ssl3_record.c 72 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "../ssl_local.h"
  10. #include "internal/constant_time.h"
  11. #include <openssl/trace.h>
  12. #include <openssl/rand.h>
  13. #include "record_local.h"
  14. #include "internal/cryptlib.h"
  15. static const unsigned char ssl3_pad_1[48] = {
  16. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  17. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  18. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  19. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  20. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  21. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
  22. };
  23. static const unsigned char ssl3_pad_2[48] = {
  24. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  25. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  26. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  27. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  28. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  29. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
  30. };
  31. /*
  32. * Clear the contents of an SSL3_RECORD but retain any memory allocated
  33. */
  34. void SSL3_RECORD_clear(SSL3_RECORD *r, size_t num_recs)
  35. {
  36. unsigned char *comp;
  37. size_t i;
  38. for (i = 0; i < num_recs; i++) {
  39. comp = r[i].comp;
  40. memset(&r[i], 0, sizeof(*r));
  41. r[i].comp = comp;
  42. }
  43. }
  44. void SSL3_RECORD_release(SSL3_RECORD *r, size_t num_recs)
  45. {
  46. size_t i;
  47. for (i = 0; i < num_recs; i++) {
  48. OPENSSL_free(r[i].comp);
  49. r[i].comp = NULL;
  50. }
  51. }
  52. void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
  53. {
  54. memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
  55. }
  56. /*
  57. * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
  58. * for us in the buffer.
  59. */
  60. static int ssl3_record_app_data_waiting(SSL *s)
  61. {
  62. SSL3_BUFFER *rbuf;
  63. size_t left, len;
  64. unsigned char *p;
  65. rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
  66. p = SSL3_BUFFER_get_buf(rbuf);
  67. if (p == NULL)
  68. return 0;
  69. left = SSL3_BUFFER_get_left(rbuf);
  70. if (left < SSL3_RT_HEADER_LENGTH)
  71. return 0;
  72. p += SSL3_BUFFER_get_offset(rbuf);
  73. /*
  74. * We only check the type and record length, we will sanity check version
  75. * etc later
  76. */
  77. if (*p != SSL3_RT_APPLICATION_DATA)
  78. return 0;
  79. p += 3;
  80. n2s(p, len);
  81. if (left < SSL3_RT_HEADER_LENGTH + len)
  82. return 0;
  83. return 1;
  84. }
  85. int early_data_count_ok(SSL *s, size_t length, size_t overhead, int send)
  86. {
  87. uint32_t max_early_data;
  88. SSL_SESSION *sess = s->session;
  89. /*
  90. * If we are a client then we always use the max_early_data from the
  91. * session/psksession. Otherwise we go with the lowest out of the max early
  92. * data set in the session and the configured max_early_data.
  93. */
  94. if (!s->server && sess->ext.max_early_data == 0) {
  95. if (!ossl_assert(s->psksession != NULL
  96. && s->psksession->ext.max_early_data > 0)) {
  97. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_EARLY_DATA_COUNT_OK,
  98. ERR_R_INTERNAL_ERROR);
  99. return 0;
  100. }
  101. sess = s->psksession;
  102. }
  103. if (!s->server)
  104. max_early_data = sess->ext.max_early_data;
  105. else if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
  106. max_early_data = s->recv_max_early_data;
  107. else
  108. max_early_data = s->recv_max_early_data < sess->ext.max_early_data
  109. ? s->recv_max_early_data : sess->ext.max_early_data;
  110. if (max_early_data == 0) {
  111. SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
  112. SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA);
  113. return 0;
  114. }
  115. /* If we are dealing with ciphertext we need to allow for the overhead */
  116. max_early_data += overhead;
  117. if (s->early_data_count + length > max_early_data) {
  118. SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
  119. SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA);
  120. return 0;
  121. }
  122. s->early_data_count += length;
  123. return 1;
  124. }
  125. /*
  126. * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
  127. * will be processed per call to ssl3_get_record. Without this limit an
  128. * attacker could send empty records at a faster rate than we can process and
  129. * cause ssl3_get_record to loop forever.
  130. */
  131. #define MAX_EMPTY_RECORDS 32
  132. #define SSL2_RT_HEADER_LENGTH 2
  133. /*-
  134. * Call this to get new input records.
  135. * It will return <= 0 if more data is needed, normally due to an error
  136. * or non-blocking IO.
  137. * When it finishes, |numrpipes| records have been decoded. For each record 'i':
  138. * rr[i].type - is the type of record
  139. * rr[i].data, - data
  140. * rr[i].length, - number of bytes
  141. * Multiple records will only be returned if the record types are all
  142. * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
  143. * |max_pipelines|
  144. */
  145. /* used only by ssl3_read_bytes */
  146. int ssl3_get_record(SSL *s)
  147. {
  148. int enc_err, rret;
  149. int i;
  150. size_t more, n;
  151. SSL3_RECORD *rr, *thisrr;
  152. SSL3_BUFFER *rbuf;
  153. SSL_SESSION *sess;
  154. unsigned char *p;
  155. unsigned char md[EVP_MAX_MD_SIZE];
  156. unsigned int version;
  157. size_t mac_size;
  158. int imac_size;
  159. size_t num_recs = 0, max_recs, j;
  160. PACKET pkt, sslv2pkt;
  161. size_t first_rec_len;
  162. int is_ktls_left;
  163. rr = RECORD_LAYER_get_rrec(&s->rlayer);
  164. rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
  165. is_ktls_left = (rbuf->left > 0);
  166. max_recs = s->max_pipelines;
  167. if (max_recs == 0)
  168. max_recs = 1;
  169. sess = s->session;
  170. do {
  171. thisrr = &rr[num_recs];
  172. /* check if we have the header */
  173. if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
  174. (RECORD_LAYER_get_packet_length(&s->rlayer)
  175. < SSL3_RT_HEADER_LENGTH)) {
  176. size_t sslv2len;
  177. unsigned int type;
  178. rret = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
  179. SSL3_BUFFER_get_len(rbuf), 0,
  180. num_recs == 0 ? 1 : 0, &n);
  181. if (rret <= 0) {
  182. #ifndef OPENSSL_NO_KTLS
  183. if (!BIO_get_ktls_recv(s->rbio))
  184. return rret; /* error or non-blocking */
  185. switch (errno) {
  186. case EBADMSG:
  187. SSLfatal(s, SSL_AD_BAD_RECORD_MAC,
  188. SSL_F_SSL3_GET_RECORD,
  189. SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
  190. break;
  191. case EMSGSIZE:
  192. SSLfatal(s, SSL_AD_RECORD_OVERFLOW,
  193. SSL_F_SSL3_GET_RECORD,
  194. SSL_R_PACKET_LENGTH_TOO_LONG);
  195. break;
  196. case EINVAL:
  197. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  198. SSL_F_SSL3_GET_RECORD,
  199. SSL_R_WRONG_VERSION_NUMBER);
  200. break;
  201. default:
  202. break;
  203. }
  204. #endif
  205. return rret;
  206. }
  207. RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
  208. p = RECORD_LAYER_get_packet(&s->rlayer);
  209. if (!PACKET_buf_init(&pkt, RECORD_LAYER_get_packet(&s->rlayer),
  210. RECORD_LAYER_get_packet_length(&s->rlayer))) {
  211. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
  212. ERR_R_INTERNAL_ERROR);
  213. return -1;
  214. }
  215. sslv2pkt = pkt;
  216. if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
  217. || !PACKET_get_1(&sslv2pkt, &type)) {
  218. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
  219. ERR_R_INTERNAL_ERROR);
  220. return -1;
  221. }
  222. /*
  223. * The first record received by the server may be a V2ClientHello.
