1 /* ssl/record/ssl3_record.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
112 #include "../ssl_locl.h"
113 #include "internal/constant_time_locl.h"
114 #include <openssl/rand.h>
115 #include "record_locl.h"
117 static const unsigned char ssl3_pad_1[48] = {
118 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
119 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
120 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
121 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
122 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
123 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
126 static const unsigned char ssl3_pad_2[48] = {
127 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
128 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
129 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
130 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
131 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
132 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
136 * Clear the contents of an SSL3_RECORD but retain any memory allocated
138 void SSL3_RECORD_clear(SSL3_RECORD *r)
140 unsigned char *comp = r->comp;
142 memset(r, 0, sizeof(*r));
146 void SSL3_RECORD_release(SSL3_RECORD *r)
148 OPENSSL_free(r->comp);
152 int SSL3_RECORD_setup(SSL3_RECORD *r)
155 r->comp = (unsigned char *)
156 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
162 void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
164 memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
168 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
169 * will be processed per call to ssl3_get_record. Without this limit an
170 * attacker could send empty records at a faster rate than we can process and
171 * cause ssl3_get_record to loop forever.
173 #define MAX_EMPTY_RECORDS 32
175 #define SSL2_RT_HEADER_LENGTH 2
177 * Call this to get a new input record.
178 * It will return <= 0 if more data is needed, normally due to an error
179 * or non-blocking IO.
180 * When it finishes, one packet has been decoded and can be found in
181 * ssl->s3->rrec.type - is the type of record
182 * ssl->s3->rrec.data, - data
183 * ssl->s3->rrec.length, - number of bytes
185 /* used only by ssl3_read_bytes */
186 int ssl3_get_record(SSL *s)
188 int ssl_major, ssl_minor, al;
189 int enc_err, n, i, ret = -1;
193 unsigned char md[EVP_MAX_MD_SIZE];
197 unsigned empty_record_count = 0;
199 rr = RECORD_LAYER_get_rrec(&s->rlayer);
202 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
203 extra = SSL3_RT_MAX_EXTRA;
206 if (extra && !s->s3->init_extra) {
208 * An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER set after
209 * ssl3_setup_buffers() was done
211 SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
216 /* check if we have the header */
217 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
218 (RECORD_LAYER_get_packet_length(&s->rlayer) < SSL3_RT_HEADER_LENGTH)) {
219 n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
220 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0);
222 return (n); /* error or non-blocking */
223 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
225 p = RECORD_LAYER_get_packet(&s->rlayer);
228 * Check whether this is a regular record or an SSLv2 style record. The
229 * latter is only used in an initial ClientHello for old clients. We
230 * check s->read_hash and s->enc_read_ctx to ensure this does not apply
231 * during renegotiation
233 if (s->first_packet && s->server && !s->read_hash && !s->enc_read_ctx
234 && (p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
235 /* SSLv2 style record */
236 rr->type = SSL3_RT_HANDSHAKE;
237 rr->rec_version = SSL2_VERSION;
239 rr->length = ((p[0] & 0x7f) << 8) | p[1];
241 if (rr->length > SSL3_BUFFER_get_len(&s->rlayer.rbuf)
242 - SSL2_RT_HEADER_LENGTH) {
243 al = SSL_AD_RECORD_OVERFLOW;
244 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
248 if (rr->length < MIN_SSL2_RECORD_LEN) {
249 al = SSL_AD_HANDSHAKE_FAILURE;
250 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
254 /* SSLv3+ style record */
256 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
257 s->msg_callback_arg);
259 /* Pull apart the header into the SSL3_RECORD */
263 version = (ssl_major << 8) | ssl_minor;
264 rr->rec_version = version;
267 /* Lets check version */
268 if (!s->first_packet && version != s->version) {
269 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
270 if ((s->version & 0xFF00) == (version & 0xFF00)
271 && !s->enc_write_ctx && !s->write_hash) {
272 if (rr->type == SSL3_RT_ALERT) {
274 * The record is using an incorrect version number, but
275 * what we've got appears to be an alert. We haven't
276 * read the body yet to check whether its a fatal or
277 * not - but chances are it is. We probably shouldn't
278 * send a fatal alert back. We'll just end.
