source: EcnlProtoTool/trunk/openssl-1.1.0e/ssl/record/ssl3_record.c

Last change on this file was 331, checked in by coas-nagasima, 6 years ago

prototoolに関連するプロジェクトをnewlibからmuslを使うよう変更・更新
ntshellをnewlibの下位の実装から、muslのsyscallの実装に変更・更新
以下のOSSをアップデート
・mruby-1.3.0
・musl-1.1.18
・onigmo-6.1.3
・tcc-0.9.27
以下のOSSを追加
・openssl-1.1.0e
・curl-7.57.0
・zlib-1.2.11
以下のmrbgemsを追加
・iij/mruby-digest
・iij/mruby-env
・iij/mruby-errno
・iij/mruby-iijson
・iij/mruby-ipaddr
・iij/mruby-mock
・iij/mruby-require
・iij/mruby-tls-openssl
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-csrc
File size: 54.9 KB
Line 
1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <assert.h>
11#include "../ssl_locl.h"
12#include "internal/constant_time_locl.h"
13#include <openssl/rand.h>
14#include "record_locl.h"
15
16static const unsigned char ssl3_pad_1[48] = {
17 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
18 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
19 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
20 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
21 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
22 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
23};
24
25static const unsigned char ssl3_pad_2[48] = {
26 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
27 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
28 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
29 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
30 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
31 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
32};
33
34/*
35 * Clear the contents of an SSL3_RECORD but retain any memory allocated
36 */
37void SSL3_RECORD_clear(SSL3_RECORD *r, unsigned int num_recs)
38{
39 unsigned char *comp;
40 unsigned int i;
41
42 for (i = 0; i < num_recs; i++) {
43 comp = r[i].comp;
44
45 memset(&r[i], 0, sizeof(*r));
46 r[i].comp = comp;
47 }
48}
49
50void SSL3_RECORD_release(SSL3_RECORD *r, unsigned int num_recs)
51{
52 unsigned int i;
53
54 for (i = 0; i < num_recs; i++) {
55 OPENSSL_free(r[i].comp);
56 r[i].comp = NULL;
57 }
58}
59
60void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
61{
62 memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
63}
64
65/*
66 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
67 * for us in the buffer.
68 */
69static int ssl3_record_app_data_waiting(SSL *s)
70{
71 SSL3_BUFFER *rbuf;
72 int left, len;
73 unsigned char *p;
74
75 rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
76
77 p = SSL3_BUFFER_get_buf(rbuf);
78 if (p == NULL)
79 return 0;
80
81 left = SSL3_BUFFER_get_left(rbuf);
82
83 if (left < SSL3_RT_HEADER_LENGTH)
84 return 0;
85
86 p += SSL3_BUFFER_get_offset(rbuf);
87
88 /*
89 * We only check the type and record length, we will sanity check version
90 * etc later
91 */
92 if (*p != SSL3_RT_APPLICATION_DATA)
93 return 0;
94
95 p += 3;
96 n2s(p, len);
97
98 if (left < SSL3_RT_HEADER_LENGTH + len)
99 return 0;
100
101 return 1;
102}
103
104/*
105 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
106 * will be processed per call to ssl3_get_record. Without this limit an
107 * attacker could send empty records at a faster rate than we can process and
108 * cause ssl3_get_record to loop forever.
109 */
110#define MAX_EMPTY_RECORDS 32
111
112#define SSL2_RT_HEADER_LENGTH 2
113/*-
114 * Call this to get new input records.
115 * It will return <= 0 if more data is needed, normally due to an error
116 * or non-blocking IO.
117 * When it finishes, |numrpipes| records have been decoded. For each record 'i':
118 * rr[i].type - is the type of record
119 * rr[i].data, - data
120 * rr[i].length, - number of bytes
121 * Multiple records will only be returned if the record types are all
122 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
123 * |max_pipelines|
124 */
125/* used only by ssl3_read_bytes */
126int ssl3_get_record(SSL *s)
127{
128 int ssl_major, ssl_minor, al;
129 int enc_err, n, i, ret = -1;
130 SSL3_RECORD *rr;
131 SSL3_BUFFER *rbuf;
132 SSL_SESSION *sess;
133 unsigned char *p;
134 unsigned char md[EVP_MAX_MD_SIZE];
135 short version;
136 unsigned mac_size;
137 int imac_size;
138 unsigned int num_recs = 0;
139 unsigned int max_recs;
140 unsigned int j;
141
142 rr = RECORD_LAYER_get_rrec(&s->rlayer);
143 rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
144 max_recs = s->max_pipelines;
145 if (max_recs == 0)
146 max_recs = 1;
147 sess = s->session;
148
149 do {
150 /* check if we have the header */
151 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
152 (RECORD_LAYER_get_packet_length(&s->rlayer)
153 < SSL3_RT_HEADER_LENGTH)) {
154 n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
155 SSL3_BUFFER_get_len(rbuf), 0,
156 num_recs == 0 ? 1 : 0);
157 if (n <= 0)
158 return (n); /* error or non-blocking */
159 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
160
161 p = RECORD_LAYER_get_packet(&s->rlayer);
162
163 /*
164 * The first record received by the server may be a V2ClientHello.
165 */
166 if (s->server && RECORD_LAYER_is_first_record(&s->rlayer)
167 && (p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
168 /*
169 * SSLv2 style record
170 *
171 * |num_recs| here will actually always be 0 because
172 * |num_recs > 0| only ever occurs when we are processing
173 * multiple app data records - which we know isn't the case here
174 * because it is an SSLv2ClientHello. We keep it using
175 * |num_recs| for the sake of consistency
176 */
177 rr[num_recs].type = SSL3_RT_HANDSHAKE;
178 rr[num_recs].rec_version = SSL2_VERSION;
179
180 rr[num_recs].length = ((p[0] & 0x7f) << 8) | p[1];
181
182 if (rr[num_recs].length > SSL3_BUFFER_get_len(rbuf)
183 - SSL2_RT_HEADER_LENGTH) {
184 al = SSL_AD_RECORD_OVERFLOW;
185 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
186 goto f_err;
187 }
188
189 if (rr[num_recs].length < MIN_SSL2_RECORD_LEN) {
190 al = SSL_AD_HANDSHAKE_FAILURE;
191 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
192 goto f_err;
193 }
194 } else {
195 /* SSLv3+ style record */
196 if (s->msg_callback)
197 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
198 s->msg_callback_arg);
199
200 /* Pull apart the header into the SSL3_RECORD */
201 rr[num_recs].type = *(p++);
202 ssl_major = *(p++);
203 ssl_minor = *(p++);
204 version = (ssl_major << 8) | ssl_minor;
205 rr[num_recs].rec_version = version;
206 n2s(p, rr[num_recs].length);
207
208 /* Lets check version */
209 if (!s->first_packet && version != s->version) {
210 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
211 if ((s->version & 0xFF00) == (version & 0xFF00)
212 && !s->enc_write_ctx && !s->write_hash) {
213 if (rr->type == SSL3_RT_ALERT) {
214 /*
215 * The record is using an incorrect version number,
216 * but what we've got appears to be an alert. We
217 * haven't read the body yet to check whether its a
218 * fatal or not - but chances are it is. We probably
219 * shouldn't send a fatal alert back. We'll just
220 * end.
