Remove NOPROTO definitions and error code comments.
[openssl.git] / ssl / s3_pkt.c
1 /* ssl/s3_pkt.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #include <stdio.h>
60 #include <errno.h>
61 #define USE_SOCKETS
62 #include <openssl/evp.h>
63 #include <openssl/buffer.h>
64 #include "ssl_locl.h"
65
66 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
67                          unsigned int len);
68 static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
69                               unsigned int len);
70 static int ssl3_get_record(SSL *s);
71 static int do_compress(SSL *ssl);
72 static int do_uncompress(SSL *ssl);
73 static int do_change_cipher_spec(SSL *ssl);
74 static int ssl3_read_n(SSL *s, int n, int max, int extend)
75         {
76         int i,off,newb;
77
78         /* if there is stuff still in the buffer from a previous read,
79          * and there is more than we want, take some. */
80         if (s->s3->rbuf.left >= (int)n)
81                 {
82                 if (extend)
83                         s->packet_length+=n;
84                 else
85                         {
86                         s->packet= &(s->s3->rbuf.buf[s->s3->rbuf.offset]);
87                         s->packet_length=n;
88                         }
89                 s->s3->rbuf.left-=n;
90                 s->s3->rbuf.offset+=n;
91                 return(n);
92                 }
93
94         /* else we need to read more data */
95         if (!s->read_ahead) max=n;
96         if (max > SSL3_RT_MAX_PACKET_SIZE)
97                 max=SSL3_RT_MAX_PACKET_SIZE;
98
99         /* First check if there is some left or we want to extend */
100         off=0;
101         if (    (s->s3->rbuf.left != 0) ||
102                 ((s->packet_length != 0) && extend))
103                 {
104                 newb=s->s3->rbuf.left;
105                 if (extend)
106                         {
107                         /* Copy bytes back to the front of the buffer 
108                          * Take the bytes already pointed to by 'packet'
109                          * and take the extra ones on the end. */
110                         off=s->packet_length;
111                         if (s->packet != s->s3->rbuf.buf)
112                                 memcpy(s->s3->rbuf.buf,s->packet,newb+off);
113                         }
114                 else if (s->s3->rbuf.offset != 0)
115                         { /* so the data is not at the start of the buffer */
116                         memcpy(s->s3->rbuf.buf,
117                                 &(s->s3->rbuf.buf[s->s3->rbuf.offset]),newb);
118                         s->s3->rbuf.offset=0;
119                         }
120
121                 s->s3->rbuf.left=0;
122                 }
123         else
124                 newb=0;
125
126         /* So we now have 'newb' bytes at the front of 
127          * s->s3->rbuf.buf and need to read some more in on the end
128          * We start reading into the buffer at 's->s3->rbuf.offset'
129          */
130         s->packet=s->s3->rbuf.buf;
131
132         while (newb < n)
133                 {
134                 clear_sys_error();
135                 if (s->rbio != NULL)
136                         {
137                         s->rwstate=SSL_READING;
138                         i=BIO_read(s->rbio,
139                                 (char *)&(s->s3->rbuf.buf[off+newb]),
140                                 max-newb);
141                         }
142                 else
143                         {
144                         SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
145                         i= -1;
146                         }
147
148                 if (i <= 0)
149                         {
150                         s->s3->rbuf.left+=newb;
151                         return(i);
152                         }
153                 newb+=i;
154                 }
155
156         /* record used data read */
157         if (newb > n)
158                 {
159                 s->s3->rbuf.offset=n+off;
160                 s->s3->rbuf.left=newb-n;
161                 }
162         else
163                 {
164                 s->s3->rbuf.offset=0;
165                 s->s3->rbuf.left=0;
166                 }
167
168         if (extend)
169                 s->packet_length+=n;
170         else
171                 s->packet_length+=n;
172         return(n);
173         }
174
175 /* Call this to get a new input record.
176  * It will return <= 0 if more data is needed, normally due to an error
177  * or non-blocking IO.
