2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
112 #include "ssl_locl.h"
113 #ifndef OPENSSL_NO_SSL2
118 static int read_n(SSL
*s
, unsigned int n
, unsigned int max
,
119 unsigned int extend
);
120 static int n_do_ssl_write(SSL
*s
, const unsigned char *buf
, unsigned int len
);
121 static int write_pending(SSL
*s
, const unsigned char *buf
, unsigned int len
);
122 static int ssl_mt_error(int n
);
125 * SSL 2.0 imlementation for SSL_read/SSL_peek - This routine will return 0
126 * to len bytes, decrypted etc if required.
128 static int ssl2_read_internal(SSL
*s
, void *buf
, int len
, int peek
)
131 unsigned char mac
[MAX_MAC_SIZE
];
137 if (SSL_in_init(s
) && !s
->in_handshake
) {
138 n
= s
->handshake_func(s
);
142 SSLerr(SSL_F_SSL2_READ_INTERNAL
, SSL_R_SSL_HANDSHAKE_FAILURE
);
148 s
->rwstate
= SSL_NOTHING
;
152 if (s
->s2
->ract_data_length
!= 0) { /* read from buffer */
153 if (len
> s
->s2
->ract_data_length
)
154 n
= s
->s2
->ract_data_length
;
158 memcpy(buf
, s
->s2
->ract_data
, (unsigned int)n
);
160 s
->s2
->ract_data_length
-= n
;
161 s
->s2
->ract_data
+= n
;
162 if (s
->s2
->ract_data_length
== 0)
163 s
->rstate
= SSL_ST_READ_HEADER
;
170 * s->s2->ract_data_length == 0 Fill the buffer, then goto
174 if (s
->rstate
== SSL_ST_READ_HEADER
) {
175 if (s
->first_packet
) {
176 n
= read_n(s
, 5, SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
+ 2, 0);
178 return (n
); /* error or non-blocking */
181 if (!((p
[0] & 0x80) && ((p
[2] == SSL2_MT_CLIENT_HELLO
) ||
182 (p
[2] == SSL2_MT_SERVER_HELLO
)))) {
183 SSLerr(SSL_F_SSL2_READ_INTERNAL
,
184 SSL_R_NON_SSLV2_INITIAL_PACKET
);
188 n
= read_n(s
, 2, SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
+ 2, 0);
190 return (n
); /* error or non-blocking */
192 /* part read stuff */
194 s
->rstate
= SSL_ST_READ_BODY
;
201 s
->s2
->rlength
= (((unsigned int)p
[0]) << 8) | ((unsigned int)p
[1]);
202 if ((p
[0] & TWO_BYTE_BIT
)) { /* Two byte header? */
203 s
->s2
->three_byte_header
= 0;
204 s
->s2
->rlength
&= TWO_BYTE_MASK
;
206 s
->s2
->three_byte_header
= 1;
207 s
->s2
->rlength
&= THREE_BYTE_MASK
;
209 /* security >s2->escape */
210 s
->s2
->escape
= ((p
[0] & SEC_ESC_BIT
)) ? 1 : 0;
214 if (s
->rstate
== SSL_ST_READ_BODY
) {
215 n
= s
->s2
->rlength
+ 2 + s
->s2
->three_byte_header
;
216 if (n
> (int)s
->packet_length
) {
217 n
-= s
->packet_length
;
218 i
= read_n(s
, (unsigned int)n
, (unsigned int)n
, 1);
220 return (i
); /* ERROR */
224 s
->rstate
= SSL_ST_READ_HEADER
;
225 if (s
->s2
->three_byte_header
)
226 s
->s2
->padding
= *(p
++);
231 if (s
->s2
->clear_text
) {
234 s
->s2
->ract_data
= p
;
235 if (s
->s2
->padding
) {
236 SSLerr(SSL_F_SSL2_READ_INTERNAL
, SSL_R_ILLEGAL_PADDING
);
240 mac_size
= EVP_MD_CTX_size(s
->read_hash
);
243 OPENSSL_assert(mac_size
<= MAX_MAC_SIZE
);
245 s
->s2
->ract_data
= &p
[mac_size
];
246 if (s
->s2
->padding
+ mac_size
> s
->s2
->rlength
) {
247 SSLerr(SSL_F_SSL2_READ_INTERNAL
, SSL_R_ILLEGAL_PADDING
);
252 s
->s2
->ract_data_length
= s
->s2
->rlength
;
254 * added a check for length > max_size in case encryption was not
255 * turned on yet due to an error
257 if ((!s
->s2
->clear_text
) &&
258 (s
->s2
->rlength
>= (unsigned int)mac_size
)) {
259 if (!ssl2_enc(s
, 0)) {
260 SSLerr(SSL_F_SSL2_READ_INTERNAL
, SSL_R_DECRYPTION_FAILED
);
263 s
->s2
->ract_data_length
-= mac_size
;
265 s
->s2
->ract_data_length
-= s
->s2
->padding
;
266 if ((CRYPTO_memcmp(mac
, s
->s2
->mac_data
, mac_size
) != 0) ||
268 EVP_CIPHER_CTX_block_size(s
->enc_read_ctx
) != 0)) {
269 SSLerr(SSL_F_SSL2_READ_INTERNAL
, SSL_R_BAD_MAC_DECODE
);
273 INC32(s
->s2
->read_sequence
); /* expect next number */
274 /* s->s2->ract_data is now available for processing */
277 * Possibly the packet that we just read had 0 actual data bytes.
