]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/record/ssl3_record.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Convert the remaining functions in the record layer to use SSLfatal()
[thirdparty/openssl.git] / ssl / record / ssl3_record.c
CommitLineData
846e33c7 1/*
cf72c757 2 * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
258f8721 3 *
846e33c7
RS		 4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
258f8721
MC		 8 */
9
10#include "../ssl_locl.h"
68570797 11#include "internal/constant_time_locl.h"
02a36fda 12#include <openssl/rand.h>
c99c4c11 13#include "record_locl.h"
67dc995e 14#include "internal/cryptlib.h"
02a36fda
MC		 15
16static const unsigned char ssl3_pad_1[48] = {
17 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
18 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
19 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
20 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
21 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
22 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
23};
24
25static const unsigned char ssl3_pad_2[48] = {
26 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
27 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
28 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
29 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
30 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
31 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
32};
258f8721 33
6b41b3f5
MC		 34/*
35 * Clear the contents of an SSL3_RECORD but retain any memory allocated
36 */
5607b275 37void SSL3_RECORD_clear(SSL3_RECORD *r, size_t num_recs)
258f8721 38{
94777c9c 39 unsigned char *comp;
5607b275 40 size_t i;
6b41b3f5 41
94777c9c
MC		 42 for (i = 0; i < num_recs; i++) {
43 comp = r[i].comp;
44
45 memset(&r[i], 0, sizeof(*r));
46 r[i].comp = comp;
47 }
258f8721
MC		 48}
49
5607b275 50void SSL3_RECORD_release(SSL3_RECORD *r, size_t num_recs)
258f8721 51{
5607b275 52 size_t i;
94777c9c
MC		 53
54 for (i = 0; i < num_recs; i++) {
55 OPENSSL_free(r[i].comp);
56 r[i].comp = NULL;
57 }
258f8721
MC		 58}
59
258f8721
MC		 60void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
61{
e5bf62f7 62 memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
258f8721 63}
fe589e61 64
94777c9c
MC		 65/*
66 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
67 * for us in the buffer.
68 */
ea71906e 69static int ssl3_record_app_data_waiting(SSL *s)
94777c9c
MC		 70{
71 SSL3_BUFFER *rbuf;
8e6d03ca 72 size_t left, len;
94777c9c
MC		 73 unsigned char *p;
74
75 rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
76
77 p = SSL3_BUFFER_get_buf(rbuf);
78 if (p == NULL)
79 return 0;
80
81 left = SSL3_BUFFER_get_left(rbuf);
82
83 if (left < SSL3_RT_HEADER_LENGTH)
84 return 0;
85
86 p += SSL3_BUFFER_get_offset(rbuf);
87
88 /*
89 * We only check the type and record length, we will sanity check version
90 * etc later
91 */
92 if (*p != SSL3_RT_APPLICATION_DATA)
93 return 0;
94
95 p += 3;
96 n2s(p, len);
97
98 if (left < SSL3_RT_HEADER_LENGTH + len)
99 return 0;
100
101 return 1;
102}
103
196f2cbb 104int early_data_count_ok(SSL *s, size_t length, size_t overhead, int send)
70ef40a0
MC		 105{
106 uint32_t max_early_data = s->max_early_data;
add8d0e9 107 SSL_SESSION *sess = s->session;
70ef40a0
MC		 108
109 /*
7daf7156 110 * If we are a client then we always use the max_early_data from the
add8d0e9
MC		 111 * session/psksession. Otherwise we go with the lowest out of the max early
112 * data set in the session and the configured max_early_data.
70ef40a0 113 */
add8d0e9
MC		 114 if (!s->server && sess->ext.max_early_data == 0) {
115 if (!ossl_assert(s->psksession != NULL
116 && s->psksession->ext.max_early_data > 0)) {
196f2cbb
MC		 117 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_EARLY_DATA_COUNT_OK,
118 ERR_R_INTERNAL_ERROR);
add8d0e9
MC		 119 return 0;
120 }
121 sess = s->psksession;
122 }
123 if (!s->server
124 || (s->hit && sess->ext.max_early_data < s->max_early_data))
125 max_early_data = sess->ext.max_early_data;
70ef40a0
MC		 126
127 if (max_early_data == 0) {
196f2cbb
MC		 128 SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
129 SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA);
70ef40a0
MC		 130 return 0;
131 }
132
133 /* If we are dealing with ciphertext we need to allow for the overhead */
134 max_early_data += overhead;
135
7daf7156 136 if (s->early_data_count + length > max_early_data) {
196f2cbb
MC		 137 SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE,
138 SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA);
70ef40a0
MC		 139 return 0;
140 }
7daf7156 141 s->early_data_count += length;
70ef40a0
MC		 142
143 return 1;
144}
145
fe589e61
MC		 146/*
147 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
148 * will be processed per call to ssl3_get_record. Without this limit an
149 * attacker could send empty records at a faster rate than we can process and
150 * cause ssl3_get_record to loop forever.
151 */
152#define MAX_EMPTY_RECORDS 32
153
32ec4153 154#define SSL2_RT_HEADER_LENGTH 2
fe589e61 155/*-
94777c9c 156 * Call this to get new input records.
fe589e61
MC		 157 * It will return <= 0 if more data is needed, normally due to an error
158 * or non-blocking IO.
94777c9c
MC		 159 * When it finishes, |numrpipes| records have been decoded. For each record 'i':
160 * rr[i].type - is the type of record
161 * rr[i].data, - data
162 * rr[i].length, - number of bytes
163 * Multiple records will only be returned if the record types are all
164 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
165 * |max_pipelines|
fe589e61
MC		 166 */
167/* used only by ssl3_read_bytes */
168int ssl3_get_record(SSL *s)
169{
196f2cbb 170 int enc_err, rret;
8e6d03ca
MC		 171 int i;
172 size_t more, n;
88858868 173 SSL3_RECORD *rr, *thisrr;
94777c9c 174 SSL3_BUFFER *rbuf;
fe589e61
MC		 175 SSL_SESSION *sess;
176 unsigned char *p;
177 unsigned char md[EVP_MAX_MD_SIZE];
6a149cee 178 unsigned int version;
72716e79
MC		 179 size_t mac_size;
180 int imac_size;
181 size_t num_recs = 0, max_recs, j;
6a149cee 182 PACKET pkt, sslv2pkt;
70ef40a0 183 size_t first_rec_len;
fe589e61
MC		 184
185 rr = RECORD_LAYER_get_rrec(&s->rlayer);
94777c9c
MC		 186 rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
187 max_recs = s->max_pipelines;
188 if (max_recs == 0)
189 max_recs = 1;
fe589e61
MC		 190 sess = s->session;
191
94777c9c 192 do {
88858868
MC		 193 thisrr = &rr[num_recs];
194
94777c9c
MC		 195 /* check if we have the header */
196 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
197 (RECORD_LAYER_get_packet_length(&s->rlayer)
198 < SSL3_RT_HEADER_LENGTH)) {
6a149cee
MC		 199 size_t sslv2len;
200 unsigned int type;
201
8e6d03ca
MC		 202 rret = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
203 SSL3_BUFFER_get_len(rbuf), 0,
204 num_recs == 0 ? 1 : 0, &n);
205 if (rret <= 0)
206 return rret; /* error or non-blocking */
94777c9c
MC		 207 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
208
209 p = RECORD_LAYER_get_packet(&s->rlayer);
6a149cee
MC		 210 if (!PACKET_buf_init(&pkt, RECORD_LAYER_get_packet(&s->rlayer),
211 RECORD_LAYER_get_packet_length(&s->rlayer))) {
196f2cbb
MC		 212 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
213 ERR_R_INTERNAL_ERROR);
214 return -1;
6a149cee
MC		 215 }
216 sslv2pkt = pkt;
217 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len)
218 || !PACKET_get_1(&sslv2pkt, &type)) {
196f2cbb
MC		 219 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
220 ERR_R_INTERNAL_ERROR);
221 return -1;
6a149cee 222 }
94777c9c 223 /*
78fcddbb 224 * The first record received by the server may be a V2ClientHello.
