OLD | NEW |
| (Empty) |
1 /* ssl/s3_pkt.c */ | |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
3 * All rights reserved. | |
4 * | |
5 * This package is an SSL implementation written | |
6 * by Eric Young (eay@cryptsoft.com). | |
7 * The implementation was written so as to conform with Netscapes SSL. | |
8 * | |
9 * This library is free for commercial and non-commercial use as long as | |
10 * the following conditions are aheared to. The following conditions | |
11 * apply to all code found in this distribution, be it the RC4, RSA, | |
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 * included with this distribution is covered by the same copyright terms | |
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 * | |
16 * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 * the code are not to be removed. | |
18 * If this package is used in a product, Eric Young should be given attribution | |
19 * as the author of the parts of the library used. | |
20 * This can be in the form of a textual message at program startup or | |
21 * in documentation (online or textual) provided with the package. | |
22 * | |
23 * Redistribution and use in source and binary forms, with or without | |
24 * modification, are permitted provided that the following conditions | |
25 * are met: | |
26 * 1. Redistributions of source code must retain the copyright | |
27 * notice, this list of conditions and the following disclaimer. | |
28 * 2. Redistributions in binary form must reproduce the above copyright | |
29 * notice, this list of conditions and the following disclaimer in the | |
30 * documentation and/or other materials provided with the distribution. | |
31 * 3. All advertising materials mentioning features or use of this software | |
32 * must display the following acknowledgement: | |
33 * "This product includes cryptographic software written by | |
34 * Eric Young (eay@cryptsoft.com)" | |
35 * The word 'cryptographic' can be left out if the rouines from the library | |
36 * being used are not cryptographic related :-). | |
37 * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 * the apps directory (application code) you must include an acknowledgement: | |
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 * | |
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 * SUCH DAMAGE. | |
52 * | |
53 * The licence and distribution terms for any publically available version or | |
54 * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 * copied and put under another distribution licence | |
56 * [including the GNU Public Licence.] | |
57 */ | |
58 /* ==================================================================== | |
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. | |
60 * | |
61 * Redistribution and use in source and binary forms, with or without | |
62 * modification, are permitted provided that the following conditions | |
63 * are met: | |
64 * | |
65 * 1. Redistributions of source code must retain the above copyright | |
66 * notice, this list of conditions and the following disclaimer. | |
67 * | |
68 * 2. Redistributions in binary form must reproduce the above copyright | |
69 * notice, this list of conditions and the following disclaimer in | |
70 * the documentation and/or other materials provided with the | |
71 * distribution. | |
72 * | |
73 * 3. All advertising materials mentioning features or use of this | |
74 * software must display the following acknowledgment: | |
75 * "This product includes software developed by the OpenSSL Project | |
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
77 * | |
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
79 * endorse or promote products derived from this software without | |
80 * prior written permission. For written permission, please contact | |
81 * openssl-core@openssl.org. | |
82 * | |
83 * 5. Products derived from this software may not be called "OpenSSL" | |
84 * nor may "OpenSSL" appear in their names without prior written | |
85 * permission of the OpenSSL Project. | |
86 * | |
87 * 6. Redistributions of any form whatsoever must retain the following | |
88 * acknowledgment: | |
89 * "This product includes software developed by the OpenSSL Project | |
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
91 * | |
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
103 * OF THE POSSIBILITY OF SUCH DAMAGE. | |
104 * ==================================================================== | |
105 * | |
106 * This product includes cryptographic software written by Eric Young | |
107 * (eay@cryptsoft.com). This product includes software written by Tim | |
108 * Hudson (tjh@cryptsoft.com). | |
109 * | |
110 */ | |
111 | |
112 #include <stdio.h> | |
113 #include <errno.h> | |
114 #define USE_SOCKETS | |
115 #include "ssl_locl.h" | |
116 #include <openssl/evp.h> | |
117 #include <openssl/buffer.h> | |
118 #include <openssl/rand.h> | |
119 | |
120 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, | |
121 unsigned int len, int create_empty_fragment); | |
122 static int ssl3_get_record(SSL *s); | |
123 | |
124 int ssl3_read_n(SSL *s, int n, int max, int extend) | |
125 { | |
126 /* If extend == 0, obtain new n-byte packet; if extend == 1, increase | |
127 * packet by another n bytes. | |
128 * The packet will be in the sub-array of s->s3->rbuf.buf specified | |
129 * by s->packet and s->packet_length. | |
130 * (If s->read_ahead is set, 'max' bytes may be stored in rbuf | |
131 * [plus s->packet_length bytes if extend == 1].) | |
132 */ | |
133 int i,len,left; | |
134 long align=0; | |
135 unsigned char *pkt; | |
136 SSL3_BUFFER *rb; | |
137 | |
138 if (n <= 0) return n; | |
139 | |
140 rb = &(s->s3->rbuf); | |
141 if (rb->buf == NULL) | |
142 if (!ssl3_setup_read_buffer(s)) | |
143 return -1; | |
144 | |
145 left = rb->left; | |
146 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 | |
147 align = (long)rb->buf + SSL3_RT_HEADER_LENGTH; | |
148 align = (-align)&(SSL3_ALIGN_PAYLOAD-1); | |
149 #endif | |
150 | |
151 if (!extend) | |
152 { | |
153 /* start with empty packet ... */ | |
154 if (left == 0) | |
155 rb->offset = align; | |
156 else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) | |
157 { | |
158 /* check if next packet length is large | |
159 * enough to justify payload alignment... */ | |
160 pkt = rb->buf + rb->offset; | |
161 if (pkt[0] == SSL3_RT_APPLICATION_DATA | |
162 && (pkt[3]<<8|pkt[4]) >= 128) | |
163 { | |
164 /* Note that even if packet is corrupted | |
165 * and its length field is insane, we can | |
