/* * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include #include #include #include #include #include #include #include "internal/e_os.h" #include "internal/packet.h" #include "internal/ssl3_cbc.h" #include "../../ssl_local.h" #include "../record_local.h" #include "recmethod_local.h" static void tls_int_free(OSSL_RECORD_LAYER *rl); void ossl_tls_buffer_release(TLS_BUFFER *b) { OPENSSL_free(b->buf); b->buf = NULL; } static void TLS_RL_RECORD_release(TLS_RL_RECORD *r, size_t num_recs) { size_t i; for (i = 0; i < num_recs; i++) { OPENSSL_free(r[i].comp); r[i].comp = NULL; } } void ossl_tls_rl_record_set_seq_num(TLS_RL_RECORD *r, const unsigned char *seq_num) { memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE); } void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason, const char *fmt, ...) { va_list args; va_start(args, fmt); ERR_vset_error(ERR_LIB_SSL, reason, fmt, args); va_end(args); rl->alert = al; } int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl, EVP_CIPHER_CTX *ctx, const EVP_CIPHER *ciph, const EVP_MD *md) { /* * Provided cipher, the TLS padding/MAC removal is performed provider * side so we need to tell the ctx about our TLS version and mac size */ OSSL_PARAM params[3], *pprm = params; size_t macsize = 0; int imacsize = -1; if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0 && !rl->use_etm) imacsize = EVP_MD_get_size(md); if (imacsize >= 0) macsize = (size_t)imacsize; *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION, &rl->version); *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE, &macsize); *pprm = OSSL_PARAM_construct_end(); if (!EVP_CIPHER_CTX_set_params(ctx, params)) { ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); return 0; } return 1; } /* * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function * which ssl3_cbc_digest_record supports. */ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) { switch (EVP_MD_CTX_get_type(ctx)) { case NID_md5: case NID_sha1: case NID_sha224: case NID_sha256: case NID_sha384: case NID_sha512: return 1; default: return 0; } } #ifndef OPENSSL_NO_COMP static int tls_allow_compression(OSSL_RECORD_LAYER *rl) { if (rl->options & SSL_OP_NO_COMPRESSION) return 0; return rl->security == NULL || rl->security(rl->cbarg, SSL_SECOP_COMPRESSION, 0, 0, NULL); } #endif static void tls_release_write_buffer_int(OSSL_RECORD_LAYER *rl, size_t start) { TLS_BUFFER *wb; size_t pipes; pipes = rl->numwpipes; while (pipes > start) { wb = &rl->wbuf[pipes - 1]; if (TLS_BUFFER_is_app_buffer(wb)) TLS_BUFFER_set_app_buffer(wb, 0); else OPENSSL_free(wb->buf); wb->buf = NULL; pipes--; } } int tls_setup_write_buffer(OSSL_RECORD_LAYER *rl, size_t numwpipes, size_t firstlen, size_t nextlen) { unsigned char *p; size_t align = 0, headerlen; TLS_BUFFER *wb; size_t currpipe; size_t defltlen = 0; size_t contenttypelen = 0; if (firstlen == 0 || (numwpipes > 1 && nextlen == 0)) { if (rl->isdtls) headerlen = DTLS1_RT_HEADER_LENGTH + 1; else headerlen = SSL3_RT_HEADER_LENGTH; /* TLSv1.3 adds an extra content type byte after payload data */ if (rl->version == TLS1_3_VERSION) contenttypelen = 1; #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0 align = SSL3_ALIGN_PAYLOAD - 1; #endif defltlen = align + headerlen + rl->eivlen + rl->max_frag_len + contenttypelen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; #ifndef OPENSSL_NO_COMP if (tls_allow_compression(rl)) defltlen += SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif /* * We don't need to add eivlen here since empty fragments only occur * when we don't have an explicit IV. The contenttype byte will also * always be 0 in these protocol versions */ if ((rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0) defltlen += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; } wb = rl->wbuf; for (currpipe = 0; currpipe < numwpipes; currpipe++) { TLS_BUFFER *thiswb = &wb[currpipe]; size_t len = (currpipe == 0) ? firstlen : nextlen; if (len == 0) len = defltlen; if (thiswb->len != len) { OPENSSL_free(thiswb->buf); thiswb->buf = NULL; /* force reallocation */ } p = thiswb->buf; if (p == NULL) { p = OPENSSL_malloc(len); if (p == NULL) { if (rl->numwpipes < currpipe) rl->numwpipes = currpipe; /* * We've got a malloc failure, and we're still initialising * buffers. We assume we're so doomed that we won't even be able * to send an alert. */ RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB); return 0; } } memset(thiswb, 0, sizeof(TLS_BUFFER)); thiswb->buf = p; thiswb->len = len; } /* Free any previously allocated buffers that we are no longer using */ tls_release_write_buffer_int(rl, currpipe); rl->numwpipes = numwpipes; return 1; } static void tls_release_write_buffer(OSSL_RECORD_LAYER *rl) { tls_release_write_buffer_int(rl, 0); rl->numwpipes = 0; } int tls_setup_read_buffer(OSSL_RECORD_LAYER *rl) { unsigned char *p; size_t len, align = 0, headerlen; TLS_BUFFER *b; b = &rl->rbuf; if (rl->isdtls) headerlen = DTLS1_RT_HEADER_LENGTH; else headerlen = SSL3_RT_HEADER_LENGTH; #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); #endif if (b->buf == NULL) { len = rl->max_frag_len + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align; #ifndef OPENSSL_NO_COMP if (tls_allow_compression(rl)) len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif /* Ensure our buffer is large enough to support all our pipelines */ if (rl->max_pipelines > 1) len *= rl->max_pipelines; if (b->default_len > len) len = b->default_len; if ((p = OPENSSL_malloc(len)) == NULL) { /* * We've got a malloc failure, and we're still initialising buffers. * We assume we're so doomed that we won't even be able to send an * alert. */ RLAYERfatal(rl, SSL_AD_NO_ALERT, ERR_R_CRYPTO_LIB); return 0; } b->buf = p; b->len = len; } return 1; } static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl) { TLS_BUFFER *b; b = &rl->rbuf; if ((rl->options & SSL_OP_CLEANSE_PLAINTEXT) != 0) OPENSSL_cleanse(b->buf, b->len); OPENSSL_free(b->buf); b->buf = NULL; return 1; } /* * Return values are as per SSL_read() */ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, int clearold, size_t *readbytes) { /* * If extend == 0, obtain new n-byte packet; if extend == 1, increase * packet by another n bytes. The packet will be in the sub-array of * rl->rbuf.buf specified by rl->packet and rl->packet_length. (If * rl->read_ahead is set, 'max' bytes may be stored in rbuf [plus * rl->packet_length bytes if extend == 1].) if clearold == 1, move the * packet to the start of the buffer; if clearold == 0 then leave any old * packets where they were */ size_t len, left, align = 0; unsigned char *pkt; TLS_BUFFER *rb; if (n == 0) return OSSL_RECORD_RETURN_NON_FATAL_ERR; rb = &rl->rbuf; left = rb->left; #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH; align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD); #endif if (!extend) { /* start with empty packet ... */ if (left == 0) rb->offset = align; rl->packet = rb->buf + rb->offset; rl->packet_length = 0; /* ... now we can act as if 'extend' was set */ } len = rl->packet_length; pkt = rb->buf + align; /* * Move any available bytes to front of buffer: 'len' bytes already * pointed to by 'packet', 'left' extra ones at the end */ if (rl->packet != pkt && clearold == 1) { memmove(pkt, rl->packet, len + left); rl->packet = pkt; rb->offset = len + align; } /* * For DTLS/UDP reads should not span multiple packets because the read * operation returns the whole packet at once (as long as it fits into * the buffer). */ if (rl->isdtls) { if (left == 0 && extend) { /* * We received a record with a header but no body data. This will * get dumped. */ return OSSL_RECORD_RETURN_NON_FATAL_ERR; } if (left > 0 && n > left) n = left; } /* if there is enough in the buffer from a previous read, take some */ if (left >= n) { rl->packet_length += n; rb->left = left - n; rb->offset += n; *readbytes = n; return OSSL_RECORD_RETURN_SUCCESS; } /* else we need to read more data */ if (n > rb->len - rb->offset) { /* does not happen */ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return OSSL_RECORD_RETURN_FATAL; } /* We always act like read_ahead is set for DTLS */ if (!rl->read_ahead && !rl->isdtls) { /* ignore max parameter */ max = n; } else { if (max < n) max = n; if (max > rb->len - rb->offset) max = rb->len - rb->offset; } while (left < n) { size_t bioread = 0; int ret; BIO *bio = rl->prev != NULL ? rl->prev : rl->bio; /* * Now we have len+left bytes at the front of rl->rbuf.buf and * need to read in more until we have len + n (up to len + max if * possible) */ clear_sys_error(); if (bio != NULL) { ret = BIO_read(bio, pkt + len + left, max - left); if (ret > 0) { bioread = ret; ret = OSSL_RECORD_RETURN_SUCCESS; } else if (BIO_should_retry(bio)) { if (rl->prev != NULL) { /* * We were reading from the previous epoch. Now there is no * more data, so swap to the actual transport BIO */ BIO_free(rl->prev); rl->prev = NULL; continue; } ret = OSSL_RECORD_RETURN_RETRY; } else if (BIO_eof(bio)) { ret = OSSL_RECORD_RETURN_EOF; } else { ret = OSSL_RECORD_RETURN_FATAL; } } else { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET); ret = OSSL_RECORD_RETURN_FATAL; } if (ret <= OSSL_RECORD_RETURN_RETRY) { rb->left = left; if ((rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0 && !rl->isdtls) if (len + left == 0) tls_release_read_buffer(rl); return ret; } left += bioread; /* * reads should *never* span multiple packets for DTLS because the * underlying transport protocol is message oriented as opposed to * byte oriented as in the TLS case. */ if (rl->isdtls) { if (n > left) n = left; /* makes the while condition false */ } } /* done reading, now the book-keeping */ rb->offset += n; rb->left = left - n; rl->packet_length += n; *readbytes = n; return OSSL_RECORD_RETURN_SUCCESS; } /* * Peeks ahead into "read_ahead" data to see if we have a whole record waiting * for us in the buffer. */ static int tls_record_app_data_waiting(OSSL_RECORD_LAYER *rl) { TLS_BUFFER *rbuf; size_t left, len; unsigned char *p; rbuf = &rl->rbuf; p = TLS_BUFFER_get_buf(rbuf); if (p == NULL) return 0; left = TLS_BUFFER_get_left(rbuf); if (left < SSL3_RT_HEADER_LENGTH) return 0; p += TLS_BUFFER_get_offset(rbuf); /* * We only check the type and record length, we will sanity check version * etc later */ if (*p != SSL3_RT_APPLICATION_DATA) return 0; p += 3; n2s(p, len); if (left < SSL3_RT_HEADER_LENGTH + len) return 0; return 1; } static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length, size_t overhead, int send) { uint32_t max_early_data = rl->max_early_data; if (max_early_data == 0) { RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, SSL_R_TOO_MUCH_EARLY_DATA); return 0; } /* If we are dealing with ciphertext we need to allow for the overhead */ max_early_data += overhead; if (rl->early_data_count + length > max_early_data) { RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, SSL_R_TOO_MUCH_EARLY_DATA); return 0; } rl->early_data_count += length; return 1; } /* * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that * will be processed per call to tls_get_more_records. Without this limit an * attacker could send empty records at a faster rate than we can process and * cause tls_get_more_records to loop forever. */ #define MAX_EMPTY_RECORDS 32 #define SSL2_RT_HEADER_LENGTH 2 /*- * Call this to buffer new input records in rl->rrec. * It will return a OSSL_RECORD_RETURN_* value. * When it finishes successfully (OSSL_RECORD_RETURN_SUCCESS), |rl->num_recs| * records have been decoded. For each record 'i': * rrec[i].type - is the type of record * rrec[i].data, - data * rrec[i].length, - number of bytes * Multiple records will only be returned if the record types are all * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <= * |max_pipelines| */ int tls_get_more_records(OSSL_RECORD_LAYER *rl) { int enc_err, rret; int i; size_t more, n; TLS_RL_RECORD *rr, *thisrr; TLS_BUFFER *rbuf; unsigned char *p; unsigned char md[EVP_MAX_MD_SIZE]; unsigned int version; size_t mac_size = 0; int imac_size; size_t num_recs = 0, max_recs, j; PACKET pkt, sslv2pkt; SSL_MAC_BUF *macbufs = NULL; int ret = OSSL_RECORD_RETURN_FATAL; rr = rl->rrec; rbuf = &rl->rbuf; if (rbuf->buf == NULL) { if (!tls_setup_read_buffer(rl)) { /* RLAYERfatal() already called */ return OSSL_RECORD_RETURN_FATAL; } } max_recs = rl->max_pipelines; if (max_recs == 0) max_recs = 1; do { thisrr = &rr[num_recs]; /* check if we have the header */ if ((rl->rstate != SSL_ST_READ_BODY) || (rl->packet_length < SSL3_RT_HEADER_LENGTH)) { size_t sslv2len; unsigned int type; rret = rl->funcs->read_n(rl, SSL3_RT_HEADER_LENGTH, TLS_BUFFER_get_len(rbuf), 0, num_recs == 0 ? 