2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5
* This package is an SSL implementation written
6
* by Eric Young (eay@cryptsoft.com).
7
* The implementation was written so as to conform with Netscapes SSL.
9
* This library is free for commercial and non-commercial use as long as
10
* the following conditions are aheared to. The following conditions
11
* apply to all code found in this distribution, be it the RC4, RSA,
12
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13
* included with this distribution is covered by the same copyright terms
14
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
16
* Copyright remains Eric Young's, and as such any Copyright notices in
17
* the code are not to be removed.
18
* If this package is used in a product, Eric Young should be given attribution
19
* as the author of the parts of the library used.
20
* This can be in the form of a textual message at program startup or
21
* in documentation (online or textual) provided with the package.
23
* Redistribution and use in source and binary forms, with or without
24
* modification, are permitted provided that the following conditions
26
* 1. Redistributions of source code must retain the copyright
27
* notice, this list of conditions and the following disclaimer.
28
* 2. Redistributions in binary form must reproduce the above copyright
29
* notice, this list of conditions and the following disclaimer in the
30
* documentation and/or other materials provided with the distribution.
31
* 3. All advertising materials mentioning features or use of this software
32
* must display the following acknowledgement:
33
* "This product includes cryptographic software written by
34
* Eric Young (eay@cryptsoft.com)"
35
* The word 'cryptographic' can be left out if the rouines from the library
36
* being used are not cryptographic related :-).
37
* 4. If you include any Windows specific code (or a derivative thereof) from
38
* the apps directory (application code) you must include an acknowledgement:
39
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53
* The licence and distribution terms for any publically available version or
54
* derivative of this code cannot be changed. i.e. this code cannot simply be
55
* copied and put under another distribution licence
56
* [including the GNU Public Licence.]
58
/* ====================================================================
59
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
61
* Redistribution and use in source and binary forms, with or without
62
* modification, are permitted provided that the following conditions
65
* 1. Redistributions of source code must retain the above copyright
66
* notice, this list of conditions and the following disclaimer.
68
* 2. Redistributions in binary form must reproduce the above copyright
69
* notice, this list of conditions and the following disclaimer in
70
* the documentation and/or other materials provided with the
73
* 3. All advertising materials mentioning features or use of this
74
* software must display the following acknowledgment:
75
* "This product includes software developed by the OpenSSL Project
76
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79
* endorse or promote products derived from this software without
80
* prior written permission. For written permission, please contact
81
* openssl-core@openssl.org.
83
* 5. Products derived from this software may not be called "OpenSSL"
84
* nor may "OpenSSL" appear in their names without prior written
85
* permission of the OpenSSL Project.
87
* 6. Redistributions of any form whatsoever must retain the following
89
* "This product includes software developed by the OpenSSL Project
90
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103
* OF THE POSSIBILITY OF SUCH DAMAGE.
104
* ====================================================================
106
* This product includes cryptographic software written by Eric Young
107
* (eay@cryptsoft.com). This product includes software written by Tim
108
* Hudson (tjh@cryptsoft.com).
115
#include "ssl_locl.h"
116
#include <openssl/evp.h>
117
#include <openssl/buffer.h>
118
#include <openssl/rand.h>
120
static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
121
unsigned int len, int create_empty_fragment);
122
static int ssl3_get_record(SSL *s);
124
int ssl3_read_n(SSL *s, int n, int max, int extend)
126
/* If extend == 0, obtain new n-byte packet; if extend == 1, increase
127
* packet by another n bytes.
128
* The packet will be in the sub-array of s->s3->rbuf.buf specified
129
* by s->packet and s->packet_length.
130
* (If s->read_ahead is set, 'max' bytes may be stored in rbuf
131
* [plus s->packet_length bytes if extend == 1].)
138
if (n <= 0) return n;
142
if (!ssl3_setup_read_buffer(s))
146
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
147
align = (long)rb->buf + SSL3_RT_HEADER_LENGTH;
148
align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
153
/* start with empty packet ... */
156
else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH)
158
/* check if next packet length is large
159
* enough to justify payload alignment... */
160
pkt = rb->buf + rb->offset;
161
if (pkt[0] == SSL3_RT_APPLICATION_DATA
162
&& (pkt[3]<<8|pkt[4]) >= 128)
164
/* Note that even if packet is corrupted
165
* and its length field is insane, we can
166
* only be led to wrong decision about
167
* whether memmove will occur or not.
