Symaptic: os/ossrv/ssl/libssl/src/s3_pkt.c@bde4ae8d615e (annotated)

sl@0	1	/* ssl/s3_pkt.c */
sl@0	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
sl@0	3	* All rights reserved.
sl@0	4	*
sl@0	5	* This package is an SSL implementation written
sl@0	6	* by Eric Young (eay@cryptsoft.com).
sl@0	7	* The implementation was written so as to conform with Netscapes SSL.
sl@0	8	*
sl@0	9	* This library is free for commercial and non-commercial use as long as
sl@0	10	* the following conditions are aheared to. The following conditions
sl@0	11	* apply to all code found in this distribution, be it the RC4, RSA,
sl@0	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
sl@0	13	* included with this distribution is covered by the same copyright terms
sl@0	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
sl@0	15	*
sl@0	16	* Copyright remains Eric Young's, and as such any Copyright notices in
sl@0	17	* the code are not to be removed.
sl@0	18	* If this package is used in a product, Eric Young should be given attribution
sl@0	19	* as the author of the parts of the library used.
sl@0	20	* This can be in the form of a textual message at program startup or
sl@0	21	* in documentation (online or textual) provided with the package.
sl@0	22	*
sl@0	23	* Redistribution and use in source and binary forms, with or without
sl@0	24	* modification, are permitted provided that the following conditions
sl@0	25	* are met:
sl@0	26	* 1. Redistributions of source code must retain the copyright
sl@0	27	* notice, this list of conditions and the following disclaimer.
sl@0	28	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	29	* notice, this list of conditions and the following disclaimer in the
sl@0	30	* documentation and/or other materials provided with the distribution.
sl@0	31	* 3. All advertising materials mentioning features or use of this software
sl@0	32	* must display the following acknowledgement:
sl@0	33	* "This product includes cryptographic software written by
sl@0	34	* Eric Young (eay@cryptsoft.com)"
sl@0	35	* The word 'cryptographic' can be left out if the rouines from the library
sl@0	36	* being used are not cryptographic related :-).
sl@0	37	* 4. If you include any Windows specific code (or a derivative thereof) from
sl@0	38	* the apps directory (application code) you must include an acknowledgement:
sl@0	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
sl@0	40	*
sl@0	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
sl@0	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
sl@0	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
sl@0	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
sl@0	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
sl@0	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
sl@0	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
sl@0	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
sl@0	51	* SUCH DAMAGE.
sl@0	52	*
sl@0	53	* The licence and distribution terms for any publically available version or
sl@0	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
sl@0	55	* copied and put under another distribution licence
sl@0	56	* [including the GNU Public Licence.]
sl@0	57	*/
sl@0	58	/* ====================================================================
sl@0	59	* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
sl@0	60	*
sl@0	61	* Redistribution and use in source and binary forms, with or without
sl@0	62	* modification, are permitted provided that the following conditions
sl@0	63	* are met:
sl@0	64	*
sl@0	65	* 1. Redistributions of source code must retain the above copyright
sl@0	66	* notice, this list of conditions and the following disclaimer.
sl@0	67	*
sl@0	68	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	69	* notice, this list of conditions and the following disclaimer in
sl@0	70	* the documentation and/or other materials provided with the
sl@0	71	* distribution.
sl@0	72	*
sl@0	73	* 3. All advertising materials mentioning features or use of this
sl@0	74	* software must display the following acknowledgment:
sl@0	75	* "This product includes software developed by the OpenSSL Project
sl@0	76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
sl@0	77	*
sl@0	78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0	79	* endorse or promote products derived from this software without
sl@0	80	* prior written permission. For written permission, please contact
sl@0	81	* openssl-core@openssl.org.
sl@0	82	*
sl@0	83	* 5. Products derived from this software may not be called "OpenSSL"
sl@0	84	* nor may "OpenSSL" appear in their names without prior written
sl@0	85	* permission of the OpenSSL Project.
sl@0	86	*
sl@0	87	* 6. Redistributions of any form whatsoever must retain the following
sl@0	88	* acknowledgment:
sl@0	89	* "This product includes software developed by the OpenSSL Project
sl@0	90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
sl@0	91	*
sl@0	92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0	93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0	95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0	96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0	97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0	98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0	99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0	101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0	102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0	103	* OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0	104	* ====================================================================
sl@0	105	*
sl@0	106	* This product includes cryptographic software written by Eric Young
sl@0	107	* (eay@cryptsoft.com). This product includes software written by Tim
sl@0	108	* Hudson (tjh@cryptsoft.com).
sl@0	109	*
sl@0	110	*/
sl@0	111
sl@0	112	#include <stdio.h>
sl@0	113	#include <errno.h>
sl@0	114	#define USE_SOCKETS
sl@0	115	#include "ssl_locl.h"
sl@0	116	#include <openssl/evp.h>
sl@0	117	#include <openssl/buffer.h>
sl@0	118
sl@0	119	static int do_ssl3_write(SSL s, int type, const unsigned char buf,
sl@0	120	unsigned int len, int create_empty_fragment);
sl@0	121	static int ssl3_get_record(SSL *s);
sl@0	122
sl@0	123	int ssl3_read_n(SSL *s, int n, int max, int extend)
sl@0	124	{
sl@0	125	/* If extend == 0, obtain new n-byte packet; if extend == 1, increase
sl@0	126	* packet by another n bytes.
sl@0	127	* The packet will be in the sub-array of s->s3->rbuf.buf specified
sl@0	128	* by s->packet and s->packet_length.
sl@0	129	* (If s->read_ahead is set, 'max' bytes may be stored in rbuf
sl@0	130	* [plus s->packet_length bytes if extend == 1].)
