X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_srvr.c;h=c1895dda88ae04821714669f33d691530fb58519;hp=a827a58d4932666d0c70f9be874b49f53a6c505f;hb=93d8bfcdc4aa7f0811b8168456d7eafceaefe593;hpb=a8236c8c322101c273d14c62282f264555e147c4

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a827a58d49..c1895dda88 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -57,52 +57,32 @@
  */
 
 #define REUSE_CIPHER_BUG
+#define NETSCAPE_HANG_BUG
+
 
 #include <stdio.h>
-#include "buffer.h"
-#include "rand.h"
-#include "objects.h"
-#include "evp.h"
-#include "x509.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
 #include "ssl_locl.h"
 
-#define BREAK	break
-/* SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
- */
-
-#ifndef NOPROTO
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
+static int ssl3_check_client_hello(SSL *s);
 static int ssl3_send_server_hello(SSL *s);
 static int ssl3_send_server_key_exchange(SSL *s);
 static int ssl3_send_certificate_request(SSL *s);
 static int ssl3_send_server_done(SSL *s);
-static int ssl3_get_cert_verify(SSL *s);
 static int ssl3_get_client_key_exchange(SSL *s);
 static int ssl3_get_client_certificate(SSL *s);
+static int ssl3_get_cert_verify(SSL *s);
 static int ssl3_send_hello_request(SSL *s);
 
-#else
-
-static SSL_METHOD *ssl3_get_server_method();
-static int ssl3_get_client_hello();
-static int ssl3_send_server_hello();
-static int ssl3_send_server_key_exchange();
-static int ssl3_send_certificate_request();
-static int ssl3_send_server_done();
-static int ssl3_get_cert_verify();
-static int ssl3_get_client_key_exchange();
-static int ssl3_get_client_certificate();
-static int ssl3_send_hello_request();
-
-#endif
-
-static SSL_METHOD *ssl3_get_server_method(ver)
-int ver;
+static SSL_METHOD *ssl3_get_server_method(int ver)
 	{
 	if (ver == SSL3_VERSION)
 		return(SSLv3_server_method());
@@ -110,35 +90,32 @@ int ver;
 		return(NULL);
 	}
 
-SSL_METHOD *SSLv3_server_method()
+SSL_METHOD *SSLv3_server_method(void)
 	{
 	static int init=1;
 	static SSL_METHOD SSLv3_server_data;
 
 	if (init)
 		{
-		init=0;
 		memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
 			sizeof(SSL_METHOD));
 		SSLv3_server_data.ssl_accept=ssl3_accept;
 		SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
+		init=0;
 		}
 	return(&SSLv3_server_data);
 	}
 
-int ssl3_accept(s)
-SSL *s;
+int ssl3_accept(SSL *s)
 	{
 	BUF_MEM *buf;
 	unsigned long l,Time=time(NULL);
 	void (*cb)()=NULL;
 	long num1;
 	int ret= -1;
-	CERT *ct;
-	BIO *under;
 	int new_state,state,skip=0;
 
-	RAND_seed(&Time,sizeof(Time));
+	RAND_add(&Time,sizeof(Time),0);
 	ERR_clear_error();
 	clear_sys_error();
 
@@ -151,17 +128,11 @@ SSL *s;
 	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
 	s->in_handshake++;
 
-#ifdef undef
-	/* FIX THIS EAY EAY EAY */
-	/* we don't actually need a cert, we just need a cert or a DH_tmp */
-	if (((s->session == NULL) || (s->session->cert == NULL)) &&
-		(s->cert == NULL))
+	if (s->cert == NULL)
 		{
 		SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
-		ret= -1;
-		goto end;
+		return(-1);
 		}
-#endif
 
 	for (;;)
 		{
@@ -178,11 +149,11 @@ SSL *s;
 		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
 		case SSL_ST_OK|SSL_ST_ACCEPT:
 