283 * Send back error using their minor version number :-)
285 s->version = (unsigned short)version;
287 al = SSL_AD_PROTOCOL_VERSION;
291 if ((version >> 8) != SSL3_VERSION_MAJOR) {
292 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
297 SSL3_BUFFER_get_len(&s->rlayer.rbuf)
298 - SSL3_RT_HEADER_LENGTH) {
299 al = SSL_AD_RECORD_OVERFLOW;
300 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
305 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
309 * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data.
310 * Calculate how much more data we need to read for the rest of the record
312 if (rr->rec_version == SSL2_VERSION) {
313 i = rr->length + SSL2_RT_HEADER_LENGTH - SSL3_RT_HEADER_LENGTH;
318 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
320 n = ssl3_read_n(s, i, i, 1);
322 return (n); /* error or non-blocking io */
325 /* set state for later operations */
326 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
329 * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length,
330 * or s->packet_length == SSL2_RT_HEADER_LENGTH + rr->length
331 * and we have that many bytes in s->packet
333 if(rr->rec_version == SSL2_VERSION) {
334 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL2_RT_HEADER_LENGTH]);
336 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
340 * ok, we can now read from 's->packet' data into 'rr' rr->input points
341 * at rr->length bytes, which need to be copied into rr->data by either
342 * the decryption or by the decompression When the data is 'copied' into
343 * the rr->data buffer, rr->input will be pointed at the new buffer
347 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
348 * bytes of encrypted compressed stuff.
351 /* check is not needed I believe */
352 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
353 al = SSL_AD_RECORD_OVERFLOW;
354 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
358 /* decrypt in place in 'rr->input' */
359 rr->data = rr->input;
360 rr->orig_len = rr->length;
362 * If in encrypt-then-mac mode calculate mac from encrypted record. All
363 * the details below are public so no timing details can leak.
365 if (SSL_USE_ETM(s) && s->read_hash) {
367 mac_size = EVP_MD_CTX_size(s->read_hash);
368 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
369 if (rr->length < mac_size) {
370 al = SSL_AD_DECODE_ERROR;
371 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
374 rr->length -= mac_size;
375 mac = rr->data + rr->length;
376 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
377 if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
378 al = SSL_AD_BAD_RECORD_MAC;
379 SSLerr(SSL_F_SSL3_GET_RECORD,
380 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
385 enc_err = s->method->ssl3_enc->enc(s, 0);
388 * 0: (in non-constant time) if the record is publically invalid.
389 * 1: if the padding is valid
390 * -1: if the padding is invalid
393 al = SSL_AD_DECRYPTION_FAILED;
394 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
398 printf("dec %d\n", rr->length);
401 for (z = 0; z < rr->length; z++)
402 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
407 /* r->length is now the compressed data plus mac */
408 if ((sess != NULL) &&
409 (s->enc_read_ctx != NULL) &&
410 (EVP_MD_CTX_md(s->read_hash) != NULL) && !SSL_USE_ETM(s)) {
411 /* s->read_hash != NULL => mac_size != -1 */
412 unsigned char *mac = NULL;
413 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
414 mac_size = EVP_MD_CTX_size(s->read_hash);
415 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
418 * orig_len is the length of the record before any padding was
419 * removed. This is public information, as is the MAC in use,
420 * therefore we can safely process the record in a different amount
421 * of time if it's too short to possibly contain a MAC.
423 if (rr->orig_len < mac_size ||
424 /* CBC records must have a padding length byte too. */
425 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
426 rr->orig_len < mac_size + 1)) {
427 al = SSL_AD_DECODE_ERROR;
428 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
432 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
434 * We update the length so that the TLS header bytes can be
435 * constructed correctly but we need to extract the MAC in
436 * constant time from within the record, without leaking the
437 * contents of the padding bytes.
