1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/libssl/src/ssl_lib.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,2621 @@
1.4 +/*! \file ssl/ssl_lib.c
1.5 + * \brief Version independent SSL functions.
1.6 + */
1.7 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
1.8 + * All rights reserved.
1.9 + *
1.10 + * This package is an SSL implementation written
1.11 + * by Eric Young (eay@cryptsoft.com).
1.12 + * The implementation was written so as to conform with Netscapes SSL.
1.13 + *
1.14 + * This library is free for commercial and non-commercial use as long as
1.15 + * the following conditions are aheared to. The following conditions
1.16 + * apply to all code found in this distribution, be it the RC4, RSA,
1.17 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1.18 + * included with this distribution is covered by the same copyright terms
1.19 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1.20 + *
1.21 + * Copyright remains Eric Young's, and as such any Copyright notices in
1.22 + * the code are not to be removed.
1.23 + * If this package is used in a product, Eric Young should be given attribution
1.24 + * as the author of the parts of the library used.
1.25 + * This can be in the form of a textual message at program startup or
1.26 + * in documentation (online or textual) provided with the package.
1.27 + *
1.28 + * Redistribution and use in source and binary forms, with or without
1.29 + * modification, are permitted provided that the following conditions
1.30 + * are met:
1.31 + * 1. Redistributions of source code must retain the copyright
1.32 + * notice, this list of conditions and the following disclaimer.
1.33 + * 2. Redistributions in binary form must reproduce the above copyright
1.34 + * notice, this list of conditions and the following disclaimer in the
1.35 + * documentation and/or other materials provided with the distribution.
1.36 + * 3. All advertising materials mentioning features or use of this software
1.37 + * must display the following acknowledgement:
1.38 + * "This product includes cryptographic software written by
1.39 + * Eric Young (eay@cryptsoft.com)"
1.40 + * The word 'cryptographic' can be left out if the rouines from the library
1.41 + * being used are not cryptographic related :-).
1.42 + * 4. If you include any Windows specific code (or a derivative thereof) from
1.43 + * the apps directory (application code) you must include an acknowledgement:
1.44 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
1.45 + *
1.46 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
1.47 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.48 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1.49 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1.50 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1.51 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1.52 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.53 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1.54 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1.55 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1.56 + * SUCH DAMAGE.
1.57 + *
1.58 + * The licence and distribution terms for any publically available version or
1.59 + * derivative of this code cannot be changed. i.e. this code cannot simply be
1.60 + * copied and put under another distribution licence
1.61 + * [including the GNU Public Licence.]
1.62 + */
1.63 +/* ====================================================================
1.64 + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
1.65 + *
1.66 + * Redistribution and use in source and binary forms, with or without
1.67 + * modification, are permitted provided that the following conditions
1.68 + * are met:
1.69 + *
1.70 + * 1. Redistributions of source code must retain the above copyright
1.71 + * notice, this list of conditions and the following disclaimer.
1.72 + *
1.73 + * 2. Redistributions in binary form must reproduce the above copyright
1.74 + * notice, this list of conditions and the following disclaimer in
1.75 + * the documentation and/or other materials provided with the
1.76 + * distribution.
1.77 + *
1.78 + * 3. All advertising materials mentioning features or use of this
1.79 + * software must display the following acknowledgment:
1.80 + * "This product includes software developed by the OpenSSL Project
1.81 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
1.82 + *
1.83 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1.84 + * endorse or promote products derived from this software without
1.85 + * prior written permission. For written permission, please contact
1.86 + * openssl-core@openssl.org.
1.87 + *
1.88 + * 5. Products derived from this software may not be called "OpenSSL"
1.89 + * nor may "OpenSSL" appear in their names without prior written
1.90 + * permission of the OpenSSL Project.
1.91 + *
1.92 + * 6. Redistributions of any form whatsoever must retain the following
1.93 + * acknowledgment:
1.94 + * "This product includes software developed by the OpenSSL Project
1.95 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
1.96 + *
1.97 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1.98 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.99 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.100 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1.101 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.102 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.103 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1.104 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.105 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1.106 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.107 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1.108 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1.109 + * ====================================================================
1.110 + *
1.111 + * This product includes cryptographic software written by Eric Young
1.112 + * (eay@cryptsoft.com). This product includes software written by Tim
1.113 + * Hudson (tjh@cryptsoft.com).
1.114 + *
1.115 + */
1.116 +/* ====================================================================
1.117 + * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
1.118 + * ECC cipher suite support in OpenSSL originally developed by
1.119 + * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
1.120 + */
1.121 +/*
1.122 + © Portions copyright (c) 2006 Nokia Corporation. All rights reserved.
1.123 + */
1.124 +
1.125 +#ifdef REF_CHECK
1.126 +# include <assert.h>
1.127 +#endif
1.128 +#include <stdio.h>
1.129 +#include "ssl_locl.h"
1.130 +#include "kssl_lcl.h"
1.131 +#include <openssl/objects.h>
1.132 +#include <openssl/lhash.h>
1.133 +#include <openssl/x509v3.h>
1.134 +#ifndef OPENSSL_NO_DH
1.135 +#include <openssl/dh.h>
1.136 +#endif
1.137 +
1.138 +#ifdef EMULATOR
1.139 + #include "libssl_wsd.h"
1.140 +#endif
1.141 +
1.142 +const char *SSL_version_str=OPENSSL_VERSION_TEXT;
1.143 +
1.144 +#ifdef EMULATOR
1.145 + GET_GLOBAL_VAR_FROM_TLS(ssl3_undef_enc_method,ssl_lib,SSL3_ENC_METHOD)
1.146 +
1.147 + #define ssl3_undef_enc_method (GET_WSD_VAR_NAME(ssl3_undef_enc_method,ssl_lib,g)())
1.148 +#endif
1.149 +
1.150 +#ifndef EMULATOR
1.151 +SSL3_ENC_METHOD ssl3_undef_enc_method={
1.152 +#else
1.153 +const SSL3_ENC_METHOD temp_ssl3_undef_enc_method={
1.154 +#endif
1.155 + /* evil casts, but these functions are only called if there's a library bug */
1.156 + (int (*)(SSL *,int))ssl_undefined_function,
1.157 + (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
1.158 + ssl_undefined_function,
1.159 + (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
1.160 + (int (*)(SSL*, int))ssl_undefined_function,
1.161 + (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function,
1.162 + 0, /* finish_mac_length */
1.163 + (int (*)(SSL *, EVP_MD_CTX *, unsigned char *))ssl_undefined_function,
1.164 + NULL, /* client_finished_label */
1.165 + 0, /* client_finished_label_len */
1.166 + NULL, /* server_finished_label */
1.167 + 0, /* server_finished_label_len */
1.168 + (int (*)(int))ssl_undefined_function
1.169 + };
1.170 +
1.171 +EXPORT_C int SSL_clear(SSL *s)
1.172 + {
1.173 +
1.174 + if (s->method == NULL)
1.175 + {
1.176 + SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
1.177 + return(0);
1.178 + }
1.179 +
1.180 + if (ssl_clear_bad_session(s))
1.181 + {
1.182 + SSL_SESSION_free(s->session);
1.183 + s->session=NULL;
1.184 + }
1.185 +
1.186 + s->error=0;
1.187 + s->hit=0;
1.188 + s->shutdown=0;
1.189 +
1.190 +#if 0 /* Disabled since version 1.10 of this file (early return not
1.191 + * needed because SSL_clear is not called when doing renegotiation) */
1.192 + /* This is set if we are doing dynamic renegotiation so keep
1.193 + * the old cipher. It is sort of a SSL_clear_lite :-) */
1.194 + if (s->new_session) return(1);
1.195 +#else
1.196 + if (s->new_session)
1.197 + {
1.198 + SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
1.199 + return 0;
1.200 + }
1.201 +#endif
1.202 +
1.203 + s->type=0;
1.204 +
1.205 + s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
1.206 +
1.207 + s->version=s->method->version;
1.208 + s->client_version=s->version;
1.209 + s->rwstate=SSL_NOTHING;
1.210 + s->rstate=SSL_ST_READ_HEADER;
1.211 +#if 0
1.212 + s->read_ahead=s->ctx->read_ahead;
1.213 +#endif
1.214 +
1.215 + if (s->init_buf != NULL)
1.216 + {
1.217 + BUF_MEM_free(s->init_buf);
1.218 + s->init_buf=NULL;
1.219 + }
1.220 +
1.221 + ssl_clear_cipher_ctx(s);
1.222 +
1.223 + s->first_packet=0;
1.224 +
1.225 +#if 1
1.226 + /* Check to see if we were changed into a different method, if
1.227 + * so, revert back if we are not doing session-id reuse. */
1.228 + if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method))
1.229 + {
1.230 + s->method->ssl_free(s);
1.231 + s->method=s->ctx->method;
1.232 + if (!s->method->ssl_new(s))
1.233 + return(0);
1.234 + }
1.235 + else
1.236 +#endif
1.237 + s->method->ssl_clear(s);
1.238 + return(1);
1.239 + }
1.240 +
1.241 +/** Used to change an SSL_CTXs default SSL method type */
1.242 +EXPORT_C int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth)
1.243 + {
1.244 + STACK_OF(SSL_CIPHER) *sk;
1.245 +
1.246 + ctx->method=meth;
1.247 +
1.248 + sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
1.249 + &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST);
1.250 + if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
1.251 + {
1.252 + SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
1.253 + return(0);
1.254 + }
1.255 + return(1);
1.256 + }
1.257 +
1.258 +EXPORT_C SSL *SSL_new(SSL_CTX *ctx)
1.259 + {
1.260 + SSL *s;
1.261 +
1.262 + if (ctx == NULL)
1.263 + {
1.264 + SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX);
1.265 + return(NULL);
1.266 + }
1.267 + if (ctx->method == NULL)
1.268 + {
1.269 + SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
1.270 + return(NULL);
1.271 + }
1.272 +
1.273 + s=(SSL *)OPENSSL_malloc(sizeof(SSL));
1.274 + if (s == NULL) goto err;
1.275 + memset(s,0,sizeof(SSL));
1.276 +
1.277 +#ifndef OPENSSL_NO_KRB5
1.278 + s->kssl_ctx = kssl_ctx_new();
1.279 +#endif /* OPENSSL_NO_KRB5 */
1.280 +
1.281 + s->options=ctx->options;
1.282 + s->mode=ctx->mode;
1.283 + s->max_cert_list=ctx->max_cert_list;
1.284 +
1.285 + if (ctx->cert != NULL)
1.286 + {
1.287 + /* Earlier library versions used to copy the pointer to
1.288 + * the CERT, not its contents; only when setting new
1.289 + * parameters for the per-SSL copy, ssl_cert_new would be
1.290 + * called (and the direct reference to the per-SSL_CTX
1.291 + * settings would be lost, but those still were indirectly
1.292 + * accessed for various purposes, and for that reason they
1.293 + * used to be known as s->ctx->default_cert).
