1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). */ 108 109 #include <openssl/ssl.h> 110 111 #include <assert.h> 112 #include <limits.h> 113 #include <stdio.h> 114 #include <string.h> 115 116 #include <openssl/buf.h> 117 #include <openssl/err.h> 118 #include <openssl/evp.h> 119 #include <openssl/mem.h> 120 #include <openssl/rand.h> 121 122 #include "internal.h" 123 124 125 static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len); 126 127 /* kMaxWarningAlerts is the number of consecutive warning alerts that will be 128 * processed. */ 129 static const uint8_t kMaxWarningAlerts = 4; 130 131 /* ssl3_get_record reads a new input record. On success, it places it in 132 * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if 133 * more data is needed. */ 134 static int ssl3_get_record(SSL *ssl) { 135 int ret; 136 again: 137 /* Ensure the buffer is large enough to decrypt in-place. */ 138 ret = ssl_read_buffer_extend_to(ssl, ssl_record_prefix_len(ssl)); 139 if (ret <= 0) { 140 return ret; 141 } 142 assert(ssl_read_buffer_len(ssl) >= ssl_record_prefix_len(ssl)); 143 144 uint8_t *out = ssl_read_buffer(ssl) + ssl_record_prefix_len(ssl); 145 size_t max_out = ssl_read_buffer_len(ssl) - ssl_record_prefix_len(ssl); 146 uint8_t type, alert; 147 size_t len, consumed; 148 switch (tls_open_record(ssl, &type, out, &len, &consumed, &alert, max_out, 149 ssl_read_buffer(ssl), ssl_read_buffer_len(ssl))) { 150 case ssl_open_record_success: 151 ssl_read_buffer_consume(ssl, consumed); 152 153 if (len > 0xffff) { 154 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 155 return -1; 156 } 157 158 SSL3_RECORD *rr = &ssl->s3->rrec; 159 rr->type = type; 160 rr->length = (uint16_t)len; 161 rr->data = out; 162 return 1; 163 164 case ssl_open_record_partial: 165 ret = ssl_read_buffer_extend_to(ssl, consumed); 166 if (ret <= 0) { 167 return ret; 168 } 169 goto again; 170 171 case ssl_open_record_discard: 172 ssl_read_buffer_consume(ssl, consumed); 173 goto again; 174 175 case ssl_open_record_error: 176 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 177 return -1; 178 } 179 180 assert(0); 181 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 182 return -1; 183 } 184 185 int ssl3_write_app_data(SSL *ssl, const void *buf, int len) { 186 return ssl3_write_bytes(ssl, SSL3_RT_APPLICATION_DATA, buf, len); 187 } 188 189 /* Call this to write data in records of type |type|. It will return <= 0 if 190 * not all data has been sent or non-blocking IO. */ 191 int ssl3_write_bytes(SSL *ssl, int type, const void *buf_, int len) { 192 const uint8_t *buf = buf_; 193 unsigned int tot, n, nw; 194 int i; 195 196 ssl->rwstate = SSL_NOTHING; 197 assert(ssl->s3->wnum <= INT_MAX); 198 tot = ssl->s3->wnum; 199 ssl->s3->wnum = 0; 200 201 if (!ssl->in_handshake && SSL_in_init(ssl) && !SSL_in_false_start(ssl)) { 202 i = ssl->handshake_func(ssl); 203 if (i < 0) { 204 return i; 205 } 206 if (i == 0) { 207 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); 208 return -1; 209 } 210 } 211 212 /* Ensure that if we end up with a smaller value of data to write out than 213 * the the original len from a write which didn't complete for non-blocking 214 * I/O and also somehow ended up avoiding the check for this in 215 * ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to 216 * end up with (len-tot) as a large number that will then promptly send 217 * beyond the end of the users buffer ... so we trap and report the error in 218 * a way the user will notice. */ 219 if (len < 0 || (size_t)len < tot) { 220 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH); 221 return -1; 222 } 223 224 n = (len - tot); 225 for (;;) { 226 /* max contains the maximum number of bytes that we can put into a 227 * record. */ 228 unsigned max = ssl->max_send_fragment; 229 if (n > max) { 230 nw = max; 231 } else { 232 nw = n; 233 } 234 235 i = do_ssl3_write(ssl, type, &buf[tot], nw); 236 if (i <= 0) { 237 ssl->s3->wnum = tot; 238 return i; 239 } 240 241 if (i == (int)n || (type == SSL3_RT_APPLICATION_DATA && 242 (ssl->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) { 243 return tot + i; 244 } 245 246 n -= i; 247 tot += i; 248 } 249 } 250 251 static int ssl3_write_pending(SSL *ssl, int type, const uint8_t *buf, 252 unsigned int len) { 253 if (ssl->s3->wpend_tot > (int)len || 254 (ssl->s3->wpend_buf != buf && 255 !(ssl->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || 256 ssl->s3->wpend_type != type) { 257 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_WRITE_RETRY); 258 return -1; 259 } 260 261 int ret = ssl_write_buffer_flush(ssl); 262 if (ret <= 0) { 263 return ret; 264 } 265 return ssl->s3->wpend_ret; 266 } 267 268 /* do_ssl3_write writes an SSL record of the given type. */ 269 static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) { 270 /* If there is still data from the previous record, flush it. */ 271 if (ssl_write_buffer_is_pending(ssl)) { 272 return ssl3_write_pending(ssl, type, buf, len); 273 } 274 275 /* If we have an alert to send, lets send it */ 276 if (ssl->s3->alert_dispatch) { 277 int ret = ssl->method->ssl_dispatch_alert(ssl); 278 if (ret <= 0) { 279 return ret; 280 } 281 /* if it went, fall through and send more stuff */ 282 } 283 284 if (len > SSL3_RT_MAX_PLAIN_LENGTH) { 285 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 286 return -1; 287 } 288 289 if (len == 0) { 290 return 0; 291 } 292 293 size_t max_out = len + ssl_max_seal_overhead(ssl); 294 if (max_out < len) { 295 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 296 return -1; 297 } 298 uint8_t *out; 299 size_t ciphertext_len; 300 if (!ssl_write_buffer_init(ssl, &out, max_out) || 301 !tls_seal_record(ssl, out, &ciphertext_len, max_out, type, buf, len)) { 302 return -1; 303 } 304 ssl_write_buffer_set_len(ssl, ciphertext_len); 305 306 /* memorize arguments so that ssl3_write_pending can detect bad write retries 307 * later */ 308 ssl->s3->wpend_tot = len; 309 ssl->s3->wpend_buf = buf; 310 ssl->s3->wpend_type = type; 311 ssl->s3->wpend_ret = len; 312 313 /* we now just need to write the buffer */ 314 return ssl3_write_pending(ssl, type, buf, len); 315 } 316 317 int ssl3_read_app_data(SSL *ssl, uint8_t *buf, int len, int peek) { 318 return ssl3_read_bytes(ssl, SSL3_RT_APPLICATION_DATA, buf, len, peek); 319 } 320 321 int ssl3_read_change_cipher_spec(SSL *ssl) { 322 uint8_t byte; 323 int ret = ssl3_read_bytes(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, &byte, 1 /* len */, 324 0 /* no peek */); 325 if (ret <= 0) { 326 return ret; 327 } 328 assert(ret == 1); 329 330 if (ssl->s3->rrec.length != 0 || byte != SSL3_MT_CCS) { 331 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_CHANGE_CIPHER_SPEC); 332 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 333 return -1; 334 } 335 336 if (ssl->msg_callback != NULL) { 337 ssl->msg_callback(0, ssl->version, SSL3_RT_CHANGE_CIPHER_SPEC, &byte, 1, 338 ssl, ssl->msg_callback_arg); 339 } 340 341 return 1; 342 } 343 344 void ssl3_read_close_notify(SSL *ssl) { 345 ssl3_read_bytes(ssl, 0, NULL, 0, 0); 346 } 347 348 static int ssl3_can_renegotiate(SSL *ssl) { 349 switch (ssl->renegotiate_mode) { 350 case ssl_renegotiate_never: 351 return 0; 352 case ssl_renegotiate_once: 353 return ssl->s3->total_renegotiations == 0; 354 case ssl_renegotiate_freely: 355 return 1; 356 case ssl_renegotiate_ignore: 357 return 1; 358 } 359 360 assert(0); 361 return 0; 362 } 363 364 /* Return up to 'len' payload bytes received in 'type' records. 