xref: /freebsd/crypto/openssl/ssl/s3_lib.c (revision d056fa046c6a91b90cd98165face0e42a33a5173)
1 /* ssl/s3_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include "ssl_locl.h"
115 #include "kssl_lcl.h"
116 #include <openssl/md5.h>
117 
118 const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
119 
120 #define SSL3_NUM_CIPHERS	(sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
121 
122 static long ssl3_default_timeout(void );
123 
124 OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
125 /* The RSA ciphers */
126 /* Cipher 01 */
127 	{
128 	1,
129 	SSL3_TXT_RSA_NULL_MD5,
130 	SSL3_CK_RSA_NULL_MD5,
131 	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
132 	SSL_NOT_EXP|SSL_STRONG_NONE,
133 	0,
134 	0,
135 	0,
136 	SSL_ALL_CIPHERS,
137 	SSL_ALL_STRENGTHS,
138 	},
139 /* Cipher 02 */
140 	{
141 	1,
142 	SSL3_TXT_RSA_NULL_SHA,
143 	SSL3_CK_RSA_NULL_SHA,
144 	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
145 	SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
146 	0,
147 	0,
148 	0,
149 	SSL_ALL_CIPHERS,
150 	SSL_ALL_STRENGTHS,
151 	},
152 
153 /* anon DH */
154 /* Cipher 17 */
155 	{
156 	1,
157 	SSL3_TXT_ADH_RC4_40_MD5,
158 	SSL3_CK_ADH_RC4_40_MD5,
159 	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
160 	SSL_EXPORT|SSL_EXP40,
161 	0,
162 	40,
163 	128,
164 	SSL_ALL_CIPHERS,
165 	SSL_ALL_STRENGTHS,
166 	},
167 /* Cipher 18 */
168 	{
169 	1,
170 	SSL3_TXT_ADH_RC4_128_MD5,
171 	SSL3_CK_ADH_RC4_128_MD5,
172 	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
173 	SSL_NOT_EXP|SSL_MEDIUM,
174 	0,
175 	128,
176 	128,
177 	SSL_ALL_CIPHERS,
178 	SSL_ALL_STRENGTHS,
179 	},
180 /* Cipher 19 */
181 	{
182 	1,
183 	SSL3_TXT_ADH_DES_40_CBC_SHA,
184 	SSL3_CK_ADH_DES_40_CBC_SHA,
185 	SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
186 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
187 	0,
188 	40,
189 	128,
190 	SSL_ALL_CIPHERS,
191 	SSL_ALL_STRENGTHS,
192 	},
193 /* Cipher 1A */
194 	{
195 	1,
196 	SSL3_TXT_ADH_DES_64_CBC_SHA,
197 	SSL3_CK_ADH_DES_64_CBC_SHA,
198 	SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
199 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
200 	0,
201 	56,
202 	56,
203 	SSL_ALL_CIPHERS,
204 	SSL_ALL_STRENGTHS,
205 	},
206 /* Cipher 1B */
207 	{
208 	1,
209 	SSL3_TXT_ADH_DES_192_CBC_SHA,
210 	SSL3_CK_ADH_DES_192_CBC_SHA,
211 	SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
212 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
213 	0,
214 	168,
215 	168,
216 	SSL_ALL_CIPHERS,
217 	SSL_ALL_STRENGTHS,
218 	},
219 
220 /* RSA again */
221 /* Cipher 03 */
222 	{
223 	1,
224 	SSL3_TXT_RSA_RC4_40_MD5,
225 	SSL3_CK_RSA_RC4_40_MD5,
226 	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
227 	SSL_EXPORT|SSL_EXP40,
228 	0,
229 	40,
230 	128,
231 	SSL_ALL_CIPHERS,
232 	SSL_ALL_STRENGTHS,
233 	},
234 /* Cipher 04 */
235 	{
236 	1,
237 	SSL3_TXT_RSA_RC4_128_MD5,
238 	SSL3_CK_RSA_RC4_128_MD5,
239 	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5|SSL_SSLV3,
240 	SSL_NOT_EXP|SSL_MEDIUM,
241 	0,
242 	128,
243 	128,
244 	SSL_ALL_CIPHERS,
245 	SSL_ALL_STRENGTHS,
246 	},
247 /* Cipher 05 */
248 	{
249 	1,
250 	SSL3_TXT_RSA_RC4_128_SHA,
251 	SSL3_CK_RSA_RC4_128_SHA,
252 	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_SSLV3,
253 	SSL_NOT_EXP|SSL_MEDIUM,
254 	0,
255 	128,
256 	128,
257 	SSL_ALL_CIPHERS,
258 	SSL_ALL_STRENGTHS,
259 	},
260 /* Cipher 06 */
261 	{
262 	1,
263 	SSL3_TXT_RSA_RC2_40_MD5,
264 	SSL3_CK_RSA_RC2_40_MD5,
265 	SSL_kRSA|SSL_aRSA|SSL_RC2  |SSL_MD5 |SSL_SSLV3,
266 	SSL_EXPORT|SSL_EXP40,
267 	0,
268 	40,
269 	128,
270 	SSL_ALL_CIPHERS,
271 	SSL_ALL_STRENGTHS,
272 	},
273 /* Cipher 07 */
274 #ifndef OPENSSL_NO_IDEA
275 	{
276 	1,
277 	SSL3_TXT_RSA_IDEA_128_SHA,
278 	SSL3_CK_RSA_IDEA_128_SHA,
279 	SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3,
280 	SSL_NOT_EXP|SSL_MEDIUM,
281 	0,
282 	128,
283 	128,
284 	SSL_ALL_CIPHERS,
285 	SSL_ALL_STRENGTHS,
286 	},
287 #endif
288 /* Cipher 08 */
289 	{
290 	1,
291 	SSL3_TXT_RSA_DES_40_CBC_SHA,
292 	SSL3_CK_RSA_DES_40_CBC_SHA,
293 	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
294 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
295 	0,
296 	40,
297 	56,
298 	SSL_ALL_CIPHERS,
299 	SSL_ALL_STRENGTHS,
300 	},
301 /* Cipher 09 */
302 	{
303 	1,
304 	SSL3_TXT_RSA_DES_64_CBC_SHA,
305 	SSL3_CK_RSA_DES_64_CBC_SHA,
306 	SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
307 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
308 	0,
309 	56,
310 	56,
311 	SSL_ALL_CIPHERS,
312 	SSL_ALL_STRENGTHS,
313 	},
314 /* Cipher 0A */
315 	{
316 	1,
317 	SSL3_TXT_RSA_DES_192_CBC3_SHA,
318 	SSL3_CK_RSA_DES_192_CBC3_SHA,
319 	SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
320 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
321 	0,
322 	168,
323 	168,
324 	SSL_ALL_CIPHERS,
325 	SSL_ALL_STRENGTHS,
326 	},
327 
328 /*  The DH ciphers */
329 /* Cipher 0B */
330 	{
331 	0,
332 	SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
333 	SSL3_CK_DH_DSS_DES_40_CBC_SHA,
334 	SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
