Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/openssl/openssl.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--CHANGES9
-rw-r--r--ssl/s23_clnt.c12
-rw-r--r--ssl/s23_pkt.c2
-rw-r--r--ssl/s23_srvr.c9
-rw-r--r--ssl/s2_clnt.c16
-rw-r--r--ssl/s2_enc.c2
-rw-r--r--ssl/s2_srvr.c11
-rw-r--r--ssl/s3_clnt.c73
-rw-r--r--ssl/s3_enc.c21
-rw-r--r--ssl/s3_lib.c25
-rw-r--r--ssl/s3_pkt.c4
-rw-r--r--ssl/s3_srvr.c101
-rw-r--r--ssl/ssl.err257
-rw-r--r--ssl/ssl.h503
-rw-r--r--ssl/ssl3.h3
-rw-r--r--ssl/ssl_algs.c3
-rw-r--r--ssl/ssl_ciph.c90
-rw-r--r--ssl/ssl_err.c5
-rw-r--r--ssl/ssl_lib.c210
-rw-r--r--ssl/ssl_locl.h17
-rw-r--r--ssl/ssl_rsa.c4
-rw-r--r--ssl/ssl_sess.c48
-rw-r--r--ssl/ssl_txt.c17
-rw-r--r--ssl/ssltest.c2
-rw-r--r--ssl/t1_enc.c21
25 files changed, 964 insertions, 501 deletions
diff --git a/CHANGES b/CHANGES
index 043c7552a7..470435fe82 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,15 @@
Changes between 0.9.1c and 0.9.2
+ *) Updates to the new SSL compression code
+ [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
+ *) Fix so that the version number in the master secret, when passed
+ via RSA, checks that if TLS was proposed, but we roll back to SSLv3
+ (because the server will not accept higher), that the version number
+ is 0x03,0x01, not 0x03,0x00
+ [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
*) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory
leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes
in apps/ and an unrellated leak in crypto/dsa/dsa_vrf.c
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 1b4c06838b..c0948fd2da 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -136,6 +136,13 @@ SSL *s;
case SSL_ST_BEFORE|SSL_ST_CONNECT:
case SSL_ST_OK|SSL_ST_CONNECT:
+ if (s->session != NULL)
+ {
+ SSLerr(SSL_F_SSL23_CONNECT,SSL_R_SSL23_DOING_SESSION_ID_REUSE);
+ ret= -1;
+ goto end;
+ }
+ s->server=0;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
/* s->version=TLS1_VERSION; */
@@ -161,7 +168,7 @@ SSL *s;
ssl3_init_finished_mac(s);
s->state=SSL23_ST_CW_CLNT_HELLO_A;
- s->ctx->sess_connect++;
+ s->ctx->stats.sess_connect++;
s->init_num=0;
break;
@@ -238,16 +245,19 @@ SSL *s;
{
*(d++)=TLS1_VERSION_MAJOR;
*(d++)=TLS1_VERSION_MINOR;
+ s->client_version=TLS1_VERSION;
}
else if (!(s->options & SSL_OP_NO_SSLv3))
{
*(d++)=SSL3_VERSION_MAJOR;
*(d++)=SSL3_VERSION_MINOR;
+ s->client_version=SSL3_VERSION;
}
else if (!(s->options & SSL_OP_NO_SSLv2))
{
*(d++)=SSL2_VERSION_MAJOR;
*(d++)=SSL2_VERSION_MINOR;
+ s->client_version=SSL2_VERSION;
}
else
{
diff --git a/ssl/s23_pkt.c b/ssl/s23_pkt.c
index c25c312772..99f909d50f 100644
--- a/ssl/s23_pkt.c
+++ b/ssl/s23_pkt.c
@@ -76,7 +76,7 @@ SSL *s;
{
s->rwstate=SSL_WRITING;
i=BIO_write(s->wbio,&(buf[tot]),num);
- if (i < 0)
+ if (i <= 0)
{
s->init_off=tot;
s->init_num=num;
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 6c8afeb857..d1f49e5ac3 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -134,6 +134,7 @@ SSL *s;
case SSL_ST_BEFORE|SSL_ST_ACCEPT:
case SSL_ST_OK|SSL_ST_ACCEPT:
+ s->server=1;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
/* s->version=SSL3_VERSION; */
@@ -157,7 +158,7 @@ SSL *s;
ssl3_init_finished_mac(s);
s->state=SSL23_ST_SR_CLNT_HELLO_A;
- s->ctx->sess_accept++;
+ s->ctx->stats.sess_accept++;
s->init_num=0;
break;
@@ -203,8 +204,10 @@ SSL *s;
unsigned int csl,sil,cl;
int n=0,j,tls1=0;
int type=0,use_sslv2_strong=0;
+ int v[2];
/* read the initial header */
+ v[0]=v[1]=0;
if (s->state == SSL23_ST_SR_CLNT_HELLO_A)
{
if (!ssl3_setup_buffers(s)) goto err;
@@ -221,12 +224,14 @@ SSL *s;
/* SSLv2 header */
if ((p[3] == 0x00) && (p[4] == 0x02))
{
+ v[0]=p[3]; v[1]=p[4];
/* SSLv2 */
if (!(s->options & SSL_OP_NO_SSLv2))
type=1;
}
else if (p[3] == SSL3_VERSION_MAJOR)
{
+ v[0]=p[3]; v[1]=p[4];
/* SSLv3/TLSv1 */
if (p[4] >= TLS1_VERSION_MINOR)
{
@@ -307,6 +312,7 @@ SSL *s;
(p[1] == SSL3_VERSION_MAJOR) &&
(p[5] == SSL3_MT_CLIENT_HELLO))
{
+ v[0]=p[1]; v[1]=p[2];
/* true SSLv3 or tls1 */
if (p[2] >= TLS1_VERSION_MINOR)
{
@@ -486,6 +492,7 @@ next_bit:
s->version=SSL3_VERSION;
s->method=SSLv3_server_method();
}
+ s->client_version=(v[0]<<8)|v[1];
s->handshake_func=s->method->ssl_accept;
}
diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
index 9c8037b48b..bbac33cf36 100644
--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -146,6 +146,7 @@ SSL *s;
case SSL_ST_BEFORE|SSL_ST_CONNECT:
case SSL_ST_OK|SSL_ST_CONNECT:
+ s->server=0;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
s->version=SSL2_VERSION;
@@ -166,7 +167,7 @@ SSL *s;
s->init_buf=buf;
s->init_num=0;
s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
- s->ctx->sess_connect++;
+ s->ctx->stats.sess_connect++;
s->handshake_func=ssl2_connect;
BREAK;
@@ -249,8 +250,11 @@ SSL *s;
break;
case SSL_ST_OK:
- BUF_MEM_free(s->init_buf);
- s->init_buf=NULL;
+ if (s->init_buf != NULL)
+ {
+ BUF_MEM_free(s->init_buf);
+ s->init_buf=NULL;
+ }
s->init_num=0;
/* ERR_clear_error();*/
@@ -261,11 +265,11 @@ SSL *s;
*/
ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
- if (s->hit) s->ctx->sess_hit++;
+ if (s->hit) s->ctx->stats.sess_hit++;
ret=1;
/* s->server=0; */
- s->ctx->sess_connect_good++;
+ s->ctx->stats.sess_connect_good++;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
@@ -538,7 +542,7 @@ SSL *s;
if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A)
{
- if (!ssl_cipher_get_evp(s->session->cipher,&c,&md))
+ if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
diff --git a/ssl/s2_enc.c b/ssl/s2_enc.c
index b43056fa14..63ebf28748 100644
--- a/ssl/s2_enc.c
+++ b/ssl/s2_enc.c
@@ -69,7 +69,7 @@ int client;
EVP_MD *md;
int num;
- if (!ssl_cipher_get_evp(s->session->cipher,&c,&md))
+ if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index 8580ac6a8d..814e38f480 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -155,6 +155,7 @@ SSL *s;
case SSL_ST_BEFORE|SSL_ST_ACCEPT:
case SSL_ST_OK|SSL_ST_ACCEPT:
+ s->server=1;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
s->version=SSL2_VERSION;
@@ -168,7 +169,7 @@ SSL *s;
{ ret= -1; goto end; }
s->init_buf=buf;
s->init_num=0;
- s->ctx->sess_accept++;
+ s->ctx->stats.sess_accept++;
s->handshake_func=ssl2_accept;
s->state=SSL2_ST_GET_CLIENT_HELLO_A;
BREAK;
@@ -295,13 +296,14 @@ SSL *s;
case SSL_ST_OK:
BUF_MEM_free(s->init_buf);
+ ssl_free_wbio_buffer(s);
s->init_buf=NULL;
s->init_num=0;
/* ERR_clear_error();*/
ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
- s->ctx->sess_accept_good++;
+ s->ctx->stats.sess_accept_good++;
/* s->server=1; */
ret=1;
@@ -336,9 +338,6 @@ static int get_client_master_key(s)
SSL *s;
{
int export,i,n,keya,ek;
-#if 0
- int error=0;
-#endif
unsigned char *p;
SSL_CIPHER *cp;
EVP_CIPHER *c;
@@ -404,7 +403,7 @@ SSL *s;
export=(s->session->cipher->algorithms & SSL_EXP)?1:0;
- if (!ssl_cipher_get_evp(s->session->cipher,&c,&md))
+ if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 363118835c..b2649ed998 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -134,7 +134,6 @@ SSL *s;
long num1;
void (*cb)()=NULL;
int ret= -1;
- BIO *under;
int new_state,state,skip=0;;
RAND_seed(&Time,sizeof(Time));
@@ -158,13 +157,14 @@ SSL *s;
case SSL_ST_RENEGOTIATE:
s->new_session=1;
s->state=SSL_ST_CONNECT;
- s->ctx->sess_connect_renegotiate++;
+ s->ctx->stats.sess_connect_renegotiate++;
/* break */
case SSL_ST_BEFORE:
case SSL_ST_CONNECT:
case SSL_ST_BEFORE|SSL_ST_CONNECT:
case SSL_ST_OK|SSL_ST_CONNECT:
+ s->server=0;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
if ((s->version & 0xff00 ) != 0x0300)
@@ -197,7 +197,7 @@ SSL *s;
ssl3_init_finished_mac(s);
s->state=SSL3_ST_CW_CLNT_HELLO_A;
- s->ctx->sess_connect++;
+ s->ctx->stats.sess_connect++;
s->init_num=0;
break;
@@ -326,6 +326,11 @@ SSL *s;
s->init_num=0;
s->session->cipher=s->s3->tmp.new_cipher;
+ if (s->s3->tmp.new_compression == NULL)
+ s->session->compress_meth=0;
+ else
