xref: /openssl/ssl/record/methods/dtls_meth.c (revision 14c45338)
1 /*
2  * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <assert.h>
11 #include "../../ssl_local.h"
12 #include "../record_local.h"
13 #include "recmethod_local.h"
14 
15 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
satsub64be(const unsigned char * v1,const unsigned char * v2)16 static int satsub64be(const unsigned char *v1, const unsigned char *v2)
17 {
18     int64_t ret;
19     uint64_t l1, l2;
20 
21     n2l8(v1, l1);
22     n2l8(v2, l2);
23 
24     ret = l1 - l2;
25 
26     /* We do not permit wrap-around */
27     if (l1 > l2 && ret < 0)
28         return 128;
29     else if (l2 > l1 && ret > 0)
30         return -128;
31 
32     if (ret > 128)
33         return 128;
34     else if (ret < -128)
35         return -128;
36     else
37         return (int)ret;
38 }
39 
dtls_record_replay_check(OSSL_RECORD_LAYER * rl,DTLS_BITMAP * bitmap)40 static int dtls_record_replay_check(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
41 {
42     int cmp;
43     unsigned int shift;
44     const unsigned char *seq = rl->sequence;
45 
46     cmp = satsub64be(seq, bitmap->max_seq_num);
47     if (cmp > 0) {
48         ossl_tls_rl_record_set_seq_num(&rl->rrec[0], seq);
49         return 1;               /* this record in new */
50     }
51     shift = -cmp;
52     if (shift >= sizeof(bitmap->map) * 8)
53         return 0;               /* stale, outside the window */
54     else if (bitmap->map & ((uint64_t)1 << shift))
55         return 0;               /* record previously received */
56 
57     ossl_tls_rl_record_set_seq_num(&rl->rrec[0], seq);
58     return 1;
59 }
60 
dtls_record_bitmap_update(OSSL_RECORD_LAYER * rl,DTLS_BITMAP * bitmap)61 static void dtls_record_bitmap_update(OSSL_RECORD_LAYER *rl,
62                                       DTLS_BITMAP *bitmap)
63 {
64     int cmp;
65     unsigned int shift;
66     const unsigned char *seq = rl->sequence;
67 
68     cmp = satsub64be(seq, bitmap->max_seq_num);
69     if (cmp > 0) {
70         shift = cmp;
71         if (shift < sizeof(bitmap->map) * 8)
72             bitmap->map <<= shift, bitmap->map |= 1UL;
73         else
74             bitmap->map = 1UL;
75         memcpy(bitmap->max_seq_num, seq, SEQ_NUM_SIZE);
76     } else {
77         shift = -cmp;
78         if (shift < sizeof(bitmap->map) * 8)
79             bitmap->map |= (uint64_t)1 << shift;
80     }
81 }
82 
dtls_get_bitmap(OSSL_RECORD_LAYER * rl,TLS_RL_RECORD * rr,unsigned int * is_next_epoch)83 static DTLS_BITMAP *dtls_get_bitmap(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rr,
84                                     unsigned int *is_next_epoch)
85 {
86     *is_next_epoch = 0;
87 
88     /* In current epoch, accept HM, CCS, DATA, & ALERT */
89     if (rr->epoch == rl->epoch)
90         return &rl->bitmap;
91 
92     /*
93      * Check if the message is from the next epoch
94      */
95     else if (rr->epoch == rl->epoch + 1) {
96         *is_next_epoch = 1;
97         return &rl->next_bitmap;
98     }
99 
100     return NULL;
101 }
102 
dtls_set_in_init(OSSL_RECORD_LAYER * rl,int in_init)103 static void dtls_set_in_init(OSSL_RECORD_LAYER *rl, int in_init)
104 {
105     rl->in_init = in_init;
106 }
107 
dtls_process_record(OSSL_RECORD_LAYER * rl,DTLS_BITMAP * bitmap)108 static int dtls_process_record(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)
109 {
110     int i;
111     int enc_err;
112     TLS_RL_RECORD *rr;
113     int imac_size;
114     size_t mac_size = 0;
115     unsigned char md[EVP_MAX_MD_SIZE];
116     SSL_MAC_BUF macbuf = { NULL, 0 };
117     int ret = 0;
118 
119     rr = &rl->rrec[0];
120 
121     /*
122      * At this point, rl->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length,
123      * and we have that many bytes in rl->packet
124      */
125     rr->input = &(rl->packet[DTLS1_RT_HEADER_LENGTH]);
126 
127     /*
128      * ok, we can now read from 'rl->packet' data into 'rr'. rr->input
129      * points at rr->length bytes, which need to be copied into rr->data by
130      * either the decryption or by the decompression. When the data is 'copied'
131      * into the rr->data buffer, rr->input will be pointed at the new buffer
132      */
133 
134     /*
135      * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
136      * bytes of encrypted compressed stuff.
