1 /* ssl/record/ssl3_record.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
112 #include "../ssl_locl.h"
113 #include "../../crypto/constant_time_locl.h"
114 #include <openssl/rand.h>
115 #include "record_locl.h"
117 static const unsigned char ssl3_pad_1[48] = {
118 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
119 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
120 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
121 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
122 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
123 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
126 static const unsigned char ssl3_pad_2[48] = {
127 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
128 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
129 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
130 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
131 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
132 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
135 void SSL3_RECORD_clear(SSL3_RECORD *r)
137 memset(r->seq_num, 0, sizeof(r->seq_num));
140 void SSL3_RECORD_release(SSL3_RECORD *r)
143 OPENSSL_free(r->comp);
147 int SSL3_RECORD_setup(SSL3_RECORD *r)
150 r->comp = (unsigned char *)
151 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
157 void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
159 memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
163 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
164 * will be processed per call to ssl3_get_record. Without this limit an
165 * attacker could send empty records at a faster rate than we can process and
166 * cause ssl3_get_record to loop forever.
168 #define MAX_EMPTY_RECORDS 32
171 * Call this to get a new input record.
172 * It will return <= 0 if more data is needed, normally due to an error
173 * or non-blocking IO.
174 * When it finishes, one packet has been decoded and can be found in
175 * ssl->s3->rrec.type - is the type of record
176 * ssl->s3->rrec.data, - data
177 * ssl->s3->rrec.length, - number of bytes
179 /* used only by ssl3_read_bytes */
180 int ssl3_get_record(SSL *s)
182 int ssl_major, ssl_minor, al;
183 int enc_err, n, i, ret = -1;
187 unsigned char md[EVP_MAX_MD_SIZE];
191 unsigned empty_record_count = 0;
193 rr = RECORD_LAYER_get_rrec(&s->rlayer);
196 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
197 extra = SSL3_RT_MAX_EXTRA;
200 if (extra && !s->s3->init_extra) {
202 * An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER set after
203 * ssl3_setup_buffers() was done
205 SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
210 /* check if we have the header */
211 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
212 (RECORD_LAYER_get_packet_length(&s->rlayer) < SSL3_RT_HEADER_LENGTH)) {
213 n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
214 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0);
216 return (n); /* error or non-blocking */
217 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
219 p = RECORD_LAYER_get_packet(&s->rlayer);
221 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
222 s->msg_callback_arg);
224 /* Pull apart the header into the SSL3_RECORD */
228 version = (ssl_major << 8) | ssl_minor;
231 /* Lets check version */
232 if (!s->first_packet) {
233 if (version != s->version) {
234 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
235 if ((s->version & 0xFF00) == (version & 0xFF00)
236 && !s->enc_write_ctx && !s->write_hash)
238 * Send back error using their minor version number :-)
240 s->version = (unsigned short)version;
241 al = SSL_AD_PROTOCOL_VERSION;
246 if ((version >> 8) != SSL3_VERSION_MAJOR) {
247 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
252 SSL3_BUFFER_get_len(&s->rlayer.rbuf)
253 - SSL3_RT_HEADER_LENGTH) {
254 al = SSL_AD_RECORD_OVERFLOW;
255 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
259 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
262 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
265 RECORD_LAYER_get_packet_length(&s->rlayer) - SSL3_RT_HEADER_LENGTH) {
266 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
268 n = ssl3_read_n(s, i, i, 1);
270 return (n); /* error or non-blocking io */
272 * now n == rr->length, and s->packet_length == SSL3_RT_HEADER_LENGTH
277 /* set state for later operations */
278 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
281 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
282 * and we have that many bytes in s->packet
284 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
287 * ok, we can now read from 's->packet' data into 'rr' rr->input points
288 * at rr->length bytes, which need to be copied into rr->data by either
289 * the decryption or by the decompression When the data is 'copied' into
290 * the rr->data buffer, rr->input will be pointed at the new buffer
294 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
295 * bytes of encrypted compressed stuff.
298 /* check is not needed I believe */
299 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
300 al = SSL_AD_RECORD_OVERFLOW;
301 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
305 /* decrypt in place in 'rr->input' */
306 rr->data = rr->input;
307 rr->orig_len = rr->length;
309 * If in encrypt-then-mac mode calculate mac from encrypted record. All
310 * the details below are public so no timing details can leak.
