[331] | 1 | /*
|
---|
| 2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include <assert.h>
|
---|
| 11 | #include "../ssl_locl.h"
|
---|
| 12 | #include "internal/constant_time_locl.h"
|
---|
| 13 | #include <openssl/rand.h>
|
---|
| 14 | #include "record_locl.h"
|
---|
| 15 |
|
---|
| 16 | static const unsigned char ssl3_pad_1[48] = {
|
---|
| 17 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
---|
| 18 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
---|
| 19 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
---|
| 20 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
---|
| 21 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
---|
| 22 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
|
---|
| 23 | };
|
---|
| 24 |
|
---|
| 25 | static const unsigned char ssl3_pad_2[48] = {
|
---|
| 26 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
---|
| 27 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
---|
| 28 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
---|
| 29 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
---|
| 30 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
---|
| 31 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
|
---|
| 32 | };
|
---|
| 33 |
|
---|
| 34 | /*
|
---|
| 35 | * Clear the contents of an SSL3_RECORD but retain any memory allocated
|
---|
| 36 | */
|
---|
| 37 | void SSL3_RECORD_clear(SSL3_RECORD *r, unsigned int num_recs)
|
---|
| 38 | {
|
---|
| 39 | unsigned char *comp;
|
---|
| 40 | unsigned int i;
|
---|
| 41 |
|
---|
| 42 | for (i = 0; i < num_recs; i++) {
|
---|
| 43 | comp = r[i].comp;
|
---|
| 44 |
|
---|
| 45 | memset(&r[i], 0, sizeof(*r));
|
---|
| 46 | r[i].comp = comp;
|
---|
| 47 | }
|
---|
| 48 | }
|
---|
| 49 |
|
---|
| 50 | void SSL3_RECORD_release(SSL3_RECORD *r, unsigned int num_recs)
|
---|
| 51 | {
|
---|
| 52 | unsigned int i;
|
---|
| 53 |
|
---|
| 54 | for (i = 0; i < num_recs; i++) {
|
---|
| 55 | OPENSSL_free(r[i].comp);
|
---|
| 56 | r[i].comp = NULL;
|
---|
| 57 | }
|
---|
| 58 | }
|
---|
| 59 |
|
---|
| 60 | void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
|
---|
| 61 | {
|
---|
| 62 | memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
|
---|
| 63 | }
|
---|
| 64 |
|
---|
| 65 | /*
|
---|
| 66 | * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
|
---|
| 67 | * for us in the buffer.
|
---|
| 68 | */
|
---|
| 69 | static int ssl3_record_app_data_waiting(SSL *s)
|
---|
| 70 | {
|
---|
| 71 | SSL3_BUFFER *rbuf;
|
---|
| 72 | int left, len;
|
---|
| 73 | unsigned char *p;
|
---|
| 74 |
|
---|
| 75 | rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
|
---|
| 76 |
|
---|
| 77 | p = SSL3_BUFFER_get_buf(rbuf);
|
---|
| 78 | if (p == NULL)
|
---|
| 79 | return 0;
|
---|
| 80 |
|
---|
| 81 | left = SSL3_BUFFER_get_left(rbuf);
|
---|
| 82 |
|
---|
| 83 | if (left < SSL3_RT_HEADER_LENGTH)
|
---|
| 84 | return 0;
|
---|
| 85 |
|
---|
| 86 | p += SSL3_BUFFER_get_offset(rbuf);
|
---|
| 87 |
|
---|
| 88 | /*
|
---|
| 89 | * We only check the type and record length, we will sanity check version
|
---|
| 90 | * etc later
|
---|
| 91 | */
|
---|
| 92 | if (*p != SSL3_RT_APPLICATION_DATA)
|
---|
| 93 | return 0;
|
---|
| 94 |
|
---|
| 95 | p += 3;
|
---|
| 96 | n2s(p, len);
|
---|
| 97 |
|
---|
| 98 | if (left < SSL3_RT_HEADER_LENGTH + len)
|
---|
| 99 | return 0;
|
---|
| 100 |
|
---|
| 101 | return 1;
|
---|
| 102 | }
|
---|
| 103 |
|
---|
| 104 | /*
|
---|
| 105 | * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
|
---|
| 106 | * will be processed per call to ssl3_get_record. Without this limit an
|
---|
| 107 | * attacker could send empty records at a faster rate than we can process and
|
---|
| 108 | * cause ssl3_get_record to loop forever.
|
---|
| 109 | */
|
---|
| 110 | #define MAX_EMPTY_RECORDS 32
|
---|
| 111 |
|
---|
| 112 | #define SSL2_RT_HEADER_LENGTH 2
|
---|
| 113 | /*-
|
---|
| 114 | * Call this to get new input records.
|
---|
| 115 | * It will return <= 0 if more data is needed, normally due to an error
|
---|
| 116 | * or non-blocking IO.
|
---|
| 117 | * When it finishes, |numrpipes| records have been decoded. For each record 'i':
|
---|
| 118 | * rr[i].type - is the type of record
|
---|
| 119 | * rr[i].data, - data
|
---|
| 120 | * rr[i].length, - number of bytes
|
---|
| 121 | * Multiple records will only be returned if the record types are all
|
---|
| 122 | * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
|
---|
| 123 | * |max_pipelines|
|
---|
| 124 | */
|
---|
| 125 | /* used only by ssl3_read_bytes */
|
---|
| 126 | int ssl3_get_record(SSL *s)
|
---|
| 127 | {
|
---|
| 128 | int ssl_major, ssl_minor, al;
|
---|
| 129 | int enc_err, n, i, ret = -1;
|
---|
| 130 | SSL3_RECORD *rr;
|
---|
| 131 | SSL3_BUFFER *rbuf;
|
---|
| 132 | SSL_SESSION *sess;
|
---|
| 133 | unsigned char *p;
|
---|
| 134 | unsigned char md[EVP_MAX_MD_SIZE];
|
---|
| 135 | short version;
|
---|
| 136 | unsigned mac_size;
|
---|
| 137 | int imac_size;
|
---|
| 138 | unsigned int num_recs = 0;
|
---|
| 139 | unsigned int max_recs;
|
---|
| 140 | unsigned int j;
|
---|
| 141 |
|
---|
| 142 | rr = RECORD_LAYER_get_rrec(&s->rlayer);
|
---|
| 143 | rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
|
---|
| 144 | max_recs = s->max_pipelines;
|
---|
| 145 | if (max_recs == 0)
|
---|
| 146 | max_recs = 1;
|
---|
| 147 | sess = s->session;
|
---|
| 148 |
|
---|
| 149 | do {
|
---|
| 150 | /* check if we have the header */
|
---|
| 151 | if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
|
---|
| 152 | (RECORD_LAYER_get_packet_length(&s->rlayer)
|
---|
| 153 | < SSL3_RT_HEADER_LENGTH)) {
|
---|
| 154 | n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
|
---|
| 155 | SSL3_BUFFER_get_len(rbuf), 0,
|
---|
| 156 | num_recs == 0 ? 1 : 0);
|
---|
| 157 | if (n <= 0)
|
---|
| 158 | return (n); /* error or non-blocking */
|
---|
| 159 | RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
|
---|
| 160 |
|
---|
| 161 | p = RECORD_LAYER_get_packet(&s->rlayer);
|
---|
| 162 |
|
---|
| 163 | /*
|
---|
| 164 | * The first record received by the server may be a V2ClientHello.
|
---|
| 165 | */
|
---|
| 166 | if (s->server && RECORD_LAYER_is_first_record(&s->rlayer)
|
---|
| 167 | && (p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
|
---|
| 168 | /*
|
---|
| 169 | * SSLv2 style record
|
---|
| 170 | *
|
---|
| 171 | * |num_recs| here will actually always be 0 because
|
---|
| 172 | * |num_recs > 0| only ever occurs when we are processing
|
---|
| 173 | * multiple app data records - which we know isn't the case here
|
---|
| 174 | * because it is an SSLv2ClientHello. We keep it using
|
---|
| 175 | * |num_recs| for the sake of consistency
|
---|
| 176 | */
|
---|
| 177 | rr[num_recs].type = SSL3_RT_HANDSHAKE;
|
---|
| 178 | rr[num_recs].rec_version = SSL2_VERSION;
|
---|
| 179 |
|
---|
| 180 | rr[num_recs].length = ((p[0] & 0x7f) << 8) | p[1];
|
---|
| 181 |
|
---|
| 182 | if (rr[num_recs].length > SSL3_BUFFER_get_len(rbuf)
|
---|
| 183 | - SSL2_RT_HEADER_LENGTH) {
|
---|
| 184 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
| 185 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
|
---|
| 186 | goto f_err;
|
---|
| 187 | }
|
---|
| 188 |
|
---|
| 189 | if (rr[num_recs].length < MIN_SSL2_RECORD_LEN) {
|
---|
| 190 | al = SSL_AD_HANDSHAKE_FAILURE;
|
---|
| 191 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
|
---|
| 192 | goto f_err;
|
---|
| 193 | }
|
---|
| 194 | } else {
|
---|
| 195 | /* SSLv3+ style record */
|
---|
| 196 | if (s->msg_callback)
|
---|
| 197 | s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
|
---|
| 198 | s->msg_callback_arg);
|
---|
| 199 |
|
---|
| 200 | /* Pull apart the header into the SSL3_RECORD */
|
---|
| 201 | rr[num_recs].type = *(p++);
|
---|
| 202 | ssl_major = *(p++);
|
---|
| 203 | ssl_minor = *(p++);
|
---|
| 204 | version = (ssl_major << 8) | ssl_minor;
|
---|
| 205 | rr[num_recs].rec_version = version;
|
---|
| 206 | n2s(p, rr[num_recs].length);
|
---|
| 207 |
|
---|
| 208 | /* Lets check version */
|
---|
| 209 | if (!s->first_packet && version != s->version) {
|
---|
| 210 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
|
---|
| 211 | if ((s->version & 0xFF00) == (version & 0xFF00)
|
---|
| 212 | && !s->enc_write_ctx && !s->write_hash) {
|
---|
| 213 | if (rr->type == SSL3_RT_ALERT) {
|
---|
| 214 | /*
|
---|
| 215 | * The record is using an incorrect version number,
|
---|
| 216 | * but what we've got appears to be an alert. We
|
---|
| 217 | * haven't read the body yet to check whether its a
|
---|
| 218 | * fatal or not - but chances are it is. We probably
|
---|
| 219 | * shouldn't send a fatal alert back. We'll just
|
---|
| 220 | * end.
