summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2013-07-22 14:40:46 +0000
committercvs2svn <admin@example.com>2013-07-22 14:40:46 +0000
commita774ec75c287e97bb3c5d6d173106c3ffc34cecd (patch)
treebd780ec06a0ecf4266671f44fd591dce8dafdf32 /src/lib/libssl/ssl
parent8672232afd26154405111b9f6b8a691a6e239d06 (diff)
downloadopenbsd-OPENBSD_5_4_BASE.tar.gz
openbsd-OPENBSD_5_4_BASE.tar.bz2
openbsd-OPENBSD_5_4_BASE.zip
This commit was manufactured by cvs2git to create tag 'OPENBSD_5_4_BASE'.OPENBSD_5_4_BASE
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl.h2573
-rw-r--r--src/lib/libssl/ssl2.h272
-rw-r--r--src/lib/libssl/ssl23.h83
-rw-r--r--src/lib/libssl/ssl3.h678
-rw-r--r--src/lib/libssl/ssl_algs.c149
-rw-r--r--src/lib/libssl/ssl_asn1.c642
-rw-r--r--src/lib/libssl/ssl_cert.c853
-rw-r--r--src/lib/libssl/ssl_ciph.c1852
-rw-r--r--src/lib/libssl/ssl_err.c609
-rw-r--r--src/lib/libssl/ssl_err2.c70
-rw-r--r--src/lib/libssl/ssl_lib.c3248
-rw-r--r--src/lib/libssl/ssl_locl.h1172
-rw-r--r--src/lib/libssl/ssl_rsa.c779
-rw-r--r--src/lib/libssl/ssl_sess.c1159
-rw-r--r--src/lib/libssl/ssl_stat.c567
-rw-r--r--src/lib/libssl/ssl_txt.c248
16 files changed, 0 insertions, 14954 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
deleted file mode 100644
index 8b0c2a2dac..0000000000
--- a/src/lib/libssl/ssl.h
+++ /dev/null
@@ -1,2573 +0,0 @@
1/* ssl/ssl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#ifndef HEADER_SSL_H
144#define HEADER_SSL_H
145
146#include <openssl/e_os2.h>
147
148#ifndef OPENSSL_NO_COMP
149#include <openssl/comp.h>
150#endif
151#ifndef OPENSSL_NO_BIO
152#include <openssl/bio.h>
153#endif
154#ifndef OPENSSL_NO_DEPRECATED
155#ifndef OPENSSL_NO_X509
156#include <openssl/x509.h>
157#endif
158#include <openssl/crypto.h>
159#include <openssl/lhash.h>
160#include <openssl/buffer.h>
161#endif
162#include <openssl/pem.h>
163#include <openssl/hmac.h>
164
165#include <openssl/kssl.h>
166#include <openssl/safestack.h>
167#include <openssl/symhacks.h>
168
169#ifdef __cplusplus
170extern "C" {
171#endif
172
173/* SSLeay version number for ASN.1 encoding of the session information */
174/* Version 0 - initial version
175 * Version 1 - added the optional peer certificate
176 */
177#define SSL_SESSION_ASN1_VERSION 0x0001
178
179/* text strings for the ciphers */
180#define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5
181#define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5
182#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5
183#define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5
184#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5
185#define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5
186#define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5
187#define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA
188#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
189#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
190
191/* VRS Additional Kerberos5 entries
192 */
193#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
194#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
195#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA
196#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
197#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
198#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
199#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5
200#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
201
202#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
203#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA
204#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA
205#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
206#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5
207#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5
208
209#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
210#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
211#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
212#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
213#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
214#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
215#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256
216
217#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
218#define SSL_MAX_SID_CTX_LENGTH 32
219
220#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8)
221#define SSL_MAX_KEY_ARG_LENGTH 8
222#define SSL_MAX_MASTER_KEY_LENGTH 48
223
224
225/* These are used to specify which ciphers to use and not to use */
226
227#define SSL_TXT_EXP40 "EXPORT40"
228#define SSL_TXT_EXP56 "EXPORT56"
229#define SSL_TXT_LOW "LOW"
230#define SSL_TXT_MEDIUM "MEDIUM"
231#define SSL_TXT_HIGH "HIGH"
232#define SSL_TXT_FIPS "FIPS"
233
234#define SSL_TXT_kFZA "kFZA" /* unused! */
235#define SSL_TXT_aFZA "aFZA" /* unused! */
236#define SSL_TXT_eFZA "eFZA" /* unused! */
237#define SSL_TXT_FZA "FZA" /* unused! */
238
239#define SSL_TXT_aNULL "aNULL"
240#define SSL_TXT_eNULL "eNULL"
241#define SSL_TXT_NULL "NULL"
242
243#define SSL_TXT_kRSA "kRSA"
244#define SSL_TXT_kDHr "kDHr" /* no such ciphersuites supported! */
245#define SSL_TXT_kDHd "kDHd" /* no such ciphersuites supported! */
246#define SSL_TXT_kDH "kDH" /* no such ciphersuites supported! */
247#define SSL_TXT_kEDH "kEDH"
248#define SSL_TXT_kKRB5 "kKRB5"
249#define SSL_TXT_kECDHr "kECDHr"
250#define SSL_TXT_kECDHe "kECDHe"
251#define SSL_TXT_kECDH "kECDH"
252#define SSL_TXT_kEECDH "kEECDH"
253#define SSL_TXT_kPSK "kPSK"
254#define SSL_TXT_kGOST "kGOST"
255#define SSL_TXT_kSRP "kSRP"
256
257#define SSL_TXT_aRSA "aRSA"
258#define SSL_TXT_aDSS "aDSS"
259#define SSL_TXT_aDH "aDH" /* no such ciphersuites supported! */
260#define SSL_TXT_aECDH "aECDH"
261#define SSL_TXT_aKRB5 "aKRB5"
262#define SSL_TXT_aECDSA "aECDSA"
263#define SSL_TXT_aPSK "aPSK"
264#define SSL_TXT_aGOST94 "aGOST94"
265#define SSL_TXT_aGOST01 "aGOST01"
266#define SSL_TXT_aGOST "aGOST"
267
268#define SSL_TXT_DSS "DSS"
269#define SSL_TXT_DH "DH"
270#define SSL_TXT_EDH "EDH" /* same as "kEDH:-ADH" */
271#define SSL_TXT_ADH "ADH"
272#define SSL_TXT_RSA "RSA"
273#define SSL_TXT_ECDH "ECDH"
274#define SSL_TXT_EECDH "EECDH" /* same as "kEECDH:-AECDH" */
275#define SSL_TXT_AECDH "AECDH"
276#define SSL_TXT_ECDSA "ECDSA"
277#define SSL_TXT_KRB5 "KRB5"
278#define SSL_TXT_PSK "PSK"
279#define SSL_TXT_SRP "SRP"
280
281#define SSL_TXT_DES "DES"
282#define SSL_TXT_3DES "3DES"
283#define SSL_TXT_RC4 "RC4"
284#define SSL_TXT_RC2 "RC2"
285#define SSL_TXT_IDEA "IDEA"
286#define SSL_TXT_SEED "SEED"
287#define SSL_TXT_AES128 "AES128"
288#define SSL_TXT_AES256 "AES256"
289#define SSL_TXT_AES "AES"
290#define SSL_TXT_AES_GCM "AESGCM"
291#define SSL_TXT_CAMELLIA128 "CAMELLIA128"
292#define SSL_TXT_CAMELLIA256 "CAMELLIA256"
293#define SSL_TXT_CAMELLIA "CAMELLIA"
294
295#define SSL_TXT_MD5 "MD5"
296#define SSL_TXT_SHA1 "SHA1"
297#define SSL_TXT_SHA "SHA" /* same as "SHA1" */
298#define SSL_TXT_GOST94 "GOST94"
299#define SSL_TXT_GOST89MAC "GOST89MAC"
300#define SSL_TXT_SHA256 "SHA256"
301#define SSL_TXT_SHA384 "SHA384"
302
303#define SSL_TXT_SSLV2 "SSLv2"
304#define SSL_TXT_SSLV3 "SSLv3"
305#define SSL_TXT_TLSV1 "TLSv1"
306#define SSL_TXT_TLSV1_1 "TLSv1.1"
307#define SSL_TXT_TLSV1_2 "TLSv1.2"
308
309#define SSL_TXT_EXP "EXP"
310#define SSL_TXT_EXPORT "EXPORT"
311
312#define SSL_TXT_ALL "ALL"
313
314/*
315 * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
316 * ciphers normally not being used.
317 * Example: "RC4" will activate all ciphers using RC4 including ciphers
318 * without authentication, which would normally disabled by DEFAULT (due
319 * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
320 * will make sure that it is also disabled in the specific selection.
321 * COMPLEMENTOF* identifiers are portable between version, as adjustments
322 * to the default cipher setup will also be included here.
323 *
324 * COMPLEMENTOFDEFAULT does not experience the same special treatment that
325 * DEFAULT gets, as only selection is being done and no sorting as needed
326 * for DEFAULT.
327 */
328#define SSL_TXT_CMPALL "COMPLEMENTOFALL"
329#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
330
331/* The following cipher list is used by default.
332 * It also is substituted when an application-defined cipher list string
333 * starts with 'DEFAULT'. */
334#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
335/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
336 * starts with a reasonable order, and all we have to do for DEFAULT is
337 * throwing out anonymous and unencrypted ciphersuites!
338 * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
339 * some of them.)
340 */
341
342/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
343#define SSL_SENT_SHUTDOWN 1
344#define SSL_RECEIVED_SHUTDOWN 2
345
346#ifdef __cplusplus
347}
348#endif
349
350#ifdef __cplusplus
351extern "C" {
352#endif
353
354#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
355#define OPENSSL_NO_SSL2
356#endif
357
358#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
359#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
360
361/* This is needed to stop compilers complaining about the
362 * 'struct ssl_st *' function parameters used to prototype callbacks
363 * in SSL_CTX. */
364typedef struct ssl_st *ssl_crock_st;
365typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
366typedef struct ssl_method_st SSL_METHOD;
367typedef struct ssl_cipher_st SSL_CIPHER;
368typedef struct ssl_session_st SSL_SESSION;
369
370DECLARE_STACK_OF(SSL_CIPHER)
371
372/* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
373typedef struct srtp_protection_profile_st
374 {
375 const char *name;
376 unsigned long id;
377 } SRTP_PROTECTION_PROFILE;
378
379DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
380
381typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
382typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
383
384
385#ifndef OPENSSL_NO_SSL_INTERN
386
387/* used to hold info on the particular ciphers used */
388struct ssl_cipher_st
389 {
390 int valid;
391 const char *name; /* text name */
392 unsigned long id; /* id, 4 bytes, first is version */
393
394 /* changed in 0.9.9: these four used to be portions of a single value 'algorithms' */
395 unsigned long algorithm_mkey; /* key exchange algorithm */
396 unsigned long algorithm_auth; /* server authentication */
397 unsigned long algorithm_enc; /* symmetric encryption */
398 unsigned long algorithm_mac; /* symmetric authentication */
399 unsigned long algorithm_ssl; /* (major) protocol version */
400
401 unsigned long algo_strength; /* strength and export flags */
402 unsigned long algorithm2; /* Extra flags */
403 int strength_bits; /* Number of bits really used */
404 int alg_bits; /* Number of bits for algorithm */
405 };
406
407
408/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
409struct ssl_method_st
410 {
411 int version;
412 int (*ssl_new)(SSL *s);
413 void (*ssl_clear)(SSL *s);
414 void (*ssl_free)(SSL *s);
415 int (*ssl_accept)(SSL *s);
416 int (*ssl_connect)(SSL *s);
417 int (*ssl_read)(SSL *s,void *buf,int len);
418 int (*ssl_peek)(SSL *s,void *buf,int len);
419 int (*ssl_write)(SSL *s,const void *buf,int len);
420 int (*ssl_shutdown)(SSL *s);
421 int (*ssl_renegotiate)(SSL *s);
422 int (*ssl_renegotiate_check)(SSL *s);
423 long (*ssl_get_message)(SSL *s, int st1, int stn, int mt, long
424 max, int *ok);
425 int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len,
426 int peek);
427 int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
428 int (*ssl_dispatch_alert)(SSL *s);
429 long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg);
430 long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
431 const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
432 int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
433 int (*ssl_pending)(const SSL *s);
434 int (*num_ciphers)(void);
435 const SSL_CIPHER *(*get_cipher)(unsigned ncipher);
436 const struct ssl_method_st *(*get_ssl_method)(int version);
437 long (*get_timeout)(void);
438 struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
439 int (*ssl_version)(void);
440 long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void));
441 long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
442 };
443
444/* Lets make this into an ASN.1 type structure as follows
445 * SSL_SESSION_ID ::= SEQUENCE {
446 * version INTEGER, -- structure version number
447 * SSLversion INTEGER, -- SSL version number
448 * Cipher OCTET STRING, -- the 3 byte cipher ID
449 * Session_ID OCTET STRING, -- the Session ID
450 * Master_key OCTET STRING, -- the master key
451 * KRB5_principal OCTET STRING -- optional Kerberos principal
452 * Key_Arg [ 0 ] IMPLICIT OCTET STRING, -- the optional Key argument
453 * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
454 * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
455 * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
456 * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context
457 * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer'
458 * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension
459 * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
460 * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity
461 * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
462 * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only)
463 * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method
464 * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
465 * }
466 * Look in ssl/ssl_asn1.c for more details
467 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
468 */
469struct ssl_session_st
470 {
471 int ssl_version; /* what ssl version session info is
472 * being kept in here? */
473
474 /* only really used in SSLv2 */
475 unsigned int key_arg_length;
476 unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
477 int master_key_length;
478 unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
479 /* session_id - valid? */
480 unsigned int session_id_length;
481 unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
482 /* this is used to determine whether the session is being reused in
483 * the appropriate context. It is up to the application to set this,
484 * via SSL_new */
485 unsigned int sid_ctx_length;
486 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
487
488#ifndef OPENSSL_NO_KRB5
489 unsigned int krb5_client_princ_len;
490 unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
491#endif /* OPENSSL_NO_KRB5 */
492#ifndef OPENSSL_NO_PSK
493 char *psk_identity_hint;
494 char *psk_identity;
495#endif
496 int not_resumable;
497
498 /* The cert is the certificate used to establish this connection */
499 struct sess_cert_st /* SESS_CERT */ *sess_cert;
500
501 /* This is the cert for the other end.
502 * On clients, it will be the same as sess_cert->peer_key->x509
503 * (the latter is not enough as sess_cert is not retained
504 * in the external representation of sessions, see ssl_asn1.c). */
505 X509 *peer;
506 /* when app_verify_callback accepts a session where the peer's certificate
507 * is not ok, we must remember the error for session reuse: */
508 long verify_result; /* only for servers */
509
510 int references;
511 long timeout;
512 long time;
513
514 unsigned int compress_meth; /* Need to lookup the method */
515
516 const SSL_CIPHER *cipher;
517 unsigned long cipher_id; /* when ASN.1 loaded, this
518 * needs to be used to load
519 * the 'cipher' structure */
520
521 STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
522
523 CRYPTO_EX_DATA ex_data; /* application specific data */
524
525 /* These are used to make removal of session-ids more
526 * efficient and to implement a maximum cache size. */
527 struct ssl_session_st *prev,*next;
528#ifndef OPENSSL_NO_TLSEXT
529 char *tlsext_hostname;
530#ifndef OPENSSL_NO_EC
531 size_t tlsext_ecpointformatlist_length;
532 unsigned char *tlsext_ecpointformatlist; /* peer's list */
533 size_t tlsext_ellipticcurvelist_length;
534 unsigned char *tlsext_ellipticcurvelist; /* peer's list */
535#endif /* OPENSSL_NO_EC */
536 /* RFC4507 info */
537 unsigned char *tlsext_tick; /* Session ticket */
538 size_t tlsext_ticklen; /* Session ticket length */
539 long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
540#endif
541#ifndef OPENSSL_NO_SRP
542 char *srp_username;
543#endif
544 };
545
546#endif
547
548#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
549#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
550/* Allow initial connection to servers that don't support RI */
551#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
552#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
553#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
554#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
555#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
556#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
557#define SSL_OP_TLS_D5_BUG 0x00000100L
558#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
559
560/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
561 * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
562 * the workaround is not needed. Unfortunately some broken SSL/TLS
563 * implementations cannot handle it at all, which is why we include
564 * it in SSL_OP_ALL. */
565#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */
566
567/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
568 * This used to be 0x000FFFFFL before 0.9.7. */
569#define SSL_OP_ALL 0x80000BFFL
570
571/* DTLS options */
572#define SSL_OP_NO_QUERY_MTU 0x00001000L
573/* Turn on Cookie Exchange (on relevant for servers) */
574#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
575/* Don't use RFC4507 ticket extension */
576#define SSL_OP_NO_TICKET 0x00004000L
577/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
578#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
579
580/* As server, disallow session resumption on renegotiation */
581#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
582/* Don't use compression even if supported */
583#define SSL_OP_NO_COMPRESSION 0x00020000L
584/* Permit unsafe legacy renegotiation */
585#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
586/* If set, always create a new key when using tmp_ecdh parameters */
587#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
588/* If set, always create a new key when using tmp_dh parameters */
589#define SSL_OP_SINGLE_DH_USE 0x00100000L
590/* Set to always use the tmp_rsa key when doing RSA operations,
591 * even when this violates protocol specs */
592#define SSL_OP_EPHEMERAL_RSA 0x00200000L
593/* Set on servers to choose the cipher according to the server's
594 * preferences */
595#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
596/* If set, a server will allow a client to issue a SSLv3.0 version number
597 * as latest version supported in the premaster secret, even when TLSv1.0
598 * (version 3.1) was announced in the client hello. Normally this is
599 * forbidden to prevent version rollback attacks. */
600#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L
601
602#define SSL_OP_NO_SSLv2 0x01000000L
603#define SSL_OP_NO_SSLv3 0x02000000L
604#define SSL_OP_NO_TLSv1 0x04000000L
605#define SSL_OP_NO_TLSv1_2 0x08000000L
606#define SSL_OP_NO_TLSv1_1 0x10000000L
607
608/* These next two were never actually used for anything since SSLeay
609 * zap so we have some more flags.
610 */
611/* The next flag deliberately changes the ciphertest, this is a check
612 * for the PKCS#1 attack */
613#define SSL_OP_PKCS1_CHECK_1 0x0
614#define SSL_OP_PKCS1_CHECK_2 0x0
615
616#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
617#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
618/* Make server add server-hello extension from early version of
619 * cryptopro draft, when GOST ciphersuite is negotiated.
620 * Required for interoperability with CryptoPro CSP 3.x
621 */
622#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000L
623
624/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
625 * when just a single record has been written): */
626#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L
627/* Make it possible to retry SSL_write() with changed buffer location
628 * (buffer contents must stay the same!); this is not the default to avoid
629 * the misconception that non-blocking SSL_write() behaves like
630 * non-blocking write(): */
631#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
632/* Never bother the application with retries if the transport
633 * is blocking: */
634#define SSL_MODE_AUTO_RETRY 0x00000004L
635/* Don't attempt to automatically build certificate chain */
636#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
637/* Save RAM by releasing read and write buffers when they're empty. (SSL3 and
638 * TLS only.) "Released" buffers are put onto a free-list in the context
639 * or just freed (depending on the context's setting for freelist_max_len). */
640#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
641
642/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
643 * they cannot be used to clear bits. */
644
645#define SSL_CTX_set_options(ctx,op) \
646 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
647#define SSL_CTX_clear_options(ctx,op) \
648 SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
649#define SSL_CTX_get_options(ctx) \
650 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
651#define SSL_set_options(ssl,op) \
652 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
653#define SSL_clear_options(ssl,op) \
654 SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
655#define SSL_get_options(ssl) \
656 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
657
658#define SSL_CTX_set_mode(ctx,op) \
659 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
660#define SSL_CTX_clear_mode(ctx,op) \
661 SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
662#define SSL_CTX_get_mode(ctx) \
663 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
664#define SSL_clear_mode(ssl,op) \
665 SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
666#define SSL_set_mode(ssl,op) \
667 SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
668#define SSL_get_mode(ssl) \
669 SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
670#define SSL_set_mtu(ssl, mtu) \
671 SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
672
673#define SSL_get_secure_renegotiation_support(ssl) \
674 SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
675
676#ifndef OPENSSL_NO_HEARTBEATS
677#define SSL_heartbeat(ssl) \
678 SSL_ctrl((ssl),SSL_CTRL_TLS_EXT_SEND_HEARTBEAT,0,NULL)
679#endif
680
681void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
682void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
683#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
684#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
685
686#ifndef OPENSSL_NO_SRP
687
688#ifndef OPENSSL_NO_SSL_INTERN
689
690typedef struct srp_ctx_st
691 {
692 /* param for all the callbacks */
693 void *SRP_cb_arg;
694 /* set client Hello login callback */
695 int (*TLS_ext_srp_username_callback)(SSL *, int *, void *);
696 /* set SRP N/g param callback for verification */
697 int (*SRP_verify_param_callback)(SSL *, void *);
698 /* set SRP client passwd callback */
699 char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *);
700
701 char *login;
702 BIGNUM *N,*g,*s,*B,*A;
703 BIGNUM *a,*b,*v;
704 char *info;
705 int strength;
706
707 unsigned long srp_Mask;
708 } SRP_CTX;
709
710#endif
711
712/* see tls_srp.c */
713int SSL_SRP_CTX_init(SSL *s);
714int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
715int SSL_SRP_CTX_free(SSL *ctx);
716int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
717int SSL_srp_server_param_with_username(SSL *s, int *ad);
718int SRP_generate_server_master_secret(SSL *s,unsigned char *master_key);
719int SRP_Calc_A_param(SSL *s);
720int SRP_generate_client_master_secret(SSL *s,unsigned char *master_key);
721
722#endif
723
724#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
725#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */
726#else
727#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
728#endif
729
730#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
731
732/* This callback type is used inside SSL_CTX, SSL, and in the functions that set
733 * them. It is used to override the generation of SSL/TLS session IDs in a
734 * server. Return value should be zero on an error, non-zero to proceed. Also,
735 * callbacks should themselves check if the id they generate is unique otherwise
736 * the SSL handshake will fail with an error - callbacks can do this using the
737 * 'ssl' value they're passed by;
738 * SSL_has_matching_session_id(ssl, id, *id_len)
739 * The length value passed in is set at the maximum size the session ID can be.
740 * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
741 * can alter this length to be less if desired, but under SSLv2 session IDs are
742 * supposed to be fixed at 16 bytes so the id will be padded after the callback
743 * returns in this case. It is also an error for the callback to set the size to
744 * zero. */
745typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
746 unsigned int *id_len);
747
748typedef struct ssl_comp_st SSL_COMP;
749
750#ifndef OPENSSL_NO_SSL_INTERN
751
752struct ssl_comp_st
753 {
754 int id;
755 const char *name;
756#ifndef OPENSSL_NO_COMP
757 COMP_METHOD *method;
758#else
759 char *method;
760#endif
761 };
762
763DECLARE_STACK_OF(SSL_COMP)
764DECLARE_LHASH_OF(SSL_SESSION);
765
766struct ssl_ctx_st
767 {
768 const SSL_METHOD *method;
769
770 STACK_OF(SSL_CIPHER) *cipher_list;
771 /* same as above but sorted for lookup */
772 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
773
774 struct x509_store_st /* X509_STORE */ *cert_store;
775 LHASH_OF(SSL_SESSION) *sessions;
776 /* Most session-ids that will be cached, default is
777 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
778 unsigned long session_cache_size;
779 struct ssl_session_st *session_cache_head;
780 struct ssl_session_st *session_cache_tail;
781
782 /* This can have one of 2 values, ored together,
783 * SSL_SESS_CACHE_CLIENT,
784 * SSL_SESS_CACHE_SERVER,
785 * Default is SSL_SESSION_CACHE_SERVER, which means only
786 * SSL_accept which cache SSL_SESSIONS. */
787 int session_cache_mode;
788
789 /* If timeout is not 0, it is the default timeout value set
790 * when SSL_new() is called. This has been put in to make
791 * life easier to set things up */
792 long session_timeout;
793
794 /* If this callback is not null, it will be called each
795 * time a session id is added to the cache. If this function
796 * returns 1, it means that the callback will do a
797 * SSL_SESSION_free() when it has finished using it. Otherwise,
798 * on 0, it means the callback has finished with it.
799 * If remove_session_cb is not null, it will be called when
800 * a session-id is removed from the cache. After the call,
801 * OpenSSL will SSL_SESSION_free() it. */
802 int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess);
803 void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
804 SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
805 unsigned char *data,int len,int *copy);
806
807 struct
808 {
809 int sess_connect; /* SSL new conn - started */
810 int sess_connect_renegotiate;/* SSL reneg - requested */
811 int sess_connect_good; /* SSL new conne/reneg - finished */
812 int sess_accept; /* SSL new accept - started */
813 int sess_accept_renegotiate;/* SSL reneg - requested */
814 int sess_accept_good; /* SSL accept/reneg - finished */
815 int sess_miss; /* session lookup misses */
816 int sess_timeout; /* reuse attempt on timeouted session */
817 int sess_cache_full; /* session removed due to full cache */
818 int sess_hit; /* session reuse actually done */
819 int sess_cb_hit; /* session-id that was not
820 * in the cache was
821 * passed back via the callback. This
822 * indicates that the application is
823 * supplying session-id's from other
824 * processes - spooky :-) */
825 } stats;
826
827 int references;
828
829 /* if defined, these override the X509_verify_cert() calls */
830 int (*app_verify_callback)(X509_STORE_CTX *, void *);
831 void *app_verify_arg;
832 /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored
833 * ('app_verify_callback' was called with just one argument) */
834
835 /* Default password callback. */
836 pem_password_cb *default_passwd_callback;
837
838 /* Default password callback user data. */
839 void *default_passwd_callback_userdata;
840
841 /* get client cert callback */
842 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
843
844 /* cookie generate callback */
845 int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
846 unsigned int *cookie_len);
847
848 /* verify cookie callback */
849 int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie,
850 unsigned int cookie_len);
851
852 CRYPTO_EX_DATA ex_data;
853
854 const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
855 const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
856 const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
857
858 STACK_OF(X509) *extra_certs;
859 STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
860
861
862 /* Default values used when no per-SSL value is defined follow */
863
864 void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */
865
866 /* what we put in client cert requests */
867 STACK_OF(X509_NAME) *client_CA;
868
869
870 /* Default values to use in SSL structures follow (these are copied by SSL_new) */
871
872 unsigned long options;
873 unsigned long mode;
874 long max_cert_list;
875
876 struct cert_st /* CERT */ *cert;
877 int read_ahead;
878
879 /* callback that allows applications to peek at protocol messages */
880 void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
881 void *msg_callback_arg;
882
883 int verify_mode;
884 unsigned int sid_ctx_length;
885 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
886 int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
887
888 /* Default generate session ID callback. */
889 GEN_SESSION_CB generate_session_id;
890
891 X509_VERIFY_PARAM *param;
892
893#if 0
894 int purpose; /* Purpose setting */
895 int trust; /* Trust setting */
896#endif
897
898 int quiet_shutdown;
899
900 /* Maximum amount of data to send in one fragment.
901 * actual record size can be more than this due to
902 * padding and MAC overheads.
903 */
904 unsigned int max_send_fragment;
905
906#ifndef OPENSSL_ENGINE
907 /* Engine to pass requests for client certs to
908 */
909 ENGINE *client_cert_engine;
910#endif
911
912#ifndef OPENSSL_NO_TLSEXT
913 /* TLS extensions servername callback */
914 int (*tlsext_servername_callback)(SSL*, int *, void *);
915 void *tlsext_servername_arg;
916 /* RFC 4507 session ticket keys */
917 unsigned char tlsext_tick_key_name[16];
918 unsigned char tlsext_tick_hmac_key[16];
919 unsigned char tlsext_tick_aes_key[16];
920 /* Callback to support customisation of ticket key setting */
921 int (*tlsext_ticket_key_cb)(SSL *ssl,
922 unsigned char *name, unsigned char *iv,
923 EVP_CIPHER_CTX *ectx,
924 HMAC_CTX *hctx, int enc);
925
926 /* certificate status request info */
927 /* Callback for status request */
928 int (*tlsext_status_cb)(SSL *ssl, void *arg);
929 void *tlsext_status_arg;
930 /* draft-rescorla-tls-opaque-prf-input-00.txt information */
931 int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
932 void *tlsext_opaque_prf_input_callback_arg;
933#endif
934
935#ifndef OPENSSL_NO_PSK
936 char *psk_identity_hint;
937 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, char *identity,
938 unsigned int max_identity_len, unsigned char *psk,
939 unsigned int max_psk_len);
940 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
941 unsigned char *psk, unsigned int max_psk_len);
942#endif
943
944#ifndef OPENSSL_NO_BUF_FREELISTS
945#define SSL_MAX_BUF_FREELIST_LEN_DEFAULT 32
946 unsigned int freelist_max_len;
947 struct ssl3_buf_freelist_st *wbuf_freelist;
948 struct ssl3_buf_freelist_st *rbuf_freelist;
949#endif
950#ifndef OPENSSL_NO_SRP
951 SRP_CTX srp_ctx; /* ctx for SRP authentication */
952#endif
953
954#ifndef OPENSSL_NO_TLSEXT
955# ifndef OPENSSL_NO_NEXTPROTONEG
956 /* Next protocol negotiation information */
957 /* (for experimental NPN extension). */
958
959 /* For a server, this contains a callback function by which the set of
960 * advertised protocols can be provided. */
961 int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
962 unsigned int *len, void *arg);
963 void *next_protos_advertised_cb_arg;
964 /* For a client, this contains a callback function that selects the
965 * next protocol from the list provided by the server. */
966 int (*next_proto_select_cb)(SSL *s, unsigned char **out,
967 unsigned char *outlen,
968 const unsigned char *in,
969 unsigned int inlen,
970 void *arg);
971 void *next_proto_select_cb_arg;
972# endif
973 /* SRTP profiles we are willing to do from RFC 5764 */
974 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
975#endif
976 };
977
978#endif
979
980#define SSL_SESS_CACHE_OFF 0x0000
981#define SSL_SESS_CACHE_CLIENT 0x0001
982#define SSL_SESS_CACHE_SERVER 0x0002
983#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
984#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
985/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
986#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
987#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
988#define SSL_SESS_CACHE_NO_INTERNAL \
989 (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
990
991LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
992#define SSL_CTX_sess_number(ctx) \
993 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
994#define SSL_CTX_sess_connect(ctx) \
995 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
996#define SSL_CTX_sess_connect_good(ctx) \
997 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
998#define SSL_CTX_sess_connect_renegotiate(ctx) \
999 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
1000#define SSL_CTX_sess_accept(ctx) \
1001 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
1002#define SSL_CTX_sess_accept_renegotiate(ctx) \
1003 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
1004#define SSL_CTX_sess_accept_good(ctx) \
1005 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
1006#define SSL_CTX_sess_hits(ctx) \
1007 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
1008#define SSL_CTX_sess_cb_hits(ctx) \
1009 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
1010#define SSL_CTX_sess_misses(ctx) \
1011 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
1012#define SSL_CTX_sess_timeouts(ctx) \
1013 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
1014#define SSL_CTX_sess_cache_full(ctx) \
1015 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
1016
1017void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess));
1018int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess);
1019void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess));
1020void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
1021void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,int len,int *copy));
1022SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *Data, int len, int *copy);
1023void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,int val));
1024void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
1025void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
1026int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
1027#ifndef OPENSSL_NO_ENGINE
1028int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
1029#endif
1030void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
1031void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
1032#ifndef OPENSSL_NO_NEXTPROTONEG
1033void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
1034 int (*cb) (SSL *ssl,
1035 const unsigned char **out,
1036 unsigned int *outlen,
1037 void *arg),
1038 void *arg);
1039void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
1040 int (*cb) (SSL *ssl,
1041 unsigned char **out,
1042 unsigned char *outlen,
1043 const unsigned char *in,
1044 unsigned int inlen,
1045 void *arg),
1046 void *arg);
1047
1048int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
1049 const unsigned char *in, unsigned int inlen,
1050 const unsigned char *client, unsigned int client_len);
1051void SSL_get0_next_proto_negotiated(const SSL *s,
1052 const unsigned char **data, unsigned *len);
1053
1054#define OPENSSL_NPN_UNSUPPORTED 0
1055#define OPENSSL_NPN_NEGOTIATED 1
1056#define OPENSSL_NPN_NO_OVERLAP 2
1057#endif
1058
1059#ifndef OPENSSL_NO_PSK
1060/* the maximum length of the buffer given to callbacks containing the
1061 * resulting identity/psk */
1062#define PSK_MAX_IDENTITY_LEN 128
1063#define PSK_MAX_PSK_LEN 256
1064void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
1065 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
1066 char *identity, unsigned int max_identity_len, unsigned char *psk,
1067 unsigned int max_psk_len));
1068void SSL_set_psk_client_callback(SSL *ssl,
1069 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
1070 char *identity, unsigned int max_identity_len, unsigned char *psk,
1071 unsigned int max_psk_len));
1072void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
1073 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
1074 unsigned char *psk, unsigned int max_psk_len));
1075void SSL_set_psk_server_callback(SSL *ssl,
1076 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
1077 unsigned char *psk, unsigned int max_psk_len));
1078int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint);
1079int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint);
1080const char *SSL_get_psk_identity_hint(const SSL *s);
1081const char *SSL_get_psk_identity(const SSL *s);
1082#endif
1083
1084#define SSL_NOTHING 1
1085#define SSL_WRITING 2
1086#define SSL_READING 3
1087#define SSL_X509_LOOKUP 4
1088
1089/* These will only be used when doing non-blocking IO */
1090#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
1091#define SSL_want_read(s) (SSL_want(s) == SSL_READING)
1092#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
1093#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
1094
1095#define SSL_MAC_FLAG_READ_MAC_STREAM 1
1096#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
1097
1098#ifndef OPENSSL_NO_SSL_INTERN
1099
1100struct ssl_st
1101 {
1102 /* protocol version
1103 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
1104 */
1105 int version;
1106 int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
1107
1108 const SSL_METHOD *method; /* SSLv3 */
1109
1110 /* There are 2 BIO's even though they are normally both the
1111 * same. This is so data can be read and written to different
1112 * handlers */
1113
1114#ifndef OPENSSL_NO_BIO
1115 BIO *rbio; /* used by SSL_read */
1116 BIO *wbio; /* used by SSL_write */
1117 BIO *bbio; /* used during session-id reuse to concatenate
1118 * messages */
1119#else
1120 char *rbio; /* used by SSL_read */
1121 char *wbio; /* used by SSL_write */
1122 char *bbio;
1123#endif
1124 /* This holds a variable that indicates what we were doing
1125 * when a 0 or -1 is returned. This is needed for
1126 * non-blocking IO so we know what request needs re-doing when
1127 * in SSL_accept or SSL_connect */
1128 int rwstate;
1129
1130 /* true when we are actually in SSL_accept() or SSL_connect() */
1131 int in_handshake;
1132 int (*handshake_func)(SSL *);
1133
1134 /* Imagine that here's a boolean member "init" that is
1135 * switched as soon as SSL_set_{accept/connect}_state
1136 * is called for the first time, so that "state" and
1137 * "handshake_func" are properly initialized. But as
1138 * handshake_func is == 0 until then, we use this
1139 * test instead of an "init" member.
1140 */
1141
1142 int server; /* are we the server side? - mostly used by SSL_clear*/
1143
1144 int new_session;/* Generate a new session or reuse an old one.
1145 * NB: For servers, the 'new' session may actually be a previously
1146 * cached session or even the previous session unless
1147 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
1148 int quiet_shutdown;/* don't send shutdown packets */
1149 int shutdown; /* we have shut things down, 0x01 sent, 0x02
1150 * for received */
1151 int state; /* where we are */
1152 int rstate; /* where we are when reading */
1153
1154 BUF_MEM *init_buf; /* buffer used during init */
1155 void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */
1156 int init_num; /* amount read/written */
1157 int init_off; /* amount read/written */
1158
1159 /* used internally to point at a raw packet */
1160 unsigned char *packet;
1161 unsigned int packet_length;
1162
1163 struct ssl2_state_st *s2; /* SSLv2 variables */
1164 struct ssl3_state_st *s3; /* SSLv3 variables */
1165 struct dtls1_state_st *d1; /* DTLSv1 variables */
1166
1167 int read_ahead; /* Read as many input bytes as possible
1168 * (for non-blocking reads) */
1169
1170 /* callback that allows applications to peek at protocol messages */
1171 void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
1172 void *msg_callback_arg;
1173
1174 int hit; /* reusing a previous session */
1175
1176 X509_VERIFY_PARAM *param;
1177
1178#if 0
1179 int purpose; /* Purpose setting */
1180 int trust; /* Trust setting */
1181#endif
1182
1183 /* crypto */
1184 STACK_OF(SSL_CIPHER) *cipher_list;
1185 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1186
1187 /* These are the ones being used, the ones in SSL_SESSION are
1188 * the ones to be 'copied' into these ones */
1189 int mac_flags;
1190 EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
1191 EVP_MD_CTX *read_hash; /* used for mac generation */
1192#ifndef OPENSSL_NO_COMP
1193 COMP_CTX *expand; /* uncompress */
1194#else
1195 char *expand;
1196#endif
1197
1198 EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
1199 EVP_MD_CTX *write_hash; /* used for mac generation */
1200#ifndef OPENSSL_NO_COMP
1201 COMP_CTX *compress; /* compression */
1202#else
1203 char *compress;
1204#endif
1205
1206 /* session info */
1207
1208 /* client cert? */
1209 /* This is used to hold the server certificate used */
1210 struct cert_st /* CERT */ *cert;
1211
1212 /* the session_id_context is used to ensure sessions are only reused
1213 * in the appropriate context */
1214 unsigned int sid_ctx_length;
1215 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
1216
1217 /* This can also be in the session once a session is established */
1218 SSL_SESSION *session;
1219
1220 /* Default generate session ID callback. */
1221 GEN_SESSION_CB generate_session_id;
1222
1223 /* Used in SSL2 and SSL3 */
1224 int verify_mode; /* 0 don't care about verify failure.
1225 * 1 fail if verify fails */
1226 int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
1227
1228 void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
1229
1230 int error; /* error bytes to be written */
1231 int error_code; /* actual code */
1232
1233#ifndef OPENSSL_NO_KRB5
1234 KSSL_CTX *kssl_ctx; /* Kerberos 5 context */
1235#endif /* OPENSSL_NO_KRB5 */
1236
1237#ifndef OPENSSL_NO_PSK
1238 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, char *identity,
1239 unsigned int max_identity_len, unsigned char *psk,
1240 unsigned int max_psk_len);
1241 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
1242 unsigned char *psk, unsigned int max_psk_len);
1243#endif
1244
1245 SSL_CTX *ctx;
1246 /* set this flag to 1 and a sleep(1) is put into all SSL_read()
1247 * and SSL_write() calls, good for nbio debuging :-) */
1248 int debug;
1249
1250 /* extra application data */
1251 long verify_result;
1252 CRYPTO_EX_DATA ex_data;
1253
1254 /* for server side, keep the list of CA_dn we can use */
1255 STACK_OF(X509_NAME) *client_CA;
1256
1257 int references;
1258 unsigned long options; /* protocol behaviour */
1259 unsigned long mode; /* API behaviour */
1260 long max_cert_list;
1261 int first_packet;
1262 int client_version; /* what was passed, used for
1263 * SSLv3/TLS rollback check */
1264 unsigned int max_send_fragment;
1265#ifndef OPENSSL_NO_TLSEXT
1266 /* TLS extension debug callback */
1267 void (*tlsext_debug_cb)(SSL *s, int client_server, int type,
1268 unsigned char *data, int len,
1269 void *arg);
1270 void *tlsext_debug_arg;
1271 char *tlsext_hostname;
1272 int servername_done; /* no further mod of servername
1273 0 : call the servername extension callback.
1274 1 : prepare 2, allow last ack just after in server callback.
1275 2 : don't call servername callback, no ack in server hello
1276 */
1277 /* certificate status request info */
1278 /* Status type or -1 if no status type */
1279 int tlsext_status_type;
1280 /* Expect OCSP CertificateStatus message */
1281 int tlsext_status_expected;
1282 /* OCSP status request only */
1283 STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids;
1284 X509_EXTENSIONS *tlsext_ocsp_exts;
1285 /* OCSP response received or to be sent */
1286 unsigned char *tlsext_ocsp_resp;
1287 int tlsext_ocsp_resplen;
1288
1289 /* RFC4507 session ticket expected to be received or sent */
1290 int tlsext_ticket_expected;
1291#ifndef OPENSSL_NO_EC
1292 size_t tlsext_ecpointformatlist_length;
1293 unsigned char *tlsext_ecpointformatlist; /* our list */
1294 size_t tlsext_ellipticcurvelist_length;
1295 unsigned char *tlsext_ellipticcurvelist; /* our list */
1296#endif /* OPENSSL_NO_EC */
1297
1298 /* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */
1299 void *tlsext_opaque_prf_input;
1300 size_t tlsext_opaque_prf_input_len;
1301
1302 /* TLS Session Ticket extension override */
1303 TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
1304
1305 /* TLS Session Ticket extension callback */
1306 tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
1307 void *tls_session_ticket_ext_cb_arg;
1308
1309 /* TLS pre-shared secret session resumption */
1310 tls_session_secret_cb_fn tls_session_secret_cb;
1311 void *tls_session_secret_cb_arg;
1312
1313 SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
1314
1315#ifndef OPENSSL_NO_NEXTPROTONEG
1316 /* Next protocol negotiation. For the client, this is the protocol that
1317 * we sent in NextProtocol and is set when handling ServerHello
1318 * extensions.
1319 *
1320 * For a server, this is the client's selected_protocol from
1321 * NextProtocol and is set when handling the NextProtocol message,
1322 * before the Finished message. */
1323 unsigned char *next_proto_negotiated;
1324 unsigned char next_proto_negotiated_len;
1325#endif
1326
1327#define session_ctx initial_ctx
1328
1329 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */
1330 SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */
1331
1332 unsigned int tlsext_heartbeat; /* Is use of the Heartbeat extension negotiated?
1333 0: disabled
1334 1: enabled
1335 2: enabled, but not allowed to send Requests
1336 */
1337 unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
1338 unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */
1339#else
1340#define session_ctx ctx
1341#endif /* OPENSSL_NO_TLSEXT */
1342
1343 int renegotiate;/* 1 if we are renegotiating.
1344 * 2 if we are a server and are inside a handshake
1345 * (i.e. not just sending a HelloRequest) */
1346
1347#ifndef OPENSSL_NO_SRP
1348 SRP_CTX srp_ctx; /* ctx for SRP authentication */
1349#endif
1350 };
1351
1352#endif
1353
1354#ifdef __cplusplus
1355}
1356#endif
1357
1358#include <openssl/ssl2.h>
1359#include <openssl/ssl3.h>
1360#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
1361#include <openssl/dtls1.h> /* Datagram TLS */
1362#include <openssl/ssl23.h>
1363#include <openssl/srtp.h> /* Support for the use_srtp extension */
1364
1365#ifdef __cplusplus
1366extern "C" {
1367#endif
1368
1369/* compatibility */
1370#define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg))
1371#define SSL_get_app_data(s) (SSL_get_ex_data(s,0))
1372#define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0,(char *)a))
1373#define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0))
1374#define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0))
1375#define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg))
1376
1377/* The following are the possible values for ssl->state are are
1378 * used to indicate where we are up to in the SSL connection establishment.
1379 * The macros that follow are about the only things you should need to use
1380 * and even then, only when using non-blocking IO.
1381 * It can also be useful to work out where you were when the connection
1382 * failed */
1383
1384#define SSL_ST_CONNECT 0x1000
1385#define SSL_ST_ACCEPT 0x2000
1386#define SSL_ST_MASK 0x0FFF
1387#define SSL_ST_INIT (SSL_ST_CONNECT|SSL_ST_ACCEPT)
1388#define SSL_ST_BEFORE 0x4000
1389#define SSL_ST_OK 0x03
1390#define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
1391
1392#define SSL_CB_LOOP 0x01
1393#define SSL_CB_EXIT 0x02
1394#define SSL_CB_READ 0x04
1395#define SSL_CB_WRITE 0x08
1396#define SSL_CB_ALERT 0x4000 /* used in callback */
1397#define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)
1398#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)
1399#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)
1400#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)
1401#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)
1402#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)
1403#define SSL_CB_HANDSHAKE_START 0x10
1404#define SSL_CB_HANDSHAKE_DONE 0x20
1405
1406/* Is the SSL_connection established? */
1407#define SSL_get_state(a) SSL_state(a)
1408#define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK)
1409#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT)
1410#define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE)
1411#define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT)
1412#define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT)
1413
1414/* The following 2 states are kept in ssl->rstate when reads fail,
1415 * you should not need these */
1416#define SSL_ST_READ_HEADER 0xF0
1417#define SSL_ST_READ_BODY 0xF1
1418#define SSL_ST_READ_DONE 0xF2
1419
1420/* Obtain latest Finished message
1421 * -- that we sent (SSL_get_finished)
1422 * -- that we expected from peer (SSL_get_peer_finished).
1423 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
1424size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
1425size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
1426
1427/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
1428 * are 'ored' with SSL_VERIFY_PEER if they are desired */
1429#define SSL_VERIFY_NONE 0x00
1430#define SSL_VERIFY_PEER 0x01
1431#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
1432#define SSL_VERIFY_CLIENT_ONCE 0x04
1433
1434#define OpenSSL_add_ssl_algorithms() SSL_library_init()
1435#define SSLeay_add_ssl_algorithms() SSL_library_init()
1436
1437/* this is for backward compatibility */
1438#if 0 /* NEW_SSLEAY */
1439#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
1440#define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n)
1441#define SSL_add_session(a,b) SSL_CTX_add_session((a),(b))
1442#define SSL_remove_session(a,b) SSL_CTX_remove_session((a),(b))
1443#define SSL_flush_sessions(a,b) SSL_CTX_flush_sessions((a),(b))
1444#endif
1445/* More backward compatibility */
1446#define SSL_get_cipher(s) \
1447 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1448#define SSL_get_cipher_bits(s,np) \
1449 SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
1450#define SSL_get_cipher_version(s) \
1451 SSL_CIPHER_get_version(SSL_get_current_cipher(s))
1452#define SSL_get_cipher_name(s) \
1453 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1454#define SSL_get_time(a) SSL_SESSION_get_time(a)
1455#define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b))
1456#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a)
1457#define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b))
1458
1459#define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
1460#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
1461
1462DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
1463
1464#define SSL_AD_REASON_OFFSET 1000 /* offset to get SSL_R_... value from SSL_AD_... */
1465
1466/* These alert types are for SSLv3 and TLSv1 */
1467#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
1468#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
1469#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC /* fatal */
1470#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED
1471#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW
1472#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
1473#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE/* fatal */
1474#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not for TLS */
1475#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
1476#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE
1477#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED
1478#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED
1479#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN
1480#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */
1481#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */
1482#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */
1483#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */
1484#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR
1485#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION/* fatal */
1486#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */
1487#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
1488#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
1489#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
1490#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
1491#define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION
1492#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
1493#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
1494#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
1495#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
1496#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
1497
1498#define SSL_ERROR_NONE 0
1499#define SSL_ERROR_SSL 1
1500#define SSL_ERROR_WANT_READ 2
1501#define SSL_ERROR_WANT_WRITE 3
1502#define SSL_ERROR_WANT_X509_LOOKUP 4
1503#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */
1504#define SSL_ERROR_ZERO_RETURN 6
1505#define SSL_ERROR_WANT_CONNECT 7
1506#define SSL_ERROR_WANT_ACCEPT 8
1507
1508#define SSL_CTRL_NEED_TMP_RSA 1
1509#define SSL_CTRL_SET_TMP_RSA 2
1510#define SSL_CTRL_SET_TMP_DH 3
1511#define SSL_CTRL_SET_TMP_ECDH 4
1512#define SSL_CTRL_SET_TMP_RSA_CB 5
1513#define SSL_CTRL_SET_TMP_DH_CB 6
1514#define SSL_CTRL_SET_TMP_ECDH_CB 7
1515
1516#define SSL_CTRL_GET_SESSION_REUSED 8
1517#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
1518#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10
1519#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
1520#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12
1521#define SSL_CTRL_GET_FLAGS 13
1522#define SSL_CTRL_EXTRA_CHAIN_CERT 14
1523
1524#define SSL_CTRL_SET_MSG_CALLBACK 15
1525#define SSL_CTRL_SET_MSG_CALLBACK_ARG 16
1526
1527/* only applies to datagram connections */
1528#define SSL_CTRL_SET_MTU 17
1529/* Stats */
1530#define SSL_CTRL_SESS_NUMBER 20
1531#define SSL_CTRL_SESS_CONNECT 21
1532#define SSL_CTRL_SESS_CONNECT_GOOD 22
1533#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
1534#define SSL_CTRL_SESS_ACCEPT 24
1535#define SSL_CTRL_SESS_ACCEPT_GOOD 25
1536#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
1537#define SSL_CTRL_SESS_HIT 27
1538#define SSL_CTRL_SESS_CB_HIT 28
1539#define SSL_CTRL_SESS_MISSES 29
1540#define SSL_CTRL_SESS_TIMEOUTS 30
1541#define SSL_CTRL_SESS_CACHE_FULL 31
1542#define SSL_CTRL_OPTIONS 32
1543#define SSL_CTRL_MODE 33
1544
1545#define SSL_CTRL_GET_READ_AHEAD 40
1546#define SSL_CTRL_SET_READ_AHEAD 41
1547#define SSL_CTRL_SET_SESS_CACHE_SIZE 42
1548#define SSL_CTRL_GET_SESS_CACHE_SIZE 43
1549#define SSL_CTRL_SET_SESS_CACHE_MODE 44
1550#define SSL_CTRL_GET_SESS_CACHE_MODE 45
1551
1552#define SSL_CTRL_GET_MAX_CERT_LIST 50
1553#define SSL_CTRL_SET_MAX_CERT_LIST 51
1554
1555#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52
1556
1557/* see tls1.h for macros based on these */
1558#ifndef OPENSSL_NO_TLSEXT
1559#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
1560#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
1561#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
1562#define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56
1563#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57
1564#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58
1565#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59
1566#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT 60
1567#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61
1568#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62
1569#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
1570#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
1571#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65
1572#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66
1573#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67
1574#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68
1575#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69
1576#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70
1577#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71
1578
1579#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72
1580
1581#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75
1582#define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76
1583#define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77
1584
1585#define SSL_CTRL_SET_SRP_ARG 78
1586#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79
1587#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80
1588#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81
1589#ifndef OPENSSL_NO_HEARTBEATS
1590#define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT 85
1591#define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING 86
1592#define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS 87
1593#endif
1594#endif
1595
1596#define DTLS_CTRL_GET_TIMEOUT 73
1597#define DTLS_CTRL_HANDLE_TIMEOUT 74
1598#define DTLS_CTRL_LISTEN 75
1599
1600#define SSL_CTRL_GET_RI_SUPPORT 76
1601#define SSL_CTRL_CLEAR_OPTIONS 77
1602#define SSL_CTRL_CLEAR_MODE 78
1603
1604#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
1605#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
1606
1607#define DTLSv1_get_timeout(ssl, arg) \
1608 SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
1609#define DTLSv1_handle_timeout(ssl) \
1610 SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL)
1611#define DTLSv1_listen(ssl, peer) \
1612 SSL_ctrl(ssl,DTLS_CTRL_LISTEN,0, (void *)peer)
1613
1614#define SSL_session_reused(ssl) \
1615 SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
1616#define SSL_num_renegotiations(ssl) \
1617 SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
1618#define SSL_clear_num_renegotiations(ssl) \
1619 SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
1620#define SSL_total_renegotiations(ssl) \
1621 SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
1622
1623#define SSL_CTX_need_tmp_RSA(ctx) \
1624 SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
1625#define SSL_CTX_set_tmp_rsa(ctx,rsa) \
1626 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
1627#define SSL_CTX_set_tmp_dh(ctx,dh) \
1628 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
1629#define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
1630 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
1631
1632#define SSL_need_tmp_RSA(ssl) \
1633 SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
1634#define SSL_set_tmp_rsa(ssl,rsa) \
1635 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
1636#define SSL_set_tmp_dh(ssl,dh) \
1637 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
1638#define SSL_set_tmp_ecdh(ssl,ecdh) \
1639 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
1640
1641#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
1642 SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
1643#define SSL_CTX_get_extra_chain_certs(ctx,px509) \
1644 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
1645#define SSL_CTX_clear_extra_chain_certs(ctx) \
1646 SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
1647
1648#ifndef OPENSSL_NO_BIO
1649BIO_METHOD *BIO_f_ssl(void);
1650BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
1651BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
1652BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
1653int BIO_ssl_copy_session_id(BIO *to,BIO *from);
1654void BIO_ssl_shutdown(BIO *ssl_bio);
1655
1656#endif
1657
1658int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
1659SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
1660void SSL_CTX_free(SSL_CTX *);
1661long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
1662long SSL_CTX_get_timeout(const SSL_CTX *ctx);
1663X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
1664void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
1665int SSL_want(const SSL *s);
1666int SSL_clear(SSL *s);
1667
1668void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
1669
1670const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
1671int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
1672char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
1673const char * SSL_CIPHER_get_name(const SSL_CIPHER *c);
1674unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c);
1675
1676int SSL_get_fd(const SSL *s);
1677int SSL_get_rfd(const SSL *s);
1678int SSL_get_wfd(const SSL *s);
1679const char * SSL_get_cipher_list(const SSL *s,int n);
1680char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
1681int SSL_get_read_ahead(const SSL * s);
1682int SSL_pending(const SSL *s);
1683#ifndef OPENSSL_NO_SOCK
1684int SSL_set_fd(SSL *s, int fd);
1685int SSL_set_rfd(SSL *s, int fd);
1686int SSL_set_wfd(SSL *s, int fd);
1687#endif
1688#ifndef OPENSSL_NO_BIO
1689void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
1690BIO * SSL_get_rbio(const SSL *s);
1691BIO * SSL_get_wbio(const SSL *s);
1692#endif
1693int SSL_set_cipher_list(SSL *s, const char *str);
1694void SSL_set_read_ahead(SSL *s, int yes);
1695int SSL_get_verify_mode(const SSL *s);
1696int SSL_get_verify_depth(const SSL *s);
1697int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
1698void SSL_set_verify(SSL *s, int mode,
1699 int (*callback)(int ok,X509_STORE_CTX *ctx));
1700void SSL_set_verify_depth(SSL *s, int depth);
1701#ifndef OPENSSL_NO_RSA
1702int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
1703#endif
1704int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
1705int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
1706int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len);
1707int SSL_use_certificate(SSL *ssl, X509 *x);
1708int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
1709
1710#ifndef OPENSSL_NO_STDIO
1711int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
1712int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
1713int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
1714int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1715int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1716int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
1717int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */
1718STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
1719int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1720 const char *file);
1721#ifndef OPENSSL_SYS_VMS
1722#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */
1723int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1724 const char *dir);
1725#endif
1726#endif
1727
1728#endif
1729
1730void SSL_load_error_strings(void );
1731const char *SSL_state_string(const SSL *s);
1732const char *SSL_rstate_string(const SSL *s);
1733const char *SSL_state_string_long(const SSL *s);
1734const char *SSL_rstate_string_long(const SSL *s);
1735long SSL_SESSION_get_time(const SSL_SESSION *s);
1736long SSL_SESSION_set_time(SSL_SESSION *s, long t);
1737long SSL_SESSION_get_timeout(const SSL_SESSION *s);
1738long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1739void SSL_copy_session_id(SSL *to,const SSL *from);
1740X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
1741int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
1742 unsigned int sid_ctx_len);
1743
1744SSL_SESSION *SSL_SESSION_new(void);
1745const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
1746 unsigned int *len);
1747unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
1748#ifndef OPENSSL_NO_FP_API
1749int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
1750#endif
1751#ifndef OPENSSL_NO_BIO
1752int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
1753#endif
1754void SSL_SESSION_free(SSL_SESSION *ses);
1755int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
1756int SSL_set_session(SSL *to, SSL_SESSION *session);
1757int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
1758int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
1759int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
1760int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
1761int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1762 unsigned int id_len);
1763SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char **pp,
1764 long length);
1765
1766#ifdef HEADER_X509_H
1767X509 * SSL_get_peer_certificate(const SSL *s);
1768#endif
1769
1770STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
1771
1772int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
1773int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
1774int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
1775void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
1776 int (*callback)(int, X509_STORE_CTX *));
1777void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
1778void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg);
1779#ifndef OPENSSL_NO_RSA
1780int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
1781#endif
1782int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
1783int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
1784int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
1785 const unsigned char *d, long len);
1786int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
1787int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
1788
1789void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
1790void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
1791
1792int SSL_CTX_check_private_key(const SSL_CTX *ctx);
1793int SSL_check_private_key(const SSL *ctx);
1794
1795int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
1796 unsigned int sid_ctx_len);
1797
1798SSL * SSL_new(SSL_CTX *ctx);
1799int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
1800 unsigned int sid_ctx_len);
1801
1802int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
1803int SSL_set_purpose(SSL *s, int purpose);
1804int SSL_CTX_set_trust(SSL_CTX *s, int trust);
1805int SSL_set_trust(SSL *s, int trust);
1806
1807int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
1808int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
1809
1810#ifndef OPENSSL_NO_SRP
1811int SSL_CTX_set_srp_username(SSL_CTX *ctx,char *name);
1812int SSL_CTX_set_srp_password(SSL_CTX *ctx,char *password);
1813int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
1814int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
1815 char *(*cb)(SSL *,void *));
1816int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
1817 int (*cb)(SSL *,void *));
1818int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
1819 int (*cb)(SSL *,int *,void *));
1820int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
1821
1822int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
1823 BIGNUM *sa, BIGNUM *v, char *info);
1824int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
1825 const char *grp);
1826
1827BIGNUM *SSL_get_srp_g(SSL *s);
1828BIGNUM *SSL_get_srp_N(SSL *s);
1829
1830char *SSL_get_srp_username(SSL *s);
1831char *SSL_get_srp_userinfo(SSL *s);
1832#endif
1833
1834void SSL_free(SSL *ssl);
1835int SSL_accept(SSL *ssl);
1836int SSL_connect(SSL *ssl);
1837int SSL_read(SSL *ssl,void *buf,int num);
1838int SSL_peek(SSL *ssl,void *buf,int num);
1839int SSL_write(SSL *ssl,const void *buf,int num);
1840long SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg);
1841long SSL_callback_ctrl(SSL *, int, void (*)(void));
1842long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
1843long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
1844
1845int SSL_get_error(const SSL *s,int ret_code);
1846const char *SSL_get_version(const SSL *s);
1847
1848/* This sets the 'default' SSL version that SSL_new() will create */
1849int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
1850
1851#ifndef OPENSSL_NO_SSL2
1852const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
1853const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
1854const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
1855#endif
1856
1857const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
1858const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
1859const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
1860
1861const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */
1862const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */
1863const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */
1864
1865const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
1866const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
1867const SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
1868
1869const SSL_METHOD *TLSv1_1_method(void); /* TLSv1.1 */
1870const SSL_METHOD *TLSv1_1_server_method(void); /* TLSv1.1 */
1871const SSL_METHOD *TLSv1_1_client_method(void); /* TLSv1.1 */
1872
1873const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */
1874const SSL_METHOD *TLSv1_2_server_method(void); /* TLSv1.2 */
1875const SSL_METHOD *TLSv1_2_client_method(void); /* TLSv1.2 */
1876
1877
1878const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
1879const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
1880const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
1881
1882STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
1883
1884int SSL_do_handshake(SSL *s);
1885int SSL_renegotiate(SSL *s);
1886int SSL_renegotiate_abbreviated(SSL *s);
1887int SSL_renegotiate_pending(SSL *s);
1888int SSL_shutdown(SSL *s);
1889
1890const SSL_METHOD *SSL_get_ssl_method(SSL *s);
1891int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
1892const char *SSL_alert_type_string_long(int value);
1893const char *SSL_alert_type_string(int value);
1894const char *SSL_alert_desc_string_long(int value);
1895const char *SSL_alert_desc_string(int value);
1896
1897void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
1898void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
1899STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
1900STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
1901int SSL_add_client_CA(SSL *ssl,X509 *x);
1902int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
1903
1904void SSL_set_connect_state(SSL *s);
1905void SSL_set_accept_state(SSL *s);
1906
1907long SSL_get_default_timeout(const SSL *s);
1908
1909int SSL_library_init(void );
1910
1911char *SSL_CIPHER_description(const SSL_CIPHER *,char *buf,int size);
1912STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
1913
1914SSL *SSL_dup(SSL *ssl);
1915
1916X509 *SSL_get_certificate(const SSL *ssl);
1917/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
1918
1919void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
1920int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
1921void SSL_set_quiet_shutdown(SSL *ssl,int mode);
1922int SSL_get_quiet_shutdown(const SSL *ssl);
1923void SSL_set_shutdown(SSL *ssl,int mode);
1924int SSL_get_shutdown(const SSL *ssl);
1925int SSL_version(const SSL *ssl);
1926int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
1927int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
1928 const char *CApath);
1929#define SSL_get0_session SSL_get_session /* just peek at pointer */
1930SSL_SESSION *SSL_get_session(const SSL *ssl);
1931SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
1932SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
1933SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx);
1934void SSL_set_info_callback(SSL *ssl,
1935 void (*cb)(const SSL *ssl,int type,int val));
1936void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
1937int SSL_state(const SSL *ssl);
1938void SSL_set_state(SSL *ssl, int state);
1939
1940void SSL_set_verify_result(SSL *ssl,long v);
1941long SSL_get_verify_result(const SSL *ssl);
1942
1943int SSL_set_ex_data(SSL *ssl,int idx,void *data);
1944void *SSL_get_ex_data(const SSL *ssl,int idx);
1945int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1946 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1947
1948int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
1949void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
1950int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1951 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1952
1953int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
1954void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
1955int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1956 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1957
1958int SSL_get_ex_data_X509_STORE_CTX_idx(void );
1959
1960#define SSL_CTX_sess_set_cache_size(ctx,t) \
1961 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
1962#define SSL_CTX_sess_get_cache_size(ctx) \
1963 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
1964#define SSL_CTX_set_session_cache_mode(ctx,m) \
1965 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
1966#define SSL_CTX_get_session_cache_mode(ctx) \
1967 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
1968
1969#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
1970#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
1971#define SSL_CTX_get_read_ahead(ctx) \
1972 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
1973#define SSL_CTX_set_read_ahead(ctx,m) \
1974 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
1975#define SSL_CTX_get_max_cert_list(ctx) \
1976 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1977#define SSL_CTX_set_max_cert_list(ctx,m) \
1978 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1979#define SSL_get_max_cert_list(ssl) \
1980 SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1981#define SSL_set_max_cert_list(ssl,m) \
1982 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1983
1984#define SSL_CTX_set_max_send_fragment(ctx,m) \
1985 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
1986#define SSL_set_max_send_fragment(ssl,m) \
1987 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
1988
1989 /* NB: the keylength is only applicable when is_export is true */
1990#ifndef OPENSSL_NO_RSA
1991void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
1992 RSA *(*cb)(SSL *ssl,int is_export,
1993 int keylength));
1994
1995void SSL_set_tmp_rsa_callback(SSL *ssl,
1996 RSA *(*cb)(SSL *ssl,int is_export,
1997 int keylength));
1998#endif
1999#ifndef OPENSSL_NO_DH
2000void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
2001 DH *(*dh)(SSL *ssl,int is_export,
2002 int keylength));
2003void SSL_set_tmp_dh_callback(SSL *ssl,
2004 DH *(*dh)(SSL *ssl,int is_export,
2005 int keylength));
2006#endif
2007#ifndef OPENSSL_NO_ECDH
2008void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
2009 EC_KEY *(*ecdh)(SSL *ssl,int is_export,
2010 int keylength));
2011void SSL_set_tmp_ecdh_callback(SSL *ssl,
2012 EC_KEY *(*ecdh)(SSL *ssl,int is_export,
2013 int keylength));
2014#endif
2015
2016#ifndef OPENSSL_NO_COMP
2017const COMP_METHOD *SSL_get_current_compression(SSL *s);
2018const COMP_METHOD *SSL_get_current_expansion(SSL *s);
2019const char *SSL_COMP_get_name(const COMP_METHOD *comp);
2020STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
2021int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
2022#else
2023const void *SSL_get_current_compression(SSL *s);
2024const void *SSL_get_current_expansion(SSL *s);
2025const char *SSL_COMP_get_name(const void *comp);
2026void *SSL_COMP_get_compression_methods(void);
2027int SSL_COMP_add_compression_method(int id,void *cm);
2028#endif
2029
2030/* TLS extensions functions */
2031int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
2032
2033int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
2034 void *arg);
2035
2036/* Pre-shared secret session resumption functions */
2037int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
2038
2039void SSL_set_debug(SSL *s, int debug);
2040int SSL_cache_hit(SSL *s);
2041
2042/* BEGIN ERROR CODES */
2043/* The following lines are auto generated by the script mkerr.pl. Any changes
2044 * made after this point may be overwritten when the script is next run.
