1 /* ssl/s3_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include "ssl_locl.h"
115 #include "kssl_lcl.h"
116 #include <openssl/md5.h>
117 
118 __RCSID("$MirOS: src/lib/libssl/src/ssl/s3_lib.c,v 1.4 2009/11/14 14:33:47 tg Exp $");
119 
120 const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT;
121 
122 #define SSL3_NUM_CIPHERS	(sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
123 
124 static long ssl3_default_timeout(void );
125 
126 OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
127 /* The RSA ciphers */
128 /* Cipher 01 */
129 	{
130 	1,
131 	SSL3_TXT_RSA_NULL_MD5,
132 	SSL3_CK_RSA_NULL_MD5,
133 	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
134 	SSL_NOT_EXP|SSL_STRONG_NONE,
135 	0,
136 	0,
137 	0,
138 	SSL_ALL_CIPHERS,
139 	SSL_ALL_STRENGTHS,
140 	},
141 /* Cipher 02 */
142 	{
143 	1,
144 	SSL3_TXT_RSA_NULL_SHA,
145 	SSL3_CK_RSA_NULL_SHA,
146 	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
147 	SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
148 	0,
149 	0,
150 	0,
151 	SSL_ALL_CIPHERS,
152 	SSL_ALL_STRENGTHS,
153 	},
154 
155 /* anon DH */
156 /* Cipher 17 */
157 	{
158 	1,
159 	SSL3_TXT_ADH_RC4_40_MD5,
160 	SSL3_CK_ADH_RC4_40_MD5,
161 	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
162 	SSL_EXPORT|SSL_EXP40,
163 	0,
164 	40,
165 	128,
166 	SSL_ALL_CIPHERS,
167 	SSL_ALL_STRENGTHS,
168 	},
169 /* Cipher 18 */
170 	{
171 	1,
172 	SSL3_TXT_ADH_RC4_128_MD5,
173 	SSL3_CK_ADH_RC4_128_MD5,
174 	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
175 	SSL_NOT_EXP|SSL_MEDIUM,
176 	0,
177 	128,
178 	128,
179 	SSL_ALL_CIPHERS,
180 	SSL_ALL_STRENGTHS,
181 	},
182 /* Cipher 19 */
183 	{
184 	1,
185 	SSL3_TXT_ADH_DES_40_CBC_SHA,
186 	SSL3_CK_ADH_DES_40_CBC_SHA,
187 	SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
188 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
189 	0,
190 	40,
191 	128,
192 	SSL_ALL_CIPHERS,
193 	SSL_ALL_STRENGTHS,
194 	},
195 /* Cipher 1A */
196 	{
197 	1,
198 	SSL3_TXT_ADH_DES_64_CBC_SHA,
199 	SSL3_CK_ADH_DES_64_CBC_SHA,
200 	SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
201 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
202 	0,
203 	56,
204 	56,
205 	SSL_ALL_CIPHERS,
206 	SSL_ALL_STRENGTHS,
207 	},
208 /* Cipher 1B */
209 	{
210 	1,
211 	SSL3_TXT_ADH_DES_192_CBC_SHA,
212 	SSL3_CK_ADH_DES_192_CBC_SHA,
213 	SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
214 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
215 	0,
216 	168,
217 	168,
218 	SSL_ALL_CIPHERS,
219 	SSL_ALL_STRENGTHS,
220 	},
221 
222 /* RSA again */
223 /* Cipher 03 */
224 	{
225 	1,
226 	SSL3_TXT_RSA_RC4_40_MD5,
227 	SSL3_CK_RSA_RC4_40_MD5,
228 	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
229 	SSL_EXPORT|SSL_EXP40,
230 	0,
231 	40,
232 	128,
233 	SSL_ALL_CIPHERS,
234 	SSL_ALL_STRENGTHS,
235 	},
236 /* Cipher 04 */
237 	{
238 	1,
239 	SSL3_TXT_RSA_RC4_128_MD5,
240 	SSL3_CK_RSA_RC4_128_MD5,
241 	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5|SSL_SSLV3,
242 	SSL_NOT_EXP|SSL_MEDIUM,
243 	0,
244 	128,
245 	128,
246 	SSL_ALL_CIPHERS,
247 	SSL_ALL_STRENGTHS,
248 	},
249 /* Cipher 05 */
250 	{
251 	1,
252 	SSL3_TXT_RSA_RC4_128_SHA,
253 	SSL3_CK_RSA_RC4_128_SHA,
254 	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_SSLV3,
255 	SSL_NOT_EXP|SSL_MEDIUM,
256 	0,
257 	128,
258 	128,
259 	SSL_ALL_CIPHERS,
260 	SSL_ALL_STRENGTHS,
261 	},
262 /* Cipher 06 */
263 	{
264 	1,
265 	SSL3_TXT_RSA_RC2_40_MD5,
266 	SSL3_CK_RSA_RC2_40_MD5,
267 	SSL_kRSA|SSL_aRSA|SSL_RC2  |SSL_MD5 |SSL_SSLV3,
268 	SSL_EXPORT|SSL_EXP40,
269 	0,
270 	40,
271 	128,
272 	SSL_ALL_CIPHERS,
273 	SSL_ALL_STRENGTHS,
274 	},
275 /* Cipher 07 */
276 #ifndef OPENSSL_NO_IDEA
277 	{
278 	1,
279 	SSL3_TXT_RSA_IDEA_128_SHA,
280 	SSL3_CK_RSA_IDEA_128_SHA,
281 	SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3,
282 	SSL_NOT_EXP|SSL_MEDIUM,
283 	0,
284 	128,
285 	128,
286 	SSL_ALL_CIPHERS,
287 	SSL_ALL_STRENGTHS,
288 	},
289 #endif
290 /* Cipher 08 */
291 	{
292 	1,
293 	SSL3_TXT_RSA_DES_40_CBC_SHA,
294 	SSL3_CK_RSA_DES_40_CBC_SHA,
295 	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
296 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
297 	0,
298 	40,
299 	56,
300 	SSL_ALL_CIPHERS,
301 	SSL_ALL_STRENGTHS,
302 	},
303 /* Cipher 09 */
304 	{
305 	1,
306 	SSL3_TXT_RSA_DES_64_CBC_SHA,
307 	SSL3_CK_RSA_DES_64_CBC_SHA,
308 	SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
309 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
310 	0,
311 	56,
312 	56,
313 	SSL_ALL_CIPHERS,
314 	SSL_ALL_STRENGTHS,
315 	},
316 /* Cipher 0A */
317 	{
318 	1,
319 	SSL3_TXT_RSA_DES_192_CBC3_SHA,
320 	SSL3_CK_RSA_DES_192_CBC3_SHA,
321 	SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
322 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
323 	0,
324 	168,
325 	168,
326 	SSL_ALL_CIPHERS,
327 	SSL_ALL_STRENGTHS,
328 	},
329 
330 /*  The DH ciphers */
331 /* Cipher 0B */
332 	{
333 	0,
334 	SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
335 	SSL3_CK_DH_DSS_DES_40_CBC_SHA,
336 	SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
