summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/d1_lib.c21
-rw-r--r--src/lib/libssl/d1_pkt.c190
-rw-r--r--src/lib/libssl/dtls_locl.h14
-rw-r--r--src/lib/libssl/s3_lib.c15
-rw-r--r--src/lib/libssl/ssl_locl.h11
-rw-r--r--src/lib/libssl/ssl_pkt.c120
-rw-r--r--src/lib/libssl/tls12_record_layer.c79
-rw-r--r--src/lib/libssl/tls13_record_layer.c3
-rw-r--r--src/lib/libssl/tls_content.c25
-rw-r--r--src/lib/libssl/tls_content.h4
10 files changed, 292 insertions, 190 deletions
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index cf4c5100d5..fe51769530 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_lib.c,v 1.62 2022/10/02 16:36:41 jsing Exp $ */ 1/* $OpenBSD: d1_lib.c,v 1.63 2022/11/11 17:15:26 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -105,6 +105,23 @@ dtls1_new(SSL *s)
105} 105}
106 106
107static void 107static void
108dtls1_drain_rcontents(pqueue queue)
109{
110 DTLS1_RCONTENT_DATA_INTERNAL *rdata;
111 pitem *item;
112
113 if (queue == NULL)
114 return;
115
116 while ((item = pqueue_pop(queue)) != NULL) {
117 rdata = (DTLS1_RCONTENT_DATA_INTERNAL *)item->data;
118 tls_content_free(rdata->rcontent);
119 free(item->data);
120 pitem_free(item);
121 }
122}
123
124static void
108dtls1_drain_records(pqueue queue) 125dtls1_drain_records(pqueue queue)
109{ 126{
110 pitem *item; 127 pitem *item;
@@ -141,7 +158,7 @@ dtls1_clear_queues(SSL *s)
141 dtls1_drain_records(s->d1->unprocessed_rcds.q); 158 dtls1_drain_records(s->d1->unprocessed_rcds.q);
142 dtls1_drain_fragments(s->d1->buffered_messages); 159 dtls1_drain_fragments(s->d1->buffered_messages);
143 dtls1_drain_fragments(s->d1->sent_messages); 160 dtls1_drain_fragments(s->d1->sent_messages);
144 dtls1_drain_records(s->d1->buffered_app_data.q); 161 dtls1_drain_rcontents(s->d1->buffered_app_data.q);
145} 162}
146 163
147void 164void
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 1431434ba8..35d5d8ec6d 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_pkt.c,v 1.124 2022/10/02 16:36:41 jsing Exp $ */ 1/* $OpenBSD: d1_pkt.c,v 1.125 2022/11/11 17:15:26 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -115,6 +115,7 @@
115 115
116#include <endian.h> 116#include <endian.h>
117#include <errno.h> 117#include <errno.h>
118#include <limits.h>
118#include <stdio.h> 119#include <stdio.h>
119 120
120#include <openssl/buffer.h> 121#include <openssl/buffer.h>
@@ -124,6 +125,7 @@
124#include "dtls_locl.h" 125#include "dtls_locl.h"
125#include "pqueue.h" 126#include "pqueue.h"
126#include "ssl_locl.h" 127#include "ssl_locl.h"
128#include "tls_content.h"
127 129
128/* mod 128 saturating subtract of two 64-bit values in big-endian order */ 130/* mod 128 saturating subtract of two 64-bit values in big-endian order */
129static int 131static int
@@ -247,6 +249,44 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
247 return (-1); 249 return (-1);
248} 250}
249 251
252static int
253dtls1_buffer_rcontent(SSL *s, rcontent_pqueue *queue, unsigned char *priority)
254{
255 DTLS1_RCONTENT_DATA_INTERNAL *rdata;
256 pitem *item;
257
258 /* Limit the size of the queue to prevent DOS attacks */
259 if (pqueue_size(queue->q) >= 100)
260 return 0;
261
262 rdata = malloc(sizeof(DTLS1_RCONTENT_DATA_INTERNAL));
263 item = pitem_new(priority, rdata);
264 if (rdata == NULL || item == NULL)
265 goto init_err;
266
267 rdata->rcontent = s->s3->rcontent;
268 s->s3->rcontent = NULL;
269
270 item->data = rdata;
271
272 /* insert should not fail, since duplicates are dropped */
273 if (pqueue_insert(queue->q, item) == NULL)
274 goto err;
275
276 if ((s->s3->rcontent = tls_content_new()) == NULL)
277 goto err;
278
279 return (1);
280
281 err:
282 tls_content_free(rdata->rcontent);
283
284 init_err:
285 SSLerror(s, ERR_R_INTERNAL_ERROR);
286 free(rdata);
287 pitem_free(item);
288 return (-1);
289}
250 290
251static int 291static int
252dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) 292dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
@@ -267,6 +307,29 @@ dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
267} 307}
268 308
269static int 309static int
310dtls1_retrieve_buffered_rcontent(SSL *s, rcontent_pqueue *queue)
311{
312 DTLS1_RCONTENT_DATA_INTERNAL *rdata;
313 pitem *item;
314
315 item = pqueue_pop(queue->q);
316 if (item) {
317 rdata = item->data;
318
319 tls_content_free(s->s3->rcontent);
320 s->s3->rcontent = rdata->rcontent;
321 s->s3->rrec.epoch = tls_content_epoch(s->s3->rcontent);
322
323 free(item->data);
324 pitem_free(item);
325
326 return (1);
327 }
328
329 return (0);
330}
331
332static int
270dtls1_process_buffered_record(SSL *s) 333dtls1_process_buffered_record(SSL *s)
271{ 334{
272 /* Check if epoch is current. */ 335 /* Check if epoch is current. */
@@ -295,13 +358,11 @@ dtls1_process_record(SSL *s)
295{ 358{
296 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec); 359 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec);
297 uint8_t alert_desc; 360 uint8_t alert_desc;
298 uint8_t *out;
299 size_t out_len;
300 361
301 tls12_record_layer_set_version(s->rl, s->version); 362 tls12_record_layer_set_version(s->rl, s->version);
302 363
303 if (!tls12_record_layer_open_record(s->rl, s->packet, 364 if (!tls12_record_layer_open_record(s->rl, s->packet, s->packet_length,
304 s->packet_length, &out, &out_len)) { 365 s->s3->rcontent)) {
305 tls12_record_layer_alert(s->rl, &alert_desc); 366 tls12_record_layer_alert(s->rl, &alert_desc);
306 367
307 if (alert_desc == 0) 368 if (alert_desc == 0)
@@ -311,10 +372,8 @@ dtls1_process_record(SSL *s)
311 * DTLS should silently discard invalid records, including those 372 * DTLS should silently discard invalid records, including those
312 * with a bad MAC, as per RFC 6347 section 4.1.2.1. 373 * with a bad MAC, as per RFC 6347 section 4.1.2.1.