335 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
336 	0,
337 	40,
338 	56,
339 	SSL_ALL_CIPHERS,
340 	SSL_ALL_STRENGTHS,
341 	},
342 /* Cipher 0C */
343 	{
344 	0,
345 	SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
346 	SSL3_CK_DH_DSS_DES_64_CBC_SHA,
347 	SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
348 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
349 	0,
350 	56,
351 	56,
352 	SSL_ALL_CIPHERS,
353 	SSL_ALL_STRENGTHS,
354 	},
355 /* Cipher 0D */
356 	{
357 	0,
358 	SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
359 	SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
360 	SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
361 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
362 	0,
363 	168,
364 	168,
365 	SSL_ALL_CIPHERS,
366 	SSL_ALL_STRENGTHS,
367 	},
368 /* Cipher 0E */
369 	{
370 	0,
371 	SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
372 	SSL3_CK_DH_RSA_DES_40_CBC_SHA,
373 	SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
374 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
375 	0,
376 	40,
377 	56,
378 	SSL_ALL_CIPHERS,
379 	SSL_ALL_STRENGTHS,
380 	},
381 /* Cipher 0F */
382 	{
383 	0,
384 	SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
385 	SSL3_CK_DH_RSA_DES_64_CBC_SHA,
386 	SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
387 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
388 	0,
389 	56,
390 	56,
391 	SSL_ALL_CIPHERS,
392 	SSL_ALL_STRENGTHS,
393 	},
394 /* Cipher 10 */
395 	{
396 	0,
397 	SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
398 	SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
399 	SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
400 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
401 	0,
402 	168,
403 	168,
404 	SSL_ALL_CIPHERS,
405 	SSL_ALL_STRENGTHS,
406 	},
407 
408 /* The Ephemeral DH ciphers */
409 /* Cipher 11 */
410 	{
411 	1,
412 	SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
413 	SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
414 	SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
415 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
416 	0,
417 	40,
418 	56,
419 	SSL_ALL_CIPHERS,
420 	SSL_ALL_STRENGTHS,
421 	},
422 /* Cipher 12 */
423 	{
424 	1,
425 	SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
426 	SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
427 	SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_SSLV3,
428 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
429 	0,
430 	56,
431 	56,
432 	SSL_ALL_CIPHERS,
433 	SSL_ALL_STRENGTHS,
434 	},
435 /* Cipher 13 */
436 	{
437 	1,
438 	SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
439 	SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
440 	SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
441 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
442 	0,
443 	168,
444 	168,
445 	SSL_ALL_CIPHERS,
446 	SSL_ALL_STRENGTHS,
447 	},
448 /* Cipher 14 */
449 	{
450 	1,
451 	SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
452 	SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
453 	SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
454 	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
455 	0,
456 	40,
457 	56,
458 	SSL_ALL_CIPHERS,
459 	SSL_ALL_STRENGTHS,
460 	},
461 /* Cipher 15 */
462 	{
463 	1,
464 	SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
465 	SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
466 	SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
467 	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
468 	0,
469 	56,
470 	56,
471 	SSL_ALL_CIPHERS,
472 	SSL_ALL_STRENGTHS,
473 	},
474 /* Cipher 16 */
475 	{
476 	1,
477 	SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
478 	SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
479 	SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
480 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
481 	0,
482 	168,
483 	168,
484 	SSL_ALL_CIPHERS,
485 	SSL_ALL_STRENGTHS,
486 	},
487 
488 /* Fortezza */
489 /* Cipher 1C */
490 	{
491 	0,
492 	SSL3_TXT_FZA_DMS_NULL_SHA,
493 	SSL3_CK_FZA_DMS_NULL_SHA,
494 	SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
495 	SSL_NOT_EXP|SSL_STRONG_NONE,
496 	0,
497 	0,
498 	0,
499 	SSL_ALL_CIPHERS,
500 	SSL_ALL_STRENGTHS,
501 	},
502 
503 /* Cipher 1D */
504 	{
505 	0,
506 	SSL3_TXT_FZA_DMS_FZA_SHA,
507 	SSL3_CK_FZA_DMS_FZA_SHA,
508 	SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
509 	SSL_NOT_EXP|SSL_STRONG_NONE,
510 	0,
511 	0,
512 	0,
513 	SSL_ALL_CIPHERS,
514 	SSL_ALL_STRENGTHS,
515 	},
516 
517 #if 0
518 /* Cipher 1E */
519 	{
520 	0,
521 	SSL3_TXT_FZA_DMS_RC4_SHA,
522 	SSL3_CK_FZA_DMS_RC4_SHA,
523 	SSL_kFZA|SSL_aFZA |SSL_RC4  |SSL_SHA1|SSL_SSLV3,
524 	SSL_NOT_EXP|SSL_MEDIUM,
525 	0,
526 	128,
527 	128,
528 	SSL_ALL_CIPHERS,
529 	SSL_ALL_STRENGTHS,
530 	},
531 #endif
532 
533 #ifndef OPENSSL_NO_KRB5
534 /* The Kerberos ciphers
535 ** 20000107 VRS: And the first shall be last,
536 ** in hopes of avoiding the lynx ssl renegotiation problem.