2045 */
2046void ERR_load_SSL_strings(void);
2047
2048/* Error codes for the SSL functions. */
2049
2050/* Function codes. */
2051#define SSL_F_CLIENT_CERTIFICATE 100
2052#define SSL_F_CLIENT_FINISHED 167
2053#define SSL_F_CLIENT_HELLO 101
2054#define SSL_F_CLIENT_MASTER_KEY 102
2055#define SSL_F_D2I_SSL_SESSION 103
2056#define SSL_F_DO_DTLS1_WRITE 245
2057#define SSL_F_DO_SSL3_WRITE 104
2058#define SSL_F_DTLS1_ACCEPT 246
2059#define SSL_F_DTLS1_ADD_CERT_TO_BUF 295
2060#define SSL_F_DTLS1_BUFFER_RECORD 247
2061#define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 316
2062#define SSL_F_DTLS1_CLIENT_HELLO 248
2063#define SSL_F_DTLS1_CONNECT 249
2064#define SSL_F_DTLS1_ENC 250
2065#define SSL_F_DTLS1_GET_HELLO_VERIFY 251
2066#define SSL_F_DTLS1_GET_MESSAGE 252
2067#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 253
2068#define SSL_F_DTLS1_GET_RECORD 254
2069#define SSL_F_DTLS1_HANDLE_TIMEOUT 297
2070#define SSL_F_DTLS1_HEARTBEAT 305
2071#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
2072#define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
2073#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
2074#define SSL_F_DTLS1_PROCESS_RECORD 257
2075#define SSL_F_DTLS1_READ_BYTES 258
2076#define SSL_F_DTLS1_READ_FAILED 259
2077#define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 260
2078#define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 261
2079#define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 262
2080#define SSL_F_DTLS1_SEND_CLIENT_VERIFY 263
2081#define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST 264
2082#define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE 265
2083#define SSL_F_DTLS1_SEND_SERVER_HELLO 266
2084#define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE 267
2085#define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 268
2086#define SSL_F_GET_CLIENT_FINISHED 105
2087#define SSL_F_GET_CLIENT_HELLO 106
2088#define SSL_F_GET_CLIENT_MASTER_KEY 107
2089#define SSL_F_GET_SERVER_FINISHED 108
2090#define SSL_F_GET_SERVER_HELLO 109
2091#define SSL_F_GET_SERVER_VERIFY 110
2092#define SSL_F_I2D_SSL_SESSION 111
2093#define SSL_F_READ_N 112
2094#define SSL_F_REQUEST_CERTIFICATE 113
2095#define SSL_F_SERVER_FINISH 239
2096#define SSL_F_SERVER_HELLO 114
2097#define SSL_F_SERVER_VERIFY 240
2098#define SSL_F_SSL23_ACCEPT 115
2099#define SSL_F_SSL23_CLIENT_HELLO 116
2100#define SSL_F_SSL23_CONNECT 117
2101#define SSL_F_SSL23_GET_CLIENT_HELLO 118
2102#define SSL_F_SSL23_GET_SERVER_HELLO 119
2103#define SSL_F_SSL23_PEEK 237
2104#define SSL_F_SSL23_READ 120
2105#define SSL_F_SSL23_WRITE 121
2106#define SSL_F_SSL2_ACCEPT 122
2107#define SSL_F_SSL2_CONNECT 123
2108#define SSL_F_SSL2_ENC_INIT 124
2109#define SSL_F_SSL2_GENERATE_KEY_MATERIAL 241
2110#define SSL_F_SSL2_PEEK 234
2111#define SSL_F_SSL2_READ 125
2112#define SSL_F_SSL2_READ_INTERNAL 236
2113#define SSL_F_SSL2_SET_CERTIFICATE 126
2114#define SSL_F_SSL2_WRITE 127
2115#define SSL_F_SSL3_ACCEPT 128
2116#define SSL_F_SSL3_ADD_CERT_TO_BUF 296
2117#define SSL_F_SSL3_CALLBACK_CTRL 233
2118#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
2119#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
2120#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304
2121#define SSL_F_SSL3_CLIENT_HELLO 131
2122#define SSL_F_SSL3_CONNECT 132
2123#define SSL_F_SSL3_CTRL 213
2124#define SSL_F_SSL3_CTX_CTRL 133
2125#define SSL_F_SSL3_DIGEST_CACHED_RECORDS 293
2126#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292
2127#define SSL_F_SSL3_ENC 134
2128#define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
2129#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
2130#define SSL_F_SSL3_GET_CERT_STATUS 289
2131#define SSL_F_SSL3_GET_CERT_VERIFY 136
2132#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
2133#define SSL_F_SSL3_GET_CLIENT_HELLO 138
2134#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139
2135#define SSL_F_SSL3_GET_FINISHED 140
2136#define SSL_F_SSL3_GET_KEY_EXCHANGE 141
2137#define SSL_F_SSL3_GET_MESSAGE 142
2138#define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283
2139#define SSL_F_SSL3_GET_NEXT_PROTO 306
2140#define SSL_F_SSL3_GET_RECORD 143
2141#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
2142#define SSL_F_SSL3_GET_SERVER_DONE 145
2143#define SSL_F_SSL3_GET_SERVER_HELLO 146
2144#define SSL_F_SSL3_HANDSHAKE_MAC 285
2145#define SSL_F_SSL3_NEW_SESSION_TICKET 287
2146#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
2147#define SSL_F_SSL3_PEEK 235
2148#define SSL_F_SSL3_READ_BYTES 148
2149#define SSL_F_SSL3_READ_N 149
2150#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
2151#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151
2152#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152
2153#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153
2154#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154
2155#define SSL_F_SSL3_SEND_SERVER_HELLO 242
2156#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155
2157#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
2158#define SSL_F_SSL3_SETUP_READ_BUFFER 156
2159#define SSL_F_SSL3_SETUP_WRITE_BUFFER 291
2160#define SSL_F_SSL3_WRITE_BYTES 158
2161#define SSL_F_SSL3_WRITE_PENDING 159
2162#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 298
2163#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 277
2164#define SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT 307
2165#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
2166#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
2167#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 299
2168#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 278
2169#define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT 308
2170#define SSL_F_SSL_BAD_METHOD 160
2171#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
2172#define SSL_F_SSL_CERT_DUP 221
2173#define SSL_F_SSL_CERT_INST 222
2174#define SSL_F_SSL_CERT_INSTANTIATE 214
2175#define SSL_F_SSL_CERT_NEW 162
2176#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
2177#define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT 280
2178#define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG 279
2179#define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230
2180#define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
2181#define SSL_F_SSL_CLEAR 164
2182#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
2183#define SSL_F_SSL_CREATE_CIPHER_LIST 166
2184#define SSL_F_SSL_CTRL 232
2185#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
2186#define SSL_F_SSL_CTX_MAKE_PROFILES 309
2187#define SSL_F_SSL_CTX_NEW 169
2188#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269
2189#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 290
2190#define SSL_F_SSL_CTX_SET_PURPOSE 226
2191#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219
2192#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
2193#define SSL_F_SSL_CTX_SET_TRUST 229
2194#define SSL_F_SSL_CTX_USE_CERTIFICATE 171
2195#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172
2196#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220
2197#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173
2198#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174
2199#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175
2200#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176
2201#define SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT 272
2202#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177
2203#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178
2204#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179
2205#define SSL_F_SSL_DO_HANDSHAKE 180
2206#define SSL_F_SSL_GET_NEW_SESSION 181
2207#define SSL_F_SSL_GET_PREV_SESSION 217
2208#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
2209#define SSL_F_SSL_GET_SIGN_PKEY 183
2210#define SSL_F_SSL_INIT_WBIO_BUFFER 184
2211#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
2212#define SSL_F_SSL_NEW 186
2213#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
2214#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
2215#define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT 310
2216#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
2217#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
2218#define SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT 311
2219#define SSL_F_SSL_PEEK 270
2220#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
2221#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
2222#define SSL_F_SSL_READ 223
2223#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
2224#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
2225#define SSL_F_SSL_SESSION_NEW 189
2226#define SSL_F_SSL_SESSION_PRINT_FP 190
2227#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
2228#define SSL_F_SSL_SESS_CERT_NEW 225
2229#define SSL_F_SSL_SET_CERT 191
2230#define SSL_F_SSL_SET_CIPHER_LIST 271
2231#define SSL_F_SSL_SET_FD 192
2232#define SSL_F_SSL_SET_PKEY 193
2233#define SSL_F_SSL_SET_PURPOSE 227
2234#define SSL_F_SSL_SET_RFD 194
2235#define SSL_F_SSL_SET_SESSION 195
2236#define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218
2237#define SSL_F_SSL_SET_SESSION_TICKET_EXT 294
2238#define SSL_F_SSL_SET_TRUST 228
2239#define SSL_F_SSL_SET_WFD 196
2240#define SSL_F_SSL_SHUTDOWN 224
2241#define SSL_F_SSL_SRP_CTX_INIT 313
2242#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
2243#define SSL_F_SSL_UNDEFINED_FUNCTION 197
2244#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244
2245#define SSL_F_SSL_USE_CERTIFICATE 198
2246#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
2247#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
2248#define SSL_F_SSL_USE_PRIVATEKEY 201
2249#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202
2250#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203
2251#define SSL_F_SSL_USE_PSK_IDENTITY_HINT 273
2252#define SSL_F_SSL_USE_RSAPRIVATEKEY 204
2253#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205
2254#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206
2255#define SSL_F_SSL_VERIFY_CERT_CHAIN 207
2256#define SSL_F_SSL_WRITE 208
2257#define SSL_F_TLS1_CERT_VERIFY_MAC 286
2258#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
2259#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274
2260#define SSL_F_TLS1_ENC 210
2261#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314
2262#define SSL_F_TLS1_HEARTBEAT 315
2263#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275
2264#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276
2265#define SSL_F_TLS1_PRF 284
2266#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
2267#define SSL_F_WRITE_PENDING 212
2268
2269/* Reason codes. */
2270#define SSL_R_APP_DATA_IN_HANDSHAKE 100
2271#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
2272#define SSL_R_BAD_ALERT_RECORD 101
2273#define SSL_R_BAD_AUTHENTICATION_TYPE 102
2274#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
2275#define SSL_R_BAD_CHECKSUM 104
2276#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
2277#define SSL_R_BAD_DECOMPRESSION 107
2278#define SSL_R_BAD_DH_G_LENGTH 108
2279#define SSL_R_BAD_DH_PUB_KEY_LENGTH 109
2280#define SSL_R_BAD_DH_P_LENGTH 110
2281#define SSL_R_BAD_DIGEST_LENGTH 111
2282#define SSL_R_BAD_DSA_SIGNATURE 112
2283#define SSL_R_BAD_ECC_CERT 304
2284#define SSL_R_BAD_ECDSA_SIGNATURE 305
2285#define SSL_R_BAD_ECPOINT 306
2286#define SSL_R_BAD_HANDSHAKE_LENGTH 332
2287#define SSL_R_BAD_HELLO_REQUEST 105
2288#define SSL_R_BAD_LENGTH 271
2289#define SSL_R_BAD_MAC_DECODE 113
2290#define SSL_R_BAD_MAC_LENGTH 333
2291#define SSL_R_BAD_MESSAGE_TYPE 114
2292#define SSL_R_BAD_PACKET_LENGTH 115
2293#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116
2294#define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH 316
2295#define SSL_R_BAD_RESPONSE_ARGUMENT 117
2296#define SSL_R_BAD_RSA_DECRYPT 118
2297#define SSL_R_BAD_RSA_ENCRYPT 119
2298#define SSL_R_BAD_RSA_E_LENGTH 120
2299#define SSL_R_BAD_RSA_MODULUS_LENGTH 121
2300#define SSL_R_BAD_RSA_SIGNATURE 122
2301#define SSL_R_BAD_SIGNATURE 123
2302#define SSL_R_BAD_SRP_A_LENGTH 347
2303#define SSL_R_BAD_SRP_B_LENGTH 348
2304#define SSL_R_BAD_SRP_G_LENGTH 349
2305#define SSL_R_BAD_SRP_N_LENGTH 350
2306#define SSL_R_BAD_SRP_S_LENGTH 351
2307#define SSL_R_BAD_SRTP_MKI_VALUE 352
2308#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 353
2309#define SSL_R_BAD_SSL_FILETYPE 124
2310#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
2311#define SSL_R_BAD_STATE 126
2312#define SSL_R_BAD_WRITE_RETRY 127
2313#define SSL_R_BIO_NOT_SET 128
2314#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
2315#define SSL_R_BN_LIB 130
2316#define SSL_R_CA_DN_LENGTH_MISMATCH 131
2317#define SSL_R_CA_DN_TOO_LONG 132
2318#define SSL_R_CCS_RECEIVED_EARLY 133
2319#define SSL_R_CERTIFICATE_VERIFY_FAILED 134
2320#define SSL_R_CERT_LENGTH_MISMATCH 135
2321#define SSL_R_CHALLENGE_IS_DIFFERENT 136
2322#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
2323#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
2324#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
2325#define SSL_R_CLIENTHELLO_TLSEXT 226
2326#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
2327#define SSL_R_COMPRESSION_DISABLED 343
2328#define SSL_R_COMPRESSION_FAILURE 141
2329#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307
2330#define SSL_R_COMPRESSION_LIBRARY_ERROR 142
2331#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143
2332#define SSL_R_CONNECTION_TYPE_NOT_SET 144
2333#define SSL_R_COOKIE_MISMATCH 308
2334#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145
2335#define SSL_R_DATA_LENGTH_TOO_LONG 146
2336#define SSL_R_DECRYPTION_FAILED 147
2337#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
2338#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
2339#define SSL_R_DIGEST_CHECK_FAILED 149
2340#define SSL_R_DTLS_MESSAGE_TOO_BIG 334
2341#define SSL_R_DUPLICATE_COMPRESSION_ID 309
2342#define SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT 317
2343#define SSL_R_ECC_CERT_NOT_FOR_SIGNING 318
2344#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 322
2345#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 323
2346#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310
2347#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354
2348#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
2349#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
2350#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
2351#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
2352#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
2353#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
2354#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 355
2355#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 356
2356#define SSL_R_HTTPS_PROXY_REQUEST 155
2357#define SSL_R_HTTP_REQUEST 156
2358#define SSL_R_ILLEGAL_PADDING 283
2359#define SSL_R_INCONSISTENT_COMPRESSION 340
2360#define SSL_R_INVALID_CHALLENGE_LENGTH 158
2361#define SSL_R_INVALID_COMMAND 280
2362#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
2363#define SSL_R_INVALID_PURPOSE 278
2364#define SSL_R_INVALID_SRP_USERNAME 357
2365#define SSL_R_INVALID_STATUS_RESPONSE 328
2366#define SSL_R_INVALID_TICKET_KEYS_LENGTH 325
2367#define SSL_R_INVALID_TRUST 279
2368#define SSL_R_KEY_ARG_TOO_LONG 284
2369#define SSL_R_KRB5 285
2370#define SSL_R_KRB5_C_CC_PRINC 286
2371#define SSL_R_KRB5_C_GET_CRED 287
2372#define SSL_R_KRB5_C_INIT 288
2373#define SSL_R_KRB5_C_MK_REQ 289
2374#define SSL_R_KRB5_S_BAD_TICKET 290
2375#define SSL_R_KRB5_S_INIT 291
2376#define SSL_R_KRB5_S_RD_REQ 292
2377#define SSL_R_KRB5_S_TKT_EXPIRED 293
2378#define SSL_R_KRB5_S_TKT_NYV 294
2379#define SSL_R_KRB5_S_TKT_SKEW 295
2380#define SSL_R_LENGTH_MISMATCH 159
2381#define SSL_R_LENGTH_TOO_SHORT 160
2382#define SSL_R_LIBRARY_BUG 274
2383#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
2384#define SSL_R_MESSAGE_TOO_LONG 296
2385#define SSL_R_MISSING_DH_DSA_CERT 162
2386#define SSL_R_MISSING_DH_KEY 163
2387#define SSL_R_MISSING_DH_RSA_CERT 164
2388#define SSL_R_MISSING_DSA_SIGNING_CERT 165
2389#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
2390#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
2391#define SSL_R_MISSING_RSA_CERTIFICATE 168
2392#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
2393#define SSL_R_MISSING_RSA_SIGNING_CERT 170
2394#define SSL_R_MISSING_SRP_PARAM 358
2395#define SSL_R_MISSING_TMP_DH_KEY 171
2396#define SSL_R_MISSING_TMP_ECDH_KEY 311
2397#define SSL_R_MISSING_TMP_RSA_KEY 172
2398#define SSL_R_MISSING_TMP_RSA_PKEY 173
2399#define SSL_R_MISSING_VERIFY_MESSAGE 174
2400#define SSL_R_MULTIPLE_SGC_RESTARTS 346
2401#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
2402#define SSL_R_NO_CERTIFICATES_RETURNED 176
2403#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
2404#define SSL_R_NO_CERTIFICATE_RETURNED 178
2405#define SSL_R_NO_CERTIFICATE_SET 179
2406#define SSL_R_NO_CERTIFICATE_SPECIFIED 180
2407#define SSL_R_NO_CIPHERS_AVAILABLE 181
2408#define SSL_R_NO_CIPHERS_PASSED 182
2409#define SSL_R_NO_CIPHERS_SPECIFIED 183
2410#define SSL_R_NO_CIPHER_LIST 184
2411#define SSL_R_NO_CIPHER_MATCH 185
2412#define SSL_R_NO_CLIENT_CERT_METHOD 331
2413#define SSL_R_NO_CLIENT_CERT_RECEIVED 186
2414#define SSL_R_NO_COMPRESSION_SPECIFIED 187
2415#define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330
2416#define SSL_R_NO_METHOD_SPECIFIED 188
2417#define SSL_R_NO_PRIVATEKEY 189
2418#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
2419#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
2420#define SSL_R_NO_PUBLICKEY 192
2421#define SSL_R_NO_RENEGOTIATION 339
2422#define SSL_R_NO_REQUIRED_DIGEST 324
2423#define SSL_R_NO_SHARED_CIPHER 193
2424#define SSL_R_NO_SRTP_PROFILES 359
2425#define SSL_R_NO_VERIFY_CALLBACK 194
2426#define SSL_R_NULL_SSL_CTX 195
2427#define SSL_R_NULL_SSL_METHOD_PASSED 196
2428#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
2429#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
2430#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
2431#define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG 327
2432#define SSL_R_PACKET_LENGTH_TOO_LONG 198
2433#define SSL_R_PARSE_TLSEXT 227
2434#define SSL_R_PATH_TOO_LONG 270
2435#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
2436#define SSL_R_PEER_ERROR 200
2437#define SSL_R_PEER_ERROR_CERTIFICATE 201
2438#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202
2439#define SSL_R_PEER_ERROR_NO_CIPHER 203
2440#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204
2441#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205
2442#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206
2443#define SSL_R_PROTOCOL_IS_SHUTDOWN 207
2444#define SSL_R_PSK_IDENTITY_NOT_FOUND 223
2445#define SSL_R_PSK_NO_CLIENT_CB 224
2446#define SSL_R_PSK_NO_SERVER_CB 225
2447#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208
2448#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209
2449#define SSL_R_PUBLIC_KEY_NOT_RSA 210
2450#define SSL_R_READ_BIO_NOT_SET 211
2451#define SSL_R_READ_TIMEOUT_EXPIRED 312
2452#define SSL_R_READ_WRONG_PACKET_TYPE 212
2453#define SSL_R_RECORD_LENGTH_MISMATCH 213
2454#define SSL_R_RECORD_TOO_LARGE 214
2455#define SSL_R_RECORD_TOO_SMALL 298
2456#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 335
2457#define SSL_R_RENEGOTIATION_ENCODING_ERR 336
2458#define SSL_R_RENEGOTIATION_MISMATCH 337
2459#define SSL_R_REQUIRED_CIPHER_MISSING 215
2460#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING 342
2461#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
2462#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
2463#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
2464#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345
2465#define SSL_R_SERVERHELLO_TLSEXT 275
2466#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
2467#define SSL_R_SHORT_READ 219
2468#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 360
2469#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
2470#define SSL_R_SRP_A_CALC 361
2471#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 362
2472#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 363
2473#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 364
2474#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
2475#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299
2476#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT 321
2477#define SSL_R_SSL3_EXT_INVALID_SERVERNAME 319
2478#define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 320
2479#define SSL_R_SSL3_SESSION_ID_TOO_LONG 300
2480#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
2481#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
2482#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
2483#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
2484#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044
2485#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046
2486#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030
2487#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
2488#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
2489#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
2490#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
2491#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
2492#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
2493#define SSL_R_SSL_HANDSHAKE_FAILURE 229
2494#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
2495#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301
2496#define SSL_R_SSL_SESSION_ID_CONFLICT 302
2497#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
2498#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303
2499#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231
2500#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
2501#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
2502#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
2503#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
2504#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
2505#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
2506#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
2507#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
2508#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
2509#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
2510#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
2511#define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
2512#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
2513#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
2514#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
2515#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
2516#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
2517#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
2518#define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT 365
2519#define SSL_R_TLS_HEARTBEAT_PENDING 366
2520#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
2521#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
2522#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
2523#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
2524#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
2525#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
2526#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313
2527#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237
2528#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
2529#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 314
2530#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
2531#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240
2532#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241
2533#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
2534#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
2535#define SSL_R_UNEXPECTED_MESSAGE 244
2536#define SSL_R_UNEXPECTED_RECORD 245
2537#define SSL_R_UNINITIALIZED 276
2538#define SSL_R_UNKNOWN_ALERT_TYPE 246
2539#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
2540#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
2541#define SSL_R_UNKNOWN_CIPHER_TYPE 249
2542#define SSL_R_UNKNOWN_DIGEST 368
2543#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
2544#define SSL_R_UNKNOWN_PKEY_TYPE 251
2545#define SSL_R_UNKNOWN_PROTOCOL 252
2546#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
2547#define SSL_R_UNKNOWN_SSL_VERSION 254
2548#define SSL_R_UNKNOWN_STATE 255
2549#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338
2550#define SSL_R_UNSUPPORTED_CIPHER 256
2551#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
2552#define SSL_R_UNSUPPORTED_DIGEST_TYPE 326
2553#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315
2554#define SSL_R_UNSUPPORTED_PROTOCOL 258
2555#define SSL_R_UNSUPPORTED_SSL_VERSION 259
2556#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
2557#define SSL_R_USE_SRTP_NOT_NEGOTIATED 369
2558#define SSL_R_WRITE_BIO_NOT_SET 260
2559#define SSL_R_WRONG_CIPHER_RETURNED 261
2560#define SSL_R_WRONG_MESSAGE_TYPE 262
2561#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
2562#define SSL_R_WRONG_SIGNATURE_LENGTH 264
2563#define SSL_R_WRONG_SIGNATURE_SIZE 265
2564#define SSL_R_WRONG_SIGNATURE_TYPE 370
2565#define SSL_R_WRONG_SSL_VERSION 266
2566#define SSL_R_WRONG_VERSION_NUMBER 267
2567#define SSL_R_X509_LIB 268
2568#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
2569
2570#ifdef __cplusplus
2571}
2572#endif
2573#endif
diff --git a/src/lib/libssl/ssl2.h b/src/lib/libssl/ssl2.h
deleted file mode 100644
index eb25dcb0bf..0000000000
--- a/src/lib/libssl/ssl2.h
+++ /dev/null
@@ -1,272 +0,0 @@
1/* ssl/ssl2.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL2_H
60#define HEADER_SSL2_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/* Protocol Version Codes */
67#define SSL2_VERSION 0x0002
68#define SSL2_VERSION_MAJOR 0x00
69#define SSL2_VERSION_MINOR 0x02
70/* #define SSL2_CLIENT_VERSION 0x0002 */
71/* #define SSL2_SERVER_VERSION 0x0002 */
72
73/* Protocol Message Codes */
74#define SSL2_MT_ERROR 0
75#define SSL2_MT_CLIENT_HELLO 1
76#define SSL2_MT_CLIENT_MASTER_KEY 2
77#define SSL2_MT_CLIENT_FINISHED 3
78#define SSL2_MT_SERVER_HELLO 4
79#define SSL2_MT_SERVER_VERIFY 5
80#define SSL2_MT_SERVER_FINISHED 6
81#define SSL2_MT_REQUEST_CERTIFICATE 7
82#define SSL2_MT_CLIENT_CERTIFICATE 8
83
84/* Error Message Codes */
85#define SSL2_PE_UNDEFINED_ERROR 0x0000
86#define SSL2_PE_NO_CIPHER 0x0001
87#define SSL2_PE_NO_CERTIFICATE 0x0002
88#define SSL2_PE_BAD_CERTIFICATE 0x0004
89#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
90
91/* Cipher Kind Values */
92#define SSL2_CK_NULL_WITH_MD5 0x02000000 /* v3 */
93#define SSL2_CK_RC4_128_WITH_MD5 0x02010080
94#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5 0x02020080
95#define SSL2_CK_RC2_128_CBC_WITH_MD5 0x02030080
96#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x02040080
97#define SSL2_CK_IDEA_128_CBC_WITH_MD5 0x02050080
98#define SSL2_CK_DES_64_CBC_WITH_MD5 0x02060040
99#define SSL2_CK_DES_64_CBC_WITH_SHA 0x02060140 /* v3 */
100#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 0x020700c0
101#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA 0x020701c0 /* v3 */
102#define SSL2_CK_RC4_64_WITH_MD5 0x02080080 /* MS hack */
103
104#define SSL2_CK_DES_64_CFB64_WITH_MD5_1 0x02ff0800 /* SSLeay */
105#define SSL2_CK_NULL 0x02ff0810 /* SSLeay */
106
107#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1 "DES-CFB-M1"
108#define SSL2_TXT_NULL_WITH_MD5 "NULL-MD5"
109#define SSL2_TXT_RC4_128_WITH_MD5 "RC4-MD5"
110#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 "EXP-RC4-MD5"
111#define SSL2_TXT_RC2_128_CBC_WITH_MD5 "RC2-CBC-MD5"
112#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 "EXP-RC2-CBC-MD5"
113#define SSL2_TXT_IDEA_128_CBC_WITH_MD5 "IDEA-CBC-MD5"
114#define SSL2_TXT_DES_64_CBC_WITH_MD5 "DES-CBC-MD5"
115#define SSL2_TXT_DES_64_CBC_WITH_SHA "DES-CBC-SHA"
116#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 "DES-CBC3-MD5"
117#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA "DES-CBC3-SHA"
118#define SSL2_TXT_RC4_64_WITH_MD5 "RC4-64-MD5"
119
120#define SSL2_TXT_NULL "NULL"
121
122/* Flags for the SSL_CIPHER.algorithm2 field */
123#define SSL2_CF_5_BYTE_ENC 0x01
124#define SSL2_CF_8_BYTE_ENC 0x02
125
126/* Certificate Type Codes */
127#define SSL2_CT_X509_CERTIFICATE 0x01
128
129/* Authentication Type Code */
130#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION 0x01
131
132#define SSL2_MAX_SSL_SESSION_ID_LENGTH 32
133
134/* Upper/Lower Bounds */
135#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256
136#ifdef OPENSSL_SYS_MPE
137#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u
138#else
139#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */
140#endif
141#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */
142
143#define SSL2_CHALLENGE_LENGTH 16
144/*#define SSL2_CHALLENGE_LENGTH 32 */
145#define SSL2_MIN_CHALLENGE_LENGTH 16
146#define SSL2_MAX_CHALLENGE_LENGTH 32
147#define SSL2_CONNECTION_ID_LENGTH 16
148#define SSL2_MAX_CONNECTION_ID_LENGTH 16
149#define SSL2_SSL_SESSION_ID_LENGTH 16
150#define SSL2_MAX_CERT_CHALLENGE_LENGTH 32
151#define SSL2_MIN_CERT_CHALLENGE_LENGTH 16
152#define SSL2_MAX_KEY_MATERIAL_LENGTH 24
153
154#ifndef HEADER_SSL_LOCL_H
155#define CERT char
156#endif
157
158#ifndef OPENSSL_NO_SSL_INTERN
159
160typedef struct ssl2_state_st
161 {
162 int three_byte_header;
163 int clear_text; /* clear text */
164 int escape; /* not used in SSLv2 */
165 int ssl2_rollback; /* used if SSLv23 rolled back to SSLv2 */
166
167 /* non-blocking io info, used to make sure the same
168 * args were passwd */
169 unsigned int wnum; /* number of bytes sent so far */
170 int wpend_tot;
171 const unsigned char *wpend_buf;
172
173 int wpend_off; /* offset to data to write */
174 int wpend_len; /* number of bytes passwd to write */
175 int wpend_ret; /* number of bytes to return to caller */
176
177 /* buffer raw data */
178 int rbuf_left;
179 int rbuf_offs;
180 unsigned char *rbuf;
181 unsigned char *wbuf;
182
183 unsigned char *write_ptr;/* used to point to the start due to
184 * 2/3 byte header. */
185
186 unsigned int padding;
187 unsigned int rlength; /* passed to ssl2_enc */
188 int ract_data_length; /* Set when things are encrypted. */
189 unsigned int wlength; /* passed to ssl2_enc */
190 int wact_data_length; /* Set when things are decrypted. */
191 unsigned char *ract_data;
192 unsigned char *wact_data;
193 unsigned char *mac_data;
194
195 unsigned char *read_key;
196 unsigned char *write_key;
197
198 /* Stuff specifically to do with this SSL session */
199 unsigned int challenge_length;
200 unsigned char challenge[SSL2_MAX_CHALLENGE_LENGTH];
201 unsigned int conn_id_length;
202 unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
203 unsigned int key_material_length;
204 unsigned char key_material[SSL2_MAX_KEY_MATERIAL_LENGTH*2];
205
206 unsigned long read_sequence;
207 unsigned long write_sequence;
208
209 struct {
210 unsigned int conn_id_length;
211 unsigned int cert_type;
212 unsigned int cert_length;
213 unsigned int csl;
214 unsigned int clear;
215 unsigned int enc;
216 unsigned char ccl[SSL2_MAX_CERT_CHALLENGE_LENGTH];
217 unsigned int cipher_spec_length;
218 unsigned int session_id_length;
219 unsigned int clen;
220 unsigned int rlen;
221 } tmp;
222 } SSL2_STATE;
223
224#endif
225
226/* SSLv2 */
227/* client */
228#define SSL2_ST_SEND_CLIENT_HELLO_A (0x10|SSL_ST_CONNECT)
229#define SSL2_ST_SEND_CLIENT_HELLO_B (0x11|SSL_ST_CONNECT)
230#define SSL2_ST_GET_SERVER_HELLO_A (0x20|SSL_ST_CONNECT)
231#define SSL2_ST_GET_SERVER_HELLO_B (0x21|SSL_ST_CONNECT)
232#define SSL2_ST_SEND_CLIENT_MASTER_KEY_A (0x30|SSL_ST_CONNECT)
233#define SSL2_ST_SEND_CLIENT_MASTER_KEY_B (0x31|SSL_ST_CONNECT)
234#define SSL2_ST_SEND_CLIENT_FINISHED_A (0x40|SSL_ST_CONNECT)
235#define SSL2_ST_SEND_CLIENT_FINISHED_B (0x41|SSL_ST_CONNECT)
236#define SSL2_ST_SEND_CLIENT_CERTIFICATE_A (0x50|SSL_ST_CONNECT)
237#define SSL2_ST_SEND_CLIENT_CERTIFICATE_B (0x51|SSL_ST_CONNECT)
238#define SSL2_ST_SEND_CLIENT_CERTIFICATE_C (0x52|SSL_ST_CONNECT)
239#define SSL2_ST_SEND_CLIENT_CERTIFICATE_D (0x53|SSL_ST_CONNECT)
240#define SSL2_ST_GET_SERVER_VERIFY_A (0x60|SSL_ST_CONNECT)
241#define SSL2_ST_GET_SERVER_VERIFY_B (0x61|SSL_ST_CONNECT)
242#define SSL2_ST_GET_SERVER_FINISHED_A (0x70|SSL_ST_CONNECT)
243#define SSL2_ST_GET_SERVER_FINISHED_B (0x71|SSL_ST_CONNECT)
244#define SSL2_ST_CLIENT_START_ENCRYPTION (0x80|SSL_ST_CONNECT)
245#define SSL2_ST_X509_GET_CLIENT_CERTIFICATE (0x90|SSL_ST_CONNECT)
246/* server */
247#define SSL2_ST_GET_CLIENT_HELLO_A (0x10|SSL_ST_ACCEPT)
248#define SSL2_ST_GET_CLIENT_HELLO_B (0x11|SSL_ST_ACCEPT)
249#define SSL2_ST_GET_CLIENT_HELLO_C (0x12|SSL_ST_ACCEPT)
250#define SSL2_ST_SEND_SERVER_HELLO_A (0x20|SSL_ST_ACCEPT)
251#define SSL2_ST_SEND_SERVER_HELLO_B (0x21|SSL_ST_ACCEPT)
252#define SSL2_ST_GET_CLIENT_MASTER_KEY_A (0x30|SSL_ST_ACCEPT)
253#define SSL2_ST_GET_CLIENT_MASTER_KEY_B (0x31|SSL_ST_ACCEPT)
254#define SSL2_ST_SEND_SERVER_VERIFY_A (0x40|SSL_ST_ACCEPT)
255#define SSL2_ST_SEND_SERVER_VERIFY_B (0x41|SSL_ST_ACCEPT)
256#define SSL2_ST_SEND_SERVER_VERIFY_C (0x42|SSL_ST_ACCEPT)
257#define SSL2_ST_GET_CLIENT_FINISHED_A (0x50|SSL_ST_ACCEPT)
258#define SSL2_ST_GET_CLIENT_FINISHED_B (0x51|SSL_ST_ACCEPT)
259#define SSL2_ST_SEND_SERVER_FINISHED_A (0x60|SSL_ST_ACCEPT)
260#define SSL2_ST_SEND_SERVER_FINISHED_B (0x61|SSL_ST_ACCEPT)
261#define SSL2_ST_SEND_REQUEST_CERTIFICATE_A (0x70|SSL_ST_ACCEPT)
262#define SSL2_ST_SEND_REQUEST_CERTIFICATE_B (0x71|SSL_ST_ACCEPT)
263#define SSL2_ST_SEND_REQUEST_CERTIFICATE_C (0x72|SSL_ST_ACCEPT)
264#define SSL2_ST_SEND_REQUEST_CERTIFICATE_D (0x73|SSL_ST_ACCEPT)
265#define SSL2_ST_SERVER_START_ENCRYPTION (0x80|SSL_ST_ACCEPT)
266#define SSL2_ST_X509_GET_SERVER_CERTIFICATE (0x90|SSL_ST_ACCEPT)
267
268#ifdef __cplusplus
269}
270#endif
271#endif
272
diff --git a/src/lib/libssl/ssl23.h b/src/lib/libssl/ssl23.h
deleted file mode 100644
index d3228983c7..0000000000
--- a/src/lib/libssl/ssl23.h
+++ /dev/null
@@ -1,83 +0,0 @@
1/* ssl/ssl23.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL23_H
60#define HEADER_SSL23_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/*client */
67/* write to server */
68#define SSL23_ST_CW_CLNT_HELLO_A (0x210|SSL_ST_CONNECT)
69#define SSL23_ST_CW_CLNT_HELLO_B (0x211|SSL_ST_CONNECT)
70/* read from server */
71#define SSL23_ST_CR_SRVR_HELLO_A (0x220|SSL_ST_CONNECT)
72#define SSL23_ST_CR_SRVR_HELLO_B (0x221|SSL_ST_CONNECT)
73
74/* server */
75/* read from client */
76#define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
77#define SSL23_ST_SR_CLNT_HELLO_B (0x211|SSL_ST_ACCEPT)
78
79#ifdef __cplusplus
80}
81#endif
82#endif
83
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
deleted file mode 100644
index 112e627de0..0000000000
--- a/src/lib/libssl/ssl3.h
+++ /dev/null
@@ -1,678 +0,0 @@
1/* ssl/ssl3.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#ifndef HEADER_SSL3_H
118#define HEADER_SSL3_H
119
120#ifndef OPENSSL_NO_COMP
121#include <openssl/comp.h>
122#endif
123#include <openssl/buffer.h>
124#include <openssl/evp.h>
125#include <openssl/ssl.h>
126
127#ifdef __cplusplus
128extern "C" {
129#endif
130
131/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
132#define SSL3_CK_SCSV 0x030000FF
133
134#define SSL3_CK_RSA_NULL_MD5 0x03000001
135#define SSL3_CK_RSA_NULL_SHA 0x03000002
136#define SSL3_CK_RSA_RC4_40_MD5 0x03000003
137#define SSL3_CK_RSA_RC4_128_MD5 0x03000004
138#define SSL3_CK_RSA_RC4_128_SHA 0x03000005
139#define SSL3_CK_RSA_RC2_40_MD5 0x03000006
140#define SSL3_CK_RSA_IDEA_128_SHA 0x03000007
141#define SSL3_CK_RSA_DES_40_CBC_SHA 0x03000008
142#define SSL3_CK_RSA_DES_64_CBC_SHA 0x03000009
143#define SSL3_CK_RSA_DES_192_CBC3_SHA 0x0300000A
144
145#define SSL3_CK_DH_DSS_DES_40_CBC_SHA 0x0300000B
146#define SSL3_CK_DH_DSS_DES_64_CBC_SHA 0x0300000C
147#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA 0x0300000D
148#define SSL3_CK_DH_RSA_DES_40_CBC_SHA 0x0300000E
149#define SSL3_CK_DH_RSA_DES_64_CBC_SHA 0x0300000F
150#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA 0x03000010
151
152#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA 0x03000011
153#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA 0x03000012
154#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA 0x03000013
155#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA 0x03000014
156#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA 0x03000015
157#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA 0x03000016
158
159#define SSL3_CK_ADH_RC4_40_MD5 0x03000017
160#define SSL3_CK_ADH_RC4_128_MD5 0x03000018
161#define SSL3_CK_ADH_DES_40_CBC_SHA 0x03000019
162#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A
163#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B
164
165#if 0
166 #define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C
167 #define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
168 #if 0 /* Because it clashes with KRB5, is never used any more, and is safe
169 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
170 of the ietf-tls list */
171 #define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
172 #endif
173#endif
174
175/* VRS Additional Kerberos5 entries
176 */
177#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0300001E
178#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0300001F
179#define SSL3_CK_KRB5_RC4_128_SHA 0x03000020
180#define SSL3_CK_KRB5_IDEA_128_CBC_SHA 0x03000021
181#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000022
182#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000023
183#define SSL3_CK_KRB5_RC4_128_MD5 0x03000024
184#define SSL3_CK_KRB5_IDEA_128_CBC_MD5 0x03000025
185
186#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000026
187#define SSL3_CK_KRB5_RC2_40_CBC_SHA 0x03000027
188#define SSL3_CK_KRB5_RC4_40_SHA 0x03000028
189#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000029
190#define SSL3_CK_KRB5_RC2_40_CBC_MD5 0x0300002A
191#define SSL3_CK_KRB5_RC4_40_MD5 0x0300002B
192
193#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
194#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
195#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5"
196#define SSL3_TXT_RSA_RC4_128_MD5 "RC4-MD5"
197#define SSL3_TXT_RSA_RC4_128_SHA "RC4-SHA"
198#define SSL3_TXT_RSA_RC2_40_MD5 "EXP-RC2-CBC-MD5"
199#define SSL3_TXT_RSA_IDEA_128_SHA "IDEA-CBC-SHA"
200#define SSL3_TXT_RSA_DES_40_CBC_SHA "EXP-DES-CBC-SHA"
201#define SSL3_TXT_RSA_DES_64_CBC_SHA "DES-CBC-SHA"
202#define SSL3_TXT_RSA_DES_192_CBC3_SHA "DES-CBC3-SHA"
203
204#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA "EXP-DH-DSS-DES-CBC-SHA"
205#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA "DH-DSS-DES-CBC-SHA"
206#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA "DH-DSS-DES-CBC3-SHA"
207#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA "EXP-DH-RSA-DES-CBC-SHA"
208#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA "DH-RSA-DES-CBC-SHA"
209#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA "DH-RSA-DES-CBC3-SHA"
210
211#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA "EXP-EDH-DSS-DES-CBC-SHA"
212#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA "EDH-DSS-DES-CBC-SHA"
213#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA "EDH-DSS-DES-CBC3-SHA"
214#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA "EXP-EDH-RSA-DES-CBC-SHA"
215#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA "EDH-RSA-DES-CBC-SHA"
216#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA "EDH-RSA-DES-CBC3-SHA"
217
218#define SSL3_TXT_ADH_RC4_40_MD5 "EXP-ADH-RC4-MD5"
219#define SSL3_TXT_ADH_RC4_128_MD5 "ADH-RC4-MD5"
220#define SSL3_TXT_ADH_DES_40_CBC_SHA "EXP-ADH-DES-CBC-SHA"
221#define SSL3_TXT_ADH_DES_64_CBC_SHA "ADH-DES-CBC-SHA"
222#define SSL3_TXT_ADH_DES_192_CBC_SHA "ADH-DES-CBC3-SHA"
223
224#if 0
225 #define SSL3_TXT_FZA_DMS_NULL_SHA "FZA-NULL-SHA"
226 #define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA"
227 #define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA"
228#endif
229
230#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
231#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
232#define SSL3_TXT_KRB5_RC4_128_SHA "KRB5-RC4-SHA"
233#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA "KRB5-IDEA-CBC-SHA"
234#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5"
235#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5"
236#define SSL3_TXT_KRB5_RC4_128_MD5 "KRB5-RC4-MD5"
237#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5 "KRB5-IDEA-CBC-MD5"
238
239#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA"
240#define SSL3_TXT_KRB5_RC2_40_CBC_SHA "EXP-KRB5-RC2-CBC-SHA"
241#define SSL3_TXT_KRB5_RC4_40_SHA "EXP-KRB5-RC4-SHA"
242#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5"
243#define SSL3_TXT_KRB5_RC2_40_CBC_MD5 "EXP-KRB5-RC2-CBC-MD5"
244#define SSL3_TXT_KRB5_RC4_40_MD5 "EXP-KRB5-RC4-MD5"
245
246#define SSL3_SSL_SESSION_ID_LENGTH 32
247#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32
248
249#define SSL3_MASTER_SECRET_SIZE 48
250#define SSL3_RANDOM_SIZE 32
251#define SSL3_SESSION_ID_SIZE 32
252#define SSL3_RT_HEADER_LENGTH 5
253
254#ifndef SSL3_ALIGN_PAYLOAD
255 /* Some will argue that this increases memory footprint, but it's
256 * not actually true. Point is that malloc has to return at least
257 * 64-bit aligned pointers, meaning that allocating 5 bytes wastes
258 * 3 bytes in either case. Suggested pre-gaping simply moves these
259 * wasted bytes from the end of allocated region to its front,
260 * but makes data payload aligned, which improves performance:-) */
261# define SSL3_ALIGN_PAYLOAD 8
262#else
263# if (SSL3_ALIGN_PAYLOAD&(SSL3_ALIGN_PAYLOAD-1))!=0
264# error "insane SSL3_ALIGN_PAYLOAD"
265# undef SSL3_ALIGN_PAYLOAD
266# endif
267#endif
268
269/* This is the maximum MAC (digest) size used by the SSL library.
270 * Currently maximum of 20 is used by SHA1, but we reserve for
271 * future extension for 512-bit hashes.
272 */
273
274#define SSL3_RT_MAX_MD_SIZE 64
275
276/* Maximum block size used in all ciphersuites. Currently 16 for AES.
277 */
278
279#define SSL_RT_MAX_CIPHER_BLOCK_SIZE 16
280
281#define SSL3_RT_MAX_EXTRA (16384)
282
283/* Maximum plaintext length: defined by SSL/TLS standards */
284#define SSL3_RT_MAX_PLAIN_LENGTH 16384
285/* Maximum compression overhead: defined by SSL/TLS standards */
286#define SSL3_RT_MAX_COMPRESSED_OVERHEAD 1024
287
288/* The standards give a maximum encryption overhead of 1024 bytes.
289 * In practice the value is lower than this. The overhead is the maximum
290 * number of padding bytes (256) plus the mac size.
291 */
292#define SSL3_RT_MAX_ENCRYPTED_OVERHEAD (256 + SSL3_RT_MAX_MD_SIZE)
293
294/* OpenSSL currently only uses a padding length of at most one block so
295 * the send overhead is smaller.
296 */
297
298#define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
299 (SSL_RT_MAX_CIPHER_BLOCK_SIZE + SSL3_RT_MAX_MD_SIZE)
300
301/* If compression isn't used don't include the compression overhead */
302
303#ifdef OPENSSL_NO_COMP
304#define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH
305#else
306#define SSL3_RT_MAX_COMPRESSED_LENGTH \
307 (SSL3_RT_MAX_PLAIN_LENGTH+SSL3_RT_MAX_COMPRESSED_OVERHEAD)
308#endif
309#define SSL3_RT_MAX_ENCRYPTED_LENGTH \
310 (SSL3_RT_MAX_ENCRYPTED_OVERHEAD+SSL3_RT_MAX_COMPRESSED_LENGTH)
311#define SSL3_RT_MAX_PACKET_SIZE \
312 (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
313
314#define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
315#define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
316
317#define SSL3_VERSION 0x0300
318#define SSL3_VERSION_MAJOR 0x03
319#define SSL3_VERSION_MINOR 0x00
320
321#define SSL3_RT_CHANGE_CIPHER_SPEC 20
322#define SSL3_RT_ALERT 21
323#define SSL3_RT_HANDSHAKE 22
324#define SSL3_RT_APPLICATION_DATA 23
325#define TLS1_RT_HEARTBEAT 24
326
327#define SSL3_AL_WARNING 1
328#define SSL3_AL_FATAL 2
329
330#define SSL3_AD_CLOSE_NOTIFY 0
331#define SSL3_AD_UNEXPECTED_MESSAGE 10 /* fatal */
332#define SSL3_AD_BAD_RECORD_MAC 20 /* fatal */
333#define SSL3_AD_DECOMPRESSION_FAILURE 30 /* fatal */
334#define SSL3_AD_HANDSHAKE_FAILURE 40 /* fatal */
335#define SSL3_AD_NO_CERTIFICATE 41
336#define SSL3_AD_BAD_CERTIFICATE 42
337#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
338#define SSL3_AD_CERTIFICATE_REVOKED 44
339#define SSL3_AD_CERTIFICATE_EXPIRED 45
340#define SSL3_AD_CERTIFICATE_UNKNOWN 46
341#define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */
342
343#define TLS1_HB_REQUEST 1
344#define TLS1_HB_RESPONSE 2
345
346#ifndef OPENSSL_NO_SSL_INTERN
347
348typedef struct ssl3_record_st
349 {
350/*r */ int type; /* type of record */
351/*rw*/ unsigned int length; /* How many bytes available */
352/*r */ unsigned int off; /* read/write offset into 'buf' */
353/*rw*/ unsigned char *data; /* pointer to the record data */
354/*rw*/ unsigned char *input; /* where the decode bytes are */
355/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
356/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
357/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
358 } SSL3_RECORD;
359
360typedef struct ssl3_buffer_st
361 {
362 unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
363 * see ssl3_setup_buffers() */
364 size_t len; /* buffer size */
365 int offset; /* where to 'copy from' */
366 int left; /* how many bytes left */
367 } SSL3_BUFFER;
368
369#endif
370
371#define SSL3_CT_RSA_SIGN 1
372#define SSL3_CT_DSS_SIGN 2
373#define SSL3_CT_RSA_FIXED_DH 3
374#define SSL3_CT_DSS_FIXED_DH 4
375#define SSL3_CT_RSA_EPHEMERAL_DH 5
376#define SSL3_CT_DSS_EPHEMERAL_DH 6
377#define SSL3_CT_FORTEZZA_DMS 20
378/* SSL3_CT_NUMBER is used to size arrays and it must be large
379 * enough to contain all of the cert types defined either for
380 * SSLv3 and TLSv1.
381 */
382#define SSL3_CT_NUMBER 9
383
384
385#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
386#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
387#define SSL3_FLAGS_POP_BUFFER 0x0004
388#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
389#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
390#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
391
392/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
393 * restart a handshake because of MS SGC and so prevents us
394 * from restarting the handshake in a loop. It's reset on a
395 * renegotiation, so effectively limits the client to one restart
396 * per negotiation. This limits the possibility of a DDoS
397 * attack where the client handshakes in a loop using SGC to
398 * restart. Servers which permit renegotiation can still be
399 * effected, but we can't prevent that.