312 if (SSL_USE_ETM(s) && s->read_hash) {
314 mac_size = EVP_MD_CTX_size(s->read_hash);
315 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
316 if (rr->length < mac_size) {
317 al = SSL_AD_DECODE_ERROR;
318 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
321 rr->length -= mac_size;
322 mac = rr->data + rr->length;
323 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
324 if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
325 al = SSL_AD_BAD_RECORD_MAC;
326 SSLerr(SSL_F_SSL3_GET_RECORD,
327 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
332 enc_err = s->method->ssl3_enc->enc(s, 0);
335 * 0: (in non-constant time) if the record is publically invalid.
336 * 1: if the padding is valid
337 * -1: if the padding is invalid
340 al = SSL_AD_DECRYPTION_FAILED;
341 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
345 printf("dec %d\n", rr->length);
348 for (z = 0; z < rr->length; z++)
349 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
354 /* r->length is now the compressed data plus mac */
355 if ((sess != NULL) &&
356 (s->enc_read_ctx != NULL) &&
357 (EVP_MD_CTX_md(s->read_hash) != NULL) && !SSL_USE_ETM(s)) {
358 /* s->read_hash != NULL => mac_size != -1 */
359 unsigned char *mac = NULL;
360 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
361 mac_size = EVP_MD_CTX_size(s->read_hash);
362 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
365 * orig_len is the length of the record before any padding was
366 * removed. This is public information, as is the MAC in use,
367 * therefore we can safely process the record in a different amount
368 * of time if it's too short to possibly contain a MAC.
370 if (rr->orig_len < mac_size ||
371 /* CBC records must have a padding length byte too. */
372 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
373 rr->orig_len < mac_size + 1)) {
374 al = SSL_AD_DECODE_ERROR;
375 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
379 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
381 * We update the length so that the TLS header bytes can be
382 * constructed correctly but we need to extract the MAC in
383 * constant time from within the record, without leaking the
384 * contents of the padding bytes.
387 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
388 rr->length -= mac_size;
391 * In this case there's no padding, so |rec->orig_len| equals
392 * |rec->length| and we checked that there's enough bytes for
395 rr->length -= mac_size;
396 mac = &rr->data[rr->length];
399 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
400 if (i < 0 || mac == NULL
401 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
403 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra + mac_size)
409 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
410 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
411 * failure is directly visible from the ciphertext anyway, we should
412 * not reveal which kind of error occurred -- this might become
413 * visible to an attacker (e.g. via a logfile)
415 al = SSL_AD_BAD_RECORD_MAC;
416 SSLerr(SSL_F_SSL3_GET_RECORD,
417 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
421 /* r->length is now just compressed */
422 if (s->expand != NULL) {
423 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra) {
424 al = SSL_AD_RECORD_OVERFLOW;
425 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
428 if (!ssl3_do_uncompress(s)) {
429 al = SSL_AD_DECOMPRESSION_FAILURE;
430 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
435 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH + extra) {
436 al = SSL_AD_RECORD_OVERFLOW;
437 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
443 * So at this point the following is true
444 * ssl->s3->rrec.type is the type of record
445 * ssl->s3->rrec.length == number of bytes in record
446 * ssl->s3->rrec.off == offset to first valid byte
447 * ssl->s3->rrec.data == where to take bytes from, increment
451 /* we have pulled in a full packet so zero things */
452 RECORD_LAYER_reset_packet_length(&s->rlayer);
454 /* just read a 0 length packet */
455 if (rr->length == 0) {
456 empty_record_count++;
457 if (empty_record_count > MAX_EMPTY_RECORDS) {
458 al = SSL_AD_UNEXPECTED_MESSAGE;
459 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
468 ssl3_send_alert(s, SSL3_AL_FATAL, al);
473 int ssl3_do_uncompress(SSL *ssl)
475 #ifndef OPENSSL_NO_COMP
479 rr = RECORD_LAYER_get_rrec(&ssl->rlayer);
480 i = COMP_expand_block(ssl->expand, rr->comp,
481 SSL3_RT_MAX_PLAIN_LENGTH, rr->data,
492 int ssl3_do_compress(SSL *ssl)
494 #ifndef OPENSSL_NO_COMP
498 wr = RECORD_LAYER_get_wrec(&ssl->rlayer);
499 i = COMP_compress_block(ssl->compress, wr->data,
500 SSL3_RT_MAX_COMPRESSED_LENGTH,
501 wr->input, (int)wr->length);
507 wr->input = wr->data;
513 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
516 * 0: (in non-constant time) if the record is publically invalid (i.e. too
518 * 1: if the record's padding is valid / the encryption was successful.
