kris
/
boringssl
1
0
フォーク 0
コード 課題 0 プルリクエスト 0 リリース 0 Wiki アクティビティ
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
1462 コミット
12 ブランチ
38 MiB
 
 
 
 
 
 
ツリー: b0eef0aee9
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'b0eef0aee9' から
${ noResults }
boringssl/ssl/s3_pkt.c

1139 行
38 KiB
Raw Blame 履歴 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. 

  109. #include <assert.h>

  110. #include <limits.h>

  111. #include <stdio.h>

  112. #include <string.h>

  113. 

  114. #include <openssl/buf.h>

  115. #include <openssl/err.h>

  116. #include <openssl/evp.h>

  117. #include <openssl/mem.h>

  118. #include <openssl/rand.h>

  119. 

  120. #include "internal.h"

  121. 

  122. 

  123. static int do_ssl3_write(SSL *s, int type, const uint8_t *buf, unsigned int len,

  124.                          char fragment);

  125. static int ssl3_get_record(SSL *s);

  126. 

  127. int ssl3_read_n(SSL *s, int n, int extend) {

  128.   /* If |extend| is 0, obtain new n-byte packet;

  129.    * if |extend| is 1, increase packet by another n bytes.

  130.    *

  131.    * The packet will be in the sub-array of |s->s3->rbuf.buf| specified by

  132.    * |s->packet| and |s->packet_length|. (If DTLS and |extend| is 0, additional

  133.    * bytes will be read into |rbuf|, up to the size of the buffer.)

  134.    *

  135.    * TODO(davidben): |dtls1_get_record| and |ssl3_get_record| have very

  136.    * different needs. Separate the two record layers. In DTLS, |BIO_read| is

  137.    * called at most once, and only when |extend| is 0. In TLS, the buffer never

  138.    * contains more than one record. */

  139.   int i, len, left;

  140.   uintptr_t align = 0;

  141.   uint8_t *pkt;

  142.   SSL3_BUFFER *rb;

  143. 

  144.   if (n <= 0) {

  145.     return n;

  146.   }

  147. 

  148.   rb = &s->s3->rbuf;

  149.   if (rb->buf == NULL && !ssl3_setup_read_buffer(s)) {

  150.     return -1;

  151.   }

  152. 

  153.   left = rb->left;

  154. 

  155.   align = (uintptr_t)rb->buf + SSL3_RT_HEADER_LENGTH;

  156.   align = (0 - align) & (SSL3_ALIGN_PAYLOAD - 1);

  157. 

  158.   if (!extend) {

  159.     /* start with empty packet ... */

  160.     if (left == 0) {

  161.       rb->offset = align;

  162.     } else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {

  163.       /* check if next packet length is large enough to justify payload

  164.        * alignment... */

  165.       pkt = rb->buf + rb->offset;

  166.       if (pkt[0] == SSL3_RT_APPLICATION_DATA && (pkt[3] << 8 | pkt[4]) >= 128) {

  167.         /* Note that even if packet is corrupted and its length field is

  168.          * insane, we can only be led to wrong decision about whether memmove

  169.          * will occur or not. Header values has no effect on memmove arguments

  170.          * and therefore no buffer overrun can be triggered. */

  171.         memmove(rb->buf + align, pkt, left);

  172.         rb->offset = align;

  173.       }

  174.     }

  175.     s->packet = rb->buf + rb->offset;

  176.     s->packet_length = 0;

  177.     /* ... now we can act as if 'extend' was set */

  178.   }

  179. 

  180.   /* In DTLS, if there is leftover data from the previous packet or |extend| is

  181.    * true, clamp to the previous read. DTLS records may not span packet

  182.    * boundaries. */

  183.   if (SSL_IS_DTLS(s) && n > left && (left > 0 || extend)) {

  184.     n = left;

  185.   }

  186. 

  187.   /* if there is enough in the buffer from a previous read, take some */

  188.   if (left >= n) {

  189.     s->packet_length += n;

  190.     rb->left = left - n;

  191.     rb->offset += n;

  192.     return n;

  193.   }

  194. 

  195.   /* else we need to read more data */

  196. 

  197.   len = s->packet_length;

  198.   pkt = rb->buf + align;

  199.   /* Move any available bytes to front of buffer: |len| bytes already pointed

  200.    * to by |packet|, |left| extra ones at the end. */

  201.   if (s->packet != pkt) {

  202.     /* len > 0 */

  203.     memmove(pkt, s->packet, len + left);

  204.     s->packet = pkt;

  205.     rb->offset = len + align;

  206.   }

  207. 

  208.   if (n > (int)(rb->len - rb->offset)) {

  209.     OPENSSL_PUT_ERROR(SSL, ssl3_read_n, ERR_R_INTERNAL_ERROR);

  210.     return -1;

  211.   }

  212. 

  213.   int max = n;

  214.   if (SSL_IS_DTLS(s) && !extend) {

  215.     max = rb->len - rb->offset;

  216.   }

  217. 

  218.   while (left < n) {

  219.     /* Now we have len+left bytes at the front of s->s3->rbuf.buf and need to

  220.      * read in more until we have len+n (up to len+max if possible). */

  221.     ERR_clear_system_error();

  222.     if (s->rbio != NULL) {

  223.       s->rwstate = SSL_READING;

  224.       i = BIO_read(s->rbio, pkt + len + left, max - left);

  225.     } else {

  226.       OPENSSL_PUT_ERROR(SSL, ssl3_read_n, SSL_R_READ_BIO_NOT_SET);

  227.       i = -1;

  228.     }

  229. 

