Remove some unnecessary OPENSSL_FIPS references

[openssl.git] / ssl / ssl_ciph.c

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 4d87d2dbc4bf7f4b0b8a8f13c39e9cf41fe79e9b..1599d7971ca496a4e4a4c3f99708f2c12195f732 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -203,7 +203,7 @@ static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={
        0,0,0,0,0,0
        };
 
-static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
+static const int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
        SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
        SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
        SSL_HANDSHAKE_MAC_SHA384
@@ -230,27 +230,29 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_CMPALL,0,  0,0,SSL_eNULL,0,0,0,0,0,0},
 
        /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */
-       {0,SSL_TXT_CMPDEF,0,  SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0},
+       {0,SSL_TXT_CMPDEF,0,  SSL_kDHE|SSL_kECDHE,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0},
 
        /* key exchange aliases
         * (some of those using only a single bit here combine
         * multiple key exchange algs according to the RFCs,
-        * e.g. kEDH combines DHE_DSS and DHE_RSA) */
+        * e.g. kDHE combines DHE_DSS and DHE_RSA) */
        {0,SSL_TXT_kRSA,0,    SSL_kRSA,  0,0,0,0,0,0,0,0},
 
        {0,SSL_TXT_kDHr,0,    SSL_kDHr,  0,0,0,0,0,0,0,0},
        {0,SSL_TXT_kDHd,0,    SSL_kDHd,  0,0,0,0,0,0,0,0},
        {0,SSL_TXT_kDH,0,     SSL_kDHr|SSL_kDHd,0,0,0,0,0,0,0,0},
-       {0,SSL_TXT_kEDH,0,    SSL_kEDH,  0,0,0,0,0,0,0,0},
-       {0,SSL_TXT_DH,0,      SSL_kDHr|SSL_kDHd|SSL_kEDH,0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_kEDH,0,    SSL_kDHE,  0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_kDHE,0,    SSL_kDHE,  0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_DH,0,      SSL_kDHr|SSL_kDHd|SSL_kDHE,0,0,0,0,0,0,0,0},
 
        {0,SSL_TXT_kKRB5,0,   SSL_kKRB5, 0,0,0,0,0,0,0,0},
 
        {0,SSL_TXT_kECDHr,0,  SSL_kECDHr,0,0,0,0,0,0,0,0},
        {0,SSL_TXT_kECDHe,0,  SSL_kECDHe,0,0,0,0,0,0,0,0},
        {0,SSL_TXT_kECDH,0,   SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0},
-       {0,SSL_TXT_kEECDH,0,  SSL_kEECDH,0,0,0,0,0,0,0,0},
-       {0,SSL_TXT_ECDH,0,    SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_kEECDH,0,  SSL_kECDHE,0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_kECDHE,0,  SSL_kECDHE,0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_ECDH,0,    SSL_kECDHr|SSL_kECDHe|SSL_kECDHE,0,0,0,0,0,0,0,0},
 
         {0,SSL_TXT_kPSK,0,    SSL_kPSK,  0,0,0,0,0,0,0,0},
        {0,SSL_TXT_kSRP,0,    SSL_kSRP,  0,0,0,0,0,0,0,0},
@@ -270,15 +272,18 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0},
        {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0},
        {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0},
+       {0,SSL_TXT_aSRP,0,    0,SSL_aSRP,  0,0,0,0,0,0,0},
 
        /* aliases combining key exchange and server authentication */
-       {0,SSL_TXT_EDH,0,     SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
-       {0,SSL_TXT_EECDH,0,   SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0},
+       {0,SSL_TXT_EDH,0,     SSL_kDHE,~SSL_aNULL,0,0,0,0,0,0,0},
+       {0,SSL_TXT_DHE,0,     SSL_kDHE,~SSL_aNULL,0,0,0,0,0,0,0},
+       {0,SSL_TXT_EECDH,0,   SSL_kECDHE,~SSL_aNULL,0,0,0,0,0,0,0},
+       {0,SSL_TXT_ECDHE,0,   SSL_kECDHE,~SSL_aNULL,0,0,0,0,0,0,0},
        {0,SSL_TXT_NULL,0,    0,0,SSL_eNULL, 0,0,0,0,0,0},
        {0,SSL_TXT_KRB5,0,    SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0},
        {0,SSL_TXT_RSA,0,     SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0},
-       {0,SSL_TXT_ADH,0,     SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},
-       {0,SSL_TXT_AECDH,0,   SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},
+       {0,SSL_TXT_ADH,0,     SSL_kDHE,SSL_aNULL,0,0,0,0,0,0,0},
+       {0,SSL_TXT_AECDH,0,   SSL_kECDHE,SSL_aNULL,0,0,0,0,0,0,0},
         {0,SSL_TXT_PSK,0,     SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0},
        {0,SSL_TXT_SRP,0,     SSL_kSRP,0,0,0,0,0,0,0,0},
 
