Changeset 94082 in vbox for trunk/src/libs/openssl-3.0.1/ssl/record
- Timestamp:
- Mar 3, 2022 7:17:34 PM (3 years ago)
- svn:sync-xref-src-repo-rev:
- 150325
- Location:
- trunk/src/libs/openssl-3.0.1
- Files:
-
- 1 deleted
- 9 edited
-
. (modified) (1 prop)
-
ssl/record/README (deleted)
-
ssl/record/dtls1_bitmap.c (modified) (1 diff)
-
ssl/record/rec_layer_d1.c (modified) (30 diffs)
-
ssl/record/rec_layer_s3.c (modified) (63 diffs)
-
ssl/record/record.h (modified) (4 diffs)
-
ssl/record/record_local.h (modified) (4 diffs)
-
ssl/record/ssl3_buffer.c (modified) (6 diffs)
-
ssl/record/ssl3_record.c (modified) (75 diffs)
-
ssl/record/ssl3_record_tls13.c (modified) (13 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/libs/openssl-3.0.1
- Property svn:mergeinfo
-
old new 12 12 /vendor/openssl/1.1.1c:131722-131725 13 13 /vendor/openssl/1.1.1k:145841-145843 14 /vendor/openssl/3.0.1:150323-150324 15 /vendor/openssl/current:147554-150322
-
- Property svn:mergeinfo
-
trunk/src/libs/openssl-3.0.1/ssl/record/dtls1_bitmap.c
r91772 r94082 2 2 * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. 3 3 * 4 * Licensed under the OpenSSL license(the "License"). You may not use4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 5 * this file except in compliance with the License. You can obtain a copy 6 6 * in the file LICENSE in the source distribution or at -
trunk/src/libs/openssl-3.0.1/ssl/record/rec_layer_d1.c
r91772 r94082 2 2 * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. 3 3 * 4 * Licensed under the OpenSSL license(the "License"). You may not use4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 5 * this file except in compliance with the License. You can obtain a copy 6 6 * in the file LICENSE in the source distribution or at … … 14 14 #include <openssl/buffer.h> 15 15 #include "record_local.h" 16 #include " ../packet_local.h"16 #include "internal/packet.h" 17 17 #include "internal/cryptlib.h" 18 18 … … 22 22 23 23 if ((d = OPENSSL_malloc(sizeof(*d))) == NULL) { 24 SSLerr(SSL_F_DTLS_RECORD_LAYER_NEW, ERR_R_MALLOC_FAILURE);24 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 25 25 return 0; 26 26 } … … 78 78 while ((item = pqueue_pop(d->processed_rcds.q)) != NULL) { 79 79 rdata = (DTLS1_RECORD_DATA *)item->data; 80 if (rl->s->options & SSL_OP_CLEANSE_PLAINTEXT) 81 OPENSSL_cleanse(rdata->rbuf.buf, rdata->rbuf.len); 80 82 OPENSSL_free(rdata->rbuf.buf); 81 83 OPENSSL_free(item->data); … … 85 87 while ((item = pqueue_pop(d->buffered_app_data.q)) != NULL) { 86 88 rdata = (DTLS1_RECORD_DATA *)item->data; 89 if (rl->s->options & SSL_OP_CLEANSE_PLAINTEXT) 90 OPENSSL_cleanse(rdata->rbuf.buf, rdata->rbuf.len); 87 91 OPENSSL_free(rdata->rbuf.buf); 88 92 OPENSSL_free(item->data); … … 154 158 OPENSSL_free(rdata); 155 159 pitem_free(item); 156 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_BUFFER_RECORD, 157 ERR_R_INTERNAL_ERROR); 160 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 158 161 return -1; 159 162 } … … 263 266 * be the case because we already checked the epoch above 264 267 */ 265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 266 SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS, 267 ERR_R_INTERNAL_ERROR); 268 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 268 269 return 0; 269 270 } … … 359 360 (type != SSL3_RT_HANDSHAKE)) || 360 361 (peek && (type != SSL3_RT_APPLICATION_DATA))) { 361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_READ_BYTES, 362 ERR_R_INTERNAL_ERROR); 362 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 363 363 return -1; 364 364 } … … 378 378 379 379 /*- 380 * s->s3 ->rrec.type- is the type of record381 * s->s3 ->rrec.data, - data382 * s->s3 ->rrec.off, - offset into 'data' for next read383 * s->s3 ->rrec.length, - number of bytes.380 * s->s3.rrec.type - is the type of record 381 * s->s3.rrec.data, - data 382 * s->s3.rrec.off, - offset into 'data' for next read 383 * s->s3.rrec.length, - number of bytes. 384 384 */ 385 385 rr = s->rlayer.rrec; … … 446 446 /* we now have a packet which can be read and processed */ 447 447 448 if (s->s3 ->change_cipher_spec /* set when we receive ChangeCipherSpec,449 448 if (s->s3.change_cipher_spec /* set when we receive ChangeCipherSpec, 449 * reset by ssl3_get_finished */ 450 450 && (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE)) { 451 451 /* … … 489 489 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && 490 490 (s->enc_read_ctx == NULL)) { 491 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,491 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 492 492 SSL_R_APP_DATA_IN_HANDSHAKE); 493 493 return -1; … … 518 518 SSL3_RECORD_set_read(rr); 519 519 } else { 520 if (s->options & SSL_OP_CLEANSE_PLAINTEXT) 521 OPENSSL_cleanse(&(SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)]), n); 520 522 SSL3_RECORD_sub_length(rr, n); 521 523 SSL3_RECORD_add_off(rr, n); … … 558 560 || !PACKET_get_1(&alert, &alert_descr) 559 561 || PACKET_remaining(&alert) != 0) { 560 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, 561 SSL_R_INVALID_ALERT); 562 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_INVALID_ALERT); 562 563 return -1; 563 564 } … … 578 579 579 580 if (alert_level == SSL3_AL_WARNING) { 580 s->s3 ->warn_alert = alert_descr;581 s->s3.warn_alert = alert_descr; 581 582 SSL3_RECORD_set_read(rr); 582 583 583 584 s->rlayer.alert_count++; 584 585 if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) { 585 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,586 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 586 587 SSL_R_TOO_MANY_WARN_ALERTS); 587 588 return -1; … … 608 609 } 609 610 } else if (alert_level == SSL3_AL_FATAL) { 610 char tmp[16];611 612 611 s->rwstate = SSL_NOTHING; 613 s->s3->fatal_alert = alert_descr; 614 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS1_READ_BYTES, 615 SSL_AD_REASON_OFFSET + alert_descr); 616 BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr); 617 ERR_add_error_data(2, "SSL alert number ", tmp); 612 s->s3.fatal_alert = alert_descr; 613 SSLfatal_data(s, SSL_AD_NO_ALERT, 614 SSL_AD_REASON_OFFSET + alert_descr, 615 "SSL alert number %d", alert_descr); 618 616 s->shutdown |= SSL_RECEIVED_SHUTDOWN; 619 617 SSL3_RECORD_set_read(rr); … … 621 619 return 0; 622 620 } else { 623 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS1_READ_BYTES, 624 SSL_R_UNKNOWN_ALERT_TYPE); 621 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_ALERT_TYPE); 625 622 return -1; 626 623 } … … 706 703 */ 707 704 if (!ossl_assert(SSL_is_init_finished(s))) { 708 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_READ_BYTES, 709 ERR_R_INTERNAL_ERROR); 705 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 710 706 return -1; 711 707 } … … 743 739 switch (SSL3_RECORD_get_type(rr)) { 744 740 default: 745 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, 746 SSL_R_UNEXPECTED_RECORD); 741 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD); 747 742 return -1; 748 743 case SSL3_RT_CHANGE_CIPHER_SPEC: … … 754 749 * that should not happen when type != rr->type 755 750 */ 756 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, 757 ERR_R_INTERNAL_ERROR); 751 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, ERR_R_INTERNAL_ERROR); 758 752 return -1; 759 753 case SSL3_RT_APPLICATION_DATA: … … 765 759 * started), we will indulge it. 766 760 */ 767 if (s->s3 ->in_read_app_data &&768 (s->s3 ->total_renegotiations != 0) &&761 if (s->s3.in_read_app_data && 762 (s->s3.total_renegotiations != 0) && 769 763 ossl_statem_app_data_allowed(s)) { 770 s->s3 ->in_read_app_data = 2;764 s->s3.in_read_app_data = 2; 771 765 return -1; 772 766 } else { 773 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, 774 SSL_R_UNEXPECTED_RECORD); 767 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD); 775 768 return -1; 776 769 } … … 789 782 790 783 if (!ossl_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH)) { 791 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_WRITE_BYTES, 792 ERR_R_INTERNAL_ERROR); 784 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 793 785 return -1; 794 786 } … … 816 808 */ 817 809 if (!ossl_assert(SSL3_BUFFER_get_left(wb) == 0)) { 818 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, 819 ERR_R_INTERNAL_ERROR); 810 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 820 811 return 0; 821 812 } 822 813 823 814 /* If we have an alert to send, lets send it */ 824 if (s->s3 ->alert_dispatch) {815 if (s->s3.alert_dispatch) { 825 816 i = s->method->ssl_dispatch_alert(s); 826 817 if (i <= 0) … … 833 824 834 825 if (len > ssl_get_max_send_fragment(s)) { 835 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, 836 SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE); 826 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE); 837 827 return 0; 838 828 } … … 840 830 sess = s->session; 841 831 842 if ((sess == NULL) || 843 (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) 832 if ((sess == NULL) 833 || (s->enc_write_ctx == NULL) 834 || (EVP_MD_CTX_get0_md(s->write_hash) == NULL)) 844 835 clear = 1; 845 836 … … 847 838 mac_size = 0; 848 839 else { 849 mac_size = EVP_MD_CTX_ size(s->write_hash);840 mac_size = EVP_MD_CTX_get_size(s->write_hash); 850 841 if (mac_size < 0) { 851 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE,842 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 852 843 SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE); 853 844 return -1; … … 881 872 /* Explicit IV length, block ciphers appropriate version flag */ 882 873 if (s->enc_write_ctx) { 883 int mode = EVP_CIPHER_CTX_ mode(s->enc_write_ctx);874 int mode = EVP_CIPHER_CTX_get_mode(s->enc_write_ctx); 884 875 if (mode == EVP_CIPH_CBC_MODE) { 885 eivlen = EVP_CIPHER_CTX_ iv_length(s->enc_write_ctx);876 eivlen = EVP_CIPHER_CTX_get_iv_length(s->enc_write_ctx); 886 877 if (eivlen <= 1) 887 878 eivlen = 0; … … 909 900 if (s->compress != NULL) { 910 901 if (!ssl3_do_compress(s, &wr)) { 911 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, 912 SSL_R_COMPRESSION_FAILURE); 902 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE); 913 903 return -1; 914 904 } … … 929 919 &(p[SSL3_RECORD_get_length(&wr) + eivlen]), 930 920 1)) { 931 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, 932 ERR_R_INTERNAL_ERROR); 921 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 933 922 return -1; 934 923 } … … 943 932 SSL3_RECORD_add_length(&wr, eivlen); 944 933 945 if (s->method->ssl3_enc->enc(s, &wr, 1, 1 ) < 1) {934 if (s->method->ssl3_enc->enc(s, &wr, 1, 1, NULL, mac_size) < 1) { 946 935 if (!ossl_statem_in_error(s)) { 947 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, 948 ERR_R_INTERNAL_ERROR); 936 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 949 937 } 950 938 return -1; … … 954 942 if (!s->method->ssl3_enc->mac(s, &wr, 955 943 &(p[SSL3_RECORD_get_length(&wr)]), 1)) { 956 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, 957 ERR_R_INTERNAL_ERROR); 944 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 958 945 return -1; 959 946 } -
trunk/src/libs/openssl-3.0.1/ssl/record/rec_layer_s3.c
r91772 r94082 2 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. 3 3 * 4 * Licensed under the OpenSSL license(the "License"). You may not use4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 5 * this file except in compliance with the License. You can obtain a copy 6 6 * in the file LICENSE in the source distribution or at … … 16 16 #include <openssl/rand.h> 17 17 #include "record_local.h" 18 #include " ../packet_local.h"18 #include "internal/packet.h" 19 19 20 20 #if defined(OPENSSL_SMALL_FOOTPRINT) || \ 21 !( defined(AES NI_ASM) &&( \21 !( defined(AES_ASM) && ( \ 22 22 defined(__x86_64) || defined(__x86_64__) || \ 23 23 defined(_M_AMD64) || defined(_M_X64) ) \ … … 264 264 if (n > rb->len - rb->offset) { 265 265 /* does not happen */ 266 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, 267 ERR_R_INTERNAL_ERROR); 266 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 268 267 return -1; 269 268 } 270 269 271 /* We always act like read_ahead is set for DTLS */ 272 if (!s->rlayer.read_ahead && !SSL_IS_DTLS(s)) 270 /* 271 * Ktls always reads full records. 272 * Also, we always act like read_ahead is set for DTLS. 273 */ 274 if (!BIO_get_ktls_recv(s->rbio) && !s->rlayer.read_ahead 275 && !SSL_IS_DTLS(s)) { 273 276 /* ignore max parameter */ 274 277 max = n; 275 else {278 } else { 276 279 if (max < n) 277 280 max = n; … … 285 288 286 289 /* 287 * Now we have len+left bytes at the front of s->s3 ->rbuf.buf and290 * Now we have len+left bytes at the front of s->s3.rbuf.buf and 288 291 * need to read in more until we have len+n (up to len+max if 289 292 * possible) … … 293 296 if (s->rbio != NULL) { 294 297 s->rwstate = SSL_READING; 295 /* TODO(size_t): Convert this function */296 298 ret = BIO_read(s->rbio, pkt + len + left, max - left); 297 299 if (ret >= 0) 298 300 bioread = ret; 301 if (ret <= 0 302 && !BIO_should_retry(s->rbio) 303 && BIO_eof(s->rbio)) { 304 if (s->options & SSL_OP_IGNORE_UNEXPECTED_EOF) { 305 SSL_set_shutdown(s, SSL_RECEIVED_SHUTDOWN); 306 s->s3.warn_alert = SSL_AD_CLOSE_NOTIFY; 307 } else { 308 SSLfatal(s, SSL_AD_DECODE_ERROR, 309 SSL_R_UNEXPECTED_EOF_WHILE_READING); 310 } 311 } 299 312 } else { 300 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, 301 SSL_R_READ_BIO_NOT_SET); 313 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_READ_BIO_NOT_SET); 302 314 ret = -1; 303 315 } … … 361 373 if ((len < s->rlayer.wnum) 362 374 || ((wb->left != 0) && (len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) { 363 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES, 364 SSL_R_BAD_LENGTH); 375 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH); 365 376 return -1; 366 377 } … … 375 386 376 387 /* 377 * If we are supposed to be sending a KeyUpdate then go into init unless we 378 * have writes pending - in which case we should finish doing that first. 