s3_both.c revision 306196
1/* ssl/s3_both.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * ECC cipher suite support in OpenSSL originally developed by 114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 115 */ 116 117#include <limits.h> 118#include <string.h> 119#include <stdio.h> 120#include "ssl_locl.h" 121#include <openssl/buffer.h> 122#include <openssl/rand.h> 123#include <openssl/objects.h> 124#include <openssl/evp.h> 125#include <openssl/x509.h> 126 127/* 128 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 129 * SSL3_RT_CHANGE_CIPHER_SPEC) 130 */ 131int ssl3_do_write(SSL *s, int type) 132{ 133 int ret; 134 135 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], 136 s->init_num); 137 if (ret < 0) 138 return (-1); 139 if (type == SSL3_RT_HANDSHAKE) 140 /* 141 * should not be done for 'Hello Request's, but in that case we'll 142 * ignore the result anyway 143 */ 144 ssl3_finish_mac(s, (unsigned char *)&s->init_buf->data[s->init_off], 145 ret); 146 147 if (ret == s->init_num) { 148 if (s->msg_callback) 149 s->msg_callback(1, s->version, type, s->init_buf->data, 150 (size_t)(s->init_off + s->init_num), s, 151 s->msg_callback_arg); 152 return (1); 153 } 154 s->init_off += ret; 155 s->init_num -= ret; 156 return (0); 157} 158 159int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) 160{ 161 unsigned char *p, *d; 162 int i; 163 unsigned long l; 164 165 if (s->state == a) { 166 d = (unsigned char *)s->init_buf->data; 167 p = &(d[4]); 168 169 i = s->method->ssl3_enc->final_finish_mac(s, 170 sender, slen, 171 s->s3->tmp.finish_md); 172 if (i <= 0) 173 return 0; 174 s->s3->tmp.finish_md_len = i; 175 memcpy(p, s->s3->tmp.finish_md, i); 176 p += i; 177 l = i; 178 179 /* 180 * Copy the finished so we can use it for renegotiation checks 181 */ 182 if (s->type == SSL_ST_CONNECT) { 183 OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 184 memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md, i); 185 s->s3->previous_client_finished_len = i; 186 } else { 187 OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 188 memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, i); 189 s->s3->previous_server_finished_len = i; 190 } 191 192#ifdef OPENSSL_SYS_WIN16 193 /* 194 * MSVC 1.5 does not clear the top bytes of the word unless I do 195 * this. 196 */ 197 l &= 0xffff; 198#endif 199 200 *(d++) = SSL3_MT_FINISHED; 201 l2n3(l, d); 202 s->init_num = (int)l + 4; 203 s->init_off = 0; 204 205 s->state = b; 206 } 207 208 /* SSL3_ST_SEND_xxxxxx_HELLO_B */ 209 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 210} 211 212#ifndef OPENSSL_NO_NEXTPROTONEG 213/* 214 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen 215 * to far. 216 */ 217static void ssl3_take_mac(SSL *s) 218{ 219 const char *sender; 220 int slen; 221 /* 222 * If no new cipher setup return immediately: other functions will set 223 * the appropriate error. 224 */ 225 if (s->s3->tmp.new_cipher == NULL) 226 return; 227 if (s->state & SSL_ST_CONNECT) { 228 sender = s->method->ssl3_enc->server_finished_label; 229 slen = s->method->ssl3_enc->server_finished_label_len; 230 } else { 231 sender = s->method->ssl3_enc->client_finished_label; 232 slen = s->method->ssl3_enc->client_finished_label_len; 233 } 234 235 s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 236 sender, 237 slen, 238 s->s3->tmp.peer_finish_md); 239} 240#endif 241 242int ssl3_get_finished(SSL *s, int a, int b) 243{ 244 int al, i, ok; 245 long n; 246 unsigned char *p; 247 248#ifdef OPENSSL_NO_NEXTPROTONEG 249 /* 250 * the mac has already been generated when we received the change cipher 251 * spec message and is in s->s3->tmp.peer_finish_md. 252 */ 253#endif 254 255 /* 64 argument should actually be 36+4 :-) */ 256 n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64, &ok); 257 258 if (!ok) 259 return ((int)n); 260 261 /* If this occurs, we have missed a message */ 262 if (!s->s3->change_cipher_spec) { 263 al = SSL_AD_UNEXPECTED_MESSAGE; 264 SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS); 265 goto f_err; 266 } 267 s->s3->change_cipher_spec = 0; 268 269 p = (unsigned char *)s->init_msg; 270 i = s->s3->tmp.peer_finish_md_len; 271 272 if (i != n) { 273 al = SSL_AD_DECODE_ERROR; 274 SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH); 275 goto f_err; 276 } 277 278 if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) { 279 al = SSL_AD_DECRYPT_ERROR; 280 SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED); 281 goto f_err; 282 } 283 284 /* 285 * Copy the finished so we can use it for renegotiation checks 286 */ 287 if (s->type == SSL_ST_ACCEPT) { 288 OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 289 memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, i); 290 s->s3->previous_client_finished_len = i; 291 } else { 292 OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 293 memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, i); 294 s->s3->previous_server_finished_len = i; 295 } 296 297 return (1); 298 f_err: 299 ssl3_send_alert(s, SSL3_AL_FATAL, al); 300 return (0); 301} 302 303/*- 304 * for these 2 messages, we need to 305 * ssl->enc_read_ctx re-init 306 * ssl->s3->read_sequence zero 307 * ssl->s3->read_mac_secret re-init 308 * ssl->session->read_sym_enc assign 309 * ssl->session->read_compression assign 310 * ssl->session->read_hash assign 311 */ 312int ssl3_send_change_cipher_spec(SSL *s, int a, int b) 313{ 314 unsigned char *p; 315 316 if (s->state == a) { 317 p = (unsigned char *)s->init_buf->data; 318 *p = SSL3_MT_CCS; 319 s->init_num = 1; 320 s->init_off = 0; 321 322 s->state = b; 323 } 324 325 /* SSL3_ST_CW_CHANGE_B */ 326 return (ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC)); 327} 328 329static int ssl3_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) 330{ 331 int n; 332 unsigned char *p; 333 334 n = i2d_X509(x, NULL); 335 if (!BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) { 336 SSLerr(SSL_F_SSL3_ADD_CERT_TO_BUF, ERR_R_BUF_LIB); 337 return (-1); 338 } 339 p = (unsigned char *)&(buf->data[*l]); 340 l2n3(n, p); 341 i2d_X509(x, &p); 342 *l += n + 3; 343 344 return (0); 345} 346 347unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) 348{ 349 unsigned char *p; 350 int i; 351 unsigned long l = 7; 352 BUF_MEM *buf; 353 int no_chain; 354 355 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) 356 no_chain = 1; 357 else 358 no_chain = 0; 359 360 /* TLSv1 sends a chain with nothing in it, instead of an alert */ 361 buf = s->init_buf; 362 if (!BUF_MEM_grow_clean(buf, 10)) { 363 SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_BUF_LIB); 364 return (0); 365 } 366 if (x != NULL) { 367 if (no_chain) { 368 if (ssl3_add_cert_to_buf(buf, &l, x)) 369 return (0); 370 } else { 371 X509_STORE_CTX xs_ctx; 372 373 if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store, x, NULL)) { 374 SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_X509_LIB); 375 return (0); 376 } 377 X509_verify_cert(&xs_ctx); 378 /* Don't leave errors in the queue */ 379 ERR_clear_error(); 380 for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) { 381 x = sk_X509_value(xs_ctx.chain, i); 382 383 if (ssl3_add_cert_to_buf(buf, &l, x)) { 384 X509_STORE_CTX_cleanup(&xs_ctx); 385 return 0; 386 } 387 } 388 X509_STORE_CTX_cleanup(&xs_ctx); 389 } 390 } 391 /* Thawte special :-) */ 392 for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) { 393 x = sk_X509_value(s->ctx->extra_certs, i); 394 if (ssl3_add_cert_to_buf(buf, &l, x)) 395 return (0); 396 } 397 398 l -= 7; 399 p = (unsigned char *)&(buf->data[4]); 400 l2n3(l, p); 401 l += 3; 402 p = (unsigned char *)&(buf->data[0]); 403 *(p++) = SSL3_MT_CERTIFICATE; 404 l2n3(l, p); 405 l += 4; 406 return (l); 407} 408 409/* 410 * Obtain handshake message of message type 'mt' (any if mt == -1), maximum 411 * acceptable body length 'max'. The first four bytes (msg_type and length) 412 * are read in state 'st1', the body is read in state 'stn'. 