File: | src/lib/libssl/ssl_pkt.c |
Warning: | line 220, column 3 Null pointer passed as 1st argument to memory copy function |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: ssl_pkt.c,v 1.52 2021/10/25 10:14:48 jsing Exp $ */ | |||
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |||
3 | * All rights reserved. | |||
4 | * | |||
5 | * This package is an SSL implementation written | |||
6 | * by Eric Young (eay@cryptsoft.com). | |||
7 | * The implementation was written so as to conform with Netscapes SSL. | |||
8 | * | |||
9 | * This library is free for commercial and non-commercial use as long as | |||
10 | * the following conditions are aheared to. The following conditions | |||
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |||
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |||
13 | * included with this distribution is covered by the same copyright terms | |||
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |||
15 | * | |||
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |||
17 | * the code are not to be removed. | |||
18 | * If this package is used in a product, Eric Young should be given attribution | |||
19 | * as the author of the parts of the library used. | |||
20 | * This can be in the form of a textual message at program startup or | |||
21 | * in documentation (online or textual) provided with the package. | |||
22 | * | |||
23 | * Redistribution and use in source and binary forms, with or without | |||
24 | * modification, are permitted provided that the following conditions | |||
25 | * are met: | |||
26 | * 1. Redistributions of source code must retain the copyright | |||
27 | * notice, this list of conditions and the following disclaimer. | |||
28 | * 2. Redistributions in binary form must reproduce the above copyright | |||
29 | * notice, this list of conditions and the following disclaimer in the | |||
30 | * documentation and/or other materials provided with the distribution. | |||
31 | * 3. All advertising materials mentioning features or use of this software | |||
32 | * must display the following acknowledgement: | |||
33 | * "This product includes cryptographic software written by | |||
34 | * Eric Young (eay@cryptsoft.com)" | |||
35 | * The word 'cryptographic' can be left out if the rouines from the library | |||
36 | * being used are not cryptographic related :-). | |||
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |||
38 | * the apps directory (application code) you must include an acknowledgement: | |||
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |||
40 | * | |||
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |||
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |||
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |||
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |||
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |||
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |||
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |||
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |||
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |||
51 | * SUCH DAMAGE. | |||
52 | * | |||
53 | * The licence and distribution terms for any publically available version or | |||
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |||
55 | * copied and put under another distribution licence | |||
56 | * [including the GNU Public Licence.] | |||
57 | */ | |||
58 | /* ==================================================================== | |||
59 | * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. | |||
60 | * | |||
61 | * Redistribution and use in source and binary forms, with or without | |||
62 | * modification, are permitted provided that the following conditions | |||
63 | * are met: | |||
64 | * | |||
65 | * 1. Redistributions of source code must retain the above copyright | |||
66 | * notice, this list of conditions and the following disclaimer. | |||
67 | * | |||
68 | * 2. Redistributions in binary form must reproduce the above copyright | |||
69 | * notice, this list of conditions and the following disclaimer in | |||
70 | * the documentation and/or other materials provided with the | |||
71 | * distribution. | |||
72 | * | |||
73 | * 3. All advertising materials mentioning features or use of this | |||
74 | * software must display the following acknowledgment: | |||
75 | * "This product includes software developed by the OpenSSL Project | |||
76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |||
77 | * | |||
78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |||
79 | * endorse or promote products derived from this software without | |||
80 | * prior written permission. For written permission, please contact | |||
81 | * openssl-core@openssl.org. | |||
82 | * | |||
83 | * 5. Products derived from this software may not be called "OpenSSL" | |||
84 | * nor may "OpenSSL" appear in their names without prior written | |||
85 | * permission of the OpenSSL Project. | |||
86 | * | |||
87 | * 6. Redistributions of any form whatsoever must retain the following | |||
88 | * acknowledgment: | |||
89 | * "This product includes software developed by the OpenSSL Project | |||
90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |||
91 | * | |||
92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |||
93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |||
94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |||
95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |||
96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |||
97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |||
98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |||
99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||
100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |||
101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |||
102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |||
103 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |||
104 | * ==================================================================== | |||
105 | * | |||
106 | * This product includes cryptographic software written by Eric Young | |||
107 | * (eay@cryptsoft.com). This product includes software written by Tim | |||
108 | * Hudson (tjh@cryptsoft.com). | |||
109 | * | |||
110 | */ | |||
111 | ||||
112 | #include <errno(*__errno()).h> | |||
113 | #include <stdio.h> | |||
114 | ||||
115 | #include <openssl/buffer.h> | |||
116 | #include <openssl/evp.h> | |||
117 | ||||
