Implement known-IV countermeasure.

Fix length checks in ssl3_get_client_hello().

Use s->s3->in_read_app_data differently to fix ssl3_read_internal().

ssl/s3_lib.c

@@ -994,6 +994,7 @@ void ssl3_free(SSL *s)
 void ssl3_clear(SSL *s)
 	{
 	unsigned char *rp,*wp;
+	size_t rlen, wlen;
 
 	ssl3_cleanup_key_block(s);
 	if (s->s3->tmp.ca_names != NULL)
@@ -1009,15 +1010,19 @@ void ssl3_clear(SSL *s)
 		DH_free(s->s3->tmp.dh);
 #endif
 
-	rp=s->s3->rbuf.buf;
-	wp=s->s3->wbuf.buf;
+	rp = s->s3->rbuf.buf;
+	wp = s->s3->wbuf.buf;
+	rlen = s->s3->rbuf.len;
+ 	wlen = s->s3->wbuf.len;
 
 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
 
 	memset(s->s3,0,sizeof *s->s3);
-	if (rp != NULL) s->s3->rbuf.buf=rp;
-	if (wp != NULL) s->s3->wbuf.buf=wp;
+	s->s3->rbuf.buf = rp;
+	s->s3->wbuf.buf = wp;
+	s->s3->rbuf.len = rlen;
+ 	s->s3->wbuf.len = wlen;
 
 	ssl_free_wbio_buffer(s);
 
@@ -1609,13 +1614,12 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
 	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
 	s->s3->in_read_app_data=1;
 	ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
-	if ((ret == -1) && (s->s3->in_read_app_data == 0))
+	if ((ret == -1) && (s->s3->in_read_app_data == 2))
 		{
 		/* ssl3_read_bytes decided to call s->handshake_func, which
 		 * called ssl3_read_bytes to read handshake data.
 		 * However, ssl3_read_bytes actually found application data
-		 * and thinks that application data makes sense here (signalled
-		 * by resetting 'in_read_app_data', strangely); so disable
+		 * and thinks that application data makes sense here; so disable
 		 * handshake processing and try to read application data again. */
 		s->in_handshake++;
 		ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);