|
---|
| 221 | */
|
---|
| 222 | goto err;
|
---|
| 223 | }
|
---|
| 224 | /*
|
---|
| 225 | * Send back error using their minor version number :-)
|
---|
| 226 | */
|
---|
| 227 | s->version = (unsigned short)version;
|
---|
| 228 | }
|
---|
| 229 | al = SSL_AD_PROTOCOL_VERSION;
|
---|
| 230 | goto f_err;
|
---|
| 231 | }
|
---|
| 232 |
|
---|
| 233 | if ((version >> 8) != SSL3_VERSION_MAJOR) {
|
---|
| 234 | if (RECORD_LAYER_is_first_record(&s->rlayer)) {
|
---|
| 235 | /* Go back to start of packet, look at the five bytes
|
---|
| 236 | * that we have. */
|
---|
| 237 | p = RECORD_LAYER_get_packet(&s->rlayer);
|
---|
| 238 | if (strncmp((char *)p, "GET ", 4) == 0 ||
|
---|
| 239 | strncmp((char *)p, "POST ", 5) == 0 ||
|
---|
| 240 | strncmp((char *)p, "HEAD ", 5) == 0 ||
|
---|
| 241 | strncmp((char *)p, "PUT ", 4) == 0) {
|
---|
| 242 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST);
|
---|
| 243 | goto err;
|
---|
| 244 | } else if (strncmp((char *)p, "CONNE", 5) == 0) {
|
---|
| 245 | SSLerr(SSL_F_SSL3_GET_RECORD,
|
---|
| 246 | SSL_R_HTTPS_PROXY_REQUEST);
|
---|
| 247 | goto err;
|
---|
| 248 | }
|
---|
| 249 |
|
---|
| 250 | /* Doesn't look like TLS - don't send an alert */
|
---|
| 251 | SSLerr(SSL_F_SSL3_GET_RECORD,
|
---|
| 252 | SSL_R_WRONG_VERSION_NUMBER);
|
---|
| 253 | goto err;
|
---|
| 254 | } else {
|
---|
| 255 | SSLerr(SSL_F_SSL3_GET_RECORD,
|
---|
| 256 | SSL_R_WRONG_VERSION_NUMBER);
|
---|
| 257 | al = SSL_AD_PROTOCOL_VERSION;
|
---|
| 258 | goto f_err;
|
---|
| 259 | }
|
---|
| 260 | }
|
---|
| 261 |
|
---|
| 262 | if (rr[num_recs].length >
|
---|
| 263 | SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
|
---|
| 264 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
| 265 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
|
---|
| 266 | goto f_err;
|
---|
| 267 | }
|
---|
| 268 | }
|
---|
| 269 |
|
---|
| 270 | /* now s->rlayer.rstate == SSL_ST_READ_BODY */
|
---|
| 271 | }
|
---|
| 272 |
|
---|
| 273 | /*
|
---|
| 274 | * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data.
|
---|
| 275 | * Calculate how much more data we need to read for the rest of the
|
---|
| 276 | * record
|
---|
| 277 | */
|
---|
| 278 | if (rr[num_recs].rec_version == SSL2_VERSION) {
|
---|
| 279 | i = rr[num_recs].length + SSL2_RT_HEADER_LENGTH
|
---|
| 280 | - SSL3_RT_HEADER_LENGTH;
|
---|
| 281 | } else {
|
---|
| 282 | i = rr[num_recs].length;
|
---|
| 283 | }
|
---|
| 284 | if (i > 0) {
|
---|
| 285 | /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
|
---|
| 286 |
|
---|
| 287 | n = ssl3_read_n(s, i, i, 1, 0);
|
---|
| 288 | if (n <= 0)
|
---|
| 289 | return (n); /* error or non-blocking io */
|
---|
| 290 | }
|
---|
| 291 |
|
---|
| 292 | /* set state for later operations */
|
---|
| 293 | RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
|
---|
| 294 |
|
---|
| 295 | /*
|
---|
| 296 | * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length,
|
---|
| 297 | * or s->packet_length == SSL2_RT_HEADER_LENGTH + rr->length
|
---|
| 298 | * and we have that many bytes in s->packet
|
---|
| 299 | */
|
---|
| 300 | if (rr[num_recs].rec_version == SSL2_VERSION) {
|
---|
| 301 | rr[num_recs].input =
|
---|
| 302 | &(RECORD_LAYER_get_packet(&s->rlayer)[SSL2_RT_HEADER_LENGTH]);
|
---|
| 303 | } else {
|
---|
| 304 | rr[num_recs].input =
|
---|
| 305 | &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
|
---|
| 306 | }
|
---|
| 307 |
|
---|
| 308 | /*
|
---|
| 309 | * ok, we can now read from 's->packet' data into 'rr' rr->input points
|
---|
| 310 | * at rr->length bytes, which need to be copied into rr->data by either
|
---|
| 311 | * the decryption or by the decompression When the data is 'copied' into
|
---|
| 312 | * the rr->data buffer, rr->input will be pointed at the new buffer
|
---|
| 313 | */
|
---|
| 314 |
|
---|
| 315 | /*
|
---|
| 316 | * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
|
---|
| 317 | * bytes of encrypted compressed stuff.
|
---|
| 318 | */
|
---|
| 319 |
|
---|
| 320 | /* check is not needed I believe */
|
---|
| 321 | if (rr[num_recs].length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
|
---|
| 322 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
| 323 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
|
---|
| 324 | goto f_err;
|
---|
| 325 | }
|
---|
| 326 |
|
---|
| 327 | /* decrypt in place in 'rr->input' */
|
---|
| 328 | rr[num_recs].data = rr[num_recs].input;
|
---|
| 329 | rr[num_recs].orig_len = rr[num_recs].length;
|
---|
| 330 |
|
---|
| 331 | /* Mark this record as not read by upper layers yet */
|
---|
| 332 | rr[num_recs].read = 0;
|
---|
| 333 |
|
---|
| 334 | num_recs++;
|
---|
| 335 |
|
---|
| 336 | /* we have pulled in a full packet so zero things */
|
---|
| 337 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
| 338 | RECORD_LAYER_clear_first_record(&s->rlayer);
|
---|
| 339 | } while (num_recs < max_recs
|
---|
| 340 | && rr[num_recs - 1].type == SSL3_RT_APPLICATION_DATA
|
---|
| 341 | && SSL_USE_EXPLICIT_IV(s)
|
---|
| 342 | && s->enc_read_ctx != NULL
|
---|
| 343 | && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx))
|
---|
| 344 | & EVP_CIPH_FLAG_PIPELINE)
|
---|
| 345 | && ssl3_record_app_data_waiting(s));
|
---|
| 346 |
|
---|
| 347 | /*
|
---|
| 348 | * If in encrypt-then-mac mode calculate mac from encrypted record. All
|
---|
| 349 | * the details below are public so no timing details can leak.
|
---|
| 350 | */
|
---|
| 351 | if (SSL_READ_ETM(s) && s->read_hash) {
|
---|
| 352 | unsigned char *mac;
|
---|
| 353 |
|
---|
| 354 | imac_size = EVP_MD_CTX_size(s->read_hash);
|
---|
| 355 | assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE);
|
---|
| 356 | if (imac_size < 0 || imac_size > EVP_MAX_MD_SIZE) {
|
---|
| 357 | al = SSL_AD_INTERNAL_ERROR;
|
---|
| 358 | SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP);
|
---|
| 359 | goto f_err;
|
---|
| 360 | }
|
---|
| 361 | mac_size = (unsigned)imac_size;
|
---|
| 362 |
|
---|
| 363 | for (j = 0; j < num_recs; j++) {
|
---|
| 364 | if (rr[j].length < mac_size) {
|
---|
| 365 | al = SSL_AD_DECODE_ERROR;
|
---|
| 366 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
|
---|
| 367 | goto f_err;
|
---|
| 368 | }
|
---|
| 369 | rr[j].length -= mac_size;
|
---|
| 370 | mac = rr[j].data + rr[j].length;
|
---|
| 371 | i = s->method->ssl3_enc->mac(s, &rr[j], md, 0 /* not send */ );
|
---|
| 372 | if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
|
---|
| 373 | al = SSL_AD_BAD_RECORD_MAC;
|
---|
| 374 | SSLerr(SSL_F_SSL3_GET_RECORD,
|
---|
| 375 | SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
|
---|
| 376 | goto f_err;
|
---|
| 377 | }
|
---|
| 378 | }
|
---|
| 379 | }
|
---|
| 380 |
|
---|
| 381 | enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0);
|
---|
| 382 | /*-
|
---|
| 383 | * enc_err is:
|
---|
| 384 | * 0: (in non-constant time) if the record is publically invalid.
|
---|
| 385 | * 1: if the padding is valid
|
---|
| 386 | * -1: if the padding is invalid
|
---|
| 387 | */
|
---|
| 388 | if (enc_err == 0) {
|
---|
| 389 | al = SSL_AD_DECRYPTION_FAILED;
|
---|
| 390 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
|
---|
| 391 | goto f_err;
|
---|
| 392 | }
|
---|
| 393 | #ifdef SSL_DEBUG
|
---|
| 394 | printf("dec %d\n", rr->length);
|
---|
| 395 | {
|
---|
| 396 | unsigned int z;
|
---|
| 397 | for (z = 0; z < rr->length; z++)
|
---|
| 398 | printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
|
---|
| 399 | }
|
---|
| 400 | printf("\n");
|
---|
| 401 | #endif
|
---|
| 402 |
|
---|
| 403 | /* r->length is now the compressed data plus mac */
|
---|
| 404 | if ((sess != NULL) &&
|
---|
| 405 | (s->enc_read_ctx != NULL) &&
|
---|
| 406 | (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) {
|
---|
| 407 | /* s->read_hash != NULL => mac_size != -1 */
|
---|
| 408 | unsigned char *mac = NULL;
|
---|
| 409 | unsigned char mac_tmp[EVP_MAX_MD_SIZE];
|
---|
| 410 |
|
---|
| 411 | mac_size = EVP_MD_CTX_size(s->read_hash);
|
---|
| 412 | OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
|
---|
| 413 |
|
---|
| 414 | for (j = 0; j < num_recs; j++) {
|
---|
| 415 | /*
|
---|
| 416 | * orig_len is the length of the record before any padding was
|
---|
| 417 | * removed. This is public information, as is the MAC in use,
|
---|
| 418 | * therefore we can safely process the record in a different amount
|
---|
| 419 | * of time if it's too short to possibly contain a MAC.
