Move the SCT List extension parser into libssl.
[openssl.git] / ssl / s3_pkt.c
index fcb3d17..b9e45c7 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
 #include <stdio.h>
 #include <errno.h>
 #define USE_SOCKETS
+#include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include "ssl_locl.h"
+#include <openssl/rand.h>
+
+#ifndef  EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
+# define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0
+#endif
+
+#if    defined(OPENSSL_SMALL_FOOTPRINT) || \
+       !(      defined(AES_ASM) &&     ( \
+               defined(__x86_64)       || defined(__x86_64__)  || \
+               defined(_M_AMD64)       || defined(_M_X64)      || \
+               defined(__INTEL__)      ) \
+       )
+# undef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
+# define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0
+#endif
 
 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
-                        unsigned int len);
-static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
-                             unsigned int len);
+                        unsigned int len, int create_empty_fragment);
 static int ssl3_get_record(SSL *s);
-static int do_compress(SSL *ssl);
-static int do_uncompress(SSL *ssl);
-static int do_change_cipher_spec(SSL *ssl);
 
-/* used only by ssl3_get_record */
-static int ssl3_read_n(SSL *s, int n, int max, int extend)
+int ssl3_read_n(SSL *s, int n, int max, int extend)
        {
        /* If extend == 0, obtain new n-byte packet; if extend == 1, increase
         * packet by another n bytes.
@@ -135,67 +144,113 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend)
         * (If s->read_ahead is set, 'max' bytes may be stored in rbuf
         * [plus s->packet_length bytes if extend == 1].)
         */
-       int i,off,newb;
+       int i,len,left;
+       long align=0;
+       unsigned char *pkt;
+       SSL3_BUFFER *rb;
+
+       if (n <= 0) return n;
+
+       rb    = &(s->s3->rbuf);
+       if (rb->buf == NULL)
+               if (!ssl3_setup_read_buffer(s))
+                       return -1;
+
+       left  = rb->left;
+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
+       align = (long)rb->buf + SSL3_RT_HEADER_LENGTH;
+       align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
+#endif
 
        if (!extend)
                {
                /* start with empty packet ... */
-               if (s->s3->rbuf.left == 0)
-                       s->s3->rbuf.offset = 0;
-               s->packet = s->s3->rbuf.buf + s->s3->rbuf.offset;
+               if (left == 0)
+                       rb->offset = align;
+               else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH)
+                       {
+                       /* check if next packet length is large
+                        * enough to justify payload alignment... */
+                       pkt = rb->buf + rb->offset;
+                       if (pkt[0] == SSL3_RT_APPLICATION_DATA
+                           && (pkt[3]<<8|pkt[4]) >= 128)
+                               {
+                               /* Note that even if packet is corrupted
+                                * and its length field is insane, we can
+                                * only be led to wrong decision about
+                                * whether memmove will occur or not.
+                                * Header values has no effect on memmove
+                                * arguments and therefore no buffer
+                                * overrun can be triggered. */
+                               memmove (rb->buf+align,pkt,left);
+                               rb->offset = align;
+                               }
+                       }
+               s->packet = rb->buf + rb->offset;
                s->packet_length = 0;
                /* ... now we can act as if 'extend' was set */
                }
 
+       /* For DTLS/UDP reads should not span multiple packets
+        * because the read operation returns the whole packet
+        * at once (as long as it fits into the buffer). */
+       if (SSL_IS_DTLS(s))
+               {
+               if (left > 0 && n > left)
+                       n = left;
+               }
+
        /* if there is enough in the buffer from a previous read, take some */
-       if (s->s3->rbuf.left >= (int)n)
+       if (left >= n)
                {
                s->packet_length+=n;
-               s->s3->rbuf.left-=n;
-               s->s3->rbuf.offset+=n;
+               rb->left=left-n;
+               rb->offset+=n;
                return(n);
                }
 
        /* else we need to read more data */
-       if (!s->read_ahead)
-               max=n;
 
-       {
-               /* avoid buffer overflow */
-               int max_max = SSL3_RT_MAX_PACKET_SIZE - s->packet_length;
-               if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-                       max_max += SSL3_RT_MAX_EXTRA;
-               if (max > max_max)
-                       max = max_max;
-       }
-       if (n > max) /* does not happen */
+       len = s->packet_length;
+       pkt = rb->buf+align;
+       /* Move any available bytes to front of buffer:
+        * 'len' bytes already pointed to by 'packet',
+        * 'left' extra ones at the end */
+       if (s->packet != pkt) /* len > 0 */
+               {
+               memmove(pkt, s->packet, len+left);
+               s->packet = pkt;
+               rb->offset = len + align;
+               }
+
+       if (n > (int)(rb->len - rb->offset)) /* does not happen */
                {
-               SSLerr(SSL_F_SSL3_READ_N,SSL_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
                return -1;
                }
 
-       off = s->packet_length;
-       newb = s->s3->rbuf.left;
-       /* Move any available bytes to front of buffer:
-        * 'off' bytes already pointed to by 'packet',
-        * 'newb' extra ones at the end */
-       if (s->packet != s->s3->rbuf.buf)
+       if (!s->read_ahead)
+               /* ignore max parameter */
+               max = n;
+       else
                {
-               /*  off > 0 */
-               memmove(s->s3->rbuf.buf, s->packet, off+newb);
-               s->packet = s->s3->rbuf.buf;
+               if (max < n)
+                       max = n;
+               if (max > (int)(rb->len - rb->offset))
+                       max = rb->len - rb->offset;
                }
 
-       while (newb < n)
+       while (left < n)
                {
-               /* Now we have off+newb bytes at the front of s->s3->rbuf.buf and need
-                * to read in more until we have off+n (up to off+max if possible) */
+               /* Now we have len+left bytes at the front of s->s3->rbuf.buf
+                * and need to read in more until we have len+n (up to
+                * len+max if possible) */
 
                clear_sys_error();
                if (s->rbio != NULL)
                        {
                        s->rwstate=SSL_READING;
-                       i=BIO_read(s->rbio,     &(s->s3->rbuf.buf[off+newb]), max-newb);
+                       i=BIO_read(s->rbio,pkt+len+left, max-left);
                        }
                else
                        {
@@ -205,20 +260,38 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend)
 
                if (i <= 0)
                        {
-                       s->s3->rbuf.left = newb;
+                       rb->left = left;
+                       if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
+                               !SSL_IS_DTLS(s))
+                               if (len+left == 0)
+                                       ssl3_release_read_buffer(s);
                        return(i);
                        }
-               newb+=i;
+               left+=i;
+               /* reads should *never* span multiple packets for DTLS because
+                * the underlying transport protocol is message oriented as opposed
+                * to byte oriented as in the TLS case. */
+               if (SSL_IS_DTLS(s))
+                       {
+                       if (n > left)
+                               n = left; /* makes the while condition false */
+                       }
                }
 
