Home | History | Annotate | Download | only in ssl
      1 /* ssl/s3_pkt.c */
      2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      3  * All rights reserved.
      4  *
      5  * This package is an SSL implementation written
      6  * by Eric Young (eay (at) cryptsoft.com).
      7  * The implementation was written so as to conform with Netscapes SSL.
      8  *
      9  * This library is free for commercial and non-commercial use as long as
     10  * the following conditions are aheared to.  The following conditions
     11  * apply to all code found in this distribution, be it the RC4, RSA,
     12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     13  * included with this distribution is covered by the same copyright terms
     14  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     15  *
     16  * Copyright remains Eric Young's, and as such any Copyright notices in
     17  * the code are not to be removed.
     18  * If this package is used in a product, Eric Young should be given attribution
     19  * as the author of the parts of the library used.
     20  * This can be in the form of a textual message at program startup or
     21  * in documentation (online or textual) provided with the package.
     22  *
     23  * Redistribution and use in source and binary forms, with or without
     24  * modification, are permitted provided that the following conditions
     25  * are met:
     26  * 1. Redistributions of source code must retain the copyright
     27  *    notice, this list of conditions and the following disclaimer.
     28  * 2. Redistributions in binary form must reproduce the above copyright
     29  *    notice, this list of conditions and the following disclaimer in the
     30  *    documentation and/or other materials provided with the distribution.
     31  * 3. All advertising materials mentioning features or use of this software
     32  *    must display the following acknowledgement:
     33  *    "This product includes cryptographic software written by
     34  *     Eric Young (eay (at) cryptsoft.com)"
     35  *    The word 'cryptographic' can be left out if the rouines from the library
     36  *    being used are not cryptographic related :-).
     37  * 4. If you include any Windows specific code (or a derivative thereof) from
     38  *    the apps directory (application code) you must include an acknowledgement:
     39  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     40  *
     41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     51  * SUCH DAMAGE.
     52  *
     53  * The licence and distribution terms for any publically available version or
     54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     55  * copied and put under another distribution licence
     56  * [including the GNU Public Licence.]
     57  */
     58 /* ====================================================================
     59  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
     60  *
     61  * Redistribution and use in source and binary forms, with or without
     62  * modification, are permitted provided that the following conditions
     63  * are met:
     64  *
     65  * 1. Redistributions of source code must retain the above copyright
     66  *    notice, this list of conditions and the following disclaimer.
     67  *
     68  * 2. Redistributions in binary form must reproduce the above copyright
     69  *    notice, this list of conditions and the following disclaimer in
     70  *    the documentation and/or other materials provided with the
     71  *    distribution.
     72  *
     73  * 3. All advertising materials mentioning features or use of this
     74  *    software must display the following acknowledgment:
     75  *    "This product includes software developed by the OpenSSL Project
     76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
     77  *
     78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     79  *    endorse or promote products derived from this software without
     80  *    prior written permission. For written permission, please contact
     81  *    openssl-core (at) openssl.org.
     82  *
     83  * 5. Products derived from this software may not be called "OpenSSL"
     84  *    nor may "OpenSSL" appear in their names without prior written
     85  *    permission of the OpenSSL Project.
     86  *
     87  * 6. Redistributions of any form whatsoever must retain the following
     88  *    acknowledgment:
     89  *    "This product includes software developed by the OpenSSL Project
     90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
     91  *
     92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    103  * OF THE POSSIBILITY OF SUCH DAMAGE.
    104  * ====================================================================
    105  *
    106  * This product includes cryptographic software written by Eric Young
    107  * (eay (at) cryptsoft.com).  This product includes software written by Tim
    108  * Hudson (tjh (at) cryptsoft.com).
    109  *
    110  */
    111 
    112 #include <stdio.h>
    113 #include <errno.h>
    114 #define USE_SOCKETS
    115 #include "ssl_locl.h"
    116 #include <openssl/evp.h>
    117 #include <openssl/buffer.h>
    118 #include <openssl/rand.h>
    119 
    120 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
    121 			 unsigned int len, int create_empty_fragment);
    122 static int ssl3_get_record(SSL *s);
    123 
    124 int ssl3_read_n(SSL *s, int n, int max, int extend)
    125 	{
    126 	/* If extend == 0, obtain new n-byte packet; if extend == 1, increase
    127 	 * packet by another n bytes.
    128 	 * The packet will be in the sub-array of s->s3->rbuf.buf specified
    129 	 * by s->packet and s->packet_length.
    130 	 * (If s->read_ahead is set, 'max' bytes may be stored in rbuf
    131 	 * [plus s->packet_length bytes if extend == 1].)
    132 	 */
    133 	int i,len,left;
    134 	long align=0;
    135 	unsigned char *pkt;
    136 	SSL3_BUFFER *rb;
    137 
    138 	if (n <= 0) return n;
    139 
    140 	rb    = &(s->s3->rbuf);
    141 	if (rb->buf == NULL)
    142 		if (!ssl3_setup_read_buffer(s))
    143 			return -1;
    144 
    145 	left  = rb->left;
    146 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
    147 	align = (long)rb->buf + SSL3_RT_HEADER_LENGTH;
    148 	align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
    149 #endif
    150 
    151 	if (!extend)
    152 		{
    153 		/* start with empty packet ... */
    154 		if (left == 0)
    155 			rb->offset = align;
    156 		else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH)
    157 			{
    158 			/* check if next packet length is large
    159 			 * enough to justify payload alignment... */
    160 			pkt = rb->buf + rb->offset;
    161 			if (pkt[0] == SSL3_RT_APPLICATION_DATA
    162 			    && (pkt[3]<<8|pkt[4]) >= 128)
    163 				{
    164 				/* Note that even if packet is corrupted
    165 				 * and its length field is insane, we can
    166 				 * only be led to wrong decision about
    167 				 * whether memmove will occur or not.
