s2_pkt.c revision 55715
1177957Sattilio/* ssl/s2_pkt.c */ 2177957Sattilio/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3177957Sattilio * All rights reserved. 4177957Sattilio * 5177957Sattilio * This package is an SSL implementation written 6177957Sattilio * by Eric Young (eay@cryptsoft.com). 7177957Sattilio * The implementation was written so as to conform with Netscapes SSL. 8177957Sattilio * 9177957Sattilio * This library is free for commercial and non-commercial use as long as 10177957Sattilio * the following conditions are aheared to. The following conditions 11177957Sattilio * apply to all code found in this distribution, be it the RC4, RSA, 12177957Sattilio * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13177957Sattilio * included with this distribution is covered by the same copyright terms 14177957Sattilio * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15177957Sattilio * 16177957Sattilio * Copyright remains Eric Young's, and as such any Copyright notices in 17177957Sattilio * the code are not to be removed. 18177957Sattilio * If this package is used in a product, Eric Young should be given attribution 19177957Sattilio * as the author of the parts of the library used. 20177957Sattilio * This can be in the form of a textual message at program startup or 21177957Sattilio * in documentation (online or textual) provided with the package. 22177957Sattilio * 23177957Sattilio * Redistribution and use in source and binary forms, with or without 24177957Sattilio * modification, are permitted provided that the following conditions 25177957Sattilio * are met: 26177957Sattilio * 1. Redistributions of source code must retain the copyright 27177957Sattilio * notice, this list of conditions and the following disclaimer. 28177957Sattilio * 2. Redistributions in binary form must reproduce the above copyright 29177957Sattilio * notice, this list of conditions and the following disclaimer in the 30177957Sattilio * documentation and/or other materials provided with the distribution. 31177957Sattilio * 3. All advertising materials mentioning features or use of this software 32177957Sattilio * must display the following acknowledgement: 33177957Sattilio * "This product includes cryptographic software written by 34177957Sattilio * Eric Young (eay@cryptsoft.com)" 35177957Sattilio * The word 'cryptographic' can be left out if the rouines from the library 36177957Sattilio * being used are not cryptographic related :-). 37177957Sattilio * 4. If you include any Windows specific code (or a derivative thereof) from 38177957Sattilio * the apps directory (application code) you must include an acknowledgement: 39177957Sattilio * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40177957Sattilio * 41200447Sattilio * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42177957Sattilio * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43177957Sattilio * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44177957Sattilio * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45177957Sattilio * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46177957Sattilio * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47177957Sattilio * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48177957Sattilio * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49177957Sattilio * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59#include <stdio.h> 60#include <errno.h> 61#define USE_SOCKETS 62#include "ssl_locl.h" 63 64static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend); 65static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len); 66static int write_pending(SSL *s, const unsigned char *buf, unsigned int len); 67static int ssl_mt_error(int n); 68int ssl2_peek(SSL *s, char *buf, int len) 69 { 70 int ret; 71 72 ret=ssl2_read(s,buf,len); 73 if (ret > 0) 74 { 75 s->s2->ract_data_length+=ret; 76 s->s2->ract_data-=ret; 77 } 78 return(ret); 79 } 80 81/* SSL_read - 82 * This routine will return 0 to len bytes, decrypted etc if required. 83 */ 84int ssl2_read(SSL *s, void *buf, int len) 85 { 86 int n; 87 unsigned char mac[MAX_MAC_SIZE]; 88 unsigned char *p; 89 int i; 90 unsigned int mac_size=0; 91 92ssl2_read_again: 93 if (SSL_in_init(s) && !s->in_handshake) 94 { 95 n=s->handshake_func(s); 96 if (n < 0) return(n); 97 if (n == 0) 98 { 99 SSLerr(SSL_F_SSL2_READ,SSL_R_SSL_HANDSHAKE_FAILURE); 100 return(-1); 101 } 102 } 103 104 clear_sys_error(); 105 s->rwstate=SSL_NOTHING; 106 if (len <= 0) return(len); 107 108 if (s->s2->ract_data_length != 0) /* read from buffer */ 109 { 110 if (len > s->s2->ract_data_length) 111 n=s->s2->ract_data_length; 112 else 113 n=len; 114 115 memcpy(buf,s->s2->ract_data,(unsigned int)n); 116 s->s2->ract_data_length-=n; 117 s->s2->ract_data+=n; 118 if (s->s2->ract_data_length == 0) 119 s->rstate=SSL_ST_READ_HEADER; 120 return(n); 121 } 122 123 if (s->rstate == SSL_ST_READ_HEADER) 124 { 125 if (s->first_packet) 126 { 127 n=read_n(s,5,SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2,0); 128 if (n <= 0) return(n); /* error or non-blocking */ 129 s->first_packet=0; 130 p=s->packet; 131 if (!((p[0] & 0x80) && ( 132 (p[2] == SSL2_MT_CLIENT_HELLO) || 133 (p[2] == SSL2_MT_SERVER_HELLO)))) 134 { 135 SSLerr(SSL_F_SSL2_READ,SSL_R_NON_SSLV2_INITIAL_PACKET); 136 return(-1); 137 } 138 } 139 else 140 { 141 n=read_n(s,2,SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2,0); 142 if (n <= 0) return(n); /* error or non-blocking */ 143 } 144 /* part read stuff */ 145 146 s->rstate=SSL_ST_READ_BODY; 147 p=s->packet; 148 /* Do header */ 149 /*s->s2->padding=0;*/ 150 s->s2->escape=0; 151 s->s2->rlength=(((unsigned int)p[0])<<8)|((unsigned int)p[1]); 152 if ((p[0] & TWO_BYTE_BIT)) /* Two byte header? */ 153 { 154 s->s2->three_byte_header=0; 155 s->s2->rlength&=TWO_BYTE_MASK; 156 } 157 else 158 { 159 s->s2->three_byte_header=1; 160 s->s2->rlength&=THREE_BYTE_MASK; 161 162 /* security >s2->escape */ 163 s->s2->escape=((p[0] & SEC_ESC_BIT))?1:0; 164 } 165 } 166 167 if (s->rstate == SSL_ST_READ_BODY) 168 { 169 n=s->s2->rlength+2+s->s2->three_byte_header; 170 if (n > (int)s->packet_length) 171 { 172 n-=s->packet_length; 173 i=read_n(s,(unsigned int)n,(unsigned int)n,1); 174 if (i <= 0) return(i); /* ERROR */ 175 } 176 177 p= &(s->packet[2]); 178 s->rstate=SSL_ST_READ_HEADER; 179 if (s->s2->three_byte_header) 180 s->s2->padding= *(p++); 181 else s->s2->padding=0; 182 183 /* Data portion */ 184 if (s->s2->clear_text) 185 { 186 s->s2->mac_data=p; 187 s->s2->ract_data=p; 188 s->s2->pad_data=NULL; 189 } 190 else 191 { 192 mac_size=EVP_MD_size(s->read_hash); 193 s->s2->mac_data=p; 194 s->s2->ract_data= &p[mac_size]; 195 s->s2->pad_data= &p[mac_size+ 196 s->s2->rlength-s->s2->padding]; 197 } 198 199 s->s2->ract_data_length=s->s2->rlength; 200 /* added a check for length > max_size in case 201 * encryption was not turned on yet due to an error */ 202 if ((!s->s2->clear_text) && 203 (s->s2->rlength >= mac_size)) 204 { 205 ssl2_enc(s,0); 206 s->s2->ract_data_length-=mac_size; 207 ssl2_mac(s,mac,0); 208 s->s2->ract_data_length-=s->s2->padding; 209 if ( (memcmp(mac,s->s2->mac_data, 210 (unsigned int)mac_size) != 0) || 211 (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) 212 { 213 SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_MAC_DECODE); 214 return(-1); 215 } 216 } 217 INC32(s->s2->read_sequence); /* expect next number */ 218 /* s->s2->ract_data is now available for processing */ 219 220#if 1 221 /* How should we react when a packet containing 0 222 * bytes is received? (Note that SSLeay/OpenSSL itself 223 * never sends such packets; see ssl2_write.) 224 * Returning 0 would be interpreted by the caller as 225 * indicating EOF, so it's not a good idea. 226 * Instead, we just continue reading. Note that using 227 * select() for blocking sockets *never* guarantees 228 * that the next SSL_read will not block -- the available 229 * data may contain incomplete packets, and except for SSL 2 230 * renegotiation can confuse things even more. */ 231 232 goto ssl2_read_again; /* This should really be 233 * "return ssl2_read(s,buf,len)", 234 * but that would allow for 235 * denial-of-service attacks if a 236 * C compiler is used that does not 237 * recognize end-recursion. */ 238#else 239 /* If a 0 byte packet was sent, return 0, otherwise 240 * we play havoc with people using select with 241 * blocking sockets. Let them handle a packet at a time, 242 * they should really be using non-blocking sockets. */ 243 if (s->s2->ract_data_length == 0) 244 return(0); 245 return(ssl2_read(s,buf,len)); 246#endif 247 } 248 else 249 { 250 SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_STATE); 251 return(-1); 252 } 253 } 254 255static int read_n(SSL *s, unsigned int n, unsigned int max, 256 unsigned int extend) 257 { 258 int i,off,newb; 259 260 /* if there is stuff still in the buffer from a previous read, 261 * and there is more than we want, take some. */ 262 if (s->s2->rbuf_left >= (int)n) 263 { 264 if (extend) 265 s->packet_length+=n; 266 else 267 { 268 s->packet= &(s->s2->rbuf[s->s2->rbuf_offs]); 269 s->packet_length=n; 270 } 271 s->s2->rbuf_left-=n; 272 s->s2->rbuf_offs+=n; 273 return(n); 274 } 275 276 if (!s->read_ahead) max=n; 277 if (max > (unsigned int)(SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) 278 max=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2; 279 280 281 /* Else we want more than we have. 282 * First, if there is some left or we want to extend */ 283 off=0; 284 if ((s->s2->rbuf_left != 0) || ((s->packet_length != 0) && extend)) 285 { 286 newb=s->s2->rbuf_left; 287 if (extend) 288 { 289 off=s->packet_length; 290 if (s->packet != s->s2->rbuf) 291 memcpy(s->s2->rbuf,s->packet, 292 (unsigned int)newb+off); 293 } 294 else if (s->s2->rbuf_offs != 0) 295 { 296 memcpy(s->s2->rbuf,&(s->s2->rbuf[s->s2->rbuf_offs]), 297 (unsigned int)newb); 298 s->s2->rbuf_offs=0; 299 } 300 s->s2->rbuf_left=0; 301 } 302 else 303 newb=0; 304 305 /* off is the offset to start writing too. 306 * r->s2->rbuf_offs is the 'unread data', now 0. 