2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/bio.h>
11 #include <openssl/ssl.h>
12 #include <openssl/err.h>
13 #include <openssl/core_names.h>
14 #include "internal/e_os.h"
15 #include "internal/packet.h"
16 #include "../../ssl_local.h"
17 #include "../record_local.h"
18 #include "recmethod_local.h"
20 # define SSL_AD_NO_ALERT -1
22 void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
28 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
34 int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
36 const EVP_CIPHER *ciph,
41 * Provided cipher, the TLS padding/MAC removal is performed provider
42 * side so we need to tell the ctx about our TLS version and mac size
44 OSSL_PARAM params[3], *pprm = params;
48 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
50 * We look at s->ext.use_etm instead of SSL_READ_ETM() or
51 * SSL_WRITE_ETM() because this test applies to both reading
55 imacsize = EVP_MD_get_size(md);
57 macsize = (size_t)imacsize;
59 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
61 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
63 *pprm = OSSL_PARAM_construct_end();
65 if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
66 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
74 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
75 * which ssl3_cbc_digest_record supports.
77 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
79 switch (EVP_MD_CTX_get_type(ctx)) {
92 static int rlayer_allow_compression(OSSL_RECORD_LAYER *rl)
94 if (rl->options & SSL_OP_NO_COMPRESSION)
97 /* TODO(RECLAYER): Implement ssl_security inside the record layer */
98 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
104 static int rlayer_setup_read_buffer(OSSL_RECORD_LAYER *rl)
107 size_t len, align = 0, headerlen;
113 headerlen = DTLS1_RT_HEADER_LENGTH;
115 headerlen = SSL3_RT_HEADER_LENGTH;
117 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
118 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
121 if (b->buf == NULL) {
122 len = SSL3_RT_MAX_PLAIN_LENGTH
123 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
124 #ifndef OPENSSL_NO_COMP
125 if (rlayer_allow_compression(rl))
126 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
128 if (b->default_len > len)
129 len = b->default_len;
130 if ((p = OPENSSL_malloc(len)) == NULL) {
132 * We've got a malloc failure, and we're still initialising buffers.
133 * We assume we're so doomed that we won't even be able to send an
136 RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_MALLOC_FAILURE);
146 static int rlayer_release_read_buffer(OSSL_RECORD_LAYER *rl)
151 if (rl->options & SSL_OP_CLEANSE_PLAINTEXT)
152 OPENSSL_cleanse(b->buf, b->len);
153 OPENSSL_free(b->buf);
158 void tls_reset_packet_length(OSSL_RECORD_LAYER *rl)
160 rl->packet_length = 0;
164 * Return values are as per SSL_read()
166 int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
167 int clearold, size_t *readbytes)
170 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
171 * packet by another n bytes. The packet will be in the sub-array of
172 * s->rlayer.rbuf.buf specified by s->rlayer.packet and
173 * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may
174 * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].)
175 * if clearold == 1, move the packet to the start of the buffer; if
176 * clearold == 0 then leave any old packets where they were
178 size_t len, left, align = 0;
183 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
187 * TODO(RECLAYER): Once this function is only called from inside the rlayer
188 * directly, we can probably remove this since it is initialised in
189 * tls_get_more_records
191 if (rb->buf == NULL) {
192 if (!rlayer_setup_read_buffer(rl)) {
193 /* RLAYERfatal() already called */
194 return OSSL_RECORD_RETURN_FATAL;
199 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
200 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
201 align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
205 /* start with empty packet ... */
208 } else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {
210 * check if next packet length is large enough to justify payload
213 pkt = rb->buf + rb->offset;
214 if (pkt[0] == SSL3_RT_APPLICATION_DATA
215 && (pkt[3] << 8 | pkt[4]) >= 128) {
217 * Note that even if packet is corrupted and its length field
218 * is insane, we can only be led to wrong decision about
219 * whether memmove will occur or not. Header values has no
220 * effect on memmove arguments and therefore no buffer
221 * overrun can be triggered.
