Add function to free compression methods.

[openssl.git] / ssl / ssl_ciph.c

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 4d87d2dbc4bf7f4b0b8a8f13c39e9cf41fe79e9b..c8057aa85defb1be93e9df30648864ddfc3ce5ab 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -638,6 +638,14 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                         c->algorithm_mac == SSL_SHA1 &&
                         (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
                        *enc = evp, *md = NULL;
+               else if (c->algorithm_enc == SSL_AES128 &&
+                        c->algorithm_mac == SSL_SHA256 &&
+                        (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA256")))
+                       *enc = evp, *md = NULL;
+               else if (c->algorithm_enc == SSL_AES256 &&
+                        c->algorithm_mac == SSL_SHA256 &&
+                        (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256")))
+                       *enc = evp, *md = NULL;
                return(1);
                }
        else
@@ -1350,7 +1358,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 
        return(retval);
        }
-
+#ifndef OPENSSL_NO_EC
 static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                                        const char **prule_str)
        {
@@ -1377,11 +1385,15 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 
        if (!suiteb_flags)
                return 1;
-       /* Check version */
+       /* Check version: if TLS 1.2 ciphers allowed we can use Suite B */
 
-       if (meth->version != TLS1_2_VERSION)
+       if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS))
                {
-               SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+               if (meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
+                       SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+                               SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
+               else
+                       SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
                                SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
                return 0;
                }
@@ -1405,6 +1417,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
        c->ecdh_tmp_auto = 1;
        return 1;
        }
+#endif
 
 
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1424,10 +1437,10 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         */
        if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
                return NULL;
-
+#ifndef OPENSSL_NO_EC
        if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
                return NULL;
-
+#endif
 
        /*
         * To reduce the work to do we only want to process the compiled
@@ -1857,6 +1870,25 @@ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
        return(ssl_comp_methods);
        }
 
+STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP) *meths)
+       {
+       STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;
+       ssl_comp_methods = meths;
+       return old_meths;
+       }
+
+static void cmeth_free(SSL_COMP *cm)
+       {
+       OPENSSL_free(cm);
+       }
+
+void SSL_COMP_free_compression_methods(void)
+       {
+       STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;
+       ssl_comp_methods = NULL;
+       sk_SSL_COMP_pop_free(old_meths, cmeth_free);
+       }
+
 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
        {
        SSL_COMP *comp;