2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "../ssl_local.h"
11 #include <openssl/trace.h>
12 #include <openssl/rand.h>
13 #include <openssl/core_names.h>
14 #include "record_local.h"
15 #include "internal/cryptlib.h"
17 static const unsigned char ssl3_pad_1
[48] = {
18 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
19 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
20 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
21 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
22 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
23 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
26 static const unsigned char ssl3_pad_2
[48] = {
27 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
28 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
29 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
30 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
31 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
32 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
36 * Clear the contents of an SSL3_RECORD but retain any memory allocated
38 void SSL3_RECORD_clear(SSL3_RECORD
*r
, size_t num_recs
)
43 for (i
= 0; i
< num_recs
; i
++) {
46 memset(&r
[i
], 0, sizeof(*r
));
51 void SSL3_RECORD_release(SSL3_RECORD
*r
, size_t num_recs
)
55 for (i
= 0; i
< num_recs
; i
++) {
56 OPENSSL_free(r
[i
].comp
);
61 void SSL3_RECORD_set_seq_num(SSL3_RECORD
*r
, const unsigned char *seq_num
)
63 memcpy(r
->seq_num
, seq_num
, SEQ_NUM_SIZE
);
67 * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
68 * for us in the buffer.
70 static int ssl3_record_app_data_waiting(SSL
*s
)
76 rbuf
= RECORD_LAYER_get_rbuf(&s
->rlayer
);
78 p
= SSL3_BUFFER_get_buf(rbuf
);
82 left
= SSL3_BUFFER_get_left(rbuf
);
84 if (left
< SSL3_RT_HEADER_LENGTH
)
87 p
+= SSL3_BUFFER_get_offset(rbuf
);
90 * We only check the type and record length, we will sanity check version
93 if (*p
!= SSL3_RT_APPLICATION_DATA
)
99 if (left
< SSL3_RT_HEADER_LENGTH
+ len
)
105 int early_data_count_ok(SSL
*s
, size_t length
, size_t overhead
, int send
)
107 uint32_t max_early_data
;
108 SSL_SESSION
*sess
= s
->session
;
111 * If we are a client then we always use the max_early_data from the
112 * session/psksession. Otherwise we go with the lowest out of the max early
113 * data set in the session and the configured max_early_data.
115 if (!s
->server
&& sess
->ext
.max_early_data
== 0) {
116 if (!ossl_assert(s
->psksession
!= NULL
117 && s
->psksession
->ext
.max_early_data
> 0)) {
118 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
121 sess
= s
->psksession
;
125 max_early_data
= sess
->ext
.max_early_data
;
126 else if (s
->ext
.early_data
!= SSL_EARLY_DATA_ACCEPTED
)
127 max_early_data
= s
->recv_max_early_data
;
129 max_early_data
= s
->recv_max_early_data
< sess
->ext
.max_early_data
130 ? s
->recv_max_early_data
: sess
->ext
.max_early_data
;
132 if (max_early_data
== 0) {
133 SSLfatal(s
, send
? SSL_AD_INTERNAL_ERROR
: SSL_AD_UNEXPECTED_MESSAGE
,
134 SSL_R_TOO_MUCH_EARLY_DATA
);
138 /* If we are dealing with ciphertext we need to allow for the overhead */
139 max_early_data
+= overhead
;
141 if (s
->early_data_count
+ length
> max_early_data
) {
142 SSLfatal(s
, send
? SSL_AD_INTERNAL_ERROR
: SSL_AD_UNEXPECTED_MESSAGE
,
143 SSL_R_TOO_MUCH_EARLY_DATA
);
146 s
->early_data_count
+= length
;
152 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
153 * will be processed per call to ssl3_get_record. Without this limit an
154 * attacker could send empty records at a faster rate than we can process and
155 * cause ssl3_get_record to loop forever.
157 #define MAX_EMPTY_RECORDS 32
159 #define SSL2_RT_HEADER_LENGTH 2
161 * Call this to get new input records.
162 * It will return <= 0 if more data is needed, normally due to an error
163 * or non-blocking IO.
164 * When it finishes, |numrpipes| records have been decoded. For each record 'i':
165 * rr[i].type - is the type of record
167 * rr[i].length, - number of bytes
168 * Multiple records will only be returned if the record types are all
169 * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
172 /* used only by ssl3_read_bytes */
173 int ssl3_get_record(SSL
*s
)
178 SSL3_RECORD
*rr
, *thisrr
;
182 unsigned char md
[EVP_MAX_MD_SIZE
];
183 unsigned int version
;
186 size_t num_recs
= 0, max_recs
, j
;
187 PACKET pkt
, sslv2pkt
;
189 SSL_MAC_BUF
*macbufs
= NULL
;
192 rr
= RECORD_LAYER_get_rrec(&s
->rlayer
);
193 rbuf
= RECORD_LAYER_get_rbuf(&s
->rlayer
);
194 is_ktls_left
= (rbuf
->left
> 0);
195 max_recs
= s
->max_pipelines
;
201 thisrr
= &rr
[num_recs
];
203 /* check if we have the header */
204 if ((RECORD_LAYER_get_rstate(&s
->rlayer
) != SSL_ST_READ_BODY
) ||
205 (RECORD_LAYER_get_packet_length(&s
->rlayer
)
206 < SSL3_RT_HEADER_LENGTH
)) {
210 rret
= ssl3_read_n(s
, SSL3_RT_HEADER_LENGTH
,
211 SSL3_BUFFER_get_len(rbuf
), 0,
212 num_recs
== 0 ? 1 : 0, &n
);
214 #ifndef OPENSSL_NO_KTLS
215 if (!BIO_get_ktls_recv(s
->rbio
) || rret
== 0)
216 return rret
; /* error or non-blocking */
219 SSLfatal(s
, SSL_AD_BAD_RECORD_MAC
,
220 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
223 SSLfatal(s
, SSL_AD_RECORD_OVERFLOW
,
224 SSL_R_PACKET_LENGTH_TOO_LONG
);
227 SSLfatal(s
, SSL_AD_PROTOCOL_VERSION
,
228 SSL_R_WRONG_VERSION_NUMBER
);
236 RECORD_LAYER_set_rstate(&s
->rlayer
, SSL_ST_READ_BODY
);
238 p
= RECORD_LAYER_get_packet(&s
->rlayer
);
239 if (!PACKET_buf_init(&pkt
, RECORD_LAYER_get_packet(&s
->rlayer
),
240 RECORD_LAYER_get_packet_length(&s
->rlayer
))) {
241 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
245 if (!PACKET_get_net_2_len(&sslv2pkt
, &sslv2len
)
246 || !PACKET_get_1(&sslv2pkt
, &type
)) {
247 SSLfatal(s
, SSL_AD_DECODE_ERROR
, ERR_R_INTERNAL_ERROR
);
251 * The first record received by the server may be a V2ClientHello.