118 | #include "bytestring.h" | |||
119 | #include "dtls_locl.h" | |||
120 | #include "ssl_locl.h" | |||
121 | ||||
122 | static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, | |||
123 | unsigned int len); | |||
124 | static int ssl3_get_record(SSL *s); | |||
125 | ||||
126 | /* | |||
127 | * Force a WANT_READ return for certain error conditions where | |||
128 | * we don't want to spin internally. | |||
129 | */ | |||
130 | void | |||
131 | ssl_force_want_read(SSL *s) | |||
132 | { | |||
133 | BIO *bio; | |||
134 | ||||
135 | bio = SSL_get_rbio(s); | |||
136 | BIO_clear_retry_flags(bio)BIO_clear_flags(bio, ((0x01|0x02|0x04)|0x08)); | |||
137 | BIO_set_retry_read(bio)BIO_set_flags(bio, (0x01|0x08)); | |||
138 | ||||
139 | s->internal->rwstate = SSL_READING3; | |||
140 | } | |||
141 | ||||
142 | /* | |||
143 | * If extend == 0, obtain new n-byte packet; if extend == 1, increase | |||
144 | * packet by another n bytes. | |||
145 | * The packet will be in the sub-array of S3I(s)->rbuf.buf specified | |||
146 | * by s->internal->packet and s->internal->packet_length. | |||
147 | * (If s->internal->read_ahead is set, 'max' bytes may be stored in rbuf | |||
148 | * [plus s->internal->packet_length bytes if extend == 1].) | |||
149 | */ | |||
150 | static int | |||
151 | ssl3_read_n(SSL *s, int n, int max, int extend) | |||
152 | { | |||
153 | SSL3_BUFFER_INTERNAL *rb = &(S3I(s)(s->s3->internal)->rbuf); | |||
154 | int i, len, left; | |||
155 | size_t align; | |||
156 | unsigned char *pkt; | |||
157 | ||||
158 | if (n <= 0) | |||
159 | return n; | |||
160 | ||||
161 | if (rb->buf == NULL((void*)0)) | |||
162 | if (!ssl3_setup_read_buffer(s)) | |||
163 | return -1; | |||
164 | ||||
165 | left = rb->left; | |||
166 | align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH5; | |||
167 | align = (-align) & (SSL3_ALIGN_PAYLOAD8 - 1); | |||
168 | ||||
169 | if (!extend
| |||
170 | /* start with empty packet ... */ | |||
171 | if (left == 0) | |||
172 | rb->offset = align; | |||
173 | else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH5) { | |||
174 | /* check if next packet length is large | |||
175 | * enough to justify payload alignment... */ | |||
176 | pkt = rb->buf + rb->offset; | |||
177 | if (pkt[0] == SSL3_RT_APPLICATION_DATA23 && | |||
178 | (pkt[3]<<8|pkt[4]) >= 128) { | |||
179 | /* Note that even if packet is corrupted | |||
180 | * and its length field is insane, we can | |||
181 | * only be led to wrong decision about | |||
182 | * whether memmove will occur or not. | |||
183 | * Header values has no effect on memmove | |||
184 | * arguments and therefore no buffer | |||
185 | * overrun can be triggered. */ | |||
186 | memmove(rb->buf + align, pkt, left); | |||
187 | rb->offset = align; | |||
188 | } | |||
189 | } | |||
190 | s->internal->packet = rb->buf + rb->offset; | |||
191 | s->internal->packet_length = 0; | |||
192 | /* ... now we can act as if 'extend' was set */ | |||
193 | } | |||
194 | ||||
195 | /* For DTLS/UDP reads should not span multiple packets | |||
196 | * because the read operation returns the whole packet | |||
197 | * at once (as long as it fits into the buffer). */ | |||
198 | if (SSL_is_dtls(s)) { | |||
199 | if (left > 0 && n > left) | |||
200 | n = left; | |||
201 | } | |||
202 | ||||
203 | /* if there is enough in the buffer from a previous read, take some */ | |||
204 | if (left >= n) { | |||
205 | s->internal->packet_length += n; | |||
206 | rb->left = left - n; | |||
207 | rb->offset += n; | |||
208 | return (n); | |||
209 | } | |||
210 | ||||
211 | /* else we need to read more data */ | |||
212 | ||||
213 | len = s->internal->packet_length; | |||
214 | pkt = rb->buf + align; | |||
215 | /* Move any available bytes to front of buffer: | |||
216 | * 'len' bytes already pointed to by 'packet', | |||
217 | * 'left' extra ones at the end */ | |||
218 | if (s->internal->packet != pkt) { | |||
219 | /* len > 0 */ | |||
220 | memmove(pkt, s->internal->packet, len + left); | |||
| ||||
221 | s->internal->packet = pkt; | |||
222 | rb->offset = len + align; | |||
223 | } | |||
224 | ||||
225 | if (n > (int)(rb->len - rb->offset)) { | |||
226 | /* does not happen */ | |||
227 | SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4|64), "/usr/src/lib/libssl/ssl_pkt.c" , 227); | |||
228 | return -1; | |||
229 | } | |||
230 | ||||
231 | if (s->internal->read_ahead || SSL_is_dtls(s)) { | |||
232 | if (max < n) | |||
233 | max = n; | |||
234 | if (max > (int)(rb->len - rb->offset)) | |||
235 | max = rb->len - rb->offset; | |||
236 | } else { | |||
237 | /* ignore max parameter */ | |||
238 | max = n; | |||
239 | } | |||
240 | ||||
241 | while (left < n) { | |||
242 | /* Now we have len+left bytes at the front of S3I(s)->rbuf.buf | |||
243 | * and need to read in more until we have len+n (up to | |||
244 | * len+max if possible) */ | |||
245 | ||||
246 | errno(*__errno()) = 0; | |||
247 | if (s->rbio != NULL((void*)0)) { | |||
248 | s->internal->rwstate = SSL_READING3; | |||
249 | i = BIO_read(s->rbio, pkt + len + left, max - left); | |||
250 | } else { | |||
251 | SSLerror(s, SSL_R_READ_BIO_NOT_SET)SSL_error_internal(s, 211, "/usr/src/lib/libssl/ssl_pkt.c", 251 ); | |||
252 | i = -1; | |||
253 | } | |||
254 | ||||
255 | if (i <= 0) { | |||
256 | rb->left = left; | |||
257 | if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS0x00000010L && | |||
258 | !SSL_is_dtls(s)) { | |||
259 | if (len + left == 0) | |||
260 | ssl3_release_read_buffer(s); | |||
261 | } | |||
262 | return (i); | |||
263 | } | |||
264 | left += i; | |||
265 | ||||
266 | /* | |||
267 | * reads should *never* span multiple packets for DTLS because | |||
268 | * the underlying transport protocol is message oriented as | |||
269 | * opposed to byte oriented as in the TLS case. | |||
270 | */ | |||
271 | if (SSL_is_dtls(s)) { | |||
272 | if (n > left) | |||
273 | n = left; /* makes the while condition false */ | |||
274 | } | |||
275 | } | |||
276 | ||||
277 | /* done reading, now the book-keeping */ | |||
278 | rb->offset += n; | |||
279 | rb->left = left - n; | |||
280 | s->internal->packet_length += n; | |||
281 | s->internal->rwstate = SSL_NOTHING1; | |||
282 | ||||
283 | return (n); | |||
284 | } | |||
285 | ||||
286 | int | |||
287 | ssl3_packet_read(SSL *s, int plen) | |||
288 | { | |||
289 | int n; | |||
290 | ||||
291 | n = ssl3_read_n(s, plen, S3I(s)(s->s3->internal)->rbuf.len, 0); | |||
292 | if (n <= 0) | |||
293 | return n; | |||
