s3_pkt.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <errno.h>
#define USE_SOCKETS
#include "ssl_locl.h"
unsigned int len, int create_empty_fragment);
unsigned int len);
static int ssl3_get_record(SSL *s);
/* used only by ssl3_get_record */
/* ssl3_read_n -- the signature is missing from this listing; the name is
 * taken from the comment above and from the call in ssl3_get_record.
 * Reads 'n' bytes into s->packet, either starting a new packet or (with
 * 'extend') appending to the current one, and returns n on success or
 * the <= 0 result of the underlying read (error / would-block).
 * NOTE(review): the declarations of n, max, extend, off, newb and i and
 * the conditions of several if-blocks were dropped by extraction; the
 * comments below only describe what the surviving lines show. */
{
/* If extend == 0, obtain new n-byte packet; if extend == 1, increase
* packet by another n bytes.
* The packet will be in the sub-array of s->s3->rbuf.buf specified
* by s->packet and s->packet_length.
* (If s->read_ahead is set, 'max' bytes may be stored in rbuf
* [plus s->packet_length bytes if extend == 1].)
*/
if (!extend)
{
/* start with empty packet ... */
s->packet_length = 0;
/* ... now we can act as if 'extend' was set */
}
/* if there is enough in the buffer from a previous read, take some */
/* (condition missing from listing) -- fast path: no I/O at all, only the
 * book-keeping for bytes that are already sitting in rbuf */
{
s->packet_length+=n;
return(n);
}
/* else we need to read more data */
/* Without read_ahead the read is clamped to exactly what was asked for,
 * so nothing beyond the current record is pulled from the transport. */
if (!s->read_ahead)
max=n;
/* (condition missing from listing) */
{
/* avoid buffer overflow */
}
/* This is the bound that protects s->s3->rbuf: a request larger than the
 * buffer is refused instead of being written past the end.  The original
 * comment says it cannot happen; the check is cheap, keep it. */
if (n > max) /* does not happen */
{
return -1;
}
off = s->packet_length;
/* Move any available bytes to front of buffer:
* 'off' bytes already pointed to by 'packet',
* 'newb' extra ones at the end */
/* (condition missing from listing) */
{
/* off > 0 */
}
/* Read until at least n new bytes are present.  A read result <= 0 is
 * handed straight back to the caller with s->rwstate left at
 * SSL_READING, which is how a non-blocking caller learns to retry. */
while (newb < n)
{
/* Now we have off+newb bytes at the front of s->s3->rbuf.buf and need
* to read in more until we have off+n (up to off+max if possible) */
/* (condition and the read call that sets 'i' are missing from listing) */
{
s->rwstate=SSL_READING;
}
else
{
/* no read BIO available (presumably): report failure */
i = -1;
}
if (i <= 0)
{
return(i);
}
newb+=i;
}
/* done reading, now the book-keeping */
s->packet_length += n;
s->rwstate=SSL_NOTHING;
return(n);
}
/* Call this to get a new input record.
* It will return <= 0 if more data is needed, normally due to an error
* or non-blocking IO.
* When it finishes, one packet has been decoded and can be found in
* ssl->s3->rrec.type - is the type of record
* ssl->s3->rrec.data, - data
* ssl->s3->rrec.length, - number of bytes
*/
/* used only by ssl3_read_bytes */
/* Read and decode one record into s->s3->rrec (see the comment block
 * above for the fields that are filled in).
 * Returns 1 when a record is available, <= 0 on error or when more data
 * is needed (non-blocking I/O).