519 * -1: if the record's padding is invalid or, if sending, an internal error
522 int ssl3_enc(SSL *s, int send)
527 int bs, i, mac_size = 0;
528 const EVP_CIPHER *enc;
531 ds = s->enc_write_ctx;
532 rec = RECORD_LAYER_get_wrec(&s->rlayer);
533 if (s->enc_write_ctx == NULL)
536 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
538 ds = s->enc_read_ctx;
539 rec = RECORD_LAYER_get_rrec(&s->rlayer);
540 if (s->enc_read_ctx == NULL)
543 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
546 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
547 memmove(rec->data, rec->input, rec->length);
548 rec->input = rec->data;
551 bs = EVP_CIPHER_block_size(ds->cipher);
555 if ((bs != 1) && send) {
556 i = bs - ((int)l % bs);
558 /* we need to add 'i-1' padding bytes */
561 * the last of these zero bytes will be overwritten with the
564 memset(&rec->input[rec->length], 0, i);
566 rec->input[l - 1] = (i - 1);
570 if (l == 0 || l % bs != 0)
572 /* otherwise, rec->length >= bs */
575 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
578 if (EVP_MD_CTX_md(s->read_hash) != NULL)
579 mac_size = EVP_MD_CTX_size(s->read_hash);
580 if ((bs != 1) && !send)
581 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
587 * tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
590 * 0: (in non-constant time) if the record is publically invalid (i.e. too
592 * 1: if the record's padding is valid / the encryption was successful.
593 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
594 * an internal error occurred.
596 int tls1_enc(SSL *s, int send)
601 int bs, i, j, k, pad = 0, ret, mac_size = 0;
602 const EVP_CIPHER *enc;
605 if (EVP_MD_CTX_md(s->write_hash)) {
606 int n = EVP_MD_CTX_size(s->write_hash);
607 OPENSSL_assert(n >= 0);
609 ds = s->enc_write_ctx;
610 rec = RECORD_LAYER_get_wrec(&s->rlayer);
611 if (s->enc_write_ctx == NULL)
615 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
616 /* For TLSv1.1 and later explicit IV */
617 if (SSL_USE_EXPLICIT_IV(s)
618 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
619 ivlen = EVP_CIPHER_iv_length(enc);
623 if (rec->data != rec->input)
625 * we can't write into the input stream: Can this ever
629 "%s:%d: rec->data != rec->input\n",
631 else if (RAND_bytes(rec->input, ivlen) <= 0)
636 if (EVP_MD_CTX_md(s->read_hash)) {
637 int n = EVP_MD_CTX_size(s->read_hash);
638 OPENSSL_assert(n >= 0);
640 ds = s->enc_read_ctx;
641 rec = RECORD_LAYER_get_rrec(&s->rlayer);
642 if (s->enc_read_ctx == NULL)
645 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
649 fprintf(stderr, "tls1_enc(%d)\n", send);
650 #endif /* KSSL_DEBUG */
652 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
653 memmove(rec->data, rec->input, rec->length);
654 rec->input = rec->data;
658 bs = EVP_CIPHER_block_size(ds->cipher);
660 if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
661 unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq;
663 seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
664 : RECORD_LAYER_get_read_sequence(&s->rlayer);
666 if (SSL_IS_DTLS(s)) {
667 unsigned char dtlsseq[9], *p = dtlsseq;
669 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
670 DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
671 memcpy(p, &seq[2], 6);
672 memcpy(buf, dtlsseq, 8);
675 for (i = 7; i >= 0; i--) { /* increment */
683 buf[9] = (unsigned char)(s->version >> 8);
684 buf[10] = (unsigned char)(s->version);
685 buf[11] = rec->length >> 8;
686 buf[12] = rec->length & 0xff;
687 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
688 EVP_AEAD_TLS1_AAD_LEN, buf);
695 } else if ((bs != 1) && send) {
696 i = bs - ((int)l % bs);
698 /* Add weird padding of upto 256 bytes */
700 /* we need to add 'i' padding bytes of value j */
702 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
703 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
706 for (k = (int)l; k < (int)(l + i); k++)
715 "EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
716 ds, rec->data, rec->input, l);
718 "\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%lu %lu], %d iv_len\n",
719 ds->buf_len, ds->cipher->key_len, DES_KEY_SZ,
720 DES_SCHEDULE_SZ, ds->cipher->iv_len);
721 fprintf(stderr, "\t\tIV: ");
722 for (i = 0; i < ds->cipher->iv_len; i++)
723 fprintf(stderr, "%02X", ds->iv[i]);
724 fprintf(stderr, "\n");
725 fprintf(stderr, "\trec->input=");
726 for (ui = 0; ui < l; ui++)
727 fprintf(stderr, " %02x", rec->input[ui]);
728 fprintf(stderr, "\n");
730 #endif /* KSSL_DEBUG */
733 if (l == 0 || l % bs != 0)
737 i = EVP_Cipher(ds, rec->data, rec->input, l);
