s3_pkt.c 41 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482
  1. /* ssl/s3_pkt.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #include <stdio.h>
  112. #include <errno.h>
  113. #define USE_SOCKETS
  114. #include "ssl_locl.h"
  115. #include <openssl/evp.h>
  116. #include <openssl/buffer.h>
  117. #include <openssl/rand.h>
  118. static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
  119. unsigned int len, int create_empty_fragment);
  120. static int ssl3_get_record(SSL *s);
  121. int ssl3_read_n(SSL *s, int n, int max, int extend)
  122. {
  123. /* If extend == 0, obtain new n-byte packet; if extend == 1, increase
  124. * packet by another n bytes.
  125. * The packet will be in the sub-array of s->s3->rbuf.buf specified
  126. * by s->packet and s->packet_length.
  127. * (If s->read_ahead is set, 'max' bytes may be stored in rbuf
  128. * [plus s->packet_length bytes if extend == 1].)
  129. */
  130. int i,len,left;
  131. long align=0;
  132. unsigned char *pkt;
  133. SSL3_BUFFER *rb;
  134. if (n <= 0) return n;
  135. rb = &(s->s3->rbuf);
  136. if (rb->buf == NULL)
  137. if (!ssl3_setup_read_buffer(s))
  138. return -1;
  139. left = rb->left;
  140. #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
  141. align = (long)rb->buf + SSL3_RT_HEADER_LENGTH;
  142. align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
  143. #endif
  144. if (!extend)
  145. {
  146. /* start with empty packet ... */
  147. if (left == 0)
  148. rb->offset = align;
  149. else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH)
  150. {
  151. /* check if next packet length is large
  152. * enough to justify payload alignment... */
  153. pkt = rb->buf + rb->offset;
  154. if (pkt[0] == SSL3_RT_APPLICATION_DATA
  155. && (pkt[3]<<8|pkt[4]) >= 128)
  156. {
  157. /* Note that even if packet is corrupted
  158. * and its length field is insane, we can
  159. * only be led to wrong decision about
  160. * whether memmove will occur or not.
  161. * Header values has no effect on memmove
  162. * arguments and therefore no buffer
  163. * overrun can be triggered. */
  164. memmove (rb->buf+align,pkt,left);
  165. rb->offset = align;
  166. }
  167. }
  168. s->packet = rb->buf + rb->offset;
  169. s->packet_length = 0;
  170. /* ... now we can act as if 'extend' was set */
  171. }
  172. /* For DTLS/UDP reads should not span multiple packets
  173. * because the read operation returns the whole packet
  174. * at once (as long as it fits into the buffer). */
  175. if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
  176. {
  177. if (left > 0 && n > left)
  178. n = left;
  179. }
  180. /* if there is enough in the buffer from a previous read, take some */
  181. if (left >= n)
  182. {
  183. s->packet_length+=n;
  184. rb->left=left-n;
  185. rb->offset+=n;
  186. return(n);
  187. }
  188. /* else we need to read more data */
  189. len = s->packet_length;
  190. pkt = rb->buf+align;
  191. /* Move any available bytes to front of buffer:
  192. * 'len' bytes already pointed to by 'packet',
  193. * 'left' extra ones at the end */
  194. if (s->packet != pkt) /* len > 0 */
  195. {
  196. memmove(pkt, s->packet, len+left);
  197. s->packet = pkt;
  198. rb->offset = len + align;
  199. }
  200. if (n > (int)(rb->len - rb->offset)) /* does not happen */
  201. {
  202. SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
  203. return -1;
  204. }
  205. if (!s->read_ahead)
  206. /* ignore max parameter */
  207. max = n;
  208. else
  209. {
  210. if (max < n)
  211. max = n;
  212. if (max > (int)(rb->len - rb->offset))
  213. max = rb->len - rb->offset;
  214. }
  215. while (left < n)
  216. {
  217. /* Now we have len+left bytes at the front of s->s3->rbuf.buf
  218. * and need to read in more until we have len+n (up to
  219. * len+max if possible) */
  220. clear_sys_error();
  221. if (s->rbio != NULL)
  222. {
  223. s->rwstate=SSL_READING;
  224. i=BIO_read(s->rbio,pkt+len+left, max-left);
  225. }
  226. else
  227. {
  228. SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
  229. i = -1;
  230. }
  231. if (i <= 0)
  232. {
  233. rb->left = left;
  234. if (s->mode & SSL_MODE_RELEASE_BUFFERS)
  235. if (len+left == 0)
  236. ssl3_release_read_buffer(s);
  237. return(i);
  238. }
  239. left+=i;
  240. /* reads should *never* span multiple packets for DTLS because
  241. * the underlying transport protocol is message oriented as opposed
  242. * to byte oriented as in the TLS case. */
  243. if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
  244. {
  245. if (n > left)
  246. n = left; /* makes the while condition false */
  247. }
  248. }
  249. /* done reading, now the book-keeping */
  250. rb->offset += n;
  251. rb->left = left - n;
  252. s->packet_length += n;
  253. s->rwstate=SSL_NOTHING;
  254. return(n);
  255. }
  256. /* Call this to get a new input record.
  257. * It will return <= 0 if more data is needed, normally due to an error
  258. * or non-blocking IO.
