aboutsummaryrefslogtreecommitdiff
path: root/crypto/openssl/ssl/record/methods/tls_common.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssl/ssl/record/methods/tls_common.c')
-rw-r--r--crypto/openssl/ssl/record/methods/tls_common.c2187
1 files changed, 2187 insertions, 0 deletions
diff --git a/crypto/openssl/ssl/record/methods/tls_common.c b/crypto/openssl/ssl/record/methods/tls_common.c
new file mode 100644
index 000000000000..b9c79099462d
--- /dev/null
+++ b/crypto/openssl/ssl/record/methods/tls_common.c
@@ -0,0 +1,2187 @@
+/*
+ * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <assert.h>
+#include <openssl/bio.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/core_names.h>
+#include <openssl/comp.h>
+#include <openssl/ssl.h>
+#include "internal/e_os.h"
+#include "internal/packet.h"
+#include "internal/ssl3_cbc.h"
+#include "../../ssl_local.h"
+#include "../record_local.h"
+#include "recmethod_local.h"
+
+static void tls_int_free(OSSL_RECORD_LAYER *rl);
+
+void ossl_tls_buffer_release(TLS_BUFFER *b)
+{
+ OPENSSL_free(b->buf);
+ b->buf = NULL;
+}
+
+static void TLS_RL_RECORD_release(TLS_RL_RECORD *r, size_t num_recs)
+{
+ size_t i;
+
+ for (i = 0; i < num_recs; i++) {
+ OPENSSL_free(r[i].comp);
+ r[i].comp = NULL;
+ }
+}
+
+void ossl_tls_rl_record_set_seq_num(TLS_RL_RECORD *r,
+ const unsigned char *seq_num)
+{
+ memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
+}
+
+void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
+ const char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
+ va_end(args);
+
+ rl->alert = al;
+}
+
+int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
+ EVP_CIPHER_CTX *ctx,
+ const EVP_CIPHER *ciph,
+ const EVP_MD *md)
+{
+ /*
+ * Provided cipher, the TLS padding/MAC removal is performed provider
+ * side so we need to tell the ctx about our TLS version and mac size
+ */
+ OSSL_PARAM params[3], *pprm = params;
+ size_t macsize = 0;
+ int imacsize = -1;
+
+ if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
+ && !rl->use_etm)
+ imacsize = EVP_MD_get_size(md);
+ if (imacsize > 0)
+ macsize = (size_t)imacsize;
+
+ *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
+ &rl->version);
+ *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
+ &macsize);
+ *pprm = OSSL_PARAM_construct_end();
+
+ if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ return 1;
+}
+
+/*
+ * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
+ * which ssl3_cbc_digest_record supports.
+ */
+char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
+{
+ switch (EVP_MD_CTX_get_type(ctx)) {
+ case NID_md5:
+ case NID_sha1:
+ case NID_sha224:
+ case NID_sha256:
+ case NID_sha384:
+ case NID_sha512:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+#ifndef OPENSSL_NO_COMP
+static int tls_allow_compression(OSSL_RECORD_LAYER *rl)
+{
+ if (rl->options & SSL_OP_NO_COMPRESSION)
+ return 0;
+
+ return rl->security == NULL
+ || rl->security(rl->cbarg, SSL_SECOP_COMPRESSION, 0, 0, NULL);
+}
+#endif
+
+static void tls_release_write_buffer_int(OSSL_RECORD_LAYER *rl, size_t start)
+{
+ TLS_BUFFER *wb;
+ size_t pipes;
+
+ pipes = rl->numwpipes;
+
+ while (pipes > start) {
+ wb = &rl->wbuf[pipes - 1];
+
+ if (TLS_BUFFER_is_app_buffer(wb))
+ TLS_BUFFER_set_app_buffer(wb, 0);
+ else
+ OPENSSL_free(wb->buf);
+ wb->buf = NULL;
+ pipes--;
+ }
+}
+
+int tls_setup_write_buffer(OSSL_RECORD_LAYER *rl, size_t numwpipes,
+ size_t firstlen, size_t nextlen)
+{
+ unsigned char *p;
+ size_t maxalign = 0, headerlen;
+ TLS_BUFFER *wb;
+ size_t currpipe;
+ size_t defltlen = 0;
+ size_t contenttypelen = 0;
+
+ if (firstlen == 0 || (numwpipes > 1 && nextlen == 0)) {
+ if (rl->isdtls)
+ headerlen = DTLS1_RT_HEADER_LENGTH + 1;
+ else
+ headerlen = SSL3_RT_HEADER_LENGTH;
+
+ /* TLSv1.3 adds an extra content type byte after payload data */
+ if (rl->version == TLS1_3_VERSION)
+ contenttypelen = 1;
+
+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
+ maxalign = SSL3_ALIGN_PAYLOAD - 1;
+#endif
+
+ defltlen = maxalign + headerlen + rl->eivlen + rl->max_frag_len
+ + contenttypelen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
+#ifndef OPENSSL_NO_COMP
+ if (tls_allow_compression(rl))
+ defltlen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+#endif
+ /*
+ * We don't need to add eivlen here since empty fragments only occur
+ * when we don't have an explicit IV. The contenttype byte will also
+ * always be 0 in these protocol versions
+ */
+ if ((rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0)
+ defltlen += headerlen + maxalign + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
+ }
+
+ wb = rl->wbuf;
+ for (currpipe = 0; currpipe < numwpipes; currpipe++) {
+ TLS_BUFFER *thiswb = &wb[currpipe];
+ size_t len = (currpipe == 0) ? firstlen : nextlen;
+
+ if (len == 0)
+ len = defltlen;
+
+ if (thiswb->len != len) {
+ OPENSSL_free(thiswb->buf);
+ thiswb->buf = NULL; /* force reallocation */
+ }
+
+ p = thiswb->buf;
+ if (p == NULL) {
+ p = OPENSSL_malloc(len);
+ if (p == NULL) {
+ if (rl->numwpipes < currpipe)
+ rl->numwpipes = currpipe;
+ /*
+ * We've got a malloc failure, and we're still initialising
+ * buffers. We assume we're so doomed that we won't even be able
+ * to send an alert.
+ */
+ RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
+ return 0;
+ }
+ }
+ memset(thiswb, 0, sizeof(TLS_BUFFER));
+ thiswb->buf = p;
+ thiswb->len = len;
+ }
+
+ /* Free any previously allocated buffers that we are no longer using */
+ tls_release_write_buffer_int(rl, currpipe);
+
+ rl->numwpipes = numwpipes;
+
+ return 1;
+}
+
+static void tls_release_write_buffer(OSSL_RECORD_LAYER *rl)
+{
+ tls_release_write_buffer_int(rl, 0);
+
+ rl->numwpipes = 0;
+}
+
+int tls_setup_read_buffer(OSSL_RECORD_LAYER *rl)
+{
+ unsigned char *p;
+ size_t len, maxalign = 0, headerlen;
+ TLS_BUFFER *b;
+
+ b = &rl->rbuf;
+
+ if (rl->isdtls)
+ headerlen = DTLS1_RT_HEADER_LENGTH;
+ else
+ headerlen = SSL3_RT_HEADER_LENGTH;
+
+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
+ maxalign = SSL3_ALIGN_PAYLOAD - 1;
+#endif
+
+ if (b->buf == NULL) {
+ len = rl->max_frag_len
+ + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + maxalign;
+#ifndef OPENSSL_NO_COMP
+ if (tls_allow_compression(rl))
+ len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+#endif
+
+ /* Ensure our buffer is large enough to support all our pipelines */
+ if (rl->max_pipelines > 1)
+ len *= rl->max_pipelines;
+
+ if (b->default_len > len)
+ len = b->default_len;
+
+ if ((p = OPENSSL_malloc(len)) == NULL) {
+ /*
+ * We've got a malloc failure, and we're still initialising buffers.
+ * We assume we're so doomed that we won't even be able to send an
+ * alert.
