1 /* 2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include "../ssl_locl.h" 11 #include "internal/constant_time_locl.h" 12 #include <openssl/rand.h> 13 #include "record_locl.h" 14 #include "internal/cryptlib.h" 15 16 static const unsigned char ssl3_pad_1[48] = { 17 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 18 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 19 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 20 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 21 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 22 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 23 }; 24 25 static const unsigned char ssl3_pad_2[48] = { 26 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 27 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 28 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 29 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 30 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 31 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c 32 }; 33 34 /* 35 * Clear the contents of an SSL3_RECORD but retain any memory allocated 36 */ 37 void SSL3_RECORD_clear(SSL3_RECORD *r, size_t num_recs) 38 { 39 unsigned char *comp; 40 size_t i; 41 42 for (i = 0; i < num_recs; i++) { 43 comp = r[i].comp; 44 45 memset(&r[i], 0, sizeof(*r)); 46 r[i].comp = comp; 47 } 48 } 49 50 void SSL3_RECORD_release(SSL3_RECORD *r, size_t num_recs) 51 { 52 size_t i; 53 54 for (i = 0; i < num_recs; i++) { 55 OPENSSL_free(r[i].comp); 56 r[i].comp = NULL; 57 } 58 } 59 60 void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num) 61 { 62 memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE); 63 } 64 65 /* 66 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting 67 * for us in the buffer. 68 */ 69 static int ssl3_record_app_data_waiting(SSL *s) 70 { 71 SSL3_BUFFER *rbuf; 72 size_t left, len; 73 unsigned char *p; 74 75 rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); 76 77 p = SSL3_BUFFER_get_buf(rbuf); 78 if (p == NULL) 79 return 0; 80 81 left = SSL3_BUFFER_get_left(rbuf); 82 83 if (left < SSL3_RT_HEADER_LENGTH) 84 return 0; 85 86 p += SSL3_BUFFER_get_offset(rbuf); 87 88 /* 89 * We only check the type and record length, we will sanity check version 90 * etc later 91 */ 92 if (*p != SSL3_RT_APPLICATION_DATA) 93 return 0; 94 95 p += 3; 96 n2s(p, len); 97 98 if (left < SSL3_RT_HEADER_LENGTH + len) 99 return 0; 100 101 return 1; 102 } 103 104 int early_data_count_ok(SSL *s, size_t length, size_t overhead, int send) 105 { 106 uint32_t max_early_data; 107 SSL_SESSION *sess = s->session; 108 109 /* 110 * If we are a client then we always use the max_early_data from the 111 * session/psksession. Otherwise we go with the lowest out of the max early 112 * data set in the session and the configured max_early_data. 113 */ 114 if (!s->server && sess->ext.max_early_data == 0) { 115 if (!ossl_assert(s->psksession != NULL 116 && s->psksession->ext.max_early_data > 0)) { 117 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_EARLY_DATA_COUNT_OK, 118 ERR_R_INTERNAL_ERROR); 119 return 0; 120 } 121 sess = s->psksession; 122 } 123 124 if (!s->server) 125 max_early_data = sess->ext.max_early_data; 126 else if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED) 127 max_early_data = s->recv_max_early_data; 128 else 129 max_early_data = s->recv_max_early_data < sess->ext.max_early_data 130 ? s->recv_max_early_data : sess->ext.max_early_data; 131 132 if (max_early_data == 0) { 133 SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, 134 SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); 135 return 0; 136 } 137 138 /* If we are dealing with ciphertext we need to allow for the overhead */ 139 max_early_data += overhead; 140 141 if (s->early_data_count + length > max_early_data) { 142 SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, 143 SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); 144 return 0; 145 } 146 s->early_data_count += length; 147 148 return 1; 149 } 150 151 /* 152 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that 153 * will be processed per call to ssl3_get_record. Without this limit an 154 * attacker could send empty records at a faster rate than we can process and 155 * cause ssl3_get_record to loop forever. 156 */ 157 #define MAX_EMPTY_RECORDS 32 158 159 #define SSL2_RT_HEADER_LENGTH 2 160 /*- 161 * Call this to get new input records. 162 * It will return <= 0 if more data is needed, normally due to an error 163 * or non-blocking IO. 164 * When it finishes, |numrpipes| records have been decoded. For each record 'i': 165 * rr[i].type - is the type of record 166 * rr[i].data, - data 167 * rr[i].length, - number of bytes 168 * Multiple records will only be returned if the record types are all 169 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <= 170 * |max_pipelines| 171 */ 172 /* used only by ssl3_read_bytes */ 173 int ssl3_get_record(SSL *s) 174 { 175 int enc_err, rret; 176 int i; 177 size_t more, n; 178 SSL3_RECORD *rr, *thisrr; 179 SSL3_BUFFER *rbuf; 180 SSL_SESSION *sess; 181 unsigned char *p; 182 unsigned char md[EVP_MAX_MD_SIZE]; 183 unsigned int version; 184 size_t mac_size; 185 int imac_size; 186 size_t num_recs = 0, max_recs, j; 187 PACKET pkt, sslv2pkt; 188 size_t first_rec_len; 189 190 rr = RECORD_LAYER_get_rrec(&s->rlayer); 191 rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); 192 max_recs = s->max_pipelines; 193 if (max_recs == 0) 194 max_recs = 1; 195 sess = s->session; 196 197 do { 198 thisrr = &rr[num_recs]; 199 200 /* check if we have the header */ 201 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) || 202 (RECORD_LAYER_get_packet_length(&s->rlayer) 203 < SSL3_RT_HEADER_LENGTH)) { 204 size_t sslv2len; 205 unsigned int type; 206 207 rret = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, 208 SSL3_BUFFER_get_len(rbuf), 0, 209 num_recs == 0 ? 1 : 0, &n); 210 if (rret <= 0) 211 return rret; /* error or non-blocking */ 212 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY); 213 214 p = RECORD_LAYER_get_packet(&s->rlayer); 215 if (!PACKET_buf_init(&pkt, RECORD_LAYER_get_packet(&s->rlayer), 216 RECORD_LAYER_get_packet_length(&s->rlayer))) { 217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, 218 ERR_R_INTERNAL_ERROR); 219 return -1; 220 } 221 sslv2pkt = pkt; 222 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len) 223 || !PACKET_get_1(&sslv2pkt, &type)) { 224 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, 225 ERR_R_INTERNAL_ERROR); 226 return -1; 227 } 228 /* 229 * The first record received by the server may be a V2ClientHello. 230 */ 231 if (s->server && RECORD_LAYER_is_first_record(&s->rlayer) 232 && (sslv2len & 0x8000) != 0 233 && (type == SSL2_MT_CLIENT_HELLO)) { 234 /* 235 * SSLv2 style record 236 * 237 * |num_recs| here will actually always be 0 because 238 * |num_recs > 0| only ever occurs when we are processing 239 * multiple app data records - which we know isn't the case here 240 * because it is an SSLv2ClientHello. We keep it using 241 * |num_recs| for the sake of consistency 242 */ 243 thisrr->type = SSL3_RT_HANDSHAKE; 244 thisrr->rec_version = SSL2_VERSION; 245 246 thisrr->length = sslv2len & 0x7fff; 247 248 if (thisrr->length > SSL3_BUFFER_get_len(rbuf) 249 - SSL2_RT_HEADER_LENGTH) { 250 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, 251 SSL_R_PACKET_LENGTH_TOO_LONG); 252 return -1; 253 } 254 255 if (thisrr->length < MIN_SSL2_RECORD_LEN) { 256 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, 257 SSL_R_LENGTH_TOO_SHORT); 258 return -1; 259 } 260 } else { 261 /* SSLv3+ style record */ 262 if (s->msg_callback) 263 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s, 264 s->msg_callback_arg); 265 266 /* Pull apart the header into the SSL3_RECORD */ 267 if (!PACKET_get_1(&pkt, &type) 268 || !PACKET_get_net_2(&pkt, &version) 269 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) { 270 