1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/libssl/src/s3_pkt.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,1311 @@
1.4 +/* ssl/s3_pkt.c */
1.5 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
1.6 + * All rights reserved.
1.7 + *
1.8 + * This package is an SSL implementation written
1.9 + * by Eric Young (eay@cryptsoft.com).
1.10 + * The implementation was written so as to conform with Netscapes SSL.
1.11 + *
1.12 + * This library is free for commercial and non-commercial use as long as
1.13 + * the following conditions are aheared to. The following conditions
1.14 + * apply to all code found in this distribution, be it the RC4, RSA,
1.15 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1.16 + * included with this distribution is covered by the same copyright terms
1.17 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1.18 + *
1.19 + * Copyright remains Eric Young's, and as such any Copyright notices in
1.20 + * the code are not to be removed.
1.21 + * If this package is used in a product, Eric Young should be given attribution
1.22 + * as the author of the parts of the library used.
1.23 + * This can be in the form of a textual message at program startup or
1.24 + * in documentation (online or textual) provided with the package.
1.25 + *
1.26 + * Redistribution and use in source and binary forms, with or without
1.27 + * modification, are permitted provided that the following conditions
1.28 + * are met:
1.29 + * 1. Redistributions of source code must retain the copyright
1.30 + * notice, this list of conditions and the following disclaimer.
1.31 + * 2. Redistributions in binary form must reproduce the above copyright
1.32 + * notice, this list of conditions and the following disclaimer in the
1.33 + * documentation and/or other materials provided with the distribution.
1.34 + * 3. All advertising materials mentioning features or use of this software
1.35 + * must display the following acknowledgement:
1.36 + * "This product includes cryptographic software written by
1.37 + * Eric Young (eay@cryptsoft.com)"
1.38 + * The word 'cryptographic' can be left out if the rouines from the library
1.39 + * being used are not cryptographic related :-).
1.40 + * 4. If you include any Windows specific code (or a derivative thereof) from
1.41 + * the apps directory (application code) you must include an acknowledgement:
1.42 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
1.43 + *
1.44 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
1.45 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.46 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1.47 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1.48 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1.49 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1.50 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.51 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1.52 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1.53 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1.54 + * SUCH DAMAGE.
1.55 + *
1.56 + * The licence and distribution terms for any publically available version or
1.57 + * derivative of this code cannot be changed. i.e. this code cannot simply be
1.58 + * copied and put under another distribution licence
1.59 + * [including the GNU Public Licence.]
1.60 + */
1.61 +/* ====================================================================
1.62 + * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
1.63 + *
1.64 + * Redistribution and use in source and binary forms, with or without
1.65 + * modification, are permitted provided that the following conditions
1.66 + * are met:
1.67 + *
1.68 + * 1. Redistributions of source code must retain the above copyright
1.69 + * notice, this list of conditions and the following disclaimer.
1.70 + *
1.71 + * 2. Redistributions in binary form must reproduce the above copyright
1.72 + * notice, this list of conditions and the following disclaimer in
1.73 + * the documentation and/or other materials provided with the
1.74 + * distribution.
1.75 + *
1.76 + * 3. All advertising materials mentioning features or use of this
1.77 + * software must display the following acknowledgment:
1.78 + * "This product includes software developed by the OpenSSL Project
1.79 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
1.80 + *
1.81 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1.82 + * endorse or promote products derived from this software without
1.83 + * prior written permission. For written permission, please contact
1.84 + * openssl-core@openssl.org.
1.85 + *
1.86 + * 5. Products derived from this software may not be called "OpenSSL"
1.87 + * nor may "OpenSSL" appear in their names without prior written
1.88 + * permission of the OpenSSL Project.
1.89 + *
1.90 + * 6. Redistributions of any form whatsoever must retain the following
1.91 + * acknowledgment:
1.92 + * "This product includes software developed by the OpenSSL Project
1.93 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
1.94 + *
1.95 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1.96 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.97 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.98 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1.99 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.100 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.101 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1.102 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.103 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1.104 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.105 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1.106 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1.107 + * ====================================================================
1.108 + *
1.109 + * This product includes cryptographic software written by Eric Young
1.110 + * (eay@cryptsoft.com). This product includes software written by Tim
1.111 + * Hudson (tjh@cryptsoft.com).
1.112 + *
1.113 + */
1.114 +
1.115 +#include <stdio.h>
1.116 +#include <errno.h>
1.117 +#define USE_SOCKETS
1.118 +#include "ssl_locl.h"
1.119 +#include <openssl/evp.h>
1.120 +#include <openssl/buffer.h>
1.121 +
1.122 +static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
1.123 + unsigned int len, int create_empty_fragment);
1.124 +static int ssl3_get_record(SSL *s);
1.125 +
1.126 +int ssl3_read_n(SSL *s, int n, int max, int extend)
1.127 + {
1.128 + /* If extend == 0, obtain new n-byte packet; if extend == 1, increase
1.129 + * packet by another n bytes.
1.130 + * The packet will be in the sub-array of s->s3->rbuf.buf specified
1.131 + * by s->packet and s->packet_length.
1.132 + * (If s->read_ahead is set, 'max' bytes may be stored in rbuf
1.133 + * [plus s->packet_length bytes if extend == 1].)