+ */
+ RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB);
+ return 0;
+ }
+ b->buf = p;
+ b->len = len;
+ }
+
+ return 1;
+}
+
+static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl)
+{
+ TLS_BUFFER *b;
+
+ b = &rl->rbuf;
+ if ((rl->options & SSL_OP_CLEANSE_PLAINTEXT) != 0)
+ OPENSSL_cleanse(b->buf, b->len);
+ OPENSSL_free(b->buf);
+ b->buf = NULL;
+ rl->packet = NULL;
+ rl->packet_length = 0;
+ return 1;
+}
+
+/*
+ * Return values are as per SSL_read()
+ */
+int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
+ int clearold, size_t *readbytes)
+{
+ /*
+ * If extend == 0, obtain new n-byte packet; if extend == 1, increase
+ * packet by another n bytes. The packet will be in the sub-array of
+ * rl->rbuf.buf specified by rl->packet and rl->packet_length. (If
+ * rl->read_ahead is set, 'max' bytes may be stored in rbuf [plus
+ * rl->packet_length bytes if extend == 1].) if clearold == 1, move the
+ * packet to the start of the buffer; if clearold == 0 then leave any old
+ * packets where they were
+ */
+ size_t len, left, align = 0;
+ unsigned char *pkt;
+ TLS_BUFFER *rb;
+
+ if (n == 0)
+ return OSSL_RECORD_RETURN_NON_FATAL_ERR;
+
+ rb = &rl->rbuf;
+ left = rb->left;
+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
+ align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
+ align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
+#endif
+
+ if (!extend) {
+ /* start with empty packet ... */
+ if (left == 0)
+ rb->offset = align;
+
+ rl->packet = rb->buf + rb->offset;
+ rl->packet_length = 0;
+ /* ... now we can act as if 'extend' was set */
+ }
+
+ if (!ossl_assert(rl->packet != NULL)) {
+ /* does not happen */
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
+ len = rl->packet_length;
+ pkt = rb->buf + align;
+ /*
+ * Move any available bytes to front of buffer: 'len' bytes already
+ * pointed to by 'packet', 'left' extra ones at the end
+ */
+ if (rl->packet != pkt && clearold == 1) {
+ memmove(pkt, rl->packet, len + left);
+ rl->packet = pkt;
+ rb->offset = len + align;
+ }
+
+ /*
+ * For DTLS/UDP reads should not span multiple packets because the read
+ * operation returns the whole packet at once (as long as it fits into
+ * the buffer).
+ */
+ if (rl->isdtls) {
+ if (left == 0 && extend) {
+ /*
+ * We received a record with a header but no body data. This will
+ * get dumped.
+ */
+ return OSSL_RECORD_RETURN_NON_FATAL_ERR;
+ }
+ if (left > 0 && n > left)
+ n = left;
+ }
+
+ /* if there is enough in the buffer from a previous read, take some */
+ if (left >= n) {
+ rl->packet_length += n;
+ rb->left = left - n;
+ rb->offset += n;
+ *readbytes = n;
+ return OSSL_RECORD_RETURN_SUCCESS;
+ }
+
+ /* else we need to read more data */
+
+ if (n > rb->len - rb->offset) {
+ /* does not happen */
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
+ /* We always act like read_ahead is set for DTLS */
+ if (!rl->read_ahead && !rl->isdtls) {
+ /* ignore max parameter */
+ max = n;
+ } else {
+ if (max < n)
+ max = n;
+ if (max > rb->len - rb->offset)
+ max = rb->len - rb->offset;
+ }
+
+ while (left < n) {
+ size_t bioread = 0;
+ int ret;
+ BIO *bio = rl->prev != NULL ? rl->prev : rl->bio;
+
+ /*
+ * Now we have len+left bytes at the front of rl->rbuf.buf and
+ * need to read in more until we have len + n (up to len + max if
+ * possible)
+ */
+
+ clear_sys_error();
+ if (bio != NULL) {
+ ret = BIO_read(bio, pkt + len + left, max - left);
+ if (ret > 0) {
+ bioread = ret;
+ ret = OSSL_RECORD_RETURN_SUCCESS;
+ } else if (BIO_should_retry(bio)) {
+ if (rl->prev != NULL) {
+ /*
+ * We were reading from the previous epoch. Now there is no
+ * more data, so swap to the actual transport BIO
+ */
+ BIO_free(rl->prev);
+ rl->prev = NULL;
+ continue;
+ }
+ ret = OSSL_RECORD_RETURN_RETRY;
+ } else if (BIO_eof(bio)) {
+ ret = OSSL_RECORD_RETURN_EOF;
+ } else {
+ ret = OSSL_RECORD_RETURN_FATAL;
+ }
+ } else {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET);
+ ret = OSSL_RECORD_RETURN_FATAL;
+ }
+
+ if (ret <= OSSL_RECORD_RETURN_RETRY) {
+ rb->left = left;
+ if ((rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0 && !rl->isdtls)
+ if (len + left == 0)
+ tls_release_read_buffer(rl);
+ return ret;
+ }
+ left += bioread;
+ /*
+ * reads should *never* span multiple packets for DTLS because the
+ * underlying transport protocol is message oriented as opposed to
+ * byte oriented as in the TLS case.
+ */
+ if (rl->isdtls) {
+ if (n > left)
+ n = left; /* makes the while condition false */
+ }
+ }
+
+ /* done reading, now the book-keeping */
+ rb->offset += n;
+ rb->left = left - n;
+ rl->packet_length += n;
+ *readbytes = n;
+ return OSSL_RECORD_RETURN_SUCCESS;
+}
+
+/*
+ * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
+ * for us in the buffer.
+ */
+static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl)
+{
+ TLS_BUFFER *rbuf;
+ size_t left, len;
+ unsigned char *p;
+
+ rbuf = &rl->rbuf;
+
+ p = TLS_BUFFER_get_buf(rbuf);
+ if (p == NULL)
+ return 0;
+
+ left = TLS_BUFFER_get_left(rbuf);
+
+ if (left < SSL3_RT_HEADER_LENGTH)
+ return 0;
+
+ p += TLS_BUFFER_get_offset(rbuf);
+
+ /*
+ * We only check the type and record length, we will sanity check version
+ * etc later
+ */
+ if (*p != SSL3_RT_APPLICATION_DATA)
+ return 0;
+
+ p += 3;
+ n2s(p, len);
+
+ if (left < SSL3_RT_HEADER_LENGTH + len)
+ return 0;
+
+ return 1;
+}
+
+static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length,
+ size_t overhead, int send)
+{
+ uint32_t max_early_data = rl->max_early_data;
+
+ if (max_early_data == 0) {
+ RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
+ SSL_R_TOO_MUCH_EARLY_DATA);
+ return 0;
+ }
+
+ /* If we are dealing with ciphertext we need to allow for the overhead */
+ max_early_data += overhead;
+
+ if (rl->early_data_count + length > max_early_data) {
+ RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
+ SSL_R_TOO_MUCH_EARLY_DATA);
+ return 0;
+ }
+ rl->early_data_count += length;
+
+ return 1;
+}
+
+/*
+ * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
+ * will be processed per call to tls_get_more_records. Without this limit an
+ * attacker could send empty records at a faster rate than we can process and
+ * cause tls_get_more_records to loop forever.
+ */
+#define MAX_EMPTY_RECORDS 32
+
+#define SSL2_RT_HEADER_LENGTH 2
+
+/*-
+ * Call this to buffer new input records in rl->rrec.
+ * It will return a OSSL_RECORD_RETURN_* value.
+ * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs|
+ * records have been decoded. For each record 'i':
+ * rrec[i].type - is the type of record
+ * rrec[i].data, - data
+ * rrec[i].length, - number of bytes
+ * Multiple records will only be returned if the record types are all
+ * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
+ * |max_pipelines|
+ */
+int tls_get_more_records(OSSL_RECORD_LAYER *rl)
+{
+ int enc_err, rret;
+ int i;
+ size_t more, n;
+ TLS_RL_RECORD *rr, *thisrr;
+ TLS_BUFFER *rbuf;
+ unsigned char *p;
+ unsigned char md[EVP_MAX_MD_SIZE];
+ unsigned int version;
+ size_t mac_size = 0;
+ int imac_size;
+ size_t num_recs = 0, max_recs, j;
+ PACKET pkt, sslv2pkt;
+ SSL_MAC_BUF *macbufs = NULL;
+ int ret = OSSL_RECORD_RETURN_FATAL;
+
+ rr = rl->rrec;
+ rbuf = &rl->rbuf;
+ if (rbuf->buf == NULL) {
+ if (!tls_setup_read_buffer(rl)) {
+ /* RLAYERfatal() already called */
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ }
+
+ max_recs = rl->max_pipelines;
+
+ if (max_recs == 0)
+ max_recs = 1;
+
+ do {
+ thisrr = &rr[num_recs];
+
+ /* check if we have the header */
+ if ((rl->rstate != SSL_ST_READ_BODY) ||
+ (rl->packet_length < SSL3_RT_HEADER_LENGTH)) {
+ size_t sslv2len;
+ unsigned int type;
+
+ rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH,
+ TLS_BUFFER_get_len(rbuf), 0,
+ num_recs == 0 ? 1 : 0, &n);
+
+ if (rret < OSSL_RECORD_RETURN_SUCCESS)
+ return rret; /* error or non-blocking */
+
+ rl->rstate = SSL_ST_READ_BODY;
+
+ p = rl->packet;
+ if (!PACKET_buf_init(&pkt, p, rl->packet_length)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ sslv2pkt = pkt;
+ if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
+ || !PACKET_get_1(&sslv2pkt, &type)) {
+ RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ /*
+ * The first record received by the server may be a V2ClientHello.
+ */
+ if (rl->role == OSSL_RECORD_ROLE_SERVER
+ && rl->is_first_record
+ && (sslv2len & 0x8000) != 0
+ && (type == SSL2_MT_CLIENT_HELLO)) {
+ /*
+ * SSLv2 style record
+ *
+ * |num_recs| here will actually always be 0 because
+ * |num_recs > 0| only ever occurs when we are processing
+ * multiple app data records - which we know isn't the case here
+ * because it is an SSLv2ClientHello. We keep it using
+ * |num_recs| for the sake of consistency
+ */
+ thisrr->type = SSL3_RT_HANDSHAKE;
+ thisrr->rec_version = SSL2_VERSION;
+
+ thisrr->length = sslv2len & 0x7fff;
+
+ if (thisrr->length > TLS_BUFFER_get_len(rbuf)
+ - SSL2_RT_HEADER_LENGTH) {
+ RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
+ SSL_R_PACKET_LENGTH_TOO_LONG);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ } else {
+ /* SSLv3+ style record */
+
+ /* Pull apart the header into the TLS_RL_RECORD */
+ if (!PACKET_get_1(&pkt, &type)
+ || !PACKET_get_net_2(&pkt, &version)
+ || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
+ if (rl->msg_callback != NULL)
+ rl->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, rl->cbarg);
+ RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ thisrr->type = type;
+ thisrr->rec_version = version;
+
+ /*
+ * When we call validate_record_header() only records actually
+ * received in SSLv2 format should have the record version set
+ * to SSL2_VERSION. This way validate_record_header() can know
+ * what format the record was in based on the version.
+ */
+ if (thisrr->rec_version == SSL2_VERSION) {
+ RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
+ SSL_R_WRONG_VERSION_NUMBER);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
+ if (rl->msg_callback != NULL)
+ rl->msg_callback(0, version, SSL3_RT_HEADER, p, 5, rl->cbarg);
+
+ if (thisrr->length >
+ TLS_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
+ RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
+ SSL_R_PACKET_LENGTH_TOO_LONG);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ }
+
+ if (!rl->funcs->validate_record_header(rl, thisrr)) {
+ /* RLAYERfatal already called */
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
+ /* now rl->rstate == SSL_ST_READ_BODY */
+ }
+
+ /*
+ * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
+ * how much more data we need to read for the rest of the record
+ */
+ if (thisrr->rec_version == SSL2_VERSION) {
+ more = thisrr->length + SSL2_RT_HEADER_LENGTH
+ - SSL3_RT_HEADER_LENGTH;
+ } else {
+ more = thisrr->length;
+ }
+
+ if (more > 0) {
+ /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
+
+ rret = rl->funcs->read_n(rl, more, more, 1, 0, &n);
+ if (rret < OSSL_RECORD_RETURN_SUCCESS)
+ return rret; /* error or non-blocking io */
+ }
+
+ /* set state for later operations */
+ rl->rstate = SSL_ST_READ_HEADER;
+
+ /*
+ * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
+ * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
+ * + thisrr->length and we have that many bytes in rl->packet
+ */
+ if (thisrr->rec_version == SSL2_VERSION)
+ thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
+ else
+ thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
+
+ /*
+ * ok, we can now read from 'rl->packet' data into 'thisrr'.
+ * thisrr->input points at thisrr->length bytes, which need to be copied
+ * into thisrr->data by either the decryption or by the decompression.
+ * When the data is 'copied' into the thisrr->data buffer,
+ * thisrr->input will be updated to point at the new buffer
+ */
+
+ /*
+ * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
+ * thisrr->length bytes of encrypted compressed stuff.
+ */
+
+ /* decrypt in place in 'thisrr->input' */
+ thisrr->data = thisrr->input;
+ thisrr->orig_len = thisrr->length;
+
+ num_recs++;
+
+ /* we have pulled in a full packet so zero things */
+ rl->packet_length = 0;
+ rl->is_first_record = 0;
+ } while (num_recs < max_recs
+ && thisrr->type == SSL3_RT_APPLICATION_DATA
+ && RLAYER_USE_EXPLICIT_IV(rl)
+ && rl->enc_ctx != NULL
+ && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
+ & EVP_CIPH_FLAG_PIPELINE) != 0
+ && tls_record_app_data_waiting(rl));
+
+ if (num_recs == 1
+ && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
+ /* The following can happen in tlsany_meth after HRR */
+ && rl->version == TLS1_3_VERSION
+ && rl->is_first_handshake) {
+ /*
+ * CCS messages must be exactly 1 byte long, containing the value 0x01
+ */
+ if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
+ RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
+ SSL_R_INVALID_CCS_MESSAGE);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ /*
+ * CCS messages are ignored in TLSv1.3. We treat it like an empty
+ * handshake record - but we still call the msg_callback
+ */
+ if (rl->msg_callback != NULL)
+ rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_CHANGE_CIPHER_SPEC,
+ thisrr->data, 1, rl->cbarg);
+ thisrr->type = SSL3_RT_HANDSHAKE;
+ if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
+ RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
+ SSL_R_UNEXPECTED_CCS_MESSAGE);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ rl->num_recs = 0;
+ rl->curr_rec = 0;
+ rl->num_released = 0;
+
+ return OSSL_RECORD_RETURN_SUCCESS;
+ }
+
+ if (rl->md_ctx != NULL) {
+ const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
+
+ if (tmpmd != NULL) {
+ imac_size = EVP_MD_get_size(tmpmd);
+ if (!ossl_assert(imac_size > 0 && imac_size <= EVP_MAX_MD_SIZE)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ mac_size = (size_t)imac_size;
+ }
+ }
+
+ /*
+ * If in encrypt-then-mac mode calculate mac from encrypted record. All
+ * the details below are public so no timing details can leak.
