summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2022-11-11 17:15:27 +0000
committerjsing <>2022-11-11 17:15:27 +0000
commit167103faa44f8407455f11f6599e9919e2b22653 (patch)
treea8f8e94c51cf1dc74d90e267faf0ad4720537e35
parentf8749b129444d560b9e645a68ec7b045800243ed (diff)
downloadopenbsd-167103faa44f8407455f11f6599e9919e2b22653.tar.gz
openbsd-167103faa44f8407455f11f6599e9919e2b22653.tar.bz2
openbsd-167103faa44f8407455f11f6599e9919e2b22653.zip
Convert the legacy TLS stack to tls_content.
This converts the legacy TLS stack to tls_content - records are now opened into a tls_content structure, rather than being written back into the same buffer that the sealed record was read into. This will allow for further clean up of the legacy record layer. ok tb@
Diffstat
-rw-r--r--src/lib/libssl/d1_lib.c21
-rw-r--r--src/lib/libssl/d1_pkt.c190
-rw-r--r--src/lib/libssl/dtls_locl.h14
-rw-r--r--src/lib/libssl/s3_lib.c15
-rw-r--r--src/lib/libssl/ssl_locl.h11
-rw-r--r--src/lib/libssl/ssl_pkt.c120
-rw-r--r--src/lib/libssl/tls12_record_layer.c79
-rw-r--r--src/lib/libssl/tls13_record_layer.c3
-rw-r--r--src/lib/libssl/tls_content.c25
-rw-r--r--src/lib/libssl/tls_content.h4
10 files changed, 292 insertions, 190 deletions
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index cf4c5100d5..fe51769530 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_lib.c,v 1.62 2022/10/02 16:36:41 jsing Exp $ */ 1/* $OpenBSD: d1_lib.c,v 1.63 2022/11/11 17:15:26 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -105,6 +105,23 @@ dtls1_new(SSL *s)
105} 105}
106 106
107static void 107static void
108dtls1_drain_rcontents(pqueue queue)
109{
110 DTLS1_RCONTENT_DATA_INTERNAL *rdata;
111 pitem *item;
112
113 if (queue == NULL)
114 return;
115
116 while ((item = pqueue_pop(queue)) != NULL) {
117 rdata = (DTLS1_RCONTENT_DATA_INTERNAL *)item->data;
118 tls_content_free(rdata->rcontent);
119 free(item->data);
120 pitem_free(item);
121 }
122}
123
124static void
108dtls1_drain_records(pqueue queue) 125dtls1_drain_records(pqueue queue)
109{ 126{
110 pitem *item; 127 pitem *item;
@@ -141,7 +158,7 @@ dtls1_clear_queues(SSL *s)
141 dtls1_drain_records(s->d1->unprocessed_rcds.q); 158 dtls1_drain_records(s->d1->unprocessed_rcds.q);
142 dtls1_drain_fragments(s->d1->buffered_messages); 159 dtls1_drain_fragments(s->d1->buffered_messages);
143 dtls1_drain_fragments(s->d1->sent_messages); 160 dtls1_drain_fragments(s->d1->sent_messages);
144 dtls1_drain_records(s->d1->buffered_app_data.q); 161 dtls1_drain_rcontents(s->d1->buffered_app_data.q);
145} 162}
146 163
147void 164void
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 1431434ba8..35d5d8ec6d 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_pkt.c,v 1.124 2022/10/02 16:36:41 jsing Exp $ */ 1/* $OpenBSD: d1_pkt.c,v 1.125 2022/11/11 17:15:26 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -115,6 +115,7 @@
115 115
116#include <endian.h> 116#include <endian.h>
117#include <errno.h> 117#include <errno.h>
118#include <limits.h>
118#include <stdio.h> 119#include <stdio.h>
119 120
120#include <openssl/buffer.h> 121#include <openssl/buffer.h>
@@ -124,6 +125,7 @@
124#include "dtls_locl.h" 125#include "dtls_locl.h"
125#include "pqueue.h" 126#include "pqueue.h"
126#include "ssl_locl.h" 127#include "ssl_locl.h"
128#include "tls_content.h"
127 129
128/* mod 128 saturating subtract of two 64-bit values in big-endian order */ 130/* mod 128 saturating subtract of two 64-bit values in big-endian order */
129static int 131static int
@@ -247,6 +249,44 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
247 return (-1); 249 return (-1);
248} 250}
249 251
252static int
253dtls1_buffer_rcontent(SSL *s, rcontent_pqueue *queue, unsigned char *priority)
254{
255 DTLS1_RCONTENT_DATA_INTERNAL *rdata;
256 pitem *item;
257
258 /* Limit the size of the queue to prevent DOS attacks */
259 if (pqueue_size(queue->q) >= 100)
260 return 0;
261
262 rdata = malloc(sizeof(DTLS1_RCONTENT_DATA_INTERNAL));
263 item = pitem_new(priority, rdata);
264 if (rdata == NULL || item == NULL)
265 goto init_err;
266
267 rdata->rcontent = s->s3->rcontent;
268 s->s3->rcontent = NULL;
269
270 item->data = rdata;
271
272 /* insert should not fail, since duplicates are dropped */
273 if (pqueue_insert(queue->q, item) == NULL)
274 goto err;
275
276 if ((s->s3->rcontent = tls_content_new()) == NULL)
277 goto err;
278
279 return (1);
280
281 err:
282 tls_content_free(rdata->rcontent);
283
284 init_err:
285 SSLerror(s, ERR_R_INTERNAL_ERROR);
286 free(rdata);
287 pitem_free(item);
288 return (-1);
289}
250 290
251static int 291static int
252dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) 292dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
@@ -267,6 +307,29 @@ dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
267} 307}
268 308
269static int 309static int
310dtls1_retrieve_buffered_rcontent(SSL *s, rcontent_pqueue *queue)
311{
312 DTLS1_RCONTENT_DATA_INTERNAL *rdata;
313 pitem *item;
314
315 item = pqueue_pop(queue->q);
316 if (item) {
317 rdata = item->data;
318
319 tls_content_free(s->s3->rcontent);
320 s->s3->rcontent = rdata->rcontent;
321 s->s3->rrec.epoch = tls_content_epoch(s->s3->rcontent);
322
323 free(item->data);
324 pitem_free(item);
325
326 return (1);
327 }
328
329 return (0);
330}
331
332static int
270dtls1_process_buffered_record(SSL *s) 333dtls1_process_buffered_record(SSL *s)
271{ 334{
272 /* Check if epoch is current. */ 335 /* Check if epoch is current. */
@@ -295,13 +358,11 @@ dtls1_process_record(SSL *s)
295{ 358{
296 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec); 359 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec);
297 uint8_t alert_desc; 360 uint8_t alert_desc;
298 uint8_t *out;
299 size_t out_len;
300 361
301 tls12_record_layer_set_version(s->rl, s->version); 362 tls12_record_layer_set_version(s->rl, s->version);
302 363
303 if (!tls12_record_layer_open_record(s->rl, s->packet, 364 if (!tls12_record_layer_open_record(s->rl, s->packet, s->packet_length,
304 s->packet_length, &out, &out_len)) { 365 s->s3->rcontent)) {
305 tls12_record_layer_alert(s->rl, &alert_desc); 366 tls12_record_layer_alert(s->rl, &alert_desc);
306 367
307 if (alert_desc == 0) 368 if (alert_desc == 0)
@@ -311,10 +372,8 @@ dtls1_process_record(SSL *s)
311 * DTLS should silently discard invalid records, including those 372 * DTLS should silently discard invalid records, including those
312 * with a bad MAC, as per RFC 6347 section 4.1.2.1. 373 * with a bad MAC, as per RFC 6347 section 4.1.2.1.