168
* Header values has no effect on memmove
169
* arguments and therefore no buffer
170
* overrun can be triggered. */
171
memmove (rb->buf+align,pkt,left);
175
s->packet = rb->buf + rb->offset;
176
s->packet_length = 0;
177
/* ... now we can act as if 'extend' was set */
180
/* For DTLS/UDP reads should not span multiple packets
181
* because the read operation returns the whole packet
182
* at once (as long as it fits into the buffer). */
183
if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
185
if (left > 0 && n > left)
189
/* if there is enough in the buffer from a previous read, take some */
198
/* else we need to read more data */
200
len = s->packet_length;
202
/* Move any available bytes to front of buffer:
203
* 'len' bytes already pointed to by 'packet',
204
* 'left' extra ones at the end */
205
if (s->packet != pkt) /* len > 0 */
207
memmove(pkt, s->packet, len+left);
209
rb->offset = len + align;
212
if (n > (int)(rb->len - rb->offset)) /* does not happen */
214
SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
219
/* ignore max parameter */
225
if (max > (int)(rb->len - rb->offset))
226
max = rb->len - rb->offset;
231
/* Now we have len+left bytes at the front of s->s3->rbuf.buf
232
* and need to read in more until we have len+n (up to
233
* len+max if possible) */
238
s->rwstate=SSL_READING;
239
i=BIO_read(s->rbio,pkt+len+left, max-left);
243
SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
250
if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
251
SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
253
ssl3_release_read_buffer(s);
257
/* reads should *never* span multiple packets for DTLS because
258
* the underlying transport protocol is message oriented as opposed
259
* to byte oriented as in the TLS case. */
260
if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
263
n = left; /* makes the while condition false */
267
/* done reading, now the book-keeping */
270
s->packet_length += n;
271
s->rwstate=SSL_NOTHING;
275
/* Call this to get a new input record.
276
* It will return <= 0 if more data is needed, normally due to an error
277
* or non-blocking IO.
278
* When it finishes, one packet has been decoded and can be found in
279
* ssl->s3->rrec.type - is the type of record
280
* ssl->s3->rrec.data, - data
281
* ssl->s3->rrec.length, - number of bytes
283
/* used only by ssl3_read_bytes */
284
static int ssl3_get_record(SSL *s)
286
int ssl_major,ssl_minor,al;
287
int enc_err,n,i,ret= -1;
291
unsigned char md[EVP_MAX_MD_SIZE];
293
unsigned mac_size, orig_len;
299
if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
300
extra=SSL3_RT_MAX_EXTRA;
303
if (extra && !s->s3->init_extra)
305
/* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
306
* set after ssl3_setup_buffers() was done */
307
SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
312
/* check if we have the header */
313
if ( (s->rstate != SSL_ST_READ_BODY) ||
314
(s->packet_length < SSL3_RT_HEADER_LENGTH))
316
n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
317
if (n <= 0) return(n); /* error or non-blocking */
318
s->rstate=SSL_ST_READ_BODY;
322
/* Pull apart the header into the SSL3_RECORD */
326
version=(ssl_major<<8)|ssl_minor;
329
fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
332
/* Lets check version */
333
if (!s->first_packet)
335
if (version != s->version)
337
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
338
if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
339
/* Send back error using their minor version number :-) */
340
s->version = (unsigned short)version;
341
al=SSL_AD_PROTOCOL_VERSION;
346
if ((version>>8) != SSL3_VERSION_MAJOR)
348
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
352
if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH)
354
al=SSL_AD_RECORD_OVERFLOW;
355
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
359
/* now s->rstate == SSL_ST_READ_BODY */
362
/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
364
if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH)
366
/* now s->packet_length == SSL3_RT_HEADER_LENGTH */
368
n=ssl3_read_n(s,i,i,1);
369
if (n <= 0) return(n); /* error or non-blocking io */
370
/* now n == rr->length,
371
* and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
374
s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
376
/* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
377
* and we have that many bytes in s->packet
379
rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
381
/* ok, we can now read from 's->packet' data into 'rr'
382
* rr->input points at rr->length bytes, which
383
* need to be copied into rr->data by either
384
* the decryption or by the decompression
385
* When the data is 'copied' into the rr->data buffer,
386
* rr->input will be pointed at the new buffer */
388
/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
389
* rr->length bytes of encrypted compressed stuff. */
391
/* check is not needed I believe */
392
if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
394
al=SSL_AD_RECORD_OVERFLOW;
395
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
399
/* decrypt in place in 'rr->input' */
402
enc_err = s->method->ssl3_enc->enc(s,0);
404
* 0: (in non-constant time) if the record is publically invalid.