178  * When it finishes, one packet has been decoded and can be found in
179  * ssl->s3->rrec.type   - is the type of record
180  * ssl->s3->rrec.data,  - data
181  * ssl->s3->rrec.length, - number of bytes
182  */
183 static int ssl3_get_record(SSL *s)
184         {
185         int ssl_major,ssl_minor,al;
186         int n,i,ret= -1;
187         SSL3_BUFFER *rb;
188         SSL3_RECORD *rr;
189         SSL_SESSION *sess;
190         unsigned char *p;
191         unsigned char md[EVP_MAX_MD_SIZE];
192         short version;
193         unsigned int mac_size;
194         int clear=0,extra;
195
196         rr= &(s->s3->rrec);
197         rb= &(s->s3->rbuf);
198         sess=s->session;
199
200         if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
201                 extra=SSL3_RT_MAX_EXTRA;
202         else
203                 extra=0;
204
205 again:
206         /* check if we have the header */
207         if (    (s->rstate != SSL_ST_READ_BODY) ||
208                 (s->packet_length < SSL3_RT_HEADER_LENGTH)) 
209                 {
210                 n=ssl3_read_n(s,SSL3_RT_HEADER_LENGTH,
211                         SSL3_RT_MAX_PACKET_SIZE,0);
212                 if (n <= 0) return(n); /* error or non-blocking */
213                 s->rstate=SSL_ST_READ_BODY;
214
215                 p=s->packet;
216
217                 /* Pull apart the header into the SSL3_RECORD */
218                 rr->type= *(p++);
219                 ssl_major= *(p++);
220                 ssl_minor= *(p++);
221                 version=(ssl_major<<8)|ssl_minor;
222                 n2s(p,rr->length);
223
224                 /* Lets check version */
225                 if (s->first_packet)
226                         {
227                         s->first_packet=0;
228                         }
229                 else
230                         {
231                         if (version != s->version)
232                                 {
233                                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
234                                 /* Send back error using their
235                                  * version number :-) */
236                                 s->version=version;
237                                 al=SSL_AD_PROTOCOL_VERSION;
238                                 goto f_err;
239                                 }
240                         }
241
242                 if ((version>>8) != SSL3_VERSION_MAJOR)
243                         {
244                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
245                         goto err;
246                         }
247
248                 if (rr->length > 
249                         (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
250                         {
251                         al=SSL_AD_RECORD_OVERFLOW;
252                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
253                         goto f_err;
254                         }
255
256                 s->rstate=SSL_ST_READ_BODY;
257                 }
258
259         /* get and decode the data */
260         if (s->rstate == SSL_ST_READ_BODY)
261                 {
262                 if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH))
263                         {
264                         i=rr->length;
265                         /*-(s->packet_length-SSL3_RT_HEADER_LENGTH); */
266                         n=ssl3_read_n(s,i,i,1);
267                         if (n <= 0) return(n); /* error or non-blocking io */
268                         }
269                 s->rstate=SSL_ST_READ_HEADER;
270                 }
271
272         /* At this point, we have the data in s->packet and there should be
273          * s->packet_length bytes, we must not 'overrun' this buffer :-)
274          * One of the following functions will copy the data from the
275          * s->packet buffer */
276
277         rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
278
279         /* ok, we can now read from 's->packet' data into 'rr'
280          * rr->input points at rr->length bytes, which
281          * need to be copied into rr->data by either
282          * the decryption or by the decompression
283          * When the data is 'copied' into the rr->data buffer,
284          * rr->input will be pointed at the new buffer */ 
285
286         /* Set the state for the following operations */
287         s->rstate=SSL_ST_READ_HEADER;
288
289         /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
290          * rr->length bytes of encrypted compressed stuff. */
291
292         /* check is not needed I belive */
293         if (rr->length > (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
294                 {
295                 al=SSL_AD_RECORD_OVERFLOW;
296                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
297                 goto f_err;
298                 }
299
300         /* decrypt in place in 'rr->input' */
301         rr->data=rr->input;
302
303         if (!s->method->ssl3_enc->enc(s,0))
304                 {
305                 al=SSL_AD_DECRYPT_ERROR;
306                 goto f_err;
307                 }
308 #ifdef TLS_DEBUG
309 printf("dec %d\n",rr->length);
310 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
311 printf("\n");
312 #endif
313         /* r->length is now the compressed data plus mac */