+ */
+ if (rl->use_etm && rl->md_ctx != NULL) {
+ unsigned char *mac;
+
+ for (j = 0; j < num_recs; j++) {
+ thisrr = &rr[j];
+
+ if (thisrr->length < mac_size) {
+ RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ thisrr->length -= mac_size;
+ mac = thisrr->data + thisrr->length;
+ i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
+ if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
+ RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
+ SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ }
+ /*
+ * We've handled the mac now - there is no MAC inside the encrypted
+ * record
+ */
+ mac_size = 0;
+ }
+
+ if (mac_size > 0) {
+ macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs);
+ if (macbufs == NULL) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+ }
+
+ ERR_set_mark();
+ enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size);
+
+ /*-
+ * enc_err is:
+ * 0: if the record is publicly invalid, or an internal error, or AEAD
+ * decryption failed, or ETM decryption failed.
+ * 1: Success or MTE decryption failed (MAC will be randomised)
+ */
+ if (enc_err == 0) {
+ if (rl->alert != SSL_AD_NO_ALERT) {
+ /* RLAYERfatal() already got called */
+ ERR_clear_last_mark();
+ goto end;
+ }
+ if (num_recs == 1
+ && rl->skip_early_data != NULL
+ && rl->skip_early_data(rl->cbarg)) {
+ /*
+ * Valid early_data that we cannot decrypt will fail here. We treat
+ * it like an empty record.
+ */
+
+ /*
+ * Remove any errors from the stack. Decryption failures are normal
+ * behaviour.
+ */
+ ERR_pop_to_mark();
+
+ thisrr = &rr[0];
+
+ if (!rlayer_early_data_count_ok(rl, thisrr->length,
+ EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
+ /* RLAYERfatal() already called */
+ goto end;
+ }
+
+ thisrr->length = 0;
+ rl->num_recs = 0;
+ rl->curr_rec = 0;
+ rl->num_released = 0;
+ /* Reset the read sequence */
+ memset(rl->sequence, 0, sizeof(rl->sequence));
+ ret = 1;
+ goto end;
+ }
+ ERR_clear_last_mark();
+ RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
+ SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+ goto end;
+ } else {
+ ERR_clear_last_mark();
+ }
+ OSSL_TRACE_BEGIN(TLS) {
+ BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
+ BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
+ } OSSL_TRACE_END(TLS);
+
+ /* r->length is now the compressed data plus mac */
+ if (rl->enc_ctx != NULL
+ && !rl->use_etm
+ && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
+ for (j = 0; j < num_recs; j++) {
+ SSL_MAC_BUF *thismb = &macbufs[j];
+
+ thisrr = &rr[j];
+
+ i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
+ if (i == 0 || thismb == NULL || thismb->mac == NULL
+ || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
+ enc_err = 0;
+ if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
+ enc_err = 0;
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ if (enc_err == 0 && mac_size > 0 && thismb != NULL &&
+ thismb->mac != NULL && (md[0] ^ thismb->mac[0]) != 0xFF) {
+ enc_err = 1;
+ }
+#endif
+ }
+ }
+
+ if (enc_err == 0) {
+ if (rl->alert != SSL_AD_NO_ALERT) {
+ /* We already called RLAYERfatal() */
+ goto end;
+ }
+ /*
+ * A separate 'decryption_failed' alert was introduced with TLS 1.0,
+ * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
+ * failure is directly visible from the ciphertext anyway, we should
+ * not reveal which kind of error occurred -- this might become
+ * visible to an attacker (e.g. via a logfile)
+ */
+ RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
+ SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+ goto end;
+ }
+
+ for (j = 0; j < num_recs; j++) {
+ thisrr = &rr[j];
+
+ if (!rl->funcs->post_process_record(rl, thisrr)) {
+ /* RLAYERfatal already called */
+ goto end;
+ }
+
+ /*
+ * Record overflow checking (e.g. checking if
+ * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
+ * the post_process_record() function above. However we check here if
+ * the received packet overflows the current Max Fragment Length setting
+ * if there is one.
+ * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
+ * mutually exclusive. Also note that with KTLS thisrr->length can
+ * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
+ */
+ if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
+ && thisrr->length > rl->max_frag_len) {
+ RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
+ goto end;
+ }
+
+ thisrr->off = 0;
+ /*-
+ * So at this point the following is true
+ * thisrr->type is the type of record
+ * thisrr->length == number of bytes in record
+ * thisrr->off == offset to first valid byte
+ * thisrr->data == where to take bytes from, increment after use :-).
+ */
+
+ /* just read a 0 length packet */
+ if (thisrr->length == 0) {
+ if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) {
+ RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE,
+ SSL_R_RECORD_TOO_SMALL);
+ goto end;
+ }
+ } else {
+ rl->empty_record_count = 0;
+ }
+ }
+
+ if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) {
+ thisrr = &rr[0];
+ if (thisrr->type == SSL3_RT_APPLICATION_DATA
+ && !rlayer_early_data_count_ok(rl, thisrr->length, 0, 0)) {
+ /* RLAYERfatal already called */
+ goto end;
+ }
+ }
+
+ rl->num_recs = num_recs;
+ rl->curr_rec = 0;
+ rl->num_released = 0;
+ ret = OSSL_RECORD_RETURN_SUCCESS;
+ end:
+ if (macbufs != NULL) {
+ for (j = 0; j < num_recs; j++) {
+ if (macbufs[j].alloced)
+ OPENSSL_free(macbufs[j].mac);
+ }
+ OPENSSL_free(macbufs);
+ }
+ return ret;
+}
+
+/* Shared by ssl3_meth and tls1_meth */
+int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
+{
+ size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
+
+ if (rec->rec_version != rl->version) {
+ RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER);
+ return 0;
+ }
+
+#ifndef OPENSSL_NO_COMP
+ /*
+ * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
+ * does not include the compression overhead anyway.
+ */
+ if (rl->compctx == NULL)
+ len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+#endif
+
+ if (rec->length > len) {
+ RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
+ SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+ return 0;
+ }
+
+ return 1;
+}
+
+int tls_do_compress(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *wr)
+{
+#ifndef OPENSSL_NO_COMP
+ int i;
+
+ i = COMP_compress_block(rl->compctx, wr->data,
+ (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD),
+ wr->input, (int)wr->length);
+ if (i < 0)
+ return 0;
+
+ wr->length = i;
+ wr->input = wr->data;
+ return 1;
+#else
+ return 0;
+#endif
+}
+
+int tls_do_uncompress(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
+{
+#ifndef OPENSSL_NO_COMP
+ int i;
+
+ if (rec->comp == NULL) {
+ rec->comp = (unsigned char *)
+ OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
+ }
+ if (rec->comp == NULL)
+ return 0;
+
+ i = COMP_expand_block(rl->compctx, rec->comp, SSL3_RT_MAX_PLAIN_LENGTH,
+ rec->data, (int)rec->length);
+ if (i < 0)
+ return 0;
+ else
+ rec->length = i;
+ rec->data = rec->comp;
+ return 1;
+#else
+ return 0;
+#endif
+}
+
+/* Shared by tlsany_meth, ssl3_meth and tls1_meth */
+int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
+{
+ if (rl->compctx != NULL) {
+ if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
+ RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
+ SSL_R_COMPRESSED_LENGTH_TOO_LONG);
+ return 0;
+ }
+ if (!tls_do_uncompress(rl, rec)) {
+ RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE,
+ SSL_R_BAD_DECOMPRESSION);
+ return 0;
+ }
+ }
+
+ if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) {
+ RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Shared by tls13_meth and ktls_meth */
+int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
+{
+ if (rec->type != SSL3_RT_APPLICATION_DATA
+ && rec->type != SSL3_RT_ALERT
+ && rec->type != SSL3_RT_HANDSHAKE) {
+ RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
+ return 0;
+ }
+
+ if (rl->msg_callback != NULL) {
+ unsigned char ctype = (unsigned char)rec->type;
+
+ rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &ctype,
+ 1, rl->cbarg);
+ }
+
+ /*
+ * TLSv1.3 alert and handshake records are required to be non-zero in
+ * length.
