diff -up openssl-fips-0.9.8e/ssl/d1_pkt.c.dtls-fixes2 openssl-fips-0.9.8e/ssl/d1_pkt.c --- openssl-fips-0.9.8e/ssl/d1_pkt.c.dtls-fixes2 2012-01-16 11:00:34.242797904 +0100 +++ openssl-fips-0.9.8e/ssl/d1_pkt.c 2012-01-18 15:45:25.144865068 +0100 @@ -134,7 +134,7 @@ static int dtls1_record_needs_buffering( unsigned short *priority, unsigned long *offset); #endif static int dtls1_buffer_record(SSL *s, record_pqueue *q, - PQ_64BIT priority); + PQ_64BIT *priority); static int dtls1_process_record(SSL *s); #if PQ_64BIT_IS_INTEGER static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num); @@ -156,13 +156,16 @@ dtls1_copy_record(SSL *s, pitem *item) s->packet_length = rdata->packet_length; memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); + + /* Set proper sequence number for mac calculation */ + memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6); return(1); } static int -dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority) +dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT *priority) { DTLS1_RECORD_DATA *rdata; pitem *item; @@ -172,7 +175,7 @@ dtls1_buffer_record(SSL *s, record_pqueu return 0; rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); - item = pitem_new(priority, rdata); + item = pitem_new(*priority, rdata); if (rdata == NULL || item == NULL) { if (rdata != NULL) OPENSSL_free(rdata); @@ -253,9 +256,6 @@ dtls1_process_buffered_records(SSL *s) item = pqueue_peek(s->d1->unprocessed_rcds.q); if (item) { - DTLS1_RECORD_DATA *rdata; - rdata = (DTLS1_RECORD_DATA *)item->data; - /* Check if epoch is current. */ if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) return(1); /* Nothing to do. */ @@ -267,7 +267,7 @@ dtls1_process_buffered_records(SSL *s) if ( ! dtls1_process_record(s)) return(0); dtls1_buffer_record(s, &(s->d1->processed_rcds), - s->s3->rrec.seq_num); + &s->s3->rrec.seq_num); } } @@ -328,13 +328,15 @@ dtls1_get_buffered_record(SSL *s) static int dtls1_process_record(SSL *s) { - int i,al; + int al; int clear=0; int enc_err; SSL_SESSION *sess; SSL3_RECORD *rr; unsigned int mac_size; unsigned char md[EVP_MAX_MD_SIZE]; + int decryption_failed_or_bad_record_mac = 0; + unsigned char *mac = NULL; rr= &(s->s3->rrec); @@ -369,12 +371,10 @@ dtls1_process_record(SSL *s) enc_err = s->method->ssl3_enc->enc(s,0); if (enc_err <= 0) { - if (enc_err == 0) - /* SSLerr() and ssl3_send_alert() have been called */ - goto err; - - /* otherwise enc_err == -1 */ - goto decryption_failed_or_bad_record_mac; + /* To minimize information leaked via timing, we will always + * perform all computations before discarding the message. + */ + decryption_failed_or_bad_record_mac = 1; } #ifdef TLS_DEBUG @@ -400,28 +400,32 @@ if ( (sess == NULL) || SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; #else - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; #endif } /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ - if (rr->length < mac_size) + if (rr->length >= mac_size) { -#if 0 /* OK only for stream ciphers */ - al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); - goto f_err; -#else - goto decryption_failed_or_bad_record_mac; -#endif + rr->length -= mac_size; + mac = &rr->data[rr->length]; } - rr->length-=mac_size; - i=s->method->ssl3_enc->mac(s,md,0); - if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) + else + rr->length = 0; + s->method->ssl3_enc->mac(s,md,0); + if (mac == NULL || memcmp(md, mac, mac_size) != 0) { - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; } } + if (decryption_failed_or_bad_record_mac) + { + /* decryption failed, silently discard message */ + rr->length = 0; + s->packet_length = 0; + goto err; + } + /* r->length is now just compressed */ if (s->expand != NULL) { @@ -460,14 +464,6 @@ if ( (sess == NULL) || dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ return(1); -decryption_failed_or_bad_record_mac: - /* Separate 'decryption_failed' alert was introduced with TLS 1.0, - * SSL 3.0 only has 'bad_record_mac'. But unless a decryption - * failure is directly visible from the ciphertext anyway, - * we should not reveal which kind of error occured -- this - * might become visible to an attacker (e.g. via logfile) */ - al=SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: @@ -486,22 +482,19 @@ err: /* used only by dtls1_read_bytes */ int dtls1_get_record(SSL *s) { - int ssl_major,ssl_minor,al; + int ssl_major,ssl_minor; int i,n; SSL3_RECORD *rr; - SSL_SESSION *sess; - unsigned char *p; + unsigned char *p = NULL; unsigned short version; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; rr= &(s->s3->rrec); - sess=s->session; /* The epoch may have changed. If so, process all the * pending records. This is a non-blocking operation. */ - if ( ! dtls1_process_buffered_records(s)) - return 0; + dtls1_process_buffered_records(s); /* if we're renegotiating, then there may be buffered records */ if (dtls1_get_processed_record(s)) @@ -517,7 +510,12 @@ again: /* read timeout is handled by dtls1_read_bytes */ if (n <= 0) return(n); /* error or non-blocking */ - OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH); + /* this packet contained a partial record, dump it */ + if (s->packet_length != DTLS1_RT_HEADER_LENGTH) + { + s->packet_length = 0; + goto again; + } s->rstate=SSL_ST_READ_BODY; @@ -542,27 +540,28 @@ again: { if (version != s->version && version != DTLS1_BAD_VER) { - SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); - /* Send back error using their - * version number :-) */ - s->version=version; - al=SSL_AD_PROTOCOL_VERSION; - goto f_err; + /* unexpected version, silently discard */ + rr->length = 0; + s->packet_length = 0; + goto again; } } if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) && (version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) { - SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); - goto err; + /* wrong version, silently discard record */ + rr->length = 0; + s->packet_length = 0; + goto again; } if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al=SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + /* record too long, silently discard it */ + rr->length = 0; + s->packet_length = 0; + goto again; } s->client_version = version; @@ -581,6 +580,7 @@ again: /* this packet contained a partial record, dump it */ if ( n != i) { + rr->length = 0; s->packet_length = 0; goto again; } @@ -594,6 +594,7 @@ again: bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); if ( bitmap == NULL) { + rr->length = 0; s->packet_length = 0; /* dump this record */ goto again; /* get another record */ } @@ -601,6 +602,7 @@ again: /* check whether this is a repeat, or aged record */ if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) { + rr->length = 0; s->packet_length=0; /* dump this record */ goto again; /* get another record */ } @@ -615,21 +617,22 @@ again: if (is_next_epoch) { dtls1_record_bitmap_update(s, bitmap); - dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); + dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), &rr->seq_num); + rr->length = 0; s->packet_length = 0; goto again; } - if ( ! dtls1_process_record(s)) - return(0); + if (!dtls1_process_record(s)) + { + rr->length = 0; + s->packet_length=0; /* dump this record */ + goto again; /* get another record */ + } dtls1_clear_timeouts(s); /* done waiting */ return(1); -f_err: - ssl3_send_alert(s,SSL3_AL_FATAL,al); -err: - return(0); } /* Return up to 'len' payload bytes received in 'type' records.