166 * only be led to wrong decision about | |
167 * whether memmove will occur or not. | |
168 * Header values has no effect on memmove | |
169 * arguments and therefore no buffer | |
170 * overrun can be triggered. */ | |
171 memmove (rb->buf+align,pkt,left); | |
172 rb->offset = align; | |
173 } | |
174 } | |
175 s->packet = rb->buf + rb->offset; | |
176 s->packet_length = 0; | |
177 /* ... now we can act as if 'extend' was set */ | |
178 } | |
179 | |
180 /* For DTLS/UDP reads should not span multiple packets | |
181 * because the read operation returns the whole packet | |
182 * at once (as long as it fits into the buffer). */ | |
183 if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) | |
184 { | |
185 if (left > 0 && n > left) | |
186 n = left; | |
187 } | |
188 | |
189 /* if there is enough in the buffer from a previous read, take some */ | |
190 if (left >= n) | |
191 { | |
192 s->packet_length+=n; | |
193 rb->left=left-n; | |
194 rb->offset+=n; | |
195 return(n); | |
196 } | |
197 | |
198 /* else we need to read more data */ | |
199 | |
200 len = s->packet_length; | |
201 pkt = rb->buf+align; | |
202 /* Move any available bytes to front of buffer: | |
203 * 'len' bytes already pointed to by 'packet', | |
204 * 'left' extra ones at the end */ | |
205 if (s->packet != pkt) /* len > 0 */ | |
206 { | |
207 memmove(pkt, s->packet, len+left); | |
208 s->packet = pkt; | |
209 rb->offset = len + align; | |
210 } | |
211 | |
212 if (n > (int)(rb->len - rb->offset)) /* does not happen */ | |
213 { | |
214 SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR); | |
215 return -1; | |
216 } | |
217 | |
218 if (!s->read_ahead) | |
219 /* ignore max parameter */ | |
220 max = n; | |
221 else | |
222 { | |
223 if (max < n) | |
224 max = n; | |
225 if (max > (int)(rb->len - rb->offset)) | |
226 max = rb->len - rb->offset; | |
227 } | |
228 | |
229 while (left < n) | |
230 { | |
231 /* Now we have len+left bytes at the front of s->s3->rbuf.buf | |
232 * and need to read in more until we have len+n (up to | |
233 * len+max if possible) */ | |
234 | |
235 clear_sys_error(); | |
236 if (s->rbio != NULL) | |
237 { | |
238 s->rwstate=SSL_READING; | |
239 i=BIO_read(s->rbio,pkt+len+left, max-left); | |
240 } | |
241 else | |
242 { | |
243 SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET); | |
244 i = -1; | |
245 } | |
246 | |
247 if (i <= 0) | |
248 { | |
249 rb->left = left; | |
250 if (s->mode & SSL_MODE_RELEASE_BUFFERS && | |
251 SSL_version(s) != DTLS1_VERSION && SSL_version(s) !=
DTLS1_BAD_VER) | |
252 if (len+left == 0) | |
253 ssl3_release_read_buffer(s); | |
254 return(i); | |
255 } | |
256 left+=i; | |
257 /* reads should *never* span multiple packets for DTLS because | |
258 * the underlying transport protocol is message oriented as oppo
sed | |
259 * to byte oriented as in the TLS case. */ | |
260 if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_B
AD_VER) | |
261 { | |
262 if (n > left) | |
263 n = left; /* makes the while condition false */ | |
264 } | |
265 } | |
266 | |
267 /* done reading, now the book-keeping */ | |
268 rb->offset += n; | |
269 rb->left = left - n; | |
270 s->packet_length += n; | |
271 s->rwstate=SSL_NOTHING; | |
272 return(n); | |
273 } | |
274 | |
275 /* Call this to get a new input record. | |
276 * It will return <= 0 if more data is needed, normally due to an error | |
277 * or non-blocking IO. | |
278 * When it finishes, one packet has been decoded and can be found in | |
279 * ssl->s3->rrec.type - is the type of record | |
280 * ssl->s3->rrec.data, - data | |
281 * ssl->s3->rrec.length, - number of bytes | |
282 */ | |
283 /* used only by ssl3_read_bytes */ | |
284 static int ssl3_get_record(SSL *s) | |
285 { | |
286 int ssl_major,ssl_minor,al; | |
287 int enc_err,n,i,ret= -1; | |
288 SSL3_RECORD *rr; | |
289 SSL_SESSION *sess; | |
290 unsigned char *p; | |
291 unsigned char md[EVP_MAX_MD_SIZE]; | |
292 short version; | |
293 unsigned mac_size, orig_len; | |
294 size_t extra; | |
295 | |
296 rr= &(s->s3->rrec); | |
297 sess=s->session; | |
298 | |
299 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) | |
300 extra=SSL3_RT_MAX_EXTRA; | |
301 else | |
302 extra=0; | |
303 if (extra && !s->s3->init_extra) | |
304 { | |
305 /* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER | |
306 * set after ssl3_setup_buffers() was done */ | |
307 SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); | |
308 return -1; | |
309 } | |
310 | |
311 again: | |
312 /* check if we have the header */ | |
313 if ( (s->rstate != SSL_ST_READ_BODY) || | |
314 (s->packet_length < SSL3_RT_HEADER_LENGTH)) | |
315 { | |
316 n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); | |
317 if (n <= 0) return(n); /* error or non-blocking */ | |
318 s->rstate=SSL_ST_READ_BODY; | |
319 | |
320 p=s->packet; | |
321 | |
322 /* Pull apart the header into the SSL3_RECORD */ | |
323 rr->type= *(p++); | |
324 ssl_major= *(p++); | |
325 ssl_minor= *(p++); | |
326 version=(ssl_major<<8)|ssl_minor; | |
327 n2s(p,rr->length); | |
328 #if 0 | |
329 fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); | |
330 #endif | |
331 | |
332 /* Lets check version */ | |
333 if (!s->first_packet) | |
334 { | |
335 if (version != s->version) | |
336 { | |
337 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION
_NUMBER); | |
338 if ((s->version & 0xFF00) == (version & 0xFF00)) | |
339 /* Send back error using their minor ver
sion number :-) */ | |
340 s->version = (unsigned short)version; | |
341 al=SSL_AD_PROTOCOL_VERSION; | |
342 goto f_err; | |
343 } | |
344 } | |
345 | |
346 if ((version>>8) != SSL3_VERSION_MAJOR) | |
347 { | |
348 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER)
; | |
349 goto err; | |
350 } | |
351 | |
352 if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH) | |
353 { | |
354 al=SSL_AD_RECORD_OVERFLOW; | |
355 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LON
G); | |
356 goto f_err; | |
357 } | |
358 | |
359 /* now s->rstate == SSL_ST_READ_BODY */ | |
360 } | |
361 | |
362 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ | |
363 | |
364 if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH) | |
365 { | |
366 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */ | |
367 i=rr->length; | |
368 n=ssl3_read_n(s,i,i,1); | |
369 if (n <= 0) return(n); /* error or non-blocking io */ | |
370 /* now n == rr->length, | |
371 * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */ | |
372 } | |
373 | |