405
* 1: if the padding is valid
406
* -1: if the padding is invalid */
409
al=SSL_AD_DECRYPTION_FAILED;
410
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
415
printf("dec %d\n",rr->length);
416
{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
420
/* r->length is now the compressed data plus mac */
421
if ((sess != NULL) &&
422
(s->enc_read_ctx != NULL) &&
423
(EVP_MD_CTX_md(s->read_hash) != NULL))
425
/* s->read_hash != NULL => mac_size != -1 */
426
unsigned char *mac = NULL;
427
unsigned char mac_tmp[EVP_MAX_MD_SIZE];
428
mac_size=EVP_MD_CTX_size(s->read_hash);
429
OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
431
/* kludge: *_cbc_remove_padding passes padding length in rr->type */
432
orig_len = rr->length+((unsigned int)rr->type>>8);
434
/* orig_len is the length of the record before any padding was
435
* removed. This is public information, as is the MAC in use,
436
* therefore we can safely process the record in a different
437
* amount of time if it's too short to possibly contain a MAC.
439
if (orig_len < mac_size ||
440
/* CBC records must have a padding length byte too. */
441
(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
442
orig_len < mac_size+1))
444
al=SSL_AD_DECODE_ERROR;
445
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
449
if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
451
/* We update the length so that the TLS header bytes
452
* can be constructed correctly but we need to extract
453
* the MAC in constant time from within the record,
454
* without leaking the contents of the padding bytes.
457
ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
458
rr->length -= mac_size;
462
/* In this case there's no padding, so |orig_len|
463
* equals |rec->length| and we checked that there's
464
* enough bytes for |mac_size| above. */
465
rr->length -= mac_size;
466
mac = &rr->data[rr->length];
469
i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
470
if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
472
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
478
/* A separate 'decryption_failed' alert was introduced with TLS 1.0,
479
* SSL 3.0 only has 'bad_record_mac'. But unless a decryption
480
* failure is directly visible from the ciphertext anyway,
481
* we should not reveal which kind of error occured -- this
482
* might become visible to an attacker (e.g. via a logfile) */
483
al=SSL_AD_BAD_RECORD_MAC;
484
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
488
/* r->length is now just compressed */
489
if (s->expand != NULL)
491
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
493
al=SSL_AD_RECORD_OVERFLOW;
494
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
497
if (!ssl3_do_uncompress(s))
499
al=SSL_AD_DECOMPRESSION_FAILURE;
500
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
505
if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra)
507
al=SSL_AD_RECORD_OVERFLOW;
508
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
513
/* So at this point the following is true
514
* ssl->s3->rrec.type is the type of record
515
* ssl->s3->rrec.length == number of bytes in record
516
* ssl->s3->rrec.off == offset to first valid byte
517
* ssl->s3->rrec.data == where to take bytes from, increment
521
/* we have pulled in a full packet so zero things */
524
/* just read a 0 length packet */
525
if (rr->length == 0) goto again;
528
fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length);
534
ssl3_send_alert(s,SSL3_AL_FATAL,al);
539
int ssl3_do_uncompress(SSL *ssl)
541
#ifndef OPENSSL_NO_COMP
545
rr= &(ssl->s3->rrec);
546
i=COMP_expand_block(ssl->expand,rr->comp,
547
SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
557
int ssl3_do_compress(SSL *ssl)
559
#ifndef OPENSSL_NO_COMP
563
wr= &(ssl->s3->wrec);
564
i=COMP_compress_block(ssl->compress,wr->data,
565
SSL3_RT_MAX_COMPRESSED_LENGTH,
566
wr->input,(int)wr->length);
577
/* Call this to write data in records of type 'type'
578
* It will return <= 0 if not all data has been sent or non-blocking IO.