+ */
+ if ((rec->type == SSL3_RT_HANDSHAKE || rec->type == SSL3_RT_ALERT)
+ && rec->length == 0) {
+ RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH);
+ return 0;
+ }
+
+ return 1;
+}
+
+int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
+ uint8_t *type, const unsigned char **data, size_t *datalen,
+ uint16_t *epoch, unsigned char *seq_num)
+{
+ TLS_RL_RECORD *rec;
+
+ /*
+ * tls_get_more_records() can return success without actually reading
+ * anything useful (i.e. if empty records are read). We loop here until
+ * we have something useful. tls_get_more_records() will eventually fail if
+ * too many sequential empty records are read.
+ */
+ while (rl->curr_rec >= rl->num_recs) {
+ int ret;
+
+ if (rl->num_released != rl->num_recs) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
+ ret = rl->funcs->get_more_records(rl);
+
+ if (ret != OSSL_RECORD_RETURN_SUCCESS)
+ return ret;
+ }
+
+ /*
+ * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec
+ * points to the next one to read.
+ */
+ rec = &rl->rrec[rl->curr_rec++];
+
+ *rechandle = rec;
+ *rversion = rec->rec_version;
+ *type = rec->type;
+ *data = rec->data + rec->off;
+ *datalen = rec->length;
+ if (rl->isdtls) {
+ *epoch = rec->epoch;
+ memcpy(seq_num, rec->seq_num, sizeof(rec->seq_num));
+ }
+
+ return OSSL_RECORD_RETURN_SUCCESS;
+}
+
+int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle, size_t length)
+{
+ TLS_RL_RECORD *rec = &rl->rrec[rl->num_released];
+
+ if (!ossl_assert(rl->num_released < rl->curr_rec)
+ || !ossl_assert(rechandle == rec)) {
+ /* Should not happen */
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
+ if (rec->length < length) {
+ /* Should not happen */
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
+ if ((rl->options & SSL_OP_CLEANSE_PLAINTEXT) != 0)
+ OPENSSL_cleanse(rec->data + rec->off, length);
+
+ rec->off += length;
+ rec->length -= length;
+
+ if (rec->length > 0)
+ return OSSL_RECORD_RETURN_SUCCESS;
+
+ rl->num_released++;
+
+ if (rl->curr_rec == rl->num_released
+ && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0
+ && TLS_BUFFER_get_left(&rl->rbuf) == 0)
+ tls_release_read_buffer(rl);
+
+ return OSSL_RECORD_RETURN_SUCCESS;
+}
+
+int tls_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
+{
+ const OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS);
+ if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+
+ p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE);
+ if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+
+ if (rl->direction == OSSL_RECORD_DIRECTION_READ) {
+ p = OSSL_PARAM_locate_const(options,
+ OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN);
+ if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->rbuf.default_len)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ } else {
+ p = OSSL_PARAM_locate_const(options,
+ OSSL_LIBSSL_RECORD_LAYER_PARAM_BLOCK_PADDING);
+ if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->block_padding)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ p = OSSL_PARAM_locate_const(options,
+ OSSL_LIBSSL_RECORD_LAYER_PARAM_HS_PADDING);
+ if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->hs_padding)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ }
+
+ if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) {
+ /*
+ * We ignore any read_ahead setting prior to the application protection
+ * level. Otherwise we may read ahead data in a lower protection level
+ * that is destined for a higher protection level. To simplify the logic
+ * we don't support that at this stage.
+ */
+ p = OSSL_PARAM_locate_const(options,
+ OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD);
+ if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+int
+tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
+ int role, int direction, int level,
+ const EVP_CIPHER *ciph, size_t taglen,
+ const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
+ BIO *transport, BIO *next, const OSSL_PARAM *settings,
+ const OSSL_PARAM *options,
+ const OSSL_DISPATCH *fns, void *cbarg,
+ OSSL_RECORD_LAYER **retrl)
+{
+ OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
+ const OSSL_PARAM *p;
+
+ *retrl = NULL;
+
+ if (rl == NULL)
+ return OSSL_RECORD_RETURN_FATAL;
+
+ /*
+ * Default the value for max_frag_len. This may be overridden by the
+ * settings
+ */
+ rl->max_frag_len = SSL3_RT_MAX_PLAIN_LENGTH;
+
+ /* Loop through all the settings since they must all be understood */
+ if (settings != NULL) {
+ for (p = settings; p->key != NULL; p++) {
+ if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) {
+ if (!OSSL_PARAM_get_int(p, &rl->use_etm)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+ } else if (strcmp(p->key,
+ OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) {
+ if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+ } else if (strcmp(p->key,
+ OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) {
+ if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+ } else if (strcmp(p->key,
+ OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) {
+ if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+ } else if (strcmp(p->key,
+ OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) {
+ if (!OSSL_PARAM_get_int(p, &rl->tlstree)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+ } else {
+ ERR_raise(ERR_LIB_SSL, SSL_R_UNKNOWN_MANDATORY_PARAMETER);
+ goto err;
+ }
+ }
+ }
+
+ rl->libctx = libctx;
+ rl->propq = propq;
+
+ rl->version = vers;
+ rl->role = role;
+ rl->direction = direction;
+ rl->level = level;
+ rl->taglen = taglen;
+ rl->md = md;
+
+ rl->alert = SSL_AD_NO_ALERT;
+ rl->rstate = SSL_ST_READ_HEADER;
+
+ if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
+ rl->is_first_record = 1;
+
+ if (!tls_set1_bio(rl, transport))
+ goto err;
+
+ if (prev != NULL && !BIO_up_ref(prev))
+ goto err;
+ rl->prev = prev;
+
+ if (next != NULL && !BIO_up_ref(next))
+ goto err;
+ rl->next = next;
+
+ rl->cbarg = cbarg;
+ if (fns != NULL) {
+ for (; fns->function_id != 0; fns++) {
+ switch (fns->function_id) {
+ case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA:
+ rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns);
+ break;
+ case OSSL_FUNC_RLAYER_MSG_CALLBACK:
+ rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
+ break;
+ case OSSL_FUNC_RLAYER_SECURITY:
+ rl->security = OSSL_FUNC_rlayer_security(fns);
+ break;
+ case OSSL_FUNC_RLAYER_PADDING:
+ rl->padding = OSSL_FUNC_rlayer_padding(fns);
+ default:
+ /* Just ignore anything we don't understand */
+ break;
+ }
+ }
+ }
+
+ if (!tls_set_options(rl, options)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+
+ if ((rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0
+ && rl->version <= TLS1_VERSION
+ && !EVP_CIPHER_is_a(ciph, "NULL")
+ && !EVP_CIPHER_is_a(ciph, "RC4")) {
+ /*
+ * Enable vulnerability countermeasure for CBC ciphers with known-IV
+ * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
+ */
+ rl->need_empty_fragments = 1;
+ }
+
+ *retrl = rl;
+ return OSSL_RECORD_RETURN_SUCCESS;
+ err:
+ tls_int_free(rl);
+ return OSSL_RECORD_RETURN_FATAL;
+}
+
+static int
+tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
+ int role, int direction, int level, uint16_t epoch,
+ unsigned char *secret, size_t secretlen,
+ unsigned char *key, size_t keylen, unsigned char *iv,
+ size_t ivlen, unsigned char *mackey, size_t mackeylen,
+ const EVP_CIPHER *ciph, size_t taglen,
+ int mactype,
+ const EVP_MD *md, COMP_METHOD *comp,
+ const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
+ BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
+ const OSSL_PARAM *settings, const OSSL_PARAM *options,
+ const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
+ OSSL_RECORD_LAYER **retrl)
+{
+ int ret;
+
+ ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
+ ciph, taglen, md, comp, prev,
+ transport, next, settings,
+ options, fns, cbarg, retrl);
+
+ if (ret != OSSL_RECORD_RETURN_SUCCESS)
+ return ret;
+
+ switch (vers) {
+ case TLS_ANY_VERSION:
+ (*retrl)->funcs = &tls_any_funcs;
+ break;
+ case TLS1_3_VERSION:
+ (*retrl)->funcs = &tls_1_3_funcs;
+ break;
+ case TLS1_2_VERSION:
+ case TLS1_1_VERSION:
+ case TLS1_VERSION:
+ (*retrl)->funcs = &tls_1_funcs;
+ break;
+ case SSL3_VERSION:
+ (*retrl)->funcs = &ssl_3_0_funcs;
+ break;
+ default:
+ /* Should not happen */
+ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+ ret = OSSL_RECORD_RETURN_FATAL;
+ goto err;
+ }
+
+ ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
+ ivlen, mackey, mackeylen, ciph,
+ taglen, mactype, md, comp);
+
+ err:
+ if (ret != OSSL_RECORD_RETURN_SUCCESS) {
+ tls_int_free(*retrl);
+ *retrl = NULL;
+ }
+ return ret;
+}
+
+static void tls_int_free(OSSL_RECORD_LAYER *rl)
+{
+ BIO_free(rl->prev);
+ BIO_free(rl->bio);
+ BIO_free(rl->next);
+ ossl_tls_buffer_release(&rl->rbuf);
+
+ tls_release_write_buffer(rl);
+
+ EVP_CIPHER_CTX_free(rl->enc_ctx);
+ EVP_MAC_CTX_free(rl->mac_ctx);
+ EVP_MD_CTX_free(rl->md_ctx);
+#ifndef OPENSSL_NO_COMP
+ COMP_CTX_free(rl->compctx);
+#endif
+ OPENSSL_free(rl->iv);
+ OPENSSL_free(rl->nonce);
+ if (rl->version == SSL3_VERSION)
+ OPENSSL_cleanse(rl->mac_secret, sizeof(rl->mac_secret));
+
+ TLS_RL_RECORD_release(rl->rrec, SSL_MAX_PIPELINES);
+
+ OPENSSL_free(rl);
+}
+
+int tls_free(OSSL_RECORD_LAYER *rl)
+{
+ TLS_BUFFER *rbuf;
+ size_t left, written;
+ int ret = 1;
+
+ if (rl == NULL)
+ return 1;
+
+ rbuf = &rl->rbuf;
+
+ left = TLS_BUFFER_get_left(rbuf);
+ if (left > 0) {
+ /*
+ * This record layer is closing but we still have data left in our
+ * buffer. It must be destined for the next epoch - so push it there.