sl@0	131	*/
sl@0	132	int i,off,newb;
sl@0	133
sl@0	134	if (!extend)
sl@0	135	{
sl@0	136	/* start with empty packet ... */
sl@0	137	if (s->s3->rbuf.left == 0)
sl@0	138	s->s3->rbuf.offset = 0;
sl@0	139	s->packet = s->s3->rbuf.buf + s->s3->rbuf.offset;
sl@0	140	s->packet_length = 0;
sl@0	141	/* ... now we can act as if 'extend' was set */
sl@0	142	}
sl@0	143
sl@0	144	/* extend reads should not span multiple packets for DTLS */
sl@0	145	if ( SSL_version(s) == DTLS1_VERSION &&
sl@0	146	extend)
sl@0	147	{
sl@0	148	if ( s->s3->rbuf.left > 0 && n > s->s3->rbuf.left)
sl@0	149	n = s->s3->rbuf.left;
sl@0	150	}
sl@0	151
sl@0	152	/* if there is enough in the buffer from a previous read, take some */
sl@0	153	if (s->s3->rbuf.left >= (int)n)
sl@0	154	{
sl@0	155	s->packet_length+=n;
sl@0	156	s->s3->rbuf.left-=n;
sl@0	157	s->s3->rbuf.offset+=n;
sl@0	158	return(n);
sl@0	159	}
sl@0	160
sl@0	161	/* else we need to read more data */
sl@0	162	if (!s->read_ahead)
sl@0	163	max=n;
sl@0	164
sl@0	165	{
sl@0	166	/* avoid buffer overflow */
sl@0	167	int max_max = s->s3->rbuf.len - s->packet_length;
sl@0	168	if (max > max_max)
sl@0	169	max = max_max;
sl@0	170	}
sl@0	171	if (n > max) /* does not happen */
sl@0	172	{
sl@0	173	SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
sl@0	174	return -1;
sl@0	175	}
sl@0	176
sl@0	177	off = s->packet_length;
sl@0	178	newb = s->s3->rbuf.left;
sl@0	179	/* Move any available bytes to front of buffer:
sl@0	180	* 'off' bytes already pointed to by 'packet',
sl@0	181	* 'newb' extra ones at the end */
sl@0	182	if (s->packet != s->s3->rbuf.buf)
sl@0	183	{
sl@0	184	/* off > 0 */
sl@0	185	memmove(s->s3->rbuf.buf, s->packet, off+newb);
sl@0	186	s->packet = s->s3->rbuf.buf;
sl@0	187	}
sl@0	188
sl@0	189	while (newb < n)
sl@0	190	{
sl@0	191	/* Now we have off+newb bytes at the front of s->s3->rbuf.buf and need
sl@0	192	* to read in more until we have off+n (up to off+max if possible) */
sl@0	193
sl@0	194	clear_sys_error();
sl@0	195	if (s->rbio != NULL)
sl@0	196	{
sl@0	197	s->rwstate=SSL_READING;
sl@0	198	i=BIO_read(s->rbio, &(s->s3->rbuf.buf[off+newb]), max-newb);
sl@0	199	}
sl@0	200	else
sl@0	201	{
sl@0	202	SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
sl@0	203	i = -1;
sl@0	204	}
sl@0	205
sl@0	206	if (i <= 0)
sl@0	207	{
sl@0	208	s->s3->rbuf.left = newb;
sl@0	209	return(i);
sl@0	210	}
sl@0	211	newb+=i;
sl@0	212	}
sl@0	213
sl@0	214	/* done reading, now the book-keeping */
sl@0	215	s->s3->rbuf.offset = off + n;
sl@0	216	s->s3->rbuf.left = newb - n;
sl@0	217	s->packet_length += n;
sl@0	218	s->rwstate=SSL_NOTHING;
sl@0	219	return(n);
sl@0	220	}
sl@0	221
sl@0	222	/* Call this to get a new input record.
sl@0	223	* It will return <= 0 if more data is needed, normally due to an error
sl@0	224	* or non-blocking IO.
sl@0	225	* When it finishes, one packet has been decoded and can be found in
sl@0	226	* ssl->s3->rrec.type - is the type of record
sl@0	227	* ssl->s3->rrec.data, - data
sl@0	228	* ssl->s3->rrec.length, - number of bytes
sl@0	229	*/
sl@0	230	/* used only by ssl3_read_bytes */
sl@0	231	static int ssl3_get_record(SSL *s)
sl@0	232	{
sl@0	233	int ssl_major,ssl_minor,al;
sl@0	234	int enc_err,n,i,ret= -1;
sl@0	235	SSL3_RECORD *rr;
sl@0	236	SSL_SESSION *sess;
sl@0	237	unsigned char *p;
sl@0	238	unsigned char md[EVP_MAX_MD_SIZE];
sl@0	239	short version;
sl@0	240	unsigned int mac_size;
sl@0	241	int clear=0;
sl@0	242	size_t extra;
sl@0	243	int decryption_failed_or_bad_record_mac = 0;
sl@0	244	unsigned char *mac = NULL;
sl@0	245
sl@0	246	rr= &(s->s3->rrec);
sl@0	247	sess=s->session;
sl@0	248
sl@0	249	if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
sl@0	250	extra=SSL3_RT_MAX_EXTRA;
sl@0	251	else
sl@0	252	extra=0;
sl@0	253	if (extra != s->s3->rbuf.len - SSL3_RT_MAX_PACKET_SIZE)
sl@0	254	{
sl@0	255	/* actually likely an application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
sl@0	256	* set after ssl3_setup_buffers() was done */
sl@0	257	SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
sl@0	258	return -1;
sl@0	259	}
sl@0	260
sl@0	261	again:
sl@0	262	/* check if we have the header */
sl@0	263	if ( (s->rstate != SSL_ST_READ_BODY) \|\|
sl@0	264	(s->packet_length < SSL3_RT_HEADER_LENGTH))
sl@0	265	{
sl@0	266	n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
sl@0	267	if (n <= 0) return(n); /* error or non-blocking */
sl@0	268	s->rstate=SSL_ST_READ_BODY;
sl@0	269
sl@0	270	p=s->packet;
sl@0	271
sl@0	272	/* Pull apart the header into the SSL3_RECORD */
sl@0	273	rr->type= *(p++);
sl@0	274	ssl_major= *(p++);
sl@0	275	ssl_minor= *(p++);
sl@0	276	version=(ssl_major<<8)\|ssl_minor;
sl@0	277	n2s(p,rr->length);
sl@0	278
sl@0	279	/* Lets check version */
sl@0	280	if (!s->first_packet)
sl@0	281	{
sl@0	282	if (version != s->version)
sl@0	283	{
sl@0	284	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
sl@0	285	/* Send back error using their
sl@0	286	* version number :-) */
sl@0	287	s->version=version;
sl@0	288	al=SSL_AD_PROTOCOL_VERSION;
sl@0	289	goto f_err;
sl@0	290	}
sl@0	291	}
sl@0	292
sl@0	293	if ((version>>8) != SSL3_VERSION_MAJOR)
sl@0	294	{
sl@0	295	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
sl@0	296	goto err;
sl@0	297	}
sl@0	298
sl@0	299	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
sl@0	300	{
sl@0	301	al=SSL_AD_RECORD_OVERFLOW;
sl@0	302	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
sl@0	303	goto f_err;
sl@0	304	}
sl@0	305
sl@0	306	/* now s->rstate == SSL_ST_READ_BODY */
sl@0	307	}
sl@0	308
sl@0	309	/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
sl@0	310
sl@0	311	if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH)
sl@0	312	{
sl@0	313	/* now s->packet_length == SSL3_RT_HEADER_LENGTH */
sl@0	314	i=rr->length;
sl@0	315	n=ssl3_read_n(s,i,i,1);
sl@0	316	if (n <= 0) return(n); /* error or non-blocking io */
sl@0	317	/* now n == rr->length,
sl@0	318	* and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
sl@0	319	}
sl@0	320
sl@0	321	s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
sl@0	322
sl@0	323	/* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
sl@0	324	* and we have that many bytes in s->packet
sl@0	325	*/
sl@0	326	rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
sl@0	327
sl@0	328	/* ok, we can now read from 's->packet' data into 'rr'
sl@0	329	* rr->input points at rr->length bytes, which
sl@0	330	* need to be copied into rr->data by either
sl@0	331	* the decryption or by the decompression
sl@0	332	* When the data is 'copied' into the rr->data buffer,
sl@0	333	* rr->input will be pointed at the new buffer */
sl@0	334
sl@0	335	/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
sl@0	336	* rr->length bytes of encrypted compressed stuff. */
sl@0	337
sl@0	338	/* check is not needed I believe */
sl@0	339	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
sl@0	340	{
sl@0	341	al=SSL_AD_RECORD_OVERFLOW;
sl@0	342	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
sl@0	343	goto f_err;
sl@0	344	}
sl@0	345
sl@0	346	/* decrypt in place in 'rr->input' */
sl@0	347	rr->data=rr->input;
sl@0	348
sl@0	349	enc_err = s->method->ssl3_enc->enc(s,0);
sl@0	350	if (enc_err <= 0)
sl@0	351	{
sl@0	352	if (enc_err == 0)
sl@0	353	/* SSLerr() and ssl3_send_alert() have been called */
sl@0	354	goto err;
sl@0	355
sl@0	356	/* Otherwise enc_err == -1, which indicates bad padding
sl@0	357	* (rec->length has not been changed in this case).