580
int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
582
const unsigned char *buf=buf_;
583
unsigned int tot,n,nw;
586
s->rwstate=SSL_NOTHING;
590
if (SSL_in_init(s) && !s->in_handshake)
592
i=s->handshake_func(s);
593
if (i < 0) return(i);
596
SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
604
if (n > s->max_send_fragment)
605
nw=s->max_send_fragment;
609
i=do_ssl3_write(s, type, &(buf[tot]), nw, 0);
617
(type == SSL3_RT_APPLICATION_DATA &&
618
(s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
620
/* next chunk of data should get another prepended empty fragment
621
* in ciphersuites with known-IV weakness: */
622
s->s3->empty_fragment_done = 0;
632
static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
633
unsigned int len, int create_empty_fragment)
635
unsigned char *p,*plen;
636
int i,mac_size,clear=0;
641
SSL3_BUFFER *wb=&(s->s3->wbuf);
645
if (!ssl3_setup_write_buffer(s))
648
/* first check if there is a SSL3_BUFFER still being written
649
* out. This will happen with non blocking IO */
651
return(ssl3_write_pending(s,type,buf,len));
653
/* If we have an alert to send, lets send it */
654
if (s->s3->alert_dispatch)
656
i=s->method->ssl_dispatch_alert(s);
659
/* if it went, fall through and send more stuff */
660
/* we may have released our buffer, so get it again */
662
if (!ssl3_setup_write_buffer(s))
666
if (len == 0 && !create_empty_fragment)
672
if ( (sess == NULL) ||
673
(s->enc_write_ctx == NULL) ||
674
(EVP_MD_CTX_md(s->write_hash) == NULL))
677
clear=s->enc_write_ctx?0:1; /* must be AEAD cipher */
685
mac_size=EVP_MD_CTX_size(s->write_hash);
690
/* 'create_empty_fragment' is true only when this function calls itself */
691
if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done)
693
/* countermeasure against known-IV weakness in CBC ciphersuites
694
* (see http://www.openssl.org/~bodo/tls-cbc.txt) */
696
if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
698
/* recursive function call with 'create_empty_fragment' set;
699
* this prepares and buffers the data for an empty fragment
700
* (these 'prefix_len' bytes are sent out later
701
* together with the actual payload) */
702
prefix_len = do_ssl3_write(s, type, buf, 0, 1);
707
(SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD))
709
/* insufficient space */
710
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
715
s->s3->empty_fragment_done = 1;
718
if (create_empty_fragment)
720
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
721
/* extra fragment would be couple of cipher blocks,
722
* which would be multiple of SSL3_ALIGN_PAYLOAD, so
723
* if we want to align the real payload, then we can
724
* just pretent we simply have two headers. */
725
align = (long)wb->buf + 2*SSL3_RT_HEADER_LENGTH;
726
align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
733
p = wb->buf + wb->offset + prefix_len;
737
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
738
align = (long)wb->buf + SSL3_RT_HEADER_LENGTH;
739
align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
745
/* write the header */
750
*(p++)=(s->version>>8);
751
/* Some servers hang if iniatial client hello is larger than 256
752
* bytes and record version number > TLS 1.0
754
if (s->state == SSL3_ST_CW_CLNT_HELLO_B
756
&& TLS1_get_version(s) > TLS1_VERSION)
759
*(p++)=s->version&0xff;
761
/* field where we are to write out packet length */
764
/* Explicit IV length, block ciphers and TLS version 1.1 or later */
765
if (s->enc_write_ctx && s->version >= TLS1_1_VERSION)
767
int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
768
if (mode == EVP_CIPH_CBC_MODE)
770
eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
774
/* Need explicit part of IV for GCM mode */
775
else if (mode == EVP_CIPH_GCM_MODE)
776
eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
783
/* lets setup the record stuff. */
786
wr->input=(unsigned char *)buf;
788
/* we now 'read' from wr->input, wr->length bytes into
791
/* first we compress */
792
if (s->compress != NULL)
794
if (!ssl3_do_compress(s))
796
SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
802
memcpy(wr->data,wr->input,wr->length);
806
/* we should still have the output to wr->data and the input
807
* from wr->input. Length should be wr->length.