    168 				 * Header values has no effect on memmove
    169 				 * arguments and therefore no buffer
    170 				 * overrun can be triggered. */
    171 				memmove (rb->buf+align,pkt,left);
    172 				rb->offset = align;
    173 				}
    174 			}
    175 		s->packet = rb->buf + rb->offset;
    176 		s->packet_length = 0;
    177 		/* ... now we can act as if 'extend' was set */
    178 		}
    179 
    180 	/* For DTLS/UDP reads should not span multiple packets
    181 	 * because the read operation returns the whole packet
    182 	 * at once (as long as it fits into the buffer). */
    183 	if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
    184 		{
    185 		if (left > 0 && n > left)
    186 			n = left;
    187 		}
    188 
    189 	/* if there is enough in the buffer from a previous read, take some */
    190 	if (left >= n)
    191 		{
    192 		s->packet_length+=n;
    193 		rb->left=left-n;
    194 		rb->offset+=n;
    195 		return(n);
    196 		}
    197 
    198 	/* else we need to read more data */
    199 
    200 	len = s->packet_length;
    201 	pkt = rb->buf+align;
    202 	/* Move any available bytes to front of buffer:
    203 	 * 'len' bytes already pointed to by 'packet',
    204 	 * 'left' extra ones at the end */
    205 	if (s->packet != pkt) /* len > 0 */
    206 		{
    207 		memmove(pkt, s->packet, len+left);
    208 		s->packet = pkt;
    209 		rb->offset = len + align;
    210 		}
    211 
    212 	if (n > (int)(rb->len - rb->offset)) /* does not happen */
    213 		{
    214 		SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
    215 		return -1;
    216 		}
    217 
    218 	if (!s->read_ahead)
    219 		/* ignore max parameter */
    220 		max = n;
    221 	else
    222 		{
    223 		if (max < n)
    224 			max = n;
    225 		if (max > (int)(rb->len - rb->offset))
    226 			max = rb->len - rb->offset;
    227 		}
    228 
    229 	while (left < n)
    230 		{
    231 		/* Now we have len+left bytes at the front of s->s3->rbuf.buf
    232 		 * and need to read in more until we have len+n (up to
    233 		 * len+max if possible) */
    234 
    235 		clear_sys_error();
    236 		if (s->rbio != NULL)
    237 			{
    238 			s->rwstate=SSL_READING;
    239 			i=BIO_read(s->rbio,pkt+len+left, max-left);
    240 			}
    241 		else
    242 			{
    243 			SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
    244 			i = -1;
    245 			}
    246 
    247 		if (i <= 0)
    248 			{
    249 			rb->left = left;
    250 			if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
    251 			    SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
    252 				if (len+left == 0)
    253 					ssl3_release_read_buffer(s);
    254 			return(i);
    255 			}
    256 		left+=i;
    257 		/* reads should *never* span multiple packets for DTLS because
    258 		 * the underlying transport protocol is message oriented as opposed
    259 		 * to byte oriented as in the TLS case. */
    260 		if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
    261 			{
    262 			if (n > left)
    263 				n = left; /* makes the while condition false */
    264 			}
    265 		}
    266 
    267 	/* done reading, now the book-keeping */
    268 	rb->offset += n;
    269 	rb->left = left - n;
    270 	s->packet_length += n;
    271 	s->rwstate=SSL_NOTHING;
    272 	return(n);
    273 	}
    274 
    275 /* Call this to get a new input record.
    276  * It will return <= 0 if more data is needed, normally due to an error
    277  * or non-blocking IO.
    278  * When it finishes, one packet has been decoded and can be found in
    279  * ssl->s3->rrec.type    - is the type of record
    280  * ssl->s3->rrec.data, 	 - data
    281  * ssl->s3->rrec.length, - number of bytes
    282  */
    283 /* used only by ssl3_read_bytes */
    284 static int ssl3_get_record(SSL *s)
    285 	{
    286 	int ssl_major,ssl_minor,al;
    287 	int enc_err,n,i,ret= -1;
    288 	SSL3_RECORD *rr;
    289 	SSL_SESSION *sess;
    290 	unsigned char *p;
    291 	unsigned char md[EVP_MAX_MD_SIZE];
    292 	short version;
    293 	unsigned mac_size, orig_len;
    294 	size_t extra;
    295 
    296 	rr= &(s->s3->rrec);
    297 	sess=s->session;
    298 
    299 	if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
    300 		extra=SSL3_RT_MAX_EXTRA;
    301 	else
    302 		extra=0;
    303 	if (extra && !s->s3->init_extra)
    304 		{
    305 		/* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
    306 		 * set after ssl3_setup_buffers() was done */
    307 		SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
    308 		return -1;
    309 		}
    310 
    311 again:
    312 	/* check if we have the header */
    313 	if (	(s->rstate != SSL_ST_READ_BODY) ||
    314 		(s->packet_length < SSL3_RT_HEADER_LENGTH))
    315 		{
    316 		n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
    317 		if (n <= 0) return(n); /* error or non-blocking */
    318 		s->rstate=SSL_ST_READ_BODY;
    319 
    320 		p=s->packet;
    321 
    322 		/* Pull apart the header into the SSL3_RECORD */
    323 		rr->type= *(p++);
    324 		ssl_major= *(p++);
    325 		ssl_minor= *(p++);
    326 		version=(ssl_major<<8)|ssl_minor;
    327 		n2s(p,rr->length);
    328 #if 0
    329 fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
    330 #endif
    331 
    332 		/* Lets check version */
    333 		if (!s->first_packet)
    334 			{
    335 			if (version != s->version)
    336 				{
    337 				SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
    338                                 if ((s->version & 0xFF00) == (version & 0xFF00))
    339                                 	/* Send back error using their minor version number :-) */
    340 					s->version = (unsigned short)version;
    341 				al=SSL_AD_PROTOCOL_VERSION;
    342 				goto f_err;
    343 				}
    344 			}
    345 
    346 		if ((version>>8) != SSL3_VERSION_MAJOR)
    347 			{
    348 			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
    349 			goto err;
    350 			}
    351 
    352 		if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH)
    353 			{
    354 			al=SSL_AD_RECORD_OVERFLOW;
    355 			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
    356 			goto f_err;
    357 			}
    358 
    359 		/* now s->rstate == SSL_ST_READ_BODY */
    360 		}
    361 
    362 	/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
    363 
    364 	if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH)
    365 		{
    366 		/* now s->packet_length == SSL3_RT_HEADER_LENGTH */
    367 		i=rr->length;
    368 		n=ssl3_read_n(s,i,i,1);
    369 		if (n <= 0) return(n); /* error or non-blocking io */
    370 		/* now n == rr->length,
    371 		 * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
    372 		}
    373 
    374 	s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
    375 
    376 	/* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
    377 	 * and we have that many bytes in s->packet
    378 	 */
    379 	rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
    380 
    381 	/* ok, we can now read from 's->packet' data into 'rr'
    382 	 * rr->input points at rr->length bytes, which
    383 	 * need to be copied into rr->data by either
    384 	 * the decryption or by the decompression
    385 	 * When the data is 'copied' into the rr->data buffer,
    386 	 * rr->input will be pointed at the new buffer */
    387 
    388 	/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
    389 	 * rr->length bytes of encrypted compressed stuff. */
    390 
    391 	/* check is not needed I believe */
    392 	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
    393 		{
    394 		al=SSL_AD_RECORD_OVERFLOW;
    395 		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
    396 		goto f_err;
    397 		}
    398 
    399 	/* decrypt in place in 'rr->input' */
    400 	rr->data=rr->input;
    401 
    402 	enc_err = s->method->ssl3_enc->enc(s,0);
    403 	/* enc_err is:
    404 	 *    0: (in non-constant time) if the record is publically invalid.