  230.     if (i <= 0) {

  231.       rb->left = left;

  232.       if (len + left == 0) {

  233.         ssl3_release_read_buffer(s);

  234.       }

  235.       return i;

  236.     }

  237.     left += i;

  238.     /* reads should *never* span multiple packets for DTLS because the

  239.      * underlying transport protocol is message oriented as opposed to byte

  240.      * oriented as in the TLS case. */

  241.     if (SSL_IS_DTLS(s) && n > left) {

  242.       n = left; /* makes the while condition false */

  243.     }

  244.   }

  245. 

  246.   /* done reading, now the book-keeping */

  247.   rb->offset += n;

  248.   rb->left = left - n;

  249.   s->packet_length += n;

  250.   s->rwstate = SSL_NOTHING;

  251. 

  252.   return n;

  253. }

  254. 

  255. /* MAX_EMPTY_RECORDS defines the number of consecutive, empty records that will

  256.  * be processed per call to ssl3_get_record. Without this limit an attacker

  257.  * could send empty records at a faster rate than we can process and cause

  258.  * ssl3_get_record to loop forever. */

  259. #define MAX_EMPTY_RECORDS 32

  260. 

  261. /* Call this to get a new input record. It will return <= 0 if more data is

  262.  * needed, normally due to an error or non-blocking IO. When it finishes, one

  263.  * packet has been decoded and can be found in

  264.  * ssl->s3->rrec.type    - is the type of record

  265.  * ssl->s3->rrec.data    - data

  266.  * ssl->s3->rrec.length  - number of bytes */

  267. /* used only by ssl3_read_bytes */

  268. static int ssl3_get_record(SSL *s) {

  269.   uint8_t ssl_major, ssl_minor;

  270.   int al, n, i, ret = -1;

  271.   SSL3_RECORD *rr = &s->s3->rrec;

  272.   uint8_t *p;

  273.   uint16_t version;

  274.   size_t extra;

  275.   unsigned empty_record_count = 0;

  276. 

  277. again:

  278.   /* check if we have the header */

  279.   if (s->rstate != SSL_ST_READ_BODY ||

  280.       s->packet_length < SSL3_RT_HEADER_LENGTH) {

  281.     n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, 0);

  282.     if (n <= 0) {

  283.       return n; /* error or non-blocking */

  284.     }

  285.     s->rstate = SSL_ST_READ_BODY;

  286. 

  287.     /* Some bytes were read, so the read buffer must be existant and

  288.      * |s->s3->init_extra| is defined. */

  289.     assert(s->s3->rbuf.buf != NULL);

  290.     extra = s->s3->init_extra ? SSL3_RT_MAX_EXTRA : 0;

  291. 

  292.     p = s->packet;

  293.     if (s->msg_callback) {

  294.       s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s, s->msg_callback_arg);

  295.     }

  296. 

  297.     /* Pull apart the header into the SSL3_RECORD */

  298.     rr->type = *(p++);

  299.     ssl_major = *(p++);

  300.     ssl_minor = *(p++);

  301.     version = (((uint16_t)ssl_major) << 8) | ssl_minor;

  302.     n2s(p, rr->length);

  303. 

  304.     if (s->s3->have_version && version != s->version) {

  305.       OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_WRONG_VERSION_NUMBER);

  306.       al = SSL_AD_PROTOCOL_VERSION;

  307.       goto f_err;

  308.     }

  309. 

  310.     if ((version >> 8) != SSL3_VERSION_MAJOR) {

  311.       OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_WRONG_VERSION_NUMBER);

  312.       goto err;

  313.     }

  314. 

  315.     if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {

  316.       al = SSL_AD_RECORD_OVERFLOW;

  317.       OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);

  318.       goto f_err;

  319.     }

  320. 

  321.     /* now s->rstate == SSL_ST_READ_BODY */

  322.   } else {

  323.     /* |packet_length| is non-zero and |s->rstate| is |SSL_ST_READ_BODY|. The

  324.      * read buffer must be existant and |s->s3->init_extra| is defined. */

  325.     assert(s->s3->rbuf.buf != NULL);

  326.     extra = s->s3->init_extra ? SSL3_RT_MAX_EXTRA : 0;

  327.   }

  328. 

  329.   /* s->rstate == SSL_ST_READ_BODY, get and decode the data */

  330. 

  331.   if (rr->length > s->packet_length - SSL3_RT_HEADER_LENGTH) {

  332.     /* now s->packet_length == SSL3_RT_HEADER_LENGTH */

  333.     i = rr->length;

  334.     n = ssl3_read_n(s, i, 1);

  335.     if (n <= 0) {

  336.       /* Error or non-blocking IO. Now |n| == |rr->length|, and

  337.        * |s->packet_length| == |SSL3_RT_HEADER_LENGTH| + |rr->length|. */

  338.       return n;

  339.     }

  340.   }

  341. 

  342.   s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */

  343. 

  344.   /* |rr->data| points to |rr->length| bytes of ciphertext in |s->packet|. */

  345.   rr->data = &s->packet[SSL3_RT_HEADER_LENGTH];

  346. 

  347.   /* Decrypt the packet in-place.