94777c9c 225 */
78fcddbb 226 if (s->server && RECORD_LAYER_is_first_record(&s->rlayer)
6a149cee
MC		 227 && (sslv2len & 0x8000) != 0
228 && (type == SSL2_MT_CLIENT_HELLO)) {
be9c8deb
MC		 229 /*
230 * SSLv2 style record
231 *
232 * |num_recs| here will actually always be 0 because
233 * |num_recs > 0| only ever occurs when we are processing
234 * multiple app data records - which we know isn't the case here
235 * because it is an SSLv2ClientHello. We keep it using
236 * |num_recs| for the sake of consistency
237 */
88858868
MC		 238 thisrr->type = SSL3_RT_HANDSHAKE;
239 thisrr->rec_version = SSL2_VERSION;
94777c9c 240
88858868 241 thisrr->length = sslv2len & 0x7fff;
94777c9c 242
88858868 243 if (thisrr->length > SSL3_BUFFER_get_len(rbuf)
a230b26e 244 - SSL2_RT_HEADER_LENGTH) {
196f2cbb
MC		 245 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
246 SSL_R_PACKET_LENGTH_TOO_LONG);
247 return -1;
94777c9c 248 }
fe589e61 249
88858868 250 if (thisrr->length < MIN_SSL2_RECORD_LEN) {
196f2cbb
MC		 251 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
252 SSL_R_LENGTH_TOO_SHORT);
253 return -1;
94777c9c
MC		 254 }
255 } else {
256 /* SSLv3+ style record */
257 if (s->msg_callback)
258 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
259 s->msg_callback_arg);
260
261 /* Pull apart the header into the SSL3_RECORD */
6a149cee
MC		 262 if (!PACKET_get_1(&pkt, &type)
263 || !PACKET_get_net_2(&pkt, &version)
88858868 264 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) {
196f2cbb
MC		 265 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
266 ERR_R_INTERNAL_ERROR);
267 return -1;
6a149cee 268 }
88858868
MC		 269 thisrr->type = type;
270 thisrr->rec_version = version;
94777c9c 271
a2b97bdf 272 /*
beb30941
MC		 273 * Lets check version. In TLSv1.3 we ignore this field. For the
274 * ServerHello after an HRR we haven't actually selected TLSv1.3
275 * yet, but we still treat it as TLSv1.3, so we must check for
276 * that explicitly
a2b97bdf 277 */
657a43f6 278 if (!s->first_packet && !SSL_IS_TLS13(s)
a2b97bdf 279 && !s->hello_retry_request
6a149cee 280 && version != (unsigned int)s->version) {
94777c9c
MC		 281 if ((s->version & 0xFF00) == (version & 0xFF00)
282 && !s->enc_write_ctx && !s->write_hash) {
88858868 283 if (thisrr->type == SSL3_RT_ALERT) {
94777c9c
MC		 284 /*
285 * The record is using an incorrect version number,
286 * but what we've got appears to be an alert. We
287 * haven't read the body yet to check whether its a
288 * fatal or not - but chances are it is. We probably
289 * shouldn't send a fatal alert back. We'll just
290 * end.
291 */
196f2cbb
MC		 292 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
293 SSL_R_WRONG_VERSION_NUMBER);
294 return -1;
94777c9c 295 }
02db21df 296 /*
94777c9c 297 * Send back error using their minor version number :-)
02db21df 298 */
94777c9c 299 s->version = (unsigned short)version;
02db21df 300 }
196f2cbb
MC		 301 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL3_GET_RECORD,
302 SSL_R_WRONG_VERSION_NUMBER);
303 return -1;
02db21df 304 }
32ec4153 305
94777c9c 306 if ((version >> 8) != SSL3_VERSION_MAJOR) {
a01c86a2 307 if (RECORD_LAYER_is_first_record(&s->rlayer)) {
94777c9c
MC		 308 /* Go back to start of packet, look at the five bytes
309 * that we have. */
310 p = RECORD_LAYER_get_packet(&s->rlayer);
311 if (strncmp((char *)p, "GET ", 4) == 0 ||
312 strncmp((char *)p, "POST ", 5) == 0 ||
313 strncmp((char *)p, "HEAD ", 5) == 0 ||
314 strncmp((char *)p, "PUT ", 4) == 0) {
196f2cbb
MC		 315 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
316 SSL_R_HTTP_REQUEST);
317 return -1;
94777c9c 318 } else if (strncmp((char *)p, "CONNE", 5) == 0) {
196f2cbb
MC		 319 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
320 SSL_R_HTTPS_PROXY_REQUEST);
321 return -1;
94777c9c 322 }
a01c86a2
MC		 323
324 /* Doesn't look like TLS - don't send an alert */
196f2cbb
MC		 325 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
326 SSL_R_WRONG_VERSION_NUMBER);
327 return -1;
a01c86a2 328 } else {
196f2cbb
MC		 329 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
330 SSL_F_SSL3_GET_RECORD,
331 SSL_R_WRONG_VERSION_NUMBER);
332 return -1;
124f6ff4
RJ		 333 }
334 }
32ec4153 335
e60ce9c4 336 if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL
88858868 337 && thisrr->type != SSL3_RT_APPLICATION_DATA) {
196f2cbb
MC		 338 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
339 SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE);
340 return -1;
e60ce9c4
MC		 341 }
342
88858868 343 if (thisrr->length >
a230b26e 344 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
196f2cbb
MC		 345 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
346 SSL_R_PACKET_LENGTH_TOO_LONG);
347 return -1;
94777c9c 348 }
32ec4153 349 }
94777c9c
MC		 350
351 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
fe589e61
MC		 352 }
353
43219695
MC		 354 if (SSL_IS_TLS13(s)) {
355 if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
196f2cbb
MC		 356 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
357 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
358 return -1;
43219695
MC		 359 }
360 } else {
361 size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
362
4f7b76bf
MC		 363#ifndef OPENSSL_NO_COMP
364 /*
365 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
366 * does not include the compression overhead anyway.
367 */
43219695
MC		 368 if (s->expand == NULL)
369 len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
4f7b76bf 370#endif
43219695
MC		 371
372 if (thisrr->length > len) {
196f2cbb
MC		 373 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
374 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
375 return -1;
43219695
MC		 376 }
377 }
378
94777c9c
MC		 379 /*
380 * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data.
381 * Calculate how much more data we need to read for the rest of the
382 * record
383 */
88858868
MC		 384 if (thisrr->rec_version == SSL2_VERSION) {
385 more = thisrr->length + SSL2_RT_HEADER_LENGTH
94777c9c
MC		 386 - SSL3_RT_HEADER_LENGTH;
387 } else {
88858868 388 more = thisrr->length;
94777c9c 389 }
8e6d03ca 390 if (more > 0) {
94777c9c 391 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
fe589e61 392
8e6d03ca
MC		 393 rret = ssl3_read_n(s, more, more, 1, 0, &n);
394 if (rret <= 0)
395 return rret; /* error or non-blocking io */
94777c9c 396 }
32ec4153 397
94777c9c
MC		 398 /* set state for later operations */
399 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
fe589e61 400
94777c9c 401 /*
88858868
MC		 402 * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH
403 * + thisrr->length, or s->packet_length == SSL2_RT_HEADER_LENGTH
404 * + thisrr->length and we have that many bytes in s->packet
94777c9c 405 */
88858868
MC		 406 if (thisrr->rec_version == SSL2_VERSION) {
407 thisrr->input =
94777c9c
MC		 408 &(RECORD_LAYER_get_packet(&s->rlayer)[SSL2_RT_HEADER_LENGTH]);
409 } else {
88858868 410 thisrr->input =
94777c9c
MC		 411 &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
412 }
fe589e61 413
94777c9c 414 /*
88858868
MC		 415 * ok, we can now read from 's->packet' data into 'thisrr' thisrr->input
416 * points at thisrr->length bytes, which need to be copied into
417 * thisrr->data by either the decryption or by the decompression When
418 * the data is 'copied' into the thisrr->data buffer, thisrr->input will
419 * be pointed at the new buffer
94777c9c 420 */
fe589e61 421
94777c9c 422 /*
88858868
MC		 423 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
424 * thisrr->length bytes of encrypted compressed stuff.
94777c9c 425 */
fe589e61 426
88858868
MC		 427 /* decrypt in place in 'thisrr->input' */
428 thisrr->data = thisrr->input;
429 thisrr->orig_len = thisrr->length;
255cfeac
MC		 430
431 /* Mark this record as not read by upper layers yet */
88858868 432 thisrr->read = 0;
255cfeac 433
94777c9c
MC		 434 num_recs++;
435
436 /* we have pulled in a full packet so zero things */
437 RECORD_LAYER_reset_packet_length(&s->rlayer);
78fcddbb 438 RECORD_LAYER_clear_first_record(&s->rlayer);
de0717eb 439 } while (num_recs < max_recs
88858868 440 && thisrr->type == SSL3_RT_APPLICATION_DATA
94777c9c
MC		 441 && SSL_USE_EXPLICIT_IV(s)
442 && s->enc_read_ctx != NULL
443 && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx))
a230b26e 444 & EVP_CIPH_FLAG_PIPELINE)
ea71906e 445 && ssl3_record_app_data_waiting(s));
fe589e61 446
fe589e61
MC		 447 /*
448 * If in encrypt-then-mac mode calculate mac from encrypted record. All
449 * the details below are public so no timing details can leak.
450 */
28a31a0a 451 if (SSL_READ_ETM(s) && s->read_hash) {
fe589e61 452 unsigned char *mac;
72716e79
MC		 453 /* TODO(size_t): convert this to do size_t properly */
454 imac_size = EVP_MD_CTX_size(s->read_hash);
b77f3ed1 455 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
196f2cbb
MC		 456 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
457 ERR_LIB_EVP);
458 return -1;
72716e79
MC		 459 }
460 mac_size = (size_t)imac_size;
94777c9c 461 for (j = 0; j < num_recs; j++) {
88858868
MC		 462 thisrr = &rr[j];
463
464 if (thisrr->length < mac_size) {
196f2cbb
MC		 465 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
466 SSL_R_LENGTH_TOO_SHORT);
467 return -1;
94777c9c 468 }
88858868
MC		 469 thisrr->length -= mac_size;
470 mac = thisrr->data + thisrr->length;
471 i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ );
a14aa99b 472 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
196f2cbb 473 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
94777c9c 474 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
196f2cbb 475 return -1;
94777c9c 476 }
fe589e61
MC		 477 }
478 }
479
70ef40a0
MC		 480 first_rec_len = rr[0].length;
481
94777c9c 482 enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0);
e60ce9c4 483
fe589e61
MC		 484 /*-
485 * enc_err is:
d781d247 486 * 0: (in non-constant time) if the record is publicly invalid.
fe589e61
MC		 487 * 1: if the padding is valid
488 * -1: if the padding is invalid
489 */
490 if (enc_err == 0) {
921d84a0
MC		 491 if (ossl_statem_in_error(s)) {
492 /* SSLfatal() already got called */
493 return -1;
494 }
0a87d0ac
MC		 495 if (num_recs == 1 && ossl_statem_skip_early_data(s)) {
496 /*
d781d247
MC		 497 * Valid early_data that we cannot decrypt might fail here as
498 * publicly invalid. We treat it like an empty record.
