Line data Source code
1 : /* ssl/s3_pkt.c */
2 : /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 : * All rights reserved.
4 : *
5 : * This package is an SSL implementation written
6 : * by Eric Young (eay@cryptsoft.com).
7 : * The implementation was written so as to conform with Netscapes SSL.
8 : *
9 : * This library is free for commercial and non-commercial use as long as
10 : * the following conditions are aheared to. The following conditions
11 : * apply to all code found in this distribution, be it the RC4, RSA,
12 : * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 : * included with this distribution is covered by the same copyright terms
14 : * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 : *
16 : * Copyright remains Eric Young's, and as such any Copyright notices in
17 : * the code are not to be removed.
18 : * If this package is used in a product, Eric Young should be given attribution
19 : * as the author of the parts of the library used.
20 : * This can be in the form of a textual message at program startup or
21 : * in documentation (online or textual) provided with the package.
22 : *
23 : * Redistribution and use in source and binary forms, with or without
24 : * modification, are permitted provided that the following conditions
25 : * are met:
26 : * 1. Redistributions of source code must retain the copyright
27 : * notice, this list of conditions and the following disclaimer.
28 : * 2. Redistributions in binary form must reproduce the above copyright
29 : * notice, this list of conditions and the following disclaimer in the
30 : * documentation and/or other materials provided with the distribution.
31 : * 3. All advertising materials mentioning features or use of this software
32 : * must display the following acknowledgement:
33 : * "This product includes cryptographic software written by
34 : * Eric Young (eay@cryptsoft.com)"
35 : * The word 'cryptographic' can be left out if the rouines from the library
36 : * being used are not cryptographic related :-).
37 : * 4. If you include any Windows specific code (or a derivative thereof) from
38 : * the apps directory (application code) you must include an acknowledgement:
39 : * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 : *
41 : * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 : * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 : * SUCH DAMAGE.
52 : *
53 : * The licence and distribution terms for any publically available version or
54 : * derivative of this code cannot be changed. i.e. this code cannot simply be
55 : * copied and put under another distribution licence
56 : * [including the GNU Public Licence.]
57 : */
58 : /* ====================================================================
59 : * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 : *
61 : * Redistribution and use in source and binary forms, with or without
62 : * modification, are permitted provided that the following conditions
63 : * are met:
64 : *
65 : * 1. Redistributions of source code must retain the above copyright
66 : * notice, this list of conditions and the following disclaimer.
67 : *
68 : * 2. Redistributions in binary form must reproduce the above copyright
69 : * notice, this list of conditions and the following disclaimer in
70 : * the documentation and/or other materials provided with the
71 : * distribution.
72 : *
73 : * 3. All advertising materials mentioning features or use of this
74 : * software must display the following acknowledgment:
75 : * "This product includes software developed by the OpenSSL Project
76 : * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 : *
78 : * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 : * endorse or promote products derived from this software without
80 : * prior written permission. For written permission, please contact
81 : * openssl-core@openssl.org.
82 : *
83 : * 5. Products derived from this software may not be called "OpenSSL"
84 : * nor may "OpenSSL" appear in their names without prior written
85 : * permission of the OpenSSL Project.
86 : *
87 : * 6. Redistributions of any form whatsoever must retain the following
88 : * acknowledgment:
89 : * "This product includes software developed by the OpenSSL Project
90 : * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 : *
92 : * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 : * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 : * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 : * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 : * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 : * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 : * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 : * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 : * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 : * OF THE POSSIBILITY OF SUCH DAMAGE.
104 : * ====================================================================
105 : *
106 : * This product includes cryptographic software written by Eric Young
107 : * (eay@cryptsoft.com). This product includes software written by Tim
108 : * Hudson (tjh@cryptsoft.com).
109 : *
110 : */
111 :
112 : #include <stdio.h>
113 : #include <limits.h>
114 : #include <errno.h>
115 : #define USE_SOCKETS
116 : #include "ssl_locl.h"
117 : #include <openssl/evp.h>
118 : #include <openssl/buffer.h>
119 : #include <openssl/rand.h>
120 :
121 : #ifndef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
122 : # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0
123 : #endif
124 :
125 : #if defined(OPENSSL_SMALL_FOOTPRINT) || \
126 : !( defined(AES_ASM) && ( \
127 : defined(__x86_64) || defined(__x86_64__) || \
128 : defined(_M_AMD64) || defined(_M_X64) || \
129 : defined(__INTEL__) ) \
130 : )
131 : # undef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
132 : # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0
133 : #endif
134 :
135 : static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
136 : unsigned int len, int create_empty_fragment);
137 : static int ssl3_get_record(SSL *s);
138 :
139 33717 : int ssl3_read_n(SSL *s, int n, int max, int extend)
140 : {
141 : /*
142 : * If extend == 0, obtain new n-byte packet; if extend == 1, increase
143 : * packet by another n bytes. The packet will be in the sub-array of
144 : * s->s3->rbuf.buf specified by s->packet and s->packet_length. (If
145 : * s->read_ahead is set, 'max' bytes may be stored in rbuf [plus
146 : * s->packet_length bytes if extend == 1].)
147 : */
148 : int i, len, left;
149 : long align = 0;
150 : unsigned char *pkt;
151 : SSL3_BUFFER *rb;
152 :
153 33717 : if (n <= 0)
154 : return n;
155 :
156 33717 : rb = &(s->s3->rbuf);
157 33717 : if (rb->buf == NULL)
158 0 : if (!ssl3_setup_read_buffer(s))
159 : return -1;
160 :
161 33717 : left = rb->left;
162 : #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
163 33717 : align = (long)rb->buf + SSL3_RT_HEADER_LENGTH;
164 33717 : align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
165 : #endif
166 :
167 33717 : if (!extend) {
168 : /* start with empty packet ... */
169 20206 : if (left == 0)
170 20206 : rb->offset = align;
171 0 : else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {
172 : /*
173 : * check if next packet length is large enough to justify payload
174 : * alignment...
175 : */
176 0 : pkt = rb->buf + rb->offset;
177 0 : if (pkt[0] == SSL3_RT_APPLICATION_DATA
178 0 : && (pkt[3] << 8 | pkt[4]) >= 128) {
179 : /*
180 : * Note that even if packet is corrupted and its length field
181 : * is insane, we can only be led to wrong decision about
182 : * whether memmove will occur or not. Header values has no
183 : * effect on memmove arguments and therefore no buffer
184 : * overrun can be triggered.
185 : */
186 0 : memmove(rb->buf + align, pkt, left);
187 0 : rb->offset = align;
188 : }
189 : }
190 20206 : s->packet = rb->buf + rb->offset;
191 20206 : s->packet_length = 0;
192 : /* ... now we can act as if 'extend' was set */
193 : }
194 :
195 : /*
196 : * For DTLS/UDP reads should not span multiple packets because the read
197 : * operation returns the whole packet at once (as long as it fits into
198 : * the buffer).
