X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=14b2f13ae2e9d271f740bbdb10e3a8647894d3b8;hp=47768cc281e8fdc6eb81fde8c5f3dc51d2f60947;hb=063a8905bfd53f3cc12a01789efc23c0ea6af053;hpb=a0aae68cf6f3383f248c0e1991973224f2e4498f

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 47768cc281..14b2f13ae2 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -110,10 +110,10 @@
  */
 
 #include <stdio.h>
-#include <openssl/md5.h>
-#include <openssl/sha.h>
 #include <openssl/objects.h>
 #include "ssl_locl.h"
+#include "kssl_lcl.h"
+#include <openssl/md5.h>
 
 const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
 
@@ -129,7 +129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_RSA_NULL_MD5,
 	SSL3_CK_RSA_NULL_MD5,
 	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
-	SSL_NOT_EXP,
+	SSL_NOT_EXP|SSL_STRONG_NONE,
 	0,
 	0,
 	0,
@@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_RSA_NULL_SHA,
 	SSL3_CK_RSA_NULL_SHA,
 	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP,
+	SSL_NOT_EXP|SSL_STRONG_NONE,
 	0,
 	0,
 	0,
@@ -170,7 +170,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_ADH_RC4_128_MD5,
 	SSL3_CK_ADH_RC4_128_MD5,
 	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
-	SSL_NOT_EXP,
+	SSL_NOT_EXP|SSL_MEDIUM,
 	0,
 	128,
 	128,
@@ -196,7 +196,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_ADH_DES_64_CBC_SHA,
 	SSL3_CK_ADH_DES_64_CBC_SHA,
 	SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP,
+	SSL_NOT_EXP|SSL_LOW,
 	0,
 	56,
 	56,
@@ -209,7 +209,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_ADH_DES_192_CBC_SHA,
 	SSL3_CK_ADH_DES_192_CBC_SHA,
 	SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP,
+	SSL_NOT_EXP|SSL_HIGH,
 	0,
 	168,
 	168,
@@ -490,7 +490,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_FZA_DMS_NULL_SHA,
 	SSL3_CK_FZA_DMS_NULL_SHA,
 	SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP,
+	SSL_NOT_EXP|SSL_STRONG_NONE,
 	0,
 	0,
 	0,
@@ -504,7 +504,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_FZA_DMS_FZA_SHA,
 	SSL3_CK_FZA_DMS_FZA_SHA,
 	SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP,
+	SSL_NOT_EXP|SSL_STRONG_NONE,
 	0,
 	0,
 	0,
@@ -518,7 +518,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_FZA_DMS_RC4_SHA,
 	SSL3_CK_FZA_DMS_RC4_SHA,
 	SSL_kFZA|SSL_aFZA |SSL_RC4  |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP,
+	SSL_NOT_EXP|SSL_MEDIUM,
 	0,
 	128,
 	128,
@@ -526,7 +526,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_ALL_STRENGTHS,
 	},
 
