X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=444e554c27c3cb6cd4fb7ca0e748d6119d010cbe;hp=b7bac8e10f083c934b3cd6046ffd61f6873bc4dd;hb=8de421b6d9ee7cf72a11e35a74553fcdf1d8708f;hpb=d02b48c63a58ea4367a0e905979f140b7d090f86 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index b7bac8e10f..444e554c27 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,5 +1,5 @@ /* ssl/s3_lib.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written @@ -60,7 +60,7 @@ #include "objects.h" #include "ssl_locl.h" -char *ssl3_version_str="SSLv3 part of SSLeay 0.8.1b 29-Jun-1998"; +const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) @@ -97,7 +97,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_ADH_RC4_40_MD5, SSL3_CK_ADH_RC4_40_MD5, - SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3, + SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -115,7 +115,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_ADH_DES_40_CBC_SHA, SSL3_CK_ADH_DES_40_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -131,8 +131,8 @@ SSL_CIPHER ssl3_ciphers[]={ /* Cipher 1B */ { 1, - SSL3_TXT_ADH_DES_196_CBC_SHA, - SSL3_CK_ADH_DES_196_CBC_SHA, + SSL3_TXT_ADH_DES_192_CBC_SHA, + SSL3_CK_ADH_DES_192_CBC_SHA, SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3, 0, SSL_ALL_CIPHERS, @@ -144,7 +144,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_RC4_40_MD5, SSL3_CK_RSA_RC4_40_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3, + SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -171,7 +171,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_RC2_40_MD5, SSL3_CK_RSA_RC2_40_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP|SSL_SSLV3, + SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -189,7 +189,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_DES_40_CBC_SHA, SSL3_CK_RSA_DES_40_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -218,7 +218,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_DH_DSS_DES_40_CBC_SHA, SSL3_CK_DH_DSS_DES_40_CBC_SHA, - SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -245,7 +245,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_DH_RSA_DES_40_CBC_SHA, SSL3_CK_DH_RSA_DES_40_CBC_SHA, - SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -274,7 +274,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, SSL3_CK_EDH_DSS_DES_40_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -301,7 +301,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, SSL3_CK_EDH_RSA_DES_40_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -355,11 +355,92 @@ SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_CIPHERS, }, +#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES + /* New TLS Export CipherSuites */ + /* Cipher 60 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, + TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 61 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 62 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, + TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, + SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 63 */ + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 64 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, + TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 65 */ + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 66 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, + TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, + SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, +#endif + /* end of list */ }; +static SSL3_ENC_METHOD SSLv3_enc_data={ + ssl3_enc, + ssl3_mac, + ssl3_setup_key_block, + ssl3_generate_master_secret, + ssl3_change_cipher_state, + ssl3_final_finish_mac, + MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, + ssl3_cert_verify_mac, + SSL3_MD_CLIENT_FINISHED_CONST,4, + SSL3_MD_SERVER_FINISHED_CONST,4, + ssl3_alert_code, + }; + static SSL_METHOD SSLv3_data= { - 3, + SSL3_VERSION, ssl3_new, ssl3_clear, ssl3_free, @@ -370,6 +451,7 @@ static SSL_METHOD