313 */ 374 */
314 if (alert_desc == SSL_AD_BAD_RECORD_MAC) { 375 if (alert_desc == SSL_AD_BAD_RECORD_MAC)
315 out_len = 0;
316 goto done; 376 goto done;
317 }
318 377
319 if (alert_desc == SSL_AD_RECORD_OVERFLOW) 378 if (alert_desc == SSL_AD_RECORD_OVERFLOW)
320 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 379 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
@@ -322,11 +381,10 @@ dtls1_process_record(SSL *s)
322 goto fatal_err; 381 goto fatal_err;
323 } 382 }
324 383
325 done: 384 /* XXX move to record layer. */
326 rr->data = out; 385 tls_content_set_epoch(s->s3->rcontent, rr->epoch);
327 rr->length = out_len;
328 rr->off = 0;
329 386
387 done:
330 s->packet_length = 0; 388 s->packet_length = 0;
331 389
332 return (1); 390 return (1);
@@ -485,7 +543,6 @@ dtls1_get_record(SSL *s)
485static int 543static int
486dtls1_read_handshake_unexpected(SSL *s) 544dtls1_read_handshake_unexpected(SSL *s)
487{ 545{
488 SSL3_RECORD_INTERNAL *rr = &s->s3->rrec;
489 struct hm_header_st hs_msg_hdr; 546 struct hm_header_st hs_msg_hdr;
490 CBS cbs; 547 CBS cbs;
491 int ret; 548 int ret;
@@ -495,19 +552,16 @@ dtls1_read_handshake_unexpected(SSL *s)
495 return -1; 552 return -1;
496 } 553 }
497 554
498 if (rr->off != 0) {
499 SSLerror(s, ERR_R_INTERNAL_ERROR);
500 return -1;
501 }
502
503 /* Parse handshake message header. */ 555 /* Parse handshake message header. */
504 CBS_init(&cbs, rr->data, rr->length); 556 CBS_dup(&cbs, tls_content_cbs(s->s3->rcontent));
505 if (!dtls1_get_message_header(&cbs, &hs_msg_hdr)) 557 if (!dtls1_get_message_header(&cbs, &hs_msg_hdr))
506 return -1; /* XXX - probably should drop/continue. */ 558 return -1; /* XXX - probably should drop/continue. */
507 559
508 /* This may just be a stale retransmit. */ 560 /* This may just be a stale retransmit. */
509 if (rr->epoch != tls12_record_layer_read_epoch(s->rl)) { 561 if (tls_content_epoch(s->s3->rcontent) !=
510 rr->length = 0; 562 tls12_record_layer_read_epoch(s->rl)) {
563 tls_content_clear(s->s3->rcontent);
564 s->s3->rrec.length = 0;
511 return 1; 565 return 1;
512 } 566 }
513 567
@@ -532,10 +586,11 @@ dtls1_read_handshake_unexpected(SSL *s)
532 return -1; 586 return -1;
533 } 587 }
534 588
535 ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, rr->data, 589 ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE,
536 DTLS1_HM_HEADER_LENGTH); 590 tls_content_cbs(s->s3->rcontent));
537 591
538 rr->length = 0; 592 tls_content_clear(s->s3->rcontent);
593 s->s3->rrec.length = 0;
539 594
540 /* 595 /*
541 * It should be impossible to hit this, but keep the safety 596 * It should be impossible to hit this, but keep the safety
@@ -624,7 +679,8 @@ dtls1_read_handshake_unexpected(SSL *s)
624 679
625 dtls1_retransmit_buffered_messages(s); 680 dtls1_retransmit_buffered_messages(s);
626 681
627 rr->length = 0; 682 tls_content_clear(s->s3->rcontent);
683 s->s3->rrec.length = 0;
628 684
629 return 1; 685 return 1;
630 686
@@ -685,9 +741,8 @@ dtls1_read_handshake_unexpected(SSL *s)
685int 741int
686dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) 742dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
687{ 743{
688 SSL3_RECORD_INTERNAL *rr;
689 int rrcount = 0; 744 int rrcount = 0;
690 unsigned int n; 745 ssize_t ssret;
691 int ret; 746 int ret;
692 747
693 if (s->s3->rbuf.buf == NULL) { 748 if (s->s3->rbuf.buf == NULL) {
@@ -695,6 +750,11 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
695 return -1; 750 return -1;
696 } 751 }
697 752
753 if (s->s3->rcontent == NULL) {
754 if ((s->s3->rcontent = tls_content_new()) == NULL)
755 return -1;
756 }
757
698 if (len < 0) { 758 if (len < 0) {
699 SSLerror(s, ERR_R_INTERNAL_ERROR); 759 SSLerror(s, ERR_R_INTERNAL_ERROR);
700 return -1; 760 return -1;
@@ -735,19 +795,18 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
735 795
736 s->rwstate = SSL_NOTHING; 796 s->rwstate = SSL_NOTHING;
737 797
738 rr = &s->s3->rrec;
739
740 /* 798 /*
741 * We are not handshaking and have no data yet, so process data buffered 799 * We are not handshaking and have no data yet, so process data buffered
742 * during the last handshake in advance, if any. 800 * during the last handshake in advance, if any.