223 memmove(rb->buf + align, pkt, left);
227 rl->packet = rb->buf + rb->offset;
228 rl->packet_length = 0;
229 /* ... now we can act as if 'extend' was set */
232 len = rl->packet_length;
233 pkt = rb->buf + align;
235 * Move any available bytes to front of buffer: 'len' bytes already
236 * pointed to by 'packet', 'left' extra ones at the end
238 if (rl->packet != pkt && clearold == 1) {
239 memmove(pkt, rl->packet, len + left);
241 rb->offset = len + align;
245 * For DTLS/UDP reads should not span multiple packets because the read
246 * operation returns the whole packet at once (as long as it fits into
250 if (left == 0 && extend)
252 if (left > 0 && n > left)
256 /* if there is enough in the buffer from a previous read, take some */
258 rl->packet_length += n;
262 return OSSL_RECORD_RETURN_SUCCESS;
265 /* else we need to read more data */
267 if (n > rb->len - rb->offset) {
268 /* does not happen */
269 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
270 return OSSL_RECORD_RETURN_FATAL;
273 /* We always act like read_ahead is set for DTLS */
274 if (!rl->read_ahead && !rl->isdtls) {
275 /* ignore max parameter */
280 if (max > rb->len - rb->offset)
281 max = rb->len - rb->offset;
289 * Now we have len+left bytes at the front of s->s3.rbuf.buf and
290 * need to read in more until we have len+n (up to len+max if
295 if (rl->bio != NULL) {
296 ret = BIO_read(rl->bio, pkt + len + left, max - left);
299 ret = OSSL_RECORD_RETURN_SUCCESS;
300 } else if (BIO_should_retry(rl->bio)) {
301 ret = OSSL_RECORD_RETURN_RETRY;
302 } else if (BIO_eof(rl->bio)) {
303 ret = OSSL_RECORD_RETURN_EOF;
305 ret = OSSL_RECORD_RETURN_FATAL;
308 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
309 ret = OSSL_RECORD_RETURN_FATAL;
312 if (ret <= OSSL_RECORD_RETURN_RETRY) {
314 if (rl->mode & SSL_MODE_RELEASE_BUFFERS && !rl->isdtls)
316 rlayer_release_read_buffer(rl);
321 * reads should *never* span multiple packets for DTLS because the
322 * underlying transport protocol is message oriented as opposed to
323 * byte oriented as in the TLS case.
327 n = left; /* makes the while condition false */
331 /* done reading, now the book-keeping */
334 rl->packet_length += n;
336 return OSSL_RECORD_RETURN_SUCCESS;
340 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
341 * for us in the buffer.
343 static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
351 p = SSL3_BUFFER_get_buf(rbuf);
355 left = SSL3_BUFFER_get_left(rbuf);
357 if (left < SSL3_RT_HEADER_LENGTH)
360 p += SSL3_BUFFER_get_offset(rbuf);
363 * We only check the type and record length, we will sanity check version
366 if (*p != SSL3_RT_APPLICATION_DATA)
372 if (left < SSL3_RT_HEADER_LENGTH + len)
379 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
380 * will be processed per call to ssl3_get_record. Without this limit an
381 * attacker could send empty records at a faster rate than we can process and
382 * cause ssl3_get_record to loop forever.
384 #define MAX_EMPTY_RECORDS 32
386 #define SSL2_RT_HEADER_LENGTH 2
389 * Call this to buffer new input records in rl->rrec.
390 * It will return a OSSL_RECORD_RETURN_* value.