379 */ 380 if (wb->left == 0 && s->key_update != SSL_KEY_UPDATE_NONE) 388 * If we are supposed to be sending a KeyUpdate or NewSessionTicket then go 389 * into init unless we have writes pending - in which case we should finish 390 * doing that first. 391 */ 392 if (wb->left == 0 && (s->key_update != SSL_KEY_UPDATE_NONE 393 || s->ext.extra_tickets_expected > 0)) 381 394 ossl_statem_set_in_init(s, 1); 382 395 … … 419 432 * compromise is considered worthy. 420 433 */ 421 if (type == SSL3_RT_APPLICATION_DATA && 422 len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) && 423 s->compress == NULL && s->msg_callback == NULL && 424 !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && 425 EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & 426 EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) { 434 if (type == SSL3_RT_APPLICATION_DATA 435 && len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) 436 && s->compress == NULL 437 && s->msg_callback == NULL 438 && !SSL_WRITE_ETM(s) 439 && SSL_USE_EXPLICIT_IV(s) 440 && BIO_get_ktls_send(s->wbio) == 0 441 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) 442 & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) != 0) { 427 443 unsigned char aad[13]; 428 444 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; … … 465 481 } 466 482 467 if (s->s3 ->alert_dispatch) {483 if (s->s3.alert_dispatch) { 468 484 i = s->method->ssl_dispatch_alert(s); 469 485 if (i <= 0) { … … 567 583 * shouldn't get here 568 584 */ 569 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES, 570 ERR_R_INTERNAL_ERROR); 585 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 571 586 return -1; 572 587 } 573 588 if (maxpipes == 0 574 589 || s->enc_write_ctx == NULL 575 || !(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx))576 & EVP_CIPH_FLAG_PIPELINE)590 || (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) 591 & EVP_CIPH_FLAG_PIPELINE) == 0 577 592 || !SSL_USE_EXPLICIT_IV(s)) 578 593 maxpipes = 1; 579 if (max_send_fragment == 0 || split_send_fragment == 0 580 || split_send_fragment > max_send_fragment) { 594 if (max_send_fragment == 0 595 || split_send_fragment == 0 596 || split_send_fragment > max_send_fragment) { 581 597 /* 582 598 * We should have prevented this when we set/get the split and max send 583 599 * fragments so we shouldn't get here 584 600 */ 585 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES, 586 ERR_R_INTERNAL_ERROR); 601 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 587 602 return -1; 588 603 } … … 634 649 * in ciphersuites with known-IV weakness: 635 650 */ 636 s->s3 ->empty_fragment_done = 0;651 s->s3.empty_fragment_done = 0; 637 652 638 653 if (tmpwrit == n … … 680 695 681 696 /* If we have an alert to send, lets send it */ 682 if (s->s3 ->alert_dispatch) {697 if (s->s3.alert_dispatch) { 683 698 i = s->method->ssl_dispatch_alert(s); 684 699 if (i <= 0) { … … 701 716 sess = s->session; 702 717 703 if ((sess == NULL) || 704 (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) { 718 if ((sess == NULL) 719 || (s->enc_write_ctx == NULL) 720 || (EVP_MD_CTX_get0_md(s->write_hash) == NULL)) { 705 721 clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */ 706 722 mac_size = 0; 707 723 } else { 708 /* TODO(siz_t): Convert me */ 709 mac_size = EVP_MD_CTX_size(s->write_hash); 724 mac_size = EVP_MD_CTX_get_size(s->write_hash); 710 725 if (mac_size < 0) { 711 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 712 ERR_R_INTERNAL_ERROR); 726 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 713 727 goto err; 714 728 } … … 718 732 * 'create_empty_fragment' is true only when this function calls itself 719 733 */ 720 if (!clear && !create_empty_fragment && !s->s3 ->empty_fragment_done) {734 if (!clear && !create_empty_fragment && !s->s3.empty_fragment_done) { 721 735 /* 722 736 * countermeasure against known-IV weakness in CBC ciphersuites (see … … 724 738 */ 725 739 726 if (s->s3 ->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) {740 if (s->s3.need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) { 727 741 /* 728 742 * recursive function call with 'create_empty_fragment' set; this … … 743 757 (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) { 744 758 /* insufficient space */ 745 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 746 ERR_R_INTERNAL_ERROR); 759 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 747 760 goto err; 748 761 } 749 762 } 750 763 751 s->s3->empty_fragment_done = 1; 764 s->s3.empty_fragment_done = 1; 765 } 766 767 if (BIO_get_ktls_send(s->wbio)) { 768 /* 769 * ktls doesn't modify the buffer, but to avoid a warning we need to 770 * discard the const qualifier. 771 * This doesn't leak memory because the buffers have been released when 772 * switching to ktls. 773 */ 774 SSL3_BUFFER_set_buf(&s->rlayer.wbuf[0], (unsigned char *)buf); 775 SSL3_BUFFER_set_offset(&s->rlayer.wbuf[0], 0); 776 SSL3_BUFFER_set_app_buffer(&s->rlayer.wbuf[0], 1); 777 goto wpacket_init_complete; 752 778 } 753 779 … … 767 793 SSL3_BUFFER_get_len(wb), 0) 768 794 || !WPACKET_allocate_bytes(&pkt[0], align, NULL)) { 769 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 770 ERR_R_INTERNAL_ERROR); 795 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 771 796 goto err; 772 797 } … … 779 804 || !WPACKET_allocate_bytes(&pkt[0], SSL3_BUFFER_get_offset(wb) 780 805 + prefix_len, NULL)) { 781 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 782 ERR_R_INTERNAL_ERROR); 806 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 783 807 goto err; 784 808 } … … 797 821 SSL3_BUFFER_get_len(wb), 0) 798 822 || !WPACKET_allocate_bytes(thispkt, align, NULL)) { 799 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 800 ERR_R_INTERNAL_ERROR); 823 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 801 824 goto err; 802 825 } … … 807 830 /* Explicit IV length, block ciphers appropriate version flag */ 808 831 if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s) && !SSL_TREAT_AS_TLS13(s)) { 809 int mode = EVP_CIPHER_CTX_ mode(s->enc_write_ctx);832 int mode = EVP_CIPHER_CTX_get_mode(s->enc_write_ctx); 810 833 if (mode == EVP_CIPH_CBC_MODE) { 811 /* TODO(size_t): Convert me */ 812 eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx); 834 eivlen = EVP_CIPHER_CTX_get_iv_length(s->enc_write_ctx); 813 835 if (eivlen <= 1) 814 836 eivlen = 0; … … 820 842 } 821 843 } 844 845 wpacket_init_complete: 822 846 823 847 totlen = 0; … … 862 886 maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD; 863 887 864 /* write the header */ 865 if (!WPACKET_put_bytes_u8(thispkt, rectype) 888 /* 889 * When using offload kernel will write the header. 890 * Otherwise write the header now 891 */ 892 if (!BIO_get_ktls_send(s->wbio) 893 && (!WPACKET_put_bytes_u8(thispkt, rectype) 866 894 || !WPACKET_put_bytes_u16(thispkt, version) 867 895 || !WPACKET_start_sub_packet_u16(thispkt) … … 870 898 || (maxcomplen > 0 871 899 && !WPACKET_reserve_bytes(thispkt, maxcomplen, 872 &compressdata))) { 873 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 874 ERR_R_INTERNAL_ERROR); 900 &compressdata)))) { 901 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 875 902 goto err; 876 903 } … … 891 918 if (!ssl3_do_compress(s, thiswr) 892 919 || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) { 893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 894 SSL_R_COMPRESSION_FAILURE); 920 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COMPRESSION_FAILURE); 895 921 goto err; 896 922 } 897 923 } else { 898 if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) { 899 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 900 ERR_R_INTERNAL_ERROR); 901 goto err; 902 } 903 SSL3_RECORD_reset_input(&wr[j]); 924 if (BIO_get_ktls_send(s->wbio)) { 925 SSL3_RECORD_reset_data(&wr[j]); 926 } else { 927 if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) { 928 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 929 goto err; 930 } 931 SSL3_RECORD_reset_input(&wr[j]); 932 } 904 933 } 905 934 906 935 if (SSL_TREAT_AS_TLS13(s) 936 && !BIO_get_ktls_send(s->wbio) 907 937 && s->enc_write_ctx != NULL 908 938 && (s->statem.enc_write_state != ENC_WRITE_STATE_WRITE_PLAIN_ALERTS … … 911 941 912 942 if (!WPACKET_put_bytes_u8(thispkt, type)) { 913 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 914 ERR_R_INTERNAL_ERROR); 943 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 915 944 goto err; 916 945 } … … 945 974 padding = max_padding; 946 975 if (!WPACKET_memset(thispkt, 0, padding)) { 947 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,976 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 948 977 ERR_R_INTERNAL_ERROR); 949 978 goto err; … … 960 989 */ 961 990 962 if (! SSL_WRITE_ETM(s) && mac_size != 0) {991 if (!BIO_get_ktls_send(s->wbio) && !SSL_WRITE_ETM(s) && mac_size != 0) { 963 992 unsigned char *mac; 964 993 965 994 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) 966 995 || !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) { 967 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 968 ERR_R_INTERNAL_ERROR); 996 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 969 997 goto err; 970 998 } … … 976 1004 * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case. 977 1005 */ 978 if (!WPACKET_reserve_bytes(thispkt, SSL_RT_MAX_CIPHER_BLOCK_SIZE, 979 NULL) 980 /* 981 * We also need next the amount of bytes written to this 982 * sub-packet 983 */ 1006 if (!BIO_get_ktls_send(s->wbio)) { 1007 if (!WPACKET_reserve_bytes(thispkt, 1008 SSL_RT_MAX_CIPHER_BLOCK_SIZE, 1009 NULL) 1010 /* 1011 * We also need next the amount of bytes written to this 1012 * sub-packet 1013 */ 984 1014 || !WPACKET_get_length(thispkt, &len)) { 985 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 986 ERR_R_INTERNAL_ERROR); 1015 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 987 1016 goto err; 988 }989 990 /* Get a pointer to the start of this record excluding header */991 recordstart = WPACKET_get_curr(thispkt) - len;992 993 SSL3_RECORD_set_data(thiswr, recordstart);994 SSL3_RECORD_reset_input(thiswr);995 SSL3_RECORD_set_length(thiswr, len);1017 } 1018 1019 /* Get a pointer to the start of this record excluding header */ 1020 recordstart = WPACKET_get_curr(thispkt) - len; 1021 SSL3_RECORD_set_data(thiswr, recordstart); 1022 SSL3_RECORD_reset_input(thiswr); 1023 SSL3_RECORD_set_length(thiswr, len); 1024 } 996 1025 } 997 1026 … … 1001 1030 * send early data - so we need to use the tls13enc function. 1002 1031 */ 1003 if (tls13_enc(s, wr, numpipes, 1 ) < 1) {1032 if (tls13_enc(s, wr, numpipes, 1, NULL, mac_size) < 1) { 1004 1033 if (!ossl_statem_in_error(s)) { 1005 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 1006 ERR_R_INTERNAL_ERROR); 1034 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1007 1035 } 1008 1036 goto err; 1009 1037 } 1010 1038 } else { 1011 if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1) { 1012 if (!ossl_statem_in_error(s)) { 1013 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 1014 ERR_R_INTERNAL_ERROR); 1015 } 1016 goto err; 1039 if (!BIO_get_ktls_send(s->wbio)) { 1040 if (s->method->ssl3_enc->enc(s, wr, numpipes, 1, NULL, 1041 mac_size) < 1) { 1042 if (!ossl_statem_in_error(s)) { 1043 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1044 } 1045 goto err; 1046 } 1017 1047 } 1018 1048 } … … 1023 1053 thispkt = &pkt[j]; 1024 1054 thiswr = &wr[j]; 1055 1056 if (BIO_get_ktls_send(s->wbio)) 1057 goto mac_done; 1025 1058 1026 1059 /* Allocate bytes for the encryption overhead */ … … 1030 1063 || (thiswr->length > origlen 1031 1064 && !WPACKET_allocate_bytes(thispkt, 1032 thiswr->length - origlen, NULL))) {1033 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,1034 1065 thiswr->length - origlen, 1066 NULL))) { 1067 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1035 1068 goto err; 1036 1069 } … … 1040 1073 if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) 1041 1074 || !