Home | History | Annotate | Download | only in ssl
      1 /* ssl/s3_both.c */
      2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      3  * All rights reserved.
      4  *
      5  * This package is an SSL implementation written
      6  * by Eric Young (eay (at) cryptsoft.com).
      7  * The implementation was written so as to conform with Netscapes SSL.
      8  *
      9  * This library is free for commercial and non-commercial use as long as
     10  * the following conditions are aheared to.  The following conditions
     11  * apply to all code found in this distribution, be it the RC4, RSA,
     12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     13  * included with this distribution is covered by the same copyright terms
     14  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     15  *
     16  * Copyright remains Eric Young's, and as such any Copyright notices in
     17  * the code are not to be removed.
     18  * If this package is used in a product, Eric Young should be given attribution
     19  * as the author of the parts of the library used.
     20  * This can be in the form of a textual message at program startup or
     21  * in documentation (online or textual) provided with the package.
     22  *
     23  * Redistribution and use in source and binary forms, with or without
     24  * modification, are permitted provided that the following conditions
     25  * are met:
     26  * 1. Redistributions of source code must retain the copyright
     27  *    notice, this list of conditions and the following disclaimer.
     28  * 2. Redistributions in binary form must reproduce the above copyright
     29  *    notice, this list of conditions and the following disclaimer in the
     30  *    documentation and/or other materials provided with the distribution.
     31  * 3. All advertising materials mentioning features or use of this software
     32  *    must display the following acknowledgement:
     33  *    "This product includes cryptographic software written by
     34  *     Eric Young (eay (at) cryptsoft.com)"
     35  *    The word 'cryptographic' can be left out if the rouines from the library
     36  *    being used are not cryptographic related :-).
     37  * 4. If you include any Windows specific code (or a derivative thereof) from
     38  *    the apps directory (application code) you must include an acknowledgement:
     39  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     40  *
     41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     51  * SUCH DAMAGE.
     52  *
     53  * The licence and distribution terms for any publically available version or
     54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     55  * copied and put under another distribution licence
     56  * [including the GNU Public Licence.]
     57  */
     58 /* ====================================================================
     59  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
     60  *
     61  * Redistribution and use in source and binary forms, with or without
     62  * modification, are permitted provided that the following conditions
     63  * are met:
     64  *
     65  * 1. Redistributions of source code must retain the above copyright
     66  *    notice, this list of conditions and the following disclaimer.
     67  *
     68  * 2. Redistributions in binary form must reproduce the above copyright
     69  *    notice, this list of conditions and the following disclaimer in
     70  *    the documentation and/or other materials provided with the
     71  *    distribution.
     72  *
     73  * 3. All advertising materials mentioning features or use of this
     74  *    software must display the following acknowledgment:
     75  *    "This product includes software developed by the OpenSSL Project
     76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
     77  *
     78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     79  *    endorse or promote products derived from this software without
     80  *    prior written permission. For written permission, please contact
     81  *    openssl-core (at) openssl.org.
     82  *
     83  * 5. Products derived from this software may not be called "OpenSSL"
     84  *    nor may "OpenSSL" appear in their names without prior written
     85  *    permission of the OpenSSL Project.
     86  *
     87  * 6. Redistributions of any form whatsoever must retain the following
     88  *    acknowledgment:
     89  *    "This product includes software developed by the OpenSSL Project
     90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
     91  *
     92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    103  * OF THE POSSIBILITY OF SUCH DAMAGE.
    104  * ====================================================================
    105  *
    106  * This product includes cryptographic software written by Eric Young
    107  * (eay (at) cryptsoft.com).  This product includes software written by Tim
    108  * Hudson (tjh (at) cryptsoft.com).
