1 /* ssl/record/ssl3_record.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
112 #include "../ssl_locl.h"
113 #include "internal/constant_time_locl.h"
114 #include <openssl/rand.h>
115 #include "record_locl.h"
117 static const unsigned char ssl3_pad_1[48] = {
118 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
119 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
120 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
121 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
122 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
123 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
126 static const unsigned char ssl3_pad_2[48] = {
127 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
128 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
129 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
130 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
131 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
132 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
135 void SSL3_RECORD_clear(SSL3_RECORD *r)
137 memset(r->seq_num, 0, sizeof(r->seq_num));
140 void SSL3_RECORD_release(SSL3_RECORD *r)
142 OPENSSL_free(r->comp);
146 int SSL3_RECORD_setup(SSL3_RECORD *r)
149 r->comp = (unsigned char *)
150 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
156 void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
158 memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
162 * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
163 * will be processed per call to ssl3_get_record. Without this limit an
164 * attacker could send empty records at a faster rate than we can process and
165 * cause ssl3_get_record to loop forever.
167 #define MAX_EMPTY_RECORDS 32
169 #define SSL2_RT_HEADER_LENGTH 2
171 * Call this to get a new input record.
172 * It will return <= 0 if more data is needed, normally due to an error
173 * or non-blocking IO.
174 * When it finishes, one packet has been decoded and can be found in
175 * ssl->s3->rrec.type - is the type of record
176 * ssl->s3->rrec.data, - data
177 * ssl->s3->rrec.length, - number of bytes
179 /* used only by ssl3_read_bytes */
180 int ssl3_get_record(SSL *s)
182 int ssl_major, ssl_minor, al;
183 int enc_err, n, i, ret = -1;
187 unsigned char md[EVP_MAX_MD_SIZE];
191 unsigned empty_record_count = 0;
193 rr = RECORD_LAYER_get_rrec(&s->rlayer);
196 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
197 extra = SSL3_RT_MAX_EXTRA;
200 if (extra && !s->s3->init_extra) {
202 * An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER set after
203 * ssl3_setup_buffers() was done
205 SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
210 /* check if we have the header */
211 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
212 (RECORD_LAYER_get_packet_length(&s->rlayer) < SSL3_RT_HEADER_LENGTH)) {
213 n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
214 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0);
216 return (n); /* error or non-blocking */
217 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
219 p = RECORD_LAYER_get_packet(&s->rlayer);
222 * Check whether this is a regular record or an SSLv2 style record. The
223 * latter is only used in an initial ClientHello for old clients.
225 if (s->first_packet && s->server && !s->read_hash && !s->enc_read_ctx
226 && (p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
227 /* SSLv2 style record */
229 s->msg_callback(0, SSL2_VERSION, 0, p + 2,
230 RECORD_LAYER_get_packet_length(&s->rlayer) - 2,
231 s, s->msg_callback_arg);
233 rr->type = SSL3_RT_HANDSHAKE;
234 rr->rec_version = SSL2_VERSION;
236 rr->length = ((p[0] & 0x7f) << 8) | p[1];
238 if (rr->length > SSL3_BUFFER_get_len(&s->rlayer.rbuf)
239 - SSL2_RT_HEADER_LENGTH) {
240 al = SSL_AD_RECORD_OVERFLOW;
241 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
245 if (rr->length < MIN_SSL2_RECORD_LEN) {
246 al = SSL_AD_HANDSHAKE_FAILURE;
247 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
251 /* SSLv3+ style record */
253 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
254 s->msg_callback_arg);
256 /* Pull apart the header into the SSL3_RECORD */
260 version = (ssl_major << 8) | ssl_minor;
261 rr->rec_version = version;
264 /* Lets check version */
265 if (!s->first_packet) {
266 if (version != s->version
267 && s->method->version != TLS_ANY_VERSION) {
268 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
269 if ((s->version & 0xFF00) == (version & 0xFF00)
270 && !s->enc_write_ctx && !s->write_hash)
272 * Send back error using their minor version number :-)
274 s->version = (unsigned short)version;
275 al = SSL_AD_PROTOCOL_VERSION;
280 if ((version >> 8) != SSL3_VERSION_MAJOR) {
281 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
286 SSL3_BUFFER_get_len(&s->rlayer.rbuf)
287 - SSL3_RT_HEADER_LENGTH) {
288 al = SSL_AD_RECORD_OVERFLOW;
289 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
294 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
298 * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data.
