr].input) {
638 * we can't write into the input stream: Can this ever
641 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
643 } else if (RAND_bytes_ex(sctx->libctx, recs[ctr].input,
645 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
651 if (EVP_MD_CTX_get0_md(rl->read_hash)) {
652 int n = EVP_MD_CTX_get_size(rl->read_hash);
653 if (!ossl_assert(n >= 0)) {
654 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
658 ds = rl->enc_read_ctx;
659 if (!ossl_assert(rl->enc_read_ctx)) {
660 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
664 enc = EVP_CIPHER_CTX_get0_cipher(rl->enc_read_ctx);
667 if ((s->session == NULL) || (enc == NULL)) {
668 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
672 provided = (EVP_CIPHER_get0_provider(enc) != NULL);
674 bs = EVP_CIPHER_get_block_size(EVP_CIPHER_CTX_get0_cipher(ds));
677 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
678 & EVP_CIPH_FLAG_PIPELINE) == 0) {
680 * We shouldn't have been called with pipeline data if the
681 * cipher doesn't support pipelining
683 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
687 for (ctr = 0; ctr < n_recs; ctr++) {
688 reclen[ctr] = recs[ctr].length;
690 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
691 & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
694 seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
695 : RECORD_LAYER_get_read_sequence(&s->rlayer);
697 if (SSL_CONNECTION_IS_DTLS(s)) {
698 /* DTLS does not support pipelining */
699 unsigned char dtlsseq[8], *p = dtlsseq;
701 s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
702 DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
703 memcpy(p, &seq[2], 6);
704 memcpy(buf[ctr], dtlsseq, 8);
706 memcpy(buf[ctr], seq, 8);
707 for (i = 7; i >= 0; i--) { /* increment */
714 buf[ctr][8] = recs[ctr].type;
715 buf[ctr][9] = (unsigned char)(rl->version >> 8);
716 buf[ctr][10] = (unsigned char)(rl->version);
717 buf[ctr][11] = (unsigned char)(recs[ctr].length >> 8);
718 buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff);
719 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
720 EVP_AEAD_TLS1_AAD_LEN, buf[ctr]);
722 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
728 recs[ctr].length += pad;
731 } else if ((bs != 1) && sending && !provided) {
733 * We only do this for legacy ciphers. Provided ciphers add the
734 * padding on the provider side.
736 padnum = bs - (reclen[ctr] % bs);
738 /* Add weird padding of up to 256 bytes */
740 if (padnum > MAX_PADDING) {
741 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
744 /* we need to add 'padnum' padding bytes of value padval */
745 padval = (unsigned char)(padnum - 1);
746 for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++)
747 recs[ctr].input[loop] = padval;
748 reclen[ctr] += padnum;
749 recs[ctr].length += padnum;
753 if (reclen[ctr] == 0 || reclen[ctr] % bs != 0) {
754 /* Publicly invalid */
760 unsigned char *data[SSL_MAX_PIPELINES];
762 /* Set the output buffers */
763 for (ctr = 0; ctr < n_recs; ctr++) {
764 data[ctr] = recs[ctr].data;
766 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
767 (int)n_recs, data) <= 0) {
768 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
771 /* Set the input buffers */
772 for (ctr = 0; ctr < n_recs; ctr++) {
773 data[ctr] = recs[ctr].input;
775 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS,
776 (int)n_recs, data) <= 0
777 || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
778 (int)n_recs, reclen) <= 0) {
779 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE);
784 if (!SSL_CONNECTION_IS_DTLS(s) && tlstree_enc) {
786 int decrement_seq = 0;
789 * When sending, seq is incremented after MAC calculation.
790 * So if we are in ETM mode, we use seq 'as is' in the ctrl-function.
791 * Otherwise we have to decrease it in the implementation
793 if (sending && !SSL_WRITE_ETM(s))
796 seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
797 : RECORD_LAYER_get_read_sequence(&s->rlayer);
798 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_TLSTREE, decrement_seq, seq) <= 0) {
799 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
807 /* Provided cipher - we do not support pipelining on this path */
809 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
813 if (!EVP_CipherUpdate(ds, recs[0].data, &outlen, recs[0].input,
814 (unsigned int)reclen[0]))
816 recs[0].length = outlen;
819 * The length returned from EVP_CipherUpdate above is the actual
820 * payload length. We need to adjust the data/input ptr to skip over
824 if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
825 recs[0].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
826 recs[0].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
827 } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
828 recs[0].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
829 recs[0].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
830 } else if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) {
833 recs[0].orig_len -= bs;
836 /* Now get a pointer to the MAC (if applicable) */
838 OSSL_PARAM params[2], *p = params;
843 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
844 (void **)&macs[0].mac,
846 *p = OSSL_PARAM_construct_end();
848 if (!EVP_CIPHER_CTX_get_params(ds, params)) {
849 /* Shouldn't normally happen */
850 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
851 ERR_R_INTERNAL_ERROR);
859 tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
860 (unsigned int)reclen[0]);
861 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
862 & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0
865 /* AEAD can fail to verify MAC */
870 for (ctr = 0; ctr < n_recs; ctr++) {
871 /* Adjust the record to remove the explicit IV/MAC/Tag */
872 if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
873 recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
874 recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
875 recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
876 } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
877 recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
878 recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
879 recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
880 } else if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) {
881 if (recs[ctr].length < bs)
883 recs[ctr].data += bs;
884 recs[ctr].input += bs;
885 recs[ctr].length -= bs;
886 recs[ctr].orig_len -= bs;
890 * If using Mac-then-encrypt, then this will succeed but
891 * with a random MAC if padding is invalid
893 if (!tls1_cbc_remove_padding_and_mac(&recs[ctr].length,
896 (macs != NULL) ? &macs[ctr].mac : NULL,
897 (macs != NULL) ? &macs[ctr].alloced
900 pad ? (size_t)pad : macsize,
901 (EVP_CIPHER_get_flags(enc)
902 & EVP_CIPH_FLAG_AEAD_CIPHER) != 0,
911 static int tls13_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
912 int sending, SSL_MAC_BUF *mac, size_t macsize,
913 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
916 unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH];
917 size_t ivlen, offset, loop, hdrlen;
918 unsigned char *staticiv;
921 SSL3_RECORD *rec = &recs[0];
923 const EVP_CIPHER *cipher;
927 /* Should not happen */
928 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
933 ctx = s->enc_write_ctx;
934 staticiv = s->write_iv;
935 seq = RECORD_LAYER_get_write_sequence(&s->rlayer);
937 ctx = rl->enc_read_ctx;
939 seq = RECORD_LAYER_get_read_sequence(&s->rlayer);
942 cipher = EVP_CIPHER_CTX_get0_cipher(ctx);
943 if (cipher == NULL) {
944 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
947 mode = EVP_CIPHER_get_mode(cipher);
950 * If we're sending an alert and ctx != NULL then we must be forcing
951 * plaintext alerts. If we're reading and ctx != NULL then we allow
952 * plaintext alerts at certain points in the handshake. If we've got this
953 * far then we have already validated that a plaintext alert is ok here.
