1 files changed, 33 insertions, 133 deletions
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index c9c86471d3..02a476ea82 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.31 2020/08/30 15:40:20 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.32 2020/10/03 17:35:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -149,15 +149,14 @@ ssl_force_want_read(SSL *s)
 static int
 ssl3_read_n(SSL *s, int n, int max, int extend)
 {
+        SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf);
        int i, len, left;
        size_t align;
        unsigned char *pkt;
-        SSL3_BUFFER_INTERNAL *rb;
        if (n <= 0)
                return n;
-        rb = &(S3I(s)->rbuf);
        if (rb->buf == NULL)
                if (!ssl3_setup_read_buffer(s))
                        return -1;
@@ -327,15 +326,13 @@ ssl3_packet_extend(SSL *s, int plen)
 static int
 ssl3_get_record(SSL *s)
 {
-        int al;
+        SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf);
-        int enc_err, n, i, ret = -1;
+        SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec);
-        SSL3_RECORD_INTERNAL *rr;
+        uint8_t alert_desc;
-        SSL_SESSION *sess;
+        uint8_t *out;
-        unsigned char md[EVP_MAX_MD_SIZE];
+        size_t out_len;
-        unsigned int mac_size, orig_len;
+        int al, n;
+        int ret = -1;
-        rr = &(S3I(s)->rrec);
-        sess = s->session;
 again:
        /* check if we have the header */
@@ -387,17 +384,13 @@ ssl3_get_record(SSL *s)
                        goto err;
                }
-                if (rr->length > S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH) {
+                if (rr->length > rb->len - SSL3_RT_HEADER_LENGTH) {
                        al = SSL_AD_RECORD_OVERFLOW;
                        SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG);
                        goto f_err;
                }
-                /* now s->internal->rstate == SSL_ST_READ_BODY */
        }
-        /* s->internal->rstate == SSL_ST_READ_BODY, get and decode the data */
        n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH + rr->length);
        if (n <= 0)
                return (n);
@@ -406,133 +399,40 @@ ssl3_get_record(SSL *s)
        s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */
-        /* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
+        /*
-         * and we have that many bytes in s->internal->packet
+         * A full record has now been read from the wire, which now needs
+         * to be processed.
         */
-        rr->input = &(s->internal->packet[SSL3_RT_HEADER_LENGTH]);
+        tls12_record_layer_set_version(s->internal->rl, s->version);
-        /* ok, we can now read from 's->internal->packet' data into 'rr'
-         * rr->input points at rr->length bytes, which
-         * need to be copied into rr->data by either
-         * the decryption or by the decompression
-         * When the data is 'copied' into the rr->data buffer,
-         * rr->input will be pointed at the new buffer */
-        /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
-         * rr->length bytes of encrypted compressed stuff. */
-        /* check is not needed I believe */
-        if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
-                al = SSL_AD_RECORD_OVERFLOW;
-                SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
-                goto f_err;
-        }
-        /* decrypt in place in 'rr->input' */
-        rr->data = rr->input;
-        /* enc_err is:
+        if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet,
-         *    0: (in non-constant time) if the record is publically invalid.
+            s->internal->packet_length, &out, &out_len)) {
-         *    1: if the padding is valid
+                tls12_record_layer_alert(s->internal->rl, &alert_desc);
-         *    -1: if the padding is invalid */
-        if ((enc_err = tls1_enc(s, 0)) == 0) {
-                al = SSL_AD_BAD_RECORD_MAC;
-                SSLerror(s, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-                goto f_err;
-        }
-        /* r->length is now the compressed data plus mac */
-        if ((sess != NULL) && (s->enc_read_ctx != NULL) &&
-            (EVP_MD_CTX_md(s->read_hash) != NULL)) {
-                /* s->read_hash != NULL => mac_size != -1 */
-                unsigned char *mac = NULL;
-                unsigned char mac_tmp[EVP_MAX_MD_SIZE];
-                mac_size = EVP_MD_CTX_size(s->read_hash);
-                OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
-                orig_len = rr->length + rr->padding_length;
-                /* orig_len is the length of the record before any padding was
+                if (alert_desc == 0)
-                 * removed. This is public information, as is the MAC in use,
+                        goto err;
-                 * therefore we can safely process the record in a different
-                 * amount of time if it's too short to possibly contain a MAC.