+ */
+ ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
+ }
+ tls_int_free(rl);
+
+ return ret;
+}
+
+int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
+{
+ return TLS_BUFFER_get_left(&rl->rbuf) != 0;
+}
+
+int tls_processed_read_pending(OSSL_RECORD_LAYER *rl)
+{
+ return rl->curr_rec < rl->num_recs;
+}
+
+size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl)
+{
+ size_t i;
+ size_t num = 0;
+
+ for (i = rl->curr_rec; i < rl->num_recs; i++) {
+ if (rl->rrec[i].type != SSL3_RT_APPLICATION_DATA)
+ return num;
+ num += rl->rrec[i].length;
+ }
+ return num;
+}
+
+size_t tls_get_max_records_default(OSSL_RECORD_LAYER *rl, uint8_t type,
+ size_t len,
+ size_t maxfrag, size_t *preffrag)
+{
+ /*
+ * If we have a pipeline capable cipher, and we have been configured to use
+ * it, then return the preferred number of pipelines.
+ */
+ if (rl->max_pipelines > 0
+ && rl->enc_ctx != NULL
+ && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx))
+ & EVP_CIPH_FLAG_PIPELINE) != 0
+ && RLAYER_USE_EXPLICIT_IV(rl)) {
+ size_t pipes;
+
+ if (len == 0)
+ return 1;
+ pipes = ((len - 1) / *preffrag) + 1;
+
+ return (pipes < rl->max_pipelines) ? pipes : rl->max_pipelines;
+ }
+
+ return 1;
+}
+
+size_t tls_get_max_records(OSSL_RECORD_LAYER *rl, uint8_t type, size_t len,
+ size_t maxfrag, size_t *preffrag)
+{
+ return rl->funcs->get_max_records(rl, type, len, maxfrag, preffrag);
+}
+
+int tls_allocate_write_buffers_default(OSSL_RECORD_LAYER *rl,
+ OSSL_RECORD_TEMPLATE *templates,
+ size_t numtempl,
+ size_t *prefix)
+{
+ if (!tls_setup_write_buffer(rl, numtempl, 0, 0)) {
+ /* RLAYERfatal() already called */
+ return 0;
+ }
+
+ return 1;
+}
+
+int tls_initialise_write_packets_default(OSSL_RECORD_LAYER *rl,
+ OSSL_RECORD_TEMPLATE *templates,
+ size_t numtempl,
+ OSSL_RECORD_TEMPLATE *prefixtempl,
+ WPACKET *pkt,
+ TLS_BUFFER *bufs,
+ size_t *wpinited)
+{
+ WPACKET *thispkt;
+ size_t j, align;
+ TLS_BUFFER *wb;
+
+ for (j = 0; j < numtempl; j++) {
+ thispkt = &pkt[j];
+ wb = &bufs[j];
+
+ wb->type = templates[j].type;
+
+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
+ align = (size_t)TLS_BUFFER_get_buf(wb);
+ align += rl->isdtls ? DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH;
+ align = SSL3_ALIGN_PAYLOAD - 1
+ - ((align - 1) % SSL3_ALIGN_PAYLOAD);
+#endif
+ TLS_BUFFER_set_offset(wb, align);
+
+ if (!WPACKET_init_static_len(thispkt, TLS_BUFFER_get_buf(wb),
+ TLS_BUFFER_get_len(wb), 0)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ (*wpinited)++;
+ if (!WPACKET_allocate_bytes(thispkt, align, NULL)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+int tls_prepare_record_header_default(OSSL_RECORD_LAYER *rl,
+ WPACKET *thispkt,
+ OSSL_RECORD_TEMPLATE *templ,
+ uint8_t rectype,
+ unsigned char **recdata)
+{
+ size_t maxcomplen;
+
+ *recdata = NULL;
+
+ maxcomplen = templ->buflen;
+ if (rl->compctx != NULL)
+ maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+
+ if (!WPACKET_put_bytes_u8(thispkt, rectype)
+ || !WPACKET_put_bytes_u16(thispkt, templ->version)
+ || !WPACKET_start_sub_packet_u16(thispkt)
+ || (rl->eivlen > 0
+ && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL))
+ || (maxcomplen > 0
+ && !WPACKET_reserve_bytes(thispkt, maxcomplen,
+ recdata))) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ return 1;
+}
+
+int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl,
+ size_t mac_size,
+ WPACKET *thispkt,
+ TLS_RL_RECORD *thiswr)
+{
+ size_t len;
+ unsigned char *recordstart;
+
+ /*
+ * we should still have the output to thiswr->data and the input from
+ * wr->input. Length should be thiswr->length. thiswr->data still points
+ * in the wb->buf
+ */
+
+ if (!rl->use_etm && mac_size != 0) {
+ unsigned char *mac;
+
+ if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
+ || !rl->funcs->mac(rl, thiswr, mac, 1)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+
+ /*
+ * Reserve some bytes for any growth that may occur during encryption. If
+ * we are adding the MAC independently of the cipher algorithm, then the
+ * max encrypted overhead does not need to include an allocation for that
+ * MAC
+ */
+ if (!WPACKET_reserve_bytes(thispkt, SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
+ - mac_size, NULL)
+ /*
+ * We also need next the amount of bytes written to this
+ * sub-packet
+ */
+ || !WPACKET_get_length(thispkt, &len)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ /* Get a pointer to the start of this record excluding header */
+ recordstart = WPACKET_get_curr(thispkt) - len;
+ TLS_RL_RECORD_set_data(thiswr, recordstart);
+ TLS_RL_RECORD_reset_input(thiswr);
+ TLS_RL_RECORD_set_length(thiswr, len);
+
+ return 1;
+}
+
+int tls_post_encryption_processing_default(OSSL_RECORD_LAYER *rl,
+ size_t mac_size,
+ OSSL_RECORD_TEMPLATE *thistempl,
+ WPACKET *thispkt,
+ TLS_RL_RECORD *thiswr)
+{
+ size_t origlen, len;
+ size_t headerlen = rl->isdtls ? DTLS1_RT_HEADER_LENGTH
+ : SSL3_RT_HEADER_LENGTH;
+
+ /* Allocate bytes for the encryption overhead */
+ if (!WPACKET_get_length(thispkt, &origlen)
+ /* Check we allowed enough room for the encryption growth */
+ || !ossl_assert(origlen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
+ - mac_size >= thiswr->length)
+ /* Encryption should never shrink the data! */
+ || origlen > thiswr->length
+ || (thiswr->length > origlen
+ && !WPACKET_allocate_bytes(thispkt,
+ thiswr->length - origlen,
+ NULL))) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ if (rl->use_etm && mac_size != 0) {
+ unsigned char *mac;
+
+ if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
+ || !rl->funcs->mac(rl, thiswr, mac, 1)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ TLS_RL_RECORD_add_length(thiswr, mac_size);
+ }
+
+ if (!WPACKET_get_length(thispkt, &len)
+ || !WPACKET_close(thispkt)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ if (rl->msg_callback != NULL) {