 * NOTE(review): the declarations of rr, al, n, i, extra, enc_err and
 * ret, several if-conditions and the f_err: label (target of the gotos
 * below) were dropped by extraction; the comments only describe the
 * surviving lines. */
static int ssl3_get_record(SSL *s)
{
unsigned char *p;
unsigned char md[EVP_MAX_MD_SIZE];
short version;
unsigned int mac_size;
int clear=0;
/* One flag for both failure modes (bad padding and bad MAC) so that a
 * single, indistinguishable alert is sent later -- see the comment
 * before the final 'goto f_err' of the MAC stage. */
int decryption_failed_or_bad_record_mac = 0;
/* (assignment for the 'big buffer' case missing from listing) */
if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
else
extra=0;
/* (condition missing from listing) */
{
/* actually likely an application error: SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
* set after ssl3_setup_buffers() was done */
return -1;
}
/* check if we have the header */
if ( (s->rstate != SSL_ST_READ_BODY) ||
(s->packet_length < SSL3_RT_HEADER_LENGTH))
{
/* (the ssl3_read_n call for the header, which sets 'n', is missing) */
if (n <= 0) return(n); /* error or non-blocking */
p=s->packet;
/* Pull apart the header into the SSL3_RECORD */
/* (only the two version bytes of the header survive in this listing;
 * the type byte and the 2-byte length are read elsewhere around here) */
ssl_major= *(p++);
ssl_minor= *(p++);
/* Lets check version */
/* The very first record only clears first_packet: the version
 * comparison in the else branch (its condition is missing from the
 * listing) is not applied to it. */
if (s->first_packet)
{
s->first_packet=0;
}
else
{
{
/* Send back error using their
* version number :-) */
goto f_err;
}
}
/* (condition missing from listing) */
{
goto err;
}
/* (condition missing from listing; fatal alert via f_err, presumably
 * the record-length upper bound) */
{
goto f_err;
}
/* now s->rstate == SSL_ST_READ_BODY */
}
/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
/* (condition missing from listing) */
{
/* now s->packet_length == SSL3_RT_HEADER_LENGTH */
/* (assignment of the body length to 'i' missing from listing) */
n=ssl3_read_n(s,i,i,1);
if (n <= 0) return(n); /* error or non-blocking io */
/* now n == rr->length,
* and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
}
/* At this point, s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length,
* and we have that many bytes in s->packet
*/
/* ok, we can now read from 's->packet' data into 'rr'
* rr->input points at rr->length bytes, which
* need to be copied into rr->data by either
* the decryption or by the decompression
* When the data is 'copied' into the rr->data buffer,
* rr->input will be pointed at the new buffer */
/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
* rr->length bytes of encrypted compressed stuff. */
/* check is not needed I believe */
/* (condition missing from listing) */
{
goto f_err;
}
/* decrypt in place in 'rr->input' */
/* (the decrypt call that sets enc_err is missing from listing) */
if (enc_err <= 0)
{
if (enc_err == 0)
/* SSLerr() and ssl3_send_alert() have been called */
goto err;
/* Otherwise enc_err == -1, which indicates bad padding
* (rec->length has not been changed in this case).
* To minimize information leaked via timing, we will perform
* the MAC computation anyway. */
/* NOTE(review): this equalises *whether* the MAC is computed, not how
 * much data it is computed over (rec->length still depends on the
 * padding outcome) -- confirm that residual timing difference is
 * acceptable for the CBC ciphersuites in use. */
}
#ifdef TLS_DEBUG
printf("\n");
#endif
/* r->length is now the compressed data plus mac */
/* (start of the 'clear' condition missing from listing) */
(s->enc_read_ctx == NULL) ||
clear=1;
if (!clear)
{
/* (mac_size assignment and the length-vs-mac_size condition missing) */
{
#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
goto f_err;
#else
/* For block ciphers this is deliberately NOT a fatal error here: the
 * failure is presumably folded into decryption_failed_or_bad_record_mac
 * (line missing) so it cannot be told apart from a bad MAC. */
#endif
}
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
/* (condition missing from listing) */
{
}
else
{
/* record (minus padding) is too short to contain a MAC */
#if 0 /* OK only for stream ciphers */
goto f_err;
#else
/* same reasoning as above: not fatal on its own (line missing) */
#endif
}
/* (MAC computation into md[] and comparison missing from listing) */
{
}
}
/* (condition on decryption_failed_or_bad_record_mac missing from listing) */
{
/* A separate 'decryption_failed' alert was introduced with TLS 1.0,
* SSL 3.0 only has 'bad_record_mac'. But unless a decryption
* failure is directly visible from the ciphertext anyway,
* we should not reveal which kind of error occurred -- this
* might become visible to an attacker (e.g. via a logfile) */
goto f_err;
}
/* r->length is now just compressed */
/* (decompression condition missing from listing) */
{
/* (pre-decompression length check missing from listing) */
{
goto f_err;
}
if (!do_uncompress(s))
{
goto f_err;
}
}
/* (post-decompression length check missing from listing; this is the
 * last bound applied before the record is handed to the caller) */
{
goto f_err;
}
/* So at this point the following is true
* ssl->s3->rrec.type is the type of record
* ssl->s3->rrec.length == number of bytes in record
* ssl->s3->rrec.off == offset to first valid byte
* ssl->s3->rrec.data == where to take bytes from, increment
* after use :-).