|
---|
| 420 | */
|
---|
| 421 | if (rr[j].orig_len < mac_size ||
|
---|
| 422 | /* CBC records must have a padding length byte too. */
|
---|
| 423 | (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
|
---|
| 424 | rr[j].orig_len < mac_size + 1)) {
|
---|
| 425 | al = SSL_AD_DECODE_ERROR;
|
---|
| 426 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
|
---|
| 427 | goto f_err;
|
---|
| 428 | }
|
---|
| 429 |
|
---|
| 430 | if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
|
---|
| 431 | /*
|
---|
| 432 | * We update the length so that the TLS header bytes can be
|
---|
| 433 | * constructed correctly but we need to extract the MAC in
|
---|
| 434 | * constant time from within the record, without leaking the
|
---|
| 435 | * contents of the padding bytes.
|
---|
| 436 | */
|
---|
| 437 | mac = mac_tmp;
|
---|
| 438 | ssl3_cbc_copy_mac(mac_tmp, &rr[j], mac_size);
|
---|
| 439 | rr[j].length -= mac_size;
|
---|
| 440 | } else {
|
---|
| 441 | /*
|
---|
| 442 | * In this case there's no padding, so |rec->orig_len| equals
|
---|
| 443 | * |rec->length| and we checked that there's enough bytes for
|
---|
| 444 | * |mac_size| above.
|
---|
| 445 | */
|
---|
| 446 | rr[j].length -= mac_size;
|
---|
| 447 | mac = &rr[j].data[rr[j].length];
|
---|
| 448 | }
|
---|
| 449 |
|
---|
| 450 | i = s->method->ssl3_enc->mac(s, &rr[j], md, 0 /* not send */ );
|
---|
| 451 | if (i < 0 || mac == NULL
|
---|
| 452 | || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
|
---|
| 453 | enc_err = -1;
|
---|
| 454 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
|
---|
| 455 | enc_err = -1;
|
---|
| 456 | }
|
---|
| 457 | }
|
---|
| 458 |
|
---|
| 459 | if (enc_err < 0) {
|
---|
| 460 | /*
|
---|
| 461 | * A separate 'decryption_failed' alert was introduced with TLS 1.0,
|
---|
| 462 | * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
|
---|
| 463 | * failure is directly visible from the ciphertext anyway, we should
|
---|
| 464 | * not reveal which kind of error occurred -- this might become
|
---|
| 465 | * visible to an attacker (e.g. via a logfile)
|
---|
| 466 | */
|
---|
| 467 | al = SSL_AD_BAD_RECORD_MAC;
|
---|
| 468 | SSLerr(SSL_F_SSL3_GET_RECORD,
|
---|
| 469 | SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
|
---|
| 470 | goto f_err;
|
---|
| 471 | }
|
---|
| 472 |
|
---|
| 473 | for (j = 0; j < num_recs; j++) {
|
---|
| 474 | /* rr[j].length is now just compressed */
|
---|
| 475 | if (s->expand != NULL) {
|
---|
| 476 | if (rr[j].length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
|
---|
| 477 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
| 478 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
|
---|
| 479 | goto f_err;
|
---|
| 480 | }
|
---|
| 481 | if (!ssl3_do_uncompress(s, &rr[j])) {
|
---|
| 482 | al = SSL_AD_DECOMPRESSION_FAILURE;
|
---|
| 483 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
|
---|
| 484 | goto f_err;
|
---|
| 485 | }
|
---|
| 486 | }
|
---|
| 487 |
|
---|
| 488 | if (rr[j].length > SSL3_RT_MAX_PLAIN_LENGTH) {
|
---|
| 489 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
| 490 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
|
---|
| 491 | goto f_err;
|
---|
| 492 | }
|
---|
| 493 |
|
---|
| 494 | rr[j].off = 0;
|
---|
| 495 | /*-
|
---|
| 496 | * So at this point the following is true
|
---|
| 497 | * rr[j].type is the type of record
|
---|
| 498 | * rr[j].length == number of bytes in record
|
---|
| 499 | * rr[j].off == offset to first valid byte
|
---|
| 500 | * rr[j].data == where to take bytes from, increment after use :-).
|
---|
| 501 | */
|
---|
| 502 |
|
---|
| 503 | /* just read a 0 length packet */
|
---|
| 504 | if (rr[j].length == 0) {
|
---|
| 505 | RECORD_LAYER_inc_empty_record_count(&s->rlayer);
|
---|
| 506 | if (RECORD_LAYER_get_empty_record_count(&s->rlayer)
|
---|
| 507 | > MAX_EMPTY_RECORDS) {
|
---|
| 508 | al = SSL_AD_UNEXPECTED_MESSAGE;
|
---|
| 509 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
|
---|
| 510 | goto f_err;
|
---|
| 511 | }
|
---|
| 512 | } else {
|
---|
| 513 | RECORD_LAYER_reset_empty_record_count(&s->rlayer);
|
---|
| 514 | }
|
---|
| 515 | }
|
---|
| 516 |
|
---|
| 517 | RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs);
|
---|
| 518 | return 1;
|
---|
| 519 |
|
---|
| 520 | f_err:
|
---|
| 521 | ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
---|
| 522 | err:
|
---|
| 523 | return ret;
|
---|
| 524 | }
|
---|
| 525 |
|
---|
| 526 | int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr)
|
---|
| 527 | {
|
---|
| 528 | #ifndef OPENSSL_NO_COMP
|
---|
| 529 | int i;
|
---|
| 530 |
|
---|
| 531 | if (rr->comp == NULL) {
|
---|
| 532 | rr->comp = (unsigned char *)
|
---|
| 533 | OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
|
---|
| 534 | }
|
---|
| 535 | if (rr->comp == NULL)
|
---|
| 536 | return 0;
|
---|
| 537 |
|
---|
| 538 | i = COMP_expand_block(ssl->expand, rr->comp,
|
---|
| 539 | SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length);
|
---|
| 540 | if (i < 0)
|
---|
| 541 | return 0;
|
---|
| 542 | else
|
---|
| 543 | rr->length = i;
|
---|
| 544 | rr->data = rr->comp;
|
---|
| 545 | #endif
|
---|
| 546 | return 1;
|
---|
| 547 | }
|
---|
| 548 |
|
---|
| 549 | int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
|
---|
| 550 | {
|
---|
| 551 | #ifndef OPENSSL_NO_COMP
|
---|
| 552 | int i;
|
---|
| 553 |
|
---|
| 554 | i = COMP_compress_block(ssl->compress, wr->data,
|
---|
| 555 | SSL3_RT_MAX_COMPRESSED_LENGTH,
|
---|
| 556 | wr->input, (int)wr->length);
|
---|
| 557 | if (i < 0)
|
---|
| 558 | return (0);
|
---|
| 559 | else
|
---|
| 560 | wr->length = i;
|
---|
| 561 |
|
---|
| 562 | wr->input = wr->data;
|
---|
| 563 | #endif
|
---|
| 564 | return (1);
|
---|
| 565 | }
|
---|
| 566 |
|
---|
| 567 | /*-
|
---|
| 568 | * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|
|
---|
| 569 | *
|
---|
| 570 | * Returns:
|
---|
| 571 | * 0: (in non-constant time) if the record is publically invalid (i.e. too
|
---|
| 572 | * short etc).
|
---|
| 573 | * 1: if the record's padding is valid / the encryption was successful.
|
---|
| 574 | * -1: if the record's padding is invalid or, if sending, an internal error
|
---|
| 575 | * occurred.
|
---|
| 576 | */
|
---|
| 577 | int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, unsigned int n_recs, int send)
|
---|
| 578 | {
|
---|
| 579 | SSL3_RECORD *rec;
|
---|
| 580 | EVP_CIPHER_CTX *ds;
|
---|
| 581 | unsigned long l;
|
---|
| 582 | int bs, i, mac_size = 0;
|
---|
| 583 | const EVP_CIPHER *enc;
|
---|
| 584 |
|
---|
| 585 | rec = inrecs;
|
---|
| 586 | /*
|
---|
| 587 | * We shouldn't ever be called with more than one record in the SSLv3 case
|
---|
| 588 | */
|
---|
| 589 | if (n_recs != 1)
|
---|
| 590 | return 0;
|
---|
| 591 | if (send) {
|
---|
| 592 | ds = s->enc_write_ctx;
|
---|
| 593 | if (s->enc_write_ctx == NULL)
|
---|
| 594 | enc = NULL;
|
---|
| 595 | else
|
---|
| 596 | enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
|
---|
| 597 | } else {
|
---|
| 598 | ds = s->enc_read_ctx;
|
---|
| 599 | if (s->enc_read_ctx == NULL)
|
---|
| 600 | enc = NULL;
|
---|
| 601 | else
|
---|
| 602 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
|
---|
| 603 | }
|
---|
| 604 |
|
---|
| 605 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
|
---|
| 606 | memmove(rec->data, rec->input, rec->length);
|
---|
| 607 | rec->input = rec->data;
|
---|
| 608 | } else {
|
---|
| 609 | l = rec->length;
|
---|
| 610 | bs = EVP_CIPHER_CTX_block_size(ds);
|
---|
| 611 |
|
---|
| 612 | /* COMPRESS */
|
---|
| 613 |
|
---|
| 614 | if ((bs != 1) && send) {
|
---|
| 615 | i = bs - ((int)l % bs);
|
---|
| 616 |
|
---|
| 617 | /* we need to add 'i-1' padding bytes */
|
---|
| 618 | l += i;
|
---|
| 619 | /*
|
---|
| 620 | * the last of these zero bytes will be overwritten with the
|
---|
| 621 | * padding length.
