rec_layer_s3.c 59 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include <limits.h>
  11. #include <errno.h>
  12. #include "../ssl_locl.h"
  13. #include <openssl/evp.h>
  14. #include <openssl/buffer.h>
  15. #include <openssl/rand.h>
  16. #include "record_locl.h"
  17. #include "../packet_locl.h"
  18. #if defined(OPENSSL_SMALL_FOOTPRINT) || \
  19. !( defined(AES_ASM) && ( \
  20. defined(__x86_64) || defined(__x86_64__) || \
  21. defined(_M_AMD64) || defined(_M_X64) ) \
  22. )
  23. # undef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
  24. # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0
  25. #endif
  26. void RECORD_LAYER_init(RECORD_LAYER *rl, SSL *s)
  27. {
  28. rl->s = s;
  29. RECORD_LAYER_set_first_record(&s->rlayer);
  30. SSL3_RECORD_clear(rl->rrec, SSL_MAX_PIPELINES);
  31. }
  32. void RECORD_LAYER_clear(RECORD_LAYER *rl)
  33. {
  34. rl->rstate = SSL_ST_READ_HEADER;
  35. /*
  36. * Do I need to clear read_ahead? As far as I can tell read_ahead did not
  37. * previously get reset by SSL_clear...so I'll keep it that way..but is
  38. * that right?
  39. */
  40. rl->packet = NULL;
  41. rl->packet_length = 0;
  42. rl->wnum = 0;
  43. memset(rl->handshake_fragment, 0, sizeof(rl->handshake_fragment));
  44. rl->handshake_fragment_len = 0;
  45. rl->wpend_tot = 0;
  46. rl->wpend_type = 0;
  47. rl->wpend_ret = 0;
  48. rl->wpend_buf = NULL;
  49. SSL3_BUFFER_clear(&rl->rbuf);
  50. ssl3_release_write_buffer(rl->s);
  51. rl->numrpipes = 0;
  52. SSL3_RECORD_clear(rl->rrec, SSL_MAX_PIPELINES);
  53. RECORD_LAYER_reset_read_sequence(rl);
  54. RECORD_LAYER_reset_write_sequence(rl);
  55. if (rl->d)
  56. DTLS_RECORD_LAYER_clear(rl);
  57. }
  58. void RECORD_LAYER_release(RECORD_LAYER *rl)
  59. {
  60. if (SSL3_BUFFER_is_initialised(&rl->rbuf))
  61. ssl3_release_read_buffer(rl->s);
  62. if (rl->numwpipes > 0)
  63. ssl3_release_write_buffer(rl->s);
  64. SSL3_RECORD_release(rl->rrec, SSL_MAX_PIPELINES);
  65. }
  66. /* Checks if we have unprocessed read ahead data pending */
  67. int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
  68. {
  69. return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
  70. }
  71. /* Checks if we have decrypted unread record data pending */
  72. int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
  73. {
  74. size_t curr_rec = 0, num_recs = RECORD_LAYER_get_numrpipes(rl);
  75. const SSL3_RECORD *rr = rl->rrec;
  76. while (curr_rec < num_recs && SSL3_RECORD_is_read(&rr[curr_rec]))
  77. curr_rec++;
  78. return curr_rec < num_recs;
  79. }
  80. int RECORD_LAYER_write_pending(const RECORD_LAYER *rl)
  81. {
  82. return (rl->numwpipes > 0)
  83. && SSL3_BUFFER_get_left(&rl->wbuf[rl->numwpipes - 1]) != 0;
  84. }
  85. void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
  86. {
  87. memset(rl->read_sequence, 0, sizeof(rl->read_sequence));
  88. }
  89. void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
  90. {
  91. memset(rl->write_sequence, 0, sizeof(rl->write_sequence));
  92. }
  93. size_t ssl3_pending(const SSL *s)
  94. {
  95. size_t i, num = 0;
  96. if (s->rlayer.rstate == SSL_ST_READ_BODY)
  97. return 0;
  98. for (i = 0; i < RECORD_LAYER_get_numrpipes(&s->rlayer); i++) {
  99. if (SSL3_RECORD_get_type(&s->rlayer.rrec[i])
  100. != SSL3_RT_APPLICATION_DATA)
  101. return 0;
  102. num += SSL3_RECORD_get_length(&s->rlayer.rrec[i]);
  103. }
  104. return num;
  105. }
  106. void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
  107. {
  108. ctx->default_read_buf_len = len;
  109. }
  110. void SSL_set_default_read_buffer_len(SSL *s, size_t len)
  111. {
  112. SSL3_BUFFER_set_default_len(RECORD_LAYER_get_rbuf(&s->rlayer), len);
  113. }
  114. const char *SSL_rstate_string_long(const SSL *s)
  115. {
  116. switch (s->rlayer.rstate) {
  117. case SSL_ST_READ_HEADER:
  118. return "read header";
  119. case SSL_ST_READ_BODY:
  120. return "read body";
  121. case SSL_ST_READ_DONE:
  122. return "read done";
  123. default:
  124. return "unknown";
  125. }
  126. }
  127. const char *SSL_rstate_string(const SSL *s)
  128. {
  129. switch (s->rlayer.rstate) {
  130. case SSL_ST_READ_HEADER:
  131. return "RH";
  132. case SSL_ST_READ_BODY:
  133. return "RB";
  134. case SSL_ST_READ_DONE:
  135. return "RD";
  136. default:
  137. return "unknown";
  138. }
  139. }
  140. /*
  141. * Return values are as per SSL_read()
  142. */
  143. int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
  144. size_t *readbytes)
  145. {
  146. /*
  147. * If extend == 0, obtain new n-byte packet; if extend == 1, increase
  148. * packet by another n bytes. The packet will be in the sub-array of
  149. * s->s3->rbuf.buf specified by s->packet and s->packet_length. (If
  150. * s->rlayer.read_ahead is set, 'max' bytes may be stored in rbuf [plus
  151. * s->packet_length bytes if extend == 1].)
  152. * if clearold == 1, move the packet to the start of the buffer; if
  153. * clearold == 0 then leave any old packets where they were
  154. */
  155. size_t len, left, align = 0;
  156. unsigned char *pkt;
  157. SSL3_BUFFER *rb;
  158. if (n == 0)
  159. return 0;
  160. rb = &s->rlayer.rbuf;
  161. if (rb->buf == NULL)
  162. if (!ssl3_setup_read_buffer(s)) {
  163. /* SSLfatal() already called */
  164. return -1;
  165. }
  166. left = rb->left;
  167. #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
  168. align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
  169. align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
  170. #endif
  171. if (!extend) {
  172. /* start with empty packet ... */
  173. if (left == 0)
  174. rb->offset = align;
  175. else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {
  176. /*
  177. * check if next packet length is large enough to justify payload
  178. * alignment...
  179. */
  180. pkt = rb->buf + rb->offset;
  181. if (pkt[0] == SSL3_RT_APPLICATION_DATA
  182. && (pkt[3] << 8 | pkt[4]) >= 128) {
  183. /*
  184. * Note that even if packet is corrupted and its length field
  185. * is insane, we can only be led to wrong decision about
  186. * whether memmove will occur or not. Header values has no
  187. * effect on memmove arguments and therefore no buffer
  188. * overrun can be triggered.
  189. */
  190. memmove(rb->buf + align, pkt, left);
  191. rb->offset = align;
  192. }
  193. }
  194. s->rlayer.packet = rb->buf + rb->offset;
  195. s->rlayer.packet_length = 0;
  196. /* ... now we can act as if 'extend' was set */
  197. }
  198. len = s->rlayer.packet_length;
  199. pkt = rb->buf + align;
  200. /*
  201. * Move any available bytes to front of buffer: 'len' bytes already
  202. * pointed to by 'packet', 'left' extra ones at the end
  203. */
  204. if (s->rlayer.packet != pkt && clearold == 1) {
  205. memmove(pkt, s->rlayer.packet, len + left);
  206. s->rlayer.packet = pkt;
  207. rb->offset = len + align;
  208. }
  209. /*
  210. * For DTLS/UDP reads should not span multiple packets because the read
  211. * operation returns the whole packet at once (as long as it fits into
  212. * the buffer).
