1 /* ssl/record/ssl3_record.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
112 #include "../ssl_locl.h"
113 #include "../../crypto/constant_time_locl.h"
114 #include <openssl/rand.h>
115 #include "record_locl.h"
117 static const unsigned char ssl3_pad_1[48] = {
118 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
119 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
120 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
121 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
122 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
123 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
126 static const unsigned char ssl3_pad_2[48] = {
127 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
128 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
129 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
130 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
131 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
132 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
135 void SSL3_RECORD_clear(SSL3_RECORD *r)
137 memset(r->seq_num, 0, sizeof(r->seq_num));
140 void SSL3_RECORD_release(SSL3_RECORD *r)
142 OPENSSL_free(r->comp);
146 int SSL3_RECORD_setup(SSL3_RECORD *r)
149 r->comp = (unsigned char *)
150 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
156 void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
158 memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
162 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
163 * will be processed per call to ssl3_get_record. Without this limit an
164 * attacker could send empty records at a faster rate than we can process and
165 * cause ssl3_get_record to loop forever.
167 #define MAX_EMPTY_RECORDS 32
170 * Call this to get a new input record.
171 * It will return <= 0 if more data is needed, normally due to an error
172 * or non-blocking IO.
173 * When it finishes, one packet has been decoded and can be found in
174 * ssl->s3->rrec.type - is the type of record
175 * ssl->s3->rrec.data, - data
176 * ssl->s3->rrec.length, - number of bytes
178 /* used only by ssl3_read_bytes */
179 int ssl3_get_record(SSL *s)
181 int ssl_major, ssl_minor, al;
182 int enc_err, n, i, ret = -1;
186 unsigned char md[EVP_MAX_MD_SIZE];
190 unsigned empty_record_count = 0;
192 rr = RECORD_LAYER_get_rrec(&s->rlayer);
195 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
196 extra = SSL3_RT_MAX_EXTRA;
199 if (extra && !s->s3->init_extra) {
201 * An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER set after
202 * ssl3_setup_buffers() was done
204 SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
209 /* check if we have the header */
210 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
211 (RECORD_LAYER_get_packet_length(&s->rlayer) < SSL3_RT_HEADER_LENGTH)) {
212 n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
213 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0);
215 return (n); /* error or non-blocking */
216 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
218 p = RECORD_LAYER_get_packet(&s->rlayer);
220 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
221 s->msg_callback_arg);
223 /* Pull apart the header into the SSL3_RECORD */
227 version = (ssl_major << 8) | ssl_minor;
230 /* Lets check version */
231 if (!s->first_packet) {
232 if (version != s->version) {
233 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
234 if ((s->version & 0xFF00) == (version & 0xFF00)
235 && !s->enc_write_ctx && !s->write_hash)
237 * Send back error using their minor version number :-)
239 s->version = (unsigned short)version;
240 al = SSL_AD_PROTOCOL_VERSION;
245 if ((version >> 8) != SSL3_VERSION_MAJOR) {
246 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
251 SSL3_BUFFER_get_len(&s->rlayer.rbuf)
252 - SSL3_RT_HEADER_LENGTH) {
253 al = SSL_AD_RECORD_OVERFLOW;
254 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
258 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
261 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
264 RECORD_LAYER_get_packet_length(&s->rlayer) - SSL3_RT_HEADER_LENGTH) {
265 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
267 n = ssl3_read_n(s, i, i, 1);
269 return (n); /* error or non-blocking io */
271 * now n == rr->length, and s->packet_length == SSL3_RT_HEADER_LENGTH
276 /* set state for later operations */
277 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
280 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
281 * and we have that many bytes in s->packet
283 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
286 * ok, we can now read from 's->packet' data into 'rr' rr->input points
287 * at rr->length bytes, which need to be copied into rr->data by either
288 * the decryption or by the decompression When the data is 'copied' into
289 * the rr->data buffer, rr->input will be pointed at the new buffer
293 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
294 * bytes of encrypted compressed stuff.
297 /* check is not needed I believe */
298 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
299 al = SSL_AD_RECORD_OVERFLOW;
300 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
304 /* decrypt in place in 'rr->input' */
305 rr->data = rr->input;
306 rr->orig_len = rr->length;
308 * If in encrypt-then-mac mode calculate mac from encrypted record. All
309 * the details below are public so no timing details can leak.