374 s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */ | |
375 | |
376 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, | |
377 * and we have that many bytes in s->packet | |
378 */ | |
379 rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]); | |
380 | |
381 /* ok, we can now read from 's->packet' data into 'rr' | |
382 * rr->input points at rr->length bytes, which | |
383 * need to be copied into rr->data by either | |
384 * the decryption or by the decompression | |
385 * When the data is 'copied' into the rr->data buffer, | |
386 * rr->input will be pointed at the new buffer */ | |
387 | |
388 /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] | |
389 * rr->length bytes of encrypted compressed stuff. */ | |
390 | |
391 /* check is not needed I believe */ | |
392 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra) | |
393 { | |
394 al=SSL_AD_RECORD_OVERFLOW; | |
395 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG); | |
396 goto f_err; | |
397 } | |
398 | |
399 /* decrypt in place in 'rr->input' */ | |
400 rr->data=rr->input; | |
401 | |
402 enc_err = s->method->ssl3_enc->enc(s,0); | |
403 /* enc_err is: | |
404 * 0: (in non-constant time) if the record is publically invalid. | |
405 * 1: if the padding is valid | |
406 * -1: if the padding is invalid */ | |
407 if (enc_err == 0) | |
408 { | |
409 al=SSL_AD_DECRYPTION_FAILED; | |
410 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); | |
411 goto f_err; | |
412 } | |
413 | |
414 #ifdef TLS_DEBUG | |
415 printf("dec %d\n",rr->length); | |
416 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1
)%16)?' ':'\n'); } | |
417 printf("\n"); | |
418 #endif | |
419 | |
420 /* r->length is now the compressed data plus mac */ | |
421 if ((sess != NULL) && | |
422 (s->enc_read_ctx != NULL) && | |
423 (EVP_MD_CTX_md(s->read_hash) != NULL)) | |
424 { | |
425 /* s->read_hash != NULL => mac_size != -1 */ | |
426 unsigned char *mac = NULL; | |
427 unsigned char mac_tmp[EVP_MAX_MD_SIZE]; | |
428 mac_size=EVP_MD_CTX_size(s->read_hash); | |
429 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); | |
430 | |
431 /* kludge: *_cbc_remove_padding passes padding length in rr->typ
e */ | |
432 orig_len = rr->length+((unsigned int)rr->type>>8); | |
433 | |
434 /* orig_len is the length of the record before any padding was | |
435 * removed. This is public information, as is the MAC in use, | |
436 * therefore we can safely process the record in a different | |
437 * amount of time if it's too short to possibly contain a MAC. | |
438 */ | |
439 if (orig_len < mac_size || | |
440 /* CBC records must have a padding length byte too. */ | |
441 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &
& | |
442 orig_len < mac_size+1)) | |
443 { | |
444 al=SSL_AD_DECODE_ERROR; | |
445 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); | |
446 goto f_err; | |
447 } | |
448 | |
449 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) | |
450 { | |
451 /* We update the length so that the TLS header bytes | |
452 * can be constructed correctly but we need to extract | |
453 * the MAC in constant time from within the record, | |
454 * without leaking the contents of the padding bytes. | |
455 * */ | |
456 mac = mac_tmp; | |
457 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); | |
458 rr->length -= mac_size; | |
459 } | |
460 else | |
461 { | |
462 /* In this case there's no padding, so |orig_len| | |
463 * equals |rec->length| and we checked that there's | |
464 * enough bytes for |mac_size| above. */ | |
465 rr->length -= mac_size; | |
466 mac = &rr->data[rr->length]; | |
467 } | |
468 | |
469 i=s->method->ssl3_enc->mac(s,md,0 /* not send */); | |
470 if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_s
ize) != 0) | |
471 enc_err = -1; | |
472 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) | |
473 enc_err = -1; | |
474 } | |
475 | |
476 if (enc_err < 0) | |
477 { | |
478 /* A separate 'decryption_failed' alert was introduced with TLS
1.0, | |
479 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption | |
480 * failure is directly visible from the ciphertext anyway, | |
481 * we should not reveal which kind of error occured -- this | |
482 * might become visible to an attacker (e.g. via a logfile) */ | |
483 al=SSL_AD_BAD_RECORD_MAC; | |
484 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECO
RD_MAC); | |
485 goto f_err; | |
486 } | |
487 | |
488 /* r->length is now just compressed */ | |
489 if (s->expand != NULL) | |
490 { | |
491 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) | |
492 { | |
493 al=SSL_AD_RECORD_OVERFLOW; | |
494 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO
_LONG); | |
495 goto f_err; | |
496 } | |
497 if (!ssl3_do_uncompress(s)) | |
498 { | |
499 al=SSL_AD_DECOMPRESSION_FAILURE; | |
500 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION); | |
501 goto f_err; | |
502 } | |
503 } | |
504 | |
505 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) | |
506 { | |
507 al=SSL_AD_RECORD_OVERFLOW; | |
508 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); | |
509 goto f_err; | |
510 } | |
511 | |
512 rr->off=0; | |
513 /* So at this point the following is true | |
514 * ssl->s3->rrec.type is the type of record | |
515 * ssl->s3->rrec.length == number of bytes in record | |
516 * ssl->s3->rrec.off == offset to first valid byte | |
517 * ssl->s3->rrec.data == where to take bytes from, increment | |
518 * after use :-). | |
519 */ | |
520 | |
521 /* we have pulled in a full packet so zero things */ | |
522 s->packet_length=0; | |
523 | |
524 /* just read a 0 length packet */ | |
525 if (rr->length == 0) goto again; | |
526 | |
527 #if 0 | |
528 fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length); | |
529 #endif | |
530 | |
531 return(1); | |
532 | |
533 f_err: | |
534 ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
535 err: | |
536 return(ret); | |
537 } | |
538 | |
539 int ssl3_do_uncompress(SSL *ssl) | |
540 { | |
541 #ifndef OPENSSL_NO_COMP | |
542 int i; | |
543 SSL3_RECORD *rr; | |
544 | |
545 rr= &(ssl->s3->rrec); | |
546 i=COMP_expand_block(ssl->expand,rr->comp, | |
547 SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length); | |
548 if (i < 0) | |
549 return(0); | |
550 else | |
551 rr->length=i; | |
552 rr->data=rr->comp; | |
553 #endif | |
554 return(1); | |
555 } | |
556 | |
557 int ssl3_do_compress(SSL *ssl) | |
558 { | |
559 #ifndef OPENSSL_NO_COMP | |
560 int i; | |
561 SSL3_RECORD *wr; | |
562 | |
563 wr= &(ssl->s3->wrec); | |