808
* wr->data still points in the wb->buf */
812
if (s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
814
wr->length+=mac_size;
822
/* if (RAND_pseudo_bytes(p, eivlen) <= 0)
824
wr->length += eivlen;
827
/* ssl3_enc can only have an error on read */
828
s->method->ssl3_enc->enc(s,1);
830
/* record length after mac and block padding */
831
s2n(wr->length,plen);
833
/* we should now have
834
* wr->data pointing to the encrypted data, which is
836
wr->type=type; /* not needed but helps for debugging */
837
wr->length+=SSL3_RT_HEADER_LENGTH;
839
if (create_empty_fragment)
841
/* we are in a recursive call;
842
* just return the length, don't write out anything here
847
/* now let's set up wb */
848
wb->left = prefix_len + wr->length;
850
/* memorize arguments so that ssl3_write_pending can detect bad write retries later */
851
s->s3->wpend_tot=len;
852
s->s3->wpend_buf=buf;
853
s->s3->wpend_type=type;
854
s->s3->wpend_ret=len;
856
/* we now just need to write the buffer */
857
return ssl3_write_pending(s,type,buf,len);
862
/* if s->s3->wbuf.left != 0, we need to call this */
863
int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
867
SSL3_BUFFER *wb=&(s->s3->wbuf);
870
if ((s->s3->wpend_tot > (int)len)
871
|| ((s->s3->wpend_buf != buf) &&
872
!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
873
|| (s->s3->wpend_type != type))
875
SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
884
s->rwstate=SSL_WRITING;
886
(char *)&(wb->buf[wb->offset]),
887
(unsigned int)wb->left);
891
SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
898
if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
899
SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
900
ssl3_release_write_buffer(s);
901
s->rwstate=SSL_NOTHING;
902
return(s->s3->wpend_ret);
905
if (s->version == DTLS1_VERSION ||
906
s->version == DTLS1_BAD_VER) {
907
/* For DTLS, just drop it. That's kind of the whole
908
point in using a datagram service */
918
/* Return up to 'len' payload bytes received in 'type' records.
919
* 'type' is one of the following:
921
* - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
922
* - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
923
* - 0 (during a shutdown, no data has to be returned)
925
* If we don't have stored data to work from, read a SSL/TLS record first
926
* (possibly multiple records if we still don't have anything to return).
928
* This function must handle any surprises the peer may have for us, such as
929
* Alert records (e.g. close_notify), ChangeCipherSpec records (not really
930
* a surprise, but handled as if it were), or renegotiation requests.
931
* Also if record payloads contain fragments too small to process, we store
932
* them until there is enough for the respective protocol (the record protocol
933
* may use arbitrary fragmentation and even interleaving):
934
* Change cipher spec protocol
935
* just 1 byte needed, no need for keeping anything stored
937
* 2 bytes needed (AlertLevel, AlertDescription)
939
* 4 bytes needed (HandshakeType, uint24 length) -- we just have
940
* to detect unexpected Client Hello and Hello Request messages
941
* here, anything else is handled by higher layers
942
* Application data protocol
943
* none of our business
945
int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
950
void (*cb)(const SSL *ssl,int type2,int val)=NULL;
952
if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
953
if (!ssl3_setup_read_buffer(s))
956
if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
957
(peek && (type != SSL3_RT_APPLICATION_DATA)))
959
SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
963
if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
964
/* (partially) satisfy request from storage */
966
unsigned char *src = s->s3->handshake_fragment;
967
unsigned char *dst = buf;
972
while ((len > 0) && (s->s3->handshake_fragment_len > 0))
975
len--; s->s3->handshake_fragment_len--;
978
/* move any remaining fragment bytes: */
979
for (k = 0; k < s->s3->handshake_fragment_len; k++)
980
s->s3->handshake_fragment[k] = *src++;
984
/* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
986
if (!s->in_handshake && SSL_in_init(s))
988
/* type == SSL3_RT_APPLICATION_DATA */
989
i=s->handshake_func(s);
990
if (i < 0) return(i);
993
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
998
s->rwstate=SSL_NOTHING;
1000
/* s->s3->rrec.type - is the type of record
1001
* s->s3->rrec.data, - data
1002
* s->s3->rrec.off, - offset into 'data' for next read
1003
* s->s3->rrec.length, - number of bytes. */
1004
rr = &(s->s3->rrec);
1006
/* get new packet if necessary */
1007
if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
1009
ret=ssl3_get_record(s);
1010
if (ret <= 0) return(ret);
1013
/* we now have a packet which can be read and processed */
1015
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
1016
* reset by ssl3_get_finished */
1017
&& (rr->type != SSL3_RT_HANDSHAKE))
1019
al=SSL_AD_UNEXPECTED_MESSAGE;
1020
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
1024
/* If the other end has shut down, throw anything we read away
1025
* (even in 'peek' mode) */
1026
if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
1029
s->rwstate=SSL_NOTHING;
1034
if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
1036
/* make sure that we are not getting application data when we
1037
* are doing a handshake for the first time */
1038
if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
1039
(s->enc_read_ctx == NULL))
1041
al=SSL_AD_UNEXPECTED_MESSAGE;
1042
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
1046
if (len <= 0) return(len);
1048
if ((unsigned int)len > rr->length)
1051
n = (unsigned int)len;
1053
memcpy(buf,&(rr->data[rr->off]),n);
1058
if (rr->length == 0)
1060
s->rstate=SSL_ST_READ_HEADER;
1062
if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
1063
ssl3_release_read_buffer(s);
1070
/* If we get here, then type != rr->type; if we have a handshake
1071
* message, then it was unexpected (Hello Request or Client Hello). */
1073
/* In case of record types for which we have 'fragment' storage,
1074
* fill that so that we can process the data at a fixed place.