537 */
538 /* Cipher 1E VRS */
539 	{
540 	1,
541 	SSL3_TXT_KRB5_DES_64_CBC_SHA,
542 	SSL3_CK_KRB5_DES_64_CBC_SHA,
543 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
544 	SSL_NOT_EXP|SSL_LOW,
545 	0,
546 	56,
547 	56,
548 	SSL_ALL_CIPHERS,
549 	SSL_ALL_STRENGTHS,
550 	},
551 
552 /* Cipher 1F VRS */
553 	{
554 	1,
555 	SSL3_TXT_KRB5_DES_192_CBC3_SHA,
556 	SSL3_CK_KRB5_DES_192_CBC3_SHA,
557 	SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
558 	SSL_NOT_EXP|SSL_HIGH,
559 	0,
560 	112,
561 	168,
562 	SSL_ALL_CIPHERS,
563 	SSL_ALL_STRENGTHS,
564 	},
565 
566 /* Cipher 20 VRS */
567 	{
568 	1,
569 	SSL3_TXT_KRB5_RC4_128_SHA,
570 	SSL3_CK_KRB5_RC4_128_SHA,
571 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1  |SSL_SSLV3,
572 	SSL_NOT_EXP|SSL_MEDIUM,
573 	0,
574 	128,
575 	128,
576 	SSL_ALL_CIPHERS,
577 	SSL_ALL_STRENGTHS,
578 	},
579 
580 /* Cipher 21 VRS */
581 	{
582 	1,
583 	SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
584 	SSL3_CK_KRB5_IDEA_128_CBC_SHA,
585 	SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_SHA1  |SSL_SSLV3,
586 	SSL_NOT_EXP|SSL_MEDIUM,
587 	0,
588 	128,
589 	128,
590 	SSL_ALL_CIPHERS,
591 	SSL_ALL_STRENGTHS,
592 	},
593 
594 /* Cipher 22 VRS */
595 	{
596 	1,
597 	SSL3_TXT_KRB5_DES_64_CBC_MD5,
598 	SSL3_CK_KRB5_DES_64_CBC_MD5,
599 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
600 	SSL_NOT_EXP|SSL_LOW,
601 	0,
602 	56,
603 	56,
604 	SSL_ALL_CIPHERS,
605 	SSL_ALL_STRENGTHS,
606 	},
607 
608 /* Cipher 23 VRS */
609 	{
610 	1,
611 	SSL3_TXT_KRB5_DES_192_CBC3_MD5,
612 	SSL3_CK_KRB5_DES_192_CBC3_MD5,
613 	SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
614 	SSL_NOT_EXP|SSL_HIGH,
615 	0,
616 	112,
617 	168,
618 	SSL_ALL_CIPHERS,
619 	SSL_ALL_STRENGTHS,
620 	},
621 
622 /* Cipher 24 VRS */
623 	{
624 	1,
625 	SSL3_TXT_KRB5_RC4_128_MD5,
626 	SSL3_CK_KRB5_RC4_128_MD5,
627 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5  |SSL_SSLV3,
628 	SSL_NOT_EXP|SSL_MEDIUM,
629 	0,
630 	128,
631 	128,
632 	SSL_ALL_CIPHERS,
633 	SSL_ALL_STRENGTHS,
634 	},
635 
636 /* Cipher 25 VRS */
637 	{
638 	1,
639 	SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
640 	SSL3_CK_KRB5_IDEA_128_CBC_MD5,
641 	SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_MD5  |SSL_SSLV3,
642 	SSL_NOT_EXP|SSL_MEDIUM,
643 	0,
644 	128,
645 	128,
646 	SSL_ALL_CIPHERS,
647 	SSL_ALL_STRENGTHS,
648 	},
649 
650 /* Cipher 26 VRS */
651 	{
652 	1,
653 	SSL3_TXT_KRB5_DES_40_CBC_SHA,
654 	SSL3_CK_KRB5_DES_40_CBC_SHA,
655 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
656 	SSL_EXPORT|SSL_EXP40,
657 	0,
658 	40,
659 	56,
660 	SSL_ALL_CIPHERS,
661 	SSL_ALL_STRENGTHS,
662 	},
663 
664 /* Cipher 27 VRS */
665 	{
666 	1,
667 	SSL3_TXT_KRB5_RC2_40_CBC_SHA,
668 	SSL3_CK_KRB5_RC2_40_CBC_SHA,
669 	SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_SHA1   |SSL_SSLV3,
670 	SSL_EXPORT|SSL_EXP40,
671 	0,
672 	40,
673 	128,
674 	SSL_ALL_CIPHERS,
675 	SSL_ALL_STRENGTHS,
676 	},
677 
678 /* Cipher 28 VRS */
679 	{
680 	1,
681 	SSL3_TXT_KRB5_RC4_40_SHA,
682 	SSL3_CK_KRB5_RC4_40_SHA,
683 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1   |SSL_SSLV3,
684 	SSL_EXPORT|SSL_EXP40,
685 	0,
686 	128,
687 	128,
688 	SSL_ALL_CIPHERS,
689 	SSL_ALL_STRENGTHS,
690 	},
691 
692 /* Cipher 29 VRS */
693 	{
694 	1,
695 	SSL3_TXT_KRB5_DES_40_CBC_MD5,
696 	SSL3_CK_KRB5_DES_40_CBC_MD5,
697 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
698 	SSL_EXPORT|SSL_EXP40,
699 	0,
700 	40,
701 	56,
702 	SSL_ALL_CIPHERS,
703 	SSL_ALL_STRENGTHS,
704 	},
705 
706 /* Cipher 2A VRS */
707 	{
708 	1,
709 	SSL3_TXT_KRB5_RC2_40_CBC_MD5,
710 	SSL3_CK_KRB5_RC2_40_CBC_MD5,
711 	SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_MD5    |SSL_SSLV3,
712 	SSL_EXPORT|SSL_EXP40,
713 	0,
714 	40,
715 	128,
716 	SSL_ALL_CIPHERS,
717 	SSL_ALL_STRENGTHS,
718 	},
719 
720 /* Cipher 2B VRS */
721 	{
722 	1,
723 	SSL3_TXT_KRB5_RC4_40_MD5,
724 	SSL3_CK_KRB5_RC4_40_MD5,
725 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5    |SSL_SSLV3,
726 	SSL_EXPORT|SSL_EXP40,
727 	0,
728 	128,
729 	128,
730 	SSL_ALL_CIPHERS,
731 	SSL_ALL_STRENGTHS,
732 	},
733 #endif	/* OPENSSL_NO_KRB5 */
734 
735 
736 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
737 	/* New TLS Export CipherSuites */
738 	/* Cipher 60 */
739 	    {
740 	    1,
741 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
742 	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
743 	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
744 	    SSL_EXPORT|SSL_EXP56,
745 	    0,
746 	    56,
747 	    128,
748 	    SSL_ALL_CIPHERS,
749 	    SSL_ALL_STRENGTHS,
750 	    },
751 	/* Cipher 61 */
752 	    {
753 	    1,
754 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
755 	    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
756 	    SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
757 	    SSL_EXPORT|SSL_EXP56,
758 	    0,
759 	    56,
760 	    128,
761 	    SSL_ALL_CIPHERS,
762 	    SSL_ALL_STRENGTHS,
763 	    },
764 	/* Cipher 62 */
765 	    {
766 	    1,
767 	    TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
768 	    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
769 	    SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
770 	    SSL_EXPORT|SSL_EXP56|SSL_FIPS,
771 	    0,
772 	    56,
773 	    56,
774 	    SSL_ALL_CIPHERS,
775 	    SSL_ALL_STRENGTHS,
776 	    },
777 	/* Cipher 63 */
778 	    {
779 	    1,