440 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
441 rr->length -= mac_size;
444 * In this case there's no padding, so |rec->orig_len| equals
445 * |rec->length| and we checked that there's enough bytes for
448 rr->length -= mac_size;
449 mac = &rr->data[rr->length];
452 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
453 if (i < 0 || mac == NULL
454 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
456 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra + mac_size)
462 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
463 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
464 * failure is directly visible from the ciphertext anyway, we should
465 * not reveal which kind of error occurred -- this might become
466 * visible to an attacker (e.g. via a logfile)
468 al = SSL_AD_BAD_RECORD_MAC;
469 SSLerr(SSL_F_SSL3_GET_RECORD,
470 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
474 /* r->length is now just compressed */
475 if (s->expand != NULL) {
476 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra) {
477 al = SSL_AD_RECORD_OVERFLOW;
478 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
481 if (!ssl3_do_uncompress(s)) {
482 al = SSL_AD_DECOMPRESSION_FAILURE;
483 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
488 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH + extra) {
489 al = SSL_AD_RECORD_OVERFLOW;
490 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
496 * So at this point the following is true
497 * ssl->s3->rrec.type is the type of record
498 * ssl->s3->rrec.length == number of bytes in record
499 * ssl->s3->rrec.off == offset to first valid byte
500 * ssl->s3->rrec.data == where to take bytes from, increment
504 /* we have pulled in a full packet so zero things */
505 RECORD_LAYER_reset_packet_length(&s->rlayer);
507 /* just read a 0 length packet */
508 if (rr->length == 0) {
509 empty_record_count++;
510 if (empty_record_count > MAX_EMPTY_RECORDS) {
511 al = SSL_AD_UNEXPECTED_MESSAGE;
512 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
521 ssl3_send_alert(s, SSL3_AL_FATAL, al);
526 int ssl3_do_uncompress(SSL *ssl)
528 #ifndef OPENSSL_NO_COMP
532 rr = RECORD_LAYER_get_rrec(&ssl->rlayer);
533 i = COMP_expand_block(ssl->expand, rr->comp,
534 SSL3_RT_MAX_PLAIN_LENGTH, rr->data,
545 int ssl3_do_compress(SSL *ssl)
547 #ifndef OPENSSL_NO_COMP
551 wr = RECORD_LAYER_get_wrec(&ssl->rlayer);
552 i = COMP_compress_block(ssl->compress, wr->data,
553 SSL3_RT_MAX_COMPRESSED_LENGTH,
554 wr->input, (int)wr->length);
560 wr->input = wr->data;
566 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
569 * 0: (in non-constant time) if the record is publically invalid (i.e. too
571 * 1: if the record's padding is valid / the encryption was successful.
572 * -1: if the record's padding is invalid or, if sending, an internal error
575 int ssl3_enc(SSL *s, int send)
580 int bs, i, mac_size = 0;
581 const EVP_CIPHER *enc;
584 ds = s->enc_write_ctx;
585 rec = RECORD_LAYER_get_wrec(&s->rlayer);
586 if (s->enc_write_ctx == NULL)
589 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
591 ds = s->enc_read_ctx;
592 rec = RECORD_LAYER_get_rrec(&s->rlayer);
593 if (s->enc_read_ctx == NULL)
596 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
599 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
600 memmove(rec->data, rec->input, rec->length);
601 rec->input = rec->data;
604 bs = EVP_CIPHER_block_size(ds->cipher);
608 if ((bs != 1) && send) {
609 i = bs - ((int)l % bs);
611 /* we need to add 'i-1' padding bytes */
614 * the last of these zero bytes will be overwritten with the
617 memset(&rec->input[rec->length], 0, i);
619 rec->input[l - 1] = (i - 1);
623 if (l == 0 || l % bs != 0)
625 /* otherwise, rec->length >= bs */
628 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
631 if (EVP_MD_CTX_md(s->read_hash) != NULL)
632 mac_size = EVP_MD_CTX_size(s->read_hash);
633 if ((bs != 1) && !send)
634 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
640 * tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
643 * 0: (in non-constant time) if the record is publically invalid (i.e. too
645 * 1: if the record's padding is valid / the encryption was successful.
646 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
647 * an internal error occurred.
