416
412
rr->data=rr->input;
418
414
enc_err = s->method->ssl3_enc->enc(s,0);
416
* 0: (in non-constant time) if the record is publically invalid.
417
* 1: if the padding is valid
418
* -1: if the padding is invalid */
421
/* To minimize information leaked via timing, we will always
422
* perform all computations before discarding the message.
424
decryption_failed_or_bad_record_mac = 1;
421
/* For DTLS we simply ignore bad packets. */
423
s->packet_length = 0;
433
433
/* r->length is now the compressed data plus mac */
434
if ( (sess == NULL) ||
435
(s->enc_read_ctx == NULL) ||
436
(s->read_hash == NULL))
434
if ((sess != NULL) &&
435
(s->enc_read_ctx != NULL) &&
436
(EVP_MD_CTX_md(s->read_hash) != NULL))
441
/* !clear => s->read_hash != NULL => mac_size != -1 */
443
t=EVP_MD_CTX_size(s->read_hash);
444
OPENSSL_assert(t >= 0);
438
/* s->read_hash != NULL => mac_size != -1 */
439
unsigned char *mac = NULL;
440
unsigned char mac_tmp[EVP_MAX_MD_SIZE];
441
mac_size=EVP_MD_CTX_size(s->read_hash);
442
OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
444
/* kludge: *_cbc_remove_padding passes padding length in rr->type */
445
orig_len = rr->length+((unsigned int)rr->type>>8);
447
/* orig_len is the length of the record before any padding was
448
* removed. This is public information, as is the MAC in use,
449
* therefore we can safely process the record in a different
450
* amount of time if it's too short to possibly contain a MAC.
452
if (orig_len < mac_size ||
453
/* CBC records must have a padding length byte too. */
454
(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
455
orig_len < mac_size+1))
457
al=SSL_AD_DECODE_ERROR;
458
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
462
if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
464
/* We update the length so that the TLS header bytes
465
* can be constructed correctly but we need to extract
466
* the MAC in constant time from within the record,
467
* without leaking the contents of the padding bytes.
470
ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
471
rr->length -= mac_size;
475
/* In this case there's no padding, so |orig_len|
476
* equals |rec->length| and we checked that there's
477
* enough bytes for |mac_size| above. */
478
rr->length -= mac_size;
479
mac = &rr->data[rr->length];
482
i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
483
if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
447
485
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
449
#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
450
al=SSL_AD_RECORD_OVERFLOW;
451
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
454
decryption_failed_or_bad_record_mac = 1;
457
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
458
if (rr->length >= mac_size)
460
rr->length -= mac_size;
461
mac = &rr->data[rr->length];
465
i=s->method->ssl3_enc->mac(s,md,0);
466
if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
468
decryption_failed_or_bad_record_mac = 1;
472
if (decryption_failed_or_bad_record_mac)
474
491
/* decryption failed, silently discard message */