Avoid warnings on VC++ 2005.

[openssl.git] / ssl / ssl_lib.c

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 72821a1fce6a138067eaed4e48b8a020cb33dfd4..b79ac1c9a28dd09f63e1291df22b7d400b86475c 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -110,33 +110,46 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
-
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #ifdef REF_CHECK
 #  include <assert.h>
 #endif
 #include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
 #include <openssl/objects.h>
 #include <openssl/lhash.h>
 #include <openssl/x509v3.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
 
 const char *SSL_version_str=OPENSSL_VERSION_TEXT;
 
-OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
+SSL3_ENC_METHOD ssl3_undef_enc_method={
        /* evil casts, but these functions are only called if there's a library bug */
        (int (*)(SSL *,int))ssl_undefined_function,
        (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
        ssl_undefined_function,
        (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
        (int (*)(SSL*, int))ssl_undefined_function,
-       (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function
+       (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function,
+       0,      /* finish_mac_length */
+       (int (*)(SSL *, EVP_MD_CTX *, unsigned char *))ssl_undefined_function,
+       NULL,   /* client_finished_label */
+       0,      /* client_finished_label_len */
+       NULL,   /* server_finished_label */
+       0,      /* server_finished_label_len */
+       (int (*)(int))ssl_undefined_function
        };
 
 int SSL_clear(SSL *s)
        {
-       int state;
 
        if (s->method == NULL)
                {
@@ -144,6 +157,12 @@ int SSL_clear(SSL *s)
                return(0);
                }
 
+       if (ssl_clear_bad_session(s))
+               {
+               SSL_SESSION_free(s->session);
+               s->session=NULL;
+               }
+
        s->error=0;
        s->hit=0;
        s->shutdown=0;
@@ -161,7 +180,6 @@ int SSL_clear(SSL *s)
                }
 #endif
 
-       state=s->state; /* Keep to check if we throw away the session-id */
        s->type=0;
 
        s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
@@ -182,12 +200,6 @@ int SSL_clear(SSL *s)
 
        ssl_clear_cipher_ctx(s);
 
-       if (ssl_clear_bad_session(s))
-               {
-               SSL_SESSION_free(s->session);
-               s->session=NULL;
-               }
-
        s->first_packet=0;
 
 #if 1
@@ -207,7 +219,7 @@ int SSL_clear(SSL *s)
        }
 
 /** Used to change an SSL_CTXs default SSL method type */
-int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth)
+int SSL_CTX_set_ssl_version(SSL_CTX *ctx,const SSL_METHOD *meth)
        {
        STACK_OF(SSL_CIPHER) *sk;
 
@@ -273,14 +285,25 @@ SSL *SSL_new(SSL_CTX *ctx)
        s->msg_callback=ctx->msg_callback;
        s->msg_callback_arg=ctx->msg_callback_arg;
        s->verify_mode=ctx->verify_mode;
+#if 0
        s->verify_depth=ctx->verify_depth;
+#endif
        s->sid_ctx_length=ctx->sid_ctx_length;
+       OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
        memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
        s->verify_callback=ctx->default_verify_callback;
        s->generate_session_id=ctx->generate_session_id;
+
+       s->param = X509_VERIFY_PARAM_new();
+       if (!s->param)
+               goto err;
+       X509_VERIFY_PARAM_inherit(s->param, ctx->param);
+#if 0
        s->purpose = ctx->purpose;
        s->trust = ctx->trust;
+#endif
        s->quiet_shutdown=ctx->quiet_shutdown;
+       s->max_send_fragment = ctx->max_send_fragment;
 
        CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
        s->ctx=ctx;
@@ -316,7 +339,7 @@ err:
 int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
                                   unsigned int sid_ctx_len)
     {
-    if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
+    if(sid_ctx_len > sizeof ctx->sid_ctx)
        {
        SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
        return 0;
@@ -366,6 +389,10 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
         * any new session built out of this id/id_len and the ssl_version in
         * use by this SSL. */
        SSL_SESSION r, *p;
+
+       if(id_len > sizeof r.session_id)
+               return 0;
+
        r.ssl_version = ssl->version;
        r.session_id_length = id_len;
        memcpy(r.session_id, id, id_len);
@@ -389,22 +416,22 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
 