1.134 + */
1.135 + int i,off,newb;
1.136 +
1.137 + if (!extend)
1.138 + {
1.139 + /* start with empty packet ... */
1.140 + if (s->s3->rbuf.left == 0)
1.141 + s->s3->rbuf.offset = 0;
1.142 + s->packet = s->s3->rbuf.buf + s->s3->rbuf.offset;
1.143 + s->packet_length = 0;
1.144 + /* ... now we can act as if 'extend' was set */
1.145 + }
1.146 +
1.147 + /* extend reads should not span multiple packets for DTLS */
1.148 + if ( SSL_version(s) == DTLS1_VERSION &&
1.149 + extend)
1.150 + {
1.151 + if ( s->s3->rbuf.left > 0 && n > s->s3->rbuf.left)
1.152 + n = s->s3->rbuf.left;
1.153 + }
1.154 +
1.155 + /* if there is enough in the buffer from a previous read, take some */
1.156 + if (s->s3->rbuf.left >= (int)n)
1.157 + {
1.158 + s->packet_length+=n;
1.159 + s->s3->rbuf.left-=n;
1.160 + s->s3->rbuf.offset+=n;
1.161 + return(n);
1.162 + }
1.163 +
1.164 + /* else we need to read more data */
1.165 + if (!s->read_ahead)
1.166 + max=n;
1.167 +
1.168 + {
1.169 + /* avoid buffer overflow */
1.170 + int max_max = s->s3->rbuf.len - s->packet_length;
1.171 + if (max > max_max)
1.172 + max = max_max;
1.173 + }
1.174 + if (n > max) /* does not happen */
1.175 + {
1.176 + SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
1.177 + return -1;
1.178 + }
1.179 +
1.180 + off = s->packet_length;
1.181 + newb = s->s3->rbuf.left;
1.182 + /* Move any available bytes to front of buffer:
1.183 + * 'off' bytes already pointed to by 'packet',
1.184 + * 'newb' extra ones at the end */
1.185 + if (s->packet != s->s3->rbuf.buf)
1.186 + {
1.187 + /* off > 0 */
1.188 + memmove(s->s3->rbuf.buf, s->packet, off+newb);
1.189 + s->packet = s->s3->rbuf.buf;
1.190 + }
1.191 +
1.192 + while (newb < n)
1.193 + {
1.194 + /* Now we have off+newb bytes at the front of s->s3->rbuf.buf and need
1.195 + * to read in more until we have off+n (up to off+max if possible) */
1.196 +
1.197 + clear_sys_error();
1.198 + if (s->rbio != NULL)
1.199 + {
1.200 + s->rwstate=SSL_READING;
1.201 + i=BIO_read(s->rbio, &(s->s3->rbuf.buf[off+newb]), max-newb);
1.202 + }
1.203 + else
1.204 + {
1.205 + SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
1.206 + i = -1;
1.207 + }
1.208 +
1.209 + if (i <= 0)
1.210 + {
1.211 + s->s3->rbuf.left = newb;
1.212 + return(i);
1.213 + }
1.214 + newb+=i;
1.215 + }
1.216 +
1.217 + /* done reading, now the book-keeping */
1.218 + s->s3->rbuf.offset = off + n;
1.219 + s->s3->rbuf.left = newb - n;
1.220 + s->packet_length += n;
1.221 + s->rwstate=SSL_NOTHING;
1.222 + return(n);
1.223 + }
1.224 +
1.225 +/* Call this to get a new input record.
1.226 + * It will return <= 0 if more data is needed, normally due to an error
1.227 + * or non-blocking IO.
1.228 + * When it finishes, one packet has been decoded and can be found in
1.229 + * ssl->s3->rrec.type - is the type of record
1.230 + * ssl->s3->rrec.data, - data
1.231 + * ssl->s3->rrec.length, - number of bytes
1.232 + */
1.233 +/* used only by ssl3_read_bytes */
1.234 +static int ssl3_get_record(SSL *s)
1.235 + {
1.236 + int ssl_major,ssl_minor,al;
1.237 + int enc_err,n,i,ret= -1;
1.238 + SSL3_RECORD *rr;
1.239 + SSL_SESSION *sess;
1.240 + unsigned char *p;
1.241 + unsigned char md[EVP_MAX_MD_SIZE];
1.242 + short version;
1.243 + unsigned int mac_size;
1.244 + int clear=0;
1.245 + size_t extra;
1.246 + int decryption_failed_or_bad_record_mac = 0;
1.247 + unsigned char *mac = NULL;
1.248 +
1.249 + rr= &(s->s3->rrec);
1.250 + sess=s->session;
1.251 +
1.252 + if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
1.253 + extra=SSL3_RT_MAX_EXTRA;
1.254 + else
1.255 + extra=0;
1.256 + if (extra != s->s3->rbuf.len - SSL3_RT_MAX_PACKET_SIZE)
1.257 + {
1.258 + /* actually likely an application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
1.259 + * set after ssl3_setup_buffers() was done */
1.260 + SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
1.261 + return -1;
1.262 + }
1.263 +
1.264 +again:
1.265 + /* check if we have the header */
1.266 + if ( (s->rstate != SSL_ST_READ_BODY) ||
1.267 + (s->packet_length < SSL3_RT_HEADER_LENGTH))
1.268 + {
1.269 + n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
1.270 + if (n <= 0) return(n); /* error or non-blocking */
1.271 + s->rstate=SSL_ST_READ_BODY;
1.272 +
1.273 + p=s->packet;
1.274 +
1.275 + /* Pull apart the header into the SSL3_RECORD */
1.276 + rr->type= *(p++);
1.277 + ssl_major= *(p++);
1.278 + ssl_minor= *(p++);
1.279 + version=(ssl_major<<8)|ssl_minor;
1.280 + n2s(p,rr->length);
1.281 +
1.282 + /* Lets check version */
1.283 + if (!s->first_packet)
1.284 + {
1.285 + if (version != s->version)
1.286 + {
1.287 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
1.288 + /* Send back error using their
1.289 + * version number :-) */
1.290 + s->version=version;
1.291 + al=SSL_AD_PROTOCOL_VERSION;
1.292 + goto f_err;
1.293 + }
1.294 + }
1.295 +
1.296 + if ((version>>8) != SSL3_VERSION_MAJOR)
1.297 + {
1.298 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
1.299 + goto err;
1.300 + }
1.301 +
1.302 + if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
1.303 + {
1.304 + al=SSL_AD_RECORD_OVERFLOW;
1.305 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
1.306 + goto f_err;
1.307 + }
1.308 +
1.309 + /* now s->rstate == SSL_ST_READ_BODY */
1.310 + }
1.311 +
1.312 + /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
1.313 +
1.314 + if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH)
1.315 + {
1.316 + /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
1.317 + i=rr->length;
1.318 + n=ssl3_read_n(s,i,i,1);
1.319 + if (n <= 0) return(n); /* error or non-blocking io */
1.320 + /* now n == rr->length,
1.321 + * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
1.322 + }
1.323 +
1.324 + s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
1.325 +
1.326 + /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
1.327 + * and we have that many bytes in s->packet
1.328 + */
1.329 + rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
1.330 +
1.331 + /* ok, we can now read from 's->packet' data into 'rr'
1.332 + * rr->input points at rr->length bytes, which
1.333 + * need to be copied into rr->data by either
1.334 + * the decryption or by the decompression
1.335 + * When the data is 'copied' into the rr->data buffer,
1.336 + * rr->input will be pointed at the new buffer */
1.337 +
1.338 + /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
1.339 + * rr->length bytes of encrypted compressed stuff. */
1.340 +
1.341 + /* check is not needed I believe */
1.342 + if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
1.343 + {
1.344 + al=SSL_AD_RECORD_OVERFLOW;
1.345 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1.346 + goto f_err;
1.347 + }
1.348 +
1.349 + /* decrypt in place in 'rr->input' */
1.350 + rr->data=rr->input;
1.351 +
1.352 + enc_err = s->method->ssl3_enc->enc(s,0);
1.353 + if (enc_err <= 0)
1.354 + {
1.355 + if (enc_err == 0)
1.356 + /* SSLerr() and ssl3_send_alert() have been called */
1.357 + goto err;
1.358 +
1.359 + /* Otherwise enc_err == -1, which indicates bad padding
1.360 + * (rec->length has not been changed in this case).