780 	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
781 	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
782 	    SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
783 	    SSL_EXPORT|SSL_EXP56|SSL_FIPS,
784 	    0,
785 	    56,
786 	    56,
787 	    SSL_ALL_CIPHERS,
788 	    SSL_ALL_STRENGTHS,
789 	    },
790 	/* Cipher 64 */
791 	    {
792 	    1,
793 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
794 	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
795 	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
796 	    SSL_EXPORT|SSL_EXP56,
797 	    0,
798 	    56,
799 	    128,
800 	    SSL_ALL_CIPHERS,
801 	    SSL_ALL_STRENGTHS,
802 	    },
803 	/* Cipher 65 */
804 	    {
805 	    1,
806 	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
807 	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
808 	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
809 	    SSL_EXPORT|SSL_EXP56,
810 	    0,
811 	    56,
812 	    128,
813 	    SSL_ALL_CIPHERS,
814 	    SSL_ALL_STRENGTHS,
815 	    },
816 	/* Cipher 66 */
817 	    {
818 	    1,
819 	    TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
820 	    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
821 	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
822 	    SSL_NOT_EXP|SSL_MEDIUM,
823 	    0,
824 	    128,
825 	    128,
826 	    SSL_ALL_CIPHERS,
827 	    SSL_ALL_STRENGTHS
828 	    },
829 #endif
830 	/* New AES ciphersuites */
831 
832 	/* Cipher 2F */
833 	    {
834 	    1,
835 	    TLS1_TXT_RSA_WITH_AES_128_SHA,
836 	    TLS1_CK_RSA_WITH_AES_128_SHA,
837 	    SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
838 	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
839 	    0,
840 	    128,
841 	    128,
842 	    SSL_ALL_CIPHERS,
843 	    SSL_ALL_STRENGTHS,
844 	    },
845 	/* Cipher 30 */
846 	    {
847 	    0,
848 	    TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
849 	    TLS1_CK_DH_DSS_WITH_AES_128_SHA,
850 	    SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
851 	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
852 	    0,
853 	    128,
854 	    128,
855 	    SSL_ALL_CIPHERS,
856 	    SSL_ALL_STRENGTHS,
857 	    },
858 	/* Cipher 31 */
859 	    {
860 	    0,
861 	    TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
862 	    TLS1_CK_DH_RSA_WITH_AES_128_SHA,
863 	    SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
864 	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
865 	    0,
866 	    128,
867 	    128,
868 	    SSL_ALL_CIPHERS,
869 	    SSL_ALL_STRENGTHS,
870 	    },
871 	/* Cipher 32 */
872 	    {
873 	    1,
874 	    TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
875 	    TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
876 	    SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
877 	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
878 	    0,
879 	    128,
880 	    128,
881 	    SSL_ALL_CIPHERS,
882 	    SSL_ALL_STRENGTHS,
883 	    },
884 	/* Cipher 33 */
885 	    {
886 	    1,
887 	    TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
888 	    TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
889 	    SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
890 	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
891 	    0,
892 	    128,
893 	    128,
894 	    SSL_ALL_CIPHERS,
895 	    SSL_ALL_STRENGTHS,
896 	    },
897 	/* Cipher 34 */
898 	    {
899 	    1,
900 	    TLS1_TXT_ADH_WITH_AES_128_SHA,
901 	    TLS1_CK_ADH_WITH_AES_128_SHA,
902 	    SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
903 	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
904 	    0,
905 	    128,
906 	    128,
907 	    SSL_ALL_CIPHERS,
908 	    SSL_ALL_STRENGTHS,
909 	    },
910 
911 	/* Cipher 35 */
912 	    {
913 	    1,
914 	    TLS1_TXT_RSA_WITH_AES_256_SHA,
915 	    TLS1_CK_RSA_WITH_AES_256_SHA,
916 	    SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
917 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
918 	    0,
919 	    256,
920 	    256,
921 	    SSL_ALL_CIPHERS,
922 	    SSL_ALL_STRENGTHS,
923 	    },
924 	/* Cipher 36 */
925 	    {
926 	    0,
927 	    TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
928 	    TLS1_CK_DH_DSS_WITH_AES_256_SHA,
929 	    SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
930 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
931 	    0,
932 	    256,
933 	    256,
934 	    SSL_ALL_CIPHERS,
935 	    SSL_ALL_STRENGTHS,
936 	    },
937 	/* Cipher 37 */
938 	    {
939 	    0,
940 	    TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
941 	    TLS1_CK_DH_RSA_WITH_AES_256_SHA,
942 	    SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
943 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
944 	    0,
945 	    256,
946 	    256,
947 	    SSL_ALL_CIPHERS,
948 	    SSL_ALL_STRENGTHS,
949 	    },
950 	/* Cipher 38 */
951 	    {
952 	    1,
953 	    TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
954 	    TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
955 	    SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
956 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
957 	    0,
958 	    256,
959 	    256,
960 	    SSL_ALL_CIPHERS,
961 	    SSL_ALL_STRENGTHS,
962 	    },
963 	/* Cipher 39 */
964 	    {
965 	    1,
966 	    TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
967 	    TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