        /* done reading, now the book-keeping */
-       s->s3->rbuf.offset = off + n;
-       s->s3->rbuf.left = newb - n;
+       rb->offset += n;
+       rb->left = left - n;
        s->packet_length += n;
        s->rwstate=SSL_NOTHING;
        return(n);
        }
 
+/* MAX_EMPTY_RECORDS defines the number of consecutive, empty records that will
+ * be processed per call to ssl3_get_record. Without this limit an attacker
+ * could send empty records at a faster rate than we can process and cause
+ * ssl3_get_record to loop forever. */
+#define MAX_EMPTY_RECORDS 32
+
 /* Call this to get a new input record.
  * It will return <= 0 if more data is needed, normally due to an error
  * or non-blocking IO.
@@ -231,14 +304,15 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend)
 static int ssl3_get_record(SSL *s)
        {
        int ssl_major,ssl_minor,al;
-       int n,i,ret= -1;
+       int enc_err,n,i,ret= -1;
        SSL3_RECORD *rr;
        SSL_SESSION *sess;
        unsigned char *p;
        unsigned char md[EVP_MAX_MD_SIZE];
        short version;
-       unsigned int mac_size;
-       int clear=0,extra;
+       unsigned mac_size;
+       size_t extra;
+       unsigned empty_record_count = 0;
 
        rr= &(s->s3->rrec);
        sess=s->session;
@@ -247,18 +321,26 @@ static int ssl3_get_record(SSL *s)
                extra=SSL3_RT_MAX_EXTRA;
        else
                extra=0;
+       if (extra && !s->s3->init_extra)
+               {
+               /* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
+                * set after ssl3_setup_buffers() was done */
+               SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
+               return -1;
+               }
 
 again:
        /* check if we have the header */
        if (    (s->rstate != SSL_ST_READ_BODY) ||
                (s->packet_length < SSL3_RT_HEADER_LENGTH)) 
                {
-               n=ssl3_read_n(s,SSL3_RT_HEADER_LENGTH,
-                       SSL3_RT_MAX_PACKET_SIZE,0);
+               n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
                if (n <= 0) return(n); /* error or non-blocking */
                s->rstate=SSL_ST_READ_BODY;
 
                p=s->packet;
+               if (s->msg_callback)
+                       s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s, s->msg_callback_arg);
 
                /* Pull apart the header into the SSL3_RECORD */
                rr->type= *(p++);
@@ -266,20 +348,19 @@ again:
                ssl_minor= *(p++);
                version=(ssl_major<<8)|ssl_minor;
                n2s(p,rr->length);
+#if 0
+fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
+#endif
 
                /* Lets check version */
-               if (s->first_packet)
-                       {
-                       s->first_packet=0;
-                       }
-               else
+               if (!s->first_packet)
                        {
                        if (version != s->version)
                                {
                                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                               /* Send back error using their
-                                * version number :-) */
-                               s->version=version;
+                                if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
+                                       /* Send back error using their minor version number :-) */
+                                       s->version = (unsigned short)version;
                                al=SSL_AD_PROTOCOL_VERSION;
                                goto f_err;
                                }
@@ -291,8 +372,7 @@ again:
                        goto err;
                        }
 
-               if (rr->length > 
-                       (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
+               if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH)
                        {
                        al=SSL_AD_RECORD_OVERFLOW;
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
@@ -304,7 +384,7 @@ again:
 
        /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
 
-       if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH))
+       if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH)
                {
                /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
                i=rr->length;
@@ -332,7 +412,7 @@ again:
         * rr->length bytes of encrypted compressed stuff. */
 
        /* check is not needed I believe */
-       if (rr->length > (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
+       if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
                {
                al=SSL_AD_RECORD_OVERFLOW;
                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
@@ -341,62 +421,125 @@ again:
 
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;
+       rr->orig_len=rr->length;
+       /* If in encrypt-then-mac mode calculate mac from encrypted record.
+        * All the details below are public so no timing details can leak.
+        */
+       if (SSL_USE_ETM(s) && s->read_hash)
+               {
+               unsigned char *mac;
+               mac_size=EVP_MD_CTX_size(s->read_hash);
+               OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
+               if (rr->length < mac_size)
+                       {
+                       al=SSL_AD_DECODE_ERROR;
+                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
+               rr->length -= mac_size;
+               mac = rr->data + rr->length;
+               i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
+               if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
+                       {
+                       al=SSL_AD_BAD_RECORD_MAC;
+                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+                       goto f_err;
+                       }
+               }
 
-       if (!s->method->ssl3_enc->enc(s,0))
+       enc_err = s->method->ssl3_enc->enc(s,0);
+       /* enc_err is:
+        *    0: (in non-constant time) if the record is publically invalid.
+        *    1: if the padding is valid
+        *    -1: if the padding is invalid */
+       if (enc_err == 0)
                {
-               al=SSL_AD_DECRYPT_ERROR;
+               al=SSL_AD_DECRYPTION_FAILED;
+               SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
                goto f_err;
                }
+
 #ifdef TLS_DEBUG
 printf("dec %d\n",rr->length);
 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
 printf("\n");
 #endif
-       /* r->length is now the compressed data plus mac */
-       if (    (sess == NULL) ||
-               (s->enc_read_ctx == NULL) ||
-               (s->read_hash == NULL))
-               clear=1;
 
