• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.]
56  */
57 /* ====================================================================
58  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
59  *
60  * Redistribution and use in source and binary forms, with or without
61  * modification, are permitted provided that the following conditions
62  * are met:
63  *
64  * 1. Redistributions of source code must retain the above copyright
65  *    notice, this list of conditions and the following disclaimer.
66  *
67  * 2. Redistributions in binary form must reproduce the above copyright
68  *    notice, this list of conditions and the following disclaimer in
69  *    the documentation and/or other materials provided with the
70  *    distribution.
71  *
72  * 3. All advertising materials mentioning features or use of this
73  *    software must display the following acknowledgment:
74  *    "This product includes software developed by the OpenSSL Project
75  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76  *
77  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78  *    endorse or promote products derived from this software without
79  *    prior written permission. For written permission, please contact
80  *    openssl-core@openssl.org.
81  *
82  * 5. Products derived from this software may not be called "OpenSSL"
83  *    nor may "OpenSSL" appear in their names without prior written
84  *    permission of the OpenSSL Project.
85  *
86  * 6. Redistributions of any form whatsoever must retain the following
87  *    acknowledgment:
88  *    "This product includes software developed by the OpenSSL Project
89  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90  *
91  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
95  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102  * OF THE POSSIBILITY OF SUCH DAMAGE.
103  * ====================================================================
104  *
105  * This product includes cryptographic software written by Eric Young
106  * (eay@cryptsoft.com).  This product includes software written by Tim
107  * Hudson (tjh@cryptsoft.com). */
108 
109 #include <openssl/ssl.h>
110 
111 #include <assert.h>
112 #include <limits.h>
113 #include <stdio.h>
114 #include <string.h>
115 
116 #include <openssl/buf.h>
117 #include <openssl/err.h>
118 #include <openssl/evp.h>
119 #include <openssl/mem.h>
120 #include <openssl/rand.h>
121 
122 #include "internal.h"
123 
124 
125 static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len);
126 
127 /* kMaxWarningAlerts is the number of consecutive warning alerts that will be
128  * processed. */
129 static const uint8_t kMaxWarningAlerts = 4;
130 
131 /* ssl3_get_record reads a new input record. On success, it places it in
132  * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
133  * more data is needed. */
ssl3_get_record(SSL * ssl)134 static int ssl3_get_record(SSL *ssl) {
135   int ret;
136 again:
137   /* Ensure the buffer is large enough to decrypt in-place. */
138   ret = ssl_read_buffer_extend_to(ssl, ssl_record_prefix_len(ssl));
139   if (ret <= 0) {
140     return ret;
141   }
142   assert(ssl_read_buffer_len(ssl) >= ssl_record_prefix_len(ssl));
143 
144   uint8_t *out = ssl_read_buffer(ssl) + ssl_record_prefix_len(ssl);
145   size_t max_out = ssl_read_buffer_len(ssl) - ssl_record_prefix_len(ssl);
146   uint8_t type, alert;
147   size_t len, consumed;
148   switch (tls_open_record(ssl, &type, out, &len, &consumed, &alert, max_out,
149                           ssl_read_buffer(ssl), ssl_read_buffer_len(ssl))) {
150     case ssl_open_record_success:
151       ssl_read_buffer_consume(ssl, consumed);
152 
153       if (len > 0xffff) {
154         OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
155         return -1;
156       }
157 
158       SSL3_RECORD *rr = &ssl->s3->rrec;
159       rr->type = type;
160       rr->length = (uint16_t)len;
161       rr->data = out;
162       return 1;
163 
164     case ssl_open_record_partial:
165       ret = ssl_read_buffer_extend_to(ssl, consumed);