-                 */
-                if (orig_len < mac_size ||
-                        /* CBC records must have a padding length byte too. */
-                    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-                    orig_len < mac_size + 1)) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerror(s, SSL_R_LENGTH_TOO_SHORT);
-                        goto f_err;
-                }
-                if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
-                        /* We update the length so that the TLS header bytes
-                         * can be constructed correctly but we need to extract
-                         * the MAC in constant time from within the record,
-                         * without leaking the contents of the padding bytes.
-                         * */
-                        mac = mac_tmp;
-                        ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
-                        rr->length -= mac_size;
-                } else {
-                        /* In this case there's no padding, so |orig_len|
-                         * equals |rec->length| and we checked that there's
-                         * enough bytes for |mac_size| above. */
-                        rr->length -= mac_size;
-                        mac = &rr->data[rr->length];
-                }
-                i = tls1_mac(s,md,0 /* not send */);
+                if (alert_desc == SSL_AD_RECORD_OVERFLOW)
-                if (i < 0 || mac == NULL ||
+                        SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
-                    timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)
+                else if (alert_desc == SSL_AD_BAD_RECORD_MAC)
-                        enc_err = -1;
+                        SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
-                if (rr->length >
-                    SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
-                        enc_err = -1;
-        }
-        if (enc_err < 0) {
+                al = alert_desc;
-                /*
-                 * A separate 'decryption_failed' alert was introduced with
-                 * TLS 1.0, SSL 3.0 only has 'bad_record_mac'. But unless a
-                 * decryption failure is directly visible from the ciphertext
-                 * anyway, we should not reveal which kind of error
-                 * occurred -- this might become visible to an attacker
-                 * (e.g. via a logfile)
-                 */
-                al = SSL_AD_BAD_RECORD_MAC;
-                SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
-                goto f_err;
-        }
-        if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
-                al = SSL_AD_RECORD_OVERFLOW;
-                SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
                goto f_err;
        }
+        rr->data = out;
+        rr->length = out_len;
        rr->off = 0;
-        /*
-         * So at this point the following is true
-         *
-         * ssl->s3->internal->rrec.type         is the type of record
-         * ssl->s3->internal->rrec.length       == number of bytes in record
-         * ssl->s3->internal->rrec.off  == offset to first valid byte
-         * ssl->s3->internal->rrec.data == where to take bytes from, increment
-         *                         after use :-).
-         */
        /* we have pulled in a full packet so zero things */
        s->internal->packet_length = 0;
        if (rr->length == 0) {
                /*
-                 * CBC countermeasures for known IV weaknesses
+                 * CBC countermeasures for known IV weaknesses can legitimately
-                 * can legitimately insert a single empty record,
+                 * insert a single empty record, so we allow ourselves to read
-                 * so we allow ourselves to read once past a single
+                 * once past a single empty record without forcing want_read.
-                 * empty record without forcing want_read.
                 */
                if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) {
                        SSLerror(s, SSL_R_PEER_BEHAVING_BADLY);
@@ -543,15 +443,15 @@ ssl3_get_record(SSL *s)
                        return -1;
                }
                goto again;
-        } else {
-                s->internal->empty_record_count = 0;
        }
+        s->internal->empty_record_count = 0;
        return (1);
-f_err:
+ f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
-err:
+ err:
        return (ret);
 }

diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c index c9c86471d3..02a476ea82 100644 --- a/src/lib/libssl/ssl_pkt.c +++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_pkt.c,v 1.31 2020/08/30 15:40:20 jsing Exp $ */	1	/* $OpenBSD: ssl_pkt.c,v 1.32 2020/10/03 17:35:16 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -149,15 +149,14 @@ ssl_force_want_read(SSL *s)
