1 | /*
|
---|
2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
3 | *
|
---|
4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
5 | * this file except in compliance with the License. You can obtain a copy
|
---|
6 | * in the file LICENSE in the source distribution or at
|
---|
7 | * https://www.openssl.org/source/license.html
|
---|
8 | */
|
---|
9 |
|
---|
10 | #include <assert.h>
|
---|
11 | #include "../ssl_locl.h"
|
---|
12 | #include "internal/constant_time_locl.h"
|
---|
13 | #include <openssl/rand.h>
|
---|
14 | #include "record_locl.h"
|
---|
15 |
|
---|
16 | static const unsigned char ssl3_pad_1[48] = {
|
---|
17 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
---|
18 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
---|
19 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
---|
20 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
---|
21 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
---|
22 | 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
|
---|
23 | };
|
---|
24 |
|
---|
25 | static const unsigned char ssl3_pad_2[48] = {
|
---|
26 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
---|
27 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
---|
28 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
---|
29 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
---|
30 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
---|
31 | 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
|
---|
32 | };
|
---|
33 |
|
---|
34 | /*
|
---|
35 | * Clear the contents of an SSL3_RECORD but retain any memory allocated
|
---|
36 | */
|
---|
37 | void SSL3_RECORD_clear(SSL3_RECORD *r, unsigned int num_recs)
|
---|
38 | {
|
---|
39 | unsigned char *comp;
|
---|
40 | unsigned int i;
|
---|
41 |
|
---|
42 | for (i = 0; i < num_recs; i++) {
|
---|
43 | comp = r[i].comp;
|
---|
44 |
|
---|
45 | memset(&r[i], 0, sizeof(*r));
|
---|
46 | r[i].comp = comp;
|
---|
47 | }
|
---|
48 | }
|
---|
49 |
|
---|
50 | void SSL3_RECORD_release(SSL3_RECORD *r, unsigned int num_recs)
|
---|
51 | {
|
---|
52 | unsigned int i;
|
---|
53 |
|
---|
54 | for (i = 0; i < num_recs; i++) {
|
---|
55 | OPENSSL_free(r[i].comp);
|
---|
56 | r[i].comp = NULL;
|
---|
57 | }
|
---|
58 | }
|
---|
59 |
|
---|
60 | void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
|
---|
61 | {
|
---|
62 | memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
|
---|
63 | }
|
---|
64 |
|
---|
65 | /*
|
---|
66 | * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
|
---|
67 | * for us in the buffer.
|
---|
68 | */
|
---|
69 | static int ssl3_record_app_data_waiting(SSL *s)
|
---|
70 | {
|
---|
71 | SSL3_BUFFER *rbuf;
|
---|
72 | int left, len;
|
---|
73 | unsigned char *p;
|
---|
74 |
|
---|
75 | rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
|
---|
76 |
|
---|
77 | p = SSL3_BUFFER_get_buf(rbuf);
|
---|
78 | if (p == NULL)
|
---|
79 | return 0;
|
---|
80 |
|
---|
81 | left = SSL3_BUFFER_get_left(rbuf);
|
---|
82 |
|
---|
83 | if (left < SSL3_RT_HEADER_LENGTH)
|
---|
84 | return 0;
|
---|
85 |
|
---|
86 | p += SSL3_BUFFER_get_offset(rbuf);
|
---|
87 |
|
---|
88 | /*
|
---|
89 | * We only check the type and record length, we will sanity check version
|
---|
90 | * etc later
|
---|
91 | */
|
---|
92 | if (*p != SSL3_RT_APPLICATION_DATA)
|
---|
93 | return 0;
|
---|
94 |
|
---|
95 | p += 3;
|
---|
96 | n2s(p, len);
|
---|
97 |
|
---|
98 | if (left < SSL3_RT_HEADER_LENGTH + len)
|
---|
99 | return 0;
|
---|
100 |
|
---|
101 | return 1;
|
---|
102 | }
|
---|
103 |
|
---|
104 | /*
|
---|
105 | * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
|
---|
106 | * will be processed per call to ssl3_get_record. Without this limit an
|
---|
107 | * attacker could send empty records at a faster rate than we can process and
|
---|
108 | * cause ssl3_get_record to loop forever.
|
---|
109 | */
|
---|
110 | #define MAX_EMPTY_RECORDS 32
|
---|
111 |
|
---|
112 | #define SSL2_RT_HEADER_LENGTH 2
|
---|
113 | /*-
|
---|
114 | * Call this to get new input records.
|
---|
115 | * It will return <= 0 if more data is needed, normally due to an error
|
---|
116 | * or non-blocking IO.
|
---|
117 | * When it finishes, |numrpipes| records have been decoded. For each record 'i':
|
---|
118 | * rr[i].type - is the type of record
|
---|
119 | * rr[i].data, - data
|
---|
120 | * rr[i].length, - number of bytes
|
---|
121 | * Multiple records will only be returned if the record types are all
|
---|
122 | * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
|
---|
123 | * |max_pipelines|
|
---|
124 | */
|
---|
125 | /* used only by ssl3_read_bytes */
|
---|
126 | int ssl3_get_record(SSL *s)
|
---|
127 | {
|
---|
128 | int ssl_major, ssl_minor, al;
|
---|
129 | int enc_err, n, i, ret = -1;
|
---|
130 | SSL3_RECORD *rr;
|
---|
131 | SSL3_BUFFER *rbuf;
|
---|
132 | SSL_SESSION *sess;
|
---|
133 | unsigned char *p;
|
---|
134 | unsigned char md[EVP_MAX_MD_SIZE];
|
---|
135 | short version;
|
---|
136 | unsigned mac_size;
|
---|
137 | int imac_size;
|
---|
138 | unsigned int num_recs = 0;
|
---|
139 | unsigned int max_recs;
|
---|
140 | unsigned int j;
|
---|
141 |
|
---|
142 | rr = RECORD_LAYER_get_rrec(&s->rlayer);
|
---|
143 | rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
|
---|
144 | max_recs = s->max_pipelines;
|
---|
145 | if (max_recs == 0)
|
---|
146 | max_recs = 1;
|
---|
147 | sess = s->session;
|
---|
148 |
|
---|
149 | do {
|
---|
150 | /* check if we have the header */
|
---|
151 | if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
|
---|
152 | (RECORD_LAYER_get_packet_length(&s->rlayer)
|
---|
153 | < SSL3_RT_HEADER_LENGTH)) {
|
---|
154 | n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
|
---|
155 | SSL3_BUFFER_get_len(rbuf), 0,
|
---|
156 | num_recs == 0 ? 1 : 0);
|
---|
157 | if (n <= 0)
|
---|
158 | return (n); /* error or non-blocking */
|
---|
159 | RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
|
---|
160 |
|
---|
161 | p = RECORD_LAYER_get_packet(&s->rlayer);
|
---|
162 |
|
---|
163 | /*
|
---|
164 | * The first record received by the server may be a V2ClientHello.
|
---|
165 | */
|
---|
166 | if (s->server && RECORD_LAYER_is_first_record(&s->rlayer)
|
---|
167 | && (p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
|
---|
168 | /*
|
---|
169 | * SSLv2 style record
|
---|
170 | *
|
---|
171 | * |num_recs| here will actually always be 0 because
|
---|
172 | * |num_recs > 0| only ever occurs when we are processing
|
---|
173 | * multiple app data records - which we know isn't the case here
|
---|
174 | * because it is an SSLv2ClientHello. We keep it using
|
---|
175 | * |num_recs| for the sake of consistency
|
---|
176 | */
|
---|
177 | rr[num_recs].type = SSL3_RT_HANDSHAKE;
|
---|
178 | rr[num_recs].rec_version = SSL2_VERSION;
|
---|
179 |
|
---|
180 | rr[num_recs].length = ((p[0] & 0x7f) << 8) | p[1];
|
---|
181 |
|
---|
182 | if (rr[num_recs].length > SSL3_BUFFER_get_len(rbuf)
|
---|
183 | - SSL2_RT_HEADER_LENGTH) {
|
---|
184 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
185 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
|
---|
186 | goto f_err;
|
---|
187 | }
|
---|
188 |
|
---|
189 | if (rr[num_recs].length < MIN_SSL2_RECORD_LEN) {
|
---|
190 | al = SSL_AD_HANDSHAKE_FAILURE;
|
---|
191 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
|
---|
192 | goto f_err;
|
---|
193 | }
|
---|
194 | } else {
|
---|
195 | /* SSLv3+ style record */
|
---|
196 | if (s->msg_callback)
|
---|
197 | s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
|
---|
198 | s->msg_callback_arg);
|
---|
199 |
|
---|
200 | /* Pull apart the header into the SSL3_RECORD */
|
---|
201 | rr[num_recs].type = *(p++);
|
---|
202 | ssl_major = *(p++);
|
---|
203 | ssl_minor = *(p++);
|
---|
204 | version = (ssl_major << 8) | ssl_minor;
|
---|
205 | rr[num_recs].rec_version = version;
|
---|
206 | n2s(p, rr[num_recs].length);
|
---|
207 |
|
---|
208 | /* Lets check version */
|
---|
209 | if (!s->first_packet && version != s->version) {
|
---|
210 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
|
---|
211 | if ((s->version & 0xFF00) == (version & 0xFF00)
|
---|
212 | && !s->enc_write_ctx && !s->write_hash) {
|
---|
213 | if (rr->type == SSL3_RT_ALERT) {
|
---|
214 | /*
|
---|
215 | * The record is using an incorrect version number,
|
---|
216 | * but what we've got appears to be an alert. We
|
---|
217 | * haven't read the body yet to check whether its a
|
---|
218 | * fatal or not - but chances are it is. We probably
|
---|
219 | * shouldn't send a fatal alert back. We'll just
|
---|
220 | * end.