-       if (!clear)
+       /* r->length is now the compressed data plus mac */
+       if ((sess != NULL) &&
+           (s->enc_read_ctx != NULL) &&
+           (EVP_MD_CTX_md(s->read_hash) != NULL) && !SSL_USE_ETM(s))
                {
-               mac_size=EVP_MD_size(s->read_hash);
-
-               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
-                       {
-                       al=SSL_AD_RECORD_OVERFLOW;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
-                       goto f_err;
-                       }
-               /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
-               if (rr->length < mac_size)
+               /* s->read_hash != NULL => mac_size != -1 */
+               unsigned char *mac = NULL;
+               unsigned char mac_tmp[EVP_MAX_MD_SIZE];
+               mac_size=EVP_MD_CTX_size(s->read_hash);
+               OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
+
+               /* orig_len is the length of the record before any padding was
+                * removed. This is public information, as is the MAC in use,
+                * therefore we can safely process the record in a different
+                * amount of time if it's too short to possibly contain a MAC.
+                */
+               if (rr->orig_len < mac_size ||
+                   /* CBC records must have a padding length byte too. */
+                   (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+                    rr->orig_len < mac_size+1))
                        {
                        al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
                        goto f_err;
                        }
-               rr->length-=mac_size;
-               i=s->method->ssl3_enc->mac(s,md,0);
-               if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+
+               if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
                        {
-                       al=SSL_AD_BAD_RECORD_MAC;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_MAC_DECODE);
-                       ret= -1;
-                       goto f_err;
+                       /* We update the length so that the TLS header bytes
+                        * can be constructed correctly but we need to extract
+                        * the MAC in constant time from within the record,
+                        * without leaking the contents of the padding bytes.
+                        * */
+                       mac = mac_tmp;
+                       ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
+                       rr->length -= mac_size;
+                       }
+               else
+                       {
+                       /* In this case there's no padding, so |rec->orig_len|
+                        * equals |rec->length| and we checked that there's
+                        * enough bytes for |mac_size| above. */
+                       rr->length -= mac_size;
+                       mac = &rr->data[rr->length];
                        }
+
+               i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
+               if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
+                       enc_err = -1;
+               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
+                       enc_err = -1;
+               }
+
+       if (enc_err < 0)
+               {
+               /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
+                * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
+                * failure is directly visible from the ciphertext anyway,
+                * we should not reveal which kind of error occurred -- this
+                * might become visible to an attacker (e.g. via a logfile) */
+               al=SSL_AD_BAD_RECORD_MAC;
+               SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+               goto f_err;
                }
 
        /* r->length is now just compressed */
        if (s->expand != NULL)
                {
-               if (rr->length > 
-                       (unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
+               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
                        {
                        al=SSL_AD_RECORD_OVERFLOW;
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
                        goto f_err;
                        }
-               if (!do_uncompress(s))
+               if (!ssl3_do_uncompress(s))
                        {
                        al=SSL_AD_DECOMPRESSION_FAILURE;
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
@@ -404,7 +547,7 @@ printf("\n");
                        }
                }
 
-       if (rr->length > (unsigned int)SSL3_RT_MAX_PLAIN_LENGTH+extra)
+       if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra)
                {
                al=SSL_AD_RECORD_OVERFLOW;
                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
@@ -424,17 +567,33 @@ printf("\n");
        s->packet_length=0;
 
        /* just read a 0 length packet */
-       if (rr->length == 0) goto again;
+       if (rr->length == 0)
+               {
+               empty_record_count++;
+               if (empty_record_count > MAX_EMPTY_RECORDS)
+                       {
+                       al=SSL_AD_UNEXPECTED_MESSAGE;
+                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_TOO_MANY_EMPTY_FRAGMENTS);
+                       goto f_err;
+                       }
+               goto again;
+               }
+
+#if 0
+fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length);
+#endif
 
        return(1);
+
 f_err:
        ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
        return(ret);
        }
 
-static int do_uncompress(SSL *ssl)
+int ssl3_do_uncompress(SSL *ssl)
        {
+#ifndef OPENSSL_NO_COMP
        int i;
        SSL3_RECORD *rr;
 
@@ -446,12 +605,13 @@ static int do_uncompress(SSL *ssl)
        else
                rr->length=i;
        rr->data=rr->comp;
-
+#endif
        return(1);
        }
 
-static int do_compress(SSL *ssl)
+int ssl3_do_compress(SSL *ssl)
        {
+#ifndef OPENSSL_NO_COMP
        int i;
        SSL3_RECORD *wr;
 
@@ -465,6 +625,7 @@ static int do_compress(SSL *ssl)
                wr->length=i;
 
        wr->input=wr->data;
+#endif
        return(1);
        }
 
@@ -474,7 +635,12 @@ static int do_compress(SSL *ssl)
 int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
        {
        const unsigned char *buf=buf_;
-       unsigned int tot,n,nw;
+       int tot;
+       unsigned int n,nw;
+#if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
+       unsigned int max_send_fragment;
+#endif
+       SSL3_BUFFER *wb=&(s->s3->wbuf);
        int i;
 
