Commit 1b6ab411 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Use enc_flags when deciding protocol variations.

Use the enc_flags field to determine whether we should use explicit IV,
signature algorithms or SHA256 default PRF instead of hard coding which
versions support each requirement.
(cherry picked from commit cbd64894)

Conflicts:

	ssl/ssl_locl.h
parent d88d98ed
+1 −1
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
	unsigned padding_length, good, to_check, i;
	unsigned padding_length, good, to_check, i;
	const unsigned overhead = 1 /* padding length byte */ + mac_size;
	const unsigned overhead = 1 /* padding length byte */ + mac_size;
	/* Check if version requires explicit IV */
	/* Check if version requires explicit IV */
	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
	if (SSL_USE_EXPLICIT_IV(s))
		{
		{
		/* These lengths are all public so we can test them in
		/* These lengths are all public so we can test them in
		 * non-constant time.
		 * non-constant time.
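Review bot: The new SSL_USE_EXPLICIT_IV(s) test at the top of this hunk replaces a condition that explicitly included DTLS1_BAD_VER, and whether the DTLS bad-version method sets the explicit-IV bit in enc_flags is not visible in this diff (the ssl_locl.h conflict noted in the message suggests the flag definitions were merged by hand). If that method lacks the flag, padding removal here would skip the IV-handling branch for those connections while the old code took it, so the public-length bookkeeping for CBC records would shift; worth confirming against the DTLS method's enc data. A one-line comment would document the dependency: `/* Explicit IV is a per-method property (enc_flags), not a version comparison */`. tls1_cbc_remove_padding starts before this hunk and continues after it.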
+8 −8
@@ -1030,10 +1030,10 @@ int ssl3_get_server_hello(SSL *s)
			}
			}
		}
		}
	s->s3->tmp.new_cipher=c;
	s->s3->tmp.new_cipher=c;
	/* Don't digest cached records if TLS v1.2: we may need them for
	/* Don't digest cached records if no sigalgs: we may need them for
	 * client authentication.
	 * client authentication.
	 */
	 */
	if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
	if (!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s))
		goto f_err;
		goto f_err;
	/* lets get the compression algorithm */
	/* lets get the compression algorithm */
	/* COMPRESSION */
	/* COMPRESSION */
@@ -1785,7 +1785,7 @@ int ssl3_get_key_exchange(SSL *s)
	/* if it was signed, check the signature */
	/* if it was signed, check the signature */
	if (pkey != NULL)
	if (pkey != NULL)
		{
		{
		if (TLS1_get_version(s) >= TLS1_2_VERSION)
		if (SSL_USE_SIGALGS(s))
			{
			{
			int rv = tls12_check_peer_sigalg(&md, s, p, pkey);
			int rv = tls12_check_peer_sigalg(&md, s, p, pkey);
			if (rv == -1)
			if (rv == -1)
@@ -1817,7 +1817,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
			}
			}


#ifndef OPENSSL_NO_RSA
#ifndef OPENSSL_NO_RSA
		if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION)
		if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s))
			{
			{
			int num;
			int num;


@@ -1991,7 +1991,7 @@ int ssl3_get_certificate_request(SSL *s)
	for (i=0; i<ctype_num; i++)
	for (i=0; i<ctype_num; i++)
		s->s3->tmp.ctype[i]= p[i];
		s->s3->tmp.ctype[i]= p[i];
	p+=p[-1];
	p+=p[-1];
	if (TLS1_get_version(s) >= TLS1_2_VERSION)
	if (SSL_USE_SIGALGS(s))
		{
		{
		n2s(p, llen);
		n2s(p, llen);
		/* Check we have enough room for signature algorithms and
		/* Check we have enough room for signature algorithms and
@@ -3051,7 +3051,7 @@ int ssl3_send_client_verify(SSL *s)
		EVP_PKEY_sign_init(pctx);
		EVP_PKEY_sign_init(pctx);
		if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
		if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
			{
			{
			if (TLS1_get_version(s) < TLS1_2_VERSION)
			if (!SSL_USE_SIGALGS(s))
				s->method->ssl3_enc->cert_verify_mac(s,
				s->method->ssl3_enc->cert_verify_mac(s,
						NID_sha1,
						NID_sha1,
						&(data[MD5_DIGEST_LENGTH]));
						&(data[MD5_DIGEST_LENGTH]));
@@ -3063,7 +3063,7 @@ int ssl3_send_client_verify(SSL *s)
		/* For TLS v1.2 send signature algorithm and signature
		/* For TLS v1.2 send signature algorithm and signature
		 * using agreed digest and cached handshake records.
		 * using agreed digest and cached handshake records.
		 */
		 */
		if (TLS1_get_version(s) >= TLS1_2_VERSION)
		if (SSL_USE_SIGALGS(s))
			{
			{
			long hdatalen = 0;
			long hdatalen = 0;
			void *hdata;
			void *hdata;
@@ -3193,7 +3193,7 @@ static int ssl3_check_client_certificate(SSL *s)
	if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
	if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
		return 0;
		return 0;
	/* If no suitable signature algorithm can't use certificate */
	/* If no suitable signature algorithm can't use certificate */
	if (TLS1_get_version(s) >= TLS1_2_VERSION && !s->cert->key->digest)
	if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
		return 0;
		return 0;
	/* If strict mode check suitability of chain before using it.
	/* If strict mode check suitability of chain before using it.
	 * This also adjusts suite B digest if necessary.
	 * This also adjusts suite B digest if necessary.
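Review bot: The comment in ssl3_send_client_verify still reads "For TLS v1.2 send signature algorithm and signature" while the guard beneath it is now SSL_USE_SIGALGS(s), so the wording no longer matches the condition; suggest `/* If the method uses signature algorithms send the signature algorithm and signature using the agreed digest and cached handshake records. */`. More broadly, every predicate in this file now derives from s->method's enc_flags rather than the negotiated s->version; on the client that is presumably equivalent once the method has been switched after ServerHello, but it is a behaviour change if any path leaves a version-flexible method in place, and that ordering is not visible here. ssl3_send_client_verify starts before and ends after the hunk.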
+4 −4
@@ -4474,14 +4474,14 @@ need to go to SSL_ST_ACCEPT.
		}
		}
	return(ret);
	return(ret);
	}
	}
/* If we are using TLS v1.2 or later and default SHA1+MD5 algorithms switch
/* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF
 * to new SHA256 PRF and handshake macs
 * and handshake macs if required.
 */
 */
long ssl_get_algorithm2(SSL *s)
long ssl_get_algorithm2(SSL *s)
	{
	{
	long alg2 = s->s3->tmp.new_cipher->algorithm2;
	long alg2 = s->s3->tmp.new_cipher->algorithm2;
	if (TLS1_get_version(s) >= TLS1_2_VERSION &&
	if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF
	    alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
	    && alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
		return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
		return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
	return alg2;
	return alg2;
	}
	}
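Review bot: ssl_get_algorithm2 is the only site in this commit that reads s->method->ssl3_enc->enc_flags directly instead of going through a wrapper macro like SSL_USE_SIGALGS or SSL_USE_EXPLICIT_IV, which makes the style inconsistent and leaves the raw field access to be repeated elsewhere. Consider a matching macro defined beside the others in ssl_locl.h, e.g. `if (SSL_USE_SHA256_PRF(s) && alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))`. The rewritten header comment's "if required" is vague; `/* If the cipher uses the default SHA1+MD5 handshake MAC and PRF, and the method's enc_flags select the SHA256 PRF, switch to the SHA256 variants. */` states the actual condition.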
+6 −6
@@ -180,7 +180,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
	/* For DTLS/UDP reads should not span multiple packets
	/* For DTLS/UDP reads should not span multiple packets
	 * because the read operation returns the whole packet
	 * because the read operation returns the whole packet
	 * at once (as long as it fits into the buffer). */
	 * at once (as long as it fits into the buffer). */
	if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
	if (SSL_IS_DTLS(s))
		{
		{
		if (left > 0 && n > left)
		if (left > 0 && n > left)
			n = left;
			n = left;
@@ -248,7 +248,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
			{
			{
			rb->left = left;
			rb->left = left;
			if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
			if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
			    SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
				!SSL_IS_DTLS(s))
				if (len+left == 0)
				if (len+left == 0)
					ssl3_release_read_buffer(s);
					ssl3_release_read_buffer(s);
			return(i);
			return(i);
@@ -257,7 +257,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
		/* reads should *never* span multiple packets for DTLS because
		/* reads should *never* span multiple packets for DTLS because
		 * the underlying transport protocol is message oriented as opposed
		 * the underlying transport protocol is message oriented as opposed
		 * to byte oriented as in the TLS case. */
		 * to byte oriented as in the TLS case. */
		if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
		if (SSL_IS_DTLS(s))
			{
			{
			if (n > left)
			if (n > left)
				n = left; /* makes the while condition false */
				n = left; /* makes the while condition false */
@@ -759,8 +759,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
	/* field where we are to write out packet length */
	/* field where we are to write out packet length */
	plen=p; 
	plen=p; 
	p+=2;
	p+=2;
	/* Explicit IV length, block ciphers and TLS version 1.1 or later */
	/* Explicit IV length, block ciphers appropriate version flag */
	if (s->enc_write_ctx && s->version >= TLS1_1_VERSION)
	if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s))
		{
		{
		int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
		int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
		if (mode == EVP_CIPH_CBC_MODE)
		if (mode == EVP_CIPH_CBC_MODE)
@@ -897,7 +897,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
			wb->left=0;
			wb->left=0;
			wb->offset+=i;
			wb->offset+=i;
			if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
			if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
			    SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
				!SSL_IS_DTLS(s))
				ssl3_release_write_buffer(s);
				ssl3_release_write_buffer(s);
			s->rwstate=SSL_NOTHING;
			s->rwstate=SSL_NOTHING;
			return(s->s3->wpend_ret);
			return(s->s3->wpend_ret);
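Review bot: The rewritten comment in do_ssl3_write, "Explicit IV length, block ciphers appropriate version flag", is ungrammatical and does not say what the condition checks; suggest `/* Explicit IV: reserve space for it when a block cipher is in use and the method's enc_flags require one */`. Note the write side previously tested `s->version >= TLS1_1_VERSION` without the DTLS1_BAD_VER case that the read-side padding check in s3_cbc.c included, so the two sides could disagree; both now use the same macro, which is an improvement provided the flag is set correctly for every method. do_ssl3_write continues outside this hunk.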
+11 −13
@@ -641,13 +641,13 @@ int ssl3_accept(SSL *s)
#endif
#endif
				s->init_num = 0;
				s->init_num = 0;
				}
				}
			else if (TLS1_get_version(s) >= TLS1_2_VERSION)
			else if (SSL_USE_SIGALGS(s))
				{
				{
				s->state=SSL3_ST_SR_CERT_VRFY_A;
				s->state=SSL3_ST_SR_CERT_VRFY_A;
				s->init_num=0;
				s->init_num=0;
				if (!s->session->peer)
				if (!s->session->peer)
					break;
					break;
				/* For TLS v1.2 freeze the handshake buffer
				/* For sigalgs freeze the handshake buffer
				 * at this point and digest cached records.
				 * at this point and digest cached records.
				 */
				 */
				if (!s->s3->handshake_buffer)
				if (!s->s3->handshake_buffer)
@@ -1038,7 +1038,7 @@ int ssl3_get_client_hello(SSL *s)


	p+=j;
	p+=j;


	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
	if (SSL_IS_DTLS(s))
		{
		{
		/* cookie stuff */
		/* cookie stuff */
		cookie_len = *(p++);
		cookie_len = *(p++);
@@ -1403,7 +1403,7 @@ int ssl3_get_client_hello(SSL *s)
		s->s3->tmp.new_cipher=s->session->cipher;
		s->s3->tmp.new_cipher=s->session->cipher;
		}
		}


	if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
	if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER))
		{
		{
		if (!ssl3_digest_cached_records(s))
		if (!ssl3_digest_cached_records(s))
			goto f_err;
			goto f_err;
@@ -1934,8 +1934,7 @@ int ssl3_send_server_key_exchange(SSL *s)
			/* n is the length of the params, they start at &(d[4])
			/* n is the length of the params, they start at &(d[4])
			 * and p points to the space at the end. */
			 * and p points to the space at the end. */
#ifndef OPENSSL_NO_RSA
#ifndef OPENSSL_NO_RSA
			if (pkey->type == EVP_PKEY_RSA
			if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s))
					&& TLS1_get_version(s) < TLS1_2_VERSION)
				{
				{
				q=md_buf;
				q=md_buf;
				j=0;
				j=0;
@@ -1966,9 +1965,8 @@ int ssl3_send_server_key_exchange(SSL *s)
#endif
#endif
			if (md)
			if (md)
				{
				{
				/* For TLS1.2 and later send signature
				/* send signature algorithm */
				 * algorithm */
				if (SSL_USE_SIGALGS(s))
				if (TLS1_get_version(s) >= TLS1_2_VERSION)
					{
					{
					if (!tls12_get_sigandhash(p, pkey, md))
					if (!tls12_get_sigandhash(p, pkey, md))
						{
						{
@@ -1995,7 +1993,7 @@ int ssl3_send_server_key_exchange(SSL *s)
					}
					}
				s2n(i,p);
				s2n(i,p);
				n+=i+2;
				n+=i+2;
				if (TLS1_get_version(s) >= TLS1_2_VERSION)
				if (SSL_USE_SIGALGS(s))
					n+= 2;
					n+= 2;
				}
				}
			else
			else
@@ -2045,7 +2043,7 @@ int ssl3_send_certificate_request(SSL *s)
		p+=n;
		p+=n;
		n++;
		n++;


		if (TLS1_get_version(s) >= TLS1_2_VERSION)
		if (SSL_USE_SIGALGS(s))
			{
			{
			const unsigned char *psigs;
			const unsigned char *psigs;
			nl = tls12_get_psigalgs(s, &psigs);
			nl = tls12_get_psigalgs(s, &psigs);
@@ -3017,7 +3015,7 @@ int ssl3_get_cert_verify(SSL *s)
		} 
		} 
	else 
	else 
		{	
		{	
		if (TLS1_get_version(s) >= TLS1_2_VERSION)
		if (SSL_USE_SIGALGS(s))
			{
			{
			int rv = tls12_check_peer_sigalg(&md, s, p, pkey);
			int rv = tls12_check_peer_sigalg(&md, s, p, pkey);
			if (rv == -1)
			if (rv == -1)
@@ -3053,7 +3051,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
		goto f_err;
		goto f_err;
		}
		}


	if (TLS1_get_version(s) >= TLS1_2_VERSION)
	if (SSL_USE_SIGALGS(s))
		{
		{
		long hdatalen = 0;
		long hdatalen = 0;
		void *hdata;
		void *hdata;
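Review bot: The state-machine branch in ssl3_accept (`else if (SSL_USE_SIGALGS(s))`) and the digest decision in ssl3_get_client_hello (`if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER))`) now depend on s->method's enc_flags rather than the s->version negotiated from the ClientHello, so the server must have switched s->method to the negotiated version's method before either check runs; otherwise it could expect a sigalgs-format CertificateVerify from a TLS 1.0/1.1 client, or the reverse. That ordering is not visible in these hunks and is presumably handled by the version-negotiation code, but it is worth confirming since the old checks were immune to it. The comment "For sigalgs freeze the handshake buffer" would read better as `/* When the method uses signature algorithms, freeze the handshake buffer at this point and digest cached records. */`. ssl3_accept's body extends well beyond this hunk.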