X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Frecord%2Fssl3_record.c;h=fa7f5d94f74f18771b0f69f0c46e659651348150;hb=add8d0e9e0bb80728f4b89d15573bf2e70596ceb;hp=fc4723685c8b05aa55414cf8879fa9da5899706a;hpb=8f77fab82486c19ab48eee07718e190f76e6ea9a;p=openssl.git diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index fc4723685c..fa7f5d94f7 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -11,6 +11,7 @@ #include "internal/constant_time_locl.h" #include #include "record_locl.h" +#include "internal/cryptlib.h" static const unsigned char ssl3_pad_1[48] = { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, @@ -100,6 +101,49 @@ static int ssl3_record_app_data_waiting(SSL *s) return 1; } +int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) +{ + uint32_t max_early_data = s->max_early_data; + SSL_SESSION *sess = s->session; + + /* + * If we are a client then we always use the max_early_data from the + * session/psksession. Otherwise we go with the lowest out of the max early + * data set in the session and the configured max_early_data. + */ + if (!s->server && sess->ext.max_early_data == 0) { + if (!ossl_assert(s->psksession != NULL + && s->psksession->ext.max_early_data > 0)) { + SSLerr(SSL_F_EARLY_DATA_COUNT_OK, ERR_R_INTERNAL_ERROR); + return 0; + } + sess = s->psksession; + } + if (!s->server + || (s->hit && sess->ext.max_early_data < s->max_early_data)) + max_early_data = sess->ext.max_early_data; + + if (max_early_data == 0) { + if (al != NULL) + *al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); + return 0; + } + + /* If we are dealing with ciphertext we need to allow for the overhead */ + max_early_data += overhead; + + if (s->early_data_count + length > max_early_data) { + if (al != NULL) + *al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); + return 0; + } + s->early_data_count += length; + + return 1; +} + /* * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that * will be processed per call to ssl3_get_record. Without this limit an @@ -138,6 +182,7 @@ int ssl3_get_record(SSL *s) int imac_size; size_t num_recs = 0, max_recs, j; PACKET pkt, sslv2pkt; + size_t first_rec_len; rr = RECORD_LAYER_get_rrec(&s->rlayer); rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); @@ -173,7 +218,7 @@ int ssl3_get_record(SSL *s) sslv2pkt = pkt; if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len) || !PACKET_get_1(&sslv2pkt, &type)) { - al = SSL_AD_INTERNAL_ERROR; + al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); goto f_err; } @@ -205,17 +250,12 @@ int ssl3_get_record(SSL *s) } if (thisrr->length < MIN_SSL2_RECORD_LEN) { - al = SSL_AD_HANDSHAKE_FAILURE; + al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); goto f_err; } } else { /* SSLv3+ style record */ - /* - * TODO(TLS1.3): This callback only provides the "outer" record - * type to the callback. Somehow we need to pass the "inner" - * record type - */ if (s->msg_callback) s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s, s->msg_callback_arg); @@ -224,7 +264,7 @@ int ssl3_get_record(SSL *s) if (!PACKET_get_1(&pkt, &type) || !PACKET_get_net_2(&pkt, &version) || !PACKET_get_net_2_len(&pkt, &thisrr->length)) { - al = SSL_AD_INTERNAL_ERROR; + al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); goto f_err; } @@ -304,6 +344,31 @@ int ssl3_get_record(SSL *s) /* now s->rlayer.rstate == SSL_ST_READ_BODY */ } + if (SSL_IS_TLS13(s)) { + if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { + al = SSL_AD_RECORD_OVERFLOW; + SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + goto f_err; + } + } else { + size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH; + +#ifndef OPENSSL_NO_COMP + /* + * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH + * does not include the compression overhead anyway. + */ + if (s->expand == NULL) + len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD; +#endif + + if (thisrr->length > len) { + al = SSL_AD_RECORD_OVERFLOW; + SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + goto f_err; + } + } + /* * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data. * Calculate how much more data we need to read for the rest of the @@ -352,13 +417,6 @@ int ssl3_get_record(SSL *s) * thisrr->length bytes of encrypted compressed stuff. */ - /* check is not needed I believe */ - if (thisrr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; - } - /* decrypt in place in 'thisrr->input' */ thisrr->data = thisrr->input; thisrr->orig_len = thisrr->length; @@ -383,17 +441,16 @@ int ssl3_get_record(SSL *s) * If in encrypt-then-mac mode calculate mac from encrypted record. All * the details below are public so no timing details can leak. */ - if (SSL_USE_ETM(s) && s->read_hash) { + if (SSL_READ_ETM(s) && s->read_hash) { unsigned char *mac; /* TODO(size_t): convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); - if (imac_size < 0) { + if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP); goto f_err; } mac_size = (size_t)imac_size; - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); for (j = 0; j < num_recs; j++) { thisrr = &rr[j]; @@ -414,15 +471,35 @@ int ssl3_get_record(SSL *s) } } + first_rec_len = rr[0].length; + enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0); /*- * enc_err is: - * 0: (in non-constant time) if the record is publically invalid. + * 0: (in non-constant time) if the record is publicly invalid. * 1: if the padding is valid * -1: if the padding is invalid */ if (enc_err == 0) { + if (num_recs == 1 && ossl_statem_skip_early_data(s)) { + /* + * Valid early_data that we cannot decrypt might fail here as + * publicly invalid. We treat it like an empty record. + */ + + thisrr = &rr[0]; + + if (!early_data_count_ok(s, thisrr->length, + EARLY_DATA_CIPHERTEXT_OVERHEAD, &al)) + goto f_err; + + thisrr->length = 0; + thisrr->read = 1; + RECORD_LAYER_set_numrpipes(&s->rlayer, 1); + RECORD_LAYER_reset_read_sequence(&s->rlayer); + return 1; + } al = SSL_AD_DECRYPTION_FAILED; SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); goto f_err; @@ -440,13 +517,17 @@ int ssl3_get_record(SSL *s) /* r->length is now the compressed data plus mac */ if ((sess != NULL) && (s->enc_read_ctx != NULL) && - (EVP_MD_CTX_md(s->read_hash) != NULL) && !SSL_USE_ETM(s)) { + (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) { /* s->read_hash != NULL => mac_size != -1 */ unsigned char *mac = NULL; unsigned char mac_tmp[EVP_MAX_MD_SIZE]; mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); + goto f_err; + } for (j = 0; j < num_recs; j++) { thisrr = &rr[j]; @@ -473,7 +554,11 @@ int ssl3_get_record(SSL *s) * contents of the padding bytes. */ mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size); + if (!ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); + goto f_err; + } thisrr->length -= mac_size; } else { /* @@ -495,6 +580,27 @@ int ssl3_get_record(SSL *s) } if (enc_err < 0) { + if (num_recs == 1 && ossl_statem_skip_early_data(s)) { + /* + * We assume this is unreadable early_data - we treat it like an + * empty record + */ + + /* + * The record length may have been modified by the mac check above + * so we use the previously saved value + */ + if (!early_data_count_ok(s, first_rec_len, + EARLY_DATA_CIPHERTEXT_OVERHEAD, &al)) + goto f_err; + + thisrr = &rr[0]; + thisrr->length = 0; + thisrr->read = 1; + RECORD_LAYER_set_numrpipes(&s->rlayer, 1); + RECORD_LAYER_reset_read_sequence(&s->rlayer); + return 1; + } /* * A separate 'decryption_failed' alert was introduced with TLS 1.0, * SSL 3.0 only has 'bad_record_mac'. But unless a decryption @@ -528,7 +634,8 @@ int ssl3_get_record(SSL *s) if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { size_t end; - if (thisrr->length == 0) { + if (thisrr->length == 0 + || thisrr->type != SSL3_RT_APPLICATION_DATA) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); goto f_err; @@ -548,6 +655,22 @@ int ssl3_get_record(SSL *s) SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); goto f_err; } + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE, + &thisrr->data[end], 1, s, s->msg_callback_arg); + } + + /* + * TLSv1.3 alert and handshake records are required to be non-zero in + * length. + */ + if (SSL_IS_TLS13(s) + && (thisrr->type == SSL3_RT_HANDSHAKE + || thisrr->type == SSL3_RT_ALERT) + && thisrr->length == 0) { + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_LENGTH); + goto f_err; } if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) { @@ -579,6 +702,13 @@ int ssl3_get_record(SSL *s) } } + if (s->early_data_state == SSL_EARLY_DATA_READING) { + thisrr = &rr[0]; + if (thisrr->type == SSL3_RT_APPLICATION_DATA + && !early_data_count_ok(s, thisrr->length, 0, &al)) + goto f_err; + } + RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs); return 1; @@ -641,7 +771,7 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr) * -1: if the record's padding is invalid or, if sending, an internal error * occurred. */ -int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send) +int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending) { SSL3_RECORD *rec; EVP_CIPHER_CTX *ds; @@ -656,7 +786,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send) */ if (n_recs != 1) return 0; - if (send) { + if (sending) { ds = s->enc_write_ctx; if (s->enc_write_ctx == NULL) enc = NULL; @@ -680,7 +810,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send) /* COMPRESS */ - if ((bs != 1) && send) { + if ((bs != 1) && sending) { i = bs - (l % bs); /* we