311 if (SSL_USE_ETM(s) && s->read_hash) {
313 mac_size = EVP_MD_CTX_size(s->read_hash);
314 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
315 if (rr->length < mac_size) {
316 al = SSL_AD_DECODE_ERROR;
317 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
320 rr->length -= mac_size;
321 mac = rr->data + rr->length;
322 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
323 if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
324 al = SSL_AD_BAD_RECORD_MAC;
325 SSLerr(SSL_F_SSL3_GET_RECORD,
326 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
331 enc_err = s->method->ssl3_enc->enc(s, 0);
334 * 0: (in non-constant time) if the record is publically invalid.
335 * 1: if the padding is valid
336 * -1: if the padding is invalid
339 al = SSL_AD_DECRYPTION_FAILED;
340 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
344 printf("dec %d\n", rr->length);
347 for (z = 0; z < rr->length; z++)
348 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
353 /* r->length is now the compressed data plus mac */
354 if ((sess != NULL) &&
355 (s->enc_read_ctx != NULL) &&
356 (EVP_MD_CTX_md(s->read_hash) != NULL) && !SSL_USE_ETM(s)) {
357 /* s->read_hash != NULL => mac_size != -1 */
358 unsigned char *mac = NULL;
359 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
360 mac_size = EVP_MD_CTX_size(s->read_hash);
361 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
364 * orig_len is the length of the record before any padding was
365 * removed. This is public information, as is the MAC in use,
366 * therefore we can safely process the record in a different amount
367 * of time if it's too short to possibly contain a MAC.
369 if (rr->orig_len < mac_size ||
370 /* CBC records must have a padding length byte too. */
371 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
372 rr->orig_len < mac_size + 1)) {
373 al = SSL_AD_DECODE_ERROR;
374 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
378 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
380 * We update the length so that the TLS header bytes can be
381 * constructed correctly but we need to extract the MAC in
382 * constant time from within the record, without leaking the
383 * contents of the padding bytes.
386 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
387 rr->length -= mac_size;
390 * In this case there's no padding, so |rec->orig_len| equals
391 * |rec->length| and we checked that there's enough bytes for
394 rr->length -= mac_size;
395 mac = &rr->data[rr->length];
398 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
399 if (i < 0 || mac == NULL
400 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
402 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra + mac_size)
408 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
409 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
410 * failure is directly visible from the ciphertext anyway, we should
411 * not reveal which kind of error occurred -- this might become
412 * visible to an attacker (e.g. via a logfile)
414 al = SSL_AD_BAD_RECORD_MAC;
415 SSLerr(SSL_F_SSL3_GET_RECORD,
416 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
420 /* r->length is now just compressed */
421 if (s->expand != NULL) {
422 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra) {
423 al = SSL_AD_RECORD_OVERFLOW;
424 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
427 if (!ssl3_do_uncompress(s)) {
428 al = SSL_AD_DECOMPRESSION_FAILURE;
429 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
434 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH + extra) {
435 al = SSL_AD_RECORD_OVERFLOW;
436 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
442 * So at this point the following is true
443 * ssl->s3->rrec.type is the type of record
444 * ssl->s3->rrec.length == number of bytes in record
445 * ssl->s3->rrec.off == offset to first valid byte
446 * ssl->s3->rrec.data == where to take bytes from, increment
450 /* we have pulled in a full packet so zero things */
451 RECORD_LAYER_reset_packet_length(&s->rlayer);
453 /* just read a 0 length packet */
454 if (rr->length == 0) {
455 empty_record_count++;
456 if (empty_record_count > MAX_EMPTY_RECORDS) {
457 al = SSL_AD_UNEXPECTED_MESSAGE;
458 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
467 ssl3_send_alert(s, SSL3_AL_FATAL, al);
472 int ssl3_do_uncompress(SSL *ssl)
474 #ifndef OPENSSL_NO_COMP
478 rr = RECORD_LAYER_get_rrec(&ssl->rlayer);
479 i = COMP_expand_block(ssl->expand, rr->comp,
480 SSL3_RT_MAX_PLAIN_LENGTH, rr->data,
491 int ssl3_do_compress(SSL *ssl)
493 #ifndef OPENSSL_NO_COMP
497 wr = RECORD_LAYER_get_wrec(&ssl->rlayer);
498 i = COMP_compress_block(ssl->compress, wr->data,
499 SSL3_RT_MAX_COMPRESSED_LENGTH,
500 wr->input, (int)wr->length);
506 wr->input = wr->data;
512 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
515 * 0: (in non-constant time) if the record is publically invalid (i.e. too
517 * 1: if the record's padding is valid / the encryption was successful.
