s3_pkt.c revision 279265
1/* ssl/s3_pkt.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#include <stdio.h> 113#include <limits.h> 114#include <errno.h> 115#define USE_SOCKETS 116#include "ssl_locl.h" 117#include <openssl/evp.h> 118#include <openssl/buffer.h> 119 120static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, 121 unsigned int len, int create_empty_fragment); 122static int ssl3_get_record(SSL *s); 123 124int ssl3_read_n(SSL *s, int n, int max, int extend) 125 { 126 /* If extend == 0, obtain new n-byte packet; if extend == 1, increase 127 * packet by another n bytes. 128 * The packet will be in the sub-array of s->s3->rbuf.buf specified 129 * by s->packet and s->packet_length. 130 * (If s->read_ahead is set, 'max' bytes may be stored in rbuf 131 * [plus s->packet_length bytes if extend == 1].) 132 */ 133 int i,off,newb; 134 135 if (!extend) 136 { 137 /* start with empty packet ... */ 138 if (s->s3->rbuf.left == 0) 139 s->s3->rbuf.offset = 0; 140 s->packet = s->s3->rbuf.buf + s->s3->rbuf.offset; 141 s->packet_length = 0; 142 /* ... now we can act as if 'extend' was set */ 143 } 144 145 /* For DTLS/UDP reads should not span multiple packets 146 * because the read operation returns the whole packet 147 * at once (as long as it fits into the buffer). */ 148 if (SSL_version(s) == DTLS1_VERSION) 149 { 150 if (s->s3->rbuf.left == 0 && extend) 151 return 0; 152 if ( s->s3->rbuf.left > 0 && n > s->s3->rbuf.left) 153 n = s->s3->rbuf.left; 154 } 155 156 /* if there is enough in the buffer from a previous read, take some */ 157 if (s->s3->rbuf.left >= (int)n) 158 { 159 s->packet_length+=n; 160 s->s3->rbuf.left-=n; 161 s->s3->rbuf.offset+=n; 162 return(n); 163 } 164 165 /* else we need to read more data */ 166 if (!s->read_ahead) 167 max=n; 168 169 { 170 /* avoid buffer overflow */ 171 int max_max = s->s3->rbuf.len - s->packet_length; 172 if (max > max_max) 173 max = max_max; 174 } 175 if (n > max) /* does not happen */ 176 { 177 SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR); 178 return -1; 179 } 180 181 off = s->packet_length; 182 newb = s->s3->rbuf.left; 183 /* Move any available bytes to front of buffer: 184 * 'off' bytes already pointed to by 'packet', 185 * 'newb' extra ones at the end */ 186 if (s->packet != s->s3->rbuf.buf) 187 { 188 /* off > 0 */ 189 memmove(s->s3->rbuf.buf, s->packet, off+newb); 190 s->packet = s->s3->rbuf.buf; 191 } 192 193 while (newb < n) 194 { 195 /* Now we have off+newb bytes at the front of s->s3->rbuf.buf and need 196 * to read in more until we have off+n (up to off+max if possible) */ 197 198 clear_sys_error(); 199 if (s->rbio != NULL) 200 { 201 s->rwstate=SSL_READING; 202 i=BIO_read(s->rbio, &(s->s3->rbuf.buf[off+newb]), max-newb); 203 } 204 else 205 { 206 SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET); 207 i = -1; 208 } 209 210 if (i <= 0) 211 { 212 s->s3->rbuf.left = newb; 213 return(i); 214 } 215 newb+=i; 216 /* reads should *never* span multiple packets for DTLS because 217 * the underlying transport protocol is message oriented as opposed 218 * to byte oriented as in the TLS case. */ 219 if (SSL_version(s) == DTLS1_VERSION) 220 { 221 if (n > newb) 222 n = newb; /* makes the while condition false */ 223 } 224 } 225 226 /* done reading, now the book-keeping */ 227 s->s3->rbuf.offset = off + n; 228 s->s3->rbuf.left = newb - n; 229 s->packet_length += n; 230 s->rwstate=SSL_NOTHING; 231 return(n); 232 } 233 234/* MAX_EMPTY_RECORDS defines the number of consecutive, empty records that will 235 * be processed per call to ssl3_get_record. Without this limit an attacker 236 * could send empty records at a faster rate than we can process and cause 237 * ssl3_get_record to loop forever. */ 238#define MAX_EMPTY_RECORDS 32 239 240/* Call this to get a new input record. 241 * It will return <= 0 if more data is needed, normally due to an error 242 * or non-blocking IO. 243 * When it finishes, one packet has been decoded and can be found in 244 * ssl->s3->rrec.type - is the type of record 245 * ssl->s3->rrec.data, - data 246 * ssl->s3->rrec.length, - number of bytes 247 */ 248/* used only by ssl3_read_bytes */ 249static int ssl3_get_record(SSL *s) 250 { 251 int ssl_major,ssl_minor,al; 252 int enc_err,n,i,ret= -1; 253 SSL3_RECORD *rr; 254 SSL_SESSION *sess; 255 unsigned char *p; 256 unsigned char md[EVP_MAX_MD_SIZE]; 257 short version; 258 unsigned mac_size, orig_len; 259 size_t extra; 260 unsigned empty_record_count = 0; 261 262 rr= &(s->s3->rrec); 263 sess=s->session; 264 265 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) 266 extra=SSL3_RT_MAX_EXTRA; 267 else 268 extra=0; 269 if (extra != s->s3->rbuf.len - SSL3_RT_MAX_PACKET_SIZE) 270 { 271 /* actually likely an application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER 272 * set after ssl3_setup_buffers() was done */ 273 SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); 274 return -1; 275 } 276 277again: 278 /* check if we have the header */ 279 if ( (s->rstate != SSL_ST_READ_BODY) || 280 (s->packet_length < SSL3_RT_HEADER_LENGTH)) 281 { 282 n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); 283 if (n <= 0) return(n); /* error or non-blocking */ 284 s->rstate=SSL_ST_READ_BODY; 285 286 p=s->packet; 287 288 /* Pull apart the header into the SSL3_RECORD */ 289 rr->type= *(p++); 290 ssl_major= *(p++); 291 ssl_minor= *(p++); 292 version=(ssl_major<<8)|ssl_minor; 293 n2s(p,rr->length); 294 295 /* Lets check version */ 296 if (!s->first_packet) 297 { 298 if (version != s->version) 299 { 300 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 301 if ((s->version & 0xFF00) == (version & 0xFF00)) 302 /* Send back error using their minor version number :-) */ 303 s->version = (unsigned short)version; 304 al=SSL_AD_PROTOCOL_VERSION; 305 goto f_err; 306 } 307 } 308 309 if ((version>>8) != SSL3_VERSION_MAJOR) 310 { 311 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 312 goto err; 313 } 314 315 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra) 316 { 317 al=SSL_AD_RECORD_OVERFLOW; 318 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); 319 goto f_err; 320 } 321 322 /* now s->rstate == SSL_ST_READ_BODY */ 323 } 324 325 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ 326 327 if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH) 328 { 329 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */ 330 i=rr->length; 331 n=ssl3_read_n(s,i,i,1); 332 if (n <= 0) return(n); /* error or non-blocking io */ 333 /* now n == rr->length, 334 * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */ 335 } 336 337 s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */ 338 339 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 340 * and we have that many bytes in s->packet 341 */ 342 rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]); 343 344 /* ok, we can now read from 's->packet' data into 'rr' 345 * rr->input points at rr->length bytes, which 346 * need to be copied into rr->data by either 347 * the decryption or by the decompression 348 * When the data is 'copied' into the rr->data buffer, 349 * rr->input will be pointed at the new buffer */ 350 351 /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] 352 * rr->length bytes of encrypted compressed stuff. */ 353 354 /* check is not needed I believe */ 355 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra) 356 { 357 al=SSL_AD_RECORD_OVERFLOW; 358 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 359 goto f_err; 360 } 361 362 /* decrypt in place in 'rr->input' */ 363 rr->data=rr->input; 364 365 enc_err = s->method->ssl3_enc->enc(s,0); 366 /* enc_err is: 367 * 0: (in non-constant time) if the record is publically invalid. 368 * 1: if the padding is valid 369 * -1: if the padding is invalid */ 370 if (enc_err == 0) 371 { 372 al=SSL_AD_DECRYPTION_FAILED; 373 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); 374 goto f_err; 375 } 376 377#ifdef TLS_DEBUG 378printf("dec %d\n",rr->length); 379{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } 380printf("\n"); 381#endif 382 383 /* r->length is now the compressed data plus mac */ 384 if ((sess != NULL) && 385 (s->enc_read_ctx != NULL) && 386 (s->read_hash != NULL)) 387 { 388 /* s->read_hash != NULL => mac_size != -1 */ 389 unsigned char *mac = NULL; 390 unsigned char mac_tmp[EVP_MAX_MD_SIZE]; 391 mac_size=EVP_MD_size(s->read_hash); 392 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); 393 394 /* kludge: *_cbc_remove_padding passes padding length in rr->type */ 395 orig_len = rr->length+((unsigned int)rr->type>>8); 396 397 /* orig_len is the length of the record before any padding was 398 * removed. This is public information, as is the MAC in use, 399 * therefore we can safely process the record in a different 400 * amount of time if it's too short to possibly contain a MAC. 401 */ 402 if (orig_len < mac_size || 403 /* CBC records must have a padding length byte too. */ 404 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && 405 orig_len < mac_size+1)) 406 { 407 al=SSL_AD_DECODE_ERROR; 408 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); 409 goto f_err; 410 } 411 412 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) 413 { 414 /* We update the length so that the TLS header bytes 415 * can be constructed correctly but we need to extract 416 * the MAC in constant time from within the record, 417 * without leaking the contents of the padding bytes. 