649 int tls1_enc(SSL *s, int send)
654 int bs, i, j, k, pad = 0, ret, mac_size = 0;
655 const EVP_CIPHER *enc;
658 if (EVP_MD_CTX_md(s->write_hash)) {
659 int n = EVP_MD_CTX_size(s->write_hash);
660 OPENSSL_assert(n >= 0);
662 ds = s->enc_write_ctx;
663 rec = RECORD_LAYER_get_wrec(&s->rlayer);
664 if (s->enc_write_ctx == NULL)
668 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
669 /* For TLSv1.1 and later explicit IV */
670 if (SSL_USE_EXPLICIT_IV(s)
671 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
672 ivlen = EVP_CIPHER_iv_length(enc);
676 if (rec->data != rec->input)
678 * we can't write into the input stream: Can this ever
682 "%s:%d: rec->data != rec->input\n",
684 else if (RAND_bytes(rec->input, ivlen) <= 0)
689 if (EVP_MD_CTX_md(s->read_hash)) {
690 int n = EVP_MD_CTX_size(s->read_hash);
691 OPENSSL_assert(n >= 0);
693 ds = s->enc_read_ctx;
694 rec = RECORD_LAYER_get_rrec(&s->rlayer);
695 if (s->enc_read_ctx == NULL)
698 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
701 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
702 memmove(rec->data, rec->input, rec->length);
703 rec->input = rec->data;
707 bs = EVP_CIPHER_block_size(ds->cipher);
709 if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
710 unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq;
712 seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
713 : RECORD_LAYER_get_read_sequence(&s->rlayer);
715 if (SSL_IS_DTLS(s)) {
716 unsigned char dtlsseq[9], *p = dtlsseq;
718 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
719 DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
720 memcpy(p, &seq[2], 6);
721 memcpy(buf, dtlsseq, 8);
724 for (i = 7; i >= 0; i--) { /* increment */
732 buf[9] = (unsigned char)(s->version >> 8);
733 buf[10] = (unsigned char)(s->version);
734 buf[11] = rec->length >> 8;
735 buf[12] = rec->length & 0xff;
736 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
737 EVP_AEAD_TLS1_AAD_LEN, buf);
744 } else if ((bs != 1) && send) {
745 i = bs - ((int)l % bs);
747 /* Add weird padding of upto 256 bytes */
749 /* we need to add 'i' padding bytes of value j */
751 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
752 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
755 for (k = (int)l; k < (int)(l + i); k++)
762 if (l == 0 || l % bs != 0)
766 i = EVP_Cipher(ds, rec->data, rec->input, l);
767 if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER)
770 return -1; /* AEAD can fail to verify MAC */
771 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
772 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
773 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
774 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
778 if (!SSL_USE_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)
779 mac_size = EVP_MD_CTX_size(s->read_hash);
780 if ((bs != 1) && !send)
781 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
788 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
791 unsigned char *mac_sec, *seq;
793 const EVP_MD_CTX *hash;
794 unsigned char *p, rec_char;
800 rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
801 mac_sec = &(ssl->s3->write_mac_secret[0]);
802 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
803 hash = ssl->write_hash;
805 rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
806 mac_sec = &(ssl->s3->read_mac_secret[0]);
807 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
808 hash = ssl->read_hash;
811 t = EVP_MD_CTX_size(hash);
815 npad = (48 / md_size) * md_size;
818 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
819 ssl3_cbc_record_digest_supported(hash)) {
821 * This is a CBC-encrypted record. We must avoid leaking any
822 * timing-side channel information about how many blocks of data we
823 * are hashing because that gives an attacker a timing-oracle.
827 * npad is, at most, 48 bytes and that's with MD5:
828 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
830 * With SHA-1 (the largest hash speced for SSLv3) the hash size
831 * goes up 4, but npad goes down by 8, resulting in a smaller
834 unsigned char header[75];
836 memcpy(header + j, mac_sec, md_size);
838 memcpy(header + j, ssl3_pad_1, npad);
840 memcpy(header + j, seq, 8);
842 header[j++] = rec->type;
843 header[j++] = rec->length >> 8;
844 header[j++] = rec->length & 0xff;
846 /* Final param == is SSLv3 */
847 ssl3_cbc_digest_record(hash,
850 rec->length + md_size, rec->orig_len,
851 mac_sec, md_size, 1);
853 unsigned int md_size_u;
854 /* Chop the digest off the end :-) */
855 EVP_MD_CTX_init(&md_ctx);
857 EVP_MD_CTX_copy_ex(&md_ctx, hash);
858 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
859 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
860 EVP_DigestUpdate(&md_ctx, seq, 8);
861 rec_char = rec->type;
862 EVP_DigestUpdate(&md_ctx, &rec_char, 1);
865 EVP_DigestUpdate(&md_ctx, md, 2);
866 EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
867 EVP_DigestFinal_ex(&md_ctx, md, NULL);
869 EVP_MD_CTX_copy_ex(&md_ctx, hash);
870 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
871 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
872 EVP_DigestUpdate(&md_ctx, md, md_size);
873 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
876 EVP_MD_CTX_cleanup(&md_ctx);
879 ssl3_record_sequence_update(seq);
883 int tls1_mac(SSL *ssl, unsigned char *md, int send)
890 EVP_MD_CTX hmac, *mac_ctx;
891 unsigned char header[13];
892 int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
893 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
897 rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
898 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
899 hash = ssl->write_hash;
901 rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
902 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
903 hash = ssl->read_hash;
906 t = EVP_MD_CTX_size(hash);
907 OPENSSL_assert(t >= 0);
910 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
914 if (!EVP_MD_CTX_copy(&hmac, hash))
919 if (SSL_IS_DTLS(ssl)) {
920 unsigned char dtlsseq[8], *p = dtlsseq;
922 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
923 DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
924 memcpy(p, &seq[2], 6);
926 memcpy(header, dtlsseq, 8);
928 memcpy(header, seq, 8);
930 header[8] = rec->type;
931 header[9] = (unsigned char)(ssl->version >> 8);
932 header[10] = (unsigned char)(ssl->version);
933 header[11] = (rec->length) >> 8;
934 header[12] = (rec->length) & 0xff;
936 if (!send && !SSL_USE_ETM(ssl) &&
937 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
938 ssl3_cbc_record_digest_supported(mac_ctx)) {
940 * This is a CBC-encrypted record. We must avoid leaking any
941 * timing-side channel information about how many blocks of data we
942 * are hashing because that gives an attacker a timing-oracle.
