i = s->method->ssl3_enc->final_finish_mac(s,
sender, slen,
s->s3->tmp.finish_md);
- if (i == 0)
+ if (i <= 0)
return 0;
s->s3->tmp.finish_md_len = i;
memcpy(p, s->s3->tmp.finish_md, i);
s->s3->previous_server_finished_len = i;
}
- ssl_set_handshake_header(s, SSL3_MT_FINISHED, l);
+ if (!ssl_set_handshake_header(s, SSL3_MT_FINISHED, l)) {
+ SSLerr(SSL_F_SSL3_SEND_FINISHED, ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
s->state = b;
}
/*-
* for these 2 messages, we need to
* ssl->enc_read_ctx re-init
- * ssl->s3->read_sequence zero
+ * ssl->rlayer.read_sequence zero
* ssl->s3->read_mac_secret re-init
* ssl->session->read_sym_enc assign
* ssl->session->read_compression assign
p = ssl_handshake_start(s);
l2n3(l, p);
l += 3;
- ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, l);
+
+ if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, l)) {
+ SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
return l + SSL_HM_HEADER_LENGTH(s);
}
}
*ok = 1;
s->state = stn;
- s->init_msg = s->init_buf->data + 4;
+ s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
s->init_num = (int)s->s3->tmp.message_size;
return s->init_num;
}
p = (unsigned char *)s->init_buf->data;
- if (s->state == st1) { /* s->init_num < 4 */
+ if (s->state == st1) {
+ /* s->init_num < SSL3_HM_HEADER_LENGTH */
int skip_message;
do {
- while (s->init_num < 4) {
+ while (s->init_num < SSL3_HM_HEADER_LENGTH) {
i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
- &p[s->init_num],
- 4 - s->init_num, 0);
+ &p[s->init_num], SSL3_HM_HEADER_LENGTH - s->init_num, 0);
if (i <= 0) {
s->rwstate = SSL_READING;
*ok = 0;
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
- p, 4, s, s->msg_callback_arg);
+ p, SSL3_HM_HEADER_LENGTH, s,
+ s->msg_callback_arg);
}
- }
- while (skip_message);
-
- /* s->init_num == 4 */
+ } while (skip_message);
+ /* s->init_num == SSL3_HM_HEADER_LENGTH */
if ((mt >= 0) && (*p != mt)) {
al = SSL_AD_UNEXPECTED_MESSAGE;
s->s3->tmp.message_type = *(p++);
- n2l3(p, l);
- if (l > (unsigned long)max) {
- al = SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
- goto f_err;
- }
- if (l > (INT_MAX - 4)) { /* BUF_MEM_grow takes an 'int' parameter */
- al = SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
- goto f_err;
- }
- if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l + 4)) {
- SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
- goto err;
- }
- s->s3->tmp.message_size = l;
- s->state = stn;
+ if(RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
+ /*
+ * Only happens with SSLv3+ in an SSLv2 backward compatible
+ * ClientHello
+ */
+ /*
+ * Total message size is the remaining record bytes to read
+ * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
+ */
+ l = RECORD_LAYER_get_rrec_length(&s->rlayer)
+ + SSL3_HM_HEADER_LENGTH;
+ if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l)) {
+ SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
+ goto err;
+ }
+ s->s3->tmp.message_size = l;
+ s->state = stn;
+
+ s->init_msg = s->init_buf->data;
+ s->init_num = SSL3_HM_HEADER_LENGTH;
+ } else {
+ n2l3(p, l);
+ if (l > (unsigned long)max) {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
+ goto f_err;
+ }
+ /* BUF_MEM_grow takes an 'int' parameter */
+ if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
+ goto f_err;
+ }
+ if (l && !BUF_MEM_grow_clean(s->init_buf,
+ (int)l + SSL3_HM_HEADER_LENGTH)) {
+ SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
+ goto err;
+ }
+ s->s3->tmp.message_size = l;
+ s->state = stn;
- s->init_msg = s->init_buf->data + 4;
- s->init_num = 0;
+ s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
+ s->init_num = 0;
+ }
}
/* next state (stn) */
#endif
/* Feed this message into MAC computation. */
- ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
- if (s->msg_callback)
- s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
- (size_t)s->init_num + 4, s, s->msg_callback_arg);
+ if(RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
+ ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num);
+ if (s->msg_callback)
+ s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
+ (size_t)s->init_num, s, s->msg_callback_arg);
+ } else {
+ ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
+ s->init_num + SSL3_HM_HEADER_LENGTH);
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
+ (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
+ s->msg_callback_arg);
+ }
+
*ok = 1;
return s->init_num;
f_err:
return (al);
}
-#ifndef OPENSSL_NO_BUF_FREELISTS
-/*-
- * On some platforms, malloc() performance is bad enough that you can't just
- * free() and malloc() buffers all the time, so we need to use freelists from
- * unused buffers. Currently, each freelist holds memory chunks of only a
- * given size (list->chunklen); other sized chunks are freed and malloced.