307 * newb is the number of new bytes so far 308 */ 309 s->packet=s->s2->rbuf; 310 while (newb < (int)n) 311 { 312 clear_sys_error(); 313 if (s->rbio != NULL) 314 { 315 s->rwstate=SSL_READING; 316 i=BIO_read(s->rbio,(char *)&(s->s2->rbuf[off+newb]), 317 max-newb); 318 } 319 else 320 { 321 SSLerr(SSL_F_READ_N,SSL_R_READ_BIO_NOT_SET); 322 i= -1; 323 } 324#ifdef PKT_DEBUG 325 if (s->debug & 0x01) sleep(1); 326#endif 327 if (i <= 0) 328 { 329 s->s2->rbuf_left+=newb; 330 return(i); 331 } 332 newb+=i; 333 } 334 335 /* record unread data */ 336 if (newb > (int)n) 337 { 338 s->s2->rbuf_offs=n+off; 339 s->s2->rbuf_left=newb-n; 340 } 341 else 342 { 343 s->s2->rbuf_offs=0; 344 s->s2->rbuf_left=0; 345 } 346 if (extend) 347 s->packet_length+=n; 348 else 349 s->packet_length=n; 350 s->rwstate=SSL_NOTHING; 351 return(n); 352 } 353 354int ssl2_write(SSL *s, const void *_buf, int len) 355 { 356 const unsigned char *buf=_buf; 357 unsigned int n,tot; 358 int i; 359 360 if (SSL_in_init(s) && !s->in_handshake) 361 { 362 i=s->handshake_func(s); 363 if (i < 0) return(i); 364 if (i == 0) 365 { 366 SSLerr(SSL_F_SSL2_WRITE,SSL_R_SSL_HANDSHAKE_FAILURE); 367 return(-1); 368 } 369 } 370 371 if (s->error) 372 { 373 ssl2_write_error(s); 374 if (s->error) 375 return(-1); 376 } 377 378 clear_sys_error(); 379 s->rwstate=SSL_NOTHING; 380 if (len <= 0) return(len); 381 382 tot=s->s2->wnum; 383 s->s2->wnum=0; 384 385 n=(len-tot); 386 for (;;) 387 { 388 i=do_ssl_write(s,&(buf[tot]),n); 389 if (i <= 0) 390 { 391 s->s2->wnum=tot; 392 return(i); 393 } 394 if ((i == (int)n) || 395 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)) 396 { 397 return(tot+i); 398 } 399 400 n-=i; 401 tot+=i; 402 } 403 } 404 405static int write_pending(SSL *s, const unsigned char *buf, unsigned int len) 406 { 407 int i; 408 409 /* s->s2->wpend_len != 0 MUST be true. */ 410 411 /* check that they have given us the same buffer to 412 * write */ 413 if ((s->s2->wpend_tot > (int)len) || 414 ((s->s2->wpend_buf != buf) && 415 !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))) 416 { 417 SSLerr(SSL_F_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY); 418 return(-1); 419 } 420 421 for (;;) 422 { 423 clear_sys_error(); 424 if (s->wbio != NULL) 425 { 426 s->rwstate=SSL_WRITING; 427 i=BIO_write(s->wbio, 428 (char *)&(s->s2->write_ptr[s->s2->wpend_off]), 429 (unsigned int)s->s2->wpend_len); 430 } 431 else 432 { 433 SSLerr(SSL_F_WRITE_PENDING,SSL_R_WRITE_BIO_NOT_SET); 434 i= -1; 435 } 436#ifdef PKT_DEBUG 437 if (s->debug & 0x01) sleep(1); 438#endif 439 if (i == s->s2->wpend_len) 440 { 441 s->s2->wpend_len=0; 442 s->rwstate=SSL_NOTHING; 443 return(s->s2->wpend_ret); 444 } 445 else if (i <= 0) 446 return(i); 447 s->s2->wpend_off+=i; 448 s->s2->wpend_len-=i; 449 } 450 } 451 452static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) 453 { 454 unsigned int j,k,olen,p,mac_size,bs; 455 register unsigned char *pp; 456 457 olen=len; 458 459 /* first check if there is data from an encryption waiting to 460 * be sent - it must be sent because the other end is waiting. 461 * This will happen with non-blocking IO. We print it and then 462 * return. 463 */ 464 if (s->s2->wpend_len != 0) return(write_pending(s,buf,len)); 465 466 /* set mac_size to mac size */ 467 if (s->s2->clear_text) 468 mac_size=0; 469 else 470 mac_size=EVP_MD_size(s->write_hash); 471 472 /* lets set the pad p */ 473 if (s->s2->clear_text) 474 { 475 if (len > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER) 476 len=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER; 477 p=0; 478 s->s2->three_byte_header=0; 479 /* len=len; */ 480 } 481 else 482 { 483 bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx); 484 j=len+mac_size; 485 if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) && 486 (!s->s2->escape)) 487 { 