314         if (    (sess == NULL) ||
315                 (s->enc_read_ctx == NULL) ||
316                 (s->read_hash == NULL))
317                 clear=1;
318
319         if (!clear)
320                 {
321                 mac_size=EVP_MD_size(s->read_hash);
322
323                 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
324                         {
325                         al=SSL_AD_RECORD_OVERFLOW;
326                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
327                         goto f_err;
328                         }
329                 /* check MAC for rr->input' */
330                 if (rr->length < mac_size)
331                         {
332                         al=SSL_AD_DECODE_ERROR;
333                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
334                         goto f_err;
335                         }
336                 rr->length-=mac_size;
337                 i=s->method->ssl3_enc->mac(s,md,0);
338                 if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
339                         {
340                         al=SSL_AD_BAD_RECORD_MAC;
341                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_MAC_DECODE);
342                         ret= -1;
343                         goto f_err;
344                         }
345                 }
346
347         /* r->length is now just compressed */
348         if (s->expand != NULL)
349                 {
350                 if (rr->length > 
351                         (unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
352                         {
353                         al=SSL_AD_RECORD_OVERFLOW;
354                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
355                         goto f_err;
356                         }
357                 if (!do_uncompress(s))
358                         {
359                         al=SSL_AD_DECOMPRESSION_FAILURE;
360                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
361                         goto f_err;
362                         }
363                 }
364
365         if (rr->length > (unsigned int)SSL3_RT_MAX_PLAIN_LENGTH+extra)
366                 {
367                 al=SSL_AD_RECORD_OVERFLOW;
368                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
369                 goto f_err;
370                 }
371
372         rr->off=0;
373         /* So at this point the following is true
374          * ssl->s3->rrec.type   is the type of record
375          * ssl->s3->rrec.length == number of bytes in record
376          * ssl->s3->rrec.off    == offset to first valid byte
377          * ssl->s3->rrec.data   == where to take bytes from, increment
378          *                         after use :-).
379          */
380
381         /* we have pulled in a full packet so zero things */
382         s->packet_length=0;
383
384         /* just read a 0 length packet */
385         if (rr->length == 0) goto again;
386
387         return(1);
388 f_err:
389         ssl3_send_alert(s,SSL3_AL_FATAL,al);
390 err:
391         return(ret);
392         }
393
394 static int do_uncompress(SSL *ssl)
395         {
396         int i;
397         SSL3_RECORD *rr;
398
399         rr= &(ssl->s3->rrec);
400         i=COMP_expand_block(ssl->expand,rr->comp,
401                 SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
402         if (i < 0)
403                 return(0);
404         else
405                 rr->length=i;
406         rr->data=rr->comp;
407
408         return(1);
409         }
410
411 static int do_compress(SSL *ssl)
412         {
413         int i;
414         SSL3_RECORD *wr;
415
416         wr= &(ssl->s3->wrec);
417         i=COMP_compress_block(ssl->compress,wr->data,
418                 SSL3_RT_MAX_COMPRESSED_LENGTH,
419                 wr->input,(int)wr->length);
420         if (i < 0)
421                 return(0);
422         else
423                 wr->length=i;
424
425         wr->input=wr->data;
426         return(1);
427         }
428
429 /* Call this to write data
430  * It will return <= 0 if not all data has been sent or non-blocking IO.
431  */
432 int ssl3_write_bytes(SSL *s, int type, const void *_buf, int len)
433         {
434         const unsigned char *buf=_buf;
435         unsigned int tot,n,nw;
436         int i;
437
438         s->rwstate=SSL_NOTHING;
439         tot=s->s3->wnum;
440         s->s3->wnum=0;
441
442         if (SSL_in_init(s) && !s->in_handshake)
443                 {
444                 i=s->handshake_func(s);
445                 if (i < 0) return(i);
446                 if (i == 0)
447                         {
448                         SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
449                         return(-1);
450                         }
451                 }
452
453         n=(len-tot);
454         for (;;)
455                 {
456                 if (n > SSL3_RT_MAX_PLAIN_LENGTH)
457                         nw=SSL3_RT_MAX_PLAIN_LENGTH;
458                 else
459                         nw=n;
460                         
461                 i=do_ssl3_write(s,type,&(buf[tot]),nw);
462                 if (i <= 0)
463                         {
464                         s->s3->wnum=tot;
465                         return(i);
466                         }
467