+			s->server=1;
 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
 
 			if ((s->version>>8) != 3)
 				abort();
-			/* s->version=SSL3_VERSION; */
 			s->type=SSL_ST_ACCEPT;
 
 			if (s->init_buf == NULL)
@@ -215,13 +186,13 @@ SSL *s;
 
 			if (s->state != SSL_ST_RENEGOTIATE)
 				{
-				s->state=SSL3_ST_SR_CLNT_HELLO_A;
 				ssl3_init_finished_mac(s);
-				s->ctx->sess_accept++;
+				s->state=SSL3_ST_SR_CLNT_HELLO_A;
+				s->ctx->stats.sess_accept++;
 				}
 			else
 				{
-				s->ctx->sess_accept_renegotiate++;
+				s->ctx->stats.sess_accept_renegotiate++;
 				s->state=SSL3_ST_SW_HELLO_REQ_A;
 				}
 			break;
@@ -240,15 +211,6 @@ SSL *s;
 			break;
 
 		case SSL3_ST_SW_HELLO_REQ_C:
-			/* remove buffering on output */
-			under=BIO_pop(s->wbio);
-			if (under != NULL)
-				s->wbio=under;
-			else
-				abort(); /* ok */
-			BIO_free(s->bbio);
-			s->bbio=NULL;
-
 			s->state=SSL_ST_OK;
 			ret=1;
 			goto end;
@@ -294,20 +256,6 @@ SSL *s;
 		case SSL3_ST_SW_KEY_EXCH_A:
 		case SSL3_ST_SW_KEY_EXCH_B:
 			l=s->s3->tmp.new_cipher->algorithms;
-			if (s->session->cert == NULL)
-				{
-				if (s->cert != NULL)
-					{
-					CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
-					s->session->cert=s->cert;
-					}
-				else
-					{
-					CRYPTO_add(&s->ctx->default_cert->references,1,CRYPTO_LOCK_SSL_CERT);
-					s->session->cert=s->ctx->default_cert;
-					}
-				}
-			ct=s->session->cert;
 
 			/* clear this, it may get reset by
 			 * send_server_key_exchange */
@@ -318,16 +266,16 @@ SSL *s;
 
 			/* only send if a DH key exchange, fortezza or
 			 * RSA but we have a sign only certificate */
-			if ( s->s3->tmp.use_rsa_tmp ||
-			    (l & (SSL_DH|SSL_kFZA)) ||
-			    ((l & SSL_kRSA) &&
-			     ((ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)||
-			      ((l & SSL_EXPORT) &&
-			       (EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > 512)
-			      )
-			     )
+			if (s->s3->tmp.use_rsa_tmp
+			    || (l & (SSL_DH|SSL_kFZA))
+			    || ((l & SSL_kRSA)
+				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
+				    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
+					&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
+					)
+				    )
+				)
 			    )
-			   )
 				{
 				ret=ssl3_send_server_key_exchange(s);
 				if (ret <= 0) goto end;
@@ -341,9 +289,19 @@ SSL *s;
 
 		case SSL3_ST_SW_CERT_REQ_A:
 		case SSL3_ST_SW_CERT_REQ_B:
-			if (!(s->verify_mode & SSL_VERIFY_PEER) ||
+			if (/* don't request cert unless asked for it: */
+				!(s->verify_mode & SSL_VERIFY_PEER) ||
+				/* if SSL_VERIFY_CLIENT_ONCE is set,
+				 * don't request cert during re-negotiation: */
 				((s->session->peer != NULL) &&
-				 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
+				 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
+				/* never request cert in anonymous ciphersuites
+				 * (see section "Certificate request" in SSL 3 drafts
+				 * and in RFC 2246): */
+				((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
+				 /* ... except when the application insists on verification
+				  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
+				 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
 				{
 				/* no cert request */
 				skip=1;
@@ -355,7 +313,12 @@ SSL *s;
 				s->s3->tmp.cert_request=1;
 				ret=ssl3_send_certificate_request(s);
 				if (ret <= 0) goto end;
+#ifndef NETSCAPE_HANG_BUG
 				s->state=SSL3_ST_SW_SRVR_DONE_A;
+#else
+				s->state=SSL3_ST_SW_FLUSH;
+				s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
+#endif
 				s->init_num=0;
 				}
 			break;
@@ -385,12 +348,20 @@ SSL *s;
 