299 * Calculate how much more data we need to read for the rest of the record
301 if (rr->rec_version == SSL2_VERSION) {
302 i = rr->length + SSL2_RT_HEADER_LENGTH - SSL3_RT_HEADER_LENGTH;
307 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
309 n = ssl3_read_n(s, i, i, 1);
311 return (n); /* error or non-blocking io */
313 * now n == rr->length, and
314 * s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length
316 * s->packet_length == SSL2_RT_HEADER_LENGTH + rr->length
323 /* set state for later operations */
324 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
327 * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length,
328 * or s->packet_length == SSL2_RT_HEADER_LENGTH + rr->length
329 * and we have that many bytes in s->packet
331 if(rr->rec_version == SSL2_VERSION) {
332 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL2_RT_HEADER_LENGTH]);
334 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
338 * ok, we can now read from 's->packet' data into 'rr' rr->input points
339 * at rr->length bytes, which need to be copied into rr->data by either
340 * the decryption or by the decompression When the data is 'copied' into
341 * the rr->data buffer, rr->input will be pointed at the new buffer
345 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
346 * bytes of encrypted compressed stuff.
349 /* check is not needed I believe */
350 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
351 al = SSL_AD_RECORD_OVERFLOW;
352 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
356 /* decrypt in place in 'rr->input' */
357 rr->data = rr->input;
358 rr->orig_len = rr->length;
360 * If in encrypt-then-mac mode calculate mac from encrypted record. All
361 * the details below are public so no timing details can leak.
363 if (SSL_USE_ETM(s) && s->read_hash) {
365 mac_size = EVP_MD_CTX_size(s->read_hash);
366 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
367 if (rr->length < mac_size) {
368 al = SSL_AD_DECODE_ERROR;
369 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
372 rr->length -= mac_size;
373 mac = rr->data + rr->length;
374 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
375 if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
376 al = SSL_AD_BAD_RECORD_MAC;
377 SSLerr(SSL_F_SSL3_GET_RECORD,
378 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
383 enc_err = s->method->ssl3_enc->enc(s, 0);
386 * 0: (in non-constant time) if the record is publically invalid.
387 * 1: if the padding is valid
388 * -1: if the padding is invalid
391 al = SSL_AD_DECRYPTION_FAILED;
392 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
396 printf("dec %d\n", rr->length);
399 for (z = 0; z < rr->length; z++)
400 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
405 /* r->length is now the compressed data plus mac */
406 if ((sess != NULL) &&
407 (s->enc_read_ctx != NULL) &&
408 (EVP_MD_CTX_md(s->read_hash) != NULL) && !SSL_USE_ETM(s)) {
409 /* s->read_hash != NULL => mac_size != -1 */
410 unsigned char *mac = NULL;
411 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
412 mac_size = EVP_MD_CTX_size(s->read_hash);
413 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
416 * orig_len is the length of the record before any padding was
417 * removed. This is public information, as is the MAC in use,
418 * therefore we can safely process the record in a different amount
419 * of time if it's too short to possibly contain a MAC.
421 if (rr->orig_len < mac_size ||
422 /* CBC records must have a padding length byte too. */
423 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
424 rr->orig_len < mac_size + 1)) {
425 al = SSL_AD_DECODE_ERROR;
426 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
430 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
432 * We update the length so that the TLS header bytes can be
433 * constructed correctly but we need to extract the MAC in
434 * constant time from within the record, without leaking the
435 * contents of the padding bytes.
