projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix some bugs and document others
[openssl.git] / ssl / ssl_lib.c
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index be091b1e75284f7f0834d96f56a20ac551ff46fa..f09e46c346664ec5c990d65e077fe6b5ac2737ee 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1,5 +1,7 @@
-/* ssl/ssl_lib.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/*! \file ssl/ssl_lib.c
+ *  \brief Version independent SSL functions.
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
  * This package is an SSL implementation written
@@ -57,42 +59,77 @@
  */
 
 #include <stdio.h>
-#include "objects.h"
-#include "lhash.h"
+#include <openssl/objects.h>
+#include <openssl/lhash.h>
+#include <openssl/x509v3.h>
 #include "ssl_locl.h"
 
-#ifndef NOPROTO
-static unsigned long conn_hash(SSL_SESSION *a);
-#else
-static unsigned long conn_hash();
-#endif
+const char *SSL_version_str=OPENSSL_VERSION_TEXT;
 
-char *SSL_version_str="SSLeay 0.8.1b 29-Jun-1998";
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_ctx_meth=NULL;
+static int ssl_meth_num=0;
+static int ssl_ctx_meth_num=0;
+
+OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
+       /* evil casts, but these functions are only called if there's a library bug */
+       (int (*)(SSL *,int))ssl_undefined_function,
+       (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
+       ssl_undefined_function,
+       (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
+       (int (*)(SSL*, int))ssl_undefined_function,
+       (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function
+       };
+
+union rsa_fn_to_char_u
+       {
+       char *char_p;
+       RSA *(*fn_p)(SSL *, int, int);
+       };
 
-void SSL_clear(s)
-SSL *s;
+union dh_fn_to_char_u
+       {
+       char *char_p;
+       DH *(*fn_p)(SSL *, int, int);
+       };
+
+int SSL_clear(SSL *s)
        {
        int state;
 
-       if (s->method == NULL) return;
+       if (s->method == NULL)
+               {
+               SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
+               return(0);
+               }
 
        s->error=0;
        s->hit=0;
+       s->shutdown=0;
 
+#if 0 /* Disabled since version 1.10 of this file (early return not
+       * needed because SSL_clear is not called when doing renegotiation) */
        /* This is set if we are doing dynamic renegotiation so keep
         * the old cipher.  It is sort of a SSL_clear_lite :-) */
-       if (s->new_session) return;
+       if (s->new_session) return(1);
+#else
+       if (s->new_session)
+               {
+               SSLerr(SSL_F_SSL_CLEAR,SSL_R_INTERNAL_ERROR);
+               return 0;
+               }
+#endif
 
        state=s->state; /* Keep to check if we throw away the session-id */
        s->type=0;
 
+       s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
+
        s->version=s->method->version;
+       s->client_version=s->version;
        s->rwstate=SSL_NOTHING;
-       s->state=SSL_ST_BEFORE;
        s->rstate=SSL_ST_READ_HEADER;
-       s->read_ahead=s->ctx->default_read_ahead;
-
-/*     s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); */
+       s->read_ahead=s->ctx->read_ahead;
 
        if (s->init_buf != NULL)
                {
@@ -108,24 +145,34 @@ SSL *s;
                s->session=NULL;
                }
 
-       s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
        s->first_packet=0;
 
-       s->method->ssl_clear(s);
+#if 1
+       /* Check to see if we were changed into a different method, if
+        * so, revert back if we are not doing session-id reuse. */
+       if ((s->session == NULL) && (s->method != s->ctx->method))
+               {
+               s->method->ssl_free(s);
+               s->method=s->ctx->method;
+               if (!s->method->ssl_new(s))
+                       return(0);
+               }
+       else
+#endif
+               s->method->ssl_clear(s);
+       return(1);
        }
 
-/* Used to change an SSL_CTXs default SSL method type */
-int SSL_CTX_set_ssl_version(ctx,meth)
-SSL_CTX *ctx;
-SSL_METHOD *meth;
+/** Used to change an SSL_CTXs default SSL method type */
+int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth)
        {
-       STACK *sk;
+       STACK_OF(SSL_CIPHER) *sk;
 
        ctx->method=meth;
 
        sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
                &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST);
-       if ((sk == NULL) || (sk_num(sk) <= 0))
+       if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
                {
                SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
                return(0);
@@ -133,8 +180,7 @@ SSL_METHOD *meth;
        return(1);
        }
 
-SSL *SSL_new(ctx)
-SSL_CTX *ctx;
+SSL *SSL_new(SSL_CTX *ctx)
        {
        SSL *s;
 
@@ -153,16 +199,31 @@ SSL_CTX *ctx;
        if (s == NULL) goto err;
        memset(s,0,sizeof(SSL));
 
-       if (ctx->default_cert != NULL)
+       if (ctx->cert != NULL)
                {
-               CRYPTO_add(&ctx->default_cert->references,1,
-                       CRYPTO_LOCK_SSL_CERT);
-               s->cert=ctx->default_cert;
+               /* Earlier library versions used to copy the pointer to
+                * the CERT, not its contents; only when setting new
+                * parameters for the per-SSL copy, ssl_cert_new would be
+                * called (and the direct reference to the per-SSL_CTX
+                * settings would be lost, but those still were indirectly
+                * accessed for various purposes, and for that reason they
+                * used to be known as s->ctx->default_cert).
+                * Now we don't look at the SSL_CTX's CERT after having
+                * duplicated it once. */
+
+               s->cert = ssl_cert_dup(ctx->cert);
+               if (s->cert == NULL)
+                       goto err;
                }
        else
-               s->cert=NULL;
-       s->verify_mode=ctx->default_verify_mode;
+               s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
+       s->sid_ctx_length=ctx->sid_ctx_length;
+       memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
+       s->verify_mode=ctx->verify_mode;
+       s->verify_depth=ctx->verify_depth;
        s->verify_callback=ctx->default_verify_callback;
+       s->purpose = ctx->purpose;
+       s->trust = ctx->trust;
        CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
        s->ctx=ctx;
 
@@ -171,23 +232,121 @@ SSL_CTX *ctx;
        s->method=ctx->method;
 
        if (!s->method->ssl_new(s))
-               {
-               SSL_CTX_free(ctx);
-               Free(s);
                goto err;
-               }
 
        s->quiet_shutdown=ctx->quiet_shutdown;
+       s->references=1;
+       s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
+       s->options=ctx->options;
+       s->mode=ctx->mode;
        SSL_clear(s);
+
+       CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data);
+
        return(s);
 err:
+       if (s != NULL)
+               {
+               if (s->cert != NULL)
+                       ssl_cert_free(s->cert);
+               if (s->ctx != NULL)
+                       SSL_CTX_free(s->ctx); /* decrement reference count */
+               Free(s);
+               }
        SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
        return(NULL);
        }
 