1.294 + * Now we don't look at the SSL_CTX's CERT after having
1.295 + * duplicated it once. */
1.296 +
1.297 + s->cert = ssl_cert_dup(ctx->cert);
1.298 + if (s->cert == NULL)
1.299 + goto err;
1.300 + }
1.301 + else
1.302 + s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
1.303 +
1.304 + s->read_ahead=ctx->read_ahead;
1.305 + s->msg_callback=ctx->msg_callback;
1.306 + s->msg_callback_arg=ctx->msg_callback_arg;
1.307 + s->verify_mode=ctx->verify_mode;
1.308 +#if 0
1.309 + s->verify_depth=ctx->verify_depth;
1.310 +#endif
1.311 + s->sid_ctx_length=ctx->sid_ctx_length;
1.312 + OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
1.313 + memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
1.314 + s->verify_callback=ctx->default_verify_callback;
1.315 + s->generate_session_id=ctx->generate_session_id;
1.316 +
1.317 + s->param = X509_VERIFY_PARAM_new();
1.318 + if (!s->param)
1.319 + goto err;
1.320 + X509_VERIFY_PARAM_inherit(s->param, ctx->param);
1.321 +#if 0
1.322 + s->purpose = ctx->purpose;
1.323 + s->trust = ctx->trust;
1.324 +#endif
1.325 + s->quiet_shutdown=ctx->quiet_shutdown;
1.326 +
1.327 + CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
1.328 + s->ctx=ctx;
1.329 +
1.330 + s->verify_result=X509_V_OK;
1.331 +
1.332 + s->method=ctx->method;
1.333 +
1.334 + if (!s->method->ssl_new(s))
1.335 + goto err;
1.336 +
1.337 + s->references=1;
1.338 + s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
1.339 +
1.340 + SSL_clear(s);
1.341 +
1.342 + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
1.343 +
1.344 + return(s);
1.345 +err:
1.346 + if (s != NULL)
1.347 + {
1.348 + if (s->cert != NULL)
1.349 + ssl_cert_free(s->cert);
1.350 + if (s->ctx != NULL)
1.351 + SSL_CTX_free(s->ctx); /* decrement reference count */
1.352 + OPENSSL_free(s);
1.353 + }
1.354 + SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
1.355 + return(NULL);
1.356 + }
1.357 +
1.358 +EXPORT_C int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
1.359 + unsigned int sid_ctx_len)
1.360 + {
1.361 + if(sid_ctx_len > sizeof ctx->sid_ctx)
1.362 + {
1.363 + SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1.364 + return 0;
1.365 + }
1.366 + ctx->sid_ctx_length=sid_ctx_len;
1.367 + memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len);
1.368 +
1.369 + return 1;
1.370 + }
1.371 +
1.372 +EXPORT_C int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
1.373 + unsigned int sid_ctx_len)
1.374 + {
1.375 + if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
1.376 + {
1.377 + SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1.378 + return 0;
1.379 + }
1.380 + ssl->sid_ctx_length=sid_ctx_len;
1.381 + memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len);
1.382 +
1.383 + return 1;
1.384 + }
1.385 +
1.386 +EXPORT_C int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
1.387 + {
1.388 + CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1.389 + ctx->generate_session_id = cb;
1.390 + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1.391 + return 1;
1.392 + }
1.393 +
1.394 +EXPORT_C int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
1.395 + {
1.396 + CRYPTO_w_lock(CRYPTO_LOCK_SSL);
1.397 + ssl->generate_session_id = cb;
1.398 + CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
1.399 + return 1;
1.400 + }
1.401 +
1.402 +EXPORT_C int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1.403 + unsigned int id_len)
1.404 + {
1.405 + /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
1.406 + * we can "construct" a session to give us the desired check - ie. to
1.407 + * find if there's a session in the hash table that would conflict with
1.408 + * any new session built out of this id/id_len and the ssl_version in
1.409 + * use by this SSL. */
1.410 + SSL_SESSION r, *p;
1.411 +
1.412 + if(id_len > sizeof r.session_id)
1.413 + return 0;
1.414 +
1.415 + r.ssl_version = ssl->version;
1.416 + r.session_id_length = id_len;
1.417 + memcpy(r.session_id, id, id_len);
1.418 + /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
1.419 + * callback is calling us to check the uniqueness of a shorter ID, it
1.420 + * must be compared as a padded-out ID because that is what it will be
1.421 + * converted to when the callback has finished choosing it. */
1.422 + if((r.ssl_version == SSL2_VERSION) &&
1.423 + (id_len < SSL2_SSL_SESSION_ID_LENGTH))
1.424 + {
1.425 + memset(r.session_id + id_len, 0,
1.426 + SSL2_SSL_SESSION_ID_LENGTH - id_len);
1.427 + r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
1.428 + }
1.429 +
1.430 + CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1.431 + p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r);
1.432 + CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1.433 + return (p != NULL);
1.434 + }
1.435 +
1.436 +EXPORT_C int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
1.437 + {
1.438 + return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
1.439 + }
1.440 +
1.441 +EXPORT_C int SSL_set_purpose(SSL *s, int purpose)
1.442 + {
1.443 + return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
1.444 + }
1.445 +
1.446 +EXPORT_C int SSL_CTX_set_trust(SSL_CTX *s, int trust)
1.447 + {
1.448 + return X509_VERIFY_PARAM_set_trust(s->param, trust);
1.449 + }
1.450 +
1.451 +EXPORT_C int SSL_set_trust(SSL *s, int trust)
1.452 + {
1.453 + return X509_VERIFY_PARAM_set_trust(s->param, trust);
1.454 + }
1.455 +
1.456 +EXPORT_C void SSL_free(SSL *s)
1.457 + {
1.458 + int i;
1.459 +
1.460 + if(s == NULL)
1.461 + return;
1.462 +
1.463 + i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
1.464 +#ifdef REF_PRINT
1.465 + REF_PRINT("SSL",s);
1.466 +#endif
1.467 + if (i > 0) return;
1.468 +#ifdef REF_CHECK
1.469 + if (i < 0)
1.470 + {
1.471 + fprintf(stderr,"SSL_free, bad reference count\n");
1.472 + abort(); /* ok */
1.473 + }
1.474 +#endif
1.475 +
1.476 + if (s->param)
1.477 + X509_VERIFY_PARAM_free(s->param);
1.478 +
1.479 + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
1.480 +
1.481 + if (s->bbio != NULL)
1.482 + {
1.483 + /* If the buffering BIO is in place, pop it off */
1.484 + if (s->bbio == s->wbio)
1.485 + {
1.486 + s->wbio=BIO_pop(s->wbio);
1.487 + }
1.488 + BIO_free(s->bbio);
1.489 + s->bbio=NULL;
1.490 + }
1.491 + if (s->rbio != NULL)
1.492 + BIO_free_all(s->rbio);
1.493 + if ((s->wbio != NULL) && (s->wbio != s->rbio))
1.494 + BIO_free_all(s->wbio);
1.495 +
1.496 + if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
1.497 +
1.498 + /* add extra stuff */
1.499 + if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list);
1.500 + if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id);
1.501 +
1.502 + /* Make the next call work :-) */
1.503 + if (s->session != NULL)
1.504 + {
1.505 + ssl_clear_bad_session(s);
1.506 + SSL_SESSION_free(s->session);
1.507 + }
1.508 +
1.509 + ssl_clear_cipher_ctx(s);
1.510 +
1.511 + if (s->cert != NULL) ssl_cert_free(s->cert);
1.512 + /* Free up if allocated */
1.513 +
1.514 + if (s->ctx) SSL_CTX_free(s->ctx);
1.515 + if (s->client_CA != NULL)
1.516 + sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
1.517 +
1.518 + if (s->method != NULL) s->method->ssl_free(s);
1.519 +
1.520 +#ifndef OPENSSL_NO_KRB5
1.521 + if (s->kssl_ctx != NULL)
1.522 + kssl_ctx_free(s->kssl_ctx);
1.523 +#endif /* OPENSSL_NO_KRB5 */
1.524 +
1.525 + OPENSSL_free(s);
1.526 + }
1.527 +
1.528 +EXPORT_C void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
1.529 + {
1.530 + /* If the output buffering BIO is still in place, remove it
1.531 + */
1.532 + if (s->bbio != NULL)
1.533 + {
1.534 + if (s->wbio == s->bbio)
1.535 + {
1.536 + s->wbio=s->wbio->next_bio;
1.537 + s->bbio->next_bio=NULL;
1.538 + }
1.539 + }
1.540 + if ((s->rbio != NULL) && (s->rbio != rbio))
1.541 + BIO_free_all(s->rbio);
1.542 + if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio))
1.543 + BIO_free_all(s->wbio);
1.544 + s->rbio=rbio;
1.545 + s->wbio=wbio;
1.546 + }
1.547 +
1.548 +EXPORT_C BIO *SSL_get_rbio(const SSL *s)
1.549 + { return(s->rbio); }
1.550 +
1.551 +EXPORT_C BIO *SSL_get_wbio(const SSL *s)
1.552 + { return(s->wbio); }
1.553 +
1.554 +EXPORT_C int SSL_get_fd(const SSL *s)
1.555 + {
1.556 + return(SSL_get_rfd(s));
1.557 + }
1.558 +
1.559 +EXPORT_C int SSL_get_rfd(const SSL *s)
1.560 + {
1.561 + int ret= -1;
1.562 + BIO *b,*r;
1.563 +
1.564 + b=SSL_get_rbio(s);
1.565 + r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
1.566 + if (r != NULL)
1.567 + BIO_get_fd(r,&ret);
1.568 + return(ret);
1.569 + }
1.570 +
1.571 +EXPORT_C int SSL_get_wfd(const SSL *s)
1.572 + {
1.573 + int ret= -1;
1.574 + BIO *b,*r;
1.575 +
1.576 + b=SSL_get_wbio(s);
1.577 + r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
1.578 + if (r != NULL)
1.579 + BIO_get_fd(r,&ret);
1.580 + return(ret);
1.581 + }
1.582 +
1.583 +#ifndef OPENSSL_NO_SOCK
1.584 +EXPORT_C int SSL_set_fd(SSL *s,int fd)
1.585 + {
1.586 + int ret=0;
1.587 + BIO *bio=NULL;
1.588 +
1.589 + bio=BIO_new(BIO_s_socket());
1.590 +
1.591 + if (bio == NULL)
1.592 + {
1.593 + SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
1.594 + goto err;
1.595 + }
1.596 + BIO_set_fd(bio,fd,BIO_NOCLOSE);
1.597 + SSL_set_bio(s,bio,bio);
1.598 + ret=1;
1.599 +err:
1.600 + return(ret);
1.601 + }
1.602 +
1.603 +EXPORT_C int SSL_set_wfd(SSL *s,int fd)
1.604 + {
1.605 + int ret=0;
1.606 + BIO *bio=NULL;
1.607 +
1.608 + if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
1.609 + || ((int)BIO_get_fd(s->rbio,NULL) != fd))
1.610 + {
1.611 + bio=BIO_new(BIO_s_socket());
1.612 +
1.613 + if (bio == NULL)
1.614 + { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
1.615 + BIO_set_fd(bio,fd,BIO_NOCLOSE);
1.616 + SSL_set_bio(s,SSL_get_rbio(s),bio);
1.617 + }
1.618 + else
1.619 + SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s));
1.620 + ret=1;
1.621 +err:
1.622 + return(ret);
1.623 + }
1.624 +
1.625 +EXPORT_C int SSL_set_rfd(SSL *s,int fd)
1.626 + {
1.627 + int ret=0;
1.628 + BIO *bio=NULL;
1.629 +
1.630 + if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
1.631 + || ((int)BIO_get_fd(s->wbio,NULL) != fd))
1.632 + {
1.633 + bio=BIO_new(BIO_s_socket());
1.634 +
1.635 + if (bio == NULL)
1.636 + {
1.637 + SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
1.638 + goto err;
1.639 + }
1.640 + BIO_set_fd(bio,fd,BIO_NOCLOSE);
1.641 + SSL_set_bio(s,bio,SSL_get_wbio(s));
1.642 + }
1.643 + else
1.644 + SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s));
1.645 + ret=1;
1.646 +err:
1.647 + return(ret);
1.648 + }
1.649 +#endif
1.650 +
1.651 +
1.652 +/* return length of latest Finished message we sent, copy to 'buf' */
1.653 +EXPORT_C size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
1.654 + {
1.655 + size_t ret = 0;
1.656 +
1.657 + if (s->s3 != NULL)
1.658 + {
1.659 + ret = s->s3->tmp.finish_md_len;
1.660 + if (count > ret)
1.661 + count = ret;
1.662 + memcpy(buf, s->s3->tmp.finish_md, count);
1.663 + }
1.664 + return ret;
1.665 + }
1.666 +
1.667 +/* return length of latest Finished message we expected, copy to 'buf' */
1.668 +EXPORT_C size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
1.669 + {
1.670 + size_t ret = 0;
1.671 +
1.672 + if (s->s3 != NULL)
1.673 + {
1.674 + ret = s->s3->tmp.peer_finish_md_len;
1.675 + if (count > ret)
1.676 + count = ret;
1.677 + memcpy(buf, s->s3->tmp.peer_finish_md, count);
1.678 + }
1.679 + return ret;
1.680 + }
1.681 +
1.682 +
1.683 +EXPORT_C int SSL_get_verify_mode(const SSL *s)
1.684 + {
1.685 + return(s->verify_mode);
1.686 + }
1.687 +
1.688 +EXPORT_C int SSL_get_verify_depth(const SSL *s)
1.689 + {
1.690 + return X509_VERIFY_PARAM_get_depth(s->param);
1.691 + }
1.692 +
1.693 +EXPORT_C int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
1.694 + {
1.695 + return(s->verify_callback);
1.696 + }
1.697 +
1.698 +EXPORT_C int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
1.699 + {
1.700 + return(ctx->verify_mode);
1.701 + }
1.702 +
1.703 +EXPORT_C int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
1.704 + {
1.705 + return X509_VERIFY_PARAM_get_depth(ctx->param);
1.706 + }
1.707 +
1.708 +EXPORT_C int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
1.709 + {
1.710 + return(ctx->default_verify_callback);
1.711 + }
1.712 +
1.713 +EXPORT_C void SSL_set_verify(SSL *s,int mode,
1.714 + int (*callback)(int ok,X509_STORE_CTX *ctx))
1.715 + {
1.716 + s->verify_mode=mode;
1.717 + if (callback != NULL)
1.718 + s->verify_callback=callback;
1.719 + }
1.720 +
1.721 +EXPORT_C void SSL_set_verify_depth(SSL *s,int depth)
1.722 + {
1.723 + X509_VERIFY_PARAM_set_depth(s->param, depth);
1.724 + }
1.725 +
1.726 +EXPORT_C void SSL_set_read_ahead(SSL *s,int yes)
1.727 + {
1.728 + s->read_ahead=yes;
1.729 + }
1.730 +
1.731 +EXPORT_C int SSL_get_read_ahead(const SSL *s)
1.732 + {
1.733 + return(s->read_ahead);
1.734 + }
1.735 +
1.736 +EXPORT_C int SSL_pending(const SSL *s)
1.737 + {
1.738 + /* SSL_pending cannot work properly if read-ahead is enabled
1.739 + * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
1.740 + * and it is impossible to fix since SSL_pending cannot report
1.741 + * errors that may be observed while scanning the new data.