|
---|
221 | */
|
---|
222 | goto err;
|
---|
223 | }
|
---|
224 | /*
|
---|
225 | * Send back error using their minor version number :-)
|
---|
226 | */
|
---|
227 | s->version = (unsigned short)version;
|
---|
228 | }
|
---|
229 | al = SSL_AD_PROTOCOL_VERSION;
|
---|
230 | goto f_err;
|
---|
231 | }
|
---|
232 |
|
---|
233 | if ((version >> 8) != SSL3_VERSION_MAJOR) {
|
---|
234 | if (RECORD_LAYER_is_first_record(&s->rlayer)) {
|
---|
235 | /* Go back to start of packet, look at the five bytes
|
---|
236 | * that we have. */
|
---|
237 | p = RECORD_LAYER_get_packet(&s->rlayer);
|
---|
238 | if (strncmp((char *)p, "GET ", 4) == 0 ||
|
---|
239 | strncmp((char *)p, "POST ", 5) == 0 ||
|
---|
240 | strncmp((char *)p, "HEAD ", 5) == 0 ||
|
---|
241 | strncmp((char *)p, "PUT ", 4) == 0) {
|
---|
242 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST);
|
---|
243 | goto err;
|
---|
244 | } else if (strncmp((char *)p, "CONNE", 5) == 0) {
|
---|
245 | SSLerr(SSL_F_SSL3_GET_RECORD,
|
---|
246 | SSL_R_HTTPS_PROXY_REQUEST);
|
---|
247 | goto err;
|
---|
248 | }
|
---|
249 |
|
---|
250 | /* Doesn't look like TLS - don't send an alert */
|
---|
251 | SSLerr(SSL_F_SSL3_GET_RECORD,
|
---|
252 | SSL_R_WRONG_VERSION_NUMBER);
|
---|
253 | goto err;
|
---|
254 | } else {
|
---|
255 | SSLerr(SSL_F_SSL3_GET_RECORD,
|
---|
256 | SSL_R_WRONG_VERSION_NUMBER);
|
---|
257 | al = SSL_AD_PROTOCOL_VERSION;
|
---|
258 | goto f_err;
|
---|
259 | }
|
---|
260 | }
|
---|
261 |
|
---|
262 | if (rr[num_recs].length >
|
---|
263 | SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
|
---|
264 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
265 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
|
---|
266 | goto f_err;
|
---|
267 | }
|
---|
268 | }
|
---|
269 |
|
---|
270 | /* now s->rlayer.rstate == SSL_ST_READ_BODY */
|
---|
271 | }
|
---|
272 |
|
---|
273 | /*
|
---|
274 | * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data.
|
---|
275 | * Calculate how much more data we need to read for the rest of the
|
---|
276 | * record
|
---|
277 | */
|
---|
278 | if (rr[num_recs].rec_version == SSL2_VERSION) {
|
---|
279 | i = rr[num_recs].length + SSL2_RT_HEADER_LENGTH
|
---|
280 | - SSL3_RT_HEADER_LENGTH;
|
---|
281 | } else {
|
---|
282 | i = rr[num_recs].length;
|
---|
283 | }
|
---|
284 | if (i > 0) {
|
---|
285 | /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
|
---|
286 |
|
---|
287 | n = ssl3_read_n(s, i, i, 1, 0);
|
---|
288 | if (n <= 0)
|
---|
289 | return (n); /* error or non-blocking io */
|
---|
290 | }
|
---|
291 |
|
---|
292 | /* set state for later operations */
|
---|
293 | RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
|
---|
294 |
|
---|
295 | /*
|
---|
296 | * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length,
|
---|
297 | * or s->packet_length == SSL2_RT_HEADER_LENGTH + rr->length
|
---|
298 | * and we have that many bytes in s->packet
|
---|
299 | */
|
---|
300 | if (rr[num_recs].rec_version == SSL2_VERSION) {
|
---|
301 | rr[num_recs].input =
|
---|
302 | &(RECORD_LAYER_get_packet(&s->rlayer)[SSL2_RT_HEADER_LENGTH]);
|
---|
303 | } else {
|
---|
304 | rr[num_recs].input =
|
---|
305 | &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
|
---|
306 | }
|
---|
307 |
|
---|
308 | /*
|
---|
309 | * ok, we can now read from 's->packet' data into 'rr' rr->input points
|
---|
310 | * at rr->length bytes, which need to be copied into rr->data by either
|
---|
311 | * the decryption or by the decompression When the data is 'copied' into
|
---|
312 | * the rr->data buffer, rr->input will be pointed at the new buffer
|
---|
313 | */
|
---|
314 |
|
---|
315 | /*
|
---|
316 | * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
|
---|
317 | * bytes of encrypted compressed stuff.
|
---|
318 | */
|
---|
319 |
|
---|
320 | /* check is not needed I believe */
|
---|
321 | if (rr[num_recs].length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
|
---|
322 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
323 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
|
---|
324 | goto f_err;
|
---|
325 | }
|
---|
326 |
|
---|
327 | /* decrypt in place in 'rr->input' */
|
---|
328 | rr[num_recs].data = rr[num_recs].input;
|
---|
329 | rr[num_recs].orig_len = rr[num_recs].length;
|
---|
330 |
|
---|
331 | /* Mark this record as not read by upper layers yet */
|
---|
332 | rr[num_recs].read = 0;
|
---|
333 |
|
---|
334 | num_recs++;
|
---|
335 |
|
---|
336 | /* we have pulled in a full packet so zero things */
|
---|
337 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
338 | RECORD_LAYER_clear_first_record(&s->rlayer);
|
---|
339 | } while (num_recs < max_recs
|
---|
340 | && rr[num_recs - 1].type == SSL3_RT_APPLICATION_DATA
|
---|
341 | && SSL_USE_EXPLICIT_IV(s)
|
---|
342 | && s->enc_read_ctx != NULL
|
---|
343 | && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx))
|
---|
344 | & EVP_CIPH_FLAG_PIPELINE)
|
---|
345 | && ssl3_record_app_data_waiting(s));
|
---|
346 |
|
---|
347 | /*
|
---|
348 | * If in encrypt-then-mac mode calculate mac from encrypted record. All
|
---|
349 | * the details below are public so no timing details can leak.
|
---|
350 | */
|
---|
351 | if (SSL_READ_ETM(s) && s->read_hash) {
|
---|
352 | unsigned char *mac;
|
---|
353 |
|
---|
354 | imac_size = EVP_MD_CTX_size(s->read_hash);
|
---|
355 | assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE);
|
---|
356 | if (imac_size < 0 || imac_size > EVP_MAX_MD_SIZE) {
|
---|
357 | al = SSL_AD_INTERNAL_ERROR;
|
---|
358 | SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP);
|
---|
359 | goto f_err;
|
---|
360 | }
|
---|
361 | mac_size = (unsigned)imac_size;
|
---|
362 |
|
---|
363 | for (j = 0; j < num_recs; j++) {
|
---|
364 | if (rr[j].length < mac_size) {
|
---|
365 | al = SSL_AD_DECODE_ERROR;
|
---|
366 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
|
---|
367 | goto f_err;
|
---|
368 | }
|
---|
369 | rr[j].length -= mac_size;
|
---|
370 | mac = rr[j].data + rr[j].length;
|
---|
371 | i = s->method->ssl3_enc->mac(s, &rr[j], md, 0 /* not send */ );
|
---|
372 | if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
|
---|
373 | al = SSL_AD_BAD_RECORD_MAC;
|
---|
374 | SSLerr(SSL_F_SSL3_GET_RECORD,
|
---|
375 | SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
|
---|
376 | goto f_err;
|
---|
377 | }
|
---|
378 | }
|
---|
379 | }
|
---|
380 |
|
---|
381 | enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0);
|
---|
382 | /*-
|
---|
383 | * enc_err is:
|
---|
384 | * 0: (in non-constant time) if the record is publically invalid.
|
---|
385 | * 1: if the padding is valid
|
---|
386 | * -1: if the padding is invalid
|
---|
387 | */
|
---|
388 | if (enc_err == 0) {
|
---|
389 | al = SSL_AD_DECRYPTION_FAILED;
|
---|
390 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
|
---|
391 | goto f_err;
|
---|
392 | }
|
---|
393 | #ifdef SSL_DEBUG
|
---|
394 | printf("dec %d\n", rr->length);
|
---|
395 | {
|
---|
396 | unsigned int z;
|
---|
397 | for (z = 0; z < rr->length; z++)
|
---|
398 | printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
|
---|
399 | }
|
---|
400 | printf("\n");
|
---|
401 | #endif
|
---|
402 |
|
---|
403 | /* r->length is now the compressed data plus mac */
|
---|
404 | if ((sess != NULL) &&
|
---|
405 | (s->enc_read_ctx != NULL) &&
|
---|
406 | (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) {
|
---|
407 | /* s->read_hash != NULL => mac_size != -1 */
|
---|
408 | unsigned char *mac = NULL;
|
---|
409 | unsigned char mac_tmp[EVP_MAX_MD_SIZE];
|
---|
410 |
|
---|
411 | mac_size = EVP_MD_CTX_size(s->read_hash);
|
---|
412 | OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
|
---|
413 |
|
---|
414 | for (j = 0; j < num_recs; j++) {
|
---|
415 | /*
|
---|
416 | * orig_len is the length of the record before any padding was
|
---|
417 | * removed. This is public information, as is the MAC in use,
|
---|
418 | * therefore we can safely process the record in a different amount
|
---|
419 | * of time if it's too short to possibly contain a MAC.