253 if (s
->server
&& RECORD_LAYER_is_first_record(&s
->rlayer
)
254 && (sslv2len
& 0x8000) != 0
255 && (type
== SSL2_MT_CLIENT_HELLO
)) {
259 * |num_recs| here will actually always be 0 because
260 * |num_recs > 0| only ever occurs when we are processing
261 * multiple app data records - which we know isn't the case here
262 * because it is an SSLv2ClientHello. We keep it using
263 * |num_recs| for the sake of consistency
265 thisrr
->type
= SSL3_RT_HANDSHAKE
;
266 thisrr
->rec_version
= SSL2_VERSION
;
268 thisrr
->length
= sslv2len
& 0x7fff;
270 if (thisrr
->length
> SSL3_BUFFER_get_len(rbuf
)
271 - SSL2_RT_HEADER_LENGTH
) {
272 SSLfatal(s
, SSL_AD_RECORD_OVERFLOW
,
273 SSL_R_PACKET_LENGTH_TOO_LONG
);
277 if (thisrr
->length
< MIN_SSL2_RECORD_LEN
) {
278 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_TOO_SHORT
);
282 /* SSLv3+ style record */
284 /* Pull apart the header into the SSL3_RECORD */
285 if (!PACKET_get_1(&pkt
, &type
)
286 || !PACKET_get_net_2(&pkt
, &version
)
287 || !PACKET_get_net_2_len(&pkt
, &thisrr
->length
)) {
289 s
->msg_callback(0, 0, SSL3_RT_HEADER
, p
, 5, s
,
290 s
->msg_callback_arg
);
291 SSLfatal(s
, SSL_AD_DECODE_ERROR
, ERR_R_INTERNAL_ERROR
);
295 thisrr
->rec_version
= version
;
298 s
->msg_callback(0, version
, SSL3_RT_HEADER
, p
, 5, s
,
299 s
->msg_callback_arg
);
302 * Lets check version. In TLSv1.3 we only check this field
303 * when encryption is occurring (see later check). For the
304 * ServerHello after an HRR we haven't actually selected TLSv1.3
305 * yet, but we still treat it as TLSv1.3, so we must check for
308 if (!s
->first_packet
&& !SSL_IS_TLS13(s
)
309 && s
->hello_retry_request
!= SSL_HRR_PENDING
310 && version
!= (unsigned int)s
->version
) {
311 if ((s
->version
& 0xFF00) == (version
& 0xFF00)
312 && !s
->enc_write_ctx
&& !s
->write_hash
) {
313 if (thisrr
->type
== SSL3_RT_ALERT
) {
315 * The record is using an incorrect version number,
316 * but what we've got appears to be an alert. We
317 * haven't read the body yet to check whether its a
318 * fatal or not - but chances are it is. We probably
319 * shouldn't send a fatal alert back. We'll just
322 SSLfatal(s
, SSL_AD_NO_ALERT
,
323 SSL_R_WRONG_VERSION_NUMBER
);
327 * Send back error using their minor version number :-)
329 s
->version
= (unsigned short)version
;
331 SSLfatal(s
, SSL_AD_PROTOCOL_VERSION
,
332 SSL_R_WRONG_VERSION_NUMBER
);
336 if ((version
>> 8) != SSL3_VERSION_MAJOR
) {
337 if (RECORD_LAYER_is_first_record(&s
->rlayer
)) {
338 /* Go back to start of packet, look at the five bytes
340 p
= RECORD_LAYER_get_packet(&s
->rlayer
);
341 if (strncmp((char *)p
, "GET ", 4) == 0 ||
342 strncmp((char *)p
, "POST ", 5) == 0 ||
343 strncmp((char *)p
, "HEAD ", 5) == 0 ||
344 strncmp((char *)p
, "PUT ", 4) == 0) {
345 SSLfatal(s
, SSL_AD_NO_ALERT
, SSL_R_HTTP_REQUEST
);
347 } else if (strncmp((char *)p
, "CONNE", 5) == 0) {
348 SSLfatal(s
, SSL_AD_NO_ALERT
,
349 SSL_R_HTTPS_PROXY_REQUEST
);
353 /* Doesn't look like TLS - don't send an alert */
354 SSLfatal(s
, SSL_AD_NO_ALERT
,
355 SSL_R_WRONG_VERSION_NUMBER
);
358 SSLfatal(s
, SSL_AD_PROTOCOL_VERSION
,
359 SSL_R_WRONG_VERSION_NUMBER
);
364 if (SSL_IS_TLS13(s
) && s
->enc_read_ctx
!= NULL
) {
365 if (thisrr
->type
!= SSL3_RT_APPLICATION_DATA
366 && (thisrr
->type
!= SSL3_RT_CHANGE_CIPHER_SPEC
367 || !SSL_IS_FIRST_HANDSHAKE(s
))
368 && (thisrr
->type
!= SSL3_RT_ALERT
369 || s
->statem
.enc_read_state
370 != ENC_READ_STATE_ALLOW_PLAIN_ALERTS
)) {
371 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
,
372 SSL_R_BAD_RECORD_TYPE
);
375 if (thisrr
->rec_version
!= TLS1_2_VERSION
) {
376 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
377 SSL_R_WRONG_VERSION_NUMBER
);
383 SSL3_BUFFER_get_len(rbuf
) - SSL3_RT_HEADER_LENGTH
) {
384 SSLfatal(s
, SSL_AD_RECORD_OVERFLOW
,
385 SSL_R_PACKET_LENGTH_TOO_LONG
);
390 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
393 if (SSL_IS_TLS13(s
)) {
394 if (thisrr
->length
> SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH
) {
395 SSLfatal(s
, SSL_AD_RECORD_OVERFLOW
,
396 SSL_R_ENCRYPTED_LENGTH_TOO_LONG
);
400 size_t len
= SSL3_RT_MAX_ENCRYPTED_LENGTH
;
402 #ifndef OPENSSL_NO_COMP
404 * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH
405 * does not include the compression overhead anyway.
407 if (s
->expand
== NULL
)
408 len
-= SSL3_RT_MAX_COMPRESSED_OVERHEAD
;
411 if (thisrr
->length
> len
&& !BIO_get_ktls_recv(s
->rbio
)) {
412 SSLfatal(s
, SSL_AD_RECORD_OVERFLOW
,
413 SSL_R_ENCRYPTED_LENGTH_TOO_LONG
);
419 * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data.
420 * Calculate how much more data we need to read for the rest of the
423 if (thisrr
->rec_version
== SSL2_VERSION
) {
424 more
= thisrr
->length
+ SSL2_RT_HEADER_LENGTH
425 - SSL3_RT_HEADER_LENGTH
;
427 more
= thisrr
->length
;
431 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
433 rret
= ssl3_read_n(s
, more
, more
, 1, 0, &n
);
435 return rret
; /* error or non-blocking io */
438 /* set state for later operations */
439 RECORD_LAYER_set_rstate(&s
->rlayer
, SSL_ST_READ_HEADER
);
442 * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH
443 * + thisrr->length, or s->packet_length == SSL2_RT_HEADER_LENGTH
444 * + thisrr->length and we have that many bytes in s->packet
446 if (thisrr
->rec_version
== SSL2_VERSION
) {
448 &(RECORD_LAYER_get_packet(&s
->rlayer
)[SSL2_RT_HEADER_LENGTH
]);
451 &(RECORD_LAYER_get_packet(&s
->rlayer
)[SSL3_RT_HEADER_LENGTH
]);
455 * ok, we can now read from 's->packet' data into 'thisrr' thisrr->input
456 * points at thisrr->length bytes, which need to be copied into
457 * thisrr->data by either the decryption or by the decompression When
458 * the data is 'copied' into the thisrr->data buffer, thisrr->input will
459 * be pointed at the new buffer
463 * We now have - encrypted [ MAC [ compressed [ plain ] ] ]
464 * thisrr->length bytes of encrypted compressed stuff.