166       if (ret <= 0) {
167         return ret;
168       }
169       goto again;
170 
171     case ssl_open_record_discard:
172       ssl_read_buffer_consume(ssl, consumed);
173       goto again;
174 
175     case ssl_open_record_error:
176       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
177       return -1;
178   }
179 
180   assert(0);
181   OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
182   return -1;
183 }
184 
ssl3_write_app_data(SSL * ssl,const void * buf,int len)185 int ssl3_write_app_data(SSL *ssl, const void *buf, int len) {
186   return ssl3_write_bytes(ssl, SSL3_RT_APPLICATION_DATA, buf, len);
187 }
188 
189 /* Call this to write data in records of type |type|. It will return <= 0 if
190  * not all data has been sent or non-blocking IO. */
ssl3_write_bytes(SSL * ssl,int type,const void * buf_,int len)191 int ssl3_write_bytes(SSL *ssl, int type, const void *buf_, int len) {
192   const uint8_t *buf = buf_;
193   unsigned int tot, n, nw;
194   int i;
195 
196   ssl->rwstate = SSL_NOTHING;
197   assert(ssl->s3->wnum <= INT_MAX);
198   tot = ssl->s3->wnum;
199   ssl->s3->wnum = 0;
200 
201   if (!ssl->in_handshake && SSL_in_init(ssl) && !SSL_in_false_start(ssl)) {
202     i = ssl->handshake_func(ssl);
203     if (i < 0) {
204       return i;
205     }
206     if (i == 0) {
207       OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
208       return -1;
209     }
210   }
211 
212   /* Ensure that if we end up with a smaller value of data to write out than
213    * the the original len from a write which didn't complete for non-blocking
214    * I/O and also somehow ended up avoiding the check for this in
215    * ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to
216    * end up with (len-tot) as a large number that will then promptly send
217    * beyond the end of the users buffer ... so we trap and report the error in
218    * a way the user will notice. */
219   if (len < 0 || (size_t)len < tot) {
220     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH);
221     return -1;
222   }
223 
224   n = (len - tot);
225   for (;;) {
226     /* max contains the maximum number of bytes that we can put into a
227      * record. */
228     unsigned max = ssl->max_send_fragment;
229     if (n > max) {
230       nw = max;
231     } else {
232       nw = n;
233     }
234 
235     i = do_ssl3_write(ssl, type, &buf[tot], nw);
236     if (i <= 0) {
237       ssl->s3->wnum = tot;
238       return i;
239     }
240 
241     if (i == (int)n || (type == SSL3_RT_APPLICATION_DATA &&
242                         (ssl->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) {
243       return tot + i;
244     }
245 
246     n -= i;
247     tot += i;
248   }
249 }
250 
ssl3_write_pending(SSL * ssl,int type,const uint8_t * buf,unsigned int len)251 static int ssl3_write_pending(SSL *ssl, int type, const uint8_t *buf,
252                               unsigned int len) {
253   if (ssl->s3->wpend_tot > (int)len ||
254       (ssl->s3->wpend_buf != buf &&
255        !(ssl->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) ||
256       ssl->s3->wpend_type != type) {
257     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_WRITE_RETRY);
258     return -1;
259   }
260 
261   int ret = ssl_write_buffer_flush(ssl);
262   if (ret <= 0) {
263     return ret;
264   }
265   return ssl->s3->wpend_ret;
266 }
267 
268 /* do_ssl3_write writes an SSL record of the given type. */
do_ssl3_write(SSL * ssl,int type,const uint8_t * buf,unsigned len)269 static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) {
270   /* If there is still data from the previous record, flush it. */
271   if (ssl_write_buffer_is_pending(ssl)) {
272     return ssl3_write_pending(ssl, type, buf, len);
273   }
274 
275   /* If we have an alert to send, lets send it */
276   if (ssl->s3->alert_dispatch) {
277     int ret = ssl->method->ssl_dispatch_alert(ssl);
278     if (ret <= 0) {
279       return ret;
280     }
281     /* if it went, fall through and send more stuff */
282   }
283 
