xref: /freebsd/crypto/openssl/ssl/s3_lib.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /* ssl/s3_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  *
114  * Portions of the attached software ("Contribution") are developed by
115  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116  *
117  * The Contribution is licensed pursuant to the OpenSSL open source
118  * license provided above.
119  *
120  * ECC cipher suite support in OpenSSL originally written by
121  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122  *
123  */
124 
125 #include <stdio.h>
126 #include <openssl/objects.h>
127 #include "ssl_locl.h"
128 #include "kssl_lcl.h"
129 #include <openssl/md5.h>
130 #ifndef OPENSSL_NO_DH
131 #include <openssl/dh.h>
132 #endif
133 #include <openssl/pq_compat.h>
134 
135 const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT;
136 
137 #define SSL3_NUM_CIPHERS	(sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
138 
139 /* list of available SSLv3 ciphers (sorted by id) */
140 OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
141 /* The RSA ciphers */
142 /* Cipher 01 */
143 	{
144 	1,
145 	SSL3_TXT_RSA_NULL_MD5,
146 	SSL3_CK_RSA_NULL_MD5,
147 	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
148 	SSL_NOT_EXP|SSL_STRONG_NONE,
149 	0,
150 	0,
151 	0,
152 	SSL_ALL_CIPHERS,
153 	SSL_ALL_STRENGTHS,
154 	},
155 /* Cipher 02 */
156 	{
157 	1,
158 	SSL3_TXT_RSA_NULL_SHA,
159 	SSL3_CK_RSA_NULL_SHA,
160 	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
161 	SSL_NOT_EXP|SSL_STRONG_NONE,
162 	0,
163 	0,
164 	0,
165 	SSL_ALL_CIPHERS,
166 	SSL_ALL_STRENGTHS,
167 	},
168 /* Cipher 03 */
169 	{
170 	1,
171 	SSL3_TXT_RSA_RC4_40_MD5,
172 	SSL3_CK_RSA_RC4_40_MD5,
173 	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
174 	SSL_EXPORT|SSL_EXP40,
175 	0,
176 	40,
177 	128,
178 	SSL_ALL_CIPHERS,
179 	SSL_ALL_STRENGTHS,
180 	},
181 /* Cipher 04 */
182 	{
183 	1,
184 	SSL3_TXT_RSA_RC4_128_MD5,
185 	SSL3_CK_RSA_RC4_128_MD5,
186 	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5|SSL_SSLV3,
187 	SSL_NOT_EXP|SSL_MEDIUM,
188 	0,
189 	128,
190 	128,
191 	SSL_ALL_CIPHERS,
192 	SSL_ALL_STRENGTHS,
193 	},
194 /* Cipher 05 */
195 	{
196 	1,
197 	SSL3_TXT_RSA_RC4_128_SHA,
198 	SSL3_CK_RSA_RC4_128_SHA,
199 	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_SSLV3,
200 	SSL_NOT_EXP|SSL_MEDIUM,
201 	0,
202 	128,
203 	128,
204 	SSL_ALL_CIPHERS,
205 	SSL_ALL_STRENGTHS,
206 	},
207 /* Cipher 06 */
208 	{
209 	1,
210 	SSL3_TXT_RSA_RC2_40_MD5,
211 	SSL3_CK_RSA_RC2_40_MD5,
212 	SSL_kRSA|SSL_aRSA|SSL_RC2  |SSL_MD5 |SSL_SSLV3,
213 	SSL_EXPORT|SSL_EXP40,
214 	0,
215 	40,
216 	128,
217 	SSL_ALL_CIPHERS,
218 	SSL_ALL_STRENGTHS,
219 	},
220 /* Cipher 07 */
221 #ifndef OPENSSL_NO_IDEA
222 	{
223 	1,
224 	SSL3_TXT_RSA_IDEA_128_SHA,
225 	SSL3_CK_RSA_IDEA_128_SHA,
226 	SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3,
227 	SSL_NOT_EXP|SSL_MEDIUM,
228 	0,
229 	128,
230 	128,
231 	SSL_ALL_CIPHERS,
232 	SSL_ALL_STRENGTHS,
233 	},
234 #endif
235 /* Cipher 08 */
236 	{
237 	1,
238 	SSL3_TXT_RSA_DES_40_CBC_SHA,
239 	SSL3_CK_RSA_DES_40_CBC_SHA,
240 	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
241 	SSL_EXPORT|SSL_EXP40,
242 	0,
243 	40,
244 	56,
245 	SSL_ALL_CIPHERS,
246 	SSL_ALL_STRENGTHS,
247 	},
248 /* Cipher 09 */
249 	{
250 	1,
251 	SSL3_TXT_RSA_DES_64_CBC_SHA,
252 	SSL3_CK_RSA_DES_64_CBC_SHA,
253 	SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
254 	SSL_NOT_EXP|SSL_LOW,
255 	0,
256 	56,
257 	56,
258 	SSL_ALL_CIPHERS,
259 	SSL_ALL_STRENGTHS,
260 	},
261 /* Cipher 0A */
262 	{
263 	1,
264 	SSL3_TXT_RSA_DES_192_CBC3_SHA,
265 	SSL3_CK_RSA_DES_192_CBC3_SHA,
266 	SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
267 	SSL_NOT_EXP|SSL_HIGH,
268 	0,
269 	168,
270 	168,
271 	SSL_ALL_CIPHERS,
272 	SSL_ALL_STRENGTHS,
273 	},
274 /* The DH ciphers */
275 /* Cipher 0B */
276 	{
277 	0,
278 	SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
279 	SSL3_CK_DH_DSS_DES_40_CBC_SHA,
280 	SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
281 	SSL_EXPORT|SSL_EXP40,
282 	0,
283 	40,
284 	56,
285 	SSL_ALL_CIPHERS,
286 	SSL_ALL_STRENGTHS,
287 	},
288 /* Cipher 0C */
289 	{
290 	0,
291 	SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
292 	SSL3_CK_DH_DSS_DES_64_CBC_SHA,
293 	SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
294 	SSL_NOT_EXP|SSL_LOW,
295 	0,
296 	56,
297 	56,
298 	SSL_ALL_CIPHERS,
299 	SSL_ALL_STRENGTHS,
300 	},
301 /* Cipher 0D */
302 	{
303 	0,
304 	SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
305 	SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
306 	SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
307 	SSL_NOT_EXP|SSL_HIGH,
308 	0,
309 	168,
310 	168,
311 	SSL_ALL_CIPHERS,
312 	SSL_ALL_STRENGTHS,
313 	},
314 /* Cipher 0E */
315 	{
316 	0,
317 	SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
318 	SSL3_CK_DH_RSA_DES_40_CBC_SHA,
319 	SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
320 	SSL_EXPORT|SSL_EXP40,
321 	0,
322 	40,
323 	56,
324 	SSL_ALL_CIPHERS,
325 	SSL_ALL_STRENGTHS,
326 	},
327 /* Cipher 0F */
328 	{
329 	0,
330 	SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
331 	SSL3_CK_DH_RSA_DES_64_CBC_SHA,
332 	SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
333 	SSL_NOT_EXP|SSL_LOW,
334 	0,
335 	56,
336 	56,
337 	SSL_ALL_CIPHERS,
338 	SSL_ALL_STRENGTHS,
339 	},
340 /* Cipher 10 */
341 	{
342 	0,
343 	SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
344 	SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
345 	SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
346 	SSL_NOT_EXP|SSL_HIGH,
347 	0,
348 	168,
349 	168,
350 	SSL_ALL_CIPHERS,
351 	SSL_ALL_STRENGTHS,
352 	},
353 
354 /* The Ephemeral DH ciphers */
355 /* Cipher 11 */
356 	{
357 	1,
358 	SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
359 	SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
360 	SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
361 	SSL_EXPORT|SSL_EXP40,
362 	0,
363 	40,
364 	56,
365 	SSL_ALL_CIPHERS,
366 	SSL_ALL_STRENGTHS,
367 	},
368 /* Cipher 12 */
369 	{
370 	1,
371 	SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
372 	SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
373 	SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_SSLV3,
374 	SSL_NOT_EXP|SSL_LOW,
375 	0,
376 	56,
377 	56,
378 	SSL_ALL_CIPHERS,
379 	SSL_ALL_STRENGTHS,
380 	},
381 /* Cipher 13 */
382 	{
383 	1,
384 	SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
385 	SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
386 	SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
387 	SSL_NOT_EXP|SSL_HIGH,
388 	0,
389 	168,
390 	168,
391 	SSL_ALL_CIPHERS,
392 	SSL_ALL_STRENGTHS,
393 	},
394 /* Cipher 14 */
395 	{
396 	1,
397 	SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
398 	SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
399 	SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
400 	SSL_EXPORT|SSL_EXP40,
401 	0,
402 	40,
403 	56,
404 	SSL_ALL_CIPHERS,
405 	SSL_ALL_STRENGTHS,
406 	},
407 /* Cipher 15 */
408 	{
409 	1,
410 	SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
411 	SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
412 	SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
413 	SSL_NOT_EXP|SSL_LOW,
414 	0,
415 	56,
416 	56,
417 	SSL_ALL_CIPHERS,
418 	SSL_ALL_STRENGTHS,
419 	},
420 /* Cipher 16 */