955 if (ctx == NULL || rec->type == SSL3_RT_ALERT) {
956 memmove(rec->data, rec->input, rec->length);
957 rec->input = rec->data;
961 ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
965 * Take off tag. There must be at least one byte of content type as
968 if (rec->length < rl->taglen + 1)
970 rec->length -= rl->taglen;
974 if (ivlen < SEQ_NUM_SIZE) {
975 /* Should not happen */
976 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
979 offset = ivlen - SEQ_NUM_SIZE;
980 memcpy(iv, staticiv, offset);
981 for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
982 iv[offset + loop] = staticiv[offset + loop] ^ seq[loop];
984 /* Increment the sequence counter */
985 for (loop = SEQ_NUM_SIZE; loop > 0; loop--) {
987 if (seq[loop - 1] != 0)
991 /* Sequence has wrapped */
995 if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0
996 || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
998 rec->data + rec->length) <= 0)) {
999 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1003 /* Set up the AAD */
1004 if (!WPACKET_init_static_len(&wpkt, recheader, sizeof(recheader), 0)
1005 || !WPACKET_put_bytes_u8(&wpkt, rec->type)
1006 || !WPACKET_put_bytes_u16(&wpkt, rec->rec_version)
1007 || !WPACKET_put_bytes_u16(&wpkt, rec->length + rl->taglen)
1008 || !WPACKET_get_total_written(&wpkt, &hdrlen)
1009 || hdrlen != SSL3_RT_HEADER_LENGTH
1010 || !WPACKET_finish(&wpkt)) {
1011 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1012 WPACKET_cleanup(&wpkt);
1017 * For CCM we must explicitly set the total plaintext length before we add
1020 if ((mode == EVP_CIPH_CCM_MODE
1021 && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
1022 (unsigned int)rec->length) <= 0)
1023 || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
1024 sizeof(recheader)) <= 0
1025 || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
1026 (unsigned int)rec->length) <= 0
1027 || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
1028 || (size_t)(lenu + lenf) != rec->length) {
1033 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen,
1034 rec->data + rec->length) <= 0) {
1035 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1038 rec->length += rl->taglen;
1044 static const unsigned char ssl3_pad_1[48] = {
1045 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1046 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1047 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1048 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1049 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1050 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
1053 static const unsigned char ssl3_pad_2[48] = {
1054 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1055 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1056 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1057 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1058 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1059 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
1062 static int ssl3_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
1063 int sending, SSL_CONNECTION *ssl)
1065 unsigned char *mac_sec, *seq;
1066 const EVP_MD_CTX *hash;
1067 unsigned char *p, rec_char;
1073 mac_sec = &(ssl->s3.write_mac_secret[0]);
1074 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
1075 hash = ssl->write_hash;
1077 mac_sec = &(rl->mac_secret[0]);
1078 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
1079 hash = rl->read_hash;
1082 t = EVP_MD_CTX_get_size(hash);
1086 npad = (48 / md_size) * md_size;
1089 && EVP_CIPHER_CTX_get_mode(rl->enc_read_ctx) == EVP_CIPH_CBC_MODE
1090 && ssl3_cbc_record_digest_supported(hash)) {
1091 #ifdef OPENSSL_NO_DEPRECATED_3_0
1095 * This is a CBC-encrypted record. We must avoid leaking any
1096 * timing-side channel information about how many blocks of data we
1097 * are hashing because that gives an attacker a timing-oracle.
