| GCC Code Coverage Report | |||||||||||||||||||||
|
|||||||||||||||||||||
| Line | Branch | Exec | Source |
1 |
/* $OpenBSD: ssl_pkt.c,v 1.12 2017/05/07 04:22:24 beck Exp $ */ |
||
2 |
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
||
3 |
* All rights reserved. |
||
4 |
* |
||
5 |
* This package is an SSL implementation written |
||
6 |
* by Eric Young (eay@cryptsoft.com). |
||
7 |
* The implementation was written so as to conform with Netscapes SSL. |
||
8 |
* |
||
9 |
* This library is free for commercial and non-commercial use as long as |
||
10 |
* the following conditions are aheared to. The following conditions |
||
11 |
* apply to all code found in this distribution, be it the RC4, RSA, |
||
12 |
* lhash, DES, etc., code; not just the SSL code. The SSL documentation |
||
13 |
* included with this distribution is covered by the same copyright terms |
||
14 |
* except that the holder is Tim Hudson (tjh@cryptsoft.com). |
||
15 |
* |
||
16 |
* Copyright remains Eric Young's, and as such any Copyright notices in |
||
17 |
* the code are not to be removed. |
||
18 |
* If this package is used in a product, Eric Young should be given attribution |
||
19 |
* as the author of the parts of the library used. |
||
20 |
* This can be in the form of a textual message at program startup or |
||
21 |
* in documentation (online or textual) provided with the package. |
||
22 |
* |
||
23 |
* Redistribution and use in source and binary forms, with or without |
||
24 |
* modification, are permitted provided that the following conditions |
||
25 |
* are met: |
||
26 |
* 1. Redistributions of source code must retain the copyright |
||
27 |
* notice, this list of conditions and the following disclaimer. |
||
28 |
* 2. Redistributions in binary form must reproduce the above copyright |
||
29 |
* notice, this list of conditions and the following disclaimer in the |
||
30 |
* documentation and/or other materials provided with the distribution. |
||
31 |
* 3. All advertising materials mentioning features or use of this software |
||
32 |
* must display the following acknowledgement: |
||
33 |
* "This product includes cryptographic software written by |
||
34 |
* Eric Young (eay@cryptsoft.com)" |
||
35 |
* The word 'cryptographic' can be left out if the rouines from the library |
||
36 |
* being used are not cryptographic related :-). |
||
37 |
* 4. If you include any Windows specific code (or a derivative thereof) from |
||
38 |
* the apps directory (application code) you must include an acknowledgement: |
||
39 |
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
||
40 |
* |
||
41 |
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
||
42 |
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
||
43 |
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
||
44 |
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
||
45 |
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
||
46 |
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
||
47 |
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
||
48 |
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
||
49 |
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
||
50 |
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
||
51 |
* SUCH DAMAGE. |
||
52 |
* |
||
53 |
* The licence and distribution terms for any publically available version or |
||
54 |
* derivative of this code cannot be changed. i.e. this code cannot simply be |
||
55 |
* copied and put under another distribution licence |
||
56 |
* [including the GNU Public Licence.] |
||
57 |
*/ |
||
58 |
/* ==================================================================== |
||
59 |
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. |
||
60 |
* |
||
61 |
* Redistribution and use in source and binary forms, with or without |
||
62 |
* modification, are permitted provided that the following conditions |
||
63 |
* are met: |
||
64 |
* |
||
65 |
* 1. Redistributions of source code must retain the above copyright |
||
66 |
* notice, this list of conditions and the following disclaimer. |
||
67 |
* |
||
68 |
* 2. Redistributions in binary form must reproduce the above copyright |
||
69 |
* notice, this list of conditions and the following disclaimer in |
||
70 |
* the documentation and/or other materials provided with the |
||
71 |
* distribution. |
||
72 |
* |
||
73 |
* 3. All advertising materials mentioning features or use of this |
||
74 |
* software must display the following acknowledgment: |
||
75 |
* "This product includes software developed by the OpenSSL Project |
||
76 |
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
||
77 |
* |
||
78 |
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
||
79 |
* endorse or promote products derived from this software without |
||
80 |
* prior written permission. For written permission, please contact |
||
81 |
* openssl-core@openssl.org. |
||
82 |
* |
||
83 |
* 5. Products derived from this software may not be called "OpenSSL" |
||
84 |
* nor may "OpenSSL" appear in their names without prior written |
||
85 |
* permission of the OpenSSL Project. |
||
86 |
* |
||
87 |
* 6. Redistributions of any form whatsoever must retain the following |
||
88 |
* acknowledgment: |
||
89 |
* "This product includes software developed by the OpenSSL Project |
||
90 |
* for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
||
91 |
* |
||
92 |
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
||
93 |
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
||
94 |
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
||
95 |
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
||
96 |
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
||
97 |
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
||
98 |
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
||
99 |
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
||
100 |
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
||
101 |
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
||
102 |
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
||
103 |
* OF THE POSSIBILITY OF SUCH DAMAGE. |
||
104 |
* ==================================================================== |
||
105 |
* |
||
106 |
* This product includes cryptographic software written by Eric Young |
||
107 |
* (eay@cryptsoft.com). This product includes software written by Tim |
||
108 |
* Hudson (tjh@cryptsoft.com). |
||
109 |
* |
||
110 |
*/ |
||
111 |
|||
112 |
#include <errno.h> |
||
113 |
#include <stdio.h> |
||
114 |
|||
115 |
#include "ssl_locl.h" |
||
116 |
|||
117 |
#include <openssl/buffer.h> |
||
118 |
#include <openssl/evp.h> |
||
119 |
|||
120 |
#include "bytestring.h" |
||
121 |
|||
122 |
static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, |
||
123 |
unsigned int len, int create_empty_fragment); |
||
124 |
static int ssl3_get_record(SSL *s); |
||
125 |
|||
126 |
/* |
||
127 |
* Force a WANT_READ return for certain error conditions where |
||
128 |
* we don't want to spin internally. |
||
129 |
*/ |
||
130 |
static void |
||
131 |
ssl_force_want_read(SSL *s) |
||
132 |
{ |
||
133 |
BIO * bio; |
||
134 |
|||
135 |
bio = SSL_get_rbio(s); |
||
136 |
BIO_clear_retry_flags(bio); |
||
137 |
BIO_set_retry_read(bio); |
||
138 |
s->internal->rwstate = SSL_READING; |
||
139 |
} |
||
140 |
|||
141 |
/* |
||
142 |
* If extend == 0, obtain new n-byte packet; if extend == 1, increase |