294 | if (s->internal->packet_length < plen) | |||
295 | return s->internal->packet_length; | |||
296 | ||||
297 | return plen; | |||
298 | } | |||
299 | ||||
300 | int | |||
301 | ssl3_packet_extend(SSL *s, int plen) | |||
302 | { | |||
303 | int rlen, n; | |||
304 | ||||
305 | if (s->internal->packet_length >= plen) | |||
306 | return plen; | |||
307 | rlen = plen - s->internal->packet_length; | |||
308 | ||||
309 | n = ssl3_read_n(s, rlen, rlen, 1); | |||
310 | if (n <= 0) | |||
311 | return n; | |||
312 | if (s->internal->packet_length < plen) | |||
313 | return s->internal->packet_length; | |||
314 | ||||
315 | return plen; | |||
316 | } | |||
317 | ||||
318 | /* Call this to get a new input record. | |||
319 | * It will return <= 0 if more data is needed, normally due to an error | |||
320 | * or non-blocking IO. | |||
321 | * When it finishes, one packet has been decoded and can be found in | |||
322 | * ssl->s3->internal->rrec.type - is the type of record | |||
323 | * ssl->s3->internal->rrec.data, - data | |||
324 | * ssl->s3->internal->rrec.length, - number of bytes | |||
325 | */ | |||
326 | /* used only by ssl3_read_bytes */ | |||
327 | static int | |||
328 | ssl3_get_record(SSL *s) | |||
329 | { | |||
330 | SSL3_BUFFER_INTERNAL *rb = &(S3I(s)(s->s3->internal)->rbuf); | |||
331 | SSL3_RECORD_INTERNAL *rr = &(S3I(s)(s->s3->internal)->rrec); | |||
332 | uint8_t alert_desc; | |||
333 | uint8_t *out; | |||
334 | size_t out_len; | |||
335 | int al, n; | |||
336 | int ret = -1; | |||
337 | ||||
338 | again: | |||
339 | /* check if we have the header */ | |||
340 | if ((s->internal->rstate
| |||
341 | (s->internal->packet_length < SSL3_RT_HEADER_LENGTH5)) { | |||
342 | CBS header; | |||
343 | uint16_t len, ssl_version; | |||
344 | uint8_t type; | |||
345 | ||||
346 | n = ssl3_packet_read(s, SSL3_RT_HEADER_LENGTH5); | |||
347 | if (n <= 0) | |||
348 | return (n); | |||
349 | ||||
350 | s->internal->mac_packet = 1; | |||
351 | s->internal->rstate = SSL_ST_READ_BODY0xF1; | |||
352 | ||||
353 | if (s->server && s->internal->first_packet) { | |||
354 | if ((ret = ssl_server_legacy_first_packet(s)) != 1) | |||
355 | return (ret); | |||
356 | ret = -1; | |||
357 | } | |||
358 | ||||
359 | CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH5); | |||
360 | ||||
361 | /* Pull apart the header into the SSL3_RECORD_INTERNAL */ | |||
362 | if (!CBS_get_u8(&header, &type) || | |||
363 | !CBS_get_u16(&header, &ssl_version) || | |||
364 | !CBS_get_u16(&header, &len)) { | |||
365 | SSLerror(s, SSL_R_BAD_PACKET_LENGTH)SSL_error_internal(s, 115, "/usr/src/lib/libssl/ssl_pkt.c", 365 ); | |||
366 | goto err; | |||
367 | } | |||
368 | ||||
369 | rr->type = type; | |||
370 | rr->length = len; | |||
371 | ||||
372 | /* Lets check version */ | |||
373 | if (!s->internal->first_packet && ssl_version != s->version) { | |||
374 | if ((s->version & 0xFF00) == (ssl_version & 0xFF00) && | |||
375 | !tls12_record_layer_write_protected(s->internal->rl)) { | |||
376 | /* Send back error using their minor version number :-) */ | |||
377 | s->version = ssl_version; | |||
378 | } | |||
379 | SSLerror(s, SSL_R_WRONG_VERSION_NUMBER)SSL_error_internal(s, 267, "/usr/src/lib/libssl/ssl_pkt.c", 379 ); | |||
380 | al = SSL_AD_PROTOCOL_VERSION70; | |||
381 | goto fatal_err; | |||
382 | } | |||
383 | ||||
384 | if ((ssl_version >> 8) != SSL3_VERSION_MAJOR0x03) { | |||
385 | SSLerror(s, SSL_R_WRONG_VERSION_NUMBER)SSL_error_internal(s, 267, "/usr/src/lib/libssl/ssl_pkt.c", 385 ); | |||
386 | goto err; | |||
387 | } | |||
388 | ||||
389 | if (rr->length > rb->len - SSL3_RT_HEADER_LENGTH5) { | |||
390 | al = SSL_AD_RECORD_OVERFLOW22; | |||
391 | SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG)SSL_error_internal(s, 198, "/usr/src/lib/libssl/ssl_pkt.c", 391 ); | |||
392 | goto fatal_err; | |||
393 | } | |||
394 | } | |||
395 | ||||
396 | n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH5 + rr->length); | |||
397 | if (n <= 0) | |||
398 | return (n); | |||
399 | if (n != SSL3_RT_HEADER_LENGTH5 + rr->length) | |||
400 | return (n); | |||
401 | ||||
402 | s->internal->rstate = SSL_ST_READ_HEADER0xF0; /* set state for later operations */ | |||
403 | ||||
404 | /* | |||
405 | * A full record has now been read from the wire, which now needs | |||
406 | * to be processed. | |||
407 | */ | |||
408 | tls12_record_layer_set_version(s->internal->rl, s->version); | |||
409 | ||||
410 | if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet, | |||
411 | s->internal->packet_length, &out, &out_len)) { | |||
412 | tls12_record_layer_alert(s->internal->rl, &alert_desc); | |||
413 | ||||
414 | if (alert_desc == 0) | |||
415 | goto err; | |||
416 | ||||
417 | if (alert_desc == SSL_AD_RECORD_OVERFLOW22) | |||
418 | SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG)SSL_error_internal(s, 150, "/usr/src/lib/libssl/ssl_pkt.c", 418 ); | |||
419 | else if (alert_desc == SSL_AD_BAD_RECORD_MAC20) | |||
420 | SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC)SSL_error_internal(s, 281, "/usr/src/lib/libssl/ssl_pkt.c", 420 ); | |||
421 | ||||
422 | al = alert_desc; | |||
423 | goto fatal_err; | |||
424 | } | |||
425 | ||||
426 | rr->data = out; | |||
427 | rr->length = out_len; | |||
428 | rr->off = 0; | |||
429 | ||||
430 | /* we have pulled in a full packet so zero things */ | |||
431 | s->internal->packet_length = 0; | |||
432 | ||||
433 | if (rr->length == 0) { | |||
434 | /* | |||
435 | * Zero-length fragments are only permitted for application | |||
436 | * data, as per RFC 5246 section 6.2.1. | |||
437 | */ | |||
438 | if (rr->type != SSL3_RT_APPLICATION_DATA23) { | |||
439 | SSLerror(s, SSL_R_BAD_LENGTH)SSL_error_internal(s, 271, "/usr/src/lib/libssl/ssl_pkt.c", 439 ); | |||
440 | al = SSL_AD_UNEXPECTED_MESSAGE10; | |||
441 | goto fatal_err; | |||
442 | } | |||
443 | ||||
444 | /* | |||
445 | * CBC countermeasures for known IV weaknesses can legitimately | |||
446 | * insert a single empty record, so we allow ourselves to read | |||
447 | * once past a single empty record without forcing want_read. | |||
448 | */ | |||
449 | if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS32) { | |||
450 | SSLerror(s, SSL_R_PEER_BEHAVING_BADLY)SSL_error_internal(s, 666, "/usr/src/lib/libssl/ssl_pkt.c", 450 ); | |||
451 | return -1; | |||
452 | } | |||
453 | if (s->internal->empty_record_count > 1) { | |||
454 | ssl_force_want_read(s); | |||
455 | return -1; | |||
456 | } | |||
457 | goto again; | |||