418 * */ 419 mac = mac_tmp; 420 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); 421 rr->length -= mac_size; 422 } 423 else 424 { 425 /* In this case there's no padding, so |orig_len| 426 * equals |rec->length| and we checked that there's 427 * enough bytes for |mac_size| above. */ 428 rr->length -= mac_size; 429 mac = &rr->data[rr->length]; 430 } 431 432 i=s->method->ssl3_enc->mac(s,md,0 /* not send */); 433 if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) 434 enc_err = -1; 435 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) 436 enc_err = -1; 437 } 438 439 if (enc_err < 0) 440 { 441 /* A separate 'decryption_failed' alert was introduced with TLS 1.0, 442 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption 443 * failure is directly visible from the ciphertext anyway, 444 * we should not reveal which kind of error occured -- this 445 * might become visible to an attacker (e.g. via a logfile) */ 446 al=SSL_AD_BAD_RECORD_MAC; 447 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 448 goto f_err; 449 } 450 451 /* r->length is now just compressed */ 452 if (s->expand != NULL) 453 { 454 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) 455 { 456 al=SSL_AD_RECORD_OVERFLOW; 457 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); 458 goto f_err; 459 } 460 if (!ssl3_do_uncompress(s)) 461 { 462 al=SSL_AD_DECOMPRESSION_FAILURE; 463 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION); 464 goto f_err; 465 } 466 } 467 468 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) 469 { 470 al=SSL_AD_RECORD_OVERFLOW; 471 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); 472 goto f_err; 473 } 474 475 rr->off=0; 476 /* So at this point the following is true 477 * ssl->s3->rrec.type is the type of record 478 * ssl->s3->rrec.length == number of bytes in record 479 * ssl->s3->rrec.off == offset to first valid byte 480 * ssl->s3->rrec.data == where to take bytes from, increment 481 * after use :-). 482 */ 483 484 /* we have pulled in a full packet so zero things */ 485 s->packet_length=0; 486 487 /* just read a 0 length packet */ 488 if (rr->length == 0) 489 { 490 empty_record_count++; 491 if (empty_record_count > MAX_EMPTY_RECORDS) 492 { 493 al=SSL_AD_UNEXPECTED_MESSAGE; 494 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_RECORD_TOO_SMALL); 495 goto f_err; 496 } 497 goto again; 498 } 499 500 return(1); 501 502f_err: 503 ssl3_send_alert(s,SSL3_AL_FATAL,al); 504err: 505 return(ret); 506 } 507 508int ssl3_do_uncompress(SSL *ssl) 509 { 510#ifndef OPENSSL_NO_COMP 511 int i; 512 SSL3_RECORD *rr; 513 514 rr= &(ssl->s3->rrec); 515 i=COMP_expand_block(ssl->expand,rr->comp, 516 SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length); 517 if (i < 0) 518 return(0); 519 else 520 rr->length=i; 521 rr->data=rr->comp; 522#endif 523 return(1); 524 } 525 526int ssl3_do_compress(SSL *ssl) 527 { 528#ifndef OPENSSL_NO_COMP 529 int i; 530 SSL3_RECORD *wr; 531 532 wr= &(ssl->s3->wrec); 533 i=COMP_compress_block(ssl->compress,wr->data, 534 SSL3_RT_MAX_COMPRESSED_LENGTH, 535 wr->input,(int)wr->length); 536 if (i < 0) 537 return(0); 538 else 539 wr->length=i; 540 541 wr->input=wr->data; 542#endif 543 return(1); 544 } 545 546/* Call this to write data in records of type 'type' 547 * It will return <= 0 if not all data has been sent or non-blocking IO. 548 */ 549int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) 550 { 551 const unsigned char *buf=buf_; 552 unsigned int n,nw; 553 int i,tot; 554 555 s->rwstate=SSL_NOTHING; 556 OPENSSL_assert(s->s3->wnum <= INT_MAX); 557 tot=s->s3->wnum; 558 s->s3->wnum=0; 559 560 if (SSL_in_init(s) && !s->in_handshake) 561 { 562 i=s->handshake_func(s); 563 if (i < 0) return(i); 564 if (i == 0) 565 { 566 SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 567 return -1; 568 } 569 } 570 571 /* ensure that if we end up with a smaller value of data to write 572 * out than the the original len from a write which didn't complete 573 * for non-blocking I/O and also somehow ended up avoiding 574 * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as 575 * it must never be possible to end up with (len-tot) as a large 576 * number that will then promptly send beyond the end of the users 577 * buffer ... so we trap and report the error in a way the user 578 * will notice 579 */ 580 if (len < tot) 581 { 582 SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH); 583 return(-1); 584 } 585 586 587 n=(len-tot); 588 for (;;) 589 { 590 if (n > SSL3_RT_MAX_PLAIN_LENGTH) 591 nw=SSL3_RT_MAX_PLAIN_LENGTH; 592 else 593 nw=n; 594 595 i=do_ssl3_write(s, type, &(buf[tot]), nw, 