 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
        {
-       return X509_PURPOSE_set(&s->purpose, purpose);
+       return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
        }
 
 int SSL_set_purpose(SSL *s, int purpose)
        {
-       return X509_PURPOSE_set(&s->purpose, purpose);
+       return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
        }
 
 int SSL_CTX_set_trust(SSL_CTX *s, int trust)
        {
-       return X509_TRUST_set(&s->trust, trust);
+       return X509_VERIFY_PARAM_set_trust(s->param, trust);
        }
 
 int SSL_set_trust(SSL *s, int trust)
        {
-       return X509_TRUST_set(&s->trust, trust);
+       return X509_VERIFY_PARAM_set_trust(s->param, trust);
        }
 
 void SSL_free(SSL *s)
@@ -427,6 +454,9 @@ void SSL_free(SSL *s)
                }
 #endif
 
+       if (s->param)
+               X509_VERIFY_PARAM_free(s->param);
+
        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
 
        if (s->bbio != NULL)
@@ -469,6 +499,11 @@ void SSL_free(SSL *s)
 
        if (s->method != NULL) s->method->ssl_free(s);
 
+#ifndef        OPENSSL_NO_KRB5
+       if (s->kssl_ctx != NULL)
+               kssl_ctx_free(s->kssl_ctx);
+#endif /* OPENSSL_NO_KRB5 */
+
        OPENSSL_free(s);
        }
 
@@ -492,18 +527,18 @@ void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
        s->wbio=wbio;
        }
 
-BIO *SSL_get_rbio(SSL *s)
+BIO *SSL_get_rbio(const SSL *s)
        { return(s->rbio); }
 
-BIO *SSL_get_wbio(SSL *s)
+BIO *SSL_get_wbio(const SSL *s)
        { return(s->wbio); }
 
-int SSL_get_fd(SSL *s)
+int SSL_get_fd(const SSL *s)
        {
        return(SSL_get_rfd(s));
        }
 
-int SSL_get_rfd(SSL *s)
+int SSL_get_rfd(const SSL *s)
        {
        int ret= -1;
        BIO *b,*r;
@@ -515,7 +550,7 @@ int SSL_get_rfd(SSL *s)
        return(ret);
        }
 
-int SSL_get_wfd(SSL *s)
+int SSL_get_wfd(const SSL *s)
        {
        int ret= -1;
        BIO *b,*r;
@@ -597,7 +632,7 @@ err:
 
 
 /* return length of latest Finished message we sent, copy to 'buf' */
-size_t SSL_get_finished(SSL *s, void *buf, size_t count)
+size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
        {
        size_t ret = 0;
        
@@ -612,7 +647,7 @@ size_t SSL_get_finished(SSL *s, void *buf, size_t count)
        }
 
 /* return length of latest Finished message we expected, copy to 'buf' */
-size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
+size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
        {
        size_t ret = 0;
        
@@ -627,32 +662,32 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
        }
 
 
-int SSL_get_verify_mode(SSL *s)
+int SSL_get_verify_mode(const SSL *s)
        {
        return(s->verify_mode);
        }
 
-int SSL_get_verify_depth(SSL *s)
+int SSL_get_verify_depth(const SSL *s)
        {
-       return(s->verify_depth);
+       return X509_VERIFY_PARAM_get_depth(s->param);
        }
 
-int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
+int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
        {
        return(s->verify_callback);
        }
 
-int SSL_CTX_get_verify_mode(SSL_CTX *ctx)
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
        {
        return(ctx->verify_mode);
        }
 
-int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
        {
-       return(ctx->verify_depth);
+       return X509_VERIFY_PARAM_get_depth(ctx->param);
        }
 
-int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
+int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
        {
        return(ctx->default_verify_callback);
        }
@@ -667,7 +702,7 @@ void SSL_set_verify(SSL *s,int mode,
 
 void SSL_set_verify_depth(SSL *s,int depth)
        {
-       s->verify_depth=depth;
+       X509_VERIFY_PARAM_set_depth(s->param, depth);
        }
 
 void SSL_set_read_ahead(SSL *s,int yes)
@@ -675,12 +710,12 @@ void SSL_set_read_ahead(SSL *s,int yes)
        s->read_ahead=yes;
        }
 
-int SSL_get_read_ahead(SSL *s)
+int SSL_get_read_ahead(const SSL *s)
        {
        return(s->read_ahead);
        }
 
-int SSL_pending(SSL *s)
+int SSL_pending(const SSL *s)
        {
        /* SSL_pending cannot work properly if read-ahead is enabled
         * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
@@ -692,7 +727,7 @@ int SSL_pending(SSL *s)
        return(s->method->ssl_pending(s));
        }
 