313 */ 374 */
314 if (alert_desc == SSL_AD_BAD_RECORD_MAC) { 375 if (alert_desc == SSL_AD_BAD_RECORD_MAC)
315 out_len = 0;
316 goto done; 376 goto done;
317 }
318 377
319 if (alert_desc == SSL_AD_RECORD_OVERFLOW) 378 if (alert_desc == SSL_AD_RECORD_OVERFLOW)
320 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 379 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
@@ -322,11 +381,10 @@ dtls1_process_record(SSL *s)
322 goto fatal_err; 381 goto fatal_err;
323 } 382 }
324 383
325 done: 384 /* XXX move to record layer. */
326 rr->data = out; 385 tls_content_set_epoch(s->s3->rcontent, rr->epoch);
327 rr->length = out_len;
328 rr->off = 0;
329 386
387 done:
330 s->packet_length = 0; 388 s->packet_length = 0;
331 389
332 return (1); 390 return (1);
@@ -485,7 +543,6 @@ dtls1_get_record(SSL *s)
485static int 543static int
486dtls1_read_handshake_unexpected(SSL *s) 544dtls1_read_handshake_unexpected(SSL *s)
487{ 545{
488 SSL3_RECORD_INTERNAL *rr = &s->s3->rrec;
489 struct hm_header_st hs_msg_hdr; 546 struct hm_header_st hs_msg_hdr;
490 CBS cbs; 547 CBS cbs;
491 int ret; 548 int ret;
@@ -495,19 +552,16 @@ dtls1_read_handshake_unexpected(SSL *s)
495 return -1; 552 return -1;
496 } 553 }
497 554
498 if (rr->off != 0) {
499 SSLerror(s, ERR_R_INTERNAL_ERROR);
500 return -1;
501 }
502
503 /* Parse handshake message header. */ 555 /* Parse handshake message header. */
504 CBS_init(&cbs, rr->data, rr->length); 556 CBS_dup(&cbs, tls_content_cbs(s->s3->rcontent));
505 if (!dtls1_get_message_header(&cbs, &hs_msg_hdr)) 557 if (!dtls1_get_message_header(&cbs, &hs_msg_hdr))
506 return -1; /* XXX - probably should drop/continue. */ 558 return -1; /* XXX - probably should drop/continue. */
507 559
508 /* This may just be a stale retransmit. */ 560 /* This may just be a stale retransmit. */
509 if (rr->epoch != tls12_record_layer_read_epoch(s->rl)) { 561 if (tls_content_epoch(s->s3->rcontent) !=
510 rr->length = 0; 562 tls12_record_layer_read_epoch(s->rl)) {
563 tls_content_clear(s->s3->rcontent);
564 s->s3->rrec.length = 0;
511 return 1; 565 return 1;
512 } 566 }
513 567
@@ -532,10 +586,11 @@ dtls1_read_handshake_unexpected(SSL *s)
532 return -1; 586 return -1;
533 } 587 }
534 588
535 ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, rr->data, 589 ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE,
536 DTLS1_HM_HEADER_LENGTH); 590 tls_content_cbs(s->s3->rcontent));
537 591
538 rr->length = 0; 592 tls_content_clear(s->s3->rcontent);
593 s->s3->rrec.length = 0;
539 594
540 /* 595 /*
541 * It should be impossible to hit this, but keep the safety 596 * It should be impossible to hit this, but keep the safety
@@ -624,7 +679,8 @@ dtls1_read_handshake_unexpected(SSL *s)
624 679
625 dtls1_retransmit_buffered_messages(s); 680 dtls1_retransmit_buffered_messages(s);
626 681
627 rr->length = 0; 682 tls_content_clear(s->s3->rcontent);
683 s->s3->rrec.length = 0;
628 684
629 return 1; 685 return 1;
630 686
@@ -685,9 +741,8 @@ dtls1_read_handshake_unexpected(SSL *s)
685int 741int
686dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) 742dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
687{ 743{
688 SSL3_RECORD_INTERNAL *rr;
689 int rrcount = 0; 744 int rrcount = 0;
690 unsigned int n; 745 ssize_t ssret;
691 int ret; 746 int ret;
692 747
693 if (s->s3->rbuf.buf == NULL) { 748 if (s->s3->rbuf.buf == NULL) {
@@ -695,6 +750,11 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
695 return -1; 750 return -1;
696 } 751 }
697 752
753 if (s->s3->rcontent == NULL) {
754 if ((s->s3->rcontent = tls_content_new()) == NULL)
755 return -1;
756 }
757
698 if (len < 0) { 758 if (len < 0) {
699 SSLerror(s, ERR_R_INTERNAL_ERROR); 759 SSLerror(s, ERR_R_INTERNAL_ERROR);
700 return -1; 760 return -1;
@@ -735,19 +795,18 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
735 795
736 s->rwstate = SSL_NOTHING; 796 s->rwstate = SSL_NOTHING;
737 797
738 rr = &s->s3->rrec;
739
740 /* 798 /*
741 * We are not handshaking and have no data yet, so process data buffered 799 * We are not handshaking and have no data yet, so process data buffered
742 * during the last handshake in advance, if any. 800 * during the last handshake in advance, if any.
743 */ 801 */
744 if (s->s3->hs.state == SSL_ST_OK && rr->length == 0) 802 if (s->s3->hs.state == SSL_ST_OK &&
745 dtls1_retrieve_buffered_record(s, &s->d1->buffered_app_data); 803 tls_content_remaining(s->s3->rcontent) == 0)
804 dtls1_retrieve_buffered_rcontent(s, &s->d1->buffered_app_data);
746 805
747 if (dtls1_handle_timeout(s) > 0) 806 if (dtls1_handle_timeout(s) > 0)
748 goto start; 807 goto start;
749 808
750 if (rr->length == 0 || s->rstate == SSL_ST_READ_BODY) { 809 if (tls_content_remaining(s->s3->rcontent) == 0) {
751 if ((ret = dtls1_get_record(s)) <= 0) { 810 if ((ret = dtls1_get_record(s)) <= 0) {
752 /* Anything other than a timeout is an error. */ 811 /* Anything other than a timeout is an error. */
753 if ((ret = dtls1_read_failed(s, ret)) <= 0) 812 if ((ret = dtls1_read_failed(s, ret)) <= 0)
@@ -756,26 +815,30 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
756 } 815 }
757 } 816 }
758 817
759 if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) { 818 if (s->d1->listen &&
760 rr->length = 0; 819 tls_content_type(s->s3->rcontent) != SSL3_RT_HANDSHAKE) {
820 tls_content_clear(s->s3->rcontent);
821 s->s3->rrec.length = 0;
761 goto start; 822 goto start;
762 } 823 }
763 824
764 /* We now have a packet which can be read and processed. */ 825 /* We now have a packet which can be read and processed. */
765 826
766 if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE) { 827 if (s->s3->change_cipher_spec &&
828 tls_content_type(s->s3->rcontent) != SSL3_RT_HANDSHAKE) {
767 /* 829 /*
768 * We now have application data between CCS and Finished. 830 * We now have application data between CCS and Finished.