337 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
338 	0,
339 	40,
340 	56,
341 	SSL_ALL_CIPHERS,
342 	SSL_ALL_STRENGTHS,
343 	},
344 /* Cipher 0C */
345 	{
346 	0,
347 	SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
348 	SSL3_CK_DH_DSS_DES_64_CBC_SHA,
349 	SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
350 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
351 	0,
352 	56,
353 	56,
354 	SSL_ALL_CIPHERS,
355 	SSL_ALL_STRENGTHS,
356 	},
357 /* Cipher 0D */
358 	{
359 	0,
360 	SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
361 	SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
362 	SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
363 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
364 	0,
365 	168,
366 	168,
367 	SSL_ALL_CIPHERS,
368 	SSL_ALL_STRENGTHS,
369 	},
370 /* Cipher 0E */
371 	{
372 	0,
373 	SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
374 	SSL3_CK_DH_RSA_DES_40_CBC_SHA,
375 	SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
376 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
377 	0,
378 	40,
379 	56,
380 	SSL_ALL_CIPHERS,
381 	SSL_ALL_STRENGTHS,
382 	},
383 /* Cipher 0F */
384 	{
385 	0,
386 	SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
387 	SSL3_CK_DH_RSA_DES_64_CBC_SHA,
388 	SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
389 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
390 	0,
391 	56,
392 	56,
393 	SSL_ALL_CIPHERS,
394 	SSL_ALL_STRENGTHS,
395 	},
396 /* Cipher 10 */
397 	{
398 	0,
399 	SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
400 	SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
401 	SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
402 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
403 	0,
404 	168,
405 	168,
406 	SSL_ALL_CIPHERS,
407 	SSL_ALL_STRENGTHS,
408 	},
409 
410 /* The Ephemeral DH ciphers */
411 /* Cipher 11 */
412 	{
413 	1,
414 	SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
415 	SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
416 	SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
417 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
418 	0,
419 	40,
420 	56,
421 	SSL_ALL_CIPHERS,
422 	SSL_ALL_STRENGTHS,
423 	},
424 /* Cipher 12 */
425 	{
426 	1,
427 	SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
428 	SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
429 	SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_SSLV3,
430 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
431 	0,
432 	56,
433 	56,
434 	SSL_ALL_CIPHERS,
435 	SSL_ALL_STRENGTHS,
436 	},
437 /* Cipher 13 */
438 	{
439 	1,
440 	SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
441 	SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
442 	SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
443 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
444 	0,
445 	168,
446 	168,
447 	SSL_ALL_CIPHERS,
448 	SSL_ALL_STRENGTHS,
449 	},
450 /* Cipher 14 */
451 	{
452 	1,
453 	SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
454 	SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
455 	SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
456 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
457 	0,
458 	40,
459 	56,
460 	SSL_ALL_CIPHERS,
461 	SSL_ALL_STRENGTHS,
462 	},
463 /* Cipher 15 */
464 	{
465 	1,
466 	SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
467 	SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
468 	SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
469 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
470 	0,
471 	56,
472 	56,
473 	SSL_ALL_CIPHERS,
474 	SSL_ALL_STRENGTHS,
475 	},
476 /* Cipher 16 */
477 	{
478 	1,
479 	SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
480 	SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
481 	SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
482 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
483 	0,
484 	168,
485 	168,
486 	SSL_ALL_CIPHERS,
487 	SSL_ALL_STRENGTHS,
488 	},
489 
490 /* Fortezza */
491 /* Cipher 1C */
492 	{
493 	0,
494 	SSL3_TXT_FZA_DMS_NULL_SHA,
495 	SSL3_CK_FZA_DMS_NULL_SHA,
496 	SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
497 	SSL_NOT_EXP|SSL_STRONG_NONE,
498 	0,
499 	0,
500 	0,
501 	SSL_ALL_CIPHERS,
502 	SSL_ALL_STRENGTHS,
503 	},
504 
505 /* Cipher 1D */
506 	{
507 	0,
508 	SSL3_TXT_FZA_DMS_FZA_SHA,
509 	SSL3_CK_FZA_DMS_FZA_SHA,
510 	SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
511 	SSL_NOT_EXP|SSL_STRONG_NONE,
512 	0,
513 	0,
514 	0,
515 	SSL_ALL_CIPHERS,
516 	SSL_ALL_STRENGTHS,
517 	},
518 
519 #if 0
520 /* Cipher 1E */
521 	{
522 	0,
523 	SSL3_TXT_FZA_DMS_RC4_SHA,
524 	SSL3_CK_FZA_DMS_RC4_SHA,
525 	SSL_kFZA|SSL_aFZA |SSL_RC4  |SSL_SHA1|SSL_SSLV3,
526 	SSL_NOT_EXP|SSL_MEDIUM,
527 	0,
528 	128,
529 	128,
530 	SSL_ALL_CIPHERS,
531 	SSL_ALL_STRENGTHS,
532 	},
533 #endif
534 
535 #ifndef OPENSSL_NO_KRB5
536 /* The Kerberos ciphers
537 ** 20000107 VRS: And the first shall be last,
538 ** in hopes of avoiding the lynx ssl renegotiation problem.