1077
unsigned int dest_maxlen = 0;
1078
unsigned char *dest = NULL;
1079
unsigned int *dest_len = NULL;
1081
if (rr->type == SSL3_RT_HANDSHAKE)
1083
dest_maxlen = sizeof s->s3->handshake_fragment;
1084
dest = s->s3->handshake_fragment;
1085
dest_len = &s->s3->handshake_fragment_len;
1087
else if (rr->type == SSL3_RT_ALERT)
1089
dest_maxlen = sizeof s->s3->alert_fragment;
1090
dest = s->s3->alert_fragment;
1091
dest_len = &s->s3->alert_fragment_len;
1093
#ifndef OPENSSL_NO_HEARTBEATS
1094
else if (rr->type == TLS1_RT_HEARTBEAT)
1096
tls1_process_heartbeat(s);
1098
/* Exit and notify application to read again */
1100
s->rwstate=SSL_READING;
1101
BIO_clear_retry_flags(SSL_get_rbio(s));
1102
BIO_set_retry_read(SSL_get_rbio(s));
1107
if (dest_maxlen > 0)
1109
n = dest_maxlen - *dest_len; /* available space in 'dest' */
1111
n = rr->length; /* available bytes */
1113
/* now move 'n' bytes: */
1116
dest[(*dest_len)++] = rr->data[rr->off++];
1120
if (*dest_len < dest_maxlen)
1121
goto start; /* fragment was too small */
1125
/* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
1126
* s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
1127
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
1129
/* If we are a client, check for an incoming 'Hello Request': */
1131
(s->s3->handshake_fragment_len >= 4) &&
1132
(s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
1133
(s->session != NULL) && (s->session->cipher != NULL))
1135
s->s3->handshake_fragment_len = 0;
1137
if ((s->s3->handshake_fragment[1] != 0) ||
1138
(s->s3->handshake_fragment[2] != 0) ||
1139
(s->s3->handshake_fragment[3] != 0))
1141
al=SSL_AD_DECODE_ERROR;
1142
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
1146
if (s->msg_callback)
1147
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
1149
if (SSL_is_init_finished(s) &&
1150
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
1151
!s->s3->renegotiate)
1153
ssl3_renegotiate(s);
1154
if (ssl3_renegotiate_check(s))
1156
i=s->handshake_func(s);
1157
if (i < 0) return(i);
1160
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1164
if (!(s->mode & SSL_MODE_AUTO_RETRY))
1166
if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1169
/* In the case where we try to read application data,
1170
* but we trigger an SSL handshake, we return -1 with
1171
* the retry option set. Otherwise renegotiation may
1172
* cause nasty problems in the blocking world */
1173
s->rwstate=SSL_READING;
1174
bio=SSL_get_rbio(s);
1175
BIO_clear_retry_flags(bio);
1176
BIO_set_retry_read(bio);
1182
/* we either finished a handshake or ignored the request,
1183
* now try again to obtain the (application) data we were asked for */
1186
/* If we are a server and get a client hello when renegotiation isn't
1187
* allowed send back a no renegotiation alert and carry on.