    405 	 *    1: if the padding is valid
    406 	 *    -1: if the padding is invalid */
    407 	if (enc_err == 0)
    408 		{
    409 		al=SSL_AD_DECRYPTION_FAILED;
    410 		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
    411 		goto f_err;
    412 		}
    413 
    414 #ifdef TLS_DEBUG
    415 printf("dec %d\n",rr->length);
    416 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
    417 printf("\n");
    418 #endif
    419 
    420 	/* r->length is now the compressed data plus mac */
    421 	if ((sess != NULL) &&
    422 	    (s->enc_read_ctx != NULL) &&
    423 	    (EVP_MD_CTX_md(s->read_hash) != NULL))
    424 		{
    425 		/* s->read_hash != NULL => mac_size != -1 */
    426 		unsigned char *mac = NULL;
    427 		unsigned char mac_tmp[EVP_MAX_MD_SIZE];
    428 		mac_size=EVP_MD_CTX_size(s->read_hash);
    429 		OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
    430 
    431 		/* kludge: *_cbc_remove_padding passes padding length in rr->type */
    432 		orig_len = rr->length+((unsigned int)rr->type>>8);
    433 
    434 		/* orig_len is the length of the record before any padding was
    435 		 * removed. This is public information, as is the MAC in use,
    436 		 * therefore we can safely process the record in a different
    437 		 * amount of time if it's too short to possibly contain a MAC.
    438 		 */
    439 		if (orig_len < mac_size ||
    440 		    /* CBC records must have a padding length byte too. */
    441 		    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
    442 		     orig_len < mac_size+1))
    443 			{
    444 			al=SSL_AD_DECODE_ERROR;
    445 			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
    446 			goto f_err;
    447 			}
    448 
    449 		if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
    450 			{
    451 			/* We update the length so that the TLS header bytes
    452 			 * can be constructed correctly but we need to extract
    453 			 * the MAC in constant time from within the record,
    454 			 * without leaking the contents of the padding bytes.
    455 			 * */
    456 			mac = mac_tmp;
    457 			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
    458 			rr->length -= mac_size;
    459 			}
    460 		else
    461 			{
    462 			/* In this case there's no padding, so |orig_len|
    463 			 * equals |rec->length| and we checked that there's
    464 			 * enough bytes for |mac_size| above. */
    465 			rr->length -= mac_size;
    466 			mac = &rr->data[rr->length];
    467 			}
    468 
    469 		i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
    470 		if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
    471 			enc_err = -1;
    472 		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
    473 			enc_err = -1;
    474 		}
    475 
    476 	if (enc_err < 0)
    477 		{
    478 		/* A separate 'decryption_failed' alert was introduced with TLS 1.0,
    479 		 * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
    480 		 * failure is directly visible from the ciphertext anyway,
    481 		 * we should not reveal which kind of error occured -- this
    482 		 * might become visible to an attacker (e.g. via a logfile) */
    483 		al=SSL_AD_BAD_RECORD_MAC;
    484 		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
    485 		goto f_err;
    486 		}
    487 
    488 	/* r->length is now just compressed */
    489 	if (s->expand != NULL)
    490 		{
    491 		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
    492 			{
    493 			al=SSL_AD_RECORD_OVERFLOW;
    494 			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
    495 			goto f_err;
    496 			}
    497 		if (!ssl3_do_uncompress(s))
    498 			{
    499 			al=SSL_AD_DECOMPRESSION_FAILURE;
    500 			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
    501 			goto f_err;
    502 			}
    503 		}
    504 
    505 	if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra)
    506 		{
    507 		al=SSL_AD_RECORD_OVERFLOW;
    508 		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
    509 		goto f_err;
    510 		}
    511 
    512 	rr->off=0;
    513 	/* So at this point the following is true
    514 	 * ssl->s3->rrec.type 	is the type of record
    515 	 * ssl->s3->rrec.length	== number of bytes in record
    516 	 * ssl->s3->rrec.off	== offset to first valid byte
    517 	 * ssl->s3->rrec.data	== where to take bytes from, increment
    518 	 *			   after use :-).
    519 	 */
    520 
    521 	/* we have pulled in a full packet so zero things */
    522 	s->packet_length=0;
    523 
    524 	/* just read a 0 length packet */
    525 	if (rr->length == 0) goto again;
    526 
    527 #if 0
    528 fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length);
    529 #endif
    530 
    531 	return(1);
    532 
    533 f_err:
    534 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
    535 err:
    536 	return(ret);
    537 	}
    538 
    539 int ssl3_do_uncompress(SSL *ssl)
    540 	{
    541 #ifndef OPENSSL_NO_COMP
    542 	int i;
    543 	SSL3_RECORD *rr;
    544 
    545 	rr= &(ssl->s3->rrec);
    546 	i=COMP_expand_block(ssl->expand,rr->comp,
    547 		SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
    548 	if (i < 0)
    549 		return(0);
    550 	else
    551 		rr->length=i;
    552 	rr->data=rr->comp;
    553 #endif
    554 	return(1);
    555 	}
    556 
    557 int ssl3_do_compress(SSL *ssl)
    558 	{
    559 #ifndef OPENSSL_NO_COMP
    560 	int i;
    561 	SSL3_RECORD *wr;
    562 
    563 	wr= &(ssl->s3->wrec);
    564 	i=COMP_compress_block(ssl->compress,wr->data,
    565 		SSL3_RT_MAX_COMPRESSED_LENGTH,
    566 		wr->input,(int)wr->length);
    567 	if (i < 0)
    568 		return(0);
    569 	else
    570 		wr->length=i;
    571 
    572 	wr->input=wr->data;
    573 #endif
    574 	return(1);
    575 	}
    576 
    577 /* Call this to write data in records of type 'type'
    578  * It will return <= 0 if not all data has been sent or non-blocking IO.