1101 * npad is, at most, 48 bytes and that's with MD5:
1102 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
1104 * With SHA-1 (the largest hash speced for SSLv3) the hash size
1105 * goes up 4, but npad goes down by 8, resulting in a smaller
1108 unsigned char header[75];
1110 memcpy(header + j, mac_sec, md_size);
1112 memcpy(header + j, ssl3_pad_1, npad);
1114 memcpy(header + j, seq, 8);
1116 header[j++] = rec->type;
1117 header[j++] = (unsigned char)(rec->length >> 8);
1118 header[j++] = (unsigned char)(rec->length & 0xff);
1120 /* Final param == is SSLv3 */
1121 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash),
1124 rec->length, rec->orig_len,
1125 mac_sec, md_size, 1) <= 0)
1129 unsigned int md_size_u;
1130 /* Chop the digest off the end :-) */
1131 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
1136 rec_char = rec->type;
1138 s2n(rec->length, p);
1139 if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
1140 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
1141 || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
1142 || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
1143 || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
1144 || EVP_DigestUpdate(md_ctx, md, 2) <= 0
1145 || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
1146 || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
1147 || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
1148 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
1149 || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
1150 || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
1151 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
1152 EVP_MD_CTX_free(md_ctx);
1156 EVP_MD_CTX_free(md_ctx);
1159 ssl3_record_sequence_update(seq);
1163 static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
1164 int sending, SSL_CONNECTION *ssl)
1170 EVP_MD_CTX *hmac = NULL, *mac_ctx;
1171 unsigned char header[13];
1172 int stream_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
1173 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM);
1174 int tlstree_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
1175 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE);
1180 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
1181 hash = ssl->write_hash;
1183 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
1184 hash = rl->read_hash;
1187 t = EVP_MD_CTX_get_size(hash);
1188 if (!ossl_assert(t >= 0))
1192 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
1196 hmac = EVP_MD_CTX_new();
1197 if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) {
1205 && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) {
1210 unsigned char dtlsseq[8], *p = dtlsseq;
1212 s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
1213 DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
1214 memcpy(p, &seq[2], 6);
1216 memcpy(header, dtlsseq, 8);
1218 memcpy(header, seq, 8);
1220 header[8] = rec->type;
1221 header[9] = (unsigned char)(ssl->version >> 8);
1222 header[10] = (unsigned char)(ssl->version);
1223 header[11] = (unsigned char)(rec->length >> 8);
1224 header[12] = (unsigned char)(rec->length & 0xff);
1226 if (!sending && !SSL_READ_ETM(ssl)
1227 && EVP_CIPHER_CTX_get_mode(rl->enc_read_ctx) == EVP_CIPH_CBC_MODE
1228 && ssl3_cbc_record_digest_supported(mac_ctx)) {
1229 OSSL_PARAM tls_hmac_params[2], *p = tls_hmac_params;
1231 *p++ = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE,
1233 *p++ = OSSL_PARAM_construct_end();
1235 if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_get_pkey_ctx(mac_ctx),
1241 if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
1242 || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
1243 || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
1247 OSSL_TRACE_BEGIN(TLS) {
1248 BIO_printf(trc_out, "seq:\n");
1249 BIO_dump_indent(trc_out, seq, 8, 4);
1250 BIO_printf(trc_out, "rec:\n");
1251 BIO_dump_indent(trc_out, rec->data, rec->length, 4);
1252 } OSSL_TRACE_END(TLS);
1254 if (!SSL_CONNECTION_IS_DTLS(ssl)) {
1255 for (i = 7; i >= 0; i--) {
1261 OSSL_TRACE_BEGIN(TLS) {
1262 BIO_printf(trc_out, "md:\n");
1263 BIO_dump_indent(trc_out, md, md_size, 4);
1264 } OSSL_TRACE_END(TLS);
1267 EVP_MD_CTX_free(hmac);
1271 struct record_functions_st tls_any_funcs = {
1272 tls_any_set_crypto_state,
1277 struct record_functions_st tls_1_3_funcs = {
1278 tls13_set_crypto_state,
1283 struct record_functions_st tls_1_2_funcs = {
1284 tls1_set_crypto_state,
1289 struct record_functions_st tls_1_1_funcs = {
1290 tls1_set_crypto_state,
1295 struct record_functions_st tls_1_0_funcs = {
1296 tls1_set_crypto_state,
1301 struct record_functions_st ssl_3_0_funcs = {
1302 ssl3_set_crypto_state,
1307 static int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio);
1309 static int rlayer_allow_compression(OSSL_RECORD_LAYER *rl)
1311 if (rl->options & SSL_OP_NO_COMPRESSION)
1314 /* TODO(RECLAYER): Implement ssl_security inside the record layer */
1315 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1321 static int rlayer_setup_read_buffer(OSSL_RECORD_LAYER *rl)
1324 size_t len, align = 0, headerlen;
1330 headerlen = DTLS1_RT_HEADER_LENGTH;
1332 headerlen = SSL3_RT_HEADER_LENGTH;
1334 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
1335 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
1338 if (b->buf == NULL) {
1339 len = SSL3_RT_MAX_PLAIN_LENGTH
1340 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
1341 #ifndef OPENSSL_NO_COMP
1342 if (rlayer_allow_compression(rl))
1343 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
1345 if (b->default_len > len)
1346 len = b->default_len;
1347 if ((p = OPENSSL_malloc(len)) == NULL) {
1349 * We've got a malloc failure, and we're still initialising buffers.
1350 * We assume we're so doomed that we won't even be able to send an
1353 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_MALLOC_FAILURE);
1363 static int rlayer_release_read_buffer(OSSL_RECORD_LAYER *rl)
1368 if (rl->options & SSL_OP_CLEANSE_PLAINTEXT)
1369 OPENSSL_cleanse(b->buf, b->len);
1370 OPENSSL_free(b->buf);
1375 static void tls_reset_packet_length(OSSL_RECORD_LAYER *rl)
1377 rl->packet_length = 0;
1381 * Return values are as per SSL_read()
1383 static int tls_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
1384 int clearold, size_t *readbytes)
1387 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
1388 * packet by another n bytes. The packet will be in the sub-array of
1389 * s->rlayer.rbuf.buf specified by s->rlayer.packet and
1390 * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may
1391 * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].)
