1 /* ssl/record/ssl3_record.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
112 #include "../ssl_locl.h"
113 #include "../../crypto/constant_time_locl.h"
114 #include <openssl/rand.h>
115 #include "record_locl.h"
117 static const unsigned char ssl3_pad_1[48] = {
118 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
119 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
120 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
121 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
122 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
123 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
126 static const unsigned char ssl3_pad_2[48] = {
127 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
128 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
129 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
130 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
131 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
132 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
135 void SSL3_RECORD_clear(SSL3_RECORD *r)
137 memset(r->seq_num, 0, sizeof(r->seq_num));
140 void SSL3_RECORD_release(SSL3_RECORD *r)
143 OPENSSL_free(r->comp);
147 int SSL3_RECORD_setup(SSL3_RECORD *r)
150 r->comp = (unsigned char *)
151 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
157 void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
159 memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
163 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
164 * will be processed per call to ssl3_get_record. Without this limit an
165 * attacker could send empty records at a faster rate than we can process and
166 * cause ssl3_get_record to loop forever.
168 #define MAX_EMPTY_RECORDS 32
171 * Call this to get a new input record.
172 * It will return <= 0 if more data is needed, normally due to an error
173 * or non-blocking IO.
174 * When it finishes, one packet has been decoded and can be found in
175 * ssl->s3->rrec.type - is the type of record
176 * ssl->s3->rrec.data, - data
177 * ssl->s3->rrec.length, - number of bytes
179 /* used only by ssl3_read_bytes */
180 int ssl3_get_record(SSL *s)
182 int ssl_major, ssl_minor, al;
183 int enc_err, n, i, ret = -1;
187 unsigned char md[EVP_MAX_MD_SIZE];
191 unsigned empty_record_count = 0;
193 rr = RECORD_LAYER_get_rrec(&s->rlayer);
196 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
197 extra = SSL3_RT_MAX_EXTRA;
200 if (extra && !s->s3->init_extra) {
202 * An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER set after
203 * ssl3_setup_buffers() was done
205 SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
210 /* check if we have the header */
211 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
212 (RECORD_LAYER_get_packet_length(&s->rlayer) < SSL3_RT_HEADER_LENGTH)) {
213 n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
214 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0);
216 return (n); /* error or non-blocking */
217 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
219 p = RECORD_LAYER_get_packet(&s->rlayer);
221 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
222 s->msg_callback_arg);
224 /* Pull apart the header into the SSL3_RECORD */
228 version = (ssl_major << 8) | ssl_minor;
231 /* Lets check version */
232 if (!s->first_packet) {
233 if (version != s->version) {
234 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
235 if ((s->version & 0xFF00) == (version & 0xFF00)
236 && !s->enc_write_ctx && !s->write_hash)
238 * Send back error using their minor version number :-)
240 s->version = (unsigned short)version;
241 al = SSL_AD_PROTOCOL_VERSION;
246 if ((version >> 8) != SSL3_VERSION_MAJOR) {
247 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
252 SSL3_BUFFER_get_len(&s->rlayer.rbuf)
253 - SSL3_RT_HEADER_LENGTH) {
254 al = SSL_AD_RECORD_OVERFLOW;
255 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
259 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
262 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
265 RECORD_LAYER_get_packet_length(&s->rlayer) - SSL3_RT_HEADER_LENGTH) {
266 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
268 n = ssl3_read_n(s, i, i, 1);
270 return (n); /* error or non-blocking io */
272 * now n == rr->length, and s->packet_length == SSL3_RT_HEADER_LENGTH
277 /* set state for later operations */
278 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
281 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
282 * and we have that many bytes in s->packet
284 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
287 * ok, we can now read from 's->packet' data into 'rr' rr->input points
288 * at rr->length bytes, which need to be copied into rr->data by either
289 * the decryption or by the decompression When the data is 'copied' into
290 * the rr->data buffer, rr->input will be pointed at the new buffer
294 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
295 * bytes of encrypted compressed stuff.
298 /* check is not needed I believe */
299 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
300 al = SSL_AD_RECORD_OVERFLOW;
301 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
305 /* decrypt in place in 'rr->input' */
306 rr->data = rr->input;
307 rr->orig_len = rr->length;
309 * If in encrypt-then-mac mode calculate mac from encrypted record. All
310 * the details below are public so no timing details can leak.
