1/* ssl/s3_pkt.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#include <stdio.h> 113#include <errno.h> 114#define USE_SOCKETS 115#include "ssl_locl.h" 116#include <openssl/evp.h> 117#include <openssl/buffer.h> 118 119static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, 120 unsigned int len, int create_empty_fragment); 121static int ssl3_get_record(SSL *s); 122 123int ssl3_read_n(SSL *s, int n, int max, int extend) 124 { 125 /* If extend == 0, obtain new n-byte packet; if extend == 1, increase 126 * packet by another n bytes. 127 * The packet will be in the sub-array of s->s3->rbuf.buf specified 128 * by s->packet and s->packet_length. 129 * (If s->read_ahead is set, 'max' bytes may be stored in rbuf 130 * [plus s->packet_length bytes if extend == 1].) 131 */ 132 int i,off,newb; 133 134 if (!extend) 135 { 136 /* start with empty packet ... */ 137 if (s->s3->rbuf.left == 0) 138 s->s3->rbuf.offset = 0; 139 s->packet = s->s3->rbuf.buf + s->s3->rbuf.offset; 140 s->packet_length = 0; 141 /* ... now we can act as if 'extend' was set */ 142 } 143 144 /* For DTLS/UDP reads should not span multiple packets 145 * because the read operation returns the whole packet 146 * at once (as long as it fits into the buffer). */ 147 if (SSL_version(s) == DTLS1_VERSION) 148 { 149 if ( s->s3->rbuf.left > 0 && n > s->s3->rbuf.left) 150 n = s->s3->rbuf.left; 151 } 152 153 /* if there is enough in the buffer from a previous read, take some */ 154 if (s->s3->rbuf.left >= (int)n) 155 { 156 s->packet_length+=n; 157 s->s3->rbuf.left-=n; 158 s->s3->rbuf.offset+=n; 159 return(n); 160 } 161 162 /* else we need to read more data */ 163 if (!s->read_ahead) 164 max=n; 165 166 { 167 /* avoid buffer overflow */ 168 int max_max = s->s3->rbuf.len - s->packet_length; 169 if (max > max_max) 170 max = max_max; 171 } 172 if (n > max) /* does not happen */ 173 { 174 SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR); 175 return -1; 176 } 177 178 off = s->packet_length; 179 newb = s->s3->rbuf.left; 180 /* Move any available bytes to front of buffer: 181 * 'off' bytes already pointed to by 'packet', 182 * 'newb' extra ones at the end */ 183 if (s->packet != s->s3->rbuf.buf) 184 { 185 /* off > 0 */ 186 memmove(s->s3->rbuf.buf, s->packet, off+newb); 187 s->packet = s->s3->rbuf.buf; 188 } 189 190 while (newb < n) 191 { 192 /* Now we have off+newb bytes at the front of s->s3->rbuf.buf and need 193 * to read in more until we have off+n (up to off+max if possible) */ 194 195 clear_sys_error(); 196 if (s->rbio != NULL) 197 { 198 s->rwstate=SSL_READING; 199 i=BIO_read(s->rbio, &(s->s3->rbuf.buf[off+newb]), max-newb); 200 } 201 else 202 { 203 SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET); 204 i = -1; 205 } 206 207 if (i <= 0) 208 { 209 s->s3->rbuf.left = newb; 210 return(i); 211 } 212 newb+=i; 213 /* reads should *never* span multiple packets for DTLS because 214 * the underlying transport protocol is message oriented as opposed 215 * to byte oriented as in the TLS case. */ 216 if (SSL_version(s) == DTLS1_VERSION) 217 { 218 if (n > newb) 219 n = newb; /* makes the while condition false */ 220 } 221 } 222 223 /* done reading, now the book-keeping */ 224 s->s3->rbuf.offset = off + n; 225 s->s3->rbuf.left = newb - n; 226 s->packet_length += n; 227 s->rwstate=SSL_NOTHING; 228 return(n); 229 } 230 231/* Call this to get a new input record. 232 * It will return <= 0 if more data is needed, normally due to an error 233 * or non-blocking IO. 234 * When it finishes, one packet has been decoded and can be found in 235 * ssl->s3->rrec.type - is the type of record 236 * ssl->s3->rrec.data, - data 237 * ssl->s3->rrec.length, - number of bytes 238 */ 239/* used only by ssl3_read_bytes */ 240static int ssl3_get_record(SSL *s) 241 { 242 int ssl_major,ssl_minor,al; 243 int enc_err,n,i,ret= -1; 244 SSL3_RECORD *rr; 245 SSL_SESSION *sess; 246 unsigned char *p; 247 unsigned char md[EVP_MAX_MD_SIZE]; 248 short version; 249 unsigned mac_size, orig_len; 250 size_t extra; 251 252 rr= &(s->s3->rrec); 253 sess=s->session; 254 255 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) 256 extra=SSL3_RT_MAX_EXTRA; 257 else 258 extra=0; 259 if (extra != s->s3->rbuf.len - SSL3_RT_MAX_PACKET_SIZE) 260 { 261 /* actually likely an application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER 262 * set after ssl3_setup_buffers() was done */ 263 SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); 264 return -1; 265 } 266 267again: 268 /* check if we have the header */ 269 if ( (s->rstate != SSL_ST_READ_BODY) || 270 (s->packet_length < SSL3_RT_HEADER_LENGTH)) 271 { 272 n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); 273 if (n <= 0) return(n); /* error or non-blocking */ 274 s->rstate=SSL_ST_READ_BODY; 275 276 p=s->packet; 277 278 /* Pull apart the header into the SSL3_RECORD */ 279 rr->type= *(p++); 280 ssl_major= *(p++); 281 ssl_minor= *(p++); 282 version=(ssl_major<<8)|ssl_minor; 283 n2s(p,rr->length); 284 285 /* Lets check version */ 286 if (!s->first_packet) 287 { 288 if (version != s->version) 289 { 290 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 291 if ((s->version & 0xFF00) == (version & 0xFF00)) 292 /* Send back error using their minor version number :-) */ 293 s->version = (unsigned short)version; 294 al=SSL_AD_PROTOCOL_VERSION; 295 goto f_err; 296 } 297 } 298 299 if ((version>>8) != SSL3_VERSION_MAJOR) 300 { 301 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 302 goto err; 303 } 304 305 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra) 306 { 307 al=SSL_AD_RECORD_OVERFLOW; 308 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); 309 goto f_err; 310 } 311 312 /* now s->rstate == SSL_ST_READ_BODY */ 313 } 314 315 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ 316 317 if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH) 318 { 319 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */ 320 i=rr->length; 321 n=ssl3_read_n(s,i,i,1); 322 if (n <= 0) return(n); /* error or non-blocking io */ 323 /* now n == rr->length, 324 * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */ 325 } 326 327 s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */ 328 329 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 330 * and we have that many bytes in s->packet 331 */ 332 rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]); 333 334 /* ok, we can now read from 's->packet' data into 'rr' 335 * rr->input points at rr->length bytes, which 336 * need to be copied into rr->data by either 337 * the decryption or by the decompression 338 * When the data is 'copied' into the rr->data buffer, 339 * rr->input will be pointed at the new buffer */ 340 341 /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] 342 * rr->length bytes of encrypted compressed stuff. */ 343 344 /* check is not needed I believe */ 345 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra) 346 { 347 al=SSL_AD_RECORD_OVERFLOW; 348 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 349 goto f_err; 350 } 351 352 /* decrypt in place in 'rr->input' */ 353 rr->data=rr->input; 354 355 enc_err = s->method->ssl3_enc->enc(s,0); 356 /* enc_err is: 357 * 0: (in non-constant time) if the record is publically invalid. 358 * 1: if the padding is valid 359 * -1: if the padding is invalid */ 360 if (enc_err == 0) 361 { 362 al=SSL_AD_DECRYPTION_FAILED; 363 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); 364 goto f_err; 365 } 366 367#ifdef TLS_DEBUG 368printf("dec %d\n",rr->length); 369{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } 370printf("\n"); 371#endif 372 373 /* r->length is now the compressed data plus mac */ 374 if ((sess != NULL) && 375 (s->enc_read_ctx != NULL) && 376 (s->read_hash != NULL)) 377 { 378 /* s->read_hash != NULL => mac_size != -1 */ 379 unsigned char *mac = NULL; 380 unsigned char mac_tmp[EVP_MAX_MD_SIZE]; 381 mac_size=EVP_MD_size(s->read_hash); 382 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); 383 384 /* kludge: *_cbc_remove_padding passes padding length in rr->type */ 385 orig_len = rr->length+((unsigned int)rr->type>>8); 386 387 /* orig_len is the length of the record before any padding was 388 * removed. This is public information, as is the MAC in use, 389 * therefore we can safely process the record in a different 390 * amount of time if it's too short to possibly contain a MAC. 391 */ 392 if (orig_len < mac_size || 393 /* CBC records must have a padding length byte too. */ 394 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && 395 orig_len < mac_size+1)) 396 { 397 al=SSL_AD_DECODE_ERROR; 398 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); 399 goto f_err; 400 } 401 402 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) 403 { 404 /* We update the length so that the TLS header bytes 405 * can be constructed correctly but we need to extract 406 * the MAC in constant time from within the record, 407 * without leaking the contents of the padding bytes. 