sl@0	358	* To minimize information leaked via timing, we will perform
sl@0	359	* the MAC computation anyway. */
sl@0	360	decryption_failed_or_bad_record_mac = 1;
sl@0	361	}
sl@0	362
sl@0	363	#ifdef TLS_DEBUG
sl@0	364	printf("dec %d\n",rr->length);
sl@0	365	{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
sl@0	366	printf("\n");
sl@0	367	#endif
sl@0	368
sl@0	369	/* r->length is now the compressed data plus mac */
sl@0	370	if ( (sess == NULL) \|\|
sl@0	371	(s->enc_read_ctx == NULL) \|\|
sl@0	372	(s->read_hash == NULL))
sl@0	373	clear=1;
sl@0	374
sl@0	375	if (!clear)
sl@0	376	{
sl@0	377	mac_size=EVP_MD_size(s->read_hash);
sl@0	378
sl@0	379	if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
sl@0	380	{
sl@0	381	#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
sl@0	382	al=SSL_AD_RECORD_OVERFLOW;
sl@0	383	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
sl@0	384	goto f_err;
sl@0	385	#else
sl@0	386	decryption_failed_or_bad_record_mac = 1;
sl@0	387	#endif
sl@0	388	}
sl@0	389	/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
sl@0	390	if (rr->length >= mac_size)
sl@0	391	{
sl@0	392	rr->length -= mac_size;
sl@0	393	mac = &rr->data[rr->length];
sl@0	394	}
sl@0	395	else
sl@0	396	{
sl@0	397	/* record (minus padding) is too short to contain a MAC */
sl@0	398	#if 0 /* OK only for stream ciphers */
sl@0	399	al=SSL_AD_DECODE_ERROR;
sl@0	400	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
sl@0	401	goto f_err;
sl@0	402	#else
sl@0	403	decryption_failed_or_bad_record_mac = 1;
sl@0	404	rr->length = 0;
sl@0	405	#endif
sl@0	406	}
sl@0	407	i=s->method->ssl3_enc->mac(s,md,0);
sl@0	408	if (mac == NULL \|\| memcmp(md, mac, mac_size) != 0)
sl@0	409	{
sl@0	410	decryption_failed_or_bad_record_mac = 1;
sl@0	411	}
sl@0	412	}
sl@0	413
sl@0	414	if (decryption_failed_or_bad_record_mac)
sl@0	415	{
sl@0	416	/* A separate 'decryption_failed' alert was introduced with TLS 1.0,
sl@0	417	* SSL 3.0 only has 'bad_record_mac'. But unless a decryption
sl@0	418	* failure is directly visible from the ciphertext anyway,
sl@0	419	* we should not reveal which kind of error occured -- this
sl@0	420	* might become visible to an attacker (e.g. via a logfile) */
sl@0	421	al=SSL_AD_BAD_RECORD_MAC;
sl@0	422	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
sl@0	423	goto f_err;
sl@0	424	}
sl@0	425
sl@0	426	/* r->length is now just compressed */
sl@0	427	if (s->expand != NULL)
sl@0	428	{
sl@0	429	if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
sl@0	430	{
sl@0	431	al=SSL_AD_RECORD_OVERFLOW;
sl@0	432	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
sl@0	433	goto f_err;
sl@0	434	}
sl@0	435	if (!ssl3_do_uncompress(s))
sl@0	436	{
sl@0	437	al=SSL_AD_DECOMPRESSION_FAILURE;
sl@0	438	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
sl@0	439	goto f_err;
sl@0	440	}
sl@0	441	}
sl@0	442
sl@0	443	if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra)
sl@0	444	{
sl@0	445	al=SSL_AD_RECORD_OVERFLOW;
sl@0	446	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
sl@0	447	goto f_err;
sl@0	448	}
sl@0	449
sl@0	450	rr->off=0;
sl@0	451	/* So at this point the following is true
sl@0	452	* ssl->s3->rrec.type is the type of record
sl@0	453	* ssl->s3->rrec.length == number of bytes in record
sl@0	454	* ssl->s3->rrec.off == offset to first valid byte
sl@0	455	* ssl->s3->rrec.data == where to take bytes from, increment
sl@0	456	* after use :-).
sl@0	457	*/
sl@0	458
sl@0	459	/* we have pulled in a full packet so zero things */
sl@0	460	s->packet_length=0;
sl@0	461
sl@0	462	/* just read a 0 length packet */
sl@0	463	if (rr->length == 0) goto again;
sl@0	464
sl@0	465	return(1);
sl@0	466
sl@0	467	f_err:
sl@0	468	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0	469	err:
sl@0	470	return(ret);
sl@0	471	}
sl@0	472
sl@0	473	int ssl3_do_uncompress(SSL *ssl)
sl@0	474	{
sl@0	475	#ifndef OPENSSL_NO_COMP
sl@0	476	int i;
sl@0	477	SSL3_RECORD *rr;
sl@0	478
sl@0	479	rr= &(ssl->s3->rrec);
sl@0	480	i=COMP_expand_block(ssl->expand,rr->comp,
sl@0	481	SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
sl@0	482	if (i < 0)
sl@0	483	return(0);
sl@0	484	else
sl@0	485	rr->length=i;
sl@0	486	rr->data=rr->comp;
sl@0	487	#endif
sl@0	488	return(1);
sl@0	489	}
sl@0	490
sl@0	491	int ssl3_do_compress(SSL *ssl)
sl@0	492	{
sl@0	493	#ifndef OPENSSL_NO_COMP
sl@0	494	int i;
sl@0	495	SSL3_RECORD *wr;
sl@0	496
sl@0	497	wr= &(ssl->s3->wrec);
sl@0	498	i=COMP_compress_block(ssl->compress,wr->data,
sl@0	499	SSL3_RT_MAX_COMPRESSED_LENGTH,
sl@0	500	wr->input,(int)wr->length);
sl@0	501	if (i < 0)
sl@0	502	return(0);
sl@0	503	else
sl@0	504	wr->length=i;
sl@0	505
sl@0	506	wr->input=wr->data;
sl@0	507	#endif
sl@0	508	return(1);
sl@0	509	}
sl@0	510
sl@0	511	/* Call this to write data in records of type 'type'
sl@0	512	* It will return <= 0 if not all data has been sent or non-blocking IO.
