int ssl3_send_alert(SSL *ssl, int level, int desc) {
/* It is illegal to send an alert when we've already sent a closing one. */
if (ssl->s3->send_shutdown != ssl_shutdown_none) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
return -1;
}
if (level == SSL3_AL_FATAL) {
if (ssl->session != NULL) {
SSL_CTX_remove_session(ssl->ctx, ssl->session);
}
ssl->s3->send_shutdown = ssl_shutdown_fatal_alert;
} else if (level == SSL3_AL_WARNING && desc == SSL_AD_CLOSE_NOTIFY) {
ssl->s3->send_shutdown = ssl_shutdown_close_notify;
}
ssl->s3->alert_dispatch = 1;
ssl->s3->send_alert[0] = level;
ssl->s3->send_alert[1] = desc;
if (!ssl_write_buffer_is_pending(ssl)) {
/* Nothing is being written out, so the alert may be dispatched
* immediately. */
return ssl->method->dispatch_alert(ssl);
}
/* The alert will be dispatched later. */
return -1;
}
int ssl3_send_alert(SSL *s, int level, int desc)
{
/* Map tls/ssl alert value to correct one */
desc = s->method->ssl3_enc->alert_value(desc);
if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have
* protocol_version alerts */
if (desc < 0)
return -1;
/* If a fatal one, remove from cache */
if ((level == SSL3_AL_FATAL) && (s->session != NULL))
SSL_CTX_remove_session(s->ctx, s->session);
s->s3->alert_dispatch = 1;
s->s3->send_alert[0] = level;
s->s3->send_alert[1] = desc;
if (!RECORD_LAYER_write_pending(&s->rlayer)) {
/* data still being written out? */
return s->method->ssl_dispatch_alert(s);
}
/*
* else data is still being written out, we will get written some time in
* the future
*/
return -1;
}
static int openssl_ssl_ctx_sessions(lua_State*L)
{
SSL_CTX* ctx = CHECK_OBJECT(1, SSL_CTX, "openssl.ssl_ctx");
if (lua_isstring(L, 2))
{
size_t s;
unsigned char* sid_ctx = (unsigned char*)luaL_checklstring(L, 2, &s);
int ret = SSL_CTX_set_session_id_context(ctx, sid_ctx, s);
lua_pushboolean(L, ret);
return 1;
}
else
{
SSL_SESSION *s = CHECK_OBJECT(2, SSL_SESSION, "openssl.ssl_session");
int add = 1;
if (!lua_isnoneornil(L, 3))
add = auxiliar_checkboolean(L, 3);
if (add)
add = SSL_CTX_add_session(ctx, s);
else
add = SSL_CTX_remove_session(ctx, s);
lua_pushboolean(L, add);
return 1;
}
}
int ssl3_send_alert(SSL *s, int level, int desc) {
/* Map tls/ssl alert value to correct one */
desc = s->enc_method->alert_value(desc);
if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION) {
/* SSL 3.0 does not have protocol_version alerts */
desc = SSL_AD_HANDSHAKE_FAILURE;
}
if (desc < 0) {
return -1;
}
/* If a fatal one, remove from cache */
if (level == 2 && s->session != NULL) {
SSL_CTX_remove_session(s->ctx, s->session);
}
s->s3->alert_dispatch = 1;
s->s3->send_alert[0] = level;
s->s3->send_alert[1] = desc;
if (!ssl_write_buffer_is_pending(s)) {
/* Nothing is being written out, so the alert may be dispatched
* immediately. */
return s->method->ssl_dispatch_alert(s);
}
/* else data is still being written out, we will get written some time in the
* future */
return -1;
}
BOOL tls_send_alert(rdpTls* tls)
{
if (!tls)
return FALSE;
if (!tls->ssl)
return TRUE;
if (tls->alertDescription != TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY)
{
/**
* OpenSSL doesn't really expose an API for sending a TLS alert manually.
*
* The following code disables the sending of the default "close notify"
* and then proceeds to force sending a custom TLS alert before shutting down.
*
* Manually sending a TLS alert is necessary in certain cases,
* like when server-side NLA results in an authentication failure.
*/
SSL_set_quiet_shutdown(tls->ssl, 1);
if ((tls->alertLevel == TLS_ALERT_LEVEL_FATAL) && (tls->ssl->session))
SSL_CTX_remove_session(tls->ssl->ctx, tls->ssl->session);
tls->ssl->s3->alert_dispatch = 1;
tls->ssl->s3->send_alert[0] = tls->alertLevel;
tls->ssl->s3->send_alert[1] = tls->alertDescription;
if (tls->ssl->s3->wbuf.left == 0)
tls->ssl->method->ssl_dispatch_alert(tls->ssl);
}
return TRUE;
}
int ssl_clear_bad_session(SSL *ssl) {
if (ssl->session != NULL && !(ssl->shutdown & SSL_SENT_SHUTDOWN) &&
!SSL_in_init(ssl)) {
SSL_CTX_remove_session(ssl->ctx, ssl->session);
return 1;
}
return 0;
}
int ssl_clear_bad_session(SSL *s)
{
if ((s->session != NULL) &&
!(s->shutdown & SSL_SENT_SHUTDOWN) &&
!(SSL_in_init(s) || SSL_in_before(s))) {
SSL_CTX_remove_session(s->session_ctx, s->session);
return (1);
} else
return (0);
}
void ssl_teardown(SSL_CTX *ctx, SSL * conn ){
SSL_SESSION *session = NULL;
session = SSL_get_session (conn);
if (session)
SSL_CTX_remove_session (ctx, session);
if (conn)
SSL_free (conn);
}
/*
* call-seq:
* ctx.session_remove(session) -> true | false
*
*/
static VALUE
ossl_sslctx_session_remove(VALUE self, VALUE arg)
{
SSL_CTX *ctx;
SSL_SESSION *sess;
Data_Get_Struct(self, SSL_CTX, ctx);
SafeGetSSLSession(arg, sess);
return SSL_CTX_remove_session(ctx, sess) == 1 ? Qtrue : Qfalse;
}
static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext)
{
SSL_SESSION *session = SSL_get_session(TLScontext->con);
SSL_CTX_remove_session(ctx, session);
if (TLScontext->cache_type == 0 || TLScontext->serverid == 0)
return;
if (TLScontext->log_level >= 2)
acl_msg_info("remove session %s from client cache", TLScontext->serverid);
tls_mgr_delete(TLScontext->cache_type, TLScontext->serverid);
}
static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext)
{
SSL_SESSION *session = SSL_get_session(TLScontext->con);
SSL_CTX_remove_session(ctx, session);
if (TLScontext->cache_type == 0 || TLScontext->serverid == 0)
return;
if (TLScontext->log_mask & TLS_LOG_CACHE)
/* serverid contains transport:addr:port information */
msg_info("remove session %s from client cache", TLScontext->serverid);
tls_mgr_delete(TLScontext->cache_type, TLScontext->serverid);
}
BOOL tls_send_alert(rdpTls* tls)
{
if (!tls)
return FALSE;
if (!tls->ssl)
return TRUE;
/**
* FIXME: The following code does not work on OpenSSL > 1.1.0 because the
* SSL struct is opaqe now
*/
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (tls->alertDescription != TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY)
{
/**
* OpenSSL doesn't really expose an API for sending a TLS alert manually.
*
* The following code disables the sending of the default "close notify"
* and then proceeds to force sending a custom TLS alert before shutting down.
*
* Manually sending a TLS alert is necessary in certain cases,
* like when server-side NLA results in an authentication failure.
*/
SSL_SESSION* ssl_session = SSL_get_session(tls->ssl);
SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(tls->ssl);
SSL_set_quiet_shutdown(tls->ssl, 1);
if ((tls->alertLevel == TLS_ALERT_LEVEL_FATAL) && (ssl_session))
SSL_CTX_remove_session(ssl_ctx, ssl_session);
tls->ssl->s3->alert_dispatch = 1;
tls->ssl->s3->send_alert[0] = tls->alertLevel;
tls->ssl->s3->send_alert[1] = tls->alertDescription;
if (tls->ssl->s3->wbuf.left == 0)
tls->ssl->method->ssl_dispatch_alert(tls->ssl);
}
#endif
return TRUE;
}
int ssl3_send_alert(SSL *ssl, int level, int desc) {
/* If a fatal one, remove from cache */
if (level == 2 && ssl->session != NULL) {
SSL_CTX_remove_session(ssl->ctx, ssl->session);
}
ssl->s3->alert_dispatch = 1;
ssl->s3->send_alert[0] = level;
ssl->s3->send_alert[1] = desc;
if (!ssl_write_buffer_is_pending(ssl)) {
/* Nothing is being written out, so the alert may be dispatched
* immediately. */
return ssl->method->ssl_dispatch_alert(ssl);
}
/* else data is still being written out, we will get written some time in the
* future */
return -1;
}
int eaptls_fail(EAP_HANDLER *handler, int peap_flag)
{
EAPTLS_PACKET reply;
tls_session_t *tls_session = handler->opaque;
reply.code = EAPTLS_FAIL;
reply.length = TLS_HEADER_LEN;
reply.flags = peap_flag;
reply.data = NULL;
reply.dlen = 0;
/*
* Force the session to NOT be cached.
*/
SSL_CTX_remove_session(tls_session->ctx, tls_session->ssl->session);
eaptls_compose(handler->eap_ds, &reply);
return 1;
}
static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext)
{
VSTRING *cache_id;
SSL_SESSION *session = SSL_get_session(TLScontext->con);
SSL_CTX_remove_session(ctx, session);
if (TLScontext->cache_type == 0)
return;
GEN_CACHE_ID(cache_id, session->session_id, session->session_id_length,
TLScontext->serverid);
if (TLScontext->log_level >= 2)
msg_info("%s: remove session %s from %s cache", TLScontext->namaddr,
STR(cache_id), TLScontext->cache_type);
tls_mgr_delete(TLScontext->cache_type, STR(cache_id));
vstring_free(cache_id);
}
/* Return up to 'len' payload bytes received in 'type' records.
* 'type' is one of the following:
*
* - SSL3_RT_HANDSHAKE (when dtls1_get_message calls us)
* - SSL3_RT_CHANGE_CIPHER_SPEC (when dtls1_read_change_cipher_spec calls us)
* - SSL3_RT_APPLICATION_DATA (when dtls1_read_app_data calls us)
*
* If we don't have stored data to work from, read a DTLS record first (possibly
* multiple records if we still don't have anything to return).