413 */ 414long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) 415{ 416 unsigned char *p; 417 unsigned long l; 418 long n; 419 int i, al; 420 421 if (s->s3->tmp.reuse_message) { 422 s->s3->tmp.reuse_message = 0; 423 if ((mt >= 0) && (s->s3->tmp.message_type != mt)) { 424 al = SSL_AD_UNEXPECTED_MESSAGE; 425 SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 426 goto f_err; 427 } 428 *ok = 1; 429 s->state = stn; 430 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 431 s->init_num = (int)s->s3->tmp.message_size; 432 return s->init_num; 433 } 434 435 p = (unsigned char *)s->init_buf->data; 436 437 if (s->state == st1) { /* s->init_num < SSL3_HM_HEADER_LENGTH */ 438 int skip_message; 439 440 do { 441 while (s->init_num < SSL3_HM_HEADER_LENGTH) { 442 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, 443 &p[s->init_num], 444 SSL3_HM_HEADER_LENGTH - 445 s->init_num, 0); 446 if (i <= 0) { 447 s->rwstate = SSL_READING; 448 *ok = 0; 449 return i; 450 } 451 s->init_num += i; 452 } 453 454 skip_message = 0; 455 if (!s->server) 456 if (p[0] == SSL3_MT_HELLO_REQUEST) 457 /* 458 * The server may always send 'Hello Request' messages -- 459 * we are doing a handshake anyway now, so ignore them if 460 * their format is correct. Does not count for 'Finished' 461 * MAC. 462 */ 463 if (p[1] == 0 && p[2] == 0 && p[3] == 0) { 464 s->init_num = 0; 465 skip_message = 1; 466 467 if (s->msg_callback) 468 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 469 p, SSL3_HM_HEADER_LENGTH, s, 470 s->msg_callback_arg); 471 } 472 } 473 while (skip_message); 474 475 /* s->init_num == SSL3_HM_HEADER_LENGTH */ 476 477 if ((mt >= 0) && (*p != mt)) { 478 al = SSL_AD_UNEXPECTED_MESSAGE; 479 SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 480 goto f_err; 481 } 482 if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) && 483 (st1 == SSL3_ST_SR_CERT_A) && (stn == SSL3_ST_SR_CERT_B)) { 484 /* 485 * At this point we have got an MS SGC second client hello (maybe 486 * we should always allow the client to start a new handshake?). 487 * We need to restart the mac. Don't increment 488 * {num,total}_renegotiations because we have not completed the 489 * handshake. 490 */ 491 ssl3_init_finished_mac(s); 492 } 493 494 s->s3->tmp.message_type = *(p++); 495 496 n2l3(p, l); 497 if (l > (unsigned long)max) { 498 al = SSL_AD_ILLEGAL_PARAMETER; 499 SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE); 500 goto f_err; 501 } 502 /* 503 * Make buffer slightly larger than message length as a precaution 504 * against small OOB reads e.g. CVE-2016-6306 505 */ 506 if (l 507 && !BUF_MEM_grow_clean(s->init_buf, 508 (int)l + SSL3_HM_HEADER_LENGTH + 16)) { 509 SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB); 510 goto err; 511 } 512 s->s3->tmp.message_size = l; 513 s->state = stn; 514 515 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 516 s->init_num = 0; 517 } 518 519 /* next state (stn) */ 520 p = s->init_msg; 521 n = s->s3->tmp.message_size - s->init_num; 522 while (n > 0) { 523 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[s->init_num], 524 n, 0); 525 if (i <= 0) { 526 s->rwstate = SSL_READING; 527 *ok = 0; 528 return i; 529 } 530 s->init_num += i; 531 n -= i; 532 } 533 534#ifndef OPENSSL_NO_NEXTPROTONEG 535 /* 536 * If receiving Finished, record MAC of prior handshake messages for 537 * Finished verification. 538 */ 539 if (*s->init_buf->data == SSL3_MT_FINISHED) 540 ssl3_take_mac(s); 541#endif 542 543 /* Feed this message into MAC computation. */ 544 ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 545 s->init_num + SSL3_HM_HEADER_LENGTH); 546 if (s->msg_callback) 547 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 548 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s, 549 s->msg_callback_arg); 550 *ok = 1; 551 return s->init_num; 552 f_err: 553 ssl3_send_alert(s, SSL3_AL_FATAL, al); 554 err: 555 *ok = 0; 556 return (-1); 557} 558 559int ssl_cert_type(X509 *x, EVP_PKEY *pkey) 560{ 561 EVP_PKEY *pk; 562 int ret = -1, i; 563 564 if (pkey == NULL) 565 pk = X509_get_pubkey(x); 566 else 567 pk = pkey; 568 if (pk == NULL) 569 goto err; 570 571 i = pk->type; 572 if (i == EVP_PKEY_RSA) { 573 ret = SSL_PKEY_RSA_ENC; 574 } else if (i == EVP_PKEY_DSA) { 575 ret = SSL_PKEY_DSA_SIGN; 576 } 577#ifndef OPENSSL_NO_EC 578 else if (i == EVP_PKEY_EC) { 579 ret = SSL_PKEY_ECC; 580 } 581#endif 582 else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc) { 583 ret = SSL_PKEY_GOST94; 584 } else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc) { 585 ret = SSL_PKEY_GOST01; 586 } 587 err: 588 if (!pkey) 589 EVP_PKEY_free(pk); 590 return (ret); 591} 592 593int ssl_verify_alarm_type(long type) 594{ 595 int al; 596 597 switch (type) { 598 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: 599 case X509_V_ERR_UNABLE_TO_GET_CRL: 600 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: 601 al = SSL_AD_UNKNOWN_CA; 602 break; 603 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: 604 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: 605 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: 606 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: 607 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: 608 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: 609 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: 610 case X509_V_ERR_CERT_NOT_YET_VALID: 611 case X509_V_ERR_CRL_NOT_YET_VALID: 612 case X509_V_ERR_CERT_UNTRUSTED: 613 case X509_V_ERR_CERT_REJECTED: 614 al = SSL_AD_BAD_CERTIFICATE; 615 break; 616 case X509_V_ERR_CERT_SIGNATURE_FAILURE: 617 case X509_V_ERR_CRL_SIGNATURE_FAILURE: 618 al = SSL_AD_DECRYPT_ERROR; 619 break; 620 case X509_V_ERR_CERT_HAS_EXPIRED: 621 case X509_V_ERR_CRL_HAS_EXPIRED: 622 al = SSL_AD_CERTIFICATE_EXPIRED; 623 break; 624 case X509_V_ERR_CERT_REVOKED: 625 al = SSL_AD_CERTIFICATE_REVOKED; 626 break; 627 case X509_V_ERR_UNSPECIFIED: 628 case X509_V_ERR_OUT_OF_MEM: 629 case X509_V_ERR_INVALID_CALL: 630 case X509_V_ERR_STORE_LOOKUP: 631 al = SSL_AD_INTERNAL_ERROR; 632 break; 633 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 634 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: 635 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 636 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: 637 case X509_V_ERR_CERT_CHAIN_TOO_LONG: 638 case X509_V_ERR_PATH_LENGTH_EXCEEDED: 639 case X509_V_ERR_INVALID_CA: 640 al = SSL_AD_UNKNOWN_CA; 641 break; 642 case X509_V_ERR_APPLICATION_VERIFICATION: 643 al = SSL_AD_HANDSHAKE_FAILURE; 644 break; 645 case X509_V_ERR_INVALID_PURPOSE: 646 al = SSL_AD_UNSUPPORTED_CERTIFICATE; 647 break; 648 default: 649 al = SSL_AD_CERTIFICATE_UNKNOWN; 650 break; 651 } 652 return (al); 653} 654 655#ifndef OPENSSL_NO_BUF_FREELISTS 656/*- 657 * On some platforms, malloc() performance is bad enough that you can't just 658 * free() and malloc() buffers all the time, so we need to use freelists from 659 * unused buffers. Currently, each freelist holds memory chunks of only a 660 * given size (list->chunklen); other sized chunks are freed and malloced. 661 * This doesn't help much if you're using many different SSL option settings 662 * with a given context. (The options affecting buffer size are 663 * max_send_fragment, read buffer vs write buffer, 664 * SSL_OP_MICROSOFT_BIG_WRITE_BUFFER, SSL_OP_NO_COMPRESSION, and 665 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.) Using a separate freelist for every 666 * possible size is not an option, since max_send_fragment can take on many 667 * different values. 668 * 669 * If you are on a platform with a slow malloc(), and you're using SSL 670 * connections with many different settings for these options, and you need to 671 * use the SSL_MOD_RELEASE_BUFFERS feature, you have a few options: 672 * - Link against a faster malloc implementation. 