diff options
Diffstat (limited to 'deps/openssl/openssl/ssl/d1_pkt.c')
| -rw-r--r-- | deps/openssl/openssl/ssl/d1_pkt.c | 120 |
1 files changed, 54 insertions, 66 deletions
diff --git a/deps/openssl/openssl/ssl/d1_pkt.c b/deps/openssl/openssl/ssl/d1_pkt.c index e3e9864dfa..0bf87be6d2 100644 --- a/deps/openssl/openssl/ssl/d1_pkt.c +++ b/deps/openssl/openssl/ssl/d1_pkt.c @@ -376,15 +376,11 @@ static int dtls1_process_record(SSL *s) { int i,al; - int clear=0; int enc_err; SSL_SESSION *sess; SSL3_RECORD *rr; - unsigned int mac_size; + unsigned int mac_size, orig_len; unsigned char md[EVP_MAX_MD_SIZE]; - int decryption_failed_or_bad_record_mac = 0; - unsigned char *mac = NULL; - rr= &(s->s3->rrec); sess = s->session; @@ -416,12 +412,16 @@ dtls1_process_record(SSL *s) rr->data=rr->input; enc_err = s->method->ssl3_enc->enc(s,0); - if (enc_err <= 0) + /* enc_err is: + * 0: (in non-constant time) if the record is publically invalid. + * 1: if the padding is valid + * -1: if the padding is invalid */ + if (enc_err == 0) { - /* To minimize information leaked via timing, we will always - * perform all computations before discarding the message. - */ - decryption_failed_or_bad_record_mac = 1; + /* For DTLS we simply ignore bad packets. */ + rr->length = 0; + s->packet_length = 0; + goto err; } #ifdef TLS_DEBUG @@ -431,45 +431,62 @@ printf("\n"); #endif /* r->length is now the compressed data plus mac */ - if ( (sess == NULL) || - (s->enc_read_ctx == NULL) || - (s->read_hash == NULL)) - clear=1; - - if (!clear) + if ((sess != NULL) && + (s->enc_read_ctx != NULL) && + (EVP_MD_CTX_md(s->read_hash) != NULL)) { - /* !clear => s->read_hash != NULL => mac_size != -1 */ - int t; - t=EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(t >= 0); - mac_size=t; - - if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) + /* s->read_hash != NULL => mac_size != -1 */ + unsigned char *mac = NULL; + unsigned char mac_tmp[EVP_MAX_MD_SIZE]; + mac_size=EVP_MD_CTX_size(s->read_hash); + OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); + + /* kludge: *_cbc_remove_padding passes padding length in rr->type */ + orig_len = rr->length+((unsigned int)rr->type>>8); + + /* orig_len is the length of the record before any padding was + * removed. This is public information, as is the MAC in use, + * therefore we can safely process the record in a different + * amount of time if it's too short to possibly contain a MAC. + */ + if (orig_len < mac_size || + /* CBC records must have a padding length byte too. */ + (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && + orig_len < mac_size+1)) { -#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ - al=SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); + al=SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; -#else - decryption_failed_or_bad_record_mac = 1; -#endif } - /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ - if (rr->length >= mac_size) + + if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { + /* We update the length so that the TLS header bytes + * can be constructed correctly but we need to extract + * the MAC in constant time from within the record, + * without leaking the contents of the padding bytes. + * */ + mac = mac_tmp; + ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); rr->length -= mac_size; - mac = &rr->data[rr->length]; } else - rr->length = 0; - i=s->method->ssl3_enc->mac(s,md,0); - if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0) { - decryption_failed_or_bad_record_mac = 1; + /* In this case there's no padding, so |orig_len| + * equals |rec->length| and we checked that there's + * enough bytes for |mac_size| above. */ + rr->length -= mac_size; + mac = &rr->data[rr->length]; } + + i=s->method->ssl3_enc->mac(s,md,0 /* not send */); + if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) + enc_err = -1; + if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) + enc_err = -1; } - if (decryption_failed_or_bad_record_mac) + if (enc_err < 0) { /* decryption failed, silently discard message */ rr->length = 0; @@ -614,24 +631,6 @@ again: goto again; } - /* If we receive a valid record larger than the current buffer size, - * allocate some memory for it. - */ - if (rr->length > s->s3->rbuf.len - DTLS1_RT_HEADER_LENGTH) - { - unsigned char *pp; - unsigned int newlen = rr->length + DTLS1_RT_HEADER_LENGTH; - if ((pp=OPENSSL_realloc(s->s3->rbuf.buf, newlen))==NULL) - { - SSLerr(SSL_F_DTLS1_GET_RECORD,ERR_R_MALLOC_FAILURE); - return(-1); - } - p = pp + (p - s->s3->rbuf.buf); - s->s3->rbuf.buf=pp; - s->s3->rbuf.len=newlen; - s->packet= &(s->s3->rbuf.buf[0]); - } - /* now s->rstate == SSL_ST_READ_BODY */ } @@ -1470,7 +1469,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, SSL3_BUFFER *wb; SSL_SESSION *sess; int bs; - unsigned int len_with_overhead = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD; /* first check if there is a SSL3_BUFFER still being written * out. This will happen with non blocking IO */ @@ -1480,16 +1478,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, return(ssl3_write_pending(s,type,buf,len)); } - if (s->s3->wbuf.len < len_with_overhead) - { - if ((p=OPENSSL_realloc(s->s3->wbuf.buf, len_with_overhead)) == NULL) { - SSLerr(SSL_F_DO_DTLS1_WRITE,ERR_R_MALLOC_FAILURE); - goto err; - } - s->s3->wbuf.buf = p; - s->s3->wbuf.len = len_with_overhead; - } - /* If we have an alert to send, lets send it */ if (s->s3->alert_dispatch) { |