SSLv3_data= { ssl3_write, ssl3_shutdown, ssl3_renegotiate, + ssl3_renegotiate_check, ssl3_ctrl, ssl3_ctx_ctrl, ssl3_get_cipher_by_char, @@ -379,6 +461,7 @@ static SSL_METHOD SSLv3_data= { ssl3_get_cipher, ssl_bad_method, ssl3_default_timeout, + &SSLv3_enc_data, }; static long ssl3_default_timeout() @@ -420,14 +503,18 @@ SSL *s; SSL3_CTX *s3; if ((s3=(SSL3_CTX *)Malloc(sizeof(SSL3_CTX))) == NULL) goto err; + memset(s3,0,sizeof(SSL3_CTX)); s->s3=s3; + /* s->s3->tmp.ca_names=NULL; s->s3->tmp.key_block=NULL; + s->s3->tmp.key_block_length=0; s->s3->rbuf.buf=NULL; s->s3->wbuf.buf=NULL; + */ - ssl3_clear(s); + s->method->ssl_clear(s); return(1); err: return(0); @@ -436,17 +523,22 @@ err: void ssl3_free(s) SSL *s; { + if(s == NULL) + return; + ssl3_cleanup_key_block(s); if (s->s3->rbuf.buf != NULL) Free(s->s3->rbuf.buf); if (s->s3->wbuf.buf != NULL) Free(s->s3->wbuf.buf); + if (s->s3->rrec.comp != NULL) + Free(s->s3->rrec.comp); #ifndef NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); #endif if (s->s3->tmp.ca_names != NULL) - sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); memset(s->s3,0,sizeof(SSL3_CTX)); Free(s->s3); s->s3=NULL; @@ -459,22 +551,29 @@ SSL *s; ssl3_cleanup_key_block(s); if (s->s3->tmp.ca_names != NULL) - sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); + + if (s->s3->rrec.comp != NULL) + { + Free(s->s3->rrec.comp); + s->s3->rrec.comp=NULL; + } rp=s->s3->rbuf.buf; wp=s->s3->wbuf.buf; memset(s->s3,0,sizeof(SSL3_CTX)); - if (rp != NULL) - { - s->packet= &(s->s3->rbuf.buf[0]); - s->s3->rbuf.buf=rp; - s->s3->wbuf.buf=wp; - } - else - s->packet=NULL; + if (rp != NULL) s->s3->rbuf.buf=rp; + if (wp != NULL) s->s3->wbuf.buf=wp; + + ssl_free_wbio_buffer(s); + s->packet_length=0; - s->version=3; + s->s3->renegotiate=0; + s->s3->total_renegotiations=0; + s->s3->num_renegotiations=0; + s->s3->in_read_app_data=0; + s->version=SSL3_VERSION; } long ssl3_ctrl(s,cmd,larg,parg) @@ -483,7 +582,115 @@ int cmd; long larg; char *parg; { - return(0); + int ret=0; + +#if !defined(NO_DSA) || !defined(NO_RSA) + if ( +#ifndef NO_RSA + cmd == SSL_CTRL_SET_TMP_RSA || + cmd == SSL_CTRL_SET_TMP_RSA_CB || +#endif +#ifndef NO_DSA + cmd == SSL_CTRL_SET_TMP_DH || + cmd == SSL_CTRL_SET_TMP_DH_CB || +#endif + 0) + { + if (!ssl_cert_instantiate(&s->cert, s->ctx->default_cert)) + { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); + return(0); + } + } +#endif + + switch (cmd) + { + case SSL_CTRL_GET_SESSION_REUSED: + ret=s->hit; + break; + case SSL_CTRL_GET_CLIENT_CERT_REQUEST: + break; + case SSL_CTRL_GET_NUM_RENEGOTIATIONS: + ret=s->s3->num_renegotiations; + break; + case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: + ret=s->s3->num_renegotiations; + s->s3->num_renegotiations=0; + break; + case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: + ret=s->s3->total_renegotiations; + break; + case SSL_CTRL_GET_FLAGS: + ret=(int)(s->s3->flags); + break; +#ifndef NO_RSA + case SSL_CTRL_NEED_TMP_RSA: + if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && + ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || + (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))) + ret = 1; + break; + case SSL_CTRL_SET_TMP_RSA: + { + RSA *rsa = (RSA *)parg; + if (rsa == NULL) { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); + return(ret); + } + if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB); + return(ret); + } + if (s->cert->rsa_tmp != NULL) + RSA_free(s->cert->rsa_tmp); + s->cert->rsa_tmp = rsa; + ret = 1; + } + break; + case SSL_CTRL_SET_TMP_RSA_CB: +#ifndef NOPROTO + s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))parg; +#else + s->cert->rsa_tmp_cb = (RSA *(*)())parg; +#endif + break; +#endif +#ifndef NO_DH + case SSL_CTRL_SET_TMP_DH: + { + DH *dh = (DH *)parg; + if (dh == NULL) { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); + return(ret); + } + if ((dh = DHparams_dup(dh)) == NULL) { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); + return(ret); + } + if (!DH_generate_key(dh)) { + DH_free(dh); + SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); + return(ret); + } + if (s->cert->dh_tmp != NULL) + DH_free(s->cert->dh_tmp); + s->cert->dh_tmp = dh; + ret = 1; + } + break; + case SSL_CTRL_SET_TMP_DH_CB: +#ifndef NOPROTO + s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))parg; +#else + s->cert->dh_tmp_cb = (DH *(*)())parg; +#endif + break; +#endif + default: + break; + } + return(ret); } long ssl3_ctx_ctrl(ctx,cmd,larg,parg) @@ -507,7 +714,7 @@ char *parg; return(1); else return(0); - break; + /* break; */ case SSL_CTRL_SET_TMP_RSA: { RSA *rsa; @@ -535,15 +742,20 @@ char *parg; return(1); } } - break; + /* break; */ case SSL_CTRL_SET_TMP_RSA_CB: +#ifndef NOPROTO + cert->rsa_tmp_cb=(RSA *(*)(SSL *, int, int))parg; +#else cert->rsa_tmp_cb=(RSA *(*)())parg; +#endif break; #endif #ifndef NO_DH case SSL_CTRL_SET_TMP_DH: { DH *new=NULL,*dh; + int rret=0; dh=(DH *)parg; if ( ((new=DHparams_dup(dh)) == NULL) || @@ -551,21 +763,35 @@ char *parg; { SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); if (new != NULL) DH_free(new); - return(0); } else { if (cert->dh_tmp != NULL) DH_free(cert->dh_tmp); cert->dh_tmp=new; - return(1); + rret=1; } + return(rret); } - break; + /*break; */ case SSL_CTRL_SET_TMP_DH_CB: +#ifndef NOPROTO + cert->dh_tmp_cb=(DH *(*)(SSL *, int, int))parg; +#else cert->dh_tmp_cb=(DH *(*)())parg; +#endif break; #endif + /* A Thawte special :-) */ + case SSL_CTRL_EXTRA_CHAIN_CERT: + if (ctx->extra_certs == NULL) + { + if ((ctx->extra_certs=sk_X509_new_null()) == NULL) + return(0); + } + sk_X509_push(ctx->extra_certs,(X509 *)parg); + break; + default: return(0); } @@ -575,7 +801,7 @@ char *parg; /* This function needs to check if the ciphers required are actually * available */ SSL_CIPHER *ssl3_get_cipher_by_char(p) -unsigned char *p; +const unsigned char *p; { static int init=1; static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS]; @@ -608,7 +834,7 @@ unsigned char *p; } int ssl3_put_cipher_by_char(c,p) -SSL_CIPHER *c; +const SSL_CIPHER *c; unsigned char *p; { long l; @@ -623,49 +849,6 @@ unsigned char *p; return(2); } -void ssl3_generate_key_block(s,km,num) -SSL *s; -unsigned char *km; -int num; - { - MD5_CTX m5; - SHA_CTX s1; - unsigned char buf[8],smd[SHA_DIGEST_LENGTH]; - unsigned char c='A'; - int i,j,k; - - k=0; - for (i=0; isession->master_key, - s->session->master_key_length); - SHA1_Update(&s1,s->s3->server_random,SSL3_RANDOM_SIZE); - SHA1_Update(&s1,s->s3->client_random,SSL3_RANDOM_SIZE); - SHA1_Final( smd,&s1); - - MD5_Init( &m5); - MD5_Update(&m5,s->session->master_key, - s->session->master_key_length); - MD5_Update(&m5,smd,SHA_DIGEST_LENGTH); - if ((i+MD5_DIGEST_LENGTH) > num) - { - MD5_Final(smd,&m5); - memcpy(km,smd,(num-i)); - } - else - MD5_Final(km,&m5); - - km+=MD5_DIGEST_LENGTH; - } - memset(smd,0,SHA_DIGEST_LENGTH); - } - int ssl3_part_read(s,i) SSL *s; int i; @@ -685,7 +868,8 @@ int i; SSL_CIPHER *ssl3_choose_cipher(s,have,pref) SSL *s; -STACK *have,*pref; +STACK_OF(SSL_CIPHER) *have; +STACK_OF(SSL_CIPHER) *pref; { SSL_CIPHER *c,*ret=NULL; int i,j,ok; @@ -698,37 +882,49 @@ STACK *have,*pref; else cert=s->ctx->default_cert; - ssl_set_cert_masks(cert); - mask=cert->mask; - emask=cert->export_mask; - - sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); + sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); + +#ifdef CIPHER_DEBUG + printf("Have:\n"); + for(i=0 ; i < sk_num(pref) ; ++i) + { + c=(SSL_CIPHER *)sk_value(pref,i); + printf("%p:%s\n",c,c->name); + } +#endif - for (i=0; ictx->default_cert,c); + mask=cert->mask; + emask=cert->export_mask; + alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); - if (alg & SSL_EXPORT) + if (SSL_IS_EXPORT(c->algorithms)) { ok=((alg & emask) == alg)?1:0; #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name); + printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask, + c,c->name); #endif } else { ok=((alg & mask) == alg)?1:0; #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name); + printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c, + c->name); #endif } if (!ok) continue; - j=sk_find(pref,(char *)c); + j=sk_SSL_CIPHER_find(pref,c); if (j >= 0) { - ret=(SSL_CIPHER *)sk_value(pref,j); + ret=sk_SSL_CIPHER_value(pref,j); break; } } @@ -747,27 +943,30 @@ unsigned char *p; #ifndef NO_DH if (alg & (SSL_kDHr|SSL_kEDH)) { -#ifndef NO_RSA +# ifndef NO_RSA p[ret++]=SSL3_CT_RSA_FIXED_DH; -#endif -#ifndef NO_DSA +# endif +# ifndef NO_DSA p[ret++]=SSL3_CT_DSS_FIXED_DH; -#endif +# endif } - if (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)) + if ((s->version == SSL3_VERSION) && + (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) { -#ifndef NO_RSA +# ifndef NO_RSA p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; -#endif -#ifndef NO_DSA +# endif +# ifndef NO_DSA p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; -#endif +# endif } #endif /* !NO_DH */ #ifndef NO_RSA p[ret++]=SSL3_CT_RSA_SIGN; #endif -/* p[ret++]=SSL3_CT_DSS_SIGN; */ +#ifndef NO_DSA + p[ret++]=SSL3_CT_DSS_SIGN; +#endif return(ret); } @@ -787,7 +986,7 @@ SSL *s; { s->shutdown|=SSL_SENT_SHUTDOWN; #if 1 - ssl3_send_alert(s,SSL3_AL_WARNING,SSL3_AD_CLOSE_NOTIFY); + ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY); #endif /* our shutdown alert has been sent now, and if it still needs * to be written, s->s3->alert_dispatch will be true */ @@ -818,7 +1017,6 @@ const char *buf; int len; { int ret,n; - BIO *under; #if 0 if (s->shutdown & SSL_SEND_SHUTDOWN) @@ -827,7 +1025,8 @@ int len; return(0); } #endif - errno=0; + clear_sys_error(); + if (s->s3->renegotiate) ssl3_renegotiate_check(s); /* This is an experimental flag that sends the * last handshake message in the same packet as the first @@ -840,7 +1039,7 @@ int len; if (s->s3->delay_buf_pop_ret == 0) { ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, - (char *)buf,len); + buf,len); if (ret <= 0) return(ret); s->s3->delay_buf_pop_ret=ret; @@ -851,22 +1050,20 @@ int len; if (n <= 0) return(n); s->rwstate=SSL_NOTHING; - /* We have flushed the buffer */ - under=BIO_pop(s->wbio); - s->wbio=under; - BIO_free(s->bbio); - s->bbio=NULL; + /* We have flushed the buffer, so remove it */ + ssl_free_wbio_buffer(s); + s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; + ret=s->s3->delay_buf_pop_ret; s->s3->delay_buf_pop_ret=0; - - s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; } else { ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, - (char *)buf,len); + buf,len); if (ret <= 0) return(ret); } + return(ret); } @@ -875,8 +1072,24 @@ SSL *s; char *buf; int len; { - errno=0; - return(ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len)); + int ret; + + clear_sys_error(); + if (s->s3->renegotiate) ssl3_renegotiate_check(s); + s->s3->in_read_app_data=1; + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + if ((ret == -1) && (s->s3->in_read_app_data == 0)) + { + ERR_get_error(); /* clear the error */ + s->s3->in_read_app_data=0; + s->in_handshake++; + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + s->in_handshake--; + } + else + s->s3->in_read_app_data=0; + + return(ret); } int ssl3_peek(s,buf,len) @@ -889,7 +1102,12 @@ int len; rr= &(s->s3->rrec); if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA)) - return(0); + { + n=ssl3_read(s,buf,1); + if (n <= 0) return(n); + rr->length++; + rr->off--; + } if ((unsigned int)len > rr->length) n=rr->length; @@ -908,8 +1126,33 @@ SSL *s; if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) return(0); - if (!SSL_in_init(s)) - s->state=SSL_ST_RENEGOTIATE; + s->s3->renegotiate=1; return(1); } +int ssl3_renegotiate_check(s) +SSL *s; + { + int ret=0; + + if (s->s3->renegotiate) + { + if ( (s->s3->rbuf.left == 0) && + (s->s3->wbuf.left == 0) && + !SSL_in_init(s)) + { +/* +if we are the server, and we have sent a 'RENEGOTIATE' message, we +need to go to SSL_ST_ACCEPT. +*/ + /* SSL_ST_ACCEPT */ + s->state=SSL_ST_RENEGOTIATE; + s->s3->renegotiate=0; + s->s3->num_renegotiations++; + s->s3->total_renegotiations++; + ret=1; + } + } + return(ret); + } +