1.361 + * To minimize information leaked via timing, we will perform
1.362 + * the MAC computation anyway. */
1.363 + decryption_failed_or_bad_record_mac = 1;
1.364 + }
1.365 +
1.366 +#ifdef TLS_DEBUG
1.367 +printf("dec %d\n",rr->length);
1.368 +{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
1.369 +printf("\n");
1.370 +#endif
1.371 +
1.372 + /* r->length is now the compressed data plus mac */
1.373 + if ( (sess == NULL) ||
1.374 + (s->enc_read_ctx == NULL) ||
1.375 + (s->read_hash == NULL))
1.376 + clear=1;
1.377 +
1.378 + if (!clear)
1.379 + {
1.380 + mac_size=EVP_MD_size(s->read_hash);
1.381 +
1.382 + if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
1.383 + {
1.384 +#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
1.385 + al=SSL_AD_RECORD_OVERFLOW;
1.386 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
1.387 + goto f_err;
1.388 +#else
1.389 + decryption_failed_or_bad_record_mac = 1;
1.390 +#endif
1.391 + }
1.392 + /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
1.393 + if (rr->length >= mac_size)
1.394 + {
1.395 + rr->length -= mac_size;
1.396 + mac = &rr->data[rr->length];
1.397 + }
1.398 + else
1.399 + {
1.400 + /* record (minus padding) is too short to contain a MAC */
1.401 +#if 0 /* OK only for stream ciphers */
1.402 + al=SSL_AD_DECODE_ERROR;
1.403 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
1.404 + goto f_err;
1.405 +#else
1.406 + decryption_failed_or_bad_record_mac = 1;
1.407 + rr->length = 0;
1.408 +#endif
1.409 + }
1.410 + i=s->method->ssl3_enc->mac(s,md,0);
1.411 + if (mac == NULL || memcmp(md, mac, mac_size) != 0)
1.412 + {
1.413 + decryption_failed_or_bad_record_mac = 1;
1.414 + }
1.415 + }
1.416 +
1.417 + if (decryption_failed_or_bad_record_mac)
1.418 + {
1.419 + /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
1.420 + * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
1.421 + * failure is directly visible from the ciphertext anyway,
1.422 + * we should not reveal which kind of error occured -- this
1.423 + * might become visible to an attacker (e.g. via a logfile) */
1.424 + al=SSL_AD_BAD_RECORD_MAC;
1.425 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
1.426 + goto f_err;
1.427 + }
1.428 +
1.429 + /* r->length is now just compressed */
1.430 + if (s->expand != NULL)
1.431 + {
1.432 + if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
1.433 + {
1.434 + al=SSL_AD_RECORD_OVERFLOW;
1.435 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1.436 + goto f_err;
1.437 + }
1.438 + if (!ssl3_do_uncompress(s))
1.439 + {
1.440 + al=SSL_AD_DECOMPRESSION_FAILURE;
1.441 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
1.442 + goto f_err;
1.443 + }
1.444 + }
1.445 +
1.446 + if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra)
1.447 + {
1.448 + al=SSL_AD_RECORD_OVERFLOW;
1.449 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
1.450 + goto f_err;
1.451 + }
1.452 +
1.453 + rr->off=0;
1.454 + /* So at this point the following is true
1.455 + * ssl->s3->rrec.type is the type of record
1.456 + * ssl->s3->rrec.length == number of bytes in record
1.457 + * ssl->s3->rrec.off == offset to first valid byte
1.458 + * ssl->s3->rrec.data == where to take bytes from, increment
1.459 + * after use :-).
1.460 + */
1.461 +
1.462 + /* we have pulled in a full packet so zero things */
1.463 + s->packet_length=0;
1.464 +
1.465 + /* just read a 0 length packet */
1.466 + if (rr->length == 0) goto again;
1.467 +
1.468 + return(1);
1.469 +
1.470 +f_err:
1.471 + ssl3_send_alert(s,SSL3_AL_FATAL,al);
1.472 +err:
1.473 + return(ret);
1.474 + }
1.475 +
1.476 +int ssl3_do_uncompress(SSL *ssl)
1.477 + {
1.478 +#ifndef OPENSSL_NO_COMP
1.479 + int i;
1.480 + SSL3_RECORD *rr;
1.481 +
1.482 + rr= &(ssl->s3->rrec);
1.483 + i=COMP_expand_block(ssl->expand,rr->comp,
1.484 + SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
1.485 + if (i < 0)
1.486 + return(0);
1.487 + else
1.488 + rr->length=i;
1.489 + rr->data=rr->comp;
1.490 +#endif
1.491 + return(1);
1.492 + }
1.493 +
1.494 +int ssl3_do_compress(SSL *ssl)
1.495 + {
1.496 +#ifndef OPENSSL_NO_COMP
1.497 + int i;
1.498 + SSL3_RECORD *wr;
1.499 +
1.500 + wr= &(ssl->s3->wrec);
1.501 + i=COMP_compress_block(ssl->compress,wr->data,
1.502 + SSL3_RT_MAX_COMPRESSED_LENGTH,
1.503 + wr->input,(int)wr->length);
1.504 + if (i < 0)
1.505 + return(0);
1.506 + else
1.507 + wr->length=i;
1.508 +
1.509 + wr->input=wr->data;
1.510 +#endif
1.511 + return(1);
1.512 + }
1.513 +
1.514 +/* Call this to write data in records of type 'type'
1.515 + * It will return <= 0 if not all data has been sent or non-blocking IO.
