2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
112 #include "ssl_locl.h"
113 #ifndef OPENSSL_NO_SSL2
118 static int read_n(SSL
*s
, unsigned int n
, unsigned int max
,
119 unsigned int extend
);
120 static int do_ssl_write(SSL
*s
, const unsigned char *buf
, unsigned int len
);
121 static int write_pending(SSL
*s
, const unsigned char *buf
, unsigned int len
);
122 static int ssl_mt_error(int n
);
125 * SSL 2.0 imlementation for SSL_read/SSL_peek - This routine will return 0
126 * to len bytes, decrypted etc if required.
128 static int ssl2_read_internal(SSL
*s
, void *buf
, int len
, int peek
)
131 unsigned char mac
[MAX_MAC_SIZE
];
134 unsigned int mac_size
;
137 if (SSL_in_init(s
) && !s
->in_handshake
) {
138 n
= s
->handshake_func(s
);
142 SSLerr(SSL_F_SSL2_READ_INTERNAL
, SSL_R_SSL_HANDSHAKE_FAILURE
);
148 s
->rwstate
= SSL_NOTHING
;
152 if (s
->s2
->ract_data_length
!= 0) { /* read from buffer */
153 if (len
> s
->s2
->ract_data_length
)
154 n
= s
->s2
->ract_data_length
;
158 memcpy(buf
, s
->s2
->ract_data
, (unsigned int)n
);
160 s
->s2
->ract_data_length
-= n
;
161 s
->s2
->ract_data
+= n
;
162 if (s
->s2
->ract_data_length
== 0)
163 s
->rstate
= SSL_ST_READ_HEADER
;
170 * s->s2->ract_data_length == 0 Fill the buffer, then goto
174 if (s
->rstate
== SSL_ST_READ_HEADER
) {
175 if (s
->first_packet
) {
176 n
= read_n(s
, 5, SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
+ 2, 0);
178 return (n
); /* error or non-blocking */
181 if (!((p
[0] & 0x80) && ((p
[2] == SSL2_MT_CLIENT_HELLO
) ||
182 (p
[2] == SSL2_MT_SERVER_HELLO
)))) {
183 SSLerr(SSL_F_SSL2_READ_INTERNAL
,
184 SSL_R_NON_SSLV2_INITIAL_PACKET
);
188 n
= read_n(s
, 2, SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
+ 2, 0);
190 return (n
); /* error or non-blocking */
192 /* part read stuff */
194 s
->rstate
= SSL_ST_READ_BODY
;
201 s
->s2
->rlength
= (((unsigned int)p
[0]) << 8) | ((unsigned int)p
[1]);
202 if ((p
[0] & TWO_BYTE_BIT
)) { /* Two byte header? */
203 s
->s2
->three_byte_header
= 0;
204 s
->s2
->rlength
&= TWO_BYTE_MASK
;
206 s
->s2
->three_byte_header
= 1;
207 s
->s2
->rlength
&= THREE_BYTE_MASK
;
209 /* security >s2->escape */
210 s
->s2
->escape
= ((p
[0] & SEC_ESC_BIT
)) ? 1 : 0;
214 if (s
->rstate
== SSL_ST_READ_BODY
) {
215 n
= s
->s2
->rlength
+ 2 + s
->s2
->three_byte_header
;
216 if (n
> (int)s
->packet_length
) {
217 n
-= s
->packet_length
;
218 i
= read_n(s
, (unsigned int)n
, (unsigned int)n
, 1);
220 return (i
); /* ERROR */
224 s
->rstate
= SSL_ST_READ_HEADER
;
225 if (s
->s2
->three_byte_header
)
226 s
->s2
->padding
= *(p
++);
231 if (s
->s2
->clear_text
) {
234 s
->s2
->ract_data
= p
;
235 if (s
->s2
->padding
) {
236 SSLerr(SSL_F_SSL2_READ_INTERNAL
, SSL_R_ILLEGAL_PADDING
);
240 mac_size
= EVP_MD_size(s
->read_hash
);
241 OPENSSL_assert(mac_size
<= MAX_MAC_SIZE
);
243 s
->s2
->ract_data
= &p
[mac_size
];
244 if (s
->s2
->padding
+ mac_size
> s
->s2
->rlength
) {
245 SSLerr(SSL_F_SSL2_READ_INTERNAL
, SSL_R_ILLEGAL_PADDING
);
250 s
->s2
->ract_data_length
= s
->s2
->rlength
;
252 * added a check for length > max_size in case encryption was not
253 * turned on yet due to an error
255 if ((!s
->s2
->clear_text
) && (s
->s2
->rlength
>= mac_size
)) {
257 s
->s2
->ract_data_length
-= mac_size
;
259 s
->s2
->ract_data_length
-= s
->s2
->padding
;
260 if ((CRYPTO_memcmp(mac
, s
->s2
->mac_data
, mac_size
) != 0) ||
262 EVP_CIPHER_CTX_block_size(s
->enc_read_ctx
) != 0)) {
263 SSLerr(SSL_F_SSL2_READ_INTERNAL
, SSL_R_BAD_MAC_DECODE
);
267 INC32(s
->s2
->read_sequence
); /* expect next number */
268 /* s->s2->ract_data is now available for processing */
271 * Possibly the packet that we just read had 0 actual data bytes.