1.742 + * (Note that SSL_pending() is often used as a boolean value,
1.743 + * so we'd better not return -1.)
1.744 + */
1.745 + return(s->method->ssl_pending(s));
1.746 + }
1.747 +
1.748 +EXPORT_C X509 *SSL_get_peer_certificate(const SSL *s)
1.749 + {
1.750 + X509 *r;
1.751 +
1.752 + if ((s == NULL) || (s->session == NULL))
1.753 + r=NULL;
1.754 + else
1.755 + r=s->session->peer;
1.756 +
1.757 + if (r == NULL) return(r);
1.758 +
1.759 + CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509);
1.760 +
1.761 + return(r);
1.762 + }
1.763 +
1.764 +EXPORT_C STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
1.765 + {
1.766 + STACK_OF(X509) *r;
1.767 +
1.768 + if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
1.769 + r=NULL;
1.770 + else
1.771 + r=s->session->sess_cert->cert_chain;
1.772 +
1.773 + /* If we are a client, cert_chain includes the peer's own
1.774 + * certificate; if we are a server, it does not. */
1.775 +
1.776 + return(r);
1.777 + }
1.778 +
1.779 +/* Now in theory, since the calling process own 't' it should be safe to
1.780 + * modify. We need to be able to read f without being hassled */
1.781 +EXPORT_C void SSL_copy_session_id(SSL *t,const SSL *f)
1.782 + {
1.783 + CERT *tmp;
1.784 +
1.785 + /* Do we need to to SSL locking? */
1.786 + SSL_set_session(t,SSL_get_session(f));
1.787 +
1.788 + /* what if we are setup as SSLv2 but want to talk SSLv3 or
1.789 + * vice-versa */
1.790 + if (t->method != f->method)
1.791 + {
1.792 + t->method->ssl_free(t); /* cleanup current */
1.793 + t->method=f->method; /* change method */
1.794 + t->method->ssl_new(t); /* setup new */
1.795 + }
1.796 +
1.797 + tmp=t->cert;
1.798 + if (f->cert != NULL)
1.799 + {
1.800 + CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT);
1.801 + t->cert=f->cert;
1.802 + }
1.803 + else
1.804 + t->cert=NULL;
1.805 + if (tmp != NULL) ssl_cert_free(tmp);
1.806 + SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length);
1.807 + }
1.808 +
1.809 +/* Fix this so it checks all the valid key/cert options */
1.810 +EXPORT_C int SSL_CTX_check_private_key(const SSL_CTX *ctx)
1.811 + {
1.812 + if ( (ctx == NULL) ||
1.813 + (ctx->cert == NULL) ||
1.814 + (ctx->cert->key->x509 == NULL))
1.815 + {
1.816 + SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
1.817 + return(0);
1.818 + }
1.819 + if (ctx->cert->key->privatekey == NULL)
1.820 + {
1.821 + SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
1.822 + return(0);
1.823 + }
1.824 + return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey));
1.825 + }
1.826 +
1.827 +/* Fix this function so that it takes an optional type parameter */
1.828 +EXPORT_C int SSL_check_private_key(const SSL *ssl)
1.829 + {
1.830 + if (ssl == NULL)
1.831 + {
1.832 + SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER);
1.833 + return(0);
1.834 + }
1.835 + if (ssl->cert == NULL)
1.836 + {
1.837 + SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
1.838 + return 0;
1.839 + }
1.840 + if (ssl->cert->key->x509 == NULL)
1.841 + {
1.842 + SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
1.843 + return(0);
1.844 + }
1.845 + if (ssl->cert->key->privatekey == NULL)
1.846 + {
1.847 + SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
1.848 + return(0);
1.849 + }
1.850 + return(X509_check_private_key(ssl->cert->key->x509,
1.851 + ssl->cert->key->privatekey));
1.852 + }
1.853 +
1.854 +EXPORT_C int SSL_accept(SSL *s)
1.855 + {
1.856 + if (s->handshake_func == 0)
1.857 + /* Not properly initialized yet */
1.858 + SSL_set_accept_state(s);
1.859 +
1.860 + return(s->method->ssl_accept(s));
1.861 + }
1.862 +
1.863 +EXPORT_C int SSL_connect(SSL *s)
1.864 + {
1.865 + if (s->handshake_func == 0)
1.866 + /* Not properly initialized yet */
1.867 + SSL_set_connect_state(s);
1.868 +
1.869 + return(s->method->ssl_connect(s));
1.870 + }
1.871 +
1.872 +EXPORT_C long SSL_get_default_timeout(const SSL *s)
1.873 + {
1.874 + return(s->method->get_timeout());
1.875 + }
1.876 +
1.877 +EXPORT_C int SSL_read(SSL *s,void *buf,int num)
1.878 + {
1.879 + if (s->handshake_func == 0)
1.880 + {
1.881 + SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
1.882 + return -1;
1.883 + }
1.884 +
1.885 + if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
1.886 + {
1.887 + s->rwstate=SSL_NOTHING;
1.888 + return(0);
1.889 + }
1.890 + return(s->method->ssl_read(s,buf,num));
1.891 + }
1.892 +
1.893 +EXPORT_C int SSL_peek(SSL *s,void *buf,int num)
1.894 + {
1.895 + if (s->handshake_func == 0)
1.896 + {
1.897 + SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED);
1.898 + return -1;
1.899 + }
1.900 +
1.901 + if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
1.902 + {
1.903 + return(0);
1.904 + }
1.905 + return(s->method->ssl_peek(s,buf,num));
1.906 + }
1.907 +
1.908 +EXPORT_C int SSL_write(SSL *s,const void *buf,int num)
1.909 + {
1.910 + if (s->handshake_func == 0)
1.911 + {
1.912 + SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
1.913 + return -1;
1.914 + }
1.915 +
1.916 + if (s->shutdown & SSL_SENT_SHUTDOWN)
1.917 + {
1.918 + s->rwstate=SSL_NOTHING;
1.919 + SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN);
1.920 + return(-1);
1.921 + }
1.922 + return(s->method->ssl_write(s,buf,num));
1.923 + }
1.924 +
1.925 +EXPORT_C int SSL_shutdown(SSL *s)
1.926 + {
1.927 + /* Note that this function behaves differently from what one might
1.928 + * expect. Return values are 0 for no success (yet),
1.929 + * 1 for success; but calling it once is usually not enough,
1.930 + * even if blocking I/O is used (see ssl3_shutdown).