||
143 |
* packet by another n bytes. |
||
144 |
* The packet will be in the sub-array of s->s3->rbuf.buf specified |
||
145 |
* by s->internal->packet and s->internal->packet_length. |
||
146 |
* (If s->internal->read_ahead is set, 'max' bytes may be stored in rbuf |
||
147 |
* [plus s->internal->packet_length bytes if extend == 1].) |
||
148 |
*/ |
||
149 |
static int |
||
150 |
ssl3_read_n(SSL *s, int n, int max, int extend) |
||
151 |
{ |
||
152 |
int i, len, left; |
||
153 |
size_t align; |
||
154 |
unsigned char *pkt; |
||
155 |
SSL3_BUFFER *rb; |
||
156 |
|||
157 |
✗✓ | 141868 |
if (n <= 0) |
158 |
return n; |
||
159 |
|||
160 |
70934 |
rb = &(s->s3->rbuf); |
|
161 |
✗✓ | 70934 |
if (rb->buf == NULL) |
162 |
if (!ssl3_setup_read_buffer(s)) |
||
163 |
return -1; |
||
164 |
|||
165 |
70934 |
left = rb->left; |
|
166 |
70934 |
align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH; |
|
167 |
70934 |
align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); |
|
168 |
|||
169 |
✓✓ | 70934 |
if (!extend) { |
170 |
/* start with empty packet ... */ |
||
171 |
✓✓ | 36891 |
if (left == 0) |
172 |
35907 |
rb->offset = align; |
|
173 |
✗✓ | 984 |
else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) { |
174 |
/* check if next packet length is large |
||
175 |
* enough to justify payload alignment... */ |
||
176 |
pkt = rb->buf + rb->offset; |
||
177 |
if (pkt[0] == SSL3_RT_APPLICATION_DATA && |
||
178 |
(pkt[3]<<8|pkt[4]) >= 128) { |
||
179 |
/* Note that even if packet is corrupted |
||
180 |
* and its length field is insane, we can |
||
181 |
* only be led to wrong decision about |
||
182 |
* whether memmove will occur or not. |
||
183 |
* Header values has no effect on memmove |
||
184 |
* arguments and therefore no buffer |
||
185 |
* overrun can be triggered. */ |
||
186 |
memmove(rb->buf + align, pkt, left); |
||
187 |
rb->offset = align; |
||
188 |
} |
||
189 |
} |
||
190 |
36891 |
s->internal->packet = rb->buf + rb->offset; |
|
191 |
36891 |
s->internal->packet_length = 0; |
|
192 |
/* ... now we can act as if 'extend' was set */ |
||
193 |
36891 |
} |
|
194 |
|||
195 |
/* For DTLS/UDP reads should not span multiple packets |
||
196 |
* because the read operation returns the whole packet |
||
197 |
* at once (as long as it fits into the buffer). */ |
||
198 |
✗✓ | 141868 |
if (SSL_IS_DTLS(s)) { |
199 |
✗✗ | 70934 |
if (left > 0 && n > left) |
200 |
n = left; |
||
201 |
} |
||
202 |
|||
203 |
/* if there is enough in the buffer from a previous read, take some */ |
||
204 |
✗✓ | 70934 |
if (left >= n) { |
205 |
s->internal->packet_length += n; |
||
206 |
rb->left = left - n; |
||
207 |
rb->offset += n; |
||
208 |
return (n); |
||
209 |
} |
||
210 |
|||
211 |
/* else we need to read more data */ |
||
212 |
|||
213 |
70934 |
len = s->internal->packet_length; |
|
214 |
70934 |
pkt = rb->buf + align; |
|
215 |
/* Move any available bytes to front of buffer: |
||
216 |
* 'len' bytes already pointed to by 'packet', |
||
217 |
* 'left' extra ones at the end */ |
||
218 |
✗✓ | 70934 |
if (s->internal->packet != pkt) { |
219 |
/* len > 0 */ |
||
220 |
memmove(pkt, s->internal->packet, len + left); |
||
221 |
s->internal->packet = pkt; |
||
222 |
rb->offset = len + align; |
||
223 |
} |
||
224 |
|||
225 |
✗✓ | 70934 |
if (n > (int)(rb->len - rb->offset)) { |
226 |
/* does not happen */ |
||
227 |
SSLerror(s, ERR_R_INTERNAL_ERROR); |
||
228 |
return -1; |
||
229 |
} |
||
230 |
|||
231 |
✓✗ | 70934 |
if (!s->internal->read_ahead) { |
232 |
/* ignore max parameter */ |
||
233 |
max = n; |
||
234 |
70934 |
} else { |
|
235 |
if (max < n) |
||
236 |
max = n; |
||
237 |
if (max > (int)(rb->len - rb->offset)) |
||
238 |
max = rb->len - rb->offset; |
||
239 |
} |
||
240 |
|||
241 |
✓✓ | 134416 |
while (left < n) { |
242 |
/* Now we have len+left bytes at the front of s->s3->rbuf.buf |
||
243 |
* and need to read in more until we have len+n (up to |
||
244 |
* len+max if possible) */ |
||
245 |
|||
246 |
72934 |
errno = 0; |
|
247 |
✓✗ | 72934 |
if (s->rbio != NULL) { |
248 |
72934 |
s->internal->rwstate = SSL_READING; |
|
249 |
72934 |
i = BIO_read(s->rbio, pkt + len + left, max - left); |
|
250 |
72934 |
} else { |
|
251 |
SSLerror(s, SSL_R_READ_BIO_NOT_SET); |
||
252 |
i = -1; |
||
253 |
} |
||
254 |
|||
255 |
✓✓ | 72934 |
if (i <= 0) { |
256 |
9452 |
rb->left = left; |
|
257 |
✗✓✗✗ |
9452 |
if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && |
258 |
!SSL_IS_DTLS(s)) { |
||
259 |
if (len + left == 0) |
||
260 |
ssl3_release_read_buffer(s); |
||
261 |
} |
||
262 |
9452 |
return (i); |
|
263 |
} |
||
264 |
63482 |
left += i; |
|
265 |
|||
266 |
/* |
||
267 |
* reads should *never* span multiple packets for DTLS because |
||
268 |
* the underlying transport protocol is message oriented as |
||
269 |
* opposed to byte oriented as in the TLS case. |
||
270 |
*/ |
||
271 |
✓✓ | 63482 |
if (SSL_IS_DTLS(s)) { |
272 |
✓✓ | 1324 |
if (n > left) |
273 |
4 |
n = left; /* makes the while condition false */ |
|
274 |
} |
||
275 |
} |
||
276 |
|||
277 |
/* done reading, now the book-keeping */ |
||
278 |
61482 |
rb->offset += n; |
|
279 |
61482 |
rb->left = left - n; |
|
280 |
61482 |
s->internal->packet_length += n; |
|
281 |
61482 |
s->internal->rwstate = SSL_NOTHING; |
|
282 |
|||
283 |
61482 |
return (n); |
|
284 |
70934 |
} |
|
285 |
|||
286 |
int |
||
287 |
ssl3_packet_read(SSL *s, int plen) |
||
288 |
{ |
||
289 |
int n; |
||
290 |
|||
291 |
73782 |
n = ssl3_read_n(s, plen, s->s3->rbuf.len, 0); |
|
292 |
✓✓ | 36891 |
if (n <= 0) |
293 |
6148 |
return n; |
|
294 |
✓✓ | 30743 |
if (s->internal->packet_length < plen) |
295 |
4 |
return s->internal->packet_length; |
|
296 |
|||
297 |
30739 |
return plen; |
|
298 |
36891 |
} |
|
299 |
|||
300 |
int |
||
301 |
ssl3_packet_extend(SSL *s, int plen) |
||
302 |
{ |
||
303 |
int rlen, n; |
||
304 |
|||
305 |
✓✓ | 68102 |
if (s->internal->packet_length >= plen) |
306 |
8 |
return plen; |
|
307 |
34043 |
rlen = plen - s->internal->packet_length; |
|
308 |
|||
309 |
34043 |
n = ssl3_read_n(s, rlen, rlen, 1); |
|
310 |
✓✓ | 34043 |
if (n <= 0) |
311 |
3304 |
return n; |
|
312 |
✗✓ | 30739 |
if (s->internal->packet_length < plen) |
313 |
return s->internal->packet_length; |
||
314 |
|||
315 |
30739 |
return plen; |
|
316 |
34051 |
} |
|
317 |
|||
318 |
/* Call this to get a new input record. |
||
319 |
* It will return <= 0 if more data is needed, normally due to an error |
||
320 |
* or non-blocking IO. |
||
321 |
* When it finishes, one packet has been decoded and can be found in |
||
322 |
* ssl->s3->internal->rrec.type - is the type of record |
||
323 |
* ssl->s3->internal->rrec.data, - data |
||
324 |
* ssl->s3->internal->rrec.length, - number of bytes |
||
325 |
*/ |
||
326 |
/* used only by ssl3_read_bytes */ |
||
327 |
static int |
||
328 |
ssl3_get_record(SSL *s) |
||
329 |
{ |
||
330 |
int al; |
||
331 |
int enc_err, n, i, ret = -1; |
||
332 |
SSL3_RECORD *rr; |
||
333 |
SSL_SESSION *sess; |
||
334 |
78382 |
unsigned char md[EVP_MAX_MD_SIZE]; |
|
335 |
unsigned mac_size, orig_len; |
||
336 |
|||
337 |
39191 |
rr = &(S3I(s)->rrec); |
|
338 |
39191 |
sess = s->session; |
|
339 |
|||
340 |
again: |
||
341 |
/* check if we have the header */ |
||
342 |
✓✓✗✓ |
42639 |
if ((s->internal->rstate != SSL_ST_READ_BODY) || |
343 |
3304 |
(s->internal->packet_length < SSL3_RT_HEADER_LENGTH)) { |