391 * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
392 * records have been decoded. For each record 'i':
393 * rrec[i].type - is the type of record
394 * rrec[i].data, - data
395 * rrec[i].length, - number of bytes
396 * Multiple records will only be returned if the record types are all
397 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
400 static int tls_get_more_records(OSSL_RECORD_LAYER *rl,
401 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
406 SSL3_RECORD *rr, *thisrr;
410 unsigned char md[EVP_MAX_MD_SIZE];
411 unsigned int version;
414 size_t num_recs = 0, max_recs, j;
415 PACKET pkt, sslv2pkt;
416 SSL_MAC_BUF *macbufs = NULL;
417 int ret = OSSL_RECORD_RETURN_FATAL;
418 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
422 if (rbuf->buf == NULL) {
423 if (!rlayer_setup_read_buffer(rl)) {
424 /* RLAYERfatal() already called */
425 return OSSL_RECORD_RETURN_FATAL;
429 max_recs = s->max_pipelines;
435 thisrr = &rr[num_recs];
437 /* check if we have the header */
438 if ((rl->rstate != SSL_ST_READ_BODY) ||
439 (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
443 rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH,
444 SSL3_BUFFER_get_len(rbuf), 0,
445 num_recs == 0 ? 1 : 0, &n);
447 if (rret < OSSL_RECORD_RETURN_SUCCESS)
448 return rret; /* error or non-blocking */
450 rl->rstate = SSL_ST_READ_BODY;
453 if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
454 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
455 return OSSL_RECORD_RETURN_FATAL;
458 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
459 || !PACKET_get_1(&sslv2pkt, &type)) {
460 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
461 return OSSL_RECORD_RETURN_FATAL;
464 * The first record received by the server may be a V2ClientHello.
466 if (rl->role == OSSL_RECORD_ROLE_SERVER
467 && rl->is_first_record
468 && (sslv2len & 0x8000) != 0
469 && (type == SSL2_MT_CLIENT_HELLO)) {
473 * |num_recs| here will actually always be 0 because
474 * |num_recs > 0| only ever occurs when we are processing
475 * multiple app data records - which we know isn't the case here
476 * because it is an SSLv2ClientHello. We keep it using
477 * |num_recs| for the sake of consistency
479 thisrr->type = SSL3_RT_HANDSHAKE;
480 thisrr->rec_version = SSL2_VERSION;
482 thisrr->length = sslv2len & 0x7fff;
484 if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
485 - SSL2_RT_HEADER_LENGTH) {
486 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
487 SSL_R_PACKET_LENGTH_TOO_LONG);
488 return OSSL_RECORD_RETURN_FATAL;
491 /* SSLv3+ style record */
493 /* Pull apart the header into the SSL3_RECORD */
494 if (!PACKET_get_1(&pkt, &type)
495 || !PACKET_get_net_2(&pkt, &version)
496 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
498 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, ssl,
499 s->msg_callback_arg);
500 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
501 return OSSL_RECORD_RETURN_FATAL;
504 thisrr->rec_version = version;
507 s->msg_callback(0, version, SSL3_RT_HEADER, p, 5, ssl,
508 s->msg_callback_arg);
511 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
512 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
513 SSL_R_PACKET_LENGTH_TOO_LONG);
514 return OSSL_RECORD_RETURN_FATAL;
518 if (!rl->funcs->validate_record_header(rl, thisrr)) {
519 /* RLAYERfatal already called */
520 return OSSL_RECORD_RETURN_FATAL;
523 /* now rl->rstate == SSL_ST_READ_BODY */
527 * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
528 * how much more data we need to read for the rest of the record
530 if (thisrr->rec_version == SSL2_VERSION) {
531 more = thisrr->length + SSL2_RT_HEADER_LENGTH
532 - SSL3_RT_HEADER_LENGTH;
534 more = thisrr->length;
538 /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
540 rret = rl->funcs->read_n(rl, more, more, 1, 0, &n);
541 if (rret < OSSL_RECORD_RETURN_SUCCESS)
542 return rret; /* error or non-blocking io */
545 /* set state for later operations */
546 rl->rstate = SSL_ST_READ_HEADER;
549 * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
550 * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
551 * + thisrr->length and we have that many bytes in rl->packet
553 if (thisrr->rec_version == SSL2_VERSION)
554 thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
556 thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
559 * ok, we can now read from 'rl->packet' data into 'thisrr'.
560 * thisrr->input points at thisrr->length bytes, which need to be copied
561 * into thisrr->data by either the decryption or by the decompression.
562 * When the data is 'copied' into the thisrr->data buffer,
563 * thisrr->input will be updated to point at the new buffer
567 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
568 * thisrr->length bytes of encrypted compressed stuff.
