~ubuntu-branches/ubuntu/precise/openssl/precise-proposed
» Revision
84
: .pc/CVE-2014-3571-1.patch/ssl/s3_pkt.c
« back to all changes in this revision
Viewing changes to .pc/CVE-2014-3571-1.patch/ssl/s3_pkt.c
- browse files at revision 84
- compare with another revision
- download diff
- download tarball
- view history from revision 84
- Committer: Package Import Robot
- Author(s): Marc Deslauriers
- Date: 2015-02-26 13:05:15 UTC
- mfrom: (83.1.10 precise-security)
- Revision ID: package-import@ubuntu.com-20150226130515-prolotzeftmrhqbr
Tags: 1.0.1-4ubuntu5.22
* Fix DTLS handshake on amd64 (LP: #1425914)
- debian/patches/lp1425914.patch: backport upstream patch that fixes
alignment issue causing an assert in ssl/ssl_ciph.c.
- debian/patches/lp1425914.patch: backport upstream patch that fixes
alignment issue causing an assert in ssl/ssl_ciph.c.
- files added:
- .pc/CVE-2010-5298.patch
- .pc/CVE-2010-5298.patch/ssl
- .pc/CVE-2013-4353.patch
- .pc/CVE-2013-4353.patch/ssl
- .pc/CVE-2013-6449.patch
- .pc/CVE-2013-6449.patch/ssl
- .pc/CVE-2013-6450.patch
- .pc/CVE-2013-6450.patch/crypto
- .pc/CVE-2013-6450.patch/crypto/evp
- .pc/CVE-2013-6450.patch/ssl
- .pc/CVE-2014-0076.patch
- .pc/CVE-2014-0076.patch/crypto
- .pc/CVE-2014-0076.patch/crypto/bn
- .pc/CVE-2014-0076.patch/crypto/ec
- .pc/CVE-2014-0076.patch/util
- .pc/CVE-2014-0160.patch
- .pc/CVE-2014-0160.patch/ssl
- .pc/CVE-2014-0195.patch
- .pc/CVE-2014-0195.patch/ssl
- .pc/CVE-2014-0198.patch
- .pc/CVE-2014-0198.patch/ssl
- .pc/CVE-2014-0221.patch
- .pc/CVE-2014-0221.patch/ssl
- .pc/CVE-2014-0224-1.patch
- .pc/CVE-2014-0224-1.patch/ssl
- .pc/CVE-2014-0224-2.patch
- .pc/CVE-2014-0224-2.patch/ssl
- .pc/CVE-2014-0224-3.patch
- .pc/CVE-2014-0224-3.patch/ssl
- .pc/CVE-2014-0224-regression.patch
- .pc/CVE-2014-0224-regression.patch/ssl
- .pc/CVE-2014-0224-regression2.patch
- .pc/CVE-2014-0224-regression2.patch/ssl
- .pc/CVE-2014-3470.patch
- .pc/CVE-2014-3470.patch/ssl
- .pc/CVE-2014-3505.patch
- .pc/CVE-2014-3505.patch/ssl
- .pc/CVE-2014-3506.patch
- .pc/CVE-2014-3506.patch/ssl
- .pc/CVE-2014-3507.patch
- .pc/CVE-2014-3507.patch/ssl
- .pc/CVE-2014-3508.patch
- .pc/CVE-2014-3508.patch/crypto
- .pc/CVE-2014-3508.patch/crypto/asn1
- .pc/CVE-2014-3508.patch/crypto/objects
- .pc/CVE-2014-3509.patch
- .pc/CVE-2014-3509.patch/ssl
- .pc/CVE-2014-3510.patch
- .pc/CVE-2014-3510.patch/ssl
- .pc/CVE-2014-3511.patch
- .pc/CVE-2014-3511.patch/ssl
- .pc/CVE-2014-3512.patch
- .pc/CVE-2014-3512.patch/crypto
- .pc/CVE-2014-3512.patch/crypto/srp
- .pc/CVE-2014-3513.patch
- .pc/CVE-2014-3513.patch/ssl
- .pc/CVE-2014-3513.patch/util
- .pc/CVE-2014-3567.patch
- .pc/CVE-2014-3567.patch/ssl
- .pc/CVE-2014-3568.patch
- .pc/CVE-2014-3568.patch/ssl
- .pc/CVE-2014-3569.patch
- .pc/CVE-2014-3569.patch/ssl
- .pc/CVE-2014-3570.patch
- .pc/CVE-2014-3570.patch/crypto
- .pc/CVE-2014-3570.patch/crypto/bn
- .pc/CVE-2014-3570.patch/crypto/bn/asm
- .pc/CVE-2014-3571-1.patch
- .pc/CVE-2014-3571-1.patch/ssl
- .pc/CVE-2014-3571-2.patch
- .pc/CVE-2014-3571-2.patch/ssl
- .pc/CVE-2014-3572.patch
- .pc/CVE-2014-3572.patch/ssl
- .pc/CVE-2014-5139.patch
- .pc/CVE-2014-5139.patch/ssl
- .pc/CVE-2014-8275.patch
- .pc/CVE-2014-8275.patch/crypto
- .pc/CVE-2014-8275.patch/crypto/asn1
- .pc/CVE-2014-8275.patch/crypto/dsa
- .pc/CVE-2014-8275.patch/crypto/ecdsa
- .pc/CVE-2014-8275.patch/crypto/x509
- .pc/CVE-2015-0204.patch
- .pc/CVE-2015-0204.patch/doc
- .pc/CVE-2015-0204.patch/doc/ssl
- .pc/CVE-2015-0204.patch/ssl
- .pc/CVE-2015-0205.patch
- .pc/CVE-2015-0205.patch/ssl
- .pc/CVE-2015-0206.patch
- .pc/CVE-2015-0206.patch/ssl
- .pc/lp1425914.patch
- .pc/lp1425914.patch/ssl
- .pc/no_default_rdrand.patch
- .pc/no_default_rdrand.patch/crypto
- .pc/no_default_rdrand.patch/crypto/engine
- .pc/tls_fallback_scsv_support.patch
- .pc/tls_fallback_scsv_support.patch/apps
- .pc/tls_fallback_scsv_support.patch/crypto
- .pc/tls_fallback_scsv_support.patch/crypto/err
- .pc/tls_fallback_scsv_support.patch/doc
- .pc/tls_fallback_scsv_support.patch/doc/apps
- .pc/tls_fallback_scsv_support.patch/doc/ssl
- .pc/tls_fallback_scsv_support.patch/ssl
- files removed:
- crypto/bn/asm/mips3.s
- files modified:
- .pc/applied-patches
added
removed
.pc/CVE-2014-3571-1.patch/ssl/s3_pkt.c
1
/* ssl/s3_pkt.c */
2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3
* All rights reserved.