        s->rwstate=SSL_NOTHING;
@@ -488,33 +654,197 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                if (i == 0)
                        {
                        SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
-                       return(-1);
+                       return -1;
+                       }
+               }
+
+       /* first check if there is a SSL3_BUFFER still being written
+        * out.  This will happen with non blocking IO */
+       if (wb->left != 0)
+               {
+               i = ssl3_write_pending(s,type,&buf[tot],s->s3->wpend_tot);
+               if (i<=0)
+                       {
+                       /* XXX should we ssl3_release_write_buffer if i<0? */
+                       s->s3->wnum=tot;
+                       return i;
                        }
+               tot += i;       /* this might be last fragment */
+               }
+
+#if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
+       /*
+        * Depending on platform multi-block can deliver several *times*
+        * better performance. Downside is that it has to allocate
+        * jumbo buffer to accomodate up to 8 records, but the
+        * compromise is considered worthy.
+        */
+       if (type==SSL3_RT_APPLICATION_DATA &&
+           len >= 4*(max_send_fragment=s->max_send_fragment) &&
+           s->compress==NULL && s->msg_callback==NULL &&
+           !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) &&
+           EVP_CIPHER_flags(s->enc_write_ctx->cipher)&EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
+               {
+               unsigned char aad[13];
+               EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
+               int packlen;
+
+               /* minimize address aliasing conflicts */
+               if ((max_send_fragment&0xffff) == 0)
+                       max_send_fragment -= 512;
+
+               if (tot==0 || wb->buf==NULL)    /* allocate jumbo buffer */
+                       {
+                       ssl3_release_write_buffer(s);
+
+                       packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
+                                       EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE,
+                                       max_send_fragment,NULL);
+
+                       if (len>=8*max_send_fragment)   packlen *= 8;
+                       else                            packlen *= 4;
+
+                       wb->buf=OPENSSL_malloc(packlen);
+                       wb->len=packlen;
+                       }
+               else if (tot==len)              /* done? */
+                       {
+                       OPENSSL_free(wb->buf);  /* free jumbo buffer */
+                       wb->buf = NULL;
+                       return tot;
+                       }
+
+               n=(len-tot);
+               for (;;)
+                       {
+                       if (n < 4*max_send_fragment)
+                               {
+                               OPENSSL_free(wb->buf);  /* free jumbo buffer */
+                               wb->buf = NULL;
+                               break;
+                               }
+
+                       if (s->s3->alert_dispatch)
+                               {
+                               i=s->method->ssl_dispatch_alert(s);
+                               if (i <= 0)
+                                       {
+                                       s->s3->wnum=tot;
+                                       return i;
+                                       }
+                               }
+
+                       if (n >= 8*max_send_fragment)
+                               nw = max_send_fragment*(mb_param.interleave=8);
+                       else
+                               nw = max_send_fragment*(mb_param.interleave=4);
+
+                       memcpy(aad,s->s3->write_sequence,8);
+                       aad[8]=type;
+                       aad[9]=(unsigned char)(s->version>>8);
+                       aad[10]=(unsigned char)(s->version);
+                       aad[11]=0;
+                       aad[12]=0;
+                       mb_param.out = NULL;
+                       mb_param.inp = aad;
+                       mb_param.len = nw;
+
+                       packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
+                                       EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
+                                       sizeof(mb_param),&mb_param);
+
+                       if (packlen<=0 || packlen>wb->len)      /* never happens */
+                               {
+                               OPENSSL_free(wb->buf);  /* free jumbo buffer */
+                               wb->buf = NULL;
+                               break;
+                               }
+
+                       mb_param.out = wb->buf;
+                       mb_param.inp = &buf[tot];
+                       mb_param.len = nw;
+
+                       if (EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
+                                       EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
+                                       sizeof(mb_param),&mb_param)<=0)
+                               return -1;
+
+                       s->s3->write_sequence[7] += mb_param.interleave;
+                       if (s->s3->write_sequence[7] < mb_param.interleave)
+                               {
+                               int j=6;
+                               while (j>=0 && (++s->s3->write_sequence[j--])==0) ;
+                               }
+
+                       wb->offset = 0;
+                       wb->left = packlen;
+
+                       s->s3->wpend_tot = nw;
+                       s->s3->wpend_buf = &buf[tot];
+                       s->s3->wpend_type= type;
+                       s->s3->wpend_ret = nw;
+
+                       i = ssl3_write_pending(s,type,&buf[tot],nw);
+                       if (i<=0)
+                               {
+                               if (i<0)
+                                       {
+                                       OPENSSL_free(wb->buf);
+                                       wb->buf = NULL;
+                                       }
+                               s->s3->wnum=tot;
+                               return i;
+                               }
+                       if (i==(int)n)
+                               {
+                               OPENSSL_free(wb->buf);  /* free jumbo buffer */
+                               wb->buf = NULL;
+                               return tot+i;
+                               }
+                       n-=i;
+                       tot+=i;
+                       }
+               }
+       else
+#endif
+       if (tot==len)           /* done? */
+               {
+               if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
+                       !SSL_IS_DTLS(s))
+                       ssl3_release_write_buffer(s);
+
+               return tot;
                }
 
        n=(len-tot);
        for (;;)
                {
-               if (n > SSL3_RT_MAX_PLAIN_LENGTH)
-                       nw=SSL3_RT_MAX_PLAIN_LENGTH;
+               if (n > s->max_send_fragment)
+                       nw=s->max_send_fragment;
                else
                        nw=n;
 
-               i=do_ssl3_write(s,type,&(buf[tot]),nw);
+               i=do_ssl3_write(s, type, &(buf[tot]), nw, 0);
                if (i <= 0)
                        {
+                       /* XXX should we ssl3_release_write_buffer if i<0? */
                        s->s3->wnum=tot;
-                       return(i);
+                       return i;
                        }
 
-               if (type == SSL3_RT_HANDSHAKE)
-                       ssl3_finish_mac(s,&(buf[tot]),i);
-
                if ((i == (int)n) ||
                        (type == SSL3_RT_APPLICATION_DATA &&
                         (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
                        {
-                       return(tot+i);
+                       /* next chunk of data should get another prepended empty fragment
+                        * in ciphersuites with known-IV weakness: */
+                       s->s3->empty_fragment_done = 0;
+
+                       if ((i==(int)n) && s->mode & SSL_MODE_RELEASE_BUFFERS &&
+                               !SSL_IS_DTLS(s))
+                               ssl3_release_write_buffer(s);
+
+                       return tot+i;
                        }
 
                n-=i;
@@ -523,59 +853,203 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
        }
 
 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
-                        unsigned int len)
+                        unsigned int len, int create_empty_fragment)
        {
        unsigned char *p,*plen;
        int i,mac_size,clear=0;
+       int prefix_len=0;
+       int eivlen;
+       long align=0;
        SSL3_RECORD *wr;
-       SSL3_BUFFER *wb;
+       SSL3_BUFFER *wb=&(s->s3->wbuf);
        SSL_SESSION *sess;
 
-       /* first check is there is a SSL3_RECORD still being written
+       if (wb->buf == NULL)
+               if (!ssl3_setup_write_buffer(s))
+                       return -1;
+
+       /* first check if there is a SSL3_BUFFER still being written
         * out.  This will happen with non blocking IO */
-       if (s->s3->wbuf.left != 0)
+       if (wb->left != 0)
                return(ssl3_write_pending(s,type,buf,len));
 
        /* If we have an alert to send, lets send it */
        if (s->s3->alert_dispatch)
                {
-               i=ssl3_dispatch_alert(s);
+               i=s->method->ssl_dispatch_alert(s);
                if (i <= 0)
                        return(i);
                /* if it went, fall through and send more stuff */
                }
 