|
---|
420 | */
|
---|
421 | if (rr[j].orig_len < mac_size ||
|
---|
422 | /* CBC records must have a padding length byte too. */
|
---|
423 | (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
|
---|
424 | rr[j].orig_len < mac_size + 1)) {
|
---|
425 | al = SSL_AD_DECODE_ERROR;
|
---|
426 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
|
---|
427 | goto f_err;
|
---|
428 | }
|
---|
429 |
|
---|
430 | if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
|
---|
431 | /*
|
---|
432 | * We update the length so that the TLS header bytes can be
|
---|
433 | * constructed correctly but we need to extract the MAC in
|
---|
434 | * constant time from within the record, without leaking the
|
---|
435 | * contents of the padding bytes.
|
---|
436 | */
|
---|
437 | mac = mac_tmp;
|
---|
438 | ssl3_cbc_copy_mac(mac_tmp, &rr[j], mac_size);
|
---|
439 | rr[j].length -= mac_size;
|
---|
440 | } else {
|
---|
441 | /*
|
---|
442 | * In this case there's no padding, so |rec->orig_len| equals
|
---|
443 | * |rec->length| and we checked that there's enough bytes for
|
---|
444 | * |mac_size| above.
|
---|
445 | */
|
---|
446 | rr[j].length -= mac_size;
|
---|
447 | mac = &rr[j].data[rr[j].length];
|
---|
448 | }
|
---|
449 |
|
---|
450 | i = s->method->ssl3_enc->mac(s, &rr[j], md, 0 /* not send */ );
|
---|
451 | if (i < 0 || mac == NULL
|
---|
452 | || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
|
---|
453 | enc_err = -1;
|
---|
454 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
|
---|
455 | enc_err = -1;
|
---|
456 | }
|
---|
457 | }
|
---|
458 |
|
---|
459 | if (enc_err < 0) {
|
---|
460 | /*
|
---|
461 | * A separate 'decryption_failed' alert was introduced with TLS 1.0,
|
---|
462 | * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
|
---|
463 | * failure is directly visible from the ciphertext anyway, we should
|
---|
464 | * not reveal which kind of error occurred -- this might become
|
---|
465 | * visible to an attacker (e.g. via a logfile)
|
---|
466 | */
|
---|
467 | al = SSL_AD_BAD_RECORD_MAC;
|
---|
468 | SSLerr(SSL_F_SSL3_GET_RECORD,
|
---|
469 | SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
|
---|
470 | goto f_err;
|
---|
471 | }
|
---|
472 |
|
---|
473 | for (j = 0; j < num_recs; j++) {
|
---|
474 | /* rr[j].length is now just compressed */
|
---|
475 | if (s->expand != NULL) {
|
---|
476 | if (rr[j].length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
|
---|
477 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
478 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
|
---|
479 | goto f_err;
|
---|
480 | }
|
---|
481 | if (!ssl3_do_uncompress(s, &rr[j])) {
|
---|
482 | al = SSL_AD_DECOMPRESSION_FAILURE;
|
---|
483 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
|
---|
484 | goto f_err;
|
---|
485 | }
|
---|
486 | }
|
---|
487 |
|
---|
488 | if (rr[j].length > SSL3_RT_MAX_PLAIN_LENGTH) {
|
---|
489 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
490 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
|
---|
491 | goto f_err;
|
---|
492 | }
|
---|
493 |
|
---|
494 | rr[j].off = 0;
|
---|
495 | /*-
|
---|
496 | * So at this point the following is true
|
---|
497 | * rr[j].type is the type of record
|
---|
498 | * rr[j].length == number of bytes in record
|
---|
499 | * rr[j].off == offset to first valid byte
|
---|
500 | * rr[j].data == where to take bytes from, increment after use :-).
|
---|
501 | */
|
---|
502 |
|
---|
503 | /* just read a 0 length packet */
|
---|
504 | if (rr[j].length == 0) {
|
---|
505 | RECORD_LAYER_inc_empty_record_count(&s->rlayer);
|
---|
506 | if (RECORD_LAYER_get_empty_record_count(&s->rlayer)
|
---|
507 | > MAX_EMPTY_RECORDS) {
|
---|
508 | al = SSL_AD_UNEXPECTED_MESSAGE;
|
---|
509 | SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
|
---|
510 | goto f_err;
|
---|
511 | }
|
---|
512 | } else {
|
---|
513 | RECORD_LAYER_reset_empty_record_count(&s->rlayer);
|
---|
514 | }
|
---|
515 | }
|
---|
516 |
|
---|
517 | RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs);
|
---|
518 | return 1;
|
---|
519 |
|
---|
520 | f_err:
|
---|
521 | ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
---|
522 | err:
|
---|
523 | return ret;
|
---|
524 | }
|
---|
525 |
|
---|
526 | int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr)
|
---|
527 | {
|
---|
528 | #ifndef OPENSSL_NO_COMP
|
---|
529 | int i;
|
---|
530 |
|
---|
531 | if (rr->comp == NULL) {
|
---|
532 | rr->comp = (unsigned char *)
|
---|
533 | OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
|
---|
534 | }
|
---|
535 | if (rr->comp == NULL)
|
---|
536 | return 0;
|
---|
537 |
|
---|
538 | i = COMP_expand_block(ssl->expand, rr->comp,
|
---|
539 | SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length);
|
---|
540 | if (i < 0)
|
---|
541 | return 0;
|
---|
542 | else
|
---|
543 | rr->length = i;
|
---|
544 | rr->data = rr->comp;
|
---|
545 | #endif
|
---|
546 | return 1;
|
---|
547 | }
|
---|
548 |
|
---|
549 | int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
|
---|
550 | {
|
---|
551 | #ifndef OPENSSL_NO_COMP
|
---|
552 | int i;
|
---|
553 |
|
---|
554 | i = COMP_compress_block(ssl->compress, wr->data,
|
---|
555 | SSL3_RT_MAX_COMPRESSED_LENGTH,
|
---|
556 | wr->input, (int)wr->length);
|
---|
557 | if (i < 0)
|
---|
558 | return (0);
|
---|
559 | else
|
---|
560 | wr->length = i;
|
---|
561 |
|
---|
562 | wr->input = wr->data;
|
---|
563 | #endif
|
---|
564 | return (1);
|
---|
565 | }
|
---|
566 |
|
---|
567 | /*-
|
---|
568 | * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|
|
---|
569 | *
|
---|
570 | * Returns:
|
---|
571 | * 0: (in non-constant time) if the record is publically invalid (i.e. too
|
---|
572 | * short etc).
|
---|
573 | * 1: if the record's padding is valid / the encryption was successful.
|
---|
574 | * -1: if the record's padding is invalid or, if sending, an internal error
|
---|
575 | * occurred.
|
---|
576 | */
|
---|
577 | int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, unsigned int n_recs, int send)
|
---|
578 | {
|
---|
579 | SSL3_RECORD *rec;
|
---|
580 | EVP_CIPHER_CTX *ds;
|
---|
581 | unsigned long l;
|
---|
582 | int bs, i, mac_size = 0;
|
---|
583 | const EVP_CIPHER *enc;
|
---|
584 |
|
---|
585 | rec = inrecs;
|
---|
586 | /*
|
---|
587 | * We shouldn't ever be called with more than one record in the SSLv3 case
|
---|
588 | */
|
---|
589 | if (n_recs != 1)
|
---|
590 | return 0;
|
---|
591 | if (send) {
|
---|
592 | ds = s->enc_write_ctx;
|
---|
593 | if (s->enc_write_ctx == NULL)
|
---|
594 | enc = NULL;
|
---|
595 | else
|
---|
596 | enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
|
---|
597 | } else {
|
---|
598 | ds = s->enc_read_ctx;
|
---|
599 | if (s->enc_read_ctx == NULL)
|
---|
600 | enc = NULL;
|
---|
601 | else
|
---|
602 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
|
---|
603 | }
|
---|
604 |
|
---|
605 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
|
---|
606 | memmove(rec->data, rec->input, rec->length);
|
---|
607 | rec->input = rec->data;
|
---|
608 | } else {
|
---|
609 | l = rec->length;
|
---|
610 | bs = EVP_CIPHER_CTX_block_size(ds);
|
---|
611 |
|
---|
612 | /* COMPRESS */
|
---|
613 |
|
---|
614 | if ((bs != 1) && send) {
|
---|
615 | i = bs - ((int)l % bs);
|
---|
616 |
|
---|
617 | /* we need to add 'i-1' padding bytes */
|
---|
618 | l += i;
|
---|
619 | /*
|
---|
620 | * the last of these zero bytes will be overwritten with the
|
---|
621 | * padding length.