4
*
5
* This package is an SSL implementation written
6
* by Eric Young (eay@cryptsoft.com).
7
* The implementation was written so as to conform with Netscapes SSL.
8
*
9
* This library is free for commercial and non-commercial use as long as
10
* the following conditions are aheared to. The following conditions
11
* apply to all code found in this distribution, be it the RC4, RSA,
12
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13
* included with this distribution is covered by the same copyright terms
14
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
15
*
16
* Copyright remains Eric Young's, and as such any Copyright notices in
17
* the code are not to be removed.
18
* If this package is used in a product, Eric Young should be given attribution
19
* as the author of the parts of the library used.
20
* This can be in the form of a textual message at program startup or
21
* in documentation (online or textual) provided with the package.
22
*
23
* Redistribution and use in source and binary forms, with or without
24
* modification, are permitted provided that the following conditions
25
* are met:
26
* 1. Redistributions of source code must retain the copyright
27
* notice, this list of conditions and the following disclaimer.
28
* 2. Redistributions in binary form must reproduce the above copyright
29
* notice, this list of conditions and the following disclaimer in the
30
* documentation and/or other materials provided with the distribution.
31
* 3. All advertising materials mentioning features or use of this software
32
* must display the following acknowledgement:
33
* "This product includes cryptographic software written by
34
* Eric Young (eay@cryptsoft.com)"
35
* The word 'cryptographic' can be left out if the rouines from the library
36
* being used are not cryptographic related :-).
37
* 4. If you include any Windows specific code (or a derivative thereof) from
38
* the apps directory (application code) you must include an acknowledgement:
39
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40
*
41
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51
* SUCH DAMAGE.
52
*
53
* The licence and distribution terms for any publically available version or
54
* derivative of this code cannot be changed. i.e. this code cannot simply be
55
* copied and put under another distribution licence
56
* [including the GNU Public Licence.]
57
*/
58
/* ====================================================================
59
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60
*
61
* Redistribution and use in source and binary forms, with or without
62
* modification, are permitted provided that the following conditions
63
* are met:
64
*
65
* 1. Redistributions of source code must retain the above copyright
66
* notice, this list of conditions and the following disclaimer.
67
*
68
* 2. Redistributions in binary form must reproduce the above copyright
69
* notice, this list of conditions and the following disclaimer in
70
* the documentation and/or other materials provided with the
71
* distribution.
72
*
73
* 3. All advertising materials mentioning features or use of this
74
* software must display the following acknowledgment:
75
* "This product includes software developed by the OpenSSL Project
76
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77
*
78
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79
* endorse or promote products derived from this software without
80
* prior written permission. For written permission, please contact
81
* openssl-core@openssl.org.
82
*
83
* 5. Products derived from this software may not be called "OpenSSL"
84
* nor may "OpenSSL" appear in their names without prior written
85
* permission of the OpenSSL Project.
86
*
87
* 6. Redistributions of any form whatsoever must retain the following
88
* acknowledgment:
89
* "This product includes software developed by the OpenSSL Project
90
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91
*
92
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103
* OF THE POSSIBILITY OF SUCH DAMAGE.
104
* ====================================================================
105
*
106
* This product includes cryptographic software written by Eric Young
107
* (eay@cryptsoft.com). This product includes software written by Tim
108
* Hudson (tjh@cryptsoft.com).
109
*
110
*/
111
112
#include <stdio.h>
113
#include <errno.h>
114
#define USE_SOCKETS
115
#include "ssl_locl.h"
116
#include <openssl/evp.h>
117
#include <openssl/buffer.h>
118
#include <openssl/rand.h>
119
120
static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
121
unsigned int len, int create_empty_fragment);
122
static int ssl3_get_record(SSL *s);
123
124
int ssl3_read_n(SSL *s, int n, int max, int extend)
125
{
126
/* If extend == 0, obtain new n-byte packet; if extend == 1, increase
127
* packet by another n bytes.
128
* The packet will be in the sub-array of s->s3->rbuf.buf specified
129
* by s->packet and s->packet_length.
130
* (If s->read_ahead is set, 'max' bytes may be stored in rbuf
131
* [plus s->packet_length bytes if extend == 1].)
132
*/
133
int i,len,left;
134
long align=0;
135
unsigned char *pkt;
136
SSL3_BUFFER *rb;
137
138
if (n <= 0) return n;
139
140
rb = &(s->s3->rbuf);
141
if (rb->buf == NULL)
142
if (!ssl3_setup_read_buffer(s))
143
return -1;
144
145
left = rb->left;
146
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
147
align = (long)rb->buf + SSL3_RT_HEADER_LENGTH;
148
align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
149
#endif
150
151
if (!extend)
152
{
153
/* start with empty packet ... */
154
if (left == 0)
155
rb->offset = align;
156
else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH)
157
{
158
/* check if next packet length is large
159
* enough to justify payload alignment... */
160
pkt = rb->buf + rb->offset;
161
if (pkt[0] == SSL3_RT_APPLICATION_DATA
162
&& (pkt[3]<<8|pkt[4]) >= 128)
163
{
164
/* Note that even if packet is corrupted
165
* and its length field is insane, we can
166
* only be led to wrong decision about
167
* whether memmove will occur or not.