|
344 |
36031 |
CBS header; |
|
345 |
36031 |
uint16_t len, ssl_version; |
|
346 |
36031 |
uint8_t type; |
|
347 |
|||
348 |
36031 |
n = ssl3_packet_read(s, SSL3_RT_HEADER_LENGTH); |
|
349 |
✓✓ | 36031 |
if (n <= 0) |
350 |
5952 |
return (n); |
|
351 |
|||
352 |
30079 |
s->internal->mac_packet = 1; |
|
353 |
30079 |
s->internal->rstate = SSL_ST_READ_BODY; |
|
354 |
|||
355 |
✓✓✓✓ |
31223 |
if (s->server && s->internal->first_packet) { |
356 |
✗✓ | 216 |
if ((ret = ssl_server_legacy_first_packet(s)) != 1) |
357 |
return (ret); |
||
358 |
ret = -1; |
||
359 |
216 |
} |
|
360 |
|||
361 |
30079 |
CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH); |
|
362 |
|||
363 |
/* Pull apart the header into the SSL3_RECORD */ |
||
364 |
✓✗✗✓ |
60158 |
if (!CBS_get_u8(&header, &type) || |
365 |
✓✗ | 30079 |
!CBS_get_u16(&header, &ssl_version) || |
366 |
30079 |
!CBS_get_u16(&header, &len)) { |
|
367 |
SSLerror(s, SSL_R_BAD_PACKET_LENGTH); |
||
368 |
goto err; |
||
369 |
} |
||
370 |
|||
371 |
30079 |
rr->type = type; |
|
372 |
30079 |
rr->length = len; |
|
373 |
|||
374 |
/* Lets check version */ |
||
375 |
✓✓✗✓ |
51813 |
if (!s->internal->first_packet && ssl_version != s->version) { |
376 |
SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); |
||
377 |
if ((s->version & 0xFF00) == (ssl_version & 0xFF00) && |
||
378 |
!s->internal->enc_write_ctx && !s->internal->write_hash) |
||
379 |
/* Send back error using their minor version number :-) */ |
||
380 |
s->version = ssl_version; |
||
381 |
al = SSL_AD_PROTOCOL_VERSION; |
||
382 |
goto f_err; |
||
383 |
} |
||
384 |
|||
385 |
✗✓ | 30079 |
if ((ssl_version >> 8) != SSL3_VERSION_MAJOR) { |
386 |
SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); |
||
387 |
goto err; |
||
388 |
} |
||
389 |
|||
390 |
✗✓ | 30079 |
if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH) { |
391 |
al = SSL_AD_RECORD_OVERFLOW; |
||
392 |
SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG); |
||
393 |
goto f_err; |
||
394 |
} |
||
395 |
|||
396 |
/* now s->internal->rstate == SSL_ST_READ_BODY */ |
||
397 |
✓✗✗✓ |
102477 |
} |
398 |
|||
399 |
/* s->internal->rstate == SSL_ST_READ_BODY, get and decode the data */ |
||
400 |
|||
401 |
33383 |
n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH + rr->length); |
|
402 |
✓✓ | 33383 |
if (n <= 0) |
403 |
3304 |
return (n); |
|
404 |
✗✓ | 30079 |
if (n != SSL3_RT_HEADER_LENGTH + rr->length) |
405 |
return (n); |
||
406 |
|||
407 |
30079 |
s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ |
|
408 |
|||
409 |
/* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, |
||
410 |
* and we have that many bytes in s->internal->packet |
||
411 |
*/ |
||
412 |
30079 |
rr->input = &(s->internal->packet[SSL3_RT_HEADER_LENGTH]); |
|
413 |
|||
414 |
/* ok, we can now read from 's->internal->packet' data into 'rr' |
||
415 |
* rr->input points at rr->length bytes, which |
||
416 |
* need to be copied into rr->data by either |
||
417 |
* the decryption or by the decompression |
||
418 |
* When the data is 'copied' into the rr->data buffer, |
||
419 |
* rr->input will be pointed at the new buffer */ |
||
420 |
|||
421 |
/* We now have - encrypted [ MAC [ compressed [ plain ] ] ] |
||
422 |
* rr->length bytes of encrypted compressed stuff. */ |
||
423 |
|||
424 |
/* check is not needed I believe */ |
||
425 |
✗✓ | 30079 |
if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { |
426 |
al = SSL_AD_RECORD_OVERFLOW; |
||
427 |
SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); |
||
428 |
goto f_err; |
||
429 |
} |
||
430 |
|||
431 |
/* decrypt in place in 'rr->input' */ |
||
432 |
30079 |
rr->data = rr->input; |
|
433 |
|||
434 |
30079 |
enc_err = s->method->internal->ssl3_enc->enc(s, 0); |
|
435 |
/* enc_err is: |
||
436 |
* 0: (in non-constant time) if the record is publically invalid. |
||
437 |
* 1: if the padding is valid |
||
438 |
* -1: if the padding is invalid */ |
||
439 |
✗✓ | 30079 |
if (enc_err == 0) { |
440 |
al = SSL_AD_DECRYPTION_FAILED; |
||
441 |
SSLerror(s, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); |
||
442 |
goto f_err; |
||
443 |
} |
||
444 |
|||
445 |
|||
446 |
/* r->length is now the compressed data plus mac */ |
||
447 |
✓✓✓✓ ✓✓ |
60586 |
if ((sess != NULL) && (s->enc_read_ctx != NULL) && |
448 |
608 |
(EVP_MD_CTX_md(s->read_hash) != NULL)) { |
|
449 |
/* s->read_hash != NULL => mac_size != -1 */ |
||
450 |
unsigned char *mac = NULL; |
||
451 |
176 |
unsigned char mac_tmp[EVP_MAX_MD_SIZE]; |
|
452 |
|||
453 |
176 |
mac_size = EVP_MD_CTX_size(s->read_hash); |
|
454 |
✗✓ | 176 |
OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); |
455 |
|||
456 |
/* kludge: *_cbc_remove_padding passes padding length in rr->type */ |
||
457 |
176 |
orig_len = rr->length + ((unsigned int)rr->type >> 8); |
|
458 |
|||
459 |
/* orig_len is the length of the record before any padding was |
||
460 |
* removed. This is public information, as is the MAC in use, |
||
461 |
* therefore we can safely process the record in a different |
||
462 |
* amount of time if it's too short to possibly contain a MAC. |
||
463 |
*/ |
||
464 |
✓✗✗✓ |
336 |
if (orig_len < mac_size || |
465 |
/* CBC records must have a padding length byte too. */ |
||
466 |
✓✓ | 176 |
(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && |
467 |
160 |
orig_len < mac_size + 1)) { |
|
468 |
al = SSL_AD_DECODE_ERROR; |
||
469 |
SSLerror(s, SSL_R_LENGTH_TOO_SHORT); |
||
470 |
goto f_err; |
||
471 |
} |
||
472 |
|||
473 |
✓✓ | 176 |
if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { |
474 |
/* We update the length so that the TLS header bytes |
||
475 |
* can be constructed correctly but we need to extract |
||
476 |
* the MAC in constant time from within the record, |
||
477 |
* without leaking the contents of the padding bytes. |
||
478 |
* */ |
||
479 |
160 |
mac = mac_tmp; |
|
480 |
160 |
ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); |
|
481 |
160 |
rr->length -= mac_size; |
|
482 |
160 |
} else { |
|
483 |
/* In this case there's no padding, so |orig_len| |
||
484 |
* equals |rec->length| and we checked that there's |
||
485 |
* enough bytes for |mac_size| above. */ |
||
486 |
16 |
rr->length -= mac_size; |
|
487 |
16 |
mac = &rr->data[rr->length]; |
|
488 |
} |
||
489 |
|||
490 |
176 |
i = tls1_mac(s,md,0 /* not send */); |
|
491 |
✓✗✗✓ |
352 |
if (i < 0 || mac == NULL || |
492 |
176 |
timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) |
|
493 |
enc_err = -1; |
||
494 |
✗✓ | 352 |
if (rr->length > |
495 |
176 |
SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) |
|
496 |
enc_err = -1; |
||
497 |
✓✗✓ | 528 |
} |
498 |
|||
499 |
✗✓ | 30079 |
if (enc_err < 0) { |
500 |
/* |
||
501 |
* A separate 'decryption_failed' alert was introduced with |
||
502 |
* TLS 1.0, SSL 3.0 only has 'bad_record_mac'. But unless a |
||
503 |
* decryption failure is directly visible from the ciphertext |
||
504 |
* anyway, we should not reveal which kind of error |
||
505 |
* occurred -- this might become visible to an attacker |
||
506 |
* (e.g. via a logfile) |
||
507 |
*/ |
||
508 |
al = SSL_AD_BAD_RECORD_MAC; |
||
509 |
SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); |
||
510 |
goto f_err; |
||
511 |
} |
||
512 |
|||
513 |
✗✓ | 30079 |
if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { |
514 |
al = SSL_AD_RECORD_OVERFLOW; |
||
515 |
SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); |