312 if (SSL_USE_ETM(s) && s->read_hash) {
314 mac_size = EVP_MD_CTX_size(s->read_hash);
315 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
316 if (rr->length < mac_size) {
317 al = SSL_AD_DECODE_ERROR;
318 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
321 rr->length -= mac_size;
322 mac = rr->data + rr->length;
323 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
324 if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
325 al = SSL_AD_BAD_RECORD_MAC;
326 SSLerr(SSL_F_SSL3_GET_RECORD,
327 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
332 enc_err = s->method->ssl3_enc->enc(s, 0);
335 * 0: (in non-constant time) if the record is publically invalid.
336 * 1: if the padding is valid
337 * -1: if the padding is invalid
340 al = SSL_AD_DECRYPTION_FAILED;
341 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
345 printf("dec %d\n", rr->length);
348 for (z = 0; z < rr->length; z++)
349 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
354 /* r->length is now the compressed data plus mac */
355 if ((sess != NULL) &&
356 (s->enc_read_ctx != NULL) &&
357 (EVP_MD_CTX_md(s->read_hash) != NULL) && !SSL_USE_ETM(s)) {
358 /* s->read_hash != NULL => mac_size != -1 */
359 unsigned char *mac = NULL;
360 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
361 mac_size = EVP_MD_CTX_size(s->read_hash);
362 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
365 * orig_len is the length of the record before any padding was
366 * removed. This is public information, as is the MAC in use,
367 * therefore we can safely process the record in a different amount
368 * of time if it's too short to possibly contain a MAC.
370 if (rr->orig_len < mac_size ||
371 /* CBC records must have a padding length byte too. */
372 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
373 rr->orig_len < mac_size + 1)) {
374 al = SSL_AD_DECODE_ERROR;
375 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
379 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
381 * We update the length so that the TLS header bytes can be
382 * constructed correctly but we need to extract the MAC in
383 * constant time from within the record, without leaking the
384 * contents of the padding bytes.
387 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
388 rr->length -= mac_size;
391 * In this case there's no padding, so |rec->orig_len| equals
392 * |rec->length| and we checked that there's enough bytes for
395 rr->length -= mac_size;
396 mac = &rr->data[rr->length];
399 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
400 if (i < 0 || mac == NULL
401 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
403 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra + mac_size)
409 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
410 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
411 * failure is directly visible from the ciphertext anyway, we should
412 * not reveal which kind of error occurred -- this might become
413 * visible to an attacker (e.g. via a logfile)
415 al = SSL_AD_BAD_RECORD_MAC;
416 SSLerr(SSL_F_SSL3_GET_RECORD,
417 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
421 /* r->length is now just compressed */
422 if (s->expand != NULL) {
423 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra) {
424 al = SSL_AD_RECORD_OVERFLOW;
425 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
428 if (!ssl3_do_uncompress(s)) {
429 al = SSL_AD_DECOMPRESSION_FAILURE;
430 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
435 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH + extra) {
436 al = SSL_AD_RECORD_OVERFLOW;
437 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
443 * So at this point the following is true
444 * ssl->s3->rrec.type is the type of record
445 * ssl->s3->rrec.length == number of bytes in record
446 * ssl->s3->rrec.off == offset to first valid byte
447 * ssl->s3->rrec.data == where to take bytes from, increment
451 /* we have pulled in a full packet so zero things */
452 RECORD_LAYER_reset_packet_length(&s->rlayer);
454 /* just read a 0 length packet */
455 if (rr->length == 0) {
456 empty_record_count++;
457 if (empty_record_count > MAX_EMPTY_RECORDS) {
458 al = SSL_AD_UNEXPECTED_MESSAGE;
459 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
468 ssl3_send_alert(s, SSL3_AL_FATAL, al);
473 int ssl3_do_uncompress(SSL *ssl)
475 #ifndef OPENSSL_NO_COMP
479 rr = RECORD_LAYER_get_rrec(&ssl->rlayer);
480 i = COMP_expand_block(ssl->expand, rr->comp,
481 SSL3_RT_MAX_PLAIN_LENGTH, rr->data,
492 int ssl3_do_compress(SSL *ssl)
494 #ifndef OPENSSL_NO_COMP
498 wr = RECORD_LAYER_get_wrec(&ssl->rlayer);
499 i = COMP_compress_block(ssl->compress, wr->data,
500 SSL3_RT_MAX_COMPRESSED_LENGTH,
501 wr->input, (int)wr->length);
507 wr->input = wr->data;
513 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
516 * 0: (in non-constant time) if the record is publically invalid (i.e. too
518 * 1: if the record's padding is valid / the encryption was successful.