199 : */
200 33717 : if (SSL_IS_DTLS(s)) {
201 0 : if (left == 0 && extend)
202 : return 0;
203 0 : if (left > 0 && n > left)
204 : n = left;
205 : }
206 :
207 : /* if there is enough in the buffer from a previous read, take some */
208 33717 : if (left >= n) {
209 0 : s->packet_length += n;
210 0 : rb->left = left - n;
211 0 : rb->offset += n;
212 0 : return (n);
213 : }
214 :
215 : /* else we need to read more data */
216 :
217 33717 : len = s->packet_length;
218 33717 : pkt = rb->buf + align;
219 : /*
220 : * Move any available bytes to front of buffer: 'len' bytes already
221 : * pointed to by 'packet', 'left' extra ones at the end
222 : */
223 33717 : if (s->packet != pkt) { /* len > 0 */
224 0 : memmove(pkt, s->packet, len + left);
225 0 : s->packet = pkt;
226 0 : rb->offset = len + align;
227 : }
228 :
229 33717 : if (n > (int)(rb->len - rb->offset)) { /* does not happen */
230 0 : SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR);
231 0 : return -1;
232 : }
233 :
234 : /* We always act like read_ahead is set for DTLS */
235 33717 : if (!s->read_ahead && !SSL_IS_DTLS(s))
236 : /* ignore max parameter */
237 : max = n;
238 : else {
239 0 : if (max < n)
240 : max = n;
241 0 : if (max > (int)(rb->len - rb->offset))
242 : max = rb->len - rb->offset;
243 : }
244 :
245 53731 : while (left < n) {
246 : /*
247 : * Now we have len+left bytes at the front of s->s3->rbuf.buf and
248 : * need to read in more until we have len+n (up to len+max if
249 : * possible)
250 : */
251 :
252 35136 : clear_sys_error();
253 35136 : if (s->rbio != NULL) {
254 35136 : s->rwstate = SSL_READING;
255 35136 : i = BIO_read(s->rbio, pkt + len + left, max - left);
256 : } else {
257 0 : SSLerr(SSL_F_SSL3_READ_N, SSL_R_READ_BIO_NOT_SET);
258 : i = -1;
259 : }
260 :
261 35142 : if (i <= 0) {
262 15128 : rb->left = left;
263 15128 : if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s))
264 0 : if (len + left == 0)
265 0 : ssl3_release_read_buffer(s);
266 15128 : return (i);
267 : }
268 20014 : left += i;
269 : /*
270 : * reads should *never* span multiple packets for DTLS because the
271 : * underlying transport protocol is message oriented as opposed to
272 : * byte oriented as in the TLS case.
273 : */
274 20014 : if (SSL_IS_DTLS(s)) {
275 0 : if (n > left)
276 : n = left; /* makes the while condition false */
277 : }
278 : }
279 :
280 : /* done reading, now the book-keeping */
281 18595 : rb->offset += n;
282 18595 : rb->left = left - n;
283 18595 : s->packet_length += n;
284 18595 : s->rwstate = SSL_NOTHING;
285 18595 : return (n);
286 : }
287 :
288 : /*
289 : * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that
290 : * will be processed per call to ssl3_get_record. Without this limit an
291 : * attacker could send empty records at a faster rate than we can process and
292 : * cause ssl3_get_record to loop forever.
293 : */
294 : #define MAX_EMPTY_RECORDS 32
295 :
296 : /*-
297 : * Call this to get a new input record.
298 : * It will return <= 0 if more data is needed, normally due to an error
299 : * or non-blocking IO.
300 : * When it finishes, one packet has been decoded and can be found in
301 : * ssl->s3->rrec.type - is the type of record
302 : * ssl->s3->rrec.data, - data
303 : * ssl->s3->rrec.length, - number of bytes
304 : */
305 : /* used only by ssl3_read_bytes */
306 24424 : static int ssl3_get_record(SSL *s)
307 : {
308 : int ssl_major, ssl_minor, al;
309 : int enc_err, n, i, ret = -1;
310 : SSL3_RECORD *rr;
311 : SSL_SESSION *sess;
312 : unsigned char *p;
313 : unsigned char md[EVP_MAX_MD_SIZE];
314 : short version;
315 : unsigned mac_size, orig_len;
316 : size_t extra;
317 : unsigned empty_record_count = 0;
318 :
319 24424 : rr = &(s->s3->rrec);
320 24424 : sess = s->session;
321 :
322 24424 : if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
323 : extra = SSL3_RT_MAX_EXTRA;
324 : else
325 : extra = 0;
326 24424 : if (extra && !s->s3->init_extra) {
327 : /*
328 : * An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER set after
329 : * ssl3_setup_buffers() was done
330 : */
331 0 : SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
332 0 : return -1;
333 : }
334 :
335 : again:
336 : /* check if we have the header */
337 28642 : if ((s->rstate != SSL_ST_READ_BODY) ||
338 4218 : (s->packet_length < SSL3_RT_HEADER_LENGTH)) {
339 20206 : n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
340 20207 : if (n <= 0)
341 : return (n); /* error or non-blocking */
342 9299 : s->rstate = SSL_ST_READ_BODY;
343 :
344 9299 : p = s->packet;
345 9299 : if (s->msg_callback)
346 0 : s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
347 : s->msg_callback_arg);
348 :
349 : /* Pull apart the header into the SSL3_RECORD */
350 9299 : rr->type = *(p++);
351 9299 : ssl_major = *(p++);
352 9299 : ssl_minor = *(p++);
353 9299 : version = (ssl_major << 8) | ssl_minor;
354 9299 : n2s(p, rr->length);
355 : #if 0
356 : fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
357 : #endif
358 :
359 : /* Lets check version */
360 9299 : if (!s->first_packet) {
361 8926 : if (version != s->version) {
362 0 : SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
363 0 : if ((s->version & 0xFF00) == (version & 0xFF00)
364 0 : && !s->enc_write_ctx && !s->write_hash) {
365 0 : if (rr->type == SSL3_RT_ALERT) {
366 : /*
367 : * The record is using an incorrect version number, but
368 : * what we've got appears to be an alert. We haven't
369 : * read the body yet to check whether its a fatal or
370 : * not - but chances are it is. We probably shouldn't
371 : * send a fatal alert back. We'll just end.
372 : */
373 : goto err;
374 : }
375 : /*
376 : * Send back error using their minor version number :-)
377 : */
378 0 : s->version = (unsigned short)version;
379 : }
380 : al = SSL_AD_PROTOCOL_VERSION;
381 : goto f_err;
382 : }
383 : }
384 :
385 9299 : if ((version >> 8) != SSL3_VERSION_MAJOR) {
386 0 : SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
387 0 : goto err;
388 : }
389 :
390 9299 : if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH) {
391 : al = SSL_AD_RECORD_OVERFLOW;
392 0 : SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
393 0 : goto f_err;
394 : }
395 :
396 : /* now s->rstate == SSL_ST_READ_BODY */
397 : }
398 :
399 : /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
400 :
401 13517 : if (rr->length > s->packet_length - SSL3_RT_HEADER_LENGTH) {
402 : /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
403 13517 : i = rr->length;
404 13517 : n = ssl3_read_n(s, i, i, 1);
405 13516 : if (n <= 0)
406 : return (n); /* error or non-blocking io */
407 : /*
408 : * now n == rr->length, and s->packet_length == SSL3_RT_HEADER_LENGTH
409 : * + rr->length
410 : */
411 : }
412 :
413 9298 : s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */
414 :
415 : /*
416 : * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
417 : * and we have that many bytes in s->packet
418 : */
419 9298 : rr->input = &(s->packet[SSL3_RT_HEADER_LENGTH]);
420 :
421 : /*
422 : * ok, we can now read from 's->packet' data into 'rr' rr->input points
423 : * at rr->length bytes, which need to be copied into rr->data by either
424 : * the decryption or by the decompression When the data is 'copied' into
425 : * the rr->data buffer, rr->input will be pointed at the new buffer
426 : */
427 :
428 : /*
429 : * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
430 : * bytes of encrypted compressed stuff.
431 : */
432 :
433 : /* check is not needed I believe */
434 9298 : if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
435 : al = SSL_AD_RECORD_OVERFLOW;
436 0 : SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
437 0 : goto f_err;
438 : }
439 :
440 : /* decrypt in place in 'rr->input' */
441 9298 : rr->data = rr->input;
442 :
443 9298 : enc_err = s->method->ssl3_enc->enc(s, 0);
444 : /*-
445 : * enc_err is:
446 : * 0: (in non-constant time) if the record is publically invalid.