0); 596 if (i <= 0) 597 { 598 s->s3->wnum=tot; 599 return i; 600 } 601 602 if ((i == (int)n) || 603 (type == SSL3_RT_APPLICATION_DATA && 604 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) 605 { 606 /* next chunk of data should get another prepended empty fragment 607 * in ciphersuites with known-IV weakness: */ 608 s->s3->empty_fragment_done = 0; 609 610 return tot+i; 611 } 612 613 n-=i; 614 tot+=i; 615 } 616 } 617 618static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, 619 unsigned int len, int create_empty_fragment) 620 { 621 unsigned char *p,*plen; 622 int i,mac_size,clear=0; 623 int prefix_len = 0; 624 SSL3_RECORD *wr; 625 SSL3_BUFFER *wb; 626 SSL_SESSION *sess; 627 628 /* first check if there is a SSL3_BUFFER still being written 629 * out. This will happen with non blocking IO */ 630 if (s->s3->wbuf.left != 0) 631 return(ssl3_write_pending(s,type,buf,len)); 632 633 /* If we have an alert to send, lets send it */ 634 if (s->s3->alert_dispatch) 635 { 636 i=s->method->ssl_dispatch_alert(s); 637 if (i <= 0) 638 return(i); 639 /* if it went, fall through and send more stuff */ 640 } 641 642 if (len == 0 && !create_empty_fragment) 643 return 0; 644 645 wr= &(s->s3->wrec); 646 wb= &(s->s3->wbuf); 647 sess=s->session; 648 649 if ( (sess == NULL) || 650 (s->enc_write_ctx == NULL) || 651 (s->write_hash == NULL)) 652 clear=1; 653 654 if (clear) 655 mac_size=0; 656 else 657 mac_size=EVP_MD_size(s->write_hash); 658 659 /* 'create_empty_fragment' is true only when this function calls itself */ 660 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done) 661 { 662 /* countermeasure against known-IV weakness in CBC ciphersuites 663 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ 664 665 if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) 666 { 667 /* recursive function call with 'create_empty_fragment' set; 668 * this prepares and buffers the data for an empty fragment 669 * (these 'prefix_len' bytes are sent out later 670 * together with the actual payload) */ 671 prefix_len = do_ssl3_write(s, type, buf, 0, 1); 672 if (prefix_len <= 0) 673 goto err; 674 675 if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) 676 { 677 /* insufficient space */ 678 SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); 679 goto err; 680 } 681 } 682 683 s->s3->empty_fragment_done = 1; 684 } 685 686 p = wb->buf + prefix_len; 687 688 /* write the header */ 689 690 *(p++)=type&0xff; 691 wr->type=type; 692 693 *(p++)=(s->version>>8); 694 *(p++)=s->version&0xff; 695 696 /* field where we are to write out packet length */ 697 plen=p; 698 p+=2; 699 700 /* lets setup the record stuff. */ 701 wr->data=p; 702 wr->length=(int)len; 703 wr->input=(unsigned char *)buf; 704 705 /* we now 'read' from wr->input, wr->length bytes into 706 * wr->data */ 707 708 /* first we compress */ 709 if (s->compress != NULL) 710 { 711 if (!ssl3_do_compress(s)) 712 { 713 SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE); 714 goto err; 715 } 716 } 717 else 718 { 719 memcpy(wr->data,wr->input,wr->length); 720 wr->input=wr->data; 721 } 722 723 /* we should still have the output to wr->data and the input 724 * from wr->input. Length should be wr->length. 725 * wr->data still points in the wb->buf */ 726 727 if (mac_size != 0) 728 { 729 s->method->ssl3_enc->mac(s,&(p[wr->length]),1); 730 wr->length+=mac_size; 731 wr->input=p; 732 wr->data=p; 733 } 734 735 /* ssl3_enc can only have an error on read */ 736 s->method->ssl3_enc->enc(s,1); 737 738 /* record length after mac and block padding */ 739 s2n(wr->length,plen); 740 741 /* we should now have 742 * wr->data pointing to the encrypted data, which is 743 * wr->length long */ 744 wr->type=type; /* not needed but helps for debugging */ 745 wr->length+=SSL3_RT_HEADER_LENGTH; 746 747 if (create_empty_fragment) 748 { 749 /* we are in a recursive call; 750 * just return the length, don't write out anything here 751 */ 752 return wr->length; 753 } 754 755 /* now let's set up wb */ 756 wb->left = prefix_len + wr->length; 757 wb->offset = 0; 758 759 /* memorize arguments so that ssl3_write_pending can detect bad write retries later */ 760 s->s3->wpend_tot=len; 761 s->s3->wpend_buf=buf; 762 s->s3->wpend_type=type; 763 s->s3->wpend_ret=len; 764 765 /* we now just need to write the buffer */ 766 return ssl3_write_pending(s,type,buf,len); 767err: 768 return -1; 769 } 770 771/* if s->s3->wbuf.left != 0, we need to call this */ 772int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, 773 unsigned int len) 774 { 775 int i; 776 777/* XXXX */ 778 if ((s->s3->wpend_tot > (int)len) 779 || ((s->s3->wpend_buf != buf) && 780 !