743 */ 801 */
744 if (s->s3->hs.state == SSL_ST_OK && rr->length == 0) 802 if (s->s3->hs.state == SSL_ST_OK &&
745 dtls1_retrieve_buffered_record(s, &s->d1->buffered_app_data); 803 tls_content_remaining(s->s3->rcontent) == 0)
804 dtls1_retrieve_buffered_rcontent(s, &s->d1->buffered_app_data);
746 805
747 if (dtls1_handle_timeout(s) > 0) 806 if (dtls1_handle_timeout(s) > 0)
748 goto start; 807 goto start;
749 808
750 if (rr->length == 0 || s->rstate == SSL_ST_READ_BODY) { 809 if (tls_content_remaining(s->s3->rcontent) == 0) {
751 if ((ret = dtls1_get_record(s)) <= 0) { 810 if ((ret = dtls1_get_record(s)) <= 0) {
752 /* Anything other than a timeout is an error. */ 811 /* Anything other than a timeout is an error. */
753 if ((ret = dtls1_read_failed(s, ret)) <= 0) 812 if ((ret = dtls1_read_failed(s, ret)) <= 0)
@@ -756,26 +815,30 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
756 } 815 }
757 } 816 }
758 817
759 if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) { 818 if (s->d1->listen &&
760 rr->length = 0; 819 tls_content_type(s->s3->rcontent) != SSL3_RT_HANDSHAKE) {
820 tls_content_clear(s->s3->rcontent);
821 s->s3->rrec.length = 0;
761 goto start; 822 goto start;
762 } 823 }
763 824
764 /* We now have a packet which can be read and processed. */ 825 /* We now have a packet which can be read and processed. */
765 826
766 if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE) { 827 if (s->s3->change_cipher_spec &&
828 tls_content_type(s->s3->rcontent) != SSL3_RT_HANDSHAKE) {
767 /* 829 /*
768 * We now have application data between CCS and Finished. 830 * We now have application data between CCS and Finished.
769 * Most likely the packets were reordered on their way, so 831 * Most likely the packets were reordered on their way, so
770 * buffer the application data for later processing rather 832 * buffer the application data for later processing rather
771 * than dropping the connection. 833 * than dropping the connection.
772 */ 834 */
773 if (dtls1_buffer_record(s, &s->d1->buffered_app_data, 835 if (dtls1_buffer_rcontent(s, &s->d1->buffered_app_data,
774 rr->seq_num) < 0) { 836 s->s3->rrec.seq_num) < 0) {
775 SSLerror(s, ERR_R_INTERNAL_ERROR); 837 SSLerror(s, ERR_R_INTERNAL_ERROR);
776 return (-1); 838 return (-1);
777 } 839 }
778 rr->length = 0; 840 tls_content_clear(s->s3->rcontent);
841 s->s3->rrec.length = 0;
779 goto start; 842 goto start;
780 } 843 }
781 844
@@ -785,12 +848,13 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
785 */ 848 */
786 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 849 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
787 s->rwstate = SSL_NOTHING; 850 s->rwstate = SSL_NOTHING;
788 rr->length = 0; 851 tls_content_clear(s->s3->rcontent);
852 s->s3->rrec.length = 0;
789 return 0; 853 return 0;
790 } 854 }
791 855
792 /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ 856 /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
793 if (type == rr->type) { 857 if (tls_content_type(s->s3->rcontent) == type) {
794 /* 858 /*
795 * Make sure that we are not getting application data when we 859 * Make sure that we are not getting application data when we
796 * are doing a handshake for the first time. 860 * are doing a handshake for the first time.
@@ -806,31 +870,23 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
806 if (len <= 0) 870 if (len <= 0)
807 return len; 871 return len;
808 872
809 if ((unsigned int)len > rr->length) 873 if (peek) {
810 n = rr->length; 874 ssret = tls_content_peek(s->s3->rcontent, buf, len);
811 else 875 } else {
812 n = (unsigned int)len; 876 ssret = tls_content_read(s->s3->rcontent, buf, len);
813
814 memcpy(buf, &rr->data[rr->off], n);
815 if (!peek) {
816 memset(&rr->data[rr->off], 0, n);
817 rr->length -= n;
818 rr->off += n;
819 if (rr->length == 0) {
820 s->rstate = SSL_ST_READ_HEADER;
821 rr->off = 0;
822 }
823 } 877 }
878 if (ssret < INT_MIN || ssret > INT_MAX)
879 return -1;
880 if (ssret < 0)
881 return (int)ssret;
824 882
825 return n; 883 if (tls_content_remaining(s->s3->rcontent) == 0)
826 } 884 s->rstate = SSL_ST_READ_HEADER;
827 885
828 /* 886 return (int)ssret;
829 * If we get here, then type != rr->type; if we have a handshake 887 }
830 * message, then it was unexpected (Hello Request or Client Hello).
831 */
832 888
833 if (rr->type == SSL3_RT_ALERT) { 889 if (tls_content_type(s->s3->rcontent) == SSL3_RT_ALERT) {
834 if ((ret = ssl3_read_alert(s)) <= 0) 890 if ((ret = ssl3_read_alert(s)) <= 0)
835 return ret; 891 return ret;
836 goto start; 892 goto start;
@@ -838,11 +894,12 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
838 894
839 if (s->shutdown & SSL_SENT_SHUTDOWN) { 895 if (s->shutdown & SSL_SENT_SHUTDOWN) {
840 s->rwstate = SSL_NOTHING; 896 s->rwstate = SSL_NOTHING;
841 rr->length = 0; 897 tls_content_clear(s->s3->rcontent);
898 s->s3->rrec.length = 0;
842 return (0); 899 return (0);
843 } 900 }
844 901
845 if (rr->type == SSL3_RT_APPLICATION_DATA) { 902 if (tls_content_type(s->s3->rcontent) == SSL3_RT_APPLICATION_DATA) {
846 /* 903 /*
847 * At this point, we were expecting handshake data, but have 904 * At this point, we were expecting handshake data, but have
848 * application data. If the library was running inside 905 * application data. If the library was running inside
@@ -868,13 +925,13 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
868 } 925 }
869 } 926 }
870 927
871 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { 928 if (tls_content_type(s->s3->rcontent) == SSL3_RT_CHANGE_CIPHER_SPEC) {
872 if ((ret = ssl3_read_change_cipher_spec(s)) <= 0) 929 if ((ret = ssl3_read_change_cipher_spec(s)) <= 0)
873 return ret; 930 return ret;
874 goto start; 931 goto start;
875 } 932 }
876 933
877 if (rr->type == SSL3_RT_HANDSHAKE) { 934 if (tls_content_type(s->s3->rcontent) == SSL3_RT_HANDSHAKE) {
878 if ((ret = dtls1_read_handshake_unexpected(s)) <= 0) 935 if ((ret = dtls1_read_handshake_unexpected(s)) <= 0)
879 return ret; 936 return ret;
880 goto start; 937 goto start;
@@ -891,8 +948,7 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
891{ 948{
892 int i; 949 int i;
893 950
894 if (SSL_in_init(s) && !s->in_handshake) 951 if (SSL_in_init(s) && !s->in_handshake) {
895 {
896 i = s->handshake_func(s); 952 i = s->handshake_func(s);