438 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
439 rr->length -= mac_size;
442 * In this case there's no padding, so |rec->orig_len| equals
443 * |rec->length| and we checked that there's enough bytes for
446 rr->length -= mac_size;
447 mac = &rr->data[rr->length];
450 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
451 if (i < 0 || mac == NULL
452 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
454 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra + mac_size)
460 * A separate 'decryption_failed' alert was introduced with TLS 1.0,
461 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
462 * failure is directly visible from the ciphertext anyway, we should
463 * not reveal which kind of error occurred -- this might become
464 * visible to an attacker (e.g. via a logfile)
466 al = SSL_AD_BAD_RECORD_MAC;
467 SSLerr(SSL_F_SSL3_GET_RECORD,
468 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
472 /* r->length is now just compressed */
473 if (s->expand != NULL) {
474 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra) {
475 al = SSL_AD_RECORD_OVERFLOW;
476 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
479 if (!ssl3_do_uncompress(s)) {
480 al = SSL_AD_DECOMPRESSION_FAILURE;
481 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
486 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH + extra) {
487 al = SSL_AD_RECORD_OVERFLOW;
488 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
494 * So at this point the following is true
495 * ssl->s3->rrec.type is the type of record
496 * ssl->s3->rrec.length == number of bytes in record
497 * ssl->s3->rrec.off == offset to first valid byte
498 * ssl->s3->rrec.data == where to take bytes from, increment
502 /* we have pulled in a full packet so zero things */
503 RECORD_LAYER_reset_packet_length(&s->rlayer);
505 /* just read a 0 length packet */
506 if (rr->length == 0) {
507 empty_record_count++;
508 if (empty_record_count > MAX_EMPTY_RECORDS) {
509 al = SSL_AD_UNEXPECTED_MESSAGE;
510 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
519 ssl3_send_alert(s, SSL3_AL_FATAL, al);
524 int ssl3_do_uncompress(SSL *ssl)
526 #ifndef OPENSSL_NO_COMP
530 rr = RECORD_LAYER_get_rrec(&ssl->rlayer);
531 i = COMP_expand_block(ssl->expand, rr->comp,
532 SSL3_RT_MAX_PLAIN_LENGTH, rr->data,
543 int ssl3_do_compress(SSL *ssl)
545 #ifndef OPENSSL_NO_COMP
549 wr = RECORD_LAYER_get_wrec(&ssl->rlayer);
550 i = COMP_compress_block(ssl->compress, wr->data,
551 SSL3_RT_MAX_COMPRESSED_LENGTH,
552 wr->input, (int)wr->length);
558 wr->input = wr->data;
564 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
567 * 0: (in non-constant time) if the record is publically invalid (i.e. too
569 * 1: if the record's padding is valid / the encryption was successful.
570 * -1: if the record's padding is invalid or, if sending, an internal error
573 int ssl3_enc(SSL *s, int send)
578 int bs, i, mac_size = 0;
579 const EVP_CIPHER *enc;
582 ds = s->enc_write_ctx;
583 rec = RECORD_LAYER_get_wrec(&s->rlayer);
584 if (s->enc_write_ctx == NULL)
587 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
589 ds = s->enc_read_ctx;
590 rec = RECORD_LAYER_get_rrec(&s->rlayer);
591 if (s->enc_read_ctx == NULL)
594 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
597 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
598 memmove(rec->data, rec->input, rec->length);
599 rec->input = rec->data;
602 bs = EVP_CIPHER_block_size(ds->cipher);
606 if ((bs != 1) && send) {
607 i = bs - ((int)l % bs);
609 /* we need to add 'i-1' padding bytes */
612 * the last of these zero bytes will be overwritten with the
615 memset(&rec->input[rec->length], 0, i);
617 rec->input[l - 1] = (i - 1);
621 if (l == 0 || l % bs != 0)
623 /* otherwise, rec->length >= bs */
626 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
629 if (EVP_MD_CTX_md(s->read_hash) != NULL)
630 mac_size = EVP_MD_CTX_size(s->read_hash);
631 if ((bs != 1) && !send)
632 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
638 * tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
641 * 0: (in non-constant time) if the record is publically invalid (i.e. too
643 * 1: if the record's padding is valid / the encryption was successful.
644 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
645 * an internal error occurred.