284   if (len > SSL3_RT_MAX_PLAIN_LENGTH) {
285     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
286     return -1;
287   }
288 
289   if (len == 0) {
290     return 0;
291   }
292 
293   size_t max_out = len + ssl_max_seal_overhead(ssl);
294   if (max_out < len) {
295     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
296     return -1;
297   }
298   uint8_t *out;
299   size_t ciphertext_len;
300   if (!ssl_write_buffer_init(ssl, &out, max_out) ||
301       !tls_seal_record(ssl, out, &ciphertext_len, max_out, type, buf, len)) {
302     return -1;
303   }
304   ssl_write_buffer_set_len(ssl, ciphertext_len);
305 
306   /* memorize arguments so that ssl3_write_pending can detect bad write retries
307    * later */
308   ssl->s3->wpend_tot = len;
309   ssl->s3->wpend_buf = buf;
310   ssl->s3->wpend_type = type;
311   ssl->s3->wpend_ret = len;
312 
313   /* we now just need to write the buffer */
314   return ssl3_write_pending(ssl, type, buf, len);
315 }
316 
ssl3_read_app_data(SSL * ssl,uint8_t * buf,int len,int peek)317 int ssl3_read_app_data(SSL *ssl, uint8_t *buf, int len, int peek) {
318   return ssl3_read_bytes(ssl, SSL3_RT_APPLICATION_DATA, buf, len, peek);
319 }
320 
ssl3_read_change_cipher_spec(SSL * ssl)321 int ssl3_read_change_cipher_spec(SSL *ssl) {
322   uint8_t byte;
323   int ret = ssl3_read_bytes(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, &byte, 1 /* len */,
324                             0 /* no peek */);
325   if (ret <= 0) {
326     return ret;
327   }
328   assert(ret == 1);
329 
330   if (ssl->s3->rrec.length != 0 || byte != SSL3_MT_CCS) {
331     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_CHANGE_CIPHER_SPEC);
332     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
333     return -1;
334   }
335 
336   if (ssl->msg_callback != NULL) {
337     ssl->msg_callback(0, ssl->version, SSL3_RT_CHANGE_CIPHER_SPEC, &byte, 1,
338                       ssl, ssl->msg_callback_arg);
339   }
340 
341   return 1;
342 }
343 
ssl3_read_close_notify(SSL * ssl)344 void ssl3_read_close_notify(SSL *ssl) {
345   ssl3_read_bytes(ssl, 0, NULL, 0, 0);
346 }
347 
ssl3_can_renegotiate(SSL * ssl)348 static int ssl3_can_renegotiate(SSL *ssl) {
349   switch (ssl->renegotiate_mode) {
350     case ssl_renegotiate_never:
351       return 0;
352     case ssl_renegotiate_once:
353       return ssl->s3->total_renegotiations == 0;
354     case ssl_renegotiate_freely:
355       return 1;
356     case ssl_renegotiate_ignore:
357       return 1;
358   }
359 
360   assert(0);
361   return 0;
362 }
363 
364 /* Return up to 'len' payload bytes received in 'type' records.
365  * 'type' is one of the following:
366  *
367  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
368  *   -  SSL3_RT_CHANGE_CIPHER_SPEC (when ssl3_read_change_cipher_spec calls us)
369  *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read_app_data calls us)
370  *   -  0 (during a shutdown, no data has to be returned)
371  *
372  * If we don't have stored data to work from, read a SSL/TLS record first
373  * (possibly multiple records if we still don't have anything to return).
374  *
375  * This function must handle any surprises the peer may have for us, such as
376  * Alert records (e.g. close_notify) or renegotiation requests. */
ssl3_read_bytes(SSL * ssl,int type,uint8_t * buf,int len,int peek)377 int ssl3_read_bytes(SSL *ssl, int type, uint8_t *buf, int len, int peek) {
378   int al, i, ret;
379   unsigned int n;
380   SSL3_RECORD *rr;
381   void (*cb)(const SSL *ssl, int type, int value) = NULL;
382 
383   if ((type && type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE &&
384        type != SSL3_RT_CHANGE_CIPHER_SPEC) ||
385       (peek && type != SSL3_RT_APPLICATION_DATA)) {
386     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
387     return -1;
388   }
389 
390   /* This may require multiple iterations. False Start will cause
391    * |ssl->handshake_func| to signal success one step early, but the handshake
392    * must be completely finished before other modes are accepted.