1 : 0, &n); if (rret < OSSL_RECORD_RETURN_SUCCESS) return rret; /* error or non-blocking */ rl->rstate = SSL_ST_READ_BODY; p = rl->packet; if (!PACKET_buf_init(&pkt, p, rl->packet_length)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return OSSL_RECORD_RETURN_FATAL; } sslv2pkt = pkt; if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len) || !PACKET_get_1(&sslv2pkt, &type)) { RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); return OSSL_RECORD_RETURN_FATAL; } /* * The first record received by the server may be a V2ClientHello. */ if (rl->role == OSSL_RECORD_ROLE_SERVER && rl->is_first_record && (sslv2len & 0x8000) != 0 && (type == SSL2_MT_CLIENT_HELLO)) { /* * SSLv2 style record * * |num_recs| here will actually always be 0 because * |num_recs > 0| only ever occurs when we are processing * multiple app data records - which we know isn't the case here * because it is an SSLv2ClientHello. We keep it using * |num_recs| for the sake of consistency */ thisrr->type = SSL3_RT_HANDSHAKE; thisrr->rec_version = SSL2_VERSION; thisrr->length = sslv2len & 0x7fff; if (thisrr->length > TLS_BUFFER_get_len(rbuf) - SSL2_RT_HEADER_LENGTH) { RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_PACKET_LENGTH_TOO_LONG); return OSSL_RECORD_RETURN_FATAL; } } else { /* SSLv3+ style record */ /* Pull apart the header into the TLS_RL_RECORD */ if (!PACKET_get_1(&pkt, &type) || !PACKET_get_net_2(&pkt, &version) || !PACKET_get_net_2_len(&pkt, &thisrr->length)) { if (rl->msg_callback != NULL) rl->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, rl->cbarg); RLAYERfatal(rl, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); return OSSL_RECORD_RETURN_FATAL; } thisrr->type = type; thisrr->rec_version = version; /* * When we call validate_record_header() only records actually * received in SSLv2 format should have the record version set * to SSL2_VERSION. This way validate_record_header() can know * what format the record was in based on the version. */ if (thisrr->rec_version == SSL2_VERSION) { RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER); return OSSL_RECORD_RETURN_FATAL; } if (rl->msg_callback != NULL) rl->msg_callback(0, version, SSL3_RT_HEADER, p, 5, rl->cbarg); if (thisrr->length > TLS_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) { RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_PACKET_LENGTH_TOO_LONG); return OSSL_RECORD_RETURN_FATAL; } } if (!rl->funcs->validate_record_header(rl, thisrr)) { /* RLAYERfatal already called */ return OSSL_RECORD_RETURN_FATAL; } /* now rl->rstate == SSL_ST_READ_BODY */ } /* * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate * how much more data we need to read for the rest of the record */ if (thisrr->rec_version == SSL2_VERSION) { more = thisrr->length + SSL2_RT_HEADER_LENGTH - SSL3_RT_HEADER_LENGTH; } else { more = thisrr->length; } if (more > 0) { /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */ rret = rl->funcs->read_n(rl, more, more, 1, 0, &n); if (rret < OSSL_RECORD_RETURN_SUCCESS) return rret; /* error or non-blocking io */ } /* set state for later operations */ rl->rstate = SSL_ST_READ_HEADER; /* * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH * + thisrr->length and we have that many bytes in rl->packet */ if (thisrr->rec_version == SSL2_VERSION) thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]); else thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]); /* * ok, we can now read from 'rl->packet' data into 'thisrr'. * thisrr->input points at thisrr->length bytes, which need to be copied * into thisrr->data by either the decryption or by the decompression. * When the data is 'copied' into the thisrr->data buffer, * thisrr->input will be updated to point at the new buffer */ /* * We now have - encrypted [ MAC [ compressed [ plain ] ] ] * thisrr->length bytes of encrypted compressed stuff. */ /* decrypt in place in 'thisrr->input' */ thisrr->data = thisrr->input; thisrr->orig_len = thisrr->length; num_recs++; /* we have pulled in a full packet so zero things */ rl->packet_length = 0; rl->is_first_record = 0; } while (num_recs < max_recs && thisrr->type == SSL3_RT_APPLICATION_DATA && RLAYER_USE_EXPLICIT_IV(rl) && rl->enc_ctx != NULL && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx)) & EVP_CIPH_FLAG_PIPELINE) != 0 && tls_record_app_data_waiting(rl)); if (num_recs == 1 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC /* The following can happen in tlsany_meth after HRR */ && rl->version == TLS1_3_VERSION && rl->is_first_handshake) { /* * CCS messages must be exactly 1 byte long, containing the value 0x01 */ if (thisrr->length != 1 || thisrr->data[0] != 0x01) { RLAYERfatal(rl, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_CCS_MESSAGE); return OSSL_RECORD_RETURN_FATAL; } /* * CCS messages are ignored in TLSv1.3. We treat it like an empty * handshake record */ thisrr->type = SSL3_RT_HANDSHAKE; if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) { RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_CCS_MESSAGE); return OSSL_RECORD_RETURN_FATAL; } rl->num_recs = 0; rl->curr_rec = 0; rl->num_released = 0; return OSSL_RECORD_RETURN_SUCCESS; } if (rl->md_ctx != NULL) { const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx); if (tmpmd != NULL) { imac_size = EVP_MD_get_size(tmpmd); if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); return OSSL_RECORD_RETURN_FATAL; } mac_size = (size_t)imac_size; } } /* * If in encrypt-then-mac mode calculate mac from encrypted record. All * the details below are public so no timing details can leak. */ if (rl->use_etm && rl->md_ctx != NULL) { unsigned char *mac; for (j = 0; j < num_recs; j++) { thisrr = &rr[j]; if (thisrr->length < mac_size) { RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); return OSSL_RECORD_RETURN_FATAL; } thisrr->length -= mac_size; mac = thisrr->data + thisrr->length; i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */); if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) { RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); return OSSL_RECORD_RETURN_FATAL; } } /* * We've handled the mac now - there is no MAC inside the encrypted * record */ mac_size = 0; } if (mac_size > 0) { macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs); if (macbufs == NULL) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); return OSSL_RECORD_RETURN_FATAL; } } ERR_set_mark(); enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size); /*- * enc_err is: * 0: if the record