467 /* decrypt in place in 'thisrr->input' */
468 thisrr
->data
= thisrr
->input
;
469 thisrr
->orig_len
= thisrr
->length
;
471 /* Mark this record as not read by upper layers yet */
476 /* we have pulled in a full packet so zero things */
477 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
478 RECORD_LAYER_clear_first_record(&s
->rlayer
);
479 } while (num_recs
< max_recs
480 && thisrr
->type
== SSL3_RT_APPLICATION_DATA
481 && SSL_USE_EXPLICIT_IV(s
)
482 && s
->enc_read_ctx
!= NULL
483 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s
->enc_read_ctx
))
484 & EVP_CIPH_FLAG_PIPELINE
) != 0
485 && ssl3_record_app_data_waiting(s
));
488 && thisrr
->type
== SSL3_RT_CHANGE_CIPHER_SPEC
489 && (SSL_IS_TLS13(s
) || s
->hello_retry_request
!= SSL_HRR_NONE
)
490 && SSL_IS_FIRST_HANDSHAKE(s
)) {
492 * CCS messages must be exactly 1 byte long, containing the value 0x01
494 if (thisrr
->length
!= 1 || thisrr
->data
[0] != 0x01) {
495 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
496 SSL_R_INVALID_CCS_MESSAGE
);
500 * CCS messages are ignored in TLSv1.3. We treat it like an empty
503 thisrr
->type
= SSL3_RT_HANDSHAKE
;
504 RECORD_LAYER_inc_empty_record_count(&s
->rlayer
);
505 if (RECORD_LAYER_get_empty_record_count(&s
->rlayer
)
506 > MAX_EMPTY_RECORDS
) {
507 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
,
508 SSL_R_UNEXPECTED_CCS_MESSAGE
);
512 RECORD_LAYER_set_numrpipes(&s
->rlayer
, 1);
518 * KTLS reads full records. If there is any data left,
519 * then it is from before enabling ktls
521 if (BIO_get_ktls_recv(s
->rbio
) && !is_ktls_left
)
522 goto skip_decryption
;
524 if (s
->read_hash
!= NULL
) {
525 const EVP_MD
*tmpmd
= EVP_MD_CTX_get0_md(s
->read_hash
);
528 imac_size
= EVP_MD_get_size(tmpmd
);
529 if (!ossl_assert(imac_size
>= 0 && imac_size
<= EVP_MAX_MD_SIZE
)) {
530 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
533 mac_size
= (size_t)imac_size
;
538 * If in encrypt-then-mac mode calculate mac from encrypted record. All
539 * the details below are public so no timing details can leak.
541 if (SSL_READ_ETM(s
) && s
->read_hash
) {
544 for (j
= 0; j
< num_recs
; j
++) {
547 if (thisrr
->length
< mac_size
) {
548 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_TOO_SHORT
);
551 thisrr
->length
-= mac_size
;
552 mac
= thisrr
->data
+ thisrr
->length
;
553 i
= s
->method
->ssl3_enc
->mac(s
, thisrr
, md
, 0 /* not send */ );
554 if (i
== 0 || CRYPTO_memcmp(md
, mac
, mac_size
) != 0) {
555 SSLfatal(s
, SSL_AD_BAD_RECORD_MAC
,
556 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
561 * We've handled the mac now - there is no MAC inside the encrypted
568 macbufs
= OPENSSL_zalloc(sizeof(*macbufs
) * num_recs
);
569 if (macbufs
== NULL
) {
570 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_MALLOC_FAILURE
);
575 enc_err
= s
->method
->ssl3_enc
->enc(s
, rr
, num_recs
, 0, macbufs
, mac_size
);
579 * 0: if the record is publicly invalid, or an internal error, or AEAD
580 * decryption failed, or ETM decryption failed.
581 * 1: Success or MTE decryption failed (MAC will be randomised)
584 if (ossl_statem_in_error(s
)) {
585 /* SSLfatal() already got called */
588 if (num_recs
== 1 && ossl_statem_skip_early_data(s
)) {
590 * Valid early_data that we cannot decrypt will fail here. We treat
591 * it like an empty record.
596 if (!early_data_count_ok(s
, thisrr
->length
,
597 EARLY_DATA_CIPHERTEXT_OVERHEAD
, 0)) {
598 /* SSLfatal() already called */
604 RECORD_LAYER_set_numrpipes(&s
->rlayer
, 1);
605 RECORD_LAYER_reset_read_sequence(&s
->rlayer
);
609 SSLfatal(s
, SSL_AD_BAD_RECORD_MAC
,
610 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
613 OSSL_TRACE_BEGIN(TLS
) {
614 BIO_printf(trc_out
, "dec %lu\n", (unsigned long)rr
[0].length
);
615 BIO_dump_indent(trc_out
, rr
[0].data
, rr
[0].length
, 4);
616 } OSSL_TRACE_END(TLS
);
618 /* r->length is now the compressed data plus mac */
620 && (s
->enc_read_ctx
!= NULL
)
621 && (!SSL_READ_ETM(s
) && EVP_MD_CTX_get0_md(s
->read_hash
) != NULL
)) {
622 /* s->read_hash != NULL => mac_size != -1 */
624 for (j
= 0; j
< num_recs
; j
++) {
625 SSL_MAC_BUF
*thismb
= &macbufs
[j
];
628 i
= s
->method
->ssl3_enc
->mac(s
, thisrr
, md
, 0 /* not send */ );
629 if (i
== 0 || thismb
== NULL
|| thismb
->mac
== NULL
630 || CRYPTO_memcmp(md
, thismb
->mac
, (size_t)mac_size
) != 0)
632 if (thisrr
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
+ mac_size
)
638 if (ossl_statem_in_error(s
)) {
639 /* We already called SSLfatal() */
643 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
644 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
645 * failure is directly visible from the ciphertext anyway, we should
646 * not reveal which kind of error occurred -- this might become
647 * visible to an attacker (e.g. via a logfile)
649 SSLfatal(s
, SSL_AD_BAD_RECORD_MAC
,
650 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
656 for (j
= 0; j
< num_recs
; j
++) {
659 /* thisrr->length is now just compressed */
660 if (s
->expand
!= NULL
) {
661 if (thisrr
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
) {
662 SSLfatal(s
, SSL_AD_RECORD_OVERFLOW
,
663 SSL_R_COMPRESSED_LENGTH_TOO_LONG
);
666 if (!ssl3_do_uncompress(s
, thisrr
)) {
667 SSLfatal(s
, SSL_AD_DECOMPRESSION_FAILURE
,
668 SSL_R_BAD_DECOMPRESSION
);
674 && s
->enc_read_ctx
!= NULL
675 && thisrr
->type
!= SSL3_RT_ALERT
) {
678 if (thisrr
->length
== 0
679 || thisrr
->type
!= SSL3_RT_APPLICATION_DATA
) {
680 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_BAD_RECORD_TYPE
);
684 /* Strip trailing padding */
685 for (end
= thisrr
->length
- 1; end
> 0 && thisrr
->data
[end
] == 0;
689 thisrr
->length
= end
;
690 thisrr
->type
= thisrr
->data
[end
];
691 if (thisrr
->type
!= SSL3_RT_APPLICATION_DATA
692 && thisrr
->type
!= SSL3_RT_ALERT
693 && thisrr
->type
!= SSL3_RT_HANDSHAKE
) {
694 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_BAD_RECORD_TYPE
);
698 s
->msg_callback(0, s
->version
, SSL3_RT_INNER_CONTENT_TYPE
,
699 &thisrr
->data
[end
], 1, s
, s
->msg_callback_arg
);
703 * TLSv1.3 alert and handshake records are required to be non-zero in
707 && (thisrr
->type
== SSL3_RT_HANDSHAKE
708 || thisrr
->type
== SSL3_RT_ALERT
)
709 && thisrr
->length
== 0) {
710 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_BAD_LENGTH
);
714 if (thisrr
->length
> SSL3_RT_MAX_PLAIN_LENGTH
715 && !BIO_get_ktls_recv(s
->rbio
)) {
716 SSLfatal(s
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
720 /* If received packet overflows current Max Fragment Length setting */
721 if (s
->session
!= NULL
&& USE_MAX_FRAGMENT_LENGTH_EXT(s
->session
)
722 && thisrr
->length
> GET_MAX_FRAGMENT_LENGTH(s
->session
)
723 && !BIO_get_ktls_recv(s
->rbio
)) {
724 SSLfatal(s
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
730 * So at this point the following is true
731 * thisrr->type is the type of record
732 * thisrr->length == number of bytes in record
733 * thisrr->off == offset to first valid byte
734 * thisrr->data == where to take bytes from, increment after use :-).