-void SSL_free(s)
-SSL *s;
+int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
+                                  unsigned int sid_ctx_len)
+    {
+    if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
+       {
+       SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
+       return 0;
+       }
+    ctx->sid_ctx_length=sid_ctx_len;
+    memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len);
+
+    return 1;
+    }
+
+int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
+                              unsigned int sid_ctx_len)
+    {
+    if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
+       {
+       SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
+       return 0;
+       }
+    ssl->sid_ctx_length=sid_ctx_len;
+    memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len);
+
+    return 1;
+    }
+
+int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
+{
+       if(X509_PURPOSE_get_by_id(purpose) == -1) {
+               SSLerr(SSL_F_SSL_CTX_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
+               return 0;
+       }
+       s->purpose = purpose;
+       return 1;
+}
+
+int SSL_set_purpose(SSL *s, int purpose)
+{
+       if(X509_PURPOSE_get_by_id(purpose) == -1) {
+               SSLerr(SSL_F_SSL_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
+               return 0;
+       }
+       s->purpose = purpose;
+       return 1;
+}
+       
+int SSL_CTX_set_trust(SSL_CTX *s, int trust)
+{
+       if(X509_TRUST_get_by_id(trust) == -1) {
+               SSLerr(SSL_F_SSL_CTX_SET_TRUST, SSL_R_INVALID_TRUST);
+               return 0;
+       }
+       s->trust = trust;
+       return 1;
+}
+
+int SSL_set_trust(SSL *s, int trust)
+{
+       if(X509_TRUST_get_by_id(trust) == -1) {
+               SSLerr(SSL_F_SSL_SET_TRUST, SSL_R_INVALID_TRUST);
+               return 0;
+       }
+       s->trust = trust;
+       return 1;
+}
+
+void SSL_free(SSL *s)
        {
+       int i;
+
+       if(s == NULL)
+           return;
+
+       i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
+#ifdef REF_PRINT
+       REF_PRINT("SSL",s);
+#endif
+       if (i > 0) return;
+#ifdef REF_CHECK
+       if (i < 0)
+               {
+               fprintf(stderr,"SSL_free, bad reference count\n");
+               abort(); /* ok */
+               }
+#endif
+
+       CRYPTO_free_ex_data(ssl_meth,(char *)s,&s->ex_data);
+
        if (s->bbio != NULL)
                {
                /* If the buffering BIO is in place, pop it off */
@@ -196,6 +355,7 @@ SSL *s;
                        s->wbio=BIO_pop(s->wbio);
                        }
                BIO_free(s->bbio);
+               s->bbio=NULL;
                }
        if (s->rbio != NULL)
                BIO_free_all(s->rbio);
@@ -205,8 +365,8 @@ SSL *s;
        if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
 
        /* add extra stuff */
-       if (s->cipher_list != NULL) sk_free(s->cipher_list);
-       if (s->cipher_list_by_id != NULL) sk_free(s->cipher_list_by_id);
+       if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list);
+       if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id);
 
        /* Make the next call work :-) */
        if (s->session != NULL)
@@ -223,17 +383,14 @@ SSL *s;
        if (s->ctx) SSL_CTX_free(s->ctx);
 
        if (s->client_CA != NULL)
-               sk_pop_free(s->client_CA,X509_NAME_free);
+               sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
 
        if (s->method != NULL) s->method->ssl_free(s);
 
-       Free((char *)s);
+       Free(s);
        }
 
-void SSL_set_bio(s, rbio,wbio)
-SSL *s;
-BIO *rbio;
-BIO *wbio;
+void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
        {
        /* If the output buffering BIO is still in place, remove it
         */
@@ -253,16 +410,13 @@ BIO *wbio;
        s->wbio=wbio;
        }
 
-BIO *SSL_get_rbio(s)
-SSL *s;
+BIO *SSL_get_rbio(SSL *s)
        { return(s->rbio); }
 
-BIO *SSL_get_wbio(s)
-SSL *s;
+BIO *SSL_get_wbio(SSL *s)
        { return(s->wbio); }
 
-int SSL_get_fd(s)
-SSL *s;
+int SSL_get_fd(SSL *s)
        {
        int ret= -1;
        BIO *b,*r;
@@ -275,9 +429,7 @@ SSL *s;
        }
 
 #ifndef NO_SOCK
-int SSL_set_fd(s, fd)
-SSL *s;
-int fd;
+int SSL_set_fd(SSL *s,int fd)
        {
        int ret=0;
        BIO *bio=NULL;
@@ -296,101 +448,145 @@ err:
        return(ret);
        }
 
-int SSL_set_wfd(s, fd)
-SSL *s;
-int fd;
+int SSL_set_wfd(SSL *s,int fd)
        {
        int ret=0;
        BIO *bio=NULL;
 
-       bio=BIO_new(BIO_s_socket());
+       if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
+               || ((int)BIO_get_fd(s->rbio,NULL) != fd))
+               {
+               bio=BIO_new(BIO_s_socket());
 
-       if (bio == NULL)
-               { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
-       BIO_set_fd(bio,fd,BIO_NOCLOSE);
-       SSL_set_bio(s,SSL_get_rbio(s),bio);
+               if (bio == NULL)
+                       { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
+               BIO_set_fd(bio,fd,BIO_NOCLOSE);
+               SSL_set_bio(s,SSL_get_rbio(s),bio);
+               }
+       else
+               SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s));
        ret=1;
 err:
        return(ret);
        }
 
-int SSL_set_rfd(s, fd)
-SSL *s;
-int fd;
+int SSL_set_rfd(SSL *s,int fd)
        {
        int ret=0;
        BIO *bio=NULL;
 
-       bio=BIO_new(BIO_s_socket());
-
-       if (bio == NULL)
+       if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
+               || ((int)BIO_get_fd(s->wbio,NULL) != fd))
                {
-               SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
-               goto err;
+               bio=BIO_new(BIO_s_socket());
+
+               if (bio == NULL)
+                       {
+                       SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
+                       goto err;
+                       }
+               BIO_set_fd(bio,fd,BIO_NOCLOSE);
+               SSL_set_bio(s,bio,SSL_get_wbio(s));
                }
-       BIO_set_fd(bio,fd,BIO_NOCLOSE);
-       SSL_set_bio(s,bio,SSL_get_wbio(s));
+       else
+               SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s));
        ret=1;
 err:
        return(ret);
        }
 #endif
 
-int SSL_get_verify_mode(s)
-SSL *s;
+
+/* return length of latest Finished message we sent, copy to 'buf' */
+size_t SSL_get_finished(SSL *s, void *buf, size_t count)
+       {
+       size_t ret = 0;
+       
+       if (s->s3 != NULL)
+               {
+               ret = s->s3->tmp.finish_md_len;
+               if (count > ret)
+                       count = ret;
+               memcpy(buf, s->s3->tmp.finish_md, count);
+               }
+       return ret;
+       }
+
+/* return length of latest Finished message we expected, copy to 'buf' */
+size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
+       {
+       size_t ret = 0;
+       
+       if (s->s3 != NULL)
+               {
+               ret = s->s3->tmp.peer_finish_md_len;
+               if (count > ret)
+                       count = ret;
+               memcpy(buf, s->s3->tmp.peer_finish_md, count);
+               }
+       return ret;
+       }
+
+
+int SSL_get_verify_mode(SSL *s)
        {
        return(s->verify_mode);
        }
 
-int (*SSL_get_verify_callback(s))()
-SSL *s;
+int SSL_get_verify_depth(SSL *s)
+       {
+       return(s->verify_depth);
+       }
+
+int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
        {
        return(s->verify_callback);
        }
 
-int SSL_CTX_get_verify_mode(ctx)
-SSL_CTX *ctx;
+int SSL_CTX_get_verify_mode(SSL_CTX *ctx)
        {
-       return(ctx->default_verify_mode);
+       return(ctx->verify_mode);
        }
 
-int (*SSL_CTX_get_verify_callback(ctx))()
-SSL_CTX *ctx;
+int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
+       {
+       return(ctx->verify_depth);
+       }
+
+int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
        {
        return(ctx->default_verify_callback);
        }
 
-void SSL_set_verify(s, mode, callback)
-SSL *s;
-int mode;
-int (*callback)();
+void SSL_set_verify(SSL *s,int mode,
+                   int (*callback)(int ok,X509_STORE_CTX *ctx))
        {
        s->verify_mode=mode;
        if (callback != NULL)
                s->verify_callback=callback;
        }
 
