X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Frecord%2Fssl3_record.c;h=213f00104d488e8f6e1de7d6f48064532299c3ab;hb=921d84a0ad2e70ad91b6e1b06573e97162387f8a;hp=bba0cc0f0b42e856d6f565f6e0f36e8123a4cc1d;hpb=380a522f689252e7f19e0c44ea49461ec7bd040f;p=oweals%2Fopenssl.git diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index bba0cc0f0b..213f00104d 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,11 +7,11 @@ * https://www.openssl.org/source/license.html */ -#include #include "../ssl_locl.h" #include "internal/constant_time_locl.h" #include #include "record_locl.h" +#include "internal/cryptlib.h" static const unsigned char ssl3_pad_1[48] = { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, @@ -101,23 +101,32 @@ static int ssl3_record_app_data_waiting(SSL *s) return 1; } -int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) +int early_data_count_ok(SSL *s, size_t length, size_t overhead, int send) { uint32_t max_early_data = s->max_early_data; + SSL_SESSION *sess = s->session; /* * If we are a client then we always use the max_early_data from the - * session. Otherwise we go with the lowest out of the max early data set in - * the session and the configured max_early_data. + * session/psksession. Otherwise we go with the lowest out of the max early + * data set in the session and the configured max_early_data. */ - if (!s->server || (s->hit - && s->session->ext.max_early_data < s->max_early_data)) - max_early_data = s->session->ext.max_early_data; + if (!s->server && sess->ext.max_early_data == 0) { + if (!ossl_assert(s->psksession != NULL + && s->psksession->ext.max_early_data > 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_EARLY_DATA_COUNT_OK, + ERR_R_INTERNAL_ERROR); + return 0; + } + sess = s->psksession; + } + if (!s->server + || (s->hit && sess->ext.max_early_data < s->max_early_data)) + max_early_data = sess->ext.max_early_data; if (max_early_data == 0) { - if (al != NULL) - *al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); + SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); return 0; } @@ -125,9 +134,8 @@ int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) max_early_data += overhead; if (s->early_data_count + length > max_early_data) { - if (al != NULL) - *al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); + SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); return 0; } s->early_data_count += length; @@ -159,8 +167,7 @@ int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) /* used only by ssl3_read_bytes */ int ssl3_get_record(SSL *s) { - int al; - int enc_err, rret, ret = -1; + int enc_err, rret; int i; size_t more, n; SSL3_RECORD *rr, *thisrr; @@ -202,16 +209,16 @@ int ssl3_get_record(SSL *s) p = RECORD_LAYER_get_packet(&s->rlayer); if (!PACKET_buf_init(&pkt, RECORD_LAYER_get_packet(&s->rlayer), RECORD_LAYER_get_packet_length(&s->rlayer))) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } sslv2pkt = pkt; if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len) || !PACKET_get_1(&sslv2pkt, &type)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } /* * The first record received by the server may be a V2ClientHello. @@ -235,15 +242,15 @@ int ssl3_get_record(SSL *s) if (thisrr->length > SSL3_BUFFER_get_len(rbuf) - SSL2_RT_HEADER_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_PACKET_LENGTH_TOO_LONG); + return -1; } if (thisrr->length < MIN_SSL2_RECORD_LEN) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } } else { /* SSLv3+ style record */ @@ -255,17 +262,22 @@ int ssl3_get_record(SSL *s) if (!PACKET_get_1(&pkt, &type) || !PACKET_get_net_2(&pkt, &version) || !PACKET_get_net_2_len(&pkt, &thisrr->length)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } thisrr->type = type; thisrr->rec_version = version; - /* Lets check version. In TLSv1.3 we ignore this field */ + /* + * Lets check version. In TLSv1.3 we ignore this field. For the + * ServerHello after an HRR we haven't actually selected TLSv1.3 + * yet, but we still treat it as TLSv1.3, so we must check for + * that explicitly + */ if (!s->first_packet && !SSL_IS_TLS13(s) + && !s->hello_retry_request && version != (unsigned int)s->version) { - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER); if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) { if (thisrr->type == SSL3_RT_ALERT) { @@ -277,15 +289,18 @@ int ssl3_get_record(SSL *s) * shouldn't send a fatal alert back. We'll just * end. */ - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } /* * Send back error using their minor version number :-) */ s->version = (unsigned short)version; } - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } if ((version >> 8) != SSL3_VERSION_MAJOR) { @@ -297,38 +312,39 @@ int ssl3_get_record(SSL *s) strncmp((char *)p, "POST ", 5) == 0 || strncmp((char *)p, "HEAD ", 5) == 0 || strncmp((char *)p, "PUT ", 4) == 0) { - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_HTTP_REQUEST); + return -1; } else if (strncmp((char *)p, "CONNE", 5) == 0) { - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_HTTPS_PROXY_REQUEST); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_HTTPS_PROXY_REQUEST); + return -1; } /* Doesn't look like TLS - don't send an alert */ - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_WRONG_VERSION_NUMBER); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } else { - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_WRONG_VERSION_NUMBER); - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } } if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL && thisrr->type != SSL3_RT_APPLICATION_DATA) { - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); - al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); + return -1; } if (thisrr->length > SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_PACKET_LENGTH_TOO_LONG); + return -1; } } @@ -337,9 +353,9 @@ int ssl3_get_record(SSL *s) if (SSL_IS_TLS13(s)) { if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; } } else { size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH; @@ -354,9 +370,9 @@ int ssl3_get_record(SSL *s) #endif if (thisrr->length > len) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; } } @@ -436,29 +452,27 @@ int ssl3_get_record(SSL *s) unsigned char *mac; /* TODO(size_t): convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); - assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE); - if (imac_size < 0 || imac_size > EVP_MAX_MD_SIZE) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP); - goto f_err; + if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_LIB_EVP); + return -1; } mac_size = (size_t)imac_size; for (j = 0; j < num_recs; j++) { thisrr = &rr[j]; if (thisrr->length < mac_size) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } thisrr->length -= mac_size; mac = thisrr->data + thisrr->length; i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ ); if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) { - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD, + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; + return -1; } } } @@ -474,6 +488,10 @@ int ssl3_get_record(SSL *s) * -1: if the padding is invalid */ if (enc_err == 0) { + if (ossl_statem_in_error(s)) { + /* SSLfatal() already got called */ + return -1; + } if (num_recs == 1 && ossl_statem_skip_early_data(s)) { /* * Valid early_data that we cannot decrypt might fail here as @@ -483,8 +501,10 @@ int ssl3_get_record(SSL *s) thisrr = &rr[0]; if (!early_data_count_ok(s, thisrr->length, - EARLY_DATA_CIPHERTEXT_OVERHEAD, &al)) - goto f_err; + EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { + /* SSLfatal() already called */ + return -1; + } thisrr->length = 0; thisrr->read = 1; @@ -492,9 +512,9 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_reset_read_sequence(&s->rlayer); return 1; } - al = SSL_AD_DECRYPTION_FAILED; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - goto f_err; + SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD, + SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); + return -1; } #ifdef SSL_DEBUG printf("dec %"OSSLzu"\n", rr[0].length); @@ -516,9 +536,9 @@ int ssl3_get_record(SSL *s) mac_size = EVP_MD_CTX_size(s->read_hash); if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } for (j = 0; j < num_recs; j++) { @@ -533,9 +553,9 @@ int ssl3_get_record(SSL *s) /* CBC records must have a padding length byte too. */ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && thisrr->orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { @@ -547,9 +567,9 @@ int ssl3_get_record(SSL *s) */ mac = mac_tmp; if (!ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } thisrr->length -= mac_size; } else { @@ -572,6 +592,10 @@ int ssl3_get_record(SSL *s) } if (enc_err < 0) { + if (ossl_statem_in_error(s)) { + /* We already called SSLfatal() */ + return -1; + } if (num_recs == 1 && ossl_statem_skip_early_data(s)) { /* * We assume this is unreadable early_data - we treat it like an @@ -583,8 +607,10 @@ int ssl3_get_record(SSL *s) * so we use the previously saved value */ if (!early_data_count_ok(s, first_rec_len, - EARLY_DATA_CIPHERTEXT_OVERHEAD, &al)) - goto f_err; + EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { + /* SSLfatal() already called */ + return -1; + } thisrr = &rr[0]; thisrr->length = 0; @@ -600,10 +626,9 @@ int ssl3_get_record(SSL *s) * not reveal which kind of error occurred -- this might become * visible to an attacker (e.g. via a logfile) */ - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, + SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + return -1; } for (j = 0; j < num_recs; j++) { @@ -612,14 +637,14 @@ int ssl3_get_record(SSL *s) /* thisrr->length is now just compressed */ if (s->expand != NULL) { if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_COMPRESSED_LENGTH_TOO_LONG); + return -1; } if (!ssl3_do_uncompress(s, thisrr)) { - al = SSL_AD_DECOMPRESSION_FAILURE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION); - goto f_err; + SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_DECOMPRESSION); + return -1; } } @@ -628,9 +653,9 @@ int ssl3_get_record(SSL *s) if (thisrr->length == 0 || thisrr->type != SSL3_RT_APPLICATION_DATA) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_RECORD_TYPE); + return -1; } /* Strip trailing padding */ @@ -643,9 +668,9 @@ int ssl3_get_record(SSL *s) if (thisrr->type != SSL3_RT_APPLICATION_DATA && thisrr->type != SSL3_RT_ALERT && thisrr->type != SSL3_RT_HANDSHAKE) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_RECORD_TYPE); + return -1; } if (s->msg_callback) s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE, @@ -660,15 +685,23 @@ int ssl3_get_record(SSL *s) && (thisrr->type == SSL3_RT_HANDSHAKE || thisrr->type == SSL3_RT_ALERT) && thisrr->length == 0) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_LENGTH); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_LENGTH); + return -1; } if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return -1; + } + + /* If received packet overflows current Max Fragment Length setting */ + if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) + && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return -1; } thisrr->off = 0; @@ -685,9 +718,9 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_inc_empty_record_count(&s->rlayer); if (RECORD_LAYER_get_empty_record_count(&s->rlayer) > MAX_EMPTY_RECORDS) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_RECORD_TOO_SMALL); + return -1; } } else { RECORD_LAYER_reset_empty_record_count(&s->rlayer); @@ -697,17 +730,14 @@ int ssl3_get_record(SSL *s) if (s->early_data_state == SSL_EARLY_DATA_READING) { thisrr = &rr[0]; if (thisrr->type == SSL3_RT_APPLICATION_DATA - && !early_data_count_ok(s, thisrr->length, 0, &al)) - goto f_err; + && !early_data_count_ok(s, thisrr->length, 0, 0)) { + /* SSLfatal already called */ + return -1; + } } RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs); return 1; - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: - return ret; } int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr) @@ -744,17 +774,18 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr) (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD), wr->input, (int)wr->length); if (i < 0) - return (0); + return 0; else wr->length = i; wr->input = wr->data; #endif - return (1); + return 1; } /*- - * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs| + * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Will call + * SSLfatal() for internal errors, but not otherwise. * * Returns: * 0: (in non-constant time) if the record is publically invalid (i.e. too @@ -829,19 +860,23 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending) if (EVP_MD_CTX_md(s->read_hash) != NULL) { /* TODO(size_t): convert me */ imac_size = EVP_MD_CTX_size(s->read_hash); - if (imac_size < 0) + if (imac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } mac_size = (size_t)imac_size; } if ((bs != 1) && !sending) return ssl3_cbc_remove_padding(rec, bs, mac_size); } - return (1); + return 1; } #define MAX_PADDING 256 /*- - * tls1_enc encrypts/decrypts |n_recs| in |recs|. + * tls1_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for + * internal errors, but not otherwise. * * Returns: * 0: (in non-constant time) if the record is publically invalid (i.e. too @@ -861,14 +896,18 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) int imac_size; const EVP_CIPHER *enc; - if (n_recs == 0) + if (n_recs == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return 0; + } if (sending) { if (EVP_MD_CTX_md(s->write_hash)) { int n = EVP_MD_CTX_size(s->write_hash); if (!ossl_assert(n >= 0)) { - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; } } @@ -891,10 +930,12 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) * we can't write into the input stream: Can this ever * happen?? (steve) */ - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; - } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) { - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + } else if (ssl_randbytes(s, recs[ctr].input, ivlen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; } } @@ -904,7 +945,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) if (EVP_MD_CTX_md(s->read_hash)) { int n = EVP_MD_CTX_size(s->read_hash); if (!ossl_assert(n >= 0)) { - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; } } @@ -931,7 +973,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) * We shouldn't have been called with pipeline data if the * cipher doesn't support pipelining */ - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); return -1; } } @@ -969,8 +1012,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff); pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, EVP_AEAD_TLS1_AAD_LEN, buf[ctr]); - if (pad <= 0) + if (pad <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } if (sending) { reclen[ctr] += pad; @@ -982,8 +1028,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) /* Add weird padding of upto 256 bytes */ - if (padnum > MAX_PADDING) + if (padnum > MAX_PADDING) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } /* we need to add 'padnum' padding bytes of value padval */ padval = (unsigned char)(padnum - 1); for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++) @@ -1006,7 +1055,9 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) } if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS, (int)n_recs, data) <= 0) { - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); + return -1; } /* Set the input buffers */ for (ctr = 0; ctr < n_recs; ctr++) { @@ -1016,7 +1067,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) (int)n_recs, data) <= 0 || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS, (int)n_recs, reclen) <= 0) { - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); return -1; } } @@ -1029,6 +1081,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) ? (tmpr < 0) : (tmpr == 0)) return -1; /* AEAD can fail to verify MAC */ + if (sending == 0) { if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) { for (ctr = 0; ctr < n_recs; ctr++) { @@ -1048,8 +1101,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) ret = 1; if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) { imac_size = EVP_MD_CTX_size(s->read_hash); - if (imac_size < 0) + if (imac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } mac_size = (size_t)imac_size; } if ((bs != 