738 if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER)
741 return -1; /* AEAD can fail to verify MAC */
742 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
743 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
744 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
745 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
750 fprintf(stderr, "\trec->data=");
751 for (i = 0; i < l; i++)
752 fprintf(stderr, " %02x", rec->data[i]);
753 fprintf(stderr, "\n");
755 #endif /* KSSL_DEBUG */
758 if (!SSL_USE_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)
759 mac_size = EVP_MD_CTX_size(s->read_hash);
760 if ((bs != 1) && !send)
761 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
768 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
771 unsigned char *mac_sec, *seq;
773 const EVP_MD_CTX *hash;
774 unsigned char *p, rec_char;
780 rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
781 mac_sec = &(ssl->s3->write_mac_secret[0]);
782 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
783 hash = ssl->write_hash;
785 rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
786 mac_sec = &(ssl->s3->read_mac_secret[0]);
787 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
788 hash = ssl->read_hash;
791 t = EVP_MD_CTX_size(hash);
795 npad = (48 / md_size) * md_size;
798 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
799 ssl3_cbc_record_digest_supported(hash)) {
801 * This is a CBC-encrypted record. We must avoid leaking any
802 * timing-side channel information about how many blocks of data we
803 * are hashing because that gives an attacker a timing-oracle.
807 * npad is, at most, 48 bytes and that's with MD5:
808 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
810 * With SHA-1 (the largest hash speced for SSLv3) the hash size
811 * goes up 4, but npad goes down by 8, resulting in a smaller
814 unsigned char header[75];
816 memcpy(header + j, mac_sec, md_size);
818 memcpy(header + j, ssl3_pad_1, npad);
820 memcpy(header + j, seq, 8);
822 header[j++] = rec->type;
823 header[j++] = rec->length >> 8;
824 header[j++] = rec->length & 0xff;
826 /* Final param == is SSLv3 */
827 ssl3_cbc_digest_record(hash,
830 rec->length + md_size, rec->orig_len,
831 mac_sec, md_size, 1);
833 unsigned int md_size_u;
834 /* Chop the digest off the end :-) */
835 EVP_MD_CTX_init(&md_ctx);
837 EVP_MD_CTX_copy_ex(&md_ctx, hash);
838 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
839 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
840 EVP_DigestUpdate(&md_ctx, seq, 8);
841 rec_char = rec->type;
842 EVP_DigestUpdate(&md_ctx, &rec_char, 1);
845 EVP_DigestUpdate(&md_ctx, md, 2);
846 EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
847 EVP_DigestFinal_ex(&md_ctx, md, NULL);
849 EVP_MD_CTX_copy_ex(&md_ctx, hash);
850 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
851 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
852 EVP_DigestUpdate(&md_ctx, md, md_size);
853 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
856 EVP_MD_CTX_cleanup(&md_ctx);
859 ssl3_record_sequence_update(seq);
863 int tls1_mac(SSL *ssl, unsigned char *md, int send)
870 EVP_MD_CTX hmac, *mac_ctx;
871 unsigned char header[13];
872 int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
873 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
877 rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
878 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
879 hash = ssl->write_hash;
881 rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
882 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
883 hash = ssl->read_hash;
886 t = EVP_MD_CTX_size(hash);
887 OPENSSL_assert(t >= 0);
890 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
894 if (!EVP_MD_CTX_copy(&hmac, hash))
899 if (SSL_IS_DTLS(ssl)) {
900 unsigned char dtlsseq[8], *p = dtlsseq;
902 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
903 DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
904 memcpy(p, &seq[2], 6);
906 memcpy(header, dtlsseq, 8);
908 memcpy(header, seq, 8);
910 header[8] = rec->type;
911 header[9] = (unsigned char)(ssl->version >> 8);
912 header[10] = (unsigned char)(ssl->version);
913 header[11] = (rec->length) >> 8;
914 header[12] = (rec->length) & 0xff;
916 if (!send && !SSL_USE_ETM(ssl) &&
917 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
918 ssl3_cbc_record_digest_supported(mac_ctx)) {
920 * This is a CBC-encrypted record. We must avoid leaking any
921 * timing-side channel information about how many blocks of data we
922 * are hashing because that gives an attacker a timing-oracle.