|
---|
622 | */
|
---|
623 | memset(&rec->input[rec->length], 0, i);
|
---|
624 | rec->length += i;
|
---|
625 | rec->input[l - 1] = (i - 1);
|
---|
626 | }
|
---|
627 |
|
---|
628 | if (!send) {
|
---|
629 | if (l == 0 || l % bs != 0)
|
---|
630 | return 0;
|
---|
631 | /* otherwise, rec->length >= bs */
|
---|
632 | }
|
---|
633 |
|
---|
634 | if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
|
---|
635 | return -1;
|
---|
636 |
|
---|
637 | if (EVP_MD_CTX_md(s->read_hash) != NULL)
|
---|
638 | mac_size = EVP_MD_CTX_size(s->read_hash);
|
---|
639 | if ((bs != 1) && !send)
|
---|
640 | return ssl3_cbc_remove_padding(rec, bs, mac_size);
|
---|
641 | }
|
---|
642 | return (1);
|
---|
643 | }
|
---|
644 |
|
---|
645 | /*-
|
---|
646 | * tls1_enc encrypts/decrypts |n_recs| in |recs|.
|
---|
647 | *
|
---|
648 | * Returns:
|
---|
649 | * 0: (in non-constant time) if the record is publically invalid (i.e. too
|
---|
650 | * short etc).
|
---|
651 | * 1: if the record's padding is valid / the encryption was successful.
|
---|
652 | * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
|
---|
653 | * an internal error occurred.
|
---|
654 | */
|
---|
655 | int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send)
|
---|
656 | {
|
---|
657 | EVP_CIPHER_CTX *ds;
|
---|
658 | size_t reclen[SSL_MAX_PIPELINES];
|
---|
659 | unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
|
---|
660 | int bs, i, j, k, pad = 0, ret, mac_size = 0;
|
---|
661 | const EVP_CIPHER *enc;
|
---|
662 | unsigned int ctr;
|
---|
663 |
|
---|
664 | if (send) {
|
---|
665 | if (EVP_MD_CTX_md(s->write_hash)) {
|
---|
666 | int n = EVP_MD_CTX_size(s->write_hash);
|
---|
667 | OPENSSL_assert(n >= 0);
|
---|
668 | }
|
---|
669 | ds = s->enc_write_ctx;
|
---|
670 | if (s->enc_write_ctx == NULL)
|
---|
671 | enc = NULL;
|
---|
672 | else {
|
---|
673 | int ivlen;
|
---|
674 | enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
|
---|
675 | /* For TLSv1.1 and later explicit IV */
|
---|
676 | if (SSL_USE_EXPLICIT_IV(s)
|
---|
677 | && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
|
---|
678 | ivlen = EVP_CIPHER_iv_length(enc);
|
---|
679 | else
|
---|
680 | ivlen = 0;
|
---|
681 | if (ivlen > 1) {
|
---|
682 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
683 | if (recs[ctr].data != recs[ctr].input) {
|
---|
684 | /*
|
---|
685 | * we can't write into the input stream: Can this ever
|
---|
686 | * happen?? (steve)
|
---|
687 | */
|
---|
688 | SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR);
|
---|
689 | return -1;
|
---|
690 | } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) {
|
---|
691 | SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR);
|
---|
692 | return -1;
|
---|
693 | }
|
---|
694 | }
|
---|
695 | }
|
---|
696 | }
|
---|
697 | } else {
|
---|
698 | if (EVP_MD_CTX_md(s->read_hash)) {
|
---|
699 | int n = EVP_MD_CTX_size(s->read_hash);
|
---|
700 | OPENSSL_assert(n >= 0);
|
---|
701 | }
|
---|
702 | ds = s->enc_read_ctx;
|
---|
703 | if (s->enc_read_ctx == NULL)
|
---|
704 | enc = NULL;
|
---|
705 | else
|
---|
706 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
|
---|
707 | }
|
---|
708 |
|
---|
709 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
|
---|
710 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
711 | memmove(recs[ctr].data, recs[ctr].input, recs[ctr].length);
|
---|
712 | recs[ctr].input = recs[ctr].data;
|
---|
713 | }
|
---|
714 | ret = 1;
|
---|
715 | } else {
|
---|
716 | bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_cipher(ds));
|
---|
717 |
|
---|
718 | if (n_recs > 1) {
|
---|
719 | if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
|
---|
720 | & EVP_CIPH_FLAG_PIPELINE)) {
|
---|
721 | /*
|
---|
722 | * We shouldn't have been called with pipeline data if the
|
---|
723 | * cipher doesn't support pipelining
|
---|
724 | */
|
---|
725 | SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
|
---|
726 | return -1;
|
---|
727 | }
|
---|
728 | }
|
---|
729 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
730 | reclen[ctr] = recs[ctr].length;
|
---|
731 |
|
---|
732 | if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
|
---|
733 | & EVP_CIPH_FLAG_AEAD_CIPHER) {
|
---|
734 | unsigned char *seq;
|
---|
735 |
|
---|
736 | seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
|
---|
737 | : RECORD_LAYER_get_read_sequence(&s->rlayer);
|
---|
738 |
|
---|
739 | if (SSL_IS_DTLS(s)) {
|
---|
740 | /* DTLS does not support pipelining */
|
---|
741 | unsigned char dtlsseq[9], *p = dtlsseq;
|
---|
742 |
|
---|
743 | s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
|
---|
744 | DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
|
---|
745 | memcpy(p, &seq[2], 6);
|
---|
746 | memcpy(buf[ctr], dtlsseq, 8);
|
---|
747 | } else {
|
---|
748 | memcpy(buf[ctr], seq, 8);
|
---|
749 | for (i = 7; i >= 0; i--) { /* increment */
|
---|
750 | ++seq[i];
|
---|
751 | if (seq[i] != 0)
|
---|
752 | break;
|
---|
753 | }
|
---|
754 | }
|
---|
755 |
|
---|
756 | buf[ctr][8] = recs[ctr].type;
|
---|
757 | buf[ctr][9] = (unsigned char)(s->version >> 8);
|
---|
758 | buf[ctr][10] = (unsigned char)(s->version);
|
---|
759 | buf[ctr][11] = recs[ctr].length >> 8;
|
---|
760 | buf[ctr][12] = recs[ctr].length & 0xff;
|
---|
761 | pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
|
---|
762 | EVP_AEAD_TLS1_AAD_LEN, buf[ctr]);
|
---|
763 | if (pad <= 0)
|
---|
764 | return -1;
|
---|
765 |
|
---|
766 | if (send) {
|
---|
767 | reclen[ctr] += pad;
|
---|
768 | recs[ctr].length += pad;
|
---|
769 | }
|
---|
770 |
|
---|
771 | } else if ((bs != 1) && send) {
|
---|
772 | i = bs - ((int)reclen[ctr] % bs);
|
---|
773 |
|
---|
774 | /* Add weird padding of upto 256 bytes */
|
---|
775 |
|
---|
776 | /* we need to add 'i' padding bytes of value j */
|
---|
777 | j = i - 1;
|
---|
778 | for (k = (int)reclen[ctr]; k < (int)(reclen[ctr] + i); k++)
|
---|
779 | recs[ctr].input[k] = j;
|
---|
780 | reclen[ctr] += i;
|
---|
781 | recs[ctr].length += i;
|
---|
782 | }
|
---|
783 |
|
---|
784 | if (!send) {
|
---|
785 | if (reclen[ctr] == 0 || reclen[ctr] % bs != 0)
|
---|
786 | return 0;
|
---|
787 | }
|
---|
788 | }
|
---|
789 | if (n_recs > 1) {
|
---|
790 | unsigned char *data[SSL_MAX_PIPELINES];
|
---|
791 |
|
---|
792 | /* Set the output buffers */
|
---|
793 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
794 | data[ctr] = recs[ctr].data;
|
---|
795 | }
|
---|
796 | if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
|
---|
797 | n_recs, data) <= 0) {
|
---|
798 | SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
|
---|
799 | }
|
---|
800 | /* Set the input buffers */
|
---|
801 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
802 | data[ctr] = recs[ctr].input;
|
---|
803 | }
|
---|
804 | if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS,
|
---|
805 | n_recs, data) <= 0
|
---|
806 | || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
|
---|
807 | n_recs, reclen) <= 0) {
|
---|
808 | SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
|
---|
809 | return -1;
|
---|
810 | }
|
---|
811 | }
|
---|
812 |
|
---|
813 | i = EVP_Cipher(ds, recs[0].data, recs[0].input, reclen[0]);
|
---|
814 | if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
|
---|
815 | & EVP_CIPH_FLAG_CUSTOM_CIPHER)
|
---|
816 | ? (i < 0)
|
---|
817 | : (i == 0))
|
---|
818 | return -1; /* AEAD can fail to verify MAC */
|
---|
819 | if (send == 0) {
|
---|
820 | if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) {
|
---|
821 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
822 | recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
|
---|
823 | recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
|
---|
824 | recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
|
---|
825 | }
|
---|
826 | } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) {
|
---|
827 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
828 | recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
|
---|
829 | recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
|
---|
830 | recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
|
---|
831 | }
|
---|
832 | }
|
---|
833 | }
|
---|
834 |
|
---|
835 | ret = 1;
|
---|
836 | if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)
|
---|
837 | mac_size = EVP_MD_CTX_size(s->read_hash);
|
---|
838 | if ((bs != 1) && !send) {
|
---|
839 | int tmpret;
|
---|
840 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
841 | tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size);
|
---|
842 | /*
|
---|
843 | * If tmpret == 0 then this means publicly invalid so we can
|
---|
844 | * short circuit things here. Otherwise we must respect constant
|
---|
845 | * time behaviour.