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) { 1042 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 1043 ERR_R_INTERNAL_ERROR); 1075 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1044 1076 goto err; 1045 1077 } … … 1049 1081 if (!WPACKET_get_length(thispkt, &len) 1050 1082 || !WPACKET_close(thispkt)) { 1051 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 1052 ERR_R_INTERNAL_ERROR); 1083 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1053 1084 goto err; 1054 1085 } … … 1057 1088 recordstart = WPACKET_get_curr(thispkt) - len 1058 1089 - SSL3_RT_HEADER_LENGTH; 1059 s->msg_callback(1, 0, SSL3_RT_HEADER, recordstart,1090 s->msg_callback(1, thiswr->rec_version, SSL3_RT_HEADER, recordstart, 1060 1091 SSL3_RT_HEADER_LENGTH, s, 1061 1092 s->msg_callback_arg); … … 1064 1095 unsigned char ctype = type; 1065 1096 1066 s->msg_callback(1, s->version, SSL3_RT_INNER_CONTENT_TYPE,1097 s->msg_callback(1, thiswr->rec_version, SSL3_RT_INNER_CONTENT_TYPE, 1067 1098 &ctype, 1, s, s->msg_callback_arg); 1068 1099 } … … 1070 1101 1071 1102 if (!WPACKET_finish(thispkt)) { 1072 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 1073 ERR_R_INTERNAL_ERROR); 1103 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1074 1104 goto err; 1075 1105 } 1076 1106 1077 /* 1078 * we should now have thiswr->data pointing to the encrypted data, which 1079 * is thiswr->length long 1080 */ 1081 SSL3_RECORD_set_type(thiswr, type); /* not needed but helps for 1082 * debugging */ 1083 SSL3_RECORD_add_length(thiswr, SSL3_RT_HEADER_LENGTH); 1107 /* header is added by the kernel when using offload */ 1108 SSL3_RECORD_add_length(&wr[j], SSL3_RT_HEADER_LENGTH); 1084 1109 1085 1110 if (create_empty_fragment) { … … 1090 1115 if (j > 0) { 1091 1116 /* We should never be pipelining an empty fragment!! */ 1092 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, 1093 ERR_R_INTERNAL_ERROR); 1117 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1094 1118 goto err; 1095 1119 } … … 1097 1121 return 1; 1098 1122 } 1123 1124 mac_done: 1125 /* 1126 * we should now have thiswr->data pointing to the encrypted data, which 1127 * is thiswr->length long 1128 */ 1129 SSL3_RECORD_set_type(thiswr, type); /* not needed but helps for 1130 * debugging */ 1099 1131 1100 1132 /* now let's set up wb */ … … 1120 1152 } 1121 1153 1122 /* if s->s3 ->wbuf.left != 0, we need to call this1154 /* if s->s3.wbuf.left != 0, we need to call this 1123 1155 * 1124 1156 * Return values are as per SSL_write() … … 1136 1168 && (s->rlayer.wpend_buf != buf)) 1137 1169 || (s->rlayer.wpend_type != type)) { 1138 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_PENDING, 1139 SSL_R_BAD_WRITE_RETRY); 1170 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_WRITE_RETRY); 1140 1171 return -1; 1141 1172 } … … 1151 1182 if (s->wbio != NULL) { 1152 1183 s->rwstate = SSL_WRITING; 1153 /* TODO(size_t): Convert this call */ 1184 1185 /* 1186 * To prevent coalescing of control and data messages, 1187 * such as in buffer_write, we flush the BIO 1188 */ 1189 if (BIO_get_ktls_send(s->wbio) && type != SSL3_RT_APPLICATION_DATA) { 1190 i = BIO_flush(s->wbio); 1191 if (i <= 0) 1192 return i; 1193 BIO_set_ktls_ctrl_msg(s->wbio, type); 1194 } 1154 1195 i = BIO_write(s->wbio, (char *) 1155 1196 &(SSL3_BUFFER_get_buf(&wb[currbuf]) … … 1159 1200 tmpwrit = i; 1160 1201 } else { 1161 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_PENDING, 1162 SSL_R_BIO_NOT_SET); 1202 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET); 1163 1203 i = -1; 1164 1204 } 1165 if (i > 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) { 1205 1206 /* 1207 * When an empty fragment is sent on a connection using KTLS, 1208 * it is sent as a write of zero bytes. If this zero byte 1209 * write succeeds, i will be 0 rather than a non-zero value. 1210 * Treat i == 0 as success rather than an error for zero byte 1211 * writes to permit this case. 1212 */ 1213 if (i >= 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) { 1166 1214 SSL3_BUFFER_set_left(&wb[currbuf], 0); 1167 1215 SSL3_BUFFER_add_offset(&wb[currbuf], tmpwrit); … … 1199 1247 * This function must handle any surprises the peer may have for us, such as 1200 1248 * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec 1201 * messages are treated as if they were handshake messages *if* the |rec d_type|1249 * messages are treated as if they were handshake messages *if* the |recvd_type| 1202 1250 * argument is non NULL. 1203 1251 * Also if record payloads contain fragments too small to process, we store … … 1239 1287 && (type != 1240 1288 SSL3_RT_APPLICATION_DATA))) { 1241 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES, 1242 ERR_R_INTERNAL_ERROR); 1289 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1243 1290 return -1; 1244 1291 } … … 1307 1354 if (num_recs == 0) { 1308 1355 /* Shouldn't happen */ 1309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES, 1310 ERR_R_INTERNAL_ERROR); 1356 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1311 1357 return -1; 1312 1358 } … … 1327 1373 && SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE 1328 1374 && SSL_IS_TLS13(s)) { 1329 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,1375 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1330 1376 SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA); 1331 1377 return -1; … … 1342 1388 /* we now have a packet which can be read and processed */ 1343 1389 1344 if (s->s3 ->change_cipher_spec /* set when we receive ChangeCipherSpec,1345 1390 if (s->s3.change_cipher_spec /* set when we receive ChangeCipherSpec, 1391 * reset by ssl3_get_finished */ 1346 1392 && (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE)) { 1347 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,1393 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1348 1394 SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); 1349 1395 return -1; … … 1375 1421 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && 1376 1422 (s->enc_read_ctx == NULL)) { 1377 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, 1378 SSL_R_APP_DATA_IN_HANDSHAKE); 1423 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_APP_DATA_IN_HANDSHAKE); 1379 1424 return -1; 1380 1425 } … … 1383 1428 && SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC 1384 1429 && s->rlayer.handshake_fragment_len > 0) { 1385 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, 1386 SSL_R_CCS_RECEIVED_EARLY); 1430 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY); 1387 1431 return -1; 1388 1432 } … … 1416 1460 SSL3_RECORD_set_read(rr); 1417 1461 } else { 1462 if (s->options & SSL_OP_CLEANSE_PLAINTEXT) 1463 OPENSSL_cleanse(&(rr->data[rr->off]), n); 1418 1464 SSL3_RECORD_sub_length(rr, n); 1419 1465 SSL3_RECORD_add_off(rr, n); … … 1460 1506 * |rr->type|. If not then something has gone horribly wrong 1461 1507 */ 1462 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES, 1463 ERR_R_INTERNAL_ERROR); 1508 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1464 1509 return -1; 1465 1510 } … … 1469 1514 /* 1470 1515 * If we've got this far and still haven't decided on what version 1471 * we're using then this must be a client side alert we're dealing with1472 * (we don't allow heartbeats yet). We shouldn't be receiving anything1473 * other than a ClientHelloif we are a server.1516 * we're using then this must be a client side alert we're dealing 1517 * with. We shouldn't be receiving anything other than a ClientHello 1518 * if we are a server. 1474 1519 */ 1475 1520 s->version = rr->rec_version; 1476 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, 1477 SSL_R_UNEXPECTED_MESSAGE); 1521 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 1478 1522 return -1; 1479 1523 } … … 1494 1538 || !PACKET_get_1(&alert, &alert_descr) 1495 1539 || PACKET_remaining(&alert) != 0) { 1496 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, 1497 SSL_R_INVALID_ALERT); 1540 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_INVALID_ALERT); 1498 1541 return -1; 1499 1542 } … … 1515 1558 if (alert_level == SSL3_AL_WARNING 1516 1559 || (is_tls13 && alert_descr == SSL_AD_USER_CANCELLED)) { 1517 s->s3 ->warn_alert = alert_descr;1560 s->s3.warn_alert = alert_descr; 1518 1561 SSL3_RECORD_set_read(rr); 1519 1562 1520 1563 s->rlayer.alert_count++; 1521 1564 if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) { 1522 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,1565 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1523 1566 SSL_R_TOO_MANY_WARN_ALERTS); 1524 1567 return -1; … … 1537 1580 return 0; 1538 1581 } else if (alert_level == SSL3_AL_FATAL || is_tls13) { 1539 char tmp[16];1540 1541 1582 s->rwstate = SSL_NOTHING; 1542 s->s3->fatal_alert = alert_descr; 1543 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_READ_BYTES, 1544 SSL_AD_REASON_OFFSET + alert_descr); 1545 BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr); 1546 ERR_add_error_data(2, "SSL alert number ", tmp); 1583 s->s3.fatal_alert = alert_descr; 1584 SSLfatal_data(s, SSL_AD_NO_ALERT, 1585 SSL_AD_REASON_OFFSET + alert_descr, 1586 "SSL alert number %d", alert_descr); 1547 1587 s->shutdown |= SSL_RECEIVED_SHUTDOWN; 1548 1588 SSL3_RECORD_set_read(rr); … … 1558 1598 * the peer refused it where we carry on. 1559 1599 */ 1560 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL3_READ_BYTES, 1561 SSL_R_NO_RENEGOTIATION); 1600 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_RENEGOTIATION); 1562 1601 return -1; 1563 1602 } else if (alert_level == SSL3_AL_WARNING) { … … 1566 1605 } 1567 1606 1568 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_READ_BYTES, 1569 SSL_R_UNKNOWN_ALERT_TYPE); 1607 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_ALERT_TYPE); 1570 1608 return -1; 1571 1609 } … … 1605 1643 SSL3_RECORD_set_length(rr, 0); 1606 1644 SSL3_RECORD_set_read(rr); 1607 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_READ_BYTES,1645 SSLfatal(s, SSL_AD_NO_ALERT, 1608 1646 SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY); 1609 1647 return -1; … … 1640 1678 1641 1679 if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) { 1642 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, 1643 SSL_R_CCS_RECEIVED_EARLY); 1680 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY); 1644 1681 return -1; 1645 1682 } … … 1701 1738 * record types, using up resources processing them. 1702 1739 */ 1703 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, 1704 SSL_R_UNEXPECTED_RECORD); 1740 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD); 1705 1741 return -1; 1706 1742 case SSL3_RT_CHANGE_CIPHER_SPEC: … … 1712 1748 * that should not happen when type != rr->type 1713 1749 */ 1714 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, 1715 ERR_R_INTERNAL_ERROR); 1750 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, ERR_R_INTERNAL_ERROR); 1716 1751 return -1; 1717 1752 case SSL3_RT_APPLICATION_DATA: … … 1724 1759 */ 1725 1760 if (ossl_statem_app_data_allowed(s)) { 1726 s->s3 ->in_read_app_data = 2;1761 s->s3.in_read_app_data = 2; 1727 1762 return -1; 1728 1763 } else if (ossl_statem_skip_early_data(s)) { … … 1744 1779 goto start; 1745 1780 } else { 1746 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, 1747 SSL_R_UNEXPECTED_RECORD); 1781 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD); 1748 1782 return -1; 1749 1783 } -
trunk/src/libs/openssl-3.0.1/ssl/record/record.h
r91772 r94082 1 1 /* 2 * Copyright 1995-20 18The OpenSSL Project Authors. All Rights Reserved.2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. 3 3 * 4 * Licensed under the OpenSSL license(the "License"). You may not use4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 5 * this file except in compliance with the License. You can obtain a copy 6 6 * in the file LICENSE in the source distribution or at … … 26 26 /* how many bytes left */ 27 27 size_t left; 28 /* 'buf' is from application for KTLS */ 29 int app_buffer; 28 30 } SSL3_BUFFER; 29 31 … … 177 179 *****************************************************************************/ 178 180 181 struct ssl_mac_buf_st { 182 unsigned char *mac; 183 int alloced; 184 }; 185 typedef struct ssl_mac_buf_st SSL_MAC_BUF; 186 179 187 #define MIN_SSL2_RECORD_LEN 9 180 188 … … 212 220 size_t *readbytes); 213 221 __owur int ssl3_setup_buffers(SSL *s); 214 __owur int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send); 222 __owur int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send, 223 SSL_MAC_BUF *mac, size_t macsize); 215 224 __owur int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send); 216 225 __owur int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, 217 226 size_t *written); 218 __owur int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send); 227 __owur int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, 228 SSL_MAC_BUF *mac, size_t macsize); 219 229 __owur int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send); 220 __owur int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send); 230 __owur int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send, 231 SSL_MAC_BUF *mac, size_t macsize); 221 232 int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl); 222 233 void DTLS_RECORD_LAYER_free(RECORD_LAYER *rl); -
trunk/src/libs/openssl-3.0.1/ssl/record/record_local.h