968 	    SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
969 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
970 	    0,
971 	    256,
972 	    256,
973 	    SSL_ALL_CIPHERS,
974 	    SSL_ALL_STRENGTHS,
975 	    },
976 	/* Cipher 3A */
977 	    {
978 	    1,
979 	    TLS1_TXT_ADH_WITH_AES_256_SHA,
980 	    TLS1_CK_ADH_WITH_AES_256_SHA,
981 	    SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
982 	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
983 	    0,
984 	    256,
985 	    256,
986 	    SSL_ALL_CIPHERS,
987 	    SSL_ALL_STRENGTHS,
988 	    },
989 
990 /* end of list */
991 	};
992 
993 static SSL3_ENC_METHOD SSLv3_enc_data={
994 	ssl3_enc,
995 	ssl3_mac,
996 	ssl3_setup_key_block,
997 	ssl3_generate_master_secret,
998 	ssl3_change_cipher_state,
999 	ssl3_final_finish_mac,
1000 	MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
1001 	ssl3_cert_verify_mac,
1002 	SSL3_MD_CLIENT_FINISHED_CONST,4,
1003 	SSL3_MD_SERVER_FINISHED_CONST,4,
1004 	ssl3_alert_code,
1005 	};
1006 
1007 static SSL_METHOD SSLv3_data= {
1008 	SSL3_VERSION,
1009 	ssl3_new,
1010 	ssl3_clear,
1011 	ssl3_free,
1012 	ssl_undefined_function,
1013 	ssl_undefined_function,
1014 	ssl3_read,
1015 	ssl3_peek,
1016 	ssl3_write,
1017 	ssl3_shutdown,
1018 	ssl3_renegotiate,
1019 	ssl3_renegotiate_check,
1020 	ssl3_ctrl,
1021 	ssl3_ctx_ctrl,
1022 	ssl3_get_cipher_by_char,
1023 	ssl3_put_cipher_by_char,
1024 	ssl3_pending,
1025 	ssl3_num_ciphers,
1026 	ssl3_get_cipher,
1027 	ssl_bad_method,
1028 	ssl3_default_timeout,
1029 	&SSLv3_enc_data,
1030 	ssl_undefined_function,
1031 	ssl3_callback_ctrl,
1032 	ssl3_ctx_callback_ctrl,
1033 	};
1034 
1035 static long ssl3_default_timeout(void)
1036 	{
1037 	/* 2 hours, the 24 hours mentioned in the SSLv3 spec
1038 	 * is way too long for http, the cache would over fill */
1039 	return(60*60*2);
1040 	}
1041 
1042 SSL_METHOD *sslv3_base_method(void)
1043 	{
1044 	return(&SSLv3_data);
1045 	}
1046 
1047 int ssl3_num_ciphers(void)
1048 	{
1049 	return(SSL3_NUM_CIPHERS);
1050 	}
1051 
1052 SSL_CIPHER *ssl3_get_cipher(unsigned int u)
1053 	{
1054 	if (u < SSL3_NUM_CIPHERS)
1055 		return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u]));
1056 	else
1057 		return(NULL);
1058 	}
1059 
1060 int ssl3_pending(SSL *s)
1061 	{
1062 	if (s->rstate == SSL_ST_READ_BODY)
1063 		return 0;
1064 
1065 	return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
1066 	}
1067 
1068 int ssl3_new(SSL *s)
1069 	{
1070 	SSL3_STATE *s3;
1071 
1072 	if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err;
1073 	memset(s3,0,sizeof *s3);
1074 	EVP_MD_CTX_init(&s3->finish_dgst1);
1075 	EVP_MD_CTX_init(&s3->finish_dgst2);
1076 
1077 	s->s3=s3;
1078 
1079 	s->method->ssl_clear(s);
1080 	return(1);
1081 err:
1082 	return(0);
1083 	}
1084 
1085 void ssl3_free(SSL *s)
1086 	{
1087 	if(s == NULL)
1088 	    return;
1089 
1090 	ssl3_cleanup_key_block(s);
1091 	if (s->s3->rbuf.buf != NULL)
1092 		OPENSSL_free(s->s3->rbuf.buf);
1093 	if (s->s3->wbuf.buf != NULL)
1094 		OPENSSL_free(s->s3->wbuf.buf);
1095 	if (s->s3->rrec.comp != NULL)
1096 		OPENSSL_free(s->s3->rrec.comp);
1097 #ifndef OPENSSL_NO_DH
1098 	if (s->s3->tmp.dh != NULL)
1099 		DH_free(s->s3->tmp.dh);
1100 #endif
1101 	if (s->s3->tmp.ca_names != NULL)
1102 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1103 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
1104 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
1105 	OPENSSL_cleanse(s->s3,sizeof *s->s3);
1106 	OPENSSL_free(s->s3);
1107 	s->s3=NULL;
1108 	}
1109 
1110 void ssl3_clear(SSL *s)
1111 	{
1112 	unsigned char *rp,*wp;
1113 	size_t rlen, wlen;
1114 
1115 	ssl3_cleanup_key_block(s);
1116 	if (s->s3->tmp.ca_names != NULL)
1117 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1118 
1119 	if (s->s3->rrec.comp != NULL)
1120 		{
1121 		OPENSSL_free(s->s3->rrec.comp);
1122 		s->s3->rrec.comp=NULL;
1123 		}
1124 #ifndef OPENSSL_NO_DH
1125 	if (s->s3->tmp.dh != NULL)
1126 		DH_free(s->s3->tmp.dh);
1127 #endif
1128 
1129 	rp = s->s3->rbuf.buf;
1130 	wp = s->s3->wbuf.buf;
1131 	rlen = s->s3->rbuf.len;
1132  	wlen = s->s3->wbuf.len;
1133 
1134 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
1135 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
1136 
1137 	memset(s->s3,0,sizeof *s->s3);
1138 	s->s3->rbuf.buf = rp;
1139 	s->s3->wbuf.buf = wp;
1140 	s->s3->rbuf.len = rlen;
1141  	s->s3->wbuf.len = wlen;
1142 
1143 	ssl_free_wbio_buffer(s);
1144 
1145 	s->packet_length=0;
1146 	s->s3->renegotiate=0;
1147 	s->s3->total_renegotiations=0;
1148 	s->s3->num_renegotiations=0;
1149 	s->s3->in_read_app_data=0;
1150 	s->version=SSL3_VERSION;
1151 	}
1152 
1153 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
1154 	{
1155 	int ret=0;
1156 
1157 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
1158 	if (
1159 #ifndef OPENSSL_NO_RSA
1160 	    cmd == SSL_CTRL_SET_TMP_RSA ||
1161 	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
1162 #endif
1163 #ifndef OPENSSL_NO_DSA
1164 	    cmd == SSL_CTRL_SET_TMP_DH ||
1165 	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
1166 #endif
1167 		0)
1168 		{
1169 		if (!ssl_cert_inst(&s->cert))
1170 		    	{
1171 			SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
1172 			return(0);
1173 			}
1174 		}
1175 #endif
1176 
1177 	switch (cmd)
1178 		{
1179 	case SSL_CTRL_GET_SESSION_REUSED:
1180 		ret=s->hit;
1181 		break;