  213. */
  214. if (SSL_IS_DTLS(s)) {
  215. if (left == 0 && extend)
  216. return 0;
  217. if (left > 0 && n > left)
  218. n = left;
  219. }
  220. /* if there is enough in the buffer from a previous read, take some */
  221. if (left >= n) {
  222. s->rlayer.packet_length += n;
  223. rb->left = left - n;
  224. rb->offset += n;
  225. *readbytes = n;
  226. return 1;
  227. }
  228. /* else we need to read more data */
  229. if (n > rb->len - rb->offset) {
  230. /* does not happen */
  231. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N,
  232. ERR_R_INTERNAL_ERROR);
  233. return -1;
  234. }
  235. /* We always act like read_ahead is set for DTLS */
  236. if (!s->rlayer.read_ahead && !SSL_IS_DTLS(s))
  237. /* ignore max parameter */
  238. max = n;
  239. else {
  240. if (max < n)
  241. max = n;
  242. if (max > rb->len - rb->offset)
  243. max = rb->len - rb->offset;
  244. }
  245. while (left < n) {
  246. size_t bioread = 0;
  247. int ret;
  248. /*
  249. * Now we have len+left bytes at the front of s->s3->rbuf.buf and
  250. * need to read in more until we have len+n (up to len+max if
  251. * possible)
  252. */
  253. clear_sys_error();
  254. if (s->rbio != NULL) {
  255. s->rwstate = SSL_READING;
  256. /* TODO(size_t): Convert this function */
  257. ret = BIO_read(s->rbio, pkt + len + left, max - left);
  258. if (ret >= 0)
  259. bioread = ret;
  260. } else {
  261. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N,
  262. SSL_R_READ_BIO_NOT_SET);
  263. ret = -1;
  264. }
  265. if (ret <= 0) {
  266. rb->left = left;
  267. if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s))
  268. if (len + left == 0)
  269. ssl3_release_read_buffer(s);
  270. return ret;
  271. }
  272. left += bioread;
  273. /*
  274. * reads should *never* span multiple packets for DTLS because the
  275. * underlying transport protocol is message oriented as opposed to
  276. * byte oriented as in the TLS case.
  277. */
  278. if (SSL_IS_DTLS(s)) {
  279. if (n > left)
  280. n = left; /* makes the while condition false */
  281. }
  282. }
  283. /* done reading, now the book-keeping */
  284. rb->offset += n;
  285. rb->left = left - n;
  286. s->rlayer.packet_length += n;
  287. s->rwstate = SSL_NOTHING;
  288. *readbytes = n;
  289. return 1;
  290. }
  291. /*
  292. * Call this to write data in records of type 'type' It will return <= 0 if
  293. * not all data has been sent or non-blocking IO.
  294. */
  295. int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
  296. size_t *written)
  297. {
  298. const unsigned char *buf = buf_;
  299. size_t tot;
  300. size_t n, max_send_fragment, split_send_fragment, maxpipes;
  301. #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
  302. size_t nw;
  303. #endif
  304. SSL3_BUFFER *wb = &s->rlayer.wbuf[0];
  305. int i;
  306. size_t tmpwrit;
  307. s->rwstate = SSL_NOTHING;
  308. tot = s->rlayer.wnum;
  309. /*
  310. * ensure that if we end up with a smaller value of data to write out
  311. * than the original len from a write which didn't complete for
  312. * non-blocking I/O and also somehow ended up avoiding the check for
  313. * this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be
  314. * possible to end up with (len-tot) as a large number that will then
  315. * promptly send beyond the end of the users buffer ... so we trap and
  316. * report the error in a way the user will notice
  317. */
  318. if ((len < s->rlayer.wnum)
  319. || ((wb->left != 0) && (len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) {
  320. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES,
  321. SSL_R_BAD_LENGTH);
  322. return -1;
  323. }
  324. if (s->early_data_state == SSL_EARLY_DATA_WRITING
  325. && !early_data_count_ok(s, len, 0, 1)) {
  326. /* SSLfatal() already called */
  327. return -1;
  328. }
  329. s->rlayer.wnum = 0;
  330. /*
  331. * When writing early data on the server side we could be "in_init" in
  332. * between receiving the EoED and the CF - but we don't want to handle those
  333. * messages yet.
  334. */
  335. if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s)
  336. && s->early_data_state != SSL_EARLY_DATA_UNAUTH_WRITING) {
  337. i = s->handshake_func(s);
  338. /* SSLfatal() already called */
  339. if (i < 0)
  340. return i;
  341. if (i == 0) {
  342. return -1;
  343. }
  344. }
  345. /*
  346. * first check if there is a SSL3_BUFFER still being written out. This
  347. * will happen with non blocking IO
  348. */
  349. if (wb->left != 0) {
  350. /* SSLfatal() already called if appropriate */
  351. i = ssl3_write_pending(s, type, &buf[tot], s->rlayer.wpend_tot,
  352. &tmpwrit);
  353. if (i <= 0) {
  354. /* XXX should we ssl3_release_write_buffer if i<0? */
  355. s->rlayer.wnum = tot;
  356. return i;
  357. }
  358. tot += tmpwrit; /* this might be last fragment */
  359. }
  360. #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
  361. /*
  362. * Depending on platform multi-block can deliver several *times*
  363. * better performance. Downside is that it has to allocate
  364. * jumbo buffer to accommodate up to 8 records, but the
  365. * compromise is considered worthy.