|
---|
| 622 | */
|
---|
| 623 | memset(&rec->input[rec->length], 0, i);
|
---|
| 624 | rec->length += i;
|
---|
| 625 | rec->input[l - 1] = (i - 1);
|
---|
| 626 | }
|
---|
| 627 |
|
---|
| 628 | if (!send) {
|
---|
| 629 | if (l == 0 || l % bs != 0)
|
---|
| 630 | return 0;
|
---|
| 631 | /* otherwise, rec->length >= bs */
|
---|
| 632 | }
|
---|
| 633 |
|
---|
| 634 | if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
|
---|
| 635 | return -1;
|
---|
| 636 |
|
---|
| 637 | if (EVP_MD_CTX_md(s->read_hash) != NULL)
|
---|
| 638 | mac_size = EVP_MD_CTX_size(s->read_hash);
|
---|
| 639 | if ((bs != 1) && !send)
|
---|
| 640 | return ssl3_cbc_remove_padding(rec, bs, mac_size);
|
---|
| 641 | }
|
---|
| 642 | return (1);
|
---|
| 643 | }
|
---|
| 644 |
|
---|
| 645 | /*-
|
---|
| 646 | * tls1_enc encrypts/decrypts |n_recs| in |recs|.
|
---|
| 647 | *
|
---|
| 648 | * Returns:
|
---|
| 649 | * 0: (in non-constant time) if the record is publically invalid (i.e. too
|
---|
| 650 | * short etc).
|
---|
| 651 | * 1: if the record's padding is valid / the encryption was successful.
|
---|
| 652 | * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
|
---|
| 653 | * an internal error occurred.
|
---|
| 654 | */
|
---|
| 655 | int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send)
|
---|
| 656 | {
|
---|
| 657 | EVP_CIPHER_CTX *ds;
|
---|
| 658 | size_t reclen[SSL_MAX_PIPELINES];
|
---|
| 659 | unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
|
---|
| 660 | int bs, i, j, k, pad = 0, ret, mac_size = 0;
|
---|
| 661 | const EVP_CIPHER *enc;
|
---|
| 662 | unsigned int ctr;
|
---|
| 663 |
|
---|
| 664 | if (send) {
|
---|
| 665 | if (EVP_MD_CTX_md(s->write_hash)) {
|
---|
| 666 | int n = EVP_MD_CTX_size(s->write_hash);
|
---|
| 667 | OPENSSL_assert(n >= 0);
|
---|
| 668 | }
|
---|
| 669 | ds = s->enc_write_ctx;
|
---|
| 670 | if (s->enc_write_ctx == NULL)
|
---|
| 671 | enc = NULL;
|
---|
| 672 | else {
|
---|
| 673 | int ivlen;
|
---|
| 674 | enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
|
---|
| 675 | /* For TLSv1.1 and later explicit IV */
|
---|
| 676 | if (SSL_USE_EXPLICIT_IV(s)
|
---|
| 677 | && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
|
---|
| 678 | ivlen = EVP_CIPHER_iv_length(enc);
|
---|
| 679 | else
|
---|
| 680 | ivlen = 0;
|
---|
| 681 | if (ivlen > 1) {
|
---|
| 682 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
| 683 | if (recs[ctr].data != recs[ctr].input) {
|
---|
| 684 | /*
|
---|
| 685 | * we can't write into the input stream: Can this ever
|
---|
| 686 | * happen?? (steve)
|
---|
| 687 | */
|
---|
| 688 | SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR);
|
---|
| 689 | return -1;
|
---|
| 690 | } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) {
|
---|
| 691 | SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR);
|
---|
| 692 | return -1;
|
---|
| 693 | }
|
---|
| 694 | }
|
---|
| 695 | }
|
---|
| 696 | }
|
---|
| 697 | } else {
|
---|
| 698 | if (EVP_MD_CTX_md(s->read_hash)) {
|
---|
| 699 | int n = EVP_MD_CTX_size(s->read_hash);
|
---|
| 700 | OPENSSL_assert(n >= 0);
|
---|
| 701 | }
|
---|
| 702 | ds = s->enc_read_ctx;
|
---|
| 703 | if (s->enc_read_ctx == NULL)
|
---|
| 704 | enc = NULL;
|
---|
| 705 | else
|
---|
| 706 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
|
---|
| 707 | }
|
---|
| 708 |
|
---|
| 709 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
|
---|
| 710 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
| 711 | memmove(recs[ctr].data, recs[ctr].input, recs[ctr].length);
|
---|
| 712 | recs[ctr].input = recs[ctr].data;
|
---|
| 713 | }
|
---|
| 714 | ret = 1;
|
---|
| 715 | } else {
|
---|
| 716 | bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_cipher(ds));
|
---|
| 717 |
|
---|
| 718 | if (n_recs > 1) {
|
---|
| 719 | if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
|
---|
| 720 | & EVP_CIPH_FLAG_PIPELINE)) {
|
---|
| 721 | /*
|
---|
| 722 | * We shouldn't have been called with pipeline data if the
|
---|
| 723 | * cipher doesn't support pipelining
|
---|
| 724 | */
|
---|
| 725 | SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
|
---|
| 726 | return -1;
|
---|
| 727 | }
|
---|
| 728 | }
|
---|
| 729 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
| 730 | reclen[ctr] = recs[ctr].length;
|
---|
| 731 |
|
---|
| 732 | if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
|
---|
| 733 | & EVP_CIPH_FLAG_AEAD_CIPHER) {
|
---|
| 734 | unsigned char *seq;
|
---|
| 735 |
|
---|
| 736 | seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
|
---|
| 737 | : RECORD_LAYER_get_read_sequence(&s->rlayer);
|
---|
| 738 |
|
---|
| 739 | if (SSL_IS_DTLS(s)) {
|
---|
| 740 | /* DTLS does not support pipelining */
|
---|
| 741 | unsigned char dtlsseq[9], *p = dtlsseq;
|
---|
| 742 |
|
---|
| 743 | s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
|
---|
| 744 | DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
|
---|
| 745 | memcpy(p, &seq[2], 6);
|
---|
| 746 | memcpy(buf[ctr], dtlsseq, 8);
|
---|
| 747 | } else {
|
---|
| 748 | memcpy(buf[ctr], seq, 8);
|
---|
| 749 | for (i = 7; i >= 0; i--) { /* increment */
|
---|
| 750 | ++seq[i];
|
---|
| 751 | if (seq[i] != 0)
|
---|
| 752 | break;
|
---|
| 753 | }
|
---|
| 754 | }
|
---|
| 755 |
|
---|
| 756 | buf[ctr][8] = recs[ctr].type;
|
---|
| 757 | buf[ctr][9] = (unsigned char)(s->version >> 8);
|
---|
| 758 | buf[ctr][10] = (unsigned char)(s->version);
|
---|
| 759 | buf[ctr][11] = recs[ctr].length >> 8;
|
---|
| 760 | buf[ctr][12] = recs[ctr].length & 0xff;
|
---|
| 761 | pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
|
---|
| 762 | EVP_AEAD_TLS1_AAD_LEN, buf[ctr]);
|
---|
| 763 | if (pad <= 0)
|
---|
| 764 | return -1;
|
---|
| 765 |
|
---|
| 766 | if (send) {
|
---|
| 767 | reclen[ctr] += pad;
|
---|
| 768 | recs[ctr].length += pad;
|
---|
| 769 | }
|
---|
| 770 |
|
---|
| 771 | } else if ((bs != 1) && send) {
|
---|
| 772 | i = bs - ((int)reclen[ctr] % bs);
|
---|
| 773 |
|
---|
| 774 | /* Add weird padding of upto 256 bytes */
|
---|
| 775 |
|
---|
| 776 | /* we need to add 'i' padding bytes of value j */
|
---|
| 777 | j = i - 1;
|
---|
| 778 | for (k = (int)reclen[ctr]; k < (int)(reclen[ctr] + i); k++)
|
---|
| 779 | recs[ctr].input[k] = j;
|
---|
| 780 | reclen[ctr] += i;
|
---|
| 781 | recs[ctr].length += i;
|
---|
| 782 | }
|
---|
| 783 |
|
---|
| 784 | if (!send) {
|
---|
| 785 | if (reclen[ctr] == 0 || reclen[ctr] % bs != 0)
|
---|
| 786 | return 0;
|
---|
| 787 | }
|
---|
| 788 | }
|
---|
| 789 | if (n_recs > 1) {
|
---|
| 790 | unsigned char *data[SSL_MAX_PIPELINES];
|
---|
| 791 |
|
---|
| 792 | /* Set the output buffers */
|
---|
| 793 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
| 794 | data[ctr] = recs[ctr].data;
|
---|
| 795 | }
|
---|
| 796 | if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
|
---|
| 797 | n_recs, data) <= 0) {
|
---|
| 798 | SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
|
---|
| 799 | }
|
---|
| 800 | /* Set the input buffers */
|
---|
| 801 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
| 802 | data[ctr] = recs[ctr].input;
|
---|
| 803 | }
|
---|
| 804 | if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS,
|
---|
| 805 | n_recs, data) <= 0
|
---|
| 806 | || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
|
---|
| 807 | n_recs, reclen) <= 0) {
|
---|
| 808 | SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
|
---|
| 809 | return -1;
|
---|
| 810 | }
|
---|
| 811 | }
|
---|
| 812 |
|
---|
| 813 | i = EVP_Cipher(ds, recs[0].data, recs[0].input, reclen[0]);
|
---|
| 814 | if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
|
---|
| 815 | & EVP_CIPH_FLAG_CUSTOM_CIPHER)
|
---|
| 816 | ? (i < 0)
|
---|
| 817 | : (i == 0))
|
---|
| 818 | return -1; /* AEAD can fail to verify MAC */
|
---|
| 819 | if (send == 0) {
|
---|
| 820 | if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) {
|
---|
| 821 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
| 822 | recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
|
---|
| 823 | recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
|
---|
| 824 | recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
|
---|
| 825 | }
|
---|
| 826 | } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) {
|
---|
| 827 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
| 828 | recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
|
---|
| 829 | recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
|
---|
| 830 | recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
|
---|
| 831 | }
|
---|
| 832 | }
|
---|
| 833 | }
|
---|
| 834 |
|
---|
| 835 | ret = 1;
|
---|
| 836 | if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)
|
---|
| 837 | mac_size = EVP_MD_CTX_size(s->read_hash);
|
---|
| 838 | if ((bs != 1) && !send) {
|
---|
| 839 | int tmpret;
|
---|
| 840 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
| 841 | tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size);
|
---|
| 842 | /*
|
---|
| 843 | * If tmpret == 0 then this means publicly invalid so we can
|
---|
| 844 | * short circuit things here. Otherwise we must respect constant
|
---|
| 845 | * time behaviour.