278 * (SSLeay/OpenSSL itself never sends such packets; see ssl2_write.)
279 * In this case, returning 0 would be interpreted by the caller as
280 * indicating EOF, so it's not a good idea. Instead, we just
281 * continue reading; thus ssl2_read_internal may have to process
282 * multiple packets before it can return. [Note that using select()
283 * for blocking sockets *never* guarantees that the next SSL_read
284 * will not block -- the available data may contain incomplete
285 * packets, and except for SSL 2, renegotiation can confuse things
289 goto ssl2_read_again
; /* This should really be "return
290 * ssl2_read(s,buf,len)", but that would
291 * allow for denial-of-service attacks if a C
292 * compiler is used that does not recognize
295 SSLerr(SSL_F_SSL2_READ_INTERNAL
, SSL_R_BAD_STATE
);
300 int ssl2_read(SSL
*s
, void *buf
, int len
)
302 return ssl2_read_internal(s
, buf
, len
, 0);
305 int ssl2_peek(SSL
*s
, void *buf
, int len
)
307 return ssl2_read_internal(s
, buf
, len
, 1);
310 static int read_n(SSL
*s
, unsigned int n
, unsigned int max
,
316 * if there is stuff still in the buffer from a previous read, and there
317 * is more than we want, take some.
319 if (s
->s2
->rbuf_left
>= (int)n
) {
321 s
->packet_length
+= n
;
323 s
->packet
= &(s
->s2
->rbuf
[s
->s2
->rbuf_offs
]);
324 s
->packet_length
= n
;
326 s
->s2
->rbuf_left
-= n
;
327 s
->s2
->rbuf_offs
+= n
;
333 if (max
> (unsigned int)(SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
+ 2))
334 max
= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
+ 2;
337 * Else we want more than we have. First, if there is some left or we
341 if ((s
->s2
->rbuf_left
!= 0) || ((s
->packet_length
!= 0) && extend
)) {
342 newb
= s
->s2
->rbuf_left
;
344 off
= s
->packet_length
;
345 if (s
->packet
!= s
->s2
->rbuf
)
346 memcpy(s
->s2
->rbuf
, s
->packet
, (unsigned int)newb
+ off
);
347 } else if (s
->s2
->rbuf_offs
!= 0) {
348 memcpy(s
->s2
->rbuf
, &(s
->s2
->rbuf
[s
->s2
->rbuf_offs
]),
350 s
->s2
->rbuf_offs
= 0;
352 s
->s2
->rbuf_left
= 0;
357 * off is the offset to start writing too. r->s2->rbuf_offs is the
358 * 'unread data', now 0. newb is the number of new bytes so far
360 s
->packet
= s
->s2
->rbuf
;
361 while (newb
< (int)n
) {
363 if (s
->rbio
!= NULL
) {
364 s
->rwstate
= SSL_READING
;
365 i
= BIO_read(s
->rbio
, (char *)&(s
->s2
->rbuf
[off
+ newb
]),
368 SSLerr(SSL_F_READ_N
, SSL_R_READ_BIO_NOT_SET
);
376 s
->s2
->rbuf_left
+= newb
;
382 /* record unread data */
384 s
->s2
->rbuf_offs
= n
+ off
;
385 s
->s2
->rbuf_left
= newb
- n
;
387 s
->s2
->rbuf_offs
= 0;
388 s
->s2
->rbuf_left
= 0;
391 s
->packet_length
+= n
;
393 s
->packet_length
= n
;
394 s
->rwstate
= SSL_NOTHING
;
398 int ssl2_write(SSL
*s
, const void *_buf
, int len
)
400 const unsigned char *buf
= _buf
;
404 if (SSL_in_init(s
) && !s
->in_handshake
) {
405 i
= s
->handshake_func(s
);
409 SSLerr(SSL_F_SSL2_WRITE
, SSL_R_SSL_HANDSHAKE_FAILURE
);
421 s
->rwstate
= SSL_NOTHING
;
430 i
= n_do_ssl_write(s
, &(buf
[tot
]), n
);
435 if ((i
== (int)n
) || (s
->mode
& SSL_MODE_ENABLE_PARTIAL_WRITE