1.931 + */
1.932 +
1.933 + if (s->handshake_func == 0)
1.934 + {
1.935 + SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
1.936 + return -1;
1.937 + }
1.938 +
1.939 + if ((s != NULL) && !SSL_in_init(s))
1.940 + return(s->method->ssl_shutdown(s));
1.941 + else
1.942 + return(1);
1.943 + }
1.944 +
1.945 +EXPORT_C int SSL_renegotiate(SSL *s)
1.946 + {
1.947 + if (s->new_session == 0)
1.948 + {
1.949 + s->new_session=1;
1.950 + }
1.951 + return(s->method->ssl_renegotiate(s));
1.952 + }
1.953 +
1.954 +EXPORT_C int SSL_renegotiate_pending(SSL *s)
1.955 + {
1.956 + /* becomes true when negotiation is requested;
1.957 + * false again once a handshake has finished */
1.958 + return (s->new_session != 0);
1.959 + }
1.960 +
1.961 +EXPORT_C long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
1.962 + {
1.963 + long l;
1.964 +
1.965 + switch (cmd)
1.966 + {
1.967 + case SSL_CTRL_GET_READ_AHEAD:
1.968 + return(s->read_ahead);
1.969 + case SSL_CTRL_SET_READ_AHEAD:
1.970 + l=s->read_ahead;
1.971 + s->read_ahead=larg;
1.972 + return(l);
1.973 +
1.974 + case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1.975 + s->msg_callback_arg = parg;
1.976 + return 1;
1.977 +
1.978 + case SSL_CTRL_OPTIONS:
1.979 + return(s->options|=larg);
1.980 + case SSL_CTRL_MODE:
1.981 + return(s->mode|=larg);
1.982 + case SSL_CTRL_GET_MAX_CERT_LIST:
1.983 + return(s->max_cert_list);
1.984 + case SSL_CTRL_SET_MAX_CERT_LIST:
1.985 + l=s->max_cert_list;
1.986 + s->max_cert_list=larg;
1.987 + return(l);
1.988 + case SSL_CTRL_SET_MTU:
1.989 + if (SSL_version(s) == DTLS1_VERSION)
1.990 + {
1.991 + s->d1->mtu = larg;
1.992 + return larg;
1.993 + }
1.994 + return 0;
1.995 + default:
1.996 + return(s->method->ssl_ctrl(s,cmd,larg,parg));
1.997 + }
1.998 + }
1.999 +
1.1000 +EXPORT_C long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1.1001 + {
1.1002 + switch(cmd)
1.1003 + {
1.1004 + case SSL_CTRL_SET_MSG_CALLBACK:
1.1005 + s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
1.1006 + return 1;
1.1007 +
1.1008 + default:
1.1009 + return(s->method->ssl_callback_ctrl(s,cmd,fp));
1.1010 + }
1.1011 + }
1.1012 +
1.1013 +EXPORT_C struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx)
1.1014 + {
1.1015 + return ctx->sessions;
1.1016 + }
1.1017 +
1.1018 +EXPORT_C long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
1.1019 + {
1.1020 + long l;
1.1021 +
1.1022 + switch (cmd)
1.1023 + {
1.1024 + case SSL_CTRL_GET_READ_AHEAD:
1.1025 + return(ctx->read_ahead);
1.1026 + case SSL_CTRL_SET_READ_AHEAD:
1.1027 + l=ctx->read_ahead;
1.1028 + ctx->read_ahead=larg;
1.1029 + return(l);
1.1030 +
1.1031 + case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1.1032 + ctx->msg_callback_arg = parg;
1.1033 + return 1;
1.1034 +
1.1035 + case SSL_CTRL_GET_MAX_CERT_LIST:
1.1036 + return(ctx->max_cert_list);
1.1037 + case SSL_CTRL_SET_MAX_CERT_LIST:
1.1038 + l=ctx->max_cert_list;
1.1039 + ctx->max_cert_list=larg;
1.1040 + return(l);
1.1041 +
1.1042 + case SSL_CTRL_SET_SESS_CACHE_SIZE:
1.1043 + l=ctx->session_cache_size;
1.1044 + ctx->session_cache_size=larg;
1.1045 + return(l);
1.1046 + case SSL_CTRL_GET_SESS_CACHE_SIZE:
1.1047 + return(ctx->session_cache_size);
1.1048 + case SSL_CTRL_SET_SESS_CACHE_MODE:
1.1049 + l=ctx->session_cache_mode;
1.1050 + ctx->session_cache_mode=larg;
1.1051 + return(l);
1.1052 + case SSL_CTRL_GET_SESS_CACHE_MODE:
1.1053 + return(ctx->session_cache_mode);
1.1054 +
1.1055 + case SSL_CTRL_SESS_NUMBER:
1.1056 + return(ctx->sessions->num_items);
1.1057 + case SSL_CTRL_SESS_CONNECT:
1.1058 + return(ctx->stats.sess_connect);
1.1059 + case SSL_CTRL_SESS_CONNECT_GOOD:
1.1060 + return(ctx->stats.sess_connect_good);
1.1061 + case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
1.1062 + return(ctx->stats.sess_connect_renegotiate);
1.1063 + case SSL_CTRL_SESS_ACCEPT:
1.1064 + return(ctx->stats.sess_accept);
1.1065 + case SSL_CTRL_SESS_ACCEPT_GOOD:
1.1066 + return(ctx->stats.sess_accept_good);
1.1067 + case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
1.1068 + return(ctx->stats.sess_accept_renegotiate);
1.1069 + case SSL_CTRL_SESS_HIT:
1.1070 + return(ctx->stats.sess_hit);
1.1071 + case SSL_CTRL_SESS_CB_HIT:
1.1072 + return(ctx->stats.sess_cb_hit);
1.1073 + case SSL_CTRL_SESS_MISSES:
1.1074 + return(ctx->stats.sess_miss);
1.1075 + case SSL_CTRL_SESS_TIMEOUTS:
1.1076 + return(ctx->stats.sess_timeout);
1.1077 + case SSL_CTRL_SESS_CACHE_FULL:
1.1078 + return(ctx->stats.sess_cache_full);
1.1079 + case SSL_CTRL_OPTIONS:
1.1080 + return(ctx->options|=larg);
1.1081 + case SSL_CTRL_MODE:
1.1082 + return(ctx->mode|=larg);
1.1083 + default:
1.1084 + return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
1.1085 + }
1.1086 + }
1.1087 +
1.1088 +EXPORT_C long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1.1089 + {
1.1090 + switch(cmd)
1.1091 + {
1.1092 + case SSL_CTRL_SET_MSG_CALLBACK:
1.1093 + ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
1.1094 + return 1;
1.1095 +
1.1096 + default:
1.1097 + return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
1.1098 + }
1.1099 + }
1.1100 +
1.1101 +int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
1.1102 + {
1.1103 + long l;
1.1104 +
1.1105 + l=a->id-b->id;
1.1106 + if (l == 0L)
1.1107 + return(0);
1.1108 + else
1.1109 + return((l > 0)?1:-1);
1.1110 + }
1.1111 +
1.1112 +int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
1.1113 + const SSL_CIPHER * const *bp)
1.1114 + {
1.1115 + long l;
1.1116 +
1.1117 + l=(*ap)->id-(*bp)->id;
1.1118 + if (l == 0L)
1.1119 + return(0);
1.1120 + else
1.1121 + return((l > 0)?1:-1);
1.1122 + }
1.1123 +
1.1124 +/** return a STACK of the ciphers available for the SSL and in order of
1.1125 + * preference */
1.1126 +EXPORT_C STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
1.1127 + {
1.1128 + if (s != NULL)
1.1129 + {
1.1130 + if (s->cipher_list != NULL)
1.1131 + {
1.1132 + return(s->cipher_list);
1.1133 + }
1.1134 + else if ((s->ctx != NULL) &&
1.1135 + (s->ctx->cipher_list != NULL))
1.1136 + {
1.1137 + return(s->ctx->cipher_list);
1.1138 + }
1.1139 + }
1.1140 + return(NULL);
1.1141 + }
1.1142 +
1.1143 +/** return a STACK of the ciphers available for the SSL and in order of
1.1144 + * algorithm id */
1.1145 +STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
1.1146 + {
1.1147 + if (s != NULL)
1.1148 + {
1.1149 + if (s->cipher_list_by_id != NULL)
1.1150 + {
1.1151 + return(s->cipher_list_by_id);
1.1152 + }
1.1153 + else if ((s->ctx != NULL) &&
1.1154 + (s->ctx->cipher_list_by_id != NULL))
1.1155 + {
1.1156 + return(s->ctx->cipher_list_by_id);
1.1157 + }
1.1158 + }
1.1159 + return(NULL);
1.1160 + }
1.1161 +
1.1162 +/** The old interface to get the same thing as SSL_get_ciphers() */
1.1163 +EXPORT_C const char *SSL_get_cipher_list(const SSL *s,int n)
1.1164 + {
1.1165 + SSL_CIPHER *c;
1.1166 + STACK_OF(SSL_CIPHER) *sk;
1.1167 +
1.1168 + if (s == NULL) return(NULL);
1.1169 + sk=SSL_get_ciphers(s);
1.1170 + if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
1.1171 + return(NULL);
1.1172 + c=sk_SSL_CIPHER_value(sk,n);
1.1173 + if (c == NULL) return(NULL);
1.1174 + return(c->name);
1.1175 + }
1.1176 +
1.1177 +/** specify the ciphers to be used by default by the SSL_CTX */
1.1178 +EXPORT_C int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1.1179 + {
1.1180 + STACK_OF(SSL_CIPHER) *sk;
1.1181 +
1.1182 + sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
1.1183 + &ctx->cipher_list_by_id,str);
1.1184 + /* ssl_create_cipher_list may return an empty stack if it
1.1185 + * was unable to find a cipher matching the given rule string
1.1186 + * (for example if the rule string specifies a cipher which
1.1187 + * has been disabled). This is not an error as far as
1.1188 + * ssl_create_cipher_list is concerned, and hence
1.1189 + * ctx->cipher_list and ctx->cipher_list_by_id has been
1.1190 + * updated. */
1.1191 + if (sk == NULL)
1.1192 + return 0;
1.1193 + else if (sk_SSL_CIPHER_num(sk) == 0)
1.1194 + {
1.1195 + SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1.1196 + return 0;
1.1197 + }
1.1198 + return 1;
1.1199 + }
1.1200 +
1.1201 +/** specify the ciphers to be used by the SSL */
1.1202 +EXPORT_C int SSL_set_cipher_list(SSL *s,const char *str)
1.1203 + {
1.1204 + STACK_OF(SSL_CIPHER) *sk;
1.1205 +
1.1206 + sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
1.1207 + &s->cipher_list_by_id,str);
1.1208 + /* see comment in SSL_CTX_set_cipher_list */
1.1209 + if (sk == NULL)
1.1210 + return 0;
1.1211 + else if (sk_SSL_CIPHER_num(sk) == 0)
1.1212 + {
1.1213 + SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1.1214 + return 0;
1.1215 + }
1.1216 + return 1;
1.1217 + }
1.1218 +
1.1219 +/* works well for SSLv2, not so good for SSLv3 */
1.1220 +EXPORT_C char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
1.1221 + {
1.1222 + char *p;
1.1223 + STACK_OF(SSL_CIPHER) *sk;
1.1224 + SSL_CIPHER *c;
1.1225 + int i;
1.1226 +
1.1227 + if ((s->session == NULL) || (s->session->ciphers == NULL) ||
1.1228 + (len < 2))
1.1229 + return(NULL);
1.1230 +
1.1231 + p=buf;
1.1232 + sk=s->session->ciphers;
1.1233 + for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1.1234 + {
1.1235 + int n;
1.1236 +
1.1237 + c=sk_SSL_CIPHER_value(sk,i);
1.1238 + n=strlen(c->name);
1.1239 + if (n+1 > len)
1.1240 + {
1.1241 + if (p != buf)
1.1242 + --p;
1.1243 + *p='\0';
1.1244 + return buf;
1.1245 + }
1.1246 + strcpy(p,c->name);
1.1247 + p+=n;
1.1248 + *(p++)=':';
1.1249 + len-=n+1;
1.1250 + }
1.1251 + p[-1]='\0';
1.1252 + return(buf);
1.1253 + }
1.1254 +
1.1255 +int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
1.1256 + int (*put_cb)(const SSL_CIPHER *, unsigned char *))
1.1257 + {
1.1258 + int i,j=0;
1.1259 + SSL_CIPHER *c;
1.1260 + unsigned char *q;
1.1261 +#ifndef OPENSSL_NO_KRB5
1.1262 + int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
1.1263 +#endif /* OPENSSL_NO_KRB5 */
1.1264 +
1.1265 + if (sk == NULL) return(0);
1.1266 + q=p;
1.1267 +
1.1268 + for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1.1269 + {
1.1270 + c=sk_SSL_CIPHER_value(sk,i);
1.1271 +#ifndef OPENSSL_NO_KRB5
1.1272 + if ((c->algorithms & SSL_KRB5) && nokrb5)
1.1273 + continue;
1.1274 +#endif /* OPENSSL_NO_KRB5 */
1.1275 +
1.1276 + j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
1.1277 + p+=j;
1.1278 + }
1.1279 + return(p-q);
1.1280 + }
1.1281 +
1.1282 +STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
1.1283 + STACK_OF(SSL_CIPHER) **skp)
1.1284 + {
1.1285 + SSL_CIPHER *c;
1.1286 + STACK_OF(SSL_CIPHER) *sk;
1.1287 + int i,n;
1.1288 +
1.1289 + n=ssl_put_cipher_by_char(s,NULL,NULL);
1.1290 + if ((num%n) != 0)
1.1291 + {
1.1292 + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
1.1293 + return(NULL);
1.1294 + }
1.1295 + if ((skp == NULL) || (*skp == NULL))
1.1296 + sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */
1.1297 + else
1.1298 + {
1.1299 + sk= *skp;
1.1300 + sk_SSL_CIPHER_zero(sk);
1.1301 + }
1.1302 +
1.1303 + for (i=0; i<num; i+=n)
1.1304 + {
1.1305 + c=ssl_get_cipher_by_char(s,p);
1.1306 + p+=n;
1.1307 + if (c != NULL)
1.1308 + {
1.1309 + if (!sk_SSL_CIPHER_push(sk,c))
1.1310 + {
1.1311 + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1.1312 + goto err;
1.1313 + }
1.1314 + }
1.1315 + }
1.1316 +
1.1317 + if (skp != NULL)
1.1318 + *skp=sk;
1.1319 + return(sk);
1.1320 +err:
1.1321 + if ((skp == NULL) || (*skp == NULL))
1.1322 + sk_SSL_CIPHER_free(sk);
1.1323 + return(NULL);
1.1324 + }
1.1325 +
1.1326 +
1.1327 +EXPORT_C unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
1.1328 + {
1.1329 + unsigned long l;
1.1330 +
1.1331 + l=(unsigned long)
1.1332 + ((unsigned int) a->session_id[0] )|
1.1333 + ((unsigned int) a->session_id[1]<< 8L)|
1.1334 + ((unsigned long)a->session_id[2]<<16L)|
1.1335 + ((unsigned long)a->session_id[3]<<24L);
1.1336 + return(l);
1.1337 + }
1.1338 +
1.1339 +/* NB: If this function (or indeed the hash function which uses a sort of