518 * -1: if the record's padding is invalid or, if sending, an internal error
521 int ssl3_enc(SSL *s, int send)
526 int bs, i, mac_size = 0;
527 const EVP_CIPHER *enc;
530 ds = s->enc_write_ctx;
531 rec = RECORD_LAYER_get_wrec(&s->rlayer);
532 if (s->enc_write_ctx == NULL)
535 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
537 ds = s->enc_read_ctx;
538 rec = RECORD_LAYER_get_rrec(&s->rlayer);
539 if (s->enc_read_ctx == NULL)
542 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
545 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
546 memmove(rec->data, rec->input, rec->length);
547 rec->input = rec->data;
550 bs = EVP_CIPHER_block_size(ds->cipher);
554 if ((bs != 1) && send) {
555 i = bs - ((int)l % bs);
557 /* we need to add 'i-1' padding bytes */
560 * the last of these zero bytes will be overwritten with the
563 memset(&rec->input[rec->length], 0, i);
565 rec->input[l - 1] = (i - 1);
569 if (l == 0 || l % bs != 0)
571 /* otherwise, rec->length >= bs */
574 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
577 if (EVP_MD_CTX_md(s->read_hash) != NULL)
578 mac_size = EVP_MD_CTX_size(s->read_hash);
579 if ((bs != 1) && !send)
580 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
586 * tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
589 * 0: (in non-constant time) if the record is publically invalid (i.e. too
591 * 1: if the record's padding is valid / the encryption was successful.
592 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
593 * an internal error occurred.
595 int tls1_enc(SSL *s, int send)
600 int bs, i, j, k, pad = 0, ret, mac_size = 0;
601 const EVP_CIPHER *enc;
604 if (EVP_MD_CTX_md(s->write_hash)) {
605 int n = EVP_MD_CTX_size(s->write_hash);
606 OPENSSL_assert(n >= 0);
608 ds = s->enc_write_ctx;
609 rec = RECORD_LAYER_get_wrec(&s->rlayer);
610 if (s->enc_write_ctx == NULL)
614 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
615 /* For TLSv1.1 and later explicit IV */
616 if (SSL_USE_EXPLICIT_IV(s)
617 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
618 ivlen = EVP_CIPHER_iv_length(enc);
622 if (rec->data != rec->input)
624 * we can't write into the input stream: Can this ever
628 "%s:%d: rec->data != rec->input\n",
630 else if (RAND_bytes(rec->input, ivlen) <= 0)
635 if (EVP_MD_CTX_md(s->read_hash)) {
636 int n = EVP_MD_CTX_size(s->read_hash);
637 OPENSSL_assert(n >= 0);
639 ds = s->enc_read_ctx;
640 rec = RECORD_LAYER_get_rrec(&s->rlayer);
641 if (s->enc_read_ctx == NULL)
644 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
648 fprintf(stderr, "tls1_enc(%d)\n", send);
649 #endif /* KSSL_DEBUG */
651 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
652 memmove(rec->data, rec->input, rec->length);
653 rec->input = rec->data;
657 bs = EVP_CIPHER_block_size(ds->cipher);
659 if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
660 unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq;
662 seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
663 : RECORD_LAYER_get_read_sequence(&s->rlayer);
665 if (SSL_IS_DTLS(s)) {
666 unsigned char dtlsseq[9], *p = dtlsseq;
668 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
669 DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
670 memcpy(p, &seq[2], 6);
671 memcpy(buf, dtlsseq, 8);
674 for (i = 7; i >= 0; i--) { /* increment */
682 buf[9] = (unsigned char)(s->version >> 8);
683 buf[10] = (unsigned char)(s->version);
684 buf[11] = rec->length >> 8;
685 buf[12] = rec->length & 0xff;
686 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
687 EVP_AEAD_TLS1_AAD_LEN, buf);
694 } else if ((bs != 1) && send) {
695 i = bs - ((int)l % bs);
697 /* Add weird padding of upto 256 bytes */
699 /* we need to add 'i' padding bytes of value j */
701 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
702 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
705 for (k = (int)l; k < (int)(l + i); k++)
714 "EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
715 ds, rec->data, rec->input, l);
717 "\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%lu %lu], %d iv_len\n",
718 ds->buf_len, ds->cipher->key_len, DES_KEY_SZ,
719 DES_SCHEDULE_SZ, ds->cipher->iv_len);
720 fprintf(stderr, "\t\tIV: ");
721 for (i = 0; i < ds->cipher->iv_len; i++)
722 fprintf(stderr, "%02X", ds->iv[i]);
723 fprintf(stderr, "\n");
724 fprintf(stderr, "\trec->input=");
725 for (ui = 0; ui < l; ui++)
726 fprintf(stderr, " %02x", rec->input[ui]);
727 fprintf(stderr, "\n");
729 #endif /* KSSL_DEBUG */
732 if (l == 0 || l % bs != 0)
736 i = EVP_Cipher(ds, rec->data, rec->input, l);
