typo
[openssl.git] / ssl / d1_pkt.c
index 5fe1321..aefd85d 100644 (file)
@@ -179,7 +179,6 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
        unsigned char *priority);
 static int dtls1_process_record(SSL *s);
-static void dtls1_clear_timeouts(SSL *s);
 
 /* copy buffered record into SSL structure */
 static int
@@ -377,14 +376,12 @@ static int
 dtls1_process_record(SSL *s)
 {
        int i,al;
-       int clear=0;
        int enc_err;
        SSL_SESSION *sess;
        SSL3_RECORD *rr;
        unsigned int mac_size;
        unsigned char md[EVP_MAX_MD_SIZE];
 
-
        rr= &(s->s3->rrec);
        sess = s->session;
 
@@ -413,16 +410,18 @@ dtls1_process_record(SSL *s)
 
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;
+       rr->orig_len=rr->length;
 
        enc_err = s->method->ssl3_enc->enc(s,0);
-       if (enc_err <= 0)
+       /* enc_err is:
+        *    0: (in non-constant time) if the record is publically invalid.
+        *    1: if the padding is valid
+        *    -1: if the padding is invalid */
+       if (enc_err == 0)
                {
-               /* decryption failed, silently discard message */
-               if (enc_err < 0)
-                       {
-                       rr->length = 0;
-                       s->packet_length = 0;
-                       }
+               /* For DTLS we simply ignore bad packets. */
+               rr->length = 0;
+               s->packet_length = 0;
                goto err;
                }
 
@@ -433,46 +432,64 @@ printf("\n");
 #endif
 
        /* r->length is now the compressed data plus mac */
-       if (    (sess == NULL) ||
-               (s->enc_read_ctx == NULL) ||
-               (s->read_hash == NULL))
-               clear=1;
-
-       if (!clear)
+       if ((sess != NULL) &&
+           (s->enc_read_ctx != NULL) &&
+           (EVP_MD_CTX_md(s->read_hash) != NULL))
                {
-               /* !clear => s->read_hash != NULL => mac_size != -1 */
-               int t;
-               t=EVP_MD_CTX_size(s->read_hash);
-               OPENSSL_assert(t >= 0);
-               mac_size=t;
-
-               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
-                       {
-#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
-                       al=SSL_AD_RECORD_OVERFLOW;
-                       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
-                       goto f_err;
-#else
-                       goto err;
-#endif                 
-                       }
-               /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
-               if (rr->length < mac_size)
+               /* s->read_hash != NULL => mac_size != -1 */
+               unsigned char *mac = NULL;
+               unsigned char mac_tmp[EVP_MAX_MD_SIZE];
+               mac_size=EVP_MD_CTX_size(s->read_hash);
+               OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
+
+               /* orig_len is the length of the record before any padding was
+                * removed. This is public information, as is the MAC in use,
+                * therefore we can safely process the record in a different
+                * amount of time if it's too short to possibly contain a MAC.
+                */
+               if (rr->orig_len < mac_size ||
+                   /* CBC records must have a padding length byte too. */
+                   (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+                    rr->orig_len < mac_size+1))
                        {
-#if 0 /* OK only for stream ciphers */
                        al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
                        goto f_err;
-#else
-                       goto err;
-#endif
                        }
-               rr->length-=mac_size;
-               i=s->method->ssl3_enc->mac(s,md,0);
-               if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+
+               if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
+                       {
+                       /* We update the length so that the TLS header bytes
+                        * can be constructed correctly but we need to extract
+                        * the MAC in constant time from within the record,
+                        * without leaking the contents of the padding bytes.
+                        * */
+                       mac = mac_tmp;
+                       ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
+                       rr->length -= mac_size;
+                       }
+               else
                        {
-                       goto err;
+                       /* In this case there's no padding, so |rec->orig_len|
+                        * equals |rec->length| and we checked that there's
+                        * enough bytes for |mac_size| above. */
+                       rr->length -= mac_size;
+                       mac = &rr->data[rr->length];
                        }
+
+               i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
+               if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
+                       enc_err = -1;
+               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
+                       enc_err = -1;
+               }
+
+       if (enc_err < 0)
+               {
+               /* decryption failed, silently discard message */
+               rr->length = 0;
+               s->packet_length = 0;
+               goto err;
                }
 
        /* r->length is now just compressed */
@@ -570,6 +587,9 @@ again:
 
                p=s->packet;
 
+               if (s->msg_callback)
+                       s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
+
                /* Pull apart the header into the DTLS1_RECORD */
                rr->type= *(p++);
                ssl_major= *(p++);
@@ -695,7 +715,6 @@ again:
                goto again;   /* get another record */
                }
 
-       dtls1_clear_timeouts(s);  /* done waiting */
        return(1);
 