944 /* Final param == not SSLv3 */
945 ssl3_cbc_digest_record(mac_ctx,
948 rec->length + md_size, rec->orig_len,
949 ssl->s3->read_mac_secret,
950 ssl->s3->read_mac_secret_size, 0);
952 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
953 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
954 t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
955 OPENSSL_assert(t > 0);
956 if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
957 tls_fips_digest_extra(ssl->enc_read_ctx,
959 rec->length, rec->orig_len);
963 EVP_MD_CTX_cleanup(&hmac);
965 fprintf(stderr, "seq=");
968 for (z = 0; z < 8; z++)
969 fprintf(stderr, "%02X ", seq[z]);
970 fprintf(stderr, "\n");
972 fprintf(stderr, "rec=");
975 for (z = 0; z < rec->length; z++)
976 fprintf(stderr, "%02X ", rec->data[z]);
977 fprintf(stderr, "\n");
981 if (!SSL_IS_DTLS(ssl)) {
982 for (i = 7; i >= 0; i--) {
991 for (z = 0; z < md_size; z++)
992 fprintf(stderr, "%02X ", md[z]);
993 fprintf(stderr, "\n");
1000 * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
1001 * record in |rec| by updating |rec->length| in constant time.
1003 * block_size: the block size of the cipher used to encrypt the record.
1005 * 0: (in non-constant time) if the record is publicly invalid.
1006 * 1: if the padding was valid
1009 int ssl3_cbc_remove_padding(const SSL *s,
1011 unsigned block_size, unsigned mac_size)
1013 unsigned padding_length, good;
1014 const unsigned overhead = 1 /* padding length byte */ + mac_size;
1017 * These lengths are all public so we can test them in non-constant time.
1019 if (overhead > rec->length)
1022 padding_length = rec->data[rec->length - 1];
1023 good = constant_time_ge(rec->length, padding_length + overhead);
1024 /* SSLv3 requires that the padding is minimal. */
1025 good &= constant_time_ge(block_size, padding_length + 1);
1026 rec->length -= good & (padding_length + 1);
1027 return constant_time_select_int(good, 1, -1);
1031 * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
1032 * record in |rec| in constant time and returns 1 if the padding is valid and
1033 * -1 otherwise. It also removes any explicit IV from the start of the record
1034 * without leaking any timing about whether there was enough space after the
1035 * padding was removed.
1037 * block_size: the block size of the cipher used to encrypt the record.
1039 * 0: (in non-constant time) if the record is publicly invalid.