564 i=COMP_compress_block(ssl->compress,wr->data, | |
565 SSL3_RT_MAX_COMPRESSED_LENGTH, | |
566 wr->input,(int)wr->length); | |
567 if (i < 0) | |
568 return(0); | |
569 else | |
570 wr->length=i; | |
571 | |
572 wr->input=wr->data; | |
573 #endif | |
574 return(1); | |
575 } | |
576 | |
577 /* Call this to write data in records of type 'type' | |
578 * It will return <= 0 if not all data has been sent or non-blocking IO. | |
579 */ | |
580 int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) | |
581 { | |
582 const unsigned char *buf=buf_; | |
583 unsigned int tot,n,nw; | |
584 int i; | |
585 | |
586 s->rwstate=SSL_NOTHING; | |
587 tot=s->s3->wnum; | |
588 s->s3->wnum=0; | |
589 | |
590 if (SSL_in_init(s) && !s->in_handshake) | |
591 { | |
592 i=s->handshake_func(s); | |
593 if (i < 0) return(i); | |
594 if (i == 0) | |
595 { | |
596 SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILUR
E); | |
597 return -1; | |
598 } | |
599 } | |
600 | |
601 n=(len-tot); | |
602 for (;;) | |
603 { | |
604 if (n > s->max_send_fragment) | |
605 nw=s->max_send_fragment; | |
606 else | |
607 nw=n; | |
608 | |
609 i=do_ssl3_write(s, type, &(buf[tot]), nw, 0); | |
610 if (i <= 0) | |
611 { | |
612 s->s3->wnum=tot; | |
613 return i; | |
614 } | |
615 | |
616 if ((i == (int)n) || | |
617 (type == SSL3_RT_APPLICATION_DATA && | |
618 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) | |
619 { | |
620 /* next chunk of data should get another prepended empty
fragment | |
621 * in ciphersuites with known-IV weakness: */ | |
622 s->s3->empty_fragment_done = 0; | |
623 | |
624 return tot+i; | |
625 } | |
626 | |
627 n-=i; | |
628 tot+=i; | |
629 } | |
630 } | |
631 | |
632 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, | |
633 unsigned int len, int create_empty_fragment) | |
634 { | |
635 unsigned char *p,*plen; | |
636 int i,mac_size,clear=0; | |
637 int prefix_len=0; | |
638 int eivlen; | |
639 long align=0; | |
640 SSL3_RECORD *wr; | |
641 SSL3_BUFFER *wb=&(s->s3->wbuf); | |
642 SSL_SESSION *sess; | |
643 | |
644 | |
645 /* first check if there is a SSL3_BUFFER still being written | |
646 * out. This will happen with non blocking IO */ | |
647 if (wb->left != 0) | |
648 return(ssl3_write_pending(s,type,buf,len)); | |
649 | |
650 /* If we have an alert to send, lets send it */ | |
651 if (s->s3->alert_dispatch) | |
652 { | |
653 i=s->method->ssl_dispatch_alert(s); | |
654 if (i <= 0) | |
655 return(i); | |
656 /* if it went, fall through and send more stuff */ | |
657 } | |
658 | |
659 if (wb->buf == NULL) | |
660 if (!ssl3_setup_write_buffer(s)) | |
661 return -1; | |
662 | |
663 if (len == 0 && !create_empty_fragment) | |
664 return 0; | |
665 | |
666 wr= &(s->s3->wrec); | |
667 sess=s->session; | |
668 | |
669 if ( (sess == NULL) || | |
670 (s->enc_write_ctx == NULL) || | |
671 (EVP_MD_CTX_md(s->write_hash) == NULL)) | |
672 { | |
673 #if 1 | |
674 clear=s->enc_write_ctx?0:1; /* must be AEAD cipher */ | |
675 #else | |
676 clear=1; | |
677 #endif | |
678 mac_size=0; | |
679 } | |
680 else | |
681 { | |
682 mac_size=EVP_MD_CTX_size(s->write_hash); | |
683 if (mac_size < 0) | |
684 goto err; | |
685 } | |
686 | |
687 /* 'create_empty_fragment' is true only when this function calls itself
*/ | |
688 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done) | |
689 { | |
690 /* countermeasure against known-IV weakness in CBC ciphersuites | |
691 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ | |
692 | |
693 if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_D
ATA) | |
694 { | |
695 /* recursive function call with 'create_empty_fragment'
set; | |
696 * this prepares and buffers the data for an empty fragm
ent | |
697 * (these 'prefix_len' bytes are sent out later | |
698 * together with the actual payload) */ | |
699 prefix_len = do_ssl3_write(s, type, buf, 0, 1); | |
700 if (prefix_len <= 0) | |
701 goto err; | |
702 | |
703 if (prefix_len > | |
704 (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) | |
705 { | |
706 /* insufficient space */ | |
707 SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR
); | |
708 goto err; | |
709 } | |
710 } | |
711 | |
712 s->s3->empty_fragment_done = 1; | |
713 } | |
714 | |
715 if (create_empty_fragment) | |
716 { | |
717 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 | |
718 /* extra fragment would be couple of cipher blocks, | |
719 * which would be multiple of SSL3_ALIGN_PAYLOAD, so | |
720 * if we want to align the real payload, then we can | |
721 * just pretent we simply have two headers. */ | |
722 align = (long)wb->buf + 2*SSL3_RT_HEADER_LENGTH; | |
723 align = (-align)&(SSL3_ALIGN_PAYLOAD-1); | |
724 #endif | |
725 p = wb->buf + align; | |
726 wb->offset = align; | |
727 } | |
728 else if (prefix_len) | |
729 { | |
730 p = wb->buf + wb->offset + prefix_len; | |
731 } | |
732 else | |
733 { | |
734 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 | |
735 align = (long)wb->buf + SSL3_RT_HEADER_LENGTH; | |
736 align = (-align)&(SSL3_ALIGN_PAYLOAD-1); | |
737 #endif | |
738 p = wb->buf + align; | |
739 wb->offset = align; | |
740 } | |
741 | |
742 /* write the header */ | |
743 | |
744 *(p++)=type&0xff; | |
745 wr->type=type; | |
746 | |
747 *(p++)=(s->version>>8); | |
748 /* Some servers hang if iniatial client hello is larger than 256 | |
749 * bytes and record version number > TLS 1.0 | |
750 */ | |
751 if (s->state == SSL3_ST_CW_CLNT_HELLO_B | |
752 && !s->renegotiate | |
753 && TLS1_get_version(s) > TLS1_VERSION) | |
754 *(p++) = 0x1; | |
755 else | |
756 *(p++)=s->version&0xff; | |
757 | |
758 /* field where we are to write out packet length */ | |
759 plen=p; | |
760 p+=2; | |
761 /* Explicit IV length, block ciphers and TLS version 1.1 or later */ | |
762 if (s->enc_write_ctx && s->version >= TLS1_1_VERSION) | |
763 { | |
764 int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx); | |
765 if (mode == EVP_CIPH_CBC_MODE) | |
766 { | |
767 eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx); | |
768 if (eivlen <= 1) | |
769 eivlen = 0; | |
770 } | |
771 /* Need explicit part of IV for GCM mode */ | |
772 else if (mode == EVP_CIPH_GCM_MODE) | |
773 eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
774 else | |
775 eivlen = 0; | |
776 } | |
777 else if (s->aead_write_ctx != NULL && | |
778 s->aead_write_ctx->variable_nonce_included_in_record) | |
779 { | |
780 eivlen = s->aead_write_ctx->variable_nonce_len; | |
781 } | |
782 else | |
783 eivlen = 0; | |
784 | |
785 /* lets setup the record stuff. */ | |
