Reorder inclusion of header files:
[openssl.git] / ssl / s3_pkt.c
index 92d9a4a..6ccea9a 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
 #include <stdio.h>
 #include <errno.h>
 #define USE_SOCKETS
+#include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include "ssl_locl.h"
 
 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
-                        unsigned int len);
+                        unsigned int len, int create_empty_fragment);
 static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
                              unsigned int len);
 static int ssl3_get_record(SSL *s);
@@ -162,15 +162,13 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend)
 
        {
                /* avoid buffer overflow */
-               int max_max = SSL3_RT_MAX_PACKET_SIZE - s->packet_length;
-               if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-                       max_max += SSL3_RT_MAX_EXTRA;
+               int max_max = s->s3->rbuf.len - s->packet_length;
                if (max > max_max)
                        max = max_max;
        }
        if (n > max) /* does not happen */
                {
-               SSLerr(SSL_F_SSL3_READ_N,SSL_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
                return -1;
                }
 
@@ -231,14 +229,15 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend)
 static int ssl3_get_record(SSL *s)
        {
        int ssl_major,ssl_minor,al;
-       int n,i,ret= -1;
+       int enc_err,n,i,ret= -1;
        SSL3_RECORD *rr;
        SSL_SESSION *sess;
        unsigned char *p;
        unsigned char md[EVP_MAX_MD_SIZE];
        short version;
        unsigned int mac_size;
-       int clear=0,extra;
+       int clear=0;
+       size_t extra;
 
        rr= &(s->s3->rrec);
        sess=s->session;
@@ -247,14 +246,20 @@ static int ssl3_get_record(SSL *s)
                extra=SSL3_RT_MAX_EXTRA;
        else
                extra=0;
+       if (extra != s->s3->rbuf.len - SSL3_RT_MAX_PACKET_SIZE)
+               {
+               /* actually likely an application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
+                * set after ssl3_setup_buffers() was done */
+               SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
+               return -1;
+               }
 
 again:
        /* check if we have the header */
        if (    (s->rstate != SSL_ST_READ_BODY) ||
                (s->packet_length < SSL3_RT_HEADER_LENGTH)) 
                {
-               n=ssl3_read_n(s,SSL3_RT_HEADER_LENGTH,
-                       SSL3_RT_MAX_PACKET_SIZE,0);
+               n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
                if (n <= 0) return(n); /* error or non-blocking */
                s->rstate=SSL_ST_READ_BODY;
 
@@ -291,8 +296,7 @@ again:
                        goto err;
                        }
 
-               if (rr->length > 
-                       (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
+               if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
                        {
                        al=SSL_AD_RECORD_OVERFLOW;
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
@@ -304,7 +308,7 @@ again:
 
        /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
 
-       if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH))
+       if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH)
                {
                /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
                i=rr->length;
@@ -332,7 +336,7 @@ again:
         * rr->length bytes of encrypted compressed stuff. */
 
        /* check is not needed I believe */
-       if (rr->length > (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
+       if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
                {
                al=SSL_AD_RECORD_OVERFLOW;
                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
@@ -342,16 +346,23 @@ again:
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;
 
-       if (!s->method->ssl3_enc->enc(s,0))
+       enc_err = s->method->ssl3_enc->enc(s,0);
+       if (enc_err <= 0)
                {
-               al=SSL_AD_DECRYPT_ERROR;
-               goto f_err;
+               if (enc_err == 0)
+                       /* SSLerr() and ssl3_send_alert() have been called */
+                       goto err;
+
+               /* otherwise enc_err == -1 */
+               goto decryption_failed_or_bad_record_mac;
                }
+
 #ifdef TLS_DEBUG
 printf("dec %d\n",rr->length);
 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
 printf("\n");
 #endif
+
        /* r->length is now the compressed data plus mac */
        if (    (sess == NULL) ||
                (s->enc_read_ctx == NULL) ||
@@ -364,33 +375,37 @@ printf("\n");
 
                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
                        {
+#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
                        al=SSL_AD_RECORD_OVERFLOW;
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
                        goto f_err;
+#else
+                       goto decryption_failed_or_bad_record_mac;
+#endif                 
                        }
                /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
                if (rr->length < mac_size)
                        {
+#if 0 /* OK only for stream ciphers */
                        al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
                        goto f_err;
+#else
+                       goto decryption_failed_or_bad_record_mac;
+#endif
                        }
                rr->length-=mac_size;
                i=s->method->ssl3_enc->mac(s,md,0);
                if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
                        {
-                       al=SSL_AD_BAD_RECORD_MAC;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_MAC_DECODE);
-                       ret= -1;
-                       goto f_err;
+                       goto decryption_failed_or_bad_record_mac;
                        }
                }
 
        /* r->length is now just compressed */
        if (s->expand != NULL)
                {
-               if (rr->length > 
-                       (unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
+               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
                        {
                        al=SSL_AD_RECORD_OVERFLOW;
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
@@ -404,7 +419,7 @@ printf("\n");
                        }
                }
 