sl@0	513	*/
sl@0	514	int ssl3_write_bytes(SSL s, int type, const void buf_, int len)
sl@0	515	{
sl@0	516	const unsigned char *buf=buf_;
sl@0	517	unsigned int tot,n,nw;
sl@0	518	int i;
sl@0	519
sl@0	520	s->rwstate=SSL_NOTHING;
sl@0	521	tot=s->s3->wnum;
sl@0	522	s->s3->wnum=0;
sl@0	523
sl@0	524	if (SSL_in_init(s) && !s->in_handshake)
sl@0	525	{
sl@0	526	i=s->handshake_func(s);
sl@0	527	if (i < 0) return(i);
sl@0	528	if (i == 0)
sl@0	529	{
sl@0	530	SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
sl@0	531	return -1;
sl@0	532	}
sl@0	533	}
sl@0	534
sl@0	535	n=(len-tot);
sl@0	536	for (;;)
sl@0	537	{
sl@0	538	if (n > SSL3_RT_MAX_PLAIN_LENGTH)
sl@0	539	nw=SSL3_RT_MAX_PLAIN_LENGTH;
sl@0	540	else
sl@0	541	nw=n;
sl@0	542
sl@0	543	i=do_ssl3_write(s, type, &(buf[tot]), nw, 0);
sl@0	544	if (i <= 0)
sl@0	545	{
sl@0	546	s->s3->wnum=tot;
sl@0	547	return i;
sl@0	548	}
sl@0	549
sl@0	550	if ((i == (int)n) \|\|
sl@0	551	(type == SSL3_RT_APPLICATION_DATA &&
sl@0	552	(s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
sl@0	553	{
sl@0	554	/* next chunk of data should get another prepended empty fragment
sl@0	555	* in ciphersuites with known-IV weakness: */
sl@0	556	s->s3->empty_fragment_done = 0;
sl@0	557
sl@0	558	return tot+i;
sl@0	559	}
sl@0	560
sl@0	561	n-=i;
sl@0	562	tot+=i;
sl@0	563	}
sl@0	564	}
sl@0	565
sl@0	566	static int do_ssl3_write(SSL s, int type, const unsigned char buf,
sl@0	567	unsigned int len, int create_empty_fragment)
sl@0	568	{
sl@0	569	unsigned char p,plen;
sl@0	570	int i,mac_size,clear=0;
sl@0	571	int prefix_len = 0;
sl@0	572	SSL3_RECORD *wr;
sl@0	573	SSL3_BUFFER *wb;
sl@0	574	SSL_SESSION *sess;
sl@0	575
sl@0	576	/* first check if there is a SSL3_BUFFER still being written
sl@0	577	* out. This will happen with non blocking IO */
sl@0	578	if (s->s3->wbuf.left != 0)
sl@0	579	return(ssl3_write_pending(s,type,buf,len));
sl@0	580
sl@0	581	/* If we have an alert to send, lets send it */
sl@0	582	if (s->s3->alert_dispatch)
sl@0	583	{
sl@0	584	i=s->method->ssl_dispatch_alert(s);
sl@0	585	if (i <= 0)
sl@0	586	return(i);
sl@0	587	/* if it went, fall through and send more stuff */
sl@0	588	}
sl@0	589
sl@0	590	if (len == 0 && !create_empty_fragment)
sl@0	591	return 0;
sl@0	592
sl@0	593	wr= &(s->s3->wrec);
sl@0	594	wb= &(s->s3->wbuf);
sl@0	595	sess=s->session;
sl@0	596
sl@0	597	if ( (sess == NULL) \|\|
sl@0	598	(s->enc_write_ctx == NULL) \|\|
sl@0	599	(s->write_hash == NULL))
sl@0	600	clear=1;
sl@0	601
sl@0	602	if (clear)
sl@0	603	mac_size=0;
sl@0	604	else
sl@0	605	mac_size=EVP_MD_size(s->write_hash);
sl@0	606
sl@0	607	/* 'create_empty_fragment' is true only when this function calls itself */
sl@0	608	if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done)
sl@0	609	{
sl@0	610	/* countermeasure against known-IV weakness in CBC ciphersuites
sl@0	611	* (see http://www.openssl.org/~bodo/tls-cbc.txt) */
sl@0	612
sl@0	613	if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
sl@0	614	{
sl@0	615	/* recursive function call with 'create_empty_fragment' set;
sl@0	616	* this prepares and buffers the data for an empty fragment
sl@0	617	* (these 'prefix_len' bytes are sent out later
sl@0	618	* together with the actual payload) */
sl@0	619	prefix_len = do_ssl3_write(s, type, buf, 0, 1);
sl@0	620	if (prefix_len <= 0)
sl@0	621	goto err;
sl@0	622
sl@0	623	if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
sl@0	624	{
sl@0	625	/* insufficient space */
sl@0	626	SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
sl@0	627	goto err;
sl@0	628	}
sl@0	629	}
sl@0	630
sl@0	631	s->s3->empty_fragment_done = 1;
sl@0	632	}
sl@0	633
sl@0	634	p = wb->buf + prefix_len;
sl@0	635
sl@0	636	/* write the header */
sl@0	637
sl@0	638	*(p++)=type&0xff;
sl@0	639	wr->type=type;
sl@0	640
sl@0	641	*(p++)=(s->version>>8);
sl@0	642	*(p++)=s->version&0xff;
sl@0	643
sl@0	644	/* field where we are to write out packet length */
sl@0	645	plen=p;
sl@0	646	p+=2;
sl@0	647
sl@0	648	/* lets setup the record stuff. */
sl@0	649	wr->data=p;
sl@0	650	wr->length=(int)len;
sl@0	651	wr->input=(unsigned char *)buf;
sl@0	652
sl@0	653	/* we now 'read' from wr->input, wr->length bytes into
sl@0	654	* wr->data */
sl@0	655
sl@0	656	/* first we compress */
sl@0	657	if (s->compress != NULL)
sl@0	658	{
sl@0	659	if (!ssl3_do_compress(s))
sl@0	660	{
sl@0	661	SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
sl@0	662	goto err;
sl@0	663	}
sl@0	664	}
sl@0	665	else
sl@0	666	{
sl@0	667	memcpy(wr->data,wr->input,wr->length);
sl@0	668	wr->input=wr->data;
sl@0	669	}
sl@0	670
sl@0	671	/* we should still have the output to wr->data and the input
sl@0	672	* from wr->input. Length should be wr->length.