  259. * When it finishes, one packet has been decoded and can be found in
  260. * ssl->s3->rrec.type - is the type of record
  261. * ssl->s3->rrec.data, - data
  262. * ssl->s3->rrec.length, - number of bytes
  263. */
  264. /* used only by ssl3_read_bytes */
  265. static int ssl3_get_record(SSL *s)
  266. {
  267. int ssl_major,ssl_minor,al;
  268. int enc_err,n,i,ret= -1;
  269. SSL3_RECORD *rr;
  270. SSL_SESSION *sess;
  271. unsigned char *p;
  272. unsigned char md[EVP_MAX_MD_SIZE];
  273. short version;
  274. int mac_size;
  275. int clear=0;
  276. size_t extra;
  277. int decryption_failed_or_bad_record_mac = 0;
  278. unsigned char *mac = NULL;
  279. rr= &(s->s3->rrec);
  280. sess=s->session;
  281. if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
  282. extra=SSL3_RT_MAX_EXTRA;
  283. else
  284. extra=0;
  285. if (extra && !s->s3->init_extra)
  286. {
  287. /* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
  288. * set after ssl3_setup_buffers() was done */
  289. SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
  290. return -1;
  291. }
  292. again:
  293. /* check if we have the header */
  294. if ( (s->rstate != SSL_ST_READ_BODY) ||
  295. (s->packet_length < SSL3_RT_HEADER_LENGTH))
  296. {
  297. n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
  298. if (n <= 0) return(n); /* error or non-blocking */
  299. s->rstate=SSL_ST_READ_BODY;
  300. p=s->packet;
  301. /* Pull apart the header into the SSL3_RECORD */
  302. rr->type= *(p++);
  303. ssl_major= *(p++);
  304. ssl_minor= *(p++);
  305. version=(ssl_major<<8)|ssl_minor;
  306. n2s(p,rr->length);
  307. #if 0
  308. fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
  309. #endif
  310. /* Lets check version */
  311. if (!s->first_packet)
  312. {
  313. if (version != s->version)
  314. {
  315. SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
  316. if ((s->version & 0xFF00) == (version & 0xFF00))
  317. /* Send back error using their minor version number :-) */
  318. s->version = (unsigned short)version;
  319. al=SSL_AD_PROTOCOL_VERSION;
  320. goto f_err;
  321. }
  322. }
  323. if ((version>>8) != SSL3_VERSION_MAJOR)
  324. {
  325. SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
  326. goto err;
  327. }
  328. if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH)
  329. {
  330. al=SSL_AD_RECORD_OVERFLOW;
  331. SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
  332. goto f_err;
  333. }
  334. /* now s->rstate == SSL_ST_READ_BODY */
  335. }
  336. /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
  337. if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH)
  338. {
  339. /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
  340. i=rr->length;
  341. n=ssl3_read_n(s,i,i,1);
  342. if (n <= 0) return(n); /* error or non-blocking io */
  343. /* now n == rr->length,
  344. * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
  345. }
  346. s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
  347. /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
  348. * and we have that many bytes in s->packet
  349. */
  350. rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
  351. /* ok, we can now read from 's->packet' data into 'rr'
  352. * rr->input points at rr->length bytes, which
  353. * need to be copied into rr->data by either
  354. * the decryption or by the decompression
  355. * When the data is 'copied' into the rr->data buffer,
  356. * rr->input will be pointed at the new buffer */
  357. /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
  358. * rr->length bytes of encrypted compressed stuff. */
  359. /* check is not needed I believe */
  360. if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
  361. {
  362. al=SSL_AD_RECORD_OVERFLOW;
  363. SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
  364. goto f_err;
  365. }
  366. /* decrypt in place in 'rr->input' */
  367. rr->data=rr->input;
  368. enc_err = s->method->ssl3_enc->enc(s,0);
  369. if (enc_err <= 0)
  370. {
  371. if (enc_err == 0)
  372. /* SSLerr() and ssl3_send_alert() have been called */
  373. goto err;
  374. /* Otherwise enc_err == -1, which indicates bad padding
  375. * (rec->length has not been changed in this case).