421 	{
422 	1,
423 	SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
424 	SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
425 	SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
426 	SSL_NOT_EXP|SSL_HIGH,
427 	0,
428 	168,
429 	168,
430 	SSL_ALL_CIPHERS,
431 	SSL_ALL_STRENGTHS,
432 	},
433 /* Cipher 17 */
434 	{
435 	1,
436 	SSL3_TXT_ADH_RC4_40_MD5,
437 	SSL3_CK_ADH_RC4_40_MD5,
438 	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
439 	SSL_EXPORT|SSL_EXP40,
440 	0,
441 	40,
442 	128,
443 	SSL_ALL_CIPHERS,
444 	SSL_ALL_STRENGTHS,
445 	},
446 /* Cipher 18 */
447 	{
448 	1,
449 	SSL3_TXT_ADH_RC4_128_MD5,
450 	SSL3_CK_ADH_RC4_128_MD5,
451 	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
452 	SSL_NOT_EXP|SSL_MEDIUM,
453 	0,
454 	128,
455 	128,
456 	SSL_ALL_CIPHERS,
457 	SSL_ALL_STRENGTHS,
458 	},
459 /* Cipher 19 */
460 	{
461 	1,
462 	SSL3_TXT_ADH_DES_40_CBC_SHA,
463 	SSL3_CK_ADH_DES_40_CBC_SHA,
464 	SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
465 	SSL_EXPORT|SSL_EXP40,
466 	0,
467 	40,
468 	128,
469 	SSL_ALL_CIPHERS,
470 	SSL_ALL_STRENGTHS,
471 	},
472 /* Cipher 1A */
473 	{
474 	1,
475 	SSL3_TXT_ADH_DES_64_CBC_SHA,
476 	SSL3_CK_ADH_DES_64_CBC_SHA,
477 	SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
478 	SSL_NOT_EXP|SSL_LOW,
479 	0,
480 	56,
481 	56,
482 	SSL_ALL_CIPHERS,
483 	SSL_ALL_STRENGTHS,
484 	},
485 /* Cipher 1B */
486 	{
487 	1,
488 	SSL3_TXT_ADH_DES_192_CBC_SHA,
489 	SSL3_CK_ADH_DES_192_CBC_SHA,
490 	SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
491 	SSL_NOT_EXP|SSL_HIGH,
492 	0,
493 	168,
494 	168,
495 	SSL_ALL_CIPHERS,
496 	SSL_ALL_STRENGTHS,
497 	},
498 
499 /* Fortezza */
500 /* Cipher 1C */
501 	{
502 	0,
503 	SSL3_TXT_FZA_DMS_NULL_SHA,
504 	SSL3_CK_FZA_DMS_NULL_SHA,
505 	SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
506 	SSL_NOT_EXP|SSL_STRONG_NONE,
507 	0,
508 	0,
509 	0,
510 	SSL_ALL_CIPHERS,
511 	SSL_ALL_STRENGTHS,
512 	},
513 
514 /* Cipher 1D */
515 	{
516 	0,
517 	SSL3_TXT_FZA_DMS_FZA_SHA,
518 	SSL3_CK_FZA_DMS_FZA_SHA,
519 	SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
520 	SSL_NOT_EXP|SSL_STRONG_NONE,
521 	0,
522 	0,
523 	0,
524 	SSL_ALL_CIPHERS,
525 	SSL_ALL_STRENGTHS,
526 	},
527 
528 #if 0
529 /* Cipher 1E */
530 	{
531 	0,
532 	SSL3_TXT_FZA_DMS_RC4_SHA,
533 	SSL3_CK_FZA_DMS_RC4_SHA,
534 	SSL_kFZA|SSL_aFZA |SSL_RC4  |SSL_SHA1|SSL_SSLV3,
535 	SSL_NOT_EXP|SSL_MEDIUM,
536 	0,
537 	128,
538 	128,
539 	SSL_ALL_CIPHERS,
540 	SSL_ALL_STRENGTHS,
541 	},
542 #endif
543 
544 #ifndef OPENSSL_NO_KRB5
545 /* The Kerberos ciphers
546 ** 20000107 VRS: And the first shall be last,
547 ** in hopes of avoiding the lynx ssl renegotiation problem.
548 */
549 /* Cipher 1E VRS */
550 	{
551 	1,
552 	SSL3_TXT_KRB5_DES_64_CBC_SHA,
553 	SSL3_CK_KRB5_DES_64_CBC_SHA,
554 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
555 	SSL_NOT_EXP|SSL_LOW,
556 	0,
557 	56,
558 	56,
559 	SSL_ALL_CIPHERS,
560 	SSL_ALL_STRENGTHS,
561 	},
562 
563 /* Cipher 1F VRS */
564 	{
565 	1,
566 	SSL3_TXT_KRB5_DES_192_CBC3_SHA,
567 	SSL3_CK_KRB5_DES_192_CBC3_SHA,
568 	SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
569 	SSL_NOT_EXP|SSL_HIGH,
570 	0,
571 	168,
572 	168,
573 	SSL_ALL_CIPHERS,
574 	SSL_ALL_STRENGTHS,
575 	},
576 
577 /* Cipher 20 VRS */
578 	{
579 	1,
580 	SSL3_TXT_KRB5_RC4_128_SHA,
581 	SSL3_CK_KRB5_RC4_128_SHA,
582 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1  |SSL_SSLV3,
583 	SSL_NOT_EXP|SSL_MEDIUM,
584 	0,
585 	128,
586 	128,
587 	SSL_ALL_CIPHERS,
588 	SSL_ALL_STRENGTHS,
589 	},
590 
591 /* Cipher 21 VRS */
592 	{
593 	1,
594 	SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
595 	SSL3_CK_KRB5_IDEA_128_CBC_SHA,
596 	SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_SHA1  |SSL_SSLV3,
597 	SSL_NOT_EXP|SSL_MEDIUM,
598 	0,
599 	128,
600 	128,
601 	SSL_ALL_CIPHERS,
602 	SSL_ALL_STRENGTHS,
603 	},
604 
605 /* Cipher 22 VRS */
606 	{
607 	1,
608 	SSL3_TXT_KRB5_DES_64_CBC_MD5,
609 	SSL3_CK_KRB5_DES_64_CBC_MD5,
610 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
611 	SSL_NOT_EXP|SSL_LOW,
612 	0,
613 	56,
614 	56,
615 	SSL_ALL_CIPHERS,
616 	SSL_ALL_STRENGTHS,
617 	},
618 
619 /* Cipher 23 VRS */
620 	{
621 	1,
622 	SSL3_TXT_KRB5_DES_192_CBC3_MD5,
623 	SSL3_CK_KRB5_DES_192_CBC3_MD5,
624 	SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
625 	SSL_NOT_EXP|SSL_HIGH,
626 	0,
627 	168,
628 	168,
629 	SSL_ALL_CIPHERS,
630 	SSL_ALL_STRENGTHS,
631 	},
632 
633 /* Cipher 24 VRS */
634 	{
635 	1,
636 	SSL3_TXT_KRB5_RC4_128_MD5,
637 	SSL3_CK_KRB5_RC4_128_MD5,
638 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5  |SSL_SSLV3,
639 	SSL_NOT_EXP|SSL_MEDIUM,
640 	0,
641 	128,
642 	128,
643 	SSL_ALL_CIPHERS,
644 	SSL_ALL_STRENGTHS,
645 	},
646 
647 /* Cipher 25 VRS */
648 	{
649 	1,
650 	SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
651 	SSL3_CK_KRB5_IDEA_128_CBC_MD5,
652 	SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_MD5  |SSL_SSLV3,
653 	SSL_NOT_EXP|SSL_MEDIUM,
654 	0,
655 	128,
656 	128,
657 	SSL_ALL_CIPHERS,
658 	SSL_ALL_STRENGTHS,
659 	},
660 
661 /* Cipher 26 VRS */
662 	{
663 	1,
664 	SSL3_TXT_KRB5_DES_40_CBC_SHA,
665 	SSL3_CK_KRB5_DES_40_CBC_SHA,
666 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
667 	SSL_EXPORT|SSL_EXP40,
668 	0,
669 	40,
670 	56,
671 	SSL_ALL_CIPHERS,
672 	SSL_ALL_STRENGTHS,
673 	},
674 
675 /* Cipher 27 VRS */
676 	{
677 	1,
678 	SSL3_TXT_KRB5_RC2_40_CBC_SHA,
679 	SSL3_CK_KRB5_RC2_40_CBC_SHA,
680 	SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_SHA1   |SSL_SSLV3,
681 	SSL_EXPORT|SSL_EXP40,
682 	0,
683 	40,
684 	128,
685 	SSL_ALL_CIPHERS,
686 	SSL_ALL_STRENGTHS,
687 	},
688 
689 /* Cipher 28 VRS */
690 	{
691 	1,
692 	SSL3_TXT_KRB5_RC4_40_SHA,
693 	SSL3_CK_KRB5_RC4_40_SHA,
694 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1   |SSL_SSLV3,
695 	SSL_EXPORT|SSL_EXP40,
696 	0,
697 	40,
698 	128,
699 	SSL_ALL_CIPHERS,
700 	SSL_ALL_STRENGTHS,
701 	},
702 
703 /* Cipher 29 VRS */
704 	{
705 	1,
706 	SSL3_TXT_KRB5_DES_40_CBC_MD5,
707 	SSL3_CK_KRB5_DES_40_CBC_MD5,
708 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
709 	SSL_EXPORT|SSL_EXP40,
710 	0,
711 	40,
712 	56,
713 	SSL_ALL_CIPHERS,
714 	SSL_ALL_STRENGTHS,
715 	},
716 
717 /* Cipher 2A VRS */
718 	{
719 	1,
720 	SSL3_TXT_KRB5_RC2_40_CBC_MD5,
721 	SSL3_CK_KRB5_RC2_40_CBC_MD5,
722 	SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_MD5    |SSL_SSLV3,
723 	SSL_EXPORT|SSL_EXP40,
724 	0,
725 	40,
726 	128,
727 	SSL_ALL_CIPHERS,
728 	SSL_ALL_STRENGTHS,
729 	},
730 
731 /* Cipher 2B VRS */
732 	{
733 	1,
734 	SSL3_TXT_KRB5_RC4_40_MD5,
735 	SSL3_CK_KRB5_RC4_40_MD5,
736 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5    |SSL_SSLV3,
737 	SSL_EXPORT|SSL_EXP40,
738 	0,
739 	40,
740 	128,
741 	SSL_ALL_CIPHERS,
742 	SSL_ALL_STRENGTHS,
743 	},
744 #endif	/* OPENSSL_NO_KRB5 */
745 /* New AES ciphersuites */
746 
747 /* Cipher 2F */
748 	{
749 	1,
750 	TLS1_TXT_RSA_WITH_AES_128_SHA,
751 	TLS1_CK_RSA_WITH_AES_128_SHA,
752 	SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
753 	SSL_NOT_EXP|SSL_HIGH,
754 	0,
755 	128,
756 	128,
757 	SSL_ALL_CIPHERS,
758 	SSL_ALL_STRENGTHS,
759 	},
760 /* Cipher 30 */
761 	{
762 	0,
763 	TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
764 	TLS1_CK_DH_DSS_WITH_AES_128_SHA,
765 	SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
766 	SSL_NOT_EXP|SSL_HIGH,
767 	0,
768 	128,