||
516 |
goto f_err; |
||
517 |
} |
||
518 |
|||
519 |
30079 |
rr->off = 0; |
|
520 |
/* |
||
521 |
* So at this point the following is true |
||
522 |
* |
||
523 |
* ssl->s3->internal->rrec.type is the type of record |
||
524 |
* ssl->s3->internal->rrec.length == number of bytes in record |
||
525 |
* ssl->s3->internal->rrec.off == offset to first valid byte |
||
526 |
* ssl->s3->internal->rrec.data == where to take bytes from, increment |
||
527 |
* after use :-). |
||
528 |
*/ |
||
529 |
|||
530 |
/* we have pulled in a full packet so zero things */ |
||
531 |
30079 |
s->internal->packet_length = 0; |
|
532 |
|||
533 |
✓✓ | 30079 |
if (rr->length == 0) { |
534 |
/* |
||
535 |
* CBC countermeasures for known IV weaknesses |
||
536 |
* can legitimately insert a single empty record, |
||
537 |
* so we allow ourselves to read once past a single |
||
538 |
* empty record without forcing want_read. |
||
539 |
*/ |
||
540 |
✗✓ | 144 |
if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) { |
541 |
SSLerror(s, SSL_R_PEER_BEHAVING_BADLY); |
||
542 |
return -1; |
||
543 |
} |
||
544 |
✓✗ | 144 |
if (s->internal->empty_record_count > 1) { |
545 |
ssl_force_want_read(s); |
||
546 |
return -1; |
||
547 |
} |
||
548 |
goto again; |
||
549 |
} else { |
||
550 |
29935 |
s->internal->empty_record_count = 0; |
|
551 |
} |
||
552 |
|||
553 |
29935 |
return (1); |
|
554 |
|||
555 |
f_err: |
||
556 |
ssl3_send_alert(s, SSL3_AL_FATAL, al); |
||
557 |
err: |
||
558 |
return (ret); |
||
559 |
39191 |
} |
|
560 |
|||
561 |
/* Call this to write data in records of type 'type' |
||
562 |
* It will return <= 0 if not all data has been sent or non-blocking IO. |
||
563 |
*/ |
||
564 |
int |
||
565 |
ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) |
||
566 |
{ |
||
567 |
const unsigned char *buf = buf_; |
||
568 |
unsigned int tot, n, nw; |
||
569 |
int i; |
||
570 |
|||
571 |
✗✓ | 65816 |
if (len < 0) { |
572 |
SSLerror(s, ERR_R_INTERNAL_ERROR); |
||
573 |
return -1; |
||
574 |
} |
||
575 |
|||
576 |
32908 |
s->internal->rwstate = SSL_NOTHING; |
|
577 |
32908 |
tot = S3I(s)->wnum; |
|
578 |
32908 |
S3I(s)->wnum = 0; |
|
579 |
|||
580 |
✓✓✓✓ |
64976 |
if (SSL_in_init(s) && !s->internal->in_handshake) { |
581 |
5090 |
i = s->internal->handshake_func(s); |
|
582 |
✓✓ | 5090 |
if (i < 0) |
583 |
4800 |
return (i); |
|
584 |
✗✓ | 290 |
if (i == 0) { |
585 |
SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); |
||
586 |
return -1; |
||
587 |
} |
||
588 |
} |
||
589 |
|||
590 |
✗✓ | 28108 |
if (len < tot) |
591 |
len = tot; |
||
592 |
28108 |
n = (len - tot); |
|
593 |
28108 |
for (;;) { |
|
594 |
✗✓ | 28108 |
if (n > s->max_send_fragment) |
595 |
nw = s->max_send_fragment; |
||
596 |
else |
||
597 |
nw = n; |
||
598 |
|||
599 |
28108 |
i = do_ssl3_write(s, type, &(buf[tot]), nw, 0); |
|
600 |
✓✓ | 28108 |
if (i <= 0) { |
601 |
746 |
S3I(s)->wnum = tot; |
|
602 |
746 |
return i; |
|
603 |
} |
||
604 |
|||
605 |
✗✓✗✗ ✗✗ |
27362 |
if ((i == (int)n) || (type == SSL3_RT_APPLICATION_DATA && |
606 |
(s->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) { |
||
607 |
/* |
||
608 |
* Next chunk of data should get another prepended |
||
609 |
* empty fragment in ciphersuites with known-IV |
||
610 |
* weakness. |
||
611 |
*/ |
||
612 |
27362 |
S3I(s)->empty_fragment_done = 0; |
|
613 |
|||
614 |
27362 |
return tot + i; |
|
615 |
} |
||
616 |
|||
617 |
n -= i; |
||
618 |
tot += i; |
||
619 |
} |
||
620 |
32908 |
} |
|
621 |
|||
622 |
static int |
||
623 |
do_ssl3_write(SSL *s, int type, const unsigned char *buf, |
||
624 |
unsigned int len, int create_empty_fragment) |
||
625 |
{ |
||
626 |
unsigned char *p, *plen; |
||
627 |
int i, mac_size, clear = 0; |
||
628 |
int prefix_len = 0; |
||
629 |
int eivlen; |
||
630 |
size_t align; |
||
631 |
SSL3_RECORD *wr; |
||
632 |
57340 |
SSL3_BUFFER *wb = &(s->s3->wbuf); |
|
633 |
SSL_SESSION *sess; |
||
634 |
|||
635 |
✗✓ | 28670 |
if (wb->buf == NULL) |
636 |
if (!ssl3_setup_write_buffer(s)) |
||
637 |
return -1; |
||
638 |
|||
639 |
/* first check if there is a SSL3_BUFFER still being written |
||
640 |
* out. This will happen with non blocking IO */ |
||
641 |
✓✓ | 28670 |
if (wb->left != 0) |
642 |
744 |
return (ssl3_write_pending(s, type, buf, len)); |
|
643 |
|||
644 |
/* If we have an alert to send, lets send it */ |
||
645 |
✗✓ | 27926 |
if (s->s3->alert_dispatch) { |
646 |
i = s->method->ssl_dispatch_alert(s); |
||
647 |
if (i <= 0) |
||
648 |
return (i); |
||
649 |
/* if it went, fall through and send more stuff */ |
||
650 |
/* we may have released our buffer, so get it again */ |
||
651 |
if (wb->buf == NULL) |
||
652 |
if (!ssl3_setup_write_buffer(s)) |
||
653 |
return -1; |
||
654 |
} |
||
655 |
|||
656 |
✓✓ | 27926 |
if (len == 0 && !create_empty_fragment) |
657 |
2 |
return 0; |
|
658 |
|||
659 |
27924 |
wr = &(S3I(s)->wrec); |
|
660 |
27924 |
sess = s->session; |
|
661 |
|||
662 |
✓✗✓✓ ✓✓ |
56688 |
if ((sess == NULL) || (s->internal->enc_write_ctx == NULL) || |
663 |
840 |
(EVP_MD_CTX_md(s->internal->write_hash) == NULL)) { |
|
664 |
27660 |
clear = s->internal->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */ |
|
665 |
mac_size = 0; |
||
666 |
27660 |
} else { |
|
667 |
264 |
mac_size = EVP_MD_CTX_size(s->internal->write_hash); |
|
668 |
✓✗ | 264 |
if (mac_size < 0) |
669 |
goto err; |
||
670 |
} |
||
671 |
|||
672 |
/* |
||
673 |
* 'create_empty_fragment' is true only when this function calls |
||
674 |
* itself. |
||
675 |
*/ |
||
676 |
✓✓✓✗ |
28620 |
if (!clear && !create_empty_fragment && !S3I(s)->empty_fragment_done) { |
677 |
/* |
||
678 |
* Countermeasure against known-IV weakness in CBC ciphersuites |
||
679 |
* (see http://www.openssl.org/~bodo/tls-cbc.txt) |
||
680 |
*/ |
||
681 |
✓✓ | 1392 |
if (S3I(s)->need_empty_fragments && |
682 |
696 |
type == SSL3_RT_APPLICATION_DATA) { |
|
683 |
/* recursive function call with 'create_empty_fragment' set; |
||
684 |
* this prepares and buffers the data for an empty fragment |
||
685 |
* (these 'prefix_len' bytes are sent out later |
||
686 |
* together with the actual payload) */ |
||
687 |
144 |
prefix_len = do_ssl3_write(s, type, buf, 0, 1); |
|
688 |
✓✗ | 144 |
if (prefix_len <= 0) |
689 |
goto err; |
||
690 |
|||
691 |
✗✓ | 144 |
if (prefix_len > |
692 |
(SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) { |
||
693 |
/* insufficient space */ |
||
694 |
SSLerror(s, ERR_R_INTERNAL_ERROR); |
||
695 |
goto err; |
||
696 |
} |
||
697 |
} |
||
698 |
|||
699 |
696 |
S3I(s)->empty_fragment_done = 1; |
|
700 |
696 |
} |
|
701 |
|||
702 |
✓✓ | 27924 |
if (create_empty_fragment) { |
703 |
/* extra fragment would be couple of cipher blocks, |
||
704 |
* which would be multiple of SSL3_ALIGN_PAYLOAD, so |
||
705 |
* if we want to align the real payload, then we can |
||
706 |
* just pretent we simply have two headers. */ |
||
707 |
144 |
align = (size_t)wb->buf + 2 * SSL3_RT_HEADER_LENGTH; |
|
708 |
144 |
align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); |
|
709 |
|||
710 |
144 |
p = wb->buf + align; |
|
711 |
144 |
wb->offset = align; |
|
712 |
✓✓ | 27924 |
} else if (prefix_len) { |
713 |
144 |
p = wb->buf + wb->offset + prefix_len; |
|
714 |
144 |
} else { |
|
715 |
27636 |
align = (size_t)wb->buf + SSL3_RT_HEADER_LENGTH; |
|
716 |
27636 |
align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); |
|
717 |
|||
718 |
27636 |
p = wb->buf + align; |
|
719 |
27636 |
wb->offset = align; |
|
720 |
} |
||
721 |
|||
722 |
/* write the header */ |
||
723 |
|||
724 |
27924 |
*(p++) = type&0xff; |
|
725 |
27924 |
wr->type = type; |
|
726 |
|||
727 |
27924 |
*(p++) = (s->version >> 8); |
|
728 |
/* Some servers hang if iniatial client hello is larger than 256 |
||
729 |
* bytes and record version number > TLS 1.0 |
||
730 |
*/ |
||
731 |
✓✓✓✗ ✓✓ |
44262 |
if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && !s->internal->renegotiate && |
732 |
✓✗ | 24507 |
TLS1_get_version(s) > TLS1_VERSION) |
733 |
8085 |
*(p++) = 0x1; |
|
734 |
else |
||
735 |
19839 |
*(p++) = s->version&0xff; |
|
736 |
|||
737 |
/* field where we are to write out packet length */ |
||
738 |
plen = p; |
||
739 |
27924 |
p += 2; |
|
740 |
|||
741 |
/* Explicit IV length. */ |
||
742 |
✓✓✓✓ |
28764 |
if (s->internal->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)) { |
743 |
264 |
int mode = EVP_CIPHER_CTX_mode(s->internal->enc_write_ctx); |
|
744 |
✓✓ | 264 |
if (mode == EVP_CIPH_CBC_MODE) { |
745 |
240 |
eivlen = EVP_CIPHER_CTX_iv_length(s->internal->enc_write_ctx); |
|
746 |
240 |
if (eivlen <= 1) |
|
747 |
eivlen = 0; |
||
748 |
240 |
} |
|
749 |
/* Need explicit part of IV for GCM mode */ |
||
750 |
✗✓ | 24 |
else if (mode == EVP_CIPH_GCM_MODE) |
751 |
eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN; |
||
752 |
else |
||
753 |
eivlen = 0; |
||
754 |
✓✓✓✓ |
36367 |
} else if (s->internal->aead_write_ctx != NULL && |
755 |
8443 |
s->internal->aead_write_ctx->variable_nonce_in_record) { |
|
756 |
8395 |
eivlen = s->internal->aead_write_ctx->variable_nonce_len; |
|
757 |
8395 |
} else |
|
758 |
eivlen = 0; |
||
759 |
|||
760 |
/* lets setup the record stuff. */ |
||
761 |
27924 |
wr->data = p + eivlen; |
|
762 |
27924 |
wr->length = (int)len; |
|
763 |
27924 |
wr->input = (unsigned char *)buf; |
|
764 |
|||
765 |
/* we now 'read' from wr->input, wr->length bytes into wr->data */ |
||
766 |
|||
767 |
27924 |
memcpy(wr->data, wr->input, wr->length); |
|
768 |
27924 |
wr->input = wr->data; |
|
769 |
|||
770 |
/* we should still have the output to wr->data and the input |
||
771 |
* from wr->input. Length should be wr->length. |
||
772 |
* wr->data still points in the wb->buf */ |
||
773 |
|||
774 |
✓✓ | 27924 |
if (mac_size != 0) { |
775 |
✓✗ | 528 |
if (tls1_mac(s, |
776 |
528 |
&(p[wr->length + eivlen]), 1) < 0) |
|
777 |
goto err; |
||
778 |
264 |
wr->length += mac_size; |
|
779 |
264 |
} |
|
780 |
|||
781 |
27924 |
wr->input = p; |
|
782 |
27924 |
wr->data = p; |
|
783 |
|||
784 |
✓✓ | 27924 |
if (eivlen) { |
785 |
/* if (RAND_pseudo_bytes(p, eivlen) <= 0) |
||
786 |
goto err; |
||
787 |
*/ |
||
788 |
8635 |
wr->length += eivlen; |
|
789 |
8635 |
} |
|
790 |
|||
791 |
/* ssl3_enc can only have an error on read */ |
||
792 |
27924 |
s->method->internal->ssl3_enc->enc(s, 1); |
|
793 |
|||
794 |
/* record length after mac and block padding */ |
||
795 |
27924 |
s2n(wr->length, plen); |
|
796 |
|||
797 |
/* we should now have |
||
798 |
* wr->data pointing to the encrypted data, which is |
||
799 |
* wr->length long */ |
||
800 |
27924 |
wr->type=type; /* not needed but helps for debugging */ |
|
801 |
27924 |
wr->length += SSL3_RT_HEADER_LENGTH; |
|
802 |
|||
803 |
✓✓ | 27924 |
if (create_empty_fragment) { |
804 |
/* we are in a recursive call; |
||
805 |
* just return the length, don't write out anything here |
||
806 |
*/ |
||
807 |
144 |
return wr->length; |
|
808 |
} |
||
809 |
|||
810 |
/* now let's set up wb */ |
||
811 |
27780 |
wb->left = prefix_len + wr->length; |
|
812 |
|||
813 |
/* memorize arguments so that ssl3_write_pending can detect |
||
814 |
* bad write retries later */ |
||
815 |
27780 |
S3I(s)->wpend_tot = len; |
|
816 |
27780 |
S3I(s)->wpend_buf = buf; |
|
817 |
27780 |
S3I(s)->wpend_type = type; |
|
818 |
27780 |
S3I(s)->wpend_ret = len; |
|
819 |
|||
820 |
/* we now just need to write the buffer */ |
||
821 |
27780 |
return ssl3_write_pending(s, type, buf, len); |
|
822 |
err: |
||
823 |
return -1; |
||
824 |
28670 |
} |
|
825 |
|||
826 |
/* if s->s3->wbuf.left != 0, we need to call this */ |
||
827 |
int |
||
828 |
ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) |
||
829 |
{ |
||
830 |
int i; |
||
831 |
58568 |
SSL3_BUFFER *wb = &(s->s3->wbuf); |
|
832 |
|||
833 |
/* XXXX */ |
||
834 |
✓✗✗✓ ✗✓ |
87852 |
if ((S3I(s)->wpend_tot > (int)len) || ((S3I(s)->wpend_buf != buf) && |
835 |
!(s->internal->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || |
||
836 |
29284 |
(S3I(s)->wpend_type != type)) { |
|
837 |
SSLerror(s, SSL_R_BAD_WRITE_RETRY); |
||
838 |
return (-1); |
||
839 |
} |
||
840 |
|||
841 |
744 |
for (;;) { |
|
842 |
30028 |
errno = 0; |
|
843 |
✓✓ | 30028 |
if (s->wbio != NULL) { |
844 |
29740 |
s->internal->rwstate = SSL_WRITING; |
|
845 |
59480 |
i = BIO_write(s->wbio, |
|
846 |
29740 |
(char *)&(wb->buf[wb->offset]), |
|
847 |
29740 |
(unsigned int)wb->left); |
|
848 |
29740 |
} else { |
|
849 |
288 |
SSLerror(s, SSL_R_BIO_NOT_SET); |
|
850 |
i = -1; |
||
851 |
} |
||
852 |
✓✓ | 30028 |
if (i == wb->left) { |
853 |
28060 |
wb->left = 0; |
|
854 |
28060 |
wb->offset += i; |
|
855 |
✗✓✗✗ |
28060 |
if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && |
856 |
!SSL_IS_DTLS(s)) |
||
857 |
ssl3_release_write_buffer(s); |
||
858 |
28060 |
s->internal->rwstate = SSL_NOTHING; |
|
859 |
28060 |
return (S3I(s)->wpend_ret); |
|
860 |
✓✓ | 1968 |
} else if (i <= 0) { |
861 |
/* |
||
862 |
* For DTLS, just drop it. That's kind of the |
||
863 |
* whole point in using a datagram service. |
||
864 |
*/ |
||
865 |
✓✓ | 1224 |
if (SSL_IS_DTLS(s)) |
866 |
96 |
wb->left = 0; |
|
867 |
1224 |
return (i); |
|
868 |
} |
||
869 |
744 |
wb->offset += i; |
|
870 |
744 |
wb->left -= i; |
|
871 |
} |
||
872 |
29284 |
} |
|
873 |
|||
874 |
/* Return up to 'len' payload bytes received in 'type' records. |
||
875 |
* 'type' is one of the following: |
||
876 |
* |
||
877 |
* - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) |
||
878 |
* - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) |
||
879 |
* - 0 (during a shutdown, no data has to be returned) |
||
880 |
* |
||
881 |
* If we don't have stored data to work from, read a SSL/TLS record first |
||
882 |
* (possibly multiple records if we still don't have anything to return). |
||
883 |
* |
||
884 |
* This function must handle any surprises the peer may have for us, such as |
||
885 |
* Alert records (e.g. close_notify), ChangeCipherSpec records (not really |
||
886 |
* a surprise, but handled as if it were), or renegotiation requests. |
||
887 |
* Also if record payloads contain fragments too small to process, we store |
||
888 |
* them until there is enough for the respective protocol (the record protocol |
||
889 |
* may use arbitrary fragmentation and even interleaving): |
||
890 |
* Change cipher spec protocol |
||
891 |
* just 1 byte needed, no need for keeping anything stored |
||
892 |
* Alert protocol |
||
893 |
* 2 bytes needed (AlertLevel, AlertDescription) |
||
894 |
* Handshake protocol |
||
895 |
* 4 bytes needed (HandshakeType, uint24 length) -- we just have |
||
896 |
* to detect unexpected Client Hello and Hello Request messages |
||
897 |
* here, anything else is handled by higher layers |
||
898 |
* Application data protocol |
||
899 |
* none of our business |
||
900 |
*/ |