*/
/* we have pulled in a full packet so zero things */
s->packet_length=0;
/* just read a 0 length packet */
/* (the zero-length record handling that this comment refers to is
 * missing from listing) */
return(1);
/* NOTE(review): the f_err: label that sends the fatal alert 'al' before
 * falling into err: is not in this listing. */
err:
return(ret);
}
/* Presumably do_uncompress (the helper called from ssl3_get_record):
 * its signature and the decompression call that sets 'i' are missing
 * from this listing.  Maps a negative result to 0 (failure), else 1. */
{
int i;
if (i < 0)
return(0);
else
return(1);
}
/* Presumably do_compress (the helper called from do_ssl3_write): its
 * signature and the compression call that sets 'i' are missing from
 * this listing.  Maps a negative result to 0 (failure), else 1. */
{
int i;
if (i < 0)
return(0);
else
return(1);
}
/* Call this to write data in records of type 'type'
* It will return <= 0 if not all data has been sent or non-blocking IO.
*/
/* Presumably ssl3_write_bytes (signature missing from this listing; see
 * the comment above).  Splits the caller's data into records of at most
 * SSL3_RT_MAX_PLAIN_LENGTH plaintext bytes and writes them one by one.
 * Returns the number of bytes written (tot+i) or <= 0 on error /
 * would-block.  The declarations of n, nw and tot and the do_ssl3_write
 * call that sets 'i' are missing from the listing. */
{
int i;
s->rwstate=SSL_NOTHING;
/* Drive a pending handshake to completion before any record is built. */
if (SSL_in_init(s) && !s->in_handshake)
{
i=s->handshake_func(s);
if (i < 0) return(i);
if (i == 0)
{
/* (error reporting missing from listing) */
return -1;
}
}
for (;;)
{
/* Fragment to the protocol's maximum plaintext record size
 * (the nw assignment for the oversize case is missing). */
if (n > SSL3_RT_MAX_PLAIN_LENGTH)
else
nw=n;
/* (do_ssl3_write call that sets 'i' missing from listing) */
if (i <= 0)
{
/* (progress book-keeping missing from listing) */
return i;
}
/* Done when everything went out, or -- for application data only and
 * only if the application opted in -- after a partial write. */
if ((i == (int)n) ||
(type == SSL3_RT_APPLICATION_DATA &&
(s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
{
/* next chunk of data should get another prepended empty fragment
* in ciphersuites with known-IV weakness: */
s->s3->empty_fragment_done = 0;
return tot+i;
}
n-=i;
tot+=i;
}
}
/* do_ssl3_write -- only the tail of the signature survives in this
 * listing (... unsigned int len, int create_empty_fragment).
 * Builds one record of 'type' from 'len' input bytes: an optional
 * leading empty fragment, then header, compression, MAC and encryption,
 * and hands the buffer to ssl3_write_pending.  Returns the number of
 * bytes consumed, <= 0 on error / would-block.