408 * */ 409 mac = mac_tmp; 410 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); 411 rr->length -= mac_size; 412 } 413 else 414 { 415 /* In this case there's no padding, so |orig_len| 416 * equals |rec->length| and we checked that there's 417 * enough bytes for |mac_size| above. */ 418 rr->length -= mac_size; 419 mac = &rr->data[rr->length]; 420 } 421 422 i=s->method->ssl3_enc->mac(s,md,0 /* not send */); 423 if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) 424 enc_err = -1; 425 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) 426 enc_err = -1; 427 } 428 429 if (enc_err < 0) 430 { 431 /* A separate 'decryption_failed' alert was introduced with TLS 1.0, 432 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption 433 * failure is directly visible from the ciphertext anyway, 434 * we should not reveal which kind of error occured -- this 435 * might become visible to an attacker (e.g. via a logfile) */ 436 al=SSL_AD_BAD_RECORD_MAC; 437 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 438 goto f_err; 439 } 440 441 /* r->length is now just compressed */ 442 if (s->expand != NULL) 443 { 444 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) 445 { 446 al=SSL_AD_RECORD_OVERFLOW; 447 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); 448 goto f_err; 449 } 450 if (!ssl3_do_uncompress(s)) 451 { 452 al=SSL_AD_DECOMPRESSION_FAILURE; 453 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION); 454 goto f_err; 455 } 456 } 457 458 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) 459 { 460 al=SSL_AD_RECORD_OVERFLOW; 461 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); 462 goto f_err; 463 } 464 465 rr->off=0; 466 /* So at this point the following is true 467 * ssl->s3->rrec.type is the type of record 468 * ssl->s3->rrec.length == number of bytes in record 469 * ssl->s3->rrec.off == offset to first valid byte 470 * ssl->s3->rrec.data == where to take bytes from, increment 471 * after use :-). 472 */ 473 474 /* we have pulled in a full packet so zero things */ 475 s->packet_length=0; 476 477 /* just read a 0 length packet */ 478 if (rr->length == 0) goto again; 479 480 return(1); 481 482f_err: 483 ssl3_send_alert(s,SSL3_AL_FATAL,al); 484err: 485 return(ret); 486 } 487 488int ssl3_do_uncompress(SSL *ssl) 489 { 490#ifndef OPENSSL_NO_COMP 491 int i; 492 SSL3_RECORD *rr; 493 494 rr= &(ssl->s3->rrec); 495 i=COMP_expand_block(ssl->expand,rr->comp, 496 SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length); 497 if (i < 0) 498 return(0); 499 else 500 rr->length=i; 501 rr->data=rr->comp; 502#endif 503 return(1); 504 } 505 506int ssl3_do_compress(SSL *ssl) 507 { 508#ifndef OPENSSL_NO_COMP 509 int i; 510 SSL3_RECORD *wr; 511 512 wr= &(ssl->s3->wrec); 513 i=COMP_compress_block(ssl->compress,wr->data, 514 SSL3_RT_MAX_COMPRESSED_LENGTH, 515 wr->input,(int)wr->length); 516 if (i < 0) 517 return(0); 518 else 519 wr->length=i; 520 521 wr->input=wr->data; 522#endif 523 return(1); 524 } 525 526/* Call this to write data in records of type 'type' 527 * It will return <= 0 if not all data has been sent or non-blocking IO. 528 */ 529int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) 530 { 531 const unsigned char *buf=buf_; 532 unsigned int n,nw; 533 int i,tot; 534 535 s->rwstate=SSL_NOTHING; 536 OPENSSL_assert(s->s3->wnum < INT_MAX); 537 tot=s->s3->wnum; 538 s->s3->wnum=0; 539 540 if (SSL_in_init(s) && !s->in_handshake) 541 { 542 i=s->handshake_func(s); 543 if (i < 0) return(i); 544 if (i == 0) 545 { 546 SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 547 return -1; 548 } 549 } 550 551 /* ensure that if we end up with a smaller value of data to write 552 * out than the the original len from a write which didn't complete 553 * for non-blocking I/O and also somehow ended up avoiding 554 * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as 555 * it must never be possible to end up with (len-tot) as a large 556 * number that will then promptly send beyond the end of the users 557 * buffer ... so we trap and report the error in a way the user 558 * will notice 559 */ 560 if (len < tot) 561 { 562 SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH); 563 return(-1); 564 } 565 566 567 n=(len-tot); 568 for (;;) 569 { 570 if (n > SSL3_RT_MAX_PLAIN_LENGTH) 571 nw=SSL3_RT_MAX_PLAIN_LENGTH; 572 else 573 nw=n; 574 575 i=do_ssl3_write(s, type, &(buf[tot]), nw, 0); 576 if (i <= 0) 577 { 578 s->s3->wnum=tot; 579 return i; 580 } 581 582 if ((i == (int)n) || 583 (type == SSL3_RT_APPLICATION_DATA && 584 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) 585 { 586 /* next chunk of data should get another prepended empty fragment 587 * in ciphersuites with known-IV weakness: */ 588 s->s3->empty_fragment_done = 0; 589 590 return tot+i; 591 } 592 593 n-=i; 594 