    109  *
    110  */
    111 /* ====================================================================
    112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
    113  * ECC cipher suite support in OpenSSL originally developed by
    114  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
    115  */
    116 
    117 #include <limits.h>
    118 #include <string.h>
    119 #include <stdio.h>
    120 #include "ssl_locl.h"
    121 #include <openssl/buffer.h>
    122 #include <openssl/rand.h>
    123 #include <openssl/objects.h>
    124 #include <openssl/evp.h>
    125 #include <openssl/x509.h>
    126 
    127 /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
    128 int ssl3_do_write(SSL *s, int type)
    129 	{
    130 	int ret;
    131 
    132 	ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
    133 	                     s->init_num);
    134 	if (ret < 0) return(-1);
    135 	if (type == SSL3_RT_HANDSHAKE)
    136 		/* should not be done for 'Hello Request's, but in that case
    137 		 * we'll ignore the result anyway */
    138 		ssl3_finish_mac(s,(unsigned char *)&s->init_buf->data[s->init_off],ret);
    139 
    140 	if (ret == s->init_num)
    141 		{
    142 		if (s->msg_callback)
    143 			s->msg_callback(1, s->version, type, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg);
    144 		return(1);
    145 		}
    146 	s->init_off+=ret;
    147 	s->init_num-=ret;
    148 	return(0);
    149 	}
    150 
    151 int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
    152 	{
    153 	unsigned char *p,*d;
    154 	int i;
    155 	unsigned long l;
    156 
    157 	if (s->state == a)
    158 		{
    159 		d=(unsigned char *)s->init_buf->data;
    160 		p= &(d[4]);
    161 
    162 		i=s->method->ssl3_enc->final_finish_mac(s,
    163 			sender,slen,s->s3->tmp.finish_md);
    164 		s->s3->tmp.finish_md_len = i;
    165 		memcpy(p, s->s3->tmp.finish_md, i);
    166 		p+=i;
    167 		l=i;
    168 
    169                 /* Copy the finished so we can use it for
    170                    renegotiation checks */
    171                 if(s->type == SSL_ST_CONNECT)
    172                         {
    173                          OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
    174                          memcpy(s->s3->previous_client_finished,
    175                              s->s3->tmp.finish_md, i);
    176                          s->s3->previous_client_finished_len=i;
    177                         }
    178                 else
    179                         {
    180                         OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
    181                         memcpy(s->s3->previous_server_finished,
    182                             s->s3->tmp.finish_md, i);
    183                         s->s3->previous_server_finished_len=i;
    184                         }
    185 
    186 #ifdef OPENSSL_SYS_WIN16
    187 		/* MSVC 1.5 does not clear the top bytes of the word unless
    188 		 * I do this.
    189 		 */
    190 		l&=0xffff;
    191 #endif
    192 
    193 		*(d++)=SSL3_MT_FINISHED;
    194 		l2n3(l,d);
    195 		s->init_num=(int)l+4;
    196 		s->init_off=0;
    197 
    198 		s->state=b;
    199 		}
    200 
    201 	/* SSL3_ST_SEND_xxxxxx_HELLO_B */
    202 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
    203 	}
    204 
    205 #ifndef OPENSSL_NO_NEXTPROTONEG
    206 /* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */
    207 static void ssl3_take_mac(SSL *s)
    208 	{
    209 	const char *sender;
    210 	int slen;
    211 
    212 	if (s->state & SSL_ST_CONNECT)
    213 		{
    214 		sender=s->method->ssl3_enc->server_finished_label;
    215 		slen=s->method->ssl3_enc->server_finished_label_len;
    216 		}
    217 	else
    218 		{
    219 		sender=s->method->ssl3_enc->client_finished_label;
    220 		slen=s->method->ssl3_enc->client_finished_label_len;
    221 		}
    222 
    223 	s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
    224 		sender,slen,s->s3->tmp.peer_finish_md);
    225 	}
    226 #endif
    227 
    228 int ssl3_get_finished(SSL *s, int a, int b)
    229 	{
    230 	int al,i,ok;
    231 	long n;
    232 	unsigned char *p;
    233 
    234 #ifdef OPENSSL_NO_NEXTPROTONEG
    235 	/* the mac has already been generated when we received the
    236 	 * change cipher spec message and is in s->s3->tmp.peer_finish_md.