 * NOTE(review): the declarations of i, clear, mac_size, wr and wb, the
 * pending-write check, the encrypt/MAC calls and the final write call
 * are missing from this listing. */
unsigned int len, int create_empty_fragment)
{
unsigned char *p,*plen;
int prefix_len = 0;
/* first check if there is a SSL3_BUFFER still being written
* out. This will happen with non blocking IO */
/* (that check is missing from listing) */
/* If we have an alert to send, lets send it */
/* A queued alert is flushed before any new record is built. */
if (s->s3->alert_dispatch)
{
i=ssl3_dispatch_alert(s);
if (i <= 0)
return(i);
/* if it went, fall through and send more stuff */
}
if (len == 0 && !create_empty_fragment)
return 0;
/* (start of the 'clear' condition missing from listing) */
(s->enc_write_ctx == NULL) ||
(s->write_hash == NULL))
clear=1;
if (clear)
mac_size=0;
else
/* (mac_size assignment for the non-clear case missing from listing) */
/* 'create_empty_fragment' is true only when this function calls itself */
/* (condition missing from listing) */
{
/* countermeasure against known-IV weakness in CBC ciphersuites
* (see http://www.openssl.org/~bodo/tls-cbc.txt) */
/* (CBC-mode condition missing from listing) */
{
/* recursive function call with 'create_empty_fragment' set;
* this prepares and buffers the data for an empty fragment
* (these 'prefix_len' bytes are sent out later
* together with the actual payload) */
/* (the recursive call that sets prefix_len is missing) */
if (prefix_len <= 0)
goto err;
/* (space check missing from listing) */
{
/* insufficient space */
goto err;
}
}
}
/* write the header */
/* (assignment of 'p' into the write buffer missing from listing) */
*(p++)=type&0xff;
/* Records carry the negotiated s->version. */
*(p++)=(s->version>>8);
*(p++)=s->version&0xff;
/* field where we are to write out packet length */
plen=p;
p+=2;
/* lets setup the record stuff. */
/* (wr->type/length/input/data setup missing from listing) */
/* we now 'read' from wr->input, wr->length bytes into
* wr->data */
/* first we compress */
/* (compression condition missing from listing) */
{
if (!do_compress(s))
{
goto err;
}
}
else
{
/* (plain copy of input into wr->data missing from listing) */
}
/* we should still have the output to wr->data and the input
* from wr->input. Length should be wr->length.
* wr->data still points in the wb->buf */
/* MAC is appended before encryption (MAC-then-encrypt). */
if (mac_size != 0)
{
/* (MAC call missing from listing) */
}
/* ssl3_enc can only have an error on read */
/* (encrypt call missing from listing) */
/* record length after mac and block padding */
/* (the write of the final length into 'plen' is missing from listing --
 * plen is otherwise unused in the surviving lines) */
/* we should now have
* wr->data pointing to the encrypted data, which is
* wr->length long */
/* (condition on create_empty_fragment missing from listing) */
{
/* we are in a recursive call;
* just return the length, don't write out anything here
*/
/* (return statement missing from listing) */
}
/* now let's set up wb */
/* (wb->left / wb->offset setup missing from listing) */
/* memorize arguments so that ssl3_write_pending can detect bad write retries later */
/* (wpend_* assignments missing from listing) */
/* we now just need to write the buffer */
/* (return ssl3_write_pending(...) missing from listing) */
err:
return -1;
}
/* if s->s3->wbuf.left != 0, we need to call this */
/* ssl3_write_pending -- only the last parameter of the signature survives
 * in this listing.  Flushes the buffered record in s->s3->wbuf to the
 * write BIO, looping on partial writes.  Returns the pending length on
 * completion, <= 0 on error / would-block.
 * NOTE(review): the retry comparison, the BIO_write call and the
 * offset/left book-keeping are missing from this listing. */
unsigned int len)
{
int i;
/* XXXX */
/* Bad-write-retry guard: a retry after a would-block must present the
 * same arguments that do_ssl3_write memorised, unless the application
 * opted in with SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER.  The comparison
 * itself is missing from the listing; only the mode test survives. */
!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
{
return(-1);
}
for (;;)
{
/* (condition and the write call that sets 'i' missing from listing) */
{
s->rwstate=SSL_WRITING;
}
else
{
/* no write BIO available (presumably): report failure */
i= -1;
}
/* (completion condition missing from listing) */
{
s->rwstate=SSL_NOTHING;
/* (return of the pending length missing from listing) */
}
else if (i <= 0)
return(i);
/* (offset/left adjustment for a partial write missing from listing) */
}
}
/* Return up to 'len' payload bytes received in 'type' records.
* 'type' is one of the following:
*
* - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
* - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
* - 0 (during a shutdown, no data has to be returned)
*
* (possibly multiple records if we still don't have anything to return).
*
* This function must handle any surprises the peer may have for us, such as
* Alert records (e.g. close_notify), ChangeCipherSpec records (not really
* a surprise, but handled as if it were), or renegotiation requests.
* Also if record payloads contain fragments too small to process, we store
* them until there is enough for the respective protocol (the record protocol
* may use arbitrary fragmentation and even interleaving):
* Change cipher spec protocol
* just 1 byte needed, no need for keeping anything stored
* Alert protocol
* 2 bytes needed (AlertLevel, AlertDescription)
* Handshake protocol
* 4 bytes needed (HandshakeType, uint24 length) -- we just have
* to detect unexpected Client Hello and Hello Request messages
* here, anything else is handled by higher layers
* Application data protocol
* none of our business
*/
/* ssl3_read_bytes -- signature missing from this listing; the contract is
 * described in the comment block above.  Returns the number of payload
 * bytes copied out, 0 on close_notify / shutdown, -1 on error or
 * would-block.