*
* This function must handle any surprises the peer may have for us, such as
* Alert records (e.g. close_notify) and out of records. */
int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) {
int al, i, ret;
unsigned int n;
SSL3_RECORD *rr;
void (*cb)(const SSL *ssl, int type, int value) = NULL;
if ((type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE &&
type != SSL3_RT_CHANGE_CIPHER_SPEC) ||
(peek && type != SSL3_RT_APPLICATION_DATA)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return -1;
}
if (!s->in_handshake && SSL_in_init(s)) {
/* type == SSL3_RT_APPLICATION_DATA */
i = s->handshake_func(s);
if (i < 0) {
return i;
}
if (i == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
return -1;
}
}
start:
s->rwstate = SSL_NOTHING;
/* s->s3->rrec.type - is the type of record
* s->s3->rrec.data - data
* s->s3->rrec.off - offset into 'data' for next read
* s->s3->rrec.length - number of bytes. */
rr = &s->s3->rrec;
/* Check for timeout */
if (DTLSv1_handle_timeout(s) > 0) {
goto start;
}
/* get new packet if necessary */
if (rr->length == 0) {
ret = dtls1_get_record(s);
if (ret <= 0) {
ret = dtls1_read_failed(s, ret);
/* anything other than a timeout is an error */
if (ret <= 0) {
return ret;
} else {
goto start;
}
}
}
/* we now have a packet which can be read and processed */
/* If the other end has shut down, throw anything we read away (even in
* 'peek' mode) */
if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
rr->length = 0;
s->rwstate = SSL_NOTHING;
return 0;
}
if (type == rr->type) {
/* Make sure that we are not getting application data when we
* are doing a handshake for the first time. */
if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
(s->aead_read_ctx == NULL)) {
/* TODO(davidben): Is this check redundant with the handshake_func
* check? */
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_APP_DATA_IN_HANDSHAKE);
goto f_err;
}
/* Discard empty records. */
if (rr->length == 0) {
goto start;
}
if (len <= 0) {
return len;
}
if ((unsigned int)len > rr->length) {
n = rr->length;
} else {
n = (unsigned int)len;
}
memcpy(buf, rr->data, n);
if (!peek) {
rr->length -= n;
rr->data += n;
if (rr->length == 0) {
/* The record has been consumed, so we may now clear the buffer. */
ssl_read_buffer_discard(s);
}
}
return n;
}
/* If we get here, then type != rr->type. */
/* If an alert record, process one alert out of the record. Note that we allow
* a single record to contain multiple alerts. */
if (rr->type == SSL3_RT_ALERT) {
/* Alerts may not be fragmented. */
if (rr->length < 2) {
al = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
goto f_err;
}
if (s->msg_callback) {
s->msg_callback(0, s->version, SSL3_RT_ALERT, rr->data, 2, s,
s->msg_callback_arg);
}
const uint8_t alert_level = rr->data[0];
const uint8_t alert_descr = rr->data[1];
rr->length -= 2;
rr->data += 2;
if (s->info_callback != NULL) {
cb = s->info_callback;
} else if (s->ctx->info_callback != NULL) {
cb = s->ctx->info_callback;
}
if (cb != NULL) {
uint16_t alert = (alert_level << 8) | alert_descr;
cb(s, SSL_CB_READ_ALERT, alert);
}
if (alert_level == SSL3_AL_WARNING) {
s->s3->warn_alert = alert_descr;
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return 0;
}
} else if (alert_level == SSL3_AL_FATAL) {
char tmp[16];
s->rwstate = SSL_NOTHING;
s->s3->fatal_alert = alert_descr;
OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr);
BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);
ERR_add_error_data(2, "SSL alert number ", tmp);
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL_CTX_remove_session(s->ctx, s->session);
return 0;
} else {
al = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_ALERT_TYPE);
goto f_err;
}
goto start;
}
/* Cross-epoch records are discarded, but we may receive out-of-order
* application data between ChangeCipherSpec and Finished or a ChangeCipherSpec
* before the appropriate point in the handshake. Those must be silently
* discarded.
*
* However, only allow the out-of-order records in the correct epoch.
* Application data must come in the encrypted epoch, and ChangeCipherSpec in
* the unencrypted epoch (we never renegotiate). Other cases fall through and
* fail with a fatal error. */
if ((rr->type == SSL3_RT_APPLICATION_DATA && s->aead_read_ctx != NULL) ||
(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC && s->aead_read_ctx == NULL)) {
rr->length = 0;
goto start;
}
if (rr->type == SSL3_RT_HANDSHAKE) {
if (type != SSL3_RT_APPLICATION_DATA) {
/* Out-of-order handshake record while looking for ChangeCipherSpec. Drop
* it silently. */
assert(type == SSL3_RT_CHANGE_CIPHER_SPEC);
rr->length = 0;
goto start;
}
/* Parse the first fragment header to determine if this is a pre-CCS or
* post-CCS handshake record. DTLS resets handshake message numbers on each
* handshake, so renegotiations and retransmissions are ambiguous. */
if (rr->length < DTLS1_HM_HEADER_LENGTH) {
al = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HANDSHAKE_RECORD);
goto f_err;
}
struct hm_header_st msg_hdr;
dtls1_get_message_header(rr->data, &msg_hdr);
if (msg_hdr.type == SSL3_MT_FINISHED) {
if (msg_hdr.frag_off == 0) {
/* Retransmit our last flight of messages. If the peer sends the second
* Finished, they may not have received ours. Only do this for the
* first fragment, in case the Finished was fragmented. */
if (dtls1_check_timeout_num(s) < 0) {
return -1;
}
dtls1_retransmit_buffered_messages(s);
}
rr->length = 0;
goto start;
}
/* Otherwise, this is a pre-CCS handshake message from an unsupported
* renegotiation attempt. Fall through to the error path. */
}
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return -1;
}
static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl1 = NULL, *clientssl1 = NULL;
SSL *serverssl2 = NULL, *clientssl2 = NULL;
#ifndef OPENSSL_NO_TLS1_1
SSL *serverssl3 = NULL, *clientssl3 = NULL;
#endif
SSL_SESSION *sess1 = NULL, *sess2 = NULL;
int testresult = 0;
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
#ifndef OPENSSL_NO_TLS1_2
/* Only allow TLS1.2 so we can force a connection failure later */
SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION);
#endif
/* Set up session cache */
if (fix.use_ext_cache) {
SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
}
if (fix.use_int_cache) {
/* Also covers instance where both are set */
SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
} else {
SSL_CTX_set_session_cache_mode(cctx,
SSL_SESS_CACHE_CLIENT
| SSL_SESS_CACHE_NO_INTERNAL_STORE);
}
if (!create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, NULL,
NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
if (!create_ssl_connection(serverssl1, clientssl1)) {
printf("Unable to create SSL connection\n");
goto end;
}
sess1 = SSL_get1_session(clientssl1);
if (sess1 == NULL) {
printf("Unexpected NULL session\n");
goto end;
}
if (fix.use_int_cache && SSL_CTX_add_session(cctx, sess1)) {
/* Should have failed because it should already be in the cache */
printf("Unexpected success adding session to cache\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 1 || remove_called != 0)) {
printf("Session not added to cache\n");
goto end;
}
if (!create_ssl_objects(sctx, cctx, &serverssl2, &clientssl2, NULL, NULL)) {
printf("Unable to create second SSL objects\n");
goto end;
}
if (!create_ssl_connection(serverssl2, clientssl2)) {
printf("Unable to create second SSL connection\n");
goto end;
}
sess2 = SSL_get1_session(clientssl2);
if (sess2 == NULL) {
printf("Unexpected NULL session from clientssl2\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 0)) {
printf("Remove session callback unexpectedly called\n");
goto end;
}
/*
* This should clear sess2 from the cache because it is a "bad" session. See
* SSL_set_session() documentation.
*/
if (!SSL_set_session(clientssl2, sess1)) {
printf("Unexpected failure setting session\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 1)) {
printf("Failed to call callback to remove session\n");
goto end;
}
if (SSL_get_session(clientssl2) != sess1) {
printf("Unexpected session found\n");
goto end;
}
if (fix.use_int_cache) {
if (!SSL_CTX_add_session(cctx, sess2)) {
/*
* Should have succeeded because it should not already be in the cache
*/
printf("Unexpected failure adding session to cache\n");
goto end;
}
if (!SSL_CTX_remove_session(cctx, sess2)) {
printf("Unexpected failure removing session from cache\n");
goto end;
}
/* This is for the purposes of internal cache testing...ignore the
* counter for external cache
*/
if (fix.use_ext_cache)
remove_called--;
}
/* This shouldn't be in the cache so should fail */
if (SSL_CTX_remove_session(cctx, sess2)) {
printf("Unexpected success removing session from cache\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 2)) {
printf("Failed to call callback to remove session #2\n");
goto end;
}
#if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2)
/* Force a connection failure */
SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
if (!create_ssl_objects(sctx, cctx, &serverssl3, &clientssl3, NULL, NULL)) {
printf("Unable to create third SSL objects\n");
goto end;
}
if (!SSL_set_session(clientssl3, sess1)) {
printf("Unable to set session for third connection\n");
goto end;
}
/* This should fail because of the mismatched protocol versions */
if (create_ssl_connection(serverssl3, clientssl3)) {
printf("Unable to create third SSL connection\n");
goto end;
}
/* We should have automatically removed the session from the cache */
if (fix.use_ext_cache && (new_called != 2 || remove_called != 3)) {
printf("Failed to call callback to remove session #2\n");
goto end;
}
if (fix.use_int_cache && !SSL_CTX_add_session(cctx, sess2)) {
/*
* Should have succeeded because it should not already be in the cache
*/
printf("Unexpected failure adding session to cache #2\n");
goto end;
}
#endif
testresult = 1;
end:
SSL_free(serverssl1);
SSL_free(clientssl1);
SSL_free(serverssl2);
SSL_free(clientssl2);
#ifndef OPENSSL_NO_TLS1_1
SSL_free(serverssl3);
SSL_free(clientssl3);
#endif
SSL_SESSION_free(sess1);
SSL_SESSION_free(sess2);
/*
* Check if we need to remove any sessions up-refed for the external cache
*/
if (new_called >= 1)
SSL_SESSION_free(sess1);
if (new_called >= 2)
SSL_SESSION_free(sess2);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
/*
* Do authentication, by letting EAP-TLS do most of the work.
*/
static int eaptls_authenticate(void *arg, EAP_HANDLER *handler)
{
eaptls_status_t status;
tls_session_t *tls_session = (tls_session_t *) handler->opaque;
REQUEST *request = handler->request;
eap_tls_t *inst = (eap_tls_t *) arg;
RDEBUG2("Authenticate");
status = eaptls_process(handler);
RDEBUG2("eaptls_process returned %d\n", status);
switch (status) {
/*
* EAP-TLS handshake was successful, return an
* EAP-TLS-Success packet here.
*/
case EAPTLS_SUCCESS:
break;
/*
* The TLS code is still working on the TLS
* exchange, and it's a valid TLS request.
* do nothing.
*/
case EAPTLS_HANDLED:
return 1;
/*
* Handshake is done, proceed with decoding tunneled
* data.
*/
case EAPTLS_OK:
RDEBUG2("Received unexpected tunneled data after successful handshake.");
#ifndef NDEBUG
if ((debug_flag > 2) && fr_log_fp) {
unsigned int i;
unsigned int data_len;
unsigned char buffer[1024];
data_len = (tls_session->record_minus)(&tls_session->dirty_in,
buffer, sizeof(buffer));
log_debug(" Tunneled data (%u bytes)\n", data_len);
for (i = 0; i < data_len; i++) {
if ((i & 0x0f) == 0x00) fprintf(fr_log_fp, " %x: ", i);
if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n");
fprintf(fr_log_fp, "%02x ", buffer[i]);
}
fprintf(fr_log_fp, "\n");
}
#endif
eaptls_fail(handler, 0);
return 0;
break;
/*
* Anything else: fail.
*
* Also, remove the session from the cache so that
* the client can't re-use it.
*/
default:
if (inst->conf->session_cache_enable) {
SSL_CTX_remove_session(inst->ctx,
tls_session->ssl->session);
}
return 0;
}
/*
* New sessions cause some additional information to be
* cached.
*/
if (!SSL_session_reused(tls_session->ssl)) {
/*
* FIXME: Store miscellaneous data.
*/
RDEBUG2("Adding user data to cached session");
#if 0
SSL_SESSION_set_ex_data(tls_session->ssl->session,
ssl_session_idx_user_session, session_data);
#endif
} else {
/*
* FIXME: Retrieve miscellaneous data.
*/
#if 0
data = SSL_SESSION_get_ex_data(tls_session->ssl->session,
ssl_session_idx_user_session);
if (!session_data) {
radlog_request(L_ERR, 0, request,
"No user session data in cached session - "
" REJECTING");
return 0;
}
#endif
RDEBUG2("Retrieved session data from cached session");
}
/*
* Success: Automatically return MPPE keys.
*/
return eaptls_success(handler, 0);
}
/*
* To process the TLS,
* INCOMING DATA:
* 1. EAP-TLS should get the compelete TLS data from the peer.
* 2. Store that data in a data structure with any other required info
* 3. Handle that data structure to the TLS module.
* 4. TLS module will perform its operations on the data and
* handle back to EAP-TLS
*
* OUTGOING DATA:
* 1. EAP-TLS if necessary will fragment it and send it to the
* destination.
*
* During EAP-TLS initialization, TLS Context object will be
* initialized and stored. For every new authentication
* requests, TLS will open a new session object and that session
* object should be maintained even after the session is
* completed for session resumption. (Probably later as a feature
* as we donot know who maintains these session objects ie,
* SSL_CTX (internally) or TLS module(explicitly). If TLS module,
* then how to let SSL API know about these sessions.)