769 * Most likely the packets were reordered on their way, so 831 * Most likely the packets were reordered on their way, so
770 * buffer the application data for later processing rather 832 * buffer the application data for later processing rather
771 * than dropping the connection. 833 * than dropping the connection.
772 */ 834 */
773 if (dtls1_buffer_record(s, &s->d1->buffered_app_data, 835 if (dtls1_buffer_rcontent(s, &s->d1->buffered_app_data,
774 rr->seq_num) < 0) { 836 s->s3->rrec.seq_num) < 0) {
775 SSLerror(s, ERR_R_INTERNAL_ERROR); 837 SSLerror(s, ERR_R_INTERNAL_ERROR);
776 return (-1); 838 return (-1);
777 } 839 }
778 rr->length = 0; 840 tls_content_clear(s->s3->rcontent);
841 s->s3->rrec.length = 0;
779 goto start; 842 goto start;
780 } 843 }
781 844
@@ -785,12 +848,13 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
785 */ 848 */
786 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 849 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
787 s->rwstate = SSL_NOTHING; 850 s->rwstate = SSL_NOTHING;
788 rr->length = 0; 851 tls_content_clear(s->s3->rcontent);
852 s->s3->rrec.length = 0;
789 return 0; 853 return 0;
790 } 854 }
791 855
792 /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ 856 /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
793 if (type == rr->type) { 857 if (tls_content_type(s->s3->rcontent) == type) {
794 /* 858 /*
795 * Make sure that we are not getting application data when we 859 * Make sure that we are not getting application data when we
796 * are doing a handshake for the first time. 860 * are doing a handshake for the first time.
@@ -806,31 +870,23 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
806 if (len <= 0) 870 if (len <= 0)
807 return len; 871 return len;
808 872
809 if ((unsigned int)len > rr->length) 873 if (peek) {
810 n = rr->length; 874 ssret = tls_content_peek(s->s3->rcontent, buf, len);
811 else 875 } else {
812 n = (unsigned int)len; 876 ssret = tls_content_read(s->s3->rcontent, buf, len);
813
814 memcpy(buf, &rr->data[rr->off], n);
815 if (!peek) {
816 memset(&rr->data[rr->off], 0, n);
817 rr->length -= n;
818 rr->off += n;
819 if (rr->length == 0) {
820 s->rstate = SSL_ST_READ_HEADER;
821 rr->off = 0;
822 }
823 } 877 }
878 if (ssret < INT_MIN || ssret > INT_MAX)
879 return -1;
880 if (ssret < 0)
881 return (int)ssret;
824 882
825 return n; 883 if (tls_content_remaining(s->s3->rcontent) == 0)
826 } 884 s->rstate = SSL_ST_READ_HEADER;
827 885
828 /* 886 return (int)ssret;
829 * If we get here, then type != rr->type; if we have a handshake 887 }
830 * message, then it was unexpected (Hello Request or Client Hello).
831 */
832 888
833 if (rr->type == SSL3_RT_ALERT) { 889 if (tls_content_type(s->s3->rcontent) == SSL3_RT_ALERT) {
834 if ((ret = ssl3_read_alert(s)) <= 0) 890 if ((ret = ssl3_read_alert(s)) <= 0)
835 return ret; 891 return ret;
836 goto start; 892 goto start;
@@ -838,11 +894,12 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
838 894
839 if (s->shutdown & SSL_SENT_SHUTDOWN) { 895 if (s->shutdown & SSL_SENT_SHUTDOWN) {
840 s->rwstate = SSL_NOTHING; 896 s->rwstate = SSL_NOTHING;
841 rr->length = 0; 897 tls_content_clear(s->s3->rcontent);
898 s->s3->rrec.length = 0;
842 return (0); 899 return (0);
843 } 900 }
844 901
845 if (rr->type == SSL3_RT_APPLICATION_DATA) { 902 if (tls_content_type(s->s3->rcontent) == SSL3_RT_APPLICATION_DATA) {
846 /* 903 /*
847 * At this point, we were expecting handshake data, but have 904 * At this point, we were expecting handshake data, but have
848 * application data. If the library was running inside 905 * application data. If the library was running inside
@@ -868,13 +925,13 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
868 } 925 }
869 } 926 }
870 927
871 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { 928 if (tls_content_type(s->s3->rcontent) == SSL3_RT_CHANGE_CIPHER_SPEC) {
872 if ((ret = ssl3_read_change_cipher_spec(s)) <= 0) 929 if ((ret = ssl3_read_change_cipher_spec(s)) <= 0)
873 return ret; 930 return ret;
874 goto start; 931 goto start;
875 } 932 }
876 933
877 if (rr->type == SSL3_RT_HANDSHAKE) { 934 if (tls_content_type(s->s3->rcontent) == SSL3_RT_HANDSHAKE) {
878 if ((ret = dtls1_read_handshake_unexpected(s)) <= 0) 935 if ((ret = dtls1_read_handshake_unexpected(s)) <= 0)
879 return ret; 936 return ret;
880 goto start; 937 goto start;
@@ -891,8 +948,7 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
891{ 948{
892 int i; 949 int i;
893 950
894 if (SSL_in_init(s) && !s->in_handshake) 951 if (SSL_in_init(s) && !s->in_handshake) {
895 {
896 i = s->handshake_func(s); 952 i = s->handshake_func(s);
897 if (i < 0) 953 if (i < 0)
898 return (i); 954 return (i);
diff --git a/src/lib/libssl/dtls_locl.h b/src/lib/libssl/dtls_locl.h
index da5c259aff..784d397f7d 100644
--- a/src/lib/libssl/dtls_locl.h
+++ b/src/lib/libssl/dtls_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: dtls_locl.h,v 1.10 2021/10/23 13:45:44 jsing Exp $ */ 1/* $OpenBSD: dtls_locl.h,v 1.11 2022/11/11 17:15:26 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -65,6 +65,7 @@
65#include <openssl/dtls1.h> 65#include <openssl/dtls1.h>
66 66
67#include "ssl_locl.h" 67#include "ssl_locl.h"
68#include "tls_content.h"
68 69
69__BEGIN_HIDDEN_DECLS 70__BEGIN_HIDDEN_DECLS
70 71
@@ -109,6 +110,11 @@ typedef struct record_pqueue_st {
109 struct _pqueue *q; 110 struct _pqueue *q;
110} record_pqueue; 111} record_pqueue;
111 112
113typedef struct rcontent_pqueue_st {
114 unsigned short epoch;
115 struct _pqueue *q;
116} rcontent_pqueue;
117
112typedef struct hm_fragment_st { 118typedef struct hm_fragment_st {
113 struct hm_header_st msg_header; 119 struct hm_header_st msg_header;
114 unsigned char *fragment; 120 unsigned char *fragment;
@@ -122,6 +128,10 @@ typedef struct dtls1_record_data_internal_st {
122 SSL3_RECORD_INTERNAL rrec; 128 SSL3_RECORD_INTERNAL rrec;
123} DTLS1_RECORD_DATA_INTERNAL; 129} DTLS1_RECORD_DATA_INTERNAL;
124 130
131typedef struct dtls1_rcontent_data_internal_st {
132 struct tls_content *rcontent;
133} DTLS1_RCONTENT_DATA_INTERNAL;
134
125struct dtls1_state_st { 135struct dtls1_state_st {
126 /* Buffered (sent) handshake records */ 136 /* Buffered (sent) handshake records */
127 struct _pqueue *sent_messages; 137 struct _pqueue *sent_messages;
@@ -160,7 +170,7 @@ struct dtls1_state_st {
160 * to prevent either protocol violation or 170 * to prevent either protocol violation or
161 * unnecessary message loss. 171 * unnecessary message loss.