is publicly invalid, or an internal error, or AEAD * decryption failed, or ETM decryption failed. * 1: Success or MTE decryption failed (MAC will be randomised) */ if (enc_err == 0) { if (rl->alert != SSL_AD_NO_ALERT) { /* RLAYERfatal() already got called */ ERR_clear_last_mark(); goto end; } if (num_recs == 1 && rl->skip_early_data != NULL && rl->skip_early_data(rl->cbarg)) { /* * Valid early_data that we cannot decrypt will fail here. We treat * it like an empty record. */ /* * Remove any errors from the stack. Decryption failures are normal * behaviour. */ ERR_pop_to_mark(); thisrr = &rr[0]; if (!rlayer_early_data_count_ok(rl, thisrr->length, EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { /* RLAYERfatal() already called */ goto end; } thisrr->length = 0; rl->num_recs = 0; rl->curr_rec = 0; rl->num_released = 0; /* Reset the read sequence */ memset(rl->sequence, 0, sizeof(rl->sequence)); ret = 1; goto end; } ERR_clear_last_mark(); RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); goto end; } else { ERR_clear_last_mark(); } OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length); BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4); } OSSL_TRACE_END(TLS); /* r->length is now the compressed data plus mac */ if (rl->enc_ctx != NULL && !rl->use_etm && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) { for (j = 0; j < num_recs; j++) { SSL_MAC_BUF *thismb = &macbufs[j]; thisrr = &rr[j]; i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */); if (i == 0 || thismb == NULL || thismb->mac == NULL || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0) enc_err = 0; if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) enc_err = 0; #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION if (enc_err == 0 && mac_size > 0 && thismb != NULL && thismb->mac != NULL && (md[0] ^ thismb->mac[0]) != 0xFF) { enc_err = 1; } #endif } } if (enc_err == 0) { if (rl->alert != SSL_AD_NO_ALERT) { /* We already called RLAYERfatal() */ goto end; } /* * A separate 'decryption_failed' alert was introduced with TLS 1.0, * SSL 3.0 only has 'bad_record_mac'. But unless a decryption * failure is directly visible from the ciphertext anyway, we should * not reveal which kind of error occurred -- this might become * visible to an attacker (e.g. via a logfile) */ RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); goto end; } for (j = 0; j < num_recs; j++) { thisrr = &rr[j]; if (!rl->funcs->post_process_record(rl, thisrr)) { /* RLAYERfatal already called */ goto end; } /* * Record overflow checking (e.g. checking if * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of * the post_process_record() function above. However we check here if * the received packet overflows the current Max Fragment Length setting * if there is one. * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are * mutually exclusive. Also note that with KTLS thisrr->length can * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored) */ if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH && thisrr->length > rl->max_frag_len) { RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); goto end; } thisrr->off = 0; /*- * So at this point the following is true * thisrr->type is the type of record * thisrr->length == number of bytes in record * thisrr->off == offset to first valid byte * thisrr->data == where to take bytes from, increment after use :-). */ /* just read a 0 length packet */ if (thisrr->length == 0) { if (++(rl->empty_record_count) > MAX_EMPTY_RECORDS) { RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_RECORD_TOO_SMALL); goto end; } } else { rl->empty_record_count = 0; } } if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) { thisrr = &rr[0]; if (thisrr->type == SSL3_RT_APPLICATION_DATA && !rlayer_early_data_count_ok(rl, thisrr->length, 0, 0)) { /* RLAYERfatal already called */ goto end; } } rl->num_recs = num_recs; rl->curr_rec = 0; rl->num_released = 0; ret = OSSL_RECORD_RETURN_SUCCESS; end: if (macbufs != NULL) { for (j = 0; j < num_recs; j++) { if (macbufs[j].alloced) OPENSSL_free(macbufs[j].mac); } OPENSSL_free(macbufs); } return ret; } /* Shared by ssl3_meth and tls1_meth */ int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec) { size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH; if (rec->rec_version != rl->version) { RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER); return 0; } #ifndef OPENSSL_NO_COMP /* * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH * does not include the compression overhead anyway. */ if (rl->compctx == NULL) len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif if (rec->length > len) { RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); return 0; } return 1; } int tls_do_compress(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *wr) { #ifndef OPENSSL_NO_COMP int i; i = COMP_compress_block(rl->compctx, wr->data, (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD), wr->input, (int)wr->length); if (i < 0) return 0; wr->length = i; wr->input = wr->data; return 1; #else return 0; #endif } int tls_do_uncompress(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec) { #ifndef OPENSSL_NO_COMP int i; if (rec->comp == NULL) { rec->comp = (unsigned char *) OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); } if (rec->comp == NULL) return 0; i = COMP_expand_block(rl->compctx, rec->comp, SSL3_RT_MAX_PLAIN_LENGTH, rec->data, (int)rec->length); if (i < 0) return 0; else rec->length = i; rec->data = rec->comp; return 1; #else return 0; #endif } /* Shared by tlsany_meth, ssl3_meth and tls1_meth */ int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec) { if (rl->compctx != NULL) { if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_COMPRESSED_LENGTH_TOO_LONG); return 0; } if (!tls_do_uncompress(rl, rec)) { RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION); return 0; } } if (rec->length > SSL3_RT_MAX_PLAIN_LENGTH) { RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); return 0; } return 1; } /* Shared by tls13_meth and ktls_meth */ int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec) { if (rec->type != SSL3_RT_APPLICATION_DATA && rec->type != SSL3_RT_ALERT && rec->type != SSL3_RT_HANDSHAKE) { RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); return 0; } if (rl->msg_callback != NULL) rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &rec->type, 