737 if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER)
740 return -1; /* AEAD can fail to verify MAC */
741 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
742 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
743 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
744 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
749 fprintf(stderr, "\trec->data=");
750 for (i = 0; i < l; i++)
751 fprintf(stderr, " %02x", rec->data[i]);
752 fprintf(stderr, "\n");
754 #endif /* KSSL_DEBUG */
757 if (!SSL_USE_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)
758 mac_size = EVP_MD_CTX_size(s->read_hash);
759 if ((bs != 1) && !send)
760 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
767 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
770 unsigned char *mac_sec, *seq;
772 const EVP_MD_CTX *hash;
773 unsigned char *p, rec_char;
779 rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
780 mac_sec = &(ssl->s3->write_mac_secret[0]);
781 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
782 hash = ssl->write_hash;
784 rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
785 mac_sec = &(ssl->s3->read_mac_secret[0]);
786 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
787 hash = ssl->read_hash;
790 t = EVP_MD_CTX_size(hash);
794 npad = (48 / md_size) * md_size;
797 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
798 ssl3_cbc_record_digest_supported(hash)) {
800 * This is a CBC-encrypted record. We must avoid leaking any
801 * timing-side channel information about how many blocks of data we
802 * are hashing because that gives an attacker a timing-oracle.
806 * npad is, at most, 48 bytes and that's with MD5:
807 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
809 * With SHA-1 (the largest hash speced for SSLv3) the hash size
810 * goes up 4, but npad goes down by 8, resulting in a smaller
813 unsigned char header[75];
815 memcpy(header + j, mac_sec, md_size);
817 memcpy(header + j, ssl3_pad_1, npad);
819 memcpy(header + j, seq, 8);
821 header[j++] = rec->type;
822 header[j++] = rec->length >> 8;
823 header[j++] = rec->length & 0xff;
825 /* Final param == is SSLv3 */
826 ssl3_cbc_digest_record(hash,
829 rec->length + md_size, rec->orig_len,
830 mac_sec, md_size, 1);
832 unsigned int md_size_u;
833 /* Chop the digest off the end :-) */
834 EVP_MD_CTX_init(&md_ctx);
836 EVP_MD_CTX_copy_ex(&md_ctx, hash);
837 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
838 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
839 EVP_DigestUpdate(&md_ctx, seq, 8);
840 rec_char = rec->type;
841 EVP_DigestUpdate(&md_ctx, &rec_char, 1);
844 EVP_DigestUpdate(&md_ctx, md, 2);
845 EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
846 EVP_DigestFinal_ex(&md_ctx, md, NULL);
848 EVP_MD_CTX_copy_ex(&md_ctx, hash);
849 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
850 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
851 EVP_DigestUpdate(&md_ctx, md, md_size);
852 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
855 EVP_MD_CTX_cleanup(&md_ctx);
858 ssl3_record_sequence_update(seq);
862 int tls1_mac(SSL *ssl, unsigned char *md, int send)
869 EVP_MD_CTX hmac, *mac_ctx;
870 unsigned char header[13];
871 int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
872 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
876 rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
877 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
878 hash = ssl->write_hash;
880 rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
881 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
882 hash = ssl->read_hash;
885 t = EVP_MD_CTX_size(hash);
886 OPENSSL_assert(t >= 0);
889 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
893 if (!EVP_MD_CTX_copy(&hmac, hash))
898 if (SSL_IS_DTLS(ssl)) {
899 unsigned char dtlsseq[8], *p = dtlsseq;
901 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
902 DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
903 memcpy(p, &seq[2], 6);
905 memcpy(header, dtlsseq, 8);
907 memcpy(header, seq, 8);
909 header[8] = rec->type;
910 header[9] = (unsigned char)(ssl->version >> 8);
911 header[10] = (unsigned char)(ssl->version);
912 header[11] = (rec->length) >> 8;
913 header[12] = (rec->length) & 0xff;
915 if (!send && !SSL_USE_ETM(ssl) &&
916 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
917 ssl3_cbc_record_digest_supported(mac_ctx)) {
919 * This is a CBC-encrypted record. We must avoid leaking any
920 * timing-side channel information about how many blocks of data we
921 * are hashing because that gives an attacker a timing-oracle.