447 : * 1: if the padding is valid
448 : * -1: if the padding is invalid
449 : */
450 9299 : if (enc_err == 0) {
451 : al = SSL_AD_DECRYPTION_FAILED;
452 0 : SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
453 0 : goto f_err;
454 : }
455 : #ifdef TLS_DEBUG
456 : printf("dec %d\n", rr->length);
457 : {
458 : unsigned int z;
459 : for (z = 0; z < rr->length; z++)
460 : printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n');
461 : }
462 : printf("\n");
463 : #endif
464 :
465 : /* r->length is now the compressed data plus mac */
466 18225 : if ((sess != NULL) &&
467 14908 : (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
468 : /* s->read_hash != NULL => mac_size != -1 */
469 : unsigned char *mac = NULL;
470 : unsigned char mac_tmp[EVP_MAX_MD_SIZE];
471 0 : mac_size = EVP_MD_CTX_size(s->read_hash);
472 0 : OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
473 :
474 : /*
475 : * kludge: *_cbc_remove_padding passes padding length in rr->type
476 : */
477 0 : orig_len = rr->length + ((unsigned int)rr->type >> 8);
478 :
479 : /*
480 : * orig_len is the length of the record before any padding was
481 : * removed. This is public information, as is the MAC in use,
482 : * therefore we can safely process the record in a different amount
483 : * of time if it's too short to possibly contain a MAC.
484 : */
485 0 : if (orig_len < mac_size ||
486 : /* CBC records must have a padding length byte too. */
487 0 : (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
488 0 : orig_len < mac_size + 1)) {
489 : al = SSL_AD_DECODE_ERROR;
490 0 : SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
491 0 : goto f_err;
492 : }
493 :
494 0 : if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
495 : /*
496 : * We update the length so that the TLS header bytes can be
497 : * constructed correctly but we need to extract the MAC in
498 : * constant time from within the record, without leaking the
499 : * contents of the padding bytes.
500 : */
501 : mac = mac_tmp;
502 0 : ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
503 0 : rr->length -= mac_size;
504 : } else {
505 : /*
506 : * In this case there's no padding, so |orig_len| equals
507 : * |rec->length| and we checked that there's enough bytes for
508 : * |mac_size| above.
509 : */
510 0 : rr->length -= mac_size;
511 0 : mac = &rr->data[rr->length];
512 : }
513 :
514 0 : i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ );
515 0 : if (i < 0 || mac == NULL
516 0 : || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
517 : enc_err = -1;
518 0 : if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra + mac_size)
519 : enc_err = -1;
520 : }
521 :
522 9299 : if (enc_err < 0) {
523 : /*
524 : * A separate 'decryption_failed' alert was introduced with TLS 1.0,
525 : * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
526 : * failure is directly visible from the ciphertext anyway, we should
527 : * not reveal which kind of error occured -- this might become
528 : * visible to an attacker (e.g. via a logfile)
529 : */
530 : al = SSL_AD_BAD_RECORD_MAC;
531 0 : SSLerr(SSL_F_SSL3_GET_RECORD,
532 : SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
533 0 : goto f_err;
534 : }
535 :
536 : /* r->length is now just compressed */
537 9299 : if (s->expand != NULL) {
538 0 : if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra) {
539 : al = SSL_AD_RECORD_OVERFLOW;
540 0 : SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
541 0 : goto f_err;
542 : }
543 0 : if (!ssl3_do_uncompress(s)) {
544 : al = SSL_AD_DECOMPRESSION_FAILURE;
545 0 : SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
546 0 : goto f_err;
547 : }
548 : }
549 :
550 9299 : if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH + extra) {
551 : al = SSL_AD_RECORD_OVERFLOW;
552 0 : SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
553 0 : goto f_err;
554 : }
555 :
556 9299 : rr->off = 0;
557 : /*-
558 : * So at this point the following is true
559 : * ssl->s3->rrec.type is the type of record
560 : * ssl->s3->rrec.length == number of bytes in record
561 : * ssl->s3->rrec.off == offset to first valid byte
562 : * ssl->s3->rrec.data == where to take bytes from, increment
563 : * after use :-).
564 : */
565 :
566 : /* we have pulled in a full packet so zero things */
567 9299 : s->packet_length = 0;
568 :
569 : /* just read a 0 length packet */
570 9299 : if (rr->length == 0) {
571 0 : empty_record_count++;
572 0 : if (empty_record_count > MAX_EMPTY_RECORDS) {
573 : al = SSL_AD_UNEXPECTED_MESSAGE;
574 0 : SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
575 0 : goto f_err;
576 : }
577 : goto again;
578 : }
579 : #if 0
580 : fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type,
581 : rr->length);
582 : #endif
583 :
584 : return (1);
585 :
586 : f_err:
587 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
588 : err:
589 : return (ret);
590 : }
591 :
592 0 : int ssl3_do_uncompress(SSL *ssl)
593 : {
594 : #ifndef OPENSSL_NO_COMP
595 : int i;
596 : SSL3_RECORD *rr;
597 :
598 0 : rr = &(ssl->s3->rrec);
599 0 : i = COMP_expand_block(ssl->expand, rr->comp,
600 : SSL3_RT_MAX_PLAIN_LENGTH, rr->data,
601 0 : (int)rr->length);
602 0 : if (i < 0)
603 : return (0);
604 : else
605 0 : rr->length = i;
606 0 : rr->data = rr->comp;
607 : #endif
608 0 : return (1);
609 : }
610 :
611 0 : int ssl3_do_compress(SSL *ssl)
612 : {
613 : #ifndef OPENSSL_NO_COMP
614 : int i;
615 : SSL3_RECORD *wr;
616 :
617 0 : wr = &(ssl->s3->wrec);
618 0 : i = COMP_compress_block(ssl->compress, wr->data,
619 : SSL3_RT_MAX_COMPRESSED_LENGTH,
620 0 : wr->input, (int)wr->length);
621 0 : if (i < 0)
622 : return (0);
623 : else
624 0 : wr->length = i;
625 :
626 0 : wr->input = wr->data;
627 : #endif
628 0 : return (1);
629 : }
630 :
631 : /*
632 : * Call this to write data in records of type 'type' It will return <= 0 if
633 : * not all data has been sent or non-blocking IO.
634 : */
635 9702 : int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
636 : {
637 : const unsigned char *buf = buf_;
638 : int tot;
639 : unsigned int n, nw;
640 : #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
641 : unsigned int max_send_fragment;
642 : #endif
643 9702 : SSL3_BUFFER *wb = &(s->s3->wbuf);
644 : int i;
645 :
646 9702 : s->rwstate = SSL_NOTHING;
647 9702 : OPENSSL_assert(s->s3->wnum <= INT_MAX);
648 9702 : tot = s->s3->wnum;
649 9702 : s->s3->wnum = 0;
650 :
651 9702 : if (SSL_in_init(s) && !s->in_handshake) {
652 0 : i = s->handshake_func(s);
653 0 : if (i < 0)
654 : return (i);
655 0 : if (i == 0) {
656 0 : SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
657 0 : return -1;
658 : }
659 : }
660 :
661 : /*
662 : * ensure that if we end up with a smaller value of data to write out
663 : * than the the original len from a write which didn't complete for
664 : * non-blocking I/O and also somehow ended up avoiding the check for
665 : * this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be
666 : * possible to end up with (len-tot) as a large number that will then
667 : * promptly send beyond the end of the users buffer ... so we trap and
668 : * report the error in a way the user will notice
669 : */
670 9702 : if (len < tot) {
671 0 : SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH);
672 0 : return (-1);
673 : }
674 :
675 : /*
676 : * first check if there is a SSL3_BUFFER still being written out. This
677 : * will happen with non blocking IO
678 : */
679 9702 : if (wb->left != 0) {
680 0 : i = ssl3_write_pending(s, type, &buf[tot], s->s3->wpend_tot);
681 0 : if (i <= 0) {
682 : /* XXX should we ssl3_release_write_buffer if i<0? */
683 0 : s->s3->wnum = tot;
684 0 : return i;
685 : }
686 0 : tot += i; /* this might be last fragment */
687 : }
688 : #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
689 : /*
690 : * Depending on platform multi-block can deliver several *times*
691 : * better performance. Downside is that it has to allocate
692 : * jumbo buffer to accomodate up to 8 records, but the
693 : * compromise is considered worthy.