400 */
401#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
402
403#ifndef OPENSSL_NO_SSL_INTERN
404
405typedef struct ssl3_state_st
406 {
407 long flags;
408 int delay_buf_pop_ret;
409
410 unsigned char read_sequence[8];
411 int read_mac_secret_size;
412 unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
413 unsigned char write_sequence[8];
414 int write_mac_secret_size;
415 unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
416
417 unsigned char server_random[SSL3_RANDOM_SIZE];
418 unsigned char client_random[SSL3_RANDOM_SIZE];
419
420 /* flags for countermeasure against known-IV weakness */
421 int need_empty_fragments;
422 int empty_fragment_done;
423
424 /* The value of 'extra' when the buffers were initialized */
425 int init_extra;
426
427 SSL3_BUFFER rbuf; /* read IO goes into here */
428 SSL3_BUFFER wbuf; /* write IO goes into here */
429
430 SSL3_RECORD rrec; /* each decoded record goes in here */
431 SSL3_RECORD wrec; /* goes out from here */
432
433 /* storage for Alert/Handshake protocol data received but not
434 * yet processed by ssl3_read_bytes: */
435 unsigned char alert_fragment[2];
436 unsigned int alert_fragment_len;
437 unsigned char handshake_fragment[4];
438 unsigned int handshake_fragment_len;
439
440 /* partial write - check the numbers match */
441 unsigned int wnum; /* number of bytes sent so far */
442 int wpend_tot; /* number bytes written */
443 int wpend_type;
444 int wpend_ret; /* number of bytes submitted */
445 const unsigned char *wpend_buf;
446
447 /* used during startup, digest all incoming/outgoing packets */
448 BIO *handshake_buffer;
449 /* When set of handshake digests is determined, buffer is hashed
450 * and freed and MD_CTX-es for all required digests are stored in
451 * this array */
452 EVP_MD_CTX **handshake_dgst;
453 /* this is set whenerver we see a change_cipher_spec message
454 * come in when we are not looking for one */
455 int change_cipher_spec;
456
457 int warn_alert;
458 int fatal_alert;
459 /* we allow one fatal and one warning alert to be outstanding,
460 * send close alert via the warning alert */
461 int alert_dispatch;
462 unsigned char send_alert[2];
463
464 /* This flag is set when we should renegotiate ASAP, basically when
465 * there is no more data in the read or write buffers */
466 int renegotiate;
467 int total_renegotiations;
468 int num_renegotiations;
469
470 int in_read_app_data;
471
472 /* Opaque PRF input as used for the current handshake.
473 * These fields are used only if TLSEXT_TYPE_opaque_prf_input is defined
474 * (otherwise, they are merely present to improve binary compatibility) */
475 void *client_opaque_prf_input;
476 size_t client_opaque_prf_input_len;
477 void *server_opaque_prf_input;
478 size_t server_opaque_prf_input_len;
479
480 struct {
481 /* actually only needs to be 16+20 */
482 unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
483
484 /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
485 unsigned char finish_md[EVP_MAX_MD_SIZE*2];
486 int finish_md_len;
487 unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
488 int peer_finish_md_len;
489
490 unsigned long message_size;
491 int message_type;
492
493 /* used to hold the new cipher we are going to use */
494 const SSL_CIPHER *new_cipher;
495#ifndef OPENSSL_NO_DH
496 DH *dh;
497#endif
498
499#ifndef OPENSSL_NO_ECDH
500 EC_KEY *ecdh; /* holds short lived ECDH key */
501#endif
502
503 /* used when SSL_ST_FLUSH_DATA is entered */
504 int next_state;
505
506 int reuse_message;
507
508 /* used for certificate requests */
509 int cert_req;
510 int ctype_num;
511 char ctype[SSL3_CT_NUMBER];
512 STACK_OF(X509_NAME) *ca_names;
513
514 int use_rsa_tmp;
515
516 int key_block_length;
517 unsigned char *key_block;
518
519 const EVP_CIPHER *new_sym_enc;
520 const EVP_MD *new_hash;
521 int new_mac_pkey_type;
522 int new_mac_secret_size;
523#ifndef OPENSSL_NO_COMP
524 const SSL_COMP *new_compression;
525#else
526 char *new_compression;
527#endif
528 int cert_request;
529 } tmp;
530
531 /* Connection binding to prevent renegotiation attacks */
532 unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
533 unsigned char previous_client_finished_len;
534 unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
535 unsigned char previous_server_finished_len;
536 int send_connection_binding; /* TODOEKR */
537
538#ifndef OPENSSL_NO_NEXTPROTONEG
539 /* Set if we saw the Next Protocol Negotiation extension from our peer. */
540 int next_proto_neg_seen;
541#endif
542 } SSL3_STATE;
543
544#endif
545
546/* SSLv3 */
547/*client */
548/* extra state */
549#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT)
550#ifndef OPENSSL_NO_SCTP
551#define DTLS1_SCTP_ST_CW_WRITE_SOCK (0x310|SSL_ST_CONNECT)
552#define DTLS1_SCTP_ST_CR_READ_SOCK (0x320|SSL_ST_CONNECT)
553#endif
554/* write to server */
555#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT)
556#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT)
557/* read from server */
558#define SSL3_ST_CR_SRVR_HELLO_A (0x120|SSL_ST_CONNECT)
559#define SSL3_ST_CR_SRVR_HELLO_B (0x121|SSL_ST_CONNECT)
560#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A (0x126|SSL_ST_CONNECT)
561#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B (0x127|SSL_ST_CONNECT)
562#define SSL3_ST_CR_CERT_A (0x130|SSL_ST_CONNECT)
563#define SSL3_ST_CR_CERT_B (0x131|SSL_ST_CONNECT)
564#define SSL3_ST_CR_KEY_EXCH_A (0x140|SSL_ST_CONNECT)
565#define SSL3_ST_CR_KEY_EXCH_B (0x141|SSL_ST_CONNECT)
566#define SSL3_ST_CR_CERT_REQ_A (0x150|SSL_ST_CONNECT)
567#define SSL3_ST_CR_CERT_REQ_B (0x151|SSL_ST_CONNECT)
568#define SSL3_ST_CR_SRVR_DONE_A (0x160|SSL_ST_CONNECT)
569#define SSL3_ST_CR_SRVR_DONE_B (0x161|SSL_ST_CONNECT)
570/* write to server */
571#define SSL3_ST_CW_CERT_A (0x170|SSL_ST_CONNECT)
572#define SSL3_ST_CW_CERT_B (0x171|SSL_ST_CONNECT)
573#define SSL3_ST_CW_CERT_C (0x172|SSL_ST_CONNECT)
574#define SSL3_ST_CW_CERT_D (0x173|SSL_ST_CONNECT)
575#define SSL3_ST_CW_KEY_EXCH_A (0x180|SSL_ST_CONNECT)
576#define SSL3_ST_CW_KEY_EXCH_B (0x181|SSL_ST_CONNECT)
577#define SSL3_ST_CW_CERT_VRFY_A (0x190|SSL_ST_CONNECT)
578#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
579#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
580#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
581#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT)
582#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT)
583#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
584#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
585/* read from server */
586#define SSL3_ST_CR_CHANGE_A (0x1C0|SSL_ST_CONNECT)
587#define SSL3_ST_CR_CHANGE_B (0x1C1|SSL_ST_CONNECT)
588#define SSL3_ST_CR_FINISHED_A (0x1D0|SSL_ST_CONNECT)
589#define SSL3_ST_CR_FINISHED_B (0x1D1|SSL_ST_CONNECT)
590#define SSL3_ST_CR_SESSION_TICKET_A (0x1E0|SSL_ST_CONNECT)
591#define SSL3_ST_CR_SESSION_TICKET_B (0x1E1|SSL_ST_CONNECT)
592#define SSL3_ST_CR_CERT_STATUS_A (0x1F0|SSL_ST_CONNECT)
593#define SSL3_ST_CR_CERT_STATUS_B (0x1F1|SSL_ST_CONNECT)
594
595/* server */
596/* extra state */
597#define SSL3_ST_SW_FLUSH (0x100|SSL_ST_ACCEPT)
598#ifndef OPENSSL_NO_SCTP
599#define DTLS1_SCTP_ST_SW_WRITE_SOCK (0x310|SSL_ST_ACCEPT)
600#define DTLS1_SCTP_ST_SR_READ_SOCK (0x320|SSL_ST_ACCEPT)
601#endif
602/* read from client */
603/* Do not change the number values, they do matter */
604#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
605#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
606#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
607/* write to client */
608#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
609#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
610#define SSL3_ST_SW_HELLO_REQ_A (0x120|SSL_ST_ACCEPT)
611#define SSL3_ST_SW_HELLO_REQ_B (0x121|SSL_ST_ACCEPT)
612#define SSL3_ST_SW_HELLO_REQ_C (0x122|SSL_ST_ACCEPT)
613#define SSL3_ST_SW_SRVR_HELLO_A (0x130|SSL_ST_ACCEPT)
614#define SSL3_ST_SW_SRVR_HELLO_B (0x131|SSL_ST_ACCEPT)
615#define SSL3_ST_SW_CERT_A (0x140|SSL_ST_ACCEPT)
616#define SSL3_ST_SW_CERT_B (0x141|SSL_ST_ACCEPT)
617#define SSL3_ST_SW_KEY_EXCH_A (0x150|SSL_ST_ACCEPT)
618#define SSL3_ST_SW_KEY_EXCH_B (0x151|SSL_ST_ACCEPT)
619#define SSL3_ST_SW_CERT_REQ_A (0x160|SSL_ST_ACCEPT)
620#define SSL3_ST_SW_CERT_REQ_B (0x161|SSL_ST_ACCEPT)
621#define SSL3_ST_SW_SRVR_DONE_A (0x170|SSL_ST_ACCEPT)
622#define SSL3_ST_SW_SRVR_DONE_B (0x171|SSL_ST_ACCEPT)
623/* read from client */
624#define SSL3_ST_SR_CERT_A (0x180|SSL_ST_ACCEPT)
625#define SSL3_ST_SR_CERT_B (0x181|SSL_ST_ACCEPT)
626#define SSL3_ST_SR_KEY_EXCH_A (0x190|SSL_ST_ACCEPT)
627#define SSL3_ST_SR_KEY_EXCH_B (0x191|SSL_ST_ACCEPT)
628#define SSL3_ST_SR_CERT_VRFY_A (0x1A0|SSL_ST_ACCEPT)
629#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
630#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
631#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
632#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT)
633#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT)
634#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
635#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
636/* write to client */
637#define SSL3_ST_SW_CHANGE_A (0x1D0|SSL_ST_ACCEPT)
638#define SSL3_ST_SW_CHANGE_B (0x1D1|SSL_ST_ACCEPT)
639#define SSL3_ST_SW_FINISHED_A (0x1E0|SSL_ST_ACCEPT)
640#define SSL3_ST_SW_FINISHED_B (0x1E1|SSL_ST_ACCEPT)
641#define SSL3_ST_SW_SESSION_TICKET_A (0x1F0|SSL_ST_ACCEPT)
642#define SSL3_ST_SW_SESSION_TICKET_B (0x1F1|SSL_ST_ACCEPT)
643#define SSL3_ST_SW_CERT_STATUS_A (0x200|SSL_ST_ACCEPT)
644#define SSL3_ST_SW_CERT_STATUS_B (0x201|SSL_ST_ACCEPT)
645
646#define SSL3_MT_HELLO_REQUEST 0
647#define SSL3_MT_CLIENT_HELLO 1
648#define SSL3_MT_SERVER_HELLO 2
649#define SSL3_MT_NEWSESSION_TICKET 4
650#define SSL3_MT_CERTIFICATE 11
651#define SSL3_MT_SERVER_KEY_EXCHANGE 12
652#define SSL3_MT_CERTIFICATE_REQUEST 13
653#define SSL3_MT_SERVER_DONE 14
654#define SSL3_MT_CERTIFICATE_VERIFY 15
655#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
656#define SSL3_MT_FINISHED 20
657#define SSL3_MT_CERTIFICATE_STATUS 22
658#define SSL3_MT_NEXT_PROTO 67
659#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
660
661
662#define SSL3_MT_CCS 1
663
664/* These are used when changing over to a new cipher */
665#define SSL3_CC_READ 0x01
666#define SSL3_CC_WRITE 0x02
667#define SSL3_CC_CLIENT 0x10
668#define SSL3_CC_SERVER 0x20
669#define SSL3_CHANGE_CIPHER_CLIENT_WRITE (SSL3_CC_CLIENT|SSL3_CC_WRITE)
670#define SSL3_CHANGE_CIPHER_SERVER_READ (SSL3_CC_SERVER|SSL3_CC_READ)
671#define SSL3_CHANGE_CIPHER_CLIENT_READ (SSL3_CC_CLIENT|SSL3_CC_READ)
672#define SSL3_CHANGE_CIPHER_SERVER_WRITE (SSL3_CC_SERVER|SSL3_CC_WRITE)
673
674#ifdef __cplusplus
675}
676#endif
677#endif
678
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
deleted file mode 100644
index d443143c59..0000000000
--- a/src/lib/libssl/ssl_algs.c
+++ /dev/null
@@ -1,149 +0,0 @@
1/* ssl/ssl_algs.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/objects.h>
61#include <openssl/lhash.h>
62#include "ssl_locl.h"
63
64int SSL_library_init(void)
65 {
66
67#ifndef OPENSSL_NO_DES
68 EVP_add_cipher(EVP_des_cbc());
69 EVP_add_cipher(EVP_des_ede3_cbc());
70#endif
71#ifndef OPENSSL_NO_IDEA
72 EVP_add_cipher(EVP_idea_cbc());
73#endif
74#ifndef OPENSSL_NO_RC4
75 EVP_add_cipher(EVP_rc4());
76#if !defined(OPENSSL_NO_MD5) && (defined(__x86_64) || defined(__x86_64__))
77 EVP_add_cipher(EVP_rc4_hmac_md5());
78#endif
79#endif
80#ifndef OPENSSL_NO_RC2
81 EVP_add_cipher(EVP_rc2_cbc());
82 /* Not actually used for SSL/TLS but this makes PKCS#12 work
83 * if an application only calls SSL_library_init().
84 */
85 EVP_add_cipher(EVP_rc2_40_cbc());
86#endif
87#ifndef OPENSSL_NO_AES
88 EVP_add_cipher(EVP_aes_128_cbc());
89 EVP_add_cipher(EVP_aes_192_cbc());
90 EVP_add_cipher(EVP_aes_256_cbc());
91 EVP_add_cipher(EVP_aes_128_gcm());
92 EVP_add_cipher(EVP_aes_256_gcm());
93#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
94 EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
95 EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
96#endif
97#endif
98#ifndef OPENSSL_NO_CAMELLIA
99 EVP_add_cipher(EVP_camellia_128_cbc());
100 EVP_add_cipher(EVP_camellia_256_cbc());
101#endif
102
103#ifndef OPENSSL_NO_SEED
104 EVP_add_cipher(EVP_seed_cbc());
105#endif
106
107#ifndef OPENSSL_NO_MD5
108 EVP_add_digest(EVP_md5());
109 EVP_add_digest_alias(SN_md5,"ssl2-md5");
110 EVP_add_digest_alias(SN_md5,"ssl3-md5");
111#endif
112#ifndef OPENSSL_NO_SHA
113 EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
114 EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
115 EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
116#endif
117#ifndef OPENSSL_NO_SHA256
118 EVP_add_digest(EVP_sha224());
119 EVP_add_digest(EVP_sha256());
120#endif
121#ifndef OPENSSL_NO_SHA512
122 EVP_add_digest(EVP_sha384());
123 EVP_add_digest(EVP_sha512());
124#endif
125#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
126 EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
127 EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
128 EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
129 EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
130#endif
131#ifndef OPENSSL_NO_ECDSA
132 EVP_add_digest(EVP_ecdsa());
133#endif
134 /* If you want support for phased out ciphers, add the following */
135#if 0
136 EVP_add_digest(EVP_sha());
137 EVP_add_digest(EVP_dss());
138#endif
139#ifndef OPENSSL_NO_COMP
140 /* This will initialise the built-in compression algorithms.
141 The value returned is a STACK_OF(SSL_COMP), but that can
142 be discarded safely */
143 (void)SSL_COMP_get_compression_methods();
144#endif
145 /* initialize cipher/digest methods table */
146 ssl_load_ciphers();
147 return(1);
148 }
149
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
deleted file mode 100644
index 38540be1e5..0000000000
--- a/src/lib/libssl/ssl_asn1.c
+++ /dev/null
@@ -1,642 +0,0 @@
1/* ssl/ssl_asn1.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
84
85#include <stdio.h>
86#include <stdlib.h>
87#include "ssl_locl.h"
88#include <openssl/asn1_mac.h>
89#include <openssl/objects.h>
90#include <openssl/x509.h>
91
92typedef struct ssl_session_asn1_st
93 {
94 ASN1_INTEGER version;
95 ASN1_INTEGER ssl_version;
96 ASN1_OCTET_STRING cipher;
97 ASN1_OCTET_STRING comp_id;
98 ASN1_OCTET_STRING master_key;
99 ASN1_OCTET_STRING session_id;
100 ASN1_OCTET_STRING session_id_context;
101 ASN1_OCTET_STRING key_arg;
102#ifndef OPENSSL_NO_KRB5
103 ASN1_OCTET_STRING krb5_princ;
104#endif /* OPENSSL_NO_KRB5 */
105 ASN1_INTEGER time;
106 ASN1_INTEGER timeout;
107 ASN1_INTEGER verify_result;
108#ifndef OPENSSL_NO_TLSEXT
109 ASN1_OCTET_STRING tlsext_hostname;
110 ASN1_INTEGER tlsext_tick_lifetime;
111 ASN1_OCTET_STRING tlsext_tick;
112#endif /* OPENSSL_NO_TLSEXT */
113#ifndef OPENSSL_NO_PSK
114 ASN1_OCTET_STRING psk_identity_hint;
115 ASN1_OCTET_STRING psk_identity;
116#endif /* OPENSSL_NO_PSK */
117#ifndef OPENSSL_NO_SRP
118 ASN1_OCTET_STRING srp_username;
119#endif /* OPENSSL_NO_SRP */
120 } SSL_SESSION_ASN1;
121
122int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
123 {
124#define LSIZE2 (sizeof(long)*2)
125 int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0;
126 unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
127 unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
128#ifndef OPENSSL_NO_TLSEXT
129 int v6=0,v9=0,v10=0;
130 unsigned char ibuf6[LSIZE2];
131#endif
132#ifndef OPENSSL_NO_COMP
133 unsigned char cbuf;
134 int v11=0;
135#endif
136#ifndef OPENSSL_NO_SRP
137 int v12=0;
138#endif
139 long l;
140 SSL_SESSION_ASN1 a;
141 M_ASN1_I2D_vars(in);
142
143 if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0)))
144 return(0);
145
146 /* Note that I cheat in the following 2 assignments. I know
147 * that if the ASN1_INTEGER passed to ASN1_INTEGER_set
148 * is > sizeof(long)+1, the buffer will not be re-OPENSSL_malloc()ed.
149 * This is a bit evil but makes things simple, no dynamic allocation
150 * to clean up :-) */
151 a.version.length=LSIZE2;
152 a.version.type=V_ASN1_INTEGER;
153 a.version.data=ibuf1;
154 ASN1_INTEGER_set(&(a.version),SSL_SESSION_ASN1_VERSION);
155
156 a.ssl_version.length=LSIZE2;
157 a.ssl_version.type=V_ASN1_INTEGER;
158 a.ssl_version.data=ibuf2;
159 ASN1_INTEGER_set(&(a.ssl_version),in->ssl_version);
160
161 a.cipher.type=V_ASN1_OCTET_STRING;
162 a.cipher.data=buf;
163
164 if (in->cipher == NULL)
165 l=in->cipher_id;
166 else
167 l=in->cipher->id;
168 if (in->ssl_version == SSL2_VERSION)
169 {
170 a.cipher.length=3;
171 buf[0]=((unsigned char)(l>>16L))&0xff;
172 buf[1]=((unsigned char)(l>> 8L))&0xff;
173 buf[2]=((unsigned char)(l ))&0xff;
174 }
175 else
176 {
177 a.cipher.length=2;
178 buf[0]=((unsigned char)(l>>8L))&0xff;
179 buf[1]=((unsigned char)(l ))&0xff;
180 }
181
182#ifndef OPENSSL_NO_COMP
183 if (in->compress_meth)
184 {
185 cbuf = (unsigned char)in->compress_meth;
186 a.comp_id.length = 1;
187 a.comp_id.type = V_ASN1_OCTET_STRING;
188 a.comp_id.data = &cbuf;
189 }
190#endif
191
192 a.master_key.length=in->master_key_length;
193 a.master_key.type=V_ASN1_OCTET_STRING;
194 a.master_key.data=in->master_key;
195
196 a.session_id.length=in->session_id_length;
197 a.session_id.type=V_ASN1_OCTET_STRING;
198 a.session_id.data=in->session_id;
199
200 a.session_id_context.length=in->sid_ctx_length;
201 a.session_id_context.type=V_ASN1_OCTET_STRING;
202 a.session_id_context.data=in->sid_ctx;
203
204 a.key_arg.length=in->key_arg_length;
205 a.key_arg.type=V_ASN1_OCTET_STRING;
206 a.key_arg.data=in->key_arg;
207
208#ifndef OPENSSL_NO_KRB5
209 if (in->krb5_client_princ_len)
210 {
211 a.krb5_princ.length=in->krb5_client_princ_len;
212 a.krb5_princ.type=V_ASN1_OCTET_STRING;
213 a.krb5_princ.data=in->krb5_client_princ;
214 }
215#endif /* OPENSSL_NO_KRB5 */
216
217 if (in->time != 0L)
218 {
219 a.time.length=LSIZE2;
220 a.time.type=V_ASN1_INTEGER;
221 a.time.data=ibuf3;
222 ASN1_INTEGER_set(&(a.time),in->time);
223 }
224
225 if (in->timeout != 0L)
226 {
227 a.timeout.length=LSIZE2;
228 a.timeout.type=V_ASN1_INTEGER;
229 a.timeout.data=ibuf4;
230 ASN1_INTEGER_set(&(a.timeout),in->timeout);
231 }
232
233 if (in->verify_result != X509_V_OK)
234 {
235 a.verify_result.length=LSIZE2;
236 a.verify_result.type=V_ASN1_INTEGER;
237 a.verify_result.data=ibuf5;
238 ASN1_INTEGER_set(&a.verify_result,in->verify_result);
239 }
240
241#ifndef OPENSSL_NO_TLSEXT
242 if (in->tlsext_hostname)
243 {
244 a.tlsext_hostname.length=strlen(in->tlsext_hostname);
245 a.tlsext_hostname.type=V_ASN1_OCTET_STRING;
246 a.tlsext_hostname.data=(unsigned char *)in->tlsext_hostname;
247 }
248 if (in->tlsext_tick)
249 {
250 a.tlsext_tick.length= in->tlsext_ticklen;
251 a.tlsext_tick.type=V_ASN1_OCTET_STRING;
252 a.tlsext_tick.data=(unsigned char *)in->tlsext_tick;
253 }
254 if (in->tlsext_tick_lifetime_hint > 0)
255 {
256 a.tlsext_tick_lifetime.length=LSIZE2;
257 a.tlsext_tick_lifetime.type=V_ASN1_INTEGER;
258 a.tlsext_tick_lifetime.data=ibuf6;
259 ASN1_INTEGER_set(&a.tlsext_tick_lifetime,in->tlsext_tick_lifetime_hint);
260 }
261#endif /* OPENSSL_NO_TLSEXT */
262#ifndef OPENSSL_NO_PSK
263 if (in->psk_identity_hint)
264 {
265 a.psk_identity_hint.length=strlen(in->psk_identity_hint);
266 a.psk_identity_hint.type=V_ASN1_OCTET_STRING;
267 a.psk_identity_hint.data=(unsigned char *)(in->psk_identity_hint);
268 }
269 if (in->psk_identity)
270 {
271 a.psk_identity.length=strlen(in->psk_identity);
272 a.psk_identity.type=V_ASN1_OCTET_STRING;
273 a.psk_identity.data=(unsigned char *)(in->psk_identity);
274 }
275#endif /* OPENSSL_NO_PSK */
276#ifndef OPENSSL_NO_SRP
277 if (in->srp_username)
278 {
279 a.srp_username.length=strlen(in->srp_username);
280 a.srp_username.type=V_ASN1_OCTET_STRING;
281 a.srp_username.data=(unsigned char *)(in->srp_username);
282 }
283#endif /* OPENSSL_NO_SRP */
284
285 M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
286 M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
287 M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING);
288 M_ASN1_I2D_len(&(a.session_id), i2d_ASN1_OCTET_STRING);
289 M_ASN1_I2D_len(&(a.master_key), i2d_ASN1_OCTET_STRING);
290#ifndef OPENSSL_NO_KRB5
291 if (in->krb5_client_princ_len)
292 M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
293#endif /* OPENSSL_NO_KRB5 */
294 if (in->key_arg_length > 0)
295 M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING);
296 if (in->time != 0L)
297 M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
298 if (in->timeout != 0L)
299 M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
300 if (in->peer != NULL)
301 M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
302 M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
303 if (in->verify_result != X509_V_OK)
304 M_ASN1_I2D_len_EXP_opt(&(a.verify_result),i2d_ASN1_INTEGER,5,v5);
305
306#ifndef OPENSSL_NO_TLSEXT
307 if (in->tlsext_tick_lifetime_hint > 0)
308 M_ASN1_I2D_len_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
309 if (in->tlsext_tick)
310 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
311 if (in->tlsext_hostname)
312 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
313#ifndef OPENSSL_NO_COMP
314 if (in->compress_meth)
315 M_ASN1_I2D_len_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING,11,v11);
316#endif
317#endif /* OPENSSL_NO_TLSEXT */
318#ifndef OPENSSL_NO_PSK
319 if (in->psk_identity_hint)
320 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING,7,v7);
321 if (in->psk_identity)
322 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
323#endif /* OPENSSL_NO_PSK */
324#ifndef OPENSSL_NO_SRP
325 if (in->srp_username)
326 M_ASN1_I2D_len_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING,12,v12);
327#endif /* OPENSSL_NO_SRP */
328
329 M_ASN1_I2D_seq_total();
330
331 M_ASN1_I2D_put(&(a.version), i2d_ASN1_INTEGER);
332 M_ASN1_I2D_put(&(a.ssl_version), i2d_ASN1_INTEGER);
333 M_ASN1_I2D_put(&(a.cipher), i2d_ASN1_OCTET_STRING);
334 M_ASN1_I2D_put(&(a.session_id), i2d_ASN1_OCTET_STRING);
335 M_ASN1_I2D_put(&(a.master_key), i2d_ASN1_OCTET_STRING);
336#ifndef OPENSSL_NO_KRB5
337 if (in->krb5_client_princ_len)
338 M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
339#endif /* OPENSSL_NO_KRB5 */
340 if (in->key_arg_length > 0)
341 M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0);
342 if (in->time != 0L)
343 M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
344 if (in->timeout != 0L)
345 M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
346 if (in->peer != NULL)
347 M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
348 M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
349 v4);
350 if (in->verify_result != X509_V_OK)
351 M_ASN1_I2D_put_EXP_opt(&a.verify_result,i2d_ASN1_INTEGER,5,v5);
352#ifndef OPENSSL_NO_TLSEXT
353 if (in->tlsext_hostname)
354 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
355#endif /* OPENSSL_NO_TLSEXT */
356#ifndef OPENSSL_NO_PSK
357 if (in->psk_identity_hint)
358 M_ASN1_I2D_put_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING,7,v7);
359 if (in->psk_identity)
360 M_ASN1_I2D_put_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
361#endif /* OPENSSL_NO_PSK */
362#ifndef OPENSSL_NO_TLSEXT
363 if (in->tlsext_tick_lifetime_hint > 0)
364 M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
365 if (in->tlsext_tick)
366 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
367#endif /* OPENSSL_NO_TLSEXT */
368#ifndef OPENSSL_NO_COMP
369 if (in->compress_meth)
370 M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING,11,v11);
371#endif
372#ifndef OPENSSL_NO_SRP
373 if (in->srp_username)
374 M_ASN1_I2D_put_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING,12,v12);
375#endif /* OPENSSL_NO_SRP */
376 M_ASN1_I2D_finish();
377 }
378
379SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
380 long length)
381 {
382 int ssl_version=0,i;
383 long id;
384 ASN1_INTEGER ai,*aip;
385 ASN1_OCTET_STRING os,*osp;
386 M_ASN1_D2I_vars(a,SSL_SESSION *,SSL_SESSION_new);
387
388 aip= &ai;
389 osp= &os;
390
391 M_ASN1_D2I_Init();
392 M_ASN1_D2I_start_sequence();
393
394 ai.data=NULL; ai.length=0;
395 M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
396 if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
397
398 /* we don't care about the version right now :-) */
399 M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
400 ssl_version=(int)ASN1_INTEGER_get(aip);
401 ret->ssl_version=ssl_version;
402 if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
403
404 os.data=NULL; os.length=0;
405 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
406 if (ssl_version == SSL2_VERSION)
407 {
408 if (os.length != 3)
409 {
410 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
411 goto err;
412 }
413 id=0x02000000L|
414 ((unsigned long)os.data[0]<<16L)|
415 ((unsigned long)os.data[1]<< 8L)|
416 (unsigned long)os.data[2];
417 }
418 else if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
419 {
420 if (os.length != 2)
421 {
422 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
423 goto err;
424 }
425 id=0x03000000L|
426 ((unsigned long)os.data[0]<<8L)|
427 (unsigned long)os.data[1];
428 }
429 else
430 {
431 c.error=SSL_R_UNKNOWN_SSL_VERSION;
432 goto err;
433 }
434
435 ret->cipher=NULL;
436 ret->cipher_id=id;
437
438 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
439 if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
440 i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
441 else /* if (ssl_version>>8 == SSL2_VERSION_MAJOR) */
442 i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
443
444 if (os.length > i)
445 os.length = i;
446 if (os.length > (int)sizeof(ret->session_id)) /* can't happen */
447 os.length = sizeof(ret->session_id);
448
449 ret->session_id_length=os.length;
450 OPENSSL_assert(os.length <= (int)sizeof(ret->session_id));
451 memcpy(ret->session_id,os.data,os.length);
452
453 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
454 if (os.length > SSL_MAX_MASTER_KEY_LENGTH)
455 ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
456 else
457 ret->master_key_length=os.length;
458 memcpy(ret->master_key,os.data,ret->master_key_length);
459
460 os.length=0;
461
462#ifndef OPENSSL_NO_KRB5
463 os.length=0;
464 M_ASN1_D2I_get_opt(osp,d2i_ASN1_OCTET_STRING,V_ASN1_OCTET_STRING);
465 if (os.data)
466 {
467 if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH)
468 ret->krb5_client_princ_len=0;
469 else
470 ret->krb5_client_princ_len=os.length;
471 memcpy(ret->krb5_client_princ,os.data,ret->krb5_client_princ_len);
472 OPENSSL_free(os.data);
473 os.data = NULL;
474 os.length = 0;
475 }
476 else
477 ret->krb5_client_princ_len=0;
478#endif /* OPENSSL_NO_KRB5 */
479
480 M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING);
481 if (os.length > SSL_MAX_KEY_ARG_LENGTH)
482 ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH;
483 else
484 ret->key_arg_length=os.length;
485 memcpy(ret->key_arg,os.data,ret->key_arg_length);
486 if (os.data != NULL) OPENSSL_free(os.data);
487
488 ai.length=0;
489 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,1);
490 if (ai.data != NULL)
491 {
492 ret->time=ASN1_INTEGER_get(aip);
493 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
494 }
495 else
496 ret->time=(unsigned long)time(NULL);
497
498 ai.length=0;
499 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2);
500 if (ai.data != NULL)
501 {
502 ret->timeout=ASN1_INTEGER_get(aip);
503 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
504 }
505 else
506 ret->timeout=3;
507
508 if (ret->peer != NULL)
509 {
510 X509_free(ret->peer);
511 ret->peer=NULL;
512 }
513 M_ASN1_D2I_get_EXP_opt(ret->peer,d2i_X509,3);
514
515 os.length=0;
516 os.data=NULL;
517 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,4);
518
519 if(os.data != NULL)
520 {
521 if (os.length > SSL_MAX_SID_CTX_LENGTH)
522 {
523 c.error=SSL_R_BAD_LENGTH;
524 goto err;
525 }
526 else
527 {
528 ret->sid_ctx_length=os.length;
529 memcpy(ret->sid_ctx,os.data,os.length);
530 }
531 OPENSSL_free(os.data); os.data=NULL; os.length=0;
532 }
533 else
534 ret->sid_ctx_length=0;
535
536 ai.length=0;
537 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,5);
538 if (ai.data != NULL)
539 {
540 ret->verify_result=ASN1_INTEGER_get(aip);
541 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
542 }
543 else
544 ret->verify_result=X509_V_OK;
545
546#ifndef OPENSSL_NO_TLSEXT
547 os.length=0;
548 os.data=NULL;
549 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,6);
550 if (os.data)
551 {
552 ret->tlsext_hostname = BUF_strndup((char *)os.data, os.length);
553 OPENSSL_free(os.data);
554 os.data = NULL;
555 os.length = 0;
556 }
557 else
558 ret->tlsext_hostname=NULL;
559#endif /* OPENSSL_NO_TLSEXT */
560
561#ifndef OPENSSL_NO_PSK
562 os.length=0;
563 os.data=NULL;
564 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,7);
565 if (os.data)
566 {
567 ret->psk_identity_hint = BUF_strndup((char *)os.data, os.length);
568 OPENSSL_free(os.data);
569 os.data = NULL;
570 os.length = 0;
571 }
572 else
573 ret->psk_identity_hint=NULL;
574
575 os.length=0;
576 os.data=NULL;
577 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,8);
578 if (os.data)
579 {
580 ret->psk_identity = BUF_strndup((char *)os.data, os.length);
581 OPENSSL_free(os.data);
582 os.data = NULL;
583 os.length = 0;
584 }
585 else
586 ret->psk_identity=NULL;
587#endif /* OPENSSL_NO_PSK */
588
589#ifndef OPENSSL_NO_TLSEXT
590 ai.length=0;
591 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,9);
592 if (ai.data != NULL)
593 {
594 ret->tlsext_tick_lifetime_hint=ASN1_INTEGER_get(aip);
595 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
596 }
597 else if (ret->tlsext_ticklen && ret->session_id_length)
598 ret->tlsext_tick_lifetime_hint = -1;
599 else
600 ret->tlsext_tick_lifetime_hint=0;
601 os.length=0;
602 os.data=NULL;
603 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,10);
604 if (os.data)
605 {
606 ret->tlsext_tick = os.data;
607 ret->tlsext_ticklen = os.length;
608 os.data = NULL;
609 os.length = 0;
610 }
611 else
612 ret->tlsext_tick=NULL;
613#endif /* OPENSSL_NO_TLSEXT */
614#ifndef OPENSSL_NO_COMP
615 os.length=0;
616 os.data=NULL;
617 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,11);
618 if (os.data)
619 {
620 ret->compress_meth = os.data[0];
621 OPENSSL_free(os.data);
622 os.data = NULL;
623 }
624#endif
625
626#ifndef OPENSSL_NO_SRP
627 os.length=0;
628 os.data=NULL;
629 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,12);
630 if (os.data)
631 {
632 ret->srp_username = BUF_strndup((char *)os.data, os.length);
633 OPENSSL_free(os.data);
634 os.data = NULL;
635 os.length = 0;
636 }
637 else
638 ret->srp_username=NULL;
639#endif /* OPENSSL_NO_SRP */
640
641 M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
642 }
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
deleted file mode 100644
index 917be31876..0000000000
--- a/src/lib/libssl/ssl_cert.c
+++ /dev/null
@@ -1,853 +0,0 @@
1/*! \file ssl/ssl_cert.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#include <stdio.h>
118
119#include "e_os.h"
120#ifndef NO_SYS_TYPES_H
121# include <sys/types.h>
122#endif
123
124#include "o_dir.h"
125#include <openssl/objects.h>
126#include <openssl/bio.h>
127#include <openssl/pem.h>
128#include <openssl/x509v3.h>
129#ifndef OPENSSL_NO_DH
130#include <openssl/dh.h>
131#endif
132#include <openssl/bn.h>
133#include "ssl_locl.h"
134
135int SSL_get_ex_data_X509_STORE_CTX_idx(void)
136 {
137 static volatile int ssl_x509_store_ctx_idx= -1;
138 int got_write_lock = 0;
139
140 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
141
142 if (ssl_x509_store_ctx_idx < 0)
143 {
144 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
145 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
146 got_write_lock = 1;
147
148 if (ssl_x509_store_ctx_idx < 0)
149 {
150 ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
151 0,"SSL for verify callback",NULL,NULL,NULL);
152 }
153 }
154
155 if (got_write_lock)
156 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
157 else
158 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
159
160 return ssl_x509_store_ctx_idx;
161 }
162
163static void ssl_cert_set_default_md(CERT *cert)
164 {
165 /* Set digest values to defaults */
166#ifndef OPENSSL_NO_DSA
167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
168#endif
169#ifndef OPENSSL_NO_RSA
170 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
171 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
172#endif
173#ifndef OPENSSL_NO_ECDSA
174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
175#endif
176 }
177
178CERT *ssl_cert_new(void)
179 {
180 CERT *ret;
181
182 ret=(CERT *)OPENSSL_malloc(sizeof(CERT));
183 if (ret == NULL)
184 {
185 SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE);
186 return(NULL);
187 }
188 memset(ret,0,sizeof(CERT));
189
190 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
191 ret->references=1;
192 ssl_cert_set_default_md(ret);
193 return(ret);
194 }
195
196CERT *ssl_cert_dup(CERT *cert)
197 {
198 CERT *ret;
199 int i;
200
201 ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
202 if (ret == NULL)
203 {
204 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
205 return(NULL);
206 }
207
208 memset(ret, 0, sizeof(CERT));
209
210 ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
211 /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
212 * if you find that more readable */
213
214 ret->valid = cert->valid;
215 ret->mask_k = cert->mask_k;
216 ret->mask_a = cert->mask_a;
217 ret->export_mask_k = cert->export_mask_k;
218 ret->export_mask_a = cert->export_mask_a;
219
220#ifndef OPENSSL_NO_RSA
221 if (cert->rsa_tmp != NULL)
222 {
223 RSA_up_ref(cert->rsa_tmp);
224 ret->rsa_tmp = cert->rsa_tmp;
225 }
226 ret->rsa_tmp_cb = cert->rsa_tmp_cb;
227#endif
228
229#ifndef OPENSSL_NO_DH
230 if (cert->dh_tmp != NULL)
231 {
232 ret->dh_tmp = DHparams_dup(cert->dh_tmp);
233 if (ret->dh_tmp == NULL)
234 {
235 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
236 goto err;
237 }
238 if (cert->dh_tmp->priv_key)
239 {
240 BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
241 if (!b)
242 {
243 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
244 goto err;
245 }
246 ret->dh_tmp->priv_key = b;
247 }
248 if (cert->dh_tmp->pub_key)
249 {
250 BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
251 if (!b)
252 {
253 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
254 goto err;
255 }
256 ret->dh_tmp->pub_key = b;
257 }
258 }
259 ret->dh_tmp_cb = cert->dh_tmp_cb;
260#endif
261
262#ifndef OPENSSL_NO_ECDH
263 if (cert->ecdh_tmp)
264 {
265 ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
266 if (ret->ecdh_tmp == NULL)
267 {
268 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
269 goto err;
270 }
271 }
272 ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
273#endif
274
275 for (i = 0; i < SSL_PKEY_NUM; i++)
276 {
277 if (cert->pkeys[i].x509 != NULL)
278 {
279 ret->pkeys[i].x509 = cert->pkeys[i].x509;
280 CRYPTO_add(&ret->pkeys[i].x509->references, 1,
281 CRYPTO_LOCK_X509);
282 }
283
284 if (cert->pkeys[i].privatekey != NULL)
285 {
286 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
287 CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
288 CRYPTO_LOCK_EVP_PKEY);
289
290 switch(i)
291 {
292 /* If there was anything special to do for
293 * certain types of keys, we'd do it here.
294 * (Nothing at the moment, I think.) */
295
296 case SSL_PKEY_RSA_ENC:
297 case SSL_PKEY_RSA_SIGN:
298 /* We have an RSA key. */
299 break;
300
301 case SSL_PKEY_DSA_SIGN:
302 /* We have a DSA key. */
303 break;
304
305 case SSL_PKEY_DH_RSA:
306 case SSL_PKEY_DH_DSA:
307 /* We have a DH key. */
308 break;
309
310 case SSL_PKEY_ECC:
311 /* We have an ECC key */
312 break;
313
314 default:
315 /* Can't happen. */
316 SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
317 }
318 }
319 }
320
321 /* ret->extra_certs *should* exist, but currently the own certificate
322 * chain is held inside SSL_CTX */
323
324 ret->references=1;
325 /* Set digests to defaults. NB: we don't copy existing values as they
326 * will be set during handshake.
327 */
328 ssl_cert_set_default_md(ret);
329
330 return(ret);
331
332#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
333err:
334#endif
335#ifndef OPENSSL_NO_RSA
336 if (ret->rsa_tmp != NULL)
337 RSA_free(ret->rsa_tmp);
338#endif
339#ifndef OPENSSL_NO_DH
340 if (ret->dh_tmp != NULL)
341 DH_free(ret->dh_tmp);
342#endif
343#ifndef OPENSSL_NO_ECDH
344 if (ret->ecdh_tmp != NULL)
345 EC_KEY_free(ret->ecdh_tmp);
346#endif
347
348 for (i = 0; i < SSL_PKEY_NUM; i++)
349 {
350 if (ret->pkeys[i].x509 != NULL)
351 X509_free(ret->pkeys[i].x509);
352 if (ret->pkeys[i].privatekey != NULL)
353 EVP_PKEY_free(ret->pkeys[i].privatekey);
354 }
355
356 return NULL;
357 }
358
359
360void ssl_cert_free(CERT *c)
361 {
362 int i;
363
364 if(c == NULL)
365 return;
366
367 i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT);
368#ifdef REF_PRINT
369 REF_PRINT("CERT",c);
370#endif
371 if (i > 0) return;
372#ifdef REF_CHECK
373 if (i < 0)
374 {
375 fprintf(stderr,"ssl_cert_free, bad reference count\n");
376 abort(); /* ok */
377 }
378#endif
379
380#ifndef OPENSSL_NO_RSA
381 if (c->rsa_tmp) RSA_free(c->rsa_tmp);
382#endif
383#ifndef OPENSSL_NO_DH
384 if (c->dh_tmp) DH_free(c->dh_tmp);
385#endif
386#ifndef OPENSSL_NO_ECDH
387 if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);
388#endif
389
390 for (i=0; i<SSL_PKEY_NUM; i++)
391 {
392 if (c->pkeys[i].x509 != NULL)
393 X509_free(c->pkeys[i].x509);
394 if (c->pkeys[i].privatekey != NULL)
395 EVP_PKEY_free(c->pkeys[i].privatekey);
396#if 0
397 if (c->pkeys[i].publickey != NULL)
398 EVP_PKEY_free(c->pkeys[i].publickey);
399#endif
400 }
401 OPENSSL_free(c);
402 }
403
404int ssl_cert_inst(CERT **o)
405 {
406 /* Create a CERT if there isn't already one
407 * (which cannot really happen, as it is initially created in
408 * SSL_CTX_new; but the earlier code usually allows for that one
409 * being non-existant, so we follow that behaviour, as it might
410 * turn out that there actually is a reason for it -- but I'm
411 * not sure that *all* of the existing code could cope with
412 * s->cert being NULL, otherwise we could do without the
413 * initialization in SSL_CTX_new).
414 */
415
416 if (o == NULL)
417 {
418 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
419 return(0);
420 }
421 if (*o == NULL)
422 {
423 if ((*o = ssl_cert_new()) == NULL)
424 {
425 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
426 return(0);
427 }
428 }
429 return(1);
430 }
431
432
433SESS_CERT *ssl_sess_cert_new(void)
434 {
435 SESS_CERT *ret;
436
437 ret = OPENSSL_malloc(sizeof *ret);
438 if (ret == NULL)
439 {
440 SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
441 return NULL;
442 }
443
444 memset(ret, 0 ,sizeof *ret);
445 ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
446 ret->references = 1;
447
448 return ret;
449 }
450
451void ssl_sess_cert_free(SESS_CERT *sc)
452 {
453 int i;
454
455 if (sc == NULL)
456 return;
457
458 i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
459#ifdef REF_PRINT
460 REF_PRINT("SESS_CERT", sc);
461#endif
462 if (i > 0)
463 return;
464#ifdef REF_CHECK
465 if (i < 0)
466 {
467 fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
468 abort(); /* ok */
469 }
470#endif
471
472 /* i == 0 */
473 if (sc->cert_chain != NULL)
474 sk_X509_pop_free(sc->cert_chain, X509_free);
475 for (i = 0; i < SSL_PKEY_NUM; i++)
476 {
477 if (sc->peer_pkeys[i].x509 != NULL)
478 X509_free(sc->peer_pkeys[i].x509);
479#if 0 /* We don't have the peer's private key. These lines are just
480 * here as a reminder that we're still using a not-quite-appropriate
481 * data structure. */
482 if (sc->peer_pkeys[i].privatekey != NULL)
483 EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
484#endif
485 }
486
487#ifndef OPENSSL_NO_RSA
488 if (sc->peer_rsa_tmp != NULL)
489 RSA_free(sc->peer_rsa_tmp);
490#endif
491#ifndef OPENSSL_NO_DH
492 if (sc->peer_dh_tmp != NULL)
493 DH_free(sc->peer_dh_tmp);
494#endif
495#ifndef OPENSSL_NO_ECDH
496 if (sc->peer_ecdh_tmp != NULL)
497 EC_KEY_free(sc->peer_ecdh_tmp);
498#endif
499
500 OPENSSL_free(sc);
501 }
502
503int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
504 {
505 sc->peer_cert_type = type;
506 return(1);
507 }
508
509int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
510 {
511 X509 *x;
512 int i;
513 X509_STORE_CTX ctx;
514
515 if ((sk == NULL) || (sk_X509_num(sk) == 0))
516 return(0);
517
518 x=sk_X509_value(sk,0);
519 if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk))
520 {
521 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
522 return(0);
523 }
524#if 0
525 if (SSL_get_verify_depth(s) >= 0)
526 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
527#endif
528 X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
529
530 /* We need to inherit the verify parameters. These can be determined by
531 * the context: if its a server it will verify SSL client certificates
532 * or vice versa.
533 */
534
535 X509_STORE_CTX_set_default(&ctx,
536 s->server ? "ssl_client" : "ssl_server");
537 /* Anything non-default in "param" should overwrite anything in the
538 * ctx.
539 */
540 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
541
542 if (s->verify_callback)
543 X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
544
545 if (s->ctx->app_verify_callback != NULL)
546#if 1 /* new with OpenSSL 0.9.7 */
547 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
548#else
549 i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
550#endif
551 else
552 {
553#ifndef OPENSSL_NO_X509_VERIFY
554 i=X509_verify_cert(&ctx);
555#else
556 i=0;
557 ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
558 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK);
559#endif
560 }
561
562 s->verify_result=ctx.error;
563 X509_STORE_CTX_cleanup(&ctx);
564
565 return(i);
566 }
567
568static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
569 {
570 if (*ca_list != NULL)
571 sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
572
573 *ca_list=name_list;
574 }
575
576STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
577 {
578 int i;
579 STACK_OF(X509_NAME) *ret;
580 X509_NAME *name;
581
582 ret=sk_X509_NAME_new_null();
583 for (i=0; i<sk_X509_NAME_num(sk); i++)
584 {
585 name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
586 if ((name == NULL) || !sk_X509_NAME_push(ret,name))
587 {
588 sk_X509_NAME_pop_free(ret,X509_NAME_free);
589 return(NULL);
590 }
591 }
592 return(ret);
593 }
594
595void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)
596 {
597 set_client_CA_list(&(s->client_CA),name_list);
598 }
599
600void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
601 {
602 set_client_CA_list(&(ctx->client_CA),name_list);
603 }
604
605STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
606 {
607 return(ctx->client_CA);
608 }
609
610STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
611 {
612 if (s->type == SSL_ST_CONNECT)
613 { /* we are in the client */
614 if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
615 (s->s3 != NULL))
616 return(s->s3->tmp.ca_names);
617 else
618 return(NULL);
619 }
620 else
621 {
622 if (s->client_CA != NULL)
623 return(s->client_CA);
624 else
625 return(s->ctx->client_CA);
626 }
627 }
628
629static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)
630 {
631 X509_NAME *name;
632
633 if (x == NULL) return(0);
634 if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))
635 return(0);
636
637 if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
638 return(0);
639
640 if (!sk_X509_NAME_push(*sk,name))
641 {
642 X509_NAME_free(name);
643 return(0);
644 }
645 return(1);
646 }
647
648int SSL_add_client_CA(SSL *ssl,X509 *x)
649 {
650 return(add_client_CA(&(ssl->client_CA),x));
651 }
652
653int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
654 {
655 return(add_client_CA(&(ctx->client_CA),x));
656 }
657
658static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
659 {
660 return(X509_NAME_cmp(*a,*b));
661 }
662
663#ifndef OPENSSL_NO_STDIO
664/*!
665 * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
666 * it doesn't really have anything to do with clients (except that a common use
667 * for a stack of CAs is to send it to the client). Actually, it doesn't have
668 * much to do with CAs, either, since it will load any old cert.
669 * \param file the file containing one or more certs.
670 * \return a ::STACK containing the certs.
671 */
672STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
673 {
674 BIO *in;
675 X509 *x=NULL;
676 X509_NAME *xn=NULL;
677 STACK_OF(X509_NAME) *ret = NULL,*sk;
678
679 sk=sk_X509_NAME_new(xname_cmp);
680
681 in=BIO_new(BIO_s_file_internal());
682
683 if ((sk == NULL) || (in == NULL))
684 {
685 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
686 goto err;
687 }
688
689 if (!BIO_read_filename(in,file))
690 goto err;
691
692 for (;;)
693 {
694 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
695 break;
696 if (ret == NULL)
697 {
698 ret = sk_X509_NAME_new_null();
699 if (ret == NULL)
700 {
701 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
702 goto err;
703 }
704 }
705 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
706 /* check for duplicates */
707 xn=X509_NAME_dup(xn);
708 if (xn == NULL) goto err;
709 if (sk_X509_NAME_find(sk,xn) >= 0)
710 X509_NAME_free(xn);
711 else
712 {
713 sk_X509_NAME_push(sk,xn);
714 sk_X509_NAME_push(ret,xn);
715 }
716 }
717
718 if (0)
719 {
720err:
721 if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
722 ret=NULL;
723 }
724 if (sk != NULL) sk_X509_NAME_free(sk);
725 if (in != NULL) BIO_free(in);
726 if (x != NULL) X509_free(x);
727 if (ret != NULL)
728 ERR_clear_error();
729 return(ret);
730 }
731#endif
732
733/*!
734 * Add a file of certs to a stack.
735 * \param stack the stack to add to.
736 * \param file the file to add from. All certs in this file that are not
737 * already in the stack will be added.
738 * \return 1 for success, 0 for failure. Note that in the case of failure some
739 * certs may have been added to \c stack.
740 */
741
742int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
743 const char *file)
744 {
745 BIO *in;
746 X509 *x=NULL;
747 X509_NAME *xn=NULL;
748 int ret=1;
749 int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
750
751 oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
752
753 in=BIO_new(BIO_s_file_internal());
754
755 if (in == NULL)
756 {
757 SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
758 goto err;
759 }
760
761 if (!BIO_read_filename(in,file))
762 goto err;
763
764 for (;;)
765 {
766 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
767 break;
768 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
769 xn=X509_NAME_dup(xn);
770 if (xn == NULL) goto err;
771 if (sk_X509_NAME_find(stack,xn) >= 0)
772 X509_NAME_free(xn);
773 else
774 sk_X509_NAME_push(stack,xn);
775 }
776
777 ERR_clear_error();
778
779 if (0)
780 {
781err:
782 ret=0;
783 }
784 if(in != NULL)
785 BIO_free(in);
786 if(x != NULL)
787 X509_free(x);
788
789 (void)sk_X509_NAME_set_cmp_func(stack,oldcmp);
790
791 return ret;
792 }
793
794/*!
795 * Add a directory of certs to a stack.
796 * \param stack the stack to append to.
797 * \param dir the directory to append from. All files in this directory will be
798 * examined as potential certs. Any that are acceptable to
799 * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
800 * included.
801 * \return 1 for success, 0 for failure. Note that in the case of failure some
802 * certs may have been added to \c stack.