519 * -1: if the record's padding is invalid or, if sending, an internal error
522 int ssl3_enc(SSL *s, int send)
527 int bs, i, mac_size = 0;
528 const EVP_CIPHER *enc;
531 ds = s->enc_write_ctx;
532 rec = RECORD_LAYER_get_wrec(&s->rlayer);
533 if (s->enc_write_ctx == NULL)
536 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
538 ds = s->enc_read_ctx;
539 rec = RECORD_LAYER_get_rrec(&s->rlayer);
540 if (s->enc_read_ctx == NULL)
543 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
546 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
547 memmove(rec->data, rec->input, rec->length);
548 rec->input = rec->data;
551 bs = EVP_CIPHER_block_size(ds->cipher);
555 if ((bs != 1) && send) {
556 i = bs - ((int)l % bs);
558 /* we need to add 'i-1' padding bytes */
561 * the last of these zero bytes will be overwritten with the
564 memset(&rec->input[rec->length], 0, i);
566 rec->input[l - 1] = (i - 1);
570 if (l == 0 || l % bs != 0)
572 /* otherwise, rec->length >= bs */
575 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
578 if (EVP_MD_CTX_md(s->read_hash) != NULL)
579 mac_size = EVP_MD_CTX_size(s->read_hash);
580 if ((bs != 1) && !send)
581 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
587 * tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
590 * 0: (in non-constant time) if the record is publically invalid (i.e. too
592 * 1: if the record's padding is valid / the encryption was successful.
593 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
594 * an internal error occurred.
596 int tls1_enc(SSL *s, int send)
601 int bs, i, j, k, pad = 0, ret, mac_size = 0;
602 const EVP_CIPHER *enc;
605 if (EVP_MD_CTX_md(s->write_hash)) {
606 int n = EVP_MD_CTX_size(s->write_hash);
607 OPENSSL_assert(n >= 0);
609 ds = s->enc_write_ctx;
610 rec = RECORD_LAYER_get_wrec(&s->rlayer);
611 if (s->enc_write_ctx == NULL)
615 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
616 /* For TLSv1.1 and later explicit IV */
617 if (SSL_USE_EXPLICIT_IV(s)
618 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
619 ivlen = EVP_CIPHER_iv_length(enc);
623 if (rec->data != rec->input)
625 * we can't write into the input stream: Can this ever
629 "%s:%d: rec->data != rec->input\n",
631 else if (RAND_bytes(rec->input, ivlen) <= 0)
636 if (EVP_MD_CTX_md(s->read_hash)) {
637 int n = EVP_MD_CTX_size(s->read_hash);
638 OPENSSL_assert(n >= 0);
640 ds = s->enc_read_ctx;
641 rec = RECORD_LAYER_get_rrec(&s->rlayer);
642 if (s->enc_read_ctx == NULL)
645 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
649 fprintf(stderr, "tls1_enc(%d)\n", send);
650 #endif /* KSSL_DEBUG */
652 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
653 memmove(rec->data, rec->input, rec->length);
654 rec->input = rec->data;
658 bs = EVP_CIPHER_block_size(ds->cipher);
660 if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
661 unsigned char buf[13], *seq;
663 seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
664 : RECORD_LAYER_get_read_sequence(&s->rlayer);
666 if (SSL_IS_DTLS(s)) {
667 unsigned char dtlsseq[9], *p = dtlsseq;
669 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
670 DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
671 memcpy(p, &seq[2], 6);
672 memcpy(buf, dtlsseq, 8);
675 for (i = 7; i >= 0; i--) { /* increment */
683 buf[9] = (unsigned char)(s->version >> 8);
684 buf[10] = (unsigned char)(s->version);
685 buf[11] = rec->length >> 8;
686 buf[12] = rec->length & 0xff;
687 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf);
692 } else if ((bs != 1) && send) {
693 i = bs - ((int)l % bs);
695 /* Add weird padding of upto 256 bytes */
697 /* we need to add 'i' padding bytes of value j */
699 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
700 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
703 for (k = (int)l; k < (int)(l + i); k++)
712 "EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
713 ds, rec->data, rec->input, l);
715 "\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%lu %lu], %d iv_len\n",
716 ds->buf_len, ds->cipher->key_len, DES_KEY_SZ,
717 DES_SCHEDULE_SZ, ds->cipher->iv_len);
718 fprintf(stderr, "\t\tIV: ");
719 for (i = 0; i < ds->cipher->iv_len; i++)
720 fprintf(stderr, "%02X", ds->iv[i]);
721 fprintf(stderr, "\n");
722 fprintf(stderr, "\trec->input=");
723 for (ui = 0; ui < l; ui++)
724 fprintf(stderr, " %02x", rec->input[ui]);
725 fprintf(stderr, "\n");
727 #endif /* KSSL_DEBUG */
730 if (l == 0 || l % bs != 0)
734 i = EVP_Cipher(ds, rec->data, rec->input, l);
735 if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER)