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) 781 || (s->s3->wpend_type != type)) 782 { 783 SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY); 784 return(-1); 785 } 786 787 for (;;) 788 { 789 clear_sys_error(); 790 if (s->wbio != NULL) 791 { 792 s->rwstate=SSL_WRITING; 793 i=BIO_write(s->wbio, 794 (char *)&(s->s3->wbuf.buf[s->s3->wbuf.offset]), 795 (unsigned int)s->s3->wbuf.left); 796 } 797 else 798 { 799 SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET); 800 i= -1; 801 } 802 if (i == s->s3->wbuf.left) 803 { 804 s->s3->wbuf.left=0; 805 s->rwstate=SSL_NOTHING; 806 return(s->s3->wpend_ret); 807 } 808 else if (i <= 0) { 809 if (s->version == DTLS1_VERSION || 810 s->version == DTLS1_BAD_VER) { 811 /* For DTLS, just drop it. That's kind of the whole 812 point in using a datagram service */ 813 s->s3->wbuf.left = 0; 814 } 815 return(i); 816 } 817 s->s3->wbuf.offset+=i; 818 s->s3->wbuf.left-=i; 819 } 820 } 821 822/* Return up to 'len' payload bytes received in 'type' records. 823 * 'type' is one of the following: 824 * 825 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) 826 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) 827 * - 0 (during a shutdown, no data has to be returned) 828 * 829 * If we don't have stored data to work from, read a SSL/TLS record first 830 * (possibly multiple records if we still don't have anything to return). 831 * 832 * This function must handle any surprises the peer may have for us, such as 833 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really 834 * a surprise, but handled as if it were), or renegotiation requests. 835 * Also if record payloads contain fragments too small to process, we store 836 * them until there is enough for the respective protocol (the record protocol 837 * may use arbitrary fragmentation and even interleaving): 838 * Change cipher spec protocol 839 * just 1 byte needed, no need for keeping anything stored 840 * Alert protocol 841 * 2 bytes needed (AlertLevel, AlertDescription) 842 * Handshake protocol 843 * 4 bytes needed (HandshakeType, uint24 length) -- we just have 844 * to detect unexpected Client Hello and Hello Request messages 845 * here, anything else is handled by higher layers 846 * Application data protocol 847 * none of our business 848 */ 849int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) 850 { 851 int al,i,j,ret; 852 unsigned int n; 853 SSL3_RECORD *rr; 854 void (*cb)(const SSL *ssl,int type2,int val)=NULL; 855 856 if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ 857 if (!ssl3_setup_buffers(s)) 858 return(-1); 859 860 if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE)) || 861 (peek && (type != SSL3_RT_APPLICATION_DATA))) 862 { 863 SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); 864 return -1; 865 } 866 867 if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0)) 868 /* (partially) satisfy request from storage */ 869 { 870 unsigned char *src = s->s3->handshake_fragment; 871 unsigned char *dst = buf; 872 unsigned int k; 873 874 /* peek == 0 */ 875 n = 0; 876 while ((len > 0) && (s->s3->handshake_fragment_len > 0)) 877 { 878 *dst++ = *src++; 879 len--; s->s3->handshake_fragment_len--; 880 n++; 881 } 882 /* move any remaining fragment bytes: */ 883 for (k = 0; k < s->s3->handshake_fragment_len; k++) 884 s->s3->handshake_fragment[k] = *src++; 885 return n; 886 } 887 888 /* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ 889 890 if (!s->in_handshake && SSL_in_init(s)) 891 { 892 /* type == SSL3_RT_APPLICATION_DATA */ 893 i=s->handshake_func(s); 894 if (i < 0) return(i); 895 if (i == 0) 896 { 897 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 898 return(-1); 899 } 900 } 901start: 902 s->rwstate=SSL_NOTHING; 903 904 /* s->s3->rrec.type - is the type of record 905 * s->s3->rrec.data, - data 906 * s->s3->rrec.off, - offset into 'data' for next read 907 * s->s3->rrec.length, - number of bytes. */ 908 rr = &(s->s3->rrec); 909 910 /* get new packet if necessary */ 911 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) 912 { 913 ret=ssl3_get_record(s); 914 if (ret <= 0) return(ret); 915 } 916 917 /* we now have a packet which can be read and processed */ 918 919 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, 920 * reset by ssl3_get_finished */ 921 && (rr->type != SSL3_RT_HANDSHAKE)) 922 { 923 al=SSL_AD_UNEXPECTED_MESSAGE; 924 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); 925 goto f_err; 926 } 927 928 /* If the other end has shut down, throw anything we read away 929 * (even in 'peek' mode) */ 930 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 931 { 932 rr->length=0; 933 s->rwstate=SSL_NOTHING; 934 return(0); 935 } 936 937 938 