365 * 'type' is one of the following: 366 * 367 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) 368 * - SSL3_RT_CHANGE_CIPHER_SPEC (when ssl3_read_change_cipher_spec calls us) 369 * - SSL3_RT_APPLICATION_DATA (when ssl3_read_app_data calls us) 370 * - 0 (during a shutdown, no data has to be returned) 371 * 372 * If we don't have stored data to work from, read a SSL/TLS record first 373 * (possibly multiple records if we still don't have anything to return). 374 * 375 * This function must handle any surprises the peer may have for us, such as 376 * Alert records (e.g. close_notify) or renegotiation requests. */ 377 int ssl3_read_bytes(SSL *ssl, int type, uint8_t *buf, int len, int peek) { 378 int al, i, ret; 379 unsigned int n; 380 SSL3_RECORD *rr; 381 void (*cb)(const SSL *ssl, int type, int value) = NULL; 382 383 if ((type && type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE && 384 type != SSL3_RT_CHANGE_CIPHER_SPEC) || 385 (peek && type != SSL3_RT_APPLICATION_DATA)) { 386 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 387 return -1; 388 } 389 390 /* This may require multiple iterations. False Start will cause 391 * |ssl->handshake_func| to signal success one step early, but the handshake 392 * must be completely finished before other modes are accepted. 393 * 394 * TODO(davidben): Move this check up to a higher level. */ 395 while (!ssl->in_handshake && SSL_in_init(ssl)) { 396 assert(type == SSL3_RT_APPLICATION_DATA); 397 i = ssl->handshake_func(ssl); 398 if (i < 0) { 399 return i; 400 } 401 if (i == 0) { 402 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); 403 return -1; 404 } 405 } 406 407 start: 408 ssl->rwstate = SSL_NOTHING; 409 410 /* ssl->s3->rrec.type - is the type of record 411 * ssl->s3->rrec.data - data 412 * ssl->s3->rrec.off - offset into 'data' for next read 413 * ssl->s3->rrec.length - number of bytes. */ 414 rr = &ssl->s3->rrec; 415 416 /* get new packet if necessary */ 417 if (rr->length == 0) { 418 ret = ssl3_get_record(ssl); 419 if (ret <= 0) { 420 return ret; 421 } 422 } 423 424 /* we now have a packet which can be read and processed */ 425 426 /* If the other end has shut down, throw anything we read away (even in 427 * 'peek' mode) */ 428 if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN) { 429 rr->length = 0; 430 ssl->rwstate = SSL_NOTHING; 431 return 0; 432 } 433 434 if (type != 0 && type == rr->type) { 435 ssl->s3->warning_alert_count = 0; 436 437 /* Make sure that we are not getting application data when we are doing a 438 * handshake for the first time. */ 439 if (SSL_in_init(ssl) && type == SSL3_RT_APPLICATION_DATA && 440 ssl->aead_read_ctx == NULL) { 441 /* TODO(davidben): Is this check redundant with the handshake_func 442 * check? */ 443 al = SSL_AD_UNEXPECTED_MESSAGE; 444 OPENSSL_PUT_ERROR(SSL, SSL_R_APP_DATA_IN_HANDSHAKE); 445 goto f_err; 446 } 447 448 /* Discard empty records. */ 449 if (rr->length == 0) { 450 goto start; 451 } 452 453 if (len <= 0) { 454 return len; 455 } 456 457 if ((unsigned int)len > rr->length) { 458 n = rr->length; 459 } else { 460 n = (unsigned int)len; 461 } 462 463 memcpy(buf, rr->data, n); 464 if (!peek) { 465 rr->length -= n; 466 rr->data += n; 467 if (rr->length == 0) { 468 /* The record has been consumed, so we may now clear the buffer. */ 469 ssl_read_buffer_discard(ssl); 470 } 471 } 472 473 return n; 474 } 475 476 /* Process unexpected records. */ 477 478 if (type == SSL3_RT_APPLICATION_DATA && rr->type == SSL3_RT_HANDSHAKE) { 479 /* If peer renegotiations are disabled, all out-of-order handshake records 480 * are fatal. Renegotiations as a server are never supported. */ 481 if (ssl->server || !ssl3_can_renegotiate(ssl)) { 482 al = SSL_AD_NO_RENEGOTIATION; 483 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); 484 goto f_err; 485 } 486 487 /* This must be a HelloRequest, possibly fragmented over multiple records. 