737 /* just read a 0 length packet */
738 if (thisrr
->length
== 0) {
739 RECORD_LAYER_inc_empty_record_count(&s
->rlayer
);
740 if (RECORD_LAYER_get_empty_record_count(&s
->rlayer
)
741 > MAX_EMPTY_RECORDS
) {
742 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_RECORD_TOO_SMALL
);
746 RECORD_LAYER_reset_empty_record_count(&s
->rlayer
);
750 if (s
->early_data_state
== SSL_EARLY_DATA_READING
) {
752 if (thisrr
->type
== SSL3_RT_APPLICATION_DATA
753 && !early_data_count_ok(s
, thisrr
->length
, 0, 0)) {
754 /* SSLfatal already called */
759 RECORD_LAYER_set_numrpipes(&s
->rlayer
, num_recs
);
762 if (macbufs
!= NULL
) {
763 for (j
= 0; j
< num_recs
; j
++) {
764 if (macbufs
[j
].alloced
)
765 OPENSSL_free(macbufs
[j
].mac
);
767 OPENSSL_free(macbufs
);
772 int ssl3_do_uncompress(SSL
*ssl
, SSL3_RECORD
*rr
)
774 #ifndef OPENSSL_NO_COMP
777 if (rr
->comp
== NULL
) {
778 rr
->comp
= (unsigned char *)
779 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH
);
781 if (rr
->comp
== NULL
)
784 i
= COMP_expand_block(ssl
->expand
, rr
->comp
,
785 SSL3_RT_MAX_PLAIN_LENGTH
, rr
->data
, (int)rr
->length
);
795 int ssl3_do_compress(SSL
*ssl
, SSL3_RECORD
*wr
)
797 #ifndef OPENSSL_NO_COMP
800 i
= COMP_compress_block(ssl
->compress
, wr
->data
,
801 (int)(wr
->length
+ SSL3_RT_MAX_COMPRESSED_OVERHEAD
),
802 wr
->input
, (int)wr
->length
);
808 wr
->input
= wr
->data
;
814 * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Calls SSLfatal on
815 * internal error, but not otherwise. It is the responsibility of the caller to
816 * report a bad_record_mac
819 * 0: if the record is publicly invalid, or an internal error
820 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
822 int ssl3_enc(SSL
*s
, SSL3_RECORD
*inrecs
, size_t n_recs
, int sending
,
823 SSL_MAC_BUF
*mac
, size_t macsize
)
829 const EVP_CIPHER
*enc
;
833 * We shouldn't ever be called with more than one record in the SSLv3 case
838 ds
= s
->enc_write_ctx
;
839 if (s
->enc_write_ctx
== NULL
)
842 enc
= EVP_CIPHER_CTX_get0_cipher(s
->enc_write_ctx
);
844 ds
= s
->enc_read_ctx
;
845 if (s
->enc_read_ctx
== NULL
)
848 enc
= EVP_CIPHER_CTX_get0_cipher(s
->enc_read_ctx
);
851 if ((s
->session
== NULL
) || (ds
== NULL
) || (enc
== NULL
)) {
852 memmove(rec
->data
, rec
->input
, rec
->length
);
853 rec
->input
= rec
->data
;
855 int provided
= (EVP_CIPHER_get0_provider(enc
) != NULL
);
858 bs
= EVP_CIPHER_CTX_get_block_size(ds
);
862 if ((bs
!= 1) && sending
&& !provided
) {
864 * We only do this for legacy ciphers. Provided ciphers add the
865 * padding on the provider side.
869 /* we need to add 'i-1' padding bytes */
872 * the last of these zero bytes will be overwritten with the
875 memset(&rec
->input
[rec
->length
], 0, i
);
877 rec
->input
[l
- 1] = (unsigned char)(i
- 1);
881 if (l
== 0 || l
% bs
!= 0) {
882 /* Publicly invalid */
885 /* otherwise, rec->length >= bs */
888 if (EVP_CIPHER_get0_provider(enc
) != NULL
) {
891 if (!EVP_CipherUpdate(ds
, rec
->data
, &outlen
, rec
->input
,
894 rec
->length
= outlen
;
896 if (!sending
&& mac
!= NULL
) {
897 /* Now get a pointer to the MAC */
898 OSSL_PARAM params
[2], *p
= params
;
903 *p
++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC
,
906 *p
= OSSL_PARAM_construct_end();
908 if (!EVP_CIPHER_CTX_get_params(ds
, params
)) {
909 /* Shouldn't normally happen */
910 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
915 if (EVP_Cipher(ds
, rec
->data
, rec
->input
, (unsigned int)l
) < 1) {
916 /* Shouldn't happen */
917 SSLfatal(s
, SSL_AD_BAD_RECORD_MAC
, ERR_R_INTERNAL_ERROR
);
922 return ssl3_cbc_remove_padding_and_mac(&rec
->length
,
925 (mac
!= NULL
) ? &mac
->mac
: NULL
,
926 (mac
!= NULL
) ? &mac
->alloced
: NULL
,
935 #define MAX_PADDING 256
937 * tls1_enc encrypts/decrypts |n_recs| in |recs|. Calls SSLfatal on internal
938 * error, but not otherwise. It is the responsibility of the caller to report
939 * a bad_record_mac - if appropriate (DTLS just drops the record).
942 * 0: if the record is publicly invalid, or an internal error, or AEAD
943 * decryption failed, or Encrypt-then-mac decryption failed.