1182 	case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
1183 		break;
1184 	case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
1185 		ret=s->s3->num_renegotiations;
1186 		break;
1187 	case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
1188 		ret=s->s3->num_renegotiations;
1189 		s->s3->num_renegotiations=0;
1190 		break;
1191 	case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
1192 		ret=s->s3->total_renegotiations;
1193 		break;
1194 	case SSL_CTRL_GET_FLAGS:
1195 		ret=(int)(s->s3->flags);
1196 		break;
1197 #ifndef OPENSSL_NO_RSA
1198 	case SSL_CTRL_NEED_TMP_RSA:
1199 		if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
1200 		    ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
1201 		     (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))))
1202 			ret = 1;
1203 		break;
1204 	case SSL_CTRL_SET_TMP_RSA:
1205 		{
1206 			RSA *rsa = (RSA *)parg;
1207 			if (rsa == NULL)
1208 				{
1209 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
1210 				return(ret);
1211 				}
1212 			if ((rsa = RSAPrivateKey_dup(rsa)) == NULL)
1213 				{
1214 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB);
1215 				return(ret);
1216 				}
1217 			if (s->cert->rsa_tmp != NULL)
1218 				RSA_free(s->cert->rsa_tmp);
1219 			s->cert->rsa_tmp = rsa;
1220 			ret = 1;
1221 		}
1222 		break;
1223 	case SSL_CTRL_SET_TMP_RSA_CB:
1224 		{
1225 		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1226 		return(ret);
1227 		}
1228 		break;
1229 #endif
1230 #ifndef OPENSSL_NO_DH
1231 	case SSL_CTRL_SET_TMP_DH:
1232 		{
1233 			DH *dh = (DH *)parg;
1234 			if (dh == NULL)
1235 				{
1236 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
1237 				return(ret);
1238 				}
1239 			if ((dh = DHparams_dup(dh)) == NULL)
1240 				{
1241 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
1242 				return(ret);
1243 				}
1244 			if (!(s->options & SSL_OP_SINGLE_DH_USE))
1245 				{
1246 				if (!DH_generate_key(dh))
1247 					{
1248 					DH_free(dh);
1249 					SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
1250 					return(ret);
1251 					}
1252 				}
1253 			if (s->cert->dh_tmp != NULL)
1254 				DH_free(s->cert->dh_tmp);
1255 			s->cert->dh_tmp = dh;
1256 			ret = 1;
1257 		}
1258 		break;
1259 	case SSL_CTRL_SET_TMP_DH_CB:
1260 		{
1261 		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1262 		return(ret);
1263 		}
1264 		break;
1265 #endif
1266 	default:
1267 		break;
1268 		}
1269 	return(ret);
1270 	}
1271 
1272 long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
1273 	{
1274 	int ret=0;
1275 
1276 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
1277 	if (
1278 #ifndef OPENSSL_NO_RSA
1279 	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
1280 #endif
1281 #ifndef OPENSSL_NO_DSA
1282 	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
1283 #endif
1284 		0)
1285 		{
1286 		if (!ssl_cert_inst(&s->cert))
1287 			{
1288 			SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE);
1289 			return(0);
1290 			}
1291 		}
1292 #endif
1293 
1294 	switch (cmd)
1295 		{
1296 #ifndef OPENSSL_NO_RSA
1297 	case SSL_CTRL_SET_TMP_RSA_CB:
1298 		{
1299 		s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
1300 		}
1301 		break;
1302 #endif
1303 #ifndef OPENSSL_NO_DH
1304 	case SSL_CTRL_SET_TMP_DH_CB:
1305 		{
1306 		s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
1307 		}
1308 		break;
1309 #endif
1310 	default:
1311 		break;
1312 		}
1313 	return(ret);
1314 	}
1315 
1316 long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1317 	{
1318 	CERT *cert;
1319 
1320 	cert=ctx->cert;
1321 
1322 	switch (cmd)
1323 		{
1324 #ifndef OPENSSL_NO_RSA
1325 	case SSL_CTRL_NEED_TMP_RSA:
1326 		if (	(cert->rsa_tmp == NULL) &&
1327 			((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
1328 			 (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))
1329 			)
1330 			return(1);
1331 		else
1332 			return(0);
1333 		/* break; */
1334 	case SSL_CTRL_SET_TMP_RSA:
1335 		{
1336 		RSA *rsa;
1337 		int i;
1338 
1339 		rsa=(RSA *)parg;
1340 		i=1;
1341 		if (rsa == NULL)
1342 			i=0;
1343 		else
1344 			{
1345 			if ((rsa=RSAPrivateKey_dup(rsa)) == NULL)
1346 				i=0;
1347 			}
1348 		if (!i)
1349 			{
1350 			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB);
1351 			return(0);
1352 			}
1353 		else
1354 			{
1355 			if (cert->rsa_tmp != NULL)
1356 				RSA_free(cert->rsa_tmp);
1357 			cert->rsa_tmp=rsa;
1358 			return(1);
1359 			}
1360 		}
1361 		/* break; */
1362 	case SSL_CTRL_SET_TMP_RSA_CB:
1363 		{
1364 		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1365 		return(0);
1366 		}
1367 		break;
1368 #endif
1369 #ifndef OPENSSL_NO_DH
1370 	case SSL_CTRL_SET_TMP_DH:
1371 		{
1372 		DH *new=NULL,*dh;
1373 
1374 		dh=(DH *)parg;
1375 		if ((new=DHparams_dup(dh)) == NULL)
1376 			{
1377 			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
1378 			return 0;
1379 			}
1380 		if (!(ctx->options & SSL_OP_SINGLE_DH_USE))
1381 			{
1382 			if (!DH_generate_key(new))
1383 				{
1384 				SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
1385 				DH_free(new);
1386 				return 0;
1387 				}
1388 			}
1389 		if (cert->dh_tmp != NULL)
1390 			DH_free(cert->dh_tmp);
1391 		cert->dh_tmp=new;
1392 		return 1;
1393 		}
1394 		/*break; */
1395 	case SSL_CTRL_SET_TMP_DH_CB:
1396 		{
1397 		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1398 		return(0);
1399 		}
1400 		break;