  224. */
  225. if (s->server && RECORD_LAYER_is_first_record(&s->rlayer)
  226. && (sslv2len & 0x8000) != 0
  227. && (type == SSL2_MT_CLIENT_HELLO)) {
  228. /*
  229. * SSLv2 style record
  230. *
  231. * |num_recs| here will actually always be 0 because
  232. * |num_recs > 0| only ever occurs when we are processing
  233. * multiple app data records - which we know isn't the case here
  234. * because it is an SSLv2ClientHello. We keep it using
  235. * |num_recs| for the sake of consistency
  236. */
  237. thisrr->type = SSL3_RT_HANDSHAKE;
  238. thisrr->rec_version = SSL2_VERSION;
  239. thisrr->length = sslv2len & 0x7fff;
  240. if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
  241. - SSL2_RT_HEADER_LENGTH) {
  242. SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
  243. SSL_R_PACKET_LENGTH_TOO_LONG);
  244. return -1;
  245. }
  246. if (thisrr->length < MIN_SSL2_RECORD_LEN) {
  247. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
  248. SSL_R_LENGTH_TOO_SHORT);
  249. return -1;
  250. }
  251. } else {
  252. /* SSLv3+ style record */
  253. if (s->msg_callback)
  254. s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
  255. s->msg_callback_arg);
  256. /* Pull apart the header into the SSL3_RECORD */
  257. if (!PACKET_get_1(&pkt, &type)
  258. || !PACKET_get_net_2(&pkt, &version)
  259. || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
  260. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
  261. ERR_R_INTERNAL_ERROR);
  262. return -1;
  263. }
  264. thisrr->type = type;
  265. thisrr->rec_version = version;
  266. /*
  267. * Lets check version. In TLSv1.3 we only check this field
  268. * when encryption is occurring (see later check). For the
  269. * ServerHello after an HRR we haven't actually selected TLSv1.3
  270. * yet, but we still treat it as TLSv1.3, so we must check for
  271. * that explicitly
  272. */
  273. if (!s->first_packet && !SSL_IS_TLS13(s)
  274. && s->hello_retry_request != SSL_HRR_PENDING
  275. && version != (unsigned int)s->version) {
  276. if ((s->version & 0xFF00) == (version & 0xFF00)
  277. && !s->enc_write_ctx && !s->write_hash) {
  278. if (thisrr->type == SSL3_RT_ALERT) {
  279. /*
  280. * The record is using an incorrect version number,
  281. * but what we've got appears to be an alert. We
  282. * haven't read the body yet to check whether its a
  283. * fatal or not - but chances are it is. We probably
  284. * shouldn't send a fatal alert back. We'll just
  285. * end.
  286. */
  287. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
  288. SSL_R_WRONG_VERSION_NUMBER);
  289. return -1;
  290. }
  291. /*
  292. * Send back error using their minor version number :-)
  293. */
  294. s->version = (unsigned short)version;
  295. }
  296. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL3_GET_RECORD,
  297. SSL_R_WRONG_VERSION_NUMBER);
  298. return -1;
  299. }
  300. if ((version >> 8) != SSL3_VERSION_MAJOR) {
  301. if (RECORD_LAYER_is_first_record(&s->rlayer)) {
  302. /* Go back to start of packet, look at the five bytes
  303. * that we have. */
  304. p = RECORD_LAYER_get_packet(&s->rlayer);
  305. if (strncmp((char *)p, "GET ", 4) == 0 ||
  306. strncmp((char *)p, "POST ", 5) == 0 ||
  307. strncmp((char *)p, "HEAD ", 5) == 0 ||
  308. strncmp((char *)p, "PUT ", 4) == 0) {
  309. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
  310. SSL_R_HTTP_REQUEST);
  311. return -1;
  312. } else if (strncmp((char *)p, "CONNE", 5) == 0) {
  313. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
  314. SSL_R_HTTPS_PROXY_REQUEST);
  315. return -1;
  316. }
  317. /* Doesn't look like TLS - don't send an alert */
  318. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
  319. SSL_R_WRONG_VERSION_NUMBER);
  320. return -1;
  321. } else {
  322. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  323. SSL_F_SSL3_GET_RECORD,
  324. SSL_R_WRONG_VERSION_NUMBER);
  325. return -1;
  326. }
  327. }
  328. if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) {
  329. if (thisrr->type != SSL3_RT_APPLICATION_DATA
  330. && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC
  331. || !SSL_IS_FIRST_HANDSHAKE(s))
  332. && (thisrr->type != SSL3_RT_ALERT
  333. || s->statem.enc_read_state
  334. != ENC_READ_STATE_ALLOW_PLAIN_ALERTS)) {
  335. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  336. SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE);
  337. return -1;
  338. }
  339. if (thisrr->rec_version != TLS1_2_VERSION) {
  340. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
  341. SSL_R_WRONG_VERSION_NUMBER);
  342. return -1;
  343. }
  344. }
  345. if (thisrr->length >
  346. SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
  347. SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
  348. SSL_R_PACKET_LENGTH_TOO_LONG);
  349. return -1;
  350. }
  351. }
  352. /* now s->rlayer.rstate == SSL_ST_READ_BODY */
  353. }
  354. if (SSL_IS_TLS13(s)) {
  355. if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
  356. SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
  357. SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
  358. return -1;
  359. }
  360. } else {
  361. size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
  362. #ifndef OPENSSL_NO_COMP
  363. /*
  364. * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
  365. * does not include the compression overhead anyway.
  366. */
  367. if (s->expand == NULL)
  368. len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
  369. #endif
  370. if (thisrr->length > len && !BIO_get_ktls_recv(s->rbio)) {
  371. SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
  372. SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
  373. return -1;
  374. }
  375. }
  376. /*
  377. * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data.
  378. * Calculate how much more data we need to read for the rest of the
  379. * record
  380. */
  381. if (thisrr->rec_version == SSL2_VERSION) {
  382. more = thisrr->length + SSL2_RT_HEADER_LENGTH
  383. - SSL3_RT_HEADER_LENGTH;
  384. } else {
  385. more = thisrr->length;
  386. }
  387. if (more > 0) {
  388. /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
  389. rret = ssl3_read_n(s, more, more, 1, 0, &n);
  390. if (rret <= 0)
  391. return rret; /* error or non-blocking io */
  392. }
  393. /* set state for later operations */
  394. RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
  395. /*
  396. * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH
  397. * + thisrr->length, or s->packet_length == SSL2_RT_HEADER_LENGTH
  398. * + thisrr->length and we have that many bytes in s->packet
  399. */
  400. if (thisrr->rec_version == SSL2_VERSION) {
  401. thisrr->input =
  402. &(RECORD_LAYER_get_packet(&s->rlayer)[SSL2_RT_HEADER_LENGTH]);
  403. } else {
  404. thisrr->input =
  405. &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
  406. }
  407. /*
  408. * ok, we can now read from 's->packet' data into 'thisrr' thisrr->input
  409. * points at thisrr->length bytes, which need to be copied into
  410. * thisrr->data by either the decryption or by the decompression When
  411. * the data is 'copied' into the thisrr->data buffer, thisrr->input will
  412. * be pointed at the new buffer
  413. */
  414. /*
  415. * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
  416. * thisrr->length bytes of encrypted compressed stuff.
  417. */
  418. /* decrypt in place in 'thisrr->input' */
  419. thisrr->data = thisrr->input;
  420. thisrr->orig_len = thisrr->length;
  421. /* Mark this record as not read by upper layers yet */
  422. thisrr->read = 0;
  423. num_recs++;
  424. /* we have pulled in a full packet so zero things */
  425. RECORD_LAYER_reset_packet_length(&s->rlayer);
  426. RECORD_LAYER_clear_first_record(&s->rlayer);
  427. } while (num_recs < max_recs
  428. && thisrr->type == SSL3_RT_APPLICATION_DATA
  429. && SSL_USE_EXPLICIT_IV(s)
  430. && s->enc_read_ctx != NULL
  431. && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx))
  432. & EVP_CIPH_FLAG_PIPELINE)
  433. && ssl3_record_app_data_waiting(s));
  434. if (num_recs == 1
  435. && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
  436. && (SSL_IS_TLS13(s) || s->hello_retry_request != SSL_HRR_NONE)
  437. && SSL_IS_FIRST_HANDSHAKE(s)) {
  438. /*
  439. * CCS messages must be exactly 1 byte long, containing the value 0x01
  440. */
  441. if (thisrr->length != 1 || thisrr->data[0] != 0x01) {
  442. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_GET_RECORD,
  443. SSL_R_INVALID_CCS_MESSAGE);
  444. return -1;
  445. }
  446. /*
  447. * CCS messages are ignored in TLSv1.3. We treat it like an empty
  448. * handshake record
  449. */
  450. thisrr->type = SSL3_RT_HANDSHAKE;
  451. RECORD_LAYER_inc_empty_record_count(&s->rlayer);
  452. if (RECORD_LAYER_get_empty_record_count(&s->rlayer)
  453. > MAX_EMPTY_RECORDS) {
  454. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
  455. SSL_R_UNEXPECTED_CCS_MESSAGE);
  456. return -1;
  457. }
  458. thisrr->read = 1;
  459. RECORD_LAYER_set_numrpipes(&s->rlayer, 1);
  460. return 1;
  461. }
  462. /*
  463. * KTLS reads full records. If there is any data left,
  464. * then it is from before enabling ktls
  465. */
  466. if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
  467. goto skip_decryption;
  468. /*
  469. * If in encrypt-then-mac mode calculate mac from encrypted record. All
  470. * the details below are public so no timing details can leak.