137      */
138 
139     /* check is not needed I believe */
140     if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
141         RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
142         return 0;
143     }
144 
145     /* decrypt in place in 'rr->input' */
146     rr->data = rr->input;
147     rr->orig_len = rr->length;
148 
149     if (rl->md_ctx != NULL) {
150         const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(rl->md_ctx);
151 
152         if (tmpmd != NULL) {
153             imac_size = EVP_MD_get_size(tmpmd);
154             if (!ossl_assert(imac_size > 0 && imac_size <= EVP_MAX_MD_SIZE)) {
155                 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
156                 return 0;
157             }
158             mac_size = (size_t)imac_size;
159         }
160     }
161 
162     if (rl->use_etm && rl->md_ctx != NULL) {
163         unsigned char *mac;
164 
165         if (rr->orig_len < mac_size) {
166             RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
167             return 0;
168         }
169         rr->length -= mac_size;
170         mac = rr->data + rr->length;
171         i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
172         if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
173             RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
174                         SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
175             return 0;
176         }
177         /*
178          * We've handled the mac now - there is no MAC inside the encrypted
179          * record
180          */
181         mac_size = 0;
182     }
183 
184     /*
185      * Set a mark around the packet decryption attempt.  This is DTLS, so
186      * bad packets are just ignored, and we don't want to leave stray
187      * errors in the queue from processing bogus junk that we ignored.
188      */
189     ERR_set_mark();
190     enc_err = rl->funcs->cipher(rl, rr, 1, 0, &macbuf, mac_size);
191 
192     /*-
193      * enc_err is:
194      *    0: if the record is publicly invalid, or an internal error, or AEAD
195      *       decryption failed, or ETM decryption failed.
196      *    1: Success or MTE decryption failed (MAC will be randomised)
197      */
198     if (enc_err == 0) {
199         ERR_pop_to_mark();
200         if (rl->alert != SSL_AD_NO_ALERT) {
201             /* RLAYERfatal() already called */
202             goto end;
203         }
204         /* For DTLS we simply ignore bad packets. */
205         rr->length = 0;
206         rl->packet_length = 0;
207         goto end;
208     }
209     ERR_clear_last_mark();
210     OSSL_TRACE_BEGIN(TLS) {
211         BIO_printf(trc_out, "dec %zd\n", rr->length);
212         BIO_dump_indent(trc_out, rr->data, rr->length, 4);
213     } OSSL_TRACE_END(TLS);
214 
215     /* r->length is now the compressed data plus mac */
216     if (!rl->use_etm
217             && (rl->enc_ctx != NULL)
218             && (EVP_MD_CTX_get0_md(rl->md_ctx) != NULL)) {
219         /* rl->md_ctx != NULL => mac_size != -1 */
220 
221         i = rl->funcs->mac(rl, rr, md, 0 /* not send */);
222         if (i == 0 || macbuf.mac == NULL
223             || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0)
224             enc_err = 0;
225         if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
226             enc_err = 0;
227     }
228 
229     if (enc_err == 0) {
230         /* decryption failed, silently discard message */
231         rr->length = 0;
232         rl->packet_length = 0;
233         goto end;
234     }
235 
236     /* r->length is now just compressed */
237     if (rl->compctx != NULL) {
238         if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
239             RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
240                         SSL_R_COMPRESSED_LENGTH_TOO_LONG);
241             goto end;
242         }
243         if (!tls_do_uncompress(rl, rr)) {
244             RLAYERfatal(rl, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION);
245             goto end;
246         }
247     }
248 
249     /*
250      * Check if the received packet overflows the current Max Fragment
251      * Length setting.