+ s->session->compress_meth=
+ s->s3->tmp.new_compression->id;
if (!s->method->ssl3_enc->setup_key_block(s))
{
ret= -1;
@@ -401,33 +406,28 @@ SSL *s;
/* clean a few things up */
ssl3_cleanup_key_block(s);
- BUF_MEM_free(s->init_buf);
- s->init_buf=NULL;
-
- if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
+ if (s->init_buf != NULL)
{
- /* remove buffering */
- under=BIO_pop(s->wbio);
- if (under != NULL)
- s->wbio=under;
- else
- abort(); /* ok */
-
- BIO_free(s->bbio);
- s->bbio=NULL;
+ BUF_MEM_free(s->init_buf);
+ s->init_buf=NULL;
}
- /* else do it later */
+
+ /* If we are not 'joining' the last two packets,
+ * remove the buffering now */
+ if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
+ ssl_free_wbio_buffer(s);
+ /* else do it later in ssl3_write */
s->init_num=0;
s->new_session=0;
ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
- if (s->hit) s->ctx->sess_hit++;
+ if (s->hit) s->ctx->stats.sess_hit++;
ret=1;
/* s->server=0; */
s->handshake_func=ssl3_connect;
- s->ctx->sess_connect_good++;
+ s->ctx->stats.sess_connect_good++;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
@@ -473,8 +473,9 @@ SSL *s;
{
unsigned char *buf;
unsigned char *p,*d;
- int i;
+ int i,j;
unsigned long Time,l;
+ SSL_COMP *comp;
buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
@@ -498,6 +499,7 @@ SSL *s;
*(p++)=s->version>>8;
*(p++)=s->version&0xff;
+ s->client_version=s->version;
/* Random stuff */
memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
@@ -525,10 +527,18 @@ SSL *s;
s2n(i,p);
p+=i;
- /* hardwire in the NULL compression algorithm. */
/* COMPRESSION */
- *(p++)=1;
- *(p++)=0;
+ if (s->ctx->comp_methods == NULL)
+ j=0;
+ else
+ j=sk_num(s->ctx->comp_methods);
+ *(p++)=1+j;
+ for (i=0; i<j; i++)
+ {
+ comp=(SSL_COMP *)sk_value(s->ctx->comp_methods,i);
+ *(p++)=comp->id;
+ }
+ *(p++)=0; /* Add the NULL method */
l=(p-d);
d=buf;
@@ -556,6 +566,7 @@ SSL *s;
int i,al,ok;
unsigned int j;
long n;
+ SSL_COMP *comp;
n=ssl3_get_message(s,
SSL3_ST_CR_SRVR_HELLO_A,
@@ -649,12 +660,21 @@ SSL *s;
/* lets get the compression algorithm */
/* COMPRESSION */
j= *(p++);
- if (j != 0)
+ if (j == 0)
+ comp=NULL;
+ else
+ comp=ssl3_comp_find(s->ctx->comp_methods,j);
+
+ if ((j != 0) && (comp == NULL))
{
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
goto f_err;
}
+ else
+ {
+ s->s3->tmp.new_compression=comp;
+ }
if (p != (d+n))
{
@@ -996,6 +1016,7 @@ SSL *s;
/* else anonymous DH, so no certificate or pkey. */
s->session->cert->dh_tmp=dh;
+ dh=NULL;
}
else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
{
@@ -1326,8 +1347,8 @@ SSL *s;
rsa=pkey->pkey.rsa;
}
- tmp_buf[0]=s->version>>8;
- tmp_buf[1]=s->version&0xff;
+ tmp_buf[0]=s->client_version>>8;
+ tmp_buf[1]=s->client_version&0xff;
RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index c5c9a3be42..a655e12bec 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -144,7 +144,10 @@ int which;
exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0;
c=s->s3->tmp.new_sym_enc;
m=s->s3->tmp.new_hash;
- comp=s->s3->tmp.new_compression;
+ if (s->s3->tmp.new_compression == NULL)
+ comp=NULL;
+ else
+ comp=s->s3->tmp.new_compression->method;
key_block=s->s3->tmp.key_block;
if (which & SSL3_CC_READ)
@@ -169,8 +172,9 @@ int which;
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
goto err2;
}
- s->s3->rrec.comp=(unsigned char *)
- Malloc(SSL3_RT_MAX_PLAIN_LENGTH);
+ if (s->s3->rrec.comp == NULL)
+ s->s3->rrec.comp=(unsigned char *)
+ Malloc(SSL3_RT_MAX_PLAIN_LENGTH);
if (s->s3->rrec.comp == NULL)
goto err;
}
@@ -280,11 +284,12 @@ SSL *s;
EVP_CIPHER *c;
EVP_MD *hash;
int num,exp;
+ SSL_COMP *comp;
if (s->s3->tmp.key_block_length != 0)
return(1);
- if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash))
+ if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
{
SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return(0);
@@ -292,11 +297,7 @@ SSL *s;
s->s3->tmp.new_sym_enc=c;
s->s3->tmp.new_hash=hash;
-#ifdef ZLIB
- s->s3->tmp.new_compression=COMP_zlib();
-#endif
-/* s->s3->tmp.new_compression=COMP_rle(); */
-/* s->session->compress_meth= xxxxx */
+ s->s3->tmp.new_compression=comp;
exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0;
@@ -454,7 +455,7 @@ unsigned char *p;
unsigned char md_buf[EVP_MAX_MD_SIZE];
EVP_MD_CTX ctx;
- memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX));
+ EVP_MD_CTX_copy(&ctx,in_ctx);
n=EVP_MD_CTX_size(&ctx);
npad=(48/n)*n;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 495c1c334f..c64b760a44 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -486,6 +486,12 @@ SSL *s;
if (s->s3->tmp.ca_names != NULL)
sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+ if (s->s3->rrec.comp != NULL)
+ {
+ Free(s->s3->rrec.comp);
+ s->s3->rrec.comp=NULL;
+ }
+
rp=s->s3->rbuf.buf;
wp=s->s3->wbuf.buf;
@@ -493,11 +499,7 @@ SSL *s;
if (rp != NULL) s->s3->rbuf.buf=rp;
if (wp != NULL) s->s3->wbuf.buf=wp;
- if (s->s3->rrec.comp != NULL)
- {
- Free(s->s3->rrec.comp);
- s->s3->rrec.comp=NULL;
- }
+ ssl_free_wbio_buffer(s);
s->packet_length=0;
s->s3->renegotiate=0;
@@ -844,7 +846,6 @@ const char *buf;
int len;
{
int ret,n;
- BIO *under;
#if 0
if (s->shutdown & SSL_SEND_SHUTDOWN)
@@ -878,15 +879,12 @@ int len;
if (n <= 0) return(n);
s->rwstate=SSL_NOTHING;
- /* We have flushed the buffer */
- under=BIO_pop(s->wbio);
- s->wbio=under;
- BIO_free(s->bbio);
- s->bbio=NULL;
+ /* We have flushed the buffer, so remove it */
+ ssl_free_wbio_buffer(s);
+ s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
+
ret=s->s3->delay_buf_pop_ret;
s->s3->delay_buf_pop_ret=0;
-
- s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
}
else
{
@@ -987,4 +985,3 @@ need to go to SSL_ST_ACCEPT.
return(ret);
}
-
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index b7edc8faf3..f5350bf1b7 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -872,7 +872,9 @@ start:
if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
{
- s->state=SSL_ST_BEFORE;
+ s->state=SSL_ST_BEFORE|(s->server)
+ ?SSL_ST_ACCEPT
+ :SSL_ST_CONNECT;
s->new_session=1;
}
n=s->handshake_func(s);
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a827a58d49..a4c0744488 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -135,7 +135,6 @@ SSL *s;
long num1;
int ret= -1;
CERT *ct;
- BIO *under;
int new_state,state,skip=0;
RAND_seed(&Time,sizeof(Time));
@@ -178,6 +177,7 @@ SSL *s;
case SSL_ST_BEFORE|SSL_ST_ACCEPT:
case SSL_ST_OK|SSL_ST_ACCEPT:
+ s->server=1;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
if ((s->version>>8) != 3)
@@ -217,11 +217,11 @@ SSL *s;
{
s->state=SSL3_ST_SR_CLNT_HELLO_A;
ssl3_init_finished_mac(s);
- s->ctx->sess_accept++;
+ s->ctx->stats.sess_accept++;
}
else
{
- s->ctx->sess_accept_renegotiate++;
+ s->ctx->stats.sess_accept_renegotiate++;
s->state=SSL3_ST_SW_HELLO_REQ_A;
}
break;
@@ -240,15 +240,6 @@ SSL *s;
break;
case SSL3_ST_SW_HELLO_REQ_C:
- /* remove buffering on output */
- under=BIO_pop(s->wbio);
- if (under != NULL)
- s->wbio=under;
- else
- abort(); /* ok */
- BIO_free(s->bbio);
- s->bbio=NULL;
-
s->state=SSL_ST_OK;
ret=1;
goto end;
@@ -480,20 +471,14 @@ SSL *s;
s->init_buf=NULL;
/* remove buffering on output */
- under=BIO_pop(s->wbio);
- if (under != NULL)
- s->wbio=under;
- else
- abort(); /* ok */
- BIO_free(s->bbio);
- s->bbio=NULL;
+ ssl_free_wbio_buffer(s);
s->new_session=0;
s->init_num=0;
ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
- s->ctx->sess_accept_good++;
+ s->ctx->stats.sess_accept_good++;
/* s->server=1; */
s->handshake_func=ssl3_accept;
ret=1;
@@ -567,8 +552,9 @@ SSL *s;
int i,j,ok,al,ret= -1;
long n;
unsigned long id;
- unsigned char *p,*d;
+ unsigned char *p,*d,*q;
SSL_CIPHER *c;
+ SSL_COMP *comp=NULL;
STACK *ciphers=NULL;
/* We do this so that we will respond with our native type.
@@ -595,6 +581,7 @@ SSL *s;
/* The version number has already been checked in ssl3_get_message.