0a87d0ac 499 */
70ef40a0 500
0a87d0ac 501 thisrr = &rr[0];
70ef40a0
MC		 502
503 if (!early_data_count_ok(s, thisrr->length,
196f2cbb
MC		 504 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
505 /* SSLfatal() already called */
506 return -1;
507 }
70ef40a0 508
0a87d0ac
MC		 509 thisrr->length = 0;
510 thisrr->read = 1;
511 RECORD_LAYER_set_numrpipes(&s->rlayer, 1);
67f78ead 512 RECORD_LAYER_reset_read_sequence(&s->rlayer);
0a87d0ac
MC		 513 return 1;
514 }
196f2cbb
MC		 515 SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD,
516 SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
517 return -1;
fe589e61 518 }
d63a5e5e 519#ifdef SSL_DEBUG
88858868 520 printf("dec %"OSSLzu"\n", rr[0].length);
fe589e61 521 {
eda75751 522 size_t z;
88858868
MC		 523 for (z = 0; z < rr[0].length; z++)
524 printf("%02X%c", rr[0].data[z], ((z + 1) % 16) ? ' ' : '\n');
fe589e61
MC		 525 }
526 printf("\n");
527#endif
528
529 /* r->length is now the compressed data plus mac */
530 if ((sess != NULL) &&
531 (s->enc_read_ctx != NULL) &&
28a31a0a 532 (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) {
fe589e61
MC		 533 /* s->read_hash != NULL => mac_size != -1 */
534 unsigned char *mac = NULL;
535 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
94777c9c 536
fe589e61 537 mac_size = EVP_MD_CTX_size(s->read_hash);
380a522f 538 if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {
196f2cbb
MC		 539 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
540 ERR_R_INTERNAL_ERROR);
541 return -1;
380a522f 542 }
fe589e61 543
a230b26e 544 for (j = 0; j < num_recs; j++) {
88858868 545 thisrr = &rr[j];
fe589e61 546 /*
94777c9c
MC		 547 * orig_len is the length of the record before any padding was
548 * removed. This is public information, as is the MAC in use,
549 * therefore we can safely process the record in a different amount
550 * of time if it's too short to possibly contain a MAC.
fe589e61 551 */
88858868 552 if (thisrr->orig_len < mac_size ||
94777c9c
MC		 553 /* CBC records must have a padding length byte too. */
554 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
88858868 555 thisrr->orig_len < mac_size + 1)) {
196f2cbb
MC		 556 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,
557 SSL_R_LENGTH_TOO_SHORT);
558 return -1;
94777c9c 559 }
fe589e61 560
94777c9c
MC		 561 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
562 /*
563 * We update the length so that the TLS header bytes can be
564 * constructed correctly but we need to extract the MAC in
565 * constant time from within the record, without leaking the
566 * contents of the padding bytes.
567 */
568 mac = mac_tmp;
380a522f 569 if (!ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size)) {
196f2cbb
MC		 570 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,
571 ERR_R_INTERNAL_ERROR);
572 return -1;
380a522f 573 }
88858868 574 thisrr->length -= mac_size;
94777c9c
MC		 575 } else {
576 /*
577 * In this case there's no padding, so |rec->orig_len| equals
578 * |rec->length| and we checked that there's enough bytes for
579 * |mac_size| above.
580 */
88858868
MC		 581 thisrr->length -= mac_size;
582 mac = &thisrr->data[thisrr->length];
94777c9c
MC		 583 }
584
88858868 585 i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ );
a14aa99b 586 if (i == 0 || mac == NULL
94777c9c
MC		 587 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
588 enc_err = -1;
88858868 589 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
94777c9c
MC		 590 enc_err = -1;
591 }
fe589e61
MC		 592 }
593
594 if (enc_err < 0) {
921d84a0
MC		 595 if (ossl_statem_in_error(s)) {
596 /* We already called SSLfatal() */
597 return -1;
598 }
d781d247
MC		 599 if (num_recs == 1 && ossl_statem_skip_early_data(s)) {
600 /*
601 * We assume this is unreadable early_data - we treat it like an
602 * empty record
603 */
70ef40a0
MC		 604
605 /*
606 * The record length may have been modified by the mac check above
607 * so we use the previously saved value
608 */
609 if (!early_data_count_ok(s, first_rec_len,
196f2cbb
MC		 610 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
611 /* SSLfatal() already called */
612 return -1;
613 }
70ef40a0 614
d781d247
MC		 615 thisrr = &rr[0];
616 thisrr->length = 0;
617 thisrr->read = 1;
618 RECORD_LAYER_set_numrpipes(&s->rlayer, 1);
67f78ead 619 RECORD_LAYER_reset_read_sequence(&s->rlayer);
d781d247
MC		 620 return 1;
621 }
fe589e61
MC		 622 /*
623 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
624 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
625 * failure is directly visible from the ciphertext anyway, we should
626 * not reveal which kind of error occurred -- this might become
627 * visible to an attacker (e.g. via a logfile)
628 */
196f2cbb
MC		 629 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
630 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
631 return -1;
fe589e61
MC		 632 }
633
94777c9c 634 for (j = 0; j < num_recs; j++) {
88858868
MC		 635 thisrr = &rr[j];
636
637 /* thisrr->length is now just compressed */
94777c9c 638 if (s->expand != NULL) {
88858868 639 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
196f2cbb
MC		 640 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
641 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
642 return -1;
94777c9c 643 }
88858868 644 if (!ssl3_do_uncompress(s, thisrr)) {
196f2cbb
MC		 645 SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_F_SSL3_GET_RECORD,
646 SSL_R_BAD_DECOMPRESSION);
647 return -1;
94777c9c 648 }
fe589e61 649 }
94777c9c 650
e60ce9c4
MC		 651 if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) {
652 size_t end;
653
3c544acc
MC		 654 if (thisrr->length == 0
655 || thisrr->type != SSL3_RT_APPLICATION_DATA) {
196f2cbb
MC		 656 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
657 SSL_R_BAD_RECORD_TYPE);
658 return -1;
e60ce9c4
MC		 659 }
660
661 /* Strip trailing padding */
88858868
MC		 662 for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
663 end--)
e60ce9c4
MC		 664 continue;
665
88858868
MC		 666 thisrr->length = end;
667 thisrr->type = thisrr->data[end];
668 if (thisrr->type != SSL3_RT_APPLICATION_DATA
669 && thisrr->type != SSL3_RT_ALERT
670 && thisrr->type != SSL3_RT_HANDSHAKE) {
196f2cbb
MC		 671 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
672 SSL_R_BAD_RECORD_TYPE);
673 return -1;
e60ce9c4 674 }
ad5100bc
MC		 675 if (s->msg_callback)
676 s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE,
677 &thisrr->data[end], 1, s, s->msg_callback_arg);
e60ce9c4
MC		 678 }
679
9010b7bc
MC		 680 /*
681 * TLSv1.3 alert and handshake records are required to be non-zero in
682 * length.
683 */
fc4c15fa
MC		 684 if (SSL_IS_TLS13(s)
685 && (thisrr->type == SSL3_RT_HANDSHAKE
686 || thisrr->type == SSL3_RT_ALERT)
687 && thisrr->length == 0) {
196f2cbb
MC		 688 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
689 SSL_R_BAD_LENGTH);
690 return -1;
fc4c15fa
MC		 691 }
692
88858868 693 if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
196f2cbb
MC		 694 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
695 SSL_R_DATA_LENGTH_TOO_LONG);
696 return -1;
fe589e61 697 }
fe589e61 698
cf72c757
F		 699 /* If received packet overflows current Max Fragment Length setting */
700 if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
701 && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) {
196f2cbb
MC		 702 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
703 SSL_R_DATA_LENGTH_TOO_LONG);
704 return -1;
cf72c757
F		 705 }
706
88858868 707 thisrr->off = 0;
94777c9c
MC		 708 /*-
709 * So at this point the following is true
88858868
MC		 710 * thisrr->type is the type of record
711 * thisrr->length == number of bytes in record
712 * thisrr->off == offset to first valid byte
713 * thisrr->data == where to take bytes from, increment after use :-).