168
* Header values has no effect on memmove
169
* arguments and therefore no buffer
170
* overrun can be triggered. */
171
memmove (rb->buf+align,pkt,left);
172
rb->offset = align;
173
}
174
}
175
s->packet = rb->buf + rb->offset;
176
s->packet_length = 0;
177
/* ... now we can act as if 'extend' was set */
178
}
179
180
/* For DTLS/UDP reads should not span multiple packets
181
* because the read operation returns the whole packet
182
* at once (as long as it fits into the buffer). */
183
if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
184
{
185
if (left > 0 && n > left)
186
n = left;
187
}
188
189
/* if there is enough in the buffer from a previous read, take some */
190
if (left >= n)
191
{
192
s->packet_length+=n;
193
rb->left=left-n;
194
rb->offset+=n;
195
return(n);
196
}
197
198
/* else we need to read more data */
199
200
len = s->packet_length;
201
pkt = rb->buf+align;
202
/* Move any available bytes to front of buffer:
203
* 'len' bytes already pointed to by 'packet',
204
* 'left' extra ones at the end */
205
if (s->packet != pkt) /* len > 0 */
206
{
207
memmove(pkt, s->packet, len+left);
208
s->packet = pkt;
209
rb->offset = len + align;
210
}
211
212
if (n > (int)(rb->len - rb->offset)) /* does not happen */
213
{
214
SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
215
return -1;
216
}
217
218
if (!s->read_ahead)
219
/* ignore max parameter */
220
max = n;
221
else
222
{
223
if (max < n)
224
max = n;
225
if (max > (int)(rb->len - rb->offset))
226
max = rb->len - rb->offset;
227
}
228
229
while (left < n)
230
{
231
/* Now we have len+left bytes at the front of s->s3->rbuf.buf
232
* and need to read in more until we have len+n (up to
233
* len+max if possible) */
234
235
clear_sys_error();
236
if (s->rbio != NULL)
237
{
238
s->rwstate=SSL_READING;
239
i=BIO_read(s->rbio,pkt+len+left, max-left);
240
}
241
else
242
{
243
SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
244
i = -1;
245
}
246
247
if (i <= 0)
248
{
249
rb->left = left;
250
if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
251
SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
252
if (len+left == 0)
253
ssl3_release_read_buffer(s);
254
return(i);
255
}
256
left+=i;
257
/* reads should *never* span multiple packets for DTLS because
258
* the underlying transport protocol is message oriented as opposed
259
* to byte oriented as in the TLS case. */
260
if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
261
{
262
if (n > left)
263
n = left; /* makes the while condition false */
264
}
265
}
266
267
/* done reading, now the book-keeping */
268
rb->offset += n;
269
rb->left = left - n;
270
s->packet_length += n;
271
s->rwstate=SSL_NOTHING;
272
return(n);
273
}
274
275
/* Call this to get a new input record.
276
* It will return <= 0 if more data is needed, normally due to an error
277
* or non-blocking IO.
278
* When it finishes, one packet has been decoded and can be found in
279
* ssl->s3->rrec.type - is the type of record
280
* ssl->s3->rrec.data, - data
281
* ssl->s3->rrec.length, - number of bytes
282
*/
283
/* used only by ssl3_read_bytes */
284
static int ssl3_get_record(SSL *s)
285
{
286
int ssl_major,ssl_minor,al;
287
int enc_err,n,i,ret= -1;
288
SSL3_RECORD *rr;
289
SSL_SESSION *sess;
290
unsigned char *p;
291
unsigned char md[EVP_MAX_MD_SIZE];
292
short version;
293
unsigned mac_size, orig_len;
294
size_t extra;
295
296
rr= &(s->s3->rrec);
297
sess=s->session;
298
299
if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
300
extra=SSL3_RT_MAX_EXTRA;
301
else
302
extra=0;
303
if (extra && !s->s3->init_extra)
304
{
305
/* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
306
* set after ssl3_setup_buffers() was done */
307
SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
308
return -1;
309
}
310
311
again:
312
/* check if we have the header */
313
if ( (s->rstate != SSL_ST_READ_BODY) ||
314
(s->packet_length < SSL3_RT_HEADER_LENGTH))
315
{
316
n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
317
if (n <= 0) return(n); /* error or non-blocking */
318
s->rstate=SSL_ST_READ_BODY;
319
320
p=s->packet;
321
322
/* Pull apart the header into the SSL3_RECORD */
323
rr->type= *(p++);
324
ssl_major= *(p++);
325
ssl_minor= *(p++);
326
version=(ssl_major<<8)|ssl_minor;
327
n2s(p,rr->length);
328
#if 0
329
fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
330
#endif
331
332
/* Lets check version */
333
if (!s->first_packet)
334
{
335
if (version != s->version)
336
{
337
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
338
if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
339
/* Send back error using their minor version number :-) */
340
s->version = (unsigned short)version;
341
al=SSL_AD_PROTOCOL_VERSION;
342
goto f_err;
343
}
344
}
345
346
if ((version>>8) != SSL3_VERSION_MAJOR)
347
{
348
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
349
goto err;
350
}
351
352
if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH)
353
{
354
al=SSL_AD_RECORD_OVERFLOW;
355
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
356
goto f_err;
357
}
358
359
/* now s->rstate == SSL_ST_READ_BODY */
360
}
361
362
/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
363
364
if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH)
365
{
366
/* now s->packet_length == SSL3_RT_HEADER_LENGTH */
367
i=rr->length;
368
n=ssl3_read_n(s,i,i,1);
369
if (n <= 0) return(n); /* error or non-blocking io */
370
/* now n == rr->length,
371
* and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
372
}
373
374
s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
375
376
/* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
377
* and we have that many bytes in s->packet
378
*/
379
rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
380
381
/* ok, we can now read from 's->packet' data into 'rr'
382
* rr->input points at rr->length bytes, which
383
* need to be copied into rr->data by either
384
* the decryption or by the decompression
385
* When the data is 'copied' into the rr->data buffer,
386
* rr->input will be pointed at the new buffer */
387
388
/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
389
* rr->length bytes of encrypted compressed stuff. */
390
391
/* check is not needed I believe */
392
if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
393
{
394
al=SSL_AD_RECORD_OVERFLOW;
395
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
396
goto f_err;
397
}
398
399
/* decrypt in place in 'rr->input' */
400
rr->data=rr->input;
401
402
enc_err = s->method->ssl3_enc->enc(s,0);
403
/* enc_err is:
404
* 0: (in non-constant time) if the record is publically invalid.
405
* 1: if the padding is valid
406
* -1: if the padding is invalid */
407
if (enc_err == 0)
408
{
409
al=SSL_AD_DECRYPTION_FAILED;
410
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
411
goto f_err;
412
}
413
414
#ifdef TLS_DEBUG
415
printf("dec %d\n",rr->length);
416
{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
417
printf("\n");
418
#endif
419
420
/* r->length is now the compressed data plus mac */
421
if ((sess != NULL) &&
422
(s->enc_read_ctx != NULL) &&
423
(EVP_MD_CTX_md(s->read_hash) != NULL))
424
{
425
/* s->read_hash != NULL => mac_size != -1 */
426
unsigned char *mac = NULL;
427
unsigned char mac_tmp[EVP_MAX_MD_SIZE];
428
mac_size=EVP_MD_CTX_size(s->read_hash);
429
OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
430
431
/* kludge: *_cbc_remove_padding passes padding length in rr->type */
432
orig_len = rr->length+((unsigned int)rr->type>>8);
433
434
/* orig_len is the length of the record before any padding was
435
* removed. This is public information, as is the MAC in use,
436
* therefore we can safely process the record in a different
437
* amount of time if it's too short to possibly contain a MAC.