||
901 |
int |
||
902 |
ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) |
||
903 |
{ |
||
904 |
void (*cb)(const SSL *ssl, int type2, int val) = NULL; |
||
905 |
int al, i, j, ret, rrcount = 0; |
||
906 |
unsigned int n; |
||
907 |
SSL3_RECORD *rr; |
||
908 |
|||
909 |
✓✓ | 111370 |
if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ |
910 |
✗✓ | 96 |
if (!ssl3_setup_read_buffer(s)) |
911 |
return (-1); |
||
912 |
|||
913 |
✗✓ | 55685 |
if (len < 0) { |
914 |
SSLerror(s, ERR_R_INTERNAL_ERROR); |
||
915 |
return -1; |
||
916 |
} |
||
917 |
|||
918 |
✓✗ | 111370 |
if ((type && type != SSL3_RT_APPLICATION_DATA && |
919 |
55685 |
type != SSL3_RT_HANDSHAKE) || |
|
920 |
✗✓ | 55685 |
(peek && (type != SSL3_RT_APPLICATION_DATA))) { |
921 |
SSLerror(s, ERR_R_INTERNAL_ERROR); |
||
922 |
return -1; |
||
923 |
} |
||
924 |
|||
925 |
✓✓✗✓ |
105154 |
if ((type == SSL3_RT_HANDSHAKE) && |
926 |
49469 |
(S3I(s)->handshake_fragment_len > 0)) { |
|
927 |
/* (partially) satisfy request from storage */ |
||
928 |
unsigned char *src = S3I(s)->handshake_fragment; |
||
929 |
unsigned char *dst = buf; |
||
930 |
unsigned int k; |
||
931 |
|||
932 |
/* peek == 0 */ |
||
933 |
n = 0; |
||
934 |
while ((len > 0) && (S3I(s)->handshake_fragment_len > 0)) { |
||
935 |
*dst++ = *src++; |
||
936 |
len--; |
||
937 |
S3I(s)->handshake_fragment_len--; |
||
938 |
n++; |
||
939 |
} |
||
940 |
/* move any remaining fragment bytes: */ |
||
941 |
for (k = 0; k < S3I(s)->handshake_fragment_len; k++) |
||
942 |
S3I(s)->handshake_fragment[k] = *src++; |
||
943 |
return n; |
||
944 |
} |
||
945 |
|||
946 |
/* |
||
947 |
* Now S3I(s)->handshake_fragment_len == 0 if |
||
948 |
* type == SSL3_RT_HANDSHAKE. |
||
949 |
*/ |
||
950 |
✓✓✓✓ |
61901 |
if (!s->internal->in_handshake && SSL_in_init(s)) { |
951 |
/* type == SSL3_RT_APPLICATION_DATA */ |
||
952 |
4800 |
i = s->internal->handshake_func(s); |
|
953 |
✓✓ | 4800 |
if (i < 0) |
954 |
4704 |
return (i); |
|
955 |
✗✓ | 96 |
if (i == 0) { |
956 |
SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); |
||
957 |
return (-1); |
||
958 |
} |
||
959 |
} |
||
960 |
|||
961 |
start: |
||
962 |
/* |
||
963 |
* Do not process more than three consecutive records, otherwise the |
||
964 |
* peer can cause us to loop indefinitely. Instead, return with an |
||
965 |
* SSL_ERROR_WANT_READ so the caller can choose when to handle further |
||
966 |
* processing. In the future, the total number of non-handshake and |
||
967 |
* non-application data records per connection should probably also be |
||
968 |
* limited... |
||
969 |
*/ |
||
970 |
✗✓ | 59318 |
if (rrcount++ >= 3) { |
971 |
ssl_force_want_read(s); |
||
972 |
return -1; |
||
973 |
} |
||
974 |
|||
975 |
59318 |
s->internal->rwstate = SSL_NOTHING; |
|
976 |
|||
977 |
/* |
||
978 |
* S3I(s)->rrec.type - is the type of record |
||
979 |
* S3I(s)->rrec.data, - data |
||
980 |
* S3I(s)->rrec.off, - offset into 'data' for next read |
||
981 |
* S3I(s)->rrec.length, - number of bytes. |
||
982 |
*/ |
||
983 |
59318 |
rr = &(S3I(s)->rrec); |
|
984 |
|||
985 |
/* get new packet if necessary */ |
||
986 |
✓✓✓✓ |
82749 |
if ((rr->length == 0) || (s->internal->rstate == SSL_ST_READ_BODY)) { |
987 |
39191 |
ret = ssl3_get_record(s); |
|
988 |
✓✓ | 39191 |
if (ret <= 0) |
989 |
9256 |
return (ret); |
|
990 |
} |
||
991 |
|||
992 |
/* we now have a packet which can be read and processed */ |
||
993 |
|||
994 |
✗✓ | 66736 |
if (S3I(s)->change_cipher_spec /* set when we receive ChangeCipherSpec, |
995 |
* reset by ssl3_get_finished */ |
||
996 |
✓✓ | 66736 |
&& (rr->type != SSL3_RT_HANDSHAKE)) { |
997 |
al = SSL_AD_UNEXPECTED_MESSAGE; |
||
998 |
SSLerror(s, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); |
||
999 |
goto f_err; |
||
1000 |
} |
||
1001 |
|||
1002 |
/* If the other end has shut down, throw anything we read away |
||
1003 |
* (even in 'peek' mode) */ |
||
1004 |
✗✓ | 50062 |
if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { |
1005 |
rr->length = 0; |
||
1006 |
s->internal->rwstate = SSL_NOTHING; |
||
1007 |
return (0); |
||
1008 |
} |
||
1009 |
|||
1010 |
|||
1011 |
/* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ |
||
1012 |
✓✓ | 50062 |
if (type == rr->type) { |
1013 |
/* make sure that we are not getting application data when we |
||
1014 |
* are doing a handshake for the first time */ |
||
1015 |
✗✓✗✗ |
41725 |
if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && |
1016 |
(s->enc_read_ctx == NULL)) { |
||
1017 |
al = SSL_AD_UNEXPECTED_MESSAGE; |
||
1018 |
SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); |
||
1019 |
goto f_err; |
||
1020 |
} |
||
1021 |
|||
1022 |
✗✓ | 41725 |
if (len <= 0) |
1023 |
return (len); |
||
1024 |
|||
1025 |
✓✓ | 41725 |
if ((unsigned int)len > rr->length) |
1026 |
384 |
n = rr->length; |
|
1027 |
else |
||
1028 |
n = (unsigned int)len; |
||
1029 |
|||
1030 |
41725 |
memcpy(buf, &(rr->data[rr->off]), n); |
|
1031 |
✓✗ | 41725 |
if (!peek) { |
1032 |
41725 |
memset(&(rr->data[rr->off]), 0, n); |
|
1033 |
41725 |
rr->length -= n; |
|
1034 |
41725 |
rr->off += n; |
|
1035 |
✓✓ | 41725 |
if (rr->length == 0) { |
1036 |
21598 |
s->internal->rstate = SSL_ST_READ_HEADER; |
|
1037 |
21598 |
rr->off = 0; |
|
1038 |
✗✓✗✗ |
21598 |
if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && |
1039 |
s->s3->rbuf.left == 0) |
||
1040 |
ssl3_release_read_buffer(s); |
||
1041 |
} |
||
1042 |
} |
||
1043 |
41725 |
return (n); |
|
1044 |
} |
||
1045 |
|||
1046 |
|||
1047 |
/* If we get here, then type != rr->type; if we have a handshake |
||
1048 |
* message, then it was unexpected (Hello Request or Client Hello). */ |
||
1049 |
|||
1050 |
{ |
||
1051 |
/* |
||
1052 |
* In case of record types for which we have 'fragment' |
||
1053 |
* storage, * fill that so that we can process the data |
||
1054 |
* at a fixed place. |
||
1055 |
*/ |
||
1056 |
unsigned int dest_maxlen = 0; |
||
1057 |
unsigned char *dest = NULL; |
||
1058 |
unsigned int *dest_len = NULL; |
||
1059 |
|||
1060 |
✗✓ | 8337 |
if (rr->type == SSL3_RT_HANDSHAKE) { |
1061 |
dest_maxlen = sizeof S3I(s)->handshake_fragment; |
||
1062 |
dest = S3I(s)->handshake_fragment; |
||
1063 |
dest_len = &S3I(s)->handshake_fragment_len; |
||
1064 |
✗✓ | 8337 |
} else if (rr->type == SSL3_RT_ALERT) { |
1065 |
dest_maxlen = sizeof S3I(s)->alert_fragment; |
||
1066 |
dest = S3I(s)->alert_fragment; |
||
1067 |
dest_len = &S3I(s)->alert_fragment_len; |
||
1068 |
} |
||
1069 |
✗✓ | 8337 |
if (dest_maxlen > 0) { |
1070 |
/* available space in 'dest' */ |
||
1071 |
n = dest_maxlen - *dest_len; |
||
1072 |
if (rr->length < n) |
||
1073 |
n = rr->length; /* available bytes */ |
||
1074 |
|||
1075 |
/* now move 'n' bytes: */ |
||
1076 |
while (n-- > 0) { |
||
1077 |
dest[(*dest_len)++] = rr->data[rr->off++]; |
||
1078 |
rr->length--; |
||
1079 |
} |
||
1080 |
|||
1081 |
if (*dest_len < dest_maxlen) |
||
1082 |
goto start; /* fragment was too small */ |
||
1083 |
} |
||
1084 |
✗✓ | 8337 |
} |
1085 |
|||
1086 |
/* S3I(s)->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE; |
||
1087 |
* S3I(s)->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT. |
||
1088 |
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ |
||
1089 |
|||
1090 |
/* If we are a client, check for an incoming 'Hello Request': */ |
||
1091 |
✓✓✗✓ ✗✗ |
16466 |
if ((!s->server) && (S3I(s)->handshake_fragment_len >= 4) && |
1092 |
