From f9b0b45238851e8e0904408838a0b05ca1ee99b9 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 22 Dec 2011 15:14:32 +0000
Subject: [PATCH] New ctrl values to clear or retrieve extra chain certs from
 an SSL_CTX. New function to retrieve compression method from SSL_SESSION
 structure.

Delete SSL_SESSION_get_id_len and SSL_SESSION_get0_id functions
as they duplicate functionality of SSL_SESSION_get_id. Note: these functions
have never appeared in any release version of OpenSSL.
---
 apps/s_server.c |  9 +++++----
 ssl/s3_lib.c    | 12 ++++++++++++
 ssl/ssl.h       | 10 ++++++++--
 ssl/ssl_sess.c  | 15 +++++----------
 4 files changed, 30 insertions(+), 16 deletions(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index 59e16ec348..4e9d420c44 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -3002,10 +3002,10 @@ static int add_session(SSL *ssl, SSL_SESSION *session)
 
 	sess = OPENSSL_malloc(sizeof(simple_ssl_session));
 
-	sess->idlen = SSL_SESSION_get_id_len(session);
+	SSL_SESSION_get_id(session, &sess->idlen);
 	sess->derlen = i2d_SSL_SESSION(session, NULL);
 
-	sess->id = BUF_memdup(SSL_SESSION_get0_id(session), sess->idlen);
+	sess->id = BUF_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen);
 
 	sess->der = OPENSSL_malloc(sess->derlen);
 	p = sess->der;
@@ -3038,8 +3038,9 @@ static SSL_SESSION *get_session(SSL *ssl, unsigned char *id, int idlen,
 static void del_session(SSL_CTX *sctx, SSL_SESSION *session)
 	{
 	simple_ssl_session *sess, *prev = NULL;
-	const unsigned char *id = SSL_SESSION_get0_id(session);
-	unsigned int idlen = SSL_SESSION_get_id_len(session);
+	const unsigned char *id;
+	unsigned int idlen;
+	id = SSL_SESSION_get_id(session, &idlen);	
 	for (sess = first; sess; sess = sess->next)
 		{
 		if (idlen == sess->idlen && !memcmp(sess->id, id, idlen))
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 972e7923cc..1b0bdb83e6 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3609,6 +3609,18 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 		sk_X509_push(ctx->extra_certs,(X509 *)parg);
 		break;
 
+	case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
+		*(STACK_OF(X509) **)parg =  ctx->extra_certs;
+		break;
+
+	case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
+		if (ctx->extra_certs)
+			{
+			sk_X509_pop_free(ctx->extra_certs, X509_free);
+			ctx->extra_certs = NULL;
+			}
+		break;
+
 	default:
 		return(0);
 		}
diff --git a/ssl/ssl.h b/ssl/ssl.h
index e7b6bc555b..e781015ccc 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1595,6 +1595,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_CLEAR_MODE			78
 #define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB	79
 
+#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS		82
+#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS	83
+
 #define DTLSv1_get_timeout(ssl, arg) \
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
 #define DTLSv1_handle_timeout(ssl) \
@@ -1631,6 +1634,10 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 
 #define SSL_CTX_add_extra_chain_cert(ctx,x509) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
+#define SSL_CTX_get_extra_chain_cert(ctx,px509) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERT,0,px509)
+#define SSL_CTX_clear_extra_chain_cert(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERT,0,NULL)
 
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
@@ -1724,8 +1731,6 @@ long	SSL_SESSION_set_time(SSL_SESSION *s, long t);
 long	SSL_SESSION_get_timeout(const SSL_SESSION *s);
 long	SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
 void	SSL_copy_session_id(SSL *to,const SSL *from);
-unsigned int SSL_SESSION_get_id_len(SSL_SESSION *s);
-const unsigned char *SSL_SESSION_get0_id(SSL_SESSION *s);
 X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
 int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
 			       unsigned int sid_ctx_len);
@@ -1733,6 +1738,7 @@ int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
 SSL_SESSION *SSL_SESSION_new(void);
 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
 					unsigned int *len);
+unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
 #ifndef OPENSSL_NO_FP_API
 int	SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
 #endif
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 74e8f7b99d..05e4fb9fda 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -231,6 +231,11 @@ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
 	return s->session_id;
 	}
 
+unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s)
+	{
+	return s->compress_meth;
+	}
+
 /* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
  * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
  * until we have no conflict is going to complete in one iteration pretty much
@@ -862,16 +867,6 @@ long SSL_SESSION_set_time(SSL_SESSION *s, long t)
 	return(t);
 	}
 
-unsigned int SSL_SESSION_get_id_len(SSL_SESSION *s)
-	{
-	return s->session_id_length;
-	}
-
-const unsigned char *SSL_SESSION_get0_id(SSL_SESSION *s)
-	{
-	return s->session_id;
-	}
-
 X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
 	{
 	return s->peer;
-- 
2.50.1