438
*/
439
if (orig_len < mac_size ||
440
/* CBC records must have a padding length byte too. */
441
(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
442
orig_len < mac_size+1))
443
{
444
al=SSL_AD_DECODE_ERROR;
445
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
446
goto f_err;
447
}
448
449
if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
450
{
451
/* We update the length so that the TLS header bytes
452
* can be constructed correctly but we need to extract
453
* the MAC in constant time from within the record,
454
* without leaking the contents of the padding bytes.
455
* */
456
mac = mac_tmp;
457
ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
458
rr->length -= mac_size;
459
}
460
else
461
{
462
/* In this case there's no padding, so |orig_len|
463
* equals |rec->length| and we checked that there's
464
* enough bytes for |mac_size| above. */
465
rr->length -= mac_size;
466
mac = &rr->data[rr->length];
467
}
468
469
i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
470
if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
471
enc_err = -1;
472
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
473
enc_err = -1;
474
}
475
476
if (enc_err < 0)
477
{
478
/* A separate 'decryption_failed' alert was introduced with TLS 1.0,
479
* SSL 3.0 only has 'bad_record_mac'. But unless a decryption
480
* failure is directly visible from the ciphertext anyway,
481
* we should not reveal which kind of error occured -- this
482
* might become visible to an attacker (e.g. via a logfile) */
483
al=SSL_AD_BAD_RECORD_MAC;
484
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
485
goto f_err;
486
}
487
488
/* r->length is now just compressed */
489
if (s->expand != NULL)
490
{
491
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
492
{
493
al=SSL_AD_RECORD_OVERFLOW;
494
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
495
goto f_err;
496
}
497
if (!ssl3_do_uncompress(s))
498
{
499
al=SSL_AD_DECOMPRESSION_FAILURE;
500
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
501
goto f_err;
502
}
503
}
504
505
if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra)
506
{
507
al=SSL_AD_RECORD_OVERFLOW;
508
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
509
goto f_err;
510
}
511
512
rr->off=0;
513
/* So at this point the following is true
514
* ssl->s3->rrec.type is the type of record
515
* ssl->s3->rrec.length == number of bytes in record
516
* ssl->s3->rrec.off == offset to first valid byte
517
* ssl->s3->rrec.data == where to take bytes from, increment
518
* after use :-).
519
*/
520
521
/* we have pulled in a full packet so zero things */
522
s->packet_length=0;
523
524
/* just read a 0 length packet */
525
if (rr->length == 0) goto again;
526
527
#if 0
528
fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length);
529
#endif
530
531
return(1);
532
533
f_err:
534
ssl3_send_alert(s,SSL3_AL_FATAL,al);
535
err:
536
return(ret);
537
}
538
539
int ssl3_do_uncompress(SSL *ssl)
540
{
541
#ifndef OPENSSL_NO_COMP
542
int i;
543
SSL3_RECORD *rr;
544
545
rr= &(ssl->s3->rrec);
546
i=COMP_expand_block(ssl->expand,rr->comp,
547
SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
548
if (i < 0)
549
return(0);
550
else
551
rr->length=i;
552
rr->data=rr->comp;
553
#endif
554
return(1);
555
}
556
557
int ssl3_do_compress(SSL *ssl)
558
{
559
#ifndef OPENSSL_NO_COMP
560
int i;
561
SSL3_RECORD *wr;
562
563
wr= &(ssl->s3->wrec);
564
i=COMP_compress_block(ssl->compress,wr->data,
565
SSL3_RT_MAX_COMPRESSED_LENGTH,
566
wr->input,(int)wr->length);
567
if (i < 0)
568
return(0);
569
else
570
wr->length=i;
571
572
wr->input=wr->data;
573
#endif
574
return(1);
575
}
576
577
/* Call this to write data in records of type 'type'
578
* It will return <= 0 if not all data has been sent or non-blocking IO.
579
*/
580
int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
581
{
582
const unsigned char *buf=buf_;
583
unsigned int tot,n,nw;
584
int i;
585
586
s->rwstate=SSL_NOTHING;
587
tot=s->s3->wnum;
588
s->s3->wnum=0;
589
590
if (SSL_in_init(s) && !s->in_handshake)
591
{
592
i=s->handshake_func(s);
593
if (i < 0) return(i);
594
if (i == 0)
595
{
596
SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
597
return -1;
598
}
599
}
600
601
n=(len-tot);
602
for (;;)
603
{
604
if (n > s->max_send_fragment)
605
nw=s->max_send_fragment;
606
else
607
nw=n;
608
609
i=do_ssl3_write(s, type, &(buf[tot]), nw, 0);
610
if (i <= 0)
611
{
612
s->s3->wnum=tot;
613
return i;
614
}
615
616
if ((i == (int)n) ||
617
(type == SSL3_RT_APPLICATION_DATA &&
618
(s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
619
{
620
/* next chunk of data should get another prepended empty fragment
621
* in ciphersuites with known-IV weakness: */
622
s->s3->empty_fragment_done = 0;
623
624
return tot+i;
625
}
626
627
n-=i;
628
tot+=i;
629
}
630
}
631
632
static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
633
unsigned int len, int create_empty_fragment)
634
{
635
unsigned char *p,*plen;
636
int i,mac_size,clear=0;
637
int prefix_len=0;
638
int eivlen;
639
long align=0;
640
SSL3_RECORD *wr;
641
SSL3_BUFFER *wb=&(s->s3->wbuf);
642
SSL_SESSION *sess;
643
644
if (wb->buf == NULL)
645
if (!ssl3_setup_write_buffer(s))
646
return -1;
647
648
/* first check if there is a SSL3_BUFFER still being written
649
* out. This will happen with non blocking IO */
650
if (wb->left != 0)
651
return(ssl3_write_pending(s,type,buf,len));
652
653
/* If we have an alert to send, lets send it */
654
if (s->s3->alert_dispatch)
655
{
656
i=s->method->ssl_dispatch_alert(s);
657
if (i <= 0)
658
return(i);
659
/* if it went, fall through and send more stuff */
660
/* we may have released our buffer, so get it again */
661
if (wb->buf == NULL)
662
if (!ssl3_setup_write_buffer(s))
663
return -1;
664
}
665
666
if (len == 0 && !create_empty_fragment)
667
return 0;
668
669
wr= &(s->s3->wrec);
670
sess=s->session;
671
672
if ( (sess == NULL) ||
673
(s->enc_write_ctx == NULL) ||
674
(EVP_MD_CTX_md(s->write_hash) == NULL))
675
{
676
#if 1
677
clear=s->enc_write_ctx?0:1; /* must be AEAD cipher */
678
#else
679
clear=1;
680
#endif
681
mac_size=0;
682
}
683
else
684
{
685
