From b64270d1e45fe7f3241e4c9b6ce60d5ac89bc2e9 Mon Sep 17 00:00:00 2001 From: beck <> Date: Wed, 15 May 2002 02:29:21 +0000 Subject: OpenSSL 0.9.7 stable 2002 05 08 merge --- src/lib/libssl/s3_lib.c | 403 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 352 insertions(+), 51 deletions(-) (limited to 'src/lib/libssl/s3_lib.c') diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index c32c06de32..686992406c 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -110,10 +110,10 @@ */ #include -#include -#include #include #include "ssl_locl.h" +#include "kssl_lcl.h" +#include const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; @@ -170,7 +170,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, @@ -196,7 +196,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_ADH_DES_64_CBC_SHA, SSL3_CK_ADH_DES_64_CBC_SHA, SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_LOW, 0, 56, 56, @@ -209,7 +209,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_ADH_DES_192_CBC_SHA, SSL3_CK_ADH_DES_192_CBC_SHA, SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, @@ -518,7 +518,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_FZA_DMS_RC4_SHA, SSL3_CK_FZA_DMS_RC4_SHA, SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, @@ -526,6 +526,97 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, +#ifndef OPENSSL_NO_KRB5 +/* The Kerberos ciphers +** 20000107 VRS: And the first shall be last, +** in hopes of avoiding the lynx ssl renegotiation problem. +*/ +/* Cipher 21 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_40_CBC_SHA, + SSL3_CK_KRB5_DES_40_CBC_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 22 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_40_CBC_MD5, + SSL3_CK_KRB5_DES_40_CBC_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 23 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_64_CBC_SHA, + SSL3_CK_KRB5_DES_64_CBC_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, + SSL_NOT_EXP|SSL_LOW, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 24 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_64_CBC_MD5, + SSL3_CK_KRB5_DES_64_CBC_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, + SSL_NOT_EXP|SSL_LOW, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 25 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_192_CBC3_SHA, + SSL3_CK_KRB5_DES_192_CBC3_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, + SSL_NOT_EXP|SSL_HIGH, + 0, + 112, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 26 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_192_CBC3_MD5, + SSL3_CK_KRB5_DES_192_CBC3_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, + SSL_NOT_EXP|SSL_HIGH, + 0, + 112, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +#endif /* OPENSSL_NO_KRB5 */ + + #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES /* New TLS Export CipherSuites */ /* Cipher 60 */ @@ -612,7 +703,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, @@ -620,6 +711,165 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS }, #endif + /* New AES ciphersuites */ + + /* Cipher 2F */ + { + 1, + TLS1_TXT_RSA_WITH_AES_128_SHA, + TLS1_CK_RSA_WITH_AES_128_SHA, + SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 30 */ + { + 0, + TLS1_TXT_DH_DSS_WITH_AES_128_SHA, + TLS1_CK_DH_DSS_WITH_AES_128_SHA, + SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 31 */ + { + 0, + TLS1_TXT_DH_RSA_WITH_AES_128_SHA, + TLS1_CK_DH_RSA_WITH_AES_128_SHA, + SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 32 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, + TLS1_CK_DHE_DSS_WITH_AES_128_SHA, + SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 33 */ + { + 1, + TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, + TLS1_CK_DHE_RSA_WITH_AES_128_SHA, + SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 34 */ + { + 1, + TLS1_TXT_ADH_WITH_AES_128_SHA, + TLS1_CK_ADH_WITH_AES_128_SHA, + SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 35 */ + { + 1, + TLS1_TXT_RSA_WITH_AES_256_SHA, + TLS1_CK_RSA_WITH_AES_256_SHA, + SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 36 */ + { + 0, + TLS1_TXT_DH_DSS_WITH_AES_256_SHA, + TLS1_CK_DH_DSS_WITH_AES_256_SHA, + SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 37 */ + { + 0, + TLS1_TXT_DH_RSA_WITH_AES_256_SHA, + TLS1_CK_DH_RSA_WITH_AES_256_SHA, + SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 