tot+=i; 595 } 596 } 597 598static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, 599 unsigned int len, int create_empty_fragment) 600 { 601 unsigned char *p,*plen; 602 int i,mac_size,clear=0; 603 int prefix_len = 0; 604 SSL3_RECORD *wr; 605 SSL3_BUFFER *wb; 606 SSL_SESSION *sess; 607 608 /* first check if there is a SSL3_BUFFER still being written 609 * out. This will happen with non blocking IO */ 610 if (s->s3->wbuf.left != 0) 611 return(ssl3_write_pending(s,type,buf,len)); 612 613 /* If we have an alert to send, lets send it */ 614 if (s->s3->alert_dispatch) 615 { 616 i=s->method->ssl_dispatch_alert(s); 617 if (i <= 0) 618 return(i); 619 /* if it went, fall through and send more stuff */ 620 } 621 622 if (len == 0 && !create_empty_fragment) 623 return 0; 624 625 wr= &(s->s3->wrec); 626 wb= &(s->s3->wbuf); 627 sess=s->session; 628 629 if ( (sess == NULL) || 630 (s->enc_write_ctx == NULL) || 631 (s->write_hash == NULL)) 632 clear=1; 633 634 if (clear) 635 mac_size=0; 636 else 637 mac_size=EVP_MD_size(s->write_hash); 638 639 /* 'create_empty_fragment' is true only when this function calls itself */ 640 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done) 641 { 642 /* countermeasure against known-IV weakness in CBC ciphersuites 643 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ 644 645 if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) 646 { 647 /* recursive function call with 'create_empty_fragment' set; 648 * this prepares and buffers the data for an empty fragment 649 * (these 'prefix_len' bytes are sent out later 650 * together with the actual payload) */ 651 prefix_len = do_ssl3_write(s, type, buf, 0, 1); 652 if (prefix_len <= 0) 653 goto err; 654 655 if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) 656 { 657 /* insufficient space */ 658 SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); 659 goto err; 660 } 661 } 662 663 s->s3->empty_fragment_done = 1; 664 } 665 666 p = wb->buf + prefix_len; 667 668 /* write the header */ 669 670 *(p++)=type&0xff; 671 wr->type=type; 672 673 *(p++)=(s->version>>8); 674 *(p++)=s->version&0xff; 675 676 /* field where we are to write out packet length */ 677 plen=p; 678 p+=2; 679 680 /* lets setup the record stuff. */ 681 wr->data=p; 682 wr->length=(int)len; 683 wr->input=(unsigned char *)buf; 684 685 /* we now 'read' from wr->input, wr->length bytes into 686 * wr->data */ 687 688 /* first we compress */ 689 if (s->compress != NULL) 690 { 691 if (!ssl3_do_compress(s)) 692 { 693 SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE); 694 goto err; 695 } 696 } 697 else 698 { 699 memcpy(wr->data,wr->input,wr->length); 700 wr->input=wr->data; 701 } 702 703 /* we should still have the output to wr->data and the input 704 * from wr->input. Length should be wr->length. 705 * wr->data still points in the wb->buf */ 706 707 if (mac_size != 0) 708 { 709 s->method->ssl3_enc->mac(s,&(p[wr->length]),1); 710 wr->length+=mac_size; 711 wr->input=p; 712 wr->data=p; 713 } 714 715 /* ssl3_enc can only have an error on read */ 716 s->method->ssl3_enc->enc(s,1); 717 718 /* record length after mac and block padding */ 719 s2n(wr->length,plen); 720 721 /* we should now have 722 * wr->data pointing to the encrypted data, which is 723 * wr->length long */ 724 wr->type=type; /* not needed but helps for debugging */ 725 wr->length+=SSL3_RT_HEADER_LENGTH; 726 727 if (create_empty_fragment) 728 { 729 /* we are in a recursive call; 730 * just return the length, don't write out anything here 731 */ 732 return wr->length; 733 } 734 735 /* now let's set up wb */ 736 wb->left = prefix_len + wr->length; 737 wb->offset = 0; 738 739 /* memorize arguments so that ssl3_write_pending can detect bad write retries later */ 740 s->s3->wpend_tot=len; 741 s->s3->wpend_buf=buf; 742 s->s3->wpend_type=type; 743 s->s3->wpend_ret=len; 744 745 /* we now just need to write the buffer */ 746 return ssl3_write_pending(s,type,buf,len); 747err: 748 return -1; 749 } 750 751/* if s->s3->wbuf.left != 0, we need to call this */ 752int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, 753 unsigned int len) 754 { 755 int i; 756 757/* XXXX */ 758 if ((s->s3->wpend_tot > (int)len) 759 || ((s->s3->wpend_buf != buf) && 760 !