923 /* Final param == not SSLv3 */
924 ssl3_cbc_digest_record(mac_ctx,
927 rec->length + md_size, rec->orig_len,
928 ssl->s3->read_mac_secret,
929 ssl->s3->read_mac_secret_size, 0);
931 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
932 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
933 t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
934 OPENSSL_assert(t > 0);
935 if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
936 tls_fips_digest_extra(ssl->enc_read_ctx,
938 rec->length, rec->orig_len);
942 EVP_MD_CTX_cleanup(&hmac);
944 fprintf(stderr, "seq=");
947 for (z = 0; z < 8; z++)
948 fprintf(stderr, "%02X ", seq[z]);
949 fprintf(stderr, "\n");
951 fprintf(stderr, "rec=");
954 for (z = 0; z < rec->length; z++)
955 fprintf(stderr, "%02X ", rec->data[z]);
956 fprintf(stderr, "\n");
960 if (!SSL_IS_DTLS(ssl)) {
961 for (i = 7; i >= 0; i--) {
970 for (z = 0; z < md_size; z++)
971 fprintf(stderr, "%02X ", md[z]);
972 fprintf(stderr, "\n");
979 * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
980 * record in |rec| by updating |rec->length| in constant time.
982 * block_size: the block size of the cipher used to encrypt the record.
984 * 0: (in non-constant time) if the record is publicly invalid.
985 * 1: if the padding was valid
988 int ssl3_cbc_remove_padding(const SSL *s,
990 unsigned block_size, unsigned mac_size)
992 unsigned padding_length, good;
993 const unsigned overhead = 1 /* padding length byte */ + mac_size;
996 * These lengths are all public so we can test them in non-constant time.
998 if (overhead > rec->length)
1001 padding_length = rec->data[rec->length - 1];
1002 good = constant_time_ge(rec->length, padding_length + overhead);
1003 /* SSLv3 requires that the padding is minimal. */
1004 good &= constant_time_ge(block_size, padding_length + 1);
1005 rec->length -= good & (padding_length + 1);
1006 return constant_time_select_int(good, 1, -1);
1010 * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
1011 * record in |rec| in constant time and returns 1 if the padding is valid and
1012 * -1 otherwise. It also removes any explicit IV from the start of the record
1013 * without leaking any timing about whether there was enough space after the
1014 * padding was removed.
1016 * block_size: the block size of the cipher used to encrypt the record.
1018 * 0: (in non-constant time) if the record is publicly invalid.
1019 * 1: if the padding was valid
1022 int tls1_cbc_remove_padding(const SSL *s,
1024 unsigned block_size, unsigned mac_size)
1026 unsigned padding_length, good, to_check, i;
1027 const unsigned overhead = 1 /* padding length byte */ + mac_size;
1028 /* Check if version requires explicit IV */
1029 if (SSL_USE_EXPLICIT_IV(s)) {
1031 * These lengths are all public so we can test them in non-constant
1034 if (overhead + block_size > rec->length)
1036 /* We can now safely skip explicit IV */
1037 rec->data += block_size;
1038 rec->input += block_size;
1039 rec->length -= block_size;
1040 rec->orig_len -= block_size;
1041 } else if (overhead > rec->length)
1044 padding_length = rec->data[rec->length - 1];
1047 * NB: if compression is in operation the first packet may not be of even
1048 * length so the padding bug check cannot be performed. This bug
1049 * workaround has been around since SSLeay so hopefully it is either
1050 * fixed now or no buggy implementation supports compression [steve]
1052 if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) {
1053 /* First packet is even in size, so check */
1054 if ((memcmp(RECORD_LAYER_get_read_sequence(&s->rlayer),
1055 "\0\0\0\0\0\0\0\0", 8) == 0) &&
1056 !(padding_length & 1)) {
1057 s->s3->flags |= TLS1_FLAGS_TLS_PADDING_BUG;
1059 if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) && padding_length > 0) {
1064 if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
1065 /* padding is already verified */
1066 rec->length -= padding_length + 1;
1070 good = constant_time_ge(rec->length, overhead + padding_length);
1072 * The padding consists of a length byte at the end of the record and
1073 * then that many bytes of padding, all with the same value as the length
1074 * byte. Thus, with the length byte included, there are i+1 bytes of
1075 * padding. We can't check just |padding_length+1| bytes because that
1076 * leaks decrypted information. Therefore we always have to check the
1077 * maximum amount of padding possible. (Again, the length of the record
1078 * is public information so we can use it.)