769 	128,
770 	SSL_ALL_CIPHERS,
771 	SSL_ALL_STRENGTHS,
772 	},
773 /* Cipher 31 */
774 	{
775 	0,
776 	TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
777 	TLS1_CK_DH_RSA_WITH_AES_128_SHA,
778 	SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
779 	SSL_NOT_EXP|SSL_HIGH,
780 	0,
781 	128,
782 	128,
783 	SSL_ALL_CIPHERS,
784 	SSL_ALL_STRENGTHS,
785 	},
786 /* Cipher 32 */
787 	{
788 	1,
789 	TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
790 	TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
791 	SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
792 	SSL_NOT_EXP|SSL_HIGH,
793 	0,
794 	128,
795 	128,
796 	SSL_ALL_CIPHERS,
797 	SSL_ALL_STRENGTHS,
798 	},
799 /* Cipher 33 */
800 	{
801 	1,
802 	TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
803 	TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
804 	SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
805 	SSL_NOT_EXP|SSL_HIGH,
806 	0,
807 	128,
808 	128,
809 	SSL_ALL_CIPHERS,
810 	SSL_ALL_STRENGTHS,
811 	},
812 /* Cipher 34 */
813 	{
814 	1,
815 	TLS1_TXT_ADH_WITH_AES_128_SHA,
816 	TLS1_CK_ADH_WITH_AES_128_SHA,
817 	SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
818 	SSL_NOT_EXP|SSL_HIGH,
819 	0,
820 	128,
821 	128,
822 	SSL_ALL_CIPHERS,
823 	SSL_ALL_STRENGTHS,
824 	},
825 
826 /* Cipher 35 */
827 	{
828 	1,
829 	TLS1_TXT_RSA_WITH_AES_256_SHA,
830 	TLS1_CK_RSA_WITH_AES_256_SHA,
831 	SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
832 	SSL_NOT_EXP|SSL_HIGH,
833 	0,
834 	256,
835 	256,
836 	SSL_ALL_CIPHERS,
837 	SSL_ALL_STRENGTHS,
838 	},
839 /* Cipher 36 */
840 	{
841 	0,
842 	TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
843 	TLS1_CK_DH_DSS_WITH_AES_256_SHA,
844 	SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
845 	SSL_NOT_EXP|SSL_HIGH,
846 	0,
847 	256,
848 	256,
849 	SSL_ALL_CIPHERS,
850 	SSL_ALL_STRENGTHS,
851 	},
852 /* Cipher 37 */
853 	{
854 	0,
855 	TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
856 	TLS1_CK_DH_RSA_WITH_AES_256_SHA,
857 	SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
858 	SSL_NOT_EXP|SSL_HIGH,
859 	0,
860 	256,
861 	256,
862 	SSL_ALL_CIPHERS,
863 	SSL_ALL_STRENGTHS,
864 	},
865 /* Cipher 38 */
866 	{
867 	1,
868 	TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
869 	TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
870 	SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
871 	SSL_NOT_EXP|SSL_HIGH,
872 	0,
873 	256,
874 	256,
875 	SSL_ALL_CIPHERS,
876 	SSL_ALL_STRENGTHS,
877 	},
878 /* Cipher 39 */
879 	{
880 	1,
881 	TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
882 	TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
883 	SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
884 	SSL_NOT_EXP|SSL_HIGH,
885 	0,
886 	256,
887 	256,
888 	SSL_ALL_CIPHERS,
889 	SSL_ALL_STRENGTHS,
890 	},
891 	/* Cipher 3A */
892 	{
893 	1,
894 	TLS1_TXT_ADH_WITH_AES_256_SHA,
895 	TLS1_CK_ADH_WITH_AES_256_SHA,
896 	SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
897 	SSL_NOT_EXP|SSL_HIGH,
898 	0,
899 	256,
900 	256,
901 	SSL_ALL_CIPHERS,
902 	SSL_ALL_STRENGTHS,
903 	},
904 
905 #ifndef OPENSSL_NO_CAMELLIA
906 	/* Camellia ciphersuites from RFC4132 (128-bit portion) */
907 
908 	/* Cipher 41 */
909 	{
910 	1,
911 	TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
912 	TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
913 	SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
914 	SSL_NOT_EXP|SSL_HIGH,
915 	0,
916 	128,
917 	128,
918 	SSL_ALL_CIPHERS,
919 	SSL_ALL_STRENGTHS
920 	},
921 	/* Cipher 42 */
922 	{
923 	0, /* not implemented (non-ephemeral DH) */
924 	TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
925 	TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
926 	SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
927 	SSL_NOT_EXP|SSL_HIGH,
928 	0,
929 	128,
930 	128,
931 	SSL_ALL_CIPHERS,
932 	SSL_ALL_STRENGTHS
933 	},
934 	/* Cipher 43 */
935 	{
936 	0, /* not implemented (non-ephemeral DH) */
937 	TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
938 	TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
939 	SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
940 	SSL_NOT_EXP|SSL_HIGH,
941 	0,
942 	128,
943 	128,
944 	SSL_ALL_CIPHERS,
945 	SSL_ALL_STRENGTHS
946 	},
947 	/* Cipher 44 */
948 	{
949 	1,
950 	TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
951 	TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
952 	SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
953 	SSL_NOT_EXP|SSL_HIGH,
954 	0,
955 	128,
956 	128,
957 	SSL_ALL_CIPHERS,
958 	SSL_ALL_STRENGTHS
959 	},
960 	/* Cipher 45 */
961 	{
962 	1,
963 	TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
964 	TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
965 	SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
966 	SSL_NOT_EXP|SSL_HIGH,
967 	0,
968 	128,
969 	128,
970 	SSL_ALL_CIPHERS,
971 	SSL_ALL_STRENGTHS
972 	},
973 	/* Cipher 46 */
974 	{
975 	1,
976 	TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
977 	TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
978 	SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
979 	SSL_NOT_EXP|SSL_HIGH,
980 	0,
981 	128,
982 	128,
983 	SSL_ALL_CIPHERS,
984 	SSL_ALL_STRENGTHS
985 	},
986 #endif /* OPENSSL_NO_CAMELLIA */
987 
988 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
989 	/* New TLS Export CipherSuites from expired ID */
990 #if 0
991 	/* Cipher 60 */
992 	    {
993 	    1,
994 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
995 	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
996 	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
997 	    SSL_EXPORT|SSL_EXP56,
998 	    0,
999 	    56,
1000 	    128,
1001 	    SSL_ALL_CIPHERS,
1002 	    SSL_ALL_STRENGTHS,
1003 	    },
1004 	/* Cipher 61 */
1005 	    {
1006 	    1,
1007 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
1008 	    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
1009 	    SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
1010 	    SSL_EXPORT|SSL_EXP56,
1011 	    0,
1012 	    56,
1013 	    128,
1014 	    SSL_ALL_CIPHERS,
1015 	    SSL_ALL_STRENGTHS,
1016 	    },
1017 #endif
1018 	/* Cipher 62 */
1019 	    {
1020 	    1,
1021 	    TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
1022 	    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
1023 	    SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
1024 	    SSL_EXPORT|SSL_EXP56,
1025 	    0,
1026 	    56,
1027 	    56,
1028 	    SSL_ALL_CIPHERS,
1029 	    SSL_ALL_STRENGTHS,
1030 	    },
1031 	/* Cipher 63 */
1032 	    {
1033 	    1,
1034 	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
1035 	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
1036 	    SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
1037 	    SSL_EXPORT|SSL_EXP56,
1038 	    0,
1039 	    56,
1040 	    56,
1041 	    SSL_ALL_CIPHERS,
1042 	    SSL_ALL_STRENGTHS,
1043 	    },
1044 	/* Cipher 64 */
1045 	    {
1046 	    1,
1047 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
1048 	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
1049 	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
1050 	    SSL_EXPORT|SSL_EXP56,
1051 	    0,
1052 	    56,
1053 	    128,
1054 	    SSL_ALL_CIPHERS,
1055 	    SSL_ALL_STRENGTHS,
1056 	    },
1057 	/* Cipher 65 */
1058 	    {
1059 	    1,
1060 	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