* I a native TLSv1/SSLv3 method, the match must be correct except
* perhaps for the first message */
+/* s->client_version=(((int)p[0])<<8)|(int)p[1]; */
p+=2;
/* load the client random */
@@ -653,9 +640,16 @@ SSL *s;
j=0;
id=s->session->cipher->id;
+#ifdef CIPHER_DEBUG
+ printf("client sent %d ciphers\n",sk_num(ciphers));
+#endif
for (i=0; i<sk_num(ciphers); i++)
{
c=(SSL_CIPHER *)sk_value(ciphers,i);
+#ifdef CIPHER_DEBUG
+ printf("client [%2d of %2d]:%s\n",
+ i,sk_num(ciphers),SSL_CIPHER_get_name(c));
+#endif
if (c->id == id)
{
j=1;
@@ -683,8 +677,11 @@ SSL *s;
/* compression */
i= *(p++);
+ q=p;
for (j=0; j<i; j++)
+ {
if (p[j] == 0) break;
+ }
p+=i;
if (j >= i)
@@ -695,6 +692,35 @@ SSL *s;
goto f_err;
}
+ /* Worst case, we will use the NULL compression, but if we have other
+ * options, we will now look for them. We have i-1 compression
+ * algorithms from the client, starting at q. */
+ s->s3->tmp.new_compression=NULL;
+ if (s->ctx->comp_methods != NULL)
+ { /* See if we have a match */
+ int m,nn,o,v,done=0;
+
+ nn=sk_num(s->ctx->comp_methods);
+ for (m=0; m<nn; m++)
+ {
+ comp=(SSL_COMP *)sk_value(s->ctx->comp_methods,m);
+ v=comp->id;
+ for (o=0; o<i; o++)
+ {
+ if (v == q[o])
+ {
+ done=1;
+ break;
+ }
+ }
+ if (done) break;
+ }
+ if (done)
+ s->s3->tmp.new_compression=comp;
+ else
+ comp=NULL;
+ }
+
/* TLS does not mind if there is extra stuff */
if (s->version == SSL3_VERSION)
{
@@ -708,13 +734,12 @@ SSL *s;
}
}
- /* do nothing with compression */
-
/* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
* pick a cipher */
if (!s->hit)
{
+ s->session->compress_meth=(comp == NULL)?0:comp->id;
if (s->session->ciphers != NULL)
sk_free(s->session->ciphers);
s->session->ciphers=ciphers;
@@ -835,7 +860,10 @@ SSL *s;
p+=i;
/* put the compression method */
- *(p++)=0;
+ if (s->s3->tmp.new_compression == NULL)
+ *(p++)=0;
+ else
+ *(p++)=s->s3->tmp.new_compression->id;
/* do the header */
l=(p-d);
@@ -1266,13 +1294,26 @@ SSL *s;
#if 1
/* If a bad decrypt, use a random master key */
if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
- ((p[0] != (s->version>>8)) ||
- (p[1] != (s->version & 0xff))))
+ ((p[0] != (s->client_version>>8)) ||
+ (p[1] != (s->client_version & 0xff))))
{
- p[0]=(s->version>>8);
- p[1]=(s->version & 0xff);
- RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
- i=SSL_MAX_MASTER_KEY_LENGTH;
+ int bad=1;
+
+ if ((i == SSL_MAX_MASTER_KEY_LENGTH) &&
+ (p[0] == (s->version>>8)) &&
+ (p[1] == 0))
+ {
+ if (s->options & SSL_OP_TLS_ROLLBACK_BUG)
+ bad=0;
+ }
+ if (bad)
+ {
+ p[0]=(s->version>>8);
+ p[1]=(s->version & 0xff);
+ RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+ i=SSL_MAX_MASTER_KEY_LENGTH;
+ }
+ /* else, an SSLeay bug, ssl only server, tls client */
}
#else
if (i != SSL_MAX_MASTER_KEY_LENGTH)
diff --git a/ssl/ssl.err b/ssl/ssl.err
index 10ca9c5342..84256f905a 100644
--- a/ssl/ssl.err
+++ b/ssl/ssl.err
@@ -65,52 +65,55 @@
#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
#define SSL_F_SSL_CERT_NEW 162
#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
-#define SSL_F_SSL_CREATE_CIPHER_LIST 164
-#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 165
-#define SSL_F_SSL_CTX_NEW 166
-#define SSL_F_SSL_CTX_SET_SSL_VERSION 167
-#define SSL_F_SSL_CTX_USE_CERTIFICATE 168
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 169
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 170
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY 171
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 172
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 173
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 174
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 175
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 176
-#define SSL_F_SSL_DO_HANDSHAKE 177
-#define SSL_F_SSL_GET_NEW_SESSION 178
-#define SSL_F_SSL_GET_SERVER_SEND_CERT 179
-#define SSL_F_SSL_GET_SIGN_PKEY 180
-#define SSL_F_SSL_INIT_WBIO_BUFFER 181
-#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 182
-#define SSL_F_SSL_NEW 183
-#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 184
-#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 185
-#define SSL_F_SSL_SESSION_NEW 186
-#define SSL_F_SSL_SESSION_PRINT_FP 187
-#define SSL_F_SSL_SET_CERT 188
-#define SSL_F_SSL_SET_FD 189
-#define SSL_F_SSL_SET_PKEY 190
-#define SSL_F_SSL_SET_RFD 191
-#define SSL_F_SSL_SET_SESSION 192
-#define SSL_F_SSL_SET_WFD 193
-#define SSL_F_SSL_UNDEFINED_FUNCTION 194
-#define SSL_F_SSL_USE_CERTIFICATE 195
-#define SSL_F_SSL_USE_CERTIFICATE_ASN1 196
-#define SSL_F_SSL_USE_CERTIFICATE_FILE 197
-#define SSL_F_SSL_USE_PRIVATEKEY 198
-#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 199
-#define SSL_F_SSL_USE_PRIVATEKEY_FILE 200
-#define SSL_F_SSL_USE_RSAPRIVATEKEY 201
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 202
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 203
-#define SSL_F_SSL_VERIFY_CERT_CHAIN 204
-#define SSL_F_SSL_WRITE 205
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE 206
-#define SSL_F_TLS1_ENC 207
-#define SSL_F_TLS1_SETUP_KEY_BLOCK 208
-#define SSL_F_WRITE_PENDING 209
+#define SSL_F_SSL_CLEAR 164
+#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
+#define SSL_F_SSL_CREATE_CIPHER_LIST 166
+#define SSL_F_SSL_CTX_ADD_COMPRESSION 167
+#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
+#define SSL_F_SSL_CTX_NEW 169
+#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
+#define SSL_F_SSL_CTX_USE_CERTIFICATE 171
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179
+#define SSL_F_SSL_DO_HANDSHAKE 180
+#define SSL_F_SSL_GET_NEW_SESSION 181
+#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
+#define SSL_F_SSL_GET_SIGN_PKEY 183
+#define SSL_F_SSL_INIT_WBIO_BUFFER 184
+#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
+#define SSL_F_SSL_NEW 186
+#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
+#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
+#define SSL_F_SSL_SESSION_NEW 189
+#define SSL_F_SSL_SESSION_PRINT_FP 190
+#define SSL_F_SSL_SET_CERT 191
+#define SSL_F_SSL_SET_FD 192
+#define SSL_F_SSL_SET_PKEY 193
+#define SSL_F_SSL_SET_RFD 194
+#define SSL_F_SSL_SET_SESSION 195
+#define SSL_F_SSL_SET_WFD 196
+#define SSL_F_SSL_UNDEFINED_FUNCTION 197
+#define SSL_F_SSL_USE_CERTIFICATE 198
+#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
+#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
+#define SSL_F_SSL_USE_PRIVATEKEY 201
+#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202
+#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203
+#define SSL_F_SSL_USE_RSAPRIVATEKEY 204
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206
+#define SSL_F_SSL_VERIFY_CERT_CHAIN 207
+#define SSL_F_SSL_WRITE 208
+#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
+#define SSL_F_TLS1_ENC 210
+#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
+#define SSL_F_WRITE_PENDING 212
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
@@ -201,39 +204,41 @@
#define SSL_R_NO_CIPHER_MATCH 185
#define SSL_R_NO_CLIENT_CERT_RECEIVED 186
#define SSL_R_NO_COMPRESSION_SPECIFIED 187
-#define SSL_R_NO_PRIVATEKEY 188
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 189
-#define SSL_R_NO_PROTOCOLS_AVAILABLE 190
-#define SSL_R_NO_PUBLICKEY 191
-#define SSL_R_NO_SHARED_CIPHER 192
-#define SSL_R_NO_VERIFY_CALLBACK 193
-#define SSL_R_NULL_SSL_CTX 194
-#define SSL_R_NULL_SSL_METHOD_PASSED 195
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 196
-#define SSL_R_PACKET_LENGTH_TOO_LONG 197
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 198
-#define SSL_R_PEER_ERROR 199
-#define SSL_R_PEER_ERROR_CERTIFICATE 200
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE 201
-#define SSL_R_PEER_ERROR_NO_CIPHER 202
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 203
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 204
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 205
-#define SSL_R_PROTOCOL_IS_SHUTDOWN 206
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 207
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 208
-#define SSL_R_PUBLIC_KEY_NOT_RSA 209
-#define SSL_R_READ_BIO_NOT_SET 210
-#define SSL_R_READ_WRONG_PACKET_TYPE 211
-#define SSL_R_RECORD_LENGTH_MISMATCH 212
-#define SSL_R_RECORD_TOO_LARGE 213
-#define SSL_R_REQUIRED_CIPHER_MISSING 214
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 215
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 216
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 217
-#define SSL_R_SHORT_READ 218
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 219
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 220
+#define SSL_R_NO_METHOD_SPECIFIED 188
+#define SSL_R_NO_PRIVATEKEY 189
+#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
+#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
+#define SSL_R_NO_PUBLICKEY 192
+#define SSL_R_NO_SHARED_CIPHER 193
+#define SSL_R_NO_VERIFY_CALLBACK 194
+#define SSL_R_NULL_SSL_CTX 195
+#define SSL_R_NULL_SSL_METHOD_PASSED 196
+#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
+#define SSL_R_PACKET_LENGTH_TOO_LONG 198
+#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
+#define SSL_R_PEER_ERROR 200
+#define SSL_R_PEER_ERROR_CERTIFICATE 201
+#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202
+#define SSL_R_PEER_ERROR_NO_CIPHER 203
+#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204
+#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205
+#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206
+#define SSL_R_PROTOCOL_IS_SHUTDOWN 207
+#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208
+#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209
+#define SSL_R_PUBLIC_KEY_NOT_RSA 210
+#define SSL_R_READ_BIO_NOT_SET 211
+#define SSL_R_READ_WRONG_PACKET_TYPE 212
+#define SSL_R_RECORD_LENGTH_MISMATCH 213
+#define SSL_R_RECORD_TOO_LARGE 214
+#define SSL_R_REQUIRED_CIPHER_MISSING 215
+#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
+#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
+#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
+#define SSL_R_SHORT_READ 219
+#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
+#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
+#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
@@ -243,17 +248,17 @@
#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 221
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 222
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 223