    237 	 */
    238 #endif
    239 
    240 	n=s->method->ssl_get_message(s,
    241 		a,
    242 		b,
    243 		SSL3_MT_FINISHED,
    244 		64, /* should actually be 36+4 :-) */
    245 		&ok);
    246 
    247 	if (!ok) return((int)n);
    248 
    249 	/* If this occurs, we have missed a message */
    250 	if (!s->s3->change_cipher_spec)
    251 		{
    252 		al=SSL_AD_UNEXPECTED_MESSAGE;
    253 		SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_GOT_A_FIN_BEFORE_A_CCS);
    254 		goto f_err;
    255 		}
    256 	s->s3->change_cipher_spec=0;
    257 
    258 	p = (unsigned char *)s->init_msg;
    259 	i = s->s3->tmp.peer_finish_md_len;
    260 
    261 	if (i != n)
    262 		{
    263 		al=SSL_AD_DECODE_ERROR;
    264 		SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_BAD_DIGEST_LENGTH);
    265 		goto f_err;
    266 		}
    267 
    268 	if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
    269 		{
    270 		al=SSL_AD_DECRYPT_ERROR;
    271 		SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
    272 		goto f_err;
    273 		}
    274 
    275         /* Copy the finished so we can use it for
    276            renegotiation checks */
    277         if(s->type == SSL_ST_ACCEPT)
    278                 {
    279                 OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
    280                 memcpy(s->s3->previous_client_finished,
    281                     s->s3->tmp.peer_finish_md, i);
    282                 s->s3->previous_client_finished_len=i;
    283                 }
    284         else
    285                 {
    286                 OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
    287                 memcpy(s->s3->previous_server_finished,
    288                     s->s3->tmp.peer_finish_md, i);
    289                 s->s3->previous_server_finished_len=i;
    290                 }
    291 
    292 	return(1);
    293 f_err:
    294 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
    295 	return(0);
    296 	}
    297 
    298 /* for these 2 messages, we need to
    299  * ssl->enc_read_ctx			re-init
    300  * ssl->s3->read_sequence		zero
    301  * ssl->s3->read_mac_secret		re-init
    302  * ssl->session->read_sym_enc		assign
    303  * ssl->session->read_compression	assign
    304  * ssl->session->read_hash		assign
    305  */
    306 int ssl3_send_change_cipher_spec(SSL *s, int a, int b)
    307 	{
    308 	unsigned char *p;
    309 
    310 	if (s->state == a)
    311 		{
    312 		p=(unsigned char *)s->init_buf->data;
    313 		*p=SSL3_MT_CCS;
    314 		s->init_num=1;
    315 		s->init_off=0;
    316 
    317 		s->state=b;
    318 		}
    319 
    320 	/* SSL3_ST_CW_CHANGE_B */
    321 	return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
    322 	}
    323 
    324 static int ssl3_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
    325 	{
    326 	int n;
    327 	unsigned char *p;
    328 
    329 	n=i2d_X509(x,NULL);
    330 	if (!BUF_MEM_grow_clean(buf,(int)(n+(*l)+3)))
    331 		{
    332 		SSLerr(SSL_F_SSL3_ADD_CERT_TO_BUF,ERR_R_BUF_LIB);
    333 		return(-1);
    334 		}
    335 	p=(unsigned char *)&(buf->data[*l]);
    336 	l2n3(n,p);
    337 	i2d_X509(x,&p);
    338 	*l+=n+3;
    339 
    340 	return(0);
    341 	}
    342 
    343 unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
    344 	{
    345 	unsigned char *p;
    346 	int i;
    347 	unsigned long l=7;
    348 	BUF_MEM *buf;
    349 	int no_chain;
    350 	STACK_OF(X509) *cert_chain;
    351 
    352 	cert_chain = SSL_get_certificate_chain(s, x);
    353 
    354 	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs || cert_chain)
    355 		no_chain = 1;
    356 	else
    357 		no_chain = 0;
    358 
    359 	/* TLSv1 sends a chain with nothing in it, instead of an alert */
    360 	buf=s->init_buf;
    361 	if (!BUF_MEM_grow_clean(buf,10))
    362 		{
    363 		SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
    364 		return(0);
    365 		}
    366 	if (x != NULL)
    367 		{
    368 		if (no_chain)
    369 			{
    370 			if (ssl3_add_cert_to_buf(buf, &l, x))
    371 				return(0);