539 */
540 /* Cipher 1E VRS */
541 	{
542 	1,
543 	SSL3_TXT_KRB5_DES_64_CBC_SHA,
544 	SSL3_CK_KRB5_DES_64_CBC_SHA,
545 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
546 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
547 	0,
548 	56,
549 	56,
550 	SSL_ALL_CIPHERS,
551 	SSL_ALL_STRENGTHS,
552 	},
553 
554 /* Cipher 1F VRS */
555 	{
556 	1,
557 	SSL3_TXT_KRB5_DES_192_CBC3_SHA,
558 	SSL3_CK_KRB5_DES_192_CBC3_SHA,
559 	SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
560 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
561 	0,
562 	168,
563 	168,
564 	SSL_ALL_CIPHERS,
565 	SSL_ALL_STRENGTHS,
566 	},
567 
568 /* Cipher 20 VRS */
569 	{
570 	1,
571 	SSL3_TXT_KRB5_RC4_128_SHA,
572 	SSL3_CK_KRB5_RC4_128_SHA,
573 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1  |SSL_SSLV3,
574 	SSL_NOT_EXP|SSL_MEDIUM,
575 	0,
576 	128,
577 	128,
578 	SSL_ALL_CIPHERS,
579 	SSL_ALL_STRENGTHS,
580 	},
581 
582 /* Cipher 21 VRS */
583 	{
584 	1,
585 	SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
586 	SSL3_CK_KRB5_IDEA_128_CBC_SHA,
587 	SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_SHA1  |SSL_SSLV3,
588 	SSL_NOT_EXP|SSL_MEDIUM,
589 	0,
590 	128,
591 	128,
592 	SSL_ALL_CIPHERS,
593 	SSL_ALL_STRENGTHS,
594 	},
595 
596 /* Cipher 22 VRS */
597 	{
598 	1,
599 	SSL3_TXT_KRB5_DES_64_CBC_MD5,
600 	SSL3_CK_KRB5_DES_64_CBC_MD5,
601 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
602 	SSL_NOT_EXP|SSL_LOW,
603 	0,
604 	56,
605 	56,
606 	SSL_ALL_CIPHERS,
607 	SSL_ALL_STRENGTHS,
608 	},
609 
610 /* Cipher 23 VRS */
611 	{
612 	1,
613 	SSL3_TXT_KRB5_DES_192_CBC3_MD5,
614 	SSL3_CK_KRB5_DES_192_CBC3_MD5,
615 	SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
616 	SSL_NOT_EXP|SSL_HIGH,
617 	0,
618 	168,
619 	168,
620 	SSL_ALL_CIPHERS,
621 	SSL_ALL_STRENGTHS,
622 	},
623 
624 /* Cipher 24 VRS */
625 	{
626 	1,
627 	SSL3_TXT_KRB5_RC4_128_MD5,
628 	SSL3_CK_KRB5_RC4_128_MD5,
629 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5  |SSL_SSLV3,
630 	SSL_NOT_EXP|SSL_MEDIUM,
631 	0,
632 	128,
633 	128,
634 	SSL_ALL_CIPHERS,
635 	SSL_ALL_STRENGTHS,
636 	},
637 
638 /* Cipher 25 VRS */
639 	{
640 	1,
641 	SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
642 	SSL3_CK_KRB5_IDEA_128_CBC_MD5,
643 	SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_MD5  |SSL_SSLV3,
644 	SSL_NOT_EXP|SSL_MEDIUM,
645 	0,
646 	128,
647 	128,
648 	SSL_ALL_CIPHERS,
649 	SSL_ALL_STRENGTHS,
650 	},
651 
652 /* Cipher 26 VRS */
653 	{
654 	1,
655 	SSL3_TXT_KRB5_DES_40_CBC_SHA,
656 	SSL3_CK_KRB5_DES_40_CBC_SHA,
657 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
658 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
659 	0,
660 	40,
661 	56,
662 	SSL_ALL_CIPHERS,
663 	SSL_ALL_STRENGTHS,
664 	},
665 
666 /* Cipher 27 VRS */
667 	{
668 	1,
669 	SSL3_TXT_KRB5_RC2_40_CBC_SHA,
670 	SSL3_CK_KRB5_RC2_40_CBC_SHA,
671 	SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_SHA1   |SSL_SSLV3,
672 	SSL_EXPORT|SSL_EXP40,
673 	0,
674 	40,
675 	128,
676 	SSL_ALL_CIPHERS,
677 	SSL_ALL_STRENGTHS,
678 	},
679 
680 /* Cipher 28 VRS */
681 	{
682 	1,
683 	SSL3_TXT_KRB5_RC4_40_SHA,
684 	SSL3_CK_KRB5_RC4_40_SHA,
685 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1   |SSL_SSLV3,
686 	SSL_EXPORT|SSL_EXP40,
687 	0,
688 	40,
689 	128,
690 	SSL_ALL_CIPHERS,
691 	SSL_ALL_STRENGTHS,
692 	},
693 
694 /* Cipher 29 VRS */
695 	{
696 	1,
697 	SSL3_TXT_KRB5_DES_40_CBC_MD5,
698 	SSL3_CK_KRB5_DES_40_CBC_MD5,
699 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
700 	SSL_EXPORT|SSL_EXP40,
701 	0,
702 	40,
703 	56,
704 	SSL_ALL_CIPHERS,
705 	SSL_ALL_STRENGTHS,
706 	},
707 
708 /* Cipher 2A VRS */
709 	{
710 	1,
711 	SSL3_TXT_KRB5_RC2_40_CBC_MD5,
712 	SSL3_CK_KRB5_RC2_40_CBC_MD5,
713 	SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_MD5    |SSL_SSLV3,
714 	SSL_EXPORT|SSL_EXP40,
715 	0,
716 	40,
717 	128,
718 	SSL_ALL_CIPHERS,
719 	SSL_ALL_STRENGTHS,
720 	},
721 
722 /* Cipher 2B VRS */
723 	{
724 	1,
725 	SSL3_TXT_KRB5_RC4_40_MD5,
726 	SSL3_CK_KRB5_RC4_40_MD5,
727 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5    |SSL_SSLV3,
728 	SSL_EXPORT|SSL_EXP40,
729 	0,
730 	40,
731 	128,
732 	SSL_ALL_CIPHERS,
733 	SSL_ALL_STRENGTHS,
734 	},
735 #endif	/* OPENSSL_NO_KRB5 */
736 
737 
738 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
739 	/* New TLS Export CipherSuites from expired ID */
740 #if 0
741 	/* Cipher 60 */
742 	    {
743 	    1,
744 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
745 	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
746 	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
747 	    SSL_EXPORT|SSL_EXP56,
748 	    0,
749 	    56,
750 	    128,
751 	    SSL_ALL_CIPHERS,
752 	    SSL_ALL_STRENGTHS,
753 	    },
754 	/* Cipher 61 */
755 	    {
756 	    1,
757 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
758 	    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
759 	    SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
760 	    SSL_EXPORT|SSL_EXP56,
761 	    0,
762 	    56,
763 	    128,
764 	    SSL_ALL_CIPHERS,
765 	    SSL_ALL_STRENGTHS,
766 	    },
767 #endif
768 	/* Cipher 62 */
769 	    {
770 	    1,
771 	    TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
772 	    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
773 	    SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
774 	    SSL_EXPORT|SSL_EXP56|SSL_FIPS,
775 	    0,
776 	    56,
777 	    56,
778 	    SSL_ALL_CIPHERS,
779 	    SSL_ALL_STRENGTHS,
780 	    },
781 	/* Cipher 63 */
782 	    {
783 	    1,
784 	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