488 if (j > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER) 489 j=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER; 490 /* set k to the max number of bytes with 2 491 * byte header */ 492 k=j-(j%bs); 493 /* how many data bytes? */ 494 len=k-mac_size; 495 s->s2->three_byte_header=0; 496 p=0; 497 } 498 else if ((bs <= 1) && (!s->s2->escape)) 499 { 500 /* len=len; */ 501 s->s2->three_byte_header=0; 502 p=0; 503 } 504 else /* 3 byte header */ 505 { 506 /*len=len; */ 507 p=(j%bs); 508 p=(p == 0)?0:(bs-p); 509 if (s->s2->escape) 510 s->s2->three_byte_header=1; 511 else 512 s->s2->three_byte_header=(p == 0)?0:1; 513 } 514 } 515 /* mac_size is the number of MAC bytes 516 * len is the number of data bytes we are going to send 517 * p is the number of padding bytes 518 * if p == 0, it is a 2 byte header */ 519 520 s->s2->wlength=len; 521 s->s2->padding=p; 522 s->s2->mac_data= &(s->s2->wbuf[3]); 523 s->s2->wact_data= &(s->s2->wbuf[3+mac_size]); 524 /* we copy the data into s->s2->wbuf */ 525 memcpy(s->s2->wact_data,buf,len); 526#ifdef PURIFY 527 if (p) 528 memset(&(s->s2->wact_data[len]),0,p); 529#endif 530 531 if (!s->s2->clear_text) 532 { 533 s->s2->wact_data_length=len+p; 534 ssl2_mac(s,s->s2->mac_data,1); 535 s->s2->wlength+=p+mac_size; 536 ssl2_enc(s,1); 537 } 538 539 /* package up the header */ 540 s->s2->wpend_len=s->s2->wlength; 541 if (s->s2->three_byte_header) /* 3 byte header */ 542 { 543 pp=s->s2->mac_data; 544 pp-=3; 545 pp[0]=(s->s2->wlength>>8)&(THREE_BYTE_MASK>>8); 546 if (s->s2->escape) pp[0]|=SEC_ESC_BIT; 547 pp[1]=s->s2->wlength&0xff; 548 pp[2]=s->s2->padding; 549 s->s2->wpend_len+=3; 550 } 551 else 552 { 553 pp=s->s2->mac_data; 554 pp-=2; 555 pp[0]=((s->s2->wlength>>8)&(TWO_BYTE_MASK>>8))|TWO_BYTE_BIT; 556 pp[1]=s->s2->wlength&0xff; 557 s->s2->wpend_len+=2; 558 } 559 s->s2->write_ptr=pp; 560 561 INC32(s->s2->write_sequence); /* expect next number */ 562 563 /* lets try to actually write the data */ 564 s->s2->wpend_tot=olen; 565 s->s2->wpend_buf=buf; 566 567 s->s2->wpend_ret=len; 568 569 s->s2->wpend_off=0; 570 return(write_pending(s,buf,olen)); 571 } 572 573int ssl2_part_read(SSL *s, unsigned long f, int i) 574 { 575 unsigned char *p; 576 int j; 577 578 /* check for error */ 579 if ((s->init_num == 0) && (i >= 3)) 580 { 581 p=(unsigned char *)s->init_buf->data; 582 if (p[0] == SSL2_MT_ERROR) 583 { 584 j=(p[1]<<8)|p[2]; 585 SSLerr((int)f,ssl_mt_error(j)); 586 } 587 } 588 589 if (i < 0) 590 { 591 /* ssl2_return_error(s); */ 592 /* for non-blocking io, 593 * this is not fatal */ 594 return(i); 595 } 596 else 597 { 598 s->init_num+=i; 599 return(0); 600 } 601 } 602 603int ssl2_do_write(SSL *s) 604 { 605 int ret; 606 607 ret=ssl2_write(s,&s->init_buf->data[s->init_off],s->init_num); 608 if (ret == s->init_num) 609 return(1); 610 if (ret < 0) 611 return(-1); 612 s->init_off+=ret; 613 s->init_num-=ret; 614 return(0); 615 } 616 617static int ssl_mt_error(int n) 618 { 619 int ret; 620 621 switch (n) 622 { 623 case SSL2_PE_NO_CIPHER: 624 ret=SSL_R_PEER_ERROR_NO_CIPHER; 625 break; 626 case SSL2_PE_NO_CERTIFICATE: 627 ret=SSL_R_PEER_ERROR_NO_CERTIFICATE; 628 break; 629 case SSL2_PE_BAD_CERTIFICATE: 630 ret=SSL_R_PEER_ERROR_CERTIFICATE; 631 break; 632 case SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE: 633 ret=SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE; 634 break; 635 default: 636 ret=SSL_R_UNKNOWN_REMOTE_ERROR_TYPE; 637 break; 638 } 639 return(ret); 640 } 641