162 */ 172 */
163 record_pqueue buffered_app_data; 173 rcontent_pqueue buffered_app_data;
164 174
165 /* Is set when listening for new connections with dtls1_listen() */ 175 /* Is set when listening for new connections with dtls1_listen() */
166 unsigned int listen; 176 unsigned int listen;
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 68c6fc6324..87092069df 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.240 2022/11/10 18:06:37 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.241 2022/11/11 17:15:26 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -163,6 +163,7 @@
163#include "ssl_locl.h" 163#include "ssl_locl.h"
164#include "ssl_sigalgs.h" 164#include "ssl_sigalgs.h"
165#include "ssl_tlsext.h" 165#include "ssl_tlsext.h"
166#include "tls_content.h"
166 167
167#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 168#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
168 169
@@ -1441,11 +1442,12 @@ ssl3_cipher_get_value(const SSL_CIPHER *c)
1441int 1442int
1442ssl3_pending(const SSL *s) 1443ssl3_pending(const SSL *s)
1443{ 1444{
1444 if (s->rstate == SSL_ST_READ_BODY) 1445 if (s->s3->rcontent == NULL)
1446 return 0;
1447 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA)
1445 return 0; 1448 return 0;
1446 1449
1447 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? 1450 return tls_content_remaining(s->s3->rcontent);
1448 s->s3->rrec.length : 0;
1449} 1451}
1450 1452
1451int 1453int
@@ -1560,6 +1562,8 @@ ssl3_free(SSL *s)
1560 ssl3_release_read_buffer(s); 1562 ssl3_release_read_buffer(s);
1561 ssl3_release_write_buffer(s); 1563 ssl3_release_write_buffer(s);
1562 1564
1565 tls_content_free(s->s3->rcontent);
1566
1563 tls_buffer_free(s->s3->alert_fragment); 1567 tls_buffer_free(s->s3->alert_fragment);
1564 tls_buffer_free(s->s3->handshake_fragment); 1568 tls_buffer_free(s->s3->handshake_fragment);
1565 1569
@@ -1637,6 +1641,9 @@ ssl3_clear(SSL *s)
1637 rlen = s->s3->rbuf.len; 1641 rlen = s->s3->rbuf.len;
1638 wlen = s->s3->wbuf.len; 1642 wlen = s->s3->wbuf.len;
1639 1643
1644 tls_content_free(s->s3->rcontent);
1645 s->s3->rcontent = NULL;
1646
1640 tls1_transcript_free(s); 1647 tls1_transcript_free(s);
1641 tls1_transcript_hash_free(s); 1648 tls1_transcript_hash_free(s);
1642 1649
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 69546c0962..8387513d99 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.431 2022/11/10 18:06:37 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.432 2022/11/11 17:15:26 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -162,6 +162,7 @@
162#include <openssl/stack.h> 162#include <openssl/stack.h>
163 163
164#include "bytestring.h" 164#include "bytestring.h"
165#include "tls_content.h"
165#include "tls13_internal.h" 166#include "tls13_internal.h"
166 167
167__BEGIN_HIDDEN_DECLS 168__BEGIN_HIDDEN_DECLS
@@ -706,7 +707,7 @@ int tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
706int tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, 707int tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
707 CBS *mac_key, CBS *key, CBS *iv); 708 CBS *mac_key, CBS *key, CBS *iv);
708int tls12_record_layer_open_record(struct tls12_record_layer *rl, 709int tls12_record_layer_open_record(struct tls12_record_layer *rl,
709 uint8_t *buf, size_t buf_len, uint8_t **out, size_t *out_len); 710 uint8_t *buf, size_t buf_len, struct tls_content *out);
710int tls12_record_layer_seal_record(struct tls12_record_layer *rl, 711int tls12_record_layer_seal_record(struct tls12_record_layer *rl,
711 uint8_t content_type, const uint8_t *content, size_t content_len, 712 uint8_t content_type, const uint8_t *content, size_t content_len,
712 CBB *out); 713 CBB *out);
@@ -1157,6 +1158,10 @@ typedef struct ssl3_state_st {
1157 SSL3_BUFFER_INTERNAL rbuf; /* read IO goes into here */ 1158 SSL3_BUFFER_INTERNAL rbuf; /* read IO goes into here */
1158 SSL3_BUFFER_INTERNAL wbuf; /* write IO goes into here */ 1159 SSL3_BUFFER_INTERNAL wbuf; /* write IO goes into here */
1159 1160
1161 SSL3_RECORD_INTERNAL rrec; /* each decoded record goes in here */
1162
1163 struct tls_content *rcontent; /* Content from opened TLS records. */
1164
1160 /* we allow one fatal and one warning alert to be outstanding, 1165 /* we allow one fatal and one warning alert to be outstanding,
1161 * send close alert via the warning alert */ 1166 * send close alert via the warning alert */
1162 int alert_dispatch; 1167 int alert_dispatch;
@@ -1166,8 +1171,6 @@ typedef struct ssl3_state_st {
1166 int need_empty_fragments; 1171 int need_empty_fragments;
1167 int empty_fragment_done; 1172 int empty_fragment_done;
1168 1173
1169 SSL3_RECORD_INTERNAL rrec; /* each decoded record goes in here */
1170
1171 /* Unprocessed Alert/Handshake protocol data. */ 1174 /* Unprocessed Alert/Handshake protocol data. */
1172 struct tls_buffer *alert_fragment; 1175 struct tls_buffer *alert_fragment;
1173 struct tls_buffer *handshake_fragment; 1176 struct tls_buffer *handshake_fragment;
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index 58d3ee1db2..4d79981484 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_pkt.c,v 1.63 2022/11/10 18:06:37 jsing Exp $ */ 1/* $OpenBSD: ssl_pkt.c,v 1.64 2022/11/11 17:15:26 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -110,6 +110,7 @@
110 */ 110 */
111 111
112#include <errno.h> 112#include <errno.h>