1, rl->cbarg); /* * TLSv1.3 alert and handshake records are required to be non-zero in * length. */ if ((rec->type == SSL3_RT_HANDSHAKE || rec->type == SSL3_RT_ALERT) && rec->length == 0) { RLAYERfatal(rl, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH); return 0; } return 1; } int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion, uint8_t *type, const unsigned char **data, size_t *datalen, uint16_t *epoch, unsigned char *seq_num) { TLS_RL_RECORD *rec; /* * tls_get_more_records() can return success without actually reading * anything useful (i.e. if empty records are read). We loop here until * we have something useful. tls_get_more_records() will eventually fail if * too many sequential empty records are read. */ while (rl->curr_rec >= rl->num_recs) { int ret; if (rl->num_released != rl->num_recs) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_RECORDS_NOT_RELEASED); return OSSL_RECORD_RETURN_FATAL; } ret = rl->funcs->get_more_records(rl); if (ret != OSSL_RECORD_RETURN_SUCCESS) return ret; } /* * We have now got rl->num_recs records buffered in rl->rrec. rl->curr_rec * points to the next one to read. */ rec = &rl->rrec[rl->curr_rec++]; *rechandle = rec; *rversion = rec->rec_version; *type = rec->type; *data = rec->data + rec->off; *datalen = rec->length; if (rl->isdtls) { *epoch = rec->epoch; memcpy(seq_num, rec->seq_num, sizeof(rec->seq_num)); } return OSSL_RECORD_RETURN_SUCCESS; } int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle, size_t length) { TLS_RL_RECORD *rec = &rl->rrec[rl->num_released]; if (!ossl_assert(rl->num_released < rl->curr_rec) || !ossl_assert(rechandle == rec)) { /* Should not happen */ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_INVALID_RECORD); return OSSL_RECORD_RETURN_FATAL; } if (rec->length < length) { /* Should not happen */ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return OSSL_RECORD_RETURN_FATAL; } if ((rl->options & SSL_OP_CLEANSE_PLAINTEXT) != 0) OPENSSL_cleanse(rec->data + rec->off, length); rec->off += length; rec->length -= length; if (rec->length > 0) return OSSL_RECORD_RETURN_SUCCESS; rl->num_released++; if (rl->curr_rec == rl->num_released && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0 && TLS_BUFFER_get_left(&rl->rbuf) == 0) tls_release_read_buffer(rl); return OSSL_RECORD_RETURN_SUCCESS; } int tls_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options) { const OSSL_PARAM *p; p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS); if (p != NULL && !OSSL_PARAM_get_uint64(p, &rl->options)) { ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER); return 0; } p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE); if (p != NULL && !OSSL_PARAM_get_uint32(p, &rl->mode)) { ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER); return 0; } if (rl->direction == OSSL_RECORD_DIRECTION_READ) { p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_READ_BUFFER_LEN); if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->rbuf.default_len)) { ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER); return 0; } } else { p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_BLOCK_PADDING); if (p != NULL && !OSSL_PARAM_get_size_t(p, &rl->block_padding)) { ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER); return 0; } } if (rl->level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) { /* * We ignore any read_ahead setting prior to the application protection * level. Otherwise we may read ahead data in a lower protection level * that is destined for a higher protection level. To simplify the logic * we don't support that at this stage. */ p = OSSL_PARAM_locate_const(options, OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD); if (p != NULL && !OSSL_PARAM_get_int(p, &rl->read_ahead)) { ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER); return 0; } } return 1; } int tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, int role, int direction, int level, unsigned char *key, size_t keylen, unsigned char *iv, size_t ivlen, unsigned char *mackey, size_t mackeylen, const EVP_CIPHER *ciph, size_t taglen, int mactype, const EVP_MD *md, COMP_METHOD *comp, BIO *prev, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, OSSL_RECORD_LAYER **retrl) { OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl)); const OSSL_PARAM *p; *retrl = NULL; if (rl == NULL) return OSSL_RECORD_RETURN_FATAL; /* * Default the value for max_frag_len. This may be overridden by the * settings */ rl->max_frag_len = SSL3_RT_MAX_PLAIN_LENGTH; /* Loop through all the settings since they must all be understood */ if (settings != NULL) { for (p = settings; p->key != NULL; p++) { if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) { if (!OSSL_PARAM_get_int(p, &rl->use_etm)) { ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER); goto err; } } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) { if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) { ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER); goto err; } } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) { if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) { ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER); goto err; } } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) { if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) { ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER); goto err; } } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) { if (!OSSL_PARAM_get_int(p, &rl->tlstree)) { ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER); goto err; } } else { ERR_raise(ERR_LIB_SSL, SSL_R_UNKNOWN_MANDATORY_PARAMETER); goto err; } } } rl->libctx = libctx; rl->propq = propq; rl->version = vers; rl->role = role; rl->direction = direction; rl->level = level; rl->taglen = taglen; rl->md = md; rl->alert = SSL_AD_NO_ALERT; rl->rstate = SSL_ST_READ_HEADER; if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE) rl->is_first_record = 1; if (!tls_set1_bio(rl, transport)) goto err; if (prev != NULL && !BIO_up_ref(prev)) goto err; rl->prev = prev; if (next != NULL && !BIO_up_ref(next)) goto err; rl->next = next; rl->cbarg = cbarg; if (fns != NULL) { for (; fns->function_id != 0; fns++) { switch (fns->function_id) { case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA: rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns); break; case OSSL_FUNC_RLAYER_MSG_CALLBACK: rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns); break; case OSSL_FUNC_RLAYER_SECURITY: rl->security = OSSL_FUNC_rlayer_security(fns); break; case OSSL_FUNC_RLAYER_PADDING: rl->padding = OSSL_FUNC_rlayer_padding(fns); default: /* Just ignore anything we don't understand */ break; } } } if (!tls_set_options(rl, options)) { ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_GET_PARAMETER); goto err; } if ((rl->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0 && rl->version <= TLS1_VERSION && !EVP_CIPHER_is_a(ciph, "NULL") && !EVP_CIPHER_is_a(ciph, "RC4")) { /* * Enable vulnerability countermeasure for CBC ciphers with known-IV * problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ rl->need_empty_fragments = 1; } *retrl = rl; return OSSL_RECORD_RETURN_SUCCESS; err: tls_int_free(rl); return OSSL_RECORD_RETURN_FATAL; } static int tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, int role, int direction, int level, uint16_t epoch, unsigned char *secret, size_t secretlen, unsigned char *key, size_t keylen, unsigned char *iv, size_t ivlen, unsigned char *mackey, size_t mackeylen, const EVP_CIPHER *ciph, size_t taglen, int mactype, const EVP_MD *md, COMP_METHOD *comp, const EVP_MD *kdfdigest, BIO *prev, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, void *rlarg, OSSL_RECORD_LAYER **retrl) { int ret; ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level, key, keylen, iv, ivlen, mackey, mackeylen, ciph, taglen, mactype, md, comp, prev, transport, next, local, peer, settings, options, fns, cbarg, retrl); if (ret != OSSL_RECORD_RETURN_SUCCESS) return ret; switch (vers) { case TLS_ANY_VERSION: (*retrl)->funcs = &tls_any_funcs; break; case TLS1_3_VERSION: (*retrl)->funcs = &tls_1_3_funcs; break; case TLS1_2_VERSION: case TLS1_1_VERSION: case TLS1_VERSION: (*retrl)->funcs = &tls_1_funcs; break; case SSL3_VERSION: (*retrl)->funcs = &ssl_3_0_funcs; break; default: /* Should not happen */ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); ret = OSSL_RECORD_RETURN_FATAL; goto err; } ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv, ivlen, mackey, mackeylen, ciph, taglen, mactype, md, comp); err: if (ret != OSSL_RECORD_RETURN_SUCCESS) { tls_int_free(*retrl); *retrl = NULL; } return ret; } static void tls_int_free(OSSL_RECORD_LAYER *rl) { BIO_free(rl->prev); BIO_free(rl->bio); BIO_free(rl->next); ossl_tls_buffer_release(&rl->rbuf); tls_release_write_buffer(rl); EVP_CIPHER_CTX_free(rl->enc_ctx); EVP_MD_CTX_free(rl->md_ctx); #ifndef OPENSSL_NO_COMP COMP_CTX_free(rl->compctx); #endif if (rl->version == SSL3_VERSION) OPENSSL_cleanse(rl->mac_secret, sizeof(rl->mac_secret)); TLS_RL_RECORD_release(rl->rrec, SSL_MAX_PIPELINES); OPENSSL_free(rl); } int tls_free(OSSL_RECORD_LAYER *rl) { TLS_BUFFER *rbuf; size_t left, written; int ret = 1; if (rl == NULL) return 1; rbuf = &rl->rbuf; left = TLS_BUFFER_get_left(rbuf); if (left > 0) { /* * This record layer is closing but we still have data left in our * buffer. It must be destined for the next epoch - so push it there. */ ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written); } tls_int_free(rl); return ret; } int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl) { return TLS_BUFFER_get_left(&rl->rbuf) != 0; } int tls_processed_read_pending(OSSL_RECORD_LAYER *rl) { return rl->curr_rec < rl->num_recs; } size_t tls_app_data_pending(OSSL_RECORD_LAYER *rl) { size_t i; size_t num = 0; for (i = rl->curr_rec; i < rl->num_recs; i++) { if (rl->rrec[i].type != SSL3_RT_APPLICATION_DATA) return num; num += rl->rrec[i].length; } return num; } size_t tls_get_max_records_default(OSSL_RECORD_LAYER *rl, uint8_t type, size_t len, size_t maxfrag, size_t *preffrag) { /* * If we have a pipeline capable cipher, and we have been configured to use * it, then return the preferred number of pipelines. */ if (rl->max_pipelines > 0 && rl->enc_ctx != NULL && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(rl->enc_ctx)) & EVP_CIPH_FLAG_PIPELINE) != 0 && RLAYER_USE_EXPLICIT_IV(rl)) { size_t pipes; if (len == 0) return 1; pipes = ((len - 1) / *preffrag) + 1; return (pipes < rl->max_pipelines) ? pipes : rl->max_pipelines; } return 1; } size_t tls_get_max_records(OSSL_RECORD_LAYER *rl, uint8_t type, size_t len, size_t maxfrag, size_t *preffrag) { return rl->funcs->get_max_records(rl, type, len, maxfrag, preffrag); } int tls_allocate_write_buffers_default(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates, size_t numtempl, size_t *prefix) { if (!tls_setup_write_buffer(rl, numtempl, 0, 0)) { /* RLAYERfatal() already called */ return 0; } return 1; } int tls_initialise_write_packets_default(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates, size_t numtempl, OSSL_RECORD_TEMPLATE *prefixtempl, WPACKET *pkt, TLS_BUFFER *bufs, size_t *wpinited) { WPACKET *thispkt; size_t j, align; TLS_BUFFER *wb; for (j = 0; j < numtempl; j++) { thispkt = &pkt[j]; wb = &bufs[j]; wb->type = templates[j].type; #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0 align = (size_t)TLS_BUFFER_get_buf(wb); align += rl->isdtls ? DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH; align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD); #endif TLS_BUFFER_set_offset(wb, align); if (!WPACKET_init_static_len(thispkt, TLS_BUFFER_get_buf(wb), TLS_BUFFER_get_len(wb), 0)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } (*wpinited)++; if (!WPACKET_allocate_bytes(thispkt, align, NULL)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } } return 1; } int tls_prepare_record_header_default(OSSL_RECORD_LAYER *rl, WPACKET *thispkt, OSSL_RECORD_TEMPLATE *templ, uint8_t rectype, unsigned char **recdata) { size_t maxcomplen; *recdata = NULL; maxcomplen = templ->buflen; if (rl->compctx != NULL) maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD; if (!WPACKET_put_bytes_u8(thispkt, rectype) || !WPACKET_put_bytes_u16(thispkt, templ->version) || !WPACKET_start_sub_packet_u16(thispkt) || (rl->eivlen > 0 && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL)) || (maxcomplen > 0 && !WPACKET_reserve_bytes(thispkt, maxcomplen, recdata))) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } return 1; } int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl, size_t mac_size, WPACKET *thispkt, TLS_RL_RECORD *thiswr) { size_t len; unsigned char *recordstart; /* * we should still have the output to thiswr->data and