  376. * To minimize information leaked via timing, we will perform
  377. * the MAC computation anyway. */
  378. decryption_failed_or_bad_record_mac = 1;
  379. }
  380. #ifdef TLS_DEBUG
  381. printf("dec %d\n",rr->length);
  382. { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
  383. printf("\n");
  384. #endif
  385. /* r->length is now the compressed data plus mac */
  386. if ( (sess == NULL) ||
  387. (s->enc_read_ctx == NULL) ||
  388. (EVP_MD_CTX_md(s->read_hash) == NULL))
  389. clear=1;
  390. if (!clear)
  391. {
  392. /* !clear => s->read_hash != NULL => mac_size != -1 */
  393. mac_size=EVP_MD_CTX_size(s->read_hash);
  394. OPENSSL_assert(mac_size >= 0);
  395. if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
  396. {
  397. #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
  398. al=SSL_AD_RECORD_OVERFLOW;
  399. SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
  400. goto f_err;
  401. #else
  402. decryption_failed_or_bad_record_mac = 1;
  403. #endif
  404. }
  405. /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
  406. if (rr->length >= (unsigned int)mac_size)
  407. {
  408. rr->length -= mac_size;
  409. mac = &rr->data[rr->length];
  410. }
  411. else
  412. {
  413. /* record (minus padding) is too short to contain a MAC */
  414. #if 0 /* OK only for stream ciphers */
  415. al=SSL_AD_DECODE_ERROR;
  416. SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
  417. goto f_err;
  418. #else
  419. decryption_failed_or_bad_record_mac = 1;
  420. rr->length = 0;
  421. #endif
  422. }
  423. i=s->method->ssl3_enc->mac(s,md,0);
  424. if (i < 0 || mac == NULL || memcmp(md, mac, (size_t)mac_size) != 0)
  425. {
  426. decryption_failed_or_bad_record_mac = 1;
  427. }
  428. }
  429. if (decryption_failed_or_bad_record_mac)
  430. {
  431. /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
  432. * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
  433. * failure is directly visible from the ciphertext anyway,
  434. * we should not reveal which kind of error occured -- this
  435. * might become visible to an attacker (e.g. via a logfile) */
  436. al=SSL_AD_BAD_RECORD_MAC;
  437. SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
  438. goto f_err;
  439. }
  440. /* r->length is now just compressed */
  441. if (s->expand != NULL)
  442. {
  443. if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
  444. {
  445. al=SSL_AD_RECORD_OVERFLOW;
  446. SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
  447. goto f_err;
  448. }
  449. if (!ssl3_do_uncompress(s))
  450. {
  451. al=SSL_AD_DECOMPRESSION_FAILURE;
  452. SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
  453. goto f_err;
  454. }
  455. }
  456. if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra)
  457. {
  458. al=SSL_AD_RECORD_OVERFLOW;
  459. SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
  460. goto f_err;
  461. }
  462. rr->off=0;
  463. /* So at this point the following is true
  464. * ssl->s3->rrec.type is the type of record
  465. * ssl->s3->rrec.length == number of bytes in record
  466. * ssl->s3->rrec.off == offset to first valid byte
  467. * ssl->s3->rrec.data == where to take bytes from, increment
  468. * after use :-).
  469. */
  470. /* we have pulled in a full packet so zero things */
  471. s->packet_length=0;
  472. /* just read a 0 length packet */
  473. if (rr->length == 0) goto again;
  474. #if 0
  475. fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length);
  476. #endif
  477. return(1);
  478. f_err:
  479. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  480. err:
  481. return(ret);
  482. }
  483. int ssl3_do_uncompress(SSL *ssl)
  484. {
  485. #ifndef OPENSSL_NO_COMP
  486. int i;
  487. SSL3_RECORD *rr;
  488. rr= &(ssl->s3->rrec);
  489. i=COMP_expand_block(ssl->expand,rr->comp,
  490. SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
  491. if (i < 0)
  492. return(0);
  493. else
  494. rr->length=i;
  495. rr->data=rr->comp;
  496. #endif
  497. return(1);
  498. }
  499. int ssl3_do_compress(SSL *ssl)
  500. {
  501. #ifndef OPENSSL_NO_COMP
  502. int i;
  503. SSL3_RECORD *wr;
  504. wr= &(ssl->s3->wrec);
  505. i=COMP_compress_block(ssl->compress,wr->data,
  506. SSL3_RT_MAX_COMPRESSED_LENGTH,
  507. wr->input,(int)wr->length);
  508. if (i < 0)
  509. return(0);
  510. else
  511. wr->length=i;
  512. wr->input=wr->data;
  513. #endif
  514. return(1);
  515. }
  516. /* Call this to write data in records of type 'type'
  517. * It will return <= 0 if not all data has been sent or non-blocking IO.
  518. */
  519. int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
  520. {
  521. const unsigned char *buf=buf_;
  522. unsigned int tot,n,nw;
  523. int i;
  524. s->rwstate=SSL_NOTHING;
  525. tot=s->s3->wnum;
  526. s->s3->wnum=0;
  527. if (SSL_in_init(s) && !s->in_handshake)
  528. {
  529. i=s->handshake_func(s);
  530. if (i < 0) return(i);
  531. if (i == 0)
  532. {
  533. SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
  534. return -1;