r91772 r94082 1 1 /* 2 * Copyright 1995-20 18The OpenSSL Project Authors. All Rights Reserved.2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. 3 3 * 4 * Licensed under the OpenSSL license(the "License"). You may not use4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 5 * this file except in compliance with the License. You can obtain a copy 6 6 * in the file LICENSE in the source distribution or at … … 66 66 #define SSL3_BUFFER_is_initialised(b) ((b)->buf != NULL) 67 67 #define SSL3_BUFFER_set_default_len(b, l) ((b)->default_len = (l)) 68 #define SSL3_BUFFER_set_app_buffer(b, l) ((b)->app_buffer = (l)) 69 #define SSL3_BUFFER_is_app_buffer(b) ((b)->app_buffer) 68 70 69 71 void SSL3_BUFFER_clear(SSL3_BUFFER *b); … … 89 91 #define SSL3_RECORD_set_input(r, i) ((r)->input = (i)) 90 92 #define SSL3_RECORD_reset_input(r) ((r)->input = (r)->data) 93 #define SSL3_RECORD_reset_data(r) ((r)->data = (r)->input) 91 94 #define SSL3_RECORD_get_seq_num(r) ((r)->seq_num) 92 95 #define SSL3_RECORD_get_off(r) ((r)->off) … … 105 108 __owur int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr); 106 109 __owur int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr); 107 int ssl3_cbc_copy_mac(unsigned char *out, 108 const SSL3_RECORD *rec, size_t md_size); 109 __owur int ssl3_cbc_remove_padding(SSL3_RECORD *rec, 110 size_t block_size, size_t mac_size); 111 __owur int tls1_cbc_remove_padding(const SSL *s, 112 SSL3_RECORD *rec, 113 size_t block_size, size_t mac_size); 110 __owur int ssl3_cbc_remove_padding_and_mac(size_t *reclen, 111 size_t origreclen, 112 unsigned char *recdata, 113 unsigned char **mac, 114 int *alloced, 115 size_t block_size, size_t mac_size, 116 OSSL_LIB_CTX *libctx); 117 __owur int tls1_cbc_remove_padding_and_mac(size_t *reclen, 118 size_t origreclen, 119 unsigned char *recdata, 120 unsigned char **mac, 121 int *alloced, 122 size_t block_size, size_t mac_size, 123 int aead, 124 OSSL_LIB_CTX *libctx); 114 125 int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap); 115 126 __owur int dtls1_get_record(SSL *s); -
trunk/src/libs/openssl-3.0.1/ssl/record/ssl3_buffer.c
r91772 r94082 2 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. 3 3 * 4 * Licensed under the OpenSSL license(the "License"). You may not use4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 5 * this file except in compliance with the License. You can obtain a copy 6 6 * in the file LICENSE in the source distribution or at … … 67 67 * alert. 68 68 */ 69 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_SETUP_READ_BUFFER, 70 ERR_R_MALLOC_FAILURE); 69 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_MALLOC_FAILURE); 71 70 return 0; 72 71 } … … 111 110 SSL3_BUFFER *thiswb = &wb[currpipe]; 112 111 113 if (thiswb-> buf != NULL && thiswb->len != len) {112 if (thiswb->len != len) { 114 113 OPENSSL_free(thiswb->buf); 115 114 thiswb->buf = NULL; /* force reallocation */ … … 117 116 118 117 if (thiswb->buf == NULL) { 119 p = OPENSSL_malloc(len); 120 if (p == NULL) { 121 s->rlayer.numwpipes = currpipe; 122 /* 123 * We've got a malloc failure, and we're still initialising 124 * buffers. We assume we're so doomed that we won't even be able 125 * to send an alert. 126 */ 127 SSLfatal(s, SSL_AD_NO_ALERT, 128 SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE); 129 return 0; 118 if (s->wbio == NULL || !BIO_get_ktls_send(s->wbio)) { 119 p = OPENSSL_malloc(len); 120 if (p == NULL) { 121 s->rlayer.numwpipes = currpipe; 122 /* 123 * We've got a malloc failure, and we're still initialising 124 * buffers. We assume we're so doomed that we won't even be able 125 * to send an alert. 126 */ 127 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_MALLOC_FAILURE); 128 return 0; 129 } 130 } else { 131 p = NULL; 130 132 } 131 133 memset(thiswb, 0, sizeof(SSL3_BUFFER)); … … 160 162 wb = &RECORD_LAYER_get_wbuf(&s->rlayer)[pipes - 1]; 161 163 162 OPENSSL_free(wb->buf); 164 if (SSL3_BUFFER_is_app_buffer(wb)) 165 SSL3_BUFFER_set_app_buffer(wb, 0); 166 else 167 OPENSSL_free(wb->buf); 163 168 wb->buf = NULL; 164 169 pipes--; … … 173 178 174 179 b = RECORD_LAYER_get_rbuf(&s->rlayer); 180 if (s->options & SSL_OP_CLEANSE_PLAINTEXT) 181 OPENSSL_cleanse(b->buf, b->len); 175 182 OPENSSL_free(b->buf); 176 183 b->buf = NULL; -
trunk/src/libs/openssl-3.0.1/ssl/record/ssl3_record.c
r91772 r94082 2 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. 3 3 * 4 * Licensed under the OpenSSL license(the "License"). You may not use4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 5 * this file except in compliance with the License. You can obtain a copy 6 6 * in the file LICENSE in the source distribution or at … … 9 9 10 10 #include "../ssl_local.h" 11 #include "internal/constant_time.h"11 #include <openssl/trace.h> 12 12 #include <openssl/rand.h> 13 #include <openssl/core_names.h> 13 14 #include "record_local.h" 14 15 #include "internal/cryptlib.h" … … 115 116 if (!ossl_assert(s->psksession != NULL 116 117 && s->psksession->ext.max_early_data > 0)) { 117 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_EARLY_DATA_COUNT_OK, 118 ERR_R_INTERNAL_ERROR); 118 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 119 119 return 0; 120 120 } … … 132 132 if (max_early_data == 0) { 133 133 SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, 134 SSL_ F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA);134 SSL_R_TOO_MUCH_EARLY_DATA); 135 135 return 0; 136 136 } … … 141 141 if (s->early_data_count + length > max_early_data) { 142 142 SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, 143 SSL_ F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA);143 SSL_R_TOO_MUCH_EARLY_DATA); 144 144 return 0; 145 145 } … … 182 182 unsigned char md[EVP_MAX_MD_SIZE]; 183 183 unsigned int version; 184 size_t mac_size ;184 size_t mac_size = 0; 185 185 int imac_size; 186 186 size_t num_recs = 0, max_recs, j; 187 187 PACKET pkt, sslv2pkt; 188 size_t first_rec_len; 188 int is_ktls_left; 189 SSL_MAC_BUF *macbufs = NULL; 190 int ret = -1; 189 191 190 192 rr = RECORD_LAYER_get_rrec(&s->rlayer); 191 193 rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); 194 is_ktls_left = (rbuf->left > 0); 192 195 max_recs = s->max_pipelines; 193 196 if (max_recs == 0) … … 208 211 SSL3_BUFFER_get_len(rbuf), 0, 209 212 num_recs == 0 ? 1 : 0, &n); 210 if (rret <= 0) 211 return rret; /* error or non-blocking */ 213 if (rret <= 0) { 214 #ifndef OPENSSL_NO_KTLS 215 if (!BIO_get_ktls_recv(s->rbio) || rret == 0) 216 return rret; /* error or non-blocking */ 217 switch (errno) { 218 case EBADMSG: 219 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, 220 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 221 break; 222 case EMSGSIZE: 223 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, 224 SSL_R_PACKET_LENGTH_TOO_LONG); 225 break; 226 case EINVAL: 227 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 228 SSL_R_WRONG_VERSION_NUMBER); 229 break; 230 default: 231 break; 232 } 233 #endif 234 return rret; 235 } 212 236 RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY); 213 237 … … 215 239 if (!PACKET_buf_init(&pkt, RECORD_LAYER_get_packet(&s->rlayer), 216 240 RECORD_LAYER_get_packet_length(&s->rlayer))) { 217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, 218 ERR_R_INTERNAL_ERROR); 241 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 219 242 return -1; 220 243 } … … 222 245 if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len) 223 246 || !PACKET_get_1(&sslv2pkt, &type)) { 224 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, 225 ERR_R_INTERNAL_ERROR); 247 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); 226 248 return -1; 227 249 } … … 248 270 if (thisrr->length > SSL3_BUFFER_get_len(rbuf) 249 271 - SSL2_RT_HEADER_LENGTH) { 250 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,272 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, 251 273 SSL_R_PACKET_LENGTH_TOO_LONG); 252 274 return -1; … … 254 276 255 277 if (thisrr->length < MIN_SSL2_RECORD_LEN) { 256 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, 257 SSL_R_LENGTH_TOO_SHORT); 278 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); 258 279 return -1; 259 280 } 260 281 } else { 261 282 /* SSLv3+ style record */ 262 if (s->msg_callback)263 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,264 s->msg_callback_arg);265 283 266 284 /* Pull apart the header into the SSL3_RECORD */ … … 268 286 || !PACKET_get_net_2(&pkt, &version) 269 287 || !PACKET_get_net_2_len(&pkt, &thisrr->length)) { 270 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, 271 ERR_R_INTERNAL_ERROR); 288 if (s->msg_callback) 289 s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s, 290 s->msg_callback_arg); 291 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); 272 292 return -1; 273 293 } 274 294 thisrr->type = type; 275 295 thisrr->rec_version = version; 296 297 if (s->msg_callback) 298 s->msg_callback(0, version, SSL3_RT_HEADER, p, 5, s, 299 s->msg_callback_arg); 276 300 277 301 /* … … 296 320 * end. 297 321 */ 298 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,322 SSLfatal(s, SSL_AD_NO_ALERT, 299 323 SSL_R_WRONG_VERSION_NUMBER); 300 324 return -1; … … 305 329 s->version = (unsigned short)version; 306 330 } 307 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL3_GET_RECORD,331 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 308 332 SSL_R_WRONG_VERSION_NUMBER); 309 333 return -1; … … 319 343 strncmp((char *)p, "HEAD ", 5) == 0 || 320 344 strncmp((char *)p, "PUT ", 4) == 0) { 321 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, 322 SSL_R_HTTP_REQUEST); 345 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_HTTP_REQUEST); 323 346 return -1; 324 347 } else if (strncmp((char *)p, "CONNE", 5) == 0) { 325 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,348 SSLfatal(s, SSL_AD_NO_ALERT, 326 349 SSL_R_HTTPS_PROXY_REQUEST); 327 350 return -1; … … 329 352 330 353 /* Doesn't look like TLS - don't send an alert */ 331 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,354 SSLfatal(s, SSL_AD_NO_ALERT, 332 355 SSL_R_WRONG_VERSION_NUMBER); 333 356 return -1; 334 357 } else { 335 358 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 336 SSL_F_SSL3_GET_RECORD,337 359 SSL_R_WRONG_VERSION_NUMBER); 338 360 return -1; … … 348 370 != ENC_READ_STATE_ALLOW_PLAIN_ALERTS)) { 349 371 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 350 SSL_ F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE);372 SSL_R_BAD_RECORD_TYPE); 351 373 return -1; 352 374 } 353 375 if (thisrr->rec_version != TLS1_2_VERSION) { 354 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,376 SSLfatal(s, SSL_AD_DECODE_ERROR, 355 377 SSL_R_WRONG_VERSION_NUMBER); 356 378 return -1; … … 360 382 if (thisrr->length > 361 383 SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) { 362 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,384 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, 363 385 SSL_R_PACKET_LENGTH_TOO_LONG); 364 386 return -1; … … 371 393 if (SSL_IS_TLS13(s)) { 372 394 if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { 373 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,395 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, 374 396 SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 375 397 return -1; … … 387 409 #endif 388 410 389 if (thisrr->length > len ) {390 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,411 if (thisrr->length > len && !BIO_get_ktls_recv(s->rbio)) { 412 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, 391 413 SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 392 414 return -1; … … 405 427 more = thisrr->length; 406 428 } 429 407 430 if (more > 0) { 408 431 /* now s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH */ … … 458 481 && SSL_USE_EXPLICIT_IV(s) 459 482 && s->enc_read_ctx != NULL 460 && (EVP_CIPHER_ flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx))461 & EVP_CIPH_FLAG_PIPELINE) 483 && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx)) 484 & EVP_CIPH_FLAG_PIPELINE) != 0 462 485 && ssl3_record_app_data_waiting(s)); 463 486 … … 470 493 */ 471 494 if (thisrr->length != 1 || thisrr->data[0] != 0x01) { 472 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_GET_RECORD,495 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 473 496 SSL_R_INVALID_CCS_MESSAGE); 474 497 return -1; … … 482 505 if (RECORD_LAYER_get_empty_record_count(&s->rlayer) 483 506 > MAX_EMPTY_RECORDS) { 484 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD,507 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 485 508 SSL_R_UNEXPECTED_CCS_MESSAGE); 486 509 return -1; … … 490 513 491 514 return 1; 515 } 516 517 /* 518 * KTLS reads full records. If there is any data left, 519 * then it is from before enabling ktls 520 */ 521 if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) 522 goto skip_decryption; 523 524 if (s->read_hash != NULL) { 525 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash); 526 527 if (tmpmd != NULL) { 528 imac_size = EVP_MD_get_size(tmpmd); 529 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { 530 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 531 return -1; 532 } 533 mac_size = (size_t)imac_size; 534 } 492 535 } 493 536 … … 498 541 if (SSL_READ_ETM(s) && s->read_hash) { 499 542 unsigned char *mac; 500 /* TODO(size_t): convert this to do size_t properly */ 501 imac_size = EVP_MD_CTX_size(s->read_hash); 502 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { 503 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, 504 ERR_LIB_EVP); 505 return -1; 506 } 507 mac_size = (size_t)imac_size; 543 508 544 for (j = 0; j < num_recs; j++) { 509 545 thisrr = &rr[j]; 510 546 511 547 if (thisrr->length < mac_size) { 512 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, 513 SSL_R_LENGTH_TOO_SHORT); 548 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); 514 549 return -1; 515 550 } … … 518 553 i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ ); 519 554 if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) { 520 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,521 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);555 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, 556 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 522 557 return -1; 523 558 } 524 559 } 525 } 526 527 first_rec_len = rr[0].length; 528 529 enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0); 560 /* 561 * We've handled the mac now - there is no MAC inside the encrypted 562 * record 563 */ 564 mac_size = 0; 565 } 566 567 if (mac_size > 0) { 568 macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs); 569 if (macbufs == NULL) { 570 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 571 return -1; 572 } 573 } 574 575 enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0, macbufs, mac_size); 530 576 531 577 /*- 532 578 * enc_err is: 533 * 0: (in non-constant time) if the record is publicly invalid.534 * 1: if the padding is valid535 * -1: if the padding is invalid579 * 0: if the record is publicly invalid, or an internal error, or AEAD 580 * decryption failed, or ETM decryption failed. 