252      */
253     if (rr->length > rl->max_frag_len) {
254         RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
255         goto end;
256     }
257 
258     rr->off = 0;
259     /*-
260      * So at this point the following is true
261      * ssl->s3.rrec.type   is the type of record
262      * ssl->s3.rrec.length == number of bytes in record
263      * ssl->s3.rrec.off    == offset to first valid byte
264      * ssl->s3.rrec.data   == where to take bytes from, increment
265      *                        after use :-).
266      */
267 
268     /* we have pulled in a full packet so zero things */
269     rl->packet_length = 0;
270 
271     /* Mark receipt of record. */
272     dtls_record_bitmap_update(rl, bitmap);
273 
274     ret = 1;
275  end:
276     if (macbuf.alloced)
277         OPENSSL_free(macbuf.mac);
278     return ret;
279 }
280 
dtls_rlayer_buffer_record(OSSL_RECORD_LAYER * rl,struct pqueue_st * queue,unsigned char * priority)281 static int dtls_rlayer_buffer_record(OSSL_RECORD_LAYER *rl, struct pqueue_st *queue,
282                                      unsigned char *priority)
283 {
284     DTLS_RLAYER_RECORD_DATA *rdata;
285     pitem *item;
286 
287     /* Limit the size of the queue to prevent DOS attacks */
288     if (pqueue_size(queue) >= 100)
289         return 0;
290 
291     rdata = OPENSSL_malloc(sizeof(*rdata));
292     item = pitem_new(priority, rdata);
293     if (rdata == NULL || item == NULL) {
294         OPENSSL_free(rdata);
295         pitem_free(item);
296         RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
297         return -1;
298     }
299 
300     rdata->packet = rl->packet;
301     rdata->packet_length = rl->packet_length;
302     memcpy(&(rdata->rbuf), &rl->rbuf, sizeof(TLS_BUFFER));
303     memcpy(&(rdata->rrec), &rl->rrec[0], sizeof(TLS_RL_RECORD));
304 
305     item->data = rdata;
306 
307     rl->packet = NULL;
308     rl->packet_length = 0;
309     memset(&rl->rbuf, 0, sizeof(TLS_BUFFER));
310     memset(&rl->rrec[0], 0, sizeof(rl->rrec[0]));
311 
312     if (!tls_setup_read_buffer(rl)) {
313         /* RLAYERfatal() already called */
314         OPENSSL_free(rdata->rbuf.buf);
315         OPENSSL_free(rdata);
316         pitem_free(item);
317         return -1;
318     }
319 
320     if (pqueue_insert(queue, item) == NULL) {
321         /* Must be a duplicate so ignore it */
322         OPENSSL_free(rdata->rbuf.buf);
323         OPENSSL_free(rdata);
324         pitem_free(item);
325     }
326 
327     return 1;
328 }
329 
330 /* copy buffered record into OSSL_RECORD_LAYER structure */
dtls_copy_rlayer_record(OSSL_RECORD_LAYER * rl,pitem * item)331 static int dtls_copy_rlayer_record(OSSL_RECORD_LAYER *rl, pitem *item)
332 {
333     DTLS_RLAYER_RECORD_DATA *rdata;
334 
335     rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
336 
337     ossl_tls_buffer_release(&rl->rbuf);
338 
339     rl->packet = rdata->packet;
340     rl->packet_length = rdata->packet_length;
341     memcpy(&rl->rbuf, &(rdata->rbuf), sizeof(TLS_BUFFER));
342     memcpy(&rl->rrec[0], &(rdata->rrec), sizeof(TLS_RL_RECORD));
343 
344     /* Set proper sequence number for mac calculation */
345     memcpy(&(rl->sequence[2]), &(rdata->packet[5]), 6);
346 
347     return 1;
348 }
349 
dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER * rl,struct pqueue_st * queue)350 static int dtls_retrieve_rlayer_buffered_record(OSSL_RECORD_LAYER *rl,
351                                                 struct pqueue_st *queue)
352 {
353     pitem *item;
354 
355     item = pqueue_pop(queue);
356     if (item) {
357         dtls_copy_rlayer_record(rl, item);
358 
359         OPENSSL_free(item->data);
360         pitem_free(item);
361 
362         return 1;
363     }
364 
365     return 0;
366 }
367 
368 /*-
369  * Call this to get a new input record.
370  * It will return <= 0 if more data is needed, normally due to an error
371  * or non-blocking IO.