944 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
946 int tls1_enc(SSL
*s
, SSL3_RECORD
*recs
, size_t n_recs
, int sending
,
947 SSL_MAC_BUF
*macs
, size_t macsize
)
950 size_t reclen
[SSL_MAX_PIPELINES
];
951 unsigned char buf
[SSL_MAX_PIPELINES
][EVP_AEAD_TLS1_AAD_LEN
];
952 int i
, pad
= 0, tmpr
;
953 size_t bs
, ctr
, padnum
, loop
;
954 unsigned char padval
;
955 const EVP_CIPHER
*enc
;
956 int tlstree_enc
= sending
? (s
->mac_flags
& SSL_MAC_FLAG_WRITE_MAC_TLSTREE
)
957 : (s
->mac_flags
& SSL_MAC_FLAG_READ_MAC_TLSTREE
);
960 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
965 if (EVP_MD_CTX_get0_md(s
->write_hash
)) {
966 int n
= EVP_MD_CTX_get_size(s
->write_hash
);
967 if (!ossl_assert(n
>= 0)) {
968 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
972 ds
= s
->enc_write_ctx
;
973 if (s
->enc_write_ctx
== NULL
)
978 enc
= EVP_CIPHER_CTX_get0_cipher(s
->enc_write_ctx
);
979 /* For TLSv1.1 and later explicit IV */
980 if (SSL_USE_EXPLICIT_IV(s
)
981 && EVP_CIPHER_get_mode(enc
) == EVP_CIPH_CBC_MODE
)
982 ivlen
= EVP_CIPHER_get_iv_length(enc
);
986 for (ctr
= 0; ctr
< n_recs
; ctr
++) {
987 if (recs
[ctr
].data
!= recs
[ctr
].input
) {
989 * we can't write into the input stream: Can this ever
992 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
994 } else if (RAND_bytes_ex(s
->ctx
->libctx
, recs
[ctr
].input
,
996 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1003 if (EVP_MD_CTX_get0_md(s
->read_hash
)) {
1004 int n
= EVP_MD_CTX_get_size(s
->read_hash
);
1005 if (!ossl_assert(n
>= 0)) {
1006 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1010 ds
= s
->enc_read_ctx
;
1011 if (s
->enc_read_ctx
== NULL
)
1014 enc
= EVP_CIPHER_CTX_get0_cipher(s
->enc_read_ctx
);
1017 if ((s
->session
== NULL
) || (ds
== NULL
) || (enc
== NULL
)) {
1018 for (ctr
= 0; ctr
< n_recs
; ctr
++) {
1019 memmove(recs
[ctr
].data
, recs
[ctr
].input
, recs
[ctr
].length
);
1020 recs
[ctr
].input
= recs
[ctr
].data
;
1023 int provided
= (EVP_CIPHER_get0_provider(enc
) != NULL
);
1025 bs
= EVP_CIPHER_get_block_size(EVP_CIPHER_CTX_get0_cipher(ds
));
1028 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds
))
1029 & EVP_CIPH_FLAG_PIPELINE
) == 0) {
1031 * We shouldn't have been called with pipeline data if the
1032 * cipher doesn't support pipelining
1034 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_PIPELINE_FAILURE
);
1038 for (ctr
= 0; ctr
< n_recs
; ctr
++) {
1039 reclen
[ctr
] = recs
[ctr
].length
;
1041 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds
))
1042 & EVP_CIPH_FLAG_AEAD_CIPHER
) != 0) {
1045 seq
= sending
? RECORD_LAYER_get_write_sequence(&s
->rlayer
)
1046 : RECORD_LAYER_get_read_sequence(&s
->rlayer
);
1048 if (SSL_IS_DTLS(s
)) {
1049 /* DTLS does not support pipelining */
1050 unsigned char dtlsseq
[9], *p
= dtlsseq
;
1052 s2n(sending
? DTLS_RECORD_LAYER_get_w_epoch(&s
->rlayer
) :
1053 DTLS_RECORD_LAYER_get_r_epoch(&s
->rlayer
), p
);
1054 memcpy(p
, &seq
[2], 6);
1055 memcpy(buf
[ctr
], dtlsseq
, 8);
1057 memcpy(buf
[ctr
], seq
, 8);
1058 for (i
= 7; i
>= 0; i
--) { /* increment */
1065 buf
[ctr
][8] = recs
[ctr
].type
;
1066 buf
[ctr
][9] = (unsigned char)(s
->version
>> 8);
1067 buf
[ctr
][10] = (unsigned char)(s
->version
);
1068 buf
[ctr
][11] = (unsigned char)(recs
[ctr
].length
>> 8);
1069 buf
[ctr
][12] = (unsigned char)(recs
[ctr
].length
& 0xff);
1070 pad
= EVP_CIPHER_CTX_ctrl(ds
, EVP_CTRL_AEAD_TLS1_AAD
,
1071 EVP_AEAD_TLS1_AAD_LEN
, buf
[ctr
]);
1073 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1079 recs
[ctr
].length
+= pad
;
1082 } else if ((bs
!= 1) && sending
&& !provided
) {
1084 * We only do this for legacy ciphers. Provided ciphers add the
1085 * padding on the provider side.
1087 padnum
= bs
- (reclen
[ctr
] % bs
);
1089 /* Add weird padding of up to 256 bytes */
1091 if (padnum
> MAX_PADDING
) {
1092 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1095 /* we need to add 'padnum' padding bytes of value padval */
1096 padval
= (unsigned char)(padnum
- 1);
1097 for (loop
= reclen
[ctr
]; loop
< reclen
[ctr
] + padnum
; loop
++)
1098 recs
[ctr
].input
[loop
] = padval
;
1099 reclen
[ctr
] += padnum
;
1100 recs
[ctr
].length
+= padnum
;
1104 if (reclen
[ctr
] == 0 || reclen
[ctr
] % bs
!= 0) {
1105 /* Publicly invalid */
1111 unsigned char *data
[SSL_MAX_PIPELINES
];
1113 /* Set the output buffers */
1114 for (ctr
= 0; ctr
< n_recs
; ctr
++) {
1115 data
[ctr
] = recs
[ctr
].data
;
1117 if (EVP_CIPHER_CTX_ctrl(ds
, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS
,
1118 (int)n_recs
, data
) <= 0) {
1119 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_PIPELINE_FAILURE
);
1122 /* Set the input buffers */
1123 for (ctr
= 0; ctr
< n_recs
; ctr
++) {
1124 data
[ctr
] = recs
[ctr
].input
;
1126 if (EVP_CIPHER_CTX_ctrl(ds
, EVP_CTRL_SET_PIPELINE_INPUT_BUFS
,
1127 (int)n_recs
, data
) <= 0
1128 || EVP_CIPHER_CTX_ctrl(ds
, EVP_CTRL_SET_PIPELINE_INPUT_LENS
,
1129 (int)n_recs
, reclen
) <= 0) {
1130 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_PIPELINE_FAILURE
);
1135 if (!SSL_IS_DTLS(s
) && tlstree_enc
) {
1137 int decrement_seq
= 0;
1140 * When sending, seq is incremented after MAC calculation.
1141 * So if we are in ETM mode, we use seq 'as is' in the ctrl-function.
1142 * Otherwise we have to decrease it in the implementation
1144 if (sending
&& !SSL_WRITE_ETM(s
))
1147 seq
= sending
? RECORD_LAYER_get_write_sequence(&s
->rlayer
)
1148 : RECORD_LAYER_get_read_sequence(&s
->rlayer
);
1149 if (EVP_CIPHER_CTX_ctrl(ds
, EVP_CTRL_TLSTREE
, decrement_seq
, seq
) <= 0) {
1150 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1158 /* Provided cipher - we do not support pipelining on this path */
1160 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1164 if (!EVP_CipherUpdate(ds
, recs
[0].data
, &outlen
, recs
[0].input
,
1165 (unsigned int)reclen
[0]))
1167 recs
[0].length
= outlen
;
1170 * The length returned from EVP_CipherUpdate above is the actual
1171 * payload length. We need to adjust the data/input ptr to skip over
1175 if (EVP_CIPHER_get_mode(enc
) == EVP_CIPH_GCM_MODE
) {
1176 recs
[0].data
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1177 recs
[0].input
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1178 } else if (EVP_CIPHER_get_mode(enc
) == EVP_CIPH_CCM_MODE
) {
1179 recs
[0].data
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
1180 recs
[0].input
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
1181 } else if (bs
!= 1 && SSL_USE_EXPLICIT_IV(s
)) {
1183 recs
[0].input
+= bs
;
1184 recs
[0].orig_len
-= bs
;
1187 /* Now get a pointer to the MAC (if applicable) */
1189 OSSL_PARAM params
[2], *p
= params
;
1192 macs
[0].alloced
= 0;
1194 *p
++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC
,
1195 (void **)&macs
[0].mac
,
1197 *p
= OSSL_PARAM_construct_end();
1199 if (!EVP_CIPHER_CTX_get_params(ds
, params
)) {
1200 /* Shouldn't normally happen */
1201 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1202 ERR_R_INTERNAL_ERROR
);
1210 tmpr
= EVP_Cipher(ds
, recs
[0].data
, recs
[0].input
,
1211 (unsigned int)reclen
[0]);
1212 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds
))
1213 & EVP_CIPH_FLAG_CUSTOM_CIPHER
) != 0
1216 /* AEAD can fail to verify MAC */
1221 /* Adjust the record to remove the explicit IV/MAC/Tag */
1222 if (EVP_CIPHER_get_mode(enc
) == EVP_CIPH_GCM_MODE
) {
1223 for (ctr
= 0; ctr
< n_recs
; ctr
++) {
1224 recs
[ctr
].data
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1225 recs
[ctr
].input
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1226 recs
[ctr
].length
-= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1228 } else if (EVP_CIPHER_get_mode(enc
) == EVP_CIPH_CCM_MODE
) {
1229 for (ctr
= 0; ctr
< n_recs
; ctr
++) {
1230 recs
[ctr
].data
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
1231 recs
[ctr
].input
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
1232 recs
[ctr
].length
-= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
1236 for (ctr
= 0; ctr
< n_recs
; ctr
++) {
1237 if (bs
!= 1 && SSL_USE_EXPLICIT_IV(s
)) {
1238 if (recs
[ctr
].length
< bs
)
1240 recs
[ctr
].data
+= bs
;
1241 recs
[ctr
].input
+= bs
;
1242 recs
[ctr
].length
-= bs
;
1243 recs
[ctr
].orig_len
-= bs
;
1247 * If using Mac-then-encrypt, then this will succeed but
1248 * with a random MAC if padding is invalid
1250 if (!tls1_cbc_remove_padding_and_mac(&recs
[ctr
].length
,
1253 (macs
!= NULL
) ? &macs
[ctr
].mac
: NULL
,
1254 (macs
!= NULL
) ? &macs
[ctr
].alloced
1258 (EVP_CIPHER_get_flags(enc
)
1259 & EVP_CIPH_FLAG_AEAD_CIPHER
) != 0,
1264 for (ctr
= 0; ctr
< n_recs
; ctr
++) {
1265 recs
[ctr
].length
-= pad
;
1275 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
1276 * which ssl3_cbc_digest_record supports.