1.1340 + * coarser function than this one) is changed, ensure
1.1341 + * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
1.1342 + * able to construct an SSL_SESSION that will collide with any existing session
1.1343 + * with a matching session ID. */
1.1344 +EXPORT_C int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
1.1345 + {
1.1346 + if (a->ssl_version != b->ssl_version)
1.1347 + return(1);
1.1348 + if (a->session_id_length != b->session_id_length)
1.1349 + return(1);
1.1350 + return(memcmp(a->session_id,b->session_id,a->session_id_length));
1.1351 + }
1.1352 +
1.1353 +/* These wrapper functions should remain rather than redeclaring
1.1354 + * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
1.1355 + * variable. The reason is that the functions aren't static, they're exposed via
1.1356 + * ssl.h. */
1.1357 +static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *)
1.1358 +static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *)
1.1359 +
1.1360 +EXPORT_C SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
1.1361 + {
1.1362 + SSL_CTX *ret=NULL;
1.1363 +
1.1364 + if (meth == NULL)
1.1365 + {
1.1366 + SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
1.1367 + return(NULL);
1.1368 + }
1.1369 +
1.1370 + if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1.1371 + {
1.1372 + SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
1.1373 + goto err;
1.1374 + }
1.1375 + ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX));
1.1376 + if (ret == NULL)
1.1377 + goto err;
1.1378 +
1.1379 + memset(ret,0,sizeof(SSL_CTX));
1.1380 +
1.1381 + ret->method=meth;
1.1382 +
1.1383 + ret->cert_store=NULL;
1.1384 + ret->session_cache_mode=SSL_SESS_CACHE_SERVER;
1.1385 + ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
1.1386 + ret->session_cache_head=NULL;
1.1387 + ret->session_cache_tail=NULL;
1.1388 +
1.1389 + /* We take the system default */
1.1390 + ret->session_timeout=meth->get_timeout();
1.1391 +
1.1392 + ret->new_session_cb=0;
1.1393 + ret->remove_session_cb=0;
1.1394 + ret->get_session_cb=0;
1.1395 + ret->generate_session_id=0;
1.1396 +
1.1397 + memset((char *)&ret->stats,0,sizeof(ret->stats));
1.1398 +
1.1399 + ret->references=1;
1.1400 + ret->quiet_shutdown=0;
1.1401 +
1.1402 +/* ret->cipher=NULL;*/
1.1403 +/* ret->s2->challenge=NULL;
1.1404 + ret->master_key=NULL;
1.1405 + ret->key_arg=NULL;
1.1406 + ret->s2->conn_id=NULL; */
1.1407 +
1.1408 + ret->info_callback=NULL;
1.1409 +
1.1410 + ret->app_verify_callback=0;
1.1411 + ret->app_verify_arg=NULL;
1.1412 +
1.1413 + ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT;
1.1414 + ret->read_ahead=0;
1.1415 + ret->msg_callback=0;
1.1416 + ret->msg_callback_arg=NULL;
1.1417 + ret->verify_mode=SSL_VERIFY_NONE;
1.1418 +#if 0
1.1419 + ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
1.1420 +#endif
1.1421 + ret->sid_ctx_length=0;
1.1422 + ret->default_verify_callback=NULL;
1.1423 + if ((ret->cert=ssl_cert_new()) == NULL)
1.1424 + goto err;
1.1425 +
1.1426 + ret->default_passwd_callback=0;
1.1427 + ret->default_passwd_callback_userdata=NULL;
1.1428 + ret->client_cert_cb=0;
1.1429 + ret->app_gen_cookie_cb=0;
1.1430 + ret->app_verify_cookie_cb=0;
1.1431 +
1.1432 + ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash),
1.1433 + LHASH_COMP_FN(SSL_SESSION_cmp));
1.1434 + if (ret->sessions == NULL) goto err;
1.1435 + ret->cert_store=X509_STORE_new();
1.1436 + if (ret->cert_store == NULL) goto err;
1.1437 +
1.1438 + ssl_create_cipher_list(ret->method,
1.1439 + &ret->cipher_list,&ret->cipher_list_by_id,
1.1440 + SSL_DEFAULT_CIPHER_LIST);
1.1441 + if (ret->cipher_list == NULL
1.1442 + || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
1.1443 + {
1.1444 + SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
1.1445 + goto err2;
1.1446 + }
1.1447 +
1.1448 + ret->param = X509_VERIFY_PARAM_new();
1.1449 + if (!ret->param)
1.1450 + goto err;
1.1451 +
1.1452 + if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
1.1453 + {
1.1454 + SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
1.1455 + goto err2;
1.1456 + }
1.1457 + if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
1.1458 + {
1.1459 + SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
1.1460 + goto err2;
1.1461 + }
1.1462 + if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL)
1.1463 + {
1.1464 + SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
1.1465 + goto err2;
1.1466 + }
1.1467 +
1.1468 + if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
1.1469 + goto err;
1.1470 +
1.1471 + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
1.1472 +
1.1473 + ret->extra_certs=NULL;
1.1474 + ret->comp_methods=SSL_COMP_get_compression_methods();
1.1475 +
1.1476 + return(ret);
1.1477 +err:
1.1478 + SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
1.1479 +err2:
1.1480 + if (ret != NULL) SSL_CTX_free(ret);
1.1481 + return(NULL);
1.1482 + }
1.1483 +
1.1484 +#if 0
1.1485 +static void SSL_COMP_free(SSL_COMP *comp)
1.1486 + { OPENSSL_free(comp); }
1.1487 +#endif
1.1488 +
1.1489 +EXPORT_C void SSL_CTX_free(SSL_CTX *a)
1.1490 + {
1.1491 + int i;
1.1492 +
1.1493 + if (a == NULL) return;
1.1494 +
1.1495 + i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX);
1.1496 +#ifdef REF_PRINT
1.1497 + REF_PRINT("SSL_CTX",a);
1.1498 +#endif
1.1499 + if (i > 0) return;
1.1500 +#ifdef REF_CHECK
1.1501 + if (i < 0)
1.1502 + {
1.1503 + fprintf(stderr,"SSL_CTX_free, bad reference count\n");
1.1504 + abort(); /* ok */
1.1505 + }
1.1506 +#endif
1.1507 +
1.1508 + if (a->param)
1.1509 + X509_VERIFY_PARAM_free(a->param);
1.1510 +
1.1511 + /*
1.1512 + * Free internal session cache. However: the remove_cb() may reference
1.1513 + * the ex_data of SSL_CTX, thus the ex_data store can only be removed
1.1514 + * after the sessions were flushed.
1.1515 + * As the ex_data handling routines might also touch the session cache,
1.1516 + * the most secure solution seems to be: empty (flush) the cache, then
1.1517 + * free ex_data, then finally free the cache.
1.1518 + * (See ticket [openssl.org #212].)
1.1519 + */
1.1520 + if (a->sessions != NULL)
1.1521 + SSL_CTX_flush_sessions(a,0);
1.1522 +
1.1523 + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
1.1524 +
1.1525 + if (a->sessions != NULL)
1.1526 + lh_free(a->sessions);
1.1527 +
1.1528 + if (a->cert_store != NULL)
1.1529 + X509_STORE_free(a->cert_store);
1.1530 + if (a->cipher_list != NULL)
1.1531 + sk_SSL_CIPHER_free(a->cipher_list);
1.1532 + if (a->cipher_list_by_id != NULL)
1.1533 + sk_SSL_CIPHER_free(a->cipher_list_by_id);
1.1534 + if (a->cert != NULL)
1.1535 + ssl_cert_free(a->cert);
1.1536 + if (a->client_CA != NULL)
1.1537 + sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
1.1538 + if (a->extra_certs != NULL)
1.1539 + sk_X509_pop_free(a->extra_certs,X509_free);
1.1540 +#if 0 /* This should never be done, since it removes a global database */
1.1541 + if (a->comp_methods != NULL)
1.1542 + sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
1.1543 +#else
1.1544 + a->comp_methods = NULL;
1.1545 +#endif
1.1546 + OPENSSL_free(a);
1.1547 + }
1.1548 +
1.1549 +EXPORT_C void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
1.1550 + {
1.1551 + ctx->default_passwd_callback=cb;
1.1552 + }
1.1553 +
1.1554 +EXPORT_C void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
1.1555 + {
1.1556 + ctx->default_passwd_callback_userdata=u;
1.1557 + }
1.1558 +
1.1559 +EXPORT_C void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg)
1.1560 + {
1.1561 + ctx->app_verify_callback=cb;
1.1562 + ctx->app_verify_arg=arg;
1.1563 + }
1.1564 +
1.1565 +EXPORT_C void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
1.1566 + {
1.1567 + ctx->verify_mode=mode;
1.1568 + ctx->default_verify_callback=cb;
1.1569 + }
1.1570 +
1.1571 +EXPORT_C void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
1.1572 + {
1.1573 + X509_VERIFY_PARAM_set_depth(ctx->param, depth);
1.1574 + }
1.1575 +
1.1576 +void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
1.1577 + {
1.1578 + CERT_PKEY *cpk;
1.1579 + int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
1.1580 + int rsa_enc_export,dh_rsa_export,dh_dsa_export;
1.1581 + int rsa_tmp_export,dh_tmp_export,kl;
1.1582 + unsigned long mask,emask;
1.1583 + int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
1.1584 +#ifndef OPENSSL_NO_ECDH
1.1585 + int have_ecdh_tmp;
1.1586 +#endif
1.1587 + X509 *x = NULL;
1.1588 + EVP_PKEY *ecc_pkey = NULL;
1.1589 + int signature_nid = 0;
1.1590 +
1.1591 + if (c == NULL) return;
1.1592 +
1.1593 + kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
1.1594 +
1.1595 +#ifndef OPENSSL_NO_RSA
1.1596 + rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
1.1597 + rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
1.1598 + (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
1.1599 +#else
1.1600 + rsa_tmp=rsa_tmp_export=0;
1.1601 +#endif
1.1602 +#ifndef OPENSSL_NO_DH
1.1603 + dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
1.1604 + dh_tmp_export=(c->dh_tmp_cb != NULL ||
1.1605 + (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
1.1606 +#else
1.1607 + dh_tmp=dh_tmp_export=0;
1.1608 +#endif
1.1609 +
1.1610 +#ifndef OPENSSL_NO_ECDH
1.1611 + have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
1.1612 +#endif
1.1613 + cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
1.1614 + rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
1.1615 + rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1.1616 + cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
1.1617 + rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
1.1618 + cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
1.1619 + dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
1.1620 + cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
1.1621 + dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
1.1622 + dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1.1623 + cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
1.1624 +/* FIX THIS EAY EAY EAY */
1.1625 + dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
1.1626 + dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1.1627 + cpk= &(c->pkeys[SSL_PKEY_ECC]);
1.1628 + have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
1.1629 + mask=0;
1.1630 + emask=0;
1.1631 +
1.1632 +#ifdef CIPHER_DEBUG
1.1633 + printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
1.1634 + rsa_tmp,rsa_tmp_export,dh_tmp,
1.1635 + rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
1.1636 +#endif
1.1637 +
1.1638 + if (rsa_enc || (rsa_tmp && rsa_sign))
1.1639 + mask|=SSL_kRSA;
1.1640 + if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
1.1641 + emask|=SSL_kRSA;
1.1642 +
1.1643 +#if 0
1.1644 + /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
1.1645 + if ( (dh_tmp || dh_rsa || dh_dsa) &&
1.1646 + (rsa_enc || rsa_sign || dsa_sign))
1.1647 + mask|=SSL_kEDH;
1.1648 + if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
1.1649 + (rsa_enc || rsa_sign || dsa_sign))
1.1650 + emask|=SSL_kEDH;
1.1651 +#endif
1.1652 +
1.1653 + if (dh_tmp_export)
1.1654 + emask|=SSL_kEDH;
1.1655 +
1.1656 + if (dh_tmp)
1.1657 + mask|=SSL_kEDH;
1.1658 +
1.1659 + if (dh_rsa) mask|=SSL_kDHr;
1.1660 + if (dh_rsa_export) emask|=SSL_kDHr;
1.1661 +
1.1662 + if (dh_dsa) mask|=SSL_kDHd;
1.1663 + if (dh_dsa_export) emask|=SSL_kDHd;
1.1664 +
1.1665 + if (rsa_enc || rsa_sign)
1.1666 + {
1.1667 + mask|=SSL_aRSA;
1.1668 + emask|=SSL_aRSA;
1.1669 + }
1.1670 +
1.1671 + if (dsa_sign)
1.1672 + {
1.1673 + mask|=SSL_aDSS;
1.1674 + emask|=SSL_aDSS;
1.1675 + }
1.1676 +
1.1677 + mask|=SSL_aNULL;
1.1678 + emask|=SSL_aNULL;
1.1679 +
1.1680 +#ifndef OPENSSL_NO_KRB5
1.1681 + mask|=SSL_kKRB5|SSL_aKRB5;
1.1682 + emask|=SSL_kKRB5|SSL_aKRB5;
1.1683 +#endif
1.1684 +
1.1685 + /* An ECC certificate may be usable for ECDH and/or
1.1686 + * ECDSA cipher suites depending on the key usage extension.