  471. */
  472. if (SSL_READ_ETM(s) && s->read_hash) {
  473. unsigned char *mac;
  474. /* TODO(size_t): convert this to do size_t properly */
  475. imac_size = EVP_MD_CTX_size(s->read_hash);
  476. if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
  477. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
  478. ERR_LIB_EVP);
  479. return -1;
  480. }
  481. mac_size = (size_t)imac_size;
  482. for (j = 0; j < num_recs; j++) {
  483. thisrr = &rr[j];
  484. if (thisrr->length < mac_size) {
  485. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
  486. SSL_R_LENGTH_TOO_SHORT);
  487. return -1;
  488. }
  489. thisrr->length -= mac_size;
  490. mac = thisrr->data + thisrr->length;
  491. i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ );
  492. if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
  493. SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
  494. SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
  495. return -1;
  496. }
  497. }
  498. }
  499. first_rec_len = rr[0].length;
  500. enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0);
  501. /*-
  502. * enc_err is:
  503. * 0: (in non-constant time) if the record is publicly invalid.
  504. * 1: if the padding is valid
  505. * -1: if the padding is invalid
  506. */
  507. if (enc_err == 0) {
  508. if (ossl_statem_in_error(s)) {
  509. /* SSLfatal() already got called */
  510. return -1;
  511. }
  512. if (num_recs == 1 && ossl_statem_skip_early_data(s)) {
  513. /*
  514. * Valid early_data that we cannot decrypt might fail here as
  515. * publicly invalid. We treat it like an empty record.
  516. */
  517. thisrr = &rr[0];
  518. if (!early_data_count_ok(s, thisrr->length,
  519. EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
  520. /* SSLfatal() already called */
  521. return -1;
  522. }
  523. thisrr->length = 0;
  524. thisrr->read = 1;
  525. RECORD_LAYER_set_numrpipes(&s->rlayer, 1);
  526. RECORD_LAYER_reset_read_sequence(&s->rlayer);
  527. return 1;
  528. }
  529. SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD,
  530. SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
  531. return -1;
  532. }
  533. OSSL_TRACE_BEGIN(TLS) {
  534. BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length);
  535. BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4);
  536. } OSSL_TRACE_END(TLS);
  537. /* r->length is now the compressed data plus mac */
  538. if ((sess != NULL) &&
  539. (s->enc_read_ctx != NULL) &&
  540. (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) {
  541. /* s->read_hash != NULL => mac_size != -1 */
  542. unsigned char *mac = NULL;
  543. unsigned char mac_tmp[EVP_MAX_MD_SIZE];
  544. mac_size = EVP_MD_CTX_size(s->read_hash);
  545. if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {
  546. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
  547. ERR_R_INTERNAL_ERROR);
  548. return -1;
  549. }
  550. for (j = 0; j < num_recs; j++) {
  551. thisrr = &rr[j];
  552. /*
  553. * orig_len is the length of the record before any padding was
  554. * removed. This is public information, as is the MAC in use,
  555. * therefore we can safely process the record in a different amount
  556. * of time if it's too short to possibly contain a MAC.
  557. */
  558. if (thisrr->orig_len < mac_size ||
  559. /* CBC records must have a padding length byte too. */
  560. (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
  561. thisrr->orig_len < mac_size + 1)) {
  562. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
  563. SSL_R_LENGTH_TOO_SHORT);
  564. return -1;
  565. }
  566. if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
  567. /*
  568. * We update the length so that the TLS header bytes can be
  569. * constructed correctly but we need to extract the MAC in
  570. * constant time from within the record, without leaking the
  571. * contents of the padding bytes.
  572. */
  573. mac = mac_tmp;
  574. if (!ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size)) {
  575. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
  576. ERR_R_INTERNAL_ERROR);
  577. return -1;
  578. }
  579. thisrr->length -= mac_size;
  580. } else {
  581. /*
  582. * In this case there's no padding, so |rec->orig_len| equals
  583. * |rec->length| and we checked that there's enough bytes for
  584. * |mac_size| above.
  585. */
  586. thisrr->length -= mac_size;
  587. mac = &thisrr->data[thisrr->length];
  588. }
  589. i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ );
  590. if (i == 0 || mac == NULL
  591. || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
  592. enc_err = -1;
  593. if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
  594. enc_err = -1;
  595. }
  596. }
  597. if (enc_err < 0) {
  598. if (ossl_statem_in_error(s)) {
  599. /* We already called SSLfatal() */
  600. return -1;
  601. }
  602. if (num_recs == 1 && ossl_statem_skip_early_data(s)) {
  603. /*
  604. * We assume this is unreadable early_data - we treat it like an
  605. * empty record
  606. */
  607. /*
  608. * The record length may have been modified by the mac check above
  609. * so we use the previously saved value
  610. */
  611. if (!early_data_count_ok(s, first_rec_len,
  612. EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
  613. /* SSLfatal() already called */
  614. return -1;
  615. }
  616. thisrr = &rr[0];
  617. thisrr->length = 0;
  618. thisrr->read = 1;
  619. RECORD_LAYER_set_numrpipes(&s->rlayer, 1);
  620. RECORD_LAYER_reset_read_sequence(&s->rlayer);
  621. return 1;
  622. }
  623. /*
  624. * A separate 'decryption_failed' alert was introduced with TLS 1.0,
  625. * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
  626. * failure is directly visible from the ciphertext anyway, we should
  627. * not reveal which kind of error occurred -- this might become
  628. * visible to an attacker (e.g. via a logfile)
  629. */
  630. SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
  631. SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
  632. return -1;
  633. }
  634. skip_decryption:
  635. for (j = 0; j < num_recs; j++) {
  636. thisrr = &rr[j];
  637. /* thisrr->length is now just compressed */
  638. if (s->expand != NULL) {
  639. if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
  640. SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
  641. SSL_R_COMPRESSED_LENGTH_TOO_LONG);
  642. return -1;
  643. }
  644. if (!ssl3_do_uncompress(s, thisrr)) {
  645. SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_F_SSL3_GET_RECORD,
  646. SSL_R_BAD_DECOMPRESSION);
  647. return -1;
  648. }
  649. }
  650. if (SSL_IS_TLS13(s)
  651. && s->enc_read_ctx != NULL
  652. && thisrr->type != SSL3_RT_ALERT) {
  653. size_t end;
  654. if (thisrr->length == 0
  655. || thisrr->type != SSL3_RT_APPLICATION_DATA) {
  656. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
  657. SSL_R_BAD_RECORD_TYPE);
  658. return -1;
  659. }
  660. /* Strip trailing padding */
  661. for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
  662. end--)
  663. continue;
  664. thisrr->length = end;
  665. thisrr->type = thisrr->data[end];
  666. if (thisrr->type != SSL3_RT_APPLICATION_DATA
  667. && thisrr->type != SSL3_RT_ALERT
  668. && thisrr->type != SSL3_RT_HANDSHAKE) {
  669. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
  670. SSL_R_BAD_RECORD_TYPE);
  671. return -1;
  672. }
  673. if (s->msg_callback)
  674. s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE,
  675. &thisrr->data[end], 1, s, s->msg_callback_arg);
  676. }
  677. /*
  678. * TLSv1.3 alert and handshake records are required to be non-zero in
  679. * length.
  680. */
  681. if (SSL_IS_TLS13(s)
  682. && (thisrr->type == SSL3_RT_HANDSHAKE
  683. || thisrr->type == SSL3_RT_ALERT)
  684. && thisrr->length == 0) {
  685. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
  686. SSL_R_BAD_LENGTH);
  687. return -1;
  688. }
  689. if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !BIO_get_ktls_recv(s->rbio)) {
  690. SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
  691. SSL_R_DATA_LENGTH_TOO_LONG);
  692. return -1;
  693. }
  694. /* If received packet overflows current Max Fragment Length setting */
  695. if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
  696. && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)
  697. && !BIO_get_ktls_recv(s->rbio)) {
  698. SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
  699. SSL_R_DATA_LENGTH_TOO_LONG);
  700. return -1;
  701. }
  702. thisrr->off = 0;
  703. /*-
  704. * So at this point the following is true
  705. * thisrr->type is the type of record
  706. * thisrr->length == number of bytes in record
  707. * thisrr->off == offset to first valid byte
  708. * thisrr->data == where to take bytes from, increment after use :-).