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226
#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
-#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 225
+#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227
#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 226
-#define SSL_R_SSL_HANDSHAKE_FAILURE 227
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 228
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 229
+#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
+#define SSL_R_SSL_HANDSHAKE_FAILURE 229
+#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
+#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231
#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
@@ -266,41 +271,41 @@
#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
#define SSL_R_TLSV1_ALERT_USER_CANCLED 1090
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 230
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 232
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 233
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 234
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 235
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 236
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 237
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 238
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 239
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 240
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 241
-#define SSL_R_UNEXPECTED_MESSAGE 242
-#define SSL_R_UNEXPECTED_RECORD 243
-#define SSL_R_UNKNOWN_ALERT_TYPE 244
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 245
-#define SSL_R_UNKNOWN_CIPHER_RETURNED 246
-#define SSL_R_UNKNOWN_CIPHER_TYPE 247
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 248
-#define SSL_R_UNKNOWN_PKEY_TYPE 249
-#define SSL_R_UNKNOWN_PROTOCOL 250
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 251
-#define SSL_R_UNKNOWN_SSL_VERSION 252
-#define SSL_R_UNKNOWN_STATE 253
-#define SSL_R_UNSUPPORTED_CIPHER 254
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 255
-#define SSL_R_UNSUPPORTED_PROTOCOL 256
-#define SSL_R_UNSUPPORTED_SSL_VERSION 257
-#define SSL_R_WRITE_BIO_NOT_SET 258
-#define SSL_R_WRONG_CIPHER_RETURNED 259
-#define SSL_R_WRONG_MESSAGE_TYPE 260
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 261
-#define SSL_R_WRONG_SIGNATURE_LENGTH 262
-#define SSL_R_WRONG_SIGNATURE_SIZE 263
-#define SSL_R_WRONG_SSL_VERSION 264
-#define SSL_R_WRONG_VERSION_NUMBER 265
-#define SSL_R_X509_LIB 266
-#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 267
+#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
+#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
+#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237
+#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
+#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
+#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240
+#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241
+#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
+#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
+#define SSL_R_UNEXPECTED_MESSAGE 244
+#define SSL_R_UNEXPECTED_RECORD 245
+#define SSL_R_UNKNOWN_ALERT_TYPE 246
+#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
+#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
+#define SSL_R_UNKNOWN_CIPHER_TYPE 249
+#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
+#define SSL_R_UNKNOWN_PKEY_TYPE 251
+#define SSL_R_UNKNOWN_PROTOCOL 252
+#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
+#define SSL_R_UNKNOWN_SSL_VERSION 254
+#define SSL_R_UNKNOWN_STATE 255
+#define SSL_R_UNSUPPORTED_CIPHER 256
+#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
+#define SSL_R_UNSUPPORTED_PROTOCOL 258
+#define SSL_R_UNSUPPORTED_SSL_VERSION 259
+#define SSL_R_WRITE_BIO_NOT_SET 260
+#define SSL_R_WRONG_CIPHER_RETURNED 261
+#define SSL_R_WRONG_MESSAGE_TYPE 262
+#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
+#define SSL_R_WRONG_SIGNATURE_LENGTH 264
+#define SSL_R_WRONG_SIGNATURE_SIZE 265
+#define SSL_R_WRONG_SSL_VERSION 266
+#define SSL_R_WRONG_VERSION_NUMBER 267
+#define SSL_R_X509_LIB 268
+#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 92b7695e61..689122db02 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1,3 +1,15 @@
+#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb))
+#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb)
+#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb))
+#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb)
+#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb))
+#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb)
+#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb))
+#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback)
+
+#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb))
+#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb)
+
/* ssl/ssl.h */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
@@ -193,6 +205,7 @@ typedef struct ssl_method_st
struct ssl_method_st *(*get_ssl_method)(int version);
long (*get_timeout)(void);
struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
+ int (*ssl_version)();
} SSL_METHOD;
/* Lets make this into an ASN.1 type structure as follows
@@ -238,11 +251,7 @@ typedef struct ssl_session_st
long timeout;
long time;
-#ifdef HEADER_COMP_H
- COMP_CTX *compress_meth;
-#else
- char *compress_meth;
-#endif
+ int compress_meth; /* Need to lookup the method */
SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this
@@ -267,6 +276,7 @@ typedef struct ssl_session_st
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
+#define SSL_OP_TLS_ROLLBACK_BUG 0x00000400L
/* If set, only use tmp_dh parameters once */
#define SSL_OP_SINGLE_DH_USE 0x00100000L
@@ -282,22 +292,32 @@ typedef struct ssl_session_st
#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L
#define SSL_OP_ALL 0x000FFFFFL
-#define SSL_CTX_set_options(ctx,op) ((ctx)->options|=(op))
-#define SSL_set_options(ssl,op) ((ssl)->options|=(op))
+#define SSL_CTX_set_options(ctx,op) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,op,NULL)
+#define SSL_CTX_get_options(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL)
+#define SSL_set_options(ssl,op) \
+ SSL_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL)
+#define SSL_get_options(ssl) \
+ SSL_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL)
#define SSL_OP_NO_SSLv2 0x01000000L
#define SSL_OP_NO_SSLv3 0x02000000L
#define SSL_OP_NO_TLSv1 0x04000000L
-/* Normally you will only use these if your application wants to use
- * the certificate store in other places, perhaps PKCS7 */
-#define SSL_CTX_get_cert_store(ctx) ((ctx)->cert_store)
-#define SSL_CTX_set_cert_store(ctx,cs) \
- (X509_STORE_free((ctx)->cert_store),(ctx)->cert_store=(cs))
-
-
#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
+typedef struct ssl_comp_st
+{
+ int id;
+ char *name;
+#ifdef HEADER_COMP_H
+ COMP_METHOD *method;
+#else
+ char *method;
+#endif
+} SSL_COMP;
+
struct ssl_ctx_st
{
SSL_METHOD *method;
@@ -347,46 +367,50 @@ struct ssl_ctx_st
SSL_SESSION *(*get_session_cb)();
#endif
- int sess_connect; /* SSL new connection - started */
- int sess_connect_renegotiate;/* SSL renegotiatene - requested */
- int sess_connect_good; /* SSL new connection/renegotiate - finished */
- int sess_accept; /* SSL new accept - started */
- int sess_accept_renegotiate;/* SSL renegotiatene - requested */
- int sess_accept_good; /* SSL accept/renegotiate - finished */
- int sess_miss; /* session lookup misses */
- int sess_timeout; /* session reuse attempt on timeouted session */
- int sess_cache_full; /* session removed due to full cache */
- int sess_hit; /* session reuse actually done */
- int sess_cb_hit; /* session-id that was not in the cache was
- * passed back via the callback. This
- * indicates that the application is supplying
- * session-id's from other processes -
- * spooky :-) */
+ struct
+ {
+ int sess_connect; /* SSL new conn - started */
+ int sess_connect_renegotiate;/* SSL reneg - requested */
+ int sess_connect_good; /* SSL new conne/reneg - finished */
+ int sess_accept; /* SSL new accept - started */
+ int sess_accept_renegotiate;/* SSL reneg - requested */
+ int sess_accept_good; /* SSL accept/reneg - finished */
+ int sess_miss; /* session lookup misses */
+ int sess_timeout; /* reuse attempt on timeouted session */
+ int sess_cache_full; /* session removed due to full cache */
+ int sess_hit; /* session reuse actually done */
+ int sess_cb_hit; /* session-id that was not
+ * in the cache was
+ * passed back via the callback. This
+ * indicates that the application is
+ * supplying session-id's from other
+ * processes - spooky :-) */
+ } stats;
int references;
- void (*info_callback)();
+/**/ void (*info_callback)();
/* if defined, these override the X509_verify_cert() calls */
- int (*app_verify_callback)();
- char *app_verify_arg;
+/**/ int (*app_verify_callback)();
+/**/ char *app_verify_arg;
/* default values to use in SSL structures */
- struct cert_st /* CERT */ *default_cert;
- int default_read_ahead;
- int default_verify_mode;
- int (*default_verify_callback)();
+/**/ struct cert_st /* CERT */ *default_cert;
+/**/ int read_ahead;
+/**/ int verify_mode;
+/**/ int (*default_verify_callback)();
/* Default password callback. */
- int (*default_passwd_callback)();
+/**/ int (*default_passwd_callback)();
/* get client cert callback */
- int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
+/**/ int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
/* what we put in client requests */
STACK *client_CA;
- int quiet_shutdown;
+/**/ int quiet_shutdown;
CRYPTO_EX_DATA ex_data;
@@ -395,6 +419,7 @@ struct ssl_ctx_st
EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
STACK *extra_certs;
+ STACK *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
};
#define SSL_SESS_CACHE_OFF 0x0000
@@ -407,41 +432,30 @@ struct ssl_ctx_st
* defined, this will still get called. */
#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
-#define SSL_CTX_sessions(ctx) ((ctx)->sessions)
-/* You will need to include lhash.h to access the following #define */
-#define SSL_CTX_sess_number(ctx) ((ctx)->sessions->num_items)
-#define SSL_CTX_sess_connect(ctx) ((ctx)->sess_connect)
-#define SSL_CTX_sess_connect_good(ctx) ((ctx)->sess_connect_good)
-#define SSL_CTX_sess_accept(ctx) ((ctx)->sess_accept)