    579  */
    580 int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
    581 	{
    582 	const unsigned char *buf=buf_;
    583 	unsigned int tot,n,nw;
    584 	int i;
    585 
    586 	s->rwstate=SSL_NOTHING;
    587 	tot=s->s3->wnum;
    588 	s->s3->wnum=0;
    589 
    590 	if (SSL_in_init(s) && !s->in_handshake)
    591 		{
    592 		i=s->handshake_func(s);
    593 		if (i < 0) return(i);
    594 		if (i == 0)
    595 			{
    596 			SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
    597 			return -1;
    598 			}
    599 		}
    600 
    601 	n=(len-tot);
    602 	for (;;)
    603 		{
    604 		if (n > s->max_send_fragment)
    605 			nw=s->max_send_fragment;
    606 		else
    607 			nw=n;
    608 
    609 		i=do_ssl3_write(s, type, &(buf[tot]), nw, 0);
    610 		if (i <= 0)
    611 			{
    612 			s->s3->wnum=tot;
    613 			return i;
    614 			}
    615 
    616 		if ((i == (int)n) ||
    617 			(type == SSL3_RT_APPLICATION_DATA &&
    618 			 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
    619 			{
    620 			/* next chunk of data should get another prepended empty fragment
    621 			 * in ciphersuites with known-IV weakness: */
    622 			s->s3->empty_fragment_done = 0;
    623 
    624 			return tot+i;
    625 			}
    626 
    627 		n-=i;
    628 		tot+=i;
    629 		}
    630 	}
    631 
    632 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
    633 			 unsigned int len, int create_empty_fragment)
    634 	{
    635 	unsigned char *p,*plen;
    636 	int i,mac_size,clear=0;
    637 	int prefix_len=0;
    638 	int eivlen;
    639 	long align=0;
    640 	SSL3_RECORD *wr;
    641 	SSL3_BUFFER *wb=&(s->s3->wbuf);
    642 	SSL_SESSION *sess;
    643 
    644  	if (wb->buf == NULL)
    645 		if (!ssl3_setup_write_buffer(s))
    646 			return -1;
    647 
    648 	/* first check if there is a SSL3_BUFFER still being written
    649 	 * out.  This will happen with non blocking IO */
    650 	if (wb->left != 0)
    651 		return(ssl3_write_pending(s,type,buf,len));
    652 
    653 	/* If we have an alert to send, lets send it */
    654 	if (s->s3->alert_dispatch)
    655 		{
    656 		i=s->method->ssl_dispatch_alert(s);
    657 		if (i <= 0)
    658 			return(i);
    659 		/* if it went, fall through and send more stuff */
    660 		}
    661 
    662 	if (len == 0 && !create_empty_fragment)
    663 		return 0;
    664 
    665 	wr= &(s->s3->wrec);
    666 	sess=s->session;
    667 
    668 	if (	(sess == NULL) ||
    669 		(s->enc_write_ctx == NULL) ||
    670 		(EVP_MD_CTX_md(s->write_hash) == NULL))
    671 		{
    672 #if 1
    673 		clear=s->enc_write_ctx?0:1;	/* must be AEAD cipher */
    674 #else
    675 		clear=1;
    676 #endif
    677 		mac_size=0;
    678 		}
    679 	else
    680 		{
    681 		mac_size=EVP_MD_CTX_size(s->write_hash);
    682 		if (mac_size < 0)
    683 			goto err;
    684 		}
    685 
    686 	/* 'create_empty_fragment' is true only when this function calls itself */
    687 	if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done)
    688 		{
    689 		/* countermeasure against known-IV weakness in CBC ciphersuites
    690 		 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
    691 
    692 		if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
    693 			{
    694 			/* recursive function call with 'create_empty_fragment' set;
    695 			 * this prepares and buffers the data for an empty fragment
    696 			 * (these 'prefix_len' bytes are sent out later
    697 			 * together with the actual payload) */
    698 			prefix_len = do_ssl3_write(s, type, buf, 0, 1);
    699 			if (prefix_len <= 0)
    700 				goto err;
    701 
    702 			if (prefix_len >
    703 		(SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD))
    704 				{
    705 				/* insufficient space */
    706 				SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
    707 				goto err;
    708 				}
    709 			}
    710 
    711 		s->s3->empty_fragment_done = 1;
    712 		}
    713 
    714 	if (create_empty_fragment)
    715 		{
    716 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
    717 		/* extra fragment would be couple of cipher blocks,
    718 		 * which would be multiple of SSL3_ALIGN_PAYLOAD, so
    719 		 * if we want to align the real payload, then we can
    720 		 * just pretent we simply have two headers. */
    721 		align = (long)wb->buf + 2*SSL3_RT_HEADER_LENGTH;
    722 		align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
    723 #endif
    724 		p = wb->buf + align;
    725 		wb->offset  = align;
    726 		}
    727 	else if (prefix_len)
    728 		{
    729 		p = wb->buf + wb->offset + prefix_len;
    730 		}
    731 	else
    732 		{
    733 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
    734 		align = (long)wb->buf + SSL3_RT_HEADER_LENGTH;
    735 		align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
    736 #endif
    737 		p = wb->buf + align;
    738 		wb->offset  = align;
    739 		}
    740 
    741 	/* write the header */
    742 
    743 	*(p++)=type&0xff;
    744 	wr->type=type;
    745 
    746 	*(p++)=(s->version>>8);
    747 	/* Some servers hang if iniatial client hello is larger than 256
    748 	 * bytes and record version number > TLS 1.0
    749 	 */
    750 	if (s->state == SSL3_ST_CW_CLNT_HELLO_B
    751 				&& !s->renegotiate
    752 				&& TLS1_get_version(s) > TLS1_VERSION)
    753 		*(p++) = 0x1;
    754 	else
    755 		*(p++)=s->version&0xff;
    756 
    757 	/* field where we are to write out packet length */
    758 	plen=p;
    759 	p+=2;
    760 	/* Explicit IV length, block ciphers and TLS version 1.1 or later */
    761 	if (s->enc_write_ctx && s->version >= TLS1_1_VERSION)
    762 		{
    763 		int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
    764 		if (mode == EVP_CIPH_CBC_MODE)
    765 			{
    766 			eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
    767 			if (eivlen <= 1)
    768 				eivlen = 0;
    769 			}
    770 		/* Need explicit part of IV for GCM mode */
    771 		else if (mode == EVP_CIPH_GCM_MODE)
    772 			eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
    773 		else
    774 			eivlen = 0;
    775 		}
    776 	else
    777 		eivlen = 0;
    778 
    779 	/* lets setup the record stuff. */
    780 	wr->data=p + eivlen;
    781 	wr->length=(int)len;
    782 	wr->input=(unsigned char *)buf;
    783 
    784 	/* we now 'read' from wr->input, wr->length bytes into
    785 	 * wr->data */
    786 
    787 	/* first we compress */
    788 	if (s->compress != NULL)
    789 		{
    790 		if (!ssl3_do_compress(s))
    791 			{
    792 			SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
    793 			goto err;
    794 			}
    795 		}
    796 	else
    797 		{
    798 		memcpy(wr->data,wr->input,wr->length);
    799 		wr->input=wr->data;
    800 		}
    801 
    802 	/* we should still have the output to wr->data and the input
    803 	 * from wr->input.  Length should be wr->length.