738 return -1; /* AEAD can fail to verify MAC */
739 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
740 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
741 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
742 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
747 fprintf(stderr, "\trec->data=");
748 for (i = 0; i < l; i++)
749 fprintf(stderr, " %02x", rec->data[i]);
750 fprintf(stderr, "\n");
752 #endif /* KSSL_DEBUG */
755 if (!SSL_USE_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)
756 mac_size = EVP_MD_CTX_size(s->read_hash);
757 if ((bs != 1) && !send)
758 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
765 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
768 unsigned char *mac_sec, *seq;
770 const EVP_MD_CTX *hash;
771 unsigned char *p, rec_char;
777 rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
778 mac_sec = &(ssl->s3->write_mac_secret[0]);
779 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
780 hash = ssl->write_hash;
782 rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
783 mac_sec = &(ssl->s3->read_mac_secret[0]);
784 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
785 hash = ssl->read_hash;
788 t = EVP_MD_CTX_size(hash);
792 npad = (48 / md_size) * md_size;
795 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
796 ssl3_cbc_record_digest_supported(hash)) {
798 * This is a CBC-encrypted record. We must avoid leaking any
799 * timing-side channel information about how many blocks of data we
800 * are hashing because that gives an attacker a timing-oracle.
804 * npad is, at most, 48 bytes and that's with MD5:
805 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
807 * With SHA-1 (the largest hash speced for SSLv3) the hash size
808 * goes up 4, but npad goes down by 8, resulting in a smaller
811 unsigned char header[75];
813 memcpy(header + j, mac_sec, md_size);
815 memcpy(header + j, ssl3_pad_1, npad);
817 memcpy(header + j, seq, 8);
819 header[j++] = rec->type;
820 header[j++] = rec->length >> 8;
821 header[j++] = rec->length & 0xff;
823 /* Final param == is SSLv3 */
824 ssl3_cbc_digest_record(hash,
827 rec->length + md_size, rec->orig_len,
828 mac_sec, md_size, 1);
830 unsigned int md_size_u;
831 /* Chop the digest off the end :-) */
832 EVP_MD_CTX_init(&md_ctx);
834 EVP_MD_CTX_copy_ex(&md_ctx, hash);
835 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
836 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
837 EVP_DigestUpdate(&md_ctx, seq, 8);
838 rec_char = rec->type;
839 EVP_DigestUpdate(&md_ctx, &rec_char, 1);
842 EVP_DigestUpdate(&md_ctx, md, 2);
843 EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
844 EVP_DigestFinal_ex(&md_ctx, md, NULL);
846 EVP_MD_CTX_copy_ex(&md_ctx, hash);
847 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
848 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
849 EVP_DigestUpdate(&md_ctx, md, md_size);
850 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
853 EVP_MD_CTX_cleanup(&md_ctx);
856 ssl3_record_sequence_update(seq);
860 int tls1_mac(SSL *ssl, unsigned char *md, int send)
867 EVP_MD_CTX hmac, *mac_ctx;
868 unsigned char header[13];
869 int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
870 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
874 rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
875 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
876 hash = ssl->write_hash;
878 rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
879 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
880 hash = ssl->read_hash;
883 t = EVP_MD_CTX_size(hash);
884 OPENSSL_assert(t >= 0);
887 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
891 if (!EVP_MD_CTX_copy(&hmac, hash))
896 if (SSL_IS_DTLS(ssl)) {
897 unsigned char dtlsseq[8], *p = dtlsseq;
899 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
900 DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
901 memcpy(p, &seq[2], 6);
903 memcpy(header, dtlsseq, 8);
905 memcpy(header, seq, 8);
907 header[8] = rec->type;
908 header[9] = (unsigned char)(ssl->version >> 8);
909 header[10] = (unsigned char)(ssl->version);
910 header[11] = (rec->length) >> 8;
911 header[12] = (rec->length) & 0xff;
913 if (!send && !SSL_USE_ETM(ssl) &&
914 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
915 ssl3_cbc_record_digest_supported(mac_ctx)) {
917 * This is a CBC-encrypted record. We must avoid leaking any
918 * timing-side channel information about how many blocks of data we
919 * are hashing because that gives an attacker a timing-oracle.