673 * - Use a separate SSL_CTX for each option set. 674 * - Improve this code. 675 */ 676static void *freelist_extract(SSL_CTX *ctx, int for_read, int sz) 677{ 678 SSL3_BUF_FREELIST *list; 679 SSL3_BUF_FREELIST_ENTRY *ent = NULL; 680 void *result = NULL; 681 682 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 683 list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist; 684 if (list != NULL && sz == (int)list->chunklen) 685 ent = list->head; 686 if (ent != NULL) { 687 list->head = ent->next; 688 result = ent; 689 if (--list->len == 0) 690 list->chunklen = 0; 691 } 692 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 693 if (!result) 694 result = OPENSSL_malloc(sz); 695 return result; 696} 697 698static void freelist_insert(SSL_CTX *ctx, int for_read, size_t sz, void *mem) 699{ 700 SSL3_BUF_FREELIST *list; 701 SSL3_BUF_FREELIST_ENTRY *ent; 702 703 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 704 list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist; 705 if (list != NULL && 706 (sz == list->chunklen || list->chunklen == 0) && 707 list->len < ctx->freelist_max_len && sz >= sizeof(*ent)) { 708 list->chunklen = sz; 709 ent = mem; 710 ent->next = list->head; 711 list->head = ent; 712 ++list->len; 713 mem = NULL; 714 } 715 716 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 717 if (mem) 718 OPENSSL_free(mem); 719} 720#else 721# define freelist_extract(c,fr,sz) OPENSSL_malloc(sz) 722# define freelist_insert(c,fr,sz,m) OPENSSL_free(m) 723#endif 724 725int ssl3_setup_read_buffer(SSL *s) 726{ 727 unsigned char *p; 728 size_t len, align = 0, headerlen; 729 730 if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 731 headerlen = DTLS1_RT_HEADER_LENGTH; 732 else 733 headerlen = SSL3_RT_HEADER_LENGTH; 734 735#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 736 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); 737#endif 738 739 if (s->s3->rbuf.buf == NULL) { 740 len = SSL3_RT_MAX_PLAIN_LENGTH 741 + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align; 742 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) { 743 s->s3->init_extra = 1; 744 len += SSL3_RT_MAX_EXTRA; 745 } 746#ifndef OPENSSL_NO_COMP 747 if (!(s->options & SSL_OP_NO_COMPRESSION)) 748 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; 749#endif 750 if ((p = freelist_extract(s->ctx, 1, len)) == NULL) 751 goto err; 752 s->s3->rbuf.buf = p; 753 s->s3->rbuf.len = len; 754 } 755 756 s->packet = &(s->s3->rbuf.buf[0]); 757 return 1; 758 759 err: 760 SSLerr(SSL_F_SSL3_SETUP_READ_BUFFER, ERR_R_MALLOC_FAILURE); 761 return 0; 762} 763 764int ssl3_setup_write_buffer(SSL *s) 765{ 766 unsigned char *p; 767 size_t len, align = 0, headerlen; 768 769 if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 770 headerlen = DTLS1_RT_HEADER_LENGTH + 1; 771 else 772 headerlen = SSL3_RT_HEADER_LENGTH; 773 774#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 775 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); 776#endif 777 778 if (s->s3->wbuf.buf == NULL) { 779 len = s->max_send_fragment 780 + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; 781#ifndef OPENSSL_NO_COMP 782 if (!(s->options & SSL_OP_NO_COMPRESSION)) 783 len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; 784#endif 785 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 786 len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; 787 788 if ((p = freelist_extract(s->ctx, 0, len)) == NULL) 789 goto err; 790 s->s3->wbuf.buf = p; 791 s->s3->wbuf.len = len; 792 } 793 794 return 1; 795 796 err: 797 SSLerr(SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE); 798 return 0; 799} 800 801int ssl3_setup_buffers(SSL *s) 802{ 803 if (!ssl3_setup_read_buffer(s)) 804 return 0; 805 if (!ssl3_setup_write_buffer(s)) 806 return 0; 807 return 1; 808} 809 810int ssl3_release_write_buffer(SSL *s) 811{ 812 if (s->s3->wbuf.buf != NULL) { 813 freelist_insert(s->ctx, 0, s->s3->wbuf.len, s->s3->wbuf.buf); 814 s->s3->wbuf.buf = NULL; 815 } 816 return 1; 817} 818 819int ssl3_release_read_buffer(SSL *s) 820{ 821 if (s->s3->rbuf.buf != NULL) { 822 freelist_insert(s->ctx, 1, s->s3->rbuf.len, s->s3->rbuf.buf); 823 s->s3->rbuf.buf = NULL; 824 } 825 return 1; 826} 827