  348.    *

  349.    * TODO(davidben): This assumes |s->version| is the same as the record-layer

  350.    * version which isn't always true, but it only differs with the NULL cipher

  351.    * which ignores the parameter. */

  352.   size_t plaintext_len;

  353.   if (!SSL_AEAD_CTX_open(s->aead_read_ctx, rr->data, &plaintext_len, rr->length,

  354.                          rr->type, s->version, s->s3->read_sequence, rr->data,

  355.                          rr->length)) {

  356.     al = SSL_AD_BAD_RECORD_MAC;

  357.     OPENSSL_PUT_ERROR(SSL, ssl3_get_record,

  358.                       SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);

  359.     goto f_err;

  360.   }

  361.   if (!ssl3_record_sequence_update(s->s3->read_sequence, 8)) {

  362.     goto err;

  363.   }

  364.   if (plaintext_len > SSL3_RT_MAX_PLAIN_LENGTH + extra) {

  365.     al = SSL_AD_RECORD_OVERFLOW;

  366.     OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_DATA_LENGTH_TOO_LONG);

  367.     goto f_err;

  368.   }

  369.   assert(plaintext_len <= (1u << 16));

  370.   rr->length = plaintext_len;

  371. 

  372.   rr->off = 0;

  373.   /* So at this point the following is true:

  374.    * ssl->s3->rrec.type is the type of record;

  375.    * ssl->s3->rrec.length is the number of bytes in the record;

  376.    * ssl->s3->rrec.off is the offset to first valid byte;

  377.    * ssl->s3->rrec.data the first byte of the record body. */

  378. 

  379.   /* we have pulled in a full packet so zero things */

  380.   s->packet_length = 0;

  381. 

  382.   /* just read a 0 length packet */

  383.   if (rr->length == 0) {

  384.     empty_record_count++;

  385.     if (empty_record_count > MAX_EMPTY_RECORDS) {

  386.       al = SSL_AD_UNEXPECTED_MESSAGE;

  387.       OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_TOO_MANY_EMPTY_FRAGMENTS);

  388.       goto f_err;

  389.     }

  390.     goto again;

  391.   }

  392. 

  393.   return 1;

  394. 

  395. f_err:

  396.   ssl3_send_alert(s, SSL3_AL_FATAL, al);

  397. err:

  398.   return ret;

  399. }

  400. 

  401. int ssl3_write_app_data(SSL *ssl, const void *buf, int len) {

  402.   return ssl3_write_bytes(ssl, SSL3_RT_APPLICATION_DATA, buf, len);

  403. }

  404. 

  405. /* Call this to write data in records of type |type|. It will return <= 0 if

  406.  * not all data has been sent or non-blocking IO. */

  407. int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) {

  408.   const uint8_t *buf = buf_;

  409.   unsigned int tot, n, nw;

  410.   int i;

  411. 

  412.   s->rwstate = SSL_NOTHING;

  413.   assert(s->s3->wnum <= INT_MAX);

  414.   tot = s->s3->wnum;

  415.   s->s3->wnum = 0;

  416. 

  417.   if (!s->in_handshake && SSL_in_init(s) && !SSL_in_false_start(s)) {

  418.     i = s->handshake_func(s);

  419.     if (i < 0) {

  420.       return i;

  421.     }

  422.     if (i == 0) {

  423.       OPENSSL_PUT_ERROR(SSL, ssl3_write_bytes, SSL_R_SSL_HANDSHAKE_FAILURE);

  424.       return -1;

  425.     }

  426.   }

  427. 

  428.   /* Ensure that if we end up with a smaller value of data to write out than

  429.    * the the original len from a write which didn't complete for non-blocking

  430.    * I/O and also somehow ended up avoiding the check for this in

  431.    * ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to

  432.    * end up with (len-tot) as a large number that will then promptly send

  433.    * beyond the end of the users buffer ... so we trap and report the error in

  434.    * a way the user will notice. */

  435.   if (len < 0 || (size_t)len < tot) {

  436.     OPENSSL_PUT_ERROR(SSL, ssl3_write_bytes, SSL_R_BAD_LENGTH);

  437.     return -1;

  438.   }

  439. 

  440.   int record_split_done = 0;

  441.   n = (len - tot);

  442.   for (;;) {

  443.     /* max contains the maximum number of bytes that we can put into a

  444.      * record. */

  445.     unsigned max = s->max_send_fragment;

  446.     /* fragment is true if do_ssl3_write should send the first byte in its own

  447.      * record in order to randomise a CBC IV. */

  448.     int fragment = 0;

  449.     if (!record_split_done && s->s3->need_record_splitting &&

  450.         type == SSL3_RT_APPLICATION_DATA) {

  451.       /* Only the the first record per write call needs to be split. The

  452.        * remaining plaintext was determined before the IV was randomized. */

  453.       fragment = 1;

  454.       record_split_done = 1;

  455.     }

  456.     if (n > max) {

  457.       nw = max;

  458.     } else {

  459.       nw = n;

  460.     }

  461. 

  462.     i = do_ssl3_write(s, type, &buf[tot], nw, fragment);

  463.     if (i <= 0) {

  464.       s->s3->wnum = tot;

  465.       return i;

  466.     }

  467. 

  468.     if (i == (int)n || (type == SSL3_RT_APPLICATION_DATA &&

  469.                         (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) {

  470.       return tot + i;

  471.     }

  472. 

  473.     n -= i;

  474.     tot += i;

  475.   }

  476. }

  477. 

  478. /* ssl3_seal_record seals a new record of type |type| and plaintext |in| and

  479.  * writes it to |out|. At most |max_out| bytes will be written. It returns one

  480.  * on success and zero on error. On success, it updates the write sequence

  481.  * number. */

  482. static int ssl3_seal_record(SSL *s, uint8_t *out, size_t *out_len,

  483.                             size_t max_out, uint8_t type, const uint8_t *in,

  484.                             size_t in_len) {

  485.   if (max_out < SSL3_RT_HEADER_LENGTH) {

  486.     OPENSSL_PUT_ERROR(SSL, ssl3_seal_record, SSL_R_BUFFER_TOO_SMALL);

  487.     return 0;

  488.   }

  489. 