  366. */
  367. if (type == SSL3_RT_APPLICATION_DATA &&
  368. len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) &&
  369. s->compress == NULL && s->msg_callback == NULL &&
  370. !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) &&
  371. EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) &
  372. EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) {
  373. unsigned char aad[13];
  374. EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
  375. size_t packlen;
  376. int packleni;
  377. /* minimize address aliasing conflicts */
  378. if ((max_send_fragment & 0xfff) == 0)
  379. max_send_fragment -= 512;
  380. if (tot == 0 || wb->buf == NULL) { /* allocate jumbo buffer */
  381. ssl3_release_write_buffer(s);
  382. packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
  383. EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE,
  384. (int)max_send_fragment, NULL);
  385. if (len >= 8 * max_send_fragment)
  386. packlen *= 8;
  387. else
  388. packlen *= 4;
  389. if (!ssl3_setup_write_buffer(s, 1, packlen)) {
  390. /* SSLfatal() already called */
  391. return -1;
  392. }
  393. } else if (tot == len) { /* done? */
  394. /* free jumbo buffer */
  395. ssl3_release_write_buffer(s);
  396. *written = tot;
  397. return 1;
  398. }
  399. n = (len - tot);
  400. for (;;) {
  401. if (n < 4 * max_send_fragment) {
  402. /* free jumbo buffer */
  403. ssl3_release_write_buffer(s);
  404. break;
  405. }
  406. if (s->s3->alert_dispatch) {
  407. i = s->method->ssl_dispatch_alert(s);
  408. if (i <= 0) {
  409. /* SSLfatal() already called if appropriate */
  410. s->rlayer.wnum = tot;
  411. return i;
  412. }
  413. }
  414. if (n >= 8 * max_send_fragment)
  415. nw = max_send_fragment * (mb_param.interleave = 8);
  416. else
  417. nw = max_send_fragment * (mb_param.interleave = 4);
  418. memcpy(aad, s->rlayer.write_sequence, 8);
  419. aad[8] = type;
  420. aad[9] = (unsigned char)(s->version >> 8);
  421. aad[10] = (unsigned char)(s->version);
  422. aad[11] = 0;
  423. aad[12] = 0;
  424. mb_param.out = NULL;
  425. mb_param.inp = aad;
  426. mb_param.len = nw;
  427. packleni = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
  428. EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
  429. sizeof(mb_param), &mb_param);
  430. packlen = (size_t)packleni;
  431. if (packleni <= 0 || packlen > wb->len) { /* never happens */
  432. /* free jumbo buffer */
  433. ssl3_release_write_buffer(s);
  434. break;
  435. }
  436. mb_param.out = wb->buf;
  437. mb_param.inp = &buf[tot];
  438. mb_param.len = nw;
  439. if (EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
  440. EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
  441. sizeof(mb_param), &mb_param) <= 0)
  442. return -1;
  443. s->rlayer.write_sequence[7] += mb_param.interleave;
  444. if (s->rlayer.write_sequence[7] < mb_param.interleave) {
  445. int j = 6;
  446. while (j >= 0 && (++s->rlayer.write_sequence[j--]) == 0) ;
  447. }
  448. wb->offset = 0;
  449. wb->left = packlen;
  450. s->rlayer.wpend_tot = nw;
  451. s->rlayer.wpend_buf = &buf[tot];
  452. s->rlayer.wpend_type = type;
  453. s->rlayer.wpend_ret = nw;
  454. i = ssl3_write_pending(s, type, &buf[tot], nw, &tmpwrit);
  455. if (i <= 0) {
  456. /* SSLfatal() already called if appropriate */
  457. if (i < 0 && (!s->wbio || !BIO_should_retry(s->wbio))) {
  458. /* free jumbo buffer */
  459. ssl3_release_write_buffer(s);
  460. }
  461. s->rlayer.wnum = tot;
  462. return i;
  463. }
  464. if (tmpwrit == n) {
  465. /* free jumbo buffer */
  466. ssl3_release_write_buffer(s);
  467. *written = tot + tmpwrit;
  468. return 1;
  469. }
  470. n -= tmpwrit;
  471. tot += tmpwrit;
  472. }
  473. } else
  474. #endif /* !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK */
  475. if (tot == len) { /* done? */
  476. if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s))
  477. ssl3_release_write_buffer(s);
  478. *written = tot;
  479. return 1;
  480. }
  481. n = (len - tot);
  482. max_send_fragment = ssl_get_max_send_fragment(s);
  483. split_send_fragment = ssl_get_split_send_fragment(s);
  484. /*
  485. * If max_pipelines is 0 then this means "undefined" and we default to
  486. * 1 pipeline. Similarly if the cipher does not support pipelined
  487. * processing then we also only use 1 pipeline, or if we're not using
  488. * explicit IVs
  489. */
  490. maxpipes = s->max_pipelines;
  491. if (maxpipes > SSL_MAX_PIPELINES) {
  492. /*
  493. * We should have prevented this when we set max_pipelines so we
  494. * shouldn't get here
  495. */
  496. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES,
  497. ERR_R_INTERNAL_ERROR);
  498. return -1;
  499. }
  500. if (maxpipes == 0
  501. || s->enc_write_ctx == NULL
  502. || !(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx))
  503. & EVP_CIPH_FLAG_PIPELINE)
  504. || !SSL_USE_EXPLICIT_IV(s))
  505. maxpipes = 1;
  506. if (max_send_fragment == 0 || split_send_fragment == 0
  507. || split_send_fragment > max_send_fragment) {
  508. /*
  509. * We should have prevented this when we set/get the split and max send
  510. * fragments so we shouldn't get here
  511. */
  512. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES,
  513. ERR_R_INTERNAL_ERROR);
  514. return -1;
  515. }
  516. for (;;) {
  517. size_t pipelens[SSL_MAX_PIPELINES], tmppipelen, remain;
  518. size_t numpipes, j;
  519. if (n == 0)
  520. numpipes = 1;
  521. else
  522. numpipes = ((n - 1) / split_send_fragment) + 1;
  523. if (numpipes > maxpipes)
  524. numpipes = maxpipes;
  525. if (n / numpipes >= max_send_fragment) {
  526. /*
  527. * We have enough data to completely fill all available
  528. * pipelines
  529. */
  530. for (j = 0; j < numpipes; j++) {
  531. pipelens[j] = max_send_fragment;
  532. }
  533. } else {
  534. /* We can partially fill all available pipelines */
  535. tmppipelen = n / numpipes;
  536. remain = n % numpipes;
  537. for (j = 0; j < numpipes; j++) {
  538. pipelens[j] = tmppipelen;
  539. if (j < remain)
  540. pipelens[j]++;
  541. }
  542. }
  543. i = do_ssl3_write(s, type, &(buf[tot]), pipelens, numpipes, 0,
  544. &tmpwrit);
  545. if (i <= 0) {
  546. /* SSLfatal() already called if appropriate */
  547. /* XXX should we ssl3_release_write_buffer if i<0? */
  548. s->rlayer.wnum = tot;
  549. return i;
  550. }
  551. if (tmpwrit == n ||
  552. (type == SSL3_RT_APPLICATION_DATA &&
  553. (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) {
  554. /*
  555. * next chunk of data should get another prepended empty fragment
  556. * in ciphersuites with known-IV weakness:
  557. */
  558. s->s3->empty_fragment_done = 0;
  559. if ((i == (int)n) && s->mode & SSL_MODE_RELEASE_BUFFERS &&
  560. !SSL_IS_DTLS(s))
  561. ssl3_release_write_buffer(s);
  562. *written = tot + tmpwrit;
  563. return 1;
  564. }
  565. n -= tmpwrit;
  566. tot += tmpwrit;
  567. }
  568. }
  569. int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
  570. size_t *pipelens, size_t numpipes,
  571. int create_empty_fragment, size_t *written)
  572. {
  573. WPACKET pkt[SSL_MAX_PIPELINES];
  574. SSL3_RECORD wr[SSL_MAX_PIPELINES];
  575. WPACKET *thispkt;
  576. SSL3_RECORD *thiswr;
  577. unsigned char *recordstart;
  578. int i, mac_size, clear = 0;
  579. size_t prefix_len = 0;
  580. int eivlen = 0;
  581. size_t align = 0;
  582. SSL3_BUFFER *wb;
  583. SSL_SESSION *sess;
  584. size_t totlen = 0, len, wpinited = 0;
  585. size_t j;
  586. for (j = 0; j < numpipes; j++)
  587. totlen += pipelens[j];
  588. /*
  589. * first check if there is a SSL3_BUFFER still being written out. This
  590. * will happen with non blocking IO
  591. */
  592. if (RECORD_LAYER_write_pending(&s->rlayer)) {
  593. /* Calls SSLfatal() as required */
  594. return ssl3_write_pending(s, type, buf, totlen, written);
  595. }
  596. /* If we have an alert to send, lets send it */
  597. if (s->s3->alert_dispatch) {
  598. i = s->method->ssl_dispatch_alert(s);
  599. if (i <= 0) {
  600. /* SSLfatal() already called if appropriate */
  601. return i;
  602. }
  603. /* if it went, fall through and send more stuff */
  604. }
  605. if (s->rlayer.numwpipes < numpipes) {
  606. if (!ssl3_setup_write_buffer(s, numpipes, 0)) {
  607. /* SSLfatal() already called */
  608. return -1;
  609. }
  610. }
  611. if (totlen == 0 && !create_empty_fragment)
  612. return 0;
  613. sess = s->session;
  614. if ((sess == NULL) ||
  615. (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) {
  616. clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */
  617. mac_size = 0;
  618. } else {
  619. /* TODO(siz_t): Convert me */
  620. mac_size = EVP_MD_CTX_size(s->write_hash);
  621. if (mac_size < 0) {
  622. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  623. ERR_R_INTERNAL_ERROR);
  624. goto err;
  625. }
  626. }
  627. /*
  628. * 'create_empty_fragment' is true only when this function calls itself
  629. */
  630. if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done) {
  631. /*
  632. * countermeasure against known-IV weakness in CBC ciphersuites (see
  633. * http://www.openssl.org/~bodo/tls-cbc.txt)
  634. */
  635. if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) {
  636. /*
  637. * recursive function call with 'create_empty_fragment' set; this
  638. * prepares and buffers the data for an empty fragment (these
  639. * 'prefix_len' bytes are sent out later together with the actual
  640. * payload)
  641. */
  642. size_t tmppipelen = 0;
  643. int ret;
  644. ret = do_ssl3_write(s, type, buf, &tmppipelen, 1, 1, &prefix_len);
  645. if (ret <= 0) {
  646. /* SSLfatal() already called if appropriate */
  647. goto err;
  648. }
  649. if (prefix_len >
  650. (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) {
  651. /* insufficient space */
  652. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  653. ERR_R_INTERNAL_ERROR);
  654. goto err;
  655. }
  656. }
  657. s->s3->empty_fragment_done = 1;
  658. }
  659. if (create_empty_fragment) {
  660. wb = &s->rlayer.wbuf[0];
  661. #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
  662. /*
  663. * extra fragment would be couple of cipher blocks, which would be
  664. * multiple of SSL3_ALIGN_PAYLOAD, so if we want to align the real
  665. * payload, then we can just pretend we simply have two headers.