  535. }
  536. }
  537. n=(len-tot);
  538. for (;;)
  539. {
  540. if (n > s->max_send_fragment)
  541. nw=s->max_send_fragment;
  542. else
  543. nw=n;
  544. i=do_ssl3_write(s, type, &(buf[tot]), nw, 0);
  545. if (i <= 0)
  546. {
  547. s->s3->wnum=tot;
  548. return i;
  549. }
  550. if ((i == (int)n) ||
  551. (type == SSL3_RT_APPLICATION_DATA &&
  552. (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
  553. {
  554. /* next chunk of data should get another prepended empty fragment
  555. * in ciphersuites with known-IV weakness: */
  556. s->s3->empty_fragment_done = 0;
  557. return tot+i;
  558. }
  559. n-=i;
  560. tot+=i;
  561. }
  562. }
  563. static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
  564. unsigned int len, int create_empty_fragment)
  565. {
  566. unsigned char *p,*plen;
  567. int i,mac_size,clear=0;
  568. int prefix_len=0;
  569. int eivlen;
  570. long align=0;
  571. SSL3_RECORD *wr;
  572. SSL3_BUFFER *wb=&(s->s3->wbuf);
  573. SSL_SESSION *sess;
  574. if (wb->buf == NULL)
  575. if (!ssl3_setup_write_buffer(s))
  576. return -1;
  577. /* first check if there is a SSL3_BUFFER still being written
  578. * out. This will happen with non blocking IO */
  579. if (wb->left != 0)
  580. return(ssl3_write_pending(s,type,buf,len));
  581. /* If we have an alert to send, lets send it */
  582. if (s->s3->alert_dispatch)
  583. {
  584. i=s->method->ssl_dispatch_alert(s);
  585. if (i <= 0)
  586. return(i);
  587. /* if it went, fall through and send more stuff */
  588. }
  589. if (len == 0 && !create_empty_fragment)
  590. return 0;
  591. wr= &(s->s3->wrec);
  592. sess=s->session;
  593. if ( (sess == NULL) ||
  594. (s->enc_write_ctx == NULL) ||
  595. (EVP_MD_CTX_md(s->write_hash) == NULL))
  596. clear=1;
  597. if (clear)
  598. mac_size=0;
  599. else
  600. {
  601. mac_size=EVP_MD_CTX_size(s->write_hash);
  602. if (mac_size < 0)
  603. goto err;
  604. }
  605. /* 'create_empty_fragment' is true only when this function calls itself */
  606. if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done)
  607. {
  608. /* countermeasure against known-IV weakness in CBC ciphersuites
  609. * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
  610. if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
  611. {
  612. /* recursive function call with 'create_empty_fragment' set;
  613. * this prepares and buffers the data for an empty fragment
  614. * (these 'prefix_len' bytes are sent out later
  615. * together with the actual payload) */
  616. prefix_len = do_ssl3_write(s, type, buf, 0, 1);
  617. if (prefix_len <= 0)
  618. goto err;
  619. if (prefix_len >
  620. (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD))
  621. {
  622. /* insufficient space */
  623. SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
  624. goto err;
  625. }
  626. }
  627. s->s3->empty_fragment_done = 1;
  628. }
  629. if (create_empty_fragment)
  630. {
  631. #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
  632. /* extra fragment would be couple of cipher blocks,
  633. * which would be multiple of SSL3_ALIGN_PAYLOAD, so
  634. * if we want to align the real payload, then we can
  635. * just pretent we simply have two headers. */
  636. align = (long)wb->buf + 2*SSL3_RT_HEADER_LENGTH;
  637. align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
  638. #endif
  639. p = wb->buf + align;
  640. wb->offset = align;
  641. }
  642. else if (prefix_len)
  643. {
  644. p = wb->buf + wb->offset + prefix_len;
  645. }
  646. else
  647. {
  648. #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
  649. align = (long)wb->buf + SSL3_RT_HEADER_LENGTH;
  650. align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
  651. #endif
  652. p = wb->buf + align;
  653. wb->offset = align;
  654. }
  655. /* write the header */
  656. *(p++)=type&0xff;
  657. wr->type=type;
  658. *(p++)=(s->version>>8);
  659. *(p++)=s->version&0xff;
  660. /* field where we are to write out packet length */
  661. plen=p;
  662. p+=2;
  663. /* Explicit IV length, block ciphers and TLS version 1.1 or later */
  664. if (s->enc_write_ctx && s->version >= TLS1_1_VERSION
  665. && EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE)
  666. {
  667. eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
  668. if (eivlen <= 1)
  669. eivlen = 0;
  670. }
  671. else
  672. eivlen = 0;
  673. /* lets setup the record stuff. */
  674. wr->data=p + eivlen;
  675. wr->length=(int)len;
  676. wr->input=(unsigned char *)buf;
  677. /* we now 'read' from wr->input, wr->length bytes into
  678. * wr->data */
  679. /* first we compress */
  680. if (s->compress != NULL)
  681. {
  682. if (!ssl3_do_compress(s))
  683. {
  684. SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
  685. goto err;
  686. }
  687. }
  688. else
  689. {
  690. memcpy(wr->data,wr->input,wr->length);
  691. wr->input=wr->data;
  692. }
  693. /* we should still have the output to wr->data and the input
  694. * from wr->input. Length should be wr->length.