803 */
804
805int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
806 const char *dir)
807 {
808 OPENSSL_DIR_CTX *d = NULL;
809 const char *filename;
810 int ret = 0;
811
812 CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
813
814 /* Note that a side effect is that the CAs will be sorted by name */
815
816 while((filename = OPENSSL_DIR_read(&d, dir)))
817 {
818 char buf[1024];
819 int r;
820
821 if(strlen(dir)+strlen(filename)+2 > sizeof buf)
822 {
823 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
824 goto err;
825 }
826
827#ifdef OPENSSL_SYS_VMS
828 r = BIO_snprintf(buf,sizeof buf,"%s%s",dir,filename);
829#else
830 r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename);
831#endif
832 if (r <= 0 || r >= (int)sizeof(buf))
833 goto err;
834 if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
835 goto err;
836 }
837
838 if (errno)
839 {
840 SYSerr(SYS_F_OPENDIR, get_last_sys_error());
841 ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
842 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
843 goto err;
844 }
845
846 ret = 1;
847
848err:
849 if (d) OPENSSL_DIR_end(&d);
850 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
851 return ret;
852 }
853
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
deleted file mode 100644
index 92d1e94d6a..0000000000
--- a/src/lib/libssl/ssl_ciph.c
+++ /dev/null
@@ -1,1852 +0,0 @@
1/* ssl/ssl_ciph.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#include <stdio.h>
144#include <openssl/objects.h>
145#ifndef OPENSSL_NO_COMP
146#include <openssl/comp.h>
147#endif
148#ifndef OPENSSL_NO_ENGINE
149#include <openssl/engine.h>
150#endif
151#include "ssl_locl.h"
152
153#define SSL_ENC_DES_IDX 0
154#define SSL_ENC_3DES_IDX 1
155#define SSL_ENC_RC4_IDX 2
156#define SSL_ENC_RC2_IDX 3
157#define SSL_ENC_IDEA_IDX 4
158#define SSL_ENC_NULL_IDX 5
159#define SSL_ENC_AES128_IDX 6
160#define SSL_ENC_AES256_IDX 7
161#define SSL_ENC_CAMELLIA128_IDX 8
162#define SSL_ENC_CAMELLIA256_IDX 9
163#define SSL_ENC_GOST89_IDX 10
164#define SSL_ENC_SEED_IDX 11
165#define SSL_ENC_AES128GCM_IDX 12
166#define SSL_ENC_AES256GCM_IDX 13
167#define SSL_ENC_NUM_IDX 14
168
169
170static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
171 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
172 };
173
174#define SSL_COMP_NULL_IDX 0
175#define SSL_COMP_ZLIB_IDX 1
176#define SSL_COMP_NUM_IDX 2
177
178static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
179
180#define SSL_MD_MD5_IDX 0
181#define SSL_MD_SHA1_IDX 1
182#define SSL_MD_GOST94_IDX 2
183#define SSL_MD_GOST89MAC_IDX 3
184#define SSL_MD_SHA256_IDX 4
185#define SSL_MD_SHA384_IDX 5
186/*Constant SSL_MAX_DIGEST equal to size of digests array should be
187 * defined in the
188 * ssl_locl.h */
189#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
190static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
191 NULL,NULL,NULL,NULL,NULL,NULL
192 };
193/* PKEY_TYPE for GOST89MAC is known in advance, but, because
194 * implementation is engine-provided, we'll fill it only if
195 * corresponding EVP_PKEY_METHOD is found
196 */
197static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={
198 EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef,
199 EVP_PKEY_HMAC,EVP_PKEY_HMAC
200 };
201
202static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={
203 0,0,0,0,0,0
204 };
205
206static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
207 SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
208 SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
209 SSL_HANDSHAKE_MAC_SHA384
210 };
211
212#define CIPHER_ADD 1
213#define CIPHER_KILL 2
214#define CIPHER_DEL 3
215#define CIPHER_ORD 4
216#define CIPHER_SPECIAL 5
217
218typedef struct cipher_order_st
219 {
220 const SSL_CIPHER *cipher;
221 int active;
222 int dead;
223 struct cipher_order_st *next,*prev;
224 } CIPHER_ORDER;
225
226static const SSL_CIPHER cipher_aliases[]={
227 /* "ALL" doesn't include eNULL (must be specifically enabled) */
228 {0,SSL_TXT_ALL,0, 0,0,~SSL_eNULL,0,0,0,0,0,0},
229 /* "COMPLEMENTOFALL" */
230 {0,SSL_TXT_CMPALL,0, 0,0,SSL_eNULL,0,0,0,0,0,0},
231
232 /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */
233 {0,SSL_TXT_CMPDEF,0, SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0},
234
235 /* key exchange aliases
236 * (some of those using only a single bit here combine
237 * multiple key exchange algs according to the RFCs,
238 * e.g. kEDH combines DHE_DSS and DHE_RSA) */
239 {0,SSL_TXT_kRSA,0, SSL_kRSA, 0,0,0,0,0,0,0,0},
240
241 {0,SSL_TXT_kDHr,0, SSL_kDHr, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
242 {0,SSL_TXT_kDHd,0, SSL_kDHd, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
243 {0,SSL_TXT_kDH,0, SSL_kDHr|SSL_kDHd,0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
244 {0,SSL_TXT_kEDH,0, SSL_kEDH, 0,0,0,0,0,0,0,0},
245 {0,SSL_TXT_DH,0, SSL_kDHr|SSL_kDHd|SSL_kEDH,0,0,0,0,0,0,0,0},
246
247 {0,SSL_TXT_kKRB5,0, SSL_kKRB5, 0,0,0,0,0,0,0,0},
248
249 {0,SSL_TXT_kECDHr,0, SSL_kECDHr,0,0,0,0,0,0,0,0},
250 {0,SSL_TXT_kECDHe,0, SSL_kECDHe,0,0,0,0,0,0,0,0},
251 {0,SSL_TXT_kECDH,0, SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0},
252 {0,SSL_TXT_kEECDH,0, SSL_kEECDH,0,0,0,0,0,0,0,0},
253 {0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
254
255 {0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0},
256 {0,SSL_TXT_kSRP,0, SSL_kSRP, 0,0,0,0,0,0,0,0},
257 {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0},
258
259 /* server authentication aliases */
260 {0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0},
261 {0,SSL_TXT_aDSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
262 {0,SSL_TXT_DSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
263 {0,SSL_TXT_aKRB5,0, 0,SSL_aKRB5, 0,0,0,0,0,0,0},
264 {0,SSL_TXT_aNULL,0, 0,SSL_aNULL, 0,0,0,0,0,0,0},
265 {0,SSL_TXT_aDH,0, 0,SSL_aDH, 0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
266 {0,SSL_TXT_aECDH,0, 0,SSL_aECDH, 0,0,0,0,0,0,0},
267 {0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0},
268 {0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0},
269 {0,SSL_TXT_aPSK,0, 0,SSL_aPSK, 0,0,0,0,0,0,0},
270 {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0},
271 {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0},
272 {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0},
273
274 /* aliases combining key exchange and server authentication */
275 {0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
276 {0,SSL_TXT_EECDH,0, SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0},
277 {0,SSL_TXT_NULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0},
278 {0,SSL_TXT_KRB5,0, SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0},
279 {0,SSL_TXT_RSA,0, SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0},
280 {0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},
281 {0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},
282 {0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0},
283 {0,SSL_TXT_SRP,0, SSL_kSRP,0,0,0,0,0,0,0,0},
284
285
286 /* symmetric encryption aliases */
287 {0,SSL_TXT_DES,0, 0,0,SSL_DES, 0,0,0,0,0,0},
288 {0,SSL_TXT_3DES,0, 0,0,SSL_3DES, 0,0,0,0,0,0},
289 {0,SSL_TXT_RC4,0, 0,0,SSL_RC4, 0,0,0,0,0,0},
290 {0,SSL_TXT_RC2,0, 0,0,SSL_RC2, 0,0,0,0,0,0},
291 {0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0},
292 {0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0},
293 {0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0},
294 {0,SSL_TXT_AES128,0, 0,0,SSL_AES128|SSL_AES128GCM,0,0,0,0,0,0},
295 {0,SSL_TXT_AES256,0, 0,0,SSL_AES256|SSL_AES256GCM,0,0,0,0,0,0},
296 {0,SSL_TXT_AES,0, 0,0,SSL_AES,0,0,0,0,0,0},
297 {0,SSL_TXT_AES_GCM,0, 0,0,SSL_AES128GCM|SSL_AES256GCM,0,0,0,0,0,0},
298 {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0},
299 {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0},
300 {0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0},
301
302 /* MAC aliases */
303 {0,SSL_TXT_MD5,0, 0,0,0,SSL_MD5, 0,0,0,0,0},
304 {0,SSL_TXT_SHA1,0, 0,0,0,SSL_SHA1, 0,0,0,0,0},
305 {0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0},
306 {0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0},
307 {0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0},
308 {0,SSL_TXT_SHA256,0, 0,0,0,SSL_SHA256, 0,0,0,0,0},
309 {0,SSL_TXT_SHA384,0, 0,0,0,SSL_SHA384, 0,0,0,0,0},
310
311 /* protocol version aliases */
312 {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0},
313 {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0},
314 {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0},
315
316 /* export flag */
317 {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0},
318 {0,SSL_TXT_EXPORT,0, 0,0,0,0,0,SSL_EXPORT,0,0,0},
319
320 /* strength classes */
321 {0,SSL_TXT_EXP40,0, 0,0,0,0,0,SSL_EXP40, 0,0,0},
322 {0,SSL_TXT_EXP56,0, 0,0,0,0,0,SSL_EXP56, 0,0,0},
323 {0,SSL_TXT_LOW,0, 0,0,0,0,0,SSL_LOW, 0,0,0},
324 {0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0},
325 {0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0},
326 /* FIPS 140-2 approved ciphersuite */
327 {0,SSL_TXT_FIPS,0, 0,0,~SSL_eNULL,0,0,SSL_FIPS, 0,0,0},
328 };
329/* Search for public key algorithm with given name and
330 * return its pkey_id if it is available. Otherwise return 0
331 */
332#ifdef OPENSSL_NO_ENGINE
333
334static int get_optional_pkey_id(const char *pkey_name)
335 {
336 const EVP_PKEY_ASN1_METHOD *ameth;
337 int pkey_id=0;
338 ameth = EVP_PKEY_asn1_find_str(NULL,pkey_name,-1);
339 if (ameth)
340 {
341 EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth);
342 }
343 return pkey_id;
344 }
345
346#else
347
348static int get_optional_pkey_id(const char *pkey_name)
349 {
350 const EVP_PKEY_ASN1_METHOD *ameth;
351 ENGINE *tmpeng = NULL;
352 int pkey_id=0;
353 ameth = EVP_PKEY_asn1_find_str(&tmpeng,pkey_name,-1);
354 if (ameth)
355 {
356 EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth);
357 }
358 if (tmpeng) ENGINE_finish(tmpeng);
359 return pkey_id;
360 }
361
362#endif
363
364void ssl_load_ciphers(void)
365 {
366 ssl_cipher_methods[SSL_ENC_DES_IDX]=
367 EVP_get_cipherbyname(SN_des_cbc);
368 ssl_cipher_methods[SSL_ENC_3DES_IDX]=
369 EVP_get_cipherbyname(SN_des_ede3_cbc);
370 ssl_cipher_methods[SSL_ENC_RC4_IDX]=
371 EVP_get_cipherbyname(SN_rc4);
372 ssl_cipher_methods[SSL_ENC_RC2_IDX]=
373 EVP_get_cipherbyname(SN_rc2_cbc);
374#ifndef OPENSSL_NO_IDEA
375 ssl_cipher_methods[SSL_ENC_IDEA_IDX]=
376 EVP_get_cipherbyname(SN_idea_cbc);
377#else
378 ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL;
379#endif
380 ssl_cipher_methods[SSL_ENC_AES128_IDX]=
381 EVP_get_cipherbyname(SN_aes_128_cbc);
382 ssl_cipher_methods[SSL_ENC_AES256_IDX]=
383 EVP_get_cipherbyname(SN_aes_256_cbc);
384 ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]=
385 EVP_get_cipherbyname(SN_camellia_128_cbc);
386 ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]=
387 EVP_get_cipherbyname(SN_camellia_256_cbc);
388 ssl_cipher_methods[SSL_ENC_GOST89_IDX]=
389 EVP_get_cipherbyname(SN_gost89_cnt);
390 ssl_cipher_methods[SSL_ENC_SEED_IDX]=
391 EVP_get_cipherbyname(SN_seed_cbc);
392
393 ssl_cipher_methods[SSL_ENC_AES128GCM_IDX]=
394 EVP_get_cipherbyname(SN_aes_128_gcm);
395 ssl_cipher_methods[SSL_ENC_AES256GCM_IDX]=
396 EVP_get_cipherbyname(SN_aes_256_gcm);
397
398 ssl_digest_methods[SSL_MD_MD5_IDX]=
399 EVP_get_digestbyname(SN_md5);
400 ssl_mac_secret_size[SSL_MD_MD5_IDX]=
401 EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
402 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0);
403 ssl_digest_methods[SSL_MD_SHA1_IDX]=
404 EVP_get_digestbyname(SN_sha1);
405 ssl_mac_secret_size[SSL_MD_SHA1_IDX]=
406 EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
407 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0);
408 ssl_digest_methods[SSL_MD_GOST94_IDX]=
409 EVP_get_digestbyname(SN_id_GostR3411_94);
410 if (ssl_digest_methods[SSL_MD_GOST94_IDX])
411 {
412 ssl_mac_secret_size[SSL_MD_GOST94_IDX]=
413 EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
414 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0);
415 }
416 ssl_digest_methods[SSL_MD_GOST89MAC_IDX]=
417 EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
418 ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");
419 if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
420 ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32;
421 }
422
423 ssl_digest_methods[SSL_MD_SHA256_IDX]=
424 EVP_get_digestbyname(SN_sha256);
425 ssl_mac_secret_size[SSL_MD_SHA256_IDX]=
426 EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
427 ssl_digest_methods[SSL_MD_SHA384_IDX]=
428 EVP_get_digestbyname(SN_sha384);
429 ssl_mac_secret_size[SSL_MD_SHA384_IDX]=
430 EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
431 }
432#ifndef OPENSSL_NO_COMP
433
434static int sk_comp_cmp(const SSL_COMP * const *a,
435 const SSL_COMP * const *b)
436 {
437 return((*a)->id-(*b)->id);
438 }
439
440static void load_builtin_compressions(void)
441 {
442 int got_write_lock = 0;
443
444 CRYPTO_r_lock(CRYPTO_LOCK_SSL);
445 if (ssl_comp_methods == NULL)
446 {
447 CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
448 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
449 got_write_lock = 1;
450
451 if (ssl_comp_methods == NULL)
452 {
453 SSL_COMP *comp = NULL;
454
455 MemCheck_off();
456 ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
457 if (ssl_comp_methods != NULL)
458 {
459 comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
460 if (comp != NULL)
461 {
462 comp->method=COMP_zlib();
463 if (comp->method
464 && comp->method->type == NID_undef)
465 OPENSSL_free(comp);
466 else
467 {
468 comp->id=SSL_COMP_ZLIB_IDX;
469 comp->name=comp->method->name;
470 sk_SSL_COMP_push(ssl_comp_methods,comp);
471 }
472 }
473 sk_SSL_COMP_sort(ssl_comp_methods);
474 }
475 MemCheck_on();
476 }
477 }
478
479 if (got_write_lock)
480 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
481 else
482 CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
483 }
484#endif
485
486int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
487 const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp)
488 {
489 int i;
490 const SSL_CIPHER *c;
491
492 c=s->cipher;
493 if (c == NULL) return(0);
494 if (comp != NULL)
495 {
496 SSL_COMP ctmp;
497#ifndef OPENSSL_NO_COMP
498 load_builtin_compressions();
499#endif
500
501 *comp=NULL;
502 ctmp.id=s->compress_meth;
503 if (ssl_comp_methods != NULL)
504 {
505 i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
506 if (i >= 0)
507 *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
508 else
509 *comp=NULL;
510 }
511 }
512
513 if ((enc == NULL) || (md == NULL)) return(0);
514
515 switch (c->algorithm_enc)
516 {
517 case SSL_DES:
518 i=SSL_ENC_DES_IDX;
519 break;
520 case SSL_3DES:
521 i=SSL_ENC_3DES_IDX;
522 break;
523 case SSL_RC4:
524 i=SSL_ENC_RC4_IDX;
525 break;
526 case SSL_RC2:
527 i=SSL_ENC_RC2_IDX;
528 break;
529 case SSL_IDEA:
530 i=SSL_ENC_IDEA_IDX;
531 break;
532 case SSL_eNULL:
533 i=SSL_ENC_NULL_IDX;
534 break;
535 case SSL_AES128:
536 i=SSL_ENC_AES128_IDX;
537 break;
538 case SSL_AES256:
539 i=SSL_ENC_AES256_IDX;
540 break;
541 case SSL_CAMELLIA128:
542 i=SSL_ENC_CAMELLIA128_IDX;
543 break;
544 case SSL_CAMELLIA256:
545 i=SSL_ENC_CAMELLIA256_IDX;
546 break;
547 case SSL_eGOST2814789CNT:
548 i=SSL_ENC_GOST89_IDX;
549 break;
550 case SSL_SEED:
551 i=SSL_ENC_SEED_IDX;
552 break;
553 case SSL_AES128GCM:
554 i=SSL_ENC_AES128GCM_IDX;
555 break;
556 case SSL_AES256GCM:
557 i=SSL_ENC_AES256GCM_IDX;
558 break;
559 default:
560 i= -1;
561 break;
562 }
563
564 if ((i < 0) || (i > SSL_ENC_NUM_IDX))
565 *enc=NULL;
566 else
567 {
568 if (i == SSL_ENC_NULL_IDX)
569 *enc=EVP_enc_null();
570 else
571 *enc=ssl_cipher_methods[i];
572 }
573
574 switch (c->algorithm_mac)
575 {
576 case SSL_MD5:
577 i=SSL_MD_MD5_IDX;
578 break;
579 case SSL_SHA1:
580 i=SSL_MD_SHA1_IDX;
581 break;
582 case SSL_SHA256:
583 i=SSL_MD_SHA256_IDX;
584 break;
585 case SSL_SHA384:
586 i=SSL_MD_SHA384_IDX;
587 break;
588 case SSL_GOST94:
589 i = SSL_MD_GOST94_IDX;
590 break;
591 case SSL_GOST89MAC:
592 i = SSL_MD_GOST89MAC_IDX;
593 break;
594 default:
595 i= -1;
596 break;
597 }
598 if ((i < 0) || (i > SSL_MD_NUM_IDX))
599 {
600 *md=NULL;
601 if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
602 if (mac_secret_size!=NULL) *mac_secret_size = 0;
603 if (c->algorithm_mac == SSL_AEAD)
604 mac_pkey_type = NULL;
605 }
606 else
607 {
608 *md=ssl_digest_methods[i];
609 if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i];
610 if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i];
611 }
612
613 if ((*enc != NULL) &&
614 (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) &&
615 (!mac_pkey_type||*mac_pkey_type != NID_undef))
616 {
617 const EVP_CIPHER *evp;
618
619 if (s->ssl_version>>8 != TLS1_VERSION_MAJOR ||
620 s->ssl_version < TLS1_VERSION)
621 return 1;
622
623#ifdef OPENSSL_FIPS
624 if (FIPS_mode())
625 return 1;
626#endif
627
628 if (c->algorithm_enc == SSL_RC4 &&
629 c->algorithm_mac == SSL_MD5 &&
630 (evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
631 *enc = evp, *md = NULL;
632 else if (c->algorithm_enc == SSL_AES128 &&
633 c->algorithm_mac == SSL_SHA1 &&
634 (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
635 *enc = evp, *md = NULL;
636 else if (c->algorithm_enc == SSL_AES256 &&
637 c->algorithm_mac == SSL_SHA1 &&
638 (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
639 *enc = evp, *md = NULL;
640 return(1);
641 }
642 else
643 return(0);
644 }
645
646int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md)
647{
648 if (idx <0||idx>=SSL_MD_NUM_IDX)
649 {
650 return 0;
651 }
652 *mask = ssl_handshake_digest_flag[idx];
653 if (*mask)
654 *md = ssl_digest_methods[idx];
655 else
656 *md = NULL;
657 return 1;
658}
659
660#define ITEM_SEP(a) \
661 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
662
663static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
664 CIPHER_ORDER **tail)
665 {
666 if (curr == *tail) return;
667 if (curr == *head)
668 *head=curr->next;
669 if (curr->prev != NULL)
670 curr->prev->next=curr->next;
671 if (curr->next != NULL)
672 curr->next->prev=curr->prev;
673 (*tail)->next=curr;
674 curr->prev= *tail;
675 curr->next=NULL;
676 *tail=curr;
677 }
678
679static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
680 CIPHER_ORDER **tail)
681 {
682 if (curr == *head) return;
683 if (curr == *tail)
684 *tail=curr->prev;
685 if (curr->next != NULL)
686 curr->next->prev=curr->prev;
687 if (curr->prev != NULL)
688 curr->prev->next=curr->next;
689 (*head)->prev=curr;
690 curr->next= *head;
691 curr->prev=NULL;
692 *head=curr;
693 }
694
695static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl)
696 {
697 *mkey = 0;
698 *auth = 0;
699 *enc = 0;
700 *mac = 0;
701 *ssl = 0;
702
703#ifdef OPENSSL_NO_RSA
704 *mkey |= SSL_kRSA;
705 *auth |= SSL_aRSA;
706#endif
707#ifdef OPENSSL_NO_DSA
708 *auth |= SSL_aDSS;
709#endif
710 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
711 *auth |= SSL_aDH;
712#ifdef OPENSSL_NO_DH
713 *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH;
714 *auth |= SSL_aDH;
715#endif
716#ifdef OPENSSL_NO_KRB5
717 *mkey |= SSL_kKRB5;
718 *auth |= SSL_aKRB5;
719#endif
720#ifdef OPENSSL_NO_ECDSA
721 *auth |= SSL_aECDSA;
722#endif
723#ifdef OPENSSL_NO_ECDH
724 *mkey |= SSL_kECDHe|SSL_kECDHr;
725 *auth |= SSL_aECDH;
726#endif
727#ifdef OPENSSL_NO_PSK
728 *mkey |= SSL_kPSK;
729 *auth |= SSL_aPSK;
730#endif
731#ifdef OPENSSL_NO_SRP
732 *mkey |= SSL_kSRP;
733#endif
734 /* Check for presence of GOST 34.10 algorithms, and if they
735 * do not present, disable appropriate auth and key exchange */
736 if (!get_optional_pkey_id("gost94")) {
737 *auth |= SSL_aGOST94;
738 }
739 if (!get_optional_pkey_id("gost2001")) {
740 *auth |= SSL_aGOST01;
741 }
742 /* Disable GOST key exchange if no GOST signature algs are available * */
743 if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) {
744 *mkey |= SSL_kGOST;
745 }
746#ifdef SSL_FORBID_ENULL
747 *enc |= SSL_eNULL;
748#endif
749
750
751
752 *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
753 *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
754 *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
755 *enc |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
756 *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
757 *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0;
758 *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0;
759 *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM:0;
760 *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM:0;
761 *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0;
762 *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0;
763 *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0;
764 *enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED:0;
765
766 *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
767 *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
768 *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256:0;
769 *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384:0;
770 *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0;
771 *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0;
772
773 }
774
775static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
776 int num_of_ciphers,
777 unsigned long disabled_mkey, unsigned long disabled_auth,
778 unsigned long disabled_enc, unsigned long disabled_mac,
779 unsigned long disabled_ssl,
780 CIPHER_ORDER *co_list,
781 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
782 {
783 int i, co_list_num;
784 const SSL_CIPHER *c;
785
786 /*
787 * We have num_of_ciphers descriptions compiled in, depending on the
788 * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
789 * These will later be sorted in a linked list with at most num
790 * entries.
791 */
792
793 /* Get the initial list of ciphers */
794 co_list_num = 0; /* actual count of ciphers */
795 for (i = 0; i < num_of_ciphers; i++)
796 {
797 c = ssl_method->get_cipher(i);
798 /* drop those that use any of that is not available */
799 if ((c != NULL) && c->valid &&
800#ifdef OPENSSL_FIPS
801 (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
802#endif
803 !(c->algorithm_mkey & disabled_mkey) &&
804 !(c->algorithm_auth & disabled_auth) &&
805 !(c->algorithm_enc & disabled_enc) &&
806 !(c->algorithm_mac & disabled_mac) &&
807 !(c->algorithm_ssl & disabled_ssl))
808 {
809 co_list[co_list_num].cipher = c;
810 co_list[co_list_num].next = NULL;
811 co_list[co_list_num].prev = NULL;
812 co_list[co_list_num].active = 0;
813 co_list_num++;
814#ifdef KSSL_DEBUG
815 printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
816#endif /* KSSL_DEBUG */
817 /*
818 if (!sk_push(ca_list,(char *)c)) goto err;
819 */
820 }
821 }
822
823 /*
824 * Prepare linked list from list entries
825 */
826 if (co_list_num > 0)
827 {
828 co_list[0].prev = NULL;
829
830 if (co_list_num > 1)
831 {
832 co_list[0].next = &co_list[1];
833
834 for (i = 1; i < co_list_num - 1; i++)
835 {
836 co_list[i].prev = &co_list[i - 1];
837 co_list[i].next = &co_list[i + 1];
838 }
839
840 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
841 }
842
843 co_list[co_list_num - 1].next = NULL;
844
845 *head_p = &co_list[0];
846 *tail_p = &co_list[co_list_num - 1];
847 }
848 }
849
850static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
851 int num_of_group_aliases,
852 unsigned long disabled_mkey, unsigned long disabled_auth,
853 unsigned long disabled_enc, unsigned long disabled_mac,
854 unsigned long disabled_ssl,
855 CIPHER_ORDER *head)
856 {
857 CIPHER_ORDER *ciph_curr;
858 const SSL_CIPHER **ca_curr;
859 int i;
860 unsigned long mask_mkey = ~disabled_mkey;
861 unsigned long mask_auth = ~disabled_auth;
862 unsigned long mask_enc = ~disabled_enc;
863 unsigned long mask_mac = ~disabled_mac;
864 unsigned long mask_ssl = ~disabled_ssl;
865
866 /*
867 * First, add the real ciphers as already collected
868 */
869 ciph_curr = head;
870 ca_curr = ca_list;
871 while (ciph_curr != NULL)
872 {
873 *ca_curr = ciph_curr->cipher;
874 ca_curr++;
875 ciph_curr = ciph_curr->next;
876 }
877
878 /*
879 * Now we add the available ones from the cipher_aliases[] table.
880 * They represent either one or more algorithms, some of which
881 * in any affected category must be supported (set in enabled_mask),
882 * or represent a cipher strength value (will be added in any case because algorithms=0).
883 */
884 for (i = 0; i < num_of_group_aliases; i++)
885 {
886 unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey;
887 unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth;
888 unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc;
889 unsigned long algorithm_mac = cipher_aliases[i].algorithm_mac;
890 unsigned long algorithm_ssl = cipher_aliases[i].algorithm_ssl;
891
892 if (algorithm_mkey)
893 if ((algorithm_mkey & mask_mkey) == 0)
894 continue;
895
896 if (algorithm_auth)
897 if ((algorithm_auth & mask_auth) == 0)
898 continue;
899
900 if (algorithm_enc)
901 if ((algorithm_enc & mask_enc) == 0)
902 continue;
903
904 if (algorithm_mac)
905 if ((algorithm_mac & mask_mac) == 0)
906 continue;
907
908 if (algorithm_ssl)
909 if ((algorithm_ssl & mask_ssl) == 0)
910 continue;
911
912 *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
913 ca_curr++;
914 }
915
916 *ca_curr = NULL; /* end of list */
917 }
918
919static void ssl_cipher_apply_rule(unsigned long cipher_id,
920 unsigned long alg_mkey, unsigned long alg_auth,
921 unsigned long alg_enc, unsigned long alg_mac,
922 unsigned long alg_ssl,
923 unsigned long algo_strength,
924 int rule, int strength_bits,
925 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
926 {
927 CIPHER_ORDER *head, *tail, *curr, *curr2, *last;
928 const SSL_CIPHER *cp;
929 int reverse = 0;
930
931#ifdef CIPHER_DEBUG
932 printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
933 rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits);
934#endif
935
936 if (rule == CIPHER_DEL)
937 reverse = 1; /* needed to maintain sorting between currently deleted ciphers */
938
939 head = *head_p;
940 tail = *tail_p;
941
942 if (reverse)
943 {
944 curr = tail;
945 last = head;
946 }
947 else
948 {
949 curr = head;
950 last = tail;
951 }
952
953 curr2 = curr;
954 for (;;)
955 {
956 if ((curr == NULL) || (curr == last)) break;
957 curr = curr2;
958 curr2 = reverse ? curr->prev : curr->next;
959
960 cp = curr->cipher;
961
962 /*
963 * Selection criteria is either the value of strength_bits
964 * or the algorithms used.
965 */
966 if (strength_bits >= 0)
967 {
968 if (strength_bits != cp->strength_bits)
969 continue;
970 }
971 else
972 {
973#ifdef CIPHER_DEBUG
974 printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
975#endif
976
977 if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
978 continue;
979 if (alg_auth && !(alg_auth & cp->algorithm_auth))
980 continue;
981 if (alg_enc && !(alg_enc & cp->algorithm_enc))
982 continue;
983 if (alg_mac && !(alg_mac & cp->algorithm_mac))
984 continue;
985 if (alg_ssl && !(alg_ssl & cp->algorithm_ssl))
986 continue;
987 if ((algo_strength & SSL_EXP_MASK) && !(algo_strength & SSL_EXP_MASK & cp->algo_strength))
988 continue;
989 if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
990 continue;
991 }
992
993#ifdef CIPHER_DEBUG
994 printf("Action = %d\n", rule);
995#endif
996
997 /* add the cipher if it has not been added yet. */
998 if (rule == CIPHER_ADD)
999 {
1000 /* reverse == 0 */
1001 if (!curr->active)
1002 {
1003 ll_append_tail(&head, curr, &tail);
1004 curr->active = 1;
1005 }
1006 }
1007 /* Move the added cipher to this location */
1008 else if (rule == CIPHER_ORD)
1009 {
1010 /* reverse == 0 */
1011 if (curr->active)
1012 {
1013 ll_append_tail(&head, curr, &tail);
1014 }
1015 }
1016 else if (rule == CIPHER_DEL)
1017 {
1018 /* reverse == 1 */
1019 if (curr->active)
1020 {
1021 /* most recently deleted ciphersuites get best positions
1022 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
1023 * works in reverse to maintain the order) */
1024 ll_append_head(&head, curr, &tail);
1025 curr->active = 0;
1026 }
1027 }
1028 else if (rule == CIPHER_KILL)
1029 {
1030 /* reverse == 0 */
1031 if (head == curr)
1032 head = curr->next;
1033 else
1034 curr->prev->next = curr->next;
1035 if (tail == curr)
1036 tail = curr->prev;
1037 curr->active = 0;
1038 if (curr->next != NULL)
1039 curr->next->prev = curr->prev;
1040 if (curr->prev != NULL)
1041 curr->prev->next = curr->next;
1042 curr->next = NULL;
1043 curr->prev = NULL;
1044 }
1045 }
1046
1047 *head_p = head;
1048 *tail_p = tail;
1049 }
1050
1051static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
1052 CIPHER_ORDER **tail_p)
1053 {
1054 int max_strength_bits, i, *number_uses;
1055 CIPHER_ORDER *curr;
1056
1057 /*
1058 * This routine sorts the ciphers with descending strength. The sorting
1059 * must keep the pre-sorted sequence, so we apply the normal sorting
1060 * routine as '+' movement to the end of the list.
1061 */
1062 max_strength_bits = 0;
1063 curr = *head_p;
1064 while (curr != NULL)
1065 {
1066 if (curr->active &&
1067 (curr->cipher->strength_bits > max_strength_bits))
1068 max_strength_bits = curr->cipher->strength_bits;
1069 curr = curr->next;
1070 }
1071
1072 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
1073 if (!number_uses)
1074 {
1075 SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE);
1076 return(0);
1077 }
1078 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
1079
1080 /*
1081 * Now find the strength_bits values actually used
1082 */
1083 curr = *head_p;
1084 while (curr != NULL)
1085 {
1086 if (curr->active)
1087 number_uses[curr->cipher->strength_bits]++;
1088 curr = curr->next;
1089 }
1090 /*
1091 * Go through the list of used strength_bits values in descending
1092 * order.
1093 */
1094 for (i = max_strength_bits; i >= 0; i--)
1095 if (number_uses[i] > 0)
1096 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p);
1097
1098 OPENSSL_free(number_uses);
1099 return(1);
1100 }
1101
1102static int ssl_cipher_process_rulestr(const char *rule_str,
1103 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
1104 const SSL_CIPHER **ca_list)
1105 {
1106 unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
1107 const char *l, *buf;
1108 int j, multi, found, rule, retval, ok, buflen;
1109 unsigned long cipher_id = 0;
1110 char ch;
1111
1112 retval = 1;
1113 l = rule_str;
1114 for (;;)
1115 {
1116 ch = *l;
1117
1118 if (ch == '\0')
1119 break; /* done */
1120 if (ch == '-')
1121 { rule = CIPHER_DEL; l++; }
1122 else if (ch == '+')
1123 { rule = CIPHER_ORD; l++; }
1124 else if (ch == '!')
1125 { rule = CIPHER_KILL; l++; }
1126 else if (ch == '@')
1127 { rule = CIPHER_SPECIAL; l++; }
1128 else
1129 { rule = CIPHER_ADD; }
1130
1131 if (ITEM_SEP(ch))
1132 {
1133 l++;
1134 continue;
1135 }
1136
1137 alg_mkey = 0;
1138 alg_auth = 0;
1139 alg_enc = 0;
1140 alg_mac = 0;
1141 alg_ssl = 0;
1142 algo_strength = 0;
1143
1144 for (;;)
1145 {
1146 ch = *l;
1147 buf = l;
1148 buflen = 0;
1149#ifndef CHARSET_EBCDIC
1150 while ( ((ch >= 'A') && (ch <= 'Z')) ||
1151 ((ch >= '0') && (ch <= '9')) ||
1152 ((ch >= 'a') && (ch <= 'z')) ||
1153 (ch == '-'))
1154#else
1155 while ( isalnum(ch) || (ch == '-'))
1156#endif
1157 {
1158 ch = *(++l);
1159 buflen++;
1160 }
1161
1162 if (buflen == 0)
1163 {
1164 /*
1165 * We hit something we cannot deal with,
1166 * it is no command or separator nor
1167 * alphanumeric, so we call this an error.
1168 */
1169 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
1170 SSL_R_INVALID_COMMAND);
1171 retval = found = 0;
1172 l++;
1173 break;
1174 }
1175
1176 if (rule == CIPHER_SPECIAL)
1177 {
1178 found = 0; /* unused -- avoid compiler warning */
1179 break; /* special treatment */
1180 }
1181
1182 /* check for multi-part specification */
1183 if (ch == '+')
1184 {
1185 multi=1;
1186 l++;
1187 }
1188 else
1189 multi=0;
1190
1191 /*
1192 * Now search for the cipher alias in the ca_list. Be careful
1193 * with the strncmp, because the "buflen" limitation
1194 * will make the rule "ADH:SOME" and the cipher
1195 * "ADH-MY-CIPHER" look like a match for buflen=3.
1196 * So additionally check whether the cipher name found
1197 * has the correct length. We can save a strlen() call:
1198 * just checking for the '\0' at the right place is
1199 * sufficient, we have to strncmp() anyway. (We cannot
1200 * use strcmp(), because buf is not '\0' terminated.)
1201 */
1202 j = found = 0;
1203 cipher_id = 0;
1204 while (ca_list[j])
1205 {
1206 if (!strncmp(buf, ca_list[j]->name, buflen) &&
1207 (ca_list[j]->name[buflen] == '\0'))
1208 {
1209 found = 1;
1210 break;
1211 }
1212 else
1213 j++;
1214 }
1215
1216 if (!found)
1217 break; /* ignore this entry */
1218
1219 if (ca_list[j]->algorithm_mkey)
1220 {
1221 if (alg_mkey)
1222 {
1223 alg_mkey &= ca_list[j]->algorithm_mkey;
1224 if (!alg_mkey) { found = 0; break; }
1225 }
1226 else
1227 alg_mkey = ca_list[j]->algorithm_mkey;
1228 }
1229
1230 if (ca_list[j]->algorithm_auth)
1231 {
1232 if (alg_auth)
1233 {
1234 alg_auth &= ca_list[j]->algorithm_auth;
1235 if (!alg_auth) { found = 0; break; }
1236 }
1237 else
1238 alg_auth = ca_list[j]->algorithm_auth;
1239 }
1240
1241 if (ca_list[j]->algorithm_enc)
1242 {
1243 if (alg_enc)
1244 {
1245 alg_enc &= ca_list[j]->algorithm_enc;
1246 if (!alg_enc) { found = 0; break; }
1247 }
1248 else
1249 alg_enc = ca_list[j]->algorithm_enc;
1250 }
1251
1252 if (ca_list[j]->algorithm_mac)
1253 {
1254 if (alg_mac)
1255 {
1256 alg_mac &= ca_list[j]->algorithm_mac;
1257 if (!alg_mac) { found = 0; break; }
1258 }
1259 else
1260 alg_mac = ca_list[j]->algorithm_mac;
1261 }
1262
1263 if (ca_list[j]->algo_strength & SSL_EXP_MASK)
1264 {
1265 if (algo_strength & SSL_EXP_MASK)
1266 {
1267 algo_strength &= (ca_list[j]->algo_strength & SSL_EXP_MASK) | ~SSL_EXP_MASK;
1268 if (!(algo_strength & SSL_EXP_MASK)) { found = 0; break; }
1269 }
1270 else
1271 algo_strength |= ca_list[j]->algo_strength & SSL_EXP_MASK;
1272 }
1273
1274 if (ca_list[j]->algo_strength & SSL_STRONG_MASK)
1275 {
1276 if (algo_strength & SSL_STRONG_MASK)
1277 {
1278 algo_strength &= (ca_list[j]->algo_strength & SSL_STRONG_MASK) | ~SSL_STRONG_MASK;
1279 if (!(algo_strength & SSL_STRONG_MASK)) { found = 0; break; }
1280 }
1281 else
1282 algo_strength |= ca_list[j]->algo_strength & SSL_STRONG_MASK;
1283 }
1284
1285 if (ca_list[j]->valid)
1286 {
1287 /* explicit ciphersuite found; its protocol version
1288 * does not become part of the search pattern!*/
1289
1290 cipher_id = ca_list[j]->id;
1291 }
1292 else
1293 {
1294 /* not an explicit ciphersuite; only in this case, the
1295 * protocol version is considered part of the search pattern */
1296
1297 if (ca_list[j]->algorithm_ssl)
1298 {
1299 if (alg_ssl)
1300 {
1301 alg_ssl &= ca_list[j]->algorithm_ssl;
1302 if (!alg_ssl) { found = 0; break; }
1303 }
1304 else
1305 alg_ssl = ca_list[j]->algorithm_ssl;
1306 }
1307 }
1308
1309 if (!multi) break;
1310 }
1311
1312 /*
1313 * Ok, we have the rule, now apply it
1314 */
1315 if (rule == CIPHER_SPECIAL)
1316 { /* special command */
1317 ok = 0;
1318 if ((buflen == 8) &&
1319 !strncmp(buf, "STRENGTH", 8))
1320 ok = ssl_cipher_strength_sort(head_p, tail_p);
1321 else
1322 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
1323 SSL_R_INVALID_COMMAND);
1324 if (ok == 0)
1325 retval = 0;
1326 /*
1327 * We do not support any "multi" options
1328 * together with "@", so throw away the
1329 * rest of the command, if any left, until
1330 * end or ':' is found.
1331 */
1332 while ((*l != '\0') && !ITEM_SEP(*l))
1333 l++;
1334 }
1335 else if (found)
1336 {
1337 ssl_cipher_apply_rule(cipher_id,
1338 alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength,
1339 rule, -1, head_p, tail_p);
1340 }
1341 else
1342 {
1343 while ((*l != '\0') && !ITEM_SEP(*l))
1344 l++;
1345 }
1346 if (*l == '\0') break; /* done */
1347 }
1348
1349 return(retval);
1350 }
1351
1352STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1353 STACK_OF(SSL_CIPHER) **cipher_list,
1354 STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1355 const char *rule_str)
1356 {
1357 int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
1358 unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
1359 STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
1360 const char *rule_p;
1361 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1362 const SSL_CIPHER **ca_list = NULL;
1363
1364 /*
1365 * Return with error if nothing to do.
1366 */
1367 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
1368 return NULL;
1369
1370 /*
1371 * To reduce the work to do we only want to process the compiled
1372 * in algorithms, so we first get the mask of disabled ciphers.
1373 */
1374 ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc, &disabled_mac, &disabled_ssl);
1375
1376 /*
1377 * Now we have to collect the available ciphers from the compiled
1378 * in ciphers. We cannot get more than the number compiled in, so
1379 * it is used for allocation.
1380 */
1381 num_of_ciphers = ssl_method->num_ciphers();
1382#ifdef KSSL_DEBUG
1383 printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
1384#endif /* KSSL_DEBUG */
1385 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
1386 if (co_list == NULL)
1387 {
1388 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1389 return(NULL); /* Failure */
1390 }
1391
1392 ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
1393 disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl,
1394 co_list, &head, &tail);
1395
1396
1397 /* Now arrange all ciphers by preference: */
1398
1399 /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
1400 ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1401 ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1402
1403 /* AES is our preferred symmetric cipher */
1404 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1405
1406 /* Temporarily enable everything else for sorting */
1407 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1408
1409 /* Low priority for MD5 */
1410 ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head, &tail);
1411
1412 /* Move anonymous ciphers to the end. Usually, these will remain disabled.
1413 * (For applications that allow them, they aren't too bad, but we prefer
1414 * authenticated ciphers.) */
1415 ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1416
1417 /* Move ciphers without forward secrecy to the end */
1418 ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1419 /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
1420 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1421 ssl_cipher_apply_rule(0, SSL_kPSK, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1422 ssl_cipher_apply_rule(0, SSL_kKRB5, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1423
1424 /* RC4 is sort-of broken -- move the the end */
1425 ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1426
1427 /* Now sort by symmetric encryption strength. The above ordering remains
1428 * in force within each class */
1429 if (!ssl_cipher_strength_sort(&head, &tail))
1430 {
1431 OPENSSL_free(co_list);
1432 return NULL;
1433 }
1434
1435 /* Now disable everything (maintaining the ordering!) */
1436 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1437
1438
1439 /*
1440 * We also need cipher aliases for selecting based on the rule_str.
1441 * There might be two types of entries in the rule_str: 1) names
1442 * of ciphers themselves 2) aliases for groups of ciphers.
1443 * For 1) we need the available ciphers and for 2) the cipher
1444 * groups of cipher_aliases added together in one list (otherwise
1445 * we would be happy with just the cipher_aliases table).
1446 */
1447 num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
1448 num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
1449 ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
1450 if (ca_list == NULL)
1451 {
1452 OPENSSL_free(co_list);
1453 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1454 return(NULL); /* Failure */
1455 }
1456 ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
1457 disabled_mkey, disabled_auth, disabled_enc,
1458 disabled_mac, disabled_ssl, head);
1459
1460 /*
1461 * If the rule_string begins with DEFAULT, apply the default rule
1462 * before using the (possibly available) additional rules.
1463 */
1464 ok = 1;
1465 rule_p = rule_str;
1466 if (strncmp(rule_str,"DEFAULT",7) == 0)
1467 {
1468 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
1469 &head, &tail, ca_list);
1470 rule_p += 7;
1471 if (*rule_p == ':')
1472 rule_p++;
1473 }
1474
1475 if (ok && (strlen(rule_p) > 0))
1476 ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
1477
1478 OPENSSL_free((void *)ca_list); /* Not needed anymore */
1479
1480 if (!ok)
1481 { /* Rule processing failure */
1482 OPENSSL_free(co_list);
1483 return(NULL);
1484 }
1485
1486 /*
1487 * Allocate new "cipherstack" for the result, return with error
1488 * if we cannot get one.
1489 */
1490 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
1491 {
1492 OPENSSL_free(co_list);
1493 return(NULL);
1494 }
1495
1496 /*
1497 * The cipher selection for the list is done. The ciphers are added
1498 * to the resulting precedence to the STACK_OF(SSL_CIPHER).