)) {
444 static int write_pending(SSL
*s
, const unsigned char *buf
, unsigned int len
)
448 /* s->s2->wpend_len != 0 MUST be true. */
451 * check that they have given us the same buffer to write
453 if ((s
->s2
->wpend_tot
> (int)len
) ||
454 ((s
->s2
->wpend_buf
!= buf
) &&
455 !(s
->mode
& SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
))) {
456 SSLerr(SSL_F_WRITE_PENDING
, SSL_R_BAD_WRITE_RETRY
);
462 if (s
->wbio
!= NULL
) {
463 s
->rwstate
= SSL_WRITING
;
464 i
= BIO_write(s
->wbio
,
465 (char *)&(s
->s2
->write_ptr
[s
->s2
->wpend_off
]),
466 (unsigned int)s
->s2
->wpend_len
);
468 SSLerr(SSL_F_WRITE_PENDING
, SSL_R_WRITE_BIO_NOT_SET
);
475 if (i
== s
->s2
->wpend_len
) {
476 s
->s2
->wpend_len
= 0;
477 s
->rwstate
= SSL_NOTHING
;
478 return (s
->s2
->wpend_ret
);
481 s
->s2
->wpend_off
+= i
;
482 s
->s2
->wpend_len
-= i
;
486 static int n_do_ssl_write(SSL
*s
, const unsigned char *buf
, unsigned int len
)
488 unsigned int j
, k
, olen
, p
, bs
;
490 register unsigned char *pp
;
495 * first check if there is data from an encryption waiting to be sent -
496 * it must be sent because the other end is waiting. This will happen
497 * with non-blocking IO. We print it and then return.
499 if (s
->s2
->wpend_len
!= 0)
500 return (write_pending(s
, buf
, len
));
502 /* set mac_size to mac size */
503 if (s
->s2
->clear_text
)
506 mac_size
= EVP_MD_CTX_size(s
->write_hash
);
511 /* lets set the pad p */
512 if (s
->s2
->clear_text
) {
513 if (len
> SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
)
514 len
= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
;
516 s
->s2
->three_byte_header
= 0;
519 bs
= EVP_CIPHER_CTX_block_size(s
->enc_read_ctx
);
522 * Two-byte headers allow for a larger record length than three-byte
523 * headers, but we can't use them if we need padding or if we have to
524 * set the escape bit.
526 if ((j
> SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER
) && (!s
->s2
->escape
)) {
527 if (j
> SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
)
528 j
= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
;
530 * set k to the max number of bytes with 2 byte header
533 /* how many data bytes? */
535 s
->s2
->three_byte_header
= 0;
537 } else if ((bs
<= 1) && (!s
->s2
->escape
)) {
539 * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
540 * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
542 s
->s2
->three_byte_header
= 0;
544 } else { /* we may have to use a 3 byte header */
547 * If s->s2->escape is not set, then
548 * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
549 * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER.
552 p
= (p
== 0) ? 0 : (bs
- p
);
554 s
->s2
->three_byte_header
= 1;
555 if (j
> SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER
)
556 j
= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER
;
558 s
->s2
->three_byte_header
= (p
== 0) ? 0 : 1;
564 * j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
565 * holds, and if s->s2->three_byte_header is set, then even
566 * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER.