  695. * wr->data still points in the wb->buf */
  696. if (mac_size != 0)
  697. {
  698. if (s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
  699. goto err;
  700. wr->length+=mac_size;
  701. }
  702. wr->input=p;
  703. wr->data=p;
  704. if (eivlen)
  705. {
  706. /* if (RAND_pseudo_bytes(p, eivlen) <= 0)
  707. goto err; */
  708. wr->length += eivlen;
  709. }
  710. /* ssl3_enc can only have an error on read */
  711. s->method->ssl3_enc->enc(s,1);
  712. /* record length after mac and block padding */
  713. s2n(wr->length,plen);
  714. /* we should now have
  715. * wr->data pointing to the encrypted data, which is
  716. * wr->length long */
  717. wr->type=type; /* not needed but helps for debugging */
  718. wr->length+=SSL3_RT_HEADER_LENGTH;
  719. if (create_empty_fragment)
  720. {
  721. /* we are in a recursive call;
  722. * just return the length, don't write out anything here
  723. */
  724. return wr->length;
  725. }
  726. /* now let's set up wb */
  727. wb->left = prefix_len + wr->length;
  728. /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
  729. s->s3->wpend_tot=len;
  730. s->s3->wpend_buf=buf;
  731. s->s3->wpend_type=type;
  732. s->s3->wpend_ret=len;
  733. /* we now just need to write the buffer */
  734. return ssl3_write_pending(s,type,buf,len);
  735. err:
  736. return -1;
  737. }
  738. /* if s->s3->wbuf.left != 0, we need to call this */
  739. int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
  740. unsigned int len)
  741. {
  742. int i;
  743. SSL3_BUFFER *wb=&(s->s3->wbuf);
  744. /* XXXX */
  745. if ((s->s3->wpend_tot > (int)len)
  746. || ((s->s3->wpend_buf != buf) &&
  747. !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
  748. || (s->s3->wpend_type != type))
  749. {
  750. SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
  751. return(-1);
  752. }
  753. for (;;)
  754. {
  755. clear_sys_error();
  756. if (s->wbio != NULL)
  757. {
  758. s->rwstate=SSL_WRITING;
  759. i=BIO_write(s->wbio,
  760. (char *)&(wb->buf[wb->offset]),
  761. (unsigned int)wb->left);
  762. }
  763. else
  764. {
  765. SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
  766. i= -1;
  767. }
  768. if (i == wb->left)
  769. {
  770. wb->left=0;
  771. wb->offset+=i;
  772. if (s->mode & SSL_MODE_RELEASE_BUFFERS)
  773. ssl3_release_write_buffer(s);
  774. s->rwstate=SSL_NOTHING;
  775. return(s->s3->wpend_ret);
  776. }
  777. else if (i <= 0) {
  778. if (s->version == DTLS1_VERSION ||
  779. s->version == DTLS1_BAD_VER) {
  780. /* For DTLS, just drop it. That's kind of the whole
  781. point in using a datagram service */
  782. wb->left = 0;
  783. }
  784. return(i);
  785. }
  786. wb->offset+=i;
  787. wb->left-=i;
  788. }
  789. }
  790. /* Return up to 'len' payload bytes received in 'type' records.
  791. * 'type' is one of the following:
  792. *
  793. * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
  794. * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
  795. * - 0 (during a shutdown, no data has to be returned)
  796. *
  797. * If we don't have stored data to work from, read a SSL/TLS record first
  798. * (possibly multiple records if we still don't have anything to return).
  799. *
  800. * This function must handle any surprises the peer may have for us, such as
  801. * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
  802. * a surprise, but handled as if it were), or renegotiation requests.
  803. * Also if record payloads contain fragments too small to process, we store
  804. * them until there is enough for the respective protocol (the record protocol
  805. * may use arbitrary fragmentation and even interleaving):
  806. * Change cipher spec protocol
  807. * just 1 byte needed, no need for keeping anything stored
  808. * Alert protocol
  809. * 2 bytes needed (AlertLevel, AlertDescription)
  810. * Handshake protocol
  811. * 4 bytes needed (HandshakeType, uint24 length) -- we just have
  812. * to detect unexpected Client Hello and Hello Request messages
  813. * here, anything else is handled by higher layers
  814. * Application data protocol
  815. * none of our business
  816. */
  817. int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
  818. {
  819. int al,i,j,ret;
  820. unsigned int n;
  821. SSL3_RECORD *rr;
  822. void (*cb)(const SSL *ssl,int type2,int val)=NULL;
  823. if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
  824. if (!ssl3_setup_read_buffer(s))
  825. return(-1);
  826. if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
  827. (peek && (type != SSL3_RT_APPLICATION_DATA)))
  828. {
  829. SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
  830. return -1;
  831. }
  832. if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
  833. /* (partially) satisfy request from storage */
  834. {
  835. unsigned char *src = s->s3->handshake_fragment;
  836. unsigned char *dst = buf;
  837. unsigned int k;
  838. /* peek == 0 */
  839. n = 0;
  840. while ((len > 0) && (s->s3->handshake_fragment_len > 0))
  841. {
  842. *dst++ = *src++;
  843. len--; s->s3->handshake_fragment_len--;
  844. n++;
  845. }
  846. /* move any remaining fragment bytes: */
  847. for (k = 0; k < s->s3->handshake_fragment_len; k++)
  848. s->s3->handshake_fragment[k] = *src++;
  849. return n;
  850. }
  851. /* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
  852. if (!s->in_handshake && SSL_in_init(s))
  853. {
  854. /* type == SSL3_RT_APPLICATION_DATA */
  855. i=s->handshake_func(s);
  856. if (i < 0) return(i);
  857. if (i == 0)
  858. {
  859. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
  860. return(-1);
  861. }
  862. }
  863. start:
  864. s->rwstate=SSL_NOTHING;
  865. /* s->s3->rrec.type - is the type of record
  866. * s->s3->rrec.data, - data
  867. * s->s3->rrec.off, - offset into 'data' for next read
  868. * s->s3->rrec.length, - number of bytes. */
  869. rr = &(s->s3->rrec);
  870. /* get new packet if necessary */
  871. if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
  872. {
  873. ret=ssl3_get_record(s);
  874. if (ret <= 0) return(ret);
  875. }
  876. /* we now have a packet which can be read and processed */
  877. if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
  878. * reset by ssl3_get_finished */
  879. && (rr->type != SSL3_RT_HANDSHAKE))
  880. {
  881. al=SSL_AD_UNEXPECTED_MESSAGE;
  882. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
  883. goto f_err;
  884. }
  885. /* If the other end has shut down, throw anything we read away
  886. * (even in 'peek' mode) */
  887. if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
  888. {
  889. rr->length=0;
  890. s->rwstate=SSL_NOTHING;
  891. return(0);
  892. }
  893. if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
  894. {
  895. /* make sure that we are not getting application data when we
  896. * are doing a handshake for the first time */
  897. if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
  898. (s->enc_read_ctx == NULL))
  899. {
  900. al=SSL_AD_UNEXPECTED_MESSAGE;
  901. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
  902. goto f_err;
  903. }
  904. if (len <= 0) return(len);
  905. if ((unsigned int)len > rr->length)
  906. n = rr->length;
  907. else
  908. n = (unsigned int)len;
  909. memcpy(buf,&(rr->data[rr->off]),n);
  910. if (!peek)
  911. {
  912. rr->length-=n;
  913. rr->off+=n;
  914. if (rr->length == 0)
  915. {
  916. s->rstate=SSL_ST_READ_HEADER;
  917. rr->off=0;
  918. if (s->mode & SSL_MODE_RELEASE_BUFFERS)
  919. ssl3_release_read_buffer(s);
  920. }
  921. }
  922. return(n);
  923. }
  924. /* If we get here, then type != rr->type; if we have a handshake
  925. * message, then it was unexpected (Hello Request or Client Hello). */
  926. /* In case of record types for which we have 'fragment' storage,
  927. * fill that so that we can process the data at a fixed place.