372  * When it finishes, one packet has been decoded and can be found in
373  * ssl->s3.rrec.type    - is the type of record
374  * ssl->s3.rrec.data    - data
375  * ssl->s3.rrec.length  - number of bytes
376  */
dtls_get_more_records(OSSL_RECORD_LAYER * rl)377 int dtls_get_more_records(OSSL_RECORD_LAYER *rl)
378 {
379     int ssl_major, ssl_minor;
380     int rret;
381     size_t more, n;
382     TLS_RL_RECORD *rr;
383     unsigned char *p = NULL;
384     DTLS_BITMAP *bitmap;
385     unsigned int is_next_epoch;
386 
387     rl->num_recs = 0;
388     rl->curr_rec = 0;
389     rl->num_released = 0;
390 
391     rr = rl->rrec;
392 
393     if (rl->rbuf.buf == NULL) {
394         if (!tls_setup_read_buffer(rl)) {
395             /* RLAYERfatal() already called */
396             return OSSL_RECORD_RETURN_FATAL;
397         }
398     }
399 
400  again:
401     /* if we're renegotiating, then there may be buffered records */
402     if (dtls_retrieve_rlayer_buffered_record(rl, rl->processed_rcds)) {
403         rl->num_recs = 1;
404         return OSSL_RECORD_RETURN_SUCCESS;
405     }
406 
407     /* get something from the wire */
408 
409     /* check if we have the header */
410     if ((rl->rstate != SSL_ST_READ_BODY) ||
411         (rl->packet_length < DTLS1_RT_HEADER_LENGTH)) {
412         rret = rl->funcs->read_n(rl, DTLS1_RT_HEADER_LENGTH,
413                                  TLS_BUFFER_get_len(&rl->rbuf), 0, 1, &n);
414         /* read timeout is handled by dtls1_read_bytes */
415         if (rret < OSSL_RECORD_RETURN_SUCCESS) {
416             /* RLAYERfatal() already called if appropriate */
417             return rret;         /* error or non-blocking */
418         }
419 
420         /* this packet contained a partial record, dump it */
421         if (rl->packet_length != DTLS1_RT_HEADER_LENGTH) {
422             rl->packet_length = 0;
423             goto again;
424         }
425 
426         rl->rstate = SSL_ST_READ_BODY;
427 
428         p = rl->packet;
429 
430         /* Pull apart the header into the DTLS1_RECORD */
431         rr->type = *(p++);
432         ssl_major = *(p++);
433         ssl_minor = *(p++);
434         rr->rec_version = (ssl_major << 8) | ssl_minor;
435 
436         /* sequence number is 64 bits, with top 2 bytes = epoch */
437         n2s(p, rr->epoch);
438 
439         memcpy(&(rl->sequence[2]), p, 6);
440         p += 6;
441 
442         n2s(p, rr->length);
443 
444         if (rl->msg_callback != NULL)
445             rl->msg_callback(0, rr->rec_version, SSL3_RT_HEADER, rl->packet, DTLS1_RT_HEADER_LENGTH,
446                              rl->cbarg);
447 
448         /*
449          * Lets check the version. We tolerate alerts that don't have the exact
450          * version number (e.g. because of protocol version errors)
451          */
452         if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) {
453             if (rr->rec_version != rl->version) {
454                 /* unexpected version, silently discard */
455                 rr->length = 0;
456                 rl->packet_length = 0;
457                 goto again;
458             }
459         }
460 
461         if (ssl_major !=
462                 (rl->version == DTLS_ANY_VERSION ? DTLS1_VERSION_MAJOR
463                                                  : rl->version >> 8)) {
464             /* wrong version, silently discard record */
465             rr->length = 0;
466             rl->packet_length = 0;
467             goto again;
468         }
469 
470         if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
471             /* record too long, silently discard it */
472             rr->length = 0;
473             rl->packet_length = 0;
474             goto again;
475         }
476 
477         /*
478          * If received packet overflows maximum possible fragment length then
479          * silently discard it
480          */
481         if (rr->length > rl->max_frag_len + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) {