458 | } | |||
459 | ||||
460 | s->internal->empty_record_count = 0; | |||
461 | ||||
462 | return (1); | |||
463 | ||||
464 | fatal_err: | |||
465 | ssl3_send_alert(s, SSL3_AL_FATAL2, al); | |||
466 | err: | |||
467 | return (ret); | |||
468 | } | |||
469 | ||||
470 | /* Call this to write data in records of type 'type' | |||
471 | * It will return <= 0 if not all data has been sent or non-blocking IO. | |||
472 | */ | |||
473 | int | |||
474 | ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) | |||
475 | { | |||
476 | const unsigned char *buf = buf_; | |||
477 | unsigned int tot, n, nw; | |||
478 | int i; | |||
479 | ||||
480 | if (len < 0) { | |||
481 | SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4|64), "/usr/src/lib/libssl/ssl_pkt.c" , 481); | |||
482 | return -1; | |||
483 | } | |||
484 | ||||
485 | s->internal->rwstate = SSL_NOTHING1; | |||
486 | tot = S3I(s)(s->s3->internal)->wnum; | |||
487 | S3I(s)(s->s3->internal)->wnum = 0; | |||
488 | ||||
489 | if (SSL_in_init(s)(SSL_state((s))&(0x1000|0x2000)) && !s->internal->in_handshake) { | |||
490 | i = s->internal->handshake_func(s); | |||
491 | if (i < 0) | |||
492 | return (i); | |||
493 | if (i == 0) { | |||
494 | SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE)SSL_error_internal(s, 229, "/usr/src/lib/libssl/ssl_pkt.c", 494 ); | |||
495 | return -1; | |||
496 | } | |||
497 | } | |||
498 | ||||
499 | if (len < tot) | |||
500 | len = tot; | |||
501 | n = (len - tot); | |||
502 | for (;;) { | |||
503 | if (n > s->max_send_fragment) | |||
504 | nw = s->max_send_fragment; | |||
505 | else | |||
506 | nw = n; | |||
507 | ||||
508 | i = do_ssl3_write(s, type, &(buf[tot]), nw); | |||
509 | if (i <= 0) { | |||
510 | S3I(s)(s->s3->internal)->wnum = tot; | |||
511 | return i; | |||
512 | } | |||
513 | ||||
514 | if ((i == (int)n) || (type == SSL3_RT_APPLICATION_DATA23 && | |||
515 | (s->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE0x00000001L))) { | |||
516 | /* | |||
517 | * Next chunk of data should get another prepended | |||
518 | * empty fragment in ciphersuites with known-IV | |||
519 | * weakness. | |||
520 | */ | |||
521 | S3I(s)(s->s3->internal)->empty_fragment_done = 0; | |||
522 | ||||
523 | return tot + i; | |||
524 | } | |||
525 | ||||
526 | n -= i; | |||
527 | tot += i; | |||
528 | } | |||
529 | } | |||
530 | ||||
531 | static int | |||
532 | do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) | |||
533 | { | |||
534 | SSL3_BUFFER_INTERNAL *wb = &(S3I(s)(s->s3->internal)->wbuf); | |||
535 | SSL_SESSION *sess = s->session; | |||
536 | int need_empty_fragment = 0; | |||
537 | size_t align, out_len; | |||
538 | uint16_t version; | |||
539 | CBB cbb; | |||
540 | int ret; | |||
541 | ||||
542 | memset(&cbb, 0, sizeof(cbb)); | |||
543 | ||||
544 | if (wb->buf == NULL((void*)0)) | |||
545 | if (!ssl3_setup_write_buffer(s)) | |||
546 | return -1; | |||
547 | ||||
548 | /* | |||
549 | * First check if there is a SSL3_BUFFER_INTERNAL still being written | |||
550 | * out. This will happen with non blocking IO. | |||
551 | */ | |||
552 | if (wb->left != 0) | |||
553 | return (ssl3_write_pending(s, type, buf, len)); | |||
554 | ||||
555 | /* If we have an alert to send, let's send it. */ | |||
556 | if (S3I(s)(s->s3->internal)->alert_dispatch) { | |||
557 | if ((ret = ssl3_dispatch_alert(s)) <= 0) | |||
558 | return (ret); | |||
559 | /* If it went, fall through and send more stuff. */ | |||
560 | ||||
561 | /* We may have released our buffer, if so get it again. */ | |||
562 | if (wb->buf == NULL((void*)0)) | |||
563 | if (!ssl3_setup_write_buffer(s)) | |||
564 | return -1; | |||
565 | } | |||
566 | ||||
567 | if (len == 0) | |||
568 | return 0; | |||
569 | ||||
570 | /* | |||
571 | * Some servers hang if initial client hello is larger than 256 | |||
572 | * bytes and record version number > TLS 1.0. | |||
573 | */ | |||
574 | version = s->version; | |||
575 | if (S3I(s)(s->s3->internal)->hs.state == SSL3_ST_CW_CLNT_HELLO_B(0x111|0x1000) && | |||
576 | !s->internal->renegotiate && | |||
577 | S3I(s)(s->s3->internal)->hs.our_max_tls_version > TLS1_VERSION0x0301) | |||
578 | version = TLS1_VERSION0x0301; | |||
579 | ||||
580 | /* | |||
581 | * Countermeasure against known-IV weakness in CBC ciphersuites | |||
582 | * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this | |||
583 | * is unnecessary for AEAD. | |||
584 | */ | |||
585 | if (sess != NULL((void*)0) && tls12_record_layer_write_protected(s->internal->rl)) { | |||
586 | if (S3I(s)(s->s3->internal)->need_empty_fragments && | |||
587 | !S3I(s)(s->s3->internal)->empty_fragment_done && | |||
588 | type == SSL3_RT_APPLICATION_DATA23) | |||
589 | need_empty_fragment = 1; | |||
590 | } | |||
591 | ||||
592 | /* | |||
593 | * An extra fragment would be a couple of cipher blocks, which would | |||
594 | * be a multiple of SSL3_ALIGN_PAYLOAD, so if we want to align the real | |||
595 | * payload, then we can just simply pretend we have two headers. | |||
596 | */ | |||
597 | align = (size_t)wb->buf + SSL3_RT_HEADER_LENGTH5; | |||
598 | if (need_empty_fragment) | |||
599 | align += SSL3_RT_HEADER_LENGTH5; | |||
600 | align = (-align) & (SSL3_ALIGN_PAYLOAD8 - 1); | |||
601 | wb->offset = align; | |||
602 | ||||
603 | if (!CBB_init_fixed(&cbb, wb->buf + align, wb->len - align)) | |||
604 | goto err; | |||
605 | ||||
606 | tls12_record_layer_set_version(s->internal->rl, version); | |||
607 | ||||
608 | if (need_empty_fragment) { | |||
609 | if (!tls12_record_layer_seal_record(s->internal->rl, type, | |||
610 | buf, 0, &cbb)) | |||
611 | goto err; | |||
612 | S3I(s)(s->s3->internal)->empty_fragment_done = 1; | |||
613 | } | |||
614 | ||||
615 | if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb)) | |||
616 | goto err; | |||
617 | ||||
618 | if (!CBB_finish(&cbb, NULL((void*)0), &out_len)) | |||
619 | goto err; | |||
620 | ||||
621 | wb->left = out_len; | |||
622 | ||||
623 | /* | |||
624 | * Memorize arguments so that ssl3_write_pending can detect | |||
625 | * bad write retries later. | |||
626 | */ | |||
627 | S3I(s)(s->s3->internal)->wpend_tot = len; | |||
628 | S3I(s)(s->s3->internal)->wpend_buf = buf; | |||
629 | S3I(s)(s->s3->internal)->wpend_type = type; | |||
630 | S3I(s)(s->s3->internal)->wpend_ret = len; | |||
631 | ||||
632 | /* We now just need to write the buffer. */ | |||
633 | return ssl3_write_pending(s, type, buf, len); | |||
634 | ||||
635 | err: | |||
636 | CBB_cleanup(&cbb); | |||
637 | ||||