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, 271 ERR_R_INTERNAL_ERROR); 272 return -1; 273 } 274 thisrr->type = type; 275 thisrr->rec_version = version; 276 277 /* 278 * Lets check version. In TLSv1.3 we only check this field 279 * when encryption is occurring (see later check). For the 280 * ServerHello after an HRR we haven't actually selected TLSv1.3 281 * yet, but we still treat it as TLSv1.3, so we must check for 282 * that explicitly 283 */ 284 if (!s->first_packet && !SSL_IS_TLS13(s) 285 && s->hello_retry_request != SSL_HRR_PENDING 286 && version != (unsigned int)s->version) { 287 if ((s->version & 0xFF00) == (version & 0xFF00) 288 && !s->enc_write_ctx && !s->write_hash) { 289 if (thisrr->type == SSL3_RT_ALERT) { 290 /* 291 * The record is using an incorrect version number, 292 * but what we've got appears to be an alert. We 293 * haven't read the body yet to check whether its a 294 * fatal or not - but chances are it is. We probably 295 * shouldn't send a fatal alert back. We'll just 296 * end. 297 */ 298 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, 299 SSL_R_WRONG_VERSION_NUMBER); 300 return -1; 301 } 302 /* 303 * Send back error using their minor version number :-) 304 */ 305 s->version = (unsigned short)version; 306 } 307 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL3_GET_RECORD, 308 SSL_R_WRONG_VERSION_NUMBER); 309 return -1; 310 } 311 312 if ((version >> 8) != SSL3_VERSION_MAJOR) { 313 if (RECORD_LAYER_is_first_record(&s->rlayer)) { 314 /* Go back to start of packet, look at the five bytes 315 * that we have. */ 316 p = RECORD_LAYER_get_packet(&s->rlayer); 317 if (strncmp((char *)p, "GET ", 4) == 0 || 318 strncmp((char *)p, "POST ", 5) == 0 || 319 strncmp((char *)p, "HEAD ", 5) == 0 || 320 strncmp((char *)p, "PUT ", 4) == 0) { 321 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, 322 SSL_R_HTTP_REQUEST); 323 return -1; 324 } else if (strncmp((char *)p, "CONNE", 5) == 0) { 325 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, 326 SSL_R_HTTPS_PROXY_REQUEST); 327 return -1; 328 } 329 330 /* Doesn't look like TLS - don't send an alert */ 331 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, 332 SSL_R_WRONG_VERSION_NUMBER); 333 return -1; 334 } else { 335 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 336 SSL_F_SSL3_GET_RECORD, 337 SSL_R_WRONG_VERSION_NUMBER); 338 return -1; 339 } 340 } 341 342 if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { 343 if (thisrr->type != SSL3_RT_APPLICATION_DATA 344 && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC 345 || !SSL_IS_FIRST_HANDSHAKE(s)) 346 && (thisrr->type != SSL3_RT_ALERT 347 || s->statem.enc_read_state 348 != ENC_READ_STATE_ALLOW_PLAIN_ALERTS)) { 349 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 350 SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); 351 return -1; 352 } 353 if (thisrr->rec_version != TLS1_2_VERSION) { 354 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, 355 SSL_R_WRONG_VERSION_NUMBER); 356 return -1; 357 } 358 } 359 360 if (thisrr->length > 361 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) { 362 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, 363 SSL_R_PACKET_LENGTH_TOO_LONG); 364 return -1; 365 } 366 } 367 368 /* now s->rlayer.rstate == SSL_ST_READ_BODY */ 369 } 370 371 if (SSL_IS_TLS13(s)) { 372 if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { 373 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, 374 SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 375 return -1; 376 } 377 } else { 378 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH; 379 380 #ifndef OPENSSL_NO_COMP 381 /* 382 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH 383 * does not include the compression overhead anyway. 384 */ 385 if (s->expand == NULL) 386 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD; 387 #endif 388 389 if (thisrr->length > len) { 390 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, 391 SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 392 return -1; 393 } 394 } 395 396 /* 397 * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data. 398 * Calculate how much more data we need to read for the rest of the 399 * record 400 */ 401 if (thisrr->rec_version == SSL2_VERSION) { 402 more = thisrr->length + SSL2_RT_HEADER_LENGTH 403 - SSL3_RT_HEADER_LENGTH; 404 } else { 405 more = thisrr->length; 406 } 407 if (more > 0) { 408 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */ 409 410 rret = ssl3_read_n(s, more, more, 1, 0, &n); 411 if (rret <= 0) 412 return rret; /* error or non-blocking io */ 413 } 414 415 /* set state for later operations */ 416 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER); 417 418 /* 419 * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH 420 * + thisrr->length, or s->packet_length == SSL2_RT_HEADER_LENGTH 421 * + thisrr->length and we have that many bytes in s->packet 422 */ 423 if (thisrr->rec_version == SSL2_VERSION) { 424 thisrr->input = 425 &(RECORD_LAYER_get_packet(&s->rlayer)[SSL2_RT_HEADER_LENGTH]); 426 } else { 427 thisrr->input = 428 &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]); 429 } 430 431 /* 432 * ok, we can now read from 's->packet' data into 'thisrr' thisrr->input 433 * points at thisrr->length bytes, which need to be copied into 434 * thisrr->data by either the decryption or by the decompression When 435 * the data is 'copied' into the thisrr->data buffer, thisrr->input will 436 * be pointed at the new buffer 437 */ 438 439 /* 440 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] 441 * thisrr->length bytes of encrypted compressed stuff. 442 */ 443 444 /* decrypt in place in 'thisrr->input' */ 445 thisrr->data = thisrr->input; 446 thisrr->orig_len = thisrr->length; 447 448 /* Mark this record as not read by upper layers yet */ 449 thisrr->read = 0; 450 451 num_recs++; 452 453 /* we have pulled in a full packet so zero things */ 454 RECORD_LAYER_reset_packet_length(&s->rlayer); 455 RECORD_LAYER_clear_first_record(&s->rlayer); 456 } while (num_recs < max_recs 457 && thisrr->type == SSL3_RT_APPLICATION_DATA 458 && SSL_USE_EXPLICIT_IV(s) 459 && s->enc_read_ctx != NULL 460 && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) 461 & EVP_CIPH_FLAG_PIPELINE) 462 && ssl3_record_app_data_waiting(s)); 463 464 if (num_recs == 1 465 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC 466 && (SSL_IS_TLS13(s) || s->hello_retry_request != SSL_HRR_NONE) 467 && SSL_IS_FIRST_HANDSHAKE(s)) { 468 /* 469 * CCS messages must be exactly 1 byte long, containing the value 0x01 470 */ 471 if (thisrr->length != 1 || thisrr->data[0] != 0x01) { 472 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_GET_RECORD, 473 SSL_R_INVALID_CCS_MESSAGE); 474 return -1; 475 } 476 /* 477 * CCS messages are ignored in TLSv1.3. We treat it like an empty 478 * handshake record 479 */ 480 thisrr->type = SSL3_RT_HANDSHAKE; 481 RECORD_LAYER_inc_empty_record_count(&s->rlayer); 482 if (RECORD_LAYER_get_empty_record_count(&s->rlayer) 483 > MAX_EMPTY_RECORDS) { 484 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, 485 SSL_R_UNEXPECTED_CCS_MESSAGE); 486 return -1; 487 } 488 thisrr->read = 1; 489 RECORD_LAYER_set_numrpipes(&s->rlayer, 1); 490 491 return 1; 492 } 493 494 /* 495 * If in encrypt-then-mac mode calculate mac from encrypted record. All 496 * the details below are public so no timing details can leak. 497 */ 498 if (SSL_READ_ETM(s) && s->read_hash) { 499 unsigned char *mac; 500 /* TODO(size_t): convert this to do size_t properly */ 501 imac_size = EVP_MD_CTX_size(s->read_hash); 502 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { 503 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, 504 ERR_LIB_EVP); 505 return -1; 506 } 507 mac_size = (size_t)imac_size; 508 for (j = 0; j < num_recs; j++) { 509 thisrr = &rr[j]; 510 511 if (thisrr->length < mac_size) { 512 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, 513 SSL_R_LENGTH_TOO_SHORT); 514 return -1; 515 } 516 thisrr->length -= mac_size; 517 mac = thisrr->data + thisrr->length; 518 i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ ); 519 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) { 520 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, 521 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 522 return -1; 523 } 524 } 525 } 526 527 first_rec_len = rr[0].length; 528 529 enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0); 530 531 /*- 532 * enc_err is: 533 * 0: (in non-constant time) if the record is publicly invalid. 