need to add 'i-1' padding bytes */ @@ -694,7 +824,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send) rec->input[l - 1] = (unsigned char)(i - 1); } - if (!send) { + if (!sending) { if (l == 0 || l % bs != 0) return 0; /* otherwise, rec->length >= bs */ @@ -711,7 +841,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send) return -1; mac_size = (size_t)imac_size; } - if ((bs != 1) && !send) + if ((bs != 1) && !sending) return ssl3_cbc_remove_padding(rec, bs, mac_size); } return (1); @@ -728,7 +858,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send) * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, * an internal error occurred. */ -int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) +int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) { EVP_CIPHER_CTX *ds; size_t reclen[SSL_MAX_PIPELINES]; @@ -739,10 +869,16 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) int imac_size; const EVP_CIPHER *enc; - if (send) { + if (n_recs == 0) + return 0; + + if (sending) { if (EVP_MD_CTX_md(s->write_hash)) { int n = EVP_MD_CTX_size(s->write_hash); - OPENSSL_assert(n >= 0); + if (!ossl_assert(n >= 0)) { + SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + return -1; + } } ds = s->enc_write_ctx; if (s->enc_write_ctx == NULL) @@ -765,7 +901,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) */ SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); return -1; - } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) { + } else if (ssl_randbytes(s, recs[ctr].input, ivlen) <= 0) { SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); return -1; } @@ -775,7 +911,10 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) } else { if (EVP_MD_CTX_md(s->read_hash)) { int n = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(n >= 0); + if (!ossl_assert(n >= 0)) { + SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + return -1; + } } ds = s->enc_read_ctx; if (s->enc_read_ctx == NULL) @@ -811,14 +950,14 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) & EVP_CIPH_FLAG_AEAD_CIPHER) { unsigned char *seq; - seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer) + seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer) : RECORD_LAYER_get_read_sequence(&s->rlayer); if (SSL_IS_DTLS(s)) { /* DTLS does not support pipelining */ unsigned char dtlsseq[9], *p = dtlsseq; - s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) : + s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) : DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p); memcpy(p, &seq[2], 6); memcpy(buf[ctr], dtlsseq, 8); @@ -841,12 +980,12 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) if (pad <= 0) return -1; - if (send) { + if (sending) { reclen[ctr] += pad; recs[ctr].length += pad; } - } else if ((bs != 1) && send) { + } else if ((bs != 1) && sending) { padnum = bs - (reclen[ctr] % bs); /* Add weird padding of upto 256 bytes */ @@ -861,7 +1000,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) recs[ctr].length += padnum; } - if (!send) { + if (!sending) { if (reclen[ctr] == 0 || reclen[ctr] % bs != 0) return 0; } @@ -898,7 +1037,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) ? (tmpr < 0) : (tmpr == 0)) return -1; /* AEAD can fail to verify MAC */ - if (send == 0) { + if (sending == 0) { if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) { for (ctr = 0; ctr < n_recs; ctr++) { recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN; @@ -915,13 +1054,13 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) } ret = 1; - if (!SSL_USE_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) { + if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) { imac_size = EVP_MD_CTX_size(s->read_hash); if (imac_size < 0) return -1; mac_size = (size_t)imac_size; } - if ((bs != 1) && !send) { + if ((bs != 1) && !sending) { int tmpret; for (ctr = 0; ctr < n_recs; ctr++) { tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size); @@ -936,7 +1075,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) ret, -1); } } - if (pad && !send) { + if (pad && !sending) { for (ctr = 0; ctr < n_recs; ctr++) { recs[ctr].length -= pad; } @@ -945,7 +1084,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) return ret; } -int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) +int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) { unsigned char *mac_sec, *seq; const EVP_MD_CTX *hash; @@ -954,7 +1093,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) size_t npad; int t; - if (send) { + if (sending) { mac_sec = &(ssl->s3->write_mac_secret[0]); seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer); hash = ssl->write_hash; @@ -970,7 +1109,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) md_size = t; npad = (48 / md_size) * md_size; - if (!send && + if (!sending && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && ssl3_cbc_record_digest_supported(hash)) { /* @@ -1041,7 +1180,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) return 1; } -int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) +int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) { unsigned char *seq; EVP_MD_CTX *hash; @@ -1049,11 +1188,11 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) int i; EVP_MD_CTX *hmac = NULL, *mac_ctx; unsigned char header[13]; - int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) + int stream_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM)); int t; - if (send) { + if (sending) { seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer); hash = ssl->write_hash; } else { @@ -1062,7 +1201,8 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) } t = EVP_MD_CTX_size(hash); - OPENSSL_assert(t >= 0); + if (!ossl_assert(t >= 0)) + return 0; md_size = t; /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ @@ -1078,7 +1218,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) if (SSL_IS_DTLS(ssl)) { unsigned char dtlsseq[8], *p = dtlsseq; - s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) : + s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) : DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p); memcpy(p, &seq[2], 6); @@ -1092,7 +1232,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) header[11] = (unsigned char)(rec->length >> 8); header[12] = (unsigned char)(rec->length & 0xff); - if (!send && !SSL_USE_ETM(ssl) && + if (!sending && !SSL_READ_ETM(ssl) && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && ssl3_cbc_record_digest_supported(mac_ctx)) { /* @@ -1108,7 +1248,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) ssl->s3->read_mac_secret, ssl->s3->read_mac_secret_size, 0) <= 0) { EVP_MD_CTX_free(hmac); - return -1; + return 0; } } else { /* TODO(size_t): Convert these calls */ @@ -1118,13 +1258,6 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) EVP_MD_CTX_free(hmac); return 0; } - if (!send && !SSL_USE_ETM(ssl) && FIPS_mode()) - if (!tls_fips_digest_extra(ssl->enc_read_ctx, - mac_ctx, rec->input, - rec->length, rec->orig_len)) { - EVP_MD_CTX_free(hmac); - return 0; - } } EVP_MD_CTX_free(hmac); @@ -1294,7 +1427,7 @@ int tls1_cbc_remove_padding(const SSL *s, */ #define CBC_MAC_ROTATE_IN_PLACE -void ssl3_cbc_copy_mac(unsigned char *out, +int ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD *rec, size_t md_size) { #if defined(CBC_MAC_ROTATE_IN_PLACE) @@ -1318,8 +1451,9 @@ void ssl3_cbc_copy_mac(unsigned char *out, size_t i, j; size_t rotate_offset; - OPENSSL_assert(rec->orig_len >= md_size); - OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(rec->orig_len >= md_size + && md_size <= EVP_MAX_MD_SIZE)) + return 0; #if defined(CBC_MAC_ROTATE_IN_PLACE) rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63); @@ -1364,6 +1498,8 @@ void ssl3_cbc_copy_mac(unsigned char *out, rotate_offset &= constant_time_lt_s(rotate_offset, md_size); } #endif + + return 1; } int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) @@ -1408,10 +1544,14 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) rr->data = rr->input; rr->orig_len = rr->length; - if (SSL_USE_ETM(s) && s->read_hash) { + if (SSL_READ_ETM(s) && s->read_hash) { unsigned char *mac; mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); + goto f_err; + } if (rr->orig_len < mac_size) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); @@ -1452,7 +1592,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) #endif /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && !SSL_USE_ETM(s) && + if ((sess != NULL) && !SSL_READ_ETM(s) && (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) { /* s->read_hash != NULL => mac_size != -1 */ unsigned char *mac = NULL; @@ -1466,7 +1606,11 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) goto f_err; } mac_size = (size_t)imac_size; - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); + goto f_err; + } /* * orig_len is the length of the record before any padding was @@ -1491,7 +1635,11 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) * contents of the padding bytes. */ mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, rr, mac_size); + if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); + goto f_err; + } rr->length -= mac_size; } else { /* @@ -1564,8 +1712,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) } /* - * retrieve a buffered record that belongs to the current epoch, ie, - * processed + * Retrieve a buffered record that belongs to the current epoch, i.e. processed */ #define dtls1_get_processed_record(s) \ dtls1_retrieve_buffered_record((s), \