638 | return -1; | |||
639 | } | |||
640 | ||||
641 | /* if S3I(s)->wbuf.left != 0, we need to call this */ | |||
642 | int | |||
643 | ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) | |||
644 | { | |||
645 | int i; | |||
646 | SSL3_BUFFER_INTERNAL *wb = &(S3I(s)(s->s3->internal)->wbuf); | |||
647 | ||||
648 | /* XXXX */ | |||
649 | if ((S3I(s)(s->s3->internal)->wpend_tot > (int)len) || ((S3I(s)(s->s3->internal)->wpend_buf != buf) && | |||
650 | !(s->internal->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER0x00000002L)) || | |||
651 | (S3I(s)(s->s3->internal)->wpend_type != type)) { | |||
652 | SSLerror(s, SSL_R_BAD_WRITE_RETRY)SSL_error_internal(s, 127, "/usr/src/lib/libssl/ssl_pkt.c", 652 ); | |||
653 | return (-1); | |||
654 | } | |||
655 | ||||
656 | for (;;) { | |||
657 | errno(*__errno()) = 0; | |||
658 | if (s->wbio != NULL((void*)0)) { | |||
659 | s->internal->rwstate = SSL_WRITING2; | |||
660 | i = BIO_write(s->wbio, (char *)&(wb->buf[wb->offset]), | |||
661 | (unsigned int)wb->left); | |||
662 | } else { | |||
663 | SSLerror(s, SSL_R_BIO_NOT_SET)SSL_error_internal(s, 128, "/usr/src/lib/libssl/ssl_pkt.c", 663 ); | |||
664 | i = -1; | |||
665 | } | |||
666 | if (i == wb->left) { | |||
667 | wb->left = 0; | |||
668 | wb->offset += i; | |||
669 | if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS0x00000010L && | |||
670 | !SSL_is_dtls(s)) | |||
671 | ssl3_release_write_buffer(s); | |||
672 | s->internal->rwstate = SSL_NOTHING1; | |||
673 | return (S3I(s)(s->s3->internal)->wpend_ret); | |||
674 | } else if (i <= 0) { | |||
675 | /* | |||
676 | * For DTLS, just drop it. That's kind of the | |||
677 | * whole point in using a datagram service. | |||
678 | */ | |||
679 | if (SSL_is_dtls(s)) | |||
680 | wb->left = 0; | |||
681 | return (i); | |||
682 | } | |||
683 | wb->offset += i; | |||
684 | wb->left -= i; | |||
685 | } | |||
686 | } | |||
687 | ||||
688 | /* Return up to 'len' payload bytes received in 'type' records. | |||
689 | * 'type' is one of the following: | |||
690 | * | |||
691 | * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) | |||
692 | * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) | |||
693 | * - 0 (during a shutdown, no data has to be returned) | |||
694 | * | |||
695 | * If we don't have stored data to work from, read a SSL/TLS record first | |||
696 | * (possibly multiple records if we still don't have anything to return). | |||
697 | * | |||
698 | * This function must handle any surprises the peer may have for us, such as | |||
699 | * Alert records (e.g. close_notify), ChangeCipherSpec records (not really | |||
700 | * a surprise, but handled as if it were), or renegotiation requests. | |||
701 | * Also if record payloads contain fragments too small to process, we store | |||
702 | * them until there is enough for the respective protocol (the record protocol | |||
703 | * may use arbitrary fragmentation and even interleaving): | |||
704 | * Change cipher spec protocol | |||
705 | * just 1 byte needed, no need for keeping anything stored | |||
706 | * Alert protocol | |||
707 | * 2 bytes needed (AlertLevel, AlertDescription) | |||
708 | * Handshake protocol | |||
709 | * 4 bytes needed (HandshakeType, uint24 length) -- we just have | |||
710 | * to detect unexpected Client Hello and Hello Request messages | |||
711 | * here, anything else is handled by higher layers | |||
712 | * Application data protocol | |||
713 | * none of our business | |||
714 | */ | |||
715 | int | |||
716 | ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) | |||
717 | { | |||
718 | int al, i, ret; | |||
719 | int rrcount = 0; | |||
720 | unsigned int n; | |||
721 | SSL3_RECORD_INTERNAL *rr; | |||
722 | ||||
723 | if (S3I(s)(s->s3->internal)->rbuf.buf == NULL((void*)0)) /* Not initialized yet */ | |||
| ||||
724 | if (!ssl3_setup_read_buffer(s)) | |||
725 | return (-1); | |||
726 | ||||
727 | if (len < 0) { | |||
728 | SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4|64), "/usr/src/lib/libssl/ssl_pkt.c" , 728); | |||
729 | return -1; | |||
730 | } | |||
731 | ||||
732 | if ((type && type != SSL3_RT_APPLICATION_DATA23 && | |||
733 | type != SSL3_RT_HANDSHAKE22) || | |||
734 | (peek && (type != SSL3_RT_APPLICATION_DATA23))) { | |||
735 | SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4|64), "/usr/src/lib/libssl/ssl_pkt.c" , 735); | |||
736 | return -1; | |||
737 | } | |||
738 | ||||
739 | if ((type
| |||
740 | (S3I(s)(s->s3->internal)->handshake_fragment_len > 0)) { | |||
741 | /* (partially) satisfy request from storage */ | |||
742 | unsigned char *src = S3I(s)(s->s3->internal)->handshake_fragment; | |||
743 | unsigned char *dst = buf; | |||
744 | unsigned int k; | |||
745 | ||||
746 | /* peek == 0 */ | |||
747 | n = 0; | |||
748 | while ((len > 0) && (S3I(s)(s->s3->internal)->handshake_fragment_len > 0)) { | |||
749 | *dst++ = *src++; | |||
750 | len--; | |||
751 | S3I(s)(s->s3->internal)->handshake_fragment_len--; | |||
752 | n++; | |||
753 | } | |||
754 | /* move any remaining fragment bytes: */ | |||
755 | for (k = 0; k < S3I(s)(s->s3->internal)->handshake_fragment_len; k++) | |||
756 | S3I(s)(s->s3->internal)->handshake_fragment[k] = *src++; | |||
757 | return n; | |||
758 | } | |||
759 | ||||
760 | /* | |||
761 | * Now S3I(s)->handshake_fragment_len == 0 if | |||
762 | * type == SSL3_RT_HANDSHAKE. | |||
763 | */ | |||
764 | if (!s->internal->in_handshake && SSL_in_init(s)(SSL_state((s))&(0x1000|0x2000))) { | |||
765 | /* type == SSL3_RT_APPLICATION_DATA */ | |||
766 | i = s->internal->handshake_func(s); | |||
767 | if (i < 0) | |||
768 | return (i); | |||
769 | if (i == 0) { | |||
770 | SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE)SSL_error_internal(s, 229, "/usr/src/lib/libssl/ssl_pkt.c", 770 ); | |||
771 | return (-1); | |||
772 | } | |||
773 | } | |||
774 | ||||
775 | start: | |||
776 | /* | |||
777 | * Do not process more than three consecutive records, otherwise the | |||
778 | * peer can cause us to loop indefinitely. Instead, return with an | |||
779 | * SSL_ERROR_WANT_READ so the caller can choose when to handle further | |||
780 | * processing. In the future, the total number of non-handshake and | |||
781 | * non-application data records per connection should probably also be | |||
782 | * limited... | |||
783 | */ | |||
784 | if (rrcount++ >= 3) { | |||
785 | ssl_force_want_read(s); | |||
786 | return -1; | |||
787 | } | |||
788 | ||||
789 | s->internal->rwstate = SSL_NOTHING1; | |||