534 * 1: if the padding is valid 535 * -1: if the padding is invalid 536 */ 537 if (enc_err == 0) { 538 if (ossl_statem_in_error(s)) { 539 /* SSLfatal() already got called */ 540 return -1; 541 } 542 if (num_recs == 1 && ossl_statem_skip_early_data(s)) { 543 /* 544 * Valid early_data that we cannot decrypt might fail here as 545 * publicly invalid. We treat it like an empty record. 546 */ 547 548 thisrr = &rr[0]; 549 550 if (!early_data_count_ok(s, thisrr->length, 551 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { 552 /* SSLfatal() already called */ 553 return -1; 554 } 555 556 thisrr->length = 0; 557 thisrr->read = 1; 558 RECORD_LAYER_set_numrpipes(&s->rlayer, 1); 559 RECORD_LAYER_reset_read_sequence(&s->rlayer); 560 return 1; 561 } 562 SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD, 563 SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); 564 return -1; 565 } 566 #ifdef SSL_DEBUG 567 printf("dec %lu\n", (unsigned long)rr[0].length); 568 { 569 size_t z; 570 for (z = 0; z < rr[0].length; z++) 571 printf("%02X%c", rr[0].data[z], ((z + 1) % 16) ? ' ' : '\n'); 572 } 573 printf("\n"); 574 #endif 575 576 /* r->length is now the compressed data plus mac */ 577 if ((sess != NULL) && 578 (s->enc_read_ctx != NULL) && 579 (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) { 580 /* s->read_hash != NULL => mac_size != -1 */ 581 unsigned char *mac = NULL; 582 unsigned char mac_tmp[EVP_MAX_MD_SIZE]; 583 584 mac_size = EVP_MD_CTX_size(s->read_hash); 585 if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { 586 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, 587 ERR_R_INTERNAL_ERROR); 588 return -1; 589 } 590 591 for (j = 0; j < num_recs; j++) { 592 thisrr = &rr[j]; 593 /* 594 * orig_len is the length of the record before any padding was 595 * removed. This is public information, as is the MAC in use, 596 * therefore we can safely process the record in a different amount 597 * of time if it's too short to possibly contain a MAC. 598 */ 599 if (thisrr->orig_len < mac_size || 600 /* CBC records must have a padding length byte too. */ 601 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && 602 thisrr->orig_len < mac_size + 1)) { 603 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, 604 SSL_R_LENGTH_TOO_SHORT); 605 return -1; 606 } 607 608 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { 609 /* 610 * We update the length so that the TLS header bytes can be 611 * constructed correctly but we need to extract the MAC in 612 * constant time from within the record, without leaking the 613 * contents of the padding bytes. 614 */ 615 mac = mac_tmp; 616 if (!ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size)) { 617 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, 618 ERR_R_INTERNAL_ERROR); 619 return -1; 620 } 621 thisrr->length -= mac_size; 622 } else { 623 /* 624 * In this case there's no padding, so |rec->orig_len| equals 625 * |rec->length| and we checked that there's enough bytes for 626 * |mac_size| above. 627 */ 628 thisrr->length -= mac_size; 629 mac = &thisrr->data[thisrr->length]; 630 } 631 632 i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ ); 633 if (i == 0 || mac == NULL 634 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) 635 enc_err = -1; 636 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) 637 enc_err = -1; 638 } 639 } 640 641 if (enc_err < 0) { 642 if (ossl_statem_in_error(s)) { 643 /* We already called SSLfatal() */ 644 return -1; 645 } 646 if (num_recs == 1 && ossl_statem_skip_early_data(s)) { 647 /* 648 * We assume this is unreadable early_data - we treat it like an 649 * empty record 650 */ 651 652 /* 653 * The record length may have been modified by the mac check above 654 * so we use the previously saved value 655 */ 656 if (!early_data_count_ok(s, first_rec_len, 657 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { 658 /* SSLfatal() already called */ 659 return -1; 660 } 661 662 thisrr = &rr[0]; 663 thisrr->length = 0; 664 thisrr->read = 1; 665 RECORD_LAYER_set_numrpipes(&s->rlayer, 1); 666 RECORD_LAYER_reset_read_sequence(&s->rlayer); 667 return 1; 668 } 669 /* 670 * A separate 'decryption_failed' alert was introduced with TLS 1.0, 671 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption 672 * failure is directly visible from the ciphertext anyway, we should 673 * not reveal which kind of error occurred -- this might become 674 * visible to an attacker (e.g. via a logfile) 675 */ 676 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, 677 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 678 return -1; 679 } 680 681 for (j = 0; j < num_recs; j++) { 682 thisrr = &rr[j]; 683 684 /* thisrr->length is now just compressed */ 685 if (s->expand != NULL) { 686 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { 687 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, 688 SSL_R_COMPRESSED_LENGTH_TOO_LONG); 689 return -1; 690 } 691 if (!ssl3_do_uncompress(s, thisrr)) { 692 SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_F_SSL3_GET_RECORD, 693 SSL_R_BAD_DECOMPRESSION); 694 return -1; 695 } 696 } 697 698 if (SSL_IS_TLS13(s) 699 && s->enc_read_ctx != NULL 700 && thisrr->type != SSL3_RT_ALERT) { 701 size_t end; 702 703 if (thisrr->length == 0 704 || thisrr->type != SSL3_RT_APPLICATION_DATA) { 705 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, 706 SSL_R_BAD_RECORD_TYPE); 707 return -1; 708 } 709 710 /* Strip trailing padding */ 711 for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; 712 end--) 713 continue; 714 715 thisrr->length = end; 716 thisrr->type = thisrr->data[end]; 717 if (thisrr->type != SSL3_RT_APPLICATION_DATA 718 && thisrr->type != SSL3_RT_ALERT 719 && thisrr->type != SSL3_RT_HANDSHAKE) { 720 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, 721 SSL_R_BAD_RECORD_TYPE); 722 return -1; 723 } 724 if (s->msg_callback) 725 s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE, 726 &thisrr->data[end], 1, s, s->msg_callback_arg); 727 } 728 729 /* 730 * TLSv1.3 alert and handshake records are required to be non-zero in 731 * length. 732 */ 733 if (SSL_IS_TLS13(s) 734 && (thisrr->type == SSL3_RT_HANDSHAKE 735 || thisrr->type == SSL3_RT_ALERT) 736 && thisrr->length == 0) { 737 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, 738 SSL_R_BAD_LENGTH); 739 return -1; 740 } 741 742 if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) { 743 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, 744 SSL_R_DATA_LENGTH_TOO_LONG); 745 return -1; 746 } 747 748 /* If received packet overflows current Max Fragment Length setting */ 749 if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) 750 && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { 751 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, 752 SSL_R_DATA_LENGTH_TOO_LONG); 753 return -1; 754 } 755 756 thisrr->off = 0; 757 /*- 758 * So at this point the following is true 759 * thisrr->type is the type of record 760 * thisrr->length == number of bytes in record 761 * thisrr->off == offset to first valid byte 762 * thisrr->data == where to take bytes from, increment after use :-). 