if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ 939 { 940 /* make sure that we are not getting application data when we 941 * are doing a handshake for the first time */ 942 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && 943 (s->enc_read_ctx == NULL)) 944 { 945 al=SSL_AD_UNEXPECTED_MESSAGE; 946 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE); 947 goto f_err; 948 } 949 950 if (len <= 0) return(len); 951 952 if ((unsigned int)len > rr->length) 953 n = rr->length; 954 else 955 n = (unsigned int)len; 956 957 memcpy(buf,&(rr->data[rr->off]),n); 958 if (!peek) 959 { 960 rr->length-=n; 961 rr->off+=n; 962 if (rr->length == 0) 963 { 964 s->rstate=SSL_ST_READ_HEADER; 965 rr->off=0; 966 } 967 } 968 return(n); 969 } 970 971 972 /* If we get here, then type != rr->type; if we have a handshake 973 * message, then it was unexpected (Hello Request or Client Hello). */ 974 975 /* In case of record types for which we have 'fragment' storage, 976 * fill that so that we can process the data at a fixed place. 977 */ 978 { 979 unsigned int dest_maxlen = 0; 980 unsigned char *dest = NULL; 981 unsigned int *dest_len = NULL; 982 983 if (rr->type == SSL3_RT_HANDSHAKE) 984 { 985 dest_maxlen = sizeof s->s3->handshake_fragment; 986 dest = s->s3->handshake_fragment; 987 dest_len = &s->s3->handshake_fragment_len; 988 } 989 else if (rr->type == SSL3_RT_ALERT) 990 { 991 dest_maxlen = sizeof s->s3->alert_fragment; 992 dest = s->s3->alert_fragment; 993 dest_len = &s->s3->alert_fragment_len; 994 } 995 996 if (dest_maxlen > 0) 997 { 998 n = dest_maxlen - *dest_len; /* available space in 'dest' */ 999 if (rr->length < n) 1000 n = rr->length; /* available bytes */ 1001 1002 /* now move 'n' bytes: */ 1003 while (n-- > 0) 1004 { 1005 dest[(*dest_len)++] = rr->data[rr->off++]; 1006 rr->length--; 1007 } 1008 1009 if (*dest_len < dest_maxlen) 1010 goto start; /* fragment was too small */ 1011 } 1012 } 1013 1014 /* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE; 1015 * s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT. 1016 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ 1017 1018 /* If we are a client, check for an incoming 'Hello Request': */ 1019 if ((!s->server) && 1020 (s->s3->handshake_fragment_len >= 4) && 1021 (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && 1022 (s->session != NULL) && (s->session->cipher != NULL)) 1023 { 1024 s->s3->handshake_fragment_len = 0; 1025 1026 if ((s->s3->handshake_fragment[1] != 0) || 1027 (s->s3->handshake_fragment[2] != 0) || 1028 (s->s3->handshake_fragment[3] != 0)) 1029 { 1030 al=SSL_AD_DECODE_ERROR; 1031 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST); 1032 goto f_err; 1033 } 1034 1035 if (s->msg_callback) 1036 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg); 1037 1038 if (SSL_is_init_finished(s) && 1039 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 1040 !s->s3->renegotiate) 1041 { 1042 ssl3_renegotiate(s); 1043 if (ssl3_renegotiate_check(s)) 1044 { 1045 i=s->handshake_func(s); 1046 if (i < 0) return(i); 1047 if (i == 0) 1048 { 1049 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 1050 return(-1); 1051 } 1052 1053 if (!(s->mode & SSL_MODE_AUTO_RETRY)) 1054 { 1055 if (s->s3->rbuf.left == 0) /* no read-ahead left? */ 1056 { 1057 BIO *bio; 1058 /* In the case where we try to read application data, 1059 * but we trigger an SSL handshake, we return -1 with 1060 * the retry option set. Otherwise renegotiation may 1061 * cause nasty problems in the blocking world */ 1062 s->rwstate=SSL_READING; 1063 bio=SSL_get_rbio(s); 1064 BIO_clear_retry_flags(bio); 1065 BIO_set_retry_read(bio); 1066 return(-1); 1067 } 1068 } 1069 } 1070 } 1071 /* we either finished a handshake or ignored the request, 1072 * now try again to obtain the (application) data we were asked for */ 1073 goto start; 1074 } 1075 /* If we are a server and get a client hello when renegotiation isn't 1076 * allowed send back a no renegotiation alert and carry on. 1077 * WARNING: experimental code, needs reviewing (steve) 1078 */ 1079 if (s->server && 1080 SSL_is_init_finished(s) && 1081 !s->s3->send_connection_binding && 1082 (s->version > SSL3_VERSION) && 1083 (s->s3->handshake_fragment_len >= 4) && 1084 (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && 1085 (s->session != NULL) && (s->session->cipher != NULL) && 1086 !