-void SSL_set_read_ahead(s, yes)
-SSL *s;
-int yes;
+void SSL_set_verify_depth(SSL *s,int depth)
+       {
+       s->verify_depth=depth;
+       }
+
+void SSL_set_read_ahead(SSL *s,int yes)
        {
        s->read_ahead=yes;
        }
 
-int SSL_get_read_ahead(s)
-SSL *s;
+int SSL_get_read_ahead(SSL *s)
        {
        return(s->read_ahead);
        }
 
-int SSL_pending(s)
-SSL *s;
+int SSL_pending(SSL *s)
        {
        return(s->method->ssl_pending(s));
        }
 
-X509 *SSL_get_peer_certificate(s)
-SSL *s;
+X509 *SSL_get_peer_certificate(SSL *s)
        {
        X509 *r;
        
@@ -406,23 +602,21 @@ SSL *s;
        return(r);
        }
 
-STACK *SSL_get_peer_cert_chain(s)
-SSL *s;
+STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
        {
-       STACK *r;
+       STACK_OF(X509) *r;
        
-       if ((s == NULL) || (s->session == NULL) || (s->session->cert == NULL))
+       if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
                r=NULL;
        else
-               r=s->session->cert->cert_chain;
+               r=s->session->sess_cert->cert_chain;
 
        return(r);
        }
 
 /* Now in theory, since the calling process own 't' it should be safe to
  * modify.  We need to be able to read f without being hassled */
-void SSL_copy_session_id(t,f)
-SSL *t,*f;
+void SSL_copy_session_id(SSL *t,SSL *f)
        {
        CERT *tmp;
 
@@ -447,28 +641,29 @@ SSL *t,*f;
        else
                t->cert=NULL;
        if (tmp != NULL) ssl_cert_free(tmp);
+       SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length);
        }
 
-int SSL_CTX_check_private_key(ctx)
-SSL_CTX *ctx;
+/* Fix this so it checks all the valid key/cert options */
+int SSL_CTX_check_private_key(SSL_CTX *ctx)
        {
        if (    (ctx == NULL) ||
-               (ctx->default_cert == NULL) ||
-               (ctx->default_cert->key->x509 == NULL))
+               (ctx->cert == NULL) ||
+               (ctx->cert->key->x509 == NULL))
                {
                SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
                return(0);
                }
-       if      (ctx->default_cert->key->privatekey == NULL)
+       if      (ctx->cert->key->privatekey == NULL)
                {
                SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
                return(0);
                }
-       return(X509_check_private_key(ctx->default_cert->key->x509, ctx->default_cert->key->privatekey));
+       return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey));
        }
 
-int SSL_check_private_key(ssl)
-SSL *ssl;
+/* Fix this function so that it takes an optional type parameter */
+int SSL_check_private_key(SSL *ssl)
        {
        if (ssl == NULL)
                {
@@ -476,7 +671,10 @@ SSL *ssl;
                return(0);
                }
        if (ssl->cert == NULL)
-               return(SSL_CTX_check_private_key(ssl->ctx));
+               {
+                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
+               return 0;
+               }
        if (ssl->cert->key->x509 == NULL)
                {
                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
@@ -491,29 +689,37 @@ SSL *ssl;
                ssl->cert->key->privatekey));
        }
 
-int SSL_accept(s)
-SSL *s;
+int SSL_accept(SSL *s)
        {
+       if (s->handshake_func == 0)
+               /* Not properly initialized yet */
+               SSL_set_accept_state(s);
+
        return(s->method->ssl_accept(s));
        }
 
-int SSL_connect(s)
-SSL *s;
+int SSL_connect(SSL *s)
        {
+       if (s->handshake_func == 0)
+               /* Not properly initialized yet */
+               SSL_set_connect_state(s);
+
        return(s->method->ssl_connect(s));
        }
 
-long SSL_get_default_timeout(s)
-SSL *s;
+long SSL_get_default_timeout(SSL *s)
        {
        return(s->method->get_timeout());
        }
 
-int SSL_read(s,buf,num)
-SSL *s;
-char *buf;
-int num;
+int SSL_read(SSL *s,char *buf,int num)
        {
+       if (s->handshake_func == 0)
+               {
+               SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
+               return -1;
+               }
+
        if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
                {
                s->rwstate=SSL_NOTHING;
@@ -522,10 +728,7 @@ int num;
        return(s->method->ssl_read(s,buf,num));
        }
 
-int SSL_peek(s,buf,num)
-SSL *s;
-char *buf;
-int num;
+int SSL_peek(SSL *s,char *buf,int num)
        {
        if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
                {
@@ -534,11 +737,14 @@ int num;
        return(s->method->ssl_peek(s,buf,num));
        }
 
-int SSL_write(s,buf,num)
-SSL *s;
-char *buf;
-int num;
+int SSL_write(SSL *s,const char *buf,int num)
        {
+       if (s->handshake_func == 0)
+               {
+               SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
+               return -1;
+               }
+
        if (s->shutdown & SSL_SENT_SHUTDOWN)
                {
                s->rwstate=SSL_NOTHING;
@@ -548,41 +754,131 @@ int num;
        return(s->method->ssl_write(s,buf,num));
        }
 
-int SSL_shutdown(s)
-SSL *s;
+int SSL_shutdown(SSL *s)
        {
+       /* Note that this function behaves differently from what one might
+        * expect.  Return values are 0 for no success (yet),
+        * 1 for success; but calling it once is usually not enough,
+        * even if blocking I/O is used (see ssl3_shutdown).
+        */
+
+       if (s->handshake_func == 0)
+               {
+               SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
+               return -1;
+               }
+
        if ((s != NULL) && !SSL_in_init(s))
                return(s->method->ssl_shutdown(s));
        else
                return(1);
        }
 
-int SSL_renegotiate(s)
-SSL *s;
+int SSL_renegotiate(SSL *s)
        {
+       s->new_session=1;
        return(s->method->ssl_renegotiate(s));
        }
 