785 	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
786 	    SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
787 	    SSL_EXPORT|SSL_EXP56|SSL_FIPS,
788 	    0,
789 	    56,
790 	    56,
791 	    SSL_ALL_CIPHERS,
792 	    SSL_ALL_STRENGTHS,
793 	    },
794 	/* Cipher 64 */
795 	    {
796 	    1,
797 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
798 	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
799 	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
800 	    SSL_EXPORT|SSL_EXP56,
801 	    0,
802 	    56,
803 	    128,
804 	    SSL_ALL_CIPHERS,
805 	    SSL_ALL_STRENGTHS,
806 	    },
807 	/* Cipher 65 */
808 	    {
809 	    1,
810 	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
811 	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
812 	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
813 	    SSL_EXPORT|SSL_EXP56,
814 	    0,
815 	    56,
816 	    128,
817 	    SSL_ALL_CIPHERS,
818 	    SSL_ALL_STRENGTHS,
819 	    },
820 	/* Cipher 66 */
821 	    {
822 	    1,
823 	    TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
824 	    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
825 	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
826 	    SSL_NOT_EXP|SSL_MEDIUM,
827 	    0,
828 	    128,
829 	    128,
830 	    SSL_ALL_CIPHERS,
831 	    SSL_ALL_STRENGTHS
832 	    },
833 #endif
834 	/* New AES ciphersuites */
835 
836 	/* Cipher 2F */
837 	    {
838 	    1,
839 	    TLS1_TXT_RSA_WITH_AES_128_SHA,
840 	    TLS1_CK_RSA_WITH_AES_128_SHA,
841 	    SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
842 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
843 	    0,
844 	    128,
845 	    128,
846 	    SSL_ALL_CIPHERS,
847 	    SSL_ALL_STRENGTHS,
848 	    },
849 	/* Cipher 30 */
850 	    {
851 	    0,
852 	    TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
853 	    TLS1_CK_DH_DSS_WITH_AES_128_SHA,
854 	    SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
855 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
856 	    0,
857 	    128,
858 	    128,
859 	    SSL_ALL_CIPHERS,
860 	    SSL_ALL_STRENGTHS,
861 	    },
862 	/* Cipher 31 */
863 	    {
864 	    0,
865 	    TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
866 	    TLS1_CK_DH_RSA_WITH_AES_128_SHA,
867 	    SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
868 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
869 	    0,
870 	    128,
871 	    128,
872 	    SSL_ALL_CIPHERS,
873 	    SSL_ALL_STRENGTHS,
874 	    },
875 	/* Cipher 32 */
876 	    {
877 	    1,
878 	    TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
879 	    TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
880 	    SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
881 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
882 	    0,
883 	    128,
884 	    128,
885 	    SSL_ALL_CIPHERS,
886 	    SSL_ALL_STRENGTHS,
887 	    },
888 	/* Cipher 33 */
889 	    {
890 	    1,
891 	    TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
892 	    TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
893 	    SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
894 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
895 	    0,
896 	    128,
897 	    128,
898 	    SSL_ALL_CIPHERS,
899 	    SSL_ALL_STRENGTHS,
900 	    },
901 	/* Cipher 34 */
902 	    {
903 	    1,
904 	    TLS1_TXT_ADH_WITH_AES_128_SHA,
905 	    TLS1_CK_ADH_WITH_AES_128_SHA,
906 	    SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
907 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
908 	    0,
909 	    128,
910 	    128,
911 	    SSL_ALL_CIPHERS,
912 	    SSL_ALL_STRENGTHS,
913 	    },
914 
915 	/* Cipher 35 */
916 	    {
917 	    1,
918 	    TLS1_TXT_RSA_WITH_AES_256_SHA,
919 	    TLS1_CK_RSA_WITH_AES_256_SHA,
920 	    SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
921 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
922 	    0,
923 	    256,
924 	    256,
925 	    SSL_ALL_CIPHERS,
926 	    SSL_ALL_STRENGTHS,
927 	    },
928 	/* Cipher 36 */
929 	    {
930 	    0,
931 	    TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
932 	    TLS1_CK_DH_DSS_WITH_AES_256_SHA,
933 	    SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
934 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
935 	    0,
936 	    256,
937 	    256,
938 	    SSL_ALL_CIPHERS,
939 	    SSL_ALL_STRENGTHS,
940 	    },
941 	/* Cipher 37 */
942 	    {
943 	    0,
944 	    TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
945 	    TLS1_CK_DH_RSA_WITH_AES_256_SHA,
946 	    SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
947 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
948 	    0,
949 	    256,
950 	    256,
951 	    SSL_ALL_CIPHERS,
952 	    SSL_ALL_STRENGTHS,
953 	    },
954 	/* Cipher 38 */
955 	    {
956 	    1,
957 	    TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
958 	    TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
959 	    SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
960 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
961 	    0,
962 	    256,
963 	    256,
964 	    SSL_ALL_CIPHERS,
965 	    SSL_ALL_STRENGTHS,
966 	    },
967 	/* Cipher 39 */
968 	    {
969 	    1,
970 	    TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
971 	    TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
972 	    SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
973 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
974 	    0,
975 	    256,
976 	    256,
977 	    SSL_ALL_CIPHERS,
978 	    SSL_ALL_STRENGTHS,
979 	    },
980 	/* Cipher 3A */
981 	    {