393    *
394    * TODO(davidben): Move this check up to a higher level. */
395   while (!ssl->in_handshake && SSL_in_init(ssl)) {
396     assert(type == SSL3_RT_APPLICATION_DATA);
397     i = ssl->handshake_func(ssl);
398     if (i < 0) {
399       return i;
400     }
401     if (i == 0) {
402       OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
403       return -1;
404     }
405   }
406 
407 start:
408   ssl->rwstate = SSL_NOTHING;
409 
410   /* ssl->s3->rrec.type    - is the type of record
411    * ssl->s3->rrec.data    - data
412    * ssl->s3->rrec.off     - offset into 'data' for next read
413    * ssl->s3->rrec.length  - number of bytes. */
414   rr = &ssl->s3->rrec;
415 
416   /* get new packet if necessary */
417   if (rr->length == 0) {
418     ret = ssl3_get_record(ssl);
419     if (ret <= 0) {
420       return ret;
421     }
422   }
423 
424   /* we now have a packet which can be read and processed */
425 
426   /* If the other end has shut down, throw anything we read away (even in
427    * 'peek' mode) */
428   if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN) {
429     rr->length = 0;
430     ssl->rwstate = SSL_NOTHING;
431     return 0;
432   }
433 
434   if (type != 0 && type == rr->type) {
435     ssl->s3->warning_alert_count = 0;
436 
437     /* Make sure that we are not getting application data when we are doing a
438      * handshake for the first time. */
439     if (SSL_in_init(ssl) && type == SSL3_RT_APPLICATION_DATA &&
440         ssl->aead_read_ctx == NULL) {
441       /* TODO(davidben): Is this check redundant with the handshake_func
442        * check? */
443       al = SSL_AD_UNEXPECTED_MESSAGE;
444       OPENSSL_PUT_ERROR(SSL, SSL_R_APP_DATA_IN_HANDSHAKE);
445       goto f_err;
446     }
447 
448     /* Discard empty records. */
449     if (rr->length == 0) {
450       goto start;
451     }
452 
453     if (len <= 0) {
454       return len;
455     }
456 
457     if ((unsigned int)len > rr->length) {
458       n = rr->length;
459     } else {
460       n = (unsigned int)len;
461     }
462 
463     memcpy(buf, rr->data, n);
464     if (!peek) {
465       rr->length -= n;
466       rr->data += n;
467       if (rr->length == 0) {
468         /* The record has been consumed, so we may now clear the buffer. */
469         ssl_read_buffer_discard(ssl);
470       }
471     }
472 
473     return n;
474   }
475 
476   /* Process unexpected records. */
477 
478   if (type == SSL3_RT_APPLICATION_DATA && rr->type == SSL3_RT_HANDSHAKE) {
479     /* If peer renegotiations are disabled, all out-of-order handshake records
480      * are fatal. Renegotiations as a server are never supported. */
481     if (ssl->server || !ssl3_can_renegotiate(ssl)) {
482       al = SSL_AD_NO_RENEGOTIATION;
483       OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
484       goto f_err;
485     }
486 
487     /* This must be a HelloRequest, possibly fragmented over multiple records.