694 : */
695 : if (type == SSL3_RT_APPLICATION_DATA &&
696 : len >= 4 * (int)(max_send_fragment = s->max_send_fragment) &&
697 : s->compress == NULL && s->msg_callback == NULL &&
698 : SSL_USE_EXPLICIT_IV(s) &&
699 : EVP_CIPHER_flags(s->enc_write_ctx->cipher) &
700 : EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) {
701 : unsigned char aad[13];
702 : EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
703 : int packlen;
704 :
705 : /* minimize address aliasing conflicts */
706 : if ((max_send_fragment & 0xfff) == 0)
707 : max_send_fragment -= 512;
708 :
709 : if (tot == 0 || wb->buf == NULL) { /* allocate jumbo buffer */
710 : ssl3_release_write_buffer(s);
711 :
712 : packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
713 : EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE,
714 : max_send_fragment, NULL);
715 :
716 : if (len >= 8 * (int)max_send_fragment)
717 : packlen *= 8;
718 : else
719 : packlen *= 4;
720 :
721 : wb->buf = OPENSSL_malloc(packlen);
722 : if (!wb->buf) {
723 : SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_MALLOC_FAILURE);
724 : return -1;
725 : }
726 : wb->len = packlen;
727 : } else if (tot == len) { /* done? */
728 : OPENSSL_free(wb->buf); /* free jumbo buffer */
729 : wb->buf = NULL;
730 : return tot;
731 : }
732 :
733 : n = (len - tot);
734 : for (;;) {
735 : if (n < 4 * max_send_fragment) {
736 : OPENSSL_free(wb->buf); /* free jumbo buffer */
737 : wb->buf = NULL;
738 : break;
739 : }
740 :
741 : if (s->s3->alert_dispatch) {
742 : i = s->method->ssl_dispatch_alert(s);
743 : if (i <= 0) {
744 : s->s3->wnum = tot;
745 : return i;
746 : }
747 : }
748 :
749 : if (n >= 8 * max_send_fragment)
750 : nw = max_send_fragment * (mb_param.interleave = 8);
751 : else
752 : nw = max_send_fragment * (mb_param.interleave = 4);
753 :
754 : memcpy(aad, s->s3->write_sequence, 8);
755 : aad[8] = type;
756 : aad[9] = (unsigned char)(s->version >> 8);
757 : aad[10] = (unsigned char)(s->version);
758 : aad[11] = 0;
759 : aad[12] = 0;
760 : mb_param.out = NULL;
761 : mb_param.inp = aad;
762 : mb_param.len = nw;
763 :
764 : packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
765 : EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
766 : sizeof(mb_param), &mb_param);
767 :
768 : if (packlen <= 0 || packlen > (int)wb->len) { /* never happens */
769 : OPENSSL_free(wb->buf); /* free jumbo buffer */
770 : wb->buf = NULL;
771 : break;
772 : }
773 :
774 : mb_param.out = wb->buf;
775 : mb_param.inp = &buf[tot];
776 : mb_param.len = nw;
777 :
778 : if (EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
779 : EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
780 : sizeof(mb_param), &mb_param) <= 0)
781 : return -1;
782 :
783 : s->s3->write_sequence[7] += mb_param.interleave;
784 : if (s->s3->write_sequence[7] < mb_param.interleave) {
785 : int j = 6;
786 : while (j >= 0 && (++s->s3->write_sequence[j--]) == 0) ;
787 : }
788 :
789 : wb->offset = 0;
790 : wb->left = packlen;
791 :
792 : s->s3->wpend_tot = nw;
793 : s->s3->wpend_buf = &buf[tot];
794 : s->s3->wpend_type = type;
795 : s->s3->wpend_ret = nw;
796 :
797 : i = ssl3_write_pending(s, type, &buf[tot], nw);
798 : if (i <= 0) {
799 : if (i < 0 && (!s->wbio || !BIO_should_retry(s->wbio))) {
800 : OPENSSL_free(wb->buf);
801 : wb->buf = NULL;
802 : }
803 : s->s3->wnum = tot;
804 : return i;
805 : }
806 : if (i == (int)n) {
807 : OPENSSL_free(wb->buf); /* free jumbo buffer */
808 : wb->buf = NULL;
809 : return tot + i;
810 : }
811 : n -= i;
812 : tot += i;
813 : }
814 : } else
815 : #endif
816 9702 : if (tot == len) { /* done? */
817 0 : if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s))
818 0 : ssl3_release_write_buffer(s);
819 :
820 0 : return tot;
821 : }
822 :
823 9702 : n = (len - tot);
824 : for (;;) {
825 9702 : if (n > s->max_send_fragment)
826 : nw = s->max_send_fragment;
827 : else
828 : nw = n;
829 :
830 9702 : i = do_ssl3_write(s, type, &(buf[tot]), nw, 0);
831 9702 : if (i <= 0) {
832 : /* XXX should we ssl3_release_write_buffer if i<0? */
833 0 : s->s3->wnum = tot;
834 0 : return i;
835 : }
836 :
837 9702 : if ((i == (int)n) ||
838 0 : (type == SSL3_RT_APPLICATION_DATA &&
839 0 : (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) {
840 : /*
841 : * next chunk of data should get another prepended empty fragment
842 : * in ciphersuites with known-IV weakness:
843 : */
844 9702 : s->s3->empty_fragment_done = 0;
845 :
846 9702 : if ((i == (int)n) && s->mode & SSL_MODE_RELEASE_BUFFERS &&
847 0 : !SSL_IS_DTLS(s))
848 0 : ssl3_release_write_buffer(s);
849 :
850 9702 : return tot + i;
851 : }
852 :
853 0 : n -= i;
854 0 : tot += i;
855 0 : }
856 : }
857 :
858 9702 : static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
859 : unsigned int len, int create_empty_fragment)
860 : {
861 : unsigned char *p, *plen;
862 : int i, mac_size, clear = 0;
863 : int prefix_len = 0;
864 : int eivlen;
865 : long align = 0;
866 : SSL3_RECORD *wr;
867 9702 : SSL3_BUFFER *wb = &(s->s3->wbuf);
868 : SSL_SESSION *sess;
869 :
870 : /*
871 : * first check if there is a SSL3_BUFFER still being written out. This
872 : * will happen with non blocking IO
873 : */
874 9702 : if (wb->left != 0)
875 0 : return (ssl3_write_pending(s, type, buf, len));
876 :
877 : /* If we have an alert to send, lets send it */
878 9702 : if (s->s3->alert_dispatch) {
879 0 : i = s->method->ssl_dispatch_alert(s);
880 0 : if (i <= 0)
881 : return (i);
882 : /* if it went, fall through and send more stuff */
883 : }
884 :
885 9702 : if (wb->buf == NULL)
886 0 : if (!ssl3_setup_write_buffer(s))
887 : return -1;
888 :
889 9702 : if (len == 0 && !create_empty_fragment)
890 : return 0;
891 :
892 9702 : wr = &(s->s3->wrec);
893 9702 : sess = s->session;
894 :
895 19404 : if ((sess == NULL) ||
896 16065 : (s->enc_write_ctx == NULL) ||
897 6363 : (EVP_MD_CTX_md(s->write_hash) == NULL)) {
898 : #if 1
899 9702 : clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */
900 : #else
901 : clear = 1;
902 : #endif
903 9702 : mac_size = 0;
904 : } else {
905 0 : mac_size = EVP_MD_CTX_size(s->write_hash);
906 0 : if (mac_size < 0)
907 : goto err;
908 : }
909 :
910 : /*
911 : * 'create_empty_fragment' is true only when this function calls itself
912 : */
913 9702 : if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done) {
914 : /*
915 : * countermeasure against known-IV weakness in CBC ciphersuites (see
916 : * http://www.openssl.org/~bodo/tls-cbc.txt)
917 : */
918 :
919 6363 : if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) {
920 : /*
921 : * recursive function call with 'create_empty_fragment' set; this
922 : * prepares and buffers the data for an empty fragment (these
923 : * 'prefix_len' bytes are sent out later together with the actual
924 : * payload)
925 : */
926 0 : prefix_len = do_ssl3_write(s, type, buf, 0, 1);
927 0 : if (prefix_len <= 0)
928 : goto err;
929 :
930 0 : if (prefix_len >
931 : (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD))
932 : {
933 : /* insufficient space */
934 0 : SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
935 0 : goto err;
936 : }
937 : }
938 :
939 6363 : s->s3->empty_fragment_done = 1;
940 : }
941 :
942 9702 : if (create_empty_fragment) {
943 : #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
944 : /*
945 : * extra fragment would be couple of cipher blocks, which would be
946 : * multiple of SSL3_ALIGN_PAYLOAD, so if we want to align the real
947 : * payload, then we can just pretent we simply have two headers.