  709. */
  710. /* just read a 0 length packet */
  711. if (thisrr->length == 0) {
  712. RECORD_LAYER_inc_empty_record_count(&s->rlayer);
  713. if (RECORD_LAYER_get_empty_record_count(&s->rlayer)
  714. > MAX_EMPTY_RECORDS) {
  715. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
  716. SSL_R_RECORD_TOO_SMALL);
  717. return -1;
  718. }
  719. } else {
  720. RECORD_LAYER_reset_empty_record_count(&s->rlayer);
  721. }
  722. }
  723. if (s->early_data_state == SSL_EARLY_DATA_READING) {
  724. thisrr = &rr[0];
  725. if (thisrr->type == SSL3_RT_APPLICATION_DATA
  726. && !early_data_count_ok(s, thisrr->length, 0, 0)) {
  727. /* SSLfatal already called */
  728. return -1;
  729. }
  730. }
  731. RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs);
  732. return 1;
  733. }
  734. int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr)
  735. {
  736. #ifndef OPENSSL_NO_COMP
  737. int i;
  738. if (rr->comp == NULL) {
  739. rr->comp = (unsigned char *)
  740. OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
  741. }
  742. if (rr->comp == NULL)
  743. return 0;
  744. /* TODO(size_t): Convert this call */
  745. i = COMP_expand_block(ssl->expand, rr->comp,
  746. SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length);
  747. if (i < 0)
  748. return 0;
  749. else
  750. rr->length = i;
  751. rr->data = rr->comp;
  752. #endif
  753. return 1;
  754. }
  755. int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
  756. {
  757. #ifndef OPENSSL_NO_COMP
  758. int i;
  759. /* TODO(size_t): Convert this call */
  760. i = COMP_compress_block(ssl->compress, wr->data,
  761. (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD),
  762. wr->input, (int)wr->length);
  763. if (i < 0)
  764. return 0;
  765. else
  766. wr->length = i;
  767. wr->input = wr->data;
  768. #endif
  769. return 1;
  770. }
  771. /*-
  772. * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Will call
  773. * SSLfatal() for internal errors, but not otherwise.
  774. *
  775. * Returns:
  776. * 0: (in non-constant time) if the record is publically invalid (i.e. too
  777. * short etc).
  778. * 1: if the record's padding is valid / the encryption was successful.
  779. * -1: if the record's padding is invalid or, if sending, an internal error
  780. * occurred.
  781. */
  782. int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending)
  783. {
  784. SSL3_RECORD *rec;
  785. EVP_CIPHER_CTX *ds;
  786. size_t l, i;
  787. size_t bs, mac_size = 0;
  788. int imac_size;
  789. const EVP_CIPHER *enc;
  790. rec = inrecs;
  791. /*
  792. * We shouldn't ever be called with more than one record in the SSLv3 case
  793. */
  794. if (n_recs != 1)
  795. return 0;
  796. if (sending) {
  797. ds = s->enc_write_ctx;
  798. if (s->enc_write_ctx == NULL)
  799. enc = NULL;
  800. else
  801. enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
  802. } else {
  803. ds = s->enc_read_ctx;
  804. if (s->enc_read_ctx == NULL)
  805. enc = NULL;
  806. else
  807. enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
  808. }
  809. if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
  810. memmove(rec->data, rec->input, rec->length);
  811. rec->input = rec->data;
  812. } else {
  813. l = rec->length;
  814. /* TODO(size_t): Convert this call */
  815. bs = EVP_CIPHER_CTX_block_size(ds);
  816. /* COMPRESS */
  817. if ((bs != 1) && sending) {
  818. i = bs - (l % bs);
  819. /* we need to add 'i-1' padding bytes */
  820. l += i;
  821. /*
  822. * the last of these zero bytes will be overwritten with the
  823. * padding length.
  824. */
  825. memset(&rec->input[rec->length], 0, i);
  826. rec->length += i;
  827. rec->input[l - 1] = (unsigned char)(i - 1);
  828. }
  829. if (!sending) {
  830. if (l == 0 || l % bs != 0)
  831. return 0;
  832. /* otherwise, rec->length >= bs */
  833. }
  834. /* TODO(size_t): Convert this call */
  835. if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1)
  836. return -1;
  837. if (EVP_MD_CTX_md(s->read_hash) != NULL) {
  838. /* TODO(size_t): convert me */
  839. imac_size = EVP_MD_CTX_size(s->read_hash);
  840. if (imac_size < 0) {
  841. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_ENC,
  842. ERR_R_INTERNAL_ERROR);
  843. return -1;
  844. }
  845. mac_size = (size_t)imac_size;
  846. }
  847. if ((bs != 1) && !sending)
  848. return ssl3_cbc_remove_padding(rec, bs, mac_size);
  849. }
  850. return 1;
  851. }
  852. #define MAX_PADDING 256
  853. /*-
  854. * tls1_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for
  855. * internal errors, but not otherwise.
  856. *
  857. * Returns:
  858. * 0: (in non-constant time) if the record is publically invalid (i.e. too
  859. * short etc).
  860. * 1: if the record's padding is valid / the encryption was successful.
  861. * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
  862. * an internal error occurred.
  863. */
  864. int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
  865. {
  866. EVP_CIPHER_CTX *ds;
  867. size_t reclen[SSL_MAX_PIPELINES];
  868. unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
  869. int i, pad = 0, ret, tmpr;
  870. size_t bs, mac_size = 0, ctr, padnum, loop;
  871. unsigned char padval;
  872. int imac_size;
  873. const EVP_CIPHER *enc;
  874. if (n_recs == 0) {
  875. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
  876. ERR_R_INTERNAL_ERROR);
  877. return 0;
  878. }
  879. if (sending) {
  880. if (EVP_MD_CTX_md(s->write_hash)) {
  881. int n = EVP_MD_CTX_size(s->write_hash);
  882. if (!ossl_assert(n >= 0)) {
  883. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
  884. ERR_R_INTERNAL_ERROR);
  885. return -1;
  886. }
  887. }
  888. ds = s->enc_write_ctx;
  889. if (s->enc_write_ctx == NULL)
  890. enc = NULL;
  891. else {
  892. int ivlen;
  893. enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
  894. /* For TLSv1.1 and later explicit IV */
  895. if (SSL_USE_EXPLICIT_IV(s)
  896. && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
  897. ivlen = EVP_CIPHER_iv_length(enc);
  898. else
  899. ivlen = 0;
  900. if (ivlen > 1) {
  901. for (ctr = 0; ctr < n_recs; ctr++) {
  902. if (recs[ctr].data != recs[ctr].input) {
  903. /*
  904. * we can't write into the input stream: Can this ever
  905. * happen?? (steve)
  906. */
  907. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
  908. ERR_R_INTERNAL_ERROR);
  909. return -1;
  910. } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) {
  911. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
  912. ERR_R_INTERNAL_ERROR);
  913. return -1;
  914. }
  915. }
  916. }
  917. }
  918. } else {
  919. if (EVP_MD_CTX_md(s->read_hash)) {
  920. int n = EVP_MD_CTX_size(s->read_hash);
  921. if (!ossl_assert(n >= 0)) {
  922. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
  923. ERR_R_INTERNAL_ERROR);
  924. return -1;
  925. }
  926. }
  927. ds = s->enc_read_ctx;
  928. if (s->enc_read_ctx == NULL)
  929. enc = NULL;
  930. else
  931. enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
  932. }
  933. if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
  934. for (ctr = 0; ctr < n_recs; ctr++) {
  935. memmove(recs[ctr].data, recs[ctr].input, recs[ctr].length);
  936. recs[ctr].input = recs[ctr].data;
  937. }
  938. ret = 1;
  939. } else {
  940. bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_cipher(ds));
  941. if (n_recs > 1) {
  942. if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
  943. & EVP_CIPH_FLAG_PIPELINE)) {
  944. /*
  945. * We shouldn't have been called with pipeline data if the
  946. * cipher doesn't support pipelining
  947. */
  948. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
  949. SSL_R_PIPELINE_FAILURE);
  950. return -1;
  951. }
  952. }
  953. for (ctr = 0; ctr < n_recs; ctr++) {
  954. reclen[ctr] = recs[ctr].length;
  955. if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
  956. & EVP_CIPH_FLAG_AEAD_CIPHER) {
  957. unsigned char *seq;
  958. seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
  959. : RECORD_LAYER_get_read_sequence(&s->rlayer);
  960. if (SSL_IS_DTLS(s)) {
  961. /* DTLS does not support pipelining */
  962. unsigned char dtlsseq[9], *p = dtlsseq;
  963. s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
  964. DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
  965. memcpy(p, &seq[2], 6);
  966. memcpy(buf[ctr], dtlsseq, 8);
  967. } else {
  968. memcpy(buf[ctr], seq, 8);
  969. for (i = 7; i >= 0; i--) { /* increment */
  970. ++seq[i];
  971. if (seq[i] != 0)
  972. break;
  973. }
  974. }
  975. buf[ctr][8] = recs[ctr].type;
  976. buf[ctr][9] = (unsigned char)(s->version >> 8);
  977. buf[ctr][10] = (unsigned char)(s->version);
  978. buf[ctr][11] = (unsigned char)(recs[ctr].length >> 8);
  979. buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff);
  980. pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
  981. EVP_AEAD_TLS1_AAD_LEN, buf[ctr]);
  982. if (pad <= 0) {
  983. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