468                 if (type == SSL3_RT_HANDSHAKE)
469                         ssl3_finish_mac(s,&(buf[tot]),i);
470
471                 if (i == (int)n) return(tot+i);
472
473                 n-=i;
474                 tot+=i;
475                 }
476         }
477
478 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
479                          unsigned int len)
480         {
481         unsigned char *p,*plen;
482         int i,mac_size,clear=0;
483         SSL3_RECORD *wr;
484         SSL3_BUFFER *wb;
485         SSL_SESSION *sess;
486
487         /* first check is there is a SSL3_RECORD still being written
488          * out.  This will happen with non blocking IO */
489         if (s->s3->wbuf.left != 0)
490                 return(ssl3_write_pending(s,type,buf,len));
491
492         /* If we have an alert to send, lets send it */
493         if (s->s3->alert_dispatch)
494                 {
495                 i=ssl3_dispatch_alert(s);
496                 if (i <= 0)
497                         return(i);
498                 /* if it went, fall through and send more stuff */
499                 }
500
501         if (len <= 0) return(len);
502         
503         wr= &(s->s3->wrec);
504         wb= &(s->s3->wbuf);
505         sess=s->session;
506
507         if (    (sess == NULL) ||
508                 (s->enc_write_ctx == NULL) ||
509                 (s->write_hash == NULL))
510                 clear=1;
511
512         if (clear)
513                 mac_size=0;
514         else
515                 mac_size=EVP_MD_size(s->write_hash);
516
517         p=wb->buf;
518
519         /* write the header */
520         *(p++)=type&0xff;
521         wr->type=type;
522
523         *(p++)=(s->version>>8);
524         *(p++)=s->version&0xff;
525         
526         /* record where we are to write out packet length */
527         plen=p; 
528         p+=2;
529         
530         /* lets setup the record stuff. */
531         wr->data=p;
532         wr->length=(int)len;
533         wr->input=(unsigned char *)buf;
534
535         /* we now 'read' from wr->input, wr->length bytes into
536          * wr->data */
537
538         /* first we compress */
539         if (s->compress != NULL)
540                 {
541                 if (!do_compress(s))
542                         {
543                         SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
544                         goto err;
545                         }
546                 }
547         else
548                 {
549                 memcpy(wr->data,wr->input,wr->length);
550                 wr->input=wr->data;
551                 }
552
553         /* we should still have the output to wr->data and the input
554          * from wr->input.  Length should be wr->length.
555          * wr->data still points in the wb->buf */
556
557         if (mac_size != 0)
558                 {
559                 s->method->ssl3_enc->mac(s,&(p[wr->length]),1);
560                 wr->length+=mac_size;
561                 wr->input=p;
562                 wr->data=p;
563                 }
564
565         /* ssl3_enc can only have an error on read */
566         s->method->ssl3_enc->enc(s,1);
567
568         /* record length after mac and block padding */
569         s2n(wr->length,plen);
570
571         /* we should now have
572          * wr->data pointing to the encrypted data, which is
573          * wr->length long */
574         wr->type=type; /* not needed but helps for debugging */
575         wr->length+=SSL3_RT_HEADER_LENGTH;
576
577         /* Now lets setup wb */
578         wb->left=wr->length;
579         wb->offset=0;
580
581         s->s3->wpend_tot=len;
582         s->s3->wpend_buf=buf;
583         s->s3->wpend_type=type;
584         s->s3->wpend_ret=len;
585
586         /* we now just need to write the buffer */
587         return(ssl3_write_pending(s,type,buf,len));
588 err:
589         return(-1);
590         }
591
592 /* if s->s3->wbuf.left != 0, we need to call this */
593 static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
594                               unsigned int len)
595         {
596         int i;
597
598 /* XXXX */
599         if ((s->s3->wpend_tot > (int)len) || (s->s3->wpend_buf != buf)
600                 || (s->s3->wpend_type != type))
601                 {
602                 SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
603                 return(-1);
604                 }
605
606         for (;;)
607                 {
608                 clear_sys_error();
609                 if (s->wbio != NULL)
610                         {
611                         s->rwstate=SSL_WRITING;
612                         i=BIO_write(s->wbio,
613                                 (char *)&(s->s3->wbuf.buf[s->s3->wbuf.offset]),
614                                 (unsigned int)s->s3->wbuf.left);
615                         }
616                 else
617                         {
618                         SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
619                         i= -1;
620                         }
621                 if (i == s->s3->wbuf.left)
622                         {
623                         s->s3->wbuf.left=0;
624                         s->rwstate=SSL_NOTHING;
625                         return(s->s3->wpend_ret);
626                         }
627                 else if (i <= 0)
