提交 c2853382 编写于 作者: M Matt Caswell

More record layer conversions to use SSLfatal()

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4841)
上级 99dd3740
...@@ -378,7 +378,8 @@ int dtls1_check_timeout_num(SSL *s) ...@@ -378,7 +378,8 @@ int dtls1_check_timeout_num(SSL *s)
if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
/* fail the connection, enough alerts have been sent */ /* fail the connection, enough alerts have been sent */
SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM, SSL_R_READ_TIMEOUT_EXPIRED); SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS1_CHECK_TIMEOUT_NUM,
SSL_R_READ_TIMEOUT_EXPIRED);
return -1; return -1;
} }
...@@ -397,8 +398,10 @@ int dtls1_handle_timeout(SSL *s) ...@@ -397,8 +398,10 @@ int dtls1_handle_timeout(SSL *s)
else else
dtls1_double_timeout(s); dtls1_double_timeout(s);
if (dtls1_check_timeout_num(s) < 0) if (dtls1_check_timeout_num(s) < 0) {
/* SSLfatal() already called */
return -1; return -1;
}
s->d1->timeout.read_timeouts++; s->d1->timeout.read_timeouts++;
if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) { if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
...@@ -406,6 +409,7 @@ int dtls1_handle_timeout(SSL *s) ...@@ -406,6 +409,7 @@ int dtls1_handle_timeout(SSL *s)
} }
dtls1_start_timer(s); dtls1_start_timer(s);
/* Calls SSLfatal() if required */
return dtls1_retransmit_buffered_messages(s); return dtls1_retransmit_buffered_messages(s);
} }
......
...@@ -148,7 +148,8 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) ...@@ -148,7 +148,8 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
if (rdata == NULL || item == NULL) { if (rdata == NULL || item == NULL) {
OPENSSL_free(rdata); OPENSSL_free(rdata);
pitem_free(item); pitem_free(item);
SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_BUFFER_RECORD,
ERR_R_INTERNAL_ERROR);
return -1; return -1;
} }
...@@ -175,7 +176,7 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) ...@@ -175,7 +176,7 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
memset(&s->rlayer.rrec, 0, sizeof(s->rlayer.rrec)); memset(&s->rlayer.rrec, 0, sizeof(s->rlayer.rrec));
if (!ssl3_setup_buffers(s)) { if (!ssl3_setup_buffers(s)) {
SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
OPENSSL_free(rdata->rbuf.buf); OPENSSL_free(rdata->rbuf.buf);
OPENSSL_free(rdata); OPENSSL_free(rdata);
pitem_free(item); pitem_free(item);
...@@ -184,7 +185,8 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) ...@@ -184,7 +185,8 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
/* insert should not fail, since duplicates are dropped */ /* insert should not fail, since duplicates are dropped */
if (pqueue_insert(queue->q, item) == NULL) { if (pqueue_insert(queue->q, item) == NULL) {
SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_BUFFER_RECORD,
ERR_R_INTERNAL_ERROR);
OPENSSL_free(rdata->rbuf.buf); OPENSSL_free(rdata->rbuf.buf);
OPENSSL_free(rdata); OPENSSL_free(rdata);
pitem_free(item); pitem_free(item);
...@@ -258,8 +260,9 @@ int dtls1_process_buffered_records(SSL *s) ...@@ -258,8 +260,9 @@ int dtls1_process_buffered_records(SSL *s)
* current record is from a different epoch. But that cannot * current record is from a different epoch. But that cannot
* be the case because we already checked the epoch above * be the case because we already checked the epoch above
*/ */
SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
ERR_R_INTERNAL_ERROR); SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
#ifndef OPENSSL_NO_SCTP #ifndef OPENSSL_NO_SCTP
...@@ -277,6 +280,10 @@ int dtls1_process_buffered_records(SSL *s) ...@@ -277,6 +280,10 @@ int dtls1_process_buffered_records(SSL *s)
} }
if (!replayok || !dtls1_process_record(s, bitmap)) { if (!replayok || !dtls1_process_record(s, bitmap)) {
if (ossl_statem_in_error(s)) {
/* dtls1_process_record called SSLfatal() */
return -1;
}
/* dump this record */ /* dump this record */
rr->length = 0; rr->length = 0;
RECORD_LAYER_reset_packet_length(&s->rlayer); RECORD_LAYER_reset_packet_length(&s->rlayer);
...@@ -284,8 +291,10 @@ int dtls1_process_buffered_records(SSL *s) ...@@ -284,8 +291,10 @@ int dtls1_process_buffered_records(SSL *s)
} }
if (dtls1_buffer_record(s, &(s->rlayer.d->processed_rcds), if (dtls1_buffer_record(s, &(s->rlayer.d->processed_rcds),
SSL3_RECORD_get_seq_num(s->rlayer.rrec)) < 0) SSL3_RECORD_get_seq_num(s->rlayer.rrec)) < 0) {
/* SSLfatal() already called */
return 0; return 0;
}
} }
} }
...@@ -331,15 +340,17 @@ int dtls1_process_buffered_records(SSL *s) ...@@ -331,15 +340,17 @@ int dtls1_process_buffered_records(SSL *s)
int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
size_t len, int peek, size_t *readbytes) size_t len, int peek, size_t *readbytes)
{ {
int al, i, j, iret; int i, j, iret;
size_t n; size_t n;
SSL3_RECORD *rr; SSL3_RECORD *rr;
void (*cb) (const SSL *ssl, int type2, int val) = NULL; void (*cb) (const SSL *ssl, int type2, int val) = NULL;
if (!SSL3_BUFFER_is_initialised(&s->rlayer.rbuf)) { if (!SSL3_BUFFER_is_initialised(&s->rlayer.rbuf)) {
/* Not initialized yet */ /* Not initialized yet */
if (!ssl3_setup_buffers(s)) if (!ssl3_setup_buffers(s)) {
/* SSLfatal() already called */
return -1; return -1;
}
} }
if ((type && (type != SSL3_RT_APPLICATION_DATA) && if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
...@@ -353,12 +364,11 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -353,12 +364,11 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
{ {
/* type == SSL3_RT_APPLICATION_DATA */ /* type == SSL3_RT_APPLICATION_DATA */
i = s->handshake_func(s); i = s->handshake_func(s);
/* SSLfatal() already called if appropriate */
if (i < 0) if (i < 0)
return i; return i;
if (i == 0) { if (i == 0)
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
return -1; return -1;
}
} }
start: start:
...@@ -410,7 +420,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -410,7 +420,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
iret = dtls1_get_record(s); iret = dtls1_get_record(s);
if (iret <= 0) { if (iret <= 0) {
iret = dtls1_read_failed(s, iret); iret = dtls1_read_failed(s, iret);
/* anything other than a timeout is an error */ /*
* Anything other than a timeout is an error. SSLfatal() already
* called if appropriate.
*/
if (iret <= 0) if (iret <= 0)
return iret; return iret;
else else
...@@ -438,7 +451,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -438,7 +451,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
*/ */
if (dtls1_buffer_record(s, &(s->rlayer.d->buffered_app_data), if (dtls1_buffer_record(s, &(s->rlayer.d->buffered_app_data),
SSL3_RECORD_get_seq_num(rr)) < 0) { SSL3_RECORD_get_seq_num(rr)) < 0) {
SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
return -1; return -1;
} }
SSL3_RECORD_set_length(rr, 0); SSL3_RECORD_set_length(rr, 0);
...@@ -469,9 +482,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -469,9 +482,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
*/ */
if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
(s->enc_read_ctx == NULL)) { (s->enc_read_ctx == NULL)) {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE); SSL_R_APP_DATA_IN_HANDSHAKE);
goto f_err; return -1;
} }
if (recvd_type != NULL) if (recvd_type != NULL)
...@@ -526,9 +539,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -526,9 +539,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
|| !PACKET_get_1(&alert, &alert_level) || !PACKET_get_1(&alert, &alert_level)
|| !PACKET_get_1(&alert, &alert_descr) || !PACKET_get_1(&alert, &alert_descr)
|| PACKET_remaining(&alert) != 0) { || PACKET_remaining(&alert) != 0) {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_INVALID_ALERT); SSL_R_INVALID_ALERT);
goto f_err; return -1;
} }
if (s->msg_callback) if (s->msg_callback)
...@@ -550,9 +563,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -550,9 +563,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
s->rlayer.alert_count++; s->rlayer.alert_count++;
if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) { if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); SSL_R_TOO_MANY_WARN_ALERTS);
goto f_err; return -1;
} }
if (alert_descr == SSL_AD_CLOSE_NOTIFY) { if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
...@@ -579,16 +592,17 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -579,16 +592,17 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
s->rwstate = SSL_NOTHING; s->rwstate = SSL_NOTHING;
s->s3->fatal_alert = alert_descr; s->s3->fatal_alert = alert_descr;
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS1_READ_BYTES,
BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr); SSL_AD_REASON_OFFSET + alert_descr);
BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);
ERR_add_error_data(2, "SSL alert number ", tmp); ERR_add_error_data(2, "SSL alert number ", tmp);
s->shutdown |= SSL_RECEIVED_SHUTDOWN; s->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL_CTX_remove_session(s->session_ctx, s->session); SSL_CTX_remove_session(s->session_ctx, s->session);
return 0; return 0;
} else { } else {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS1_READ_BYTES,
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); SSL_R_UNKNOWN_ALERT_TYPE);
goto f_err; return -1;
} }
goto start; goto start;
...@@ -634,8 +648,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -634,8 +648,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
* here, then retransmit our CCS and FINISHED. * here, then retransmit our CCS and FINISHED.
*/ */
if (msg_hdr.type == SSL3_MT_FINISHED) { if (msg_hdr.type == SSL3_MT_FINISHED) {
if (dtls1_check_timeout_num(s) < 0) if (dtls1_check_timeout_num(s) < 0) {
/* SSLfatal) already called */
return -1; return -1;
}
if (dtls1_retransmit_buffered_messages(s) <= 0) { if (dtls1_retransmit_buffered_messages(s) <= 0) {
/* Fail if we encountered a fatal error */ /* Fail if we encountered a fatal error */
...@@ -653,21 +669,20 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -653,21 +669,20 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
* finished * finished
*/ */
if (!ossl_assert(SSL_is_init_finished(s))) { if (!ossl_assert(SSL_is_init_finished(s))) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_READ_BYTES,
SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; return -1;
} }
/* We found handshake data, so we're going back into init */ /* We found handshake data, so we're going back into init */
ossl_statem_set_in_init(s, 1); ossl_statem_set_in_init(s, 1);
i = s->handshake_func(s); i = s->handshake_func(s);
/* SSLfatal() called if appropriate */
if (i < 0) if (i < 0)
return i; return i;
if (i == 0) { if (i == 0)
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
return -1; return -1;
}
if (!(s->mode & SSL_MODE_AUTO_RETRY)) { if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) { if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) {
...@@ -691,9 +706,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -691,9 +706,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
switch (SSL3_RECORD_get_type(rr)) { switch (SSL3_RECORD_get_type(rr)) {
default: default:
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); SSL_R_UNEXPECTED_RECORD);
goto f_err; return -1;
case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_CHANGE_CIPHER_SPEC:
case SSL3_RT_ALERT: case SSL3_RT_ALERT:
case SSL3_RT_HANDSHAKE: case SSL3_RT_HANDSHAKE:
...@@ -702,9 +717,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -702,9 +717,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
* SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but
* that should not happen when type != rr->type * that should not happen when type != rr->type
*/ */
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; return -1;
case SSL3_RT_APPLICATION_DATA: case SSL3_RT_APPLICATION_DATA:
/* /*
* At this point, we were expecting handshake data, but have * At this point, we were expecting handshake data, but have
...@@ -719,16 +734,12 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ...@@ -719,16 +734,12 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
s->s3->in_read_app_data = 2; s->s3->in_read_app_data = 2;
return -1; return -1;
} else { } else {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES,
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); SSL_R_UNEXPECTED_RECORD);
goto f_err; return -1;
} }
} }
/* not reached */ /* not reached */
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return -1;
} }
/* /*
...@@ -940,7 +951,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, ...@@ -940,7 +951,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
s->rlayer.wpend_type = type; s->rlayer.wpend_type = type;
s->rlayer.wpend_ret = len; s->rlayer.wpend_ret = len;
/* we now just need to write the buffer */ /* we now just need to write the buffer. Calls SSLfatal() as required. */
return ssl3_write_pending(s, type, buf, len, written); return ssl3_write_pending(s, type, buf, len, written);
err: err:
return -1; return -1;
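Review bot: In dtls1_process_buffered_records the new `ossl_statem_in_error(s)` branch returns -1, while the two other fatal exits of the same function (after the epoch check and after the failed dtls1_buffer_record call) return 0. The callers are not shown on this page; if any of them tests the result with `!`, the -1 would be read as success and processing would continue on a connection already marked failed, so `return 0;` looks like the consistent value here. Separately, in dtls1_buffer_record the pqueue_insert failure is now raised as `SSL_AD_INTERNAL_ERROR` although the comment above it says duplicates are dropped; if a duplicate sequence number can make the insert return NULL, a repeated datagram would end the connection, and freeing the item without calling SSLfatal() may be the safer handling. The comment `/* SSLfatal) already called */` in dtls1_read_bytes is missing its opening parenthesis. All three functions extend beyond the hunks shown.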
......
...@@ -360,7 +360,8 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, ...@@ -360,7 +360,8 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
*/ */
if ((len < s->rlayer.wnum) if ((len < s->rlayer.wnum)
|| ((wb->left != 0) && (len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) { || ((wb->left != 0) && (len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) {
SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES,
SSL_R_BAD_LENGTH);
return -1; return -1;
} }
...@@ -380,10 +381,10 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, ...@@ -380,10 +381,10 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s) if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s)
&& s->early_data_state != SSL_EARLY_DATA_UNAUTH_WRITING) { && s->early_data_state != SSL_EARLY_DATA_UNAUTH_WRITING) {
i = s->handshake_func(s); i = s->handshake_func(s);
/* SSLfatal() already called */
if (i < 0) if (i < 0)
return i; return i;
if (i == 0) { if (i == 0) {
SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
return -1; return -1;
} }
} }
...@@ -393,6 +394,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, ...@@ -393,6 +394,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
* will happen with non blocking IO * will happen with non blocking IO
*/ */
if (wb->left != 0) { if (wb->left != 0) {
/* SSLfatal() already called if appropriate */
i = ssl3_write_pending(s, type, &buf[tot], s->rlayer.wpend_tot, i = ssl3_write_pending(s, type, &buf[tot], s->rlayer.wpend_tot,
&tmpwrit); &tmpwrit);
if (i <= 0) { if (i <= 0) {
...@@ -437,7 +439,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, ...@@ -437,7 +439,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
packlen *= 4; packlen *= 4;
if (!ssl3_setup_write_buffer(s, 1, packlen)) { if (!ssl3_setup_write_buffer(s, 1, packlen)) {
SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_MALLOC_FAILURE); /* SSLfatal() already called */
return -1; return -1;
} }
} else if (tot == len) { /* done? */ } else if (tot == len) { /* done? */
...@@ -458,6 +460,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, ...@@ -458,6 +460,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
if (s->s3->alert_dispatch) { if (s->s3->alert_dispatch) {
i = s->method->ssl_dispatch_alert(s); i = s->method->ssl_dispatch_alert(s);
if (i <= 0) { if (i <= 0) {
/* SSLfatal() already called if appropriate */
s->rlayer.wnum = tot; s->rlayer.wnum = tot;
return i; return i;
} }
...@@ -513,6 +516,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, ...@@ -513,6 +516,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
i = ssl3_write_pending(s, type, &buf[tot], nw, &tmpwrit); i = ssl3_write_pending(s, type, &buf[tot], nw, &tmpwrit);
if (i <= 0) { if (i <= 0) {
/* SSLfatal() already called if appropriate */
if (i < 0 && (!s->wbio || !BIO_should_retry(s->wbio))) { if (i < 0 && (!s->wbio || !BIO_should_retry(s->wbio))) {
/* free jumbo buffer */ /* free jumbo buffer */
ssl3_release_write_buffer(s); ssl3_release_write_buffer(s);
...@@ -555,7 +559,8 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, ...@@ -555,7 +559,8 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
* We should have prevented this when we set max_pipelines so we * We should have prevented this when we set max_pipelines so we
* shouldn't get here * shouldn't get here
*/ */
SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES,
ERR_R_INTERNAL_ERROR);
return -1; return -1;
} }
if (maxpipes == 0 if (maxpipes == 0
...@@ -570,7 +575,8 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, ...@@ -570,7 +575,8 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
* We should have prevented this when we set/get the split and max send * We should have prevented this when we set/get the split and max send
* fragments so we shouldn't get here * fragments so we shouldn't get here
*/ */
SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES,
ERR_R_INTERNAL_ERROR);
return -1; return -1;
} }
...@@ -607,6 +613,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, ...@@ -607,6 +613,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
i = do_ssl3_write(s, type, &(buf[tot]), pipelens, numpipes, 0, i = do_ssl3_write(s, type, &(buf[tot]), pipelens, numpipes, 0,
&tmpwrit); &tmpwrit);
if (i <= 0) { if (i <= 0) {
/* SSLfatal() already called if appropriate */
/* XXX should we ssl3_release_write_buffer if i<0? */ /* XXX should we ssl3_release_write_buffer if i<0? */
s->rlayer.wnum = tot; s->rlayer.wnum = tot;
return i; return i;
...@@ -658,20 +665,27 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -658,20 +665,27 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
* first check if there is a SSL3_BUFFER still being written out. This * first check if there is a SSL3_BUFFER still being written out. This
* will happen with non blocking IO * will happen with non blocking IO
*/ */
if (RECORD_LAYER_write_pending(&s->rlayer)) if (RECORD_LAYER_write_pending(&s->rlayer)) {
/* Calls SSLfatal() as required */
return ssl3_write_pending(s, type, buf, totlen, written); return ssl3_write_pending(s, type, buf, totlen, written);
}
/* If we have an alert to send, lets send it */ /* If we have an alert to send, lets send it */
if (s->s3->alert_dispatch) { if (s->s3->alert_dispatch) {
i = s->method->ssl_dispatch_alert(s); i = s->method->ssl_dispatch_alert(s);
if (i <= 0) if (i <= 0) {
/* SSLfatal() already called if appropriate */
return i; return i;
}
/* if it went, fall through and send more stuff */ /* if it went, fall through and send more stuff */
} }
if (s->rlayer.numwpipes < numpipes) if (s->rlayer.numwpipes < numpipes) {
if (!ssl3_setup_write_buffer(s, numpipes, 0)) if (!ssl3_setup_write_buffer(s, numpipes, 0)) {
/* SSLfatal() already called */
return -1; return -1;
}
}
if (totlen == 0 && !create_empty_fragment) if (totlen == 0 && !create_empty_fragment)
return 0; return 0;
...@@ -685,8 +699,11 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -685,8 +699,11 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
} else { } else {
/* TODO(siz_t): Convert me */ /* TODO(siz_t): Convert me */
mac_size = EVP_MD_CTX_size(s->write_hash); mac_size = EVP_MD_CTX_size(s->write_hash);
if (mac_size < 0) if (mac_size < 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
} }
/* /*
...@@ -709,13 +726,16 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -709,13 +726,16 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
int ret; int ret;
ret = do_ssl3_write(s, type, buf, &tmppipelen, 1, 1, &prefix_len); ret = do_ssl3_write(s, type, buf, &tmppipelen, 1, 1, &prefix_len);
if (ret <= 0) if (ret <= 0) {
/* SSLfatal() already called if appropriate */
goto err; goto err;
}
if (prefix_len > if (prefix_len >
(SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) { (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) {
/* insufficient space */ /* insufficient space */
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
} }
...@@ -738,7 +758,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -738,7 +758,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
if (!WPACKET_init_static_len(&pkt[0], SSL3_BUFFER_get_buf(wb), if (!WPACKET_init_static_len(&pkt[0], SSL3_BUFFER_get_buf(wb),
SSL3_BUFFER_get_len(wb), 0) SSL3_BUFFER_get_len(wb), 0)
|| !WPACKET_allocate_bytes(&pkt[0], align, NULL)) { || !WPACKET_allocate_bytes(&pkt[0], align, NULL)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
wpinited = 1; wpinited = 1;
...@@ -749,7 +770,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -749,7 +770,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
SSL3_BUFFER_get_len(wb), 0) SSL3_BUFFER_get_len(wb), 0)
|| !WPACKET_allocate_bytes(&pkt[0], SSL3_BUFFER_get_offset(wb) || !WPACKET_allocate_bytes(&pkt[0], SSL3_BUFFER_get_offset(wb)
+ prefix_len, NULL)) { + prefix_len, NULL)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
wpinited = 1; wpinited = 1;
...@@ -766,7 +788,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -766,7 +788,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
if (!WPACKET_init_static_len(thispkt, SSL3_BUFFER_get_buf(wb), if (!WPACKET_init_static_len(thispkt, SSL3_BUFFER_get_buf(wb),
SSL3_BUFFER_get_len(wb), 0) SSL3_BUFFER_get_len(wb), 0)
|| !WPACKET_allocate_bytes(thispkt, align, NULL)) { || !WPACKET_allocate_bytes(thispkt, align, NULL)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
wpinited++; wpinited++;
...@@ -831,7 +854,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -831,7 +854,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
|| (maxcomplen > 0 || (maxcomplen > 0
&& !WPACKET_reserve_bytes(thispkt, maxcomplen, && !WPACKET_reserve_bytes(thispkt, maxcomplen,
&compressdata))) { &compressdata))) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -850,12 +874,14 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -850,12 +874,14 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
if (s->compress != NULL) { if (s->compress != NULL) {
if (!ssl3_do_compress(s, thiswr) if (!ssl3_do_compress(s, thiswr)
|| !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) { || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) {
SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
SSL_R_COMPRESSION_FAILURE);
goto err; goto err;
} }
} else { } else {
if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) { if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
SSL3_RECORD_reset_input(&wr[j]); SSL3_RECORD_reset_input(&wr[j]);
...@@ -865,7 +891,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -865,7 +891,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
size_t rlen, max_send_fragment; size_t rlen, max_send_fragment;
if (!WPACKET_put_bytes_u8(thispkt, type)) { if (!WPACKET_put_bytes_u8(thispkt, type)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
SSL3_RECORD_add_length(thiswr, 1); SSL3_RECORD_add_length(thiswr, 1);
...@@ -898,7 +925,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -898,7 +925,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
if (padding > max_padding) if (padding > max_padding)
padding = max_padding; padding = max_padding;
if (!WPACKET_memset(thispkt, 0, padding)) { if (!WPACKET_memset(thispkt, 0, padding)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
SSL3_RECORD_add_length(thiswr, padding); SSL3_RECORD_add_length(thiswr, padding);
...@@ -917,7 +945,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -917,7 +945,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
|| !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) { || !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
} }
...@@ -934,7 +963,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -934,7 +963,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
* sub-packet * sub-packet
*/ */
|| !WPACKET_get_length(thispkt, &len)) { || !WPACKET_get_length(thispkt, &len)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -952,11 +982,17 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -952,11 +982,17 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
* We haven't actually negotiated the version yet, but we're trying to * We haven't actually negotiated the version yet, but we're trying to
* send early data - so we need to use the tls13enc function. * send early data - so we need to use the tls13enc function.
*/ */
if (tls13_enc(s, wr, numpipes, 1) < 1) if (tls13_enc(s, wr, numpipes, 1) < 1) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
} else { } else {
if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1) if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
} }
for (j = 0; j < numpipes; j++) { for (j = 0; j < numpipes; j++) {
...@@ -972,7 +1008,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -972,7 +1008,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
|| (thiswr->length > origlen || (thiswr->length > origlen
&& !WPACKET_allocate_bytes(thispkt, && !WPACKET_allocate_bytes(thispkt,
thiswr->length - origlen, NULL))) { thiswr->length - origlen, NULL))) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
if (SSL_WRITE_ETM(s) && mac_size != 0) { if (SSL_WRITE_ETM(s) && mac_size != 0) {
...@@ -980,7 +1017,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -980,7 +1017,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
|| !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) { || !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
SSL3_RECORD_add_length(thiswr, mac_size); SSL3_RECORD_add_length(thiswr, mac_size);
...@@ -988,7 +1026,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -988,7 +1026,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
if (!WPACKET_get_length(thispkt, &len) if (!WPACKET_get_length(thispkt, &len)
|| !WPACKET_close(thispkt)) { || !WPACKET_close(thispkt)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -1008,7 +1047,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -1008,7 +1047,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
} }
if (!WPACKET_finish(thispkt)) { if (!WPACKET_finish(thispkt)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -1027,7 +1067,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -1027,7 +1067,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
*/ */
if (j > 0) { if (j > 0) {
/* We should never be pipelining an empty fragment!! */ /* We should never be pipelining an empty fragment!! */
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
*written = SSL3_RECORD_get_length(thiswr); *written = SSL3_RECORD_get_length(thiswr);
...@@ -1072,7 +1113,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, ...@@ -1072,7 +1113,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len,
|| ((s->rlayer.wpend_buf != buf) && || ((s->rlayer.wpend_buf != buf) &&
!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
|| (s->rlayer.wpend_type != type)) { || (s->rlayer.wpend_type != type)) {
SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_PENDING,
SSL_R_BAD_WRITE_RETRY);
return -1; return -1;
} }
...@@ -1094,7 +1136,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, ...@@ -1094,7 +1136,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len,
if (i >= 0) if (i >= 0)
tmpwrit = i; tmpwrit = i;
} else { } else {
SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BIO_NOT_SET); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_PENDING,
SSL_R_BIO_NOT_SET);
i = -1; i = -1;
} }
if (i > 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) { if (i > 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) {
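Review bot: In do_ssl3_write the new SSLfatal() calls after `tls13_enc(s, wr, numpipes, 1) < 1` and `s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1` are unconditional, whereas other callee failures in this commit are annotated `/* SSLfatal() already called */` and left alone. Whether the enc routines raise their own fatal error is not visible here; if they do, or are converted later, the caller would report a second, generic internal error on top of the specific one. Guarding each call with `if (!ossl_statem_in_error(s))` around `SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);` keeps one alert and one error reason per failure, using the same check this commit already relies on in dtls1_process_buffered_records. The same question applies to the `ssl3_enc->mac` failures in this function. do_ssl3_write starts and ends outside the hunks shown.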
......
...@@ -1518,7 +1518,7 @@ int ssl3_cbc_copy_mac(unsigned char *out, ...@@ -1518,7 +1518,7 @@ int ssl3_cbc_copy_mac(unsigned char *out,
int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
{ {
int i, al; int i;
int enc_err; int enc_err;
SSL_SESSION *sess; SSL_SESSION *sess;
SSL3_RECORD *rr; SSL3_RECORD *rr;
...@@ -1549,9 +1549,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) ...@@ -1549,9 +1549,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
/* check is not needed I believe */ /* check is not needed I believe */
if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
al = SSL_AD_RECORD_OVERFLOW; SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
goto f_err; return 0;
} }
/* decrypt in place in 'rr->input' */ /* decrypt in place in 'rr->input' */
...@@ -1562,23 +1562,22 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) ...@@ -1562,23 +1562,22 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
unsigned char *mac; unsigned char *mac;
mac_size = EVP_MD_CTX_size(s->read_hash); mac_size = EVP_MD_CTX_size(s->read_hash);
if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; return 0;
} }
if (rr->orig_len < mac_size) { if (rr->orig_len < mac_size) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); SSL_R_LENGTH_TOO_SHORT);
goto f_err; return 0;
} }
rr->length -= mac_size; rr->length -= mac_size;
mac = rr->data + rr->length; mac = rr->data + rr->length;
i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ );
if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) {
al = SSL_AD_BAD_RECORD_MAC; SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_DTLS1_PROCESS_RECORD,
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,
SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
goto f_err; return 0;
} }
} }
...@@ -1593,7 +1592,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) ...@@ -1593,7 +1592,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
/* For DTLS we simply ignore bad packets. */ /* For DTLS we simply ignore bad packets. */
rr->length = 0; rr->length = 0;
RECORD_LAYER_reset_packet_length(&s->rlayer); RECORD_LAYER_reset_packet_length(&s->rlayer);
goto err; return 0;
} }
#ifdef SSL_DEBUG #ifdef SSL_DEBUG
printf("dec %ld\n", rr->length); printf("dec %ld\n", rr->length);
...@@ -1615,15 +1614,15 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) ...@@ -1615,15 +1614,15 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
/* TODO(size_t): Convert this to do size_t properly */ /* TODO(size_t): Convert this to do size_t properly */
imac_size = EVP_MD_CTX_size(s->read_hash); imac_size = EVP_MD_CTX_size(s->read_hash);
if (imac_size < 0) { if (imac_size < 0) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_LIB_EVP); ERR_LIB_EVP);
goto f_err; return 0;
} }
mac_size = (size_t)imac_size; mac_size = (size_t)imac_size;
if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; return 0;
} }
/* /*
...@@ -1636,9 +1635,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) ...@@ -1636,9 +1635,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
/* CBC records must have a padding length byte too. */ /* CBC records must have a padding length byte too. */
(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
rr->orig_len < mac_size + 1)) { rr->orig_len < mac_size + 1)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); SSL_R_LENGTH_TOO_SHORT);
goto f_err; return 0;
} }
if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
...@@ -1650,9 +1649,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) ...@@ -1650,9 +1649,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
*/ */
mac = mac_tmp; mac = mac_tmp;
if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) { if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD,
SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; return 0;
} }
rr->length -= mac_size; rr->length -= mac_size;
} else { } else {
...@@ -1677,28 +1676,27 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) ...@@ -1677,28 +1676,27 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
/* decryption failed, silently discard message */ /* decryption failed, silently discard message */
rr->length = 0; rr->length = 0;
RECORD_LAYER_reset_packet_length(&s->rlayer); RECORD_LAYER_reset_packet_length(&s->rlayer);
goto err; return 0;
} }
/* r->length is now just compressed */ /* r->length is now just compressed */
if (s->expand != NULL) { if (s->expand != NULL) {
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
al = SSL_AD_RECORD_OVERFLOW; SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
SSL_R_COMPRESSED_LENGTH_TOO_LONG); return 0;
goto f_err;
} }
if (!ssl3_do_uncompress(s, rr)) { if (!ssl3_do_uncompress(s, rr)) {
al = SSL_AD_DECOMPRESSION_FAILURE; SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE,
SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
goto f_err; return 0;
} }
} }
if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
al = SSL_AD_RECORD_OVERFLOW; SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); SSL_R_DATA_LENGTH_TOO_LONG);
goto f_err; return 0;
} }
rr->off = 0; rr->off = 0;
...@@ -1718,11 +1716,6 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) ...@@ -1718,11 +1716,6 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
dtls1_record_bitmap_update(s, bitmap); dtls1_record_bitmap_update(s, bitmap);
return 1; return 1;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err:
return 0;
} }
/* /*
...@@ -1760,8 +1753,10 @@ int dtls1_get_record(SSL *s) ...@@ -1760,8 +1753,10 @@ int dtls1_get_record(SSL *s)
* The epoch may have changed. If so, process all the pending records. * The epoch may have changed. If so, process all the pending records.
* This is a non-blocking operation. * This is a non-blocking operation.
*/ */
if (!dtls1_process_buffered_records(s)) if (!dtls1_process_buffered_records(s)) {
/* SSLfatal() already called */
return -1; return -1;
}
/* if we're renegotiating, then there may be buffered records */ /* if we're renegotiating, then there may be buffered records */
if (dtls1_get_processed_record(s)) if (dtls1_get_processed_record(s))
...@@ -1775,8 +1770,10 @@ int dtls1_get_record(SSL *s) ...@@ -1775,8 +1770,10 @@ int dtls1_get_record(SSL *s)
rret = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, rret = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1, &n); SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1, &n);
/* read timeout is handled by dtls1_read_bytes */ /* read timeout is handled by dtls1_read_bytes */
if (rret <= 0) if (rret <= 0) {
/* SSLfatal() already called if appropriate */
return rret; /* error or non-blocking */ return rret; /* error or non-blocking */
}
/* this packet contained a partial record, dump it */ /* this packet contained a partial record, dump it */
if (RECORD_LAYER_get_packet_length(&s->rlayer) != if (RECORD_LAYER_get_packet_length(&s->rlayer) !=
...@@ -1852,6 +1849,10 @@ int dtls1_get_record(SSL *s) ...@@ -1852,6 +1849,10 @@ int dtls1_get_record(SSL *s)
rret = ssl3_read_n(s, more, more, 1, 1, &n); rret = ssl3_read_n(s, more, more, 1, 1, &n);
/* this packet contained a partial record, dump it */ /* this packet contained a partial record, dump it */
if (rret <= 0 || n != more) { if (rret <= 0 || n != more) {
if (ossl_statem_in_error(s)) {
/* ssl3_read_n() called SSLfatal() */
return -1;
}
rr->length = 0; rr->length = 0;
RECORD_LAYER_reset_packet_length(&s->rlayer); RECORD_LAYER_reset_packet_length(&s->rlayer);
goto again; goto again;
...@@ -1901,10 +1902,12 @@ int dtls1_get_record(SSL *s) ...@@ -1901,10 +1902,12 @@ int dtls1_get_record(SSL *s)
*/ */
if (is_next_epoch) { if (is_next_epoch) {
if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) { if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) {
if (dtls1_buffer_record if (dtls1_buffer_record (s,
(s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)), &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
rr->seq_num) < 0) rr->seq_num) < 0) {
/* SSLfatal() already called */
return -1; return -1;
}
} }
rr->length = 0; rr->length = 0;
RECORD_LAYER_reset_packet_length(&s->rlayer); RECORD_LAYER_reset_packet_length(&s->rlayer);
...@@ -1912,6 +1915,10 @@ int dtls1_get_record(SSL *s) ...@@ -1912,6 +1915,10 @@ int dtls1_get_record(SSL *s)
} }
if (!dtls1_process_record(s, bitmap)) { if (!dtls1_process_record(s, bitmap)) {
if (ossl_statem_in_error(s)) {
/* dtls1_process_record() called SSLfatal */
return -1;
}
rr->length = 0; rr->length = 0;
RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
goto again; /* get another record */ goto again; /* get another record */
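Review bot: The first MAC check in dtls1_process_record (the `CRYPTO_memcmp(md, mac, (size_t)mac_size)` branch) now calls SSLfatal() with SSL_AD_BAD_RECORD_MAC, and dtls1_get_record returns -1 once `ossl_statem_in_error(s)` is true, so one datagram with a bad MAC appears to end the connection instead of being dropped. The other failure paths in the same function keep the behaviour their comments describe ("For DTLS we simply ignore bad packets", "decryption failed, silently discard message") and return 0 without SSLfatal(). A DTLS record is not authenticated until this check passes, so I would make this branch discard as well: `rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); return 0;`. The condition enclosing this branch is outside the visible hunk, so which cipher modes reach it needs confirming.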
......
...@@ -944,7 +944,7 @@ int dtls1_read_failed(SSL *s, int code) ...@@ -944,7 +944,7 @@ int dtls1_read_failed(SSL *s, int code)
return 0; return 0;
} }
if (!dtls1_is_timer_expired(s)) { if (!dtls1_is_timer_expired(s) || ossl_statem_in_error(s)) {
/* /*
* not a timeout, none of our business, let higher layers handle * not a timeout, none of our business, let higher layers handle
* this. in fact it's probably an error * this. in fact it's probably an error
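Review bot: The comment under the changed condition in dtls1_read_failed still says only "not a timeout, none of our business", but the branch is now also taken when `ossl_statem_in_error(s)` is true, even if the timer has expired. I would add a line to it such as `* (or the state machine is already in error after SSLfatal())` so the second reason for taking this path is documented. The branch body and the rest of the function are outside the hunk, so the wording should be checked against what the branch actually returns.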
......