(S3I(s)->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && |
||
1093 |
(s->session != NULL) && (s->session->cipher != NULL)) { |
||
1094 |
S3I(s)->handshake_fragment_len = 0; |
||
1095 |
|||
1096 |
if ((S3I(s)->handshake_fragment[1] != 0) || |
||
1097 |
(S3I(s)->handshake_fragment[2] != 0) || |
||
1098 |
(S3I(s)->handshake_fragment[3] != 0)) { |
||
1099 |
al = SSL_AD_DECODE_ERROR; |
||
1100 |
SSLerror(s, SSL_R_BAD_HELLO_REQUEST); |
||
1101 |
goto f_err; |
||
1102 |
} |
||
1103 |
|||
1104 |
if (s->internal->msg_callback) |
||
1105 |
s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, |
||
1106 |
S3I(s)->handshake_fragment, 4, s, |
||
1107 |
s->internal->msg_callback_arg); |
||
1108 |
|||
1109 |
if (SSL_is_init_finished(s) && |
||
1110 |
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && |
||
1111 |
!S3I(s)->renegotiate) { |
||
1112 |
ssl3_renegotiate(s); |
||
1113 |
if (ssl3_renegotiate_check(s)) { |
||
1114 |
i = s->internal->handshake_func(s); |
||
1115 |
if (i < 0) |
||
1116 |
return (i); |
||
1117 |
if (i == 0) { |
||
1118 |
SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); |
||
1119 |
return (-1); |
||
1120 |
} |
||
1121 |
|||
1122 |
if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { |
||
1123 |
if (s->s3->rbuf.left == 0) { |
||
1124 |
/* no read-ahead left? */ |
||
1125 |
/* In the case where we try to read application data, |
||
1126 |
* but we trigger an SSL handshake, we return -1 with |
||
1127 |
* the retry option set. Otherwise renegotiation may |
||
1128 |
* cause nasty problems in the blocking world */ |
||
1129 |
ssl_force_want_read(s); |
||
1130 |
return (-1); |
||
1131 |
} |
||
1132 |
} |
||
1133 |
} |
||
1134 |
} |
||
1135 |
/* we either finished a handshake or ignored the request, |
||
1136 |
* now try again to obtain the (application) data we were asked for */ |
||
1137 |
goto start; |
||
1138 |
} |
||
1139 |
/* Disallow client initiated renegotiation if configured. */ |
||
1140 |
✓✓✗✓ ✗✗ |
8545 |
if (s->server && SSL_is_init_finished(s) && |
1141 |
S3I(s)->handshake_fragment_len >= 4 && |
||
1142 |
S3I(s)->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO && |
||
1143 |
(s->internal->options & SSL_OP_NO_CLIENT_RENEGOTIATION)) { |
||
1144 |
al = SSL_AD_NO_RENEGOTIATION; |
||
1145 |
goto f_err; |
||
1146 |
} |
||
1147 |
/* If we are a server and get a client hello when renegotiation isn't |
||
1148 |
* allowed send back a no renegotiation alert and carry on. |
||
1149 |
* WARNING: experimental code, needs reviewing (steve) |
||
1150 |
*/ |
||
1151 |
✓✓✗✗ |
8337 |
if (s->server && |
1152 |
✗✓ | 208 |
SSL_is_init_finished(s) && |
1153 |
!S3I(s)->send_connection_binding && |
||
1154 |
(S3I(s)->handshake_fragment_len >= 4) && |
||
1155 |
(S3I(s)->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && |
||
1156 |
(s->session != NULL) && (s->session->cipher != NULL)) { |
||
1157 |
/*S3I(s)->handshake_fragment_len = 0;*/ |
||
1158 |
rr->length = 0; |
||
1159 |
ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); |
||
1160 |
goto start; |
||
1161 |
} |
||
1162 |
✗✓ | 8337 |
if (S3I(s)->alert_fragment_len >= 2) { |
1163 |
int alert_level = S3I(s)->alert_fragment[0]; |
||
1164 |
int alert_descr = S3I(s)->alert_fragment[1]; |
||
1165 |
|||
1166 |
S3I(s)->alert_fragment_len = 0; |
||
1167 |
|||
1168 |
if (s->internal->msg_callback) |
||
1169 |
s->internal->msg_callback(0, s->version, SSL3_RT_ALERT, |
||
1170 |
S3I(s)->alert_fragment, 2, s, s->internal->msg_callback_arg); |
||
1171 |
|||
1172 |
if (s->internal->info_callback != NULL) |
||
1173 |
cb = s->internal->info_callback; |
||
1174 |
else if (s->ctx->internal->info_callback != NULL) |
||
1175 |
cb = s->ctx->internal->info_callback; |
||
1176 |
|||
1177 |
if (cb != NULL) { |
||
1178 |
j = (alert_level << 8) | alert_descr; |
||
1179 |
cb(s, SSL_CB_READ_ALERT, j); |
||
1180 |
} |
||
1181 |
|||
1182 |
if (alert_level == SSL3_AL_WARNING) { |
||
1183 |
S3I(s)->warn_alert = alert_descr; |
||
1184 |
if (alert_descr == SSL_AD_CLOSE_NOTIFY) { |
||
1185 |
s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; |
||
1186 |
return (0); |
||
1187 |
} |
||
1188 |
/* This is a warning but we receive it if we requested |
||
1189 |
* renegotiation and the peer denied it. Terminate with |
||
1190 |
* a fatal alert because if application tried to |
||
1191 |
* renegotiatie it presumably had a good reason and |
||
1192 |
* expects it to succeed. |
||
1193 |
* |
||
1194 |
* In future we might have a renegotiation where we |
||
1195 |
* don't care if the peer refused it where we carry on. |
||
1196 |
*/ |
||
1197 |
else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { |
||
1198 |
al = SSL_AD_HANDSHAKE_FAILURE; |
||
1199 |
SSLerror(s, SSL_R_NO_RENEGOTIATION); |
||
1200 |
goto f_err; |
||
1201 |
} |
||
1202 |
} else if (alert_level == SSL3_AL_FATAL) { |
||
1203 |
s->internal->rwstate = SSL_NOTHING; |
||
1204 |
S3I(s)->fatal_alert = alert_descr; |
||
1205 |
SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr); |
||
1206 |
ERR_asprintf_error_data("SSL alert number %d", |
||
1207 |
alert_descr); |
||
1208 |
s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; |
||
1209 |
SSL_CTX_remove_session(s->ctx, s->session); |
||
1210 |
return (0); |
||
1211 |
} else { |
||
1212 |
al = SSL_AD_ILLEGAL_PARAMETER; |
||
1213 |
SSLerror(s, SSL_R_UNKNOWN_ALERT_TYPE); |
||
1214 |
goto f_err; |
||
1215 |
} |
||
1216 |
|||
1217 |
goto start; |
||
1218 |
} |
||
1219 |
|||
1220 |
✗✓ | 8337 |
if (s->internal->shutdown & SSL_SENT_SHUTDOWN) { |
1221 |
/* but we have not received a shutdown */ |
||
1222 |
s->internal->rwstate = SSL_NOTHING; |
||
1223 |
rr->length = 0; |
||
1224 |
return (0); |
||
1225 |
} |
||
1226 |
|||
1227 |
✓✗ | 8337 |
if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { |
1228 |
/* 'Change Cipher Spec' is just a single byte, so we know |
||
1229 |
* exactly what the record payload has to look like */ |
||
1230 |
✓✗✓✗ ✗✓ |
25011 |
if ((rr->length != 1) || (rr->off != 0) || |
1231 |
8337 |
(rr->data[0] != SSL3_MT_CCS)) { |
|
1232 |
al = SSL_AD_ILLEGAL_PARAMETER; |
||
1233 |
SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); |
||
1234 |
goto f_err; |
||
1235 |
} |
||
1236 |
|||
1237 |
/* Check we have a cipher to change to */ |
||
1238 |
✗✓ | 8337 |
if (S3I(s)->hs.new_cipher == NULL) { |
1239 |
al = SSL_AD_UNEXPECTED_MESSAGE; |
||
1240 |
SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); |
||
1241 |
goto f_err; |
||
1242 |
} |
||
1243 |
|||
1244 |
/* Check that we should be receiving a Change Cipher Spec. */ |
||
1245 |
✗✓ | 8337 |
if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) { |
1246 |
al = SSL_AD_UNEXPECTED_MESSAGE; |
||
1247 |
SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); |
||
1248 |
goto f_err; |
||
1249 |
} |
||
1250 |
8337 |
s->s3->flags &= ~SSL3_FLAGS_CCS_OK; |
|
1251 |
|||
1252 |
8337 |
rr->length = 0; |
|
1253 |
|||
1254 |
✗✓ | 8337 |
if (s->internal->msg_callback) { |
1255 |
s->internal->msg_callback(0, s->version, |
||
1256 |
SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, |
||
1257 |
s->internal->msg_callback_arg); |
||
1258 |
} |
||
1259 |
|||
1260 |
8337 |
S3I(s)->change_cipher_spec = 1; |
|
1261 |
✓✗ | 8337 |
if (!ssl3_do_change_cipher_spec(s)) |
1262 |
goto err; |
||
1263 |
else |
||
1264 |
goto start; |
||
1265 |
} |
||
1266 |
|||
1267 |
/* Unexpected handshake message (Client Hello, or protocol violation) */ |