*/
static eaptls_status_t eaptls_operation(eaptls_status_t status,
EAP_HANDLER *handler)
{
tls_session_t *tls_session;
tls_session = (tls_session_t *)handler->opaque;
if ((status == EAPTLS_MORE_FRAGMENTS) ||
(status == EAPTLS_MORE_FRAGMENTS_WITH_LENGTH) ||
(status == EAPTLS_FIRST_FRAGMENT)) {
/*
* Send the ACK.
*/
eaptls_send_ack(handler->eap_ds, tls_session->peap_flag);
return EAPTLS_HANDLED;
}
/*
* We have the complete TLS-data or TLS-message.
*
* Clean the dirty message.
*
* Authenticate the user and send
* Success/Failure.
*
* If more info
* is required then send another request.
*/
if (!tls_handshake_recv(handler->request, tls_session)) {
DEBUG2("TLS receive handshake failed during operation");
SSL_CTX_remove_session(tls_session->ctx, tls_session->ssl->session);
return EAPTLS_FAIL;
}
/*
* FIXME: return success/fail.
*
* TLS proper can decide what to do, then.
*/
if (tls_session->dirty_out.used > 0) {
eaptls_request(handler->eap_ds, tls_session);
return EAPTLS_HANDLED;
}
/*
* If there is no data to send i.e
* dirty_out.used <=0 and if the SSL
* handshake is finished, then return a
* EPTLS_SUCCESS
*/
if (SSL_is_init_finished(tls_session->ssl)) {
/*
* Init is finished. The rest is
* application data.
*/
tls_session->info.content_type = application_data;
return EAPTLS_SUCCESS;
}
/*
* Who knows what happened...
*/
DEBUG2("TLS failed during operation");
return EAPTLS_FAIL;
}
/* Return up to 'len' payload bytes received in 'type' records.
* 'type' is one of the following:
*
* - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
* - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
* - 0 (during a shutdown, no data has to be returned)
*
* If we don't have stored data to work from, read a SSL/TLS record first
* (possibly multiple records if we still don't have anything to return).
*
* This function must handle any surprises the peer may have for us, such as
* Alert records (e.g. close_notify), ChangeCipherSpec records (not really
* a surprise, but handled as if it were), or renegotiation requests.
* Also if record payloads contain fragments too small to process, we store
* them until there is enough for the respective protocol (the record protocol
* may use arbitrary fragmentation and even interleaving):
* Change cipher spec protocol
* just 1 byte needed, no need for keeping anything stored
* Alert protocol
* 2 bytes needed (AlertLevel, AlertDescription)
* Handshake protocol
* 4 bytes needed (HandshakeType, uint24 length) -- we just have
* to detect unexpected Client Hello and Hello Request messages
* here, anything else is handled by higher layers
* Application data protocol
* none of our business
*/
int ssl3_read_bytes(SSL *s, int type, uint8_t *buf, int len, int peek) {
int al, i, ret;
unsigned int n;
SSL3_RECORD *rr;
void (*cb)(const SSL *ssl, int type2, int val) = NULL;
if ((type && type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE) ||
(peek && type != SSL3_RT_APPLICATION_DATA)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return -1;
}
if (type == SSL3_RT_HANDSHAKE && s->s3->handshake_fragment_len > 0) {
/* (partially) satisfy request from storage */
uint8_t *src = s->s3->handshake_fragment;
uint8_t *dst = buf;
unsigned int k;
/* peek == 0 */
n = 0;
while (len > 0 && s->s3->handshake_fragment_len > 0) {
*dst++ = *src++;
len--;
s->s3->handshake_fragment_len--;
n++;
}
/* move any remaining fragment bytes: */
for (k = 0; k < s->s3->handshake_fragment_len; k++) {
s->s3->handshake_fragment[k] = *src++;
}
return n;
}
/* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
/* This may require multiple iterations. False Start will cause
* |s->handshake_func| to signal success one step early, but the handshake
* must be completely finished before other modes are accepted.
*
* TODO(davidben): Move this check up to a higher level. */
while (!s->in_handshake && SSL_in_init(s)) {
assert(type == SSL3_RT_APPLICATION_DATA);
i = s->handshake_func(s);
if (i < 0) {
return i;
}
if (i == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
return -1;
}
}
start:
s->rwstate = SSL_NOTHING;
/* s->s3->rrec.type - is the type of record
* s->s3->rrec.data - data
* s->s3->rrec.off - offset into 'data' for next read
* s->s3->rrec.length - number of bytes. */
rr = &s->s3->rrec;
/* get new packet if necessary */
if (rr->length == 0) {
ret = ssl3_get_record(s);
if (ret <= 0) {
return ret;
}
}
/* we now have a packet which can be read and processed */
/* |change_cipher_spec is set when we receive a ChangeCipherSpec and reset by
* ssl3_get_finished. */
if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE &&
rr->type != SSL3_RT_ALERT) {
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
goto f_err;
}
/* If we are expecting a ChangeCipherSpec, it is illegal to receive a
* Handshake record. */
if (rr->type == SSL3_RT_HANDSHAKE && (s->s3->flags & SSL3_FLAGS_EXPECT_CCS)) {
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_RECORD_BEFORE_CCS);
goto f_err;
}
/* If the other end has shut down, throw anything we read away (even in
* 'peek' mode) */
if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
rr->length = 0;
s->rwstate = SSL_NOTHING;
return 0;
}
if (type != 0 && type == rr->type) {
s->s3->warning_alert_count = 0;
/* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
/* make sure that we are not getting application data when we are doing a
* handshake for the first time */
if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA &&
s->aead_read_ctx == NULL) {
/* TODO(davidben): Is this check redundant with the handshake_func
* check? */
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_APP_DATA_IN_HANDSHAKE);
goto f_err;
}
/* Discard empty records. */
if (rr->length == 0) {
goto start;
}
if (len <= 0) {
return len;
}
if ((unsigned int)len > rr->length) {
n = rr->length;
} else {
n = (unsigned int)len;
}
memcpy(buf, &(rr->data[rr->off]), n);
if (!peek) {
rr->length -= n;
rr->off += n;
if (rr->length == 0) {
rr->off = 0;
/* The record has been consumed, so we may now clear the buffer. */
ssl_read_buffer_discard(s);
}
}
return n;
}
/* Process unexpected records. */
if (rr->type == SSL3_RT_HANDSHAKE) {
/* If peer renegotiations are disabled, all out-of-order handshake records
* are fatal. Renegotiations as a server are never supported. */
if (s->server || !ssl3_can_renegotiate(s)) {
al = SSL_AD_NO_RENEGOTIATION;
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
goto f_err;
}
/* HelloRequests may be fragmented across multiple records. */
const size_t size = sizeof(s->s3->handshake_fragment);
const size_t avail = size - s->s3->handshake_fragment_len;
const size_t todo = (rr->length < avail) ? rr->length : avail;
memcpy(s->s3->handshake_fragment + s->s3->handshake_fragment_len,
&rr->data[rr->off], todo);
rr->off += todo;
rr->length -= todo;
s->s3->handshake_fragment_len += todo;
if (s->s3->handshake_fragment_len < size) {
goto start; /* fragment was too small */
}
/* Parse out and consume a HelloRequest. */
if (s->s3->handshake_fragment[0] != SSL3_MT_HELLO_REQUEST ||
s->s3->handshake_fragment[1] != 0 ||
s->s3->handshake_fragment[2] != 0 ||
s->s3->handshake_fragment[3] != 0) {
al = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST);
goto f_err;
}
s->s3->handshake_fragment_len = 0;
if (s->msg_callback) {
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
}
if (!SSL_is_init_finished(s) || !s->s3->initial_handshake_complete) {
/* This cannot happen. If a handshake is in progress, |type| must be
* |SSL3_RT_HANDSHAKE|. */
assert(0);
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err;
}
/* Renegotiation is only supported at quiescent points in the application
* protocol, namely in HTTPS, just before reading the HTTP response. Require
* the record-layer be idle and avoid complexities of sending a handshake
* record while an application_data record is being written. */
if (ssl_write_buffer_is_pending(s)) {
al = SSL_AD_NO_RENEGOTIATION;
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
goto f_err;
}
/* Begin a new handshake. */
s->s3->total_renegotiations++;
s->state = SSL_ST_CONNECT;
i = s->handshake_func(s);
if (i < 0) {
return i;
}
if (i == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
return -1;
}
/* The handshake completed synchronously. Continue reading records. */
goto start;
}
/* If an alert record, process one alert out of the record. Note that we allow
* a single record to contain multiple alerts. */
if (rr->type == SSL3_RT_ALERT) {
/* Alerts may not be fragmented. */
if (rr->length < 2) {
al = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
goto f_err;
}
if (s->msg_callback) {
s->msg_callback(0, s->version, SSL3_RT_ALERT, &rr->data[rr->off], 2, s,
s->msg_callback_arg);
}
const uint8_t alert_level = rr->data[rr->off++];
const uint8_t alert_descr = rr->data[rr->off++];
rr->length -= 2;
if (s->info_callback != NULL) {
cb = s->info_callback;
} else if (s->ctx->info_callback != NULL) {
cb = s->ctx->info_callback;
}
if (cb != NULL) {
uint16_t alert = (alert_level << 8) | alert_descr;
cb(s, SSL_CB_READ_ALERT, alert);
}
if (alert_level == SSL3_AL_WARNING) {
s->s3->warn_alert = alert_descr;
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return 0;
}
/* This is a warning but we receive it if we requested renegotiation and
* the peer denied it. Terminate with a fatal alert because if
* application tried to renegotiatie it presumably had a good reason and
* expects it to succeed.
*
* In future we might have a renegotiation where we don't care if the
* peer refused it where we carry on. */
else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
al = SSL_AD_HANDSHAKE_FAILURE;
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
goto f_err;
}
s->s3->warning_alert_count++;
if (s->s3->warning_alert_count > kMaxWarningAlerts) {
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_WARNING_ALERTS);
goto f_err;
}
} else if (alert_level == SSL3_AL_FATAL) {
char tmp[16];
s->rwstate = SSL_NOTHING;
s->s3->fatal_alert = alert_descr;
OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr);
BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr);
ERR_add_error_data(2, "SSL alert number ", tmp);
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL_CTX_remove_session(s->ctx, s->session);
return 0;
} else {
al = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_ALERT_TYPE);
goto f_err;
}
goto start;
}
if (s->shutdown & SSL_SENT_SHUTDOWN) {
/* close_notify has been sent, so discard all records other than alerts. */
rr->length = 0;
goto start;
}
if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
/* 'Change Cipher Spec' is just a single byte, so we know exactly what the
* record payload has to look like */
if (rr->length != 1 || rr->off != 0 || rr->data[0] != SSL3_MT_CCS) {
al = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_CHANGE_CIPHER_SPEC);
goto f_err;
}
/* Check we have a cipher to change to */
if (s->s3->tmp.new_cipher == NULL) {
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_CCS_RECEIVED_EARLY);
goto f_err;
}
if (!(s->s3->flags & SSL3_FLAGS_EXPECT_CCS)) {
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_CCS_RECEIVED_EARLY);
goto f_err;
}
s->s3->flags &= ~SSL3_FLAGS_EXPECT_CCS;
rr->length = 0;
if (s->msg_callback) {
s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s,
s->msg_callback_arg);
}
s->s3->change_cipher_spec = 1;
if (!ssl3_do_change_cipher_spec(s)) {
goto err;
} else {
goto start;
}
}
/* We already handled these. */
assert(rr->type != SSL3_RT_CHANGE_CIPHER_SPEC && rr->type != SSL3_RT_ALERT &&
rr->type != SSL3_RT_HANDSHAKE);
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err:
return -1;
}
/*-
* Return up to 'len' payload bytes received in 'type' records.
* 'type' is one of the following:
*
* - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
* - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
* - 0 (during a shutdown, no data has to be returned)
*
* If we don't have stored data to work from, read a SSL/TLS record first
* (possibly multiple records if we still don't have anything to return).
*
* This function must handle any surprises the peer may have for us, such as
* Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec
* messages are treated as if they were handshake messages *if* the |recd_type|
* argument is non NULL.