221 */
222 goto err;
223 }
224 /*
225 * Send back error using their minor version number :-)
226 */
227 s->version = (unsigned short)version;
228 }
229 al = SSL_AD_PROTOCOL_VERSION;
230 goto f_err;
231 }
232
233 if ((version >> 8) != SSL3_VERSION_MAJOR) {
234 if (RECORD_LAYER_is_first_record(&s->rlayer)) {
235 /* Go back to start of packet, look at the five bytes
236 * that we have. */
237 p = RECORD_LAYER_get_packet(&s->rlayer);
238 if (strncmp((char *)p, "GET ", 4) == 0 ||
239 strncmp((char *)p, "POST ", 5) == 0 ||
240 strncmp((char *)p, "HEAD ", 5) == 0 ||
241 strncmp((char *)p, "PUT ", 4) == 0) {
242 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST);
243 goto err;
244 } else if (strncmp((char *)p, "CONNE", 5) == 0) {
245 SSLerr(SSL_F_SSL3_GET_RECORD,
246 SSL_R_HTTPS_PROXY_REQUEST);
247 goto err;
248 }
249
250 /* Doesn't look like TLS - don't send an alert */
251 SSLerr(SSL_F_SSL3_GET_RECORD,
252 SSL_R_WRONG_VERSION_NUMBER);
253 goto err;
254 } else {
255 SSLerr(SSL_F_SSL3_GET_RECORD,
256 SSL_R_WRONG_VERSION_NUMBER);
257 al = SSL_AD_PROTOCOL_VERSION;
258 goto f_err;
259 }
260 }
261
262 if (rr[num_recs].length >
263 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
264 al = SSL_AD_RECORD_OVERFLOW;
265 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
266 goto f_err;
267 }
268 }
269
270 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
271 }
272
273 /*
274 * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data.
275 * Calculate how much more data we need to read for the rest of the
276 * record
277 */
278 if (rr[num_recs].rec_version == SSL2_VERSION) {
279 i = rr[num_recs].length + SSL2_RT_HEADER_LENGTH
280 - SSL3_RT_HEADER_LENGTH;
281 } else {
282 i = rr[num_recs].length;
283 }
284 if (i > 0) {
285 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
286
287 n = ssl3_read_n(s, i, i, 1, 0);
288 if (n <= 0)
289 return (n); /* error or non-blocking io */
290 }
291
292 /* set state for later operations */
293 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
294
295 /*
296 * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length,
297 * or s->packet_length == SSL2_RT_HEADER_LENGTH + rr->length
298 * and we have that many bytes in s->packet
299 */
300 if (rr[num_recs].rec_version == SSL2_VERSION) {
301 rr[num_recs].input =
302 &(RECORD_LAYER_get_packet(&s->rlayer)[SSL2_RT_HEADER_LENGTH]);
303 } else {
304 rr[num_recs].input =
305 &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
306 }
307
308 /*
309 * ok, we can now read from 's->packet' data into 'rr' rr->input points
310 * at rr->length bytes, which need to be copied into rr->data by either
311 * the decryption or by the decompression When the data is 'copied' into
312 * the rr->data buffer, rr->input will be pointed at the new buffer
313 */
314
315 /*
316 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
317 * bytes of encrypted compressed stuff.
318 */
319
320 /* check is not needed I believe */
321 if (rr[num_recs].length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
322 al = SSL_AD_RECORD_OVERFLOW;
323 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
324 goto f_err;
325 }
326
327 /* decrypt in place in 'rr->input' */
328 rr[num_recs].data = rr[num_recs].input;
329 rr[num_recs].orig_len = rr[num_recs].length;
330
331 /* Mark this record as not read by upper layers yet */
332 rr[num_recs].read = 0;
333
334 num_recs++;
335
336 /* we have pulled in a full packet so zero things */
337 RECORD_LAYER_reset_packet_length(&s->rlayer);
338 RECORD_LAYER_clear_first_record(&s->rlayer);
339 } while (num_recs < max_recs
340 && rr[num_recs - 1].type == SSL3_RT_APPLICATION_DATA
341 && SSL_USE_EXPLICIT_IV(s)
342 && s->enc_read_ctx != NULL
343 && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx))
344 & EVP_CIPH_FLAG_PIPELINE)
345 && ssl3_record_app_data_waiting(s));
346
347 /*
348 * If in encrypt-then-mac mode calculate mac from encrypted record. All
349 * the details below are public so no timing details can leak.
350 */
351 if (SSL_READ_ETM(s) && s->read_hash) {
352 unsigned char *mac;
353
354 imac_size = EVP_MD_CTX_size(s->read_hash);
355 assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE);
356 if (imac_size < 0 || imac_size > EVP_MAX_MD_SIZE) {
357 al = SSL_AD_INTERNAL_ERROR;
358 SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP);
359 goto f_err;
360 }
361 mac_size = (unsigned)imac_size;
362
363 for (j = 0; j < num_recs; j++) {
364 if (rr[j].length < mac_size) {
365 al = SSL_AD_DECODE_ERROR;
366 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
367 goto f_err;
368 }
369 rr[j].length -= mac_size;
370 mac = rr[j].data + rr[j].length;
371 i = s->method->ssl3_enc->mac(s, &rr[j], md, 0 /* not send */ );
372 if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
373 al = SSL_AD_BAD_RECORD_MAC;
374 SSLerr(SSL_F_SSL3_GET_RECORD,
375 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
376 goto f_err;
377 }
378 }
379 }
380
381 enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0);
382 /*-
383 * enc_err is:
384 * 0: (in non-constant time) if the record is publically invalid.