1392 * if clearold == 1, move the packet to the start of the buffer; if
1393 * clearold == 0 then leave any old packets where they were
1395 size_t len, left, align = 0;
1400 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
1403 if (rb->buf == NULL) {
1404 if (!rlayer_setup_read_buffer(rl)) {
1405 /* RLAYERfatal() already called */
1406 return OSSL_RECORD_RETURN_FATAL;
1411 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
1412 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
1413 align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
1417 /* start with empty packet ... */
1420 } else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {
1422 * check if next packet length is large enough to justify payload
1425 pkt = rb->buf + rb->offset;
1426 if (pkt[0] == SSL3_RT_APPLICATION_DATA
1427 && (pkt[3] << 8 | pkt[4]) >= 128) {
1429 * Note that even if packet is corrupted and its length field
1430 * is insane, we can only be led to wrong decision about
1431 * whether memmove will occur or not. Header values has no
1432 * effect on memmove arguments and therefore no buffer
1433 * overrun can be triggered.
1435 memmove(rb->buf + align, pkt, left);
1439 rl->packet = rb->buf + rb->offset;
1440 rl->packet_length = 0;
1441 /* ... now we can act as if 'extend' was set */
1444 len = rl->packet_length;
1445 pkt = rb->buf + align;
1447 * Move any available bytes to front of buffer: 'len' bytes already
1448 * pointed to by 'packet', 'left' extra ones at the end
1450 if (rl->packet != pkt && clearold == 1) {
1451 memmove(pkt, rl->packet, len + left);
1453 rb->offset = len + align;
1457 * For DTLS/UDP reads should not span multiple packets because the read
1458 * operation returns the whole packet at once (as long as it fits into
1462 if (left == 0 && extend)
1464 if (left > 0 && n > left)
1468 /* if there is enough in the buffer from a previous read, take some */
1470 rl->packet_length += n;
1471 rb->left = left - n;
1474 return OSSL_RECORD_RETURN_SUCCESS;
1477 /* else we need to read more data */
1479 if (n > rb->len - rb->offset) {
1480 /* does not happen */
1481 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1482 return OSSL_RECORD_RETURN_FATAL;
1486 * Ktls always reads full records.
1487 * Also, we always act like read_ahead is set for DTLS.
1489 if (!BIO_get_ktls_recv(s->rbio) && !rl->read_ahead
1491 /* ignore max parameter */
1496 if (max > rb->len - rb->offset)
1497 max = rb->len - rb->offset;
1505 * Now we have len+left bytes at the front of s->s3.rbuf.buf and
1506 * need to read in more until we have len+n (up to len+max if
1511 if (rl->bio != NULL) {
1512 ret = BIO_read(rl->bio, pkt + len + left, max - left);
1515 ret = OSSL_RECORD_RETURN_SUCCESS;
1516 } else if (BIO_should_retry(rl->bio)) {
1517 ret = OSSL_RECORD_RETURN_RETRY;
1518 } else if (BIO_eof(rl->bio)) {
1519 ret = OSSL_RECORD_RETURN_EOF;
1521 ret = OSSL_RECORD_RETURN_FATAL;
1524 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
1525 ret = OSSL_RECORD_RETURN_FATAL;
1528 if (ret <= OSSL_RECORD_RETURN_RETRY) {
1530 if (rl->mode & SSL_MODE_RELEASE_BUFFERS && !rl->isdtls)
1531 if (len + left == 0)
1532 rlayer_release_read_buffer(rl);
1537 * reads should *never* span multiple packets for DTLS because the
1538 * underlying transport protocol is message oriented as opposed to
1539 * byte oriented as in the TLS case.
1543 n = left; /* makes the while condition false */
1547 /* done reading, now the book-keeping */
1549 rb->left = left - n;
1550 rl->packet_length += n;
1552 return OSSL_RECORD_RETURN_SUCCESS;
1556 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
1557 * for us in the buffer.
1559 static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
1567 p = SSL3_BUFFER_get_buf(rbuf);
1571 left = SSL3_BUFFER_get_left(rbuf);
1573 if (left < SSL3_RT_HEADER_LENGTH)
1576 p += SSL3_BUFFER_get_offset(rbuf);
1579 * We only check the type and record length, we will sanity check version
1582 if (*p != SSL3_RT_APPLICATION_DATA)
1588 if (left < SSL3_RT_HEADER_LENGTH + len)
1595 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
1596 * will be processed per call to ssl3_get_record. Without this limit an
1597 * attacker could send empty records at a faster rate than we can process and
1598 * cause ssl3_get_record to loop forever.
1600 #define MAX_EMPTY_RECORDS 32
1602 #define SSL2_RT_HEADER_LENGTH 2
1605 * Call this to buffer new input records in rl->rrec.
1606 * It will return a OSSL_RECORD_RETURN_* value.
1607 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
1608 * records have been decoded. For each record 'i':
1609 * rrec[i].type - is the type of record
1610 * rrec[i].data, - data
1611 * rrec[i].length, - number of bytes
1612 * Multiple records will only be returned if the record types are all
1613 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
1616 static int tls_get_more_records(OSSL_RECORD_LAYER *rl,
1617 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
1622 SSL3_RECORD *rr, *thisrr;
1626 unsigned char md[EVP_MAX_MD_SIZE];
1627 unsigned int version;
1628 size_t mac_size = 0;
1630 size_t num_recs = 0, max_recs, j;
1631 PACKET pkt, sslv2pkt;
1633 SSL_MAC_BUF *macbufs = NULL;
1634 int ret = OSSL_RECORD_RETURN_FATAL;
1635 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1640 max_recs = s->max_pipelines;
1646 * KTLS reads full records. If there is any data left,
1647 * then it is from before enabling ktls.