38 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, + TLS1_CK_DHE_DSS_WITH_AES_256_SHA, + SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 39 */ + { + 1, + TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, + TLS1_CK_DHE_RSA_WITH_AES_256_SHA, + SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 3A */ + { + 1, + TLS1_TXT_ADH_WITH_AES_256_SHA, + TLS1_CK_ADH_WITH_AES_256_SHA, + SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, /* end of list */ }; @@ -693,6 +943,9 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u) int ssl3_pending(SSL *s) { + if (s->rstate == SSL_ST_READ_BODY) + return 0; + return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; } @@ -702,6 +955,8 @@ int ssl3_new(SSL *s) if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err; memset(s3,0,sizeof *s3); + EVP_MD_CTX_init(&s3->finish_dgst1); + EVP_MD_CTX_init(&s3->finish_dgst2); s->s3=s3; @@ -723,12 +978,14 @@ void ssl3_free(SSL *s) OPENSSL_free(s->s3->wbuf.buf); if (s->s3->rrec.comp != NULL) OPENSSL_free(s->s3->rrec.comp); -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); #endif if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); + EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); + EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); memset(s->s3,0,sizeof *s->s3); OPENSSL_free(s->s3); s->s3=NULL; @@ -737,6 +994,7 @@ void ssl3_free(SSL *s) void ssl3_clear(SSL *s) { unsigned char *rp,*wp; + size_t rlen, wlen; ssl3_cleanup_key_block(s); if (s->s3->tmp.ca_names != NULL) @@ -747,17 +1005,24 @@ void ssl3_clear(SSL *s) OPENSSL_free(s->s3->rrec.comp); s->s3->rrec.comp=NULL; } -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); #endif - rp=s->s3->rbuf.buf; - wp=s->s3->wbuf.buf; + rp = s->s3->rbuf.buf; + wp = s->s3->wbuf.buf; + rlen = s->s3->rbuf.len; + wlen = s->s3->wbuf.len; + + EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); + EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); memset(s->s3,0,sizeof *s->s3); - if (rp != NULL) s->s3->rbuf.buf=rp; - if (wp != NULL) s->s3->wbuf.buf=wp; + s->s3->rbuf.buf = rp; + s->s3->wbuf.buf = wp; + s->s3->rbuf.len = rlen; + s->s3->wbuf.len = wlen; ssl_free_wbio_buffer(s); @@ -769,17 +1034,17 @@ void ssl3_clear(SSL *s) s->version=SSL3_VERSION; } -long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg) +long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { int ret=0; -#if !defined(NO_DSA) || !defined(NO_RSA) +#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) if ( -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB || #endif -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB || #endif @@ -813,7 +1078,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg) case SSL_CTRL_GET_FLAGS: ret=(int)(s->s3->flags); break; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA case SSL_CTRL_NEED_TMP_RSA: if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || @@ -846,7 +1111,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg) } break; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { DH *dh = (DH *)parg; @@ -892,12 +1157,12 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)()) { int ret=0; -#if !defined(NO_DSA) || !defined(NO_RSA) +#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) if ( -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA cmd == SSL_CTRL_SET_TMP_RSA_CB || #endif -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA cmd == SSL_CTRL_SET_TMP_DH_CB || #endif 0) @@ -912,14 +1177,14 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)()) switch (cmd) { -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA case SSL_CTRL_SET_TMP_RSA_CB: { s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; } break; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -932,7 +1197,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)()) return(ret); } -long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) +long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { CERT *cert; @@ -940,7 +1205,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) switch (cmd) { -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA case SSL_CTRL_NEED_TMP_RSA: if ( (cert->rsa_tmp == NULL) && ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || @@ -985,7 +1250,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) } break; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { DH *new=NULL,*dh; @@ -1042,14 +1307,14 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) switch (cmd) { -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA case SSL_CTRL_SET_TMP_RSA_CB: { cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; } break; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -1114,10 +1379,11 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) return(2); } -SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have, - STACK_OF(SSL_CIPHER) *pref) +SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, + STACK_OF(SSL_CIPHER) *srvr) { SSL_CIPHER *c,*ret=NULL; + STACK_OF(SSL_CIPHER) *prio, *allow; int i,j,ok; CERT *cert; unsigned long alg,mask,emask; @@ -1125,26 +1391,62 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have, /* Let's see which ciphers we can support */ cert=s->cert; - sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); +#if 0 + /* Do not set the compare functions, because this may lead to a + * reordering by "id". We want to keep the original ordering. + * We may pay a price in performance during sk_SSL_CIPHER_find(), + * but would have to pay with the price of sk_SSL_CIPHER_dup(). + */ + sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp); + sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp); +#endif #ifdef CIPHER_DEBUG - printf("Have:\n"); - for(i=0 ; i < sk_num(pref) ; ++i) + printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr); + for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) { - c=(SSL_CIPHER *)sk_value(pref,i); + c=sk_SSL_CIPHER_value(srvr,i); + printf("%p:%s\n",c,c->name); + } + printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt); + for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) + { + c=sk_SSL_CIPHER_value(clnt,i); printf("%p:%s\n",c,c->name); } #endif - for (i=0; ioptions & SSL_OP_CIPHER_SERVER_PREFERENCE) + { + prio = srvr; + allow = clnt; + } + else + { + prio = clnt; + allow = srvr; + } + + for (i=0; imask; emask=cert->export_mask; +#ifdef KSSL_DEBUG + printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms); +#endif /* KSSL_DEBUG */ + alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); +#ifndef OPENSSL_NO_KRB5 + if (alg & SSL_KRB5) + { + if ( !kssl_keytab_is_available(s->kssl_ctx) ) + continue; + } +#endif /* OPENSSL_NO_KRB5 */ if (SSL_C_IS_EXPORT(c)) { ok=((alg & emask) == alg)?1:0; @@ -1164,10 +1466,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have, if (!ok) continue; - j=sk_SSL_CIPHER_find(pref,c); + j=sk_SSL_CIPHER_find(allow,c); if (j >= 0) { - ret=sk_SSL_CIPHER_value(pref,j); + ret=sk_SSL_CIPHER_value(allow,j); break; } } @@ -1181,31 +1483,31 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) alg=s->s3->tmp.new_cipher->algorithms; -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (alg & (SSL_kDHr|SSL_kEDH)) { -# ifndef NO_RSA +# ifndef OPENSSL_NO_RSA p[ret++]=SSL3_CT_RSA_FIXED_DH; # endif -# ifndef NO_DSA +# ifndef OPENSSL_NO_DSA p[ret++]=SSL3_CT_DSS_FIXED_DH; # endif } if ((s->version == SSL3_VERSION) && (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) { -# ifndef NO_RSA +# ifndef OPENSSL_NO_RSA p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; # endif -# ifndef NO_DSA +# ifndef OPENSSL_NO_DSA p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; # endif } -#endif /* !NO_DH */ -#ifndef NO_RSA +#endif /* !OPENSSL_NO_DH */ +#ifndef OPENSSL_NO_RSA p[ret++]=SSL3_CT_RSA_SIGN; #endif -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA p[ret++]=SSL3_CT_DSS_SIGN; #endif return(ret); @@ -1312,13 +1614,12 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) if (s->s3->renegotiate) ssl3_renegotiate_check(s); s->s3->in_read_app_data=1; ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); - if ((ret == -1) && (s->s3->in_read_app_data == 0)) + if ((ret == -1) && (s->s3->in_read_app_data == 2)) { /* ssl3_read_bytes decided to call s->handshake_func, which * called ssl3_read_bytes to read handshake data. * However, ssl3_read_bytes actually found application data - * and thinks that application data makes sense here (signalled - * by resetting 'in_read_app_data', strangely); so disable + * and thinks that application data makes sense here; so disable * handshake processing and try to read application data again. */ s->in_handshake++; ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); -- cgit v1.2.3-55-g6feb