272 * (SSLeay/OpenSSL itself never sends such packets; see ssl2_write.)
273 * In this case, returning 0 would be interpreted by the caller as
274 * indicating EOF, so it's not a good idea. Instead, we just
275 * continue reading; thus ssl2_read_internal may have to process
276 * multiple packets before it can return. [Note that using select()
277 * for blocking sockets *never* guarantees that the next SSL_read
278 * will not block -- the available data may contain incomplete
279 * packets, and except for SSL 2, renegotiation can confuse things
283 goto ssl2_read_again
; /* This should really be "return
284 * ssl2_read(s,buf,len)", but that would
285 * allow for denial-of-service attacks if a C
286 * compiler is used that does not recognize
289 SSLerr(SSL_F_SSL2_READ_INTERNAL
, SSL_R_BAD_STATE
);
294 int ssl2_read(SSL
*s
, void *buf
, int len
)
296 return ssl2_read_internal(s
, buf
, len
, 0);
299 int ssl2_peek(SSL
*s
, void *buf
, int len
)
301 return ssl2_read_internal(s
, buf
, len
, 1);
304 static int read_n(SSL
*s
, unsigned int n
, unsigned int max
,
310 * if there is stuff still in the buffer from a previous read, and there
311 * is more than we want, take some.
313 if (s
->s2
->rbuf_left
>= (int)n
) {
315 s
->packet_length
+= n
;
317 s
->packet
= &(s
->s2
->rbuf
[s
->s2
->rbuf_offs
]);
318 s
->packet_length
= n
;
320 s
->s2
->rbuf_left
-= n
;
321 s
->s2
->rbuf_offs
+= n
;
327 if (max
> (unsigned int)(SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
+ 2))
328 max
= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
+ 2;
331 * Else we want more than we have. First, if there is some left or we
335 if ((s
->s2
->rbuf_left
!= 0) || ((s
->packet_length
!= 0) && extend
)) {
336 newb
= s
->s2
->rbuf_left
;
338 off
= s
->packet_length
;
339 if (s
->packet
!= s
->s2
->rbuf
)
340 memcpy(s
->s2
->rbuf
, s
->packet
, (unsigned int)newb
+ off
);
341 } else if (s
->s2
->rbuf_offs
!= 0) {
342 memcpy(s
->s2
->rbuf
, &(s
->s2
->rbuf
[s
->s2
->rbuf_offs
]),
344 s
->s2
->rbuf_offs
= 0;
346 s
->s2
->rbuf_left
= 0;
351 * off is the offset to start writing too. r->s2->rbuf_offs is the
352 * 'unread data', now 0. newb is the number of new bytes so far
354 s
->packet
= s
->s2
->rbuf
;
355 while (newb
< (int)n
) {
357 if (s
->rbio
!= NULL
) {
358 s
->rwstate
= SSL_READING
;
359 i
= BIO_read(s
->rbio
, (char *)&(s
->s2
->rbuf
[off
+ newb
]),
362 SSLerr(SSL_F_READ_N
, SSL_R_READ_BIO_NOT_SET
);
370 s
->s2
->rbuf_left
+= newb
;
376 /* record unread data */
378 s
->s2
->rbuf_offs
= n
+ off
;
379 s
->s2
->rbuf_left
= newb
- n
;
381 s
->s2
->rbuf_offs
= 0;
382 s
->s2
->rbuf_left
= 0;
385 s
->packet_length
+= n
;
387 s
->packet_length
= n
;
388 s
->rwstate
= SSL_NOTHING
;
392 int ssl2_write(SSL
*s
, const void *_buf
, int len
)
394 const unsigned char *buf
= _buf
;
398 if (SSL_in_init(s
) && !s
->in_handshake
) {
399 i
= s
->handshake_func(s
);
403 SSLerr(SSL_F_SSL2_WRITE
, SSL_R_SSL_HANDSHAKE_FAILURE
);
415 s
->rwstate
= SSL_NOTHING
;
424 i
= do_ssl_write(s
, &(buf
[tot
]), n
);
429 if ((i
== (int)n
) || (s
->mode
& SSL_MODE_ENABLE_PARTIAL_WRITE