482             /* record too long, silently discard it */
483             rr->length = 0;
484             rl->packet_length = 0;
485             goto again;
486         }
487 
488         /* now rl->rstate == SSL_ST_READ_BODY */
489     }
490 
491     /* rl->rstate == SSL_ST_READ_BODY, get and decode the data */
492 
493     if (rr->length > rl->packet_length - DTLS1_RT_HEADER_LENGTH) {
494         /* now rl->packet_length == DTLS1_RT_HEADER_LENGTH */
495         more = rr->length;
496         rret = rl->funcs->read_n(rl, more, more, 1, 1, &n);
497         /* this packet contained a partial record, dump it */
498         if (rret < OSSL_RECORD_RETURN_SUCCESS || n != more) {
499             if (rl->alert != SSL_AD_NO_ALERT) {
500                 /* read_n() called RLAYERfatal() */
501                 return OSSL_RECORD_RETURN_FATAL;
502             }
503             rr->length = 0;
504             rl->packet_length = 0;
505             goto again;
506         }
507 
508         /*
509          * now n == rr->length,
510          * and rl->packet_length ==  DTLS1_RT_HEADER_LENGTH + rr->length
511          */
512     }
513     /* set state for later operations */
514     rl->rstate = SSL_ST_READ_HEADER;
515 
516     /* match epochs.  NULL means the packet is dropped on the floor */
517     bitmap = dtls_get_bitmap(rl, rr, &is_next_epoch);
518     if (bitmap == NULL) {
519         rr->length = 0;
520         rl->packet_length = 0; /* dump this record */
521         goto again;             /* get another record */
522     }
523 #ifndef OPENSSL_NO_SCTP
524     /* Only do replay check if no SCTP bio */
525     if (!BIO_dgram_is_sctp(rl->bio)) {
526 #endif
527         /* Check whether this is a repeat, or aged record. */
528         if (!dtls_record_replay_check(rl, bitmap)) {
529             rr->length = 0;
530             rl->packet_length = 0; /* dump this record */
531             goto again;         /* get another record */
532         }
533 #ifndef OPENSSL_NO_SCTP
534     }
535 #endif
536 
537     /* just read a 0 length packet */
538     if (rr->length == 0)
539         goto again;
540 
541     /*
542      * If this record is from the next epoch (either HM or ALERT), and a
543      * handshake is currently in progress, buffer it since it cannot be
544      * processed at this time.
545      */
546     if (is_next_epoch) {
547         if (rl->in_init) {
548             if (dtls_rlayer_buffer_record(rl, rl->unprocessed_rcds,
549                                           rr->seq_num) < 0) {
550                 /* RLAYERfatal() already called */
551                 return OSSL_RECORD_RETURN_FATAL;
552             }
553         }
554         rr->length = 0;
555         rl->packet_length = 0;
556         goto again;
557     }
558 
559     if (!dtls_process_record(rl, bitmap)) {
560         if (rl->alert != SSL_AD_NO_ALERT) {
561             /* dtls_process_record() called RLAYERfatal */
562             return OSSL_RECORD_RETURN_FATAL;
563         }
564         rr->length = 0;
565         rl->packet_length = 0; /* dump this record */
566         goto again;             /* get another record */
567     }
568 
569     if (rl->funcs->post_process_record && !rl->funcs->post_process_record(rl, rr)) {
570         /* RLAYERfatal already called */
571         return OSSL_RECORD_RETURN_FATAL;
572     }
573 
574     rl->num_recs = 1;
575     return OSSL_RECORD_RETURN_SUCCESS;
576 }
577 
dtls_free(OSSL_RECORD_LAYER * rl)578 static int dtls_free(OSSL_RECORD_LAYER *rl)
579 {
580     TLS_BUFFER *rbuf;
581     size_t left, written;
582     pitem *item;
583     DTLS_RLAYER_RECORD_DATA *rdata;
584     int ret = 1;
585 
586     rbuf = &rl->rbuf;
587 
588     left = rbuf->left;
589     if (left > 0) {
590         /*
591          * This record layer is closing but we still have data left in our
592          * buffer. It must be destined for the next epoch - so push it there.