488      * Consume data from the handshake protocol until it is complete. */
489     static const uint8_t kHelloRequest[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
490     while (ssl->s3->hello_request_len < sizeof(kHelloRequest)) {
491       if (rr->length == 0) {
492         /* Get a new record. */
493         goto start;
494       }
495       if (rr->data[0] != kHelloRequest[ssl->s3->hello_request_len]) {
496         al = SSL_AD_DECODE_ERROR;
497         OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST);
498         goto f_err;
499       }
500       rr->data++;
501       rr->length--;
502       ssl->s3->hello_request_len++;
503     }
504     ssl->s3->hello_request_len = 0;
505 
506     if (ssl->msg_callback) {
507       ssl->msg_callback(0, ssl->version, SSL3_RT_HANDSHAKE, kHelloRequest,
508                       sizeof(kHelloRequest), ssl, ssl->msg_callback_arg);
509     }
510 
511     if (!SSL_is_init_finished(ssl) || !ssl->s3->initial_handshake_complete) {
512       /* This cannot happen. If a handshake is in progress, |type| must be
513        * |SSL3_RT_HANDSHAKE|. */
514       assert(0);
515       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
516       goto err;
517     }
518 
519     if (ssl->renegotiate_mode == ssl_renegotiate_ignore) {
520       goto start;
521     }
522 
523     /* Renegotiation is only supported at quiescent points in the application
524      * protocol, namely in HTTPS, just before reading the HTTP response. Require
525      * the record-layer be idle and avoid complexities of sending a handshake
526      * record while an application_data record is being written. */
527     if (ssl_write_buffer_is_pending(ssl)) {
528       al = SSL_AD_NO_RENEGOTIATION;
529       OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
530       goto f_err;
531     }
532 
533     /* Begin a new handshake. */
534     ssl->s3->total_renegotiations++;
535     ssl->state = SSL_ST_CONNECT;
536     i = ssl->handshake_func(ssl);
537     if (i < 0) {
538       return i;
539     }
540     if (i == 0) {
541       OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
542       return -1;
543     }
544 
545     /* The handshake completed synchronously. Continue reading records. */
546     goto start;
547   }
548 
549   /* If an alert record, process one alert out of the record. Note that we allow
550    * a single record to contain multiple alerts. */
551   if (rr->type == SSL3_RT_ALERT) {
552     /* Alerts may not be fragmented. */
553     if (rr->length < 2) {
554       al = SSL_AD_DECODE_ERROR;
555       OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
556       goto f_err;
557     }
558 
559     if (ssl->msg_callback) {
560       ssl->msg_callback(0, ssl->version, SSL3_RT_ALERT, rr->data, 2, ssl,
561                         ssl->msg_callback_arg);
562     }
563     const uint8_t alert_level = rr->data[0];
564     const uint8_t alert_descr = rr->data[1];
565     rr->length -= 2;
566     rr->data += 2;
567 
568     if (ssl->info_callback != NULL) {
569       cb = ssl->info_callback;
570     } else if (ssl->ctx->info_callback != NULL) {
571       cb = ssl->ctx->info_callback;
572     }
573 
574     if (cb != NULL) {
575       uint16_t alert = (alert_level << 8) | alert_descr;
576       cb(ssl, SSL_CB_READ_ALERT, alert);
577     }
578 
579     if (alert_level == SSL3_AL_WARNING) {
580       ssl->s3->warn_alert = alert_descr;
581       if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
582         ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
583         return 0;
584       }
585 
586       /* This is a warning but we receive it if we requested renegotiation and
587        * the peer denied it. Terminate with a fatal alert because if
588        * application tried to renegotiatie it presumably had a good reason and
589        * expects it to succeed.