* Also if record payloads contain fragments too small to process, we store
* them until there is enough for the respective protocol (the record protocol
* may use arbitrary fragmentation and even interleaving):
* Change cipher spec protocol
* just 1 byte needed, no need for keeping anything stored
* Alert protocol
* 2 bytes needed (AlertLevel, AlertDescription)
* Handshake protocol
* 4 bytes needed (HandshakeType, uint24 length) -- we just have
* to detect unexpected Client Hello and Hello Request messages
* here, anything else is handled by higher layers
* Application data protocol
* none of our business
*/
int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
size_t len, int peek, size_t *readbytes)
{
int i, j, iret;
size_t n;
SSL3_RECORD *rr;
void (*cb) (const SSL *ssl, int type2, int val) = NULL;
if (!SSL3_BUFFER_is_initialised(&s->rlayer.rbuf)) {
/* Not initialized yet */
if (!ssl3_setup_buffers(s)) {
/* SSLfatal() already called */
return -1;
}
}
if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
(type != SSL3_RT_HANDSHAKE)) ||
(peek && (type != SSL3_RT_APPLICATION_DATA))) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_READ_BYTES,
ERR_R_INTERNAL_ERROR);
return -1;
}
if (!ossl_statem_get_in_handshake(s) && SSL_in_init(s)) {
/* type == SSL3_RT_APPLICATION_DATA */
i = s->handshake_func(s);
/* SSLfatal() already called if appropriate */
if (i < 0)
return i;
if (i == 0)
return -1;
}
start:
s->rwstate = SSL_NOTHING;
/*-
* s->s3.rrec.type - is the type of record
* s->s3.rrec.data, - data
* s->s3.rrec.off, - offset into 'data' for next read
* s->s3.rrec.length, - number of bytes.
*/
rr = s->rlayer.rrec;
/*
* We are not handshaking and have no data yet, so process data buffered
* during the last handshake in advance, if any.
*/
if (SSL_is_init_finished(s) && SSL3_RECORD_get_length(rr) == 0) {
pitem *item;
item = pqueue_pop(s->rlayer.d->buffered_app_data.q);
if (item) {
#ifndef OPENSSL_NO_SCTP
/* Restore bio_dgram_sctp_rcvinfo struct */
if (BIO_dgram_is_sctp(SSL_get_rbio(s))) {
DTLS1_RECORD_DATA *rdata = (DTLS1_RECORD_DATA *)item->data;
BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_SET_RCVINFO,
sizeof(rdata->recordinfo), &rdata->recordinfo);
}
#endif
dtls1_copy_record(s, item);
OPENSSL_free(item->data);
pitem_free(item);
}
}
/* Check for timeout */
if (dtls1_handle_timeout(s) > 0) {
goto start;
} else if (ossl_statem_in_error(s)) {
/* dtls1_handle_timeout() has failed with a fatal error */
return -1;
}
/* get new packet if necessary */
if ((SSL3_RECORD_get_length(rr) == 0)
|| (s->rlayer.rstate == SSL_ST_READ_BODY)) {
RECORD_LAYER_set_numrpipes(&s->rlayer, 0);
iret = dtls1_get_record(s);
if (iret <= 0) {
iret = dtls1_read_failed(s, iret);
/*
* Anything other than a timeout is an error. SSLfatal() already
* called if appropriate.
*/
if (iret <= 0)
return iret;
else
goto start;
}
RECORD_LAYER_set_numrpipes(&s->rlayer, 1);
}
/*
* Reset the count of consecutive warning alerts if we've got a non-empty
* record that isn't an alert.
*/
if (SSL3_RECORD_get_type(rr) != SSL3_RT_ALERT
&& SSL3_RECORD_get_length(rr) != 0)
s->rlayer.alert_count = 0;
/* we now have a packet which can be read and processed */
if (s->s3.change_cipher_spec /* set when we receive ChangeCipherSpec,
* reset by ssl3_get_finished */
&& (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE)) {
/*
* We now have application data between CCS and Finished. Most likely
* the packets were reordered on their way, so buffer the application
* data for later processing rather than dropping the connection.
*/
if (dtls1_buffer_record(s, &(s->rlayer.d->buffered_app_data),
SSL3_RECORD_get_seq_num(rr)) < 0) {
/* SSLfatal() already called */
return -1;
}
SSL3_RECORD_set_length(rr, 0);
SSL3_RECORD_set_read(rr);
goto start;
}
/*
* If the other end has shut down, throw anything we read away (even in
* 'peek' mode)
*/
if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
SSL3_RECORD_set_length(rr, 0);
SSL3_RECORD_set_read(rr);
s->rwstate = SSL_NOTHING;
return 0;
}
if (type == SSL3_RECORD_get_type(rr)
|| (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
&& type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) {
/*
* SSL3_RT_APPLICATION_DATA or
* SSL3_RT_HANDSHAKE or
* SSL3_RT_CHANGE_CIPHER_SPEC
*/
/*
* make sure that we are not getting application data when we are
* doing a handshake for the first time
*/
if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
(s->enc_read_ctx == NULL)) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
SSL_R_APP_DATA_IN_HANDSHAKE);
return -1;
}
if (recvd_type != NULL)
*recvd_type = SSL3_RECORD_get_type(rr);
if (len == 0) {
/*
* Mark a zero length record as read. This ensures multiple calls to
* SSL_read() with a zero length buffer will eventually cause
* SSL_pending() to report data as being available.
*/
if (SSL3_RECORD_get_length(rr) == 0)
SSL3_RECORD_set_read(rr);
return 0;
}
if (len > SSL3_RECORD_get_length(rr))
n = SSL3_RECORD_get_length(rr);
else
n = len;
memcpy(buf, &(SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)]), n);
if (peek) {
if (SSL3_RECORD_get_length(rr) == 0)
SSL3_RECORD_set_read(rr);
} else {
SSL3_RECORD_sub_length(rr, n);
SSL3_RECORD_add_off(rr, n);
if (SSL3_RECORD_get_length(rr) == 0) {
s->rlayer.rstate = SSL_ST_READ_HEADER;
SSL3_RECORD_set_off(rr, 0);
SSL3_RECORD_set_read(rr);
}
}
#ifndef OPENSSL_NO_SCTP
/*
* We might had to delay a close_notify alert because of reordered
* app data. If there was an alert and there is no message to read
* anymore, finally set shutdown.
*/
if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
s->d1->shutdown_received
&& !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return 0;
}
#endif
*readbytes = n;
return 1;
}
/*
* If we get here, then type != rr->type; if we have a handshake message,
* then it was unexpected (Hello Request or Client Hello).
*/
if (SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) {
unsigned int alert_level, alert_descr;
unsigned char *alert_bytes = SSL3_RECORD_get_data(rr)
+ SSL3_RECORD_get_off(rr);
PACKET alert;
if (!PACKET_buf_init(&alert, alert_bytes, SSL3_RECORD_get_length(rr))
|| !PACKET_get_1(&alert, &alert_level)
|| !PACKET_get_1(&alert, &alert_descr)
|| PACKET_remaining(&alert) != 0) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
SSL_R_INVALID_ALERT);
return -1;
}
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_ALERT, alert_bytes, 2, s,
s->msg_callback_arg);
if (s->info_callback != NULL)
cb = s->info_callback;
else if (s->ctx->info_callback != NULL)
cb = s->ctx->info_callback;
if (cb != NULL) {
j = (alert_level << 8) | alert_descr;
cb(s, SSL_CB_READ_ALERT, j);
}
if (alert_level == SSL3_AL_WARNING) {
s->s3.warn_alert = alert_descr;
SSL3_RECORD_set_read(rr);
s->rlayer.alert_count++;
if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
SSL_R_TOO_MANY_WARN_ALERTS);
return -1;
}
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
#ifndef OPENSSL_NO_SCTP
/*
* With SCTP and streams the socket may deliver app data
* after a close_notify alert. We have to check this first so
* that nothing gets discarded.
*/
if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
s->d1->shutdown_received = 1;
s->rwstate = SSL_READING;
BIO_clear_retry_flags(SSL_get_rbio(s));
BIO_set_retry_read(SSL_get_rbio(s));
return -1;
}
#endif
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return 0;
}
} else if (alert_level == SSL3_AL_FATAL) {
char tmp[16];
s->rwstate = SSL_NOTHING;
s->s3.fatal_alert = alert_descr;
SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS1_READ_BYTES,
SSL_AD_REASON_OFFSET + alert_descr);
BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);
ERR_add_error_data(2, "SSL alert number ", tmp);
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL3_RECORD_set_read(rr);
SSL_CTX_remove_session(s->session_ctx, s->session);
return 0;
} else {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS1_READ_BYTES,
SSL_R_UNKNOWN_ALERT_TYPE);
return -1;
}
goto start;
}
if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a
* shutdown */
s->rwstate = SSL_NOTHING;
SSL3_RECORD_set_length(rr, 0);
SSL3_RECORD_set_read(rr);
return 0;
}
if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) {
/*
* We can't process a CCS now, because previous handshake messages
* are still missing, so just drop it.
*/
SSL3_RECORD_set_length(rr, 0);
SSL3_RECORD_set_read(rr);
goto start;
}
/*
* Unexpected handshake message (Client Hello, or protocol violation)
*/
if ((SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) &&
!ossl_statem_get_in_handshake(s)) {
struct hm_header_st msg_hdr;
/*
* This may just be a stale retransmit. Also sanity check that we have
* at least enough record bytes for a message header
*/
if (SSL3_RECORD_get_epoch(rr) != s->rlayer.d->r_epoch
|| SSL3_RECORD_get_length(rr) < DTLS1_HM_HEADER_LENGTH) {
SSL3_RECORD_set_length(rr, 0);
SSL3_RECORD_set_read(rr);
goto start;
}
dtls1_get_message_header(rr->data, &msg_hdr);
/*
* If we are server, we may have a repeated FINISHED of the client
* here, then retransmit our CCS and FINISHED.
*/
if (msg_hdr.type == SSL3_MT_FINISHED) {
if (dtls1_check_timeout_num(s) < 0) {
/* SSLfatal) already called */
return -1;
}
if (dtls1_retransmit_buffered_messages(s) <= 0) {
/* Fail if we encountered a fatal error */
if (ossl_statem_in_error(s))
return -1;
}
SSL3_RECORD_set_length(rr, 0);
SSL3_RECORD_set_read(rr);
if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) {
/* no read-ahead left? */
BIO *bio;
s->rwstate = SSL_READING;
bio = SSL_get_rbio(s);
BIO_clear_retry_flags(bio);
BIO_set_retry_read(bio);
return -1;
}
}
goto start;
}
/*
* To get here we must be trying to read app data but found handshake
* data. But if we're trying to read app data, and we're not in init
* (which is tested for at the top of this function) then init must be
* finished
*/
if (!ossl_assert(SSL_is_init_finished(s))) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_READ_BYTES,
ERR_R_INTERNAL_ERROR);
return -1;
}
/* We found handshake data, so we're going back into init */
ossl_statem_set_in_init(s, 1);
i = s->handshake_func(s);
/* SSLfatal() called if appropriate */
if (i < 0)
return i;
if (i == 0)
return -1;
if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) {
/* no read-ahead left? */
BIO *bio;
/*
* In the case where we try to read application data, but we
* trigger an SSL handshake, we return -1 with the retry
* option set. Otherwise renegotiation may cause nasty
* problems in the blocking world
*/
s->rwstate = SSL_READING;
bio = SSL_get_rbio(s);
BIO_clear_retry_flags(bio);
BIO_set_retry_read(bio);
return -1;
}
}
goto start;
}
switch (SSL3_RECORD_get_type(rr)) {
default:
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
SSL_R_UNEXPECTED_RECORD);
return -1;
case SSL3_RT_CHANGE_CIPHER_SPEC:
case SSL3_RT_ALERT:
case SSL3_RT_HANDSHAKE:
/*
* we already handled all of these, with the possible exception of
* SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but
* that should not happen when type != rr->type
*/
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
ERR_R_INTERNAL_ERROR);
return -1;
case SSL3_RT_APPLICATION_DATA:
/*
* At this point, we were expecting handshake data, but have
* application data. If the library was running inside ssl3_read()
* (i.e. in_read_app_data is set) and it makes sense to read
* application data at this point (session renegotiation not yet
* started), we will indulge it.
