1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
|
/*
* Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include "../../ssl_local.h"
#include "../record_local.h"
typedef struct dtls_bitmap_st {
/* Track 64 packets */
uint64_t map;
/* Max record number seen so far, 64-bit value in big-endian encoding */
unsigned char max_seq_num[SEQ_NUM_SIZE];
} DTLS_BITMAP;
typedef struct ssl_mac_buf_st {
unsigned char *mac;
int alloced;
} SSL_MAC_BUF;
typedef struct tls_buffer_st {
/* at least SSL3_RT_MAX_PACKET_SIZE bytes */
unsigned char *buf;
/* default buffer size (or 0 if no default set) */
size_t default_len;
/* buffer size */
size_t len;
/* where to 'copy from' */
size_t offset;
/* how many bytes left */
size_t left;
/* 'buf' is from application for KTLS */
int app_buffer;
/* The type of data stored in this buffer. Only used for writing */
int type;
} TLS_BUFFER;
typedef struct tls_rl_record_st {
/* Record layer version */
/* r */
int rec_version;
/* type of record */
/* r */
int type;
/* How many bytes available */
/* rw */
size_t length;
/*
* How many bytes were available before padding was removed? This is used
* to implement the MAC check in constant time for CBC records.
*/
/* rw */
size_t orig_len;
/* read/write offset into 'buf' */
/* r */
size_t off;
/* pointer to the record data */
/* rw */
unsigned char *data;
/* where the decode bytes are */
/* rw */
unsigned char *input;
/* only used with decompression - malloc()ed */
/* r */
unsigned char *comp;
/* epoch number, needed by DTLS1 */
/* r */
uint16_t epoch;
/* sequence number, needed by DTLS1 */
/* r */
unsigned char seq_num[SEQ_NUM_SIZE];
} TLS_RL_RECORD;
/* Macros/functions provided by the TLS_RL_RECORD component */
#define TLS_RL_RECORD_set_type(r, t) ((r)->type = (t))
#define TLS_RL_RECORD_set_rec_version(r, v) ((r)->rec_version = (v))
#define TLS_RL_RECORD_get_length(r) ((r)->length)
#define TLS_RL_RECORD_set_length(r, l) ((r)->length = (l))
#define TLS_RL_RECORD_add_length(r, l) ((r)->length += (l))
#define TLS_RL_RECORD_set_data(r, d) ((r)->data = (d))
#define TLS_RL_RECORD_set_input(r, i) ((r)->input = (i))
#define TLS_RL_RECORD_reset_input(r) ((r)->input = (r)->data)
/* Protocol version specific function pointers */
struct record_functions_st
{
/*
* Returns either OSSL_RECORD_RETURN_SUCCESS, OSSL_RECORD_RETURN_FATAL or
* OSSL_RECORD_RETURN_NON_FATAL_ERR if we can keep trying to find an
* alternative record layer.
*/
int (*set_crypto_state)(OSSL_RECORD_LAYER *rl, int level,
unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph,
size_t taglen,
int mactype,
const EVP_MD *md,
COMP_METHOD *comp);
/*
* Returns:
* 0: if the record is publicly invalid, or an internal error, or AEAD
* decryption failed, or EtM decryption failed.
* 1: Success or MtE decryption failed (MAC will be randomised)
*/
int (*cipher)(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs, size_t n_recs,
int sending, SSL_MAC_BUF *macs, size_t macsize);
/* Returns 1 for success or 0 for error */
int (*mac)(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec, unsigned char *md,
int sending);
/* Return 1 for success or 0 for error */
int (*set_protocol_version)(OSSL_RECORD_LAYER *rl, int version);
/* Read related functions */
int (*read_n)(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
int clearold, size_t *readbytes);
int (*get_more_records)(OSSL_RECORD_LAYER *rl);
/* Return 1 for success or 0 for error */
int (*validate_record_header)(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec);
/* Return 1 for success or 0 for error */
int (*post_process_record)(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec);
/* Write related functions */
size_t (*get_max_records)(OSSL_RECORD_LAYER *rl, uint8_t type, size_t len,
size_t maxfrag, size_t *preffrag);
/* Return 1 for success or 0 for error */
int (*write_records)(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates,
size_t numtempl);
/* Allocate the rl->wbuf buffers. Return 1 for success or 0 for error */
int (*allocate_write_buffers)(OSSL_RECORD_LAYER *rl,
OSSL_RECORD_TEMPLATE *templates,
size_t numtempl, size_t *prefix);
/*
* Initialise the packets in the |pkt| array using the buffers in |rl->wbuf|.