581 * 1: Success or MTE decryption failed (MAC will be randomised) 536 582 */ 537 583 if (enc_err == 0) { 538 584 if (ossl_statem_in_error(s)) { 539 585 /* SSLfatal() already got called */ 540 return -1;586 goto end; 541 587 } 542 588 if (num_recs == 1 && ossl_statem_skip_early_data(s)) { 543 589 /* 544 * Valid early_data that we cannot decrypt might fail here as545 * publicly invalid. We treatit like an empty record.590 * Valid early_data that we cannot decrypt will fail here. We treat 591 * it like an empty record. 546 592 */ 547 593 … … 551 597 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { 552 598 /* SSLfatal() already called */ 553 return -1;599 goto end; 554 600 } 555 601 … … 558 604 RECORD_LAYER_set_numrpipes(&s->rlayer, 1); 559 605 RECORD_LAYER_reset_read_sequence(&s->rlayer); 560 return 1; 561 } 562 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, 563 SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); 564 return -1; 565 } 566 #ifdef SSL_DEBUG 567 printf("dec %lu\n", (unsigned long)rr[0].length); 568 { 569 size_t z; 570 for (z = 0; z < rr[0].length; z++) 571 printf("%02X%c", rr[0].data[z], ((z + 1) % 16) ? ' ' : '\n'); 572 } 573 printf("\n"); 574 #endif 606 ret = 1; 607 goto end; 608 } 609 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, 610 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 611 goto end; 612 } 613 OSSL_TRACE_BEGIN(TLS) { 614 BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length); 615 BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4); 616 } OSSL_TRACE_END(TLS); 575 617 576 618 /* r->length is now the compressed data plus mac */ 577 if ((sess != NULL) &&578 (s->enc_read_ctx != NULL) &&579 (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) {619 if ((sess != NULL) 620 && (s->enc_read_ctx != NULL) 621 && (!SSL_READ_ETM(s) && EVP_MD_CTX_get0_md(s->read_hash) != NULL)) { 580 622 /* s->read_hash != NULL => mac_size != -1 */ 581 unsigned char *mac = NULL;582 unsigned char mac_tmp[EVP_MAX_MD_SIZE];583 584 mac_size = EVP_MD_CTX_size(s->read_hash);585 if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {586 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,587 ERR_R_INTERNAL_ERROR);588 return -1;589 }590 623 591 624 for (j = 0; j < num_recs; j++) { 625 SSL_MAC_BUF *thismb = &macbufs[j]; 592 626 thisrr = &rr[j]; 593 /*594 * orig_len is the length of the record before any padding was595 * removed. This is public information, as is the MAC in use,596 * therefore we can safely process the record in a different amount597 * of time if it's too short to possibly contain a MAC.598 */599 if (thisrr->orig_len < mac_size ||600 /* CBC records must have a padding length byte too. */601 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&602 thisrr->orig_len < mac_size + 1)) {603 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD,604 SSL_R_LENGTH_TOO_SHORT);605 return -1;606 }607 608 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {609 /*610 * We update the length so that the TLS header bytes can be611 * constructed correctly but we need to extract the MAC in612 * constant time from within the record, without leaking the613 * contents of the padding bytes.614 */615 mac = mac_tmp;616 if (!ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size)) {617 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD,618 ERR_R_INTERNAL_ERROR);619 return -1;620 }621 thisrr->length -= mac_size;622 } else {623 /*624 * In this case there's no padding, so |rec->orig_len| equals625 * |rec->length| and we checked that there's enough bytes for626 * |mac_size| above.627 */628 thisrr->length -= mac_size;629 mac = &thisrr->data[thisrr->length];630 }631 627 632 628 i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ ); 633 if (i == 0 || mac == NULL634 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)635 enc_err = -1;629 if (i == 0 || thismb == NULL || thismb->mac == NULL 630 || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0) 631 enc_err = 0; 636 632 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) 637 enc_err = -1;638 } 639 } 640 641 if (enc_err <0) {633 enc_err = 0; 634 } 635 } 636 637 if (enc_err == 0) { 642 638 if (ossl_statem_in_error(s)) { 643 639 /* We already called SSLfatal() */ 644 return -1; 645 } 646 if (num_recs == 1 && ossl_statem_skip_early_data(s)) { 647 /* 648 * We assume this is unreadable early_data - we treat it like an 649 * empty record 650 */ 651 652 /* 653 * The record length may have been modified by the mac check above 654 * so we use the previously saved value 655 */ 656 if (!early_data_count_ok(s, first_rec_len, 657 EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { 658 /* SSLfatal() already called */ 659 return -1; 660 } 661 662 thisrr = &rr[0]; 663 thisrr->length = 0; 664 thisrr->read = 1; 665 RECORD_LAYER_set_numrpipes(&s->rlayer, 1); 666 RECORD_LAYER_reset_read_sequence(&s->rlayer); 667 return 1; 640 goto end; 668 641 } 669 642 /* … … 674 647 * visible to an attacker (e.g. via a logfile) 675 648 */ 676 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,649 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, 677 650 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 678 return -1; 679 } 651 goto end; 652 } 653 654 skip_decryption: 680 655 681 656 for (j = 0; j < num_recs; j++) { … … 685 660 if (s->expand != NULL) { 686 661 if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { 687 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,662 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, 688 663 SSL_R_COMPRESSED_LENGTH_TOO_LONG); 689 return -1;664 goto end; 690 665 } 691 666 if (!ssl3_do_uncompress(s, thisrr)) { 692 SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_F_SSL3_GET_RECORD,667 SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, 693 668 SSL_R_BAD_DECOMPRESSION); 694 return -1;669 goto end; 695 670 } 696 671 } … … 703 678 if (thisrr->length == 0 704 679 || thisrr->type != SSL3_RT_APPLICATION_DATA) { 705 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, 706 SSL_R_BAD_RECORD_TYPE); 707 return -1; 680 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); 681 goto end; 708 682 } 709 683 … … 718 692 && thisrr->type != SSL3_RT_ALERT 719 693 && thisrr->type != SSL3_RT_HANDSHAKE) { 720 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, 721 SSL_R_BAD_RECORD_TYPE); 722 return -1; 694 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); 695 goto end; 723 696 } 724 697 if (s->msg_callback) … … 735 708 || thisrr->type == SSL3_RT_ALERT) 736 709 && thisrr->length == 0) { 737 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, 738 SSL_R_BAD_LENGTH); 739 return -1; 740 } 741 742 if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) { 743 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, 744 SSL_R_DATA_LENGTH_TOO_LONG); 745 return -1; 710 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_LENGTH); 711 goto end; 712 } 713 714 if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH 715 && !BIO_get_ktls_recv(s->rbio)) { 716 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); 717 goto end; 746 718 } 747 719 748 720 /* If received packet overflows current Max Fragment Length setting */ 749 721 if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) 750 && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session) ) {751 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,752 753 return -1;722 && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session) 723 && !BIO_get_ktls_recv(s->rbio)) { 724 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); 725 goto end; 754 726 } 755 727 … … 768 740 if (RECORD_LAYER_get_empty_record_count(&s->rlayer) 769 741 > MAX_EMPTY_RECORDS) { 770 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, 771 SSL_R_RECORD_TOO_SMALL); 772 return -1; 742 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_RECORD_TOO_SMALL); 743 goto end; 773 744 } 774 745 } else { … … 782 753 && !early_data_count_ok(s, thisrr->length, 0, 0)) { 783 754 /* SSLfatal already called */ 784 return -1;755 goto end; 785 756 } 786 757 } 787 758 788 759 RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs); 789 return 1; 760 ret = 1; 761 end: 762 if (macbufs != NULL) { 763 for (j = 0; j < num_recs; j++) { 764 if (macbufs[j].alloced) 765 OPENSSL_free(macbufs[j].mac); 766 } 767 OPENSSL_free(macbufs); 768 } 769 return ret; 790 770 } 791 771 … … 802 782 return 0; 803 783 804 /* TODO(size_t): Convert this call */805 784 i = COMP_expand_block(ssl->expand, rr->comp, 806 785 SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length); … … 819 798 int i; 820 799 821 /* TODO(size_t): Convert this call */822 800 i = COMP_compress_block(ssl->compress, wr->data, 823 801 (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD), … … 834 812 835 813 /*- 836 * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Will call 837 * SSLfatal() for internal errors, but not otherwise. 814 * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Calls SSLfatal on 815 * internal error, but not otherwise. It is the responsibility of the caller to 816 * report a bad_record_mac 838 817 * 839 818 * Returns: 840 * 0: (in non-constant time) if the record is publicly invalid (i.e. too 841 * short etc). 842 * 1: if the record's padding is valid / the encryption was successful. 843 * -1: if the record's padding is invalid or, if sending, an internal error 844 * occurred. 819 * 0: if the record is publicly invalid, or an internal error 820 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised) 845 821 */ 846 int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending) 822 int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending, 823 SSL_MAC_BUF *mac, size_t macsize) 847 824 { 848 825 SSL3_RECORD *rec; 849 826 EVP_CIPHER_CTX *ds; 850 827 size_t l, i; 851 size_t bs, mac_size = 0; 852 int imac_size; 828 size_t bs; 853 829 const EVP_CIPHER *enc; 854 830 … … 864 840 enc = NULL; 865 841 else 866 enc = EVP_CIPHER_CTX_ cipher(s->enc_write_ctx);842 enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx); 867 843 } else { 868 844 ds = s->enc_read_ctx; … … 870 846 enc = NULL; 871 847 else 872 enc = EVP_CIPHER_CTX_ cipher(s->enc_read_ctx);848 enc = EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx); 873 849 } 874 850 … … 877 853 rec->input = rec->data; 878 854 } else { 855 int provided = (EVP_CIPHER_get0_provider(enc) != NULL); 856 879 857 l = rec->length; 880 /* TODO(size_t): Convert this call */ 881 bs = EVP_CIPHER_CTX_block_size(ds); 858 bs = EVP_CIPHER_CTX_get_block_size(ds); 882 859 883 860 /* COMPRESS */ 884 861 885 if ((bs != 1) && sending) { 862 if ((bs != 1) && sending && !provided) { 863 /* 864 * We only do this for legacy ciphers. Provided ciphers add the 865 * padding on the provider side. 866 */ 886 867 i = bs - (l % bs); 887 868 … … 898 879 899 880 if (!sending) { 900 if (l == 0 || l % bs != 0) 881 if (l == 0 || l % bs != 0) { 882 /* Publicly invalid */ 901 883 return 0; 884 } 902 885 /* otherwise, rec->length >= bs */ 903 886 } 904 887 905 /* TODO(size_t): Convert this call */ 906 if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) 907 return -1; 908 909 if (EVP_MD_CTX_md(s->read_hash) != NULL) { 910 /* TODO(size_t): convert me */ 911 imac_size = EVP_MD_CTX_size(s->read_hash); 912 if (imac_size < 0) { 913 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_ENC, 914 ERR_R_INTERNAL_ERROR); 915 return -1; 916 } 917 mac_size = (size_t)imac_size; 918 } 919 if ((bs != 1) && !sending) 920 return ssl3_cbc_remove_padding(rec, bs, mac_size); 888 if (EVP_CIPHER_get0_provider(enc) != NULL) { 889 int outlen; 890 891 if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input, 892 (unsigned int)l)) 893 return 0; 894 rec->length = outlen; 895 896 if (!sending && mac != NULL) { 897 /* Now get a pointer to the MAC */ 898 OSSL_PARAM params[2], *p = params; 899 900 /* Get the MAC */ 901 mac->alloced = 0; 902 903 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC, 904 (void **)&mac->mac, 905 macsize); 906 *p = OSSL_PARAM_construct_end(); 907 908 if (!EVP_CIPHER_CTX_get_params(ds, params)) { 909 /* Shouldn't normally happen */ 910 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 911 return 0; 912 } 913 } 914 } else { 915 if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) { 916 /* Shouldn't happen */ 917 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR); 918 return 0; 919 } 920 921 if (!sending) 922 return ssl3_cbc_remove_padding_and_mac(&rec->length, 923 rec->orig_len, 924 rec->data, 925 (mac != NULL) ? &mac->mac : NULL, 926 (mac != NULL) ? &mac->alloced : NULL, 927 bs, 928 macsize, 929 s->ctx->libctx); 930 } 921 931 } 922 932 return 1; … … 925 935 #define MAX_PADDING 256 926 936 /*- 927 * tls1_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for 928 * internal errors, but not otherwise. 