 		case SSL3_ST_SR_CERT_A:
 		case SSL3_ST_SR_CERT_B:
-			/* could be sent for a DH cert, even if we
-			 * have not asked for it :-) */
-			ret=ssl3_get_client_certificate(s);
-			if (ret <= 0) goto end;
-			s->init_num=0;
-			s->state=SSL3_ST_SR_KEY_EXCH_A;
+			/* Check for second client hello (MS SGC) */
+			ret = ssl3_check_client_hello(s);
+			if (ret <= 0)
+				goto end;
+			if (ret == 2)
+				s->state = SSL3_ST_SR_CLNT_HELLO_C;
+			else {
+				/* could be sent for a DH cert, even if we
+				 * have not asked for it :-) */
+				ret=ssl3_get_client_certificate(s);
+				if (ret <= 0) goto end;
+				s->init_num=0;
+				s->state=SSL3_ST_SR_KEY_EXCH_A;
+			}
 			break;
 
 		case SSL3_ST_SR_KEY_EXCH_A:
@@ -404,10 +375,10 @@ SSL *s;
 			 * a client cert, it can be verified */ 
 			s->method->ssl3_enc->cert_verify_mac(s,
 				&(s->s3->finish_dgst1),
-				&(s->s3->tmp.finish_md[0]));
+				&(s->s3->tmp.cert_verify_md[0]));
 			s->method->ssl3_enc->cert_verify_mac(s,
 				&(s->s3->finish_dgst2),
-				&(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]));
+				&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
 
 			break;
 
@@ -461,8 +432,8 @@ SSL *s;
 		case SSL3_ST_SW_FINISHED_B:
 			ret=ssl3_send_finished(s,
 				SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
-				s->method->ssl3_enc->server_finished,
-				s->method->ssl3_enc->server_finished_len);
+				s->method->ssl3_enc->server_finished_label,
+				s->method->ssl3_enc->server_finished_label_len);
 			if (ret <= 0) goto end;
 			s->state=SSL3_ST_SW_FLUSH;
 			if (s->hit)
@@ -480,20 +451,14 @@ SSL *s;
 			s->init_buf=NULL;
 
 			/* remove buffering on output */
-			under=BIO_pop(s->wbio);
-			if (under != NULL)
-				s->wbio=under;
-			else
-				abort(); /* ok */
-			BIO_free(s->bbio);
-			s->bbio=NULL;
+			ssl_free_wbio_buffer(s);
 
 			s->new_session=0;
 			s->init_num=0;
 
 			ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
 
-			s->ctx->sess_accept_good++;
+			s->ctx->stats.sess_accept_good++;
 			/* s->server=1; */
 			s->handshake_func=ssl3_accept;
 			ret=1;
@@ -538,15 +503,14 @@ end:
 	return(ret);
 	}
 
-static int ssl3_send_hello_request(s)
-SSL *s;
+static int ssl3_send_hello_request(SSL *s)
 	{
 	unsigned char *p;
 
 	if (s->state == SSL3_ST_SW_HELLO_REQ_A)
 		{
 		p=(unsigned char *)s->init_buf->data;
-		*(p++)=SSL3_MT_CLIENT_REQUEST;
+		*(p++)=SSL3_MT_HELLO_REQUEST;
 		*(p++)=0;
 		*(p++)=0;
 		*(p++)=0;
@@ -561,15 +525,46 @@ SSL *s;
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 	}
 
