1 files changed, 22 insertions, 112 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 859043a3ce..30ce78414d 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.84 2020/10/03 17:11:28 jsing Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.85 2020/10/03 17:35:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -310,130 +310,40 @@ dtls1_process_buffered_records(SSL *s)
 static int
 dtls1_process_record(SSL *s)
 {
-        int i, al;
+        SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec);
-        int enc_err;
+        uint8_t alert_desc;
-        SSL_SESSION *sess;
+        uint8_t *out;
-        SSL3_RECORD_INTERNAL *rr;
+        size_t out_len;
-        unsigned int mac_size, orig_len;
-        unsigned char md[EVP_MAX_MD_SIZE];
-        rr = &(S3I(s)->rrec);
-        sess = s->session;
-        /* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
-         * and we have that many bytes in s->internal->packet
-         */
-        rr->input = &(s->internal->packet[DTLS1_RT_HEADER_LENGTH]);
-        /* ok, we can now read from 's->internal->packet' data into 'rr'
-         * rr->input points at rr->length bytes, which
-         * need to be copied into rr->data by either
-         * the decryption or by the decompression
-         * When the data is 'copied' into the rr->data buffer,
-         * rr->input will be pointed at the new buffer */
-        /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
-         * rr->length bytes of encrypted compressed stuff. */
-        /* check is not needed I believe */
-        if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
-                al = SSL_AD_RECORD_OVERFLOW;
-                SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
-                goto f_err;
-        }
-        /* decrypt in place in 'rr->input' */
-        rr->data = rr->input;
-        /* enc_err is:
-         *    0: (in non-constant time) if the record is publically invalid.
-         *    1: if the padding is valid
-         *    -1: if the padding is invalid */
-        if ((enc_err = tls1_enc(s, 0)) == 0) {
-                /* For DTLS we simply ignore bad packets. */
-                rr->length = 0;
-                s->internal->packet_length = 0;
-                goto err;
-        }
-        /* r->length is now the compressed data plus mac */
+        tls12_record_layer_set_version(s->internal->rl, s->version);
-        if ((sess != NULL) && (s->enc_read_ctx != NULL) &&
+        tls12_record_layer_set_read_epoch(s->internal->rl, rr->epoch);
-            (EVP_MD_CTX_md(s->read_hash) != NULL)) {
-                /* s->read_hash != NULL => mac_size != -1 */
-                unsigned char *mac = NULL;
-                unsigned char mac_tmp[EVP_MAX_MD_SIZE];
-                mac_size = EVP_MD_CTX_size(s->read_hash);
-                OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
-                orig_len = rr->length + rr->padding_length;
-                /* orig_len is the length of the record before any padding was
-                 * removed. This is public information, as is the MAC in use,
-                 * therefore we can safely process the record in a different
-                 * amount of time if it's too short to possibly contain a MAC.
-                 */
-                if (orig_len < mac_size ||
-                        /* CBC records must have a padding length byte too. */
-                    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-                    orig_len < mac_size + 1)) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerror(s, SSL_R_LENGTH_TOO_SHORT);
-                        goto f_err;
-                }
-                if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
+        if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet,
-                        /* We update the length so that the TLS header bytes
+            s->internal->packet_length, &out, &out_len)) {
-                         * can be constructed correctly but we need to extract
+                tls12_record_layer_alert(s->internal->rl, &alert_desc);
-                         * the MAC in constant time from within the record,
-                         * without leaking the contents of the padding bytes.
-                         * */
-                        mac = mac_tmp;
-                        ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
-                        rr->length -= mac_size;
-                } else {
-                        /* In this case there's no padding, so |orig_len|
-                         * equals |rec->length| and we checked that there's
-                         * enough bytes for |mac_size| above. */
-                        rr->length -= mac_size;
-                        mac = &rr->data[rr->length];
-                }
-                i = tls1_mac(s, md, 0 /* not send */);
+                if (alert_desc == 0)
-                if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)
+                        goto err;
-                        enc_err = -1;
-                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
-                        enc_err = -1;
-        }
-        if (enc_err < 0) {
+                if (alert_desc == SSL_AD_RECORD_OVERFLOW)
-                /* decryption failed, silently discard message */
+                        SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
-                rr->length = 0;
+                else if (alert_desc == SSL_AD_BAD_RECORD_MAC)
-                s->internal->packet_length = 0;
+                        SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
-                goto err;
-        }
-        if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
-                al = SSL_AD_RECORD_OVERFLOW;
-                SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
                goto f_err;
        }
+        rr->data = out;
+        rr->length = out_len;
        rr->off = 0;
-        /* So at this point the following is true
-         * ssl->s3->internal->rrec.type         is the type of record
-         * ssl->s3->internal->rrec.length       == number of bytes in record
-         * ssl->s3->internal->rrec.off  == offset to first valid byte
-         * ssl->s3->internal->rrec.data == where to take bytes from, increment
-         *                         after use :-).