924 /* Final param == not SSLv3 */
925 ssl3_cbc_digest_record(mac_ctx,
928 rec->length + md_size, rec->orig_len,
929 ssl->s3->read_mac_secret,
930 ssl->s3->read_mac_secret_size, 0);
932 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
933 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
934 t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
935 OPENSSL_assert(t > 0);
936 if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
937 tls_fips_digest_extra(ssl->enc_read_ctx,
939 rec->length, rec->orig_len);
943 EVP_MD_CTX_cleanup(&hmac);
945 fprintf(stderr, "seq=");
948 for (z = 0; z < 8; z++)
949 fprintf(stderr, "%02X ", seq[z]);
950 fprintf(stderr, "\n");
952 fprintf(stderr, "rec=");
955 for (z = 0; z < rec->length; z++)
956 fprintf(stderr, "%02X ", rec->data[z]);
957 fprintf(stderr, "\n");
961 if (!SSL_IS_DTLS(ssl)) {
962 for (i = 7; i >= 0; i--) {
971 for (z = 0; z < md_size; z++)
972 fprintf(stderr, "%02X ", md[z]);
973 fprintf(stderr, "\n");
980 * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
981 * record in |rec| by updating |rec->length| in constant time.
983 * block_size: the block size of the cipher used to encrypt the record.
985 * 0: (in non-constant time) if the record is publicly invalid.
986 * 1: if the padding was valid
989 int ssl3_cbc_remove_padding(const SSL *s,
991 unsigned block_size, unsigned mac_size)
993 unsigned padding_length, good;
994 const unsigned overhead = 1 /* padding length byte */ + mac_size;
997 * These lengths are all public so we can test them in non-constant time.
999 if (overhead > rec->length)
1002 padding_length = rec->data[rec->length - 1];
1003 good = constant_time_ge(rec->length, padding_length + overhead);
1004 /* SSLv3 requires that the padding is minimal. */
1005 good &= constant_time_ge(block_size, padding_length + 1);
1006 rec->length -= good & (padding_length + 1);
1007 return constant_time_select_int(good, 1, -1);
1011 * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
1012 * record in |rec| in constant time and returns 1 if the padding is valid and
1013 * -1 otherwise. It also removes any explicit IV from the start of the record
1014 * without leaking any timing about whether there was enough space after the
1015 * padding was removed.
1017 * block_size: the block size of the cipher used to encrypt the record.
1019 * 0: (in non-constant time) if the record is publicly invalid.
1020 * 1: if the padding was valid
1023 int tls1_cbc_remove_padding(const SSL *s,
1025 unsigned block_size, unsigned mac_size)
1027 unsigned padding_length, good, to_check, i;
1028 const unsigned overhead = 1 /* padding length byte */ + mac_size;
1029 /* Check if version requires explicit IV */
1030 if (SSL_USE_EXPLICIT_IV(s)) {
1032 * These lengths are all public so we can test them in non-constant
1035 if (overhead + block_size > rec->length)
1037 /* We can now safely skip explicit IV */
1038 rec->data += block_size;
1039 rec->input += block_size;
1040 rec->length -= block_size;
1041 rec->orig_len -= block_size;
1042 } else if (overhead > rec->length)
1045 padding_length = rec->data[rec->length - 1];
1048 * NB: if compression is in operation the first packet may not be of even
1049 * length so the padding bug check cannot be performed. This bug
1050 * workaround has been around since SSLeay so hopefully it is either
1051 * fixed now or no buggy implementation supports compression [steve]
1053 if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) {
1054 /* First packet is even in size, so check */
1055 if ((memcmp(RECORD_LAYER_get_read_sequence(&s->rlayer),
1056 "\0\0\0\0\0\0\0\0", 8) == 0) &&
1057 !(padding_length & 1)) {
1058 s->s3->flags |= TLS1_FLAGS_TLS_PADDING_BUG;
1060 if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) && padding_length > 0) {
1065 if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
1066 /* padding is already verified */
1067 rec->length -= padding_length + 1;
1071 good = constant_time_ge(rec->length, overhead + padding_length);
1073 * The padding consists of a length byte at the end of the record and
1074 * then that many bytes of padding, all with the same value as the length
1075 * byte. Thus, with the length byte included, there are i+1 bytes of
1076 * padding. We can't check just |padding_length+1| bytes because that
1077 * leaks decrypted information. Therefore we always have to check the
1078 * maximum amount of padding possible. (Again, the length of the record
1079 * is public information so we can use it.)