  984. ERR_R_INTERNAL_ERROR);
  985. return -1;
  986. }
  987. if (sending) {
  988. reclen[ctr] += pad;
  989. recs[ctr].length += pad;
  990. }
  991. } else if ((bs != 1) && sending) {
  992. padnum = bs - (reclen[ctr] % bs);
  993. /* Add weird padding of upto 256 bytes */
  994. if (padnum > MAX_PADDING) {
  995. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
  996. ERR_R_INTERNAL_ERROR);
  997. return -1;
  998. }
  999. /* we need to add 'padnum' padding bytes of value padval */
  1000. padval = (unsigned char)(padnum - 1);
  1001. for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++)
  1002. recs[ctr].input[loop] = padval;
  1003. reclen[ctr] += padnum;
  1004. recs[ctr].length += padnum;
  1005. }
  1006. if (!sending) {
  1007. if (reclen[ctr] == 0 || reclen[ctr] % bs != 0)
  1008. return 0;
  1009. }
  1010. }
  1011. if (n_recs > 1) {
  1012. unsigned char *data[SSL_MAX_PIPELINES];
  1013. /* Set the output buffers */
  1014. for (ctr = 0; ctr < n_recs; ctr++) {
  1015. data[ctr] = recs[ctr].data;
  1016. }
  1017. if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
  1018. (int)n_recs, data) <= 0) {
  1019. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
  1020. SSL_R_PIPELINE_FAILURE);
  1021. return -1;
  1022. }
  1023. /* Set the input buffers */
  1024. for (ctr = 0; ctr < n_recs; ctr++) {
  1025. data[ctr] = recs[ctr].input;
  1026. }
  1027. if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS,
  1028. (int)n_recs, data) <= 0
  1029. || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
  1030. (int)n_recs, reclen) <= 0) {
  1031. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
  1032. SSL_R_PIPELINE_FAILURE);
  1033. return -1;
  1034. }
  1035. }
  1036. /* TODO(size_t): Convert this call */
  1037. tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
  1038. (unsigned int)reclen[0]);
  1039. if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
  1040. & EVP_CIPH_FLAG_CUSTOM_CIPHER)
  1041. ? (tmpr < 0)
  1042. : (tmpr == 0))
  1043. return -1; /* AEAD can fail to verify MAC */
  1044. if (sending == 0) {
  1045. if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) {
  1046. for (ctr = 0; ctr < n_recs; ctr++) {
  1047. recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1048. recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1049. recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1050. }
  1051. } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) {
  1052. for (ctr = 0; ctr < n_recs; ctr++) {
  1053. recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1054. recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1055. recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1056. }
  1057. }
  1058. }
  1059. ret = 1;
  1060. if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) {
  1061. imac_size = EVP_MD_CTX_size(s->read_hash);
  1062. if (imac_size < 0) {
  1063. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
  1064. ERR_R_INTERNAL_ERROR);
  1065. return -1;
  1066. }
  1067. mac_size = (size_t)imac_size;
  1068. }
  1069. if ((bs != 1) && !sending) {
  1070. int tmpret;
  1071. for (ctr = 0; ctr < n_recs; ctr++) {
  1072. tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size);
  1073. /*
  1074. * If tmpret == 0 then this means publicly invalid so we can
  1075. * short circuit things here. Otherwise we must respect constant
  1076. * time behaviour.
  1077. */
  1078. if (tmpret == 0)
  1079. return 0;
  1080. ret = constant_time_select_int(constant_time_eq_int(tmpret, 1),
  1081. ret, -1);
  1082. }
  1083. }
  1084. if (pad && !sending) {
  1085. for (ctr = 0; ctr < n_recs; ctr++) {
  1086. recs[ctr].length -= pad;
  1087. }
  1088. }
  1089. }
  1090. return ret;
  1091. }
  1092. int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
  1093. {
  1094. unsigned char *mac_sec, *seq;
  1095. const EVP_MD_CTX *hash;
  1096. unsigned char *p, rec_char;
  1097. size_t md_size;
  1098. size_t npad;
  1099. int t;
  1100. if (sending) {
  1101. mac_sec = &(ssl->s3.write_mac_secret[0]);
  1102. seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
  1103. hash = ssl->write_hash;
  1104. } else {
  1105. mac_sec = &(ssl->s3.read_mac_secret[0]);
  1106. seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
  1107. hash = ssl->read_hash;
  1108. }
  1109. t = EVP_MD_CTX_size(hash);
  1110. if (t < 0)
  1111. return 0;
  1112. md_size = t;
  1113. npad = (48 / md_size) * md_size;
  1114. if (!sending &&
  1115. EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
  1116. ssl3_cbc_record_digest_supported(hash)) {
  1117. /*
  1118. * This is a CBC-encrypted record. We must avoid leaking any
  1119. * timing-side channel information about how many blocks of data we
  1120. * are hashing because that gives an attacker a timing-oracle.
  1121. */
  1122. /*-
  1123. * npad is, at most, 48 bytes and that's with MD5:
  1124. * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
  1125. *
  1126. * With SHA-1 (the largest hash speced for SSLv3) the hash size
  1127. * goes up 4, but npad goes down by 8, resulting in a smaller
  1128. * total size.
  1129. */
  1130. unsigned char header[75];
  1131. size_t j = 0;
  1132. memcpy(header + j, mac_sec, md_size);
  1133. j += md_size;
  1134. memcpy(header + j, ssl3_pad_1, npad);
  1135. j += npad;
  1136. memcpy(header + j, seq, 8);
  1137. j += 8;
  1138. header[j++] = rec->type;
  1139. header[j++] = (unsigned char)(rec->length >> 8);
  1140. header[j++] = (unsigned char)(rec->length & 0xff);
  1141. /* Final param == is SSLv3 */
  1142. if (ssl3_cbc_digest_record(hash,
  1143. md, &md_size,
  1144. header, rec->input,
  1145. rec->length + md_size, rec->orig_len,
  1146. mac_sec, md_size, 1) <= 0)
  1147. return 0;
  1148. } else {
  1149. unsigned int md_size_u;
  1150. /* Chop the digest off the end :-) */
  1151. EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
  1152. if (md_ctx == NULL)
  1153. return 0;
  1154. rec_char = rec->type;
  1155. p = md;
  1156. s2n(rec->length, p);
  1157. if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
  1158. || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
  1159. || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
  1160. || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
  1161. || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
  1162. || EVP_DigestUpdate(md_ctx, md, 2) <= 0
  1163. || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
  1164. || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
  1165. || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
  1166. || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
  1167. || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
  1168. || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
  1169. || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
  1170. EVP_MD_CTX_free(md_ctx);
  1171. return 0;
  1172. }
  1173. EVP_MD_CTX_free(md_ctx);
  1174. }
  1175. ssl3_record_sequence_update(seq);
  1176. return 1;
  1177. }
  1178. int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
  1179. {
  1180. unsigned char *seq;
  1181. EVP_MD_CTX *hash;
  1182. size_t md_size;
  1183. int i;
  1184. EVP_MD_CTX *hmac = NULL, *mac_ctx;
  1185. unsigned char header[13];
  1186. int stream_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
  1187. : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
  1188. int t;
  1189. if (sending) {
  1190. seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
  1191. hash = ssl->write_hash;
  1192. } else {
  1193. seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
  1194. hash = ssl->read_hash;
  1195. }
  1196. t = EVP_MD_CTX_size(hash);
  1197. if (!ossl_assert(t >= 0))
  1198. return 0;
  1199. md_size = t;
  1200. /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
  1201. if (stream_mac) {
  1202. mac_ctx = hash;
  1203. } else {
  1204. hmac = EVP_MD_CTX_new();
  1205. if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) {
  1206. EVP_MD_CTX_free(hmac);
  1207. return 0;
  1208. }
  1209. mac_ctx = hmac;
  1210. }
  1211. if (SSL_IS_DTLS(ssl)) {
  1212. unsigned char dtlsseq[8], *p = dtlsseq;
  1213. s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
  1214. DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
  1215. memcpy(p, &seq[2], 6);
  1216. memcpy(header, dtlsseq, 8);
  1217. } else
  1218. memcpy(header, seq, 8);
  1219. header[8] = rec->type;
  1220. header[9] = (unsigned char)(ssl->version >> 8);
  1221. header[10] = (unsigned char)(ssl->version);
  1222. header[11] = (unsigned char)(rec->length >> 8);
  1223. header[12] = (unsigned char)(rec->length & 0xff);
  1224. if (!sending && !SSL_READ_ETM(ssl) &&
  1225. EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
  1226. ssl3_cbc_record_digest_supported(mac_ctx)) {
  1227. /*
  1228. * This is a CBC-encrypted record. We must avoid leaking any
  1229. * timing-side channel information about how many blocks of data we
  1230. * are hashing because that gives an attacker a timing-oracle.
