Updates to the new SSL compression code
authorMark J. Cox <mark@openssl.org>
Tue, 16 Feb 1999 09:22:21 +0000 (09:22 +0000)
committerMark J. Cox <mark@openssl.org>
Tue, 16 Feb 1999 09:22:21 +0000 (09:22 +0000)
     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

Fix so that the version number in the master secret, when passed
     via RSA, checks that if TLS was proposed, but we roll back to SSLv3
     (because the server will not accept higher), that the version number
     is 0x03,0x01, not 0x03,0x00
     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

Submitted by:
Reviewed by:
PR:

25 files changed:
CHANGES
ssl/s23_clnt.c
ssl/s23_pkt.c
ssl/s23_srvr.c
ssl/s2_clnt.c
ssl/s2_enc.c
ssl/s2_srvr.c
ssl/s3_clnt.c
ssl/s3_enc.c
ssl/s3_lib.c
ssl/s3_pkt.c
ssl/s3_srvr.c
ssl/ssl.err
ssl/ssl.h
ssl/ssl3.h
ssl/ssl_algs.c
ssl/ssl_ciph.c
ssl/ssl_err.c
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/ssl_rsa.c
ssl/ssl_sess.c
ssl/ssl_txt.c
ssl/ssltest.c
ssl/t1_enc.c

diff --git a/CHANGES b/CHANGES
index 043c7552a76f587f655ee899b19a7d7a15387880..470435fe821ca2bbd4e04821a2c76ff2699e28c4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,15 @@
 
  Changes between 0.9.1c and 0.9.2
 
+  *) Updates to the new SSL compression code
+     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
+  *) Fix so that the version number in the master secret, when passed
+     via RSA, checks that if TLS was proposed, but we roll back to SSLv3
+     (because the server will not accept higher), that the version number
+     is 0x03,0x01, not 0x03,0x00
+     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
   *) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory
      leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes
      in apps/ and an unrellated leak in crypto/dsa/dsa_vrf.c
index 1b4c06838bf5f0c5e571eef7b7cabeef8f0c8f71..c0948fd2da2769e4f3b36e72ee2d11dd33889a22 100644 (file)
@@ -136,6 +136,13 @@ SSL *s;
                case SSL_ST_BEFORE|SSL_ST_CONNECT:
                case SSL_ST_OK|SSL_ST_CONNECT:
 
+                       if (s->session != NULL)
+                               {
+                               SSLerr(SSL_F_SSL23_CONNECT,SSL_R_SSL23_DOING_SESSION_ID_REUSE);
+                               ret= -1;
+                               goto end;
+                               }
+                       s->server=0;
                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
 
                        /* s->version=TLS1_VERSION; */
@@ -161,7 +168,7 @@ SSL *s;
                        ssl3_init_finished_mac(s);
 
                        s->state=SSL23_ST_CW_CLNT_HELLO_A;
-                       s->ctx->sess_connect++;
+                       s->ctx->stats.sess_connect++;
                        s->init_num=0;
                        break;
 
@@ -238,16 +245,19 @@ SSL *s;
                        {
                        *(d++)=TLS1_VERSION_MAJOR;
                        *(d++)=TLS1_VERSION_MINOR;
+                       s->client_version=TLS1_VERSION;
                        }
                else if (!(s->options & SSL_OP_NO_SSLv3))
                        {
                        *(d++)=SSL3_VERSION_MAJOR;
                        *(d++)=SSL3_VERSION_MINOR;
+                       s->client_version=SSL3_VERSION;
                        }
                else if (!(s->options & SSL_OP_NO_SSLv2))
                        {
                        *(d++)=SSL2_VERSION_MAJOR;
                        *(d++)=SSL2_VERSION_MINOR;
+                       s->client_version=SSL2_VERSION;
                        }
                else
                        {
index c25c3127725d20b16e5578c6eed88ab0f89ea5a7..99f909d50fa00257a43a7ac904b4004560a01ed7 100644 (file)
@@ -76,7 +76,7 @@ SSL *s;
                {
                s->rwstate=SSL_WRITING;
                i=BIO_write(s->wbio,&(buf[tot]),num);
-               if (i < 0)
+               if (i <= 0)
                        {
                        s->init_off=tot;
                        s->init_num=num;
index 6c8afeb8576a7bd8bb42c4149e417e69aa77fe3f..d1f49e5ac3ee574e54436ecb43bad1df25819e17 100644 (file)
@@ -134,6 +134,7 @@ SSL *s;
                case SSL_ST_BEFORE|SSL_ST_ACCEPT:
                case SSL_ST_OK|SSL_ST_ACCEPT:
 
+                       s->server=1;
                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
 
                        /* s->version=SSL3_VERSION; */
@@ -157,7 +158,7 @@ SSL *s;
                        ssl3_init_finished_mac(s);
 
                        s->state=SSL23_ST_SR_CLNT_HELLO_A;
-                       s->ctx->sess_accept++;
+                       s->ctx->stats.sess_accept++;
                        s->init_num=0;
                        break;
 
@@ -203,8 +204,10 @@ SSL *s;
        unsigned int csl,sil,cl;
        int n=0,j,tls1=0;
        int type=0,use_sslv2_strong=0;
+       int v[2];
 
        /* read the initial header */
+       v[0]=v[1]=0;
        if (s->state == SSL23_ST_SR_CLNT_HELLO_A)
                {
                if (!ssl3_setup_buffers(s)) goto err;
@@ -221,12 +224,14 @@ SSL *s;
                        /* SSLv2 header */
                        if ((p[3] == 0x00) && (p[4] == 0x02))
                                {
+                               v[0]=p[3]; v[1]=p[4];
                                /* SSLv2 */
                                if (!(s->options & SSL_OP_NO_SSLv2))
                                        type=1;
                                }
                        else if (p[3] == SSL3_VERSION_MAJOR)
                                {
+                               v[0]=p[3]; v[1]=p[4];
                                /* SSLv3/TLSv1 */
                                if (p[4] >= TLS1_VERSION_MINOR)
                                        {
@@ -307,6 +312,7 @@ SSL *s;
                         (p[1] == SSL3_VERSION_MAJOR) &&
                         (p[5] == SSL3_MT_CLIENT_HELLO))
                        {
+                       v[0]=p[1]; v[1]=p[2];
                        /* true SSLv3 or tls1 */
                        if (p[2] >= TLS1_VERSION_MINOR)
                                {
@@ -486,6 +492,7 @@ next_bit:
                        s->version=SSL3_VERSION;
                        s->method=SSLv3_server_method();
                        }
+               s->client_version=(v[0]<<8)|v[1];
                s->handshake_func=s->method->ssl_accept;
                }
        
index 9c8037b48bf682eba5a394a9c46f4c849e996b76..bbac33cf360ca9a75f7eb4b0a940f147c0753de5 100644 (file)
@@ -146,6 +146,7 @@ SSL *s;
                case SSL_ST_BEFORE|SSL_ST_CONNECT:
                case SSL_ST_OK|SSL_ST_CONNECT:
 
+                       s->server=0;
                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
 
                        s->version=SSL2_VERSION;
@@ -166,7 +167,7 @@ SSL *s;
                        s->init_buf=buf;
                        s->init_num=0;
                        s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
-                       s->ctx->sess_connect++;
+                       s->ctx->stats.sess_connect++;
                        s->handshake_func=ssl2_connect;
                        BREAK;
 
@@ -249,8 +250,11 @@ SSL *s;
                        break;
 
                case SSL_ST_OK:
-                       BUF_MEM_free(s->init_buf);
-                       s->init_buf=NULL;
+                       if (s->init_buf != NULL)
+                               {
+                               BUF_MEM_free(s->init_buf);
+                               s->init_buf=NULL;
+                               }
                        s->init_num=0;
                /*      ERR_clear_error();*/
 
@@ -261,11 +265,11 @@ SSL *s;
                         */
 
                        ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
-                       if (s->hit) s->ctx->sess_hit++;
+                       if (s->hit) s->ctx->stats.sess_hit++;
 
                        ret=1;
                        /* s->server=0; */
-                       s->ctx->sess_connect_good++;
+                       s->ctx->stats.sess_connect_good++;
 
                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
 
@@ -538,7 +542,7 @@ SSL *s;
        if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A)
                {
 
-               if (!ssl_cipher_get_evp(s->session->cipher,&c,&md))
+               if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
                        {
                        ssl2_return_error(s,SSL2_PE_NO_CIPHER);
                        SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
index b43056fa14fb33a4fcff99a38cef1925053f9fa9..63ebf2874887cf83d846cf2180b98bc95fb70bcc 100644 (file)
@@ -69,7 +69,7 @@ int client;
        EVP_MD *md;
        int num;
 
-       if (!ssl_cipher_get_evp(s->session->cipher,&c,&md))
+       if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
                {
                ssl2_return_error(s,SSL2_PE_NO_CIPHER);
                SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
index 8580ac6a8d0ceb5612bf6708b16a61e4c83e5684..814e38f48039be60028cb238024040994c4dbb47 100644 (file)
@@ -155,6 +155,7 @@ SSL *s;
                case SSL_ST_BEFORE|SSL_ST_ACCEPT:
                case SSL_ST_OK|SSL_ST_ACCEPT:
 
+                       s->server=1;
                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
 
                        s->version=SSL2_VERSION;
@@ -168,7 +169,7 @@ SSL *s;
                                { ret= -1; goto end; }
                        s->init_buf=buf;
                        s->init_num=0;
-                       s->ctx->sess_accept++;
+                       s->ctx->stats.sess_accept++;
                        s->handshake_func=ssl2_accept;
                        s->state=SSL2_ST_GET_CLIENT_HELLO_A;
                        BREAK;
@@ -295,13 +296,14 @@ SSL *s;
 
                case SSL_ST_OK:
                        BUF_MEM_free(s->init_buf);
+                       ssl_free_wbio_buffer(s);
                        s->init_buf=NULL;
                        s->init_num=0;
                /*      ERR_clear_error();*/
 
                        ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
 
-                       s->ctx->sess_accept_good++;
+                       s->ctx->stats.sess_accept_good++;
                        /* s->server=1; */
                        ret=1;
 
@@ -336,9 +338,6 @@ static int get_client_master_key(s)
 SSL *s;
        {
        int export,i,n,keya,ek;
-#if 0
-       int error=0;
-#endif
        unsigned char *p;
        SSL_CIPHER *cp;
        EVP_CIPHER *c;
@@ -404,7 +403,7 @@ SSL *s;
 
        export=(s->session->cipher->algorithms & SSL_EXP)?1:0;
        
-       if (!ssl_cipher_get_evp(s->session->cipher,&c,&md))
+       if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
                {
                ssl2_return_error(s,SSL2_PE_NO_CIPHER);
                SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
index 363118835cfc705226dfe1073bcde703d2bbe011..b2649ed9986cc3297e04a10bdb26ac61f7add5d3 100644 (file)
@@ -134,7 +134,6 @@ SSL *s;
        long num1;
        void (*cb)()=NULL;
        int ret= -1;
-       BIO *under;
        int new_state,state,skip=0;;
 
        RAND_seed(&Time,sizeof(Time));
@@ -158,13 +157,14 @@ SSL *s;
                case SSL_ST_RENEGOTIATE:
                        s->new_session=1;
                        s->state=SSL_ST_CONNECT;
-                       s->ctx->sess_connect_renegotiate++;
+                       s->ctx->stats.sess_connect_renegotiate++;
                        /* break */
                case SSL_ST_BEFORE:
                case SSL_ST_CONNECT:
                case SSL_ST_BEFORE|SSL_ST_CONNECT:
                case SSL_ST_OK|SSL_ST_CONNECT:
 
+                       s->server=0;
                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
 
                        if ((s->version & 0xff00 ) != 0x0300)
@@ -197,7 +197,7 @@ SSL *s;
                        ssl3_init_finished_mac(s);
 
                        s->state=SSL3_ST_CW_CLNT_HELLO_A;
-                       s->ctx->sess_connect++;
+                       s->ctx->stats.sess_connect++;
                        s->init_num=0;
                        break;
 
@@ -326,6 +326,11 @@ SSL *s;
                        s->init_num=0;
 
                        s->session->cipher=s->s3->tmp.new_cipher;
+                       if (s->s3->tmp.new_compression == NULL)
+                               s->session->compress_meth=0;
+                       else
+                               s->session->compress_meth=
+                                       s->s3->tmp.new_compression->id;
                        if (!s->method->ssl3_enc->setup_key_block(s))
                                {
                                ret= -1;
@@ -401,33 +406,28 @@ SSL *s;
                        /* clean a few things up */
                        ssl3_cleanup_key_block(s);
 
-                       BUF_MEM_free(s->init_buf);
-                       s->init_buf=NULL;
-
-                       if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
+                       if (s->init_buf != NULL)
                                {
-                               /* remove buffering */
-                               under=BIO_pop(s->wbio);
-                               if (under != NULL)
-                                       s->wbio=under;
-                               else
-                                       abort(); /* ok */
-
-                               BIO_free(s->bbio);
-                               s->bbio=NULL;
+                               BUF_MEM_free(s->init_buf);
+                               s->init_buf=NULL;
                                }
-                       /* else do it later */
+
+                       /* If we are not 'joining' the last two packets,
+                        * remove the buffering now */
+                       if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
+                               ssl_free_wbio_buffer(s);
+                       /* else do it later in ssl3_write */
 