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) 761 || (s->s3->wpend_type != type)) 762 { 763 SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY); 764 return(-1); 765 } 766 767 for (;;) 768 { 769 clear_sys_error(); 770 if (s->wbio != NULL) 771 { 772 s->rwstate=SSL_WRITING; 773 i=BIO_write(s->wbio, 774 (char *)&(s->s3->wbuf.buf[s->s3->wbuf.offset]), 775 (unsigned int)s->s3->wbuf.left); 776 } 777 else 778 { 779 SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET); 780 i= -1; 781 } 782 if (i == s->s3->wbuf.left) 783 { 784 s->s3->wbuf.left=0; 785 s->rwstate=SSL_NOTHING; 786 return(s->s3->wpend_ret); 787 } 788 else if (i <= 0) { 789 if (s->version == DTLS1_VERSION || 790 s->version == DTLS1_BAD_VER) { 791 /* For DTLS, just drop it. That's kind of the whole 792 point in using a datagram service */ 793 s->s3->wbuf.left = 0; 794 } 795 return(i); 796 } 797 s->s3->wbuf.offset+=i; 798 s->s3->wbuf.left-=i; 799 } 800 } 801 802/* Return up to 'len' payload bytes received in 'type' records. 803 * 'type' is one of the following: 804 * 805 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) 806 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) 807 * - 0 (during a shutdown, no data has to be returned) 808 * 809 * If we don't have stored data to work from, read a SSL/TLS record first 810 * (possibly multiple records if we still don't have anything to return). 811 * 812 * This function must handle any surprises the peer may have for us, such as 813 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really 814 * a surprise, but handled as if it were), or renegotiation requests. 815 * Also if record payloads contain fragments too small to process, we store 816 * them until there is enough for the respective protocol (the record protocol 817 * may use arbitrary fragmentation and even interleaving): 818 * Change cipher spec protocol 819 * just 1 byte needed, no need for keeping anything stored 820 * Alert protocol 821 * 2 bytes needed (AlertLevel, AlertDescription) 822 * Handshake protocol 823 * 4 bytes needed (HandshakeType, uint24 length) -- we just have 824 * to detect unexpected Client Hello and Hello Request messages 825 * here, anything else is handled by higher layers 826 * Application data protocol 827 * none of our business 828 */ 829int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) 830 { 831 int al,i,j,ret; 832 unsigned int n; 833 SSL3_RECORD *rr; 834 void (*cb)(const SSL *ssl,int type2,int val)=NULL; 835 836 if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ 837 if (!ssl3_setup_buffers(s)) 838 return(-1); 839 840 if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) || 841 (peek && (type != SSL3_RT_APPLICATION_DATA))) 842 { 843 SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); 844 return -1; 845 } 846 847 if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0)) 848 /* (partially) satisfy request from storage */ 849 { 850 unsigned char *src = s->s3->handshake_fragment; 851 unsigned char *dst = buf; 852 unsigned int k; 853 854 /* peek == 0 */ 855 n = 0; 856 while ((len > 0) && (s->s3->handshake_fragment_len > 0)) 857 { 858 *dst++ = *src++; 859 len--; s->s3->handshake_fragment_len--; 860 n++; 861 } 862 /* move any remaining fragment bytes: */ 863 for (k = 0; k < s->s3->handshake_fragment_len; k++) 864 s->s3->handshake_fragment[k] = *src++; 865 return n; 866 } 867 868 /* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ 869 870 if (!s->in_handshake && SSL_in_init(s)) 871 { 872 /* type == SSL3_RT_APPLICATION_DATA */ 873 i=s->handshake_func(s); 874 if (i < 0) return(i); 875 if (i == 0) 876 { 877 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 878 return(-1); 879 } 880 } 881start: 882 s->rwstate=SSL_NOTHING; 883 884 /* s->s3->rrec.type - is the type of record 885 * s->s3->rrec.data, - data 886 * s->s3->rrec.off, - offset into 'data' for next read 887 * s->s3->rrec.length, - number of bytes. */ 888 rr = &(s->s3->rrec); 889 890 /* get new packet if necessary */ 891 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) 892 { 893 ret=ssl3_get_record(s); 894 if (ret <= 0) return(ret); 895 } 896 897 /* we now have a packet which can be read and processed */ 898 899 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, 900 * reset by ssl3_get_finished */ 901 && (rr->type != SSL3_RT_HANDSHAKE)) 902 { 903 al=SSL_AD_UNEXPECTED_MESSAGE; 904 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); 905 goto f_err; 906 } 907 908 /* If the other end has shut down, throw anything we read away 909 * (even in 'peek' mode) */ 910 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 911 { 912 rr->length=0; 913 s->rwstate=SSL_NOTHING; 914 return(0); 915 } 916 917 918 if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ 919 { 920 /* make sure that we are not getting application data when we 921 * are doing a handshake for the first time */ 922 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && 923 (s->enc_read_ctx == NULL)) 924 { 925 al=SSL_AD_UNEXPECTED_MESSAGE; 926 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE); 927 goto f_err; 928 } 929 930 if (len <= 0) return(len); 931 932 if ((unsigned int)len > rr->length) 933 n = rr->length; 934 else 935 n = (unsigned int)len; 936 937 memcpy(buf,&(rr->data[rr->off]),n); 938 if (!peek) 939 { 940 rr->length-=n; 941 rr->off+=n; 942 if (rr->length == 0) 943 { 944 s->rstate=SSL_ST_READ_HEADER; 945 rr->off=0; 946 } 947 } 948 return(n); 949 } 950 951 952 /* If we get here, then type != rr->type; if we have a handshake 953 * message, then it was unexpected (Hello Request or Client Hello). */ 954 955 /* In case of record types for which we have 'fragment' storage, 956 * fill that so that we can process the data at a fixed place. 957 */ 958 { 959 unsigned int dest_maxlen = 0; 960 unsigned char *dest = NULL; 961 unsigned int *dest_len = NULL; 962 963 if (rr->type == SSL3_RT_HANDSHAKE) 964 { 965 dest_maxlen = sizeof s->s3->handshake_fragment; 966 dest = s->s3->handshake_fragment; 967 dest_len = &s->s3->handshake_fragment_len; 968 } 969 else if (rr->type == SSL3_RT_ALERT) 970 { 971 dest_maxlen = sizeof s->s3->alert_fragment; 972 dest = s->s3->alert_fragment; 973 dest_len = &s->s3->alert_fragment_len; 974 } 975 976 if (dest_maxlen > 0) 977 { 978 n = dest_maxlen - *dest_len; /* available space in 'dest' */ 979 if (rr->length < n) 980 n = rr->length; /* available bytes */ 981 982 /* now move 'n' bytes: */ 983 while (n-- > 0) 984 { 985 dest[(*dest_len)++] = rr->data[rr->off++]; 986 rr->length--; 987 } 988 989 if (*dest_len < dest_maxlen) 990 goto start; /* fragment was too small */ 991 } 992 } 993 994 /* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE; 995 * s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT. 996 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ 997 998 /* If we are a client, check for an incoming 'Hello Request': */ 999 if ((!s->server) && 1000 (s->s3->handshake_fragment_len >= 4) && 1001 (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && 1002 (s->session != NULL) && (s->session->cipher != NULL)) 1003 { 1004 s->s3->handshake_fragment_len = 0; 1005 1006 if ((s->s3->handshake_fragment[1] != 0) || 1007 (s->s3->handshake_fragment[2] != 0) || 1008 (s->s3->handshake_fragment[3] != 0)) 1009 { 1010 al=SSL_AD_DECODE_ERROR; 1011 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST); 1012 goto f_err; 1013 } 1014 1015 if (s->msg_callback) 1016 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg); 1017 1018 if (SSL_is_init_finished(s) && 1019 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 1020 !s->s3->renegotiate) 1021 { 1022 ssl3_renegotiate(s); 1023 if (ssl3_renegotiate_check(s)) 1024 { 1025 i=s->handshake_func(s); 1026 if (i < 0) return(i); 1027 if (i == 0) 1028 { 1029 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 1030 return(-1); 1031 } 1032 1033 if (!(s->mode & SSL_MODE_AUTO_RETRY)) 1034 { 1035 if (s->s3->rbuf.left == 0) /* no read-ahead left? */ 1036 { 1037 BIO *bio; 1038 /* In the case where we try to read application data, 1039 * but we trigger an SSL handshake, we return -1 with 1040 * the retry option set. Otherwise renegotiation may 1041 * cause nasty problems in the blocking world */ 1042 s->rwstate=SSL_READING; 1043 bio=SSL_get_rbio(s); 1044 BIO_clear_retry_flags(bio); 1045 BIO_set_retry_read(bio); 1046 return(-1); 1047 } 1048 } 1049 } 1050 } 1051 /* we either finished a handshake or ignored the request, 1052 * now try again to obtain the (application) data we were asked for */ 1053 goto start; 1054 } 1055 /* If we are a server and get a client hello when renegotiation isn't 1056 * allowed send back a no renegotiation alert and carry on. 1057 * WARNING: experimental code, needs reviewing (steve) 1058 */ 1059 if (s->server && 1060 SSL_is_init_finished(s) && 1061 !s->s3->send_connection_binding && 1062 (s->version > SSL3_VERSION) && 1063 (s->s3->handshake_fragment_len >= 4) && 1064 (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && 1065 (s->session != NULL) && (s->session->cipher != NULL) && 1066 !