*/
if (s->s3.in_read_app_data &&
(s->s3.total_renegotiations != 0) &&
ossl_statem_app_data_allowed(s)) {
s->s3.in_read_app_data = 2;
return -1;
} else {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
SSL_R_UNEXPECTED_RECORD);
return -1;
}
}
/* not reached */
}
/*-
* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
* connection. It is only called by servers.
*
* hello: The parsed ClientHello data
*
* Returns:
* -1: fatal error
* 0: no session found
* 1: a session may have been found.
*
* Side effects:
* - If a session is found then s->session is pointed at it (after freeing an
* existing session if need be) and s->verify_result is set from the session.
* - Both for new and resumed sessions, s->ext.ticket_expected is set to 1
* if the server should issue a new session ticket (to 0 otherwise).
*/
int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al)
{
/* This is used only by servers. */
SSL_SESSION *ret = NULL;
int fatal = 0;
int try_session_cache = 0;
TICKET_RETURN r;
if (SSL_IS_TLS13(s)) {
if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes,
SSL_EXT_CLIENT_HELLO, hello->pre_proc_exts,
NULL, 0, al)
|| !tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_CLIENT_HELLO,
hello->pre_proc_exts, NULL, 0, al))
return -1;
ret = s->session;
} else {
/* sets s->ext.ticket_expected */
r = tls_get_ticket_from_client(s, hello, &ret);
switch (r) {
case TICKET_FATAL_ERR_MALLOC:
case TICKET_FATAL_ERR_OTHER:
fatal = 1;
goto err;
case TICKET_NONE:
case TICKET_EMPTY:
try_session_cache = 1;
break;
case TICKET_NO_DECRYPT:
case TICKET_SUCCESS:
case TICKET_SUCCESS_RENEW:
break;
}
}
if (try_session_cache &&
ret == NULL &&
!(s->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
SSL_SESSION data;
data.ssl_version = s->version;
memcpy(data.session_id, hello->session_id, hello->session_id_len);
data.session_id_length = hello->session_id_len;
CRYPTO_THREAD_read_lock(s->session_ctx->lock);
ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
if (ret != NULL) {
/* don't allow other threads to steal it: */
SSL_SESSION_up_ref(ret);
}
CRYPTO_THREAD_unlock(s->session_ctx->lock);
if (ret == NULL)
s->session_ctx->stats.sess_miss++;
}
if (try_session_cache &&
ret == NULL && s->session_ctx->get_session_cb != NULL) {
int copy = 1;
ret = s->session_ctx->get_session_cb(s, hello->session_id,
hello->session_id_len,
©);
if (ret != NULL) {
s->session_ctx->stats.sess_cb_hit++;
/*
* Increment reference count now if the session callback asks us
* to do so (note that if the session structures returned by the
* callback are shared between threads, it must handle the
* reference count itself [i.e. copy == 0], or things won't be
* thread-safe).
*/
if (copy)
SSL_SESSION_up_ref(ret);
/*
* Add the externally cached session to the internal cache as
* well if and only if we are supposed to.
*/
if (!
(s->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
/*
* The following should not return 1, otherwise, things are
* very strange
*/
if (SSL_CTX_add_session(s->session_ctx, ret))
goto err;
}
}
}
if (ret == NULL)
goto err;
/* Now ret is non-NULL and we own one of its reference counts. */
/* Check TLS version consistency */
if (ret->ssl_version != s->version)
goto err;
if (ret->sid_ctx_length != s->sid_ctx_length
|| memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length)) {
/*
* We have the session requested by the client, but we don't want to
* use it in this context.
*/
goto err; /* treat like cache miss */
}
if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) {
/*
* We can't be sure if this session is being used out of context,
* which is especially important for SSL_VERIFY_PEER. The application
* should have used SSL[_CTX]_set_session_id_context. For this error
* case, we generate an error instead of treating the event like a
* cache miss (otherwise it would be easy for applications to
* effectively disable the session cache by accident without anyone
* noticing).
*/
SSLerr(SSL_F_SSL_GET_PREV_SESSION,
SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
fatal = 1;
goto err;
}
if (ret->timeout < (long)(time(NULL) - ret->time)) { /* timeout */
s->session_ctx->stats.sess_timeout++;
if (try_session_cache) {
/* session was from the cache, so remove it */
SSL_CTX_remove_session(s->session_ctx, ret);
}
goto err;
}
/* Check extended master secret extension consistency */
if (ret->flags & SSL_SESS_FLAG_EXTMS) {
/* If old session includes extms, but new does not: abort handshake */
if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)) {
SSLerr(SSL_F_SSL_GET_PREV_SESSION, SSL_R_INCONSISTENT_EXTMS);
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
fatal = 1;
goto err;
}
} else if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
/* If new session includes extms, but old does not: do not resume */
goto err;
}
if (!SSL_IS_TLS13(s)) {
/* We already did this for TLS1.3 */
SSL_SESSION_free(s->session);
s->session = ret;
}
s->session_ctx->stats.sess_hit++;
s->verify_result = s->session->verify_result;
return 1;
err:
if (ret != NULL) {
SSL_SESSION_free(ret);
/* In TLSv1.3 s->session was already set to ret, so we NULL it out */
if (SSL_IS_TLS13(s))
s->session = NULL;
if (!try_session_cache) {
/*
* The session was from a ticket, so we should issue a ticket for
* the new session
*/
s->ext.ticket_expected = 1;
}
}
if (fatal) {
*al = SSL_AD_INTERNAL_ERROR;
return -1;
}
return 0;
}
/* ssl_lookup_session looks up |session_id| in the session cache and sets
* |*out_session| to an |SSL_SESSION| object if found. The caller takes
* ownership of the result. */
static enum ssl_session_result_t ssl_lookup_session(
SSL *ssl, SSL_SESSION **out_session, const uint8_t *session_id,
size_t session_id_len) {
*out_session = NULL;
if (session_id_len == 0 || session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
return ssl_session_success;
}
SSL_SESSION *session = NULL;
/* Try the internal cache, if it exists. */
if (!(ssl->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
SSL_SESSION data;
data.ssl_version = ssl->version;
data.session_id_length = session_id_len;
OPENSSL_memcpy(data.session_id, session_id, session_id_len);
CRYPTO_MUTEX_lock_read(&ssl->session_ctx->lock);
session = lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &data);
if (session != NULL) {
SSL_SESSION_up_ref(session);
}
/* TODO(davidben): This should probably move it to the front of the list. */
CRYPTO_MUTEX_unlock_read(&ssl->session_ctx->lock);
}
/* Fall back to the external cache, if it exists. */
if (session == NULL &&
ssl->session_ctx->get_session_cb != NULL) {
int copy = 1;
session = ssl->session_ctx->get_session_cb(ssl, (uint8_t *)session_id,
session_id_len, ©);
if (session == NULL) {
return ssl_session_success;
}
if (session == SSL_magic_pending_session_ptr()) {
return ssl_session_retry;
}
/* Increment reference count now if the session callback asks us to do so
* (note that if the session structures returned by the callback are shared
* between threads, it must handle the reference count itself [i.e. copy ==
* 0], or things won't be thread-safe). */
if (copy) {
SSL_SESSION_up_ref(session);
}
/* Add the externally cached session to the internal cache if necessary. */
if (!(ssl->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
SSL_CTX_add_session(ssl->session_ctx, session);
}
}
if (session != NULL &&
!ssl_session_is_time_valid(ssl, session)) {
/* The session was from the cache, so remove it. */
SSL_CTX_remove_session(ssl->session_ctx, session);
SSL_SESSION_free(session);
session = NULL;
}
*out_session = session;
return ssl_session_success;
}
enum ssl_session_result_t ssl_get_prev_session(
SSL *ssl, SSL_SESSION **out_session, int *out_send_ticket,
const struct ssl_early_callback_ctx *ctx) {
/* This is used only by servers. */
assert(ssl->server);
SSL_SESSION *session = NULL;
int renew_ticket = 0;
/* If tickets are disabled, always behave as if no tickets are present. */
const uint8_t *ticket = NULL;
size_t ticket_len = 0;
const int tickets_supported =
!(SSL_get_options(ssl) & SSL_OP_NO_TICKET) &&
ssl->version > SSL3_VERSION &&
SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_session_ticket,
&ticket, &ticket_len);
int from_cache = 0;
if (tickets_supported && ticket_len > 0) {
if (!tls_process_ticket(ssl, &session, &renew_ticket, ticket, ticket_len,
ctx->session_id, ctx->session_id_len)) {
return ssl_session_error;
}
} else {
/* The client didn't send a ticket, so the session ID is a real ID. */
enum ssl_session_result_t lookup_ret = ssl_lookup_session(
ssl, &session, ctx->session_id, ctx->session_id_len);
if (lookup_ret != ssl_session_success) {
return lookup_ret;
}
from_cache = 1;
}
if (session == NULL ||
session->sid_ctx_length != ssl->sid_ctx_length ||
memcmp(session->sid_ctx, ssl->sid_ctx, ssl->sid_ctx_length) != 0) {
/* The client did not offer a suitable ticket or session ID. If supported,
* the new session should use a ticket. */
goto no_session;
}
if ((ssl->verify_mode & SSL_VERIFY_PEER) && ssl->sid_ctx_length == 0) {
/* We can't be sure if this session is being used out of context, which is
* especially important for SSL_VERIFY_PEER. The application should have
* used SSL[_CTX]_set_session_id_context.
*
* For this error case, we generate an error instead of treating the event
* like a cache miss (otherwise it would be easy for applications to
* effectively disable the session cache by accident without anyone
* noticing). */
OPENSSL_PUT_ERROR(SSL, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
SSL_SESSION_free(session);
return ssl_session_error;
}
if (session->timeout < (long)(time(NULL) - session->time)) {
if (from_cache) {
/* The session was from the cache, so remove it. */
SSL_CTX_remove_session(ssl->initial_ctx, session);
}
goto no_session;
}
*out_session = session;
*out_send_ticket = renew_ticket;
return ssl_session_success;
no_session:
*out_session = NULL;
*out_send_ticket = tickets_supported;
SSL_SESSION_free(session);
return ssl_session_success;
}
/* Return up to 'len' payload bytes received in 'type' records.
* 'type' is one of the following:
*
* - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
* - SSL3_RT_CHANGE_CIPHER_SPEC (when ssl3_read_change_cipher_spec calls us)
* - SSL3_RT_APPLICATION_DATA (when ssl3_read_app_data calls us)
* - 0 (during a shutdown, no data has to be returned)
*
* If we don't have stored data to work from, read a SSL/TLS record first
* (possibly multiple records if we still don't have anything to return).