sl@0	673	* wr->data still points in the wb->buf */
sl@0	674
sl@0	675	if (mac_size != 0)
sl@0	676	{
sl@0	677	s->method->ssl3_enc->mac(s,&(p[wr->length]),1);
sl@0	678	wr->length+=mac_size;
sl@0	679	wr->input=p;
sl@0	680	wr->data=p;
sl@0	681	}
sl@0	682
sl@0	683	/* ssl3_enc can only have an error on read */
sl@0	684	s->method->ssl3_enc->enc(s,1);
sl@0	685
sl@0	686	/* record length after mac and block padding */
sl@0	687	s2n(wr->length,plen);
sl@0	688
sl@0	689	/* we should now have
sl@0	690	* wr->data pointing to the encrypted data, which is
sl@0	691	* wr->length long */
sl@0	692	wr->type=type; /* not needed but helps for debugging */
sl@0	693	wr->length+=SSL3_RT_HEADER_LENGTH;
sl@0	694
sl@0	695	if (create_empty_fragment)
sl@0	696	{
sl@0	697	/* we are in a recursive call;
sl@0	698	* just return the length, don't write out anything here
sl@0	699	*/
sl@0	700	return wr->length;
sl@0	701	}
sl@0	702
sl@0	703	/* now let's set up wb */
sl@0	704	wb->left = prefix_len + wr->length;
sl@0	705	wb->offset = 0;
sl@0	706
sl@0	707	/* memorize arguments so that ssl3_write_pending can detect bad write retries later */
sl@0	708	s->s3->wpend_tot=len;
sl@0	709	s->s3->wpend_buf=buf;
sl@0	710	s->s3->wpend_type=type;
sl@0	711	s->s3->wpend_ret=len;
sl@0	712
sl@0	713	/* we now just need to write the buffer */
sl@0	714	return ssl3_write_pending(s,type,buf,len);
sl@0	715	err:
sl@0	716	return -1;
sl@0	717	}
sl@0	718
sl@0	719	/* if s->s3->wbuf.left != 0, we need to call this */
sl@0	720	int ssl3_write_pending(SSL s, int type, const unsigned char buf,
sl@0	721	unsigned int len)
sl@0	722	{
sl@0	723	int i;
sl@0	724
sl@0	725	/* XXXX */
sl@0	726	if ((s->s3->wpend_tot > (int)len)
sl@0	727	\|\| ((s->s3->wpend_buf != buf) &&
sl@0	728	!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
sl@0	729	\|\| (s->s3->wpend_type != type))
sl@0	730	{
sl@0	731	SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
sl@0	732	return(-1);
sl@0	733	}
sl@0	734
sl@0	735	for (;;)
sl@0	736	{
sl@0	737	clear_sys_error();
sl@0	738	if (s->wbio != NULL)
sl@0	739	{
sl@0	740	s->rwstate=SSL_WRITING;
sl@0	741	i=BIO_write(s->wbio,
sl@0	742	(char *)&(s->s3->wbuf.buf[s->s3->wbuf.offset]),
sl@0	743	(unsigned int)s->s3->wbuf.left);
sl@0	744	}
sl@0	745	else
sl@0	746	{
sl@0	747	SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
sl@0	748	i= -1;
sl@0	749	}
sl@0	750	if (i == s->s3->wbuf.left)
sl@0	751	{
sl@0	752	s->s3->wbuf.left=0;
sl@0	753	s->rwstate=SSL_NOTHING;
sl@0	754	return(s->s3->wpend_ret);
sl@0	755	}
sl@0	756	else if (i <= 0)
sl@0	757	return(i);
sl@0	758	s->s3->wbuf.offset+=i;
sl@0	759	s->s3->wbuf.left-=i;
sl@0	760	}
sl@0	761	}
sl@0	762
sl@0	763	/* Return up to 'len' payload bytes received in 'type' records.
sl@0	764	* 'type' is one of the following:
sl@0	765	*
sl@0	766	* - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
sl@0	767	* - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
sl@0	768	* - 0 (during a shutdown, no data has to be returned)
sl@0	769	*
sl@0	770	* If we don't have stored data to work from, read a SSL/TLS record first
sl@0	771	* (possibly multiple records if we still don't have anything to return).
sl@0	772	*
sl@0	773	* This function must handle any surprises the peer may have for us, such as
sl@0	774	* Alert records (e.g. close_notify), ChangeCipherSpec records (not really
sl@0	775	* a surprise, but handled as if it were), or renegotiation requests.
sl@0	776	* Also if record payloads contain fragments too small to process, we store
sl@0	777	* them until there is enough for the respective protocol (the record protocol
sl@0	778	* may use arbitrary fragmentation and even interleaving):
sl@0	779	* Change cipher spec protocol
sl@0	780	* just 1 byte needed, no need for keeping anything stored
sl@0	781	* Alert protocol
sl@0	782	* 2 bytes needed (AlertLevel, AlertDescription)
sl@0	783	* Handshake protocol
sl@0	784	* 4 bytes needed (HandshakeType, uint24 length) -- we just have
sl@0	785	* to detect unexpected Client Hello and Hello Request messages
sl@0	786	* here, anything else is handled by higher layers
sl@0	787	* Application data protocol
sl@0	788	* none of our business
sl@0	789	*/
sl@0	790	int ssl3_read_bytes(SSL s, int type, unsigned char buf, int len, int peek)
sl@0	791	{
sl@0	792	int al,i,j,ret;
sl@0	793	unsigned int n;
sl@0	794	SSL3_RECORD *rr;
sl@0	795	void (cb)(const SSL ssl,int type2,int val)=NULL;
sl@0	796
sl@0	797	if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
sl@0	798	if (!ssl3_setup_buffers(s))
sl@0	799	return(-1);
sl@0	800
sl@0	801	if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) \|\|
sl@0	802	(peek && (type != SSL3_RT_APPLICATION_DATA)))
sl@0	803	{
sl@0	804	SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
sl@0	805	return -1;
sl@0	806	}
sl@0	807
sl@0	808	if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
sl@0	809	/* (partially) satisfy request from storage */
sl@0	810	{
sl@0	811	unsigned char *src = s->s3->handshake_fragment;
sl@0	812	unsigned char *dst = buf;
sl@0	813	unsigned int k;
sl@0	814
sl@0	815	/* peek == 0 */
sl@0	816	n = 0;
sl@0	817	while ((len > 0) && (s->s3->handshake_fragment_len > 0))
sl@0	818	{
sl@0	819	dst++ = src++;
sl@0	820	len--; s->s3->handshake_fragment_len--;
sl@0	821	n++;
sl@0	822	}
sl@0	823	/* move any remaining fragment bytes: */
sl@0	824	for (k = 0; k < s->s3->handshake_fragment_len; k++)
sl@0	825	s->s3->handshake_fragment[k] = *src++;
sl@0	826	return n;
sl@0	827	}
sl@0	828
sl@0	829	/* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
sl@0	830
sl@0	831	if (!s->in_handshake && SSL_in_init(s))
sl@0	832	{
sl@0	833	/* type == SSL3_RT_APPLICATION_DATA */
sl@0	834	i=s->handshake_func(s);
sl@0	835	if (i < 0) return(i);
sl@0	836	if (i == 0)
sl@0	837	{
sl@0	838	SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