571 /* decrypt in place in 'thisrr->input' */
572 thisrr->data = thisrr->input;
573 thisrr->orig_len = thisrr->length;
575 /* Mark this record as not read by upper layers yet */
580 /* we have pulled in a full packet so zero things */
581 tls_reset_packet_length(rl);
582 rl->is_first_record = 0;
583 } while (num_recs < max_recs
584 && thisrr->type == SSL3_RT_APPLICATION_DATA
585 && SSL_USE_EXPLICIT_IV(s)
586 && rl->enc_read_ctx != NULL
587 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_read_ctx))
588 & EVP_CIPH_FLAG_PIPELINE) != 0
589 && tls_record_app_data_waiting(rl));
592 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
593 && (SSL_CONNECTION_IS_TLS13(s) || s->hello_retry_request != SSL_HRR_NONE)
594 && rl->is_first_handshake) {
596 * CCS messages must be exactly 1 byte long, containing the value 0x01
598 if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
599 RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER,
600 SSL_R_INVALID_CCS_MESSAGE);
601 return OSSL_RECORD_RETURN_FATAL;
604 * CCS messages are ignored in TLSv1.3. We treat it like an empty
607 thisrr->type = SSL3_RT_HANDSHAKE;
608 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
609 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
610 SSL_R_UNEXPECTED_CCS_MESSAGE);
611 return OSSL_RECORD_RETURN_FATAL;
616 rl->num_released = 0;
618 return OSSL_RECORD_RETURN_SUCCESS;
621 if (rl->read_hash != NULL) {
622 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->read_hash);
625 imac_size = EVP_MD_get_size(tmpmd);
626 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
627 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
628 return OSSL_RECORD_RETURN_FATAL;
630 mac_size = (size_t)imac_size;
635 * If in encrypt-then-mac mode calculate mac from encrypted record. All
636 * the details below are public so no timing details can leak.
638 if (SSL_READ_ETM(s) && rl->read_hash) {
641 for (j = 0; j < num_recs; j++) {
644 if (thisrr->length < mac_size) {
645 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
646 return OSSL_RECORD_RETURN_FATAL;
648 thisrr->length -= mac_size;
649 mac = thisrr->data + thisrr->length;
650 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s);
651 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
652 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
653 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
654 return OSSL_RECORD_RETURN_FATAL;
658 * We've handled the mac now - there is no MAC inside the encrypted
665 macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
666 if (macbufs == NULL) {
667 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
668 return OSSL_RECORD_RETURN_FATAL;
673 * TODO(RECLAYER): Only call rl functions once TLSv1.3/SSLv3 is moved to new
676 enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size, s);
680 * 0: if the record is publicly invalid, or an internal error, or AEAD
681 * decryption failed, or ETM decryption failed.
682 * 1: Success or MTE decryption failed (MAC will be randomised)
685 if (ossl_statem_in_error(s)) {
686 /* SSLfatal() already got called */
689 if (num_recs == 1 && ossl_statem_skip_early_data(s)) {
691 * Valid early_data that we cannot decrypt will fail here. We treat
692 * it like an empty record.
697 if (!ossl_early_data_count_ok(s, thisrr->length,
698 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
699 /* SSLfatal() already called */
707 rl->num_released = 0;
708 RECORD_LAYER_reset_read_sequence(&s->rlayer);
712 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
713 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
716 OSSL_TRACE_BEGIN(TLS) {
717 BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
718 BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
719 } OSSL_TRACE_END(TLS);
721 /* r->length is now the compressed data plus mac */
723 && (rl->enc_read_ctx != NULL)
724 && (!SSL_READ_ETM(s) && EVP_MD_CTX_get0_md(rl->read_hash) != NULL)) {
725 /* rl->read_hash != NULL => mac_size != -1 */
727 for (j = 0; j < num_recs; j++) {
728 SSL_MAC_BUF *thismb = &macbufs[j];
731 i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s);
732 if (i == 0 || thismb == NULL || thismb->mac == NULL
733 || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
735 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
741 if (ossl_statem_in_error(s)) {
742 /* We already called SSLfatal() */
746 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
747 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
748 * failure is directly visible from the ciphertext anyway, we should
749 * not reveal which kind of error occurred -- this might become
750 * visible to an attacker (e.g. via a logfile)
752 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
753 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
757 for (j = 0; j < num_recs; j++) {
760 if (!rl->funcs->post_process_record(rl, thisrr, s)) {
761 /* RLAYERfatal already called */
766 * Check if the received packet overflows the current
767 * Max Fragment Length setting.