  490.   out[0] = type;

  491. 

  492.   /* Some servers hang if initial ClientHello is larger than 256 bytes and

  493.    * record version number > TLS 1.0. */

  494.   uint16_t wire_version = s->version;

  495.   if (!s->s3->have_version && s->version > SSL3_VERSION) {

  496.     wire_version = TLS1_VERSION;

  497.   }

  498.   out[1] = wire_version >> 8;

  499.   out[2] = wire_version & 0xff;

  500. 

  501.   size_t ciphertext_len;

  502.   if (!SSL_AEAD_CTX_seal(s->aead_write_ctx, out + SSL3_RT_HEADER_LENGTH,

  503.                          &ciphertext_len, max_out - SSL3_RT_HEADER_LENGTH,

  504.                          type, wire_version, s->s3->write_sequence, in,

  505.                          in_len) ||

  506.       !ssl3_record_sequence_update(s->s3->write_sequence, 8)) {

  507.     return 0;

  508.   }

  509. 

  510.   if (ciphertext_len >= 1 << 16) {

  511.     OPENSSL_PUT_ERROR(SSL, ssl3_seal_record, ERR_R_OVERFLOW);

  512.     return 0;

  513.   }

  514.   out[3] = ciphertext_len >> 8;

  515.   out[4] = ciphertext_len & 0xff;

  516. 

  517.   *out_len = SSL3_RT_HEADER_LENGTH + ciphertext_len;

  518. 

  519.  if (s->msg_callback) {

  520.    s->msg_callback(1 /* write */, 0, SSL3_RT_HEADER, out, SSL3_RT_HEADER_LENGTH,

  521.                    s, s->msg_callback_arg);

  522.  }

  523. 

  524.   return 1;

  525. }

  526. 

  527. /* do_ssl3_write writes an SSL record of the given type. If |fragment| is 1

  528.  * then it splits the record into a one byte record and a record with the rest

  529.  * of the data in order to randomise a CBC IV. */

  530. static int do_ssl3_write(SSL *s, int type, const uint8_t *buf, unsigned int len,

  531.                          char fragment) {

  532.   SSL3_BUFFER *wb = &s->s3->wbuf;

  533. 

  534.   /* first check if there is a SSL3_BUFFER still being written out. This will

  535.    * happen with non blocking IO */

  536.   if (wb->left != 0) {

  537.     return ssl3_write_pending(s, type, buf, len);

  538.   }

  539. 

  540.   /* If we have an alert to send, lets send it */

  541.   if (s->s3->alert_dispatch) {

  542.     int ret = s->method->ssl_dispatch_alert(s);

  543.     if (ret <= 0) {

  544.       return ret;

  545.     }

  546.     /* if it went, fall through and send more stuff */

  547.   }

  548. 

  549.   if (wb->buf == NULL && !ssl3_setup_write_buffer(s)) {

  550.     return -1;

  551.   }

  552. 

  553.   if (len == 0) {

  554.     return 0;

  555.   }

  556.   if (len == 1) {

  557.     /* No sense in fragmenting a one-byte record. */

  558.     fragment = 0;

  559.   }

  560. 

  561.   /* Align the output so the ciphertext is aligned to |SSL3_ALIGN_PAYLOAD|. */

  562.   uintptr_t align;

  563.   if (fragment) {

  564.     /* Only CBC-mode ciphers require fragmenting. CBC-mode ciphertext is a

  565.      * multiple of the block size which we may assume is aligned. Thus we only

  566.      * need to account for a second copy of the record header. */

  567.     align = (uintptr_t)wb->buf + 2 * SSL3_RT_HEADER_LENGTH;

  568.   } else {

  569.     align = (uintptr_t)wb->buf + SSL3_RT_HEADER_LENGTH;

  570.   }

  571.   align = (0 - align) & (SSL3_ALIGN_PAYLOAD - 1);

  572.   uint8_t *out = wb->buf + align;

  573.   wb->offset = align;

  574.   size_t max_out = wb->len - wb->offset;

  575. 

  576.   const uint8_t *orig_buf = buf;

  577.   unsigned int orig_len = len;

  578.   size_t fragment_len = 0;

  579.   if (fragment) {

  580.     /* Write the first byte in its own record as a countermeasure against

  581.      * known-IV weaknesses in CBC ciphersuites. (See

  582.      * http://www.openssl.org/~bodo/tls-cbc.txt.) */

  583.     if (!ssl3_seal_record(s, out, &fragment_len, max_out, type, buf, 1)) {

  584.       return -1;

  585.     }

  586.     out += fragment_len;

  587.     max_out -= fragment_len;

  588.     buf++;

  589.     len--;

  590.   }

  591. 

  592.   assert((((uintptr_t)out + SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1))

  593.          == 0);

  594.   size_t ciphertext_len;

  595.   if (!ssl3_seal_record(s, out, &ciphertext_len, max_out, type, buf, len)) {

  596.     return -1;

  597.   }

  598.   ciphertext_len += fragment_len;

  599. 

  600.   /* now let's set up wb */

  601.   wb->left = ciphertext_len;

  602. 

  603.   /* memorize arguments so that ssl3_write_pending can detect bad write retries

  604.    * later */

  605.   s->s3->wpend_tot = orig_len;

  606.   s->s3->wpend_buf = orig_buf;

  607.   s->s3->wpend_type = type;

  608.   s->s3->wpend_ret = orig_len;

  609. 

  610.   /* we now just need to write the buffer */

  611.   return ssl3_write_pending(s, type, orig_buf, orig_len);

  612. }

  613. 