593          */
594         ret = BIO_write_ex(rl->next, rbuf->buf + rbuf->offset, left, &written);
595         rbuf->left = 0;
596     }
597 
598     if (rl->unprocessed_rcds != NULL) {
599         while ((item = pqueue_pop(rl->unprocessed_rcds)) != NULL) {
600             rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
601             /* Push to the next record layer */
602             ret &= BIO_write_ex(rl->next, rdata->packet, rdata->packet_length,
603                                 &written);
604             OPENSSL_free(rdata->rbuf.buf);
605             OPENSSL_free(item->data);
606             pitem_free(item);
607         }
608         pqueue_free(rl->unprocessed_rcds);
609     }
610 
611     if (rl->processed_rcds!= NULL) {
612         while ((item = pqueue_pop(rl->processed_rcds)) != NULL) {
613             rdata = (DTLS_RLAYER_RECORD_DATA *)item->data;
614             OPENSSL_free(rdata->rbuf.buf);
615             OPENSSL_free(item->data);
616             pitem_free(item);
617         }
618         pqueue_free(rl->processed_rcds);
619     }
620 
621     return tls_free(rl) && ret;
622 }
623 
624 static int
dtls_new_record_layer(OSSL_LIB_CTX * libctx,const char * propq,int vers,int role,int direction,int level,uint16_t epoch,unsigned char * secret,size_t secretlen,unsigned char * key,size_t keylen,unsigned char * iv,size_t ivlen,unsigned char * mackey,size_t mackeylen,const EVP_CIPHER * ciph,size_t taglen,int mactype,const EVP_MD * md,COMP_METHOD * comp,const EVP_MD * kdfdigest,BIO * prev,BIO * transport,BIO * next,BIO_ADDR * local,BIO_ADDR * peer,const OSSL_PARAM * settings,const OSSL_PARAM * options,const OSSL_DISPATCH * fns,void * cbarg,void * rlarg,OSSL_RECORD_LAYER ** retrl)625 dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
626                       int role, int direction, int level, uint16_t epoch,
627                       unsigned char *secret, size_t secretlen,
628                       unsigned char *key, size_t keylen, unsigned char *iv,
629                       size_t ivlen, unsigned char *mackey, size_t mackeylen,
630                       const EVP_CIPHER *ciph, size_t taglen,
631                       int mactype,
632                       const EVP_MD *md, COMP_METHOD *comp,
633                       const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
634                       BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
635                       const OSSL_PARAM *settings, const OSSL_PARAM *options,
636                       const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
637                       OSSL_RECORD_LAYER **retrl)
638 {
639     int ret;
640 
641     ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
642                                    ciph, taglen, md, comp, prev,
643                                    transport, next, settings,
644                                    options, fns, cbarg, retrl);
645 
646     if (ret != OSSL_RECORD_RETURN_SUCCESS)
647         return ret;
648 
649     (*retrl)->unprocessed_rcds = pqueue_new();
650     (*retrl)->processed_rcds = pqueue_new();
651 
652     if ((*retrl)->unprocessed_rcds == NULL
653             || (*retrl)->processed_rcds == NULL) {
654         dtls_free(*retrl);
655         *retrl = NULL;
656         ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
657         return OSSL_RECORD_RETURN_FATAL;
658     }
659 
660     (*retrl)->isdtls = 1;
661     (*retrl)->epoch = epoch;
662     (*retrl)->in_init = 1;
663 
664     switch (vers) {
665     case DTLS_ANY_VERSION:
666         (*retrl)->funcs = &dtls_any_funcs;
667         break;
668     case DTLS1_2_VERSION:
669     case DTLS1_VERSION:
670     case DTLS1_BAD_VER:
671         (*retrl)->funcs = &dtls_1_funcs;
672         break;
673     default:
674         /* Should not happen */
675         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
676         ret = OSSL_RECORD_RETURN_FATAL;
677         goto err;
678     }
679 
680     ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
681                                             ivlen, mackey, mackeylen, ciph,
682                                             taglen, mactype, md, comp);
683 
684  err:
685     if (ret != OSSL_RECORD_RETURN_SUCCESS) {
686         dtls_free(*retrl);
687         *retrl = NULL;
688     }
689     return ret;
690 }
691 
dtls_prepare_record_header(OSSL_RECORD_LAYER * rl,WPACKET * thispkt,OSSL_RECORD_TEMPLATE * templ,uint8_t rectype,unsigned char ** recdata)692 int dtls_prepare_record_header(OSSL_RECORD_LAYER *rl,