  666. */
  667. align = (size_t)SSL3_BUFFER_get_buf(wb) + 2 * SSL3_RT_HEADER_LENGTH;
  668. align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
  669. #endif
  670. SSL3_BUFFER_set_offset(wb, align);
  671. if (!WPACKET_init_static_len(&pkt[0], SSL3_BUFFER_get_buf(wb),
  672. SSL3_BUFFER_get_len(wb), 0)
  673. || !WPACKET_allocate_bytes(&pkt[0], align, NULL)) {
  674. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  675. ERR_R_INTERNAL_ERROR);
  676. goto err;
  677. }
  678. wpinited = 1;
  679. } else if (prefix_len) {
  680. wb = &s->rlayer.wbuf[0];
  681. if (!WPACKET_init_static_len(&pkt[0],
  682. SSL3_BUFFER_get_buf(wb),
  683. SSL3_BUFFER_get_len(wb), 0)
  684. || !WPACKET_allocate_bytes(&pkt[0], SSL3_BUFFER_get_offset(wb)
  685. + prefix_len, NULL)) {
  686. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  687. ERR_R_INTERNAL_ERROR);
  688. goto err;
  689. }
  690. wpinited = 1;
  691. } else {
  692. for (j = 0; j < numpipes; j++) {
  693. thispkt = &pkt[j];
  694. wb = &s->rlayer.wbuf[j];
  695. #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0
  696. align = (size_t)SSL3_BUFFER_get_buf(wb) + SSL3_RT_HEADER_LENGTH;
  697. align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
  698. #endif
  699. SSL3_BUFFER_set_offset(wb, align);
  700. if (!WPACKET_init_static_len(thispkt, SSL3_BUFFER_get_buf(wb),
  701. SSL3_BUFFER_get_len(wb), 0)
  702. || !WPACKET_allocate_bytes(thispkt, align, NULL)) {
  703. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  704. ERR_R_INTERNAL_ERROR);
  705. goto err;
  706. }
  707. wpinited++;
  708. }
  709. }
  710. /* Explicit IV length, block ciphers appropriate version flag */
  711. if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s) && !SSL_TREAT_AS_TLS13(s)) {
  712. int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
  713. if (mode == EVP_CIPH_CBC_MODE) {
  714. /* TODO(size_t): Convert me */
  715. eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
  716. if (eivlen <= 1)
  717. eivlen = 0;
  718. } else if (mode == EVP_CIPH_GCM_MODE) {
  719. /* Need explicit part of IV for GCM mode */
  720. eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
  721. } else if (mode == EVP_CIPH_CCM_MODE) {
  722. eivlen = EVP_CCM_TLS_EXPLICIT_IV_LEN;
  723. }
  724. }
  725. totlen = 0;
  726. /* Clear our SSL3_RECORD structures */
  727. memset(wr, 0, sizeof(wr));
  728. for (j = 0; j < numpipes; j++) {
  729. unsigned int version = SSL_TREAT_AS_TLS13(s) ? TLS1_2_VERSION
  730. : s->version;
  731. unsigned char *compressdata = NULL;
  732. size_t maxcomplen;
  733. unsigned int rectype;
  734. thispkt = &pkt[j];
  735. thiswr = &wr[j];
  736. /*
  737. * In TLSv1.3, once encrypting, we always use application data for the
  738. * record type
  739. */
  740. if (SSL_TREAT_AS_TLS13(s) && s->enc_write_ctx != NULL)
  741. rectype = SSL3_RT_APPLICATION_DATA;
  742. else
  743. rectype = type;
  744. SSL3_RECORD_set_type(thiswr, rectype);
  745. /*
  746. * Some servers hang if initial client hello is larger than 256 bytes
  747. * and record version number > TLS 1.0
  748. */
  749. if (SSL_get_state(s) == TLS_ST_CW_CLNT_HELLO
  750. && !s->renegotiate
  751. && TLS1_get_version(s) > TLS1_VERSION
  752. && s->hello_retry_request == SSL_HRR_NONE)
  753. version = TLS1_VERSION;
  754. SSL3_RECORD_set_rec_version(thiswr, version);
  755. maxcomplen = pipelens[j];
  756. if (s->compress != NULL)
  757. maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
  758. /* write the header */
  759. if (!WPACKET_put_bytes_u8(thispkt, rectype)
  760. || !WPACKET_put_bytes_u16(thispkt, version)
  761. || !WPACKET_start_sub_packet_u16(thispkt)
  762. || (eivlen > 0
  763. && !WPACKET_allocate_bytes(thispkt, eivlen, NULL))
  764. || (maxcomplen > 0
  765. && !WPACKET_reserve_bytes(thispkt, maxcomplen,
  766. &compressdata))) {
  767. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  768. ERR_R_INTERNAL_ERROR);
  769. goto err;
  770. }
  771. /* lets setup the record stuff. */
  772. SSL3_RECORD_set_data(thiswr, compressdata);
  773. SSL3_RECORD_set_length(thiswr, pipelens[j]);
  774. SSL3_RECORD_set_input(thiswr, (unsigned char *)&buf[totlen]);
  775. totlen += pipelens[j];
  776. /*
  777. * we now 'read' from thiswr->input, thiswr->length bytes into
  778. * thiswr->data
  779. */
  780. /* first we compress */
  781. if (s->compress != NULL) {
  782. if (!ssl3_do_compress(s, thiswr)
  783. || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) {
  784. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  785. SSL_R_COMPRESSION_FAILURE);
  786. goto err;
  787. }
  788. } else {
  789. if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) {
  790. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  791. ERR_R_INTERNAL_ERROR);
  792. goto err;
  793. }
  794. SSL3_RECORD_reset_input(&wr[j]);
  795. }
  796. if (SSL_TREAT_AS_TLS13(s) && s->enc_write_ctx != NULL) {
  797. size_t rlen, max_send_fragment;
  798. if (!WPACKET_put_bytes_u8(thispkt, type)) {
  799. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  800. ERR_R_INTERNAL_ERROR);
  801. goto err;
  802. }
  803. SSL3_RECORD_add_length(thiswr, 1);
  804. /* Add TLS1.3 padding */
  805. max_send_fragment = ssl_get_max_send_fragment(s);
  806. rlen = SSL3_RECORD_get_length(thiswr);
  807. if (rlen < max_send_fragment) {
  808. size_t padding = 0;
  809. size_t max_padding = max_send_fragment - rlen;
  810. if (s->record_padding_cb != NULL) {
  811. padding = s->record_padding_cb(s, type, rlen, s->record_padding_arg);
  812. } else if (s->block_padding > 0) {
  813. size_t mask = s->block_padding - 1;
  814. size_t remainder;
  815. /* optimize for power of 2 */
  816. if ((s->block_padding & mask) == 0)
  817. remainder = rlen & mask;
  818. else
  819. remainder = rlen % s->block_padding;
  820. /* don't want to add a block of padding if we don't have to */
  821. if (remainder == 0)
  822. padding = 0;
  823. else
  824. padding = s->block_padding - remainder;
  825. }
  826. if (padding > 0) {
  827. /* do not allow the record to exceed max plaintext length */
  828. if (padding > max_padding)
  829. padding = max_padding;
  830. if (!WPACKET_memset(thispkt, 0, padding)) {
  831. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  832. ERR_R_INTERNAL_ERROR);
  833. goto err;
  834. }
  835. SSL3_RECORD_add_length(thiswr, padding);
  836. }
  837. }
  838. }
  839. /*
  840. * we should still have the output to thiswr->data and the input from
  841. * wr->input. Length should be thiswr->length. thiswr->data still points
  842. * in the wb->buf
  843. */
  844. if (!SSL_WRITE_ETM(s) && mac_size != 0) {
  845. unsigned char *mac;
  846. if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
  847. || !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) {
  848. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  849. ERR_R_INTERNAL_ERROR);
  850. goto err;
  851. }
  852. }
  853. /*
  854. * Reserve some bytes for any growth that may occur during encryption.