1061 	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
1062 	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
1063 	    SSL_EXPORT|SSL_EXP56,
1064 	    0,
1065 	    56,
1066 	    128,
1067 	    SSL_ALL_CIPHERS,
1068 	    SSL_ALL_STRENGTHS,
1069 	    },
1070 	/* Cipher 66 */
1071 	    {
1072 	    1,
1073 	    TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
1074 	    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
1075 	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
1076 	    SSL_NOT_EXP|SSL_MEDIUM,
1077 	    0,
1078 	    128,
1079 	    128,
1080 	    SSL_ALL_CIPHERS,
1081 	    SSL_ALL_STRENGTHS
1082 	    },
1083 #endif
1084 
1085 #ifndef OPENSSL_NO_CAMELLIA
1086 	/* Camellia ciphersuites from RFC4132 (256-bit portion) */
1087 
1088 	/* Cipher 84 */
1089 	{
1090 	1,
1091 	TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
1092 	TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
1093 	SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
1094 	SSL_NOT_EXP|SSL_HIGH,
1095 	0,
1096 	256,
1097 	256,
1098 	SSL_ALL_CIPHERS,
1099 	SSL_ALL_STRENGTHS
1100 	},
1101 	/* Cipher 85 */
1102 	{
1103 	0, /* not implemented (non-ephemeral DH) */
1104 	TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
1105 	TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
1106 	SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
1107 	SSL_NOT_EXP|SSL_HIGH,
1108 	0,
1109 	256,
1110 	256,
1111 	SSL_ALL_CIPHERS,
1112 	SSL_ALL_STRENGTHS
1113 	},
1114 	/* Cipher 86 */
1115 	{
1116 	0, /* not implemented (non-ephemeral DH) */
1117 	TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
1118 	TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
1119 	SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
1120 	SSL_NOT_EXP|SSL_HIGH,
1121 	0,
1122 	256,
1123 	256,
1124 	SSL_ALL_CIPHERS,
1125 	SSL_ALL_STRENGTHS
1126 	},
1127 	/* Cipher 87 */
1128 	{
1129 	1,
1130 	TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
1131 	TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
1132 	SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
1133 	SSL_NOT_EXP|SSL_HIGH,
1134 	0,
1135 	256,
1136 	256,
1137 	SSL_ALL_CIPHERS,
1138 	SSL_ALL_STRENGTHS
1139 	},
1140 	/* Cipher 88 */
1141 	{
1142 	1,
1143 	TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
1144 	TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
1145 	SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
1146 	SSL_NOT_EXP|SSL_HIGH,
1147 	0,
1148 	256,
1149 	256,
1150 	SSL_ALL_CIPHERS,
1151 	SSL_ALL_STRENGTHS
1152 	},
1153 	/* Cipher 89 */
1154 	{
1155 	1,
1156 	TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
1157 	TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
1158 	SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
1159 	SSL_NOT_EXP|SSL_HIGH,
1160 	0,
1161 	256,
1162 	256,
1163 	SSL_ALL_CIPHERS,
1164 	SSL_ALL_STRENGTHS
1165 	},
1166 #endif /* OPENSSL_NO_CAMELLIA */
1167 
1168 #ifndef OPENSSL_NO_ECDH
1169 	/* Cipher C001 */
1170 	    {
1171             1,
1172             TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
1173             TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
1174             SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
1175             SSL_NOT_EXP,
1176             0,
1177             0,
1178             0,
1179             SSL_ALL_CIPHERS,
1180             SSL_ALL_STRENGTHS,
1181             },
1182 
1183 	/* Cipher C002 */
1184 	    {
1185             1,
1186             TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
1187             TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
1188             SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
1189             SSL_NOT_EXP,
1190             0,
1191             128,
1192             128,
1193             SSL_ALL_CIPHERS,
1194             SSL_ALL_STRENGTHS,
1195             },
1196 
1197 	/* Cipher C003 */
1198 	    {
1199             1,
1200             TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
1201             TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
1202             SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
1203             SSL_NOT_EXP|SSL_HIGH,
1204             0,
1205             168,
1206             168,
1207             SSL_ALL_CIPHERS,
1208             SSL_ALL_STRENGTHS,
1209             },
1210 
1211 	/* Cipher C004 */
1212 	    {
1213             1,
1214             TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
1215             TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
1216             SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1217             SSL_NOT_EXP|SSL_HIGH,
1218             0,
1219             128,
1220             128,
1221             SSL_ALL_CIPHERS,
1222             SSL_ALL_STRENGTHS,
1223             },
1224 
1225 	/* Cipher C005 */
1226 	    {
1227             1,
1228             TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
1229             TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
1230             SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1231             SSL_NOT_EXP|SSL_HIGH,
1232             0,
1233             256,
1234             256,
1235             SSL_ALL_CIPHERS,
1236             SSL_ALL_STRENGTHS,
1237             },
1238 
1239 	/* Cipher C006 */
1240 	    {
1241             1,
1242             TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
1243             TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
1244             SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
1245             SSL_NOT_EXP,
1246             0,
1247             0,
1248             0,
1249             SSL_ALL_CIPHERS,
1250             SSL_ALL_STRENGTHS,
1251             },
1252 
1253 	/* Cipher C007 */
1254 	    {
1255             1,
1256             TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
1257             TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
1258             SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
1259             SSL_NOT_EXP,
1260             0,
1261             128,
1262             128,
1263             SSL_ALL_CIPHERS,
1264             SSL_ALL_STRENGTHS,
1265             },
1266 
1267 	/* Cipher C008 */
1268 	    {
1269             1,
1270             TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
1271             TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
1272             SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
1273             SSL_NOT_EXP|SSL_HIGH,
1274             0,
1275             168,
1276             168,
1277             SSL_ALL_CIPHERS,
1278             SSL_ALL_STRENGTHS,
1279             },
1280 
1281 	/* Cipher C009 */
1282 	    {
1283             1,
1284             TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
1285             TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
1286             SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1287             SSL_NOT_EXP|SSL_HIGH,
1288             0,
1289             128,
1290             128,
1291             SSL_ALL_CIPHERS,
1292             SSL_ALL_STRENGTHS,
1293             },
1294 
1295 	/* Cipher C00A */
1296 	    {
1297             1,
1298             TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1299             TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1300             SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1301             SSL_NOT_EXP|SSL_HIGH,