113#include <limits.h>
113#include <stdio.h> 114#include <stdio.h>
114 115
115#include <openssl/buffer.h> 116#include <openssl/buffer.h>
@@ -118,6 +119,7 @@
118#include "bytestring.h" 119#include "bytestring.h"
119#include "dtls_locl.h" 120#include "dtls_locl.h"
120#include "ssl_locl.h" 121#include "ssl_locl.h"
122#include "tls_content.h"
121 123
122static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, 124static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
123 unsigned int len); 125 unsigned int len);
@@ -333,8 +335,6 @@ ssl3_get_record(SSL *s)
333 SSL3_BUFFER_INTERNAL *rb = &(s->s3->rbuf); 335 SSL3_BUFFER_INTERNAL *rb = &(s->s3->rbuf);
334 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec); 336 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec);
335 uint8_t alert_desc; 337 uint8_t alert_desc;
336 uint8_t *out;
337 size_t out_len;
338 int al, n; 338 int al, n;
339 int ret = -1; 339 int ret = -1;
340 340
@@ -410,8 +410,8 @@ ssl3_get_record(SSL *s)
410 */ 410 */
411 tls12_record_layer_set_version(s->rl, s->version); 411 tls12_record_layer_set_version(s->rl, s->version);
412 412
413 if (!tls12_record_layer_open_record(s->rl, s->packet, 413 if (!tls12_record_layer_open_record(s->rl, s->packet, s->packet_length,
414 s->packet_length, &out, &out_len)) { 414 s->s3->rcontent)) {
415 tls12_record_layer_alert(s->rl, &alert_desc); 415 tls12_record_layer_alert(s->rl, &alert_desc);
416 416
417 if (alert_desc == 0) 417 if (alert_desc == 0)
@@ -426,14 +426,10 @@ ssl3_get_record(SSL *s)
426 goto fatal_err; 426 goto fatal_err;
427 } 427 }
428 428
429 rr->data = out;
430 rr->length = out_len;
431 rr->off = 0;
432
433 /* we have pulled in a full packet so zero things */ 429 /* we have pulled in a full packet so zero things */
434 s->packet_length = 0; 430 s->packet_length = 0;
435 431
436 if (rr->length == 0) { 432 if (tls_content_remaining(s->s3->rcontent) == 0) {
437 /* 433 /*
438 * Zero-length fragments are only permitted for application 434 * Zero-length fragments are only permitted for application
439 * data, as per RFC 5246 section 6.2.1. 435 * data, as per RFC 5246 section 6.2.1.
@@ -444,6 +440,8 @@ ssl3_get_record(SSL *s)
444 goto fatal_err; 440 goto fatal_err;
445 } 441 }
446 442
443 tls_content_clear(s->s3->rcontent);
444
447 /* 445 /*
448 * CBC countermeasures for known IV weaknesses can legitimately 446 * CBC countermeasures for known IV weaknesses can legitimately
449 * insert a single empty record, so we allow ourselves to read 447 * insert a single empty record, so we allow ourselves to read
@@ -691,20 +689,9 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
691static ssize_t 689static ssize_t
692ssl3_read_cb(void *buf, size_t n, void *cb_arg) 690ssl3_read_cb(void *buf, size_t n, void *cb_arg)
693{ 691{
694 SSL3_RECORD_INTERNAL *rr;
695 SSL *s = cb_arg; 692 SSL *s = cb_arg;
696 693
697 rr = &s->s3->rrec; 694 return tls_content_read(s->s3->rcontent, buf, n);
698
699 if (n > rr->length)
700 n = rr->length;
701
702 memcpy(buf, &rr->data[rr->off], n);
703
704 rr->off += n;
705 rr->length -= n;
706
707 return n;
708} 695}
709 696
710#define SSL3_ALERT_LENGTH 2 697#define SSL3_ALERT_LENGTH 2
@@ -791,21 +778,18 @@ ssl3_read_alert(SSL *s)
791int 778int
792ssl3_read_change_cipher_spec(SSL *s) 779ssl3_read_change_cipher_spec(SSL *s)
793{ 780{
794 SSL3_RECORD_INTERNAL *rr = &s->s3->rrec; 781 const uint8_t ccs[1] = { SSL3_MT_CCS };
795 const uint8_t ccs[] = { SSL3_MT_CCS };
796 CBS cbs;
797 782
798 /* 783 /*
799 * 'Change Cipher Spec' is just a single byte, so we know exactly what 784 * 'Change Cipher Spec' is just a single byte, so we know exactly what
800 * the record payload has to look like. 785 * the record payload has to look like.
801 */ 786 */
802 CBS_init(&cbs, rr->data, rr->length); 787 if (tls_content_remaining(s->s3->rcontent) != sizeof(ccs)) {
803 if (rr->off != 0 || CBS_len(&cbs) != sizeof(ccs)) {
804 SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); 788 SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC);
805 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 789 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
806 return -1; 790 return -1;
807 } 791 }
808 if (!CBS_mem_equal(&cbs, ccs, sizeof(ccs))) { 792 if (!tls_content_equal(s->s3->rcontent, ccs, sizeof(ccs))) {
809 SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); 793 SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC);
810 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 794 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
811 return -1; 795 return -1;
@@ -813,7 +797,8 @@ ssl3_read_change_cipher_spec(SSL *s)
813 797
814 /* XDTLS: check that epoch is consistent */ 798 /* XDTLS: check that epoch is consistent */
815 799
816 ssl_msg_callback_cbs(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC, &cbs); 800 ssl_msg_callback_cbs(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC,
801 tls_content_cbs(s->s3->rcontent));
817 802
818 /* Check that we have a cipher to change to. */ 803 /* Check that we have a cipher to change to. */
819 if (s->s3->hs.cipher == NULL) { 804 if (s->s3->hs.cipher == NULL) {
@@ -830,7 +815,7 @@ ssl3_read_change_cipher_spec(SSL *s)
830 * handshake messages are still missing, so just 815 * handshake messages are still missing, so just
831 * drop it. 816 * drop it.