  855. * This will be at most one cipher block or the tag length if using
  856. * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case.
  857. */
  858. if (!WPACKET_reserve_bytes(thispkt, SSL_RT_MAX_CIPHER_BLOCK_SIZE,
  859. NULL)
  860. /*
  861. * We also need next the amount of bytes written to this
  862. * sub-packet
  863. */
  864. || !WPACKET_get_length(thispkt, &len)) {
  865. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  866. ERR_R_INTERNAL_ERROR);
  867. goto err;
  868. }
  869. /* Get a pointer to the start of this record excluding header */
  870. recordstart = WPACKET_get_curr(thispkt) - len;
  871. SSL3_RECORD_set_data(thiswr, recordstart);
  872. SSL3_RECORD_reset_input(thiswr);
  873. SSL3_RECORD_set_length(thiswr, len);
  874. }
  875. if (s->early_data_state == SSL_EARLY_DATA_WRITING
  876. || s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {
  877. /*
  878. * We haven't actually negotiated the version yet, but we're trying to
  879. * send early data - so we need to use the tls13enc function.
  880. */
  881. if (tls13_enc(s, wr, numpipes, 1) < 1) {
  882. if (!ossl_statem_in_error(s)) {
  883. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  884. ERR_R_INTERNAL_ERROR);
  885. }
  886. goto err;
  887. }
  888. } else {
  889. if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1) {
  890. if (!ossl_statem_in_error(s)) {
  891. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  892. ERR_R_INTERNAL_ERROR);
  893. }
  894. goto err;
  895. }
  896. }
  897. for (j = 0; j < numpipes; j++) {
  898. size_t origlen;
  899. thispkt = &pkt[j];
  900. thiswr = &wr[j];
  901. /* Allocate bytes for the encryption overhead */
  902. if (!WPACKET_get_length(thispkt, &origlen)
  903. /* Encryption should never shrink the data! */
  904. || origlen > thiswr->length
  905. || (thiswr->length > origlen
  906. && !WPACKET_allocate_bytes(thispkt,
  907. thiswr->length - origlen, NULL))) {
  908. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  909. ERR_R_INTERNAL_ERROR);
  910. goto err;
  911. }
  912. if (SSL_WRITE_ETM(s) && mac_size != 0) {
  913. unsigned char *mac;
  914. if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
  915. || !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) {
  916. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  917. ERR_R_INTERNAL_ERROR);
  918. goto err;
  919. }
  920. SSL3_RECORD_add_length(thiswr, mac_size);
  921. }
  922. if (!WPACKET_get_length(thispkt, &len)
  923. || !WPACKET_close(thispkt)) {
  924. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  925. ERR_R_INTERNAL_ERROR);
  926. goto err;
  927. }
  928. if (s->msg_callback) {
  929. recordstart = WPACKET_get_curr(thispkt) - len
  930. - SSL3_RT_HEADER_LENGTH;
  931. s->msg_callback(1, 0, SSL3_RT_HEADER, recordstart,
  932. SSL3_RT_HEADER_LENGTH, s,
  933. s->msg_callback_arg);
  934. if (SSL_TREAT_AS_TLS13(s) && s->enc_write_ctx != NULL) {
  935. unsigned char ctype = type;
  936. s->msg_callback(1, s->version, SSL3_RT_INNER_CONTENT_TYPE,
  937. &ctype, 1, s, s->msg_callback_arg);
  938. }
  939. }
  940. if (!WPACKET_finish(thispkt)) {
  941. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  942. ERR_R_INTERNAL_ERROR);
  943. goto err;
  944. }
  945. /*
  946. * we should now have thiswr->data pointing to the encrypted data, which
  947. * is thiswr->length long
  948. */
  949. SSL3_RECORD_set_type(thiswr, type); /* not needed but helps for
  950. * debugging */
  951. SSL3_RECORD_add_length(thiswr, SSL3_RT_HEADER_LENGTH);
  952. if (create_empty_fragment) {
  953. /*
  954. * we are in a recursive call; just return the length, don't write
  955. * out anything here
  956. */
  957. if (j > 0) {
  958. /* We should never be pipelining an empty fragment!! */
  959. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
  960. ERR_R_INTERNAL_ERROR);
  961. goto err;
  962. }
  963. *written = SSL3_RECORD_get_length(thiswr);
  964. return 1;
  965. }
  966. /* now let's set up wb */
  967. SSL3_BUFFER_set_left(&s->rlayer.wbuf[j],
  968. prefix_len + SSL3_RECORD_get_length(thiswr));
  969. }
  970. /*
  971. * memorize arguments so that ssl3_write_pending can detect bad write
  972. * retries later
  973. */
  974. s->rlayer.wpend_tot = totlen;
  975. s->rlayer.wpend_buf = buf;
  976. s->rlayer.wpend_type = type;
  977. s->rlayer.wpend_ret = totlen;
  978. /* we now just need to write the buffer */
  979. return ssl3_write_pending(s, type, buf, totlen, written);
  980. err:
  981. for (j = 0; j < wpinited; j++)
  982. WPACKET_cleanup(&pkt[j]);
  983. return -1;
  984. }
  985. /* if s->s3->wbuf.left != 0, we need to call this
  986. *
  987. * Return values are as per SSL_write()
  988. */
  989. int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len,
  990. size_t *written)
  991. {
  992. int i;
  993. SSL3_BUFFER *wb = s->rlayer.wbuf;
  994. size_t currbuf = 0;
  995. size_t tmpwrit = 0;
  996. if ((s->rlayer.wpend_tot > len)
  997. || (!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)
  998. && (s->rlayer.wpend_buf != buf))
  999. || (s->rlayer.wpend_type != type)) {
  1000. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_PENDING,
  1001. SSL_R_BAD_WRITE_RETRY);
  1002. return -1;
  1003. }
  1004. for (;;) {
  1005. /* Loop until we find a buffer we haven't written out yet */
  1006. if (SSL3_BUFFER_get_left(&wb[currbuf]) == 0
  1007. && currbuf < s->rlayer.numwpipes - 1) {
  1008. currbuf++;
  1009. continue;
  1010. }
  1011. clear_sys_error();
  1012. if (s->wbio != NULL) {
  1013. s->rwstate = SSL_WRITING;
  1014. /* TODO(size_t): Convert this call */
  1015. i = BIO_write(s->wbio, (char *)
  1016. &(SSL3_BUFFER_get_buf(&wb[currbuf])
  1017. [SSL3_BUFFER_get_offset(&wb[currbuf])]),
  1018. (unsigned int)SSL3_BUFFER_get_left(&wb[currbuf]));
  1019. if (i >= 0)
  1020. tmpwrit = i;
  1021. } else {
  1022. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_PENDING,
  1023. SSL_R_BIO_NOT_SET);
  1024. i = -1;
  1025. }
  1026. if (i > 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) {
  1027. SSL3_BUFFER_set_left(&wb[currbuf], 0);
  1028. SSL3_BUFFER_add_offset(&wb[currbuf], tmpwrit);
  1029. if (currbuf + 1 < s->rlayer.numwpipes)
  1030. continue;
  1031. s->rwstate = SSL_NOTHING;
  1032. *written = s->rlayer.wpend_ret;
  1033. return 1;
  1034. } else if (i <= 0) {
  1035. if (SSL_IS_DTLS(s)) {
  1036. /*
  1037. * For DTLS, just drop it. That's kind of the whole point in
  1038. * using a datagram service
  1039. */
  1040. SSL3_BUFFER_set_left(&wb[currbuf], 0);
  1041. }
  1042. return i;
  1043. }
  1044. SSL3_BUFFER_add_offset(&wb[currbuf], tmpwrit);
  1045. SSL3_BUFFER_sub_left(&wb[currbuf], tmpwrit);
  1046. }
  1047. }
  1048. /*-
  1049. * Return up to 'len' payload bytes received in 'type' records.