897 if (i < 0) 953 if (i < 0)
898 return (i); 954 return (i);
diff --git a/src/lib/libssl/dtls_locl.h b/src/lib/libssl/dtls_locl.h
index da5c259aff..784d397f7d 100644
--- a/src/lib/libssl/dtls_locl.h
+++ b/src/lib/libssl/dtls_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: dtls_locl.h,v 1.10 2021/10/23 13:45:44 jsing Exp $ */ 1/* $OpenBSD: dtls_locl.h,v 1.11 2022/11/11 17:15:26 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -65,6 +65,7 @@
65#include <openssl/dtls1.h> 65#include <openssl/dtls1.h>
66 66
67#include "ssl_locl.h" 67#include "ssl_locl.h"
68#include "tls_content.h"
68 69
69__BEGIN_HIDDEN_DECLS 70__BEGIN_HIDDEN_DECLS
70 71
@@ -109,6 +110,11 @@ typedef struct record_pqueue_st {
109 struct _pqueue *q; 110 struct _pqueue *q;
110} record_pqueue; 111} record_pqueue;
111 112
113typedef struct rcontent_pqueue_st {
114 unsigned short epoch;
115 struct _pqueue *q;
116} rcontent_pqueue;
117
112typedef struct hm_fragment_st { 118typedef struct hm_fragment_st {
113 struct hm_header_st msg_header; 119 struct hm_header_st msg_header;
114 unsigned char *fragment; 120 unsigned char *fragment;
@@ -122,6 +128,10 @@ typedef struct dtls1_record_data_internal_st {
122 SSL3_RECORD_INTERNAL rrec; 128 SSL3_RECORD_INTERNAL rrec;
123} DTLS1_RECORD_DATA_INTERNAL; 129} DTLS1_RECORD_DATA_INTERNAL;
124 130
131typedef struct dtls1_rcontent_data_internal_st {
132 struct tls_content *rcontent;
133} DTLS1_RCONTENT_DATA_INTERNAL;
134
125struct dtls1_state_st { 135struct dtls1_state_st {
126 /* Buffered (sent) handshake records */ 136 /* Buffered (sent) handshake records */
127 struct _pqueue *sent_messages; 137 struct _pqueue *sent_messages;
@@ -160,7 +170,7 @@ struct dtls1_state_st {
160 * to prevent either protocol violation or 170 * to prevent either protocol violation or
161 * unnecessary message loss. 171 * unnecessary message loss.
162 */ 172 */
163 record_pqueue buffered_app_data; 173 rcontent_pqueue buffered_app_data;
164 174
165 /* Is set when listening for new connections with dtls1_listen() */ 175 /* Is set when listening for new connections with dtls1_listen() */
166 unsigned int listen; 176 unsigned int listen;
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 68c6fc6324..87092069df 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.240 2022/11/10 18:06:37 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.241 2022/11/11 17:15:26 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -163,6 +163,7 @@
163#include "ssl_locl.h" 163#include "ssl_locl.h"
164#include "ssl_sigalgs.h" 164#include "ssl_sigalgs.h"
165#include "ssl_tlsext.h" 165#include "ssl_tlsext.h"
166#include "tls_content.h"
166 167
167#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 168#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
168 169
@@ -1441,11 +1442,12 @@ ssl3_cipher_get_value(const SSL_CIPHER *c)
1441int 1442int
1442ssl3_pending(const SSL *s) 1443ssl3_pending(const SSL *s)
1443{ 1444{
1444 if (s->rstate == SSL_ST_READ_BODY) 1445 if (s->s3->rcontent == NULL)
1446 return 0;
1447 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA)
1445 return 0; 1448 return 0;
1446 1449
1447 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? 1450 return tls_content_remaining(s->s3->rcontent);
1448 s->s3->rrec.length : 0;
1449} 1451}
1450 1452
1451int 1453int
@@ -1560,6 +1562,8 @@ ssl3_free(SSL *s)
1560 ssl3_release_read_buffer(s); 1562 ssl3_release_read_buffer(s);
1561 ssl3_release_write_buffer(s); 1563 ssl3_release_write_buffer(s);
1562 1564
1565 tls_content_free(s->s3->rcontent);
1566
1563 tls_buffer_free(s->s3->alert_fragment); 1567 tls_buffer_free(s->s3->alert_fragment);
1564 tls_buffer_free(s->s3->handshake_fragment); 1568 tls_buffer_free(s->s3->handshake_fragment);
1565 1569
@@ -1637,6 +1641,9 @@ ssl3_clear(SSL *s)
1637 rlen = s->s3->rbuf.len; 1641 rlen = s->s3->rbuf.len;
1638 wlen = s->s3->wbuf.len; 1642 wlen = s->s3->wbuf.len;
1639 1643
1644 tls_content_free(s->s3->rcontent);
1645 s->s3->rcontent = NULL;
1646
1640 tls1_transcript_free(s); 1647 tls1_transcript_free(s);
1641 tls1_transcript_hash_free(s); 1648 tls1_transcript_hash_free(s);
1642 1649
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 69546c0962..8387513d99 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.431 2022/11/10 18:06:37 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.432 2022/11/11 17:15:26 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -162,6 +162,7 @@
162#include <openssl/stack.h> 162#include <openssl/stack.h>
163 163
164#include "bytestring.h" 164#include "bytestring.h"
165#include "tls_content.h"
165#include "tls13_internal.h" 166#include "tls13_internal.h"
166 167
167__BEGIN_HIDDEN_DECLS 168__BEGIN_HIDDEN_DECLS
@@ -706,7 +707,7 @@ int tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
706int tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, 707int tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
707 CBS *mac_key, CBS *key, CBS *iv); 708 CBS *mac_key, CBS *key, CBS *iv);
708int tls12_record_layer_open_record(struct tls12_record_layer *rl, 709int tls12_record_layer_open_record(struct tls12_record_layer *rl,
709 uint8_t *buf, size_t buf_len, uint8_t **out, size_t *out_len); 710 uint8_t *buf, size_t buf_len, struct tls_content *out);
710int tls12_record_layer_seal_record(struct tls12_record_layer *rl, 711int tls12_record_layer_seal_record(struct tls12_record_layer *rl,
711 uint8_t content_type, const uint8_t *content, size_t content_len, 712 uint8_t content_type, const uint8_t *content, size_t content_len,
712 CBB *out); 713 CBB *out);
@@ -1157,6 +1158,10 @@ typedef struct ssl3_state_st {
1157 SSL3_BUFFER_INTERNAL rbuf; /* read IO goes into here */ 1158 SSL3_BUFFER_INTERNAL rbuf; /* read IO goes into here */
1158 SSL3_BUFFER_INTERNAL wbuf; /* write IO goes into here */ 1159 SSL3_BUFFER_INTERNAL wbuf; /* write IO goes into here */
1159 1160
1161 SSL3_RECORD_INTERNAL rrec; /* each decoded record goes in here */
1162
1163 struct tls_content *rcontent; /* Content from opened TLS records. */
1164
1160 /* we allow one fatal and one warning alert to be outstanding, 1165 /* we allow one fatal and one warning alert to be outstanding,
1161 * send close alert via the warning alert */ 1166 * send close alert via the warning alert */