1188
* WARNING: experimental code, needs reviewing (steve)
1191
SSL_is_init_finished(s) &&
1192
!s->s3->send_connection_binding &&
1193
(s->version > SSL3_VERSION) &&
1194
(s->s3->handshake_fragment_len >= 4) &&
1195
(s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
1196
(s->session != NULL) && (s->session->cipher != NULL) &&
1197
!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1200
/*s->s3->handshake_fragment_len = 0;*/
1202
ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
1205
if (s->s3->alert_fragment_len >= 2)
1207
int alert_level = s->s3->alert_fragment[0];
1208
int alert_descr = s->s3->alert_fragment[1];
1210
s->s3->alert_fragment_len = 0;
1212
if (s->msg_callback)
1213
s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
1215
if (s->info_callback != NULL)
1216
cb=s->info_callback;
1217
else if (s->ctx->info_callback != NULL)
1218
cb=s->ctx->info_callback;
1222
j = (alert_level << 8) | alert_descr;
1223
cb(s, SSL_CB_READ_ALERT, j);
1226
if (alert_level == 1) /* warning */
1228
s->s3->warn_alert = alert_descr;
1229
if (alert_descr == SSL_AD_CLOSE_NOTIFY)
1231
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
1234
/* This is a warning but we receive it if we requested
1235
* renegotiation and the peer denied it. Terminate with
1236
* a fatal alert because if application tried to
1237
* renegotiatie it presumably had a good reason and
1238
* expects it to succeed.
1240
* In future we might have a renegotiation where we
1241
* don't care if the peer refused it where we carry on.
1243
else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
1245
al = SSL_AD_HANDSHAKE_FAILURE;
1246
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
1249
#ifdef SSL_AD_MISSING_SRP_USERNAME
1250
if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
1254
else if (alert_level == 2) /* fatal */
1258
s->rwstate=SSL_NOTHING;
1259
s->s3->fatal_alert = alert_descr;
1260
SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
1261
BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
1262
ERR_add_error_data(2,"SSL alert number ",tmp);
1263
s->shutdown|=SSL_RECEIVED_SHUTDOWN;
1264
SSL_CTX_remove_session(s->ctx,s->session);
1269
al=SSL_AD_ILLEGAL_PARAMETER;
1270
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
1277
if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
1279
s->rwstate=SSL_NOTHING;
1284
if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1286
/* 'Change Cipher Spec' is just a single byte, so we know
1287
* exactly what the record payload has to look like */
1288
if ( (rr->length != 1) || (rr->off != 0) ||
1289
(rr->data[0] != SSL3_MT_CCS))
1291
al=SSL_AD_ILLEGAL_PARAMETER;
1292
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
1296
/* Check we have a cipher to change to */
1297
if (s->s3->tmp.new_cipher == NULL)
1299
al=SSL_AD_UNEXPECTED_MESSAGE;
1300
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
1304
if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
1306
al=SSL_AD_UNEXPECTED_MESSAGE;
1307
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
1311
s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
1315
if (s->msg_callback)
1316
s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
1318
s->s3->change_cipher_spec=1;
1319
if (!ssl3_do_change_cipher_spec(s))
1325
/* Unexpected handshake message (Client Hello, or protocol violation) */
1326
if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
1328
if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
1329
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
1331
#if 0 /* worked only because C operator preferences are not as expected (and
1332
* because this is not really needed for clients except for detecting
1333
* protocol violations): */
1334
s->state=SSL_ST_BEFORE|(s->server)
1338
s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1343
i=s->handshake_func(s);
1344
if (i < 0) return(i);
1347
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1351
if (!(s->mode & SSL_MODE_AUTO_RETRY))
1353
if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1356
/* In the case where we try to read application data,
1357
* but we trigger an SSL handshake, we return -1 with
1358
* the retry option set. Otherwise renegotiation may
1359
* cause nasty problems in the blocking world */
1360
s->rwstate=SSL_READING;
1361
bio=SSL_get_rbio(s);
1362
BIO_clear_retry_flags(bio);
1363
BIO_set_retry_read(bio);
1373
#ifndef OPENSSL_NO_TLS
1374
/* TLS up to v1.1 just ignores unknown message types:
1375
* TLS v1.2 give an unexpected message alert.