|
---|
846 | */
|
---|
847 | if (tmpret == 0)
|
---|
848 | return 0;
|
---|
849 | ret = constant_time_select_int(constant_time_eq_int(tmpret, 1),
|
---|
850 | ret, -1);
|
---|
851 | }
|
---|
852 | }
|
---|
853 | if (pad && !send) {
|
---|
854 | for (ctr = 0; ctr < n_recs; ctr++) {
|
---|
855 | recs[ctr].length -= pad;
|
---|
856 | }
|
---|
857 | }
|
---|
858 | }
|
---|
859 | return ret;
|
---|
860 | }
|
---|
861 |
|
---|
862 | int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
|
---|
863 | {
|
---|
864 | unsigned char *mac_sec, *seq;
|
---|
865 | const EVP_MD_CTX *hash;
|
---|
866 | unsigned char *p, rec_char;
|
---|
867 | size_t md_size;
|
---|
868 | int npad;
|
---|
869 | int t;
|
---|
870 |
|
---|
871 | if (send) {
|
---|
872 | mac_sec = &(ssl->s3->write_mac_secret[0]);
|
---|
873 | seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
|
---|
874 | hash = ssl->write_hash;
|
---|
875 | } else {
|
---|
876 | mac_sec = &(ssl->s3->read_mac_secret[0]);
|
---|
877 | seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
|
---|
878 | hash = ssl->read_hash;
|
---|
879 | }
|
---|
880 |
|
---|
881 | t = EVP_MD_CTX_size(hash);
|
---|
882 | if (t < 0)
|
---|
883 | return -1;
|
---|
884 | md_size = t;
|
---|
885 | npad = (48 / md_size) * md_size;
|
---|
886 |
|
---|
887 | if (!send &&
|
---|
888 | EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
|
---|
889 | ssl3_cbc_record_digest_supported(hash)) {
|
---|
890 | /*
|
---|
891 | * This is a CBC-encrypted record. We must avoid leaking any
|
---|
892 | * timing-side channel information about how many blocks of data we
|
---|
893 | * are hashing because that gives an attacker a timing-oracle.
|
---|
894 | */
|
---|
895 |
|
---|
896 | /*-
|
---|
897 | * npad is, at most, 48 bytes and that's with MD5:
|
---|
898 | * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
|
---|
899 | *
|
---|
900 | * With SHA-1 (the largest hash speced for SSLv3) the hash size
|
---|
901 | * goes up 4, but npad goes down by 8, resulting in a smaller
|
---|
902 | * total size.
|
---|
903 | */
|
---|
904 | unsigned char header[75];
|
---|
905 | unsigned j = 0;
|
---|
906 | memcpy(header + j, mac_sec, md_size);
|
---|
907 | j += md_size;
|
---|
908 | memcpy(header + j, ssl3_pad_1, npad);
|
---|
909 | j += npad;
|
---|
910 | memcpy(header + j, seq, 8);
|
---|
911 | j += 8;
|
---|
912 | header[j++] = rec->type;
|
---|
913 | header[j++] = rec->length >> 8;
|
---|
914 | header[j++] = rec->length & 0xff;
|
---|
915 |
|
---|
916 | /* Final param == is SSLv3 */
|
---|
917 | if (ssl3_cbc_digest_record(hash,
|
---|
918 | md, &md_size,
|
---|
919 | header, rec->input,
|
---|
920 | rec->length + md_size, rec->orig_len,
|
---|
921 | mac_sec, md_size, 1) <= 0)
|
---|
922 | return -1;
|
---|
923 | } else {
|
---|
924 | unsigned int md_size_u;
|
---|
925 | /* Chop the digest off the end :-) */
|
---|
926 | EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
|
---|
927 |
|
---|
928 | if (md_ctx == NULL)
|
---|
929 | return -1;
|
---|
930 |
|
---|
931 | rec_char = rec->type;
|
---|
932 | p = md;
|
---|
933 | s2n(rec->length, p);
|
---|
934 | if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
|
---|
935 | || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
|
---|
936 | || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
|
---|
937 | || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
|
---|
938 | || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
|
---|
939 | || EVP_DigestUpdate(md_ctx, md, 2) <= 0
|
---|
940 | || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
|
---|
941 | || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
|
---|
942 | || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
|
---|
943 | || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
|
---|
944 | || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
|
---|
945 | || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
|
---|
946 | || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
|
---|
947 | EVP_MD_CTX_reset(md_ctx);
|
---|
948 | return -1;
|
---|
949 | }
|
---|
950 | md_size = md_size_u;
|
---|
951 |
|
---|
952 | EVP_MD_CTX_free(md_ctx);
|
---|
953 | }
|
---|
954 |
|
---|
955 | ssl3_record_sequence_update(seq);
|
---|
956 | return (md_size);
|
---|
957 | }
|
---|
958 |
|
---|
959 | int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
|
---|
960 | {
|
---|
961 | unsigned char *seq;
|
---|
962 | EVP_MD_CTX *hash;
|
---|
963 | size_t md_size;
|
---|
964 | int i;
|
---|
965 | EVP_MD_CTX *hmac = NULL, *mac_ctx;
|
---|
966 | unsigned char header[13];
|
---|
967 | int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
|
---|
968 | : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
|
---|
969 | int t;
|
---|
970 |
|
---|
971 | if (send) {
|
---|
972 | seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
|
---|
973 | hash = ssl->write_hash;
|
---|
974 | } else {
|
---|
975 | seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
|
---|
976 | hash = ssl->read_hash;
|
---|
977 | }
|
---|
978 |
|
---|
979 | t = EVP_MD_CTX_size(hash);
|
---|
980 | OPENSSL_assert(t >= 0);
|
---|
981 | md_size = t;
|
---|
982 |
|
---|
983 | /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
|
---|
984 | if (stream_mac) {
|
---|
985 | mac_ctx = hash;
|
---|
986 | } else {
|
---|
987 | hmac = EVP_MD_CTX_new();
|
---|
988 | if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash))
|
---|
989 | return -1;
|
---|
990 | mac_ctx = hmac;
|
---|
991 | }
|
---|
992 |
|
---|
993 | if (SSL_IS_DTLS(ssl)) {
|
---|
994 | unsigned char dtlsseq[8], *p = dtlsseq;
|
---|
995 |
|
---|
996 | s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
|
---|
997 | DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
|
---|
998 | memcpy(p, &seq[2], 6);
|
---|
999 |
|
---|
1000 | memcpy(header, dtlsseq, 8);
|
---|
1001 | } else
|
---|
1002 | memcpy(header, seq, 8);
|
---|
1003 |
|
---|
1004 | header[8] = rec->type;
|
---|
1005 | header[9] = (unsigned char)(ssl->version >> 8);
|
---|
1006 | header[10] = (unsigned char)(ssl->version);
|
---|
1007 | header[11] = (rec->length) >> 8;
|
---|
1008 | header[12] = (rec->length) & 0xff;
|
---|
1009 |
|
---|
1010 | if (!send && !SSL_READ_ETM(ssl) &&
|
---|
1011 | EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
|
---|
1012 | ssl3_cbc_record_digest_supported(mac_ctx)) {
|
---|
1013 | /*
|
---|
1014 | * This is a CBC-encrypted record. We must avoid leaking any
|
---|
1015 | * timing-side channel information about how many blocks of data we
|
---|
1016 | * are hashing because that gives an attacker a timing-oracle.