763 */ 764 765 /* just read a 0 length packet */ 766 if (thisrr->length == 0) { 767 RECORD_LAYER_inc_empty_record_count(&s->rlayer); 768 if (RECORD_LAYER_get_empty_record_count(&s->rlayer) 769 > MAX_EMPTY_RECORDS) { 770 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, 771 SSL_R_RECORD_TOO_SMALL); 772 return -1; 773 } 774 } else { 775 RECORD_LAYER_reset_empty_record_count(&s->rlayer); 776 } 777 } 778 779 if (s->early_data_state == SSL_EARLY_DATA_READING) { 780 thisrr = &rr[0]; 781 if (thisrr->type == SSL3_RT_APPLICATION_DATA 782 && !early_data_count_ok(s, thisrr->length, 0, 0)) { 783 /* SSLfatal already called */ 784 return -1; 785 } 786 } 787 788 RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs); 789 return 1; 790 } 791 792 int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr) 793 { 794 #ifndef OPENSSL_NO_COMP 795 int i; 796 797 if (rr->comp == NULL) { 798 rr->comp = (unsigned char *) 799 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); 800 } 801 if (rr->comp == NULL) 802 return 0; 803 804 /* TODO(size_t): Convert this call */ 805 i = COMP_expand_block(ssl->expand, rr->comp, 806 SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length); 807 if (i < 0) 808 return 0; 809 else 810 rr->length = i; 811 rr->data = rr->comp; 812 #endif 813 return 1; 814 } 815 816 int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr) 817 { 818 #ifndef OPENSSL_NO_COMP 819 int i; 820 821 /* TODO(size_t): Convert this call */ 822 i = COMP_compress_block(ssl->compress, wr->data, 823 (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD), 824 wr->input, (int)wr->length); 825 if (i < 0) 826 return 0; 827 else 828 wr->length = i; 829 830 wr->input = wr->data; 831 #endif 832 return 1; 833 } 834 835 /*- 836 * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Will call 837 * SSLfatal() for internal errors, but not otherwise. 838 * 839 * Returns: 840 * 0: (in non-constant time) if the record is publically invalid (i.e. too 841 * short etc). 842 * 1: if the record's padding is valid / the encryption was successful. 843 * -1: if the record's padding is invalid or, if sending, an internal error 844 * occurred. 845 */ 846 int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending) 847 { 848 SSL3_RECORD *rec; 849 EVP_CIPHER_CTX *ds; 850 size_t l, i; 851 size_t bs, mac_size = 0; 852 int imac_size; 853 const EVP_CIPHER *enc; 854 855 rec = inrecs; 856 /* 857 * We shouldn't ever be called with more than one record in the SSLv3 case 858 */ 859 if (n_recs != 1) 860 return 0; 861 if (sending) { 862 ds = s->enc_write_ctx; 863 if (s->enc_write_ctx == NULL) 864 enc = NULL; 865 else 866 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 867 } else { 868 ds = s->enc_read_ctx; 869 if (s->enc_read_ctx == NULL) 870 enc = NULL; 871 else 872 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 873 } 874 875 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { 876 memmove(rec->data, rec->input, rec->length); 877 rec->input = rec->data; 878 } else { 879 l = rec->length; 880 /* TODO(size_t): Convert this call */ 881 bs = EVP_CIPHER_CTX_block_size(ds); 882 883 /* COMPRESS */ 884 885 if ((bs != 1) && sending) { 886 i = bs - (l % bs); 887 888 /* we need to add 'i-1' padding bytes */ 889 l += i; 890 /* 891 * the last of these zero bytes will be overwritten with the 892 * padding length. 893 */ 894 memset(&rec->input[rec->length], 0, i); 895 rec->length += i; 896 rec->input[l - 1] = (unsigned char)(i - 1); 897 } 898 899 if (!sending) { 900 if (l == 0 || l % bs != 0) 901 return 0; 902 /* otherwise, rec->length >= bs */ 903 } 904 905 /* TODO(size_t): Convert this call */ 906 if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) 907 return -1; 908 909 if (EVP_MD_CTX_md(s->read_hash) != NULL) { 910 /* TODO(size_t): convert me */ 911 imac_size = EVP_MD_CTX_size(s->read_hash); 912 if (imac_size < 0) { 913 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_ENC, 914 ERR_R_INTERNAL_ERROR); 915 return -1; 916 } 917 mac_size = (size_t)imac_size; 918 } 919 if ((bs != 1) && !sending) 920 return ssl3_cbc_remove_padding(rec, bs, mac_size); 921 } 922 return 1; 923 } 924 925 #define MAX_PADDING 256 926 /*- 927 * tls1_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for 928 * internal errors, but not otherwise. 929 * 930 * Returns: 931 * 0: (in non-constant time) if the record is publically invalid (i.e. too 932 * short etc). 933 * 1: if the record's padding is valid / the encryption was successful. 934 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, 935 * an internal error occurred. 936 */ 937 int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) 938 { 939 EVP_CIPHER_CTX *ds; 940 size_t reclen[SSL_MAX_PIPELINES]; 941 unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN]; 942 int i, pad = 0, ret, tmpr; 943 size_t bs, mac_size = 0, ctr, padnum, loop; 944 unsigned char padval; 945 int imac_size; 946 const EVP_CIPHER *enc; 947 948 if (n_recs == 0) { 949 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 950 ERR_R_INTERNAL_ERROR); 951 return 0; 952 } 953 954 if (sending) { 955 if (EVP_MD_CTX_md(s->write_hash)) { 956 int n = EVP_MD_CTX_size(s->write_hash); 957 if (!ossl_assert(n >= 0)) { 958 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 959 ERR_R_INTERNAL_ERROR); 960 return -1; 961 } 962 } 963 ds = s->enc_write_ctx; 964 if (s->enc_write_ctx == NULL) 965 enc = NULL; 966 else { 967 int ivlen; 968 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 969 /* For TLSv1.1 and later explicit IV */ 970 if (SSL_USE_EXPLICIT_IV(s) 971 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) 972 ivlen = EVP_CIPHER_iv_length(enc); 973 else 974 ivlen = 0; 975 if (ivlen > 1) { 976 for (ctr = 0; ctr < n_recs; ctr++) { 977 if (recs[ctr].data != recs[ctr].input) { 978 /* 979 * we can't write into the input stream: Can this ever 980 * happen?? (steve) 981 */ 982 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 983 ERR_R_INTERNAL_ERROR); 984 return -1; 985 } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) { 986 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 987 ERR_R_INTERNAL_ERROR); 988 return -1; 989 } 990 } 991 } 992 } 993 } else { 994 if (EVP_MD_CTX_md(s->read_hash)) { 995 int n = EVP_MD_CTX_size(s->read_hash); 996 if (!ossl_assert(n >= 0)) { 997 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 998 ERR_R_INTERNAL_ERROR); 999 return -1; 1000 } 1001 } 1002 ds = s->enc_read_ctx; 1003 if (s->enc_read_ctx == NULL) 1004 enc = NULL; 1005 else 1006 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 1007 } 1008 1009 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { 1010 for (ctr = 0; ctr < n_recs; ctr++) { 1011 memmove(recs[ctr].data, recs[ctr].input, recs[ctr].length); 1012 recs[ctr].input = recs[ctr].data; 1013 } 1014 ret = 1; 1015 } else { 1016 bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_cipher(ds)); 1017 1018 if (n_recs > 1) { 1019 if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) 1020 & EVP_CIPH_FLAG_PIPELINE)) { 1021 /* 1022 * We shouldn't have been called with pipeline data if the 1023 * cipher doesn't support pipelining 1024 */ 1025 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1026 SSL_R_PIPELINE_FAILURE); 1027 return -1; 1028 } 1029 } 1030 for (ctr = 0; ctr < n_recs; ctr++) { 1031 reclen[ctr] = recs[ctr].length; 1032 1033 if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) 1034 & EVP_CIPH_FLAG_AEAD_CIPHER) { 1035 unsigned char *seq; 1036 1037 seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer) 1038 : RECORD_LAYER_get_read_sequence(&s->rlayer); 1039 1040 if (SSL_IS_DTLS(s)) { 1041 /* DTLS does not support pipelining */ 1042 unsigned char dtlsseq[9], *p = dtlsseq; 1043 1044 s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) : 1045 DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p); 1046 memcpy(p, &seq[2], 6); 1047 memcpy(buf[ctr], dtlsseq, 8); 1048 } else { 1049 memcpy(buf[ctr], seq, 8); 1050 for (i = 7; i >= 0; i--) { /* increment */ 1051 ++seq[i]; 1052 if (seq[i] != 0) 1053 break; 1054 } 1055 } 1056 1057 buf[ctr][8] = recs[ctr].type; 1058 buf[ctr][9] = (unsigned char)(s->version >> 8); 1059 