790 | ||||
791 | /* | |||
792 | * S3I(s)->rrec.type - is the type of record | |||
793 | * S3I(s)->rrec.data, - data | |||
794 | * S3I(s)->rrec.off, - offset into 'data' for next read | |||
795 | * S3I(s)->rrec.length, - number of bytes. | |||
796 | */ | |||
797 | rr = &(S3I(s)(s->s3->internal)->rrec); | |||
798 | ||||
799 | /* get new packet if necessary */ | |||
800 | if ((rr->length == 0) || (s->internal->rstate == SSL_ST_READ_BODY0xF1)) { | |||
801 | ret = ssl3_get_record(s); | |||
802 | if (ret <= 0) | |||
803 | return (ret); | |||
804 | } | |||
805 | ||||
806 | /* we now have a packet which can be read and processed */ | |||
807 | ||||
808 | if (S3I(s)(s->s3->internal)->change_cipher_spec /* set when we receive ChangeCipherSpec, | |||
809 | * reset by ssl3_get_finished */ | |||
810 | && (rr->type != SSL3_RT_HANDSHAKE22)) { | |||
811 | al = SSL_AD_UNEXPECTED_MESSAGE10; | |||
812 | SSLerror(s, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED)SSL_error_internal(s, 145, "/usr/src/lib/libssl/ssl_pkt.c", 812 ); | |||
813 | goto fatal_err; | |||
814 | } | |||
815 | ||||
816 | /* If the other end has shut down, throw anything we read away | |||
817 | * (even in 'peek' mode) */ | |||
818 | if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN2) { | |||
819 | rr->length = 0; | |||
820 | s->internal->rwstate = SSL_NOTHING1; | |||
821 | return (0); | |||
822 | } | |||
823 | ||||
824 | ||||
825 | /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ | |||
826 | if (type == rr->type) { | |||
827 | /* make sure that we are not getting application data when we | |||
828 | * are doing a handshake for the first time */ | |||
829 | if (SSL_in_init(s)(SSL_state((s))&(0x1000|0x2000)) && type == SSL3_RT_APPLICATION_DATA23 && | |||
830 | !tls12_record_layer_read_protected(s->internal->rl)) { | |||
831 | al = SSL_AD_UNEXPECTED_MESSAGE10; | |||
832 | SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE)SSL_error_internal(s, 100, "/usr/src/lib/libssl/ssl_pkt.c", 832 ); | |||
833 | goto fatal_err; | |||
834 | } | |||
835 | ||||
836 | if (len <= 0) | |||
837 | return (len); | |||
838 | ||||
839 | if ((unsigned int)len > rr->length) | |||
840 | n = rr->length; | |||
841 | else | |||
842 | n = (unsigned int)len; | |||
843 | ||||
844 | memcpy(buf, &(rr->data[rr->off]), n); | |||
845 | if (!peek) { | |||
846 | memset(&(rr->data[rr->off]), 0, n); | |||
847 | rr->length -= n; | |||
848 | rr->off += n; | |||
849 | if (rr->length == 0) { | |||
850 | s->internal->rstate = SSL_ST_READ_HEADER0xF0; | |||
851 | rr->off = 0; | |||
852 | if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS0x00000010L && | |||
853 | S3I(s)(s->s3->internal)->rbuf.left == 0) | |||
854 | ssl3_release_read_buffer(s); | |||
855 | } | |||
856 | } | |||
857 | return (n); | |||
858 | } | |||
859 | ||||
860 | ||||
861 | /* If we get here, then type != rr->type; if we have a handshake | |||
862 | * message, then it was unexpected (Hello Request or Client Hello). */ | |||
863 | ||||
864 | { | |||
865 | /* | |||
866 | * In case of record types for which we have 'fragment' | |||
867 | * storage, * fill that so that we can process the data | |||
868 | * at a fixed place. | |||
869 | */ | |||
870 | unsigned int dest_maxlen = 0; | |||
871 | unsigned char *dest = NULL((void*)0); | |||
872 | unsigned int *dest_len = NULL((void*)0); | |||
873 | ||||
874 | if (rr->type == SSL3_RT_HANDSHAKE22) { | |||
875 | dest_maxlen = sizeof S3I(s)(s->s3->internal)->handshake_fragment; | |||
876 | dest = S3I(s)(s->s3->internal)->handshake_fragment; | |||
877 | dest_len = &S3I(s)(s->s3->internal)->handshake_fragment_len; | |||
878 | } else if (rr->type == SSL3_RT_ALERT21) { | |||
879 | dest_maxlen = sizeof S3I(s)(s->s3->internal)->alert_fragment; | |||
880 | dest = S3I(s)(s->s3->internal)->alert_fragment; | |||
881 | dest_len = &S3I(s)(s->s3->internal)->alert_fragment_len; | |||
882 | } | |||
883 | if (dest_maxlen
| |||
884 | /* available space in 'dest' */ | |||
885 | n = dest_maxlen - *dest_len; | |||
886 | if (rr->length < n) | |||
887 | n = rr->length; /* available bytes */ | |||
888 | ||||
889 | /* now move 'n' bytes: */ | |||
890 | while (n-- > 0) { | |||
891 | dest[(*dest_len)++] = rr->data[rr->off++]; | |||
892 | rr->length--; | |||
893 | } | |||
894 | ||||
895 | if (*dest_len < dest_maxlen) | |||
896 | goto start; /* fragment was too small */ | |||
897 | } | |||
898 | } | |||
899 | ||||
900 | /* S3I(s)->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE; | |||
901 | * S3I(s)->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT. | |||
902 | * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ | |||
903 | ||||
904 | /* If we are a client, check for an incoming 'Hello Request': */ | |||
905 | if ((!s->server) && (S3I(s)(s->s3->internal)->handshake_fragment_len >= 4) && | |||
906 | (S3I(s)(s->s3->internal)->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST0) && | |||
907 | (s->session != NULL((void*)0)) && (s->session->cipher != NULL((void*)0))) { | |||
908 | S3I(s)(s->s3->internal)->handshake_fragment_len = 0; | |||
909 | ||||
910 | if ((S3I(s)(s->s3->internal)->handshake_fragment[1] != 0) || | |||
911 | (S3I(s)(s->s3->internal)->handshake_fragment[2] != 0) || | |||
912 | (S3I(s)(s->s3->internal)->handshake_fragment[3] != 0)) { | |||
913 | al = SSL_AD_DECODE_ERROR50; | |||
914 | SSLerror(s, SSL_R_BAD_HELLO_REQUEST)SSL_error_internal(s, 105, "/usr/src/lib/libssl/ssl_pkt.c", 914 ); | |||
915 | goto fatal_err; | |||
916 | } | |||
917 | ||||
918 | ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE22, | |||
919 | S3I(s)(s->s3->internal)->handshake_fragment, 4); | |||
920 | ||||
921 | if (SSL_is_init_finished(s)(SSL_state((s)) == 0x03) && | |||
922 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS0x0001) && | |||
923 | !S3I(s)(s->s3->internal)->renegotiate) { | |||
924 | ssl3_renegotiate(s); | |||
925 | if (ssl3_renegotiate_check(s)) { | |||
926 | i = s->internal->handshake_func(s); | |||
927 | if (i < 0) | |||
928 | return (i); | |||
929 | if (i == 0) { | |||
930 | SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE)SSL_error_internal(s, 229, "/usr/src/lib/libssl/ssl_pkt.c", 930 ); | |||
931 | return (-1); | |||
932 | } | |||
933 | ||||
934 | if (!(s->internal->mode & SSL_MODE_AUTO_RETRY0x00000004L)) { | |||
935 | if (S3I(s)(s->s3->internal)->rbuf.left == 0) { | |||
936 | ssl_force_want_read(s); | |||
937 | return (-1); | |||
938 | } | |||
939 | } | |||
940 | } | |||
941 | } | |||
