/src/botan/src/lib/tls/tls_record.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * TLS Record Handling |
3 | | * (C) 2012,2013,2014,2015,2016,2019 Jack Lloyd |
4 | | * 2016 Juraj Somorovsky |
5 | | * 2016 Matthias Gierlings |
6 | | * |
7 | | * Botan is released under the Simplified BSD License (see license.txt) |
8 | | */ |
9 | | |
10 | | #include <botan/internal/tls_record.h> |
11 | | #include <botan/tls_ciphersuite.h> |
12 | | #include <botan/tls_exceptn.h> |
13 | | #include <botan/loadstor.h> |
14 | | #include <botan/internal/tls_seq_numbers.h> |
15 | | #include <botan/internal/tls_session_key.h> |
16 | | #include <botan/internal/rounding.h> |
17 | | #include <botan/internal/ct_utils.h> |
18 | | #include <botan/rng.h> |
19 | | |
20 | | #if defined(BOTAN_HAS_TLS_CBC) |
21 | | #include <botan/internal/tls_cbc.h> |
22 | | #endif |
23 | | |
24 | | namespace Botan { |
25 | | |
26 | | namespace TLS { |
27 | | |
28 | | Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version, |
29 | | Connection_Side side, |
30 | | bool our_side, |
31 | | const Ciphersuite& suite, |
32 | | const Session_Keys& keys, |
33 | | bool uses_encrypt_then_mac) : |
34 | | m_start_time(std::chrono::system_clock::now()) |
35 | 3.03k | { |
36 | 3.03k | m_nonce_format = suite.nonce_format(); |
37 | 3.03k | m_nonce_bytes_from_record = suite.nonce_bytes_from_record(version); |
38 | 3.03k | m_nonce_bytes_from_handshake = suite.nonce_bytes_from_handshake(); |
39 | 3.03k | |
40 | 3.03k | const secure_vector<uint8_t>& aead_key = keys.aead_key(side); |
41 | 3.03k | m_nonce = keys.nonce(side); |
42 | 3.03k | |
43 | 3.03k | BOTAN_ASSERT_NOMSG(m_nonce.size() == m_nonce_bytes_from_handshake); |
44 | 3.03k | |
45 | 3.03k | if(nonce_format() == Nonce_Format::CBC_MODE) |
46 | 1.37k | { |
47 | 1.37k | #if defined(BOTAN_HAS_TLS_CBC) |
48 | 1.37k | // legacy CBC+HMAC mode |
49 | 1.37k | auto mac = MessageAuthenticationCode::create_or_throw("HMAC(" + suite.mac_algo() + ")"); |
50 | 1.37k | auto cipher = BlockCipher::create_or_throw(suite.cipher_algo()); |
51 | 1.37k | |
52 | 1.37k | if(our_side) |
53 | 805 | { |
54 | 805 | m_aead.reset(new TLS_CBC_HMAC_AEAD_Encryption( |
55 | 805 | std::move(cipher), |
56 | 805 | std::move(mac), |
57 | 805 | suite.cipher_keylen(), |
58 | 805 | suite.mac_keylen(), |
59 | 805 | version, |
60 | 805 | uses_encrypt_then_mac)); |
61 | 805 | } |
62 | 569 | else |
63 | 569 | { |
64 | 569 | m_aead.reset(new TLS_CBC_HMAC_AEAD_Decryption( |
65 | 569 | std::move(cipher), |
66 | 569 | std::move(mac), |
67 | 569 | suite.cipher_keylen(), |
68 | 569 | suite.mac_keylen(), |
69 | 569 | version, |
70 | 569 | uses_encrypt_then_mac)); |
71 | 569 | } |
72 | 1.37k | |
73 | | #else |
74 | | BOTAN_UNUSED(uses_encrypt_then_mac); |
75 | | throw Internal_Error("Negotiated disabled TLS CBC+HMAC ciphersuite"); |
76 | | #endif |
77 | 1.37k | } |
78 | 1.66k | else |
79 | 1.66k | { |