1080 to_check = 255; /* maximum amount of padding. */
1081 if (to_check > rec->length - 1)
1082 to_check = rec->length - 1;
1084 for (i = 0; i < to_check; i++) {
1085 unsigned char mask = constant_time_ge_8(padding_length, i);
1086 unsigned char b = rec->data[rec->length - 1 - i];
1088 * The final |padding_length+1| bytes should all have the value
1089 * |padding_length|. Therefore the XOR should be zero.
1091 good &= ~(mask & (padding_length ^ b));
1095 * If any of the final |padding_length+1| bytes had the wrong value, one
1096 * or more of the lower eight bits of |good| will be cleared.
1098 good = constant_time_eq(0xff, good & 0xff);
1099 rec->length -= good & (padding_length + 1);
1101 return constant_time_select_int(good, 1, -1);
1105 * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
1106 * constant time (independent of the concrete value of rec->length, which may
1107 * vary within a 256-byte window).
1109 * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
1113 * rec->orig_len >= md_size
1114 * md_size <= EVP_MAX_MD_SIZE
1116 * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
1117 * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
1118 * a single or pair of cache-lines, then the variable memory accesses don't
1119 * actually affect the timing. CPUs with smaller cache-lines [if any] are
1120 * not multi-core and are not considered vulnerable to cache-timing attacks.
1122 #define CBC_MAC_ROTATE_IN_PLACE
1124 void ssl3_cbc_copy_mac(unsigned char *out,
1125 const SSL3_RECORD *rec, unsigned md_size)
1127 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1128 unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
1129 unsigned char *rotated_mac;
1131 unsigned char rotated_mac[EVP_MAX_MD_SIZE];
1135 * mac_end is the index of |rec->data| just after the end of the MAC.
1137 unsigned mac_end = rec->length;
1138 unsigned mac_start = mac_end - md_size;
1140 * scan_start contains the number of bytes that we can ignore because the
1141 * MAC's position can only vary by 255 bytes.
1143 unsigned scan_start = 0;
1145 unsigned div_spoiler;
1146 unsigned rotate_offset;
1148 OPENSSL_assert(rec->orig_len >= md_size);
1149 OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
1151 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1152 rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
1155 /* This information is public so it's safe to branch based on it. */
1156 if (rec->orig_len > md_size + 255 + 1)
1157 scan_start = rec->orig_len - (md_size + 255 + 1);
1159 * div_spoiler contains a multiple of md_size that is used to cause the
1160 * modulo operation to be constant time. Without this, the time varies
1161 * based on the amount of padding when running on Intel chips at least.
1162 * The aim of right-shifting md_size is so that the compiler doesn't
1163 * figure out that it can remove div_spoiler as that would require it to
1164 * prove that md_size is always even, which I hope is beyond it.