1499 */
1500 for (curr = head; curr != NULL; curr = curr->next)
1501 {
1502#ifdef OPENSSL_FIPS
1503 if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
1504#else
1505 if (curr->active)
1506#endif
1507 {
1508 sk_SSL_CIPHER_push(cipherstack, curr->cipher);
1509#ifdef CIPHER_DEBUG
1510 printf("<%s>\n",curr->cipher->name);
1511#endif
1512 }
1513 }
1514 OPENSSL_free(co_list); /* Not needed any longer */
1515
1516 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1517 if (tmp_cipher_list == NULL)
1518 {
1519 sk_SSL_CIPHER_free(cipherstack);
1520 return NULL;
1521 }
1522 if (*cipher_list != NULL)
1523 sk_SSL_CIPHER_free(*cipher_list);
1524 *cipher_list = cipherstack;
1525 if (*cipher_list_by_id != NULL)
1526 sk_SSL_CIPHER_free(*cipher_list_by_id);
1527 *cipher_list_by_id = tmp_cipher_list;
1528 (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
1529
1530 sk_SSL_CIPHER_sort(*cipher_list_by_id);
1531 return(cipherstack);
1532 }
1533
1534char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1535 {
1536 int is_export,pkl,kl;
1537 const char *ver,*exp_str;
1538 const char *kx,*au,*enc,*mac;
1539 unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2;
1540#ifdef KSSL_DEBUG
1541 static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n";
1542#else
1543 static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
1544#endif /* KSSL_DEBUG */
1545
1546 alg_mkey = cipher->algorithm_mkey;
1547 alg_auth = cipher->algorithm_auth;
1548 alg_enc = cipher->algorithm_enc;
1549 alg_mac = cipher->algorithm_mac;
1550 alg_ssl = cipher->algorithm_ssl;
1551
1552 alg2=cipher->algorithm2;
1553
1554 is_export=SSL_C_IS_EXPORT(cipher);
1555 pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
1556 kl=SSL_C_EXPORT_KEYLENGTH(cipher);
1557 exp_str=is_export?" export":"";
1558
1559 if (alg_ssl & SSL_SSLV2)
1560 ver="SSLv2";
1561 else if (alg_ssl & SSL_SSLV3)
1562 ver="SSLv3";
1563 else if (alg_ssl & SSL_TLSV1_2)
1564 ver="TLSv1.2";
1565 else
1566 ver="unknown";
1567
1568 switch (alg_mkey)
1569 {
1570 case SSL_kRSA:
1571 kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
1572 break;
1573 case SSL_kDHr:
1574 kx="DH/RSA";
1575 break;
1576 case SSL_kDHd:
1577 kx="DH/DSS";
1578 break;
1579 case SSL_kKRB5:
1580 kx="KRB5";
1581 break;
1582 case SSL_kEDH:
1583 kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
1584 break;
1585 case SSL_kECDHr:
1586 kx="ECDH/RSA";
1587 break;
1588 case SSL_kECDHe:
1589 kx="ECDH/ECDSA";
1590 break;
1591 case SSL_kEECDH:
1592 kx="ECDH";
1593 break;
1594 case SSL_kPSK:
1595 kx="PSK";
1596 break;
1597 case SSL_kSRP:
1598 kx="SRP";
1599 break;
1600 default:
1601 kx="unknown";
1602 }
1603
1604 switch (alg_auth)
1605 {
1606 case SSL_aRSA:
1607 au="RSA";
1608 break;
1609 case SSL_aDSS:
1610 au="DSS";
1611 break;
1612 case SSL_aDH:
1613 au="DH";
1614 break;
1615 case SSL_aKRB5:
1616 au="KRB5";
1617 break;
1618 case SSL_aECDH:
1619 au="ECDH";
1620 break;
1621 case SSL_aNULL:
1622 au="None";
1623 break;
1624 case SSL_aECDSA:
1625 au="ECDSA";
1626 break;
1627 case SSL_aPSK:
1628 au="PSK";
1629 break;
1630 default:
1631 au="unknown";
1632 break;
1633 }
1634
1635 switch (alg_enc)
1636 {
1637 case SSL_DES:
1638 enc=(is_export && kl == 5)?"DES(40)":"DES(56)";
1639 break;
1640 case SSL_3DES:
1641 enc="3DES(168)";
1642 break;
1643 case SSL_RC4:
1644 enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
1645 :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
1646 break;
1647 case SSL_RC2:
1648 enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
1649 break;
1650 case SSL_IDEA:
1651 enc="IDEA(128)";
1652 break;
1653 case SSL_eNULL:
1654 enc="None";
1655 break;
1656 case SSL_AES128:
1657 enc="AES(128)";
1658 break;
1659 case SSL_AES256:
1660 enc="AES(256)";
1661 break;
1662 case SSL_AES128GCM:
1663 enc="AESGCM(128)";
1664 break;
1665 case SSL_AES256GCM:
1666 enc="AESGCM(256)";
1667 break;
1668 case SSL_CAMELLIA128:
1669 enc="Camellia(128)";
1670 break;
1671 case SSL_CAMELLIA256:
1672 enc="Camellia(256)";
1673 break;
1674 case SSL_SEED:
1675 enc="SEED(128)";
1676 break;
1677 default:
1678 enc="unknown";
1679 break;
1680 }
1681
1682 switch (alg_mac)
1683 {
1684 case SSL_MD5:
1685 mac="MD5";
1686 break;
1687 case SSL_SHA1:
1688 mac="SHA1";
1689 break;
1690 case SSL_SHA256:
1691 mac="SHA256";
1692 break;
1693 case SSL_SHA384:
1694 mac="SHA384";
1695 break;
1696 case SSL_AEAD:
1697 mac="AEAD";
1698 break;
1699 default:
1700 mac="unknown";
1701 break;
1702 }
1703
1704 if (buf == NULL)
1705 {
1706 len=128;
1707 buf=OPENSSL_malloc(len);
1708 if (buf == NULL) return("OPENSSL_malloc Error");
1709 }
1710 else if (len < 128)
1711 return("Buffer too small");
1712
1713#ifdef KSSL_DEBUG
1714 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl);
1715#else
1716 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str);
1717#endif /* KSSL_DEBUG */
1718 return(buf);
1719 }
1720
1721char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
1722 {
1723 int i;
1724
1725 if (c == NULL) return("(NONE)");
1726 i=(int)(c->id>>24L);
1727 if (i == 3)
1728 return("TLSv1/SSLv3");
1729 else if (i == 2)
1730 return("SSLv2");
1731 else
1732 return("unknown");
1733 }
1734
1735/* return the actual cipher being used */
1736const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
1737 {
1738 if (c != NULL)
1739 return(c->name);
1740 return("(NONE)");
1741 }
1742
1743/* number of bits for symmetric cipher */
1744int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1745 {
1746 int ret=0;
1747
1748 if (c != NULL)
1749 {
1750 if (alg_bits != NULL) *alg_bits = c->alg_bits;
1751 ret = c->strength_bits;
1752 }
1753 return(ret);
1754 }
1755
1756unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c)
1757 {
1758 return c->id;
1759 }
1760
1761SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
1762 {
1763 SSL_COMP *ctmp;
1764 int i,nn;
1765
1766 if ((n == 0) || (sk == NULL)) return(NULL);
1767 nn=sk_SSL_COMP_num(sk);
1768 for (i=0; i<nn; i++)
1769 {
1770 ctmp=sk_SSL_COMP_value(sk,i);
1771 if (ctmp->id == n)
1772 return(ctmp);
1773 }
1774 return(NULL);
1775 }
1776
1777#ifdef OPENSSL_NO_COMP
1778void *SSL_COMP_get_compression_methods(void)
1779 {
1780 return NULL;
1781 }
1782int SSL_COMP_add_compression_method(int id, void *cm)
1783 {
1784 return 1;
1785 }
1786
1787const char *SSL_COMP_get_name(const void *comp)
1788 {
1789 return NULL;
1790 }
1791#else
1792STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
1793 {
1794 load_builtin_compressions();
1795 return(ssl_comp_methods);
1796 }
1797
1798int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
1799 {
1800 SSL_COMP *comp;
1801
1802 if (cm == NULL || cm->type == NID_undef)
1803 return 1;
1804
1805 /* According to draft-ietf-tls-compression-04.txt, the
1806 compression number ranges should be the following:
1807
1808 0 to 63: methods defined by the IETF
1809 64 to 192: external party methods assigned by IANA
1810 193 to 255: reserved for private use */
1811 if (id < 193 || id > 255)
1812 {
1813 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
1814 return 0;
1815 }
1816
1817 MemCheck_off();
1818 comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
1819 comp->id=id;
1820 comp->method=cm;
1821 load_builtin_compressions();
1822 if (ssl_comp_methods
1823 && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0)
1824 {
1825 OPENSSL_free(comp);
1826 MemCheck_on();
1827 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_DUPLICATE_COMPRESSION_ID);
1828 return(1);
1829 }
1830 else if ((ssl_comp_methods == NULL)
1831 || !sk_SSL_COMP_push(ssl_comp_methods,comp))
1832 {
1833 OPENSSL_free(comp);
1834 MemCheck_on();
1835 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
1836 return(1);
1837 }
1838 else
1839 {
1840 MemCheck_on();
1841 return(0);
1842 }
1843 }
1844
1845const char *SSL_COMP_get_name(const COMP_METHOD *comp)
1846 {
1847 if (comp)
1848 return comp->name;
1849 return NULL;
1850 }
1851
1852#endif
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
deleted file mode 100644
index 2577c6895a..0000000000
--- a/src/lib/libssl/ssl_err.c
+++ /dev/null
@@ -1,609 +0,0 @@
1/* ssl/ssl_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/ssl.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
70
71static ERR_STRING_DATA SSL_str_functs[]=
72 {
73{ERR_FUNC(SSL_F_CLIENT_CERTIFICATE), "CLIENT_CERTIFICATE"},
74{ERR_FUNC(SSL_F_CLIENT_FINISHED), "CLIENT_FINISHED"},
75{ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},
76{ERR_FUNC(SSL_F_CLIENT_MASTER_KEY), "CLIENT_MASTER_KEY"},
77{ERR_FUNC(SSL_F_D2I_SSL_SESSION), "d2i_SSL_SESSION"},
78{ERR_FUNC(SSL_F_DO_DTLS1_WRITE), "DO_DTLS1_WRITE"},
79{ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"},
80{ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"},
81{ERR_FUNC(SSL_F_DTLS1_ADD_CERT_TO_BUF), "DTLS1_ADD_CERT_TO_BUF"},
82{ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD), "DTLS1_BUFFER_RECORD"},
83{ERR_FUNC(SSL_F_DTLS1_CHECK_TIMEOUT_NUM), "DTLS1_CHECK_TIMEOUT_NUM"},
84{ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO), "DTLS1_CLIENT_HELLO"},
85{ERR_FUNC(SSL_F_DTLS1_CONNECT), "DTLS1_CONNECT"},
86{ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"},
87{ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY), "DTLS1_GET_HELLO_VERIFY"},
88{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE), "DTLS1_GET_MESSAGE"},
89{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"},
90{ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "DTLS1_GET_RECORD"},
91{ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "DTLS1_HANDLE_TIMEOUT"},
92{ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "DTLS1_HEARTBEAT"},
93{ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"},
94{ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
95{ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
96{ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},
97{ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "DTLS1_READ_BYTES"},
98{ERR_FUNC(SSL_F_DTLS1_READ_FAILED), "DTLS1_READ_FAILED"},
99{ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST), "DTLS1_SEND_CERTIFICATE_REQUEST"},
100{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE), "DTLS1_SEND_CLIENT_CERTIFICATE"},
101{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE), "DTLS1_SEND_CLIENT_KEY_EXCHANGE"},
102{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_VERIFY), "DTLS1_SEND_CLIENT_VERIFY"},
103{ERR_FUNC(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST), "DTLS1_SEND_HELLO_VERIFY_REQUEST"},
104{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE), "DTLS1_SEND_SERVER_CERTIFICATE"},
105{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO), "DTLS1_SEND_SERVER_HELLO"},
106{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE), "DTLS1_SEND_SERVER_KEY_EXCHANGE"},
107{ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "DTLS1_WRITE_APP_DATA_BYTES"},
108{ERR_FUNC(SSL_F_GET_CLIENT_FINISHED), "GET_CLIENT_FINISHED"},
109{ERR_FUNC(SSL_F_GET_CLIENT_HELLO), "GET_CLIENT_HELLO"},
110{ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY), "GET_CLIENT_MASTER_KEY"},
111{ERR_FUNC(SSL_F_GET_SERVER_FINISHED), "GET_SERVER_FINISHED"},
112{ERR_FUNC(SSL_F_GET_SERVER_HELLO), "GET_SERVER_HELLO"},
113{ERR_FUNC(SSL_F_GET_SERVER_VERIFY), "GET_SERVER_VERIFY"},
114{ERR_FUNC(SSL_F_I2D_SSL_SESSION), "i2d_SSL_SESSION"},
115{ERR_FUNC(SSL_F_READ_N), "READ_N"},
116{ERR_FUNC(SSL_F_REQUEST_CERTIFICATE), "REQUEST_CERTIFICATE"},
117{ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"},
118{ERR_FUNC(SSL_F_SERVER_HELLO), "SERVER_HELLO"},
119{ERR_FUNC(SSL_F_SERVER_VERIFY), "SERVER_VERIFY"},
120{ERR_FUNC(SSL_F_SSL23_ACCEPT), "SSL23_ACCEPT"},
121{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"},
122{ERR_FUNC(SSL_F_SSL23_CONNECT), "SSL23_CONNECT"},
123{ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO), "SSL23_GET_CLIENT_HELLO"},
124{ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO), "SSL23_GET_SERVER_HELLO"},
125{ERR_FUNC(SSL_F_SSL23_PEEK), "SSL23_PEEK"},
126{ERR_FUNC(SSL_F_SSL23_READ), "SSL23_READ"},
127{ERR_FUNC(SSL_F_SSL23_WRITE), "SSL23_WRITE"},
128{ERR_FUNC(SSL_F_SSL2_ACCEPT), "SSL2_ACCEPT"},
129{ERR_FUNC(SSL_F_SSL2_CONNECT), "SSL2_CONNECT"},
130{ERR_FUNC(SSL_F_SSL2_ENC_INIT), "SSL2_ENC_INIT"},
131{ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL), "SSL2_GENERATE_KEY_MATERIAL"},
132{ERR_FUNC(SSL_F_SSL2_PEEK), "SSL2_PEEK"},
133{ERR_FUNC(SSL_F_SSL2_READ), "SSL2_READ"},
134{ERR_FUNC(SSL_F_SSL2_READ_INTERNAL), "SSL2_READ_INTERNAL"},
135{ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE), "SSL2_SET_CERTIFICATE"},
136{ERR_FUNC(SSL_F_SSL2_WRITE), "SSL2_WRITE"},
137{ERR_FUNC(SSL_F_SSL3_ACCEPT), "SSL3_ACCEPT"},
138{ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF), "SSL3_ADD_CERT_TO_BUF"},
139{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
140{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
141{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
142{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
143{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
144{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
145{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
146{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
147{ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS), "SSL3_DIGEST_CACHED_RECORDS"},
148{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"},
149{ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"},
150{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
151{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},
152{ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_STATUS"},
153{ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"},
154{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"},
155{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"},
156{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"},
157{ERR_FUNC(SSL_F_SSL3_GET_FINISHED), "SSL3_GET_FINISHED"},
158{ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"},
159{ERR_FUNC(SSL_F_SSL3_GET_MESSAGE), "SSL3_GET_MESSAGE"},
160{ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET), "SSL3_GET_NEW_SESSION_TICKET"},
161{ERR_FUNC(SSL_F_SSL3_GET_NEXT_PROTO), "SSL3_GET_NEXT_PROTO"},
162{ERR_FUNC(SSL_F_SSL3_GET_RECORD), "SSL3_GET_RECORD"},
163{ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE), "SSL3_GET_SERVER_CERTIFICATE"},
164{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "SSL3_GET_SERVER_DONE"},
165{ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "SSL3_GET_SERVER_HELLO"},
166{ERR_FUNC(SSL_F_SSL3_HANDSHAKE_MAC), "ssl3_handshake_mac"},
167{ERR_FUNC(SSL_F_SSL3_NEW_SESSION_TICKET), "SSL3_NEW_SESSION_TICKET"},
168{ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN), "SSL3_OUTPUT_CERT_CHAIN"},
169{ERR_FUNC(SSL_F_SSL3_PEEK), "SSL3_PEEK"},
170{ERR_FUNC(SSL_F_SSL3_READ_BYTES), "SSL3_READ_BYTES"},
171{ERR_FUNC(SSL_F_SSL3_READ_N), "SSL3_READ_N"},
172{ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"},
173{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE), "SSL3_SEND_CLIENT_CERTIFICATE"},
174{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
175{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY), "SSL3_SEND_CLIENT_VERIFY"},
176{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE), "SSL3_SEND_SERVER_CERTIFICATE"},
177{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO), "SSL3_SEND_SERVER_HELLO"},
178{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE), "SSL3_SEND_SERVER_KEY_EXCHANGE"},
179{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "SSL3_SETUP_KEY_BLOCK"},
180{ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER), "SSL3_SETUP_READ_BUFFER"},
181{ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER), "SSL3_SETUP_WRITE_BUFFER"},
182{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "SSL3_WRITE_BYTES"},
183{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"},
184{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"},
185{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "SSL_ADD_CLIENTHELLO_TLSEXT"},
186{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT), "SSL_ADD_CLIENTHELLO_USE_SRTP_EXT"},
187{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"},
188{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"},
189{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"},
190{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "SSL_ADD_SERVERHELLO_TLSEXT"},
191{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT), "SSL_ADD_SERVERHELLO_USE_SRTP_EXT"},
192{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"},
193{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"},
194{ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"},
195{ERR_FUNC(SSL_F_SSL_CERT_INST), "SSL_CERT_INST"},
196{ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE), "SSL_CERT_INSTANTIATE"},
197{ERR_FUNC(SSL_F_SSL_CERT_NEW), "SSL_CERT_NEW"},
198{ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"},
199{ERR_FUNC(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT), "SSL_CHECK_SERVERHELLO_TLSEXT"},
200{ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG), "SSL_CHECK_SRVR_ECC_CERT_AND_ALG"},
201{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"},
202{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"},
203{ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"},
204{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD), "SSL_COMP_add_compression_method"},
205{ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "SSL_CREATE_CIPHER_LIST"},
206{ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"},
207{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"},
208{ERR_FUNC(SSL_F_SSL_CTX_MAKE_PROFILES), "SSL_CTX_MAKE_PROFILES"},
209{ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"},
210{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"},
211{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), "SSL_CTX_set_client_cert_engine"},
212{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"},
213{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"},
214{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"},
215{ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST), "SSL_CTX_set_trust"},
216{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE), "SSL_CTX_use_certificate"},
217{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1), "SSL_CTX_use_certificate_ASN1"},
218{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE), "SSL_CTX_use_certificate_chain_file"},
219{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE), "SSL_CTX_use_certificate_file"},
220{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY), "SSL_CTX_use_PrivateKey"},
221{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1), "SSL_CTX_use_PrivateKey_ASN1"},
222{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE), "SSL_CTX_use_PrivateKey_file"},
223{ERR_FUNC(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT), "SSL_CTX_use_psk_identity_hint"},
224{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY), "SSL_CTX_use_RSAPrivateKey"},
225{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1), "SSL_CTX_use_RSAPrivateKey_ASN1"},
226{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE), "SSL_CTX_use_RSAPrivateKey_file"},
227{ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"},
228{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"},
229{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"},
230{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"},
231{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"},
232{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
233{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
234{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
235{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
236{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
237{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT), "SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT"},
238{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
239{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
240{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT), "SSL_PARSE_SERVERHELLO_USE_SRTP_EXT"},
241{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
242{ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
243{ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
244{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
245{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
246{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
247{ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
248{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
249{ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"},
250{ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW), "SSL_SESS_CERT_NEW"},
251{ERR_FUNC(SSL_F_SSL_SET_CERT), "SSL_SET_CERT"},
252{ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST), "SSL_set_cipher_list"},
253{ERR_FUNC(SSL_F_SSL_SET_FD), "SSL_set_fd"},
254{ERR_FUNC(SSL_F_SSL_SET_PKEY), "SSL_SET_PKEY"},
255{ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"},
256{ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"},
257{ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"},
258{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"},
259{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
260{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
261{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
262{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
263{ERR_FUNC(SSL_F_SSL_SRP_CTX_INIT), "SSL_SRP_CTX_init"},
264{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION), "SSL_UNDEFINED_CONST_FUNCTION"},
265{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "SSL_UNDEFINED_FUNCTION"},
266{ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION), "SSL_UNDEFINED_VOID_FUNCTION"},
267{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE), "SSL_use_certificate"},
268{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1), "SSL_use_certificate_ASN1"},
269{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE), "SSL_use_certificate_file"},
270{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY), "SSL_use_PrivateKey"},
271{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1), "SSL_use_PrivateKey_ASN1"},
272{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"},
273{ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT), "SSL_use_psk_identity_hint"},
274{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
275{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"},
276{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"},
277{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"},
278{ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
279{ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC), "tls1_cert_verify_mac"},
280{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"},
281{ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"},
282{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
283{ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL), "TLS1_EXPORT_KEYING_MATERIAL"},
284{ERR_FUNC(SSL_F_TLS1_HEARTBEAT), "SSL_F_TLS1_HEARTBEAT"},
285{ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT), "TLS1_PREPARE_CLIENTHELLO_TLSEXT"},
286{ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT), "TLS1_PREPARE_SERVERHELLO_TLSEXT"},
287{ERR_FUNC(SSL_F_TLS1_PRF), "tls1_prf"},
288{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
289{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
290{0,NULL}
291 };
292
293static ERR_STRING_DATA SSL_str_reasons[]=
294 {
295{ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"},
296{ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"},
297{ERR_REASON(SSL_R_BAD_ALERT_RECORD) ,"bad alert record"},
298{ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
299{ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
300{ERR_REASON(SSL_R_BAD_CHECKSUM) ,"bad checksum"},
301{ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),"bad data returned by callback"},
302{ERR_REASON(SSL_R_BAD_DECOMPRESSION) ,"bad decompression"},
303{ERR_REASON(SSL_R_BAD_DH_G_LENGTH) ,"bad dh g length"},
304{ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) ,"bad dh pub key length"},
305{ERR_REASON(SSL_R_BAD_DH_P_LENGTH) ,"bad dh p length"},
306{ERR_REASON(SSL_R_BAD_DIGEST_LENGTH) ,"bad digest length"},
307{ERR_REASON(SSL_R_BAD_DSA_SIGNATURE) ,"bad dsa signature"},
308{ERR_REASON(SSL_R_BAD_ECC_CERT) ,"bad ecc cert"},
309{ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE) ,"bad ecdsa signature"},
310{ERR_REASON(SSL_R_BAD_ECPOINT) ,"bad ecpoint"},
311{ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH) ,"bad handshake length"},
312{ERR_REASON(SSL_R_BAD_HELLO_REQUEST) ,"bad hello request"},
313{ERR_REASON(SSL_R_BAD_LENGTH) ,"bad length"},
314{ERR_REASON(SSL_R_BAD_MAC_DECODE) ,"bad mac decode"},
315{ERR_REASON(SSL_R_BAD_MAC_LENGTH) ,"bad mac length"},
316{ERR_REASON(SSL_R_BAD_MESSAGE_TYPE) ,"bad message type"},
317{ERR_REASON(SSL_R_BAD_PACKET_LENGTH) ,"bad packet length"},
318{ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER),"bad protocol version number"},
319{ERR_REASON(SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH),"bad psk identity hint length"},
320{ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) ,"bad response argument"},
321{ERR_REASON(SSL_R_BAD_RSA_DECRYPT) ,"bad rsa decrypt"},
322{ERR_REASON(SSL_R_BAD_RSA_ENCRYPT) ,"bad rsa encrypt"},
323{ERR_REASON(SSL_R_BAD_RSA_E_LENGTH) ,"bad rsa e length"},
324{ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH),"bad rsa modulus length"},
325{ERR_REASON(SSL_R_BAD_RSA_SIGNATURE) ,"bad rsa signature"},
326{ERR_REASON(SSL_R_BAD_SIGNATURE) ,"bad signature"},
327{ERR_REASON(SSL_R_BAD_SRP_A_LENGTH) ,"bad srp a length"},
328{ERR_REASON(SSL_R_BAD_SRP_B_LENGTH) ,"bad srp b length"},
329{ERR_REASON(SSL_R_BAD_SRP_G_LENGTH) ,"bad srp g length"},
330{ERR_REASON(SSL_R_BAD_SRP_N_LENGTH) ,"bad srp n length"},
331{ERR_REASON(SSL_R_BAD_SRP_S_LENGTH) ,"bad srp s length"},
332{ERR_REASON(SSL_R_BAD_SRTP_MKI_VALUE) ,"bad srtp mki value"},
333{ERR_REASON(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST),"bad srtp protection profile list"},
334{ERR_REASON(SSL_R_BAD_SSL_FILETYPE) ,"bad ssl filetype"},
335{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
336{ERR_REASON(SSL_R_BAD_STATE) ,"bad state"},
337{ERR_REASON(SSL_R_BAD_WRITE_RETRY) ,"bad write retry"},
338{ERR_REASON(SSL_R_BIO_NOT_SET) ,"bio not set"},
339{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"},
340{ERR_REASON(SSL_R_BN_LIB) ,"bn lib"},
341{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"},
342{ERR_REASON(SSL_R_CA_DN_TOO_LONG) ,"ca dn too long"},
343{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) ,"ccs received early"},
344{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"},
345{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) ,"cert length mismatch"},
346{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"},
347{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"},
348{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"},
349{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
350{ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) ,"clienthello tlsext"},
351{ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
352{ERR_REASON(SSL_R_COMPRESSION_DISABLED) ,"compression disabled"},
353{ERR_REASON(SSL_R_COMPRESSION_FAILURE) ,"compression failure"},
354{ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"},
355{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
356{ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
357{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
358{ERR_REASON(SSL_R_COOKIE_MISMATCH) ,"cookie mismatch"},
359{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
360{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
361{ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
362{ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
363{ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
364{ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"},
365{ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) ,"dtls message too big"},
366{ERR_REASON(SSL_R_DUPLICATE_COMPRESSION_ID),"duplicate compression id"},
367{ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT),"ecc cert not for key agreement"},
368{ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_SIGNING),"ecc cert not for signing"},
369{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE),"ecc cert should have rsa signature"},
370{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE),"ecc cert should have sha1 signature"},
371{ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER),"ecgroup too large for cipher"},
372{ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),"empty srtp protection profile list"},
373{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
374{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"},
375{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"},
376{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
377{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
378{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
379{ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS),"got next proto before a ccs"},
380{ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION),"got next proto without seeing extension"},
381{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
382{ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
383{ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
384{ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
385{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
386{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
387{ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
388{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"},
389{ERR_REASON(SSL_R_INVALID_SRP_USERNAME) ,"invalid srp username"},
390{ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},
391{ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"},
392{ERR_REASON(SSL_R_INVALID_TRUST) ,"invalid trust"},
393{ERR_REASON(SSL_R_KEY_ARG_TOO_LONG) ,"key arg too long"},
394{ERR_REASON(SSL_R_KRB5) ,"krb5"},
395{ERR_REASON(SSL_R_KRB5_C_CC_PRINC) ,"krb5 client cc principal (no tkt?)"},
396{ERR_REASON(SSL_R_KRB5_C_GET_CRED) ,"krb5 client get cred"},
397{ERR_REASON(SSL_R_KRB5_C_INIT) ,"krb5 client init"},
398{ERR_REASON(SSL_R_KRB5_C_MK_REQ) ,"krb5 client mk_req (expired tkt?)"},
399{ERR_REASON(SSL_R_KRB5_S_BAD_TICKET) ,"krb5 server bad ticket"},
400{ERR_REASON(SSL_R_KRB5_S_INIT) ,"krb5 server init"},
401{ERR_REASON(SSL_R_KRB5_S_RD_REQ) ,"krb5 server rd_req (keytab perms?)"},
402{ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED) ,"krb5 server tkt expired"},
403{ERR_REASON(SSL_R_KRB5_S_TKT_NYV) ,"krb5 server tkt not yet valid"},
404{ERR_REASON(SSL_R_KRB5_S_TKT_SKEW) ,"krb5 server tkt skew"},
405{ERR_REASON(SSL_R_LENGTH_MISMATCH) ,"length mismatch"},
406{ERR_REASON(SSL_R_LENGTH_TOO_SHORT) ,"length too short"},
407{ERR_REASON(SSL_R_LIBRARY_BUG) ,"library bug"},
408{ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS),"library has no ciphers"},
409{ERR_REASON(SSL_R_MESSAGE_TOO_LONG) ,"message too long"},
410{ERR_REASON(SSL_R_MISSING_DH_DSA_CERT) ,"missing dh dsa cert"},
411{ERR_REASON(SSL_R_MISSING_DH_KEY) ,"missing dh key"},
412{ERR_REASON(SSL_R_MISSING_DH_RSA_CERT) ,"missing dh rsa cert"},
413{ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
414{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
415{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
416{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},
417{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"},
418{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"},
419{ERR_REASON(SSL_R_MISSING_SRP_PARAM) ,"can't find SRP server param"},
420{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY) ,"missing tmp dh key"},
421{ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY) ,"missing tmp ecdh key"},
422{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
423{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
424{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
425{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
426{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
427{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
428{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
429{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},
430{ERR_REASON(SSL_R_NO_CERTIFICATE_SET) ,"no certificate set"},
431{ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED),"no certificate specified"},
432{ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE) ,"no ciphers available"},
433{ERR_REASON(SSL_R_NO_CIPHERS_PASSED) ,"no ciphers passed"},
434{ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED) ,"no ciphers specified"},
435{ERR_REASON(SSL_R_NO_CIPHER_LIST) ,"no cipher list"},
436{ERR_REASON(SSL_R_NO_CIPHER_MATCH) ,"no cipher match"},
437{ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) ,"no client cert method"},
438{ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
439{ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
440{ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),"Peer haven't sent GOST certificate, required for selected ciphersuite"},
441{ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"},
442{ERR_REASON(SSL_R_NO_PRIVATEKEY) ,"no privatekey"},
443{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
444{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
445{ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"},
446{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"},
447{ERR_REASON(SSL_R_NO_REQUIRED_DIGEST) ,"digest requred for handshake isn't computed"},
448{ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
449{ERR_REASON(SSL_R_NO_SRTP_PROFILES) ,"no srtp profiles"},
450{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
451{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
452{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
453{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
454{ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),"old session compression algorithm not returned"},
455{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
456{ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),"opaque PRF input too long"},
457{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
458{ERR_REASON(SSL_R_PARSE_TLSEXT) ,"parse tlsext"},
459{ERR_REASON(SSL_R_PATH_TOO_LONG) ,"path too long"},
460{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
461{ERR_REASON(SSL_R_PEER_ERROR) ,"peer error"},
462{ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE),"peer error certificate"},
463{ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE),"peer error no certificate"},
464{ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER) ,"peer error no cipher"},
465{ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"peer error unsupported certificate type"},
466{ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG),"pre mac length too long"},
467{ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS),"problems mapping cipher functions"},
468{ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN) ,"protocol is shutdown"},
469{ERR_REASON(SSL_R_PSK_IDENTITY_NOT_FOUND),"psk identity not found"},
470{ERR_REASON(SSL_R_PSK_NO_CLIENT_CB) ,"psk no client cb"},
471{ERR_REASON(SSL_R_PSK_NO_SERVER_CB) ,"psk no server cb"},
472{ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR),"public key encrypt error"},
473{ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) ,"public key is not rsa"},
474{ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"},
475{ERR_REASON(SSL_R_READ_BIO_NOT_SET) ,"read bio not set"},
476{ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED) ,"read timeout expired"},
477{ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE),"read wrong packet type"},
478{ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
479{ERR_REASON(SSL_R_RECORD_TOO_LARGE) ,"record too large"},
480{ERR_REASON(SSL_R_RECORD_TOO_SMALL) ,"record too small"},
481{ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG),"renegotiate ext too long"},
482{ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"},
483{ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"},
484{ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
485{ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING),"required compresssion algorithm missing"},
486{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
487{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
488{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
489{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
490{ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"},
491{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
492{ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
493{ERR_REASON(SSL_R_SIGNATURE_ALGORITHMS_ERROR),"signature algorithms error"},
494{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
495{ERR_REASON(SSL_R_SRP_A_CALC) ,"error with the srp params"},
496{ERR_REASON(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES),"srtp could not allocate profiles"},
497{ERR_REASON(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG),"srtp protection profile list too long"},
498{ERR_REASON(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE),"srtp unknown protection profile"},
499{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
500{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"},
501{ERR_REASON(SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT),"ssl3 ext invalid ecpointformat"},
502{ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME),"ssl3 ext invalid servername"},
503{ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE),"ssl3 ext invalid servername type"},
504{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG),"ssl3 session id too long"},
505{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),"ssl3 session id too short"},
506{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),"sslv3 alert bad certificate"},
507{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),"sslv3 alert bad record mac"},
508{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),"sslv3 alert certificate expired"},
509{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),"sslv3 alert certificate revoked"},
510{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),"sslv3 alert certificate unknown"},
511{ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),"sslv3 alert decompression failure"},
512{ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),"sslv3 alert handshake failure"},
513{ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),"sslv3 alert illegal parameter"},
514{ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE),"sslv3 alert no certificate"},
515{ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),"sslv3 alert unexpected message"},
516{ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),"sslv3 alert unsupported certificate"},
517{ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),"ssl ctx has no default ssl version"},
518{ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) ,"ssl handshake failure"},
519{ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),"ssl library has no ciphers"},
520{ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),"ssl session id callback failed"},
521{ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT),"ssl session id conflict"},
522{ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),"ssl session id context too long"},
523{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),"ssl session id has bad length"},
524{ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT),"ssl session id is different"},
525{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),"tlsv1 alert access denied"},
526{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR),"tlsv1 alert decode error"},
527{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
528{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
529{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
530{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
531{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
532{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
533{ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION),"tlsv1 alert protocol version"},
534{ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),"tlsv1 alert record overflow"},
535{ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA),"tlsv1 alert unknown ca"},
536{ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED),"tlsv1 alert user cancelled"},
537{ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE),"tlsv1 bad certificate hash value"},
538{ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE),"tlsv1 bad certificate status response"},
539{ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE),"tlsv1 certificate unobtainable"},
540{ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"},
541{ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"},
542{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
543{ERR_REASON(SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT),"peer does not accept heartbearts"},
544{ERR_REASON(SSL_R_TLS_HEARTBEAT_PENDING) ,"heartbeat request already pending"},
545{ERR_REASON(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL),"tls illegal exporter label"},
546{ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
547{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
548{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"},
549{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"},
550{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"},
551{ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),"unable to decode ecdh certs"},
552{ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY),"unable to extract public key"},
553{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),"unable to find dh parameters"},
554{ERR_REASON(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS),"unable to find ecdh parameters"},
555{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),"unable to find public key parameters"},
556{ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),"unable to find ssl method"},
557{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES),"unable to load ssl2 md5 routines"},
558{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),"unable to load ssl3 md5 routines"},
559{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),"unable to load ssl3 sha1 routines"},
560{ERR_REASON(SSL_R_UNEXPECTED_MESSAGE) ,"unexpected message"},
561{ERR_REASON(SSL_R_UNEXPECTED_RECORD) ,"unexpected record"},
562{ERR_REASON(SSL_R_UNINITIALIZED) ,"uninitialized"},
563{ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE) ,"unknown alert type"},
564{ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
565{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
566{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE) ,"unknown cipher type"},
567{ERR_REASON(SSL_R_UNKNOWN_DIGEST) ,"unknown digest"},
568{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"},
569{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE) ,"unknown pkey type"},
570{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL) ,"unknown protocol"},
571{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
572{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
573{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
574{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
575{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
576{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
577{ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
578{ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},
579{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL) ,"unsupported protocol"},
580{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
581{ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),"unsupported status type"},
582{ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED),"use srtp not negotiated"},
583{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"},
584{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
585{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) ,"wrong message type"},
586{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"},
587{ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
588{ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE) ,"wrong signature size"},
589{ERR_REASON(SSL_R_WRONG_SIGNATURE_TYPE) ,"wrong signature type"},
590{ERR_REASON(SSL_R_WRONG_SSL_VERSION) ,"wrong ssl version"},
591{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"},
592{ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"},
593{ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
594{0,NULL}
595 };
596
597#endif
598
599void ERR_load_SSL_strings(void)
600 {
601#ifndef OPENSSL_NO_ERR
602
603 if (ERR_func_error_string(SSL_str_functs[0].error) == NULL)
604 {
605 ERR_load_strings(0,SSL_str_functs);
606 ERR_load_strings(0,SSL_str_reasons);
607 }
608#endif
609 }
diff --git a/src/lib/libssl/ssl_err2.c b/src/lib/libssl/ssl_err2.c
deleted file mode 100644
index ea95a5f983..0000000000
--- a/src/lib/libssl/ssl_err2.c
+++ /dev/null
@@ -1,70 +0,0 @@
1/* ssl/ssl_err2.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/err.h>
61#include <openssl/ssl.h>
62
63void SSL_load_error_strings(void)
64 {
65#ifndef OPENSSL_NO_ERR
66 ERR_load_crypto_strings();
67 ERR_load_SSL_strings();
68#endif
69 }
70
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
deleted file mode 100644
index c91f0018e4..0000000000
--- a/src/lib/libssl/ssl_lib.c
+++ /dev/null
@@ -1,3248 +0,0 @@
1/*! \file ssl/ssl_lib.c
2 * \brief Version independent SSL functions.
3 */
4/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * All rights reserved.
6 *
7 * This package is an SSL implementation written
8 * by Eric Young (eay@cryptsoft.com).
9 * The implementation was written so as to conform with Netscapes SSL.
10 *
11 * This library is free for commercial and non-commercial use as long as
12 * the following conditions are aheared to. The following conditions
13 * apply to all code found in this distribution, be it the RC4, RSA,
14 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
15 * included with this distribution is covered by the same copyright terms
16 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
17 *
18 * Copyright remains Eric Young's, and as such any Copyright notices in
19 * the code are not to be removed.
20 * If this package is used in a product, Eric Young should be given attribution
21 * as the author of the parts of the library used.
22 * This can be in the form of a textual message at program startup or
23 * in documentation (online or textual) provided with the package.
24 *
25 * Redistribution and use in source and binary forms, with or without
26 * modification, are permitted provided that the following conditions
27 * are met:
28 * 1. Redistributions of source code must retain the copyright
29 * notice, this list of conditions and the following disclaimer.
30 * 2. Redistributions in binary form must reproduce the above copyright
31 * notice, this list of conditions and the following disclaimer in the
32 * documentation and/or other materials provided with the distribution.
33 * 3. All advertising materials mentioning features or use of this software
34 * must display the following acknowledgement:
35 * "This product includes cryptographic software written by
36 * Eric Young (eay@cryptsoft.com)"
37 * The word 'cryptographic' can be left out if the rouines from the library
38 * being used are not cryptographic related :-).
39 * 4. If you include any Windows specific code (or a derivative thereof) from
40 * the apps directory (application code) you must include an acknowledgement:
41 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
42 *
43 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
46 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
47 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
48 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
49 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
50 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * SUCH DAMAGE.
54 *
55 * The licence and distribution terms for any publically available version or
56 * derivative of this code cannot be changed. i.e. this code cannot simply be
57 * copied and put under another distribution licence
58 * [including the GNU Public Licence.]
59 */
60/* ====================================================================
61 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
62 *
63 * Redistribution and use in source and binary forms, with or without
64 * modification, are permitted provided that the following conditions
65 * are met:
66 *
67 * 1. Redistributions of source code must retain the above copyright
68 * notice, this list of conditions and the following disclaimer.
69 *
70 * 2. Redistributions in binary form must reproduce the above copyright
71 * notice, this list of conditions and the following disclaimer in
72 * the documentation and/or other materials provided with the
73 * distribution.
74 *
75 * 3. All advertising materials mentioning features or use of this
76 * software must display the following acknowledgment:
77 * "This product includes software developed by the OpenSSL Project
78 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
79 *
80 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
81 * endorse or promote products derived from this software without
82 * prior written permission. For written permission, please contact
83 * openssl-core@openssl.org.
84 *
85 * 5. Products derived from this software may not be called "OpenSSL"
86 * nor may "OpenSSL" appear in their names without prior written
87 * permission of the OpenSSL Project.
88 *
89 * 6. Redistributions of any form whatsoever must retain the following
90 * acknowledgment:
91 * "This product includes software developed by the OpenSSL Project
92 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
93 *
94 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
95 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
96 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
97 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
98 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
99 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
100 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
101 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
102 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
103 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
104 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
105 * OF THE POSSIBILITY OF SUCH DAMAGE.
106 * ====================================================================
107 *
108 * This product includes cryptographic software written by Eric Young
109 * (eay@cryptsoft.com). This product includes software written by Tim
110 * Hudson (tjh@cryptsoft.com).
111 *
112 */
113/* ====================================================================
114 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
115 * ECC cipher suite support in OpenSSL originally developed by
116 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 */
118/* ====================================================================
119 * Copyright 2005 Nokia. All rights reserved.
120 *
121 * The portions of the attached software ("Contribution") is developed by
122 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
123 * license.
124 *
125 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
126 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
127 * support (see RFC 4279) to OpenSSL.
128 *
129 * No patent licenses or other rights except those expressly stated in
130 * the OpenSSL open source license shall be deemed granted or received
131 * expressly, by implication, estoppel, or otherwise.
132 *
133 * No assurances are provided by Nokia that the Contribution does not
134 * infringe the patent or other intellectual property rights of any third
135 * party or that the license provides you with all the necessary rights
136 * to make use of the Contribution.
137 *
138 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
139 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
140 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
141 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
142 * OTHERWISE.
143 */
144
145#ifdef REF_CHECK
146# include <assert.h>
147#endif
148#include <stdio.h>
149#include "ssl_locl.h"
150#include "kssl_lcl.h"
151#include <openssl/objects.h>
152#include <openssl/lhash.h>
153#include <openssl/x509v3.h>
154#include <openssl/rand.h>
155#include <openssl/ocsp.h>
156#ifndef OPENSSL_NO_DH
157#include <openssl/dh.h>
158#endif
159#ifndef OPENSSL_NO_ENGINE
160#include <openssl/engine.h>
161#endif
162
163const char *SSL_version_str=OPENSSL_VERSION_TEXT;
164
165SSL3_ENC_METHOD ssl3_undef_enc_method={
166 /* evil casts, but these functions are only called if there's a library bug */
167 (int (*)(SSL *,int))ssl_undefined_function,
168 (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
169 ssl_undefined_function,
170 (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
171 (int (*)(SSL*, int))ssl_undefined_function,
172 (int (*)(SSL *, const char*, int, unsigned char *))ssl_undefined_function,
173 0, /* finish_mac_length */
174 (int (*)(SSL *, int, unsigned char *))ssl_undefined_function,
175 NULL, /* client_finished_label */
176 0, /* client_finished_label_len */
177 NULL, /* server_finished_label */
178 0, /* server_finished_label_len */
179 (int (*)(int))ssl_undefined_function,
180 (int (*)(SSL *, unsigned char *, size_t, const char *,
181 size_t, const unsigned char *, size_t,
182 int use_context)) ssl_undefined_function,
183 };
184
185int SSL_clear(SSL *s)
186 {
187
188 if (s->method == NULL)
189 {
190 SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
191 return(0);
192 }
193
194 if (ssl_clear_bad_session(s))
195 {
196 SSL_SESSION_free(s->session);
197 s->session=NULL;
198 }
199
200 s->error=0;
201 s->hit=0;
202 s->shutdown=0;
203
204#if 0 /* Disabled since version 1.10 of this file (early return not
205 * needed because SSL_clear is not called when doing renegotiation) */
206 /* This is set if we are doing dynamic renegotiation so keep
207 * the old cipher. It is sort of a SSL_clear_lite :-) */
208 if (s->renegotiate) return(1);
209#else
210 if (s->renegotiate)
211 {
212 SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
213 return 0;
214 }
215#endif
216
217 s->type=0;
218
219 s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
220
221 s->version=s->method->version;
222 s->client_version=s->version;
223 s->rwstate=SSL_NOTHING;
224 s->rstate=SSL_ST_READ_HEADER;
225#if 0
226 s->read_ahead=s->ctx->read_ahead;
227#endif
228
229 if (s->init_buf != NULL)
230 {
231 BUF_MEM_free(s->init_buf);
232 s->init_buf=NULL;
233 }
234
235 ssl_clear_cipher_ctx(s);
236 ssl_clear_hash_ctx(&s->read_hash);
237 ssl_clear_hash_ctx(&s->write_hash);
238
239 s->first_packet=0;
240
241#if 1
242 /* Check to see if we were changed into a different method, if
243 * so, revert back if we are not doing session-id reuse. */
244 if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method))
245 {
246 s->method->ssl_free(s);
247 s->method=s->ctx->method;
248 if (!s->method->ssl_new(s))
249 return(0);
250 }
251 else
252#endif
253 s->method->ssl_clear(s);
254 return(1);
255 }
256
257/** Used to change an SSL_CTXs default SSL method type */
258int SSL_CTX_set_ssl_version(SSL_CTX *ctx,const SSL_METHOD *meth)
259 {
260 STACK_OF(SSL_CIPHER) *sk;
261
262 ctx->method=meth;
263
264 sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
265 &(ctx->cipher_list_by_id),
266 meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
267 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
268 {
269 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
270 return(0);
271 }
272 return(1);
273 }
274
275SSL *SSL_new(SSL_CTX *ctx)
276 {
277 SSL *s;
278
279 if (ctx == NULL)
280 {
281 SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX);
282 return(NULL);
283 }
284 if (ctx->method == NULL)
285 {
286 SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
287 return(NULL);
288 }
289
290 s=(SSL *)OPENSSL_malloc(sizeof(SSL));
291 if (s == NULL) goto err;
292 memset(s,0,sizeof(SSL));
293
294#ifndef OPENSSL_NO_KRB5
295 s->kssl_ctx = kssl_ctx_new();
296#endif /* OPENSSL_NO_KRB5 */
297
298 s->options=ctx->options;
299 s->mode=ctx->mode;
300 s->max_cert_list=ctx->max_cert_list;
301
302 if (ctx->cert != NULL)
303 {
304 /* Earlier library versions used to copy the pointer to
305 * the CERT, not its contents; only when setting new
306 * parameters for the per-SSL copy, ssl_cert_new would be
307 * called (and the direct reference to the per-SSL_CTX
308 * settings would be lost, but those still were indirectly
309 * accessed for various purposes, and for that reason they
310 * used to be known as s->ctx->default_cert).
311 * Now we don't look at the SSL_CTX's CERT after having
312 * duplicated it once. */
313
314 s->cert = ssl_cert_dup(ctx->cert);
315 if (s->cert == NULL)
316 goto err;
317 }
318 else
319 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
320
321 s->read_ahead=ctx->read_ahead;
322 s->msg_callback=ctx->msg_callback;
323 s->msg_callback_arg=ctx->msg_callback_arg;
324 s->verify_mode=ctx->verify_mode;
325#if 0
326 s->verify_depth=ctx->verify_depth;
327#endif
328 s->sid_ctx_length=ctx->sid_ctx_length;
329 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
330 memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
331 s->verify_callback=ctx->default_verify_callback;
332 s->generate_session_id=ctx->generate_session_id;
333
334 s->param = X509_VERIFY_PARAM_new();
335 if (!s->param)
336 goto err;
337 X509_VERIFY_PARAM_inherit(s->param, ctx->param);
338#if 0
339 s->purpose = ctx->purpose;
340 s->trust = ctx->trust;
341#endif
342 s->quiet_shutdown=ctx->quiet_shutdown;
343 s->max_send_fragment = ctx->max_send_fragment;
344
345 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
346 s->ctx=ctx;
347#ifndef OPENSSL_NO_TLSEXT
348 s->tlsext_debug_cb = 0;
349 s->tlsext_debug_arg = NULL;
350 s->tlsext_ticket_expected = 0;
351 s->tlsext_status_type = -1;
352 s->tlsext_status_expected = 0;
353 s->tlsext_ocsp_ids = NULL;
354 s->tlsext_ocsp_exts = NULL;
355 s->tlsext_ocsp_resp = NULL;
356 s->tlsext_ocsp_resplen = -1;
357 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
358 s->initial_ctx=ctx;
359# ifndef OPENSSL_NO_NEXTPROTONEG
360 s->next_proto_negotiated = NULL;
361# endif
362#endif
363
364 s->verify_result=X509_V_OK;
365
366 s->method=ctx->method;
367
368 if (!s->method->ssl_new(s))
369 goto err;
370
371 s->references=1;
372 s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
373
374 SSL_clear(s);
375
376 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
377
378#ifndef OPENSSL_NO_PSK
379 s->psk_client_callback=ctx->psk_client_callback;
380 s->psk_server_callback=ctx->psk_server_callback;
381#endif
382
383 return(s);
384err:
385 if (s != NULL)
386 {
387 if (s->cert != NULL)
388 ssl_cert_free(s->cert);
389 if (s->ctx != NULL)
390 SSL_CTX_free(s->ctx); /* decrement reference count */
391 OPENSSL_free(s);
392 }
393 SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
394 return(NULL);
395 }
396
397int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
398 unsigned int sid_ctx_len)
399 {
400 if(sid_ctx_len > sizeof ctx->sid_ctx)
401 {
402 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
403 return 0;
404 }
405 ctx->sid_ctx_length=sid_ctx_len;
406 memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len);
407
408 return 1;
409 }
410
411int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
412 unsigned int sid_ctx_len)
413 {
414 if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
415 {
416 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
417 return 0;
418 }
419 ssl->sid_ctx_length=sid_ctx_len;
420 memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len);
421
422 return 1;
423 }
424
425int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
426 {
427 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
428 ctx->generate_session_id = cb;
429 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
430 return 1;
431 }
432
433int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
434 {
435 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
436 ssl->generate_session_id = cb;
437 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
438 return 1;
439 }
440
441int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
442 unsigned int id_len)
443 {
444 /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
445 * we can "construct" a session to give us the desired check - ie. to
446 * find if there's a session in the hash table that would conflict with
447 * any new session built out of this id/id_len and the ssl_version in
448 * use by this SSL. */
449 SSL_SESSION r, *p;
450
451 if(id_len > sizeof r.session_id)
452 return 0;
453
454 r.ssl_version = ssl->version;
455 r.session_id_length = id_len;
456 memcpy(r.session_id, id, id_len);
457 /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
458 * callback is calling us to check the uniqueness of a shorter ID, it
459 * must be compared as a padded-out ID because that is what it will be
460 * converted to when the callback has finished choosing it. */
461 if((r.ssl_version == SSL2_VERSION) &&
462 (id_len < SSL2_SSL_SESSION_ID_LENGTH))
463 {
464 memset(r.session_id + id_len, 0,
465 SSL2_SSL_SESSION_ID_LENGTH - id_len);
466 r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
467 }
468
469 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
470 p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r);
471 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
472 return (p != NULL);
473 }
474
475int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
476 {
477 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
478 }
479
480int SSL_set_purpose(SSL *s, int purpose)
481 {
482 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
483 }
484
485int SSL_CTX_set_trust(SSL_CTX *s, int trust)
486 {
487 return X509_VERIFY_PARAM_set_trust(s->param, trust);
488 }
489
490int SSL_set_trust(SSL *s, int trust)
491 {
492 return X509_VERIFY_PARAM_set_trust(s->param, trust);
493 }
494
495int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
496 {
497 return X509_VERIFY_PARAM_set1(ctx->param, vpm);
498 }
499
500int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
501 {
502 return X509_VERIFY_PARAM_set1(ssl->param, vpm);
503 }
504
505void SSL_free(SSL *s)
506 {
507 int i;
508
509 if(s == NULL)
510 return;
511
512 i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
513#ifdef REF_PRINT
514 REF_PRINT("SSL",s);
515#endif
516 if (i > 0) return;
517#ifdef REF_CHECK
518 if (i < 0)
519 {
520 fprintf(stderr,"SSL_free, bad reference count\n");
521 abort(); /* ok */
522 }
523#endif
524
525 if (s->param)
526 X509_VERIFY_PARAM_free(s->param);
527
528 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
529
530 if (s->bbio != NULL)
531 {
532 /* If the buffering BIO is in place, pop it off */
533 if (s->bbio == s->wbio)
534 {
535 s->wbio=BIO_pop(s->wbio);
536 }
537 BIO_free(s->bbio);
538 s->bbio=NULL;
539 }
540 if (s->rbio != NULL)
541 BIO_free_all(s->rbio);
542 if ((s->wbio != NULL) && (s->wbio != s->rbio))
543 BIO_free_all(s->wbio);
544
545 if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
546
547 /* add extra stuff */
548 if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list);
549 if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id);
550
551 /* Make the next call work :-) */
552 if (s->session != NULL)
553 {
554 ssl_clear_bad_session(s);
555 SSL_SESSION_free(s->session);
556 }
557
558 ssl_clear_cipher_ctx(s);
559 ssl_clear_hash_ctx(&s->read_hash);
560 ssl_clear_hash_ctx(&s->write_hash);
561
562 if (s->cert != NULL) ssl_cert_free(s->cert);
563 /* Free up if allocated */
564
565#ifndef OPENSSL_NO_TLSEXT
566 if (s->tlsext_hostname)
567 OPENSSL_free(s->tlsext_hostname);
568 if (s->initial_ctx) SSL_CTX_free(s->initial_ctx);
569#ifndef OPENSSL_NO_EC
570 if (s->tlsext_ecpointformatlist) OPENSSL_free(s->tlsext_ecpointformatlist);
571 if (s->tlsext_ellipticcurvelist) OPENSSL_free(s->tlsext_ellipticcurvelist);
572#endif /* OPENSSL_NO_EC */
573 if (s->tlsext_opaque_prf_input) OPENSSL_free(s->tlsext_opaque_prf_input);
574 if (s->tlsext_ocsp_exts)
575 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
576 X509_EXTENSION_free);
577 if (s->tlsext_ocsp_ids)
578 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
579 if (s->tlsext_ocsp_resp)
580 OPENSSL_free(s->tlsext_ocsp_resp);
581#endif
582
583 if (s->client_CA != NULL)
584 sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
585
586 if (s->method != NULL) s->method->ssl_free(s);
587
588 if (s->ctx) SSL_CTX_free(s->ctx);
589
590#ifndef OPENSSL_NO_KRB5
591 if (s->kssl_ctx != NULL)
592 kssl_ctx_free(s->kssl_ctx);
593#endif /* OPENSSL_NO_KRB5 */
594
595#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
596 if (s->next_proto_negotiated)
597 OPENSSL_free(s->next_proto_negotiated);
598#endif
599
600 if (s->srtp_profiles)
601 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
602
603 OPENSSL_free(s);
604 }
605
606void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
607 {
608 /* If the output buffering BIO is still in place, remove it
609 */
610 if (s->bbio != NULL)
611 {
612 if (s->wbio == s->bbio)
613 {
614 s->wbio=s->wbio->next_bio;
615 s->bbio->next_bio=NULL;
616 }
617 }
618 if ((s->rbio != NULL) && (s->rbio != rbio))
619 BIO_free_all(s->rbio);
620 if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio))
621 BIO_free_all(s->wbio);
622 s->rbio=rbio;
623 s->wbio=wbio;
624 }
625
626BIO *SSL_get_rbio(const SSL *s)
627 { return(s->rbio); }
628
629BIO *SSL_get_wbio(const SSL *s)
630 { return(s->wbio); }
631
632int SSL_get_fd(const SSL *s)
633 {
634 return(SSL_get_rfd(s));
635 }
636
637int SSL_get_rfd(const SSL *s)
638 {
639 int ret= -1;
640 BIO *b,*r;
641
642 b=SSL_get_rbio(s);
643 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
644 if (r != NULL)
645 BIO_get_fd(r,&ret);
646 return(ret);
647 }
648
649int SSL_get_wfd(const SSL *s)
650 {
651 int ret= -1;
652 BIO *b,*r;
653
654 b=SSL_get_wbio(s);
655 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
656 if (r != NULL)
657 BIO_get_fd(r,&ret);
658 return(ret);
659 }
660
661#ifndef OPENSSL_NO_SOCK
662int SSL_set_fd(SSL *s,int fd)
663 {
664 int ret=0;
665 BIO *bio=NULL;
666
667 bio=BIO_new(BIO_s_socket());
668
669 if (bio == NULL)
670 {
671 SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
672 goto err;
673 }
674 BIO_set_fd(bio,fd,BIO_NOCLOSE);
675 SSL_set_bio(s,bio,bio);
676 ret=1;
677err:
678 return(ret);
679 }
680
681int SSL_set_wfd(SSL *s,int fd)
682 {
683 int ret=0;
684 BIO *bio=NULL;
685
686 if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
687 || ((int)BIO_get_fd(s->rbio,NULL) != fd))
688 {
689 bio=BIO_new(BIO_s_socket());
690
691 if (bio == NULL)
692 { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
693 BIO_set_fd(bio,fd,BIO_NOCLOSE);
694 SSL_set_bio(s,SSL_get_rbio(s),bio);
695 }
696 else
697 SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s));
698 ret=1;
699err:
700 return(ret);
701 }
702
703int SSL_set_rfd(SSL *s,int fd)
704 {
705 int ret=0;
706 BIO *bio=NULL;
707
708 if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
709 || ((int)BIO_get_fd(s->wbio,NULL) != fd))
710 {
711 bio=BIO_new(BIO_s_socket());
712
713 if (bio == NULL)
714 {
715 SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
716 goto err;
717 }
718 BIO_set_fd(bio,fd,BIO_NOCLOSE);
719 SSL_set_bio(s,bio,SSL_get_wbio(s));
720 }
721 else
722 SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s));
723 ret=1;
724err:
725 return(ret);
726 }
727#endif
728
729
730/* return length of latest Finished message we sent, copy to 'buf' */
731size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
732 {
733 size_t ret = 0;
734
735 if (s->s3 != NULL)
736 {
737 ret = s->s3->tmp.finish_md_len;
738 if (count > ret)
739 count = ret;
740 memcpy(buf, s->s3->tmp.finish_md, count);
741 }
742 return ret;
743 }
744
745/* return length of latest Finished message we expected, copy to 'buf' */
746size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
747 {
748 size_t ret = 0;
749
750 if (s->s3 != NULL)
751 {
752 ret = s->s3->tmp.peer_finish_md_len;
753 if (count > ret)
754 count = ret;
755 memcpy(buf, s->s3->tmp.peer_finish_md, count);
756 }
757 return ret;
758 }
759
760
761int SSL_get_verify_mode(const SSL *s)
762 {
763 return(s->verify_mode);
764 }
765
766int SSL_get_verify_depth(const SSL *s)
767 {
768 return X509_VERIFY_PARAM_get_depth(s->param);
769 }
770
771int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
772 {
773 return(s->verify_callback);
774 }
775
776int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
777 {
778 return(ctx->verify_mode);
779 }
780
781int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
782 {
783 return X509_VERIFY_PARAM_get_depth(ctx->param);
784 }
785
786int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
787 {
788 return(ctx->default_verify_callback);
789 }
790
791void SSL_set_verify(SSL *s,int mode,
792 int (*callback)(int ok,X509_STORE_CTX *ctx))
793 {
794 s->verify_mode=mode;
795 if (callback != NULL)
796 s->verify_callback=callback;
797 }
798
799void SSL_set_verify_depth(SSL *s,int depth)
800 {
801 X509_VERIFY_PARAM_set_depth(s->param, depth);
802 }
803
804void SSL_set_read_ahead(SSL *s,int yes)
805 {
806 s->read_ahead=yes;
807 }
808
809int SSL_get_read_ahead(const SSL *s)
810 {
811 return(s->read_ahead);
812 }
813
814int SSL_pending(const SSL *s)
815 {
816 /* SSL_pending cannot work properly if read-ahead is enabled
817 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
818 * and it is impossible to fix since SSL_pending cannot report
819 * errors that may be observed while scanning the new data.
820 * (Note that SSL_pending() is often used as a boolean value,
821 * so we'd better not return -1.)
822 */
823 return(s->method->ssl_pending(s));
824 }
825
826X509 *SSL_get_peer_certificate(const SSL *s)
827 {
828 X509 *r;
829
830 if ((s == NULL) || (s->session == NULL))
831 r=NULL;
832 else
833 r=s->session->peer;
834
835 if (r == NULL) return(r);
836
837 CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509);
838
839 return(r);
840 }
841
842STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
843 {
844 STACK_OF(X509) *r;
845
846 if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
847 r=NULL;
848 else
849 r=s->session->sess_cert->cert_chain;
850
851 /* If we are a client, cert_chain includes the peer's own
852 * certificate; if we are a server, it does not. */
853
854 return(r);
855 }
856
857/* Now in theory, since the calling process own 't' it should be safe to
858 * modify. We need to be able to read f without being hassled */
859void SSL_copy_session_id(SSL *t,const SSL *f)
860 {
861 CERT *tmp;
862
863 /* Do we need to to SSL locking? */
864 SSL_set_session(t,SSL_get_session(f));
865
866 /* what if we are setup as SSLv2 but want to talk SSLv3 or
867 * vice-versa */
868 if (t->method != f->method)
869 {
870 t->method->ssl_free(t); /* cleanup current */
871 t->method=f->method; /* change method */
872 t->method->ssl_new(t); /* setup new */
873 }
874
875 tmp=t->cert;
876 if (f->cert != NULL)
877 {
878 CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT);
879 t->cert=f->cert;
880 }
881 else
882 t->cert=NULL;
883 if (tmp != NULL) ssl_cert_free(tmp);
884 SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length);
885 }
886
887/* Fix this so it checks all the valid key/cert options */
888int SSL_CTX_check_private_key(const SSL_CTX *ctx)
889 {
890 if ( (ctx == NULL) ||
891 (ctx->cert == NULL) ||
892 (ctx->cert->key->x509 == NULL))
893 {
894 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
895 return(0);
896 }
897 if (ctx->cert->key->privatekey == NULL)
898 {
899 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
900 return(0);
901 }
902 return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey));
903 }
904
905/* Fix this function so that it takes an optional type parameter */
906int SSL_check_private_key(const SSL *ssl)
907 {
908 if (ssl == NULL)
909 {
910 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER);
911 return(0);
912 }
913 if (ssl->cert == NULL)
914 {
915 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
916 return 0;
917 }
918 if (ssl->cert->key->x509 == NULL)
919 {
920 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
921 return(0);
922 }
923 if (ssl->cert->key->privatekey == NULL)
924 {
925 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
926 return(0);
927 }
928 return(X509_check_private_key(ssl->cert->key->x509,
929 ssl->cert->key->privatekey));
930 }
931
932int SSL_accept(SSL *s)
933 {
934 if (s->handshake_func == 0)
935 /* Not properly initialized yet */
936 SSL_set_accept_state(s);
937
938 return(s->method->ssl_accept(s));
939 }
940
941int SSL_connect(SSL *s)
942 {
943 if (s->handshake_func == 0)
944 /* Not properly initialized yet */
945 SSL_set_connect_state(s);
946
947 return(s->method->ssl_connect(s));
948 }
949
950long SSL_get_default_timeout(const SSL *s)
951 {
952 return(s->method->get_timeout());
953 }
954
955int SSL_read(SSL *s,void *buf,int num)
956 {
957 if (s->handshake_func == 0)
958 {
959 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
960 return -1;
961 }
962
963 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
964 {
965 s->rwstate=SSL_NOTHING;
966 return(0);
967 }
968 return(s->method->ssl_read(s,buf,num));
969 }
970
971int SSL_peek(SSL *s,void *buf,int num)
972 {
973 if (s->handshake_func == 0)
974 {
975 SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED);
976 return -1;
977 }
978
979 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
980 {
981 return(0);
982 }
983 return(s->method->ssl_peek(s,buf,num));
984 }
985
986int SSL_write(SSL *s,const void *buf,int num)
987 {
988 if (s->handshake_func == 0)
989 {
990 SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
991 return -1;
992 }
993
994 if (s->shutdown & SSL_SENT_SHUTDOWN)
995 {
996 s->rwstate=SSL_NOTHING;
997 SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN);
998 return(-1);
999 }
1000 return(s->method->ssl_write(s,buf,num));
1001 }
1002
1003int SSL_shutdown(SSL *s)
1004 {
1005 /* Note that this function behaves differently from what one might
1006 * expect. Return values are 0 for no success (yet),
1007 * 1 for success; but calling it once is usually not enough,
1008 * even if blocking I/O is used (see ssl3_shutdown).
1009 */
1010
1011 if (s->handshake_func == 0)
1012 {
1013 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
1014 return -1;
1015 }
1016
1017 if ((s != NULL) && !SSL_in_init(s))
1018 return(s->method->ssl_shutdown(s));
1019 else
1020 return(1);
1021 }
1022
1023int SSL_renegotiate(SSL *s)
1024 {
1025 if (s->renegotiate == 0)
1026 s->renegotiate=1;
1027
1028 s->new_session=1;
1029
1030 return(s->method->ssl_renegotiate(s));
1031 }
1032
1033int SSL_renegotiate_abbreviated(SSL *s)
1034 {
1035 if (s->renegotiate == 0)
1036 s->renegotiate=1;
1037
1038 s->new_session=0;
1039
1040 return(s->method->ssl_renegotiate(s));
1041 }
1042
1043int SSL_renegotiate_pending(SSL *s)
1044 {
1045 /* becomes true when negotiation is requested;
1046 * false again once a handshake has finished */
1047 return (s->renegotiate != 0);
1048 }
1049
1050long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
1051 {
1052 long l;
1053
1054 switch (cmd)
1055 {
1056 case SSL_CTRL_GET_READ_AHEAD:
1057 return(s->read_ahead);
1058 case SSL_CTRL_SET_READ_AHEAD:
1059 l=s->read_ahead;
1060 s->read_ahead=larg;
1061 return(l);
1062
1063 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1064 s->msg_callback_arg = parg;
1065 return 1;
1066
1067 case SSL_CTRL_OPTIONS:
1068 return(s->options|=larg);
1069 case SSL_CTRL_CLEAR_OPTIONS:
1070 return(s->options&=~larg);
1071 case SSL_CTRL_MODE:
1072 return(s->mode|=larg);
1073 case SSL_CTRL_CLEAR_MODE:
1074 return(s->mode &=~larg);
1075 case SSL_CTRL_GET_MAX_CERT_LIST:
1076 return(s->max_cert_list);
1077 case SSL_CTRL_SET_MAX_CERT_LIST:
1078 l=s->max_cert_list;
1079 s->max_cert_list=larg;
1080 return(l);
1081 case SSL_CTRL_SET_MTU:
1082#ifndef OPENSSL_NO_DTLS1
1083 if (larg < (long)dtls1_min_mtu())
1084 return 0;
1085#endif
1086
1087 if (SSL_version(s) == DTLS1_VERSION ||
1088 SSL_version(s) == DTLS1_BAD_VER)
1089 {
1090 s->d1->mtu = larg;
1091 return larg;
1092 }
1093 return 0;
1094 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1095 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1096 return 0;
1097 s->max_send_fragment = larg;
1098 return 1;
1099 case SSL_CTRL_GET_RI_SUPPORT:
1100 if (s->s3)
1101 return s->s3->send_connection_binding;
1102 else return 0;
1103 default:
1104 return(s->method->ssl_ctrl(s,cmd,larg,parg));
1105 }
1106 }
1107
1108long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1109 {
1110 switch(cmd)
1111 {
1112 case SSL_CTRL_SET_MSG_CALLBACK:
1113 s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
1114 return 1;
1115
1116 default:
1117 return(s->method->ssl_callback_ctrl(s,cmd,fp));
1118 }
1119 }
1120
1121LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
1122 {
1123 return ctx->sessions;
1124 }
1125
1126long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
1127 {
1128 long l;
1129
1130 switch (cmd)
1131 {
1132 case SSL_CTRL_GET_READ_AHEAD:
1133 return(ctx->read_ahead);
1134 case SSL_CTRL_SET_READ_AHEAD:
1135 l=ctx->read_ahead;
1136 ctx->read_ahead=larg;
1137 return(l);
1138
1139 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1140 ctx->msg_callback_arg = parg;
1141 return 1;
1142
1143 case SSL_CTRL_GET_MAX_CERT_LIST:
1144 return(ctx->max_cert_list);
1145 case SSL_CTRL_SET_MAX_CERT_LIST:
1146 l=ctx->max_cert_list;
1147 ctx->max_cert_list=larg;
1148 return(l);
1149
1150 case SSL_CTRL_SET_SESS_CACHE_SIZE:
1151 l=ctx->session_cache_size;
1152 ctx->session_cache_size=larg;
1153 return(l);
1154 case SSL_CTRL_GET_SESS_CACHE_SIZE:
1155 return(ctx->session_cache_size);
1156 case SSL_CTRL_SET_SESS_CACHE_MODE:
1157 l=ctx->session_cache_mode;
1158 ctx->session_cache_mode=larg;
1159 return(l);
1160 case SSL_CTRL_GET_SESS_CACHE_MODE:
1161 return(ctx->session_cache_mode);
1162
1163 case SSL_CTRL_SESS_NUMBER:
1164 return(lh_SSL_SESSION_num_items(ctx->sessions));
1165 case SSL_CTRL_SESS_CONNECT:
1166 return(ctx->stats.sess_connect);
1167 case SSL_CTRL_SESS_CONNECT_GOOD:
1168 return(ctx->stats.sess_connect_good);
1169 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
1170 return(ctx->stats.sess_connect_renegotiate);
1171 case SSL_CTRL_SESS_ACCEPT:
1172 return(ctx->stats.sess_accept);
1173 case SSL_CTRL_SESS_ACCEPT_GOOD:
1174 return(ctx->stats.sess_accept_good);
1175 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
1176 return(ctx->stats.sess_accept_renegotiate);
1177 case SSL_CTRL_SESS_HIT:
1178 return(ctx->stats.sess_hit);
1179 case SSL_CTRL_SESS_CB_HIT:
1180 return(ctx->stats.sess_cb_hit);
1181 case SSL_CTRL_SESS_MISSES:
1182 return(ctx->stats.sess_miss);
1183 case SSL_CTRL_SESS_TIMEOUTS:
1184 return(ctx->stats.sess_timeout);
1185 case SSL_CTRL_SESS_CACHE_FULL:
1186 return(ctx->stats.sess_cache_full);
1187 case SSL_CTRL_OPTIONS:
1188 return(ctx->options|=larg);
1189 case SSL_CTRL_CLEAR_OPTIONS:
1190 return(ctx->options&=~larg);
1191 case SSL_CTRL_MODE:
1192 return(ctx->mode|=larg);
1193 case SSL_CTRL_CLEAR_MODE:
1194 return(ctx->mode&=~larg);
1195 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1196 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1197 return 0;
1198 ctx->max_send_fragment = larg;
1199 return 1;
1200 default:
1201 return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
1202 }
1203 }
1204
1205long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1206 {
1207 switch(cmd)
1208 {
1209 case SSL_CTRL_SET_MSG_CALLBACK:
1210 ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
1211 return 1;
1212
1213 default:
1214 return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
1215 }
1216 }
1217
1218int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
1219 {
1220 long l;
1221
1222 l=a->id-b->id;
1223 if (l == 0L)
1224 return(0);
1225 else
1226 return((l > 0)?1:-1);
1227 }
1228
1229int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
1230 const SSL_CIPHER * const *bp)
1231 {
1232 long l;
1233
1234 l=(*ap)->id-(*bp)->id;
1235 if (l == 0L)
1236 return(0);
1237 else
1238 return((l > 0)?1:-1);
1239 }
1240
1241/** return a STACK of the ciphers available for the SSL and in order of
1242 * preference */
1243STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
1244 {
1245 if (s != NULL)
1246 {
1247 if (s->cipher_list != NULL)
1248 {
1249 return(s->cipher_list);
1250 }
1251 else if ((s->ctx != NULL) &&
1252 (s->ctx->cipher_list != NULL))
1253 {
1254 return(s->ctx->cipher_list);
1255 }
1256 }
1257 return(NULL);
1258 }
1259
1260/** return a STACK of the ciphers available for the SSL and in order of
1261 * algorithm id */
1262STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
1263 {
1264 if (s != NULL)
1265 {
1266 if (s->cipher_list_by_id != NULL)
1267 {
1268 return(s->cipher_list_by_id);
1269 }
1270 else if ((s->ctx != NULL) &&
1271 (s->ctx->cipher_list_by_id != NULL))
1272 {
1273 return(s->ctx->cipher_list_by_id);
1274 }
1275 }
1276 return(NULL);
1277 }
1278
1279/** The old interface to get the same thing as SSL_get_ciphers() */
1280const char *SSL_get_cipher_list(const SSL *s,int n)
1281 {
1282 SSL_CIPHER *c;
1283 STACK_OF(SSL_CIPHER) *sk;
1284
1285 if (s == NULL) return(NULL);
1286 sk=SSL_get_ciphers(s);
1287 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
1288 return(NULL);
1289 c=sk_SSL_CIPHER_value(sk,n);
1290 if (c == NULL) return(NULL);
1291 return(c->name);
1292 }
1293
1294/** specify the ciphers to be used by default by the SSL_CTX */
1295int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1296 {
1297 STACK_OF(SSL_CIPHER) *sk;
1298
1299 sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
1300 &ctx->cipher_list_by_id,str);
1301 /* ssl_create_cipher_list may return an empty stack if it
1302 * was unable to find a cipher matching the given rule string
1303 * (for example if the rule string specifies a cipher which
1304 * has been disabled). This is not an error as far as
1305 * ssl_create_cipher_list is concerned, and hence
1306 * ctx->cipher_list and ctx->cipher_list_by_id has been
1307 * updated. */
1308 if (sk == NULL)
1309 return 0;
1310 else if (sk_SSL_CIPHER_num(sk) == 0)
1311 {
1312 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1313 return 0;
1314 }
1315 return 1;
1316 }
1317
1318/** specify the ciphers to be used by the SSL */
1319int SSL_set_cipher_list(SSL *s,const char *str)
1320 {
1321 STACK_OF(SSL_CIPHER) *sk;
1322
1323 sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
1324 &s->cipher_list_by_id,str);
1325 /* see comment in SSL_CTX_set_cipher_list */
1326 if (sk == NULL)
1327 return 0;
1328 else if (sk_SSL_CIPHER_num(sk) == 0)
1329 {
1330 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1331 return 0;
1332 }
1333 return 1;
1334 }
1335
1336/* works well for SSLv2, not so good for SSLv3 */
1337char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
1338 {
1339 char *end;
1340 STACK_OF(SSL_CIPHER) *sk;
1341 SSL_CIPHER *c;
1342 size_t curlen = 0;
1343 int i;
1344
1345 if ((s->session == NULL) || (s->session->ciphers == NULL) ||
1346 (len < 2))
1347 return(NULL);
1348
1349 sk=s->session->ciphers;
1350 buf[0] = '\0';
1351 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1352 {
1353 c=sk_SSL_CIPHER_value(sk,i);
1354 end = buf + curlen;
1355 if (strlcat(buf, c->name, len) >= len ||
1356 (curlen = strlcat(buf, ":", len)) >= len)
1357 {
1358 /* remove truncated cipher from list */
1359 *end = '\0';
1360 break;
1361 }
1362 }
1363 /* remove trailing colon */
1364 if ((end = strrchr(buf, ':')) != NULL)
1365 *end = '\0';
1366 return(buf);
1367 }
1368
1369int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
1370 int (*put_cb)(const SSL_CIPHER *, unsigned char *))
1371 {
1372 int i,j=0;
1373 SSL_CIPHER *c;
1374 unsigned char *q;
1375#ifndef OPENSSL_NO_KRB5
1376 int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
1377#endif /* OPENSSL_NO_KRB5 */
1378
1379 if (sk == NULL) return(0);
1380 q=p;
1381
1382 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1383 {
1384 c=sk_SSL_CIPHER_value(sk,i);
1385 /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
1386 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
1387 (TLS1_get_client_version(s) < TLS1_2_VERSION))
1388 continue;
1389#ifndef OPENSSL_NO_KRB5
1390 if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
1391 nokrb5)
1392 continue;
1393#endif /* OPENSSL_NO_KRB5 */
1394#ifndef OPENSSL_NO_PSK
1395 /* with PSK there must be client callback set */
1396 if (((c->algorithm_mkey & SSL_kPSK) || (c->algorithm_auth & SSL_aPSK)) &&
1397 s->psk_client_callback == NULL)
1398 continue;
1399#endif /* OPENSSL_NO_PSK */
1400 j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
1401 p+=j;
1402 }
1403 /* If p == q, no ciphers and caller indicates an error. Otherwise
1404 * add SCSV if not renegotiating.