1) && !sending) { @@ -1496,7 +1552,7 @@ int ssl3_cbc_copy_mac(unsigned char *out, int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) { - int i, al; + int i; int enc_err; SSL_SESSION *sess; SSL3_RECORD *rr; @@ -1527,9 +1583,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* check is not needed I believe */ if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return 0; } /* decrypt in place in 'rr->input' */ @@ -1540,23 +1596,22 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) unsigned char *mac; mac_size = EVP_MD_CTX_size(s->read_hash); if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; } if (rr->orig_len < mac_size) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return 0; } rr->length -= mac_size; mac = rr->data + rr->length; i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; + return 0; } } @@ -1568,10 +1623,14 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) * -1: if the padding is invalid */ if (enc_err == 0) { + if (ossl_statem_in_error(s)) { + /* SSLfatal() got called */ + return 0; + } /* For DTLS we simply ignore bad packets. */ rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); - goto err; + return 0; } #ifdef SSL_DEBUG printf("dec %ld\n", rr->length); @@ -1593,15 +1652,15 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* TODO(size_t): Convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); if (imac_size < 0) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_LIB_EVP); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_LIB_EVP); + return 0; } mac_size = (size_t)imac_size; if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; } /* @@ -1614,9 +1673,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* CBC records must have a padding length byte too. */ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && rr->orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return 0; } if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { @@ -1628,9 +1687,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) */ mac = mac_tmp; if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; } rr->length -= mac_size; } else { @@ -1655,28 +1714,27 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* decryption failed, silently discard message */ rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); - goto err; + return 0; } /* r->length is now just compressed */ if (s->expand != NULL) { if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, - SSL_R_COMPRESSED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_COMPRESSED_LENGTH_TOO_LONG); + return 0; } if (!ssl3_do_uncompress(s, rr)) { - al = SSL_AD_DECOMPRESSION_FAILURE; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); - goto f_err; + SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, + SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); + return 0; } } if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return 0; } rr->off = 0; @@ -1695,12 +1753,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* Mark receipt of record. */ dtls1_record_bitmap_update(s, bitmap); - return (1); - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: - return (0); + return 1; } /* @@ -1738,8 +1791,10 @@ int dtls1_get_record(SSL *s) * The epoch may have changed. If so, process all the pending records. * This is a non-blocking operation. */ - if (!dtls1_process_buffered_records(s)) + if (!dtls1_process_buffered_records(s)) { + /* SSLfatal() already called */ return -1; + } /* if we're renegotiating, then there may be buffered records */ if (dtls1_get_processed_record(s)) @@ -1753,8 +1808,10 @@ int dtls1_get_record(SSL *s) rret = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1, &n); /* read timeout is handled by dtls1_read_bytes */ - if (rret <= 0) + if (rret <= 0) { + /* SSLfatal() already called if appropriate */ return rret; /* error or non-blocking */ + } /* this packet contained a partial record, dump it */ if (RECORD_LAYER_get_packet_length(&s->rlayer) != @@ -1809,6 +1866,15 @@ int dtls1_get_record(SSL *s) goto again; } + /* If received packet overflows own-client Max Fragment Length setting */ + if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) + && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { + /* record too long, silently discard it */ + rr->length = 0; + RECORD_LAYER_reset_packet_length(&s->rlayer); + goto again; + } + /* now s->rlayer.rstate == SSL_ST_READ_BODY */ } @@ -1821,6 +1887,10 @@ int dtls1_get_record(SSL *s) rret = ssl3_read_n(s, more, more, 1, 1, &n); /* this packet contained a partial record, dump it */ if (rret <= 0 || n != more) { + if (ossl_statem_in_error(s)) { + /* ssl3_read_n() called SSLfatal() */ + return -1; + } rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; @@ -1870,10 +1940,12 @@ int dtls1_get_record(SSL *s) */ if (is_next_epoch) { if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) { - if (dtls1_buffer_record - (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)), - rr->seq_num) < 0) + if (dtls1_buffer_record (s, + &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)), + rr->seq_num) < 0) { + /* SSLfatal() already called */ return -1; + } } rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); @@ -1881,11 +1953,15 @@ int dtls1_get_record(SSL *s) } if (!dtls1_process_record(s, bitmap)) { + if (ossl_statem_in_error(s)) { + /* dtls1_process_record() called SSLfatal */ + return -1; + } rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } - return (1); + return 1; }