-static int ssl3_get_client_hello(s)
-SSL *s;
+static int ssl3_check_client_hello(SSL *s)
+	{
+	int ok;
+	long n;
+
+	n=ssl3_get_message(s,
+		SSL3_ST_SR_CERT_A,
+		SSL3_ST_SR_CERT_B,
+		-1,
+		SSL3_RT_MAX_PLAIN_LENGTH,
+		&ok);
+	if (!ok) return((int)n);
+	s->s3->tmp.reuse_message = 1;
+	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
+		{
+		/* Throw away what we have done so far in the current handshake,
+		 * which will now be aborted. (A full SSL_clear would be too much.)
+		 * I hope that tmp.dh is the only thing that may need to be cleared
+		 * when a handshake is not completed ... */
+#ifndef NO_DH
+		if (s->s3->tmp.dh != NULL)
+			{
+			DH_free(s->s3->tmp.dh);
+			s->s3->tmp.dh = NULL;
+			}
+#endif
+		return 2;
+		}
+	return 1;
+}
+
+static int ssl3_get_client_hello(SSL *s)
 	{
 	int i,j,ok,al,ret= -1;
 	long n;
 	unsigned long id;
-	unsigned char *p,*d;
+	unsigned char *p,*d,*q;
 	SSL_CIPHER *c;
-	STACK *ciphers=NULL;
+	SSL_COMP *comp=NULL;
+	STACK_OF(SSL_CIPHER) *ciphers=NULL;
 
 	/* We do this so that we will respond with our native type.
 	 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
@@ -592,9 +587,9 @@ SSL *s;
 	if (!ok) return((int)n);
 	d=p=(unsigned char *)s->init_buf->data;
 
-	/* The version number has already been checked in ssl3_get_message.
-	 * I a native TLSv1/SSLv3 method, the match must be correct except
-	 * perhaps for the first message */
+	/* use version from inside client hello, not from record header
+	 * (may differ: see RFC 2246, Appendix E, second paragraph) */
+	s->client_version=(((int)p[0])<<8)|(int)p[1];
 	p+=2;
 
 	/* load the client random */
@@ -617,7 +612,9 @@ SSL *s;
 			{ /* previous session */
 			s->hit=1;
 			}
-		else
+		else if (i == -1)
+			goto err;
+		else /* i == 0 */
 			{
 			if (!ssl_get_new_session(s,1))
 				goto err;
@@ -653,9 +650,16 @@ SSL *s;
 		j=0;
 		id=s->session->cipher->id;
 
-		for (i=0; i<sk_num(ciphers); i++)
+#ifdef CIPHER_DEBUG
+		printf("client sent %d ciphers\n",sk_num(ciphers));
+#endif
+		for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
 			{
-			c=(SSL_CIPHER *)sk_value(ciphers,i);
+			c=sk_SSL_CIPHER_value(ciphers,i);
+#ifdef CIPHER_DEBUG
+			printf("client [%2d of %2d]:%s\n",
+				i,sk_num(ciphers),SSL_CIPHER_get_name(c));
+#endif
 			if (c->id == id)
 				{
 				j=1;
@@ -664,11 +668,11 @@ SSL *s;
 			}
 		if (j == 0)
 			{
-			if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_num(ciphers) == 1))
+			if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
 				{
 				/* Very bad for multi-threading.... */
-				s->session->cipher=
-					(SSL_CIPHER *)sk_value(ciphers,0);
+				s->session->cipher=sk_SSL_CIPHER_value(ciphers,
+								       0);
 				}
 			else
 				{
@@ -683,8 +687,11 @@ SSL *s;
 
 	/* compression */
 	i= *(p++);
+	q=p;
 	for (j=0; j<i; j++)
+		{
 		if (p[j] == 0) break;
+		}
 