768 * Note: USE_MAX_FRAGMENT_LENGTH_EXT and KTLS are mutually exclusive.
770 if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
771 && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) {
772 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
778 * So at this point the following is true
779 * thisrr->type is the type of record
780 * thisrr->length == number of bytes in record
781 * thisrr->off == offset to first valid byte
782 * thisrr->data == where to take bytes from, increment after use :-).
785 /* just read a 0 length packet */
786 if (thisrr->length == 0) {
787 if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
788 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_RECORD_TOO_SMALL);
792 rl->empty_record_count = 0;
796 if (s->early_data_state == SSL_EARLY_DATA_READING) {
798 if (thisrr->type == SSL3_RT_APPLICATION_DATA
799 && !ossl_early_data_count_ok(s, thisrr->length, 0, 0)) {
800 /* SSLfatal already called */
805 rl->num_recs = num_recs;
807 rl->num_released = 0;
808 ret = OSSL_RECORD_RETURN_SUCCESS;
810 if (macbufs != NULL) {
811 for (j = 0; j < num_recs; j++) {
812 if (macbufs[j].alloced)
813 OPENSSL_free(macbufs[j].mac);
815 OPENSSL_free(macbufs);
820 /* Shared by ssl3_meth and tls1_meth */
821 int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
823 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
825 if (rec->rec_version != rl->version) {
826 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER);
830 #ifndef OPENSSL_NO_COMP
832 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
833 * does not include the compression overhead anyway.
835 if (rl->expand == NULL)
836 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
839 if (rec->length > len) {
840 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
841 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
848 static int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
850 #ifndef OPENSSL_NO_COMP
853 if (rec->comp == NULL) {
854 rec->comp = (unsigned char *)
855 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
857 if (rec->comp == NULL)
860 i = COMP_expand_block(rl->expand, rec->comp,
861 SSL3_RT_MAX_PLAIN_LENGTH, rec->data, (int)rec->length);
866 rec->data = rec->comp;
873 /* Shared by tlsany_meth, ssl3_meth and tls1_meth */
874 int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL_CONNECTION *s)
876 if (rl->expand != NULL) {
877 if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
878 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
879 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
882 if (!tls_do_uncompress(rl, rec)) {
883 RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
884 SSL_R_BAD_DECOMPRESSION);
889 if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
890 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
897 /* Shared by tls13_meth and ktls_meth */
898 int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec,
901 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
903 if (rec->type != SSL3_RT_APPLICATION_DATA
904 && rec->type != SSL3_RT_ALERT
905 && rec->type != SSL3_RT_HANDSHAKE) {
906 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
911 s->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE,
912 &rec->type, 1, ssl, s->msg_callback_arg);
915 * TLSv1.3 alert and handshake records are required to be non-zero in
918 if ((rec->type == SSL3_RT_HANDSHAKE
919 || rec->type == SSL3_RT_ALERT)
920 && rec->length == 0) {
921 RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
928 int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
929 int *type, unsigned char **data, size_t *datalen,
930 uint16_t *epoch, unsigned char *seq_num,
931 /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
936 * tls_get_more_records() can return success without actually reading
937 * anything useful (i.e. if empty records are read). We loop here until
938 * we have something useful. tls_get_more_records() will eventually fail if
939 * too many sequential empty records are read.
941 while (rl->curr_rec >= rl->num_recs) {
944 if (rl->num_released != rl->num_recs) {
945 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
946 return OSSL_RECORD_RETURN_FATAL;
949 ret = tls_get_more_records(rl, s);
951 if (ret != OSSL_RECORD_RETURN_SUCCESS)
956 * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
957 * points to the next one to read.