-       if (len == 0) return(len);
+       if (len == 0 && !create_empty_fragment)
+               return 0;
 
        wr= &(s->s3->wrec);
-       wb= &(s->s3->wbuf);
        sess=s->session;
 
        if (    (sess == NULL) ||
                (s->enc_write_ctx == NULL) ||
-               (s->write_hash == NULL))
+               (EVP_MD_CTX_md(s->write_hash) == NULL))
+               {
+#if 1
+               clear=s->enc_write_ctx?0:1;     /* must be AEAD cipher */
+#else
                clear=1;
-
-       if (clear)
+#endif
                mac_size=0;
+               }
        else
-               mac_size=EVP_MD_size(s->write_hash);
+               {
+               mac_size=EVP_MD_CTX_size(s->write_hash);
+               if (mac_size < 0)
+                       goto err;
+               }
+
+#if 0 && !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
+       if (type==SSL3_RT_APPLICATION_DATA && s->compress==NULL &&
+           !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && /*!SSL_IS_DTLS(s) &&*/
+           EVP_CIPHER_flags(s->enc_write_ctx->cipher)&EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
+               do {
+               unsigned char aad[13];
+               EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param = {NULL,aad,sizeof(aad),0};
+               int packlen;
+
+               memcpy(aad,s->s3->write_sequence,8);
+               aad[8]=type;
+               aad[9]=(unsigned char)(s->version>>8);
+               aad[10]=(unsigned char)(s->version);
+               aad[11]=(unsigned char)(len>>8);
+               aad[12]=(unsigned char)len;
+               packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
+                               EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
+                               sizeof(mb_param),&mb_param);
+
+               if (packlen==0 || packlen > wb->len) break;
+
+               mb_param.out = wb->buf;
+               mb_param.inp = buf;
+               mb_param.len = len;
+               EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
+                               EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
+                               sizeof(mb_param),&mb_param);
+
+               s->s3->write_sequence[7] += mb_param.interleave;
+               if (s->s3->write_sequence[7] < mb_param.interleave)
+                       {
+                       int j=6;
+                       while (j>=0 && (++s->s3->write_sequence[j--])==0) ;
+                       }
+
+               wb->offset=0;
+               wb->left = packlen;
+
+               /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
+               s->s3->wpend_tot=len;
+               s->s3->wpend_buf=buf;
+               s->s3->wpend_type=type;
+               s->s3->wpend_ret=len;
+
+               /* we now just need to write the buffer */
+               return ssl3_write_pending(s,type,buf,len);
+               } while (0);
+#endif
+
+       /* 'create_empty_fragment' is true only when this function calls itself */
+       if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done)
+               {
+               /* countermeasure against known-IV weakness in CBC ciphersuites
+                * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
 
-       p=wb->buf;
+               if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
+                       {
+                       /* recursive function call with 'create_empty_fragment' set;
+                        * this prepares and buffers the data for an empty fragment
+                        * (these 'prefix_len' bytes are sent out later
+                        * together with the actual payload) */
+                       prefix_len = do_ssl3_write(s, type, buf, 0, 1);
+                       if (prefix_len <= 0)
+                               goto err;
+
+                       if (prefix_len >
+               (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD))
+                               {
+                               /* insufficient space */
+                               SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
+                               goto err;
+                               }
+                       }
+               
+               s->s3->empty_fragment_done = 1;
+               }
+
+       if (create_empty_fragment)
+               {
+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
+               /* extra fragment would be couple of cipher blocks,
+                * which would be multiple of SSL3_ALIGN_PAYLOAD, so
+                * if we want to align the real payload, then we can
+                * just pretent we simply have two headers. */
+               align = (long)wb->buf + 2*SSL3_RT_HEADER_LENGTH;
+               align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
+#endif
+               p = wb->buf + align;
+               wb->offset  = align;
+               }
+       else if (prefix_len)
+               {
+               p = wb->buf + wb->offset + prefix_len;
+               }
+       else
+               {
+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
+               align = (long)wb->buf + SSL3_RT_HEADER_LENGTH;
+               align = (-align)&(SSL3_ALIGN_PAYLOAD-1);
+#endif
+               p = wb->buf + align;
+               wb->offset  = align;
+               }
 
        /* write the header */
+
        *(p++)=type&0xff;
        wr->type=type;
 
        *(p++)=(s->version>>8);
-       *(p++)=s->version&0xff;
+       /* Some servers hang if iniatial client hello is larger than 256
+        * bytes and record version number > TLS 1.0
+        */
+       if (s->state == SSL3_ST_CW_CLNT_HELLO_B
+                               && !s->renegotiate
+                               && TLS1_get_version(s) > TLS1_VERSION)
+               *(p++) = 0x1;
+       else
+               *(p++)=s->version&0xff;
 
-       /* record where we are to write out packet length */
+       /* field where we are to write out packet length */
        plen=p; 
        p+=2;
+       /* Explicit IV length, block ciphers appropriate version flag */
+       if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s))
+               {
+               int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
+               if (mode == EVP_CIPH_CBC_MODE)
+                       {
+                       eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
+                       if (eivlen <= 1)
+                               eivlen = 0;
+                       }
+               /* Need explicit part of IV for GCM mode */
+               else if (mode == EVP_CIPH_GCM_MODE)
+                       eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
+               else
+                       eivlen = 0;
+               }
+       else 
+               eivlen = 0;
 
        /* lets setup the record stuff. */
-       wr->data=p;
+       wr->data=p + eivlen;
        wr->length=(int)len;
        wr->input=(unsigned char *)buf;
 
@@ -585,7 +1059,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
        /* first we compress */
        if (s->compress != NULL)
                {
-               if (!do_compress(s))
+               if (!ssl3_do_compress(s))
                        {
                        SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
                        goto err;
@@ -601,46 +1075,74 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
         * from wr->input.  Length should be wr->length.
         * wr->data still points in the wb->buf */
 
-       if (mac_size != 0)
+       if (!SSL_USE_ETM(s) && mac_size != 0)
                {
-               s->method->ssl3_enc->mac(s,&(p[wr->length]),1);
+               if (s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
+                       goto err;
                wr->length+=mac_size;
-               wr->input=p;
-               wr->data=p;
+               }
+
+       wr->input=p;
+       wr->data=p;
+
+       if (eivlen)
+               {
+       /*      if (RAND_pseudo_bytes(p, eivlen) <= 0)
+                       goto err; */
+               wr->length += eivlen;
                }
 
        /* ssl3_enc can only have an error on read */
        s->method->ssl3_enc->enc(s,1);
 
+       if (SSL_USE_ETM(s) && mac_size != 0)
+               {
+               if (s->method->ssl3_enc->mac(s,p + wr->length,1) < 0)
+                       goto err;
+               wr->length+=mac_size;
+               }
+
        /* record length after mac and block padding */
        s2n(wr->length,plen);
 