1.1687 + */
1.1688 + if (have_ecc_cert)
1.1689 + {
1.1690 + /* This call populates extension flags (ex_flags) */
1.1691 + x = (c->pkeys[SSL_PKEY_ECC]).x509;
1.1692 + X509_check_purpose(x, -1, 0);
1.1693 + ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
1.1694 + (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
1.1695 + ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
1.1696 + (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
1.1697 + ecc_pkey = X509_get_pubkey(x);
1.1698 + ecc_pkey_size = (ecc_pkey != NULL) ?
1.1699 + EVP_PKEY_bits(ecc_pkey) : 0;
1.1700 + EVP_PKEY_free(ecc_pkey);
1.1701 + if ((x->sig_alg) && (x->sig_alg->algorithm))
1.1702 + signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
1.1703 +#ifndef OPENSSL_NO_ECDH
1.1704 + if (ecdh_ok)
1.1705 + {
1.1706 + if ((signature_nid == NID_md5WithRSAEncryption) ||
1.1707 + (signature_nid == NID_md4WithRSAEncryption) ||
1.1708 + (signature_nid == NID_md2WithRSAEncryption))
1.1709 + {
1.1710 + mask|=SSL_kECDH|SSL_aRSA;
1.1711 + if (ecc_pkey_size <= 163)
1.1712 + emask|=SSL_kECDH|SSL_aRSA;
1.1713 + }
1.1714 + if (signature_nid == NID_ecdsa_with_SHA1)
1.1715 + {
1.1716 + mask|=SSL_kECDH|SSL_aECDSA;
1.1717 + if (ecc_pkey_size <= 163)
1.1718 + emask|=SSL_kECDH|SSL_aECDSA;
1.1719 + }
1.1720 + }
1.1721 +#endif
1.1722 +#ifndef OPENSSL_NO_ECDSA
1.1723 + if (ecdsa_ok)
1.1724 + {
1.1725 + mask|=SSL_aECDSA;
1.1726 + emask|=SSL_aECDSA;
1.1727 + }
1.1728 +#endif
1.1729 + }
1.1730 +
1.1731 +#ifndef OPENSSL_NO_ECDH
1.1732 + if (have_ecdh_tmp)
1.1733 + {
1.1734 + mask|=SSL_kECDHE;
1.1735 + emask|=SSL_kECDHE;
1.1736 + }
1.1737 +#endif
1.1738 + c->mask=mask;
1.1739 + c->export_mask=emask;
1.1740 + c->valid=1;
1.1741 + }
1.1742 +
1.1743 +/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
1.1744 +#define ku_reject(x, usage) \
1.1745 + (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
1.1746 +
1.1747 +int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
1.1748 + {
1.1749 + unsigned long alg = cs->algorithms;
1.1750 + EVP_PKEY *pkey = NULL;
1.1751 + int keysize = 0;
1.1752 + int signature_nid = 0;
1.1753 +
1.1754 + if (SSL_C_IS_EXPORT(cs))
1.1755 + {
1.1756 + /* ECDH key length in export ciphers must be <= 163 bits */
1.1757 + pkey = X509_get_pubkey(x);
1.1758 + if (pkey == NULL) return 0;
1.1759 + keysize = EVP_PKEY_bits(pkey);
1.1760 + EVP_PKEY_free(pkey);
1.1761 + if (keysize > 163) return 0;
1.1762 + }
1.1763 +
1.1764 + /* This call populates the ex_flags field correctly */
1.1765 + X509_check_purpose(x, -1, 0);
1.1766 + if ((x->sig_alg) && (x->sig_alg->algorithm))
1.1767 + signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
1.1768 + if (alg & SSL_kECDH)
1.1769 + {
1.1770 + /* key usage, if present, must allow key agreement */
1.1771 + if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
1.1772 + {
1.1773 + return 0;
1.1774 + }
1.1775 + if (alg & SSL_aECDSA)
1.1776 + {
1.1777 + /* signature alg must be ECDSA */
1.1778 + if (signature_nid != NID_ecdsa_with_SHA1)
1.1779 + {
1.1780 + return 0;
1.1781 + }
1.1782 + }
1.1783 + if (alg & SSL_aRSA)
1.1784 + {
1.1785 + /* signature alg must be RSA */
1.1786 + if ((signature_nid != NID_md5WithRSAEncryption) &&
1.1787 + (signature_nid != NID_md4WithRSAEncryption) &&
1.1788 + (signature_nid != NID_md2WithRSAEncryption))
1.1789 + {
1.1790 + return 0;
1.1791 + }
1.1792 + }
1.1793 + }
1.1794 + else if (alg & SSL_aECDSA)
1.1795 + {
1.1796 + /* key usage, if present, must allow signing */
1.1797 + if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
1.1798 + {
1.1799 + return 0;
1.1800 + }
1.1801 + }
1.1802 +
1.1803 + return 1; /* all checks are ok */
1.1804 + }
1.1805 +
1.1806 +/* THIS NEEDS CLEANING UP */
1.1807 +X509 *ssl_get_server_send_cert(SSL *s)
1.1808 + {
1.1809 + unsigned long alg,mask,kalg;
1.1810 + CERT *c;
1.1811 + int i,is_export;
1.1812 +
1.1813 + c=s->cert;
1.1814 + ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
1.1815 + alg=s->s3->tmp.new_cipher->algorithms;
1.1816 + is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
1.1817 + mask=is_export?c->export_mask:c->mask;
1.1818 + kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
1.1819 +
1.1820 + if (kalg & SSL_kECDH)
1.1821 + {
1.1822 + /* we don't need to look at SSL_kECDHE
1.1823 + * since no certificate is needed for
1.1824 + * anon ECDH and for authenticated
1.1825 + * ECDHE, the check for the auth
1.1826 + * algorithm will set i correctly
1.1827 + * NOTE: For ECDH-RSA, we need an ECC
1.1828 + * not an RSA cert but for ECDHE-RSA
1.1829 + * we need an RSA cert. Placing the
1.1830 + * checks for SSL_kECDH before RSA
1.1831 + * checks ensures the correct cert is chosen.
1.1832 + */
1.1833 + i=SSL_PKEY_ECC;
1.1834 + }
1.1835 + else if (kalg & SSL_aECDSA)
1.1836 + {
1.1837 + i=SSL_PKEY_ECC;
1.1838 + }
1.1839 + else if (kalg & SSL_kDHr)
1.1840 + i=SSL_PKEY_DH_RSA;
1.1841 + else if (kalg & SSL_kDHd)
1.1842 + i=SSL_PKEY_DH_DSA;
1.1843 + else if (kalg & SSL_aDSS)
1.1844 + i=SSL_PKEY_DSA_SIGN;
1.1845 + else if (kalg & SSL_aRSA)
1.1846 + {
1.1847 + if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
1.1848 + i=SSL_PKEY_RSA_SIGN;
1.1849 + else
1.1850 + i=SSL_PKEY_RSA_ENC;
1.1851 + }
1.1852 + else if (kalg & SSL_aKRB5)
1.1853 + {
1.1854 + /* VRS something else here? */
1.1855 + return(NULL);
1.1856 + }
1.1857 + else /* if (kalg & SSL_aNULL) */
1.1858 + {
1.1859 + SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
1.1860 + return(NULL);
1.1861 + }
1.1862 + if (c->pkeys[i].x509 == NULL) return(NULL);
1.1863 +
1.1864 + return(c->pkeys[i].x509);
1.1865 + }
1.1866 +
1.1867 +EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
1.1868 + {
1.1869 + unsigned long alg;
1.1870 + CERT *c;
1.1871 +
1.1872 + alg=cipher->algorithms;
1.1873 + c=s->cert;
1.1874 +
1.1875 + if ((alg & SSL_aDSS) &&
1.1876 + (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
1.1877 + return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
1.1878 + else if (alg & SSL_aRSA)
1.1879 + {
1.1880 + if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
1.1881 + return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
1.1882 + else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
1.1883 + return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
1.1884 + else
1.1885 + return(NULL);
1.1886 + }
1.1887 + else if ((alg & SSL_aECDSA) &&
1.1888 + (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
1.1889 + return(c->pkeys[SSL_PKEY_ECC].privatekey);
1.1890 + else /* if (alg & SSL_aNULL) */
1.1891 + {
1.1892 + SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
1.1893 + return(NULL);
1.1894 + }
1.1895 + }
1.1896 +
1.1897 +void ssl_update_cache(SSL *s,int mode)
1.1898 + {
1.1899 + int i;
1.1900 +
1.1901 + /* If the session_id_length is 0, we are not supposed to cache it,
1.1902 + * and it would be rather hard to do anyway :-) */
1.1903 + if (s->session->session_id_length == 0) return;
1.1904 +
1.1905 + i=s->ctx->session_cache_mode;
1.1906 + if ((i & mode) && (!s->hit)
1.1907 + && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
1.1908 + || SSL_CTX_add_session(s->ctx,s->session))
1.1909 + && (s->ctx->new_session_cb != NULL))
1.1910 + {
1.1911 + CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
1.1912 + if (!s->ctx->new_session_cb(s,s->session))
1.1913 + SSL_SESSION_free(s->session);
1.1914 + }
1.1915 +
1.1916 + /* auto flush every 255 connections */
1.1917 + if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
1.1918 + ((i & mode) == mode))
1.1919 + {
1.1920 + if ( (((mode & SSL_SESS_CACHE_CLIENT)
1.1921 + ?s->ctx->stats.sess_connect_good
1.1922 + :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
1.1923 + {
1.1924 + SSL_CTX_flush_sessions(s->ctx,(unsigned long)time(NULL));
1.1925 + }
1.1926 + }
1.1927 + }
1.1928 +
1.1929 +EXPORT_C SSL_METHOD *SSL_get_ssl_method(SSL *s)
1.1930 + {
1.1931 + return(s->method);
1.1932 + }
1.1933 +
1.1934 +EXPORT_C int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
1.1935 + {
1.1936 + int conn= -1;
1.1937 + int ret=1;
1.1938 +
1.1939 + if (s->method != meth)
1.1940 + {
1.1941 + if (s->handshake_func != NULL)
1.1942 + conn=(s->handshake_func == s->method->ssl_connect);
1.1943 +
1.1944 + if (s->method->version == meth->version)
1.1945 + s->method=meth;
1.1946 + else
1.1947 + {
1.1948 + s->method->ssl_free(s);
1.1949 + s->method=meth;
1.1950 + ret=s->method->ssl_new(s);
1.1951 + }
1.1952 +
1.1953 + if (conn == 1)
1.1954 + s->handshake_func=meth->ssl_connect;
1.1955 + else if (conn == 0)
1.1956 + s->handshake_func=meth->ssl_accept;
1.1957 + }
1.1958 + return(ret);
1.1959 + }
1.1960 +
1.1961 +EXPORT_C int SSL_get_error(const SSL *s,int i)
1.1962 + {
1.1963 + int reason;
1.1964 + unsigned long l;
1.1965 + BIO *bio;
1.1966 +
1.1967 + if (i > 0) return(SSL_ERROR_NONE);
1.1968 +
1.1969 + /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
1.1970 + * etc, where we do encode the error */
1.1971 + if ((l=ERR_peek_error()) != 0)
1.1972 + {
1.1973 + if (ERR_GET_LIB(l) == ERR_LIB_SYS)
1.1974 + return(SSL_ERROR_SYSCALL);
1.1975 + else
1.1976 + return(SSL_ERROR_SSL);
1.1977 + }
1.1978 +
1.1979 + if ((i < 0) && SSL_want_read(s))
1.1980 + {
1.1981 + bio=SSL_get_rbio(s);
1.1982 + if (BIO_should_read(bio))
1.1983 + return(SSL_ERROR_WANT_READ);
1.1984 + else if (BIO_should_write(bio))
1.1985 + /* This one doesn't make too much sense ... We never try
1.1986 + * to write to the rbio, and an application program where
1.1987 + * rbio and wbio are separate couldn't even know what it
1.1988 + * should wait for.