1.516 + */
1.517 +int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
1.518 + {
1.519 + const unsigned char *buf=buf_;
1.520 + unsigned int tot,n,nw;
1.521 + int i;
1.522 +
1.523 + s->rwstate=SSL_NOTHING;
1.524 + tot=s->s3->wnum;
1.525 + s->s3->wnum=0;
1.526 +
1.527 + if (SSL_in_init(s) && !s->in_handshake)
1.528 + {
1.529 + i=s->handshake_func(s);
1.530 + if (i < 0) return(i);
1.531 + if (i == 0)
1.532 + {
1.533 + SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1.534 + return -1;
1.535 + }
1.536 + }
1.537 +
1.538 + n=(len-tot);
1.539 + for (;;)
1.540 + {
1.541 + if (n > SSL3_RT_MAX_PLAIN_LENGTH)
1.542 + nw=SSL3_RT_MAX_PLAIN_LENGTH;
1.543 + else
1.544 + nw=n;
1.545 +
1.546 + i=do_ssl3_write(s, type, &(buf[tot]), nw, 0);
1.547 + if (i <= 0)
1.548 + {
1.549 + s->s3->wnum=tot;
1.550 + return i;
1.551 + }
1.552 +
1.553 + if ((i == (int)n) ||
1.554 + (type == SSL3_RT_APPLICATION_DATA &&
1.555 + (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
1.556 + {
1.557 + /* next chunk of data should get another prepended empty fragment
1.558 + * in ciphersuites with known-IV weakness: */
1.559 + s->s3->empty_fragment_done = 0;
1.560 +
1.561 + return tot+i;
1.562 + }
1.563 +
1.564 + n-=i;
1.565 + tot+=i;
1.566 + }
1.567 + }
1.568 +
1.569 +static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
1.570 + unsigned int len, int create_empty_fragment)
1.571 + {
1.572 + unsigned char *p,*plen;
1.573 + int i,mac_size,clear=0;
1.574 + int prefix_len = 0;
1.575 + SSL3_RECORD *wr;
1.576 + SSL3_BUFFER *wb;
1.577 + SSL_SESSION *sess;
1.578 +
1.579 + /* first check if there is a SSL3_BUFFER still being written
1.580 + * out. This will happen with non blocking IO */
1.581 + if (s->s3->wbuf.left != 0)
1.582 + return(ssl3_write_pending(s,type,buf,len));
1.583 +
1.584 + /* If we have an alert to send, lets send it */
1.585 + if (s->s3->alert_dispatch)
1.586 + {
1.587 + i=s->method->ssl_dispatch_alert(s);
1.588 + if (i <= 0)
1.589 + return(i);
1.590 + /* if it went, fall through and send more stuff */
1.591 + }
1.592 +
1.593 + if (len == 0 && !create_empty_fragment)
1.594 + return 0;
1.595 +
1.596 + wr= &(s->s3->wrec);
1.597 + wb= &(s->s3->wbuf);
1.598 + sess=s->session;
1.599 +
1.600 + if ( (sess == NULL) ||
1.601 + (s->enc_write_ctx == NULL) ||
1.602 + (s->write_hash == NULL))
1.603 + clear=1;
1.604 +
1.605 + if (clear)
1.606 + mac_size=0;
1.607 + else
1.608 + mac_size=EVP_MD_size(s->write_hash);
1.609 +
1.610 + /* 'create_empty_fragment' is true only when this function calls itself */
1.611 + if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done)
1.612 + {
1.613 + /* countermeasure against known-IV weakness in CBC ciphersuites
1.614 + * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
1.615 +
1.616 + if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
1.617 + {
1.618 + /* recursive function call with 'create_empty_fragment' set;
1.619 + * this prepares and buffers the data for an empty fragment
1.620 + * (these 'prefix_len' bytes are sent out later
1.621 + * together with the actual payload) */
1.622 + prefix_len = do_ssl3_write(s, type, buf, 0, 1);
1.623 + if (prefix_len <= 0)
1.624 + goto err;
1.625 +
1.626 + if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
1.627 + {
1.628 + /* insufficient space */
1.629 + SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
1.630 + goto err;
1.631 + }
1.632 + }
1.633 +
1.634 + s->s3->empty_fragment_done = 1;
1.635 + }
1.636 +
1.637 + p = wb->buf + prefix_len;
1.638 +
1.639 + /* write the header */
1.640 +
1.641 + *(p++)=type&0xff;
1.642 + wr->type=type;
1.643 +
1.644 + *(p++)=(s->version>>8);
1.645 + *(p++)=s->version&0xff;
1.646 +
1.647 + /* field where we are to write out packet length */
1.648 + plen=p;
1.649 + p+=2;
1.650 +
1.651 + /* lets setup the record stuff. */
1.652 + wr->data=p;
1.653 + wr->length=(int)len;
1.654 + wr->input=(unsigned char *)buf;
1.655 +
1.656 + /* we now 'read' from wr->input, wr->length bytes into
1.657 + * wr->data */
1.658 +
1.659 + /* first we compress */
1.660 + if (s->compress != NULL)
1.661 + {
1.662 + if (!ssl3_do_compress(s))
1.663 + {
1.664 + SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
1.665 + goto err;
1.666 + }
1.667 + }
1.668 + else
1.669 + {
1.670 + memcpy(wr->data,wr->input,wr->length);
1.671 + wr->input=wr->data;
1.672 + }
1.673 +
1.674 + /* we should still have the output to wr->data and the input
1.675 + * from wr->input. Length should be wr->length.