628                         return(i);
629                 s->s3->wbuf.offset+=i;
630                 s->s3->wbuf.left-=i;
631                 }
632         }
633
634 int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
635         {
636         int al,i,j,n,ret;
637         SSL3_RECORD *rr;
638         void (*cb)()=NULL;
639         BIO *bio;
640
641         if (s->s3->rbuf.buf == NULL) /* Not initialize yet */
642                 if (!ssl3_setup_buffers(s))
643                         return(-1);
644
645         if (!s->in_handshake && SSL_in_init(s))
646                 {
647                 i=s->handshake_func(s);
648                 if (i < 0) return(i);
649                 if (i == 0)
650                         {
651                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
652                         return(-1);
653                         }
654                 }
655 start:
656         s->rwstate=SSL_NOTHING;
657
658         /* s->s3->rrec.type     - is the type of record
659          * s->s3->rrec.data,    - data
660          * s->s3->rrec.off,     - ofset into 'data' for next read
661          * s->s3->rrec.length,  - number of bytes. */
662         rr= &(s->s3->rrec);
663
664         /* get new packet */
665         if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
666                 {
667                 ret=ssl3_get_record(s);
668                 if (ret <= 0) return(ret);
669                 }
670
671         /* we now have a packet which can be read and processed */
672
673         if (s->s3->change_cipher_spec && (rr->type != SSL3_RT_HANDSHAKE))
674                 {
675                 al=SSL_AD_UNEXPECTED_MESSAGE;
676                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
677                 goto err;
678                 }
679
680         /* If the other end has shutdown, throw anything we read away */
681         if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
682                 {
683                 rr->length=0;
684                 s->rwstate=SSL_NOTHING;
685                 return(0);
686                 }
687
688         /* Check for an incoming 'Client Request' message */
689         if ((rr->type == SSL3_RT_HANDSHAKE) && (rr->length == 4) &&
690                 (rr->data[0] == SSL3_MT_CLIENT_REQUEST) &&
691                 (s->session != NULL) && (s->session->cipher != NULL))
692                 {
693                 if ((rr->data[1] != 0) || (rr->data[2] != 0) ||
694                         (rr->data[3] != 0))
695                         {
696                         al=SSL_AD_DECODE_ERROR;
697                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CLIENT_REQUEST);
698                         goto err;
699                         }
700
701                 if (SSL_is_init_finished(s) &&
702                         !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
703                         !s->s3->renegotiate)
704                         {
705                         ssl3_renegotiate(s);
706                         if (ssl3_renegotiate_check(s))
707                                 {
708                                 n=s->handshake_func(s);
709                                 if (n < 0) return(n);
710                                 if (n == 0)
711                                         {
712                                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
713                                         return(-1);
714                                         }
715                                 }
716                         }
717                 rr->length=0;
718 /* ZZZ */       goto start;
719                 }
720
721         /* if it is not the type we want, or we have shutdown and want
722          * the peer shutdown */
723         if ((rr->type != type) || (s->shutdown & SSL_SENT_SHUTDOWN))
724                 {
725                 if (rr->type == SSL3_RT_ALERT)
726                         {
727                         if ((rr->length != 2) || (rr->off != 0))
728                                 {
729                                 al=SSL_AD_DECODE_ERROR;
730                                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_ALERT_RECORD);
731                                 goto f_err;
732                                 }
733
734                         i=rr->data[0];
735                         n=rr->data[1];
736
737                         /* clear from buffer */
738                         rr->length=0;
739
740                         if (s->info_callback != NULL)
741                                 cb=s->info_callback;
742                         else if (s->ctx->info_callback != NULL)
743                                 cb=s->ctx->info_callback;
744
745                         if (cb != NULL)
746                                 {
747                                 j=(i<<8)|n;
748                                 cb(s,SSL_CB_READ_ALERT,j);
749                                 }
750
751                         if (i == 1)
752                                 {
753                                 s->s3->warn_alert=n;
754                                 if (n == SSL_AD_CLOSE_NOTIFY)
755                                         {
756                                         s->shutdown|=SSL_RECEIVED_SHUTDOWN;
757                                         return(0);
758                                         }
759                                 }
760                         else if (i == 2)
761                                 {
762                                 char tmp[16];
763
764                                 s->rwstate=SSL_NOTHING;
765                                 s->s3->fatal_alert=n;
766                                 SSLerr(SSL_F_SSL3_READ_BYTES,
767                                         SSL_AD_REASON_OFFSET+n);
768                                 sprintf(tmp,"%d",n);
769                                 ERR_add_error_data(2,"SSL alert number ",tmp);
770                                 s->shutdown|=SSL_RECEIVED_SHUTDOWN;
771                                 SSL_CTX_remove_session(s->ctx,s->session);
772                                 return(0);
773                                 }
774                         else
775                                 {
776                                 al=SSL_AD_ILLEGAL_PARAMETER;
777                                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
778                                 goto f_err;
779                                 }
780
781                         rr->length=0;
782                         goto start;
783                         }
784
785                 if (s->shutdown & SSL_SENT_SHUTDOWN)
786                         {
787                         s->rwstate=SSL_NOTHING;
788                         rr->length=0;
789                         return(0);
790                         }
791
792                 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
793                         {
794                         if (    (rr->length != 1) || (rr->off != 0) ||
795                                 (rr->data[0] != SSL3_MT_CCS))
796                                 {
797                                 i=SSL_AD_ILLEGAL_PARAMETER;
798                                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
799                                 goto err;
800                                 }
801
802                         rr->length=0;
803                         s->s3->change_cipher_spec=1;
804                         if (!do_change_cipher_spec(s))
805                                 goto err;
806                         else
807                                 goto start;
808                         }
809
810                 /* else we have a handshake */
811                 if ((rr->type == SSL3_RT_HANDSHAKE) &&
812                         !s->in_handshake)
813                         {
814                         if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
815                                 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
816                                 {
817                                 s->state=SSL_ST_BEFORE|(s->server)
818                                                 ?SSL_ST_ACCEPT
819                                                 :SSL_ST_CONNECT;
820                                 s->new_session=1;
821                                 }
822                         n=s->handshake_func(s);
823                         if (n < 0) return(n);
824                         if (n == 0)
825                                 {
826                                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
827                                 return(-1);
828                                 }
829
830                         /* In the case where we try to read application data
831                          * the first time, but we trigger an SSL handshake, we
832                          * return -1 with the retry option set.  I do this
833                          * otherwise renegotiation can cause nasty problems 
834                          * in the non-blocking world */
835
836                         s->rwstate=SSL_READING;
837                         bio=SSL_get_rbio(s);
838                         BIO_clear_retry_flags(bio);
839                         BIO_set_retry_read(bio);
840                         return(-1);
841                         }
842
843                 switch (rr->type)
844                         {
845                 default:
846 #ifndef NO_TLS
847                         /* TLS just ignores unknown message types */
848                         if (s->version == TLS1_VERSION)
849                                 {
850                                 goto start;
851                                 }
852 #endif
853                 case SSL3_RT_CHANGE_CIPHER_SPEC:
854                 case SSL3_RT_ALERT:
855                 case SSL3_RT_HANDSHAKE:
856                         al=SSL_AD_UNEXPECTED_MESSAGE;
857                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
858                         goto f_err;
859                 case SSL3_RT_APPLICATION_DATA:
860                         /* At this point, we were expecting something else,
861                          * but have application data.  What we do is set the
862                          * error, and return -1.  On the way out, if the
863                          * library was running inside ssl3_read() and it makes
864                          * sense to read application data at this point, we
865                          * will indulge it.  This will mostly happen during
866                          * session renegotiation.