921 /* Final param == not SSLv3 */
922 ssl3_cbc_digest_record(mac_ctx,
925 rec->length + md_size, rec->orig_len,
926 ssl->s3->read_mac_secret,
927 ssl->s3->read_mac_secret_size, 0);
929 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
930 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
931 t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
932 OPENSSL_assert(t > 0);
933 if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
934 tls_fips_digest_extra(ssl->enc_read_ctx,
936 rec->length, rec->orig_len);
940 EVP_MD_CTX_cleanup(&hmac);
942 fprintf(stderr, "seq=");
945 for (z = 0; z < 8; z++)
946 fprintf(stderr, "%02X ", seq[z]);
947 fprintf(stderr, "\n");
949 fprintf(stderr, "rec=");
952 for (z = 0; z < rec->length; z++)
953 fprintf(stderr, "%02X ", rec->data[z]);
954 fprintf(stderr, "\n");
958 if (!SSL_IS_DTLS(ssl)) {
959 for (i = 7; i >= 0; i--) {
968 for (z = 0; z < md_size; z++)
969 fprintf(stderr, "%02X ", md[z]);
970 fprintf(stderr, "\n");
977 * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
978 * record in |rec| by updating |rec->length| in constant time.
980 * block_size: the block size of the cipher used to encrypt the record.
982 * 0: (in non-constant time) if the record is publicly invalid.
983 * 1: if the padding was valid
986 int ssl3_cbc_remove_padding(const SSL *s,
988 unsigned block_size, unsigned mac_size)
990 unsigned padding_length, good;
991 const unsigned overhead = 1 /* padding length byte */ + mac_size;
994 * These lengths are all public so we can test them in non-constant time.
996 if (overhead > rec->length)
999 padding_length = rec->data[rec->length - 1];
1000 good = constant_time_ge(rec->length, padding_length + overhead);
1001 /* SSLv3 requires that the padding is minimal. */
1002 good &= constant_time_ge(block_size, padding_length + 1);
1003 rec->length -= good & (padding_length + 1);
1004 return constant_time_select_int(good, 1, -1);
1008 * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
1009 * record in |rec| in constant time and returns 1 if the padding is valid and
1010 * -1 otherwise. It also removes any explicit IV from the start of the record
1011 * without leaking any timing about whether there was enough space after the
1012 * padding was removed.
1014 * block_size: the block size of the cipher used to encrypt the record.
1016 * 0: (in non-constant time) if the record is publicly invalid.
1017 * 1: if the padding was valid
1020 int tls1_cbc_remove_padding(const SSL *s,
1022 unsigned block_size, unsigned mac_size)
1024 unsigned padding_length, good, to_check, i;
1025 const unsigned overhead = 1 /* padding length byte */ + mac_size;
1026 /* Check if version requires explicit IV */
1027 if (SSL_USE_EXPLICIT_IV(s)) {
1029 * These lengths are all public so we can test them in non-constant
1032 if (overhead + block_size > rec->length)
1034 /* We can now safely skip explicit IV */
1035 rec->data += block_size;
1036 rec->input += block_size;
1037 rec->length -= block_size;
1038 rec->orig_len -= block_size;
1039 } else if (overhead > rec->length)
1042 padding_length = rec->data[rec->length - 1];
1045 * NB: if compression is in operation the first packet may not be of even
1046 * length so the padding bug check cannot be performed. This bug
1047 * workaround has been around since SSLeay so hopefully it is either
1048 * fixed now or no buggy implementation supports compression [steve]
1050 if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) {
1051 /* First packet is even in size, so check */
1052 if ((memcmp(RECORD_LAYER_get_read_sequence(&s->rlayer),
1053 "\0\0\0\0\0\0\0\0", 8) == 0) &&
1054 !(padding_length & 1)) {
1055 s->s3->flags |= TLS1_FLAGS_TLS_PADDING_BUG;
1057 if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) && padding_length > 0) {
1062 if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
1063 /* padding is already verified */
1064 rec->length -= padding_length + 1;
1068 good = constant_time_ge(rec->length, overhead + padding_length);
1070 * The padding consists of a length byte at the end of the record and
1071 * then that many bytes of padding, all with the same value as the length
1072 * byte. Thus, with the length byte included, there are i+1 bytes of
1073 * padding. We can't check just |padding_length+1| bytes because that
1074 * leaks decrypted information. Therefore we always have to check the
1075 * maximum amount of padding possible. (Again, the length of the record
1076 * is public information so we can use it.)