        }
@@ -829,6 +848,12 @@ start:
                        }
                }
 
+       if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
+               {
+               rr->length = 0;
+               goto start;
+               }
+
        /* we now have a packet which can be read and processed */
 
        if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -937,6 +962,19 @@ start:
                        dest = s->d1->alert_fragment;
                        dest_len = &s->d1->alert_fragment_len;
                        }
+#ifndef OPENSSL_NO_HEARTBEATS
+               else if (rr->type == TLS1_RT_HEARTBEAT)
+                       {
+                       dtls1_process_heartbeat(s);
+
+                       /* Exit and notify application to read again */
+                       rr->length = 0;
+                       s->rwstate=SSL_READING;
+                       BIO_clear_retry_flags(SSL_get_rbio(s));
+                       BIO_set_retry_read(SSL_get_rbio(s));
+                       return(-1);
+                       }
+#endif
                /* else it's a CCS message, or application data or wrong */
                else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
                        {
@@ -1020,6 +1058,7 @@ start:
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
                        !s->s3->renegotiate)
                        {
+                       s->d1->handshake_read_seq++;
                        s->new_session = 1;
                        ssl3_renegotiate(s);
                        if (ssl3_renegotiate_check(s))
@@ -1234,6 +1273,9 @@ start:
                 */
                if (msg_hdr.type == SSL3_MT_FINISHED)
                        {
+                       if (dtls1_check_timeout_num(s) < 0)
+                               return -1;
+
                        dtls1_retransmit_buffered_messages(s);
                        rr->length = 0;
                        goto start;
@@ -1431,10 +1473,10 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
        unsigned char *p,*pseq;
        int i,mac_size,clear=0;
        int prefix_len = 0;
+       int eivlen;
        SSL3_RECORD *wr;
        SSL3_BUFFER *wb;
        SSL_SESSION *sess;
-       int bs;
 
        /* first check if there is a SSL3_BUFFER still being written
         * out.  This will happen with non blocking IO */
@@ -1511,26 +1553,46 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
        *(p++)=type&0xff;
        wr->type=type;
-
-       *(p++)=(s->version>>8);
-       *(p++)=s->version&0xff;
+       /* Special case: for hello verify request, client version 1.0 and
+        * we haven't decided which version to use yet send back using 
+        * version 1.0 header: otherwise some clients will ignore it.
+        */
+       if (s->method->version == DTLS_ANY_VERSION)
+               {
+               *(p++)=DTLS1_VERSION>>8;
+               *(p++)=DTLS1_VERSION&0xff;
+               }
+       else
+               {
+               *(p++)=s->version>>8;
+               *(p++)=s->version&0xff;
+               }
 
        /* field where we are to write out packet epoch, seq num and len */
        pseq=p; 
        p+=10;
 
-       /* lets setup the record stuff. */
-
-       /* Make space for the explicit IV in case of CBC.
-        * (this is a bit of a boundary violation, but what the heck).
-        */
-       if ( s->enc_write_ctx && 
-               (EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE))
-               bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
-       else
-               bs = 0;
+       /* Explicit IV length, block ciphers appropriate version flag */
+       if (s->enc_write_ctx)
+               {
+               int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
+               if (mode == EVP_CIPH_CBC_MODE)
+                       {
+                       eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
+                       if (eivlen <= 1)
+                               eivlen = 0;
+                       }
+               /* Need explicit part of IV for GCM mode */
+               else if (mode == EVP_CIPH_GCM_MODE)
+                       eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
+               else
+                       eivlen = 0;
+               }
+       else 
+               eivlen = 0;
 
-       wr->data=p + bs;  /* make room for IV in case of CBC */
+       /* lets setup the record stuff. */
+       wr->data=p + eivlen;  /* make room for IV in case of CBC */
        wr->length=(int)len;
        wr->input=(unsigned char *)buf;
 
@@ -1558,7 +1620,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
        if (mac_size != 0)
                {
-               if(s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1) < 0)
+               if(s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
                        goto err;
                wr->length+=mac_size;
                }
@@ -1567,15 +1629,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
        wr->input=p;
        wr->data=p;
 
-
-       /* ssl3_enc can only have an error on read */
-       if (bs) /* bs != 0 in case of CBC */
-               {
-               RAND_pseudo_bytes(p,bs);
-               /* master IV and last CBC residue stand for
-                * the rest of randomness */
-               wr->length += bs;
-               }
+       if (eivlen)
+               wr->length += eivlen;
 
        s->method->ssl3_enc->enc(s,1);
 
@@ -1595,6 +1650,9 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
        pseq+=6;
        s2n(wr->length,pseq);
 
+       if (s->msg_callback)
+               s->msg_callback(1, 0, SSL3_RT_HEADER, pseq - DTLS1_RT_HEADER_LENGTH, DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
+
        /* we should now have
         * wr->data pointing to the encrypted data, which is
         * wr->length long */
@@ -1857,10 +1915,3 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
 
        memset(seq, 0x00, seq_bytes);
        }
-
-
-static void
-dtls1_clear_timeouts(SSL *s)
-       {
-       memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st));
-       }