1649 using_ktls = BIO_get_ktls_recv(rl->bio) && SSL3_BUFFER_get_left(rbuf) == 0;
1652 thisrr = &rr[num_recs];
1654 /* check if we have the header */
1655 if ((rl->rstate != SSL_ST_READ_BODY) ||
1656 (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
1660 rret = tls_read_n(rl, SSL3_RT_HEADER_LENGTH,
1661 SSL3_BUFFER_get_len(rbuf), 0,
1662 num_recs == 0 ? 1 : 0, &n);
1664 if (rret < OSSL_RECORD_RETURN_SUCCESS) {
1665 #ifndef OPENSSL_NO_KTLS
1666 if (!BIO_get_ktls_recv(rl->bio) || rret == 0)
1667 return rret; /* error or non-blocking */
1670 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
1671 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
1674 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1675 SSL_R_PACKET_LENGTH_TOO_LONG);
1678 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
1679 SSL_R_WRONG_VERSION_NUMBER);
1687 rl->rstate = SSL_ST_READ_BODY;
1690 if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
1691 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1692 return OSSL_RECORD_RETURN_FATAL;
1695 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
1696 || !PACKET_get_1(&sslv2pkt, &type)) {
1697 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
1698 return OSSL_RECORD_RETURN_FATAL;
1701 * The first record received by the server may be a V2ClientHello.
1703 if (rl->role == OSSL_RECORD_ROLE_SERVER
1704 && rl->is_first_record
1705 && (sslv2len & 0x8000) != 0
1706 && (type == SSL2_MT_CLIENT_HELLO)) {
1708 * SSLv2 style record
1710 * |num_recs| here will actually always be 0 because
1711 * |num_recs > 0| only ever occurs when we are processing
1712 * multiple app data records - which we know isn't the case here
1713 * because it is an SSLv2ClientHello. We keep it using
1714 * |num_recs| for the sake of consistency
1716 thisrr->type = SSL3_RT_HANDSHAKE;
1717 thisrr->rec_version = SSL2_VERSION;
1719 thisrr->length = sslv2len & 0x7fff;
1721 if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
1722 - SSL2_RT_HEADER_LENGTH) {
1723 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1724 SSL_R_PACKET_LENGTH_TOO_LONG);
1725 return OSSL_RECORD_RETURN_FATAL;
1728 if (thisrr->length < MIN_SSL2_RECORD_LEN) {
1729 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
1730 return OSSL_RECORD_RETURN_FATAL;
1733 /* SSLv3+ style record */
1735 /* Pull apart the header into the SSL3_RECORD */
1736 if (!PACKET_get_1(&pkt, &type)
1737 || !PACKET_get_net_2(&pkt, &version)
1738 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
1739 if (s->msg_callback)
1740 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, ssl,
1741 s->msg_callback_arg);
1742 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
1743 return OSSL_RECORD_RETURN_FATAL;
1745 thisrr->type = type;
1746 thisrr->rec_version = version;
1748 if (s->msg_callback)
1749 s->msg_callback(0, version, SSL3_RT_HEADER, p, 5, ssl,
1750 s->msg_callback_arg);
1753 * Lets check version. In TLSv1.3 we only check this field
1754 * when encryption is occurring (see later check). For the
1755 * ServerHello after an HRR we haven't actually selected TLSv1.3
1756 * yet, but we still treat it as TLSv1.3, so we must check for
1759 if (!s->first_packet && !SSL_CONNECTION_IS_TLS13(s)
1760 && s->hello_retry_request != SSL_HRR_PENDING
1761 && version != (unsigned int)s->version) {
1762 if ((s->version & 0xFF00) == (version & 0xFF00)
1763 && !s->enc_write_ctx && !s->write_hash) {
1764 if (thisrr->type == SSL3_RT_ALERT) {
1766 * The record is using an incorrect version number,
1767 * but what we've got appears to be an alert. We
1768 * haven't read the body yet to check whether its a
1769 * fatal or not - but chances are it is. We probably
1770 * shouldn't send a fatal alert back. We'll just
1773 RLAYERfatal(rl, SSL_AD_NO_ALERT,
1774 SSL_R_WRONG_VERSION_NUMBER);
1775 return OSSL_RECORD_RETURN_FATAL;
1778 * Send back error using their minor version number :-)
1780 s->version = (unsigned short)version;
1782 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
1783 SSL_R_WRONG_VERSION_NUMBER);
1784 return OSSL_RECORD_RETURN_FATAL;
1787 if ((version >> 8) != SSL3_VERSION_MAJOR) {
1788 if (rl->is_first_record) {
1789 /* Go back to start of packet, look at the five bytes
1792 if (HAS_PREFIX((char *)p, "GET ") ||
1793 HAS_PREFIX((char *)p, "POST ") ||
1794 HAS_PREFIX((char *)p, "HEAD ") ||
1795 HAS_PREFIX((char *)p, "PUT ")) {
1796 RLAYERfatal(rl, SSL_AD_NO_ALERT, SSL_R_HTTP_REQUEST);
1797 return OSSL_RECORD_RETURN_FATAL;
1798 } else if (HAS_PREFIX((char *)p, "CONNE")) {
1799 RLAYERfatal(rl, SSL_AD_NO_ALERT,
1800 SSL_R_HTTPS_PROXY_REQUEST);
1801 return OSSL_RECORD_RETURN_FATAL;
1804 /* Doesn't look like TLS - don't send an alert */
1805 RLAYERfatal(rl, SSL_AD_NO_ALERT,
1806 SSL_R_WRONG_VERSION_NUMBER);
1807 return OSSL_RECORD_RETURN_FATAL;
1809 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
1810 SSL_R_WRONG_VERSION_NUMBER);
1811 return OSSL_RECORD_RETURN_FATAL;
1815 if (SSL_CONNECTION_IS_TLS13(s)
1816 && rl->enc_read_ctx != NULL
1818 if (thisrr->type != SSL3_RT_APPLICATION_DATA
1819 && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC
1820 || !SSL_IS_FIRST_HANDSHAKE(s))
1821 && (thisrr->type != SSL3_RT_ALERT
1822 || s->statem.enc_read_state
1823 != ENC_READ_STATE_ALLOW_PLAIN_ALERTS)) {
1824 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
1825 SSL_R_BAD_RECORD_TYPE);
1826 return OSSL_RECORD_RETURN_FATAL;
1828 if (thisrr->rec_version != TLS1_2_VERSION) {
1829 RLAYERfatal(rl, SSL_AD_DECODE_ERROR,
1830 SSL_R_WRONG_VERSION_NUMBER);
1831 return OSSL_RECORD_RETURN_FATAL;
1835 if (thisrr->length >
1836 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
1837 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1838 SSL_R_PACKET_LENGTH_TOO_LONG);
1839 return OSSL_RECORD_RETURN_FATAL;
1843 /* now rl->rstate == SSL_ST_READ_BODY */
1846 if (SSL_CONNECTION_IS_TLS13(s)) {
1847 size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH;
1849 /* KTLS strips the inner record type. */
1851 len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
1853 if (thisrr->length > len) {
1854 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1855 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1856 return OSSL_RECORD_RETURN_FATAL;
1859 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
1861 #ifndef OPENSSL_NO_COMP
1863 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
1864 * does not include the compression overhead anyway.