1.676 + * wr->data still points in the wb->buf */
1.677 +
1.678 + if (mac_size != 0)
1.679 + {
1.680 + s->method->ssl3_enc->mac(s,&(p[wr->length]),1);
1.681 + wr->length+=mac_size;
1.682 + wr->input=p;
1.683 + wr->data=p;
1.684 + }
1.685 +
1.686 + /* ssl3_enc can only have an error on read */
1.687 + s->method->ssl3_enc->enc(s,1);
1.688 +
1.689 + /* record length after mac and block padding */
1.690 + s2n(wr->length,plen);
1.691 +
1.692 + /* we should now have
1.693 + * wr->data pointing to the encrypted data, which is
1.694 + * wr->length long */
1.695 + wr->type=type; /* not needed but helps for debugging */
1.696 + wr->length+=SSL3_RT_HEADER_LENGTH;
1.697 +
1.698 + if (create_empty_fragment)
1.699 + {
1.700 + /* we are in a recursive call;
1.701 + * just return the length, don't write out anything here
1.702 + */
1.703 + return wr->length;
1.704 + }
1.705 +
1.706 + /* now let's set up wb */
1.707 + wb->left = prefix_len + wr->length;
1.708 + wb->offset = 0;
1.709 +
1.710 + /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
1.711 + s->s3->wpend_tot=len;
1.712 + s->s3->wpend_buf=buf;
1.713 + s->s3->wpend_type=type;
1.714 + s->s3->wpend_ret=len;
1.715 +
1.716 + /* we now just need to write the buffer */
1.717 + return ssl3_write_pending(s,type,buf,len);
1.718 +err:
1.719 + return -1;
1.720 + }
1.721 +
1.722 +/* if s->s3->wbuf.left != 0, we need to call this */
1.723 +int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
1.724 + unsigned int len)
1.725 + {
1.726 + int i;
1.727 +
1.728 +/* XXXX */
1.729 + if ((s->s3->wpend_tot > (int)len)
1.730 + || ((s->s3->wpend_buf != buf) &&
1.731 + !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
1.732 + || (s->s3->wpend_type != type))
1.733 + {
1.734 + SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
1.735 + return(-1);
1.736 + }
1.737 +
1.738 + for (;;)
1.739 + {
1.740 + clear_sys_error();
1.741 + if (s->wbio != NULL)
1.742 + {
1.743 + s->rwstate=SSL_WRITING;
1.744 + i=BIO_write(s->wbio,
1.745 + (char *)&(s->s3->wbuf.buf[s->s3->wbuf.offset]),
1.746 + (unsigned int)s->s3->wbuf.left);
1.747 + }
1.748 + else
1.749 + {
1.750 + SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
1.751 + i= -1;
1.752 + }
1.753 + if (i == s->s3->wbuf.left)
1.754 + {
1.755 + s->s3->wbuf.left=0;
1.756 + s->rwstate=SSL_NOTHING;
1.757 + return(s->s3->wpend_ret);
1.758 + }
1.759 + else if (i <= 0)
1.760 + return(i);
1.761 + s->s3->wbuf.offset+=i;
1.762 + s->s3->wbuf.left-=i;
1.763 + }
1.764 + }
1.765 +
1.766 +/* Return up to 'len' payload bytes received in 'type' records.
1.767 + * 'type' is one of the following:
1.768 + *
1.769 + * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
1.770 + * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
1.771 + * - 0 (during a shutdown, no data has to be returned)
1.772 + *
1.773 + * If we don't have stored data to work from, read a SSL/TLS record first
1.774 + * (possibly multiple records if we still don't have anything to return).
1.775 + *
1.776 + * This function must handle any surprises the peer may have for us, such as
1.777 + * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
1.778 + * a surprise, but handled as if it were), or renegotiation requests.
1.779 + * Also if record payloads contain fragments too small to process, we store
1.780 + * them until there is enough for the respective protocol (the record protocol
1.781 + * may use arbitrary fragmentation and even interleaving):
1.782 + * Change cipher spec protocol
1.783 + * just 1 byte needed, no need for keeping anything stored
1.784 + * Alert protocol
1.785 + * 2 bytes needed (AlertLevel, AlertDescription)
1.786 + * Handshake protocol
1.787 + * 4 bytes needed (HandshakeType, uint24 length) -- we just have
1.788 + * to detect unexpected Client Hello and Hello Request messages
1.789 + * here, anything else is handled by higher layers
1.790 + * Application data protocol
1.791 + * none of our business
1.792 + */
1.793 +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1.794 + {
1.795 + int al,i,j,ret;
1.796 + unsigned int n;
1.797 + SSL3_RECORD *rr;
1.798 + void (*cb)(const SSL *ssl,int type2,int val)=NULL;
1.799 +
1.800 + if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
1.801 + if (!ssl3_setup_buffers(s))
1.802 + return(-1);
1.803 +
1.804 + if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
1.805 + (peek && (type != SSL3_RT_APPLICATION_DATA)))
1.806 + {
1.807 + SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
1.808 + return -1;
1.809 + }
1.810 +
1.811 + if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
1.812 + /* (partially) satisfy request from storage */
1.813 + {
1.814 + unsigned char *src = s->s3->handshake_fragment;
1.815 + unsigned char *dst = buf;
1.816 + unsigned int k;
1.817 +
1.818 + /* peek == 0 */
1.819 + n = 0;
1.820 + while ((len > 0) && (s->s3->handshake_fragment_len > 0))
1.821 + {
1.822 + *dst++ = *src++;
1.823 + len--; s->s3->handshake_fragment_len--;
1.824 + n++;
1.825 + }
1.826 + /* move any remaining fragment bytes: */
1.827 + for (k = 0; k < s->s3->handshake_fragment_len; k++)
1.828 + s->s3->handshake_fragment[k] = *src++;
1.829 + return n;
1.830 + }
1.831 +
1.832 + /* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
1.833 +
1.834 + if (!s->in_handshake && SSL_in_init(s))
1.835 + {
1.836 + /* type == SSL3_RT_APPLICATION_DATA */
1.837 + i=s->handshake_func(s);
1.838 + if (i < 0) return(i);
1.839 + if (i == 0)
1.840 + {
1.841 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1.842 + return(-1);
1.843 + }