  1231. */
  1232. /* Final param == not SSLv3 */
  1233. if (ssl3_cbc_digest_record(mac_ctx,
  1234. md, &md_size,
  1235. header, rec->input,
  1236. rec->length + md_size, rec->orig_len,
  1237. ssl->s3.read_mac_secret,
  1238. ssl->s3.read_mac_secret_size, 0) <= 0) {
  1239. EVP_MD_CTX_free(hmac);
  1240. return 0;
  1241. }
  1242. } else {
  1243. /* TODO(size_t): Convert these calls */
  1244. if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
  1245. || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
  1246. || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
  1247. EVP_MD_CTX_free(hmac);
  1248. return 0;
  1249. }
  1250. }
  1251. EVP_MD_CTX_free(hmac);
  1252. OSSL_TRACE_BEGIN(TLS) {
  1253. BIO_printf(trc_out, "seq:\n");
  1254. BIO_dump_indent(trc_out, seq, 8, 4);
  1255. BIO_printf(trc_out, "rec:\n");
  1256. BIO_dump_indent(trc_out, rec->data, rec->length, 4);
  1257. } OSSL_TRACE_END(TLS);
  1258. if (!SSL_IS_DTLS(ssl)) {
  1259. for (i = 7; i >= 0; i--) {
  1260. ++seq[i];
  1261. if (seq[i] != 0)
  1262. break;
  1263. }
  1264. }
  1265. OSSL_TRACE_BEGIN(TLS) {
  1266. BIO_printf(trc_out, "md:\n");
  1267. BIO_dump_indent(trc_out, md, md_size, 4);
  1268. } OSSL_TRACE_END(TLS);
  1269. return 1;
  1270. }
  1271. /*-
  1272. * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
  1273. * record in |rec| by updating |rec->length| in constant time.
  1274. *
  1275. * block_size: the block size of the cipher used to encrypt the record.
  1276. * returns:
  1277. * 0: (in non-constant time) if the record is publicly invalid.
  1278. * 1: if the padding was valid
  1279. * -1: otherwise.
  1280. */
  1281. int ssl3_cbc_remove_padding(SSL3_RECORD *rec,
  1282. size_t block_size, size_t mac_size)
  1283. {
  1284. size_t padding_length;
  1285. size_t good;
  1286. const size_t overhead = 1 /* padding length byte */ + mac_size;
  1287. /*
  1288. * These lengths are all public so we can test them in non-constant time.
  1289. */
  1290. if (overhead > rec->length)
  1291. return 0;
  1292. padding_length = rec->data[rec->length - 1];
  1293. good = constant_time_ge_s(rec->length, padding_length + overhead);
  1294. /* SSLv3 requires that the padding is minimal. */
  1295. good &= constant_time_ge_s(block_size, padding_length + 1);
  1296. rec->length -= good & (padding_length + 1);
  1297. return constant_time_select_int_s(good, 1, -1);
  1298. }
  1299. /*-
  1300. * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
  1301. * record in |rec| in constant time and returns 1 if the padding is valid and
  1302. * -1 otherwise. It also removes any explicit IV from the start of the record
  1303. * without leaking any timing about whether there was enough space after the
  1304. * padding was removed.
  1305. *
  1306. * block_size: the block size of the cipher used to encrypt the record.
  1307. * returns:
  1308. * 0: (in non-constant time) if the record is publicly invalid.
  1309. * 1: if the padding was valid
  1310. * -1: otherwise.
  1311. */
  1312. int tls1_cbc_remove_padding(const SSL *s,
  1313. SSL3_RECORD *rec,
  1314. size_t block_size, size_t mac_size)
  1315. {
  1316. size_t good;
  1317. size_t padding_length, to_check, i;
  1318. const size_t overhead = 1 /* padding length byte */ + mac_size;
  1319. /* Check if version requires explicit IV */
  1320. if (SSL_USE_EXPLICIT_IV(s)) {
  1321. /*
  1322. * These lengths are all public so we can test them in non-constant
  1323. * time.
  1324. */
  1325. if (overhead + block_size > rec->length)
  1326. return 0;
  1327. /* We can now safely skip explicit IV */
  1328. rec->data += block_size;
  1329. rec->input += block_size;
  1330. rec->length -= block_size;
  1331. rec->orig_len -= block_size;
  1332. } else if (overhead > rec->length)
  1333. return 0;
  1334. padding_length = rec->data[rec->length - 1];
  1335. if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) &
  1336. EVP_CIPH_FLAG_AEAD_CIPHER) {
  1337. /* padding is already verified */
  1338. rec->length -= padding_length + 1;
  1339. return 1;
  1340. }
  1341. good = constant_time_ge_s(rec->length, overhead + padding_length);
  1342. /*
  1343. * The padding consists of a length byte at the end of the record and
  1344. * then that many bytes of padding, all with the same value as the length
  1345. * byte. Thus, with the length byte included, there are i+1 bytes of
  1346. * padding. We can't check just |padding_length+1| bytes because that
  1347. * leaks decrypted information. Therefore we always have to check the
  1348. * maximum amount of padding possible. (Again, the length of the record
  1349. * is public information so we can use it.)
  1350. */
  1351. to_check = 256; /* maximum amount of padding, inc length byte. */
  1352. if (to_check > rec->length)
  1353. to_check = rec->length;
  1354. for (i = 0; i < to_check; i++) {
  1355. unsigned char mask = constant_time_ge_8_s(padding_length, i);
  1356. unsigned char b = rec->data[rec->length - 1 - i];
  1357. /*
  1358. * The final |padding_length+1| bytes should all have the value
  1359. * |padding_length|. Therefore the XOR should be zero.
  1360. */
  1361. good &= ~(mask & (padding_length ^ b));
  1362. }
  1363. /*
  1364. * If any of the final |padding_length+1| bytes had the wrong value, one
  1365. * or more of the lower eight bits of |good| will be cleared.
  1366. */
  1367. good = constant_time_eq_s(0xff, good & 0xff);
  1368. rec->length -= good & (padding_length + 1);
  1369. return constant_time_select_int_s(good, 1, -1);
  1370. }
  1371. /*-
  1372. * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
  1373. * constant time (independent of the concrete value of rec->length, which may
  1374. * vary within a 256-byte window).
  1375. *
  1376. * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
  1377. * this function.
  1378. *
  1379. * On entry:
  1380. * rec->orig_len >= md_size
  1381. * md_size <= EVP_MAX_MD_SIZE
  1382. *
  1383. * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
  1384. * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
  1385. * a single or pair of cache-lines, then the variable memory accesses don't
  1386. * actually affect the timing. CPUs with smaller cache-lines [if any] are
  1387. * not multi-core and are not considered vulnerable to cache-timing attacks.
  1388. */
  1389. #define CBC_MAC_ROTATE_IN_PLACE
  1390. int ssl3_cbc_copy_mac(unsigned char *out,
  1391. const SSL3_RECORD *rec, size_t md_size)
  1392. {
  1393. #if defined(CBC_MAC_ROTATE_IN_PLACE)
  1394. unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
  1395. unsigned char *rotated_mac;
  1396. #else
  1397. unsigned char rotated_mac[EVP_MAX_MD_SIZE];
  1398. #endif
  1399. /*
  1400. * mac_end is the index of |rec->data| just after the end of the MAC.
  1401. */
  1402. size_t mac_end = rec->length;
  1403. size_t mac_start = mac_end - md_size;
  1404. size_t in_mac;
  1405. /*
  1406. * scan_start contains the number of bytes that we can ignore because the
  1407. * MAC's position can only vary by 255 bytes.