|
---|
| 846 | */
|
---|
| 847 | if (tmpret == 0)
|
---|
| 848 | return 0;
|
---|
| 849 | ret = constant_time_select_int(constant_time_eq_int(tmpret, 1),
|
---|
| 850 | ret, -1);
|
---|
| 851 | }
|
---|
| 852 | }
|
---|
| 853 | if (pad && !send) {
|
---|
| 854 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
| 855 | recs[ctr].length -= pad;
|
---|
| 856 | }
|
---|
| 857 | }
|
---|
| 858 | }
|
---|
| 859 | return ret;
|
---|
| 860 | }
|
---|
| 861 |
|
---|
| 862 | int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
|
---|
| 863 | {
|
---|
| 864 | unsigned char *mac_sec, *seq;
|
---|
| 865 | const EVP_MD_CTX *hash;
|
---|
| 866 | unsigned char *p, rec_char;
|
---|
| 867 | size_t md_size;
|
---|
| 868 | int npad;
|
---|
| 869 | int t;
|
---|
| 870 |
|
---|
| 871 | if (send) {
|
---|
| 872 | mac_sec = &(ssl->s3->write_mac_secret[0]);
|
---|
| 873 | seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
|
---|
| 874 | hash = ssl->write_hash;
|
---|
| 875 | } else {
|
---|
| 876 | mac_sec = &(ssl->s3->read_mac_secret[0]);
|
---|
| 877 | seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
|
---|
| 878 | hash = ssl->read_hash;
|
---|
| 879 | }
|
---|
| 880 |
|
---|
| 881 | t = EVP_MD_CTX_size(hash);
|
---|
| 882 | if (t < 0)
|
---|
| 883 | return -1;
|
---|
| 884 | md_size = t;
|
---|
| 885 | npad = (48 / md_size) * md_size;
|
---|
| 886 |
|
---|
| 887 | if (!send &&
|
---|
| 888 | EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
|
---|
| 889 | ssl3_cbc_record_digest_supported(hash)) {
|
---|
| 890 | /*
|
---|
| 891 | * This is a CBC-encrypted record. We must avoid leaking any
|
---|
| 892 | * timing-side channel information about how many blocks of data we
|
---|
| 893 | * are hashing because that gives an attacker a timing-oracle.
|
---|
| 894 | */
|
---|
| 895 |
|
---|
| 896 | /*-
|
---|
| 897 | * npad is, at most, 48 bytes and that's with MD5:
|
---|
| 898 | * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
|
---|
| 899 | *
|
---|
| 900 | * With SHA-1 (the largest hash speced for SSLv3) the hash size
|
---|
| 901 | * goes up 4, but npad goes down by 8, resulting in a smaller
|
---|
| 902 | * total size.
|
---|
| 903 | */
|
---|
| 904 | unsigned char header[75];
|
---|
| 905 | unsigned j = 0;
|
---|
| 906 | memcpy(header + j, mac_sec, md_size);
|
---|
| 907 | j += md_size;
|
---|
| 908 | memcpy(header + j, ssl3_pad_1, npad);
|
---|
| 909 | j += npad;
|
---|
| 910 | memcpy(header + j, seq, 8);
|
---|
| 911 | j += 8;
|
---|
| 912 | header[j++] = rec->type;
|
---|
| 913 | header[j++] = rec->length >> 8;
|
---|
| 914 | header[j++] = rec->length & 0xff;
|
---|
| 915 |
|
---|
| 916 | /* Final param == is SSLv3 */
|
---|
| 917 | if (ssl3_cbc_digest_record(hash,
|
---|
| 918 | md, &md_size,
|
---|
| 919 | header, rec->input,
|
---|
| 920 | rec->length + md_size, rec->orig_len,
|
---|
| 921 | mac_sec, md_size, 1) <= 0)
|
---|
| 922 | return -1;
|
---|
| 923 | } else {
|
---|
| 924 | unsigned int md_size_u;
|
---|
| 925 | /* Chop the digest off the end :-) */
|
---|
| 926 | EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
|
---|
| 927 |
|
---|
| 928 | if (md_ctx == NULL)
|
---|
| 929 | return -1;
|
---|
| 930 |
|
---|
| 931 | rec_char = rec->type;
|
---|
| 932 | p = md;
|
---|
| 933 | s2n(rec->length, p);
|
---|
| 934 | if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
|
---|
| 935 | || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
|
---|
| 936 | || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
|
---|
| 937 | || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
|
---|
| 938 | || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
|
---|
| 939 | || EVP_DigestUpdate(md_ctx, md, 2) <= 0
|
---|
| 940 | || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
|
---|
| 941 | || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
|
---|
| 942 | || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
|
---|
| 943 | || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
|
---|
| 944 | || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
|
---|
| 945 | || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
|
---|
| 946 | || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
|
---|
| 947 | EVP_MD_CTX_reset(md_ctx);
|
---|
| 948 | return -1;
|
---|
| 949 | }
|
---|
| 950 | md_size = md_size_u;
|
---|
| 951 |
|
---|
| 952 | EVP_MD_CTX_free(md_ctx);
|
---|
| 953 | }
|
---|
| 954 |
|
---|
| 955 | ssl3_record_sequence_update(seq);
|
---|
| 956 | return (md_size);
|
---|
| 957 | }
|
---|
| 958 |
|
---|
| 959 | int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
|
---|
| 960 | {
|
---|
| 961 | unsigned char *seq;
|
---|
| 962 | EVP_MD_CTX *hash;
|
---|
| 963 | size_t md_size;
|
---|
| 964 | int i;
|
---|
| 965 | EVP_MD_CTX *hmac = NULL, *mac_ctx;
|
---|
| 966 | unsigned char header[13];
|
---|
| 967 | int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
|
---|
| 968 | : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
|
---|
| 969 | int t;
|
---|
| 970 |
|
---|
| 971 | if (send) {
|
---|
| 972 | seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
|
---|
| 973 | hash = ssl->write_hash;
|
---|
| 974 | } else {
|
---|
| 975 | seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
|
---|
| 976 | hash = ssl->read_hash;
|
---|
| 977 | }
|
---|
| 978 |
|
---|
| 979 | t = EVP_MD_CTX_size(hash);
|
---|
| 980 | OPENSSL_assert(t >= 0);
|
---|
| 981 | md_size = t;
|
---|
| 982 |
|
---|
| 983 | /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
|
---|
| 984 | if (stream_mac) {
|
---|
| 985 | mac_ctx = hash;
|
---|
| 986 | } else {
|
---|
| 987 | hmac = EVP_MD_CTX_new();
|
---|
| 988 | if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash))
|
---|
| 989 | return -1;
|
---|
| 990 | mac_ctx = hmac;
|
---|
| 991 | }
|
---|
| 992 |
|
---|
| 993 | if (SSL_IS_DTLS(ssl)) {
|
---|
| 994 | unsigned char dtlsseq[8], *p = dtlsseq;
|
---|
| 995 |
|
---|
| 996 | s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
|
---|
| 997 | DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
|
---|
| 998 | memcpy(p, &seq[2], 6);
|
---|
| 999 |
|
---|
| 1000 | memcpy(header, dtlsseq, 8);
|
---|
| 1001 | } else
|
---|
| 1002 | memcpy(header, seq, 8);
|
---|
| 1003 |
|
---|
| 1004 | header[8] = rec->type;
|
---|
| 1005 | header[9] = (unsigned char)(ssl->version >> 8);
|
---|
| 1006 | header[10] = (unsigned char)(ssl->version);
|
---|
| 1007 | header[11] = (rec->length) >> 8;
|
---|
| 1008 | header[12] = (rec->length) & 0xff;
|
---|
| 1009 |
|
---|
| 1010 | if (!send && !SSL_READ_ETM(ssl) &&
|
---|
| 1011 | EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
|
---|
| 1012 | ssl3_cbc_record_digest_supported(mac_ctx)) {
|
---|
| 1013 | /*
|
---|
| 1014 | * This is a CBC-encrypted record. We must avoid leaking any
|
---|
| 1015 | * timing-side channel information about how many blocks of data we
|
---|
| 1016 | * are hashing because that gives an attacker a timing-oracle.