 * NOTE(review): the declarations (rr, al, i, ret, bio, cb, ...), the
 * 'start:' label, the 'switch' head and most if-conditions were dropped
 * by extraction; the comments below describe only the surviving lines. */
{
unsigned int n;
/* (further declarations missing from listing) */
if (!ssl3_setup_buffers(s))
return(-1);
/* (argument validation condition missing from listing) */
{
return -1;
}
/* (partially) satisfy request from storage */
/* (condition missing from listing: stored handshake fragment present) */
{
unsigned int k;
/* peek == 0 */
n = 0;
/* (copy loop head missing from listing) */
{
n++;
}
/* move any remaining fragment bytes: */
for (k = 0; k < s->s3->handshake_fragment_len; k++)
/* (loop body missing from listing) */
return n;
}
/* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
/* Drive a pending (re)handshake to completion before returning data. */
if (!s->in_handshake && SSL_in_init(s))
{
/* type == SSL3_RT_APPLICATION_DATA */
i=s->handshake_func(s);
if (i < 0) return(i);
if (i == 0)
{
return(-1);
}
}
/* ('start:' label, target of the 'goto start' statements below, is
 * missing from listing) */
s->rwstate=SSL_NOTHING;
/* s->s3->rrec.type - is the type of record
* s->s3->rrec.data, - data
* s->s3->rrec.off, - offset into 'data' for next read
* s->s3->rrec.length, - number of bytes. */
/* get new packet if necessary */
/* (condition missing from listing) */
{
ret=ssl3_get_record(s);
/* (the 'if (ret <= 0) return(ret);' that must follow is missing) */
}
/* we now have a packet which can be read and processed */
/* (the first half of this comment is missing from the listing; it ends:)
* reset by ssl3_get_finished */
/* (condition missing from listing) */
{
goto err;
}
/* If the other end has shut down, throw anything we read away
* (even in 'peek' mode) */
if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
{
s->rwstate=SSL_NOTHING;
return(0);
}
/* (condition missing from listing: record type matches requested type) */
{
/* make sure that we are not getting application data when we
* are doing a handshake for the first time */
/* Application data with no read cipher installed yet is a fatal
 * error: nothing is returned to the caller before the first key
 * exchange has produced enc_read_ctx.  Start of condition missing. */
(s->enc_read_ctx == NULL))
{
goto f_err;
}
/* (length clamp to the record's remaining bytes missing from listing) */
else
n = (unsigned int)len;
/* (copy of n bytes into the caller's buffer missing from listing) */
if (!peek)
{
/* (consumption book-keeping on rr missing from listing) */
{
}
}
return(n);
}
/* If we get here, then type != rr->type; if we have a handshake
* message, then it was unexpected (Hello Request or Client Hello). */
/* In case of record types for which we have 'fragment' storage,
* fill that so that we can process the data at a fixed place.