|
---|
1017 | */
|
---|
1018 | /* Final param == not SSLv3 */
|
---|
1019 | if (ssl3_cbc_digest_record(mac_ctx,
|
---|
1020 | md, &md_size,
|
---|
1021 | header, rec->input,
|
---|
1022 | rec->length + md_size, rec->orig_len,
|
---|
1023 | ssl->s3->read_mac_secret,
|
---|
1024 | ssl->s3->read_mac_secret_size, 0) <= 0) {
|
---|
1025 | EVP_MD_CTX_free(hmac);
|
---|
1026 | return -1;
|
---|
1027 | }
|
---|
1028 | } else {
|
---|
1029 | if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
|
---|
1030 | || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
|
---|
1031 | || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
|
---|
1032 | EVP_MD_CTX_free(hmac);
|
---|
1033 | return -1;
|
---|
1034 | }
|
---|
1035 | if (!send && !SSL_READ_ETM(ssl) && FIPS_mode())
|
---|
1036 | if (!tls_fips_digest_extra(ssl->enc_read_ctx,
|
---|
1037 | mac_ctx, rec->input,
|
---|
1038 | rec->length, rec->orig_len)) {
|
---|
1039 | EVP_MD_CTX_free(hmac);
|
---|
1040 | return -1;
|
---|
1041 | }
|
---|
1042 | }
|
---|
1043 |
|
---|
1044 | EVP_MD_CTX_free(hmac);
|
---|
1045 |
|
---|
1046 | #ifdef SSL_DEBUG
|
---|
1047 | fprintf(stderr, "seq=");
|
---|
1048 | {
|
---|
1049 | int z;
|
---|
1050 | for (z = 0; z < 8; z++)
|
---|
1051 | fprintf(stderr, "%02X ", seq[z]);
|
---|
1052 | fprintf(stderr, "\n");
|
---|
1053 | }
|
---|
1054 | fprintf(stderr, "rec=");
|
---|
1055 | {
|
---|
1056 | unsigned int z;
|
---|
1057 | for (z = 0; z < rec->length; z++)
|
---|
1058 | fprintf(stderr, "%02X ", rec->data[z]);
|
---|
1059 | fprintf(stderr, "\n");
|
---|
1060 | }
|
---|
1061 | #endif
|
---|
1062 |
|
---|
1063 | if (!SSL_IS_DTLS(ssl)) {
|
---|
1064 | for (i = 7; i >= 0; i--) {
|
---|
1065 | ++seq[i];
|
---|
1066 | if (seq[i] != 0)
|
---|
1067 | break;
|
---|
1068 | }
|
---|
1069 | }
|
---|
1070 | #ifdef SSL_DEBUG
|
---|
1071 | {
|
---|
1072 | unsigned int z;
|
---|
1073 | for (z = 0; z < md_size; z++)
|
---|
1074 | fprintf(stderr, "%02X ", md[z]);
|
---|
1075 | fprintf(stderr, "\n");
|
---|
1076 | }
|
---|
1077 | #endif
|
---|
1078 | return (md_size);
|
---|
1079 | }
|
---|
1080 |
|
---|
1081 | /*-
|
---|
1082 | * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
|
---|
1083 | * record in |rec| by updating |rec->length| in constant time.
|
---|
1084 | *
|
---|
1085 | * block_size: the block size of the cipher used to encrypt the record.
|
---|
1086 | * returns:
|
---|
1087 | * 0: (in non-constant time) if the record is publicly invalid.
|
---|
1088 | * 1: if the padding was valid
|
---|
1089 | * -1: otherwise.
|
---|
1090 | */
|
---|
1091 | int ssl3_cbc_remove_padding(SSL3_RECORD *rec,
|
---|
1092 | unsigned block_size, unsigned mac_size)
|
---|
1093 | {
|
---|
1094 | unsigned padding_length, good;
|
---|
1095 | const unsigned overhead = 1 /* padding length byte */ + mac_size;
|
---|
1096 |
|
---|
1097 | /*
|
---|
1098 | * These lengths are all public so we can test them in non-constant time.
|
---|
1099 | */
|
---|
1100 | if (overhead > rec->length)
|
---|
1101 | return 0;
|
---|
1102 |
|
---|
1103 | padding_length = rec->data[rec->length - 1];
|
---|
1104 | good = constant_time_ge(rec->length, padding_length + overhead);
|
---|
1105 | /* SSLv3 requires that the padding is minimal. */
|
---|
1106 | good &= constant_time_ge(block_size, padding_length + 1);
|
---|
1107 | rec->length -= good & (padding_length + 1);
|
---|
1108 | return constant_time_select_int(good, 1, -1);
|
---|
1109 | }
|
---|
1110 |
|
---|
1111 | /*-
|
---|
1112 | * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
|
---|
1113 | * record in |rec| in constant time and returns 1 if the padding is valid and
|
---|
1114 | * -1 otherwise. It also removes any explicit IV from the start of the record
|
---|
1115 | * without leaking any timing about whether there was enough space after the
|
---|
1116 | * padding was removed.
|
---|
1117 | *
|
---|
1118 | * block_size: the block size of the cipher used to encrypt the record.
|
---|
1119 | * returns:
|
---|
1120 | * 0: (in non-constant time) if the record is publicly invalid.
|
---|
1121 | * 1: if the padding was valid
|
---|
1122 | * -1: otherwise.
|
---|
1123 | */
|
---|
1124 | int tls1_cbc_remove_padding(const SSL *s,
|
---|
1125 | SSL3_RECORD *rec,
|
---|
1126 | unsigned block_size, unsigned mac_size)
|
---|
1127 | {
|
---|
1128 | unsigned padding_length, good, to_check, i;
|
---|
1129 | const unsigned overhead = 1 /* padding length byte */ + mac_size;
|
---|
1130 | /* Check if version requires explicit IV */
|
---|
1131 | if (SSL_USE_EXPLICIT_IV(s)) {
|
---|
1132 | /*
|
---|
1133 | * These lengths are all public so we can test them in non-constant
|
---|
1134 | * time.
|
---|
1135 | */
|
---|
1136 | if (overhead + block_size > rec->length)
|
---|
1137 | return 0;
|
---|
1138 | /* We can now safely skip explicit IV */
|
---|
1139 | rec->data += block_size;
|
---|
1140 | rec->input += block_size;
|
---|
1141 | rec->length -= block_size;
|
---|
1142 | rec->orig_len -= block_size;
|
---|
1143 | } else if (overhead > rec->length)
|
---|
1144 | return 0;
|
---|
1145 |
|
---|
1146 | padding_length = rec->data[rec->length - 1];
|
---|
1147 |
|
---|
1148 | if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) &
|
---|
1149 | EVP_CIPH_FLAG_AEAD_CIPHER) {
|
---|
1150 | /* padding is already verified */
|
---|
1151 | rec->length -= padding_length + 1;
|
---|
1152 | return 1;
|
---|
1153 | }
|
---|
1154 |
|
---|
1155 | good = constant_time_ge(rec->length, overhead + padding_length);
|
---|
1156 | /*
|
---|
1157 | * The padding consists of a length byte at the end of the record and
|
---|
1158 | * then that many bytes of padding, all with the same value as the length
|
---|
1159 | * byte. Thus, with the length byte included, there are i+1 bytes of
|
---|
1160 | * padding. We can't check just |padding_length+1| bytes because that
|
---|
1161 | * leaks decrypted information. Therefore we always have to check the
|
---|
1162 | * maximum amount of padding possible. (Again, the length of the record
|
---|
1163 | * is public information so we can use it.)
|
---|
1164 | */
|
---|
1165 | to_check = 256; /* maximum amount of padding, inc length byte. */
|
---|
1166 | if (to_check > rec->length)
|
---|
1167 | to_check = rec->length;
|
---|
1168 |
|
---|
1169 | for (i = 0; i < to_check; i++) {
|
---|
1170 | unsigned char mask = constant_time_ge_8(padding_length, i);
|
---|
1171 | unsigned char b = rec->data[rec->length - 1 - i];
|
---|
1172 | /*
|
---|
1173 | * The final |padding_length+1| bytes should all have the value
|
---|
1174 | * |padding_length|. Therefore the XOR should be zero.
|
---|
1175 | */
|
---|
1176 | good &= ~(mask & (padding_length ^ b));
|
---|
1177 | }
|
---|
1178 |
|
---|
1179 | /*
|
---|
1180 | * If any of the final |padding_length+1| bytes had the wrong value, one
|
---|
1181 | * or more of the lower eight bits of |good| will be cleared.
|
---|
1182 | */
|
---|
1183 | good = constant_time_eq(0xff, good & 0xff);
|
---|
1184 | rec->length -= good & (padding_length + 1);
|
---|
1185 |
|
---|
1186 | return constant_time_select_int(good, 1, -1);
|
---|
1187 | }
|
---|
1188 |
|
---|
1189 | /*-
|
---|
1190 | * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
|
---|
1191 | * constant time (independent of the concrete value of rec->length, which may
|
---|
1192 | * vary within a 256-byte window).
|
---|
1193 | *
|
---|
1194 | * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
|
---|
1195 | * this function.
|
---|
1196 | *
|
---|
1197 | * On entry:
|
---|
1198 | * rec->orig_len >= md_size
|
---|
1199 | * md_size <= EVP_MAX_MD_SIZE
|
---|
1200 | *
|
---|
1201 | * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
|
---|
1202 | * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
|
---|
1203 | * a single or pair of cache-lines, then the variable memory accesses don't
|
---|
1204 | * actually affect the timing. CPUs with smaller cache-lines [if any] are
|
---|
1205 | * not multi-core and are not considered vulnerable to cache-timing attacks.
|
---|
1206 | */
|
---|
1207 | #define CBC_MAC_ROTATE_IN_PLACE
|
---|
1208 |
|
---|
1209 | void ssl3_cbc_copy_mac(unsigned char *out,
|
---|
1210 | const SSL3_RECORD *rec, unsigned md_size)
|
---|
1211 | {
|
---|
1212 | #if defined(CBC_MAC_ROTATE_IN_PLACE)
|
---|
1213 | unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
|
---|
1214 | unsigned char *rotated_mac;
|
---|
1215 | #else
|
---|
1216 | unsigned char rotated_mac[EVP_MAX_MD_SIZE];
|
---|
1217 | #endif
|
---|
1218 |
|
---|
1219 | /*
|
---|
1220 | * mac_end is the index of |rec->data| just after the end of the MAC.
|
---|
1221 | */
|
---|
1222 | unsigned mac_end = rec->length;
|
---|
1223 | unsigned mac_start = mac_end - md_size;
|
---|
1224 | unsigned in_mac;
|
---|
1225 | /*
|
---|
1226 | * scan_start contains the number of bytes that we can ignore because the
|
---|
1227 | * MAC's position can only vary by 255 bytes.