- * This doesn't help much if you're using many different SSL option settings
- * with a given context. (The options affecting buffer size are
- * max_send_fragment, read buffer vs write buffer,
- * SSL_OP_MICROSOFT_BIG_WRITE_BUFFER, SSL_OP_NO_COMPRESSION, and
- * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.) Using a separate freelist for every
- * possible size is not an option, since max_send_fragment can take on many
- * different values.
- *
- * If you are on a platform with a slow malloc(), and you're using SSL
- * connections with many different settings for these options, and you need to
- * use the SSL_MOD_RELEASE_BUFFERS feature, you have a few options:
- * - Link against a faster malloc implementation.
- * - Use a separate SSL_CTX for each option set.
- * - Improve this code.
- */
-static void *freelist_extract(SSL_CTX *ctx, int for_read, int sz)
-{
- SSL3_BUF_FREELIST *list;
- SSL3_BUF_FREELIST_ENTRY *ent = NULL;
- void *result = NULL;
-
- CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
- list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist;
- if (list != NULL && sz == (int)list->chunklen)
- ent = list->head;
- if (ent != NULL) {
- list->head = ent->next;
- result = ent;
- if (--list->len == 0)
- list->chunklen = 0;
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
- if (!result)
- result = OPENSSL_malloc(sz);
- return result;
-}
-
-static void freelist_insert(SSL_CTX *ctx, int for_read, size_t sz, void *mem)
-{
- SSL3_BUF_FREELIST *list;
- SSL3_BUF_FREELIST_ENTRY *ent;
-
- CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
- list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist;
- if (list != NULL &&
- (sz == list->chunklen || list->chunklen == 0) &&
- list->len < ctx->freelist_max_len && sz >= sizeof(*ent)) {
- list->chunklen = sz;
- ent = mem;
- ent->next = list->head;
- list->head = ent;
- ++list->len;
- mem = NULL;
- }
-
- CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
- if (mem)
- OPENSSL_free(mem);
-}
-#else
-# define freelist_extract(c,fr,sz) OPENSSL_malloc(sz)
-# define freelist_insert(c,fr,sz,m) OPENSSL_free(m)
-#endif
-
-int ssl3_setup_read_buffer(SSL *s)
-{
- unsigned char *p;
- size_t len, align = 0, headerlen;
-
- if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
- headerlen = DTLS1_RT_HEADER_LENGTH;
- else
- headerlen = SSL3_RT_HEADER_LENGTH;
-
-#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
- align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
-#endif
-
- if (s->s3->rbuf.buf == NULL) {
- len = SSL3_RT_MAX_PLAIN_LENGTH
- + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
- if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) {
- s->s3->init_extra = 1;
- len += SSL3_RT_MAX_EXTRA;
- }
-#ifndef OPENSSL_NO_COMP
- if (ssl_allow_compression(s))
- len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
-#endif
- if ((p = freelist_extract(s->ctx, 1, len)) == NULL)
- goto err;
- s->s3->rbuf.buf = p;
- s->s3->rbuf.len = len;
- }
-
- s->packet = &(s->s3->rbuf.buf[0]);
- return 1;
-
- err:
- SSLerr(SSL_F_SSL3_SETUP_READ_BUFFER, ERR_R_MALLOC_FAILURE);
- return 0;
-}
-
-int ssl3_setup_write_buffer(SSL *s)
-{
- unsigned char *p;
- size_t len, align = 0, headerlen;
-
- if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
- headerlen = DTLS1_RT_HEADER_LENGTH + 1;
- else
- headerlen = SSL3_RT_HEADER_LENGTH;
-
-#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
- align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
-#endif
-
- if (s->s3->wbuf.buf == NULL) {
- len = s->max_send_fragment
- + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
-#ifndef OPENSSL_NO_COMP
- if (ssl_allow_compression(s))
- len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
-#endif
- if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
- len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
-
- if ((p = freelist_extract(s->ctx, 0, len)) == NULL)
- goto err;
- s->s3->wbuf.buf = p;
- s->s3->wbuf.len = len;
- }
-
- return 1;
-
- err:
- SSLerr(SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE);
- return 0;
-}
-
-int ssl3_setup_buffers(SSL *s)
-{
- if (!ssl3_setup_read_buffer(s))
- return 0;
- if (!ssl3_setup_write_buffer(s))
- return 0;
- return 1;
-}
-
-int ssl3_release_write_buffer(SSL *s)
-{
- if (s->s3->wbuf.buf != NULL) {
- freelist_insert(s->ctx, 0, s->s3->wbuf.len, s->s3->wbuf.buf);
- s->s3->wbuf.buf = NULL;
- }
- return 1;
-}
-
-int ssl3_release_read_buffer(SSL *s)
-{
- if (s->s3->rbuf.buf != NULL) {
- freelist_insert(s->ctx, 1, s->s3->rbuf.len, s->s3->rbuf.buf);
- s->s3->rbuf.buf = NULL;
- }
- return 1;
-}
-
int ssl_allow_compression(SSL *s)
{
if (s->options & SSL_OP_NO_COMPRESSION)
projects / openssl.git / blobdiff