959 rec = &rl->rrec[rl->curr_rec++];
962 *rversion = rec->rec_version;
965 *datalen = rec->length;
967 return OSSL_RECORD_RETURN_SUCCESS;
970 int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle)
972 if (!ossl_assert(rl->num_released < rl->curr_rec)
973 || !ossl_assert(rechandle == &rl->rrec[rl->num_released])) {
974 /* Should not happen */
975 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
976 return OSSL_RECORD_RETURN_FATAL;
981 return OSSL_RECORD_RETURN_SUCCESS;
985 tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
986 int role, int direction, int level, unsigned char *key,
987 size_t keylen, unsigned char *iv, size_t ivlen,
988 unsigned char *mackey, size_t mackeylen,
989 const EVP_CIPHER *ciph, size_t taglen,
990 /* TODO(RECLAYER): This probably should not be an int */
992 const EVP_MD *md, const SSL_COMP *comp, BIO *transport,
993 BIO_ADDR *local, BIO_ADDR *peer,
994 const OSSL_PARAM *settings, const OSSL_PARAM *options,
995 OSSL_RECORD_LAYER **retrl,
996 /* TODO(RECLAYER): Remove me */
999 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
1000 const OSSL_PARAM *p;
1005 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1006 return OSSL_RECORD_RETURN_FATAL;
1009 if (transport != NULL && !BIO_up_ref(transport)) {
1010 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1015 * TODO(RECLAYER): Need to handle the case where the params are updated
1016 * after the record layer has been created.
1018 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
1019 if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
1020 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1024 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
1025 if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
1026 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1030 if (level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) {
1032 * We ignore any read_ahead setting prior to the application protection
1033 * level. Otherwise we may read ahead data in a lower protection level
1034 * that is destined for a higher protection level. To simplify the logic
1035 * we don't support that at this stage.
1038 * TODO(RECLAYER): Handle the case of read_ahead at the application
1039 * level and a key update/reneg occurs.
1041 p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
1042 if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
1043 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
1048 rl->libctx = libctx;
1053 rl->direction = direction;
1055 if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
1056 rl->is_first_record = 1;
1058 if (!tls_set1_bio(rl, transport))
1062 return OSSL_RECORD_RETURN_SUCCESS;
1065 return OSSL_RECORD_RETURN_FATAL;
1069 tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1070 int role, int direction, int level, unsigned char *key,
1071 size_t keylen, unsigned char *iv, size_t ivlen,
1072 unsigned char *mackey, size_t mackeylen,
1073 const EVP_CIPHER *ciph, size_t taglen,
1074 /* TODO(RECLAYER): This probably should not be an int */
1076 const EVP_MD *md, const SSL_COMP *comp, BIO *transport,
1077 BIO_ADDR *local, BIO_ADDR *peer,
1078 const OSSL_PARAM *settings, const OSSL_PARAM *options,
1079 OSSL_RECORD_LAYER **retrl,
1080 /* TODO(RECLAYER): Remove me */
1085 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
1086 key, keylen, iv, ivlen, mackey, mackeylen,
1087 ciph, taglen, mactype, md, comp, transport,
1088 local, peer, settings, options, retrl, s);
1090 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1094 case TLS_ANY_VERSION:
1095 (*retrl)->funcs = &tls_any_funcs;
1097 case TLS1_3_VERSION:
1098 (*retrl)->funcs = &tls_1_3_funcs;
1100 case TLS1_2_VERSION:
1101 case TLS1_1_VERSION:
1103 (*retrl)->funcs = &tls_1_funcs;
1106 (*retrl)->funcs = &ssl_3_0_funcs;
1109 /* Should not happen */
1110 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
1111 ret = OSSL_RECORD_RETURN_FATAL;
1115 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
1116 ivlen, mackey, mackeylen, ciph,
1117 taglen, mactype, md, comp, s);
1120 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