1081 to_check = 255; /* maximum amount of padding. */
1082 if (to_check > rec->length - 1)
1083 to_check = rec->length - 1;
1085 for (i = 0; i < to_check; i++) {
1086 unsigned char mask = constant_time_ge_8(padding_length, i);
1087 unsigned char b = rec->data[rec->length - 1 - i];
1089 * The final |padding_length+1| bytes should all have the value
1090 * |padding_length|. Therefore the XOR should be zero.
1092 good &= ~(mask & (padding_length ^ b));
1096 * If any of the final |padding_length+1| bytes had the wrong value, one
1097 * or more of the lower eight bits of |good| will be cleared.
1099 good = constant_time_eq(0xff, good & 0xff);
1100 rec->length -= good & (padding_length + 1);
1102 return constant_time_select_int(good, 1, -1);
1106 * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
1107 * constant time (independent of the concrete value of rec->length, which may
1108 * vary within a 256-byte window).
1110 * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
1114 * rec->orig_len >= md_size
1115 * md_size <= EVP_MAX_MD_SIZE
1117 * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
1118 * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
1119 * a single or pair of cache-lines, then the variable memory accesses don't
1120 * actually affect the timing. CPUs with smaller cache-lines [if any] are
1121 * not multi-core and are not considered vulnerable to cache-timing attacks.
1123 #define CBC_MAC_ROTATE_IN_PLACE
1125 void ssl3_cbc_copy_mac(unsigned char *out,
1126 const SSL3_RECORD *rec, unsigned md_size)
1128 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1129 unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
1130 unsigned char *rotated_mac;
1132 unsigned char rotated_mac[EVP_MAX_MD_SIZE];
1136 * mac_end is the index of |rec->data| just after the end of the MAC.
1138 unsigned mac_end = rec->length;
1139 unsigned mac_start = mac_end - md_size;
1141 * scan_start contains the number of bytes that we can ignore because the
1142 * MAC's position can only vary by 255 bytes.
1144 unsigned scan_start = 0;
1146 unsigned div_spoiler;
1147 unsigned rotate_offset;
1149 OPENSSL_assert(rec->orig_len >= md_size);
1150 OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
1152 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1153 rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
1156 /* This information is public so it's safe to branch based on it. */
1157 if (rec->orig_len > md_size + 255 + 1)
1158 scan_start = rec->orig_len - (md_size + 255 + 1);
1160 * div_spoiler contains a multiple of md_size that is used to cause the
1161 * modulo operation to be constant time. Without this, the time varies
1162 * based on the amount of padding when running on Intel chips at least.
1163 * The aim of right-shifting md_size is so that the compiler doesn't
1164 * figure out that it can remove div_spoiler as that would require it to
1165 * prove that md_size is always even, which I hope is beyond it.
