Add Next Protocol Negotiation.

[openssl.git] / ssl / s3_pkt.c
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c

index ce7dc366fb413508cbc28ec0374919c409882f78..08a7233b4ce77327e4d893f21aac7ecc008bab70 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -115,6 +115,7 @@
  #include "ssl_locl.h"
  #include <openssl/evp.h>
  #include <openssl/buffer.h>
+#include <openssl/rand.h>
  
  static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                          unsigned int len, int create_empty_fragment);
@@ -160,7 +161,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
                         if (pkt[0] == SSL3_RT_APPLICATION_DATA
                             && (pkt[3]<<8|pkt[4]) >= 128)
                                 {
-                               /* Note that even if packet is corrupted
+                               /* Note that even if packet is corrupted
                                  * and its length field is insane, we can
                                  * only be led to wrong decision about
                                  * whether memmove will occur or not.
@@ -176,11 +177,12 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
                 /* ... now we can act as if 'extend' was set */
                 }
  
-       /* extend reads should not span multiple packets for DTLS */
-       if ( SSL_version(s) == DTLS1_VERSION &&
-               extend)
+       /* For DTLS/UDP reads should not span multiple packets
+        * because the read operation returns the whole packet
+        * at once (as long as it fits into the buffer). */
+       if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
                 {
-               if ( left > 0 && n > left)
+               if (left > 0 && n > left)
                         n = left;
                 }
  
@@ -207,15 +209,22 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
                 rb->offset = len + align;
                 }
  
-       max = rb->len - rb->offset;
-       if (n > max) /* does not happen */
+       if (n > (int)(rb->len - rb->offset)) /* does not happen */
                 {
                 SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
                 return -1;
                 }
  
         if (!s->read_ahead)
-               max=n;
+               /* ignore max parameter */
+               max = n;
+       else
+               {
+               if (max < n)
+                       max = n;
+               if (max > (int)(rb->len - rb->offset))
+                       max = rb->len - rb->offset;
+               }
  
         while (left < n)
                 {
@@ -244,6 +253,14 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
                         return(i);
                         }
                 left+=i;
+               /* reads should *never* span multiple packets for DTLS because
+                * the underlying transport protocol is message oriented as opposed
+                * to byte oriented as in the TLS case. */
+               if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
+                       {
+                       if (n > left)
+                               n = left; /* makes the while condition false */
+                       }
                 }
  
         /* done reading, now the book-keeping */
@@ -320,9 +337,9 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
                         if (version != s->version)
                                 {
                                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                               /* Send back error using their
-                                * version number :-) */
-                               s->version=version;
+                                if ((s->version & 0xFF00) == (version & 0xFF00))
+                                       /* Send back error using their minor version number :-) */
+                                       s->version = (unsigned short)version;
                                 al=SSL_AD_PROTOCOL_VERSION;
                                 goto f_err;
                                 }
@@ -613,6 +630,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
         unsigned char *p,*plen;
         int i,mac_size,clear=0;
         int prefix_len=0;
+       int eivlen;
         long align=0;
         SSL3_RECORD *wr;
         SSL3_BUFFER *wb=&(s->s3->wbuf);
@@ -722,9 +740,18 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
         /* field where we are to write out packet length */
         plen=p; 
         p+=2;
+       /* Explicit IV length, block ciphers and TLS version 1.1 or later */
+       if (s->enc_write_ctx && s->version >= TLS1_1_VERSION)
+               {
+               eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
+               if (eivlen <= 1)
+                       eivlen = 0;
+               }
+       else 
+               eivlen = 0;
  
         /* lets setup the record stuff. */
-       wr->data=p;
+       wr->data=p + eivlen;
         wr->length=(int)len;
         wr->input=(unsigned char *)buf;
  
@@ -752,11 +779,19 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
  
         if (mac_size != 0)
                 {
-               if (s->method->ssl3_enc->mac(s,&(p[wr->length]),1) < 0)
+               if (s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
                         goto err;
                 wr->length+=mac_size;
-               wr->input=p;
-               wr->data=p;
+               }
+
+       wr->input=p;
+       wr->data=p;
+
+       if (eivlen)
+               {
+       /*      if (RAND_pseudo_bytes(p, eivlen) <= 0)
+                       goto err; */
+               wr->length += eivlen;
                 }
  