832 */ 817 */
833 rr->length = 0; 818 tls_content_clear(s->s3->rcontent);
834 return 1; 819 return 1;
835 } 820 }
836 s->d1->change_cipher_spec_ok = 0; 821 s->d1->change_cipher_spec_ok = 0;
@@ -844,7 +829,7 @@ ssl3_read_change_cipher_spec(SSL *s)
844 s->s3->flags &= ~SSL3_FLAGS_CCS_OK; 829 s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
845 } 830 }
846 831
847 rr->length = 0; 832 tls_content_clear(s->s3->rcontent);
848 833
849 s->s3->change_cipher_spec = 1; 834 s->s3->change_cipher_spec = 1;
850 if (!ssl3_do_change_cipher_spec(s)) 835 if (!ssl3_do_change_cipher_spec(s))
@@ -1053,9 +1038,8 @@ ssl3_read_handshake_unexpected(SSL *s)
1053int 1038int
1054ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) 1039ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1055{ 1040{
1056 SSL3_RECORD_INTERNAL *rr;
1057 int rrcount = 0; 1041 int rrcount = 0;
1058 unsigned int n; 1042 ssize_t ssret;
1059 int ret; 1043 int ret;
1060 1044
1061 if (s->s3->rbuf.buf == NULL) { 1045 if (s->s3->rbuf.buf == NULL) {
@@ -1063,6 +1047,11 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1063 return -1; 1047 return -1;
1064 } 1048 }
1065 1049
1050 if (s->s3->rcontent == NULL) {
1051 if ((s->s3->rcontent = tls_content_new()) == NULL)
1052 return -1;
1053 }
1054
1066 if (len < 0) { 1055 if (len < 0) {
1067 SSLerror(s, ERR_R_INTERNAL_ERROR); 1056 SSLerror(s, ERR_R_INTERNAL_ERROR);
1068 return -1; 1057 return -1;
@@ -1120,16 +1109,15 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1120 1109
1121 s->rwstate = SSL_NOTHING; 1110 s->rwstate = SSL_NOTHING;
1122 1111
1123 rr = &s->s3->rrec; 1112 if (tls_content_remaining(s->s3->rcontent) == 0) {
1124
1125 if (rr->length == 0 || s->rstate == SSL_ST_READ_BODY) {
1126 if ((ret = ssl3_get_record(s)) <= 0) 1113 if ((ret = ssl3_get_record(s)) <= 0)
1127 return ret; 1114 return ret;
1128 } 1115 }
1129 1116
1130 /* We now have a packet which can be read and processed. */ 1117 /* We now have a packet which can be read and processed. */
1131 1118
1132 if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE) { 1119 if (s->s3->change_cipher_spec &&
1120 tls_content_type(s->s3->rcontent) != SSL3_RT_HANDSHAKE) {
1133 SSLerror(s, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); 1121 SSLerror(s, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
1134 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 1122 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1135 return -1; 1123 return -1;
@@ -1141,12 +1129,13 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1141 */ 1129 */
1142 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 1130 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
1143 s->rwstate = SSL_NOTHING; 1131 s->rwstate = SSL_NOTHING;
1144 rr->length = 0; 1132 tls_content_clear(s->s3->rcontent);
1133 s->s3->rrec.length = 0;
1145 return 0; 1134 return 0;
1146 } 1135 }
1147 1136
1148 /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ 1137 /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
1149 if (type == rr->type) { 1138 if (tls_content_type(s->s3->rcontent) == type) {
1150 /* 1139 /*
1151 * Make sure that we are not getting application data when we 1140 * Make sure that we are not getting application data when we
1152 * are doing a handshake for the first time. 1141 * are doing a handshake for the first time.
@@ -1162,34 +1151,28 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1162 if (len <= 0) 1151 if (len <= 0)
1163 return len; 1152 return len;
1164 1153
1165 if ((unsigned int)len > rr->length) 1154 if (peek) {
1166 n = rr->length; 1155 ssret = tls_content_peek(s->s3->rcontent, buf, len);
1167 else 1156 } else {
1168 n = (unsigned int)len; 1157 ssret = tls_content_read(s->s3->rcontent, buf, len);
1169
1170 memcpy(buf, &rr->data[rr->off], n);
1171 if (!peek) {
1172 memset(&rr->data[rr->off], 0, n);
1173 rr->length -= n;
1174 rr->off += n;
1175 if (rr->length == 0) {
1176 s->rstate = SSL_ST_READ_HEADER;
1177 rr->off = 0;
1178 if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
1179 s->s3->rbuf.left == 0)
1180 ssl3_release_read_buffer(s);
1181 }
1182 } 1158 }
1159 if (ssret < INT_MIN || ssret > INT_MAX)
1160 return -1;
1161 if (ssret < 0)
1162 return (int)ssret;
1183 1163
1184 return n; 1164 if (tls_content_remaining(s->s3->rcontent) == 0) {
1185 } 1165 s->rstate = SSL_ST_READ_HEADER;
1186 1166
1187 /* 1167 if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
1188 * If we get here, then type != rr->type; if we have a handshake 1168 s->s3->rbuf.left == 0)
1189 * message, then it was unexpected (Hello Request or Client Hello). 1169 ssl3_release_read_buffer(s);
1190 */ 1170 }
1171
1172 return ssret;
1173 }
1191 1174
1192 if (rr->type == SSL3_RT_ALERT) { 1175 if (tls_content_type(s->s3->rcontent) == SSL3_RT_ALERT) {
1193 if ((ret = ssl3_read_alert(s)) <= 0) 1176 if ((ret = ssl3_read_alert(s)) <= 0)
1194 return ret; 1177 return ret;
1195 goto start; 1178 goto start;
@@ -1197,11 +1180,12 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1197 1180
1198 if (s->shutdown & SSL_SENT_SHUTDOWN) { 1181 if (s->shutdown & SSL_SENT_SHUTDOWN) {
1199 s->rwstate = SSL_NOTHING; 1182 s->rwstate = SSL_NOTHING;
1200 rr->length = 0; 1183 tls_content_clear(s->s3->rcontent);
1184 s->s3->rrec.length = 0;
1201 return 0; 1185 return 0;
1202 } 1186 }
1203 1187
1204 if (rr->type == SSL3_RT_APPLICATION_DATA) { 1188 if (tls_content_type(s->s3->rcontent) == SSL3_RT_APPLICATION_DATA) {
1205 /* 1189 /*
1206 * At this point, we were expecting handshake data, but have 1190 * At this point, we were expecting handshake data, but have
1207 * application data. If the library was running inside 1191 * application data. If the library was running inside
@@ -1227,13 +1211,13 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1227 } 1211 }
1228 } 1212 }
1229 1213
1230 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { 1214 if (tls_content_type(s->s3->rcontent) == SSL3_RT_CHANGE_CIPHER_SPEC) {
1231 if ((ret = ssl3_read_change_cipher_spec(s)) <= 0) 1215 if ((ret = ssl3_read_change_cipher_spec(s)) <= 0)
1232 return ret; 1216 return ret;
1233 goto start; 1217 goto start;
1234 } 1218 }
1235 1219
1236 if (rr->type == SSL3_RT_HANDSHAKE) { 1220 if (tls_content_type(s->s3->rcontent) == SSL3_RT_HANDSHAKE) {
1237 if ((ret = ssl3_read_handshake_unexpected(s)) <= 0) 1221 if ((ret = ssl3_read_handshake_unexpected(s)) <= 0)
1238 return ret; 1222 return ret;
1239 goto start; 1223 goto start;
@@ -1244,7 +1228,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1244 * earlier versions silently ignore the record. 1228 * earlier versions silently ignore the record.