94777c9c 714 */
fe589e61 715
94777c9c 716 /* just read a 0 length packet */
88858868 717 if (thisrr->length == 0) {
255cfeac
MC		 718 RECORD_LAYER_inc_empty_record_count(&s->rlayer);
719 if (RECORD_LAYER_get_empty_record_count(&s->rlayer)
a230b26e 720 > MAX_EMPTY_RECORDS) {
196f2cbb
MC		 721 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,
722 SSL_R_RECORD_TOO_SMALL);
723 return -1;
94777c9c 724 }
255cfeac
MC		 725 } else {
726 RECORD_LAYER_reset_empty_record_count(&s->rlayer);
fe589e61 727 }
94777c9c 728 }
fe589e61 729
70ef40a0
MC		 730 if (s->early_data_state == SSL_EARLY_DATA_READING) {
731 thisrr = &rr[0];
732 if (thisrr->type == SSL3_RT_APPLICATION_DATA
196f2cbb
MC		 733 && !early_data_count_ok(s, thisrr->length, 0, 0)) {
734 /* SSLfatal already called */
735 return -1;
736 }
70ef40a0
MC		 737 }
738
94777c9c
MC		 739 RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs);
740 return 1;
fe589e61
MC		 741}
742
94777c9c 743int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr)
fe589e61
MC		 744{
745#ifndef OPENSSL_NO_COMP
746 int i;
fe589e61 747
0220fee4
MC		 748 if (rr->comp == NULL) {
749 rr->comp = (unsigned char *)
750 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
751 }
752 if (rr->comp == NULL)
753 return 0;
754
eda75751 755 /* TODO(size_t): Convert this call */
fe589e61 756 i = COMP_expand_block(ssl->expand, rr->comp,
a230b26e 757 SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length);
fe589e61 758 if (i < 0)
0220fee4 759 return 0;
fe589e61
MC		 760 else
761 rr->length = i;
762 rr->data = rr->comp;
763#endif
0220fee4 764 return 1;
fe589e61
MC		 765}
766
d102d9df 767int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
fe589e61
MC		 768{
769#ifndef OPENSSL_NO_COMP
770 int i;
fe589e61 771
eda75751 772 /* TODO(size_t): Convert this call */
fe589e61 773 i = COMP_compress_block(ssl->compress, wr->data,
c7c42022 774 (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD),
fe589e61
MC		 775 wr->input, (int)wr->length);
776 if (i < 0)
26a7d938 777 return 0;
fe589e61
MC		 778 else
779 wr->length = i;
780
781 wr->input = wr->data;
782#endif
208fb891 783 return 1;
fe589e61
MC		 784}
785
02a36fda 786/*-
921d84a0
MC		 787 * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Will call
788 * SSLfatal() for internal errors, but not otherwise.
02a36fda
MC		 789 *
790 * Returns:
791 * 0: (in non-constant time) if the record is publically invalid (i.e. too
792 * short etc).
793 * 1: if the record's padding is valid / the encryption was successful.
794 * -1: if the record's padding is invalid or, if sending, an internal error
795 * occurred.
796 */
aebe9e39 797int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending)
02a36fda
MC		 798{
799 SSL3_RECORD *rec;
800 EVP_CIPHER_CTX *ds;
eda75751 801 size_t l, i;
72716e79
MC		 802 size_t bs, mac_size = 0;
803 int imac_size;
02a36fda
MC		 804 const EVP_CIPHER *enc;
805
d102d9df 806 rec = inrecs;
37205971
MC		 807 /*
808 * We shouldn't ever be called with more than one record in the SSLv3 case
809 */
810 if (n_recs != 1)
811 return 0;
aebe9e39 812 if (sending) {
02a36fda 813 ds = s->enc_write_ctx;
02a36fda
MC		 814 if (s->enc_write_ctx == NULL)
815 enc = NULL;
816 else
817 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
818 } else {
819 ds = s->enc_read_ctx;
02a36fda
MC		 820 if (s->enc_read_ctx == NULL)
821 enc = NULL;
822 else
823 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
824 }
825
826 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
827 memmove(rec->data, rec->input, rec->length);
828 rec->input = rec->data;
829 } else {
830 l = rec->length;
eda75751 831 /* TODO(size_t): Convert this call */
846ec07d 832 bs = EVP_CIPHER_CTX_block_size(ds);
02a36fda
MC		 833
834 /* COMPRESS */
835
aebe9e39 836 if ((bs != 1) && sending) {
c08d12ca 837 i = bs - (l % bs);
02a36fda
MC		 838
839 /* we need to add 'i-1' padding bytes */
840 l += i;
841 /*
842 * the last of these zero bytes will be overwritten with the
843 * padding length.
844 */
845 memset(&rec->input[rec->length], 0, i);
846 rec->length += i;
c08d12ca 847 rec->input[l - 1] = (unsigned char)(i - 1);
02a36fda
MC		 848 }
849
aebe9e39 850 if (!sending) {
02a36fda
MC		 851 if (l == 0 || l % bs != 0)
852 return 0;
853 /* otherwise, rec->length >= bs */
854 }
855
eda75751 856 /* TODO(size_t): Convert this call */
c08d12ca 857 if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1)
02a36fda
MC		 858 return -1;
859
72716e79
MC		 860 if (EVP_MD_CTX_md(s->read_hash) != NULL) {
861 /* TODO(size_t): convert me */
862 imac_size = EVP_MD_CTX_size(s->read_hash);
921d84a0
MC		 863 if (imac_size < 0) {
864 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_ENC,
865 ERR_R_INTERNAL_ERROR);
72716e79 866 return -1;
921d84a0 867 }
72716e79
MC		 868 mac_size = (size_t)imac_size;
869 }
aebe9e39 870 if ((bs != 1) && !sending)
a773b52a 871 return ssl3_cbc_remove_padding(rec, bs, mac_size);
02a36fda 872 }
208fb891 873 return 1;
02a36fda
MC		 874}
875
72716e79 876#define MAX_PADDING 256
02a36fda 877/*-
921d84a0
MC		 878 * tls1_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for
879 * internal errors, but not otherwise.
02a36fda
MC		 880 *
881 * Returns:
882 * 0: (in non-constant time) if the record is publically invalid (i.e. too
883 * short etc).
884 * 1: if the record's padding is valid / the encryption was successful.
885 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
886 * an internal error occurred.
887 */
aebe9e39 888int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
02a36fda 889{
02a36fda 890 EVP_CIPHER_CTX *ds;
d102d9df
MC		 891 size_t reclen[SSL_MAX_PIPELINES];
892 unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
72716e79
MC		 893 int i, pad = 0, ret, tmpr;
894 size_t bs, mac_size = 0, ctr, padnum, loop;
895 unsigned char padval;
896 int imac_size;
02a36fda
MC		 897 const EVP_CIPHER *enc;
898
921d84a0
MC		 899 if (n_recs == 0) {
900 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
901 ERR_R_INTERNAL_ERROR);
a3004c82 902 return 0;
921d84a0 903 }
a3004c82 904
aebe9e39 905 if (sending) {
02a36fda
MC		 906 if (EVP_MD_CTX_md(s->write_hash)) {
907 int n = EVP_MD_CTX_size(s->write_hash);
380a522f 908 if (!ossl_assert(n >= 0)) {
921d84a0
MC		 909 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
910 ERR_R_INTERNAL_ERROR);
380a522f
MC		 911 return -1;
912 }
02a36fda
MC		 913 }
914 ds = s->enc_write_ctx;
02a36fda
MC		 915 if (s->enc_write_ctx == NULL)
916 enc = NULL;
917 else {
918 int ivlen;
919 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
920 /* For TLSv1.1 and later explicit IV */
921 if (SSL_USE_EXPLICIT_IV(s)
922 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
923 ivlen = EVP_CIPHER_iv_length(enc);
924 else
925 ivlen = 0;
926 if (ivlen > 1) {
37205971 927 for (ctr = 0; ctr < n_recs; ctr++) {
d102d9df
MC		 928 if (recs[ctr].data != recs[ctr].input) {
929 /*
930 * we can't write into the input stream: Can this ever
931 * happen?? (steve)
932 */
921d84a0
MC		 933 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
934 ERR_R_INTERNAL_ERROR);
d102d9df 935 return -1;
ae3947de 936 } else if (ssl_randbytes(s, recs[ctr].input, ivlen) <= 0) {
921d84a0
MC		 937 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
938 ERR_R_INTERNAL_ERROR);
d102d9df
MC		 939 return -1;
940 }
941 }
02a36fda
MC		 942 }
943 }
944 } else {
945 if (EVP_MD_CTX_md(s->read_hash)) {
946 int n = EVP_MD_CTX_size(s->read_hash);
380a522f 947 if (!ossl_assert(n >= 0)) {
921d84a0
MC		 948 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
949 ERR_R_INTERNAL_ERROR);
380a522f
MC		 950 return -1;
951 }
02a36fda
MC		 952 }
953 ds = s->enc_read_ctx;
02a36fda
MC		 954 if (s->enc_read_ctx == NULL)
955 enc = NULL;
956 else
957 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
958 }
959
02a36fda 960 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
37205971 961 for (ctr = 0; ctr < n_recs; ctr++) {
d102d9df
MC		 962 memmove(recs[ctr].data, recs[ctr].input, recs[ctr].length);
963 recs[ctr].input = recs[ctr].data;
964 }
02a36fda
MC		 965 ret = 1;
966 } else {
d102d9df
MC		 967 bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_cipher(ds));
968
37205971 969 if (n_recs > 1) {
e8aa8b6c 970 if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
a230b26e 971 & EVP_CIPH_FLAG_PIPELINE)) {
d102d9df
MC		 972 /*
973 * We shouldn't have been called with pipeline data if the
974 * cipher doesn't support pipelining
975 */
921d84a0
MC		 976 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
977 SSL_R_PIPELINE_FAILURE);
d102d9df
MC		 978 return -1;
979 }
980 }
37205971 981 for (ctr = 0; ctr < n_recs; ctr++) {
d102d9df
MC		 982 reclen[ctr] = recs[ctr].length;
983
984 if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
a230b26e 985 & EVP_CIPH_FLAG_AEAD_CIPHER) {
d102d9df
MC		 986 unsigned char *seq;
987
aebe9e39 988 seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
d102d9df
MC		 989 : RECORD_LAYER_get_read_sequence(&s->rlayer);
990
991 if (SSL_IS_DTLS(s)) {
992 /* DTLS does not support pipelining */
993 unsigned char dtlsseq[9], *p = dtlsseq;
994
aebe9e39 995 s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
d102d9df
MC		 996 DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
997 memcpy(p, &seq[2], 6);
998 memcpy(buf[ctr], dtlsseq, 8);
999 } else {
1000 memcpy(buf[ctr], seq, 8);
1001 for (i = 7; i >= 0; i--) { /* increment */
1002 ++seq[i];
1003 if (seq[i] != 0)
1004 break;
1005 }
1006 }
02a36fda 1007
d102d9df
MC		 1008 buf[ctr][8] = recs[ctr].type;
1009 buf[ctr][9] = (unsigned char)(s->version >> 8);
1010 buf[ctr][10] = (unsigned char)(s->version);
c08d12ca
MC		 1011 buf[ctr][11] = (unsigned char)(recs[ctr].length >> 8);
1012 buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff);
d102d9df
MC		 1013 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
1014 EVP_AEAD_TLS1_AAD_LEN, buf[ctr]);
921d84a0
MC		 1015 if (pad <= 0) {
1016 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