                        s->init_num=0;
                        s->new_session=0;
 
                        ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
-                       if (s->hit) s->ctx->sess_hit++;
+                       if (s->hit) s->ctx->stats.sess_hit++;
 
                        ret=1;
                        /* s->server=0; */
                        s->handshake_func=ssl3_connect;
-                       s->ctx->sess_connect_good++;
+                       s->ctx->stats.sess_connect_good++;
 
                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
 
@@ -473,8 +473,9 @@ SSL *s;
        {
        unsigned char *buf;
        unsigned char *p,*d;
-       int i;
+       int i,j;
        unsigned long Time,l;
+       SSL_COMP *comp;
 
        buf=(unsigned char *)s->init_buf->data;
        if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
@@ -498,6 +499,7 @@ SSL *s;
 
                *(p++)=s->version>>8;
                *(p++)=s->version&0xff;
+               s->client_version=s->version;
 
                /* Random stuff */
                memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
@@ -525,10 +527,18 @@ SSL *s;
                s2n(i,p);
                p+=i;
 
-               /* hardwire in the NULL compression algorithm. */
                /* COMPRESSION */
-               *(p++)=1;
-               *(p++)=0;
+               if (s->ctx->comp_methods == NULL)
+                       j=0;
+               else
+                       j=sk_num(s->ctx->comp_methods);
+               *(p++)=1+j;
+               for (i=0; i<j; i++)
+                       {
+                       comp=(SSL_COMP *)sk_value(s->ctx->comp_methods,i);
+                       *(p++)=comp->id;
+                       }
+               *(p++)=0; /* Add the NULL method */
                
                l=(p-d);
                d=buf;
@@ -556,6 +566,7 @@ SSL *s;
        int i,al,ok;
        unsigned int j;
        long n;
+       SSL_COMP *comp;
 
        n=ssl3_get_message(s,
                SSL3_ST_CR_SRVR_HELLO_A,
@@ -649,12 +660,21 @@ SSL *s;
        /* lets get the compression algorithm */
        /* COMPRESSION */
        j= *(p++);
-       if (j != 0)
+       if (j == 0)
+               comp=NULL;
+       else
+               comp=ssl3_comp_find(s->ctx->comp_methods,j);
+       
+       if ((j != 0) && (comp == NULL))
                {
                al=SSL_AD_ILLEGAL_PARAMETER;
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
                goto f_err;
                }
+       else
+               {
+               s->s3->tmp.new_compression=comp;
+               }
 
        if (p != (d+n))
                {
@@ -996,6 +1016,7 @@ SSL *s;
                /* else anonymous DH, so no certificate or pkey. */
 
                s->session->cert->dh_tmp=dh;
+               dh=NULL;
                }
        else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
                {
@@ -1326,8 +1347,8 @@ SSL *s;
                                rsa=pkey->pkey.rsa;
                                }
                                
-                       tmp_buf[0]=s->version>>8;
-                       tmp_buf[1]=s->version&0xff;
+                       tmp_buf[0]=s->client_version>>8;
+                       tmp_buf[1]=s->client_version&0xff;
                        RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
 
                        s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
index c5c9a3be429941e3a3a2fc0cbe5c24cd150c3b8c..a655e12becb172caa449d48ef79ba4dee6ad7166 100644 (file)
@@ -144,7 +144,10 @@ int which;
        exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0;
        c=s->s3->tmp.new_sym_enc;
        m=s->s3->tmp.new_hash;
-       comp=s->s3->tmp.new_compression;
+       if (s->s3->tmp.new_compression == NULL)
+               comp=NULL;
+       else
+               comp=s->s3->tmp.new_compression->method;
        key_block=s->s3->tmp.key_block;
 
        if (which & SSL3_CC_READ)
@@ -169,8 +172,9 @@ int which;
                                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
                                goto err2;
                                }
-                       s->s3->rrec.comp=(unsigned char *)
-                               Malloc(SSL3_RT_MAX_PLAIN_LENGTH);
+                       if (s->s3->rrec.comp == NULL)
+                               s->s3->rrec.comp=(unsigned char *)
+                                       Malloc(SSL3_RT_MAX_PLAIN_LENGTH);
                        if (s->s3->rrec.comp == NULL)
                                goto err;
                        }
@@ -280,11 +284,12 @@ SSL *s;
        EVP_CIPHER *c;
        EVP_MD *hash;
        int num,exp;
+       SSL_COMP *comp;
 
        if (s->s3->tmp.key_block_length != 0)
                return(1);
 
-       if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash))
+       if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
                {
                SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                return(0);
@@ -292,11 +297,7 @@ SSL *s;
 
        s->s3->tmp.new_sym_enc=c;
        s->s3->tmp.new_hash=hash;
-#ifdef ZLIB
-       s->s3->tmp.new_compression=COMP_zlib();
-#endif
-/*     s->s3->tmp.new_compression=COMP_rle(); */
-/*     s->session->compress_meth= xxxxx */
+       s->s3->tmp.new_compression=comp;
 
        exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0;
 
@@ -454,7 +455,7 @@ unsigned char *p;
        unsigned char md_buf[EVP_MAX_MD_SIZE];
        EVP_MD_CTX ctx;
 
-       memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX));
+       EVP_MD_CTX_copy(&ctx,in_ctx);
 
        n=EVP_MD_CTX_size(&ctx);
        npad=(48/n)*n;
index 495c1c334fe4b21c3fe5891581a60ac920d963b0..c64b760a445c896eabc82aec2e9fe6268247e4a1 100644 (file)
@@ -486,6 +486,12 @@ SSL *s;
        if (s->s3->tmp.ca_names != NULL)
                sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
 
+       if (s->s3->rrec.comp != NULL)
+               {
+               Free(s->s3->rrec.comp);
+               s->s3->rrec.comp=NULL;
+               }
+
        rp=s->s3->rbuf.buf;
        wp=s->s3->wbuf.buf;
 
@@ -493,11 +499,7 @@ SSL *s;
        if (rp != NULL) s->s3->rbuf.buf=rp;
        if (wp != NULL) s->s3->wbuf.buf=wp;
 
-       if (s->s3->rrec.comp != NULL)
-               {
-               Free(s->s3->rrec.comp);
-               s->s3->rrec.comp=NULL;
-               }
+       ssl_free_wbio_buffer(s);
 
        s->packet_length=0;
        s->s3->renegotiate=0;
@@ -844,7 +846,6 @@ const char *buf;
 int len;
        {
        int ret,n;
-       BIO *under;
 
 #if 0
        if (s->shutdown & SSL_SEND_SHUTDOWN)
@@ -878,15 +879,12 @@ int len;
                if (n <= 0) return(n);
                s->rwstate=SSL_NOTHING;
 
-               /* We have flushed the buffer */
-               under=BIO_pop(s->wbio);
-               s->wbio=under;
-               BIO_free(s->bbio);
-               s->bbio=NULL;
+               /* We have flushed the buffer, so remove it */
+               ssl_free_wbio_buffer(s);
+               s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
+
                ret=s->s3->delay_buf_pop_ret;
                s->s3->delay_buf_pop_ret=0;
-
-               s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
                }
        else
                {
@@ -987,4 +985,3 @@ need to go to SSL_ST_ACCEPT.\1e
        return(ret);
        }
 
-
index b7edc8faf32ae4ddc1a0768b7f0dc967bcf2f173..f5350bf1b7928a11658c5123f74b0b1f3dc1b194 100644 (file)
@@ -872,7 +872,9 @@ start:
                        if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
                                !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
                                {
-                               s->state=SSL_ST_BEFORE;
+                               s->state=SSL_ST_BEFORE|(s->server)
+                                               ?SSL_ST_ACCEPT
+                                               :SSL_ST_CONNECT;
                                s->new_session=1;
                                }
                        n=s->handshake_func(s);
index a827a58d4932666d0c70f9be874b49f53a6c505f..a4c0744488405d4ffbb97cf774a2d39e770bb463 100644 (file)
@@ -135,7 +135,6 @@ SSL *s;
        long num1;
        int ret= -1;
        CERT *ct;
-       BIO *under;
        int new_state,state,skip=0;
 
        RAND_seed(&Time,sizeof(Time));
@@ -178,6 +177,7 @@ SSL *s;
                case SSL_ST_BEFORE|SSL_ST_ACCEPT:
                case SSL_ST_OK|SSL_ST_ACCEPT:
 
+                       s->server=1;
                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
 
                        if ((s->version>>8) != 3)
@@ -217,11 +217,11 @@ SSL *s;
                                {
                                s->state=SSL3_ST_SR_CLNT_HELLO_A;
                                ssl3_init_finished_mac(s);
-                               s->ctx->sess_accept++;
+                               s->ctx->stats.sess_accept++;
                                }
                        else
                                {
-                               s->ctx->sess_accept_renegotiate++;
+                               s->ctx->stats.sess_accept_renegotiate++;
                                s->state=SSL3_ST_SW_HELLO_REQ_A;
                                }
                        break;
@@ -240,15 +240,6 @@ SSL *s;
                        break;
 
                case SSL3_ST_SW_HELLO_REQ_C:
-                       /* remove buffering on output */
-                       under=BIO_pop(s->wbio);
-                       if (under != NULL)
-                               s->wbio=under;
-                       else
-                               abort(); /* ok */
-                       BIO_free(s->bbio);
-                       s->bbio=NULL;
-
                        s->state=SSL_ST_OK;
                        ret=1;
                        goto end;
@@ -480,20 +471,14 @@ SSL *s;
                        s->init_buf=NULL;
 
                        /* remove buffering on output */
-                       under=BIO_pop(s->wbio);
-                       if (under != NULL)
-                               s->wbio=under;
-                       else
-                               abort(); /* ok */
-                       BIO_free(s->bbio);
-                       s->bbio=NULL;
+                       ssl_free_wbio_buffer(s);
 
                        s->new_session=0;
                        s->init_num=0;
 
                        ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
 
-                       s->ctx->sess_accept_good++;
+                       s->ctx->stats.sess_accept_good++;
                        /* s->server=1; */
                        s->handshake_func=ssl3_accept;
                        ret=1;
@@ -567,8 +552,9 @@ SSL *s;
        int i,j,ok,al,ret= -1;
        long n;
        unsigned long id;
-       unsigned char *p,*d;
+       unsigned char *p,*d,*q;
        SSL_CIPHER *c;
+       SSL_COMP *comp=NULL;
        STACK *ciphers=NULL;
 
        /* We do this so that we will respond with our native type.
@@ -595,6 +581,7 @@ SSL *s;
        /* The version number has already been checked in ssl3_get_message.
         * I a native TLSv1/SSLv3 method, the match must be correct except
         * perhaps for the first message */
+/*     s->client_version=(((int)p[0])<<8)|(int)p[1]; */
        p+=2;
 
        /* load the client random */
@@ -653,9 +640,16 @@ SSL *s;
                j=0;
                id=s->session->cipher->id;
 
+#ifdef CIPHER_DEBUG
+               printf("client sent %d ciphers\n",sk_num(ciphers));
+#endif
                for (i=0; i<sk_num(ciphers); i++)
                        {
                        c=(SSL_CIPHER *)sk_value(ciphers,i);
+#ifdef CIPHER_DEBUG
+                       printf("client [%2d of %2d]:%s\n",
+                               i,sk_num(ciphers),SSL_CIPHER_get_name(c));
+#endif
                        if (c->id == id)
                                {
                                j=1;
@@ -683,8 +677,11 @@ SSL *s;
 
        /* compression */
        i= *(p++);
+       q=p;
        for (j=0; j<i; j++)
+               {
                if (p[j] == 0) break;
+               }
 
        p+=i;
        if (j >= i)
@@ -695,6 +692,35 @@ SSL *s;
                goto f_err;
                }
 
+       /* Worst case, we will use the NULL compression, but if we have other
+        * options, we will now look for them.  We have i-1 compression
+        * algorithms from the client, starting at q. */
+       s->s3->tmp.new_compression=NULL;
+       if (s->ctx->comp_methods != NULL)
+               { /* See if we have a match */
+               int m,nn,o,v,done=0;
+
+               nn=sk_num(s->ctx->comp_methods);
+               for (m=0; m<nn; m++)
+                       {
+                       comp=(SSL_COMP *)sk_value(s->ctx->comp_methods,m);
+                       v=comp->id;
+                       for (o=0; o<i; o++)
+                               {
+                               if (v == q[o])
+                                       {
+                                       done=1;
+                                       break;
+                                       }
+                               }
+                       if (done) break;
+                       }
+               if (done)
+                       s->s3->tmp.new_compression=comp;
+               else
+                       comp=NULL;
+               }
+
        /* TLS does not mind if there is extra stuff */
        if (s->version == SSL3_VERSION)
                {
@@ -708,13 +734,12 @@ SSL *s;
                        }
                }
 
