X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Frecord%2Fssl3_record.c;h=36e8d86902eef93d88a010dcd1e35a37e437d35f;hp=4b36f49b6d5f34982abc4152b9efa5bc7fe876d3;hb=8f21260b09eca6226255763e1856c12fbc71985c;hpb=3c544acc385ac39b77873c9cfa77c4ae5df956b5 diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 4b36f49b6d..36e8d86902 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1,17 +1,18 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ -#include -#include "../ssl_locl.h" -#include "internal/constant_time_locl.h" +#include "../ssl_local.h" +#include "internal/constant_time.h" +#include #include -#include "record_locl.h" +#include "record_local.h" +#include "internal/cryptlib.h" static const unsigned char ssl3_pad_1[48] = { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, @@ -101,23 +102,37 @@ static int ssl3_record_app_data_waiting(SSL *s) return 1; } -int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) +int early_data_count_ok(SSL *s, size_t length, size_t overhead, int send) { - uint32_t max_early_data = s->max_early_data; + uint32_t max_early_data; + SSL_SESSION *sess = s->session; /* * If we are a client then we always use the max_early_data from the - * session. Otherwise we go with the lowest out of the max early data set in - * the session and the configured max_early_data. + * session/psksession. Otherwise we go with the lowest out of the max early + * data set in the session and the configured max_early_data. */ - if (!s->server || (s->hit - && s->session->ext.max_early_data < s->max_early_data)) - max_early_data = s->session->ext.max_early_data; + if (!s->server && sess->ext.max_early_data == 0) { + if (!ossl_assert(s->psksession != NULL + && s->psksession->ext.max_early_data > 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_EARLY_DATA_COUNT_OK, + ERR_R_INTERNAL_ERROR); + return 0; + } + sess = s->psksession; + } + + if (!s->server) + max_early_data = sess->ext.max_early_data; + else if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED) + max_early_data = s->recv_max_early_data; + else + max_early_data = s->recv_max_early_data < sess->ext.max_early_data + ? s->recv_max_early_data : sess->ext.max_early_data; if (max_early_data == 0) { - if (al != NULL) - *al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); + SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); return 0; } @@ -125,9 +140,8 @@ int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) max_early_data += overhead; if (s->early_data_count + length > max_early_data) { - if (al != NULL) - *al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); + SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); return 0; } s->early_data_count += length; @@ -159,8 +173,7 @@ int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) /* used only by ssl3_read_bytes */ int ssl3_get_record(SSL *s) { - int al; - int enc_err, rret, ret = -1; + int enc_err, rret; int i; size_t more, n; SSL3_RECORD *rr, *thisrr; @@ -174,9 +187,11 @@ int ssl3_get_record(SSL *s) size_t num_recs = 0, max_recs, j; PACKET pkt, sslv2pkt; size_t first_rec_len; + int is_ktls_left; rr = RECORD_LAYER_get_rrec(&s->rlayer); rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); + is_ktls_left = (rbuf->left > 0); max_recs = s->max_pipelines; if (max_recs == 0) max_recs = 1; @@ -195,23 +210,47 @@ int ssl3_get_record(SSL *s) rret = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, SSL3_BUFFER_get_len(rbuf), 0, num_recs == 0 ? 1 : 0, &n); - if (rret <= 0) - return rret; /* error or non-blocking */ + if (rret <= 0) { +#ifndef OPENSSL_NO_KTLS + if (!BIO_get_ktls_recv(s->rbio)) + return rret; /* error or non-blocking */ + switch (errno) { + case EBADMSG: + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, + SSL_F_SSL3_GET_RECORD, + SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + break; + case EMSGSIZE: + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, + SSL_F_SSL3_GET_RECORD, + SSL_R_PACKET_LENGTH_TOO_LONG); + break; + case EINVAL: + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + break; + default: + break; + } +#endif + return rret; + } RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY); p = RECORD_LAYER_get_packet(&s->rlayer); if (!PACKET_buf_init(&pkt, RECORD_LAYER_get_packet(&s->rlayer), RECORD_LAYER_get_packet_length(&s->rlayer))) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } sslv2pkt = pkt; if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len) || !PACKET_get_1(&sslv2pkt, &type)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } /* * The first record received by the server may be a V2ClientHello. @@ -235,15 +274,15 @@ int ssl3_get_record(SSL *s) if (thisrr->length > SSL3_BUFFER_get_len(rbuf) - SSL2_RT_HEADER_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_PACKET_LENGTH_TOO_LONG); + return -1; } if (thisrr->length < MIN_SSL2_RECORD_LEN) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } } else { /* SSLv3+ style record */ @@ -255,17 +294,23 @@ int ssl3_get_record(SSL *s) if (!PACKET_get_1(&pkt, &type) || !PACKET_get_net_2(&pkt, &version) || !PACKET_get_net_2_len(&pkt, &thisrr->length)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } thisrr->type = type; thisrr->rec_version = version; - /* Lets check version. In TLSv1.3 we ignore this field */ + /* + * Lets check version. In TLSv1.3 we only check this field + * when encryption is occurring (see later check). For the + * ServerHello after an HRR we haven't actually selected TLSv1.3 + * yet, but we still treat it as TLSv1.3, so we must check for + * that explicitly + */ if (!s->first_packet && !SSL_IS_TLS13(s) + && s->hello_retry_request != SSL_HRR_PENDING && version != (unsigned int)s->version) { - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER); if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) { if (thisrr->type == SSL3_RT_ALERT) { @@ -277,15 +322,18 @@ int ssl3_get_record(SSL *s) * shouldn't send a fatal alert back. We'll just * end. */ - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } /* * Send back error using their minor version number :-) */ s->version = (unsigned short)version; } - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } if ((version >> 8) != SSL3_VERSION_MAJOR) { @@ -297,38 +345,50 @@ int ssl3_get_record(SSL *s) strncmp((char *)p, "POST ", 5) == 0 || strncmp((char *)p, "HEAD ", 5) == 0 || strncmp((char *)p, "PUT ", 4) == 0) { - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_HTTP_REQUEST); + return -1; } else if (strncmp((char *)p, "CONNE", 5) == 0) { - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_HTTPS_PROXY_REQUEST); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_HTTPS_PROXY_REQUEST); + return -1; } /* Doesn't look like TLS - don't send an alert */ - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_WRONG_VERSION_NUMBER); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } else { - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_WRONG_VERSION_NUMBER); - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } } - if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL - && thisrr->type != SSL3_RT_APPLICATION_DATA) { - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); - al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; + if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { + if (thisrr->type != SSL3_RT_APPLICATION_DATA + && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC + || !SSL_IS_FIRST_HANDSHAKE(s)) + && (thisrr->type != SSL3_RT_ALERT + || s->statem.enc_read_state + != ENC_READ_STATE_ALLOW_PLAIN_ALERTS)) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); + return -1; + } + if (thisrr->rec_version != TLS1_2_VERSION) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; + } } if (thisrr->length > SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_PACKET_LENGTH_TOO_LONG); + return -1; } } @@ -337,9 +397,9 @@ int ssl3_get_record(SSL *s) if (SSL_IS_TLS13(s)) { if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; } } else { size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH; @@ -353,10 +413,10 @@ int ssl3_get_record(SSL *s) len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif - if (thisrr->length > len) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; + if (thisrr->length > len && !BIO_get_ktls_recv(s->rbio)) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; } } @@ -371,6 +431,7 @@ int ssl3_get_record(SSL *s) } else { more = thisrr->length; } + if (more > 0) { /* now s->packet_length == SSL3_RT_HEADER_LENGTH */ @@ -428,6 +489,43 @@ int ssl3_get_record(SSL *s) & EVP_CIPH_FLAG_PIPELINE) && ssl3_record_app_data_waiting(s)); + if (num_recs == 1 + && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC + && (SSL_IS_TLS13(s) || s->hello_retry_request != SSL_HRR_NONE) + && SSL_IS_FIRST_HANDSHAKE(s)) { + /* + * CCS messages must be exactly 1 byte long, containing the value 0x01 + */ + if (thisrr->length != 1 || thisrr->data[0] != 0x01) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_GET_RECORD, + SSL_R_INVALID_CCS_MESSAGE); + return -1; + } + /* + * CCS messages are ignored in TLSv1.3. We treat it like an empty + * handshake record + */ + thisrr->type = SSL3_RT_HANDSHAKE; + RECORD_LAYER_inc_empty_record_count(&s->rlayer); + if (RECORD_LAYER_get_empty_record_count(&s->rlayer) + > MAX_EMPTY_RECORDS) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_UNEXPECTED_CCS_MESSAGE); + return -1; + } + thisrr->read = 1; + RECORD_LAYER_set_numrpipes(&s->rlayer, 1); + + return 1; + } + + /* + * KTLS reads full records. If there is any data left, + * then it is from before enabling ktls + */ + if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) + goto skip_decryption; + /* * If in encrypt-then-mac mode calculate mac from encrypted record. All * the details below are public so no timing details can leak. @@ -436,29 +534,27 @@ int ssl3_get_record(SSL *s) unsigned char *mac; /* TODO(size_t): convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); - assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE); - if (imac_size < 0 || imac_size > EVP_MAX_MD_SIZE) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP); - goto f_err; + if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_LIB_EVP); + return -1; } mac_size = (size_t)imac_size; for (j = 0; j < num_recs; j++) { thisrr = &rr[j]; if (thisrr->length < mac_size) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } thisrr->length -= mac_size; mac = thisrr->data + thisrr->length; i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ ); if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) { - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD, + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; + return -1; } } } @@ -474,6 +570,10 @@ int ssl3_get_record(SSL *s) * -1: if the padding is invalid */ if (enc_err == 0) { + if (ossl_statem_in_error(s)) { + /* SSLfatal() already got called */ + return -1; + } if (num_recs == 1 && ossl_statem_skip_early_data(s)) { /* * Valid early_data that we cannot decrypt might fail here as @@ -483,8 +583,10 @@ int ssl3_get_record(SSL *s) thisrr = &rr[0]; if (!early_data_count_ok(s, thisrr->length, - EARLY_DATA_CIPHERTEXT_OVERHEAD, &al)) - goto f_err; + EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { + /* SSLfatal() already called */ + return -1; + } thisrr->length = 0; thisrr->read = 1; @@ -492,19 +594,14 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_reset_read_sequence(&s->rlayer); return 1; } - al = SSL_AD_DECRYPTION_FAILED; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - goto f_err; - } -#ifdef SSL_DEBUG - printf("dec %"OSSLzu"\n", rr[0].length); - { - size_t z; - for (z = 0; z < rr[0].length; z++) - printf("%02X%c", rr[0].data[z], ((z + 1) % 16) ? ' ' : '\n'); + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, + SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); + return -1; } - printf("\n"); -#endif + OSSL_TRACE_BEGIN(TLS) { + BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length); + BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4); + } OSSL_TRACE_END(TLS); /* r->length is now the compressed data plus mac */ if ((sess != NULL) && @@ -515,7 +612,11 @@ int ssl3_get_record(SSL *s) unsigned char mac_tmp[EVP_MAX_MD_SIZE]; mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; + } for (j = 0; j < num_recs; j++) { thisrr = &rr[j]; @@ -529,9 +630,9 @@ int ssl3_get_record(SSL *s) /* CBC records must have a padding length byte too. */ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && thisrr->orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { @@ -542,7 +643,11 @@ int ssl3_get_record(SSL *s) * contents of the padding bytes. */ mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size); + if (!ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; + } thisrr->length -= mac_size; } else { /* @@ -564,6 +669,10 @@ int ssl3_get_record(SSL *s) } if (enc_err < 0) { + if (ossl_statem_in_error(s)) { + /* We already called SSLfatal() */ + return -1; + } if (num_recs == 1 && ossl_statem_skip_early_data(s)) { /* * We assume this is unreadable early_data - we treat it like an @@ -575,8 +684,10 @@ int ssl3_get_record(SSL *s) * so we use the previously saved value */ if (!early_data_count_ok(s, first_rec_len, - EARLY_DATA_CIPHERTEXT_OVERHEAD, &al)) - goto f_err; + EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { + /* SSLfatal() already called */ + return -1; + } thisrr = &rr[0]; thisrr->length = 0; @@ -592,37 +703,40 @@ int ssl3_get_record(SSL *s) * not reveal which kind of error occurred -- this might become * visible to an attacker (e.g. via a logfile) */ - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, + SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + return -1; } + skip_decryption: + for (j = 0; j < num_recs; j++) { thisrr = &rr[j]; /* thisrr->length is now just compressed */ if (s->expand != NULL) { if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_COMPRESSED_LENGTH_TOO_LONG); + return -1; } if (!ssl3_do_uncompress(s, thisrr)) { - al = SSL_AD_DECOMPRESSION_FAILURE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION); - goto f_err; + SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_DECOMPRESSION); + return -1; } } - if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { + if (SSL_IS_TLS13(s) + && s->enc_read_ctx != NULL + && thisrr->type != SSL3_RT_ALERT) { size_t end; if (thisrr->length == 0 || thisrr->type != SSL3_RT_APPLICATION_DATA) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_RECORD_TYPE); + return -1; } /* Strip trailing padding */ @@ -635,19 +749,41 @@ int ssl3_get_record(SSL *s) if (thisrr->type != SSL3_RT_APPLICATION_DATA && thisrr->type != SSL3_RT_ALERT && thisrr->type != SSL3_RT_HANDSHAKE) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_RECORD_TYPE); + return -1; } if (s->msg_callback) s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE, &thisrr->data[end], 1, s, s->msg_callback_arg); } - if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + /* + * TLSv1.3 alert and handshake records are required to be non-zero in + * length. + */ + if (SSL_IS_TLS13(s) + && (thisrr->type == SSL3_RT_HANDSHAKE + || thisrr->type == SSL3_RT_ALERT) + && thisrr->length == 0) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_LENGTH); + return -1; + } + + if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !BIO_get_ktls_recv(s->rbio)) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return -1; + } + + /* If received packet overflows current Max Fragment Length setting */ + if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) + && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session) + && !BIO_get_ktls_recv(s->rbio)) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return -1; } thisrr->off = 0; @@ -664,9 +800,9 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_inc_empty_record_count(&s->rlayer); if (RECORD_LAYER_get_empty_record_count(&s->rlayer) > MAX_EMPTY_RECORDS) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_RECORD_TOO_SMALL); + return -1; } } else { RECORD_LAYER_reset_empty_record_count(&s->rlayer); @@ -676,17 +812,14 @@ int ssl3_get_record(SSL *s) if (s->early_data_state == SSL_EARLY_DATA_READING) { thisrr = &rr[0]; if (thisrr->type == SSL3_RT_APPLICATION_DATA - && !early_data_count_ok(s, thisrr->length, 0, &al)) - goto f_err; + && !early_data_count_ok(s, thisrr->length, 0, 0)) { + /* SSLfatal already called */ + return -1; + } } RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs); return 1; - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: - return ret; } int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr) @@ -723,20 +856,21 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr) (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD), wr->input, (int)wr->length); if (i < 0) - return (0); + return 0; else wr->length = i; wr->input = wr->data; #endif - return (1); + return 1; } /*- - * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs| + * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Will call + * SSLfatal() for internal errors, but not otherwise. * * Returns: - * 0: (in non-constant time) if the record is publically invalid (i.e. too + * 0: (in non-constant time) if the record is publicly invalid (i.e. too * short etc). * 1: if the record's padding is valid / the encryption was successful. * -1: if the record's padding is invalid or, if sending, an internal error @@ -808,22 +942,26 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending) if (EVP_MD_CTX_md(s->read_hash) != NULL) { /* TODO(size_t): convert me */ imac_size = EVP_MD_CTX_size(s->read_hash); - if (imac_size < 0) + if (imac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } mac_size = (size_t)imac_size; } if ((bs != 1) && !sending) return ssl3_cbc_remove_padding(rec, bs, mac_size); } - return (1); + return 1; } #define MAX_PADDING 256 /*- - * tls1_enc encrypts/decrypts |n_recs| in |recs|. + * tls1_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for + * internal errors, but not otherwise. * * Returns: - * 0: (in non-constant time) if the record is publically invalid (i.e. too + * 0: (in non-constant time) if the record is publicly invalid (i.e. too * short etc). * 1: if the record's padding is valid / the encryption was successful. * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, @@ -840,13 +978,20 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) int imac_size; const EVP_CIPHER *enc; - if (n_recs == 0) + if (n_recs == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return 0; + } if (sending) { if (EVP_MD_CTX_md(s->write_hash)) { int n = EVP_MD_CTX_size(s->write_hash); - OPENSSL_assert(n >= 0); + if (!ossl_assert(n >= 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } } ds = s->enc_write_ctx; if (s->enc_write_ctx == NULL) @@ -867,10 +1012,13 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) * we can't write into the input stream: Can this ever * happen?? (steve) */ - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; - } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) { - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + } else if (RAND_bytes_ex(s->ctx->libctx, recs[ctr].input, + ivlen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; } } @@ -879,7 +1027,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) } else { if (EVP_MD_CTX_md(s->read_hash)) { int n = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(n >= 0); + if (!ossl_assert(n >= 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } } ds = s->enc_read_ctx; if (s->enc_read_ctx == NULL) @@ -904,7 +1056,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) * We shouldn't have been called with pipeline data if the * cipher doesn't support pipelining */ - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); return -1; } } @@ -942,8 +1095,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff); pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, EVP_AEAD_TLS1_AAD_LEN, buf[ctr]); - if (pad <= 0) + if (pad <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } if (sending) { reclen[ctr] += pad; @@ -953,10 +1109,13 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) } else if ((bs != 1) && sending) { padnum = bs - (reclen[ctr] % bs); - /* Add weird padding of upto 256 bytes */ + /* Add weird padding of up to 256 bytes */ - if (padnum > MAX_PADDING) + if (padnum > MAX_PADDING) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } /* we need to add 'padnum' padding bytes of value padval */ padval = (unsigned char)(padnum - 1); for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++) @@ -979,7 +1138,9 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) } if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS, (int)n_recs, data) <= 0) { - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); + return -1; } /* Set the input buffers */ for (ctr = 0; ctr < n_recs; ctr++) { @@ -989,7 +1150,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) (int)n_recs, data) <= 0 || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS, (int)n_recs, reclen) <= 0) { - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); return -1; } } @@ -1002,6 +1164,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) ? (tmpr < 0) : (tmpr == 0)) return -1; /* AEAD can fail to verify MAC */ + if (sending == 0) { if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) { for (ctr = 0; ctr < n_recs; ctr++) { @@ -1021,8 +1184,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) ret = 1; if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) { imac_size = EVP_MD_CTX_size(s->read_hash); - if (imac_size < 0) + if (imac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } mac_size = (size_t)imac_size; } if ((bs != 1) && !sending) { @@ -1059,11 +1225,11 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) int t; if (sending) { - mac_sec = &(ssl->s3->write_mac_secret[0]); + mac_sec = &(ssl->s3.write_mac_secret[0]); seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer); hash = ssl->write_hash; } else { - mac_sec = &(ssl->s3->read_mac_secret[0]); + mac_sec = &(ssl->s3.read_mac_secret[0]); seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer); hash = ssl->read_hash; } @@ -1134,7 +1300,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0 || EVP_DigestUpdate(md_ctx, md, md_size) <= 0 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) { - EVP_MD_CTX_reset(md_ctx); + EVP_MD_CTX_free(md_ctx); return 0; } @@ -1166,7 +1332,8 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) } t = EVP_MD_CTX_size(hash); - OPENSSL_assert(t >= 0); + if (!ossl_assert(t >= 0)) + return 0; md_size = t; /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ @@ -1174,8 +1341,10 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) mac_ctx = hash; } else { hmac = EVP_MD_CTX_new(); - if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) + if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) { + EVP_MD_CTX_free(hmac); return 0; + } mac_ctx = hmac; } @@ -1209,10 +1378,10 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) md, &md_size, header, rec->input, rec->length + md_size, rec->orig_len, - ssl->s3->read_mac_secret, - ssl->s3->read_mac_secret_size, 0) <= 0) { + ssl->s3.read_mac_secret, + ssl->s3.read_mac_secret_size, 0) <= 0) { EVP_MD_CTX_free(hmac); - return -1; + return 0; } } else { /* TODO(size_t): Convert these calls */ @@ -1226,22 +1395,12 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) EVP_MD_CTX_free(hmac); -#ifdef SSL_DEBUG - fprintf(stderr, "seq="); - { - int z; - for (z = 0; z < 8; z++) - fprintf(stderr, "%02X ", seq[z]); - fprintf(stderr, "\n"); - } - fprintf(stderr, "rec="); - { - size_t z; - for (z = 0; z < rec->length; z++) - fprintf(stderr, "%02X ", rec->data[z]); - fprintf(stderr, "\n"); - } -#endif + OSSL_TRACE_BEGIN(TLS) { + BIO_printf(trc_out, "seq:\n"); + BIO_dump_indent(trc_out, seq, 8, 4); + BIO_printf(trc_out, "rec:\n"); + BIO_dump_indent(trc_out, rec->data, rec->length, 4); + } OSSL_TRACE_END(TLS); if (!SSL_IS_DTLS(ssl)) { for (i = 7; i >= 0; i--) { @@ -1250,14 +1409,10 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) break; } } -#ifdef SSL_DEBUG - { - unsigned int z; - for (z = 0; z < md_size; z++) - fprintf(stderr, "%02X ", md[z]); - fprintf(stderr, "\n"); - } -#endif + OSSL_TRACE_BEGIN(TLS) { + BIO_printf(trc_out, "md:\n"); + BIO_dump_indent(trc_out, md, md_size, 4); + } OSSL_TRACE_END(TLS); return 1; } @@ -1391,7 +1546,7 @@ int tls1_cbc_remove_padding(const SSL *s, */ #define CBC_MAC_ROTATE_IN_PLACE -void ssl3_cbc_copy_mac(unsigned char *out, +int ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD *rec, size_t md_size) { #if defined(CBC_MAC_ROTATE_IN_PLACE) @@ -1415,8 +1570,9 @@ void ssl3_cbc_copy_mac(unsigned char *out, size_t i, j; size_t rotate_offset; - OPENSSL_assert(rec->orig_len >= md_size); - OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(rec->orig_len >= md_size + && md_size <= EVP_MAX_MD_SIZE)) + return 0; #if defined(CBC_MAC_ROTATE_IN_PLACE) rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63); @@ -1461,11 +1617,13 @@ void ssl3_cbc_copy_mac(unsigned char *out, rotate_offset &= constant_time_lt_s(rotate_offset, md_size); } #endif + + return 1; } int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) { - int i, al; + int i; int enc_err; SSL_SESSION *sess; SSL3_RECORD *rr; @@ -1496,9 +1654,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* check is not needed I believe */ if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return 0; } /* decrypt in place in 'rr->input' */ @@ -1508,45 +1666,47 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) if (SSL_READ_ETM(s) && s->read_hash) { unsigned