948 : */
949 0 : align = (long)wb->buf + 2 * SSL3_RT_HEADER_LENGTH;
950 0 : align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
951 : #endif
952 0 : p = wb->buf + align;
953 0 : wb->offset = align;
954 9702 : } else if (prefix_len) {
955 0 : p = wb->buf + wb->offset + prefix_len;
956 : } else {
957 : #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
958 9702 : align = (long)wb->buf + SSL3_RT_HEADER_LENGTH;
959 9702 : align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
960 : #endif
961 9702 : p = wb->buf + align;
962 9702 : wb->offset = align;
963 : }
964 :
965 : /* write the header */
966 :
967 9702 : *(p++) = type & 0xff;
968 9702 : wr->type = type;
969 :
970 9702 : *(p++) = (s->version >> 8);
971 : /*
972 : * Some servers hang if iniatial client hello is larger than 256 bytes
973 : * and record version number > TLS 1.0
974 : */
975 9702 : if (s->state == SSL3_ST_CW_CLNT_HELLO_B
976 373 : && !s->renegotiate && TLS1_get_version(s) > TLS1_VERSION)
977 373 : *(p++) = 0x1;
978 : else
979 9329 : *(p++) = s->version & 0xff;
980 :
981 : /* field where we are to write out packet length */
982 : plen = p;
983 9702 : p += 2;
984 : /* Explicit IV length, block ciphers appropriate version flag */
985 9702 : if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)) {
986 6363 : int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
987 6363 : if (mode == EVP_CIPH_CBC_MODE) {
988 0 : eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
989 0 : if (eivlen <= 1)
990 : eivlen = 0;
991 : }
992 : /* Need explicit part of IV for GCM mode */
993 6363 : else if (mode == EVP_CIPH_GCM_MODE)
994 : eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
995 : else
996 : eivlen = 0;
997 : } else
998 : eivlen = 0;
999 :
1000 : /* lets setup the record stuff. */
1001 9702 : wr->data = p + eivlen;
1002 9702 : wr->length = (int)len;
1003 9702 : wr->input = (unsigned char *)buf;
1004 :
1005 : /*
1006 : * we now 'read' from wr->input, wr->length bytes into wr->data
1007 : */
1008 :
1009 : /* first we compress */
1010 9702 : if (s->compress != NULL) {
1011 0 : if (!ssl3_do_compress(s)) {
1012 0 : SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE);
1013 0 : goto err;
1014 : }
1015 : } else {
1016 9702 : memcpy(wr->data, wr->input, wr->length);
1017 9702 : wr->input = wr->data;
1018 : }
1019 :
1020 : /*
1021 : * we should still have the output to wr->data and the input from
1022 : * wr->input. Length should be wr->length. wr->data still points in the
1023 : * wb->buf
1024 : */
1025 :
1026 9702 : if (mac_size != 0) {
1027 0 : if (s->method->ssl3_enc->mac(s, &(p[wr->length + eivlen]), 1) < 0)
1028 : goto err;
1029 0 : wr->length += mac_size;
1030 : }
1031 :
1032 9702 : wr->input = p;
1033 9702 : wr->data = p;
1034 :
1035 9702 : if (eivlen) {
1036 : /*
1037 : * if (RAND_pseudo_bytes(p, eivlen) <= 0) goto err;
1038 : */
1039 6363 : wr->length += eivlen;
1040 : }
1041 :
1042 9702 : if (s->method->ssl3_enc->enc(s, 1) < 1)
1043 : goto err;
1044 :
1045 : /* record length after mac and block padding */
1046 9702 : s2n(wr->length, plen);
1047 :
1048 9702 : if (s->msg_callback)
1049 0 : s->msg_callback(1, 0, SSL3_RT_HEADER, plen - 5, 5, s,
1050 : s->msg_callback_arg);
1051 :
1052 : /*
1053 : * we should now have wr->data pointing to the encrypted data, which is
1054 : * wr->length long
1055 : */
1056 9702 : wr->type = type; /* not needed but helps for debugging */
1057 9702 : wr->length += SSL3_RT_HEADER_LENGTH;
1058 :
1059 9702 : if (create_empty_fragment) {
1060 : /*
1061 : * we are in a recursive call; just return the length, don't write
1062 : * out anything here
1063 : */
1064 0 : return wr->length;
1065 : }
1066 :
1067 : /* now let's set up wb */
1068 9702 : wb->left = prefix_len + wr->length;
1069 :
1070 : /*
1071 : * memorize arguments so that ssl3_write_pending can detect bad write
1072 : * retries later
1073 : */
1074 9702 : s->s3->wpend_tot = len;
1075 9702 : s->s3->wpend_buf = buf;
1076 9702 : s->s3->wpend_type = type;
1077 9702 : s->s3->wpend_ret = len;
1078 :
1079 : /* we now just need to write the buffer */
1080 9702 : return ssl3_write_pending(s, type, buf, len);
1081 : err:
1082 : return -1;
1083 : }
1084 :
1085 : /* if s->s3->wbuf.left != 0, we need to call this */
1086 9702 : int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
1087 : unsigned int len)
1088 : {
1089 : int i;
1090 9702 : SSL3_BUFFER *wb = &(s->s3->wbuf);
1091 :
1092 : /* XXXX */
1093 9702 : if ((s->s3->wpend_tot > (int)len)
1094 9702 : || ((s->s3->wpend_buf != buf) &&
1095 0 : !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
1096 9702 : || (s->s3->wpend_type != type)) {
1097 0 : SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY);
1098 0 : return (-1);
1099 : }
1100 :
1101 : for (;;) {
1102 9702 : clear_sys_error();
1103 9702 : if (s->wbio != NULL) {
1104 9702 : s->rwstate = SSL_WRITING;
1105 19404 : i = BIO_write(s->wbio,
1106 9702 : (char *)&(wb->buf[wb->offset]),
1107 : (unsigned int)wb->left);
1108 : } else {
1109 0 : SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BIO_NOT_SET);
1110 : i = -1;
1111 : }
1112 9702 : if (i == wb->left) {
1113 9702 : wb->left = 0;
1114 9702 : wb->offset += i;
1115 9702 : s->rwstate = SSL_NOTHING;
1116 9702 : return (s->s3->wpend_ret);
1117 0 : } else if (i <= 0) {
1118 0 : if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
1119 : /*
1120 : * For DTLS, just drop it. That's kind of the whole point in
1121 : * using a datagram service
1122 : */
1123 0 : wb->left = 0;
1124 : }
1125 0 : return (i);
1126 : }
1127 0 : wb->offset += i;
1128 0 : wb->left -= i;
1129 0 : }
1130 : }
1131 :
1132 : /*-
1133 : * Return up to 'len' payload bytes received in 'type' records.