-       /* do nothing with compression */
-
        /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
         * pick a cipher */
 
        if (!s->hit)
                {
+               s->session->compress_meth=(comp == NULL)?0:comp->id;
                if (s->session->ciphers != NULL)
                        sk_free(s->session->ciphers);
                s->session->ciphers=ciphers;
@@ -835,7 +860,10 @@ SSL *s;
                p+=i;
 
                /* put the compression method */
-               *(p++)=0;
+               if (s->s3->tmp.new_compression == NULL)
+                       *(p++)=0;
+               else
+                       *(p++)=s->s3->tmp.new_compression->id;
 
                /* do the header */
                l=(p-d);
@@ -1266,13 +1294,26 @@ SSL *s;
 #if 1
                /* If a bad decrypt, use a random master key */
                if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
-                       ((p[0] != (s->version>>8)) ||
-                        (p[1] != (s->version & 0xff))))
+                       ((p[0] != (s->client_version>>8)) ||
+                        (p[1] != (s->client_version & 0xff))))
                        {
-                       p[0]=(s->version>>8);
-                       p[1]=(s->version & 0xff);
-                       RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
-                       i=SSL_MAX_MASTER_KEY_LENGTH;
+                       int bad=1;
+
+                       if ((i == SSL_MAX_MASTER_KEY_LENGTH) &&
+                               (p[0] == (s->version>>8)) &&
+                               (p[1] == 0))
+                               {
+                               if (s->options & SSL_OP_TLS_ROLLBACK_BUG)
+                                       bad=0;
+                               }
+                       if (bad)
+                               {
+                               p[0]=(s->version>>8);
+                               p[1]=(s->version & 0xff);
+                               RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+                               i=SSL_MAX_MASTER_KEY_LENGTH;
+                               }
+                       /* else, an SSLeay bug, ssl only server, tls client */
                        }
 #else
                if (i != SSL_MAX_MASTER_KEY_LENGTH)
index 10ca9c534276c572dbb16bbfbad2361dcd3fe80c..84256f905adc127b08ce66a8861f092e3bac9e0d 100644 (file)
 #define SSL_F_SSL_BYTES_TO_CIPHER_LIST                  161
 #define SSL_F_SSL_CERT_NEW                              162
 #define SSL_F_SSL_CHECK_PRIVATE_KEY                     163
-#define SSL_F_SSL_CREATE_CIPHER_LIST                    164
-#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                         165
-#define SSL_F_SSL_CTX_NEW                               166
-#define SSL_F_SSL_CTX_SET_SSL_VERSION                   167
-#define SSL_F_SSL_CTX_USE_CERTIFICATE                   168
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1              169
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE              170
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY                    171
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1               172
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE               173
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY                         174
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1            175
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE            176
-#define SSL_F_SSL_DO_HANDSHAKE                          177
-#define SSL_F_SSL_GET_NEW_SESSION                       178
-#define SSL_F_SSL_GET_SERVER_SEND_CERT                  179
-#define SSL_F_SSL_GET_SIGN_PKEY                                 180
-#define SSL_F_SSL_INIT_WBIO_BUFFER                      181
-#define SSL_F_SSL_LOAD_CLIENT_CA_FILE                   182
-#define SSL_F_SSL_NEW                                   183
-#define SSL_F_SSL_RSA_PRIVATE_DECRYPT                   184
-#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT                    185
-#define SSL_F_SSL_SESSION_NEW                           186
-#define SSL_F_SSL_SESSION_PRINT_FP                      187
-#define SSL_F_SSL_SET_CERT                              188
-#define SSL_F_SSL_SET_FD                                189
-#define SSL_F_SSL_SET_PKEY                              190
-#define SSL_F_SSL_SET_RFD                               191
-#define SSL_F_SSL_SET_SESSION                           192
-#define SSL_F_SSL_SET_WFD                               193
-#define SSL_F_SSL_UNDEFINED_FUNCTION                    194
-#define SSL_F_SSL_USE_CERTIFICATE                       195
-#define SSL_F_SSL_USE_CERTIFICATE_ASN1                  196
-#define SSL_F_SSL_USE_CERTIFICATE_FILE                  197
-#define SSL_F_SSL_USE_PRIVATEKEY                        198
-#define SSL_F_SSL_USE_PRIVATEKEY_ASN1                   199
-#define SSL_F_SSL_USE_PRIVATEKEY_FILE                   200
-#define SSL_F_SSL_USE_RSAPRIVATEKEY                     201
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1                202
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE                203
-#define SSL_F_SSL_VERIFY_CERT_CHAIN                     204
-#define SSL_F_SSL_WRITE                                         205
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE                  206
-#define SSL_F_TLS1_ENC                                  207
-#define SSL_F_TLS1_SETUP_KEY_BLOCK                      208
-#define SSL_F_WRITE_PENDING                             209
+#define SSL_F_SSL_CLEAR                                         164
+#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD           165
+#define SSL_F_SSL_CREATE_CIPHER_LIST                    166
+#define SSL_F_SSL_CTX_ADD_COMPRESSION                   167
+#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                         168
+#define SSL_F_SSL_CTX_NEW                               169
+#define SSL_F_SSL_CTX_SET_SSL_VERSION                   170
+#define SSL_F_SSL_CTX_USE_CERTIFICATE                   171
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1              172
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE              173
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY                    174
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1               175
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE               176
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY                         177
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1            178
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE            179
+#define SSL_F_SSL_DO_HANDSHAKE                          180
+#define SSL_F_SSL_GET_NEW_SESSION                       181
+#define SSL_F_SSL_GET_SERVER_SEND_CERT                  182
+#define SSL_F_SSL_GET_SIGN_PKEY                                 183
+#define SSL_F_SSL_INIT_WBIO_BUFFER                      184
+#define SSL_F_SSL_LOAD_CLIENT_CA_FILE                   185
+#define SSL_F_SSL_NEW                                   186
+#define SSL_F_SSL_RSA_PRIVATE_DECRYPT                   187
+#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT                    188
+#define SSL_F_SSL_SESSION_NEW                           189
+#define SSL_F_SSL_SESSION_PRINT_FP                      190
+#define SSL_F_SSL_SET_CERT                              191
+#define SSL_F_SSL_SET_FD                                192
+#define SSL_F_SSL_SET_PKEY                              193
+#define SSL_F_SSL_SET_RFD                               194
+#define SSL_F_SSL_SET_SESSION                           195
+#define SSL_F_SSL_SET_WFD                               196
+#define SSL_F_SSL_UNDEFINED_FUNCTION                    197
+#define SSL_F_SSL_USE_CERTIFICATE                       198
+#define SSL_F_SSL_USE_CERTIFICATE_ASN1                  199
+#define SSL_F_SSL_USE_CERTIFICATE_FILE                  200
+#define SSL_F_SSL_USE_PRIVATEKEY                        201
+#define SSL_F_SSL_USE_PRIVATEKEY_ASN1                   202
+#define SSL_F_SSL_USE_PRIVATEKEY_FILE                   203
+#define SSL_F_SSL_USE_RSAPRIVATEKEY                     204
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1                205
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE                206
+#define SSL_F_SSL_VERIFY_CERT_CHAIN                     207
+#define SSL_F_SSL_WRITE                                         208
+#define SSL_F_TLS1_CHANGE_CIPHER_STATE                  209
+#define SSL_F_TLS1_ENC                                  210
+#define SSL_F_TLS1_SETUP_KEY_BLOCK                      211
+#define SSL_F_WRITE_PENDING                             212
 
 /* Reason codes. */
 #define SSL_R_APP_DATA_IN_HANDSHAKE                     100
 #define SSL_R_NO_CIPHER_MATCH                           185
 #define SSL_R_NO_CLIENT_CERT_RECEIVED                   186
 #define SSL_R_NO_COMPRESSION_SPECIFIED                  187
-#define SSL_R_NO_PRIVATEKEY                             188
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED                   189
-#define SSL_R_NO_PROTOCOLS_AVAILABLE                    190
-#define SSL_R_NO_PUBLICKEY                              191
-#define SSL_R_NO_SHARED_CIPHER                          192
-#define SSL_R_NO_VERIFY_CALLBACK                        193
-#define SSL_R_NULL_SSL_CTX                              194
-#define SSL_R_NULL_SSL_METHOD_PASSED                    195
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED           196
-#define SSL_R_PACKET_LENGTH_TOO_LONG                    197
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE                 198
-#define SSL_R_PEER_ERROR                                199
-#define SSL_R_PEER_ERROR_CERTIFICATE                    200
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE                         201
-#define SSL_R_PEER_ERROR_NO_CIPHER                      202
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE   203
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG                   204
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS                 205
-#define SSL_R_PROTOCOL_IS_SHUTDOWN                      206
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR                  207
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA                     208
-#define SSL_R_PUBLIC_KEY_NOT_RSA                        209
-#define SSL_R_READ_BIO_NOT_SET                          210
-#define SSL_R_READ_WRONG_PACKET_TYPE                    211
-#define SSL_R_RECORD_LENGTH_MISMATCH                    212
-#define SSL_R_RECORD_TOO_LARGE                          213
-#define SSL_R_REQUIRED_CIPHER_MISSING                   214
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO                215
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO                  216
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO                217
-#define SSL_R_SHORT_READ                                218
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE     219
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT                         220
+#define SSL_R_NO_METHOD_SPECIFIED                       188
+#define SSL_R_NO_PRIVATEKEY                             189
+#define SSL_R_NO_PRIVATE_KEY_ASSIGNED                   190
+#define SSL_R_NO_PROTOCOLS_AVAILABLE                    191
+#define SSL_R_NO_PUBLICKEY                              192
+#define SSL_R_NO_SHARED_CIPHER                          193
+#define SSL_R_NO_VERIFY_CALLBACK                        194
+#define SSL_R_NULL_SSL_CTX                              195
+#define SSL_R_NULL_SSL_METHOD_PASSED                    196
+#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED           197
+#define SSL_R_PACKET_LENGTH_TOO_LONG                    198
+#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE                 199
+#define SSL_R_PEER_ERROR                                200
+#define SSL_R_PEER_ERROR_CERTIFICATE                    201
+#define SSL_R_PEER_ERROR_NO_CERTIFICATE                         202
+#define SSL_R_PEER_ERROR_NO_CIPHER                      203
+#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE   204
+#define SSL_R_PRE_MAC_LENGTH_TOO_LONG                   205
+#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS                 206
+#define SSL_R_PROTOCOL_IS_SHUTDOWN                      207
+#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR                  208
+#define SSL_R_PUBLIC_KEY_IS_NOT_RSA                     209
+#define SSL_R_PUBLIC_KEY_NOT_RSA                        210
+#define SSL_R_READ_BIO_NOT_SET                          211
+#define SSL_R_READ_WRONG_PACKET_TYPE                    212
+#define SSL_R_RECORD_LENGTH_MISMATCH                    213
+#define SSL_R_RECORD_TOO_LARGE                          214
+#define SSL_R_REQUIRED_CIPHER_MISSING                   215
+#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO                216
+#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO                  217
+#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO                218
+#define SSL_R_SHORT_READ                                219
+#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE     220
+#define SSL_R_SSL23_DOING_SESSION_ID_REUSE              221
+#define SSL_R_SSL3_SESSION_ID_TOO_SHORT                         222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE               1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC                1020
 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED           1045
 #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE             1040
 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER             1047
 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE                1041
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE        221
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE     222
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER          223
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE        223
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE     224
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER          225
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE            1010
-#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE     225
+#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE     227
 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE       1043
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION        226
-#define SSL_R_SSL_HANDSHAKE_FAILURE                     227
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS                228
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT               229
+#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION        228
+#define SSL_R_SSL_HANDSHAKE_FAILURE                     229
+#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS                230
+#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT               231
 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED                         1049
 #define SSL_R_TLSV1_ALERT_DECODE_ERROR                  1050
 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED             1021
 #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW               1022
 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA                    1048
 #define SSL_R_TLSV1_ALERT_USER_CANCLED                  1090
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER      230
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG   232
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER           233
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS                         234
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY              235
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS              236
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS      237
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD                         238
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES          239
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES          240
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES                 241
-#define SSL_R_UNEXPECTED_MESSAGE                        242
-#define SSL_R_UNEXPECTED_RECORD                                 243
-#define SSL_R_UNKNOWN_ALERT_TYPE                        244
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE                  245
-#define SSL_R_UNKNOWN_CIPHER_RETURNED                   246
-#define SSL_R_UNKNOWN_CIPHER_TYPE                       247
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE                         248
-#define SSL_R_UNKNOWN_PKEY_TYPE                                 249
-#define SSL_R_UNKNOWN_PROTOCOL                          250
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE                         251
-#define SSL_R_UNKNOWN_SSL_VERSION                       252
-#define SSL_R_UNKNOWN_STATE                             253
-#define SSL_R_UNSUPPORTED_CIPHER                        254
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM                 255
-#define SSL_R_UNSUPPORTED_PROTOCOL                      256
-#define SSL_R_UNSUPPORTED_SSL_VERSION                   257
-#define SSL_R_WRITE_BIO_NOT_SET                                 258
-#define SSL_R_WRONG_CIPHER_RETURNED                     259
-#define SSL_R_WRONG_MESSAGE_TYPE                        260
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS                  261
-#define SSL_R_WRONG_SIGNATURE_LENGTH                    262
-#define SSL_R_WRONG_SIGNATURE_SIZE                      263
-#define SSL_R_WRONG_SSL_VERSION                                 264
-#define SSL_R_WRONG_VERSION_NUMBER                      265
-#define SSL_R_X509_LIB                                  266
-#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS          267
+#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER      232
+#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG   234
+#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER           235
+#define SSL_R_UNABLE_TO_DECODE_DH_CERTS                         236
+#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY              237
+#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS              238
+#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS      239
+#define SSL_R_UNABLE_TO_FIND_SSL_METHOD                         240
+#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES          241
+#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES          242
+#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES                 243
+#define SSL_R_UNEXPECTED_MESSAGE                        244
+#define SSL_R_UNEXPECTED_RECORD                                 245
+#define SSL_R_UNKNOWN_ALERT_TYPE                        246
+#define SSL_R_UNKNOWN_CERTIFICATE_TYPE                  247
+#define SSL_R_UNKNOWN_CIPHER_RETURNED                   248
+#define SSL_R_UNKNOWN_CIPHER_TYPE                       249
+#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE                         250
+#define SSL_R_UNKNOWN_PKEY_TYPE                                 251
+#define SSL_R_UNKNOWN_PROTOCOL                          252
+#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE                         253
+#define SSL_R_UNKNOWN_SSL_VERSION                       254
+#define SSL_R_UNKNOWN_STATE                             255
+#define SSL_R_UNSUPPORTED_CIPHER                        256
+#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM                 257
+#define SSL_R_UNSUPPORTED_PROTOCOL                      258
+#define SSL_R_UNSUPPORTED_SSL_VERSION                   259
+#define SSL_R_WRITE_BIO_NOT_SET                                 260
+#define SSL_R_WRONG_CIPHER_RETURNED                     261
+#define SSL_R_WRONG_MESSAGE_TYPE                        262
+#define SSL_R_WRONG_NUMBER_OF_KEY_BITS                  263
+#define SSL_R_WRONG_SIGNATURE_LENGTH                    264
+#define SSL_R_WRONG_SIGNATURE_SIZE                      265
+#define SSL_R_WRONG_SSL_VERSION                                 266
+#define SSL_R_WRONG_VERSION_NUMBER                      267
+#define SSL_R_X509_LIB                                  268
+#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS          269
index 92b7695e6189c6bbf2524e2dac7c8e574469e9b1..689122db029e5c87068e6a0218840e0a9b03ced9 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1,3 +1,15 @@
+#define SSL_CTX_sess_set_new_cb(ctx,cb)        ((ctx)->new_session_cb=(cb))
+#define SSL_CTX_sess_get_new_cb(ctx)   ((ctx)->new_session_cb)
+#define SSL_CTX_sess_set_remove_cb(ctx,cb)     ((ctx)->remove_session_cb=(cb))
+#define SSL_CTX_sess_get_remove_cb(ctx)        ((ctx)->remove_session_cb)
+#define SSL_CTX_sess_set_get_cb(ctx,cb)        ((ctx)->get_session_cb=(cb))
+#define SSL_CTX_sess_get_get_cb(ctx)   ((ctx)->get_session_cb)
+#define SSL_CTX_set_info_callback(ctx,cb)      ((ctx)->info_callback=(cb))
+#define SSL_CTX_get_info_callback(ctx)         ((ctx)->info_callback)
+
+#define SSL_CTX_set_client_cert_cb(ctx,cb)     ((ctx)->client_cert_cb=(cb))
+#define SSL_CTX_get_client_cert_cb(ctx)                ((ctx)->client_cert_cb)
+
 /* ssl/ssl.h */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
@@ -193,6 +205,7 @@ typedef struct ssl_method_st
        struct ssl_method_st *(*get_ssl_method)(int version);
        long (*get_timeout)(void);
        struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
+       int (*ssl_version)();
        } SSL_METHOD;
 