buf[ctr][10] = (unsigned char)(s->version); 1060 buf[ctr][11] = (unsigned char)(recs[ctr].length >> 8); 1061 buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff); 1062 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 1063 EVP_AEAD_TLS1_AAD_LEN, buf[ctr]); 1064 if (pad <= 0) { 1065 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1066 ERR_R_INTERNAL_ERROR); 1067 return -1; 1068 } 1069 1070 if (sending) { 1071 reclen[ctr] += pad; 1072 recs[ctr].length += pad; 1073 } 1074 1075 } else if ((bs != 1) && sending) { 1076 padnum = bs - (reclen[ctr] % bs); 1077 1078 /* Add weird padding of upto 256 bytes */ 1079 1080 if (padnum > MAX_PADDING) { 1081 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1082 ERR_R_INTERNAL_ERROR); 1083 return -1; 1084 } 1085 /* we need to add 'padnum' padding bytes of value padval */ 1086 padval = (unsigned char)(padnum - 1); 1087 for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++) 1088 recs[ctr].input[loop] = padval; 1089 reclen[ctr] += padnum; 1090 recs[ctr].length += padnum; 1091 } 1092 1093 if (!sending) { 1094 if (reclen[ctr] == 0 || reclen[ctr] % bs != 0) 1095 return 0; 1096 } 1097 } 1098 if (n_recs > 1) { 1099 unsigned char *data[SSL_MAX_PIPELINES]; 1100 1101 /* Set the output buffers */ 1102 for (ctr = 0; ctr < n_recs; ctr++) { 1103 data[ctr] = recs[ctr].data; 1104 } 1105 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS, 1106 (int)n_recs, data) <= 0) { 1107 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1108 SSL_R_PIPELINE_FAILURE); 1109 return -1; 1110 } 1111 /* Set the input buffers */ 1112 for (ctr = 0; ctr < n_recs; ctr++) { 1113 data[ctr] = recs[ctr].input; 1114 } 1115 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS, 1116 (int)n_recs, data) <= 0 1117 || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS, 1118 (int)n_recs, reclen) <= 0) { 1119 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1120 SSL_R_PIPELINE_FAILURE); 1121 return -1; 1122 } 1123 } 1124 1125 /* TODO(size_t): Convert this call */ 1126 tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input, 1127 (unsigned int)reclen[0]); 1128 if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) 1129 & EVP_CIPH_FLAG_CUSTOM_CIPHER) 1130 ? (tmpr < 0) 1131 : (tmpr == 0)) 1132 return -1; /* AEAD can fail to verify MAC */ 1133 1134 if (sending == 0) { 1135 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) { 1136 for (ctr = 0; ctr < n_recs; ctr++) { 1137 recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1138 recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1139 recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 1140 } 1141 } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) { 1142 for (ctr = 0; ctr < n_recs; ctr++) { 1143 recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN; 1144 recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN; 1145 recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN; 1146 } 1147 } 1148 } 1149 1150 ret = 1; 1151 if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) { 1152 imac_size = EVP_MD_CTX_size(s->read_hash); 1153 if (imac_size < 0) { 1154 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1155 ERR_R_INTERNAL_ERROR); 1156 return -1; 1157 } 1158 mac_size = (size_t)imac_size; 1159 } 1160 if ((bs != 1) && !sending) { 1161 int tmpret; 1162 for (ctr = 0; ctr < n_recs; ctr++) { 1163 tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size); 1164 /* 1165 * If tmpret == 0 then this means publicly invalid so we can 1166 * short circuit things here. Otherwise we must respect constant 1167 * time behaviour. 1168 */ 1169 if (tmpret == 0) 1170 return 0; 1171 ret = constant_time_select_int(constant_time_eq_int(tmpret, 1), 1172 ret, -1); 1173 } 1174 } 1175 if (pad && !sending) { 1176 for (ctr = 0; ctr < n_recs; ctr++) { 1177 recs[ctr].length -= pad; 1178 } 1179 } 1180 } 1181 return ret; 1182 } 1183 1184 int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) 1185 { 1186 unsigned char *mac_sec, *seq; 1187 const EVP_MD_CTX *hash; 1188 unsigned char *p, rec_char; 1189 size_t md_size; 1190 size_t npad; 1191 int t; 1192 1193 if (sending) { 1194 mac_sec = &(ssl->s3->write_mac_secret[0]); 1195 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer); 1196 hash = ssl->write_hash; 1197 } else { 1198 mac_sec = &(ssl->s3->read_mac_secret[0]); 1199 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer); 1200 hash = ssl->read_hash; 1201 } 1202 1203 t = EVP_MD_CTX_size(hash); 1204 if (t < 0) 1205 return 0; 1206 md_size = t; 1207 npad = (48 / md_size) * md_size; 1208 1209 if (!sending && 1210 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 1211 ssl3_cbc_record_digest_supported(hash)) { 1212 /* 1213 * This is a CBC-encrypted record. We must avoid leaking any 1214 * timing-side channel information about how many blocks of data we 1215 * are hashing because that gives an attacker a timing-oracle. 1216 */ 1217 1218 /*- 1219 * npad is, at most, 48 bytes and that's with MD5: 1220 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. 1221 * 1222 * With SHA-1 (the largest hash speced for SSLv3) the hash size 1223 * goes up 4, but npad goes down by 8, resulting in a smaller 1224 * total size. 1225 */ 1226 unsigned char header[75]; 1227 size_t j = 0; 1228 memcpy(header + j, mac_sec, md_size); 1229 j += md_size; 1230 memcpy(header + j, ssl3_pad_1, npad); 1231 j += npad; 1232 memcpy(header + j, seq, 8); 1233 j += 8; 1234 header[j++] = rec->type; 1235 header[j++] = (unsigned char)(rec->length >> 8); 1236 header[j++] = (unsigned char)(rec->length & 0xff); 1237 1238 /* Final param == is SSLv3 */ 1239 if (ssl3_cbc_digest_record(hash, 1240 md, &md_size, 1241 header, rec->input, 1242 rec->length + md_size, rec->orig_len, 1243 mac_sec, md_size, 1) <= 0) 1244 return 0; 1245 } else { 1246 unsigned int md_size_u; 1247 /* Chop the digest off the end :-) */ 1248 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); 1249 1250 if (md_ctx == NULL) 1251 return 0; 1252 1253 rec_char = rec->type; 1254 p = md; 1255 s2n(rec->length, p); 1256 if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0 1257 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0 1258 || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0 1259 || EVP_DigestUpdate(md_ctx, seq, 8) <= 0 1260 || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0 1261 || EVP_DigestUpdate(md_ctx, md, 2) <= 0 1262 || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0 1263 || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0 1264 || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0 1265 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0 1266 || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0 1267 || EVP_DigestUpdate(md_ctx, md, md_size) <= 0 1268 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) { 1269 EVP_MD_CTX_free(md_ctx); 1270 return 0; 1271 } 1272 1273 EVP_MD_CTX_free(md_ctx); 1274 } 1275 1276 ssl3_record_sequence_update(seq); 1277 return 1; 1278 } 1279 1280 int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) 1281 { 1282 unsigned char *seq; 1283 EVP_MD_CTX *hash; 1284 size_t md_size; 1285 int i; 1286 EVP_MD_CTX *hmac = NULL, *mac_ctx; 1287 unsigned char header[13]; 1288 int stream_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) 1289 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM)); 1290 int t; 1291 1292 if (sending) { 1293 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer); 1294 hash = ssl->write_hash; 1295 } else { 1296 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer); 1297 hash = ssl->read_hash; 1298 } 1299 1300 t = EVP_MD_CTX_size(hash); 1301 if (!ossl_assert(t >= 0)) 1302 return 0; 1303 md_size = t; 1304 1305 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 1306 if (stream_mac) { 1307 mac_ctx = hash; 1308 } else { 1309 hmac = EVP_MD_CTX_new(); 1310 if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) { 1311 EVP_MD_CTX_free(hmac); 1312 return 0; 1313 } 1314 mac_ctx = hmac; 1315 } 1316 1317 if (SSL_IS_DTLS(ssl)) { 1318 unsigned char dtlsseq[8], *p = dtlsseq; 1319 1320 s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) : 1321 DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p); 1322 memcpy(p, &seq[2], 6); 1323 1324 memcpy(header, dtlsseq, 8); 1325 } else 1326 memcpy(header, seq, 8); 1327 1328 header[8] = rec->type; 1329 header[9] = (unsigned char)(ssl->version >> 8); 1330 header[10] = (unsigned char)(ssl->version); 1331 header[11] = (unsigned char)(rec->length >> 8); 1332 header[12] = (unsigned char)(rec->length & 0xff); 1333 1334 if (!sending && !SSL_READ_ETM(ssl) && 1335 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 1336 ssl3_cbc_record_digest_supported(mac_ctx)) { 1337 /* 1338 * This is a CBC-encrypted record. We must avoid leaking any 1339 * timing-side channel information about how many blocks of data we 1340 * are hashing because that gives an attacker a timing-oracle. 