-#ifndef NO_KRB5
+#ifndef OPENSSL_NO_KRB5
 /* The Kerberos ciphers
 ** 20000107 VRS: And the first shall be last,
 ** in hopes of avoiding the lynx ssl renegotiation problem.
@@ -614,7 +614,9 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
-#endif	/* NO_KRB5 */
+#endif	/* OPENSSL_NO_KRB5 */
+
+
 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
 	/* New TLS Export CipherSuites */
 	/* Cipher 60 */
@@ -701,7 +703,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
 	    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
 	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP,
+	    SSL_NOT_EXP|SSL_MEDIUM,
 	    0,
 	    128,
 	    128,
@@ -709,6 +711,165 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    SSL_ALL_STRENGTHS
 	    },
 #endif
+	/* New AES ciphersuites */
+
+	/* Cipher 2F */
+	    {
+	    1,
+	    TLS1_TXT_RSA_WITH_AES_128_SHA,
+	    TLS1_CK_RSA_WITH_AES_128_SHA,
+	    SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_MEDIUM,
+	    0,
+	    128,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 30 */
+	    {
+	    0,
+	    TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
+	    TLS1_CK_DH_DSS_WITH_AES_128_SHA,
+	    SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_MEDIUM,
+	    0,
+	    128,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 31 */
+	    {
+	    0,
+	    TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
+	    TLS1_CK_DH_RSA_WITH_AES_128_SHA,
+	    SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_MEDIUM,
+	    0,
+	    128,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 32 */
+	    {
+	    1,
+	    TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
+	    TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
+	    SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_MEDIUM,
+	    0,
+	    128,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 33 */
+	    {
+	    1,
+	    TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
+	    TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
+	    SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_MEDIUM,
+	    0,
+	    128,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 34 */
+	    {
+	    1,
+	    TLS1_TXT_ADH_WITH_AES_128_SHA,
+	    TLS1_CK_ADH_WITH_AES_128_SHA,
+	    SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_MEDIUM,
+	    0,
+	    128,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+
+	/* Cipher 35 */
+	    {
+	    1,
+	    TLS1_TXT_RSA_WITH_AES_256_SHA,
+	    TLS1_CK_RSA_WITH_AES_256_SHA,
+	    SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_HIGH,
+	    0,
+	    256,
+	    256,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 36 */
+	    {
+	    0,
+	    TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
+	    TLS1_CK_DH_DSS_WITH_AES_256_SHA,
+	    SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_HIGH,
+	    0,
+	    256,
+	    256,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 37 */
+	    {
+	    0,
+	    TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
+	    TLS1_CK_DH_RSA_WITH_AES_256_SHA,
+	    SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_HIGH,
+	    0,
+	    256,
+	    256,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 38 */
+	    {
+	    1,
+	    TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
+	    TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
+	    SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_HIGH,
+	    0,
+	    256,
+	    256,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 39 */
+	    {
+	    1,
+	    TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
+	    TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
+	    SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_HIGH,
+	    0,
+	    256,
+	    256,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 3A */
+	    {
+	    1,
+	    TLS1_TXT_ADH_WITH_AES_256_SHA,
+	    TLS1_CK_ADH_WITH_AES_256_SHA,
+	    SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP|SSL_HIGH,
+	    0,
+	    256,
+	    256,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
 
 /* end of list */
 	};
@@ -782,6 +943,9 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u)
 
 int ssl3_pending(SSL *s)
 	{
+	if (s->rstate == SSL_ST_READ_BODY)
+		return 0;
+	
 	return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
 	}
 
@@ -791,6 +955,8 @@ int ssl3_new(SSL *s)
 
 	if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err;
 	memset(s3,0,sizeof *s3);
+	EVP_MD_CTX_init(&s3->finish_dgst1);
+	EVP_MD_CTX_init(&s3->finish_dgst2);
 
 	s->s3=s3;
 
@@ -812,12 +978,14 @@ void ssl3_free(SSL *s)
 		OPENSSL_free(s->s3->wbuf.buf);
 	if (s->s3->rrec.comp != NULL)
 		OPENSSL_free(s->s3->rrec.comp);
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 	if (s->s3->tmp.dh != NULL)
 		DH_free(s->s3->tmp.dh);
 #endif
 	if (s->s3->tmp.ca_names != NULL)
 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
+	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
 	memset(s->s3,0,sizeof *s->s3);
 	OPENSSL_free(s->s3);
 	s->s3=NULL;
@@ -826,6 +994,7 @@ void ssl3_free(SSL *s)
 void ssl3_clear(SSL *s)
 	{
 	unsigned char *rp,*wp;
+	size_t rlen, wlen;
 
 	ssl3_cleanup_key_block(s);
 	if (s->s3->tmp.ca_names != NULL)
@@ -836,17 +1005,24 @@ void ssl3_clear(SSL *s)
 		OPENSSL_free(s->s3->rrec.comp);
 		s->s3->rrec.comp=NULL;
 		}
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 	if (s->s3->tmp.dh != NULL)
 		DH_free(s->s3->tmp.dh);
 #endif
 