1078 to_check = 255; /* maximum amount of padding. */
1079 if (to_check > rec->length - 1)
1080 to_check = rec->length - 1;
1082 for (i = 0; i < to_check; i++) {
1083 unsigned char mask = constant_time_ge_8(padding_length, i);
1084 unsigned char b = rec->data[rec->length - 1 - i];
1086 * The final |padding_length+1| bytes should all have the value
1087 * |padding_length|. Therefore the XOR should be zero.
1089 good &= ~(mask & (padding_length ^ b));
1093 * If any of the final |padding_length+1| bytes had the wrong value, one
1094 * or more of the lower eight bits of |good| will be cleared.
1096 good = constant_time_eq(0xff, good & 0xff);
1097 rec->length -= good & (padding_length + 1);
1099 return constant_time_select_int(good, 1, -1);
1103 * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
1104 * constant time (independent of the concrete value of rec->length, which may
1105 * vary within a 256-byte window).
1107 * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
1111 * rec->orig_len >= md_size
1112 * md_size <= EVP_MAX_MD_SIZE
1114 * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
1115 * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
1116 * a single or pair of cache-lines, then the variable memory accesses don't
1117 * actually affect the timing. CPUs with smaller cache-lines [if any] are
1118 * not multi-core and are not considered vulnerable to cache-timing attacks.
1120 #define CBC_MAC_ROTATE_IN_PLACE
1122 void ssl3_cbc_copy_mac(unsigned char *out,
1123 const SSL3_RECORD *rec, unsigned md_size)
1125 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1126 unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
1127 unsigned char *rotated_mac;
1129 unsigned char rotated_mac[EVP_MAX_MD_SIZE];
1133 * mac_end is the index of |rec->data| just after the end of the MAC.
1135 unsigned mac_end = rec->length;
1136 unsigned mac_start = mac_end - md_size;
1138 * scan_start contains the number of bytes that we can ignore because the
1139 * MAC's position can only vary by 255 bytes.
1141 unsigned scan_start = 0;
1143 unsigned div_spoiler;
1144 unsigned rotate_offset;
1146 OPENSSL_assert(rec->orig_len >= md_size);
1147 OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
1149 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1150 rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
1153 /* This information is public so it's safe to branch based on it. */
1154 if (rec->orig_len > md_size + 255 + 1)
1155 scan_start = rec->orig_len - (md_size + 255 + 1);
1157 * div_spoiler contains a multiple of md_size that is used to cause the
1158 * modulo operation to be constant time. Without this, the time varies
1159 * based on the amount of padding when running on Intel chips at least.
1160 * The aim of right-shifting md_size is so that the compiler doesn't
1161 * figure out that it can remove div_spoiler as that would require it to
1162 * prove that md_size is always even, which I hope is beyond it.