1245 */ 1229 */
1246 if (ssl_effective_tls_version(s) <= TLS1_1_VERSION) { 1230 if (ssl_effective_tls_version(s) <= TLS1_1_VERSION) {
1247 rr->length = 0; 1231 tls_content_clear(s->s3->rcontent);
1248 goto start; 1232 goto start;
1249 } 1233 }
1250 SSLerror(s, SSL_R_UNEXPECTED_RECORD); 1234 SSLerror(s, SSL_R_UNEXPECTED_RECORD);
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
index 3568e1876a..a65906697d 100644
--- a/src/lib/libssl/tls12_record_layer.c
+++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls12_record_layer.c,v 1.36 2022/01/14 09:12:15 tb Exp $ */ 1/* $OpenBSD: tls12_record_layer.c,v 1.37 2022/11/11 17:15:26 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -864,28 +864,25 @@ tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
864 864
865static int 865static int
866tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, 866tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl,
867 uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len) 867 uint8_t content_type, CBS *fragment, struct tls_content *out)
868{ 868{
869 if (tls12_record_protection_engaged(rl->read)) 869 if (tls12_record_protection_engaged(rl->read))
870 return 0; 870 return 0;
871 871
872 /* XXX - decrypt/process in place for now. */ 872 return tls_content_dup_data(out, content_type, CBS_data(fragment),
873 *out = (uint8_t *)CBS_data(fragment); 873 CBS_len(fragment));
874 *out_len = CBS_len(fragment);
875
876 return 1;
877} 874}
878 875
879static int 876static int
880tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, 877tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
881 uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, 878 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
882 size_t *out_len)
883{ 879{
884 struct tls12_record_protection *rp = rl->read; 880 struct tls12_record_protection *rp = rl->read;
885 uint8_t *header = NULL; 881 uint8_t *header = NULL;
886 size_t header_len = 0; 882 size_t header_len = 0;
887 uint8_t *plain; 883 uint8_t *content = NULL;
888 size_t plain_len; 884 size_t content_len = 0;
885 size_t out_len = 0;
889 CBS var_nonce; 886 CBS var_nonce;
890 int ret = 0; 887 int ret = 0;
891 888
@@ -913,43 +910,47 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
913 goto err; 910 goto err;
914 } 911 }
915 912
916 /* XXX - decrypt/process in place for now. */ 913 content_len = CBS_len(fragment) - rp->aead_tag_len;
917 plain = (uint8_t *)CBS_data(fragment); 914 if ((content = calloc(1, CBS_len(fragment))) == NULL) {
918 plain_len = CBS_len(fragment) - rp->aead_tag_len; 915 content_len = 0;
916 goto err;
917 }
919 918
920 if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, 919 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len,
921 seq_num, &header, &header_len)) 920 seq_num, &header, &header_len))
922 goto err; 921 goto err;
923 922
924 if (!EVP_AEAD_CTX_open(rp->aead_ctx, plain, out_len, plain_len, 923 if (!EVP_AEAD_CTX_open(rp->aead_ctx, content, &out_len, content_len,
925 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment), 924 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment),
926 CBS_len(fragment), header, header_len)) { 925 CBS_len(fragment), header, header_len)) {
927 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 926 rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
928 goto err; 927 goto err;
929 } 928 }
930 929
931 if (*out_len > SSL3_RT_MAX_PLAIN_LENGTH) { 930 if (out_len > SSL3_RT_MAX_PLAIN_LENGTH) {
932 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 931 rl->alert_desc = SSL_AD_RECORD_OVERFLOW;
933 goto err; 932 goto err;
934 } 933 }
935 934
936 if (*out_len != plain_len) 935 if (out_len != content_len)
937 goto err; 936 goto err;
938 937
939 *out = plain; 938 tls_content_set_data(out, content_type, content, content_len);
939 content = NULL;
940 content_len = 0;
940 941
941 ret = 1; 942 ret = 1;
942 943
943 err: 944 err:
944 freezero(header, header_len); 945 freezero(header, header_len);
946 freezero(content, content_len);
945 947
946 return ret; 948 return ret;
947} 949}
948 950
949static int 951static int
950tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, 952tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
951 uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, 953 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out)
952 size_t *out_len)
953{ 954{
954 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 955 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx;
955 SSL3_RECORD_INTERNAL rrec; 956 SSL3_RECORD_INTERNAL rrec;
@@ -958,8 +959,8 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
958 size_t mac_len = 0; 959 size_t mac_len = 0;
959 uint8_t *out_mac = NULL; 960 uint8_t *out_mac = NULL;
960 size_t out_mac_len = 0; 961 size_t out_mac_len = 0;
961 uint8_t *plain; 962 uint8_t *content = NULL;
962 size_t plain_len; 963 size_t content_len = 0;
963 size_t min_len; 964 size_t min_len;
964 CBB cbb_mac; 965 CBB cbb_mac;
965 int ret = 0; 966 int ret = 0;
@@ -1001,16 +1002,16 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
1001 goto err; 1002 goto err;
1002 } 1003 }
1003 1004
1004 /* XXX - decrypt/process in place for now. */ 1005 if ((content = calloc(1, CBS_len(fragment))) == NULL)
1005 plain = (uint8_t *)CBS_data(fragment); 1006 goto err;
1006 plain_len = CBS_len(fragment); 1007 content_len = CBS_len(fragment);
1007 1008
1008 if (!EVP_Cipher(enc, plain, CBS_data(fragment), plain_len)) 1009 if (!EVP_Cipher(enc, content, CBS_data(fragment), CBS_len(fragment)))
1009 goto err; 1010 goto err;
1010 1011
1011 rrec.data = plain; 1012 rrec.data = content;
1012 rrec.input = plain; 1013 rrec.input = content;
1013 rrec.length = plain_len; 1014 rrec.length = content_len;
1014 1015
1015 /* 1016 /*
1016 * We now have to remove padding, extract MAC, calculate MAC 1017 * We now have to remove padding, extract MAC, calculate MAC
@@ -1058,8 +1059,13 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
1058 goto err; 1059 goto err;