  1050. * 'type' is one of the following:
  1051. *
  1052. * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
  1053. * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
  1054. * - 0 (during a shutdown, no data has to be returned)
  1055. *
  1056. * If we don't have stored data to work from, read a SSL/TLS record first
  1057. * (possibly multiple records if we still don't have anything to return).
  1058. *
  1059. * This function must handle any surprises the peer may have for us, such as
  1060. * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec
  1061. * messages are treated as if they were handshake messages *if* the |recd_type|
  1062. * argument is non NULL.
  1063. * Also if record payloads contain fragments too small to process, we store
  1064. * them until there is enough for the respective protocol (the record protocol
  1065. * may use arbitrary fragmentation and even interleaving):
  1066. * Change cipher spec protocol
  1067. * just 1 byte needed, no need for keeping anything stored
  1068. * Alert protocol
  1069. * 2 bytes needed (AlertLevel, AlertDescription)
  1070. * Handshake protocol
  1071. * 4 bytes needed (HandshakeType, uint24 length) -- we just have
  1072. * to detect unexpected Client Hello and Hello Request messages
  1073. * here, anything else is handled by higher layers
  1074. * Application data protocol
  1075. * none of our business
  1076. */
  1077. int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
  1078. size_t len, int peek, size_t *readbytes)
  1079. {
  1080. int i, j, ret;
  1081. size_t n, curr_rec, num_recs, totalbytes;
  1082. SSL3_RECORD *rr;
  1083. SSL3_BUFFER *rbuf;
  1084. void (*cb) (const SSL *ssl, int type2, int val) = NULL;
  1085. rbuf = &s->rlayer.rbuf;
  1086. if (!SSL3_BUFFER_is_initialised(rbuf)) {
  1087. /* Not initialized yet */
  1088. if (!ssl3_setup_read_buffer(s)) {
  1089. /* SSLfatal() already called */
  1090. return -1;
  1091. }
  1092. }
  1093. if ((type && (type != SSL3_RT_APPLICATION_DATA)
  1094. && (type != SSL3_RT_HANDSHAKE)) || (peek
  1095. && (type !=
  1096. SSL3_RT_APPLICATION_DATA))) {
  1097. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES,
  1098. ERR_R_INTERNAL_ERROR);
  1099. return -1;
  1100. }
  1101. if ((type == SSL3_RT_HANDSHAKE) && (s->rlayer.handshake_fragment_len > 0))
  1102. /* (partially) satisfy request from storage */
  1103. {
  1104. unsigned char *src = s->rlayer.handshake_fragment;
  1105. unsigned char *dst = buf;
  1106. unsigned int k;
  1107. /* peek == 0 */
  1108. n = 0;
  1109. while ((len > 0) && (s->rlayer.handshake_fragment_len > 0)) {
  1110. *dst++ = *src++;
  1111. len--;
  1112. s->rlayer.handshake_fragment_len--;
  1113. n++;
  1114. }
  1115. /* move any remaining fragment bytes: */
  1116. for (k = 0; k < s->rlayer.handshake_fragment_len; k++)
  1117. s->rlayer.handshake_fragment[k] = *src++;
  1118. if (recvd_type != NULL)
  1119. *recvd_type = SSL3_RT_HANDSHAKE;
  1120. *readbytes = n;
  1121. return 1;
  1122. }
  1123. /*
  1124. * Now s->rlayer.handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE.
  1125. */
  1126. if (!ossl_statem_get_in_handshake(s) && SSL_in_init(s)) {
  1127. /* type == SSL3_RT_APPLICATION_DATA */
  1128. i = s->handshake_func(s);
  1129. /* SSLfatal() already called */
  1130. if (i < 0)
  1131. return i;
  1132. if (i == 0)
  1133. return -1;
  1134. }
  1135. start:
  1136. s->rwstate = SSL_NOTHING;
  1137. /*-
  1138. * For each record 'i' up to |num_recs]
  1139. * rr[i].type - is the type of record
  1140. * rr[i].data, - data
  1141. * rr[i].off, - offset into 'data' for next read
  1142. * rr[i].length, - number of bytes.
  1143. */
  1144. rr = s->rlayer.rrec;
  1145. num_recs = RECORD_LAYER_get_numrpipes(&s->rlayer);
  1146. do {
  1147. /* get new records if necessary */
  1148. if (num_recs == 0) {
  1149. ret = ssl3_get_record(s);
  1150. if (ret <= 0) {
  1151. /* SSLfatal() already called if appropriate */
  1152. return ret;
  1153. }
  1154. num_recs = RECORD_LAYER_get_numrpipes(&s->rlayer);
  1155. if (num_recs == 0) {
  1156. /* Shouldn't happen */
  1157. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES,
  1158. ERR_R_INTERNAL_ERROR);
  1159. return -1;
  1160. }
  1161. }
  1162. /* Skip over any records we have already read */
  1163. for (curr_rec = 0;
  1164. curr_rec < num_recs && SSL3_RECORD_is_read(&rr[curr_rec]);
  1165. curr_rec++) ;
  1166. if (curr_rec == num_recs) {
  1167. RECORD_LAYER_set_numrpipes(&s->rlayer, 0);
  1168. num_recs = 0;
  1169. curr_rec = 0;
  1170. }
  1171. } while (num_recs == 0);
  1172. rr = &rr[curr_rec];
  1173. /*
  1174. * Reset the count of consecutive warning alerts if we've got a non-empty
  1175. * record that isn't an alert.