1166 div_spoiler = md_size >> 1;
1167 div_spoiler <<= (sizeof(div_spoiler) - 1) * 8;
1168 rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
1170 memset(rotated_mac, 0, md_size);
1171 for (i = scan_start, j = 0; i < rec->orig_len; i++) {
1172 unsigned char mac_started = constant_time_ge_8(i, mac_start);
1173 unsigned char mac_ended = constant_time_ge_8(i, mac_end);
1174 unsigned char b = rec->data[i];
1175 rotated_mac[j++] |= b & mac_started & ~mac_ended;
1176 j &= constant_time_lt(j, md_size);
1179 /* Now rotate the MAC */
1180 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1182 for (i = 0; i < md_size; i++) {
1183 /* in case cache-line is 32 bytes, touch second line */
1184 ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
1185 out[j++] = rotated_mac[rotate_offset++];
1186 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1189 memset(out, 0, md_size);
1190 rotate_offset = md_size - rotate_offset;
1191 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1192 for (i = 0; i < md_size; i++) {
1193 for (j = 0; j < md_size; j++)
1194 out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
1196 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1201 int dtls1_process_record(SSL *s)
1207 unsigned int mac_size;
1208 unsigned char md[EVP_MAX_MD_SIZE];
1210 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1214 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
1215 * and we have that many bytes in s->packet
1217 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]);
1220 * ok, we can now read from 's->packet' data into 'rr' rr->input points
1221 * at rr->length bytes, which need to be copied into rr->data by either
1222 * the decryption or by the decompression When the data is 'copied' into
1223 * the rr->data buffer, rr->input will be pointed at the new buffer
1227 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
1228 * bytes of encrypted compressed stuff.
1231 /* check is not needed I believe */
1232 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1233 al = SSL_AD_RECORD_OVERFLOW;
1234 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1238 /* decrypt in place in 'rr->input' */
1239 rr->data = rr->input;
1240 rr->orig_len = rr->length;
1242 enc_err = s->method->ssl3_enc->enc(s, 0);
1245 * 0: (in non-constant time) if the record is publically invalid.
1246 * 1: if the padding is valid
1247 * -1: if the padding is invalid
1250 /* For DTLS we simply ignore bad packets. */
1252 RECORD_LAYER_reset_packet_length(&s->rlayer);
1256 printf("dec %d\n", rr->length);
1259 for (z = 0; z < rr->length; z++)
1260 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
1265 /* r->length is now the compressed data plus mac */
1266 if ((sess != NULL) &&
1267 (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
1268 /* s->read_hash != NULL => mac_size != -1 */
1269 unsigned char *mac = NULL;
1270 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
1271 mac_size = EVP_MD_CTX_size(s->read_hash);
1272 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
1275 * orig_len is the length of the record before any padding was
1276 * removed. This is public information, as is the MAC in use,
1277 * therefore we can safely process the record in a different amount
1278 * of time if it's too short to possibly contain a MAC.
1280 if (rr->orig_len < mac_size ||
1281 /* CBC records must have a padding length byte too. */
1282 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1283 rr->orig_len < mac_size + 1)) {
1284 al = SSL_AD_DECODE_ERROR;
1285 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
1289 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
1291 * We update the length so that the TLS header bytes can be
1292 * constructed correctly but we need to extract the MAC in
1293 * constant time from within the record, without leaking the
1294 * contents of the padding bytes.
1297 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
1298 rr->length -= mac_size;
1301 * In this case there's no padding, so |rec->orig_len| equals
1302 * |rec->length| and we checked that there's enough bytes for
1305 rr->length -= mac_size;
1306 mac = &rr->data[rr->length];
1309 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
1310 if (i < 0 || mac == NULL
1311 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
1313 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
1318 /* decryption failed, silently discard message */
1320 RECORD_LAYER_reset_packet_length(&s->rlayer);
1324 /* r->length is now just compressed */
1325 if (s->expand != NULL) {
1326 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
1327 al = SSL_AD_RECORD_OVERFLOW;
1328 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,
1329 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1332 if (!ssl3_do_uncompress(s)) {
1333 al = SSL_AD_DECOMPRESSION_FAILURE;
1334 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
1339 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
1340 al = SSL_AD_RECORD_OVERFLOW;
1341 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
1347 * So at this point the following is true
1348 * ssl->s3->rrec.type is the type of record
1349 * ssl->s3->rrec.length == number of bytes in record
1350 * ssl->s3->rrec.off == offset to first valid byte
1351 * ssl->s3->rrec.data == where to take bytes from, increment
1355 /* we have pulled in a full packet so zero things */
1356 RECORD_LAYER_reset_packet_length(&s->rlayer);
1360 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1367 * retrieve a buffered record that belongs to the current epoch, ie,
1370 #define dtls1_get_processed_record(s) \
1371 dtls1_retrieve_buffered_record((s), \
1372 &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer)))
1375 * Call this to get a new input record.