  928. */
  929. {
  930. unsigned int dest_maxlen = 0;
  931. unsigned char *dest = NULL;
  932. unsigned int *dest_len = NULL;
  933. if (rr->type == SSL3_RT_HANDSHAKE)
  934. {
  935. dest_maxlen = sizeof s->s3->handshake_fragment;
  936. dest = s->s3->handshake_fragment;
  937. dest_len = &s->s3->handshake_fragment_len;
  938. }
  939. else if (rr->type == SSL3_RT_ALERT)
  940. {
  941. dest_maxlen = sizeof s->s3->alert_fragment;
  942. dest = s->s3->alert_fragment;
  943. dest_len = &s->s3->alert_fragment_len;
  944. }
  945. if (dest_maxlen > 0)
  946. {
  947. n = dest_maxlen - *dest_len; /* available space in 'dest' */
  948. if (rr->length < n)
  949. n = rr->length; /* available bytes */
  950. /* now move 'n' bytes: */
  951. while (n-- > 0)
  952. {
  953. dest[(*dest_len)++] = rr->data[rr->off++];
  954. rr->length--;
  955. }
  956. if (*dest_len < dest_maxlen)
  957. goto start; /* fragment was too small */
  958. }
  959. }
  960. /* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
  961. * s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
  962. * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
  963. /* If we are a client, check for an incoming 'Hello Request': */
  964. if ((!s->server) &&
  965. (s->s3->handshake_fragment_len >= 4) &&
  966. (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
  967. (s->session != NULL) && (s->session->cipher != NULL))
  968. {
  969. s->s3->handshake_fragment_len = 0;
  970. if ((s->s3->handshake_fragment[1] != 0) ||
  971. (s->s3->handshake_fragment[2] != 0) ||
  972. (s->s3->handshake_fragment[3] != 0))
  973. {
  974. al=SSL_AD_DECODE_ERROR;
  975. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
  976. goto f_err;
  977. }
  978. if (s->msg_callback)
  979. s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
  980. if (SSL_is_init_finished(s) &&
  981. !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
  982. !s->s3->renegotiate)
  983. {
  984. ssl3_renegotiate(s);
  985. if (ssl3_renegotiate_check(s))
  986. {
  987. i=s->handshake_func(s);
  988. if (i < 0) return(i);
  989. if (i == 0)
  990. {
  991. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
  992. return(-1);
  993. }
  994. if (!(s->mode & SSL_MODE_AUTO_RETRY))
  995. {
  996. if (s->s3->rbuf.left == 0) /* no read-ahead left? */
  997. {
  998. BIO *bio;
  999. /* In the case where we try to read application data,
  1000. * but we trigger an SSL handshake, we return -1 with
  1001. * the retry option set. Otherwise renegotiation may
  1002. * cause nasty problems in the blocking world */
  1003. s->rwstate=SSL_READING;
  1004. bio=SSL_get_rbio(s);
  1005. BIO_clear_retry_flags(bio);
  1006. BIO_set_retry_read(bio);
  1007. return(-1);
  1008. }
  1009. }
  1010. }
  1011. }
  1012. /* we either finished a handshake or ignored the request,
  1013. * now try again to obtain the (application) data we were asked for */
  1014. goto start;
  1015. }
  1016. /* If we are a server and get a client hello when renegotiation isn't
  1017. * allowed send back a no renegotiation alert and carry on.