1040 * 1: if the padding was valid
1043 int tls1_cbc_remove_padding(const SSL *s,
1045 unsigned block_size, unsigned mac_size)
1047 unsigned padding_length, good, to_check, i;
1048 const unsigned overhead = 1 /* padding length byte */ + mac_size;
1049 /* Check if version requires explicit IV */
1050 if (SSL_USE_EXPLICIT_IV(s)) {
1052 * These lengths are all public so we can test them in non-constant
1055 if (overhead + block_size > rec->length)
1057 /* We can now safely skip explicit IV */
1058 rec->data += block_size;
1059 rec->input += block_size;
1060 rec->length -= block_size;
1061 rec->orig_len -= block_size;
1062 } else if (overhead > rec->length)
1065 padding_length = rec->data[rec->length - 1];
1068 * NB: if compression is in operation the first packet may not be of even
1069 * length so the padding bug check cannot be performed. This bug
1070 * workaround has been around since SSLeay so hopefully it is either
1071 * fixed now or no buggy implementation supports compression [steve]
1073 if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) {
1074 /* First packet is even in size, so check */
1075 if ((CRYPTO_memcmp(RECORD_LAYER_get_read_sequence(&s->rlayer),
1076 "\0\0\0\0\0\0\0\0", 8) == 0) &&
1077 !(padding_length & 1)) {
1078 s->s3->flags |= TLS1_FLAGS_TLS_PADDING_BUG;
1080 if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) && padding_length > 0) {
1085 if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
1086 /* padding is already verified */
1087 rec->length -= padding_length + 1;
1091 good = constant_time_ge(rec->length, overhead + padding_length);
1093 * The padding consists of a length byte at the end of the record and
1094 * then that many bytes of padding, all with the same value as the length
1095 * byte. Thus, with the length byte included, there are i+1 bytes of
1096 * padding. We can't check just |padding_length+1| bytes because that
1097 * leaks decrypted information. Therefore we always have to check the
1098 * maximum amount of padding possible. (Again, the length of the record
1099 * is public information so we can use it.)
1101 to_check = 255; /* maximum amount of padding. */
1102 if (to_check > rec->length - 1)
1103 to_check = rec->length - 1;
1105 for (i = 0; i < to_check; i++) {
1106 unsigned char mask = constant_time_ge_8(padding_length, i);
1107 unsigned char b = rec->data[rec->length - 1 - i];
1109 * The final |padding_length+1| bytes should all have the value
1110 * |padding_length|. Therefore the XOR should be zero.
1112 good &= ~(mask & (padding_length ^ b));
1116 * If any of the final |padding_length+1| bytes had the wrong value, one
1117 * or more of the lower eight bits of |good| will be cleared.
1119 good = constant_time_eq(0xff, good & 0xff);
1120 rec->length -= good & (padding_length + 1);
1122 return constant_time_select_int(good, 1, -1);
1126 * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
1127 * constant time (independent of the concrete value of rec->length, which may
1128 * vary within a 256-byte window).
1130 * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
1134 * rec->orig_len >= md_size
1135 * md_size <= EVP_MAX_MD_SIZE
1137 * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
1138 * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
1139 * a single or pair of cache-lines, then the variable memory accesses don't
1140 * actually affect the timing. CPUs with smaller cache-lines [if any] are
1141 * not multi-core and are not considered vulnerable to cache-timing attacks.
1143 #define CBC_MAC_ROTATE_IN_PLACE
1145 void ssl3_cbc_copy_mac(unsigned char *out,
1146 const SSL3_RECORD *rec, unsigned md_size)
1148 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1149 unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
1150 unsigned char *rotated_mac;
1152 unsigned char rotated_mac[EVP_MAX_MD_SIZE];
1156 * mac_end is the index of |rec->data| just after the end of the MAC.
1158 unsigned mac_end = rec->length;
1159 unsigned mac_start = mac_end - md_size;
1161 * scan_start contains the number of bytes that we can ignore because the
1162 * MAC's position can only vary by 255 bytes.
1164 unsigned scan_start = 0;
1166 unsigned div_spoiler;
1167 unsigned rotate_offset;
1169 OPENSSL_assert(rec->orig_len >= md_size);
1170 OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
1172 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1173 rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
1176 /* This information is public so it's safe to branch based on it. */
1177 if (rec->orig_len > md_size + 255 + 1)
1178 scan_start = rec->orig_len - (md_size + 255 + 1);
1180 * div_spoiler contains a multiple of md_size that is used to cause the
1181 * modulo operation to be constant time. Without this, the time varies
1182 * based on the amount of padding when running on Intel chips at least.
1183 * The aim of right-shifting md_size is so that the compiler doesn't
1184 * figure out that it can remove div_spoiler as that would require it to
1185 * prove that md_size is always even, which I hope is beyond it.