1866 if (s->expand == NULL)
1867 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
1870 /* KTLS may use all of the buffer */
1872 len = SSL3_BUFFER_get_left(rbuf);
1874 if (thisrr->length > len) {
1875 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
1876 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1877 return OSSL_RECORD_RETURN_FATAL;
1882 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
1883 * how much more data we need to read for the rest of the record
1885 if (thisrr->rec_version == SSL2_VERSION) {
1886 more = thisrr->length + SSL2_RT_HEADER_LENGTH
1887 - SSL3_RT_HEADER_LENGTH;
1889 more = thisrr->length;
1893 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
1895 rret = tls_read_n(rl, more, more, 1, 0, &n);
1896 if (rret < OSSL_RECORD_RETURN_SUCCESS)
1897 return rret; /* error or non-blocking io */
1900 /* set state for later operations */
1901 rl->rstate = SSL_ST_READ_HEADER;
1904 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
1905 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
1906 * + thisrr->length and we have that many bytes in rl->packet
1908 if (thisrr->rec_version == SSL2_VERSION)
1909 thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
1911 thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
1914 * ok, we can now read from 'rl->packet' data into 'thisrr'.
1915 * thisrr->input points at thisrr->length bytes, which need to be copied
1916 * into thisrr->data by either the decryption or by the decompression.
1917 * When the data is 'copied' into the thisrr->data buffer,
1918 * thisrr->input will be updated to point at the new buffer
1922 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
1923 * thisrr->length bytes of encrypted compressed stuff.
1926 /* decrypt in place in 'thisrr->input' */
1927 thisrr->data = thisrr->input;
1928 thisrr->orig_len = thisrr->length;
1930 /* Mark this record as not read by upper layers yet */
1935 /* we have pulled in a full packet so zero things */
1936 tls_reset_packet_length(rl);
1937 rl->is_first_record = 0;
1938 } while (num_recs < max_recs
1939 && thisrr->type == SSL3_RT_APPLICATION_DATA
1940 && SSL_USE_EXPLICIT_IV(s)
1941 && rl->enc_read_ctx != NULL
1942 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_read_ctx))
1943 & EVP_CIPH_FLAG_PIPELINE) != 0
1944 && tls_record_app_data_waiting(rl));
1947 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
1948 && (SSL_CONNECTION_IS_TLS13(s) || s->hello_retry_request != SSL_HRR_NONE)
1949 && SSL_IS_FIRST_HANDSHAKE(s)) {
1951 * CCS messages must be exactly 1 byte long, containing the value 0x01
1953 if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
1954 RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER,
1955 SSL_R_INVALID_CCS_MESSAGE);
1956 return OSSL_RECORD_RETURN_FATAL;
1959 * CCS messages are ignored in TLSv1.3. We treat it like an empty
1962 thisrr->type = SSL3_RT_HANDSHAKE;
1963 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
1964 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
1965 SSL_R_UNEXPECTED_CCS_MESSAGE);
1966 return OSSL_RECORD_RETURN_FATAL;
1971 rl->num_released = 0;
1973 return OSSL_RECORD_RETURN_SUCCESS;
1977 goto skip_decryption;
1979 if (rl->read_hash != NULL) {
1980 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->read_hash);
1982 if (tmpmd != NULL) {
1983 imac_size = EVP_MD_get_size(tmpmd);
1984 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
1985 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
1986 return OSSL_RECORD_RETURN_FATAL;
1988 mac_size = (size_t)imac_size;
1993 * If in encrypt-then-mac mode calculate mac from encrypted record. All
1994 * the details below are public so no timing details can leak.
1996 if (SSL_READ_ETM(s) && rl->read_hash) {
1999 for (j = 0; j < num_recs; j++) {
2002 if (thisrr->length < mac_size) {
2003 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
2004 return OSSL_RECORD_RETURN_FATAL;
2006 thisrr->length -= mac_size;
2007 mac = thisrr->data + thisrr->length;
2008 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s);
2009 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
2010 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
2011 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
2012 return OSSL_RECORD_RETURN_FATAL;
2016 * We've handled the mac now - there is no MAC inside the encrypted
2023 macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
2024 if (macbufs == NULL) {
2025 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2026 return OSSL_RECORD_RETURN_FATAL;
2031 * TODO(RECLAYER): Only call rl functions once TLSv1.3/SSLv3 is moved to new
2034 enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size, s);
2038 * 0: if the record is publicly invalid, or an internal error, or AEAD
2039 * decryption failed, or ETM decryption failed.
2040 * 1: Success or MTE decryption failed (MAC will be randomised)
2043 if (ossl_statem_in_error(s)) {
2044 /* SSLfatal() already got called */
2047 if (num_recs == 1 && ossl_statem_skip_early_data(s)) {
2049 * Valid early_data that we cannot decrypt will fail here. We treat
2050 * it like an empty record.