80 | 1.66k | m_aead = AEAD_Mode::create_or_throw(suite.cipher_algo(), our_side ? ENCRYPTION : DECRYPTION); |
81 | 1.66k | } |
82 | 3.03k | |
83 | 3.03k | m_aead->set_key(aead_key); |
84 | 3.03k | } |
85 | | |
86 | | std::vector<uint8_t> Connection_Cipher_State::aead_nonce(uint64_t seq, RandomNumberGenerator& rng) |
87 | 2.58k | { |
88 | 2.58k | switch(m_nonce_format) |
89 | 2.58k | { |
90 | 1.11k | case Nonce_Format::CBC_MODE: |
91 | 1.11k | { |
92 | 1.11k | if(m_nonce.size()) |
93 | 805 | { |
94 | 805 | std::vector<uint8_t> nonce; |
95 | 805 | nonce.swap(m_nonce); |
96 | 805 | return nonce; |
97 | 805 | } |
98 | 307 | std::vector<uint8_t> nonce(nonce_bytes_from_record()); |
99 | 307 | rng.randomize(nonce.data(), nonce.size()); |
100 | 307 | return nonce; |
101 | 307 | } |
102 | 599 | case Nonce_Format::AEAD_XOR_12: |
103 | 599 | { |
104 | 599 | std::vector<uint8_t> nonce(12); |
105 | 599 | store_be(seq, nonce.data() + 4); |
106 | 599 | xor_buf(nonce, m_nonce.data(), m_nonce.size()); |
107 | 599 | return nonce; |
108 | 307 | } |
109 | 869 | case Nonce_Format::AEAD_IMPLICIT_4: |
110 | 869 | { |
111 | 869 | BOTAN_ASSERT_NOMSG(m_nonce.size() == 4); |
112 | 869 | std::vector<uint8_t> nonce(12); |
113 | 869 | copy_mem(&nonce[0], m_nonce.data(), 4); |
114 | 869 | store_be(seq, &nonce[nonce_bytes_from_handshake()]); |
115 | 869 | return nonce; |
116 | 0 | } |
117 | 0 | } |
118 | 0 | |
119 | 0 | throw Invalid_State("Unknown nonce format specified"); |
120 | 0 | } |
121 | | |
122 | | std::vector<uint8_t> |
123 | | Connection_Cipher_State::aead_nonce(const uint8_t record[], size_t record_len, uint64_t seq) |
124 | 1.00k | { |
125 | 1.00k | switch(m_nonce_format) |
126 | 1.00k | { |
127 | 357 | case Nonce_Format::CBC_MODE: |
128 | 357 | { |
129 | 357 | if(nonce_bytes_from_record() == 0 && m_nonce.size()) |
130 | 0 | { |
131 | 0 | std::vector<uint8_t> nonce; |
132 | 0 | nonce.swap(m_nonce); |
133 | 0 | return nonce; |
134 | 0 | } |
135 | 357 | if(record_len < nonce_bytes_from_record()) |
136 | 15 | throw Decoding_Error("Invalid CBC packet too short to be valid"); |
137 | 342 | std::vector<uint8_t> nonce(record, record + nonce_bytes_from_record()); |
138 | 342 | return nonce; |
139 | 342 | } |
140 | 342 | case Nonce_Format::AEAD_XOR_12: |
141 | 265 | { |
142 | 265 | std::vector<uint8_t> nonce(12); |
143 | 265 | store_be(seq, nonce.data() + 4); |
144 | 265 | xor_buf(nonce, m_nonce.data(), m_nonce.size()); |
145 | 265 | return nonce; |
146 | 342 | } |
147 | 379 | case Nonce_Format::AEAD_IMPLICIT_4: |
148 | 379 | { |
149 | 379 | BOTAN_ASSERT_NOMSG(m_nonce.size() == 4); |
150 | 379 | if(record_len < nonce_bytes_from_record()) |
151 | 4 | throw Decoding_Error("Invalid AEAD packet too short to be valid"); |
152 | 375 | std::vector<uint8_t> nonce(12); |
153 | 375 | copy_mem(&nonce[0], m_nonce.data(), 4); |
154 | 375 | copy_mem(&nonce[nonce_bytes_from_handshake()], record, nonce_bytes_from_record()); |