1134 : * 'type' is one of the following:
1135 : *
1136 : * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
1137 : * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
1138 : * - 0 (during a shutdown, no data has to be returned)
1139 : *
1140 : * If we don't have stored data to work from, read a SSL/TLS record first
1141 : * (possibly multiple records if we still don't have anything to return).
1142 : *
1143 : * This function must handle any surprises the peer may have for us, such as
1144 : * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
1145 : * a surprise, but handled as if it were), or renegotiation requests.
1146 : * Also if record payloads contain fragments too small to process, we store
1147 : * them until there is enough for the respective protocol (the record protocol
1148 : * may use arbitrary fragmentation and even interleaving):
1149 : * Change cipher spec protocol
1150 : * just 1 byte needed, no need for keeping anything stored
1151 : * Alert protocol
1152 : * 2 bytes needed (AlertLevel, AlertDescription)
1153 : * Handshake protocol
1154 : * 4 bytes needed (HandshakeType, uint24 length) -- we just have
1155 : * to detect unexpected Client Hello and Hello Request messages
1156 : * here, anything else is handled by higher layers
1157 : * Application data protocol
1158 : * none of our business
1159 : */
1160 28036 : int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1161 : {
1162 : int al, i, j, ret;
1163 : unsigned int n;
1164 : SSL3_RECORD *rr;
1165 : void (*cb) (const SSL *ssl, int type2, int val) = NULL;
1166 :
1167 28036 : if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
1168 0 : if (!ssl3_setup_read_buffer(s))
1169 : return (-1);
1170 :
1171 28037 : if ((type && (type != SSL3_RT_APPLICATION_DATA)
1172 35417 : && (type != SSL3_RT_HANDSHAKE)) || (peek
1173 28037 : && (type !=
1174 : SSL3_RT_APPLICATION_DATA))) {
1175 0 : SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
1176 0 : return -1;
1177 : }
1178 :
1179 28037 : if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
1180 : /* (partially) satisfy request from storage */
1181 : {
1182 0 : unsigned char *src = s->s3->handshake_fragment;
1183 : unsigned char *dst = buf;
1184 : unsigned int k;
1185 :
1186 : /* peek == 0 */
1187 : n = 0;
1188 0 : while ((len > 0) && (s->s3->handshake_fragment_len > 0)) {
1189 0 : *dst++ = *src++;
1190 0 : len--;
1191 0 : s->s3->handshake_fragment_len--;
1192 0 : n++;
1193 : }
1194 : /* move any remaining fragment bytes: */
1195 0 : for (k = 0; k < s->s3->handshake_fragment_len; k++)
1196 0 : s->s3->handshake_fragment[k] = *src++;
1197 0 : return n;
1198 : }
1199 :
1200 : /*
1201 : * Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE.
1202 : */
1203 :
1204 28037 : if (!s->in_handshake && SSL_in_init(s)) {
1205 : /* type == SSL3_RT_APPLICATION_DATA */
1206 0 : i = s->handshake_func(s);
1207 0 : if (i < 0)
1208 : return (i);
1209 0 : if (i == 0) {
1210 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
1211 0 : return (-1);
1212 : }
1213 : }
1214 : start:
1215 28769 : s->rwstate = SSL_NOTHING;
1216 :
1217 : /*-
1218 : * s->s3->rrec.type - is the type of record
1219 : * s->s3->rrec.data, - data
1220 : * s->s3->rrec.off, - offset into 'data' for next read
1221 : * s->s3->rrec.length, - number of bytes.
1222 : */
1223 28769 : rr = &(s->s3->rrec);
1224 :
1225 : /* get new packet if necessary */
1226 28769 : if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) {
1227 24424 : ret = ssl3_get_record(s);
1228 24419 : if (ret <= 0)
1229 : return (ret);
1230 : }
1231 :
1232 : /* we now have a packet which can be read and processed */
1233 :
1234 13644 : if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
1235 : * reset by ssl3_get_finished */
1236 1464 : && (rr->type != SSL3_RT_HANDSHAKE)) {
1237 : al = SSL_AD_UNEXPECTED_MESSAGE;
1238 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
1239 0 : goto f_err;
1240 : }
1241 :
1242 : /*
1243 : * If the other end has shut down, throw anything we read away (even in
1244 : * 'peek' mode)
1245 : */
1246 13644 : if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
1247 0 : rr->length = 0;
1248 0 : s->rwstate = SSL_NOTHING;
1249 0 : return (0);
1250 : }
1251 :
1252 13644 : if (type == rr->type) { /* SSL3_RT_APPLICATION_DATA or
1253 : * SSL3_RT_HANDSHAKE */
1254 : /*
1255 : * make sure that we are not getting application data when we are
1256 : * doing a handshake for the first time
1257 : */
1258 12912 : if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
1259 0 : (s->enc_read_ctx == NULL)) {
1260 : al = SSL_AD_UNEXPECTED_MESSAGE;
1261 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE);
1262 0 : goto f_err;
1263 : }
1264 :
1265 12912 : if (len <= 0)
1266 : return (len);
1267 :
1268 12912 : if ((unsigned int)len > rr->length)
1269 : n = rr->length;
1270 : else
1271 : n = (unsigned int)len;
1272 :
1273 12912 : memcpy(buf, &(rr->data[rr->off]), n);
1274 12912 : if (!peek) {
1275 12911 : rr->length -= n;
1276 12911 : rr->off += n;
1277 12911 : if (rr->length == 0) {
1278 8566 : s->rstate = SSL_ST_READ_HEADER;
1279 8566 : rr->off = 0;
1280 8566 : if (s->mode & SSL_MODE_RELEASE_BUFFERS
1281 0 : && s->s3->rbuf.left == 0)
1282 0 : ssl3_release_read_buffer(s);
1283 : }
1284 : }
1285 12911 : return (n);
1286 : }
1287 :
1288 : /*
1289 : * If we get here, then type != rr->type; if we have a handshake message,
1290 : * then it was unexpected (Hello Request or Client Hello).
1291 : */
1292 :
1293 : /*
1294 : * In case of record types for which we have 'fragment' storage, fill
1295 : * that so that we can process the data at a fixed place.