-X509 *SSL_get_peer_certificate(SSL *s)
+X509 *SSL_get_peer_certificate(const SSL *s)
        {
        X509 *r;
        
@@ -708,7 +743,7 @@ X509 *SSL_get_peer_certificate(SSL *s)
        return(r);
        }
 
-STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
        {
        STACK_OF(X509) *r;
        
@@ -725,7 +760,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
 
 /* Now in theory, since the calling process own 't' it should be safe to
  * modify.  We need to be able to read f without being hassled */
-void SSL_copy_session_id(SSL *t,SSL *f)
+void SSL_copy_session_id(SSL *t,const SSL *f)
        {
        CERT *tmp;
 
@@ -754,7 +789,7 @@ void SSL_copy_session_id(SSL *t,SSL *f)
        }
 
 /* Fix this so it checks all the valid key/cert options */
-int SSL_CTX_check_private_key(SSL_CTX *ctx)
+int SSL_CTX_check_private_key(const SSL_CTX *ctx)
        {
        if (    (ctx == NULL) ||
                (ctx->cert == NULL) ||
@@ -772,7 +807,7 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx)
        }
 
 /* Fix this function so that it takes an optional type parameter */
-int SSL_check_private_key(SSL *ssl)
+int SSL_check_private_key(const SSL *ssl)
        {
        if (ssl == NULL)
                {
@@ -816,7 +851,7 @@ int SSL_connect(SSL *s)
        return(s->method->ssl_connect(s));
        }
 
-long SSL_get_default_timeout(SSL *s)
+long SSL_get_default_timeout(const SSL *s)
        {
        return(s->method->get_timeout());
        }
@@ -841,7 +876,7 @@ int SSL_peek(SSL *s,void *buf,int num)
        {
        if (s->handshake_func == 0)
                {
-               SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
+               SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED);
                return -1;
                }
 
@@ -891,7 +926,10 @@ int SSL_shutdown(SSL *s)
 
 int SSL_renegotiate(SSL *s)
        {
-       s->new_session=1;
+       if (s->new_session == 0)
+               {
+               s->new_session=1;
+               }
        return(s->method->ssl_renegotiate(s));
        }
 
@@ -929,12 +967,24 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                l=s->max_cert_list;
                s->max_cert_list=larg;
                return(l);
+       case SSL_CTRL_SET_MTU:
+               if (SSL_version(s) == DTLS1_VERSION)
+                       {
+                       s->d1->mtu = larg;
+                       return larg;
+                       }
+               return 0;
+       case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
+               if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
+                       return 0;
+               s->max_send_fragment = larg;
+               return 1;
        default:
                return(s->method->ssl_ctrl(s,cmd,larg,parg));
                }
        }
 
-long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)())
+long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
        {
        switch(cmd)
                {
@@ -1017,12 +1067,17 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
                return(ctx->options|=larg);
        case SSL_CTRL_MODE:
                return(ctx->mode|=larg);
+       case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
+               if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
+                       return 0;
+               ctx->max_send_fragment = larg;
+               return 1;
        default:
                return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
                }
        }
 
-long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
        {
        switch(cmd)
                {
@@ -1060,16 +1115,19 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
 
 /** return a STACK of the ciphers available for the SSL and in order of
  * preference */
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
        {
-       if ((s != NULL) && (s->cipher_list != NULL))
-               {
-               return(s->cipher_list);
-               }
-       else if ((s->ctx != NULL) &&
-               (s->ctx->cipher_list != NULL))
+       if (s != NULL)
                {
-               return(s->ctx->cipher_list);
+               if (s->cipher_list != NULL)
+                       {
+                       return(s->cipher_list);
+                       }
+               else if ((s->ctx != NULL) &&
+                       (s->ctx->cipher_list != NULL))
+                       {
+                       return(s->ctx->cipher_list);
+                       }
                }
        return(NULL);
        }
@@ -1078,20 +1136,23 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
  * algorithm id */
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
        {
-       if ((s != NULL) && (s->cipher_list_by_id != NULL))
-               {
-               return(s->cipher_list_by_id);
-               }
-       else if ((s != NULL) && (s->ctx != NULL) &&
-               (s->ctx->cipher_list_by_id != NULL))
+       if (s != NULL)
                {
-               return(s->ctx->cipher_list_by_id);
+               if (s->cipher_list_by_id != NULL)
+                       {
+                       return(s->cipher_list_by_id);
+                       }
+               else if ((s->ctx != NULL) &&
+                       (s->ctx->cipher_list_by_id != NULL))
+                       {
+                       return(s->ctx->cipher_list_by_id);
+                       }
                }
        return(NULL);
        }
 