  614. /* if s->s3->wbuf.left != 0, we need to call this */

  615. int ssl3_write_pending(SSL *s, int type, const uint8_t *buf, unsigned int len) {

  616.   int i;

  617.   SSL3_BUFFER *wb = &(s->s3->wbuf);

  618. 

  619.   if (s->s3->wpend_tot > (int)len ||

  620.       (s->s3->wpend_buf != buf &&

  621.        !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) ||

  622.       s->s3->wpend_type != type) {

  623.     OPENSSL_PUT_ERROR(SSL, ssl3_write_pending, SSL_R_BAD_WRITE_RETRY);

  624.     return -1;

  625.   }

  626. 

  627.   for (;;) {

  628.     ERR_clear_system_error();

  629.     if (s->wbio != NULL) {

  630.       s->rwstate = SSL_WRITING;

  631.       i = BIO_write(s->wbio, (char *)&(wb->buf[wb->offset]),

  632.                     (unsigned int)wb->left);

  633.     } else {

  634.       OPENSSL_PUT_ERROR(SSL, ssl3_write_pending, SSL_R_BIO_NOT_SET);

  635.       i = -1;

  636.     }

  637.     if (i == wb->left) {

  638.       wb->left = 0;

  639.       wb->offset += i;

  640.       ssl3_release_write_buffer(s);

  641.       s->rwstate = SSL_NOTHING;

  642.       return s->s3->wpend_ret;

  643.     } else if (i <= 0) {

  644.       if (SSL_IS_DTLS(s)) {

  645.         /* For DTLS, just drop it. That's kind of the whole point in

  646.          * using a datagram service */

  647.         wb->left = 0;

  648.       }

  649.       return i;

  650.     }

  651.     /* TODO(davidben): This codepath is used in DTLS, but the write

  652.      * payload may not split across packets. */

  653.     wb->offset += i;

  654.     wb->left -= i;

  655.   }

  656. }

  657. 

  658. /* ssl3_expect_change_cipher_spec informs the record layer that a

  659.  * ChangeCipherSpec record is required at this point. If a Handshake record is

  660.  * received before ChangeCipherSpec, the connection will fail. Moreover, if

  661.  * there are unprocessed handshake bytes, the handshake will also fail and the

  662.  * function returns zero. Otherwise, the function returns one. */

  663. int ssl3_expect_change_cipher_spec(SSL *s) {

  664.   if (s->s3->handshake_fragment_len > 0 || s->s3->tmp.reuse_message) {

  665.     OPENSSL_PUT_ERROR(SSL, ssl3_expect_change_cipher_spec,

  666.                       SSL_R_UNPROCESSED_HANDSHAKE_DATA);

  667.     return 0;

  668.   }

  669. 

  670.   s->s3->flags |= SSL3_FLAGS_EXPECT_CCS;

  671.   return 1;

  672. }

  673. 

  674. int ssl3_read_app_data(SSL *ssl, uint8_t *buf, int len, int peek) {

  675.   return ssl3_read_bytes(ssl, SSL3_RT_APPLICATION_DATA, buf, len, peek);

  676. }

  677. 

  678. void ssl3_read_close_notify(SSL *ssl) {

  679.   ssl3_read_bytes(ssl, 0, NULL, 0, 0);

  680. }

  681. 

  682. /* Return up to 'len' payload bytes received in 'type' records.

  683.  * 'type' is one of the following:

  684.  *

  685.  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)

  686.  *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)

  687.  *   -  0 (during a shutdown, no data has to be returned)

  688.  *

  689.  * If we don't have stored data to work from, read a SSL/TLS record first

  690.  * (possibly multiple records if we still don't have anything to return).

  691.  *

  692.  * This function must handle any surprises the peer may have for us, such as

  693.  * Alert records (e.g. close_notify), ChangeCipherSpec records (not really

  694.  * a surprise, but handled as if it were), or renegotiation requests.

  695.  * Also if record payloads contain fragments too small to process, we store

  696.  * them until there is enough for the respective protocol (the record protocol

  697.  * may use arbitrary fragmentation and even interleaving):

  698.  *     Change cipher spec protocol

  699.  *             just 1 byte needed, no need for keeping anything stored

  700.  *     Alert protocol

  701.  *             2 bytes needed (AlertLevel, AlertDescription)

  702.  *     Handshake protocol

  703.  *             4 bytes needed (HandshakeType, uint24 length) -- we just have

  704.  *             to detect unexpected Client Hello and Hello Request messages

  705.  *             here, anything else is handled by higher layers

  706.  *     Application data protocol

  707.  *             none of our business

  708.  */

  709. int ssl3_read_bytes(SSL *s, int type, uint8_t *buf, int len, int peek) {

  710.   int al, i, ret;

  711.   unsigned int n;

  712.   SSL3_RECORD *rr;

  713.   void (*cb)(const SSL *ssl, int type2, int val) = NULL;

  714. 

  715.   if ((type && type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE) ||

  716.       (peek && type != SSL3_RT_APPLICATION_DATA)) {

  717.     OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, ERR_R_INTERNAL_ERROR);

  718.     return -1;

  719.   }

  720. 

  721.   if (type == SSL3_RT_HANDSHAKE && s->s3->handshake_fragment_len > 0) {

  722.     /* (partially) satisfy request from storage */

  723.     uint8_t *src = s->s3->handshake_fragment;

  724.     uint8_t *dst = buf;

  725.     unsigned int k;

  726. 

  727.     /* peek == 0 */

  728.     n = 0;

  729.     while (len > 0 && s->s3->handshake_fragment_len > 0) {

  730.       *dst++ = *src++;

  731.       len--;

  732.       s->s3->handshake_fragment_len--;

  733.       n++;

  734.     }

  735.     /* move any remaining fragment bytes: */

  736.     for (k = 0; k < s->s3->handshake_fragment_len; k++) {

  737.       s->s3->handshake_fragment[k] = *src++;

  738.     }

  739.     return n;

  740.   }

  741. 

  742.   /* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */

  743. 

  744.   /* This may require multiple iterations. False Start will cause

  745.    * |s->handshake_func| to signal success one step early, but the handshake

  746.    * must be completely finished before other modes are accepted.

  747.    *

  748.    * TODO(davidben): Move this check up to a higher level. */

  749.   while (!s->in_handshake && SSL_in_init(s)) {

  750.     assert(type == SSL3_RT_APPLICATION_DATA);

  751.     i = s->handshake_func(s);

  752.     if (i < 0) {

  753.       return i;

  754.     }

  755.     if (i == 0) {

  756.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_SSL_HANDSHAKE_FAILURE);

  757.       return -1;

  758.     }

  759.   }

  760. 

  761. start:

  762.   s->rwstate = SSL_NOTHING;

  763. 

  764.   /* s->s3->rrec.type    - is the type of record

  765.    * s->s3->rrec.data    - data

  766.    * s->s3->rrec.off     - offset into 'data' for next read

  767.    * s->s3->rrec.length  - number of bytes. */

  768.   rr = &s->s3->rrec;

  769. 

  770.   /* get new packet if necessary */

  771.   if (rr->length == 0 || s->rstate == SSL_ST_READ_BODY) {

  772.     ret = ssl3_get_record(s);

  773.     if (ret <= 0) {

  774.       return ret;

  775.     }

  776.   }

  777. 

  778.   /* we now have a packet which can be read and processed */

  779. 

  780.   /* |change_cipher_spec is set when we receive a ChangeCipherSpec and reset by

  781.    * ssl3_get_finished. */

  782.   if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE &&

  783.       rr->type != SSL3_RT_ALERT) {

  784.     al = SSL_AD_UNEXPECTED_MESSAGE;

  785.     OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes,

  786.                       SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);

  787.     goto f_err;

  788.   }

  789. 

  790.   /* If we are expecting a ChangeCipherSpec, it is illegal to receive a

  791.    * Handshake record. */

  792.   if (rr->type == SSL3_RT_HANDSHAKE && (s->s3->flags & SSL3_FLAGS_EXPECT_CCS)) {

  793.     al = SSL_AD_UNEXPECTED_MESSAGE;

  794.     OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_HANDSHAKE_RECORD_BEFORE_CCS);

  795.     goto f_err;

  796.   }

  797. 

  798.   /* If the other end has shut down, throw anything we read away (even in

  799.    * 'peek' mode) */

  800.   if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {

  801.     rr->length = 0;

  802.     s->rwstate = SSL_NOTHING;

  803.     return 0;

  804.   }

  805. 

  806.   if (type == rr->type) {

  807.     /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */

  808.     /* make sure that we are not getting application data when we are doing a

  809.      * handshake for the first time */

  810.     if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA &&

  811.         s->aead_read_ctx == NULL) {

  812.       /* TODO(davidben): Is this check redundant with the handshake_func

  813.        * check? */

  814.       al = SSL_AD_UNEXPECTED_MESSAGE;

  815.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_APP_DATA_IN_HANDSHAKE);

  816.       goto f_err;

  817.     }

  818. 

  819.     if (len <= 0) {

  820.       return len;

  821.     }

  822. 

  823.     if ((unsigned int)len > rr->length) {

  824.       n = rr->length;

  825.     } else {

  826.       n = (unsigned int)len;

  827.     }

  828. 

  829.     memcpy(buf, &(rr->data[rr->off]), n);

  830.     if (!peek) {

  831.       rr->length -= n;

  832.       rr->off += n;

  833.       if (rr->length == 0) {

  834.         s->rstate = SSL_ST_READ_HEADER;

  835.         rr->off = 0;

  836.         if (s->s3->rbuf.left == 0) {

  837.           ssl3_release_read_buffer(s);

  838.         }

  839.       }

  840.     }

  841. 

  842.     return n;

  843.   }

  844. 

  845.   /* Process unexpected records. */

  846. 

  847.   if (rr->type == SSL3_RT_HANDSHAKE) {

  848.     /* If peer renegotiations are disabled, all out-of-order handshake records

  849.      * are fatal. Renegotiations as a server are never supported. */

  850.     if (!s->accept_peer_renegotiations || s->server) {

  851.       al = SSL_AD_NO_RENEGOTIATION;

  852.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_NO_RENEGOTIATION);

  853.       goto f_err;

  854.     }

  855. 

  856.     /* HelloRequests may be fragmented across multiple records. */

  857.     const size_t size = sizeof(s->s3->handshake_fragment);

  858.     const size_t avail = size - s->s3->handshake_fragment_len;

  859.     const size_t todo = (rr->length < avail) ? rr->length : avail;

  860.     memcpy(s->s3->handshake_fragment + s->s3->handshake_fragment_len,

  861.            &rr->data[rr->off], todo);

  862.     rr->off += todo;

  863.     rr->length -= todo;

  864.     s->s3->handshake_fragment_len += todo;

  865.     if (s->s3->handshake_fragment_len < size) {

  866.       goto start; /* fragment was too small */

  867.     }

  868. 