590        *
591        * In future we might have a renegotiation where we don't care if the
592        * peer refused it where we carry on. */
593       else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
594         al = SSL_AD_HANDSHAKE_FAILURE;
595         OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
596         goto f_err;
597       }
598 
599       ssl->s3->warning_alert_count++;
600       if (ssl->s3->warning_alert_count > kMaxWarningAlerts) {
601         al = SSL_AD_UNEXPECTED_MESSAGE;
602         OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_WARNING_ALERTS);
603         goto f_err;
604       }
605     } else if (alert_level == SSL3_AL_FATAL) {
606       char tmp[16];
607 
608       ssl->rwstate = SSL_NOTHING;
609       ssl->s3->fatal_alert = alert_descr;
610       OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr);
611       BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr);
612       ERR_add_error_data(2, "SSL alert number ", tmp);
613       ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
614       SSL_CTX_remove_session(ssl->ctx, ssl->session);
615       return 0;
616     } else {
617       al = SSL_AD_ILLEGAL_PARAMETER;
618       OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_ALERT_TYPE);
619       goto f_err;
620     }
621 
622     goto start;
623   }
624 
625   if (ssl->shutdown & SSL_SENT_SHUTDOWN) {
626     /* close_notify has been sent, so discard all records other than alerts. */
627     rr->length = 0;
628     goto start;
629   }
630 
631   al = SSL_AD_UNEXPECTED_MESSAGE;
632   OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
633 
634 f_err:
635   ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
636 err:
637   return -1;
638 }
639 
ssl3_do_change_cipher_spec(SSL * ssl)640 int ssl3_do_change_cipher_spec(SSL *ssl) {
641   int i;
642 
643   if (ssl->state & SSL_ST_ACCEPT) {
644     i = SSL3_CHANGE_CIPHER_SERVER_READ;
645   } else {
646     i = SSL3_CHANGE_CIPHER_CLIENT_READ;
647   }
648 
649   if (ssl->s3->tmp.key_block == NULL) {
650     if (ssl->session == NULL || ssl->session->master_key_length == 0) {
651       /* might happen if dtls1_read_bytes() calls this */
652       OPENSSL_PUT_ERROR(SSL, SSL_R_CCS_RECEIVED_EARLY);
653       return 0;
654     }
655 
656     ssl->session->cipher = ssl->s3->tmp.new_cipher;
657     if (!ssl->enc_method->setup_key_block(ssl)) {
658       return 0;
659     }
660   }
661 
662   if (!ssl->enc_method->change_cipher_state(ssl, i)) {
663     return 0;
664   }
665 
666   return 1;
667 }
668 
ssl3_send_alert(SSL * ssl,int level,int desc)669 int ssl3_send_alert(SSL *ssl, int level, int desc) {
670   /* Map tls/ssl alert value to correct one */
671   desc = ssl->enc_method->alert_value(desc);
672   if (ssl->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION) {
673     /* SSL 3.0 does not have protocol_version alerts */
674     desc = SSL_AD_HANDSHAKE_FAILURE;
675   }
676   if (desc < 0) {
677     return -1;
678   }
679 
680   /* If a fatal one, remove from cache */
681   if (level == 2 && ssl->session != NULL) {
682     SSL_CTX_remove_session(ssl->ctx, ssl->session);
683   }
684 
685   ssl->s3->alert_dispatch = 1;
686   ssl->s3->send_alert[0] = level;
687   ssl->s3->send_alert[1] = desc;
688   if (!ssl_write_buffer_is_pending(ssl)) {
689     /* Nothing is being written out, so the alert may be dispatched
690      * immediately. */
691     return ssl->method->ssl_dispatch_alert(ssl);
692   }
693 
694   /* else data is still being written out, we will get written some time in the
695    * future */
696   return -1;
697 }
698 
ssl3_dispatch_alert(SSL * ssl)699 int ssl3_dispatch_alert(SSL *ssl) {
700   int i, j;
701   void (*cb)(const SSL *ssl, int type, int value) = NULL;
702 
703   ssl->s3->alert_dispatch = 0;
704   i = do_ssl3_write(ssl, SSL3_RT_ALERT, &ssl->s3->send_alert[0], 2);
705   if (i <= 0) {
706     ssl->s3->alert_dispatch = 1;
707   } else {
708     /* Alert sent to BIO.  If it is important, flush it now. If the message
709      * does not get sent due to non-blocking IO, we will not worry too much. */
710     if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
711       BIO_flush(ssl->wbio);
712     }
713 
714     if (ssl->msg_callback) {
715       ssl->msg_callback(1, ssl->version, SSL3_RT_ALERT, ssl->s3->send_alert, 2,
716                         ssl, ssl->msg_callback_arg);
717     }
718 
719     if (ssl->info_callback != NULL) {
720       cb = ssl->info_callback;
721     } else if (ssl->ctx->info_callback != NULL) {
722       cb = ssl->ctx->info_callback;
723     }
724 
725     if (cb != NULL) {
726       j = (ssl->s3->send_alert[0] << 8) | ssl->s3->send_alert[1];
727       cb(ssl, SSL_CB_WRITE_ALERT, j);
728     }
729   }
730 
731   return i;
732 }
733