    372 			}
    373 		else
    374 			{
    375 			X509_STORE_CTX xs_ctx;
    376 
    377 			if (!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,x,NULL))
    378 				{
    379 				SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
    380 				return(0);
    381 				}
    382 			X509_verify_cert(&xs_ctx);
    383 			/* Don't leave errors in the queue */
    384 			ERR_clear_error();
    385 			for (i=0; i < sk_X509_num(xs_ctx.chain); i++)
    386 				{
    387 				x = sk_X509_value(xs_ctx.chain, i);
    388 
    389 				if (ssl3_add_cert_to_buf(buf, &l, x))
    390 					{
    391 					X509_STORE_CTX_cleanup(&xs_ctx);
    392 					return 0;
    393 					}
    394 				}
    395 			X509_STORE_CTX_cleanup(&xs_ctx);
    396 			}
    397 		}
    398 	/* Thawte special :-) */
    399 	for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++)
    400 		{
    401 		x=sk_X509_value(s->ctx->extra_certs,i);
    402 		if (ssl3_add_cert_to_buf(buf, &l, x))
    403 			return(0);
    404 		}
    405 
    406 	for (i=0; i<sk_X509_num(cert_chain); i++)
    407 		if (ssl3_add_cert_to_buf(buf, &l, sk_X509_value(cert_chain,i)))
    408 			return(0);
    409 
    410 	l-=7;
    411 	p=(unsigned char *)&(buf->data[4]);
    412 	l2n3(l,p);
    413 	l+=3;
    414 	p=(unsigned char *)&(buf->data[0]);
    415 	*(p++)=SSL3_MT_CERTIFICATE;
    416 	l2n3(l,p);
    417 	l+=4;
    418 	return(l);
    419 	}
    420 
    421 /* Obtain handshake message of message type 'mt' (any if mt == -1),
    422  * maximum acceptable body length 'max'.
    423  * The first four bytes (msg_type and length) are read in state 'st1',
    424  * the body is read in state 'stn'.
    425  */
    426 long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
    427 	{
    428 	unsigned char *p;
    429 	unsigned long l;
    430 	long n;
    431 	int i,al;
    432 
    433 	if (s->s3->tmp.reuse_message)
    434 		{
    435 		s->s3->tmp.reuse_message=0;
    436 		if ((mt >= 0) && (s->s3->tmp.message_type != mt))
    437 			{
    438 			al=SSL_AD_UNEXPECTED_MESSAGE;
    439 			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
    440 			goto f_err;
    441 			}
    442 		*ok=1;
    443 		s->init_msg = s->init_buf->data + 4;
    444 		s->init_num = (int)s->s3->tmp.message_size;
    445 		return s->init_num;
    446 		}
    447 
    448 	p=(unsigned char *)s->init_buf->data;
    449 
    450 	if (s->state == st1) /* s->init_num < 4 */
    451 		{
    452 		int skip_message;
    453 
    454 		do
    455 			{
    456 			while (s->init_num < 4)
    457 				{
    458 				i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
    459 					&p[s->init_num],4 - s->init_num, 0);
    460 				if (i <= 0)
    461 					{
    462 					s->rwstate=SSL_READING;
    463 					*ok = 0;
    464 					return i;
    465 					}
    466 				s->init_num+=i;
    467 				}
    468 
    469 			skip_message = 0;
    470 			if (!s->server)
    471 				if (p[0] == SSL3_MT_HELLO_REQUEST)
    472 					/* The server may always send 'Hello Request' messages --
    473 					 * we are doing a handshake anyway now, so ignore them
    474 					 * if their format is correct. Does not count for
    475 					 * 'Finished' MAC. */
    476 					if (p[1] == 0 && p[2] == 0 &&p[3] == 0)
    477 						{
    478 						s->init_num = 0;
    479 						skip_message = 1;
    480 
    481 						if (s->msg_callback)
    482 							s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, 4, s, s->msg_callback_arg);
    483 						}
    484 			}
    485 		while (skip_message);
    486 
    487 		/* s->init_num == 4 */
    488 
    489 		if ((mt >= 0) && (*p != mt))
    490 			{
    491 			al=SSL_AD_UNEXPECTED_MESSAGE;
    492 			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
    493 			goto f_err;
    494 			}
    495 		if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
    496 					(st1 == SSL3_ST_SR_CERT_A) &&
    497 					(stn == SSL3_ST_SR_CERT_B))
    498 			{
    499 			/* At this point we have got an MS SGC second client
    500 			 * hello (maybe we should always allow the client to
    501 			 * start a new handshake?). We need to restart the mac.