*/
/* (condition missing from listing) */
{
unsigned int dest_maxlen = 0;
/* (handshake-type case: dest/dest_len/dest_maxlen setup missing) */
{
}
/* (alert-type case: dest/dest_len/dest_maxlen setup missing) */
{
}
if (dest_maxlen > 0)
{
/* (n = min(dest_maxlen - *dest_len, rr->length) presumably; missing) */
/* now move 'n' bytes: */
while (n-- > 0)
{
/* (byte copy missing from listing) */
}
if (*dest_len < dest_maxlen)
goto start; /* fragment was too small */
}
}
/* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
* s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
/* If we are a client, check for an incoming 'Hello Request': */
/* NOTE(review): a HelloRequest received once the initial handshake is
 * finished starts a renegotiation here; no policy gate beyond
 * SSL_is_init_finished / !renegotiate is visible in this listing --
 * confirm how unsolicited renegotiation requests are restricted. */
if ((!s->server) &&
/* (rest of condition missing from listing) */
{
s->s3->handshake_fragment_len = 0;
/* (well-formedness check on the 4-byte fragment missing from listing) */
{
goto err;
}
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
if (SSL_is_init_finished(s) &&
/* (middle of condition missing from listing) */
!s->s3->renegotiate)
{
ssl3_renegotiate(s);
if (ssl3_renegotiate_check(s))
{
i=s->handshake_func(s);
if (i < 0) return(i);
if (i == 0)
{
return(-1);
}
if (!(s->mode & SSL_MODE_AUTO_RETRY))
{
/* (condition missing from listing) */
{
/* In the case where we try to read application data,
* but we trigger an SSL handshake, we return -1 with
* the retry option set. Otherwise renegotiation may
* cause nasty problems in the blocking world */
s->rwstate=SSL_READING;
bio=SSL_get_rbio(s);
/* (BIO retry-flag setup on 'bio' missing from listing) */
return(-1);
}
}
}
}
/* we either finished a handshake or ignored the request,
* now try again to obtain the (application) data we were asked for */
goto start;
}
/* (condition missing from listing: complete 2-byte alert fragment) */
{
/* (alert level / description extraction missing from listing) */
s->s3->alert_fragment_len = 0;
if (s->msg_callback)
/* (msg_callback call missing from listing) */
if (s->info_callback != NULL)
cb=s->info_callback;
/* (fallback callback selection and NULL check missing from listing) */
{
/* ('j' is presumably the packed level/description; assignment missing) */
cb(s, SSL_CB_READ_ALERT, j);
}
/* (warning-level condition missing from listing) */
{
if (alert_descr == SSL_AD_CLOSE_NOTIFY)
{
/* Peer closed cleanly: remember it and return 0.  The
 * SSL_RECEIVED_SHUTDOWN test above then discards anything
 * read afterwards. */
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return(0);
}
}
/* (fatal-level condition missing from listing) */
{
char tmp[16];
/* (fatal-alert handling missing from listing; tmp[16] is presumably
 * used to format the alert number into the error data) */
s->rwstate=SSL_NOTHING;
return(0);
}
else
{
/* unknown alert level: fatal protocol error (alert setup missing) */
goto f_err;
}
goto start;
}
/* (condition missing from listing, presumably: we already sent
 * close_notify and are only draining) */
{
s->rwstate=SSL_NOTHING;
return(0);
}
/* (condition missing from listing: ChangeCipherSpec record) */
{
/* 'Change Cipher Spec' is just a single byte, so we know
* exactly what the record payload has to look like */
/* (length / value check missing from listing) */
{
goto err;
}
/* Check we have a cipher to change to */
/* Rejects a CCS when no pending cipher state exists.  The condition is
 * missing from this listing -- confirm it covers a CCS that arrives
 * before the key exchange has completed. */
{
goto err;
}
if (s->msg_callback)
/* (msg_callback call missing from listing) */
if (!do_change_cipher_spec(s))
goto err;
else
goto start;
}
/* Unexpected handshake message (Client Hello, or protocol violation) */
/* (condition missing from listing) */
{
/* (condition missing from listing: state machine currently idle) */
{
#if 0 /* worked only because C operator preferences are not as expected (and
* because this is not really needed for clients except for detecting
* protocol violations): */
#else
/* (state reset to 'before handshake' missing from listing) */
#endif
/* Mark this as a new session before the state machine is re-run
 * (peer-initiated renegotiation). */
s->new_session=1;
}
i=s->handshake_func(s);
if (i < 0) return(i);
if (i == 0)
{
return(-1);
}
if (!(s->mode & SSL_MODE_AUTO_RETRY))
{
/* (condition missing from listing) */
{
/* In the case where we try to read application data,
* but we trigger an SSL handshake, we return -1 with
* the retry option set. Otherwise renegotiation may
* cause nasty problems in the blocking world */
s->rwstate=SSL_READING;
bio=SSL_get_rbio(s);
/* (BIO retry-flag setup on 'bio' missing from listing) */
return(-1);
}
}
goto start;
}
/* ('switch' head on the record type missing from listing) */
{
default:
#ifndef OPENSSL_NO_TLS
/* TLS just ignores unknown message types */
/* Only for TLS 1.0: an unknown record type is skipped (the line that
 * discards rr is missing) and reading continues.  SSL 3.0 falls
 * through to the fatal error below. */
if (s->version == TLS1_VERSION)
{
goto start;
}
#endif
/* (alert setup missing from listing) */
goto f_err;
case SSL3_RT_ALERT:
case SSL3_RT_HANDSHAKE:
/* we already handled all of these, with the possible exception
* of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
* should not happen when type != rr->type */
goto f_err;
case SSL3_RT_APPLICATION_DATA:
/* At this point, we were expecting handshake data,
* but have application data. If the library was
* running inside ssl3_read() (i.e. in_read_app_data
* is set) and it makes sense to read application data
* at this point (session renegotiation not yet started),
* we will indulge it.