1302             0,
1303             256,
1304             256,
1305             SSL_ALL_CIPHERS,
1306             SSL_ALL_STRENGTHS,
1307             },
1308 
1309 	/* Cipher C00B */
1310 	    {
1311             1,
1312             TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
1313             TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
1314             SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
1315             SSL_NOT_EXP,
1316             0,
1317             0,
1318             0,
1319             SSL_ALL_CIPHERS,
1320             SSL_ALL_STRENGTHS,
1321             },
1322 
1323 	/* Cipher C00C */
1324 	    {
1325             1,
1326             TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
1327             TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
1328             SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
1329             SSL_NOT_EXP,
1330             0,
1331             128,
1332             128,
1333             SSL_ALL_CIPHERS,
1334             SSL_ALL_STRENGTHS,
1335             },
1336 
1337 	/* Cipher C00D */
1338 	    {
1339             1,
1340             TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
1341             TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
1342             SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
1343             SSL_NOT_EXP|SSL_HIGH,
1344             0,
1345             168,
1346             168,
1347             SSL_ALL_CIPHERS,
1348             SSL_ALL_STRENGTHS,
1349             },
1350 
1351 	/* Cipher C00E */
1352 	    {
1353             1,
1354             TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
1355             TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
1356             SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1357             SSL_NOT_EXP|SSL_HIGH,
1358             0,
1359             128,
1360             128,
1361             SSL_ALL_CIPHERS,
1362             SSL_ALL_STRENGTHS,
1363             },
1364 
1365 	/* Cipher C00F */
1366 	    {
1367             1,
1368             TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
1369             TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
1370             SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1371             SSL_NOT_EXP|SSL_HIGH,
1372             0,
1373             256,
1374             256,
1375             SSL_ALL_CIPHERS,
1376             SSL_ALL_STRENGTHS,
1377             },
1378 
1379 	/* Cipher C010 */
1380 	    {
1381             1,
1382             TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
1383             TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1384             SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
1385             SSL_NOT_EXP,
1386             0,
1387             0,
1388             0,
1389             SSL_ALL_CIPHERS,
1390             SSL_ALL_STRENGTHS,
1391             },
1392 
1393 	/* Cipher C011 */
1394 	    {
1395             1,
1396             TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
1397             TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
1398             SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
1399             SSL_NOT_EXP,
1400             0,
1401             128,
1402             128,
1403             SSL_ALL_CIPHERS,
1404             SSL_ALL_STRENGTHS,
1405             },
1406 
1407 	/* Cipher C012 */
1408 	    {
1409             1,
1410             TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1411             TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1412             SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
1413             SSL_NOT_EXP|SSL_HIGH,
1414             0,
1415             168,
1416             168,
1417             SSL_ALL_CIPHERS,
1418             SSL_ALL_STRENGTHS,
1419             },
1420 
1421 	/* Cipher C013 */
1422 	    {
1423             1,
1424             TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1425             TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1426             SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1427             SSL_NOT_EXP|SSL_HIGH,
1428             0,
1429             128,
1430             128,
1431             SSL_ALL_CIPHERS,
1432             SSL_ALL_STRENGTHS,
1433             },
1434 
1435 	/* Cipher C014 */
1436 	    {
1437             1,
1438             TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1439             TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1440             SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1441             SSL_NOT_EXP|SSL_HIGH,
1442             0,
1443             256,
1444             256,
1445             SSL_ALL_CIPHERS,
1446             SSL_ALL_STRENGTHS,
1447             },
1448 
1449 	/* Cipher C015 */
1450             {
1451             1,
1452             TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1453             TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1454             SSL_kECDHE|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1,
1455             SSL_NOT_EXP,
1456             0,
1457             0,
1458             0,
1459             SSL_ALL_CIPHERS,
1460             SSL_ALL_STRENGTHS,
1461 	    },
1462 
1463 	/* Cipher C016 */
1464             {
1465             1,
1466             TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1467             TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1468             SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
1469             SSL_NOT_EXP,
1470             0,
1471             128,
1472             128,
1473             SSL_ALL_CIPHERS,
1474             SSL_ALL_STRENGTHS,
1475 	    },
1476 
1477 	/* Cipher C017 */
1478 	    {
1479             1,
1480             TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1481             TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1482             SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1,
1483             SSL_NOT_EXP|SSL_HIGH,
1484             0,
1485             168,
1486             168,
1487             SSL_ALL_CIPHERS,
1488             SSL_ALL_STRENGTHS,
1489             },
1490 
1491 	/* Cipher C018 */
1492 	    {
1493             1,
1494             TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1495             TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1496             SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
1497             SSL_NOT_EXP|SSL_HIGH,
1498             0,
1499             128,
1500             128,
1501             SSL_ALL_CIPHERS,
1502             SSL_ALL_STRENGTHS,
1503             },
1504 
1505 	/* Cipher C019 */
1506 	    {
1507             1,
1508             TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1509             TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1510             SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
1511             SSL_NOT_EXP|SSL_HIGH,
1512             0,
1513             256,
1514             256,
1515             SSL_ALL_CIPHERS,
1516             SSL_ALL_STRENGTHS,
1517             },
1518 #endif	/* OPENSSL_NO_ECDH */
1519 
1520 
1521 /* end of list */
1522 	};
1523 