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1067 1068 { 1069 /*s->s3->handshake_fragment_len = 0;*/ 1070 rr->length = 0; 1071 ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); 1072 goto start; 1073 } 1074 if (s->s3->alert_fragment_len >= 2) 1075 { 1076 int alert_level = s->s3->alert_fragment[0]; 1077 int alert_descr = s->s3->alert_fragment[1]; 1078 1079 s->s3->alert_fragment_len = 0; 1080 1081 if (s->msg_callback) 1082 s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg); 1083 1084 if (s->info_callback != NULL) 1085 cb=s->info_callback; 1086 else if (s->ctx->info_callback != NULL) 1087 cb=s->ctx->info_callback; 1088 1089 if (cb != NULL) 1090 { 1091 j = (alert_level << 8) | alert_descr; 1092 cb(s, SSL_CB_READ_ALERT, j); 1093 } 1094 1095 if (alert_level == 1) /* warning */ 1096 { 1097 s->s3->warn_alert = alert_descr; 1098 if (alert_descr == SSL_AD_CLOSE_NOTIFY) 1099 { 1100 s->shutdown |= SSL_RECEIVED_SHUTDOWN; 1101 return(0); 1102 } 1103 /* This is a warning but we receive it if we requested 1104 * renegotiation and the peer denied it. Terminate with 1105 * a fatal alert because if application tried to 1106 * renegotiatie it presumably had a good reason and 1107 * expects it to succeed. 1108 * 1109 * In future we might have a renegotiation where we 1110 * don't care if the peer refused it where we carry on. 1111 */ 1112 else if (alert_descr == SSL_AD_NO_RENEGOTIATION) 1113 { 1114 al = SSL_AD_HANDSHAKE_FAILURE; 1115 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION); 1116 goto f_err; 1117 } 1118 } 1119 else if (alert_level == 2) /* fatal */ 1120 { 1121 char tmp[16]; 1122 1123 s->rwstate=SSL_NOTHING; 1124 s->s3->fatal_alert = alert_descr; 1125 SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); 1126 BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr); 1127 ERR_add_error_data(2,"SSL alert number ",tmp); 1128 s->shutdown|=SSL_RECEIVED_SHUTDOWN; 1129 SSL_CTX_remove_session(s->ctx,s->session); 1130 return(0); 1131 } 1132 else 1133 { 1134 al=SSL_AD_ILLEGAL_PARAMETER; 1135 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE); 1136 goto f_err; 1137 } 1138 1139 goto start; 1140 } 1141 1142 if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */ 1143 { 1144 s->rwstate=SSL_NOTHING; 1145 rr->length=0; 1146 return(0); 1147 } 1148 1149 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) 1150 { 1151 /* 'Change Cipher Spec' is just a single byte, so we know 1152 * exactly what the record payload has to look like */ 1153 if ( (rr->length != 1) || (rr->off != 0) || 1154 (rr->data[0] != SSL3_MT_CCS)) 1155 { 1156 al=SSL_AD_ILLEGAL_PARAMETER; 1157 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); 1158 goto f_err; 1159 } 1160 1161 /* Check we have a cipher to change to */ 1162 if (s->s3->tmp.new_cipher == NULL) 1163 { 1164 al=SSL_AD_UNEXPECTED_MESSAGE; 1165 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); 1166 goto f_err; 1167 } 1168 1169 if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) 1170 { 1171 al=SSL_AD_UNEXPECTED_MESSAGE; 1172 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); 1173 goto f_err; 1174 } 1175 1176 s->s3->flags &= ~SSL3_FLAGS_CCS_OK; 1177 1178 rr->length=0; 1179 1180 if (s->msg_callback) 1181 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg); 1182 1183 s->s3->change_cipher_spec=1; 1184 if (!ssl3_do_change_cipher_spec(s)) 1185 goto err; 1186 else 1187 goto start; 1188 } 1189 1190 /* Unexpected handshake message (Client Hello, or protocol violation) */ 1191 if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) 1192 { 1193 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && 1194 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) 1195 { 1196#if 0 /* worked only because C operator preferences are not as expected (and 1197 * because this is not really needed for clients except for detecting 1198 * protocol violations): */ 1199 s->state=SSL_ST_BEFORE|(s->server) 1200 ?SSL_ST_ACCEPT 1201 :SSL_ST_CONNECT; 1202#else 1203 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1204#endif 1205 s->new_session=1; 1206 } 1207 i=s->handshake_func(s); 1208 if (i < 0) return(i); 1209 if (i == 0) 1210 { 1211 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 1212 return(-1); 1213 } 1214 1215 if (!(s->mode & SSL_MODE_AUTO_RETRY)) 1216 { 1217 if (s->s3->rbuf.left == 0) /* no read-ahead left? */ 1218 { 1219 BIO *bio; 1220 /* In the case where we try to read application data, 1221 * but we trigger an SSL handshake, we return -1 with 1222 * the retry option set. Otherwise renegotiation may 1223 * cause nasty problems in the blocking world */ 1224 s->rwstate=SSL_READING; 1225 bio=SSL_get_rbio(s); 1226 BIO_clear_retry_flags(bio); 1227 BIO_set_retry_read(bio); 1228 return(-1); 1229 } 1230 } 1231 goto start; 1232 } 1233 1234 switch (rr->type) 1235 { 1236 default: 1237#ifndef OPENSSL_NO_TLS 1238 /* TLS just ignores unknown message types */ 1239 if (s->version == TLS1_VERSION) 1240 { 1241 rr->length = 0; 1242 goto start; 1243 } 1244#endif 1245 al=SSL_AD_UNEXPECTED_MESSAGE; 1246 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD); 