char *mac; mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; + } if (rr->orig_len < mac_size) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return 0; } rr->length -= mac_size; mac = rr->data + rr->length; i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; + return 0; } } enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0); /*- * enc_err is: - * 0: (in non-constant time) if the record is publically invalid. + * 0: (in non-constant time) if the record is publicly invalid. * 1: if the padding is valid * -1: if the padding is invalid */ if (enc_err == 0) { + if (ossl_statem_in_error(s)) { + /* SSLfatal() got called */ + return 0; + } /* For DTLS we simply ignore bad packets. */ rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); - goto err; - } -#ifdef SSL_DEBUG - printf("dec %ld\n", rr->length); - { - size_t z; - for (z = 0; z < rr->length; z++) - printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n'); + return 0; } - printf("\n"); -#endif + OSSL_TRACE_BEGIN(TLS) { + BIO_printf(trc_out, "dec %zd\n", rr->length); + BIO_dump_indent(trc_out, rr->data, rr->length, 4); + } OSSL_TRACE_END(TLS); /* r->length is now the compressed data plus mac */ if ((sess != NULL) && !SSL_READ_ETM(s) && @@ -1558,12 +1718,16 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* TODO(size_t): Convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); if (imac_size < 0) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_LIB_EVP); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_LIB_EVP); + return 0; } mac_size = (size_t)imac_size; - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; + } /* * orig_len is the length of the record before any padding was @@ -1575,9 +1739,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* CBC records must have a padding length byte too. */ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && rr->orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return 0; } if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { @@ -1588,7 +1752,11 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) * contents of the padding bytes. */ mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, rr, mac_size); + if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; + } rr->length -= mac_size; } else { /* @@ -1612,38 +1780,37 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* decryption failed, silently discard message */ rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); - goto err; + return 0; } /* r->length is now just compressed */ if (s->expand != NULL) { if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, - SSL_R_COMPRESSED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_COMPRESSED_LENGTH_TOO_LONG); + return 0; } if (!ssl3_do_uncompress(s, rr)) { - al = SSL_AD_DECOMPRESSION_FAILURE; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); - goto f_err; + SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, + SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); + return 0; } } if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return 0; } rr->off = 0; /*- * So at this point the following is true - * ssl->s3->rrec.type is the type of record - * ssl->s3->rrec.length == number of bytes in record - * ssl->s3->rrec.off == offset to first valid byte - * ssl->s3->rrec.data == where to take bytes from, increment - * after use :-). + * ssl->s3.rrec.type is the type of record + * ssl->s3.rrec.length == number of bytes in record + * ssl->s3.rrec.off == offset to first valid byte + * ssl->s3.rrec.data == where to take bytes from, increment + * after use :-). */ /* we have pulled in a full packet so zero things */ @@ -1652,12 +1819,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* Mark receipt of record. */ dtls1_record_bitmap_update(s, bitmap); - return (1); - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: - return (0); + return 1; } /* @@ -1672,9 +1834,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) * It will return <= 0 if more data is needed, normally due to an error * or non-blocking IO. * When it finishes, one packet has been decoded and can be found in - * ssl->s3->rrec.type - is the type of record - * ssl->s3->rrec.data, - data - * ssl->s3->rrec.length, - number of bytes + * ssl->s3.rrec.type - is the type of record + * ssl->s3.rrec.data - data + * ssl->s3.rrec.length - number of bytes */ /* used only by dtls1_read_bytes */ int dtls1_get_record(SSL *s) @@ -1695,8 +1857,10 @@ int dtls1_get_record(SSL *s) * The epoch may have changed. If so, process all the pending records. * This is a non-blocking operation. */ - if (!dtls1_process_buffered_records(s)) + if (!dtls1_process_buffered_records(s)) { + /* SSLfatal() already called */ return -1; + } /* if we're renegotiating, then there may be buffered records */ if (dtls1_get_processed_record(s)) @@ -1710,8 +1874,10 @@ int dtls1_get_record(SSL *s) rret = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1, &n); /* read timeout is handled by dtls1_read_bytes */ - if (rret <= 0) + if (rret <= 0) { + /* SSLfatal() already called if appropriate */ return rret; /* error or non-blocking */ + } /* this packet contained a partial record, dump it */ if (RECORD_LAYER_get_packet_length(&s->rlayer) != @@ -1741,12 +1907,17 @@ int dtls1_get_record(SSL *s) p += 6; n2s(p, rr->length); + rr->read = 0; - /* Lets check version */ - if (!s->first_packet) { + /* + * Lets check the version. We tolerate alerts that don't have the exact + * version number (e.g. because of protocol version errors) + */ + if (!s->first_packet && rr->type != SSL3_RT_ALERT) { if (version != s->version) { /* unexpected version, silently discard */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1755,6 +1926,7 @@ int dtls1_get_record(SSL *s) if ((version & 0xff00) != (s->version & 0xff00)) { /* wrong version, silently discard record */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1762,6 +1934,17 @@ int dtls1_get_record(SSL *s) if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { /* record too long, silently discard it */ rr->length = 0; + rr->read = 1; + RECORD_LAYER_reset_packet_length(&s->rlayer); + goto again; + } + + /* If received packet overflows own-client Max Fragment Length setting */ + if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) + && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { + /* record too long, silently discard it */ + rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1778,7 +1961,12 @@ int dtls1_get_record(SSL *s) rret = ssl3_read_n(s, more, more, 1, 1, &n); /* this packet contained a partial record, dump it */ if (rret <= 0 || n != more) { + if (ossl_statem_in_error(s)) { + /* ssl3_read_n() called SSLfatal() */ + return -1; + } rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1809,6 +1997,7 @@ int dtls1_get_record(SSL *s) */ if (!dtls1_record_replay_check(s, bitmap)) { rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } @@ -1817,8 +2006,10 @@ int dtls1_get_record(SSL *s) #endif /* just read a 0 length packet */ - if (rr->length == 0) + if (rr->length == 0) { + rr->read = 1; goto again; + } /* * If this record is from the next epoch (either HM or ALERT), and a @@ -1827,22 +2018,55 @@ int dtls1_get_record(SSL *s) */ if (is_next_epoch) { if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) { - if (dtls1_buffer_record - (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)), - rr->seq_num) < 0) + if (dtls1_buffer_record (s, + &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)), + rr->seq_num) < 0) { + /* SSLfatal() already called */ return -1; + } } rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } if (!dtls1_process_record(s, bitmap)) { + if (ossl_statem_in_error(s)) { + /* dtls1_process_record() called SSLfatal */ + return -1; + } rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } - return (1); + return 1; + +} + +int dtls_buffer_listen_record(SSL *s, size_t len, unsigned char *seq, size_t off) +{ + SSL3_RECORD *rr; + + rr = RECORD_LAYER_get_rrec(&s->rlayer); + memset(rr, 0, sizeof(SSL3_RECORD)); + + rr->length = len; + rr->type = SSL3_RT_HANDSHAKE; + memcpy(rr->seq_num, seq, sizeof(rr->seq_num)); + rr->off = off; + s->rlayer.packet = RECORD_LAYER_get_rbuf(&s->rlayer)->buf; + s->rlayer.packet_length = DTLS1_RT_HEADER_LENGTH + len; + rr->data = s->rlayer.packet + DTLS1_RT_HEADER_LENGTH; + + if (dtls1_buffer_record(s, &(s->rlayer.d->processed_rcds), + SSL3_RECORD_get_seq_num(s->rlayer.rrec)) <= 0) { + /* SSLfatal() already called */ + return 0; + } + + return 1; }