+       if (s->msg_callback)
+               s->msg_callback(1, 0, SSL3_RT_HEADER, plen - 5, 5, s, s->msg_callback_arg);
+
        /* we should now have
         * wr->data pointing to the encrypted data, which is
         * wr->length long */
        wr->type=type; /* not needed but helps for debugging */
        wr->length+=SSL3_RT_HEADER_LENGTH;
 
-       /* Now lets setup wb */
-       wb->left=wr->length;
-       wb->offset=0;
+       if (create_empty_fragment)
+               {
+               /* we are in a recursive call;
+                * just return the length, don't write out anything here
+                */
+               return wr->length;
+               }
+
+       /* now let's set up wb */
+       wb->left = prefix_len + wr->length;
 
+       /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
        s->s3->wpend_tot=len;
        s->s3->wpend_buf=buf;
        s->s3->wpend_type=type;
        s->s3->wpend_ret=len;
 
        /* we now just need to write the buffer */
-       return(ssl3_write_pending(s,type,buf,len));
+       return ssl3_write_pending(s,type,buf,len);
 err:
-       return(-1);
+       return -1;
        }
 
 /* if s->s3->wbuf.left != 0, we need to call this */
-static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
-                             unsigned int len)
+int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
+       unsigned int len)
        {
        int i;
+       SSL3_BUFFER *wb=&(s->s3->wbuf);
 
 /* XXXX */
        if ((s->s3->wpend_tot > (int)len)
@@ -659,24 +1161,32 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
                        {
                        s->rwstate=SSL_WRITING;
                        i=BIO_write(s->wbio,
-                               (char *)&(s->s3->wbuf.buf[s->s3->wbuf.offset]),
-                               (unsigned int)s->s3->wbuf.left);
+                               (char *)&(wb->buf[wb->offset]),
+                               (unsigned int)wb->left);
                        }
                else
                        {
                        SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
                        i= -1;
                        }
-               if (i == s->s3->wbuf.left)
+               if (i == wb->left)
                        {
-                       s->s3->wbuf.left=0;
+                       wb->left=0;
+                       wb->offset+=i;
                        s->rwstate=SSL_NOTHING;
                        return(s->s3->wpend_ret);
                        }
-               else if (i <= 0)
+               else if (i <= 0) {
+                       if (s->version == DTLS1_VERSION ||
+                           s->version == DTLS1_BAD_VER) {
+                               /* For DTLS, just drop it. That's kind of the whole
+                                  point in using a datagram service */
+                               wb->left = 0;
+                       }
                        return(i);
-               s->s3->wbuf.offset+=i;
-               s->s3->wbuf.left-=i;
+               }
+               wb->offset+=i;
+               wb->left-=i;
                }
        }
 
@@ -707,20 +1217,21 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
  *     Application data protocol
  *             none of our business
  */
-int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
+int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
        {
-       int al,i,j,n,ret;
+       int al,i,j,ret;
+       unsigned int n;
        SSL3_RECORD *rr;
-       void (*cb)()=NULL;
-       BIO *bio;
+       void (*cb)(const SSL *ssl,int type2,int val)=NULL;
 
        if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
-               if (!ssl3_setup_buffers(s))
+               if (!ssl3_setup_read_buffer(s))
                        return(-1);
 
-       if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type)
+       if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
+           (peek && (type != SSL3_RT_APPLICATION_DATA)))
                {
-               SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
                return -1;
                }
 
@@ -729,7 +1240,9 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
                {
                unsigned char *src = s->s3->handshake_fragment;
                unsigned char *dst = buf;
+               unsigned int k;
 
+               /* peek == 0 */
                n = 0;
                while ((len > 0) && (s->s3->handshake_fragment_len > 0))
                        {
@@ -738,9 +1251,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
                        n++;
                        }
                /* move any remaining fragment bytes: */
-               for (i = 0; i < s->s3->handshake_fragment_len; i++)
-                       s->s3->handshake_fragment[i] = *src++;
-               ssl3_finish_mac(s, buf, n);
+               for (k = 0; k < s->s3->handshake_fragment_len; k++)
+                       s->s3->handshake_fragment[k] = *src++;
                return n;
        }
 
@@ -766,7 +1278,7 @@ start:
         * s->s3->rrec.length,  - number of bytes. */
        rr = &(s->s3->rrec);
 
-       /* get new packet */
+       /* get new packet if necessary */
        if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
                {
                ret=ssl3_get_record(s);
@@ -781,10 +1293,11 @@ start:
                {
                al=SSL_AD_UNEXPECTED_MESSAGE;
                SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
-               goto err;
+               goto f_err;
                }
 
-       /* If the other end has shutdown, throw anything we read away */
+       /* If the other end has shut down, throw anything we read away
+        * (even in 'peek' mode) */
        if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
                {
                rr->length=0;
@@ -808,21 +1321,23 @@ start:
                if (len <= 0) return(len);
 
                if ((unsigned int)len > rr->length)
-                       n=rr->length;
+                       n = rr->length;
                else
-                       n=len;
+                       n = (unsigned int)len;
 
-               memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
-               rr->length-=n;
-               rr->off+=n;
-               if (rr->length == 0)
+               memcpy(buf,&(rr->data[rr->off]),n);
+               if (!peek)
                        {
-                       s->rstate=SSL_ST_READ_HEADER;
-                       rr->off=0;
+                       rr->length-=n;
+                       rr->off+=n;
+                       if (rr->length == 0)
+                               {
+                               s->rstate=SSL_ST_READ_HEADER;
+                               rr->off=0;
+                               if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+                                       ssl3_release_read_buffer(s);
+                               }
                        }
-
-               if (type == SSL3_RT_HANDSHAKE)
-                       ssl3_finish_mac(s,buf,n);
                return(n);
                }
 