1341 */ 1342 /* Final param == not SSLv3 */ 1343 if (ssl3_cbc_digest_record(mac_ctx, 1344 md, &md_size, 1345 header, rec->input, 1346 rec->length + md_size, rec->orig_len, 1347 ssl->s3->read_mac_secret, 1348 ssl->s3->read_mac_secret_size, 0) <= 0) { 1349 EVP_MD_CTX_free(hmac); 1350 return 0; 1351 } 1352 } else { 1353 /* TODO(size_t): Convert these calls */ 1354 if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0 1355 || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0 1356 || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) { 1357 EVP_MD_CTX_free(hmac); 1358 return 0; 1359 } 1360 } 1361 1362 EVP_MD_CTX_free(hmac); 1363 1364 #ifdef SSL_DEBUG 1365 fprintf(stderr, "seq="); 1366 { 1367 int z; 1368 for (z = 0; z < 8; z++) 1369 fprintf(stderr, "%02X ", seq[z]); 1370 fprintf(stderr, "\n"); 1371 } 1372 fprintf(stderr, "rec="); 1373 { 1374 size_t z; 1375 for (z = 0; z < rec->length; z++) 1376 fprintf(stderr, "%02X ", rec->data[z]); 1377 fprintf(stderr, "\n"); 1378 } 1379 #endif 1380 1381 if (!SSL_IS_DTLS(ssl)) { 1382 for (i = 7; i >= 0; i--) { 1383 ++seq[i]; 1384 if (seq[i] != 0) 1385 break; 1386 } 1387 } 1388 #ifdef SSL_DEBUG 1389 { 1390 unsigned int z; 1391 for (z = 0; z < md_size; z++) 1392 fprintf(stderr, "%02X ", md[z]); 1393 fprintf(stderr, "\n"); 1394 } 1395 #endif 1396 return 1; 1397 } 1398 1399 /*- 1400 * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC 1401 * record in |rec| by updating |rec->length| in constant time. 1402 * 1403 * block_size: the block size of the cipher used to encrypt the record. 1404 * returns: 1405 * 0: (in non-constant time) if the record is publicly invalid. 1406 * 1: if the padding was valid 1407 * -1: otherwise. 1408 */ 1409 int ssl3_cbc_remove_padding(SSL3_RECORD *rec, 1410 size_t block_size, size_t mac_size) 1411 { 1412 size_t padding_length; 1413 size_t good; 1414 const size_t overhead = 1 /* padding length byte */ + mac_size; 1415 1416 /* 1417 * These lengths are all public so we can test them in non-constant time. 1418 */ 1419 if (overhead > rec->length) 1420 return 0; 1421 1422 padding_length = rec->data[rec->length - 1]; 1423 good = constant_time_ge_s(rec->length, padding_length + overhead); 1424 /* SSLv3 requires that the padding is minimal. */ 1425 good &= constant_time_ge_s(block_size, padding_length + 1); 1426 rec->length -= good & (padding_length + 1); 1427 return constant_time_select_int_s(good, 1, -1); 1428 } 1429 1430 /*- 1431 * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC 1432 * record in |rec| in constant time and returns 1 if the padding is valid and 1433 * -1 otherwise. It also removes any explicit IV from the start of the record 1434 * without leaking any timing about whether there was enough space after the 1435 * padding was removed. 1436 * 1437 * block_size: the block size of the cipher used to encrypt the record. 1438 * returns: 1439 * 0: (in non-constant time) if the record is publicly invalid. 1440 * 1: if the padding was valid 1441 * -1: otherwise. 1442 */ 1443 int tls1_cbc_remove_padding(const SSL *s, 1444 SSL3_RECORD *rec, 1445 size_t block_size, size_t mac_size) 1446 { 1447 size_t good; 1448 size_t padding_length, to_check, i; 1449 const size_t overhead = 1 /* padding length byte */ + mac_size; 1450 /* Check if version requires explicit IV */ 1451 if (SSL_USE_EXPLICIT_IV(s)) { 1452 /* 1453 * These lengths are all public so we can test them in non-constant 1454 * time. 1455 */ 1456 if (overhead + block_size > rec->length) 1457 return 0; 1458 /* We can now safely skip explicit IV */ 1459 rec->data += block_size; 1460 rec->input += block_size; 1461 rec->length -= block_size; 1462 rec->orig_len -= block_size; 1463 } else if (overhead > rec->length) 1464 return 0; 1465 1466 padding_length = rec->data[rec->length - 1]; 1467 1468 if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) & 1469 EVP_CIPH_FLAG_AEAD_CIPHER) { 1470 /* padding is already verified */ 1471 rec->length -= padding_length + 1; 1472 return 1; 1473 } 1474 1475 good = constant_time_ge_s(rec->length, overhead + padding_length); 1476 /* 1477 * The padding consists of a length byte at the end of the record and 1478 * then that many bytes of padding, all with the same value as the length 1479 * byte. Thus, with the length byte included, there are i+1 bytes of 1480 * padding. We can't check just |padding_length+1| bytes because that 1481 * leaks decrypted information. Therefore we always have to check the 1482 * maximum amount of padding possible. (Again, the length of the record 1483 * is public information so we can use it.) 1484 */ 1485 to_check = 256; /* maximum amount of padding, inc length byte. */ 1486 if (to_check > rec->length) 1487 to_check = rec->length; 1488 1489 for (i = 0; i < to_check; i++) { 1490 unsigned char mask = constant_time_ge_8_s(padding_length, i); 1491 unsigned char b = rec->data[rec->length - 1 - i]; 1492 /* 1493 * The final |padding_length+1| bytes should all have the value 1494 * |padding_length|. Therefore the XOR should be zero. 1495 */ 1496 good &= ~(mask & (padding_length ^ b)); 1497 } 1498 1499 /* 1500 * If any of the final |padding_length+1| bytes had the wrong value, one 1501 * or more of the lower eight bits of |good| will be cleared. 1502 */ 1503 good = constant_time_eq_s(0xff, good & 0xff); 1504 rec->length -= good & (padding_length + 1); 1505 1506 return constant_time_select_int_s(good, 1, -1); 1507 } 1508 1509 /*- 1510 * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in 1511 * constant time (independent of the concrete value of rec->length, which may 1512 * vary within a 256-byte window). 1513 * 1514 * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to 1515 * this function. 1516 * 1517 * On entry: 1518 * rec->orig_len >= md_size 1519 * md_size <= EVP_MAX_MD_SIZE 1520 * 1521 * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with 1522 * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into 1523 * a single or pair of cache-lines, then the variable memory accesses don't 1524 * actually affect the timing. CPUs with smaller cache-lines [if any] are 1525 * not multi-core and are not considered vulnerable to cache-timing attacks. 1526 */ 1527 #define CBC_MAC_ROTATE_IN_PLACE 1528 1529 int ssl3_cbc_copy_mac(unsigned char *out, 1530 const SSL3_RECORD *rec, size_t md_size) 1531 { 1532 #if defined(CBC_MAC_ROTATE_IN_PLACE) 1533 unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE]; 1534 unsigned char *rotated_mac; 1535 #else 1536 unsigned char rotated_mac[EVP_MAX_MD_SIZE]; 1537 #endif 1538 1539 /* 1540 * mac_end is the index of |rec->data| just after the end of the MAC. 1541 */ 1542 size_t mac_end = rec->length; 1543 size_t mac_start = mac_end - md_size; 1544 size_t in_mac; 1545 /* 1546 * scan_start contains the number of bytes that we can ignore because the 1547 * MAC's position can only vary by 255 bytes. 