@@ -309,7 +314,6 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_SHA384,0,    0,0,0,SSL_SHA384,  0,0,0,0,0},
 
        /* protocol version aliases */
-       {0,SSL_TXT_SSLV2,0,   0,0,0,0,SSL_SSLV2, 0,0,0,0},
        {0,SSL_TXT_SSLV3,0,   0,0,0,0,SSL_SSLV3, 0,0,0,0},
        {0,SSL_TXT_TLSV1,0,   0,0,0,0,SSL_TLSV1, 0,0,0,0},
        {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0},
@@ -326,6 +330,21 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_HIGH,0,    0,0,0,0,0,SSL_HIGH,  0,0,0},
        /* FIPS 140-2 approved ciphersuite */
        {0,SSL_TXT_FIPS,0,    0,0,~SSL_eNULL,0,0,SSL_FIPS,  0,0,0},
+
+        /* "EDH-" aliases to "DHE-" labels (for backward compatibility) */
+       {0,SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,0,
+         SSL_kDHE,SSL_aDSS,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_EXPORT|SSL_EXP40,0,0,0,},
+       {0,SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,0,
+         SSL_kDHE,SSL_aDSS,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_LOW,0,0,0,},
+       {0,SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,0,
+         SSL_kDHE,SSL_aDSS,SSL_3DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,0,0,0,},
+       {0,SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,0,
+         SSL_kDHE,SSL_aRSA,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_EXPORT|SSL_EXP40,0,0,0,},
+       {0,SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,0,
+         SSL_kDHE,SSL_aRSA,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_LOW,0,0,0,},
+       {0,SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,0,
+         SSL_kDHE,SSL_aRSA,SSL_3DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,0,0,0,},
+
        };
 /* Search for public key algorithm with given name and 
  * return its pkey_id if it is available. Otherwise return 0
@@ -485,7 +504,7 @@ static void load_builtin_compressions(void)
 #endif
 
 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-            const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp)
+            const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp, int use_etm)
        {
        int i;
        const SSL_CIPHER *c;
@@ -562,7 +581,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                break;
                }
 
-       if ((i < 0) || (i > SSL_ENC_NUM_IDX))
+       if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
                *enc=NULL;
        else
                {
@@ -596,7 +615,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                i= -1;
                break;
                }
-       if ((i < 0) || (i > SSL_MD_NUM_IDX))
+       if ((i < 0) || (i >= SSL_MD_NUM_IDX))
        {
                *md=NULL; 
                if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
@@ -617,14 +636,15 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                {
                const EVP_CIPHER *evp;
 
+               if (use_etm)
+                       return 1;
+
                if (s->ssl_version>>8 != TLS1_VERSION_MAJOR ||
                    s->ssl_version < TLS1_VERSION)
                        return 1;
 
-#ifdef OPENSSL_FIPS
                if (FIPS_mode())
                        return 1;
-#endif
 
                if      (c->algorithm_enc == SSL_RC4 &&
                         c->algorithm_mac == SSL_MD5 &&
@@ -638,6 +658,14 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                         c->algorithm_mac == SSL_SHA1 &&
                         (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
                        *enc = evp, *md = NULL;
+               else if (c->algorithm_enc == SSL_AES128 &&
+                        c->algorithm_mac == SSL_SHA256 &&
+                        (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA256")))
+                       *enc = evp, *md = NULL;
+               else if (c->algorithm_enc == SSL_AES256 &&
+                        c->algorithm_mac == SSL_SHA256 &&
+                        (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256")))
+                       *enc = evp, *md = NULL;
                return(1);
                }
        else
@@ -709,7 +737,7 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un
        *auth |= SSL_aDSS;
 #endif
 #ifdef OPENSSL_NO_DH
-       *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH;
+       *mkey |= SSL_kDHr|SSL_kDHd|SSL_kDHE;
        *auth |= SSL_aDH;
 #endif
 #ifdef OPENSSL_NO_KRB5
@@ -784,7 +812,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 
        /*
         * We have num_of_ciphers descriptions compiled in, depending on the
-        * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
+        * method selected (SSLv3, TLSv1 etc).
         * These will later be sorted in a linked list with at most num
         * entries.
         */
@@ -796,9 +824,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                c = ssl_method->get_cipher(i);
                /* drop those that use any of that is not available */
                if ((c != NULL) && c->valid &&
-#ifdef OPENSSL_FIPS
                    (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
-#endif
                    !(c->algorithm_mkey & disabled_mkey) &&
                    !(c->algorithm_auth & disabled_auth) &&
                    !(c->algorithm_enc & disabled_enc) &&
@@ -923,7 +949,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
                int rule, int strength_bits,
                CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
        {
-       CIPHER_ORDER *head, *tail, *curr, *curr2, *last;
+       CIPHER_ORDER *head, *tail, *curr, *next, *last;
        const SSL_CIPHER *cp;
        int reverse = 0;
 
@@ -940,21 +966,25 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 
        if (reverse)
                {
-               curr = tail;
+               next = tail;
                last = head;
                }
        else
                {
-               curr = head;
+               next = head;
                last = tail;
                }
 
-       curr2 = curr;
+       curr = NULL;
        for (;;)
                {
-               if ((curr == NULL) || (curr == last)) break;
-               curr = curr2;
-               curr2 = reverse ? curr->prev : curr->next;
+               if (curr == last) break;
+
+               curr = next;
+
+               if (curr == NULL) break;
+
+               next = reverse ? curr->prev : curr->next;
 
                cp = curr->cipher;
 
@@ -1103,7 +1133,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
 
 static int ssl_cipher_process_rulestr(const char *rule_str,
                 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
-                const SSL_CIPHER **ca_list)
+                const SSL_CIPHER **ca_list, CERT *c)
        {
        unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
        const char *l, *buf;
@@ -1152,9 +1182,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                        while ( ((ch >= 'A') && (ch <= 'Z')) ||
                                ((ch >= '0') && (ch <= '9')) ||
                                ((ch >= 'a') && (ch <= 'z')) ||
-                                (ch == '-') || (ch == '.'))
+                                (ch == '-') || (ch == '.')  ||
+                                (ch == '='))
 #else
-                       while ( isalnum(ch) || (ch == '-') || (ch == '.'))
+                       while ( isalnum(ch) || (ch == '-') || (ch == '.') ||
+                               (ch == '='))
 #endif
                                 {
                                 ch = *(++l);
@@ -1320,6 +1352,20 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                        if ((buflen == 8) &&
                                !strncmp(buf, "STRENGTH", 8))
                                ok = ssl_cipher_strength_sort(head_p, tail_p);
+                       else if (buflen == 10 && !strncmp(buf, "SECLEVEL=", 9))
+                               {
+                               int level = buf[9] - '0';
+                               if (level < 0 || level > 5)
+                                       {
+                                       SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+                                               SSL_R_INVALID_COMMAND);
+                                       }
+                               else
+                                       {
+                                       c->sec_level = level;
+                                       ok = 1;
+                                       }
+                               }
                        else
                                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
                                        SSL_R_INVALID_COMMAND);
@@ -1350,7 +1396,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 
        return(retval);
        }
-
+#ifndef OPENSSL_NO_EC
 static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                                        const char **prule_str)
        {
@@ -1377,11 +1423,15 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 
        if (!suiteb_flags)
                return 1;
-       /* Check version */
+       /* Check version: if TLS 1.2 ciphers allowed we can use Suite B */
 
-       if (meth->version != TLS1_2_VERSION)
+       if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS))
                {
-               SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+               if (meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
+                       SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+                               SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
+               else
+                       SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
                                SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
                return 0;
                }
@@ -1405,7 +1455,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
        c->ecdh_tmp_auto = 1;
        return 1;
        }
-
+#endif
 
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
                STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1424,10 +1474,10 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         */
        if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
                return NULL;
-
+#ifndef OPENSSL_NO_EC
        if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
                return NULL;
-
+#endif
 
        /*
         * To reduce the work to do we only want to process the compiled
@@ -1459,8 +1509,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
        /* Now arrange all ciphers by preference: */
 
        /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
-       ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
-       ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
+       ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+       ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
 
        /* AES is our preferred symmetric cipher */
        ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
@@ -1528,14 +1578,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
        if (strncmp(rule_str,"DEFAULT",7) == 0)
                {
                ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
-                       &head, &tail, ca_list);
+                       &head, &tail, ca_list, c);
                rule_p += 7;
                if (*rule_p == ':')
                        rule_p++;
                }
 
        if (ok && (strlen(rule_p) > 0))
-               ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
+               ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c);
 
        OPENSSL_free((void *)ca_list);  /* Not needed anymore */
 
@@ -1561,13 +1611,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         */
        for (curr = head; curr != NULL; curr = curr->next)
                {
-#ifdef OPENSSL_FIPS
                if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
-#else
-               if (curr->active)
-#endif
                        {
-                       sk_SSL_CIPHER_push(cipherstack, curr->cipher);
+                       if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher))
+                               {
+                               OPENSSL_free(co_list);
+                               sk_SSL_CIPHER_free(cipherstack);
+                               return NULL;
+                               }
 #ifdef CIPHER_DEBUG
                        printf("<%s>\n",curr->cipher->name);
 #endif
@@ -1598,7 +1649,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        int is_export,pkl,kl;
        const char *ver,*exp_str;
        const char *kx,*au,*enc,*mac;
-       unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2;
+       unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl;
 #ifdef KSSL_DEBUG
        static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n";
 #else
@@ -1611,16 +1662,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        alg_mac = cipher->algorithm_mac;
        alg_ssl = cipher->algorithm_ssl;
 
-       alg2=cipher->algorithm2;
-
        is_export=SSL_C_IS_EXPORT(cipher);
        pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
        kl=SSL_C_EXPORT_KEYLENGTH(cipher);
        exp_str=is_export?" export":"";
        
-       if (alg_ssl & SSL_SSLV2)
-               ver="SSLv2";
-       else if (alg_ssl & SSL_SSLV3)
+       if (alg_ssl & SSL_SSLV3)
                ver="SSLv3";
        else if (alg_ssl & SSL_TLSV1_2)
                ver="TLSv1.2";
@@ -1641,7 +1688,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
         case SSL_kKRB5:
                kx="KRB5";
                break;
-       case SSL_kEDH:
+       case SSL_kDHE:
                kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
                break;
        case SSL_kECDHr:
@@ -1650,7 +1697,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_kECDHe:
                kx="ECDH/ECDSA";
                break;
-       case SSL_kEECDH:
+       case SSL_kECDHE:
                kx="ECDH";
                break;
        case SSL_kPSK:
@@ -1659,6 +1706,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_kSRP:
                kx="SRP";
                break;
+       case SSL_kGOST:
+               kx="GOST";
+               break;
        default:
                kx="unknown";
                }
@@ -1689,6 +1739,15 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_aPSK:
                au="PSK";
                break;
+       case SSL_aSRP:
+               au="SRP";
+               break;
+       case SSL_aGOST94:
+               au="GOST94";
+               break;
+       case SSL_aGOST01:
+               au="GOST01";
+               break;
        default:
                au="unknown";
                break;
@@ -1703,8 +1762,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
                enc="3DES(168)";
                break;
        case SSL_RC4:
-               enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
-                 :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
+               enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)"):"RC4(128)";
                break;
        case SSL_RC2:
                enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
@@ -1736,6 +1794,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_SEED:
                enc="SEED(128)";
                break;
+       case SSL_eGOST2814789CNT:
+               enc="GOST89(256)";
+               break;
        default:
                enc="unknown";
                break;
@@ -1758,6 +1819,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_AEAD:
                mac="AEAD";
                break;
+       case SSL_GOST89MAC:
+               mac="GOST89";
+               break;
+       case SSL_GOST94:
+               mac="GOST94";
+               break;
        default:
                mac="unknown";
                break;
@@ -1788,8 +1855,6 @@ char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
        i=(int)(c->id>>24L);
        if (i == 3)
                return("TLSv1/SSLv3");
-       else if (i == 2)
-               return("SSLv2");
        else
                return("unknown");
        }
@@ -1857,6 +1922,25 @@ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
        return(ssl_comp_methods);
        }
 
+STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP) *meths)
+       {
+       STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;
+       ssl_comp_methods = meths;
+       return old_meths;
+       }
+
+static void cmeth_free(SSL_COMP *cm)
+       {
+       OPENSSL_free(cm);
+       }
+
+void SSL_COMP_free_compression_methods(void)
+       {
+       STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;
+       ssl_comp_methods = NULL;
+       sk_SSL_COMP_pop_free(old_meths, cmeth_free);
+       }
+
 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
        {
        SSL_COMP *comp;
@@ -1921,13 +2005,13 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
 
        if (alg_k & (SSL_kECDHr|SSL_kECDHe))
                {
-               /* we don't need to look at SSL_kEECDH
+               /* we don't need to look at SSL_kECDHE
                 * since no certificate is needed for
                 * anon ECDH and for authenticated
-                * EECDH, the check for the auth
+                * ECDHE, the check for the auth
                 * algorithm will set i correctly
                 * NOTE: For ECDH-RSA, we need an ECC
-                * not an RSA cert but for EECDH-RSA
+                * not an RSA cert but for ECDHE-RSA
                 * we need an RSA cert. Placing the
                 * checks for SSL_kECDH before RSA
                 * checks ensures the correct cert is chosen.