 	p+=i;
 	if (j >= i)
@@ -695,6 +702,35 @@ SSL *s;
 		goto f_err;
 		}
 
+	/* Worst case, we will use the NULL compression, but if we have other
+	 * options, we will now look for them.  We have i-1 compression
+	 * algorithms from the client, starting at q. */
+	s->s3->tmp.new_compression=NULL;
+	if (s->ctx->comp_methods != NULL)
+		{ /* See if we have a match */
+		int m,nn,o,v,done=0;
+
+		nn=sk_SSL_COMP_num(s->ctx->comp_methods);
+		for (m=0; m<nn; m++)
+			{
+			comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
+			v=comp->id;
+			for (o=0; o<i; o++)
+				{
+				if (v == q[o])
+					{
+					done=1;
+					break;
+					}
+				}
+			if (done) break;
+			}
+		if (done)
+			s->s3->tmp.new_compression=comp;
+		else
+			comp=NULL;
+		}
+
 	/* TLS does not mind if there is extra stuff */
 	if (s->version == SSL3_VERSION)
 		{
@@ -708,15 +744,14 @@ SSL *s;
 			}
 		}
 
-	/* do nothing with compression */
-
 	/* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
 	 * pick a cipher */
 
 	if (!s->hit)
 		{
+		s->session->compress_meth=(comp == NULL)?0:comp->id;
 		if (s->session->ciphers != NULL)
-			sk_free(s->session->ciphers);
+			sk_SSL_CIPHER_free(s->session->ciphers);
 		s->session->ciphers=ciphers;
 		if (ciphers == NULL)
 			{
@@ -726,7 +761,7 @@ SSL *s;
 			}
 		ciphers=NULL;
 		c=ssl3_choose_cipher(s,s->session->ciphers,
-			ssl_get_ciphers_by_id(s));
+				     ssl_get_ciphers_by_id(s));
 
 		if (c == NULL)
 			{
@@ -740,19 +775,19 @@ SSL *s;
 		{
 		/* Session-id reuse */
 #ifdef REUSE_CIPHER_BUG
-		STACK *sk;
+		STACK_OF(SSL_CIPHER) *sk;
 		SSL_CIPHER *nc=NULL;
 		SSL_CIPHER *ec=NULL;
 
 		if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
 			{
 			sk=s->session->ciphers;
-			for (i=0; i<sk_num(sk); i++)
+			for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
 				{
-				c=(SSL_CIPHER *)sk_value(sk,i);
+				c=sk_SSL_CIPHER_value(sk,i);
 				if (c->algorithms & SSL_eNULL)
 					nc=c;
-				if (c->algorithms & SSL_EXP)
+				if (SSL_C_IS_EXPORT(c))
 					ec=c;
 				}
 			if (nc != NULL)
@@ -774,7 +809,7 @@ SSL *s;
 	 * compression		- basically ignored right now
 	 * ssl version is set	- sslv3
 	 * s->session		- The ssl session has been setup.
-	 * s->hit		- sesson reuse flag
+	 * s->hit		- session reuse flag
 	 * s->tmp.new_cipher	- the new cipher to use.
 	 */
 
@@ -785,12 +820,11 @@ f_err:
 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
 		}
 err:
-	if (ciphers != NULL) sk_free(ciphers);
+	if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
 	return(ret);
 	}
 
-static int ssl3_send_server_hello(s)
-SSL *s;
+static int ssl3_send_server_hello(SSL *s)
 	{
 	unsigned char *buf;
 	unsigned char *p,*d;
@@ -803,7 +837,7 @@ SSL *s;
 		p=s->s3->server_random;
 		Time=time(NULL);			/* Time */
 		l2n(Time,p);
-		RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
 		/* Do the message type and length last */
 		d=p= &(buf[4]);
 
@@ -835,7 +869,10 @@ SSL *s;
 		p+=i;
 
 		/* put the compression method */
-		*(p++)=0;
+		if (s->s3->tmp.new_compression == NULL)
+			*(p++)=0;
+		else
+			*(p++)=s->s3->tmp.new_compression->id;
 
 		/* do the header */
 		l=(p-d);
@@ -853,8 +890,7 @@ SSL *s;
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 	}
 
-static int ssl3_send_server_done(s)
-SSL *s;
+static int ssl3_send_server_done(SSL *s)
 	{
 	unsigned char *p;
 
@@ -878,17 +914,17 @@ SSL *s;
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 	}
 