982 	    1,
983 	    TLS1_TXT_ADH_WITH_AES_256_SHA,
984 	    TLS1_CK_ADH_WITH_AES_256_SHA,
985 	    SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
986 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
987 	    0,
988 	    256,
989 	    256,
990 	    SSL_ALL_CIPHERS,
991 	    SSL_ALL_STRENGTHS,
992 	    },
993 
994 /* end of list */
995 	};
996 
997 static SSL3_ENC_METHOD SSLv3_enc_data={
998 	ssl3_enc,
999 	ssl3_mac,
1000 	ssl3_setup_key_block,
1001 	ssl3_generate_master_secret,
1002 	ssl3_change_cipher_state,
1003 	ssl3_final_finish_mac,
1004 	MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
1005 	ssl3_cert_verify_mac,
1006 	SSL3_MD_CLIENT_FINISHED_CONST,4,
1007 	SSL3_MD_SERVER_FINISHED_CONST,4,
1008 	ssl3_alert_code,
1009 	};
1010 
1011 static SSL_METHOD SSLv3_data= {
1012 	SSL3_VERSION,
1013 	ssl3_new,
1014 	ssl3_clear,
1015 	ssl3_free,
1016 	ssl_undefined_function,
1017 	ssl_undefined_function,
1018 	ssl3_read,
1019 	ssl3_peek,
1020 	ssl3_write,
1021 	ssl3_shutdown,
1022 	ssl3_renegotiate,
1023 	ssl3_renegotiate_check,
1024 	ssl3_ctrl,
1025 	ssl3_ctx_ctrl,
1026 	ssl3_get_cipher_by_char,
1027 	ssl3_put_cipher_by_char,
1028 	ssl3_pending,
1029 	ssl3_num_ciphers,
1030 	ssl3_get_cipher,
1031 	ssl_bad_method,
1032 	ssl3_default_timeout,
1033 	&SSLv3_enc_data,
1034 	ssl_undefined_function,
1035 	ssl3_callback_ctrl,
1036 	ssl3_ctx_callback_ctrl,
1037 	};
1038 
ssl3_default_timeout(void)1039 static long ssl3_default_timeout(void)
1040 	{
1041 	/* 2 hours, the 24 hours mentioned in the SSLv3 spec
1042 	 * is way too long for http, the cache would over fill */
1043 	return(60*60*2);
1044 	}
1045 
sslv3_base_method(void)1046 SSL_METHOD *sslv3_base_method(void)
1047 	{
1048 	return(&SSLv3_data);
1049 	}
1050 
ssl3_num_ciphers(void)1051 int ssl3_num_ciphers(void)
1052 	{
1053 	return(SSL3_NUM_CIPHERS);
1054 	}
1055 
ssl3_get_cipher(unsigned int u)1056 SSL_CIPHER *ssl3_get_cipher(unsigned int u)
1057 	{
1058 	if (u < SSL3_NUM_CIPHERS)
1059 		return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u]));
1060 	else
1061 		return(NULL);
1062 	}
1063 
ssl3_pending(const SSL * s)1064 int ssl3_pending(const SSL *s)
1065 	{
1066 	if (s->rstate == SSL_ST_READ_BODY)
1067 		return 0;
1068 
1069 	return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
1070 	}
1071 
ssl3_new(SSL * s)1072 int ssl3_new(SSL *s)
1073 	{
1074 	SSL3_STATE *s3;
1075 
1076 	if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err;
1077 	memset(s3,0,sizeof *s3);
1078 	EVP_MD_CTX_init(&s3->finish_dgst1);
1079 	EVP_MD_CTX_init(&s3->finish_dgst2);
1080 
1081 	s->s3=s3;
1082 
1083 	s->method->ssl_clear(s);
1084 	return(1);
1085 err:
1086 	return(0);
1087 	}
1088 
ssl3_free(SSL * s)1089 void ssl3_free(SSL *s)
1090 	{
1091 	if(s == NULL)
1092 	    return;
1093 
1094 	ssl3_cleanup_key_block(s);
1095 	if (s->s3->rbuf.buf != NULL)
1096 		OPENSSL_free(s->s3->rbuf.buf);
1097 	if (s->s3->wbuf.buf != NULL)
1098 		OPENSSL_free(s->s3->wbuf.buf);
1099 	if (s->s3->rrec.comp != NULL)
1100 		OPENSSL_free(s->s3->rrec.comp);
1101 #ifndef OPENSSL_NO_DH
1102 	if (s->s3->tmp.dh != NULL)
1103 		DH_free(s->s3->tmp.dh);
1104 #endif
1105 	if (s->s3->tmp.ca_names != NULL)
1106 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1107 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
1108 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
1109 	OPENSSL_cleanse(s->s3,sizeof *s->s3);
1110 	OPENSSL_free(s->s3);
1111 	s->s3=NULL;
1112 	}
1113 
ssl3_clear(SSL * s)1114 void ssl3_clear(SSL *s)
1115 	{
1116 	unsigned char *rp,*wp;
1117 	size_t rlen, wlen;
1118 
1119 	ssl3_cleanup_key_block(s);
1120 	if (s->s3->tmp.ca_names != NULL)
1121 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1122 
1123 	if (s->s3->rrec.comp != NULL)
1124 		{
1125 		OPENSSL_free(s->s3->rrec.comp);
1126 		s->s3->rrec.comp=NULL;
1127 		}
1128 #ifndef OPENSSL_NO_DH
1129 	if (s->s3->tmp.dh != NULL)
1130 		DH_free(s->s3->tmp.dh);
1131 #endif
1132 
1133 	rp = s->s3->rbuf.buf;
1134 	wp = s->s3->wbuf.buf;
1135 	rlen = s->s3->rbuf.len;
1136  	wlen = s->s3->wbuf.len;
1137 
1138 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
1139 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
1140 
1141 	memset(s->s3,0,sizeof *s->s3);
1142 	s->s3->rbuf.buf = rp;
1143 	s->s3->wbuf.buf = wp;
1144 	s->s3->rbuf.len = rlen;
1145  	s->s3->wbuf.len = wlen;
1146 
1147 	ssl_free_wbio_buffer(s);
1148 
1149 	s->packet_length=0;
1150 	s->s3->renegotiate=0;
1151 	s->s3->total_renegotiations=0;
1152 	s->s3->num_renegotiations=0;
1153 	s->s3->in_read_app_data=0;
1154 	s->version=SSL3_VERSION;
1155 	}
1156 
ssl3_ctrl(SSL * s,int cmd,long larg,void * parg)1157 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
1158 	{
1159 	int ret=0;
1160 
1161 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
1162 	if (
1163 #ifndef OPENSSL_NO_RSA
1164 	    cmd == SSL_CTRL_SET_TMP_RSA ||
1165 	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
1166 #endif
1167 #ifndef OPENSSL_NO_DSA
1168 	    cmd == SSL_CTRL_SET_TMP_DH ||
1169 	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
1170 #endif
1171 		0)
1172 		{
1173 		if (!ssl_cert_inst(&s->cert))
1174 		    	{
1175 			SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
1176 			return(0);
1177 			}
1178 		}
1179 #endif
1180 
1181 	switch (cmd)
1182 		{
1183 	case SSL_CTRL_GET_SESSION_REUSED:
1184 		ret=s->hit;
1185 		break;
1186 	case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
1187 		break;
1188 	case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
1189 		ret=s->s3->num_renegotiations;
1190 		break;
1191 	case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
1192 		ret=s->s3->num_renegotiations;
1193 		s->s3->num_renegotiations=0;
1194 		break;
1195 	case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
1196 		ret=s->s3->total_renegotiations;
1197 		break;
1198 	case SSL_CTRL_GET_FLAGS:
1199 		ret=(int)(s->s3->flags);
1200 		break;
1201 #ifndef OPENSSL_NO_RSA
1202 	case SSL_CTRL_NEED_TMP_RSA:
1203 		if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
1204 		    ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
1205 		     (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))))
1206 			ret = 1;
1207 		break;
1208 	case SSL_CTRL_SET_TMP_RSA:
1209 		{
1210 			RSA *rsa = (RSA *)parg;
1211 			if (rsa == NULL)
1212 				{
1213 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
1214 				return(ret);
1215 				}
1216 			if ((rsa = RSAPrivateKey_dup(rsa)) == NULL)
1217 				{
1218 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB);
1219 				return(ret);
1220 				}
1221 			if (s->cert->rsa_tmp != NULL)
1222 				RSA_free(s->cert->rsa_tmp);
1223 			s->cert->rsa_tmp = rsa;
1224 			ret = 1;
1225 		}
1226 		break;
1227 	case SSL_CTRL_SET_TMP_RSA_CB:
1228 		{
1229 		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1230 		return(ret);
1231 		}
1232 		break;
1233 #endif
1234 #ifndef OPENSSL_NO_DH
1235 	case SSL_CTRL_SET_TMP_DH:
1236 		{
1237 			DH *dh = (DH *)parg;
1238 			if (dh == NULL)
1239 				{
1240 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
1241 				return(ret);
1242 				}
1243 			if ((dh = DHparams_dup(dh)) == NULL)
1244 				{
1245 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
1246 				return(ret);
1247 				}
1248 			if (!(s->options & SSL_OP_SINGLE_DH_USE))
1249 				{
1250 				if (!DH_generate_key(dh))
1251 					{
1252 					DH_free(dh);
1253 					SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
1254 					return(ret);
1255 					}
1256 				}
1257 			if (s->cert->dh_tmp != NULL)
1258 				DH_free(s->cert->dh_tmp);
1259 			s->cert->dh_tmp = dh;
1260 			ret = 1;
1261 		}
1262 		break;
1263 	case SSL_CTRL_SET_TMP_DH_CB:
1264 		{
1265 		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1266 		return(ret);
1267 		}
1268 		break;
1269 #endif
1270 	default:
1271 		break;
1272 		}
1273 	return(ret);
1274 	}
1275 
ssl3_callback_ctrl(SSL * s,int cmd,void (* fp)())1276 long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
1277 	{
1278 	int ret=0;
1279 
1280 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
1281 	if (
1282 #ifndef OPENSSL_NO_RSA
1283 	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
1284 #endif
1285 #ifndef OPENSSL_NO_DSA
1286 	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
1287 #endif
1288 		0)
1289 		{
1290 		if (!ssl_cert_inst(&s->cert))
1291 			{
1292 			SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE);
1293 			return(0);
1294 			}
1295 		}
1296 #endif
1297 
1298 	switch (cmd)
1299 		{
1300 #ifndef OPENSSL_NO_RSA
1301 	case SSL_CTRL_SET_TMP_RSA_CB:
1302 		{
1303 		s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
1304 		}
1305 		break;
1306 #endif
1307 #ifndef OPENSSL_NO_DH
1308 	case SSL_CTRL_SET_TMP_DH_CB:
1309 		{
1310 		s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
1311 		}
1312 		break;
1313 #endif
1314 	default:
1315 		break;
1316 		}
1317 	return(ret);
1318 	}
1319 
ssl3_ctx_ctrl(SSL_CTX * ctx,int cmd,long larg,void * parg)1320 long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1321 	{
1322 	CERT *cert;
1323 
1324 	cert=ctx->cert;
1325 
1326 	switch (cmd)
1327 		{
1328 #ifndef OPENSSL_NO_RSA
1329 	case SSL_CTRL_NEED_TMP_RSA:
1330 		if (	(cert->rsa_tmp == NULL) &&
1331 			((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
1332 			 (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))
1333 			)
1334 			return(1);
1335 		else
1336 			return(0);
1337 		/* break; */
1338 	case SSL_CTRL_SET_TMP_RSA:
1339 		{
1340 		RSA *rsa;
1341 		int i;
1342 
1343 		rsa=(RSA *)parg;
1344 		i=1;
1345 		if (rsa == NULL)
1346 			i=0;
1347 		else
1348 			{
1349 			if ((rsa=RSAPrivateKey_dup(rsa)) == NULL)
1350 				i=0;
1351 			}
1352 		if (!i)
1353 			{
1354 			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB);
1355 			return(0);
1356 			}
1357 		else
1358 			{
1359 			if (cert->rsa_tmp != NULL)
1360 				RSA_free(cert->rsa_tmp);
1361 			cert->rsa_tmp=rsa;
1362 			return(1);
1363 			}
1364 		}
1365 		/* break; */
1366 	case SSL_CTRL_SET_TMP_RSA_CB:
1367 		{
1368 		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1369 		return(0);
1370 		}
1371 		break;
1372 #endif
1373 #ifndef OPENSSL_NO_DH
1374 	case SSL_CTRL_SET_TMP_DH:
1375 		{
1376 		DH *new=NULL,*dh;
1377 
1378 		dh=(DH *)parg;
1379 		if ((new=DHparams_dup(dh)) == NULL)
1380 			{
1381 			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
1382 			return 0;
1383 			}
1384 		if (!(ctx->options & SSL_OP_SINGLE_DH_USE))
1385 			{
1386 			if (!DH_generate_key(new))
1387 				{
1388 				SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
1389 				DH_free(new);
1390 				return 0;
1391 				}
1392 			}
1393 		if (cert->dh_tmp != NULL)
1394 			DH_free(cert->dh_tmp);
1395 		cert->dh_tmp=new;
1396 		return 1;
1397 		}
1398 		/*break; */
1399 	case SSL_CTRL_SET_TMP_DH_CB:
1400 		{
1401 		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1402 		return(0);
1403 		}
1404 		break;
1405 #endif
1406 	/* A Thawte special :-) */
1407 	case SSL_CTRL_EXTRA_CHAIN_CERT:
1408 		if (ctx->extra_certs == NULL)
1409 			{
1410 			if ((ctx->extra_certs=sk_X509_new_null()) == NULL)
1411 				return(0);
1412 			}
1413 		sk_X509_push(ctx->extra_certs,(X509 *)parg);