mac_size=EVP_MD_CTX_size(s->write_hash);
686
if (mac_size < 0)
687
goto err;
688
}
689
690
/* 'create_empty_fragment' is true only when this function calls itself */
691
if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done)
692
{
693
/* countermeasure against known-IV weakness in CBC ciphersuites
694
* (see http://www.openssl.org/~bodo/tls-cbc.txt) */
695
696
if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
697
{
698
/* recursive function call with 'create_empty_fragment' set;
699
* this prepares and buffers the data for an empty fragment
700
* (these 'prefix_len' bytes are sent out later
701
* together with the actual payload) */
702
prefix_len = do_ssl3_write(s, type, buf, 0, 1);
703
if (prefix_len <= 0)
704
goto err;
705
706
if (prefix_len >
707
(SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD))
708
{
709
/* insufficient space */
710
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
711
goto err;
712
}
713
}
714
715
s->s3->empty_fragment_done = 1;
716
}
717
718
if (create_empty_fragment)
719
{
720
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
721
/* extra fragment would be couple of cipher blocks,
722
* which would be multiple of SSL3_ALIGN_PAYLOAD, so
723
* if we want to align the real payload, then we can
724
* just pretent we simply have two headers. */
725
align = (long)wb->buf + 2*SSL3_RT_HEADER_LENGTH;
726
align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
727
#endif
728
p = wb->buf + align;
729
wb->offset = align;
730
}
731
else if (prefix_len)
732
{
733
p = wb->buf + wb->offset + prefix_len;
734
}
735
else
736
{
737
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
738
align = (long)wb->buf + SSL3_RT_HEADER_LENGTH;
739
align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
740
#endif
741
p = wb->buf + align;
742
wb->offset = align;
743
}
744
745
/* write the header */
746
747
*(p++)=type&0xff;
748
wr->type=type;
749
750
*(p++)=(s->version>>8);
751
/* Some servers hang if iniatial client hello is larger than 256
752
* bytes and record version number > TLS 1.0
753
*/
754
if (s->state == SSL3_ST_CW_CLNT_HELLO_B
755
&& !s->renegotiate
756
&& TLS1_get_version(s) > TLS1_VERSION)
757
*(p++) = 0x1;
758
else
759
*(p++)=s->version&0xff;
760
761
/* field where we are to write out packet length */
762
plen=p;
763
p+=2;
764
/* Explicit IV length, block ciphers and TLS version 1.1 or later */
765
if (s->enc_write_ctx && s->version >= TLS1_1_VERSION)
766
{
767
int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
768
if (mode == EVP_CIPH_CBC_MODE)
769
{
770
eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
771
if (eivlen <= 1)
772
eivlen = 0;
773
}
774
/* Need explicit part of IV for GCM mode */
775
else if (mode == EVP_CIPH_GCM_MODE)
776
eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
777
else
778
eivlen = 0;
779
}
780
else
781
eivlen = 0;
782
783
/* lets setup the record stuff. */
784
wr->data=p + eivlen;
785
wr->length=(int)len;
786
wr->input=(unsigned char *)buf;
787
788
/* we now 'read' from wr->input, wr->length bytes into
789
* wr->data */
790
791
/* first we compress */
792
if (s->compress != NULL)
793
{
794
if (!ssl3_do_compress(s))
795
{
796
SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
797
goto err;
798
}
799
}
800
else
801
{
802
memcpy(wr->data,wr->input,wr->length);
803
wr->input=wr->data;
804
}
805
806
/* we should still have the output to wr->data and the input
807
* from wr->input. Length should be wr->length.
808
* wr->data still points in the wb->buf */
809
810
if (mac_size != 0)
811
{
812
if (s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
813
goto err;
814
wr->length+=mac_size;
815
}
816
817
wr->input=p;
818
wr->data=p;
819
820
if (eivlen)
821
{
822
/* if (RAND_pseudo_bytes(p, eivlen) <= 0)
823
goto err; */
824
wr->length += eivlen;
825
}
826
827
/* ssl3_enc can only have an error on read */
828
s->method->ssl3_enc->enc(s,1);
829
830
/* record length after mac and block padding */
831
s2n(wr->length,plen);
832
833
/* we should now have
834
* wr->data pointing to the encrypted data, which is
835
* wr->length long */
836
wr->type=type; /* not needed but helps for debugging */
837
wr->length+=SSL3_RT_HEADER_LENGTH;
838
839
if (create_empty_fragment)
840
{
841
/* we are in a recursive call;
842
* just return the length, don't write out anything here
843
*/
844
return wr->length;
845
}
846
847
/* now let's set up wb */
848
wb->left = prefix_len + wr->length;
849
850
/* memorize arguments so that ssl3_write_pending can detect bad write retries later */
851
s->s3->wpend_tot=len;
852
s->s3->wpend_buf=buf;
853
s->s3->wpend_type=type;
854
s->s3->wpend_ret=len;
855
856
/* we now just need to write the buffer */
857
return ssl3_write_pending(s,type,buf,len);
858
err:
859
return -1;
860
}
861
862
/* if s->s3->wbuf.left != 0, we need to call this */
863
int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
864
unsigned int len)
865
{
866
int i;
867
SSL3_BUFFER *wb=&(s->s3->wbuf);
868
869
/* XXXX */
870
if ((s->s3->wpend_tot > (int)len)
871
|| ((s->s3->wpend_buf != buf) &&
872
!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
873
|| (s->s3->wpend_type != type))
874
{
875
SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
876
return(-1);
877
}
878
879
for (;;)
880
{
881
clear_sys_error();
882
if (s->wbio != NULL)
883
{
884
s->rwstate=SSL_WRITING;
885
i=BIO_write(s->wbio,
886
(char *)&(wb->buf[wb->offset]),
887
(unsigned int)wb->left);
888
}
889
else
890
{
891
SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
892
i= -1;
893
}
894
if (i == wb->left)
895
{
896
wb->left=0;
897
wb->offset+=i;
898
if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
899
SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
900
ssl3_release_write_buffer(s);
901
s->rwstate=SSL_NOTHING;
902
return(s->s3->wpend_ret);
903
}
904
else if (i <= 0) {
905
if (s->version == DTLS1_VERSION ||
906
s->version == DTLS1_BAD_VER) {
907
/* For DTLS, just drop it. That's kind of the whole
908
point in using a datagram service */
909
wb->left = 0;
910
}
911
return(i);
912
}
913
wb->offset+=i;
914
wb->left-=i;
915
}
916
}
917
918
/* Return up to 'len' payload bytes received in 'type' records.