937 * tls1_enc encrypts/decrypts |n_recs| in |recs|. Calls SSLfatal on internal 938 * error, but not otherwise. It is the responsibility of the caller to report 939 * a bad_record_mac - if appropriate (DTLS just drops the record). 929 940 * 930 941 * Returns: 931 * 0: (in non-constant time) if the record is publicly invalid (i.e. too 932 * short etc). 933 * 1: if the record's padding is valid / the encryption was successful. 934 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, 935 * an internal error occurred. 942 * 0: if the record is publicly invalid, or an internal error, or AEAD 943 * decryption failed, or Encrypt-then-mac decryption failed. 944 * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised) 936 945 */ 937 int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) 946 int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, 947 SSL_MAC_BUF *macs, size_t macsize) 938 948 { 939 949 EVP_CIPHER_CTX *ds; 940 950 size_t reclen[SSL_MAX_PIPELINES]; 941 951 unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN]; 942 int i, pad = 0, ret,tmpr;943 size_t bs, mac_size = 0,ctr, padnum, loop;952 int i, pad = 0, tmpr; 953 size_t bs, ctr, padnum, loop; 944 954 unsigned char padval; 945 int imac_size;946 955 const EVP_CIPHER *enc; 956 int tlstree_enc = sending ? (s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) 957 : (s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE); 947 958 948 959 if (n_recs == 0) { 949 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 950 ERR_R_INTERNAL_ERROR); 960 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 951 961 return 0; 952 962 } 953 963 954 964 if (sending) { 955 if (EVP_MD_CTX_ md(s->write_hash)) {956 int n = EVP_MD_CTX_ size(s->write_hash);965 if (EVP_MD_CTX_get0_md(s->write_hash)) { 966 int n = EVP_MD_CTX_get_size(s->write_hash); 957 967 if (!ossl_assert(n >= 0)) { 958 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 959 ERR_R_INTERNAL_ERROR); 960 return -1; 968 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 969 return 0; 961 970 } 962 971 } … … 966 975 else { 967 976 int ivlen; 968 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 977 978 enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx); 969 979 /* For TLSv1.1 and later explicit IV */ 970 980 if (SSL_USE_EXPLICIT_IV(s) 971 && EVP_CIPHER_ mode(enc) == EVP_CIPH_CBC_MODE)972 ivlen = EVP_CIPHER_ iv_length(enc);981 && EVP_CIPHER_get_mode(enc) == EVP_CIPH_CBC_MODE) 982 ivlen = EVP_CIPHER_get_iv_length(enc); 973 983 else 974 984 ivlen = 0; … … 980 990 * happen?? (steve) 981 991 */ 982 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 983 ERR_R_INTERNAL_ERROR); 984 return -1; 985 } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) { 986 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 987 ERR_R_INTERNAL_ERROR); 988 return -1; 992 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 993 return 0; 994 } else if (RAND_bytes_ex(s->ctx->libctx, recs[ctr].input, 995 ivlen, 0) <= 0) { 996 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 997 return 0; 989 998 } 990 999 } … … 992 1001 } 993 1002 } else { 994 if (EVP_MD_CTX_ md(s->read_hash)) {995 int n = EVP_MD_CTX_ size(s->read_hash);1003 if (EVP_MD_CTX_get0_md(s->read_hash)) { 1004 int n = EVP_MD_CTX_get_size(s->read_hash); 996 1005 if (!ossl_assert(n >= 0)) { 997 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 998 ERR_R_INTERNAL_ERROR); 999 return -1; 1006 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1007 return 0; 1000 1008 } 1001 1009 } … … 1004 1012 enc = NULL; 1005 1013 else 1006 enc = EVP_CIPHER_CTX_ cipher(s->enc_read_ctx);1014 enc = EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx); 1007 1015 } 1008 1016 … … 1012 1020 recs[ctr].input = recs[ctr].data; 1013 1021 } 1014 ret = 1;1015 1022 } else { 1016 bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_cipher(ds)); 1023 int provided = (EVP_CIPHER_get0_provider(enc) != NULL); 1024 1025 bs = EVP_CIPHER_get_block_size(EVP_CIPHER_CTX_get0_cipher(ds)); 1017 1026 1018 1027 if (n_recs > 1) { 1019 if ( !(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))1020 & EVP_CIPH_FLAG_PIPELINE) ) {1028 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds)) 1029 & EVP_CIPH_FLAG_PIPELINE) == 0) { 1021 1030 /* 1022 1031 * We shouldn't have been called with pipeline data if the 1023 1032 * cipher doesn't support pipelining 1024 1033 */ 1025 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1026 SSL_R_PIPELINE_FAILURE); 1027 return -1; 1034 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE); 1035 return 0; 1028 1036 } 1029 1037 } … … 1031 1039 reclen[ctr] = recs[ctr].length; 1032 1040 1033 if ( EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))1034 & EVP_CIPH_FLAG_AEAD_CIPHER) {1041 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds)) 1042 & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) { 1035 1043 unsigned char *seq; 1036 1044 … … 1040 1048 if (SSL_IS_DTLS(s)) { 1041 1049 /* DTLS does not support pipelining */ 1042 unsigned char dtlsseq[ 9], *p = dtlsseq;1050 unsigned char dtlsseq[8], *p = dtlsseq; 1043 1051 1044 1052 s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) : … … 1063 1071 EVP_AEAD_TLS1_AAD_LEN, buf[ctr]); 1064 1072 if (pad <= 0) { 1065 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1066 ERR_R_INTERNAL_ERROR); 1067 return -1; 1073 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1074 return 0; 1068 1075 } 1069 1076 … … 1073 1080 } 1074 1081 1075 } else if ((bs != 1) && sending) { 1082 } else if ((bs != 1) && sending && !provided) { 1083 /* 1084 * We only do this for legacy ciphers. Provided ciphers add the 1085 * padding on the provider side. 1086 */ 1076 1087 padnum = bs - (reclen[ctr] % bs); 1077 1088 … … 1079 1090 1080 1091 if (padnum > MAX_PADDING) { 1081 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1082 ERR_R_INTERNAL_ERROR); 1083 return -1; 1092 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1093 return 0; 1084 1094 } 1085 1095 /* we need to add 'padnum' padding bytes of value padval */ … … 1092 1102 1093 1103 if (!sending) { 1094 if (reclen[ctr] == 0 || reclen[ctr] % bs != 0) 1104 if (reclen[ctr] == 0 || reclen[ctr] % bs != 0) { 1105 /* Publicly invalid */ 1095 1106 return 0; 1107 } 1096 1108 } 1097 1109 } … … 1105 1117 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS, 1106 1118 (int)n_recs, data) <= 0) { 1107 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1108 SSL_R_PIPELINE_FAILURE); 1109 return -1; 1119 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE); 1120 return 0; 1110 1121 } 1111 1122 /* Set the input buffers */ … … 1117 1128 || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS, 1118 1129 (int)n_recs, reclen) <= 0) { 1119 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1120 SSL_R_PIPELINE_FAILURE); 1121 return -1; 1122 } 1123 } 1124 1125 /* TODO(size_t): Convert this call */ 1126 tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input, 1127 (unsigned int)reclen[0]); 1128 if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) 1129 & EVP_CIPH_FLAG_CUSTOM_CIPHER) 1130 ? (tmpr < 0) 1131 : (tmpr == 0)) 1132 return -1; /* AEAD can fail to verify MAC */ 1133 1134 if (sending == 0) { 1135 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) { 1130 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PIPELINE_FAILURE); 1131 return 0; 1132 } 1133 } 1134 1135 if (!SSL_IS_DTLS(s) && tlstree_enc) { 1136 unsigned char *seq; 1137 int decrement_seq = 0; 1138 1139 /* 1140 * When sending, seq is incremented after MAC calculation. 1141 * So if we are in ETM mode, we use seq 'as is' in the ctrl-function. 1142 * Otherwise we have to decrease it in the implementation 1143 */ 1144 if (sending && !SSL_WRITE_ETM(s)) 1145 decrement_seq = 1; 1146 1147 seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer) 1148 : RECORD_LAYER_get_read_sequence(&s->rlayer); 1149 if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_TLSTREE, decrement_seq, seq) <= 0) { 1150 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1151 return 0; 1152 } 1153 } 1154 1155 if (provided) { 1156 int outlen; 1157 1158 /* Provided cipher - we do not support pipelining on this path */ 1159 if (n_recs > 1) { 1160 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1161 return 0; 1162 } 1163 1164 if (!EVP_CipherUpdate(ds, recs[0].data, &outlen, recs[0].input, 1165 (unsigned int)reclen[0])) 1166 return 0; 1167 recs[0].length = outlen; 1168 1169 /* 1170 * The length returned from EVP_CipherUpdate above is the actual 1171 * payload length. We need to adjust the data/input ptr to skip over 1172 * any explicit IV 1173 */ 1174 if (!sending) { 1175 if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) { 1176 recs[0].data += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1177 recs[0].input += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1178 } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) { 1179 recs[0].data += EVP_CCM_TLS_EXPLICIT_IV_LEN; 1180 recs[0].input += EVP_CCM_TLS_EXPLICIT_IV_LEN; 1181 } else if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) { 1182 recs[0].data += bs; 1183 recs[0].input += bs; 1184 recs[0].orig_len -= bs; 1185 } 1186 1187 /* Now get a pointer to the MAC (if applicable) */ 1188 if (macs != NULL) { 1189 OSSL_PARAM params[2], *p = params; 1190 1191 /* Get the MAC */ 1192 macs[0].alloced = 0; 1193 1194 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC, 1195 (void **)&macs[0].mac, 1196 macsize); 1197 *p = OSSL_PARAM_construct_end(); 1198 1199 if (!EVP_CIPHER_CTX_get_params(ds, params)) { 1200 /* Shouldn't normally happen */ 1201 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1202 ERR_R_INTERNAL_ERROR); 1203 return 0; 1204 } 1205 } 1206 } 1207 } else { 1208 /* Legacy cipher */ 1209 1210 tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input, 1211 (unsigned int)reclen[0]); 1212 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds)) 1213 & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0 1214 ? (tmpr < 0) 1215 : (tmpr == 0)) { 1216 /* AEAD can fail to verify MAC */ 1217 return 0; 1218 } 1219 1220 if (!sending) { 1136 1221 for (ctr = 0; ctr < n_recs; ctr++) { 1137 recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1138 recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1139 recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 1222 /* Adjust the record to remove the explicit IV/MAC/Tag */ 1223 if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) { 1224 recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1225 recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1226 recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 1227 } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) { 1228 recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN; 1229 recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN; 1230 recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN; 1231 } else if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) { 1232 if (recs[ctr].length < bs) 1233 return 0; 1234 recs[ctr].data += bs; 1235 recs[ctr].input += bs; 1236 recs[ctr].length -= bs; 1237 recs[ctr].orig_len -= bs; 1238 } 1239 1240 /* 1241 * If using Mac-then-encrypt, then this will succeed but 1242 * with a random MAC if padding is invalid 1243 */ 1244 if (!tls1_cbc_remove_padding_and_mac(&recs[ctr].length, 1245 recs[ctr].orig_len, 1246 recs[ctr].data, 1247 (macs != NULL) ? &macs[ctr].mac : NULL, 1248 (macs != NULL) ? &macs[ctr].alloced 1249 : NULL, 1250 bs, 1251 pad ? (size_t)pad : macsize, 1252 (EVP_CIPHER_get_flags(enc) 1253 & EVP_CIPH_FLAG_AEAD_CIPHER) != 0, 1254 s->ctx->libctx)) 1255 return 0; 1140 1256 } 1141 } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) { 1142 for (ctr = 0; ctr < n_recs; ctr++) { 1143 recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN; 1144 recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN; 1145 recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN; 1146 } 1147 } 1148 } 1149 1150 ret = 1; 1151 if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) { 1152 imac_size = EVP_MD_CTX_size(s->read_hash); 1153 if (imac_size < 0) { 1154 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, 1155 ERR_R_INTERNAL_ERROR); 1156 return -1; 1157 } 1158 mac_size = (size_t)imac_size; 1159 } 1160 if ((bs != 1) && !sending) { 1161 int tmpret; 1162 for (ctr = 0; ctr < n_recs; ctr++) { 1163 tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size); 1164 /* 1165 * If tmpret == 0 then this means publicly invalid so we can 1166 * short circuit things here. Otherwise we must respect constant 1167 * time behaviour. 1168 */ 1169 if (tmpret == 0) 1170 return 0; 1171 ret = constant_time_select_int(constant_time_eq_int(tmpret, 1), 1172 ret, -1); 1173 } 1174 } 1175 if (pad && !sending) { 1176 for (ctr = 0; ctr < n_recs; ctr++) { 1177 recs[ctr].length -= pad; 1178 } 1179 } 1180 } 1181 return ret; 1257 } 1258 } 1259 } 1260 return 1; 1261 } 1262 1263 /* 1264 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function 1265 * which ssl3_cbc_digest_record supports. 