sl@0	839	return(-1);
sl@0	840	}
sl@0	841	}
sl@0	842	start:
sl@0	843	s->rwstate=SSL_NOTHING;
sl@0	844
sl@0	845	/* s->s3->rrec.type - is the type of record
sl@0	846	* s->s3->rrec.data, - data
sl@0	847	* s->s3->rrec.off, - offset into 'data' for next read
sl@0	848	* s->s3->rrec.length, - number of bytes. */
sl@0	849	rr = &(s->s3->rrec);
sl@0	850
sl@0	851	/* get new packet if necessary */
sl@0	852	if ((rr->length == 0) \|\| (s->rstate == SSL_ST_READ_BODY))
sl@0	853	{
sl@0	854	ret=ssl3_get_record(s);
sl@0	855	if (ret <= 0) return(ret);
sl@0	856	}
sl@0	857
sl@0	858	/* we now have a packet which can be read and processed */
sl@0	859
sl@0	860	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
sl@0	861	* reset by ssl3_get_finished */
sl@0	862	&& (rr->type != SSL3_RT_HANDSHAKE))
sl@0	863	{
sl@0	864	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	865	SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
sl@0	866	goto f_err;
sl@0	867	}
sl@0	868
sl@0	869	/* If the other end has shut down, throw anything we read away
sl@0	870	* (even in 'peek' mode) */
sl@0	871	if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
sl@0	872	{
sl@0	873	rr->length=0;
sl@0	874	s->rwstate=SSL_NOTHING;
sl@0	875	return(0);
sl@0	876	}
sl@0	877
sl@0	878
sl@0	879	if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
sl@0	880	{
sl@0	881	/* make sure that we are not getting application data when we
sl@0	882	* are doing a handshake for the first time */
sl@0	883	if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
sl@0	884	(s->enc_read_ctx == NULL))
sl@0	885	{
sl@0	886	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	887	SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
sl@0	888	goto f_err;
sl@0	889	}
sl@0	890
sl@0	891	if (len <= 0) return(len);
sl@0	892
sl@0	893	if ((unsigned int)len > rr->length)
sl@0	894	n = rr->length;
sl@0	895	else
sl@0	896	n = (unsigned int)len;
sl@0	897
sl@0	898	memcpy(buf,&(rr->data[rr->off]),n);
sl@0	899	if (!peek)
sl@0	900	{
sl@0	901	rr->length-=n;
sl@0	902	rr->off+=n;
sl@0	903	if (rr->length == 0)
sl@0	904	{
sl@0	905	s->rstate=SSL_ST_READ_HEADER;
sl@0	906	rr->off=0;
sl@0	907	}
sl@0	908	}
sl@0	909	return(n);
sl@0	910	}
sl@0	911
sl@0	912
sl@0	913	/* If we get here, then type != rr->type; if we have a handshake
sl@0	914	* message, then it was unexpected (Hello Request or Client Hello). */
sl@0	915
sl@0	916	/* In case of record types for which we have 'fragment' storage,
sl@0	917	* fill that so that we can process the data at a fixed place.
sl@0	918	*/
sl@0	919	{
sl@0	920	unsigned int dest_maxlen = 0;
sl@0	921	unsigned char *dest = NULL;
sl@0	922	unsigned int *dest_len = NULL;
sl@0	923
sl@0	924	if (rr->type == SSL3_RT_HANDSHAKE)
sl@0	925	{
sl@0	926	dest_maxlen = sizeof s->s3->handshake_fragment;
sl@0	927	dest = s->s3->handshake_fragment;
sl@0	928	dest_len = &s->s3->handshake_fragment_len;
sl@0	929	}
sl@0	930	else if (rr->type == SSL3_RT_ALERT)
sl@0	931	{
sl@0	932	dest_maxlen = sizeof s->s3->alert_fragment;
sl@0	933	dest = s->s3->alert_fragment;
sl@0	934	dest_len = &s->s3->alert_fragment_len;
sl@0	935	}
sl@0	936
sl@0	937	if (dest_maxlen > 0)
sl@0	938	{
sl@0	939	n = dest_maxlen - dest_len; / available space in 'dest' */
sl@0	940	if (rr->length < n)
sl@0	941	n = rr->length; /* available bytes */
sl@0	942
sl@0	943	/* now move 'n' bytes: */
sl@0	944	while (n-- > 0)
sl@0	945	{
sl@0	946	dest[(*dest_len)++] = rr->data[rr->off++];
sl@0	947	rr->length--;
sl@0	948	}
sl@0	949
sl@0	950	if (*dest_len < dest_maxlen)
sl@0	951	goto start; /* fragment was too small */
sl@0	952	}
sl@0	953	}
sl@0	954
sl@0	955	/* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
sl@0	956	* s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
sl@0	957	* (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
sl@0	958
sl@0	959	/* If we are a client, check for an incoming 'Hello Request': */
sl@0	960	if ((!s->server) &&
sl@0	961	(s->s3->handshake_fragment_len >= 4) &&
sl@0	962	(s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
sl@0	963	(s->session != NULL) && (s->session->cipher != NULL))
sl@0	964	{
sl@0	965	s->s3->handshake_fragment_len = 0;
sl@0	966
sl@0	967	if ((s->s3->handshake_fragment[1] != 0) \|\|
sl@0	968	(s->s3->handshake_fragment[2] != 0) \|\|
sl@0	969	(s->s3->handshake_fragment[3] != 0))
sl@0	970	{
sl@0	971	al=SSL_AD_DECODE_ERROR;
sl@0	972	SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
sl@0	973	goto f_err;
sl@0	974	}
sl@0	975
sl@0	976	if (s->msg_callback)
sl@0	977	s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
sl@0	978
sl@0	979	if (SSL_is_init_finished(s) &&
sl@0	980	!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
sl@0	981	!s->s3->renegotiate)
sl@0	982	{
sl@0	983	ssl3_renegotiate(s);
sl@0	984	if (ssl3_renegotiate_check(s))
sl@0	985	{
sl@0	986	i=s->handshake_func(s);
sl@0	987	if (i < 0) return(i);
sl@0	988	if (i == 0)
sl@0	989	{
sl@0	990	SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
sl@0	991	return(-1);
sl@0	992	}
sl@0	993
sl@0	994	if (!(s->mode & SSL_MODE_AUTO_RETRY))
sl@0	995	{
sl@0	996	if (s->s3->rbuf.left == 0) /* no read-ahead left? */
sl@0	997	{
sl@0	998	BIO *bio;
sl@0	999	/* In the case where we try to read application data,
sl@0	1000	* but we trigger an SSL handshake, we return -1 with
sl@0	1001	* the retry option set. Otherwise renegotiation may
sl@0	1002	* cause nasty problems in the blocking world */
sl@0	1003	s->rwstate=SSL_READING;
sl@0	1004	bio=SSL_get_rbio(s);
sl@0	1005	BIO_clear_retry_flags(bio);
sl@0	1006	BIO_set_retry_read(bio);
sl@0	1007	return(-1);
sl@0	1008	}
sl@0	1009	}
sl@0	1010	}
sl@0	1011	}
sl@0	1012	/* we either finished a handshake or ignored the request,
sl@0	1013	* now try again to obtain the (application) data we were asked for */
sl@0	1014	goto start;
sl@0	1015	}
sl@0	1016