1414 		break;
1415 
1416 	default:
1417 		return(0);
1418 		}
1419 	return(1);
1420 	}
1421 
ssl3_ctx_callback_ctrl(SSL_CTX * ctx,int cmd,void (* fp)())1422 long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
1423 	{
1424 	CERT *cert;
1425 
1426 	cert=ctx->cert;
1427 
1428 	switch (cmd)
1429 		{
1430 #ifndef OPENSSL_NO_RSA
1431 	case SSL_CTRL_SET_TMP_RSA_CB:
1432 		{
1433 		cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
1434 		}
1435 		break;
1436 #endif
1437 #ifndef OPENSSL_NO_DH
1438 	case SSL_CTRL_SET_TMP_DH_CB:
1439 		{
1440 		cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
1441 		}
1442 		break;
1443 #endif
1444 	default:
1445 		return(0);
1446 		}
1447 	return(1);
1448 	}
1449 
1450 /* This function needs to check if the ciphers required are actually
1451  * available */
ssl3_get_cipher_by_char(const unsigned char * p)1452 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
1453 	{
1454 	static int init=1;
1455 	static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS];
1456 	SSL_CIPHER c,*cp= &c,**cpp;
1457 	unsigned long id;
1458 	int i;
1459 
1460 	if (init)
1461 		{
1462 		CRYPTO_w_lock(CRYPTO_LOCK_SSL);
1463 
1464 		if (init)
1465 			{
1466 			for (i=0; i<SSL3_NUM_CIPHERS; i++)
1467 				sorted[i]= &(ssl3_ciphers[i]);
1468 
1469 			qsort(sorted,
1470 				SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
1471 				FP_ICC ssl_cipher_ptr_id_cmp);
1472 
1473 			init=0;
1474 			}
1475 
1476 		CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
1477 		}
1478 
1479 	id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
1480 	c.id=id;
1481 	cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
1482 		(char *)sorted,
1483 		SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
1484 		FP_ICC ssl_cipher_ptr_id_cmp);
1485 	if ((cpp == NULL) || !(*cpp)->valid)
1486 		return(NULL);
1487 	else
1488 		return(*cpp);
1489 	}
1490 
ssl3_put_cipher_by_char(const SSL_CIPHER * c,unsigned char * p)1491 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
1492 	{
1493 	long l;
1494 
1495 	if (p != NULL)
1496 		{
1497 		l=c->id;
1498 		if ((l & 0xff000000) != 0x03000000) return(0);
1499 		p[0]=((unsigned char)(l>> 8L))&0xFF;
1500 		p[1]=((unsigned char)(l     ))&0xFF;
1501 		}
1502 	return(2);
1503 	}
1504 
ssl3_choose_cipher(SSL * s,STACK_OF (SSL_CIPHER)* clnt,STACK_OF (SSL_CIPHER)* srvr)1505 SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
1506 	     STACK_OF(SSL_CIPHER) *srvr)
1507 	{
1508 	SSL_CIPHER *c,*ret=NULL;
1509 	STACK_OF(SSL_CIPHER) *prio, *allow;
1510 	int i,j,ok;
1511 	CERT *cert;
1512 	unsigned long alg,mask,emask;
1513 
1514 	/* Let's see which ciphers we can support */
1515 	cert=s->cert;
1516 
1517 #if 0
1518 	/* Do not set the compare functions, because this may lead to a
1519 	 * reordering by "id". We want to keep the original ordering.
1520 	 * We may pay a price in performance during sk_SSL_CIPHER_find(),
1521 	 * but would have to pay with the price of sk_SSL_CIPHER_dup().
1522 	 */
1523 	sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
1524 	sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
1525 #endif
1526 
1527 #ifdef CIPHER_DEBUG
1528         printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr);
1529         for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
1530 	    {
1531 	    c=sk_SSL_CIPHER_value(srvr,i);
1532 	    printf("%p:%s\n",c,c->name);
1533 	    }
1534         printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt);
1535         for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
1536 	    {
1537 	    c=sk_SSL_CIPHER_value(clnt,i);
1538 	    printf("%p:%s\n",c,c->name);
1539 	    }
1540 #endif
1541 
1542 	if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
1543 	    {
1544 	    prio = srvr;
1545 	    allow = clnt;
1546 	    }
1547 	else
1548 	    {
1549 	    prio = clnt;
1550 	    allow = srvr;
1551 	    }
1552 
1553 	for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
1554 		{
1555 		c=sk_SSL_CIPHER_value(prio,i);
1556 
1557 		ssl_set_cert_masks(cert,c);
1558 		mask=cert->mask;
1559 		emask=cert->export_mask;
1560 
1561 #ifdef KSSL_DEBUG
1562 		printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);
1563 #endif    /* KSSL_DEBUG */
1564 
1565 		alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
1566 #ifndef OPENSSL_NO_KRB5
1567                 if (alg & SSL_KRB5)
1568                         {
1569                         if ( !kssl_keytab_is_available(s->kssl_ctx) )
1570                             continue;
1571                         }
1572 #endif /* OPENSSL_NO_KRB5 */
1573 		if (SSL_C_IS_EXPORT(c))
1574 			{
1575 			ok=((alg & emask) == alg)?1:0;
1576 #ifdef CIPHER_DEBUG
1577 			printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask,
1578 			       c,c->name);
1579 #endif
1580 			}
1581 		else
1582 			{
1583 			ok=((alg & mask) == alg)?1:0;
1584 #ifdef CIPHER_DEBUG
1585 			printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c,
1586 			       c->name);
1587 #endif
1588 			}
1589 
1590 		if (!ok) continue;
1591 
1592 		j=sk_SSL_CIPHER_find(allow,c);
1593 		if (j >= 0)
1594 			{
1595 			ret=sk_SSL_CIPHER_value(allow,j);
1596 			break;
1597 			}
1598 		}
1599 	return(ret);
1600 	}
1601 
ssl3_get_req_cert_type(SSL * s,unsigned char * p)1602 int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
1603 	{
1604 	int ret=0;
1605 	unsigned long alg;
1606 
1607 	alg=s->s3->tmp.new_cipher->algorithms;
1608 
1609 #ifndef OPENSSL_NO_DH
1610 	if (alg & (SSL_kDHr|SSL_kEDH))
1611 		{
1612 #  ifndef OPENSSL_NO_RSA
1613 		p[ret++]=SSL3_CT_RSA_FIXED_DH;
