Import of old SSLeay release: SSLeay 0.9.1b (unreleased)
diff --git a/ssl/KEYS b/ssl/KEYS
new file mode 100644
index 0000000..710d102
--- /dev/null
+++ b/ssl/KEYS
@@ -0,0 +1,28 @@
+EVP_PKEY_DSA
+EVP_PKEY_DSA2
+EVP_PKEY_DSA3
+EVP_PKEY_DSA4
+
+EVP_PKEY_RSA
+EVP_PKEY_RSA2
+
+valid DSA pkey types
+	NID_dsa
+	NID_dsaWithSHA
+	NID_dsaWithSHA1
+	NID_dsaWithSHA1_2
+
+valid RSA pkey types
+	NID_rsaEncryption
+	NID_rsa
+
+NID_dsaWithSHA	NID_dsaWithSHA			DSA		SHA
+NID_dsa		NID_dsaWithSHA1			DSA		SHA1
+NID_md2		NID_md2WithRSAEncryption	RSA-pkcs1	MD2
+NID_md5		NID_md5WithRSAEncryption	RSA-pkcs1	MD5
+NID_mdc2	NID_mdc2WithRSA			RSA-none	MDC2
+NID_ripemd160	NID_ripemd160WithRSA		RSA-pkcs1	RIPEMD160
+NID_sha		NID_shaWithRSAEncryption	RSA-pkcs1	SHA
+NID_sha1	NID_sha1WithRSAEncryption	RSA-pkcs1	SHA1
+:w
+
diff --git a/ssl/f b/ssl/f
index 8730ef5..9f4bfe8 100644
--- a/ssl/f
+++ b/ssl/f
@@ -1,40 +1,12 @@
-/* return the actual cipher being used */
-char *SSL_CIPHER_get_name(c)
-SSL_CIPHER *c;
-	{
-	if (c != NULL)
-		return(c->name);
-	return("UNKNOWN");
-	}
-
-/* number of bits for symetric cipher */
-int SSL_CIPHER_get_bits(c,alg_bits)
-SSL_CIPHER *c;
-int *alg_bits;
-	{
-	int ret=0,a=0;
-	EVP_CIPHER *enc;
-
-	if (c != NULL)
-		{
-		if (!ssl_cipher_get_evp(c,&enc,NULL))
-			return(0);
-
-		a=EVP_CIPHER_key_length(enc)*8;
-
-		if (s->session->cipher->algorithms & SSL_EXP)
-			{
-			if (c->algorithm2 & SSL2_CF_8_BYTE_ENC)
-				ret=64;
-			else
-				ret=40;
-			}
-		else
-			ret=a;
-		}
-
-	if (alg_bits != NULL) *alg_bits=a;
-	
-	return(ret);
-	}
-
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECRYPTION_FAILED);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_RECORD_OVERFLOW
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_UNKNOWN_CA);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_ACCESS_DENIED);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECODE_ERROR);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECRYPT_ERROR);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_EXPORT_RESTRICION);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_PROTOCOL_VERSION);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_INTERNAL_ERROR);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_USER_CANCLED);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_NO_RENEGOTIATION);
diff --git a/ssl/f.mak b/ssl/f.mak
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/ssl/f.mak
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index a4661eb..597cc87 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -179,7 +179,7 @@
 			ret=ssl23_get_server_hello(s);
 			if (ret >= 0) cb=NULL;
 			goto end;
-			break;
+			/* break; */
 
 		default:
 			SSLerr(SSL_F_SSL23_CONNECT,SSL_R_UNKNOWN_STATE);
@@ -443,7 +443,7 @@
 			}
 
 		s->rwstate=SSL_NOTHING;
-		SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,1000+p[6]);
+		SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]);
 		goto err;
 		}
 	else
diff --git a/ssl/s23_lib.c b/ssl/s23_lib.c
index e16f641..1eb2b3a 100644
--- a/ssl/s23_lib.c
+++ b/ssl/s23_lib.c
@@ -78,7 +78,7 @@
 static SSL_CIPHER *ssl23_get_cipher_by_char();
 #endif
 
-char *SSL23_version_str="SSLv2/3 compatablity part of SSLeay 0.7.0 30-Jan-1997";
+char *SSL23_version_str="SSLv2/3 compatablity part of SSLeay 0.9.1a 06-Jul-1998";
 
 static SSL_METHOD SSLv23_data= {
 	TLS1_VERSION,
@@ -92,6 +92,7 @@
 	ssl23_write,
 	ssl_undefined_function,
 	ssl_undefined_function,
+	ssl_ok,
 	ssl3_ctrl,
 	ssl3_ctx_ctrl,
 	ssl23_get_cipher_by_char,
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index c7b9ecb..888ffac 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -166,7 +166,7 @@
 			ret=ssl23_get_client_hello(s);
 			if (ret >= 0) cb=NULL;
 			goto end;
-			break;
+			/* break; */
 
 		default:
 			SSLerr(SSL_F_SSL23_ACCEPT,SSL_R_UNKNOWN_STATE);
@@ -237,9 +237,15 @@
 						{
 						s->state=SSL23_ST_SR_CLNT_HELLO_B;
 						}
+					else if (!(s->options & SSL_OP_NO_SSLv2))
+						{
+						type=1;
+						}
 					}
 				else if (!(s->options & SSL_OP_NO_SSLv3))
 					s->state=SSL23_ST_SR_CLNT_HELLO_B;
+				else if (!(s->options & SSL_OP_NO_SSLv2))
+					type=1;
 
 				if (s->options & SSL_OP_NON_EXPORT_FIRST)
 					{
@@ -313,15 +319,15 @@
 			else if (!(s->options & SSL_OP_NO_SSLv3))
 				type=3;
 			}
-		else if ((strncmp("GET ", p,4) == 0) ||
-			 (strncmp("POST ",p,5) == 0) ||
-			 (strncmp("HEAD ",p,5) == 0) ||
-			 (strncmp("PUT ", p,4) == 0))
+		else if ((strncmp("GET ", (char *)p,4) == 0) ||
+			 (strncmp("POST ",(char *)p,5) == 0) ||
+			 (strncmp("HEAD ",(char *)p,5) == 0) ||
+			 (strncmp("PUT ", (char *)p,4) == 0))
 			{
 			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTP_REQUEST);
 			goto err;
 			}
-		else if (strncmp("CONNECT",p,7) == 0)
+		else if (strncmp("CONNECT",(char *)p,7) == 0)
 			{
 			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTPS_PROXY_REQUEST);
 			goto err;
@@ -387,7 +393,7 @@
 			}
 		s2n(j,dd);
 
-		/* compression */
+		/* COMPRESSION */
 		*(d++)=1;
 		*(d++)=0;
 		
diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
index 16df9ec..2170e29 100644
--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -268,7 +268,7 @@
 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
 
 			goto end;
-			break;
+			/* break; */
 		default:
 			SSLerr(SSL_F_SSL2_CONNECT,SSL_R_UNKNOWN_STATE);
 			return(-1);
@@ -587,6 +587,11 @@
 			SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PUBLIC_KEY_ENCRYPT_ERROR);
 			return(-1);
 			}
+#ifdef PKCS1_CHECK
+		if (s->options & SSL_OP_PKCS1_CHECK_1) d[1]++;
+		if (s->options & SSL_OP_PKCS1_CHECK_2)
+			sess->master_key[clear]++;
+#endif
 		s2n(enc,p);
 		d+=enc;
 		karg=sess->key_arg_length;	
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 275eb52..172fc36 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -62,14 +62,12 @@
 #include "ssl_locl.h"
 
 #ifndef NOPROTO
-static int ssl2_ok(SSL *s);
 static long ssl2_default_timeout(void );
 #else
-static int ssl2_ok();
 static long ssl2_default_timeout();
 #endif
 
-char *ssl2_version_str="SSLv2 part of SSLeay 0.9.0b 29-Jun-1998";
+char *ssl2_version_str="SSLv2 part of SSLeay 0.9.1a 06-Jul-1998";
 
 #define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
 
@@ -184,7 +182,8 @@
 	ssl2_peek,
 	ssl2_write,
 	ssl2_shutdown,
-	ssl2_ok,
+	ssl_ok,	/* NULL - renegotiate */
+	ssl_ok,	/* NULL - check renegotiate */
 	ssl2_ctrl,	/* local */
 	ssl2_ctx_ctrl,	/* local */
 	ssl2_get_cipher_by_char,
@@ -429,12 +428,6 @@
 		s->error=0; */
 	}
 
-static int ssl2_ok(s)
-SSL *s;
-	{
-	return(1);
-	}
-
 int ssl2_shutdown(s)
 SSL *s;
 	{
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 6de62e1..251bced 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -92,6 +92,13 @@
 		p+=i;
 		l=i;
 
+#ifdef WIN16
+		/* MSVC 1.5 does not clear the top bytes of the word unless
+		 * I do this.
+		 */
+		l&=0xffff;
+#endif
+
 		*(d++)=SSL3_MT_FINISHED;
 		l2n3(l,d);
 		s->init_num=(int)l+4;
@@ -236,6 +243,23 @@
 		X509_STORE_CTX_cleanup(&xs_ctx);
 		}
 
+	/* Thwate special :-) */
+	if (s->ctx->extra_certs != NULL)
+	for (i=0; i<sk_num(s->ctx->extra_certs); i++)
+		{
+		x=(X509 *)sk_value(s->ctx->extra_certs,i);
+		n=i2d_X509(x,NULL);
+		if (!BUF_MEM_grow(buf,(int)(n+l+3)))
+			{
+			SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+			return(0);
+			}
+		p=(unsigned char *)&(buf->data[l]);
+		l2n3(n,p);
+		i2d_X509(x,&p);
+		l+=n+3;
+		}
+
 	l-=7;
 	p=(unsigned char *)&(buf->data[4]);
 	l2n3(l,p);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 940c6a4..d4ff1d9 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -430,7 +430,7 @@
 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
 
 			goto end;
-			break;
+			/* break; */
 			
 		default:
 			SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
@@ -478,7 +478,8 @@
 	if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
 		{
 		if ((s->session == NULL) ||
-			(s->session->ssl_version != s->version))
+			(s->session->ssl_version != s->version) ||
+			(s->session->not_resumable))
 			{
 			if (!ssl_get_new_session(s,0))
 				goto err;
@@ -488,7 +489,7 @@
 		p=s->s3->client_random;
 		Time=time(NULL);			/* Time */
 		l2n(Time,p);
-		RAND_bytes(&(p[4]),SSL3_RANDOM_SIZE-sizeof(Time));
+		RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
 
 		/* Do the message type and length last */
 		d=p= &(buf[4]);
@@ -523,6 +524,7 @@
 		p+=i;
 
 		/* hardwire in the NULL compression algorithm. */
+		/* COMPRESSION */
 		*(p++)=1;
 		*(p++)=0;
 		
@@ -643,6 +645,7 @@
 	s->s3->tmp.new_cipher=c;
 
 	/* lets get the compression algorithm */
+	/* COMPRESSION */
 	j= *(p++);
 	if (j != 0)
 		{
@@ -771,7 +774,7 @@
 
 	pkey=X509_get_pubkey(x);
 
-	if (EVP_PKEY_missing_parameters(pkey))
+	if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
 		{
 		x=NULL;
 		al=SSL3_AL_FATAL;
@@ -998,6 +1001,13 @@
 		goto f_err;
 		}
 #endif
+	if (alg & SSL_aFZA)
+		{
+		al=SSL_AD_HANDSHAKE_FAILURE;
+		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
+		goto f_err;
+		}
+
 
 	/* p points to the next byte, there are 'n' bytes left */
 
@@ -1014,7 +1024,7 @@
 			/* wrong packet length */
 			al=SSL_AD_DECODE_ERROR;
 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
-			goto err;
+			goto f_err;
 			}
 
 #ifndef NO_RSA
@@ -1167,6 +1177,15 @@
 
 	/* get the CA RDNs */
 	n2s(p,llen);
+#if 0
+{
+FILE *out;
+out=fopen("/tmp/vsign.der","w");
+fwrite(p,1,llen,out);
+fclose(out);
+}
+#endif
+
 	if ((llen+ctype_num+2+1) != n)
 		{
 		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
@@ -1286,7 +1305,7 @@
 		if (l & SSL_kRSA)
 			{
 			RSA *rsa;
-			unsigned char tmp_buf[48];
+			unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
 
 			if (s->session->cert->rsa_tmp != NULL)
 				rsa=s->session->cert->rsa_tmp;
@@ -1315,6 +1334,10 @@
 				p+=2;
 			n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH,
 				tmp_buf,p,rsa,RSA_PKCS1_PADDING);
+#ifdef PKCS1_CHECK
+			if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
+			if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
+#endif
 			if (n <= 0)
 				{
 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
@@ -1331,8 +1354,8 @@
 			s->session->master_key_length=
 				s->method->ssl3_enc->generate_master_secret(s,
 					s->session->master_key,
-					tmp_buf,48);
-			memset(tmp_buf,0,48);
+					tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
+			memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
 			}
 		else
 #endif
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index bbd9b63..116b096 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -136,7 +136,7 @@
 	unsigned char *ms,*key,*iv,*er1,*er2;
 	EVP_CIPHER_CTX *dd;
 	EVP_CIPHER *c;
-	SSL_COMPRESSION *comp;
+	COMP_METHOD *comp;
 	EVP_MD *m;
 	MD5_CTX md;
 	int exp,n,i,j,k;
@@ -155,7 +155,25 @@
 			goto err;
 		dd= s->enc_read_ctx;
 		s->read_hash=m;
-		s->read_compression=comp;
+		/* COMPRESS */
+		if (s->expand != NULL)
+			{
+			COMP_CTX_free(s->expand);
+			s->expand=NULL;
+			}
+		if (comp != NULL)
+			{
+			s->expand=COMP_CTX_new(comp);
+			if (s->expand == NULL)
+				{
+				SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+				goto err2;
+				}
+			s->s3->rrec.comp=(unsigned char *)
+				Malloc(SSL3_RT_MAX_PLAIN_LENGTH);
+			if (s->s3->rrec.comp == NULL)
+				goto err;
+			}
 		memset(&(s->s3->read_sequence[0]),0,8);
 		mac_secret= &(s->s3->read_mac_secret[0]);
 		}
@@ -167,7 +185,21 @@
 			goto err;
 		dd= s->enc_write_ctx;
 		s->write_hash=m;
-		s->write_compression=comp;
+		/* COMPRESS */
+		if (s->compress != NULL)
+			{
+			COMP_CTX_free(s->compress);
+			s->compress=NULL;
+			}
+		if (comp != NULL)
+			{
+			s->compress=COMP_CTX_new(comp);
+			if (s->compress == NULL)
+				{
+				SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+				goto err2;
+				}
+			}
 		memset(&(s->s3->write_sequence[0]),0,8);
 		mac_secret= &(s->s3->write_mac_secret[0]);
 		}
@@ -258,6 +290,11 @@
 
 	s->s3->tmp.new_sym_enc=c;
 	s->s3->tmp.new_hash=hash;
+#ifdef ZLIB
+	s->s3->tmp.new_compression=COMP_zlib();
+#endif
+/*	s->s3->tmp.new_compression=COMP_rle(); */
+/*	s->session->compress_meth= xxxxx */
 
 	exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0;
 
@@ -302,35 +339,28 @@
 	unsigned long l;
 	int bs,i;
 	EVP_CIPHER *enc;
-	SSL_COMPRESSION *comp;
 
 	if (send)
 		{
 		ds=s->enc_write_ctx;
 		rec= &(s->s3->wrec);
 		if (s->enc_write_ctx == NULL)
-			{ enc=NULL; comp=NULL; }
+			enc=NULL;
 		else
-			{
 			enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
-			comp=s->write_compression;
-			}
 		}
 	else
 		{
 		ds=s->enc_read_ctx;
 		rec= &(s->s3->rrec);
 		if (s->enc_read_ctx == NULL)
-			{ enc=NULL; comp=NULL; }
+			enc=NULL;
 		else
-			{
 			enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
-			comp=s->read_compression;
-			}
 		}
 
 	if ((s->session == NULL) || (ds == NULL) ||
-		((enc == NULL) && (comp == NULL)))
+		(enc == NULL))
 		{
 		memcpy(rec->data,rec->input,rec->length);
 		rec->input=rec->data;
@@ -340,6 +370,8 @@
 		l=rec->length;
 		bs=EVP_CIPHER_block_size(ds->cipher);
 
+		/* COMPRESS */
+
 		/* This should be using (bs-1) and bs instead of 7 and 8 */
 		if ((bs != 1) && send)
 			{
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0fd9450..41b1814 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -60,7 +60,7 @@
 #include "objects.h"
 #include "ssl_locl.h"
 
-char *ssl3_version_str="SSLv3 part of SSLeay 0.9.0b 29-Jun-1998";
+char *ssl3_version_str="SSLv3 part of SSLeay 0.9.1a 06-Jul-1998";
 
 #define SSL3_NUM_CIPHERS	(sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
 
@@ -384,6 +384,7 @@
 	ssl3_write,
 	ssl3_shutdown,
 	ssl3_renegotiate,
+	ssl3_renegotiate_check,
 	ssl3_ctrl,
 	ssl3_ctx_ctrl,
 	ssl3_get_cipher_by_char,
@@ -460,6 +461,8 @@
 		Free(s->s3->rbuf.buf);
 	if (s->s3->wbuf.buf != NULL)
 		Free(s->s3->wbuf.buf);
+	if (s->s3->rrec.comp != NULL)
+		Free(s->s3->rrec.comp);
 #ifndef NO_DH
 	if (s->s3->tmp.dh != NULL)
 		DH_free(s->s3->tmp.dh);
@@ -486,6 +489,13 @@
 	memset(s->s3,0,sizeof(SSL3_CTX));
 	if (rp != NULL) s->s3->rbuf.buf=rp;
 	if (wp != NULL) s->s3->wbuf.buf=wp;
+
+	if (s->s3->rrec.comp != NULL)
+		{
+		Free(s->s3->rrec.comp);
+		s->s3->rrec.comp=NULL;
+		}
+
 	s->packet_length=0;
 	s->s3->renegotiate=0;
 	s->s3->total_renegotiations=0;
@@ -519,6 +529,9 @@
 	case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
 		ret=s->s3->total_renegotiations;
 		break;
+	case SSL_CTRL_GET_FLAGS:
+		ret=s->s3->flags;
+		break;
 	default:
 		break;
 		}
@@ -546,7 +559,7 @@
 			return(1);
 		else
 			return(0);
-		break;
+		/* break; */
 	case SSL_CTRL_SET_TMP_RSA:
 		{
 		RSA *rsa;
@@ -574,7 +587,7 @@
 			return(1);
 			}
 		}
-		break;
+		/* break; */
 	case SSL_CTRL_SET_TMP_RSA_CB:
 		cert->rsa_tmp_cb=(RSA *(*)())parg;
 		break;
@@ -583,6 +596,7 @@
 	case SSL_CTRL_SET_TMP_DH:
 		{
 		DH *new=NULL,*dh;
+		int rret=0;
 
 		dh=(DH *)parg;
 		if (	((new=DHparams_dup(dh)) == NULL) ||
@@ -590,21 +604,31 @@
 			{
 			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
 			if (new != NULL) DH_free(new);
-			return(0);
 			}
 		else
 			{
 			if (cert->dh_tmp != NULL)
 				DH_free(cert->dh_tmp);
 			cert->dh_tmp=new;
-			return(1);
+			rret=1;
 			}
+		return(rret);
 		}
-		break;
+		/*break; */
 	case SSL_CTRL_SET_TMP_DH_CB:
 		cert->dh_tmp_cb=(DH *(*)())parg;
 		break;
 #endif
+	/* A Thwate special :-) */
+	case SSL_CTRL_EXTRA_CHAIN_CERT:
+		if (ctx->extra_certs == NULL)
+			{
+			if ((ctx->extra_certs=sk_new_null()) == NULL)
+				return(0);
+			}
+		sk_push(ctx->extra_certs,(char *)parg);
+		break;
+
 	default:
 		return(0);
 		}
@@ -743,28 +767,30 @@
 #ifndef NO_DH
 	if (alg & (SSL_kDHr|SSL_kEDH))
 		{
-#ifndef NO_RSA
+#  ifndef NO_RSA
 		p[ret++]=SSL3_CT_RSA_FIXED_DH;
-#endif
-#ifndef NO_DSA
+#  endif
+#  ifndef NO_DSA
 		p[ret++]=SSL3_CT_DSS_FIXED_DH;
-#endif
+#  endif
 		}
 	if ((s->version == SSL3_VERSION) &&
 		(alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
 		{
-#ifndef NO_RSA
+#  ifndef NO_RSA
 		p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
-#endif
-#ifndef NO_DSA
+#  endif
+#  ifndef NO_DSA
 		p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
-#endif
+#  endif
 		}
 #endif /* !NO_DH */
 #ifndef NO_RSA
 	p[ret++]=SSL3_CT_RSA_SIGN;
 #endif
+#ifndef NO_DSA
 	p[ret++]=SSL3_CT_DSS_SIGN;
+#endif
 	return(ret);
 	}
 
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 2385080..444263b 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -79,6 +79,18 @@
  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED);
  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN);
  * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECRYPTION_FAILED);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_RECORD_OVERFLOW);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_UNKNOWN_CA);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_ACCESS_DENIED);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECODE_ERROR);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECRYPT_ERROR);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_EXPORT_RESTRICION);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_PROTOCOL_VERSION);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_INTERNAL_ERROR);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_USER_CANCLED);
+ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_NO_RENEGOTIATION);
  */
 
 #ifndef NOPROTO
@@ -213,7 +225,6 @@
 static int ssl3_get_record(s)
 SSL *s;
 	{
-	char tmp_buf[512];
 	int ssl_major,ssl_minor,al;
 	int n,i,ret= -1;
 	SSL3_BUFFER *rb;
@@ -331,7 +342,6 @@
 
 	/* decrypt in place in 'rr->input' */
 	rr->data=rr->input;
-	memcpy(tmp_buf,rr->input,(rr->length > 512)?512:rr->length);
 
 	if (!s->method->ssl3_enc->enc(s,0))
 		{
@@ -340,7 +350,7 @@
 		}
 #ifdef TLS_DEBUG
 printf("dec %d\n",rr->length);
-{ int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
+{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
 printf("\n");
 #endif
 	/* r->length is now the compressed data plus mac */
@@ -378,7 +388,7 @@
 		}
 
 	/* r->length is now just compressed */
-	if ((sess != NULL) && (sess->read_compression != NULL))
+	if (s->expand != NULL)
 		{
 		if (rr->length > 
 			(unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
@@ -427,12 +437,37 @@
 static int do_uncompress(ssl)
 SSL *ssl;
 	{
+	int i;
+	SSL3_RECORD *rr;
+
+	rr= &(ssl->s3->rrec);
+	i=COMP_expand_block(ssl->expand,rr->comp,
+		SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
+	if (i < 0)
+		return(0);
+	else
+		rr->length=i;
+	rr->data=rr->comp;
+
 	return(1);
 	}
 
 static int do_compress(ssl)
 SSL *ssl;
 	{
+	int i;
+	SSL3_RECORD *wr;
+
+	wr= &(ssl->s3->wrec);
+	i=COMP_compress_block(ssl->compress,wr->data,
+		SSL3_RT_MAX_COMPRESSED_LENGTH,
+		wr->input,(int)wr->length);
+	if (i < 0)
+		return(0);
+	else
+		wr->length=i;
+
+	wr->input=wr->data;
 	return(1);
 	}
 
@@ -552,7 +587,7 @@
 	 * wr->data */
 
 	/* first we compress */
-	if ((sess != NULL) && (sess->write_compression != NULL))
+	if (s->compress != NULL)
 		{
 		if (!do_compress(s))
 			{
@@ -786,7 +821,8 @@
 
 				s->rwstate=SSL_NOTHING;
 				s->s3->fatal_alert=n;
-				SSLerr(SSL_F_SSL3_READ_BYTES,1000+n);
+				SSLerr(SSL_F_SSL3_READ_BYTES,
+					SSL_AD_REASON_OFFSET+n);
 				sprintf(tmp,"%d",n);
 				ERR_add_error_data(2,"SSL alert number ",tmp);
 				s->shutdown|=SSL_RECEIVED_SHUTDOWN;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 64903af..743f8ea 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1259,7 +1259,7 @@
 		i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
 
 #if 1
-		/* If a bad decrypt, use a dud master key */
+		/* If a bad decrypt, use a random master key */
 		if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
 			((p[0] != (s->version>>8)) ||
 			 (p[1] != (s->version & 0xff))))
diff --git a/ssl/ssl.err b/ssl/ssl.err
index c54326c..10ca9c5 100644
--- a/ssl/ssl.err
+++ b/ssl/ssl.err
@@ -105,11 +105,12 @@
 #define SSL_F_SSL_USE_RSAPRIVATEKEY			 201
 #define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1		 202
 #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE		 203
-#define SSL_F_SSL_WRITE					 204
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE			 205
-#define SSL_F_TLS1_ENC					 206
-#define SSL_F_TLS1_SETUP_KEY_BLOCK			 207
-#define SSL_F_WRITE_PENDING				 208
+#define SSL_F_SSL_VERIFY_CERT_CHAIN			 204
+#define SSL_F_SSL_WRITE					 205
+#define SSL_F_TLS1_CHANGE_CIPHER_STATE			 206
+#define SSL_F_TLS1_ENC					 207
+#define SSL_F_TLS1_SETUP_KEY_BLOCK			 208
+#define SSL_F_WRITE_PENDING				 209
 
 /* Reason codes. */
 #define SSL_R_APP_DATA_IN_HANDSHAKE			 100
@@ -154,83 +155,85 @@
 #define SSL_R_CIPHER_TABLE_SRC_ERROR			 139
 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG		 140
 #define SSL_R_COMPRESSION_FAILURE			 141
-#define SSL_R_CONNECTION_ID_IS_DIFFERENT		 142
-#define SSL_R_CONNECTION_TYPE_NOT_SET			 143
-#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED		 144
-#define SSL_R_DATA_LENGTH_TOO_LONG			 145
-#define SSL_R_DECRYPTION_FAILED				 146
-#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG		 147
-#define SSL_R_DIGEST_CHECK_FAILED			 148
-#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG			 149
-#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST		 150
-#define SSL_R_EXCESSIVE_MESSAGE_SIZE			 151
-#define SSL_R_EXTRA_DATA_IN_MESSAGE			 152
-#define SSL_R_GOT_A_FIN_BEFORE_A_CCS			 153
-#define SSL_R_HTTPS_PROXY_REQUEST			 154
-#define SSL_R_HTTP_REQUEST				 155
-#define SSL_R_INTERNAL_ERROR				 156
-#define SSL_R_INVALID_CHALLENGE_LENGTH			 157
-#define SSL_R_LENGTH_MISMATCH				 158
-#define SSL_R_LENGTH_TOO_SHORT				 159
-#define SSL_R_LIBRARY_HAS_NO_CIPHERS			 160
-#define SSL_R_MISSING_DH_DSA_CERT			 161
-#define SSL_R_MISSING_DH_KEY				 162
-#define SSL_R_MISSING_DH_RSA_CERT			 163
-#define SSL_R_MISSING_DSA_SIGNING_CERT			 164
-#define SSL_R_MISSING_EXPORT_TMP_DH_KEY			 165
-#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY		 166
-#define SSL_R_MISSING_RSA_CERTIFICATE			 167
-#define SSL_R_MISSING_RSA_ENCRYPTING_CERT		 168
-#define SSL_R_MISSING_RSA_SIGNING_CERT			 169
-#define SSL_R_MISSING_TMP_DH_KEY			 170
-#define SSL_R_MISSING_TMP_RSA_KEY			 171
-#define SSL_R_MISSING_TMP_RSA_PKEY			 172
-#define SSL_R_MISSING_VERIFY_MESSAGE			 173
-#define SSL_R_NON_SSLV2_INITIAL_PACKET			 174
-#define SSL_R_NO_CERTIFICATES_RETURNED			 175
-#define SSL_R_NO_CERTIFICATE_ASSIGNED			 176
-#define SSL_R_NO_CERTIFICATE_RETURNED			 177
-#define SSL_R_NO_CERTIFICATE_SET			 178
-#define SSL_R_NO_CERTIFICATE_SPECIFIED			 179
-#define SSL_R_NO_CIPHERS_AVAILABLE			 180
-#define SSL_R_NO_CIPHERS_PASSED				 181
-#define SSL_R_NO_CIPHERS_SPECIFIED			 182
-#define SSL_R_NO_CIPHER_LIST				 183
-#define SSL_R_NO_CIPHER_MATCH				 184
-#define SSL_R_NO_CLIENT_CERT_RECEIVED			 185
-#define SSL_R_NO_COMPRESSION_SPECIFIED			 186
-#define SSL_R_NO_PRIVATEKEY				 187
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED			 188
-#define SSL_R_NO_PROTOCOLS_AVAILABLE			 189
-#define SSL_R_NO_PUBLICKEY				 190
-#define SSL_R_NO_SHARED_CIPHER				 191
-#define SSL_R_NULL_SSL_CTX				 192
-#define SSL_R_NULL_SSL_METHOD_PASSED			 193
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 194
-#define SSL_R_PACKET_LENGTH_TOO_LONG			 195
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE		 196
-#define SSL_R_PEER_ERROR				 197
-#define SSL_R_PEER_ERROR_CERTIFICATE			 198
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE			 199
-#define SSL_R_PEER_ERROR_NO_CIPHER			 200
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE	 201
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG			 202
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS		 203
-#define SSL_R_PROTOCOL_IS_SHUTDOWN			 204
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR			 205
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA			 206
-#define SSL_R_PUBLIC_KEY_NOT_RSA			 207
-#define SSL_R_READ_BIO_NOT_SET				 208
-#define SSL_R_READ_WRONG_PACKET_TYPE			 209
-#define SSL_R_RECORD_LENGTH_MISMATCH			 210
-#define SSL_R_RECORD_TOO_LARGE				 211
-#define SSL_R_REQUIRED_CIPHER_MISSING			 212
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 213
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 214
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO		 215
-#define SSL_R_SHORT_READ				 216
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 217
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 218
+#define SSL_R_COMPRESSION_LIBRARY_ERROR			 142
+#define SSL_R_CONNECTION_ID_IS_DIFFERENT		 143
+#define SSL_R_CONNECTION_TYPE_NOT_SET			 144
+#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED		 145
+#define SSL_R_DATA_LENGTH_TOO_LONG			 146
+#define SSL_R_DECRYPTION_FAILED				 147
+#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG		 148
+#define SSL_R_DIGEST_CHECK_FAILED			 149
+#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG			 150
+#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST		 151
+#define SSL_R_EXCESSIVE_MESSAGE_SIZE			 152
+#define SSL_R_EXTRA_DATA_IN_MESSAGE			 153
+#define SSL_R_GOT_A_FIN_BEFORE_A_CCS			 154
+#define SSL_R_HTTPS_PROXY_REQUEST			 155
+#define SSL_R_HTTP_REQUEST				 156
+#define SSL_R_INTERNAL_ERROR				 157
+#define SSL_R_INVALID_CHALLENGE_LENGTH			 158
+#define SSL_R_LENGTH_MISMATCH				 159
+#define SSL_R_LENGTH_TOO_SHORT				 160
+#define SSL_R_LIBRARY_HAS_NO_CIPHERS			 161
+#define SSL_R_MISSING_DH_DSA_CERT			 162
+#define SSL_R_MISSING_DH_KEY				 163
+#define SSL_R_MISSING_DH_RSA_CERT			 164
+#define SSL_R_MISSING_DSA_SIGNING_CERT			 165
+#define SSL_R_MISSING_EXPORT_TMP_DH_KEY			 166
+#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY		 167
+#define SSL_R_MISSING_RSA_CERTIFICATE			 168
+#define SSL_R_MISSING_RSA_ENCRYPTING_CERT		 169
+#define SSL_R_MISSING_RSA_SIGNING_CERT			 170
+#define SSL_R_MISSING_TMP_DH_KEY			 171
+#define SSL_R_MISSING_TMP_RSA_KEY			 172
+#define SSL_R_MISSING_TMP_RSA_PKEY			 173
+#define SSL_R_MISSING_VERIFY_MESSAGE			 174
+#define SSL_R_NON_SSLV2_INITIAL_PACKET			 175
+#define SSL_R_NO_CERTIFICATES_RETURNED			 176
+#define SSL_R_NO_CERTIFICATE_ASSIGNED			 177
+#define SSL_R_NO_CERTIFICATE_RETURNED			 178
+#define SSL_R_NO_CERTIFICATE_SET			 179
+#define SSL_R_NO_CERTIFICATE_SPECIFIED			 180
+#define SSL_R_NO_CIPHERS_AVAILABLE			 181
+#define SSL_R_NO_CIPHERS_PASSED				 182
+#define SSL_R_NO_CIPHERS_SPECIFIED			 183
+#define SSL_R_NO_CIPHER_LIST				 184
+#define SSL_R_NO_CIPHER_MATCH				 185
+#define SSL_R_NO_CLIENT_CERT_RECEIVED			 186
+#define SSL_R_NO_COMPRESSION_SPECIFIED			 187
+#define SSL_R_NO_PRIVATEKEY				 188
+#define SSL_R_NO_PRIVATE_KEY_ASSIGNED			 189
+#define SSL_R_NO_PROTOCOLS_AVAILABLE			 190
+#define SSL_R_NO_PUBLICKEY				 191
+#define SSL_R_NO_SHARED_CIPHER				 192
+#define SSL_R_NO_VERIFY_CALLBACK			 193
+#define SSL_R_NULL_SSL_CTX				 194
+#define SSL_R_NULL_SSL_METHOD_PASSED			 195
+#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 196
+#define SSL_R_PACKET_LENGTH_TOO_LONG			 197
+#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE		 198
+#define SSL_R_PEER_ERROR				 199
+#define SSL_R_PEER_ERROR_CERTIFICATE			 200
+#define SSL_R_PEER_ERROR_NO_CERTIFICATE			 201
+#define SSL_R_PEER_ERROR_NO_CIPHER			 202
+#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE	 203
+#define SSL_R_PRE_MAC_LENGTH_TOO_LONG			 204
+#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS		 205
+#define SSL_R_PROTOCOL_IS_SHUTDOWN			 206
+#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR			 207
+#define SSL_R_PUBLIC_KEY_IS_NOT_RSA			 208
+#define SSL_R_PUBLIC_KEY_NOT_RSA			 209
+#define SSL_R_READ_BIO_NOT_SET				 210
+#define SSL_R_READ_WRONG_PACKET_TYPE			 211
+#define SSL_R_RECORD_LENGTH_MISMATCH			 212
+#define SSL_R_RECORD_TOO_LARGE				 213
+#define SSL_R_REQUIRED_CIPHER_MISSING			 214
+#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 215
+#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 216
+#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO		 217
+#define SSL_R_SHORT_READ				 218
+#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 219
+#define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 220
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED		 1045
@@ -240,51 +243,64 @@
 #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE		 1040
 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER		 1047
 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE		 1041
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE	 219
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE	 220
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER		 221
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 222
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE	 221
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE	 222
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER		 223
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE		 1010
-#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE	 223
+#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE	 225
 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE	 1043
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION	 224
-#define SSL_R_SSL_HANDSHAKE_FAILURE			 225
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS		 226
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT		 227
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER	 228
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 229
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG	 230
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER		 231
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS			 232
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY		 233
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS		 234
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS	 235
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD			 236
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES		 237
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES		 238
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES		 239
-#define SSL_R_UNEXPECTED_MESSAGE			 240
-#define SSL_R_UNEXPECTED_RECORD				 241
-#define SSL_R_UNKNOWN_ALERT_TYPE			 242
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE			 243
-#define SSL_R_UNKNOWN_CIPHER_RETURNED			 244
-#define SSL_R_UNKNOWN_CIPHER_TYPE			 245
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE			 246
-#define SSL_R_UNKNOWN_PKEY_TYPE				 247
-#define SSL_R_UNKNOWN_PROTOCOL				 248
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 249
-#define SSL_R_UNKNOWN_SSL_VERSION			 250
-#define SSL_R_UNKNOWN_STATE				 251
-#define SSL_R_UNSUPPORTED_CIPHER			 252
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 253
-#define SSL_R_UNSUPPORTED_PROTOCOL			 254
-#define SSL_R_UNSUPPORTED_SSL_VERSION			 255
-#define SSL_R_WRITE_BIO_NOT_SET				 256
-#define SSL_R_WRONG_CIPHER_RETURNED			 257
-#define SSL_R_WRONG_MESSAGE_TYPE			 258
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS			 259
-#define SSL_R_WRONG_SIGNATURE_LENGTH			 260
-#define SSL_R_WRONG_SIGNATURE_SIZE			 261
-#define SSL_R_WRONG_SSL_VERSION				 262
-#define SSL_R_WRONG_VERSION_NUMBER			 263
-#define SSL_R_X509_LIB					 264
+#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION	 226
+#define SSL_R_SSL_HANDSHAKE_FAILURE			 227
+#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS		 228
+#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT		 229
+#define SSL_R_TLSV1_ALERT_ACCESS_DENIED			 1049
+#define SSL_R_TLSV1_ALERT_DECODE_ERROR			 1050
+#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED		 1021
+#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR			 1051
+#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICION		 1060
+#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY		 1071
+#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR		 1080
+#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION		 1100
+#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION		 1070
+#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW		 1022
+#define SSL_R_TLSV1_ALERT_UNKNOWN_CA			 1048
+#define SSL_R_TLSV1_ALERT_USER_CANCLED			 1090
+#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER	 230
+#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231
+#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG	 232
+#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER		 233
+#define SSL_R_UNABLE_TO_DECODE_DH_CERTS			 234
+#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY		 235
+#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS		 236
+#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS	 237
+#define SSL_R_UNABLE_TO_FIND_SSL_METHOD			 238
+#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES		 239
+#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES		 240
+#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES		 241
+#define SSL_R_UNEXPECTED_MESSAGE			 242
+#define SSL_R_UNEXPECTED_RECORD				 243
+#define SSL_R_UNKNOWN_ALERT_TYPE			 244
+#define SSL_R_UNKNOWN_CERTIFICATE_TYPE			 245
+#define SSL_R_UNKNOWN_CIPHER_RETURNED			 246
+#define SSL_R_UNKNOWN_CIPHER_TYPE			 247
+#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE			 248
+#define SSL_R_UNKNOWN_PKEY_TYPE				 249
+#define SSL_R_UNKNOWN_PROTOCOL				 250
+#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 251
+#define SSL_R_UNKNOWN_SSL_VERSION			 252
+#define SSL_R_UNKNOWN_STATE				 253
+#define SSL_R_UNSUPPORTED_CIPHER			 254
+#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 255
+#define SSL_R_UNSUPPORTED_PROTOCOL			 256
+#define SSL_R_UNSUPPORTED_SSL_VERSION			 257
+#define SSL_R_WRITE_BIO_NOT_SET				 258
+#define SSL_R_WRONG_CIPHER_RETURNED			 259
+#define SSL_R_WRONG_MESSAGE_TYPE			 260
+#define SSL_R_WRONG_NUMBER_OF_KEY_BITS			 261
+#define SSL_R_WRONG_SIGNATURE_LENGTH			 262
+#define SSL_R_WRONG_SIGNATURE_SIZE			 263
+#define SSL_R_WRONG_SSL_VERSION				 264
+#define SSL_R_WRONG_VERSION_NUMBER			 265
+#define SSL_R_X509_LIB					 266
+#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 267
diff --git a/ssl/ssl.h b/ssl/ssl.h
index cf8f965..a308481 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -124,6 +124,7 @@
 #define SSL_TXT_EXPORT		"EXPORT"
 #define SSL_TXT_SSLV2		"SSLv2"
 #define SSL_TXT_SSLV3		"SSLv3"
+#define SSL_TXT_TLSV1		"TLSv1"
 #define SSL_TXT_ALL		"ALL"
 
 /* 'DEFAULT' at the start of the cipher list insert the following string
@@ -178,6 +179,7 @@
 	int (*ssl_write)();
 	int (*ssl_shutdown)();
 	int (*ssl_renegotiate)();
+	int (*ssl_renegotiate_check)();
 	long (*ssl_ctrl)();
 	long (*ssl_ctx_ctrl)();
 	SSL_CIPHER *(*get_cipher_by_char)();
@@ -190,11 +192,6 @@
 	struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
 	} SSL_METHOD;
 
-typedef struct ssl_compression_st
-	{
-	char *stuff;
-	} SSL_COMPRESSION;
-
 /* Lets make this into an ASN.1 type structure as follows
  * SSL_SESSION_ID ::= SEQUENCE {
  *	version 		INTEGER,	-- structure version number
@@ -206,6 +203,7 @@
  *	Time [ 1 ] EXPLICIT	INTEGER,	-- optional Start Time
  *	Timeout [ 2 ] EXPLICIT	INTEGER,	-- optional Timeout ins seconds
  *	Peer [ 3 ] EXPLICIT	X509,		-- optional Peer Certificate
+ *	Compression [4] IMPLICIT ASN1_OBJECT	-- compression OID XXXXX
  *	}
  * Look in ssl/ssl_asn1.c for more details
  * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
@@ -237,8 +235,11 @@
 	long timeout;
 	long time;
 
-	SSL_COMPRESSION *read_compression;
-	SSL_COMPRESSION *write_compression;
+#ifdef HEADER_COMP_H
+	COMP_CTX *compress_meth;
+#else
+	char *compress_meth;
+#endif
 
 	SSL_CIPHER *cipher;
 	unsigned long cipher_id;	/* when ASN.1 loaded, this
@@ -262,13 +263,17 @@
 #define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
 #define SSL_OP_TLS_D5_BUG				0x00000100L
-#define	SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L
+#define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L
 
 /* If set, only use tmp_dh parameters once */
 #define SSL_OP_SINGLE_DH_USE				0x00100000L
 /* Set to also use the tmp_rsa key when doing RSA operations. */
 #define SSL_OP_EPHEMERAL_RSA				0x00200000L
 
+/* The next flag deliberatly changes the ciphertest, this is a check
+ * for the PKCS#1 attack */
+#define SSL_OP_PKCS1_CHECK_1				0x08000000L
+#define SSL_OP_PKCS1_CHECK_2				0x10000000L
 #define SSL_OP_NETSCAPE_CA_DN_BUG			0x20000000L
 #define SSL_OP_NON_EXPORT_FIRST 			0x40000000L
 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG		0x80000000L
@@ -385,6 +390,8 @@
 	EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
 	EVP_MD *md5;	/* For SSLv3/TLSv1 'ssl3-md5' */
 	EVP_MD *sha1;   /* For SSLv3/TLSv1 'ssl3->sha1' */
+
+	STACK *extra_certs;
 	} SSL_CTX;
 
 #define SSL_SESS_CACHE_OFF			0x0000
@@ -512,11 +519,19 @@
 
 	EVP_CIPHER_CTX *enc_read_ctx;		/* cryptographic state */
 	EVP_MD *read_hash;			/* used for mac generation */
-	SSL_COMPRESSION *read_compression;	/* compression */
+#ifdef HEADER_COMP_H
+	COMP_CTX *expand;			/* uncompress */
+#else
+	char *expand;
+#endif
 
 	EVP_CIPHER_CTX *enc_write_ctx;		/* cryptographic state */
 	EVP_MD *write_hash;			/* used for mac generation */
-	SSL_COMPRESSION *write_compression;	/* compression */
+#ifdef HEADER_COMP_H
+	COMP_CTX *compress;			/* compression */
+#else
+	char *compress;	
+#endif
 
 	/* session info */
 
@@ -660,6 +675,7 @@
 		PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL)
 #endif
 
+#define SSL_AD_REASON_OFFSET		1000
 /* These alert types are for SSLv3 and TLSv1 */
 #define SSL_AD_CLOSE_NOTIFY		SSL3_AD_CLOSE_NOTIFY
 #define SSL_AD_UNEXPECTED_MESSAGE	SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
@@ -706,6 +722,9 @@
 #define SSL_CTRL_GET_NUM_RENEGOTIATIONS		8
 #define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS	9
 #define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS	10
+#define SSL_CTRL_GET_FLAGS			11
+
+#define SSL_CTRL_EXTRA_CHAIN_CERT		11
 
 #define SSL_session_reused(ssl) \
 	SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
@@ -724,14 +743,17 @@
 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
 
 /* For the next 2, the callbacks are 
- * RSA *tmp_rsa_cb(int export)
- * DH *tmp_dh_cb(int export)
+ * RSA *tmp_rsa_cb(SSL *ssl,int export)
+ * DH *tmp_dh_cb(SSL *ssl,int export)
  */
 #define SSL_CTX_set_tmp_rsa_callback(ctx,cb) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb)
 #define SSL_CTX_set_tmp_dh_callback(ctx,dh) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh)
 
+#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
+
 #ifndef NOPROTO
 
 #ifdef HEADER_BIO_H
@@ -944,6 +966,8 @@
 int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
 	int (*dup_func)(), void (*free_func)());
 
+int SSL_get_ex_data_X509_STORE_CTX_idx(void );
+
 #else
 
 BIO_METHOD *BIO_f_ssl();
@@ -1120,6 +1144,7 @@
 
 #ifdef this_is_for_mk1mf_pl
 EVP *SSL_get_privatekey();
+#endif
 
 void SSL_CTX_set_quiet_shutdown();
 int SSL_CTX_get_quiet_shutdown();
@@ -1133,7 +1158,7 @@
 SSL_SESSION *SSL_get_session();
 SSL_CTX *SSL_get_SSL_CTX();
 void SSL_set_info_callback();
-int (*SSL_get_info_callback())();
+void (*SSL_get_info_callback())();
 int SSL_state();
 void SSL_set_verify_result();
 long SSL_get_verify_result();
@@ -1150,7 +1175,9 @@
 char *SSL_CTX_get_ex_data();
 int SSL_CTX_get_ex_new_index();
 
-#endif
+int SSL_get_ex_data_X509_STORE_CTX_idx();
+
+/* #endif */
 
 #endif
 
@@ -1262,11 +1289,12 @@
 #define SSL_F_SSL_USE_RSAPRIVATEKEY			 201
 #define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1		 202
 #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE		 203
-#define SSL_F_SSL_WRITE					 204
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE			 205
-#define SSL_F_TLS1_ENC					 206
-#define SSL_F_TLS1_SETUP_KEY_BLOCK			 207
-#define SSL_F_WRITE_PENDING				 208
+#define SSL_F_SSL_VERIFY_CERT_CHAIN			 204
+#define SSL_F_SSL_WRITE					 205
+#define SSL_F_TLS1_CHANGE_CIPHER_STATE			 206
+#define SSL_F_TLS1_ENC					 207
+#define SSL_F_TLS1_SETUP_KEY_BLOCK			 208
+#define SSL_F_WRITE_PENDING				 209
 
 /* Reason codes. */
 #define SSL_R_APP_DATA_IN_HANDSHAKE			 100
@@ -1311,83 +1339,85 @@
 #define SSL_R_CIPHER_TABLE_SRC_ERROR			 139
 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG		 140
 #define SSL_R_COMPRESSION_FAILURE			 141
-#define SSL_R_CONNECTION_ID_IS_DIFFERENT		 142
-#define SSL_R_CONNECTION_TYPE_NOT_SET			 143
-#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED		 144
-#define SSL_R_DATA_LENGTH_TOO_LONG			 145
-#define SSL_R_DECRYPTION_FAILED				 146
-#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG		 147
-#define SSL_R_DIGEST_CHECK_FAILED			 148
-#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG			 149
-#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST		 150
-#define SSL_R_EXCESSIVE_MESSAGE_SIZE			 151
-#define SSL_R_EXTRA_DATA_IN_MESSAGE			 152
-#define SSL_R_GOT_A_FIN_BEFORE_A_CCS			 153
-#define SSL_R_HTTPS_PROXY_REQUEST			 154
-#define SSL_R_HTTP_REQUEST				 155
-#define SSL_R_INTERNAL_ERROR				 156
-#define SSL_R_INVALID_CHALLENGE_LENGTH			 157
-#define SSL_R_LENGTH_MISMATCH				 158
-#define SSL_R_LENGTH_TOO_SHORT				 159
-#define SSL_R_LIBRARY_HAS_NO_CIPHERS			 160
-#define SSL_R_MISSING_DH_DSA_CERT			 161
-#define SSL_R_MISSING_DH_KEY				 162
-#define SSL_R_MISSING_DH_RSA_CERT			 163
-#define SSL_R_MISSING_DSA_SIGNING_CERT			 164
-#define SSL_R_MISSING_EXPORT_TMP_DH_KEY			 165
-#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY		 166
-#define SSL_R_MISSING_RSA_CERTIFICATE			 167
-#define SSL_R_MISSING_RSA_ENCRYPTING_CERT		 168
-#define SSL_R_MISSING_RSA_SIGNING_CERT			 169
-#define SSL_R_MISSING_TMP_DH_KEY			 170
-#define SSL_R_MISSING_TMP_RSA_KEY			 171
-#define SSL_R_MISSING_TMP_RSA_PKEY			 172
-#define SSL_R_MISSING_VERIFY_MESSAGE			 173
-#define SSL_R_NON_SSLV2_INITIAL_PACKET			 174
-#define SSL_R_NO_CERTIFICATES_RETURNED			 175
-#define SSL_R_NO_CERTIFICATE_ASSIGNED			 176
-#define SSL_R_NO_CERTIFICATE_RETURNED			 177
-#define SSL_R_NO_CERTIFICATE_SET			 178
-#define SSL_R_NO_CERTIFICATE_SPECIFIED			 179
-#define SSL_R_NO_CIPHERS_AVAILABLE			 180
-#define SSL_R_NO_CIPHERS_PASSED				 181
-#define SSL_R_NO_CIPHERS_SPECIFIED			 182
-#define SSL_R_NO_CIPHER_LIST				 183
-#define SSL_R_NO_CIPHER_MATCH				 184
-#define SSL_R_NO_CLIENT_CERT_RECEIVED			 185
-#define SSL_R_NO_COMPRESSION_SPECIFIED			 186
-#define SSL_R_NO_PRIVATEKEY				 187
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED			 188
-#define SSL_R_NO_PROTOCOLS_AVAILABLE			 189
-#define SSL_R_NO_PUBLICKEY				 190
-#define SSL_R_NO_SHARED_CIPHER				 191
-#define SSL_R_NULL_SSL_CTX				 192
-#define SSL_R_NULL_SSL_METHOD_PASSED			 193
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 194
-#define SSL_R_PACKET_LENGTH_TOO_LONG			 195
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE		 196
-#define SSL_R_PEER_ERROR				 197
-#define SSL_R_PEER_ERROR_CERTIFICATE			 198
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE			 199
-#define SSL_R_PEER_ERROR_NO_CIPHER			 200
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE	 201
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG			 202
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS		 203
-#define SSL_R_PROTOCOL_IS_SHUTDOWN			 204
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR			 205
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA			 206
-#define SSL_R_PUBLIC_KEY_NOT_RSA			 207
-#define SSL_R_READ_BIO_NOT_SET				 208
-#define SSL_R_READ_WRONG_PACKET_TYPE			 209
-#define SSL_R_RECORD_LENGTH_MISMATCH			 210
-#define SSL_R_RECORD_TOO_LARGE				 211
-#define SSL_R_REQUIRED_CIPHER_MISSING			 212
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 213
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 214
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO		 215
-#define SSL_R_SHORT_READ				 216
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 217
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 218
+#define SSL_R_COMPRESSION_LIBRARY_ERROR			 142
+#define SSL_R_CONNECTION_ID_IS_DIFFERENT		 143
+#define SSL_R_CONNECTION_TYPE_NOT_SET			 144
+#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED		 145
+#define SSL_R_DATA_LENGTH_TOO_LONG			 146
+#define SSL_R_DECRYPTION_FAILED				 147
+#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG		 148
+#define SSL_R_DIGEST_CHECK_FAILED			 149
+#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG			 150
+#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST		 151
+#define SSL_R_EXCESSIVE_MESSAGE_SIZE			 152
+#define SSL_R_EXTRA_DATA_IN_MESSAGE			 153
+#define SSL_R_GOT_A_FIN_BEFORE_A_CCS			 154
+#define SSL_R_HTTPS_PROXY_REQUEST			 155
+#define SSL_R_HTTP_REQUEST				 156
+#define SSL_R_INTERNAL_ERROR				 157
+#define SSL_R_INVALID_CHALLENGE_LENGTH			 158
+#define SSL_R_LENGTH_MISMATCH				 159
+#define SSL_R_LENGTH_TOO_SHORT				 160
+#define SSL_R_LIBRARY_HAS_NO_CIPHERS			 161
+#define SSL_R_MISSING_DH_DSA_CERT			 162
+#define SSL_R_MISSING_DH_KEY				 163
+#define SSL_R_MISSING_DH_RSA_CERT			 164
+#define SSL_R_MISSING_DSA_SIGNING_CERT			 165
+#define SSL_R_MISSING_EXPORT_TMP_DH_KEY			 166
+#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY		 167
+#define SSL_R_MISSING_RSA_CERTIFICATE			 168
+#define SSL_R_MISSING_RSA_ENCRYPTING_CERT		 169
+#define SSL_R_MISSING_RSA_SIGNING_CERT			 170
+#define SSL_R_MISSING_TMP_DH_KEY			 171
+#define SSL_R_MISSING_TMP_RSA_KEY			 172
+#define SSL_R_MISSING_TMP_RSA_PKEY			 173
+#define SSL_R_MISSING_VERIFY_MESSAGE			 174
+#define SSL_R_NON_SSLV2_INITIAL_PACKET			 175
+#define SSL_R_NO_CERTIFICATES_RETURNED			 176
+#define SSL_R_NO_CERTIFICATE_ASSIGNED			 177
+#define SSL_R_NO_CERTIFICATE_RETURNED			 178
+#define SSL_R_NO_CERTIFICATE_SET			 179
+#define SSL_R_NO_CERTIFICATE_SPECIFIED			 180
+#define SSL_R_NO_CIPHERS_AVAILABLE			 181
+#define SSL_R_NO_CIPHERS_PASSED				 182
+#define SSL_R_NO_CIPHERS_SPECIFIED			 183
+#define SSL_R_NO_CIPHER_LIST				 184
+#define SSL_R_NO_CIPHER_MATCH				 185
+#define SSL_R_NO_CLIENT_CERT_RECEIVED			 186
+#define SSL_R_NO_COMPRESSION_SPECIFIED			 187
+#define SSL_R_NO_PRIVATEKEY				 188
+#define SSL_R_NO_PRIVATE_KEY_ASSIGNED			 189
+#define SSL_R_NO_PROTOCOLS_AVAILABLE			 190
+#define SSL_R_NO_PUBLICKEY				 191
+#define SSL_R_NO_SHARED_CIPHER				 192
+#define SSL_R_NO_VERIFY_CALLBACK			 193
+#define SSL_R_NULL_SSL_CTX				 194
+#define SSL_R_NULL_SSL_METHOD_PASSED			 195
+#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 196
+#define SSL_R_PACKET_LENGTH_TOO_LONG			 197
+#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE		 198
+#define SSL_R_PEER_ERROR				 199
+#define SSL_R_PEER_ERROR_CERTIFICATE			 200
+#define SSL_R_PEER_ERROR_NO_CERTIFICATE			 201
+#define SSL_R_PEER_ERROR_NO_CIPHER			 202
+#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE	 203
+#define SSL_R_PRE_MAC_LENGTH_TOO_LONG			 204
+#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS		 205
+#define SSL_R_PROTOCOL_IS_SHUTDOWN			 206
+#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR			 207
+#define SSL_R_PUBLIC_KEY_IS_NOT_RSA			 208
+#define SSL_R_PUBLIC_KEY_NOT_RSA			 209
+#define SSL_R_READ_BIO_NOT_SET				 210
+#define SSL_R_READ_WRONG_PACKET_TYPE			 211
+#define SSL_R_RECORD_LENGTH_MISMATCH			 212
+#define SSL_R_RECORD_TOO_LARGE				 213
+#define SSL_R_REQUIRED_CIPHER_MISSING			 214
+#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 215
+#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 216
+#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO		 217
+#define SSL_R_SHORT_READ				 218
+#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 219
+#define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 220
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED		 1045
@@ -1397,54 +1427,67 @@
 #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE		 1040
 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER		 1047
 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE		 1041
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE	 219
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE	 220
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER		 221
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 222
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE	 221
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE	 222
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER		 223
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE		 1010
-#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE	 223
+#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE	 225
 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE	 1043
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION	 224
-#define SSL_R_SSL_HANDSHAKE_FAILURE			 225
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS		 226
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT		 227
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER	 228
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 229
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG	 230
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER		 231
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS			 232
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY		 233
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS		 234
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS	 235
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD			 236
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES		 237
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES		 238
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES		 239
-#define SSL_R_UNEXPECTED_MESSAGE			 240
-#define SSL_R_UNEXPECTED_RECORD				 241
-#define SSL_R_UNKNOWN_ALERT_TYPE			 242
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE			 243
-#define SSL_R_UNKNOWN_CIPHER_RETURNED			 244
-#define SSL_R_UNKNOWN_CIPHER_TYPE			 245
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE			 246
-#define SSL_R_UNKNOWN_PKEY_TYPE				 247
-#define SSL_R_UNKNOWN_PROTOCOL				 248
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 249
-#define SSL_R_UNKNOWN_SSL_VERSION			 250
-#define SSL_R_UNKNOWN_STATE				 251
-#define SSL_R_UNSUPPORTED_CIPHER			 252
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 253
-#define SSL_R_UNSUPPORTED_PROTOCOL			 254
-#define SSL_R_UNSUPPORTED_SSL_VERSION			 255
-#define SSL_R_WRITE_BIO_NOT_SET				 256
-#define SSL_R_WRONG_CIPHER_RETURNED			 257
-#define SSL_R_WRONG_MESSAGE_TYPE			 258
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS			 259
-#define SSL_R_WRONG_SIGNATURE_LENGTH			 260
-#define SSL_R_WRONG_SIGNATURE_SIZE			 261
-#define SSL_R_WRONG_SSL_VERSION				 262
-#define SSL_R_WRONG_VERSION_NUMBER			 263
-#define SSL_R_X509_LIB					 264
+#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION	 226
+#define SSL_R_SSL_HANDSHAKE_FAILURE			 227
+#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS		 228
+#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT		 229
+#define SSL_R_TLSV1_ALERT_ACCESS_DENIED			 1049
+#define SSL_R_TLSV1_ALERT_DECODE_ERROR			 1050
+#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED		 1021
+#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR			 1051
+#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICION		 1060
+#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY		 1071
+#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR		 1080
+#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION		 1100
+#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION		 1070
+#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW		 1022
+#define SSL_R_TLSV1_ALERT_UNKNOWN_CA			 1048
+#define SSL_R_TLSV1_ALERT_USER_CANCLED			 1090
+#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER	 230
+#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231
+#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG	 232
+#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER		 233
+#define SSL_R_UNABLE_TO_DECODE_DH_CERTS			 234
+#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY		 235
+#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS		 236
+#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS	 237
+#define SSL_R_UNABLE_TO_FIND_SSL_METHOD			 238
+#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES		 239
+#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES		 240
+#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES		 241
+#define SSL_R_UNEXPECTED_MESSAGE			 242
+#define SSL_R_UNEXPECTED_RECORD				 243
+#define SSL_R_UNKNOWN_ALERT_TYPE			 244
+#define SSL_R_UNKNOWN_CERTIFICATE_TYPE			 245
+#define SSL_R_UNKNOWN_CIPHER_RETURNED			 246
+#define SSL_R_UNKNOWN_CIPHER_TYPE			 247
+#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE			 248
+#define SSL_R_UNKNOWN_PKEY_TYPE				 249
+#define SSL_R_UNKNOWN_PROTOCOL				 250
+#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 251
+#define SSL_R_UNKNOWN_SSL_VERSION			 252
+#define SSL_R_UNKNOWN_STATE				 253
+#define SSL_R_UNSUPPORTED_CIPHER			 254
+#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 255
+#define SSL_R_UNSUPPORTED_PROTOCOL			 256
+#define SSL_R_UNSUPPORTED_SSL_VERSION			 257
+#define SSL_R_WRITE_BIO_NOT_SET				 258
+#define SSL_R_WRONG_CIPHER_RETURNED			 259
+#define SSL_R_WRONG_MESSAGE_TYPE			 260
+#define SSL_R_WRONG_NUMBER_OF_KEY_BITS			 261
+#define SSL_R_WRONG_SIGNATURE_LENGTH			 262
+#define SSL_R_WRONG_SIGNATURE_SIZE			 263
+#define SSL_R_WRONG_SSL_VERSION				 264
+#define SSL_R_WRONG_VERSION_NUMBER			 265
+#define SSL_R_X509_LIB					 266
+#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 267
  
 #ifdef  __cplusplus
 }
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 95772ee..7c5c94d 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -208,7 +208,7 @@
 /*r */	unsigned int off;	/* read/write offset into 'buf' */
 /*rw*/	unsigned char *data;	/* pointer to the record data */
 /*rw*/	unsigned char *input;	/* where the decode bytes are */
-/*rw*/	unsigned char *comp;	/* only used with decompression */
+/*r */	unsigned char *comp;	/* only used with decompression - malloc()ed */
 	} SSL3_RECORD;
 
 typedef struct ssl3_buffer_st
@@ -220,10 +220,6 @@
 /*rw*/	unsigned char *buf;	/* SSL3_RT_MAX_PACKET_SIZE bytes */
 	} SSL3_BUFFER;
 
-typedef struct ssl3_compression_st {
-	int nothing;
-	} SSL3_COMPRESSION;
-
 #define SSL3_CT_RSA_SIGN			1
 #define SSL3_CT_DSS_SIGN			2
 #define SSL3_CT_RSA_FIXED_DH			3
@@ -236,7 +232,7 @@
 #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS	0x0001
 #define SSL3_FLAGS_DELAY_CLIENT_FINISHED	0x0002
 #define SSL3_FLAGS_POP_BUFFER			0x0004
-#define	TLS1_FLAGS_TLS_PADDING_BUG		0x0008
+#define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
 
 #if 0
 #define AD_CLOSE_NOTIFY			0
@@ -344,7 +340,11 @@
 
 		EVP_CIPHER *new_sym_enc;
 		EVP_MD *new_hash;
-		SSL_COMPRESSION *new_compression;
+#ifdef HEADER_COMP_H
+		COMP_METHOD *new_compression;
+#else
+		char *new_compression;
+#endif
 		int cert_request;
 		} tmp;
 	} SSL3_CTX;
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index 65f3a59..92ec322 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -82,12 +82,12 @@
 #endif
 #ifndef NO_MD5
 	EVP_add_digest(EVP_md5());
-	EVP_add_alias(SN_md5,"ssl2-md5");
-	EVP_add_alias(SN_md5,"ssl3-md5");
+	EVP_add_digest_alias(SN_md5,"ssl2-md5");
+	EVP_add_digest_alias(SN_md5,"ssl3-md5");
 #endif
 #ifndef NO_SHA1
 	EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
-	EVP_add_alias(SN_sha1,"ssl3-sha1");
+	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
 #endif
 #if !defined(NO_SHA1) && !defined(NO_DSA)
 	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index c1cb86e..783c079 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -62,6 +62,18 @@
 #include "pem.h"
 #include "ssl_locl.h"
 
+int SSL_get_ex_data_X509_STORE_CTX_idx()
+	{
+	static int ssl_x509_store_ctx_idx= -1;
+
+	if (ssl_x509_store_ctx_idx < 0)
+		{
+		ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
+			0,"SSL for verifiy callback",NULL,NULL,NULL);
+		}
+	return(ssl_x509_store_ctx_idx);
+	}
+
 CERT *ssl_cert_new()
 	{
 	CERT *ret;
@@ -150,15 +162,24 @@
 
 	x=(X509 *)sk_value(sk,0);
 	X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
-	X509_STORE_CTX_set_app_data(&ctx,(char *)s);
+	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),
+		(char *)s);
 
 	if (s->ctx->app_verify_callback != NULL)
 		i=s->ctx->app_verify_callback(&ctx);
 	else
+		{
+#ifndef NO_X509_VERIFY
 		i=X509_verify_cert(&ctx);
+#else
+		i=0;
+		ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
+		SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK);
+#endif
+		}
 
-	X509_STORE_CTX_cleanup(&ctx);
 	s->verify_result=ctx.error;
+	X509_STORE_CTX_cleanup(&ctx);
 
 	return(i);
 	}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 8209944..87e384f 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -145,6 +145,7 @@
 	{0,SSL_TXT_EXPORT,0,SSL_EXPORT,0,SSL_EXP_MASK},
 	{0,SSL_TXT_SSLV2,0,SSL_SSLV2,0,SSL_SSL_MASK},
 	{0,SSL_TXT_SSLV3,0,SSL_SSLV3,0,SSL_SSL_MASK},
+	{0,SSL_TXT_TLSV1,0,SSL_SSLV3,0,SSL_SSL_MASK},
 	{0,SSL_TXT_LOW,  0,SSL_LOW,0,SSL_STRONG_MASK},
 	{0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK},
 	{0,SSL_TXT_HIGH, 0,SSL_HIGH,0,SSL_STRONG_MASK},
@@ -208,7 +209,6 @@
 	case SSL_eNULL:
 		i=SSL_ENC_NULL_IDX;
 		break;
-		break;
 	default:
 		i= -1;
 		break;
diff --git a/ssl/ssl_comp.c b/ssl/ssl_comp.c
new file mode 100644
index 0000000..7724ff5
--- /dev/null
+++ b/ssl/ssl_comp.c
@@ -0,0 +1,580 @@
+/* ssl/ssl_comp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "ssl_locl.h"
+
+#ifndef NOPROTO
+static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
+static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
+#else
+static void SSL_SESSION_list_remove();
+static void SSL_SESSION_list_add();
+#endif
+
+static int ssl_session_num=0;
+static STACK *ssl_session_meth=NULL;
+
+SSL_SESSION *SSL_get_session(ssl)
+SSL *ssl;
+	{
+	return(ssl->session);
+	}
+
+int SSL_SESSION_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
+long argl;
+char *argp;
+int (*new_func)();
+int (*dup_func)();
+void (*free_func)();
+        {
+        ssl_session_num++;
+        return(CRYPTO_get_ex_new_index(ssl_session_num-1,
+		&ssl_session_meth,
+                argl,argp,new_func,dup_func,free_func));
+        }
+
+int SSL_SESSION_set_ex_data(s,idx,arg)
+SSL_SESSION *s;
+int idx;
+char *arg;
+	{
+	return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
+	}
+
+char *SSL_SESSION_get_ex_data(s,idx)
+SSL_SESSION *s;
+int idx;
+	{
+	return(CRYPTO_get_ex_data(&s->ex_data,idx));
+	}
+
+SSL_SESSION *SSL_SESSION_new()
+	{
+	SSL_SESSION *ss;
+
+	ss=(SSL_SESSION *)Malloc(sizeof(SSL_SESSION));
+	if (ss == NULL)
+		{
+		SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	memset(ss,0,sizeof(SSL_SESSION));
+
+	ss->references=1;
+	ss->timeout=60*5+4; /* 5 minute timeout by default */
+	ss->time=time(NULL);
+	ss->prev=NULL;
+	ss->next=NULL;
+	CRYPTO_new_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
+	return(ss);
+	}
+
+int ssl_get_new_session(s, session)
+SSL *s;
+int session;
+	{
+	SSL_SESSION *ss=NULL;
+
+	if ((ss=SSL_SESSION_new()) == NULL) return(0);
+
+	/* If the context has a default timeout, use it */
+	if (s->ctx->session_timeout != 0)
+		ss->timeout=SSL_get_default_timeout(s);
+
+	if (s->session != NULL)
+		{
+		SSL_SESSION_free(s->session);
+		s->session=NULL;
+		}
+
+	if (session)
+		{
+		if (s->version == SSL2_CLIENT_VERSION)
+			{
+			ss->ssl_version=SSL2_VERSION;
+			ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
+			}
+		else if (s->version == SSL3_VERSION)
+			{
+			ss->ssl_version=SSL3_VERSION;
+			ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+			}
+		else if (s->version == TLS1_VERSION)
+			{
+			ss->ssl_version=TLS1_VERSION;
+			ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+			}
+		else
+			{
+			SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
+			SSL_SESSION_free(ss);
+			return(0);
+			}
+
+		for (;;)
+			{
+			SSL_SESSION *r;
+
+			RAND_bytes(ss->session_id,ss->session_id_length);
+			CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
+			r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,
+				(char *)ss);
+			CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+			if (r == NULL) break;
+			/* else - woops a session_id match */
+			}
+		}
+	else
+		{
+		ss->session_id_length=0;
+		}
+
+	s->session=ss;
+	ss->ssl_version=s->version;
+
+	return(1);
+	}
+
+int ssl_get_prev_session(s,session_id,len)
+SSL *s;
+unsigned char *session_id;
+int len;
+	{
+	SSL_SESSION *ret=NULL,data;
+
+	/* conn_init();*/
+	data.ssl_version=s->version;
+	data.session_id_length=len;
+	if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
+		return(0);
+	memcpy(data.session_id,session_id,len);;
+
+	if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
+		{
+		CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
+		ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,(char *)&data);
+		CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+		}
+
+	if (ret == NULL)
+		{
+		int copy=1;
+
+		s->ctx->sess_miss++;
+		ret=NULL;
+		if ((s->ctx->get_session_cb != NULL) &&
+			((ret=s->ctx->get_session_cb(s,session_id,len,&copy))
+				!= NULL))
+			{
+			s->ctx->sess_cb_hit++;
+
+			/* The following should not return 1, otherwise,
+			 * things are very strange */
+			SSL_CTX_add_session(s->ctx,ret);
+			/* auto free it */
+			if (!copy)
+				SSL_SESSION_free(ret);
+			}
+		if (ret == NULL) return(0);
+		}
+
+	if (ret->cipher == NULL)
+		{
+		char buf[5],*p;
+		unsigned long l;
+
+		p=buf;
+		l=ret->cipher_id;
+		l2n(l,p);
+		if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR)
+			ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
+		else 
+			ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
+		if (ret->cipher == NULL)
+			return(0);
+		}
+
+	/* If a thread got the session, then 'swaped', and another got
+	 * it and then due to a time-out decided to 'Free' it we could
+	 * be in trouble.  So I'll increment it now, then double decrement
+	 * later - am I speaking rubbish?. */
+	CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
+
+	if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
+		{
+		s->ctx->sess_timeout++;
+		/* remove it from the cache */
+		SSL_CTX_remove_session(s->ctx,ret);
+		SSL_SESSION_free(ret);		/* again to actually Free it */
+		return(0);
+		}
+
+	s->ctx->sess_hit++;
+
+	/* ret->time=time(NULL); */ /* rezero timeout? */
+	/* again, just leave the session 
+	 * if it is the same session, we have just incremented and
+	 * then decremented the reference count :-) */
+	if (s->session != NULL)
+		SSL_SESSION_free(s->session);
+	s->session=ret;
+	return(1);
+	}
+
+int SSL_CTX_add_session(ctx,c)
+SSL_CTX *ctx;
+SSL_SESSION *c;
+	{
+	int ret=0;
+	SSL_SESSION *s;
+
+	/* conn_init(); */
+	CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
+
+	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+	s=(SSL_SESSION *)lh_insert(ctx->sessions,(char *)c);
+	
+	/* Put on the end of the queue unless it is already in the cache */
+	if (s == NULL)
+		SSL_SESSION_list_add(ctx,c);
+
+	/* If the same session if is being 're-added', Free the old
+	 * one when the last person stops using it.
+	 * This will also work if it is alread in the cache.
+	 * The references will go up and then down :-) */
+	if (s != NULL)
+		{
+		SSL_SESSION_free(s);
+		ret=0;
+		}
+	else
+		{
+		ret=1;
+
+		if (SSL_CTX_sess_get_cache_size(ctx) > 0)
+			{
+			while (SSL_CTX_sess_number(ctx) >
+				SSL_CTX_sess_get_cache_size(ctx))
+				{
+				if (!SSL_CTX_remove_session(ctx,
+					ctx->session_cache_tail))
+					break;
+				else
+					ctx->sess_cache_full++;
+				}
+			}
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+	return(ret);
+	}
+
+int SSL_CTX_remove_session(ctx,c)
+SSL_CTX *ctx;
+SSL_SESSION *c;
+	{
+	SSL_SESSION *r;
+	int ret=0;
+
+	if ((c != NULL) && (c->session_id_length != 0))
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+		r=(SSL_SESSION *)lh_delete(ctx->sessions,(char *)c);
+		if (r != NULL)
+			{
+			ret=1;
+			SSL_SESSION_list_remove(ctx,c);
+			}
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+
+		if (ret)
+			{
+			r->not_resumable=1;
+			if (ctx->remove_session_cb != NULL)
+				ctx->remove_session_cb(ctx,r);
+			SSL_SESSION_free(r);
+			}
+		}
+	else
+		ret=0;
+	return(ret);
+	}
+
+void SSL_SESSION_free(ss)
+SSL_SESSION *ss;
+	{
+	int i;
+
+	i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
+#ifdef REF_PRINT
+	REF_PRINT("SSL_SESSION",ss);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"SSL_SESSION_free, bad reference count\n");
+		abort(); /* ok */
+		}
+#endif
+
+	CRYPTO_free_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
+
+	memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
+	memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
+	memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH);
+	if (ss->cert != NULL) ssl_cert_free(ss->cert);
+	if (ss->peer != NULL) X509_free(ss->peer);
+	if (ss->ciphers != NULL) sk_free(ss->ciphers);
+	memset(ss,0,sizeof(*ss));
+	Free(ss);
+	}
+
+int SSL_set_session(s, session)
+SSL *s;
+SSL_SESSION *session;
+	{
+	int ret=0;
+	SSL_METHOD *meth;
+
+	if (session != NULL)
+		{
+		meth=s->ctx->method->get_ssl_method(session->ssl_version);
+		if (meth == NULL)
+			meth=s->method->get_ssl_method(session->ssl_version);
+		if (meth == NULL)
+			{
+			SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD);
+			return(0);
+			}
+
+		if (meth != s->method)
+			{
+			if (!SSL_set_ssl_method(s,meth))
+				return(0);
+			session->timeout=SSL_get_default_timeout(s);
+			}
+
+		/* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
+		CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
+		if (s->session != NULL)
+			SSL_SESSION_free(s->session);
+		s->session=session;
+		/* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
+		ret=1;
+		}
+	else
+		{
+		if (s->session != NULL)
+			{
+			SSL_SESSION_free(s->session);
+			s->session=NULL;
+			}
+		}
+	return(ret);
+	}
+
+long SSL_SESSION_set_timeout(s,t)
+SSL_SESSION *s;
+long t;
+	{
+	if (s == NULL) return(0);
+	s->timeout=t;
+	return(1);
+	}
+
+long SSL_SESSION_get_timeout(s)
+SSL_SESSION *s;
+	{
+	if (s == NULL) return(0);
+	return(s->timeout);
+	}
+
+long SSL_SESSION_get_time(s)
+SSL_SESSION *s;
+	{
+	if (s == NULL) return(0);
+	return(s->time);
+	}
+
+long SSL_SESSION_set_time(s,t)
+SSL_SESSION *s;
+long t;
+	{
+	if (s == NULL) return(0);
+	s->time=t;
+	return(t);
+	}
+
+typedef struct timeout_param_st
+	{
+	SSL_CTX *ctx;
+	long time;
+	LHASH *cache;
+	} TIMEOUT_PARAM;
+
+static void timeout(s,p)
+SSL_SESSION *s;
+TIMEOUT_PARAM *p;
+	{
+	if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
+		{
+		/* The reason we don't call SSL_CTX_remove_session() is to
+		 * save on locking overhead */
+		lh_delete(p->cache,(char *)s);
+		SSL_SESSION_list_remove(p->ctx,s);
+		s->not_resumable=1;
+		if (p->ctx->remove_session_cb != NULL)
+			p->ctx->remove_session_cb(p->ctx,s);
+		SSL_SESSION_free(s);
+		}
+	}
+
+void SSL_CTX_flush_sessions(s,t)
+SSL_CTX *s;
+long t;
+	{
+	unsigned long i;
+	TIMEOUT_PARAM tp;
+
+	tp.ctx=s;
+	tp.cache=SSL_CTX_sessions(s);
+	if (tp.cache == NULL) return;
+	tp.time=t;
+	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+	i=tp.cache->down_load;
+	tp.cache->down_load=0;
+	lh_doall_arg(tp.cache,(void (*)())timeout,(char *)&tp);
+	tp.cache->down_load=i;
+	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+	}
+
+int ssl_clear_bad_session(s)
+SSL *s;
+	{
+	if (	(s->session != NULL) &&
+		!(s->shutdown & SSL_SENT_SHUTDOWN) &&
+		!(SSL_in_init(s) || SSL_in_before(s)))
+		{
+		SSL_CTX_remove_session(s->ctx,s->session);
+		return(1);
+		}
+	else
+		return(0);
+	}
+
+/* locked by SSL_CTX in the calling function */
+static void SSL_SESSION_list_remove(ctx,s)
+SSL_CTX *ctx;
+SSL_SESSION *s;
+	{
+	if ((s->next == NULL) || (s->prev == NULL)) return;
+
+	if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
+		{ /* last element in list */
+		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
+			{ /* only one element in list */
+			ctx->session_cache_head=NULL;
+			ctx->session_cache_tail=NULL;
+			}
+		else
+			{
+			ctx->session_cache_tail=s->prev;
+			s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
+			}
+		}
+	else
+		{
+		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
+			{ /* first element in list */
+			ctx->session_cache_head=s->next;
+			s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
+			}
+		else
+			{ /* middle of list */
+			s->next->prev=s->prev;
+			s->prev->next=s->next;
+			}
+		}
+	s->prev=s->next=NULL;
+	}
+
+static void SSL_SESSION_list_add(ctx,s)
+SSL_CTX *ctx;
+SSL_SESSION *s;
+	{
+	if ((s->next != NULL) && (s->prev != NULL))
+		SSL_SESSION_list_remove(ctx,s);
+
+	if (ctx->session_cache_head == NULL)
+		{
+		ctx->session_cache_head=s;
+		ctx->session_cache_tail=s;
+		s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
+		s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
+		}
+	else
+		{
+		s->next=ctx->session_cache_head;
+		s->next->prev=s;
+		s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
+		ctx->session_cache_head=s;
+		}
+	}
+
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index bcbb985..847f0f3 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -167,6 +167,7 @@
 {ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY,0),	"SSL_use_RSAPrivateKey"},
 {ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,0),	"SSL_use_RSAPrivateKey_ASN1"},
 {ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,0),	"SSL_use_RSAPrivateKey_file"},
+{ERR_PACK(0,SSL_F_SSL_VERIFY_CERT_CHAIN,0),	"SSL_VERIFY_CERT_CHAIN"},
 {ERR_PACK(0,SSL_F_SSL_WRITE,0),	"SSL_write"},
 {ERR_PACK(0,SSL_F_TLS1_CHANGE_CIPHER_STATE,0),	"TLS1_CHANGE_CIPHER_STATE"},
 {ERR_PACK(0,SSL_F_TLS1_ENC,0),	"TLS1_ENC"},
@@ -219,6 +220,7 @@
 {SSL_R_CIPHER_TABLE_SRC_ERROR            ,"cipher table src error"},
 {SSL_R_COMPRESSED_LENGTH_TOO_LONG        ,"compressed length too long"},
 {SSL_R_COMPRESSION_FAILURE               ,"compression failure"},
+{SSL_R_COMPRESSION_LIBRARY_ERROR         ,"compression library error"},
 {SSL_R_CONNECTION_ID_IS_DIFFERENT        ,"connection id is different"},
 {SSL_R_CONNECTION_TYPE_NOT_SET           ,"connection type not set"},
 {SSL_R_DATA_BETWEEN_CCS_AND_FINISHED     ,"data between ccs and finished"},
@@ -269,6 +271,7 @@
 {SSL_R_NO_PROTOCOLS_AVAILABLE            ,"no protocols available"},
 {SSL_R_NO_PUBLICKEY                      ,"no publickey"},
 {SSL_R_NO_SHARED_CIPHER                  ,"no shared cipher"},
+{SSL_R_NO_VERIFY_CALLBACK                ,"no verify callback"},
 {SSL_R_NULL_SSL_CTX                      ,"null ssl ctx"},
 {SSL_R_NULL_SSL_METHOD_PASSED            ,"null ssl method passed"},
 {SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED   ,"old session cipher not returned"},
@@ -316,6 +319,18 @@
 {SSL_R_SSL_HANDSHAKE_FAILURE             ,"ssl handshake failure"},
 {SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS        ,"ssl library has no ciphers"},
 {SSL_R_SSL_SESSION_ID_IS_DIFFERENT       ,"ssl session id is different"},
+{SSL_R_TLSV1_ALERT_ACCESS_DENIED         ,"tlsv1 alert access denied"},
+{SSL_R_TLSV1_ALERT_DECODE_ERROR          ,"tlsv1 alert decode error"},
+{SSL_R_TLSV1_ALERT_DECRYPTION_FAILED     ,"tlsv1 alert decryption failed"},
+{SSL_R_TLSV1_ALERT_DECRYPT_ERROR         ,"tlsv1 alert decrypt error"},
+{SSL_R_TLSV1_ALERT_EXPORT_RESTRICION     ,"tlsv1 alert export restricion"},
+{SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY ,"tlsv1 alert insufficient security"},
+{SSL_R_TLSV1_ALERT_INTERNAL_ERROR        ,"tlsv1 alert internal error"},
+{SSL_R_TLSV1_ALERT_NO_RENEGOTIATION      ,"tlsv1 alert no renegotiation"},
+{SSL_R_TLSV1_ALERT_PROTOCOL_VERSION      ,"tlsv1 alert protocol version"},
+{SSL_R_TLSV1_ALERT_RECORD_OVERFLOW       ,"tlsv1 alert record overflow"},
+{SSL_R_TLSV1_ALERT_UNKNOWN_CA            ,"tlsv1 alert unknown ca"},
+{SSL_R_TLSV1_ALERT_USER_CANCLED          ,"tlsv1 alert user cancled"},
 {SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER,"tls client cert req with anon cipher"},
 {SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST,"tls peer did not respond with certificate list"},
 {SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG,"tls rsa encrypted value length is wrong"},
@@ -353,6 +368,7 @@
 {SSL_R_WRONG_SSL_VERSION                 ,"wrong ssl version"},
 {SSL_R_WRONG_VERSION_NUMBER              ,"wrong version number"},
 {SSL_R_X509_LIB                          ,"x509 lib"},
+{SSL_R_X509_VERIFICATION_SETUP_PROBLEMS  ,"x509 verification setup problems"},
 {0,NULL},
 	};
 
@@ -362,8 +378,8 @@
 	{
 	static int init=1;
 
-	if (init);
-		{;
+	if (init)
+		{
 		init=0;
 #ifndef NO_ERR
 		ERR_load_strings(ERR_LIB_SSL,SSL_str_functs);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index f562ec6..b163398 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -61,7 +61,7 @@
 #include "lhash.h"
 #include "ssl_locl.h"
 
-char *SSL_version_str="SSLeay 0.9.0b 29-Jun-1998";
+char *SSL_version_str="SSLeay 0.9.1a 06-Jul-1998";
 
 static STACK *ssl_meth=NULL;
 static STACK *ssl_ctx_meth=NULL;
@@ -248,6 +248,11 @@
 
 	ssl_clear_cipher_ctx(s);
 
+	if (s->expand != NULL)
+		COMP_CTX_free(s->expand);
+	if (s->compress != NULL)
+		COMP_CTX_free(s->compress);
+
 	if (s->cert != NULL) ssl_cert_free(s->cert);
 	/* Free up if allocated */
 
@@ -839,8 +844,11 @@
 	{
 	unsigned long l;
 
-	l=      (a->session_id[0]     )|(a->session_id[1]<< 8L)|
-		(a->session_id[2]<<16L)|(a->session_id[3]<<24L);
+	l=(unsigned long)
+		((unsigned int) a->session_id[0]     )|
+		((unsigned int) a->session_id[1]<< 8L)|
+		((unsigned long)a->session_id[2]<<16L)|
+		((unsigned long)a->session_id[3]<<24L);
 	return(l);
 	}
 
@@ -858,13 +866,19 @@
 SSL_CTX *SSL_CTX_new(meth)
 SSL_METHOD *meth;
 	{
-	SSL_CTX *ret;
+	SSL_CTX *ret=NULL;
 	
 	if (meth == NULL)
 		{
 		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
 		return(NULL);
 		}
+
+	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
+		{
+		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
+		goto err;
+		}
 	ret=(SSL_CTX *)Malloc(sizeof(SSL_CTX));
 	if (ret == NULL)
 		goto err;
@@ -956,6 +970,8 @@
 
 	CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data);
 
+	ret->extra_certs=NULL;
+
 	return(ret);
 err:
 	SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
@@ -1000,6 +1016,8 @@
 		ssl_cert_free(a->default_cert);
 	if (a->client_CA != NULL)
 		sk_pop_free(a->client_CA,X509_NAME_free);
+	if (a->extra_certs != NULL)
+		sk_pop_free(a->extra_certs,X509_free);
 	Free((char *)a);
 	}
 
@@ -1341,7 +1359,9 @@
 		SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
 		return(-1);
 		}
-	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
+
+	s->method->ssl_renegotiate_check(s);
+
 	if (SSL_in_init(s) || SSL_in_before(s))
 		{
 		ret=s->handshake_func(s);
@@ -1615,6 +1635,7 @@
 	return(ssl->ctx);
 	}
 
+#ifndef NO_STDIO
 int SSL_CTX_set_default_verify_paths(ctx)
 SSL_CTX *ctx;
 	{
@@ -1628,6 +1649,7 @@
 	{
 	return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
 	}
+#endif
 
 void SSL_set_info_callback(ssl,cb)
 SSL *ssl;
@@ -1639,7 +1661,7 @@
 void (*SSL_get_info_callback(ssl))()
 SSL *ssl;
 	{
-	return(ssl->info_callback);
+	return((void (*)())ssl->info_callback);
 	}
 
 int SSL_state(ssl)
@@ -1715,6 +1737,12 @@
 	return(CRYPTO_get_ex_data(&s->ex_data,idx));
 	}
 
+int ssl_ok(s)
+SSL *s;
+	{
+	return(1);
+	}
+
 #if defined(_WINDLL) && defined(WIN16)
 #include "../crypto/bio/bss_file.c"
 #endif
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index b295170..71d4c08 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -66,6 +66,7 @@
 #include "e_os.h"
 
 #include "buffer.h"
+#include "comp.h"
 #include "bio.h"
 #include "crypto.h"
 #include "evp.h"
@@ -74,6 +75,7 @@
 #include "err.h"
 #include "ssl.h"
 
+#define PKCS1_CHECK
 
 #define c2l(c,l)	(l = ((unsigned long)(*((c)++)))     , \
 			 l|=(((unsigned long)(*((c)++)))<< 8), \
@@ -126,18 +128,18 @@
 				} \
 			}
 
-#define n2s(c,s)	(s =((unsigned int)(*((c)++)))<< 8, \
-			 s|=((unsigned int)(*((c)++))))
-#define s2n(s,c)	(*((c)++)=(unsigned char)(((s)>> 8)&0xff), \
-			 *((c)++)=(unsigned char)(((s)    )&0xff))
+#define n2s(c,s)	((s=(((unsigned int)(c[0]))<< 8)| \
+			    (((unsigned int)(c[1]))    )),c+=2)
+#define s2n(s,c)	((c[0]=(unsigned char)(((s)>> 8)&0xff), \
+			  c[1]=(unsigned char)(((s)    )&0xff)),c+=2)
 
-#define n2l3(c,l)	(l =((unsigned long)(*((c)++)))<<16, \
-			 l|=((unsigned long)(*((c)++)))<< 8, \
-			 l|=((unsigned long)(*((c)++))))
+#define n2l3(c,l)	((l =(((unsigned long)(c[0]))<<16)| \
+			     (((unsigned long)(c[1]))<< 8)| \
+			     (((unsigned long)(c[2]))    )),c+=3)
 
-#define l2n3(l,c)	(*((c)++)=(unsigned char)(((l)>>16)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-			 *((c)++)=(unsigned char)(((l)    )&0xff))
+#define l2n3(l,c)	((c[0]=(unsigned char)(((l)>>16)&0xff), \
+			  c[1]=(unsigned char)(((l)>> 8)&0xff), \
+			  c[2]=(unsigned char)(((l)    )&0xff)),c+=3)
 
 /* LOCAL STUFF */
 
@@ -313,6 +315,14 @@
 	int (*alert_value)();
 	} SSL3_ENC_METHOD;
 
+/* Used for holding the relevent compression methods loaded into SSL_CTX */
+typedef struct ssl3_comp_st
+	{
+	int comp_id;	/* The identifer byte for this compression type */
+	char *name;	/* Text name used for the compression type */
+	COMP_METHOD *method; /* The method :-) */
+	} SSL3_COMP;
+
 extern SSL3_ENC_METHOD ssl3_undef_enc_method;
 extern SSL_CIPHER ssl2_ciphers[];
 extern SSL_CIPHER ssl3_ciphers[];
@@ -431,7 +441,6 @@
 long tls1_ctrl(SSL *s,int cmd, long larg, char *parg);
 SSL_METHOD *tlsv1_base_method(void );
 
-
 int ssl_init_wbio_buffer(SSL *s, int push);
 
 int tls1_change_cipher_state(SSL *s, int which);
@@ -445,6 +454,7 @@
 	unsigned char *p, int len);
 int tls1_alert_code(int code);
 int ssl3_alert_code(int code);
+int ssl_ok(SSL *s);
 
 
 #else
@@ -556,3 +566,19 @@
 #endif
 
 #endif
+int ssl3_cert_verify_mac();
+int ssl3_alert_code();
+int tls1_new();
+void tls1_free();
+void tls1_clear();
+long tls1_ctrl();
+SSL_METHOD *tlsv1_base_method();
+int tls1_change_cipher_state();
+int tls1_setup_key_block();
+int tls1_enc();
+int tls1_final_finish_mac();
+int tls1_cert_verify_mac();
+int tls1_mac();
+int tls1_generate_master_secret();
+int tls1_alert_code();
+int ssl_ok();
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 140475e..a8a62f1 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -229,6 +229,10 @@
 
 	if (c->pkeys[i].x509 != NULL)
 		{
+		EVP_PKEY_copy_parameters(
+			X509_get_pubkey(c->pkeys[i].x509),pkey);
+		ERR_clear_error();
+
 #ifndef NO_RSA
 		/* Don't check the public/private key, this is mostly
 		 * for smart cards. */
@@ -504,6 +508,19 @@
 
 	if (c->pkeys[i].privatekey != NULL)
 		{
+		EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
+		ERR_clear_error();
+
+#ifndef NO_RSA
+		/* Don't check the public/private key, this is mostly
+		 * for smart cards. */
+		if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
+			(RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
+			 RSA_METHOD_FLAG_NO_CHECK))
+			 ok=1;
+		else
+#endif
+		{
 		if (!X509_check_private_key(x,c->pkeys[i].privatekey))
 			{
 			if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
@@ -527,6 +544,7 @@
 			}
 		else
 			ok=1;
+		} /* NO_RSA */
 		}
 	else
 		ok=1;
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 8212600..d4978a7 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -69,7 +69,7 @@
 static void SSL_SESSION_list_add();
 #endif
 
-static ssl_session_num=0;
+static int ssl_session_num=0;
 static STACK *ssl_session_meth=NULL;
 
 SSL_SESSION *SSL_get_session(ssl)
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index f9dca4e..ff68691 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -361,6 +361,7 @@
 
 	if (bio_stdout != NULL) BIO_free(bio_stdout);
 
+	ERR_free_strings();
 	ERR_remove_state(0);
 	EVP_cleanup();
 	CRYPTO_mem_leaks(bio_err);
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index fbdd3bf..893c0bc 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -155,7 +155,7 @@
 	memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
 	p+=SSL3_RANDOM_SIZE;
 
-	tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,
+	tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
 		s->session->master_key,s->session->master_key_length,
 		km,tmp,num);
 	}
@@ -175,7 +175,7 @@
 	int client_write;
 	EVP_CIPHER_CTX *dd;
 	EVP_CIPHER *c;
-	SSL_COMPRESSION *comp;
+	COMP_METHOD *comp;
 	EVP_MD *m;
 	int exp,n,i,j,k,exp_label_len;
 
@@ -193,7 +193,24 @@
 			goto err;
 		dd= s->enc_read_ctx;
 		s->read_hash=m;
-		s->read_compression=comp;
+		if (s->expand != NULL)
+			{
+			COMP_CTX_free(s->expand);
+			s->expand=NULL;
+			}
+		if (comp != NULL)
+			{
+			s->expand=COMP_CTX_new(comp);
+			if (s->expand == NULL)
+				{
+				SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+				goto err2;
+				}
+			s->s3->rrec.comp=(unsigned char *)
+				Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
+			if (s->s3->rrec.comp == NULL)
+				goto err;
+			}
 		memset(&(s->s3->read_sequence[0]),0,8);
 		mac_secret= &(s->s3->read_mac_secret[0]);
 		}
@@ -205,7 +222,20 @@
 			goto err;
 		dd= s->enc_write_ctx;
 		s->write_hash=m;
-		s->write_compression=comp;
+		if (s->compress != NULL)
+			{
+			COMP_CTX_free(s->compress);
+			s->compress=NULL;
+			}
+		if (comp != NULL)
+			{
+			s->compress=COMP_CTX_new(comp);
+			if (s->compress == NULL)
+				{
+				SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+				goto err2;
+				}
+			}
 		memset(&(s->s3->write_sequence[0]),0,8);
 		mac_secret= &(s->s3->write_mac_secret[0]);
 		}
@@ -262,7 +292,7 @@
 		p+=SSL3_RANDOM_SIZE;
 		memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
 		p+=SSL3_RANDOM_SIZE;
-		tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,key,j,
+		tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j,
 			tmp1,tmp2,EVP_CIPHER_key_length(c));
 		key=tmp1;
 
@@ -277,7 +307,7 @@
 			memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
 			p+=SSL3_RANDOM_SIZE;
 			tls1_PRF(s->ctx->md5,s->ctx->sha1,
-				buf,p-buf,"",0,iv1,iv2,k*2);
+				buf,(int)(p-buf),"",0,iv1,iv2,k*2);
 			if (client_write)
 				iv=iv1;
 			else
@@ -374,7 +404,6 @@
 	unsigned long l;
 	int bs,i,ii,j,k,n=0;
 	EVP_CIPHER *enc;
-	SSL_COMPRESSION *comp;
 
 	if (send)
 		{
@@ -383,12 +412,9 @@
 		ds=s->enc_write_ctx;
 		rec= &(s->s3->wrec);
 		if (s->enc_write_ctx == NULL)
-			{ enc=NULL; comp=NULL; }
+			enc=NULL;
 		else
-			{
 			enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
-			comp=s->write_compression;
-			}
 		}
 	else
 		{
@@ -397,16 +423,13 @@
 		ds=s->enc_read_ctx;
 		rec= &(s->s3->rrec);
 		if (s->enc_read_ctx == NULL)
-			{ enc=NULL; comp=NULL; }
+			enc=NULL;
 		else
-			{
 			enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
-			comp=s->read_compression;
-			}
 		}
 
 	if ((s->session == NULL) || (ds == NULL) ||
-		((enc == NULL) && (comp == NULL)))
+		(enc == NULL))
 		{
 		memcpy(rec->data,rec->input,rec->length);
 		rec->input=rec->data;
@@ -507,7 +530,7 @@
 	EVP_DigestFinal(&ctx,q,&i);
 	q+=i;
 
-	tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,q-buf,
+	tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
 		s->session->master_key,s->session->master_key_length,
 		out,buf2,12);
 	memset(&ctx,0,sizeof(EVP_MD_CTX));
@@ -560,20 +583,20 @@
 
 #ifdef TLS_DEBUG
 printf("sec=");
-{int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
+{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
 printf("seq=");
 {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
 printf("buf=");
 {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
 printf("rec=");
-{int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
+{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
 #endif
 
 	for (i=7; i>=0; i--)
 		if (++seq[i]) break; 
 
 #ifdef TLS_DEBUG
-{int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
+{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
 #endif
 	return(md_size);
 	}
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index f9fbfa4..2a319cd 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -60,7 +60,7 @@
 #include "objects.h"
 #include "ssl_locl.h"
 
-char *tls1_version_str="TLSv1 part of SSLeay 0.9.0b 29-Jun-1998";
+char *tls1_version_str="TLSv1 part of SSLeay 0.9.1a 06-Jul-1998";
 
 #ifndef NO_PROTO
 static long tls1_default_timeout(void);
@@ -94,6 +94,7 @@
 	ssl3_write,
 	ssl3_shutdown,
 	ssl3_renegotiate,
+	ssl3_renegotiate_check,
 	ssl3_ctrl,
 	ssl3_ctx_ctrl,
 	ssl3_get_cipher_by_char,