1401 #endif
1402 	/* A Thawte special :-) */
1403 	case SSL_CTRL_EXTRA_CHAIN_CERT:
1404 		if (ctx->extra_certs == NULL)
1405 			{
1406 			if ((ctx->extra_certs=sk_X509_new_null()) == NULL)
1407 				return(0);
1408 			}
1409 		sk_X509_push(ctx->extra_certs,(X509 *)parg);
1410 		break;
1411 
1412 	default:
1413 		return(0);
1414 		}
1415 	return(1);
1416 	}
1417 
1418 long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
1419 	{
1420 	CERT *cert;
1421 
1422 	cert=ctx->cert;
1423 
1424 	switch (cmd)
1425 		{
1426 #ifndef OPENSSL_NO_RSA
1427 	case SSL_CTRL_SET_TMP_RSA_CB:
1428 		{
1429 		cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
1430 		}
1431 		break;
1432 #endif
1433 #ifndef OPENSSL_NO_DH
1434 	case SSL_CTRL_SET_TMP_DH_CB:
1435 		{
1436 		cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
1437 		}
1438 		break;
1439 #endif
1440 	default:
1441 		return(0);
1442 		}
1443 	return(1);
1444 	}
1445 
1446 /* This function needs to check if the ciphers required are actually
1447  * available */
1448 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
1449 	{
1450 	static int init=1;
1451 	static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS];
1452 	SSL_CIPHER c,*cp= &c,**cpp;
1453 	unsigned long id;
1454 	int i;
1455 
1456 	if (init)
1457 		{
1458 		CRYPTO_w_lock(CRYPTO_LOCK_SSL);
1459 
1460 		if (init)
1461 			{
1462 			for (i=0; i<SSL3_NUM_CIPHERS; i++)
1463 				sorted[i]= &(ssl3_ciphers[i]);
1464 
1465 			qsort(sorted,
1466 				SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
1467 				FP_ICC ssl_cipher_ptr_id_cmp);
1468 
1469 			init=0;
1470 			}
1471 
1472 		CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
1473 		}
1474 
1475 	id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
1476 	c.id=id;
1477 	cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
1478 		(char *)sorted,
1479 		SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
1480 		FP_ICC ssl_cipher_ptr_id_cmp);
1481 	if ((cpp == NULL) || !(*cpp)->valid)
1482 		return(NULL);
1483 	else
1484 		return(*cpp);
1485 	}
1486 
1487 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
1488 	{
1489 	long l;
1490 
1491 	if (p != NULL)
1492 		{
1493 		l=c->id;
1494 		if ((l & 0xff000000) != 0x03000000) return(0);
1495 		p[0]=((unsigned char)(l>> 8L))&0xFF;
1496 		p[1]=((unsigned char)(l     ))&0xFF;
1497 		}
1498 	return(2);
1499 	}
1500 
1501 SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
1502 	     STACK_OF(SSL_CIPHER) *srvr)
1503 	{
1504 	SSL_CIPHER *c,*ret=NULL;
1505 	STACK_OF(SSL_CIPHER) *prio, *allow;
1506 	int i,j,ok;
1507 	CERT *cert;
1508 	unsigned long alg,mask,emask;
1509 
1510 	/* Let's see which ciphers we can support */
1511 	cert=s->cert;
1512 
1513 #if 0
1514 	/* Do not set the compare functions, because this may lead to a
1515 	 * reordering by "id". We want to keep the original ordering.
1516 	 * We may pay a price in performance during sk_SSL_CIPHER_find(),
1517 	 * but would have to pay with the price of sk_SSL_CIPHER_dup().
1518 	 */
1519 	sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
1520 	sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
1521 #endif
1522 
1523 #ifdef CIPHER_DEBUG
1524         printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr);
1525         for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
1526 	    {
1527 	    c=sk_SSL_CIPHER_value(srvr,i);
1528 	    printf("%p:%s\n",c,c->name);
1529 	    }
1530         printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt);
1531         for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
1532 	    {
1533 	    c=sk_SSL_CIPHER_value(clnt,i);
1534 	    printf("%p:%s\n",c,c->name);
1535 	    }
1536 #endif
1537 
1538 	if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
1539 	    {
1540 	    prio = srvr;
1541 	    allow = clnt;
1542 	    }
1543 	else
1544 	    {
1545 	    prio = clnt;
1546 	    allow = srvr;
1547 	    }
1548 
1549 	for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
1550 		{
1551 		c=sk_SSL_CIPHER_value(prio,i);
1552 
1553 		ssl_set_cert_masks(cert,c);
1554 		mask=cert->mask;
1555 		emask=cert->export_mask;
1556 
1557 #ifdef KSSL_DEBUG
1558 		printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);
1559 #endif    /* KSSL_DEBUG */
1560 
1561 		alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
1562 #ifndef OPENSSL_NO_KRB5
1563                 if (alg & SSL_KRB5)
1564                         {
1565                         if ( !kssl_keytab_is_available(s->kssl_ctx) )
1566                             continue;
1567                         }
1568 #endif /* OPENSSL_NO_KRB5 */
1569 		if (SSL_C_IS_EXPORT(c))
1570 			{
1571 			ok=((alg & emask) == alg)?1:0;
1572 #ifdef CIPHER_DEBUG
1573 			printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask,
1574 			       c,c->name);
1575 #endif
1576 			}
1577 		else
1578 			{
1579 			ok=((alg & mask) == alg)?1:0;
1580 #ifdef CIPHER_DEBUG
1581 			printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c,
1582 			       c->name);
1583 #endif
1584 			}
1585 
1586 		if (!ok) continue;
1587 
1588 		j=sk_SSL_CIPHER_find(allow,c);
1589 		if (j >= 0)
1590 			{
1591 			ret=sk_SSL_CIPHER_value(allow,j);
1592 			break;
1593 			}
1594 		}
1595 	return(ret);
1596 	}
1597 
1598 int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
1599 	{
1600 	int ret=0;
1601 	unsigned long alg;
1602 
1603 	alg=s->s3->tmp.new_cipher->algorithms;