155 | 375 | return nonce; |
156 | 375 | } |
157 | 0 | } |
158 | 0 | |
159 | 0 | throw Invalid_State("Unknown nonce format specified"); |
160 | 0 | } |
161 | | |
162 | | std::vector<uint8_t> |
163 | | Connection_Cipher_State::format_ad(uint64_t msg_sequence, |
164 | | uint8_t msg_type, |
165 | | Protocol_Version version, |
166 | | uint16_t msg_length) |
167 | 3.54k | { |
168 | 3.54k | std::vector<uint8_t> ad(13); |
169 | 3.54k | |
170 | 3.54k | store_be(msg_sequence, &ad[0]); |
171 | 3.54k | ad[8] = msg_type; |
172 | 3.54k | ad[9] = version.major_version(); |
173 | 3.54k | ad[10] = version.minor_version(); |
174 | 3.54k | ad[11] = get_byte(0, msg_length); |
175 | 3.54k | ad[12] = get_byte(1, msg_length); |
176 | 3.54k | |
177 | 3.54k | return ad; |
178 | 3.54k | } |
179 | | |
180 | | namespace { |
181 | | |
182 | | inline void append_u16_len(secure_vector<uint8_t>& output, size_t len_field) |
183 | 99.0k | { |
184 | 99.0k | const uint16_t len16 = static_cast<uint16_t>(len_field); |
185 | 99.0k | BOTAN_ASSERT_EQUAL(len_field, len16, "No truncation"); |
186 | 99.0k | output.push_back(get_byte(0, len16)); |
187 | 99.0k | output.push_back(get_byte(1, len16)); |
188 | 99.0k | } |
189 | | |
190 | | void write_record_header(secure_vector<uint8_t>& output, |
191 | | uint8_t record_type, |
192 | | Protocol_Version version, |
193 | | uint64_t record_sequence) |
194 | 99.0k | { |
195 | 99.0k | output.clear(); |
196 | 99.0k | |
197 | 99.0k | output.push_back(record_type); |
198 | 99.0k | output.push_back(version.major_version()); |
199 | 99.0k | output.push_back(version.minor_version()); |
200 | 99.0k | |
201 | 99.0k | if(version.is_datagram_protocol()) |
202 | 7.22k | { |
203 | 65.0k | for(size_t i = 0; i != 8; ++i) |
204 | 57.8k | output.push_back(get_byte(i, record_sequence)); |
205 | 7.22k | } |
206 | 99.0k | } |
207 | | |
208 | | } |
209 | | |
210 | | void write_unencrypted_record(secure_vector<uint8_t>& output, |
211 | | uint8_t record_type, |
212 | | Protocol_Version version, |
213 | | uint64_t record_sequence, |
214 | | const uint8_t* message, |
215 | | size_t message_len) |
216 | 96.4k | { |
217 | 96.4k | if(record_type == APPLICATION_DATA) |
218 | 0 | throw Internal_Error("Writing an unencrypted TLS application data record"); |
219 | 96.4k | write_record_header(output, record_type, version, record_sequence); |
220 | 96.4k | append_u16_len(output, message_len); |
221 | 96.4k | output.insert(output.end(), message, message + message_len); |
222 | 96.4k | } |
223 | | |
224 | | void write_record(secure_vector<uint8_t>& output, |
225 | | uint8_t record_type, |
226 | | Protocol_Version version, |
227 | | uint64_t record_sequence, |
228 | | const uint8_t* message, |
229 | | size_t message_len, |
230 | | Connection_Cipher_State& cs, |
231 | | RandomNumberGenerator& rng) |
232 | 2.58k | { |
233 | 2.58k | write_record_header(output, record_type, version, record_sequence); |