*/
/* Tolerated only during a renegotiation (total_renegotiations != 0)
 * and only in the window between sending ClientHello and receiving
 * ServerHello (client), or between receiving ClientHello and sending
 * HelloRequest (server).  The assignment that tells ssl3_read to pick
 * the data up is missing from the listing. */
if (s->s3->in_read_app_data &&
(s->s3->total_renegotiations != 0) &&
((
(s->state & SSL_ST_CONNECT) &&
(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
(s->state <= SSL3_ST_CR_SRVR_HELLO_A)
) || (
(s->state & SSL_ST_ACCEPT) &&
(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
(s->state >= SSL3_ST_SR_CLNT_HELLO_A)
)
))
{
return(-1);
}
else
{
/* (alert setup missing from listing) */
goto f_err;
}
}
/* not reached */
/* (f_err: label that sends the fatal alert is missing from listing) */
err:
return(-1);
}
/* Switches to the pending cipher state after a ChangeCipherSpec has
 * been received and snapshots the handshake digest so that the peer's
 * Finished message can be verified.  Returns 1 on success, 0 on failure.
 * NOTE(review): the condition guarded by the early 'return(0)', the
 * key-block / cipher-state calls, the sender/slen assignments and the
 * head of the final digest call are missing from this listing. */
static int do_change_cipher_spec(SSL *s)
{
int i;
const char *sender;
int slen;
/* (key-block setup missing from listing) */
if (s->state & SSL_ST_ACCEPT)
else
{
}
/* (cipher-state change condition missing; a failure returns 0) */
return(0);
/* we have to record the message digest at
* this point so we can get it before we read
* the finished message */
if (s->state & SSL_ST_CONNECT)
{
/* (sender/slen for the server's Finished label, presumably) */
}
else
{
/* (sender/slen for the client's Finished label, presumably) */
}
/* (head of the final-MAC call missing from listing; it takes the two
 * running handshake digests below) */
&(s->s3->finish_dgst1),
&(s->s3->finish_dgst2),
return(1);
}
/* Presumably ssl3_send_alert (signature missing from this listing):
 * queues an alert for ssl3_dispatch_alert.  A negative 'desc' means
 * "no alert for this error" and is a no-op.  The lines that record the
 * alert, remove the session from the cache for a fatal one and call
 * ssl3_dispatch_alert are missing from the listing. */
{
if (desc < 0) return;
/* If a fatal one, remove from cache */
/* (session removal missing from listing) */
/* else data is still being written out, we will get written
* some time in the future */
}
/* Writes the queued alert as a single SSL3_RT_ALERT record.
 * Returns the write result: <= 0 when the alert did not go out (it is
 * presumably re-queued by the line missing from the first branch).
 * NOTE(review): the callback declaration, the write call that sets 'i',
 * the flush for fatal alerts and the callback selection lines are
 * missing from this listing. */
int ssl3_dispatch_alert(SSL *s)
{
int i,j;
/* (callback pointer declaration missing from listing) */
s->s3->alert_dispatch=0;
/* (do_ssl3_write call for the alert record, setting 'i', missing) */
if (i <= 0)
{
/* (re-arming of alert_dispatch presumably; line missing) */
}
else
{
/* Alert sent to BIO. If it is important, flush it now.
* If the message does not get sent due to non-blocking IO,
* we will not worry too much. */
/* (fatal-alert flush missing from listing) */
if (s->msg_callback)
/* (msg_callback call missing from listing) */
if (s->info_callback != NULL)
cb=s->info_callback;
/* (fallback callback selection and NULL check missing from listing) */
{
/* ('j' is presumably the packed level/description; assignment missing) */
cb(s,SSL_CB_WRITE_ALERT,j);
}
}
return(i);
}