@@ -834,9 +1349,9 @@ start:
         * fill that so that we can process the data at a fixed place.
         */
                {
-               int dest_maxlen = 0;
-               unsigned char *dest;
-               int *dest_len;
+               unsigned int dest_maxlen = 0;
+               unsigned char *dest = NULL;
+               unsigned int *dest_len = NULL;
 
                if (rr->type == SSL3_RT_HANDSHAKE)
                        {
@@ -850,6 +1365,19 @@ start:
                        dest = s->s3->alert_fragment;
                        dest_len = &s->s3->alert_fragment_len;
                        }
+#ifndef OPENSSL_NO_HEARTBEATS
+               else if (rr->type == TLS1_RT_HEARTBEAT)
+                       {
+                       tls1_process_heartbeat(s);
+
+                       /* Exit and notify application to read again */
+                       rr->length = 0;
+                       s->rwstate=SSL_READING;
+                       BIO_clear_retry_flags(SSL_get_rbio(s));
+                       BIO_set_retry_read(SSL_get_rbio(s));
+                       return(-1);
+                       }
+#endif
 
                if (dest_maxlen > 0)
                        {
@@ -887,9 +1415,12 @@ start:
                        {
                        al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
-                       goto err;
+                       goto f_err;
                        }
 
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
+
                if (SSL_is_init_finished(s) &&
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
                        !s->s3->renegotiate)
@@ -897,27 +1428,65 @@ start:
                        ssl3_renegotiate(s);
                        if (ssl3_renegotiate_check(s))
                                {
-                               n=s->handshake_func(s);
-                               if (n < 0) return(n);
-                               if (n == 0)
+                               i=s->handshake_func(s);
+                               if (i < 0) return(i);
+                               if (i == 0)
                                        {
                                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
                                        return(-1);
                                        }
+
+                               if (!(s->mode & SSL_MODE_AUTO_RETRY))
+                                       {
+                                       if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+                                               {
+                                               BIO *bio;
+                                               /* In the case where we try to read application data,
+                                                * but we trigger an SSL handshake, we return -1 with
+                                                * the retry option set.  Otherwise renegotiation may
+                                                * cause nasty problems in the blocking world */
+                                               s->rwstate=SSL_READING;
+                                               bio=SSL_get_rbio(s);
+                                               BIO_clear_retry_flags(bio);
+                                               BIO_set_retry_read(bio);
+                                               return(-1);
+                                               }
+                                       }
                                }
                        }
                /* we either finished a handshake or ignored the request,
                 * now try again to obtain the (application) data we were asked for */
                goto start;
                }
-
+       /* If we are a server and get a client hello when renegotiation isn't
+        * allowed send back a no renegotiation alert and carry on.
+        * WARNING: experimental code, needs reviewing (steve)
+        */
+       if (s->server &&
+               SSL_is_init_finished(s) &&
+               !s->s3->send_connection_binding &&
+               (s->version > SSL3_VERSION) &&
+               (s->s3->handshake_fragment_len >= 4) &&
+               (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
+               (s->session != NULL) && (s->session->cipher != NULL) &&
+               !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+               
+               {
+               /*s->s3->handshake_fragment_len = 0;*/
+               rr->length = 0;
+               ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
+               goto start;
+               }
        if (s->s3->alert_fragment_len >= 2)
                {
-               i = s->s3->alert_fragment[0];
-               n = s->s3->alert_fragment[1];
+               int alert_level = s->s3->alert_fragment[0];
+               int alert_descr = s->s3->alert_fragment[1];
 
                s->s3->alert_fragment_len = 0;
 
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
+
                if (s->info_callback != NULL)
                        cb=s->info_callback;
                else if (s->ctx->info_callback != NULL)
@@ -925,28 +1494,46 @@ start:
 
                if (cb != NULL)
                        {
-                       j=(i<<8)|n;
-                       cb(s,SSL_CB_READ_ALERT,j);
+                       j = (alert_level << 8) | alert_descr;
+                       cb(s, SSL_CB_READ_ALERT, j);
                        }
 
-               if (i == 1) /* warning */
+               if (alert_level == 1) /* warning */
                        {
-                       s->s3->warn_alert=n;
-                       if (n == SSL_AD_CLOSE_NOTIFY)
+                       s->s3->warn_alert = alert_descr;
+                       if (alert_descr == SSL_AD_CLOSE_NOTIFY)
                                {
-                               s->shutdown|=SSL_RECEIVED_SHUTDOWN;
+                               s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                                return(0);
                                }
+                       /* This is a warning but we receive it if we requested
+                        * renegotiation and the peer denied it. Terminate with
+                        * a fatal alert because if application tried to
+                        * renegotiatie it presumably had a good reason and
+                        * expects it to succeed.
+                        *
+                        * In future we might have a renegotiation where we
+                        * don't care if the peer refused it where we carry on.
+                        */
+                       else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
+                               {
+                               al = SSL_AD_HANDSHAKE_FAILURE;
+                               SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
+                               goto f_err;
+                               }
+#ifdef SSL_AD_MISSING_SRP_USERNAME
+                       else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
+                               return(0);
+#endif
                        }
-               else if (i == 2) /* fatal */
+               else if (alert_level == 2) /* fatal */
                        {
                        char tmp[16];
 
                        s->rwstate=SSL_NOTHING;
-                       s->s3->fatal_alert=n;
-                       SSLerr(SSL_F_SSL3_READ_BYTES,
-                               SSL_AD_REASON_OFFSET+n);
-                       sprintf(tmp,"%d",n);
+                       s->s3->fatal_alert = alert_descr;
+                       SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
+                       BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
                        ERR_add_error_data(2,"SSL alert number ",tmp);
                        s->shutdown|=SSL_RECEIVED_SHUTDOWN;
                        SSL_CTX_remove_session(s->ctx,s->session);
@@ -976,14 +1563,26 @@ start:
                if (    (rr->length != 1) || (rr->off != 0) ||
                        (rr->data[0] != SSL3_MT_CCS))
                        {
-                       i=SSL_AD_ILLEGAL_PARAMETER;
+                       al=SSL_AD_ILLEGAL_PARAMETER;
                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
-                       goto err;
+                       goto f_err;
+                       }
+
+               /* Check we have a cipher to change to */
+               if (s->s3->tmp.new_cipher == NULL)
+                       {
+                       al=SSL_AD_UNEXPECTED_MESSAGE;
+                       SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
+                       goto f_err;
                        }
 
                rr->length=0;
+
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
+
                s->s3->change_cipher_spec=1;
-               if (!do_change_cipher_spec(s))
+               if (!ssl3_do_change_cipher_spec(s))
                        goto err;
                else
                        goto start;
@@ -995,39 +1594,55 @@ start:
                if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
                        {
+#if 0 /* worked only because C operator preferences are not as expected (and
+       * because this is not really needed for clients except for detecting
+       * protocol violations): */
                        s->state=SSL_ST_BEFORE|(s->server)
                                ?SSL_ST_ACCEPT
                                :SSL_ST_CONNECT;
+#else
+                       s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
+#endif
+                       s->renegotiate=1;
                        s->new_session=1;
                        }
-               n=s->handshake_func(s);
-               if (n < 0) return(n);
-               if (n == 0)
+               i=s->handshake_func(s);
+               if (i < 0) return(i);
+               if (i == 0)
                        {
                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
                        return(-1);
                        }
 