488 * Consume data from the handshake protocol until it is complete. */ 489 static const uint8_t kHelloRequest[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0}; 490 while (ssl->s3->hello_request_len < sizeof(kHelloRequest)) { 491 if (rr->length == 0) { 492 /* Get a new record. */ 493 goto start; 494 } 495 if (rr->data[0] != kHelloRequest[ssl->s3->hello_request_len]) { 496 al = SSL_AD_DECODE_ERROR; 497 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST); 498 goto f_err; 499 } 500 rr->data++; 501 rr->length--; 502 ssl->s3->hello_request_len++; 503 } 504 ssl->s3->hello_request_len = 0; 505 506 if (ssl->msg_callback) { 507 ssl->msg_callback(0, ssl->version, SSL3_RT_HANDSHAKE, kHelloRequest, 508 sizeof(kHelloRequest), ssl, ssl->msg_callback_arg); 509 } 510 511 if (!SSL_is_init_finished(ssl) || !ssl->s3->initial_handshake_complete) { 512 /* This cannot happen. If a handshake is in progress, |type| must be 513 * |SSL3_RT_HANDSHAKE|. */ 514 assert(0); 515 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 516 goto err; 517 } 518 519 if (ssl->renegotiate_mode == ssl_renegotiate_ignore) { 520 goto start; 521 } 522 523 /* Renegotiation is only supported at quiescent points in the application 524 * protocol, namely in HTTPS, just before reading the HTTP response. Require 525 * the record-layer be idle and avoid complexities of sending a handshake 526 * record while an application_data record is being written. */ 527 if (ssl_write_buffer_is_pending(ssl)) { 528 al = SSL_AD_NO_RENEGOTIATION; 529 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); 530 goto f_err; 531 } 532 533 /* Begin a new handshake. */ 534 ssl->s3->total_renegotiations++; 535 ssl->state = SSL_ST_CONNECT; 536 i = ssl->handshake_func(ssl); 537 if (i < 0) { 538 return i; 539 } 540 if (i == 0) { 541 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); 542 return -1; 543 } 544 545 /* The handshake completed synchronously. Continue reading records. */ 546 goto start; 547 } 548 549 /* If an alert record, process one alert out of the record. Note that we allow 550 * a single record to contain multiple alerts. */ 551 if (rr->type == SSL3_RT_ALERT) { 552 /* Alerts may not be fragmented. */ 553 if (rr->length < 2) { 554 al = SSL_AD_DECODE_ERROR; 555 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT); 556 goto f_err; 557 } 558 559 if (ssl->msg_callback) { 560 ssl->msg_callback(0, ssl->version, SSL3_RT_ALERT, rr->data, 2, ssl, 561 ssl->msg_callback_arg); 562 } 563 const uint8_t alert_level = rr->data[0]; 564 const uint8_t alert_descr = rr->data[1]; 565 rr->length -= 2; 566 rr->data += 2; 567 568 if (ssl->info_callback != NULL) { 569 cb = ssl->info_callback; 570 } else if (ssl->ctx->info_callback != NULL) { 571 cb = ssl->ctx->info_callback; 572 } 573 574 if (cb != NULL) { 575 uint16_t alert = (alert_level << 8) | alert_descr; 576 cb(ssl, SSL_CB_READ_ALERT, alert); 577 } 578 579 if (alert_level == SSL3_AL_WARNING) { 580 ssl->s3->warn_alert = alert_descr; 581 if (alert_descr == SSL_AD_CLOSE_NOTIFY) { 582 ssl->shutdown |= SSL_RECEIVED_SHUTDOWN; 583 return 0; 584 } 585 586 /* This is a warning but we receive it if we requested renegotiation and 587 * the peer denied it. Terminate with a fatal alert because if 588 * application tried to renegotiatie it presumably had a good reason and 589 * expects it to succeed. 