 /* Lets make this into an ASN.1 type structure as follows
@@ -238,11 +251,7 @@ typedef struct ssl_session_st
        long timeout;
        long time;
 
-#ifdef HEADER_COMP_H
-       COMP_CTX *compress_meth;
-#else
-       char *compress_meth;
-#endif
+       int compress_meth;              /* Need to lookup the method */
 
        SSL_CIPHER *cipher;
        unsigned long cipher_id;        /* when ASN.1 loaded, this
@@ -267,6 +276,7 @@ typedef struct ssl_session_st
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                        0x00000080L
 #define SSL_OP_TLS_D5_BUG                              0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                   0x00000200L
+#define SSL_OP_TLS_ROLLBACK_BUG                                0x00000400L
 
 /* If set, only use tmp_dh parameters once */
 #define SSL_OP_SINGLE_DH_USE                           0x00100000L
@@ -282,22 +292,32 @@ typedef struct ssl_session_st
 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG         0x80000000L
 #define SSL_OP_ALL                                     0x000FFFFFL
 
-#define SSL_CTX_set_options(ctx,op)    ((ctx)->options|=(op))
-#define SSL_set_options(ssl,op)                ((ssl)->options|=(op))
+#define SSL_CTX_set_options(ctx,op) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,op,NULL)
+#define SSL_CTX_get_options(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL)
+#define SSL_set_options(ssl,op) \
+       SSL_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL)
+#define SSL_get_options(ssl) \
+        SSL_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL)
 
 #define SSL_OP_NO_SSLv2                                        0x01000000L
 #define SSL_OP_NO_SSLv3                                        0x02000000L
 #define SSL_OP_NO_TLSv1                                        0x04000000L
 
-/* Normally you will only use these if your application wants to use
- * the certificate store in other places, perhaps PKCS7 */
-#define SSL_CTX_get_cert_store(ctx)     ((ctx)->cert_store)
-#define SSL_CTX_set_cert_store(ctx,cs) \
-                (X509_STORE_free((ctx)->cert_store),(ctx)->cert_store=(cs))
-
-
 #define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT     (1024*20)
 
+typedef struct ssl_comp_st
+{
+    int id;
+    char *name;
+#ifdef HEADER_COMP_H
+    COMP_METHOD *method;
+#else
+    char *method;
+#endif
+} SSL_COMP;
+
 struct ssl_ctx_st
        {
        SSL_METHOD *method;
@@ -347,46 +367,50 @@ struct ssl_ctx_st
        SSL_SESSION *(*get_session_cb)();
 #endif
 
-       int sess_connect;       /* SSL new connection - started */
-       int sess_connect_renegotiate;/* SSL renegotiatene  - requested */
-       int sess_connect_good;  /* SSL new connection/renegotiate - finished */
-       int sess_accept;        /* SSL new accept - started */
-       int sess_accept_renegotiate;/* SSL renegotiatene - requested */
-       int sess_accept_good;   /* SSL accept/renegotiate - finished */
-       int sess_miss;          /* session lookup misses  */
-       int sess_timeout;       /* session reuse attempt on timeouted session */
-       int sess_cache_full;    /* session removed due to full cache */
-       int sess_hit;           /* session reuse actually done */
-       int sess_cb_hit;        /* session-id that was not in the cache was
-                                * passed back via the callback.  This
-                                * indicates that the application is supplying
-                                * session-id's from other processes -
-                                * spooky :-) */
+       struct
+               {
+               int sess_connect;       /* SSL new conn - started */
+               int sess_connect_renegotiate;/* SSL reneg - requested */
+               int sess_connect_good;  /* SSL new conne/reneg - finished */
+               int sess_accept;        /* SSL new accept - started */
+               int sess_accept_renegotiate;/* SSL reneg - requested */
+               int sess_accept_good;   /* SSL accept/reneg - finished */
+               int sess_miss;          /* session lookup misses  */
+               int sess_timeout;       /* reuse attempt on timeouted session */
+               int sess_cache_full;    /* session removed due to full cache */
+               int sess_hit;           /* session reuse actually done */
+               int sess_cb_hit;        /* session-id that was not
+                                        * in the cache was
+                                        * passed back via the callback.  This
+                                        * indicates that the application is
+                                        * supplying session-id's from other
+                                        * processes - spooky :-) */
+               } stats;
 
        int references;
 
-       void (*info_callback)();
+/**/   void (*info_callback)();
 
        /* if defined, these override the X509_verify_cert() calls */
-       int (*app_verify_callback)();
-       char *app_verify_arg;
+/**/   int (*app_verify_callback)();
+/**/   char *app_verify_arg;
 
        /* default values to use in SSL structures */
-       struct cert_st /* CERT */ *default_cert;
-       int default_read_ahead;
-       int default_verify_mode;
-       int (*default_verify_callback)();
+/**/   struct cert_st /* CERT */ *default_cert;
+/**/   int read_ahead;
+/**/   int verify_mode;
+/**/   int (*default_verify_callback)();
 
        /* Default password callback. */
-       int (*default_passwd_callback)();
+/**/   int (*default_passwd_callback)();
 
        /* get client cert callback */
-       int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
+/**/   int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
 
        /* what we put in client requests */
        STACK *client_CA;
 
-       int quiet_shutdown;
+/**/   int quiet_shutdown;
 
        CRYPTO_EX_DATA ex_data;
 
@@ -395,6 +419,7 @@ struct ssl_ctx_st
        EVP_MD *sha1;   /* For SSLv3/TLSv1 'ssl3->sha1' */
 
        STACK *extra_certs;
+        STACK *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
        };
 
 #define SSL_SESS_CACHE_OFF                     0x0000
@@ -407,41 +432,30 @@ struct ssl_ctx_st
  * defined, this will still get called. */
 #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP      0x0100
 
-#define SSL_CTX_sessions(ctx)          ((ctx)->sessions)
-/* You will need to include lhash.h to access the following #define */
-#define SSL_CTX_sess_number(ctx)       ((ctx)->sessions->num_items)
-#define SSL_CTX_sess_connect(ctx)      ((ctx)->sess_connect)
-#define SSL_CTX_sess_connect_good(ctx) ((ctx)->sess_connect_good)
-#define SSL_CTX_sess_accept(ctx)       ((ctx)->sess_accept)
-#define SSL_CTX_sess_accept_renegotiate(ctx)   ((ctx)->sess_accept_renegotiate)
-#define SSL_CTX_sess_connect_renegotiate(ctx)  ((ctx)->sess_connect_renegotiate)
-#define SSL_CTX_sess_accept_good(ctx)  ((ctx)->sess_accept_good)
-#define SSL_CTX_sess_hits(ctx)         ((ctx)->sess_hit)
-#define SSL_CTX_sess_cb_hits(ctx)      ((ctx)->sess_cb_hit)
-#define SSL_CTX_sess_misses(ctx)       ((ctx)->sess_miss)
-#define SSL_CTX_sess_timeouts(ctx)     ((ctx)->sess_timeout)
-#define SSL_CTX_sess_cache_full(ctx)   ((ctx)->sess_cache_full)
-
-#define SSL_CTX_sess_set_cache_size(ctx,t) ((ctx)->session_cache_size=(t))
-#define SSL_CTX_sess_get_cache_size(ctx)   ((ctx)->session_cache_size)
-
-#define SSL_CTX_sess_set_new_cb(ctx,cb)        ((ctx)->new_session_cb=(cb))
-#define SSL_CTX_sess_get_new_cb(ctx)   ((ctx)->new_session_cb)
-#define SSL_CTX_sess_set_remove_cb(ctx,cb)     ((ctx)->remove_session_cb=(cb))
-#define SSL_CTX_sess_get_remove_cb(ctx)        ((ctx)->remove_session_cb)
-#define SSL_CTX_sess_set_get_cb(ctx,cb)        ((ctx)->get_session_cb=(cb))
-#define SSL_CTX_sess_get_get_cb(ctx)   ((ctx)->get_session_cb)
-#define SSL_CTX_set_session_cache_mode(ctx,m)  ((ctx)->session_cache_mode=(m))
-#define SSL_CTX_get_session_cache_mode(ctx)    ((ctx)->session_cache_mode)
-#define SSL_CTX_set_timeout(ctx,t)     ((ctx)->session_timeout=(t))
-#define SSL_CTX_get_timeout(ctx)       ((ctx)->session_timeout)
-
-#define SSL_CTX_set_info_callback(ctx,cb)      ((ctx)->info_callback=(cb))
-#define SSL_CTX_get_info_callback(ctx)         ((ctx)->info_callback)
-#define SSL_CTX_set_default_read_ahead(ctx,m) (((ctx)->default_read_ahead)=(m))
-
-#define SSL_CTX_set_client_cert_cb(ctx,cb)     ((ctx)->client_cert_cb=(cb))
-#define SSL_CTX_get_client_cert_cb(ctx)                ((ctx)->client_cert_cb)
+#define SSL_CTX_sess_number(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
+#define SSL_CTX_sess_connect(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
+#define SSL_CTX_sess_connect_good(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
+#define SSL_CTX_sess_connect_renegotiate(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
+#define SSL_CTX_sess_accept(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
+#define SSL_CTX_sess_accept_renegotiate(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
+#define SSL_CTX_sess_accept_good(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
+#define SSL_CTX_sess_hits(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
+#define SSL_CTX_sess_cb_hits(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
+#define SSL_CTX_sess_misses(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
+#define SSL_CTX_sess_timeouts(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
+#define SSL_CTX_sess_cache_full(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
 