1278 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX
*ctx
)
1280 switch (EVP_MD_CTX_get_type(ctx
)) {
1293 int n_ssl3_mac(SSL
*ssl
, SSL3_RECORD
*rec
, unsigned char *md
, int sending
)
1295 unsigned char *mac_sec
, *seq
;
1296 const EVP_MD_CTX
*hash
;
1297 unsigned char *p
, rec_char
;
1303 mac_sec
= &(ssl
->s3
.write_mac_secret
[0]);
1304 seq
= RECORD_LAYER_get_write_sequence(&ssl
->rlayer
);
1305 hash
= ssl
->write_hash
;
1307 mac_sec
= &(ssl
->s3
.read_mac_secret
[0]);
1308 seq
= RECORD_LAYER_get_read_sequence(&ssl
->rlayer
);
1309 hash
= ssl
->read_hash
;
1312 t
= EVP_MD_CTX_get_size(hash
);
1316 npad
= (48 / md_size
) * md_size
;
1319 && EVP_CIPHER_CTX_get_mode(ssl
->enc_read_ctx
) == EVP_CIPH_CBC_MODE
1320 && ssl3_cbc_record_digest_supported(hash
)) {
1321 #ifdef OPENSSL_NO_DEPRECATED_3_0
1325 * This is a CBC-encrypted record. We must avoid leaking any
1326 * timing-side channel information about how many blocks of data we
1327 * are hashing because that gives an attacker a timing-oracle.
1331 * npad is, at most, 48 bytes and that's with MD5:
1332 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
1334 * With SHA-1 (the largest hash speced for SSLv3) the hash size
1335 * goes up 4, but npad goes down by 8, resulting in a smaller
1338 unsigned char header
[75];
1340 memcpy(header
+ j
, mac_sec
, md_size
);
1342 memcpy(header
+ j
, ssl3_pad_1
, npad
);
1344 memcpy(header
+ j
, seq
, 8);
1346 header
[j
++] = rec
->type
;
1347 header
[j
++] = (unsigned char)(rec
->length
>> 8);
1348 header
[j
++] = (unsigned char)(rec
->length
& 0xff);
1350 /* Final param == is SSLv3 */
1351 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash
),
1354 rec
->length
, rec
->orig_len
,
1355 mac_sec
, md_size
, 1) <= 0)
1359 unsigned int md_size_u
;
1360 /* Chop the digest off the end :-) */
1361 EVP_MD_CTX
*md_ctx
= EVP_MD_CTX_new();
1366 rec_char
= rec
->type
;
1368 s2n(rec
->length
, p
);
1369 if (EVP_MD_CTX_copy_ex(md_ctx
, hash
) <= 0
1370 || EVP_DigestUpdate(md_ctx
, mac_sec
, md_size
) <= 0
1371 || EVP_DigestUpdate(md_ctx
, ssl3_pad_1
, npad
) <= 0
1372 || EVP_DigestUpdate(md_ctx
, seq
, 8) <= 0
1373 || EVP_DigestUpdate(md_ctx
, &rec_char
, 1) <= 0
1374 || EVP_DigestUpdate(md_ctx
, md
, 2) <= 0
1375 || EVP_DigestUpdate(md_ctx
, rec
->input
, rec
->length
) <= 0
1376 || EVP_DigestFinal_ex(md_ctx
, md
, NULL
) <= 0
1377 || EVP_MD_CTX_copy_ex(md_ctx
, hash
) <= 0
1378 || EVP_DigestUpdate(md_ctx
, mac_sec
, md_size
) <= 0
1379 || EVP_DigestUpdate(md_ctx
, ssl3_pad_2
, npad
) <= 0
1380 || EVP_DigestUpdate(md_ctx
, md
, md_size
) <= 0
1381 || EVP_DigestFinal_ex(md_ctx
, md
, &md_size_u
) <= 0) {
1382 EVP_MD_CTX_free(md_ctx
);
1386 EVP_MD_CTX_free(md_ctx
);
1389 ssl3_record_sequence_update(seq
);
1393 int tls1_mac(SSL
*ssl
, SSL3_RECORD
*rec
, unsigned char *md
, int sending
)
1399 EVP_MD_CTX
*hmac
= NULL
, *mac_ctx
;
1400 unsigned char header
[13];
1401 int stream_mac
= sending
? (ssl
->mac_flags
& SSL_MAC_FLAG_WRITE_MAC_STREAM
)
1402 : (ssl
->mac_flags
& SSL_MAC_FLAG_READ_MAC_STREAM
);
1403 int tlstree_mac
= sending
? (ssl
->mac_flags
& SSL_MAC_FLAG_WRITE_MAC_TLSTREE
)
1404 : (ssl
->mac_flags
& SSL_MAC_FLAG_READ_MAC_TLSTREE
);
1408 seq
= RECORD_LAYER_get_write_sequence(&ssl
->rlayer
);
1409 hash
= ssl
->write_hash
;
1411 seq
= RECORD_LAYER_get_read_sequence(&ssl
->rlayer
);
1412 hash
= ssl
->read_hash
;
1415 t
= EVP_MD_CTX_get_size(hash
);
1416 if (!ossl_assert(t
>= 0))
1420 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
1424 hmac
= EVP_MD_CTX_new();
1425 if (hmac
== NULL
|| !EVP_MD_CTX_copy(hmac
, hash
)) {
1426 EVP_MD_CTX_free(hmac
);
1432 if (!SSL_IS_DTLS(ssl
) && tlstree_mac
&& EVP_MD_CTX_ctrl(mac_ctx
, EVP_MD_CTRL_TLSTREE
, 0, seq
) <= 0) {
1433 EVP_MD_CTX_free(hmac
);
1437 if (SSL_IS_DTLS(ssl
)) {
1438 unsigned char dtlsseq
[8], *p
= dtlsseq
;
1440 s2n(sending
? DTLS_RECORD_LAYER_get_w_epoch(&ssl
->rlayer
) :
1441 DTLS_RECORD_LAYER_get_r_epoch(&ssl
->rlayer
), p
);
1442 memcpy(p
, &seq
[2], 6);
1444 memcpy(header
, dtlsseq
, 8);
1446 memcpy(header
, seq
, 8);
1448 header
[8] = rec
->type
;
1449 header
[9] = (unsigned char)(ssl
->version
>> 8);
1450 header
[10] = (unsigned char)(ssl
->version
);
1451 header
[11] = (unsigned char)(rec
->length
>> 8);
1452 header
[12] = (unsigned char)(rec
->length
& 0xff);
1454 if (!sending
&& !SSL_READ_ETM(ssl
)
1455 && EVP_CIPHER_CTX_get_mode(ssl
->enc_read_ctx
) == EVP_CIPH_CBC_MODE
1456 && ssl3_cbc_record_digest_supported(mac_ctx
)) {
1457 OSSL_PARAM tls_hmac_params
[2], *p
= tls_hmac_params
;
1459 *p
++ = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE
,
1461 *p
++ = OSSL_PARAM_construct_end();
1463 if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_get_pkey_ctx(mac_ctx
),
1468 if (EVP_DigestSignUpdate(mac_ctx
, header
, sizeof(header
)) <= 0
1469 || EVP_DigestSignUpdate(mac_ctx
, rec
->input
, rec
->length
) <= 0
1470 || EVP_DigestSignFinal(mac_ctx
, md
, &md_size
) <= 0) {
1471 EVP_MD_CTX_free(hmac
);
1475 EVP_MD_CTX_free(hmac
);
1477 OSSL_TRACE_BEGIN(TLS
) {
1478 BIO_printf(trc_out
, "seq:\n");
1479 BIO_dump_indent(trc_out
, seq
, 8, 4);
1480 BIO_printf(trc_out
, "rec:\n");
1481 BIO_dump_indent(trc_out
, rec
->data
, rec
->length
, 4);
1482 } OSSL_TRACE_END(TLS