+ unsigned char *recordstart;
+
+ recordstart = WPACKET_get_curr(thispkt) - len - headerlen;
+ rl->msg_callback(1, thiswr->rec_version, SSL3_RT_HEADER, recordstart,
+ headerlen, rl->cbarg);
+
+ if (rl->version == TLS1_3_VERSION && rl->enc_ctx != NULL) {
+ unsigned char ctype = thistempl->type;
+
+ rl->msg_callback(1, thiswr->rec_version, SSL3_RT_INNER_CONTENT_TYPE,
+ &ctype, 1, rl->cbarg);
+ }
+ }
+
+ if (!WPACKET_finish(thispkt)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ TLS_RL_RECORD_add_length(thiswr, headerlen);
+
+ return 1;
+}
+
+int tls_write_records_default(OSSL_RECORD_LAYER *rl,
+ OSSL_RECORD_TEMPLATE *templates,
+ size_t numtempl)
+{
+ WPACKET pkt[SSL_MAX_PIPELINES + 1];
+ TLS_RL_RECORD wr[SSL_MAX_PIPELINES + 1];
+ WPACKET *thispkt;
+ TLS_RL_RECORD *thiswr;
+ int mac_size = 0, ret = 0;
+ size_t wpinited = 0;
+ size_t j, prefix = 0;
+ OSSL_RECORD_TEMPLATE prefixtempl;
+ OSSL_RECORD_TEMPLATE *thistempl;
+
+ if (rl->md_ctx != NULL && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) {
+ mac_size = EVP_MD_CTX_get_size(rl->md_ctx);
+ if (mac_size < 0) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ }
+
+ if (!rl->funcs->allocate_write_buffers(rl, templates, numtempl, &prefix)) {
+ /* RLAYERfatal() already called */
+ goto err;
+ }
+
+ if (!rl->funcs->initialise_write_packets(rl, templates, numtempl,
+ &prefixtempl, pkt, rl->wbuf,
+ &wpinited)) {
+ /* RLAYERfatal() already called */
+ goto err;
+ }
+
+ /* Clear our TLS_RL_RECORD structures */
+ memset(wr, 0, sizeof(wr));
+ for (j = 0; j < numtempl + prefix; j++) {
+ unsigned char *compressdata = NULL;
+ uint8_t rectype;
+
+ thispkt = &pkt[j];
+ thiswr = &wr[j];
+ thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix];
+
+ /*
+ * Default to the record type as specified in the template unless the
+ * protocol implementation says differently.
+ */
+ if (rl->funcs->get_record_type != NULL)
+ rectype = rl->funcs->get_record_type(rl, thistempl);
+ else
+ rectype = thistempl->type;
+
+ TLS_RL_RECORD_set_type(thiswr, rectype);
+ TLS_RL_RECORD_set_rec_version(thiswr, thistempl->version);
+
+ if (!rl->funcs->prepare_record_header(rl, thispkt, thistempl, rectype,
+ &compressdata)) {
+ /* RLAYERfatal() already called */
+ goto err;
+ }
+
+ /* lets setup the record stuff. */
+ TLS_RL_RECORD_set_data(thiswr, compressdata);
+ TLS_RL_RECORD_set_length(thiswr, thistempl->buflen);
+
+ TLS_RL_RECORD_set_input(thiswr, (unsigned char *)thistempl->buf);
+
+ /*
+ * we now 'read' from thiswr->input, thiswr->length bytes into
+ * thiswr->data
+ */
+
+ /* first we compress */
+ if (rl->compctx != NULL) {
+ if (!tls_do_compress(rl, thiswr)
+ || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE);
+ goto err;
+ }
+ } else if (compressdata != NULL) {
+ if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ TLS_RL_RECORD_reset_input(&wr[j]);
+ }
+
+ if (rl->funcs->add_record_padding != NULL
+ && !rl->funcs->add_record_padding(rl, thistempl, thispkt,
+ thiswr)) {
+ /* RLAYERfatal() already called */
+ goto err;
+ }
+
+ if (!rl->funcs->prepare_for_encryption(rl, mac_size, thispkt, thiswr)) {
+ /* RLAYERfatal() already called */
+ goto err;
+ }
+ }
+
+ if (prefix) {
+ if (rl->funcs->cipher(rl, wr, 1, 1, NULL, mac_size) < 1) {
+ if (rl->alert == SSL_AD_NO_ALERT) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ }
+ goto err;
+ }
+ }
+
+ if (rl->funcs->cipher(rl, wr + prefix, numtempl, 1, NULL, mac_size) < 1) {
+ if (rl->alert == SSL_AD_NO_ALERT) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ }
+ goto err;
+ }
+
+ for (j = 0; j < numtempl + prefix; j++) {
+ thispkt = &pkt[j];
+ thiswr = &wr[j];
+ thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix];
+
+ if (!rl->funcs->post_encryption_processing(rl, mac_size, thistempl,
+ thispkt, thiswr)) {
+ /* RLAYERfatal() already called */
+ goto err;
+ }
+
+ /* now let's set up wb */
+ TLS_BUFFER_set_left(&rl->wbuf[j], TLS_RL_RECORD_get_length(thiswr));
+ }
+
+ ret = 1;
+ err:
+ for (j = 0; j < wpinited; j++)
+ WPACKET_cleanup(&pkt[j]);
+ return ret;
+}
+
+int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates,
+ size_t numtempl)
+{
+ /* Check we don't have pending data waiting to write */
+ if (!ossl_assert(rl->nextwbuf >= rl->numwpipes
+ || TLS_BUFFER_get_left(&rl->wbuf[rl->nextwbuf]) == 0)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
+ if (!rl->funcs->write_records(rl, templates, numtempl)) {
+ /* RLAYERfatal already called */
+ return OSSL_RECORD_RETURN_FATAL;
+ }
+
+ rl->nextwbuf = 0;
+ /* we now just need to write the buffers */
+ return tls_retry_write_records(rl);
+}
+
+int tls_retry_write_records(OSSL_RECORD_LAYER *rl)
+{
+ int i, ret;
+ TLS_BUFFER *thiswb;
+ size_t tmpwrit = 0;
+
+ if (rl->nextwbuf >= rl->numwpipes)
+ return OSSL_RECORD_RETURN_SUCCESS;
+
+ for (;;) {
+ thiswb = &rl->wbuf[rl->nextwbuf];
+
+ clear_sys_error();
+ if (rl->bio != NULL) {
+ if (rl->funcs->prepare_write_bio != NULL) {
+ ret = rl->funcs->prepare_write_bio(rl, thiswb->type);
+ if (ret != OSSL_RECORD_RETURN_SUCCESS)
+ return ret;
+ }
+ i = BIO_write(rl->bio, (char *)
+ &(TLS_BUFFER_get_buf(thiswb)
+ [TLS_BUFFER_get_offset(thiswb)]),
+ (unsigned int)TLS_BUFFER_get_left(thiswb));
+ if (i >= 0) {
+ tmpwrit = i;
+ if (i == 0 && BIO_should_retry(rl->bio))
+ ret = OSSL_RECORD_RETURN_RETRY;
+ else
+ ret = OSSL_RECORD_RETURN_SUCCESS;
+ } else {
+ if (BIO_should_retry(rl->bio)) {
+ ret = OSSL_RECORD_RETURN_RETRY;
+ } else {
+ ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(),
+ "tls_retry_write_records failure");
+ ret = OSSL_RECORD_RETURN_FATAL;
+ }
+ }
+ } else {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET);
+ ret = OSSL_RECORD_RETURN_FATAL;
+ i = -1;
+ }
+
+ /*
+ * When an empty fragment is sent on a connection using KTLS,
+ * it is sent as a write of zero bytes. If this zero byte
+ * write succeeds, i will be 0 rather than a non-zero value.