1548 */ 1549 size_t scan_start = 0; 1550 size_t i, j; 1551 size_t rotate_offset; 1552 1553 if (!ossl_assert(rec->orig_len >= md_size 1554 && md_size <= EVP_MAX_MD_SIZE)) 1555 return 0; 1556 1557 #if defined(CBC_MAC_ROTATE_IN_PLACE) 1558 rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63); 1559 #endif 1560 1561 /* This information is public so it's safe to branch based on it. */ 1562 if (rec->orig_len > md_size + 255 + 1) 1563 scan_start = rec->orig_len - (md_size + 255 + 1); 1564 1565 in_mac = 0; 1566 rotate_offset = 0; 1567 memset(rotated_mac, 0, md_size); 1568 for (i = scan_start, j = 0; i < rec->orig_len; i++) { 1569 size_t mac_started = constant_time_eq_s(i, mac_start); 1570 size_t mac_ended = constant_time_lt_s(i, mac_end); 1571 unsigned char b = rec->data[i]; 1572 1573 in_mac |= mac_started; 1574 in_mac &= mac_ended; 1575 rotate_offset |= j & mac_started; 1576 rotated_mac[j++] |= b & in_mac; 1577 j &= constant_time_lt_s(j, md_size); 1578 } 1579 1580 /* Now rotate the MAC */ 1581 #if defined(CBC_MAC_ROTATE_IN_PLACE) 1582 j = 0; 1583 for (i = 0; i < md_size; i++) { 1584 /* in case cache-line is 32 bytes, touch second line */ 1585 ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32]; 1586 out[j++] = rotated_mac[rotate_offset++]; 1587 rotate_offset &= constant_time_lt_s(rotate_offset, md_size); 1588 } 1589 #else 1590 memset(out, 0, md_size); 1591 rotate_offset = md_size - rotate_offset; 1592 rotate_offset &= constant_time_lt_s(rotate_offset, md_size); 1593 for (i = 0; i < md_size; i++) { 1594 for (j = 0; j < md_size; j++) 1595 out[j] |= rotated_mac[i] & constant_time_eq_8_s(j, rotate_offset); 1596 rotate_offset++; 1597 rotate_offset &= constant_time_lt_s(rotate_offset, md_size); 1598 } 1599 #endif 1600 1601 return 1; 1602 } 1603 1604 int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) 1605 { 1606 int i; 1607 int enc_err; 1608 SSL_SESSION *sess; 1609 SSL3_RECORD *rr; 1610 int imac_size; 1611 size_t mac_size; 1612 unsigned char md[EVP_MAX_MD_SIZE]; 1613 1614 rr = RECORD_LAYER_get_rrec(&s->rlayer); 1615 sess = s->session; 1616 1617 /* 1618 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 1619 * and we have that many bytes in s->packet 1620 */ 1621 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]); 1622 1623 /* 1624 * ok, we can now read from 's->packet' data into 'rr' rr->input points 1625 * at rr->length bytes, which need to be copied into rr->data by either 1626 * the decryption or by the decompression When the data is 'copied' into 1627 * the rr->data buffer, rr->input will be pointed at the new buffer 1628 */ 1629 1630 /* 1631 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length 1632 * bytes of encrypted compressed stuff. 1633 */ 1634 1635 /* check is not needed I believe */ 1636 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 1637 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, 1638 SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 1639 return 0; 1640 } 1641 1642 /* decrypt in place in 'rr->input' */ 1643 rr->data = rr->input; 1644 rr->orig_len = rr->length; 1645 1646 if (SSL_READ_ETM(s) && s->read_hash) { 1647 unsigned char *mac; 1648 mac_size = EVP_MD_CTX_size(s->read_hash); 1649 if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { 1650 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, 1651 ERR_R_INTERNAL_ERROR); 1652 return 0; 1653 } 1654 if (rr->orig_len < mac_size) { 1655 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD, 1656 SSL_R_LENGTH_TOO_SHORT); 1657 return 0; 1658 } 1659 rr->length -= mac_size; 1660 mac = rr->data + rr->length; 1661 i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); 1662 if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { 1663 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_DTLS1_PROCESS_RECORD, 1664 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 1665 return 0; 1666 } 1667 } 1668 1669 enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0); 1670 /*- 1671 * enc_err is: 1672 * 0: (in non-constant time) if the record is publically invalid. 1673 * 1: if the padding is valid 1674 * -1: if the padding is invalid 1675 */ 1676 if (enc_err == 0) { 1677 if (ossl_statem_in_error(s)) { 1678 /* SSLfatal() got called */ 1679 return 0; 1680 } 1681 /* For DTLS we simply ignore bad packets. */ 1682 rr->length = 0; 1683 RECORD_LAYER_reset_packet_length(&s->rlayer); 1684 return 0; 1685 } 1686 #ifdef SSL_DEBUG 1687 printf("dec %ld\n", rr->length); 1688 { 1689 size_t z; 1690 for (z = 0; z < rr->length; z++) 1691 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n'); 1692 } 1693 printf("\n"); 1694 #endif 1695 1696 /* r->length is now the compressed data plus mac */ 1697 if ((sess != NULL) && !SSL_READ_ETM(s) && 1698 (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) { 1699 /* s->read_hash != NULL => mac_size != -1 */ 1700 unsigned char *mac = NULL; 1701 unsigned char mac_tmp[EVP_MAX_MD_SIZE]; 1702 1703 /* TODO(size_t): Convert this to do size_t properly */ 1704 imac_size = EVP_MD_CTX_size(s->read_hash); 1705 if (imac_size < 0) { 1706 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, 1707 ERR_LIB_EVP); 1708 return 0; 1709 } 1710 mac_size = (size_t)imac_size; 1711 if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { 1712 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, 1713 ERR_R_INTERNAL_ERROR); 1714 return 0; 1715 } 1716 1717 /* 1718 * orig_len is the length of the record before any padding was 1719 * removed. This is public information, as is the MAC in use, 1720 * therefore we can safely process the record in a different amount 1721 * of time if it's too short to possibly contain a MAC. 1722 */ 1723 if (rr->orig_len < mac_size || 1724 /* CBC records must have a padding length byte too. */ 1725 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && 1726 rr->orig_len < mac_size + 1)) { 1727 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD, 1728 SSL_R_LENGTH_TOO_SHORT); 1729 return 0; 1730 } 1731 1732 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { 1733 /* 1734 * We update the length so that the TLS header bytes can be 1735 * constructed correctly but we need to extract the MAC in 1736 * constant time from within the record, without leaking the 1737 * contents of the padding bytes. 1738 */ 1739 mac = mac_tmp; 1740 if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) { 1741 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, 1742 ERR_R_INTERNAL_ERROR); 1743 return 0; 1744 } 1745 rr->length -= mac_size; 1746 } else { 1747 /* 1748 * In this case there's no padding, so |rec->orig_len| equals 1749 * |rec->length| and we checked that there's enough bytes for 1750 * |mac_size| above. 1751 */ 1752 rr->length -= mac_size; 1753 mac = &rr->data[rr->length]; 1754 } 1755 1756 i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); 1757 if (i == 0 || mac == NULL 1758 || CRYPTO_memcmp(md, mac, mac_size) != 0) 1759 enc_err = -1; 1760 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) 1761 enc_err = -1; 1762 } 1763 1764 if (enc_err < 0) { 1765 /* decryption failed, silently discard message */ 1766 rr->length = 0; 1767 RECORD_LAYER_reset_packet_length(&s->rlayer); 1768 return 0; 1769 } 1770 1771 /* r->length is now just compressed */ 1772 if (s->expand != NULL) { 1773 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { 1774 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, 1775 SSL_R_COMPRESSED_LENGTH_TOO_LONG); 1776 return 0; 1777 } 1778 if (!ssl3_do_uncompress(s, rr)) { 1779 SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, 1780 SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); 1781 return 0; 1782 } 1783 } 1784 1785 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { 1786 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, 1787 SSL_R_DATA_LENGTH_TOO_LONG); 1788 return 0; 1789 } 1790 1791 rr->off = 0; 1792 /*- 1793 * So at this point the following is true 1794 * ssl->s3->rrec.type is the type of record 1795 * ssl->s3->rrec.length == number of bytes in record 1796 * ssl->s3->rrec.off == offset to first valid byte 1797 * ssl->s3->rrec.data == where to take bytes from, increment 1798 * after use :-). 