-static int ssl3_send_server_key_exchange(s)
-SSL *s;
+static int ssl3_send_server_key_exchange(SSL *s)
 	{
 #ifndef NO_RSA
 	unsigned char *q;
 	int j,num;
 	RSA *rsa;
 	unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
+	unsigned int u;
 #endif
 #ifndef NO_DH
-	DH *dh,*dhp;
+	DH *dh=NULL,*dhp;
 #endif
 	EVP_PKEY *pkey;
 	unsigned char *p,*d;
@@ -904,7 +940,7 @@ SSL *s;
 	if (s->state == SSL3_ST_SW_KEY_EXCH_A)
 		{
 		type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
-		cert=s->session->cert;
+		cert=s->cert;
 
 		buf=s->init_buf;
 
@@ -914,11 +950,17 @@ SSL *s;
 		if (type & SSL_kRSA)
 			{
 			rsa=cert->rsa_tmp;
-			if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
+			if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
 				{
-				rsa=s->ctx->default_cert->rsa_tmp_cb(s,
-					!(s->s3->tmp.new_cipher->algorithms
-					  &SSL_NOT_EXP));
+				rsa=s->cert->rsa_tmp_cb(s,
+				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
+				if(rsa == NULL)
+				{
+					al=SSL_AD_HANDSHAKE_FAILURE;
+					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
+					goto f_err;
+				}
 				CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
 				cert->rsa_tmp=rsa;
 				}
@@ -938,16 +980,24 @@ SSL *s;
 			if (type & SSL_kEDH)
 			{
 			dhp=cert->dh_tmp;
-			if ((dhp == NULL) && (cert->dh_tmp_cb != NULL))
-				dhp=cert->dh_tmp_cb(s,
-					!(s->s3->tmp.new_cipher->algorithms
-					  &SSL_NOT_EXP));
+			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
+				dhp=s->cert->dh_tmp_cb(s,
+				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
 			if (dhp == NULL)
 				{
 				al=SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
 				goto f_err;
 				}
+
+			if (s->s3->tmp.dh != NULL)
+				{
+				DH_free(dh);
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_INTERNAL_ERROR);
+				goto err;
+				}
+
 			if ((dh=DHparams_dup(dhp)) == NULL)
 				{
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
@@ -1047,15 +1097,14 @@ SSL *s;
 					q+=i;
 					j+=i;
 					}
-				i=RSA_private_encrypt(j,md_buf,&(p[2]),
-					pkey->pkey.rsa,RSA_PKCS1_PADDING);
-				if (i <= 0)
+				if (RSA_sign(NID_md5_sha1, md_buf, j,
+					&(p[2]), &u, pkey->pkey.rsa) <= 0)
 					{
 					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
 					goto err;
 					}
-				s2n(i,p);
-				n+=i+2;
+				s2n(u,p);
+				n+=u+2;
 				}
 			else
 #endif
@@ -1095,7 +1144,7 @@ SSL *s;
 		s->init_off=0;
 		}
 
-	/* SSL3_ST_SW_KEY_EXCH_B */
+	s->state = SSL3_ST_SW_KEY_EXCH_B;
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -1103,12 +1152,11 @@ err:
 	return(-1);
 	}
 
-static int ssl3_send_certificate_request(s)
-SSL *s;
+static int ssl3_send_certificate_request(SSL *s)
 	{
 	unsigned char *p,*d;
 	int i,j,nl,off,n;
-	STACK *sk=NULL;
+	STACK_OF(X509_NAME) *sk=NULL;
 	X509_NAME *name;
 	BUF_MEM *buf;
 