234 | 2.58k | |
235 | 2.58k | AEAD_Mode& aead = cs.aead(); |
236 | 2.58k | std::vector<uint8_t> aad = cs.format_ad(record_sequence, record_type, version, static_cast<uint16_t>(message_len)); |
237 | 2.58k | |
238 | 2.58k | const size_t ctext_size = aead.output_length(message_len); |
239 | 2.58k | |
240 | 2.58k | const size_t rec_size = ctext_size + cs.nonce_bytes_from_record(); |
241 | 2.58k | |
242 | 2.58k | aead.set_ad(aad); |
243 | 2.58k | |
244 | 2.58k | const std::vector<uint8_t> nonce = cs.aead_nonce(record_sequence, rng); |
245 | 2.58k | |
246 | 2.58k | append_u16_len(output, rec_size); |
247 | 2.58k | |
248 | 2.58k | if(cs.nonce_bytes_from_record() > 0) |
249 | 1.98k | { |
250 | 1.98k | if(cs.nonce_format() == Nonce_Format::CBC_MODE) |
251 | 1.11k | output += nonce; |
252 | 869 | else |
253 | 869 | output += std::make_pair(&nonce[cs.nonce_bytes_from_handshake()], cs.nonce_bytes_from_record()); |
254 | 1.98k | } |
255 | 2.58k | |
256 | 2.58k | const size_t header_size = output.size(); |
257 | 2.58k | output += std::make_pair(message, message_len); |
258 | 2.58k | |
259 | 2.58k | aead.start(nonce); |
260 | 2.58k | aead.finish(output, header_size); |
261 | 2.58k | |
262 | 2.58k | BOTAN_ASSERT(output.size() < MAX_CIPHERTEXT_SIZE, |
263 | 2.58k | "Produced ciphertext larger than protocol allows"); |
264 | 2.58k | } |
265 | | |
266 | | namespace { |
267 | | |
268 | | size_t fill_buffer_to(secure_vector<uint8_t>& readbuf, |
269 | | const uint8_t*& input, |
270 | | size_t& input_size, |
271 | | size_t& input_consumed, |
272 | | size_t desired) |
273 | 290k | { |
274 | 290k | if(readbuf.size() >= desired) |
275 | 462 | return 0; // already have it |
276 | 289k | |
277 | 289k | const size_t taken = std::min(input_size, desired - readbuf.size()); |
278 | 289k | |
279 | 289k | readbuf.insert(readbuf.end(), input, input + taken); |
280 | 289k | input_consumed += taken; |
281 | 289k | input_size -= taken; |
282 | 289k | input += taken; |
283 | 289k | |
284 | 289k | return (desired - readbuf.size()); // how many bytes do we still need? |
285 | 289k | } |
286 | | |
287 | | void decrypt_record(secure_vector<uint8_t>& output, |
288 | | uint8_t record_contents[], size_t record_len, |
289 | | uint64_t record_sequence, |
290 | | Protocol_Version record_version, |
291 | | Record_Type record_type, |
292 | | Connection_Cipher_State& cs) |
293 | 1.00k | { |
294 | 1.00k | AEAD_Mode& aead = cs.aead(); |
295 | 1.00k | |
296 | 1.00k | const std::vector<uint8_t> nonce = cs.aead_nonce(record_contents, record_len, record_sequence); |
297 | 1.00k | const uint8_t* msg = &record_contents[cs.nonce_bytes_from_record()]; |
298 | 1.00k | const size_t msg_length = record_len - cs.nonce_bytes_from_record(); |
299 | 1.00k | |
300 | 1.00k | /* |
301 | 1.00k | * This early rejection is based just on public information (length of the |
302 | 1.00k | * encrypted packet) and so does not leak any information. We used to use |