590 * 591 * In future we might have a renegotiation where we don't care if the 592 * peer refused it where we carry on. */ 593 else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { 594 al = SSL_AD_HANDSHAKE_FAILURE; 595 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); 596 goto f_err; 597 } 598 599 ssl->s3->warning_alert_count++; 600 if (ssl->s3->warning_alert_count > kMaxWarningAlerts) { 601 al = SSL_AD_UNEXPECTED_MESSAGE; 602 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_WARNING_ALERTS); 603 goto f_err; 604 } 605 } else if (alert_level == SSL3_AL_FATAL) { 606 char tmp[16]; 607 608 ssl->rwstate = SSL_NOTHING; 609 ssl->s3->fatal_alert = alert_descr; 610 OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr); 611 BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr); 612 ERR_add_error_data(2, "SSL alert number ", tmp); 613 ssl->shutdown |= SSL_RECEIVED_SHUTDOWN; 614 SSL_CTX_remove_session(ssl->ctx, ssl->session); 615 return 0; 616 } else { 617 al = SSL_AD_ILLEGAL_PARAMETER; 618 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_ALERT_TYPE); 619 goto f_err; 620 } 621 622 goto start; 623 } 624 625 if (ssl->shutdown & SSL_SENT_SHUTDOWN) { 626 /* close_notify has been sent, so discard all records other than alerts. */ 627 rr->length = 0; 628 goto start; 629 } 630 631 al = SSL_AD_UNEXPECTED_MESSAGE; 632 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); 633 634 f_err: 635 ssl3_send_alert(ssl, SSL3_AL_FATAL, al); 636 err: 637 return -1; 638 } 639 640 int ssl3_do_change_cipher_spec(SSL *ssl) { 641 int i; 642 643 if (ssl->state & SSL_ST_ACCEPT) { 644 i = SSL3_CHANGE_CIPHER_SERVER_READ; 645 } else { 646 i = SSL3_CHANGE_CIPHER_CLIENT_READ; 647 } 648 649 if (ssl->s3->tmp.key_block == NULL) { 650 if (ssl->session == NULL || ssl->session->master_key_length == 0) { 651 /* might happen if dtls1_read_bytes() calls this */ 652 OPENSSL_PUT_ERROR(SSL, SSL_R_CCS_RECEIVED_EARLY); 653 return 0; 654 } 655 656 ssl->session->cipher = ssl->s3->tmp.new_cipher; 657 if (!ssl->enc_method->setup_key_block(ssl)) { 658 return 0; 659 } 660 } 661 662 if (!ssl->enc_method->change_cipher_state(ssl, i)) { 663 return 0; 664 } 665 666 return 1; 667 } 668 669 int ssl3_send_alert(SSL *ssl, int level, int desc) { 670 /* Map tls/ssl alert value to correct one */ 671 desc = ssl->enc_method->alert_value(desc); 672 if (ssl->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION) { 673 /* SSL 3.0 does not have protocol_version alerts */ 674 desc = SSL_AD_HANDSHAKE_FAILURE; 675 } 676 if (desc < 0) { 677 return -1; 678 } 679 680 /* If a fatal one, remove from cache */ 681 if (level == 2 && ssl->session != NULL) { 682 SSL_CTX_remove_session(ssl->ctx, ssl->session); 683 } 684 685 ssl->s3->alert_dispatch = 1; 686 ssl->s3->send_alert[0] = level; 687 ssl->s3->send_alert[1] = desc; 688 if (!ssl_write_buffer_is_pending(ssl)) { 689 /* Nothing is being written out, so the alert may be dispatched 690 * immediately. */ 691 return ssl->method->ssl_dispatch_alert(ssl); 692 } 693 694 /* else data is still being written out, we will get written some time in the 695 * future */ 696 return -1; 697 } 698 699 int ssl3_dispatch_alert(SSL *ssl) { 700 int i, j; 701 void (*cb)(const SSL *ssl, int type, int value) = NULL; 702 703 ssl->s3->alert_dispatch = 0; 704 i = do_ssl3_write(ssl, SSL3_RT_ALERT, &ssl->s3->send_alert[0], 2); 705 if (i <= 0) { 706 ssl->s3->alert_dispatch = 1; 707 } else { 708 /* Alert sent to BIO. If it is important, flush it now. If the message 709 * does not get sent due to non-blocking IO, we will not worry too much. */ 710 if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) { 711 BIO_flush(ssl->wbio); 712 } 713 714 if (ssl->msg_callback) { 715 ssl->msg_callback(1, ssl->version, SSL3_RT_ALERT, ssl->s3->send_alert, 2, 716 ssl, ssl->msg_callback_arg); 717 } 718 719 if (ssl->info_callback != NULL) { 720 cb = ssl->info_callback; 721 } else if (ssl->ctx->info_callback != NULL) { 722 cb = ssl->ctx->info_callback; 723 } 724 725 if (cb != NULL) { 726 j = (ssl->s3->send_alert[0] << 8) | ssl->s3->send_alert[1]; 727 cb(ssl, SSL_CB_WRITE_ALERT, j); 728 } 729 } 730 731 return i; 732 } 733