@@ -1133,9 +1181,9 @@ SSL *s;
 		nl=0;
 		if (sk != NULL)
 			{
-			for (i=0; i<sk_num(sk); i++)
+			for (i=0; i<sk_X509_NAME_num(sk); i++)
 				{
-				name=(X509_NAME *)sk_value(sk,i);
+				name=sk_X509_NAME_value(sk,i);
 				j=i2d_X509_NAME(name,NULL);
 				if (!BUF_MEM_grow(buf,4+n+j+2))
 					{
@@ -1173,6 +1221,17 @@ SSL *s;
 
 		s->init_num=n+4;
 		s->init_off=0;
+#ifdef NETSCAPE_HANG_BUG
+		p=(unsigned char *)s->init_buf->data + s->init_num;
+
+		/* do the header */
+		*(p++)=SSL3_MT_SERVER_DONE;
+		*(p++)=0;
+		*(p++)=0;
+		*(p++)=0;
+		s->init_num += 4;
+#endif
+
 		}
 
 	/* SSL3_ST_SW_CERT_REQ_B */
@@ -1181,15 +1240,16 @@ err:
 	return(-1);
 	}
 
-static int ssl3_get_client_key_exchange(s)
-SSL *s;
+static int ssl3_get_client_key_exchange(SSL *s)
 	{
 	int i,al,ok;
 	long n;
 	unsigned long l;
 	unsigned char *p;
+#ifndef NO_RSA
 	RSA *rsa=NULL;
 	EVP_PKEY *pkey=NULL;
+#endif
 #ifndef NO_DH
 	BIGNUM *pub=NULL;
 	DH *dh_srvr;
@@ -1213,12 +1273,8 @@ SSL *s;
 		/* FIX THIS UP EAY EAY EAY EAY */
 		if (s->s3->tmp.use_rsa_tmp)
 			{
-			if ((s->session->cert != NULL) &&
-				(s->session->cert->rsa_tmp != NULL))
-				rsa=s->session->cert->rsa_tmp;
-			else if ((s->ctx->default_cert != NULL) &&
-				(s->ctx->default_cert->rsa_tmp != NULL))
-				rsa=s->ctx->default_cert->rsa_tmp;
+			if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
+				rsa=s->cert->rsa_tmp;
 			/* Don't do a callback because rsa_tmp should
 			 * be sent already */
 			if (rsa == NULL)
@@ -1263,18 +1319,6 @@ SSL *s;
 
 		i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
 
-#if 1
-		/* If a bad decrypt, use a random master key */
-		if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
-			((p[0] != (s->version>>8)) ||
-			 (p[1] != (s->version & 0xff))))
-			{
-			p[0]=(s->version>>8);
-			p[1]=(s->version & 0xff);
-			RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
-			i=SSL_MAX_MASTER_KEY_LENGTH;
-			}
-#else
 		if (i != SSL_MAX_MASTER_KEY_LENGTH)
 			{
 			al=SSL_AD_DECODE_ERROR;
@@ -1282,13 +1326,23 @@ SSL *s;
 			goto f_err;
 			}
 
-		if ((p[0] != (s->version>>8)) || (p[1] != (s->version & 0xff)))
+		if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
 			{
-			al=SSL_AD_DECODE_ERROR;
-			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
-			goto f_err;
+			/* The premaster secret must contain the same version number as the
+			 * ClientHello to detect version rollback attacks (strangely, the
+			 * protocol does not offer such protection for DH ciphersuites).
+			 * However, buggy clients exist that send the negotiated protocol
+			 * version instead if the server does not support the requested
+			 * protocol version.
+			 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
+			if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
+				(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
+				{
+				al=SSL_AD_DECODE_ERROR;
+				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
+				goto f_err;
+				}
 			}
-#endif
 
 		s->session->master_key_length=
 			s->method->ssl3_enc->generate_master_secret(s,
@@ -1375,8 +1429,7 @@ err:
 	return(-1);
 	}
 