385 * 1: if the padding is valid
386 * -1: if the padding is invalid
387 */
388 if (enc_err == 0) {
389 al = SSL_AD_DECRYPTION_FAILED;
390 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
391 goto f_err;
392 }
393#ifdef SSL_DEBUG
394 printf("dec %d\n", rr->length);
395 {
396 unsigned int z;
397 for (z = 0; z < rr->length; z++)
398 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
399 }
400 printf("\n");
401#endif
402
403 /* r->length is now the compressed data plus mac */
404 if ((sess != NULL) &&
405 (s->enc_read_ctx != NULL) &&
406 (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) {
407 /* s->read_hash != NULL => mac_size != -1 */
408 unsigned char *mac = NULL;
409 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
410
411 mac_size = EVP_MD_CTX_size(s->read_hash);
412 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
413
414 for (j = 0; j < num_recs; j++) {
415 /*
416 * orig_len is the length of the record before any padding was
417 * removed. This is public information, as is the MAC in use,
418 * therefore we can safely process the record in a different amount
419 * of time if it's too short to possibly contain a MAC.
420 */
421 if (rr[j].orig_len < mac_size ||
422 /* CBC records must have a padding length byte too. */
423 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
424 rr[j].orig_len < mac_size + 1)) {
425 al = SSL_AD_DECODE_ERROR;
426 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
427 goto f_err;
428 }
429
430 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
431 /*
432 * We update the length so that the TLS header bytes can be
433 * constructed correctly but we need to extract the MAC in
434 * constant time from within the record, without leaking the
435 * contents of the padding bytes.
436 */
437 mac = mac_tmp;
438 ssl3_cbc_copy_mac(mac_tmp, &rr[j], mac_size);
439 rr[j].length -= mac_size;
440 } else {
441 /*
442 * In this case there's no padding, so |rec->orig_len| equals
443 * |rec->length| and we checked that there's enough bytes for
444 * |mac_size| above.
445 */
446 rr[j].length -= mac_size;
447 mac = &rr[j].data[rr[j].length];
448 }
449
450 i = s->method->ssl3_enc->mac(s, &rr[j], md, 0 /* not send */ );
451 if (i < 0 || mac == NULL
452 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
453 enc_err = -1;
454 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
455 enc_err = -1;
456 }
457 }
458
459 if (enc_err < 0) {
460 /*
461 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
462 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
463 * failure is directly visible from the ciphertext anyway, we should
464 * not reveal which kind of error occurred -- this might become
465 * visible to an attacker (e.g. via a logfile)
466 */
467 al = SSL_AD_BAD_RECORD_MAC;
468 SSLerr(SSL_F_SSL3_GET_RECORD,
469 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
470 goto f_err;
471 }
472
473 for (j = 0; j < num_recs; j++) {
474 /* rr[j].length is now just compressed */
475 if (s->expand != NULL) {
476 if (rr[j].length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
477 al = SSL_AD_RECORD_OVERFLOW;
478 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
479 goto f_err;
480 }
481 if (!ssl3_do_uncompress(s, &rr[j])) {
482 al = SSL_AD_DECOMPRESSION_FAILURE;
483 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
484 goto f_err;
485 }
486 }
487
488 if (rr[j].length > SSL3_RT_MAX_PLAIN_LENGTH) {
489 al = SSL_AD_RECORD_OVERFLOW;
490 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
491 goto f_err;
492 }
493
494 rr[j].off = 0;
495 /*-
496 * So at this point the following is true
497 * rr[j].type is the type of record
498 * rr[j].length == number of bytes in record
499 * rr[j].off == offset to first valid byte
500 * rr[j].data == where to take bytes from, increment after use :-).
501 */
502
503 /* just read a 0 length packet */
504 if (rr[j].length == 0) {
505 RECORD_LAYER_inc_empty_record_count(&s->rlayer);
506 if (RECORD_LAYER_get_empty_record_count(&s->rlayer)
507 > MAX_EMPTY_RECORDS) {
508 al = SSL_AD_UNEXPECTED_MESSAGE;
509 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
510 goto f_err;
511 }
512 } else {
513 RECORD_LAYER_reset_empty_record_count(&s->rlayer);
514 }
515 }
516
517 RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs);
518 return 1;
519
520 f_err:
521 ssl3_send_alert(s, SSL3_AL_FATAL, al);
522 err:
523 return ret;
524}
525
526int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr)
527{
528#ifndef OPENSSL_NO_COMP
529 int i;
530
531 if (rr->comp == NULL) {
532 rr->comp = (unsigned char *)
533 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
534 }
535 if (rr->comp == NULL)
536 return 0;
537
538 i = COMP_expand_block(ssl->expand, rr->comp,
539 SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length);
540 if (i < 0)
541 return 0;
542 else
543 rr->length = i;
544 rr->data = rr->comp;
545#endif
546 return 1;
547}
548
549int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
550{
551#ifndef OPENSSL_NO_COMP
552 int i;
553
554 i = COMP_compress_block(ssl->compress, wr->data,
555 SSL3_RT_MAX_COMPRESSED_LENGTH,
556 wr->input, (int)wr->length);
557 if (i < 0)
558 return (0);
559 else
560 wr->length = i;
561
562 wr->input = wr->data;
563#endif
564 return (1);
565}
566
567/*-
568 * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|
569 *
570 * Returns:
571 * 0: (in non-constant time) if the record is publically invalid (i.e. too
572 * short etc).
573 * 1: if the record's padding is valid / the encryption was successful.
574 * -1: if the record's padding is invalid or, if sending, an internal error
575 * occurred.
576 */
577int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, unsigned int n_recs, int send)
578{
579 SSL3_RECORD *rec;
580 EVP_CIPHER_CTX *ds;
581 unsigned long l;
582 int bs, i, mac_size = 0;
583 const EVP_CIPHER *enc;
584
585 rec = inrecs;
586 /*
587 * We shouldn't ever be called with more than one record in the SSLv3 case
588 */
589 if (n_recs != 1)
590 return 0;
591 if (send) {
592 ds = s->enc_write_ctx;
593 if (s->enc_write_ctx == NULL)
594 enc = NULL;
595 else
596 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
597 } else {
598 ds = s->enc_read_ctx;
599 if (s->enc_read_ctx == NULL)
600 enc = NULL;
601 else
602 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
603 }
604
605 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
606 memmove(rec->data, rec->input, rec->length);
607 rec->input = rec->data;
608 } else {
609 l = rec->length;
610 bs = EVP_CIPHER_CTX_block_size(ds);
611
612 /* COMPRESS */
613
614 if ((bs != 1) && send) {
615 i = bs - ((int)l % bs);
616
617 /* we need to add 'i-1' padding bytes */
618 l += i;
619 /*
620 * the last of these zero bytes will be overwritten with the
621 * padding length.
622 */
623 memset(&rec->input[rec->length], 0, i);
624 rec->length += i;
625 rec->input[l - 1] = (i - 1);
626 }
627
628 if (!send) {
629 if (l == 0 || l % bs != 0)
630 return 0;
631 /* otherwise, rec->length >= bs */
632 }
633
634 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
635 return -1;
636
637 if (EVP_MD_CTX_md(s->read_hash) != NULL)
638 mac_size = EVP_MD_CTX_size(s->read_hash);
639 if ((bs != 1) && !send)
640 return ssl3_cbc_remove_padding(rec, bs, mac_size);
641 }
642 return (1);
643}
644
645/*-
646 * tls1_enc encrypts/decrypts |n_recs| in |recs|.
647 *
648 * Returns:
649 * 0: (in non-constant time) if the record is publically invalid (i.e. too
650 * short etc).
651 * 1: if the record's padding is valid / the encryption was successful.
652 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
653 * an internal error occurred.
654 */
655int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send)
656{
657 EVP_CIPHER_CTX *ds;
658 size_t reclen[SSL_MAX_PIPELINES];
659 unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
660 int bs, i, j, k, pad = 0, ret, mac_size = 0;
661 const EVP_CIPHER *enc;
662 unsigned int ctr;
663
664 if (send) {
665 if (EVP_MD_CTX_md(s->write_hash)) {
666 int n = EVP_MD_CTX_size(s->write_hash);
667 OPENSSL_assert(n >= 0);
668 }
669 ds = s->enc_write_ctx;
670 if (s->enc_write_ctx == NULL)
671 enc = NULL;
672 else {
673 int ivlen;
674 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
675 /* For TLSv1.1 and later explicit IV */
676 if (SSL_USE_EXPLICIT_IV(s)
677 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
678 ivlen = EVP_CIPHER_iv_length(enc);
679 else
680 ivlen = 0;
681 if (ivlen > 1) {
682 for (ctr = 0; ctr < n_recs; ctr++) {
683 if (recs[ctr].data != recs[ctr].input) {
684 /*
685 * we can't write into the input stream: Can this ever
686 * happen?? (steve)
687 */
688 SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR);
689 return -1;
690 } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) {
691 SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR);
692 return -1;
693 }
694 }
695 }
696 }
697 } else {
698 if (EVP_MD_CTX_md(s->read_hash)) {
699 int n = EVP_MD_CTX_size(s->read_hash);
700 OPENSSL_assert(n >= 0);
701 }
702 ds = s->enc_read_ctx;
703 if (s->enc_read_ctx == NULL)
704 enc = NULL;
705 else
706 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
707 }
708
709 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
710 for (ctr = 0; ctr < n_recs; ctr++) {
711 memmove(recs[ctr].data, recs[ctr].input, recs[ctr].length);
712 recs[ctr].input = recs[ctr].data;
713 }
714 ret = 1;
715 } else {
716 bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_cipher(ds));
717
718 if (n_recs > 1) {
719 if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
720 & EVP_CIPH_FLAG_PIPELINE)) {
721 /*
722 * We shouldn't have been called with pipeline data if the
723 * cipher doesn't support pipelining
724 */
725 SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
726 return -1;
727 }
728 }
729 for (ctr = 0; ctr < n_recs; ctr++) {
730 reclen[ctr] = recs[ctr].length;
731
732 if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
733 & EVP_CIPH_FLAG_AEAD_CIPHER) {
734 unsigned char *seq;
735
736 seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
737 : RECORD_LAYER_get_read_sequence(&s->rlayer);
738
739 if (SSL_IS_DTLS(s)) {
740 /* DTLS does not support pipelining */
741 unsigned char dtlsseq[9], *p = dtlsseq;
742
743 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
744 DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
745 memcpy(p, &seq[2], 6);
746 memcpy(buf[ctr], dtlsseq, 8);
747 } else {
748 memcpy(buf[ctr], seq, 8);
749 for (i = 7; i >= 0; i--) { /* increment */
750 ++seq[i];
751 if (seq[i] != 0)
752 break;
753 }
754 }
755
756 buf[ctr][8] = recs[ctr].type;
757 buf[ctr][9] = (unsigned char)(s->version >> 8);
758 buf[ctr][10] = (unsigned char)(s->version);
759 buf[ctr][11] = recs[ctr].length >> 8;
760 buf[ctr][12] = recs[ctr].length & 0xff;
761 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
762 EVP_AEAD_TLS1_AAD_LEN, buf[ctr]);
763 if (pad <= 0)
764 return -1;
765
766 if (send) {
767 reclen[ctr] += pad;
768 recs[ctr].length += pad;
769 }
770
771 } else if ((bs != 1) && send) {
772 i = bs - ((int)reclen[ctr] % bs);
773
774 /* Add weird padding of upto 256 bytes */
775
776 /* we need to add 'i' padding bytes of value j */
777 j = i - 1;
778 for (k = (int)reclen[ctr]; k < (int)(reclen[ctr] + i); k++)
779 recs[ctr].input[k] = j;
780 reclen[ctr] += i;
781 recs[ctr].length += i;
782 }
783
784 if (!send) {
785 if (reclen[ctr] == 0 || reclen[ctr] % bs != 0)
786 return 0;
787 }
788 }
789 if (n_recs > 1) {
790 unsigned char *data[SSL_MAX_PIPELINES];
791
792 /* Set the output buffers */
793 for (ctr = 0; ctr < n_recs; ctr++) {
794 data[ctr] = recs[ctr].data;
795 }
796 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
797 n_recs, data) <= 0) {
798 SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
799 }
800 /* Set the input buffers */
801 for (ctr = 0; ctr < n_recs; ctr++) {
802 data[ctr] = recs[ctr].input;
803 }
804 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS,
805 n_recs, data) <= 0
806 || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
807 n_recs, reclen) <= 0) {
808 SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
809 return -1;
810 }
811 }
812
813 i = EVP_Cipher(ds, recs[0].data, recs[0].input, reclen[0]);
814 if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
815 & EVP_CIPH_FLAG_CUSTOM_CIPHER)
816 ? (i < 0)
817 : (i == 0))
818 return -1; /* AEAD can fail to verify MAC */
819 if (send == 0) {
820 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) {
821 for (ctr = 0; ctr < n_recs; ctr++) {
822 recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
823 recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
824 recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
825 }
826 } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) {
827 for (ctr = 0; ctr < n_recs; ctr++) {
828 recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
829 recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
830 recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
831 }
832 }
833 }
834
835 ret = 1;
836 if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)
837 mac_size = EVP_MD_CTX_size(s->read_hash);
838 if ((bs != 1) && !send) {
839 int tmpret;
840 for (ctr = 0; ctr < n_recs; ctr++) {
841 tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size);
842 /*
843 * If tmpret == 0 then this means publicly invalid so we can
844 * short circuit things here. Otherwise we must respect constant
845 * time behaviour.
846 */
847 if (tmpret == 0)
848 return 0;
849 ret = constant_time_select_int(constant_time_eq_int(tmpret, 1),
850 ret, -1);
851 }
852 }
853 if (pad && !send) {
854 for (ctr = 0; ctr < n_recs; ctr++) {
855 recs[ctr].length -= pad;
856 }
857 }
858 }
859 return ret;
860}
861
862int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
863{
864 unsigned char *mac_sec, *seq;
865 const EVP_MD_CTX *hash;
866 unsigned char *p, rec_char;
867 size_t md_size;
868 int npad;
869 int t;
870
871 if (send) {
872 mac_sec = &(ssl->s3->write_mac_secret[0]);
873 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
874 hash = ssl->write_hash;
875 } else {
876 mac_sec = &(ssl->s3->read_mac_secret[0]);
877 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
878 hash = ssl->read_hash;
879 }
880
881 t = EVP_MD_CTX_size(hash);
882 if (t < 0)
883 return -1;
884 md_size = t;
885 npad = (48 / md_size) * md_size;
886
887 if (!send &&
888 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
889 ssl3_cbc_record_digest_supported(hash)) {
890 /*
891 * This is a CBC-encrypted record. We must avoid leaking any
892 * timing-side channel information about how many blocks of data we
893 * are hashing because that gives an attacker a timing-oracle.
894 */
895
896 /*-
897 * npad is, at most, 48 bytes and that's with MD5:
898 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
899 *
900 * With SHA-1 (the largest hash speced for SSLv3) the hash size
901 * goes up 4, but npad goes down by 8, resulting in a smaller
902 * total size.
903 */
904 unsigned char header[75];
905 unsigned j = 0;
906 memcpy(header + j, mac_sec, md_size);
907 j += md_size;
908 memcpy(header + j, ssl3_pad_1, npad);
909 j += npad;
910 memcpy(header + j, seq, 8);
911 j += 8;
912 header[j++] = rec->type;
913 header[j++] = rec->length >> 8;
914 header[j++] = rec->length & 0xff;
915
916 /* Final param == is SSLv3 */
917 if (ssl3_cbc_digest_record(hash,
918 md, &md_size,
919 header, rec->input,
920 rec->length + md_size, rec->orig_len,
921 mac_sec, md_size, 1) <= 0)
922 return -1;
923 } else {
924 unsigned int md_size_u;
925 /* Chop the digest off the end :-) */
926 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
927
928 if (md_ctx == NULL)
929 return -1;
930
931 rec_char = rec->type;
932 p = md;
933 s2n(rec->length, p);
934 if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
935 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
936 || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
937 || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
938 || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
939 || EVP_DigestUpdate(md_ctx, md, 2) <= 0
940 || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
941 || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
942 || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
943 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
944 || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
945 || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
946 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
947 EVP_MD_CTX_reset(md_ctx);
948 return -1;
949 }
950 md_size = md_size_u;
951
952 EVP_MD_CTX_free(md_ctx);
953 }
954
955 ssl3_record_sequence_update(seq);
956 return (md_size);
957}
958
959int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
960{
961 unsigned char *seq;
962 EVP_MD_CTX *hash;
963 size_t md_size;
964 int i;
965 EVP_MD_CTX *hmac = NULL, *mac_ctx;
966 unsigned char header[13];
967 int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
968 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
969 int t;
970
971 if (send) {
972 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
973 hash = ssl->write_hash;
974 } else {
975 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
976 hash = ssl->read_hash;
977 }
978
979 t = EVP_MD_CTX_size(hash);
980 OPENSSL_assert(t >= 0);
981 md_size = t;
982
983 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
984 if (stream_mac) {
985 mac_ctx = hash;
986 } else {
987 hmac = EVP_MD_CTX_new();
988 if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash))
989 return -1;
990 mac_ctx = hmac;
991 }
992
993 if (SSL_IS_DTLS(ssl)) {
994 unsigned char dtlsseq[8], *p = dtlsseq;
995
996 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
997 DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
998 memcpy(p, &seq[2], 6);
999
1000 memcpy(header, dtlsseq, 8);
1001 } else
1002 memcpy(header, seq, 8);
1003
1004 header[8] = rec->type;
1005 header[9] = (unsigned char)(ssl->version >> 8);
1006 header[10] = (unsigned char)(ssl->version);
1007 header[11] = (rec->length) >> 8;
1008 header[12] = (rec->length) & 0xff;
1009
1010 if (!send && !SSL_READ_ETM(ssl) &&
1011 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1012 ssl3_cbc_record_digest_supported(mac_ctx)) {
1013 /*
1014 * This is a CBC-encrypted record. We must avoid leaking any
1015 * timing-side channel information about how many blocks of data we
1016 * are hashing because that gives an attacker a timing-oracle.
1017 */
1018 /* Final param == not SSLv3 */
1019 if (ssl3_cbc_digest_record(mac_ctx,
1020 md, &md_size,
1021 header, rec->input,
1022 rec->length + md_size, rec->orig_len,
1023 ssl->s3->read_mac_secret,
1024 ssl->s3->read_mac_secret_size, 0) <= 0) {
1025 EVP_MD_CTX_free(hmac);
1026 return -1;
1027 }
1028 } else {
1029 if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
1030 || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
1031 || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
1032 EVP_MD_CTX_free(hmac);
1033 return -1;
1034 }
1035 if (!send && !SSL_READ_ETM(ssl) && FIPS_mode())
1036 if (!tls_fips_digest_extra(ssl->enc_read_ctx,
1037 mac_ctx, rec->input,
1038 rec->length, rec->orig_len)) {
1039 EVP_MD_CTX_free(hmac);
1040 return -1;
1041 }
1042 }
1043
1044 EVP_MD_CTX_free(hmac);
1045
1046#ifdef SSL_DEBUG
1047 fprintf(stderr, "seq=");
1048 {
1049 int z;
1050 for (z = 0; z < 8; z++)
1051 fprintf(stderr, "%02X ", seq[z]);
1052 fprintf(stderr, "\n");
1053 }
1054 fprintf(stderr, "rec=");
1055 {
1056 unsigned int z;
1057 for (z = 0; z < rec->length; z++)
1058 fprintf(stderr, "%02X ", rec->data[z]);
1059 fprintf(stderr, "\n");
1060 }
1061#endif
1062
1063 if (!SSL_IS_DTLS(ssl)) {
1064 for (i = 7; i >= 0; i--) {
1065 ++seq[i];
1066 if (seq[i] != 0)
1067 break;
1068 }
1069 }
1070#ifdef SSL_DEBUG
1071 {
1072 unsigned int z;
1073 for (z = 0; z < md_size; z++)
1074 fprintf(stderr, "%02X ", md[z]);
1075 fprintf(stderr, "\n");
1076 }
1077#endif
1078 return (md_size);
1079}
1080
1081/*-
1082 * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
1083 * record in |rec| by updating |rec->length| in constant time.
1084 *
1085 * block_size: the block size of the cipher used to encrypt the record.
1086 * returns:
1087 * 0: (in non-constant time) if the record is publicly invalid.
1088 * 1: if the padding was valid
1089 * -1: otherwise.
1090 */
1091int ssl3_cbc_remove_padding(SSL3_RECORD *rec,
1092 unsigned block_size, unsigned mac_size)
1093{
1094 unsigned padding_length, good;
1095 const unsigned overhead = 1 /* padding length byte */ + mac_size;
1096
1097 /*
1098 * These lengths are all public so we can test them in non-constant time.
1099 */
1100 if (overhead > rec->length)
1101 return 0;
1102
1103 padding_length = rec->data[rec->length - 1];
1104 good = constant_time_ge(rec->length, padding_length + overhead);
1105 /* SSLv3 requires that the padding is minimal. */
1106 good &= constant_time_ge(block_size, padding_length + 1);
1107 rec->length -= good & (padding_length + 1);
1108 return constant_time_select_int(good, 1, -1);
1109}
1110
1111/*-
1112 * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
1113 * record in |rec| in constant time and returns 1 if the padding is valid and
1114 * -1 otherwise. It also removes any explicit IV from the start of the record
1115 * without leaking any timing about whether there was enough space after the
1116 * padding was removed.
1117 *
1118 * block_size: the block size of the cipher used to encrypt the record.
1119 * returns:
1120 * 0: (in non-constant time) if the record is publicly invalid.
1121 * 1: if the padding was valid
1122 * -1: otherwise.
1123 */
1124int tls1_cbc_remove_padding(const SSL *s,
1125 SSL3_RECORD *rec,
1126 unsigned block_size, unsigned mac_size)
1127{
1128 unsigned padding_length, good, to_check, i;
1129 const unsigned overhead = 1 /* padding length byte */ + mac_size;
1130 /* Check if version requires explicit IV */
1131 if (SSL_USE_EXPLICIT_IV(s)) {
1132 /*
1133 * These lengths are all public so we can test them in non-constant
1134 * time.
1135 */
1136 if (overhead + block_size > rec->length)
1137 return 0;
1138 /* We can now safely skip explicit IV */
1139 rec->data += block_size;
1140 rec->input += block_size;
1141 rec->length -= block_size;
1142 rec->orig_len -= block_size;
1143 } else if (overhead > rec->length)
1144 return 0;
1145
1146 padding_length = rec->data[rec->length - 1];
1147
1148 if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) &
1149 EVP_CIPH_FLAG_AEAD_CIPHER) {
1150 /* padding is already verified */
1151 rec->length -= padding_length + 1;
1152 return 1;
1153 }
1154
1155 good = constant_time_ge(rec->length, overhead + padding_length);
1156 /*
1157 * The padding consists of a length byte at the end of the record and
1158 * then that many bytes of padding, all with the same value as the length
1159 * byte. Thus, with the length byte included, there are i+1 bytes of
1160 * padding. We can't check just |padding_length+1| bytes because that
1161 * leaks decrypted information. Therefore we always have to check the
1162 * maximum amount of padding possible. (Again, the length of the record
1163 * is public information so we can use it.)
1164 */
1165 to_check = 256; /* maximum amount of padding, inc length byte. */
1166 if (to_check > rec->length)
1167 to_check = rec->length;
1168
1169 for (i = 0; i < to_check; i++) {
1170 unsigned char mask = constant_time_ge_8(padding_length, i);
1171 unsigned char b = rec->data[rec->length - 1 - i];
1172 /*
1173 * The final |padding_length+1| bytes should all have the value
1174 * |padding_length|. Therefore the XOR should be zero.
1175 */
1176 good &= ~(mask & (padding_length ^ b));
1177 }
1178
1179 /*
1180 * If any of the final |padding_length+1| bytes had the wrong value, one
1181 * or more of the lower eight bits of |good| will be cleared.
1182 */
1183 good = constant_time_eq(0xff, good & 0xff);
1184 rec->length -= good & (padding_length + 1);
1185
1186 return constant_time_select_int(good, 1, -1);
1187}
1188
1189/*-
1190 * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
1191 * constant time (independent of the concrete value of rec->length, which may
1192 * vary within a 256-byte window).
1193 *
1194 * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
1195 * this function.
1196 *
1197 * On entry:
1198 * rec->orig_len >= md_size
1199 * md_size <= EVP_MAX_MD_SIZE
1200 *
1201 * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
1202 * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
1203 * a single or pair of cache-lines, then the variable memory accesses don't
1204 * actually affect the timing. CPUs with smaller cache-lines [if any] are
1205 * not multi-core and are not considered vulnerable to cache-timing attacks.
1206 */
1207#define CBC_MAC_ROTATE_IN_PLACE
1208
1209void ssl3_cbc_copy_mac(unsigned char *out,
1210 const SSL3_RECORD *rec, unsigned md_size)
1211{
1212#if defined(CBC_MAC_ROTATE_IN_PLACE)
1213 unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
1214 unsigned char *rotated_mac;
1215#else
1216 unsigned char rotated_mac[EVP_MAX_MD_SIZE];
1217#endif
1218
1219 /*
1220 * mac_end is the index of |rec->data| just after the end of the MAC.
1221 */
1222 unsigned mac_end = rec->length;
1223 unsigned mac_start = mac_end - md_size;
1224 unsigned in_mac;
1225 /*
1226 * scan_start contains the number of bytes that we can ignore because the
1227 * MAC's position can only vary by 255 bytes.
1228 */
1229 unsigned scan_start = 0;
1230 unsigned i, j;
1231 unsigned rotate_offset;
1232
1233 OPENSSL_assert(rec->orig_len >= md_size);
1234 OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
1235
1236#if defined(CBC_MAC_ROTATE_IN_PLACE)
1237 rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
1238#endif
1239
1240 /* This information is public so it's safe to branch based on it. */
1241 if (rec->orig_len > md_size + 255 + 1)
1242 scan_start = rec->orig_len - (md_size + 255 + 1);
1243
1244 in_mac = 0;
1245 rotate_offset = 0;
1246 memset(rotated_mac, 0, md_size);
1247 for (i = scan_start, j = 0; i < rec->orig_len; i++) {
1248 unsigned mac_started = constant_time_eq(i, mac_start);
1249 unsigned mac_ended = constant_time_lt(i, mac_end);
1250 unsigned char b = rec->data[i];
1251
1252 in_mac |= mac_started;
1253 in_mac &= mac_ended;
1254 rotate_offset |= j & mac_started;
1255 rotated_mac[j++] |= b & in_mac;
1256 j &= constant_time_lt(j, md_size);
1257 }
1258
1259 /* Now rotate the MAC */
1260#if defined(CBC_MAC_ROTATE_IN_PLACE)
1261 j = 0;
1262 for (i = 0; i < md_size; i++) {
1263 /* in case cache-line is 32 bytes, touch second line */
1264 ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
1265 out[j++] = rotated_mac[rotate_offset++];
1266 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1267 }
1268#else
1269 memset(out, 0, md_size);
1270 rotate_offset = md_size - rotate_offset;
1271 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1272 for (i = 0; i < md_size; i++) {
1273 for (j = 0; j < md_size; j++)
1274 out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
1275 rotate_offset++;
1276 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1277 }
1278#endif
1279}
1280
1281int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
1282{
1283 int i, al;
1284 int enc_err;
1285 SSL_SESSION *sess;
1286 SSL3_RECORD *rr;
1287 unsigned int mac_size;
1288 unsigned char md[EVP_MAX_MD_SIZE];
1289
1290 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1291 sess = s->session;
1292
1293 /*
1294 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
1295 * and we have that many bytes in s->packet
1296 */
1297 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]);
1298
1299 /*
1300 * ok, we can now read from 's->packet' data into 'rr' rr->input points
1301 * at rr->length bytes, which need to be copied into rr->data by either
1302 * the decryption or by the decompression When the data is 'copied' into
1303 * the rr->data buffer, rr->input will be pointed at the new buffer
1304 */
1305
1306 /*
1307 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
1308 * bytes of encrypted compressed stuff.
1309 */
1310
1311 /* check is not needed I believe */
1312 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1313 al = SSL_AD_RECORD_OVERFLOW;
1314 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1315 goto f_err;
1316 }
1317
1318 /* decrypt in place in 'rr->input' */
1319 rr->data = rr->input;
1320 rr->orig_len = rr->length;
1321
1322 enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0);
1323 /*-
1324 * enc_err is:
1325 * 0: (in non-constant time) if the record is publically invalid.
1326 * 1: if the padding is valid
1327 * -1: if the padding is invalid
1328 */
1329 if (enc_err == 0) {
1330 /* For DTLS we simply ignore bad packets. */
1331 rr->length = 0;
1332 RECORD_LAYER_reset_packet_length(&s->rlayer);
1333 goto err;
1334 }
1335#ifdef SSL_DEBUG
1336 printf("dec %d\n", rr->length);
1337 {
1338 unsigned int z;
1339 for (z = 0; z < rr->length; z++)
1340 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
1341 }
1342 printf("\n");
1343#endif
1344
1345 /* r->length is now the compressed data plus mac */
1346 if ((sess != NULL) &&
1347 (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
1348 /* s->read_hash != NULL => mac_size != -1 */
1349 unsigned char *mac = NULL;
1350 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
1351 mac_size = EVP_MD_CTX_size(s->read_hash);
1352 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
1353
1354 /*
1355 * orig_len is the length of the record before any padding was
1356 * removed. This is public information, as is the MAC in use,
1357 * therefore we can safely process the record in a different amount
1358 * of time if it's too short to possibly contain a MAC.
1359 */
1360 if (rr->orig_len < mac_size ||
1361 /* CBC records must have a padding length byte too. */
1362 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1363 rr->orig_len < mac_size + 1)) {
1364 al = SSL_AD_DECODE_ERROR;
1365 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
1366 goto f_err;
1367 }
1368
1369 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
1370 /*
1371 * We update the length so that the TLS header bytes can be
1372 * constructed correctly but we need to extract the MAC in
1373 * constant time from within the record, without leaking the
1374 * contents of the padding bytes.
1375 */
1376 mac = mac_tmp;
1377 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
1378 rr->length -= mac_size;
1379 } else {
1380 /*
1381 * In this case there's no padding, so |rec->orig_len| equals
1382 * |rec->length| and we checked that there's enough bytes for
1383 * |mac_size| above.
1384 */
1385 rr->length -= mac_size;
1386 mac = &rr->data[rr->length];
1387 }
1388
1389 i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
1390 if (i < 0 || mac == NULL
1391 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
1392 enc_err = -1;
1393 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
1394 enc_err = -1;
1395 }
1396
1397 if (enc_err < 0) {
1398 /* decryption failed, silently discard message */
1399 rr->length = 0;
1400 RECORD_LAYER_reset_packet_length(&s->rlayer);
1401 goto err;
1402 }
1403
1404 /* r->length is now just compressed */
1405 if (s->expand != NULL) {
1406 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
1407 al = SSL_AD_RECORD_OVERFLOW;
1408 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,
1409 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1410 goto f_err;
1411 }
1412 if (!ssl3_do_uncompress(s, rr)) {
1413 al = SSL_AD_DECOMPRESSION_FAILURE;
1414 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
1415 goto f_err;
1416 }
1417 }
1418
1419 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
1420 al = SSL_AD_RECORD_OVERFLOW;
1421 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
1422 goto f_err;
1423 }
1424
1425 rr->off = 0;
1426 /*-
1427 * So at this point the following is true
1428 * ssl->s3->rrec.type is the type of record
1429 * ssl->s3->rrec.length == number of bytes in record
1430 * ssl->s3->rrec.off == offset to first valid byte
1431 * ssl->s3->rrec.data == where to take bytes from, increment
1432 * after use :-).
1433 */
1434
1435 /* we have pulled in a full packet so zero things */
1436 RECORD_LAYER_reset_packet_length(&s->rlayer);
1437
1438 /* Mark receipt of record. */
1439 dtls1_record_bitmap_update(s, bitmap);
1440
1441 return (1);
1442
1443 f_err:
1444 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1445 err:
1446 return (0);
1447}
1448
1449/*
1450 * retrieve a buffered record that belongs to the current epoch, ie,
1451 * processed
1452 */
1453#define dtls1_get_processed_record(s) \
1454 dtls1_retrieve_buffered_record((s), \
1455 &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer)))
1456
1457/*-
1458 * Call this to get a new input record.
1459 * It will return <= 0 if more data is needed, normally due to an error
1460 * or non-blocking IO.
1461 * When it finishes, one packet has been decoded and can be found in
1462 * ssl->s3->rrec.type - is the type of record
1463 * ssl->s3->rrec.data, - data
1464 * ssl->s3->rrec.length, - number of bytes
1465 */
1466/* used only by dtls1_read_bytes */
1467int dtls1_get_record(SSL *s)
1468{
1469 int ssl_major, ssl_minor;
1470 int i, n;
1471 SSL3_RECORD *rr;
1472 unsigned char *p = NULL;
1473 unsigned short version;
1474 DTLS1_BITMAP *bitmap;
1475 unsigned int is_next_epoch;
1476
1477 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1478
1479 again:
1480 /*
1481 * The epoch may have changed. If so, process all the pending records.
1482 * This is a non-blocking operation.
1483 */
1484 if (!dtls1_process_buffered_records(s))
1485 return -1;
1486
1487 /* if we're renegotiating, then there may be buffered records */
1488 if (dtls1_get_processed_record(s))
1489 return 1;
1490
1491 /* get something from the wire */
1492
1493 /* check if we have the header */
1494 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
1495 (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) {
1496 n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
1497 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1);
1498 /* read timeout is handled by dtls1_read_bytes */
1499 if (n <= 0)
1500 return (n); /* error or non-blocking */
1501
1502 /* this packet contained a partial record, dump it */
1503 if (RECORD_LAYER_get_packet_length(&s->rlayer) !=
1504 DTLS1_RT_HEADER_LENGTH) {
1505 RECORD_LAYER_reset_packet_length(&s->rlayer);
1506 goto again;
1507 }
1508
1509 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
1510
1511 p = RECORD_LAYER_get_packet(&s->rlayer);
1512
1513 if (s->msg_callback)
1514 s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
1515 s, s->msg_callback_arg);
1516
1517 /* Pull apart the header into the DTLS1_RECORD */
1518 rr->type = *(p++);
1519 ssl_major = *(p++);
1520 ssl_minor = *(p++);
1521 version = (ssl_major << 8) | ssl_minor;
1522
1523 /* sequence number is 64 bits, with top 2 bytes = epoch */
1524 n2s(p, rr->epoch);
1525
1526 memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6);
1527 p += 6;
1528
1529 n2s(p, rr->length);
1530
1531 /* Lets check version */
1532 if (!s->first_packet) {
1533 if (version != s->version) {
1534 /* unexpected version, silently discard */
1535 rr->length = 0;
1536 RECORD_LAYER_reset_packet_length(&s->rlayer);
1537 goto again;
1538 }
1539 }
1540
1541 if ((version & 0xff00) != (s->version & 0xff00)) {
1542 /* wrong version, silently discard record */
1543 rr->length = 0;
1544 RECORD_LAYER_reset_packet_length(&s->rlayer);
1545 goto again;
1546 }
1547
1548 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1549 /* record too long, silently discard it */
1550 rr->length = 0;
1551 RECORD_LAYER_reset_packet_length(&s->rlayer);
1552 goto again;
1553 }
1554
1555 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
1556 }
1557
1558 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
1559
1560 if (rr->length >
1561 RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) {
1562 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
1563 i = rr->length;
1564 n = ssl3_read_n(s, i, i, 1, 1);
1565 /* this packet contained a partial record, dump it */
1566 if (n != i) {
1567 rr->length = 0;
1568 RECORD_LAYER_reset_packet_length(&s->rlayer);
1569 goto again;
1570 }
1571
1572 /*
1573 * now n == rr->length, and s->packet_length ==
1574 * DTLS1_RT_HEADER_LENGTH + rr->length
1575 */
1576 }
1577 /* set state for later operations */
1578 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
1579
1580 /* match epochs. NULL means the packet is dropped on the floor */
1581 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
1582 if (bitmap == NULL) {
1583 rr->length = 0;
1584 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1585 goto again; /* get another record */
1586 }
1587#ifndef OPENSSL_NO_SCTP
1588 /* Only do replay check if no SCTP bio */
1589 if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
1590#endif
1591 /* Check whether this is a repeat, or aged record. */
1592 /*
1593 * TODO: Does it make sense to have replay protection in epoch 0 where
1594 * we have no integrity negotiated yet?
1595 */
1596 if (!dtls1_record_replay_check(s, bitmap)) {
1597 rr->length = 0;
1598 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1599 goto again; /* get another record */
1600 }
1601#ifndef OPENSSL_NO_SCTP
1602 }
1603#endif
1604
1605 /* just read a 0 length packet */
1606 if (rr->length == 0)
1607 goto again;
1608
1609 /*
1610 * If this record is from the next epoch (either HM or ALERT), and a
1611 * handshake is currently in progress, buffer it since it cannot be
1612 * processed at this time.
1613 */
1614 if (is_next_epoch) {
1615 if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) {
1616 if (dtls1_buffer_record
1617 (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
1618 rr->seq_num) < 0)
1619 return -1;
1620 }
1621 rr->length = 0;
1622 RECORD_LAYER_reset_packet_length(&s->rlayer);
1623 goto again;
1624 }
1625
1626 if (!dtls1_process_record(s, bitmap)) {
1627 rr->length = 0;
1628 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1629 goto again; /* get another record */
1630 }
1631
1632 return (1);
1633
1634}
Note: See TracBrowser for help on using the repository browser.