1296 : */
1297 : {
1298 : unsigned int dest_maxlen = 0;
1299 : unsigned char *dest = NULL;
1300 : unsigned int *dest_len = NULL;
1301 :
1302 732 : if (rr->type == SSL3_RT_HANDSHAKE) {
1303 : dest_maxlen = sizeof s->s3->handshake_fragment;
1304 0 : dest = s->s3->handshake_fragment;
1305 0 : dest_len = &s->s3->handshake_fragment_len;
1306 732 : } else if (rr->type == SSL3_RT_ALERT) {
1307 : dest_maxlen = sizeof s->s3->alert_fragment;
1308 0 : dest = s->s3->alert_fragment;
1309 0 : dest_len = &s->s3->alert_fragment_len;
1310 : }
1311 : #ifndef OPENSSL_NO_HEARTBEATS
1312 732 : else if (rr->type == TLS1_RT_HEARTBEAT) {
1313 0 : tls1_process_heartbeat(s);
1314 :
1315 : /* Exit and notify application to read again */
1316 0 : rr->length = 0;
1317 0 : s->rwstate = SSL_READING;
1318 0 : BIO_clear_retry_flags(SSL_get_rbio(s));
1319 0 : BIO_set_retry_read(SSL_get_rbio(s));
1320 0 : return (-1);
1321 : }
1322 : #endif
1323 :
1324 732 : if (dest_maxlen > 0) {
1325 0 : n = dest_maxlen - *dest_len; /* available space in 'dest' */
1326 0 : if (rr->length < n)
1327 : n = rr->length; /* available bytes */
1328 :
1329 : /* now move 'n' bytes: */
1330 0 : while (n-- > 0) {
1331 0 : dest[(*dest_len)++] = rr->data[rr->off++];
1332 0 : rr->length--;
1333 : }
1334 :
1335 0 : if (*dest_len < dest_maxlen)
1336 : goto start; /* fragment was too small */
1337 : }
1338 : }
1339 :
1340 : /*-
1341 : * s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
1342 : * s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
1343 : * (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
1344 : */
1345 :
1346 : /* If we are a client, check for an incoming 'Hello Request': */
1347 1097 : if ((!s->server) &&
1348 365 : (s->s3->handshake_fragment_len >= 4) &&
1349 0 : (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
1350 0 : (s->session != NULL) && (s->session->cipher != NULL)) {
1351 0 : s->s3->handshake_fragment_len = 0;
1352 :
1353 0 : if ((s->s3->handshake_fragment[1] != 0) ||
1354 0 : (s->s3->handshake_fragment[2] != 0) ||
1355 : (s->s3->handshake_fragment[3] != 0)) {
1356 : al = SSL_AD_DECODE_ERROR;
1357 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_BAD_HELLO_REQUEST);
1358 0 : goto f_err;
1359 : }
1360 :
1361 0 : if (s->msg_callback)
1362 0 : s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1363 0 : s->s3->handshake_fragment, 4, s,
1364 : s->msg_callback_arg);
1365 :
1366 0 : if (SSL_is_init_finished(s) &&
1367 0 : !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
1368 0 : !s->s3->renegotiate) {
1369 0 : ssl3_renegotiate(s);
1370 0 : if (ssl3_renegotiate_check(s)) {
1371 0 : i = s->handshake_func(s);
1372 0 : if (i < 0)
1373 : return (i);
1374 0 : if (i == 0) {
1375 0 : SSLerr(SSL_F_SSL3_READ_BYTES,
1376 : SSL_R_SSL_HANDSHAKE_FAILURE);
1377 0 : return (-1);
1378 : }
1379 :
1380 0 : if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
1381 0 : if (s->s3->rbuf.left == 0) { /* no read-ahead left? */
1382 : BIO *bio;
1383 : /*
1384 : * In the case where we try to read application data,
1385 : * but we trigger an SSL handshake, we return -1 with
1386 : * the retry option set. Otherwise renegotiation may
1387 : * cause nasty problems in the blocking world
1388 : */
1389 0 : s->rwstate = SSL_READING;
1390 0 : bio = SSL_get_rbio(s);
1391 0 : BIO_clear_retry_flags(bio);
1392 0 : BIO_set_retry_read(bio);
1393 0 : return (-1);
1394 : }
1395 : }
1396 : }
1397 : }
1398 : /*
1399 : * we either finished a handshake or ignored the request, now try
1400 : * again to obtain the (application) data we were asked for
1401 : */
1402 : goto start;
1403 : }
1404 : /*
1405 : * If we are a server and get a client hello when renegotiation isn't
1406 : * allowed send back a no renegotiation alert and carry on. WARNING:
1407 : * experimental code, needs reviewing (steve)
1408 : */
1409 1099 : if (s->server &&
1410 367 : SSL_is_init_finished(s) &&
1411 0 : !s->s3->send_connection_binding &&
1412 0 : (s->version > SSL3_VERSION) &&
1413 0 : (s->s3->handshake_fragment_len >= 4) &&
1414 0 : (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
1415 0 : (s->session != NULL) && (s->session->cipher != NULL) &&
1416 0 : !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
1417 : /*
1418 : * s->s3->handshake_fragment_len = 0;
1419 : */
1420 0 : rr->length = 0;
1421 0 : ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
1422 0 : goto start;
1423 : }
1424 732 : if (s->s3->alert_fragment_len >= 2) {
1425 0 : int alert_level = s->s3->alert_fragment[0];
1426 0 : int alert_descr = s->s3->alert_fragment[1];
1427 :
1428 0 : s->s3->alert_fragment_len = 0;
1429 :
1430 0 : if (s->msg_callback)
1431 0 : s->msg_callback(0, s->version, SSL3_RT_ALERT,
1432 0 : s->s3->alert_fragment, 2, s, s->msg_callback_arg);
1433 :
1434 0 : if (s->info_callback != NULL)
1435 : cb = s->info_callback;
1436 0 : else if (s->ctx->info_callback != NULL)
1437 : cb = s->ctx->info_callback;
1438 :
1439 0 : if (cb != NULL) {
1440 0 : j = (alert_level << 8) | alert_descr;
1441 0 : cb(s, SSL_CB_READ_ALERT, j);
1442 : }
1443 :
1444 0 : if (alert_level == SSL3_AL_WARNING) {
1445 0 : s->s3->warn_alert = alert_descr;
1446 0 : if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
1447 0 : s->shutdown |= SSL_RECEIVED_SHUTDOWN;
1448 0 : return (0);
1449 : }
1450 : /*
1451 : * This is a warning but we receive it if we requested
1452 : * renegotiation and the peer denied it. Terminate with a fatal
1453 : * alert because if application tried to renegotiatie it
1454 : * presumably had a good reason and expects it to succeed. In
1455 : * future we might have a renegotiation where we don't care if
1456 : * the peer refused it where we carry on.
1457 : */
1458 0 : else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
1459 : al = SSL_AD_HANDSHAKE_FAILURE;
1460 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_NO_RENEGOTIATION);
1461 0 : goto f_err;
1462 : }
1463 : #ifdef SSL_AD_MISSING_SRP_USERNAME
1464 : else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
1465 : return (0);
1466 : #endif
1467 0 : } else if (alert_level == SSL3_AL_FATAL) {
1468 : char tmp[16];
1469 :
1470 0 : s->rwstate = SSL_NOTHING;
1471 0 : s->s3->fatal_alert = alert_descr;
1472 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
1473 0 : BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);
1474 0 : ERR_add_error_data(2, "SSL alert number ", tmp);
1475 0 : s->shutdown |= SSL_RECEIVED_SHUTDOWN;
1476 0 : SSL_CTX_remove_session(s->ctx, s->session);
1477 : return (0);
1478 : } else {
1479 : al = SSL_AD_ILLEGAL_PARAMETER;
1480 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);
1481 0 : goto f_err;
1482 : }
1483 :
1484 : goto start;
1485 : }
1486 :
1487 732 : if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a
1488 : * shutdown */
1489 0 : s->rwstate = SSL_NOTHING;
1490 0 : rr->length = 0;
1491 0 : return (0);
1492 : }
1493 :
1494 732 : if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1495 : /*
1496 : * 'Change Cipher Spec' is just a single byte, so we know exactly
1497 : * what the record payload has to look like
1498 : */
1499 1464 : if ((rr->length != 1) || (rr->off != 0) ||
1500 732 : (rr->data[0] != SSL3_MT_CCS)) {
1501 : al = SSL_AD_ILLEGAL_PARAMETER;
1502 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_BAD_CHANGE_CIPHER_SPEC);
1503 0 : goto f_err;
1504 : }
1505 :
1506 : /* Check we have a cipher to change to */
1507 732 : if (s->s3->tmp.new_cipher == NULL) {
1508 : al = SSL_AD_UNEXPECTED_MESSAGE;
1509 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);
1510 0 : goto f_err;
1511 : }
1512 :
1513 732 : if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) {
1514 : al = SSL_AD_UNEXPECTED_MESSAGE;
1515 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);
1516 0 : goto f_err;
1517 : }
1518 :
1519 732 : s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
1520 :
1521 732 : rr->length = 0;
1522 :
1523 732 : if (s->msg_callback)
1524 0 : s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
1525 : rr->data, 1, s, s->msg_callback_arg);
1526 :
1527 732 : s->s3->change_cipher_spec = 1;
1528 732 : if (!ssl3_do_change_cipher_spec(s))
1529 : goto err;
1530 : else
1531 : goto start;
1532 : }
1533 :
1534 : /*
1535 : * Unexpected handshake message (Client Hello, or protocol violation)
1536 : */
1537 0 : if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) {
1538 0 : if (((s->state & SSL_ST_MASK) == SSL_ST_OK) &&
1539 0 : !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
1540 : #if 0 /* worked only because C operator preferences
1541 : * are not as expected (and because this is
1542 : * not really needed for clients except for
1543 : * detecting protocol violations): */
1544 : s->state = SSL_ST_BEFORE | (s->server)
1545 : ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1546 : #else
1547 0 : s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1548 : #endif
1549 0 : s->renegotiate = 1;
1550 0 : s->new_session = 1;
1551 : }
1552 0 : i = s->handshake_func(s);
1553 0 : if (i < 0)
1554 : return (i);
1555 0 : if (i == 0) {
1556 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
1557 0 : return (-1);
1558 : }
1559 :
1560 0 : if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
1561 0 : if (s->s3->rbuf.left == 0) { /* no read-ahead left? */
1562 : BIO *bio;
1563 : /*
1564 : * In the case where we try to read application data, but we
1565 : * trigger an SSL handshake, we return -1 with the retry
1566 : * option set. Otherwise renegotiation may cause nasty
1567 : * problems in the blocking world
1568 : */
1569 0 : s->rwstate = SSL_READING;
1570 0 : bio = SSL_get_rbio(s);
1571 0 : BIO_clear_retry_flags(bio);
1572 0 : BIO_set_retry_read(bio);
1573 0 : return (-1);
1574 : }
1575 : }
1576 : goto start;
1577 : }
1578 :
1579 0 : switch (rr->type) {
1580 : default:
1581 : #ifndef OPENSSL_NO_TLS
1582 : /*
1583 : * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give
1584 : * an unexpected message alert.