1187 div_spoiler = md_size >> 1;
1188 div_spoiler <<= (sizeof(div_spoiler) - 1) * 8;
1189 rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
1191 memset(rotated_mac, 0, md_size);
1192 for (i = scan_start, j = 0; i < rec->orig_len; i++) {
1193 unsigned char mac_started = constant_time_ge_8(i, mac_start);
1194 unsigned char mac_ended = constant_time_ge_8(i, mac_end);
1195 unsigned char b = rec->data[i];
1196 rotated_mac[j++] |= b & mac_started & ~mac_ended;
1197 j &= constant_time_lt(j, md_size);
1200 /* Now rotate the MAC */
1201 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1203 for (i = 0; i < md_size; i++) {
1204 /* in case cache-line is 32 bytes, touch second line */
1205 ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
1206 out[j++] = rotated_mac[rotate_offset++];
1207 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1210 memset(out, 0, md_size);
1211 rotate_offset = md_size - rotate_offset;
1212 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1213 for (i = 0; i < md_size; i++) {
1214 for (j = 0; j < md_size; j++)
1215 out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
1217 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1222 int dtls1_process_record(SSL *s)
1228 unsigned int mac_size;
1229 unsigned char md[EVP_MAX_MD_SIZE];
1231 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1235 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
1236 * and we have that many bytes in s->packet
1238 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]);
1241 * ok, we can now read from 's->packet' data into 'rr' rr->input points
1242 * at rr->length bytes, which need to be copied into rr->data by either
1243 * the decryption or by the decompression When the data is 'copied' into
1244 * the rr->data buffer, rr->input will be pointed at the new buffer
1248 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
1249 * bytes of encrypted compressed stuff.
1252 /* check is not needed I believe */
1253 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1254 al = SSL_AD_RECORD_OVERFLOW;
1255 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1259 /* decrypt in place in 'rr->input' */
1260 rr->data = rr->input;
1261 rr->orig_len = rr->length;
1263 enc_err = s->method->ssl3_enc->enc(s, 0);
1266 * 0: (in non-constant time) if the record is publically invalid.
1267 * 1: if the padding is valid
1268 * -1: if the padding is invalid
1271 /* For DTLS we simply ignore bad packets. */
1273 RECORD_LAYER_reset_packet_length(&s->rlayer);
1277 printf("dec %d\n", rr->length);
1280 for (z = 0; z < rr->length; z++)
1281 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
1286 /* r->length is now the compressed data plus mac */
1287 if ((sess != NULL) &&
1288 (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
1289 /* s->read_hash != NULL => mac_size != -1 */
1290 unsigned char *mac = NULL;
1291 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
1292 mac_size = EVP_MD_CTX_size(s->read_hash);
1293 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
1296 * orig_len is the length of the record before any padding was
1297 * removed. This is public information, as is the MAC in use,
1298 * therefore we can safely process the record in a different amount
1299 * of time if it's too short to possibly contain a MAC.
1301 if (rr->orig_len < mac_size ||
1302 /* CBC records must have a padding length byte too. */
1303 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1304 rr->orig_len < mac_size + 1)) {
1305 al = SSL_AD_DECODE_ERROR;
1306 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
1310 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
1312 * We update the length so that the TLS header bytes can be
1313 * constructed correctly but we need to extract the MAC in
1314 * constant time from within the record, without leaking the
1315 * contents of the padding bytes.
1318 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
1319 rr->length -= mac_size;
1322 * In this case there's no padding, so |rec->orig_len| equals
1323 * |rec->length| and we checked that there's enough bytes for
1326 rr->length -= mac_size;
1327 mac = &rr->data[rr->length];
1330 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
1331 if (i < 0 || mac == NULL
1332 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
1334 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
1339 /* decryption failed, silently discard message */
1341 RECORD_LAYER_reset_packet_length(&s->rlayer);
1345 /* r->length is now just compressed */
1346 if (s->expand != NULL) {
1347 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
1348 al = SSL_AD_RECORD_OVERFLOW;
1349 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,
1350 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1353 if (!ssl3_do_uncompress(s)) {
1354 al = SSL_AD_DECOMPRESSION_FAILURE;
1355 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
1360 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
1361 al = SSL_AD_RECORD_OVERFLOW;
1362 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
1368 * So at this point the following is true
1369 * ssl->s3->rrec.type is the type of record
1370 * ssl->s3->rrec.length == number of bytes in record
1371 * ssl->s3->rrec.off == offset to first valid byte
1372 * ssl->s3->rrec.data == where to take bytes from, increment
1376 /* we have pulled in a full packet so zero things */
1377 RECORD_LAYER_reset_packet_length(&s->rlayer);
1381 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1388 * retrieve a buffered record that belongs to the current epoch, ie,
1391 #define dtls1_get_processed_record(s) \
1392 dtls1_retrieve_buffered_record((s), \
1393 &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer)))
1396 * Call this to get a new input record.