|
---|
| 1017 | */
|
---|
| 1018 | /* Final param == not SSLv3 */
|
---|
| 1019 | if (ssl3_cbc_digest_record(mac_ctx,
|
---|
| 1020 | md, &md_size,
|
---|
| 1021 | header, rec->input,
|
---|
| 1022 | rec->length + md_size, rec->orig_len,
|
---|
| 1023 | ssl->s3->read_mac_secret,
|
---|
| 1024 | ssl->s3->read_mac_secret_size, 0) <= 0) {
|
---|
| 1025 | EVP_MD_CTX_free(hmac);
|
---|
| 1026 | return -1;
|
---|
| 1027 | }
|
---|
| 1028 | } else {
|
---|
| 1029 | if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
|
---|
| 1030 | || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
|
---|
| 1031 | || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
|
---|
| 1032 | EVP_MD_CTX_free(hmac);
|
---|
| 1033 | return -1;
|
---|
| 1034 | }
|
---|
| 1035 | if (!send && !SSL_READ_ETM(ssl) && FIPS_mode())
|
---|
| 1036 | if (!tls_fips_digest_extra(ssl->enc_read_ctx,
|
---|
| 1037 | mac_ctx, rec->input,
|
---|
| 1038 | rec->length, rec->orig_len)) {
|
---|
| 1039 | EVP_MD_CTX_free(hmac);
|
---|
| 1040 | return -1;
|
---|
| 1041 | }
|
---|
| 1042 | }
|
---|
| 1043 |
|
---|
| 1044 | EVP_MD_CTX_free(hmac);
|
---|
| 1045 |
|
---|
| 1046 | #ifdef SSL_DEBUG
|
---|
| 1047 | fprintf(stderr, "seq=");
|
---|
| 1048 | {
|
---|
| 1049 | int z;
|
---|
| 1050 | for (z = 0; z < 8; z++)
|
---|
| 1051 | fprintf(stderr, "%02X ", seq[z]);
|
---|
| 1052 | fprintf(stderr, "\n");
|
---|
| 1053 | }
|
---|
| 1054 | fprintf(stderr, "rec=");
|
---|
| 1055 | {
|
---|
| 1056 | unsigned int z;
|
---|
| 1057 | for (z = 0; z < rec->length; z++)
|
---|
| 1058 | fprintf(stderr, "%02X ", rec->data[z]);
|
---|
| 1059 | fprintf(stderr, "\n");
|
---|
| 1060 | }
|
---|
| 1061 | #endif
|
---|
| 1062 |
|
---|
| 1063 | if (!SSL_IS_DTLS(ssl)) {
|
---|
| 1064 | for (i = 7; i >= 0; i--) {
|
---|
| 1065 | ++seq[i];
|
---|
| 1066 | if (seq[i] != 0)
|
---|
| 1067 | break;
|
---|
| 1068 | }
|
---|
| 1069 | }
|
---|
| 1070 | #ifdef SSL_DEBUG
|
---|
| 1071 | {
|
---|
| 1072 | unsigned int z;
|
---|
| 1073 | for (z = 0; z < md_size; z++)
|
---|
| 1074 | fprintf(stderr, "%02X ", md[z]);
|
---|
| 1075 | fprintf(stderr, "\n");
|
---|
| 1076 | }
|
---|
| 1077 | #endif
|
---|
| 1078 | return (md_size);
|
---|
| 1079 | }
|
---|
| 1080 |
|
---|
| 1081 | /*-
|
---|
| 1082 | * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
|
---|
| 1083 | * record in |rec| by updating |rec->length| in constant time.
|
---|
| 1084 | *
|
---|
| 1085 | * block_size: the block size of the cipher used to encrypt the record.
|
---|
| 1086 | * returns:
|
---|
| 1087 | * 0: (in non-constant time) if the record is publicly invalid.
|
---|
| 1088 | * 1: if the padding was valid
|
---|
| 1089 | * -1: otherwise.
|
---|
| 1090 | */
|
---|
| 1091 | int ssl3_cbc_remove_padding(SSL3_RECORD *rec,
|
---|
| 1092 | unsigned block_size, unsigned mac_size)
|
---|
| 1093 | {
|
---|
| 1094 | unsigned padding_length, good;
|
---|
| 1095 | const unsigned overhead = 1 /* padding length byte */ + mac_size;
|
---|
| 1096 |
|
---|
| 1097 | /*
|
---|
| 1098 | * These lengths are all public so we can test them in non-constant time.
|
---|
| 1099 | */
|
---|
| 1100 | if (overhead > rec->length)
|
---|
| 1101 | return 0;
|
---|
| 1102 |
|
---|
| 1103 | padding_length = rec->data[rec->length - 1];
|
---|
| 1104 | good = constant_time_ge(rec->length, padding_length + overhead);
|
---|
| 1105 | /* SSLv3 requires that the padding is minimal. */
|
---|
| 1106 | good &= constant_time_ge(block_size, padding_length + 1);
|
---|
| 1107 | rec->length -= good & (padding_length + 1);
|
---|
| 1108 | return constant_time_select_int(good, 1, -1);
|
---|
| 1109 | }
|
---|
| 1110 |
|
---|
| 1111 | /*-
|
---|
| 1112 | * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
|
---|
| 1113 | * record in |rec| in constant time and returns 1 if the padding is valid and
|
---|
| 1114 | * -1 otherwise. It also removes any explicit IV from the start of the record
|
---|
| 1115 | * without leaking any timing about whether there was enough space after the
|
---|
| 1116 | * padding was removed.
|
---|
| 1117 | *
|
---|
| 1118 | * block_size: the block size of the cipher used to encrypt the record.
|
---|
| 1119 | * returns:
|
---|
| 1120 | * 0: (in non-constant time) if the record is publicly invalid.
|
---|
| 1121 | * 1: if the padding was valid
|
---|
| 1122 | * -1: otherwise.
|
---|
| 1123 | */
|
---|
| 1124 | int tls1_cbc_remove_padding(const SSL *s,
|
---|
| 1125 | SSL3_RECORD *rec,
|
---|
| 1126 | unsigned block_size, unsigned mac_size)
|
---|
| 1127 | {
|
---|
| 1128 | unsigned padding_length, good, to_check, i;
|
---|
| 1129 | const unsigned overhead = 1 /* padding length byte */ + mac_size;
|
---|
| 1130 | /* Check if version requires explicit IV */
|
---|
| 1131 | if (SSL_USE_EXPLICIT_IV(s)) {
|
---|
| 1132 | /*
|
---|
| 1133 | * These lengths are all public so we can test them in non-constant
|
---|
| 1134 | * time.
|
---|
| 1135 | */
|
---|
| 1136 | if (overhead + block_size > rec->length)
|
---|
| 1137 | return 0;
|
---|
| 1138 | /* We can now safely skip explicit IV */
|
---|
| 1139 | rec->data += block_size;
|
---|
| 1140 | rec->input += block_size;
|
---|
| 1141 | rec->length -= block_size;
|
---|
| 1142 | rec->orig_len -= block_size;
|
---|
| 1143 | } else if (overhead > rec->length)
|
---|
| 1144 | return 0;
|
---|
| 1145 |
|
---|
| 1146 | padding_length = rec->data[rec->length - 1];
|
---|
| 1147 |
|
---|
| 1148 | if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) &
|
---|
| 1149 | EVP_CIPH_FLAG_AEAD_CIPHER) {
|
---|
| 1150 | /* padding is already verified */
|
---|
| 1151 | rec->length -= padding_length + 1;
|
---|
| 1152 | return 1;
|
---|
| 1153 | }
|
---|
| 1154 |
|
---|
| 1155 | good = constant_time_ge(rec->length, overhead + padding_length);
|
---|
| 1156 | /*
|
---|
| 1157 | * The padding consists of a length byte at the end of the record and
|
---|
| 1158 | * then that many bytes of padding, all with the same value as the length
|
---|
| 1159 | * byte. Thus, with the length byte included, there are i+1 bytes of
|
---|
| 1160 | * padding. We can't check just |padding_length+1| bytes because that
|
---|
| 1161 | * leaks decrypted information. Therefore we always have to check the
|
---|
| 1162 | * maximum amount of padding possible. (Again, the length of the record
|
---|
| 1163 | * is public information so we can use it.)
|
---|
| 1164 | */
|
---|
| 1165 | to_check = 256; /* maximum amount of padding, inc length byte. */
|
---|
| 1166 | if (to_check > rec->length)
|
---|
| 1167 | to_check = rec->length;
|
---|
| 1168 |
|
---|
| 1169 | for (i = 0; i < to_check; i++) {
|
---|
| 1170 | unsigned char mask = constant_time_ge_8(padding_length, i);
|
---|
| 1171 | unsigned char b = rec->data[rec->length - 1 - i];
|
---|
| 1172 | /*
|
---|
| 1173 | * The final |padding_length+1| bytes should all have the value
|
---|
| 1174 | * |padding_length|. Therefore the XOR should be zero.
|
---|
| 1175 | */
|
---|
| 1176 | good &= ~(mask & (padding_length ^ b));
|
---|
| 1177 | }
|
---|
| 1178 |
|
---|
| 1179 | /*
|
---|
| 1180 | * If any of the final |padding_length+1| bytes had the wrong value, one
|
---|
| 1181 | * or more of the lower eight bits of |good| will be cleared.
|
---|
| 1182 | */
|
---|
| 1183 | good = constant_time_eq(0xff, good & 0xff);
|
---|
| 1184 | rec->length -= good & (padding_length + 1);
|
---|
| 1185 |
|
---|
| 1186 | return constant_time_select_int(good, 1, -1);
|
---|
| 1187 | }
|
---|
| 1188 |
|
---|
| 1189 | /*-
|
---|
| 1190 | * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
|
---|
| 1191 | * constant time (independent of the concrete value of rec->length, which may
|
---|
| 1192 | * vary within a 256-byte window).
|
---|
| 1193 | *
|
---|
| 1194 | * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
|
---|
| 1195 | * this function.
|
---|
| 1196 | *
|
---|
| 1197 | * On entry:
|
---|
| 1198 | * rec->orig_len >= md_size
|
---|
| 1199 | * md_size <= EVP_MAX_MD_SIZE
|
---|
| 1200 | *
|
---|
| 1201 | * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
|
---|
| 1202 | * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
|
---|
| 1203 | * a single or pair of cache-lines, then the variable memory accesses don't
|
---|
| 1204 | * actually affect the timing. CPUs with smaller cache-lines [if any] are
|
---|
| 1205 | * not multi-core and are not considered vulnerable to cache-timing attacks.
|
---|
| 1206 | */
|
---|
| 1207 | #define CBC_MAC_ROTATE_IN_PLACE
|
---|
| 1208 |
|
---|
| 1209 | void ssl3_cbc_copy_mac(unsigned char *out,
|
---|
| 1210 | const SSL3_RECORD *rec, unsigned md_size)
|
---|
| 1211 | {
|
---|
| 1212 | #if defined(CBC_MAC_ROTATE_IN_PLACE)
|
---|
| 1213 | unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
|
---|
| 1214 | unsigned char *rotated_mac;
|
---|
| 1215 | #else
|
---|
| 1216 | unsigned char rotated_mac[EVP_MAX_MD_SIZE];
|
---|
| 1217 | #endif
|
---|
| 1218 |
|
---|
| 1219 | /*
|
---|
| 1220 | * mac_end is the index of |rec->data| just after the end of the MAC.
|
---|
| 1221 | */
|
---|
| 1222 | unsigned mac_end = rec->length;
|
---|
| 1223 | unsigned mac_start = mac_end - md_size;
|
---|
| 1224 | unsigned in_mac;
|
---|
| 1225 | /*
|
---|
| 1226 | * scan_start contains the number of bytes that we can ignore because the
|
---|
| 1227 | * MAC's position can only vary by 255 bytes.