786 wr->data=p + eivlen; | |
787 wr->length=(int)len; | |
788 wr->input=(unsigned char *)buf; | |
789 | |
790 /* we now 'read' from wr->input, wr->length bytes into | |
791 * wr->data */ | |
792 | |
793 /* first we compress */ | |
794 if (s->compress != NULL) | |
795 { | |
796 if (!ssl3_do_compress(s)) | |
797 { | |
798 SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE); | |
799 goto err; | |
800 } | |
801 } | |
802 else | |
803 { | |
804 memcpy(wr->data,wr->input,wr->length); | |
805 wr->input=wr->data; | |
806 } | |
807 | |
808 /* we should still have the output to wr->data and the input | |
809 * from wr->input. Length should be wr->length. | |
810 * wr->data still points in the wb->buf */ | |
811 | |
812 if (mac_size != 0) | |
813 { | |
814 if (s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0) | |
815 goto err; | |
816 wr->length+=mac_size; | |
817 } | |
818 | |
819 wr->input=p; | |
820 wr->data=p; | |
821 | |
822 if (eivlen) | |
823 { | |
824 /* if (RAND_pseudo_bytes(p, eivlen) <= 0) | |
825 goto err; */ | |
826 wr->length += eivlen; | |
827 } | |
828 | |
829 /* ssl3_enc can only have an error on read */ | |
830 s->method->ssl3_enc->enc(s,1); | |
831 | |
832 /* record length after mac and block padding */ | |
833 s2n(wr->length,plen); | |
834 | |
835 /* we should now have | |
836 * wr->data pointing to the encrypted data, which is | |
837 * wr->length long */ | |
838 wr->type=type; /* not needed but helps for debugging */ | |
839 wr->length+=SSL3_RT_HEADER_LENGTH; | |
840 | |
841 if (create_empty_fragment) | |
842 { | |
843 /* we are in a recursive call; | |
844 * just return the length, don't write out anything here | |
845 */ | |
846 return wr->length; | |
847 } | |
848 | |
849 /* now let's set up wb */ | |
850 wb->left = prefix_len + wr->length; | |
851 | |
852 /* memorize arguments so that ssl3_write_pending can detect bad write re
tries later */ | |
853 s->s3->wpend_tot=len; | |
854 s->s3->wpend_buf=buf; | |
855 s->s3->wpend_type=type; | |
856 s->s3->wpend_ret=len; | |
857 | |
858 /* we now just need to write the buffer */ | |
859 return ssl3_write_pending(s,type,buf,len); | |
860 err: | |
861 return -1; | |
862 } | |
863 | |
864 /* if s->s3->wbuf.left != 0, we need to call this */ | |
865 int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, | |
866 unsigned int len) | |
867 { | |
868 int i; | |
869 SSL3_BUFFER *wb=&(s->s3->wbuf); | |
870 | |
871 /* XXXX */ | |
872 if ((s->s3->wpend_tot > (int)len) | |
873 || ((s->s3->wpend_buf != buf) && | |
874 !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) | |
875 || (s->s3->wpend_type != type)) | |
876 { | |
877 SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY); | |
878 return(-1); | |
879 } | |
880 | |
881 for (;;) | |
882 { | |
883 clear_sys_error(); | |
884 if (s->wbio != NULL) | |
885 { | |
886 s->rwstate=SSL_WRITING; | |
887 i=BIO_write(s->wbio, | |
888 (char *)&(wb->buf[wb->offset]), | |
889 (unsigned int)wb->left); | |
890 } | |
891 else | |
892 { | |
893 SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET); | |
894 i= -1; | |
895 } | |
896 if (i == wb->left) | |
897 { | |
898 wb->left=0; | |
899 wb->offset+=i; | |
900 if (s->mode & SSL_MODE_RELEASE_BUFFERS && | |
901 SSL_version(s) != DTLS1_VERSION && SSL_version(s) !=
DTLS1_BAD_VER) | |
902 ssl3_release_write_buffer(s); | |
903 s->rwstate=SSL_NOTHING; | |
904 return(s->s3->wpend_ret); | |
905 } | |
906 else if (i <= 0) { | |
907 if (s->version == DTLS1_VERSION || | |
908 s->version == DTLS1_BAD_VER) { | |
909 /* For DTLS, just drop it. That's kind of the wh
ole | |
910 point in using a datagram service */ | |
911 wb->left = 0; | |
912 } | |
913 return(i); | |
914 } | |
915 wb->offset+=i; | |
916 wb->left-=i; | |
917 } | |
918 } | |
919 | |
920 /* Return up to 'len' payload bytes received in 'type' records. | |
921 * 'type' is one of the following: | |
922 * | |
923 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) | |
924 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) | |
925 * - 0 (during a shutdown, no data has to be returned) | |
926 * | |
927 * If we don't have stored data to work from, read a SSL/TLS record first | |
928 * (possibly multiple records if we still don't have anything to return). | |
929 * | |
930 * This function must handle any surprises the peer may have for us, such as | |
931 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really | |
932 * a surprise, but handled as if it were), or renegotiation requests. | |
933 * Also if record payloads contain fragments too small to process, we store | |
934 * them until there is enough for the respective protocol (the record protocol | |
935 * may use arbitrary fragmentation and even interleaving): | |
936 * Change cipher spec protocol | |
937 * just 1 byte needed, no need for keeping anything stored | |
938 * Alert protocol | |
939 * 2 bytes needed (AlertLevel, AlertDescription) | |
940 * Handshake protocol | |
941 * 4 bytes needed (HandshakeType, uint24 length) -- we just have | |
942 * to detect unexpected Client Hello and Hello Request messages | |
943 * here, anything else is handled by higher layers | |
944 * Application data protocol | |
945 * none of our business | |
946 */ | |
947 int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) | |
948 { | |
949 int al,i,j,ret; | |
950 unsigned int n; | |
951 SSL3_RECORD *rr; | |
952 void (*cb)(const SSL *ssl,int type2,int val)=NULL; | |
953 | |
954 if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ | |
955 if (!ssl3_setup_read_buffer(s)) | |
956 return(-1); | |
957 | |
958 if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HAND
SHAKE) && type) || | |
959 (peek && (type != SSL3_RT_APPLICATION_DATA))) | |
960 { | |
961 SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); | |
962 return -1; | |
963 } | |
964 | |
965 if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0)) | |
966 /* (partially) satisfy request from storage */ | |
967 { | |
968 unsigned char *src = s->s3->handshake_fragment; | |
969 unsigned char *dst = buf; | |
970 unsigned int k; | |
971 | |
972 /* peek == 0 */ | |
973 n = 0; | |
974 while ((len > 0) && (s->s3->handshake_fragment_len > 0)) | |
975 { | |
976 *dst++ = *src++; | |
977 len--; s->s3->handshake_fragment_len--; | |
978 n++; | |
979 } | |
980 /* move any remaining fragment bytes: */ | |
981 for (k = 0; k < s->s3->handshake_fragment_len; k++) | |
982 s->s3->handshake_fragment[k] = *src++; | |
983 return n; | |
984 } | |
985 | |
986 /* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE.