1247 goto f_err; 1248 case SSL3_RT_CHANGE_CIPHER_SPEC: 1249 case SSL3_RT_ALERT: 1250 case SSL3_RT_HANDSHAKE: 1251 /* we already handled all of these, with the possible exception 1252 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that 1253 * should not happen when type != rr->type */ 1254 al=SSL_AD_UNEXPECTED_MESSAGE; 1255 SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR); 1256 goto f_err; 1257 case SSL3_RT_APPLICATION_DATA: 1258 /* At this point, we were expecting handshake data, 1259 * but have application data. If the library was 1260 * running inside ssl3_read() (i.e. in_read_app_data 1261 * is set) and it makes sense to read application data 1262 * at this point (session renegotiation not yet started), 1263 * we will indulge it. 1264 */ 1265 if (s->s3->in_read_app_data && 1266 (s->s3->total_renegotiations != 0) && 1267 (( 1268 (s->state & SSL_ST_CONNECT) && 1269 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && 1270 (s->state <= SSL3_ST_CR_SRVR_HELLO_A) 1271 ) || ( 1272 (s->state & SSL_ST_ACCEPT) && 1273 (s->state <= SSL3_ST_SW_HELLO_REQ_A) && 1274 (s->state >= SSL3_ST_SR_CLNT_HELLO_A) 1275 ) 1276 )) 1277 { 1278 s->s3->in_read_app_data=2; 1279 return(-1); 1280 } 1281 else 1282 { 1283 al=SSL_AD_UNEXPECTED_MESSAGE; 1284 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD); 1285 goto f_err; 1286 } 1287 } 1288 /* not reached */ 1289 1290f_err: 1291 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1292err: 1293 return(-1); 1294 } 1295 1296int ssl3_do_change_cipher_spec(SSL *s) 1297 { 1298 int i; 1299 const char *sender; 1300 int slen; 1301 1302 if (s->state & SSL_ST_ACCEPT) 1303 i=SSL3_CHANGE_CIPHER_SERVER_READ; 1304 else 1305 i=SSL3_CHANGE_CIPHER_CLIENT_READ; 1306 1307 if (s->s3->tmp.key_block == NULL) 1308 { 1309 if (s->session == NULL || s->session->master_key_length == 0) 1310 { 1311 /* might happen if dtls1_read_bytes() calls this */ 1312 SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY); 1313 return (0); 1314 } 1315 1316 s->session->cipher=s->s3->tmp.new_cipher; 1317 if (!s->method->ssl3_enc->setup_key_block(s)) return(0); 1318 } 1319 1320 if (!s->method->ssl3_enc->change_cipher_state(s,i)) 1321 return(0); 1322 1323 /* we have to record the message digest at 1324 * this point so we can get it before we read 1325 * the finished message */ 1326 if (s->state & SSL_ST_CONNECT) 1327 { 1328 sender=s->method->ssl3_enc->server_finished_label; 1329 slen=s->method->ssl3_enc->server_finished_label_len; 1330 } 1331 else 1332 { 1333 sender=s->method->ssl3_enc->client_finished_label; 1334 slen=s->method->ssl3_enc->client_finished_label_len; 1335 } 1336 1337 s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 1338 &(s->s3->finish_dgst1), 1339 &(s->s3->finish_dgst2), 1340 sender,slen,s->s3->tmp.peer_finish_md); 1341 1342 return(1); 1343 } 1344 1345int ssl3_send_alert(SSL *s, int level, int desc) 1346 { 1347 /* Map tls/ssl alert value to correct one */ 1348 desc=s->method->ssl3_enc->alert_value(desc); 1349 if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION) 1350 desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */ 1351 if (desc < 0) return -1; 1352 /* If a fatal one, remove from cache */ 1353 if ((level == 2) && (s->session != NULL)) 1354 SSL_CTX_remove_session(s->ctx,s->session); 1355 1356 s->s3->alert_dispatch=1; 1357 s->s3->send_alert[0]=level; 1358 s->s3->send_alert[1]=desc; 1359 if (s->s3->wbuf.left == 0) /* data still being written out? */ 1360 return s->method->ssl_dispatch_alert(s); 1361 /* else data is still being written out, we will get written 1362 * some time in the future */ 1363 return -1; 1364 } 1365 1366int ssl3_dispatch_alert(SSL *s) 1367 { 1368 int i,j; 1369 void (*cb)(const SSL *ssl,int type,int val)=NULL; 1370 1371 s->s3->alert_dispatch=0; 1372 i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0); 1373 if (i <= 0) 1374 { 1375 s->s3->alert_dispatch=1; 1376 } 1377 else 1378 { 1379 /* Alert sent to BIO. If it is important, flush it now. 1380 * If the message does not get sent due to non-blocking IO, 1381 * we will not worry too much. */ 1382 if (s->s3->send_alert[0] == SSL3_AL_FATAL) 1383 (void)BIO_flush(s->wbio); 1384 1385 if (s->msg_callback) 1386 s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg); 1387 1388 if (s->info_callback != NULL) 1389 cb=s->info_callback; 1390 else if (s->ctx->info_callback != NULL) 1391 cb=s->ctx->info_callback; 1392 1393 if (cb != NULL) 1394 { 1395 j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; 1396 cb(s,SSL_CB_WRITE_ALERT,j); 1397 } 1398 } 1399 return(i); 1400 } 1401