1.1989 + * However if we ever set s->rwstate incorrectly
1.1990 + * (so that we have SSL_want_read(s) instead of
1.1991 + * SSL_want_write(s)) and rbio and wbio *are* the same,
1.1992 + * this test works around that bug; so it might be safer
1.1993 + * to keep it. */
1.1994 + return(SSL_ERROR_WANT_WRITE);
1.1995 + else if (BIO_should_io_special(bio))
1.1996 + {
1.1997 + reason=BIO_get_retry_reason(bio);
1.1998 + if (reason == BIO_RR_CONNECT)
1.1999 + return(SSL_ERROR_WANT_CONNECT);
1.2000 + else if (reason == BIO_RR_ACCEPT)
1.2001 + return(SSL_ERROR_WANT_ACCEPT);
1.2002 + else
1.2003 + return(SSL_ERROR_SYSCALL); /* unknown */
1.2004 + }
1.2005 + }
1.2006 +
1.2007 + if ((i < 0) && SSL_want_write(s))
1.2008 + {
1.2009 + bio=SSL_get_wbio(s);
1.2010 + if (BIO_should_write(bio))
1.2011 + return(SSL_ERROR_WANT_WRITE);
1.2012 + else if (BIO_should_read(bio))
1.2013 + /* See above (SSL_want_read(s) with BIO_should_write(bio)) */
1.2014 + return(SSL_ERROR_WANT_READ);
1.2015 + else if (BIO_should_io_special(bio))
1.2016 + {
1.2017 + reason=BIO_get_retry_reason(bio);
1.2018 + if (reason == BIO_RR_CONNECT)
1.2019 + return(SSL_ERROR_WANT_CONNECT);
1.2020 + else if (reason == BIO_RR_ACCEPT)
1.2021 + return(SSL_ERROR_WANT_ACCEPT);
1.2022 + else
1.2023 + return(SSL_ERROR_SYSCALL);
1.2024 + }
1.2025 + }
1.2026 + if ((i < 0) && SSL_want_x509_lookup(s))
1.2027 + {
1.2028 + return(SSL_ERROR_WANT_X509_LOOKUP);
1.2029 + }
1.2030 +
1.2031 + if (i == 0)
1.2032 + {
1.2033 + if (s->version == SSL2_VERSION)
1.2034 + {
1.2035 + /* assume it is the socket being closed */
1.2036 + return(SSL_ERROR_ZERO_RETURN);
1.2037 + }
1.2038 + else
1.2039 + {
1.2040 + if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
1.2041 + (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
1.2042 + return(SSL_ERROR_ZERO_RETURN);
1.2043 + }
1.2044 + }
1.2045 + return(SSL_ERROR_SYSCALL);
1.2046 + }
1.2047 +
1.2048 +EXPORT_C int SSL_do_handshake(SSL *s)
1.2049 + {
1.2050 + int ret=1;
1.2051 +
1.2052 + if (s->handshake_func == NULL)
1.2053 + {
1.2054 + SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
1.2055 + return(-1);
1.2056 + }
1.2057 +
1.2058 + s->method->ssl_renegotiate_check(s);
1.2059 +
1.2060 + if (SSL_in_init(s) || SSL_in_before(s))
1.2061 + {
1.2062 + ret=s->handshake_func(s);
1.2063 + }
1.2064 + return(ret);
1.2065 + }
1.2066 +
1.2067 +/* For the next 2 functions, SSL_clear() sets shutdown and so
1.2068 + * one of these calls will reset it */
1.2069 +EXPORT_C void SSL_set_accept_state(SSL *s)
1.2070 + {
1.2071 + s->server=1;
1.2072 + s->shutdown=0;
1.2073 + s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
1.2074 + s->handshake_func=s->method->ssl_accept;
1.2075 + /* clear the current cipher */
1.2076 + ssl_clear_cipher_ctx(s);
1.2077 + }
1.2078 +
1.2079 +EXPORT_C void SSL_set_connect_state(SSL *s)
1.2080 + {
1.2081 + s->server=0;
1.2082 + s->shutdown=0;
1.2083 + s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
1.2084 + s->handshake_func=s->method->ssl_connect;
1.2085 + /* clear the current cipher */
1.2086 + ssl_clear_cipher_ctx(s);
1.2087 + }
1.2088 +
1.2089 +int ssl_undefined_function(SSL *s)
1.2090 + {
1.2091 + SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1.2092 + return(0);
1.2093 + }
1.2094 +
1.2095 +int ssl_undefined_void_function(void)
1.2096 + {
1.2097 + SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1.2098 + return(0);
1.2099 + }
1.2100 +
1.2101 +int ssl_undefined_const_function(const SSL *s)
1.2102 + {
1.2103 + SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1.2104 + return(0);
1.2105 + }
1.2106 +
1.2107 +SSL_METHOD *ssl_bad_method(int ver)
1.2108 + {
1.2109 + SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1.2110 + return(NULL);
1.2111 + }
1.2112 +
1.2113 +EXPORT_C const char *SSL_get_version(const SSL *s)
1.2114 + {
1.2115 + if (s->version == TLS1_VERSION)
1.2116 + return("TLSv1");
1.2117 + else if (s->version == SSL3_VERSION)
1.2118 + return("SSLv3");
1.2119 + else if (s->version == SSL2_VERSION)
1.2120 + return("SSLv2");
1.2121 + else
1.2122 + return("unknown");
1.2123 + }
1.2124 +
1.2125 +EXPORT_C SSL *SSL_dup(SSL *s)
1.2126 + {
1.2127 + STACK_OF(X509_NAME) *sk;
1.2128 + X509_NAME *xn;
1.2129 + SSL *ret;
1.2130 + int i;
1.2131 +
1.2132 + if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
1.2133 + return(NULL);
1.2134 +
1.2135 + ret->version = s->version;
1.2136 + ret->type = s->type;
1.2137 + ret->method = s->method;
1.2138 +
1.2139 + if (s->session != NULL)
1.2140 + {
1.2141 + /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
1.2142 + SSL_copy_session_id(ret,s);
1.2143 + }
1.2144 + else
1.2145 + {
1.2146 + /* No session has been established yet, so we have to expect
1.2147 + * that s->cert or ret->cert will be changed later --
1.2148 + * they should not both point to the same object,
1.2149 + * and thus we can't use SSL_copy_session_id. */
1.2150 +
1.2151 + ret->method->ssl_free(ret);
1.2152 + ret->method = s->method;
1.2153 + ret->method->ssl_new(ret);
1.2154 +
1.2155 + if (s->cert != NULL)
1.2156 + {
1.2157 + if (ret->cert != NULL)
1.2158 + {
1.2159 + ssl_cert_free(ret->cert);
1.2160 + }
1.2161 + ret->cert = ssl_cert_dup(s->cert);
1.2162 + if (ret->cert == NULL)
1.2163 + goto err;
1.2164 + }
1.2165 +
1.2166 + SSL_set_session_id_context(ret,
1.2167 + s->sid_ctx, s->sid_ctx_length);
1.2168 + }
1.2169 +
1.2170 + ret->options=s->options;
1.2171 + ret->mode=s->mode;
1.2172 + SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s));
1.2173 + SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
1.2174 + ret->msg_callback = s->msg_callback;
1.2175 + ret->msg_callback_arg = s->msg_callback_arg;
1.2176 + SSL_set_verify(ret,SSL_get_verify_mode(s),
1.2177 + SSL_get_verify_callback(s));
1.2178 + SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
1.2179 + ret->generate_session_id = s->generate_session_id;
1.2180 +
1.2181 + SSL_set_info_callback(ret,SSL_get_info_callback(s));
1.2182 +
1.2183 + ret->debug=s->debug;
1.2184 +
1.2185 + /* copy app data, a little dangerous perhaps */
1.2186 + if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
1.2187 + goto err;
1.2188 +
1.2189 + /* setup rbio, and wbio */
1.2190 + if (s->rbio != NULL)
1.2191 + {
1.2192 + if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
1.2193 + goto err;
1.2194 + }
1.2195 + if (s->wbio != NULL)
1.2196 + {
1.2197 + if (s->wbio != s->rbio)
1.2198 + {
1.2199 + if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
1.2200 + goto err;
1.2201 + }
1.2202 + else
1.2203 + ret->wbio=ret->rbio;
1.2204 + }
1.2205 + ret->rwstate = s->rwstate;
1.2206 + ret->in_handshake = s->in_handshake;
1.2207 + ret->handshake_func = s->handshake_func;
1.2208 + ret->server = s->server;
1.2209 + ret->new_session = s->new_session;
1.2210 + ret->quiet_shutdown = s->quiet_shutdown;
1.2211 + ret->shutdown=s->shutdown;
1.2212 + ret->state=s->state; /* SSL_dup does not really work at any state, though */
1.2213 + ret->rstate=s->rstate;
1.2214 + ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
1.2215 + ret->hit=s->hit;
1.2216 +
1.2217 + X509_VERIFY_PARAM_inherit(ret->param, s->param);
1.2218 +
1.2219 + /* dup the cipher_list and cipher_list_by_id stacks */
1.2220 + if (s->cipher_list != NULL)
1.2221 + {
1.2222 + if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
1.2223 + goto err;
1.2224 + }
1.2225 + if (s->cipher_list_by_id != NULL)
1.2226 + if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id))
1.2227 + == NULL)
1.2228 + goto err;
1.2229 +
1.2230 + /* Dup the client_CA list */
1.2231 + if (s->client_CA != NULL)
1.2232 + {
1.2233 + if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
1.2234 + ret->client_CA=sk;
1.2235 + for (i=0; i<sk_X509_NAME_num(sk); i++)
1.2236 + {
1.2237 + xn=sk_X509_NAME_value(sk,i);
1.2238 + if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL)
1.2239 + {
1.2240 + X509_NAME_free(xn);
1.2241 + goto err;
1.2242 + }
1.2243 + }
1.2244 + }
1.2245 +
1.2246 + if (0)
1.2247 + {
1.2248 +err:
1.2249 + if (ret != NULL) SSL_free(ret);
1.2250 + ret=NULL;
1.2251 + }
1.2252 + return(ret);
1.2253 + }
1.2254 +
1.2255 +void ssl_clear_cipher_ctx(SSL *s)
1.2256 + {
1.2257 + if (s->enc_read_ctx != NULL)
1.2258 + {
1.2259 + EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
1.2260 + OPENSSL_free(s->enc_read_ctx);
1.2261 + s->enc_read_ctx=NULL;
1.2262 + }
1.2263 + if (s->enc_write_ctx != NULL)
1.2264 + {
1.2265 + EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
1.2266 + OPENSSL_free(s->enc_write_ctx);
1.2267 + s->enc_write_ctx=NULL;
1.2268 + }
1.2269 +#ifndef OPENSSL_NO_COMP
1.2270 + if (s->expand != NULL)
1.2271 + {
1.2272 + COMP_CTX_free(s->expand);
1.2273 + s->expand=NULL;
1.2274 + }
1.2275 + if (s->compress != NULL)
1.2276 + {
1.2277 + COMP_CTX_free(s->compress);
1.2278 + s->compress=NULL;
1.2279 + }
1.2280 +#endif
1.2281 + }
1.2282 +
1.2283 +/* Fix this function so that it takes an optional type parameter */
1.2284 +EXPORT_C X509 *SSL_get_certificate(const SSL *s)
1.2285 + {
1.2286 + if (s->cert != NULL)
1.2287 + return(s->cert->key->x509);
1.2288 + else
1.2289 + return(NULL);
1.2290 + }
1.2291 +
1.2292 +/* Fix this function so that it takes an optional type parameter */
1.2293 +EXPORT_C EVP_PKEY *SSL_get_privatekey(SSL *s)
1.2294 + {
1.2295 + if (s->cert != NULL)
1.2296 + return(s->cert->key->privatekey);
1.2297 + else
1.2298 + return(NULL);
1.2299 + }
1.2300 +