-         */
-        /* we have pulled in a full packet so zero things */
        s->internal->packet_length = 0;
        return (1);
-f_err:
+ f_err:
-        ssl3_send_alert(s, SSL3_AL_FATAL, al);
+        ssl3_send_alert(s, SSL3_AL_FATAL, alert_desc);
-err:
+ err:
        return (0);
 }

diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index 859043a3ce..30ce78414d 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d1_pkt.c,v 1.84 2020/10/03 17:11:28 jsing Exp $ */	1	/* $OpenBSD: d1_pkt.c,v 1.85 2020/10/03 17:35:16 jsing Exp $ */
2	/*	2	/*
3	* DTLS implementation written by Nagendra Modadugu	3	* DTLS implementation written by Nagendra Modadugu
4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -310,130 +310,40 @@ dtls1_process_buffered_records(SSL *s)
310	static int	310	static int
311	dtls1_process_record(SSL *s)	311	dtls1_process_record(SSL *s)
312	{	312	{
313	int i, al;	313	SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec);
314	int enc_err;	314	uint8_t alert_desc;
315	SSL_SESSION *sess;	315	uint8_t *out;
316	SSL3_RECORD_INTERNAL *rr;	316	size_t out_len;
317	unsigned int mac_size, orig_len;
318	unsigned char md[EVP_MAX_MD_SIZE];
319
320	rr = &(S3I(s)->rrec);
321	sess = s->session;
322
323	/* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
324	* and we have that many bytes in s->internal->packet
325	*/
326	rr->input = &(s->internal->packet[DTLS1_RT_HEADER_LENGTH]);
327
328	/* ok, we can now read from 's->internal->packet' data into 'rr'
329	* rr->input points at rr->length bytes, which
330	* need to be copied into rr->data by either
331	* the decryption or by the decompression
332	* When the data is 'copied' into the rr->data buffer,
333	* rr->input will be pointed at the new buffer */
334
335	/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
336	* rr->length bytes of encrypted compressed stuff. */
337
338	/* check is not needed I believe */
339	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
340	al = SSL_AD_RECORD_OVERFLOW;
341	SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
342	goto f_err;
343	}
344
345	/* decrypt in place in 'rr->input' */
346	rr->data = rr->input;
347
348	/* enc_err is:
349	* 0: (in non-constant time) if the record is publically invalid.
350	* 1: if the padding is valid
351	* -1: if the padding is invalid */
352	if ((enc_err = tls1_enc(s, 0)) == 0) {
353	/* For DTLS we simply ignore bad packets. */
354	rr->length = 0;
355	s->internal->packet_length = 0;
356	goto err;
357	}
358		317
359	/* r->length is now the compressed data plus mac */	318	tls12_record_layer_set_version(s->internal->rl, s->version);
360	if ((sess != NULL) && (s->enc_read_ctx != NULL) &&	319	tls12_record_layer_set_read_epoch(s->internal->rl, rr->epoch);
361	(EVP_MD_CTX_md(s->read_hash) != NULL)) {
362	/* s->read_hash != NULL => mac_size != -1 */
363	unsigned char *mac = NULL;
364	unsigned char mac_tmp[EVP_MAX_MD_SIZE];
365	mac_size = EVP_MD_CTX_size(s->read_hash);
366	OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
367
368	orig_len = rr->length + rr->padding_length;
369
370	/* orig_len is the length of the record before any padding was
371	* removed. This is public information, as is the MAC in use,
372	* therefore we can safely process the record in a different
373	* amount of time if it's too short to possibly contain a MAC.
374	*/
375	if (orig_len < mac_size \|\|
376	/* CBC records must have a padding length byte too. */
377	(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
378	orig_len < mac_size + 1)) {
379	al = SSL_AD_DECODE_ERROR;
380	SSLerror(s, SSL_R_LENGTH_TOO_SHORT);
381	goto f_err;
382	}
383		320
384	if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {	321	if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet,
385	/* We update the length so that the TLS header bytes	322	s->internal->packet_length, &out, &out_len)) {
386	* can be constructed correctly but we need to extract	323	tls12_record_layer_alert(s->internal->rl, &alert_desc);
387	* the MAC in constant time from within the record,
388	* without leaking the contents of the padding bytes.
389	* */
390	mac = mac_tmp;
391	ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
392	rr->length -= mac_size;
393	} else {
394	/* In this case there's no padding, so \|orig_len\|
395	* equals \|rec->length\| and we checked that there's
396	* enough bytes for \|mac_size\| above. */
397	rr->length -= mac_size;
398	mac = &rr->data[rr->length];
399	}
400		324
401	i = tls1_mac(s, md, 0 /* not send */);	325	if (alert_desc == 0)
402	if (i < 0 \|\| mac == NULL \|\| timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)	326	goto err;
403	enc_err = -1;
404	if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
405	enc_err = -1;
406	}
407		327
408	if (enc_err < 0) {	328	if (alert_desc == SSL_AD_RECORD_OVERFLOW)
409	/* decryption failed, silently discard message */	329	SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
410	rr->length = 0;	330	else if (alert_desc == SSL_AD_BAD_RECORD_MAC)
411	s->internal->packet_length = 0;	331	SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
412	goto err;
413	}
414		332
415	if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
416	al = SSL_AD_RECORD_OVERFLOW;
417	SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
418	goto f_err;	333	goto f_err;
419	}	334	}
420		335
		336	rr->data = out;
		337	rr->length = out_len;
421	rr->off = 0;	338	rr->off = 0;
422	/* So at this point the following is true
423	* ssl->s3->internal->rrec.type is the type of record
424	* ssl->s3->internal->rrec.length == number of bytes in record
425	* ssl->s3->internal->rrec.off == offset to first valid byte
426	* ssl->s3->internal->rrec.data == where to take bytes from, increment
427	* after use :-).
428	*/
429		339
430	/* we have pulled in a full packet so zero things */
431	s->internal->packet_length = 0;	340	s->internal->packet_length = 0;
		341
432	return (1);	342	return (1);
433		343
434	f_err:	344	f_err:
435	ssl3_send_alert(s, SSL3_AL_FATAL, al);	345	ssl3_send_alert(s, SSL3_AL_FATAL, alert_desc);
436	err:	346	err:
437	return (0);	347	return (0);
438	}	348	}
439		349