-#define SSL_CTX_sess_accept_renegotiate(ctx) ((ctx)->sess_accept_renegotiate)
-#define SSL_CTX_sess_connect_renegotiate(ctx) ((ctx)->sess_connect_renegotiate)
-#define SSL_CTX_sess_accept_good(ctx) ((ctx)->sess_accept_good)
-#define SSL_CTX_sess_hits(ctx) ((ctx)->sess_hit)
-#define SSL_CTX_sess_cb_hits(ctx) ((ctx)->sess_cb_hit)
-#define SSL_CTX_sess_misses(ctx) ((ctx)->sess_miss)
-#define SSL_CTX_sess_timeouts(ctx) ((ctx)->sess_timeout)
-#define SSL_CTX_sess_cache_full(ctx) ((ctx)->sess_cache_full)
-
-#define SSL_CTX_sess_set_cache_size(ctx,t) ((ctx)->session_cache_size=(t))
-#define SSL_CTX_sess_get_cache_size(ctx) ((ctx)->session_cache_size)
-
-#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb))
-#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb)
-#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb))
-#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb)
-#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb))
-#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb)
-#define SSL_CTX_set_session_cache_mode(ctx,m) ((ctx)->session_cache_mode=(m))
-#define SSL_CTX_get_session_cache_mode(ctx) ((ctx)->session_cache_mode)
-#define SSL_CTX_set_timeout(ctx,t) ((ctx)->session_timeout=(t))
-#define SSL_CTX_get_timeout(ctx) ((ctx)->session_timeout)
-
-#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb))
-#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback)
-#define SSL_CTX_set_default_read_ahead(ctx,m) (((ctx)->default_read_ahead)=(m))
-
-#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb))
-#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb)
+#define SSL_CTX_sess_number(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
+#define SSL_CTX_sess_connect(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
+#define SSL_CTX_sess_connect_good(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
+#define SSL_CTX_sess_connect_renegotiate(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
+#define SSL_CTX_sess_accept(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
+#define SSL_CTX_sess_accept_renegotiate(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
+#define SSL_CTX_sess_accept_good(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
+#define SSL_CTX_sess_hits(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
+#define SSL_CTX_sess_cb_hits(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
+#define SSL_CTX_sess_misses(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
+#define SSL_CTX_sess_timeouts(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
+#define SSL_CTX_sess_cache_full(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
#define SSL_NOTHING 1
#define SSL_WRITING 2
@@ -449,11 +463,10 @@ struct ssl_ctx_st
#define SSL_X509_LOOKUP 4
/* These will only be used when doing non-blocking IO */
-#define SSL_want(s) ((s)->rwstate)
-#define SSL_want_nothing(s) ((s)->rwstate == SSL_NOTHING)
-#define SSL_want_read(s) ((s)->rwstate == SSL_READING)
-#define SSL_want_write(s) ((s)->rwstate == SSL_WRITING)
-#define SSL_want_x509_lookup(s) ((s)->rwstate == SSL_X509_LOOKUP)
+#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
+#define SSL_want_read(s) (SSL_want(s) == SSL_READING)
+#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
+#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
struct ssl_st
{
@@ -490,7 +503,7 @@ struct ssl_st
int in_handshake;
int (*handshake_func)();
-/* int server;*/ /* are we the server side? */
+ int server; /* are we the server side? - mostly used by SSL_clear*/
int new_session;/* 1 if we are to use a new session */
int quiet_shutdown;/* don't send shutdown packets */
@@ -569,6 +582,8 @@ struct ssl_st
int references;
unsigned long options;
int first_packet;
+ int client_version; /* what was passed, used for
+ * SSLv3/TLS rolback check */
};
#include "ssl2.h"
@@ -634,6 +649,8 @@ struct ssl_st
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define SSL_VERIFY_CLIENT_ONCE 0x04
+#define SSLeay_add_ssl_algorithms() SSL_library_init()
+
/* this is for backward compatablility */
#if 0 /* NEW_SSLEAY */
#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
@@ -726,8 +743,29 @@ struct ssl_st
#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 9
#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 10
#define SSL_CTRL_GET_FLAGS 11
-
-#define SSL_CTRL_EXTRA_CHAIN_CERT 11
+#define SSL_CTRL_EXTRA_CHAIN_CERT 12
+
+/* Stats */
+#define SSL_CTRL_SESS_NUMBER 20
+#define SSL_CTRL_SESS_CONNECT 21
+#define SSL_CTRL_SESS_CONNECT_GOOD 22
+#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
+#define SSL_CTRL_SESS_ACCEPT 24
+#define SSL_CTRL_SESS_ACCEPT_GOOD 25
+#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
+#define SSL_CTRL_SESS_HIT 27
+#define SSL_CTRL_SESS_CB_HIT 28
+#define SSL_CTRL_SESS_MISSES 29
+#define SSL_CTRL_SESS_TIMEOUTS 30
+#define SSL_CTRL_SESS_CACHE_FULL 31
+#define SSL_CTRL_OPTIONS 32
+
+#define SSL_CTRL_GET_READ_AHEAD 40
+#define SSL_CTRL_SET_READ_AHEAD 41
+#define SSL_CTRL_SET_SESS_CACHE_SIZE 42
+#define SSL_CTRL_GET_SESS_CACHE_SIZE 43
+#define SSL_CTRL_SET_SESS_CACHE_MODE 44
+#define SSL_CTRL_GET_SESS_CACHE_MODE 45
#define SSL_session_reused(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
@@ -763,7 +801,13 @@ void BIO_ssl_shutdown(BIO *ssl_bio);
int SSL_CTX_set_cipher_list(SSL_CTX *,char *str);
SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
void SSL_CTX_free(SSL_CTX *);
-void SSL_clear(SSL *s);
+long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
+long SSL_CTX_get_timeout(SSL_CTX *ctx);
+X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
+void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
+int SSL_want(SSL *s);
+int SSL_clear(SSL *s);
+
void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
SSL_CIPHER *SSL_get_current_cipher(SSL *s);
@@ -796,7 +840,7 @@ int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
int SSL_use_certificate(SSL *ssl, X509 *x);
-int SSL_use_certificate_ASN1(SSL *ssl, int len, unsigned char *d);
+int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
#ifndef NO_STDIO
int SSL_use_RSAPrivateKey_file(SSL *ssl, char *file, int type);
@@ -860,7 +904,6 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx);
int SSL_check_private_key(SSL *ctx);
SSL * SSL_new(SSL_CTX *ctx);
-void SSL_clear(SSL *s);
void SSL_free(SSL *ssl);
int SSL_accept(SSL *ssl);
int SSL_connect(SSL *ssl);
@@ -917,7 +960,7 @@ void SSL_set_accept_state(SSL *s);
long SSL_get_default_timeout(SSL *s);
-void SSLeay_add_ssl_algorithms(void );
+int SSL_library_init(void );
char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
STACK *SSL_dup_CA_list(STACK *sk);
@@ -962,6 +1005,22 @@ int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
int SSL_get_ex_data_X509_STORE_CTX_idx(void );
+#define SSL_CTX_sess_set_cache_size(ctx,t) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
+#define SSL_CTX_sess_get_cache_size(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
+#define SSL_CTX_set_session_cache_mode(ctx,m) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
+#define SSL_CTX_get_session_cache_mode(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
+
+#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
+#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
+#define SSL_CTX_get_read_ahead(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
+#define SSL_CTX_set_read_ahead(ctx,m) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL)
+
/* For the next 2, the callbacks are
* RSA *tmp_rsa_cb(SSL *ssl,int export)
* DH *tmp_dh_cb(SSL *ssl,int export)
@@ -970,6 +1029,12 @@ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
RSA *(*cb)(SSL *ssl,int export));
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export));
+#ifdef HEADER_COMP_H
+int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
+#else
+int SSL_COMP_add_compression_method(int id,char *cm);
+#endif
+
#else
BIO_METHOD *BIO_f_ssl();
@@ -979,6 +1044,12 @@ BIO *BIO_new_buffer_ssl_connect();
int BIO_ssl_copy_session_id();
void BIO_ssl_shutdown();
+long SSL_CTX_set_timeout();
+long SSL_CTX_get_timeout();
+X509_STORE *SSL_CTX_get_cert_store();
+void SSL_CTX_set_cert_store();
+int SSL_want();
+
int SSL_CTX_set_cipher_list();
SSL_CTX *SSL_CTX_new();
void SSL_CTX_free();
@@ -1134,7 +1205,7 @@ void SSL_set_accept_state();
long SSL_get_default_timeout();
-void SSLeay_add_ssl_algorithms();
+int SSL_library_init();
char *SSL_CIPHER_description();
STACK *SSL_dup_CA_list();
@@ -1178,6 +1249,7 @@ char *SSL_CTX_get_ex_data();
int SSL_CTX_get_ex_new_index();
int SSL_get_ex_data_X509_STORE_CTX_idx();
+int SSL_COMP_add_compression_method();
/* For the next 2, the callbacks are
* RSA *tmp_rsa_cb(SSL *ssl,int export)
@@ -1258,52 +1330,55 @@ void SSL_CTX_set_tmp_dh_callback();
#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
#define SSL_F_SSL_CERT_NEW 162
#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
-#define SSL_F_SSL_CREATE_CIPHER_LIST 164
-#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 165
-#define SSL_F_SSL_CTX_NEW 166
-#define SSL_F_SSL_CTX_SET_SSL_VERSION 167
-#define SSL_F_SSL_CTX_USE_CERTIFICATE 168
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 169
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 170
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY 171
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 172
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 173
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 174
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 175
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 176
-#define SSL_F_SSL_DO_HANDSHAKE 177
-#define SSL_F_SSL_GET_NEW_SESSION 178
-#define SSL_F_SSL_GET_SERVER_SEND_CERT 179
-#define SSL_F_SSL_GET_SIGN_PKEY 180
-#define SSL_F_SSL_INIT_WBIO_BUFFER 181
-#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 182
-#define SSL_F_SSL_NEW 183
-#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 184
-#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 185
-#define SSL_F_SSL_SESSION_NEW 186
-#define SSL_F_SSL_SESSION_PRINT_FP 187
-#define SSL_F_SSL_SET_CERT 188
-#define SSL_F_SSL_SET_FD 189
-#define SSL_F_SSL_SET_PKEY 190
-#define SSL_F_SSL_SET_RFD 191
-#define SSL_F_SSL_SET_SESSION 192
-#define SSL_F_SSL_SET_WFD 193
-#define SSL_F_SSL_UNDEFINED_FUNCTION 194
-#define SSL_F_SSL_USE_CERTIFICATE 195
-#define SSL_F_SSL_USE_CERTIFICATE_ASN1 196
-#define SSL_F_SSL_USE_CERTIFICATE_FILE 197
-#define SSL_F_SSL_USE_PRIVATEKEY 198