1377
if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION)
1383
al=SSL_AD_UNEXPECTED_MESSAGE;
1384
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1386
case SSL3_RT_CHANGE_CIPHER_SPEC:
1388
case SSL3_RT_HANDSHAKE:
1389
/* we already handled all of these, with the possible exception
1390
* of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
1391
* should not happen when type != rr->type */
1392
al=SSL_AD_UNEXPECTED_MESSAGE;
1393
SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
1395
case SSL3_RT_APPLICATION_DATA:
1396
/* At this point, we were expecting handshake data,
1397
* but have application data. If the library was
1398
* running inside ssl3_read() (i.e. in_read_app_data
1399
* is set) and it makes sense to read application data
1400
* at this point (session renegotiation not yet started),
1401
* we will indulge it.
1403
if (s->s3->in_read_app_data &&
1404
(s->s3->total_renegotiations != 0) &&
1406
(s->state & SSL_ST_CONNECT) &&
1407
(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
1408
(s->state <= SSL3_ST_CR_SRVR_HELLO_A)
1410
(s->state & SSL_ST_ACCEPT) &&
1411
(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
1412
(s->state >= SSL3_ST_SR_CLNT_HELLO_A)
1416
s->s3->in_read_app_data=2;
1421
al=SSL_AD_UNEXPECTED_MESSAGE;
1422
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1429
ssl3_send_alert(s,SSL3_AL_FATAL,al);
1434
int ssl3_do_change_cipher_spec(SSL *s)
1440
if (s->state & SSL_ST_ACCEPT)
1441
i=SSL3_CHANGE_CIPHER_SERVER_READ;
1443
i=SSL3_CHANGE_CIPHER_CLIENT_READ;
1445
if (s->s3->tmp.key_block == NULL)
1447
if (s->session == NULL || s->session->master_key_length == 0)
1449
/* might happen if dtls1_read_bytes() calls this */
1450
SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
1454
s->session->cipher=s->s3->tmp.new_cipher;
1455
if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
1458
if (!s->method->ssl3_enc->change_cipher_state(s,i))
1461
/* we have to record the message digest at
1462
* this point so we can get it before we read
1463
* the finished message */
1464
if (s->state & SSL_ST_CONNECT)
1466
sender=s->method->ssl3_enc->server_finished_label;
1467
slen=s->method->ssl3_enc->server_finished_label_len;
1471
sender=s->method->ssl3_enc->client_finished_label;
1472
slen=s->method->ssl3_enc->client_finished_label_len;
1475
i = s->method->ssl3_enc->final_finish_mac(s,
1476
sender,slen,s->s3->tmp.peer_finish_md);
1479
SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
1482
s->s3->tmp.peer_finish_md_len = i;
1487
int ssl3_send_alert(SSL *s, int level, int desc)
1489
/* Map tls/ssl alert value to correct one */
1490
desc=s->method->ssl3_enc->alert_value(desc);
1491
if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
1492
desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
1493
if (desc < 0) return -1;
1494
/* If a fatal one, remove from cache */
1495
if ((level == 2) && (s->session != NULL))
1496
SSL_CTX_remove_session(s->ctx,s->session);
1498
s->s3->alert_dispatch=1;
1499
s->s3->send_alert[0]=level;
1500
s->s3->send_alert[1]=desc;
1501
if (s->s3->wbuf.left == 0) /* data still being written out? */
1502
return s->method->ssl_dispatch_alert(s);
1503
/* else data is still being written out, we will get written
1504
* some time in the future */
1508
int ssl3_dispatch_alert(SSL *s)
1511
void (*cb)(const SSL *ssl,int type,int val)=NULL;
1513
s->s3->alert_dispatch=0;
1514
i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
1517
s->s3->alert_dispatch=1;
1521
/* Alert sent to BIO. If it is important, flush it now.
1522
* If the message does not get sent due to non-blocking IO,
1523
* we will not worry too much. */
1524
if (s->s3->send_alert[0] == SSL3_AL_FATAL)
1525
(void)BIO_flush(s->wbio);
1527
if (s->msg_callback)
1528
s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
1530
if (s->info_callback != NULL)
1531
cb=s->info_callback;
1532
else if (s->ctx->info_callback != NULL)
1533
cb=s->ctx->info_callback;
1537
j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
1538
cb(s,SSL_CB_WRITE_ALERT,j);