1.2301 +EXPORT_C SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
1.2302 + {
1.2303 + if ((s->session != NULL) && (s->session->cipher != NULL))
1.2304 + return(s->session->cipher);
1.2305 + return(NULL);
1.2306 + }
1.2307 +#ifdef OPENSSL_NO_COMP
1.2308 +EXPORT_C const void *SSL_get_current_compression(SSL *s)
1.2309 + {
1.2310 + return NULL;
1.2311 + }
1.2312 +EXPORT_C const void *SSL_get_current_expansion(SSL *s)
1.2313 + {
1.2314 + return NULL;
1.2315 + }
1.2316 +#else
1.2317 +
1.2318 +EXPORT_C const COMP_METHOD *SSL_get_current_compression(SSL *s)
1.2319 + {
1.2320 + if (s->compress != NULL)
1.2321 + return(s->compress->meth);
1.2322 + return(NULL);
1.2323 + }
1.2324 +
1.2325 +EXPORT_C const COMP_METHOD *SSL_get_current_expansion(SSL *s)
1.2326 + {
1.2327 + if (s->expand != NULL)
1.2328 + return(s->expand->meth);
1.2329 + return(NULL);
1.2330 + }
1.2331 +#endif
1.2332 +
1.2333 +int ssl_init_wbio_buffer(SSL *s,int push)
1.2334 + {
1.2335 + BIO *bbio;
1.2336 +
1.2337 + if (s->bbio == NULL)
1.2338 + {
1.2339 + bbio=BIO_new(BIO_f_buffer());
1.2340 + if (bbio == NULL) return(0);
1.2341 + s->bbio=bbio;
1.2342 + }
1.2343 + else
1.2344 + {
1.2345 + bbio=s->bbio;
1.2346 + if (s->bbio == s->wbio)
1.2347 + s->wbio=BIO_pop(s->wbio);
1.2348 + }
1.2349 + (void)BIO_reset(bbio);
1.2350 +/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
1.2351 + if (!BIO_set_read_buffer_size(bbio,1))
1.2352 + {
1.2353 + SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB);
1.2354 + return(0);
1.2355 + }
1.2356 + if (push)
1.2357 + {
1.2358 + if (s->wbio != bbio)
1.2359 + s->wbio=BIO_push(bbio,s->wbio);
1.2360 + }
1.2361 + else
1.2362 + {
1.2363 + if (s->wbio == bbio)
1.2364 + s->wbio=BIO_pop(bbio);
1.2365 + }
1.2366 + return(1);
1.2367 + }
1.2368 +
1.2369 +void ssl_free_wbio_buffer(SSL *s)
1.2370 + {
1.2371 + if (s->bbio == NULL) return;
1.2372 +
1.2373 + if (s->bbio == s->wbio)
1.2374 + {
1.2375 + /* remove buffering */
1.2376 + s->wbio=BIO_pop(s->wbio);
1.2377 +#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */
1.2378 + assert(s->wbio != NULL);
1.2379 +#endif
1.2380 + }
1.2381 + BIO_free(s->bbio);
1.2382 + s->bbio=NULL;
1.2383 + }
1.2384 +
1.2385 +EXPORT_C void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
1.2386 + {
1.2387 + ctx->quiet_shutdown=mode;
1.2388 + }
1.2389 +
1.2390 +EXPORT_C int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
1.2391 + {
1.2392 + return(ctx->quiet_shutdown);
1.2393 + }
1.2394 +
1.2395 +EXPORT_C void SSL_set_quiet_shutdown(SSL *s,int mode)
1.2396 + {
1.2397 + s->quiet_shutdown=mode;
1.2398 + }
1.2399 +
1.2400 +EXPORT_C int SSL_get_quiet_shutdown(const SSL *s)
1.2401 + {
1.2402 + return(s->quiet_shutdown);
1.2403 + }
1.2404 +
1.2405 +EXPORT_C void SSL_set_shutdown(SSL *s,int mode)
1.2406 + {
1.2407 + s->shutdown=mode;
1.2408 + }
1.2409 +
1.2410 +EXPORT_C int SSL_get_shutdown(const SSL *s)
1.2411 + {
1.2412 + return(s->shutdown);
1.2413 + }
1.2414 +
1.2415 +EXPORT_C int SSL_version(const SSL *s)
1.2416 + {
1.2417 + return(s->version);
1.2418 + }
1.2419 +
1.2420 +EXPORT_C SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
1.2421 + {
1.2422 + return(ssl->ctx);
1.2423 + }
1.2424 +
1.2425 +EXPORT_C SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
1.2426 + {
1.2427 + if (ssl->ctx == ctx)
1.2428 + return ssl->ctx;
1.2429 +
1.2430 + if (ssl->cert != NULL)
1.2431 + ssl_cert_free(ssl->cert);
1.2432 + ssl->cert = ssl_cert_dup(ctx->cert);
1.2433 + CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
1.2434 + if (ssl->ctx != NULL)
1.2435 + SSL_CTX_free(ssl->ctx); /* decrement reference count */
1.2436 + ssl->ctx = ctx;
1.2437 + return(ssl->ctx);
1.2438 + }
1.2439 +#ifndef OPENSSL_NO_STDIO
1.2440 +EXPORT_C int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
1.2441 + {
1.2442 + return(X509_STORE_set_default_paths(ctx->cert_store));
1.2443 + }
1.2444 +
1.2445 +EXPORT_C int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
1.2446 + const char *CApath)
1.2447 + {
1.2448 + return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
1.2449 + }
1.2450 +#endif
1.2451 +
1.2452 +EXPORT_C void SSL_set_info_callback(SSL *ssl,
1.2453 + void (*cb)(const SSL *ssl,int type,int val))
1.2454 + {
1.2455 + ssl->info_callback=cb;
1.2456 + }
1.2457 +
1.2458 +/* One compiler (Diab DCC) doesn't like argument names in returned
1.2459 + function pointer. */
1.2460 +EXPORT_C void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
1.2461 + {
1.2462 + return ssl->info_callback;
1.2463 + }
1.2464 +
1.2465 +EXPORT_C int SSL_state(const SSL *ssl)
1.2466 + {
1.2467 + return(ssl->state);
1.2468 + }
1.2469 +
1.2470 +EXPORT_C void SSL_set_verify_result(SSL *ssl,long arg)
1.2471 + {
1.2472 + ssl->verify_result=arg;
1.2473 + }
1.2474 +
1.2475 +EXPORT_C long SSL_get_verify_result(const SSL *ssl)
1.2476 + {
1.2477 + return(ssl->verify_result);
1.2478 + }
1.2479 +
1.2480 +EXPORT_C int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
1.2481 + CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
1.2482 + {
1.2483 + return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
1.2484 + new_func, dup_func, free_func);
1.2485 + }
1.2486 +
1.2487 +EXPORT_C int SSL_set_ex_data(SSL *s,int idx,void *arg)
1.2488 + {
1.2489 + return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
1.2490 + }
1.2491 +
1.2492 +EXPORT_C void *SSL_get_ex_data(const SSL *s,int idx)
1.2493 + {
1.2494 + return(CRYPTO_get_ex_data(&s->ex_data,idx));
1.2495 + }
1.2496 +
1.2497 +EXPORT_C int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
1.2498 + CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
1.2499 + {
1.2500 + return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
1.2501 + new_func, dup_func, free_func);
1.2502 + }
1.2503 +
1.2504 +EXPORT_C int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
1.2505 + {
1.2506 + return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
1.2507 + }
1.2508 +
1.2509 +EXPORT_C void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
1.2510 + {
1.2511 + return(CRYPTO_get_ex_data(&s->ex_data,idx));
1.2512 + }
1.2513 +
1.2514 +int ssl_ok(SSL *s)
1.2515 + {
1.2516 + return(1);
1.2517 + }
1.2518 +
1.2519 +EXPORT_C X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
1.2520 + {
1.2521 + return(ctx->cert_store);
1.2522 + }
1.2523 +
1.2524 +EXPORT_C void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
1.2525 + {
1.2526 + if (ctx->cert_store != NULL)
1.2527 + X509_STORE_free(ctx->cert_store);
1.2528 + ctx->cert_store=store;
1.2529 + }
1.2530 +
1.2531 +EXPORT_C int SSL_want(const SSL *s)
1.2532 + {
1.2533 + return(s->rwstate);
1.2534 + }
1.2535 +
1.2536 +/*!
1.2537 + * \brief Set the callback for generating temporary RSA keys.
1.2538 + * \param ctx the SSL context.
1.2539 + * \param cb the callback
1.2540 + */
1.2541 +
1.2542 +#ifndef OPENSSL_NO_RSA
1.2543 +EXPORT_C void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
1.2544 + int is_export,
1.2545 + int keylength))
1.2546 + {
1.2547 + SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
1.2548 + }
1.2549 +
1.2550 +EXPORT_C void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
1.2551 + int is_export,
1.2552 + int keylength))
1.2553 + {
1.2554 + SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
1.2555 + }
1.2556 +#endif
1.2557 +
1.2558 +#ifdef DOXYGEN
1.2559 +/*!
1.2560 + * \brief The RSA temporary key callback function.
1.2561 + * \param ssl the SSL session.
1.2562 + * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
1.2563 + * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
1.2564 + * of the required key in bits.
1.2565 + * \return the temporary RSA key.
1.2566 + * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
1.2567 + */
1.2568 +
1.2569 +RSA *cb(SSL *ssl,int is_export,int keylength)
1.2570 + {}
1.2571 +#endif
1.2572 +
1.2573 +/*!
1.2574 + * \brief Set the callback for generating temporary DH keys.
1.2575 + * \param ctx the SSL context.
1.2576 + * \param dh the callback
1.2577 + */
1.2578 +
1.2579 +#ifndef OPENSSL_NO_DH
1.2580 +EXPORT_C void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
1.2581 + int keylength))
1.2582 + {
1.2583 + SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
1.2584 + }
1.2585 +
1.2586 +EXPORT_C void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
1.2587 + int keylength))
1.2588 + {
1.2589 + SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
1.2590 + }
1.2591 +#endif
1.2592 +
1.2593 +#ifndef OPENSSL_NO_ECDH
1.2594 +EXPORT_C void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
1.2595 + int keylength))
1.2596 + {
1.2597 + SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
1.2598 + }
1.2599 +
1.2600 +EXPORT_C void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
1.2601 + int keylength))
1.2602 + {
1.2603 + SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
1.2604 + }
1.2605 +#endif
1.2606 +
1.2607 +
1.2608 +EXPORT_C void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
1.2609 + {
1.2610 + SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
1.2611 + }
1.2612 +EXPORT_C void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
1.2613 + {
1.2614 + SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
1.2615 + }
1.2616 +
1.2617 +
1.2618 +
1.2619 +#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
1.2620 +#include "../crypto/bio/bss_file.c"
1.2621 +#endif
1.2622 +
1.2623 +IMPLEMENT_STACK_OF(SSL_CIPHER)
1.2624 +IMPLEMENT_STACK_OF(SSL_COMP)