Fix source where indent will not be able to cope
[openssl.git] / ssl / s3_pkt.c
1 /* ssl/s3_pkt.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <limits.h>
114 #include <errno.h>
115 #define USE_SOCKETS
116 #include "ssl_locl.h"
117 #include <openssl/evp.h>
118 #include <openssl/buffer.h>
119 #include <openssl/rand.h>
120
121 #ifndef  EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
122 # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0
123 #endif
124
125 #if     defined(OPENSSL_SMALL_FOOTPRINT) || \
126         !(      defined(AES_ASM) &&     ( \
127                 defined(__x86_64)       || defined(__x86_64__)  || \
128                 defined(_M_AMD64)       || defined(_M_X64)      || \
129                 defined(__INTEL__)      ) \
130         )
131 # undef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
132 # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0
133 #endif
134
135 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
136                          unsigned int len, int create_empty_fragment);
137 static int ssl3_get_record(SSL *s);
138
139 int ssl3_read_n(SSL *s, int n, int max, int extend)
140         {
141         /* If extend == 0, obtain new n-byte packet; if extend == 1, increase
142          * packet by another n bytes.
143          * The packet will be in the sub-array of s->s3->rbuf.buf specified
144          * by s->packet and s->packet_length.
145          * (If s->read_ahead is set, 'max' bytes may be stored in rbuf
146          * [plus s->packet_length bytes if extend == 1].)
147          */
148         int i,len,left;
149         long align=0;
150         unsigned char *pkt;
151         SSL3_BUFFER *rb;
152
153         if (n <= 0) return n;
154
155         rb    = &(s->s3->rbuf);
156         if (rb->buf == NULL)
157                 if (!ssl3_setup_read_buffer(s))
158                         return -1;
159
160         left  = rb->left;
161 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
162         align = (long)rb->buf + SSL3_RT_HEADER_LENGTH;
163         align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
164 #endif
165
166         if (!extend)
167                 {
168                 /* start with empty packet ... */
169                 if (left == 0)
170                         rb->offset = align;
171                 else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH)
172                         {
173                         /* check if next packet length is large
174                          * enough to justify payload alignment... */
175                         pkt = rb->buf + rb->offset;
176                         if (pkt[0] == SSL3_RT_APPLICATION_DATA
177                             && (pkt[3]<<8|pkt[4]) >= 128)
178                                 {
179                                 /* Note that even if packet is corrupted
180                                  * and its length field is insane, we can
181                                  * only be led to wrong decision about
182                                  * whether memmove will occur or not.
183                                  * Header values has no effect on memmove
184                                  * arguments and therefore no buffer
185                                  * overrun can be triggered. */
186                                 memmove (rb->buf+align,pkt,left);
187                                 rb->offset = align;
188                                 }
189                         }
190                 s->packet = rb->buf + rb->offset;
191                 s->packet_length = 0;
192                 /* ... now we can act as if 'extend' was set */
193                 }
194
195         /* For DTLS/UDP reads should not span multiple packets
196          * because the read operation returns the whole packet
197          * at once (as long as it fits into the buffer). */
198         if (SSL_IS_DTLS(s))
199                 {
200                 if (left == 0 && extend)
201                         return 0;
202                 if (left > 0 && n > left)
203                         n = left;
204                 }
205
206         /* if there is enough in the buffer from a previous read, take some */
207         if (left >= n)
208                 {
209                 s->packet_length+=n;
210                 rb->left=left-n;
211                 rb->offset+=n;
212                 return(n);
213                 }
214
215         /* else we need to read more data */
216
217         len = s->packet_length;
218         pkt = rb->buf+align;
219         /* Move any available bytes to front of buffer:
220          * 'len' bytes already pointed to by 'packet',
221          * 'left' extra ones at the end */
222         if (s->packet != pkt) /* len > 0 */
223                 {
224                 memmove(pkt, s->packet, len+left);
225                 s->packet = pkt;
226                 rb->offset = len + align;
227                 }
228
229         if (n > (int)(rb->len - rb->offset)) /* does not happen */
230                 {
231                 SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
232                 return -1;
233                 }
234
235         if (!s->read_ahead)
236                 /* ignore max parameter */
237                 max = n;
238         else
239                 {
240                 if (max < n)
241                         max = n;
242                 if (max > (int)(rb->len - rb->offset))
243                         max = rb->len - rb->offset;
244                 }
245
246         while (left < n)
247                 {
248                 /* Now we have len+left bytes at the front of s->s3->rbuf.buf
249                  * and need to read in more until we have len+n (up to
250                  * len+max if possible) */
251
252                 clear_sys_error();
253                 if (s->rbio != NULL)
254                         {
255                         s->rwstate=SSL_READING;
256                         i=BIO_read(s->rbio,pkt+len+left, max-left);
257                         }
258                 else
259                         {
260                         SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
261                         i = -1;
262                         }
263
264                 if (i <= 0)
265                         {
266                         rb->left = left;
267                         if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
268                                 !SSL_IS_DTLS(s))
269                                 if (len+left == 0)
270                                         ssl3_release_read_buffer(s);
271                         return(i);
272                         }
273                 left+=i;
274                 /* reads should *never* span multiple packets for DTLS because
275                  * the underlying transport protocol is message oriented as opposed
276                  * to byte oriented as in the TLS case. */
277                 if (SSL_IS_DTLS(s))
278                         {
279                         if (n > left)
280                                 n = left; /* makes the while condition false */
281                         }
282                 }
283
284         /* done reading, now the book-keeping */
285         rb->offset += n;
286         rb->left = left - n;
287         s->packet_length += n;
288         s->rwstate=SSL_NOTHING;
289         return(n);
290         }
291
292 /* MAX_EMPTY_RECORDS defines the number of consecutive, empty records that will
293  * be processed per call to ssl3_get_record. Without this limit an attacker
294  * could send empty records at a faster rate than we can process and cause
295  * ssl3_get_record to loop forever. */
296 #define MAX_EMPTY_RECORDS 32
297
298 /*-
299  * Call this to get a new input record.
300  * It will return <= 0 if more data is needed, normally due to an error
301  * or non-blocking IO.
302  * When it finishes, one packet has been decoded and can be found in
303  * ssl->s3->rrec.type    - is the type of record
304  * ssl->s3->rrec.data,   - data
305  * ssl->s3->rrec.length, - number of bytes
306  */
307 /* used only by ssl3_read_bytes */
308 static int ssl3_get_record(SSL *s)
309         {
310         int ssl_major,ssl_minor,al;
311         int enc_err,n,i,ret= -1;
312         SSL3_RECORD *rr;
313         SSL_SESSION *sess;
314         unsigned char *p;
315         unsigned char md[EVP_MAX_MD_SIZE];
316         short version;
317         unsigned mac_size;
318         size_t extra;
319         unsigned empty_record_count = 0;
320
321         rr= &(s->s3->rrec);
322         sess=s->session;
323
324         if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
325                 extra=SSL3_RT_MAX_EXTRA;
326         else
327                 extra=0;
328         if (extra && !s->s3->init_extra)
329                 {
330                 /* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
331                  * set after ssl3_setup_buffers() was done */
332                 SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
333                 return -1;
334                 }
335
336 again:
337         /* check if we have the header */
338         if (    (s->rstate != SSL_ST_READ_BODY) ||
339                 (s->packet_length < SSL3_RT_HEADER_LENGTH)) 
340                 {
341                 n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
342                 if (n <= 0) return(n); /* error or non-blocking */
343                 s->rstate=SSL_ST_READ_BODY;
344
345                 p=s->packet;
346                 if (s->msg_callback)
347                         s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s, s->msg_callback_arg);
348
349                 /* Pull apart the header into the SSL3_RECORD */
350                 rr->type= *(p++);
351                 ssl_major= *(p++);
352                 ssl_minor= *(p++);
353                 version=(ssl_major<<8)|ssl_minor;
354                 n2s(p,rr->length);
355 #if 0
356 fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
357 #endif
358
359                 /* Lets check version */
360                 if (!s->first_packet)
361                         {
362                         if (version != s->version)
363                                 {
364                                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
365                                 if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
366                                         /* Send back error using their minor version number :-) */
367                                         s->version = (unsigned short)version;
368                                 al=SSL_AD_PROTOCOL_VERSION;
369                                 goto f_err;
370                                 }
371                         }
372
373                 if ((version>>8) != SSL3_VERSION_MAJOR)
374                         {
375                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
376                         goto err;
377                         }
378
379                 if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH)
380                         {
381                         al=SSL_AD_RECORD_OVERFLOW;
382                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
383                         goto f_err;
384                         }
385
386                 /* now s->rstate == SSL_ST_READ_BODY */
387                 }
388
389         /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
390
391         if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH)
392                 {
393                 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
394                 i=rr->length;
395                 n=ssl3_read_n(s,i,i,1);
396                 if (n <= 0) return(n); /* error or non-blocking io */
397                 /* now n == rr->length,
398                  * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
399                 }
400
401         s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
402
403         /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
404          * and we have that many bytes in s->packet
405          */
406         rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
407
408         /* ok, we can now read from 's->packet' data into 'rr'
409          * rr->input points at rr->length bytes, which
410          * need to be copied into rr->data by either
411          * the decryption or by the decompression
412          * When the data is 'copied' into the rr->data buffer,
413          * rr->input will be pointed at the new buffer */ 
414
415         /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
416          * rr->length bytes of encrypted compressed stuff. */
417
418         /* check is not needed I believe */
419         if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
420                 {
421                 al=SSL_AD_RECORD_OVERFLOW;
422                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
423                 goto f_err;
424                 }
425
426         /* decrypt in place in 'rr->input' */
427         rr->data=rr->input;
428         rr->orig_len=rr->length;
429         /* If in encrypt-then-mac mode calculate mac from encrypted record.
430          * All the details below are public so no timing details can leak.
431          */
432         if (SSL_USE_ETM(s) && s->read_hash)
433                 {
434                 unsigned char *mac;
435                 mac_size=EVP_MD_CTX_size(s->read_hash);
436                 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
437                 if (rr->length < mac_size)
438                         {
439                         al=SSL_AD_DECODE_ERROR;
440                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
441                         goto f_err;
442                         }
443                 rr->length -= mac_size;
444                 mac = rr->data + rr->length;
445                 i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
446                 if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
447                         {
448                         al=SSL_AD_BAD_RECORD_MAC;
449                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
450                         goto f_err;
451                         }
452                 }
453
454         enc_err = s->method->ssl3_enc->enc(s,0);
455         /*-
456          * enc_err is:
457          *    0: (in non-constant time) if the record is publically invalid.
458          *    1: if the padding is valid
459          *    -1: if the padding is invalid 
460          */
461         if (enc_err == 0)
462                 {
463                 al=SSL_AD_DECRYPTION_FAILED;
464                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
465                 goto f_err;
466                 }
467
468 #ifdef TLS_DEBUG
469 printf("dec %d\n",rr->length);
470 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
471 printf("\n");
472 #endif
473
474         /* r->length is now the compressed data plus mac */
475         if ((sess != NULL) &&
476             (s->enc_read_ctx != NULL) &&
477             (EVP_MD_CTX_md(s->read_hash) != NULL) && !SSL_USE_ETM(s))
478                 {
479                 /* s->read_hash != NULL => mac_size != -1 */
480                 unsigned char *mac = NULL;
481                 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
482                 mac_size=EVP_MD_CTX_size(s->read_hash);
483                 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
484
485                 /* orig_len is the length of the record before any padding was
486                  * removed. This is public information, as is the MAC in use,
487                  * therefore we can safely process the record in a different
488                  * amount of time if it's too short to possibly contain a MAC.
489                  */
490                 if (rr->orig_len < mac_size ||
491                     /* CBC records must have a padding length byte too. */
492                     (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
493                      rr->orig_len < mac_size+1))
494                         {
495                         al=SSL_AD_DECODE_ERROR;
496                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
497                         goto f_err;
498                         }
499
500                 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
501                         {
502                         /* We update the length so that the TLS header bytes
503                          * can be constructed correctly but we need to extract
504                          * the MAC in constant time from within the record,
505                          * without leaking the contents of the padding bytes.
506                          * */
507                         mac = mac_tmp;
508                         ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
509                         rr->length -= mac_size;
510                         }
511                 else
512                         {
513                         /* In this case there's no padding, so |rec->orig_len|
514                          * equals |rec->length| and we checked that there's
515                          * enough bytes for |mac_size| above. */
516                         rr->length -= mac_size;
517                         mac = &rr->data[rr->length];
518                         }
519
520                 i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
521                 if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
522                         enc_err = -1;
523                 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
524                         enc_err = -1;
525                 }
526
527         if (enc_err < 0)
528                 {
529                 /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
530                  * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
531                  * failure is directly visible from the ciphertext anyway,
532                  * we should not reveal which kind of error occurred -- this
533                  * might become visible to an attacker (e.g. via a logfile) */
534                 al=SSL_AD_BAD_RECORD_MAC;
535                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
536                 goto f_err;
537                 }
538
539         /* r->length is now just compressed */
540         if (s->expand != NULL)
541                 {
542                 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
543                         {
544                         al=SSL_AD_RECORD_OVERFLOW;
545                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
546                         goto f_err;
547                         }
548                 if (!ssl3_do_uncompress(s))
549                         {
550                         al=SSL_AD_DECOMPRESSION_FAILURE;
551                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
552                         goto f_err;
553                         }
554                 }
555
556         if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra)
557                 {
558                 al=SSL_AD_RECORD_OVERFLOW;
559                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
560                 goto f_err;
561                 }
562
563         rr->off=0;
564         /*-
565          * So at this point the following is true
566          * ssl->s3->rrec.type   is the type of record
567          * ssl->s3->rrec.length == number of bytes in record
568          * ssl->s3->rrec.off    == offset to first valid byte
569          * ssl->s3->rrec.data   == where to take bytes from, increment
570          *                         after use :-).
571          */
572
573         /* we have pulled in a full packet so zero things */
574         s->packet_length=0;
575
576         /* just read a 0 length packet */
577         if (rr->length == 0)
578                 {
579                 empty_record_count++;
580                 if (empty_record_count > MAX_EMPTY_RECORDS)
581                         {
582                         al=SSL_AD_UNEXPECTED_MESSAGE;
583                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_RECORD_TOO_SMALL);
584                         goto f_err;
585                         }
586                 goto again;
587                 }
588
589 #if 0
590 fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length);
591 #endif
592
593         return(1);
594
595 f_err:
596         ssl3_send_alert(s,SSL3_AL_FATAL,al);
597 err:
598         return(ret);
599         }
600
601 int ssl3_do_uncompress(SSL *ssl)
602         {
603 #ifndef OPENSSL_NO_COMP
604         int i;
605         SSL3_RECORD *rr;
606
607         rr= &(ssl->s3->rrec);
608         i=COMP_expand_block(ssl->expand,rr->comp,
609                 SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
610         if (i < 0)
611                 return(0);
612         else
613                 rr->length=i;
614         rr->data=rr->comp;
615 #endif
616         return(1);
617         }
618
619 int ssl3_do_compress(SSL *ssl)
620         {
621 #ifndef OPENSSL_NO_COMP
622         int i;
623         SSL3_RECORD *wr;
624
625         wr= &(ssl->s3->wrec);
626         i=COMP_compress_block(ssl->compress,wr->data,
627                 SSL3_RT_MAX_COMPRESSED_LENGTH,
628                 wr->input,(int)wr->length);
629         if (i < 0)
630                 return(0);
631         else
632                 wr->length=i;
633
634         wr->input=wr->data;
635 #endif
636         return(1);
637         }
638
639 /* Call this to write data in records of type 'type'
640  * It will return <= 0 if not all data has been sent or non-blocking IO.
641  */
642 int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
643         {
644         const unsigned char *buf=buf_;
645         int tot;
646         unsigned int n,nw;
647 #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
648         unsigned int max_send_fragment;
649 #endif
650         SSL3_BUFFER *wb=&(s->s3->wbuf);
651         int i;
652         unsigned int u_len = (unsigned int)len;
653
654         if (len < 0)
655                 {
656                 SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_NEGATIVE_LENGTH);
657                 return -1;
658                 }
659
660         s->rwstate=SSL_NOTHING;
661         OPENSSL_assert(s->s3->wnum <= INT_MAX);
662         tot=s->s3->wnum;
663         s->s3->wnum=0;
664
665         if (SSL_in_init(s) && !s->in_handshake)
666                 {
667                 i=s->handshake_func(s);
668                 if (i < 0) return(i);
669                 if (i == 0)
670                         {
671                         SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
672                         return -1;
673                         }
674                 }
675
676         /* ensure that if we end up with a smaller value of data to write 
677          * out than the the original len from a write which didn't complete 
678          * for non-blocking I/O and also somehow ended up avoiding 
679          * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
680          * it must never be possible to end up with (len-tot) as a large
681          * number that will then promptly send beyond the end of the users
682          * buffer ... so we trap and report the error in a way the user
683          * will notice
684          */
685         if (len < tot)
686                 {
687                 SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
688                 return(-1);
689                 }
690
691         /* first check if there is a SSL3_BUFFER still being written
692          * out.  This will happen with non blocking IO */
693         if (wb->left != 0)
694                 {
695                 i = ssl3_write_pending(s,type,&buf[tot],s->s3->wpend_tot);
696                 if (i<=0)
697                         {
698                         /* XXX should we ssl3_release_write_buffer if i<0? */
699                         s->s3->wnum=tot;
700                         return i;
701                         }
702                 tot += i;       /* this might be last fragment */
703                 }
704
705 #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
706         /*
707          * Depending on platform multi-block can deliver several *times*
708          * better performance. Downside is that it has to allocate
709          * jumbo buffer to accomodate up to 8 records, but the
710          * compromise is considered worthy.
711          */
712         if (type==SSL3_RT_APPLICATION_DATA &&
713             u_len >= 4*(max_send_fragment=s->max_send_fragment) &&
714             s->compress==NULL && s->msg_callback==NULL &&
715             !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) &&
716             EVP_CIPHER_flags(s->enc_write_ctx->cipher)&EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
717                 {
718                 unsigned char aad[13];
719                 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
720                 int packlen;
721
722                 /* minimize address aliasing conflicts */
723                 if ((max_send_fragment&0xfff) == 0)
724                         max_send_fragment -= 512;
725
726                 if (tot==0 || wb->buf==NULL)    /* allocate jumbo buffer */
727                         {
728                         ssl3_release_write_buffer(s);
729
730                         packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
731                                         EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE,
732                                         max_send_fragment,NULL);
733
734                         if (u_len >= 8*max_send_fragment)       packlen *= 8;
735                         else                            packlen *= 4;
736
737                         wb->buf=OPENSSL_malloc(packlen);
738                         wb->len=packlen;
739                         }
740                 else if (tot==len)              /* done? */
741                         {
742                         OPENSSL_free(wb->buf);  /* free jumbo buffer */
743                         wb->buf = NULL;
744                         return tot;
745                         }
746
747                 n=(len-tot);
748                 for (;;)
749                         {
750                         if (n < 4*max_send_fragment)
751                                 {
752                                 OPENSSL_free(wb->buf);  /* free jumbo buffer */
753                                 wb->buf = NULL;
754                                 break;
755                                 }
756
757                         if (s->s3->alert_dispatch)
758                                 {
759                                 i=s->method->ssl_dispatch_alert(s);
760                                 if (i <= 0)
761                                         {
762                                         s->s3->wnum=tot;
763                                         return i;
764                                         }
765                                 }
766
767                         if (n >= 8*max_send_fragment)
768                                 nw = max_send_fragment*(mb_param.interleave=8);
769                         else
770                                 nw = max_send_fragment*(mb_param.interleave=4);
771
772                         memcpy(aad,s->s3->write_sequence,8);
773                         aad[8]=type;
774                         aad[9]=(unsigned char)(s->version>>8);
775                         aad[10]=(unsigned char)(s->version);
776                         aad[11]=0;
777                         aad[12]=0;
778                         mb_param.out = NULL;
779                         mb_param.inp = aad;
780                         mb_param.len = nw;
781
782                         packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
783                                         EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
784                                         sizeof(mb_param),&mb_param);
785
786                         if (packlen<=0 || packlen>(int)wb->len) /* never happens */
787                                 {
788                                 OPENSSL_free(wb->buf);  /* free jumbo buffer */
789                                 wb->buf = NULL;
790                                 break;
791                                 }
792
793                         mb_param.out = wb->buf;
794                         mb_param.inp = &buf[tot];
795                         mb_param.len = nw;
796
797                         if (EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
798                                         EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
799                                         sizeof(mb_param),&mb_param)<=0)
800                                 return -1;
801
802                         s->s3->write_sequence[7] += mb_param.interleave;
803                         if (s->s3->write_sequence[7] < mb_param.interleave)
804                                 {
805                                 int j=6;
806                                 while (j>=0 && (++s->s3->write_sequence[j--])==0) ;
807                                 }
808
809                         wb->offset = 0;
810                         wb->left = packlen;
811
812                         s->s3->wpend_tot = nw;
813                         s->s3->wpend_buf = &buf[tot];
814                         s->s3->wpend_type= type;
815                         s->s3->wpend_ret = nw;
816
817                         i = ssl3_write_pending(s,type,&buf[tot],nw);
818                         if (i<=0)
819                                 {
820                                 if (i<0)
821                                         {
822                                         OPENSSL_free(wb->buf);
823                                         wb->buf = NULL;
824                                         }
825                                 s->s3->wnum=tot;
826                                 return i;
827                                 }
828                         if (i==(int)n)
829                                 {
830                                 OPENSSL_free(wb->buf);  /* free jumbo buffer */
831                                 wb->buf = NULL;
832                                 return tot+i;
833                                 }
834                         n-=i;
835                         tot+=i;
836                         }
837                 }
838         else
839 #endif
840         if (tot==len)           /* done? */
841                 {
842                 if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
843                         !SSL_IS_DTLS(s))
844                         ssl3_release_write_buffer(s);
845
846                 return tot;
847                 }
848
849
850         n=(len-tot);
851         for (;;)
852                 {
853                 if (n > s->max_send_fragment)
854                         nw=s->max_send_fragment;
855                 else
856                         nw=n;
857
858                 i=do_ssl3_write(s, type, &(buf[tot]), nw, 0);
859                 if (i <= 0)
860                         {
861                         /* XXX should we ssl3_release_write_buffer if i<0? */
862                         s->s3->wnum=tot;
863                         return i;
864                         }
865
866                 if ((i == (int)n) ||
867                         (type == SSL3_RT_APPLICATION_DATA &&
868                          (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
869                         {
870                         /* next chunk of data should get another prepended empty fragment
871                          * in ciphersuites with known-IV weakness: */
872                         s->s3->empty_fragment_done = 0;
873
874                         if ((i==(int)n) && s->mode & SSL_MODE_RELEASE_BUFFERS &&
875                                 !SSL_IS_DTLS(s))
876                                 ssl3_release_write_buffer(s);
877
878                         return tot+i;
879                         }
880
881                 n-=i;
882                 tot+=i;
883                 }
884         }
885
886 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
887                          unsigned int len, int create_empty_fragment)
888         {
889         unsigned char *p,*plen;
890         int i,mac_size,clear=0;
891         int prefix_len=0;
892         int eivlen;
893         long align=0;
894         SSL3_RECORD *wr;
895         SSL3_BUFFER *wb=&(s->s3->wbuf);
896         SSL_SESSION *sess;
897
898
899         /* first check if there is a SSL3_BUFFER still being written
900          * out.  This will happen with non blocking IO */
901         if (wb->left != 0)
902                 return(ssl3_write_pending(s,type,buf,len));
903
904         /* If we have an alert to send, lets send it */
905         if (s->s3->alert_dispatch)
906                 {
907                 i=s->method->ssl_dispatch_alert(s);
908                 if (i <= 0)
909                         return(i);
910                 /* if it went, fall through and send more stuff */
911                 }
912
913         if (wb->buf == NULL)
914                 if (!ssl3_setup_write_buffer(s))
915                         return -1;
916
917         if (len == 0 && !create_empty_fragment)
918                 return 0;
919
920         wr= &(s->s3->wrec);
921         sess=s->session;
922
923         if (    (sess == NULL) ||
924                 (s->enc_write_ctx == NULL) ||
925                 (EVP_MD_CTX_md(s->write_hash) == NULL))
926                 {
927 #if 1
928                 clear=s->enc_write_ctx?0:1;     /* must be AEAD cipher */
929 #else
930                 clear=1;
931 #endif
932                 mac_size=0;
933                 }
934         else
935                 {
936                 mac_size=EVP_MD_CTX_size(s->write_hash);
937                 if (mac_size < 0)
938                         goto err;
939                 }
940
941 #if 0 && !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
942         if (type==SSL3_RT_APPLICATION_DATA && s->compress==NULL &&
943             !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) &&
944             EVP_CIPHER_flags(s->enc_write_ctx->cipher)&EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
945                 do {
946                 unsigned char aad[13];
947                 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param = {NULL,aad,sizeof(aad),0};
948                 int packlen;
949
950                 memcpy(aad,s->s3->write_sequence,8);
951                 aad[8]=type;
952                 aad[9]=(unsigned char)(s->version>>8);
953                 aad[10]=(unsigned char)(s->version);
954                 aad[11]=(unsigned char)(len>>8);
955                 aad[12]=(unsigned char)len;
956                 packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
957                                 EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
958                                 sizeof(mb_param),&mb_param);
959
960                 if (packlen==0 || packlen > wb->len) break;
961
962                 mb_param.out = wb->buf;
963                 mb_param.inp = buf;
964                 mb_param.len = len;
965                 EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
966                                 EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
967                                 sizeof(mb_param),&mb_param);
968
969                 s->s3->write_sequence[7] += mb_param.interleave;
970                 if (s->s3->write_sequence[7] < mb_param.interleave)
971                         {
972                         int j=6;
973                         while (j>=0 && (++s->s3->write_sequence[j--])==0) ;
974                         }
975
976                 wb->offset=0;
977                 wb->left = packlen;
978
979                 /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
980                 s->s3->wpend_tot=len;
981                 s->s3->wpend_buf=buf;
982                 s->s3->wpend_type=type;
983                 s->s3->wpend_ret=len;
984
985                 /* we now just need to write the buffer */
986                 return ssl3_write_pending(s,type,buf,len);
987                 } while (0);
988 #endif
989
990         /* 'create_empty_fragment' is true only when this function calls itself */
991         if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done)
992                 {
993                 /* countermeasure against known-IV weakness in CBC ciphersuites
994                  * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
995
996                 if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
997                         {
998                         /* recursive function call with 'create_empty_fragment' set;
999                          * this prepares and buffers the data for an empty fragment
1000                          * (these 'prefix_len' bytes are sent out later
1001                          * together with the actual payload) */
1002                         prefix_len = do_ssl3_write(s, type, buf, 0, 1);
1003                         if (prefix_len <= 0)
1004                                 goto err;
1005
1006                         if (prefix_len >
1007                 (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD))
1008                                 {
1009                                 /* insufficient space */
1010                                 SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
1011                                 goto err;
1012                                 }
1013                         }
1014                 
1015                 s->s3->empty_fragment_done = 1;
1016                 }
1017
1018         if (create_empty_fragment)
1019                 {
1020 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
1021                 /* extra fragment would be couple of cipher blocks,
1022                  * which would be multiple of SSL3_ALIGN_PAYLOAD, so
1023                  * if we want to align the real payload, then we can
1024                  * just pretent we simply have two headers. */
1025                 align = (long)wb->buf + 2*SSL3_RT_HEADER_LENGTH;
1026                 align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
1027 #endif
1028                 p = wb->buf + align;
1029                 wb->offset  = align;
1030                 }
1031         else if (prefix_len)
1032                 {
1033                 p = wb->buf + wb->offset + prefix_len;
1034                 }
1035         else
1036                 {
1037 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
1038                 align = (long)wb->buf + SSL3_RT_HEADER_LENGTH;
1039                 align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
1040 #endif
1041                 p = wb->buf + align;
1042                 wb->offset  = align;
1043                 }
1044
1045         /* write the header */
1046
1047         *(p++)=type&0xff;
1048         wr->type=type;
1049
1050         *(p++)=(s->version>>8);
1051         /* Some servers hang if iniatial client hello is larger than 256
1052          * bytes and record version number > TLS 1.0
1053          */
1054         if (s->state == SSL3_ST_CW_CLNT_HELLO_B
1055                                 && !s->renegotiate
1056                                 && TLS1_get_version(s) > TLS1_VERSION)
1057                 *(p++) = 0x1;
1058         else
1059                 *(p++)=s->version&0xff;
1060
1061         /* field where we are to write out packet length */
1062         plen=p; 
1063         p+=2;
1064         /* Explicit IV length, block ciphers appropriate version flag */
1065         if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s))
1066                 {
1067                 int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
1068                 if (mode == EVP_CIPH_CBC_MODE)
1069                         {
1070                         eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
1071                         if (eivlen <= 1)
1072                                 eivlen = 0;
1073                         }
1074                 /* Need explicit part of IV for GCM mode */
1075                 else if (mode == EVP_CIPH_GCM_MODE)
1076                         eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
1077                 else
1078                         eivlen = 0;
1079                 }
1080         else 
1081                 eivlen = 0;
1082
1083         /* lets setup the record stuff. */
1084         wr->data=p + eivlen;
1085         wr->length=(int)len;
1086         wr->input=(unsigned char *)buf;
1087
1088         /* we now 'read' from wr->input, wr->length bytes into
1089          * wr->data */
1090
1091         /* first we compress */
1092         if (s->compress != NULL)
1093                 {
1094                 if (!ssl3_do_compress(s))
1095                         {
1096                         SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
1097                         goto err;
1098                         }
1099                 }
1100         else
1101                 {
1102                 memcpy(wr->data,wr->input,wr->length);
1103                 wr->input=wr->data;
1104                 }
1105
1106         /* we should still have the output to wr->data and the input
1107          * from wr->input.  Length should be wr->length.
1108          * wr->data still points in the wb->buf */
1109
1110         if (!SSL_USE_ETM(s) && mac_size != 0)
1111                 {
1112                 if (s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
1113                         goto err;
1114                 wr->length+=mac_size;
1115                 }
1116
1117         wr->input=p;
1118         wr->data=p;
1119
1120         if (eivlen)
1121                 {
1122         /*      if (RAND_pseudo_bytes(p, eivlen) <= 0)
1123                         goto err; */
1124                 wr->length += eivlen;
1125                 }
1126
1127         if(s->method->ssl3_enc->enc(s,1)<1) goto err;
1128
1129         if (SSL_USE_ETM(s) && mac_size != 0)
1130                 {
1131                 if (s->method->ssl3_enc->mac(s,p + wr->length,1) < 0)
1132                         goto err;
1133                 wr->length+=mac_size;
1134                 }
1135
1136         /* record length after mac and block padding */
1137         s2n(wr->length,plen);
1138
1139         if (s->msg_callback)
1140                 s->msg_callback(1, 0, SSL3_RT_HEADER, plen - 5, 5, s, s->msg_callback_arg);
1141
1142         /* we should now have
1143          * wr->data pointing to the encrypted data, which is
1144          * wr->length long */
1145         wr->type=type; /* not needed but helps for debugging */
1146         wr->length+=SSL3_RT_HEADER_LENGTH;
1147
1148         if (create_empty_fragment)
1149                 {
1150                 /* we are in a recursive call;
1151                  * just return the length, don't write out anything here
1152                  */
1153                 return wr->length;
1154                 }
1155
1156         /* now let's set up wb */
1157         wb->left = prefix_len + wr->length;
1158
1159         /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
1160         s->s3->wpend_tot=len;
1161         s->s3->wpend_buf=buf;
1162         s->s3->wpend_type=type;
1163         s->s3->wpend_ret=len;
1164
1165         /* we now just need to write the buffer */
1166         return ssl3_write_pending(s,type,buf,len);
1167 err:
1168         return -1;
1169         }
1170
1171 /* if s->s3->wbuf.left != 0, we need to call this */
1172 int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
1173         unsigned int len)
1174         {
1175         int i;
1176         SSL3_BUFFER *wb=&(s->s3->wbuf);
1177
1178 /* XXXX */
1179         if ((s->s3->wpend_tot > (int)len)
1180                 || ((s->s3->wpend_buf != buf) &&
1181                         !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
1182                 || (s->s3->wpend_type != type))
1183                 {
1184                 SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
1185                 return(-1);
1186                 }
1187
1188         for (;;)
1189                 {
1190                 clear_sys_error();
1191                 if (s->wbio != NULL)
1192                         {
1193                         s->rwstate=SSL_WRITING;
1194                         i=BIO_write(s->wbio,
1195                                 (char *)&(wb->buf[wb->offset]),
1196                                 (unsigned int)wb->left);
1197                         }
1198                 else
1199                         {
1200                         SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
1201                         i= -1;
1202                         }
1203                 if (i == wb->left)
1204                         {
1205                         wb->left=0;
1206                         wb->offset+=i;
1207                         s->rwstate=SSL_NOTHING;
1208                         return(s->s3->wpend_ret);
1209                         }
1210                 else if (i <= 0) {
1211                         if (s->version == DTLS1_VERSION ||
1212                             s->version == DTLS1_BAD_VER) {
1213                                 /* For DTLS, just drop it. That's kind of the whole
1214                                    point in using a datagram service */
1215                                 wb->left = 0;
1216                         }
1217                         return(i);
1218                 }
1219                 wb->offset+=i;
1220                 wb->left-=i;
1221                 }
1222         }
1223
1224 /*-
1225  * Return up to 'len' payload bytes received in 'type' records.
1226  * 'type' is one of the following:
1227  *
1228  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
1229  *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
1230  *   -  0 (during a shutdown, no data has to be returned)
1231  *
1232  * If we don't have stored data to work from, read a SSL/TLS record first
1233  * (possibly multiple records if we still don't have anything to return).
1234  *
1235  * This function must handle any surprises the peer may have for us, such as
1236  * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
1237  * a surprise, but handled as if it were), or renegotiation requests.
1238  * Also if record payloads contain fragments too small to process, we store
1239  * them until there is enough for the respective protocol (the record protocol
1240  * may use arbitrary fragmentation and even interleaving):
1241  *     Change cipher spec protocol
1242  *             just 1 byte needed, no need for keeping anything stored
1243  *     Alert protocol
1244  *             2 bytes needed (AlertLevel, AlertDescription)
1245  *     Handshake protocol
1246  *             4 bytes needed (HandshakeType, uint24 length) -- we just have
1247  *             to detect unexpected Client Hello and Hello Request messages
1248  *             here, anything else is handled by higher layers
1249  *     Application data protocol
1250  *             none of our business
1251  */
1252 int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1253         {
1254         int al,i,j,ret;
1255         unsigned int n;
1256         SSL3_RECORD *rr;
1257         void (*cb)(const SSL *ssl,int type2,int val)=NULL;
1258
1259         if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
1260                 if (!ssl3_setup_read_buffer(s))
1261                         return(-1);
1262
1263         if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE)) ||
1264             (peek && (type != SSL3_RT_APPLICATION_DATA)))
1265                 {
1266                 SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
1267                 return -1;
1268                 }
1269
1270         if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
1271                 /* (partially) satisfy request from storage */
1272                 {
1273                 unsigned char *src = s->s3->handshake_fragment;
1274                 unsigned char *dst = buf;
1275                 unsigned int k;
1276
1277                 /* peek == 0 */
1278                 n = 0;
1279                 while ((len > 0) && (s->s3->handshake_fragment_len > 0))
1280                         {
1281                         *dst++ = *src++;
1282                         len--; s->s3->handshake_fragment_len--;
1283                         n++;
1284                         }
1285                 /* move any remaining fragment bytes: */
1286                 for (k = 0; k < s->s3->handshake_fragment_len; k++)
1287                         s->s3->handshake_fragment[k] = *src++;
1288                 return n;
1289         }
1290
1291         /* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
1292
1293         if (!s->in_handshake && SSL_in_init(s))
1294                 {
1295                 /* type == SSL3_RT_APPLICATION_DATA */
1296                 i=s->handshake_func(s);
1297                 if (i < 0) return(i);
1298                 if (i == 0)
1299                         {
1300                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1301                         return(-1);
1302                         }
1303                 }
1304 start:
1305         s->rwstate=SSL_NOTHING;
1306
1307         /*-
1308          * s->s3->rrec.type         - is the type of record
1309          * s->s3->rrec.data,    - data
1310          * s->s3->rrec.off,     - offset into 'data' for next read
1311          * s->s3->rrec.length,  - number of bytes. 
1312          */
1313         rr = &(s->s3->rrec);
1314
1315         /* get new packet if necessary */
1316         if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
1317                 {
1318                 ret=ssl3_get_record(s);
1319                 if (ret <= 0) return(ret);
1320                 }
1321
1322         /* we now have a packet which can be read and processed */
1323
1324         if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
1325                                        * reset by ssl3_get_finished */
1326                 && (rr->type != SSL3_RT_HANDSHAKE))
1327                 {
1328                 al=SSL_AD_UNEXPECTED_MESSAGE;
1329                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
1330                 goto f_err;
1331                 }
1332
1333         /* If the other end has shut down, throw anything we read away
1334          * (even in 'peek' mode) */
1335         if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
1336                 {
1337                 rr->length=0;
1338                 s->rwstate=SSL_NOTHING;
1339                 return(0);
1340                 }
1341
1342
1343         if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
1344                 {
1345                 /* make sure that we are not getting application data when we
1346                  * are doing a handshake for the first time */
1347                 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
1348                         (s->enc_read_ctx == NULL))
1349                         {
1350                         al=SSL_AD_UNEXPECTED_MESSAGE;
1351                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
1352                         goto f_err;
1353                         }
1354
1355                 if (len <= 0) return(len);
1356
1357                 if ((unsigned int)len > rr->length)
1358                         n = rr->length;
1359                 else
1360                         n = (unsigned int)len;
1361
1362                 memcpy(buf,&(rr->data[rr->off]),n);
1363                 if (!peek)
1364                         {
1365                         rr->length-=n;
1366                         rr->off+=n;
1367                         if (rr->length == 0)
1368                                 {
1369                                 s->rstate=SSL_ST_READ_HEADER;
1370                                 rr->off=0;
1371                                 if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
1372                                         ssl3_release_read_buffer(s);
1373                                 }
1374                         }
1375                 return(n);
1376                 }
1377
1378
1379         /* If we get here, then type != rr->type; if we have a handshake
1380          * message, then it was unexpected (Hello Request or Client Hello). */
1381
1382         /* In case of record types for which we have 'fragment' storage,
1383          * fill that so that we can process the data at a fixed place.
1384          */
1385                 {
1386                 unsigned int dest_maxlen = 0;
1387                 unsigned char *dest = NULL;
1388                 unsigned int *dest_len = NULL;
1389
1390                 if (rr->type == SSL3_RT_HANDSHAKE)
1391                         {
1392                         dest_maxlen = sizeof s->s3->handshake_fragment;
1393                         dest = s->s3->handshake_fragment;
1394                         dest_len = &s->s3->handshake_fragment_len;
1395                         }
1396                 else if (rr->type == SSL3_RT_ALERT)
1397                         {
1398                         dest_maxlen = sizeof s->s3->alert_fragment;
1399                         dest = s->s3->alert_fragment;
1400                         dest_len = &s->s3->alert_fragment_len;
1401                         }
1402 #ifndef OPENSSL_NO_HEARTBEATS
1403                 else if (rr->type == TLS1_RT_HEARTBEAT)
1404                         {
1405                         tls1_process_heartbeat(s);
1406
1407                         /* Exit and notify application to read again */
1408                         rr->length = 0;
1409                         s->rwstate=SSL_READING;
1410                         BIO_clear_retry_flags(SSL_get_rbio(s));
1411                         BIO_set_retry_read(SSL_get_rbio(s));
1412                         return(-1);
1413                         }
1414 #endif
1415
1416                 if (dest_maxlen > 0)
1417                         {
1418                         n = dest_maxlen - *dest_len; /* available space in 'dest' */
1419                         if (rr->length < n)
1420                                 n = rr->length; /* available bytes */
1421
1422                         /* now move 'n' bytes: */
1423                         while (n-- > 0)
1424                                 {
1425                                 dest[(*dest_len)++] = rr->data[rr->off++];
1426                                 rr->length--;
1427                                 }
1428
1429                         if (*dest_len < dest_maxlen)
1430                                 goto start; /* fragment was too small */
1431                         }
1432                 }
1433
1434         /*-
1435          * s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
1436          * s->s3->alert_fragment_len == 2      iff  rr->type == SSL3_RT_ALERT.
1437          * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) 
1438          */
1439
1440         /* If we are a client, check for an incoming 'Hello Request': */
1441         if ((!s->server) &&
1442                 (s->s3->handshake_fragment_len >= 4) &&
1443                 (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
1444                 (s->session != NULL) && (s->session->cipher != NULL))
1445                 {
1446                 s->s3->handshake_fragment_len = 0;
1447
1448                 if ((s->s3->handshake_fragment[1] != 0) ||
1449                         (s->s3->handshake_fragment[2] != 0) ||
1450                         (s->s3->handshake_fragment[3] != 0))
1451                         {
1452                         al=SSL_AD_DECODE_ERROR;
1453                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
1454                         goto f_err;
1455                         }
1456
1457                 if (s->msg_callback)
1458                         s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
1459
1460                 if (SSL_is_init_finished(s) &&
1461                         !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
1462                         !s->s3->renegotiate)
1463                         {
1464                         ssl3_renegotiate(s);
1465                         if (ssl3_renegotiate_check(s))
1466                                 {
1467                                 i=s->handshake_func(s);
1468                                 if (i < 0) return(i);
1469                                 if (i == 0)
1470                                         {
1471                                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1472                                         return(-1);
1473                                         }
1474
1475                                 if (!(s->mode & SSL_MODE_AUTO_RETRY))
1476                                         {
1477                                         if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1478                                                 {
1479                                                 BIO *bio;
1480                                                 /* In the case where we try to read application data,
1481                                                  * but we trigger an SSL handshake, we return -1 with
1482                                                  * the retry option set.  Otherwise renegotiation may
1483                                                  * cause nasty problems in the blocking world */
1484                                                 s->rwstate=SSL_READING;
1485                                                 bio=SSL_get_rbio(s);
1486                                                 BIO_clear_retry_flags(bio);
1487                                                 BIO_set_retry_read(bio);
1488                                                 return(-1);
1489                                                 }
1490                                         }
1491                                 }
1492                         }
1493                 /* we either finished a handshake or ignored the request,
1494                  * now try again to obtain the (application) data we were asked for */
1495                 goto start;
1496                 }
1497         /* If we are a server and get a client hello when renegotiation isn't
1498          * allowed send back a no renegotiation alert and carry on.
1499          * WARNING: experimental code, needs reviewing (steve)
1500          */
1501         if (s->server &&
1502                 SSL_is_init_finished(s) &&
1503                 !s->s3->send_connection_binding &&
1504                 (s->version > SSL3_VERSION) &&
1505                 (s->s3->handshake_fragment_len >= 4) &&
1506                 (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
1507                 (s->session != NULL) && (s->session->cipher != NULL) &&
1508                 !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1509                 
1510                 {
1511                 /*s->s3->handshake_fragment_len = 0;*/
1512                 rr->length = 0;
1513                 ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
1514                 goto start;
1515                 }
1516         if (s->s3->alert_fragment_len >= 2)
1517                 {
1518                 int alert_level = s->s3->alert_fragment[0];
1519                 int alert_descr = s->s3->alert_fragment[1];
1520
1521                 s->s3->alert_fragment_len = 0;
1522
1523                 if (s->msg_callback)
1524                         s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
1525
1526                 if (s->info_callback != NULL)
1527                         cb=s->info_callback;
1528                 else if (s->ctx->info_callback != NULL)
1529                         cb=s->ctx->info_callback;
1530
1531                 if (cb != NULL)
1532                         {
1533                         j = (alert_level << 8) | alert_descr;
1534                         cb(s, SSL_CB_READ_ALERT, j);
1535                         }
1536
1537                 if (alert_level == 1) /* warning */
1538                         {
1539                         s->s3->warn_alert = alert_descr;
1540                         if (alert_descr == SSL_AD_CLOSE_NOTIFY)
1541                                 {
1542                                 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
1543                                 return(0);
1544                                 }
1545                         /* This is a warning but we receive it if we requested
1546                          * renegotiation and the peer denied it. Terminate with
1547                          * a fatal alert because if application tried to
1548                          * renegotiatie it presumably had a good reason and
1549                          * expects it to succeed.
1550                          *
1551                          * In future we might have a renegotiation where we
1552                          * don't care if the peer refused it where we carry on.
1553                          */
1554                         else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
1555                                 {
1556                                 al = SSL_AD_HANDSHAKE_FAILURE;
1557                                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
1558                                 goto f_err;
1559                                 }
1560 #ifdef SSL_AD_MISSING_SRP_USERNAME
1561                         else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
1562                                 return(0);
1563 #endif
1564                         }
1565                 else if (alert_level == 2) /* fatal */
1566                         {
1567                         char tmp[16];
1568
1569                         s->rwstate=SSL_NOTHING;
1570                         s->s3->fatal_alert = alert_descr;
1571                         SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
1572                         BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
1573                         ERR_add_error_data(2,"SSL alert number ",tmp);
1574                         s->shutdown|=SSL_RECEIVED_SHUTDOWN;
1575                         SSL_CTX_remove_session(s->ctx,s->session);
1576                         return(0);
1577                         }
1578                 else
1579                         {
1580                         al=SSL_AD_ILLEGAL_PARAMETER;
1581                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
1582                         goto f_err;
1583                         }
1584
1585                 goto start;
1586                 }
1587
1588         if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
1589                 {
1590                 s->rwstate=SSL_NOTHING;
1591                 rr->length=0;
1592                 return(0);
1593                 }
1594
1595         if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1596                 {
1597                 /* 'Change Cipher Spec' is just a single byte, so we know
1598                  * exactly what the record payload has to look like */
1599                 if (    (rr->length != 1) || (rr->off != 0) ||
1600                         (rr->data[0] != SSL3_MT_CCS))
1601                         {
1602                         al=SSL_AD_ILLEGAL_PARAMETER;
1603                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
1604                         goto f_err;
1605                         }
1606
1607                 /* Check we have a cipher to change to */
1608                 if (s->s3->tmp.new_cipher == NULL)
1609                         {
1610                         al=SSL_AD_UNEXPECTED_MESSAGE;
1611                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
1612                         goto f_err;
1613                         }
1614
1615                 if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
1616                         {
1617                         al=SSL_AD_UNEXPECTED_MESSAGE;
1618                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
1619                         goto f_err;
1620                         }
1621
1622                 s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
1623
1624                 rr->length=0;
1625
1626                 if (s->msg_callback)
1627                         s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
1628
1629                 s->s3->change_cipher_spec=1;
1630                 if (!ssl3_do_change_cipher_spec(s))
1631                         goto err;
1632                 else
1633                         goto start;
1634                 }
1635
1636         /* Unexpected handshake message (Client Hello, or protocol violation) */
1637         if ((s->s3->handshake_fragment_len >= 4) &&     !s->in_handshake)
1638                 {
1639                 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
1640                         !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
1641                         {
1642 #if 0 /* worked only because C operator preferences are not as expected (and
1643        * because this is not really needed for clients except for detecting
1644        * protocol violations): */
1645                         s->state=SSL_ST_BEFORE|(s->server)
1646                                 ?SSL_ST_ACCEPT
1647                                 :SSL_ST_CONNECT;
1648 #else
1649                         s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1650 #endif
1651                         s->renegotiate=1;
1652                         s->new_session=1;
1653                         }
1654                 i=s->handshake_func(s);
1655                 if (i < 0) return(i);
1656                 if (i == 0)
1657                         {
1658                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1659                         return(-1);
1660                         }
1661
1662                 if (!(s->mode & SSL_MODE_AUTO_RETRY))
1663                         {
1664                         if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1665                                 {
1666                                 BIO *bio;
1667                                 /* In the case where we try to read application data,
1668                                  * but we trigger an SSL handshake, we return -1 with
1669                                  * the retry option set.  Otherwise renegotiation may
1670                                  * cause nasty problems in the blocking world */
1671                                 s->rwstate=SSL_READING;
1672                                 bio=SSL_get_rbio(s);
1673                                 BIO_clear_retry_flags(bio);
1674                                 BIO_set_retry_read(bio);
1675                                 return(-1);
1676                                 }
1677                         }
1678                 goto start;
1679                 }
1680
1681         switch (rr->type)
1682                 {
1683         default:
1684 #ifndef OPENSSL_NO_TLS
1685                 /* TLS up to v1.1 just ignores unknown message types:
1686                  * TLS v1.2 give an unexpected message alert.
1687                  */
1688                 if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION)
1689                         {
1690                         rr->length = 0;
1691                         goto start;
1692                         }
1693 #endif
1694                 al=SSL_AD_UNEXPECTED_MESSAGE;
1695                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1696                 goto f_err;
1697         case SSL3_RT_CHANGE_CIPHER_SPEC:
1698         case SSL3_RT_ALERT:
1699         case SSL3_RT_HANDSHAKE:
1700                 /* we already handled all of these, with the possible exception
1701                  * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
1702                  * should not happen when type != rr->type */
1703                 al=SSL_AD_UNEXPECTED_MESSAGE;
1704                 SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
1705                 goto f_err;
1706         case SSL3_RT_APPLICATION_DATA:
1707                 /* At this point, we were expecting handshake data,
1708                  * but have application data.  If the library was
1709                  * running inside ssl3_read() (i.e. in_read_app_data
1710                  * is set) and it makes sense to read application data
1711                  * at this point (session renegotiation not yet started),
1712                  * we will indulge it.
1713                  */
1714                 if (s->s3->in_read_app_data &&
1715                         (s->s3->total_renegotiations != 0) &&
1716                         ((
1717                                 (s->state & SSL_ST_CONNECT) &&
1718                                 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
1719                                 (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
1720                                 ) || (
1721                                         (s->state & SSL_ST_ACCEPT) &&
1722                                         (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
1723                                         (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
1724                                         )
1725                                 ))
1726                         {
1727                         s->s3->in_read_app_data=2;
1728                         return(-1);
1729                         }
1730                 else
1731                         {
1732                         al=SSL_AD_UNEXPECTED_MESSAGE;
1733                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1734                         goto f_err;
1735                         }
1736                 }
1737         /* not reached */
1738
1739 f_err:
1740         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1741 err:
1742         return(-1);
1743         }
1744
1745 int ssl3_do_change_cipher_spec(SSL *s)
1746         {
1747         int i;
1748         const char *sender;
1749         int slen;
1750
1751         if (s->state & SSL_ST_ACCEPT)
1752                 i=SSL3_CHANGE_CIPHER_SERVER_READ;
1753         else
1754                 i=SSL3_CHANGE_CIPHER_CLIENT_READ;
1755
1756         if (s->s3->tmp.key_block == NULL)
1757                 {
1758                 if (s->session == NULL || s->session->master_key_length == 0)
1759                         {
1760                         /* might happen if dtls1_read_bytes() calls this */
1761                         SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
1762                         return (0);
1763                         }
1764
1765                 s->session->cipher=s->s3->tmp.new_cipher;
1766                 if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
1767                 }
1768
1769         if (!s->method->ssl3_enc->change_cipher_state(s,i))
1770                 return(0);
1771
1772         /* we have to record the message digest at
1773          * this point so we can get it before we read
1774          * the finished message */
1775         if (s->state & SSL_ST_CONNECT)
1776                 {
1777                 sender=s->method->ssl3_enc->server_finished_label;
1778                 slen=s->method->ssl3_enc->server_finished_label_len;
1779                 }
1780         else
1781                 {
1782                 sender=s->method->ssl3_enc->client_finished_label;
1783                 slen=s->method->ssl3_enc->client_finished_label_len;
1784                 }
1785
1786         i = s->method->ssl3_enc->final_finish_mac(s,
1787                 sender,slen,s->s3->tmp.peer_finish_md);
1788         if (i == 0)
1789                 {
1790                 SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
1791                 return 0;
1792                 }
1793         s->s3->tmp.peer_finish_md_len = i;
1794
1795         return(1);
1796         }
1797
1798 int ssl3_send_alert(SSL *s, int level, int desc)
1799         {
1800         /* Map tls/ssl alert value to correct one */
1801         desc=s->method->ssl3_enc->alert_value(desc);
1802         if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
1803                 desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
1804         if (desc < 0) return -1;
1805         /* If a fatal one, remove from cache */
1806         if ((level == SSL3_AL_FATAL) && (s->session != NULL))
1807                 SSL_CTX_remove_session(s->ctx,s->session);
1808
1809         s->s3->alert_dispatch=1;
1810         s->s3->send_alert[0]=level;
1811         s->s3->send_alert[1]=desc;
1812         if (s->s3->wbuf.left == 0) /* data still being written out? */
1813                 return s->method->ssl_dispatch_alert(s);
1814         /* else data is still being written out, we will get written
1815          * some time in the future */
1816         return -1;
1817         }
1818
1819 int ssl3_dispatch_alert(SSL *s)
1820         {
1821         int i,j;
1822         void (*cb)(const SSL *ssl,int type,int val)=NULL;
1823
1824         s->s3->alert_dispatch=0;
1825         i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
1826         if (i <= 0)
1827                 {
1828                 s->s3->alert_dispatch=1;
1829                 }
1830         else
1831                 {
1832                 /* Alert sent to BIO.  If it is important, flush it now.
1833                  * If the message does not get sent due to non-blocking IO,
1834                  * we will not worry too much. */
1835                 if (s->s3->send_alert[0] == SSL3_AL_FATAL)
1836                         (void)BIO_flush(s->wbio);
1837
1838                 if (s->msg_callback)
1839                         s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
1840
1841                 if (s->info_callback != NULL)
1842                         cb=s->info_callback;
1843                 else if (s->ctx->info_callback != NULL)
1844                         cb=s->ctx->info_callback;
1845
1846                 if (cb != NULL)
1847                         {
1848                         j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
1849                         cb(s,SSL_CB_WRITE_ALERT,j);
1850                         }
1851                 }
1852         return(i);
1853         }