)) {
438 static int write_pending(SSL
*s
, const unsigned char *buf
, unsigned int len
)
442 /* s->s2->wpend_len != 0 MUST be true. */
445 * check that they have given us the same buffer to write
447 if ((s
->s2
->wpend_tot
> (int)len
) ||
448 ((s
->s2
->wpend_buf
!= buf
) &&
449 !(s
->mode
& SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
))) {
450 SSLerr(SSL_F_WRITE_PENDING
, SSL_R_BAD_WRITE_RETRY
);
456 if (s
->wbio
!= NULL
) {
457 s
->rwstate
= SSL_WRITING
;
458 i
= BIO_write(s
->wbio
,
459 (char *)&(s
->s2
->write_ptr
[s
->s2
->wpend_off
]),
460 (unsigned int)s
->s2
->wpend_len
);
462 SSLerr(SSL_F_WRITE_PENDING
, SSL_R_WRITE_BIO_NOT_SET
);
469 if (i
== s
->s2
->wpend_len
) {
470 s
->s2
->wpend_len
= 0;
471 s
->rwstate
= SSL_NOTHING
;
472 return (s
->s2
->wpend_ret
);
475 s
->s2
->wpend_off
+= i
;
476 s
->s2
->wpend_len
-= i
;
480 static int do_ssl_write(SSL
*s
, const unsigned char *buf
, unsigned int len
)
482 unsigned int j
, k
, olen
, p
, mac_size
, bs
;
483 register unsigned char *pp
;
488 * first check if there is data from an encryption waiting to be sent -
489 * it must be sent because the other end is waiting. This will happen
490 * with non-blocking IO. We print it and then return.
492 if (s
->s2
->wpend_len
!= 0)
493 return (write_pending(s
, buf
, len
));
495 /* set mac_size to mac size */
496 if (s
->s2
->clear_text
)
499 mac_size
= EVP_MD_size(s
->write_hash
);
501 /* lets set the pad p */
502 if (s
->s2
->clear_text
) {
503 if (len
> SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
)
504 len
= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
;
506 s
->s2
->three_byte_header
= 0;
509 bs
= EVP_CIPHER_CTX_block_size(s
->enc_read_ctx
);
512 * Two-byte headers allow for a larger record length than three-byte
513 * headers, but we can't use them if we need padding or if we have to
514 * set the escape bit.
516 if ((j
> SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER
) && (!s
->s2
->escape
)) {
517 if (j
> SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
)
518 j
= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
;
520 * set k to the max number of bytes with 2 byte header
523 /* how many data bytes? */
525 s
->s2
->three_byte_header
= 0;
527 } else if ((bs
<= 1) && (!s
->s2
->escape
)) {
529 * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
530 * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
532 s
->s2
->three_byte_header
= 0;
534 } else { /* we may have to use a 3 byte header */
537 * If s->s2->escape is not set, then
538 * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
539 * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER.
542 p
= (p
== 0) ? 0 : (bs
- p
);
544 s
->s2
->three_byte_header
= 1;
545 if (j
> SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER
)
546 j
= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER
;
548 s
->s2
->three_byte_header
= (p
== 0) ? 0 : 1;
554 * j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
555 * holds, and if s->s2->three_byte_header is set, then even
556 * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER.