1.844 + }
1.845 +start:
1.846 + s->rwstate=SSL_NOTHING;
1.847 +
1.848 + /* s->s3->rrec.type - is the type of record
1.849 + * s->s3->rrec.data, - data
1.850 + * s->s3->rrec.off, - offset into 'data' for next read
1.851 + * s->s3->rrec.length, - number of bytes. */
1.852 + rr = &(s->s3->rrec);
1.853 +
1.854 + /* get new packet if necessary */
1.855 + if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
1.856 + {
1.857 + ret=ssl3_get_record(s);
1.858 + if (ret <= 0) return(ret);
1.859 + }
1.860 +
1.861 + /* we now have a packet which can be read and processed */
1.862 +
1.863 + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
1.864 + * reset by ssl3_get_finished */
1.865 + && (rr->type != SSL3_RT_HANDSHAKE))
1.866 + {
1.867 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.868 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
1.869 + goto f_err;
1.870 + }
1.871 +
1.872 + /* If the other end has shut down, throw anything we read away
1.873 + * (even in 'peek' mode) */
1.874 + if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
1.875 + {
1.876 + rr->length=0;
1.877 + s->rwstate=SSL_NOTHING;
1.878 + return(0);
1.879 + }
1.880 +
1.881 +
1.882 + if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
1.883 + {
1.884 + /* make sure that we are not getting application data when we
1.885 + * are doing a handshake for the first time */
1.886 + if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
1.887 + (s->enc_read_ctx == NULL))
1.888 + {
1.889 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.890 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
1.891 + goto f_err;
1.892 + }
1.893 +
1.894 + if (len <= 0) return(len);
1.895 +
1.896 + if ((unsigned int)len > rr->length)
1.897 + n = rr->length;
1.898 + else
1.899 + n = (unsigned int)len;
1.900 +
1.901 + memcpy(buf,&(rr->data[rr->off]),n);
1.902 + if (!peek)
1.903 + {
1.904 + rr->length-=n;
1.905 + rr->off+=n;
1.906 + if (rr->length == 0)
1.907 + {
1.908 + s->rstate=SSL_ST_READ_HEADER;
1.909 + rr->off=0;
1.910 + }
1.911 + }
1.912 + return(n);
1.913 + }
1.914 +
1.915 +
1.916 + /* If we get here, then type != rr->type; if we have a handshake
1.917 + * message, then it was unexpected (Hello Request or Client Hello). */
1.918 +
1.919 + /* In case of record types for which we have 'fragment' storage,
1.920 + * fill that so that we can process the data at a fixed place.
1.921 + */
1.922 + {
1.923 + unsigned int dest_maxlen = 0;
1.924 + unsigned char *dest = NULL;
1.925 + unsigned int *dest_len = NULL;
1.926 +
1.927 + if (rr->type == SSL3_RT_HANDSHAKE)
1.928 + {
1.929 + dest_maxlen = sizeof s->s3->handshake_fragment;
1.930 + dest = s->s3->handshake_fragment;
1.931 + dest_len = &s->s3->handshake_fragment_len;
1.932 + }
1.933 + else if (rr->type == SSL3_RT_ALERT)
1.934 + {
1.935 + dest_maxlen = sizeof s->s3->alert_fragment;
1.936 + dest = s->s3->alert_fragment;
1.937 + dest_len = &s->s3->alert_fragment_len;
1.938 + }
1.939 +
1.940 + if (dest_maxlen > 0)
1.941 + {
1.942 + n = dest_maxlen - *dest_len; /* available space in 'dest' */
1.943 + if (rr->length < n)
1.944 + n = rr->length; /* available bytes */
1.945 +
1.946 + /* now move 'n' bytes: */
1.947 + while (n-- > 0)
1.948 + {
1.949 + dest[(*dest_len)++] = rr->data[rr->off++];
1.950 + rr->length--;
1.951 + }
1.952 +
1.953 + if (*dest_len < dest_maxlen)
1.954 + goto start; /* fragment was too small */
1.955 + }
1.956 + }
1.957 +
1.958 + /* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
1.959 + * s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
1.960 + * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
1.961 +
1.962 + /* If we are a client, check for an incoming 'Hello Request': */
1.963 + if ((!s->server) &&
1.964 + (s->s3->handshake_fragment_len >= 4) &&
1.965 + (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
1.966 + (s->session != NULL) && (s->session->cipher != NULL))
1.967 + {
1.968 + s->s3->handshake_fragment_len = 0;
1.969 +
1.970 + if ((s->s3->handshake_fragment[1] != 0) ||
1.971 + (s->s3->handshake_fragment[2] != 0) ||
1.972 + (s->s3->handshake_fragment[3] != 0))
1.973 + {
1.974 + al=SSL_AD_DECODE_ERROR;
1.975 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
1.976 + goto f_err;
1.977 + }
1.978 +
1.979 + if (s->msg_callback)
1.980 + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
1.981 +
1.982 + if (SSL_is_init_finished(s) &&
1.983 + !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
1.984 + !s->s3->renegotiate)
1.985 + {
1.986 + ssl3_renegotiate(s);
1.987 + if (ssl3_renegotiate_check(s))
1.988 + {
1.989 + i=s->handshake_func(s);
1.990 + if (i < 0) return(i);
1.991 + if (i == 0)
1.992 + {
1.993 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1.994 + return(-1);
1.995 + }
1.996 +
1.997 + if (!(s->mode & SSL_MODE_AUTO_RETRY))
1.998 + {
1.999 + if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1.1000 + {
1.1001 + BIO *bio;
1.1002 + /* In the case where we try to read application data,
1.1003 + * but we trigger an SSL handshake, we return -1 with
1.1004 + * the retry option set. Otherwise renegotiation may
1.1005 + * cause nasty problems in the blocking world */
1.1006 + s->rwstate=SSL_READING;
1.1007 + bio=SSL_get_rbio(s);
1.1008 + BIO_clear_retry_flags(bio);
1.1009 + BIO_set_retry_read(bio);
1.1010 + return(-1);
1.1011 + }
1.1012 + }
1.1013 + }
1.1014 + }
1.1015 + /* we either finished a handshake or ignored the request,
1.1016 + * now try again to obtain the (application) data we were asked for */
1.1017 + goto start;
1.1018 + }