    804 	 * wr->data still points in the wb->buf */
    805 
    806 	if (mac_size != 0)
    807 		{
    808 		if (s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
    809 			goto err;
    810 		wr->length+=mac_size;
    811 		}
    812 
    813 	wr->input=p;
    814 	wr->data=p;
    815 
    816 	if (eivlen)
    817 		{
    818 	/*	if (RAND_pseudo_bytes(p, eivlen) <= 0)
    819 			goto err; */
    820 		wr->length += eivlen;
    821 		}
    822 
    823 	/* ssl3_enc can only have an error on read */
    824 	s->method->ssl3_enc->enc(s,1);
    825 
    826 	/* record length after mac and block padding */
    827 	s2n(wr->length,plen);
    828 
    829 	/* we should now have
    830 	 * wr->data pointing to the encrypted data, which is
    831 	 * wr->length long */
    832 	wr->type=type; /* not needed but helps for debugging */
    833 	wr->length+=SSL3_RT_HEADER_LENGTH;
    834 
    835 	if (create_empty_fragment)
    836 		{
    837 		/* we are in a recursive call;
    838 		 * just return the length, don't write out anything here
    839 		 */
    840 		return wr->length;
    841 		}
    842 
    843 	/* now let's set up wb */
    844 	wb->left = prefix_len + wr->length;
    845 
    846 	/* memorize arguments so that ssl3_write_pending can detect bad write retries later */
    847 	s->s3->wpend_tot=len;
    848 	s->s3->wpend_buf=buf;
    849 	s->s3->wpend_type=type;
    850 	s->s3->wpend_ret=len;
    851 
    852 	/* we now just need to write the buffer */
    853 	return ssl3_write_pending(s,type,buf,len);
    854 err:
    855 	return -1;
    856 	}
    857 
    858 /* if s->s3->wbuf.left != 0, we need to call this */
    859 int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
    860 	unsigned int len)
    861 	{
    862 	int i;
    863 	SSL3_BUFFER *wb=&(s->s3->wbuf);
    864 
    865 /* XXXX */
    866 	if ((s->s3->wpend_tot > (int)len)
    867 		|| ((s->s3->wpend_buf != buf) &&
    868 			!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
    869 		|| (s->s3->wpend_type != type))
    870 		{
    871 		SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
    872 		return(-1);
    873 		}
    874 
    875 	for (;;)
    876 		{
    877 		clear_sys_error();
    878 		if (s->wbio != NULL)
    879 			{
    880 			s->rwstate=SSL_WRITING;
    881 			i=BIO_write(s->wbio,
    882 				(char *)&(wb->buf[wb->offset]),
    883 				(unsigned int)wb->left);
    884 			}
    885 		else
    886 			{
    887 			SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
    888 			i= -1;
    889 			}
    890 		if (i == wb->left)
    891 			{
    892 			wb->left=0;
    893 			wb->offset+=i;
    894 			if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
    895 			    SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
    896 				ssl3_release_write_buffer(s);
    897 			s->rwstate=SSL_NOTHING;
    898 			return(s->s3->wpend_ret);
    899 			}
    900 		else if (i <= 0) {
    901 			if (s->version == DTLS1_VERSION ||
    902 			    s->version == DTLS1_BAD_VER) {
    903 				/* For DTLS, just drop it. That's kind of the whole
    904 				   point in using a datagram service */
    905 				wb->left = 0;
    906 			}
    907 			return(i);
    908 		}
    909 		wb->offset+=i;
    910 		wb->left-=i;
    911 		}
    912 	}
    913 
    914 /* Return up to 'len' payload bytes received in 'type' records.
    915  * 'type' is one of the following:
    916  *
    917  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
    918  *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
    919  *   -  0 (during a shutdown, no data has to be returned)
    920  *
    921  * If we don't have stored data to work from, read a SSL/TLS record first
    922  * (possibly multiple records if we still don't have anything to return).
    923  *
    924  * This function must handle any surprises the peer may have for us, such as
    925  * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
    926  * a surprise, but handled as if it were), or renegotiation requests.
    927  * Also if record payloads contain fragments too small to process, we store
    928  * them until there is enough for the respective protocol (the record protocol
    929  * may use arbitrary fragmentation and even interleaving):
    930  *     Change cipher spec protocol
    931  *             just 1 byte needed, no need for keeping anything stored
    932  *     Alert protocol
    933  *             2 bytes needed (AlertLevel, AlertDescription)
    934  *     Handshake protocol
    935  *             4 bytes needed (HandshakeType, uint24 length) -- we just have
    936  *             to detect unexpected Client Hello and Hello Request messages
    937  *             here, anything else is handled by higher layers
    938  *     Application data protocol
    939  *             none of our business
    940  */
    941 int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
    942 	{
    943 	int al,i,j,ret;
    944 	unsigned int n;
    945 	SSL3_RECORD *rr;
    946 	void (*cb)(const SSL *ssl,int type2,int val)=NULL;
    947 
    948 	if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
    949 		if (!ssl3_setup_read_buffer(s))
    950 			return(-1);
    951 
    952 	if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
    953 	    (peek && (type != SSL3_RT_APPLICATION_DATA)))
    954 		{
    955 		SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
    956 		return -1;
    957 		}
    958 
    959 	if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
    960 		/* (partially) satisfy request from storage */
    961 		{
    962 		unsigned char *src = s->s3->handshake_fragment;
    963 		unsigned char *dst = buf;
    964 		unsigned int k;
    965 
    966 		/* peek == 0 */
    967 		n = 0;
    968 		while ((len > 0) && (s->s3->handshake_fragment_len > 0))
    969 			{
    970 			*dst++ = *src++;
    971 			len--; s->s3->handshake_fragment_len--;
    972 			n++;
    973 			}
    974 		/* move any remaining fragment bytes: */
    975 		for (k = 0; k < s->s3->handshake_fragment_len; k++)
    976 			s->s3->handshake_fragment[k] = *src++;
    977 		return n;
    978 	}
    979 
    980 	/* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
    981 
    982 	if (!s->in_handshake && SSL_in_init(s))
    983 		{
    984 		/* type == SSL3_RT_APPLICATION_DATA */
    985 		i=s->handshake_func(s);
    986 		if (i < 0) return(i);
    987 		if (i == 0)
    988 			{
    989 			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
    990 			return(-1);
    991 			}
    992 		}
    993 start:
    994 	s->rwstate=SSL_NOTHING;
    995 
    996 	/* s->s3->rrec.type	    - is the type of record
    997 	 * s->s3->rrec.data,    - data
    998 	 * s->s3->rrec.off,     - offset into 'data' for next read
    999 	 * s->s3->rrec.length,  - number of bytes. */
   1000 	rr = &(s->s3->rrec);
   1001 
   1002 	/* get new packet if necessary */
   1003 	if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
   1004 		{
   1005 		ret=ssl3_get_record(s);
   1006 		if (ret <= 0) return(ret);
   1007 		}
   1008 
   1009 	/* we now have a packet which can be read and processed */
   1010 
   1011 	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
   1012 	                               * reset by ssl3_get_finished */
   1013 		&& (rr->type != SSL3_RT_HANDSHAKE))
   1014 		{
   1015 		al=SSL_AD_UNEXPECTED_MESSAGE;
   1016 		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
   1017 		goto f_err;
   1018 		}
   1019 
   1020 	/* If the other end has shut down, throw anything we read away
   1021 	 * (even in 'peek' mode) */
   1022 	if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
   1023 		{
   1024 		rr->length=0;
   1025 		s->rwstate=SSL_NOTHING;
   1026 		return(0);
   1027 		}
   1028 
   1029 
   1030 	if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
   1031 		{
   1032 		/* make sure that we are not getting application data when we
   1033 		 * are doing a handshake for the first time */
   1034 		if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
   1035 			(s->enc_read_ctx == NULL))
   1036 			{
   1037 			al=SSL_AD_UNEXPECTED_MESSAGE;
   1038 			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
   1039 			goto f_err;
   1040 			}
   1041 
   1042 		if (len <= 0) return(len);
   1043 
   1044 		if ((unsigned int)len > rr->length)
   1045 			n = rr->length;
   1046 		else
   1047 			n = (unsigned int)len;
   1048 
   1049 		memcpy(buf,&(rr->data[rr->off]),n);
   1050 		if (!peek)
   1051 			{
   1052 			rr->length-=n;
   1053 			rr->off+=n;
   1054 			if (rr->length == 0)
   1055 				{
   1056 				s->rstate=SSL_ST_READ_HEADER;
   1057 				rr->off=0;
   1058 				if (s->mode & SSL_MODE_RELEASE_BUFFERS)
   1059 					ssl3_release_read_buffer(s);
   1060 				}
   1061 			}
   1062 		return(n);
   1063 		}
   1064 
   1065 
   1066 	/* If we get here, then type != rr->type; if we have a handshake
   1067 	 * message, then it was unexpected (Hello Request or Client Hello). */
   1068 
   1069 	/* In case of record types for which we have 'fragment' storage,
   1070 	 * fill that so that we can process the data at a fixed place.
   1071 	 */
   1072 		{
   1073 		unsigned int dest_maxlen = 0;
   1074 		unsigned char *dest = NULL;
   1075 		unsigned int *dest_len = NULL;
   1076 
   1077 		if (rr->type == SSL3_RT_HANDSHAKE)
   1078 			{
   1079 			dest_maxlen = sizeof s->s3->handshake_fragment;
   1080 			dest = s->s3->handshake_fragment;
   1081 			dest_len = &s->s3->handshake_fragment_len;
   1082 			}
   1083 		else if (rr->type == SSL3_RT_ALERT)
   1084 			{
   1085 			dest_maxlen = sizeof s->s3->alert_fragment;
   1086 			dest = s->s3->alert_fragment;
   1087 			dest_len = &s->s3->alert_fragment_len;
   1088 			}
   1089 #ifndef OPENSSL_NO_HEARTBEATS
   1090 		else if (rr->type == TLS1_RT_HEARTBEAT)
   1091 			{
   1092 			tls1_process_heartbeat(s);
   1093 
   1094 			/* Exit and notify application to read again */
   1095 			rr->length = 0;
   1096 			s->rwstate=SSL_READING;
   1097 			BIO_clear_retry_flags(SSL_get_rbio(s));
   1098 			BIO_set_retry_read(SSL_get_rbio(s));
   1099 			return(-1);
   1100 			}
   1101 #endif
   1102 
   1103 		if (dest_maxlen > 0)
   1104 			{
   1105 			n = dest_maxlen - *dest_len; /* available space in 'dest' */
   1106 			if (rr->length < n)
   1107 				n = rr->length; /* available bytes */
   1108 
   1109 			/* now move 'n' bytes: */
   1110 			while (n-- > 0)
   1111 				{
   1112 				dest[(*dest_len)++] = rr->data[rr->off++];
   1113 				rr->length--;
   1114 				}
   1115 
   1116 			if (*dest_len < dest_maxlen)
   1117 				goto start; /* fragment was too small */
   1118 			}
   1119 		}
   1120 
   1121 	/* s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
   1122 	 * s->s3->alert_fragment_len == 2      iff  rr->type == SSL3_RT_ALERT.
   1123 	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
   1124 
   1125 	/* If we are a client, check for an incoming 'Hello Request': */
   1126 	if ((!s->server) &&
   1127 		(s->s3->handshake_fragment_len >= 4) &&
   1128 		(s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
   1129 		(s->session != NULL) && (s->session->cipher != NULL))
   1130 		{
   1131 		s->s3->handshake_fragment_len = 0;
   1132 
   1133 		if ((s->s3->handshake_fragment[1] != 0) ||
   1134 			(s->s3->handshake_fragment[2] != 0) ||
   1135 			(s->s3->handshake_fragment[3] != 0))
   1136 			{
   1137 			al=SSL_AD_DECODE_ERROR;
   1138 			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
   1139 			goto f_err;
   1140 			}
   1141 
   1142 		if (s->msg_callback)
   1143 			s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
   1144 
   1145 		if (SSL_is_init_finished(s) &&
   1146 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
   1147 			!s->s3->renegotiate)
   1148 			{
   1149 			ssl3_renegotiate(s);
   1150 			if (ssl3_renegotiate_check(s))
   1151 				{
   1152 				i=s->handshake_func(s);
   1153 				if (i < 0) return(i);
   1154 				if (i == 0)
   1155 					{
   1156 					SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
   1157 					return(-1);
   1158 					}
   1159 
   1160 				if (!(s->mode & SSL_MODE_AUTO_RETRY))
   1161 					{
   1162 					if (s->s3->rbuf.left == 0) /* no read-ahead left? */
   1163 						{
   1164 						BIO *bio;
   1165 						/* In the case where we try to read application data,
   1166 						 * but we trigger an SSL handshake, we return -1 with
   1167 						 * the retry option set.  Otherwise renegotiation may
   1168 						 * cause nasty problems in the blocking world */
   1169 						s->rwstate=SSL_READING;
   1170 						bio=SSL_get_rbio(s);
   1171 						BIO_clear_retry_flags(bio);
   1172 						BIO_set_retry_read(bio);
   1173 						return(-1);
   1174 						}
   1175 					}
   1176 				}
   1177 			}
   1178 		/* we either finished a handshake or ignored the request,
   1179 		 * now try again to obtain the (application) data we were asked for */
   1180 		goto start;
   1181 		}
   1182 	/* If we are a server and get a client hello when renegotiation isn't
   1183 	 * allowed send back a no renegotiation alert and carry on.