  1018. * WARNING: experimental code, needs reviewing (steve)
  1019. */
  1020. if (s->server &&
  1021. SSL_is_init_finished(s) &&
  1022. !s->s3->send_connection_binding &&
  1023. (s->version > SSL3_VERSION) &&
  1024. (s->s3->handshake_fragment_len >= 4) &&
  1025. (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
  1026. (s->session != NULL) && (s->session->cipher != NULL) &&
  1027. !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
  1028. {
  1029. /*s->s3->handshake_fragment_len = 0;*/
  1030. rr->length = 0;
  1031. ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
  1032. goto start;
  1033. }
  1034. if (s->s3->alert_fragment_len >= 2)
  1035. {
  1036. int alert_level = s->s3->alert_fragment[0];
  1037. int alert_descr = s->s3->alert_fragment[1];
  1038. s->s3->alert_fragment_len = 0;
  1039. if (s->msg_callback)
  1040. s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
  1041. if (s->info_callback != NULL)
  1042. cb=s->info_callback;
  1043. else if (s->ctx->info_callback != NULL)
  1044. cb=s->ctx->info_callback;
  1045. if (cb != NULL)
  1046. {
  1047. j = (alert_level << 8) | alert_descr;
  1048. cb(s, SSL_CB_READ_ALERT, j);
  1049. }
  1050. if (alert_level == 1) /* warning */
  1051. {
  1052. s->s3->warn_alert = alert_descr;
  1053. if (alert_descr == SSL_AD_CLOSE_NOTIFY)
  1054. {
  1055. s->shutdown |= SSL_RECEIVED_SHUTDOWN;
  1056. return(0);
  1057. }
  1058. /* This is a warning but we receive it if we requested
  1059. * renegotiation and the peer denied it. Terminate with
  1060. * a fatal alert because if application tried to
  1061. * renegotiatie it presumably had a good reason and
  1062. * expects it to succeed.
  1063. *
  1064. * In future we might have a renegotiation where we
  1065. * don't care if the peer refused it where we carry on.
  1066. */
  1067. else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
  1068. {
  1069. al = SSL_AD_HANDSHAKE_FAILURE;
  1070. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
  1071. goto f_err;
  1072. }
  1073. }
  1074. else if (alert_level == 2) /* fatal */
  1075. {
  1076. char tmp[16];
  1077. s->rwstate=SSL_NOTHING;
  1078. s->s3->fatal_alert = alert_descr;
  1079. SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
  1080. BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
  1081. ERR_add_error_data(2,"SSL alert number ",tmp);
  1082. s->shutdown|=SSL_RECEIVED_SHUTDOWN;
  1083. SSL_CTX_remove_session(s->ctx,s->session);
  1084. return(0);
  1085. }
  1086. else
  1087. {
  1088. al=SSL_AD_ILLEGAL_PARAMETER;
  1089. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
  1090. goto f_err;
  1091. }
  1092. goto start;
  1093. }
  1094. if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
  1095. {
  1096. s->rwstate=SSL_NOTHING;
  1097. rr->length=0;
  1098. return(0);
  1099. }
  1100. if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
  1101. {
  1102. /* 'Change Cipher Spec' is just a single byte, so we know
  1103. * exactly what the record payload has to look like */
  1104. if ( (rr->length != 1) || (rr->off != 0) ||
  1105. (rr->data[0] != SSL3_MT_CCS))
  1106. {
  1107. al=SSL_AD_ILLEGAL_PARAMETER;
  1108. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
  1109. goto f_err;
  1110. }
  1111. /* Check we have a cipher to change to */
  1112. if (s->s3->tmp.new_cipher == NULL)
  1113. {
  1114. al=SSL_AD_UNEXPECTED_MESSAGE;
  1115. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
  1116. goto f_err;
  1117. }
  1118. rr->length=0;
  1119. if (s->msg_callback)
  1120. s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
  1121. s->s3->change_cipher_spec=1;
  1122. if (!ssl3_do_change_cipher_spec(s))
  1123. goto err;
  1124. else
  1125. goto start;
  1126. }
  1127. /* Unexpected handshake message (Client Hello, or protocol violation) */
  1128. if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
  1129. {
  1130. if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
  1131. !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
  1132. {
  1133. #if 0 /* worked only because C operator preferences are not as expected (and
  1134. * because this is not really needed for clients except for detecting
  1135. * protocol violations): */
  1136. s->state=SSL_ST_BEFORE|(s->server)
  1137. ?SSL_ST_ACCEPT
  1138. :SSL_ST_CONNECT;
  1139. #else
  1140. s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
  1141. #endif
  1142. s->renegotiate=1;
  1143. s->new_session=1;
  1144. }
  1145. i=s->handshake_func(s);
  1146. if (i < 0) return(i);
  1147. if (i == 0)
  1148. {
  1149. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
  1150. return(-1);
  1151. }
  1152. if (!(s->mode & SSL_MODE_AUTO_RETRY))
  1153. {
  1154. if (s->s3->rbuf.left == 0) /* no read-ahead left? */
  1155. {
  1156. BIO *bio;
  1157. /* In the case where we try to read application data,
  1158. * but we trigger an SSL handshake, we return -1 with
  1159. * the retry option set. Otherwise renegotiation may
  1160. * cause nasty problems in the blocking world */
  1161. s->rwstate=SSL_READING;
  1162. bio=SSL_get_rbio(s);
  1163. BIO_clear_retry_flags(bio);
  1164. BIO_set_retry_read(bio);
  1165. return(-1);
  1166. }
  1167. }
  1168. goto start;
  1169. }
  1170. switch (rr->type)
  1171. {
  1172. default:
  1173. #ifndef OPENSSL_NO_TLS
  1174. /* TLS just ignores unknown message types */
  1175. if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION)
  1176. {
  1177. rr->length = 0;
  1178. goto start;
  1179. }
  1180. #endif
  1181. al=SSL_AD_UNEXPECTED_MESSAGE;
  1182. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
  1183. goto f_err;
  1184. case SSL3_RT_CHANGE_CIPHER_SPEC:
  1185. case SSL3_RT_ALERT:
  1186. case SSL3_RT_HANDSHAKE:
  1187. /* we already handled all of these, with the possible exception
  1188. * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
  1189. * should not happen when type != rr->type */
  1190. al=SSL_AD_UNEXPECTED_MESSAGE;
  1191. SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
  1192. goto f_err;
  1193. case SSL3_RT_APPLICATION_DATA:
  1194. /* At this point, we were expecting handshake data,
  1195. * but have application data. If the library was
  1196. * running inside ssl3_read() (i.e. in_read_app_data
  1197. * is set) and it makes sense to read application data
  1198. * at this point (session renegotiation not yet started),
  1199. * we will indulge it.