  869.     /* Parse out and consume a HelloRequest. */

  870.     if (s->s3->handshake_fragment[0] != SSL3_MT_HELLO_REQUEST ||

  871.         s->s3->handshake_fragment[1] != 0 ||

  872.         s->s3->handshake_fragment[2] != 0 ||

  873.         s->s3->handshake_fragment[3] != 0) {

  874.       al = SSL_AD_DECODE_ERROR;

  875.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_BAD_HELLO_REQUEST);

  876.       goto f_err;

  877.     }

  878.     s->s3->handshake_fragment_len = 0;

  879. 

  880.     if (s->msg_callback) {

  881.       s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,

  882.                       s->s3->handshake_fragment, 4, s, s->msg_callback_arg);

  883.     }

  884. 

  885.     if (!SSL_is_init_finished(s) || !s->s3->initial_handshake_complete) {

  886.       /* This cannot happen. If a handshake is in progress, |type| must be

  887.        * |SSL3_RT_HANDSHAKE|. */

  888.       assert(0);

  889.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, ERR_R_INTERNAL_ERROR);

  890.       goto err;

  891.     }

  892. 

  893.     /* Renegotiation is only supported at quiescent points in the application

  894.      * protocol, namely in HTTPS, just before reading the HTTP response. Require

  895.      * the record-layer be idle and avoid complexities of sending a handshake

  896.      * record while an application_data record is being written. */

  897.     if (s->s3->wbuf.left != 0 || s->s3->rbuf.left != 0) {

  898.       al = SSL_AD_NO_RENEGOTIATION;

  899.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_NO_RENEGOTIATION);

  900.       goto f_err;

  901.     }

  902. 

  903.     /* Begin a new handshake. */

  904.     s->state = SSL_ST_CONNECT;

  905.     i = s->handshake_func(s);

  906.     if (i < 0) {

  907.       return i;

  908.     }

  909.     if (i == 0) {

  910.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_SSL_HANDSHAKE_FAILURE);

  911.       return -1;

  912.     }

  913. 

  914.     /* The handshake completed synchronously. Continue reading records. */

  915.     goto start;

  916.   }

  917. 

  918.   /* If an alert record, process one alert out of the record. Note that we allow

  919.    * a single record to contain multiple alerts. */

  920.   if (rr->type == SSL3_RT_ALERT) {

  921.     /* Alerts may not be fragmented. */

  922.     if (rr->length < 2) {

  923.       al = SSL_AD_DECODE_ERROR;

  924.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_BAD_ALERT);

  925.       goto f_err;

  926.     }

  927. 

  928.     if (s->msg_callback) {

  929.       s->msg_callback(0, s->version, SSL3_RT_ALERT, &rr->data[rr->off], 2, s,

  930.                       s->msg_callback_arg);

  931.     }

  932.     const uint8_t alert_level = rr->data[rr->off++];

  933.     const uint8_t alert_descr = rr->data[rr->off++];

  934.     rr->length -= 2;

  935. 

  936.     if (s->info_callback != NULL) {

  937.       cb = s->info_callback;

  938.     } else if (s->ctx->info_callback != NULL) {

  939.       cb = s->ctx->info_callback;

  940.     }

  941. 

  942.     if (cb != NULL) {

  943.       uint16_t alert = (alert_level << 8) | alert_descr;

  944.       cb(s, SSL_CB_READ_ALERT, alert);

  945.     }

  946. 

  947.     if (alert_level == SSL3_AL_WARNING) {

  948.       s->s3->warn_alert = alert_descr;

  949.       if (alert_descr == SSL_AD_CLOSE_NOTIFY) {

  950.         s->shutdown |= SSL_RECEIVED_SHUTDOWN;

  951.         return 0;

  952.       }

  953. 

  954.       /* This is a warning but we receive it if we requested renegotiation and

  955.        * the peer denied it. Terminate with a fatal alert because if

  956.        * application tried to renegotiatie it presumably had a good reason and

  957.        * expects it to succeed.

  958.        *

  959.        * In future we might have a renegotiation where we don't care if the

  960.        * peer refused it where we carry on. */

  961.       else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {

  962.         al = SSL_AD_HANDSHAKE_FAILURE;

  963.         OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_NO_RENEGOTIATION);

  964.         goto f_err;

  965.       }

  966.     } else if (alert_level == SSL3_AL_FATAL) {

  967.       char tmp[16];

  968. 

  969.       s->rwstate = SSL_NOTHING;

  970.       s->s3->fatal_alert = alert_descr;

  971.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes,

  972.                         SSL_AD_REASON_OFFSET + alert_descr);

  973.       BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr);

  974.       ERR_add_error_data(2, "SSL alert number ", tmp);

  975.       s->shutdown |= SSL_RECEIVED_SHUTDOWN;

  976.       SSL_CTX_remove_session(s->ctx, s->session);

  977.       return 0;

  978.     } else {

  979.       al = SSL_AD_ILLEGAL_PARAMETER;

  980.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_UNKNOWN_ALERT_TYPE);

  981.       goto f_err;

  982.     }

  983. 

  984.     goto start;

  985.   }

  986. 

  987.   if (s->shutdown & SSL_SENT_SHUTDOWN) {

  988.     /* but we have not received a shutdown */

  989.     s->rwstate = SSL_NOTHING;

  990.     rr->length = 0;

  991.     return 0;

  992.   }

  993. 

  994.   if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {

  995.     /* 'Change Cipher Spec' is just a single byte, so we know exactly what the

  996.      * record payload has to look like */

  997.     if (rr->length != 1 || rr->off != 0 || rr->data[0] != SSL3_MT_CCS) {

  998.       al = SSL_AD_ILLEGAL_PARAMETER;

  999.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_BAD_CHANGE_CIPHER_SPEC);

  1000.       goto f_err;

  1001.     }

  1002. 