1524 SSL3_ENC_METHOD SSLv3_enc_data={
1525 	ssl3_enc,
1526 	ssl3_mac,
1527 	ssl3_setup_key_block,
1528 	ssl3_generate_master_secret,
1529 	ssl3_change_cipher_state,
1530 	ssl3_final_finish_mac,
1531 	MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
1532 	ssl3_cert_verify_mac,
1533 	SSL3_MD_CLIENT_FINISHED_CONST,4,
1534 	SSL3_MD_SERVER_FINISHED_CONST,4,
1535 	ssl3_alert_code,
1536 	};
1537 
1538 long ssl3_default_timeout(void)
1539 	{
1540 	/* 2 hours, the 24 hours mentioned in the SSLv3 spec
1541 	 * is way too long for http, the cache would over fill */
1542 	return(60*60*2);
1543 	}
1544 
1545 IMPLEMENT_ssl3_meth_func(sslv3_base_method,
1546 			ssl_undefined_function,
1547 			ssl_undefined_function,
1548 			ssl_bad_method)
1549 
1550 int ssl3_num_ciphers(void)
1551 	{
1552 	return(SSL3_NUM_CIPHERS);
1553 	}
1554 
1555 SSL_CIPHER *ssl3_get_cipher(unsigned int u)
1556 	{
1557 	if (u < SSL3_NUM_CIPHERS)
1558 		return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u]));
1559 	else
1560 		return(NULL);
1561 	}
1562 
1563 int ssl3_pending(const SSL *s)
1564 	{
1565 	if (s->rstate == SSL_ST_READ_BODY)
1566 		return 0;
1567 
1568 	return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
1569 	}
1570 
1571 int ssl3_new(SSL *s)
1572 	{
1573 	SSL3_STATE *s3;
1574 
1575 	if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err;
1576 	memset(s3,0,sizeof *s3);
1577 	EVP_MD_CTX_init(&s3->finish_dgst1);
1578 	EVP_MD_CTX_init(&s3->finish_dgst2);
1579 	pq_64bit_init(&(s3->rrec.seq_num));
1580 	pq_64bit_init(&(s3->wrec.seq_num));
1581 
1582 	s->s3=s3;
1583 
1584 	s->method->ssl_clear(s);
1585 	return(1);
1586 err:
1587 	return(0);
1588 	}
1589 
1590 void ssl3_free(SSL *s)
1591 	{
1592 	if(s == NULL)
1593 	    return;
1594 
1595 	ssl3_cleanup_key_block(s);
1596 	if (s->s3->rbuf.buf != NULL)
1597 		OPENSSL_free(s->s3->rbuf.buf);
1598 	if (s->s3->wbuf.buf != NULL)
1599 		OPENSSL_free(s->s3->wbuf.buf);
1600 	if (s->s3->rrec.comp != NULL)
1601 		OPENSSL_free(s->s3->rrec.comp);
1602 #ifndef OPENSSL_NO_DH
1603 	if (s->s3->tmp.dh != NULL)
1604 		DH_free(s->s3->tmp.dh);
1605 #endif
1606 #ifndef OPENSSL_NO_ECDH
1607 	if (s->s3->tmp.ecdh != NULL)
1608 		EC_KEY_free(s->s3->tmp.ecdh);
1609 #endif
1610 
1611 	if (s->s3->tmp.ca_names != NULL)
1612 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1613 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
1614 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
1615 	pq_64bit_free(&(s->s3->rrec.seq_num));
1616 	pq_64bit_free(&(s->s3->wrec.seq_num));
1617 
1618 	OPENSSL_cleanse(s->s3,sizeof *s->s3);
1619 	OPENSSL_free(s->s3);
1620 	s->s3=NULL;
1621 	}
1622 
1623 void ssl3_clear(SSL *s)
1624 	{
1625 	unsigned char *rp,*wp;
1626 	size_t rlen, wlen;
1627 
1628 	ssl3_cleanup_key_block(s);
1629 	if (s->s3->tmp.ca_names != NULL)
1630 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1631 
1632 	if (s->s3->rrec.comp != NULL)
1633 		{
1634 		OPENSSL_free(s->s3->rrec.comp);
1635 		s->s3->rrec.comp=NULL;
1636 		}
1637 #ifndef OPENSSL_NO_DH
1638 	if (s->s3->tmp.dh != NULL)
1639 		DH_free(s->s3->tmp.dh);
1640 #endif
1641 #ifndef OPENSSL_NO_ECDH
1642 	if (s->s3->tmp.ecdh != NULL)
1643 		EC_KEY_free(s->s3->tmp.ecdh);
1644 #endif
1645 
1646 	rp = s->s3->rbuf.buf;
1647 	wp = s->s3->wbuf.buf;
1648 	rlen = s->s3->rbuf.len;
1649  	wlen = s->s3->wbuf.len;
1650 
1651 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
1652 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
1653 
1654 	memset(s->s3,0,sizeof *s->s3);
1655 	s->s3->rbuf.buf = rp;
1656 	s->s3->wbuf.buf = wp;
1657 	s->s3->rbuf.len = rlen;
1658  	s->s3->wbuf.len = wlen;
1659 
1660 	ssl_free_wbio_buffer(s);
1661 
1662 	s->packet_length=0;
1663 	s->s3->renegotiate=0;
1664 	s->s3->total_renegotiations=0;
1665 	s->s3->num_renegotiations=0;
1666 	s->s3->in_read_app_data=0;
1667 	s->version=SSL3_VERSION;
1668 	}
1669 
1670 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
1671 	{
1672 	int ret=0;
1673 
1674 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
1675 	if (
1676 #ifndef OPENSSL_NO_RSA
1677 	    cmd == SSL_CTRL_SET_TMP_RSA ||
1678 	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
1679 #endif
1680 #ifndef OPENSSL_NO_DSA
1681 	    cmd == SSL_CTRL_SET_TMP_DH ||
1682 	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
1683 #endif
1684 		0)
1685 		{
1686 		if (!ssl_cert_inst(&s->cert))
1687 		    	{
1688 			SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
1689 			return(0);
1690 			}
1691 		}
1692 #endif
1693 
1694 	switch (cmd)
1695 		{
1696 	case SSL_CTRL_GET_SESSION_REUSED:
1697 		ret=s->hit;
1698 		break;
1699 	case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
1700 		break;
1701 	case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
1702 		ret=s->s3->num_renegotiations;
1703 		break;
1704 	case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
1705 		ret=s->s3->num_renegotiations;
1706 		s->s3->num_renegotiations=0;
1707 		break;
1708 	case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
1709 		ret=s->s3->total_renegotiations;
1710 		break;
1711 	case SSL_CTRL_GET_FLAGS:
1712 		ret=(int)(s->s3->flags);
1713 		break;
1714 #ifndef OPENSSL_NO_RSA
1715 	case SSL_CTRL_NEED_TMP_RSA:
1716 		if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
1717 		    ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
1718 		     (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))))
1719 			ret = 1;
1720 		break;
1721 	case SSL_CTRL_SET_TMP_RSA:
1722 		{
1723 			RSA *rsa = (RSA *)parg;
1724 			if (rsa == NULL)
1725 				{
1726 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
1727 				return(ret);
1728 				}
1729 			if ((rsa = RSAPrivateKey_dup(rsa)) == NULL)
1730 				{
1731 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB);
1732 				return(ret);
1733 				}
1734 			if (s->cert->rsa_tmp != NULL)
1735 				RSA_free(s->cert->rsa_tmp);
1736 			s->cert->rsa_tmp = rsa;
1737 			ret = 1;
1738 		}
1739 		break;
1740 	case SSL_CTRL_SET_TMP_RSA_CB:
1741 		{
1742 		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1743 		return(ret);
1744 		}
1745 		break;
1746 #endif
1747 #ifndef OPENSSL_NO_DH
1748 	case SSL_CTRL_SET_TMP_DH:
1749 		{
1750 			DH *dh = (DH *)parg;
1751 			if (dh == NULL)
1752 				{
1753 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
1754 				return(ret);
1755 				}
1756 			if ((dh = DHparams_dup(dh)) == NULL)
1757 				{
1758 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
1759 				return(ret);
1760 				}
1761 			if (!(s->options & SSL_OP_SINGLE_DH_USE))
1762 				{
1763 				if (!DH_generate_key(dh))
1764 					{
1765 					DH_free(dh);
1766 					SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
1767 					return(ret);
1768 					}
1769 				}
1770 			if (s->cert->dh_tmp != NULL)
1771 				DH_free(s->cert->dh_tmp);
1772 			s->cert->dh_tmp = dh;
1773 			ret = 1;
1774 		}
1775 		break;
1776 	case SSL_CTRL_SET_TMP_DH_CB:
1777 		{
1778 		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1779 		return(ret);
1780 		}
1781 		break;
1782 #endif
1783 #ifndef OPENSSL_NO_ECDH
1784 	case SSL_CTRL_SET_TMP_ECDH:
1785 		{
1786 		EC_KEY *ecdh = NULL;
1787 
1788 		if (parg == NULL)
1789 			{
1790 			SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
1791 			return(ret);
1792 			}
1793 		if (!EC_KEY_up_ref((EC_KEY *)parg))
1794 			{
1795 			SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB);