  1200. */
  1201. if (s->s3->in_read_app_data &&
  1202. (s->s3->total_renegotiations != 0) &&
  1203. ((
  1204. (s->state & SSL_ST_CONNECT) &&
  1205. (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
  1206. (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
  1207. ) || (
  1208. (s->state & SSL_ST_ACCEPT) &&
  1209. (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
  1210. (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
  1211. )
  1212. ))
  1213. {
  1214. s->s3->in_read_app_data=2;
  1215. return(-1);
  1216. }
  1217. else
  1218. {
  1219. al=SSL_AD_UNEXPECTED_MESSAGE;
  1220. SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
  1221. goto f_err;
  1222. }
  1223. }
  1224. /* not reached */
  1225. f_err:
  1226. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1227. err:
  1228. return(-1);
  1229. }
  1230. int ssl3_do_change_cipher_spec(SSL *s)
  1231. {
  1232. int i;
  1233. #ifdef OPENSSL_NO_NEXTPROTONEG
  1234. const char *sender;
  1235. int slen;
  1236. #endif
  1237. if (s->state & SSL_ST_ACCEPT)
  1238. i=SSL3_CHANGE_CIPHER_SERVER_READ;
  1239. else
  1240. i=SSL3_CHANGE_CIPHER_CLIENT_READ;
  1241. if (s->s3->tmp.key_block == NULL)
  1242. {
  1243. if (s->session == NULL)
  1244. {
  1245. /* might happen if dtls1_read_bytes() calls this */
  1246. SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
  1247. return (0);
  1248. }
  1249. s->session->cipher=s->s3->tmp.new_cipher;
  1250. if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
  1251. }
  1252. if (!s->method->ssl3_enc->change_cipher_state(s,i))
  1253. return(0);
  1254. #ifdef OPENSSL_NO_NEXTPROTONEG
  1255. /* we have to record the message digest at
  1256. * this point so we can get it before we read
  1257. * the finished message */
  1258. if (s->state & SSL_ST_CONNECT)
  1259. {
  1260. sender=s->method->ssl3_enc->server_finished_label;
  1261. slen=s->method->ssl3_enc->server_finished_label_len;
  1262. }
  1263. else
  1264. {
  1265. sender=s->method->ssl3_enc->client_finished_label;
  1266. slen=s->method->ssl3_enc->client_finished_label_len;
  1267. }
  1268. s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
  1269. sender,slen,s->s3->tmp.peer_finish_md);
  1270. #endif
  1271. return(1);
  1272. }
  1273. int ssl3_send_alert(SSL *s, int level, int desc)
  1274. {
  1275. /* Map tls/ssl alert value to correct one */
  1276. desc=s->method->ssl3_enc->alert_value(desc);
  1277. if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
  1278. desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
  1279. if (desc < 0) return -1;
  1280. /* If a fatal one, remove from cache */
  1281. if ((level == 2) && (s->session != NULL))
  1282. SSL_CTX_remove_session(s->ctx,s->session);
  1283. s->s3->alert_dispatch=1;
  1284. s->s3->send_alert[0]=level;
  1285. s->s3->send_alert[1]=desc;
  1286. if (s->s3->wbuf.left == 0) /* data still being written out? */
  1287. return s->method->ssl_dispatch_alert(s);
  1288. /* else data is still being written out, we will get written
  1289. * some time in the future */
  1290. return -1;
  1291. }
  1292. int ssl3_dispatch_alert(SSL *s)
  1293. {
  1294. int i,j;
  1295. void (*cb)(const SSL *ssl,int type,int val)=NULL;
  1296. s->s3->alert_dispatch=0;
  1297. i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
  1298. if (i <= 0)
  1299. {
  1300. s->s3->alert_dispatch=1;
  1301. }
  1302. else
  1303. {
  1304. /* Alert sent to BIO. If it is important, flush it now.
  1305. * If the message does not get sent due to non-blocking IO,
  1306. * we will not worry too much. */
  1307. if (s->s3->send_alert[0] == SSL3_AL_FATAL)
  1308. (void)BIO_flush(s->wbio);
  1309. if (s->msg_callback)
  1310. s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
  1311. if (s->info_callback != NULL)
  1312. cb=s->info_callback;
  1313. else if (s->ctx->info_callback != NULL)
  1314. cb=s->ctx->info_callback;
  1315. if (cb != NULL)
  1316. {
  1317. j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
  1318. cb(s,SSL_CB_WRITE_ALERT,j);
  1319. }
  1320. }
  1321. return(i);
  1322. }