1017 ERR_R_INTERNAL_ERROR);
d102d9df 1018 return -1;
921d84a0 1019 }
d102d9df 1020
aebe9e39 1021 if (sending) {
d102d9df
MC		 1022 reclen[ctr] += pad;
1023 recs[ctr].length += pad;
02a36fda 1024 }
02a36fda 1025
aebe9e39 1026 } else if ((bs != 1) && sending) {
c08d12ca 1027 padnum = bs - (reclen[ctr] % bs);
02a36fda 1028
d102d9df 1029 /* Add weird padding of upto 256 bytes */
02a36fda 1030
921d84a0
MC		 1031 if (padnum > MAX_PADDING) {
1032 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
1033 ERR_R_INTERNAL_ERROR);
72716e79 1034 return -1;
921d84a0 1035 }
72716e79 1036 /* we need to add 'padnum' padding bytes of value padval */
c08d12ca 1037 padval = (unsigned char)(padnum - 1);
72716e79
MC		 1038 for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++)
1039 recs[ctr].input[loop] = padval;
1040 reclen[ctr] += padnum;
1041 recs[ctr].length += padnum;
d102d9df
MC		 1042 }
1043
aebe9e39 1044 if (!sending) {
d102d9df
MC		 1045 if (reclen[ctr] == 0 || reclen[ctr] % bs != 0)
1046 return 0;
1047 }
02a36fda 1048 }
37205971 1049 if (n_recs > 1) {
d102d9df 1050 unsigned char *data[SSL_MAX_PIPELINES];
02a36fda 1051
d102d9df 1052 /* Set the output buffers */
e8aa8b6c 1053 for (ctr = 0; ctr < n_recs; ctr++) {
d102d9df
MC		 1054 data[ctr] = recs[ctr].data;
1055 }
1056 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
c08d12ca 1057 (int)n_recs, data) <= 0) {
921d84a0
MC		 1058 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
1059 SSL_R_PIPELINE_FAILURE);
1060 return -1;
d102d9df
MC		 1061 }
1062 /* Set the input buffers */
e8aa8b6c 1063 for (ctr = 0; ctr < n_recs; ctr++) {
d102d9df
MC		 1064 data[ctr] = recs[ctr].input;
1065 }
1066 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS,
c08d12ca 1067 (int)n_recs, data) <= 0
d102d9df 1068 || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
c08d12ca 1069 (int)n_recs, reclen) <= 0) {
921d84a0
MC		 1070 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
1071 SSL_R_PIPELINE_FAILURE);
d102d9df
MC		 1072 return -1;
1073 }
02a36fda
MC		 1074 }
1075
c08d12ca
MC		 1076 /* TODO(size_t): Convert this call */
1077 tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
1078 (unsigned int)reclen[0]);
d102d9df 1079 if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
a230b26e 1080 & EVP_CIPH_FLAG_CUSTOM_CIPHER)
72716e79
MC		 1081 ? (tmpr < 0)
1082 : (tmpr == 0))
02a36fda 1083 return -1; /* AEAD can fail to verify MAC */
921d84a0 1084
aebe9e39 1085 if (sending == 0) {
e75c5a79 1086 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) {
37205971 1087 for (ctr = 0; ctr < n_recs; ctr++) {
d102d9df
MC		 1088 recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1089 recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1090 recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1091 }
e75c5a79 1092 } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) {
37205971 1093 for (ctr = 0; ctr < n_recs; ctr++) {
d102d9df
MC		 1094 recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
1095 recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
1096 recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
1097 }
e75c5a79 1098 }
02a36fda 1099 }
02a36fda
MC		 1100
1101 ret = 1;
28a31a0a 1102 if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) {
72716e79 1103 imac_size = EVP_MD_CTX_size(s->read_hash);
921d84a0
MC		 1104 if (imac_size < 0) {
1105 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
1106 ERR_R_INTERNAL_ERROR);
72716e79 1107 return -1;
921d84a0 1108 }
72716e79
MC		 1109 mac_size = (size_t)imac_size;
1110 }
aebe9e39 1111 if ((bs != 1) && !sending) {
94777c9c 1112 int tmpret;
37205971 1113 for (ctr = 0; ctr < n_recs; ctr++) {
94777c9c 1114 tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size);
f9cf774c
MC		 1115 /*
1116 * If tmpret == 0 then this means publicly invalid so we can
1117 * short circuit things here. Otherwise we must respect constant
1118 * time behaviour.
1119 */
1120 if (tmpret == 0)
1121 return 0;
1122 ret = constant_time_select_int(constant_time_eq_int(tmpret, 1),
1123 ret, -1);
94777c9c
MC		 1124 }
1125 }
aebe9e39 1126 if (pad && !sending) {
37205971 1127 for (ctr = 0; ctr < n_recs; ctr++) {
94777c9c
MC		 1128 recs[ctr].length -= pad;
1129 }
d102d9df 1130 }
02a36fda
MC		 1131 }
1132 return ret;
1133}
1134
aebe9e39 1135int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
02a36fda 1136{
02a36fda 1137 unsigned char *mac_sec, *seq;
02a36fda
MC		 1138 const EVP_MD_CTX *hash;
1139 unsigned char *p, rec_char;
1140 size_t md_size;
c08d12ca 1141 size_t npad;
02a36fda
MC		 1142 int t;
1143
aebe9e39 1144 if (sending) {
02a36fda 1145 mac_sec = &(ssl->s3->write_mac_secret[0]);
de07f311 1146 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
02a36fda
MC		 1147 hash = ssl->write_hash;
1148 } else {
02a36fda 1149 mac_sec = &(ssl->s3->read_mac_secret[0]);
de07f311 1150 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
02a36fda
MC		 1151 hash = ssl->read_hash;
1152 }
1153
1154 t = EVP_MD_CTX_size(hash);
1155 if (t < 0)
a14aa99b 1156 return 0;
02a36fda
MC		 1157 md_size = t;
1158 npad = (48 / md_size) * md_size;
1159
aebe9e39 1160 if (!sending &&
02a36fda
MC		 1161 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1162 ssl3_cbc_record_digest_supported(hash)) {
1163 /*
1164 * This is a CBC-encrypted record. We must avoid leaking any
1165 * timing-side channel information about how many blocks of data we
1166 * are hashing because that gives an attacker a timing-oracle.
1167 */
1168
1169 /*-
1170 * npad is, at most, 48 bytes and that's with MD5:
1171 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
1172 *
1173 * With SHA-1 (the largest hash speced for SSLv3) the hash size
1174 * goes up 4, but npad goes down by 8, resulting in a smaller
1175 * total size.
1176 */
1177 unsigned char header[75];
c08d12ca 1178 size_t j = 0;
02a36fda
MC		 1179 memcpy(header + j, mac_sec, md_size);
1180 j += md_size;
1181 memcpy(header + j, ssl3_pad_1, npad);
1182 j += npad;
1183 memcpy(header + j, seq, 8);
1184 j += 8;
1185 header[j++] = rec->type;
c08d12ca
MC		 1186 header[j++] = (unsigned char)(rec->length >> 8);
1187 header[j++] = (unsigned char)(rec->length & 0xff);
02a36fda
MC		 1188
1189 /* Final param == is SSLv3 */
5f3d93e4
MC		 1190 if (ssl3_cbc_digest_record(hash,
1191 md, &md_size,
1192 header, rec->input,
1193 rec->length + md_size, rec->orig_len,
1194 mac_sec, md_size, 1) <= 0)
a14aa99b 1195 return 0;
02a36fda
MC		 1196 } else {
1197 unsigned int md_size_u;
1198 /* Chop the digest off the end :-) */
bfb0641f 1199 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
6e59a892
RL		 1200
1201 if (md_ctx == NULL)
a14aa99b 1202 return 0;
02a36fda 1203
02a36fda 1204 rec_char = rec->type;
02a36fda
MC		 1205 p = md;
1206 s2n(rec->length, p);
6e59a892 1207 if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
a230b26e
EK		 1208 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
1209 || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
1210 || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
1211 || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
1212 || EVP_DigestUpdate(md_ctx, md, 2) <= 0
1213 || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
1214 || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
1215 || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
1216 || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
1217 || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
1218 || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
1219 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
bfb0641f 1220 EVP_MD_CTX_reset(md_ctx);
a14aa99b 1221 return 0;
5f3d93e4 1222 }
02a36fda 1223
bfb0641f 1224 EVP_MD_CTX_free(md_ctx);
02a36fda
MC		 1225 }
1226
1227 ssl3_record_sequence_update(seq);
a14aa99b 1228 return 1;
02a36fda
MC		 1229}
1230
aebe9e39 1231int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
02a36fda 1232{
02a36fda
MC		 1233 unsigned char *seq;
1234 EVP_MD_CTX *hash;
1235 size_t md_size;
1236 int i;
6e59a892 1237 EVP_MD_CTX *hmac = NULL, *mac_ctx;
02a36fda 1238 unsigned char header[13];
aebe9e39 1239 int stream_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
02a36fda
MC		 1240 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
1241 int t;
1242
aebe9e39 1243 if (sending) {
de07f311 1244 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
02a36fda
MC		 1245 hash = ssl->write_hash;
1246 } else {
de07f311 1247 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
02a36fda
MC		 1248 hash = ssl->read_hash;
1249 }
1250
1251 t = EVP_MD_CTX_size(hash);
380a522f
MC		 1252 if (!ossl_assert(t >= 0))
1253 return 0;
02a36fda
MC		 1254 md_size = t;
1255
1256 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
1257 if (stream_mac) {
1258 mac_ctx = hash;
1259 } else {
bfb0641f 1260 hmac = EVP_MD_CTX_new();
a230b26e 1261 if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash))
a14aa99b 1262 return 0;
6e59a892 1263 mac_ctx = hmac;
02a36fda
MC		 1264 }
1265
1266 if (SSL_IS_DTLS(ssl)) {
1267 unsigned char dtlsseq[8], *p = dtlsseq;
1268
aebe9e39 1269 s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
78a39fe7 1270 DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
02a36fda
MC		 1271 memcpy(p, &seq[2], 6);
1272
1273 memcpy(header, dtlsseq, 8);
1274 } else
1275 memcpy(header, seq, 8);
1276
1277 header[8] = rec->type;
1278 header[9] = (unsigned char)(ssl->version >> 8);
1279 header[10] = (unsigned char)(ssl->version);
348240c6
MC		 1280 header[11] = (unsigned char)(rec->length >> 8);
1281 header[12] = (unsigned char)(rec->length & 0xff);
02a36fda 1282
aebe9e39 1283 if (!sending && !SSL_READ_ETM(ssl) &&
02a36fda
MC		 1284 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1285 ssl3_cbc_record_digest_supported(mac_ctx)) {
1286 /*
1287 * This is a CBC-encrypted record. We must avoid leaking any
1288 * timing-side channel information about how many blocks of data we
1289 * are hashing because that gives an attacker a timing-oracle.