*/ | |
987 | |
988 if (!s->in_handshake && SSL_in_init(s)) | |
989 { | |
990 /* type == SSL3_RT_APPLICATION_DATA */ | |
991 i=s->handshake_func(s); | |
992 if (i < 0) return(i); | |
993 if (i == 0) | |
994 { | |
995 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE
); | |
996 return(-1); | |
997 } | |
998 } | |
999 start: | |
1000 s->rwstate=SSL_NOTHING; | |
1001 | |
1002 /* s->s3->rrec.type - is the type of record | |
1003 * s->s3->rrec.data, - data | |
1004 * s->s3->rrec.off, - offset into 'data' for next read | |
1005 * s->s3->rrec.length, - number of bytes. */ | |
1006 rr = &(s->s3->rrec); | |
1007 | |
1008 /* get new packet if necessary */ | |
1009 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) | |
1010 { | |
1011 ret=ssl3_get_record(s); | |
1012 if (ret <= 0) return(ret); | |
1013 } | |
1014 | |
1015 /* we now have a packet which can be read and processed */ | |
1016 | |
1017 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, | |
1018 * reset by ssl3_get_finished */ | |
1019 && (rr->type != SSL3_RT_HANDSHAKE)) | |
1020 { | |
1021 al=SSL_AD_UNEXPECTED_MESSAGE; | |
1022 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED
); | |
1023 goto f_err; | |
1024 } | |
1025 | |
1026 /* If the other end has shut down, throw anything we read away | |
1027 * (even in 'peek' mode) */ | |
1028 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) | |
1029 { | |
1030 rr->length=0; | |
1031 s->rwstate=SSL_NOTHING; | |
1032 return(0); | |
1033 } | |
1034 | |
1035 | |
1036 if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE *
/ | |
1037 { | |
1038 /* make sure that we are not getting application data when we | |
1039 * are doing a handshake for the first time */ | |
1040 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && | |
1041 (s->enc_read_ctx == NULL)) | |
1042 { | |
1043 al=SSL_AD_UNEXPECTED_MESSAGE; | |
1044 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE
); | |
1045 goto f_err; | |
1046 } | |
1047 | |
1048 if (len <= 0) return(len); | |
1049 | |
1050 if ((unsigned int)len > rr->length) | |
1051 n = rr->length; | |
1052 else | |
1053 n = (unsigned int)len; | |
1054 | |
1055 memcpy(buf,&(rr->data[rr->off]),n); | |
1056 if (!peek) | |
1057 { | |
1058 rr->length-=n; | |
1059 rr->off+=n; | |
1060 if (rr->length == 0) | |
1061 { | |
1062 s->rstate=SSL_ST_READ_HEADER; | |
1063 rr->off=0; | |
1064 if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3-
>rbuf.left == 0) | |
1065 ssl3_release_read_buffer(s); | |
1066 } | |
1067 } | |
1068 return(n); | |
1069 } | |
1070 | |
1071 | |
1072 /* If we get here, then type != rr->type; if we have a handshake | |
1073 * message, then it was unexpected (Hello Request or Client Hello). */ | |
1074 | |
1075 /* In case of record types for which we have 'fragment' storage, | |
1076 * fill that so that we can process the data at a fixed place. | |
1077 */ | |
1078 { | |
1079 unsigned int dest_maxlen = 0; | |
1080 unsigned char *dest = NULL; | |
1081 unsigned int *dest_len = NULL; | |
1082 | |
1083 if (rr->type == SSL3_RT_HANDSHAKE) | |
1084 { | |
1085 dest_maxlen = sizeof s->s3->handshake_fragment; | |
1086 dest = s->s3->handshake_fragment; | |
1087 dest_len = &s->s3->handshake_fragment_len; | |
1088 } | |
1089 else if (rr->type == SSL3_RT_ALERT) | |
1090 { | |
1091 dest_maxlen = sizeof s->s3->alert_fragment; | |
1092 dest = s->s3->alert_fragment; | |
1093 dest_len = &s->s3->alert_fragment_len; | |
1094 } | |
1095 #ifndef OPENSSL_NO_HEARTBEATS | |
1096 else if (rr->type == TLS1_RT_HEARTBEAT) | |
1097 { | |
1098 tls1_process_heartbeat(s); | |
1099 | |
1100 /* Exit and notify application to read again */ | |
1101 rr->length = 0; | |
1102 s->rwstate=SSL_READING; | |
1103 BIO_clear_retry_flags(SSL_get_rbio(s)); | |
1104 BIO_set_retry_read(SSL_get_rbio(s)); | |
1105 return(-1); | |
1106 } | |
1107 #endif | |
1108 | |
1109 if (dest_maxlen > 0) | |
1110 { | |
1111 n = dest_maxlen - *dest_len; /* available space in 'dest
' */ | |
1112 if (rr->length < n) | |
1113 n = rr->length; /* available bytes */ | |
1114 | |
1115 /* now move 'n' bytes: */ | |
1116 while (n-- > 0) | |
1117 { | |
1118 dest[(*dest_len)++] = rr->data[rr->off++]; | |
1119 rr->length--; | |
1120 } | |
1121 | |
1122 if (*dest_len < dest_maxlen) | |
1123 goto start; /* fragment was too small */ | |
1124 } | |
1125 } | |
1126 | |
1127 /* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAK
E; | |
1128 * s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT. | |
1129 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ | |
1130 | |
1131 /* If we are a client, check for an incoming 'Hello Request': */ | |
1132 if ((!s->server) && | |
1133 (s->s3->handshake_fragment_len >= 4) && | |
1134 (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && | |
1135 (s->session != NULL) && (s->session->cipher != NULL)) | |
1136 { | |
1137 s->s3->handshake_fragment_len = 0; | |
1138 | |
1139 if ((s->s3->handshake_fragment[1] != 0) || | |
1140 (s->s3->handshake_fragment[2] != 0) || | |
1141 (s->s3->handshake_fragment[3] != 0)) | |
1142 { | |
1143 al=SSL_AD_DECODE_ERROR; | |
1144 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST); | |
1145 goto f_err; | |
1146 } | |
1147 | |
1148 if (s->msg_callback) | |
1149 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3-
>handshake_fragment, 4, s, s->msg_callback_arg); | |
1150 | |
1151 if (SSL_is_init_finished(s) && | |
1152 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && | |
1153 !s->s3->renegotiate) | |
1154 { | |
1155 ssl3_renegotiate(s); | |
1156 if (ssl3_renegotiate_check(s)) | |
1157 { | |
1158 i=s->handshake_func(s); | |
1159 if (i < 0) return(i); | |
1160 if (i == 0) | |
1161 { | |
1162 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_H
ANDSHAKE_FAILURE); | |
1163 return(-1); | |
1164 } | |
1165 | |
1166 if (!(s->mode & SSL_MODE_AUTO_RETRY)) | |
1167 { | |
1168 if (s->s3->rbuf.left == 0) /* no read-ah
ead left? */ | |
1169 { | |
1170 BIO *bio; | |
1171 /* In the case where we try to r
ead application data, | |
1172 * but we trigger an SSL handsha
ke, we return -1 with | |
1173 * the retry option set. Otherw
ise renegotiation may | |
1174 * cause nasty problems in the b
locking world */ | |