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1087 1088 { 1089 /*s->s3->handshake_fragment_len = 0;*/ 1090 rr->length = 0; 1091 ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); 1092 goto start; 1093 } 1094 if (s->s3->alert_fragment_len >= 2) 1095 { 1096 int alert_level = s->s3->alert_fragment[0]; 1097 int alert_descr = s->s3->alert_fragment[1]; 1098 1099 s->s3->alert_fragment_len = 0; 1100 1101 if (s->msg_callback) 1102 s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg); 1103 1104 if (s->info_callback != NULL) 1105 cb=s->info_callback; 1106 else if (s->ctx->info_callback != NULL) 1107 cb=s->ctx->info_callback; 1108 1109 if (cb != NULL) 1110 { 1111 j = (alert_level << 8) | alert_descr; 1112 cb(s, SSL_CB_READ_ALERT, j); 1113 } 1114 1115 if (alert_level == 1) /* warning */ 1116 { 1117 s->s3->warn_alert = alert_descr; 1118 if (alert_descr == SSL_AD_CLOSE_NOTIFY) 1119 { 1120 s->shutdown |= SSL_RECEIVED_SHUTDOWN; 1121 return(0); 1122 } 1123 /* This is a warning but we receive it if we requested 1124 * renegotiation and the peer denied it. Terminate with 1125 * a fatal alert because if application tried to 1126 * renegotiatie it presumably had a good reason and 1127 * expects it to succeed. 1128 * 1129 * In future we might have a renegotiation where we 1130 * don't care if the peer refused it where we carry on. 1131 */ 1132 else if (alert_descr == SSL_AD_NO_RENEGOTIATION) 1133 { 1134 al = SSL_AD_HANDSHAKE_FAILURE; 1135 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION); 1136 goto f_err; 1137 } 1138 } 1139 else if (alert_level == 2) /* fatal */ 1140 { 1141 char tmp[16]; 1142 1143 s->rwstate=SSL_NOTHING; 1144 s->s3->fatal_alert = alert_descr; 1145 SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); 1146 BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr); 1147 ERR_add_error_data(2,"SSL alert number ",tmp); 1148 s->shutdown|=SSL_RECEIVED_SHUTDOWN; 1149 SSL_CTX_remove_session(s->ctx,s->session); 1150 return(0); 1151 } 1152 else 1153 { 1154 al=SSL_AD_ILLEGAL_PARAMETER; 1155 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE); 1156 goto f_err; 1157 } 1158 1159 goto start; 1160 } 1161 1162 if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */ 1163 { 1164 s->rwstate=SSL_NOTHING; 1165 rr->length=0; 1166 return(0); 1167 } 1168 1169 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) 1170 { 1171 /* 'Change Cipher Spec' is just a single byte, so we know 1172 * exactly what the record payload has to look like */ 1173 if ( (rr->length != 1) || (rr->off != 0) || 1174 (rr->data[0] != SSL3_MT_CCS)) 1175 { 1176 al=SSL_AD_ILLEGAL_PARAMETER; 1177 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); 1178 goto f_err; 1179 } 1180 1181 /* Check we have a cipher to change to */ 1182 if (s->s3->tmp.new_cipher == NULL) 1183 { 1184 al=SSL_AD_UNEXPECTED_MESSAGE; 1185 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); 1186 goto f_err; 1187 } 1188 1189 if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) 1190 { 1191 al=SSL_AD_UNEXPECTED_MESSAGE; 1192 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); 1193 goto f_err; 1194 } 1195 1196 s->s3->flags &= ~SSL3_FLAGS_CCS_OK; 1197 1198 rr->length=0; 1199 1200 if (s->msg_callback) 1201 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg); 1202 1203 s->s3->change_cipher_spec=1; 1204 if (!ssl3_do_change_cipher_spec(s)) 1205 goto err; 1206 else 1207 goto start; 1208 } 1209 1210 /* Unexpected handshake message (Client Hello, or protocol violation) */ 1211 if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) 1212 { 1213 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && 1214 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) 1215 { 1216#if 0 /* worked only because C operator preferences are not as expected (and 1217 * because this is not really needed for clients except for detecting 1218 * protocol violations): */ 1219 s->state=SSL_ST_BEFORE|(s->server) 1220 ?SSL_ST_ACCEPT 1221 :SSL_ST_CONNECT; 1222#else 1223 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1224#endif 1225 s->new_session=1; 1226 } 1227 i=s->handshake_func(s); 1228 if (i < 0) return(i); 1229 if (i == 0) 1230 { 1231 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 1232 return(-1); 1233 } 1234 1235 if (!(s->mode & SSL_MODE_AUTO_RETRY)) 1236 { 1237 if (s->s3->rbuf.left == 0) /* no read-ahead left? */ 1238 { 1239 BIO *bio; 1240 /* In the case where we try to read application data, 1241 * but we trigger an SSL handshake, we return -1 with 1242 * the retry option set. Otherwise renegotiation may 1243 * cause nasty problems in the blocking world */ 1244 s->rwstate=SSL_READING; 1245 bio=SSL_get_rbio(s); 1246 BIO_clear_retry_flags(bio); 1247 BIO_set_retry_read(bio); 1248 return(-1); 1249 } 1250 } 1251 goto start; 1252 } 1253 1254 switch (rr->type) 1255 { 1256 default: 1257#ifndef OPENSSL_NO_TLS 1258 /* TLS just ignores unknown message types */ 1259 if (s->version == TLS1_VERSION) 1260 { 1261 rr->length = 0; 1262 goto start; 1263 } 1264#endif 