2055 if (!ossl_early_data_count_ok(s, thisrr->length,
2056 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
2057 /* SSLfatal() already called */
2065 rl->num_released = 0;
2066 RECORD_LAYER_reset_read_sequence(&s->rlayer);
2070 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
2071 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
2074 OSSL_TRACE_BEGIN(TLS) {
2075 BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
2076 BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
2077 } OSSL_TRACE_END(TLS);
2079 /* r->length is now the compressed data plus mac */
2081 && (rl->enc_read_ctx != NULL)
2082 && (!SSL_READ_ETM(s) && EVP_MD_CTX_get0_md(rl->read_hash) != NULL)) {
2083 /* rl->read_hash != NULL => mac_size != -1 */
2085 for (j = 0; j < num_recs; j++) {
2086 SSL_MAC_BUF *thismb = &macbufs[j];
2089 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s);
2090 if (i == 0 || thismb == NULL || thismb->mac == NULL
2091 || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
2093 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
2099 if (ossl_statem_in_error(s)) {
2100 /* We already called SSLfatal() */
2104 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
2105 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
2106 * failure is directly visible from the ciphertext anyway, we should
2107 * not reveal which kind of error occurred -- this might become
2108 * visible to an attacker (e.g. via a logfile)
2110 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
2111 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
2117 for (j = 0; j < num_recs; j++) {
2120 /* thisrr->length is now just compressed */
2121 if (s->expand != NULL) {
2122 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
2123 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
2124 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
2127 if (!ssl3_do_uncompress(s, thisrr)) {
2128 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
2129 SSL_R_BAD_DECOMPRESSION);
2134 if (SSL_CONNECTION_IS_TLS13(s)
2135 && rl->enc_read_ctx != NULL
2136 && thisrr->type != SSL3_RT_ALERT) {
2138 * The following logic are irrelevant in KTLS: the kernel provides
2139 * unprotected record and thus record type represent the actual
2140 * content type, and padding is already removed and thisrr->type and
2141 * thisrr->length should have the correct values.
2146 if (thisrr->length == 0
2147 || thisrr->type != SSL3_RT_APPLICATION_DATA) {
2148 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
2149 SSL_R_BAD_RECORD_TYPE);
2153 /* Strip trailing padding */
2154 for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
2158 thisrr->length = end;
2159 thisrr->type = thisrr->data[end];
2161 if (thisrr->type != SSL3_RT_APPLICATION_DATA
2162 && thisrr->type != SSL3_RT_ALERT
2163 && thisrr->type != SSL3_RT_HANDSHAKE) {
2164 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
2167 if (s->msg_callback)
2168 s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE,
2169 &thisrr->type, 1, ssl, s->msg_callback_arg);
2173 * TLSv1.3 alert and handshake records are required to be non-zero in
2176 if (SSL_CONNECTION_IS_TLS13(s)
2177 && (thisrr->type == SSL3_RT_HANDSHAKE
2178 || thisrr->type == SSL3_RT_ALERT)
2179 && thisrr->length == 0) {
2180 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
2185 * Usually thisrr->length is the length of a single record, but when
2186 * KTLS handles the decryption, thisrr->length may be larger than
2187 * SSL3_RT_MAX_PLAIN_LENGTH because the kernel may have coalesced
2189 * Therefore we have to rely on KTLS to check the plaintext length
2190 * limit in the kernel.
2192 if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) {
2193 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
2198 * Check if the received packet overflows the current
2199 * Max Fragment Length setting.
2200 * Note: USE_MAX_FRAGMENT_LENGTH_EXT and KTLS are mutually exclusive.
2202 if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
2203 && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) {
2204 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
2210 * So at this point the following is true
2211 * thisrr->type is the type of record
2212 * thisrr->length == number of bytes in record
2213 * thisrr->off == offset to first valid byte
2214 * thisrr->data == where to take bytes from, increment after use :-).
2217 /* just read a 0 length packet */
2218 if (thisrr->length == 0) {
2219 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
2220 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_RECORD_TOO_SMALL);
2224 rl->empty_record_count = 0;
2228 if (s->early_data_state == SSL_EARLY_DATA_READING) {
2230 if (thisrr->type == SSL3_RT_APPLICATION_DATA
2231 && !ossl_early_data_count_ok(s, thisrr->length, 0, 0)) {
2232 /* SSLfatal already called */
2237 rl->num_recs = num_recs;
2239 rl->num_released = 0;
2240 ret = OSSL_RECORD_RETURN_SUCCESS;
2242 if (macbufs != NULL) {
2243 for (j = 0; j < num_recs; j++) {
2244 if (macbufs[j].alloced)
2245 OPENSSL_free(macbufs[j].mac);
2247 OPENSSL_free(macbufs);
2252 static int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
2253 int *rversion, int *type, unsigned char **data,
2254 size_t *datalen, uint16_t *epoch,
2255 unsigned char *seq_num,
2256 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
2261 * tls_get_more_records() can return success without actually reading
2262 * anything useful (i.e. if empty records are read). We loop here until
2263 * we have something useful. tls_get_more_records() will eventually fail if
2264 * too many sequential empty records are read.
2266 while (rl->curr_rec >= rl->num_recs) {
2269 if (rl->num_released != rl->num_recs) {
2270 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
2271 return OSSL_RECORD_RETURN_FATAL;
2274 ret = tls_get_more_records(rl, s);
2276 if (ret != OSSL_RECORD_RETURN_SUCCESS)
2281 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
2282 * points to the next one to read.