149	static int	149	static int
150	ssl3_read_n(SSL *s, int n, int max, int extend)	150	ssl3_read_n(SSL *s, int n, int max, int extend)
151	{	151	{
		152	SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf);
152	int i, len, left;	153	int i, len, left;
153	size_t align;	154	size_t align;
154	unsigned char *pkt;	155	unsigned char *pkt;
155	SSL3_BUFFER_INTERNAL *rb;
156		156
157	if (n <= 0)	157	if (n <= 0)
158	return n;	158	return n;
159		159
160	rb = &(S3I(s)->rbuf);
161	if (rb->buf == NULL)	160	if (rb->buf == NULL)
162	if (!ssl3_setup_read_buffer(s))	161	if (!ssl3_setup_read_buffer(s))
163	return -1;	162	return -1;
@@ -327,15 +326,13 @@ ssl3_packet_extend(SSL *s, int plen)
327	static int	326	static int
328	ssl3_get_record(SSL *s)	327	ssl3_get_record(SSL *s)
329	{	328	{
330	int al;	329	SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf);
331	int enc_err, n, i, ret = -1;	330	SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec);
332	SSL3_RECORD_INTERNAL *rr;	331	uint8_t alert_desc;
333	SSL_SESSION *sess;	332	uint8_t *out;
334	unsigned char md[EVP_MAX_MD_SIZE];	333	size_t out_len;
335	unsigned int mac_size, orig_len;	334	int al, n;
336		335	int ret = -1;
337	rr = &(S3I(s)->rrec);
338	sess = s->session;
339		336
340	again:	337	again:
341	/* check if we have the header */	338	/* check if we have the header */
@@ -387,17 +384,13 @@ ssl3_get_record(SSL *s)
387	goto err;	384	goto err;
388	}	385	}
389		386
390	if (rr->length > S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH) {	387	if (rr->length > rb->len - SSL3_RT_HEADER_LENGTH) {
391	al = SSL_AD_RECORD_OVERFLOW;	388	al = SSL_AD_RECORD_OVERFLOW;
392	SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG);	389	SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG);
393	goto f_err;	390	goto f_err;
394	}	391	}
395
396	/* now s->internal->rstate == SSL_ST_READ_BODY */
397	}	392	}
398		393
399	/* s->internal->rstate == SSL_ST_READ_BODY, get and decode the data */
400
401	n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH + rr->length);	394	n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH + rr->length);
402	if (n <= 0)	395	if (n <= 0)
403	return (n);	396	return (n);
@@ -406,133 +399,40 @@ ssl3_get_record(SSL *s)
406		399
407	s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */	400	s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */
408		401
409	/* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,	402	/*
410	* and we have that many bytes in s->internal->packet	403	* A full record has now been read from the wire, which now needs
		404	* to be processed.
411	*/	405	*/
412	rr->input = &(s->internal->packet[SSL3_RT_HEADER_LENGTH]);	406	tls12_record_layer_set_version(s->internal->rl, s->version);
413
414	/* ok, we can now read from 's->internal->packet' data into 'rr'
415	* rr->input points at rr->length bytes, which
416	* need to be copied into rr->data by either
417	* the decryption or by the decompression
418	* When the data is 'copied' into the rr->data buffer,
419	* rr->input will be pointed at the new buffer */
420
421	/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
422	* rr->length bytes of encrypted compressed stuff. */
423
424	/* check is not needed I believe */
425	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
426	al = SSL_AD_RECORD_OVERFLOW;
427	SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
428	goto f_err;
429	}
430
431	/* decrypt in place in 'rr->input' */
432	rr->data = rr->input;
433		407
434	/* enc_err is:	408	if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet,
435	* 0: (in non-constant time) if the record is publically invalid.	409	s->internal->packet_length, &out, &out_len)) {
436	* 1: if the padding is valid	410	tls12_record_layer_alert(s->internal->rl, &alert_desc);
437	* -1: if the padding is invalid */
438	if ((enc_err = tls1_enc(s, 0)) == 0) {
439	al = SSL_AD_BAD_RECORD_MAC;
440	SSLerror(s, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
441	goto f_err;
442	}
443
444	/* r->length is now the compressed data plus mac */
445	if ((sess != NULL) && (s->enc_read_ctx != NULL) &&
446	(EVP_MD_CTX_md(s->read_hash) != NULL)) {
447	/* s->read_hash != NULL => mac_size != -1 */
448	unsigned char *mac = NULL;
449	unsigned char mac_tmp[EVP_MAX_MD_SIZE];
450
451	mac_size = EVP_MD_CTX_size(s->read_hash);
452	OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
453
454	orig_len = rr->length + rr->padding_length;
455		411
456	/* orig_len is the length of the record before any padding was	412	if (alert_desc == 0)
457	* removed. This is public information, as is the MAC in use,	413	goto err;
458	* therefore we can safely process the record in a different
459	* amount of time if it's too short to possibly contain a MAC.