1796 			return(ret);
1797 			}
1798 		ecdh = (EC_KEY *)parg;
1799 		if (!(s->options & SSL_OP_SINGLE_ECDH_USE))
1800 			{
1801 			if (!EC_KEY_generate_key(ecdh))
1802 				{
1803 				EC_KEY_free(ecdh);
1804 				SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB);
1805 				return(ret);
1806 				}
1807 			}
1808 		if (s->cert->ecdh_tmp != NULL)
1809 			EC_KEY_free(s->cert->ecdh_tmp);
1810 		s->cert->ecdh_tmp = ecdh;
1811 		ret = 1;
1812 		}
1813 		break;
1814 	case SSL_CTRL_SET_TMP_ECDH_CB:
1815 		{
1816 		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1817 		return(ret);
1818 		}
1819 		break;
1820 #endif /* !OPENSSL_NO_ECDH */
1821 	default:
1822 		break;
1823 		}
1824 	return(ret);
1825 	}
1826 
1827 long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1828 	{
1829 	int ret=0;
1830 
1831 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
1832 	if (
1833 #ifndef OPENSSL_NO_RSA
1834 	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
1835 #endif
1836 #ifndef OPENSSL_NO_DSA
1837 	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
1838 #endif
1839 		0)
1840 		{
1841 		if (!ssl_cert_inst(&s->cert))
1842 			{
1843 			SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE);
1844 			return(0);
1845 			}
1846 		}
1847 #endif
1848 
1849 	switch (cmd)
1850 		{
1851 #ifndef OPENSSL_NO_RSA
1852 	case SSL_CTRL_SET_TMP_RSA_CB:
1853 		{
1854 		s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
1855 		}
1856 		break;
1857 #endif
1858 #ifndef OPENSSL_NO_DH
1859 	case SSL_CTRL_SET_TMP_DH_CB:
1860 		{
1861 		s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
1862 		}
1863 		break;
1864 #endif
1865 #ifndef OPENSSL_NO_ECDH
1866 	case SSL_CTRL_SET_TMP_ECDH_CB:
1867 		{
1868 		s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
1869 		}
1870 		break;
1871 #endif
1872 	default:
1873 		break;
1874 		}
1875 	return(ret);
1876 	}
1877 
1878 long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1879 	{
1880 	CERT *cert;
1881 
1882 	cert=ctx->cert;
1883 
1884 	switch (cmd)
1885 		{
1886 #ifndef OPENSSL_NO_RSA
1887 	case SSL_CTRL_NEED_TMP_RSA:
1888 		if (	(cert->rsa_tmp == NULL) &&
1889 			((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
1890 			 (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))
1891 			)
1892 			return(1);
1893 		else
1894 			return(0);
1895 		/* break; */
1896 	case SSL_CTRL_SET_TMP_RSA:
1897 		{
1898 		RSA *rsa;
1899 		int i;
1900 
1901 		rsa=(RSA *)parg;
1902 		i=1;
1903 		if (rsa == NULL)
1904 			i=0;
1905 		else
1906 			{
1907 			if ((rsa=RSAPrivateKey_dup(rsa)) == NULL)
1908 				i=0;
1909 			}
1910 		if (!i)
1911 			{
1912 			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB);
1913 			return(0);
1914 			}
1915 		else
1916 			{
1917 			if (cert->rsa_tmp != NULL)
1918 				RSA_free(cert->rsa_tmp);
1919 			cert->rsa_tmp=rsa;
1920 			return(1);
1921 			}
1922 		}
1923 		/* break; */
1924 	case SSL_CTRL_SET_TMP_RSA_CB:
1925 		{
1926 		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1927 		return(0);
1928 		}
1929 		break;
1930 #endif
1931 #ifndef OPENSSL_NO_DH
1932 	case SSL_CTRL_SET_TMP_DH:
1933 		{
1934 		DH *new=NULL,*dh;
1935 
1936 		dh=(DH *)parg;
1937 		if ((new=DHparams_dup(dh)) == NULL)
1938 			{
1939 			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
1940 			return 0;
1941 			}
1942 		if (!(ctx->options & SSL_OP_SINGLE_DH_USE))
1943 			{
1944 			if (!DH_generate_key(new))
1945 				{
1946 				SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
1947 				DH_free(new);
1948 				return 0;
1949 				}
1950 			}
1951 		if (cert->dh_tmp != NULL)
1952 			DH_free(cert->dh_tmp);
1953 		cert->dh_tmp=new;
1954 		return 1;
1955 		}
1956 		/*break; */
1957 	case SSL_CTRL_SET_TMP_DH_CB:
1958 		{
1959 		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1960 		return(0);
1961 		}
1962 		break;
1963 #endif
1964 #ifndef OPENSSL_NO_ECDH
1965 	case SSL_CTRL_SET_TMP_ECDH:
1966 		{
1967 		EC_KEY *ecdh = NULL;
1968 
1969 		if (parg == NULL)
1970 			{
1971 			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB);
1972 			return 0;
1973 			}
1974 		ecdh = EC_KEY_dup((EC_KEY *)parg);
1975 		if (ecdh == NULL)
1976 			{
1977 			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_EC_LIB);
1978 			return 0;
1979 			}
1980 		if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE))
1981 			{
1982 			if (!EC_KEY_generate_key(ecdh))
1983 				{
1984 				EC_KEY_free(ecdh);
1985 				SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB);
1986 				return 0;
1987 				}
1988 			}
1989 
1990 		if (cert->ecdh_tmp != NULL)
1991 			{
1992 			EC_KEY_free(cert->ecdh_tmp);
1993 			}
1994 		cert->ecdh_tmp = ecdh;
1995 		return 1;
1996 		}
1997 		/* break; */
1998 	case SSL_CTRL_SET_TMP_ECDH_CB:
1999 		{
2000 		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2001 		return(0);
2002 		}
2003 		break;
2004 #endif /* !OPENSSL_NO_ECDH */
2005 	/* A Thawte special :-) */
2006 	case SSL_CTRL_EXTRA_CHAIN_CERT:
2007 		if (ctx->extra_certs == NULL)
2008 			{
2009 			if ((ctx->extra_certs=sk_X509_new_null()) == NULL)
2010 				return(0);
2011 			}
2012 		sk_X509_push(ctx->extra_certs,(X509 *)parg);
2013 		break;
2014 
2015 	default:
2016 		return(0);
2017 		}
2018 	return(1);
2019 	}
2020 
2021 long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2022 	{
2023 	CERT *cert;
2024 
2025 	cert=ctx->cert;
2026 
2027 	switch (cmd)
2028 		{
2029 #ifndef OPENSSL_NO_RSA
2030 	case SSL_CTRL_SET_TMP_RSA_CB:
2031 		{
2032 		cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
2033 		}
2034 		break;
2035 #endif
2036 #ifndef OPENSSL_NO_DH
2037 	case SSL_CTRL_SET_TMP_DH_CB:
2038 		{
2039 		cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
2040 		}
2041 		break;
2042 #endif
2043 #ifndef OPENSSL_NO_ECDH
2044 	case SSL_CTRL_SET_TMP_ECDH_CB:
2045 		{
2046 		cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
2047 		}
2048 		break;
2049 #endif
2050 	default:
2051 		return(0);
2052 		}
2053 	return(1);
2054 	}
2055 
2056 /* This function needs to check if the ciphers required are actually
2057  * available */
2058 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
2059 	{
2060 	SSL_CIPHER c,*cp;
2061 	unsigned long id;
2062 
2063 	id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
2064 	c.id=id;
2065 	cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c,
2066 		(char *)ssl3_ciphers,
2067 		SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER),
2068 		FP_ICC ssl_cipher_id_cmp);
2069 	if (cp == NULL || cp->valid == 0)
2070 		return NULL;
2071 	else
2072 		return cp;
2073 	}
2074 
2075 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
2076 	{
2077 	long l;
2078 
2079 	if (p != NULL)
2080 		{
2081 		l=c->id;
2082 		if ((l & 0xff000000) != 0x03000000) return(0);
2083 		p[0]=((unsigned char)(l>> 8L))&0xFF;
2084 		p[1]=((unsigned char)(l     ))&0xFF;
2085 		}
2086 	return(2);
2087 	}
2088 
2089 SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2090 	     STACK_OF(SSL_CIPHER) *srvr)
2091 	{
2092 	SSL_CIPHER *c,*ret=NULL;
2093 	STACK_OF(SSL_CIPHER) *prio, *allow;
2094 	int i,j,ok;
2095 	CERT *cert;
2096 	unsigned long alg,mask,emask;
2097 
2098 	/* Let's see which ciphers we can support */
2099 	cert=s->cert;
2100 
2101 #if 0
2102 	/* Do not set the compare functions, because this may lead to a
2103 	 * reordering by "id". We want to keep the original ordering.