1175 s->rwstate=SSL_READING; | |
1176 bio=SSL_get_rbio(s); | |
1177 BIO_clear_retry_flags(bio); | |
1178 BIO_set_retry_read(bio); | |
1179 return(-1); | |
1180 } | |
1181 } | |
1182 } | |
1183 } | |
1184 /* we either finished a handshake or ignored the request, | |
1185 * now try again to obtain the (application) data we were asked
for */ | |
1186 goto start; | |
1187 } | |
1188 /* If we are a server and get a client hello when renegotiation isn't | |
1189 * allowed send back a no renegotiation alert and carry on. | |
1190 * WARNING: experimental code, needs reviewing (steve) | |
1191 */ | |
1192 if (s->server && | |
1193 SSL_is_init_finished(s) && | |
1194 !s->s3->send_connection_binding && | |
1195 (s->version > SSL3_VERSION) && | |
1196 (s->s3->handshake_fragment_len >= 4) && | |
1197 (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && | |
1198 (s->session != NULL) && (s->session->cipher != NULL) && | |
1199 !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) | |
1200 | |
1201 { | |
1202 /*s->s3->handshake_fragment_len = 0;*/ | |
1203 rr->length = 0; | |
1204 ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); | |
1205 goto start; | |
1206 } | |
1207 if (s->s3->alert_fragment_len >= 2) | |
1208 { | |
1209 int alert_level = s->s3->alert_fragment[0]; | |
1210 int alert_descr = s->s3->alert_fragment[1]; | |
1211 | |
1212 s->s3->alert_fragment_len = 0; | |
1213 | |
1214 if (s->msg_callback) | |
1215 s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->ale
rt_fragment, 2, s, s->msg_callback_arg); | |
1216 | |
1217 if (s->info_callback != NULL) | |
1218 cb=s->info_callback; | |
1219 else if (s->ctx->info_callback != NULL) | |
1220 cb=s->ctx->info_callback; | |
1221 | |
1222 if (cb != NULL) | |
1223 { | |
1224 j = (alert_level << 8) | alert_descr; | |
1225 cb(s, SSL_CB_READ_ALERT, j); | |
1226 } | |
1227 | |
1228 if (alert_level == 1) /* warning */ | |
1229 { | |
1230 s->s3->warn_alert = alert_descr; | |
1231 if (alert_descr == SSL_AD_CLOSE_NOTIFY) | |
1232 { | |
1233 s->shutdown |= SSL_RECEIVED_SHUTDOWN; | |
1234 return(0); | |
1235 } | |
1236 /* This is a warning but we receive it if we requested | |
1237 * renegotiation and the peer denied it. Terminate with | |
1238 * a fatal alert because if application tried to | |
1239 * renegotiatie it presumably had a good reason and | |
1240 * expects it to succeed. | |
1241 * | |
1242 * In future we might have a renegotiation where we | |
1243 * don't care if the peer refused it where we carry on. | |
1244 */ | |
1245 else if (alert_descr == SSL_AD_NO_RENEGOTIATION) | |
1246 { | |
1247 al = SSL_AD_HANDSHAKE_FAILURE; | |
1248 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIAT
ION); | |
1249 goto f_err; | |
1250 } | |
1251 #ifdef SSL_AD_MISSING_SRP_USERNAME | |
1252 else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) | |
1253 return(0); | |
1254 #endif | |
1255 } | |
1256 else if (alert_level == 2) /* fatal */ | |
1257 { | |
1258 char tmp[16]; | |
1259 | |
1260 s->rwstate=SSL_NOTHING; | |
1261 s->s3->fatal_alert = alert_descr; | |
1262 SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + ale
rt_descr); | |
1263 BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr); | |
1264 ERR_add_error_data(2,"SSL alert number ",tmp); | |
1265 s->shutdown|=SSL_RECEIVED_SHUTDOWN; | |
1266 SSL_CTX_remove_session(s->ctx,s->session); | |
1267 return(0); | |
1268 } | |
1269 else | |
1270 { | |
1271 al=SSL_AD_ILLEGAL_PARAMETER; | |
1272 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE); | |
1273 goto f_err; | |
1274 } | |
1275 | |
1276 goto start; | |
1277 } | |
1278 | |
1279 if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutd
own */ | |
1280 { | |
1281 s->rwstate=SSL_NOTHING; | |
1282 rr->length=0; | |
1283 return(0); | |
1284 } | |
1285 | |
1286 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) | |
1287 { | |
1288 /* 'Change Cipher Spec' is just a single byte, so we know | |
1289 * exactly what the record payload has to look like */ | |
1290 if ( (rr->length != 1) || (rr->off != 0) || | |
1291 (rr->data[0] != SSL3_MT_CCS)) | |
1292 { | |
1293 al=SSL_AD_ILLEGAL_PARAMETER; | |
1294 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPE
C); | |
1295 goto f_err; | |
1296 } | |
1297 | |
1298 /* Check we have a cipher to change to */ | |
1299 if (s->s3->tmp.new_cipher == NULL) | |
1300 { | |
1301 al=SSL_AD_UNEXPECTED_MESSAGE; | |
1302 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); | |
1303 goto f_err; | |
1304 } | |
1305 | |
1306 if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) | |
1307 { | |
1308 al=SSL_AD_UNEXPECTED_MESSAGE; | |
1309 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); | |
1310 goto f_err; | |
1311 } | |
1312 | |
1313 s->s3->flags &= ~SSL3_FLAGS_CCS_OK; | |
1314 | |
1315 rr->length=0; | |
1316 | |
1317 if (s->msg_callback) | |
1318 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPE
C, rr->data, 1, s, s->msg_callback_arg); | |
1319 | |
1320 s->s3->change_cipher_spec=1; | |
1321 if (!ssl3_do_change_cipher_spec(s)) | |
1322 goto err; | |
1323 else | |
1324 goto start; | |
1325 } | |
1326 | |
1327 /* Unexpected handshake message (Client Hello, or protocol violation) */ | |
1328 if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) | |
1329 { | |
1330 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && | |
1331 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) | |
1332 { | |
1333 #if 0 /* worked only because C operator preferences are not as expected (and | |
1334 * because this is not really needed for clients except for detecting | |
1335 * protocol violations): */ | |
1336 s->state=SSL_ST_BEFORE|(s->server) | |
1337 ?SSL_ST_ACCEPT | |
1338 :SSL_ST_CONNECT; | |
1339 #else | |
1340 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; | |
1341 #endif | |
1342 s->renegotiate=1; | |
1343 s->new_session=1; | |
1344 } | |
1345 i=s->handshake_func(s); | |
1346 if (i < 0) return(i); | |
1347 if (i == 0) | |
1348 { | |
1349 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE
); | |
1350 return(-1); | |
1351 } | |
1352 | |
1353 if (!(s->mode & SSL_MODE_AUTO_RETRY)) | |
1354 { | |
1355 if (s->s3->rbuf.left == 0) /* no read-ahead left? */ | |
