Deprecate SSL_COMP_free_compression_methods() and make it a no-op

[openssl.git] / ssl / ssl_ciph.c

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index c8c7f0281c57e743534b8bbf0e7e877a505571ba..1faa2ea1605cab1faf6e1ff77e6b3dc18011a256 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -141,12 +141,8 @@
 
 #include <stdio.h>
 #include <openssl/objects.h>
-#ifndef OPENSSL_NO_COMP
-# include <openssl/comp.h>
-#endif
-#ifndef OPENSSL_NO_ENGINE
-# include <openssl/engine.h>
-#endif
+#include <openssl/comp.h>
+#include <openssl/engine.h>
 #include "internal/threads.h"
 #include "ssl_locl.h"
 
@@ -214,7 +210,9 @@ static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
 
 static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
 
+#ifndef OPENSSL_NO_COMP
 static CRYPTO_ONCE ssl_load_builtin_comp_once = CRYPTO_ONCE_STATIC_INIT;
+#endif
 
 /*
  * Constant SSL_MAX_DIGEST equal to size of digests array should be defined
@@ -486,7 +484,9 @@ void ssl_load_ciphers(void)
 {
     size_t i;
     const ssl_cipher_table *t;
+
     disabled_enc_mask = 0;
+    ssl_sort_cipher_list();
     for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) {
         if (t->nid == NID_undef) {
             ssl_cipher_methods[i] = NULL;
@@ -621,7 +621,6 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 #ifndef OPENSSL_NO_COMP
         load_builtin_compressions();
 #endif
-
         *comp = NULL;
         ctmp.id = s->compress_meth;
         if (ssl_comp_methods != NULL) {
@@ -971,7 +970,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
                 continue;
             if (min_tls && (min_tls != cp->min_tls))
                 continue;
-            if (algo_strength && !(algo_strength & cp->algo_strength))
+            if ((algo_strength & SSL_STRONG_MASK)
+                && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
                 continue;
             if ((algo_strength & SSL_DEFAULT_MASK)
                 && !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength))
@@ -1238,15 +1238,17 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                     alg_mac = ca_list[j]->algorithm_mac;
             }
 
-            if (ca_list[j]->algo_strength) {
-                if (algo_strength) {
-                    algo_strength &= ca_list[j]->algo_strength;
-                    if (!algo_strength) {
+            if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {
+                if (algo_strength & SSL_STRONG_MASK) {
+                    algo_strength &=
+                        (ca_list[j]->algo_strength & SSL_STRONG_MASK) |
+                        ~SSL_STRONG_MASK;
+                    if (!(algo_strength & SSL_STRONG_MASK)) {
                         found = 0;
                         break;
                     }
                 } else
-                    algo_strength = ca_list[j]->algo_strength;
+                    algo_strength = ca_list[j]->algo_strength & SSL_STRONG_MASK;
             }
 
             if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {
@@ -1819,6 +1821,13 @@ const char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
 {
     if (c == NULL)
         return "(NONE)";
+
+    /*
+     * Backwards-compatibility crutch.  In almost all contexts we report TLS
+     * 1.0 as "TLSv1", but for ciphers we report "TLSv1.0".
+     */
+    if (c->min_tls == TLS1_VERSION)
+        return "TLSv1.0";
     return ssl_protocol_to_string(c->min_tls);
 }
 
@@ -1874,9 +1883,6 @@ STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
 {
     return meths;
 }
-void SSL_COMP_free_compression_methods(void)
-{
-}
 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
 {
     return 1;
@@ -1902,7 +1908,7 @@ static void cmeth_free(SSL_COMP *cm)
     OPENSSL_free(cm);
 }
 
-void SSL_COMP_free_compression_methods(void)
+void ssl_comp_free_compression_methods_intern(void)
 {
     STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;
     ssl_comp_methods = NULL;