1167 div_spoiler = md_size >> 1;
1168 div_spoiler <<= (sizeof(div_spoiler) - 1) * 8;
1169 rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
1171 memset(rotated_mac, 0, md_size);
1172 for (i = scan_start, j = 0; i < rec->orig_len; i++) {
1173 unsigned char mac_started = constant_time_ge_8(i, mac_start);
1174 unsigned char mac_ended = constant_time_ge_8(i, mac_end);
1175 unsigned char b = rec->data[i];
1176 rotated_mac[j++] |= b & mac_started & ~mac_ended;
1177 j &= constant_time_lt(j, md_size);
1180 /* Now rotate the MAC */
1181 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1183 for (i = 0; i < md_size; i++) {
1184 /* in case cache-line is 32 bytes, touch second line */
1185 ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
1186 out[j++] = rotated_mac[rotate_offset++];
1187 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1190 memset(out, 0, md_size);
1191 rotate_offset = md_size - rotate_offset;
1192 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1193 for (i = 0; i < md_size; i++) {
1194 for (j = 0; j < md_size; j++)
1195 out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
1197 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1202 int dtls1_process_record(SSL *s)
1208 unsigned int mac_size;
1209 unsigned char md[EVP_MAX_MD_SIZE];
1211 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1215 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
1216 * and we have that many bytes in s->packet
1218 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]);
1221 * ok, we can now read from 's->packet' data into 'rr' rr->input points
1222 * at rr->length bytes, which need to be copied into rr->data by either
1223 * the decryption or by the decompression When the data is 'copied' into
1224 * the rr->data buffer, rr->input will be pointed at the new buffer
1228 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
1229 * bytes of encrypted compressed stuff.
1232 /* check is not needed I believe */
1233 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1234 al = SSL_AD_RECORD_OVERFLOW;
1235 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1239 /* decrypt in place in 'rr->input' */
1240 rr->data = rr->input;
1241 rr->orig_len = rr->length;
1243 enc_err = s->method->ssl3_enc->enc(s, 0);
1246 * 0: (in non-constant time) if the record is publically invalid.
1247 * 1: if the padding is valid
1248 * -1: if the padding is invalid
1251 /* For DTLS we simply ignore bad packets. */
1253 RECORD_LAYER_reset_packet_length(&s->rlayer);
1257 printf("dec %d\n", rr->length);
1260 for (z = 0; z < rr->length; z++)
1261 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
1266 /* r->length is now the compressed data plus mac */
1267 if ((sess != NULL) &&
1268 (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
1269 /* s->read_hash != NULL => mac_size != -1 */
1270 unsigned char *mac = NULL;
1271 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
1272 mac_size = EVP_MD_CTX_size(s->read_hash);
1273 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
1276 * orig_len is the length of the record before any padding was
1277 * removed. This is public information, as is the MAC in use,
1278 * therefore we can safely process the record in a different amount
1279 * of time if it's too short to possibly contain a MAC.
1281 if (rr->orig_len < mac_size ||
1282 /* CBC records must have a padding length byte too. */
1283 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1284 rr->orig_len < mac_size + 1)) {
1285 al = SSL_AD_DECODE_ERROR;
1286 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
1290 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
1292 * We update the length so that the TLS header bytes can be
1293 * constructed correctly but we need to extract the MAC in
1294 * constant time from within the record, without leaking the
1295 * contents of the padding bytes.
1298 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
1299 rr->length -= mac_size;
1302 * In this case there's no padding, so |rec->orig_len| equals
1303 * |rec->length| and we checked that there's enough bytes for
1306 rr->length -= mac_size;
1307 mac = &rr->data[rr->length];
1310 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
1311 if (i < 0 || mac == NULL
1312 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
1314 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
1319 /* decryption failed, silently discard message */
1321 RECORD_LAYER_reset_packet_length(&s->rlayer);
1325 /* r->length is now just compressed */
1326 if (s->expand != NULL) {
1327 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
1328 al = SSL_AD_RECORD_OVERFLOW;
1329 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,
1330 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1333 if (!ssl3_do_uncompress(s)) {
1334 al = SSL_AD_DECOMPRESSION_FAILURE;
1335 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
1340 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
1341 al = SSL_AD_RECORD_OVERFLOW;
1342 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
1348 * So at this point the following is true
1349 * ssl->s3->rrec.type is the type of record
1350 * ssl->s3->rrec.length == number of bytes in record
1351 * ssl->s3->rrec.off == offset to first valid byte
1352 * ssl->s3->rrec.data == where to take bytes from, increment
1356 /* we have pulled in a full packet so zero things */
1357 RECORD_LAYER_reset_packet_length(&s->rlayer);
1361 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1368 * retrieve a buffered record that belongs to the current epoch, ie,
1371 #define dtls1_get_processed_record(s) \
1372 dtls1_retrieve_buffered_record((s), \
1373 &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer)))
1376 * Call this to get a new input record.