-long SSL_ctrl(s,cmd,larg,parg)
-SSL *s;
-int cmd;
-long larg;
-char *parg;
+long SSL_ctrl(SSL *s,int cmd,long larg,char *parg)
+       {
+       long l;
+
+       switch (cmd)
+               {
+       case SSL_CTRL_GET_READ_AHEAD:
+               return(s->read_ahead);
+       case SSL_CTRL_SET_READ_AHEAD:
+               l=s->read_ahead;
+               s->read_ahead=larg;
+               return(l);
+       case SSL_CTRL_OPTIONS:
+               return(s->options|=larg);
+       case SSL_CTRL_MODE:
+               return(s->mode|=larg);
+       default:
+               return(s->method->ssl_ctrl(s,cmd,larg,parg));
+               }
+       }
+
+long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)())
+       {
+       switch(cmd)
+               {
+       default:
+               return(s->method->ssl_callback_ctrl(s,cmd,fp));
+               }
+       }
+
+long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg)
        {
-       return(s->method->ssl_ctrl(s,cmd,larg,parg));
+       long l;
+
+       switch (cmd)
+               {
+       case SSL_CTRL_GET_READ_AHEAD:
+               return(ctx->read_ahead);
+       case SSL_CTRL_SET_READ_AHEAD:
+               l=ctx->read_ahead;
+               ctx->read_ahead=larg;
+               return(l);
+
+       case SSL_CTRL_SET_SESS_CACHE_SIZE:
+               l=ctx->session_cache_size;
+               ctx->session_cache_size=larg;
+               return(l);
+       case SSL_CTRL_GET_SESS_CACHE_SIZE:
+               return(ctx->session_cache_size);
+       case SSL_CTRL_SET_SESS_CACHE_MODE:
+               l=ctx->session_cache_mode;
+               ctx->session_cache_mode=larg;
+               return(l);
+       case SSL_CTRL_GET_SESS_CACHE_MODE:
+               return(ctx->session_cache_mode);
+
+       case SSL_CTRL_SESS_NUMBER:
+               return(ctx->sessions->num_items);
+       case SSL_CTRL_SESS_CONNECT:
+               return(ctx->stats.sess_connect);
+       case SSL_CTRL_SESS_CONNECT_GOOD:
+               return(ctx->stats.sess_connect_good);
+       case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
+               return(ctx->stats.sess_connect_renegotiate);
+       case SSL_CTRL_SESS_ACCEPT:
+               return(ctx->stats.sess_accept);
+       case SSL_CTRL_SESS_ACCEPT_GOOD:
+               return(ctx->stats.sess_accept_good);
+       case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
+               return(ctx->stats.sess_accept_renegotiate);
+       case SSL_CTRL_SESS_HIT:
+               return(ctx->stats.sess_hit);
+       case SSL_CTRL_SESS_CB_HIT:
+               return(ctx->stats.sess_cb_hit);
+       case SSL_CTRL_SESS_MISSES:
+               return(ctx->stats.sess_miss);
+       case SSL_CTRL_SESS_TIMEOUTS:
+               return(ctx->stats.sess_timeout);
+       case SSL_CTRL_SESS_CACHE_FULL:
+               return(ctx->stats.sess_cache_full);
+       case SSL_CTRL_OPTIONS:
+               return(ctx->options|=larg);
+       case SSL_CTRL_MODE:
+               return(ctx->mode|=larg);
+       default:
+               return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
+               }
        }
 
-long SSL_CTX_ctrl(ctx,cmd,larg,parg)
-SSL_CTX *ctx;
-int cmd;
-long larg;
-char *parg;
+long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
        {
-       return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
+       switch(cmd)
+               {
+       default:
+               return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
+               }
        }
 
-int ssl_cipher_id_cmp(a,b)
-SSL_CIPHER *a,*b;
+int ssl_cipher_id_cmp(SSL_CIPHER *a,SSL_CIPHER *b)
        {
        long l;
 
@@ -593,8 +889,7 @@ SSL_CIPHER *a,*b;
                return((l > 0)?1:-1);
        }
 
-int ssl_cipher_ptr_id_cmp(ap,bp)
-SSL_CIPHER **ap,**bp;
+int ssl_cipher_ptr_id_cmp(SSL_CIPHER **ap,SSL_CIPHER **bp)
        {
        long l;
 
@@ -605,16 +900,15 @@ SSL_CIPHER **ap,**bp;
                return((l > 0)?1:-1);
        }
 
-/* return a STACK of the ciphers available for the SSL and in order of
+/** return a STACK of the ciphers available for the SSL and in order of
  * preference */
-STACK *SSL_get_ciphers(s)
-SSL *s;
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
        {
        if ((s != NULL) && (s->cipher_list != NULL))
                {
                return(s->cipher_list);
                }
-       else if ((s != NULL) && (s->ctx != NULL) &&
+       else if ((s->ctx != NULL) &&
                (s->ctx->cipher_list != NULL))
                {
                return(s->ctx->cipher_list);
@@ -622,10 +916,9 @@ SSL *s;
        return(NULL);
        }
 
-/* return a STACK of the ciphers available for the SSL and in order of
+/** return a STACK of the ciphers available for the SSL and in order of
  * algorithm id */
-STACK *ssl_get_ciphers_by_id(s)
-SSL *s;
+STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
        {
        if ((s != NULL) && (s->cipher_list_by_id != NULL))
                {
@@ -639,29 +932,25 @@ SSL *s;
        return(NULL);
        }
 
-/* The old interface to get the same thing as SSL_get_ciphers() */
-char *SSL_get_cipher_list(s,n)
-SSL *s;
-int n;
+/** The old interface to get the same thing as SSL_get_ciphers() */
+const char *SSL_get_cipher_list(SSL *s,int n)
        {
        SSL_CIPHER *c;
-       STACK *sk;
+       STACK_OF(SSL_CIPHER) *sk;
 
        if (s == NULL) return(NULL);
        sk=SSL_get_ciphers(s);
-       if ((sk == NULL) || (sk_num(sk) <= n))
+       if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
                return(NULL);
-       c=(SSL_CIPHER *)sk_value(sk,n);
+       c=sk_SSL_CIPHER_value(sk,n);
        if (c == NULL) return(NULL);
        return(c->name);
        }
 
-/* specify the ciphers to be used by defaut by the SSL_CTX */
-int SSL_CTX_set_cipher_list(ctx,str)
-SSL_CTX *ctx;
-char *str;
+/** specify the ciphers to be used by default by the SSL_CTX */
+int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
        {
-       STACK *sk;
+       STACK_OF(SSL_CIPHER) *sk;
        
        sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
                &ctx->cipher_list_by_id,str);
@@ -669,12 +958,10 @@ char *str;
        return((sk == NULL)?0:1);
        }
 
-/* specify the ciphers to be used by the SSL */
-int SSL_set_cipher_list(s, str)
-SSL *s;
-char *str;
+/** specify the ciphers to be used by the SSL */
+int SSL_set_cipher_list(SSL *s,const char *str)
        {
-       STACK *sk;
+       STACK_OF(SSL_CIPHER) *sk;
        
        sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
                &s->cipher_list_by_id,str);
@@ -683,13 +970,11 @@ char *str;
        }
 
 /* works well for SSLv2, not so good for SSLv3 */
-char *SSL_get_shared_ciphers(s,buf,len)
-SSL *s;
-char *buf;
-int len;
+char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
        {
-       char *p,*cp;
-       STACK *sk;
+       char *p;
+       const char *cp;
+       STACK_OF(SSL_CIPHER) *sk;
        SSL_CIPHER *c;
        int i;
 
@@ -699,13 +984,14 @@ int len;
 
        p=buf;
        sk=s->session->ciphers;
-       len--;
-       for (i=0; i<sk_num(sk); i++)
+       for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
                {
-               c=(SSL_CIPHER *)sk_value(sk,i);
+               /* Decrement for either the ':' or a '\0' */
+               len--;
+               c=sk_SSL_CIPHER_value(sk,i);
                for (cp=c->name; *cp; )
                        {
-                       if (--len == 0)
+                       if (len-- == 0)
                                {
                                *p='\0';
                                return(buf);
@@ -719,10 +1005,7 @@ int len;
        return(buf);
        }
 
-int ssl_cipher_list_to_bytes(s,sk,p)
-SSL *s;
-STACK *sk;
-unsigned char *p;
+int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
        {
        int i,j=0;
        SSL_CIPHER *c;
@@ -731,23 +1014,20 @@ unsigned char *p;
        if (sk == NULL) return(0);
        q=p;
 
-       for (i=0; i<sk_num(sk); i++)
+       for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
                {
-               c=(SSL_CIPHER *)sk_value(sk,i);
+               c=sk_SSL_CIPHER_value(sk,i);
                j=ssl_put_cipher_by_char(s,c,p);
                p+=j;
                }
        return(p-q);
        }
 
-STACK *ssl_bytes_to_cipher_list(s,p,num,skp)
-SSL *s;
-unsigned char *p;
-int num;
-STACK **skp;
+STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
+                                              STACK_OF(SSL_CIPHER) **skp)
        {
        SSL_CIPHER *c;
-       STACK *sk;
+       STACK_OF(SSL_CIPHER) *sk;
        int i,n;
 
        n=ssl_put_cipher_by_char(s,NULL,NULL);
@@ -757,11 +1037,11 @@ STACK **skp;
                return(NULL);
                }
        if ((skp == NULL) || (*skp == NULL))
-               sk=sk_new(NULL); /* change perhaps later */
+               sk=sk_SSL_CIPHER_new(NULL); /* change perhaps later */
        else
                {
                sk= *skp;
-               sk_zero(sk);
+               sk_SSL_CIPHER_zero(sk);
                }
 
        for (i=0; i<num; i+=n)
@@ -770,7 +1050,7 @@ STACK **skp;
                p+=n;
                if (c != NULL)
                        {
-                       if (!sk_push(sk,(char *)c))
+                       if (!sk_SSL_CIPHER_push(sk,c))
                                {
                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
                                goto err;
@@ -783,43 +1063,46 @@ STACK **skp;
        return(sk);
 err:
        if ((skp == NULL) || (*skp == NULL))
-               sk_free(sk);
+               sk_SSL_CIPHER_free(sk);
        return(NULL);
        }
 
-static unsigned long conn_hash(a)
-SSL_SESSION *a;
+unsigned long SSL_SESSION_hash(SSL_SESSION *a)
        {
        unsigned long l;
 
-       l=      (a->session_id[0]     )|(a->session_id[1]<< 8L)|
-               (a->session_id[1]<<16L)|(a->session_id[2]<<24L);
+       l=(unsigned long)
+               ((unsigned int) a->session_id[0]     )|
+               ((unsigned int) a->session_id[1]<< 8L)|
+               ((unsigned long)a->session_id[2]<<16L)|
+               ((unsigned long)a->session_id[3]<<24L);
        return(l);
        }
 
-static int session_cmp(a, b)
-SSL_SESSION *a;
-SSL_SESSION *b;
+int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
        {
-       int i;
-
-       i=a->session_id_length - b->session_id_length;
-       if (i == 0)
-               return(memcmp(a->session_id,b->session_id,
-                       a->session_id_length));
-       else    return(1);
+       if (a->ssl_version != b->ssl_version)
+               return(1);
+       if (a->session_id_length != b->session_id_length)
+               return(1);
+       return(memcmp(a->session_id,b->session_id,a->session_id_length));
        }
 
-SSL_CTX *SSL_CTX_new(meth)
-SSL_METHOD *meth;
+SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
        {
-       SSL_CTX *ret;
+       SSL_CTX *ret=NULL;
        
        if (meth == NULL)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
                return(NULL);
                }
+
+       if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
+               {
+               SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
+               goto err;
+               }
        ret=(SSL_CTX *)Malloc(sizeof(SSL_CTX));
        if (ret == NULL)
                goto err;
@@ -830,6 +1113,9 @@ SSL_METHOD *meth;
 
        ret->cert_store=NULL;
        ret->session_cache_mode=SSL_SESS_CACHE_SERVER;
+       ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
+       ret->session_cache_head=NULL;
+       ret->session_cache_tail=NULL;
 
        /* We take the system default */
        ret->session_timeout=meth->get_timeout();
@@ -838,14 +1124,7 @@ SSL_METHOD *meth;
        ret->remove_session_cb=NULL;
        ret->get_session_cb=NULL;
 
-       ret->sess_connect=0;
-       ret->sess_connect_good=0;
-       ret->sess_accept=0;
-       ret->sess_accept_good=0;
-       ret->sess_miss=0;
-       ret->sess_timeout=0;
-       ret->sess_hit=0;
-       ret->sess_cb_hit=0;
+       memset((char *)&ret->stats,0,sizeof(ret->stats));
 
        ret->references=1;
        ret->quiet_shutdown=0;
@@ -861,16 +1140,18 @@ SSL_METHOD *meth;
        ret->app_verify_callback=NULL;
        ret->app_verify_arg=NULL;
 
-       ret->default_read_ahead=0;
-       ret->default_verify_mode=SSL_VERIFY_NONE;
+       ret->read_ahead=0;
+       ret->verify_mode=SSL_VERIFY_NONE;
+       ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
        ret->default_verify_callback=NULL;
-       if ((ret->default_cert=ssl_cert_new()) == NULL)
+       if ((ret->cert=ssl_cert_new()) == NULL)
                goto err;
 
        ret->default_passwd_callback=NULL;
+       ret->default_passwd_callback_userdata=NULL;
        ret->client_cert_cb=NULL;
 
-       ret->sessions=lh_new(conn_hash,session_cmp);
+       ret->sessions=lh_new(SSL_SESSION_hash,SSL_SESSION_cmp);
        if (ret->sessions == NULL) goto err;
        ret->cert_store=X509_STORE_new();
        if (ret->cert_store == NULL) goto err;
@@ -878,15 +1159,37 @@ SSL_METHOD *meth;
        ssl_create_cipher_list(ret->method,
                &ret->cipher_list,&ret->cipher_list_by_id,
                SSL_DEFAULT_CIPHER_LIST);
-       if ((ret->cipher_list == NULL) || (sk_num(ret->cipher_list) <= 0))
+       if (ret->cipher_list == NULL
+           || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
                goto err2;
                }
 
-       if ((ret->client_CA=sk_new_null()) == NULL)
+       if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
+               {
+               SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
+               goto err2;
+               }
+       if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
+               {
+               SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
+               goto err2;
+               }
+       if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL)
+               {
+               SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
+               goto err2;
+               }
+
+       if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
                goto err;
 
+       CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data);
+
+       ret->extra_certs=NULL;
+       ret->comp_methods=SSL_COMP_get_compression_methods();
+
        return(ret);
 err:
        SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
@@ -895,14 +1198,19 @@ err2:
        return(NULL);
        }
 
-void SSL_CTX_free(a)
-SSL_CTX *a;
+static void SSL_COMP_free(SSL_COMP *comp)
+    { Free(comp); }
+
+void SSL_CTX_free(SSL_CTX *a)
        {
        int i;
 
        if (a == NULL) return;
 
        i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX);
+#ifdef REF_PRINT
+       REF_PRINT("SSL_CTX",a);
+#endif
        if (i > 0) return;
 #ifdef REF_CHECK
        if (i < 0)
@@ -911,6 +1219,7 @@ SSL_CTX *a;
                abort(); /* ok */
                }
 #endif
+       CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data);
 
        if (a->sessions != NULL)
                {
@@ -920,96 +1229,108 @@ SSL_CTX *a;
        if (a->cert_store != NULL)
                X509_STORE_free(a->cert_store);
        if (a->cipher_list != NULL)
-               sk_free(a->cipher_list);
+               sk_SSL_CIPHER_free(a->cipher_list);
        if (a->cipher_list_by_id != NULL)
-               sk_free(a->cipher_list_by_id);
-       if (a->default_cert != NULL)
-               ssl_cert_free(a->default_cert);
+               sk_SSL_CIPHER_free(a->cipher_list_by_id);
+       if (a->cert != NULL)
+               ssl_cert_free(a->cert);
        if (a->client_CA != NULL)
-               sk_pop_free(a->client_CA,X509_NAME_free);
-       Free((char *)a);
+               sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
+       if (a->extra_certs != NULL)
+               sk_X509_pop_free(a->extra_certs,X509_free);
+       if (a->comp_methods != NULL)
+               sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
+       Free(a);
        }
 
-void SSL_CTX_set_default_passwd_cb(ctx,cb)
-SSL_CTX *ctx;
-int (*cb)();
+void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
        {
        ctx->default_passwd_callback=cb;
        }
 
-void SSL_CTX_set_cert_verify_cb(ctx,cb,arg)
-SSL_CTX *ctx;
-int (*cb)();
-char *arg;
+void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
+       {
+       ctx->default_passwd_callback_userdata=u;
+       }
+
+void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,int (*cb)(),char *arg)
        {
+       /* now
+        *     int (*cb)(X509_STORE_CTX *),
+        * but should be
+        *     int (*cb)(X509_STORE_CTX *, void *arg)
+        */
        ctx->app_verify_callback=cb;
-       ctx->app_verify_arg=arg;
+       ctx->app_verify_arg=arg; /* never used */
        }
 
-void SSL_CTX_set_verify(ctx,mode,cb)
-SSL_CTX *ctx;
-int mode;
-int (*cb)();
+void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
        {
-       ctx->default_verify_mode=mode;
+       ctx->verify_mode=mode;
        ctx->default_verify_callback=cb;
        /* This needs cleaning up EAY EAY EAY */
        X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
        }
 
-void ssl_set_cert_masks(c)
-CERT *c;
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
+       {
+       ctx->verify_depth=depth;
+       }
+
+void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
        {
        CERT_PKEY *cpk;
        int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
        int rsa_enc_export,dh_rsa_export,dh_dsa_export;
-       int rsa_tmp_export,dh_tmp_export;
+       int rsa_tmp_export,dh_tmp_export,kl;
        unsigned long mask,emask;
 
-       if ((c == NULL) || (c->valid)) return;
+       if (c == NULL) return;
+
+       kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
 
 #ifndef NO_RSA
-       rsa_tmp=((c->rsa_tmp != NULL) || (c->rsa_tmp_cb != NULL))?1:0;
-       rsa_tmp_export=((c->rsa_tmp_cb != NULL) ||
-               (rsa_tmp && (RSA_size(c->rsa_tmp)*8 <= 512)))?1:0;
+       rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
+       rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
+               (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
 #else
        rsa_tmp=rsa_tmp_export=0;
 #endif
 #ifndef NO_DH
-       dh_tmp=((c->dh_tmp != NULL) || (c->dh_tmp_cb != NULL))?1:0;
-       dh_tmp_export=((c->dh_tmp_cb != NULL) ||
-               (dh_tmp && (DH_size(c->dh_tmp)*8 <= 512)))?1:0;
+       dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
+       dh_tmp_export=(c->dh_tmp_cb != NULL ||
+               (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
 #else
        dh_tmp=dh_tmp_export=0;
 #endif
 
        cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
-       rsa_enc= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
-       rsa_enc_export=(rsa_enc && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
+       rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
+       rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
-       rsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
+       rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
        cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
-       dsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
+       dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
        cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
-       dh_rsa=  ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
-       dh_rsa_export=(dh_rsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
+       dh_rsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
+       dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
 /* FIX THIS EAY EAY EAY */
-       dh_dsa=  ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
-       dh_dsa_export=(dh_dsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
+       dh_dsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
+       dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
 
        mask=0;
        emask=0;
 
 #ifdef CIPHER_DEBUG
-       printf("rt=%d dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n",
-               rsa_tmp,dh_tmp,
-               rsa_enc,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
+       printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
+               rsa_tmp,rsa_tmp_export,dh_tmp,
+               rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
 #endif
 
        if (rsa_enc || (rsa_tmp && rsa_sign))
                mask|=SSL_kRSA;
-       if (rsa_enc_export || (rsa_tmp_export && rsa_sign))
+       if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
                emask|=SSL_kRSA;
 
 #if 0
@@ -1057,18 +1378,17 @@ CERT *c;
        }
 
 /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(s)
-SSL *s;
+X509 *ssl_get_server_send_cert(SSL *s)
        {
        unsigned long alg,mask,kalg;
        CERT *c;
-       int i,export;
+       int i,is_export;
 
        c=s->cert;
-       ssl_set_cert_masks(c);
+       ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
        alg=s->s3->tmp.new_cipher->algorithms;
-       export=(alg & SSL_EXPORT)?1:0;
-       mask=(export)?c->export_mask:c->mask;
+       is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
+       mask=is_export?c->export_mask:c->mask;
        kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
 
        if      (kalg & SSL_kDHr)
@@ -1093,9 +1413,7 @@ SSL *s;
        return(c->pkeys[i].x509);
        }
 
-EVP_PKEY *ssl_get_sign_pkey(s,cipher)
-SSL *s;
-SSL_CIPHER *cipher;
+EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
        {
        unsigned long alg;
        CERT *c;
@@ -1122,37 +1440,44 @@ SSL_CIPHER *cipher;
                }
        }
 
-void ssl_update_cache(s,mode)
-SSL *s;
-int mode;
+void ssl_update_cache(SSL *s,int mode)
        {
+       int i;
+
+       /* If the session_id_length is 0, we are not supposed to cache it,
+        * and it would be rather hard to do anyway :-) */
+       if (s->session->session_id_length == 0) return;
+
        if ((s->ctx->session_cache_mode & mode)
                && (!s->hit)
                && SSL_CTX_add_session(s->ctx,s->session)
                && (s->ctx->new_session_cb != NULL))
                {
-               CRYPTO_add(&s->session->references,1,
-                       CRYPTO_LOCK_SSL_SESSION);
+               CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
                if (!s->ctx->new_session_cb(s,s->session))
                        SSL_SESSION_free(s->session);
                }
 
        /* auto flush every 255 connections */
-       if ((!(s->ctx->session_cache_mode &
-               SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
-               ((s->ctx->sess_connect_good & 0xff) == 0))
-               SSL_CTX_flush_sessions(s->ctx,time(NULL));
+       i=s->ctx->session_cache_mode;
+       if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
+               ((i & mode) == mode))
+               {
+               if (  (((mode & SSL_SESS_CACHE_CLIENT)
+                       ?s->ctx->stats.sess_connect_good
+                       :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
+                       {
+                       SSL_CTX_flush_sessions(s->ctx,time(NULL));
+                       }
+               }
        }
 
-SSL_METHOD *SSL_get_ssl_method(s)
-SSL *s;
+SSL_METHOD *SSL_get_ssl_method(SSL *s)
        {
        return(s->method);
        }
 
-int SSL_set_ssl_method(s,meth)
-SSL *s;
-SSL_METHOD *meth;
+int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
        {
        int conn= -1;
        int ret=1;
@@ -1179,17 +1504,23 @@ SSL_METHOD *meth;
        return(ret);
        }
 
-int SSL_get_error(s,i)
-SSL *s;
-int i;
+int SSL_get_error(SSL *s,int i)
        {
        int reason;
+       unsigned long l;
        BIO *bio;
 
        if (i > 0) return(SSL_ERROR_NONE);
 
-       if (ERR_peek_error() != 0)
-               return(SSL_ERROR_SSL);
+       /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
+        * etc, where we do encode the error */
+       if ((l=ERR_peek_error()) != 0)
+               {
+               if (ERR_GET_LIB(l) == ERR_LIB_SYS)
+                       return(SSL_ERROR_SYSCALL);
+               else
+                       return(SSL_ERROR_SSL);
+               }
 
        if ((i < 0) && SSL_want_read(s))
                {
@@ -1197,6 +1528,15 @@ int i;
                if (BIO_should_read(bio))
                        return(SSL_ERROR_WANT_READ);
                else if (BIO_should_write(bio))
+                       /* This one doesn't make too much sense ... We never try
+                        * to write to the rbio, and an application program where
+                        * rbio and wbio are separate couldn't even know what it
+                        * should wait for.
+                        * However if we ever set s->rwstate incorrectly
+                        * (so that we have SSL_want_read(s) instead of
+                        * SSL_want_write(s)) and rbio and wbio *are* the same,
+                        * this test works around that bug; so it might be safer
+                        * to keep it. */
                        return(SSL_ERROR_WANT_WRITE);
                else if (BIO_should_io_special(bio))
                        {
@@ -1214,6 +1554,7 @@ int i;
                if (BIO_should_write(bio))
                        return(SSL_ERROR_WANT_WRITE);
                else if (BIO_should_read(bio))
+                       /* See above (SSL_want_read(s) with BIO_should_write(bio)) */
                        return(SSL_ERROR_WANT_READ);
                else if (BIO_should_io_special(bio))
                        {
@@ -1231,7 +1572,7 @@ int i;
 
        if (i == 0)
                {
-               if (s->version == 2)
+               if (s->version == SSL2_VERSION)
                        {
                        /* assume it is the socket being closed */
                        return(SSL_ERROR_ZERO_RETURN);
@@ -1239,32 +1580,37 @@ int i;
                else
                        {
                        if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
-                               (s->s3->warn_alert == SSL3_AD_CLOSE_NOTIFY))
+                               (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
                                return(SSL_ERROR_ZERO_RETURN);
                        }
                }
        return(SSL_ERROR_SYSCALL);
        }
 
-int SSL_do_handshake(s)
-SSL *s;
+int SSL_do_handshake(SSL *s)
        {
+       int ret=1;
+
        if (s->handshake_func == NULL)
                {
-               SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
                return(-1);
                }
+
+       s->method->ssl_renegotiate_check(s);
+
        if (SSL_in_init(s) || SSL_in_before(s))
-               return(s->handshake_func(s));
-       else
-               return(1);
+               {
+               ret=s->handshake_func(s);
+               }
+       return(ret);
        }
 
 /* For the next 2 functions, SSL_clear() sets shutdown and so
  * one of these calls will reset it */
-void SSL_set_accept_state(s)
-SSL *s;
+void SSL_set_accept_state(SSL *s)
        {
+       s->server=1;
        s->shutdown=0;
        s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
        s->handshake_func=s->method->ssl_accept;
@@ -1272,9 +1618,9 @@ SSL *s;
        ssl_clear_cipher_ctx(s);
        }
 
-void SSL_set_connect_state(s)
-SSL *s;
+void SSL_set_connect_state(SSL *s)
        {
+       s->server=0;
        s->shutdown=0;
        s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
        s->handshake_func=s->method->ssl_connect;
@@ -1282,54 +1628,79 @@ SSL *s;
        ssl_clear_cipher_ctx(s);
        }
 
-int ssl_undefined_function(s)
-SSL *s;
+int ssl_undefined_function(SSL *s)
        {
        SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return(0);
        }
 
-SSL_METHOD *ssl_bad_method(ver)
-int ver;
+SSL_METHOD *ssl_bad_method(int ver)
        {
        SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return(NULL);
        }
 
-char *SSL_get_version(s)
-SSL *s;
+const char *SSL_get_version(SSL *s)
        {
-       if (s->version == 3)
+       if (s->version == TLS1_VERSION)
+               return("TLSv1");
+       else if (s->version == SSL3_VERSION)
                return("SSLv3");
-       else if (s->version == 2)
+       else if (s->version == SSL2_VERSION)
                return("SSLv2");
        else
                return("unknown");
        }
 
-SSL *SSL_dup(s)
-SSL *s;
-        {
-       STACK *sk;
+SSL *SSL_dup(SSL *s)
+       {
+       STACK_OF(X509_NAME) *sk;
        X509_NAME *xn;
-        SSL *ret;
+       SSL *ret;
        int i;
                 
-       if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL) return(NULL);
+       if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
+           return(NULL);
                          
-       /* This copies version, session-id, SSL_METHOD and 'cert' */
-       SSL_copy_session_id(ret,s);
+       if (s->session != NULL)
+               {
+               /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
+               SSL_copy_session_id(ret,s);
+               }
+       else
+               {
+               /* No session has been established yet, so we have to expect
+                * that s->cert or ret->cert will be changed later --
+                * they should not both point to the same object,
+                * and thus we can't use SSL_copy_session_id. */
+
+               ret->method = s->method;
+               ret->method->ssl_new(ret);
+
+               if (s->cert != NULL)
+                       {
+                       ret->cert = ssl_cert_dup(s->cert);
+                       if (ret->cert == NULL)
+                               goto err;
+                       }
+                               
+               SSL_set_session_id_context(ret,
+                       s->sid_ctx, s->sid_ctx_length);
+               }
 
        SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
        SSL_set_verify(ret,SSL_get_verify_mode(s),
                SSL_get_verify_callback(s));
+       SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
 
        SSL_set_info_callback(ret,SSL_get_info_callback(s));
        
        ret->debug=s->debug;
+       ret->options=s->options;
 
        /* copy app data, a little dangerous perhaps */
-       SSL_set_app_data(ret,SSL_get_app_data(s));
+       if (!CRYPTO_dup_ex_data(ssl_meth,&ret->ex_data,&s->ex_data))
+               goto err;
 
        /* setup rbio, and wbio */
        if (s->rbio != NULL)
@@ -1341,7 +1712,7 @@ SSL *s;
                {
                if (s->wbio != s->rbio)
                        {
-                       if (!BIO_dup_state(s->wbio,(char *)&ret->rbio))
+                       if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
                                goto err;
                        }
                else
@@ -1351,23 +1722,23 @@ SSL *s;
        /* dup the cipher_list and cipher_list_by_id stacks */
        if (s->cipher_list != NULL)
                {
-               if ((ret->cipher_list=sk_dup(s->cipher_list)) == NULL)
+               if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
                        goto err;
                }
        if (s->cipher_list_by_id != NULL)
-               if ((ret->cipher_list_by_id=sk_dup(s->cipher_list_by_id))
+               if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id))
                        == NULL)
                        goto err;
 
        /* Dup the client_CA list */
        if (s->client_CA != NULL)
                {
-               if ((sk=sk_dup(s->client_CA)) == NULL) goto err;
+               if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
                ret->client_CA=sk;
-               for (i=0; i<sk_num(sk); i++)
+               for (i=0; i<sk_X509_NAME_num(sk); i++)
                        {
-                       xn=(X509_NAME *)sk_value(sk,i);
-                       if ((sk_value(sk,i)=(char *)X509_NAME_dup(xn)) == NULL)
+                       xn=sk_X509_NAME_value(sk,i);
+                       if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL)
                                {
                                X509_NAME_free(xn);
                                goto err;
@@ -1378,6 +1749,7 @@ SSL *s;
        ret->shutdown=s->shutdown;
        ret->state=s->state;
        ret->handshake_func=s->handshake_func;
+       ret->server=s->server;
 
        if (0)
                {
@@ -1388,25 +1760,34 @@ err:
        return(ret);
        }
 
-void ssl_clear_cipher_ctx(s)
-SSL *s;
+void ssl_clear_cipher_ctx(SSL *s)
        {
-        if (s->enc_read_ctx != NULL)
-                {
-                EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
-                Free(s->enc_read_ctx);
-                s->enc_read_ctx=NULL;
-                }
-        if (s->enc_write_ctx != NULL)
-                {
-                EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
-                Free(s->enc_write_ctx);
-                s->enc_write_ctx=NULL;
-                }
+       if (s->enc_read_ctx != NULL)
+               {
+               EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
+               Free(s->enc_read_ctx);
+               s->enc_read_ctx=NULL;
+               }
+       if (s->enc_write_ctx != NULL)
+               {
+               EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
+               Free(s->enc_write_ctx);
+               s->enc_write_ctx=NULL;
+               }
+       if (s->expand != NULL)
+               {
+               COMP_CTX_free(s->expand);
+               s->expand=NULL;
+               }
+       if (s->compress != NULL)
+               {
+               COMP_CTX_free(s->compress);
+               s->compress=NULL;
+               }
        }
 
-X509 *SSL_get_certificate(s)
-SSL *s;
+/* Fix this function so that it takes an optional type parameter */
+X509 *SSL_get_certificate(SSL *s)
        {
        if (s->cert != NULL)
                return(s->cert->key->x509);
@@ -1414,8 +1795,8 @@ SSL *s;
                return(NULL);
        }
 
-EVP_PKEY *SSL_get_privatekey(s)
-SSL *s;
+/* Fix this function so that it takes an optional type parameter */
+EVP_PKEY *SSL_get_privatekey(SSL *s)
        {
        if (s->cert != NULL)
                return(s->cert->key->privatekey);
@@ -1423,11 +1804,264 @@ SSL *s;
                return(NULL);
        }
 
-SSL_CIPHER *SSL_get_current_cipher(s)
-SSL *s;
+SSL_CIPHER *SSL_get_current_cipher(SSL *s)
+       {
+       if ((s->session != NULL) && (s->session->cipher != NULL))
+               return(s->session->cipher);
+       return(NULL);
+       }
+
+int ssl_init_wbio_buffer(SSL *s,int push)
+       {
+       BIO *bbio;
+
+       if (s->bbio == NULL)
+               {
+               bbio=BIO_new(BIO_f_buffer());
+               if (bbio == NULL) return(0);
+               s->bbio=bbio;
+               }
+       else
+               {
+               bbio=s->bbio;
+               if (s->bbio == s->wbio)
+                       s->wbio=BIO_pop(s->wbio);
+               }
+       (void)BIO_reset(bbio);
+/*     if (!BIO_set_write_buffer_size(bbio,16*1024)) */
+       if (!BIO_set_read_buffer_size(bbio,1))
+               {
+               SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB);
+               return(0);
+               }
+       if (push)
+               {
+               if (s->wbio != bbio)
+                       s->wbio=BIO_push(bbio,s->wbio);
+               }
+       else
+               {
+               if (s->wbio == bbio)
+                       s->wbio=BIO_pop(bbio);
+               }
+       return(1);
+       }
+
+void ssl_free_wbio_buffer(SSL *s)
+       {
+       BIO *under;
+
+       if (s->bbio == NULL) return;
+
+       if (s->bbio == s->wbio)
+               {
+               /* remove buffering */
+               under=BIO_pop(s->wbio);
+               if (under != NULL)
+                       s->wbio=under;
+               else
+                       abort(); /* ok */
+               }
+       BIO_free(s->bbio);
+       s->bbio=NULL;
+       }
+       
+void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
+       {
+       ctx->quiet_shutdown=mode;
+       }
+
+int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx)
+       {
+       return(ctx->quiet_shutdown);
+       }
+
+void SSL_set_quiet_shutdown(SSL *s,int mode)
+       {
+       s->quiet_shutdown=mode;
+       }
+
+int SSL_get_quiet_shutdown(SSL *s)
+       {
+       return(s->quiet_shutdown);
+       }
+
+void SSL_set_shutdown(SSL *s,int mode)
+       {
+       s->shutdown=mode;
+       }
+
+int SSL_get_shutdown(SSL *s)
+       {
+       return(s->shutdown);
+       }
+
+int SSL_version(SSL *s)
+       {
+       return(s->version);
+       }
+
+SSL_CTX *SSL_get_SSL_CTX(SSL *ssl)
+       {
+       return(ssl->ctx);
+       }
+
+#ifndef NO_STDIO
+int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
+       {
+       return(X509_STORE_set_default_paths(ctx->cert_store));
+       }
+
+int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
+               const char *CApath)
+       {
+       return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
+       }
+#endif
+
+void SSL_set_info_callback(SSL *ssl,void (*cb)())
+       {
+       ssl->info_callback=cb;
+       }
+
+void (*SSL_get_info_callback(SSL *ssl))(void)
+       {
+       return((void (*)())ssl->info_callback);
+       }
+
+int SSL_state(SSL *ssl)
+       {
+       return(ssl->state);
+       }
+
+void SSL_set_verify_result(SSL *ssl,long arg)
+       {
+       ssl->verify_result=arg;
+       }
+
+long SSL_get_verify_result(SSL *ssl)
+       {
+       return(ssl->verify_result);
+       }
+
+int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
+                        CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
+       {
+       ssl_meth_num++;
+       return(CRYPTO_get_ex_new_index(ssl_meth_num-1,
+               &ssl_meth,argl,argp,new_func,dup_func,free_func));
+       }
+
+int SSL_set_ex_data(SSL *s,int idx,void *arg)
        {
-        if ((s->session != NULL) && (s->session->cipher != NULL))
-                return(s->session->cipher);
-        return(NULL);
+       return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
        }
 
+void *SSL_get_ex_data(SSL *s,int idx)
+       {
+       return(CRYPTO_get_ex_data(&s->ex_data,idx));
+       }
+
+int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
+                            CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
+       {
+       ssl_ctx_meth_num++;
+       return(CRYPTO_get_ex_new_index(ssl_ctx_meth_num-1,
+               &ssl_ctx_meth,argl,argp,new_func,dup_func,free_func));
+       }
+
+int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
+       {
+       return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
+       }
+
+void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx)
+       {
+       return(CRYPTO_get_ex_data(&s->ex_data,idx));
+       }
+
+int ssl_ok(SSL *s)
+       {
+       return(1);
+       }
+
+X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
+       {
+       return(ctx->cert_store);
+       }
+
+void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
+       {
+       if (ctx->cert_store != NULL)
+               X509_STORE_free(ctx->cert_store);
+       ctx->cert_store=store;
+       }
+
+int SSL_want(SSL *s)
+       {
+       return(s->rwstate);
+       }
+
+/*!
+ * \brief Set the callback for generating temporary RSA keys.
+ * \param ctx the SSL context.
+ * \param cb the callback
+ */
+
+#ifndef NO_RSA
+void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
+                                                         int is_export,
+                                                         int keylength))
+    {
+    SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+    }
+
+void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
+                                                 int is_export,
+                                                 int keylength))
+    {
+    SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+    }
+#endif
+
+#ifdef DOXYGEN
+/*!
+ * \brief The RSA temporary key callback function.
+ * \param ssl the SSL session.
+ * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
+ * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
+ * of the required key in bits.
+ * \return the temporary RSA key.
+ * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
+ */
+
+RSA *cb(SSL *ssl,int is_export,int keylength)
+    {}
+#endif
+
+/*!
+ * \brief Set the callback for generating temporary DH keys.
+ * \param ctx the SSL context.
+ * \param dh the callback
+ */
+
+#ifndef NO_DH
+void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
+                                                       int keylength))
+    {
+    SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+    }
+
+void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
+                                               int keylength))
+    {
+    SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+    }
+#endif
+
+#if defined(_WINDLL) && defined(WIN16)
+#include "../crypto/bio/bss_file.c"
+#endif
+
+IMPLEMENT_STACK_OF(SSL_CIPHER)
+IMPLEMENT_STACK_OF(SSL_COMP)
Unnamed repository; edit this file 'description' to name the repository.