   1184 	 * WARNING: experimental code, needs reviewing (steve)
   1185 	 */
   1186 	if (s->server &&
   1187 		SSL_is_init_finished(s) &&
   1188     		!s->s3->send_connection_binding &&
   1189 		(s->version > SSL3_VERSION) &&
   1190 		(s->s3->handshake_fragment_len >= 4) &&
   1191 		(s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
   1192 		(s->session != NULL) && (s->session->cipher != NULL) &&
   1193 		!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
   1194 
   1195 		{
   1196 		/*s->s3->handshake_fragment_len = 0;*/
   1197 		rr->length = 0;
   1198 		ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
   1199 		goto start;
   1200 		}
   1201 	if (s->s3->alert_fragment_len >= 2)
   1202 		{
   1203 		int alert_level = s->s3->alert_fragment[0];
   1204 		int alert_descr = s->s3->alert_fragment[1];
   1205 
   1206 		s->s3->alert_fragment_len = 0;
   1207 
   1208 		if (s->msg_callback)
   1209 			s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
   1210 
   1211 		if (s->info_callback != NULL)
   1212 			cb=s->info_callback;
   1213 		else if (s->ctx->info_callback != NULL)
   1214 			cb=s->ctx->info_callback;
   1215 
   1216 		if (cb != NULL)
   1217 			{
   1218 			j = (alert_level << 8) | alert_descr;
   1219 			cb(s, SSL_CB_READ_ALERT, j);
   1220 			}
   1221 
   1222 		if (alert_level == 1) /* warning */
   1223 			{
   1224 			s->s3->warn_alert = alert_descr;
   1225 			if (alert_descr == SSL_AD_CLOSE_NOTIFY)
   1226 				{
   1227 				s->shutdown |= SSL_RECEIVED_SHUTDOWN;
   1228 				return(0);
   1229 				}
   1230 			/* This is a warning but we receive it if we requested
   1231 			 * renegotiation and the peer denied it. Terminate with
   1232 			 * a fatal alert because if application tried to
   1233 			 * renegotiatie it presumably had a good reason and
   1234 			 * expects it to succeed.
   1235 			 *
   1236 			 * In future we might have a renegotiation where we
   1237 			 * don't care if the peer refused it where we carry on.
   1238 			 */
   1239 			else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
   1240 				{
   1241 				al = SSL_AD_HANDSHAKE_FAILURE;
   1242 				SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
   1243 				goto f_err;
   1244 				}
   1245 #ifdef SSL_AD_MISSING_SRP_USERNAME
   1246 			else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
   1247 				return(0);
   1248 #endif
   1249 			}
   1250 		else if (alert_level == 2) /* fatal */
   1251 			{
   1252 			char tmp[16];
   1253 
   1254 			s->rwstate=SSL_NOTHING;
   1255 			s->s3->fatal_alert = alert_descr;
   1256 			SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
   1257 			BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
   1258 			ERR_add_error_data(2,"SSL alert number ",tmp);
   1259 			s->shutdown|=SSL_RECEIVED_SHUTDOWN;
   1260 			SSL_CTX_remove_session(s->ctx,s->session);
   1261 			return(0);
   1262 			}
   1263 		else
   1264 			{
   1265 			al=SSL_AD_ILLEGAL_PARAMETER;
   1266 			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
   1267 			goto f_err;
   1268 			}
   1269 
   1270 		goto start;
   1271 		}
   1272 
   1273 	if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
   1274 		{
   1275 		s->rwstate=SSL_NOTHING;
   1276 		rr->length=0;
   1277 		return(0);
   1278 		}
   1279 
   1280 	if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
   1281 		{
   1282 		/* 'Change Cipher Spec' is just a single byte, so we know
   1283 		 * exactly what the record payload has to look like */
   1284 		if (	(rr->length != 1) || (rr->off != 0) ||
   1285 			(rr->data[0] != SSL3_MT_CCS))
   1286 			{
   1287 			al=SSL_AD_ILLEGAL_PARAMETER;
   1288 			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
   1289 			goto f_err;
   1290 			}
   1291 
   1292 		/* Check we have a cipher to change to */
   1293 		if (s->s3->tmp.new_cipher == NULL)
   1294 			{
   1295 			al=SSL_AD_UNEXPECTED_MESSAGE;
   1296 			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
   1297 			goto f_err;
   1298 			}
   1299 
   1300 		if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
   1301 			{
   1302 			al=SSL_AD_UNEXPECTED_MESSAGE;
   1303 			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_CCS);
   1304 			goto f_err;
   1305 			}
   1306 
   1307 		rr->length=0;
   1308 
   1309 		if (s->msg_callback)
   1310 			s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
   1311 
   1312 		s->s3->change_cipher_spec=1;
   1313 		if (!ssl3_do_change_cipher_spec(s))
   1314 			goto err;
   1315 		else
   1316 			goto start;
   1317 		}
   1318 
   1319 	/* Unexpected handshake message (Client Hello, or protocol violation) */
   1320 	if ((s->s3->handshake_fragment_len >= 4) &&	!s->in_handshake)
   1321 		{
   1322 		if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
   1323 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
   1324 			{
   1325 #if 0 /* worked only because C operator preferences are not as expected (and
   1326        * because this is not really needed for clients except for detecting
   1327        * protocol violations): */
   1328 			s->state=SSL_ST_BEFORE|(s->server)
   1329 				?SSL_ST_ACCEPT
   1330 				:SSL_ST_CONNECT;
   1331 #else
   1332 			s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
   1333 #endif
   1334 			s->renegotiate=1;
   1335 			s->new_session=1;
   1336 			}
   1337 		i=s->handshake_func(s);
   1338 		if (i < 0) return(i);
   1339 		if (i == 0)
   1340 			{
   1341 			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
   1342 			return(-1);
   1343 			}
   1344 
   1345 		if (!(s->mode & SSL_MODE_AUTO_RETRY))
   1346 			{
   1347 			if (s->s3->rbuf.left == 0) /* no read-ahead left? */
   1348 				{
   1349 				BIO *bio;
   1350 				/* In the case where we try to read application data,
   1351 				 * but we trigger an SSL handshake, we return -1 with
   1352 				 * the retry option set.  Otherwise renegotiation may
   1353 				 * cause nasty problems in the blocking world */
   1354 				s->rwstate=SSL_READING;
   1355 				bio=SSL_get_rbio(s);
   1356 				BIO_clear_retry_flags(bio);
   1357 				BIO_set_retry_read(bio);
   1358 				return(-1);
   1359 				}
   1360 			}
   1361 		goto start;
   1362 		}
   1363 
   1364 	switch (rr->type)
   1365 		{
   1366 	default:
   1367 #ifndef OPENSSL_NO_TLS
   1368 		/* TLS up to v1.1 just ignores unknown message types:
   1369 		 * TLS v1.2 give an unexpected message alert.