919
* 'type' is one of the following:
920
*
921
* - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
922
* - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
923
* - 0 (during a shutdown, no data has to be returned)
924
*
925
* If we don't have stored data to work from, read a SSL/TLS record first
926
* (possibly multiple records if we still don't have anything to return).
927
*
928
* This function must handle any surprises the peer may have for us, such as
929
* Alert records (e.g. close_notify), ChangeCipherSpec records (not really
930
* a surprise, but handled as if it were), or renegotiation requests.
931
* Also if record payloads contain fragments too small to process, we store
932
* them until there is enough for the respective protocol (the record protocol
933
* may use arbitrary fragmentation and even interleaving):
934
* Change cipher spec protocol
935
* just 1 byte needed, no need for keeping anything stored
936
* Alert protocol
937
* 2 bytes needed (AlertLevel, AlertDescription)
938
* Handshake protocol
939
* 4 bytes needed (HandshakeType, uint24 length) -- we just have
940
* to detect unexpected Client Hello and Hello Request messages
941
* here, anything else is handled by higher layers
942
* Application data protocol
943
* none of our business
944
*/
945
int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
946
{
947
int al,i,j,ret;
948
unsigned int n;
949
SSL3_RECORD *rr;
950
void (*cb)(const SSL *ssl,int type2,int val)=NULL;
951
952
if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
953
if (!ssl3_setup_read_buffer(s))
954
return(-1);
955
956
if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
957
(peek && (type != SSL3_RT_APPLICATION_DATA)))
958
{
959
SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
960
return -1;
961
}
962
963
if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
964
/* (partially) satisfy request from storage */
965
{
966
unsigned char *src = s->s3->handshake_fragment;
967
unsigned char *dst = buf;
968
unsigned int k;
969
970
/* peek == 0 */
971
n = 0;
972
while ((len > 0) && (s->s3->handshake_fragment_len > 0))
973
{
974
*dst++ = *src++;
975
len--; s->s3->handshake_fragment_len--;
976
n++;
977
}
978
/* move any remaining fragment bytes: */
979
for (k = 0; k < s->s3->handshake_fragment_len; k++)
980
s->s3->handshake_fragment[k] = *src++;
981
return n;
982
}
983
984
/* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
985
986
if (!s->in_handshake && SSL_in_init(s))
987
{
988
/* type == SSL3_RT_APPLICATION_DATA */
989
i=s->handshake_func(s);
990
if (i < 0) return(i);
991
if (i == 0)
992
{
993
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
994
return(-1);
995
}
996
}
997
start:
998
s->rwstate=SSL_NOTHING;
999
1000
/* s->s3->rrec.type - is the type of record
1001
* s->s3->rrec.data, - data
1002
* s->s3->rrec.off, - offset into 'data' for next read
1003
* s->s3->rrec.length, - number of bytes. */
1004
rr = &(s->s3->rrec);
1005
1006
/* get new packet if necessary */
1007
if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
1008
{
1009
ret=ssl3_get_record(s);
1010
if (ret <= 0) return(ret);
1011
}
1012
1013
/* we now have a packet which can be read and processed */
1014
1015
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
1016
* reset by ssl3_get_finished */
1017
&& (rr->type != SSL3_RT_HANDSHAKE))
1018
{
1019
al=SSL_AD_UNEXPECTED_MESSAGE;
1020
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
1021
goto f_err;
1022
}
1023
1024
/* If the other end has shut down, throw anything we read away
1025
* (even in 'peek' mode) */
1026
if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
1027
{
1028
rr->length=0;
1029
s->rwstate=SSL_NOTHING;
1030
return(0);
1031
}
1032
1033
1034
if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
1035
{
1036
/* make sure that we are not getting application data when we
1037
* are doing a handshake for the first time */
1038
if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
1039
(s->enc_read_ctx == NULL))
1040
{
1041
al=SSL_AD_UNEXPECTED_MESSAGE;
1042
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
1043
goto f_err;
1044
}
1045
1046
if (len <= 0) return(len);
1047
1048
if ((unsigned int)len > rr->length)
1049
n = rr->length;
1050
else
1051
n = (unsigned int)len;
1052
1053
memcpy(buf,&(rr->data[rr->off]),n);
1054
if (!peek)
1055
{
1056
rr->length-=n;
1057
rr->off+=n;
1058
if (rr->length == 0)
1059
{
1060
s->rstate=SSL_ST_READ_HEADER;
1061
rr->off=0;
1062
if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
1063
ssl3_release_read_buffer(s);
1064
}
1065
}
1066
return(n);
1067
}
1068
1069
1070
/* If we get here, then type != rr->type; if we have a handshake
1071
* message, then it was unexpected (Hello Request or Client Hello). */
1072
1073
/* In case of record types for which we have 'fragment' storage,
1074
* fill that so that we can process the data at a fixed place.
