add SSL_CONF functions and documentation

4 files changed, 621 insertions, 3 deletions

diff --git a/ssl/Makefile b/ssl/Makefile
index 4ae661fca0..393dc7eaf6 100644
--- a/ssl/Makefile
+++ b/ssl/Makefile
@@ -29,7 +29,7 @@ LIBSRC=	\
 	d1_both.c d1_enc.c d1_srtp.c \
 	ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
 	ssl_ciph.c ssl_stat.c ssl_rsa.c \
-	ssl_asn1.c ssl_txt.c ssl_algs.c \
+	ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \
 	bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c
 LIBOBJ= \
 	s2_meth.o  s2_srvr.o  s2_clnt.o  s2_lib.o  s2_enc.o s2_pkt.o \
@@ -40,7 +40,7 @@ LIBOBJ= \
 	d1_both.o d1_enc.o d1_srtp.o\
 	ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
 	ssl_ciph.o ssl_stat.o ssl_rsa.o \
-	ssl_asn1.o ssl_txt.o ssl_algs.o \
+	ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \
 	bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o
 
 SRC= $(LIBSRC)
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 88f828508f..3a8957a770 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -367,6 +367,7 @@ typedef struct ssl_method_st SSL_METHOD;
 typedef struct ssl_cipher_st SSL_CIPHER;
 typedef struct ssl_session_st SSL_SESSION;
 typedef struct tls_sigalgs_st TLS_SIGALGS;
+typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
 
 DECLARE_STACK_OF(SSL_CIPHER)
 
@@ -616,6 +617,9 @@ struct ssl_session_st
 #define SSL_OP_NO_TLSv1_2				0x08000000L
 #define SSL_OP_NO_TLSv1_1				0x10000000L
 
+#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|\
+	SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2)
+
 /* These next two were never actually used for anything since SSLeay
  * zap so we have some more flags.
  */
@@ -694,6 +698,12 @@ struct ssl_session_st
 /* Cert chain suitable to Suite B */
 #define CERT_PKEY_SUITEB	0x800
 
+#define SSL_CONF_FLAG_CMDLINE		0x1
+#define SSL_CONF_FLAG_FILE		0x2
+#define SSL_CONF_FLAG_CLIENT		0x4
+#define SSL_CONF_FLAG_SERVER		0x8
+#define SSL_CONF_FLAG_SHOW_ERRORS	0x10
+
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
  * they cannot be used to clear bits. */
 
@@ -2266,6 +2276,18 @@ void SSL_set_debug(SSL *s, int debug);
 int SSL_cache_hit(SSL *s);
 int SSL_is_server(SSL *s);
 
+SSL_CONF_CTX *SSL_CONF_CTX_new(void);
+void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx);
+unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags);
+unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags);
+int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre);
+
+void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl);
+void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx);
+
+int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
+int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv);
+
 #ifndef OPENSSL_NO_SSL_TRACE
 void SSL_trace(int write_p, int version, int content_type,
 		const void *buf, size_t len, SSL *ssl, void *arg);
@@ -2419,6 +2441,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CIPHER_STRENGTH_SORT			 231
 #define SSL_F_SSL_CLEAR					 164
 #define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD		 165
+#define SSL_F_SSL_CONF_CTX_CMD				 334
 #define SSL_F_SSL_CREATE_CIPHER_LIST			 166
 #define SSL_F_SSL_CTRL					 232
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY			 168
@@ -2558,6 +2581,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_BAD_SSL_FILETYPE				 124
 #define SSL_R_BAD_SSL_SESSION_ID_LENGTH			 125
 #define SSL_R_BAD_STATE					 126
+#define SSL_R_BAD_VALUE					 384
 #define SSL_R_BAD_WRITE_RETRY				 127
 #define SSL_R_BIO_NOT_SET				 128
 #define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG			 129
@@ -2613,6 +2637,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_INVALID_CHALLENGE_LENGTH			 158
 #define SSL_R_INVALID_COMMAND				 280
 #define SSL_R_INVALID_COMPRESSION_ALGORITHM		 341
+#define SSL_R_INVALID_NULL_CMD_NAME			 385
 #define SSL_R_INVALID_PURPOSE				 278
 #define SSL_R_INVALID_SRP_USERNAME			 357
 #define SSL_R_INVALID_STATUS_RESPONSE			 328
@@ -2797,6 +2822,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNKNOWN_CERTIFICATE_TYPE			 247
 #define SSL_R_UNKNOWN_CIPHER_RETURNED			 248
 #define SSL_R_UNKNOWN_CIPHER_TYPE			 249
+#define SSL_R_UNKNOWN_CMD_NAME				 386
 #define SSL_R_UNKNOWN_DIGEST				 368
 #define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE			 250
 #define SSL_R_UNKNOWN_PKEY_TYPE				 251
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
new file mode 100644
index 0000000000..20e43a8d9b
--- /dev/null
+++ b/ssl/ssl_conf.c
@@ -0,0 +1,588 @@
+/*! \file ssl/ssl_conf.c
+ *  \brief SSL configuration functions
+ */
+/* ====================================================================
+ * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifdef REF_CHECK
+#  include <assert.h>
+#endif
+#include <stdio.h>
+#include "ssl_locl.h"
+#include <openssl/conf.h>
+#include <openssl/objects.h>
+
+/* structure holding name tables. This is used for pemitted elements in
+ * lists such as TLSv1 and single command line switches such as no_tls1
+ */
+
+typedef struct
+	{
+	const char *name;
+	int namelen;
+	unsigned int name_flags;
+	unsigned long option_value;
+	} ssl_flag_tbl;
+
+/* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */
+#define SSL_TFLAG_INV	0x1
+/* Flags refers to cert_flags not options */
+#define SSL_TFLAG_CERT	0x2
+/* Option can only be used for clients */
+#define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT
+/* Option can only be used for servers */
+#define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER
+#define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER)
+
+#define SSL_FLAG_TBL(str, flag) \
+	{str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag}
+#define SSL_FLAG_TBL_SRV(str, flag) \
+	{str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag}
+#define SSL_FLAG_TBL_CLI(str, flag) \
+	{str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag}
+#define SSL_FLAG_TBL_INV(str, flag) \
+	{str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag}
+#define SSL_FLAG_TBL_SRV_INV(str, flag) \
+	{str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag}
+#define SSL_FLAG_TBL_CERT(str, flag) \
+	{str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag}
+
+/* Opaque structure containing SSL configuration context.
+ */
+
+struct ssl_conf_ctx_st
+	{
+	/* Various flags indicating (among other things) which options we
+	 * will recognise.
+	 */
+	unsigned int flags;
+	/* Prefix and length of commands */
+	char *prefix;
+	size_t prefixlen;
+	/* SSL_CTX or SSL structure to perform operations on */
+	SSL_CTX *ctx;
+	SSL *ssl;
+	/* Pointer to SSL or SSL_CTX options field or NULL if none */
+	unsigned long *poptions;
+	/* Pointer to SSL or SSL_CTX cert_flags or NULL if none */
+	unsigned int *pcert_flags;
+	/* Current flag table being worked on */
+	const ssl_flag_tbl *tbl;
+	/* Size of table */
+	size_t ntbl;
+	};
+
+static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl,
+				const char *name, int namelen, int onoff)
+	{
+	/* If name not relevant for context skip */
+	if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH))
+		return 0;
+	if (namelen == -1)
+		{
+		if (strcmp(tbl->name, name))
+			return 0;
+		}
+	else if (tbl->namelen != namelen || strncasecmp(tbl->name, name, namelen))
+		return 0;
+	if (cctx->poptions)
+		{
+		if (tbl->name_flags & SSL_TFLAG_INV)
+			onoff ^= 1;
+		if (tbl->name_flags & SSL_TFLAG_CERT)
+			{
+			if (onoff)
+				*cctx->pcert_flags |= tbl->option_value;
+			else
+				*cctx->pcert_flags &= ~tbl->option_value;
+			}
+		else
+			{
+			if (onoff)
+				*cctx->poptions |= tbl->option_value;
+			else
+				*cctx->poptions &= ~tbl->option_value;
+			}
+		}
+	return 1;
+	}
+
+static int ssl_set_option_list(const char *elem, int len, void *usr)
+	{
+	SSL_CONF_CTX *cctx = usr;
+	size_t i;
+	const ssl_flag_tbl *tbl;
+	int onoff = 1;
+	/* len == -1 indicates not being called in list context, just for
+	 * single command line switches, so don't allow +, -.
+	 */
+	if (len != -1)
+		{
+		if (*elem == '+')
+			{
+			elem++;
+			len--;
+			onoff = 1;
+			}
+		else if (*elem == '-')
+			{
+			elem++;
+			len--;
+			onoff = 0;
+			}
+		}
+	for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++)
+		{
+		if (ssl_match_option(cctx, tbl, elem, len, onoff))
+			return 1;
+		}
+	return 0;
+	}
+
+/* Single command line switches with no argument e.g. -no_ssl3 */
+static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd)
+	{
+	static const ssl_flag_tbl ssl_option_single[] =
+		{
+		SSL_FLAG_TBL("no_ssl2", SSL_OP_NO_SSLv2),
+		SSL_FLAG_TBL("no_ssl3", SSL_OP_NO_SSLv3),
+		SSL_FLAG_TBL("no_tls1", SSL_OP_NO_TLSv1),
+		SSL_FLAG_TBL("no_tls1_1", SSL_OP_NO_TLSv1_1),
+		SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),
+		SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),
+		SSL_FLAG_TBL("bugs", SSL_OP_ALL),
+		SSL_FLAG_TBL("no_comp", SSL_OP_NO_COMPRESSION),
+#ifndef OPENSSL_NO_TLSEXT
+		SSL_FLAG_TBL("no_ticket", SSL_OP_NO_TICKET),
+#endif
+		SSL_FLAG_TBL_SRV("serverpref", SSL_OP_CIPHER_SERVER_PREFERENCE),
+		SSL_FLAG_TBL("legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
+		SSL_FLAG_TBL_SRV("legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT),
+		SSL_FLAG_TBL_SRV_INV("no_legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT),
+		SSL_FLAG_TBL_CERT("strict", SSL_CERT_FLAG_TLS_STRICT),
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+		SSL_FLAG_TBL_CERT("debug_broken_protocol", SSL_CERT_FLAG_BROKEN_PROTOCOL),
+#endif
+		};
+	cctx->tbl = ssl_option_single;
+	cctx->ntbl = sizeof(ssl_option_single)/sizeof(ssl_flag_tbl);
+	return ssl_set_option_list(cmd, -1, cctx);
+	}
+
+/* Set supported signature algorithms */
+static int cmd_sigalgs(SSL_CONF_CTX *cctx, const char *value)
+	{
+	int rv;
+	if (cctx->ssl)
+		rv = SSL_set1_sigalgs_list(cctx->ssl, value);
+	/* NB: ctx == NULL performs syntax checking only */
+	else
+		rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value);
+	return rv > 0;
+	}
+/* Set supported client signature algorithms */
+static int cmd_client_sigalgs(SSL_CONF_CTX *cctx, const char *value)
+	{
+	int rv;
+	if (cctx->ssl)
+		rv = SSL_set1_client_sigalgs_list(cctx->ssl, value);
+	/* NB: ctx == NULL performs syntax checking only */
+	else
+		rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value);
+	return rv > 0;
+	}
+
+static int cmd_curves(SSL_CONF_CTX *cctx, const char *value)
+	{
+	int rv;
+	if (!(cctx->flags & SSL_CONF_FLAG_CLIENT))
+		return -2;
+	if (cctx->ssl)
+		rv = SSL_set1_curves_list(cctx->ssl, value);
+	/* NB: ctx == NULL performs syntax checking only */
+	else
+		rv = SSL_CTX_set1_curves_list(cctx->ctx, value);
+	return rv > 0;
+	}
+
+/* ECDH temporary parameters */
+static int cmd_ecdhparam(SSL_CONF_CTX *cctx, const char *value)
+	{
+	int onoff = -1, rv = 1;
+	if (!(cctx->flags & SSL_CONF_FLAG_SERVER))
+		return -2;
+	if (cctx->flags & SSL_CONF_FLAG_FILE)
+		{
+		if (*value == '+')
+			{
+			onoff = 1;
+			value++;
+			}
+		if (*value == '-')
+			{
+			onoff = 0;
+			value++;
+			}
+		if (strcasecmp(value, "automatic"))
+			return 0;
+		}
+	else if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
+		{
+		if (!strcmp(value, "auto"))
+			onoff = 1;
+		}
+
+	if (onoff != -1)
+		{
+		if (cctx->ctx)
+			rv = SSL_CTX_set_ecdh_auto(cctx->ctx, onoff);
+		else if (cctx->ssl)
+			rv = SSL_set_ecdh_auto(cctx->ssl, onoff);
+		}
+	else
+		{
+		EC_KEY *ecdh;
+		int nid;
+		nid = EC_curve_nist2nid(value);
+		if (nid == NID_undef)
+			nid = OBJ_sn2nid(value);
+		if (nid == 0)
+			return 0;
+		ecdh = EC_KEY_new_by_curve_name(nid);
+		if (!ecdh)
+			return 0;
+		if (cctx->ctx)
+			rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh);
+		else if (cctx->ssl)
+			rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh);
+		EC_KEY_free(ecdh);
+		}
+
+	return rv > 0;
+	}
+
+static int cmd_cipher_list(SSL_CONF_CTX *cctx, const char *value)
+	{
+	int rv = 1;
+	if (cctx->ctx)
+		rv = SSL_CTX_set_cipher_list(cctx->ctx, value);
+	if (cctx->ssl)
+		rv = SSL_set_cipher_list(cctx->ssl, value);
+	return rv;
+	}
+
+static int cmd_protocol(SSL_CONF_CTX *cctx, const char *value)
+	{
+	static const ssl_flag_tbl ssl_protocol_list[] =
+		{
+		SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
+		SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
+		SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
+		SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
+		SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
+		SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
+		};
+	if (!(cctx->flags & SSL_CONF_FLAG_FILE))
+		return -2;
+	cctx->tbl = ssl_protocol_list;
+	cctx->ntbl = sizeof(ssl_protocol_list)/sizeof(ssl_flag_tbl);
+	return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
+	}
+
+static int cmd_options(SSL_CONF_CTX *cctx, const char *value)
+	{
+	static const ssl_flag_tbl ssl_option_list[] =
+		{
+		SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET),
+		SSL_FLAG_TBL_INV("EmptyFragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
+		SSL_FLAG_TBL("Bugs", SSL_OP_ALL),
+		SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION),
+		SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE),
+		SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE),
+		SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
+		SSL_FLAG_TBL("UnsafeLegacyRenegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
+		};
+	if (!(cctx->flags & SSL_CONF_FLAG_FILE))
+		return -2;
+	if (value == NULL)
+		return -3;
+	cctx->tbl = ssl_option_list;
+	cctx->ntbl = sizeof(ssl_option_list)/sizeof(ssl_flag_tbl);
+	return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
+	}
+
+typedef struct
+	{
+	int (*cmd)(SSL_CONF_CTX *cctx, const char *value);
+	const char *str_file;
+	const char *str_cmdline;
+	} ssl_conf_cmd_tbl;
+
+/* Table of supported patameters */
+
+static ssl_conf_cmd_tbl ssl_conf_cmds[] = {
+	{cmd_sigalgs,		"SignatureAlgorithms", "sigalgs"},
+	{cmd_client_sigalgs,	"ClientSignatureAlgorithms", "client_sigalgs"},
+	{cmd_curves,		"Curves", "curves"},
+	{cmd_ecdhparam,		"ECDHParameters", "named_curve"},
+	{cmd_cipher_list,	"CipherString", "cipher"},
+	{cmd_protocol,		"Protocol", NULL},
+	{cmd_options,		"Options", NULL},
+};
+
+int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
+	{
+	ssl_conf_cmd_tbl *t, *runcmd = NULL;
+	size_t i;
+	if (cmd == NULL)
+		{
+		SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_INVALID_NULL_CMD_NAME);
+		return 0;
+		}
+	/* If a prefix is set, check and skip */
+	if (cctx->prefix)
+		{
+		if (strlen(cmd) <= cctx->prefixlen)
+			return -2;
+		if (cctx->flags & SSL_CONF_FLAG_CMDLINE &&
+			strncmp(cmd, cctx->prefix, cctx->prefixlen))
+			return -2;
+		if (cctx->flags & SSL_CONF_FLAG_FILE &&
+			strncasecmp(cmd, cctx->prefix, cctx->prefixlen))
+			return -2;
+		cmd += cctx->prefixlen;
+		}
+	else if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
+		{
+		if (*cmd != '-' || !cmd[1])
+			return -2;
+		cmd++;
+		}
+
+	/* Look for matching parameter name in table */
+	for (i = 0, t = ssl_conf_cmds;
+		i < sizeof(ssl_conf_cmds)/sizeof(ssl_conf_cmd_tbl); i++, t++)
+		{
+		if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
+			{
+			if (t->str_cmdline && !strcmp(t->str_cmdline, cmd))
+				{
+				runcmd = t;
+				break;
+				}
+			}
+		if (cctx->flags & SSL_CONF_FLAG_FILE)
+			{
+			if (t->str_file && !strcasecmp(t->str_file, cmd))
+				{
+				runcmd = t;
+				break;
+				}
+			}
+		}
+
+	if (runcmd)
+		{
+		if (value == NULL)
+			return -3;
+		if (t->cmd(cctx, value))
+			return 2;
+		if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
+			{
+			SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_BAD_VALUE);
+			ERR_add_error_data(4, "cmd=", cmd, ", value=", value);
+			}
+		return -1;
+		}
+
+	if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
+		{
+		if (ctrl_str_option(cctx, cmd))
+			return 1;
+		}
+
+	if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
+		{
+		SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_UNKNOWN_CMD_NAME);
+		ERR_add_error_data(2, "cmd=", cmd);
+		}
+
+	return -2;
+	}
+
+int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv)
+	{
+	int rv;
+	const char *arg, *argn;
+	if (pargc && *pargc == 0)
+		return 0;
+	if (!pargc || *pargc > 0)
+		arg = **pargv;
+	if (arg == NULL)
+		return 0;
+	if (!pargc || *pargc > 1)
+		argn = (*pargv)[1];
+	else
+		argn = NULL;
+	cctx->flags &= ~SSL_CONF_FLAG_FILE;
+	cctx->flags |= SSL_CONF_FLAG_CMDLINE;
+	rv = SSL_CONF_cmd(cctx, arg, argn);
+	if (rv > 0)
+		{
+		/* Success: update pargc, pargv */
+		(*pargv) += rv;
+		if (pargc)
+			(*pargc) -= rv;
+		return rv;
+		}
+	/* Unknown swicth: indicate no arguments processed */
+	if (rv == -2)
+		return 0;
+	/* Some error occurred processing command, return fatal error */
+	if (rv == 0)
+		return -1;
+	return rv;
+	}
+
+SSL_CONF_CTX *SSL_CONF_CTX_new(void)
+	{
+	SSL_CONF_CTX *ret;
+	ret = OPENSSL_malloc(sizeof(SSL_CONF_CTX));
+	if (ret)
+		{
+		ret->flags = 0;
+		ret->prefix = NULL;
+		ret->prefixlen = 0;
+		ret->ssl = NULL;
+		ret->ctx = NULL;
+		ret->poptions = NULL;
+		ret->pcert_flags = NULL;
+		ret->tbl = NULL;
+		ret->ntbl = 0;
+		}
+	return ret;
+	}
+
+void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx)
+	{
+	if (cctx)
+		{
+		if (cctx->prefix)
+			OPENSSL_free(cctx->prefix);
+		OPENSSL_free(cctx);
+		}
+	}
+
+unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags)
+	{
+	cctx->flags |= flags;
+	return cctx->flags;
+	}
+
+unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags)
+	{
+	cctx->flags &= ~flags;
+	return cctx->flags;
+	}
+
+int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre)
+	{
+	char *tmp = NULL;
+	if (pre)
+		{
+		tmp = BUF_strdup(pre);
+		if (tmp == NULL)
+			return 0;
+		}
+	if (cctx->prefix)
+		OPENSSL_free(cctx->prefix);
+	cctx->prefix = tmp;
+	if (tmp)
+		cctx->prefixlen = strlen(tmp);
+	else
+		cctx->prefixlen = 0;
+	return 1;
+	}
+
+void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl)
+	{
+	cctx->ssl = ssl;
+	cctx->ctx = NULL;
+	if (ssl)
+		{
+		cctx->poptions = &ssl->options;
+		cctx->pcert_flags = &ssl->cert->cert_flags;
+		}
+	else
+		{
+		cctx->poptions = NULL;
+		cctx->pcert_flags = NULL;
+		}
+	}
+
+void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx)
+	{
+	cctx->ctx = ctx;
+	cctx->ssl = NULL;
+	if (ctx)
+		{
+		cctx->poptions = &ctx->options;
+		cctx->pcert_flags = &ctx->cert->cert_flags;
+		}
+	else
+		{
+		cctx->poptions = NULL;
+		cctx->pcert_flags = NULL;
+		}
+	}
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index a816af0775..5654def3f3 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2012 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -208,6 +208,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT),	"SSL_CIPHER_STRENGTH_SORT"},
 {ERR_FUNC(SSL_F_SSL_CLEAR),	"SSL_clear"},
 {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),	"SSL_COMP_add_compression_method"},
+{ERR_FUNC(SSL_F_SSL_CONF_CTX_CMD),	"SSL_CONF_CTX_cmd"},
 {ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST),	"ssl_create_cipher_list"},
 {ERR_FUNC(SSL_F_SSL_CTRL),	"SSL_ctrl"},
 {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),	"SSL_CTX_check_private_key"},
@@ -350,6 +351,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_BAD_SSL_FILETYPE)      ,"bad ssl filetype"},
 {ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
 {ERR_REASON(SSL_R_BAD_STATE)             ,"bad state"},
+{ERR_REASON(SSL_R_BAD_VALUE)             ,"bad value"},
 {ERR_REASON(SSL_R_BAD_WRITE_RETRY)       ,"bad write retry"},
 {ERR_REASON(SSL_R_BIO_NOT_SET)           ,"bio not set"},
 {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"},
@@ -405,6 +407,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
 {ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},
 {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
+{ERR_REASON(SSL_R_INVALID_NULL_CMD_NAME) ,"invalid null cmd name"},
 {ERR_REASON(SSL_R_INVALID_PURPOSE)       ,"invalid purpose"},
 {ERR_REASON(SSL_R_INVALID_SRP_USERNAME)  ,"invalid srp username"},
 {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},
@@ -589,6 +592,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
 {ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
 {ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE)   ,"unknown cipher type"},
+{ERR_REASON(SSL_R_UNKNOWN_CMD_NAME)      ,"unknown cmd name"},
 {ERR_REASON(SSL_R_UNKNOWN_DIGEST)        ,"unknown digest"},
 {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"},
 {ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE)     ,"unknown pkey type"},