*
* This function must handle any surprises the peer may have for us, such as
* Alert records (e.g. close_notify) or renegotiation requests. */
int ssl3_read_bytes(SSL *ssl, int type, uint8_t *buf, int len, int peek) {
int al, i, ret;
unsigned int n;
SSL3_RECORD *rr;
void (*cb)(const SSL *ssl, int type, int value) = NULL;
if ((type && type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE &&
type != SSL3_RT_CHANGE_CIPHER_SPEC) ||
(peek && type != SSL3_RT_APPLICATION_DATA)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return -1;
}
start:
ssl->rwstate = SSL_NOTHING;
/* ssl->s3->rrec.type - is the type of record
* ssl->s3->rrec.data - data
* ssl->s3->rrec.off - offset into 'data' for next read
* ssl->s3->rrec.length - number of bytes. */
rr = &ssl->s3->rrec;
/* get new packet if necessary */
if (rr->length == 0) {
ret = ssl3_get_record(ssl);
if (ret <= 0) {
return ret;
}
}
/* we now have a packet which can be read and processed */
/* If the other end has shut down, throw anything we read away (even in
* 'peek' mode) */
if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN) {
rr->length = 0;
ssl->rwstate = SSL_NOTHING;
return 0;
}
if (type != 0 && type == rr->type) {
ssl->s3->warning_alert_count = 0;
/* Make sure that we are not getting application data when we are doing a
* handshake for the first time. */
if (SSL_in_init(ssl) && type == SSL3_RT_APPLICATION_DATA &&
ssl->s3->aead_read_ctx == NULL) {
/* TODO(davidben): Is this check redundant with the handshake_func
* check? */
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_APP_DATA_IN_HANDSHAKE);
goto f_err;
}
/* Discard empty records. */
if (rr->length == 0) {
goto start;
}
if (len <= 0) {
return len;
}
if ((unsigned int)len > rr->length) {
n = rr->length;
} else {
n = (unsigned int)len;
}
memcpy(buf, rr->data, n);
if (!peek) {
rr->length -= n;
rr->data += n;
if (rr->length == 0) {
/* The record has been consumed, so we may now clear the buffer. */
ssl_read_buffer_discard(ssl);
}
}
return n;
}
/* Process unexpected records. */
if (type == SSL3_RT_APPLICATION_DATA && rr->type == SSL3_RT_HANDSHAKE) {
/* If peer renegotiations are disabled, all out-of-order handshake records
* are fatal. Renegotiations as a server are never supported. */
if (ssl->server || !ssl3_can_renegotiate(ssl)) {
al = SSL_AD_NO_RENEGOTIATION;
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
goto f_err;
}
/* This must be a HelloRequest, possibly fragmented over multiple records.
* Consume data from the handshake protocol until it is complete. */
static const uint8_t kHelloRequest[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
while (ssl->s3->hello_request_len < sizeof(kHelloRequest)) {
if (rr->length == 0) {
/* Get a new record. */
goto start;
}
if (rr->data[0] != kHelloRequest[ssl->s3->hello_request_len]) {
al = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST);
goto f_err;
}
rr->data++;
rr->length--;
ssl->s3->hello_request_len++;
}
ssl->s3->hello_request_len = 0;
if (ssl->msg_callback) {
ssl->msg_callback(0, ssl->version, SSL3_RT_HANDSHAKE, kHelloRequest,
sizeof(kHelloRequest), ssl, ssl->msg_callback_arg);
}
if (!SSL_is_init_finished(ssl) || !ssl->s3->initial_handshake_complete) {
/* This cannot happen. If a handshake is in progress, |type| must be
* |SSL3_RT_HANDSHAKE|. */
assert(0);
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err;
}
if (ssl->renegotiate_mode == ssl_renegotiate_ignore) {
goto start;
}
/* Renegotiation is only supported at quiescent points in the application
* protocol, namely in HTTPS, just before reading the HTTP response. Require
* the record-layer be idle and avoid complexities of sending a handshake
* record while an application_data record is being written. */
if (ssl_write_buffer_is_pending(ssl)) {
al = SSL_AD_NO_RENEGOTIATION;
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
goto f_err;
}
/* Begin a new handshake. */
ssl->s3->total_renegotiations++;
ssl->state = SSL_ST_CONNECT;
i = ssl->handshake_func(ssl);
if (i < 0) {
return i;
}
if (i == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
return -1;
}
/* The handshake completed synchronously. Continue reading records. */
goto start;
}
/* If an alert record, process one alert out of the record. Note that we allow
* a single record to contain multiple alerts. */
if (rr->type == SSL3_RT_ALERT) {
/* Alerts may not be fragmented. */
if (rr->length < 2) {
al = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
goto f_err;
}
if (ssl->msg_callback) {
ssl->msg_callback(0, ssl->version, SSL3_RT_ALERT, rr->data, 2, ssl,
ssl->msg_callback_arg);
}
const uint8_t alert_level = rr->data[0];
const uint8_t alert_descr = rr->data[1];
rr->length -= 2;
rr->data += 2;
if (ssl->info_callback != NULL) {
cb = ssl->info_callback;
} else if (ssl->ctx->info_callback != NULL) {
cb = ssl->ctx->info_callback;
}
if (cb != NULL) {
uint16_t alert = (alert_level << 8) | alert_descr;
cb(ssl, SSL_CB_READ_ALERT, alert);
}
if (alert_level == SSL3_AL_WARNING) {
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
ssl->s3->clean_shutdown = 1;
ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
return 0;
}
/* This is a warning but we receive it if we requested renegotiation and
* the peer denied it. Terminate with a fatal alert because if
* application tried to renegotiatie it presumably had a good reason and
* expects it to succeed.
*
* In future we might have a renegotiation where we don't care if the
* peer refused it where we carry on. */
else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
al = SSL_AD_HANDSHAKE_FAILURE;
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
goto f_err;
}
ssl->s3->warning_alert_count++;
if (ssl->s3->warning_alert_count > kMaxWarningAlerts) {
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_WARNING_ALERTS);
goto f_err;
}
} else if (alert_level == SSL3_AL_FATAL) {
char tmp[16];
ssl->rwstate = SSL_NOTHING;
OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr);
BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr);
ERR_add_error_data(2, "SSL alert number ", tmp);
ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL_CTX_remove_session(ssl->ctx, ssl->session);
return 0;
} else {
al = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_ALERT_TYPE);
goto f_err;
}
goto start;
}
if (ssl->shutdown & SSL_SENT_SHUTDOWN) {
/* close_notify has been sent, so discard all records other than alerts. */
rr->length = 0;
goto start;
}
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
f_err:
ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
err:
return -1;
}
/*-
* Return up to 'len' payload bytes received in 'type' records.
* 'type' is one of the following:
*
* - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
* - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
* - 0 (during a shutdown, no data has to be returned)
*
* If we don't have stored data to work from, read a SSL/TLS record first
* (possibly multiple records if we still don't have anything to return).
*
* This function must handle any surprises the peer may have for us, such as
* Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec
* messages are treated as if they were handshake messages *if* the |recd_type|
* argument is non NULL.
* Also if record payloads contain fragments too small to process, we store
* them until there is enough for the respective protocol (the record protocol
* may use arbitrary fragmentation and even interleaving):
* Change cipher spec protocol
* just 1 byte needed, no need for keeping anything stored
* Alert protocol
* 2 bytes needed (AlertLevel, AlertDescription)
* Handshake protocol
* 4 bytes needed (HandshakeType, uint24 length) -- we just have
* to detect unexpected Client Hello and Hello Request messages
* here, anything else is handled by higher layers
* Application data protocol
* none of our business
*/
int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
int len, int peek)
{
int al, i, j, ret;
unsigned int n;
SSL3_RECORD *rr;
void (*cb) (const SSL *ssl, int type2, int val) = NULL;
if (!SSL3_BUFFER_is_initialised(&s->rlayer.rbuf)) {
/* Not initialized yet */
if (!ssl3_setup_buffers(s))
return (-1);
}
if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
(type != SSL3_RT_HANDSHAKE)) ||
(peek && (type != SSL3_RT_APPLICATION_DATA))) {
SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
return -1;
}
/*
* check whether there's a handshake message (client hello?) waiting
*/
if ((ret = have_handshake_fragment(s, type, buf, len))) {
*recvd_type = SSL3_RT_HANDSHAKE;
return ret;
}
/*
* Now s->rlayer.d->handshake_fragment_len == 0 if
* type == SSL3_RT_HANDSHAKE.
*/
if (!ossl_statem_get_in_handshake(s) && SSL_in_init(s))
{
/* type == SSL3_RT_APPLICATION_DATA */
i = s->handshake_func(s);
if (i < 0)
return (i);
if (i == 0) {
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
return (-1);
}
}
start:
s->rwstate = SSL_NOTHING;
/*-
* s->s3->rrec.type - is the type of record
* s->s3->rrec.data, - data
* s->s3->rrec.off, - offset into 'data' for next read
* s->s3->rrec.length, - number of bytes.
*/
rr = s->rlayer.rrec;
/*
* We are not handshaking and have no data yet, so process data buffered
* during the last handshake in advance, if any.
*/
if (SSL_is_init_finished(s) && SSL3_RECORD_get_length(rr) == 0) {
pitem *item;
item = pqueue_pop(s->rlayer.d->buffered_app_data.q);
if (item) {
#ifndef OPENSSL_NO_SCTP
/* Restore bio_dgram_sctp_rcvinfo struct */
if (BIO_dgram_is_sctp(SSL_get_rbio(s))) {
DTLS1_RECORD_DATA *rdata = (DTLS1_RECORD_DATA *)item->data;
BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_SET_RCVINFO,
sizeof(rdata->recordinfo), &rdata->recordinfo);
}
#endif
dtls1_copy_record(s, item);
OPENSSL_free(item->data);
pitem_free(item);
}
}
/* Check for timeout */
if (dtls1_handle_timeout(s) > 0)
goto start;
/* get new packet if necessary */
if ((SSL3_RECORD_get_length(rr) == 0)
|| (s->rlayer.rstate == SSL_ST_READ_BODY)) {
ret = dtls1_get_record(s);
if (ret <= 0) {
ret = dtls1_read_failed(s, ret);
/* anything other than a timeout is an error */
if (ret <= 0)
return (ret);
else
goto start;
}
}
/*
* Reset the count of consecutive warning alerts if we've got a non-empty
* record that isn't an alert.
*/
if (SSL3_RECORD_get_type(rr) != SSL3_RT_ALERT
&& SSL3_RECORD_get_length(rr) != 0)
s->rlayer.alert_count = 0;
/* we now have a packet which can be read and processed */
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
* reset by ssl3_get_finished */
&& (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE)) {
/*
* We now have application data between CCS and Finished. Most likely
* the packets were reordered on their way, so buffer the application
* data for later processing rather than dropping the connection.
*/
if (dtls1_buffer_record(s, &(s->rlayer.d->buffered_app_data),
SSL3_RECORD_get_seq_num(rr)) < 0) {
SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
return -1;
}
SSL3_RECORD_set_length(rr, 0);
goto start;
}
/*
* If the other end has shut down, throw anything we read away (even in
* 'peek' mode)
*/
if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
SSL3_RECORD_set_length(rr, 0);
s->rwstate = SSL_NOTHING;
return (0);
}
if (type == SSL3_RECORD_get_type(rr)
|| (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
&& type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) {
/*
* SSL3_RT_APPLICATION_DATA or
* SSL3_RT_HANDSHAKE or
* SSL3_RT_CHANGE_CIPHER_SPEC
*/
/*
* make sure that we are not getting application data when we are
* doing a handshake for the first time
*/
if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
(s->enc_read_ctx == NULL)) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE);
goto f_err;
}
if (recvd_type != NULL)
*recvd_type = SSL3_RECORD_get_type(rr);
if (len <= 0)
return (len);
if ((unsigned int)len > SSL3_RECORD_get_length(rr))
n = SSL3_RECORD_get_length(rr);
else
n = (unsigned int)len;
memcpy(buf, &(SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)]), n);
if (!peek) {
SSL3_RECORD_sub_length(rr, n);
SSL3_RECORD_add_off(rr, n);
if (SSL3_RECORD_get_length(rr) == 0) {
s->rlayer.rstate = SSL_ST_READ_HEADER;
SSL3_RECORD_set_off(rr, 0);
}
}
#ifndef OPENSSL_NO_SCTP
/*
* We might had to delay a close_notify alert because of reordered
* app data. If there was an alert and there is no message to read
* anymore, finally set shutdown.
*/
if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
s->d1->shutdown_received
&& !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return (0);
}
#endif
return (n);
}
/*
* If we get here, then type != rr->type; if we have a handshake message,
* then it was unexpected (Hello Request or Client Hello).
*/
/*
* In case of record types for which we have 'fragment' storage, fill
* that so that we can process the data at a fixed place.