570 * mac_size is the number of MAC bytes len is the number of data bytes we
571 * are going to send p is the number of padding bytes (if it is a
572 * two-byte header, then p == 0)
575 s
->s2
->wlength
= len
;
577 s
->s2
->mac_data
= &(s
->s2
->wbuf
[3]);
578 s
->s2
->wact_data
= &(s
->s2
->wbuf
[3 + mac_size
]);
581 * It would be clearer to write this as follows:
582 * if (mac_size + len + p > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER)
583 * However |len| is user input that could in theory be very large. We
584 * know |mac_size| and |p| are small, so to avoid any possibility of
585 * overflow we write it like this.
587 * In theory this should never fail because the logic above should have
588 * modified |len| if it is too big. But we are being cautious.
590 if (len
> (SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
- (mac_size
+ p
))) {
593 /* we copy the data into s->s2->wbuf */
594 memcpy(s
->s2
->wact_data
, buf
, len
);
596 memset(&(s
->s2
->wact_data
[len
]), 0, p
); /* arbitrary padding */
598 if (!s
->s2
->clear_text
) {
599 s
->s2
->wact_data_length
= len
+ p
;
600 ssl2_mac(s
, s
->s2
->mac_data
, 1);
601 s
->s2
->wlength
+= p
+ mac_size
;
602 if (ssl2_enc(s
, 1) < 1)
606 /* package up the header */
607 s
->s2
->wpend_len
= s
->s2
->wlength
;
608 if (s
->s2
->three_byte_header
) { /* 3 byte header */
609 pp
= s
->s2
->mac_data
;
611 pp
[0] = (s
->s2
->wlength
>> 8) & (THREE_BYTE_MASK
>> 8);
613 pp
[0] |= SEC_ESC_BIT
;
614 pp
[1] = s
->s2
->wlength
& 0xff;
615 pp
[2] = s
->s2
->padding
;
616 s
->s2
->wpend_len
+= 3;
618 pp
= s
->s2
->mac_data
;
620 pp
[0] = ((s
->s2
->wlength
>> 8) & (TWO_BYTE_MASK
>> 8)) | TWO_BYTE_BIT
;
621 pp
[1] = s
->s2
->wlength
& 0xff;
622 s
->s2
->wpend_len
+= 2;
624 s
->s2
->write_ptr
= pp
;
626 INC32(s
->s2
->write_sequence
); /* expect next number */
628 /* lets try to actually write the data */
629 s
->s2
->wpend_tot
= olen
;
630 s
->s2
->wpend_buf
= buf
;
632 s
->s2
->wpend_ret
= len
;
634 s
->s2
->wpend_off
= 0;
635 return (write_pending(s
, buf
, olen
));
638 int ssl2_part_read(SSL
*s
, unsigned long f
, int i
)
644 /* ssl2_return_error(s); */
646 * for non-blocking io, this is not necessarily fatal
653 * Check for error. While there are recoverable errors, this
654 * function is not called when those must be expected; any error
655 * detected here is fatal.
657 if (s
->init_num
>= 3) {
658 p
= (unsigned char *)s
->init_buf
->data
;
659 if (p
[0] == SSL2_MT_ERROR
) {
660 j
= (p
[1] << 8) | p
[2];
661 SSLerr((int)f
, ssl_mt_error(j
));
664 memmove(p
, p
+ 3, s
->init_num
);
669 * If it's not an error message, we have some error anyway -- the
670 * message was shorter than expected. This too is treated as fatal
671 * (at least if SSL_get_error is asked for its opinion).
677 int ssl2_do_write(SSL
*s
)
681 ret
= ssl2_write(s
, &s
->init_buf
->data
[s
->init_off
], s
->init_num
);
682 if (ret
== s
->init_num
) {
684 s
->msg_callback(1, s
->version
, 0, s
->init_buf
->data
,
685 (size_t)(s
->init_off
+ s
->init_num
), s
,
686 s
->msg_callback_arg
);
696 static int ssl_mt_error(int n
)
701 case SSL2_PE_NO_CIPHER
:
702 ret
= SSL_R_PEER_ERROR_NO_CIPHER
;
704 case SSL2_PE_NO_CERTIFICATE
:
705 ret
= SSL_R_PEER_ERROR_NO_CERTIFICATE
;
707 case SSL2_PE_BAD_CERTIFICATE
:
708 ret
= SSL_R_PEER_ERROR_CERTIFICATE
;
710 case SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE
:
711 ret
= SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE
;
714 ret
= SSL_R_UNKNOWN_REMOTE_ERROR_TYPE
;
719 #else /* !OPENSSL_NO_SSL2 */
722 static void *dummy
= &dummy
;