1266 */ 1267 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) 1268 { 1269 switch (EVP_MD_CTX_get_type(ctx)) { 1270 case NID_md5: 1271 case NID_sha1: 1272 case NID_sha224: 1273 case NID_sha256: 1274 case NID_sha384: 1275 case NID_sha512: 1276 return 1; 1277 default: 1278 return 0; 1279 } 1182 1280 } 1183 1281 … … 1192 1290 1193 1291 if (sending) { 1194 mac_sec = &(ssl->s3 ->write_mac_secret[0]);1292 mac_sec = &(ssl->s3.write_mac_secret[0]); 1195 1293 seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer); 1196 1294 hash = ssl->write_hash; 1197 1295 } else { 1198 mac_sec = &(ssl->s3 ->read_mac_secret[0]);1296 mac_sec = &(ssl->s3.read_mac_secret[0]); 1199 1297 seq = RECORD_LAYER_get_read_sequence(&ssl->rlayer); 1200 1298 hash = ssl->read_hash; 1201 1299 } 1202 1300 1203 t = EVP_MD_CTX_ size(hash);1301 t = EVP_MD_CTX_get_size(hash); 1204 1302 if (t < 0) 1205 1303 return 0; … … 1207 1305 npad = (48 / md_size) * md_size; 1208 1306 1209 if (!sending && 1210 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 1211 ssl3_cbc_record_digest_supported(hash)) { 1307 if (!sending 1308 && EVP_CIPHER_CTX_get_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE 1309 && ssl3_cbc_record_digest_supported(hash)) { 1310 #ifdef OPENSSL_NO_DEPRECATED_3_0 1311 return 0; 1312 #else 1212 1313 /* 1213 1314 * This is a CBC-encrypted record. We must avoid leaking any … … 1237 1338 1238 1339 /* Final param == is SSLv3 */ 1239 if (ssl3_cbc_digest_record( hash,1340 if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash), 1240 1341 md, &md_size, 1241 1342 header, rec->input, 1242 rec->length + md_size, rec->orig_len,1343 rec->length, rec->orig_len, 1243 1344 mac_sec, md_size, 1) <= 0) 1244 1345 return 0; 1346 #endif 1245 1347 } else { 1246 1348 unsigned int md_size_u; … … 1286 1388 EVP_MD_CTX *hmac = NULL, *mac_ctx; 1287 1389 unsigned char header[13]; 1288 int stream_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) 1289 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM)); 1390 int stream_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) 1391 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM); 1392 int tlstree_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) 1393 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE); 1290 1394 int t; 1291 1395 … … 1298 1402 } 1299 1403 1300 t = EVP_MD_CTX_ size(hash);1404 t = EVP_MD_CTX_get_size(hash); 1301 1405 if (!ossl_assert(t >= 0)) 1302 1406 return 0; … … 1315 1419 } 1316 1420 1421 if (!SSL_IS_DTLS(ssl) && tlstree_mac && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) { 1422 EVP_MD_CTX_free(hmac); 1423 return 0; 1424 } 1425 1317 1426 if (SSL_IS_DTLS(ssl)) { 1318 1427 unsigned char dtlsseq[8], *p = dtlsseq; … … 1332 1441 header[12] = (unsigned char)(rec->length & 0xff); 1333 1442 1334 if (!sending && !SSL_READ_ETM(ssl) && 1335 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 1336 ssl3_cbc_record_digest_supported(mac_ctx)) { 1337 /* 1338 * This is a CBC-encrypted record. We must avoid leaking any 1339 * timing-side channel information about how many blocks of data we 1340 * are hashing because that gives an attacker a timing-oracle. 1341 */ 1342 /* Final param == not SSLv3 */ 1343 if (ssl3_cbc_digest_record(mac_ctx, 1344 md, &md_size, 1345 header, rec->input, 1346 rec->length + md_size, rec->orig_len, 1347 ssl->s3->read_mac_secret, 1348 ssl->s3->read_mac_secret_size, 0) <= 0) { 1349 EVP_MD_CTX_free(hmac); 1443 if (!sending && !SSL_READ_ETM(ssl) 1444 && EVP_CIPHER_CTX_get_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE 1445 && ssl3_cbc_record_digest_supported(mac_ctx)) { 1446 OSSL_PARAM tls_hmac_params[2], *p = tls_hmac_params; 1447 1448 *p++ = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE, 1449 &rec->orig_len); 1450 *p++ = OSSL_PARAM_construct_end(); 1451 1452 if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_get_pkey_ctx(mac_ctx), 1453 tls_hmac_params)) 1350 1454 return 0; 1351 } 1352 } else { 1353 /* TODO(size_t): Convert these calls */ 1354 if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0 1355 || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0 1356 || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) { 1357 EVP_MD_CTX_free(hmac); 1358 return 0; 1359 } 1455 } 1456 1457 if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0 1458 || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0 1459 || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) { 1460 EVP_MD_CTX_free(hmac); 1461 return 0; 1360 1462 } 1361 1463 1362 1464 EVP_MD_CTX_free(hmac); 1363 1465 1364 #ifdef SSL_DEBUG 1365 fprintf(stderr, "seq="); 1366 { 1367 int z; 1368 for (z = 0; z < 8; z++) 1369 fprintf(stderr, "%02X ", seq[z]); 1370 fprintf(stderr, "\n"); 1371 } 1372 fprintf(stderr, "rec="); 1373 { 1374 size_t z; 1375 for (z = 0; z < rec->length; z++) 1376 fprintf(stderr, "%02X ", rec->data[z]); 1377 fprintf(stderr, "\n"); 1378 } 1379 #endif 1466 OSSL_TRACE_BEGIN(TLS) { 1467 BIO_printf(trc_out, "seq:\n"); 1468 BIO_dump_indent(trc_out, seq, 8, 4); 1469 BIO_printf(trc_out, "rec:\n"); 1470 BIO_dump_indent(trc_out, rec->data, rec->length, 4); 1471 } OSSL_TRACE_END(TLS); 1380 1472 1381 1473 if (!SSL_IS_DTLS(ssl)) { … … 1386 1478 } 1387 1479 } 1388 #ifdef SSL_DEBUG 1389 { 1390 unsigned int z; 1391 for (z = 0; z < md_size; z++) 1392 fprintf(stderr, "%02X ", md[z]); 1393 fprintf(stderr, "\n"); 1394 } 1395 #endif 1396 return 1; 1397 } 1398 1399 /*- 1400 * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC 1401 * record in |rec| by updating |rec->length| in constant time. 1402 * 1403 * block_size: the block size of the cipher used to encrypt the record. 1404 * returns: 1405 * 0: (in non-constant time) if the record is publicly invalid. 1406 * 1: if the padding was valid 1407 * -1: otherwise. 1408 */ 1409 int ssl3_cbc_remove_padding(SSL3_RECORD *rec, 1410 size_t block_size, size_t mac_size) 1411 { 1412 size_t padding_length; 1413 size_t good; 1414 const size_t overhead = 1 /* padding length byte */ + mac_size; 1415 1416 /* 1417 * These lengths are all public so we can test them in non-constant time. 1418 */ 1419 if (overhead > rec->length) 1420 return 0; 1421 1422 padding_length = rec->data[rec->length - 1]; 1423 good = constant_time_ge_s(rec->length, padding_length + overhead); 1424 /* SSLv3 requires that the padding is minimal. */ 1425 good &= constant_time_ge_s(block_size, padding_length + 1); 1426 rec->length -= good & (padding_length + 1); 1427 return constant_time_select_int_s(good, 1, -1); 1428 } 1429 1430 /*- 1431 * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC 1432 * record in |rec| in constant time and returns 1 if the padding is valid and 1433 * -1 otherwise. It also removes any explicit IV from the start of the record 1434 * without leaking any timing about whether there was enough space after the 1435 * padding was removed. 1436 * 1437 * block_size: the block size of the cipher used to encrypt the record. 1438 * returns: 1439 * 0: (in non-constant time) if the record is publicly invalid. 1440 * 1: if the padding was valid 1441 * -1: otherwise. 1442 */ 1443 int tls1_cbc_remove_padding(const SSL *s, 1444 SSL3_RECORD *rec, 1445 size_t block_size, size_t mac_size) 1446 { 1447 size_t good; 1448 size_t padding_length, to_check, i; 1449 const size_t overhead = 1 /* padding length byte */ + mac_size; 1450 /* Check if version requires explicit IV */ 1451 if (SSL_USE_EXPLICIT_IV(s)) { 1452 /* 1453 * These lengths are all public so we can test them in non-constant 1454 * time. 1455 */ 1456 if (overhead + block_size > rec->length) 1457 return 0; 1458 /* We can now safely skip explicit IV */ 1459 rec->data += block_size; 1460 rec->input += block_size; 1461 rec->length -= block_size; 1462 rec->orig_len -= block_size; 1463 } else if (overhead > rec->length) 1464 return 0; 1465 1466 padding_length = rec->data[rec->length - 1]; 1467 1468 if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) & 1469 EVP_CIPH_FLAG_AEAD_CIPHER) { 1470 /* padding is already verified */ 1471 rec->length -= padding_length + 1; 1472 return 1; 1473 } 1474 1475 good = constant_time_ge_s(rec->length, overhead + padding_length); 1476 /* 1477 * The padding consists of a length byte at the end of the record and 1478 * then that many bytes of padding, all with the same value as the length 1479 * byte. Thus, with the length byte included, there are i+1 bytes of 1480 * padding. We can't check just |padding_length+1| bytes because that 1481 * leaks decrypted information. Therefore we always have to check the 1482 * maximum amount of padding possible. (Again, the length of the record 1483 * is public information so we can use it.) 1484 */ 1485 to_check = 256; /* maximum amount of padding, inc length byte. */ 1486 if (to_check > rec->length) 1487 to_check = rec->length; 1488 1489 for (i = 0; i < to_check; i++) { 1490 unsigned char mask = constant_time_ge_8_s(padding_length, i); 1491 unsigned char b = rec->data[rec->length - 1 - i]; 1492 /* 1493 * The final |padding_length+1| bytes should all have the value 1494 * |padding_length|. Therefore the XOR should be zero. 1495 */ 1496 good &= ~(mask & (padding_length ^ b)); 1497 } 1498 1499 /* 1500 * If any of the final |padding_length+1| bytes had the wrong value, one 1501 * or more of the lower eight bits of |good| will be cleared. 1502 */ 1503 good = constant_time_eq_s(0xff, good & 0xff); 1504 rec->length -= good & (padding_length + 1); 1505 1506 return constant_time_select_int_s(good, 1, -1); 1507 } 1508 1509 /*- 1510 * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in 1511 * constant time (independent of the concrete value of rec->length, which may 1512 * vary within a 256-byte window). 1513 * 1514 * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to 1515 * this function. 1516 * 1517 * On entry: 1518 * rec->orig_len >= md_size 1519 * md_size <= EVP_MAX_MD_SIZE 1520 * 1521 * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with 1522 * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into 1523 * a single or pair of cache-lines, then the variable memory accesses don't 1524 * actually affect the timing. CPUs with smaller cache-lines [if any] are 1525 * not multi-core and are not considered vulnerable to cache-timing attacks. 1526 */ 1527 #define CBC_MAC_ROTATE_IN_PLACE 1528 1529 int ssl3_cbc_copy_mac(unsigned char *out, 1530 const SSL3_RECORD *rec, size_t md_size) 1531 { 1532 #if defined(CBC_MAC_ROTATE_IN_PLACE) 1533 unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE]; 1534 unsigned char *rotated_mac; 1535 #else 1536 unsigned char rotated_mac[EVP_MAX_MD_SIZE]; 1537 #endif 1538 1539 /* 1540 * mac_end is the index of |rec->data| just after the end of the MAC. 1541 */ 1542 size_t mac_end = rec->length; 1543 size_t mac_start = mac_end - md_size; 1544 size_t in_mac; 1545 /* 1546 * scan_start contains the number of bytes that we can ignore because the 1547 * MAC's position can only vary by 255 bytes. 1548 */ 1549 size_t scan_start = 0; 1550 size_t i, j; 1551 size_t rotate_offset; 1552 1553 if (!ossl_assert(rec->orig_len >= md_size 1554 && md_size <= EVP_MAX_MD_SIZE)) 1555 return 0; 1556 1557 #if defined(CBC_MAC_ROTATE_IN_PLACE) 1558 rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63); 1559 #endif 1560 1561 /* This information is public so it's safe to branch based on it. */ 1562 if (rec->orig_len > md_size + 255 + 1) 1563 scan_start = rec->orig_len - (md_size + 255 + 1); 1564 1565 in_mac = 0; 1566 rotate_offset = 0; 1567 memset(rotated_mac, 0, md_size); 1568 for (i = scan_start, j = 0; i < rec->orig_len; i++) { 1569 size_t mac_started = constant_time_eq_s(i, mac_start); 1570 size_t mac_ended = constant_time_lt_s(i, mac_end); 1571 unsigned char b = rec->data[i]; 1572 1573 in_mac |= mac_started; 1574 in_mac &= mac_ended; 1575 rotate_offset |= j & mac_started; 1576 rotated_mac[j++] |= b & in_mac; 1577 j &= constant_time_lt_s(j, md_size); 1578 } 1579 1580 /* Now rotate the MAC */ 1581 #if defined(CBC_MAC_ROTATE_IN_PLACE) 1582 j = 0; 1583 for (i = 0; i < md_size; i++) { 1584 /* in case cache-line is 32 bytes, touch second line */ 1585 ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32]; 1586 out[j++] = rotated_mac[rotate_offset++]; 1587 rotate_offset &= constant_time_lt_s(rotate_offset, md_size); 1588 } 1589 #else 1590 memset(out, 0, md_size); 1591 rotate_offset = md_size - rotate_offset; 1592 rotate_offset &= constant_time_lt_s(rotate_offset, md_size); 1593 for (i = 0; i < md_size; i++) { 1594 for (j = 0; j < md_size; j++) 1595 out[j] |= rotated_mac[i] & constant_time_eq_8_s(j, rotate_offset); 1596 rotate_offset++; 1597 rotate_offset &= constant_time_lt_s(rotate_offset, md_size); 1598 } 1599 #endif 1600 1480 OSSL_TRACE_BEGIN(TLS) { 1481 BIO_printf(trc_out, "md:\n"); 1482 BIO_dump_indent(trc_out, md, md_size, 4); 1483 } OSSL_TRACE_END(TLS); 1601 1484 return 1; 1602 1485 } … … 1609 1492 SSL3_RECORD *rr; 1610 1493 int imac_size; 1611 size_t mac_size ;1494 size_t mac_size = 0; 1612 1495 unsigned char md[EVP_MAX_MD_SIZE]; 1613 1496 size_t max_plain_length = SSL3_RT_MAX_PLAIN_LENGTH; 1497 SSL_MAC_BUF macbuf = { NULL, 0 }; 1498 int ret = 0; 1614 1499 1615 1500 rr = RECORD_LAYER_get_rrec(&s->rlayer); … … 1636 1521 /* check is not needed I believe */ 1637 1522 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 