1162 int alert_dispatch; 1167 int alert_dispatch;
@@ -1166,8 +1171,6 @@ typedef struct ssl3_state_st {
1166 int need_empty_fragments; 1171 int need_empty_fragments;
1167 int empty_fragment_done; 1172 int empty_fragment_done;
1168 1173
1169 SSL3_RECORD_INTERNAL rrec; /* each decoded record goes in here */
1170
1171 /* Unprocessed Alert/Handshake protocol data. */ 1174 /* Unprocessed Alert/Handshake protocol data. */
1172 struct tls_buffer *alert_fragment; 1175 struct tls_buffer *alert_fragment;
1173 struct tls_buffer *handshake_fragment; 1176 struct tls_buffer *handshake_fragment;
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index 58d3ee1db2..4d79981484 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_pkt.c,v 1.63 2022/11/10 18:06:37 jsing Exp $ */ 1/* $OpenBSD: ssl_pkt.c,v 1.64 2022/11/11 17:15:26 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -110,6 +110,7 @@
110 */ 110 */
111 111
112#include <errno.h> 112#include <errno.h>
113#include <limits.h>
113#include <stdio.h> 114#include <stdio.h>
114 115
115#include <openssl/buffer.h> 116#include <openssl/buffer.h>
@@ -118,6 +119,7 @@
118#include "bytestring.h" 119#include "bytestring.h"
119#include "dtls_locl.h" 120#include "dtls_locl.h"
120#include "ssl_locl.h" 121#include "ssl_locl.h"
122#include "tls_content.h"
121 123
122static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, 124static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
123 unsigned int len); 125 unsigned int len);
@@ -333,8 +335,6 @@ ssl3_get_record(SSL *s)
333 SSL3_BUFFER_INTERNAL *rb = &(s->s3->rbuf); 335 SSL3_BUFFER_INTERNAL *rb = &(s->s3->rbuf);
334 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec); 336 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec);
335 uint8_t alert_desc; 337 uint8_t alert_desc;
336 uint8_t *out;
337 size_t out_len;
338 int al, n; 338 int al, n;
339 int ret = -1; 339 int ret = -1;
340 340
@@ -410,8 +410,8 @@ ssl3_get_record(SSL *s)
410 */ 410 */
411 tls12_record_layer_set_version(s->rl, s->version); 411 tls12_record_layer_set_version(s->rl, s->version);
412 412
413 if (!tls12_record_layer_open_record(s->rl, s->packet, 413 if (!tls12_record_layer_open_record(s->rl, s->packet, s->packet_length,
414 s->packet_length, &out, &out_len)) { 414 s->s3->rcontent)) {
415 tls12_record_layer_alert(s->rl, &alert_desc); 415 tls12_record_layer_alert(s->rl, &alert_desc);
416 416
417 if (alert_desc == 0) 417 if (alert_desc == 0)
@@ -426,14 +426,10 @@ ssl3_get_record(SSL *s)
426 goto fatal_err; 426 goto fatal_err;
427 } 427 }
428 428
429 rr->data = out;
430 rr->length = out_len;
431 rr->off = 0;
432
433 /* we have pulled in a full packet so zero things */ 429 /* we have pulled in a full packet so zero things */
434 s->packet_length = 0; 430 s->packet_length = 0;
435 431
436 if (rr->length == 0) { 432 if (tls_content_remaining(s->s3->rcontent) == 0) {
437 /* 433 /*
438 * Zero-length fragments are only permitted for application 434 * Zero-length fragments are only permitted for application
439 * data, as per RFC 5246 section 6.2.1. 435 * data, as per RFC 5246 section 6.2.1.
@@ -444,6 +440,8 @@ ssl3_get_record(SSL *s)
444 goto fatal_err; 440 goto fatal_err;
445 } 441 }
446 442
443 tls_content_clear(s->s3->rcontent);
444
447 /* 445 /*
448 * CBC countermeasures for known IV weaknesses can legitimately 446 * CBC countermeasures for known IV weaknesses can legitimately
449 * insert a single empty record, so we allow ourselves to read 447 * insert a single empty record, so we allow ourselves to read
@@ -691,20 +689,9 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
691static ssize_t 689static ssize_t
692ssl3_read_cb(void *buf, size_t n, void *cb_arg) 690ssl3_read_cb(void *buf, size_t n, void *cb_arg)
693{ 691{
694 SSL3_RECORD_INTERNAL *rr;
695 SSL *s = cb_arg; 692 SSL *s = cb_arg;
696 693
697 rr = &s->s3->rrec; 694 return tls_content_read(s->s3->rcontent, buf, n);
698
699 if (n > rr->length)
700 n = rr->length;
701
702 memcpy(buf, &rr->data[rr->off], n);
703
704 rr->off += n;
705 rr->length -= n;
706
707 return n;
708} 695}
709 696
710#define SSL3_ALERT_LENGTH 2 697#define SSL3_ALERT_LENGTH 2
@@ -791,21 +778,18 @@ ssl3_read_alert(SSL *s)
791int 778int
792ssl3_read_change_cipher_spec(SSL *s) 779ssl3_read_change_cipher_spec(SSL *s)
793{ 780{
794 SSL3_RECORD_INTERNAL *rr = &s->s3->rrec; 781 const uint8_t ccs[1] = { SSL3_MT_CCS };
795 const uint8_t ccs[] = { SSL3_MT_CCS };
796 CBS cbs;
797 782
798 /* 783 /*
799 * 'Change Cipher Spec' is just a single byte, so we know exactly what 784 * 'Change Cipher Spec' is just a single byte, so we know exactly what
800 * the record payload has to look like. 785 * the record payload has to look like.
801 */ 786 */
802 CBS_init(&cbs, rr->data, rr->length); 787 if (tls_content_remaining(s->s3->rcontent) != sizeof(ccs)) {
803 if (rr->off != 0 || CBS_len(&cbs) != sizeof(ccs)) {
804 SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); 788 SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC);
805 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 789 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
806 return -1; 790 return -1;
807 } 791 }
808 if (!CBS_mem_equal(&cbs, ccs, sizeof(ccs))) { 792 if (!tls_content_equal(s->s3->rcontent, ccs, sizeof(ccs))) {
809 SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); 793 SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC);
810 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 794 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
811 return -1; 795 return -1;
@@ -813,7 +797,8 @@ ssl3_read_change_cipher_spec(SSL *s)
813 797
814 /* XDTLS: check that epoch is consistent */ 798 /* XDTLS: check that epoch is consistent */
815 799
816 ssl_msg_callback_cbs(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC, &cbs); 800 ssl_msg_callback_cbs(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC,
801 tls_content_cbs(s->s3->rcontent));
817 802
818 /* Check that we have a cipher to change to. */ 803 /* Check that we have a cipher to change to. */
819 if (s->s3->hs.cipher == NULL) { 804 if (s->s3->hs.cipher == NULL) {
@@ -830,7 +815,7 @@ ssl3_read_change_cipher_spec(SSL *s)
830 * handshake messages are still missing, so just 815 * handshake messages are still missing, so just
831 * drop it. 816 * drop it.