1290 */
1291 /* Final param == not SSLv3 */
5f3d93e4
MC		 1292 if (ssl3_cbc_digest_record(mac_ctx,
1293 md, &md_size,
1294 header, rec->input,
1295 rec->length + md_size, rec->orig_len,
1296 ssl->s3->read_mac_secret,
1297 ssl->s3->read_mac_secret_size, 0) <= 0) {
bfb0641f 1298 EVP_MD_CTX_free(hmac);
aabe3a35 1299 return 0;
5f3d93e4 1300 }
02a36fda 1301 } else {
eda75751 1302 /* TODO(size_t): Convert these calls */
5f3d93e4 1303 if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
a230b26e
EK		 1304 || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
1305 || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
bfb0641f 1306 EVP_MD_CTX_free(hmac);
a14aa99b 1307 return 0;
5f3d93e4 1308 }
02a36fda
MC		 1309 }
1310
bfb0641f 1311 EVP_MD_CTX_free(hmac);
5f3d93e4 1312
d63a5e5e 1313#ifdef SSL_DEBUG
02a36fda
MC		 1314 fprintf(stderr, "seq=");
1315 {
1316 int z;
1317 for (z = 0; z < 8; z++)
1318 fprintf(stderr, "%02X ", seq[z]);
1319 fprintf(stderr, "\n");
1320 }
1321 fprintf(stderr, "rec=");
1322 {
eda75751 1323 size_t z;
02a36fda
MC		 1324 for (z = 0; z < rec->length; z++)
1325 fprintf(stderr, "%02X ", rec->data[z]);
1326 fprintf(stderr, "\n");
1327 }
1328#endif
1329
1330 if (!SSL_IS_DTLS(ssl)) {
1331 for (i = 7; i >= 0; i--) {
1332 ++seq[i];
1333 if (seq[i] != 0)
1334 break;
1335 }
1336 }
d63a5e5e 1337#ifdef SSL_DEBUG
02a36fda
MC		 1338 {
1339 unsigned int z;
1340 for (z = 0; z < md_size; z++)
1341 fprintf(stderr, "%02X ", md[z]);
1342 fprintf(stderr, "\n");
1343 }
1344#endif
a14aa99b 1345 return 1;
02a36fda
MC		 1346}
1347
1348/*-
1349 * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
1350 * record in |rec| by updating |rec->length| in constant time.
1351 *
1352 * block_size: the block size of the cipher used to encrypt the record.
1353 * returns:
1354 * 0: (in non-constant time) if the record is publicly invalid.
1355 * 1: if the padding was valid
1356 * -1: otherwise.
1357 */
a773b52a 1358int ssl3_cbc_remove_padding(SSL3_RECORD *rec,
72716e79 1359 size_t block_size, size_t mac_size)
02a36fda 1360{
72716e79 1361 size_t padding_length;
2688e7a0 1362 size_t good;
72716e79 1363 const size_t overhead = 1 /* padding length byte */ + mac_size;
02a36fda
MC		 1364
1365 /*
1366 * These lengths are all public so we can test them in non-constant time.
1367 */
1368 if (overhead > rec->length)
1369 return 0;
1370
1371 padding_length = rec->data[rec->length - 1];
2688e7a0 1372 good = constant_time_ge_s(rec->length, padding_length + overhead);
02a36fda 1373 /* SSLv3 requires that the padding is minimal. */
2688e7a0 1374 good &= constant_time_ge_s(block_size, padding_length + 1);
02a36fda 1375 rec->length -= good & (padding_length + 1);
2688e7a0 1376 return constant_time_select_int_s(good, 1, -1);
02a36fda
MC		 1377}
1378
1379/*-
1380 * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
1381 * record in |rec| in constant time and returns 1 if the padding is valid and
1382 * -1 otherwise. It also removes any explicit IV from the start of the record
1383 * without leaking any timing about whether there was enough space after the
1384 * padding was removed.
1385 *
1386 * block_size: the block size of the cipher used to encrypt the record.
1387 * returns:
1388 * 0: (in non-constant time) if the record is publicly invalid.
1389 * 1: if the padding was valid
1390 * -1: otherwise.
1391 */
1392int tls1_cbc_remove_padding(const SSL *s,
1393 SSL3_RECORD *rec,
72716e79 1394 size_t block_size, size_t mac_size)
02a36fda 1395{
2688e7a0 1396 size_t good;
72716e79
MC		 1397 size_t padding_length, to_check, i;
1398 const size_t overhead = 1 /* padding length byte */ + mac_size;
02a36fda
MC		 1399 /* Check if version requires explicit IV */
1400 if (SSL_USE_EXPLICIT_IV(s)) {
1401 /*
1402 * These lengths are all public so we can test them in non-constant
1403 * time.
1404 */
1405 if (overhead + block_size > rec->length)
1406 return 0;
1407 /* We can now safely skip explicit IV */
1408 rec->data += block_size;
1409 rec->input += block_size;
1410 rec->length -= block_size;
1411 rec->orig_len -= block_size;
1412 } else if (overhead > rec->length)
1413 return 0;
1414
1415 padding_length = rec->data[rec->length - 1];
1416
a230b26e
EK		 1417 if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) &
1418 EVP_CIPH_FLAG_AEAD_CIPHER) {
02a36fda
MC		 1419 /* padding is already verified */
1420 rec->length -= padding_length + 1;
1421 return 1;
1422 }
1423
2688e7a0 1424 good = constant_time_ge_s(rec->length, overhead + padding_length);
02a36fda
MC		 1425 /*
1426 * The padding consists of a length byte at the end of the record and
1427 * then that many bytes of padding, all with the same value as the length
1428 * byte. Thus, with the length byte included, there are i+1 bytes of
1429 * padding. We can't check just |padding_length+1| bytes because that
1430 * leaks decrypted information. Therefore we always have to check the
1431 * maximum amount of padding possible. (Again, the length of the record
1432 * is public information so we can use it.)
1433 */
eea8723c
AL		 1434 to_check = 256; /* maximum amount of padding, inc length byte. */
1435 if (to_check > rec->length)
1436 to_check = rec->length;
02a36fda
MC		 1437
1438 for (i = 0; i < to_check; i++) {
2688e7a0 1439 unsigned char mask = constant_time_ge_8_s(padding_length, i);
02a36fda
MC		 1440 unsigned char b = rec->data[rec->length - 1 - i];
1441 /*
1442 * The final |padding_length+1| bytes should all have the value
1443 * |padding_length|. Therefore the XOR should be zero.
1444 */
1445 good &= ~(mask & (padding_length ^ b));
1446 }
1447
1448 /*
1449 * If any of the final |padding_length+1| bytes had the wrong value, one
1450 * or more of the lower eight bits of |good| will be cleared.
1451 */
2688e7a0 1452 good = constant_time_eq_s(0xff, good & 0xff);
02a36fda
MC		 1453 rec->length -= good & (padding_length + 1);
1454
2688e7a0 1455 return constant_time_select_int_s(good, 1, -1);
02a36fda
MC		 1456}
1457
1458/*-
1459 * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
1460 * constant time (independent of the concrete value of rec->length, which may
1461 * vary within a 256-byte window).
1462 *
1463 * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
1464 * this function.
1465 *
1466 * On entry:
1467 * rec->orig_len >= md_size
1468 * md_size <= EVP_MAX_MD_SIZE
1469 *
1470 * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
1471 * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
1472 * a single or pair of cache-lines, then the variable memory accesses don't
1473 * actually affect the timing. CPUs with smaller cache-lines [if any] are
1474 * not multi-core and are not considered vulnerable to cache-timing attacks.