    502 			 * Don't increment {num,total}_renegotiations because
    503 			 * we have not completed the handshake. */
    504 			ssl3_init_finished_mac(s);
    505 			}
    506 
    507 		s->s3->tmp.message_type= *(p++);
    508 
    509 		n2l3(p,l);
    510 		if (l > (unsigned long)max)
    511 			{
    512 			al=SSL_AD_ILLEGAL_PARAMETER;
    513 			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
    514 			goto f_err;
    515 			}
    516 		if (l > (INT_MAX-4)) /* BUF_MEM_grow takes an 'int' parameter */
    517 			{
    518 			al=SSL_AD_ILLEGAL_PARAMETER;
    519 			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
    520 			goto f_err;
    521 			}
    522 		if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4))
    523 			{
    524 			SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
    525 			goto err;
    526 			}
    527 		s->s3->tmp.message_size=l;
    528 		s->state=stn;
    529 
    530 		s->init_msg = s->init_buf->data + 4;
    531 		s->init_num = 0;
    532 		}
    533 
    534 	/* next state (stn) */
    535 	p = s->init_msg;
    536 	n = s->s3->tmp.message_size - s->init_num;
    537 	while (n > 0)
    538 		{
    539 		i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0);
    540 		if (i <= 0)
    541 			{
    542 			s->rwstate=SSL_READING;
    543 			*ok = 0;
    544 			return i;
    545 			}
    546 		s->init_num += i;
    547 		n -= i;
    548 		}
    549 
    550 #ifndef OPENSSL_NO_NEXTPROTONEG
    551 	/* If receiving Finished, record MAC of prior handshake messages for
    552 	 * Finished verification. */
    553 	if (*s->init_buf->data == SSL3_MT_FINISHED)
    554 		ssl3_take_mac(s);
    555 #endif
    556 
    557 	/* Feed this message into MAC computation. */
    558 	if (*(unsigned char*)s->init_buf->data != SSL3_MT_ENCRYPTED_EXTENSIONS)
    559 		ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
    560 	if (s->msg_callback)
    561 		s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg);
    562 	*ok=1;
    563 	return s->init_num;
    564 f_err:
    565 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
    566 err:
    567 	*ok=0;
    568 	return(-1);
    569 	}
    570 
    571 int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
    572 	{
    573 	EVP_PKEY *pk;
    574 	int ret= -1,i;
    575 
    576 	if (pkey == NULL)
    577 		pk=X509_get_pubkey(x);
    578 	else
    579 		pk=pkey;
    580 	if (pk == NULL) goto err;
    581 
    582 	i=pk->type;
    583 	if (i == EVP_PKEY_RSA)
    584 		{
    585 		ret=SSL_PKEY_RSA_ENC;
    586 		}
    587 	else if (i == EVP_PKEY_DSA)
    588 		{
    589 		ret=SSL_PKEY_DSA_SIGN;
    590 		}
    591 #ifndef OPENSSL_NO_EC
    592 	else if (i == EVP_PKEY_EC)
    593 		{
    594 		ret = SSL_PKEY_ECC;
    595 		}
    596 #endif
    597 	else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc)
    598 		{
    599 		ret = SSL_PKEY_GOST94;
    600 		}
    601 	else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc)
    602 		{
    603 		ret = SSL_PKEY_GOST01;
    604 		}
    605 err:
    606 	if(!pkey) EVP_PKEY_free(pk);
    607 	return(ret);
    608 	}
    609 
    610 int ssl_verify_alarm_type(long type)
    611 	{
    612 	int al;
    613 
    614 	switch(type)
    615 		{
    616 	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
    617 	case X509_V_ERR_UNABLE_TO_GET_CRL:
    618 	case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
    619 		al=SSL_AD_UNKNOWN_CA;
    620 		break;
    621 	case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
    622 	case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
    623 	case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
    624 	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
    625 	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
    626 	case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
    627 	case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