942 | /* we either finished a handshake or ignored the request, | |||
943 | * now try again to obtain the (application) data we were asked for */ | |||
944 | goto start; | |||
945 | } | |||
946 | /* Disallow client initiated renegotiation if configured. */ | |||
947 | if (s->server
| |||
948 | S3I(s)(s->s3->internal)->handshake_fragment_len >= 4 && | |||
949 | S3I(s)(s->s3->internal)->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO1 && | |||
950 | (s->internal->options & SSL_OP_NO_CLIENT_RENEGOTIATION0x00020000L)) { | |||
951 | al = SSL_AD_NO_RENEGOTIATION100; | |||
952 | goto fatal_err; | |||
953 | } | |||
954 | /* If we are a server and get a client hello when renegotiation isn't | |||
955 | * allowed send back a no renegotiation alert and carry on. | |||
956 | * WARNING: experimental code, needs reviewing (steve) | |||
957 | */ | |||
958 | if (s->server
| |||
959 | SSL_is_init_finished(s)(SSL_state((s)) == 0x03) && | |||
960 | !S3I(s)(s->s3->internal)->send_connection_binding && | |||
961 | (S3I(s)(s->s3->internal)->handshake_fragment_len >= 4) && | |||
962 | (S3I(s)(s->s3->internal)->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO1) && | |||
963 | (s->session != NULL((void*)0)) && (s->session->cipher != NULL((void*)0))) { | |||
964 | /*S3I(s)->handshake_fragment_len = 0;*/ | |||
965 | rr->length = 0; | |||
966 | ssl3_send_alert(s, SSL3_AL_WARNING1, SSL_AD_NO_RENEGOTIATION100); | |||
967 | goto start; | |||
968 | } | |||
969 | if (S3I(s)(s->s3->internal)->alert_fragment_len >= 2) { | |||
970 | int alert_level = S3I(s)(s->s3->internal)->alert_fragment[0]; | |||
971 | int alert_descr = S3I(s)(s->s3->internal)->alert_fragment[1]; | |||
972 | ||||
973 | S3I(s)(s->s3->internal)->alert_fragment_len = 0; | |||
974 | ||||
975 | ssl_msg_callback(s, 0, SSL3_RT_ALERT21, | |||
976 | S3I(s)(s->s3->internal)->alert_fragment, 2); | |||
977 | ||||
978 | ssl_info_callback(s, SSL_CB_READ_ALERT(0x4000|0x04), | |||
979 | (alert_level << 8) | alert_descr); | |||
980 | ||||
981 | if (alert_level == SSL3_AL_WARNING1) { | |||
982 | S3I(s)(s->s3->internal)->warn_alert = alert_descr; | |||
983 | if (alert_descr == SSL_AD_CLOSE_NOTIFY0) { | |||
984 | s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN2; | |||
985 | return (0); | |||
986 | } | |||
987 | /* This is a warning but we receive it if we requested | |||
988 | * renegotiation and the peer denied it. Terminate with | |||
989 | * a fatal alert because if application tried to | |||
990 | * renegotiatie it presumably had a good reason and | |||
991 | * expects it to succeed. | |||
992 | * | |||
993 | * In future we might have a renegotiation where we | |||
994 | * don't care if the peer refused it where we carry on. | |||
995 | */ | |||
996 | else if (alert_descr == SSL_AD_NO_RENEGOTIATION100) { | |||
997 | al = SSL_AD_HANDSHAKE_FAILURE40; | |||
998 | SSLerror(s, SSL_R_NO_RENEGOTIATION)SSL_error_internal(s, 339, "/usr/src/lib/libssl/ssl_pkt.c", 998 ); | |||
999 | goto fatal_err; | |||
1000 | } | |||
1001 | } else if (alert_level == SSL3_AL_FATAL2) { | |||
1002 | s->internal->rwstate = SSL_NOTHING1; | |||
1003 | S3I(s)(s->s3->internal)->fatal_alert = alert_descr; | |||
1004 | SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr)SSL_error_internal(s, 1000 + alert_descr, "/usr/src/lib/libssl/ssl_pkt.c" , 1004); | |||
1005 | ERR_asprintf_error_data("SSL alert number %d", | |||
1006 | alert_descr); | |||
1007 | s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN2; | |||
1008 | SSL_CTX_remove_session(s->ctx, s->session); | |||
1009 | return (0); | |||
1010 | } else { | |||
1011 | al = SSL_AD_ILLEGAL_PARAMETER47; | |||
1012 | SSLerror(s, SSL_R_UNKNOWN_ALERT_TYPE)SSL_error_internal(s, 246, "/usr/src/lib/libssl/ssl_pkt.c", 1012 ); | |||
1013 | goto fatal_err; | |||
1014 | } | |||
1015 | ||||
1016 | goto start; | |||
1017 | } | |||
1018 | ||||
1019 | if (s->internal->shutdown & SSL_SENT_SHUTDOWN1) { | |||
1020 | /* but we have not received a shutdown */ | |||
1021 | s->internal->rwstate = SSL_NOTHING1; | |||
1022 | rr->length = 0; | |||
1023 | return (0); | |||
1024 | } | |||
1025 | ||||
1026 | if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC20) { | |||
1027 | /* 'Change Cipher Spec' is just a single byte, so we know | |||
1028 | * exactly what the record payload has to look like */ | |||
1029 | if ((rr->length != 1) || (rr->off != 0) || | |||
1030 | (rr->data[0] != SSL3_MT_CCS1)) { | |||
1031 | al = SSL_AD_ILLEGAL_PARAMETER47; | |||
1032 | SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC)SSL_error_internal(s, 103, "/usr/src/lib/libssl/ssl_pkt.c", 1032 ); | |||
1033 | goto fatal_err; | |||
1034 | } | |||
1035 | ||||
1036 | /* Check we have a cipher to change to */ | |||
1037 | if (S3I(s)(s->s3->internal)->hs.cipher == NULL((void*)0)) { | |||
1038 | al = SSL_AD_UNEXPECTED_MESSAGE10; | |||
1039 | SSLerror(s, SSL_R_CCS_RECEIVED_EARLY)SSL_error_internal(s, 133, "/usr/src/lib/libssl/ssl_pkt.c", 1039 ); | |||
1040 | goto fatal_err; | |||
1041 | } | |||
1042 | ||||
1043 | /* Check that we should be receiving a Change Cipher Spec. */ | |||
1044 | if (!(s->s3->flags & SSL3_FLAGS_CCS_OK0x0080)) { | |||
1045 | al = SSL_AD_UNEXPECTED_MESSAGE10; | |||
1046 | SSLerror(s, SSL_R_CCS_RECEIVED_EARLY)SSL_error_internal(s, 133, "/usr/src/lib/libssl/ssl_pkt.c", 1046 ); | |||
1047 | goto fatal_err; | |||
1048 | } | |||
1049 | s->s3->flags &= ~SSL3_FLAGS_CCS_OK0x0080; | |||
1050 | ||||
1051 | rr->length = 0; | |||
1052 | ||||
1053 | ssl_msg_callback(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC20, rr->data, 1); | |||
1054 | ||||
1055 | S3I(s)(s->s3->internal)->change_cipher_spec = 1; | |||
1056 | if (!ssl3_do_change_cipher_spec(s)) | |||
1057 | goto err; | |||
1058 | else | |||
1059 | goto start; | |||
1060 | } | |||
1061 | ||||
1062 | /* Unexpected handshake message (Client Hello, or protocol violation) */ | |||
1063 | if ((S3I(s)(s->s3->internal)->handshake_fragment_len >= 4) && !s->internal->in_handshake) { | |||
1064 | if (((S3I(s)(s->s3->internal)->hs.state&SSL_ST_MASK0x0FFF) == SSL_ST_OK0x03) && | |||
1065 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS0x0001)) { | |||
1066 | S3I(s)(s->s3->internal)->hs.state = s->server ? SSL_ST_ACCEPT0x2000 : SSL_ST_CONNECT0x1000; | |||
1067 | s->internal->renegotiate = 1; | |||
1068 | s->internal->new_session = 1; | |||
1069 | } | |||
1070 | i = s->internal->handshake_func(s); | |||
1071 | if (i < 0) | |||
1072 | return (i); | |||
1073 | if (i == 0) { | |||