647 int tls1_enc(SSL *s, int send)
652 int bs, i, j, k, pad = 0, ret, mac_size = 0;
653 const EVP_CIPHER *enc;
656 if (EVP_MD_CTX_md(s->write_hash)) {
657 int n = EVP_MD_CTX_size(s->write_hash);
658 OPENSSL_assert(n >= 0);
660 ds = s->enc_write_ctx;
661 rec = RECORD_LAYER_get_wrec(&s->rlayer);
662 if (s->enc_write_ctx == NULL)
666 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
667 /* For TLSv1.1 and later explicit IV */
668 if (SSL_USE_EXPLICIT_IV(s)
669 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
670 ivlen = EVP_CIPHER_iv_length(enc);
674 if (rec->data != rec->input)
676 * we can't write into the input stream: Can this ever
680 "%s:%d: rec->data != rec->input\n",
682 else if (RAND_bytes(rec->input, ivlen) <= 0)
687 if (EVP_MD_CTX_md(s->read_hash)) {
688 int n = EVP_MD_CTX_size(s->read_hash);
689 OPENSSL_assert(n >= 0);
691 ds = s->enc_read_ctx;
692 rec = RECORD_LAYER_get_rrec(&s->rlayer);
693 if (s->enc_read_ctx == NULL)
696 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
699 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
700 memmove(rec->data, rec->input, rec->length);
701 rec->input = rec->data;
705 bs = EVP_CIPHER_block_size(ds->cipher);
707 if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
708 unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq;
710 seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
711 : RECORD_LAYER_get_read_sequence(&s->rlayer);
713 if (SSL_IS_DTLS(s)) {
714 unsigned char dtlsseq[9], *p = dtlsseq;
716 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
717 DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
718 memcpy(p, &seq[2], 6);
719 memcpy(buf, dtlsseq, 8);
722 for (i = 7; i >= 0; i--) { /* increment */
730 buf[9] = (unsigned char)(s->version >> 8);
731 buf[10] = (unsigned char)(s->version);
732 buf[11] = rec->length >> 8;
733 buf[12] = rec->length & 0xff;
734 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
735 EVP_AEAD_TLS1_AAD_LEN, buf);
742 } else if ((bs != 1) && send) {
743 i = bs - ((int)l % bs);
745 /* Add weird padding of upto 256 bytes */
747 /* we need to add 'i' padding bytes of value j */
749 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
750 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
753 for (k = (int)l; k < (int)(l + i); k++)
760 if (l == 0 || l % bs != 0)
764 i = EVP_Cipher(ds, rec->data, rec->input, l);
765 if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER)
768 return -1; /* AEAD can fail to verify MAC */
769 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
770 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
771 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
772 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
776 if (!SSL_USE_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)
777 mac_size = EVP_MD_CTX_size(s->read_hash);
778 if ((bs != 1) && !send)
779 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
786 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
789 unsigned char *mac_sec, *seq;
791 const EVP_MD_CTX *hash;
792 unsigned char *p, rec_char;
798 rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
799 mac_sec = &(ssl->s3->write_mac_secret[0]);
800 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
801 hash = ssl->write_hash;
803 rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
804 mac_sec = &(ssl->s3->read_mac_secret[0]);
805 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
806 hash = ssl->read_hash;
809 t = EVP_MD_CTX_size(hash);
813 npad = (48 / md_size) * md_size;
816 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
817 ssl3_cbc_record_digest_supported(hash)) {
819 * This is a CBC-encrypted record. We must avoid leaking any
820 * timing-side channel information about how many blocks of data we
821 * are hashing because that gives an attacker a timing-oracle.
825 * npad is, at most, 48 bytes and that's with MD5:
826 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
828 * With SHA-1 (the largest hash speced for SSLv3) the hash size
829 * goes up 4, but npad goes down by 8, resulting in a smaller
832 unsigned char header[75];
834 memcpy(header + j, mac_sec, md_size);
836 memcpy(header + j, ssl3_pad_1, npad);
838 memcpy(header + j, seq, 8);
840 header[j++] = rec->type;
841 header[j++] = rec->length >> 8;
842 header[j++] = rec->length & 0xff;
844 /* Final param == is SSLv3 */
845 ssl3_cbc_digest_record(hash,
848 rec->length + md_size, rec->orig_len,
849 mac_sec, md_size, 1);
851 unsigned int md_size_u;
852 /* Chop the digest off the end :-) */
853 EVP_MD_CTX_init(&md_ctx);
855 EVP_MD_CTX_copy_ex(&md_ctx, hash);
856 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
857 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
858 EVP_DigestUpdate(&md_ctx, seq, 8);
859 rec_char = rec->type;
860 EVP_DigestUpdate(&md_ctx, &rec_char, 1);
863 EVP_DigestUpdate(&md_ctx, md, 2);
864 EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
865 EVP_DigestFinal_ex(&md_ctx, md, NULL);
867 EVP_MD_CTX_copy_ex(&md_ctx, hash);
868 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
869 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
870 EVP_DigestUpdate(&md_ctx, md, md_size);
871 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
874 EVP_MD_CTX_cleanup(&md_ctx);
877 ssl3_record_sequence_update(seq);
881 int tls1_mac(SSL *ssl, unsigned char *md, int send)
888 EVP_MD_CTX hmac, *mac_ctx;
889 unsigned char header[13];
890 int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
891 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
895 rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
896 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer);
897 hash = ssl->write_hash;
899 rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
900 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer);
901 hash = ssl->read_hash;
904 t = EVP_MD_CTX_size(hash);
905 OPENSSL_assert(t >= 0);
908 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
912 if (!EVP_MD_CTX_copy(&hmac, hash))
917 if (SSL_IS_DTLS(ssl)) {
918 unsigned char dtlsseq[8], *p = dtlsseq;
920 s2n(send ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
921 DTLS_RECORD_LAYER_get_r_epoch(&ssl->rlayer), p);
922 memcpy(p, &seq[2], 6);
924 memcpy(header, dtlsseq, 8);
926 memcpy(header, seq, 8);
928 header[8] = rec->type;
929 header[9] = (unsigned char)(ssl->version >> 8);
930 header[10] = (unsigned char)(ssl->version);
931 header[11] = (rec->length) >> 8;
932 header[12] = (rec->length) & 0xff;
934 if (!send && !SSL_USE_ETM(ssl) &&
935 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
936 ssl3_cbc_record_digest_supported(mac_ctx)) {
938 * This is a CBC-encrypted record. We must avoid leaking any
939 * timing-side channel information about how many blocks of data we
940 * are hashing because that gives an attacker a timing-oracle.
