Reorder inclusion of header files:

[openssl.git] / ssl / s3_pkt.c
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c

index d76c5f9e597b47b03bfd3a9d3173848091e41a33..6ccea9aee5865955d5e65883edea47e76b8d8b14 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -56,7 +56,7 @@
   * [including the GNU Public Licence.]
   */
  /* ====================================================================
   * [including the GNU Public Licence.]
   */
  /* ====================================================================
- * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
@@ -112,12 +112,12 @@
  #include <stdio.h>
  #include <errno.h>
  #define USE_SOCKETS
  #include <stdio.h>
  #include <errno.h>
  #define USE_SOCKETS
+#include "ssl_locl.h"
  #include <openssl/evp.h>
  #include <openssl/buffer.h>
  #include <openssl/evp.h>
  #include <openssl/buffer.h>
-#include "ssl_locl.h"
  
  static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
  
  static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
-                        unsigned int len);
+                        unsigned int len, int create_empty_fragment);
  static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
                               unsigned int len);
  static int ssl3_get_record(SSL *s);
  static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
                               unsigned int len);
  static int ssl3_get_record(SSL *s);
@@ -162,15 +162,13 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend)
  
         {
                 /* avoid buffer overflow */
  
         {
                 /* avoid buffer overflow */
-               int max_max = SSL3_RT_MAX_PACKET_SIZE - s->packet_length;
-               if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-                       max_max += SSL3_RT_MAX_EXTRA;
+               int max_max = s->s3->rbuf.len - s->packet_length;
                 if (max > max_max)
                         max = max_max;
         }
         if (n > max) /* does not happen */
                 {
                 if (max > max_max)
                         max = max_max;
         }
         if (n > max) /* does not happen */
                 {
-               SSLerr(SSL_F_SSL3_READ_N,SSL_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
                 return -1;
                 }
  
                 return -1;
                 }
  
@@ -231,14 +229,15 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend)
  static int ssl3_get_record(SSL *s)
         {
         int ssl_major,ssl_minor,al;
  static int ssl3_get_record(SSL *s)
         {
         int ssl_major,ssl_minor,al;
-       int n,i,ret= -1;
+       int enc_err,n,i,ret= -1;
         SSL3_RECORD *rr;
         SSL_SESSION *sess;
         unsigned char *p;
         unsigned char md[EVP_MAX_MD_SIZE];
         short version;
         unsigned int mac_size;
         SSL3_RECORD *rr;
         SSL_SESSION *sess;
         unsigned char *p;
         unsigned char md[EVP_MAX_MD_SIZE];
         short version;
         unsigned int mac_size;
-       int clear=0,extra;
+       int clear=0;
+       size_t extra;
  
         rr= &(s->s3->rrec);
         sess=s->session;
  
         rr= &(s->s3->rrec);
         sess=s->session;
@@ -247,14 +246,20 @@ static int ssl3_get_record(SSL *s)
                 extra=SSL3_RT_MAX_EXTRA;
         else
                 extra=0;
                 extra=SSL3_RT_MAX_EXTRA;
         else
                 extra=0;
+       if (extra != s->s3->rbuf.len - SSL3_RT_MAX_PACKET_SIZE)
+               {
+               /* actually likely an application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
+                * set after ssl3_setup_buffers() was done */
+               SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
+               return -1;
+               }
  
  again:
         /* check if we have the header */
         if (    (s->rstate != SSL_ST_READ_BODY) ||
                 (s->packet_length < SSL3_RT_HEADER_LENGTH)) 
                 {
  
  again:
         /* check if we have the header */
         if (    (s->rstate != SSL_ST_READ_BODY) ||
                 (s->packet_length < SSL3_RT_HEADER_LENGTH)) 
                 {
-               n=ssl3_read_n(s,SSL3_RT_HEADER_LENGTH,
-                       SSL3_RT_MAX_PACKET_SIZE,0);
+               n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
                 if (n <= 0) return(n); /* error or non-blocking */
                 s->rstate=SSL_ST_READ_BODY;
  
                 if (n <= 0) return(n); /* error or non-blocking */
                 s->rstate=SSL_ST_READ_BODY;
  
@@ -291,8 +296,7 @@ again:
                         goto err;
                         }
  
                         goto err;
                         }
  
-               if (rr->length > 
-                       (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
+               if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
                         {
                         al=SSL_AD_RECORD_OVERFLOW;
                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
                         {
                         al=SSL_AD_RECORD_OVERFLOW;
                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
@@ -304,7 +308,7 @@ again:
  
         /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
  
  
         /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
  
-       if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH))
+       if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH)
                 {
                 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
                 i=rr->length;
                 {
                 /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
                 i=rr->length;
@@ -332,7 +336,7 @@ again:
          * rr->length bytes of encrypted compressed stuff. */
  
         /* check is not needed I believe */
          * rr->length bytes of encrypted compressed stuff. */
  
         /* check is not needed I believe */
-       if (rr->length > (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
+       if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
                 {
                 al=SSL_AD_RECORD_OVERFLOW;
                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
                 {
                 al=SSL_AD_RECORD_OVERFLOW;
                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
@@ -342,16 +346,23 @@ again:
         /* decrypt in place in 'rr->input' */
         rr->data=rr->input;
  
         /* decrypt in place in 'rr->input' */
         rr->data=rr->input;
  
-       if (!s->method->ssl3_enc->enc(s,0))
+       enc_err = s->method->ssl3_enc->enc(s,0);
+       if (enc_err <= 0)
                 {
                 {
-               al=SSL_AD_DECRYPT_ERROR;
-               goto f_err;
+               if (enc_err == 0)
+                       /* SSLerr() and ssl3_send_alert() have been called */
+                       goto err;
+
+               /* otherwise enc_err == -1 */
+               goto decryption_failed_or_bad_record_mac;
                 }
                 }
+
  #ifdef TLS_DEBUG
  printf("dec %d\n",rr->length);
  { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
  printf("\n");
  #endif
  #ifdef TLS_DEBUG
  printf("dec %d\n",rr->length);
  { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
  printf("\n");
  #endif
+
         /* r->length is now the compressed data plus mac */
         if (    (sess == NULL) ||
                 (s->enc_read_ctx == NULL) ||
         /* r->length is now the compressed data plus mac */
         if (    (sess == NULL) ||
                 (s->enc_read_ctx == NULL) ||
@@ -364,33 +375,37 @@ printf("\n");
  
                 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
                         {
  
                 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
                         {
+#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
                         al=SSL_AD_RECORD_OVERFLOW;
                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
                         goto f_err;
                         al=SSL_AD_RECORD_OVERFLOW;
                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
                         goto f_err;
+#else
+                       goto decryption_failed_or_bad_record_mac;
+#endif                 
                         }
                 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
                 if (rr->length < mac_size)
                         {
                         }
                 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
                 if (rr->length < mac_size)
                         {
+#if 0 /* OK only for stream ciphers */
                         al=SSL_AD_DECODE_ERROR;
                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
                         goto f_err;
                         al=SSL_AD_DECODE_ERROR;
                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
                         goto f_err;
+#else
+                       goto decryption_failed_or_bad_record_mac;
+#endif
                         }
                 rr->length-=mac_size;
                 i=s->method->ssl3_enc->mac(s,md,0);
                 if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
                         {
                         }
                 rr->length-=mac_size;
                 i=s->method->ssl3_enc->mac(s,md,0);
                 if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
                         {
-                       al=SSL_AD_BAD_RECORD_MAC;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_MAC_DECODE);
-                       ret= -1;
-                       goto f_err;
+                       goto decryption_failed_or_bad_record_mac;
                         }
                 }
  
         /* r->length is now just compressed */
         if (s->expand != NULL)
                 {
                         }
                 }
  
         /* r->length is now just compressed */
         if (s->expand != NULL)
                 {
-               if (rr->length > 
-                       (unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
+               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
                         {
                         al=SSL_AD_RECORD_OVERFLOW;
                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
                         {
                         al=SSL_AD_RECORD_OVERFLOW;
                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
@@ -404,7 +419,7 @@ printf("\n");
                         }
                 }
  
                         }
                 }
  
-       if (rr->length > (unsigned int)SSL3_RT_MAX_PLAIN_LENGTH+extra)
+       if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra)
                 {
                 al=SSL_AD_RECORD_OVERFLOW;
                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
                 {
                 al=SSL_AD_RECORD_OVERFLOW;
                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
@@ -427,6 +442,15 @@ printf("\n");
         if (rr->length == 0) goto again;
  
         return(1);
         if (rr->length == 0) goto again;
  
         return(1);
+
+decryption_failed_or_bad_record_mac:
+       /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
+        * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
+        * failure is directly visible from the ciphertext anyway,
+        * we should not reveal which kind of error occured -- this
+        * might become visible to an attacker (e.g. via logfile) */
+       al=SSL_AD_BAD_RECORD_MAC;
+       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
  f_err:
         ssl3_send_alert(s,SSL3_AL_FATAL,al);
  err:
  f_err:
         ssl3_send_alert(s,SSL3_AL_FATAL,al);
  err:
@@ -488,7 +512,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                 if (i == 0)
                         {
                         SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
                 if (i == 0)
                         {
                         SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
-                       return(-1);
+                       return -1;
                         }
                 }
  
                         }
                 }
  
@@ -500,18 +524,22 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                 else
                         nw=n;
  
                 else
                         nw=n;
  
-               i=do_ssl3_write(s,type,&(buf[tot]),nw);
+               i=do_ssl3_write(s, type, &(buf[tot]), nw, 0);
                 if (i <= 0)
                         {
                         s->s3->wnum=tot;
                 if (i <= 0)
                         {
                         s->s3->wnum=tot;
-                       return(i);
+                       return i;
                         }
  
                 if ((i == (int)n) ||
                         (type == SSL3_RT_APPLICATION_DATA &&
                          (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
                         {
                         }
  
                 if ((i == (int)n) ||
                         (type == SSL3_RT_APPLICATION_DATA &&
                          (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
                         {
-                       return(tot+i);
+                       /* next chunk of data should get another prepended empty fragment
+                        * in ciphersuites with known-IV weakness: */
+                       s->s3->empty_fragment_done = 0;
+                       
+                       return tot+i;
                         }
  
                 n-=i;
                         }
  
                 n-=i;
@@ -520,15 +548,16 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
         }
  
  static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
         }
  
  static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
-                        unsigned int len)
+                        unsigned int len, int create_empty_fragment)
         {
         unsigned char *p,*plen;
         int i,mac_size,clear=0;
         {
         unsigned char *p,*plen;
         int i,mac_size,clear=0;
+       int prefix_len = 0;
         SSL3_RECORD *wr;
         SSL3_BUFFER *wb;
         SSL_SESSION *sess;
  
         SSL3_RECORD *wr;
         SSL3_BUFFER *wb;
         SSL_SESSION *sess;
  
-       /* first check is there is a SSL3_RECORD still being written
+       /* first check if there is a SSL3_BUFFER still being written
          * out.  This will happen with non blocking IO */
         if (s->s3->wbuf.left != 0)
                 return(ssl3_write_pending(s,type,buf,len));
          * out.  This will happen with non blocking IO */
         if (s->s3->wbuf.left != 0)
                 return(ssl3_write_pending(s,type,buf,len));
@@ -542,7 +571,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                 /* if it went, fall through and send more stuff */
                 }
  
                 /* if it went, fall through and send more stuff */
                 }
  
-       if (len == 0) return(len);
+       if (len == 0 && !create_empty_fragment)
+               return 0;
  
         wr= &(s->s3->wrec);
         wb= &(s->s3->wbuf);
  
         wr= &(s->s3->wrec);
         wb= &(s->s3->wbuf);
@@ -558,16 +588,44 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
         else
                 mac_size=EVP_MD_size(s->write_hash);
  
         else
                 mac_size=EVP_MD_size(s->write_hash);
  
-       p=wb->buf;
+       /* 'create_empty_fragment' is true only when this function calls itself */
+       if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done)
+               {
+               /* countermeasure against known-IV weakness in CBC ciphersuites
+                * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
+
+               if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
+                       {
+                       /* recursive function call with 'create_empty_fragment' set;
+                        * this prepares and buffers the data for an empty fragment
+                        * (these 'prefix_len' bytes are sent out later
+                        * together with the actual payload) */
+                       prefix_len = do_ssl3_write(s, type, buf, 0, 1);
+                       if (prefix_len <= 0)
+                               goto err;
+
+                       if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
+                               {
+                               /* insufficient space */
+                               SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
+                               goto err;
+                               }
+                       }
+               
+               s->s3->empty_fragment_done = 1;
+               }
+
+       p = wb->buf + prefix_len;
  
         /* write the header */
  
         /* write the header */
+
         *(p++)=type&0xff;
         wr->type=type;
  
         *(p++)=(s->version>>8);
         *(p++)=s->version&0xff;
  
         *(p++)=type&0xff;
         wr->type=type;
  
         *(p++)=(s->version>>8);
         *(p++)=s->version&0xff;
  
-       /* record where we are to write out packet length */
+       /* field where we are to write out packet length */
         plen=p; 
         p+=2;
  
         plen=p; 
         p+=2;
  
@@ -618,19 +676,28 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
         wr->type=type; /* not needed but helps for debugging */
         wr->length+=SSL3_RT_HEADER_LENGTH;
  
         wr->type=type; /* not needed but helps for debugging */
         wr->length+=SSL3_RT_HEADER_LENGTH;
  
-       /* Now lets setup wb */
-       wb->left=wr->length;
-       wb->offset=0;
+       if (create_empty_fragment)
+               {
+               /* we are in a recursive call;
+                * just return the length, don't write out anything here
+                */
+               return wr->length;
+               }
  
  
+       /* now let's set up wb */
+       wb->left = prefix_len + wr->length;
+       wb->offset = 0;
+
+       /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
         s->s3->wpend_tot=len;
         s->s3->wpend_buf=buf;
         s->s3->wpend_type=type;
         s->s3->wpend_ret=len;
  
         /* we now just need to write the buffer */
         s->s3->wpend_tot=len;
         s->s3->wpend_buf=buf;
         s->s3->wpend_type=type;
         s->s3->wpend_ret=len;
  
         /* we now just need to write the buffer */
-       return(ssl3_write_pending(s,type,buf,len));
+       return ssl3_write_pending(s,type,buf,len);
  err:
  err:
-       return(-1);
+       return -1;
         }
  
  /* if s->s3->wbuf.left != 0, we need to call this */
         }
  
  /* if s->s3->wbuf.left != 0, we need to call this */
@@ -704,20 +771,21 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
   *     Application data protocol
   *             none of our business
   */
   *     Application data protocol
   *             none of our business
   */
-int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
+int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
         {
         {
-       int al,i,j,n,ret;
+       int al,i,j,ret;
+       unsigned int n;
         SSL3_RECORD *rr;
         SSL3_RECORD *rr;
-       void (*cb)()=NULL;
-       BIO *bio;
+       void (*cb)(const SSL *ssl,int type2,int val)=NULL;
  
         if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
                 if (!ssl3_setup_buffers(s))
                         return(-1);
  
  
         if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
                 if (!ssl3_setup_buffers(s))
                         return(-1);
  
-       if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type)
+       if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
+           (peek && (type != SSL3_RT_APPLICATION_DATA)))
                 {
                 {
-               SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
                 return -1;
                 }
  
                 return -1;
                 }
  
@@ -726,7 +794,9 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
                 {
                 unsigned char *src = s->s3->handshake_fragment;
                 unsigned char *dst = buf;
                 {
                 unsigned char *src = s->s3->handshake_fragment;
                 unsigned char *dst = buf;
+               unsigned int k;
  
  
+               /* peek == 0 */
                 n = 0;
                 while ((len > 0) && (s->s3->handshake_fragment_len > 0))
                         {
                 n = 0;
                 while ((len > 0) && (s->s3->handshake_fragment_len > 0))
                         {
@@ -735,8 +805,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
                         n++;
                         }
                 /* move any remaining fragment bytes: */
                         n++;
                         }
                 /* move any remaining fragment bytes: */
-               for (i = 0; i < s->s3->handshake_fragment_len; i++)
-                       s->s3->handshake_fragment[i] = *src++;
+               for (k = 0; k < s->s3->handshake_fragment_len; k++)
+                       s->s3->handshake_fragment[k] = *src++;
                 return n;
         }
  
                 return n;
         }
  
@@ -762,7 +832,7 @@ start:
          * s->s3->rrec.length,  - number of bytes. */
         rr = &(s->s3->rrec);
  
          * s->s3->rrec.length,  - number of bytes. */
         rr = &(s->s3->rrec);
  
-       /* get new packet */
+       /* get new packet if necessary */
         if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
                 {
                 ret=ssl3_get_record(s);
         if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
                 {
                 ret=ssl3_get_record(s);
@@ -780,7 +850,8 @@ start:
                 goto err;
                 }
  
                 goto err;
                 }
  
-       /* If the other end has shutdown, throw anything we read away */
+       /* If the other end has shut down, throw anything we read away
+        * (even in 'peek' mode) */
         if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
                 {
                 rr->length=0;
         if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
                 {
                 rr->length=0;
@@ -804,17 +875,20 @@ start:
                 if (len <= 0) return(len);
  
                 if ((unsigned int)len > rr->length)
                 if (len <= 0) return(len);
  
                 if ((unsigned int)len > rr->length)
-                       n=rr->length;
+                       n = rr->length;
                 else
                 else
-                       n=len;
+                       n = (unsigned int)len;
  
  
-               memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
-               rr->length-=n;
-               rr->off+=n;
-               if (rr->length == 0)
+               memcpy(buf,&(rr->data[rr->off]),n);
+               if (!peek)
                         {
                         {
-                       s->rstate=SSL_ST_READ_HEADER;
-                       rr->off=0;
+                       rr->length-=n;
+                       rr->off+=n;
+                       if (rr->length == 0)
+                               {
+                               s->rstate=SSL_ST_READ_HEADER;
+                               rr->off=0;
+                               }
                         }
                 return(n);
                 }
                         }
                 return(n);
                 }
@@ -827,9 +901,9 @@ start:
          * fill that so that we can process the data at a fixed place.
          */
                 {
          * fill that so that we can process the data at a fixed place.
          */
                 {
-               int dest_maxlen = 0;
-               unsigned char *dest;
-               int *dest_len;
+               unsigned int dest_maxlen = 0;
+               unsigned char *dest = NULL;
+               unsigned int *dest_len = NULL;
  
                 if (rr->type == SSL3_RT_HANDSHAKE)
                         {
  
                 if (rr->type == SSL3_RT_HANDSHAKE)
                         {
@@ -883,6 +957,9 @@ start:
                         goto err;
                         }
  
                         goto err;
                         }
  
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
+
                 if (SSL_is_init_finished(s) &&
                         !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
                         !s->s3->renegotiate)
                 if (SSL_is_init_finished(s) &&
                         !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
                         !s->s3->renegotiate)
@@ -890,13 +967,30 @@ start:
                         ssl3_renegotiate(s);
                         if (ssl3_renegotiate_check(s))
                                 {
                         ssl3_renegotiate(s);
                         if (ssl3_renegotiate_check(s))
                                 {
-                               n=s->handshake_func(s);
-                               if (n < 0) return(n);
-                               if (n == 0)
+                               i=s->handshake_func(s);
+                               if (i < 0) return(i);
+                               if (i == 0)
                                         {
                                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
                                         return(-1);
                                         }
                                         {
                                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
                                         return(-1);
                                         }
+
+                               if (!(s->mode & SSL_MODE_AUTO_RETRY))
+                                       {
+                                       if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+                                               {
+                                               BIO *bio;
+                                               /* In the case where we try to read application data,
+                                                * but we trigger an SSL handshake, we return -1 with
+                                                * the retry option set.  Otherwise renegotiation may
+                                                * cause nasty problems in the blocking world */
+                                               s->rwstate=SSL_READING;
+                                               bio=SSL_get_rbio(s);
+                                               BIO_clear_retry_flags(bio);
+                                               BIO_set_retry_read(bio);
+                                               return(-1);
+                                               }
+                                       }
                                 }
                         }
                 /* we either finished a handshake or ignored the request,
                                 }
                         }
                 /* we either finished a handshake or ignored the request,
@@ -906,11 +1000,14 @@ start:
  
         if (s->s3->alert_fragment_len >= 2)
                 {
  
         if (s->s3->alert_fragment_len >= 2)
                 {
-               i = s->s3->alert_fragment[0];
-               n = s->s3->alert_fragment[1];
+               int alert_level = s->s3->alert_fragment[0];
+               int alert_descr = s->s3->alert_fragment[1];
  
                 s->s3->alert_fragment_len = 0;
  
  
                 s->s3->alert_fragment_len = 0;
  
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
+
                 if (s->info_callback != NULL)
                         cb=s->info_callback;
                 else if (s->ctx->info_callback != NULL)
                 if (s->info_callback != NULL)
                         cb=s->info_callback;
                 else if (s->ctx->info_callback != NULL)
@@ -918,28 +1015,27 @@ start:
  
                 if (cb != NULL)
                         {
  
                 if (cb != NULL)
                         {
-                       j=(i<<8)|n;
-                       cb(s,SSL_CB_READ_ALERT,j);
+                       j = (alert_level << 8) | alert_descr;
+                       cb(s, SSL_CB_READ_ALERT, j);
                         }
  
                         }
  
-               if (i == 1) /* warning */
+               if (alert_level == 1) /* warning */
                         {
                         {
-                       s->s3->warn_alert=n;
-                       if (n == SSL_AD_CLOSE_NOTIFY)
+                       s->s3->warn_alert = alert_descr;
+                       if (alert_descr == SSL_AD_CLOSE_NOTIFY)
                                 {
                                 {
-                               s->shutdown|=SSL_RECEIVED_SHUTDOWN;
+                               s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                                 return(0);
                                 }
                         }
                                 return(0);
                                 }
                         }
-               else if (i == 2) /* fatal */
+               else if (alert_level == 2) /* fatal */
                         {
                         char tmp[16];
  
                         s->rwstate=SSL_NOTHING;
                         {
                         char tmp[16];
  
                         s->rwstate=SSL_NOTHING;
-                       s->s3->fatal_alert=n;
-                       SSLerr(SSL_F_SSL3_READ_BYTES,
-                               SSL_AD_REASON_OFFSET+n);
-                       sprintf(tmp,"%d",n);
+                       s->s3->fatal_alert = alert_descr;
+                       SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
+                       BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
                         ERR_add_error_data(2,"SSL alert number ",tmp);
                         s->shutdown|=SSL_RECEIVED_SHUTDOWN;
                         SSL_CTX_remove_session(s->ctx,s->session);
                         ERR_add_error_data(2,"SSL alert number ",tmp);
                         s->shutdown|=SSL_RECEIVED_SHUTDOWN;
                         SSL_CTX_remove_session(s->ctx,s->session);
@@ -975,6 +1071,10 @@ start:
                         }
  
                 rr->length=0;
                         }
  
                 rr->length=0;
+
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
+
                 s->s3->change_cipher_spec=1;
                 if (!do_change_cipher_spec(s))
                         goto err;
                 s->s3->change_cipher_spec=1;
                 if (!do_change_cipher_spec(s))
                         goto err;
@@ -988,39 +1088,52 @@ start:
                 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
                         !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
                         {
                 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
                         !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
                         {
+#if 0 /* worked only because C operator preferences are not as expected (and
+       * because this is not really needed for clients except for detecting
+       * protocol violations): */
                         s->state=SSL_ST_BEFORE|(s->server)
                                 ?SSL_ST_ACCEPT
                                 :SSL_ST_CONNECT;
                         s->state=SSL_ST_BEFORE|(s->server)
                                 ?SSL_ST_ACCEPT
                                 :SSL_ST_CONNECT;
+#else
+                       s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
+#endif
                         s->new_session=1;
                         }
                         s->new_session=1;
                         }
-               n=s->handshake_func(s);
-               if (n < 0) return(n);
-               if (n == 0)
+               i=s->handshake_func(s);
+               if (i < 0) return(i);
+               if (i == 0)
                         {
                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
                         return(-1);
                         }
  
                         {
                         SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
                         return(-1);
                         }
  
-               /* In the case where we try to read application data
-                * the first time, but we trigger an SSL handshake, we
-                * return -1 with the retry option set.  I do this
-                * otherwise renegotiation can cause nasty problems 
-                * in the non-blocking world */
-
-               s->rwstate=SSL_READING;
-               bio=SSL_get_rbio(s);
-               BIO_clear_retry_flags(bio);
-               BIO_set_retry_read(bio);
-               return(-1);
+               if (!(s->mode & SSL_MODE_AUTO_RETRY))
+                       {
+                       if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+                               {
+                               BIO *bio;
+                               /* In the case where we try to read application data,
+                                * but we trigger an SSL handshake, we return -1 with
+                                * the retry option set.  Otherwise renegotiation may
+                                * cause nasty problems in the blocking world */
+                               s->rwstate=SSL_READING;
+                               bio=SSL_get_rbio(s);
+                               BIO_clear_retry_flags(bio);
+                               BIO_set_retry_read(bio);
+                               return(-1);
+                               }
+                       }
+               goto start;
                 }
  
         switch (rr->type)
                 {
         default:
                 }
  
         switch (rr->type)
                 {
         default:
-#ifndef NO_TLS
+#ifndef OPENSSL_NO_TLS
                 /* TLS just ignores unknown message types */
                 if (s->version == TLS1_VERSION)
                         {
                 /* TLS just ignores unknown message types */
                 if (s->version == TLS1_VERSION)
                         {
+                       rr->length = 0;
                         goto start;
                         }
  #endif
                         goto start;
                         }
  #endif
@@ -1034,14 +1147,14 @@ start:
                  * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
                  * should not happen when type != rr->type */
                 al=SSL_AD_UNEXPECTED_MESSAGE;
                  * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
                  * should not happen when type != rr->type */
                 al=SSL_AD_UNEXPECTED_MESSAGE;
-               SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
                 goto f_err;
         case SSL3_RT_APPLICATION_DATA:
                 /* At this point, we were expecting handshake data,
                  * but have application data.  If the library was
                  * running inside ssl3_read() (i.e. in_read_app_data
                  * is set) and it makes sense to read application data
                 goto f_err;
         case SSL3_RT_APPLICATION_DATA:
                 /* At this point, we were expecting handshake data,
                  * but have application data.  If the library was
                  * running inside ssl3_read() (i.e. in_read_app_data
                  * is set) and it makes sense to read application data
-                * at this point (session renegotation not yet started),
+                * at this point (session renegotiation not yet started),
                  * we will indulge it.
                  */
                 if (s->s3->in_read_app_data &&
                  * we will indulge it.
                  */
                 if (s->s3->in_read_app_data &&
@@ -1057,7 +1170,7 @@ start:
                                         )
                                 ))
                         {
                                         )
                                 ))
                         {
-                       s->s3->in_read_app_data=0;
+                       s->s3->in_read_app_data=2;
                         return(-1);
                         }
                 else
                         return(-1);
                         }
                 else
@@ -1117,30 +1230,12 @@ static int do_change_cipher_spec(SSL *s)
         return(1);
         }
  
         return(1);
         }
  
-/* send s->init_buf in records of type 'type' */
-int ssl3_do_write(SSL *s, int type)
-       {
-       int ret;
-
-       ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
-                            s->init_num);
-       if (ret < 0) return(-1);
-       if (type == SSL3_RT_HANDSHAKE)
-               /* should not be done for 'Hello Request's, but in that case
-                * we'll ignore the result anyway */
-               ssl3_finish_mac(s,&s->init_buf->data[s->init_off],ret);
-       
-       if (ret == s->init_num)
-               return(1);
-       s->init_off+=ret;
-       s->init_num-=ret;
-       return(0);
-       }
-
  void ssl3_send_alert(SSL *s, int level, int desc)
         {
         /* Map tls/ssl alert value to correct one */
         desc=s->method->ssl3_enc->alert_value(desc);
  void ssl3_send_alert(SSL *s, int level, int desc)
         {
         /* Map tls/ssl alert value to correct one */
         desc=s->method->ssl3_enc->alert_value(desc);
+       if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
+               desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
         if (desc < 0) return;
         /* If a fatal one, remove from cache */
         if ((level == 2) && (s->session != NULL))
         if (desc < 0) return;
         /* If a fatal one, remove from cache */
         if ((level == 2) && (s->session != NULL))
@@ -1149,7 +1244,7 @@ void ssl3_send_alert(SSL *s, int level, int desc)
         s->s3->alert_dispatch=1;
         s->s3->send_alert[0]=level;
         s->s3->send_alert[1]=desc;
         s->s3->alert_dispatch=1;
         s->s3->send_alert[0]=level;
         s->s3->send_alert[1]=desc;
-       if (s->s3->wbuf.left == 0) /* data still being written out */
+       if (s->s3->wbuf.left == 0) /* data still being written out? */
                 ssl3_dispatch_alert(s);
         /* else data is still being written out, we will get written
          * some time in the future */
                 ssl3_dispatch_alert(s);
         /* else data is still being written out, we will get written
          * some time in the future */
@@ -1158,22 +1253,25 @@ void ssl3_send_alert(SSL *s, int level, int desc)
  int ssl3_dispatch_alert(SSL *s)
         {
         int i,j;
  int ssl3_dispatch_alert(SSL *s)
         {
         int i,j;
-       void (*cb)()=NULL;
+       void (*cb)(const SSL *ssl,int type,int val)=NULL;
  
         s->s3->alert_dispatch=0;
  
         s->s3->alert_dispatch=0;
-       i=do_ssl3_write(s,SSL3_RT_ALERT,&s->s3->send_alert[0],2);
+       i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
         if (i <= 0)
                 {
                 s->s3->alert_dispatch=1;
                 }
         else
                 {
         if (i <= 0)
                 {
                 s->s3->alert_dispatch=1;
                 }
         else
                 {
-               /* If it is important, send it now.  If the message
-                * does not get sent due to non-blocking IO, we will
-                * not worry too much. */
+               /* Alert sent to BIO.  If it is important, flush it now.
+                * If the message does not get sent due to non-blocking IO,
+                * we will not worry too much. */
                 if (s->s3->send_alert[0] == SSL3_AL_FATAL)
                         (void)BIO_flush(s->wbio);
  
                 if (s->s3->send_alert[0] == SSL3_AL_FATAL)
                         (void)BIO_flush(s->wbio);
  
+               if (s->msg_callback)
+                       s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
+
                 if (s->info_callback != NULL)
                         cb=s->info_callback;
                 else if (s->ctx->info_callback != NULL)
                 if (s->info_callback != NULL)
                         cb=s->info_callback;
                 else if (s->ctx->info_callback != NULL)