1.1019 +
1.1020 + if (s->s3->alert_fragment_len >= 2)
1.1021 + {
1.1022 + int alert_level = s->s3->alert_fragment[0];
1.1023 + int alert_descr = s->s3->alert_fragment[1];
1.1024 +
1.1025 + s->s3->alert_fragment_len = 0;
1.1026 +
1.1027 + if (s->msg_callback)
1.1028 + s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
1.1029 +
1.1030 + if (s->info_callback != NULL)
1.1031 + cb=s->info_callback;
1.1032 + else if (s->ctx->info_callback != NULL)
1.1033 + cb=s->ctx->info_callback;
1.1034 +
1.1035 + if (cb != NULL)
1.1036 + {
1.1037 + j = (alert_level << 8) | alert_descr;
1.1038 + cb(s, SSL_CB_READ_ALERT, j);
1.1039 + }
1.1040 +
1.1041 + if (alert_level == 1) /* warning */
1.1042 + {
1.1043 + s->s3->warn_alert = alert_descr;
1.1044 + if (alert_descr == SSL_AD_CLOSE_NOTIFY)
1.1045 + {
1.1046 + s->shutdown |= SSL_RECEIVED_SHUTDOWN;
1.1047 + return(0);
1.1048 + }
1.1049 + }
1.1050 + else if (alert_level == 2) /* fatal */
1.1051 + {
1.1052 + char tmp[16];
1.1053 +
1.1054 + s->rwstate=SSL_NOTHING;
1.1055 + s->s3->fatal_alert = alert_descr;
1.1056 + SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
1.1057 + BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
1.1058 + ERR_add_error_data(2,"SSL alert number ",tmp);
1.1059 + s->shutdown|=SSL_RECEIVED_SHUTDOWN;
1.1060 + SSL_CTX_remove_session(s->ctx,s->session);
1.1061 + return(0);
1.1062 + }
1.1063 + else
1.1064 + {
1.1065 + al=SSL_AD_ILLEGAL_PARAMETER;
1.1066 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
1.1067 + goto f_err;
1.1068 + }
1.1069 +
1.1070 + goto start;
1.1071 + }
1.1072 +
1.1073 + if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
1.1074 + {
1.1075 + s->rwstate=SSL_NOTHING;
1.1076 + rr->length=0;
1.1077 + return(0);
1.1078 + }
1.1079 +
1.1080 + if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1.1081 + {
1.1082 + /* 'Change Cipher Spec' is just a single byte, so we know
1.1083 + * exactly what the record payload has to look like */
1.1084 + if ( (rr->length != 1) || (rr->off != 0) ||
1.1085 + (rr->data[0] != SSL3_MT_CCS))
1.1086 + {
1.1087 + al=SSL_AD_ILLEGAL_PARAMETER;
1.1088 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
1.1089 + goto f_err;
1.1090 + }
1.1091 +
1.1092 + /* Check we have a cipher to change to */
1.1093 + if (s->s3->tmp.new_cipher == NULL)
1.1094 + {
1.1095 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.1096 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
1.1097 + goto f_err;
1.1098 + }
1.1099 +
1.1100 + rr->length=0;
1.1101 +
1.1102 + if (s->msg_callback)
1.1103 + s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
1.1104 +
1.1105 + s->s3->change_cipher_spec=1;
1.1106 + if (!ssl3_do_change_cipher_spec(s))
1.1107 + goto err;
1.1108 + else
1.1109 + goto start;
1.1110 + }
1.1111 +
1.1112 + /* Unexpected handshake message (Client Hello, or protocol violation) */
1.1113 + if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
1.1114 + {
1.1115 + if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
1.1116 + !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
1.1117 + {
1.1118 +#if 0 /* worked only because C operator preferences are not as expected (and
1.1119 + * because this is not really needed for clients except for detecting
1.1120 + * protocol violations): */
1.1121 + s->state=SSL_ST_BEFORE|(s->server)
1.1122 + ?SSL_ST_ACCEPT
1.1123 + :SSL_ST_CONNECT;
1.1124 +#else
1.1125 + s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1.1126 +#endif
1.1127 + s->new_session=1;
1.1128 + }
1.1129 + i=s->handshake_func(s);
1.1130 + if (i < 0) return(i);
1.1131 + if (i == 0)
1.1132 + {
1.1133 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1.1134 + return(-1);
1.1135 + }
1.1136 +
1.1137 + if (!(s->mode & SSL_MODE_AUTO_RETRY))
1.1138 + {
1.1139 + if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1.1140 + {
1.1141 + BIO *bio;
1.1142 + /* In the case where we try to read application data,
1.1143 + * but we trigger an SSL handshake, we return -1 with
1.1144 + * the retry option set. Otherwise renegotiation may
1.1145 + * cause nasty problems in the blocking world */
1.1146 + s->rwstate=SSL_READING;
1.1147 + bio=SSL_get_rbio(s);
1.1148 + BIO_clear_retry_flags(bio);
1.1149 + BIO_set_retry_read(bio);
1.1150 + return(-1);
1.1151 + }
1.1152 + }
1.1153 + goto start;
1.1154 + }
1.1155 +
1.1156 + switch (rr->type)
1.1157 + {
1.1158 + default:
1.1159 +#ifndef OPENSSL_NO_TLS
1.1160 + /* TLS just ignores unknown message types */
1.1161 + if (s->version == TLS1_VERSION)
1.1162 + {
1.1163 + rr->length = 0;
1.1164 + goto start;
1.1165 + }
1.1166 +#endif
1.1167 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.1168 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1.1169 + goto f_err;
1.1170 + case SSL3_RT_CHANGE_CIPHER_SPEC:
1.1171 + case SSL3_RT_ALERT:
1.1172 + case SSL3_RT_HANDSHAKE:
1.1173 + /* we already handled all of these, with the possible exception
1.1174 + * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
1.1175 + * should not happen when type != rr->type */
1.1176 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.1177 + SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
1.1178 + goto f_err;
1.1179 + case SSL3_RT_APPLICATION_DATA:
1.1180 + /* At this point, we were expecting handshake data,
1.1181 + * but have application data. If the library was
1.1182 + * running inside ssl3_read() (i.e. in_read_app_data
1.1183 + * is set) and it makes sense to read application data
1.1184 + * at this point (session renegotiation not yet started),
1.1185 + * we will indulge it.