303 | 1.00k | * decode_error here which really is more appropriate, but that confuses some |
304 | 1.00k | * tools which are attempting automated detection of padding oracles, |
305 | 1.00k | * including older versions of TLS-Attacker. |
306 | 1.00k | */ |
307 | 1.00k | if(msg_length < aead.minimum_final_size()) |
308 | 21 | throw TLS_Exception(Alert::BAD_RECORD_MAC, "AEAD packet is shorter than the tag"); |
309 | 980 | |
310 | 980 | const size_t ptext_size = aead.output_length(msg_length); |
311 | 980 | |
312 | 980 | aead.set_associated_data_vec( |
313 | 980 | cs.format_ad(record_sequence, |
314 | 980 | static_cast<uint8_t>(record_type), |
315 | 980 | record_version, |
316 | 980 | static_cast<uint16_t>(ptext_size)) |
317 | 980 | ); |
318 | 980 | |
319 | 980 | aead.start(nonce); |
320 | 980 | |
321 | 980 | output.assign(msg, msg + msg_length); |
322 | 980 | aead.finish(output, 0); |
323 | 980 | } |
324 | | |
325 | | Record_Header read_tls_record(secure_vector<uint8_t>& readbuf, |
326 | | const uint8_t input[], |
327 | | size_t input_len, |
328 | | size_t& consumed, |
329 | | secure_vector<uint8_t>& recbuf, |
330 | | Connection_Sequence_Numbers* sequence_numbers, |
331 | | get_cipherstate_fn get_cipherstate) |
332 | 144k | { |
333 | 144k | if(readbuf.size() < TLS_HEADER_SIZE) // header incomplete? |
334 | 144k | { |
335 | 144k | if(size_t needed = fill_buffer_to(readbuf, input, input_len, consumed, TLS_HEADER_SIZE)) |
336 | 662 | { |
337 | 662 | return Record_Header(needed); |
338 | 662 | } |
339 | 144k | |
340 | 144k | BOTAN_ASSERT_EQUAL(readbuf.size(), TLS_HEADER_SIZE, "Have an entire header"); |
341 | 144k | } |
342 | 144k | |
343 | 144k | const Protocol_Version version(readbuf[1], readbuf[2]); |
344 | 144k | |
345 | 144k | if(version.is_datagram_protocol()) |
346 | 87 | throw TLS_Exception(Alert::PROTOCOL_VERSION, |
347 | 87 | "Expected TLS but got a record with DTLS version"); |
348 | 143k | |
349 | 143k | const size_t record_size = make_uint16(readbuf[TLS_HEADER_SIZE-2], |
350 | 143k | readbuf[TLS_HEADER_SIZE-1]); |
351 | 143k | |
352 | 143k | if(record_size > MAX_CIPHERTEXT_SIZE) |
353 | 317 | throw TLS_Exception(Alert::RECORD_OVERFLOW, |
354 | 317 | "Received a record that exceeds maximum size"); |
355 | 143k | |
356 | 143k | if(record_size == 0) |
357 | 93 | throw TLS_Exception(Alert::DECODE_ERROR, |
358 | 93 | "Received a completely empty record"); |
359 | 143k | |
360 | 143k | if(size_t needed = fill_buffer_to(readbuf, input, input_len, consumed, TLS_HEADER_SIZE + record_size)) |
361 | 497 | { |
362 | 497 | return Record_Header(needed); |
363 | 497 | } |
364 | 143k | |
365 | 143k | BOTAN_ASSERT_EQUAL(static_cast<size_t>(TLS_HEADER_SIZE) + record_size, |
366 | 143k | readbuf.size(), |
367 | 143k | "Have the full record"); |
368 | 143k | |
369 | 143k | const Record_Type type = static_cast<Record_Type>(readbuf[0]); |