693                                WPACKET *thispkt,
694                                OSSL_RECORD_TEMPLATE *templ,
695                                uint8_t rectype,
696                                unsigned char **recdata)
697 {
698     size_t maxcomplen;
699 
700     *recdata = NULL;
701 
702     maxcomplen = templ->buflen;
703     if (rl->compctx != NULL)
704         maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
705 
706     if (!WPACKET_put_bytes_u8(thispkt, rectype)
707             || !WPACKET_put_bytes_u16(thispkt, templ->version)
708             || !WPACKET_put_bytes_u16(thispkt, rl->epoch)
709             || !WPACKET_memcpy(thispkt, &(rl->sequence[2]), 6)
710             || !WPACKET_start_sub_packet_u16(thispkt)
711             || (rl->eivlen > 0
712                 && !WPACKET_allocate_bytes(thispkt, rl->eivlen, NULL))
713             || (maxcomplen > 0
714                 && !WPACKET_reserve_bytes(thispkt, maxcomplen,
715                                           recdata))) {
716         RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
717         return 0;
718     }
719 
720     return 1;
721 }
722 
dtls_post_encryption_processing(OSSL_RECORD_LAYER * rl,size_t mac_size,OSSL_RECORD_TEMPLATE * thistempl,WPACKET * thispkt,TLS_RL_RECORD * thiswr)723 int dtls_post_encryption_processing(OSSL_RECORD_LAYER *rl,
724                                     size_t mac_size,
725                                     OSSL_RECORD_TEMPLATE *thistempl,
726                                     WPACKET *thispkt,
727                                     TLS_RL_RECORD *thiswr)
728 {
729     if (!tls_post_encryption_processing_default(rl, mac_size, thistempl,
730                                                 thispkt, thiswr)) {
731         /* RLAYERfatal() already called */
732         return 0;
733     }
734 
735     return tls_increment_sequence_ctr(rl);
736 }
737 
dtls_get_max_record_overhead(OSSL_RECORD_LAYER * rl)738 static size_t dtls_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
739 {
740     size_t blocksize = 0;
741 
742     if (rl->enc_ctx != NULL &&
743         (EVP_CIPHER_CTX_get_mode(rl->enc_ctx) == EVP_CIPH_CBC_MODE))
744         blocksize = EVP_CIPHER_CTX_get_block_size(rl->enc_ctx);
745 
746     /*
747      * If we have a cipher in place then the tag is mandatory. If the cipher is
748      * CBC mode then an explicit IV is also mandatory. If we know the digest,
749      * then we check it is consistent with the taglen. In the case of stitched
750      * ciphers or AEAD ciphers we don't now the digest (or there isn't one) so
751      * we just trust that the taglen is correct.
752      */
753     assert(rl->enc_ctx == NULL  || ((blocksize == 0 || rl->eivlen > 0)
754                                     && rl->taglen > 0));
755     assert(rl->md == NULL || (int)rl->taglen == EVP_MD_size(rl->md));
756 
757     /*
758      * Record overhead consists of the record header, the explicit IV, any
759      * expansion due to cbc padding, and the mac/tag len. There could be
760      * further expansion due to compression - but we don't know what this will
761      * be without knowing the length of the data. However when this function is
762      * called we don't know what the length will be yet - so this is a catch-22.
763      * We *could* use SSL_3_RT_MAX_COMPRESSED_OVERHEAD which is an upper limit
764      * for the maximum record size. But this value is larger than our fallback
765      * MTU size - so isn't very helpful. We just ignore potential expansion
766      * due to compression.
767      */
768     return DTLS1_RT_HEADER_LENGTH + rl->eivlen + blocksize + rl->taglen;
769 }
770 
771 const OSSL_RECORD_METHOD ossl_dtls_record_method = {
772     dtls_new_record_layer,
773     dtls_free,
774     tls_unprocessed_read_pending,
775     tls_processed_read_pending,
776     tls_app_data_pending,
777     tls_get_max_records,
778     tls_write_records,
779     tls_retry_write_records,
780     tls_read_record,
781     tls_release_record,
782     tls_get_alert_code,
783     tls_set1_bio,
784     tls_set_protocol_version,
785     NULL,
786     tls_set_first_handshake,
787     tls_set_max_pipelines,
788     dtls_set_in_init,
789     tls_get_state,
790     tls_set_options,
791     tls_get_compression,
792     tls_set_max_frag_len,
793     dtls_get_max_record_overhead,
794     tls_increment_sequence_ctr,
795     tls_alloc_buffers,
796     tls_free_buffers
797 };
798