1074 | SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE)SSL_error_internal(s, 229, "/usr/src/lib/libssl/ssl_pkt.c", 1074 ); | |||
1075 | return (-1); | |||
1076 | } | |||
1077 | ||||
1078 | if (!(s->internal->mode & SSL_MODE_AUTO_RETRY0x00000004L)) { | |||
1079 | if (S3I(s)(s->s3->internal)->rbuf.left == 0) { | |||
1080 | ssl_force_want_read(s); | |||
1081 | return (-1); | |||
1082 | } | |||
1083 | } | |||
1084 | goto start; | |||
1085 | } | |||
1086 | ||||
1087 | switch (rr->type) { | |||
1088 | default: | |||
1089 | /* | |||
1090 | * TLS up to v1.1 just ignores unknown message types: | |||
1091 | * TLS v1.2 give an unexpected message alert. | |||
1092 | */ | |||
1093 | if (s->version >= TLS1_VERSION0x0301 && | |||
1094 | s->version <= TLS1_1_VERSION0x0302) { | |||
1095 | rr->length = 0; | |||
1096 | goto start; | |||
1097 | } | |||
1098 | al = SSL_AD_UNEXPECTED_MESSAGE10; | |||
1099 | SSLerror(s, SSL_R_UNEXPECTED_RECORD)SSL_error_internal(s, 245, "/usr/src/lib/libssl/ssl_pkt.c", 1099 ); | |||
1100 | goto fatal_err; | |||
1101 | case SSL3_RT_CHANGE_CIPHER_SPEC20: | |||
1102 | case SSL3_RT_ALERT21: | |||
1103 | case SSL3_RT_HANDSHAKE22: | |||
1104 | /* we already handled all of these, with the possible exception | |||
1105 | * of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that | |||
1106 | * should not happen when type != rr->type */ | |||
1107 | al = SSL_AD_UNEXPECTED_MESSAGE10; | |||
1108 | SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4|64), "/usr/src/lib/libssl/ssl_pkt.c" , 1108); | |||
1109 | goto fatal_err; | |||
1110 | case SSL3_RT_APPLICATION_DATA23: | |||
1111 | /* At this point, we were expecting handshake data, | |||
1112 | * but have application data. If the library was | |||
1113 | * running inside ssl3_read() (i.e. in_read_app_data | |||
1114 | * is set) and it makes sense to read application data | |||
1115 | * at this point (session renegotiation not yet started), | |||
1116 | * we will indulge it. | |||
1117 | */ | |||
1118 | if (S3I(s)(s->s3->internal)->in_read_app_data && | |||
1119 | (S3I(s)(s->s3->internal)->total_renegotiations != 0) && | |||
1120 | (((S3I(s)(s->s3->internal)->hs.state & SSL_ST_CONNECT0x1000) && | |||
1121 | (S3I(s)(s->s3->internal)->hs.state >= SSL3_ST_CW_CLNT_HELLO_A(0x110|0x1000)) && | |||
1122 | (S3I(s)(s->s3->internal)->hs.state <= SSL3_ST_CR_SRVR_HELLO_A(0x120|0x1000))) || | |||
1123 | ((S3I(s)(s->s3->internal)->hs.state & SSL_ST_ACCEPT0x2000) && | |||
1124 | (S3I(s)(s->s3->internal)->hs.state <= SSL3_ST_SW_HELLO_REQ_A(0x120|0x2000)) && | |||
1125 | (S3I(s)(s->s3->internal)->hs.state >= SSL3_ST_SR_CLNT_HELLO_A(0x110|0x2000))))) { | |||
1126 | S3I(s)(s->s3->internal)->in_read_app_data = 2; | |||
1127 | return (-1); | |||
1128 | } else { | |||
1129 | al = SSL_AD_UNEXPECTED_MESSAGE10; | |||
1130 | SSLerror(s, SSL_R_UNEXPECTED_RECORD)SSL_error_internal(s, 245, "/usr/src/lib/libssl/ssl_pkt.c", 1130 ); | |||
1131 | goto fatal_err; | |||
1132 | } | |||
1133 | } | |||
1134 | /* not reached */ | |||
1135 | ||||
1136 | fatal_err: | |||
1137 | ssl3_send_alert(s, SSL3_AL_FATAL2, al); | |||
1138 | err: | |||
1139 | return (-1); | |||
1140 | } | |||
1141 | ||||
1142 | int | |||
1143 | ssl3_do_change_cipher_spec(SSL *s) | |||
1144 | { | |||
1145 | if (S3I(s)(s->s3->internal)->hs.tls12.key_block == NULL((void*)0)) { | |||
1146 | if (s->session == NULL((void*)0) || s->session->master_key_length == 0) { | |||
1147 | /* might happen if dtls1_read_bytes() calls this */ | |||
1148 | SSLerror(s, SSL_R_CCS_RECEIVED_EARLY)SSL_error_internal(s, 133, "/usr/src/lib/libssl/ssl_pkt.c", 1148 ); | |||
1149 | return (0); | |||
1150 | } | |||
1151 | ||||
1152 | s->session->cipher = S3I(s)(s->s3->internal)->hs.cipher; | |||
1153 | if (!tls1_setup_key_block(s)) | |||
1154 | return (0); | |||
1155 | } | |||
1156 | ||||
1157 | if (!tls1_change_read_cipher_state(s)) | |||
1158 | return (0); | |||
1159 | ||||
1160 | /* | |||
1161 | * We have to record the message digest at this point so we can get it | |||
1162 | * before we read the finished message. | |||
1163 | */ | |||
1164 | if (!tls12_derive_peer_finished(s)) | |||
1165 | return (0); | |||
1166 | ||||
1167 | return (1); | |||
1168 | } | |||
1169 | ||||
1170 | static int | |||
1171 | ssl3_write_alert(SSL *s) | |||
1172 | { | |||
1173 | if (SSL_is_dtls(s)) | |||
1174 | return do_dtls1_write(s, SSL3_RT_ALERT21, S3I(s)(s->s3->internal)->send_alert, | |||
1175 | sizeof(S3I(s)(s->s3->internal)->send_alert)); | |||
1176 | ||||
1177 | return do_ssl3_write(s, SSL3_RT_ALERT21, S3I(s)(s->s3->internal)->send_alert, | |||
1178 | sizeof(S3I(s)(s->s3->internal)->send_alert)); | |||
1179 | } | |||
1180 | ||||
1181 | int | |||
1182 | ssl3_send_alert(SSL *s, int level, int desc) | |||
1183 | { | |||
1184 | /* If alert is fatal, remove session from cache. */ | |||
1185 | if (level == SSL3_AL_FATAL2) | |||
1186 | SSL_CTX_remove_session(s->ctx, s->session); | |||
1187 | ||||
1188 | S3I(s)(s->s3->internal)->alert_dispatch = 1; | |||
1189 | S3I(s)(s->s3->internal)->send_alert[0] = level; | |||
1190 | S3I(s)(s->s3->internal)->send_alert[1] = desc; | |||
1191 | ||||
1192 | /* | |||
1193 | * If data is still being written out, the alert will be dispatched at | |||
1194 | * some point in the future. | |||
1195 | */ | |||
1196 | if (S3I(s)(s->s3->internal)->wbuf.left != 0) | |||
1197 | return -1; | |||
1198 | ||||
1199 | return ssl3_dispatch_alert(s); | |||
1200 | } | |||
1201 | ||||
1202 | int | |||
1203 | ssl3_dispatch_alert(SSL *s) | |||
1204 | { | |||
1205 | int ret; | |||
1206 | ||||
1207 | S3I(s)(s->s3->internal)->alert_dispatch = 0; | |||
1208 | if ((ret = ssl3_write_alert(s)) <= 0) { | |||
1209 | S3I(s)(s->s3->internal)->alert_dispatch = 1; | |||
1210 | return ret; | |||
1211 | } | |||
1212 | ||||
1213 | /* | |||
1214 | * Alert sent to BIO. If it is important, flush it now. | |||
1215 | * If the message does not get sent due to non-blocking IO, | |||
1216 | * we will not worry too much. | |||
1217 | */ | |||
1218 | if (S3I(s)(s->s3->internal)->send_alert[0] == SSL3_AL_FATAL2) | |||
1219 | (void)BIO_flush(s->wbio)(int)BIO_ctrl(s->wbio,11,0,((void*)0)); | |||
1220 | ||||
1221 | ssl_msg_callback(s, 1, SSL3_RT_ALERT21, S3I(s)(s->s3->internal)->send_alert, 2); | |||
1222 | ||||
1223 | ssl_info_callback(s, SSL_CB_WRITE_ALERT(0x4000|0x08), | |||
1224 | (S3I(s)(s->s3->internal)->send_alert[0] << 8) | S3I(s)(s->s3->internal)->send_alert[1]); | |||
1225 | ||||
1226 | return ret; | |||
1227 | } |