  1408. */
  1409. size_t scan_start = 0;
  1410. size_t i, j;
  1411. size_t rotate_offset;
  1412. if (!ossl_assert(rec->orig_len >= md_size
  1413. && md_size <= EVP_MAX_MD_SIZE))
  1414. return 0;
  1415. #if defined(CBC_MAC_ROTATE_IN_PLACE)
  1416. rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
  1417. #endif
  1418. /* This information is public so it's safe to branch based on it. */
  1419. if (rec->orig_len > md_size + 255 + 1)
  1420. scan_start = rec->orig_len - (md_size + 255 + 1);
  1421. in_mac = 0;
  1422. rotate_offset = 0;
  1423. memset(rotated_mac, 0, md_size);
  1424. for (i = scan_start, j = 0; i < rec->orig_len; i++) {
  1425. size_t mac_started = constant_time_eq_s(i, mac_start);
  1426. size_t mac_ended = constant_time_lt_s(i, mac_end);
  1427. unsigned char b = rec->data[i];
  1428. in_mac |= mac_started;
  1429. in_mac &= mac_ended;
  1430. rotate_offset |= j & mac_started;
  1431. rotated_mac[j++] |= b & in_mac;
  1432. j &= constant_time_lt_s(j, md_size);
  1433. }
  1434. /* Now rotate the MAC */
  1435. #if defined(CBC_MAC_ROTATE_IN_PLACE)
  1436. j = 0;
  1437. for (i = 0; i < md_size; i++) {
  1438. /* in case cache-line is 32 bytes, touch second line */
  1439. ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
  1440. out[j++] = rotated_mac[rotate_offset++];
  1441. rotate_offset &= constant_time_lt_s(rotate_offset, md_size);
  1442. }
  1443. #else
  1444. memset(out, 0, md_size);
  1445. rotate_offset = md_size - rotate_offset;
  1446. rotate_offset &= constant_time_lt_s(rotate_offset, md_size);
  1447. for (i = 0; i < md_size; i++) {
  1448. for (j = 0; j < md_size; j++)
  1449. out[j] |= rotated_mac[i] & constant_time_eq_8_s(j, rotate_offset);
  1450. rotate_offset++;
  1451. rotate_offset &= constant_time_lt_s(rotate_offset, md_size);
  1452. }
  1453. #endif
  1454. return 1;
  1455. }
  1456. int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
  1457. {
  1458. int i;
  1459. int enc_err;
  1460. SSL_SESSION *sess;
  1461. SSL3_RECORD *rr;
  1462. int imac_size;
  1463. size_t mac_size;
  1464. unsigned char md[EVP_MAX_MD_SIZE];
  1465. rr = RECORD_LAYER_get_rrec(&s->rlayer);
  1466. sess = s->session;
  1467. /*
  1468. * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
  1469. * and we have that many bytes in s->packet
  1470. */
  1471. rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]);
  1472. /*
  1473. * ok, we can now read from 's->packet' data into 'rr' rr->input points
  1474. * at rr->length bytes, which need to be copied into rr->data by either
  1475. * the decryption or by the decompression When the data is 'copied' into
  1476. * the rr->data buffer, rr->input will be pointed at the new buffer
  1477. */
  1478. /*
  1479. * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
  1480. * bytes of encrypted compressed stuff.
  1481. */
  1482. /* check is not needed I believe */
  1483. if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
  1484. SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
  1485. SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
  1486. return 0;
  1487. }
  1488. /* decrypt in place in 'rr->input' */
  1489. rr->data = rr->input;
  1490. rr->orig_len = rr->length;
  1491. if (SSL_READ_ETM(s) && s->read_hash) {
  1492. unsigned char *mac;
  1493. mac_size = EVP_MD_CTX_size(s->read_hash);
  1494. if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {
  1495. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
  1496. ERR_R_INTERNAL_ERROR);
  1497. return 0;
  1498. }
  1499. if (rr->orig_len < mac_size) {
  1500. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
  1501. SSL_R_LENGTH_TOO_SHORT);
  1502. return 0;
  1503. }
  1504. rr->length -= mac_size;
  1505. mac = rr->data + rr->length;
  1506. i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
  1507. if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
  1508. SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_DTLS1_PROCESS_RECORD,
  1509. SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
  1510. return 0;
  1511. }
  1512. }
  1513. enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0);
  1514. /*-
  1515. * enc_err is:
  1516. * 0: (in non-constant time) if the record is publically invalid.
  1517. * 1: if the padding is valid
  1518. * -1: if the padding is invalid
  1519. */
  1520. if (enc_err == 0) {
  1521. if (ossl_statem_in_error(s)) {
  1522. /* SSLfatal() got called */
  1523. return 0;
  1524. }
  1525. /* For DTLS we simply ignore bad packets. */
  1526. rr->length = 0;
  1527. RECORD_LAYER_reset_packet_length(&s->rlayer);
  1528. return 0;
  1529. }
  1530. OSSL_TRACE_BEGIN(TLS) {
  1531. BIO_printf(trc_out, "dec %zd\n", rr->length);
  1532. BIO_dump_indent(trc_out, rr->data, rr->length, 4);
  1533. } OSSL_TRACE_END(TLS);
  1534. /* r->length is now the compressed data plus mac */
  1535. if ((sess != NULL) && !SSL_READ_ETM(s) &&
  1536. (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
  1537. /* s->read_hash != NULL => mac_size != -1 */
  1538. unsigned char *mac = NULL;
  1539. unsigned char mac_tmp[EVP_MAX_MD_SIZE];
  1540. /* TODO(size_t): Convert this to do size_t properly */
  1541. imac_size = EVP_MD_CTX_size(s->read_hash);
  1542. if (imac_size < 0) {
  1543. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
  1544. ERR_LIB_EVP);
  1545. return 0;
  1546. }
  1547. mac_size = (size_t)imac_size;
  1548. if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {
  1549. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
  1550. ERR_R_INTERNAL_ERROR);
  1551. return 0;
  1552. }
  1553. /*
  1554. * orig_len is the length of the record before any padding was
  1555. * removed. This is public information, as is the MAC in use,
  1556. * therefore we can safely process the record in a different amount
  1557. * of time if it's too short to possibly contain a MAC.
  1558. */
  1559. if (rr->orig_len < mac_size ||
  1560. /* CBC records must have a padding length byte too. */
  1561. (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
  1562. rr->orig_len < mac_size + 1)) {
  1563. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
  1564. SSL_R_LENGTH_TOO_SHORT);
  1565. return 0;
  1566. }
  1567. if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
  1568. /*
  1569. * We update the length so that the TLS header bytes can be
  1570. * constructed correctly but we need to extract the MAC in
  1571. * constant time from within the record, without leaking the
  1572. * contents of the padding bytes.
  1573. */
  1574. mac = mac_tmp;
  1575. if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) {
  1576. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
  1577. ERR_R_INTERNAL_ERROR);
  1578. return 0;
  1579. }
  1580. rr->length -= mac_size;
  1581. } else {
  1582. /*
  1583. * In this case there's no padding, so |rec->orig_len| equals
  1584. * |rec->length| and we checked that there's enough bytes for
  1585. * |mac_size| above.
  1586. */
  1587. rr->length -= mac_size;
  1588. mac = &rr->data[rr->length];
  1589. }
  1590. i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
  1591. if (i == 0 || mac == NULL
  1592. || CRYPTO_memcmp(md, mac, mac_size) != 0)
  1593. enc_err = -1;
  1594. if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
  1595. enc_err = -1;
  1596. }
  1597. if (enc_err < 0) {
  1598. /* decryption failed, silently discard message */
  1599. rr->length = 0;
  1600. RECORD_LAYER_reset_packet_length(&s->rlayer);
  1601. return 0;
  1602. }
  1603. /* r->length is now just compressed */
  1604. if (s->expand != NULL) {
  1605. if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
  1606. SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
  1607. SSL_R_COMPRESSED_LENGTH_TOO_LONG);
  1608. return 0;
  1609. }
  1610. if (!ssl3_do_uncompress(s, rr)) {
  1611. SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE,
  1612. SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
  1613. return 0;
  1614. }
  1615. }
  1616. if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
  1617. SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
  1618. SSL_R_DATA_LENGTH_TOO_LONG);
  1619. return 0;
  1620. }
  1621. rr->off = 0;
  1622. /*-
  1623. * So at this point the following is true
  1624. * ssl->s3.rrec.type is the type of record
  1625. * ssl->s3.rrec.length == number of bytes in record
  1626. * ssl->s3.rrec.off == offset to first valid byte
  1627. * ssl->s3.rrec.data == where to take bytes from, increment
  1628. * after use :-).