  1003.     /* Check we have a cipher to change to */

  1004.     if (s->s3->tmp.new_cipher == NULL) {

  1005.       al = SSL_AD_UNEXPECTED_MESSAGE;

  1006.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_CCS_RECEIVED_EARLY);

  1007.       goto f_err;

  1008.     }

  1009. 

  1010.     if (!(s->s3->flags & SSL3_FLAGS_EXPECT_CCS)) {

  1011.       al = SSL_AD_UNEXPECTED_MESSAGE;

  1012.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_CCS_RECEIVED_EARLY);

  1013.       goto f_err;

  1014.     }

  1015. 

  1016.     s->s3->flags &= ~SSL3_FLAGS_EXPECT_CCS;

  1017. 

  1018.     rr->length = 0;

  1019. 

  1020.     if (s->msg_callback) {

  1021.       s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s,

  1022.                       s->msg_callback_arg);

  1023.     }

  1024. 

  1025.     s->s3->change_cipher_spec = 1;

  1026.     if (!ssl3_do_change_cipher_spec(s)) {

  1027.       goto err;

  1028.     } else {

  1029.       goto start;

  1030.     }

  1031.   }

  1032. 

  1033.   /* We already handled these. */

  1034.   assert(rr->type != SSL3_RT_CHANGE_CIPHER_SPEC && rr->type != SSL3_RT_ALERT &&

  1035.          rr->type != SSL3_RT_HANDSHAKE);

  1036. 

  1037.   al = SSL_AD_UNEXPECTED_MESSAGE;

  1038.   OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_UNEXPECTED_RECORD);

  1039. 

  1040. f_err:

  1041.   ssl3_send_alert(s, SSL3_AL_FATAL, al);

  1042. err:

  1043.   return -1;

  1044. }

  1045. 

  1046. int ssl3_do_change_cipher_spec(SSL *s) {

  1047.   int i;

  1048. 

  1049.   if (s->state & SSL_ST_ACCEPT) {

  1050.     i = SSL3_CHANGE_CIPHER_SERVER_READ;

  1051.   } else {

  1052.     i = SSL3_CHANGE_CIPHER_CLIENT_READ;

  1053.   }

  1054. 

  1055.   if (s->s3->tmp.key_block == NULL) {

  1056.     if (s->session == NULL || s->session->master_key_length == 0) {

  1057.       /* might happen if dtls1_read_bytes() calls this */

  1058.       OPENSSL_PUT_ERROR(SSL, ssl3_do_change_cipher_spec,

  1059.                         SSL_R_CCS_RECEIVED_EARLY);

  1060.       return 0;

  1061.     }

  1062. 

  1063.     s->session->cipher = s->s3->tmp.new_cipher;

  1064.     if (!s->enc_method->setup_key_block(s)) {

  1065.       return 0;

  1066.     }

  1067.   }

  1068. 

  1069.   if (!s->enc_method->change_cipher_state(s, i)) {

  1070.     return 0;

  1071.   }

  1072. 

  1073.   return 1;

  1074. }

  1075. 

  1076. int ssl3_send_alert(SSL *s, int level, int desc) {

  1077.   /* Map tls/ssl alert value to correct one */

  1078.   desc = s->enc_method->alert_value(desc);

  1079.   if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION) {

  1080.     /* SSL 3.0 does not have protocol_version alerts */

  1081.     desc = SSL_AD_HANDSHAKE_FAILURE;

  1082.   }

  1083.   if (desc < 0) {

  1084.     return -1;

  1085.   }

  1086. 

  1087.   /* If a fatal one, remove from cache */

  1088.   if (level == 2 && s->session != NULL) {

  1089.     SSL_CTX_remove_session(s->ctx, s->session);

  1090.   }

  1091. 

  1092.   s->s3->alert_dispatch = 1;

  1093.   s->s3->send_alert[0] = level;

  1094.   s->s3->send_alert[1] = desc;

  1095.   if (s->s3->wbuf.left == 0) {

  1096.     /* data is still being written out. */

  1097.     return s->method->ssl_dispatch_alert(s);

  1098.   }

  1099. 

  1100.   /* else data is still being written out, we will get written some time in the

  1101.    * future */

  1102.   return -1;

  1103. }

  1104. 

  1105. int ssl3_dispatch_alert(SSL *s) {

  1106.   int i, j;

  1107.   void (*cb)(const SSL *ssl, int type, int val) = NULL;

  1108. 

  1109.   s->s3->alert_dispatch = 0;

  1110.   i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);

  1111.   if (i <= 0) {

  1112.     s->s3->alert_dispatch = 1;

  1113.   } else {

  1114.     /* Alert sent to BIO.  If it is important, flush it now. If the message

  1115.      * does not get sent due to non-blocking IO, we will not worry too much. */

  1116.     if (s->s3->send_alert[0] == SSL3_AL_FATAL) {

  1117.       BIO_flush(s->wbio);

  1118.     }

  1119. 

  1120.     if (s->msg_callback) {

  1121.       s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s,

  1122.                       s->msg_callback_arg);

  1123.     }

  1124. 

  1125.     if (s->info_callback != NULL) {

  1126.       cb = s->info_callback;

  1127.     } else if (s->ctx->info_callback != NULL) {

  1128.       cb = s->ctx->info_callback;

  1129.     }

  1130. 

  1131.     if (cb != NULL) {

  1132.       j = (s->s3->send_alert[0] << 8) | s->s3->send_alert[1];

  1133.       cb(s, SSL_CB_WRITE_ALERT, j);

  1134.     }

  1135.   }

  1136. 

  1137.   return i;

  1138. }