1075
*/
1076
{
1077
unsigned int dest_maxlen = 0;
1078
unsigned char *dest = NULL;
1079
unsigned int *dest_len = NULL;
1080
1081
if (rr->type == SSL3_RT_HANDSHAKE)
1082
{
1083
dest_maxlen = sizeof s->s3->handshake_fragment;
1084
dest = s->s3->handshake_fragment;
1085
dest_len = &s->s3->handshake_fragment_len;
1086
}
1087
else if (rr->type == SSL3_RT_ALERT)
1088
{
1089
dest_maxlen = sizeof s->s3->alert_fragment;
1090
dest = s->s3->alert_fragment;
1091
dest_len = &s->s3->alert_fragment_len;
1092
}
1093
#ifndef OPENSSL_NO_HEARTBEATS
1094
else if (rr->type == TLS1_RT_HEARTBEAT)
1095
{
1096
tls1_process_heartbeat(s);
1097
1098
/* Exit and notify application to read again */
1099
rr->length = 0;
1100
s->rwstate=SSL_READING;
1101
BIO_clear_retry_flags(SSL_get_rbio(s));
1102
BIO_set_retry_read(SSL_get_rbio(s));
1103
return(-1);
1104
}
1105
#endif
1106
1107
if (dest_maxlen > 0)
1108
{
1109
n = dest_maxlen - *dest_len; /* available space in 'dest' */
1110
if (rr->length < n)
1111
n = rr->length; /* available bytes */
1112
1113
/* now move 'n' bytes: */
1114
while (n-- > 0)
1115
{
1116
dest[(*dest_len)++] = rr->data[rr->off++];
1117
rr->length--;
1118
}
1119
1120
if (*dest_len < dest_maxlen)
1121
goto start; /* fragment was too small */
1122
}
1123
}
1124
1125
/* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
1126
* s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
1127
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
1128
1129
/* If we are a client, check for an incoming 'Hello Request': */
1130
if ((!s->server) &&
1131
(s->s3->handshake_fragment_len >= 4) &&
1132
(s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
1133
(s->session != NULL) && (s->session->cipher != NULL))
1134
{
1135
s->s3->handshake_fragment_len = 0;
1136
1137
if ((s->s3->handshake_fragment[1] != 0) ||
1138
(s->s3->handshake_fragment[2] != 0) ||
1139
(s->s3->handshake_fragment[3] != 0))
1140
{
1141
al=SSL_AD_DECODE_ERROR;
1142
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
1143
goto f_err;
1144
}
1145
1146
if (s->msg_callback)
1147
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
1148
1149
if (SSL_is_init_finished(s) &&
1150
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
1151
!s->s3->renegotiate)
1152
{
1153
ssl3_renegotiate(s);
1154
if (ssl3_renegotiate_check(s))
1155
{
1156
i=s->handshake_func(s);
1157
if (i < 0) return(i);
1158
if (i == 0)
1159
{
1160
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1161
return(-1);
1162
}
1163
1164
if (!(s->mode & SSL_MODE_AUTO_RETRY))
1165
{
1166
if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1167
{
1168
BIO *bio;
1169
/* In the case where we try to read application data,
1170
* but we trigger an SSL handshake, we return -1 with
1171
* the retry option set. Otherwise renegotiation may
1172
* cause nasty problems in the blocking world */
1173
s->rwstate=SSL_READING;
1174
bio=SSL_get_rbio(s);
1175
BIO_clear_retry_flags(bio);
1176
BIO_set_retry_read(bio);
1177
return(-1);
1178
}
1179
}
1180
}
1181
}
1182
/* we either finished a handshake or ignored the request,
1183
* now try again to obtain the (application) data we were asked for */
1184
goto start;
1185
}
1186
/* If we are a server and get a client hello when renegotiation isn't
1187
* allowed send back a no renegotiation alert and carry on.
1188
* WARNING: experimental code, needs reviewing (steve)
1189
*/
1190
if (s->server &&
1191
SSL_is_init_finished(s) &&
1192
!s->s3->send_connection_binding &&
1193
(s->version > SSL3_VERSION) &&
1194
(s->s3->handshake_fragment_len >= 4) &&
1195
(s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
1196
(s->session != NULL) && (s->session->cipher != NULL) &&
1197
!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1198
1199
{
1200
/*s->s3->handshake_fragment_len = 0;*/
1201
rr->length = 0;
1202
ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
1203
goto start;
1204
}
1205
if (s->s3->alert_fragment_len >= 2)
1206
{
1207
int alert_level = s->s3->alert_fragment[0];
1208
int alert_descr = s->s3->alert_fragment[1];
1209
1210
s->s3->alert_fragment_len = 0;
1211
1212
if (s->msg_callback)
1213
s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
1214
1215
if (s->info_callback != NULL)
1216
cb=s->info_callback;
1217
else if (s->ctx->info_callback != NULL)
1218
cb=s->ctx->info_callback;
1219
1220
if (cb != NULL)
1221
{
1222
j = (alert_level << 8) | alert_descr;
1223
cb(s, SSL_CB_READ_ALERT, j);
1224
}
1225
1226
if (alert_level == 1) /* warning */
1227
{
1228
s->s3->warn_alert = alert_descr;
1229
if (alert_descr == SSL_AD_CLOSE_NOTIFY)
1230
{
1231
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
1232
return(0);
1233
}
1234
/* This is a warning but we receive it if we requested
1235
* renegotiation and the peer denied it. Terminate with
1236
* a fatal alert because if application tried to
1237
* renegotiatie it presumably had a good reason and
1238
* expects it to succeed.
1239
*
1240
* In future we might have a renegotiation where we
1241
* don't care if the peer refused it where we carry on.
1242
*/
1243
else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
1244
{
1245
al = SSL_AD_HANDSHAKE_FAILURE;
1246
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
1247
goto f_err;
1248
}
1249
#ifdef SSL_AD_MISSING_SRP_USERNAME
1250
if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
1251
return(0);
1252
#endif
1253
}
1254
else if (alert_level == 2) /* fatal */
1255
{
1256
char tmp[16];
1257
1258
s->rwstate=SSL_NOTHING;
1259
s->s3->fatal_alert = alert_descr;
1260
SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
1261
BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
1262
ERR_add_error_data(2,"SSL alert number ",tmp);
1263
s->shutdown|=SSL_RECEIVED_SHUTDOWN;
1264
SSL_CTX_remove_session(s->ctx,s->session);
1265
return(0);
1266
}
1267
else
1268
{
1269
al=SSL_AD_ILLEGAL_PARAMETER;
1270
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
1271
goto f_err;
1272
}
1273
1274
goto start;
1275
}
1276
1277
if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
1278
{
1279
s->rwstate=SSL_NOTHING;
1280
rr->length=0;
1281
return(0);
1282
}
1283
1284
if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1285
{
1286
/* 'Change Cipher Spec' is just a single byte, so we know
1287
* exactly what the record payload has to look like */
1288
if ( (rr->length != 1) || (rr->off != 0) ||
1289
(rr->data[0] != SSL3_MT_CCS))
1290
{
1291
al=SSL_AD_ILLEGAL_PARAMETER;
1292
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
1293
goto f_err;
1294
}
1295
1296
/* Check we have a cipher to change to */
1297
if (s->s3->tmp.new_cipher == NULL)
1298
{
1299
al=SSL_AD_UNEXPECTED_MESSAGE;
1300
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
1301
goto f_err;
1302
}
1303
1304
if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
1305
{
1306
al=SSL_AD_UNEXPECTED_MESSAGE;
1307
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
1308
goto f_err;
1309
}
1310
1311
s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
1312
1313
rr->length=0;
1314
1315
if (s->msg_callback)
1316
s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
1317
1318
s->s3->change_cipher_spec=1;
1319
if (!ssl3_do_change_cipher_spec(s))
1320
goto err;
1321
else
1322
goto start;
1323
}
1324
1325
/* Unexpected handshake message (Client Hello, or protocol violation) */
1326
if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
1327
{
1328
if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
1329
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
1330
{
1331
#if 0 /* worked only because C operator preferences are not as expected (and
1332
* because this is not really needed for clients except for detecting
1333
* protocol violations): */
1334
s->state=SSL_ST_BEFORE|(s->server)
1335
?SSL_ST_ACCEPT
1336
:SSL_ST_CONNECT;
1337
#else
1338
s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1339
#endif
1340
s->renegotiate=1;
1341
s->new_session=1;
1342
}
1343
i=s->handshake_func(s);
1344
if (i < 0) return(i);
1345
if (i == 0)
1346
{
1347
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1348
return(-1);
1349
}
1350
1351
if (!(s->mode & SSL_MODE_AUTO_RETRY))
1352
{
1353
if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1354
{
1355
BIO *bio;
1356
/* In the case where we try to read application data,
1357
* but we trigger an SSL handshake, we return -1 with
1358
* the retry option set. Otherwise renegotiation may
1359
* cause nasty problems in the blocking world */
1360
s->rwstate=SSL_READING;
1361
bio=SSL_get_rbio(s);
1362
BIO_clear_retry_flags(bio);
1363
BIO_set_retry_read(bio);
1364
return(-1);
1365
}
1366
}
1367
goto start;
1368
}
1369
1370
switch (rr->type)
1371
{
1372
default:
1373
#ifndef OPENSSL_NO_TLS
1374
/* TLS up to v1.1 just ignores unknown message types:
1375
* TLS v1.2 give an unexpected message alert.