the input from * wr->input. Length should be thiswr->length. thiswr->data still points * in the wb->buf */ if (!rl->use_etm && mac_size != 0) { unsigned char *mac; if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) || !rl->funcs->mac(rl, thiswr, mac, 1)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } } /* * Reserve some bytes for any growth that may occur during encryption. If * we are adding the MAC independently of the cipher algorithm, then the * max encrypted overhead does not need to include an allocation for that * MAC */ if (!WPACKET_reserve_bytes(thispkt, SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD - mac_size, NULL) /* * We also need next the amount of bytes written to this * sub-packet */ || !WPACKET_get_length(thispkt, &len)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } /* Get a pointer to the start of this record excluding header */ recordstart = WPACKET_get_curr(thispkt) - len; TLS_RL_RECORD_set_data(thiswr, recordstart); TLS_RL_RECORD_reset_input(thiswr); TLS_RL_RECORD_set_length(thiswr, len); return 1; } int tls_post_encryption_processing_default(OSSL_RECORD_LAYER *rl, size_t mac_size, OSSL_RECORD_TEMPLATE *thistempl, WPACKET *thispkt, TLS_RL_RECORD *thiswr) { size_t origlen, len; size_t headerlen = rl->isdtls ? DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH; /* Allocate bytes for the encryption overhead */ if (!WPACKET_get_length(thispkt, &origlen) /* Check we allowed enough room for the encryption growth */ || !ossl_assert(origlen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD - mac_size >= thiswr->length) /* Encryption should never shrink the data! */ || origlen > thiswr->length || (thiswr->length > origlen && !WPACKET_allocate_bytes(thispkt, thiswr->length - origlen, NULL))) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } if (rl->use_etm && mac_size != 0) { unsigned char *mac; if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) || !rl->funcs->mac(rl, thiswr, mac, 1)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } TLS_RL_RECORD_add_length(thiswr, mac_size); } if (!WPACKET_get_length(thispkt, &len) || !WPACKET_close(thispkt)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } if (rl->msg_callback != NULL) { unsigned char *recordstart; recordstart = WPACKET_get_curr(thispkt) - len - headerlen; rl->msg_callback(1, thiswr->rec_version, SSL3_RT_HEADER, recordstart, headerlen, rl->cbarg); if (rl->version == TLS1_3_VERSION && rl->enc_ctx != NULL) { unsigned char ctype = thistempl->type; rl->msg_callback(1, thiswr->rec_version, SSL3_RT_INNER_CONTENT_TYPE, &ctype, 1, rl->cbarg); } } if (!WPACKET_finish(thispkt)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } TLS_RL_RECORD_add_length(thiswr, headerlen); return 1; } int tls_write_records_default(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates, size_t numtempl) { WPACKET pkt[SSL_MAX_PIPELINES + 1]; TLS_RL_RECORD wr[SSL_MAX_PIPELINES + 1]; WPACKET *thispkt; TLS_RL_RECORD *thiswr; int mac_size = 0, ret = 0; size_t wpinited = 0; size_t j, prefix = 0; OSSL_RECORD_TEMPLATE prefixtempl; OSSL_RECORD_TEMPLATE *thistempl; if (rl->md_ctx != NULL && EVP_MD_CTX_get0_md(rl->md_ctx) != NULL) { mac_size = EVP_MD_CTX_get_size(rl->md_ctx); if (mac_size < 0) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } } if (!rl->funcs->allocate_write_buffers(rl, templates, numtempl, &prefix)) { /* RLAYERfatal() already called */ goto err; } if (!rl->funcs->initialise_write_packets(rl, templates, numtempl, &prefixtempl, pkt, rl->wbuf, &wpinited)) { /* RLAYERfatal() already called */ goto err; } /* Clear our TLS_RL_RECORD structures */ memset(wr, 0, sizeof(wr)); for (j = 0; j < numtempl + prefix; j++) { unsigned char *compressdata = NULL; uint8_t rectype; thispkt = &pkt[j]; thiswr = &wr[j]; thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix]; /* * Default to the record type as specified in the template unless the * protocol implementation says differently. */ if (rl->funcs->get_record_type != NULL) rectype = rl->funcs->get_record_type(rl, thistempl); else rectype = thistempl->type; TLS_RL_RECORD_set_type(thiswr, rectype); TLS_RL_RECORD_set_rec_version(thiswr, thistempl->version); if (!rl->funcs->prepare_record_header(rl, thispkt, thistempl, rectype, &compressdata)) { /* RLAYERfatal() already called */ goto err; } /* lets setup the record stuff. */ TLS_RL_RECORD_set_data(thiswr, compressdata); TLS_RL_RECORD_set_length(thiswr, thistempl->buflen); TLS_RL_RECORD_set_input(thiswr, (unsigned char *)thistempl->buf); /* * we now 'read' from thiswr->input, thiswr->length bytes into * thiswr->data */ /* first we compress */ if (rl->compctx != NULL) { if (!tls_do_compress(rl, thiswr) || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE); goto err; } } else if (compressdata != NULL) { if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } TLS_RL_RECORD_reset_input(&wr[j]); } if (rl->funcs->add_record_padding != NULL && !rl->funcs->add_record_padding(rl, thistempl, thispkt, thiswr)) { /* RLAYERfatal() already called */ goto err; } if (!rl->funcs->prepare_for_encryption(rl, mac_size, thispkt, thiswr)) { /* RLAYERfatal() already called */ goto err; } } if (prefix) { if (rl->funcs->cipher(rl, wr, 1, 1, NULL, mac_size) < 1) { if (rl->alert == SSL_AD_NO_ALERT) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); } goto err; } } if (rl->funcs->cipher(rl, wr + prefix, numtempl, 1, NULL, mac_size) < 1) { if (rl->alert == SSL_AD_NO_ALERT) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); } goto err; } for (j = 0; j < numtempl + prefix; j++) { thispkt = &pkt[j]; thiswr = &wr[j]; thistempl = (j < prefix) ? &prefixtempl : &templates[j - prefix]; if (!rl->funcs->post_encryption_processing(rl, mac_size, thistempl, thispkt, thiswr)) { /* RLAYERfatal() already called */ goto err; } /* now let's set up wb */ TLS_BUFFER_set_left(&rl->wbuf[j], TLS_RL_RECORD_get_length(thiswr)); } ret = 1; err: for (j = 0; j < wpinited; j++) WPACKET_cleanup(&pkt[j]); return ret; } int tls_write_records(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates, size_t numtempl) { /* Check we don't have pending data waiting to write */ if (!ossl_assert(rl->nextwbuf >= rl->numwpipes || TLS_BUFFER_get_left(&rl->wbuf[rl->nextwbuf]) == 0)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return OSSL_RECORD_RETURN_FATAL; } if (!rl->funcs->write_records(rl, templates, numtempl)) { /* RLAYERfatal