832 */ 817 */
833 rr->length = 0; 818 tls_content_clear(s->s3->rcontent);
834 return 1; 819 return 1;
835 } 820 }
836 s->d1->change_cipher_spec_ok = 0; 821 s->d1->change_cipher_spec_ok = 0;
@@ -844,7 +829,7 @@ ssl3_read_change_cipher_spec(SSL *s)
844 s->s3->flags &= ~SSL3_FLAGS_CCS_OK; 829 s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
845 } 830 }
846 831
847 rr->length = 0; 832 tls_content_clear(s->s3->rcontent);
848 833
849 s->s3->change_cipher_spec = 1; 834 s->s3->change_cipher_spec = 1;
850 if (!ssl3_do_change_cipher_spec(s)) 835 if (!ssl3_do_change_cipher_spec(s))
@@ -1053,9 +1038,8 @@ ssl3_read_handshake_unexpected(SSL *s)
1053int 1038int
1054ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) 1039ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1055{ 1040{
1056 SSL3_RECORD_INTERNAL *rr;
1057 int rrcount = 0; 1041 int rrcount = 0;
1058 unsigned int n; 1042 ssize_t ssret;
1059 int ret; 1043 int ret;
1060 1044
1061 if (s->s3->rbuf.buf == NULL) { 1045 if (s->s3->rbuf.buf == NULL) {
@@ -1063,6 +1047,11 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1063 return -1; 1047 return -1;
1064 } 1048 }
1065 1049
1050 if (s->s3->rcontent == NULL) {
1051 if ((s->s3->rcontent = tls_content_new()) == NULL)
1052 return -1;
1053 }
1054
1066 if (len < 0) { 1055 if (len < 0) {
1067 SSLerror(s, ERR_R_INTERNAL_ERROR); 1056 SSLerror(s, ERR_R_INTERNAL_ERROR);
1068 return -1; 1057 return -1;
@@ -1120,16 +1109,15 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1120 1109
1121 s->rwstate = SSL_NOTHING; 1110 s->rwstate = SSL_NOTHING;
1122 1111
1123 rr = &s->s3->rrec; 1112 if (tls_content_remaining(s->s3->rcontent) == 0) {
1124
1125 if (rr->length == 0 || s->rstate == SSL_ST_READ_BODY) {
1126 if ((ret = ssl3_get_record(s)) <= 0) 1113 if ((ret = ssl3_get_record(s)) <= 0)
1127 return ret; 1114 return ret;
1128 } 1115 }
1129 1116
1130 /* We now have a packet which can be read and processed. */ 1117 /* We now have a packet which can be read and processed. */
1131 1118
1132 if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE) { 1119 if (s->s3->change_cipher_spec &&
1120 tls_content_type(s->s3->rcontent) != SSL3_RT_HANDSHAKE) {
1133 SSLerror(s, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); 1121 SSLerror(s, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
1134 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 1122 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1135 return -1; 1123 return -1;
@@ -1141,12 +1129,13 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1141 */ 1129 */
1142 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 1130 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
1143 s->rwstate = SSL_NOTHING; 1131 s->rwstate = SSL_NOTHING;
1144 rr->length = 0; 1132 tls_content_clear(s->s3->rcontent);
1133 s->s3->rrec.length = 0;
1145 return 0; 1134 return 0;
1146 } 1135 }
1147 1136
1148 /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ 1137 /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
1149 if (type == rr->type) { 1138 if (tls_content_type(s->s3->rcontent) == type) {
1150 /* 1139 /*
1151 * Make sure that we are not getting application data when we 1140 * Make sure that we are not getting application data when we
1152 * are doing a handshake for the first time. 1141 * are doing a handshake for the first time.
@@ -1162,34 +1151,28 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1162 if (len <= 0) 1151 if (len <= 0)
1163 return len; 1152 return len;
1164 1153
1165 if ((unsigned int)len > rr->length) 1154 if (peek) {
1166 n = rr->length; 1155 ssret = tls_content_peek(s->s3->rcontent, buf, len);
1167 else 1156 } else {
1168 n = (unsigned int)len; 1157 ssret = tls_content_read(s->s3->rcontent, buf, len);
1169
1170 memcpy(buf, &rr->data[rr->off], n);
1171 if (!peek) {
1172 memset(&rr->data[rr->off], 0, n);
1173 rr->length -= n;
1174 rr->off += n;
1175 if (rr->length == 0) {
1176 s->rstate = SSL_ST_READ_HEADER;
1177 rr->off = 0;
1178 if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
1179 s->s3->rbuf.left == 0)
1180 ssl3_release_read_buffer(s);
1181 }
1182 } 1158 }
1159 if (ssret < INT_MIN || ssret > INT_MAX)
1160 return -1;
1161 if (ssret < 0)
1162 return (int)ssret;
1183 1163
1184 return n; 1164 if (tls_content_remaining(s->s3->rcontent) == 0) {
1185 } 1165 s->rstate = SSL_ST_READ_HEADER;
1186 1166
1187 /* 1167 if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
1188 * If we get here, then type != rr->type; if we have a handshake 1168 s->s3->rbuf.left == 0)
1189 * message, then it was unexpected (Hello Request or Client Hello). 1169 ssl3_release_read_buffer(s);
1190 */ 1170 }
1171
1172 return ssret;
1173 }
1191 1174
1192 if (rr->type == SSL3_RT_ALERT) { 1175 if (tls_content_type(s->s3->rcontent) == SSL3_RT_ALERT) {
1193 if ((ret = ssl3_read_alert(s)) <= 0) 1176 if ((ret = ssl3_read_alert(s)) <= 0)
1194 return ret; 1177 return ret;
1195 goto start; 1178 goto start;
@@ -1197,11 +1180,12 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1197 1180
1198 if (s->shutdown & SSL_SENT_SHUTDOWN) { 1181 if (s->shutdown & SSL_SENT_SHUTDOWN) {
1199 s->rwstate = SSL_NOTHING; 1182 s->rwstate = SSL_NOTHING;
1200 rr->length = 0; 1183 tls_content_clear(s->s3->rcontent);
1184 s->s3->rrec.length = 0;
1201 return 0; 1185 return 0;
1202 } 1186 }
1203 1187
1204 if (rr->type == SSL3_RT_APPLICATION_DATA) { 1188 if (tls_content_type(s->s3->rcontent) == SSL3_RT_APPLICATION_DATA) {
1205 /* 1189 /*
1206 * At this point, we were expecting handshake data, but have 1190 * At this point, we were expecting handshake data, but have
1207 * application data. If the library was running inside 1191 * application data. If the library was running inside
@@ -1227,13 +1211,13 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1227 } 1211 }
1228 } 1212 }
1229 1213
1230 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { 1214 if (tls_content_type(s->s3->rcontent) == SSL3_RT_CHANGE_CIPHER_SPEC) {
1231 if ((ret = ssl3_read_change_cipher_spec(s)) <= 0) 1215 if ((ret = ssl3_read_change_cipher_spec(s)) <= 0)
1232 return ret; 1216 return ret;
1233 goto start; 1217 goto start;
1234 } 1218 }
1235 1219
1236 if (rr->type == SSL3_RT_HANDSHAKE) { 1220 if (tls_content_type(s->s3->rcontent) == SSL3_RT_HANDSHAKE) {
1237 if ((ret = ssl3_read_handshake_unexpected(s)) <= 0) 1221 if ((ret = ssl3_read_handshake_unexpected(s)) <= 0)
1238 return ret; 1222 return ret;
1239 goto start; 1223 goto start;
@@ -1244,7 +1228,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1244 * earlier versions silently ignore the record. 1228 * earlier versions silently ignore the record.