    628 	case X509_V_ERR_CERT_NOT_YET_VALID:
    629 	case X509_V_ERR_CRL_NOT_YET_VALID:
    630 	case X509_V_ERR_CERT_UNTRUSTED:
    631 	case X509_V_ERR_CERT_REJECTED:
    632 		al=SSL_AD_BAD_CERTIFICATE;
    633 		break;
    634 	case X509_V_ERR_CERT_SIGNATURE_FAILURE:
    635 	case X509_V_ERR_CRL_SIGNATURE_FAILURE:
    636 		al=SSL_AD_DECRYPT_ERROR;
    637 		break;
    638 	case X509_V_ERR_CERT_HAS_EXPIRED:
    639 	case X509_V_ERR_CRL_HAS_EXPIRED:
    640 		al=SSL_AD_CERTIFICATE_EXPIRED;
    641 		break;
    642 	case X509_V_ERR_CERT_REVOKED:
    643 		al=SSL_AD_CERTIFICATE_REVOKED;
    644 		break;
    645 	case X509_V_ERR_OUT_OF_MEM:
    646 		al=SSL_AD_INTERNAL_ERROR;
    647 		break;
    648 	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
    649 	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
    650 	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
    651 	case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
    652 	case X509_V_ERR_CERT_CHAIN_TOO_LONG:
    653 	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
    654 	case X509_V_ERR_INVALID_CA:
    655 		al=SSL_AD_UNKNOWN_CA;
    656 		break;
    657 	case X509_V_ERR_APPLICATION_VERIFICATION:
    658 		al=SSL_AD_HANDSHAKE_FAILURE;
    659 		break;
    660 	case X509_V_ERR_INVALID_PURPOSE:
    661 		al=SSL_AD_UNSUPPORTED_CERTIFICATE;
    662 		break;
    663 	default:
    664 		al=SSL_AD_CERTIFICATE_UNKNOWN;
    665 		break;
    666 		}
    667 	return(al);
    668 	}
    669 
    670 #ifndef OPENSSL_NO_BUF_FREELISTS
    671 /* On some platforms, malloc() performance is bad enough that you can't just
    672  * free() and malloc() buffers all the time, so we need to use freelists from
    673  * unused buffers.  Currently, each freelist holds memory chunks of only a
    674  * given size (list->chunklen); other sized chunks are freed and malloced.
    675  * This doesn't help much if you're using many different SSL option settings
    676  * with a given context.  (The options affecting buffer size are
    677  * max_send_fragment, read buffer vs write buffer,
    678  * SSL_OP_MICROSOFT_BIG_WRITE_BUFFER, SSL_OP_NO_COMPRESSION, and
    679  * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.)  Using a separate freelist for every
    680  * possible size is not an option, since max_send_fragment can take on many
    681  * different values.
    682  *
    683  * If you are on a platform with a slow malloc(), and you're using SSL
    684  * connections with many different settings for these options, and you need to
    685  * use the SSL_MOD_RELEASE_BUFFERS feature, you have a few options:
    686  *    - Link against a faster malloc implementation.
    687  *    - Use a separate SSL_CTX for each option set.
    688  *    - Improve this code.
    689  */
    690 static void *
    691 freelist_extract(SSL_CTX *ctx, int for_read, int sz)
    692 	{
    693 	SSL3_BUF_FREELIST *list;
    694 	SSL3_BUF_FREELIST_ENTRY *ent = NULL;
    695 	void *result = NULL;
    696 
    697 	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
    698 	list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist;
    699 	if (list != NULL && sz == (int)list->chunklen)
    700 		ent = list->head;
    701 	if (ent != NULL)
    702 		{
    703 		list->head = ent->next;
    704 		result = ent;
    705 		if (--list->len == 0)
    706 			list->chunklen = 0;
    707 		}
    708 	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
    709 	if (!result)
    710 		result = OPENSSL_malloc(sz);
    711 	return result;
    712 }
    713 
    714 static void
    715 freelist_insert(SSL_CTX *ctx, int for_read, size_t sz, void *mem)
    716 	{
    717 	SSL3_BUF_FREELIST *list;
    718 	SSL3_BUF_FREELIST_ENTRY *ent;
    719 
    720 	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
    721 	list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist;
    722 	if (list != NULL &&
    723 	    (sz == list->chunklen || list->chunklen == 0) &&