1397 * It will return <= 0 if more data is needed, normally due to an error
1398 * or non-blocking IO.
1399 * When it finishes, one packet has been decoded and can be found in
1400 * ssl->s3->rrec.type - is the type of record
1401 * ssl->s3->rrec.data, - data
1402 * ssl->s3->rrec.length, - number of bytes
1404 /* used only by dtls1_read_bytes */
1405 int dtls1_get_record(SSL *s)
1407 int ssl_major, ssl_minor;
1410 unsigned char *p = NULL;
1411 unsigned short version;
1412 DTLS1_BITMAP *bitmap;
1413 unsigned int is_next_epoch;
1415 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1418 * The epoch may have changed. If so, process all the pending records.
1419 * This is a non-blocking operation.
1421 if (dtls1_process_buffered_records(s) < 0)
1424 /* if we're renegotiating, then there may be buffered records */
1425 if (dtls1_get_processed_record(s))
1428 /* get something from the wire */
1430 /* check if we have the header */
1431 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
1432 (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) {
1433 n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
1434 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0);
1435 /* read timeout is handled by dtls1_read_bytes */
1437 return (n); /* error or non-blocking */
1439 /* this packet contained a partial record, dump it */
1440 if (RECORD_LAYER_get_packet_length(&s->rlayer) != DTLS1_RT_HEADER_LENGTH) {
1441 RECORD_LAYER_reset_packet_length(&s->rlayer);
1445 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
1447 p = RECORD_LAYER_get_packet(&s->rlayer);
1449 if (s->msg_callback)
1450 s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
1451 s, s->msg_callback_arg);
1453 /* Pull apart the header into the DTLS1_RECORD */
1457 version = (ssl_major << 8) | ssl_minor;
1459 /* sequence number is 64 bits, with top 2 bytes = epoch */
1462 memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6);
1467 /* Lets check version */
1468 if (!s->first_packet) {
1469 if (version != s->version) {
1470 /* unexpected version, silently discard */
1472 RECORD_LAYER_reset_packet_length(&s->rlayer);
1477 if ((version & 0xff00) != (s->version & 0xff00)) {
1478 /* wrong version, silently discard record */
1480 RECORD_LAYER_reset_packet_length(&s->rlayer);
1484 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1485 /* record too long, silently discard it */
1487 RECORD_LAYER_reset_packet_length(&s->rlayer);
1491 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
1494 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
1497 RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) {
1498 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
1500 n = ssl3_read_n(s, i, i, 1);
1501 /* this packet contained a partial record, dump it */
1504 RECORD_LAYER_reset_packet_length(&s->rlayer);
1509 * now n == rr->length, and s->packet_length ==
1510 * DTLS1_RT_HEADER_LENGTH + rr->length
1513 /* set state for later operations */
1514 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
1516 /* match epochs. NULL means the packet is dropped on the floor */
1517 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
1518 if (bitmap == NULL) {
1520 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1521 goto again; /* get another record */
1523 #ifndef OPENSSL_NO_SCTP
1524 /* Only do replay check if no SCTP bio */
1525 if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
1528 * Check whether this is a repeat, or aged record. Don't check if
1529 * we're listening and this message is a ClientHello. They can look
1530 * as if they're replayed, since they arrive from different
1531 * connections and would be dropped unnecessarily.
1533 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
1534 RECORD_LAYER_get_packet_length(&s->rlayer)
1535 > DTLS1_RT_HEADER_LENGTH &&
1536 RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]
1537 == SSL3_MT_CLIENT_HELLO) &&
1538 !dtls1_record_replay_check(s, bitmap)) {
1540 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1541 goto again; /* get another record */
1543 #ifndef OPENSSL_NO_SCTP
1547 /* just read a 0 length packet */
1548 if (rr->length == 0)
1552 * If this record is from the next epoch (either HM or ALERT), and a
1553 * handshake is currently in progress, buffer it since it cannot be
1554 * processed at this time. However, do not buffer anything while
1557 if (is_next_epoch) {
1558 if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) {
1559 if (dtls1_buffer_record
1560 (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
1563 /* Mark receipt of record. */
1564 dtls1_record_bitmap_update(s, bitmap);
1567 RECORD_LAYER_reset_packet_length(&s->rlayer);
1571 if (!dtls1_process_record(s)) {
1573 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1574 goto again; /* get another record */
1576 dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
projects / openssl.git / blob