||
1268 |
if ((S3I(s)->handshake_fragment_len >= 4) && !s->internal->in_handshake) { |
||
1269 |
if (((S3I(s)->hs.state&SSL_ST_MASK) == SSL_ST_OK) && |
||
1270 |
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { |
||
1271 |
S3I(s)->hs.state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; |
||
1272 |
s->internal->renegotiate = 1; |
||
1273 |
s->internal->new_session = 1; |
||
1274 |
} |
||
1275 |
i = s->internal->handshake_func(s); |
||
1276 |
if (i < 0) |
||
1277 |
return (i); |
||
1278 |
if (i == 0) { |
||
1279 |
SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); |
||
1280 |
return (-1); |
||
1281 |
} |
||
1282 |
|||
1283 |
if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { |
||
1284 |
if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ |
||
1285 |
/* In the case where we try to read application data, |
||
1286 |
* but we trigger an SSL handshake, we return -1 with |
||
1287 |
* the retry option set. Otherwise renegotiation may |
||
1288 |
* cause nasty problems in the blocking world */ |
||
1289 |
ssl_force_want_read(s); |
||
1290 |
return (-1); |
||
1291 |
} |
||
1292 |
} |
||
1293 |
goto start; |
||
1294 |
} |
||
1295 |
|||
1296 |
switch (rr->type) { |
||
1297 |
default: |
||
1298 |
/* |
||
1299 |
* TLS up to v1.1 just ignores unknown message types: |
||
1300 |
* TLS v1.2 give an unexpected message alert. |
||
1301 |
*/ |
||
1302 |
if (s->version >= TLS1_VERSION && |
||
1303 |
s->version <= TLS1_1_VERSION) { |
||
1304 |
rr->length = 0; |
||
1305 |
goto start; |
||
1306 |
} |
||
1307 |
al = SSL_AD_UNEXPECTED_MESSAGE; |
||
1308 |
SSLerror(s, SSL_R_UNEXPECTED_RECORD); |
||
1309 |
goto f_err; |
||
1310 |
case SSL3_RT_CHANGE_CIPHER_SPEC: |
||
1311 |
case SSL3_RT_ALERT: |
||
1312 |
case SSL3_RT_HANDSHAKE: |
||
1313 |
/* we already handled all of these, with the possible exception |
||
1314 |
* of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that |
||
1315 |
* should not happen when type != rr->type */ |
||
1316 |
al = SSL_AD_UNEXPECTED_MESSAGE; |
||
1317 |
SSLerror(s, ERR_R_INTERNAL_ERROR); |
||
1318 |
goto f_err; |
||
1319 |
case SSL3_RT_APPLICATION_DATA: |
||
1320 |
/* At this point, we were expecting handshake data, |
||
1321 |
* but have application data. If the library was |
||
1322 |
* running inside ssl3_read() (i.e. in_read_app_data |
||
1323 |
* is set) and it makes sense to read application data |
||
1324 |
* at this point (session renegotiation not yet started), |
||
1325 |
* we will indulge it. |
||
1326 |
*/ |
||
1327 |
if (S3I(s)->in_read_app_data && |
||
1328 |
(S3I(s)->total_renegotiations != 0) && |
||
1329 |
(((S3I(s)->hs.state & SSL_ST_CONNECT) && |
||
1330 |
(S3I(s)->hs.state >= SSL3_ST_CW_CLNT_HELLO_A) && |
||
1331 |
(S3I(s)->hs.state <= SSL3_ST_CR_SRVR_HELLO_A)) || |
||
1332 |
((S3I(s)->hs.state & SSL_ST_ACCEPT) && |
||
1333 |
(S3I(s)->hs.state <= SSL3_ST_SW_HELLO_REQ_A) && |
||
1334 |
(S3I(s)->hs.state >= SSL3_ST_SR_CLNT_HELLO_A)))) { |
||
1335 |
S3I(s)->in_read_app_data = 2; |
||
1336 |
return (-1); |
||
1337 |
} else { |
||
1338 |
al = SSL_AD_UNEXPECTED_MESSAGE; |
||
1339 |
SSLerror(s, SSL_R_UNEXPECTED_RECORD); |
||
1340 |
goto f_err; |
||
1341 |
} |
||
1342 |
} |
||
1343 |
/* not reached */ |
||
1344 |
|||
1345 |
f_err: |
||
1346 |
ssl3_send_alert(s, SSL3_AL_FATAL, al); |
||
1347 |
err: |
||
1348 |
return (-1); |
||
1349 |
55685 |
} |
|
1350 |
|||
1351 |
int |
||
1352 |
ssl3_do_change_cipher_spec(SSL *s) |
||
1353 |
{ |
||
1354 |
int i; |
||
1355 |
const char *sender; |
||
1356 |
int slen; |
||
1357 |
|||
1358 |
✓✓ | 16866 |
if (S3I(s)->hs.state & SSL_ST_ACCEPT) |
1359 |
256 |
i = SSL3_CHANGE_CIPHER_SERVER_READ; |
|
1360 |
else |
||
1361 |
i = SSL3_CHANGE_CIPHER_CLIENT_READ; |
||
1362 |
|||
1363 |
✓✓ | 8433 |
if (S3I(s)->hs.key_block == NULL) { |
1364 |
✓✗✗✓ |
14596 |
if (s->session == NULL || s->session->master_key_length == 0) { |
1365 |
/* might happen if dtls1_read_bytes() calls this */ |
||
1366 |
SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); |
||
1367 |
return (0); |
||
1368 |
} |
||
1369 |
|||
1370 |
7298 |
s->session->cipher = S3I(s)->hs.new_cipher; |
|
1371 |
✗✓ | 7298 |
if (!tls1_setup_key_block(s)) |
1372 |
return (0); |
||
1373 |
} |
||
1374 |
|||
1375 |
✗✓ | 8433 |
if (!tls1_change_cipher_state(s, i)) |
1376 |
return (0); |
||
1377 |
|||
1378 |
/* we have to record the message digest at |
||
1379 |
* this point so we can get it before we read |
||
1380 |
* the finished message */ |
||
1381 |
✓✓ | 8433 |
if (S3I(s)->hs.state & SSL_ST_CONNECT) { |
1382 |
sender = TLS_MD_SERVER_FINISH_CONST; |
||
1383 |
slen = TLS_MD_SERVER_FINISH_CONST_SIZE; |
||
1384 |
8177 |
} else { |
|
1385 |
sender = TLS_MD_CLIENT_FINISH_CONST; |
||
1386 |
slen = TLS_MD_CLIENT_FINISH_CONST_SIZE; |
||
1387 |
} |
||
1388 |
|||
1389 |
8433 |
i = tls1_final_finish_mac(s, sender, slen, |
|
1390 |
8433 |
S3I(s)->tmp.peer_finish_md); |
|
1391 |
✗✓ | 8433 |
if (i == 0) { |
1392 |
SSLerror(s, ERR_R_INTERNAL_ERROR); |
||
1393 |
return 0; |
||
1394 |
} |
||
1395 |
8433 |
S3I(s)->tmp.peer_finish_md_len = i; |
|
1396 |
|||
1397 |
8433 |
return (1); |
|
1398 |
8433 |
} |
|
1399 |
|||
1400 |
int |
||
1401 |
ssl3_send_alert(SSL *s, int level, int desc) |
||
1402 |
{ |
||
1403 |
/* Map tls/ssl alert value to correct one */ |
||
1404 |
1028 |
desc = tls1_alert_code(desc); |
|
1405 |
✗✓ | 514 |
if (desc < 0) |
1406 |
return -1; |
||
1407 |
/* If a fatal one, remove from cache */ |
||
1408 |
✗✓✗✗ |
514 |
if ((level == 2) && (s->session != NULL)) |
1409 |
SSL_CTX_remove_session(s->ctx, s->session); |
||
1410 |
|||
1411 |
514 |
s->s3->alert_dispatch = 1; |
|
1412 |
514 |
s->s3->send_alert[0] = level; |
|
1413 |
514 |
s->s3->send_alert[1] = desc; |
|
1414 |
✓✗ | 514 |
if (s->s3->wbuf.left == 0) /* data still being written out? */ |
1415 |
514 |
return s->method->ssl_dispatch_alert(s); |
|
1416 |
|||
1417 |
/* else data is still being written out, we will get written |
||
1418 |
* some time in the future */ |
||
1419 |
return -1; |
||
1420 |
514 |
} |
|
1421 |
|||
1422 |
int |
||
1423 |
ssl3_dispatch_alert(SSL *s) |
||
1424 |
{ |
||
1425 |
int i, j; |
||
1426 |
void (*cb)(const SSL *ssl, int type, int val) = NULL; |
||
1427 |
|||
1428 |
836 |
s->s3->alert_dispatch = 0; |
|
1429 |
418 |
i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0); |
|
1430 |
✓✓ | 418 |
if (i <= 0) { |
1431 |
384 |
s->s3->alert_dispatch = 1; |
|
1432 |
384 |
} else { |
|
1433 |
/* Alert sent to BIO. If it is important, flush it now. |
||
1434 |
* If the message does not get sent due to non-blocking IO, |
||
1435 |
* we will not worry too much. */ |
||
1436 |
✗✓ | 34 |
if (s->s3->send_alert[0] == SSL3_AL_FATAL) |
1437 |
(void)BIO_flush(s->wbio); |
||
1438 |
|||
1439 |
✗✓ | 34 |
if (s->internal->msg_callback) |
1440 |
s->internal->msg_callback(1, s->version, SSL3_RT_ALERT, |
||
1441 |
s->s3->send_alert, 2, s, s->internal->msg_callback_arg); |
||
1442 |
|||
1443 |
✗✓ | 34 |
if (s->internal->info_callback != NULL) |
1444 |
cb = s->internal->info_callback; |
||
1445 |
✗✓ | 34 |
else if (s->ctx->internal->info_callback != NULL) |
1446 |
cb = s->ctx->internal->info_callback; |
||
1447 |
|||
1448 |
✗✓ | 34 |
if (cb != NULL) { |
1449 |
j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; |
||
1450 |
cb(s, SSL_CB_WRITE_ALERT, j); |
||
1451 |
} |
||
1452 |
} |
||
1453 |
418 |
return (i); |
|
1454 |
} |
| Generated by: GCOVR (Version 3.3) |