 #define SSL_NOTHING    1
 #define SSL_WRITING    2
@@ -449,11 +463,10 @@ struct ssl_ctx_st
 #define SSL_X509_LOOKUP        4
 
 /* These will only be used when doing non-blocking IO */
-#define SSL_want(s)            ((s)->rwstate)
-#define SSL_want_nothing(s)    ((s)->rwstate == SSL_NOTHING)
-#define SSL_want_read(s)       ((s)->rwstate == SSL_READING)
-#define SSL_want_write(s)      ((s)->rwstate == SSL_WRITING)
-#define SSL_want_x509_lookup(s)        ((s)->rwstate == SSL_X509_LOOKUP)
+#define SSL_want_nothing(s)    (SSL_want(s) == SSL_NOTHING)
+#define SSL_want_read(s)       (SSL_want(s) == SSL_READING)
+#define SSL_want_write(s)      (SSL_want(s) == SSL_WRITING)
+#define SSL_want_x509_lookup(s)        (SSL_want(s) == SSL_X509_LOOKUP)
 
 struct ssl_st
        {
@@ -490,7 +503,7 @@ struct ssl_st
        int in_handshake;
        int (*handshake_func)();
 
-/*     int server;*/   /* are we the server side? */
+       int server;     /* are we the server side? - mostly used by SSL_clear*/
 
        int new_session;/* 1 if we are to use a new session */
        int quiet_shutdown;/* don't send shutdown packets */
@@ -569,6 +582,8 @@ struct ssl_st
        int references;
        unsigned long options;
        int first_packet;
+       int client_version;     /* what was passed, used for
+                                * SSLv3/TLS rolback check */
        };
 
 #include "ssl2.h"
@@ -634,6 +649,8 @@ struct ssl_st
 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT        0x02
 #define SSL_VERIFY_CLIENT_ONCE         0x04
 
+#define SSLeay_add_ssl_algorithms()    SSL_library_init()
+
 /* this is for backward compatablility */
 #if 0 /* NEW_SSLEAY */
 #define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
@@ -726,8 +743,29 @@ struct ssl_st
 #define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS      9
 #define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS      10
 #define SSL_CTRL_GET_FLAGS                     11
-
-#define SSL_CTRL_EXTRA_CHAIN_CERT              11
+#define SSL_CTRL_EXTRA_CHAIN_CERT              12
+
+/* Stats */
+#define SSL_CTRL_SESS_NUMBER                   20
+#define SSL_CTRL_SESS_CONNECT                  21
+#define SSL_CTRL_SESS_CONNECT_GOOD             22
+#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE      23
+#define SSL_CTRL_SESS_ACCEPT                   24
+#define SSL_CTRL_SESS_ACCEPT_GOOD              25
+#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE       26
+#define SSL_CTRL_SESS_HIT                      27
+#define SSL_CTRL_SESS_CB_HIT                   28
+#define SSL_CTRL_SESS_MISSES                   29
+#define SSL_CTRL_SESS_TIMEOUTS                 30
+#define SSL_CTRL_SESS_CACHE_FULL               31
+#define SSL_CTRL_OPTIONS                       32
+
+#define SSL_CTRL_GET_READ_AHEAD                        40
+#define SSL_CTRL_SET_READ_AHEAD                        41
+#define SSL_CTRL_SET_SESS_CACHE_SIZE           42
+#define SSL_CTRL_GET_SESS_CACHE_SIZE           43
+#define SSL_CTRL_SET_SESS_CACHE_MODE           44
+#define SSL_CTRL_GET_SESS_CACHE_MODE           45
 
 #define SSL_session_reused(ssl) \
        SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
@@ -763,7 +801,13 @@ void BIO_ssl_shutdown(BIO *ssl_bio);
 int    SSL_CTX_set_cipher_list(SSL_CTX *,char *str);
 SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
 void   SSL_CTX_free(SSL_CTX *);
-void   SSL_clear(SSL *s);
+long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
+long SSL_CTX_get_timeout(SSL_CTX *ctx);
+X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
+void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
+int SSL_want(SSL *s);
+int    SSL_clear(SSL *s);
+
 void   SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
 
 SSL_CIPHER *SSL_get_current_cipher(SSL *s);
@@ -796,7 +840,7 @@ int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
 int    SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
 int    SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
 int    SSL_use_certificate(SSL *ssl, X509 *x);
-int    SSL_use_certificate_ASN1(SSL *ssl, int len, unsigned char *d);
+int    SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
 
 #ifndef NO_STDIO
 int    SSL_use_RSAPrivateKey_file(SSL *ssl, char *file, int type);
@@ -860,7 +904,6 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx);
 int SSL_check_private_key(SSL *ctx);
 
 SSL *  SSL_new(SSL_CTX *ctx);
-void    SSL_clear(SSL *s);
 void   SSL_free(SSL *ssl);
 int    SSL_accept(SSL *ssl);
 int    SSL_connect(SSL *ssl);
@@ -917,7 +960,7 @@ void SSL_set_accept_state(SSL *s);
 
 long SSL_get_default_timeout(SSL *s);
 
-void SSLeay_add_ssl_algorithms(void );
+int SSL_library_init(void );
 
 char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
 STACK *SSL_dup_CA_list(STACK *sk);
@@ -962,6 +1005,22 @@ int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
 
 int SSL_get_ex_data_X509_STORE_CTX_idx(void );
 
+#define SSL_CTX_sess_set_cache_size(ctx,t) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
+#define SSL_CTX_sess_get_cache_size(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
+#define SSL_CTX_set_session_cache_mode(ctx,m) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
+#define SSL_CTX_get_session_cache_mode(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
+
+#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
+#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
+#define SSL_CTX_get_read_ahead(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
+#define SSL_CTX_set_read_ahead(ctx,m) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL)
+
 /* For the next 2, the callbacks are 
  * RSA *tmp_rsa_cb(SSL *ssl,int export)
  * DH *tmp_dh_cb(SSL *ssl,int export)
@@ -970,6 +1029,12 @@ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
                                  RSA *(*cb)(SSL *ssl,int export));
 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export));
 
+#ifdef HEADER_COMP_H
+int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
+#else
+int SSL_COMP_add_compression_method(int id,char *cm);
+#endif
+
 #else
 
 BIO_METHOD *BIO_f_ssl();
@@ -979,6 +1044,12 @@ BIO *BIO_new_buffer_ssl_connect();
 int BIO_ssl_copy_session_id();
 void BIO_ssl_shutdown();
 
+long SSL_CTX_set_timeout();
+long SSL_CTX_get_timeout();
+X509_STORE *SSL_CTX_get_cert_store();
+void SSL_CTX_set_cert_store();
+int SSL_want();
+
 int    SSL_CTX_set_cipher_list();
 SSL_CTX *SSL_CTX_new();
 void   SSL_CTX_free();
@@ -1134,7 +1205,7 @@ void SSL_set_accept_state();
 
 long SSL_get_default_timeout();
 
-void SSLeay_add_ssl_algorithms();
+int SSL_library_init();
 
 char *SSL_CIPHER_description();
 STACK *SSL_dup_CA_list();
@@ -1178,6 +1249,7 @@ char *SSL_CTX_get_ex_data();
 int SSL_CTX_get_ex_new_index();
 
 int SSL_get_ex_data_X509_STORE_CTX_idx();
+int SSL_COMP_add_compression_method();
 
 /* For the next 2, the callbacks are 
  * RSA *tmp_rsa_cb(SSL *ssl,int export)
@@ -1258,52 +1330,55 @@ void SSL_CTX_set_tmp_dh_callback();
 #define SSL_F_SSL_BYTES_TO_CIPHER_LIST                  161
 #define SSL_F_SSL_CERT_NEW                              162
 #define SSL_F_SSL_CHECK_PRIVATE_KEY                     163
-#define SSL_F_SSL_CREATE_CIPHER_LIST                    164
-#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                         165
-#define SSL_F_SSL_CTX_NEW                               166
-#define SSL_F_SSL_CTX_SET_SSL_VERSION                   167
-#define SSL_F_SSL_CTX_USE_CERTIFICATE                   168
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1              169
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE              170
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY                    171
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1               172
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE               173
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY                         174
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1            175
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE            176
-#define SSL_F_SSL_DO_HANDSHAKE                          177
-#define SSL_F_SSL_GET_NEW_SESSION                       178
-#define SSL_F_SSL_GET_SERVER_SEND_CERT                  179
-#define SSL_F_SSL_GET_SIGN_PKEY                                 180
-#define SSL_F_SSL_INIT_WBIO_BUFFER                      181
-#define SSL_F_SSL_LOAD_CLIENT_CA_FILE                   182
-#define SSL_F_SSL_NEW                                   183
-#define SSL_F_SSL_RSA_PRIVATE_DECRYPT                   184
-#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT                    185
-#define SSL_F_SSL_SESSION_NEW                           186
-#define SSL_F_SSL_SESSION_PRINT_FP                      187
-#define SSL_F_SSL_SET_CERT                              188
-#define SSL_F_SSL_SET_FD                                189
-#define SSL_F_SSL_SET_PKEY                              190
-#define SSL_F_SSL_SET_RFD                               191
-#define SSL_F_SSL_SET_SESSION                           192
-#define SSL_F_SSL_SET_WFD                               193
-#define SSL_F_SSL_UNDEFINED_FUNCTION                    194
-#define SSL_F_SSL_USE_CERTIFICATE                       195
-#define SSL_F_SSL_USE_CERTIFICATE_ASN1                  196
-#define SSL_F_SSL_USE_CERTIFICATE_FILE                  197
-#define SSL_F_SSL_USE_PRIVATEKEY                        198
-#define SSL_F_SSL_USE_PRIVATEKEY_ASN1                   199
-#define SSL_F_SSL_USE_PRIVATEKEY_FILE                   200
-#define SSL_F_SSL_USE_RSAPRIVATEKEY                     201
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1                202
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE                203
-#define SSL_F_SSL_VERIFY_CERT_CHAIN                     204
-#define SSL_F_SSL_WRITE                                         205
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE                  206
-#define SSL_F_TLS1_ENC                                  207
-#define SSL_F_TLS1_SETUP_KEY_BLOCK                      208
-#define SSL_F_WRITE_PENDING                             209
+#define SSL_F_SSL_CLEAR                                         164
+#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD           165
+#define SSL_F_SSL_CREATE_CIPHER_LIST                    166
+#define SSL_F_SSL_CTX_ADD_COMPRESSION                   167
+#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                         168
+#define SSL_F_SSL_CTX_NEW                               169
+#define SSL_F_SSL_CTX_SET_SSL_VERSION                   170
+#define SSL_F_SSL_CTX_USE_CERTIFICATE                   171
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1              172
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE              173
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY                    174
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1               175
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE               176
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY                         177
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1            178
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE            179
+#define SSL_F_SSL_DO_HANDSHAKE                          180
+#define SSL_F_SSL_GET_NEW_SESSION                       181
+#define SSL_F_SSL_GET_SERVER_SEND_CERT                  182
+#define SSL_F_SSL_GET_SIGN_PKEY                                 183
+#define SSL_F_SSL_INIT_WBIO_BUFFER                      184
+#define SSL_F_SSL_LOAD_CLIENT_CA_FILE                   185
+#define SSL_F_SSL_NEW                                   186
+#define SSL_F_SSL_RSA_PRIVATE_DECRYPT                   187
+#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT                    188
+#define SSL_F_SSL_SESSION_NEW                           189
+#define SSL_F_SSL_SESSION_PRINT_FP                      190
+#define SSL_F_SSL_SET_CERT                              191
+#define SSL_F_SSL_SET_FD                                192
+#define SSL_F_SSL_SET_PKEY                              193
+#define SSL_F_SSL_SET_RFD                               194
+#define SSL_F_SSL_SET_SESSION                           195
+#define SSL_F_SSL_SET_WFD                               196
+#define SSL_F_SSL_UNDEFINED_FUNCTION                    197
+#define SSL_F_SSL_USE_CERTIFICATE                       198
+#define SSL_F_SSL_USE_CERTIFICATE_ASN1                  199
+#define SSL_F_SSL_USE_CERTIFICATE_FILE                  200
+#define SSL_F_SSL_USE_PRIVATEKEY                        201
+#define SSL_F_SSL_USE_PRIVATEKEY_ASN1                   202
+#define SSL_F_SSL_USE_PRIVATEKEY_FILE                   203
+#define SSL_F_SSL_USE_RSAPRIVATEKEY                     204
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1                205
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE                206
+#define SSL_F_SSL_VERIFY_CERT_CHAIN                     207
+#define SSL_F_SSL_WRITE                                         208
+#define SSL_F_TLS1_CHANGE_CIPHER_STATE                  209
+#define SSL_F_TLS1_ENC                                  210
+#define SSL_F_TLS1_SETUP_KEY_BLOCK                      211
+#define SSL_F_WRITE_PENDING                             212
 
 /* Reason codes. */
 #define SSL_R_APP_DATA_IN_HANDSHAKE                     100
@@ -1394,39 +1469,41 @@ void SSL_CTX_set_tmp_dh_callback();
 #define SSL_R_NO_CIPHER_MATCH                           185
 #define SSL_R_NO_CLIENT_CERT_RECEIVED                   186
 #define SSL_R_NO_COMPRESSION_SPECIFIED                  187
-#define SSL_R_NO_PRIVATEKEY                             188
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED                   189
-#define SSL_R_NO_PROTOCOLS_AVAILABLE                    190
-#define SSL_R_NO_PUBLICKEY                              191
-#define SSL_R_NO_SHARED_CIPHER                          192
-#define SSL_R_NO_VERIFY_CALLBACK                        193
-#define SSL_R_NULL_SSL_CTX                              194
-#define SSL_R_NULL_SSL_METHOD_PASSED                    195
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED           196
-#define SSL_R_PACKET_LENGTH_TOO_LONG                    197
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE                 198
-#define SSL_R_PEER_ERROR                                199
-#define SSL_R_PEER_ERROR_CERTIFICATE                    200
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE                         201
-#define SSL_R_PEER_ERROR_NO_CIPHER                      202
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE   203
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG                   204
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS                 205
-#define SSL_R_PROTOCOL_IS_SHUTDOWN                      206
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR                  207
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA                     208
-#define SSL_R_PUBLIC_KEY_NOT_RSA                        209
-#define SSL_R_READ_BIO_NOT_SET                          210
-#define SSL_R_READ_WRONG_PACKET_TYPE                    211
-#define SSL_R_RECORD_LENGTH_MISMATCH                    212
-#define SSL_R_RECORD_TOO_LARGE                          213
-#define SSL_R_REQUIRED_CIPHER_MISSING                   214
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO                215
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO                  216
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO                217
-#define SSL_R_SHORT_READ                                218
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE     219
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT                         220
+#define SSL_R_NO_METHOD_SPECIFIED                       188
+#define SSL_R_NO_PRIVATEKEY                             189
+#define SSL_R_NO_PRIVATE_KEY_ASSIGNED                   190
+#define SSL_R_NO_PROTOCOLS_AVAILABLE                    191
+#define SSL_R_NO_PUBLICKEY                              192
+#define SSL_R_NO_SHARED_CIPHER                          193
+#define SSL_R_NO_VERIFY_CALLBACK                        194
+#define SSL_R_NULL_SSL_CTX                              195
+#define SSL_R_NULL_SSL_METHOD_PASSED                    196
+#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED           197
+#define SSL_R_PACKET_LENGTH_TOO_LONG                    198
+#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE                 199
+#define SSL_R_PEER_ERROR                                200
+#define SSL_R_PEER_ERROR_CERTIFICATE                    201
+#define SSL_R_PEER_ERROR_NO_CERTIFICATE                         202
+#define SSL_R_PEER_ERROR_NO_CIPHER                      203
+#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE   204
+#define SSL_R_PRE_MAC_LENGTH_TOO_LONG                   205
+#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS                 206
+#define SSL_R_PROTOCOL_IS_SHUTDOWN                      207
+#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR                  208
+#define SSL_R_PUBLIC_KEY_IS_NOT_RSA                     209
+#define SSL_R_PUBLIC_KEY_NOT_RSA                        210
+#define SSL_R_READ_BIO_NOT_SET                          211
+#define SSL_R_READ_WRONG_PACKET_TYPE                    212
+#define SSL_R_RECORD_LENGTH_MISMATCH                    213
+#define SSL_R_RECORD_TOO_LARGE                          214
+#define SSL_R_REQUIRED_CIPHER_MISSING                   215
+#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO                216
+#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO                  217
+#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO                218
+#define SSL_R_SHORT_READ                                219
+#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE     220
+#define SSL_R_SSL23_DOING_SESSION_ID_REUSE              221
+#define SSL_R_SSL3_SESSION_ID_TOO_SHORT                         222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE               1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC                1020
 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED           1045
@@ -1436,17 +1513,17 @@ void SSL_CTX_set_tmp_dh_callback();
 #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE             1040
 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER             1047
 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE                1041
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE        221
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE     222
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER          223
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE        223
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE     224
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER          225
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE            1010
-#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE     225
+#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE     227
 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE       1043
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION        226
-#define SSL_R_SSL_HANDSHAKE_FAILURE                     227
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS                228
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT               229
+#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION        228
+#define SSL_R_SSL_HANDSHAKE_FAILURE                     229
+#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS                230
+#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT               231
 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED                         1049
 #define SSL_R_TLSV1_ALERT_DECODE_ERROR                  1050
 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED             1021
@@ -1459,44 +1536,44 @@ void SSL_CTX_set_tmp_dh_callback();
 #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW               1022
 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA                    1048
 #define SSL_R_TLSV1_ALERT_USER_CANCLED                  1090
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER      230
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG   232
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER           233
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS                         234
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY              235
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS              236
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS      237
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD                         238
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES          239
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES          240
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES                 241
-#define SSL_R_UNEXPECTED_MESSAGE                        242
-#define SSL_R_UNEXPECTED_RECORD                                 243
-#define SSL_R_UNKNOWN_ALERT_TYPE                        244
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE                  245
-#define SSL_R_UNKNOWN_CIPHER_RETURNED                   246
-#define SSL_R_UNKNOWN_CIPHER_TYPE                       247
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE                         248
-#define SSL_R_UNKNOWN_PKEY_TYPE                                 249
-#define SSL_R_UNKNOWN_PROTOCOL                          250
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE                         251
-#define SSL_R_UNKNOWN_SSL_VERSION                       252
-#define SSL_R_UNKNOWN_STATE                             253
-#define SSL_R_UNSUPPORTED_CIPHER                        254
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM                 255
-#define SSL_R_UNSUPPORTED_PROTOCOL                      256
-#define SSL_R_UNSUPPORTED_SSL_VERSION                   257
-#define SSL_R_WRITE_BIO_NOT_SET                                 258
-#define SSL_R_WRONG_CIPHER_RETURNED                     259
-#define SSL_R_WRONG_MESSAGE_TYPE                        260
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS                  261
-#define SSL_R_WRONG_SIGNATURE_LENGTH                    262
-#define SSL_R_WRONG_SIGNATURE_SIZE                      263
-#define SSL_R_WRONG_SSL_VERSION                                 264
-#define SSL_R_WRONG_VERSION_NUMBER                      265
-#define SSL_R_X509_LIB                                  266
-#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS          267
+#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER      232
+#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG   234
+#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER           235
+#define SSL_R_UNABLE_TO_DECODE_DH_CERTS                         236
+#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY              237
+#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS              238
+#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS      239
+#define SSL_R_UNABLE_TO_FIND_SSL_METHOD                         240
+#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES          241
+#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES          242
+#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES                 243
+#define SSL_R_UNEXPECTED_MESSAGE                        244
+#define SSL_R_UNEXPECTED_RECORD                                 245
+#define SSL_R_UNKNOWN_ALERT_TYPE                        246
+#define SSL_R_UNKNOWN_CERTIFICATE_TYPE                  247
+#define SSL_R_UNKNOWN_CIPHER_RETURNED                   248
+#define SSL_R_UNKNOWN_CIPHER_TYPE                       249
+#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE                         250
+#define SSL_R_UNKNOWN_PKEY_TYPE                                 251
+#define SSL_R_UNKNOWN_PROTOCOL                          252
+#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE                         253
+#define SSL_R_UNKNOWN_SSL_VERSION                       254
+#define SSL_R_UNKNOWN_STATE                             255
+#define SSL_R_UNSUPPORTED_CIPHER                        256
+#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM                 257
+#define SSL_R_UNSUPPORTED_PROTOCOL                      258
+#define SSL_R_UNSUPPORTED_SSL_VERSION                   259
+#define SSL_R_WRITE_BIO_NOT_SET                                 260
+#define SSL_R_WRONG_CIPHER_RETURNED                     261
+#define SSL_R_WRONG_MESSAGE_TYPE                        262
+#define SSL_R_WRONG_NUMBER_OF_KEY_BITS                  263
+#define SSL_R_WRONG_SIGNATURE_LENGTH                    264
+#define SSL_R_WRONG_SIGNATURE_SIZE                      265
+#define SSL_R_WRONG_SSL_VERSION                                 266
+#define SSL_R_WRONG_VERSION_NUMBER                      267
+#define SSL_R_X509_LIB                                  268
+#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS          269
  
 #ifdef  __cplusplus
 }
index 7c5c94d7c90789040e3caa939251934ccb6fcaaa..cf8238c1ebcc83be02535cb4d5c52c653a0649d1 100644 (file)
@@ -341,12 +341,13 @@ typedef struct ssl3_ctx_st
                EVP_CIPHER *new_sym_enc;
                EVP_MD *new_hash;
 #ifdef HEADER_COMP_H
-               COMP_METHOD *new_compression;
+               SSL_COMP *new_compression;
 #else
                char *new_compression;
 #endif
                int cert_request;
                } tmp;
+
        } SSL3_CTX;
 
 /* SSLv3 */
index 92ec322dae8b46eab03d36f2b4a9be07e27251be..31809582bd4294a645620eaf04b3ab1aa86c930b 100644 (file)
@@ -61,7 +61,7 @@
 #include "lhash.h"
 #include "ssl_locl.h"
 
-void SSLeay_add_ssl_algorithms()
+int SSL_library_init()
        {
 #ifndef NO_DES
        EVP_add_cipher(EVP_des_cbc());
@@ -98,5 +98,6 @@ void SSLeay_add_ssl_algorithms()
        EVP_add_digest(EVP_sha());
        EVP_add_digest(EVP_dss());
 #endif
+       return(1);
        }
 
index 87e384f8f745a2db632a62c20de247ad3fb032fe..30501cb70048d2d86de613b2afcba3e34e2a5e48 100644 (file)
@@ -58,6 +58,7 @@
 
 #include <stdio.h>
 #include "objects.h"
+#include "comp.h"
 #include "ssl_locl.h"
 
 #define SSL_ENC_DES_IDX                0
@@ -73,6 +74,8 @@ static EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
        NULL,NULL,NULL,NULL,NULL,NULL,
        };
 
+static STACK /* SSL_COMP */ *ssl_comp_methods=NULL;
+
 #define SSL_MD_MD5_IDX 0
 #define SSL_MD_SHA1_IDX        1
 #define SSL_MD_NUM_IDX 2
@@ -180,14 +183,41 @@ static void load_ciphers()
                EVP_get_digestbyname(SN_sha1);
        }
 
-int ssl_cipher_get_evp(c,enc,md)
-SSL_CIPHER *c;
+int ssl_cipher_get_evp(s,enc,md,comp)
+SSL_SESSION *s;
 EVP_CIPHER **enc;
 EVP_MD **md;
+SSL_COMP **comp;
        {
        int i;
+       SSL_CIPHER *c;
 
+       c=s->cipher;
        if (c == NULL) return(0);
+       if (comp != NULL)
+               {
+               SSL_COMP ctmp;
+
+               if (s->compress_meth == 0)
+                       *comp=NULL;
+               else if (ssl_comp_methods == NULL)
+                       {
+                       /* bad */
+                       *comp=NULL;
+                       }
+               else
+                       {
+
+                       ctmp.id=s->compress_meth;
+                       i=sk_find(ssl_comp_methods,(char *)&ctmp);
+                       if (i >= 0)
+                               *comp=(SSL_COMP *)sk_value(ssl_comp_methods,i);
+                       else
+                               *comp=NULL;
+                       }
+               }
+
+       if ((enc == NULL) || (md == NULL)) return(0);
 
        switch (c->algorithms & SSL_ENC_MASK)
                {
@@ -730,10 +760,12 @@ int *alg_bits;
        int ret=0,a=0;
        EVP_CIPHER *enc;
        EVP_MD *md;
+       SSL_SESSION ss;
 
        if (c != NULL)
                {
-               if (!ssl_cipher_get_evp(c,&enc,&md))
+               ss.cipher=c;
+               if (!ssl_cipher_get_evp(&ss,&enc,&md,NULL))
                        return(0);
 
                a=EVP_CIPHER_key_length(enc)*8;
@@ -756,3 +788,55 @@ int *alg_bits;
        return(ret);
        }
 
+SSL_COMP *ssl3_comp_find(sk,n)
+STACK *sk;
+int n;
+       {
+       SSL_COMP *ctmp;
+       int i,nn;
+
+       if ((n == 0) || (sk == NULL)) return(NULL);
+       nn=sk_num(sk);
+       for (i=0; i<nn; i++)
+               {
+               ctmp=(SSL_COMP *)sk_value(sk,i);
+               if (ctmp->id == n)
+                       return(ctmp);
+               }
+       return(NULL);
+       }
+
+static int sk_comp_cmp(a,b)
+SSL_COMP **a,**b;
+       {
+       return((*a)->id-(*b)->id);
+       }
+
+STACK *SSL_COMP_get_compression_methods()
+       {
+       return(ssl_comp_methods);
+       }
+
+int SSL_COMP_add_compression_method(id,cm)
+int id;
+COMP_METHOD *cm;
+       {
+       SSL_COMP *comp;
+       STACK *sk;
+
+       comp=(SSL_COMP *)Malloc(sizeof(SSL_COMP));
+       comp->id=id;
+       comp->method=cm;
+       if (ssl_comp_methods == NULL)
+               sk=ssl_comp_methods=sk_new(sk_comp_cmp);
+       else
+               sk=ssl_comp_methods;
+       if ((sk == NULL) || !sk_push(sk,(char *)comp))
+               {
+               SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
+               return(0);
+               }
+       else
+               return(1);
+       }
+
index 847f0f3f8a660261218ad61e771ea0636cfa3508..5f3d94d496a34cc8597d9372824146abfa925ade 100644 (file)
@@ -127,7 +127,10 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_PACK(0,SSL_F_SSL_BYTES_TO_CIPHER_LIST,0), "SSL_BYTES_TO_CIPHER_LIST"},
 {ERR_PACK(0,SSL_F_SSL_CERT_NEW,0),     "SSL_CERT_NEW"},
 {ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0),    "SSL_check_private_key"},
+{ERR_PACK(0,SSL_F_SSL_CLEAR,0),        "SSL_clear"},
+{ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0),  "SSL_COMP_add_compression_method"},
 {ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0),   "SSL_CREATE_CIPHER_LIST"},
+{ERR_PACK(0,SSL_F_SSL_CTX_ADD_COMPRESSION,0),  "SSL_CTX_ADD_COMPRESSION"},
 {ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0),        "SSL_CTX_check_private_key"},
 {ERR_PACK(0,SSL_F_SSL_CTX_NEW,0),      "SSL_CTX_new"},
 {ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0),  "SSL_CTX_set_ssl_version"},
@@ -266,6 +269,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_NO_CIPHER_MATCH                   ,"no cipher match"},
 {SSL_R_NO_CLIENT_CERT_RECEIVED           ,"no client cert received"},
 {SSL_R_NO_COMPRESSION_SPECIFIED          ,"no compression specified"},
+{SSL_R_NO_METHOD_SPECIFIED               ,"no method specified"},
 {SSL_R_NO_PRIVATEKEY                     ,"no privatekey"},
 {SSL_R_NO_PRIVATE_KEY_ASSIGNED           ,"no private key assigned"},
 {SSL_R_NO_PROTOCOLS_AVAILABLE            ,"no protocols available"},
@@ -298,6 +302,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_REUSE_CIPHER_LIST_NOT_ZERO        ,"reuse cipher list not zero"},
 {SSL_R_SHORT_READ                        ,"short read"},
 {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
+{SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
 {SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
 {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
 {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
index c9a228519951651109e1d91301a66897467eb879..2019a400ffd3966b13fc168ce508f50c746a9d42 100644 (file)
@@ -77,30 +77,37 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={
        ssl_undefined_function,
        };
 
-void SSL_clear(s)
+int SSL_clear(s)
 SSL *s;
        {
        int state;
 
-       if (s->method == NULL) return;
+       if (s->method == NULL)
+               {
+               SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
+               return(0);
+               }
 
        s->error=0;
        s->hit=0;
+       s->shutdown=0;
 
+#if 0
        /* This is set if we are doing dynamic renegotiation so keep
         * the old cipher.  It is sort of a SSL_clear_lite :-) */
-       if (s->new_session) return;
+       if (s->new_session) return(1);
+#endif
 
        state=s->state; /* Keep to check if we throw away the session-id */
        s->type=0;
 
+       s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
+
        s->version=s->method->version;
+       s->client_version=s->version;
        s->rwstate=SSL_NOTHING;
-       s->state=SSL_ST_BEFORE;
        s->rstate=SSL_ST_READ_HEADER;
-       s->read_ahead=s->ctx->default_read_ahead;
-
-/*     s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); */
+       s->read_ahead=s->ctx->read_ahead;
 
        if (s->init_buf != NULL)
                {
@@ -116,10 +123,22 @@ SSL *s;
                s->session=NULL;
                }
 
-       s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
        s->first_packet=0;
 
-       s->method->ssl_clear(s);
+#if 1
+       /* Check to see if we were changed into a different method, if
+        * so, revert back if we are not doing session-id reuse. */
+       if ((s->session == NULL) && (s->method != s->ctx->method))
+               {
+               s->method->ssl_free(s);
+               s->method=s->ctx->method;
+               if (!s->method->ssl_new(s))
+                       return(0);
+               }
+       else
+#endif
+               s->method->ssl_clear(s);
+       return(1);
        }
 
 /* Used to change an SSL_CTXs default SSL method type */
@@ -169,7 +188,7 @@ SSL_CTX *ctx;
                }
        else
                s->cert=NULL;
-       s->verify_mode=ctx->default_verify_mode;
+       s->verify_mode=ctx->verify_mode;
        s->verify_callback=ctx->default_verify_callback;
        CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
        s->ctx=ctx;
@@ -187,6 +206,7 @@ SSL_CTX *ctx;
 
        s->quiet_shutdown=ctx->quiet_shutdown;
        s->references=1;
+       s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
        s->options=ctx->options;
        SSL_clear(s);
 
@@ -251,11 +271,6 @@ SSL *s;
 
        ssl_clear_cipher_ctx(s);
 
-       if (s->expand != NULL)
-               COMP_CTX_free(s->expand);
-       if (s->compress != NULL)
-               COMP_CTX_free(s->compress);
-
        if (s->cert != NULL) ssl_cert_free(s->cert);
        /* Free up if allocated */
 
@@ -402,7 +417,7 @@ SSL *s;
 int SSL_CTX_get_verify_mode(ctx)
 SSL_CTX *ctx;
        {
-       return(ctx->default_verify_mode);
+       return(ctx->verify_mode);
        }
 
 int (*SSL_CTX_get_verify_callback(ctx))()
@@ -623,7 +638,22 @@ int cmd;
 long larg;
 char *parg;
        {
-       return(s->method->ssl_ctrl(s,cmd,larg,parg));
+       long l;
+
+       switch (cmd)
+               {
+       case SSL_CTRL_GET_READ_AHEAD:
+               return(s->read_ahead);
+       case SSL_CTRL_SET_READ_AHEAD:
+               l=s->read_ahead;
+               s->read_ahead=larg;
+               return(l);
+       case SSL_CTRL_OPTIONS:
+               return(s->options|=larg);
+       default:
+               return(s->method->ssl_ctrl(s,cmd,larg,parg));
+               }
+       return(0);
        }
 
 long SSL_CTX_ctrl(ctx,cmd,larg,parg)
@@ -632,7 +662,60 @@ int cmd;
 long larg;
 char *parg;
        {
-       return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
+       long l;
+
+       switch (cmd)
+               {
+       case SSL_CTRL_GET_READ_AHEAD:
+               return(ctx->read_ahead);
+       case SSL_CTRL_SET_READ_AHEAD:
+               l=ctx->read_ahead;
+               ctx->read_ahead=larg;
+               return(l);
+
+       case SSL_CTRL_SET_SESS_CACHE_SIZE:
+               l=ctx->session_cache_size;
+               ctx->session_cache_size=larg;
+               return(l);
+       case SSL_CTRL_GET_SESS_CACHE_SIZE:
+               return(ctx->session_cache_size);
+       case SSL_CTRL_SET_SESS_CACHE_MODE:
+               l=ctx->session_cache_mode;
+               ctx->session_cache_mode=larg;
+               return(l);
+       case SSL_CTRL_GET_SESS_CACHE_MODE:
+               return(ctx->session_cache_mode);
+
+       case SSL_CTRL_SESS_NUMBER:
+               return(ctx->sessions->num_items);
+       case SSL_CTRL_SESS_CONNECT:
+               return(ctx->stats.sess_connect);
+       case SSL_CTRL_SESS_CONNECT_GOOD:
+               return(ctx->stats.sess_connect_good);
+       case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
+               return(ctx->stats.sess_connect_renegotiate);
+       case SSL_CTRL_SESS_ACCEPT:
+               return(ctx->stats.sess_accept);
+       case SSL_CTRL_SESS_ACCEPT_GOOD:
+               return(ctx->stats.sess_accept_good);
+       case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
+               return(ctx->stats.sess_accept_renegotiate);
+       case SSL_CTRL_SESS_HIT:
+               return(ctx->stats.sess_hit);
+       case SSL_CTRL_SESS_CB_HIT:
+               return(ctx->stats.sess_cb_hit);
+       case SSL_CTRL_SESS_MISSES:
+               return(ctx->stats.sess_miss);
+       case SSL_CTRL_SESS_TIMEOUTS:
+               return(ctx->stats.sess_timeout);
+       case SSL_CTRL_SESS_CACHE_FULL:
+               return(ctx->stats.sess_cache_full);
+       case SSL_CTRL_OPTIONS:
+               return(ctx->options|=larg);
+       default:
+               return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
+               }
+       return(0);
        }
 
 int ssl_cipher_id_cmp(a,b)
@@ -903,17 +986,7 @@ SSL_METHOD *meth;
        ret->remove_session_cb=NULL;
        ret->get_session_cb=NULL;
 
-       ret->sess_connect=0;
-       ret->sess_connect_good=0;
-       ret->sess_accept=0;
-       ret->sess_accept_renegotiate=0;
-       ret->sess_connect_renegotiate=0;
-       ret->sess_accept_good=0;
-       ret->sess_miss=0;
-       ret->sess_timeout=0;
-       ret->sess_cache_full=0;
-       ret->sess_hit=0;
-       ret->sess_cb_hit=0;
+       memset((char *)&ret->stats,0,sizeof(ret->stats));
 
        ret->references=1;
        ret->quiet_shutdown=0;
@@ -929,8 +1002,8 @@ SSL_METHOD *meth;
        ret->app_verify_callback=NULL;
        ret->app_verify_arg=NULL;
 
-       ret->default_read_ahead=0;
-       ret->default_verify_mode=SSL_VERIFY_NONE;
+       ret->read_ahead=0;
+       ret->verify_mode=SSL_VERIFY_NONE;
        ret->default_verify_callback=NULL;
        if ((ret->default_cert=ssl_cert_new()) == NULL)
                goto err;
@@ -974,6 +1047,7 @@ SSL_METHOD *meth;
        CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data);
 
        ret->extra_certs=NULL;
+       ret->comp_methods=SSL_COMP_get_compression_methods();
 
        return(ret);
 err:
@@ -1021,6 +1095,8 @@ SSL_CTX *a;
                sk_pop_free(a->client_CA,X509_NAME_free);
        if (a->extra_certs != NULL)
                sk_pop_free(a->extra_certs,X509_free);
+       if (a->comp_methods != NULL)
+               sk_pop_free(a->comp_methods,free);
        Free((char *)a);
        }
 
@@ -1049,7 +1125,7 @@ int (*cb)(int, X509_STORE_CTX *);
 int (*cb)();
 #endif
        {
-       ctx->default_verify_mode=mode;
+       ctx->verify_mode=mode;
        ctx->default_verify_callback=cb;
        /* This needs cleaning up EAY EAY EAY */
        X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
@@ -1246,8 +1322,8 @@ int mode;
                ((i & mode) == mode))
                {
                if (  (((mode & SSL_SESS_CACHE_CLIENT)
-                       ?s->ctx->sess_connect_good
-                       :s->ctx->sess_accept_good) & 0xff) == 0xff)
+                       ?s->ctx->stats.sess_connect_good
+                       :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
                        {
                        SSL_CTX_flush_sessions(s->ctx,time(NULL));
                        }
@@ -1294,12 +1370,20 @@ SSL *s;
 int i;
        {
        int reason;
+       unsigned long l;
        BIO *bio;
 
        if (i > 0) return(SSL_ERROR_NONE);
 
-       if (ERR_peek_error() != 0)
-               return(SSL_ERROR_SSL);
+       /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
+        * etc, where we do encode the error */
+       if ((l=ERR_peek_error()) != 0)
+               {
+               if (ERR_GET_LIB(l) == ERR_LIB_SYS)
+                       return(SSL_ERROR_SYSCALL);
+               else
+                       return(SSL_ERROR_SSL);
+               }
 
        if ((i < 0) && SSL_want_read(s))
                {
@@ -1381,6 +1465,7 @@ SSL *s;
 void SSL_set_accept_state(s)
 SSL *s;
        {
+       s->server=1;
        s->shutdown=0;
        s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
        s->handshake_func=s->method->ssl_accept;
@@ -1391,6 +1476,7 @@ SSL *s;
 void SSL_set_connect_state(s)
 SSL *s;
        {
+       s->server=0;
        s->shutdown=0;
        s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
        s->handshake_func=s->method->ssl_connect;
@@ -1498,6 +1584,7 @@ SSL *s;
        ret->shutdown=s->shutdown;
        ret->state=s->state;
        ret->handshake_func=s->handshake_func;
+       ret->server=s->server;
 
        if (0)
                {
@@ -1523,6 +1610,16 @@ SSL *s;
                 Free(s->enc_write_ctx);
                 s->enc_write_ctx=NULL;
                 }
+       if (s->expand != NULL)
+               {
+               COMP_CTX_free(s->expand);
+               s->expand=NULL;
+               }
+       if (s->compress != NULL)
+               {
+               COMP_CTX_free(s->compress);
+               s->compress=NULL;
+               }
        }
 
 /* Fix this function so that it takes an optional type parameter */
@@ -1590,6 +1687,26 @@ int push;
                }
        return(1);
        }
+
+void ssl_free_wbio_buffer(s)
+SSL *s;
+       {
+       BIO *under;
+
+       if (s->bbio == NULL) return;
+
+       if (s->bbio == s->wbio)
+               {
+               /* remove buffering */
+               under=BIO_pop(s->wbio);
+               if (under != NULL)
+                       s->wbio=under;
+               else
+                       abort(); /* ok */
+               }
+       BIO_free(s->bbio);
+       s->bbio=NULL;
+       }
        
 void SSL_CTX_set_quiet_shutdown(ctx,mode)
 SSL_CTX *ctx;
@@ -1750,6 +1867,27 @@ SSL *s;
        return(1);
        }
 
+X509_STORE *SSL_CTX_get_cert_store(ctx)
+SSL_CTX *ctx;
+       {
+       return(ctx->cert_store);
+       }
+
+void SSL_CTX_set_cert_store(ctx,store)
+SSL_CTX *ctx;
+X509_STORE *store;
+       {
+       if (ctx->cert_store != NULL)
+               X509_STORE_free(ctx->cert_store);
+       ctx->cert_store=store;
+       }
+
+int SSL_want(s)
+SSL *s;
+       {
+       return(s->rwstate);
+       }
+
 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,int export))
     { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); }
 
index f2442544e3a7bba27c5e918eaa2cb0eaecb2e778..1a907514d997446d9ea323dfcf87601d6bf9e789 100644 (file)
@@ -348,7 +348,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK *sk,unsigned char *p);
 STACK *ssl_create_cipher_list(SSL_METHOD *meth,STACK **pref,
        STACK **sorted,char *str);
 void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(SSL_CIPHER *c, EVP_CIPHER **enc, EVP_MD **md);
+int ssl_cipher_get_evp(SSL_SESSION *s, EVP_CIPHER **enc, EVP_MD **md,
+       SSL_COMP **comp);
 int ssl_verify_cert_chain(SSL *s,STACK *sk);
 int ssl_undefined_function(SSL *s);
 X509 *ssl_get_server_send_cert(SSL *);
@@ -442,6 +443,7 @@ long tls1_ctrl(SSL *s,int cmd, long larg, char *parg);
 SSL_METHOD *tlsv1_base_method(void );
 
 int ssl_init_wbio_buffer(SSL *s, int push);
+void ssl_free_wbio_buffer(SSL *s);
 
 int tls1_change_cipher_state(SSL *s, int which);
 int tls1_setup_key_block(SSL *s);
@@ -456,6 +458,9 @@ int tls1_alert_code(int code);
 int ssl3_alert_code(int code);
 int ssl_ok(SSL *s);
 
+SSL_COMP *ssl3_comp_find(STACK *sk, int n);
+STACK *SSL_COMP_get_compression_methods(void);
+
 
 #else
 
@@ -562,10 +567,8 @@ int ssl23_read_bytes();
 int ssl23_write_bytes();
 
 int ssl_init_wbio_buffer();
+void ssl_free_wbio_buffer();
 
-#endif
-
-#endif
 int ssl3_cert_verify_mac();
 int ssl3_alert_code();
 int tls1_new();
@@ -582,3 +585,9 @@ int tls1_mac();
 int tls1_generate_master_secret();
 int tls1_alert_code();
 int ssl_ok();
+SSL_COMP *ssl3_comp_find();
+STACK *SSL_COMP_get_compression_methods();
+
+#endif
+
+#endif
index 745a8ec24f85b15f255f1051a5c67e0324147f45..43c51bc2b53bd23fd6dca0f1e6762f757644cd8e 100644 (file)
@@ -152,10 +152,10 @@ end:
        }
 #endif
 
-int SSL_use_certificate_ASN1(ssl, len, d)
+int SSL_use_certificate_ASN1(ssl, d,len)
 SSL *ssl;
-int len;
 unsigned char *d;
+int len;
        {
        X509 *x;
        int ret;
index 95cd7fed8ad31170047144ff7ba84c918c4c3f5c..adaab3545fa9dd27d52bd6e27689950420d274e4 100644 (file)
@@ -123,6 +123,7 @@ SSL_SESSION *SSL_SESSION_new()
        ss->time=time(NULL);
        ss->prev=NULL;
        ss->next=NULL;
+       ss->compress_meth=0;
        CRYPTO_new_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
        return(ss);
        }
@@ -136,8 +137,10 @@ int session;
        if ((ss=SSL_SESSION_new()) == NULL) return(0);
 
        /* If the context has a default timeout, use it */
-       if (s->ctx->session_timeout != 0)
+       if (s->ctx->session_timeout == 0)
                ss->timeout=SSL_get_default_timeout(s);
+       else
+               ss->timeout=s->ctx->session_timeout;
 
        if (s->session != NULL)
                {
@@ -218,13 +221,13 @@ int len;
                {
                int copy=1;
 
-               s->ctx->sess_miss++;
+               s->ctx->stats.sess_miss++;
                ret=NULL;
                if ((s->ctx->get_session_cb != NULL) &&
                        ((ret=s->ctx->get_session_cb(s,session_id,len,&copy))
                                != NULL))
                        {
-                       s->ctx->sess_cb_hit++;
+                       s->ctx->stats.sess_cb_hit++;
 
                        /* The following should not return 1, otherwise,
                         * things are very strange */
@@ -260,14 +263,14 @@ int len;
 
        if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
                {
-               s->ctx->sess_timeout++;
+               s->ctx->stats.sess_timeout++;
                /* remove it from the cache */
                SSL_CTX_remove_session(s->ctx,ret);
                SSL_SESSION_free(ret);          /* again to actually Free it */
                return(0);
                }
 
-       s->ctx->sess_hit++;
+       s->ctx->stats.sess_hit++;
 
        /* ret->time=time(NULL); */ /* rezero timeout? */
        /* again, just leave the session 
@@ -318,7 +321,7 @@ SSL_SESSION *c;
                                        ctx->session_cache_tail))
                                        break;
                                else
-                                       ctx->sess_cache_full++;
+                                       ctx->stats.sess_cache_full++;
                                }
                        }
                }
@@ -413,7 +416,10 @@ SSL_SESSION *session;
                        {
                        if (!SSL_set_ssl_method(s,meth))
                                return(0);
-                       session->timeout=SSL_get_default_timeout(s);
+                       if (s->ctx->session_timeout == 0)
+                               session->timeout=SSL_get_default_timeout(s);
+                       else
+                               session->timeout=s->ctx->session_timeout;
                        }
 
                /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
@@ -431,6 +437,14 @@ SSL_SESSION *session;
                        SSL_SESSION_free(s->session);
                        s->session=NULL;
                        }
+
+               meth=s->ctx->method;
+               if (meth != s->method)
+                       {
+                       if (!SSL_set_ssl_method(s,meth))
+                               return(0);
+                       }
+               ret=1;
                }
        return(ret);
        }
@@ -467,6 +481,24 @@ long t;
        return(t);
        }
 
+long SSL_CTX_set_timeout(s,t)
+SSL_CTX *s;
+long t;
+       {
+       long l;
+       if (s == NULL) return(0);
+       l=s->session_timeout;
+       s->session_timeout=t;
+       return(l);
+       }
+
+long SSL_CTX_get_timeout(s)
+SSL_CTX *s;
+       {
+       if (s == NULL) return(0);
+       return(s->session_timeout);
+       }
+
 typedef struct timeout_param_st
        {
        SSL_CTX *ctx;
@@ -499,7 +531,7 @@ long t;
        TIMEOUT_PARAM tp;
 
        tp.ctx=s;
-       tp.cache=SSL_CTX_sessions(s);
+       tp.cache=s->sessions;
        if (tp.cache == NULL) return;
        tp.time=t;
        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
index ce60e1a6dd1eed7a889d2f449657c21e3b77e991..e41b738f5c9181cc9af4dbd910b06d8f3969558c 100644 (file)
@@ -133,6 +133,23 @@ SSL_SESSION *x;
                        sprintf(str,"%02X",x->key_arg[i]);
                        if (BIO_puts(bp,str) <= 0) goto err;
                        }
+       if (x->compress_meth != 0)
+               {
+               SSL_COMP *comp;
+
+               ssl_cipher_get_evp(x,NULL,NULL,&comp);
+               if (comp == NULL)
+                       {
+                       sprintf(str,"\n   Compression: %d",x->compress_meth);
+                       if (BIO_puts(bp,str) <= 0) goto err;
+                       }
+               else
+                       {
+                       sprintf(str,"\n   Compression: %d (%s)",
+                               comp->id,comp->method->name);
+                       if (BIO_puts(bp,str) <= 0) goto err;
+                       }
+               }       
        if (x->time != 0L)
                {
                sprintf(str,"\n    Start Time: %ld",x->time);
index ff686913d72022af6f45a53315324d33caa3d74f..4662770e3833dec0c81f9cacd0a53657ef624951 100644 (file)
@@ -243,7 +243,7 @@ bad:
 
 /*     if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
 
-       SSLeay_add_ssl_algorithms();
+       SSL_library_init();
        SSL_load_error_strings();
 
 #if !defined(NO_SSL2) && !defined(NO_SSL3)
index ac9da4da3ae85714215580b216c9c704aee480c9..f228295bba557b63d5703f3f0ec04b63db5e5f63 100644 (file)
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include "comp.h"
 #include "evp.h"
 #include "hmac.h"
 #include "ssl_locl.h"
@@ -175,7 +176,7 @@ int which;
        int client_write;
        EVP_CIPHER_CTX *dd;
        EVP_CIPHER *c;
-       COMP_METHOD *comp;
+       SSL_COMP *comp;
        EVP_MD *m;
        int exp,n,i,j,k,exp_label_len,cl;
 
@@ -200,14 +201,15 @@ int which;
                        }
                if (comp != NULL)
                        {
-                       s->expand=COMP_CTX_new(comp);
+                       s->expand=COMP_CTX_new(comp->method);
                        if (s->expand == NULL)
                                {
                                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
                                goto err2;
                                }
-                       s->s3->rrec.comp=(unsigned char *)
-                               Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
+                       if (s->s3->rrec.comp == NULL)
+                               s->s3->rrec.comp=(unsigned char *)
+                                       Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
                        if (s->s3->rrec.comp == NULL)
                                goto err;
                        }
@@ -229,7 +231,7 @@ int which;
                        }
                if (comp != NULL)
                        {
-                       s->compress=COMP_CTX_new(comp);
+                       s->compress=COMP_CTX_new(comp->method);
                        if (s->compress == NULL)
                                {
                                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
@@ -346,11 +348,12 @@ SSL *s;
        EVP_CIPHER *c;
        EVP_MD *hash;
        int num,exp;
+       SSL_COMP *comp;
 
        if (s->s3->tmp.key_block_length != 0)
                return(1);
 
-       if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash))
+       if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
                {
                SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                return(0);
@@ -504,7 +507,7 @@ unsigned char *out;
        unsigned int ret;
        EVP_MD_CTX ctx;
 
-       memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX));
+       EVP_MD_CTX_copy(&ctx,in_ctx);
        EVP_DigestFinal(&ctx,out,&ret);
        return((int)ret);
        }
@@ -525,10 +528,10 @@ unsigned char *out;
        memcpy(q,str,slen);
        q+=slen;
 
-       memcpy(&ctx,in1_ctx,sizeof(EVP_MD_CTX));
+       EVP_MD_CTX_copy(&ctx,in1_ctx);
        EVP_DigestFinal(&ctx,q,&i);
        q+=i;
-       memcpy(&ctx,in2_ctx,sizeof(EVP_MD_CTX));
+       EVP_MD_CTX_copy(&ctx,in2_ctx);
        EVP_DigestFinal(&ctx,q,&i);
        q+=i;