1376
*/
1377
if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION)
1378
{
1379
rr->length = 0;
1380
goto start;
1381
}
1382
#endif
1383
al=SSL_AD_UNEXPECTED_MESSAGE;
1384
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1385
goto f_err;
1386
case SSL3_RT_CHANGE_CIPHER_SPEC:
1387
case SSL3_RT_ALERT:
1388
case SSL3_RT_HANDSHAKE:
1389
/* we already handled all of these, with the possible exception
1390
* of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
1391
* should not happen when type != rr->type */
1392
al=SSL_AD_UNEXPECTED_MESSAGE;
1393
SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
1394
goto f_err;
1395
case SSL3_RT_APPLICATION_DATA:
1396
/* At this point, we were expecting handshake data,
1397
* but have application data. If the library was
1398
* running inside ssl3_read() (i.e. in_read_app_data
1399
* is set) and it makes sense to read application data
1400
* at this point (session renegotiation not yet started),
1401
* we will indulge it.
1402
*/
1403
if (s->s3->in_read_app_data &&
1404
(s->s3->total_renegotiations != 0) &&
1405
((
1406
(s->state & SSL_ST_CONNECT) &&
1407
(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
1408
(s->state <= SSL3_ST_CR_SRVR_HELLO_A)
1409
) || (
1410
(s->state & SSL_ST_ACCEPT) &&
1411
(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
1412
(s->state >= SSL3_ST_SR_CLNT_HELLO_A)
1413
)
1414
))
1415
{
1416
s->s3->in_read_app_data=2;
1417
return(-1);
1418
}
1419
else
1420
{
1421
al=SSL_AD_UNEXPECTED_MESSAGE;
1422
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1423
goto f_err;
1424
}
1425
}
1426
/* not reached */
1427
1428
f_err:
1429
ssl3_send_alert(s,SSL3_AL_FATAL,al);
1430
err:
1431
return(-1);
1432
}
1433
1434
int ssl3_do_change_cipher_spec(SSL *s)
1435
{
1436
int i;
1437
const char *sender;
1438
int slen;
1439
1440
if (s->state & SSL_ST_ACCEPT)
1441
i=SSL3_CHANGE_CIPHER_SERVER_READ;
1442
else
1443
i=SSL3_CHANGE_CIPHER_CLIENT_READ;
1444
1445
if (s->s3->tmp.key_block == NULL)
1446
{
1447
if (s->session == NULL || s->session->master_key_length == 0)
1448
{
1449
/* might happen if dtls1_read_bytes() calls this */
1450
SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
1451
return (0);
1452
}
1453
1454
s->session->cipher=s->s3->tmp.new_cipher;
1455
if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
1456
}
1457
1458
if (!s->method->ssl3_enc->change_cipher_state(s,i))
1459
return(0);
1460
1461
/* we have to record the message digest at
1462
* this point so we can get it before we read
1463
* the finished message */
1464
if (s->state & SSL_ST_CONNECT)
1465
{
1466
sender=s->method->ssl3_enc->server_finished_label;
1467
slen=s->method->ssl3_enc->server_finished_label_len;
1468
}
1469
else
1470
{
1471
sender=s->method->ssl3_enc->client_finished_label;
1472
slen=s->method->ssl3_enc->client_finished_label_len;
1473
}
1474
1475
i = s->method->ssl3_enc->final_finish_mac(s,
1476
sender,slen,s->s3->tmp.peer_finish_md);
1477
if (i == 0)
1478
{
1479
SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
1480
return 0;
1481
}
1482
s->s3->tmp.peer_finish_md_len = i;
1483
1484
return(1);
1485
}
1486
1487
int ssl3_send_alert(SSL *s, int level, int desc)
1488
{
1489
/* Map tls/ssl alert value to correct one */
1490
desc=s->method->ssl3_enc->alert_value(desc);
1491
if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
1492
desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
1493
if (desc < 0) return -1;
1494
/* If a fatal one, remove from cache */
1495
if ((level == 2) && (s->session != NULL))
1496
SSL_CTX_remove_session(s->ctx,s->session);
1497
1498
s->s3->alert_dispatch=1;
1499
s->s3->send_alert[0]=level;
1500
s->s3->send_alert[1]=desc;
1501
if (s->s3->wbuf.left == 0) /* data still being written out? */
1502
return s->method->ssl_dispatch_alert(s);
1503
/* else data is still being written out, we will get written
1504
* some time in the future */
1505
return -1;
1506
}
1507
1508
int ssl3_dispatch_alert(SSL *s)
1509
{
1510
int i,j;
1511
void (*cb)(const SSL *ssl,int type,int val)=NULL;
1512
1513
s->s3->alert_dispatch=0;
1514
i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
1515
if (i <= 0)
1516
{
1517
s->s3->alert_dispatch=1;
1518
}
1519
else
1520
{
1521
/* Alert sent to BIO. If it is important, flush it now.
1522
* If the message does not get sent due to non-blocking IO,
1523
* we will not worry too much. */
1524
if (s->s3->send_alert[0] == SSL3_AL_FATAL)
1525
(void)BIO_flush(s->wbio);
1526
1527
if (s->msg_callback)
1528
s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
1529
1530
if (s->info_callback != NULL)
1531
cb=s->info_callback;
1532
else if (s->ctx->info_callback != NULL)
1533
cb=s->ctx->info_callback;
1534
1535
if (cb != NULL)
1536
{
1537
j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
1538
cb(s,SSL_CB_WRITE_ALERT,j);
1539
}
1540
}
1541
return(i);
1542
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.1