);
1484 if (!SSL_IS_DTLS(ssl
)) {
1485 for (i
= 7; i
>= 0; i
--) {
1491 OSSL_TRACE_BEGIN(TLS
) {
1492 BIO_printf(trc_out
, "md:\n");
1493 BIO_dump_indent(trc_out
, md
, md_size
, 4);
1494 } OSSL_TRACE_END(TLS
);
1498 int dtls1_process_record(SSL
*s
, DTLS1_BITMAP
*bitmap
)
1505 size_t mac_size
= 0;
1506 unsigned char md
[EVP_MAX_MD_SIZE
];
1507 size_t max_plain_length
= SSL3_RT_MAX_PLAIN_LENGTH
;
1508 SSL_MAC_BUF macbuf
= { NULL
, 0 };
1511 rr
= RECORD_LAYER_get_rrec(&s
->rlayer
);
1515 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
1516 * and we have that many bytes in s->packet
1518 rr
->input
= &(RECORD_LAYER_get_packet(&s
->rlayer
)[DTLS1_RT_HEADER_LENGTH
]);
1521 * ok, we can now read from 's->packet' data into 'rr' rr->input points
1522 * at rr->length bytes, which need to be copied into rr->data by either
1523 * the decryption or by the decompression When the data is 'copied' into
1524 * the rr->data buffer, rr->input will be pointed at the new buffer
1528 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
1529 * bytes of encrypted compressed stuff.
1532 /* check is not needed I believe */
1533 if (rr
->length
> SSL3_RT_MAX_ENCRYPTED_LENGTH
) {
1534 SSLfatal(s
, SSL_AD_RECORD_OVERFLOW
, SSL_R_ENCRYPTED_LENGTH_TOO_LONG
);
1538 /* decrypt in place in 'rr->input' */
1539 rr
->data
= rr
->input
;
1540 rr
->orig_len
= rr
->length
;
1542 if (s
->read_hash
!= NULL
) {
1543 const EVP_MD
*tmpmd
= EVP_MD_CTX_get0_md(s
->read_hash
);
1545 if (tmpmd
!= NULL
) {
1546 imac_size
= EVP_MD_get_size(tmpmd
);
1547 if (!ossl_assert(imac_size
>= 0 && imac_size
<= EVP_MAX_MD_SIZE
)) {
1548 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
1551 mac_size
= (size_t)imac_size
;
1555 if (SSL_READ_ETM(s
) && s
->read_hash
) {
1558 if (rr
->orig_len
< mac_size
) {
1559 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_TOO_SHORT
);
1562 rr
->length
-= mac_size
;
1563 mac
= rr
->data
+ rr
->length
;
1564 i
= s
->method
->ssl3_enc
->mac(s
, rr
, md
, 0 /* not send */ );
1565 if (i
== 0 || CRYPTO_memcmp(md
, mac
, (size_t)mac_size
) != 0) {
1566 SSLfatal(s
, SSL_AD_BAD_RECORD_MAC
,
1567 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
1571 * We've handled the mac now - there is no MAC inside the encrypted
1578 * Set a mark around the packet decryption attempt. This is DTLS, so
1579 * bad packets are just ignored, and we don't want to leave stray
1580 * errors in the queue from processing bogus junk that we ignored.
1583 enc_err
= s
->method
->ssl3_enc
->enc(s
, rr
, 1, 0, &macbuf
, mac_size
);
1587 * 0: if the record is publicly invalid, or an internal error, or AEAD
1588 * decryption failed, or ETM decryption failed.
1589 * 1: Success or MTE decryption failed (MAC will be randomised)
1593 if (ossl_statem_in_error(s
)) {
1594 /* SSLfatal() got called */
1597 /* For DTLS we simply ignore bad packets. */
1599 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
1602 ERR_clear_last_mark();
1603 OSSL_TRACE_BEGIN(TLS
) {
1604 BIO_printf(trc_out
, "dec %zd\n", rr
->length
);
1605 BIO_dump_indent(trc_out
, rr
->data
, rr
->length
, 4);
1606 } OSSL_TRACE_END(TLS
);
1608 /* r->length is now the compressed data plus mac */
1611 && (s
->enc_read_ctx
!= NULL
)
1612 && (EVP_MD_CTX_get0_md(s
->read_hash
) != NULL
)) {
1613 /* s->read_hash != NULL => mac_size != -1 */
1615 i
= s
->method
->ssl3_enc
->mac(s
, rr
, md
, 0 /* not send */ );
1616 if (i
== 0 || macbuf
.mac
== NULL
1617 || CRYPTO_memcmp(md
, macbuf
.mac
, mac_size
) != 0)
1619 if (rr
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
+ mac_size
)
1624 /* decryption failed, silently discard message */
1626 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
1630 /* r->length is now just compressed */
1631 if (s
->expand
!= NULL
) {
1632 if (rr
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
) {
1633 SSLfatal(s
, SSL_AD_RECORD_OVERFLOW
,
1634 SSL_R_COMPRESSED_LENGTH_TOO_LONG
);
1637 if (!ssl3_do_uncompress(s
, rr
)) {
1638 SSLfatal(s
, SSL_AD_DECOMPRESSION_FAILURE
, SSL_R_BAD_DECOMPRESSION
);
1643 /* use current Max Fragment Length setting if applicable */
1644 if (s
->session
!= NULL
&& USE_MAX_FRAGMENT_LENGTH_EXT(s
->session
))
1645 max_plain_length
= GET_MAX_FRAGMENT_LENGTH(s
->session
);
1647 /* send overflow if the plaintext is too long now it has passed MAC */
1648 if (rr
->length
> max_plain_length
) {
1649 SSLfatal(s
, SSL_AD_RECORD_OVERFLOW
, SSL_R_DATA_LENGTH_TOO_LONG
);
1655 * So at this point the following is true
1656 * ssl->s3.rrec.type is the type of record
1657 * ssl->s3.rrec.length == number of bytes in record
1658 * ssl->s3.rrec.off == offset to first valid byte
1659 * ssl->s3.rrec.data == where to take bytes from, increment
1663 /* we have pulled in a full packet so zero things */
1664 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
1666 /* Mark receipt of record. */
1667 dtls1_record_bitmap_update(s
, bitmap
);
1672 OPENSSL_free(macbuf
.mac
);
1677 * Retrieve a buffered record that belongs to the current epoch, i.e. processed
1679 #define dtls1_get_processed_record(s) \
1680 dtls1_retrieve_buffered_record((s), \
1681 &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer)))
1684 * Call this to get a new input record.