370 | 143k | |
371 | 143k | uint16_t epoch = 0; |
372 | 143k | |
373 | 143k | uint64_t sequence = 0; |
374 | 143k | if(sequence_numbers) |
375 | 136k | { |
376 | 136k | sequence = sequence_numbers->next_read_sequence(); |
377 | 136k | epoch = sequence_numbers->current_read_epoch(); |
378 | 136k | } |
379 | 6.97k | else |
380 | 6.97k | { |
381 | 6.97k | // server initial handshake case |
382 | 6.97k | epoch = 0; |
383 | 6.97k | } |
384 | 143k | |
385 | 143k | if(epoch == 0) // Unencrypted initial handshake |
386 | 142k | { |
387 | 142k | recbuf.assign(readbuf.begin() + TLS_HEADER_SIZE, readbuf.begin() + TLS_HEADER_SIZE + record_size); |
388 | 142k | readbuf.clear(); |
389 | 142k | return Record_Header(sequence, version, type); |
390 | 142k | } |
391 | 1.00k | |
392 | 1.00k | // Otherwise, decrypt, check MAC, return plaintext |
393 | 1.00k | auto cs = get_cipherstate(epoch); |
394 | 1.00k | |
395 | 1.00k | BOTAN_ASSERT(cs, "Have cipherstate for this epoch"); |
396 | 1.00k | |
397 | 1.00k | decrypt_record(recbuf, |
398 | 1.00k | &readbuf[TLS_HEADER_SIZE], |
399 | 1.00k | record_size, |
400 | 1.00k | sequence, |
401 | 1.00k | version, |
402 | 1.00k | type, |
403 | 1.00k | *cs); |
404 | 1.00k | |
405 | 1.00k | if(sequence_numbers) |
406 | 0 | sequence_numbers->read_accept(sequence); |
407 | 1.00k | |
408 | 1.00k | readbuf.clear(); |
409 | 1.00k | return Record_Header(sequence, version, type); |
410 | 1.00k | } |
411 | | |
412 | | Record_Header read_dtls_record(secure_vector<uint8_t>& readbuf, |
413 | | const uint8_t input[], |
414 | | size_t input_len, |
415 | | size_t& consumed, |
416 | | secure_vector<uint8_t>& recbuf, |
417 | | Connection_Sequence_Numbers* sequence_numbers, |
418 | | get_cipherstate_fn get_cipherstate, |
419 | | bool allow_epoch0_restart) |
420 | 1.12k | { |
421 | 1.12k | if(readbuf.size() < DTLS_HEADER_SIZE) // header incomplete? |
422 | 1.12k | { |
423 | 1.12k | if(fill_buffer_to(readbuf, input, input_len, consumed, DTLS_HEADER_SIZE)) |
424 | 35 | { |
425 | 35 | readbuf.clear(); |
426 | 35 | return Record_Header(0); |
427 | 35 | } |
428 | 1.08k | |
429 | 1.08k | BOTAN_ASSERT_EQUAL(readbuf.size(), DTLS_HEADER_SIZE, "Have an entire header"); |
430 | 1.08k | } |
431 | 1.12k | |
432 | 1.12k | const Protocol_Version version(readbuf[1], readbuf[2]); |
433 | 1.08k | |
434 | 1.08k | if(version.is_datagram_protocol() == false) |
435 | 3 | { |
436 | 3 | readbuf.clear(); |
437 | 3 | return Record_Header(0); |
438 | 3 | } |
439 | 1.08k | |
440 | 1.08k | const size_t record_size = make_uint16(readbuf[DTLS_HEADER_SIZE-2], |
441 | 1.08k | readbuf[DTLS_HEADER_SIZE-1]); |
442 | 1.08k | |
443 | 1.08k | if(record_size > MAX_CIPHERTEXT_SIZE) |
444 | 5 | { |
445 | 5 | // Too large to be valid, ignore it |
446 | 5 | readbuf.clear(); |
447 | 5 | return Record_Header(0); |
448 | 5 | } |
449 | 1.08k | |
450 | 1.08k | if(fill_buffer_to(readbuf, input, input_len, consumed, DTLS_HEADER_SIZE + record_size)) |