  1176. */
  1177. if (SSL3_RECORD_get_type(rr) != SSL3_RT_ALERT
  1178. && SSL3_RECORD_get_length(rr) != 0)
  1179. s->rlayer.alert_count = 0;
  1180. /* we now have a packet which can be read and processed */
  1181. if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
  1182. * reset by ssl3_get_finished */
  1183. && (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE)) {
  1184. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
  1185. SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
  1186. return -1;
  1187. }
  1188. /*
  1189. * If the other end has shut down, throw anything we read away (even in
  1190. * 'peek' mode)
  1191. */
  1192. if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
  1193. SSL3_RECORD_set_length(rr, 0);
  1194. s->rwstate = SSL_NOTHING;
  1195. return 0;
  1196. }
  1197. if (type == SSL3_RECORD_get_type(rr)
  1198. || (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
  1199. && type == SSL3_RT_HANDSHAKE && recvd_type != NULL
  1200. && !SSL_IS_TLS13(s))) {
  1201. /*
  1202. * SSL3_RT_APPLICATION_DATA or
  1203. * SSL3_RT_HANDSHAKE or
  1204. * SSL3_RT_CHANGE_CIPHER_SPEC
  1205. */
  1206. /*
  1207. * make sure that we are not getting application data when we are
  1208. * doing a handshake for the first time
  1209. */
  1210. if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
  1211. (s->enc_read_ctx == NULL)) {
  1212. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
  1213. SSL_R_APP_DATA_IN_HANDSHAKE);
  1214. return -1;
  1215. }
  1216. if (type == SSL3_RT_HANDSHAKE
  1217. && SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
  1218. && s->rlayer.handshake_fragment_len > 0) {
  1219. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
  1220. SSL_R_CCS_RECEIVED_EARLY);
  1221. return -1;
  1222. }
  1223. if (recvd_type != NULL)
  1224. *recvd_type = SSL3_RECORD_get_type(rr);
  1225. if (len == 0) {
  1226. /*
  1227. * Mark a zero length record as read. This ensures multiple calls to
  1228. * SSL_read() with a zero length buffer will eventually cause
  1229. * SSL_pending() to report data as being available.
  1230. */
  1231. if (SSL3_RECORD_get_length(rr) == 0)
  1232. SSL3_RECORD_set_read(rr);
  1233. return 0;
  1234. }
  1235. totalbytes = 0;
  1236. do {
  1237. if (len - totalbytes > SSL3_RECORD_get_length(rr))
  1238. n = SSL3_RECORD_get_length(rr);
  1239. else
  1240. n = len - totalbytes;
  1241. memcpy(buf, &(rr->data[rr->off]), n);
  1242. buf += n;
  1243. if (peek) {
  1244. /* Mark any zero length record as consumed CVE-2016-6305 */
  1245. if (SSL3_RECORD_get_length(rr) == 0)
  1246. SSL3_RECORD_set_read(rr);
  1247. } else {
  1248. SSL3_RECORD_sub_length(rr, n);
  1249. SSL3_RECORD_add_off(rr, n);
  1250. if (SSL3_RECORD_get_length(rr) == 0) {
  1251. s->rlayer.rstate = SSL_ST_READ_HEADER;
  1252. SSL3_RECORD_set_off(rr, 0);
  1253. SSL3_RECORD_set_read(rr);
  1254. }
  1255. }
  1256. if (SSL3_RECORD_get_length(rr) == 0
  1257. || (peek && n == SSL3_RECORD_get_length(rr))) {
  1258. curr_rec++;
  1259. rr++;
  1260. }
  1261. totalbytes += n;
  1262. } while (type == SSL3_RT_APPLICATION_DATA && curr_rec < num_recs
  1263. && totalbytes < len);
  1264. if (totalbytes == 0) {
  1265. /* We must have read empty records. Get more data */
  1266. goto start;
  1267. }
  1268. if (!peek && curr_rec == num_recs
  1269. && (s->mode & SSL_MODE_RELEASE_BUFFERS)
  1270. && SSL3_BUFFER_get_left(rbuf) == 0)
  1271. ssl3_release_read_buffer(s);
  1272. *readbytes = totalbytes;
  1273. return 1;
  1274. }
  1275. /*
  1276. * If we get here, then type != rr->type; if we have a handshake message,
  1277. * then it was unexpected (Hello Request or Client Hello) or invalid (we
  1278. * were actually expecting a CCS).
  1279. */
  1280. /*
  1281. * Lets just double check that we've not got an SSLv2 record
  1282. */
  1283. if (rr->rec_version == SSL2_VERSION) {
  1284. /*
  1285. * Should never happen. ssl3_get_record() should only give us an SSLv2
  1286. * record back if this is the first packet and we are looking for an
  1287. * initial ClientHello. Therefore |type| should always be equal to
  1288. * |rr->type|. If not then something has gone horribly wrong
  1289. */
  1290. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES,
  1291. ERR_R_INTERNAL_ERROR);
  1292. return -1;
  1293. }
  1294. if (s->method->version == TLS_ANY_VERSION
  1295. && (s->server || rr->type != SSL3_RT_ALERT)) {
  1296. /*
  1297. * If we've got this far and still haven't decided on what version
  1298. * we're using then this must be a client side alert we're dealing with
  1299. * (we don't allow heartbeats yet). We shouldn't be receiving anything
  1300. * other than a ClientHello if we are a server.
  1301. */
  1302. s->version = rr->rec_version;
  1303. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
  1304. SSL_R_UNEXPECTED_MESSAGE);
  1305. return -1;
  1306. }
  1307. /*
  1308. * In case of record types for which we have 'fragment' storage, fill
  1309. * that so that we can process the data at a fixed place.
  1310. */
  1311. {
  1312. size_t dest_maxlen = 0;
  1313. unsigned char *dest = NULL;
  1314. size_t *dest_len = NULL;
  1315. if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {
  1316. dest_maxlen = sizeof(s->rlayer.handshake_fragment);
  1317. dest = s->rlayer.handshake_fragment;
  1318. dest_len = &s->rlayer.handshake_fragment_len;
  1319. }
  1320. if (dest_maxlen > 0) {
  1321. n = dest_maxlen - *dest_len; /* available space in 'dest' */
  1322. if (SSL3_RECORD_get_length(rr) < n)
  1323. n = SSL3_RECORD_get_length(rr); /* available bytes */
  1324. /* now move 'n' bytes: */
  1325. memcpy(dest + *dest_len,
  1326. SSL3_RECORD_get_data(rr) + SSL3_RECORD_get_off(rr), n);
  1327. SSL3_RECORD_add_off(rr, n);
  1328. SSL3_RECORD_sub_length(rr, n);
  1329. *dest_len += n;
  1330. if (SSL3_RECORD_get_length(rr) == 0)
  1331. SSL3_RECORD_set_read(rr);
  1332. if (*dest_len < dest_maxlen)
  1333. goto start; /* fragment was too small */
  1334. }
  1335. }
  1336. /*-
  1337. * s->rlayer.handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
  1338. * (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
  1339. */
  1340. if (SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) {
  1341. unsigned int alert_level, alert_descr;
  1342. unsigned char *alert_bytes = SSL3_RECORD_get_data(rr)
  1343. + SSL3_RECORD_get_off(rr);
  1344. PACKET alert;
  1345. if (!PACKET_buf_init(&alert, alert_bytes, SSL3_RECORD_get_length(rr))
  1346. || !PACKET_get_1(&alert, &alert_level)
  1347. || !PACKET_get_1(&alert, &alert_descr)
  1348. || PACKET_remaining(&alert) != 0) {
  1349. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
  1350. SSL_R_INVALID_ALERT);
  1351. return -1;
  1352. }
  1353. if (s->msg_callback)
  1354. s->msg_callback(0, s->version, SSL3_RT_ALERT, alert_bytes, 2, s,
  1355. s->msg_callback_arg);
  1356. if (s->info_callback != NULL)
  1357. cb = s->info_callback;
  1358. else if (s->ctx->info_callback != NULL)
  1359. cb = s->ctx->info_callback;
  1360. if (cb != NULL) {
  1361. j = (alert_level << 8) | alert_descr;
  1362. cb(s, SSL_CB_READ_ALERT, j);
  1363. }
  1364. if (alert_level == SSL3_AL_WARNING) {
  1365. s->s3->warn_alert = alert_descr;
  1366. SSL3_RECORD_set_read(rr);
  1367. s->rlayer.alert_count++;
  1368. if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {
  1369. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
  1370. SSL_R_TOO_MANY_WARN_ALERTS);
  1371. return -1;
  1372. }
  1373. if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
  1374. s->shutdown |= SSL_RECEIVED_SHUTDOWN;
  1375. return 0;
  1376. }
  1377. /*
  1378. * Apart from close_notify the only other warning alert in TLSv1.3
  1379. * is user_cancelled - which we just ignore.