-#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 199
-#define SSL_F_SSL_USE_PRIVATEKEY_FILE 200
-#define SSL_F_SSL_USE_RSAPRIVATEKEY 201
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 202
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 203
-#define SSL_F_SSL_VERIFY_CERT_CHAIN 204
-#define SSL_F_SSL_WRITE 205
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE 206
-#define SSL_F_TLS1_ENC 207
-#define SSL_F_TLS1_SETUP_KEY_BLOCK 208
-#define SSL_F_WRITE_PENDING 209
+#define SSL_F_SSL_CLEAR 164
+#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
+#define SSL_F_SSL_CREATE_CIPHER_LIST 166
+#define SSL_F_SSL_CTX_ADD_COMPRESSION 167
+#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
+#define SSL_F_SSL_CTX_NEW 169
+#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
+#define SSL_F_SSL_CTX_USE_CERTIFICATE 171
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179
+#define SSL_F_SSL_DO_HANDSHAKE 180
+#define SSL_F_SSL_GET_NEW_SESSION 181
+#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
+#define SSL_F_SSL_GET_SIGN_PKEY 183
+#define SSL_F_SSL_INIT_WBIO_BUFFER 184
+#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
+#define SSL_F_SSL_NEW 186
+#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
+#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
+#define SSL_F_SSL_SESSION_NEW 189
+#define SSL_F_SSL_SESSION_PRINT_FP 190
+#define SSL_F_SSL_SET_CERT 191
+#define SSL_F_SSL_SET_FD 192
+#define SSL_F_SSL_SET_PKEY 193
+#define SSL_F_SSL_SET_RFD 194
+#define SSL_F_SSL_SET_SESSION 195
+#define SSL_F_SSL_SET_WFD 196
+#define SSL_F_SSL_UNDEFINED_FUNCTION 197
+#define SSL_F_SSL_USE_CERTIFICATE 198
+#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
+#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
+#define SSL_F_SSL_USE_PRIVATEKEY 201
+#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202
+#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203
+#define SSL_F_SSL_USE_RSAPRIVATEKEY 204
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206
+#define SSL_F_SSL_VERIFY_CERT_CHAIN 207
+#define SSL_F_SSL_WRITE 208
+#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
+#define SSL_F_TLS1_ENC 210
+#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
+#define SSL_F_WRITE_PENDING 212
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
@@ -1394,39 +1469,41 @@ void SSL_CTX_set_tmp_dh_callback();
#define SSL_R_NO_CIPHER_MATCH 185
#define SSL_R_NO_CLIENT_CERT_RECEIVED 186
#define SSL_R_NO_COMPRESSION_SPECIFIED 187
-#define SSL_R_NO_PRIVATEKEY 188
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 189
-#define SSL_R_NO_PROTOCOLS_AVAILABLE 190
-#define SSL_R_NO_PUBLICKEY 191
-#define SSL_R_NO_SHARED_CIPHER 192
-#define SSL_R_NO_VERIFY_CALLBACK 193
-#define SSL_R_NULL_SSL_CTX 194
-#define SSL_R_NULL_SSL_METHOD_PASSED 195
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 196
-#define SSL_R_PACKET_LENGTH_TOO_LONG 197
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 198
-#define SSL_R_PEER_ERROR 199
-#define SSL_R_PEER_ERROR_CERTIFICATE 200
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE 201
-#define SSL_R_PEER_ERROR_NO_CIPHER 202
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 203
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 204
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 205
-#define SSL_R_PROTOCOL_IS_SHUTDOWN 206
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 207
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 208
-#define SSL_R_PUBLIC_KEY_NOT_RSA 209
-#define SSL_R_READ_BIO_NOT_SET 210
-#define SSL_R_READ_WRONG_PACKET_TYPE 211
-#define SSL_R_RECORD_LENGTH_MISMATCH 212
-#define SSL_R_RECORD_TOO_LARGE 213
-#define SSL_R_REQUIRED_CIPHER_MISSING 214
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 215
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 216
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 217
-#define SSL_R_SHORT_READ 218
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 219
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 220
+#define SSL_R_NO_METHOD_SPECIFIED 188
+#define SSL_R_NO_PRIVATEKEY 189
+#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
+#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
+#define SSL_R_NO_PUBLICKEY 192
+#define SSL_R_NO_SHARED_CIPHER 193
+#define SSL_R_NO_VERIFY_CALLBACK 194
+#define SSL_R_NULL_SSL_CTX 195
+#define SSL_R_NULL_SSL_METHOD_PASSED 196
+#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
+#define SSL_R_PACKET_LENGTH_TOO_LONG 198
+#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
+#define SSL_R_PEER_ERROR 200
+#define SSL_R_PEER_ERROR_CERTIFICATE 201
+#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202
+#define SSL_R_PEER_ERROR_NO_CIPHER 203
+#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204
+#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205
+#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206
+#define SSL_R_PROTOCOL_IS_SHUTDOWN 207
+#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208
+#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209
+#define SSL_R_PUBLIC_KEY_NOT_RSA 210
+#define SSL_R_READ_BIO_NOT_SET 211
+#define SSL_R_READ_WRONG_PACKET_TYPE 212
+#define SSL_R_RECORD_LENGTH_MISMATCH 213
+#define SSL_R_RECORD_TOO_LARGE 214
+#define SSL_R_REQUIRED_CIPHER_MISSING 215
+#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
+#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
+#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
+#define SSL_R_SHORT_READ 219
+#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
+#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
+#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
@@ -1436,17 +1513,17 @@ void SSL_CTX_set_tmp_dh_callback();
#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 221
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 222
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 223
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226
#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
-#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 225
+#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227
#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 226
-#define SSL_R_SSL_HANDSHAKE_FAILURE 227
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 228
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 229
+#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
+#define SSL_R_SSL_HANDSHAKE_FAILURE 229
+#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
+#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231
#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
@@ -1459,44 +1536,44 @@ void SSL_CTX_set_tmp_dh_callback();
#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
#define SSL_R_TLSV1_ALERT_USER_CANCLED 1090
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 230
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 232
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 233
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 234
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 235
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 236
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 237
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 238
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 239
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 240
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 241
-#define SSL_R_UNEXPECTED_MESSAGE 242
-#define SSL_R_UNEXPECTED_RECORD 243
-#define SSL_R_UNKNOWN_ALERT_TYPE 244
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 245
-#define SSL_R_UNKNOWN_CIPHER_RETURNED 246
-#define SSL_R_UNKNOWN_CIPHER_TYPE 247
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 248
-#define SSL_R_UNKNOWN_PKEY_TYPE 249
-#define SSL_R_UNKNOWN_PROTOCOL 250
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 251
-#define SSL_R_UNKNOWN_SSL_VERSION 252
-#define SSL_R_UNKNOWN_STATE 253
-#define SSL_R_UNSUPPORTED_CIPHER 254
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 255
-#define SSL_R_UNSUPPORTED_PROTOCOL 256
-#define SSL_R_UNSUPPORTED_SSL_VERSION 257
-#define SSL_R_WRITE_BIO_NOT_SET 258
-#define SSL_R_WRONG_CIPHER_RETURNED 259
-#define SSL_R_WRONG_MESSAGE_TYPE 260
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 261
-#define SSL_R_WRONG_SIGNATURE_LENGTH 262
-#define SSL_R_WRONG_SIGNATURE_SIZE 263
-#define SSL_R_WRONG_SSL_VERSION 264
-#define SSL_R_WRONG_VERSION_NUMBER 265
-#define SSL_R_X509_LIB 266
-#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 267
+#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
+#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
+#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237
+#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
+#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
+#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240
+#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241
+#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
+#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
+#define SSL_R_UNEXPECTED_MESSAGE 244
+#define SSL_R_UNEXPECTED_RECORD 245
+#define SSL_R_UNKNOWN_ALERT_TYPE 246
+#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
+#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
+#define SSL_R_UNKNOWN_CIPHER_TYPE 249
+#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
+#define SSL_R_UNKNOWN_PKEY_TYPE 251
+#define SSL_R_UNKNOWN_PROTOCOL 252
+#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
+#define SSL_R_UNKNOWN_SSL_VERSION 254
+#define SSL_R_UNKNOWN_STATE 255
+#define SSL_R_UNSUPPORTED_CIPHER 256
+#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
+#define SSL_R_UNSUPPORTED_PROTOCOL 258
+#define SSL_R_UNSUPPORTED_SSL_VERSION 259
+#define SSL_R_WRITE_BIO_NOT_SET 260
+#define SSL_R_WRONG_CIPHER_RETURNED 261
+#define SSL_R_WRONG_MESSAGE_TYPE 262
+#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
+#define SSL_R_WRONG_SIGNATURE_LENGTH 264
+#define SSL_R_WRONG_SIGNATURE_SIZE 265
+#define SSL_R_WRONG_SSL_VERSION 266
+#define SSL_R_WRONG_VERSION_NUMBER 267
+#define SSL_R_X509_LIB 268
+#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
#ifdef __cplusplus
}
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 7c5c94d7c9..cf8238c1eb 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -341,12 +341,13 @@ typedef struct ssl3_ctx_st
EVP_CIPHER *new_sym_enc;
EVP_MD *new_hash;
#ifdef HEADER_COMP_H
- COMP_METHOD *new_compression;
+ SSL_COMP *new_compression;
#else
char *new_compression;
#endif
int cert_request;
} tmp;
+
} SSL3_CTX;
/* SSLv3 */
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index 92ec322dae..31809582bd 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -61,7 +61,7 @@
#include "lhash.h"
#include "ssl_locl.h"
-void SSLeay_add_ssl_algorithms()
+int SSL_library_init()
{
#ifndef NO_DES
EVP_add_cipher(EVP_des_cbc());
@@ -98,5 +98,6 @@ void SSLeay_add_ssl_algorithms()
EVP_add_digest(EVP_sha());
EVP_add_digest(EVP_dss());
#endif
+ return(1);
}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 87e384f8f7..30501cb700 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -58,6 +58,7 @@
#include <stdio.h>
#include "objects.h"
+#include "comp.h"
#include "ssl_locl.h"
#define SSL_ENC_DES_IDX 0
@@ -73,6 +74,8 @@ static EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
NULL,NULL,NULL,NULL,NULL,NULL,
};
+static STACK /* SSL_COMP */ *ssl_comp_methods=NULL;
+
#define SSL_MD_MD5_IDX 0
#define SSL_MD_SHA1_IDX 1
#define SSL_MD_NUM_IDX 2
@@ -180,14 +183,41 @@ static void load_ciphers()
EVP_get_digestbyname(SN_sha1);
}
-int ssl_cipher_get_evp(c,enc,md)
-SSL_CIPHER *c;
+int ssl_cipher_get_evp(s,enc,md,comp)
+SSL_SESSION *s;
EVP_CIPHER **enc;
EVP_MD **md;
+SSL_COMP **comp;
{
int i;
+ SSL_CIPHER *c;
+ c=s->cipher;
if (c == NULL) return(0);
+ if (comp != NULL)
+ {
+ SSL_COMP ctmp;
+
+ if (s->compress_meth == 0)
+ *comp=NULL;
+ else if (ssl_comp_methods == NULL)
+ {
+ /* bad */
+ *comp=NULL;
+ }
+ else
+ {
+
+ ctmp.id=s->compress_meth;
+ i=sk_find(ssl_comp_methods,(char *)&ctmp);
+ if (i >= 0)
+ *comp=(SSL_COMP *)sk_value(ssl_comp_methods,i);
+ else
+ *comp=NULL;
+ }
+ }
+
+ if ((enc == NULL) || (md == NULL)) return(0);
switch (c->algorithms & SSL_ENC_MASK)
{
@@ -730,10 +760,12 @@ int *alg_bits;
int ret=0,a=0;
EVP_CIPHER *enc;
EVP_MD *md;
+ SSL_SESSION ss;
if (c != NULL)
{
- if (!ssl_cipher_get_evp(c,&enc,&md))
+ ss.cipher=c;
+ if (!ssl_cipher_get_evp(&ss,&enc,&md,NULL))
return(0);
a=EVP_CIPHER_key_length(enc)*8;
@@ -756,3 +788,55 @@ int *alg_bits;
return(ret);
}
+SSL_COMP *ssl3_comp_find(sk,n)
+STACK *sk;
+int n;
+ {
+ SSL_COMP *ctmp;
+ int i,nn;
+
+ if ((n == 0) || (sk == NULL)) return(NULL);
+ nn=sk_num(sk);
+ for (i=0; i<nn; i++)
+ {
+ ctmp=(SSL_COMP *)sk_value(sk,i);
+ if (ctmp->id == n)
+ return(ctmp);
+ }
+ return(NULL);
+ }
+
+static int sk_comp_cmp(a,b)
+SSL_COMP **a,**b;
+ {
+ return((*a)->id-(*b)->id);
+ }
+
+STACK *SSL_COMP_get_compression_methods()
+ {
+ return(ssl_comp_methods);
+ }
+
+int SSL_COMP_add_compression_method(id,cm)
+int id;
+COMP_METHOD *cm;
+ {
+ SSL_COMP *comp;
+ STACK *sk;
+
+ comp=(SSL_COMP *)Malloc(sizeof(SSL_COMP));
+ comp->id=id;
+ comp->method=cm;
+ if (ssl_comp_methods == NULL)
+ sk=ssl_comp_methods=sk_new(sk_comp_cmp);
+ else
+ sk=ssl_comp_methods;
+ if ((sk == NULL) || !sk_push(sk,(char *)comp))
+ {
+ SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
+ else
+ return(1);
+ }
+
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 847f0f3f8a..5f3d94d496 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -127,7 +127,10 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL_BYTES_TO_CIPHER_LIST,0), "SSL_BYTES_TO_CIPHER_LIST"},
{ERR_PACK(0,SSL_F_SSL_CERT_NEW,0), "SSL_CERT_NEW"},
{ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0), "SSL_check_private_key"},
+{ERR_PACK(0,SSL_F_SSL_CLEAR,0), "SSL_clear"},
+{ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0), "SSL_COMP_add_compression_method"},
{ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0), "SSL_CREATE_CIPHER_LIST"},
+{ERR_PACK(0,SSL_F_SSL_CTX_ADD_COMPRESSION,0), "SSL_CTX_ADD_COMPRESSION"},
{ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0), "SSL_CTX_check_private_key"},
{ERR_PACK(0,SSL_F_SSL_CTX_NEW,0), "SSL_CTX_new"},
{ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0), "SSL_CTX_set_ssl_version"},
@@ -266,6 +269,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_NO_CIPHER_MATCH ,"no cipher match"},
{SSL_R_NO_CLIENT_CERT_RECEIVED ,"no client cert received"},
{SSL_R_NO_COMPRESSION_SPECIFIED ,"no compression specified"},
+{SSL_R_NO_METHOD_SPECIFIED ,"no method specified"},
{SSL_R_NO_PRIVATEKEY ,"no privatekey"},
{SSL_R_NO_PRIVATE_KEY_ASSIGNED ,"no private key assigned"},
{SSL_R_NO_PROTOCOLS_AVAILABLE ,"no protocols available"},
@@ -298,6 +302,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_REUSE_CIPHER_LIST_NOT_ZERO ,"reuse cipher list not zero"},
{SSL_R_SHORT_READ ,"short read"},
{SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
+{SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"},
{SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"},
{SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"},
{SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index c9a2285199..2019a400ff 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -77,30 +77,37 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={
ssl_undefined_function,
};
-void SSL_clear(s)
+int SSL_clear(s)
SSL *s;
{
int state;
- if (s->method == NULL) return;
+ if (s->method == NULL)
+ {
+ SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
+ return(0);
+ }
s->error=0;
s->hit=0;
+ s->shutdown=0;
+#if 0
/* This is set if we are doing dynamic renegotiation so keep
* the old cipher. It is sort of a SSL_clear_lite :-) */
- if (s->new_session) return;
+ if (s->new_session) return(1);
+#endif
state=s->state; /* Keep to check if we throw away the session-id */
s->type=0;
+ s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
+
s->version=s->method->version;
+ s->client_version=s->version;
s->rwstate=SSL_NOTHING;
- s->state=SSL_ST_BEFORE;
s->rstate=SSL_ST_READ_HEADER;
- s->read_ahead=s->ctx->default_read_ahead;
-
-/* s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); */
+ s->read_ahead=s->ctx->read_ahead;
if (s->init_buf != NULL)
{
@@ -116,10 +123,22 @@ SSL *s;
s->session=NULL;
}
- s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
s->first_packet=0;
- s->method->ssl_clear(s);
+#if 1
+ /* Check to see if we were changed into a different method, if
+ * so, revert back if we are not doing session-id reuse. */
+ if ((s->session == NULL) && (s->method != s->ctx->method))
+ {
+ s->method->ssl_free(s);
+ s->method=s->ctx->method;
+ if (!s->method->ssl_new(s))
+ return(0);
+ }
+ else
+#endif
+ s->method->ssl_clear(s);
+ return(1);
}
/* Used to change an SSL_CTXs default SSL method type */
@@ -169,7 +188,7 @@ SSL_CTX *ctx;
}
else
s->cert=NULL;
- s->verify_mode=ctx->default_verify_mode;
+ s->verify_mode=ctx->verify_mode;
s->verify_callback=ctx->default_verify_callback;
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
s->ctx=ctx;
@@ -187,6 +206,7 @@ SSL_CTX *ctx;
s->quiet_shutdown=ctx->quiet_shutdown;
s->references=1;
+ s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
s->options=ctx->options;
SSL_clear(s);
@@ -251,11 +271,6 @@ SSL *s;
ssl_clear_cipher_ctx(s);
- if (s->expand != NULL)
- COMP_CTX_free(s->expand);
- if (s->compress != NULL)
- COMP_CTX_free(s->compress);
-
if (s->cert != NULL) ssl_cert_free(s->cert);
/* Free up if allocated */
@@ -402,7 +417,7 @@ SSL *s;
int SSL_CTX_get_verify_mode(ctx)
SSL_CTX *ctx;
{
- return(ctx->default_verify_mode);
+ return(ctx->verify_mode);
}
int (*SSL_CTX_get_verify_callback(ctx))()
@@ -623,7 +638,22 @@ int cmd;
long larg;
char *parg;
{
- return(s->method->ssl_ctrl(s,cmd,larg,parg));
+ long l;
+
+ switch (cmd)
+ {
+ case SSL_CTRL_GET_READ_AHEAD:
+ return(s->read_ahead);
+ case SSL_CTRL_SET_READ_AHEAD:
+ l=s->read_ahead;
+ s->read_ahead=larg;
+ return(l);
+ case SSL_CTRL_OPTIONS:
+ return(s->options|=larg);
+ default:
+ return(s->method->ssl_ctrl(s,cmd,larg,parg));
+ }
+ return(0);
}
long SSL_CTX_ctrl(ctx,cmd,larg,parg)
@@ -632,7 +662,60 @@ int cmd;
long larg;
char *parg;
{
- return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
+ long l;
+
+ switch (cmd)
+ {
+ case SSL_CTRL_GET_READ_AHEAD:
+ return(ctx->read_ahead);
+ case SSL_CTRL_SET_READ_AHEAD:
+ l=ctx->read_ahead;
+ ctx->read_ahead=larg;
+ return(l);
+
+ case SSL_CTRL_SET_SESS_CACHE_SIZE:
+ l=ctx->session_cache_size;
+ ctx->session_cache_size=larg;
+ return(l);
+ case SSL_CTRL_GET_SESS_CACHE_SIZE:
+ return(ctx->session_cache_size);
+ case SSL_CTRL_SET_SESS_CACHE_MODE:
+ l=ctx->session_cache_mode;
+ ctx->session_cache_mode=larg;
+ return(l);
+ case SSL_CTRL_GET_SESS_CACHE_MODE:
+ return(ctx->session_cache_mode);
+
+ case SSL_CTRL_SESS_NUMBER:
+ return(ctx->sessions->num_items);
+ case SSL_CTRL_SESS_CONNECT:
+ return(ctx->stats.sess_connect);
+ case SSL_CTRL_SESS_CONNECT_GOOD:
+ return(ctx->stats.sess_connect_good);
+ case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
+ return(ctx->stats.sess_connect_renegotiate);
+ case SSL_CTRL_SESS_ACCEPT:
+ return(ctx->stats.sess_accept);
+ case SSL_CTRL_SESS_ACCEPT_GOOD:
+ return(ctx->stats.sess_accept_good);
+ case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
+ return(ctx->stats.sess_accept_renegotiate);
+ case SSL_CTRL_SESS_HIT:
+ return(ctx->stats.sess_hit);
+ case SSL_CTRL_SESS_CB_HIT:
+ return(ctx->stats.sess_cb_hit);
+ case SSL_CTRL_SESS_MISSES:
+ return(ctx->stats.sess_miss);
+ case SSL_CTRL_SESS_TIMEOUTS:
+ return(ctx->stats.sess_timeout);
+ case SSL_CTRL_SESS_CACHE_FULL:
+ return(ctx->stats.sess_cache_full);
+ case SSL_CTRL_OPTIONS:
+ return(ctx->options|=larg);
+ default:
+ return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
+ }
+ return(0);
}
int ssl_cipher_id_cmp(a,b)
@@ -903,17 +986,7 @@ SSL_METHOD *meth;
ret->remove_session_cb=NULL;
ret->get_session_cb=NULL;
- ret->sess_connect=0;
- ret->sess_connect_good=0;
- ret->sess_accept=0;
- ret->sess_accept_renegotiate=0;
- ret->sess_connect_renegotiate=0;
- ret->sess_accept_good=0;
- ret->sess_miss=0;
- ret->sess_timeout=0;
- ret->sess_cache_full=0;
- ret->sess_hit=0;
- ret->sess_cb_hit=0;
+ memset((char *)&ret->stats,0,sizeof(ret->stats));
ret->references=1;
ret->quiet_shutdown=0;
@@ -929,8 +1002,8 @@ SSL_METHOD *meth;
ret->app_verify_callback=NULL;
ret->app_verify_arg=NULL;
- ret->default_read_ahead=0;
- ret->default_verify_mode=SSL_VERIFY_NONE;
+ ret->read_ahead=0;
+ ret->verify_mode=SSL_VERIFY_NONE;
ret->default_verify_callback=NULL;
if ((ret->default_cert=ssl_cert_new()) == NULL)
goto err;
@@ -974,6 +1047,7 @@ SSL_METHOD *meth;
CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data);
ret->extra_certs=NULL;
+ ret->comp_methods=SSL_COMP_get_compression_methods();
return(ret);
err:
@@ -1021,6 +1095,8 @@ SSL_CTX *a;
sk_pop_free(a->client_CA,X509_NAME_free);
if (a->extra_certs != NULL)
sk_pop_free(a->extra_certs,X509_free);
+ if (a->comp_methods != NULL)
+ sk_pop_free(a->comp_methods,free);
Free((char *)a);
}
@@ -1049,7 +1125,7 @@ int (*cb)(int, X509_STORE_CTX *);
int (*cb)();
#endif
{
- ctx->default_verify_mode=mode;
+ ctx->verify_mode=mode;
ctx->default_verify_callback=cb;
/* This needs cleaning up EAY EAY EAY */
X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
@@ -1246,8 +1322,8 @@ int mode;
((i & mode) == mode))
{
if ( (((mode & SSL_SESS_CACHE_CLIENT)
- ?s->ctx->sess_connect_good
- :s->ctx->sess_accept_good) & 0xff) == 0xff)
+ ?s->ctx->stats.sess_connect_good
+ :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
{
SSL_CTX_flush_sessions(s->ctx,time(NULL));
}
@@ -1294,12 +1370,20 @@ SSL *s;
int i;
{
int reason;
+ unsigned long l;
BIO *bio;
if (i > 0) return(SSL_ERROR_NONE);
- if (ERR_peek_error() != 0)
- return(SSL_ERROR_SSL);
+ /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
+ * etc, where we do encode the error */
+ if ((l=ERR_peek_error()) != 0)
+ {
+ if (ERR_GET_LIB(l) == ERR_LIB_SYS)
+ return(SSL_ERROR_SYSCALL);
+ else
+ return(SSL_ERROR_SSL);
+ }
if ((i < 0) && SSL_want_read(s))
{
@@ -1381,6 +1465,7 @@ SSL *s;
void SSL_set_accept_state(s)
SSL *s;
{
+ s->server=1;
s->shutdown=0;
s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
s->handshake_func=s->method->ssl_accept;
@@ -1391,6 +1476,7 @@ SSL *s;
void SSL_set_connect_state(s)
SSL *s;
{
+ s->server=0;
s->shutdown=0;
s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
s->handshake_func=s->method->ssl_connect;
@@ -1498,6 +1584,7 @@ SSL *s;
ret->shutdown=s->shutdown;
ret->state=s->state;
ret->handshake_func=s->handshake_func;
+ ret->server=s->server;
if (0)
{
@@ -1523,6 +1610,16 @@ SSL *s;
Free(s->enc_write_ctx);
s->enc_write_ctx=NULL;
}
+ if (s->expand != NULL)
+ {
+ COMP_CTX_free(s->expand);
+ s->expand=NULL;
+ }
+ if (s->compress != NULL)
+ {
+ COMP_CTX_free(s->compress);
+ s->compress=NULL;
+ }
}
/* Fix this function so that it takes an optional type parameter */
@@ -1590,6 +1687,26 @@ int push;
}
return(1);
}
+
+void ssl_free_wbio_buffer(s)
+SSL *s;
+ {
+ BIO *under;
+
+ if (s->bbio == NULL) return;
+
+ if (s->bbio == s->wbio)
+ {
+ /* remove buffering */
+ under=BIO_pop(s->wbio);
+ if (under != NULL)
+ s->wbio=under;
+ else
+ abort(); /* ok */
+ }
+ BIO_free(s->bbio);
+ s->bbio=NULL;
+ }
void SSL_CTX_set_quiet_shutdown(ctx,mode)
SSL_CTX *ctx;
@@ -1750,6 +1867,27 @@ SSL *s;
return(1);
}
+X509_STORE *SSL_CTX_get_cert_store(ctx)
+SSL_CTX *ctx;
+ {
+ return(ctx->cert_store);
+ }
+
+void SSL_CTX_set_cert_store(ctx,store)
+SSL_CTX *ctx;
+X509_STORE *store;
+ {
+ if (ctx->cert_store != NULL)
+ X509_STORE_free(ctx->cert_store);
+ ctx->cert_store=store;
+ }
+
+int SSL_want(s)
+SSL *s;
+ {
+ return(s->rwstate);
+ }
+
void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,int export))
{ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); }
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index f2442544e3..1a907514d9 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -348,7 +348,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK *sk,unsigned char *p);
STACK *ssl_create_cipher_list(SSL_METHOD *meth,STACK **pref,
STACK **sorted,char *str);
void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(SSL_CIPHER *c, EVP_CIPHER **enc, EVP_MD **md);
+int ssl_cipher_get_evp(SSL_SESSION *s, EVP_CIPHER **enc, EVP_MD **md,
+ SSL_COMP **comp);
int ssl_verify_cert_chain(SSL *s,STACK *sk);
int ssl_undefined_function(SSL *s);
X509 *ssl_get_server_send_cert(SSL *);
@@ -442,6 +443,7 @@ long tls1_ctrl(SSL *s,int cmd, long larg, char *parg);
SSL_METHOD *tlsv1_base_method(void );
int ssl_init_wbio_buffer(SSL *s, int push);
+void ssl_free_wbio_buffer(SSL *s);
int tls1_change_cipher_state(SSL *s, int which);
int tls1_setup_key_block(SSL *s);
@@ -456,6 +458,9 @@ int tls1_alert_code(int code);
int ssl3_alert_code(int code);
int ssl_ok(SSL *s);
+SSL_COMP *ssl3_comp_find(STACK *sk, int n);
+STACK *SSL_COMP_get_compression_methods(void);
+
#else
@@ -562,10 +567,8 @@ int ssl23_read_bytes();
int ssl23_write_bytes();
int ssl_init_wbio_buffer();
+void ssl_free_wbio_buffer();
-#endif
-
-#endif
int ssl3_cert_verify_mac();
int ssl3_alert_code();
int tls1_new();
@@ -582,3 +585,9 @@ int tls1_mac();
int tls1_generate_master_secret();
int tls1_alert_code();
int ssl_ok();
+SSL_COMP *ssl3_comp_find();
+STACK *SSL_COMP_get_compression_methods();
+
+#endif
+
+#endif
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 745a8ec24f..43c51bc2b5 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -152,10 +152,10 @@ end:
}
#endif
-int SSL_use_certificate_ASN1(ssl, len, d)
+int SSL_use_certificate_ASN1(ssl, d,len)
SSL *ssl;
-int len;
unsigned char *d;
+int len;
{
X509 *x;
int ret;
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 95cd7fed8a..adaab3545f 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -123,6 +123,7 @@ SSL_SESSION *SSL_SESSION_new()
ss->time=time(NULL);
ss->prev=NULL;
ss->next=NULL;
+ ss->compress_meth=0;
CRYPTO_new_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
return(ss);
}
@@ -136,8 +137,10 @@ int session;
if ((ss=SSL_SESSION_new()) == NULL) return(0);
/* If the context has a default timeout, use it */
- if (s->ctx->session_timeout != 0)
+ if (s->ctx->session_timeout == 0)
ss->timeout=SSL_get_default_timeout(s);
+ else
+ ss->timeout=s->ctx->session_timeout;
if (s->session != NULL)
{
@@ -218,13 +221,13 @@ int len;
{
int copy=1;
- s->ctx->sess_miss++;
+ s->ctx->stats.sess_miss++;
ret=NULL;
if ((s->ctx->get_session_cb != NULL) &&
((ret=s->ctx->get_session_cb(s,session_id,len,&copy))
!= NULL))
{
- s->ctx->sess_cb_hit++;
+ s->ctx->stats.sess_cb_hit++;
/* The following should not return 1, otherwise,
* things are very strange */
@@ -260,14 +263,14 @@ int len;
if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
{
- s->ctx->sess_timeout++;
+ s->ctx->stats.sess_timeout++;
/* remove it from the cache */
SSL_CTX_remove_session(s->ctx,ret);
SSL_SESSION_free(ret); /* again to actually Free it */
return(0);
}
- s->ctx->sess_hit++;
+ s->ctx->stats.sess_hit++;
/* ret->time=time(NULL); */ /* rezero timeout? */
/* again, just leave the session
@@ -318,7 +321,7 @@ SSL_SESSION *c;
ctx->session_cache_tail))
break;
else
- ctx->sess_cache_full++;
+ ctx->stats.sess_cache_full++;
}
}
}
@@ -413,7 +416,10 @@ SSL_SESSION *session;
{
if (!SSL_set_ssl_method(s,meth))
return(0);
- session->timeout=SSL_get_default_timeout(s);
+ if (s->ctx->session_timeout == 0)
+ session->timeout=SSL_get_default_timeout(s);
+ else
+ session->timeout=s->ctx->session_timeout;
}
/* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
@@ -431,6 +437,14 @@ SSL_SESSION *session;
SSL_SESSION_free(s->session);
s->session=NULL;
}
+
+ meth=s->ctx->method;
+ if (meth != s->method)
+ {
+ if (!SSL_set_ssl_method(s,meth))
+ return(0);
+ }
+ ret=1;
}
return(ret);
}
@@ -467,6 +481,24 @@ long t;
return(t);
}
+long SSL_CTX_set_timeout(s,t)
+SSL_CTX *s;
+long t;
+ {
+ long l;
+ if (s == NULL) return(0);
+ l=s->session_timeout;
+ s->session_timeout=t;
+ return(l);
+ }
+
+long SSL_CTX_get_timeout(s)
+SSL_CTX *s;
+ {
+ if (s == NULL) return(0);
+ return(s->session_timeout);
+ }
+
typedef struct timeout_param_st
{
SSL_CTX *ctx;
@@ -499,7 +531,7 @@ long t;
TIMEOUT_PARAM tp;
tp.ctx=s;
- tp.cache=SSL_CTX_sessions(s);
+ tp.cache=s->sessions;
if (tp.cache == NULL) return;
tp.time=t;
CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index ce60e1a6dd..e41b738f5c 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -133,6 +133,23 @@ SSL_SESSION *x;
sprintf(str,"%02X",x->key_arg[i]);
if (BIO_puts(bp,str) <= 0) goto err;
}
+ if (x->compress_meth != 0)
+ {
+ SSL_COMP *comp;
+
+ ssl_cipher_get_evp(x,NULL,NULL,&comp);
+ if (comp == NULL)
+ {
+ sprintf(str,"\n Compression: %d",x->compress_meth);
+ if (BIO_puts(bp,str) <= 0) goto err;
+ }
+ else
+ {
+ sprintf(str,"\n Compression: %d (%s)",
+ comp->id,comp->method->name);
+ if (BIO_puts(bp,str) <= 0) goto err;
+ }
+ }
if (x->time != 0L)
{
sprintf(str,"\n Start Time: %ld",x->time);
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index ff686913d7..4662770e38 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -243,7 +243,7 @@ bad:
/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
- SSLeay_add_ssl_algorithms();
+ SSL_library_init();
SSL_load_error_strings();
#if !defined(NO_SSL2) && !defined(NO_SSL3)
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index ac9da4da3a..f228295bba 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include "comp.h"
#include "evp.h"
#include "hmac.h"
#include "ssl_locl.h"
@@ -175,7 +176,7 @@ int which;
int client_write;
EVP_CIPHER_CTX *dd;
EVP_CIPHER *c;
- COMP_METHOD *comp;
+ SSL_COMP *comp;
EVP_MD *m;
int exp,n,i,j,k,exp_label_len,cl;
@@ -200,14 +201,15 @@ int which;
}
if (comp != NULL)
{
- s->expand=COMP_CTX_new(comp);
+ s->expand=COMP_CTX_new(comp->method);
if (s->expand == NULL)
{
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
goto err2;
}
- s->s3->rrec.comp=(unsigned char *)
- Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
+ if (s->s3->rrec.comp == NULL)
+ s->s3->rrec.comp=(unsigned char *)
+ Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
if (s->s3->rrec.comp == NULL)
goto err;
}
@@ -229,7 +231,7 @@ int which;
}
if (comp != NULL)
{
- s->compress=COMP_CTX_new(comp);
+ s->compress=COMP_CTX_new(comp->method);
if (s->compress == NULL)
{
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
@@ -346,11 +348,12 @@ SSL *s;
EVP_CIPHER *c;
EVP_MD *hash;
int num,exp;
+ SSL_COMP *comp;
if (s->s3->tmp.key_block_length != 0)
return(1);
- if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash))
+ if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
{
SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return(0);
@@ -504,7 +507,7 @@ unsigned char *out;
unsigned int ret;
EVP_MD_CTX ctx;
- memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX));
+ EVP_MD_CTX_copy(&ctx,in_ctx);
EVP_DigestFinal(&ctx,out,&ret);
return((int)ret);
}
@@ -525,10 +528,10 @@ unsigned char *out;
memcpy(q,str,slen);
q+=slen;
- memcpy(&ctx,in1_ctx,sizeof(EVP_MD_CTX));
+ EVP_MD_CTX_copy(&ctx,in1_ctx);
EVP_DigestFinal(&ctx,q,&i);
q+=i;
- memcpy(&ctx,in2_ctx,sizeof(EVP_MD_CTX));
+ EVP_MD_CTX_copy(&ctx,in2_ctx);
EVP_DigestFinal(&ctx,q,&i);
q+=i;
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-09 22:35:35 +0300