1475 */
1476#define CBC_MAC_ROTATE_IN_PLACE
1477
380a522f 1478int ssl3_cbc_copy_mac(unsigned char *out,
72716e79 1479 const SSL3_RECORD *rec, size_t md_size)
02a36fda
MC		 1480{
1481#if defined(CBC_MAC_ROTATE_IN_PLACE)
1482 unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
1483 unsigned char *rotated_mac;
1484#else
1485 unsigned char rotated_mac[EVP_MAX_MD_SIZE];
1486#endif
1487
1488 /*
1489 * mac_end is the index of |rec->data| just after the end of the MAC.
1490 */
72716e79
MC		 1491 size_t mac_end = rec->length;
1492 size_t mac_start = mac_end - md_size;
8f77fab8 1493 size_t in_mac;
02a36fda
MC		 1494 /*
1495 * scan_start contains the number of bytes that we can ignore because the
1496 * MAC's position can only vary by 255 bytes.
1497 */
72716e79 1498 size_t scan_start = 0;
2688e7a0 1499 size_t i, j;
2688e7a0 1500 size_t rotate_offset;
02a36fda 1501
380a522f
MC		 1502 if (!ossl_assert(rec->orig_len >= md_size
1503 && md_size <= EVP_MAX_MD_SIZE))
1504 return 0;
02a36fda
MC		 1505
1506#if defined(CBC_MAC_ROTATE_IN_PLACE)
1507 rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
1508#endif
1509
1510 /* This information is public so it's safe to branch based on it. */
1511 if (rec->orig_len > md_size + 255 + 1)
1512 scan_start = rec->orig_len - (md_size + 255 + 1);
02a36fda 1513
8f77fab8
AP		 1514 in_mac = 0;
1515 rotate_offset = 0;
02a36fda
MC		 1516 memset(rotated_mac, 0, md_size);
1517 for (i = scan_start, j = 0; i < rec->orig_len; i++) {
8f77fab8
AP		 1518 size_t mac_started = constant_time_eq_s(i, mac_start);
1519 size_t mac_ended = constant_time_lt_s(i, mac_end);
02a36fda 1520 unsigned char b = rec->data[i];
8f77fab8
AP		 1521
1522 in_mac |= mac_started;
1523 in_mac &= mac_ended;
1524 rotate_offset |= j & mac_started;
1525 rotated_mac[j++] |= b & in_mac;
2688e7a0 1526 j &= constant_time_lt_s(j, md_size);
02a36fda
MC		 1527 }
1528
1529 /* Now rotate the MAC */
1530#if defined(CBC_MAC_ROTATE_IN_PLACE)
1531 j = 0;
1532 for (i = 0; i < md_size; i++) {
1533 /* in case cache-line is 32 bytes, touch second line */
1534 ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
1535 out[j++] = rotated_mac[rotate_offset++];
2688e7a0 1536 rotate_offset &= constant_time_lt_s(rotate_offset, md_size);
02a36fda
MC		 1537 }
1538#else
1539 memset(out, 0, md_size);
1540 rotate_offset = md_size - rotate_offset;
2688e7a0 1541 rotate_offset &= constant_time_lt_s(rotate_offset, md_size);
02a36fda
MC		 1542 for (i = 0; i < md_size; i++) {
1543 for (j = 0; j < md_size; j++)
2688e7a0 1544 out[j] |= rotated_mac[i] & constant_time_eq_8_s(j, rotate_offset);
02a36fda 1545 rotate_offset++;
2688e7a0 1546 rotate_offset &= constant_time_lt_s(rotate_offset, md_size);
02a36fda
MC		 1547 }
1548#endif
380a522f
MC		 1549
1550 return 1;
02a36fda
MC		 1551}
1552
1fb9fdc3 1553int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
fe589e61 1554{
c2853382 1555 int i;
fe589e61
MC		 1556 int enc_err;
1557 SSL_SESSION *sess;
1558 SSL3_RECORD *rr;
72716e79
MC		 1559 int imac_size;
1560 size_t mac_size;
fe589e61
MC		 1561 unsigned char md[EVP_MAX_MD_SIZE];
1562
1563 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1564 sess = s->session;
1565
1566 /*
1567 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
1568 * and we have that many bytes in s->packet
1569 */
7a7048af 1570 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]);
fe589e61
MC		 1571
1572 /*
1573 * ok, we can now read from 's->packet' data into 'rr' rr->input points
1574 * at rr->length bytes, which need to be copied into rr->data by either
1575 * the decryption or by the decompression When the data is 'copied' into
1576 * the rr->data buffer, rr->input will be pointed at the new buffer
1577 */
1578
1579 /*
1580 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
1581 * bytes of encrypted compressed stuff.
1582 */
1583
1584 /* check is not needed I believe */
1585 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
c2853382
MC		 1586 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
1587 SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1588 return 0;
fe589e61
MC		 1589 }
1590
1591 /* decrypt in place in 'rr->input' */
1592 rr->data = rr->input;
1593 rr->orig_len = rr->length;
1594
28a31a0a 1595 if (SSL_READ_ETM(s) && s->read_hash) {
e23d5071
DW		 1596 unsigned char *mac;
1597 mac_size = EVP_MD_CTX_size(s->read_hash);
380a522f 1598 if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {
c2853382
MC		 1599 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
1600 ERR_R_INTERNAL_ERROR);
1601 return 0;
380a522f 1602 }
e23d5071 1603 if (rr->orig_len < mac_size) {
c2853382
MC		 1604 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
1605 SSL_R_LENGTH_TOO_SHORT);
1606 return 0;
e23d5071
DW		 1607 }
1608 rr->length -= mac_size;
1609 mac = rr->data + rr->length;
1610 i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
a14aa99b 1611 if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
c2853382 1612 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_DTLS1_PROCESS_RECORD,
e23d5071 1613 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
c2853382 1614 return 0;
e23d5071
DW		 1615 }
1616 }
1617
d102d9df 1618 enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0);
fe589e61
MC		 1619 /*-
1620 * enc_err is:
1621 * 0: (in non-constant time) if the record is publically invalid.
1622 * 1: if the padding is valid
1623 * -1: if the padding is invalid
1624 */
1625 if (enc_err == 0) {
921d84a0
MC		 1626 if (ossl_statem_in_error(s)) {
1627 /* SSLfatal() got called */
1628 return 0;
1629 }
fe589e61
MC		 1630 /* For DTLS we simply ignore bad packets. */
1631 rr->length = 0;
7a7048af 1632 RECORD_LAYER_reset_packet_length(&s->rlayer);
c2853382 1633 return 0;
fe589e61 1634 }
d63a5e5e 1635#ifdef SSL_DEBUG
eda75751 1636 printf("dec %ld\n", rr->length);
fe589e61 1637 {
eda75751 1638 size_t z;
fe589e61
MC		 1639 for (z = 0; z < rr->length; z++)
1640 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
1641 }
1642 printf("\n");
1643#endif
1644
1645 /* r->length is now the compressed data plus mac */
28a31a0a 1646 if ((sess != NULL) && !SSL_READ_ETM(s) &&
fe589e61
MC		 1647 (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
1648 /* s->read_hash != NULL => mac_size != -1 */
1649 unsigned char *mac = NULL;
1650 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
72716e79
MC		 1651
1652 /* TODO(size_t): Convert this to do size_t properly */
1653 imac_size = EVP_MD_CTX_size(s->read_hash);
1654 if (imac_size < 0) {
c2853382
MC		 1655 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
1656 ERR_LIB_EVP);
1657 return 0;
72716e79
MC		 1658 }
1659 mac_size = (size_t)imac_size;
380a522f 1660 if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {
c2853382
MC		 1661 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
1662 ERR_R_INTERNAL_ERROR);
1663 return 0;
380a522f 1664 }
fe589e61
MC		 1665
1666 /*
1667 * orig_len is the length of the record before any padding was
1668 * removed. This is public information, as is the MAC in use,
1669 * therefore we can safely process the record in a different amount
1670 * of time if it's too short to possibly contain a MAC.
1671 */
1672 if (rr->orig_len < mac_size ||
1673 /* CBC records must have a padding length byte too. */
1674 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1675 rr->orig_len < mac_size + 1)) {
c2853382
MC		 1676 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
1677 SSL_R_LENGTH_TOO_SHORT);
1678 return 0;
fe589e61
MC		 1679 }
1680
1681 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
1682 /*
1683 * We update the length so that the TLS header bytes can be
1684 * constructed correctly but we need to extract the MAC in
1685 * constant time from within the record, without leaking the
1686 * contents of the padding bytes.
1687 */
1688 mac = mac_tmp;
380a522f 1689 if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) {
c2853382
MC		 1690 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
1691 ERR_R_INTERNAL_ERROR);
1692 return 0;
380a522f 1693 }
fe589e61
MC		 1694 rr->length -= mac_size;
1695 } else {
1696 /*
1697 * In this case there's no padding, so |rec->orig_len| equals
1698 * |rec->length| and we checked that there's enough bytes for
1699 * |mac_size| above.
