-rw-r--r--lib/debug.c34
-rw-r--r--lib/debug.h14
-rw-r--r--lib/gnutls.c47
-rw-r--r--lib/gnutls.h2
-rw-r--r--lib/gnutls_algorithms.c54
-rw-r--r--lib/gnutls_algorithms.h3
-rw-r--r--lib/gnutls_cipher.c8
-rw-r--r--lib/gnutls_dh.c12
-rw-r--r--lib/gnutls_handshake.c13
-rw-r--r--lib/gnutls_hash_int.c28
-rw-r--r--lib/gnutls_hash_int.h4
-rw-r--r--lib/gnutls_int.h25
-rw-r--r--lib/gnutls_kx.c8
13 files changed, 179 insertions, 73 deletions
diff --git a/lib/debug.c b/lib/debug.c
index 7a5c231780..a927e95fe4 100644
--- a/lib/debug.c
+++ b/lib/debug.c
@@ -24,10 +24,9 @@
#include "gnutls_int.h"
#include "gnutls_errors.h"
+#ifdef DEBUG
-static char hexconvtab[] = "0123456789abcdef";
-
-void dump_mpi(char* prefix, MPI a)
+void _gnutls_dump_mpi(char* prefix, MPI a)
{
char buf[400];
size_t n = sizeof buf;
@@ -38,18 +37,18 @@ void dump_mpi(char* prefix, MPI a)
}
-char *bin2hex(const unsigned char *old, const size_t oldlen)
+char *_gnutls_bin2hex(const unsigned char *old, const size_t oldlen)
{
unsigned char *new = NULL;
int i, j;
- new = malloc(oldlen * 2 * sizeof(char) + 1);
+ new = calloc(1, oldlen * 2 * sizeof(char) + 1);
if (!new)
return (new);
- for (i = j = 0; i < oldlen; i++) {
- new[j++] = hexconvtab[old[i] >> 4];
- new[j++] = hexconvtab[old[i] & 15];
+ for (i = j = 0; j < oldlen; j+=2) {
+ sprintf(&new[j], "%.2x", old[i]);
+ i++;
}
new[j] = '\0';
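Review bot: The rewritten loop in `_gnutls_bin2hex` runs while `j < oldlen`, but `j` is the output index and advances by two per input byte, so only the first half of `old` is converted and the printed fragment or session ID is silently truncated. Bound the loop on the input index instead: `for (i = j = 0; i < oldlen; i++, j += 2)`. `new` is declared `unsigned char *` and passed to `sprintf`, which expects `char *`; declaring it `char *new` avoids the pointer-sign mismatch. The end of the function lies outside this hunk.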
@@ -57,7 +56,7 @@ char *bin2hex(const unsigned char *old, const size_t oldlen)
}
-void _print_state(GNUTLS_STATE state)
+void _gnutls_print_state(GNUTLS_STATE state)
{
fprintf(stderr, "GNUTLS State:\n");
@@ -83,7 +82,7 @@ void _print_state(GNUTLS_STATE state)
}
-void _print_TLSCompressed(GNUTLSCompressed * compressed)
+void _gnutls_print_TLSCompressed(GNUTLSCompressed * compressed)
{
fprintf(stderr, "TLSCompressed packet:\n");
fprintf(stderr, "type: %d\n", compressed->type);
@@ -91,12 +90,12 @@ void _print_TLSCompressed(GNUTLSCompressed * compressed)
compressed->version.minor);
fprintf(stderr, "length: %d\n", compressed->length);
fprintf(stderr, "fragment: %s\n",
- bin2hex(compressed->fragment, compressed->length));
+ _gnutls_bin2hex(compressed->fragment, compressed->length));
fprintf(stderr, "\n");
}
-void _print_TLSPlaintext(GNUTLSPlaintext * plaintext)
+void _gnutls_print_TLSPlaintext(GNUTLSPlaintext * plaintext)
{
fprintf(stderr, "TLSPlaintext packet:\n");
fprintf(stderr, "type: %d\n", plaintext->type);
@@ -104,12 +103,12 @@ void _print_TLSPlaintext(GNUTLSPlaintext * plaintext)
plaintext->version.minor);
fprintf(stderr, "length: %d\n", plaintext->length);
fprintf(stderr, "fragment: %s\n",
- bin2hex(plaintext->fragment, plaintext->length));
+ _gnutls_bin2hex(plaintext->fragment, plaintext->length));
fprintf(stderr, "\n");
}
-void _print_TLSCiphertext(GNUTLSCiphertext * ciphertext)
+void _gnutls_print_TLSCiphertext(GNUTLSCiphertext * ciphertext)
{
fprintf(stderr, "TLSCiphertext packet:\n");
@@ -119,11 +118,11 @@ void _print_TLSCiphertext(GNUTLSCiphertext * ciphertext)
fprintf(stderr, "length: %d\n", ciphertext->length);
fprintf(stderr, "fragment: %s\n",
- bin2hex(ciphertext->fragment, ciphertext->length));
+ _gnutls_bin2hex(ciphertext->fragment, ciphertext->length));
fprintf(stderr, "\n");
}
-char* alert2str( int alert) {
+char* _gnutls_alert2str( int alert) {
static char str[512];
switch(alert) {
@@ -205,7 +204,7 @@ static char str[512];
}
-char* packet2str( int packet) {
+char* _gnutls_packet2str( int packet) {
static char str[512];
switch(packet) {
@@ -229,3 +228,4 @@ static char str[512];
return str;
}
+#endif
diff --git a/lib/debug.h b/lib/debug.h
index 6d14eff9f0..e55b3586be 100644
--- a/lib/debug.h
+++ b/lib/debug.h
@@ -1,6 +1,8 @@
-void _print_state(GNUTLS_STATE state);
-void _print_TLSCompressed(GNUTLSCompressed * compressed);
-void _print_TLSPlaintext(GNUTLSPlaintext * plaintext);
-void _print_TLSCiphertext( GNUTLSCiphertext *);
-char * bin2hex(const unsigned char *old, const size_t oldlen);
-void dump_mpi(char* prefix,MPI a);
+#ifdef DEBUG
+void _gnutls_print_state(GNUTLS_STATE state);
+void _gnutls_print_TLSCompressed(GNUTLSCompressed * compressed);
+void _gnutls_print_TLSPlaintext(GNUTLSPlaintext * plaintext);
+void _gnutls_print_TLSCiphertext( GNUTLSCiphertext *);
+char * _gnutls_bin2hex(const unsigned char *old, const size_t oldlen);
+void _gnutls_dump_mpi(char* prefix,MPI a);
+#endif
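Review bot: `_gnutls_alert2str` and `_gnutls_packet2str` get no prototype in this header, although lib/gnutls.c passes their results to `fprintf` with `%s`. Unless another header declares them, those calls fall back to an implicit `int` return, which truncates the pointer on LP64 targets. Add `char *_gnutls_alert2str(int alert);` and `char *_gnutls_packet2str(int packet);` inside the guard. The guard here is `DEBUG` while most call sites are under `HARD_DEBUG`, so a build with `HARD_DEBUG` set and `DEBUG` unset would see neither declarations nor definitions; guarding on `defined(DEBUG) || defined(HARD_DEBUG)` would keep the two consistent.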
diff --git a/lib/gnutls.c b/lib/gnutls.c
index 9bc40f1773..147f8714fc 100644
--- a/lib/gnutls.c
+++ b/lib/gnutls.c
@@ -35,12 +35,28 @@
*/
int _gnutls_valid_version(GNUTLS_STATE state, int major, int minor)
{
+GNUTLS_Version ver = {0, major, minor};
- if (state->connection_state.version.major == major && state->connection_state.version.minor == minor)
- return 0;
+ if (_gnutls_version_is_supported(ver) > 0 ) {
+ return 0; /* supported */
+ }
return 1;
}
+GNUTLS_Version gnutls_get_current_version(GNUTLS_STATE state) {
+GNUTLS_Version ver;
+ ver.local = state->connection_state.version.local;
+ ver.major = state->connection_state.version.major;
+ ver.minor = state->connection_state.version.minor;
+ return ver;
+}
+
+void gnutls_set_current_version(GNUTLS_STATE state, int local, int major, int minor) {
+ state->connection_state.version.local = local;
+ state->connection_state.version.major = major;
+ state->connection_state.version.minor = minor;
+}
+
int gnutls_is_secure_memory(const void* mem) {
return 0;
}
@@ -82,8 +98,7 @@ int gnutls_init(GNUTLS_STATE * state, ConnectionEnd con_end)
(*state)->gnutls_internals.client_hash = 0;
(*state)->gnutls_internals.resumable = RESUME_TRUE;
- (*state)->connection_state.version.major = GNUTLS_VERSION_MAJOR;
- (*state)->connection_state.version.minor = GNUTLS_VERSION_MINOR;
+ gnutls_set_current_version ( (*state), 0, GNUTLS_DEFAULT_VERSION_MAJOR, GNUTLS_DEFAULT_VERSION_MINOR);
(*state)->gnutls_internals.KEY = NULL;
(*state)->gnutls_internals.client_Y = NULL;
@@ -131,7 +146,7 @@ int gnutls_deinit(GNUTLS_STATE * state)
}
-void *_gnutls_cal_PRF_A(MACAlgorithm algorithm, void *secret, int secret_size, void *seed, int seed_size)
+void *_gnutls_cal_PRF_A(GNUTLS_STATE state, MACAlgorithm algorithm, void *secret, int secret_size, void *seed, int seed_size)
{
GNUTLS_MAC_HANDLE td1;
@@ -144,7 +159,7 @@ void *_gnutls_cal_PRF_A(MACAlgorithm algorithm, void *secret, int secret_size, v
/* Produces "total_bytes" bytes using the hash algorithm specified.
* (used in the PRF function)
*/
-svoid *gnutls_P_hash(MACAlgorithm algorithm, opaque * secret, int secret_size, opaque * seed, int seed_size, int total_bytes)
+svoid *gnutls_P_hash(GNUTLS_STATE state, MACAlgorithm algorithm, opaque * secret, int secret_size, opaque * seed, int seed_size, int total_bytes)
{
GNUTLS_MAC_HANDLE td2;
@@ -170,7 +185,7 @@ svoid *gnutls_P_hash(MACAlgorithm algorithm, opaque * secret, int secret_size, o
td2 = gnutls_hmac_init(algorithm, secret, secret_size);
/* here we calculate A(i+1) */
- Atmp = _gnutls_cal_PRF_A(algorithm, secret, secret_size, A, A_size);
+ Atmp = _gnutls_cal_PRF_A(state, algorithm, secret, secret_size, A, A_size);
A_size = blocksize;
gnutls_free(A);
A = Atmp;
@@ -198,7 +213,7 @@ svoid *gnutls_P_hash(MACAlgorithm algorithm, opaque * secret, int secret_size, o
/* The PRF function expands a given secret
* needed by the TLS specification
*/
-svoid *gnutls_PRF(opaque * secret, int secret_size, uint8 * label, int label_size, opaque * seed, int seed_size, int total_bytes)
+svoid *gnutls_PRF(GNUTLS_STATE state, opaque * secret, int secret_size, uint8 * label, int label_size, opaque * seed, int seed_size, int total_bytes)
{
int l_s, i, s_seed_size;
char *o1, *o2;
@@ -219,8 +234,8 @@ svoid *gnutls_PRF(opaque * secret, int secret_size, uint8 * label, int label_siz
l_s++;
}
- o1 = gnutls_P_hash(GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size, total_bytes);
- o2 = gnutls_P_hash(GNUTLS_MAC_SHA, s2, l_s, s_seed, s_seed_size, total_bytes);
+ o1 = gnutls_P_hash(state, GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size, total_bytes);
+ o2 = gnutls_P_hash(state, GNUTLS_MAC_SHA, s2, l_s, s_seed, s_seed_size, total_bytes);
gnutls_free(s_seed);
@@ -256,7 +271,7 @@ int _gnutls_set_keys(GNUTLS_STATE state)
memmove(&random[32], state->security_parameters.client_random, 32);
key_block =
- gnutls_PRF(state->security_parameters.master_secret, 48,
+ gnutls_PRF(state, state->security_parameters.master_secret, 48,
keyexp, strlen(keyexp), random, 64, 2 * hash_size + 2 * key_size + 2 * IV_size);
state->cipher_specs.client_write_mac_secret = secure_malloc(hash_size);
@@ -391,7 +406,7 @@ ssize_t gnutls_send_int(int cd, GNUTLS_STATE state, ContentType type, char *data
}
#ifdef HARD_DEBUG
fprintf(stderr, "Send Packet[%d] %s(%d) with length: %d\n",
- (int) state->connection_state.write_sequence_number, packet2str(gcipher->type), gcipher->type, gcipher->length);
+ (int) state->connection_state.write_sequence_number, _gnutls_packet2str(gcipher->type), gcipher->type, gcipher->length);
#endif
#ifdef WORDS_BIGENDIAN
length = gcipher->length;
@@ -601,6 +616,8 @@ ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char *data
state->gnutls_internals.resumable = RESUME_FALSE;
gnutls_assert();
return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
+ } else {
+ gnutls_set_current_version(state, 0, gcipher.version.major, gcipher.version.minor);
}
if (Read(cd, &gcipher.length, 2) != 2) {
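Review bot: The new `else` branch overwrites `state->connection_state.version` with whatever major/minor the incoming record header carries, so the peer can change the connection's version on any record, including after the handshake has settled it. The only gate is the support check above the hunk (presumably `_gnutls_valid_version`, which after this commit ignores `state` and accepts any version in the supported table). That stored version now selects the padding in lib/gnutls_cipher.c and the MAC variant behind the `gnutls_hmac_init` macro. Once a version has been negotiated, the record header should be compared against it and rejected on mismatch, for example with `_gnutls_version_cmp(gnutls_get_current_version(state), <record version>) != 0`, rather than adopted. `gnutls_recv_int` continues outside the hunk.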
@@ -615,9 +632,9 @@ ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char *data
#ifdef HARD_DEBUG
fprintf(stderr, "Expected Packet[%d] %s(%d) with length: %d\n",
- (int) state->connection_state.read_sequence_number, packet2str(type), type, sizeofdata);
+ (int) state->connection_state.read_sequence_number, _gnutls_packet2str(type), type, sizeofdata);
fprintf(stderr, "Received Packet[%d] %s(%d) with length: %d\n",
- (int) state->connection_state.read_sequence_number, packet2str(gcipher.type), gcipher.type, gcipher.length);
+ (int) state->connection_state.read_sequence_number, _gnutls_packet2str(gcipher.type), gcipher.type, gcipher.length);
#endif
if (gcipher.length > 18432) { /* 2^14+2048 */
@@ -698,7 +715,7 @@ ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char *data
switch (gcipher.type) {
case GNUTLS_ALERT:
#ifdef HARD_DEBUG
- fprintf(stderr, "Alert[%d|%d] - %s - was received\n", tmpdata[0], tmpdata[1], alert2str((int)tmpdata[1]));
+ fprintf(stderr, "Alert[%d|%d] - %s - was received\n", tmpdata[0], tmpdata[1], _gnutls_alert2str((int)tmpdata[1]));
#endif
state->gnutls_internals.last_alert = tmpdata[1];
diff --git a/lib/gnutls.h b/lib/gnutls.h
index d0b25f6059..6e71e32b0e 100644
--- a/lib/gnutls.h
+++ b/lib/gnutls.h
@@ -52,6 +52,8 @@ void gnutls_set_cipher_priority( int num, ...);
void gnutls_set_kx_priority( int num, ...);
void gnutls_set_mac_priority( int num, ...);
+/* set our version - local is 0x00 for TLS 1.0 and SSL3 */
+void gnutls_set_current_version(GNUTLS_STATE state, int local, int major, int minor);
#define GNUTLS_E_MAC_FAILED -1
#define GNUTLS_E_UNKNOWN_CIPHER -2
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index 663853d882..fc9b1e4f1e 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -22,6 +22,36 @@
#include "gnutls_int.h"
#include "gnutls_algorithms.h"
+/* TLS Versions */
+#define GNUTLS_VERSION_ENTRY( name, supported) \
+ { #name, name, supported }
+
+typedef struct {
+ char *name;
+ GNUTLS_Version id;
+ int supported; /* 0 not supported, > 0 is supported */
+} gnutls_version_entry;
+
+#define GNUTLS_SSLv3 { 0, 3, 0 }
+#define GNUTLS_WTLS1 { 1, 1, 0 }
+#define GNUTLS_TLS1 { 0, 3, 1 }
+
+static gnutls_version_entry sup_versions[] = {
+ GNUTLS_VERSION_ENTRY(GNUTLS_SSLv3, 0),
+ GNUTLS_VERSION_ENTRY(GNUTLS_WTLS1, 0),
+ GNUTLS_VERSION_ENTRY(GNUTLS_TLS1, 1),
+ {0}
+};
+
+#define GNUTLS_VERSION_LOOP(b) \
+ gnutls_version_entry *p; \
+ for(p = sup_versions; p->name != NULL; p++) { b ; }
+
+#define GNUTLS_VERSION_ALG_LOOP(a) \
+ GNUTLS_VERSION_LOOP( if( memcmp( &p->id, &version, 2)==0) { a; break; } )
+
+
+
#define GNUTLS_CIPHER_ENTRY(name, blksize, keysize, block, iv, priority) \
{ #name, name, blksize, keysize, block, iv, priority }
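Review bot: `GNUTLS_VERSION_ALG_LOOP` compares only two bytes with `memcmp( &p->id, &version, 2)`, but this commit makes `GNUTLS_Version` a three-member struct ordered `local`, `major`, `minor` (lib/gnutls_int.h), so the minor number is never compared. With the table as written, a lookup for {0,3,1} matches the `GNUTLS_SSLv3` entry first and `_gnutls_version_is_supported` (later hunk in this file) returns 0 for TLS 1.0. Compare the whole value instead, e.g. `if (_gnutls_version_cmp(p->id, version) == 0) { a; break; }`, or at minimum use `sizeof(GNUTLS_Version)` as the length.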
@@ -188,7 +218,6 @@ static gnutls_cipher_suite_entry cs_algorithms[] = {
-
/* Generic Functions */
/* this function makes the whole string lowercase */
@@ -490,6 +519,29 @@ int _gnutls_kx_is_ok(KXAlgorithm algorithm)
}
+/* Version Functions */
+int _gnutls_version_cmp(GNUTLS_Version ver1, GNUTLS_Version ver2) {
+ if (ver1.major!=ver2.major) return 1;
+ if (ver1.minor!=ver2.minor) return 1;
+ if (ver1.local!=ver2.local) return 1;
+ return 0;
+}
+
+int _gnutls_version_ssl3(GNUTLS_Version ver) {
+ if (ver.major!=3) return 1;
+ if (ver.minor!=0) return 1;
+ if (ver.local!=0) return 1;
+ return 0;
+}
+
+int _gnutls_version_is_supported(const GNUTLS_Version version)
+{
+ size_t ret = 0;
+ GNUTLS_VERSION_ALG_LOOP(ret = p->supported);
+ return ret;
+}
+
+
/* Cipher Suite's functions */
BulkCipherAlgorithm _gnutls_cipher_suite_get_cipher_algo(const GNUTLS_CipherSuite
suite)
diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h
index 7e5cc8e695..96f80303a3 100644
--- a/lib/gnutls_algorithms.h
+++ b/lib/gnutls_algorithms.h
@@ -1,3 +1,6 @@
+/* functions for version */
+int _gnutls_version_is_supported(const GNUTLS_Version version);
+
/* functions for macs */
int _gnutls_mac_get_digest_size(MACAlgorithm algorithm);
char* _gnutls_mac_get_name(MACAlgorithm algorithm);
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 09734194da..e0257a58ca 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -343,7 +343,11 @@ int i;
rand = gcry_random_bytes(1, GCRY_WEAK_RANDOM);
/* make rand a multiple of blocksize */
- rand[0] = (rand[0]%(255/blocksize))*blocksize;
+ if (_gnutls_version_ssl3(state->connection_state.version)==0) {
+ rand[0]=0;
+ } else {
+ rand[0] = (rand[0]%(255/blocksize))*blocksize;
+ }
length =
compressed->length +
@@ -370,7 +374,7 @@ int i;
compressed->version.major;
ciphertext->version.minor =
compressed->version.minor;
-
+
gcry_free(rand);
break;
default:
diff --git a/lib/gnutls_dh.c b/lib/gnutls_dh.c
index 208b887229..65bc84eef7 100644
--- a/lib/gnutls_dh.c
+++ b/lib/gnutls_dh.c
@@ -73,9 +73,11 @@ MPI gnutls_calc_dh_secret(MPI * ret_x)
size_t n = sizeof diffie_hellman_group1_prime;
if (gcry_mpi_scan(&prime, GCRYMPI_FMT_USG,
- diffie_hellman_group1_prime, &n))
+ diffie_hellman_group1_prime, &n)) {
+ gnutls_assert();
abort();
- /*dump_mpi(stderr, "prime=", prime ); */
+ }
+ /*_gnutls_dump_mpi(stderr, "prime=", prime ); */
g = mpi_set_ui(NULL, 2);
x = mpi_new(X_SIZE); /* FIXME: allocate in secure memory */
@@ -123,8 +125,10 @@ MPI gnutls_get_dh_params(MPI * ret_p)
size_t n = sizeof diffie_hellman_group1_prime;
if (gcry_mpi_scan(&prime, GCRYMPI_FMT_USG,
- diffie_hellman_group1_prime, &n))
+ diffie_hellman_group1_prime, &n)) {
+ gnutls_assert();
abort();
+ }
g = mpi_set_ui(NULL, 2);
@@ -146,7 +150,7 @@ MPI gnutls_calc_dh_key(MPI f, MPI x)
gnutls_assert();
abort();
}
- /*dump_mpi(stderr, "prime=", prime ); */
+ /*_gnutls_dump_mpi(stderr, "prime=", prime ); */
k = gcry_mpi_alloc_like(prime);
/* k = mpi_new(E_SIZE); FIXME: allocate in secure memory */
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index a04bbc3580..b2490ceb37 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -63,7 +63,7 @@ int _gnutls_send_finished(int cd, GNUTLS_STATE state)
state->gnutls_internals.client_md_sha1, 20);
data =
- gnutls_PRF(state->security_parameters.master_secret,
+ gnutls_PRF(state, state->security_parameters.master_secret,
48, CLIENT_MSG, strlen(CLIENT_MSG), concat,
36, 12);
} else { /* server */
@@ -72,7 +72,7 @@ int _gnutls_send_finished(int cd, GNUTLS_STATE state)
state->gnutls_internals.server_md_sha1, 20);
data =
- gnutls_PRF(state->security_parameters.master_secret,
+ gnutls_PRF(state, state->security_parameters.master_secret,
48, SERVER_MSG, strlen(SERVER_MSG), concat,
36, 12);
}
@@ -111,7 +111,7 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state)
state->gnutls_internals.server_md_sha1, 20);
data =
- gnutls_PRF(state->security_parameters.master_secret,
+ gnutls_PRF(state, state->security_parameters.master_secret,
48, SERVER_MSG, strlen(SERVER_MSG), concat,
36, 12);
} else { /* server */
@@ -120,7 +120,7 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state)
state->gnutls_internals.client_md_sha1, 20);
data =
- gnutls_PRF(state->security_parameters.master_secret,
+ gnutls_PRF(state, state->security_parameters.master_secret,
48, CLIENT_MSG, strlen(CLIENT_MSG), concat,
36, 12);
}
@@ -621,7 +621,7 @@ int _gnutls_recv_hello(int cd, GNUTLS_STATE state, char *data, int datalen,
#ifdef HARD_DEBUG
fprintf(stderr, "SessionID length: %d\n", session_id_len);
fprintf(stderr, "SessionID: %s\n",
- bin2hex(&data[pos], session_id_len));
+ _gnutls_bin2hex(&data[pos], session_id_len));
#endif
pos += session_id_len;
@@ -679,7 +679,6 @@ int _gnutls_recv_hello(int cd, GNUTLS_STATE state, char *data, int datalen,
#ifdef DEBUG
fprintf(stderr, "Client's version: %d.%d\n", data[pos], data[pos+1]);
#endif
-
if ( _gnutls_valid_version( state, data[pos], data[pos+1]) != 0) {
gnutls_assert();
return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
@@ -1076,7 +1075,7 @@ int _gnutls_generate_session_id(char **session_id, uint8 * len)
*len = 32;
#ifdef HARD_DEBUG
- fprintf(stderr, "SessionID: %s\n", bin2hex(*session_id, 32));
+ fprintf(stderr, "SessionID: %s\n", _gnutls_bin2hex(*session_id, 32));
#endif
return 0;
}
diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c
index a2856c173b..a0a9c1b9f1 100644
--- a/lib/gnutls_hash_int.c
+++ b/lib/gnutls_hash_int.c
@@ -37,7 +37,7 @@ GNUTLS_HASH_HANDLE ret;
break;
case GNUTLS_MAC_SHA:
#ifdef USE_MHASH
- ret = mhash_init_m( MHASH_SHA1, gnutls_malloc);
+ ret = mhash_init( MHASH_SHA1);
#else
ret = gcry_md_open( GCRY_MD_SHA1, 0);
#endif
@@ -45,7 +45,7 @@ GNUTLS_HASH_HANDLE ret;
break;
case GNUTLS_MAC_MD5:
#ifdef USE_MHASH
- ret = mhash_init_m( MHASH_MD5, gnutls_malloc);
+ ret = mhash_init( MHASH_MD5);
#else
ret = gcry_md_open( GCRY_MD_MD5, 0);
#endif
@@ -96,7 +96,7 @@ int gnutls_hash(GNUTLS_HASH_HANDLE handle, void* text, int textlen) {
return 0;
}
-void* gnutls_hash_deinit(GNUTLS_HASH_HANDLE handle) {
+void* gnutls_hash_deinit( GNUTLS_HASH_HANDLE handle) {
char* mac;
int maclen;
char* ret;
@@ -116,7 +116,7 @@ char* ret;
}
-GNUTLS_MAC_HANDLE gnutls_hmac_init(MACAlgorithm algorithm, char* key, int keylen) {
+GNUTLS_MAC_HANDLE _gnutls_hmac_init( MACAlgorithm algorithm, char* key, int keylen, int dp) {
GNUTLS_MAC_HANDLE ret;
switch (algorithm) {
@@ -125,7 +125,11 @@ GNUTLS_MAC_HANDLE ret;
break;
case GNUTLS_MAC_SHA:
#ifdef USE_MHASH
- ret = mhash_hmac_init_m( MHASH_SHA1, key, keylen, 0, gnutls_malloc);
+ if (dp==0) {
+ ret = mhash_hmac_init( MHASH_SHA1, key, keylen, 0);
+ } else {
+ ret = mhash_hmac_init_dp( MHASH_SHA1, key, keylen, 0);
+ }
#else
ret = gcry_md_open( GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC);
#endif
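Review bot: `dp` is honoured only under `USE_MHASH`; the `#else` branch still opens a plain `GCRY_MD_FLAG_HMAC` context, so a libgcrypt build silently computes the standard HMAC even when the caller asked for the `dp` variant. The same holds for the MD5 case in the next hunk and for `_gnutls_hmac_deinit` further down. If libgcrypt has no equivalent, fail explicitly rather than produce a MAC the peer will not accept, e.g. `if (dp != 0) return GNUTLS_MAC_FAILED;` under `#ifndef USE_MHASH` before the `switch`. A comment on the parameter saying what `dp` selects would also help, since nothing in the visible code defines it.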
@@ -133,7 +137,11 @@ GNUTLS_MAC_HANDLE ret;
break;
case GNUTLS_MAC_MD5:
#ifdef USE_MHASH
- ret = mhash_hmac_init_m( MHASH_MD5, key, keylen, 0, gnutls_malloc);
+ if (dp==0) {
+ ret = mhash_hmac_init( MHASH_MD5, key, keylen, 0);
+ } else {
+ ret = mhash_hmac_init_dp( MHASH_MD5, key, keylen, 0);
+ }
#else
ret = gcry_md_open( GCRY_MD_MD5, GCRY_MD_FLAG_HMAC);
#endif
@@ -189,13 +197,17 @@ int gnutls_hmac(GNUTLS_MAC_HANDLE handle, void* text, int textlen) {
}
-void* gnutls_hmac_deinit(GNUTLS_MAC_HANDLE handle) {
+void* _gnutls_hmac_deinit( GNUTLS_MAC_HANDLE handle, int dp) {
char* mac;
int maclen;
char* ret;
#ifdef USE_MHASH
- ret = mhash_hmac_end(handle);
+ if (dp==0) {
+ ret = mhash_hmac_end(handle);
+ } else {
+ ret = mhash_hmac_end_dp(handle);
+ }
#else
maclen = gcry_md_get_algo_dlen(gcry_md_get_algo(handle));
ret = gnutls_malloc( maclen);
diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h
index fc94fe661e..4b73696cb9 100644
--- a/lib/gnutls_hash_int.h
+++ b/lib/gnutls_hash_int.h
@@ -21,10 +21,10 @@
#define GNUTLS_HASH_FAILED NULL
#define GNUTLS_MAC_FAILED NULL
-GNUTLS_MAC_HANDLE gnutls_hmac_init(MACAlgorithm algorithm, char* key, int keylen);
+GNUTLS_MAC_HANDLE _gnutls_hmac_init( MACAlgorithm algorithm, char* key, int keylen, int dp);
int gnutls_hmac_get_algo_len(MACAlgorithm algorithm);
int gnutls_hmac(GNUTLS_HASH_HANDLE handle, void* text, int textlen);
-void* gnutls_hmac_deinit(GNUTLS_HASH_HANDLE handle);
+void* _gnutls_hmac_deinit( GNUTLS_HASH_HANDLE handle, int dp);
GNUTLS_HASH_HANDLE gnutls_hash_init(MACAlgorithm algorithm);
int gnutls_hash_get_algo_len(MACAlgorithm algorithm);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index b5b5c6e009..430880e2f3 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -2,9 +2,9 @@
#define GNUTLS_INT_H
-#undef HARD_DEBUG
-#undef READ_DEBUG
-#undef WRITE_DEBUG
+//#define HARD_DEBUG
+//#define READ_DEBUG
+//#define WRITE_DEBUG
#define DEBUG
#define MAX32 4294967295
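Review bot: Replacing the three `#undef` lines with commented-out `#define`s changes more than the default, because the header no longer cancels a `-DHARD_DEBUG` (or `READ_DEBUG`/`WRITE_DEBUG`) supplied on the compiler command line. `HARD_DEBUG` guards the `fprintf` of the master secret in lib/gnutls_kx.c, so a stray build flag now turns key logging on. If forcing these off was intentional, keep the `#undef`s next to the commented defines. The `//` form is not valid C89; `/* #define HARD_DEBUG */` is safe if the library is meant to build with pre-C99 compilers.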
@@ -135,6 +135,7 @@ typedef struct {
typedef struct {
+ uint8 local;
uint8 major;
uint8 minor;
} GNUTLS_Version;
@@ -203,8 +204,8 @@ enum ContentType { GNUTLS_CHANGE_CIPHER_SPEC=20, GNUTLS_ALERT, GNUTLS_HANDSHAKE,
GNUTLS_APPLICATION_DATA };
typedef enum ContentType ContentType;
-#define GNUTLS_VERSION_MAJOR 3
-#define GNUTLS_VERSION_MINOR 1
+#define GNUTLS_DEFAULT_VERSION_MAJOR 3
+#define GNUTLS_DEFAULT_VERSION_MINOR 1
typedef struct {
uint8 major;
@@ -284,14 +285,24 @@ typedef struct {
/* functions */
int _gnutls_send_alert( int cd, GNUTLS_STATE state, AlertLevel level, AlertDescription desc);
int gnutls_close(int cd, GNUTLS_STATE state);
-svoid *gnutls_PRF(opaque * secret, int secret_size, uint8 * label,
+svoid *gnutls_PRF(GNUTLS_STATE state, opaque * secret, int secret_size, uint8 * label,
int label_size, opaque * seed, int seed_size,
int total_bytes);
int _gnutls_valid_version( GNUTLS_STATE state, int major, int minor);
+void gnutls_set_current_version(GNUTLS_STATE state, int local, int major, int minor);
+GNUTLS_Version gnutls_get_current_version(GNUTLS_STATE state);
int _gnutls_set_keys(GNUTLS_STATE state);
ssize_t gnutls_send_int(int cd, GNUTLS_STATE state, ContentType type, char* data, size_t sizeofdata);
ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char* data, size_t sizeofdata);
int _gnutls_send_change_cipher_spec(int cd, GNUTLS_STATE state);
-
+int _gnutls_version_cmp(GNUTLS_Version ver1, GNUTLS_Version ver2);
+int _gnutls_version_ssl3(GNUTLS_Version ver);
+
+#define gnutls_hmac_init(x,y,z) _gnutls_version_ssl3(state->connection_state.version) ? \
+ _gnutls_hmac_init(x,y,z,1) : \
+ _gnutls_hmac_init(x,y,z,0)
+#define gnutls_hmac_deinit(x) _gnutls_version_ssl3(state->connection_state.version) ? \
+ _gnutls_hmac_deinit(x,1) : \
+ _gnutls_hmac_deinit(x,0)
#endif /* GNUTLS_INT_H */
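Review bot: The `gnutls_hmac_init`/`gnutls_hmac_deinit` macros pass `dp=1` when `_gnutls_version_ssl3()` is non-zero, but that function returns 0 for SSL 3.0 (lib/gnutls_cipher.c tests `== 0`), so the `dp` variant is chosen for every version except SSL 3.0. If `dp` is meant to be the SSL 3.0 MAC, the test is inverted. The macros also depend on a variable named `state` being in scope at every call site, and they expand to an unparenthesised conditional expression that will misparse inside a larger expression. Suggested form: `#define gnutls_hmac_init(x,y,z) (_gnutls_hmac_init((x),(y),(z), _gnutls_version_ssl3(state->connection_state.version) == 0))`, with the same shape for `gnutls_hmac_deinit`.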
diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c
index a470d3a429..73e9053ec4 100644
--- a/lib/gnutls_kx.c
+++ b/lib/gnutls_kx.c
@@ -207,12 +207,12 @@ int _gnutls_send_client_kx_message(int cd, GNUTLS_STATE state)
}
master =
- gnutls_PRF(premaster, premaster_size,
+ gnutls_PRF(state, premaster, premaster_size,
MASTER_SECRET, strlen(MASTER_SECRET), random, 64,
48);
secure_free(premaster);
#ifdef HARD_DEBUG
- fprintf(stderr, "MASTER SECRET: %s\n", bin2hex(master, 48));
+ fprintf(stderr, "MASTER SECRET: %s\n", _gnutls_bin2hex(master, 48));
#endif
memmove(state->security_parameters.master_secret, master, 48);
secure_free(master);
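Review bot: The `HARD_DEBUG` trace prints the master secret and never frees the buffer `_gnutls_bin2hex` returns, which lib/debug.c allocates with plain `calloc`. A hex copy of the secret therefore stays in ordinary heap memory after `secure_free(master)` has run. The same pattern is in the `_gnutls_recv_client_kx_message` hunk that follows. If the trace is kept, hold the returned pointer in a local, print it, overwrite it and `free` it; otherwise drop the secret from the log line. Both functions continue outside their hunks.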
@@ -449,11 +449,11 @@ int _gnutls_recv_client_kx_message(int cd, GNUTLS_STATE state)
}
master =
- gnutls_PRF(premaster, premaster_size,
+ gnutls_PRF(state, premaster, premaster_size,
MASTER_SECRET, strlen(MASTER_SECRET),
random, 64, 48); secure_free(premaster);
#ifdef HARD_DEBUG
- fprintf(stderr, "master secret: %s\n", bin2hex(master, 48));
+ fprintf(stderr, "master secret: %s\n", _gnutls_bin2hex(master, 48));
#endif
memmove(state->security_parameters.master_secret, master, 48);
secure_free(master);