1121 OPENSSL_free(*retrl);
1127 /* TODO(RECLAYER): Temporary funcs */
1128 static int dtls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1130 rl->version = version;
1133 static struct record_functions_st dtls_funcs = {
1138 dtls_set_protocol_version,
1143 dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
1144 int role, int direction, int level, unsigned char *key,
1145 size_t keylen, unsigned char *iv, size_t ivlen,
1146 unsigned char *mackey, size_t mackeylen,
1147 const EVP_CIPHER *ciph, size_t taglen,
1148 /* TODO(RECLAYER): This probably should not be an int */
1150 const EVP_MD *md, const SSL_COMP *comp, BIO *transport,
1151 BIO_ADDR *local, BIO_ADDR *peer,
1152 const OSSL_PARAM *settings, const OSSL_PARAM *options,
1153 OSSL_RECORD_LAYER **retrl,
1154 /* TODO(RECLAYER): Remove me */
1160 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
1161 key, keylen, iv, ivlen, mackey, mackeylen,
1162 ciph, taglen, mactype, md, comp, transport,
1163 local, peer, settings, options, retrl, s);
1165 if (ret != OSSL_RECORD_RETURN_SUCCESS)
1168 (*retrl)->isdtls = 1;
1169 (*retrl)->funcs = &dtls_funcs;
1171 return OSSL_RECORD_RETURN_SUCCESS;
1174 void tls_free(OSSL_RECORD_LAYER *rl)
1176 /* TODO(RECLAYER): Cleanse sensitive fields */
1181 int tls_reset(OSSL_RECORD_LAYER *rl)
1183 memset(rl, 0, sizeof(*rl));
1187 int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
1189 return SSL3_BUFFER_get_left(&rl->rbuf) != 0;;
1192 int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
1194 return rl->curr_rec < rl->num_recs;
1197 size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
1202 int tls_write_pending(OSSL_RECORD_LAYER *rl)
1207 size_t tls_get_max_record_len(OSSL_RECORD_LAYER *rl)
1212 size_t tls_get_max_records(OSSL_RECORD_LAYER *rl)
1217 int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE **templates,
1218 size_t numtempl, size_t allowance, size_t *sent)
1223 int tls_retry_write_records(OSSL_RECORD_LAYER *rl, size_t allowance,
1230 int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
1235 int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
1237 if (bio != NULL && !BIO_up_ref(bio))
1245 /* Shared by most methods except tlsany_meth */
1246 int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1248 if (rl->version != version)
1254 int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
1256 return rl->funcs->set_protocol_version(rl, version);
1259 void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
1261 rl->allow_plain_alerts = allow;
1264 void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
1266 rl->is_first_handshake = first;
1269 SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl)
1274 unsigned char *tls_get0_packet(OSSL_RECORD_LAYER *rl)
1279 void tls_set0_packet(OSSL_RECORD_LAYER *rl, unsigned char *packet,
1282 rl->packet = packet;
1283 rl->packet_length = packetlen;
1286 size_t tls_get_packet_length(OSSL_RECORD_LAYER *rl)
1288 return rl->packet_length;
1291 const OSSL_RECORD_METHOD ossl_tls_record_method = {
1292 tls_new_record_layer,
1295 tls_unprocessed_read_pending,
1296 tls_processed_read_pending,
1297 tls_app_data_pending,
1299 tls_get_max_record_len,
1300 tls_get_max_records,
1302 tls_retry_write_records,
1307 tls_set_protocol_version,
1308 tls_set_plain_alerts,
1309 tls_set_first_handshake,
1312 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
1313 * during the record layer refactoring. They need to be removed before the
1314 * refactor is complete.
1320 tls_get_packet_length,
1321 tls_reset_packet_length
1324 const OSSL_RECORD_METHOD ossl_dtls_record_method = {
1325 dtls_new_record_layer,
1328 tls_unprocessed_read_pending,
1329 tls_processed_read_pending,
1330 tls_app_data_pending,
1332 tls_get_max_record_len,
1333 tls_get_max_records,
1335 tls_retry_write_records,
1340 tls_set_protocol_version,
1342 tls_set_first_handshake,
1345 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
1346 * during the record layer refactoring. They need to be removed before the
1347 * refactor is complete.
1353 tls_get_packet_length,
1354 tls_reset_packet_length