*/
{
unsigned int k, dest_maxlen = 0;
unsigned char *dest = NULL;
unsigned int *dest_len = NULL;
if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {
dest_maxlen = sizeof s->rlayer.d->handshake_fragment;
dest = s->rlayer.d->handshake_fragment;
dest_len = &s->rlayer.d->handshake_fragment_len;
} else if (SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) {
dest_maxlen = sizeof(s->rlayer.d->alert_fragment);
dest = s->rlayer.d->alert_fragment;
dest_len = &s->rlayer.d->alert_fragment_len;
}
#ifndef OPENSSL_NO_HEARTBEATS
else if (SSL3_RECORD_get_type(rr) == DTLS1_RT_HEARTBEAT) {
/* We allow a 0 return */
if (dtls1_process_heartbeat(s, SSL3_RECORD_get_data(rr),
SSL3_RECORD_get_length(rr)) < 0) {
return -1;
}
/* Exit and notify application to read again */
SSL3_RECORD_set_length(rr, 0);
s->rwstate = SSL_READING;
BIO_clear_retry_flags(SSL_get_rbio(s));
BIO_set_retry_read(SSL_get_rbio(s));
return (-1);
}
#endif
/* else it's a CCS message, or application data or wrong */
else if (SSL3_RECORD_get_type(rr) != SSL3_RT_CHANGE_CIPHER_SPEC) {
/*
* Application data while renegotiating is allowed. Try again
* reading.
*/
if (SSL3_RECORD_get_type(rr) == SSL3_RT_APPLICATION_DATA) {
BIO *bio;
s->s3->in_read_app_data = 2;
bio = SSL_get_rbio(s);
s->rwstate = SSL_READING;
BIO_clear_retry_flags(bio);
BIO_set_retry_read(bio);
return (-1);
}
/* Not certain if this is the right error handling */
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
goto f_err;
}
if (dest_maxlen > 0) {
/*
* XDTLS: In a pathological case, the Client Hello may be
* fragmented--don't always expect dest_maxlen bytes
*/
if (SSL3_RECORD_get_length(rr) < dest_maxlen) {
#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
/*
* for normal alerts rr->length is 2, while
* dest_maxlen is 7 if we were to handle this
* non-existing alert...
*/
FIX ME;
#endif
s->rlayer.rstate = SSL_ST_READ_HEADER;
SSL3_RECORD_set_length(rr, 0);
goto start;
}
/* now move 'n' bytes: */
for (k = 0; k < dest_maxlen; k++) {
dest[k] = SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)];
SSL3_RECORD_add_off(rr, 1);
SSL3_RECORD_add_length(rr, -1);
}
*dest_len = dest_maxlen;
}
}
/*-
* s->rlayer.d->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE;
* s->rlayer.d->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT.
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
*/
/* If we are a client, check for an incoming 'Hello Request': */
if ((!s->server) &&
(s->rlayer.d->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
(s->rlayer.d->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
(s->session != NULL) && (s->session->cipher != NULL)) {
s->rlayer.d->handshake_fragment_len = 0;
if ((s->rlayer.d->handshake_fragment[1] != 0) ||
(s->rlayer.d->handshake_fragment[2] != 0) ||
(s->rlayer.d->handshake_fragment[3] != 0)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_HELLO_REQUEST);
goto f_err;
}
/*
* no need to check sequence number on HELLO REQUEST messages
*/
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
s->rlayer.d->handshake_fragment, 4, s,
s->msg_callback_arg);
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
!s->s3->renegotiate) {
s->d1->handshake_read_seq++;
s->new_session = 1;
ssl3_renegotiate(s);
if (ssl3_renegotiate_check(s)) {
i = s->handshake_func(s);
if (i < 0)
return (i);
if (i == 0) {
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
return (-1);
}
if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) {
/* no read-ahead left? */
BIO *bio;
/*
* In the case where we try to read application data,
* but we trigger an SSL handshake, we return -1 with
* the retry option set. Otherwise renegotiation may
* cause nasty problems in the blocking world
*/
s->rwstate = SSL_READING;
bio = SSL_get_rbio(s);
BIO_clear_retry_flags(bio);
BIO_set_retry_read(bio);
return (-1);
}
}
}
}
/*
* we either finished a handshake or ignored the request, now try
* again to obtain the (application) data we were asked for
*/
goto start;
}
if (s->rlayer.d->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) {
int alert_level = s->rlayer.d->alert_fragment[0];
int alert_descr = s->rlayer.d->alert_fragment[1];
s->rlayer.d->alert_fragment_len = 0;
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_ALERT,
s->rlayer.d->alert_fragment, 2, s,
s->msg_callback_arg);
if (s->info_callback != NULL)
cb = s->info_callback;
else if (s->ctx->info_callback != NULL)
cb = s->ctx->info_callback;
if (cb != NULL) {
j = (alert_level << 8) | alert_descr;
cb(s, SSL_CB_READ_ALERT, j);
}
if (alert_level == SSL3_AL_WARNING) {
s->s3->warn_alert = alert_descr;
s->rlayer.alert_count++;
if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
goto f_err;
}
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
#ifndef OPENSSL_NO_SCTP
/*
* With SCTP and streams the socket may deliver app data
* after a close_notify alert. We have to check this first so
* that nothing gets discarded.
*/
if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
s->d1->shutdown_received = 1;
s->rwstate = SSL_READING;
BIO_clear_retry_flags(SSL_get_rbio(s));
BIO_set_retry_read(SSL_get_rbio(s));
return -1;
}
#endif
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return (0);
}
#if 0
/* XXX: this is a possible improvement in the future */
/* now check if it's a missing record */
if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
unsigned short seq;
unsigned int frag_off;
unsigned char *p = &(s->rlayer.d->alert_fragment[2]);
n2s(p, seq);
n2l3(p, frag_off);
dtls1_retransmit_message(s,
dtls1_get_queue_priority
(frag->msg_header.seq, 0), frag_off,
&found);
if (!found && SSL_in_init(s)) {
/*
* fprintf( stderr,"in init = %d\n", SSL_in_init(s));
*/
/*
* requested a message not yet sent, send an alert
* ourselves
*/
ssl3_send_alert(s, SSL3_AL_WARNING,
DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
}
}
#endif
} else if (alert_level == SSL3_AL_FATAL) {
char tmp[16];
s->rwstate = SSL_NOTHING;
s->s3->fatal_alert = alert_descr;
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);
ERR_add_error_data(2, "SSL alert number ", tmp);
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL_CTX_remove_session(s->session_ctx, s->session);
return (0);
} else {
al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);
goto f_err;
}
goto start;
}
if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a
* shutdown */
s->rwstate = SSL_NOTHING;
SSL3_RECORD_set_length(rr, 0);
return (0);
}
if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) {
/*
* We can't process a CCS now, because previous handshake messages
* are still missing, so just drop it.
*/
SSL3_RECORD_set_length(rr, 0);
goto start;
}
/*
* Unexpected handshake message (Client Hello, or protocol violation)
*/
if ((s->rlayer.d->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
!ossl_statem_get_in_handshake(s)) {
struct hm_header_st msg_hdr;
/* this may just be a stale retransmit */
dtls1_get_message_header(rr->data, &msg_hdr);
if (SSL3_RECORD_get_epoch(rr) != s->rlayer.d->r_epoch) {
SSL3_RECORD_set_length(rr, 0);
goto start;
}
/*
* If we are server, we may have a repeated FINISHED of the client
* here, then retransmit our CCS and FINISHED.
*/
if (msg_hdr.type == SSL3_MT_FINISHED) {
if (dtls1_check_timeout_num(s) < 0)
return -1;
dtls1_retransmit_buffered_messages(s);
SSL3_RECORD_set_length(rr, 0);
goto start;
}
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
ossl_statem_set_in_init(s, 1);
s->renegotiate = 1;
s->new_session = 1;
}
i = s->handshake_func(s);
if (i < 0)
return (i);
if (i == 0) {
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
return (-1);
}
if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) {
/* no read-ahead left? */
BIO *bio;
/*
* In the case where we try to read application data, but we
* trigger an SSL handshake, we return -1 with the retry
* option set. Otherwise renegotiation may cause nasty
* problems in the blocking world
*/
s->rwstate = SSL_READING;
bio = SSL_get_rbio(s);
BIO_clear_retry_flags(bio);
BIO_set_retry_read(bio);
return (-1);
}
}
goto start;
}
switch (SSL3_RECORD_get_type(rr)) {
default:
/* TLS just ignores unknown message types */
if (s->version == TLS1_VERSION) {
SSL3_RECORD_set_length(rr, 0);
goto start;
}
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
goto f_err;
case SSL3_RT_CHANGE_CIPHER_SPEC:
case SSL3_RT_ALERT:
case SSL3_RT_HANDSHAKE:
/*
* we already handled all of these, with the possible exception of
* SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but
* that should not happen when type != rr->type
*/
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
goto f_err;
case SSL3_RT_APPLICATION_DATA:
/*
* At this point, we were expecting handshake data, but have
* application data. If the library was running inside ssl3_read()
* (i.e. in_read_app_data is set) and it makes sense to read
* application data at this point (session renegotiation not yet
* started), we will indulge it.
*/
if (s->s3->in_read_app_data &&
(s->s3->total_renegotiations != 0) &&
ossl_statem_app_data_allowed(s)) {
s->s3->in_read_app_data = 2;
return (-1);
} else {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
goto f_err;
}
}
/* not reached */
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return (-1);
}
/*-
* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
* connection. It is only called by servers.
*
* hello: The parsed ClientHello data
*
* Returns:
* -1: fatal error
* 0: no session found
* 1: a session may have been found.
*
* Side effects:
* - If a session is found then s->session is pointed at it (after freeing an
* existing session if need be) and s->verify_result is set from the session.
* - Both for new and resumed sessions, s->ext.ticket_expected is set to 1
* if the server should issue a new session ticket (to 0 otherwise).
*/
int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
{
/* This is used only by servers. */
SSL_SESSION *ret = NULL;
int fatal = 0;
int try_session_cache = 0;
SSL_TICKET_STATUS r;
if (SSL_IS_TLS13(s)) {
/*
* By default we will send a new ticket. This can be overridden in the
* ticket processing.
*/
s->ext.ticket_expected = 1;
if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes,
SSL_EXT_CLIENT_HELLO, hello->pre_proc_exts,
NULL, 0)
|| !tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_CLIENT_HELLO,
hello->pre_proc_exts, NULL, 0))
return -1;
ret = s->session;
} else {
/* sets s->ext.ticket_expected */
r = tls_get_ticket_from_client(s, hello, &ret);
switch (r) {
case SSL_TICKET_FATAL_ERR_MALLOC:
case SSL_TICKET_FATAL_ERR_OTHER:
fatal = 1;
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_PREV_SESSION,
ERR_R_INTERNAL_ERROR);
goto err;
case SSL_TICKET_NONE:
case SSL_TICKET_EMPTY:
if (hello->session_id_len > 0) {
try_session_cache = 1;
ret = lookup_sess_in_cache(s, hello->session_id,
hello->session_id_len);
}
break;
case SSL_TICKET_NO_DECRYPT:
case SSL_TICKET_SUCCESS:
case SSL_TICKET_SUCCESS_RENEW:
break;
}
}
if (ret == NULL)
goto err;
/* Now ret is non-NULL and we own one of its reference counts. */
/* Check TLS version consistency */
if (ret->ssl_version != s->version)
goto err;
if (ret->sid_ctx_length != s->sid_ctx_length
|| memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length)) {
/*
* We have the session requested by the client, but we don't want to
* use it in this context.
*/
goto err; /* treat like cache miss */
}
if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) {
/*
* We can't be sure if this session is being used out of context,
* which is especially important for SSL_VERIFY_PEER. The application
* should have used SSL[_CTX]_set_session_id_context. For this error
* case, we generate an error instead of treating the event like a
* cache miss (otherwise it would be easy for applications to
* effectively disable the session cache by accident without anyone
* noticing).