  1380. */
  1381. if (SSL_IS_TLS13(s) && alert_descr != SSL_AD_USER_CANCELLED) {
  1382. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_READ_BYTES,
  1383. SSL_R_UNKNOWN_ALERT_TYPE);
  1384. return -1;
  1385. }
  1386. /*
  1387. * This is a warning but we receive it if we requested
  1388. * renegotiation and the peer denied it. Terminate with a fatal
  1389. * alert because if application tried to renegotiate it
  1390. * presumably had a good reason and expects it to succeed. In
  1391. * future we might have a renegotiation where we don't care if
  1392. * the peer refused it where we carry on.
  1393. */
  1394. if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
  1395. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL3_READ_BYTES,
  1396. SSL_R_NO_RENEGOTIATION);
  1397. return -1;
  1398. }
  1399. } else if (alert_level == SSL3_AL_FATAL) {
  1400. char tmp[16];
  1401. s->rwstate = SSL_NOTHING;
  1402. s->s3->fatal_alert = alert_descr;
  1403. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_READ_BYTES,
  1404. SSL_AD_REASON_OFFSET + alert_descr);
  1405. BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);
  1406. ERR_add_error_data(2, "SSL alert number ", tmp);
  1407. s->shutdown |= SSL_RECEIVED_SHUTDOWN;
  1408. SSL3_RECORD_set_read(rr);
  1409. SSL_CTX_remove_session(s->session_ctx, s->session);
  1410. return 0;
  1411. } else {
  1412. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_READ_BYTES,
  1413. SSL_R_UNKNOWN_ALERT_TYPE);
  1414. return -1;
  1415. }
  1416. goto start;
  1417. }
  1418. if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a
  1419. * shutdown */
  1420. s->rwstate = SSL_NOTHING;
  1421. SSL3_RECORD_set_length(rr, 0);
  1422. SSL3_RECORD_set_read(rr);
  1423. return 0;
  1424. }
  1425. if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) {
  1426. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
  1427. SSL_R_CCS_RECEIVED_EARLY);
  1428. return -1;
  1429. }
  1430. /*
  1431. * Unexpected handshake message (ClientHello, NewSessionTicket (TLS1.3) or
  1432. * protocol violation)
  1433. */
  1434. if ((s->rlayer.handshake_fragment_len >= 4)
  1435. && !ossl_statem_get_in_handshake(s)) {
  1436. int ined = (s->early_data_state == SSL_EARLY_DATA_READING);
  1437. /* We found handshake data, so we're going back into init */
  1438. ossl_statem_set_in_init(s, 1);
  1439. i = s->handshake_func(s);
  1440. /* SSLfatal() already called if appropriate */
  1441. if (i < 0)
  1442. return i;
  1443. if (i == 0) {
  1444. return -1;
  1445. }
  1446. /*
  1447. * If we were actually trying to read early data and we found a
  1448. * handshake message, then we don't want to continue to try and read
  1449. * the application data any more. It won't be "early" now.
  1450. */
  1451. if (ined)
  1452. return -1;
  1453. if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
  1454. if (SSL3_BUFFER_get_left(rbuf) == 0) {
  1455. /* no read-ahead left? */
  1456. BIO *bio;
  1457. /*
  1458. * In the case where we try to read application data, but we
  1459. * trigger an SSL handshake, we return -1 with the retry
  1460. * option set. Otherwise renegotiation may cause nasty
  1461. * problems in the blocking world
  1462. */
  1463. s->rwstate = SSL_READING;
  1464. bio = SSL_get_rbio(s);
  1465. BIO_clear_retry_flags(bio);
  1466. BIO_set_retry_read(bio);
  1467. return -1;
  1468. }
  1469. }
  1470. goto start;
  1471. }
  1472. switch (SSL3_RECORD_get_type(rr)) {
  1473. default:
  1474. /*
  1475. * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but
  1476. * TLS 1.2 says you MUST send an unexpected message alert. We use the
  1477. * TLS 1.2 behaviour for all protocol versions to prevent issues where
  1478. * no progress is being made and the peer continually sends unrecognised
  1479. * record types, using up resources processing them.
  1480. */
  1481. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
  1482. SSL_R_UNEXPECTED_RECORD);
  1483. return -1;
  1484. case SSL3_RT_CHANGE_CIPHER_SPEC:
  1485. case SSL3_RT_ALERT:
  1486. case SSL3_RT_HANDSHAKE:
  1487. /*
  1488. * we already handled all of these, with the possible exception of
  1489. * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but
  1490. * that should not happen when type != rr->type
  1491. */
  1492. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
  1493. ERR_R_INTERNAL_ERROR);
  1494. return -1;
  1495. case SSL3_RT_APPLICATION_DATA:
  1496. /*
  1497. * At this point, we were expecting handshake data, but have
  1498. * application data. If the library was running inside ssl3_read()
  1499. * (i.e. in_read_app_data is set) and it makes sense to read
  1500. * application data at this point (session renegotiation not yet
  1501. * started), we will indulge it.
  1502. */
  1503. if (ossl_statem_app_data_allowed(s)) {
  1504. s->s3->in_read_app_data = 2;
  1505. return -1;
  1506. } else if (ossl_statem_skip_early_data(s)) {
  1507. /*
  1508. * This can happen after a client sends a CH followed by early_data,
  1509. * but the server responds with a HelloRetryRequest. The server
  1510. * reads the next record from the client expecting to find a
  1511. * plaintext ClientHello but gets a record which appears to be
  1512. * application data. The trial decrypt "works" because null
  1513. * decryption was applied. We just skip it and move on to the next
  1514. * record.
  1515. */
  1516. if (!early_data_count_ok(s, rr->length,
  1517. EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) {
  1518. /* SSLfatal() already called */
  1519. return -1;
  1520. }
  1521. SSL3_RECORD_set_read(rr);
  1522. goto start;
  1523. } else {
  1524. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
  1525. SSL_R_UNEXPECTED_RECORD);
  1526. return -1;
  1527. }
  1528. }
  1529. }
  1530. void ssl3_record_sequence_update(unsigned char *seq)
  1531. {
  1532. int i;
  1533. for (i = 7; i >= 0; i--) {
  1534. ++seq[i];
  1535. if (seq[i] != 0)
  1536. break;
  1537. }
  1538. }
  1539. /*
  1540. * Returns true if the current rrec was sent in SSLv2 backwards compatible
  1541. * format and false otherwise.
  1542. */
  1543. int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl)
  1544. {
  1545. return SSL3_RECORD_is_sslv2_record(&rl->rrec[0]);
  1546. }
  1547. /*
  1548. * Returns the length in bytes of the current rrec
  1549. */
  1550. size_t RECORD_LAYER_get_rrec_length(RECORD_LAYER *rl)
  1551. {
  1552. return SSL3_RECORD_get_length(&rl->rrec[0]);
  1553. }