|
---|
| 1228 | */
|
---|
| 1229 | unsigned scan_start = 0;
|
---|
| 1230 | unsigned i, j;
|
---|
| 1231 | unsigned rotate_offset;
|
---|
| 1232 |
|
---|
| 1233 | OPENSSL_assert(rec->orig_len >= md_size);
|
---|
| 1234 | OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
|
---|
| 1235 |
|
---|
| 1236 | #if defined(CBC_MAC_ROTATE_IN_PLACE)
|
---|
| 1237 | rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
|
---|
| 1238 | #endif
|
---|
| 1239 |
|
---|
| 1240 | /* This information is public so it's safe to branch based on it. */
|
---|
| 1241 | if (rec->orig_len > md_size + 255 + 1)
|
---|
| 1242 | scan_start = rec->orig_len - (md_size + 255 + 1);
|
---|
| 1243 |
|
---|
| 1244 | in_mac = 0;
|
---|
| 1245 | rotate_offset = 0;
|
---|
| 1246 | memset(rotated_mac, 0, md_size);
|
---|
| 1247 | for (i = scan_start, j = 0; i < rec->orig_len; i++) {
|
---|
| 1248 | unsigned mac_started = constant_time_eq(i, mac_start);
|
---|
| 1249 | unsigned mac_ended = constant_time_lt(i, mac_end);
|
---|
| 1250 | unsigned char b = rec->data[i];
|
---|
| 1251 |
|
---|
| 1252 | in_mac |= mac_started;
|
---|
| 1253 | in_mac &= mac_ended;
|
---|
| 1254 | rotate_offset |= j & mac_started;
|
---|
| 1255 | rotated_mac[j++] |= b & in_mac;
|
---|
| 1256 | j &= constant_time_lt(j, md_size);
|
---|
| 1257 | }
|
---|
| 1258 |
|
---|
| 1259 | /* Now rotate the MAC */
|
---|
| 1260 | #if defined(CBC_MAC_ROTATE_IN_PLACE)
|
---|
| 1261 | j = 0;
|
---|
| 1262 | for (i = 0; i < md_size; i++) {
|
---|
| 1263 | /* in case cache-line is 32 bytes, touch second line */
|
---|
| 1264 | ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
|
---|
| 1265 | out[j++] = rotated_mac[rotate_offset++];
|
---|
| 1266 | rotate_offset &= constant_time_lt(rotate_offset, md_size);
|
---|
| 1267 | }
|
---|
| 1268 | #else
|
---|
| 1269 | memset(out, 0, md_size);
|
---|
| 1270 | rotate_offset = md_size - rotate_offset;
|
---|
| 1271 | rotate_offset &= constant_time_lt(rotate_offset, md_size);
|
---|
| 1272 | for (i = 0; i < md_size; i++) {
|
---|
| 1273 | for (j = 0; j < md_size; j++)
|
---|
| 1274 | out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
|
---|
| 1275 | rotate_offset++;
|
---|
| 1276 | rotate_offset &= constant_time_lt(rotate_offset, md_size);
|
---|
| 1277 | }
|
---|
| 1278 | #endif
|
---|
| 1279 | }
|
---|
| 1280 |
|
---|
| 1281 | int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
|
---|
| 1282 | {
|
---|
| 1283 | int i, al;
|
---|
| 1284 | int enc_err;
|
---|
| 1285 | SSL_SESSION *sess;
|
---|
| 1286 | SSL3_RECORD *rr;
|
---|
| 1287 | unsigned int mac_size;
|
---|
| 1288 | unsigned char md[EVP_MAX_MD_SIZE];
|
---|
| 1289 |
|
---|
| 1290 | rr = RECORD_LAYER_get_rrec(&s->rlayer);
|
---|
| 1291 | sess = s->session;
|
---|
| 1292 |
|
---|
| 1293 | /*
|
---|
| 1294 | * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
|
---|
| 1295 | * and we have that many bytes in s->packet
|
---|
| 1296 | */
|
---|
| 1297 | rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]);
|
---|
| 1298 |
|
---|
| 1299 | /*
|
---|
| 1300 | * ok, we can now read from 's->packet' data into 'rr' rr->input points
|
---|
| 1301 | * at rr->length bytes, which need to be copied into rr->data by either
|
---|
| 1302 | * the decryption or by the decompression When the data is 'copied' into
|
---|
| 1303 | * the rr->data buffer, rr->input will be pointed at the new buffer
|
---|
| 1304 | */
|
---|
| 1305 |
|
---|
| 1306 | /*
|
---|
| 1307 | * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
|
---|
| 1308 | * bytes of encrypted compressed stuff.
|
---|
| 1309 | */
|
---|
| 1310 |
|
---|
| 1311 | /* check is not needed I believe */
|
---|
| 1312 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
|
---|
| 1313 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
| 1314 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
|
---|
| 1315 | goto f_err;
|
---|
| 1316 | }
|
---|
| 1317 |
|
---|
| 1318 | /* decrypt in place in 'rr->input' */
|
---|
| 1319 | rr->data = rr->input;
|
---|
| 1320 | rr->orig_len = rr->length;
|
---|
| 1321 |
|
---|
| 1322 | enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0);
|
---|
| 1323 | /*-
|
---|
| 1324 | * enc_err is:
|
---|
| 1325 | * 0: (in non-constant time) if the record is publically invalid.
|
---|
| 1326 | * 1: if the padding is valid
|
---|
| 1327 | * -1: if the padding is invalid
|
---|
| 1328 | */
|
---|
| 1329 | if (enc_err == 0) {
|
---|
| 1330 | /* For DTLS we simply ignore bad packets. */
|
---|
| 1331 | rr->length = 0;
|
---|
| 1332 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
| 1333 | goto err;
|
---|
| 1334 | }
|
---|
| 1335 | #ifdef SSL_DEBUG
|
---|
| 1336 | printf("dec %d\n", rr->length);
|
---|
| 1337 | {
|
---|
| 1338 | unsigned int z;
|
---|
| 1339 | for (z = 0; z < rr->length; z++)
|
---|
| 1340 | printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
|
---|
| 1341 | }
|
---|
| 1342 | printf("\n");
|
---|
| 1343 | #endif
|
---|
| 1344 |
|
---|
| 1345 | /* r->length is now the compressed data plus mac */
|
---|
| 1346 | if ((sess != NULL) &&
|
---|
| 1347 | (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
|
---|
| 1348 | /* s->read_hash != NULL => mac_size != -1 */
|
---|
| 1349 | unsigned char *mac = NULL;
|
---|
| 1350 | unsigned char mac_tmp[EVP_MAX_MD_SIZE];
|
---|
| 1351 | mac_size = EVP_MD_CTX_size(s->read_hash);
|
---|
| 1352 | OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
|
---|
| 1353 |
|
---|
| 1354 | /*
|
---|
| 1355 | * orig_len is the length of the record before any padding was
|
---|
| 1356 | * removed. This is public information, as is the MAC in use,
|
---|
| 1357 | * therefore we can safely process the record in a different amount
|
---|
| 1358 | * of time if it's too short to possibly contain a MAC.
|
---|
| 1359 | */
|
---|
| 1360 | if (rr->orig_len < mac_size ||
|
---|
| 1361 | /* CBC records must have a padding length byte too. */
|
---|
| 1362 | (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
|
---|
| 1363 | rr->orig_len < mac_size + 1)) {
|
---|
| 1364 | al = SSL_AD_DECODE_ERROR;
|
---|
| 1365 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
|
---|
| 1366 | goto f_err;
|
---|
| 1367 | }
|
---|
| 1368 |
|
---|
| 1369 | if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
|
---|
| 1370 | /*
|
---|
| 1371 | * We update the length so that the TLS header bytes can be
|
---|
| 1372 | * constructed correctly but we need to extract the MAC in
|
---|
| 1373 | * constant time from within the record, without leaking the
|
---|
| 1374 | * contents of the padding bytes.
|
---|
| 1375 | */
|
---|
| 1376 | mac = mac_tmp;
|
---|
| 1377 | ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
|
---|
| 1378 | rr->length -= mac_size;
|
---|
| 1379 | } else {
|
---|
| 1380 | /*
|
---|
| 1381 | * In this case there's no padding, so |rec->orig_len| equals
|
---|
| 1382 | * |rec->length| and we checked that there's enough bytes for
|
---|
| 1383 | * |mac_size| above.
|
---|
| 1384 | */
|
---|
| 1385 | rr->length -= mac_size;
|
---|
| 1386 | mac = &rr->data[rr->length];
|
---|
| 1387 | }
|
---|
| 1388 |
|
---|
| 1389 | i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
|
---|
| 1390 | if (i < 0 || mac == NULL
|
---|
| 1391 | || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
|
---|
| 1392 | enc_err = -1;
|
---|
| 1393 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
|
---|
| 1394 | enc_err = -1;
|
---|
| 1395 | }
|
---|
| 1396 |
|
---|
| 1397 | if (enc_err < 0) {
|
---|
| 1398 | /* decryption failed, silently discard message */
|
---|
| 1399 | rr->length = 0;
|
---|
| 1400 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
| 1401 | goto err;
|
---|
| 1402 | }
|
---|
| 1403 |
|
---|
| 1404 | /* r->length is now just compressed */
|
---|
| 1405 | if (s->expand != NULL) {
|
---|
| 1406 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
|
---|
| 1407 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
| 1408 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,
|
---|
| 1409 | SSL_R_COMPRESSED_LENGTH_TOO_LONG);
|
---|
| 1410 | goto f_err;
|
---|
| 1411 | }
|
---|
| 1412 | if (!ssl3_do_uncompress(s, rr)) {
|
---|
| 1413 | al = SSL_AD_DECOMPRESSION_FAILURE;
|
---|
| 1414 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
|
---|
| 1415 | goto f_err;
|
---|
| 1416 | }
|
---|
| 1417 | }
|
---|
| 1418 |
|
---|
| 1419 | if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
|
---|
| 1420 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
| 1421 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
|
---|
| 1422 | goto f_err;
|
---|
| 1423 | }
|
---|
| 1424 |
|
---|
| 1425 | rr->off = 0;
|
---|
| 1426 | /*-
|
---|
| 1427 | * So at this point the following is true
|
---|
| 1428 | * ssl->s3->rrec.type is the type of record
|
---|
| 1429 | * ssl->s3->rrec.length == number of bytes in record
|
---|
| 1430 | * ssl->s3->rrec.off == offset to first valid byte
|
---|
| 1431 | * ssl->s3->rrec.data == where to take bytes from, increment
|
---|
| 1432 | * after use :-).