1405 */
1406 if (p != q && !s->renegotiate)
1407 {
1408 static SSL_CIPHER scsv =
1409 {
1410 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
1411 };
1412 j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
1413 p+=j;
1414#ifdef OPENSSL_RI_DEBUG
1415 fprintf(stderr, "SCSV sent by client\n");
1416#endif
1417 }
1418
1419 return(p-q);
1420 }
1421
1422STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
1423 STACK_OF(SSL_CIPHER) **skp)
1424 {
1425 const SSL_CIPHER *c;
1426 STACK_OF(SSL_CIPHER) *sk;
1427 int i,n;
1428 if (s->s3)
1429 s->s3->send_connection_binding = 0;
1430
1431 n=ssl_put_cipher_by_char(s,NULL,NULL);
1432 if ((num%n) != 0)
1433 {
1434 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
1435 return(NULL);
1436 }
1437 if ((skp == NULL) || (*skp == NULL))
1438 sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */
1439 else
1440 {
1441 sk= *skp;
1442 sk_SSL_CIPHER_zero(sk);
1443 }
1444
1445 for (i=0; i<num; i+=n)
1446 {
1447 /* Check for SCSV */
1448 if (s->s3 && (n != 3 || !p[0]) &&
1449 (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
1450 (p[n-1] == (SSL3_CK_SCSV & 0xff)))
1451 {
1452 /* SCSV fatal if renegotiating */
1453 if (s->renegotiate)
1454 {
1455 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1456 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1457 goto err;
1458 }
1459 s->s3->send_connection_binding = 1;
1460 p += n;
1461#ifdef OPENSSL_RI_DEBUG
1462 fprintf(stderr, "SCSV received by server\n");
1463#endif
1464 continue;
1465 }
1466
1467 c=ssl_get_cipher_by_char(s,p);
1468 p+=n;
1469 if (c != NULL)
1470 {
1471 if (!sk_SSL_CIPHER_push(sk,c))
1472 {
1473 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1474 goto err;
1475 }
1476 }
1477 }
1478
1479 if (skp != NULL)
1480 *skp=sk;
1481 return(sk);
1482err:
1483 if ((skp == NULL) || (*skp == NULL))
1484 sk_SSL_CIPHER_free(sk);
1485 return(NULL);
1486 }
1487
1488
1489#ifndef OPENSSL_NO_TLSEXT
1490/** return a servername extension value if provided in Client Hello, or NULL.
1491 * So far, only host_name types are defined (RFC 3546).
1492 */
1493
1494const char *SSL_get_servername(const SSL *s, const int type)
1495 {
1496 if (type != TLSEXT_NAMETYPE_host_name)
1497 return NULL;
1498
1499 return s->session && !s->tlsext_hostname ?
1500 s->session->tlsext_hostname :
1501 s->tlsext_hostname;
1502 }
1503
1504int SSL_get_servername_type(const SSL *s)
1505 {
1506 if (s->session && (!s->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname))
1507 return TLSEXT_NAMETYPE_host_name;
1508 return -1;
1509 }
1510
1511# ifndef OPENSSL_NO_NEXTPROTONEG
1512/* SSL_select_next_proto implements the standard protocol selection. It is
1513 * expected that this function is called from the callback set by
1514 * SSL_CTX_set_next_proto_select_cb.
1515 *
1516 * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
1517 * strings. The length byte itself is not included in the length. A byte
1518 * string of length 0 is invalid. No byte string may be truncated.
1519 *
1520 * The current, but experimental algorithm for selecting the protocol is:
1521 *
1522 * 1) If the server doesn't support NPN then this is indicated to the
1523 * callback. In this case, the client application has to abort the connection
1524 * or have a default application level protocol.
1525 *
1526 * 2) If the server supports NPN, but advertises an empty list then the
1527 * client selects the first protcol in its list, but indicates via the
1528 * API that this fallback case was enacted.
1529 *
1530 * 3) Otherwise, the client finds the first protocol in the server's list
1531 * that it supports and selects this protocol. This is because it's
1532 * assumed that the server has better information about which protocol
1533 * a client should use.
1534 *
1535 * 4) If the client doesn't support any of the server's advertised
1536 * protocols, then this is treated the same as case 2.
1537 *
1538 * It returns either
1539 * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
1540 * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
1541 */
1542int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *server, unsigned int server_len, const unsigned char *client, unsigned int client_len)
1543 {
1544 unsigned int i, j;
1545 const unsigned char *result;
1546 int status = OPENSSL_NPN_UNSUPPORTED;
1547
1548 /* For each protocol in server preference order, see if we support it. */
1549 for (i = 0; i < server_len; )
1550 {
1551 for (j = 0; j < client_len; )
1552 {
1553 if (server[i] == client[j] &&
1554 memcmp(&server[i+1], &client[j+1], server[i]) == 0)
1555 {
1556 /* We found a match */
1557 result = &server[i];
1558 status = OPENSSL_NPN_NEGOTIATED;
1559 goto found;
1560 }
1561 j += client[j];
1562 j++;
1563 }
1564 i += server[i];
1565 i++;
1566 }
1567
1568 /* There's no overlap between our protocols and the server's list. */
1569 result = client;
1570 status = OPENSSL_NPN_NO_OVERLAP;
1571
1572 found:
1573 *out = (unsigned char *) result + 1;
1574 *outlen = result[0];
1575 return status;
1576 }
1577
1578/* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
1579 * requested protocol for this connection and returns 0. If the client didn't
1580 * request any protocol, then *data is set to NULL.
1581 *
1582 * Note that the client can request any protocol it chooses. The value returned
1583 * from this function need not be a member of the list of supported protocols
1584 * provided by the callback.
1585 */
1586void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len)
1587 {
1588 *data = s->next_proto_negotiated;
1589 if (!*data) {
1590 *len = 0;
1591 } else {
1592 *len = s->next_proto_negotiated_len;
1593 }
1594}
1595
1596/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
1597 * TLS server needs a list of supported protocols for Next Protocol
1598 * Negotiation. The returned list must be in wire format. The list is returned
1599 * by setting |out| to point to it and |outlen| to its length. This memory will
1600 * not be modified, but one should assume that the SSL* keeps a reference to
1601 * it.
1602 *
1603 * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. Otherwise, no
1604 * such extension will be included in the ServerHello. */
1605void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
1606 {
1607 ctx->next_protos_advertised_cb = cb;
1608 ctx->next_protos_advertised_cb_arg = arg;
1609 }
1610
1611/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
1612 * client needs to select a protocol from the server's provided list. |out|
1613 * must be set to point to the selected protocol (which may be within |in|).
1614 * The length of the protocol name must be written into |outlen|. The server's
1615 * advertised protocols are provided in |in| and |inlen|. The callback can
1616 * assume that |in| is syntactically valid.
1617 *
1618 * The client must select a protocol. It is fatal to the connection if this
1619 * callback returns a value other than SSL_TLSEXT_ERR_OK.
1620 */
1621void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg)
1622 {
1623 ctx->next_proto_select_cb = cb;
1624 ctx->next_proto_select_cb_arg = arg;
1625 }
1626# endif
1627#endif
1628
1629int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1630 const char *label, size_t llen, const unsigned char *p, size_t plen,
1631 int use_context)
1632 {
1633 if (s->version < TLS1_VERSION)
1634 return -1;
1635
1636 return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
1637 llen, p, plen,
1638 use_context);
1639 }
1640
1641static unsigned long ssl_session_hash(const SSL_SESSION *a)
1642 {
1643 unsigned long l;
1644
1645 l=(unsigned long)
1646 ((unsigned int) a->session_id[0] )|
1647 ((unsigned int) a->session_id[1]<< 8L)|
1648 ((unsigned long)a->session_id[2]<<16L)|
1649 ((unsigned long)a->session_id[3]<<24L);
1650 return(l);
1651 }
1652
1653/* NB: If this function (or indeed the hash function which uses a sort of
1654 * coarser function than this one) is changed, ensure
1655 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
1656 * able to construct an SSL_SESSION that will collide with any existing session
1657 * with a matching session ID. */
1658static int ssl_session_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
1659 {
1660 if (a->ssl_version != b->ssl_version)
1661 return(1);
1662 if (a->session_id_length != b->session_id_length)
1663 return(1);
1664 return(memcmp(a->session_id,b->session_id,a->session_id_length));
1665 }
1666
1667/* These wrapper functions should remain rather than redeclaring
1668 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
1669 * variable. The reason is that the functions aren't static, they're exposed via
1670 * ssl.h. */
1671static IMPLEMENT_LHASH_HASH_FN(ssl_session, SSL_SESSION)
1672static IMPLEMENT_LHASH_COMP_FN(ssl_session, SSL_SESSION)
1673
1674SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
1675 {
1676 SSL_CTX *ret=NULL;
1677
1678 if (meth == NULL)
1679 {
1680 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
1681 return(NULL);
1682 }
1683
1684#ifdef OPENSSL_FIPS
1685 if (FIPS_mode() && (meth->version < TLS1_VERSION))
1686 {
1687 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
1688 return NULL;
1689 }
1690#endif
1691
1692 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1693 {
1694 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
1695 goto err;
1696 }
1697 ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX));
1698 if (ret == NULL)
1699 goto err;
1700
1701 memset(ret,0,sizeof(SSL_CTX));
1702
1703 ret->method=meth;
1704
1705 ret->cert_store=NULL;
1706 ret->session_cache_mode=SSL_SESS_CACHE_SERVER;
1707 ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
1708 ret->session_cache_head=NULL;
1709 ret->session_cache_tail=NULL;
1710
1711 /* We take the system default */
1712 ret->session_timeout=meth->get_timeout();
1713
1714 ret->new_session_cb=0;
1715 ret->remove_session_cb=0;
1716 ret->get_session_cb=0;
1717 ret->generate_session_id=0;
1718
1719 memset((char *)&ret->stats,0,sizeof(ret->stats));
1720
1721 ret->references=1;
1722 ret->quiet_shutdown=0;
1723
1724/* ret->cipher=NULL;*/
1725/* ret->s2->challenge=NULL;
1726 ret->master_key=NULL;
1727 ret->key_arg=NULL;
1728 ret->s2->conn_id=NULL; */
1729
1730 ret->info_callback=NULL;
1731
1732 ret->app_verify_callback=0;
1733 ret->app_verify_arg=NULL;
1734
1735 ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT;
1736 ret->read_ahead=0;
1737 ret->msg_callback=0;
1738 ret->msg_callback_arg=NULL;
1739 ret->verify_mode=SSL_VERIFY_NONE;
1740#if 0
1741 ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
1742#endif
1743 ret->sid_ctx_length=0;
1744 ret->default_verify_callback=NULL;
1745 if ((ret->cert=ssl_cert_new()) == NULL)
1746 goto err;
1747
1748 ret->default_passwd_callback=0;
1749 ret->default_passwd_callback_userdata=NULL;
1750 ret->client_cert_cb=0;
1751 ret->app_gen_cookie_cb=0;
1752 ret->app_verify_cookie_cb=0;
1753
1754 ret->sessions=lh_SSL_SESSION_new();
1755 if (ret->sessions == NULL) goto err;
1756 ret->cert_store=X509_STORE_new();
1757 if (ret->cert_store == NULL) goto err;
1758
1759 ssl_create_cipher_list(ret->method,
1760 &ret->cipher_list,&ret->cipher_list_by_id,
1761 meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
1762 if (ret->cipher_list == NULL
1763 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
1764 {
1765 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
1766 goto err2;
1767 }
1768
1769 ret->param = X509_VERIFY_PARAM_new();
1770 if (!ret->param)
1771 goto err;
1772
1773 if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
1774 {
1775 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
1776 goto err2;
1777 }
1778 if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
1779 {
1780 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
1781 goto err2;
1782 }
1783 if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL)
1784 {
1785 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
1786 goto err2;
1787 }
1788
1789 if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
1790 goto err;
1791
1792 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
1793
1794 ret->extra_certs=NULL;
1795 ret->comp_methods=SSL_COMP_get_compression_methods();
1796
1797 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
1798
1799#ifndef OPENSSL_NO_TLSEXT
1800 ret->tlsext_servername_callback = 0;
1801 ret->tlsext_servername_arg = NULL;
1802 /* Setup RFC4507 ticket keys */
1803 if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
1804 || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
1805 || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
1806 ret->options |= SSL_OP_NO_TICKET;
1807
1808 ret->tlsext_status_cb = 0;
1809 ret->tlsext_status_arg = NULL;
1810
1811# ifndef OPENSSL_NO_NEXTPROTONEG
1812 ret->next_protos_advertised_cb = 0;
1813 ret->next_proto_select_cb = 0;
1814# endif
1815#endif
1816#ifndef OPENSSL_NO_PSK
1817 ret->psk_identity_hint=NULL;
1818 ret->psk_client_callback=NULL;
1819 ret->psk_server_callback=NULL;
1820#endif
1821#ifndef OPENSSL_NO_SRP
1822 SSL_CTX_SRP_CTX_init(ret);
1823#endif
1824#ifndef OPENSSL_NO_BUF_FREELISTS
1825 ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
1826 ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
1827 if (!ret->rbuf_freelist)
1828 goto err;
1829 ret->rbuf_freelist->chunklen = 0;
1830 ret->rbuf_freelist->len = 0;
1831 ret->rbuf_freelist->head = NULL;
1832 ret->wbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
1833 if (!ret->wbuf_freelist)
1834 {
1835 OPENSSL_free(ret->rbuf_freelist);
1836 goto err;
1837 }
1838 ret->wbuf_freelist->chunklen = 0;
1839 ret->wbuf_freelist->len = 0;
1840 ret->wbuf_freelist->head = NULL;
1841#endif
1842#ifndef OPENSSL_NO_ENGINE
1843 ret->client_cert_engine = NULL;
1844#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
1845#define eng_strx(x) #x
1846#define eng_str(x) eng_strx(x)
1847 /* Use specific client engine automatically... ignore errors */
1848 {
1849 ENGINE *eng;
1850 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
1851 if (!eng)
1852 {
1853 ERR_clear_error();
1854 ENGINE_load_builtin_engines();
1855 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
1856 }
1857 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
1858 ERR_clear_error();
1859 }
1860#endif
1861#endif
1862 /* Default is to connect to non-RI servers. When RI is more widely
1863 * deployed might change this.
1864 */
1865 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
1866
1867 return(ret);
1868err:
1869 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
1870err2:
1871 if (ret != NULL) SSL_CTX_free(ret);
1872 return(NULL);
1873 }
1874
1875#if 0
1876static void SSL_COMP_free(SSL_COMP *comp)
1877 { OPENSSL_free(comp); }
1878#endif
1879
1880#ifndef OPENSSL_NO_BUF_FREELISTS
1881static void
1882ssl_buf_freelist_free(SSL3_BUF_FREELIST *list)
1883 {
1884 SSL3_BUF_FREELIST_ENTRY *ent, *next;
1885 for (ent = list->head; ent; ent = next)
1886 {
1887 next = ent->next;
1888 OPENSSL_free(ent);
1889 }
1890 OPENSSL_free(list);
1891 }
1892#endif
1893
1894void SSL_CTX_free(SSL_CTX *a)
1895 {
1896 int i;
1897
1898 if (a == NULL) return;
1899
1900 i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX);
1901#ifdef REF_PRINT
1902 REF_PRINT("SSL_CTX",a);
1903#endif
1904 if (i > 0) return;
1905#ifdef REF_CHECK
1906 if (i < 0)
1907 {
1908 fprintf(stderr,"SSL_CTX_free, bad reference count\n");
1909 abort(); /* ok */
1910 }
1911#endif
1912
1913 if (a->param)
1914 X509_VERIFY_PARAM_free(a->param);
1915
1916 /*
1917 * Free internal session cache. However: the remove_cb() may reference
1918 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
1919 * after the sessions were flushed.
1920 * As the ex_data handling routines might also touch the session cache,
1921 * the most secure solution seems to be: empty (flush) the cache, then
1922 * free ex_data, then finally free the cache.
1923 * (See ticket [openssl.org #212].)
1924 */
1925 if (a->sessions != NULL)
1926 SSL_CTX_flush_sessions(a,0);
1927
1928 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
1929
1930 if (a->sessions != NULL)
1931 lh_SSL_SESSION_free(a->sessions);
1932
1933 if (a->cert_store != NULL)
1934 X509_STORE_free(a->cert_store);
1935 if (a->cipher_list != NULL)
1936 sk_SSL_CIPHER_free(a->cipher_list);
1937 if (a->cipher_list_by_id != NULL)
1938 sk_SSL_CIPHER_free(a->cipher_list_by_id);
1939 if (a->cert != NULL)
1940 ssl_cert_free(a->cert);
1941 if (a->client_CA != NULL)
1942 sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
1943 if (a->extra_certs != NULL)
1944 sk_X509_pop_free(a->extra_certs,X509_free);
1945#if 0 /* This should never be done, since it removes a global database */
1946 if (a->comp_methods != NULL)
1947 sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
1948#else
1949 a->comp_methods = NULL;
1950#endif
1951
1952 if (a->srtp_profiles)
1953 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
1954
1955#ifndef OPENSSL_NO_PSK
1956 if (a->psk_identity_hint)
1957 OPENSSL_free(a->psk_identity_hint);
1958#endif
1959#ifndef OPENSSL_NO_SRP
1960 SSL_CTX_SRP_CTX_free(a);
1961#endif
1962#ifndef OPENSSL_NO_ENGINE
1963 if (a->client_cert_engine)
1964 ENGINE_finish(a->client_cert_engine);
1965#endif
1966
1967#ifndef OPENSSL_NO_BUF_FREELISTS
1968 if (a->wbuf_freelist)
1969 ssl_buf_freelist_free(a->wbuf_freelist);
1970 if (a->rbuf_freelist)
1971 ssl_buf_freelist_free(a->rbuf_freelist);
1972#endif
1973
1974 OPENSSL_free(a);
1975 }
1976
1977void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
1978 {
1979 ctx->default_passwd_callback=cb;
1980 }
1981
1982void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
1983 {
1984 ctx->default_passwd_callback_userdata=u;
1985 }
1986
1987void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg)
1988 {
1989 ctx->app_verify_callback=cb;
1990 ctx->app_verify_arg=arg;
1991 }
1992
1993void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
1994 {
1995 ctx->verify_mode=mode;
1996 ctx->default_verify_callback=cb;
1997 }
1998
1999void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
2000 {
2001 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2002 }
2003
2004void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2005 {
2006 CERT_PKEY *cpk;
2007 int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
2008 int rsa_enc_export,dh_rsa_export,dh_dsa_export;
2009 int rsa_tmp_export,dh_tmp_export,kl;
2010 unsigned long mask_k,mask_a,emask_k,emask_a;
2011 int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
2012#ifndef OPENSSL_NO_ECDH
2013 int have_ecdh_tmp;
2014#endif
2015 X509 *x = NULL;
2016 EVP_PKEY *ecc_pkey = NULL;
2017 int signature_nid = 0, pk_nid = 0, md_nid = 0;
2018
2019 if (c == NULL) return;
2020
2021 kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
2022
2023#ifndef OPENSSL_NO_RSA
2024 rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
2025 rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
2026 (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
2027#else
2028 rsa_tmp=rsa_tmp_export=0;
2029#endif
2030#ifndef OPENSSL_NO_DH
2031 dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
2032 dh_tmp_export=(c->dh_tmp_cb != NULL ||
2033 (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
2034#else
2035 dh_tmp=dh_tmp_export=0;
2036#endif
2037
2038#ifndef OPENSSL_NO_ECDH
2039 have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
2040#endif
2041 cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
2042 rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
2043 rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
2044 cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
2045 rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
2046 cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
2047 dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
2048 cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
2049 dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
2050 dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
2051 cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
2052/* FIX THIS EAY EAY EAY */
2053 dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
2054 dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
2055 cpk= &(c->pkeys[SSL_PKEY_ECC]);
2056 have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
2057 mask_k=0;
2058 mask_a=0;
2059 emask_k=0;
2060 emask_a=0;
2061
2062
2063
2064#ifdef CIPHER_DEBUG
2065 printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
2066 rsa_tmp,rsa_tmp_export,dh_tmp,have_ecdh_tmp,
2067 rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
2068#endif
2069
2070 cpk = &(c->pkeys[SSL_PKEY_GOST01]);
2071 if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
2072 mask_k |= SSL_kGOST;
2073 mask_a |= SSL_aGOST01;
2074 }
2075 cpk = &(c->pkeys[SSL_PKEY_GOST94]);
2076 if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
2077 mask_k |= SSL_kGOST;
2078 mask_a |= SSL_aGOST94;
2079 }
2080
2081 if (rsa_enc || (rsa_tmp && rsa_sign))
2082 mask_k|=SSL_kRSA;
2083 if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
2084 emask_k|=SSL_kRSA;
2085
2086#if 0
2087 /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
2088 if ( (dh_tmp || dh_rsa || dh_dsa) &&
2089 (rsa_enc || rsa_sign || dsa_sign))
2090 mask_k|=SSL_kEDH;
2091 if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
2092 (rsa_enc || rsa_sign || dsa_sign))
2093 emask_k|=SSL_kEDH;
2094#endif
2095
2096 if (dh_tmp_export)
2097 emask_k|=SSL_kEDH;
2098
2099 if (dh_tmp)
2100 mask_k|=SSL_kEDH;
2101
2102 if (dh_rsa) mask_k|=SSL_kDHr;
2103 if (dh_rsa_export) emask_k|=SSL_kDHr;
2104
2105 if (dh_dsa) mask_k|=SSL_kDHd;
2106 if (dh_dsa_export) emask_k|=SSL_kDHd;
2107
2108 if (rsa_enc || rsa_sign)
2109 {
2110 mask_a|=SSL_aRSA;
2111 emask_a|=SSL_aRSA;
2112 }
2113
2114 if (dsa_sign)
2115 {
2116 mask_a|=SSL_aDSS;
2117 emask_a|=SSL_aDSS;
2118 }
2119
2120 mask_a|=SSL_aNULL;
2121 emask_a|=SSL_aNULL;
2122
2123#ifndef OPENSSL_NO_KRB5
2124 mask_k|=SSL_kKRB5;
2125 mask_a|=SSL_aKRB5;
2126 emask_k|=SSL_kKRB5;
2127 emask_a|=SSL_aKRB5;
2128#endif
2129
2130 /* An ECC certificate may be usable for ECDH and/or
2131 * ECDSA cipher suites depending on the key usage extension.
2132 */
2133 if (have_ecc_cert)
2134 {
2135 /* This call populates extension flags (ex_flags) */
2136 x = (c->pkeys[SSL_PKEY_ECC]).x509;
2137 X509_check_purpose(x, -1, 0);
2138 ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
2139 (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
2140 ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
2141 (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
2142 ecc_pkey = X509_get_pubkey(x);
2143 ecc_pkey_size = (ecc_pkey != NULL) ?
2144 EVP_PKEY_bits(ecc_pkey) : 0;
2145 EVP_PKEY_free(ecc_pkey);
2146 if ((x->sig_alg) && (x->sig_alg->algorithm))
2147 {
2148 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
2149 OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
2150 }
2151#ifndef OPENSSL_NO_ECDH
2152 if (ecdh_ok)
2153 {
2154
2155 if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa)
2156 {
2157 mask_k|=SSL_kECDHr;
2158 mask_a|=SSL_aECDH;
2159 if (ecc_pkey_size <= 163)
2160 {
2161 emask_k|=SSL_kECDHr;
2162 emask_a|=SSL_aECDH;
2163 }
2164 }
2165
2166 if (pk_nid == NID_X9_62_id_ecPublicKey)
2167 {
2168 mask_k|=SSL_kECDHe;
2169 mask_a|=SSL_aECDH;
2170 if (ecc_pkey_size <= 163)
2171 {
2172 emask_k|=SSL_kECDHe;
2173 emask_a|=SSL_aECDH;
2174 }
2175 }
2176 }
2177#endif
2178#ifndef OPENSSL_NO_ECDSA
2179 if (ecdsa_ok)
2180 {
2181 mask_a|=SSL_aECDSA;
2182 emask_a|=SSL_aECDSA;
2183 }
2184#endif
2185 }
2186
2187#ifndef OPENSSL_NO_ECDH
2188 if (have_ecdh_tmp)
2189 {
2190 mask_k|=SSL_kEECDH;
2191 emask_k|=SSL_kEECDH;
2192 }
2193#endif
2194
2195#ifndef OPENSSL_NO_PSK
2196 mask_k |= SSL_kPSK;
2197 mask_a |= SSL_aPSK;
2198 emask_k |= SSL_kPSK;
2199 emask_a |= SSL_aPSK;
2200#endif
2201
2202 c->mask_k=mask_k;
2203 c->mask_a=mask_a;
2204 c->export_mask_k=emask_k;
2205 c->export_mask_a=emask_a;
2206 c->valid=1;
2207 }
2208
2209/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
2210#define ku_reject(x, usage) \
2211 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
2212
2213#ifndef OPENSSL_NO_EC
2214
2215int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2216 {
2217 unsigned long alg_k, alg_a;
2218 EVP_PKEY *pkey = NULL;
2219 int keysize = 0;
2220 int signature_nid = 0, md_nid = 0, pk_nid = 0;
2221 const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
2222
2223 alg_k = cs->algorithm_mkey;
2224 alg_a = cs->algorithm_auth;
2225
2226 if (SSL_C_IS_EXPORT(cs))
2227 {
2228 /* ECDH key length in export ciphers must be <= 163 bits */
2229 pkey = X509_get_pubkey(x);
2230 if (pkey == NULL) return 0;
2231 keysize = EVP_PKEY_bits(pkey);
2232 EVP_PKEY_free(pkey);
2233 if (keysize > 163) return 0;
2234 }
2235
2236 /* This call populates the ex_flags field correctly */
2237 X509_check_purpose(x, -1, 0);
2238 if ((x->sig_alg) && (x->sig_alg->algorithm))
2239 {
2240 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
2241 OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
2242 }
2243 if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
2244 {
2245 /* key usage, if present, must allow key agreement */
2246 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
2247 {
2248 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
2249 return 0;
2250 }
2251 if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
2252 {
2253 /* signature alg must be ECDSA */
2254 if (pk_nid != NID_X9_62_id_ecPublicKey)
2255 {
2256 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
2257 return 0;
2258 }
2259 }
2260 if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
2261 {
2262 /* signature alg must be RSA */
2263
2264 if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)
2265 {
2266 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
2267 return 0;
2268 }
2269 }
2270 }
2271 if (alg_a & SSL_aECDSA)
2272 {
2273 /* key usage, if present, must allow signing */
2274 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
2275 {
2276 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
2277 return 0;
2278 }
2279 }
2280
2281 return 1; /* all checks are ok */
2282 }
2283
2284#endif
2285
2286/* THIS NEEDS CLEANING UP */
2287X509 *ssl_get_server_send_cert(SSL *s)
2288 {
2289 unsigned long alg_k,alg_a;
2290 CERT *c;
2291 int i;
2292
2293 c=s->cert;
2294 ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
2295
2296 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2297 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2298
2299 if (alg_k & (SSL_kECDHr|SSL_kECDHe))
2300 {
2301 /* we don't need to look at SSL_kEECDH
2302 * since no certificate is needed for
2303 * anon ECDH and for authenticated
2304 * EECDH, the check for the auth
2305 * algorithm will set i correctly
2306 * NOTE: For ECDH-RSA, we need an ECC
2307 * not an RSA cert but for EECDH-RSA
2308 * we need an RSA cert. Placing the
2309 * checks for SSL_kECDH before RSA
2310 * checks ensures the correct cert is chosen.
2311 */
2312 i=SSL_PKEY_ECC;
2313 }
2314 else if (alg_a & SSL_aECDSA)
2315 {
2316 i=SSL_PKEY_ECC;
2317 }
2318 else if (alg_k & SSL_kDHr)
2319 i=SSL_PKEY_DH_RSA;
2320 else if (alg_k & SSL_kDHd)
2321 i=SSL_PKEY_DH_DSA;
2322 else if (alg_a & SSL_aDSS)
2323 i=SSL_PKEY_DSA_SIGN;
2324 else if (alg_a & SSL_aRSA)
2325 {
2326 if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
2327 i=SSL_PKEY_RSA_SIGN;
2328 else
2329 i=SSL_PKEY_RSA_ENC;
2330 }
2331 else if (alg_a & SSL_aKRB5)
2332 {
2333 /* VRS something else here? */
2334 return(NULL);
2335 }
2336 else if (alg_a & SSL_aGOST94)
2337 i=SSL_PKEY_GOST94;
2338 else if (alg_a & SSL_aGOST01)
2339 i=SSL_PKEY_GOST01;
2340 else /* if (alg_a & SSL_aNULL) */
2341 {
2342 SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
2343 return(NULL);
2344 }
2345 if (c->pkeys[i].x509 == NULL) return(NULL);
2346
2347 return(c->pkeys[i].x509);
2348 }
2349
2350EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
2351 {
2352 unsigned long alg_a;
2353 CERT *c;
2354 int idx = -1;
2355
2356 alg_a = cipher->algorithm_auth;
2357 c=s->cert;
2358
2359 if ((alg_a & SSL_aDSS) &&
2360 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
2361 idx = SSL_PKEY_DSA_SIGN;
2362 else if (alg_a & SSL_aRSA)
2363 {
2364 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
2365 idx = SSL_PKEY_RSA_SIGN;
2366 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
2367 idx = SSL_PKEY_RSA_ENC;
2368 }
2369 else if ((alg_a & SSL_aECDSA) &&
2370 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
2371 idx = SSL_PKEY_ECC;
2372 if (idx == -1)
2373 {
2374 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
2375 return(NULL);
2376 }
2377 if (pmd)
2378 *pmd = c->pkeys[idx].digest;
2379 return c->pkeys[idx].privatekey;
2380 }
2381
2382void ssl_update_cache(SSL *s,int mode)
2383 {
2384 int i;
2385
2386 /* If the session_id_length is 0, we are not supposed to cache it,
2387 * and it would be rather hard to do anyway :-) */
2388 if (s->session->session_id_length == 0) return;
2389
2390 i=s->session_ctx->session_cache_mode;
2391 if ((i & mode) && (!s->hit)
2392 && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
2393 || SSL_CTX_add_session(s->session_ctx,s->session))
2394 && (s->session_ctx->new_session_cb != NULL))
2395 {
2396 CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
2397 if (!s->session_ctx->new_session_cb(s,s->session))
2398 SSL_SESSION_free(s->session);
2399 }
2400
2401 /* auto flush every 255 connections */
2402 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
2403 ((i & mode) == mode))
2404 {
2405 if ( (((mode & SSL_SESS_CACHE_CLIENT)
2406 ?s->session_ctx->stats.sess_connect_good
2407 :s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff)
2408 {
2409 SSL_CTX_flush_sessions(s->session_ctx,(unsigned long)time(NULL));
2410 }
2411 }
2412 }
2413
2414const SSL_METHOD *SSL_get_ssl_method(SSL *s)
2415 {
2416 return(s->method);
2417 }
2418
2419int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
2420 {
2421 int conn= -1;
2422 int ret=1;
2423
2424 if (s->method != meth)
2425 {
2426 if (s->handshake_func != NULL)
2427 conn=(s->handshake_func == s->method->ssl_connect);
2428
2429 if (s->method->version == meth->version)
2430 s->method=meth;
2431 else
2432 {
2433 s->method->ssl_free(s);
2434 s->method=meth;
2435 ret=s->method->ssl_new(s);
2436 }
2437
2438 if (conn == 1)
2439 s->handshake_func=meth->ssl_connect;
2440 else if (conn == 0)
2441 s->handshake_func=meth->ssl_accept;
2442 }
2443 return(ret);
2444 }
2445
2446int SSL_get_error(const SSL *s,int i)
2447 {
2448 int reason;
2449 unsigned long l;
2450 BIO *bio;
2451
2452 if (i > 0) return(SSL_ERROR_NONE);
2453
2454 /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
2455 * etc, where we do encode the error */
2456 if ((l=ERR_peek_error()) != 0)
2457 {
2458 if (ERR_GET_LIB(l) == ERR_LIB_SYS)
2459 return(SSL_ERROR_SYSCALL);
2460 else
2461 return(SSL_ERROR_SSL);
2462 }
2463
2464 if ((i < 0) && SSL_want_read(s))
2465 {
2466 bio=SSL_get_rbio(s);
2467 if (BIO_should_read(bio))
2468 return(SSL_ERROR_WANT_READ);
2469 else if (BIO_should_write(bio))
2470 /* This one doesn't make too much sense ... We never try
2471 * to write to the rbio, and an application program where
2472 * rbio and wbio are separate couldn't even know what it
2473 * should wait for.
2474 * However if we ever set s->rwstate incorrectly
2475 * (so that we have SSL_want_read(s) instead of
2476 * SSL_want_write(s)) and rbio and wbio *are* the same,
2477 * this test works around that bug; so it might be safer
2478 * to keep it. */
2479 return(SSL_ERROR_WANT_WRITE);
2480 else if (BIO_should_io_special(bio))
2481 {
2482 reason=BIO_get_retry_reason(bio);
2483 if (reason == BIO_RR_CONNECT)
2484 return(SSL_ERROR_WANT_CONNECT);
2485 else if (reason == BIO_RR_ACCEPT)
2486 return(SSL_ERROR_WANT_ACCEPT);
2487 else
2488 return(SSL_ERROR_SYSCALL); /* unknown */
2489 }
2490 }
2491
2492 if ((i < 0) && SSL_want_write(s))
2493 {
2494 bio=SSL_get_wbio(s);
2495 if (BIO_should_write(bio))
2496 return(SSL_ERROR_WANT_WRITE);
2497 else if (BIO_should_read(bio))
2498 /* See above (SSL_want_read(s) with BIO_should_write(bio)) */
2499 return(SSL_ERROR_WANT_READ);
2500 else if (BIO_should_io_special(bio))
2501 {
2502 reason=BIO_get_retry_reason(bio);
2503 if (reason == BIO_RR_CONNECT)
2504 return(SSL_ERROR_WANT_CONNECT);
2505 else if (reason == BIO_RR_ACCEPT)
2506 return(SSL_ERROR_WANT_ACCEPT);
2507 else
2508 return(SSL_ERROR_SYSCALL);
2509 }
2510 }
2511 if ((i < 0) && SSL_want_x509_lookup(s))
2512 {
2513 return(SSL_ERROR_WANT_X509_LOOKUP);
2514 }
2515
2516 if (i == 0)
2517 {
2518 if (s->version == SSL2_VERSION)
2519 {
2520 /* assume it is the socket being closed */
2521 return(SSL_ERROR_ZERO_RETURN);
2522 }
2523 else
2524 {
2525 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
2526 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
2527 return(SSL_ERROR_ZERO_RETURN);
2528 }
2529 }
2530 return(SSL_ERROR_SYSCALL);
2531 }
2532
2533int SSL_do_handshake(SSL *s)
2534 {
2535 int ret=1;
2536
2537 if (s->handshake_func == NULL)
2538 {
2539 SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
2540 return(-1);
2541 }
2542
2543 s->method->ssl_renegotiate_check(s);
2544
2545 if (SSL_in_init(s) || SSL_in_before(s))
2546 {
2547 ret=s->handshake_func(s);
2548 }
2549 return(ret);
2550 }
2551
2552/* For the next 2 functions, SSL_clear() sets shutdown and so
2553 * one of these calls will reset it */
2554void SSL_set_accept_state(SSL *s)
2555 {
2556 s->server=1;
2557 s->shutdown=0;
2558 s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
2559 s->handshake_func=s->method->ssl_accept;
2560 /* clear the current cipher */
2561 ssl_clear_cipher_ctx(s);
2562 ssl_clear_hash_ctx(&s->read_hash);
2563 ssl_clear_hash_ctx(&s->write_hash);
2564 }
2565
2566void SSL_set_connect_state(SSL *s)
2567 {
2568 s->server=0;
2569 s->shutdown=0;
2570 s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
2571 s->handshake_func=s->method->ssl_connect;
2572 /* clear the current cipher */
2573 ssl_clear_cipher_ctx(s);
2574 ssl_clear_hash_ctx(&s->read_hash);
2575 ssl_clear_hash_ctx(&s->write_hash);
2576 }
2577
2578int ssl_undefined_function(SSL *s)
2579 {
2580 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2581 return(0);
2582 }
2583
2584int ssl_undefined_void_function(void)
2585 {
2586 SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2587 return(0);
2588 }
2589
2590int ssl_undefined_const_function(const SSL *s)
2591 {
2592 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2593 return(0);
2594 }
2595
2596SSL_METHOD *ssl_bad_method(int ver)
2597 {
2598 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2599 return(NULL);
2600 }
2601
2602const char *SSL_get_version(const SSL *s)
2603 {
2604 if (s->version == TLS1_2_VERSION)
2605 return("TLSv1.2");
2606 else if (s->version == TLS1_1_VERSION)
2607 return("TLSv1.1");
2608 if (s->version == TLS1_VERSION)
2609 return("TLSv1");
2610 else if (s->version == SSL3_VERSION)
2611 return("SSLv3");
2612 else if (s->version == SSL2_VERSION)
2613 return("SSLv2");
2614 else
2615 return("unknown");
2616 }
2617
2618SSL *SSL_dup(SSL *s)
2619 {
2620 STACK_OF(X509_NAME) *sk;
2621 X509_NAME *xn;
2622 SSL *ret;
2623 int i;
2624
2625 if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
2626 return(NULL);
2627
2628 ret->version = s->version;
2629 ret->type = s->type;
2630 ret->method = s->method;
2631
2632 if (s->session != NULL)
2633 {
2634 /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
2635 SSL_copy_session_id(ret,s);
2636 }
2637 else
2638 {
2639 /* No session has been established yet, so we have to expect
2640 * that s->cert or ret->cert will be changed later --
2641 * they should not both point to the same object,
2642 * and thus we can't use SSL_copy_session_id. */
2643
2644 ret->method->ssl_free(ret);
2645 ret->method = s->method;
2646 ret->method->ssl_new(ret);
2647
2648 if (s->cert != NULL)
2649 {
2650 if (ret->cert != NULL)
2651 {
2652 ssl_cert_free(ret->cert);
2653 }
2654 ret->cert = ssl_cert_dup(s->cert);
2655 if (ret->cert == NULL)
2656 goto err;
2657 }
2658
2659 SSL_set_session_id_context(ret,
2660 s->sid_ctx, s->sid_ctx_length);
2661 }
2662
2663 ret->options=s->options;
2664 ret->mode=s->mode;
2665 SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s));
2666 SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
2667 ret->msg_callback = s->msg_callback;
2668 ret->msg_callback_arg = s->msg_callback_arg;
2669 SSL_set_verify(ret,SSL_get_verify_mode(s),
2670 SSL_get_verify_callback(s));
2671 SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
2672 ret->generate_session_id = s->generate_session_id;
2673
2674 SSL_set_info_callback(ret,SSL_get_info_callback(s));
2675
2676 ret->debug=s->debug;
2677
2678 /* copy app data, a little dangerous perhaps */
2679 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
2680 goto err;
2681
2682 /* setup rbio, and wbio */
2683 if (s->rbio != NULL)
2684 {
2685 if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
2686 goto err;
2687 }
2688 if (s->wbio != NULL)
2689 {
2690 if (s->wbio != s->rbio)
2691 {
2692 if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
2693 goto err;
2694 }
2695 else
2696 ret->wbio=ret->rbio;
2697 }
2698 ret->rwstate = s->rwstate;
2699 ret->in_handshake = s->in_handshake;
2700 ret->handshake_func = s->handshake_func;
2701 ret->server = s->server;
2702 ret->renegotiate = s->renegotiate;
2703 ret->new_session = s->new_session;
2704 ret->quiet_shutdown = s->quiet_shutdown;
2705 ret->shutdown=s->shutdown;
2706 ret->state=s->state; /* SSL_dup does not really work at any state, though */
2707 ret->rstate=s->rstate;
2708 ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
2709 ret->hit=s->hit;
2710
2711 X509_VERIFY_PARAM_inherit(ret->param, s->param);
2712
2713 /* dup the cipher_list and cipher_list_by_id stacks */
2714 if (s->cipher_list != NULL)
2715 {
2716 if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
2717 goto err;
2718 }
2719 if (s->cipher_list_by_id != NULL)
2720 if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id))
2721 == NULL)
2722 goto err;
2723
2724 /* Dup the client_CA list */
2725 if (s->client_CA != NULL)
2726 {
2727 if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
2728 ret->client_CA=sk;
2729 for (i=0; i<sk_X509_NAME_num(sk); i++)
2730 {
2731 xn=sk_X509_NAME_value(sk,i);
2732 if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL)
2733 {
2734 X509_NAME_free(xn);
2735 goto err;
2736 }
2737 }
2738 }
2739
2740 if (0)
2741 {
2742err:
2743 if (ret != NULL) SSL_free(ret);
2744 ret=NULL;
2745 }
2746 return(ret);
2747 }
2748
2749void ssl_clear_cipher_ctx(SSL *s)
2750 {
2751 if (s->enc_read_ctx != NULL)
2752 {
2753 EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
2754 OPENSSL_free(s->enc_read_ctx);
2755 s->enc_read_ctx=NULL;
2756 }
2757 if (s->enc_write_ctx != NULL)
2758 {
2759 EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
2760 OPENSSL_free(s->enc_write_ctx);
2761 s->enc_write_ctx=NULL;
2762 }
2763#ifndef OPENSSL_NO_COMP
2764 if (s->expand != NULL)
2765 {
2766 COMP_CTX_free(s->expand);
2767 s->expand=NULL;
2768 }
2769 if (s->compress != NULL)
2770 {
2771 COMP_CTX_free(s->compress);
2772 s->compress=NULL;
2773 }
2774#endif
2775 }
2776
2777/* Fix this function so that it takes an optional type parameter */
2778X509 *SSL_get_certificate(const SSL *s)
2779 {
2780 if (s->cert != NULL)
2781 return(s->cert->key->x509);
2782 else
2783 return(NULL);
2784 }
2785
2786/* Fix this function so that it takes an optional type parameter */
2787EVP_PKEY *SSL_get_privatekey(SSL *s)
2788 {
2789 if (s->cert != NULL)
2790 return(s->cert->key->privatekey);
2791 else
2792 return(NULL);
2793 }
2794
2795const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
2796 {
2797 if ((s->session != NULL) && (s->session->cipher != NULL))
2798 return(s->session->cipher);
2799 return(NULL);
2800 }
2801#ifdef OPENSSL_NO_COMP
2802const void *SSL_get_current_compression(SSL *s)
2803 {
2804 return NULL;
2805 }
2806const void *SSL_get_current_expansion(SSL *s)
2807 {
2808 return NULL;
2809 }
2810#else
2811
2812const COMP_METHOD *SSL_get_current_compression(SSL *s)
2813 {
2814 if (s->compress != NULL)
2815 return(s->compress->meth);
2816 return(NULL);
2817 }
2818
2819const COMP_METHOD *SSL_get_current_expansion(SSL *s)
2820 {
2821 if (s->expand != NULL)
2822 return(s->expand->meth);
2823 return(NULL);
2824 }
2825#endif
2826
2827int ssl_init_wbio_buffer(SSL *s,int push)
2828 {
2829 BIO *bbio;
2830
2831 if (s->bbio == NULL)
2832 {
2833 bbio=BIO_new(BIO_f_buffer());
2834 if (bbio == NULL) return(0);
2835 s->bbio=bbio;
2836 }
2837 else
2838 {
2839 bbio=s->bbio;
2840 if (s->bbio == s->wbio)
2841 s->wbio=BIO_pop(s->wbio);
2842 }
2843 (void)BIO_reset(bbio);
2844/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
2845 if (!BIO_set_read_buffer_size(bbio,1))
2846 {
2847 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB);
2848 return(0);
2849 }
2850 if (push)
2851 {
2852 if (s->wbio != bbio)
2853 s->wbio=BIO_push(bbio,s->wbio);
2854 }
2855 else
2856 {
2857 if (s->wbio == bbio)
2858 s->wbio=BIO_pop(bbio);
2859 }
2860 return(1);
2861 }
2862
2863void ssl_free_wbio_buffer(SSL *s)
2864 {
2865 if (s->bbio == NULL) return;
2866
2867 if (s->bbio == s->wbio)
2868 {
2869 /* remove buffering */
2870 s->wbio=BIO_pop(s->wbio);
2871#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */
2872 assert(s->wbio != NULL);
2873#endif
2874 }
2875 BIO_free(s->bbio);
2876 s->bbio=NULL;
2877 }
2878
2879void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
2880 {
2881 ctx->quiet_shutdown=mode;
2882 }
2883
2884int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
2885 {
2886 return(ctx->quiet_shutdown);
2887 }
2888
2889void SSL_set_quiet_shutdown(SSL *s,int mode)
2890 {
2891 s->quiet_shutdown=mode;
2892 }
2893
2894int SSL_get_quiet_shutdown(const SSL *s)
2895 {
2896 return(s->quiet_shutdown);
2897 }
2898
2899void SSL_set_shutdown(SSL *s,int mode)
2900 {
2901 s->shutdown=mode;
2902 }
2903
2904int SSL_get_shutdown(const SSL *s)
2905 {
2906 return(s->shutdown);
2907 }
2908
2909int SSL_version(const SSL *s)
2910 {
2911 return(s->version);
2912 }
2913
2914SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
2915 {
2916 return(ssl->ctx);
2917 }
2918
2919SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
2920 {
2921 if (ssl->ctx == ctx)
2922 return ssl->ctx;
2923#ifndef OPENSSL_NO_TLSEXT
2924 if (ctx == NULL)
2925 ctx = ssl->initial_ctx;
2926#endif
2927 if (ssl->cert != NULL)
2928 ssl_cert_free(ssl->cert);
2929 ssl->cert = ssl_cert_dup(ctx->cert);
2930 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
2931 if (ssl->ctx != NULL)
2932 SSL_CTX_free(ssl->ctx); /* decrement reference count */
2933 ssl->ctx = ctx;
2934 return(ssl->ctx);
2935 }
2936
2937#ifndef OPENSSL_NO_STDIO
2938int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
2939 {
2940 return(X509_STORE_set_default_paths(ctx->cert_store));
2941 }
2942
2943int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
2944 const char *CApath)
2945 {
2946 return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
2947 }
2948#endif
2949
2950void SSL_set_info_callback(SSL *ssl,
2951 void (*cb)(const SSL *ssl,int type,int val))
2952 {
2953 ssl->info_callback=cb;
2954 }
2955
2956/* One compiler (Diab DCC) doesn't like argument names in returned
2957 function pointer. */
2958void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
2959 {
2960 return ssl->info_callback;
2961 }
2962
2963int SSL_state(const SSL *ssl)
2964 {
2965 return(ssl->state);
2966 }
2967
2968void SSL_set_state(SSL *ssl, int state)
2969 {
2970 ssl->state = state;
2971 }
2972
2973void SSL_set_verify_result(SSL *ssl,long arg)
2974 {
2975 ssl->verify_result=arg;
2976 }
2977
2978long SSL_get_verify_result(const SSL *ssl)
2979 {
2980 return(ssl->verify_result);
2981 }
2982
2983int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
2984 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
2985 {
2986 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
2987 new_func, dup_func, free_func);
2988 }
2989
2990int SSL_set_ex_data(SSL *s,int idx,void *arg)
2991 {
2992 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
2993 }
2994
2995void *SSL_get_ex_data(const SSL *s,int idx)
2996 {
2997 return(CRYPTO_get_ex_data(&s->ex_data,idx));
2998 }
2999
3000int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
3001 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
3002 {
3003 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
3004 new_func, dup_func, free_func);
3005 }
3006
3007int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
3008 {
3009 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
3010 }
3011
3012void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
3013 {
3014 return(CRYPTO_get_ex_data(&s->ex_data,idx));
3015 }
3016
3017int ssl_ok(SSL *s)
3018 {
3019 return(1);
3020 }
3021
3022X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
3023 {
3024 return(ctx->cert_store);
3025 }
3026
3027void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
3028 {
3029 if (ctx->cert_store != NULL)
3030 X509_STORE_free(ctx->cert_store);
3031 ctx->cert_store=store;
3032 }
3033
3034int SSL_want(const SSL *s)
3035 {
3036 return(s->rwstate);
3037 }
3038
3039/*!
3040 * \brief Set the callback for generating temporary RSA keys.
3041 * \param ctx the SSL context.
3042 * \param cb the callback
3043 */
3044
3045#ifndef OPENSSL_NO_RSA
3046void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
3047 int is_export,
3048 int keylength))
3049 {
3050 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
3051 }
3052
3053void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
3054 int is_export,
3055 int keylength))
3056 {
3057 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
3058 }
3059#endif
3060
3061#ifdef DOXYGEN
3062/*!
3063 * \brief The RSA temporary key callback function.
3064 * \param ssl the SSL session.
3065 * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
3066 * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
3067 * of the required key in bits.
3068 * \return the temporary RSA key.
3069 * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
3070 */
3071
3072RSA *cb(SSL *ssl,int is_export,int keylength)
3073 {}
3074#endif
3075
3076/*!
3077 * \brief Set the callback for generating temporary DH keys.
3078 * \param ctx the SSL context.