|
---|
1228 | */
|
---|
1229 | unsigned scan_start = 0;
|
---|
1230 | unsigned i, j;
|
---|
1231 | unsigned rotate_offset;
|
---|
1232 |
|
---|
1233 | OPENSSL_assert(rec->orig_len >= md_size);
|
---|
1234 | OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
|
---|
1235 |
|
---|
1236 | #if defined(CBC_MAC_ROTATE_IN_PLACE)
|
---|
1237 | rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
|
---|
1238 | #endif
|
---|
1239 |
|
---|
1240 | /* This information is public so it's safe to branch based on it. */
|
---|
1241 | if (rec->orig_len > md_size + 255 + 1)
|
---|
1242 | scan_start = rec->orig_len - (md_size + 255 + 1);
|
---|
1243 |
|
---|
1244 | in_mac = 0;
|
---|
1245 | rotate_offset = 0;
|
---|
1246 | memset(rotated_mac, 0, md_size);
|
---|
1247 | for (i = scan_start, j = 0; i < rec->orig_len; i++) {
|
---|
1248 | unsigned mac_started = constant_time_eq(i, mac_start);
|
---|
1249 | unsigned mac_ended = constant_time_lt(i, mac_end);
|
---|
1250 | unsigned char b = rec->data[i];
|
---|
1251 |
|
---|
1252 | in_mac |= mac_started;
|
---|
1253 | in_mac &= mac_ended;
|
---|
1254 | rotate_offset |= j & mac_started;
|
---|
1255 | rotated_mac[j++] |= b & in_mac;
|
---|
1256 | j &= constant_time_lt(j, md_size);
|
---|
1257 | }
|
---|
1258 |
|
---|
1259 | /* Now rotate the MAC */
|
---|
1260 | #if defined(CBC_MAC_ROTATE_IN_PLACE)
|
---|
1261 | j = 0;
|
---|
1262 | for (i = 0; i < md_size; i++) {
|
---|
1263 | /* in case cache-line is 32 bytes, touch second line */
|
---|
1264 | ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
|
---|
1265 | out[j++] = rotated_mac[rotate_offset++];
|
---|
1266 | rotate_offset &= constant_time_lt(rotate_offset, md_size);
|
---|
1267 | }
|
---|
1268 | #else
|
---|
1269 | memset(out, 0, md_size);
|
---|
1270 | rotate_offset = md_size - rotate_offset;
|
---|
1271 | rotate_offset &= constant_time_lt(rotate_offset, md_size);
|
---|
1272 | for (i = 0; i < md_size; i++) {
|
---|
1273 | for (j = 0; j < md_size; j++)
|
---|
1274 | out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
|
---|
1275 | rotate_offset++;
|
---|
1276 | rotate_offset &= constant_time_lt(rotate_offset, md_size);
|
---|
1277 | }
|
---|
1278 | #endif
|
---|
1279 | }
|
---|
1280 |
|
---|
1281 | int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
|
---|
1282 | {
|
---|
1283 | int i, al;
|
---|
1284 | int enc_err;
|
---|
1285 | SSL_SESSION *sess;
|
---|
1286 | SSL3_RECORD *rr;
|
---|
1287 | unsigned int mac_size;
|
---|
1288 | unsigned char md[EVP_MAX_MD_SIZE];
|
---|
1289 |
|
---|
1290 | rr = RECORD_LAYER_get_rrec(&s->rlayer);
|
---|
1291 | sess = s->session;
|
---|
1292 |
|
---|
1293 | /*
|
---|
1294 | * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
|
---|
1295 | * and we have that many bytes in s->packet
|
---|
1296 | */
|
---|
1297 | rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]);
|
---|
1298 |
|
---|
1299 | /*
|
---|
1300 | * ok, we can now read from 's->packet' data into 'rr' rr->input points
|
---|
1301 | * at rr->length bytes, which need to be copied into rr->data by either
|
---|
1302 | * the decryption or by the decompression When the data is 'copied' into
|
---|
1303 | * the rr->data buffer, rr->input will be pointed at the new buffer
|
---|
1304 | */
|
---|
1305 |
|
---|
1306 | /*
|
---|
1307 | * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
|
---|
1308 | * bytes of encrypted compressed stuff.
|
---|
1309 | */
|
---|
1310 |
|
---|
1311 | /* check is not needed I believe */
|
---|
1312 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
|
---|
1313 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
1314 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
|
---|
1315 | goto f_err;
|
---|
1316 | }
|
---|
1317 |
|
---|
1318 | /* decrypt in place in 'rr->input' */
|
---|
1319 | rr->data = rr->input;
|
---|
1320 | rr->orig_len = rr->length;
|
---|
1321 |
|
---|
1322 | enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0);
|
---|
1323 | /*-
|
---|
1324 | * enc_err is:
|
---|
1325 | * 0: (in non-constant time) if the record is publically invalid.
|
---|
1326 | * 1: if the padding is valid
|
---|
1327 | * -1: if the padding is invalid
|
---|
1328 | */
|
---|
1329 | if (enc_err == 0) {
|
---|
1330 | /* For DTLS we simply ignore bad packets. */
|
---|
1331 | rr->length = 0;
|
---|
1332 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
1333 | goto err;
|
---|
1334 | }
|
---|
1335 | #ifdef SSL_DEBUG
|
---|
1336 | printf("dec %d\n", rr->length);
|
---|
1337 | {
|
---|
1338 | unsigned int z;
|
---|
1339 | for (z = 0; z < rr->length; z++)
|
---|
1340 | printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
|
---|
1341 | }
|
---|
1342 | printf("\n");
|
---|
1343 | #endif
|
---|
1344 |
|
---|
1345 | /* r->length is now the compressed data plus mac */
|
---|
1346 | if ((sess != NULL) &&
|
---|
1347 | (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
|
---|
1348 | /* s->read_hash != NULL => mac_size != -1 */
|
---|
1349 | unsigned char *mac = NULL;
|
---|
1350 | unsigned char mac_tmp[EVP_MAX_MD_SIZE];
|
---|
1351 | mac_size = EVP_MD_CTX_size(s->read_hash);
|
---|
1352 | OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
|
---|
1353 |
|
---|
1354 | /*
|
---|
1355 | * orig_len is the length of the record before any padding was
|
---|
1356 | * removed. This is public information, as is the MAC in use,
|
---|
1357 | * therefore we can safely process the record in a different amount
|
---|
1358 | * of time if it's too short to possibly contain a MAC.
|
---|
1359 | */
|
---|
1360 | if (rr->orig_len < mac_size ||
|
---|
1361 | /* CBC records must have a padding length byte too. */
|
---|
1362 | (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
|
---|
1363 | rr->orig_len < mac_size + 1)) {
|
---|
1364 | al = SSL_AD_DECODE_ERROR;
|
---|
1365 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
|
---|
1366 | goto f_err;
|
---|
1367 | }
|
---|
1368 |
|
---|
1369 | if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
|
---|
1370 | /*
|
---|
1371 | * We update the length so that the TLS header bytes can be
|
---|
1372 | * constructed correctly but we need to extract the MAC in
|
---|
1373 | * constant time from within the record, without leaking the
|
---|
1374 | * contents of the padding bytes.
|
---|
1375 | */
|
---|
1376 | mac = mac_tmp;
|
---|
1377 | ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
|
---|
1378 | rr->length -= mac_size;
|
---|
1379 | } else {
|
---|
1380 | /*
|
---|
1381 | * In this case there's no padding, so |rec->orig_len| equals
|
---|
1382 | * |rec->length| and we checked that there's enough bytes for
|
---|
1383 | * |mac_size| above.
|
---|
1384 | */
|
---|
1385 | rr->length -= mac_size;
|
---|
1386 | mac = &rr->data[rr->length];
|
---|
1387 | }
|
---|
1388 |
|
---|
1389 | i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
|
---|
1390 | if (i < 0 || mac == NULL
|
---|
1391 | || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
|
---|
1392 | enc_err = -1;
|
---|
1393 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
|
---|
1394 | enc_err = -1;
|
---|
1395 | }
|
---|
1396 |
|
---|
1397 | if (enc_err < 0) {
|
---|
1398 | /* decryption failed, silently discard message */
|
---|
1399 | rr->length = 0;
|
---|
1400 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
1401 | goto err;
|
---|
1402 | }
|
---|
1403 |
|
---|
1404 | /* r->length is now just compressed */
|
---|
1405 | if (s->expand != NULL) {
|
---|
1406 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
|
---|
1407 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
1408 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,
|
---|
1409 | SSL_R_COMPRESSED_LENGTH_TOO_LONG);
|
---|
1410 | goto f_err;
|
---|
1411 | }
|
---|
1412 | if (!ssl3_do_uncompress(s, rr)) {
|
---|
1413 | al = SSL_AD_DECOMPRESSION_FAILURE;
|
---|
1414 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
|
---|
1415 | goto f_err;
|
---|
1416 | }
|
---|
1417 | }
|
---|
1418 |
|
---|
1419 | if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
|
---|
1420 | al = SSL_AD_RECORD_OVERFLOW;
|
---|
1421 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
|
---|
1422 | goto f_err;
|
---|
1423 | }
|
---|
1424 |
|
---|
1425 | rr->off = 0;
|
---|
1426 | /*-
|
---|
1427 | * So at this point the following is true
|
---|
1428 | * ssl->s3->rrec.type is the type of record
|
---|
1429 | * ssl->s3->rrec.length == number of bytes in record
|
---|
1430 | * ssl->s3->rrec.off == offset to first valid byte
|
---|
1431 | * ssl->s3->rrec.data == where to take bytes from, increment
|
---|
1432 | * after use :-).