-       if (rr->length > (unsigned int)SSL3_RT_MAX_PLAIN_LENGTH+extra)
+       if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra)
                {
                al=SSL_AD_RECORD_OVERFLOW;
                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
@@ -427,6 +442,15 @@ printf("\n");
        if (rr->length == 0) goto again;
 
        return(1);
+
+decryption_failed_or_bad_record_mac:
+       /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
+        * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
+        * failure is directly visible from the ciphertext anyway,
+        * we should not reveal which kind of error occured -- this
+        * might become visible to an attacker (e.g. via logfile) */
+       al=SSL_AD_BAD_RECORD_MAC;
+       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
 f_err:
        ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
@@ -488,7 +512,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                if (i == 0)
                        {
                        SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
-                       return(-1);
+                       return -1;
                        }
                }
 
@@ -500,18 +524,22 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                else
                        nw=n;
 
-               i=do_ssl3_write(s,type,&(buf[tot]),nw);
+               i=do_ssl3_write(s, type, &(buf[tot]), nw, 0);
                if (i <= 0)
                        {
                        s->s3->wnum=tot;
-                       return(i);
+                       return i;
                        }
 
                if ((i == (int)n) ||
                        (type == SSL3_RT_APPLICATION_DATA &&
                         (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
                        {
-                       return(tot+i);
+                       /* next chunk of data should get another prepended empty fragment
+                        * in ciphersuites with known-IV weakness: */
+                       s->s3->empty_fragment_done = 0;
+                       
+                       return tot+i;
                        }
 
                n-=i;
@@ -520,15 +548,16 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
        }
 
 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
-                        unsigned int len)
+                        unsigned int len, int create_empty_fragment)
        {
        unsigned char *p,*plen;
        int i,mac_size,clear=0;
+       int prefix_len = 0;
        SSL3_RECORD *wr;
        SSL3_BUFFER *wb;
        SSL_SESSION *sess;
 
-       /* first check is there is a SSL3_RECORD still being written
+       /* first check if there is a SSL3_BUFFER still being written
         * out.  This will happen with non blocking IO */
        if (s->s3->wbuf.left != 0)
                return(ssl3_write_pending(s,type,buf,len));
@@ -542,7 +571,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                /* if it went, fall through and send more stuff */
                }
 
-       if (len == 0) return(len);
+       if (len == 0 && !create_empty_fragment)
+               return 0;
 
        wr= &(s->s3->wrec);
        wb= &(s->s3->wbuf);
@@ -558,16 +588,44 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
        else
                mac_size=EVP_MD_size(s->write_hash);
 
-       p=wb->buf;
+       /* 'create_empty_fragment' is true only when this function calls itself */
+       if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done)
+               {
+               /* countermeasure against known-IV weakness in CBC ciphersuites
+                * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
+
+               if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
+                       {
+                       /* recursive function call with 'create_empty_fragment' set;
+                        * this prepares and buffers the data for an empty fragment
+                        * (these 'prefix_len' bytes are sent out later
+                        * together with the actual payload) */
+                       prefix_len = do_ssl3_write(s, type, buf, 0, 1);
+                       if (prefix_len <= 0)
+                               goto err;
+
+                       if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
+                               {
+                               /* insufficient space */
+                               SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
+                               goto err;
+                               }
+                       }
+               
+               s->s3->empty_fragment_done = 1;
+               }
+
+       p = wb->buf + prefix_len;
 
        /* write the header */
+
        *(p++)=type&0xff;
        wr->type=type;
 
        *(p++)=(s->version>>8);
        *(p++)=s->version&0xff;
 
-       /* record where we are to write out packet length */
+       /* field where we are to write out packet length */
        plen=p; 
        p+=2;
 
@@ -618,19 +676,28 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
        wr->type=type; /* not needed but helps for debugging */
        wr->length+=SSL3_RT_HEADER_LENGTH;
 
-       /* Now lets setup wb */
-       wb->left=wr->length;
-       wb->offset=0;
+       if (create_empty_fragment)
+               {
+               /* we are in a recursive call;
+                * just return the length, don't write out anything here
+                */
+               return wr->length;
+               }
+
+       /* now let's set up wb */
+       wb->left = prefix_len + wr->length;
+       wb->offset = 0;
 
+       /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
        s->s3->wpend_tot=len;
        s->s3->wpend_buf=buf;
        s->s3->wpend_type=type;
        s->s3->wpend_ret=len;
 
        /* we now just need to write the buffer */
-       return(ssl3_write_pending(s,type,buf,len));
+       return ssl3_write_pending(s,type,buf,len);
 err:
-       return(-1);
+       return -1;
        }
 
 /* if s->s3->wbuf.left != 0, we need to call this */
@@ -709,21 +776,16 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
        int al,i,j,ret;
        unsigned int n;
        SSL3_RECORD *rr;
-       void (*cb)()=NULL;
-
-       if (peek)
-               {
-               SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_FIXME); /* proper implementation not yet completed */
-               return -1;
-               }
+       void (*cb)(const SSL *ssl,int type2,int val)=NULL;
 
        if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
                if (!ssl3_setup_buffers(s))
                        return(-1);
 