1.1186 + */
1.1187 + if (s->s3->in_read_app_data &&
1.1188 + (s->s3->total_renegotiations != 0) &&
1.1189 + ((
1.1190 + (s->state & SSL_ST_CONNECT) &&
1.1191 + (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
1.1192 + (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
1.1193 + ) || (
1.1194 + (s->state & SSL_ST_ACCEPT) &&
1.1195 + (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
1.1196 + (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
1.1197 + )
1.1198 + ))
1.1199 + {
1.1200 + s->s3->in_read_app_data=2;
1.1201 + return(-1);
1.1202 + }
1.1203 + else
1.1204 + {
1.1205 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.1206 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1.1207 + goto f_err;
1.1208 + }
1.1209 + }
1.1210 + /* not reached */
1.1211 +
1.1212 +f_err:
1.1213 + ssl3_send_alert(s,SSL3_AL_FATAL,al);
1.1214 +err:
1.1215 + return(-1);
1.1216 + }
1.1217 +
1.1218 +int ssl3_do_change_cipher_spec(SSL *s)
1.1219 + {
1.1220 + int i;
1.1221 + const char *sender;
1.1222 + int slen;
1.1223 +
1.1224 + if (s->state & SSL_ST_ACCEPT)
1.1225 + i=SSL3_CHANGE_CIPHER_SERVER_READ;
1.1226 + else
1.1227 + i=SSL3_CHANGE_CIPHER_CLIENT_READ;
1.1228 +
1.1229 + if (s->s3->tmp.key_block == NULL)
1.1230 + {
1.1231 + s->session->cipher=s->s3->tmp.new_cipher;
1.1232 + if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
1.1233 + }
1.1234 +
1.1235 + if (!s->method->ssl3_enc->change_cipher_state(s,i))
1.1236 + return(0);
1.1237 +
1.1238 + /* we have to record the message digest at
1.1239 + * this point so we can get it before we read
1.1240 + * the finished message */
1.1241 + if (s->state & SSL_ST_CONNECT)
1.1242 + {
1.1243 + sender=s->method->ssl3_enc->server_finished_label;
1.1244 + slen=s->method->ssl3_enc->server_finished_label_len;
1.1245 + }
1.1246 + else
1.1247 + {
1.1248 + sender=s->method->ssl3_enc->client_finished_label;
1.1249 + slen=s->method->ssl3_enc->client_finished_label_len;
1.1250 + }
1.1251 +
1.1252 + s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
1.1253 + &(s->s3->finish_dgst1),
1.1254 + &(s->s3->finish_dgst2),
1.1255 + sender,slen,s->s3->tmp.peer_finish_md);
1.1256 +
1.1257 + return(1);
1.1258 + }
1.1259 +
1.1260 +void ssl3_send_alert(SSL *s, int level, int desc)
1.1261 + {
1.1262 + /* Map tls/ssl alert value to correct one */
1.1263 + desc=s->method->ssl3_enc->alert_value(desc);
1.1264 + if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
1.1265 + desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
1.1266 + if (desc < 0) return;
1.1267 + /* If a fatal one, remove from cache */
1.1268 + if ((level == 2) && (s->session != NULL))
1.1269 + SSL_CTX_remove_session(s->ctx,s->session);
1.1270 +
1.1271 + s->s3->alert_dispatch=1;
1.1272 + s->s3->send_alert[0]=level;
1.1273 + s->s3->send_alert[1]=desc;
1.1274 + if (s->s3->wbuf.left == 0) /* data still being written out? */
1.1275 + s->method->ssl_dispatch_alert(s);
1.1276 + /* else data is still being written out, we will get written
1.1277 + * some time in the future */
1.1278 + }
1.1279 +
1.1280 +int ssl3_dispatch_alert(SSL *s)
1.1281 + {
1.1282 + int i,j;
1.1283 + void (*cb)(const SSL *ssl,int type,int val)=NULL;
1.1284 +
1.1285 + s->s3->alert_dispatch=0;
1.1286 + i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
1.1287 + if (i <= 0)
1.1288 + {
1.1289 + s->s3->alert_dispatch=1;
1.1290 + }
1.1291 + else
1.1292 + {
1.1293 + /* Alert sent to BIO. If it is important, flush it now.
1.1294 + * If the message does not get sent due to non-blocking IO,
1.1295 + * we will not worry too much. */
1.1296 + if (s->s3->send_alert[0] == SSL3_AL_FATAL)
1.1297 + (void)BIO_flush(s->wbio);
1.1298 +
1.1299 + if (s->msg_callback)
1.1300 + s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
1.1301 +
1.1302 + if (s->info_callback != NULL)
1.1303 + cb=s->info_callback;
1.1304 + else if (s->ctx->info_callback != NULL)
1.1305 + cb=s->ctx->info_callback;
1.1306 +
1.1307 + if (cb != NULL)
1.1308 + {
1.1309 + j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
1.1310 + cb(s,SSL_CB_WRITE_ALERT,j);
1.1311 + }
1.1312 + }
1.1313 + return(i);
1.1314 + }