 /** The old interface to get the same thing as SSL_get_ciphers() */
-const char *SSL_get_cipher_list(SSL *s,int n)
+const char *SSL_get_cipher_list(const SSL *s,int n)
        {
        SSL_CIPHER *c;
        STACK_OF(SSL_CIPHER) *sk;
@@ -1112,8 +1173,21 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
        
        sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
                &ctx->cipher_list_by_id,str);
-/* XXXX */
-       return((sk == NULL)?0:1);
+       /* ssl_create_cipher_list may return an empty stack if it
+        * was unable to find a cipher matching the given rule string
+        * (for example if the rule string specifies a cipher which
+        * has been disabled). This is not an error as far as 
+        * ssl_create_cipher_list is concerned, and hence 
+        * ctx->cipher_list and ctx->cipher_list_by_id has been
+        * updated. */
+       if (sk == NULL)
+               return 0;
+       else if (sk_SSL_CIPHER_num(sk) == 0)
+               {
+               SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
+               return 0;
+               }
+       return 1;
        }
 
 /** specify the ciphers to be used by the SSL */
@@ -1123,12 +1197,19 @@ int SSL_set_cipher_list(SSL *s,const char *str)
        
        sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
                &s->cipher_list_by_id,str);
-/* XXXX */
-       return((sk == NULL)?0:1);
+       /* see comment in SSL_CTX_set_cipher_list */
+       if (sk == NULL)
+               return 0;
+       else if (sk_SSL_CIPHER_num(sk) == 0)
+               {
+               SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
+               return 0;
+               }
+       return 1;
        }
 
 /* works well for SSLv2, not so good for SSLv3 */
-char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
+char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
        {
        char *p;
        const char *cp;
@@ -1163,7 +1244,8 @@ char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
        return(buf);
        }
 
-int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
+int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
+                             int (*put_cb)(const SSL_CIPHER *, unsigned char *))
        {
        int i,j=0;
        SSL_CIPHER *c;
@@ -1182,7 +1264,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
                 if ((c->algorithms & SSL_KRB5) && nokrb5)
                     continue;
 #endif /* OPENSSL_NO_KRB5 */                    
-               j=ssl_put_cipher_by_char(s,c,p);
+
+               j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
                p+=j;
                }
        return(p-q);
@@ -1232,7 +1315,7 @@ err:
        return(NULL);
        }
 
-unsigned long SSL_SESSION_hash(SSL_SESSION *a)
+unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
        {
        unsigned long l;
 
@@ -1249,7 +1332,7 @@ unsigned long SSL_SESSION_hash(SSL_SESSION *a)
  * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
  * able to construct an SSL_SESSION that will collide with any existing session
  * with a matching session ID. */
-int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
+int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
        {
        if (a->ssl_version != b->ssl_version)
                return(1);
@@ -1265,7 +1348,7 @@ int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
 static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *)
 static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *)
 
-SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
+SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
        {
        SSL_CTX *ret=NULL;
        
@@ -1313,7 +1396,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
        ret->key_arg=NULL;
        ret->s2->conn_id=NULL; */
 
-       ret->info_callback=0;
+       ret->info_callback=NULL;
 
        ret->app_verify_callback=0;
        ret->app_verify_arg=NULL;
@@ -1323,7 +1406,9 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
        ret->msg_callback=0;
        ret->msg_callback_arg=NULL;
        ret->verify_mode=SSL_VERIFY_NONE;
+#if 0
        ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
+#endif
        ret->sid_ctx_length=0;
        ret->default_verify_callback=NULL;
        if ((ret->cert=ssl_cert_new()) == NULL)
@@ -1332,6 +1417,8 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
        ret->default_passwd_callback=0;
        ret->default_passwd_callback_userdata=NULL;
        ret->client_cert_cb=0;
+       ret->app_gen_cookie_cb=0;
+       ret->app_verify_cookie_cb=0;
 
        ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash),
                        LHASH_COMP_FN(SSL_SESSION_cmp));
@@ -1349,6 +1436,10 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
                goto err2;
                }
 
+       ret->param = X509_VERIFY_PARAM_new();
+       if (!ret->param)
+               goto err;
+
        if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
@@ -1373,6 +1464,8 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
        ret->extra_certs=NULL;
        ret->comp_methods=SSL_COMP_get_compression_methods();
 
+       ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
+
        return(ret);
 err:
        SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
@@ -1404,13 +1497,27 @@ void SSL_CTX_free(SSL_CTX *a)
                abort(); /* ok */
                }
 #endif
-       CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
 
+       if (a->param)
+               X509_VERIFY_PARAM_free(a->param);
+
+       /*
+        * Free internal session cache. However: the remove_cb() may reference
+        * the ex_data of SSL_CTX, thus the ex_data store can only be removed
+        * after the sessions were flushed.
+        * As the ex_data handling routines might also touch the session cache,
+        * the most secure solution seems to be: empty (flush) the cache, then
+        * free ex_data, then finally free the cache.
+        * (See ticket [openssl.org #212].)
+        */
        if (a->sessions != NULL)
-               {
                SSL_CTX_flush_sessions(a,0);
+
+       CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
+
+       if (a->sessions != NULL)
                lh_free(a->sessions);
-               }
+
        if (a->cert_store != NULL)
                X509_STORE_free(a->cert_store);
        if (a->cipher_list != NULL)
@@ -1442,15 +1549,10 @@ void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
        ctx->default_passwd_callback_userdata=u;
        }
 
-void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,int (*cb)(),char *arg)
+void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg)
        {
-       /* now
-        *     int (*cb)(X509_STORE_CTX *),
-        * but should be
-        *     int (*cb)(X509_STORE_CTX *, void *arg)
-        */
        ctx->app_verify_callback=cb;
-       ctx->app_verify_arg=arg; /* never used */
+       ctx->app_verify_arg=arg;
        }
 
 void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
@@ -1461,7 +1563,7 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
 
 void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
        {
-       ctx->verify_depth=depth;
+       X509_VERIFY_PARAM_set_depth(ctx->param, depth);
        }
 
 void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
@@ -1471,6 +1573,13 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
        int rsa_enc_export,dh_rsa_export,dh_dsa_export;
        int rsa_tmp_export,dh_tmp_export,kl;
        unsigned long mask,emask;
+       int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
+#ifndef OPENSSL_NO_ECDH
+       int have_ecdh_tmp;
+#endif
+       X509 *x = NULL;
+       EVP_PKEY *ecc_pkey = NULL;
+       int signature_nid = 0;
 
        if (c == NULL) return;
 
@@ -1491,6 +1600,9 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
        dh_tmp=dh_tmp_export=0;
 #endif
 
+#ifndef OPENSSL_NO_ECDH
+       have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
+#endif
        cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
        rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
        rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
@@ -1505,7 +1617,8 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 /* FIX THIS EAY EAY EAY */
        dh_dsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
        dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
-
+       cpk= &(c->pkeys[SSL_PKEY_ECC]);
+       have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
        mask=0;
        emask=0;
 
@@ -1562,11 +1675,127 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
        emask|=SSL_kKRB5|SSL_aKRB5;
 #endif
 
+       /* An ECC certificate may be usable for ECDH and/or
+        * ECDSA cipher suites depending on the key usage extension.
+        */
+       if (have_ecc_cert)
+               {
+                /* This call populates extension flags (ex_flags) */
+               x = (c->pkeys[SSL_PKEY_ECC]).x509;
+               X509_check_purpose(x, -1, 0);
+               ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
+                   (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
+               ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
+                   (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
+               ecc_pkey = X509_get_pubkey(x);
+               ecc_pkey_size = (ecc_pkey != NULL) ? 
+                   EVP_PKEY_bits(ecc_pkey) : 0;
+               EVP_PKEY_free(ecc_pkey);
+               if ((x->sig_alg) && (x->sig_alg->algorithm))
+                       signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+#ifndef OPENSSL_NO_ECDH
+               if (ecdh_ok)
+                       {
+                       if ((signature_nid == NID_md5WithRSAEncryption) ||
+                           (signature_nid == NID_md4WithRSAEncryption) ||
+                           (signature_nid == NID_md2WithRSAEncryption))
+                               {
+                               mask|=SSL_kECDH|SSL_aRSA;
+                               if (ecc_pkey_size <= 163)
+                                       emask|=SSL_kECDH|SSL_aRSA;
+                               }
+                       if (signature_nid == NID_ecdsa_with_SHA1)
+                               {
+                               mask|=SSL_kECDH|SSL_aECDSA;
+                               if (ecc_pkey_size <= 163)
+                                       emask|=SSL_kECDH|SSL_aECDSA;
+                               }
+                       }
+#endif
+#ifndef OPENSSL_NO_ECDSA
+               if (ecdsa_ok)
+                       {
+                       mask|=SSL_aECDSA;
+                       emask|=SSL_aECDSA;
+                       }
+#endif
+               }
+
+#ifndef OPENSSL_NO_ECDH
+       if (have_ecdh_tmp)
+               {
+               mask|=SSL_kECDHE;
+               emask|=SSL_kECDHE;
+               }
+#endif
        c->mask=mask;
        c->export_mask=emask;
        c->valid=1;
        }
 
+/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
+#define ku_reject(x, usage) \
+       (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+
+int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
+       {
+       unsigned long alg = cs->algorithms;
+       EVP_PKEY *pkey = NULL;
+       int keysize = 0;
+       int signature_nid = 0;
+
+       if (SSL_C_IS_EXPORT(cs))
+               {
+               /* ECDH key length in export ciphers must be <= 163 bits */
+               pkey = X509_get_pubkey(x);
+               if (pkey == NULL) return 0;
+               keysize = EVP_PKEY_bits(pkey);
+               EVP_PKEY_free(pkey);
+               if (keysize > 163) return 0;
+               }
+
+       /* This call populates the ex_flags field correctly */
+       X509_check_purpose(x, -1, 0);
+       if ((x->sig_alg) && (x->sig_alg->algorithm))
+               signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+       if (alg & SSL_kECDH) 
+               {
+               /* key usage, if present, must allow key agreement */
+               if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
+                       {
+                       return 0;
+                       }
+               if (alg & SSL_aECDSA) 
+                       {
+                       /* signature alg must be ECDSA */
+                       if (signature_nid != NID_ecdsa_with_SHA1)
+                               {
+                               return 0;
+                               }
+                       }
+               if (alg & SSL_aRSA)
+                       {
+                       /* signature alg must be RSA */
+                       if ((signature_nid != NID_md5WithRSAEncryption) &&
+                           (signature_nid != NID_md4WithRSAEncryption) &&
+                           (signature_nid != NID_md2WithRSAEncryption))
+                               {
+                               return 0;
+                               }
+                       }
+               } 
+       else if (alg & SSL_aECDSA)
+               {
+               /* key usage, if present, must allow signing */
+               if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
+                       {
+                       return 0;
+                       }
+               }
+
+       return 1;  /* all checks are ok */
+       }
+
 /* THIS NEEDS CLEANING UP */
 X509 *ssl_get_server_send_cert(SSL *s)
        {
@@ -1581,7 +1810,26 @@ X509 *ssl_get_server_send_cert(SSL *s)
        mask=is_export?c->export_mask:c->mask;
        kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
 
-       if      (kalg & SSL_kDHr)
+       if (kalg & SSL_kECDH)
+               {
+               /* we don't need to look at SSL_kECDHE 
+                * since no certificate is needed for
+                * anon ECDH and for authenticated
+                * ECDHE, the check for the auth 
+                * algorithm will set i correctly
+                * NOTE: For ECDH-RSA, we need an ECC
+                * not an RSA cert but for ECDHE-RSA
+                * we need an RSA cert. Placing the
+                * checks for SSL_kECDH before RSA
+                * checks ensures the correct cert is chosen.
+                */
+               i=SSL_PKEY_ECC;
+               }
+       else if (kalg & SSL_aECDSA)
+               {
+               i=SSL_PKEY_ECC;
+               }
+       else if (kalg & SSL_kDHr)
                i=SSL_PKEY_DH_RSA;
        else if (kalg & SSL_kDHd)
                i=SSL_PKEY_DH_DSA;
@@ -1605,6 +1853,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
                return(NULL);
                }
        if (c->pkeys[i].x509 == NULL) return(NULL);
+
        return(c->pkeys[i].x509);
        }
 
@@ -1628,6 +1877,9 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
                else
                        return(NULL);
                }
+       else if ((alg & SSL_aECDSA) &&
+                (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
+               return(c->pkeys[SSL_PKEY_ECC].privatekey);
        else /* if (alg & SSL_aNULL) */
                {
                SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
@@ -1643,9 +1895,10 @@ void ssl_update_cache(SSL *s,int mode)
         * and it would be rather hard to do anyway :-) */
        if (s->session->session_id_length == 0) return;
 
-       if ((s->ctx->session_cache_mode & mode)
-               && (!s->hit)
-               && SSL_CTX_add_session(s->ctx,s->session)
+       i=s->ctx->session_cache_mode;
+       if ((i & mode) && (!s->hit)
+               && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
+                   || SSL_CTX_add_session(s->ctx,s->session))
                && (s->ctx->new_session_cb != NULL))
                {
                CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
@@ -1654,7 +1907,6 @@ void ssl_update_cache(SSL *s,int mode)
                }
 
        /* auto flush every 255 connections */
-       i=s->ctx->session_cache_mode;
        if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
                ((i & mode) == mode))
                {
@@ -1662,17 +1914,17 @@ void ssl_update_cache(SSL *s,int mode)
                        ?s->ctx->stats.sess_connect_good
                        :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
                        {
-                       SSL_CTX_flush_sessions(s->ctx,time(NULL));
+                       SSL_CTX_flush_sessions(s->ctx,(unsigned long)time(NULL));
                        }
                }
        }
 
-SSL_METHOD *SSL_get_ssl_method(SSL *s)
+const SSL_METHOD *SSL_get_ssl_method(SSL *s)
        {
        return(s->method);
        }
 
-int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
+int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
        {
        int conn= -1;
        int ret=1;
@@ -1699,7 +1951,7 @@ int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
        return(ret);
        }
 
-int SSL_get_error(SSL *s,int i)
+int SSL_get_error(const SSL *s,int i)
        {
        int reason;
        unsigned long l;
@@ -1833,13 +2085,25 @@ int ssl_undefined_function(SSL *s)
        return(0);
        }
 
+int ssl_undefined_void_function(void)
+       {
+       SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+       return(0);
+       }
+
+int ssl_undefined_const_function(const SSL *s)
+       {
+       SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+       return(0);
+       }
+
 SSL_METHOD *ssl_bad_method(int ver)
        {
        SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return(NULL);
        }
 
-const char *SSL_get_version(SSL *s)
+const char *SSL_get_version(const SSL *s)
        {
        if (s->version == TLS1_VERSION)
                return("TLSv1");
@@ -1877,6 +2141,7 @@ SSL *SSL_dup(SSL *s)
                 * they should not both point to the same object,
                 * and thus we can't use SSL_copy_session_id. */
 
+               ret->method->ssl_free(ret);
                ret->method = s->method;
                ret->method->ssl_new(ret);
 
@@ -1941,8 +2206,8 @@ SSL *SSL_dup(SSL *s)
        ret->rstate=s->rstate;
        ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
        ret->hit=s->hit;
-       ret->purpose=s->purpose;
-       ret->trust=s->trust;
+
+       X509_VERIFY_PARAM_inherit(ret->param, s->param);
 
        /* dup the cipher_list and cipher_list_by_id stacks */
        if (s->cipher_list != NULL)
@@ -1994,6 +2259,7 @@ void ssl_clear_cipher_ctx(SSL *s)
                OPENSSL_free(s->enc_write_ctx);
                s->enc_write_ctx=NULL;
                }
+#ifndef OPENSSL_NO_COMP
        if (s->expand != NULL)
                {
                COMP_CTX_free(s->expand);
@@ -2004,10 +2270,11 @@ void ssl_clear_cipher_ctx(SSL *s)
                COMP_CTX_free(s->compress);
                s->compress=NULL;
                }
+#endif
        }
 
 /* Fix this function so that it takes an optional type parameter */
-X509 *SSL_get_certificate(SSL *s)
+X509 *SSL_get_certificate(const SSL *s)
        {
        if (s->cert != NULL)
                return(s->cert->key->x509);
@@ -2024,12 +2291,37 @@ EVP_PKEY *SSL_get_privatekey(SSL *s)
                return(NULL);
        }
 
-SSL_CIPHER *SSL_get_current_cipher(SSL *s)
+SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
        {
        if ((s->session != NULL) && (s->session->cipher != NULL))
                return(s->session->cipher);
        return(NULL);
        }
+#ifdef OPENSSL_NO_COMP
+const void *SSL_get_current_compression(SSL *s)
+       {
+       return NULL;
+       }
+const void *SSL_get_current_expansion(SSL *s)
+       {
+       return NULL;
+       }
+#else
+
+const COMP_METHOD *SSL_get_current_compression(SSL *s)
+       {
+       if (s->compress != NULL)
+               return(s->compress->meth);
+       return(NULL);
+       }
+
+const COMP_METHOD *SSL_get_current_expansion(SSL *s)
+       {
+       if (s->expand != NULL)
+               return(s->expand->meth);
+       return(NULL);
+       }
+#endif
 
 int ssl_init_wbio_buffer(SSL *s,int push)
        {
@@ -2088,7 +2380,7 @@ void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
        ctx->quiet_shutdown=mode;
        }
 
-int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx)
+int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
        {
        return(ctx->quiet_shutdown);
        }
@@ -2098,7 +2390,7 @@ void SSL_set_quiet_shutdown(SSL *s,int mode)
        s->quiet_shutdown=mode;
        }
 
-int SSL_get_quiet_shutdown(SSL *s)
+int SSL_get_quiet_shutdown(const SSL *s)
        {
        return(s->quiet_shutdown);
        }
@@ -2108,17 +2400,17 @@ void SSL_set_shutdown(SSL *s,int mode)
        s->shutdown=mode;
        }
 
-int SSL_get_shutdown(SSL *s)
+int SSL_get_shutdown(const SSL *s)
        {
        return(s->shutdown);
        }
 
-int SSL_version(SSL *s)
+int SSL_version(const SSL *s)
        {
        return(s->version);
        }
 
-SSL_CTX *SSL_get_SSL_CTX(SSL *ssl)
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
        {
        return(ssl->ctx);
        }
@@ -2136,17 +2428,20 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
        }
 #endif
 
-void SSL_set_info_callback(SSL *ssl,void (*cb)())
+void SSL_set_info_callback(SSL *ssl,
+                          void (*cb)(const SSL *ssl,int type,int val))
        {
        ssl->info_callback=cb;
        }
 
-void (*SSL_get_info_callback(SSL *ssl))(void)
+/* One compiler (Diab DCC) doesn't like argument names in returned
+   function pointer.  */
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
        {
-       return((void (*)())ssl->info_callback);
+       return ssl->info_callback;
        }
 
-int SSL_state(SSL *ssl)
+int SSL_state(const SSL *ssl)
        {
        return(ssl->state);
        }
@@ -2156,7 +2451,7 @@ void SSL_set_verify_result(SSL *ssl,long arg)
        ssl->verify_result=arg;
        }
 
-long SSL_get_verify_result(SSL *ssl)
+long SSL_get_verify_result(const SSL *ssl)
        {
        return(ssl->verify_result);
        }
@@ -2173,7 +2468,7 @@ int SSL_set_ex_data(SSL *s,int idx,void *arg)
        return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
        }
 
-void *SSL_get_ex_data(SSL *s,int idx)
+void *SSL_get_ex_data(const SSL *s,int idx)
        {
        return(CRYPTO_get_ex_data(&s->ex_data,idx));
        }
@@ -2190,7 +2485,7 @@ int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
        return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
        }
 
-void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx)
+void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
        {
        return(CRYPTO_get_ex_data(&s->ex_data,idx));
        }
@@ -2200,7 +2495,7 @@ int ssl_ok(SSL *s)
        return(1);
        }
 
-X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
        {
        return(ctx->cert_store);
        }
@@ -2212,7 +2507,7 @@ void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
        ctx->cert_store=store;
        }
 
-int SSL_want(SSL *s)
+int SSL_want(const SSL *s)
        {
        return(s->rwstate);
        }
@@ -2228,14 +2523,14 @@ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
                                                          int is_export,
                                                          int keylength))
     {
-    SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+    SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
     }
 
 void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
                                                  int is_export,
                                                  int keylength))
     {
-    SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+    SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
     }
 #endif
 
@@ -2264,24 +2559,38 @@ RSA *cb(SSL *ssl,int is_export,int keylength)
 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
                                                        int keylength))
        {
-       SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+       SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
        }
 
 void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
                                                int keylength))
        {
-       SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+       SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
+       }
+#endif
+
+#ifndef OPENSSL_NO_ECDH
+void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
+                                                       int keylength))
+       {
+       SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
+       }
+
+void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
+                                               int keylength))
+       {
+       SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
        }
 #endif
 
 
 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
        {
-       SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
+       SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
        }
 void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
        {
-       SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
+       SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
        }