*/
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_PREV_SESSION,
SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
fatal = 1;
goto err;
}
if (ret->timeout < (long)(time(NULL) - ret->time)) { /* timeout */
tsan_counter(&s->session_ctx->stats.sess_timeout);
if (try_session_cache) {
/* session was from the cache, so remove it */
SSL_CTX_remove_session(s->session_ctx, ret);
}
goto err;
}
/* Check extended master secret extension consistency */
if (ret->flags & SSL_SESS_FLAG_EXTMS) {
/* If old session includes extms, but new does not: abort handshake */
if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_GET_PREV_SESSION,
SSL_R_INCONSISTENT_EXTMS);
fatal = 1;
goto err;
}
} else if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
/* If new session includes extms, but old does not: do not resume */
goto err;
}
if (!SSL_IS_TLS13(s)) {
/* We already did this for TLS1.3 */
SSL_SESSION_free(s->session);
s->session = ret;
}
tsan_counter(&s->session_ctx->stats.sess_hit);
s->verify_result = s->session->verify_result;
return 1;
err:
if (ret != NULL) {
SSL_SESSION_free(ret);
/* In TLSv1.3 s->session was already set to ret, so we NULL it out */
if (SSL_IS_TLS13(s))
s->session = NULL;
if (!try_session_cache) {
/*
* The session was from a ticket, so we should issue a ticket for
* the new session
*/
s->ext.ticket_expected = 1;
}
}
if (fatal)
return -1;
return 0;
}
int eaptls_success(EAP_HANDLER *handler, int peap_flag)
{
EAPTLS_PACKET reply;
VALUE_PAIR *vp, *vps = NULL;
REQUEST *request = handler->request;
tls_session_t *tls_session = handler->opaque;
reply.code = EAPTLS_SUCCESS;
reply.length = TLS_HEADER_LEN;
reply.flags = peap_flag;
reply.data = NULL;
reply.dlen = 0;
/*
* If there's no session resumption, delete the entry
* from the cache. This means either it's disabled
* globally for this SSL context, OR we were told to
* disable it for this user.
*
* This also means you can't turn it on just for one
* user.
*/
if ((!tls_session->allow_session_resumption) ||
(((vp = pairfind(request->config_items, 1127)) != NULL) &&
(vp->vp_integer == 0))) {
SSL_CTX_remove_session(tls_session->ctx,
tls_session->ssl->session);
tls_session->allow_session_resumption = 0;
/*
* If we're in a resumed session and it's
* not allowed,
*/
if (SSL_session_reused(tls_session->ssl)) {
RDEBUG("FAIL: Forcibly stopping session resumption as it is not allowed.");
return eaptls_fail(handler, peap_flag);
}
/*
* Else resumption IS allowed, so we store the
* user data in the cache.
*/
} else if (!SSL_session_reused(tls_session->ssl)) {
RDEBUG2("Saving response in the cache");
vp = paircopy2(request->reply->vps, PW_USER_NAME);
pairadd(&vps, vp);
vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
pairadd(&vps, vp);
if (vps) {
SSL_SESSION_set_ex_data(tls_session->ssl->session,
eaptls_session_idx, vps);
} else {
RDEBUG2("WARNING: No information to cache: session caching will be disabled for this session.");
SSL_CTX_remove_session(tls_session->ctx,
tls_session->ssl->session);
}
/*
* Else the session WAS allowed. Copy the cached
* reply.
*/
} else {
vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
eaptls_session_idx);
if (!vp) {
RDEBUG("WARNING: No information in cached session!");
return eaptls_fail(handler, peap_flag);
} else {
RDEBUG("Adding cached attributes to the reply:");
debug_pair_list(vp);
pairadd(&request->reply->vps, paircopy(vp));
/*
* Mark the request as resumed.
*/
vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
if (vp) pairadd(&request->packet->vps, vp);
}
}
/*
* Call compose AFTER checking for cached data.
*/
eaptls_compose(handler->eap_ds, &reply);
/*
* Automatically generate MPPE keying material.
*/
if (tls_session->prf_label) {
eaptls_gen_mppe_keys(&handler->request->reply->vps,
tls_session->ssl, tls_session->prf_label);
} else {
RDEBUG("WARNING: Not adding MPPE keys because there is no PRF label");
}
return 1;
}
/*
* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
* connection. It is only called by servers.
*
* session_id: points at the session ID in the ClientHello. This code will
* read past the end of this in order to parse out the session ticket
* extension, if any.
* len: the length of the session ID.
* limit: a pointer to the first byte after the ClientHello.
*
* Returns:
* -1: error
* 0: a session may have been found.
*
* Side effects:
* - If a session is found then s->session is pointed at it (after freeing
* an existing session if need be) and s->verify_result is set from the
* session.
* - Both for new and resumed sessions, s->internal->tlsext_ticket_expected is set
* to 1 if the server should issue a new session ticket (to 0 otherwise).
*/
int
ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
const unsigned char *limit)
{
SSL_SESSION *ret = NULL;
int fatal = 0;
int try_session_cache = 1;
int r;
/* This is used only by servers. */
if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
goto err;
if (len == 0)
try_session_cache = 0;
/* Sets s->internal->tlsext_ticket_expected. */
r = tls1_process_ticket(s, session_id, len, limit, &ret);
switch (r) {
case -1: /* Error during processing */
fatal = 1;
goto err;
case 0: /* No ticket found */
case 1: /* Zero length ticket found */
break; /* Ok to carry on processing session id. */
case 2: /* Ticket found but not decrypted. */
case 3: /* Ticket decrypted, *ret has been set. */
try_session_cache = 0;
break;
default:
abort();
}
if (try_session_cache && ret == NULL &&
!(s->session_ctx->internal->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
SSL_SESSION data;
data.ssl_version = s->version;
data.session_id_length = len;
memcpy(data.session_id, session_id, len);
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
ret = lh_SSL_SESSION_retrieve(s->session_ctx->internal->sessions, &data);
if (ret != NULL) {
/* Don't allow other threads to steal it. */
CRYPTO_add(&ret->references, 1,
CRYPTO_LOCK_SSL_SESSION);
}
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
if (ret == NULL)
s->session_ctx->internal->stats.sess_miss++;
}
if (try_session_cache && ret == NULL &&
s->session_ctx->internal->get_session_cb != NULL) {
int copy = 1;
if ((ret = s->session_ctx->internal->get_session_cb(s,
session_id, len, ©))) {
s->session_ctx->internal->stats.sess_cb_hit++;
/*
* Increment reference count now if the session
* callback asks us to do so (note that if the session
* structures returned by the callback are shared
* between threads, it must handle the reference count
* itself [i.e. copy == 0], or things won't be
* thread-safe).
*/
if (copy)
CRYPTO_add(&ret->references, 1,
CRYPTO_LOCK_SSL_SESSION);
/*
* Add the externally cached session to the internal
* cache as well if and only if we are supposed to.
*/
if (!(s->session_ctx->internal->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE))
/*
* The following should not return 1,
* otherwise, things are very strange.
*/
SSL_CTX_add_session(s->session_ctx, ret);
}
}
if (ret == NULL)
goto err;
/* Now ret is non-NULL and we own one of its reference counts. */
if (ret->sid_ctx_length != s->sid_ctx_length ||
timingsafe_memcmp(ret->sid_ctx,
s->sid_ctx, ret->sid_ctx_length) != 0) {
/* We have the session requested by the client, but we don't
* want to use it in this context. */
goto err; /* treat like cache miss */
}
if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) {
/*
* We can't be sure if this session is being used out of
* context, which is especially important for SSL_VERIFY_PEER.
* The application should have used
* SSL[_CTX]_set_session_id_context.
*
* For this error case, we generate an error instead of treating
* the event like a cache miss (otherwise it would be easy for
* applications to effectively disable the session cache by
* accident without anyone noticing).
*/
SSLerror(s, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
fatal = 1;
goto err;
}
if (ret->cipher == NULL) {
ret->cipher = ssl3_get_cipher_by_id(ret->cipher_id);
if (ret->cipher == NULL)
goto err;
}
if (ret->timeout < (time(NULL) - ret->time)) {
/* timeout */
s->session_ctx->internal->stats.sess_timeout++;
if (try_session_cache) {
/* session was from the cache, so remove it */
SSL_CTX_remove_session(s->session_ctx, ret);
}
goto err;
}
s->session_ctx->internal->stats.sess_hit++;
if (s->session != NULL)
SSL_SESSION_free(s->session);
s->session = ret;
s->verify_result = s->session->verify_result;
return 1;
err:
if (ret != NULL) {
SSL_SESSION_free(ret);
if (!try_session_cache) {
/*
* The session was from a ticket, so we should
* issue a ticket for the new session.
*/
s->internal->tlsext_ticket_expected = 1;
}
}
if (fatal)
return -1;
else
return 0;
}
/* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
* connection. It is only called by servers.
*
* ctx: contains the early callback context, which is the result of a
* shallow parse of the ClientHello.
*
* Returns:
* -1: error
* 0: a session may have been found.
*
* Side effects:
* - If a session is found then s->session is pointed at it (after freeing an
* existing session if need be) and s->verify_result is set from the session.
* - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
* if the server should issue a new session ticket (to 0 otherwise). */
int ssl_get_prev_session(SSL *s, const struct ssl_early_callback_ctx *ctx) {
/* This is used only by servers. */
SSL_SESSION *ret = NULL;
int fatal = 0;
int try_session_cache = 1;
int r;
if (ctx->session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
goto err;
}
if (ctx->session_id_len == 0) {
try_session_cache = 0;
}
r = tls1_process_ticket(s, ctx, &ret); /* sets s->tlsext_ticket_expected */
switch (r) {
case -1: /* Error during processing */
fatal = 1;
goto err;
case 0: /* No ticket found */
case 1: /* Zero length ticket found */
break; /* Ok to carry on processing session id. */
case 2: /* Ticket found but not decrypted. */
case 3: /* Ticket decrypted, *ret has been set. */
try_session_cache = 0;
break;
default:
abort();
}
if (try_session_cache && ret == NULL &&
!(s->initial_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
SSL_SESSION data;
data.ssl_version = s->version;
data.session_id_length = ctx->session_id_len;
if (ctx->session_id_len == 0) {
return 0;
}
memcpy(data.session_id, ctx->session_id, ctx->session_id_len);
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
ret = SSL_SESSION_up_ref(lh_SSL_SESSION_retrieve(s->initial_ctx->sessions,
&data));
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
}
if (try_session_cache && ret == NULL &&
s->initial_ctx->get_session_cb != NULL) {
int copy = 1;
ret = s->initial_ctx->get_session_cb(s, (uint8_t *)ctx->session_id,
ctx->session_id_len, ©);
if (ret != NULL) {
if (ret == SSL_magic_pending_session_ptr()) {
/* This is a magic value which indicates that the callback needs to
* unwind the stack and figure out the session asynchronously. */
return PENDING_SESSION;
}
/* Increment reference count now if the session callback asks us to do so
* (note that if the session structures returned by the callback are
* shared between threads, it must handle the reference count itself
* [i.e. copy == 0], or things won't be thread-safe). */
if (copy) {
SSL_SESSION_up_ref(ret);
}
/* Add the externally cached session to the internal cache as well if and
* only if we are supposed to. */
if (!(s->initial_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
/* The following should not return 1, otherwise, things are very
* strange */
SSL_CTX_add_session(s->initial_ctx, ret);
}
}
}
if (ret == NULL) {
goto err;
}
/* Now ret is non-NULL and we own one of its reference counts. */
if (ret->sid_ctx_length != s->sid_ctx_length ||
memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length)) {
/* We have the session requested by the client, but we don't want to use it
* in this context. */
goto err; /* treat like cache miss */
}
if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) {
/* We can't be sure if this session is being used out of context, which is
* especially important for SSL_VERIFY_PEER. The application should have
* used SSL[_CTX]_set_session_id_context.
*
* For this error case, we generate an error instead of treating the event
* like a cache miss (otherwise it would be easy for applications to
* effectively disable the session cache by accident without anyone
* noticing). */
OPENSSL_PUT_ERROR(SSL, ssl_get_prev_session,
SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
fatal = 1;
goto err;
}
if (ret->timeout < (long)(time(NULL) - ret->time)) {
/* timeout */
if (try_session_cache) {
/* session was from the cache, so remove it */
SSL_CTX_remove_session(s->initial_ctx, ret);
}
goto err;
}
if (s->session != NULL) {
SSL_SESSION_free(s->session);
}
s->session = ret;
s->verify_result = s->session->verify_result;
return 1;
err:
if (ret != NULL) {
SSL_SESSION_free(ret);
if (!try_session_cache) {
/* The session was from a ticket, so we should
* issue a ticket for the new session */
s->tlsext_ticket_expected = 1;
}
}
if (fatal) {
return -1;
}
return 0;
}