2104 	 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2105 	 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2106 	 */
2107 	sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
2108 	sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
2109 #endif
2110 
2111 #ifdef CIPHER_DEBUG
2112         printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr);
2113         for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
2114 	    {
2115 	    c=sk_SSL_CIPHER_value(srvr,i);
2116 	    printf("%p:%s\n",c,c->name);
2117 	    }
2118         printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt);
2119         for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
2120 	    {
2121 	    c=sk_SSL_CIPHER_value(clnt,i);
2122 	    printf("%p:%s\n",c,c->name);
2123 	    }
2124 #endif
2125 
2126 	if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
2127 	    {
2128 	    prio = srvr;
2129 	    allow = clnt;
2130 	    }
2131 	else
2132 	    {
2133 	    prio = clnt;
2134 	    allow = srvr;
2135 	    }
2136 
2137 	for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
2138 		{
2139 		c=sk_SSL_CIPHER_value(prio,i);
2140 
2141 		ssl_set_cert_masks(cert,c);
2142 		mask=cert->mask;
2143 		emask=cert->export_mask;
2144 
2145 #ifdef KSSL_DEBUG
2146 		printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);
2147 #endif    /* KSSL_DEBUG */
2148 
2149 		alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
2150 #ifndef OPENSSL_NO_KRB5
2151                 if (alg & SSL_KRB5)
2152                         {
2153                         if ( !kssl_keytab_is_available(s->kssl_ctx) )
2154                             continue;
2155                         }
2156 #endif /* OPENSSL_NO_KRB5 */
2157 		if (SSL_C_IS_EXPORT(c))
2158 			{
2159 			ok=((alg & emask) == alg)?1:0;
2160 #ifdef CIPHER_DEBUG
2161 			printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask,
2162 			       c,c->name);
2163 #endif
2164 			}
2165 		else
2166 			{
2167 			ok=((alg & mask) == alg)?1:0;
2168 #ifdef CIPHER_DEBUG
2169 			printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c,
2170 			       c->name);
2171 #endif
2172 			}
2173 
2174 		if (!ok) continue;
2175 		j=sk_SSL_CIPHER_find(allow,c);
2176 		if (j >= 0)
2177 			{
2178 			ret=sk_SSL_CIPHER_value(allow,j);
2179 			break;
2180 			}
2181 		}
2182 	return(ret);
2183 	}
2184 
2185 int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
2186 	{
2187 	int ret=0;
2188 	unsigned long alg;
2189 
2190 	alg=s->s3->tmp.new_cipher->algorithms;
2191 
2192 #ifndef OPENSSL_NO_DH
2193 	if (alg & (SSL_kDHr|SSL_kEDH))
2194 		{
2195 #  ifndef OPENSSL_NO_RSA
2196 		p[ret++]=SSL3_CT_RSA_FIXED_DH;
2197 #  endif
2198 #  ifndef OPENSSL_NO_DSA
2199 		p[ret++]=SSL3_CT_DSS_FIXED_DH;
2200 #  endif
2201 		}
2202 	if ((s->version == SSL3_VERSION) &&
2203 		(alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
2204 		{
2205 #  ifndef OPENSSL_NO_RSA
2206 		p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
2207 #  endif
2208 #  ifndef OPENSSL_NO_DSA
2209 		p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
2210 #  endif
2211 		}
2212 #endif /* !OPENSSL_NO_DH */
2213 #ifndef OPENSSL_NO_RSA
2214 	p[ret++]=SSL3_CT_RSA_SIGN;
2215 #endif
2216 #ifndef OPENSSL_NO_DSA
2217 	p[ret++]=SSL3_CT_DSS_SIGN;
2218 #endif
2219 #ifndef OPENSSL_NO_ECDH
2220 	/* We should ask for fixed ECDH certificates only
2221 	 * for SSL_kECDH (and not SSL_kECDHE)
2222 	 */
2223 	if ((alg & SSL_kECDH) && (s->version >= TLS1_VERSION))
2224 		{
2225 		p[ret++]=TLS_CT_RSA_FIXED_ECDH;
2226 		p[ret++]=TLS_CT_ECDSA_FIXED_ECDH;
2227 		}
2228 #endif
2229 
2230 #ifndef OPENSSL_NO_ECDSA
2231 	/* ECDSA certs can be used with RSA cipher suites as well
2232 	 * so we don't need to check for SSL_kECDH or SSL_kECDHE
2233 	 */
2234 	if (s->version >= TLS1_VERSION)
2235 		{
2236 		p[ret++]=TLS_CT_ECDSA_SIGN;
2237 		}
2238 #endif
2239 	return(ret);
2240 	}
2241 
2242 int ssl3_shutdown(SSL *s)
2243 	{
2244 
2245 	/* Don't do anything much if we have not done the handshake or
2246 	 * we don't want to send messages :-) */
2247 	if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE))
2248 		{
2249 		s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2250 		return(1);
2251 		}
2252 
2253 	if (!(s->shutdown & SSL_SENT_SHUTDOWN))
2254 		{
2255 		s->shutdown|=SSL_SENT_SHUTDOWN;
2256 #if 1
2257 		ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY);
2258 #endif
2259 		/* our shutdown alert has been sent now, and if it still needs
2260 	 	 * to be written, s->s3->alert_dispatch will be true */
2261 		}
2262 	else if (s->s3->alert_dispatch)
2263 		{
2264 		/* resend it if not sent */
2265 #if 1
2266 		s->method->ssl_dispatch_alert(s);
2267 #endif
2268 		}
2269 	else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
2270 		{
2271 		/* If we are waiting for a close from our peer, we are closed */
2272 		s->method->ssl_read_bytes(s,0,NULL,0,0);
2273 		}
2274 
2275 	if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2276 		!s->s3->alert_dispatch)
2277 		return(1);
2278 	else
2279 		return(0);
2280 	}
2281 
2282 int ssl3_write(SSL *s, const void *buf, int len)
2283 	{
2284 	int ret,n;
2285 
2286 #if 0
2287 	if (s->shutdown & SSL_SEND_SHUTDOWN)
2288 		{
2289 		s->rwstate=SSL_NOTHING;
2290 		return(0);
2291 		}
2292 #endif
2293 	clear_sys_error();
2294 	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
2295 
2296 	/* This is an experimental flag that sends the
2297 	 * last handshake message in the same packet as the first
2298 	 * use data - used to see if it helps the TCP protocol during
2299 	 * session-id reuse */
2300 	/* The second test is because the buffer may have been removed */
2301 	if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
2302 		{
2303 		/* First time through, we write into the buffer */
2304 		if (s->s3->delay_buf_pop_ret == 0)
2305 			{
2306 			ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
2307 					     buf,len);
2308 			if (ret <= 0) return(ret);
2309 
2310 			s->s3->delay_buf_pop_ret=ret;
2311 			}
2312 
2313 		s->rwstate=SSL_WRITING;
2314 		n=BIO_flush(s->wbio);
2315 		if (n <= 0) return(n);
2316 		s->rwstate=SSL_NOTHING;
2317 
2318 		/* We have flushed the buffer, so remove it */
2319 		ssl_free_wbio_buffer(s);
2320 		s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
2321 
2322 		ret=s->s3->delay_buf_pop_ret;
2323 		s->s3->delay_buf_pop_ret=0;
2324 		}
2325 	else
2326 		{
2327 		ret=s->method->ssl_write_bytes(s,SSL3_RT_APPLICATION_DATA,
2328 			buf,len);
2329 		if (ret <= 0) return(ret);
2330 		}
2331 
2332 	return(ret);
2333 	}
2334 
2335 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2336 	{
2337 	int ret;
2338 
2339 	clear_sys_error();
2340 	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
2341 	s->s3->in_read_app_data=1;
2342 	ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
2343 	if ((ret == -1) && (s->s3->in_read_app_data == 2))
2344 		{
2345 		/* ssl3_read_bytes decided to call s->handshake_func, which
2346 		 * called ssl3_read_bytes to read handshake data.
2347 		 * However, ssl3_read_bytes actually found application data
2348 		 * and thinks that application data makes sense here; so disable
2349 		 * handshake processing and try to read application data again. */
2350 		s->in_handshake++;
2351 		ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
2352 		s->in_handshake--;
2353 		}
2354 	else
2355 		s->s3->in_read_app_data=0;
2356 
2357 	return(ret);
2358 	}
2359 
2360 int ssl3_read(SSL *s, void *buf, int len)
2361 	{
2362 	return ssl3_read_internal(s, buf, len, 0);
2363 	}
2364 
2365 int ssl3_peek(SSL *s, void *buf, int len)
2366 	{
2367 	return ssl3_read_internal(s, buf, len, 1);
2368 	}
2369 
2370 int ssl3_renegotiate(SSL *s)
2371 	{
2372 	if (s->handshake_func == NULL)
2373 		return(1);
2374 
2375 	if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2376 		return(0);
2377 
2378 	s->s3->renegotiate=1;
2379 	return(1);
2380 	}
2381 
2382 int ssl3_renegotiate_check(SSL *s)
2383 	{
2384 	int ret=0;
2385 
2386 	if (s->s3->renegotiate)
2387 		{
2388 		if (	(s->s3->rbuf.left == 0) &&
2389 			(s->s3->wbuf.left == 0) &&
2390 			!SSL_in_init(s))
2391 			{
2392 /*
2393 if we are the server, and we have sent a 'RENEGOTIATE' message, we
2394 need to go to SSL_ST_ACCEPT.
2395 */
2396 			/* SSL_ST_ACCEPT */
2397 			s->state=SSL_ST_RENEGOTIATE;
2398 			s->s3->renegotiate=0;
2399 			s->s3->num_renegotiations++;
2400 			s->s3->total_renegotiations++;
2401 			ret=1;
2402 			}
2403 		}
2404 	return(ret);
2405 	}
2406 
2407