sl@0	1017	if (s->s3->alert_fragment_len >= 2)
sl@0	1018	{
sl@0	1019	int alert_level = s->s3->alert_fragment[0];
sl@0	1020	int alert_descr = s->s3->alert_fragment[1];
sl@0	1021
sl@0	1022	s->s3->alert_fragment_len = 0;
sl@0	1023
sl@0	1024	if (s->msg_callback)
sl@0	1025	s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
sl@0	1026
sl@0	1027	if (s->info_callback != NULL)
sl@0	1028	cb=s->info_callback;
sl@0	1029	else if (s->ctx->info_callback != NULL)
sl@0	1030	cb=s->ctx->info_callback;
sl@0	1031
sl@0	1032	if (cb != NULL)
sl@0	1033	{
sl@0	1034	j = (alert_level << 8) \| alert_descr;
sl@0	1035	cb(s, SSL_CB_READ_ALERT, j);
sl@0	1036	}
sl@0	1037
sl@0	1038	if (alert_level == 1) /* warning */
sl@0	1039	{
sl@0	1040	s->s3->warn_alert = alert_descr;
sl@0	1041	if (alert_descr == SSL_AD_CLOSE_NOTIFY)
sl@0	1042	{
sl@0	1043	s->shutdown \|= SSL_RECEIVED_SHUTDOWN;
sl@0	1044	return(0);
sl@0	1045	}
sl@0	1046	}
sl@0	1047	else if (alert_level == 2) /* fatal */
sl@0	1048	{
sl@0	1049	char tmp[16];
sl@0	1050
sl@0	1051	s->rwstate=SSL_NOTHING;
sl@0	1052	s->s3->fatal_alert = alert_descr;
sl@0	1053	SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
sl@0	1054	BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
sl@0	1055	ERR_add_error_data(2,"SSL alert number ",tmp);
sl@0	1056	s->shutdown\|=SSL_RECEIVED_SHUTDOWN;
sl@0	1057	SSL_CTX_remove_session(s->ctx,s->session);
sl@0	1058	return(0);
sl@0	1059	}
sl@0	1060	else
sl@0	1061	{
sl@0	1062	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	1063	SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
sl@0	1064	goto f_err;
sl@0	1065	}
sl@0	1066
sl@0	1067	goto start;
sl@0	1068	}
sl@0	1069
sl@0	1070	if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
sl@0	1071	{
sl@0	1072	s->rwstate=SSL_NOTHING;
sl@0	1073	rr->length=0;
sl@0	1074	return(0);
sl@0	1075	}
sl@0	1076
sl@0	1077	if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
sl@0	1078	{
sl@0	1079	/* 'Change Cipher Spec' is just a single byte, so we know
sl@0	1080	* exactly what the record payload has to look like */
sl@0	1081	if ( (rr->length != 1) \|\| (rr->off != 0) \|\|
sl@0	1082	(rr->data[0] != SSL3_MT_CCS))
sl@0	1083	{
sl@0	1084	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	1085	SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
sl@0	1086	goto f_err;
sl@0	1087	}
sl@0	1088
sl@0	1089	/* Check we have a cipher to change to */
sl@0	1090	if (s->s3->tmp.new_cipher == NULL)
sl@0	1091	{
sl@0	1092	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	1093	SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
sl@0	1094	goto f_err;
sl@0	1095	}
sl@0	1096
sl@0	1097	rr->length=0;
sl@0	1098
sl@0	1099	if (s->msg_callback)
sl@0	1100	s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
sl@0	1101
sl@0	1102	s->s3->change_cipher_spec=1;
sl@0	1103	if (!ssl3_do_change_cipher_spec(s))
sl@0	1104	goto err;
sl@0	1105	else
sl@0	1106	goto start;
sl@0	1107	}
sl@0	1108
sl@0	1109	/* Unexpected handshake message (Client Hello, or protocol violation) */
sl@0	1110	if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
sl@0	1111	{
sl@0	1112	if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
sl@0	1113	!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
sl@0	1114	{
sl@0	1115	#if 0 /* worked only because C operator preferences are not as expected (and
sl@0	1116	* because this is not really needed for clients except for detecting
sl@0	1117	* protocol violations): */
sl@0	1118	s->state=SSL_ST_BEFORE\|(s->server)
sl@0	1119	?SSL_ST_ACCEPT
sl@0	1120	:SSL_ST_CONNECT;
sl@0	1121	#else
sl@0	1122	s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
sl@0	1123	#endif
sl@0	1124	s->new_session=1;
sl@0	1125	}
sl@0	1126	i=s->handshake_func(s);
sl@0	1127	if (i < 0) return(i);
sl@0	1128	if (i == 0)
sl@0	1129	{
sl@0	1130	SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
sl@0	1131	return(-1);
sl@0	1132	}
sl@0	1133
sl@0	1134	if (!(s->mode & SSL_MODE_AUTO_RETRY))
sl@0	1135	{
sl@0	1136	if (s->s3->rbuf.left == 0) /* no read-ahead left? */
sl@0	1137	{
sl@0	1138	BIO *bio;
sl@0	1139	/* In the case where we try to read application data,
sl@0	1140	* but we trigger an SSL handshake, we return -1 with
sl@0	1141	* the retry option set. Otherwise renegotiation may
sl@0	1142	* cause nasty problems in the blocking world */
sl@0	1143	s->rwstate=SSL_READING;
sl@0	1144	bio=SSL_get_rbio(s);
sl@0	1145	BIO_clear_retry_flags(bio);
sl@0	1146	BIO_set_retry_read(bio);
sl@0	1147	return(-1);
sl@0	1148	}
sl@0	1149	}
sl@0	1150	goto start;
sl@0	1151	}
sl@0	1152
sl@0	1153	switch (rr->type)
sl@0	1154	{
sl@0	1155	default:
sl@0	1156	#ifndef OPENSSL_NO_TLS
sl@0	1157	/* TLS just ignores unknown message types */
sl@0	1158	if (s->version == TLS1_VERSION)
sl@0	1159	{
sl@0	1160	rr->length = 0;
sl@0	1161	goto start;
sl@0	1162	}
sl@0	1163	#endif
sl@0	1164	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	1165	SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
sl@0	1166	goto f_err;
sl@0	1167	case SSL3_RT_CHANGE_CIPHER_SPEC:
sl@0	1168	case SSL3_RT_ALERT:
sl@0	1169	case SSL3_RT_HANDSHAKE:
sl@0	1170	/* we already handled all of these, with the possible exception
sl@0	1171	* of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
sl@0	1172	* should not happen when type != rr->type */
sl@0	1173	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	1174	SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
sl@0	1175	goto f_err;
sl@0	1176	case SSL3_RT_APPLICATION_DATA:
sl@0	1177	/* At this point, we were expecting handshake data,
sl@0	1178	* but have application data. If the library was
sl@0	1179	* running inside ssl3_read() (i.e. in_read_app_data
sl@0	1180	* is set) and it makes sense to read application data
sl@0	1181	* at this point (session renegotiation not yet started),
sl@0	1182	* we will indulge it.