867                          */
868                         if (s->s3->in_read_app_data &&
869                                 (s->s3->total_renegotiations != 0) &&
870                                 ((
871                                   (s->state & SSL_ST_CONNECT) &&
872                                   (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
873                                   (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
874                                  ) || (
875                                   (s->state & SSL_ST_ACCEPT) &&
876                                   (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
877                                   (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
878                                  )
879                                 ))
880                                 {
881                                 s->s3->in_read_app_data=0;
882                                 return(-1);
883                                 }
884                         else
885                                 {
886                                 al=SSL_AD_UNEXPECTED_MESSAGE;
887                                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
888                                 goto f_err;
889                                 }
890                         }
891                 }
892
893         /* make sure that we are not getting application data when we
894          * are doing a handshake for the first time */
895         if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
896                 (s->enc_read_ctx == NULL))
897                 {
898                 al=SSL_AD_UNEXPECTED_MESSAGE;
899                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
900                 goto f_err;
901                 }
902
903         if (len <= 0) return(len);
904
905         if ((unsigned int)len > rr->length)
906                 n=rr->length;
907         else
908                 n=len;
909
910         memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
911         rr->length-=n;
912         rr->off+=n;
913         if (rr->length <= 0)
914                 {
915                 s->rstate=SSL_ST_READ_HEADER;
916                 rr->off=0;
917                 }
918
919         if (type == SSL3_RT_HANDSHAKE)
920                 ssl3_finish_mac(s,buf,n);
921         return(n);
922 f_err:
923         ssl3_send_alert(s,SSL3_AL_FATAL,al);
924 err:
925         return(-1);
926         }
927
928 static int do_change_cipher_spec(SSL *s)
929         {
930         int i;
931         unsigned char *sender;
932         int slen;
933
934         if (s->state & SSL_ST_ACCEPT)
935                 i=SSL3_CHANGE_CIPHER_SERVER_READ;
936         else
937                 i=SSL3_CHANGE_CIPHER_CLIENT_READ;
938
939         if (s->s3->tmp.key_block == NULL)
940                 {
941                 s->session->cipher=s->s3->tmp.new_cipher;
942                 if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
943                 }
944
945         if (!s->method->ssl3_enc->change_cipher_state(s,i))
946                 return(0);
947
948         /* we have to record the message digest at
949          * this point so we can get it before we read
950          * the finished message */
951         if (s->state & SSL_ST_CONNECT)
952                 {
953                 sender=s->method->ssl3_enc->server_finished;
954                 slen=s->method->ssl3_enc->server_finished_len;
955                 }
956         else
957                 {
958                 sender=s->method->ssl3_enc->client_finished;
959                 slen=s->method->ssl3_enc->client_finished_len;
960                 }
961
962         s->method->ssl3_enc->final_finish_mac(s,
963                 &(s->s3->finish_dgst1),
964                 &(s->s3->finish_dgst2),
965                 sender,slen,&(s->s3->tmp.finish_md[0]));
966
967         return(1);
968         }
969
970 int ssl3_do_write(SSL *s, int type)
971         {
972         int ret;
973
974         ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
975                              s->init_num);
976         if (ret == s->init_num)
977                 return(1);
978         if (ret < 0) return(-1);
979         s->init_off+=ret;
980         s->init_num-=ret;
981         return(0);
982         }
983
984 void ssl3_send_alert(SSL *s, int level, int desc)
985         {
986         /* Map tls/ssl alert value to correct one */
987         desc=s->method->ssl3_enc->alert_value(desc);
988         if (desc < 0) return;
989         /* If a fatal one, remove from cache */
990         if ((level == 2) && (s->session != NULL))
991                 SSL_CTX_remove_session(s->ctx,s->session);
992
993         s->s3->alert_dispatch=1;
994         s->s3->send_alert[0]=level;
995         s->s3->send_alert[1]=desc;
996         if (s->s3->wbuf.left == 0) /* data still being written out */
997                 ssl3_dispatch_alert(s);
998         /* else data is still being written out, we will get written
999          * some time in the future */
1000         }
1001
1002 int ssl3_dispatch_alert(SSL *s)
1003         {
1004         int i,j;
1005         void (*cb)()=NULL;
1006
1007         s->s3->alert_dispatch=0;
1008         i=do_ssl3_write(s,SSL3_RT_ALERT,&s->s3->send_alert[0],2);
1009         if (i <= 0)
1010                 {
1011                 s->s3->alert_dispatch=1;
1012                 }
1013         else
1014                 {
1015                 /* If it is important, send it now.  If the message
1016                  * does not get sent due to non-blocking IO, we will
1017                  * not worry too much. */
1018                 if (s->s3->send_alert[0] == SSL3_AL_FATAL)
1019                         BIO_flush(s->wbio);
1020
1021                 if (s->info_callback != NULL)
1022                         cb=s->info_callback;
1023                 else if (s->ctx->info_callback != NULL)
1024                         cb=s->ctx->info_callback;
1025                 
1026                 if (cb != NULL)
1027                         {
1028                         j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
1029                         cb(s,SSL_CB_WRITE_ALERT,j);
1030                         }
1031                 }
1032         return(i);
1033         }
1034