-	rp=s->s3->rbuf.buf;
-	wp=s->s3->wbuf.buf;
+	rp = s->s3->rbuf.buf;
+	wp = s->s3->wbuf.buf;
+	rlen = s->s3->rbuf.len;
+ 	wlen = s->s3->wbuf.len;
+
+	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
+	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
 
 	memset(s->s3,0,sizeof *s->s3);
-	if (rp != NULL) s->s3->rbuf.buf=rp;
-	if (wp != NULL) s->s3->wbuf.buf=wp;
+	s->s3->rbuf.buf = rp;
+	s->s3->wbuf.buf = wp;
+	s->s3->rbuf.len = rlen;
+ 	s->s3->wbuf.len = wlen;
 
 	ssl_free_wbio_buffer(s);
 
@@ -858,17 +1034,17 @@ void ssl3_clear(SSL *s)
 	s->version=SSL3_VERSION;
 	}
 
-long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
+long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 	{
 	int ret=0;
 
-#if !defined(NO_DSA) || !defined(NO_RSA)
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
 	if (
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 	    cmd == SSL_CTRL_SET_TMP_RSA ||
 	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 	    cmd == SSL_CTRL_SET_TMP_DH ||
 	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
 #endif
@@ -902,7 +1078,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
 	case SSL_CTRL_GET_FLAGS:
 		ret=(int)(s->s3->flags);
 		break;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 	case SSL_CTRL_NEED_TMP_RSA:
 		if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
 		    ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
@@ -935,7 +1111,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
 		}
 		break;
 #endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 	case SSL_CTRL_SET_TMP_DH:
 		{
 			DH *dh = (DH *)parg;
@@ -981,12 +1157,12 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
 	{
 	int ret=0;
 
-#if !defined(NO_DSA) || !defined(NO_RSA)
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
 	if (
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
 #endif
 		0)
@@ -1001,14 +1177,14 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
 
 	switch (cmd)
 		{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 	case SSL_CTRL_SET_TMP_RSA_CB:
 		{
 		s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
 		}
 		break;
 #endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 	case SSL_CTRL_SET_TMP_DH_CB:
 		{
 		s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
@@ -1021,7 +1197,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
 	return(ret);
 	}
 
-long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
+long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 	{
 	CERT *cert;
 
@@ -1029,7 +1205,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
 
 	switch (cmd)
 		{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 	case SSL_CTRL_NEED_TMP_RSA:
 		if (	(cert->rsa_tmp == NULL) &&
 			((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
@@ -1074,7 +1250,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
 		}
 		break;
 #endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 	case SSL_CTRL_SET_TMP_DH:
 		{
 		DH *new=NULL,*dh;
@@ -1131,14 +1307,14 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
 
 	switch (cmd)
 		{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 	case SSL_CTRL_SET_TMP_RSA_CB:
 		{
 		cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
 		}
 		break;
 #endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 	case SSL_CTRL_SET_TMP_DH_CB:
 		{
 		cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
@@ -1203,10 +1379,11 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
 	return(2);
 	}
 
-SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
-	     STACK_OF(SSL_CIPHER) *pref)
+SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+	     STACK_OF(SSL_CIPHER) *srvr)
 	{
 	SSL_CIPHER *c,*ret=NULL;
+	STACK_OF(SSL_CIPHER) *prio, *allow;
 	int i,j,ok;
 	CERT *cert;
 	unsigned long alg,mask,emask;
@@ -1214,20 +1391,45 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
 	/* Let's see which ciphers we can support */
 	cert=s->cert;
 
-	sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
+#if 0
+	/* Do not set the compare functions, because this may lead to a
+	 * reordering by "id". We want to keep the original ordering.
+	 * We may pay a price in performance during sk_SSL_CIPHER_find(),
+	 * but would have to pay with the price of sk_SSL_CIPHER_dup().
+	 */
+	sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
+	sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
+#endif
 