* Some protocol versions may use the space in |prefixtempl| to add
* an artificial template in front of the |templates| array and hence may
* initialise 1 more WPACKET than there are templates. |*wpinited|
* returns the number of WPACKETs in |pkt| that were successfully
* initialised. This must be 0 on entry and will be filled in even on error.
*/
int (*initialise_write_packets)(OSSL_RECORD_LAYER *rl,
OSSL_RECORD_TEMPLATE *templates,
size_t numtempl,
OSSL_RECORD_TEMPLATE *prefixtempl,
WPACKET *pkt,
TLS_BUFFER *bufs,
size_t *wpinited);
/* Get the actual record type to be used for a given template */
uint8_t (*get_record_type)(OSSL_RECORD_LAYER *rl,
OSSL_RECORD_TEMPLATE *template);
/* Write the record header data to the WPACKET */
int (*prepare_record_header)(OSSL_RECORD_LAYER *rl, WPACKET *thispkt,
OSSL_RECORD_TEMPLATE *templ,
uint8_t rectype,
unsigned char **recdata);
int (*add_record_padding)(OSSL_RECORD_LAYER *rl,
OSSL_RECORD_TEMPLATE *thistempl,
WPACKET *thispkt,
TLS_RL_RECORD *thiswr);
/*
* This applies any mac that might be necessary, ensures that we have enough
* space in the WPACKET to perform the encryption and sets up the
* TLS_RL_RECORD ready for that encryption.
*/
int (*prepare_for_encryption)(OSSL_RECORD_LAYER *rl,
size_t mac_size,
WPACKET *thispkt,
TLS_RL_RECORD *thiswr);
/*
* Any updates required to the record after encryption has been applied. For
* example, adding a MAC if using encrypt-then-mac
*/
int (*post_encryption_processing)(OSSL_RECORD_LAYER *rl,
size_t mac_size,
OSSL_RECORD_TEMPLATE *thistempl,
WPACKET *thispkt,
TLS_RL_RECORD *thiswr);
/*
* Some record layer implementations need to do some custom preparation of
* the BIO before we write to it. KTLS does this to prevent coalescing of
* control and data messages.
*/
int (*prepare_write_bio)(OSSL_RECORD_LAYER *rl, int type);
};
struct ossl_record_layer_st
{
OSSL_LIB_CTX *libctx;
const char *propq;
int isdtls;
int version;
int role;
int direction;
int level;
const EVP_MD *md;
/* DTLS only */
uint16_t epoch;
/*
* A BIO containing any data read in the previous epoch that was destined
* for this epoch
*/
BIO *prev;
/* The transport BIO */
BIO *bio;
/*
* A BIO where we will send any data read by us that is destined for the
* next epoch.
*/
BIO *next;
/* Types match the equivalent fields in the SSL object */
uint64_t options;
uint32_t mode;
/* write IO goes into here */
TLS_BUFFER wbuf[SSL_MAX_PIPELINES + 1];
/* Next wbuf with pending data still to write */
size_t nextwbuf;
/* How many pipelines can be used to write data */
size_t numwpipes;
/* read IO goes into here */
TLS_BUFFER rbuf;
/* each decoded record goes in here */
TLS_RL_RECORD rrec[SSL_MAX_PIPELINES];
/* How many records have we got available in the rrec buffer */
size_t num_recs;
/* The record number in the rrec buffer that can be read next */
size_t curr_rec;
/* The number of records that have been released via tls_release_record */
size_t num_released;
/* where we are when reading */
int rstate;
/* used internally to point at a raw packet */
unsigned char *packet;
size_t packet_length;
/* Sequence number for the next record */
unsigned char sequence[SEQ_NUM_SIZE];
/* Alert code to be used if an error occurs */
int alert;
/*
* Read as many input bytes as possible (for non-blocking reads)
*/
int read_ahead;
/* The number of consecutive empty records we have received */
size_t empty_record_count;
/*
* Do we need to send a prefix empty record before application data as a
* countermeasure against known-IV weakness (necessary for SSLv3 and
* TLSv1.0)
*/
int need_empty_fragments;
/* cryptographic state */
EVP_CIPHER_CTX *enc_ctx;
/* Explicit IV length */
size_
|