|
---|
1433 | */
|
---|
1434 |
|
---|
1435 | /* we have pulled in a full packet so zero things */
|
---|
1436 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
1437 |
|
---|
1438 | /* Mark receipt of record. */
|
---|
1439 | dtls1_record_bitmap_update(s, bitmap);
|
---|
1440 |
|
---|
1441 | return (1);
|
---|
1442 |
|
---|
1443 | f_err:
|
---|
1444 | ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
---|
1445 | err:
|
---|
1446 | return (0);
|
---|
1447 | }
|
---|
1448 |
|
---|
1449 | /*
|
---|
1450 | * retrieve a buffered record that belongs to the current epoch, ie,
|
---|
1451 | * processed
|
---|
1452 | */
|
---|
1453 | #define dtls1_get_processed_record(s) \
|
---|
1454 | dtls1_retrieve_buffered_record((s), \
|
---|
1455 | &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer)))
|
---|
1456 |
|
---|
1457 | /*-
|
---|
1458 | * Call this to get a new input record.
|
---|
1459 | * It will return <= 0 if more data is needed, normally due to an error
|
---|
1460 | * or non-blocking IO.
|
---|
1461 | * When it finishes, one packet has been decoded and can be found in
|
---|
1462 | * ssl->s3->rrec.type - is the type of record
|
---|
1463 | * ssl->s3->rrec.data, - data
|
---|
1464 | * ssl->s3->rrec.length, - number of bytes
|
---|
1465 | */
|
---|
1466 | /* used only by dtls1_read_bytes */
|
---|
1467 | int dtls1_get_record(SSL *s)
|
---|
1468 | {
|
---|
1469 | int ssl_major, ssl_minor;
|
---|
1470 | int i, n;
|
---|
1471 | SSL3_RECORD *rr;
|
---|
1472 | unsigned char *p = NULL;
|
---|
1473 | unsigned short version;
|
---|
1474 | DTLS1_BITMAP *bitmap;
|
---|
1475 | unsigned int is_next_epoch;
|
---|
1476 |
|
---|
1477 | rr = RECORD_LAYER_get_rrec(&s->rlayer);
|
---|
1478 |
|
---|
1479 | again:
|
---|
1480 | /*
|
---|
1481 | * The epoch may have changed. If so, process all the pending records.
|
---|
1482 | * This is a non-blocking operation.
|
---|
1483 | */
|
---|
1484 | if (!dtls1_process_buffered_records(s))
|
---|
1485 | return -1;
|
---|
1486 |
|
---|
1487 | /* if we're renegotiating, then there may be buffered records */
|
---|
1488 | if (dtls1_get_processed_record(s))
|
---|
1489 | return 1;
|
---|
1490 |
|
---|
1491 | /* get something from the wire */
|
---|
1492 |
|
---|
1493 | /* check if we have the header */
|
---|
1494 | if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
|
---|
1495 | (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) {
|
---|
1496 | n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
|
---|
1497 | SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1);
|
---|
1498 | /* read timeout is handled by dtls1_read_bytes */
|
---|
1499 | if (n <= 0)
|
---|
1500 | return (n); /* error or non-blocking */
|
---|
1501 |
|
---|
1502 | /* this packet contained a partial record, dump it */
|
---|
1503 | if (RECORD_LAYER_get_packet_length(&s->rlayer) !=
|
---|
1504 | DTLS1_RT_HEADER_LENGTH) {
|
---|
1505 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
1506 | goto again;
|
---|
1507 | }
|
---|
1508 |
|
---|
1509 | RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
|
---|
1510 |
|
---|
1511 | p = RECORD_LAYER_get_packet(&s->rlayer);
|
---|
1512 |
|
---|
1513 | if (s->msg_callback)
|
---|
1514 | s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
|
---|
1515 | s, s->msg_callback_arg);
|
---|
1516 |
|
---|
1517 | /* Pull apart the header into the DTLS1_RECORD */
|
---|
1518 | rr->type = *(p++);
|
---|
1519 | ssl_major = *(p++);
|
---|
1520 | ssl_minor = *(p++);
|
---|
1521 | version = (ssl_major << 8) | ssl_minor;
|
---|
1522 |
|
---|
1523 | /* sequence number is 64 bits, with top 2 bytes = epoch */
|
---|
1524 | n2s(p, rr->epoch);
|
---|
1525 |
|
---|
1526 | memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6);
|
---|
1527 | p += 6;
|
---|
1528 |
|
---|
1529 | n2s(p, rr->length);
|
---|
1530 |
|
---|
1531 | /* Lets check version */
|
---|
1532 | if (!s->first_packet) {
|
---|
1533 | if (version != s->version) {
|
---|
1534 | /* unexpected version, silently discard */
|
---|
1535 | rr->length = 0;
|
---|
1536 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
1537 | goto again;
|
---|
1538 | }
|
---|
1539 | }
|
---|
1540 |
|
---|
1541 | if ((version & 0xff00) != (s->version & 0xff00)) {
|
---|
1542 | /* wrong version, silently discard record */
|
---|
1543 | rr->length = 0;
|
---|
1544 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
1545 | goto again;
|
---|
1546 | }
|
---|
1547 |
|
---|
1548 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
|
---|
1549 | /* record too long, silently discard it */
|
---|
1550 | rr->length = 0;
|
---|
1551 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
1552 | goto again;
|
---|
1553 | }
|
---|
1554 |
|
---|
1555 | /* now s->rlayer.rstate == SSL_ST_READ_BODY */
|
---|
1556 | }
|
---|
1557 |
|
---|
1558 | /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
|
---|
1559 |
|
---|
1560 | if (rr->length >
|
---|
1561 | RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) {
|
---|
1562 | /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
|
---|
1563 | i = rr->length;
|
---|
1564 | n = ssl3_read_n(s, i, i, 1, 1);
|
---|
1565 | /* this packet contained a partial record, dump it */
|
---|
1566 | if (n != i) {
|
---|
1567 | rr->length = 0;
|
---|
1568 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
1569 | goto again;
|
---|
1570 | }
|
---|
1571 |
|
---|
1572 | /*
|
---|
1573 | * now n == rr->length, and s->packet_length ==
|
---|
1574 | * DTLS1_RT_HEADER_LENGTH + rr->length
|
---|
1575 | */
|
---|
1576 | }
|
---|
1577 | /* set state for later operations */
|
---|
1578 | RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
|
---|
1579 |
|
---|
1580 | /* match epochs. NULL means the packet is dropped on the floor */
|
---|
1581 | bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
|
---|
1582 | if (bitmap == NULL) {
|
---|
1583 | rr->length = 0;
|
---|
1584 | RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
|
---|
1585 | goto again; /* get another record */
|
---|
1586 | }
|
---|
1587 | #ifndef OPENSSL_NO_SCTP
|
---|
1588 | /* Only do replay check if no SCTP bio */
|
---|
1589 | if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
|
---|
1590 | #endif
|
---|
1591 | /* Check whether this is a repeat, or aged record. */
|
---|
1592 | /*
|
---|
1593 | * TODO: Does it make sense to have replay protection in epoch 0 where
|
---|
1594 | * we have no integrity negotiated yet?
|
---|
1595 | */
|
---|
1596 | if (!dtls1_record_replay_check(s, bitmap)) {
|
---|
1597 | rr->length = 0;
|
---|
1598 | RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
|
---|
1599 | goto again; /* get another record */
|
---|
1600 | }
|
---|
1601 | #ifndef OPENSSL_NO_SCTP
|
---|
1602 | }
|
---|
1603 | #endif
|
---|
1604 |
|
---|
1605 | /* just read a 0 length packet */
|
---|
1606 | if (rr->length == 0)
|
---|
1607 | goto again;
|
---|
1608 |
|
---|
1609 | /*
|
---|
1610 | * If this record is from the next epoch (either HM or ALERT), and a
|
---|
1611 | * handshake is currently in progress, buffer it since it cannot be
|
---|
1612 | * processed at this time.
|
---|
1613 | */
|
---|
1614 | if (is_next_epoch) {
|
---|
1615 | if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) {
|
---|
1616 | if (dtls1_buffer_record
|
---|
1617 | (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
|
---|
1618 | rr->seq_num) < 0)
|
---|
1619 | return -1;
|
---|
1620 | }
|
---|
1621 | rr->length = 0;
|
---|
1622 | RECORD_LAYER_reset_packet_length(&s->rlayer);
|
---|
1623 | goto again;
|
---|
1624 | }
|
---|
1625 |
|
---|
1626 | if (!dtls1_process_record(s, bitmap)) {
|
---|
1627 | rr->length = 0;
|
---|
1628 | RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
|
---|
1629 | goto again; /* get another record */
|
---|
1630 | }
|
---|
1631 |
|
---|
1632 | return (1);
|
---|
1633 |
|
---|
1634 | }
|
---|