  1629. */
  1630. /* we have pulled in a full packet so zero things */
  1631. RECORD_LAYER_reset_packet_length(&s->rlayer);
  1632. /* Mark receipt of record. */
  1633. dtls1_record_bitmap_update(s, bitmap);
  1634. return 1;
  1635. }
  1636. /*
  1637. * Retrieve a buffered record that belongs to the current epoch, i.e. processed
  1638. */
  1639. #define dtls1_get_processed_record(s) \
  1640. dtls1_retrieve_buffered_record((s), \
  1641. &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer)))
  1642. /*-
  1643. * Call this to get a new input record.
  1644. * It will return <= 0 if more data is needed, normally due to an error
  1645. * or non-blocking IO.
  1646. * When it finishes, one packet has been decoded and can be found in
  1647. * ssl->s3.rrec.type - is the type of record
  1648. * ssl->s3.rrec.data - data
  1649. * ssl->s3.rrec.length - number of bytes
  1650. */
  1651. /* used only by dtls1_read_bytes */
  1652. int dtls1_get_record(SSL *s)
  1653. {
  1654. int ssl_major, ssl_minor;
  1655. int rret;
  1656. size_t more, n;
  1657. SSL3_RECORD *rr;
  1658. unsigned char *p = NULL;
  1659. unsigned short version;
  1660. DTLS1_BITMAP *bitmap;
  1661. unsigned int is_next_epoch;
  1662. rr = RECORD_LAYER_get_rrec(&s->rlayer);
  1663. again:
  1664. /*
  1665. * The epoch may have changed. If so, process all the pending records.
  1666. * This is a non-blocking operation.
  1667. */
  1668. if (!dtls1_process_buffered_records(s)) {
  1669. /* SSLfatal() already called */
  1670. return -1;
  1671. }
  1672. /* if we're renegotiating, then there may be buffered records */
  1673. if (dtls1_get_processed_record(s))
  1674. return 1;
  1675. /* get something from the wire */
  1676. /* check if we have the header */
  1677. if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
  1678. (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) {
  1679. rret = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
  1680. SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1, &n);
  1681. /* read timeout is handled by dtls1_read_bytes */
  1682. if (rret <= 0) {
  1683. /* SSLfatal() already called if appropriate */
  1684. return rret; /* error or non-blocking */
  1685. }
  1686. /* this packet contained a partial record, dump it */
  1687. if (RECORD_LAYER_get_packet_length(&s->rlayer) !=
  1688. DTLS1_RT_HEADER_LENGTH) {
  1689. RECORD_LAYER_reset_packet_length(&s->rlayer);
  1690. goto again;
  1691. }
  1692. RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
  1693. p = RECORD_LAYER_get_packet(&s->rlayer);
  1694. if (s->msg_callback)
  1695. s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
  1696. s, s->msg_callback_arg);
  1697. /* Pull apart the header into the DTLS1_RECORD */
  1698. rr->type = *(p++);
  1699. ssl_major = *(p++);
  1700. ssl_minor = *(p++);
  1701. version = (ssl_major << 8) | ssl_minor;
  1702. /* sequence number is 64 bits, with top 2 bytes = epoch */
  1703. n2s(p, rr->epoch);
  1704. memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6);
  1705. p += 6;
  1706. n2s(p, rr->length);
  1707. rr->read = 0;
  1708. /*
  1709. * Lets check the version. We tolerate alerts that don't have the exact
  1710. * version number (e.g. because of protocol version errors)
  1711. */
  1712. if (!s->first_packet && rr->type != SSL3_RT_ALERT) {
  1713. if (version != s->version) {
  1714. /* unexpected version, silently discard */
  1715. rr->length = 0;
  1716. rr->read = 1;
  1717. RECORD_LAYER_reset_packet_length(&s->rlayer);
  1718. goto again;
  1719. }
  1720. }
  1721. if ((version & 0xff00) != (s->version & 0xff00)) {
  1722. /* wrong version, silently discard record */
  1723. rr->length = 0;
  1724. rr->read = 1;
  1725. RECORD_LAYER_reset_packet_length(&s->rlayer);
  1726. goto again;
  1727. }
  1728. if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
  1729. /* record too long, silently discard it */
  1730. rr->length = 0;
  1731. rr->read = 1;
  1732. RECORD_LAYER_reset_packet_length(&s->rlayer);
  1733. goto again;
  1734. }
  1735. /* If received packet overflows own-client Max Fragment Length setting */
  1736. if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
  1737. && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) {
  1738. /* record too long, silently discard it */
  1739. rr->length = 0;
  1740. rr->read = 1;
  1741. RECORD_LAYER_reset_packet_length(&s->rlayer);
  1742. goto again;
  1743. }
  1744. /* now s->rlayer.rstate == SSL_ST_READ_BODY */
  1745. }
  1746. /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
  1747. if (rr->length >
  1748. RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) {
  1749. /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
  1750. more = rr->length;
  1751. rret = ssl3_read_n(s, more, more, 1, 1, &n);
  1752. /* this packet contained a partial record, dump it */
  1753. if (rret <= 0 || n != more) {
  1754. if (ossl_statem_in_error(s)) {
  1755. /* ssl3_read_n() called SSLfatal() */
  1756. return -1;
  1757. }
  1758. rr->length = 0;
  1759. rr->read = 1;
  1760. RECORD_LAYER_reset_packet_length(&s->rlayer);
  1761. goto again;
  1762. }
  1763. /*
  1764. * now n == rr->length, and s->packet_length ==
  1765. * DTLS1_RT_HEADER_LENGTH + rr->length
  1766. */
  1767. }
  1768. /* set state for later operations */
  1769. RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
  1770. /* match epochs. NULL means the packet is dropped on the floor */
  1771. bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
  1772. if (bitmap == NULL) {
  1773. rr->length = 0;
  1774. RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
  1775. goto again; /* get another record */
  1776. }
  1777. #ifndef OPENSSL_NO_SCTP
  1778. /* Only do replay check if no SCTP bio */
  1779. if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
  1780. #endif
  1781. /* Check whether this is a repeat, or aged record. */
  1782. /*
  1783. * TODO: Does it make sense to have replay protection in epoch 0 where
  1784. * we have no integrity negotiated yet?
  1785. */
  1786. if (!dtls1_record_replay_check(s, bitmap)) {
  1787. rr->length = 0;
  1788. rr->read = 1;
  1789. RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
  1790. goto again; /* get another record */
  1791. }
  1792. #ifndef OPENSSL_NO_SCTP
  1793. }
  1794. #endif
  1795. /* just read a 0 length packet */
  1796. if (rr->length == 0) {
  1797. rr->read = 1;
  1798. goto again;
  1799. }
  1800. /*
  1801. * If this record is from the next epoch (either HM or ALERT), and a
  1802. * handshake is currently in progress, buffer it since it cannot be
  1803. * processed at this time.
  1804. */
  1805. if (is_next_epoch) {
  1806. if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) {
  1807. if (dtls1_buffer_record (s,
  1808. &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
  1809. rr->seq_num) < 0) {
  1810. /* SSLfatal() already called */
  1811. return -1;
  1812. }
  1813. }
  1814. rr->length = 0;
  1815. rr->read = 1;
  1816. RECORD_LAYER_reset_packet_length(&s->rlayer);
  1817. goto again;
  1818. }
  1819. if (!dtls1_process_record(s, bitmap)) {
  1820. if (ossl_statem_in_error(s)) {
  1821. /* dtls1_process_record() called SSLfatal */
  1822. return -1;
  1823. }
  1824. rr->length = 0;
  1825. rr->read = 1;
  1826. RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
  1827. goto again; /* get another record */
  1828. }
  1829. return 1;
  1830. }
  1831. int dtls_buffer_listen_record(SSL *s, size_t len, unsigned char *seq, size_t off)
  1832. {
  1833. SSL3_RECORD *rr;
  1834. rr = RECORD_LAYER_get_rrec(&s->rlayer);
  1835. memset(rr, 0, sizeof(SSL3_RECORD));
  1836. rr->length = len;
  1837. rr->type = SSL3_RT_HANDSHAKE;
  1838. memcpy(rr->seq_num, seq, sizeof(rr->seq_num));
  1839. rr->off = off;
  1840. s->rlayer.packet = RECORD_LAYER_get_rbuf(&s->rlayer)->buf;
  1841. s->rlayer.packet_length = DTLS1_RT_HEADER_LENGTH + len;
  1842. rr->data = s->rlayer.packet + DTLS1_RT_HEADER_LENGTH;
  1843. if (dtls1_buffer_record(s, &(s->rlayer.d->processed_rcds),
  1844. SSL3_RECORD_get_seq_num(s->rlayer.rrec)) <= 0) {
  1845. /* SSLfatal() already called */
  1846. return 0;
  1847. }
  1848. return 1;
  1849. }