1799 */ 1800 1801 /* we have pulled in a full packet so zero things */ 1802 RECORD_LAYER_reset_packet_length(&s->rlayer); 1803 1804 /* Mark receipt of record. */ 1805 dtls1_record_bitmap_update(s, bitmap); 1806 1807 return 1; 1808 } 1809 1810 /* 1811 * Retrieve a buffered record that belongs to the current epoch, i.e. processed 1812 */ 1813 #define dtls1_get_processed_record(s) \ 1814 dtls1_retrieve_buffered_record((s), \ 1815 &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer))) 1816 1817 /*- 1818 * Call this to get a new input record. 1819 * It will return <= 0 if more data is needed, normally due to an error 1820 * or non-blocking IO. 1821 * When it finishes, one packet has been decoded and can be found in 1822 * ssl->s3->rrec.type - is the type of record 1823 * ssl->s3->rrec.data, - data 1824 * ssl->s3->rrec.length, - number of bytes 1825 */ 1826 /* used only by dtls1_read_bytes */ 1827 int dtls1_get_record(SSL *s) 1828 { 1829 int ssl_major, ssl_minor; 1830 int rret; 1831 size_t more, n; 1832 SSL3_RECORD *rr; 1833 unsigned char *p = NULL; 1834 unsigned short version; 1835 DTLS1_BITMAP *bitmap; 1836 unsigned int is_next_epoch; 1837 1838 rr = RECORD_LAYER_get_rrec(&s->rlayer); 1839 1840 again: 1841 /* 1842 * The epoch may have changed. If so, process all the pending records. 1843 * This is a non-blocking operation. 1844 */ 1845 if (!dtls1_process_buffered_records(s)) { 1846 /* SSLfatal() already called */ 1847 return -1; 1848 } 1849 1850 /* if we're renegotiating, then there may be buffered records */ 1851 if (dtls1_get_processed_record(s)) 1852 return 1; 1853 1854 /* get something from the wire */ 1855 1856 /* check if we have the header */ 1857 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) || 1858 (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) { 1859 rret = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, 1860 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1, &n); 1861 /* read timeout is handled by dtls1_read_bytes */ 1862 if (rret <= 0) { 1863 /* SSLfatal() already called if appropriate */ 1864 return rret; /* error or non-blocking */ 1865 } 1866 1867 /* this packet contained a partial record, dump it */ 1868 if (RECORD_LAYER_get_packet_length(&s->rlayer) != 1869 DTLS1_RT_HEADER_LENGTH) { 1870 RECORD_LAYER_reset_packet_length(&s->rlayer); 1871 goto again; 1872 } 1873 1874 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY); 1875 1876 p = RECORD_LAYER_get_packet(&s->rlayer); 1877 1878 if (s->msg_callback) 1879 s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, 1880 s, s->msg_callback_arg); 1881 1882 /* Pull apart the header into the DTLS1_RECORD */ 1883 rr->type = *(p++); 1884 ssl_major = *(p++); 1885 ssl_minor = *(p++); 1886 version = (ssl_major << 8) | ssl_minor; 1887 1888 /* sequence number is 64 bits, with top 2 bytes = epoch */ 1889 n2s(p, rr->epoch); 1890 1891 memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6); 1892 p += 6; 1893 1894 n2s(p, rr->length); 1895 rr->read = 0; 1896 1897 /* 1898 * Lets check the version. We tolerate alerts that don't have the exact 1899 * version number (e.g. because of protocol version errors) 1900 */ 1901 if (!s->first_packet && rr->type != SSL3_RT_ALERT) { 1902 if (version != s->version) { 1903 /* unexpected version, silently discard */ 1904 rr->length = 0; 1905 rr->read = 1; 1906 RECORD_LAYER_reset_packet_length(&s->rlayer); 1907 goto again; 1908 } 1909 } 1910 1911 if ((version & 0xff00) != (s->version & 0xff00)) { 1912 /* wrong version, silently discard record */ 1913 rr->length = 0; 1914 rr->read = 1; 1915 RECORD_LAYER_reset_packet_length(&s->rlayer); 1916 goto again; 1917 } 1918 1919 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 1920 /* record too long, silently discard it */ 1921 rr->length = 0; 1922 rr->read = 1; 1923 RECORD_LAYER_reset_packet_length(&s->rlayer); 1924 goto again; 1925 } 1926 1927 /* If received packet overflows own-client Max Fragment Length setting */ 1928 if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) 1929 && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { 1930 /* record too long, silently discard it */ 1931 rr->length = 0; 1932 rr->read = 1; 1933 RECORD_LAYER_reset_packet_length(&s->rlayer); 1934 goto again; 1935 } 1936 1937 /* now s->rlayer.rstate == SSL_ST_READ_BODY */ 1938 } 1939 1940 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */ 1941 1942 if (rr->length > 1943 RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) { 1944 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ 1945 more = rr->length; 1946 rret = ssl3_read_n(s, more, more, 1, 1, &n); 1947 /* this packet contained a partial record, dump it */ 1948 if (rret <= 0 || n != more) { 1949 if (ossl_statem_in_error(s)) { 1950 /* ssl3_read_n() called SSLfatal() */ 1951 return -1; 1952 } 1953 rr->length = 0; 1954 rr->read = 1; 1955 RECORD_LAYER_reset_packet_length(&s->rlayer); 1956 goto again; 1957 } 1958 1959 /* 1960 * now n == rr->length, and s->packet_length == 1961 * DTLS1_RT_HEADER_LENGTH + rr->length 1962 */ 1963 } 1964 /* set state for later operations */ 1965 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER); 1966 1967 /* match epochs. NULL means the packet is dropped on the floor */ 1968 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); 1969 if (bitmap == NULL) { 1970 rr->length = 0; 1971 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ 1972 goto again; /* get another record */ 1973 } 1974 #ifndef OPENSSL_NO_SCTP 1975 /* Only do replay check if no SCTP bio */ 1976 if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) { 1977 #endif 1978 /* Check whether this is a repeat, or aged record. */ 1979 /* 1980 * TODO: Does it make sense to have replay protection in epoch 0 where 1981 * we have no integrity negotiated yet? 1982 */ 1983 if (!dtls1_record_replay_check(s, bitmap)) { 1984 rr->length = 0; 1985 rr->read = 1; 1986 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ 1987 goto again; /* get another record */ 1988 } 1989 #ifndef OPENSSL_NO_SCTP 1990 } 1991 #endif 1992 1993 /* just read a 0 length packet */ 1994 if (rr->length == 0) { 1995 rr->read = 1; 1996 goto again; 1997 } 1998 1999 /* 2000 * If this record is from the next epoch (either HM or ALERT), and a 2001 * handshake is currently in progress, buffer it since it cannot be 2002 * processed at this time. 2003 */ 2004 if (is_next_epoch) { 2005 if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) { 2006 if (dtls1_buffer_record (s, 2007 &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)), 2008 rr->seq_num) < 0) { 2009 /* SSLfatal() already called */ 2010 return -1; 2011 } 2012 } 2013 rr->length = 0; 2014 rr->read = 1; 2015 RECORD_LAYER_reset_packet_length(&s->rlayer); 2016 goto again; 2017 } 2018 2019 if (!dtls1_process_record(s, bitmap)) { 2020 if (ossl_statem_in_error(s)) { 2021 /* dtls1_process_record() called SSLfatal */ 2022 return -1; 2023 } 2024 rr->length = 0; 2025 rr->read = 1; 2026 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ 2027 goto again; /* get another record */ 2028 } 2029 2030 return 1; 2031 2032 } 2033 2034 int dtls_buffer_listen_record(SSL *s, size_t len, unsigned char *seq, size_t off) 2035 { 2036 SSL3_RECORD *rr; 2037 2038 rr = RECORD_LAYER_get_rrec(&s->rlayer); 2039 memset(rr, 0, sizeof(SSL3_RECORD)); 2040 2041 rr->length = len; 2042 rr->type = SSL3_RT_HANDSHAKE; 2043 memcpy(rr->seq_num, seq, sizeof(rr->seq_num)); 2044 rr->off = off; 2045 2046 s->rlayer.packet = RECORD_LAYER_get_rbuf(&s->rlayer)->buf; 2047 s->rlayer.packet_length = DTLS1_RT_HEADER_LENGTH + len; 2048 rr->data = s->rlayer.packet + DTLS1_RT_HEADER_LENGTH; 2049 2050 if (dtls1_buffer_record(s, &(s->rlayer.d->processed_rcds), 2051 SSL3_RECORD_get_seq_num(s->rlayer.rrec)) <= 0) { 2052 /* SSLfatal() already called */ 2053 return 0; 2054 } 2055 2056 return 1; 2057 } 2058