3079 * \param dh the callback
3080 */
3081
3082#ifndef OPENSSL_NO_DH
3083void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
3084 int keylength))
3085 {
3086 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
3087 }
3088
3089void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
3090 int keylength))
3091 {
3092 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
3093 }
3094#endif
3095
3096#ifndef OPENSSL_NO_ECDH
3097void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
3098 int keylength))
3099 {
3100 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
3101 }
3102
3103void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
3104 int keylength))
3105 {
3106 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
3107 }
3108#endif
3109
3110#ifndef OPENSSL_NO_PSK
3111int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
3112 {
3113 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN)
3114 {
3115 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
3116 return 0;
3117 }
3118 if (ctx->psk_identity_hint != NULL)
3119 OPENSSL_free(ctx->psk_identity_hint);
3120 if (identity_hint != NULL)
3121 {
3122 ctx->psk_identity_hint = BUF_strdup(identity_hint);
3123 if (ctx->psk_identity_hint == NULL)
3124 return 0;
3125 }
3126 else
3127 ctx->psk_identity_hint = NULL;
3128 return 1;
3129 }
3130
3131int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
3132 {
3133 if (s == NULL)
3134 return 0;
3135
3136 if (s->session == NULL)
3137 return 1; /* session not created yet, ignored */
3138
3139 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN)
3140 {
3141 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
3142 return 0;
3143 }
3144 if (s->session->psk_identity_hint != NULL)
3145 OPENSSL_free(s->session->psk_identity_hint);
3146 if (identity_hint != NULL)
3147 {
3148 s->session->psk_identity_hint = BUF_strdup(identity_hint);
3149 if (s->session->psk_identity_hint == NULL)
3150 return 0;
3151 }
3152 else
3153 s->session->psk_identity_hint = NULL;
3154 return 1;
3155 }
3156
3157const char *SSL_get_psk_identity_hint(const SSL *s)
3158 {
3159 if (s == NULL || s->session == NULL)
3160 return NULL;
3161 return(s->session->psk_identity_hint);
3162 }
3163
3164const char *SSL_get_psk_identity(const SSL *s)
3165 {
3166 if (s == NULL || s->session == NULL)
3167 return NULL;
3168 return(s->session->psk_identity);
3169 }
3170
3171void SSL_set_psk_client_callback(SSL *s,
3172 unsigned int (*cb)(SSL *ssl, const char *hint,
3173 char *identity, unsigned int max_identity_len, unsigned char *psk,
3174 unsigned int max_psk_len))
3175 {
3176 s->psk_client_callback = cb;
3177 }
3178
3179void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
3180 unsigned int (*cb)(SSL *ssl, const char *hint,
3181 char *identity, unsigned int max_identity_len, unsigned char *psk,
3182 unsigned int max_psk_len))
3183 {
3184 ctx->psk_client_callback = cb;
3185 }
3186
3187void SSL_set_psk_server_callback(SSL *s,
3188 unsigned int (*cb)(SSL *ssl, const char *identity,
3189 unsigned char *psk, unsigned int max_psk_len))
3190 {
3191 s->psk_server_callback = cb;
3192 }
3193
3194void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
3195 unsigned int (*cb)(SSL *ssl, const char *identity,
3196 unsigned char *psk, unsigned int max_psk_len))
3197 {
3198 ctx->psk_server_callback = cb;
3199 }
3200#endif
3201
3202void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3203 {
3204 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
3205 }
3206void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3207 {
3208 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
3209 }
3210
3211/* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
3212 * vairable, freeing EVP_MD_CTX previously stored in that variable, if
3213 * any. If EVP_MD pointer is passed, initializes ctx with this md
3214 * Returns newly allocated ctx;
3215 */
3216
3217EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md)
3218{
3219 ssl_clear_hash_ctx(hash);
3220 *hash = EVP_MD_CTX_create();
3221 if (md) EVP_DigestInit_ex(*hash,md,NULL);
3222 return *hash;
3223}
3224void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
3225{
3226
3227 if (*hash) EVP_MD_CTX_destroy(*hash);
3228 *hash=NULL;
3229}
3230
3231void SSL_set_debug(SSL *s, int debug)
3232 {
3233 s->debug = debug;
3234 }
3235
3236int SSL_cache_hit(SSL *s)
3237 {
3238 return s->hit;
3239 }
3240
3241#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
3242#include "../crypto/bio/bss_file.c"
3243#endif
3244
3245IMPLEMENT_STACK_OF(SSL_CIPHER)
3246IMPLEMENT_STACK_OF(SSL_COMP)
3247IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
3248 ssl_cipher_id);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
deleted file mode 100644
index 7fc110df64..0000000000
--- a/src/lib/libssl/ssl_locl.h
+++ /dev/null
@@ -1,1172 +0,0 @@
1/* ssl/ssl_locl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#ifndef HEADER_SSL_LOCL_H
144#define HEADER_SSL_LOCL_H
145#include <stdlib.h>
146#include <time.h>
147#include <string.h>
148#include <errno.h>
149
150#include "e_os.h"
151
152#include <openssl/buffer.h>
153#ifndef OPENSSL_NO_COMP
154#include <openssl/comp.h>
155#endif
156#include <openssl/bio.h>
157#include <openssl/stack.h>
158#ifndef OPENSSL_NO_RSA
159#include <openssl/rsa.h>
160#endif
161#ifndef OPENSSL_NO_DSA
162#include <openssl/dsa.h>
163#endif
164#include <openssl/err.h>
165#include <openssl/ssl.h>
166#include <openssl/symhacks.h>
167
168#ifdef OPENSSL_BUILD_SHLIBSSL
169# undef OPENSSL_EXTERN
170# define OPENSSL_EXTERN OPENSSL_EXPORT
171#endif
172
173#undef PKCS1_CHECK
174
175#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
176 l|=(((unsigned long)(*((c)++)))<< 8), \
177 l|=(((unsigned long)(*((c)++)))<<16), \
178 l|=(((unsigned long)(*((c)++)))<<24))
179
180/* NOTE - c is not incremented as per c2l */
181#define c2ln(c,l1,l2,n) { \
182 c+=n; \
183 l1=l2=0; \
184 switch (n) { \
185 case 8: l2 =((unsigned long)(*(--(c))))<<24; \
186 case 7: l2|=((unsigned long)(*(--(c))))<<16; \
187 case 6: l2|=((unsigned long)(*(--(c))))<< 8; \
188 case 5: l2|=((unsigned long)(*(--(c)))); \
189 case 4: l1 =((unsigned long)(*(--(c))))<<24; \
190 case 3: l1|=((unsigned long)(*(--(c))))<<16; \
191 case 2: l1|=((unsigned long)(*(--(c))))<< 8; \
192 case 1: l1|=((unsigned long)(*(--(c)))); \
193 } \
194 }
195
196#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
197 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
198 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
199 *((c)++)=(unsigned char)(((l)>>24)&0xff))
200
201#define n2l(c,l) (l =((unsigned long)(*((c)++)))<<24, \
202 l|=((unsigned long)(*((c)++)))<<16, \
203 l|=((unsigned long)(*((c)++)))<< 8, \
204 l|=((unsigned long)(*((c)++))))
205
206#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
207 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
208 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
209 *((c)++)=(unsigned char)(((l) )&0xff))
210
211#define l2n6(l,c) (*((c)++)=(unsigned char)(((l)>>40)&0xff), \
212 *((c)++)=(unsigned char)(((l)>>32)&0xff), \
213 *((c)++)=(unsigned char)(((l)>>24)&0xff), \
214 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
215 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
216 *((c)++)=(unsigned char)(((l) )&0xff))
217
218#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
219 *((c)++)=(unsigned char)(((l)>>48)&0xff), \
220 *((c)++)=(unsigned char)(((l)>>40)&0xff), \
221 *((c)++)=(unsigned char)(((l)>>32)&0xff), \
222 *((c)++)=(unsigned char)(((l)>>24)&0xff), \
223 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
224 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
225 *((c)++)=(unsigned char)(((l) )&0xff))
226
227#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \
228 l|=((BN_ULLONG)(*((c)++)))<<32, \
229 l|=((BN_ULLONG)(*((c)++)))<<24, \
230 l|=((BN_ULLONG)(*((c)++)))<<16, \
231 l|=((BN_ULLONG)(*((c)++)))<< 8, \
232 l|=((BN_ULLONG)(*((c)++))))
233
234/* NOTE - c is not incremented as per l2c */
235#define l2cn(l1,l2,c,n) { \
236 c+=n; \
237 switch (n) { \
238 case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
239 case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
240 case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
241 case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \
242 case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
243 case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
244 case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
245 case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \
246 } \
247 }
248
249#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
250 (((unsigned int)(c[1])) )),c+=2)
251#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
252 c[1]=(unsigned char)(((s) )&0xff)),c+=2)
253
254#define n2l3(c,l) ((l =(((unsigned long)(c[0]))<<16)| \
255 (((unsigned long)(c[1]))<< 8)| \
256 (((unsigned long)(c[2])) )),c+=3)
257
258#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \
259 c[1]=(unsigned char)(((l)>> 8)&0xff), \
260 c[2]=(unsigned char)(((l) )&0xff)),c+=3)
261
262/* LOCAL STUFF */
263
264#define SSL_DECRYPT 0
265#define SSL_ENCRYPT 1
266
267#define TWO_BYTE_BIT 0x80
268#define SEC_ESC_BIT 0x40
269#define TWO_BYTE_MASK 0x7fff
270#define THREE_BYTE_MASK 0x3fff
271
272#define INC32(a) ((a)=((a)+1)&0xffffffffL)
273#define DEC32(a) ((a)=((a)-1)&0xffffffffL)
274#define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
275
276/*
277 * Define the Bitmasks for SSL_CIPHER.algorithms.
278 * This bits are used packed as dense as possible. If new methods/ciphers
279 * etc will be added, the bits a likely to change, so this information
280 * is for internal library use only, even though SSL_CIPHER.algorithms
281 * can be publicly accessed.
282 * Use the according functions for cipher management instead.
283 *
284 * The bit mask handling in the selection and sorting scheme in
285 * ssl_create_cipher_list() has only limited capabilities, reflecting
286 * that the different entities within are mutually exclusive:
287 * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
288 */
289
290/* Bits for algorithm_mkey (key exchange algorithm) */
291#define SSL_kRSA 0x00000001L /* RSA key exchange */
292#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
293#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
294#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */
295#define SSL_kKRB5 0x00000010L /* Kerberos5 key exchange */
296#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
297#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
298#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
299#define SSL_kPSK 0x00000100L /* PSK */
300#define SSL_kGOST 0x00000200L /* GOST key exchange */
301#define SSL_kSRP 0x00000400L /* SRP */
302
303/* Bits for algorithm_auth (server authentication) */
304#define SSL_aRSA 0x00000001L /* RSA auth */
305#define SSL_aDSS 0x00000002L /* DSS auth */
306#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
307#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
308#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
309#define SSL_aKRB5 0x00000020L /* KRB5 auth */
310#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
311#define SSL_aPSK 0x00000080L /* PSK auth */
312#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
313#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
314
315
316/* Bits for algorithm_enc (symmetric encryption) */
317#define SSL_DES 0x00000001L
318#define SSL_3DES 0x00000002L
319#define SSL_RC4 0x00000004L
320#define SSL_RC2 0x00000008L
321#define SSL_IDEA 0x00000010L
322#define SSL_eNULL 0x00000020L
323#define SSL_AES128 0x00000040L
324#define SSL_AES256 0x00000080L
325#define SSL_CAMELLIA128 0x00000100L
326#define SSL_CAMELLIA256 0x00000200L
327#define SSL_eGOST2814789CNT 0x00000400L
328#define SSL_SEED 0x00000800L
329#define SSL_AES128GCM 0x00001000L
330#define SSL_AES256GCM 0x00002000L
331
332#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
333#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
334
335
336/* Bits for algorithm_mac (symmetric authentication) */
337
338#define SSL_MD5 0x00000001L
339#define SSL_SHA1 0x00000002L
340#define SSL_GOST94 0x00000004L
341#define SSL_GOST89MAC 0x00000008L
342#define SSL_SHA256 0x00000010L
343#define SSL_SHA384 0x00000020L
344/* Not a real MAC, just an indication it is part of cipher */
345#define SSL_AEAD 0x00000040L
346
347/* Bits for algorithm_ssl (protocol version) */
348#define SSL_SSLV2 0x00000001L
349#define SSL_SSLV3 0x00000002L
350#define SSL_TLSV1 SSL_SSLV3 /* for now */
351#define SSL_TLSV1_2 0x00000004L
352
353
354/* Bits for algorithm2 (handshake digests and other extra flags) */
355
356#define SSL_HANDSHAKE_MAC_MD5 0x10
357#define SSL_HANDSHAKE_MAC_SHA 0x20
358#define SSL_HANDSHAKE_MAC_GOST94 0x40
359#define SSL_HANDSHAKE_MAC_SHA256 0x80
360#define SSL_HANDSHAKE_MAC_SHA384 0x100
361#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
362
363/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX
364 * make sure to update this constant too */
365#define SSL_MAX_DIGEST 6
366
367#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
368
369#define TLS1_PRF_DGST_SHIFT 10
370#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
371#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
372#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
373#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
374#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT)
375#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
376
377/* Stream MAC for GOST ciphersuites from cryptopro draft
378 * (currently this also goes into algorithm2) */
379#define TLS1_STREAM_MAC 0x04
380
381
382
383/*
384 * Export and cipher strength information. For each cipher we have to decide
385 * whether it is exportable or not. This information is likely to change
386 * over time, since the export control rules are no static technical issue.
387 *
388 * Independent of the export flag the cipher strength is sorted into classes.
389 * SSL_EXP40 was denoting the 40bit US export limit of past times, which now
390 * is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
391 * again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
392 * since SSL_EXP64 could be similar to SSL_LOW.
393 * For this reason SSL_MICRO and SSL_MINI macros are included to widen the
394 * namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
395 * and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
396 * be possible.
397 */
398#define SSL_EXP_MASK 0x00000003L
399#define SSL_STRONG_MASK 0x000001fcL
400
401#define SSL_NOT_EXP 0x00000001L
402#define SSL_EXPORT 0x00000002L
403
404#define SSL_STRONG_NONE 0x00000004L
405#define SSL_EXP40 0x00000008L
406#define SSL_MICRO (SSL_EXP40)
407#define SSL_EXP56 0x00000010L
408#define SSL_MINI (SSL_EXP56)
409#define SSL_LOW 0x00000020L
410#define SSL_MEDIUM 0x00000040L
411#define SSL_HIGH 0x00000080L
412#define SSL_FIPS 0x00000100L
413
414/* we have used 000001ff - 23 bits left to go */
415
416/*
417 * Macros to check the export status and cipher strength for export ciphers.
418 * Even though the macros for EXPORT and EXPORT40/56 have similar names,
419 * their meaning is different:
420 * *_EXPORT macros check the 'exportable' status.
421 * *_EXPORT40/56 macros are used to check whether a certain cipher strength
422 * is given.
423 * Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
424 * algorithm structure element to be passed (algorithms, algo_strength) and no
425 * typechecking can be done as they are all of type unsigned long, their
426 * direct usage is discouraged.
427 * Use the SSL_C_* macros instead.
428 */
429#define SSL_IS_EXPORT(a) ((a)&SSL_EXPORT)
430#define SSL_IS_EXPORT56(a) ((a)&SSL_EXP56)
431#define SSL_IS_EXPORT40(a) ((a)&SSL_EXP40)
432#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algo_strength)
433#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algo_strength)
434#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algo_strength)
435
436#define SSL_EXPORT_KEYLENGTH(a,s) (SSL_IS_EXPORT40(s) ? 5 : \
437 (a) == SSL_DES ? 8 : 7)
438#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
439#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithm_enc, \
440 (c)->algo_strength)
441#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
442
443
444
445
446/* Mostly for SSLv3 */
447#define SSL_PKEY_RSA_ENC 0
448#define SSL_PKEY_RSA_SIGN 1
449#define SSL_PKEY_DSA_SIGN 2
450#define SSL_PKEY_DH_RSA 3
451#define SSL_PKEY_DH_DSA 4
452#define SSL_PKEY_ECC 5
453#define SSL_PKEY_GOST94 6
454#define SSL_PKEY_GOST01 7
455#define SSL_PKEY_NUM 8
456
457/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
458 * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
459 * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
460 * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN
461 * SSL_aRSA <- RSA_ENC | RSA_SIGN
462 * SSL_aDSS <- DSA_SIGN
463 */
464
465/*
466#define CERT_INVALID 0
467#define CERT_PUBLIC_KEY 1
468#define CERT_PRIVATE_KEY 2
469*/
470
471#ifndef OPENSSL_NO_EC
472/* From ECC-TLS draft, used in encoding the curve type in
473 * ECParameters
474 */
475#define EXPLICIT_PRIME_CURVE_TYPE 1
476#define EXPLICIT_CHAR2_CURVE_TYPE 2
477#define NAMED_CURVE_TYPE 3
478#endif /* OPENSSL_NO_EC */
479
480typedef struct cert_pkey_st
481 {
482 X509 *x509;
483 EVP_PKEY *privatekey;
484 /* Digest to use when signing */
485 const EVP_MD *digest;
486 } CERT_PKEY;
487
488typedef struct cert_st
489 {
490 /* Current active set */
491 CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
492 * Probably it would make more sense to store
493 * an index, not a pointer. */
494
495 /* The following masks are for the key and auth
496 * algorithms that are supported by the certs below */
497 int valid;
498 unsigned long mask_k;
499 unsigned long mask_a;
500 unsigned long export_mask_k;
501 unsigned long export_mask_a;
502#ifndef OPENSSL_NO_RSA
503 RSA *rsa_tmp;
504 RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
505#endif
506#ifndef OPENSSL_NO_DH
507 DH *dh_tmp;
508 DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize);
509#endif
510#ifndef OPENSSL_NO_ECDH
511 EC_KEY *ecdh_tmp;
512 /* Callback for generating ephemeral ECDH keys */
513 EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize);
514#endif
515
516 CERT_PKEY pkeys[SSL_PKEY_NUM];
517
518 int references; /* >1 only if SSL_copy_session_id is used */
519 } CERT;
520
521
522typedef struct sess_cert_st
523 {
524 STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */
525
526 /* The 'peer_...' members are used only by clients. */
527 int peer_cert_type;
528
529 CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
530 CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
531 /* Obviously we don't have the private keys of these,
532 * so maybe we shouldn't even use the CERT_PKEY type here. */
533
534#ifndef OPENSSL_NO_RSA
535 RSA *peer_rsa_tmp; /* not used for SSL 2 */
536#endif
537#ifndef OPENSSL_NO_DH
538 DH *peer_dh_tmp; /* not used for SSL 2 */
539#endif
540#ifndef OPENSSL_NO_ECDH
541 EC_KEY *peer_ecdh_tmp;
542#endif
543
544 int references; /* actually always 1 at the moment */
545 } SESS_CERT;
546
547
548/*#define MAC_DEBUG */
549
550/*#define ERR_DEBUG */
551/*#define ABORT_DEBUG */
552/*#define PKT_DEBUG 1 */
553/*#define DES_DEBUG */
554/*#define DES_OFB_DEBUG */
555/*#define SSL_DEBUG */
556/*#define RSA_DEBUG */
557/*#define IDEA_DEBUG */
558
559#define FP_ICC (int (*)(const void *,const void *))
560#define ssl_put_cipher_by_char(ssl,ciph,ptr) \
561 ((ssl)->method->put_cipher_by_char((ciph),(ptr)))
562#define ssl_get_cipher_by_char(ssl,ptr) \
563 ((ssl)->method->get_cipher_by_char(ptr))
564
565/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
566 * It is a bit of a mess of functions, but hell, think of it as
567 * an opaque structure :-) */
568typedef struct ssl3_enc_method
569 {
570 int (*enc)(SSL *, int);
571 int (*mac)(SSL *, unsigned char *, int);
572 int (*setup_key_block)(SSL *);
573 int (*generate_master_secret)(SSL *, unsigned char *, unsigned char *, int);
574 int (*change_cipher_state)(SSL *, int);
575 int (*final_finish_mac)(SSL *, const char *, int, unsigned char *);
576 int finish_mac_length;
577 int (*cert_verify_mac)(SSL *, int, unsigned char *);
578 const char *client_finished_label;
579 int client_finished_label_len;
580 const char *server_finished_label;
581 int server_finished_label_len;
582 int (*alert_value)(int);
583 int (*export_keying_material)(SSL *, unsigned char *, size_t,
584 const char *, size_t,
585 const unsigned char *, size_t,
586 int use_context);
587 } SSL3_ENC_METHOD;
588
589#ifndef OPENSSL_NO_COMP
590/* Used for holding the relevant compression methods loaded into SSL_CTX */
591typedef struct ssl3_comp_st
592 {
593 int comp_id; /* The identifier byte for this compression type */
594 char *name; /* Text name used for the compression type */
595 COMP_METHOD *method; /* The method :-) */
596 } SSL3_COMP;
597#endif
598
599#ifndef OPENSSL_NO_BUF_FREELISTS
600typedef struct ssl3_buf_freelist_st
601 {
602 size_t chunklen;
603 unsigned int len;
604 struct ssl3_buf_freelist_entry_st *head;
605 } SSL3_BUF_FREELIST;
606
607typedef struct ssl3_buf_freelist_entry_st
608 {
609 struct ssl3_buf_freelist_entry_st *next;
610 } SSL3_BUF_FREELIST_ENTRY;
611#endif
612
613extern SSL3_ENC_METHOD ssl3_undef_enc_method;
614OPENSSL_EXTERN const SSL_CIPHER ssl2_ciphers[];
615OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
616
617
618SSL_METHOD *ssl_bad_method(int ver);
619
620extern SSL3_ENC_METHOD TLSv1_enc_data;
621extern SSL3_ENC_METHOD SSLv3_enc_data;
622extern SSL3_ENC_METHOD DTLSv1_enc_data;
623
624#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
625 s_get_meth) \
626const SSL_METHOD *func_name(void) \
627 { \
628 static const SSL_METHOD func_name##_data= { \
629 version, \
630 tls1_new, \
631 tls1_clear, \
632 tls1_free, \
633 s_accept, \
634 s_connect, \
635 ssl3_read, \
636 ssl3_peek, \
637 ssl3_write, \
638 ssl3_shutdown, \
639 ssl3_renegotiate, \
640 ssl3_renegotiate_check, \
641 ssl3_get_message, \
642 ssl3_read_bytes, \
643 ssl3_write_bytes, \
644 ssl3_dispatch_alert, \
645 ssl3_ctrl, \
646 ssl3_ctx_ctrl, \
647 ssl3_get_cipher_by_char, \
648 ssl3_put_cipher_by_char, \
649 ssl3_pending, \
650 ssl3_num_ciphers, \
651 ssl3_get_cipher, \
652 s_get_meth, \
653 tls1_default_timeout, \
654 &TLSv1_enc_data, \
655 ssl_undefined_void_function, \
656 ssl3_callback_ctrl, \
657 ssl3_ctx_callback_ctrl, \
658 }; \
659 return &func_name##_data; \
660 }
661
662#define IMPLEMENT_ssl3_meth_func(func_name, s_accept, s_connect, s_get_meth) \
663const SSL_METHOD *func_name(void) \
664 { \
665 static const SSL_METHOD func_name##_data= { \
666 SSL3_VERSION, \
667 ssl3_new, \
668 ssl3_clear, \
669 ssl3_free, \
670 s_accept, \
671 s_connect, \
672 ssl3_read, \
673 ssl3_peek, \
674 ssl3_write, \
675 ssl3_shutdown, \
676 ssl3_renegotiate, \
677 ssl3_renegotiate_check, \
678 ssl3_get_message, \
679 ssl3_read_bytes, \
680 ssl3_write_bytes, \
681 ssl3_dispatch_alert, \
682 ssl3_ctrl, \
683 ssl3_ctx_ctrl, \
684 ssl3_get_cipher_by_char, \
685 ssl3_put_cipher_by_char, \
686 ssl3_pending, \
687 ssl3_num_ciphers, \
688 ssl3_get_cipher, \
689 s_get_meth, \
690 ssl3_default_timeout, \
691 &SSLv3_enc_data, \
692 ssl_undefined_void_function, \
693 ssl3_callback_ctrl, \
694 ssl3_ctx_callback_ctrl, \
695 }; \
696 return &func_name##_data; \
697 }
698
699#define IMPLEMENT_ssl23_meth_func(func_name, s_accept, s_connect, s_get_meth) \
700const SSL_METHOD *func_name(void) \
701 { \
702 static const SSL_METHOD func_name##_data= { \
703 TLS1_2_VERSION, \
704 tls1_new, \
705 tls1_clear, \
706 tls1_free, \
707 s_accept, \
708 s_connect, \
709 ssl23_read, \
710 ssl23_peek, \
711 ssl23_write, \
712 ssl_undefined_function, \
713 ssl_undefined_function, \
714 ssl_ok, \
715 ssl3_get_message, \
716 ssl3_read_bytes, \
717 ssl3_write_bytes, \
718 ssl3_dispatch_alert, \
719 ssl3_ctrl, \
720 ssl3_ctx_ctrl, \
721 ssl23_get_cipher_by_char, \
722 ssl23_put_cipher_by_char, \
723 ssl_undefined_const_function, \
724 ssl23_num_ciphers, \
725 ssl23_get_cipher, \
726 s_get_meth, \
727 ssl23_default_timeout, \
728 &ssl3_undef_enc_method, \
729 ssl_undefined_void_function, \
730 ssl3_callback_ctrl, \
731 ssl3_ctx_callback_ctrl, \
732 }; \
733 return &func_name##_data; \
734 }
735
736#define IMPLEMENT_ssl2_meth_func(func_name, s_accept, s_connect, s_get_meth) \
737const SSL_METHOD *func_name(void) \
738 { \
739 static const SSL_METHOD func_name##_data= { \
740 SSL2_VERSION, \
741 ssl2_new, /* local */ \
742 ssl2_clear, /* local */ \
743 ssl2_free, /* local */ \
744 s_accept, \
745 s_connect, \
746 ssl2_read, \
747 ssl2_peek, \
748 ssl2_write, \
749 ssl2_shutdown, \
750 ssl_ok, /* NULL - renegotiate */ \
751 ssl_ok, /* NULL - check renegotiate */ \
752 NULL, /* NULL - ssl_get_message */ \
753 NULL, /* NULL - ssl_get_record */ \
754 NULL, /* NULL - ssl_write_bytes */ \
755 NULL, /* NULL - dispatch_alert */ \
756 ssl2_ctrl, /* local */ \
757 ssl2_ctx_ctrl, /* local */ \
758 ssl2_get_cipher_by_char, \
759 ssl2_put_cipher_by_char, \
760 ssl2_pending, \
761 ssl2_num_ciphers, \
762 ssl2_get_cipher, \
763 s_get_meth, \
764 ssl2_default_timeout, \
765 &ssl3_undef_enc_method, \
766 ssl_undefined_void_function, \
767 ssl2_callback_ctrl, /* local */ \
768 ssl2_ctx_callback_ctrl, /* local */ \
769 }; \
770 return &func_name##_data; \
771 }
772
773#define IMPLEMENT_dtls1_meth_func(func_name, s_accept, s_connect, s_get_meth) \
774const SSL_METHOD *func_name(void) \
775 { \
776 static const SSL_METHOD func_name##_data= { \
777 DTLS1_VERSION, \
778 dtls1_new, \
779 dtls1_clear, \
780 dtls1_free, \
781 s_accept, \
782 s_connect, \
783 ssl3_read, \
784 ssl3_peek, \
785 ssl3_write, \
786 dtls1_shutdown, \
787 ssl3_renegotiate, \
788 ssl3_renegotiate_check, \
789 dtls1_get_message, \
790 dtls1_read_bytes, \
791 dtls1_write_app_data_bytes, \
792 dtls1_dispatch_alert, \
793 dtls1_ctrl, \
794 ssl3_ctx_ctrl, \
795 ssl3_get_cipher_by_char, \
796 ssl3_put_cipher_by_char, \
797 ssl3_pending, \
798 ssl3_num_ciphers, \
799 dtls1_get_cipher, \
800 s_get_meth, \
801 dtls1_default_timeout, \
802 &DTLSv1_enc_data, \
803 ssl_undefined_void_function, \
804 ssl3_callback_ctrl, \
805 ssl3_ctx_callback_ctrl, \
806 }; \
807 return &func_name##_data; \
808 }
809
810void ssl_clear_cipher_ctx(SSL *s);
811int ssl_clear_bad_session(SSL *s);
812CERT *ssl_cert_new(void);
813CERT *ssl_cert_dup(CERT *cert);
814int ssl_cert_inst(CERT **o);
815void ssl_cert_free(CERT *c);
816SESS_CERT *ssl_sess_cert_new(void);
817void ssl_sess_cert_free(SESS_CERT *sc);
818int ssl_set_peer_cert_type(SESS_CERT *c, int type);
819int ssl_get_new_session(SSL *s, int session);
820int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit);
821int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
822DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
823 ssl_cipher_id);
824int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
825 const SSL_CIPHER * const *bp);
826STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
827 STACK_OF(SSL_CIPHER) **skp);
828int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
829 int (*put_cb)(const SSL_CIPHER *, unsigned char *));
830STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
831 STACK_OF(SSL_CIPHER) **pref,
832 STACK_OF(SSL_CIPHER) **sorted,
833 const char *rule_str);
834void ssl_update_cache(SSL *s, int mode);
835int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
836 const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp);
837int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);
838int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
839int ssl_undefined_function(SSL *s);
840int ssl_undefined_void_function(void);
841int ssl_undefined_const_function(const SSL *s);
842X509 *ssl_get_server_send_cert(SSL *);
843EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
844int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
845void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
846STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
847int ssl_verify_alarm_type(long type);
848void ssl_load_ciphers(void);
849
850int ssl2_enc_init(SSL *s, int client);
851int ssl2_generate_key_material(SSL *s);
852void ssl2_enc(SSL *s,int send_data);
853void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
854const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
855int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
856int ssl2_part_read(SSL *s, unsigned long f, int i);
857int ssl2_do_write(SSL *s);
858int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data);
859void ssl2_return_error(SSL *s,int reason);
860void ssl2_write_error(SSL *s);
861int ssl2_num_ciphers(void);
862const SSL_CIPHER *ssl2_get_cipher(unsigned int u);
863int ssl2_new(SSL *s);
864void ssl2_free(SSL *s);
865int ssl2_accept(SSL *s);
866int ssl2_connect(SSL *s);
867int ssl2_read(SSL *s, void *buf, int len);
868int ssl2_peek(SSL *s, void *buf, int len);
869int ssl2_write(SSL *s, const void *buf, int len);
870int ssl2_shutdown(SSL *s);
871void ssl2_clear(SSL *s);
872long ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
873long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
874long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
875long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
876int ssl2_pending(const SSL *s);
877long ssl2_default_timeout(void );
878
879const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
880int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
881void ssl3_init_finished_mac(SSL *s);
882int ssl3_send_server_certificate(SSL *s);
883int ssl3_send_newsession_ticket(SSL *s);
884int ssl3_send_cert_status(SSL *s);
885int ssl3_get_finished(SSL *s,int state_a,int state_b);
886int ssl3_setup_key_block(SSL *s);
887int ssl3_send_change_cipher_spec(SSL *s,int state_a,int state_b);
888int ssl3_change_cipher_state(SSL *s,int which);
889void ssl3_cleanup_key_block(SSL *s);
890int ssl3_do_write(SSL *s,int type);
891int ssl3_send_alert(SSL *s,int level, int desc);
892int ssl3_generate_master_secret(SSL *s, unsigned char *out,
893 unsigned char *p, int len);
894int ssl3_get_req_cert_type(SSL *s,unsigned char *p);
895long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
896int ssl3_send_finished(SSL *s, int a, int b, const char *sender,int slen);
897int ssl3_num_ciphers(void);
898const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
899int ssl3_renegotiate(SSL *ssl);
900int ssl3_renegotiate_check(SSL *ssl);
901int ssl3_dispatch_alert(SSL *s);
902int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
903int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
904int ssl3_final_finish_mac(SSL *s, const char *sender, int slen,unsigned char *p);
905int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
906void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
907int ssl3_enc(SSL *s, int send_data);
908int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
909void ssl3_free_digest_list(SSL *s);
910unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
911SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
912 STACK_OF(SSL_CIPHER) *srvr);
913int ssl3_setup_buffers(SSL *s);
914int ssl3_setup_read_buffer(SSL *s);
915int ssl3_setup_write_buffer(SSL *s);
916int ssl3_release_read_buffer(SSL *s);
917int ssl3_release_write_buffer(SSL *s);
918int ssl3_digest_cached_records(SSL *s);
919int ssl3_new(SSL *s);
920void ssl3_free(SSL *s);
921int ssl3_accept(SSL *s);
922int ssl3_connect(SSL *s);
923int ssl3_read(SSL *s, void *buf, int len);
924int ssl3_peek(SSL *s, void *buf, int len);
925int ssl3_write(SSL *s, const void *buf, int len);
926int ssl3_shutdown(SSL *s);
927void ssl3_clear(SSL *s);
928long ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
929long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
930long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
931long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
932int ssl3_pending(const SSL *s);
933
934void ssl3_record_sequence_update(unsigned char *seq);
935int ssl3_do_change_cipher_spec(SSL *ssl);
936long ssl3_default_timeout(void );
937
938int ssl23_num_ciphers(void );
939const SSL_CIPHER *ssl23_get_cipher(unsigned int u);
940int ssl23_read(SSL *s, void *buf, int len);
941int ssl23_peek(SSL *s, void *buf, int len);
942int ssl23_write(SSL *s, const void *buf, int len);
943int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
944const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
945long ssl23_default_timeout(void );
946
947long tls1_default_timeout(void);
948int dtls1_do_write(SSL *s,int type);
949int ssl3_read_n(SSL *s, int n, int max, int extend);
950int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
951int ssl3_do_compress(SSL *ssl);
952int ssl3_do_uncompress(SSL *ssl);
953int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
954 unsigned int len);
955unsigned char *dtls1_set_message_header(SSL *s,
956 unsigned char *p, unsigned char mt, unsigned long len,
957 unsigned long frag_off, unsigned long frag_len);
958
959int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len);
960int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
961
962int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
963int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
964unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
965int dtls1_read_failed(SSL *s, int code);
966int dtls1_buffer_message(SSL *s, int ccs);
967int dtls1_retransmit_message(SSL *s, unsigned short seq,
968 unsigned long frag_off, int *found);
969int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
970int dtls1_retransmit_buffered_messages(SSL *s);
971void dtls1_clear_record_buffer(SSL *s);
972void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr);
973void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
974void dtls1_reset_seq_numbers(SSL *s, int rw);
975long dtls1_default_timeout(void);
976struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft);
977int dtls1_check_timeout_num(SSL *s);
978int dtls1_handle_timeout(SSL *s);
979const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
980void dtls1_start_timer(SSL *s);
981void dtls1_stop_timer(SSL *s);
982int dtls1_is_timer_expired(SSL *s);
983void dtls1_double_timeout(SSL *s);
984int dtls1_send_newsession_ticket(SSL *s);
985unsigned int dtls1_min_mtu(void);
986
987/* some client-only functions */
988int ssl3_client_hello(SSL *s);
989int ssl3_get_server_hello(SSL *s);
990int ssl3_get_certificate_request(SSL *s);
991int ssl3_get_new_session_ticket(SSL *s);
992int ssl3_get_cert_status(SSL *s);
993int ssl3_get_server_done(SSL *s);
994int ssl3_send_client_verify(SSL *s);
995int ssl3_send_client_certificate(SSL *s);
996int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
997int ssl3_send_client_key_exchange(SSL *s);
998int ssl3_get_key_exchange(SSL *s);
999int ssl3_get_server_certificate(SSL *s);
1000int ssl3_check_cert_and_algorithm(SSL *s);
1001#ifndef OPENSSL_NO_TLSEXT
1002int ssl3_check_finished(SSL *s);
1003# ifndef OPENSSL_NO_NEXTPROTONEG
1004int ssl3_send_next_proto(SSL *s);
1005# endif
1006#endif
1007
1008int dtls1_client_hello(SSL *s);
1009int dtls1_send_client_certificate(SSL *s);
1010int dtls1_send_client_key_exchange(SSL *s);
1011int dtls1_send_client_verify(SSL *s);
1012
1013/* some server-only functions */
1014int ssl3_get_client_hello(SSL *s);
1015int ssl3_send_server_hello(SSL *s);
1016int ssl3_send_hello_request(SSL *s);
1017int ssl3_send_server_key_exchange(SSL *s);
1018int ssl3_send_certificate_request(SSL *s);
1019int ssl3_send_server_done(SSL *s);
1020int ssl3_check_client_hello(SSL *s);
1021int ssl3_get_client_certificate(SSL *s);
1022int ssl3_get_client_key_exchange(SSL *s);
1023int ssl3_get_cert_verify(SSL *s);
1024#ifndef OPENSSL_NO_NEXTPROTONEG
1025int ssl3_get_next_proto(SSL *s);
1026#endif
1027
1028int dtls1_send_hello_request(SSL *s);
1029int dtls1_send_server_hello(SSL *s);
1030int dtls1_send_server_certificate(SSL *s);
1031int dtls1_send_server_key_exchange(SSL *s);
1032int dtls1_send_certificate_request(SSL *s);
1033int dtls1_send_server_done(SSL *s);
1034
1035
1036
1037int ssl23_accept(SSL *s);
1038int ssl23_connect(SSL *s);
1039int ssl23_read_bytes(SSL *s, int n);
1040int ssl23_write_bytes(SSL *s);
1041
1042int tls1_new(SSL *s);
1043void tls1_free(SSL *s);
1044void tls1_clear(SSL *s);
1045long tls1_ctrl(SSL *s,int cmd, long larg, void *parg);
1046long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
1047
1048int dtls1_new(SSL *s);
1049int dtls1_accept(SSL *s);
1050int dtls1_connect(SSL *s);
1051void dtls1_free(SSL *s);
1052void dtls1_clear(SSL *s);
1053long dtls1_ctrl(SSL *s,int cmd, long larg, void *parg);
1054int dtls1_shutdown(SSL *s);
1055
1056long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
1057int dtls1_get_record(SSL *s);
1058int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
1059 unsigned int len, int create_empty_fragement);
1060int dtls1_dispatch_alert(SSL *s);
1061int dtls1_enc(SSL *s, int snd);
1062
1063int ssl_init_wbio_buffer(SSL *s, int push);
1064void ssl_free_wbio_buffer(SSL *s);
1065
1066int tls1_change_cipher_state(SSL *s, int which);
1067int tls1_setup_key_block(SSL *s);
1068int tls1_enc(SSL *s, int snd);
1069int tls1_final_finish_mac(SSL *s,
1070 const char *str, int slen, unsigned char *p);
1071int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
1072int tls1_mac(SSL *ssl, unsigned char *md, int snd);
1073int tls1_generate_master_secret(SSL *s, unsigned char *out,
1074 unsigned char *p, int len);
1075int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1076 const char *label, size_t llen,
1077 const unsigned char *p, size_t plen, int use_context);
1078int tls1_alert_code(int code);
1079int ssl3_alert_code(int code);
1080int ssl_ok(SSL *s);
1081
1082#ifndef OPENSSL_NO_ECDH
1083int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
1084#endif
1085
1086SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
1087
1088#ifndef OPENSSL_NO_EC
1089int tls1_ec_curve_id2nid(int curve_id);
1090int tls1_ec_nid2curve_id(int nid);
1091#endif /* OPENSSL_NO_EC */
1092
1093#ifndef OPENSSL_NO_TLSEXT
1094unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
1095unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
1096int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
1097int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
1098int ssl_prepare_clienthello_tlsext(SSL *s);
1099int ssl_prepare_serverhello_tlsext(SSL *s);
1100int ssl_check_clienthello_tlsext(SSL *s);
1101int ssl_check_serverhello_tlsext(SSL *s);
1102
1103#ifndef OPENSSL_NO_HEARTBEATS
1104int tls1_heartbeat(SSL *s);
1105int dtls1_heartbeat(SSL *s);
1106int tls1_process_heartbeat(SSL *s);
1107int dtls1_process_heartbeat(SSL *s);
1108#endif
1109
1110#ifdef OPENSSL_NO_SHA256
1111#define tlsext_tick_md EVP_sha1
1112#else
1113#define tlsext_tick_md EVP_sha256
1114#endif
1115int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1116 const unsigned char *limit, SSL_SESSION **ret);
1117
1118int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
1119 const EVP_MD *md);
1120int tls12_get_sigid(const EVP_PKEY *pk);
1121const EVP_MD *tls12_get_hash(unsigned char hash_alg);
1122
1123#endif
1124EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ;
1125void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
1126int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
1127 int maxlen);
1128int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1129 int *al);
1130int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
1131 int maxlen);
1132int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1133 int *al);
1134long ssl_get_algorithm2(SSL *s);
1135int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
1136int tls12_get_req_sig_algs(SSL *s, unsigned char *p);
1137
1138int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
1139int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
1140int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
1141int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
1142
1143/* s3_cbc.c */
1144void ssl3_cbc_copy_mac(unsigned char* out,
1145 const SSL3_RECORD *rec,
1146 unsigned md_size,unsigned orig_len);
1147int ssl3_cbc_remove_padding(const SSL* s,
1148 SSL3_RECORD *rec,
1149 unsigned block_size,
1150 unsigned mac_size);
1151int tls1_cbc_remove_padding(const SSL* s,
1152 SSL3_RECORD *rec,
1153 unsigned block_size,
1154 unsigned mac_size);
1155char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
1156void ssl3_cbc_digest_record(
1157 const EVP_MD_CTX *ctx,
1158 unsigned char* md_out,
1159 size_t* md_out_size,
1160 const unsigned char header[13],
1161 const unsigned char *data,
1162 size_t data_plus_mac_size,
1163 size_t data_plus_mac_plus_padding_size,
1164 const unsigned char *mac_secret,
1165 unsigned mac_secret_length,
1166 char is_sslv3);
1167
1168void tls_fips_digest_extra(
1169 const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
1170 const unsigned char *data, size_t data_len, size_t orig_len);
1171
1172#endif
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
deleted file mode 100644
index c0960b5712..0000000000
--- a/src/lib/libssl/ssl_rsa.c
+++ /dev/null
@@ -1,779 +0,0 @@
1/* ssl/ssl_rsa.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "ssl_locl.h"
61#include <openssl/bio.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65#include <openssl/pem.h>
66
67static int ssl_set_cert(CERT *c, X509 *x509);
68static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
69int SSL_use_certificate(SSL *ssl, X509 *x)
70 {
71 if (x == NULL)
72 {
73 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
74 return(0);
75 }
76 if (!ssl_cert_inst(&ssl->cert))
77 {
78 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
79 return(0);
80 }
81 return(ssl_set_cert(ssl->cert,x));
82 }
83
84#ifndef OPENSSL_NO_STDIO
85int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
86 {
87 int j;
88 BIO *in;
89 int ret=0;
90 X509 *x=NULL;
91
92 in=BIO_new(BIO_s_file_internal());
93 if (in == NULL)
94 {
95 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
96 goto end;
97 }
98
99 if (BIO_read_filename(in,file) <= 0)
100 {
101 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
102 goto end;
103 }
104 if (type == SSL_FILETYPE_ASN1)
105 {
106 j=ERR_R_ASN1_LIB;
107 x=d2i_X509_bio(in,NULL);
108 }
109 else if (type == SSL_FILETYPE_PEM)
110 {
111 j=ERR_R_PEM_LIB;
112 x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
113 }
114 else
115 {
116 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
117 goto end;
118 }
119
120 if (x == NULL)
121 {
122 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,j);
123 goto end;
124 }
125
126 ret=SSL_use_certificate(ssl,x);
127end:
128 if (x != NULL) X509_free(x);
129 if (in != NULL) BIO_free(in);
130 return(ret);
131 }
132#endif
133
134int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
135 {
136 X509 *x;
137 int ret;
138
139 x=d2i_X509(NULL,&d,(long)len);
140 if (x == NULL)
141 {
142 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
143 return(0);
144 }
145
146 ret=SSL_use_certificate(ssl,x);
147 X509_free(x);
148 return(ret);
149 }
150
151#ifndef OPENSSL_NO_RSA
152int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
153 {
154 EVP_PKEY *pkey;
155 int ret;
156
157 if (rsa == NULL)
158 {
159 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
160 return(0);
161 }
162 if (!ssl_cert_inst(&ssl->cert))
163 {
164 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
165 return(0);
166 }
167 if ((pkey=EVP_PKEY_new()) == NULL)
168 {
169 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
170 return(0);
171 }
172
173 RSA_up_ref(rsa);
174 EVP_PKEY_assign_RSA(pkey,rsa);
175
176 ret=ssl_set_pkey(ssl->cert,pkey);
177 EVP_PKEY_free(pkey);
178 return(ret);
179 }
180#endif
181
182static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
183 {
184 int i;
185
186 i=ssl_cert_type(NULL,pkey);
187 if (i < 0)
188 {
189 SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
190 return(0);
191 }
192
193 if (c->pkeys[i].x509 != NULL)
194 {
195 EVP_PKEY *pktmp;
196 pktmp = X509_get_pubkey(c->pkeys[i].x509);
197 EVP_PKEY_copy_parameters(pktmp,pkey);
198 EVP_PKEY_free(pktmp);
199 ERR_clear_error();
200
201#ifndef OPENSSL_NO_RSA
202 /* Don't check the public/private key, this is mostly
203 * for smart cards. */
204 if ((pkey->type == EVP_PKEY_RSA) &&
205 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
206 ;
207 else
208#endif
209 if (!X509_check_private_key(c->pkeys[i].x509,pkey))
210 {
211 X509_free(c->pkeys[i].x509);
212 c->pkeys[i].x509 = NULL;
213 return 0;
214 }
215 }
216
217 if (c->pkeys[i].privatekey != NULL)
218 EVP_PKEY_free(c->pkeys[i].privatekey);
219 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
220 c->pkeys[i].privatekey=pkey;
221 c->key= &(c->pkeys[i]);
222
223 c->valid=0;
224 return(1);
225 }
226
227#ifndef OPENSSL_NO_RSA
228#ifndef OPENSSL_NO_STDIO
229int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
230 {
231 int j,ret=0;
232 BIO *in;
233 RSA *rsa=NULL;
234
235 in=BIO_new(BIO_s_file_internal());
236 if (in == NULL)
237 {
238 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
239 goto end;
240 }
241
242 if (BIO_read_filename(in,file) <= 0)
243 {
244 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
245 goto end;
246 }
247 if (type == SSL_FILETYPE_ASN1)
248 {
249 j=ERR_R_ASN1_LIB;
250 rsa=d2i_RSAPrivateKey_bio(in,NULL);
251 }
252 else if (type == SSL_FILETYPE_PEM)
253 {
254 j=ERR_R_PEM_LIB;
255 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
256 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
257 }
258 else
259 {
260 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
261 goto end;
262 }
263 if (rsa == NULL)
264 {
265 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,j);
266 goto end;
267 }
268 ret=SSL_use_RSAPrivateKey(ssl,rsa);
269 RSA_free(rsa);
270end:
271 if (in != NULL) BIO_free(in);
272 return(ret);
273 }
274#endif
275
276int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
277 {
278 int ret;
279 const unsigned char *p;
280 RSA *rsa;
281
282 p=d;
283 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
284 {
285 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
286 return(0);
287 }
288
289 ret=SSL_use_RSAPrivateKey(ssl,rsa);
290 RSA_free(rsa);
291 return(ret);
292 }
293#endif /* !OPENSSL_NO_RSA */
294
295int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
296 {
297 int ret;
298
299 if (pkey == NULL)
300 {
301 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
302 return(0);
303 }
304 if (!ssl_cert_inst(&ssl->cert))
305 {
306 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
307 return(0);
308 }
309 ret=ssl_set_pkey(ssl->cert,pkey);
310 return(ret);
311 }
312
313#ifndef OPENSSL_NO_STDIO
314int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
315 {
316 int j,ret=0;
317 BIO *in;
318 EVP_PKEY *pkey=NULL;
319
320 in=BIO_new(BIO_s_file_internal());
321 if (in == NULL)
322 {
323 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
324 goto end;
325 }
326
327 if (BIO_read_filename(in,file) <= 0)
328 {
329 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
330 goto end;
331 }
332 if (type == SSL_FILETYPE_PEM)
333 {
334 j=ERR_R_PEM_LIB;
335 pkey=PEM_read_bio_PrivateKey(in,NULL,
336 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
337 }
338 else if (type == SSL_FILETYPE_ASN1)
339 {
340 j = ERR_R_ASN1_LIB;
341 pkey = d2i_PrivateKey_bio(in,NULL);
342 }
343 else
344 {
345 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
346 goto end;
347 }
348 if (pkey == NULL)
349 {
350 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,j);
351 goto end;
352 }
353 ret=SSL_use_PrivateKey(ssl,pkey);
354 EVP_PKEY_free(pkey);
355end:
356 if (in != NULL) BIO_free(in);
357 return(ret);
358 }
359#endif
360
361int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
362 {
363 int ret;
364 const unsigned char *p;
365 EVP_PKEY *pkey;
366
367 p=d;
368 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
369 {
370 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
371 return(0);
372 }
373
374 ret=SSL_use_PrivateKey(ssl,pkey);
375 EVP_PKEY_free(pkey);
376 return(ret);
377 }
378
379int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
380 {
381 if (x == NULL)
382 {
383 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
384 return(0);
385 }
386 if (!ssl_cert_inst(&ctx->cert))
387 {
388 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
389 return(0);
390 }
391 return(ssl_set_cert(ctx->cert, x));
392 }
393
394static int ssl_set_cert(CERT *c, X509 *x)
395 {
396 EVP_PKEY *pkey;
397 int i;
398
399 pkey=X509_get_pubkey(x);
400 if (pkey == NULL)
401 {
402 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_X509_LIB);
403 return(0);
404 }
405
406 i=ssl_cert_type(x,pkey);
407 if (i < 0)
408 {
409 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
410 EVP_PKEY_free(pkey);
411 return(0);
412 }
413
414 if (c->pkeys[i].privatekey != NULL)
415 {
416 EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
417 ERR_clear_error();
418
419#ifndef OPENSSL_NO_RSA
420 /* Don't check the public/private key, this is mostly
421 * for smart cards. */
422 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
423 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
424 RSA_METHOD_FLAG_NO_CHECK))
425 ;
426 else
427#endif /* OPENSSL_NO_RSA */
428 if (!X509_check_private_key(x,c->pkeys[i].privatekey))
429 {
430 /* don't fail for a cert/key mismatch, just free
431 * current private key (when switching to a different
432 * cert & key, first this function should be used,
433 * then ssl_set_pkey */
434 EVP_PKEY_free(c->pkeys[i].privatekey);
435 c->pkeys[i].privatekey=NULL;
436 /* clear error queue */
437 ERR_clear_error();
438 }
439 }
440
441 EVP_PKEY_free(pkey);
442
443 if (c->pkeys[i].x509 != NULL)
444 X509_free(c->pkeys[i].x509);
445 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
446 c->pkeys[i].x509=x;
447 c->key= &(c->pkeys[i]);
448
449 c->valid=0;
450 return(1);
451 }
452
453#ifndef OPENSSL_NO_STDIO
454int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
455 {
456 int j;
457 BIO *in;
458 int ret=0;
459 X509 *x=NULL;
460
461 in=BIO_new(BIO_s_file_internal());
462 if (in == NULL)
463 {
464 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
465 goto end;
466 }
467
468 if (BIO_read_filename(in,file) <= 0)
469 {
470 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
471 goto end;
472 }
473 if (type == SSL_FILETYPE_ASN1)
474 {
475 j=ERR_R_ASN1_LIB;
476 x=d2i_X509_bio(in,NULL);
477 }
478 else if (type == SSL_FILETYPE_PEM)
479 {
480 j=ERR_R_PEM_LIB;
481 x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
482 }
483 else
484 {
485 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
486 goto end;
487 }
488
489 if (x == NULL)
490 {
491 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,j);
492 goto end;
493 }
494
495 ret=SSL_CTX_use_certificate(ctx,x);
496end:
497 if (x != NULL) X509_free(x);
498 if (in != NULL) BIO_free(in);
499 return(ret);
500 }
501#endif
502
503int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
504 {
505 X509 *x;
506 int ret;
507
508 x=d2i_X509(NULL,&d,(long)len);
509 if (x == NULL)
510 {
511 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
512 return(0);
513 }
514
515 ret=SSL_CTX_use_certificate(ctx,x);
516 X509_free(x);
517 return(ret);
518 }
519
520#ifndef OPENSSL_NO_RSA
521int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
522 {
523 int ret;
524 EVP_PKEY *pkey;
525
526 if (rsa == NULL)
527 {
528 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
529 return(0);
530 }
531 if (!ssl_cert_inst(&ctx->cert))
532 {
533 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
534 return(0);
535 }
536 if ((pkey=EVP_PKEY_new()) == NULL)
537 {
538 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
539 return(0);
540 }
541
542 RSA_up_ref(rsa);
543 EVP_PKEY_assign_RSA(pkey,rsa);
544
545 ret=ssl_set_pkey(ctx->cert, pkey);
546 EVP_PKEY_free(pkey);
547 return(ret);
548 }
549
550#ifndef OPENSSL_NO_STDIO
551int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
552 {
553 int j,ret=0;
554 BIO *in;
555 RSA *rsa=NULL;
556
557 in=BIO_new(BIO_s_file_internal());
558 if (in == NULL)
559 {
560 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
561 goto end;
562 }
563
564 if (BIO_read_filename(in,file) <= 0)
565 {
566 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
567 goto end;
568 }
569 if (type == SSL_FILETYPE_ASN1)
570 {
571 j=ERR_R_ASN1_LIB;
572 rsa=d2i_RSAPrivateKey_bio(in,NULL);
573 }
574 else if (type == SSL_FILETYPE_PEM)
575 {
576 j=ERR_R_PEM_LIB;
577 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
578 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
579 }
580 else
581 {
582 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
583 goto end;
584 }
585 if (rsa == NULL)
586 {
587 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,j);
588 goto end;
589 }
590 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
591 RSA_free(rsa);
592end:
593 if (in != NULL) BIO_free(in);
594 return(ret);
595 }
596#endif
597
598int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
599 {
600 int ret;
601 const unsigned char *p;
602 RSA *rsa;
603
604 p=d;
605 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
606 {
607 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
608 return(0);
609 }
610
611 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
612 RSA_free(rsa);
613 return(ret);
614 }
615#endif /* !OPENSSL_NO_RSA */
616
617int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
618 {
619 if (pkey == NULL)
620 {
621 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
622 return(0);
623 }
624 if (!ssl_cert_inst(&ctx->cert))
625 {
626 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
627 return(0);
628 }
629 return(ssl_set_pkey(ctx->cert,pkey));
630 }
631
632#ifndef OPENSSL_NO_STDIO
633int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
634 {
635 int j,ret=0;
636 BIO *in;
637 EVP_PKEY *pkey=NULL;
638
639 in=BIO_new(BIO_s_file_internal());
640 if (in == NULL)
641 {
642 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
643 goto end;
644 }
645
646 if (BIO_read_filename(in,file) <= 0)
647 {
648 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
649 goto end;
650 }
651 if (type == SSL_FILETYPE_PEM)
652 {
653 j=ERR_R_PEM_LIB;
654 pkey=PEM_read_bio_PrivateKey(in,NULL,
655 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
656 }
657 else if (type == SSL_FILETYPE_ASN1)
658 {
659 j = ERR_R_ASN1_LIB;
660 pkey = d2i_PrivateKey_bio(in,NULL);
661 }
662 else
663 {
664 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
665 goto end;
666 }
667 if (pkey == NULL)
668 {
669 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,j);
670 goto end;
671 }
672 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
673 EVP_PKEY_free(pkey);
674end:
675 if (in != NULL) BIO_free(in);
676 return(ret);
677 }
678#endif
679
680int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
681 long len)
682 {
683 int ret;
684 const unsigned char *p;
685 EVP_PKEY *pkey;
686
687 p=d;
688 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
689 {
690 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
691 return(0);
692 }
693
694 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
695 EVP_PKEY_free(pkey);
696 return(ret);
697 }
698
699
700#ifndef OPENSSL_NO_STDIO
701/* Read a file that contains our certificate in "PEM" format,
702 * possibly followed by a sequence of CA certificates that should be
703 * sent to the peer in the Certificate message.
704 */
705int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
706 {
707 BIO *in;
708 int ret=0;
709 X509 *x=NULL;
710
711 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
712
713 in=BIO_new(BIO_s_file_internal());
714 if (in == NULL)
715 {
716 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
717 goto end;
718 }
719
720 if (BIO_read_filename(in,file) <= 0)
721 {
722 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_SYS_LIB);
723 goto end;
724 }
725
726 x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
727 if (x == NULL)
728 {
729 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
730 goto end;
731 }
732
733 ret=SSL_CTX_use_certificate(ctx,x);
734 if (ERR_peek_error() != 0)
735 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
736 if (ret)
737 {
738 /* If we could set up our certificate, now proceed to
739 * the CA certificates.
740 */
741 X509 *ca;
742 int r;
743 unsigned long err;
744
745 if (ctx->extra_certs != NULL)
746 {
747 sk_X509_pop_free(ctx->extra_certs, X509_free);
748 ctx->extra_certs = NULL;
749 }
750
751 while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata))
752 != NULL)
753 {
754 r = SSL_CTX_add_extra_chain_cert(ctx, ca);
755 if (!r)
756 {
757 X509_free(ca);
758 ret = 0;
759 goto end;
760 }
761 /* Note that we must not free r if it was successfully
762 * added to the chain (while we must free the main
763 * certificate, since its reference count is increased
764 * by SSL_CTX_use_certificate). */
765 }
766 /* When the while loop ends, it's usually just EOF. */
767 err = ERR_peek_last_error();
768 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
769 ERR_clear_error();
770 else
771 ret = 0; /* some real error */
772 }
773
774end:
775 if (x != NULL) X509_free(x);
776 if (in != NULL) BIO_free(in);
777 return(ret);
778 }
779#endif
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
deleted file mode 100644
index ad40fadd02..0000000000
--- a/src/lib/libssl/ssl_sess.c
+++ /dev/null
@@ -1,1159 +0,0 @@
1/* ssl/ssl_sess.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138#include <stdio.h>
139#include <openssl/lhash.h>
140#include <openssl/rand.h>
141#ifndef OPENSSL_NO_ENGINE
142#include <openssl/engine.h>
143#endif
144#include "ssl_locl.h"
145
146static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
147static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
148static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
149
150SSL_SESSION *SSL_get_session(const SSL *ssl)
151/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
152 {
153 return(ssl->session);
154 }
155
156SSL_SESSION *SSL_get1_session(SSL *ssl)
157/* variant of SSL_get_session: caller really gets something */
158 {
159 SSL_SESSION *sess;
160 /* Need to lock this all up rather than just use CRYPTO_add so that
161 * somebody doesn't free ssl->session between when we check it's
162 * non-null and when we up the reference count. */
163 CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
164 sess = ssl->session;
165 if(sess)
166 sess->references++;
167 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
168 return(sess);
169 }
170
171int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
172 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
173 {
174 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
175 new_func, dup_func, free_func);
176 }
177
178int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
179 {
180 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
181 }
182
183void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
184 {
185 return(CRYPTO_get_ex_data(&s->ex_data,idx));
186 }
187
188SSL_SESSION *SSL_SESSION_new(void)
189 {
190 SSL_SESSION *ss;
191
192 ss=(SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION));
193 if (ss == NULL)
194 {
195 SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE);
196 return(0);
197 }
198 memset(ss,0,sizeof(SSL_SESSION));
199
200 ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
201 ss->references=1;
202 ss->timeout=60*5+4; /* 5 minute timeout by default */
203 ss->time=(unsigned long)time(NULL);
204 ss->prev=NULL;
205 ss->next=NULL;
206 ss->compress_meth=0;
207#ifndef OPENSSL_NO_TLSEXT
208 ss->tlsext_hostname = NULL;
209#ifndef OPENSSL_NO_EC
210 ss->tlsext_ecpointformatlist_length = 0;
211 ss->tlsext_ecpointformatlist = NULL;
212 ss->tlsext_ellipticcurvelist_length = 0;
213 ss->tlsext_ellipticcurvelist = NULL;
214#endif
215#endif
216 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
217#ifndef OPENSSL_NO_PSK
218 ss->psk_identity_hint=NULL;
219 ss->psk_identity=NULL;
220#endif
221#ifndef OPENSSL_NO_SRP
222 ss->srp_username=NULL;
223#endif
224 return(ss);
225 }
226
227const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
228 {
229 if(len)
230 *len = s->session_id_length;
231 return s->session_id;
232 }
233
234unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s)
235 {
236 return s->compress_meth;
237 }
238
239/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
240 * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
241 * until we have no conflict is going to complete in one iteration pretty much
242 * "most" of the time (btw: understatement). So, if it takes us 10 iterations
243 * and we still can't avoid a conflict - well that's a reasonable point to call
244 * it quits. Either the RAND code is broken or someone is trying to open roughly
245 * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
246 * store that many sessions is perhaps a more interesting question ... */
247
248#define MAX_SESS_ID_ATTEMPTS 10
249static int def_generate_session_id(const SSL *ssl, unsigned char *id,
250 unsigned int *id_len)
251{
252 unsigned int retry = 0;
253 do
254 if (RAND_pseudo_bytes(id, *id_len) <= 0)
255 return 0;
256 while(SSL_has_matching_session_id(ssl, id, *id_len) &&
257 (++retry < MAX_SESS_ID_ATTEMPTS));
258 if(retry < MAX_SESS_ID_ATTEMPTS)
259 return 1;
260 /* else - woops a session_id match */
261 /* XXX We should also check the external cache --
262 * but the probability of a collision is negligible, and
263 * we could not prevent the concurrent creation of sessions
264 * with identical IDs since we currently don't have means
265 * to atomically check whether a session ID already exists
266 * and make a reservation for it if it does not
267 * (this problem applies to the internal cache as well).