sl@0	1183	*/
sl@0	1184	if (s->s3->in_read_app_data &&
sl@0	1185	(s->s3->total_renegotiations != 0) &&
sl@0	1186	((
sl@0	1187	(s->state & SSL_ST_CONNECT) &&
sl@0	1188	(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
sl@0	1189	(s->state <= SSL3_ST_CR_SRVR_HELLO_A)
sl@0	1190	) \|\| (
sl@0	1191	(s->state & SSL_ST_ACCEPT) &&
sl@0	1192	(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
sl@0	1193	(s->state >= SSL3_ST_SR_CLNT_HELLO_A)
sl@0	1194	)
sl@0	1195	))
sl@0	1196	{
sl@0	1197	s->s3->in_read_app_data=2;
sl@0	1198	return(-1);
sl@0	1199	}
sl@0	1200	else
sl@0	1201	{
sl@0	1202	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	1203	SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
sl@0	1204	goto f_err;
sl@0	1205	}
sl@0	1206	}
sl@0	1207	/* not reached */
sl@0	1208
sl@0	1209	f_err:
sl@0	1210	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0	1211	err:
sl@0	1212	return(-1);
sl@0	1213	}
sl@0	1214
sl@0	1215	int ssl3_do_change_cipher_spec(SSL *s)
sl@0	1216	{
sl@0	1217	int i;
sl@0	1218	const char *sender;
sl@0	1219	int slen;
sl@0	1220
sl@0	1221	if (s->state & SSL_ST_ACCEPT)
sl@0	1222	i=SSL3_CHANGE_CIPHER_SERVER_READ;
sl@0	1223	else
sl@0	1224	i=SSL3_CHANGE_CIPHER_CLIENT_READ;
sl@0	1225
sl@0	1226	if (s->s3->tmp.key_block == NULL)
sl@0	1227	{
sl@0	1228	s->session->cipher=s->s3->tmp.new_cipher;
sl@0	1229	if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
sl@0	1230	}
sl@0	1231
sl@0	1232	if (!s->method->ssl3_enc->change_cipher_state(s,i))
sl@0	1233	return(0);
sl@0	1234
sl@0	1235	/* we have to record the message digest at
sl@0	1236	* this point so we can get it before we read
sl@0	1237	* the finished message */
sl@0	1238	if (s->state & SSL_ST_CONNECT)
sl@0	1239	{
sl@0	1240	sender=s->method->ssl3_enc->server_finished_label;
sl@0	1241	slen=s->method->ssl3_enc->server_finished_label_len;
sl@0	1242	}
sl@0	1243	else
sl@0	1244	{
sl@0	1245	sender=s->method->ssl3_enc->client_finished_label;
sl@0	1246	slen=s->method->ssl3_enc->client_finished_label_len;
sl@0	1247	}
sl@0	1248
sl@0	1249	s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
sl@0	1250	&(s->s3->finish_dgst1),
sl@0	1251	&(s->s3->finish_dgst2),
sl@0	1252	sender,slen,s->s3->tmp.peer_finish_md);
sl@0	1253
sl@0	1254	return(1);
sl@0	1255	}
sl@0	1256
sl@0	1257	void ssl3_send_alert(SSL *s, int level, int desc)
sl@0	1258	{
sl@0	1259	/* Map tls/ssl alert value to correct one */
sl@0	1260	desc=s->method->ssl3_enc->alert_value(desc);
sl@0	1261	if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
sl@0	1262	desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
sl@0	1263	if (desc < 0) return;
sl@0	1264	/* If a fatal one, remove from cache */
sl@0	1265	if ((level == 2) && (s->session != NULL))
sl@0	1266	SSL_CTX_remove_session(s->ctx,s->session);
sl@0	1267
sl@0	1268	s->s3->alert_dispatch=1;
sl@0	1269	s->s3->send_alert[0]=level;
sl@0	1270	s->s3->send_alert[1]=desc;
sl@0	1271	if (s->s3->wbuf.left == 0) /* data still being written out? */
sl@0	1272	s->method->ssl_dispatch_alert(s);
sl@0	1273	/* else data is still being written out, we will get written
sl@0	1274	* some time in the future */
sl@0	1275	}
sl@0	1276
sl@0	1277	int ssl3_dispatch_alert(SSL *s)
sl@0	1278	{
sl@0	1279	int i,j;
sl@0	1280	void (cb)(const SSL ssl,int type,int val)=NULL;
sl@0	1281
sl@0	1282	s->s3->alert_dispatch=0;
sl@0	1283	i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
sl@0	1284	if (i <= 0)
sl@0	1285	{
sl@0	1286	s->s3->alert_dispatch=1;
sl@0	1287	}
sl@0	1288	else
sl@0	1289	{
sl@0	1290	/* Alert sent to BIO. If it is important, flush it now.
sl@0	1291	* If the message does not get sent due to non-blocking IO,
sl@0	1292	* we will not worry too much. */
sl@0	1293	if (s->s3->send_alert[0] == SSL3_AL_FATAL)
sl@0	1294	(void)BIO_flush(s->wbio);
sl@0	1295
sl@0	1296	if (s->msg_callback)
sl@0	1297	s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
sl@0	1298
sl@0	1299	if (s->info_callback != NULL)
sl@0	1300	cb=s->info_callback;
sl@0	1301	else if (s->ctx->info_callback != NULL)
sl@0	1302	cb=s->ctx->info_callback;
sl@0	1303
sl@0	1304	if (cb != NULL)
sl@0	1305	{
sl@0	1306	j=(s->s3->send_alert[0]<<8)\|s->s3->send_alert[1];
sl@0	1307	cb(s,SSL_CB_WRITE_ALERT,j);
sl@0	1308	}
sl@0	1309	}
sl@0	1310	return(i);
sl@0	1311	}

author	sl@SLION-WIN7.fritz.box
	Fri, 15 Jun 2012 03:10:57 +0200
changeset 0	bde4ae8d615e
permissions	-rw-r--r--