1614 #  endif
1615 #  ifndef OPENSSL_NO_DSA
1616 		p[ret++]=SSL3_CT_DSS_FIXED_DH;
1617 #  endif
1618 		}
1619 	if ((s->version == SSL3_VERSION) &&
1620 		(alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
1621 		{
1622 #  ifndef OPENSSL_NO_RSA
1623 		p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
1624 #  endif
1625 #  ifndef OPENSSL_NO_DSA
1626 		p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
1627 #  endif
1628 		}
1629 #endif /* !OPENSSL_NO_DH */
1630 #ifndef OPENSSL_NO_RSA
1631 	p[ret++]=SSL3_CT_RSA_SIGN;
1632 #endif
1633 #ifndef OPENSSL_NO_DSA
1634 	p[ret++]=SSL3_CT_DSS_SIGN;
1635 #endif
1636 	return(ret);
1637 	}
1638 
ssl3_shutdown(SSL * s)1639 int ssl3_shutdown(SSL *s)
1640 	{
1641 
1642 	/* Don't do anything much if we have not done the handshake or
1643 	 * we don't want to send messages :-) */
1644 	if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE))
1645 		{
1646 		s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
1647 		return(1);
1648 		}
1649 
1650 	if (!(s->shutdown & SSL_SENT_SHUTDOWN))
1651 		{
1652 		s->shutdown|=SSL_SENT_SHUTDOWN;
1653 #if 1
1654 		ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY);
1655 #endif
1656 		/* our shutdown alert has been sent now, and if it still needs
1657 	 	 * to be written, s->s3->alert_dispatch will be true */
1658 		}
1659 	else if (s->s3->alert_dispatch)
1660 		{
1661 		/* resend it if not sent */
1662 #if 1
1663 		ssl3_dispatch_alert(s);
1664 #endif
1665 		}
1666 	else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
1667 		{
1668 		/* If we are waiting for a close from our peer, we are closed */
1669 		ssl3_read_bytes(s,0,NULL,0,0);
1670 		}
1671 
1672 	if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
1673 		!s->s3->alert_dispatch)
1674 		return(1);
1675 	else
1676 		return(0);
1677 	}
1678 
ssl3_write(SSL * s,const void * buf,int len)1679 int ssl3_write(SSL *s, const void *buf, int len)
1680 	{
1681 	int ret,n;
1682 
1683 #if 0
1684 	if (s->shutdown & SSL_SEND_SHUTDOWN)
1685 		{
1686 		s->rwstate=SSL_NOTHING;
1687 		return(0);
1688 		}
1689 #endif
1690 	clear_sys_error();
1691 	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
1692 
1693 	/* This is an experimental flag that sends the
1694 	 * last handshake message in the same packet as the first
1695 	 * use data - used to see if it helps the TCP protocol during
1696 	 * session-id reuse */
1697 	/* The second test is because the buffer may have been removed */
1698 	if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
1699 		{
1700 		/* First time through, we write into the buffer */
1701 		if (s->s3->delay_buf_pop_ret == 0)
1702 			{
1703 			ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
1704 					     buf,len);
1705 			if (ret <= 0) return(ret);
1706 
1707 			s->s3->delay_buf_pop_ret=ret;
1708 			}
1709 
1710 		s->rwstate=SSL_WRITING;
1711 		n=BIO_flush(s->wbio);
1712 		if (n <= 0) return(n);
1713 		s->rwstate=SSL_NOTHING;
1714 
1715 		/* We have flushed the buffer, so remove it */
1716 		ssl_free_wbio_buffer(s);
1717 		s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
1718 
1719 		ret=s->s3->delay_buf_pop_ret;
1720 		s->s3->delay_buf_pop_ret=0;
1721 		}
1722 	else
1723 		{
1724 		ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
1725 				     buf,len);
1726 		if (ret <= 0) return(ret);
1727 		}
1728 
1729 	return(ret);
1730 	}
1731 
ssl3_read_internal(SSL * s,void * buf,int len,int peek)1732 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
1733 	{
1734 	int ret;
1735 
1736 	clear_sys_error();
1737 	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
1738 	s->s3->in_read_app_data=1;
1739 	ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
1740 	if ((ret == -1) && (s->s3->in_read_app_data == 2))
1741 		{
1742 		/* ssl3_read_bytes decided to call s->handshake_func, which
1743 		 * called ssl3_read_bytes to read handshake data.
1744 		 * However, ssl3_read_bytes actually found application data
1745 		 * and thinks that application data makes sense here; so disable
1746 		 * handshake processing and try to read application data again. */
1747 		s->in_handshake++;
1748 		ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
1749 		s->in_handshake--;
1750 		}
1751 	else
1752 		s->s3->in_read_app_data=0;
1753 
1754 	return(ret);
1755 	}
1756 
ssl3_read(SSL * s,void * buf,int len)1757 int ssl3_read(SSL *s, void *buf, int len)
1758 	{
1759 	return ssl3_read_internal(s, buf, len, 0);
1760 	}
1761 
ssl3_peek(SSL * s,void * buf,int len)1762 int ssl3_peek(SSL *s, void *buf, int len)
1763 	{
1764 	return ssl3_read_internal(s, buf, len, 1);
1765 	}
1766 
ssl3_renegotiate(SSL * s)1767 int ssl3_renegotiate(SSL *s)
1768 	{
1769 	if (s->handshake_func == NULL)
1770 		return(1);
1771 
1772 	if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
1773 		return(0);
1774 
1775 	if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1776 		return(0);
1777 
1778 	s->s3->renegotiate=1;
1779 	return(1);
1780 	}
1781 
ssl3_renegotiate_check(SSL * s)1782 int ssl3_renegotiate_check(SSL *s)
1783 	{
1784 	int ret=0;
1785 
1786 	if (s->s3->renegotiate)
1787 		{
1788 		if (	(s->s3->rbuf.left == 0) &&
1789 			(s->s3->wbuf.left == 0) &&
1790 			!SSL_in_init(s))
1791 			{
1792 /*
1793 if we are the server, and we have sent a 'RENEGOTIATE' message, we
1794 need to go to SSL_ST_ACCEPT.
1795 */
1796 			/* SSL_ST_ACCEPT */
1797 			s->state=SSL_ST_RENEGOTIATE;
1798 			s->s3->renegotiate=0;
1799 			s->s3->num_renegotiations++;
1800 			s->s3->total_renegotiations++;
1801 			ret=1;
1802 			}
1803 		}
1804 	return(ret);
1805 	}
1806 
1807