451 | 23 | { |
452 | 23 | // Truncated packet? |
453 | 23 | readbuf.clear(); |
454 | 23 | return Record_Header(0); |
455 | 23 | } |
456 | 1.05k | |
457 | 1.05k | BOTAN_ASSERT_EQUAL(static_cast<size_t>(DTLS_HEADER_SIZE) + record_size, readbuf.size(), |
458 | 1.05k | "Have the full record"); |
459 | 1.05k | |
460 | 1.05k | const Record_Type type = static_cast<Record_Type>(readbuf[0]); |
461 | 1.05k | |
462 | 1.05k | const uint64_t sequence = load_be<uint64_t>(&readbuf[3], 0); |
463 | 1.05k | const uint16_t epoch = (sequence >> 48); |
464 | 1.05k | |
465 | 1.05k | const bool already_seen = sequence_numbers && sequence_numbers->already_seen(sequence); |
466 | 1.05k | |
467 | 1.05k | if(already_seen && !(epoch == 0 && allow_epoch0_restart)) |
468 | 44 | { |
469 | 44 | readbuf.clear(); |
470 | 44 | return Record_Header(0); |
471 | 44 | } |
472 | 1.01k | |
473 | 1.01k | if(epoch == 0) // Unencrypted initial handshake |
474 | 936 | { |
475 | 936 | recbuf.assign(readbuf.begin() + DTLS_HEADER_SIZE, readbuf.begin() + DTLS_HEADER_SIZE + record_size); |
476 | 936 | readbuf.clear(); |
477 | 936 | if(sequence_numbers) |
478 | 304 | sequence_numbers->read_accept(sequence); |
479 | 936 | return Record_Header(sequence, version, type); |
480 | 936 | } |
481 | 77 | |
482 | 77 | try |
483 | 77 | { |
484 | 77 | // Otherwise, decrypt, check MAC, return plaintext |
485 | 77 | auto cs = get_cipherstate(epoch); |
486 | 77 | |
487 | 77 | BOTAN_ASSERT(cs, "Have cipherstate for this epoch"); |
488 | 77 | |
489 | 77 | decrypt_record(recbuf, |
490 | 77 | &readbuf[DTLS_HEADER_SIZE], |
491 | 77 | record_size, |
492 | 77 | sequence, |
493 | 77 | version, |
494 | 77 | type, |
495 | 77 | *cs); |
496 | 77 | } |
497 | 77 | catch(std::exception&) |
498 | 77 | { |
499 | 77 | readbuf.clear(); |
500 | 77 | return Record_Header(0); |
501 | 77 | } |
502 | 0 | |
503 | 0 | if(sequence_numbers) |
504 | 0 | sequence_numbers->read_accept(sequence); |
505 | 0 |
|
506 | 0 | readbuf.clear(); |
507 | 0 | return Record_Header(sequence, version, type); |
508 | 0 | } |
509 | | |
510 | | } |
511 | | |
512 | | Record_Header read_record(bool is_datagram, |
513 | | secure_vector<uint8_t>& readbuf, |
514 | | const uint8_t input[], |
515 | | size_t input_len, |
516 | | size_t& consumed, |
517 | | secure_vector<uint8_t>& recbuf, |
518 | | Connection_Sequence_Numbers* sequence_numbers, |
519 | | get_cipherstate_fn get_cipherstate, |
520 | | bool allow_epoch0_restart) |
521 | 145k | { |
522 | 145k | if(is_datagram) |
523 | 1.12k | return read_dtls_record(readbuf, input, input_len, consumed, |
524 | 1.12k | recbuf, sequence_numbers, get_cipherstate, allow_epoch0_restart); |
525 | 144k | else |
526 | 144k | return read_tls_record(readbuf, input, input_len, consumed, |
527 | 144k | recbuf, sequence_numbers, get_cipherstate); |
528 | 145k | } |
529 | | |
530 | | } |
531 | | |
532 | | } |