1376 * It will return <= 0 if more data is needed, normally due to an error
1377 * or non-blocking IO.
1378 * When it finishes, one packet has been decoded and can be found in
1379 * ssl->s3->rrec.type - is the type of record
1380 * ssl->s3->rrec.data, - data
1381 * ssl->s3->rrec.length, - number of bytes
1383 /* used only by dtls1_read_bytes */
1384 int dtls1_get_record(SSL *s)
1386 int ssl_major, ssl_minor;
1389 unsigned char *p = NULL;
1390 unsigned short version;
1391 DTLS1_BITMAP *bitmap;
1392 unsigned int is_next_epoch;
1394 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1397 * The epoch may have changed. If so, process all the pending records.
1398 * This is a non-blocking operation.
1400 if (dtls1_process_buffered_records(s) < 0)
1403 /* if we're renegotiating, then there may be buffered records */
1404 if (dtls1_get_processed_record(s))
1407 /* get something from the wire */
1409 /* check if we have the header */
1410 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
1411 (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) {
1412 n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
1413 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0);
1414 /* read timeout is handled by dtls1_read_bytes */
1416 return (n); /* error or non-blocking */
1418 /* this packet contained a partial record, dump it */
1419 if (RECORD_LAYER_get_packet_length(&s->rlayer) != DTLS1_RT_HEADER_LENGTH) {
1420 RECORD_LAYER_reset_packet_length(&s->rlayer);
1424 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
1426 p = RECORD_LAYER_get_packet(&s->rlayer);
1428 if (s->msg_callback)
1429 s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
1430 s, s->msg_callback_arg);
1432 /* Pull apart the header into the DTLS1_RECORD */
1436 version = (ssl_major << 8) | ssl_minor;
1438 /* sequence number is 64 bits, with top 2 bytes = epoch */
1441 memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6);
1446 /* Lets check version */
1447 if (!s->first_packet) {
1448 if (version != s->version) {
1449 /* unexpected version, silently discard */
1451 RECORD_LAYER_reset_packet_length(&s->rlayer);
1456 if ((version & 0xff00) != (s->version & 0xff00)) {
1457 /* wrong version, silently discard record */
1459 RECORD_LAYER_reset_packet_length(&s->rlayer);
1463 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1464 /* record too long, silently discard it */
1466 RECORD_LAYER_reset_packet_length(&s->rlayer);
1470 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
1473 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
1476 RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) {
1477 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
1479 n = ssl3_read_n(s, i, i, 1);
1480 /* this packet contained a partial record, dump it */
1483 RECORD_LAYER_reset_packet_length(&s->rlayer);
1488 * now n == rr->length, and s->packet_length ==
1489 * DTLS1_RT_HEADER_LENGTH + rr->length
1492 /* set state for later operations */
1493 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
1495 /* match epochs. NULL means the packet is dropped on the floor */
1496 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
1497 if (bitmap == NULL) {
1499 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1500 goto again; /* get another record */
1502 #ifndef OPENSSL_NO_SCTP
1503 /* Only do replay check if no SCTP bio */
1504 if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
1507 * Check whether this is a repeat, or aged record. Don't check if
1508 * we're listening and this message is a ClientHello. They can look
1509 * as if they're replayed, since they arrive from different
1510 * connections and would be dropped unnecessarily.
1512 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
1513 RECORD_LAYER_get_packet_length(&s->rlayer)
1514 > DTLS1_RT_HEADER_LENGTH &&
1515 RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]
1516 == SSL3_MT_CLIENT_HELLO) &&
1517 !dtls1_record_replay_check(s, bitmap)) {
1519 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1520 goto again; /* get another record */
1522 #ifndef OPENSSL_NO_SCTP
1526 /* just read a 0 length packet */
1527 if (rr->length == 0)
1531 * If this record is from the next epoch (either HM or ALERT), and a
1532 * handshake is currently in progress, buffer it since it cannot be
1533 * processed at this time. However, do not buffer anything while
1536 if (is_next_epoch) {
1537 if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) {
1538 if (dtls1_buffer_record
1539 (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
1542 /* Mark receipt of record. */
1543 dtls1_record_bitmap_update(s, bitmap);
1546 RECORD_LAYER_reset_packet_length(&s->rlayer);
1550 if (!dtls1_process_record(s)) {
1552 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1553 goto again; /* get another record */
1555 dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */