[PR3597] Advance to the next state variant when reusing messages.

[openssl.git] / ssl / s3_pkt.c

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index bba8f3df571940f8f9ad5b8cda6fdaecce796944..8fedf5a80d7c64e4815dd1706f9cf7c039abaedb 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -574,7 +574,7 @@ printf("\n");
                if (empty_record_count > MAX_EMPTY_RECORDS)
                        {
                        al=SSL_AD_UNEXPECTED_MESSAGE;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_TOO_MANY_EMPTY_FRAGMENTS);
+                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_RECORD_TOO_SMALL);
                        goto f_err;
                        }
                goto again;
@@ -643,6 +643,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 #endif
        SSL3_BUFFER *wb=&(s->s3->wbuf);
        int i;
+       unsigned int u_len = (unsigned int)len;
+
+       if (len < 0)
+               {
+               SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_NEGATIVE_LENGTH);
+               return -1;
+               }
 
        s->rwstate=SSL_NOTHING;
        OPENSSL_assert(s->s3->wnum <= INT_MAX);
@@ -697,7 +704,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
         * compromise is considered worthy.
         */
        if (type==SSL3_RT_APPLICATION_DATA &&
-           len >= 4*(int)(max_send_fragment=s->max_send_fragment) &&
+           u_len >= 4*(max_send_fragment=s->max_send_fragment) &&
            s->compress==NULL && s->msg_callback==NULL &&
            !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) &&
            EVP_CIPHER_flags(s->enc_write_ctx->cipher)&EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
@@ -707,7 +714,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                int packlen;
 
                /* minimize address aliasing conflicts */
-               if ((max_send_fragment&0xffff) == 0)
+               if ((max_send_fragment&0xfff) == 0)
                        max_send_fragment -= 512;
 
                if (tot==0 || wb->buf==NULL)    /* allocate jumbo buffer */
@@ -718,7 +725,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                                        EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE,
                                        max_send_fragment,NULL);
 
-                       if (len>=8*(int)max_send_fragment)      packlen *= 8;
+                       if (u_len >= 8*max_send_fragment)       packlen *= 8;
                        else                            packlen *= 4;
 
                        wb->buf=OPENSSL_malloc(packlen);
@@ -1111,8 +1118,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                wr->length += eivlen;
                }
 
-       /* ssl3_enc can only have an error on read */
-       s->method->ssl3_enc->enc(s,1);
+       if(s->method->ssl3_enc->enc(s,1)<1) goto err;
 
        if (SSL_USE_ETM(s) && mac_size != 0)
                {
@@ -1247,7 +1253,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                if (!ssl3_setup_read_buffer(s))
                        return(-1);
 
-       if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
+       if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE)) ||
            (peek && (type != SSL3_RT_APPLICATION_DATA)))
                {
                SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
@@ -1786,7 +1792,7 @@ int ssl3_send_alert(SSL *s, int level, int desc)
                desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
        if (desc < 0) return -1;
        /* If a fatal one, remove from cache */
-       if ((level == 2) && (s->session != NULL))
+       if ((level == SSL3_AL_FATAL) && (s->session != NULL))
                SSL_CTX_remove_session(s->ctx,s->session);
 
        s->s3->alert_dispatch=1;