1059 } 1060 }
1060 1061
1061 *out = rrec.data; 1062 tls_content_set_data(out, content_type, content, content_len);
1062 *out_len = rrec.length; 1063 content = NULL;
1064 content_len = 0;
1065
1066 /* Actual content is after EIV, minus padding and MAC. */
1067 if (!tls_content_set_bounds(out, eiv_len, rrec.length))
1068 goto err;
1063 1069
1064 ret = 1; 1070 ret = 1;
1065 1071
@@ -1067,13 +1073,14 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl,
1067 CBB_cleanup(&cbb_mac); 1073 CBB_cleanup(&cbb_mac);
1068 freezero(mac, mac_len); 1074 freezero(mac, mac_len);
1069 freezero(out_mac, out_mac_len); 1075 freezero(out_mac, out_mac_len);
1076 freezero(content, content_len);
1070 1077
1071 return ret; 1078 return ret;
1072} 1079}
1073 1080
1074int 1081int
1075tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, 1082tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
1076 size_t buf_len, uint8_t **out, size_t *out_len) 1083 size_t buf_len, struct tls_content *out)
1077{ 1084{
1078 CBS cbs, fragment, seq_num; 1085 CBS cbs, fragment, seq_num;
1079 uint16_t version; 1086 uint16_t version;
@@ -1105,15 +1112,15 @@ tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf,
1105 1112
1106 if (rl->read->aead_ctx != NULL) { 1113 if (rl->read->aead_ctx != NULL) {
1107 if (!tls12_record_layer_open_record_protected_aead(rl, 1114 if (!tls12_record_layer_open_record_protected_aead(rl,
1108 content_type, &seq_num, &fragment, out, out_len)) 1115 content_type, &seq_num, &fragment, out))
1109 return 0; 1116 return 0;
1110 } else if (rl->read->cipher_ctx != NULL) { 1117 } else if (rl->read->cipher_ctx != NULL) {
1111 if (!tls12_record_layer_open_record_protected_cipher(rl, 1118 if (!tls12_record_layer_open_record_protected_cipher(rl,
1112 content_type, &seq_num, &fragment, out, out_len)) 1119 content_type, &seq_num, &fragment, out))
1113 return 0; 1120 return 0;
1114 } else { 1121 } else {
1115 if (!tls12_record_layer_open_record_plaintext(rl, 1122 if (!tls12_record_layer_open_record_plaintext(rl,
1116 content_type, &fragment, out, out_len)) 1123 content_type, &fragment, out))
1117 return 0; 1124 return 0;
1118 } 1125 }
1119 1126
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index 423b405cbd..4ae4e298eb 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_record_layer.c,v 1.71 2022/09/11 13:50:41 jsing Exp $ */ 1/* $OpenBSD: tls13_record_layer.c,v 1.72 2022/11/11 17:15:27 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -561,6 +561,7 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
561 if (!tls13_record_content(rl->rrec, &enc_record)) 561 if (!tls13_record_content(rl->rrec, &enc_record))
562 goto err; 562 goto err;
563 563
564 /* XXX - minus tag len? */
564 if ((content = calloc(1, CBS_len(&enc_record))) == NULL) 565 if ((content = calloc(1, CBS_len(&enc_record))) == NULL)
565 goto err; 566 goto err;
566 content_len = CBS_len(&enc_record); 567 content_len = CBS_len(&enc_record);
diff --git a/src/lib/libssl/tls_content.c b/src/lib/libssl/tls_content.c
index ede178f84c..726de0fdc4 100644
--- a/src/lib/libssl/tls_content.c
+++ b/src/lib/libssl/tls_content.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_content.c,v 1.1 2021/09/04 16:26:12 jsing Exp $ */ 1/* $OpenBSD: tls_content.c,v 1.2 2022/11/11 17:15:27 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -26,7 +26,7 @@ struct tls_content {
26 uint16_t epoch; 26 uint16_t epoch;
27 27
28 const uint8_t *data; 28 const uint8_t *data;
29 size_t len; 29 size_t data_len;
30 CBS cbs; 30 CBS cbs;
31}; 31};
32 32
@@ -39,7 +39,7 @@ tls_content_new(void)
39void 39void
40tls_content_clear(struct tls_content *content) 40tls_content_clear(struct tls_content *content)
41{ 41{
42 freezero((void *)content->data, content->len); 42 freezero((void *)content->data, content->data_len);
43 memset(content, 0, sizeof(*content)); 43 memset(content, 0, sizeof(*content));
44} 44}
45 45
@@ -113,9 +113,24 @@ tls_content_set_data(struct tls_content *content, uint8_t type,
113 113
114 content->type = type; 114 content->type = type;
115 content->data = data; 115 content->data = data;
116 content->len = data_len; 116 content->data_len = data_len;
117 117
118 CBS_init(&content->cbs, content->data, content->len); 118 CBS_init(&content->cbs, content->data, content->data_len);
119}
120
121int
122tls_content_set_bounds(struct tls_content *content, size_t offset, size_t len)
123{
124 size_t content_len;
125
126 content_len = offset + len;
127 if (content_len < len)
128 return 0;
129 if (content_len > content->data_len)
130 return 0;
131
132 CBS_init(&content->cbs, content->data, content_len);
133 return CBS_skip(&content->cbs, offset);
119} 134}
120 135
121static ssize_t 136static ssize_t
diff --git a/src/lib/libssl/tls_content.h b/src/lib/libssl/tls_content.h
index 173af2a740..b807248f60 100644
--- a/src/lib/libssl/tls_content.h
+++ b/src/lib/libssl/tls_content.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_content.h,v 1.1 2021/09/04 16:26:12 jsing Exp $ */ 1/* $OpenBSD: tls_content.h,v 1.2 2022/11/11 17:15:27 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -38,6 +38,8 @@ int tls_content_dup_data(struct tls_content *content, uint8_t type,
38 const uint8_t *data, size_t data_len); 38 const uint8_t *data, size_t data_len);
39void tls_content_set_data(struct tls_content *content, uint8_t type, 39void tls_content_set_data(struct tls_content *content, uint8_t type,
40 const uint8_t *data, size_t data_len); 40 const uint8_t *data, size_t data_len);
41int tls_content_set_bounds(struct tls_content *content, size_t offset,
42 size_t len);
41void tls_content_set_epoch(struct tls_content *content, uint16_t epoch); 43void tls_content_set_epoch(struct tls_content *content, uint16_t epoch);
42 44
43ssize_t tls_content_peek(struct tls_content *content, uint8_t *buf, size_t n); 45ssize_t tls_content_peek(struct tls_content *content, uint8_t *buf, size_t n);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-23 03:04:54 +0000