 #ifdef CIPHER_DEBUG
-        printf("Have %d from %p:\n", sk_SSL_CIPHER_num(pref), pref);
-        for(i=0 ; i < sk_SSL_CIPHER_num(pref) ; ++i)
+        printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr);
+        for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
+	    {
+	    c=sk_SSL_CIPHER_value(srvr,i);
+	    printf("%p:%s\n",c,c->name);
+	    }
+        printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt);
+        for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
 	    {
-	    c=sk_SSL_CIPHER_value(pref,i);
+	    c=sk_SSL_CIPHER_value(clnt,i);
 	    printf("%p:%s\n",c,c->name);
 	    }
 #endif
 
-	for (i=0; i<sk_SSL_CIPHER_num(have); i++)
+	if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+	    {
+	    prio = srvr;
+	    allow = clnt;
+	    }
+	else
+	    {
+	    prio = clnt;
+	    allow = srvr;
+	    }
+
+	for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
 		{
-		c=sk_SSL_CIPHER_value(have,i);
+		c=sk_SSL_CIPHER_value(prio,i);
 
 		ssl_set_cert_masks(cert,c);
 		mask=cert->mask;
@@ -1238,6 +1440,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
 #endif    /* KSSL_DEBUG */
 
 		alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
+#ifndef OPENSSL_NO_KRB5
+                if (alg & SSL_KRB5) 
+                        {
+                        if ( !kssl_keytab_is_available(s->kssl_ctx) )
+                            continue;
+                        }
+#endif /* OPENSSL_NO_KRB5 */
 		if (SSL_C_IS_EXPORT(c))
 			{
 			ok=((alg & emask) == alg)?1:0;
@@ -1257,10 +1466,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
 
 		if (!ok) continue;
 	
-		j=sk_SSL_CIPHER_find(pref,c);
+		j=sk_SSL_CIPHER_find(allow,c);
 		if (j >= 0)
 			{
-			ret=sk_SSL_CIPHER_value(pref,j);
+			ret=sk_SSL_CIPHER_value(allow,j);
 			break;
 			}
 		}
@@ -1274,31 +1483,31 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 
 	alg=s->s3->tmp.new_cipher->algorithms;
 
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 	if (alg & (SSL_kDHr|SSL_kEDH))
 		{
-#  ifndef NO_RSA
+#  ifndef OPENSSL_NO_RSA
 		p[ret++]=SSL3_CT_RSA_FIXED_DH;
 #  endif
-#  ifndef NO_DSA
+#  ifndef OPENSSL_NO_DSA
 		p[ret++]=SSL3_CT_DSS_FIXED_DH;
 #  endif
 		}
 	if ((s->version == SSL3_VERSION) &&
 		(alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
 		{
-#  ifndef NO_RSA
+#  ifndef OPENSSL_NO_RSA
 		p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
 #  endif
-#  ifndef NO_DSA
+#  ifndef OPENSSL_NO_DSA
 		p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
 #  endif
 		}
-#endif /* !NO_DH */
-#ifndef NO_RSA
+#endif /* !OPENSSL_NO_DH */
+#ifndef OPENSSL_NO_RSA
 	p[ret++]=SSL3_CT_RSA_SIGN;
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 	p[ret++]=SSL3_CT_DSS_SIGN;
 #endif
 	return(ret);
@@ -1405,13 +1614,12 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
 	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
 	s->s3->in_read_app_data=1;
 	ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
-	if ((ret == -1) && (s->s3->in_read_app_data == 0))
+	if ((ret == -1) && (s->s3->in_read_app_data == 2))
 		{
 		/* ssl3_read_bytes decided to call s->handshake_func, which
 		 * called ssl3_read_bytes to read handshake data.
 		 * However, ssl3_read_bytes actually found application data
-		 * and thinks that application data makes sense here (signalled
-		 * by resetting 'in_read_app_data', strangely); so disable
+		 * and thinks that application data makes sense here; so disable
 		 * handshake processing and try to read application data again. */
 		s->in_handshake++;
 		ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
@@ -1428,7 +1636,7 @@ int ssl3_read(SSL *s, void *buf, int len)
 	return ssl3_read_internal(s, buf, len, 0);
 	}
 
-int ssl3_peek(SSL *s, char *buf, int len)
+int ssl3_peek(SSL *s, void *buf, int len)
 	{
 	return ssl3_read_internal(s, buf, len, 1);
 	}