   1370 		 */
   1371 		if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION)
   1372 			{
   1373 			rr->length = 0;
   1374 			goto start;
   1375 			}
   1376 #endif
   1377 		al=SSL_AD_UNEXPECTED_MESSAGE;
   1378 		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
   1379 		goto f_err;
   1380 	case SSL3_RT_CHANGE_CIPHER_SPEC:
   1381 	case SSL3_RT_ALERT:
   1382 	case SSL3_RT_HANDSHAKE:
   1383 		/* we already handled all of these, with the possible exception
   1384 		 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
   1385 		 * should not happen when type != rr->type */
   1386 		al=SSL_AD_UNEXPECTED_MESSAGE;
   1387 		SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
   1388 		goto f_err;
   1389 	case SSL3_RT_APPLICATION_DATA:
   1390 		/* At this point, we were expecting handshake data,
   1391 		 * but have application data.  If the library was
   1392 		 * running inside ssl3_read() (i.e. in_read_app_data
   1393 		 * is set) and it makes sense to read application data
   1394 		 * at this point (session renegotiation not yet started),
   1395 		 * we will indulge it.
   1396 		 */
   1397 		if (s->s3->in_read_app_data &&
   1398 			(s->s3->total_renegotiations != 0) &&
   1399 			((
   1400 				(s->state & SSL_ST_CONNECT) &&
   1401 				(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
   1402 				(s->state <= SSL3_ST_CR_SRVR_HELLO_A)
   1403 				) || (
   1404 					(s->state & SSL_ST_ACCEPT) &&
   1405 					(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
   1406 					(s->state >= SSL3_ST_SR_CLNT_HELLO_A)
   1407 					)
   1408 				))
   1409 			{
   1410 			s->s3->in_read_app_data=2;
   1411 			return(-1);
   1412 			}
   1413 		else
   1414 			{
   1415 			al=SSL_AD_UNEXPECTED_MESSAGE;
   1416 			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
   1417 			goto f_err;
   1418 			}
   1419 		}
   1420 	/* not reached */
   1421 
   1422 f_err:
   1423 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
   1424 err:
   1425 	return(-1);
   1426 	}
   1427 
   1428 int ssl3_do_change_cipher_spec(SSL *s)
   1429 	{
   1430 	int i;
   1431 	const char *sender;
   1432 	int slen;
   1433 
   1434 	if (s->state & SSL_ST_ACCEPT)
   1435 		i=SSL3_CHANGE_CIPHER_SERVER_READ;
   1436 	else
   1437 		i=SSL3_CHANGE_CIPHER_CLIENT_READ;
   1438 
   1439 	if (s->s3->tmp.key_block == NULL)
   1440 		{
   1441 		if (s->session->master_key_length == 0)
   1442 			{
   1443 			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_UNEXPECTED_CCS);
   1444 			return (0);
   1445 			}
   1446 		if (s->session == NULL)
   1447 			{
   1448 			/* might happen if dtls1_read_bytes() calls this */
   1449 			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
   1450 			return (0);
   1451 			}
   1452 
   1453 		s->session->cipher=s->s3->tmp.new_cipher;
   1454 		if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
   1455 		}
   1456 
   1457 	if (!s->method->ssl3_enc->change_cipher_state(s,i))
   1458 		return(0);
   1459 
   1460 	/* we have to record the message digest at
   1461 	 * this point so we can get it before we read
   1462 	 * the finished message */
   1463 	if (s->state & SSL_ST_CONNECT)
   1464 		{
   1465 		sender=s->method->ssl3_enc->server_finished_label;
   1466 		slen=s->method->ssl3_enc->server_finished_label_len;
   1467 		}
   1468 	else
   1469 		{
   1470 		sender=s->method->ssl3_enc->client_finished_label;
   1471 		slen=s->method->ssl3_enc->client_finished_label_len;
   1472 		}
   1473 
   1474 	s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
   1475 		sender,slen,s->s3->tmp.peer_finish_md);
   1476 
   1477 	return(1);
   1478 	}
   1479 
   1480 int ssl3_send_alert(SSL *s, int level, int desc)
   1481 	{
   1482 	/* Map tls/ssl alert value to correct one */
   1483 	desc=s->method->ssl3_enc->alert_value(desc);
   1484 	if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
   1485 		desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
   1486 	if (desc < 0) return -1;
   1487 	/* If a fatal one, remove from cache */
   1488 	if ((level == 2) && (s->session != NULL))
   1489 		SSL_CTX_remove_session(s->ctx,s->session);
   1490 
   1491 	s->s3->alert_dispatch=1;
   1492 	s->s3->send_alert[0]=level;
   1493 	s->s3->send_alert[1]=desc;
   1494 	if (s->s3->wbuf.left == 0) /* data still being written out? */
   1495 		return s->method->ssl_dispatch_alert(s);
   1496 	/* else data is still being written out, we will get written
   1497 	 * some time in the future */
   1498 	return -1;
   1499 	}
   1500 
   1501 int ssl3_dispatch_alert(SSL *s)
   1502 	{
   1503 	int i,j;
   1504 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
   1505 
   1506 	s->s3->alert_dispatch=0;
   1507 	i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
   1508 	if (i <= 0)
   1509 		{
   1510 		s->s3->alert_dispatch=1;
   1511 		}
   1512 	else
   1513 		{
   1514 		/* Alert sent to BIO.  If it is important, flush it now.
   1515 		 * If the message does not get sent due to non-blocking IO,
   1516 		 * we will not worry too much. */
   1517 		if (s->s3->send_alert[0] == SSL3_AL_FATAL)
   1518 			(void)BIO_flush(s->wbio);
   1519 
   1520 		if (s->msg_callback)
   1521 			s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
   1522 
   1523 		if (s->info_callback != NULL)
   1524 			cb=s->info_callback;
   1525 		else if (s->ctx->info_callback != NULL)
   1526 			cb=s->ctx->info_callback;
   1527 
   1528 		if (cb != NULL)
   1529 			{
   1530 			j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
   1531 			cb(s,SSL_CB_WRITE_ALERT,j);
   1532 			}
   1533 		}
   1534 	return(i);
   1535 	}
   1536