1604 
1605 #ifndef OPENSSL_NO_DH
1606 	if (alg & (SSL_kDHr|SSL_kEDH))
1607 		{
1608 #  ifndef OPENSSL_NO_RSA
1609 		p[ret++]=SSL3_CT_RSA_FIXED_DH;
1610 #  endif
1611 #  ifndef OPENSSL_NO_DSA
1612 		p[ret++]=SSL3_CT_DSS_FIXED_DH;
1613 #  endif
1614 		}
1615 	if ((s->version == SSL3_VERSION) &&
1616 		(alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
1617 		{
1618 #  ifndef OPENSSL_NO_RSA
1619 		p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
1620 #  endif
1621 #  ifndef OPENSSL_NO_DSA
1622 		p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
1623 #  endif
1624 		}
1625 #endif /* !OPENSSL_NO_DH */
1626 #ifndef OPENSSL_NO_RSA
1627 	p[ret++]=SSL3_CT_RSA_SIGN;
1628 #endif
1629 #ifndef OPENSSL_NO_DSA
1630 	p[ret++]=SSL3_CT_DSS_SIGN;
1631 #endif
1632 	return(ret);
1633 	}
1634 
1635 int ssl3_shutdown(SSL *s)
1636 	{
1637 
1638 	/* Don't do anything much if we have not done the handshake or
1639 	 * we don't want to send messages :-) */
1640 	if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE))
1641 		{
1642 		s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
1643 		return(1);
1644 		}
1645 
1646 	if (!(s->shutdown & SSL_SENT_SHUTDOWN))
1647 		{
1648 		s->shutdown|=SSL_SENT_SHUTDOWN;
1649 #if 1
1650 		ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY);
1651 #endif
1652 		/* our shutdown alert has been sent now, and if it still needs
1653 	 	 * to be written, s->s3->alert_dispatch will be true */
1654 		}
1655 	else if (s->s3->alert_dispatch)
1656 		{
1657 		/* resend it if not sent */
1658 #if 1
1659 		ssl3_dispatch_alert(s);
1660 #endif
1661 		}
1662 	else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
1663 		{
1664 		/* If we are waiting for a close from our peer, we are closed */
1665 		ssl3_read_bytes(s,0,NULL,0,0);
1666 		}
1667 
1668 	if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
1669 		!s->s3->alert_dispatch)
1670 		return(1);
1671 	else
1672 		return(0);
1673 	}
1674 
1675 int ssl3_write(SSL *s, const void *buf, int len)
1676 	{
1677 	int ret,n;
1678 
1679 #if 0
1680 	if (s->shutdown & SSL_SEND_SHUTDOWN)
1681 		{
1682 		s->rwstate=SSL_NOTHING;
1683 		return(0);
1684 		}
1685 #endif
1686 	clear_sys_error();
1687 	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
1688 
1689 	/* This is an experimental flag that sends the
1690 	 * last handshake message in the same packet as the first
1691 	 * use data - used to see if it helps the TCP protocol during
1692 	 * session-id reuse */
1693 	/* The second test is because the buffer may have been removed */
1694 	if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
1695 		{
1696 		/* First time through, we write into the buffer */
1697 		if (s->s3->delay_buf_pop_ret == 0)
1698 			{
1699 			ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
1700 					     buf,len);
1701 			if (ret <= 0) return(ret);
1702 
1703 			s->s3->delay_buf_pop_ret=ret;
1704 			}
1705 
1706 		s->rwstate=SSL_WRITING;
1707 		n=BIO_flush(s->wbio);
1708 		if (n <= 0) return(n);
1709 		s->rwstate=SSL_NOTHING;
1710 
1711 		/* We have flushed the buffer, so remove it */
1712 		ssl_free_wbio_buffer(s);
1713 		s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
1714 
1715 		ret=s->s3->delay_buf_pop_ret;
1716 		s->s3->delay_buf_pop_ret=0;
1717 		}
1718 	else
1719 		{
1720 		ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
1721 				     buf,len);
1722 		if (ret <= 0) return(ret);
1723 		}
1724 
1725 	return(ret);
1726 	}
1727 
1728 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
1729 	{
1730 	int ret;
1731 
1732 	clear_sys_error();
1733 	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
1734 	s->s3->in_read_app_data=1;
1735 	ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
1736 	if ((ret == -1) && (s->s3->in_read_app_data == 2))
1737 		{
1738 		/* ssl3_read_bytes decided to call s->handshake_func, which
1739 		 * called ssl3_read_bytes to read handshake data.
1740 		 * However, ssl3_read_bytes actually found application data
1741 		 * and thinks that application data makes sense here; so disable
1742 		 * handshake processing and try to read application data again. */
1743 		s->in_handshake++;
1744 		ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
1745 		s->in_handshake--;
1746 		}
1747 	else
1748 		s->s3->in_read_app_data=0;
1749 
1750 	return(ret);
1751 	}
1752 
1753 int ssl3_read(SSL *s, void *buf, int len)
1754 	{
1755 	return ssl3_read_internal(s, buf, len, 0);
1756 	}
1757 
1758 int ssl3_peek(SSL *s, void *buf, int len)
1759 	{
1760 	return ssl3_read_internal(s, buf, len, 1);
1761 	}
1762 
1763 int ssl3_renegotiate(SSL *s)
1764 	{
1765 	if (s->handshake_func == NULL)
1766 		return(1);
1767 
1768 	if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
1769 		return(0);
1770 
1771 	s->s3->renegotiate=1;
1772 	return(1);
1773 	}
1774 
1775 int ssl3_renegotiate_check(SSL *s)
1776 	{
1777 	int ret=0;
1778 
1779 	if (s->s3->renegotiate)
1780 		{
1781 		if (	(s->s3->rbuf.left == 0) &&
1782 			(s->s3->wbuf.left == 0) &&
1783 			!SSL_in_init(s))
1784 			{
1785 /*
1786 if we are the server, and we have sent a 'RENEGOTIATE' message, we
1787 need to go to SSL_ST_ACCEPT.
1788 */
1789 			/* SSL_ST_ACCEPT */
1790 			s->state=SSL_ST_RENEGOTIATE;
1791 			s->s3->renegotiate=0;
1792 			s->s3->num_renegotiations++;
1793 			s->s3->total_renegotiations++;
1794 			ret=1;
1795 			}
1796 		}
1797 	return(ret);
1798 	}
1799 
1800