    724 	    list->len < ctx->freelist_max_len &&
    725 	    sz >= sizeof(*ent))
    726 		{
    727 		list->chunklen = sz;
    728 		ent = mem;
    729 		ent->next = list->head;
    730 		list->head = ent;
    731 		++list->len;
    732 		mem = NULL;
    733 		}
    734 
    735 	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
    736 	if (mem)
    737 		OPENSSL_free(mem);
    738 	}
    739 #else
    740 #define freelist_extract(c,fr,sz) OPENSSL_malloc(sz)
    741 #define freelist_insert(c,fr,sz,m) OPENSSL_free(m)
    742 #endif
    743 
    744 int ssl3_setup_read_buffer(SSL *s)
    745 	{
    746 	unsigned char *p;
    747 	size_t len,align=0,headerlen;
    748 
    749 	if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
    750 		headerlen = DTLS1_RT_HEADER_LENGTH;
    751 	else
    752 		headerlen = SSL3_RT_HEADER_LENGTH;
    753 
    754 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
    755 	align = (-SSL3_RT_HEADER_LENGTH)&(SSL3_ALIGN_PAYLOAD-1);
    756 #endif
    757 
    758 	if (s->s3->rbuf.buf == NULL)
    759 		{
    760 		len = SSL3_RT_MAX_PLAIN_LENGTH
    761 			+ SSL3_RT_MAX_ENCRYPTED_OVERHEAD
    762 			+ headerlen + align;
    763 		if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
    764 			{
    765 			s->s3->init_extra = 1;
    766 			len += SSL3_RT_MAX_EXTRA;
    767 			}
    768 #ifndef OPENSSL_NO_COMP
    769 		if (!(s->options & SSL_OP_NO_COMPRESSION))
    770 			len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
    771 #endif
    772 		if ((p=freelist_extract(s->ctx, 1, len)) == NULL)
    773 			goto err;
    774 		s->s3->rbuf.buf = p;
    775 		s->s3->rbuf.len = len;
    776 		}
    777 
    778 	s->packet= &(s->s3->rbuf.buf[0]);
    779 	return 1;
    780 
    781 err:
    782 	SSLerr(SSL_F_SSL3_SETUP_READ_BUFFER,ERR_R_MALLOC_FAILURE);
    783 	return 0;
    784 	}
    785 
    786 int ssl3_setup_write_buffer(SSL *s)
    787 	{
    788 	unsigned char *p;
    789 	size_t len,align=0,headerlen;
    790 
    791 	if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
    792 		headerlen = DTLS1_RT_HEADER_LENGTH + 1;
    793 	else
    794 		headerlen = SSL3_RT_HEADER_LENGTH;
    795 
    796 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
    797 	align = (-SSL3_RT_HEADER_LENGTH)&(SSL3_ALIGN_PAYLOAD-1);
    798 #endif
    799 
    800 	if (s->s3->wbuf.buf == NULL)
    801 		{
    802 		len = s->max_send_fragment
    803 			+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
    804 			+ headerlen + align;
    805 #ifndef OPENSSL_NO_COMP
    806 		if (!(s->options & SSL_OP_NO_COMPRESSION))
    807 			len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
    808 #endif
    809 		if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
    810 			len += headerlen + align
    811 				+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
    812 
    813 		if ((p=freelist_extract(s->ctx, 0, len)) == NULL)
    814 			goto err;
    815 		s->s3->wbuf.buf = p;
    816 		s->s3->wbuf.len = len;
    817 		}
    818 
    819 	return 1;
    820 
    821 err:
    822 	SSLerr(SSL_F_SSL3_SETUP_WRITE_BUFFER,ERR_R_MALLOC_FAILURE);
    823 	return 0;
    824 	}
    825 
    826 
    827 int ssl3_setup_buffers(SSL *s)
    828 	{
    829 	if (!ssl3_setup_read_buffer(s))
    830 		return 0;
    831 	if (!ssl3_setup_write_buffer(s))
    832 		return 0;
    833 	return 1;
    834 	}
    835 
    836 int ssl3_release_write_buffer(SSL *s)
    837 	{
    838 	if (s->s3->wbuf.buf != NULL)
    839 		{
    840 		freelist_insert(s->ctx, 0, s->s3->wbuf.len, s->s3->wbuf.buf);
    841 		s->s3->wbuf.buf = NULL;
    842 		}
    843 	return 1;
    844 	}
    845 
    846 int ssl3_release_read_buffer(SSL *s)
    847 	{
    848 	if (s->s3->rbuf.buf != NULL)
    849 		{
    850 		freelist_insert(s->ctx, 1, s->s3->rbuf.len, s->s3->rbuf.buf);
    851 		s->s3->rbuf.buf = NULL;
    852 		}
    853 	return 1;
    854 	}
    855 
    856