1164 div_spoiler = md_size >> 1;
1165 div_spoiler <<= (sizeof(div_spoiler) - 1) * 8;
1166 rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
1168 memset(rotated_mac, 0, md_size);
1169 for (i = scan_start, j = 0; i < rec->orig_len; i++) {
1170 unsigned char mac_started = constant_time_ge_8(i, mac_start);
1171 unsigned char mac_ended = constant_time_ge_8(i, mac_end);
1172 unsigned char b = rec->data[i];
1173 rotated_mac[j++] |= b & mac_started & ~mac_ended;
1174 j &= constant_time_lt(j, md_size);
1177 /* Now rotate the MAC */
1178 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1180 for (i = 0; i < md_size; i++) {
1181 /* in case cache-line is 32 bytes, touch second line */
1182 ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
1183 out[j++] = rotated_mac[rotate_offset++];
1184 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1187 memset(out, 0, md_size);
1188 rotate_offset = md_size - rotate_offset;
1189 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1190 for (i = 0; i < md_size; i++) {
1191 for (j = 0; j < md_size; j++)
1192 out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
1194 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1199 int dtls1_process_record(SSL *s)
1205 unsigned int mac_size;
1206 unsigned char md[EVP_MAX_MD_SIZE];
1208 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1212 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
1213 * and we have that many bytes in s->packet
1215 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]);
1218 * ok, we can now read from 's->packet' data into 'rr' rr->input points
1219 * at rr->length bytes, which need to be copied into rr->data by either
1220 * the decryption or by the decompression When the data is 'copied' into
1221 * the rr->data buffer, rr->input will be pointed at the new buffer
1225 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
1226 * bytes of encrypted compressed stuff.
1229 /* check is not needed I believe */
1230 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1231 al = SSL_AD_RECORD_OVERFLOW;
1232 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1236 /* decrypt in place in 'rr->input' */
1237 rr->data = rr->input;
1238 rr->orig_len = rr->length;
1240 enc_err = s->method->ssl3_enc->enc(s, 0);
1243 * 0: (in non-constant time) if the record is publically invalid.
1244 * 1: if the padding is valid
1245 * -1: if the padding is invalid
1248 /* For DTLS we simply ignore bad packets. */
1250 RECORD_LAYER_reset_packet_length(&s->rlayer);
1254 printf("dec %d\n", rr->length);
1257 for (z = 0; z < rr->length; z++)
1258 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
1263 /* r->length is now the compressed data plus mac */
1264 if ((sess != NULL) &&
1265 (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
1266 /* s->read_hash != NULL => mac_size != -1 */
1267 unsigned char *mac = NULL;
1268 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
1269 mac_size = EVP_MD_CTX_size(s->read_hash);
1270 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
1273 * orig_len is the length of the record before any padding was
1274 * removed. This is public information, as is the MAC in use,
1275 * therefore we can safely process the record in a different amount
1276 * of time if it's too short to possibly contain a MAC.
1278 if (rr->orig_len < mac_size ||
1279 /* CBC records must have a padding length byte too. */
1280 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1281 rr->orig_len < mac_size + 1)) {
1282 al = SSL_AD_DECODE_ERROR;
1283 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
1287 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
1289 * We update the length so that the TLS header bytes can be
1290 * constructed correctly but we need to extract the MAC in
1291 * constant time from within the record, without leaking the
1292 * contents of the padding bytes.
1295 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
1296 rr->length -= mac_size;
1299 * In this case there's no padding, so |rec->orig_len| equals
1300 * |rec->length| and we checked that there's enough bytes for
1303 rr->length -= mac_size;
1304 mac = &rr->data[rr->length];
1307 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
1308 if (i < 0 || mac == NULL
1309 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
1311 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
1316 /* decryption failed, silently discard message */
1318 RECORD_LAYER_reset_packet_length(&s->rlayer);
1322 /* r->length is now just compressed */
1323 if (s->expand != NULL) {
1324 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
1325 al = SSL_AD_RECORD_OVERFLOW;
1326 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,
1327 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1330 if (!ssl3_do_uncompress(s)) {
1331 al = SSL_AD_DECOMPRESSION_FAILURE;
1332 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
1337 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
1338 al = SSL_AD_RECORD_OVERFLOW;
1339 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
1345 * So at this point the following is true
1346 * ssl->s3->rrec.type is the type of record
1347 * ssl->s3->rrec.length == number of bytes in record
1348 * ssl->s3->rrec.off == offset to first valid byte
1349 * ssl->s3->rrec.data == where to take bytes from, increment
1353 /* we have pulled in a full packet so zero things */
1354 RECORD_LAYER_reset_packet_length(&s->rlayer);
1358 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1365 * retrieve a buffered record that belongs to the current epoch, ie,
1368 #define dtls1_get_processed_record(s) \
1369 dtls1_retrieve_buffered_record((s), \
1370 &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer)))
1373 * Call this to get a new input record.