-       if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type)
+       if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
+           (peek && (type != SSL3_RT_APPLICATION_DATA)))
                {
-               SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
                return -1;
                }
 
@@ -734,6 +796,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                unsigned char *dst = buf;
                unsigned int k;
 
+               /* peek == 0 */
                n = 0;
                while ((len > 0) && (s->s3->handshake_fragment_len > 0))
                        {
@@ -769,7 +832,7 @@ start:
         * s->s3->rrec.length,  - number of bytes. */
        rr = &(s->s3->rrec);
 
-       /* get new packet */
+       /* get new packet if necessary */
        if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
                {
                ret=ssl3_get_record(s);
@@ -787,7 +850,8 @@ start:
                goto err;
                }
 
-       /* If the other end has shutdown, throw anything we read away */
+       /* If the other end has shut down, throw anything we read away
+        * (even in 'peek' mode) */
        if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
                {
                rr->length=0;
@@ -816,12 +880,15 @@ start:
                        n = (unsigned int)len;
 
                memcpy(buf,&(rr->data[rr->off]),n);
-               rr->length-=n;
-               rr->off+=n;
-               if (rr->length == 0)
+               if (!peek)
                        {
-                       s->rstate=SSL_ST_READ_HEADER;
-                       rr->off=0;
+                       rr->length-=n;
+                       rr->off+=n;
+                       if (rr->length == 0)
+                               {
+                               s->rstate=SSL_ST_READ_HEADER;
+                               rr->off=0;
+                               }
                        }
                return(n);
                }
@@ -890,6 +957,9 @@ start:
                        goto err;
                        }
 
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
+
                if (SSL_is_init_finished(s) &&
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
                        !s->s3->renegotiate)
@@ -935,6 +1005,9 @@ start:
 
                s->s3->alert_fragment_len = 0;
 
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
+
                if (s->info_callback != NULL)
                        cb=s->info_callback;
                else if (s->ctx->info_callback != NULL)
@@ -998,6 +1071,10 @@ start:
                        }
 
                rr->length=0;
+
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
+
                s->s3->change_cipher_spec=1;
                if (!do_change_cipher_spec(s))
                        goto err;
@@ -1052,10 +1129,11 @@ start:
        switch (rr->type)
                {
        default:
-#ifndef NO_TLS
+#ifndef OPENSSL_NO_TLS
                /* TLS just ignores unknown message types */
                if (s->version == TLS1_VERSION)
                        {
+                       rr->length = 0;
                        goto start;
                        }
 #endif
@@ -1069,7 +1147,7 @@ start:
                 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
                 * should not happen when type != rr->type */
                al=SSL_AD_UNEXPECTED_MESSAGE;
-               SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
                goto f_err;
        case SSL3_RT_APPLICATION_DATA:
                /* At this point, we were expecting handshake data,
@@ -1092,7 +1170,7 @@ start:
                                        )
                                ))
                        {
-                       s->s3->in_read_app_data=0;
+                       s->s3->in_read_app_data=2;
                        return(-1);
                        }
                else
@@ -1156,6 +1234,8 @@ void ssl3_send_alert(SSL *s, int level, int desc)
        {
        /* Map tls/ssl alert value to correct one */
        desc=s->method->ssl3_enc->alert_value(desc);
+       if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
+               desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
        if (desc < 0) return;
        /* If a fatal one, remove from cache */
        if ((level == 2) && (s->session != NULL))
@@ -1164,7 +1244,7 @@ void ssl3_send_alert(SSL *s, int level, int desc)
        s->s3->alert_dispatch=1;
        s->s3->send_alert[0]=level;
        s->s3->send_alert[1]=desc;
-       if (s->s3->wbuf.left == 0) /* data still being written out */
+       if (s->s3->wbuf.left == 0) /* data still being written out? */
                ssl3_dispatch_alert(s);
        /* else data is still being written out, we will get written
         * some time in the future */
@@ -1173,22 +1253,25 @@ void ssl3_send_alert(SSL *s, int level, int desc)
 int ssl3_dispatch_alert(SSL *s)
        {
        int i,j;
-       void (*cb)()=NULL;
+       void (*cb)(const SSL *ssl,int type,int val)=NULL;
 
        s->s3->alert_dispatch=0;
-       i=do_ssl3_write(s,SSL3_RT_ALERT,&s->s3->send_alert[0],2);
+       i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
        if (i <= 0)
                {
                s->s3->alert_dispatch=1;
                }
        else
                {
-               /* If it is important, send it now.  If the message
-                * does not get sent due to non-blocking IO, we will
-                * not worry too much. */
+               /* Alert sent to BIO.  If it is important, flush it now.
+                * If the message does not get sent due to non-blocking IO,
+                * we will not worry too much. */
                if (s->s3->send_alert[0] == SSL3_AL_FATAL)
                        (void)BIO_flush(s->wbio);
 
+               if (s->msg_callback)
+                       s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
+
                if (s->info_callback != NULL)
                        cb=s->info_callback;
                else if (s->ctx->info_callback != NULL)