         /* ssl3_enc can only have an error on read */
@@ -836,9 +871,9 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
                         return(s->s3->wpend_ret);
                         }
                 else if (i <= 0) {
-                       if (s->version == DTLS1_VERSION) {
-                               /* For DTLS, just drop it. That's kind of the wh
-ole
+                       if (s->version == DTLS1_VERSION ||
+                           s->version == DTLS1_BAD_VER) {
+                               /* For DTLS, just drop it. That's kind of the whole
                                    point in using a datagram service */
                                 wb->left = 0;
                         }
@@ -1104,7 +1139,25 @@ start:
                  * now try again to obtain the (application) data we were asked for */
                 goto start;
                 }
-
+       /* If we are a server and get a client hello when renegotiation isn't
+        * allowed send back a no renegotiation alert and carry on.
+        * WARNING: experimental code, needs reviewing (steve)
+        */
+       if (s->server &&
+               SSL_is_init_finished(s) &&
+               !s->s3->send_connection_binding &&
+               (s->version > SSL3_VERSION) &&
+               (s->s3->handshake_fragment_len >= 4) &&
+               (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
+               (s->session != NULL) && (s->session->cipher != NULL) &&
+               !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+               
+               {
+               /*s->s3->handshake_fragment_len = 0;*/
+               rr->length = 0;
+               ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
+               goto start;
+               }
         if (s->s3->alert_fragment_len >= 2)
                 {
                 int alert_level = s->s3->alert_fragment[0];
@@ -1134,6 +1187,21 @@ start:
                                 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                                 return(0);
                                 }
+                       /* This is a warning but we receive it if we requested
+                        * renegotiation and the peer denied it. Terminate with
+                        * a fatal alert because if application tried to
+                        * renegotiatie it presumably had a good reason and
+                        * expects it to succeed.
+                        *
+                        * In future we might have a renegotiation where we
+                        * don't care if the peer refused it where we carry on.
+                        */
+                       else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
+                               {
+                               al = SSL_AD_HANDSHAKE_FAILURE;
+                               SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
+                               goto f_err;
+                               }
                         }
                 else if (alert_level == 2) /* fatal */
                         {
@@ -1246,7 +1314,7 @@ start:
         default:
  #ifndef OPENSSL_NO_TLS
                 /* TLS just ignores unknown message types */
-               if (s->version == TLS1_VERSION)
+               if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION)
                         {
                         rr->length = 0;
                         goto start;
@@ -1306,8 +1374,10 @@ err:
  int ssl3_do_change_cipher_spec(SSL *s)
         {
         int i;
+#ifdef OPENSSL_NO_NPN
         const char *sender;
         int slen;
+#endif
  
         if (s->state & SSL_ST_ACCEPT)
                 i=SSL3_CHANGE_CIPHER_SERVER_READ;
@@ -1330,6 +1400,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
         if (!s->method->ssl3_enc->change_cipher_state(s,i))
                 return(0);
  
+#ifdef OPENSSL_NO_NPN
         /* we have to record the message digest at
          * this point so we can get it before we read
          * the finished message */
@@ -1346,17 +1417,18 @@ int ssl3_do_change_cipher_spec(SSL *s)
  
         s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
                 sender,slen,s->s3->tmp.peer_finish_md);
+#endif
  
         return(1);
         }
  
-void ssl3_send_alert(SSL *s, int level, int desc)
+int ssl3_send_alert(SSL *s, int level, int desc)
         {
         /* Map tls/ssl alert value to correct one */
         desc=s->method->ssl3_enc->alert_value(desc);
         if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
                 desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
-       if (desc < 0) return;
+       if (desc < 0) return -1;
         /* If a fatal one, remove from cache */
         if ((level == 2) && (s->session != NULL))
                 SSL_CTX_remove_session(s->ctx,s->session);
@@ -1365,9 +1437,10 @@ void ssl3_send_alert(SSL *s, int level, int desc)
         s->s3->send_alert[0]=level;
         s->s3->send_alert[1]=desc;
         if (s->s3->wbuf.left == 0) /* data still being written out? */
-               s->method->ssl_dispatch_alert(s);
+               return s->method->ssl_dispatch_alert(s);
         /* else data is still being written out, we will get written
          * some time in the future */
+       return -1;
         }
  
  int ssl3_dispatch_alert(SSL *s)