1245 */ 1229 */
1246 if (ssl_effective_tls_version(s) <= TLS1_1_VERSION) { 1230 if (ssl_effective_tls_version(s) <= TLS1_1_VERSION) {
1247 rr->length = 0; 1231 tls_content_clear(s->s3->rcontent);
1248 goto start; 1232 goto start;
1249 } 1233 }
1250 SSLerror(s, SSL_R_UNEXPECTED_RECORD); 1234 SSLerror(s, SSL_R_UNEXPECTED_RECORD);
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
index 3568e1876a..a65906697d 100644
--- a/src/lib/libssl/tls12_record_layer.c
+++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls12_record_layer.c,v 1.36 2022/01/14 09:12:15 tb Exp $ */ 1/* $OpenBSD: tls12_record_layer.c,v 1.37 2022/11/11 17:15:26 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -864,28 +864,25 @@ tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
864 864
865static int 865static int
866tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, 866tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl,
867 uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len) 867 uint8_t content_type, CBS *fragment, struct tls_content *out)
868{ 868{
869 if (tls12_record_protection_engaged(rl->read)) 869 if (tls12_record_protection_engaged(rl->read))
870 return 0; 870 return 0;
871 871
872 /* XXX - decrypt/process in place for now. */ 872 return tls_content_dup_data(out, content_type, CBS_data(fragment),
873 *out = (uint8_t *)CBS_data(fragment); 873 CBS_len(fragment));
874 *out_len = CBS_len(fragment);
875
876 return 1;
877} 874}
878 875
879static int 876static int
880tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, 877tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
881 uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, 878 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
882 size_t *out_len)
883{ 879{
884 struct tls12_record_protection *rp = rl->read; 880 struct tls12_record_protection *rp = rl->read;
885 uint8_t *header = NULL; 881 uint8_t *header = NULL;
886 size_t header_len = 0; 882 size_t header_len = 0;
887 uint8_t *plain; 883 uint8_t *content = NULL;
888 size_t plain_len; 884 size_t content_len = 0;
885 size_t out_len = 0;
889 CBS var_nonce; 886 CBS var_nonce;
890 int ret = 0; 887 int ret = 0;
891 888
@@ -913,43 +910,47 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
913 goto err; 910 goto err;
914 } 911 }
915 912
916 /* XXX - decrypt/process in place for now. */ 913 content_len = CBS_len(fragment) - rp->aead_tag_len;
917 plain = (uint8_t *)CBS_data(fragment); 914 if ((content = calloc(1, CBS_len(fragment))) == NULL) {
918 plain_len = CBS_len(fragment) - rp->aead_tag_len; 915 content_len = 0;
916 goto err;
917 }
919 918
920 if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, 919 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
921 seq_num, &header, &header_len)) 920 seq_num, &header, &header_len))
922 goto err; 921 goto err;
923 922
924 if (!EVP_AEAD_CTX_open(rp->aead_ctx, plain, out_len, plain_len, 923 if (!EVP_AEAD_CTX_open(rp->aead_ctx, content, &out_len, content_len,
925 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment), 924 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment),
926 CBS_len(fragment), header, header_len)) { 925 CBS_len(fragment), header, header_len)) {
927 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 926 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
928 goto err; 927 goto err;
929 } 928 }
930 929
931 if (*out_len > SSL3_RT_MAX_PLAIN_LENGTH) { 930 if (out_len > SSL3_RT_MAX_PLAIN_LENGTH) {
932 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 931 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
933 goto err; 932 goto err;
934 } 933 }
935 934
936 if (*out_len != plain_len) 935 if (out_len != content_len)
937 goto err; 936 goto err;
938 937
939 *out = plain; 938 tls_content_set_data(out, content_type, content, content_len);
939 content = NULL;
940 content_len = 0;
940 941
941 ret = 1; 942 ret = 1;
942 943
943 err: 944 err:
944 freezero(header, header_len); 945 freezero(header, header_len);
946 freezero(content, content_len);
945 947
946 return ret; 948 return ret;
947} 949}
948 950
949static int 951static int
950tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, 952tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
951 uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, 953 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
952 size_t *out_len)
953{ 954{
954 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 955 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
955 SSL3_RECORD_INTERNAL rrec; 956 SSL3_RECORD_INTERNAL rrec;
@@ -958,8 +959,8 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
958 size_t mac_len = 0; 959 size_t mac_len = 0;
959 uint8_t *out_mac = NULL; 960 uint8_t *out_mac = NULL;
960 size_t out_mac_len = 0; 961 size_t out_mac_len = 0;
961 uint8_t *plain; 962 uint8_t *content = NULL;
962 size_t plain_len; 963 size_t content_len = 0;
963 size_t min_len; 964 size_t min_len;
964 CBB cbb_mac; 965 CBB cbb_mac;
965 int ret = 0; 966 int ret = 0;
@@ -1001,16 +1002,16 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
1001 goto err; 1002 goto err;
1002 } 1003 }
1003 1004
1004 /* XXX - decrypt/process in place for now. */ 1005 if ((content = calloc(1, CBS_len(fragment))) == NULL)
1005 plain = (uint8_t *)CBS_data(fragment); 1006 goto err;
1006 plain_len = CBS_len(fragment); 1007 content_len = CBS_len(fragment);
1007 1008
1008 if (!EVP_Cipher(enc, plain, CBS_data(fragment), plain_len)) 1009 if (!EVP_Cipher(enc, content, CBS_data(fragment), CBS_len(fragment)))
1009 goto err; 1010 goto err;
1010 1011
1011 rrec.data = plain; 1012 rrec.data = content;
1012 rrec.input = plain; 1013 rrec.input = content;
1013 rrec.length = plain_len; 1014 rrec.length = content_len;
1014 1015
1015 /* 1016 /*
1016 * We now have to remove padding, extract MAC, calculate MAC 1017 * We now have to remove padding, extract MAC, calculate MAC
@@ -1058,8 +1059,13 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
1058 goto err; 1059 goto err;