1685 * It will return <= 0 if more data is needed, normally due to an error
1686 * or non-blocking IO.
1687 * When it finishes, one packet has been decoded and can be found in
1688 * ssl->s3.rrec.type - is the type of record
1689 * ssl->s3.rrec.data - data
1690 * ssl->s3.rrec.length - number of bytes
1692 /* used only by dtls1_read_bytes */
1693 int dtls1_get_record(SSL
*s
)
1695 int ssl_major
, ssl_minor
;
1699 unsigned char *p
= NULL
;
1700 unsigned short version
;
1701 DTLS1_BITMAP
*bitmap
;
1702 unsigned int is_next_epoch
;
1704 rr
= RECORD_LAYER_get_rrec(&s
->rlayer
);
1708 * The epoch may have changed. If so, process all the pending records.
1709 * This is a non-blocking operation.
1711 if (!dtls1_process_buffered_records(s
)) {
1712 /* SSLfatal() already called */
1716 /* if we're renegotiating, then there may be buffered records */
1717 if (dtls1_get_processed_record(s
))
1720 /* get something from the wire */
1722 /* check if we have the header */
1723 if ((RECORD_LAYER_get_rstate(&s
->rlayer
) != SSL_ST_READ_BODY
) ||
1724 (RECORD_LAYER_get_packet_length(&s
->rlayer
) < DTLS1_RT_HEADER_LENGTH
)) {
1725 rret
= ssl3_read_n(s
, DTLS1_RT_HEADER_LENGTH
,
1726 SSL3_BUFFER_get_len(&s
->rlayer
.rbuf
), 0, 1, &n
);
1727 /* read timeout is handled by dtls1_read_bytes */
1729 /* SSLfatal() already called if appropriate */
1730 return rret
; /* error or non-blocking */
1733 /* this packet contained a partial record, dump it */
1734 if (RECORD_LAYER_get_packet_length(&s
->rlayer
) !=
1735 DTLS1_RT_HEADER_LENGTH
) {
1736 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
1740 RECORD_LAYER_set_rstate(&s
->rlayer
, SSL_ST_READ_BODY
);
1742 p
= RECORD_LAYER_get_packet(&s
->rlayer
);
1744 if (s
->msg_callback
)
1745 s
->msg_callback(0, 0, SSL3_RT_HEADER
, p
, DTLS1_RT_HEADER_LENGTH
,
1746 s
, s
->msg_callback_arg
);
1748 /* Pull apart the header into the DTLS1_RECORD */
1752 version
= (ssl_major
<< 8) | ssl_minor
;
1754 /* sequence number is 64 bits, with top 2 bytes = epoch */
1757 memcpy(&(RECORD_LAYER_get_read_sequence(&s
->rlayer
)[2]), p
, 6);
1764 * Lets check the version. We tolerate alerts that don't have the exact
1765 * version number (e.g. because of protocol version errors)
1767 if (!s
->first_packet
&& rr
->type
!= SSL3_RT_ALERT
) {
1768 if (version
!= s
->version
) {
1769 /* unexpected version, silently discard */
1772 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
1777 if ((version
& 0xff00) != (s
->version
& 0xff00)) {
1778 /* wrong version, silently discard record */
1781 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
1785 if (rr
->length
> SSL3_RT_MAX_ENCRYPTED_LENGTH
) {
1786 /* record too long, silently discard it */
1789 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
1793 /* If received packet overflows own-client Max Fragment Length setting */
1794 if (s
->session
!= NULL
&& USE_MAX_FRAGMENT_LENGTH_EXT(s
->session
)
1795 && rr
->length
> GET_MAX_FRAGMENT_LENGTH(s
->session
) + SSL3_RT_MAX_ENCRYPTED_OVERHEAD
) {
1796 /* record too long, silently discard it */
1799 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
1803 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
1806 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
1809 RECORD_LAYER_get_packet_length(&s
->rlayer
) - DTLS1_RT_HEADER_LENGTH
) {
1810 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
1812 rret
= ssl3_read_n(s
, more
, more
, 1, 1, &n
);
1813 /* this packet contained a partial record, dump it */
1814 if (rret
<= 0 || n
!= more
) {
1815 if (ossl_statem_in_error(s
)) {
1816 /* ssl3_read_n() called SSLfatal() */
1821 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
1826 * now n == rr->length, and s->packet_length ==
1827 * DTLS1_RT_HEADER_LENGTH + rr->length
1830 /* set state for later operations */
1831 RECORD_LAYER_set_rstate(&s
->rlayer
, SSL_ST_READ_HEADER
);
1833 /* match epochs. NULL means the packet is dropped on the floor */
1834 bitmap
= dtls1_get_bitmap(s
, rr
, &is_next_epoch
);
1835 if (bitmap
== NULL
) {
1837 RECORD_LAYER_reset_packet_length(&s
->rlayer
); /* dump this record */
1838 goto again
; /* get another record */
1840 #ifndef OPENSSL_NO_SCTP
1841 /* Only do replay check if no SCTP bio */
1842 if (!BIO_dgram_is_sctp(SSL_get_rbio(s
))) {
1844 /* Check whether this is a repeat, or aged record. */
1845 if (!dtls1_record_replay_check(s
, bitmap
)) {
1848 RECORD_LAYER_reset_packet_length(&s
->rlayer
); /* dump this record */
1849 goto again
; /* get another record */
1851 #ifndef OPENSSL_NO_SCTP
1855 /* just read a 0 length packet */
1856 if (rr
->length
== 0) {
1862 * If this record is from the next epoch (either HM or ALERT), and a
1863 * handshake is currently in progress, buffer it since it cannot be
1864 * processed at this time.
1866 if (is_next_epoch
) {
1867 if ((SSL_in_init(s
) || ossl_statem_get_in_handshake(s
))) {
1868 if (dtls1_buffer_record (s
,
1869 &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s
->rlayer
)),
1871 /* SSLfatal() already called */
1877 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
1881 if (!dtls1_process_record(s
, bitmap
)) {
1882 if (ossl_statem_in_error(s
)) {
1883 /* dtls1_process_record() called SSLfatal */
1888 RECORD_LAYER_reset_packet_length(&s
->rlayer
); /* dump this record */
1889 goto again
; /* get another record */
1896 int dtls_buffer_listen_record(SSL
*s
, size_t len
, unsigned char *seq
, size_t off
)
1900 rr
= RECORD_LAYER_get_rrec(&s
->rlayer
);
1901 memset(rr
, 0, sizeof(SSL3_RECORD
));
1904 rr
->type
= SSL3_RT_HANDSHAKE
;
1905 memcpy(rr
->seq_num
, seq
, sizeof(rr
->seq_num
));
1908 s
->rlayer
.packet
= RECORD_LAYER_get_rbuf(&s
->rlayer
)->buf
;
1909 s
->rlayer
.packet_length
= DTLS1_RT_HEADER_LENGTH
+ len
;
1910 rr
->data
= s
->rlayer
.packet
+ DTLS1_RT_HEADER_LENGTH
;
1912 if (dtls1_buffer_record(s
, &(s
->rlayer
.d
->processed_rcds
),
1913 SSL3_RECORD_get_seq_num(s
->rlayer
.rrec
)) <= 0) {
1914 /* SSLfatal() already called */