942 /* Final param == not SSLv3 */
943 ssl3_cbc_digest_record(mac_ctx,
946 rec->length + md_size, rec->orig_len,
947 ssl->s3->read_mac_secret,
948 ssl->s3->read_mac_secret_size, 0);
950 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
951 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
952 t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
953 OPENSSL_assert(t > 0);
954 if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
955 tls_fips_digest_extra(ssl->enc_read_ctx,
957 rec->length, rec->orig_len);
961 EVP_MD_CTX_cleanup(&hmac);
963 fprintf(stderr, "seq=");
966 for (z = 0; z < 8; z++)
967 fprintf(stderr, "%02X ", seq[z]);
968 fprintf(stderr, "\n");
970 fprintf(stderr, "rec=");
973 for (z = 0; z < rec->length; z++)
974 fprintf(stderr, "%02X ", rec->data[z]);
975 fprintf(stderr, "\n");
979 if (!SSL_IS_DTLS(ssl)) {
980 for (i = 7; i >= 0; i--) {
989 for (z = 0; z < md_size; z++)
990 fprintf(stderr, "%02X ", md[z]);
991 fprintf(stderr, "\n");
998 * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
999 * record in |rec| by updating |rec->length| in constant time.
1001 * block_size: the block size of the cipher used to encrypt the record.
1003 * 0: (in non-constant time) if the record is publicly invalid.
1004 * 1: if the padding was valid
1007 int ssl3_cbc_remove_padding(const SSL *s,
1009 unsigned block_size, unsigned mac_size)
1011 unsigned padding_length, good;
1012 const unsigned overhead = 1 /* padding length byte */ + mac_size;
1015 * These lengths are all public so we can test them in non-constant time.
1017 if (overhead > rec->length)
1020 padding_length = rec->data[rec->length - 1];
1021 good = constant_time_ge(rec->length, padding_length + overhead);
1022 /* SSLv3 requires that the padding is minimal. */
1023 good &= constant_time_ge(block_size, padding_length + 1);
1024 rec->length -= good & (padding_length + 1);
1025 return constant_time_select_int(good, 1, -1);
1029 * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
1030 * record in |rec| in constant time and returns 1 if the padding is valid and
1031 * -1 otherwise. It also removes any explicit IV from the start of the record
1032 * without leaking any timing about whether there was enough space after the
1033 * padding was removed.
1035 * block_size: the block size of the cipher used to encrypt the record.
1037 * 0: (in non-constant time) if the record is publicly invalid.
1038 * 1: if the padding was valid
1041 int tls1_cbc_remove_padding(const SSL *s,
1043 unsigned block_size, unsigned mac_size)
1045 unsigned padding_length, good, to_check, i;
1046 const unsigned overhead = 1 /* padding length byte */ + mac_size;
1047 /* Check if version requires explicit IV */
1048 if (SSL_USE_EXPLICIT_IV(s)) {
1050 * These lengths are all public so we can test them in non-constant
1053 if (overhead + block_size > rec->length)
1055 /* We can now safely skip explicit IV */
1056 rec->data += block_size;
1057 rec->input += block_size;
1058 rec->length -= block_size;
1059 rec->orig_len -= block_size;
1060 } else if (overhead > rec->length)
1063 padding_length = rec->data[rec->length - 1];
1066 * NB: if compression is in operation the first packet may not be of even
1067 * length so the padding bug check cannot be performed. This bug
1068 * workaround has been around since SSLeay so hopefully it is either
1069 * fixed now or no buggy implementation supports compression [steve]
1071 if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) {
1072 /* First packet is even in size, so check */
1073 if ((memcmp(RECORD_LAYER_get_read_sequence(&s->rlayer),
1074 "\0\0\0\0\0\0\0\0", 8) == 0) &&
1075 !(padding_length & 1)) {
1076 s->s3->flags |= TLS1_FLAGS_TLS_PADDING_BUG;
1078 if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) && padding_length > 0) {
1083 if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
1084 /* padding is already verified */
1085 rec->length -= padding_length + 1;
1089 good = constant_time_ge(rec->length, overhead + padding_length);
1091 * The padding consists of a length byte at the end of the record and
1092 * then that many bytes of padding, all with the same value as the length
1093 * byte. Thus, with the length byte included, there are i+1 bytes of
1094 * padding. We can't check just |padding_length+1| bytes because that
1095 * leaks decrypted information. Therefore we always have to check the
1096 * maximum amount of padding possible. (Again, the length of the record
1097 * is public information so we can use it.)