1265 al=SSL_AD_UNEXPECTED_MESSAGE; 1266 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD); 1267 goto f_err; 1268 case SSL3_RT_CHANGE_CIPHER_SPEC: 1269 case SSL3_RT_ALERT: 1270 case SSL3_RT_HANDSHAKE: 1271 /* we already handled all of these, with the possible exception 1272 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that 1273 * should not happen when type != rr->type */ 1274 al=SSL_AD_UNEXPECTED_MESSAGE; 1275 SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR); 1276 goto f_err; 1277 case SSL3_RT_APPLICATION_DATA: 1278 /* At this point, we were expecting handshake data, 1279 * but have application data. If the library was 1280 * running inside ssl3_read() (i.e. in_read_app_data 1281 * is set) and it makes sense to read application data 1282 * at this point (session renegotiation not yet started), 1283 * we will indulge it. 1284 */ 1285 if (s->s3->in_read_app_data && 1286 (s->s3->total_renegotiations != 0) && 1287 (( 1288 (s->state & SSL_ST_CONNECT) && 1289 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && 1290 (s->state <= SSL3_ST_CR_SRVR_HELLO_A) 1291 ) || ( 1292 (s->state & SSL_ST_ACCEPT) && 1293 (s->state <= SSL3_ST_SW_HELLO_REQ_A) && 1294 (s->state >= SSL3_ST_SR_CLNT_HELLO_A) 1295 ) 1296 )) 1297 { 1298 s->s3->in_read_app_data=2; 1299 return(-1); 1300 } 1301 else 1302 { 1303 al=SSL_AD_UNEXPECTED_MESSAGE; 1304 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD); 1305 goto f_err; 1306 } 1307 } 1308 /* not reached */ 1309 1310f_err: 1311 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1312err: 1313 return(-1); 1314 } 1315 1316int ssl3_do_change_cipher_spec(SSL *s) 1317 { 1318 int i; 1319 const char *sender; 1320 int slen; 1321 1322 if (s->state & SSL_ST_ACCEPT) 1323 i=SSL3_CHANGE_CIPHER_SERVER_READ; 1324 else 1325 i=SSL3_CHANGE_CIPHER_CLIENT_READ; 1326 1327 if (s->s3->tmp.key_block == NULL) 1328 { 1329 if (s->session == NULL || s->session->master_key_length == 0) 1330 { 1331 /* might happen if dtls1_read_bytes() calls this */ 1332 SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY); 1333 return (0); 1334 } 1335 1336 s->session->cipher=s->s3->tmp.new_cipher; 1337 if (!s->method->ssl3_enc->setup_key_block(s)) return(0); 1338 } 1339 1340 if (!s->method->ssl3_enc->change_cipher_state(s,i)) 1341 return(0); 1342 1343 /* we have to record the message digest at 1344 * this point so we can get it before we read 1345 * the finished message */ 1346 if (s->state & SSL_ST_CONNECT) 1347 { 1348 sender=s->method->ssl3_enc->server_finished_label; 1349 slen=s->method->ssl3_enc->server_finished_label_len; 1350 } 1351 else 1352 { 1353 sender=s->method->ssl3_enc->client_finished_label; 1354 slen=s->method->ssl3_enc->client_finished_label_len; 1355 } 1356 1357 s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 1358 &(s->s3->finish_dgst1), 1359 &(s->s3->finish_dgst2), 1360 sender,slen,s->s3->tmp.peer_finish_md); 1361 1362 return(1); 1363 } 1364 1365int ssl3_send_alert(SSL *s, int level, int desc) 1366 { 1367 /* Map tls/ssl alert value to correct one */ 1368 desc=s->method->ssl3_enc->alert_value(desc); 1369 if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION) 1370 desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */ 1371 if (desc < 0) return -1; 1372 /* If a fatal one, remove from cache */ 1373 if ((level == 2) && (s->session != NULL)) 1374 SSL_CTX_remove_session(s->ctx,s->session); 1375 1376 s->s3->alert_dispatch=1; 1377 s->s3->send_alert[0]=level; 1378 s->s3->send_alert[1]=desc; 1379 if (s->s3->wbuf.left == 0) /* data still being written out? */ 1380 return s->method->ssl_dispatch_alert(s); 1381 /* else data is still being written out, we will get written 1382 * some time in the future */ 1383 return -1; 1384 } 1385 1386int ssl3_dispatch_alert(SSL *s) 1387 { 1388 int i,j; 1389 void (*cb)(const SSL *ssl,int type,int val)=NULL; 1390 1391 s->s3->alert_dispatch=0; 1392 i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0); 1393 if (i <= 0) 1394 { 1395 s->s3->alert_dispatch=1; 1396 } 1397 else 1398 { 1399 /* Alert sent to BIO. If it is important, flush it now. 1400 * If the message does not get sent due to non-blocking IO, 1401 * we will not worry too much. */ 1402 if (s->s3->send_alert[0] == SSL3_AL_FATAL) 1403 (void)BIO_flush(s->wbio); 1404 1405 if (s->msg_callback) 1406 s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg); 1407 1408 if (s->info_callback != NULL) 1409 cb=s->info_callback; 1410 else if (s->ctx->info_callback != NULL) 1411 cb=s->ctx->info_callback; 1412 1413 if (cb != NULL) 1414 { 1415 j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; 1416 cb(s,SSL_CB_WRITE_ALERT,j); 1417 } 1418 } 1419 return(i); 1420 } 1421