460	*/
461	if (orig_len < mac_size \|\|
462	/* CBC records must have a padding length byte too. */
463	(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
464	orig_len < mac_size + 1)) {
465	al = SSL_AD_DECODE_ERROR;
466	SSLerror(s, SSL_R_LENGTH_TOO_SHORT);
467	goto f_err;
468	}
469
470	if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
471	/* We update the length so that the TLS header bytes
472	* can be constructed correctly but we need to extract
473	* the MAC in constant time from within the record,
474	* without leaking the contents of the padding bytes.
475	* */
476	mac = mac_tmp;
477	ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
478	rr->length -= mac_size;
479	} else {
480	/* In this case there's no padding, so \|orig_len\|
481	* equals \|rec->length\| and we checked that there's
482	* enough bytes for \|mac_size\| above. */
483	rr->length -= mac_size;
484	mac = &rr->data[rr->length];
485	}
486		414
487	i = tls1_mac(s,md,0 /* not send */);	415	if (alert_desc == SSL_AD_RECORD_OVERFLOW)
488	if (i < 0 \|\| mac == NULL \|\|	416	SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
489	timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)	417	else if (alert_desc == SSL_AD_BAD_RECORD_MAC)
490	enc_err = -1;	418	SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
491	if (rr->length >
492	SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
493	enc_err = -1;
494	}
495		419
496	if (enc_err < 0) {	420	al = alert_desc;
497	/*
498	* A separate 'decryption_failed' alert was introduced with
499	* TLS 1.0, SSL 3.0 only has 'bad_record_mac'. But unless a
500	* decryption failure is directly visible from the ciphertext
501	* anyway, we should not reveal which kind of error
502	* occurred -- this might become visible to an attacker
503	* (e.g. via a logfile)
504	*/
505	al = SSL_AD_BAD_RECORD_MAC;
506	SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
507	goto f_err;
508	}
509
510	if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
511	al = SSL_AD_RECORD_OVERFLOW;
512	SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
513	goto f_err;	421	goto f_err;
514	}	422	}
515		423
		424	rr->data = out;
		425	rr->length = out_len;
516	rr->off = 0;	426	rr->off = 0;
517	/*
518	* So at this point the following is true
519	*
520	* ssl->s3->internal->rrec.type is the type of record
521	* ssl->s3->internal->rrec.length == number of bytes in record
522	* ssl->s3->internal->rrec.off == offset to first valid byte
523	* ssl->s3->internal->rrec.data == where to take bytes from, increment
524	* after use :-).
525	*/
526		427
527	/* we have pulled in a full packet so zero things */	428	/* we have pulled in a full packet so zero things */
528	s->internal->packet_length = 0;	429	s->internal->packet_length = 0;
529		430
530	if (rr->length == 0) {	431	if (rr->length == 0) {
531	/*	432	/*
532	* CBC countermeasures for known IV weaknesses	433	* CBC countermeasures for known IV weaknesses can legitimately
533	* can legitimately insert a single empty record,	434	* insert a single empty record, so we allow ourselves to read
534	* so we allow ourselves to read once past a single	435	* once past a single empty record without forcing want_read.
535	* empty record without forcing want_read.
536	*/	436	*/
537	if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) {	437	if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) {
538	SSLerror(s, SSL_R_PEER_BEHAVING_BADLY);	438	SSLerror(s, SSL_R_PEER_BEHAVING_BADLY);
@@ -543,15 +443,15 @@ ssl3_get_record(SSL *s)
543	return -1;	443	return -1;
544	}	444	}
545	goto again;	445	goto again;
546	} else {
547	s->internal->empty_record_count = 0;
548	}	446	}
549		447
		448	s->internal->empty_record_count = 0;
		449
550	return (1);	450	return (1);
551		451
552	f_err:	452	f_err:
553	ssl3_send_alert(s, SSL3_AL_FATAL, al);	453	ssl3_send_alert(s, SSL3_AL_FATAL, al);
554	err:	454	err:
555	return (ret);	455	return (ret);
556	}	456	}
557		457