1099 to_check = 255; /* maximum amount of padding. */
1100 if (to_check > rec->length - 1)
1101 to_check = rec->length - 1;
1103 for (i = 0; i < to_check; i++) {
1104 unsigned char mask = constant_time_ge_8(padding_length, i);
1105 unsigned char b = rec->data[rec->length - 1 - i];
1107 * The final |padding_length+1| bytes should all have the value
1108 * |padding_length|. Therefore the XOR should be zero.
1110 good &= ~(mask & (padding_length ^ b));
1114 * If any of the final |padding_length+1| bytes had the wrong value, one
1115 * or more of the lower eight bits of |good| will be cleared.
1117 good = constant_time_eq(0xff, good & 0xff);
1118 rec->length -= good & (padding_length + 1);
1120 return constant_time_select_int(good, 1, -1);
1124 * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
1125 * constant time (independent of the concrete value of rec->length, which may
1126 * vary within a 256-byte window).
1128 * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
1132 * rec->orig_len >= md_size
1133 * md_size <= EVP_MAX_MD_SIZE
1135 * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
1136 * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
1137 * a single or pair of cache-lines, then the variable memory accesses don't
1138 * actually affect the timing. CPUs with smaller cache-lines [if any] are
1139 * not multi-core and are not considered vulnerable to cache-timing attacks.
1141 #define CBC_MAC_ROTATE_IN_PLACE
1143 void ssl3_cbc_copy_mac(unsigned char *out,
1144 const SSL3_RECORD *rec, unsigned md_size)
1146 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1147 unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
1148 unsigned char *rotated_mac;
1150 unsigned char rotated_mac[EVP_MAX_MD_SIZE];
1154 * mac_end is the index of |rec->data| just after the end of the MAC.
1156 unsigned mac_end = rec->length;
1157 unsigned mac_start = mac_end - md_size;
1159 * scan_start contains the number of bytes that we can ignore because the
1160 * MAC's position can only vary by 255 bytes.
1162 unsigned scan_start = 0;
1164 unsigned div_spoiler;
1165 unsigned rotate_offset;
1167 OPENSSL_assert(rec->orig_len >= md_size);
1168 OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
1170 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1171 rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
1174 /* This information is public so it's safe to branch based on it. */
1175 if (rec->orig_len > md_size + 255 + 1)
1176 scan_start = rec->orig_len - (md_size + 255 + 1);
1178 * div_spoiler contains a multiple of md_size that is used to cause the
1179 * modulo operation to be constant time. Without this, the time varies
1180 * based on the amount of padding when running on Intel chips at least.
1181 * The aim of right-shifting md_size is so that the compiler doesn't
1182 * figure out that it can remove div_spoiler as that would require it to
1183 * prove that md_size is always even, which I hope is beyond it.