560 * mac_size is the number of MAC bytes len is the number of data bytes we
561 * are going to send p is the number of padding bytes (if it is a
562 * two-byte header, then p == 0)
565 s
->s2
->wlength
= len
;
567 s
->s2
->mac_data
= &(s
->s2
->wbuf
[3]);
568 s
->s2
->wact_data
= &(s
->s2
->wbuf
[3 + mac_size
]);
569 /* we copy the data into s->s2->wbuf */
570 memcpy(s
->s2
->wact_data
, buf
, len
);
572 memset(&(s
->s2
->wact_data
[len
]), 0, p
); /* arbitrary padding */
574 if (!s
->s2
->clear_text
) {
575 s
->s2
->wact_data_length
= len
+ p
;
576 ssl2_mac(s
, s
->s2
->mac_data
, 1);
577 s
->s2
->wlength
+= p
+ mac_size
;
581 /* package up the header */
582 s
->s2
->wpend_len
= s
->s2
->wlength
;
583 if (s
->s2
->three_byte_header
) { /* 3 byte header */
584 pp
= s
->s2
->mac_data
;
586 pp
[0] = (s
->s2
->wlength
>> 8) & (THREE_BYTE_MASK
>> 8);
588 pp
[0] |= SEC_ESC_BIT
;
589 pp
[1] = s
->s2
->wlength
& 0xff;
590 pp
[2] = s
->s2
->padding
;
591 s
->s2
->wpend_len
+= 3;
593 pp
= s
->s2
->mac_data
;
595 pp
[0] = ((s
->s2
->wlength
>> 8) & (TWO_BYTE_MASK
>> 8)) | TWO_BYTE_BIT
;
596 pp
[1] = s
->s2
->wlength
& 0xff;
597 s
->s2
->wpend_len
+= 2;
599 s
->s2
->write_ptr
= pp
;
601 INC32(s
->s2
->write_sequence
); /* expect next number */
603 /* lets try to actually write the data */
604 s
->s2
->wpend_tot
= olen
;
605 s
->s2
->wpend_buf
= buf
;
607 s
->s2
->wpend_ret
= len
;
609 s
->s2
->wpend_off
= 0;
610 return (write_pending(s
, buf
, olen
));
613 int ssl2_part_read(SSL
*s
, unsigned long f
, int i
)
619 /* ssl2_return_error(s); */
621 * for non-blocking io, this is not necessarily fatal
628 * Check for error. While there are recoverable errors, this
629 * function is not called when those must be expected; any error
630 * detected here is fatal.
632 if (s
->init_num
>= 3) {
633 p
= (unsigned char *)s
->init_buf
->data
;
634 if (p
[0] == SSL2_MT_ERROR
) {
635 j
= (p
[1] << 8) | p
[2];
636 SSLerr((int)f
, ssl_mt_error(j
));
639 memmove(p
, p
+ 3, s
->init_num
);
644 * If it's not an error message, we have some error anyway -- the
645 * message was shorter than expected. This too is treated as fatal
646 * (at least if SSL_get_error is asked for its opinion).
652 int ssl2_do_write(SSL
*s
)
656 ret
= ssl2_write(s
, &s
->init_buf
->data
[s
->init_off
], s
->init_num
);
657 if (ret
== s
->init_num
) {
659 s
->msg_callback(1, s
->version
, 0, s
->init_buf
->data
,
660 (size_t)(s
->init_off
+ s
->init_num
), s
,
661 s
->msg_callback_arg
);
671 static int ssl_mt_error(int n
)
676 case SSL2_PE_NO_CIPHER
:
677 ret
= SSL_R_PEER_ERROR_NO_CIPHER
;
679 case SSL2_PE_NO_CERTIFICATE
:
680 ret
= SSL_R_PEER_ERROR_NO_CERTIFICATE
;
682 case SSL2_PE_BAD_CERTIFICATE
:
683 ret
= SSL_R_PEER_ERROR_CERTIFICATE
;
685 case SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE
:
686 ret
= SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE
;
689 ret
= SSL_R_UNKNOWN_REMOTE_ERROR_TYPE
;
694 #else /* !OPENSSL_NO_SSL2 */
697 static void *dummy
= &dummy
;