1374 * It will return <= 0 if more data is needed, normally due to an error
1375 * or non-blocking IO.
1376 * When it finishes, one packet has been decoded and can be found in
1377 * ssl->s3->rrec.type - is the type of record
1378 * ssl->s3->rrec.data, - data
1379 * ssl->s3->rrec.length, - number of bytes
1381 /* used only by dtls1_read_bytes */
1382 int dtls1_get_record(SSL *s)
1384 int ssl_major, ssl_minor;
1387 unsigned char *p = NULL;
1388 unsigned short version;
1389 DTLS1_BITMAP *bitmap;
1390 unsigned int is_next_epoch;
1392 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1395 * The epoch may have changed. If so, process all the pending records.
1396 * This is a non-blocking operation.
1398 if (dtls1_process_buffered_records(s) < 0)
1401 /* if we're renegotiating, then there may be buffered records */
1402 if (dtls1_get_processed_record(s))
1405 /* get something from the wire */
1407 /* check if we have the header */
1408 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
1409 (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) {
1410 n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
1411 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0);
1412 /* read timeout is handled by dtls1_read_bytes */
1414 return (n); /* error or non-blocking */
1416 /* this packet contained a partial record, dump it */
1417 if (RECORD_LAYER_get_packet_length(&s->rlayer) != DTLS1_RT_HEADER_LENGTH) {
1418 RECORD_LAYER_reset_packet_length(&s->rlayer);
1422 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
1424 p = RECORD_LAYER_get_packet(&s->rlayer);
1426 if (s->msg_callback)
1427 s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
1428 s, s->msg_callback_arg);
1430 /* Pull apart the header into the DTLS1_RECORD */
1434 version = (ssl_major << 8) | ssl_minor;
1436 /* sequence number is 64 bits, with top 2 bytes = epoch */
1439 memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6);
1444 /* Lets check version */
1445 if (!s->first_packet) {
1446 if (version != s->version) {
1447 /* unexpected version, silently discard */
1449 RECORD_LAYER_reset_packet_length(&s->rlayer);
1454 if ((version & 0xff00) != (s->version & 0xff00)) {
1455 /* wrong version, silently discard record */
1457 RECORD_LAYER_reset_packet_length(&s->rlayer);
1461 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1462 /* record too long, silently discard it */
1464 RECORD_LAYER_reset_packet_length(&s->rlayer);
1468 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
1471 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
1474 RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) {
1475 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
1477 n = ssl3_read_n(s, i, i, 1);
1478 /* this packet contained a partial record, dump it */
1481 RECORD_LAYER_reset_packet_length(&s->rlayer);
1486 * now n == rr->length, and s->packet_length ==
1487 * DTLS1_RT_HEADER_LENGTH + rr->length
1490 /* set state for later operations */
1491 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
1493 /* match epochs. NULL means the packet is dropped on the floor */
1494 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
1495 if (bitmap == NULL) {
1497 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1498 goto again; /* get another record */
1500 #ifndef OPENSSL_NO_SCTP
1501 /* Only do replay check if no SCTP bio */
1502 if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
1505 * Check whether this is a repeat, or aged record. Don't check if
1506 * we're listening and this message is a ClientHello. They can look
1507 * as if they're replayed, since they arrive from different
1508 * connections and would be dropped unnecessarily.
1510 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
1511 RECORD_LAYER_get_packet_length(&s->rlayer)
1512 > DTLS1_RT_HEADER_LENGTH &&
1513 RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]
1514 == SSL3_MT_CLIENT_HELLO) &&
1515 !dtls1_record_replay_check(s, bitmap)) {
1517 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1518 goto again; /* get another record */
1520 #ifndef OPENSSL_NO_SCTP
1524 /* just read a 0 length packet */
1525 if (rr->length == 0)
1529 * If this record is from the next epoch (either HM or ALERT), and a
1530 * handshake is currently in progress, buffer it since it cannot be
1531 * processed at this time. However, do not buffer anything while
1534 if (is_next_epoch) {
1535 if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) {
1536 if (dtls1_buffer_record
1537 (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
1540 /* Mark receipt of record. */
1541 dtls1_record_bitmap_update(s, bitmap);
1544 RECORD_LAYER_reset_packet_length(&s->rlayer);
1548 if (!dtls1_process_record(s)) {
1550 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1551 goto again; /* get another record */
1553 dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */