1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/libssl/src/s3_both.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,622 @@
1.4 +/* ssl/s3_both.c */
1.5 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
1.6 + * All rights reserved.
1.7 + *
1.8 + * This package is an SSL implementation written
1.9 + * by Eric Young (eay@cryptsoft.com).
1.10 + * The implementation was written so as to conform with Netscapes SSL.
1.11 + *
1.12 + * This library is free for commercial and non-commercial use as long as
1.13 + * the following conditions are aheared to. The following conditions
1.14 + * apply to all code found in this distribution, be it the RC4, RSA,
1.15 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1.16 + * included with this distribution is covered by the same copyright terms
1.17 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1.18 + *
1.19 + * Copyright remains Eric Young's, and as such any Copyright notices in
1.20 + * the code are not to be removed.
1.21 + * If this package is used in a product, Eric Young should be given attribution
1.22 + * as the author of the parts of the library used.
1.23 + * This can be in the form of a textual message at program startup or
1.24 + * in documentation (online or textual) provided with the package.
1.25 + *
1.26 + * Redistribution and use in source and binary forms, with or without
1.27 + * modification, are permitted provided that the following conditions
1.28 + * are met:
1.29 + * 1. Redistributions of source code must retain the copyright
1.30 + * notice, this list of conditions and the following disclaimer.
1.31 + * 2. Redistributions in binary form must reproduce the above copyright
1.32 + * notice, this list of conditions and the following disclaimer in the
1.33 + * documentation and/or other materials provided with the distribution.
1.34 + * 3. All advertising materials mentioning features or use of this software
1.35 + * must display the following acknowledgement:
1.36 + * "This product includes cryptographic software written by
1.37 + * Eric Young (eay@cryptsoft.com)"
1.38 + * The word 'cryptographic' can be left out if the rouines from the library
1.39 + * being used are not cryptographic related :-).
1.40 + * 4. If you include any Windows specific code (or a derivative thereof) from
1.41 + * the apps directory (application code) you must include an acknowledgement:
1.42 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
1.43 + *
1.44 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
1.45 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.46 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1.47 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1.48 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1.49 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1.50 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.51 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1.52 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1.53 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1.54 + * SUCH DAMAGE.
1.55 + *
1.56 + * The licence and distribution terms for any publically available version or
1.57 + * derivative of this code cannot be changed. i.e. this code cannot simply be
1.58 + * copied and put under another distribution licence
1.59 + * [including the GNU Public Licence.]
1.60 + */
1.61 +/* ====================================================================
1.62 + * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
1.63 + *
1.64 + * Redistribution and use in source and binary forms, with or without
1.65 + * modification, are permitted provided that the following conditions
1.66 + * are met:
1.67 + *
1.68 + * 1. Redistributions of source code must retain the above copyright
1.69 + * notice, this list of conditions and the following disclaimer.
1.70 + *
1.71 + * 2. Redistributions in binary form must reproduce the above copyright
1.72 + * notice, this list of conditions and the following disclaimer in
1.73 + * the documentation and/or other materials provided with the
1.74 + * distribution.
1.75 + *
1.76 + * 3. All advertising materials mentioning features or use of this
1.77 + * software must display the following acknowledgment:
1.78 + * "This product includes software developed by the OpenSSL Project
1.79 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
1.80 + *
1.81 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1.82 + * endorse or promote products derived from this software without
1.83 + * prior written permission. For written permission, please contact
1.84 + * openssl-core@openssl.org.
1.85 + *
1.86 + * 5. Products derived from this software may not be called "OpenSSL"
1.87 + * nor may "OpenSSL" appear in their names without prior written
1.88 + * permission of the OpenSSL Project.
1.89 + *
1.90 + * 6. Redistributions of any form whatsoever must retain the following
1.91 + * acknowledgment:
1.92 + * "This product includes software developed by the OpenSSL Project
1.93 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
1.94 + *
1.95 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1.96 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.97 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.98 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1.99 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.100 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.101 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1.102 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.103 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1.104 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.105 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1.106 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1.107 + * ====================================================================
1.108 + *
1.109 + * This product includes cryptographic software written by Eric Young
1.110 + * (eay@cryptsoft.com). This product includes software written by Tim
1.111 + * Hudson (tjh@cryptsoft.com).
1.112 + *
1.113 + */
1.114 +/* ====================================================================
1.115 + * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
1.116 + * ECC cipher suite support in OpenSSL originally developed by
1.117 + * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
1.118 + */
1.119 +
1.120 +#include <limits.h>
1.121 +#include <string.h>
1.122 +#include <stdio.h>
1.123 +#include "ssl_locl.h"
1.124 +#include <openssl/buffer.h>
1.125 +#include <openssl/rand.h>
1.126 +#include <openssl/objects.h>
1.127 +#include <openssl/evp.h>
1.128 +#include <openssl/x509.h>
1.129 +
1.130 +/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
1.131 +int ssl3_do_write(SSL *s, int type)
1.132 + {
1.133 + int ret;
1.134 +
1.135 + ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
1.136 + s->init_num);
1.137 + if (ret < 0) return(-1);
1.138 + if (type == SSL3_RT_HANDSHAKE)
1.139 + /* should not be done for 'Hello Request's, but in that case
1.140 + * we'll ignore the result anyway */
1.141 + ssl3_finish_mac(s,(unsigned char *)&s->init_buf->data[s->init_off],ret);
1.142 +
1.143 + if (ret == s->init_num)
1.144 + {
1.145 + if (s->msg_callback)
1.146 + s->msg_callback(1, s->version, type, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg);
1.147 + return(1);
1.148 + }
1.149 + s->init_off+=ret;
1.150 + s->init_num-=ret;
1.151 + return(0);
1.152 + }
1.153 +
1.154 +int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
1.155 + {
1.156 + unsigned char *p,*d;
1.157 + int i;
1.158 + unsigned long l;
1.159 +
1.160 + if (s->state == a)
1.161 + {
1.162 + d=(unsigned char *)s->init_buf->data;
1.163 + p= &(d[4]);
1.164 +
1.165 + i=s->method->ssl3_enc->final_finish_mac(s,
1.166 + &(s->s3->finish_dgst1),
1.167 + &(s->s3->finish_dgst2),
1.168 + sender,slen,s->s3->tmp.finish_md);
1.169 + s->s3->tmp.finish_md_len = i;
1.170 + memcpy(p, s->s3->tmp.finish_md, i);
1.171 + p+=i;
1.172 + l=i;
1.173 +
1.174 +#ifdef OPENSSL_SYS_WIN16
1.175 + /* MSVC 1.5 does not clear the top bytes of the word unless
1.176 + * I do this.
1.177 + */
1.178 + l&=0xffff;
1.179 +#endif
1.180 +
1.181 + *(d++)=SSL3_MT_FINISHED;
1.182 + l2n3(l,d);
1.183 + s->init_num=(int)l+4;
1.184 + s->init_off=0;
1.185 +
1.186 + s->state=b;
1.187 + }
1.188 +
1.189 + /* SSL3_ST_SEND_xxxxxx_HELLO_B */
1.190 + return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1.191 + }
1.192 +
1.193 +int ssl3_get_finished(SSL *s, int a, int b)
1.194 + {
1.195 + int al,i,ok;
1.196 + long n;
1.197 + unsigned char *p;
1.198 +
1.199 + /* the mac has already been generated when we received the
1.200 + * change cipher spec message and is in s->s3->tmp.peer_finish_md
1.201 + */
1.202 +
1.203 + n=s->method->ssl_get_message(s,
1.204 + a,
1.205 + b,
1.206 + SSL3_MT_FINISHED,
1.207 + 64, /* should actually be 36+4 :-) */
1.208 + &ok);
1.209 +
1.210 + if (!ok) return((int)n);
1.211 +
1.212 + /* If this occurs, we have missed a message */
1.213 + if (!s->s3->change_cipher_spec)
1.214 + {
1.215 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.216 + SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_GOT_A_FIN_BEFORE_A_CCS);
1.217 + goto f_err;
1.218 + }
1.219 + s->s3->change_cipher_spec=0;
1.220 +
1.221 + p = (unsigned char *)s->init_msg;
1.222 + i = s->s3->tmp.peer_finish_md_len;
1.223 +
1.224 + if (i != n)
1.225 + {
1.226 + al=SSL_AD_DECODE_ERROR;
1.227 + SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_BAD_DIGEST_LENGTH);
1.228 + goto f_err;
1.229 + }
1.230 +
1.231 + if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
1.232 + {
1.233 + al=SSL_AD_DECRYPT_ERROR;
1.234 + SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
1.235 + goto f_err;
1.236 + }
1.237 +
1.238 + return(1);
1.239 +f_err:
1.240 + ssl3_send_alert(s,SSL3_AL_FATAL,al);
1.241 + return(0);
1.242 + }
1.243 +
1.244 +/* for these 2 messages, we need to
1.245 + * ssl->enc_read_ctx re-init
1.246 + * ssl->s3->read_sequence zero
1.247 + * ssl->s3->read_mac_secret re-init
1.248 + * ssl->session->read_sym_enc assign
1.249 + * ssl->session->read_compression assign
1.250 + * ssl->session->read_hash assign
1.251 + */
1.252 +int ssl3_send_change_cipher_spec(SSL *s, int a, int b)
1.253 + {
1.254 + unsigned char *p;
1.255 +
1.256 + if (s->state == a)
1.257 + {
1.258 + p=(unsigned char *)s->init_buf->data;
1.259 + *p=SSL3_MT_CCS;
1.260 + s->init_num=1;
1.261 + s->init_off=0;
1.262 +
1.263 + s->state=b;
1.264 + }
1.265 +
1.266 + /* SSL3_ST_CW_CHANGE_B */
1.267 + return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
1.268 + }
1.269 +
1.270 +unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
1.271 + {
1.272 + unsigned char *p;
1.273 + int n,i;
1.274 + unsigned long l=7;
1.275 + BUF_MEM *buf;
1.276 + X509_STORE_CTX xs_ctx;
1.277 + X509_OBJECT obj;
1.278 +
1.279 + int no_chain;
1.280 +
1.281 + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
1.282 + no_chain = 1;
1.283 + else
1.284 + no_chain = 0;
1.285 +
1.286 + /* TLSv1 sends a chain with nothing in it, instead of an alert */
1.287 + buf=s->init_buf;
1.288 + if (!BUF_MEM_grow_clean(buf,10))
1.289 + {
1.290 + SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
1.291 + return(0);
1.292 + }
1.293 + if (x != NULL)
1.294 + {
1.295 + if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
1.296 + {
1.297 + SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
1.298 + return(0);
1.299 + }
1.300 +
1.301 + for (;;)
1.302 + {
1.303 + n=i2d_X509(x,NULL);
1.304 + if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
1.305 + {
1.306 + SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
1.307 + return(0);
1.308 + }
1.309 + p=(unsigned char *)&(buf->data[l]);
1.310 + l2n3(n,p);
1.311 + i2d_X509(x,&p);
1.312 + l+=n+3;
1.313 +
1.314 + if (no_chain)
1.315 + break;
1.316 +
1.317 + if (X509_NAME_cmp(X509_get_subject_name(x),
1.318 + X509_get_issuer_name(x)) == 0) break;
1.319 +
1.320 + i=X509_STORE_get_by_subject(&xs_ctx,X509_LU_X509,
1.321 + X509_get_issuer_name(x),&obj);
1.322 + if (i <= 0) break;
1.323 + x=obj.data.x509;
1.324 + /* Count is one too high since the X509_STORE_get uped the
1.325 + * ref count */
1.326 + X509_free(x);
1.327 + }
1.328 + if (!no_chain)
1.329 + X509_STORE_CTX_cleanup(&xs_ctx);
1.330 + }
1.331 +
1.332 + /* Thawte special :-) */
1.333 + if (s->ctx->extra_certs != NULL)
1.334 + for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++)
1.335 + {
1.336 + x=sk_X509_value(s->ctx->extra_certs,i);
1.337 + n=i2d_X509(x,NULL);
1.338 + if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
1.339 + {
1.340 + SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
1.341 + return(0);
1.342 + }
1.343 + p=(unsigned char *)&(buf->data[l]);
1.344 + l2n3(n,p);
1.345 + i2d_X509(x,&p);
1.346 + l+=n+3;
1.347 + }
1.348 +
1.349 + l-=7;
1.350 + p=(unsigned char *)&(buf->data[4]);
1.351 + l2n3(l,p);
1.352 + l+=3;
1.353 + p=(unsigned char *)&(buf->data[0]);
1.354 + *(p++)=SSL3_MT_CERTIFICATE;
1.355 + l2n3(l,p);
1.356 + l+=4;
1.357 + return(l);
1.358 + }
1.359 +
1.360 +/* Obtain handshake message of message type 'mt' (any if mt == -1),
1.361 + * maximum acceptable body length 'max'.
1.362 + * The first four bytes (msg_type and length) are read in state 'st1',
1.363 + * the body is read in state 'stn'.
1.364 + */
1.365 +long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
1.366 + {
1.367 + unsigned char *p;
1.368 + unsigned long l;
1.369 + long n;
1.370 + int i,al;
1.371 +
1.372 + if (s->s3->tmp.reuse_message)
1.373 + {
1.374 + s->s3->tmp.reuse_message=0;
1.375 + if ((mt >= 0) && (s->s3->tmp.message_type != mt))
1.376 + {
1.377 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.378 + SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
1.379 + goto f_err;
1.380 + }
1.381 + *ok=1;
1.382 + s->init_msg = s->init_buf->data + 4;
1.383 + s->init_num = (int)s->s3->tmp.message_size;
1.384 + return s->init_num;
1.385 + }
1.386 +
1.387 + p=(unsigned char *)s->init_buf->data;
1.388 +
1.389 + if (s->state == st1) /* s->init_num < 4 */
1.390 + {
1.391 + int skip_message;
1.392 +
1.393 + do
1.394 + {
1.395 + while (s->init_num < 4)
1.396 + {
1.397 + i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
1.398 + &p[s->init_num],4 - s->init_num, 0);
1.399 + if (i <= 0)
1.400 + {
1.401 + s->rwstate=SSL_READING;
1.402 + *ok = 0;
1.403 + return i;
1.404 + }
1.405 + s->init_num+=i;
1.406 + }
1.407 +
1.408 + skip_message = 0;
1.409 + if (!s->server)
1.410 + if (p[0] == SSL3_MT_HELLO_REQUEST)
1.411 + /* The server may always send 'Hello Request' messages --
1.412 + * we are doing a handshake anyway now, so ignore them
1.413 + * if their format is correct. Does not count for
1.414 + * 'Finished' MAC. */
1.415 + if (p[1] == 0 && p[2] == 0 &&p[3] == 0)
1.416 + {
1.417 + s->init_num = 0;
1.418 + skip_message = 1;
1.419 +
1.420 + if (s->msg_callback)
1.421 + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, 4, s, s->msg_callback_arg);
1.422 + }
1.423 + }
1.424 + while (skip_message);
1.425 +
1.426 + /* s->init_num == 4 */
1.427 +
1.428 + if ((mt >= 0) && (*p != mt))
1.429 + {
1.430 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.431 + SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
1.432 + goto f_err;
1.433 + }
1.434 + if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
1.435 + (st1 == SSL3_ST_SR_CERT_A) &&
1.436 + (stn == SSL3_ST_SR_CERT_B))
1.437 + {
1.438 + /* At this point we have got an MS SGC second client
1.439 + * hello (maybe we should always allow the client to
1.440 + * start a new handshake?). We need to restart the mac.
1.441 + * Don't increment {num,total}_renegotiations because
1.442 + * we have not completed the handshake. */
1.443 + ssl3_init_finished_mac(s);
1.444 + }
1.445 +
1.446 + s->s3->tmp.message_type= *(p++);
1.447 +
1.448 + n2l3(p,l);
1.449 + if (l > (unsigned long)max)
1.450 + {
1.451 + al=SSL_AD_ILLEGAL_PARAMETER;
1.452 + SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
1.453 + goto f_err;
1.454 + }
1.455 + if (l > (INT_MAX-4)) /* BUF_MEM_grow takes an 'int' parameter */
1.456 + {
1.457 + al=SSL_AD_ILLEGAL_PARAMETER;
1.458 + SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
1.459 + goto f_err;
1.460 + }
1.461 + if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4))
1.462 + {
1.463 + SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
1.464 + goto err;
1.465 + }
1.466 + s->s3->tmp.message_size=l;
1.467 + s->state=stn;
1.468 +
1.469 + s->init_msg = s->init_buf->data + 4;
1.470 + s->init_num = 0;
1.471 + }
1.472 +
1.473 + /* next state (stn) */
1.474 + p = s->init_msg;
1.475 + n = s->s3->tmp.message_size - s->init_num;
1.476 + while (n > 0)
1.477 + {
1.478 + i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0);
1.479 + if (i <= 0)
1.480 + {
1.481 + s->rwstate=SSL_READING;
1.482 + *ok = 0;
1.483 + return i;
1.484 + }
1.485 + s->init_num += i;
1.486 + n -= i;
1.487 + }
1.488 + ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
1.489 + if (s->msg_callback)
1.490 + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg);
1.491 + *ok=1;
1.492 + return s->init_num;
1.493 +f_err:
1.494 + ssl3_send_alert(s,SSL3_AL_FATAL,al);
1.495 +err:
1.496 + *ok=0;
1.497 + return(-1);
1.498 + }
1.499 +
1.500 +int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
1.501 + {
1.502 + EVP_PKEY *pk;
1.503 + int ret= -1,i;
1.504 +
1.505 + if (pkey == NULL)
1.506 + pk=X509_get_pubkey(x);
1.507 + else
1.508 + pk=pkey;
1.509 + if (pk == NULL) goto err;
1.510 +
1.511 + i=pk->type;
1.512 + if (i == EVP_PKEY_RSA)
1.513 + {
1.514 + ret=SSL_PKEY_RSA_ENC;
1.515 + }
1.516 + else if (i == EVP_PKEY_DSA)
1.517 + {
1.518 + ret=SSL_PKEY_DSA_SIGN;
1.519 + }
1.520 +#ifndef OPENSSL_NO_EC
1.521 + else if (i == EVP_PKEY_EC)
1.522 + {
1.523 + ret = SSL_PKEY_ECC;
1.524 + }
1.525 +#endif
1.526 +
1.527 +err:
1.528 + if(!pkey) EVP_PKEY_free(pk);
1.529 + return(ret);
1.530 + }
1.531 +
1.532 +int ssl_verify_alarm_type(long type)
1.533 + {
1.534 + int al;
1.535 +
1.536 + switch(type)
1.537 + {
1.538 + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
1.539 + case X509_V_ERR_UNABLE_TO_GET_CRL:
1.540 + case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
1.541 + al=SSL_AD_UNKNOWN_CA;
1.542 + break;
1.543 + case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
1.544 + case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
1.545 + case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
1.546 + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
1.547 + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
1.548 + case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
1.549 + case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
1.550 + case X509_V_ERR_CERT_NOT_YET_VALID:
1.551 + case X509_V_ERR_CRL_NOT_YET_VALID:
1.552 + case X509_V_ERR_CERT_UNTRUSTED:
1.553 + case X509_V_ERR_CERT_REJECTED:
1.554 + al=SSL_AD_BAD_CERTIFICATE;
1.555 + break;
1.556 + case X509_V_ERR_CERT_SIGNATURE_FAILURE:
1.557 + case X509_V_ERR_CRL_SIGNATURE_FAILURE:
1.558 + al=SSL_AD_DECRYPT_ERROR;
1.559 + break;
1.560 + case X509_V_ERR_CERT_HAS_EXPIRED:
1.561 + case X509_V_ERR_CRL_HAS_EXPIRED:
1.562 + al=SSL_AD_CERTIFICATE_EXPIRED;
1.563 + break;
1.564 + case X509_V_ERR_CERT_REVOKED:
1.565 + al=SSL_AD_CERTIFICATE_REVOKED;
1.566 + break;
1.567 + case X509_V_ERR_OUT_OF_MEM:
1.568 + al=SSL_AD_INTERNAL_ERROR;
1.569 + break;
1.570 + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1.571 + case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
1.572 + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
1.573 + case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
1.574 + case X509_V_ERR_CERT_CHAIN_TOO_LONG:
1.575 + case X509_V_ERR_PATH_LENGTH_EXCEEDED:
1.576 + case X509_V_ERR_INVALID_CA:
1.577 + al=SSL_AD_UNKNOWN_CA;
1.578 + break;
1.579 + case X509_V_ERR_APPLICATION_VERIFICATION:
1.580 + al=SSL_AD_HANDSHAKE_FAILURE;
1.581 + break;
1.582 + case X509_V_ERR_INVALID_PURPOSE:
1.583 + al=SSL_AD_UNSUPPORTED_CERTIFICATE;
1.584 + break;
1.585 + default:
1.586 + al=SSL_AD_CERTIFICATE_UNKNOWN;
1.587 + break;
1.588 + }
1.589 + return(al);
1.590 + }
1.591 +
1.592 +int ssl3_setup_buffers(SSL *s)
1.593 + {
1.594 + unsigned char *p;
1.595 + unsigned int extra;
1.596 + size_t len;
1.597 +
1.598 + if (s->s3->rbuf.buf == NULL)
1.599 + {
1.600 + if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
1.601 + extra=SSL3_RT_MAX_EXTRA;
1.602 + else
1.603 + extra=0;
1.604 + len = SSL3_RT_MAX_PACKET_SIZE + extra;
1.605 + if ((p=OPENSSL_malloc(len)) == NULL)
1.606 + goto err;
1.607 + s->s3->rbuf.buf = p;
1.608 + s->s3->rbuf.len = len;
1.609 + }
1.610 +
1.611 + if (s->s3->wbuf.buf == NULL)
1.612 + {
1.613 + len = SSL3_RT_MAX_PACKET_SIZE;
1.614 + len += SSL3_RT_HEADER_LENGTH + 256; /* extra space for empty fragment */
1.615 + if ((p=OPENSSL_malloc(len)) == NULL)
1.616 + goto err;
1.617 + s->s3->wbuf.buf = p;
1.618 + s->s3->wbuf.len = len;
1.619 + }
1.620 + s->packet= &(s->s3->rbuf.buf[0]);
1.621 + return(1);
1.622 +err:
1.623 + SSLerr(SSL_F_SSL3_SETUP_BUFFERS,ERR_R_MALLOC_FAILURE);
1.624 + return(0);
1.625 + }