268 */
269 return 0;
270}
271
272int ssl_get_new_session(SSL *s, int session)
273 {
274 /* This gets used by clients and servers. */
275
276 unsigned int tmp;
277 SSL_SESSION *ss=NULL;
278 GEN_SESSION_CB cb = def_generate_session_id;
279
280 if ((ss=SSL_SESSION_new()) == NULL) return(0);
281
282 /* If the context has a default timeout, use it */
283 if (s->session_ctx->session_timeout == 0)
284 ss->timeout=SSL_get_default_timeout(s);
285 else
286 ss->timeout=s->session_ctx->session_timeout;
287
288 if (s->session != NULL)
289 {
290 SSL_SESSION_free(s->session);
291 s->session=NULL;
292 }
293
294 if (session)
295 {
296 if (s->version == SSL2_VERSION)
297 {
298 ss->ssl_version=SSL2_VERSION;
299 ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
300 }
301 else if (s->version == SSL3_VERSION)
302 {
303 ss->ssl_version=SSL3_VERSION;
304 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
305 }
306 else if (s->version == TLS1_VERSION)
307 {
308 ss->ssl_version=TLS1_VERSION;
309 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
310 }
311 else if (s->version == TLS1_1_VERSION)
312 {
313 ss->ssl_version=TLS1_1_VERSION;
314 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
315 }
316 else if (s->version == TLS1_2_VERSION)
317 {
318 ss->ssl_version=TLS1_2_VERSION;
319 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
320 }
321 else if (s->version == DTLS1_BAD_VER)
322 {
323 ss->ssl_version=DTLS1_BAD_VER;
324 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
325 }
326 else if (s->version == DTLS1_VERSION)
327 {
328 ss->ssl_version=DTLS1_VERSION;
329 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
330 }
331 else
332 {
333 SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
334 SSL_SESSION_free(ss);
335 return(0);
336 }
337#ifndef OPENSSL_NO_TLSEXT
338 /* If RFC4507 ticket use empty session ID */
339 if (s->tlsext_ticket_expected)
340 {
341 ss->session_id_length = 0;
342 goto sess_id_done;
343 }
344#endif
345 /* Choose which callback will set the session ID */
346 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
347 if(s->generate_session_id)
348 cb = s->generate_session_id;
349 else if(s->session_ctx->generate_session_id)
350 cb = s->session_ctx->generate_session_id;
351 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
352 /* Choose a session ID */
353 tmp = ss->session_id_length;
354 if(!cb(s, ss->session_id, &tmp))
355 {
356 /* The callback failed */
357 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
358 SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
359 SSL_SESSION_free(ss);
360 return(0);
361 }
362 /* Don't allow the callback to set the session length to zero.
363 * nor set it higher than it was. */
364 if(!tmp || (tmp > ss->session_id_length))
365 {
366 /* The callback set an illegal length */
367 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
368 SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
369 SSL_SESSION_free(ss);
370 return(0);
371 }
372 /* If the session length was shrunk and we're SSLv2, pad it */
373 if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION))
374 memset(ss->session_id + tmp, 0, ss->session_id_length - tmp);
375 else
376 ss->session_id_length = tmp;
377 /* Finally, check for a conflict */
378 if(SSL_has_matching_session_id(s, ss->session_id,
379 ss->session_id_length))
380 {
381 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
382 SSL_R_SSL_SESSION_ID_CONFLICT);
383 SSL_SESSION_free(ss);
384 return(0);
385 }
386#ifndef OPENSSL_NO_TLSEXT
387 sess_id_done:
388 if (s->tlsext_hostname) {
389 ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
390 if (ss->tlsext_hostname == NULL) {
391 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
392 SSL_SESSION_free(ss);
393 return 0;
394 }
395 }
396#ifndef OPENSSL_NO_EC
397 if (s->tlsext_ecpointformatlist)
398 {
399 if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
400 if ((ss->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
401 {
402 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
403 SSL_SESSION_free(ss);
404 return 0;
405 }
406 ss->tlsext_ecpointformatlist_length = s->tlsext_ecpointformatlist_length;
407 memcpy(ss->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
408 }
409 if (s->tlsext_ellipticcurvelist)
410 {
411 if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
412 if ((ss->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
413 {
414 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
415 SSL_SESSION_free(ss);
416 return 0;
417 }
418 ss->tlsext_ellipticcurvelist_length = s->tlsext_ellipticcurvelist_length;
419 memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
420 }
421#endif
422#endif
423 }
424 else
425 {
426 ss->session_id_length=0;
427 }
428
429 if (s->sid_ctx_length > sizeof ss->sid_ctx)
430 {
431 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
432 SSL_SESSION_free(ss);
433 return 0;
434 }
435 memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
436 ss->sid_ctx_length=s->sid_ctx_length;
437 s->session=ss;
438 ss->ssl_version=s->version;
439 ss->verify_result = X509_V_OK;
440
441 return(1);
442 }
443
444/* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
445 * connection. It is only called by servers.
446 *
447 * session_id: points at the session ID in the ClientHello. This code will
448 * read past the end of this in order to parse out the session ticket
449 * extension, if any.
450 * len: the length of the session ID.
451 * limit: a pointer to the first byte after the ClientHello.
452 *
453 * Returns:
454 * -1: error
455 * 0: a session may have been found.
456 *
457 * Side effects:
458 * - If a session is found then s->session is pointed at it (after freeing an
459 * existing session if need be) and s->verify_result is set from the session.
460 * - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
461 * if the server should issue a new session ticket (to 0 otherwise).
462 */
463int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
464 const unsigned char *limit)
465 {
466 /* This is used only by servers. */
467
468 SSL_SESSION *ret=NULL;
469 int fatal = 0;
470 int try_session_cache = 1;
471#ifndef OPENSSL_NO_TLSEXT
472 int r;
473#endif
474
475 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
476 goto err;
477
478 if (len == 0)
479 try_session_cache = 0;
480
481#ifndef OPENSSL_NO_TLSEXT
482 r = tls1_process_ticket(s, session_id, len, limit, &ret); /* sets s->tlsext_ticket_expected */
483 switch (r)
484 {
485 case -1: /* Error during processing */
486 fatal = 1;
487 goto err;
488 case 0: /* No ticket found */
489 case 1: /* Zero length ticket found */
490 break; /* Ok to carry on processing session id. */
491 case 2: /* Ticket found but not decrypted. */
492 case 3: /* Ticket decrypted, *ret has been set. */
493 try_session_cache = 0;
494 break;
495 default:
496 abort();
497 }
498#endif
499
500 if (try_session_cache &&
501 ret == NULL &&
502 !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
503 {
504 SSL_SESSION data;
505 data.ssl_version=s->version;
506 data.session_id_length=len;
507 if (len == 0)
508 return 0;
509 memcpy(data.session_id,session_id,len);
510 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
511 ret=lh_SSL_SESSION_retrieve(s->session_ctx->sessions,&data);
512 if (ret != NULL)
513 {
514 /* don't allow other threads to steal it: */
515 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
516 }
517 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
518 if (ret == NULL)
519 s->session_ctx->stats.sess_miss++;
520 }
521
522 if (try_session_cache &&
523 ret == NULL &&
524 s->session_ctx->get_session_cb != NULL)
525 {
526 int copy=1;
527
528 if ((ret=s->session_ctx->get_session_cb(s,session_id,len,&copy)))
529 {
530 s->session_ctx->stats.sess_cb_hit++;
531
532 /* Increment reference count now if the session callback
533 * asks us to do so (note that if the session structures
534 * returned by the callback are shared between threads,
535 * it must handle the reference count itself [i.e. copy == 0],
536 * or things won't be thread-safe). */
537 if (copy)
538 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
539
540 /* Add the externally cached session to the internal
541 * cache as well if and only if we are supposed to. */
542 if(!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
543 /* The following should not return 1, otherwise,
544 * things are very strange */
545 SSL_CTX_add_session(s->session_ctx,ret);
546 }
547 }
548
549 if (ret == NULL)
550 goto err;
551
552 /* Now ret is non-NULL and we own one of its reference counts. */
553
554 if (ret->sid_ctx_length != s->sid_ctx_length
555 || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))
556 {
557 /* We have the session requested by the client, but we don't
558 * want to use it in this context. */
559 goto err; /* treat like cache miss */
560 }
561
562 if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0)
563 {
564 /* We can't be sure if this session is being used out of
565 * context, which is especially important for SSL_VERIFY_PEER.
566 * The application should have used SSL[_CTX]_set_session_id_context.
567 *
568 * For this error case, we generate an error instead of treating
569 * the event like a cache miss (otherwise it would be easy for
570 * applications to effectively disable the session cache by
571 * accident without anyone noticing).
572 */
573
574 SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
575 fatal = 1;
576 goto err;
577 }
578
579 if (ret->cipher == NULL)
580 {
581 unsigned char buf[5],*p;
582 unsigned long l;
583
584 p=buf;
585 l=ret->cipher_id;
586 l2n(l,p);
587 if ((ret->ssl_version>>8) >= SSL3_VERSION_MAJOR)
588 ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
589 else
590 ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
591 if (ret->cipher == NULL)
592 goto err;
593 }
594
595 if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
596 {
597 s->session_ctx->stats.sess_timeout++;
598 if (try_session_cache)
599 {
600 /* session was from the cache, so remove it */
601 SSL_CTX_remove_session(s->session_ctx,ret);
602 }
603 goto err;
604 }
605
606 s->session_ctx->stats.sess_hit++;
607
608 if (s->session != NULL)
609 SSL_SESSION_free(s->session);
610 s->session=ret;
611 s->verify_result = s->session->verify_result;
612 return 1;
613
614 err:
615 if (ret != NULL)
616 {
617 SSL_SESSION_free(ret);
618#ifndef OPENSSL_NO_TLSEXT
619 if (!try_session_cache)
620 {
621 /* The session was from a ticket, so we should
622 * issue a ticket for the new session */
623 s->tlsext_ticket_expected = 1;
624 }
625#endif
626 }
627 if (fatal)
628 return -1;
629 else
630 return 0;
631 }
632
633int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
634 {
635 int ret=0;
636 SSL_SESSION *s;
637
638 /* add just 1 reference count for the SSL_CTX's session cache
639 * even though it has two ways of access: each session is in a
640 * doubly linked list and an lhash */
641 CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
642 /* if session c is in already in cache, we take back the increment later */
643
644 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
645 s=lh_SSL_SESSION_insert(ctx->sessions,c);
646
647 /* s != NULL iff we already had a session with the given PID.
648 * In this case, s == c should hold (then we did not really modify
649 * ctx->sessions), or we're in trouble. */
650 if (s != NULL && s != c)
651 {
652 /* We *are* in trouble ... */
653 SSL_SESSION_list_remove(ctx,s);
654 SSL_SESSION_free(s);
655 /* ... so pretend the other session did not exist in cache
656 * (we cannot handle two SSL_SESSION structures with identical
657 * session ID in the same cache, which could happen e.g. when
658 * two threads concurrently obtain the same session from an external
659 * cache) */
660 s = NULL;
661 }
662
663 /* Put at the head of the queue unless it is already in the cache */
664 if (s == NULL)
665 SSL_SESSION_list_add(ctx,c);
666
667 if (s != NULL)
668 {
669 /* existing cache entry -- decrement previously incremented reference
670 * count because it already takes into account the cache */
671
672 SSL_SESSION_free(s); /* s == c */
673 ret=0;
674 }
675 else
676 {
677 /* new cache entry -- remove old ones if cache has become too large */
678
679 ret=1;
680
681 if (SSL_CTX_sess_get_cache_size(ctx) > 0)
682 {
683 while (SSL_CTX_sess_number(ctx) >
684 SSL_CTX_sess_get_cache_size(ctx))
685 {
686 if (!remove_session_lock(ctx,
687 ctx->session_cache_tail, 0))
688 break;
689 else
690 ctx->stats.sess_cache_full++;
691 }
692 }
693 }
694 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
695 return(ret);
696 }
697
698int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
699{
700 return remove_session_lock(ctx, c, 1);
701}
702
703static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
704 {
705 SSL_SESSION *r;
706 int ret=0;
707
708 if ((c != NULL) && (c->session_id_length != 0))
709 {
710 if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
711 if ((r = lh_SSL_SESSION_retrieve(ctx->sessions,c)) == c)
712 {
713 ret=1;
714 r=lh_SSL_SESSION_delete(ctx->sessions,c);
715 SSL_SESSION_list_remove(ctx,c);
716 }
717
718 if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
719
720 if (ret)
721 {
722 r->not_resumable=1;
723 if (ctx->remove_session_cb != NULL)
724 ctx->remove_session_cb(ctx,r);
725 SSL_SESSION_free(r);
726 }
727 }
728 else
729 ret=0;
730 return(ret);
731 }
732
733void SSL_SESSION_free(SSL_SESSION *ss)
734 {
735 int i;
736
737 if(ss == NULL)
738 return;
739
740 i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
741#ifdef REF_PRINT
742 REF_PRINT("SSL_SESSION",ss);
743#endif
744 if (i > 0) return;
745#ifdef REF_CHECK
746 if (i < 0)
747 {
748 fprintf(stderr,"SSL_SESSION_free, bad reference count\n");
749 abort(); /* ok */
750 }
751#endif
752
753 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
754
755 OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
756 OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
757 OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
758 if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
759 if (ss->peer != NULL) X509_free(ss->peer);
760 if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
761#ifndef OPENSSL_NO_TLSEXT
762 if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
763 if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
764#ifndef OPENSSL_NO_EC
765 ss->tlsext_ecpointformatlist_length = 0;
766 if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
767 ss->tlsext_ellipticcurvelist_length = 0;
768 if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
769#endif /* OPENSSL_NO_EC */
770#endif
771#ifndef OPENSSL_NO_PSK
772 if (ss->psk_identity_hint != NULL)
773 OPENSSL_free(ss->psk_identity_hint);
774 if (ss->psk_identity != NULL)
775 OPENSSL_free(ss->psk_identity);
776#endif
777#ifndef OPENSSL_NO_SRP
778 if (ss->srp_username != NULL)
779 OPENSSL_free(ss->srp_username);
780#endif
781 OPENSSL_cleanse(ss,sizeof(*ss));
782 OPENSSL_free(ss);
783 }
784
785int SSL_set_session(SSL *s, SSL_SESSION *session)
786 {
787 int ret=0;
788 const SSL_METHOD *meth;
789
790 if (session != NULL)
791 {
792 meth=s->ctx->method->get_ssl_method(session->ssl_version);
793 if (meth == NULL)
794 meth=s->method->get_ssl_method(session->ssl_version);
795 if (meth == NULL)
796 {
797 SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD);
798 return(0);
799 }
800
801 if (meth != s->method)
802 {
803 if (!SSL_set_ssl_method(s,meth))
804 return(0);
805 }
806
807#ifndef OPENSSL_NO_KRB5
808 if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
809 session->krb5_client_princ_len > 0)
810 {
811 s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
812 memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
813 session->krb5_client_princ_len);
814 s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
815 }
816#endif /* OPENSSL_NO_KRB5 */
817
818 /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
819 CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
820 if (s->session != NULL)
821 SSL_SESSION_free(s->session);
822 s->session=session;
823 s->verify_result = s->session->verify_result;
824 /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
825 ret=1;
826 }
827 else
828 {
829 if (s->session != NULL)
830 {
831 SSL_SESSION_free(s->session);
832 s->session=NULL;
833 }
834
835 meth=s->ctx->method;
836 if (meth != s->method)
837 {
838 if (!SSL_set_ssl_method(s,meth))
839 return(0);
840 }
841 ret=1;
842 }
843 return(ret);
844 }
845
846long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
847 {
848 if (s == NULL) return(0);
849 s->timeout=t;
850 return(1);
851 }
852
853long SSL_SESSION_get_timeout(const SSL_SESSION *s)
854 {
855 if (s == NULL) return(0);
856 return(s->timeout);
857 }
858
859long SSL_SESSION_get_time(const SSL_SESSION *s)
860 {
861 if (s == NULL) return(0);
862 return(s->time);
863 }
864
865long SSL_SESSION_set_time(SSL_SESSION *s, long t)
866 {
867 if (s == NULL) return(0);
868 s->time=t;
869 return(t);
870 }
871
872X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
873 {
874 return s->peer;
875 }
876
877int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
878 unsigned int sid_ctx_len)
879 {
880 if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
881 {
882 SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
883 return 0;
884 }
885 s->sid_ctx_length=sid_ctx_len;
886 memcpy(s->sid_ctx,sid_ctx,sid_ctx_len);
887
888 return 1;
889 }
890
891long SSL_CTX_set_timeout(SSL_CTX *s, long t)
892 {
893 long l;
894 if (s == NULL) return(0);
895 l=s->session_timeout;
896 s->session_timeout=t;
897 return(l);
898 }
899
900long SSL_CTX_get_timeout(const SSL_CTX *s)
901 {
902 if (s == NULL) return(0);
903 return(s->session_timeout);
904 }
905
906#ifndef OPENSSL_NO_TLSEXT
907int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
908 STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
909 {
910 if (s == NULL) return(0);
911 s->tls_session_secret_cb = tls_session_secret_cb;
912 s->tls_session_secret_cb_arg = arg;
913 return(1);
914 }
915
916int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
917 void *arg)
918 {
919 if (s == NULL) return(0);
920 s->tls_session_ticket_ext_cb = cb;
921 s->tls_session_ticket_ext_cb_arg = arg;
922 return(1);
923 }
924
925int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
926 {
927 if (s->version >= TLS1_VERSION)
928 {
929 if (s->tlsext_session_ticket)
930 {
931 OPENSSL_free(s->tlsext_session_ticket);
932 s->tlsext_session_ticket = NULL;
933 }
934
935 s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
936 if (!s->tlsext_session_ticket)
937 {
938 SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
939 return 0;
940 }
941
942 if (ext_data)
943 {
944 s->tlsext_session_ticket->length = ext_len;
945 s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
946 memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
947 }
948 else
949 {
950 s->tlsext_session_ticket->length = 0;
951 s->tlsext_session_ticket->data = NULL;
952 }
953
954 return 1;
955 }
956
957 return 0;
958 }
959#endif /* OPENSSL_NO_TLSEXT */
960
961typedef struct timeout_param_st
962 {
963 SSL_CTX *ctx;
964 long time;
965 LHASH_OF(SSL_SESSION) *cache;
966 } TIMEOUT_PARAM;
967
968static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
969 {
970 if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
971 {
972 /* The reason we don't call SSL_CTX_remove_session() is to
973 * save on locking overhead */
974 (void)lh_SSL_SESSION_delete(p->cache,s);
975 SSL_SESSION_list_remove(p->ctx,s);
976 s->not_resumable=1;
977 if (p->ctx->remove_session_cb != NULL)
978 p->ctx->remove_session_cb(p->ctx,s);
979 SSL_SESSION_free(s);
980 }
981 }
982
983static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM)
984
985void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
986 {
987 unsigned long i;
988 TIMEOUT_PARAM tp;
989
990 tp.ctx=s;
991 tp.cache=s->sessions;
992 if (tp.cache == NULL) return;
993 tp.time=t;
994 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
995 i=CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load;
996 CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=0;
997 lh_SSL_SESSION_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout),
998 TIMEOUT_PARAM, &tp);
999 CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=i;
1000 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1001 }
1002
1003int ssl_clear_bad_session(SSL *s)
1004 {
1005 if ( (s->session != NULL) &&
1006 !(s->shutdown & SSL_SENT_SHUTDOWN) &&
1007 !(SSL_in_init(s) || SSL_in_before(s)))
1008 {
1009 SSL_CTX_remove_session(s->ctx,s->session);
1010 return(1);
1011 }
1012 else
1013 return(0);
1014 }
1015
1016/* locked by SSL_CTX in the calling function */
1017static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
1018 {
1019 if ((s->next == NULL) || (s->prev == NULL)) return;
1020
1021 if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
1022 { /* last element in list */
1023 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
1024 { /* only one element in list */
1025 ctx->session_cache_head=NULL;
1026 ctx->session_cache_tail=NULL;
1027 }
1028 else
1029 {
1030 ctx->session_cache_tail=s->prev;
1031 s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
1032 }
1033 }
1034 else
1035 {
1036 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
1037 { /* first element in list */
1038 ctx->session_cache_head=s->next;
1039 s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
1040 }
1041 else
1042 { /* middle of list */
1043 s->next->prev=s->prev;
1044 s->prev->next=s->next;
1045 }
1046 }
1047 s->prev=s->next=NULL;
1048 }
1049
1050static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
1051 {
1052 if ((s->next != NULL) && (s->prev != NULL))
1053 SSL_SESSION_list_remove(ctx,s);
1054
1055 if (ctx->session_cache_head == NULL)
1056 {
1057 ctx->session_cache_head=s;
1058 ctx->session_cache_tail=s;
1059 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
1060 s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
1061 }
1062 else
1063 {
1064 s->next=ctx->session_cache_head;
1065 s->next->prev=s;
1066 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
1067 ctx->session_cache_head=s;
1068 }
1069 }
1070
1071void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
1072 int (*cb)(struct ssl_st *ssl,SSL_SESSION *sess))
1073 {
1074 ctx->new_session_cb=cb;
1075 }
1076
1077int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
1078 {
1079 return ctx->new_session_cb;
1080 }
1081
1082void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
1083 void (*cb)(SSL_CTX *ctx,SSL_SESSION *sess))
1084 {
1085 ctx->remove_session_cb=cb;
1086 }
1087
1088void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx,SSL_SESSION *sess)
1089 {
1090 return ctx->remove_session_cb;
1091 }
1092
1093void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
1094 SSL_SESSION *(*cb)(struct ssl_st *ssl,
1095 unsigned char *data,int len,int *copy))
1096 {
1097 ctx->get_session_cb=cb;
1098 }
1099
1100SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
1101 unsigned char *data,int len,int *copy)
1102 {
1103 return ctx->get_session_cb;
1104 }
1105
1106void SSL_CTX_set_info_callback(SSL_CTX *ctx,
1107 void (*cb)(const SSL *ssl,int type,int val))
1108 {
1109 ctx->info_callback=cb;
1110 }
1111
1112void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val)
1113 {
1114 return ctx->info_callback;
1115 }
1116
1117void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
1118 int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey))
1119 {
1120 ctx->client_cert_cb=cb;
1121 }
1122
1123int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey)
1124 {
1125 return ctx->client_cert_cb;
1126 }
1127
1128#ifndef OPENSSL_NO_ENGINE
1129int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
1130 {
1131 if (!ENGINE_init(e))
1132 {
1133 SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
1134 return 0;
1135 }
1136 if(!ENGINE_get_ssl_client_cert_function(e))
1137 {
1138 SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
1139 ENGINE_finish(e);
1140 return 0;
1141 }
1142 ctx->client_cert_engine = e;
1143 return 1;
1144 }
1145#endif
1146
1147void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
1148 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
1149 {
1150 ctx->app_gen_cookie_cb=cb;
1151 }
1152
1153void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
1154 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len))
1155 {
1156 ctx->app_verify_cookie_cb=cb;
1157 }
1158
1159IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
deleted file mode 100644
index 144b81e55f..0000000000
--- a/src/lib/libssl/ssl_stat.c
+++ /dev/null
@@ -1,567 +0,0 @@
1/* ssl/ssl_stat.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
84
85#include <stdio.h>
86#include "ssl_locl.h"
87
88const char *SSL_state_string_long(const SSL *s)
89 {
90 const char *str;
91
92 switch (s->state)
93 {
94case SSL_ST_BEFORE: str="before SSL initialization"; break;
95case SSL_ST_ACCEPT: str="before accept initialization"; break;
96case SSL_ST_CONNECT: str="before connect initialization"; break;
97case SSL_ST_OK: str="SSL negotiation finished successfully"; break;
98case SSL_ST_RENEGOTIATE: str="SSL renegotiate ciphers"; break;
99case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initialization"; break;
100case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
101case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
102case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
103#ifndef OPENSSL_NO_SSL2
104case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
105case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
106case SSL2_ST_SEND_CLIENT_HELLO_A: str="SSLv2 write client hello A"; break;
107case SSL2_ST_SEND_CLIENT_HELLO_B: str="SSLv2 write client hello B"; break;
108case SSL2_ST_GET_SERVER_HELLO_A: str="SSLv2 read server hello A"; break;
109case SSL2_ST_GET_SERVER_HELLO_B: str="SSLv2 read server hello B"; break;
110case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="SSLv2 write client master key A"; break;
111case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="SSLv2 write client master key B"; break;
112case SSL2_ST_SEND_CLIENT_FINISHED_A: str="SSLv2 write client finished A"; break;
113case SSL2_ST_SEND_CLIENT_FINISHED_B: str="SSLv2 write client finished B"; break;
114case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="SSLv2 write client certificate A"; break;
115case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="SSLv2 write client certificate B"; break;
116case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="SSLv2 write client certificate C"; break;
117case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="SSLv2 write client certificate D"; break;
118case SSL2_ST_GET_SERVER_VERIFY_A: str="SSLv2 read server verify A"; break;
119case SSL2_ST_GET_SERVER_VERIFY_B: str="SSLv2 read server verify B"; break;
120case SSL2_ST_GET_SERVER_FINISHED_A: str="SSLv2 read server finished A"; break;
121case SSL2_ST_GET_SERVER_FINISHED_B: str="SSLv2 read server finished B"; break;
122case SSL2_ST_GET_CLIENT_HELLO_A: str="SSLv2 read client hello A"; break;
123case SSL2_ST_GET_CLIENT_HELLO_B: str="SSLv2 read client hello B"; break;
124case SSL2_ST_GET_CLIENT_HELLO_C: str="SSLv2 read client hello C"; break;
125case SSL2_ST_SEND_SERVER_HELLO_A: str="SSLv2 write server hello A"; break;
126case SSL2_ST_SEND_SERVER_HELLO_B: str="SSLv2 write server hello B"; break;
127case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="SSLv2 read client master key A"; break;
128case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="SSLv2 read client master key B"; break;
129case SSL2_ST_SEND_SERVER_VERIFY_A: str="SSLv2 write server verify A"; break;
130case SSL2_ST_SEND_SERVER_VERIFY_B: str="SSLv2 write server verify B"; break;
131case SSL2_ST_SEND_SERVER_VERIFY_C: str="SSLv2 write server verify C"; break;
132case SSL2_ST_GET_CLIENT_FINISHED_A: str="SSLv2 read client finished A"; break;
133case SSL2_ST_GET_CLIENT_FINISHED_B: str="SSLv2 read client finished B"; break;
134case SSL2_ST_SEND_SERVER_FINISHED_A: str="SSLv2 write server finished A"; break;
135case SSL2_ST_SEND_SERVER_FINISHED_B: str="SSLv2 write server finished B"; break;
136case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="SSLv2 write request certificate A"; break;
137case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="SSLv2 write request certificate B"; break;
138case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="SSLv2 write request certificate C"; break;
139case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="SSLv2 write request certificate D"; break;
140case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="SSLv2 X509 read server certificate"; break;
141case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="SSLv2 X509 read client certificate"; break;
142#endif
143
144#ifndef OPENSSL_NO_SSL3
145/* SSLv3 additions */
146case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break;
147case SSL3_ST_CW_CLNT_HELLO_B: str="SSLv3 write client hello B"; break;
148case SSL3_ST_CR_SRVR_HELLO_A: str="SSLv3 read server hello A"; break;
149case SSL3_ST_CR_SRVR_HELLO_B: str="SSLv3 read server hello B"; break;
150case SSL3_ST_CR_CERT_A: str="SSLv3 read server certificate A"; break;
151case SSL3_ST_CR_CERT_B: str="SSLv3 read server certificate B"; break;
152case SSL3_ST_CR_KEY_EXCH_A: str="SSLv3 read server key exchange A"; break;
153case SSL3_ST_CR_KEY_EXCH_B: str="SSLv3 read server key exchange B"; break;
154case SSL3_ST_CR_CERT_REQ_A: str="SSLv3 read server certificate request A"; break;
155case SSL3_ST_CR_CERT_REQ_B: str="SSLv3 read server certificate request B"; break;
156case SSL3_ST_CR_SESSION_TICKET_A: str="SSLv3 read server session ticket A";break;
157case SSL3_ST_CR_SESSION_TICKET_B: str="SSLv3 read server session ticket B";break;
158case SSL3_ST_CR_SRVR_DONE_A: str="SSLv3 read server done A"; break;
159case SSL3_ST_CR_SRVR_DONE_B: str="SSLv3 read server done B"; break;
160case SSL3_ST_CW_CERT_A: str="SSLv3 write client certificate A"; break;
161case SSL3_ST_CW_CERT_B: str="SSLv3 write client certificate B"; break;
162case SSL3_ST_CW_CERT_C: str="SSLv3 write client certificate C"; break;
163case SSL3_ST_CW_CERT_D: str="SSLv3 write client certificate D"; break;
164case SSL3_ST_CW_KEY_EXCH_A: str="SSLv3 write client key exchange A"; break;
165case SSL3_ST_CW_KEY_EXCH_B: str="SSLv3 write client key exchange B"; break;
166case SSL3_ST_CW_CERT_VRFY_A: str="SSLv3 write certificate verify A"; break;
167case SSL3_ST_CW_CERT_VRFY_B: str="SSLv3 write certificate verify B"; break;
168
169case SSL3_ST_CW_CHANGE_A:
170case SSL3_ST_SW_CHANGE_A: str="SSLv3 write change cipher spec A"; break;
171case SSL3_ST_CW_CHANGE_B:
172case SSL3_ST_SW_CHANGE_B: str="SSLv3 write change cipher spec B"; break;
173case SSL3_ST_CW_FINISHED_A:
174case SSL3_ST_SW_FINISHED_A: str="SSLv3 write finished A"; break;
175case SSL3_ST_CW_FINISHED_B:
176case SSL3_ST_SW_FINISHED_B: str="SSLv3 write finished B"; break;
177case SSL3_ST_CR_CHANGE_A:
178case SSL3_ST_SR_CHANGE_A: str="SSLv3 read change cipher spec A"; break;
179case SSL3_ST_CR_CHANGE_B:
180case SSL3_ST_SR_CHANGE_B: str="SSLv3 read change cipher spec B"; break;
181case SSL3_ST_CR_FINISHED_A:
182case SSL3_ST_SR_FINISHED_A: str="SSLv3 read finished A"; break;
183case SSL3_ST_CR_FINISHED_B:
184case SSL3_ST_SR_FINISHED_B: str="SSLv3 read finished B"; break;
185
186case SSL3_ST_CW_FLUSH:
187case SSL3_ST_SW_FLUSH: str="SSLv3 flush data"; break;
188
189case SSL3_ST_SR_CLNT_HELLO_A: str="SSLv3 read client hello A"; break;
190case SSL3_ST_SR_CLNT_HELLO_B: str="SSLv3 read client hello B"; break;
191case SSL3_ST_SR_CLNT_HELLO_C: str="SSLv3 read client hello C"; break;
192case SSL3_ST_SW_HELLO_REQ_A: str="SSLv3 write hello request A"; break;
193case SSL3_ST_SW_HELLO_REQ_B: str="SSLv3 write hello request B"; break;
194case SSL3_ST_SW_HELLO_REQ_C: str="SSLv3 write hello request C"; break;
195case SSL3_ST_SW_SRVR_HELLO_A: str="SSLv3 write server hello A"; break;
196case SSL3_ST_SW_SRVR_HELLO_B: str="SSLv3 write server hello B"; break;
197case SSL3_ST_SW_CERT_A: str="SSLv3 write certificate A"; break;
198case SSL3_ST_SW_CERT_B: str="SSLv3 write certificate B"; break;
199case SSL3_ST_SW_KEY_EXCH_A: str="SSLv3 write key exchange A"; break;
200case SSL3_ST_SW_KEY_EXCH_B: str="SSLv3 write key exchange B"; break;
201case SSL3_ST_SW_CERT_REQ_A: str="SSLv3 write certificate request A"; break;
202case SSL3_ST_SW_CERT_REQ_B: str="SSLv3 write certificate request B"; break;
203case SSL3_ST_SW_SESSION_TICKET_A: str="SSLv3 write session ticket A"; break;
204case SSL3_ST_SW_SESSION_TICKET_B: str="SSLv3 write session ticket B"; break;
205case SSL3_ST_SW_SRVR_DONE_A: str="SSLv3 write server done A"; break;
206case SSL3_ST_SW_SRVR_DONE_B: str="SSLv3 write server done B"; break;
207case SSL3_ST_SR_CERT_A: str="SSLv3 read client certificate A"; break;
208case SSL3_ST_SR_CERT_B: str="SSLv3 read client certificate B"; break;
209case SSL3_ST_SR_KEY_EXCH_A: str="SSLv3 read client key exchange A"; break;
210case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break;
211case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break;
212case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
213#endif
214
215#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
216/* SSLv2/v3 compatibility states */
217/* client */
218case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break;
219case SSL23_ST_CW_CLNT_HELLO_B: str="SSLv2/v3 write client hello B"; break;
220case SSL23_ST_CR_SRVR_HELLO_A: str="SSLv2/v3 read server hello A"; break;
221case SSL23_ST_CR_SRVR_HELLO_B: str="SSLv2/v3 read server hello B"; break;
222/* server */
223case SSL23_ST_SR_CLNT_HELLO_A: str="SSLv2/v3 read client hello A"; break;
224case SSL23_ST_SR_CLNT_HELLO_B: str="SSLv2/v3 read client hello B"; break;
225#endif
226
227/* DTLS */
228case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DTLS1 read hello verify request A"; break;
229case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: str="DTLS1 read hello verify request B"; break;
230case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: str="DTLS1 write hello verify request A"; break;
231case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: str="DTLS1 write hello verify request B"; break;
232
233default: str="unknown state"; break;
234 }
235 return(str);
236 }
237
238const char *SSL_rstate_string_long(const SSL *s)
239 {
240 const char *str;
241
242 switch (s->rstate)
243 {
244 case SSL_ST_READ_HEADER: str="read header"; break;
245 case SSL_ST_READ_BODY: str="read body"; break;
246 case SSL_ST_READ_DONE: str="read done"; break;
247 default: str="unknown"; break;
248 }
249 return(str);
250 }
251
252const char *SSL_state_string(const SSL *s)
253 {
254 const char *str;
255
256 switch (s->state)
257 {
258case SSL_ST_BEFORE: str="PINIT "; break;
259case SSL_ST_ACCEPT: str="AINIT "; break;
260case SSL_ST_CONNECT: str="CINIT "; break;
261case SSL_ST_OK: str="SSLOK "; break;
262#ifndef OPENSSL_NO_SSL2
263case SSL2_ST_CLIENT_START_ENCRYPTION: str="2CSENC"; break;
264case SSL2_ST_SERVER_START_ENCRYPTION: str="2SSENC"; break;
265case SSL2_ST_SEND_CLIENT_HELLO_A: str="2SCH_A"; break;
266case SSL2_ST_SEND_CLIENT_HELLO_B: str="2SCH_B"; break;
267case SSL2_ST_GET_SERVER_HELLO_A: str="2GSH_A"; break;
268case SSL2_ST_GET_SERVER_HELLO_B: str="2GSH_B"; break;
269case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="2SCMKA"; break;
270case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="2SCMKB"; break;
271case SSL2_ST_SEND_CLIENT_FINISHED_A: str="2SCF_A"; break;
272case SSL2_ST_SEND_CLIENT_FINISHED_B: str="2SCF_B"; break;
273case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="2SCC_A"; break;
274case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="2SCC_B"; break;
275case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="2SCC_C"; break;
276case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="2SCC_D"; break;
277case SSL2_ST_GET_SERVER_VERIFY_A: str="2GSV_A"; break;
278case SSL2_ST_GET_SERVER_VERIFY_B: str="2GSV_B"; break;
279case SSL2_ST_GET_SERVER_FINISHED_A: str="2GSF_A"; break;
280case SSL2_ST_GET_SERVER_FINISHED_B: str="2GSF_B"; break;
281case SSL2_ST_GET_CLIENT_HELLO_A: str="2GCH_A"; break;
282case SSL2_ST_GET_CLIENT_HELLO_B: str="2GCH_B"; break;
283case SSL2_ST_GET_CLIENT_HELLO_C: str="2GCH_C"; break;
284case SSL2_ST_SEND_SERVER_HELLO_A: str="2SSH_A"; break;
285case SSL2_ST_SEND_SERVER_HELLO_B: str="2SSH_B"; break;
286case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="2GCMKA"; break;
287case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="2GCMKA"; break;
288case SSL2_ST_SEND_SERVER_VERIFY_A: str="2SSV_A"; break;
289case SSL2_ST_SEND_SERVER_VERIFY_B: str="2SSV_B"; break;
290case SSL2_ST_SEND_SERVER_VERIFY_C: str="2SSV_C"; break;
291case SSL2_ST_GET_CLIENT_FINISHED_A: str="2GCF_A"; break;
292case SSL2_ST_GET_CLIENT_FINISHED_B: str="2GCF_B"; break;
293case SSL2_ST_SEND_SERVER_FINISHED_A: str="2SSF_A"; break;
294case SSL2_ST_SEND_SERVER_FINISHED_B: str="2SSF_B"; break;
295case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="2SRC_A"; break;
296case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="2SRC_B"; break;
297case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="2SRC_C"; break;
298case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="2SRC_D"; break;
299case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="2X9GSC"; break;
300case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="2X9GCC"; break;
301#endif
302
303#ifndef OPENSSL_NO_SSL3
304/* SSLv3 additions */
305case SSL3_ST_SW_FLUSH:
306case SSL3_ST_CW_FLUSH: str="3FLUSH"; break;
307case SSL3_ST_CW_CLNT_HELLO_A: str="3WCH_A"; break;
308case SSL3_ST_CW_CLNT_HELLO_B: str="3WCH_B"; break;
309case SSL3_ST_CR_SRVR_HELLO_A: str="3RSH_A"; break;
310case SSL3_ST_CR_SRVR_HELLO_B: str="3RSH_B"; break;
311case SSL3_ST_CR_CERT_A: str="3RSC_A"; break;
312case SSL3_ST_CR_CERT_B: str="3RSC_B"; break;
313case SSL3_ST_CR_KEY_EXCH_A: str="3RSKEA"; break;
314case SSL3_ST_CR_KEY_EXCH_B: str="3RSKEB"; break;
315case SSL3_ST_CR_CERT_REQ_A: str="3RCR_A"; break;
316case SSL3_ST_CR_CERT_REQ_B: str="3RCR_B"; break;
317case SSL3_ST_CR_SRVR_DONE_A: str="3RSD_A"; break;
318case SSL3_ST_CR_SRVR_DONE_B: str="3RSD_B"; break;
319case SSL3_ST_CW_CERT_A: str="3WCC_A"; break;
320case SSL3_ST_CW_CERT_B: str="3WCC_B"; break;
321case SSL3_ST_CW_CERT_C: str="3WCC_C"; break;
322case SSL3_ST_CW_CERT_D: str="3WCC_D"; break;
323case SSL3_ST_CW_KEY_EXCH_A: str="3WCKEA"; break;
324case SSL3_ST_CW_KEY_EXCH_B: str="3WCKEB"; break;
325case SSL3_ST_CW_CERT_VRFY_A: str="3WCV_A"; break;
326case SSL3_ST_CW_CERT_VRFY_B: str="3WCV_B"; break;
327
328case SSL3_ST_SW_CHANGE_A:
329case SSL3_ST_CW_CHANGE_A: str="3WCCSA"; break;
330case SSL3_ST_SW_CHANGE_B:
331case SSL3_ST_CW_CHANGE_B: str="3WCCSB"; break;
332case SSL3_ST_SW_FINISHED_A:
333case SSL3_ST_CW_FINISHED_A: str="3WFINA"; break;
334case SSL3_ST_SW_FINISHED_B:
335case SSL3_ST_CW_FINISHED_B: str="3WFINB"; break;
336case SSL3_ST_SR_CHANGE_A:
337case SSL3_ST_CR_CHANGE_A: str="3RCCSA"; break;
338case SSL3_ST_SR_CHANGE_B:
339case SSL3_ST_CR_CHANGE_B: str="3RCCSB"; break;
340case SSL3_ST_SR_FINISHED_A:
341case SSL3_ST_CR_FINISHED_A: str="3RFINA"; break;
342case SSL3_ST_SR_FINISHED_B:
343case SSL3_ST_CR_FINISHED_B: str="3RFINB"; break;
344
345case SSL3_ST_SW_HELLO_REQ_A: str="3WHR_A"; break;
346case SSL3_ST_SW_HELLO_REQ_B: str="3WHR_B"; break;
347case SSL3_ST_SW_HELLO_REQ_C: str="3WHR_C"; break;
348case SSL3_ST_SR_CLNT_HELLO_A: str="3RCH_A"; break;
349case SSL3_ST_SR_CLNT_HELLO_B: str="3RCH_B"; break;
350case SSL3_ST_SR_CLNT_HELLO_C: str="3RCH_C"; break;
351case SSL3_ST_SW_SRVR_HELLO_A: str="3WSH_A"; break;
352case SSL3_ST_SW_SRVR_HELLO_B: str="3WSH_B"; break;
353case SSL3_ST_SW_CERT_A: str="3WSC_A"; break;
354case SSL3_ST_SW_CERT_B: str="3WSC_B"; break;
355case SSL3_ST_SW_KEY_EXCH_A: str="3WSKEA"; break;
356case SSL3_ST_SW_KEY_EXCH_B: str="3WSKEB"; break;
357case SSL3_ST_SW_CERT_REQ_A: str="3WCR_A"; break;
358case SSL3_ST_SW_CERT_REQ_B: str="3WCR_B"; break;
359case SSL3_ST_SW_SRVR_DONE_A: str="3WSD_A"; break;
360case SSL3_ST_SW_SRVR_DONE_B: str="3WSD_B"; break;
361case SSL3_ST_SR_CERT_A: str="3RCC_A"; break;
362case SSL3_ST_SR_CERT_B: str="3RCC_B"; break;
363case SSL3_ST_SR_KEY_EXCH_A: str="3RCKEA"; break;
364case SSL3_ST_SR_KEY_EXCH_B: str="3RCKEB"; break;
365case SSL3_ST_SR_CERT_VRFY_A: str="3RCV_A"; break;
366case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break;
367#endif
368
369#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
370/* SSLv2/v3 compatibility states */
371/* client */
372case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break;
373case SSL23_ST_CW_CLNT_HELLO_B: str="23WCHB"; break;
374case SSL23_ST_CR_SRVR_HELLO_A: str="23RSHA"; break;
375case SSL23_ST_CR_SRVR_HELLO_B: str="23RSHA"; break;
376/* server */
377case SSL23_ST_SR_CLNT_HELLO_A: str="23RCHA"; break;
378case SSL23_ST_SR_CLNT_HELLO_B: str="23RCHB"; break;
379#endif
380/* DTLS */
381case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DRCHVA"; break;
382case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: str="DRCHVB"; break;
383case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: str="DWCHVA"; break;
384case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: str="DWCHVB"; break;
385
386default: str="UNKWN "; break;
387 }
388 return(str);
389 }
390
391const char *SSL_alert_type_string_long(int value)
392 {
393 value>>=8;
394 if (value == SSL3_AL_WARNING)
395 return("warning");
396 else if (value == SSL3_AL_FATAL)
397 return("fatal");
398 else
399 return("unknown");
400 }
401
402const char *SSL_alert_type_string(int value)
403 {
404 value>>=8;
405 if (value == SSL3_AL_WARNING)
406 return("W");
407 else if (value == SSL3_AL_FATAL)
408 return("F");
409 else
410 return("U");
411 }
412
413const char *SSL_alert_desc_string(int value)
414 {
415 const char *str;
416
417 switch (value & 0xff)
418 {
419 case SSL3_AD_CLOSE_NOTIFY: str="CN"; break;
420 case SSL3_AD_UNEXPECTED_MESSAGE: str="UM"; break;
421 case SSL3_AD_BAD_RECORD_MAC: str="BM"; break;
422 case SSL3_AD_DECOMPRESSION_FAILURE: str="DF"; break;
423 case SSL3_AD_HANDSHAKE_FAILURE: str="HF"; break;
424 case SSL3_AD_NO_CERTIFICATE: str="NC"; break;
425 case SSL3_AD_BAD_CERTIFICATE: str="BC"; break;
426 case SSL3_AD_UNSUPPORTED_CERTIFICATE: str="UC"; break;
427 case SSL3_AD_CERTIFICATE_REVOKED: str="CR"; break;
428 case SSL3_AD_CERTIFICATE_EXPIRED: str="CE"; break;
429 case SSL3_AD_CERTIFICATE_UNKNOWN: str="CU"; break;
430 case SSL3_AD_ILLEGAL_PARAMETER: str="IP"; break;
431 case TLS1_AD_DECRYPTION_FAILED: str="DC"; break;
432 case TLS1_AD_RECORD_OVERFLOW: str="RO"; break;
433 case TLS1_AD_UNKNOWN_CA: str="CA"; break;
434 case TLS1_AD_ACCESS_DENIED: str="AD"; break;
435 case TLS1_AD_DECODE_ERROR: str="DE"; break;
436 case TLS1_AD_DECRYPT_ERROR: str="CY"; break;
437 case TLS1_AD_EXPORT_RESTRICTION: str="ER"; break;
438 case TLS1_AD_PROTOCOL_VERSION: str="PV"; break;
439 case TLS1_AD_INSUFFICIENT_SECURITY: str="IS"; break;
440 case TLS1_AD_INTERNAL_ERROR: str="IE"; break;
441 case TLS1_AD_USER_CANCELLED: str="US"; break;
442 case TLS1_AD_NO_RENEGOTIATION: str="NR"; break;
443 case TLS1_AD_UNSUPPORTED_EXTENSION: str="UE"; break;
444 case TLS1_AD_CERTIFICATE_UNOBTAINABLE: str="CO"; break;
445 case TLS1_AD_UNRECOGNIZED_NAME: str="UN"; break;
446 case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: str="BR"; break;
447 case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: str="BH"; break;
448 case TLS1_AD_UNKNOWN_PSK_IDENTITY: str="UP"; break;
449 default: str="UK"; break;
450 }
451 return(str);
452 }
453
454const char *SSL_alert_desc_string_long(int value)
455 {
456 const char *str;
457
458 switch (value & 0xff)
459 {
460 case SSL3_AD_CLOSE_NOTIFY:
461 str="close notify";
462 break;
463 case SSL3_AD_UNEXPECTED_MESSAGE:
464 str="unexpected_message";
465 break;
466 case SSL3_AD_BAD_RECORD_MAC:
467 str="bad record mac";
468 break;
469 case SSL3_AD_DECOMPRESSION_FAILURE:
470 str="decompression failure";
471 break;
472 case SSL3_AD_HANDSHAKE_FAILURE:
473 str="handshake failure";
474 break;
475 case SSL3_AD_NO_CERTIFICATE:
476 str="no certificate";
477 break;
478 case SSL3_AD_BAD_CERTIFICATE:
479 str="bad certificate";
480 break;
481 case SSL3_AD_UNSUPPORTED_CERTIFICATE:
482 str="unsupported certificate";
483 break;
484 case SSL3_AD_CERTIFICATE_REVOKED:
485 str="certificate revoked";
486 break;
487 case SSL3_AD_CERTIFICATE_EXPIRED:
488 str="certificate expired";
489 break;
490 case SSL3_AD_CERTIFICATE_UNKNOWN:
491 str="certificate unknown";
492 break;
493 case SSL3_AD_ILLEGAL_PARAMETER:
494 str="illegal parameter";
495 break;
496 case TLS1_AD_DECRYPTION_FAILED:
497 str="decryption failed";
498 break;
499 case TLS1_AD_RECORD_OVERFLOW:
500 str="record overflow";
501 break;
502 case TLS1_AD_UNKNOWN_CA:
503 str="unknown CA";
504 break;
505 case TLS1_AD_ACCESS_DENIED:
506 str="access denied";
507 break;
508 case TLS1_AD_DECODE_ERROR:
509 str="decode error";
510 break;
511 case TLS1_AD_DECRYPT_ERROR:
512 str="decrypt error";
513 break;
514 case TLS1_AD_EXPORT_RESTRICTION:
515 str="export restriction";
516 break;
517 case TLS1_AD_PROTOCOL_VERSION:
518 str="protocol version";
519 break;
520 case TLS1_AD_INSUFFICIENT_SECURITY:
521 str="insufficient security";
522 break;
523 case TLS1_AD_INTERNAL_ERROR:
524 str="internal error";
525 break;
526 case TLS1_AD_USER_CANCELLED:
527 str="user canceled";
528 break;
529 case TLS1_AD_NO_RENEGOTIATION:
530 str="no renegotiation";
531 break;
532 case TLS1_AD_UNSUPPORTED_EXTENSION:
533 str="unsupported extension";
534 break;
535 case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
536 str="certificate unobtainable";
537 break;
538 case TLS1_AD_UNRECOGNIZED_NAME:
539 str="unrecognized name";
540 break;
541 case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
542 str="bad certificate status response";
543 break;
544 case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
545 str="bad certificate hash value";
546 break;
547 case TLS1_AD_UNKNOWN_PSK_IDENTITY:
548 str="unknown PSK identity";
549 break;
550 default: str="unknown"; break;
551 }
552 return(str);
553 }
554
555const char *SSL_rstate_string(const SSL *s)
556 {
557 const char *str;
558
559 switch (s->rstate)
560 {
561 case SSL_ST_READ_HEADER:str="RH"; break;
562 case SSL_ST_READ_BODY: str="RB"; break;
563 case SSL_ST_READ_DONE: str="RD"; break;
564 default: str="unknown"; break;
565 }
566 return(str);
567 }
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
deleted file mode 100644
index 6479d52c0c..0000000000
--- a/src/lib/libssl/ssl_txt.c
+++ /dev/null
@@ -1,248 +0,0 @@
1/* ssl/ssl_txt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
84
85#include <stdio.h>
86#include <openssl/buffer.h>
87#include "ssl_locl.h"
88
89#ifndef OPENSSL_NO_FP_API
90int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
91 {
92 BIO *b;
93 int ret;
94
95 if ((b=BIO_new(BIO_s_file_internal())) == NULL)
96 {
97 SSLerr(SSL_F_SSL_SESSION_PRINT_FP,ERR_R_BUF_LIB);
98 return(0);
99 }
100 BIO_set_fp(b,fp,BIO_NOCLOSE);
101 ret=SSL_SESSION_print(b,x);
102 BIO_free(b);
103 return(ret);
104 }
105#endif
106
107int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
108 {
109 unsigned int i;
110 const char *s;
111
112 if (x == NULL) goto err;
113 if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err;
114 if (x->ssl_version == SSL2_VERSION)
115 s="SSLv2";
116 else if (x->ssl_version == SSL3_VERSION)
117 s="SSLv3";
118 else if (x->ssl_version == TLS1_2_VERSION)
119 s="TLSv1.2";
120 else if (x->ssl_version == TLS1_1_VERSION)
121 s="TLSv1.1";
122 else if (x->ssl_version == TLS1_VERSION)
123 s="TLSv1";
124 else if (x->ssl_version == DTLS1_VERSION)
125 s="DTLSv1";
126 else if (x->ssl_version == DTLS1_BAD_VER)
127 s="DTLSv1-bad";
128 else
129 s="unknown";
130 if (BIO_printf(bp," Protocol : %s\n",s) <= 0) goto err;
131
132 if (x->cipher == NULL)
133 {
134 if (((x->cipher_id) & 0xff000000) == 0x02000000)
135 {
136 if (BIO_printf(bp," Cipher : %06lX\n",x->cipher_id&0xffffff) <= 0)
137 goto err;
138 }
139 else
140 {
141 if (BIO_printf(bp," Cipher : %04lX\n",x->cipher_id&0xffff) <= 0)
142 goto err;
143 }
144 }
145 else
146 {
147 if (BIO_printf(bp," Cipher : %s\n",((x->cipher == NULL)?"unknown":x->cipher->name)) <= 0)
148 goto err;
149 }
150 if (BIO_puts(bp," Session-ID: ") <= 0) goto err;
151 for (i=0; i<x->session_id_length; i++)
152 {
153 if (BIO_printf(bp,"%02X",x->session_id[i]) <= 0) goto err;
154 }
155 if (BIO_puts(bp,"\n Session-ID-ctx: ") <= 0) goto err;
156 for (i=0; i<x->sid_ctx_length; i++)
157 {
158 if (BIO_printf(bp,"%02X",x->sid_ctx[i]) <= 0)
159 goto err;
160 }
161 if (BIO_puts(bp,"\n Master-Key: ") <= 0) goto err;
162 for (i=0; i<(unsigned int)x->master_key_length; i++)
163 {
164 if (BIO_printf(bp,"%02X",x->master_key[i]) <= 0) goto err;
165 }
166 if (BIO_puts(bp,"\n Key-Arg : ") <= 0) goto err;
167 if (x->key_arg_length == 0)
168 {
169 if (BIO_puts(bp,"None") <= 0) goto err;
170 }
171 else
172 for (i=0; i<x->key_arg_length; i++)
173 {
174 if (BIO_printf(bp,"%02X",x->key_arg[i]) <= 0) goto err;
175 }
176#ifndef OPENSSL_NO_KRB5
177 if (BIO_puts(bp,"\n Krb5 Principal: ") <= 0) goto err;
178 if (x->krb5_client_princ_len == 0)
179 {
180 if (BIO_puts(bp,"None") <= 0) goto err;
181 }
182 else
183 for (i=0; i<x->krb5_client_princ_len; i++)
184 {
185 if (BIO_printf(bp,"%02X",x->krb5_client_princ[i]) <= 0) goto err;
186 }
187#endif /* OPENSSL_NO_KRB5 */
188#ifndef OPENSSL_NO_PSK
189 if (BIO_puts(bp,"\n PSK identity: ") <= 0) goto err;
190 if (BIO_printf(bp, "%s", x->psk_identity ? x->psk_identity : "None") <= 0) goto err;
191 if (BIO_puts(bp,"\n PSK identity hint: ") <= 0) goto err;
192 if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0) goto err;
193#endif
194#ifndef OPENSSL_NO_SRP
195 if (BIO_puts(bp,"\n SRP username: ") <= 0) goto err;
196 if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None") <= 0) goto err;
197#endif
198#ifndef OPENSSL_NO_TLSEXT
199 if (x->tlsext_tick_lifetime_hint)
200 {
201 if (BIO_printf(bp,
202 "\n TLS session ticket lifetime hint: %ld (seconds)",
203 x->tlsext_tick_lifetime_hint) <=0)
204 goto err;
205 }
206 if (x->tlsext_tick)
207 {
208 if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0) goto err;
209 if (BIO_dump_indent(bp, (char *)x->tlsext_tick, x->tlsext_ticklen, 4) <= 0)
210 goto err;
211 }
212#endif
213
214#ifndef OPENSSL_NO_COMP
215 if (x->compress_meth != 0)
216 {
217 SSL_COMP *comp = NULL;
218
219 ssl_cipher_get_evp(x,NULL,NULL,NULL,NULL,&comp);
220 if (comp == NULL)
221 {
222 if (BIO_printf(bp,"\n Compression: %d",x->compress_meth) <= 0) goto err;
223 }
224 else
225 {
226 if (BIO_printf(bp,"\n Compression: %d (%s)", comp->id,comp->method->name) <= 0) goto err;
227 }
228 }
229#endif
230 if (x->time != 0L)
231 {
232 if (BIO_printf(bp, "\n Start Time: %ld",x->time) <= 0) goto err;
233 }
234 if (x->timeout != 0L)
235 {
236 if (BIO_printf(bp, "\n Timeout : %ld (sec)",x->timeout) <= 0) goto err;
237 }
238 if (BIO_puts(bp,"\n") <= 0) goto err;
239
240 if (BIO_puts(bp, " Verify return code: ") <= 0) goto err;
241 if (BIO_printf(bp, "%ld (%s)\n", x->verify_result,
242 X509_verify_cert_error_string(x->verify_result)) <= 0) goto err;
243
244 return(1);
245err:
246 return(0);
247 }
248
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-09 07:28:24 +0000