already called */ return OSSL_RECORD_RETURN_FATAL; } rl->nextwbuf = 0; /* we now just need to write the buffers */ return tls_retry_write_records(rl); } int tls_retry_write_records(OSSL_RECORD_LAYER *rl) { int i, ret; TLS_BUFFER *thiswb; size_t tmpwrit = 0; if (rl->nextwbuf >= rl->numwpipes) return OSSL_RECORD_RETURN_SUCCESS; for (;;) { thiswb = &rl->wbuf[rl->nextwbuf]; clear_sys_error(); if (rl->bio != NULL) { if (rl->funcs->prepare_write_bio != NULL) { ret = rl->funcs->prepare_write_bio(rl, thiswb->type); if (ret != OSSL_RECORD_RETURN_SUCCESS) return ret; } i = BIO_write(rl->bio, (char *) &(TLS_BUFFER_get_buf(thiswb) [TLS_BUFFER_get_offset(thiswb)]), (unsigned int)TLS_BUFFER_get_left(thiswb)); if (i >= 0) { tmpwrit = i; if (i == 0 && BIO_should_retry(rl->bio)) ret = OSSL_RECORD_RETURN_RETRY; else ret = OSSL_RECORD_RETURN_SUCCESS; } else { if (BIO_should_retry(rl->bio)) ret = OSSL_RECORD_RETURN_RETRY; else ret = OSSL_RECORD_RETURN_FATAL; } } else { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET); ret = OSSL_RECORD_RETURN_FATAL; i = -1; } /* * When an empty fragment is sent on a connection using KTLS, * it is sent as a write of zero bytes. If this zero byte * write succeeds, i will be 0 rather than a non-zero value. * Treat i == 0 as success rather than an error for zero byte * writes to permit this case. */ if (i >= 0 && tmpwrit == TLS_BUFFER_get_left(thiswb)) { TLS_BUFFER_set_left(thiswb, 0); TLS_BUFFER_add_offset(thiswb, tmpwrit); if (++(rl->nextwbuf) < rl->numwpipes) continue; if (rl->nextwbuf == rl->numwpipes && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0) tls_release_write_buffer(rl); return OSSL_RECORD_RETURN_SUCCESS; } else if (i <= 0) { if (rl->isdtls) { /* * For DTLS, just drop it. That's kind of the whole point in * using a datagram service */ TLS_BUFFER_set_left(thiswb, 0); if (++(rl->nextwbuf) == rl->numwpipes && (rl->mode & SSL_MODE_RELEASE_BUFFERS) != 0) tls_release_write_buffer(rl); } return ret; } TLS_BUFFER_add_offset(thiswb, tmpwrit); TLS_BUFFER_sub_left(thiswb, tmpwrit); } } int tls_get_alert_code(OSSL_RECORD_LAYER *rl) { return rl->alert; } int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio) { if (bio != NULL && !BIO_up_ref(bio)) return 0; BIO_free(rl->bio); rl->bio = bio; return 1; } /* Shared by most methods except tlsany_meth */ int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version) { if (rl->version != version) return 0; return 1; } int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version) { return rl->funcs->set_protocol_version(rl, version); } void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow) { rl->allow_plain_alerts = allow; } void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first) { rl->is_first_handshake = first; } void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines) { rl->max_pipelines = max_pipelines; if (max_pipelines > 1) rl->read_ahead = 1; } void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr, const char **longstr) { const char *shrt, *lng; switch (rl->rstate) { case SSL_ST_READ_HEADER: shrt = "RH"; lng = "read header"; break; case SSL_ST_READ_BODY: shrt = "RB"; lng = "read body"; break; default: shrt = lng = "unknown"; break; } if (shortstr != NULL) *shortstr = shrt; if (longstr != NULL) *longstr = lng; } const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl) { #ifndef OPENSSL_NO_COMP return (rl->compctx == NULL) ? NULL : COMP_CTX_get_method(rl->compctx); #else return NULL; #endif } void tls_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len) { rl->max_frag_len = max_frag_len; /* * We don't need to adjust buffer sizes. Write buffer sizes are * automatically checked anyway. We should only be changing the read buffer * size during the handshake, so we will create a new buffer when we create * the new record layer. We can't change the existing buffer because it may * already have data in it. */ } int tls_increment_sequence_ctr(OSSL_RECORD_LAYER *rl) { int i; /* Increment the sequence counter */ for (i = SEQ_NUM_SIZE; i > 0; i--) { ++(rl->sequence[i - 1]); if (rl->sequence[i - 1] != 0) break; } if (i == 0) { /* Sequence has wrapped */ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_SEQUENCE_CTR_WRAPPED); return 0; } return 1; } int tls_alloc_buffers(OSSL_RECORD_LAYER *rl) { if (rl->direction == OSSL_RECORD_DIRECTION_WRITE) { /* If we have a pending write then buffers are already allocated */ if (rl->nextwbuf < rl->numwpipes) return 1; /* * We assume 1 pipe with default sized buffer. If what we need ends up * being a different size to that then it will be reallocated on demand. * If we need more than 1 pipe then that will also be allocated on * demand */ if (!tls_setup_write_buffer(rl, 1, 0, 0)) return 0; /* * Normally when we allocate write buffers we immediately write * something into it. In this case we're not doing that so mark the * buffer as empty. */ TLS_BUFFER_set_left(&rl->wbuf[0], 0); return 1; } /* Read direction */ /* If we have pending data to be read then buffers are already allocated */ if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0) return 1; return tls_setup_read_buffer(rl); } int tls_free_buffers(OSSL_RECORD_LAYER *rl) { if (rl->direction == OSSL_RECORD_DIRECTION_WRITE) { if (rl->nextwbuf < rl->numwpipes) { /* * We may have pending data. If we've just got one empty buffer * allocated then it has probably just been alloc'd via * tls_alloc_buffers, and it is fine to free it. Otherwise this * looks like real pending data and it is an error. */ if (rl->nextwbuf != 0 || rl->numwpipes != 1 || TLS_BUFFER_get_left(&rl->wbuf[0]) != 0) return 0; } tls_release_write_buffer(rl); return 1; } /* Read direction */ /* If we have pending data to be read then fail */ if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0) return 0; return tls_release_read_buffer(rl); } const OSSL_RECORD_METHOD ossl_tls_record_method = { tls_new_record_layer, tls_free, tls_unprocessed_read_pending, tls_processed_read_pending, tls_app_data_pending, tls_get_max_records, tls_write_records, tls_retry_write_records, tls_read_record, tls_release_record, tls_get_alert_code, tls_set1_bio, tls_set_protocol_version, tls_set_plain_alerts, tls_set_first_handshake, tls_set_max_pipelines, NULL, tls_get_state, tls_set_options, tls_get_compression, tls_set_max_frag_len, NULL, tls_increment_sequence_ctr, tls_alloc_buffers, tls_free_buffers };