2284 rec = &rl->rrec[rl->curr_rec++];
2287 *rversion = rec->rec_version;
2290 *datalen = rec->length;
2292 return OSSL_RECORD_RETURN_SUCCESS;
2295 static int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle)
2297 if (!ossl_assert(rl->num_released < rl->curr_rec)
2298 || !ossl_assert(rechandle == &rl->rrec[rl->num_released])) {
2299 /* Should not happen */
2300 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
2301 return OSSL_RECORD_RETURN_FATAL;
2306 return OSSL_RECORD_RETURN_SUCCESS;
2309 static OSSL_RECORD_LAYER *tls_new_record_layer(OSSL_LIB_CTX *libctx,
2310 const char *propq, int vers,
2311 int role, int direction,
2312 int level, unsigned char *key,
2316 unsigned char *mackey,
2318 const EVP_CIPHER *ciph,
2320 /* TODO(RECLAYER): This probably should not be an int */
2323 const SSL_COMP *comp,
2324 BIO *transport, BIO_ADDR *local,
2326 const OSSL_PARAM *settings,
2327 const OSSL_PARAM *options,
2328 /* TODO(RECLAYER): Remove me */
2331 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
2332 const OSSL_PARAM *p;
2335 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2339 if (transport != NULL && !BIO_up_ref(transport)) {
2340 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2344 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
2345 if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
2346 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
2350 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
2351 if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
2352 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
2357 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
2358 if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
2359 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
2363 rl->libctx = libctx;
2368 rl->direction = direction;
2371 rl->is_first_record = 1;
2373 if (!tls_set1_bio(rl, transport))
2377 case TLS_ANY_VERSION:
2378 rl->funcs = &tls_any_funcs;
2380 case TLS1_3_VERSION:
2381 rl->funcs = &tls_1_3_funcs;
2383 case TLS1_2_VERSION:
2384 rl->funcs = &tls_1_2_funcs;
2386 case TLS1_1_VERSION:
2387 rl->funcs = &tls_1_1_funcs;
2390 rl->funcs = &tls_1_0_funcs;
2393 rl->funcs = &ssl_3_0_funcs;
2396 /* Should not happen */
2397 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2401 if (!rl->funcs->set_crypto_state(rl, level, key, keylen, iv, ivlen,
2402 mackey, mackeylen, ciph, taglen,
2403 mactype, md, comp, s)) {
2404 /* RLAYERfatal already called */
2414 static OSSL_RECORD_LAYER *dtls_new_record_layer(OSSL_LIB_CTX *libctx,
2415 const char *propq, int vers,
2416 int role, int direction,
2417 int level, unsigned char *key,
2421 unsigned char *mackey,
2423 const EVP_CIPHER *ciph,
2425 /* TODO(RECLAYER): This probably should not be an int */
2428 const SSL_COMP *comp,
2429 BIO *transport, BIO_ADDR *local,
2431 const OSSL_PARAM *settings,
2432 const OSSL_PARAM *options,
2433 /* TODO(RECLAYER): Remove me */
2436 OSSL_RECORD_LAYER *rl = tls_new_record_layer(libctx, propq, vers, role,
2437 direction, level, key, keylen,
2438 iv, ivlen, mackey, mackeylen,
2439 ciph, taglen, mactype, md,
2440 comp, transport, local, peer,
2441 settings, options, s);
2451 static void tls_free(OSSL_RECORD_LAYER *rl)
2453 /* TODO(RECLAYER): Cleanse sensitive fields */
2458 static int tls_reset(OSSL_RECORD_LAYER *rl)
2460 memset(rl, 0, sizeof(*rl));
2464 static int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
2466 return SSL3_BUFFER_get_left(&rl->rbuf) != 0;;
2469 static int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
2471 return rl->curr_rec < rl->num_recs;
2474 static size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
2479 static int tls_write_pending(OSSL_RECORD_LAYER *rl)
2484 static size_t tls_get_max_record_len(OSSL_RECORD_LAYER *rl)
2489 static size_t tls_get_max_records(OSSL_RECORD_LAYER *rl)
2494 static int tls_write_records(OSSL_RECORD_LAYER *rl,
2495 OSSL_RECORD_TEMPLATE **templates, size_t numtempl,
2496 size_t allowance, size_t *sent)
2501 static int tls_retry_write_records(OSSL_RECORD_LAYER *rl, size_t allowance,
2508 static int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
2513 static int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
2515 if (bio != NULL && !BIO_up_ref(bio))
2523 static SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl)
2528 static unsigned char *tls_get0_packet(OSSL_RECORD_LAYER *rl)
2533 static void tls_set0_packet(OSSL_RECORD_LAYER *rl, unsigned char *packet,
2536 rl->packet = packet;
2537 rl->packet_length = packetlen;
2540 static size_t tls_get_packet_length(OSSL_RECORD_LAYER *rl)
2542 return rl->packet_length;
2545 const OSSL_RECORD_METHOD ossl_tls_record_method = {
2546 tls_new_record_layer,
2549 tls_unprocessed_read_pending,
2550 tls_processed_read_pending,
2551 tls_app_data_pending,
2553 tls_get_max_record_len,
2554 tls_get_max_records,
2556 tls_retry_write_records,
2563 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
2564 * during the record layer refactoring. They need to be removed before the
2565 * refactor is complete.
2571 tls_get_packet_length,
2572 tls_reset_packet_length
2575 const OSSL_RECORD_METHOD ossl_dtls_record_method = {
2576 dtls_new_record_layer,
2579 tls_unprocessed_read_pending,
2580 tls_processed_read_pending,
2581 tls_app_data_pending,
2583 tls_get_max_record_len,
2584 tls_get_max_records,
2586 tls_retry_write_records,
2593 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
2594 * during the record layer refactoring. They need to be removed before the
2595 * refactor is complete.
2601 tls_get_packet_length,
2602 tls_reset_packet_length