1185 div_spoiler = md_size >> 1;
1186 div_spoiler <<= (sizeof(div_spoiler) - 1) * 8;
1187 rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
1189 memset(rotated_mac, 0, md_size);
1190 for (i = scan_start, j = 0; i < rec->orig_len; i++) {
1191 unsigned char mac_started = constant_time_ge_8(i, mac_start);
1192 unsigned char mac_ended = constant_time_ge_8(i, mac_end);
1193 unsigned char b = rec->data[i];
1194 rotated_mac[j++] |= b & mac_started & ~mac_ended;
1195 j &= constant_time_lt(j, md_size);
1198 /* Now rotate the MAC */
1199 #if defined(CBC_MAC_ROTATE_IN_PLACE)
1201 for (i = 0; i < md_size; i++) {
1202 /* in case cache-line is 32 bytes, touch second line */
1203 ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
1204 out[j++] = rotated_mac[rotate_offset++];
1205 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1208 memset(out, 0, md_size);
1209 rotate_offset = md_size - rotate_offset;
1210 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1211 for (i = 0; i < md_size; i++) {
1212 for (j = 0; j < md_size; j++)
1213 out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
1215 rotate_offset &= constant_time_lt(rotate_offset, md_size);
1220 int dtls1_process_record(SSL *s)
1226 unsigned int mac_size;
1227 unsigned char md[EVP_MAX_MD_SIZE];
1229 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1233 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
1234 * and we have that many bytes in s->packet
1236 rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]);
1239 * ok, we can now read from 's->packet' data into 'rr' rr->input points
1240 * at rr->length bytes, which need to be copied into rr->data by either
1241 * the decryption or by the decompression When the data is 'copied' into
1242 * the rr->data buffer, rr->input will be pointed at the new buffer
1246 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
1247 * bytes of encrypted compressed stuff.
1250 /* check is not needed I believe */
1251 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1252 al = SSL_AD_RECORD_OVERFLOW;
1253 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1257 /* decrypt in place in 'rr->input' */
1258 rr->data = rr->input;
1259 rr->orig_len = rr->length;
1261 enc_err = s->method->ssl3_enc->enc(s, 0);
1264 * 0: (in non-constant time) if the record is publically invalid.
1265 * 1: if the padding is valid
1266 * -1: if the padding is invalid
1269 /* For DTLS we simply ignore bad packets. */
1271 RECORD_LAYER_reset_packet_length(&s->rlayer);
1275 printf("dec %d\n", rr->length);
1278 for (z = 0; z < rr->length; z++)
1279 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
1284 /* r->length is now the compressed data plus mac */
1285 if ((sess != NULL) &&
1286 (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
1287 /* s->read_hash != NULL => mac_size != -1 */
1288 unsigned char *mac = NULL;
1289 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
1290 mac_size = EVP_MD_CTX_size(s->read_hash);
1291 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
1294 * orig_len is the length of the record before any padding was
1295 * removed. This is public information, as is the MAC in use,
1296 * therefore we can safely process the record in a different amount
1297 * of time if it's too short to possibly contain a MAC.
1299 if (rr->orig_len < mac_size ||
1300 /* CBC records must have a padding length byte too. */
1301 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1302 rr->orig_len < mac_size + 1)) {
1303 al = SSL_AD_DECODE_ERROR;
1304 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
1308 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
1310 * We update the length so that the TLS header bytes can be
1311 * constructed correctly but we need to extract the MAC in
1312 * constant time from within the record, without leaking the
1313 * contents of the padding bytes.
1316 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
1317 rr->length -= mac_size;
1320 * In this case there's no padding, so |rec->orig_len| equals
1321 * |rec->length| and we checked that there's enough bytes for
1324 rr->length -= mac_size;
1325 mac = &rr->data[rr->length];
1328 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
1329 if (i < 0 || mac == NULL
1330 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
1332 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
1337 /* decryption failed, silently discard message */
1339 RECORD_LAYER_reset_packet_length(&s->rlayer);
1343 /* r->length is now just compressed */
1344 if (s->expand != NULL) {
1345 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
1346 al = SSL_AD_RECORD_OVERFLOW;
1347 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,
1348 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1351 if (!ssl3_do_uncompress(s)) {
1352 al = SSL_AD_DECOMPRESSION_FAILURE;
1353 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
1358 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
1359 al = SSL_AD_RECORD_OVERFLOW;
1360 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
1366 * So at this point the following is true
1367 * ssl->s3->rrec.type is the type of record
1368 * ssl->s3->rrec.length == number of bytes in record
1369 * ssl->s3->rrec.off == offset to first valid byte
1370 * ssl->s3->rrec.data == where to take bytes from, increment
1374 /* we have pulled in a full packet so zero things */
1375 RECORD_LAYER_reset_packet_length(&s->rlayer);
1379 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1386 * retrieve a buffered record that belongs to the current epoch, ie,
1389 #define dtls1_get_processed_record(s) \
1390 dtls1_retrieve_buffered_record((s), \
1391 &(DTLS_RECORD_LAYER_get_processed_rcds(&s->rlayer)))
1394 * Call this to get a new input record.
1395 * It will return <= 0 if more data is needed, normally due to an error
1396 * or non-blocking IO.