1059 } 1060 }
1060 1061
1061 *out = rrec.data; 1062 tls_content_set_data(out, content_type, content, content_len);
1062 *out_len = rrec.length; 1063 content = NULL;
1064 content_len = 0;
1065
1066 /* Actual content is after EIV, minus padding and MAC. */
1067 if (!tls_content_set_bounds(out, eiv_len, rrec.length))
1068 goto err;
1063 1069
1064 ret = 1; 1070 ret = 1;
1065 1071
@@ -1067,13 +1073,14 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
1067 CBB_cleanup(&cbb_mac); 1073 CBB_cleanup(&cbb_mac);
1068 freezero(mac, mac_len); 1074 freezero(mac, mac_len);
1069 freezero(out_mac, out_mac_len); 1075 freezero(out_mac, out_mac_len);
1076 freezero(content, content_len);
1070 1077
1071 return ret; 1078 return ret;
1072} 1079}
1073 1080
1074int 1081int
1075tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, 1082tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
1076 size_t buf_len, uint8_t **out, size_t *out_len) 1083 size_t buf_len, struct tls_content *out)
1077{ 1084{
1078 CBS cbs, fragment, seq_num; 1085 CBS cbs, fragment, seq_num;
1079 uint16_t version; 1086 uint16_t version;
@@ -1105,15 +1112,15 @@ tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
1105 1112
1106 if (rl->read->aead_ctx != NULL) { 1113 if (rl->read->aead_ctx != NULL) {
1107 if (!tls12_record_layer_open_record_protected_aead(rl, 1114 if (!tls12_record_layer_open_record_protected_aead(rl,
1108 content_type, &seq_num, &fragment, out, out_len)) 1115 content_type, &seq_num, &fragment, out))
1109 return 0; 1116 return 0;
1110 } else if (rl->read->cipher_ctx != NULL) { 1117 } else if (rl->read->cipher_ctx != NULL) {
1111 if (!tls12_record_layer_open_record_protected_cipher(rl, 1118 if (!tls12_record_layer_open_record_protected_cipher(rl,
1112 content_type, &seq_num, &fragment, out, out_len)) 1119 content_type, &seq_num, &fragment, out))
1113 return 0; 1120 return 0;
1114 } else { 1121 } else {
1115 if (!tls12_record_layer_open_record_plaintext(rl, 1122 if (!tls12_record_layer_open_record_plaintext(rl,
1116 content_type, &fragment, out, out_len)) 1123 content_type, &fragment, out))
1117 return 0; 1124 return 0;
1118 } 1125 }
1119 1126
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index 423b405cbd..4ae4e298eb 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_record_layer.c,v 1.71 2022/09/11 13:50:41 jsing Exp $ */ 1/* $OpenBSD: tls13_record_layer.c,v 1.72 2022/11/11 17:15:27 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -561,6 +561,7 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
561 if (!tls13_record_content(rl->rrec, &enc_record)) 561 if (!tls13_record_content(rl->rrec, &enc_record))
562 goto err; 562 goto err;
563 563
564 /* XXX - minus tag len? */
564 if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 565 if ((content = calloc(1, CBS_len(&enc_record))) == NULL)
565 goto err; 566 goto err;
566 content_len = CBS_len(&enc_record); 567 content_len = CBS_len(&enc_record);
diff --git a/src/lib/libssl/tls_content.c b/src/lib/libssl/tls_content.c
index ede178f84c..726de0fdc4 100644
--- a/src/lib/libssl/tls_content.c
+++ b/src/lib/libssl/tls_content.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_content.c,v 1.1 2021/09/04 16:26:12 jsing Exp $ */ 1/* $OpenBSD: tls_content.c,v 1.2 2022/11/11 17:15:27 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -26,7 +26,7 @@ struct tls_content {
26 uint16_t epoch; 26 uint16_t epoch;
27 27
28 const uint8_t *data; 28 const uint8_t *data;
29 size_t len; 29 size_t data_len;
30 CBS cbs; 30 CBS cbs;
31}; 31};
32 32
@@ -39,7 +39,7 @@ tls_content_new(void)
39void 39void
40tls_content_clear(struct tls_content *content) 40tls_content_clear(struct tls_content *content)
41{ 41{
42 freezero((void *)content->data, content->len); 42 freezero((void *)content->data, content->data_len);
43 memset(content, 0, sizeof(*content)); 43 memset(content, 0, sizeof(*content));
44} 44}
45 45
@@ -113,9 +113,24 @@ tls_content_set_data(struct tls_content *content, uint8_t type,
113 113
114 content->type = type; 114 content->type = type;
115 content->data = data; 115 content->data = data;
116 content->len = data_len; 116 content->data_len = data_len;
117 117
118 CBS_init(&content->cbs, content->data, content->len); 118 CBS_init(&content->cbs, content->data, content->data_len);
119}
120
121int
122tls_content_set_bounds(struct tls_content *content, size_t offset, size_t len)
123{
124 size_t content_len;
125
126 content_len = offset + len;
127 if (content_len < len)
128 return 0;
129 if (content_len > content->data_len)
130 return 0;
131
132 CBS_init(&content->cbs, content->data, content_len);
133 return CBS_skip(&content->cbs, offset);
119} 134}
120 135
121static ssize_t 136static ssize_t
diff --git a/src/lib/libssl/tls_content.h b/src/lib/libssl/tls_content.h
index 173af2a740..b807248f60 100644
--- a/src/lib/libssl/tls_content.h
+++ b/src/lib/libssl/tls_content.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_content.h,v 1.1 2021/09/04 16:26:12 jsing Exp $ */ 1/* $OpenBSD: tls_content.h,v 1.2 2022/11/11 17:15:27 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -38,6 +38,8 @@ int tls_content_dup_data(struct tls_content *content, uint8_t type,
38 const uint8_t *data, size_t data_len); 38 const uint8_t *data, size_t data_len);
39void tls_content_set_data(struct tls_content *content, uint8_t type, 39void tls_content_set_data(struct tls_content *content, uint8_t type,
40 const uint8_t *data, size_t data_len); 40 const uint8_t *data, size_t data_len);
41int tls_content_set_bounds(struct tls_content *content, size_t offset,
42 size_t len);
41void tls_content_set_epoch(struct tls_content *content, uint16_t epoch); 43void tls_content_set_epoch(struct tls_content *content, uint16_t epoch);
42 44
43ssize_t tls_content_peek(struct tls_content *content, uint8_t *buf, size_t n); 45ssize_t tls_content_peek(struct tls_content *content, uint8_t *buf, size_t n);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 15:18:46 +0000