|
---|
| 1433 | */
|
---|
| 1434 |
|
---|
| 1435 | /* we have pulled in a full packet so zero things */
|
---|
| 1436 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
| 1437 |
|
---|
| 1438 | /* Mark receipt of record. */
|
---|
| 1439 | dtls1_record_bitmap_update(s, bitmap);
|
---|
| 1440 |
|
---|
| 1441 | return (1);
|
---|
| 1442 |
|
---|
| 1443 | f_err:
|
---|
| 1444 | ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
---|
| 1445 | err:
|
---|
| 1446 | return (0);
|
---|
| 1447 | }
|
---|
| 1448 |
|
---|
| 1449 | /*
|
---|
| 1450 | * retrieve a buffered record that belongs to the current epoch, ie,
|
---|
| 1451 | * processed
|
---|
| 1452 | */
|
---|
| 1453 | #define dtls1_get_processed_record(s) \
|
---|
| 1454 | dtls1_retrieve_buffered_record((s), \
|
---|
| 1455 | &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer)))
|
---|
| 1456 |
|
---|
| 1457 | /*-
|
---|
| 1458 | * Call this to get a new input record.
|
---|
| 1459 | * It will return <= 0 if more data is needed, normally due to an error
|
---|
| 1460 | * or non-blocking IO.
|
---|
| 1461 | * When it finishes, one packet has been decoded and can be found in
|
---|
| 1462 | * ssl->s3->rrec.type - is the type of record
|
---|
| 1463 | * ssl->s3->rrec.data, - data
|
---|
| 1464 | * ssl->s3->rrec.length, - number of bytes
|
---|
| 1465 | */
|
---|
| 1466 | /* used only by dtls1_read_bytes */
|
---|
| 1467 | int dtls1_get_record(SSL *s)
|
---|
| 1468 | {
|
---|
| 1469 | int ssl_major, ssl_minor;
|
---|
| 1470 | int i, n;
|
---|
| 1471 | SSL3_RECORD *rr;
|
---|
| 1472 | unsigned char *p = NULL;
|
---|
| 1473 | unsigned short version;
|
---|
| 1474 | DTLS1_BITMAP *bitmap;
|
---|
| 1475 | unsigned int is_next_epoch;
|
---|
| 1476 |
|
---|
| 1477 | rr = RECORD_LAYER_get_rrec(&s->rlayer);
|
---|
| 1478 |
|
---|
| 1479 | again:
|
---|
| 1480 | /*
|
---|
| 1481 | * The epoch may have changed. If so, process all the pending records.
|
---|
| 1482 | * This is a non-blocking operation.
|
---|
| 1483 | */
|
---|
| 1484 | if (!dtls1_process_buffered_records(s))
|
---|
| 1485 | return -1;
|
---|
| 1486 |
|
---|
| 1487 | /* if we're renegotiating, then there may be buffered records */
|
---|
| 1488 | if (dtls1_get_processed_record(s))
|
---|
| 1489 | return 1;
|
---|
| 1490 |
|
---|
| 1491 | /* get something from the wire */
|
---|
| 1492 |
|
---|
| 1493 | /* check if we have the header */
|
---|
| 1494 | if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
|
---|
| 1495 | (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) {
|
---|
| 1496 | n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
|
---|
| 1497 | SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1);
|
---|
| 1498 | /* read timeout is handled by dtls1_read_bytes */
|
---|
| 1499 | if (n <= 0)
|
---|
| 1500 | return (n); /* error or non-blocking */
|
---|
| 1501 |
|
---|
| 1502 | /* this packet contained a partial record, dump it */
|
---|
| 1503 | if (RECORD_LAYER_get_packet_length(&s->rlayer) !=
|
---|
| 1504 | DTLS1_RT_HEADER_LENGTH) {
|
---|
| 1505 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
| 1506 | goto again;
|
---|
| 1507 | }
|
---|
| 1508 |
|
---|
| 1509 | RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
|
---|
| 1510 |
|
---|
| 1511 | p = RECORD_LAYER_get_packet(&s->rlayer);
|
---|
| 1512 |
|
---|
| 1513 | if (s->msg_callback)
|
---|
| 1514 | s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
|
---|
| 1515 | s, s->msg_callback_arg);
|
---|
| 1516 |
|
---|
| 1517 | /* Pull apart the header into the DTLS1_RECORD */
|
---|
| 1518 | rr->type = *(p++);
|
---|
| 1519 | ssl_major = *(p++);
|
---|
| 1520 | ssl_minor = *(p++);
|
---|
| 1521 | version = (ssl_major << 8) | ssl_minor;
|
---|
| 1522 |
|
---|
| 1523 | /* sequence number is 64 bits, with top 2 bytes = epoch */
|
---|
| 1524 | n2s(p, rr->epoch);
|
---|
| 1525 |
|
---|
| 1526 | memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6);
|
---|
| 1527 | p += 6;
|
---|
| 1528 |
|
---|
| 1529 | n2s(p, rr->length);
|
---|
| 1530 |
|
---|
| 1531 | /* Lets check version */
|
---|
| 1532 | if (!s->first_packet) {
|
---|
| 1533 | if (version != s->version) {
|
---|
| 1534 | /* unexpected version, silently discard */
|
---|
| 1535 | rr->length = 0;
|
---|
| 1536 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
| 1537 | goto again;
|
---|
| 1538 | }
|
---|
| 1539 | }
|
---|
| 1540 |
|
---|
| 1541 | if ((version & 0xff00) != (s->version & 0xff00)) {
|
---|
| 1542 | /* wrong version, silently discard record */
|
---|
| 1543 | rr->length = 0;
|
---|
| 1544 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
| 1545 | goto again;
|
---|
| 1546 | }
|
---|
| 1547 |
|
---|
| 1548 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
|
---|
| 1549 | /* record too long, silently discard it */
|
---|
| 1550 | rr->length = 0;
|
---|
| 1551 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
| 1552 | goto again;
|
---|
| 1553 | }
|
---|
| 1554 |
|
---|
| 1555 | /* now s->rlayer.rstate == SSL_ST_READ_BODY */
|
---|
| 1556 | }
|
---|
| 1557 |
|
---|
| 1558 | /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
|
---|
| 1559 |
|
---|
| 1560 | if (rr->length >
|
---|
| 1561 | RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) {
|
---|
| 1562 | /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
|
---|
| 1563 | i = rr->length;
|
---|
| 1564 | n = ssl3_read_n(s, i, i, 1, 1);
|
---|
| 1565 | /* this packet contained a partial record, dump it */
|
---|
| 1566 | if (n != i) {
|
---|
| 1567 | rr->length = 0;
|
---|
| 1568 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
| 1569 | goto again;
|
---|
| 1570 | }
|
---|
| 1571 |
|
---|
| 1572 | /*
|
---|
| 1573 | * now n == rr->length, and s->packet_length ==
|
---|
| 1574 | * DTLS1_RT_HEADER_LENGTH + rr->length
|
---|
| 1575 | */
|
---|
| 1576 | }
|
---|
| 1577 | /* set state for later operations */
|
---|
| 1578 | RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
|
---|
| 1579 |
|
---|
| 1580 | /* match epochs. NULL means the packet is dropped on the floor */
|
---|
| 1581 | bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
|
---|
| 1582 | if (bitmap == NULL) {
|
---|
| 1583 | rr->length = 0;
|
---|
| 1584 | RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
|
---|
| 1585 | goto again; /* get another record */
|
---|
| 1586 | }
|
---|
| 1587 | #ifndef OPENSSL_NO_SCTP
|
---|
| 1588 | /* Only do replay check if no SCTP bio */
|
---|
| 1589 | if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
|
---|
| 1590 | #endif
|
---|
| 1591 | /* Check whether this is a repeat, or aged record. */
|
---|
| 1592 | /*
|
---|
| 1593 | * TODO: Does it make sense to have replay protection in epoch 0 where
|
---|
| 1594 | * we have no integrity negotiated yet?
|
---|
| 1595 | */
|
---|
| 1596 | if (!dtls1_record_replay_check(s, bitmap)) {
|
---|
| 1597 | rr->length = 0;
|
---|
| 1598 | RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
|
---|
| 1599 | goto again; /* get another record */
|
---|
| 1600 | }
|
---|
| 1601 | #ifndef OPENSSL_NO_SCTP
|
---|
| 1602 | }
|
---|
| 1603 | #endif
|
---|
| 1604 |
|
---|
| 1605 | /* just read a 0 length packet */
|
---|
| 1606 | if (rr->length == 0)
|
---|
| 1607 | goto again;
|
---|
| 1608 |
|
---|
| 1609 | /*
|
---|
| 1610 | * If this record is from the next epoch (either HM or ALERT), and a
|
---|
| 1611 | * handshake is currently in progress, buffer it since it cannot be
|
---|
| 1612 | * processed at this time.
|
---|
| 1613 | */
|
---|
| 1614 | if (is_next_epoch) {
|
---|
| 1615 | if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) {
|
---|
| 1616 | if (dtls1_buffer_record
|
---|
| 1617 | (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
|
---|
| 1618 | rr->seq_num) < 0)
|
---|
| 1619 | return -1;
|
---|
| 1620 | }
|
---|
| 1621 | rr->length = 0;
|
---|
| 1622 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
| 1623 | goto again;
|
---|
| 1624 | }
|
---|
| 1625 |
|
---|
| 1626 | if (!dtls1_process_record(s, bitmap)) {
|
---|
| 1627 | rr->length = 0;
|
---|
| 1628 | RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
|
---|
| 1629 | goto again; /* get another record */
|
---|
| 1630 | }
|
---|
| 1631 |
|
---|
| 1632 | return (1);
|
---|
| 1633 |
|
---|
| 1634 | }
|
---|