1397 * When it finishes, one packet has been decoded and can be found in
1398 * ssl->s3->rrec.type - is the type of record
1399 * ssl->s3->rrec.data, - data
1400 * ssl->s3->rrec.length, - number of bytes
1402 /* used only by dtls1_read_bytes */
1403 int dtls1_get_record(SSL *s)
1405 int ssl_major, ssl_minor;
1408 unsigned char *p = NULL;
1409 unsigned short version;
1410 DTLS1_BITMAP *bitmap;
1411 unsigned int is_next_epoch;
1413 rr = RECORD_LAYER_get_rrec(&s->rlayer);
1416 * The epoch may have changed. If so, process all the pending records.
1417 * This is a non-blocking operation.
1419 if (dtls1_process_buffered_records(s) < 0)
1422 /* if we're renegotiating, then there may be buffered records */
1423 if (dtls1_get_processed_record(s))
1426 /* get something from the wire */
1428 /* check if we have the header */
1429 if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
1430 (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) {
1431 n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
1432 SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0);
1433 /* read timeout is handled by dtls1_read_bytes */
1435 return (n); /* error or non-blocking */
1437 /* this packet contained a partial record, dump it */
1438 if (RECORD_LAYER_get_packet_length(&s->rlayer) != DTLS1_RT_HEADER_LENGTH) {
1439 RECORD_LAYER_reset_packet_length(&s->rlayer);
1443 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
1445 p = RECORD_LAYER_get_packet(&s->rlayer);
1447 if (s->msg_callback)
1448 s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH,
1449 s, s->msg_callback_arg);
1451 /* Pull apart the header into the DTLS1_RECORD */
1455 version = (ssl_major << 8) | ssl_minor;
1457 /* sequence number is 64 bits, with top 2 bytes = epoch */
1460 memcpy(&(RECORD_LAYER_get_read_sequence(&s->rlayer)[2]), p, 6);
1465 /* Lets check version */
1466 if (!s->first_packet) {
1467 if (version != s->version) {
1468 /* unexpected version, silently discard */
1470 RECORD_LAYER_reset_packet_length(&s->rlayer);
1475 if ((version & 0xff00) != (s->version & 0xff00)) {
1476 /* wrong version, silently discard record */
1478 RECORD_LAYER_reset_packet_length(&s->rlayer);
1482 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
1483 /* record too long, silently discard it */
1485 RECORD_LAYER_reset_packet_length(&s->rlayer);
1489 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
1492 /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
1495 RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) {
1496 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
1498 n = ssl3_read_n(s, i, i, 1);
1499 /* this packet contained a partial record, dump it */
1502 RECORD_LAYER_reset_packet_length(&s->rlayer);
1507 * now n == rr->length, and s->packet_length ==
1508 * DTLS1_RT_HEADER_LENGTH + rr->length
1511 /* set state for later operations */
1512 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
1514 /* match epochs. NULL means the packet is dropped on the floor */
1515 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
1516 if (bitmap == NULL) {
1518 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1519 goto again; /* get another record */
1521 #ifndef OPENSSL_NO_SCTP
1522 /* Only do replay check if no SCTP bio */
1523 if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
1526 * Check whether this is a repeat, or aged record. Don't check if
1527 * we're listening and this message is a ClientHello. They can look
1528 * as if they're replayed, since they arrive from different
1529 * connections and would be dropped unnecessarily.
1531 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
1532 RECORD_LAYER_get_packet_length(&s->rlayer)
1533 > DTLS1_RT_HEADER_LENGTH &&
1534 RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]
1535 == SSL3_MT_CLIENT_HELLO) &&
1536 !dtls1_record_replay_check(s, bitmap)) {
1538 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1539 goto again; /* get another record */
1541 #ifndef OPENSSL_NO_SCTP
1545 /* just read a 0 length packet */
1546 if (rr->length == 0)
1550 * If this record is from the next epoch (either HM or ALERT), and a
1551 * handshake is currently in progress, buffer it since it cannot be
1552 * processed at this time. However, do not buffer anything while
1555 if (is_next_epoch) {
1556 if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) {
1557 if (dtls1_buffer_record
1558 (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
1561 /* Mark receipt of record. */
1562 dtls1_record_bitmap_update(s, bitmap);
1565 RECORD_LAYER_reset_packet_length(&s->rlayer);
1569 if (!dtls1_process_record(s)) {
1571 RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
1572 goto again; /* get another record */
1574 dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */