Work with -pedantic!
[openssl.git] / ssl / s3_pkt.c
1 /* ssl/s3_pkt.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #include <stdio.h>
60 #include <errno.h>
61 #define USE_SOCKETS
62 #include "evp.h"
63 #include "buffer.h"
64 #include "ssl_locl.h"
65
66 /* SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER);
67  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE);
68  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE);
69  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
70  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE);
71  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE);
72  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_BAD_RECORD_MAC);
73  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE);
74  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE);
75  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_NO_CERTIFICATE);
76  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_BAD_CERTIFICATE);
77  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE);
78  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED);
79  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED);
80  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN);
81  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER);
82  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECRYPTION_FAILED);
83  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_RECORD_OVERFLOW);
84  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_UNKNOWN_CA);
85  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_ACCESS_DENIED);
86  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECODE_ERROR);
87  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECRYPT_ERROR);
88  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_EXPORT_RESTRICION);
89  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_PROTOCOL_VERSION);
90  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY);
91  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_INTERNAL_ERROR);
92  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_USER_CANCLED);
93  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_NO_RENEGOTIATION);
94  */
95
96 #ifndef NOPROTO
97 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
98                          unsigned int len);
99 static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
100                               unsigned int len);
101 static int ssl3_get_record(SSL *s);
102 static int do_compress(SSL *ssl);
103 static int do_uncompress(SSL *ssl);
104 static int do_change_cipher_spec(SSL *ssl);
105 #else
106 static int do_ssl3_write();
107 static int ssl3_write_pending();
108 static int ssl3_get_record();
109 static int do_compress();
110 static int do_uncompress();
111 static int do_change_cipher_spec();
112 #endif
113
114 static int ssl3_read_n(SSL *s, int n, int max, int extend)
115         {
116         int i,off,newb;
117
118         /* if there is stuff still in the buffer from a previous read,
119          * and there is more than we want, take some. */
120         if (s->s3->rbuf.left >= (int)n)
121                 {
122                 if (extend)
123                         s->packet_length+=n;
124                 else
125                         {
126                         s->packet= &(s->s3->rbuf.buf[s->s3->rbuf.offset]);
127                         s->packet_length=n;
128                         }
129                 s->s3->rbuf.left-=n;
130                 s->s3->rbuf.offset+=n;
131                 return(n);
132                 }
133
134         /* else we need to read more data */
135         if (!s->read_ahead) max=n;
136         if (max > SSL3_RT_MAX_PACKET_SIZE)
137                 max=SSL3_RT_MAX_PACKET_SIZE;
138
139         /* First check if there is some left or we want to extend */
140         off=0;
141         if (    (s->s3->rbuf.left != 0) ||
142                 ((s->packet_length != 0) && extend))
143                 {
144                 newb=s->s3->rbuf.left;
145                 if (extend)
146                         {
147                         /* Copy bytes back to the front of the buffer 
148                          * Take the bytes already pointed to by 'packet'
149                          * and take the extra ones on the end. */
150                         off=s->packet_length;
151                         if (s->packet != s->s3->rbuf.buf)
152                                 memcpy(s->s3->rbuf.buf,s->packet,newb+off);
153                         }
154                 else if (s->s3->rbuf.offset != 0)
155                         { /* so the data is not at the start of the buffer */
156                         memcpy(s->s3->rbuf.buf,
157                                 &(s->s3->rbuf.buf[s->s3->rbuf.offset]),newb);
158                         s->s3->rbuf.offset=0;
159                         }
160
161                 s->s3->rbuf.left=0;
162                 }
163         else
164                 newb=0;
165
166         /* So we now have 'newb' bytes at the front of 
167          * s->s3->rbuf.buf and need to read some more in on the end
168          * We start reading into the buffer at 's->s3->rbuf.offset'
169          */
170         s->packet=s->s3->rbuf.buf;
171
172         while (newb < n)
173                 {
174                 clear_sys_error();
175                 if (s->rbio != NULL)
176                         {
177                         s->rwstate=SSL_READING;
178                         i=BIO_read(s->rbio,
179                                 (char *)&(s->s3->rbuf.buf[off+newb]),
180                                 max-newb);
181                         }
182                 else
183                         {
184                         SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
185                         i= -1;
186                         }
187
188                 if (i <= 0)
189                         {
190                         s->s3->rbuf.left+=newb;
191                         return(i);
192                         }
193                 newb+=i;
194                 }
195
196         /* record used data read */
197         if (newb > n)
198                 {
199                 s->s3->rbuf.offset=n+off;
200                 s->s3->rbuf.left=newb-n;
201                 }
202         else
203                 {
204                 s->s3->rbuf.offset=0;
205                 s->s3->rbuf.left=0;
206                 }
207
208         if (extend)
209                 s->packet_length+=n;
210         else
211                 s->packet_length+=n;
212         return(n);
213         }
214
215 /* Call this to get a new input record.
216  * It will return <= 0 if more data is needed, normally due to an error
217  * or non-blocking IO.
218  * When it finishes, one packet has been decoded and can be found in
219  * ssl->s3->rrec.type   - is the type of record
220  * ssl->s3->rrec.data,  - data
221  * ssl->s3->rrec.length, - number of bytes
222  */
223 static int ssl3_get_record(SSL *s)
224         {
225         int ssl_major,ssl_minor,al;
226         int n,i,ret= -1;
227         SSL3_BUFFER *rb;
228         SSL3_RECORD *rr;
229         SSL_SESSION *sess;
230         unsigned char *p;
231         unsigned char md[EVP_MAX_MD_SIZE];
232         short version;
233         unsigned int mac_size;
234         int clear=0,extra;
235
236         rr= &(s->s3->rrec);
237         rb= &(s->s3->rbuf);
238         sess=s->session;
239
240         if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
241                 extra=SSL3_RT_MAX_EXTRA;
242         else
243                 extra=0;
244
245 again:
246         /* check if we have the header */
247         if (    (s->rstate != SSL_ST_READ_BODY) ||
248                 (s->packet_length < SSL3_RT_HEADER_LENGTH)) 
249                 {
250                 n=ssl3_read_n(s,SSL3_RT_HEADER_LENGTH,
251                         SSL3_RT_MAX_PACKET_SIZE,0);
252                 if (n <= 0) return(n); /* error or non-blocking */
253                 s->rstate=SSL_ST_READ_BODY;
254
255                 p=s->packet;
256
257                 /* Pull apart the header into the SSL3_RECORD */
258                 rr->type= *(p++);
259                 ssl_major= *(p++);
260                 ssl_minor= *(p++);
261                 version=(ssl_major<<8)|ssl_minor;
262                 n2s(p,rr->length);
263
264                 /* Lets check version */
265                 if (s->first_packet)
266                         {
267                         s->first_packet=0;
268                         }
269                 else
270                         {
271                         if (version != s->version)
272                                 {
273                                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
274                                 /* Send back error using their
275                                  * version number :-) */
276                                 s->version=version;
277                                 al=SSL_AD_PROTOCOL_VERSION;
278                                 goto f_err;
279                                 }
280                         }
281
282                 if ((version>>8) != SSL3_VERSION_MAJOR)
283                         {
284                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
285                         goto err;
286                         }
287
288                 if (rr->length > 
289                         (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
290                         {
291                         al=SSL_AD_RECORD_OVERFLOW;
292                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
293                         goto f_err;
294                         }
295
296                 s->rstate=SSL_ST_READ_BODY;
297                 }
298
299         /* get and decode the data */
300         if (s->rstate == SSL_ST_READ_BODY)
301                 {
302                 if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH))
303                         {
304                         i=rr->length;
305                         /*-(s->packet_length-SSL3_RT_HEADER_LENGTH); */
306                         n=ssl3_read_n(s,i,i,1);
307                         if (n <= 0) return(n); /* error or non-blocking io */
308                         }
309                 s->rstate=SSL_ST_READ_HEADER;
310                 }
311
312         /* At this point, we have the data in s->packet and there should be
313          * s->packet_length bytes, we must not 'overrun' this buffer :-)
314          * One of the following functions will copy the data from the
315          * s->packet buffer */
316
317         rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
318
319         /* ok, we can now read from 's->packet' data into 'rr'
320          * rr->input points at rr->length bytes, which
321          * need to be copied into rr->data by either
322          * the decryption or by the decompression
323          * When the data is 'copied' into the rr->data buffer,
324          * rr->input will be pointed at the new buffer */ 
325
326         /* Set the state for the following operations */
327         s->rstate=SSL_ST_READ_HEADER;
328
329         /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
330          * rr->length bytes of encrypted compressed stuff. */
331
332         /* check is not needed I belive */
333         if (rr->length > (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
334                 {
335                 al=SSL_AD_RECORD_OVERFLOW;
336                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
337                 goto f_err;
338                 }
339
340         /* decrypt in place in 'rr->input' */
341         rr->data=rr->input;
342
343         if (!s->method->ssl3_enc->enc(s,0))
344                 {
345                 al=SSL_AD_DECRYPT_ERROR;
346                 goto f_err;
347                 }
348 #ifdef TLS_DEBUG
349 printf("dec %d\n",rr->length);
350 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
351 printf("\n");
352 #endif
353         /* r->length is now the compressed data plus mac */
354         if (    (sess == NULL) ||
355                 (s->enc_read_ctx == NULL) ||
356                 (s->read_hash == NULL))
357                 clear=1;
358
359         if (!clear)
360                 {
361                 mac_size=EVP_MD_size(s->read_hash);
362
363                 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
364                         {
365                         al=SSL_AD_RECORD_OVERFLOW;
366                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
367                         goto f_err;
368                         }
369                 /* check MAC for rr->input' */
370                 if (rr->length < mac_size)
371                         {
372                         al=SSL_AD_DECODE_ERROR;
373                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
374                         goto f_err;
375                         }
376                 rr->length-=mac_size;
377                 i=s->method->ssl3_enc->mac(s,md,0);
378                 if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
379                         {
380                         al=SSL_AD_BAD_RECORD_MAC;
381                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_MAC_DECODE);
382                         ret= -1;
383                         goto f_err;
384                         }
385                 }
386
387         /* r->length is now just compressed */
388         if (s->expand != NULL)
389                 {
390                 if (rr->length > 
391                         (unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
392                         {
393                         al=SSL_AD_RECORD_OVERFLOW;
394                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
395                         goto f_err;
396                         }
397                 if (!do_uncompress(s))
398                         {
399                         al=SSL_AD_DECOMPRESSION_FAILURE;
400                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
401                         goto f_err;
402                         }
403                 }
404
405         if (rr->length > (unsigned int)SSL3_RT_MAX_PLAIN_LENGTH+extra)
406                 {
407                 al=SSL_AD_RECORD_OVERFLOW;
408                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
409                 goto f_err;
410                 }
411
412         rr->off=0;
413         /* So at this point the following is true
414          * ssl->s3->rrec.type   is the type of record
415          * ssl->s3->rrec.length == number of bytes in record
416          * ssl->s3->rrec.off    == offset to first valid byte
417          * ssl->s3->rrec.data   == where to take bytes from, increment
418          *                         after use :-).
419          */
420
421         /* we have pulled in a full packet so zero things */
422         s->packet_length=0;
423
424         /* just read a 0 length packet */
425         if (rr->length == 0) goto again;
426
427         return(1);
428 f_err:
429         ssl3_send_alert(s,SSL3_AL_FATAL,al);
430 err:
431         return(ret);
432         }
433
434 static int do_uncompress(SSL *ssl)
435         {
436         int i;
437         SSL3_RECORD *rr;
438
439         rr= &(ssl->s3->rrec);
440         i=COMP_expand_block(ssl->expand,rr->comp,
441                 SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
442         if (i < 0)
443                 return(0);
444         else
445                 rr->length=i;
446         rr->data=rr->comp;
447
448         return(1);
449         }
450
451 static int do_compress(SSL *ssl)
452         {
453         int i;
454         SSL3_RECORD *wr;
455
456         wr= &(ssl->s3->wrec);
457         i=COMP_compress_block(ssl->compress,wr->data,
458                 SSL3_RT_MAX_COMPRESSED_LENGTH,
459                 wr->input,(int)wr->length);
460         if (i < 0)
461                 return(0);
462         else
463                 wr->length=i;
464
465         wr->input=wr->data;
466         return(1);
467         }
468
469 /* Call this to write data
470  * It will return <= 0 if not all data has been sent or non-blocking IO.
471  */
472 int ssl3_write_bytes(SSL *s, int type, const void *_buf, int len)
473         {
474         const unsigned char *buf=_buf;
475         unsigned int tot,n,nw;
476         int i;
477
478         s->rwstate=SSL_NOTHING;
479         tot=s->s3->wnum;
480         s->s3->wnum=0;
481
482         if (SSL_in_init(s) && !s->in_handshake)
483                 {
484                 i=s->handshake_func(s);
485                 if (i < 0) return(i);
486                 if (i == 0)
487                         {
488                         SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
489                         return(-1);
490                         }
491                 }
492
493         n=(len-tot);
494         for (;;)
495                 {
496                 if (n > SSL3_RT_MAX_PLAIN_LENGTH)
497                         nw=SSL3_RT_MAX_PLAIN_LENGTH;
498                 else
499                         nw=n;
500                         
501                 i=do_ssl3_write(s,type,&(buf[tot]),nw);
502                 if (i <= 0)
503                         {
504                         s->s3->wnum=tot;
505                         return(i);
506                         }
507
508                 if (type == SSL3_RT_HANDSHAKE)
509                         ssl3_finish_mac(s,&(buf[tot]),i);
510
511                 if (i == (int)n) return(tot+i);
512
513                 n-=i;
514                 tot+=i;
515                 }
516         }
517
518 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
519                          unsigned int len)
520         {
521         unsigned char *p,*plen;
522         int i,mac_size,clear=0;
523         SSL3_RECORD *wr;
524         SSL3_BUFFER *wb;
525         SSL_SESSION *sess;
526
527         /* first check is there is a SSL3_RECORD still being written
528          * out.  This will happen with non blocking IO */
529         if (s->s3->wbuf.left != 0)
530                 return(ssl3_write_pending(s,type,buf,len));
531
532         /* If we have an alert to send, lets send it */
533         if (s->s3->alert_dispatch)
534                 {
535                 i=ssl3_dispatch_alert(s);
536                 if (i <= 0)
537                         return(i);
538                 /* if it went, fall through and send more stuff */
539                 }
540
541         if (len <= 0) return(len);
542         
543         wr= &(s->s3->wrec);
544         wb= &(s->s3->wbuf);
545         sess=s->session;
546
547         if (    (sess == NULL) ||
548                 (s->enc_write_ctx == NULL) ||
549                 (s->write_hash == NULL))
550                 clear=1;
551
552         if (clear)
553                 mac_size=0;
554         else
555                 mac_size=EVP_MD_size(s->write_hash);
556
557         p=wb->buf;
558
559         /* write the header */
560         *(p++)=type&0xff;
561         wr->type=type;
562
563         *(p++)=(s->version>>8);
564         *(p++)=s->version&0xff;
565         
566         /* record where we are to write out packet length */
567         plen=p; 
568         p+=2;
569         
570         /* lets setup the record stuff. */
571         wr->data=p;
572         wr->length=(int)len;
573         wr->input=(unsigned char *)buf;
574
575         /* we now 'read' from wr->input, wr->length bytes into
576          * wr->data */
577
578         /* first we compress */
579         if (s->compress != NULL)
580                 {
581                 if (!do_compress(s))
582                         {
583                         SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
584                         goto err;
585                         }
586                 }
587         else
588                 {
589                 memcpy(wr->data,wr->input,wr->length);
590                 wr->input=wr->data;
591                 }
592
593         /* we should still have the output to wr->data and the input
594          * from wr->input.  Length should be wr->length.
595          * wr->data still points in the wb->buf */
596
597         if (mac_size != 0)
598                 {
599                 s->method->ssl3_enc->mac(s,&(p[wr->length]),1);
600                 wr->length+=mac_size;
601                 wr->input=p;
602                 wr->data=p;
603                 }
604
605         /* ssl3_enc can only have an error on read */
606         s->method->ssl3_enc->enc(s,1);
607
608         /* record length after mac and block padding */
609         s2n(wr->length,plen);
610
611         /* we should now have
612          * wr->data pointing to the encrypted data, which is
613          * wr->length long */
614         wr->type=type; /* not needed but helps for debugging */
615         wr->length+=SSL3_RT_HEADER_LENGTH;
616
617         /* Now lets setup wb */
618         wb->left=wr->length;
619         wb->offset=0;
620
621         s->s3->wpend_tot=len;
622         s->s3->wpend_buf=buf;
623         s->s3->wpend_type=type;
624         s->s3->wpend_ret=len;
625
626         /* we now just need to write the buffer */
627         return(ssl3_write_pending(s,type,buf,len));
628 err:
629         return(-1);
630         }
631
632 /* if s->s3->wbuf.left != 0, we need to call this */
633 static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
634                               unsigned int len)
635         {
636         int i;
637
638 /* XXXX */
639         if ((s->s3->wpend_tot > (int)len) || (s->s3->wpend_buf != buf)
640                 || (s->s3->wpend_type != type))
641                 {
642                 SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
643                 return(-1);
644                 }
645
646         for (;;)
647                 {
648                 clear_sys_error();
649                 if (s->wbio != NULL)
650                         {
651                         s->rwstate=SSL_WRITING;
652                         i=BIO_write(s->wbio,
653                                 (char *)&(s->s3->wbuf.buf[s->s3->wbuf.offset]),
654                                 (unsigned int)s->s3->wbuf.left);
655                         }
656                 else
657                         {
658                         SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
659                         i= -1;
660                         }
661                 if (i == s->s3->wbuf.left)
662                         {
663                         s->s3->wbuf.left=0;
664                         s->rwstate=SSL_NOTHING;
665                         return(s->s3->wpend_ret);
666                         }
667                 else if (i <= 0)
668                         return(i);
669                 s->s3->wbuf.offset+=i;
670                 s->s3->wbuf.left-=i;
671                 }
672         }
673
674 int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
675         {
676         int al,i,j,n,ret;
677         SSL3_RECORD *rr;
678         void (*cb)()=NULL;
679         BIO *bio;
680
681         if (s->s3->rbuf.buf == NULL) /* Not initialize yet */
682                 if (!ssl3_setup_buffers(s))
683                         return(-1);
684
685         if (!s->in_handshake && SSL_in_init(s))
686                 {
687                 i=s->handshake_func(s);
688                 if (i < 0) return(i);
689                 if (i == 0)
690                         {
691                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
692                         return(-1);
693                         }
694                 }
695 start:
696         s->rwstate=SSL_NOTHING;
697
698         /* s->s3->rrec.type     - is the type of record
699          * s->s3->rrec.data,    - data
700          * s->s3->rrec.off,     - ofset into 'data' for next read
701          * s->s3->rrec.length,  - number of bytes. */
702         rr= &(s->s3->rrec);
703
704         /* get new packet */
705         if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
706                 {
707                 ret=ssl3_get_record(s);
708                 if (ret <= 0) return(ret);
709                 }
710
711         /* we now have a packet which can be read and processed */
712
713         if (s->s3->change_cipher_spec && (rr->type != SSL3_RT_HANDSHAKE))
714                 {
715                 al=SSL_AD_UNEXPECTED_MESSAGE;
716                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
717                 goto err;
718                 }
719
720         /* If the other end has shutdown, throw anything we read away */
721         if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
722                 {
723                 rr->length=0;
724                 s->rwstate=SSL_NOTHING;
725                 return(0);
726                 }
727
728         /* Check for an incoming 'Client Request' message */
729         if ((rr->type == SSL3_RT_HANDSHAKE) && (rr->length == 4) &&
730                 (rr->data[0] == SSL3_MT_CLIENT_REQUEST) &&
731                 (s->session != NULL) && (s->session->cipher != NULL))
732                 {
733                 if ((rr->data[1] != 0) || (rr->data[2] != 0) ||
734                         (rr->data[3] != 0))
735                         {
736                         al=SSL_AD_DECODE_ERROR;
737                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CLIENT_REQUEST);
738                         goto err;
739                         }
740
741                 if (SSL_is_init_finished(s) &&
742                         !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
743                         !s->s3->renegotiate)
744                         {
745                         ssl3_renegotiate(s);
746                         if (ssl3_renegotiate_check(s))
747                                 {
748                                 n=s->handshake_func(s);
749                                 if (n < 0) return(n);
750                                 if (n == 0)
751                                         {
752                                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
753                                         return(-1);
754                                         }
755                                 }
756                         }
757                 rr->length=0;
758 /* ZZZ */       goto start;
759                 }
760
761         /* if it is not the type we want, or we have shutdown and want
762          * the peer shutdown */
763         if ((rr->type != type) || (s->shutdown & SSL_SENT_SHUTDOWN))
764                 {
765                 if (rr->type == SSL3_RT_ALERT)
766                         {
767                         if ((rr->length != 2) || (rr->off != 0))
768                                 {
769                                 al=SSL_AD_DECODE_ERROR;
770                                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_ALERT_RECORD);
771                                 goto f_err;
772                                 }
773
774                         i=rr->data[0];
775                         n=rr->data[1];
776
777                         /* clear from buffer */
778                         rr->length=0;
779
780                         if (s->info_callback != NULL)
781                                 cb=s->info_callback;
782                         else if (s->ctx->info_callback != NULL)
783                                 cb=s->ctx->info_callback;
784
785                         if (cb != NULL)
786                                 {
787                                 j=(i<<8)|n;
788                                 cb(s,SSL_CB_READ_ALERT,j);
789                                 }
790
791                         if (i == 1)
792                                 {
793                                 s->s3->warn_alert=n;
794                                 if (n == SSL_AD_CLOSE_NOTIFY)
795                                         {
796                                         s->shutdown|=SSL_RECEIVED_SHUTDOWN;
797                                         return(0);
798                                         }
799                                 }
800                         else if (i == 2)
801                                 {
802                                 char tmp[16];
803
804                                 s->rwstate=SSL_NOTHING;
805                                 s->s3->fatal_alert=n;
806                                 SSLerr(SSL_F_SSL3_READ_BYTES,
807                                         SSL_AD_REASON_OFFSET+n);
808                                 sprintf(tmp,"%d",n);
809                                 ERR_add_error_data(2,"SSL alert number ",tmp);
810                                 s->shutdown|=SSL_RECEIVED_SHUTDOWN;
811                                 SSL_CTX_remove_session(s->ctx,s->session);
812                                 return(0);
813                                 }
814                         else
815                                 {
816                                 al=SSL_AD_ILLEGAL_PARAMETER;
817                                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
818                                 goto f_err;
819                                 }
820
821                         rr->length=0;
822                         goto start;
823                         }
824
825                 if (s->shutdown & SSL_SENT_SHUTDOWN)
826                         {
827                         s->rwstate=SSL_NOTHING;
828                         rr->length=0;
829                         return(0);
830                         }
831
832                 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
833                         {
834                         if (    (rr->length != 1) || (rr->off != 0) ||
835                                 (rr->data[0] != SSL3_MT_CCS))
836                                 {
837                                 i=SSL_AD_ILLEGAL_PARAMETER;
838                                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
839                                 goto err;
840                                 }
841
842                         rr->length=0;
843                         s->s3->change_cipher_spec=1;
844                         if (!do_change_cipher_spec(s))
845                                 goto err;
846                         else
847                                 goto start;
848                         }
849
850                 /* else we have a handshake */
851                 if ((rr->type == SSL3_RT_HANDSHAKE) &&
852                         !s->in_handshake)
853                         {
854                         if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
855                                 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
856                                 {
857                                 s->state=SSL_ST_BEFORE|(s->server)
858                                                 ?SSL_ST_ACCEPT
859                                                 :SSL_ST_CONNECT;
860                                 s->new_session=1;
861                                 }
862                         n=s->handshake_func(s);
863                         if (n < 0) return(n);
864                         if (n == 0)
865                                 {
866                                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
867                                 return(-1);
868                                 }
869
870                         /* In the case where we try to read application data
871                          * the first time, but we trigger an SSL handshake, we
872                          * return -1 with the retry option set.  I do this
873                          * otherwise renegotiation can cause nasty problems 
874                          * in the non-blocking world */
875
876                         s->rwstate=SSL_READING;
877                         bio=SSL_get_rbio(s);
878                         BIO_clear_retry_flags(bio);
879                         BIO_set_retry_read(bio);
880                         return(-1);
881                         }
882
883                 switch (rr->type)
884                         {
885                 default:
886 #ifndef NO_TLS
887                         /* TLS just ignores unknown message types */
888                         if (s->version == TLS1_VERSION)
889                                 {
890                                 goto start;
891                                 }
892 #endif
893                 case SSL3_RT_CHANGE_CIPHER_SPEC:
894                 case SSL3_RT_ALERT:
895                 case SSL3_RT_HANDSHAKE:
896                         al=SSL_AD_UNEXPECTED_MESSAGE;
897                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
898                         goto f_err;
899                 case SSL3_RT_APPLICATION_DATA:
900                         /* At this point, we were expecting something else,
901                          * but have application data.  What we do is set the
902                          * error, and return -1.  On the way out, if the
903                          * library was running inside ssl3_read() and it makes
904                          * sense to read application data at this point, we
905                          * will indulge it.  This will mostly happen during
906                          * session renegotiation.
907                          */
908                         if (s->s3->in_read_app_data &&
909                                 (s->s3->total_renegotiations != 0) &&
910                                 ((
911                                   (s->state & SSL_ST_CONNECT) &&
912                                   (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
913                                   (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
914                                  ) || (
915                                   (s->state & SSL_ST_ACCEPT) &&
916                                   (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
917                                   (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
918                                  )
919                                 ))
920                                 {
921                                 s->s3->in_read_app_data=0;
922                                 return(-1);
923                                 }
924                         else
925                                 {
926                                 al=SSL_AD_UNEXPECTED_MESSAGE;
927                                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
928                                 goto f_err;
929                                 }
930                         }
931                 }
932
933         /* make sure that we are not getting application data when we
934          * are doing a handshake for the first time */
935         if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
936                 (s->enc_read_ctx == NULL))
937                 {
938                 al=SSL_AD_UNEXPECTED_MESSAGE;
939                 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
940                 goto f_err;
941                 }
942
943         if (len <= 0) return(len);
944
945         if ((unsigned int)len > rr->length)
946                 n=rr->length;
947         else
948                 n=len;
949
950         memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
951         rr->length-=n;
952         rr->off+=n;
953         if (rr->length <= 0)
954                 {
955                 s->rstate=SSL_ST_READ_HEADER;
956                 rr->off=0;
957                 }
958
959         if (type == SSL3_RT_HANDSHAKE)
960                 ssl3_finish_mac(s,buf,n);
961         return(n);
962 f_err:
963         ssl3_send_alert(s,SSL3_AL_FATAL,al);
964 err:
965         return(-1);
966         }
967
968 static int do_change_cipher_spec(SSL *s)
969         {
970         int i;
971         unsigned char *sender;
972         int slen;
973
974         if (s->state & SSL_ST_ACCEPT)
975                 i=SSL3_CHANGE_CIPHER_SERVER_READ;
976         else
977                 i=SSL3_CHANGE_CIPHER_CLIENT_READ;
978
979         if (s->s3->tmp.key_block == NULL)
980                 {
981                 s->session->cipher=s->s3->tmp.new_cipher;
982                 if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
983                 }
984
985         if (!s->method->ssl3_enc->change_cipher_state(s,i))
986                 return(0);
987
988         /* we have to record the message digest at
989          * this point so we can get it before we read
990          * the finished message */
991         if (s->state & SSL_ST_CONNECT)
992                 {
993                 sender=s->method->ssl3_enc->server_finished;
994                 slen=s->method->ssl3_enc->server_finished_len;
995                 }
996         else
997                 {
998                 sender=s->method->ssl3_enc->client_finished;
999                 slen=s->method->ssl3_enc->client_finished_len;
1000                 }
1001
1002         s->method->ssl3_enc->final_finish_mac(s,
1003                 &(s->s3->finish_dgst1),
1004                 &(s->s3->finish_dgst2),
1005                 sender,slen,&(s->s3->tmp.finish_md[0]));
1006
1007         return(1);
1008         }
1009
1010 int ssl3_do_write(SSL *s, int type)
1011         {
1012         int ret;
1013
1014         ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
1015                              s->init_num);
1016         if (ret == s->init_num)
1017                 return(1);
1018         if (ret < 0) return(-1);
1019         s->init_off+=ret;
1020         s->init_num-=ret;
1021         return(0);
1022         }
1023
1024 void ssl3_send_alert(SSL *s, int level, int desc)
1025         {
1026         /* Map tls/ssl alert value to correct one */
1027         desc=s->method->ssl3_enc->alert_value(desc);
1028         if (desc < 0) return;
1029         /* If a fatal one, remove from cache */
1030         if ((level == 2) && (s->session != NULL))
1031                 SSL_CTX_remove_session(s->ctx,s->session);
1032
1033         s->s3->alert_dispatch=1;
1034         s->s3->send_alert[0]=level;
1035         s->s3->send_alert[1]=desc;
1036         if (s->s3->wbuf.left == 0) /* data still being written out */
1037                 ssl3_dispatch_alert(s);
1038         /* else data is still being written out, we will get written
1039          * some time in the future */
1040         }
1041
1042 int ssl3_dispatch_alert(SSL *s)
1043         {
1044         int i,j;
1045         void (*cb)()=NULL;
1046
1047         s->s3->alert_dispatch=0;
1048         i=do_ssl3_write(s,SSL3_RT_ALERT,&s->s3->send_alert[0],2);
1049         if (i <= 0)
1050                 {
1051                 s->s3->alert_dispatch=1;
1052                 }
1053         else
1054                 {
1055                 /* If it is important, send it now.  If the message
1056                  * does not get sent due to non-blocking IO, we will
1057                  * not worry too much. */
1058                 if (s->s3->send_alert[0] == SSL3_AL_FATAL)
1059                         BIO_flush(s->wbio);
1060
1061                 if (s->info_callback != NULL)
1062                         cb=s->info_callback;
1063                 else if (s->ctx->info_callback != NULL)
1064                         cb=s->ctx->info_callback;
1065                 
1066                 if (cb != NULL)
1067                         {
1068                         j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
1069                         cb(s,SSL_CB_WRITE_ALERT,j);
1070                         }
1071                 }
1072         return(i);
1073         }
1074