1638 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, 1639 SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 1523 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 1640 1524 return 0; 1641 1525 } … … 1645 1529 rr->orig_len = rr->length; 1646 1530 1531 if (s->read_hash != NULL) { 1532 const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash); 1533 1534 if (tmpmd != NULL) { 1535 imac_size = EVP_MD_get_size(tmpmd); 1536 if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { 1537 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 1538 return -1; 1539 } 1540 mac_size = (size_t)imac_size; 1541 } 1542 } 1543 1647 1544 if (SSL_READ_ETM(s) && s->read_hash) { 1648 1545 unsigned char *mac; 1649 mac_size = EVP_MD_CTX_size(s->read_hash); 1650 if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { 1651 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, 1652 ERR_R_INTERNAL_ERROR); 1653 return 0; 1654 } 1546 1655 1547 if (rr->orig_len < mac_size) { 1656 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD, 1657 SSL_R_LENGTH_TOO_SHORT); 1548 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); 1658 1549 return 0; 1659 1550 } … … 1662 1553 i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); 1663 1554 if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { 1664 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_DTLS1_PROCESS_RECORD,1665 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);1555 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, 1556 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 1666 1557 return 0; 1667 1558 } 1668 } 1669 1670 enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0); 1559 /* 1560 * We've handled the mac now - there is no MAC inside the encrypted 1561 * record 1562 */ 1563 mac_size = 0; 1564 } 1565 1566 /* 1567 * Set a mark around the packet decryption attempt. This is DTLS, so 1568 * bad packets are just ignored, and we don't want to leave stray 1569 * errors in the queue from processing bogus junk that we ignored. 1570 */ 1571 ERR_set_mark(); 1572 enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0, &macbuf, mac_size); 1573 1671 1574 /*- 1672 1575 * enc_err is: 1673 * 0: (in non-constant time) if the record is publicly invalid.1674 * 1: if the padding is valid1675 * -1: if the padding is invalid1576 * 0: if the record is publicly invalid, or an internal error, or AEAD 1577 * decryption failed, or ETM decryption failed. 1578 * 1: Success or MTE decryption failed (MAC will be randomised) 1676 1579 */ 1677 1580 if (enc_err == 0) { 1581 ERR_pop_to_mark(); 1678 1582 if (ossl_statem_in_error(s)) { 1679 1583 /* SSLfatal() got called */ 1680 return 0;1584 goto end; 1681 1585 } 1682 1586 /* For DTLS we simply ignore bad packets. */ 1683 1587 rr->length = 0; 1684 1588 RECORD_LAYER_reset_packet_length(&s->rlayer); 1685 return 0; 1686 } 1687 #ifdef SSL_DEBUG 1688 printf("dec %ld\n", rr->length); 1689 { 1690 size_t z; 1691 for (z = 0; z < rr->length; z++) 1692 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n'); 1693 } 1694 printf("\n"); 1695 #endif 1589 goto end; 1590 } 1591 ERR_clear_last_mark(); 1592 OSSL_TRACE_BEGIN(TLS) { 1593 BIO_printf(trc_out, "dec %zd\n", rr->length); 1594 BIO_dump_indent(trc_out, rr->data, rr->length, 4); 1595 } OSSL_TRACE_END(TLS); 1696 1596 1697 1597 /* r->length is now the compressed data plus mac */ 1698 if ((sess != NULL) && !SSL_READ_ETM(s) && 1699 (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) { 1598 if ((sess != NULL) 1599 && !SSL_READ_ETM(s) 1600 && (s->enc_read_ctx != NULL) 1601 && (EVP_MD_CTX_get0_md(s->read_hash) != NULL)) { 1700 1602 /* s->read_hash != NULL => mac_size != -1 */ 1701 unsigned char *mac = NULL;1702 unsigned char mac_tmp[EVP_MAX_MD_SIZE];1703 1704 /* TODO(size_t): Convert this to do size_t properly */1705 imac_size = EVP_MD_CTX_size(s->read_hash);1706 if (imac_size < 0) {1707 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,1708 ERR_LIB_EVP);1709 return 0;1710 }1711 mac_size = (size_t)imac_size;1712 if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {1713 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,1714 ERR_R_INTERNAL_ERROR);1715 return 0;1716 }1717 1718 /*1719 * orig_len is the length of the record before any padding was1720 * removed. This is public information, as is the MAC in use,1721 * therefore we can safely process the record in a different amount1722 * of time if it's too short to possibly contain a MAC.1723 */1724 if (rr->orig_len < mac_size ||1725 /* CBC records must have a padding length byte too. */1726 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&1727 rr->orig_len < mac_size + 1)) {1728 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD,1729 SSL_R_LENGTH_TOO_SHORT);1730 return 0;1731 }1732 1733 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {1734 /*1735 * We update the length so that the TLS header bytes can be1736 * constructed correctly but we need to extract the MAC in1737 * constant time from within the record, without leaking the1738 * contents of the padding bytes.1739 */1740 mac = mac_tmp;1741 if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) {1742 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,1743 ERR_R_INTERNAL_ERROR);1744 return 0;1745 }1746 rr->length -= mac_size;1747 } else {1748 /*1749 * In this case there's no padding, so |rec->orig_len| equals1750 * |rec->length| and we checked that there's enough bytes for1751 * |mac_size| above.1752 */1753 rr->length -= mac_size;1754 mac = &rr->data[rr->length];1755 }1756 1603 1757 1604 i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); 1758 if (i == 0 || mac == NULL1759 || CRYPTO_memcmp(md, mac , mac_size) != 0)1760 enc_err = -1;1605 if (i == 0 || macbuf.mac == NULL 1606 || CRYPTO_memcmp(md, macbuf.mac, mac_size) != 0) 1607 enc_err = 0; 1761 1608 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) 1762 enc_err = -1;1763 } 1764 1765 if (enc_err <0) {1609 enc_err = 0; 1610 } 1611 1612 if (enc_err == 0) { 1766 1613 /* decryption failed, silently discard message */ 1767 1614 rr->length = 0; 1768 1615 RECORD_LAYER_reset_packet_length(&s->rlayer); 1769 return 0;1616 goto end; 1770 1617 } 1771 1618 … … 1773 1620 if (s->expand != NULL) { 1774 1621 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { 1775 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,1622 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, 1776 1623 SSL_R_COMPRESSED_LENGTH_TOO_LONG); 1777 return 0;1624 goto end; 1778 1625 } 1779 1626 if (!ssl3_do_uncompress(s, rr)) { 1780 SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, 1781 SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); 1782 return 0; 1627 SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_R_BAD_DECOMPRESSION); 1628 goto end; 1783 1629 } 1784 1630 } … … 1790 1636 /* send overflow if the plaintext is too long now it has passed MAC */ 1791 1637 if (rr->length > max_plain_length) { 1792 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, 1793 SSL_R_DATA_LENGTH_TOO_LONG); 1794 return 0; 1638 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); 1639 goto end; 1795 1640 } 1796 1641 … … 1798 1643 /*- 1799 1644 * So at this point the following is true 1800 * ssl->s3 ->rrec.type is the type of record1801 * ssl->s3 ->rrec.length == number of bytes in record1802 * ssl->s3 ->rrec.off == offset to first valid byte1803 * ssl->s3 ->rrec.data == where to take bytes from, increment1804 * 1645 * ssl->s3.rrec.type is the type of record 1646 * ssl->s3.rrec.length == number of bytes in record 1647 * ssl->s3.rrec.off == offset to first valid byte 1648 * ssl->s3.rrec.data == where to take bytes from, increment 1649 * after use :-). 1805 1650 */ 1806 1651 … … 1811 1656 dtls1_record_bitmap_update(s, bitmap); 1812 1657 1813 return 1; 1658 ret = 1; 1659 end: 1660 if (macbuf.alloced) 1661 OPENSSL_free(macbuf.mac); 1662 return ret; 1814 1663 } 1815 1664 … … 1826 1675 * or non-blocking IO. 1827 1676 * When it finishes, one packet has been decoded and can be found in 1828 * ssl->s3 ->rrec.type - is the type of record1829 * ssl->s3 ->rrec.data,- data1830 * ssl->s3 ->rrec.length,- number of bytes1677 * ssl->s3.rrec.type - is the type of record 1678 * ssl->s3.rrec.data - data 1679 * ssl->s3.rrec.length - number of bytes 1831 1680 */ 1832 1681 /* used only by dtls1_read_bytes */ … … 1983 1832 #endif 1984 1833 /* Check whether this is a repeat, or aged record. */ 1985 /*1986 * TODO: Does it make sense to have replay protection in epoch 0 where1987 * we have no integrity negotiated yet?1988 */1989 1834 if (!dtls1_record_replay_check(s, bitmap)) { 1990 1835 rr->length = 0; -
trunk/src/libs/openssl-3.0.1/ssl/record/ssl3_record_tls13.c
r91772 r94082 1 1 /* 2 * Copyright 2016-20 18The OpenSSL Project Authors. All Rights Reserved.2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. 3 3 * 4 * Licensed under the OpenSSL license(the "License"). You may not use4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 5 * this file except in compliance with the License. You can obtain a copy 6 6 * in the file LICENSE in the source distribution or at … … 13 13 14 14 /*- 15 * tls13_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for 16 * internal errors, but not otherwise. 15 * tls13_enc encrypts/decrypts |n_recs| in |recs|. Calls SSLfatal on internal 16 * error, but not otherwise. It is the responsibility of the caller to report 17 * a bad_record_mac. 17 18 * 18 19 * Returns: 19 * 0: (in non-constant time) if the record is publicly invalid (i.e. too 20 * short etc). 21 * 1: if the record encryption was successful. 22 * -1: if the record's AEAD-authenticator is invalid or, if sending, 23 * an internal error occurred. 20 * 0: On failure 21 * 1: if the record encryption/decryption was successful. 24 22 */ 25 int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) 23 int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, 24 ossl_unused SSL_MAC_BUF *mac, ossl_unused size_t macsize) 26 25 { 27 26 EVP_CIPHER_CTX *ctx; … … 37 36 if (n_recs != 1) { 38 37 /* Should not happen */ 39 /* TODO(TLS1.3): Support pipelining */ 40 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, 41 ERR_R_INTERNAL_ERROR); 42 return -1; 38 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 39 return 0; 43 40 } 44 41 … … 65 62 } 66 63 67 ivlen = EVP_CIPHER_CTX_ iv_length(ctx);64 ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); 68 65 69 66 if (s->early_data_state == SSL_EARLY_DATA_WRITING … … 74 71 if (!ossl_assert(s->psksession != NULL 75 72 && s->psksession->ext.max_early_data > 0)) { 76 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, 77 ERR_R_INTERNAL_ERROR); 78 return -1; 73 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 74 return 0; 79 75 } 80 76 alg_enc = s->psksession->cipher->algorithm_enc; … … 85 81 * be NULL 86 82 */ 87 if (!ossl_assert(s->s3->tmp.new_cipher != NULL)) { 88 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, 89 ERR_R_INTERNAL_ERROR); 90 return -1; 83 if (!ossl_assert(s->s3.tmp.new_cipher != NULL)) { 84 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 85 return 0; 91 86 } 92 alg_enc = s->s3 ->tmp.new_cipher->algorithm_enc;87 alg_enc = s->s3.tmp.new_cipher->algorithm_enc; 93 88 } 94 89 … … 100 95 if (sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, 101 96 NULL) <= 0) { 102 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, 103 ERR_R_INTERNAL_ERROR); 104 return -1; 97 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 98 return 0; 105 99 } 106 100 } else if (alg_enc & SSL_AESGCM) { … … 109 103 taglen = EVP_CHACHAPOLY_TLS_TAG_LEN; 110 104 } else { 111 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, 112 ERR_R_INTERNAL_ERROR); 113 return -1; 105 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 106 return 0; 114 107 } 115 108 … … 127 120 if (ivlen < SEQ_NUM_SIZE) { 128 121 /* Should not happen */ 129 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, 130 ERR_R_INTERNAL_ERROR); 131 return -1; 122 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 123 return 0; 132 124 } 133 125 offset = ivlen - SEQ_NUM_SIZE; … … 144 136 if (loop == 0) { 145 137 /* Sequence has wrapped */ 146 return -1;138 return 0; 147 139 } 148 140 149 /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */150 141 if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0 151 142 || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 152 143 taglen, 153 144 rec->data + rec->length) <= 0)) { 154 return -1; 145 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 146 return 0; 155 147 } 156 148 … … 163 155 || hdrlen != SSL3_RT_HEADER_LENGTH 164 156 || !WPACKET_finish(&wpkt)) { 157 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 165 158 WPACKET_cleanup(&wpkt); 166 return -1;159 return 0; 167 160 } 168 161 … … 180 173 || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0 181 174 || (size_t)(lenu + lenf) != rec->length) { 182 return -1;175 return 0; 183 176 } 184 177 if (sending) { … … 186 179 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, 187 180 rec->data + rec->length) <= 0) { 188 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, 189 ERR_R_INTERNAL_ERROR); 190 return -1; 181 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 182 return 0; 191 183 } 192 184 rec->length += taglen;
Note:
See TracChangeset
for help on using the changeset viewer.