1585 : */
1586 0 : if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {
1587 0 : rr->length = 0;
1588 0 : goto start;
1589 : }
1590 : #endif
1591 : al = SSL_AD_UNEXPECTED_MESSAGE;
1592 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
1593 0 : goto f_err;
1594 : case SSL3_RT_CHANGE_CIPHER_SPEC:
1595 : case SSL3_RT_ALERT:
1596 : case SSL3_RT_HANDSHAKE:
1597 : /*
1598 : * we already handled all of these, with the possible exception of
1599 : * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not
1600 : * happen when type != rr->type
1601 : */
1602 : al = SSL_AD_UNEXPECTED_MESSAGE;
1603 0 : SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
1604 0 : goto f_err;
1605 : case SSL3_RT_APPLICATION_DATA:
1606 : /*
1607 : * At this point, we were expecting handshake data, but have
1608 : * application data. If the library was running inside ssl3_read()
1609 : * (i.e. in_read_app_data is set) and it makes sense to read
1610 : * application data at this point (session renegotiation not yet
1611 : * started), we will indulge it.
1612 : */
1613 0 : if (s->s3->in_read_app_data &&
1614 0 : (s->s3->total_renegotiations != 0) &&
1615 0 : (((s->state & SSL_ST_CONNECT) &&
1616 0 : (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
1617 : (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
1618 0 : ) || ((s->state & SSL_ST_ACCEPT) &&
1619 0 : (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
1620 : (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
1621 : )
1622 : )) {
1623 0 : s->s3->in_read_app_data = 2;
1624 0 : return (-1);
1625 : } else {
1626 : al = SSL_AD_UNEXPECTED_MESSAGE;
1627 0 : SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
1628 0 : goto f_err;
1629 : }
1630 : }
1631 : /* not reached */
1632 :
1633 : f_err:
1634 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
1635 : err:
1636 : return (-1);
1637 : }
1638 :
1639 732 : int ssl3_do_change_cipher_spec(SSL *s)
1640 : {
1641 : int i;
1642 : const char *sender;
1643 : int slen;
1644 :
1645 732 : if (s->state & SSL_ST_ACCEPT)
1646 : i = SSL3_CHANGE_CIPHER_SERVER_READ;
1647 : else
1648 : i = SSL3_CHANGE_CIPHER_CLIENT_READ;
1649 :
1650 732 : if (s->s3->tmp.key_block == NULL) {
1651 367 : if (s->session == NULL || s->session->master_key_length == 0) {
1652 : /* might happen if dtls1_read_bytes() calls this */
1653 0 : SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
1654 : SSL_R_CCS_RECEIVED_EARLY);
1655 0 : return (0);
1656 : }
1657 :
1658 367 : s->session->cipher = s->s3->tmp.new_cipher;
1659 367 : if (!s->method->ssl3_enc->setup_key_block(s))
1660 : return (0);
1661 : }
1662 :
1663 732 : if (!s->method->ssl3_enc->change_cipher_state(s, i))
1664 : return (0);
1665 :
1666 : /*
1667 : * we have to record the message digest at this point so we can get it
1668 : * before we read the finished message
1669 : */
1670 732 : if (s->state & SSL_ST_CONNECT) {
1671 365 : sender = s->method->ssl3_enc->server_finished_label;
1672 365 : slen = s->method->ssl3_enc->server_finished_label_len;
1673 : } else {
1674 367 : sender = s->method->ssl3_enc->client_finished_label;
1675 367 : slen = s->method->ssl3_enc->client_finished_label_len;
1676 : }
1677 :
1678 1464 : i = s->method->ssl3_enc->final_finish_mac(s,
1679 : sender, slen,
1680 732 : s->s3->tmp.peer_finish_md);
1681 732 : if (i == 0) {
1682 0 : SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
1683 0 : return 0;
1684 : }
1685 732 : s->s3->tmp.peer_finish_md_len = i;
1686 :
1687 732 : return (1);
1688 : }
1689 :
1690 0 : int ssl3_send_alert(SSL *s, int level, int desc)
1691 : {
1692 : /* Map tls/ssl alert value to correct one */
1693 0 : desc = s->method->ssl3_enc->alert_value(desc);
1694 0 : if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
1695 : desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have
1696 : * protocol_version alerts */
1697 0 : if (desc < 0)
1698 : return -1;
1699 : /* If a fatal one, remove from cache */
1700 0 : if ((level == 2) && (s->session != NULL))
1701 0 : SSL_CTX_remove_session(s->ctx, s->session);
1702 :
1703 0 : s->s3->alert_dispatch = 1;
1704 0 : s->s3->send_alert[0] = level;
1705 0 : s->s3->send_alert[1] = desc;
1706 0 : if (s->s3->wbuf.left == 0) /* data still being written out? */
1707 0 : return s->method->ssl_dispatch_alert(s);
1708 : /*
1709 : * else data is still being written out, we will get written some time in
1710 : * the future
1711 : */
1712 : return -1;
1713 : }
1714 :
1715 0 : int ssl3_dispatch_alert(SSL *s)
1716 : {
1717 : int i, j;
1718 : void (*cb) (const SSL *ssl, int type, int val) = NULL;
1719 :
1720 0 : s->s3->alert_dispatch = 0;
1721 0 : i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
1722 0 : if (i <= 0) {
1723 0 : s->s3->alert_dispatch = 1;
1724 : } else {
1725 : /*
1726 : * Alert sent to BIO. If it is important, flush it now. If the
1727 : * message does not get sent due to non-blocking IO, we will not
1728 : * worry too much.
1729 : */
1730 0 : if (s->s3->send_alert[0] == SSL3_AL_FATAL)
1731 0 : (void)BIO_flush(s->wbio);
1732 :
1733 0 : if (s->msg_callback)
1734 0 : s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert,
1735 : 2, s, s->msg_callback_arg);
1736 :
1737 0 : if (s->info_callback != NULL)
1738 : cb = s->info_callback;
1739 0 : else if (s->ctx->info_callback != NULL)
1740 : cb = s->ctx->info_callback;
1741 :
1742 0 : if (cb != NULL) {
1743 0 : j = (s->s3->send_alert[0] << 8) | s->s3->send_alert[1];
1744 0 : cb(s, SSL_CB_WRITE_ALERT, j);
1745 : }
1746 : }
1747 0 : return (i);
1748 : }
|