+ * Treat i == 0 as success rather than an error for zero byte
+ * writes to permit this case.
+ */
+ if (i >= 0 && tmpwrit == TLS_BUFFER_get_left(thiswb)) {
+ TLS_BUFFER_set_left(thiswb, 0);
+ TLS_BUFFER_add_offset(thiswb, tmpwrit);
+ if (++(rl->nextwbuf) < rl->numwpipes)
+ continue;
+
+ if (rl->nextwbuf == rl->numwpipes
+ && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
+ tls_release_write_buffer(rl);
+ return OSSL_RECORD_RETURN_SUCCESS;
+ } else if (i <= 0) {
+ if (rl->isdtls) {
+ /*
+ * For DTLS, just drop it. That's kind of the whole point in
+ * using a datagram service
+ */
+ TLS_BUFFER_set_left(thiswb, 0);
+ if (++(rl->nextwbuf) == rl->numwpipes
+ && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0)
+ tls_release_write_buffer(rl);
+
+ }
+ return ret;
+ }
+ TLS_BUFFER_add_offset(thiswb, tmpwrit);
+ TLS_BUFFER_sub_left(thiswb, tmpwrit);
+ }
+}
+
+int tls_get_alert_code(OSSL_RECORD_LAYER *rl)
+{
+ return rl->alert;
+}
+
+int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
+{
+ if (bio != NULL && !BIO_up_ref(bio))
+ return 0;
+ BIO_free(rl->bio);
+ rl->bio = bio;
+
+ return 1;
+}
+
+/* Shared by most methods except tlsany_meth */
+int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
+{
+ if (rl->version != version)
+ return 0;
+
+ return 1;
+}
+
+int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
+{
+ return rl->funcs->set_protocol_version(rl, version);
+}
+
+void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
+{
+ rl->allow_plain_alerts = allow;
+}
+
+void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
+{
+ rl->is_first_handshake = first;
+}
+
+void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
+{
+ rl->max_pipelines = max_pipelines;
+ if (max_pipelines > 1)
+ rl->read_ahead = 1;
+}
+
+void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
+ const char **longstr)
+{
+ const char *shrt, *lng;
+
+ switch (rl->rstate) {
+ case SSL_ST_READ_HEADER:
+ shrt = "RH";
+ lng = "read header";
+ break;
+ case SSL_ST_READ_BODY:
+ shrt = "RB";
+ lng = "read body";
+ break;
+ default:
+ shrt = lng = "unknown";
+ break;
+ }
+ if (shortstr != NULL)
+ *shortstr = shrt;
+ if (longstr != NULL)
+ *longstr = lng;
+}
+
+const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl)
+{
+#ifndef OPENSSL_NO_COMP
+ return (rl->compctx == NULL) ? NULL : COMP_CTX_get_method(rl->compctx);
+#else
+ return NULL;
+#endif
+}
+
+void tls_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
+{
+ rl->max_frag_len = max_frag_len;
+ /*
+ * We don't need to adjust buffer sizes. Write buffer sizes are
+ * automatically checked anyway. We should only be changing the read buffer
+ * size during the handshake, so we will create a new buffer when we create
+ * the new record layer. We can't change the existing buffer because it may
+ * already have data in it.
+ */
+}
+
+int tls_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
+{
+ int i;
+
+ /* Increment the sequence counter */
+ for (i = SEQ_NUM_SIZE; i > 0; i--) {
+ ++(rl->sequence[i - 1]);
+ if (rl->sequence[i - 1] != 0)
+ break;
+ }
+ if (i == 0) {
+ /* Sequence has wrapped */
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_SEQUENCE_CTR_WRAPPED);
+ return 0;
+ }
+ return 1;
+}
+
+int tls_alloc_buffers(OSSL_RECORD_LAYER *rl)
+{
+ if (rl->direction == OSSL_RECORD_DIRECTION_WRITE) {
+ /* If we have a pending write then buffers are already allocated */
+ if (rl->nextwbuf < rl->numwpipes)
+ return 1;
+ /*
+ * We assume 1 pipe with default sized buffer. If what we need ends up
+ * being a different size to that then it will be reallocated on demand.
+ * If we need more than 1 pipe then that will also be allocated on
+ * demand
+ */
+ if (!tls_setup_write_buffer(rl, 1, 0, 0))
+ return 0;
+
+ /*
+ * Normally when we allocate write buffers we immediately write
+ * something into it. In this case we're not doing that so mark the
+ * buffer as empty.
+ */
+ TLS_BUFFER_set_left(&rl->wbuf[0], 0);
+ return 1;
+ }
+
+ /* Read direction */
+
+ /* If we have pending data to be read then buffers are already allocated */
+ if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0)
+ return 1;
+ return tls_setup_read_buffer(rl);
+}
+
+int tls_free_buffers(OSSL_RECORD_LAYER *rl)
+{
+ if (rl->direction == OSSL_RECORD_DIRECTION_WRITE) {
+ if (rl->nextwbuf < rl->numwpipes) {
+ /*
+ * We may have pending data. If we've just got one empty buffer
+ * allocated then it has probably just been alloc'd via
+ * tls_alloc_buffers, and it is fine to free it. Otherwise this
+ * looks like real pending data and it is an error.
+ */
+ if (rl->nextwbuf != 0
+ || rl->numwpipes != 1
+ || TLS_BUFFER_get_left(&rl->wbuf[0]) != 0)
+ return 0;
+ }
+ tls_release_write_buffer(rl);
+ return 1;
+ }
+
+ /* Read direction */
+
+ /* If we have pending data to be read then fail */
+ if (rl->curr_rec < rl->num_recs
+ || rl->curr_rec != rl->num_released
+ || TLS_BUFFER_get_left(&rl->rbuf) != 0
+ || rl->rstate == SSL_ST_READ_BODY)
+ return 0;
+
+ return tls_release_read_buffer(rl);
+}
+
+const OSSL_RECORD_METHOD ossl_tls_record_method = {
+ tls_new_record_layer,
+ tls_free,
+ tls_unprocessed_read_pending,
+ tls_processed_read_pending,
+ tls_app_data_pending,
+ tls_get_max_records,
+ tls_write_records,
+ tls_retry_write_records,
+ tls_read_record,
+ tls_release_record,
+ tls_get_alert_code,
+ tls_set1_bio,
+ tls_set_protocol_version,
+ tls_set_plain_alerts,
+ tls_set_first_handshake,
+ tls_set_max_pipelines,
+ NULL,
+ tls_get_state,
+ tls_set_options,
+ tls_get_compression,
+ tls_set_max_frag_len,
+ NULL,
+ tls_increment_sequence_ctr,
+ tls_alloc_buffers,
+ tls_free_buffers
+};
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-24 00:12:12 +0000