-               /* In the case where we try to read application data
-                * the first time, but we trigger an SSL handshake, we
-                * return -1 with the retry option set.  I do this
-                * otherwise renegotiation can cause nasty problems 
-                * in the non-blocking world */
-
-               s->rwstate=SSL_READING;
-               bio=SSL_get_rbio(s);
-               BIO_clear_retry_flags(bio);
-               BIO_set_retry_read(bio);
-               return(-1);
+               if (!(s->mode & SSL_MODE_AUTO_RETRY))
+                       {
+                       if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+                               {
+                               BIO *bio;
+                               /* In the case where we try to read application data,
+                                * but we trigger an SSL handshake, we return -1 with
+                                * the retry option set.  Otherwise renegotiation may
+                                * cause nasty problems in the blocking world */
+                               s->rwstate=SSL_READING;
+                               bio=SSL_get_rbio(s);
+                               BIO_clear_retry_flags(bio);
+                               BIO_set_retry_read(bio);
+                               return(-1);
+                               }
+                       }
+               goto start;
                }
 
        switch (rr->type)
                {
        default:
-#ifndef NO_TLS
-               /* TLS just ignores unknown message types */
-               if (s->version == TLS1_VERSION)
+#ifndef OPENSSL_NO_TLS
+               /* TLS up to v1.1 just ignores unknown message types:
+                * TLS v1.2 give an unexpected message alert.
+                */
+               if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION)
                        {
+                       rr->length = 0;
                        goto start;
                        }
 #endif
@@ -1041,14 +1656,14 @@ start:
                 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
                 * should not happen when type != rr->type */
                al=SSL_AD_UNEXPECTED_MESSAGE;
-               SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
                goto f_err;
        case SSL3_RT_APPLICATION_DATA:
                /* At this point, we were expecting handshake data,
                 * but have application data.  If the library was
                 * running inside ssl3_read() (i.e. in_read_app_data
                 * is set) and it makes sense to read application data
-                * at this point (session renegotation not yet started),
+                * at this point (session renegotiation not yet started),
                 * we will indulge it.
                 */
                if (s->s3->in_read_app_data &&
@@ -1064,7 +1679,7 @@ start:
                                        )
                                ))
                        {
-                       s->s3->in_read_app_data=0;
+                       s->s3->in_read_app_data=2;
                        return(-1);
                        }
                else
@@ -1082,7 +1697,7 @@ err:
        return(-1);
        }
 
-static int do_change_cipher_spec(SSL *s)
+int ssl3_do_change_cipher_spec(SSL *s)
        {
        int i;
        const char *sender;
@@ -1095,6 +1710,13 @@ static int do_change_cipher_spec(SSL *s)
 
        if (s->s3->tmp.key_block == NULL)
                {
+               if (s->session == NULL) 
+                       {
+                       /* might happen if dtls1_read_bytes() calls this */
+                       SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+                       return (0);
+                       }
+
                s->session->cipher=s->s3->tmp.new_cipher;
                if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
                }
@@ -1116,34 +1738,25 @@ static int do_change_cipher_spec(SSL *s)
                slen=s->method->ssl3_enc->client_finished_label_len;
                }
 
-       s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
-               &(s->s3->finish_dgst1),
-               &(s->s3->finish_dgst2),
+       i = s->method->ssl3_enc->final_finish_mac(s,
                sender,slen,s->s3->tmp.peer_finish_md);
+       if (i == 0)
+               {
+               SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
+               return 0;
+               }
+       s->s3->tmp.peer_finish_md_len = i;
 
        return(1);
        }
 
-/* send s->init_buf in records of type 'type' */
-int ssl3_do_write(SSL *s, int type)
-       {
-       int ret;
-
-       ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
-                            s->init_num);
-       if (ret == s->init_num)
-               return(1);
-       if (ret < 0) return(-1);
-       s->init_off+=ret;
-       s->init_num-=ret;
-       return(0);
-       }
-
-void ssl3_send_alert(SSL *s, int level, int desc)
+int ssl3_send_alert(SSL *s, int level, int desc)
        {
        /* Map tls/ssl alert value to correct one */
        desc=s->method->ssl3_enc->alert_value(desc);
-       if (desc < 0) return;
+       if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
+               desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
+       if (desc < 0) return -1;
        /* If a fatal one, remove from cache */
        if ((level == 2) && (s->session != NULL))
                SSL_CTX_remove_session(s->ctx,s->session);
@@ -1151,31 +1764,35 @@ void ssl3_send_alert(SSL *s, int level, int desc)
        s->s3->alert_dispatch=1;
        s->s3->send_alert[0]=level;
        s->s3->send_alert[1]=desc;
-       if (s->s3->wbuf.left == 0) /* data still being written out */
-               ssl3_dispatch_alert(s);
+       if (s->s3->wbuf.left == 0) /* data still being written out? */
+               return s->method->ssl_dispatch_alert(s);
        /* else data is still being written out, we will get written
         * some time in the future */
+       return -1;
        }
 
 int ssl3_dispatch_alert(SSL *s)
        {
        int i,j;
-       void (*cb)()=NULL;
+       void (*cb)(const SSL *ssl,int type,int val)=NULL;
 
        s->s3->alert_dispatch=0;
-       i=do_ssl3_write(s,SSL3_RT_ALERT,&s->s3->send_alert[0],2);
+       i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
        if (i <= 0)
                {
                s->s3->alert_dispatch=1;
                }
        else
                {
-               /* If it is important, send it now.  If the message
-                * does not get sent due to non-blocking IO, we will
-                * not worry too much. */
+               /* Alert sent to BIO.  If it is important, flush it now.
+                * If the message does not get sent due to non-blocking IO,
+                * we will not worry too much. */
                if (s->s3->send_alert[0] == SSL3_AL_FATAL)
                        (void)BIO_flush(s->wbio);
 
+               if (s->msg_callback)
+                       s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
+
                if (s->info_callback != NULL)
                        cb=s->info_callback;
                else if (s->ctx->info_callback != NULL)