-static int ssl3_get_cert_verify(s)
-SSL *s;
+static int ssl3_get_cert_verify(SSL *s)
 	{
 	EVP_PKEY *pkey=NULL;
 	unsigned char *p;
@@ -1462,16 +1515,16 @@ SSL *s;
 #ifndef NO_RSA 
 	if (pkey->type == EVP_PKEY_RSA)
 		{
-		i=RSA_public_decrypt(i,p,p,pkey->pkey.rsa,RSA_PKCS1_PADDING);
+		i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
+			MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 
+							pkey->pkey.rsa);
 		if (i < 0)
 			{
 			al=SSL_AD_DECRYPT_ERROR;
 			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
 			goto f_err;
 			}
-		if ((i != (MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) ||
-			memcmp(&(s->s3->tmp.finish_md[0]),p,
-				MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH))
+		if (i == 0)
 			{
 			al=SSL_AD_DECRYPT_ERROR;
 			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
@@ -1484,7 +1537,7 @@ SSL *s;
 		if (pkey->type == EVP_PKEY_DSA)
 		{
 		j=DSA_verify(pkey->save_type,
-			&(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]),
+			&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
 			SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
 		if (j <= 0)
 			{
@@ -1514,14 +1567,13 @@ end:
 	return(ret);
 	}
 
-static int ssl3_get_client_certificate(s)
-SSL *s;
+static int ssl3_get_client_certificate(SSL *s)
 	{
 	int i,ok,al,ret= -1;
 	X509 *x=NULL;
 	unsigned long l,nc,llen,n;
 	unsigned char *p,*d,*q;
-	STACK *sk=NULL;
+	STACK_OF(X509) *sk=NULL;
 
 	n=ssl3_get_message(s,
 		SSL3_ST_SR_CERT_A,
@@ -1545,7 +1597,7 @@ SSL *s;
 			al=SSL_AD_HANDSHAKE_FAILURE;
 			goto f_err;
 			}
-		/* If tls asked for a client cert we must return a 0 list */
+		/* If tls asked for a client cert, the client must return a 0 list */
 		if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
@@ -1564,7 +1616,7 @@ SSL *s;
 		}
 	d=p=(unsigned char *)s->init_buf->data;
 
-	if ((sk=sk_new_null()) == NULL)
+	if ((sk=sk_X509_new_null()) == NULL)
 		{
 		SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
 		goto err;
@@ -1600,7 +1652,7 @@ SSL *s;
 			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
 			goto f_err;
 			}
-		if (!sk_push(sk,(char *)x))
+		if (!sk_X509_push(sk,x))
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
 			goto err;
@@ -1609,7 +1661,7 @@ SSL *s;
 		nc+=l+3;
 		}
 
-	if (sk_num(sk) <= 0)
+	if (sk_X509_num(sk) <= 0)
 		{
 		/* TLS does not mind 0 certs returned */
 		if (s->version == SSL3_VERSION)
@@ -1638,10 +1690,29 @@ SSL *s;
 			}
 		}
 
-	/* This should not be needed */
-	if (s->session->peer != NULL)
+	if (s->session->peer != NULL) /* This should not be needed */
 		X509_free(s->session->peer);
-	s->session->peer=(X509 *)sk_shift(sk);
+	s->session->peer=sk_X509_shift(sk);
+	s->session->verify_result = s->verify_result;
+
+	/* With the current implementation, sess_cert will always be NULL
+	 * when we arrive here. */
+	if (s->session->sess_cert == NULL)
+		{
+		s->session->sess_cert = ssl_sess_cert_new();
+		if (s->session->sess_cert == NULL)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		}
+	if (s->session->sess_cert->cert_chain != NULL)
+		sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
+	s->session->sess_cert->cert_chain=sk;
+	/* Inconsistency alert: cert_chain does *not* include the
+	 * peer's own certificate, while we do include it in s3_clnt.c */
+
+	sk=NULL;
 
 	ret=1;
 	if (0)
@@ -1651,12 +1722,11 @@ f_err:
 		}
 err:
 	if (x != NULL) X509_free(x);
-	if (sk != NULL) sk_pop_free(sk,X509_free);
+	if (sk != NULL) sk_X509_pop_free(sk,X509_free);
 	return(ret);
 	}
 
-int ssl3_send_server_certificate(s)
-SSL *s;
+int ssl3_send_server_certificate(SSL *s)
 	{
 	unsigned long l;
 	X509 *x;