1700 */
1701 rr->length -= mac_size;
1702 mac = &rr->data[rr->length];
1703 }
1704
d102d9df 1705 i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
a14aa99b 1706 if (i == 0 || mac == NULL
72716e79 1707 || CRYPTO_memcmp(md, mac, mac_size) != 0)
fe589e61
MC		 1708 enc_err = -1;
1709 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
1710 enc_err = -1;
1711 }
1712
1713 if (enc_err < 0) {
1714 /* decryption failed, silently discard message */
1715 rr->length = 0;
7a7048af 1716 RECORD_LAYER_reset_packet_length(&s->rlayer);
c2853382 1717 return 0;
fe589e61
MC		 1718 }
1719
1720 /* r->length is now just compressed */
1721 if (s->expand != NULL) {
1722 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
c2853382
MC		 1723 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
1724 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1725 return 0;
fe589e61 1726 }
94777c9c 1727 if (!ssl3_do_uncompress(s, rr)) {
c2853382
MC		 1728 SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE,
1729 SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
1730 return 0;
fe589e61
MC		 1731 }
1732 }
1733
1734 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
c2853382
MC		 1735 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
1736 SSL_R_DATA_LENGTH_TOO_LONG);
1737 return 0;
fe589e61
MC		 1738 }
1739
1740 rr->off = 0;
1741 /*-
1742 * So at this point the following is true
1743 * ssl->s3->rrec.type is the type of record
1744 * ssl->s3->rrec.length == number of bytes in record
1745 * ssl->s3->rrec.off == offset to first valid byte
1746 * ssl->s3->rrec.data == where to take bytes from, increment
1747 * after use :-).
1748 */
1749
1750 /* we have pulled in a full packet so zero things */
7a7048af 1751 RECORD_LAYER_reset_packet_length(&s->rlayer);
1fb9fdc3
MC		 1752
1753 /* Mark receipt of record. */
1754 dtls1_record_bitmap_update(s, bitmap);
1755
208fb891 1756 return 1;
fe589e61
MC		 1757}
1758
fe589e61 1759/*
69687aa8 1760 * Retrieve a buffered record that belongs to the current epoch, i.e. processed
fe589e61
MC		 1761 */
1762#define dtls1_get_processed_record(s) \
1763 dtls1_retrieve_buffered_record((s), \
cb2ce7ab 1764 &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer)))
fe589e61
MC		 1765
1766/*-
1767 * Call this to get a new input record.
1768 * It will return <= 0 if more data is needed, normally due to an error
1769 * or non-blocking IO.
1770 * When it finishes, one packet has been decoded and can be found in
1771 * ssl->s3->rrec.type - is the type of record
1772 * ssl->s3->rrec.data, - data
1773 * ssl->s3->rrec.length, - number of bytes
1774 */
1775/* used only by dtls1_read_bytes */
1776int dtls1_get_record(SSL *s)
1777{
1778 int ssl_major, ssl_minor;
8e6d03ca
MC		 1779 int rret;
1780 size_t more, n;
fe589e61
MC		 1781 SSL3_RECORD *rr;
1782 unsigned char *p = NULL;
1783 unsigned short version;
1784 DTLS1_BITMAP *bitmap;
1785 unsigned int is_next_epoch;
1786
1787 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1788
738ad946 1789 again:
fe589e61
MC		 1790 /*
1791 * The epoch may have changed. If so, process all the pending records.
1792 * This is a non-blocking operation.
1793 */
c2853382
MC		 1794 if (!dtls1_process_buffered_records(s)) {
1795 /* SSLfatal() already called */
fe589e61 1796 return -1;
c2853382 1797 }
fe589e61
MC		 1798
1799 /* if we're renegotiating, then there may be buffered records */
1800 if (dtls1_get_processed_record(s))
1801 return 1;
1802
1803 /* get something from the wire */
738ad946 1804
fe589e61 1805 /* check if we have the header */
295c3f41 1806 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
7a7048af 1807 (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) {
8e6d03ca
MC		 1808 rret = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
1809 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1, &n);
fe589e61 1810 /* read timeout is handled by dtls1_read_bytes */
c2853382
MC		 1811 if (rret <= 0) {
1812 /* SSLfatal() already called if appropriate */
8e6d03ca 1813 return rret; /* error or non-blocking */
c2853382 1814 }
fe589e61
MC		 1815
1816 /* this packet contained a partial record, dump it */
a230b26e
EK		 1817 if (RECORD_LAYER_get_packet_length(&s->rlayer) !=
1818 DTLS1_RT_HEADER_LENGTH) {
7a7048af 1819 RECORD_LAYER_reset_packet_length(&s->rlayer);
fe589e61
MC		 1820 goto again;
1821 }
1822
295c3f41 1823 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
fe589e61 1824
7a7048af 1825 p = RECORD_LAYER_get_packet(&s->rlayer);
fe589e61
MC		 1826
1827 if (s->msg_callback)
1828 s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
1829 s, s->msg_callback_arg);
1830
1831 /* Pull apart the header into the DTLS1_RECORD */
1832 rr->type = *(p++);
1833 ssl_major = *(p++);
1834 ssl_minor = *(p++);
1835 version = (ssl_major << 8) | ssl_minor;
1836
1837 /* sequence number is 64 bits, with top 2 bytes = epoch */
1838 n2s(p, rr->epoch);
1839
de07f311 1840 memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6);
fe589e61
MC		 1841 p += 6;
1842
1843 n2s(p, rr->length);
1844
1845 /* Lets check version */
1846 if (!s->first_packet) {
1847 if (version != s->version) {
1848 /* unexpected version, silently discard */
1849 rr->length = 0;
7a7048af 1850 RECORD_LAYER_reset_packet_length(&s->rlayer);
fe589e61
MC		 1851 goto again;
1852 }
1853 }
1854
1855 if ((version & 0xff00) != (s->version & 0xff00)) {
1856 /* wrong version, silently discard record */
1857 rr->length = 0;
7a7048af 1858 RECORD_LAYER_reset_packet_length(&s->rlayer);
fe589e61
MC		 1859 goto again;
1860 }
1861
1862 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1863 /* record too long, silently discard it */
1864 rr->length = 0;
7a7048af 1865 RECORD_LAYER_reset_packet_length(&s->rlayer);
fe589e61
MC		 1866 goto again;
1867 }
1868
cf72c757
F		 1869 /* If received packet overflows own-client Max Fragment Length setting */
1870 if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
1871 && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) {
1872 /* record too long, silently discard it */
1873 rr->length = 0;
1874 RECORD_LAYER_reset_packet_length(&s->rlayer);
1875 goto again;
1876 }
1877
295c3f41 1878 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
fe589e61
MC		 1879 }
1880
295c3f41 1881 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
fe589e61 1882
7a7048af
MC		 1883 if (rr->length >
1884 RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) {
fe589e61 1885 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
8e6d03ca
MC		 1886 more = rr->length;
1887 rret = ssl3_read_n(s, more, more, 1, 1, &n);
fe589e61 1888 /* this packet contained a partial record, dump it */
8e6d03ca 1889 if (rret <= 0 || n != more) {
c2853382
MC		 1890 if (ossl_statem_in_error(s)) {
1891 /* ssl3_read_n() called SSLfatal() */
1892 return -1;
1893 }
fe589e61 1894 rr->length = 0;
7a7048af 1895 RECORD_LAYER_reset_packet_length(&s->rlayer);
fe589e61
MC		 1896 goto again;
1897 }
1898
1899 /*
1900 * now n == rr->length, and s->packet_length ==
1901 * DTLS1_RT_HEADER_LENGTH + rr->length
1902 */
1903 }
295c3f41
MC		 1904 /* set state for later operations */
1905 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
fe589e61
MC		 1906
1907 /* match epochs. NULL means the packet is dropped on the floor */
1908 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
1909 if (bitmap == NULL) {
1910 rr->length = 0;
a230b26e 1911 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
fe589e61
MC		 1912 goto again; /* get another record */
1913 }
1914#ifndef OPENSSL_NO_SCTP
1915 /* Only do replay check if no SCTP bio */
1916 if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
1917#endif
912c89c5 1918 /* Check whether this is a repeat, or aged record. */
1fb9fdc3
MC		 1919 /*
1920 * TODO: Does it make sense to have replay protection in epoch 0 where
1921 * we have no integrity negotiated yet?
1922 */
912c89c5 1923 if (!dtls1_record_replay_check(s, bitmap)) {
fe589e61 1924 rr->length = 0;
7a7048af 1925 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
fe589e61
MC		 1926 goto again; /* get another record */
1927 }
1928#ifndef OPENSSL_NO_SCTP
1929 }
1930#endif
1931
1932 /* just read a 0 length packet */
1933 if (rr->length == 0)
1934 goto again;
1935
1936 /*
1937 * If this record is from the next epoch (either HM or ALERT), and a
1938 * handshake is currently in progress, buffer it since it cannot be
912c89c5 1939 * processed at this time.
fe589e61
MC		 1940 */
1941 if (is_next_epoch) {
024f543c 1942 if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) {
c2853382
MC		 1943 if (dtls1_buffer_record (s,
1944 &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
1945 rr->seq_num) < 0) {
1946 /* SSLfatal() already called */
fe589e61 1947 return -1;
c2853382 1948 }
fe589e61
MC		 1949 }
1950 rr->length = 0;
7a7048af 1951 RECORD_LAYER_reset_packet_length(&s->rlayer);
fe589e61
MC		 1952 goto again;
1953 }
1954
1fb9fdc3 1955 if (!dtls1_process_record(s, bitmap)) {
c2853382
MC		 1956 if (ossl_statem_in_error(s)) {
1957 /* dtls1_process_record() called SSLfatal */
1958 return -1;
1959 }
fe589e61 1960 rr->length = 0;
a230b26e 1961 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
fe589e61
MC		 1962 goto again; /* get another record */
1963 }
fe589e61 1964
208fb891 1965 return 1;
fe589e61
MC		 1966
1967}
A mirror of the official openssl repository