1356 { | |
1357 BIO *bio; | |
1358 /* In the case where we try to read application
data, | |
1359 * but we trigger an SSL handshake, we return -1
with | |
1360 * the retry option set. Otherwise renegotiatio
n may | |
1361 * cause nasty problems in the blocking world */ | |
1362 s->rwstate=SSL_READING; | |
1363 bio=SSL_get_rbio(s); | |
1364 BIO_clear_retry_flags(bio); | |
1365 BIO_set_retry_read(bio); | |
1366 return(-1); | |
1367 } | |
1368 } | |
1369 goto start; | |
1370 } | |
1371 | |
1372 switch (rr->type) | |
1373 { | |
1374 default: | |
1375 #ifndef OPENSSL_NO_TLS | |
1376 /* TLS up to v1.1 just ignores unknown message types: | |
1377 * TLS v1.2 give an unexpected message alert. | |
1378 */ | |
1379 if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) | |
1380 { | |
1381 rr->length = 0; | |
1382 goto start; | |
1383 } | |
1384 #endif | |
1385 al=SSL_AD_UNEXPECTED_MESSAGE; | |
1386 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD); | |
1387 goto f_err; | |
1388 case SSL3_RT_CHANGE_CIPHER_SPEC: | |
1389 case SSL3_RT_ALERT: | |
1390 case SSL3_RT_HANDSHAKE: | |
1391 /* we already handled all of these, with the possible exception | |
1392 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that | |
1393 * should not happen when type != rr->type */ | |
1394 al=SSL_AD_UNEXPECTED_MESSAGE; | |
1395 SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR); | |
1396 goto f_err; | |
1397 case SSL3_RT_APPLICATION_DATA: | |
1398 /* At this point, we were expecting handshake data, | |
1399 * but have application data. If the library was | |
1400 * running inside ssl3_read() (i.e. in_read_app_data | |
1401 * is set) and it makes sense to read application data | |
1402 * at this point (session renegotiation not yet started), | |
1403 * we will indulge it. | |
1404 */ | |
1405 if (s->s3->in_read_app_data && | |
1406 (s->s3->total_renegotiations != 0) && | |
1407 (( | |
1408 (s->state & SSL_ST_CONNECT) && | |
1409 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && | |
1410 (s->state <= SSL3_ST_CR_SRVR_HELLO_A) | |
1411 ) || ( | |
1412 (s->state & SSL_ST_ACCEPT) && | |
1413 (s->state <= SSL3_ST_SW_HELLO_REQ_A) && | |
1414 (s->state >= SSL3_ST_SR_CLNT_HELLO_A) | |
1415 ) | |
1416 )) | |
1417 { | |
1418 s->s3->in_read_app_data=2; | |
1419 return(-1); | |
1420 } | |
1421 else | |
1422 { | |
1423 al=SSL_AD_UNEXPECTED_MESSAGE; | |
1424 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD); | |
1425 goto f_err; | |
1426 } | |
1427 } | |
1428 /* not reached */ | |
1429 | |
1430 f_err: | |
1431 ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
1432 err: | |
1433 return(-1); | |
1434 } | |
1435 | |
1436 int ssl3_do_change_cipher_spec(SSL *s) | |
1437 { | |
1438 int i; | |
1439 const char *sender; | |
1440 int slen; | |
1441 | |
1442 if (s->state & SSL_ST_ACCEPT) | |
1443 i=SSL3_CHANGE_CIPHER_SERVER_READ; | |
1444 else | |
1445 i=SSL3_CHANGE_CIPHER_CLIENT_READ; | |
1446 | |
1447 if (s->s3->tmp.key_block == NULL) | |
1448 { | |
1449 if (s->session == NULL || s->session->master_key_length == 0) | |
1450 { | |
1451 /* might happen if dtls1_read_bytes() calls this */ | |
1452 SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIV
ED_EARLY); | |
1453 return (0); | |
1454 } | |
1455 | |
1456 s->session->cipher=s->s3->tmp.new_cipher; | |
1457 if (!s->method->ssl3_enc->setup_key_block(s)) return(0); | |
1458 } | |
1459 | |
1460 if (!s->method->ssl3_enc->change_cipher_state(s,i)) | |
1461 return(0); | |
1462 | |
1463 /* we have to record the message digest at | |
1464 * this point so we can get it before we read | |
1465 * the finished message */ | |
1466 if (s->state & SSL_ST_CONNECT) | |
1467 { | |
1468 sender=s->method->ssl3_enc->server_finished_label; | |
1469 slen=s->method->ssl3_enc->server_finished_label_len; | |
1470 } | |
1471 else | |
1472 { | |
1473 sender=s->method->ssl3_enc->client_finished_label; | |
1474 slen=s->method->ssl3_enc->client_finished_label_len; | |
1475 } | |
1476 | |
1477 s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, | |
1478 sender,slen,s->s3->tmp.peer_finish_md); | |
1479 | |
1480 return(1); | |
1481 } | |
1482 | |
1483 int ssl3_send_alert(SSL *s, int level, int desc) | |
1484 { | |
1485 /* Map tls/ssl alert value to correct one */ | |
1486 desc=s->method->ssl3_enc->alert_value(desc); | |
1487 if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION) | |
1488 desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protoc
ol_version alerts */ | |
1489 if (desc < 0) return -1; | |
1490 /* If a fatal one, remove from cache */ | |
1491 if ((level == 2) && (s->session != NULL)) | |
1492 SSL_CTX_remove_session(s->ctx,s->session); | |
1493 | |
1494 s->s3->alert_dispatch=1; | |
1495 s->s3->send_alert[0]=level; | |
1496 s->s3->send_alert[1]=desc; | |
1497 if (s->s3->wbuf.left == 0) /* data still being written out? */ | |
1498 return s->method->ssl_dispatch_alert(s); | |
1499 /* else data is still being written out, we will get written | |
1500 * some time in the future */ | |
1501 return -1; | |
1502 } | |
1503 | |
1504 int ssl3_dispatch_alert(SSL *s) | |
1505 { | |
1506 int i,j; | |
1507 void (*cb)(const SSL *ssl,int type,int val)=NULL; | |
1508 | |
1509 s->s3->alert_dispatch=0; | |
1510 i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0); | |
1511 if (i <= 0) | |
1512 { | |
1513 s->s3->alert_dispatch=1; | |
1514 } | |
1515 else | |
1516 { | |
1517 /* Alert sent to BIO. If it is important, flush it now. | |
1518 * If the message does not get sent due to non-blocking IO, | |
1519 * we will not worry too much. */ | |
1520 if (s->s3->send_alert[0] == SSL3_AL_FATAL) | |
1521 (void)BIO_flush(s->wbio); | |
1522 | |
1523 if (s->msg_callback) | |
1524 s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->sen
d_alert, 2, s, s->msg_callback_arg); | |
1525 | |
1526 if (s->info_callback != NULL) | |
1527 cb=s->info_callback; | |
1528 else if (s->ctx->info_callback != NULL) | |
1529 cb=s->ctx->info_callback; | |
1530 | |
1531 if (cb != NULL) | |
1532 { | |
1533 j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; | |
1534 cb(s,SSL_CB_WRITE_ALERT,j); | |
1535 } | |
1536 } | |
1537 return(i); | |
1538 } | |
OLD | NEW |