1377 * It will return <= 0 if more data is needed, normally due to an error
1378 * or non-blocking IO.
1379 * When it finishes, one packet has been decoded and can be found in
1380 * ssl->s3->rrec.type - is the type of record
1381 * ssl->s3->rrec.data, - data
1382 * ssl->s3->rrec.length, - number of bytes
1384 /* used only by dtls1_read_bytes */
1385 int dtls1_get_record(SSL *s)
1387 int ssl_major, ssl_minor;
1390 unsigned char *p = NULL;
1391 unsigned short version;
1392 DTLS1_BITMAP *bitmap;
1393 unsigned int is_next_epoch;
1395 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1398 * The epoch may have changed. If so, process all the pending records.
1399 * This is a non-blocking operation.
1401 if (dtls1_process_buffered_records(s) < 0)
1404 /* if we're renegotiating, then there may be buffered records */
1405 if (dtls1_get_processed_record(s))
1408 /* get something from the wire */
1410 /* check if we have the header */
1411 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
1412 (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) {
1413 n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
1414 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0);
1415 /* read timeout is handled by dtls1_read_bytes */
1417 return (n); /* error or non-blocking */
1419 /* this packet contained a partial record, dump it */
1420 if (RECORD_LAYER_get_packet_length(&s->rlayer) != DTLS1_RT_HEADER_LENGTH) {
1421 RECORD_LAYER_reset_packet_length(&s->rlayer);
1425 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
1427 p = RECORD_LAYER_get_packet(&s->rlayer);
1429 if (s->msg_callback)
1430 s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
1431 s, s->msg_callback_arg);
1433 /* Pull apart the header into the DTLS1_RECORD */
1437 version = (ssl_major << 8) | ssl_minor;
1439 /* sequence number is 64 bits, with top 2 bytes = epoch */
1442 memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6);
1447 /* Lets check version */
1448 if (!s->first_packet) {
1449 if (version != s->version) {
1450 /* unexpected version, silently discard */
1452 RECORD_LAYER_reset_packet_length(&s->rlayer);
1457 if ((version & 0xff00) != (s->version & 0xff00)) {
1458 /* wrong version, silently discard record */
1460 RECORD_LAYER_reset_packet_length(&s->rlayer);
1464 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1465 /* record too long, silently discard it */
1467 RECORD_LAYER_reset_packet_length(&s->rlayer);
1471 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
1474 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
1477 RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) {
1478 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
1480 n = ssl3_read_n(s, i, i, 1);
1481 /* this packet contained a partial record, dump it */
1484 RECORD_LAYER_reset_packet_length(&s->rlayer);
1489 * now n == rr->length, and s->packet_length ==
1490 * DTLS1_RT_HEADER_LENGTH + rr->length
1493 /* set state for later operations */
1494 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
1496 /* match epochs. NULL means the packet is dropped on the floor */
1497 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
1498 if (bitmap == NULL) {
1500 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1501 goto again; /* get another record */
1503 #ifndef OPENSSL_NO_SCTP
1504 /* Only do replay check if no SCTP bio */
1505 if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
1508 * Check whether this is a repeat, or aged record. Don't check if
1509 * we're listening and this message is a ClientHello. They can look
1510 * as if they're replayed, since they arrive from different
1511 * connections and would be dropped unnecessarily.
1513 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
1514 RECORD_LAYER_get_packet_length(&s->rlayer)
1515 > DTLS1_RT_HEADER_LENGTH &&
1516 RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]
1517 == SSL3_MT_CLIENT_HELLO) &&
1518 !dtls1_record_replay_check(s, bitmap)) {
1520 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1521 goto again; /* get another record */
1523 #ifndef OPENSSL_NO_SCTP
1527 /* just read a 0 length packet */
1528 if (rr->length == 0)
1532 * If this record is from the next epoch (either HM or ALERT), and a
1533 * handshake is currently in progress, buffer it since it cannot be
1534 * processed at this time. However, do not buffer anything while
1537 if (is_next_epoch) {
1538 if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) {
1539 if (dtls1_buffer_record
1540 (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
1543 /* Mark receipt of record. */
1544 dtls1_record_bitmap_update(s, bitmap);
1547 RECORD_LAYER_reset_packet_length(&s->rlayer);
1551 if (!dtls1_process_record(s)) {
1553 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1554 goto again; /* get another record */
1556 dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */