summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl.h1853
-rw-r--r--src/lib/libssl/ssl2.h268
-rw-r--r--src/lib/libssl/ssl23.h83
-rw-r--r--src/lib/libssl/ssl3.h526
-rw-r--r--src/lib/libssl/ssl_algs.c111
-rw-r--r--src/lib/libssl/ssl_asn1.c398
-rw-r--r--src/lib/libssl/ssl_cert.c898
-rw-r--r--src/lib/libssl/ssl_ciph.c1139
-rw-r--r--src/lib/libssl/ssl_err.c462
-rw-r--r--src/lib/libssl/ssl_err2.c70
-rw-r--r--src/lib/libssl/ssl_lib.c2358
-rw-r--r--src/lib/libssl/ssl_locl.h623
-rw-r--r--src/lib/libssl/ssl_rsa.c817
-rw-r--r--src/lib/libssl/ssl_sess.c755
-rw-r--r--src/lib/libssl/ssl_stat.c502
-rw-r--r--src/lib/libssl/ssl_txt.c186
16 files changed, 0 insertions, 11049 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
deleted file mode 100644
index 99e188086b..0000000000
--- a/src/lib/libssl/ssl.h
+++ /dev/null
@@ -1,1853 +0,0 @@
1/* ssl/ssl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
113 *
114 * Redistribution and use in source and binary forms, with or without
115 * modification, are permitted provided that the following conditions
116 * are met:
117 *
118 * 1. Redistributions of source code must retain the above copyright
119 * notice, this list of conditions and the following disclaimer.
120 *
121 * 2. Redistributions in binary form must reproduce the above copyright
122 * notice, this list of conditions and the following disclaimer in
123 * the documentation and/or other materials provided with the
124 * distribution.
125 *
126 * 3. All advertising materials mentioning features or use of this
127 * software must display the following acknowledgment:
128 * "This product includes software developed by the OpenSSL Project
129 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
130 *
131 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
132 * endorse or promote products derived from this software without
133 * prior written permission. For written permission, please contact
134 * openssl-core@openssl.org.
135 *
136 * 5. Products derived from this software may not be called "OpenSSL"
137 * nor may "OpenSSL" appear in their names without prior written
138 * permission of the OpenSSL Project.
139 *
140 * 6. Redistributions of any form whatsoever must retain the following
141 * acknowledgment:
142 * "This product includes software developed by the OpenSSL Project
143 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
144 *
145 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
146 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
147 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
148 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
149 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
150 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
151 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
152 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
153 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
154 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
155 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
156 * OF THE POSSIBILITY OF SUCH DAMAGE.
157 * ====================================================================
158 *
159 * This product includes cryptographic software written by Eric Young
160 * (eay@cryptsoft.com). This product includes software written by Tim
161 * Hudson (tjh@cryptsoft.com).
162 *
163 */
164
165#ifndef HEADER_SSL_H
166#define HEADER_SSL_H
167
168#include <openssl/e_os2.h>
169
170#ifndef OPENSSL_NO_COMP
171#include <openssl/comp.h>
172#endif
173#ifndef OPENSSL_NO_BIO
174#include <openssl/bio.h>
175#endif
176#ifndef OPENSSL_NO_X509
177#include <openssl/x509.h>
178#endif
179#include <openssl/kssl.h>
180#include <openssl/safestack.h>
181#include <openssl/symhacks.h>
182
183#ifdef __cplusplus
184extern "C" {
185#endif
186
187/* SSLeay version number for ASN.1 encoding of the session information */
188/* Version 0 - initial version
189 * Version 1 - added the optional peer certificate
190 */
191#define SSL_SESSION_ASN1_VERSION 0x0001
192
193/* text strings for the ciphers */
194#define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5
195#define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5
196#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5
197#define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5
198#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5
199#define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5
200#define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5
201#define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA
202#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
203#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
204
205/* VRS Additional Kerberos5 entries
206 */
207#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
208#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
209#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA
210#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
211#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
212#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
213#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5
214#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
215
216#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
217#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA
218#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA
219#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
220#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5
221#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5
222
223#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
224#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
225#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
226#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
227#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
228#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
229#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256
230
231#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
232#define SSL_MAX_SID_CTX_LENGTH 32
233
234#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8)
235#define SSL_MAX_KEY_ARG_LENGTH 8
236#define SSL_MAX_MASTER_KEY_LENGTH 48
237
238/* These are used to specify which ciphers to use and not to use */
239#define SSL_TXT_LOW "LOW"
240#define SSL_TXT_MEDIUM "MEDIUM"
241#define SSL_TXT_HIGH "HIGH"
242#define SSL_TXT_FIPS "FIPS"
243#define SSL_TXT_kFZA "kFZA"
244#define SSL_TXT_aFZA "aFZA"
245#define SSL_TXT_eFZA "eFZA"
246#define SSL_TXT_FZA "FZA"
247
248#define SSL_TXT_aNULL "aNULL"
249#define SSL_TXT_eNULL "eNULL"
250#define SSL_TXT_NULL "NULL"
251
252#define SSL_TXT_kKRB5 "kKRB5"
253#define SSL_TXT_aKRB5 "aKRB5"
254#define SSL_TXT_KRB5 "KRB5"
255
256#define SSL_TXT_kRSA "kRSA"
257#define SSL_TXT_kDHr "kDHr"
258#define SSL_TXT_kDHd "kDHd"
259#define SSL_TXT_kEDH "kEDH"
260#define SSL_TXT_aRSA "aRSA"
261#define SSL_TXT_aDSS "aDSS"
262#define SSL_TXT_aDH "aDH"
263#define SSL_TXT_DSS "DSS"
264#define SSL_TXT_DH "DH"
265#define SSL_TXT_EDH "EDH"
266#define SSL_TXT_ADH "ADH"
267#define SSL_TXT_RSA "RSA"
268#define SSL_TXT_DES "DES"
269#define SSL_TXT_3DES "3DES"
270#define SSL_TXT_RC4 "RC4"
271#define SSL_TXT_RC2 "RC2"
272#define SSL_TXT_IDEA "IDEA"
273#define SSL_TXT_AES "AES"
274#define SSL_TXT_MD5 "MD5"
275#define SSL_TXT_SHA1 "SHA1"
276#define SSL_TXT_SHA "SHA"
277#define SSL_TXT_EXP "EXP"
278#define SSL_TXT_EXPORT "EXPORT"
279#define SSL_TXT_EXP40 "EXPORT40"
280#define SSL_TXT_EXP56 "EXPORT56"
281#define SSL_TXT_SSLV2 "SSLv2"
282#define SSL_TXT_SSLV3 "SSLv3"
283#define SSL_TXT_TLSV1 "TLSv1"
284#define SSL_TXT_ALL "ALL"
285
286/*
287 * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
288 * ciphers normally not being used.
289 * Example: "RC4" will activate all ciphers using RC4 including ciphers
290 * without authentication, which would normally disabled by DEFAULT (due
291 * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
292 * will make sure that it is also disabled in the specific selection.
293 * COMPLEMENTOF* identifiers are portable between version, as adjustments
294 * to the default cipher setup will also be included here.
295 *
296 * COMPLEMENTOFDEFAULT does not experience the same special treatment that
297 * DEFAULT gets, as only selection is being done and no sorting as needed
298 * for DEFAULT.
299 */
300#define SSL_TXT_CMPALL "COMPLEMENTOFALL"
301#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
302
303/* The following cipher list is used by default.
304 * It also is substituted when an application-defined cipher list string
305 * starts with 'DEFAULT'. */
306#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
307
308/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
309#define SSL_SENT_SHUTDOWN 1
310#define SSL_RECEIVED_SHUTDOWN 2
311
312#ifdef __cplusplus
313}
314#endif
315
316#include <openssl/crypto.h>
317#include <openssl/lhash.h>
318#include <openssl/buffer.h>
319#include <openssl/pem.h>
320
321#ifdef __cplusplus
322extern "C" {
323#endif
324
325#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
326#define OPENSSL_NO_SSL2
327#endif
328
329#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
330#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
331
332/* This is needed to stop compilers complaining about the
333 * 'struct ssl_st *' function parameters used to prototype callbacks
334 * in SSL_CTX. */
335typedef struct ssl_st *ssl_crock_st;
336
337/* used to hold info on the particular ciphers used */
338typedef struct ssl_cipher_st
339 {
340 int valid;
341 const char *name; /* text name */
342 unsigned long id; /* id, 4 bytes, first is version */
343 unsigned long algorithms; /* what ciphers are used */
344 unsigned long algo_strength; /* strength and export flags */
345 unsigned long algorithm2; /* Extra flags */
346 int strength_bits; /* Number of bits really used */
347 int alg_bits; /* Number of bits for algorithm */
348 unsigned long mask; /* used for matching */
349 unsigned long mask_strength; /* also used for matching */
350 } SSL_CIPHER;
351
352DECLARE_STACK_OF(SSL_CIPHER)
353
354typedef struct ssl_st SSL;
355typedef struct ssl_ctx_st SSL_CTX;
356
357/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
358typedef struct ssl_method_st
359 {
360 int version;
361 int (*ssl_new)(SSL *s);
362 void (*ssl_clear)(SSL *s);
363 void (*ssl_free)(SSL *s);
364 int (*ssl_accept)(SSL *s);
365 int (*ssl_connect)(SSL *s);
366 int (*ssl_read)(SSL *s,void *buf,int len);
367 int (*ssl_peek)(SSL *s,void *buf,int len);
368 int (*ssl_write)(SSL *s,const void *buf,int len);
369 int (*ssl_shutdown)(SSL *s);
370 int (*ssl_renegotiate)(SSL *s);
371 int (*ssl_renegotiate_check)(SSL *s);
372 long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg);
373 long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
374 SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
375 int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
376 int (*ssl_pending)(const SSL *s);
377 int (*num_ciphers)(void);
378 SSL_CIPHER *(*get_cipher)(unsigned ncipher);
379 struct ssl_method_st *(*get_ssl_method)(int version);
380 long (*get_timeout)(void);
381 struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
382 int (*ssl_version)();
383 long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)());
384 long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)());
385 } SSL_METHOD;
386
387/* Lets make this into an ASN.1 type structure as follows
388 * SSL_SESSION_ID ::= SEQUENCE {
389 * version INTEGER, -- structure version number
390 * SSLversion INTEGER, -- SSL version number
391 * Cipher OCTET_STRING, -- the 3 byte cipher ID
392 * Session_ID OCTET_STRING, -- the Session ID
393 * Master_key OCTET_STRING, -- the master key
394 * KRB5_principal OCTET_STRING -- optional Kerberos principal
395 * Key_Arg [ 0 ] IMPLICIT OCTET_STRING, -- the optional Key argument
396 * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
397 * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
398 * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
399 * Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context
400 * Verify_result [ 5 ] EXPLICIT INTEGER -- X509_V_... code for `Peer'
401 * Compression [6] IMPLICIT ASN1_OBJECT -- compression OID XXXXX
402 * }
403 * Look in ssl/ssl_asn1.c for more details
404 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
405 */
406typedef struct ssl_session_st
407 {
408 int ssl_version; /* what ssl version session info is
409 * being kept in here? */
410
411 /* only really used in SSLv2 */
412 unsigned int key_arg_length;
413 unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
414 int master_key_length;
415 unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
416 /* session_id - valid? */
417 unsigned int session_id_length;
418 unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
419 /* this is used to determine whether the session is being reused in
420 * the appropriate context. It is up to the application to set this,
421 * via SSL_new */
422 unsigned int sid_ctx_length;
423 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
424
425#ifndef OPENSSL_NO_KRB5
426 unsigned int krb5_client_princ_len;
427 unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
428#endif /* OPENSSL_NO_KRB5 */
429
430 int not_resumable;
431
432 /* The cert is the certificate used to establish this connection */
433 struct sess_cert_st /* SESS_CERT */ *sess_cert;
434
435 /* This is the cert for the other end.
436 * On clients, it will be the same as sess_cert->peer_key->x509
437 * (the latter is not enough as sess_cert is not retained
438 * in the external representation of sessions, see ssl_asn1.c). */
439 X509 *peer;
440 /* when app_verify_callback accepts a session where the peer's certificate
441 * is not ok, we must remember the error for session reuse: */
442 long verify_result; /* only for servers */
443
444 int references;
445 long timeout;
446 long time;
447
448 int compress_meth; /* Need to lookup the method */
449
450 SSL_CIPHER *cipher;
451 unsigned long cipher_id; /* when ASN.1 loaded, this
452 * needs to be used to load
453 * the 'cipher' structure */
454
455 STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
456
457 CRYPTO_EX_DATA ex_data; /* application specific data */
458
459 /* These are used to make removal of session-ids more
460 * efficient and to implement a maximum cache size. */
461 struct ssl_session_st *prev,*next;
462 } SSL_SESSION;
463
464
465#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
466#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
467#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
468#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
469#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
470#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
471#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
472#define SSL_OP_TLS_D5_BUG 0x00000100L
473#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
474
475/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
476 * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
477 * the workaround is not needed. Unfortunately some broken SSL/TLS
478 * implementations cannot handle it at all, which is why we include
479 * it in SSL_OP_ALL. */
480#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */
481
482/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
483 * This used to be 0x000FFFFFL before 0.9.7. */
484#define SSL_OP_ALL 0x00000FFFL
485
486/* As server, disallow session resumption on renegotiation */
487#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
488/* If set, always create a new key when using tmp_dh parameters */
489#define SSL_OP_SINGLE_DH_USE 0x00100000L
490/* Set to always use the tmp_rsa key when doing RSA operations,
491 * even when this violates protocol specs */
492#define SSL_OP_EPHEMERAL_RSA 0x00200000L
493/* Set on servers to choose the cipher according to the server's
494 * preferences */
495#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
496/* If set, a server will allow a client to issue a SSLv3.0 version number
497 * as latest version supported in the premaster secret, even when TLSv1.0
498 * (version 3.1) was announced in the client hello. Normally this is
499 * forbidden to prevent version rollback attacks. */
500#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L
501
502#define SSL_OP_NO_SSLv2 0x01000000L
503#define SSL_OP_NO_SSLv3 0x02000000L
504#define SSL_OP_NO_TLSv1 0x04000000L
505
506/* The next flag deliberately changes the ciphertest, this is a check
507 * for the PKCS#1 attack */
508#define SSL_OP_PKCS1_CHECK_1 0x08000000L
509#define SSL_OP_PKCS1_CHECK_2 0x10000000L
510#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
511#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
512
513
514/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
515 * when just a single record has been written): */
516#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L
517/* Make it possible to retry SSL_write() with changed buffer location
518 * (buffer contents must stay the same!); this is not the default to avoid
519 * the misconception that non-blocking SSL_write() behaves like
520 * non-blocking write(): */
521#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
522/* Never bother the application with retries if the transport
523 * is blocking: */
524#define SSL_MODE_AUTO_RETRY 0x00000004L
525/* Don't attempt to automatically build certificate chain */
526#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
527
528
529/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
530 * they cannot be used to clear bits. */
531
532#define SSL_CTX_set_options(ctx,op) \
533 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
534#define SSL_CTX_get_options(ctx) \
535 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
536#define SSL_set_options(ssl,op) \
537 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
538#define SSL_get_options(ssl) \
539 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
540
541#define SSL_CTX_set_mode(ctx,op) \
542 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
543#define SSL_CTX_get_mode(ctx) \
544 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
545#define SSL_set_mode(ssl,op) \
546 SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
547#define SSL_get_mode(ssl) \
548 SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
549
550
551void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
552void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
553#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
554#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
555
556
557
558#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
559#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */
560#else
561#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
562#endif
563
564#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
565
566/* This callback type is used inside SSL_CTX, SSL, and in the functions that set
567 * them. It is used to override the generation of SSL/TLS session IDs in a
568 * server. Return value should be zero on an error, non-zero to proceed. Also,
569 * callbacks should themselves check if the id they generate is unique otherwise
570 * the SSL handshake will fail with an error - callbacks can do this using the
571 * 'ssl' value they're passed by;
572 * SSL_has_matching_session_id(ssl, id, *id_len)
573 * The length value passed in is set at the maximum size the session ID can be.
574 * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
575 * can alter this length to be less if desired, but under SSLv2 session IDs are
576 * supposed to be fixed at 16 bytes so the id will be padded after the callback
577 * returns in this case. It is also an error for the callback to set the size to
578 * zero. */
579typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
580 unsigned int *id_len);
581
582typedef struct ssl_comp_st
583 {
584 int id;
585 char *name;
586#ifndef OPENSSL_NO_COMP
587 COMP_METHOD *method;
588#else
589 char *method;
590#endif
591 } SSL_COMP;
592
593DECLARE_STACK_OF(SSL_COMP)
594
595struct ssl_ctx_st
596 {
597 SSL_METHOD *method;
598
599 STACK_OF(SSL_CIPHER) *cipher_list;
600 /* same as above but sorted for lookup */
601 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
602
603 struct x509_store_st /* X509_STORE */ *cert_store;
604 struct lhash_st /* LHASH */ *sessions; /* a set of SSL_SESSIONs */
605 /* Most session-ids that will be cached, default is
606 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
607 unsigned long session_cache_size;
608 struct ssl_session_st *session_cache_head;
609 struct ssl_session_st *session_cache_tail;
610
611 /* This can have one of 2 values, ored together,
612 * SSL_SESS_CACHE_CLIENT,
613 * SSL_SESS_CACHE_SERVER,
614 * Default is SSL_SESSION_CACHE_SERVER, which means only
615 * SSL_accept which cache SSL_SESSIONS. */
616 int session_cache_mode;
617
618 /* If timeout is not 0, it is the default timeout value set
619 * when SSL_new() is called. This has been put in to make
620 * life easier to set things up */
621 long session_timeout;
622
623 /* If this callback is not null, it will be called each
624 * time a session id is added to the cache. If this function
625 * returns 1, it means that the callback will do a
626 * SSL_SESSION_free() when it has finished using it. Otherwise,
627 * on 0, it means the callback has finished with it.
628 * If remove_session_cb is not null, it will be called when
629 * a session-id is removed from the cache. After the call,
630 * OpenSSL will SSL_SESSION_free() it. */
631 int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess);
632 void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
633 SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
634 unsigned char *data,int len,int *copy);
635
636 struct
637 {
638 int sess_connect; /* SSL new conn - started */
639 int sess_connect_renegotiate;/* SSL reneg - requested */
640 int sess_connect_good; /* SSL new conne/reneg - finished */
641 int sess_accept; /* SSL new accept - started */
642 int sess_accept_renegotiate;/* SSL reneg - requested */
643 int sess_accept_good; /* SSL accept/reneg - finished */
644 int sess_miss; /* session lookup misses */
645 int sess_timeout; /* reuse attempt on timeouted session */
646 int sess_cache_full; /* session removed due to full cache */
647 int sess_hit; /* session reuse actually done */
648 int sess_cb_hit; /* session-id that was not
649 * in the cache was
650 * passed back via the callback. This
651 * indicates that the application is
652 * supplying session-id's from other
653 * processes - spooky :-) */
654 } stats;
655
656 int references;
657
658 /* if defined, these override the X509_verify_cert() calls */
659 int (*app_verify_callback)(X509_STORE_CTX *, void *);
660 void *app_verify_arg;
661 /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored
662 * ('app_verify_callback' was called with just one argument) */
663
664 /* Default password callback. */
665 pem_password_cb *default_passwd_callback;
666
667 /* Default password callback user data. */
668 void *default_passwd_callback_userdata;
669
670 /* get client cert callback */
671 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
672
673 CRYPTO_EX_DATA ex_data;
674
675 const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
676 const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
677 const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
678
679 STACK_OF(X509) *extra_certs;
680 STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
681
682
683 /* Default values used when no per-SSL value is defined follow */
684
685 void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */
686
687 /* what we put in client cert requests */
688 STACK_OF(X509_NAME) *client_CA;
689
690
691 /* Default values to use in SSL structures follow (these are copied by SSL_new) */
692
693 unsigned long options;
694 unsigned long mode;
695 long max_cert_list;
696
697 struct cert_st /* CERT */ *cert;
698 int read_ahead;
699
700 /* callback that allows applications to peek at protocol messages */
701 void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
702 void *msg_callback_arg;
703
704 int verify_mode;
705 int verify_depth;
706 unsigned int sid_ctx_length;
707 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
708 int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
709
710 /* Default generate session ID callback. */
711 GEN_SESSION_CB generate_session_id;
712
713 int purpose; /* Purpose setting */
714 int trust; /* Trust setting */
715
716 int quiet_shutdown;
717 };
718
719#define SSL_SESS_CACHE_OFF 0x0000
720#define SSL_SESS_CACHE_CLIENT 0x0001
721#define SSL_SESS_CACHE_SERVER 0x0002
722#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
723#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
724/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
725#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
726#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
727#define SSL_SESS_CACHE_NO_INTERNAL \
728 (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
729
730 struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
731#define SSL_CTX_sess_number(ctx) \
732 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
733#define SSL_CTX_sess_connect(ctx) \
734 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
735#define SSL_CTX_sess_connect_good(ctx) \
736 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
737#define SSL_CTX_sess_connect_renegotiate(ctx) \
738 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
739#define SSL_CTX_sess_accept(ctx) \
740 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
741#define SSL_CTX_sess_accept_renegotiate(ctx) \
742 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
743#define SSL_CTX_sess_accept_good(ctx) \
744 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
745#define SSL_CTX_sess_hits(ctx) \
746 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
747#define SSL_CTX_sess_cb_hits(ctx) \
748 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
749#define SSL_CTX_sess_misses(ctx) \
750 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
751#define SSL_CTX_sess_timeouts(ctx) \
752 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
753#define SSL_CTX_sess_cache_full(ctx) \
754 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
755
756#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb))
757#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb)
758#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb))
759#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb)
760#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb))
761#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb)
762#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb))
763#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback)
764#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb))
765#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb)
766
767#define SSL_NOTHING 1
768#define SSL_WRITING 2
769#define SSL_READING 3
770#define SSL_X509_LOOKUP 4
771
772/* These will only be used when doing non-blocking IO */
773#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
774#define SSL_want_read(s) (SSL_want(s) == SSL_READING)
775#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
776#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
777
778struct ssl_st
779 {
780 /* protocol version
781 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION)
782 */
783 int version;
784 int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
785
786 SSL_METHOD *method; /* SSLv3 */
787
788 /* There are 2 BIO's even though they are normally both the
789 * same. This is so data can be read and written to different
790 * handlers */
791
792#ifndef OPENSSL_NO_BIO
793 BIO *rbio; /* used by SSL_read */
794 BIO *wbio; /* used by SSL_write */
795 BIO *bbio; /* used during session-id reuse to concatenate
796 * messages */
797#else
798 char *rbio; /* used by SSL_read */
799 char *wbio; /* used by SSL_write */
800 char *bbio;
801#endif
802 /* This holds a variable that indicates what we were doing
803 * when a 0 or -1 is returned. This is needed for
804 * non-blocking IO so we know what request needs re-doing when
805 * in SSL_accept or SSL_connect */
806 int rwstate;
807
808 /* true when we are actually in SSL_accept() or SSL_connect() */
809 int in_handshake;
810 int (*handshake_func)();
811
812 /* Imagine that here's a boolean member "init" that is
813 * switched as soon as SSL_set_{accept/connect}_state
814 * is called for the first time, so that "state" and
815 * "handshake_func" are properly initialized. But as
816 * handshake_func is == 0 until then, we use this
817 * test instead of an "init" member.
818 */
819
820 int server; /* are we the server side? - mostly used by SSL_clear*/
821
822 int new_session;/* 1 if we are to use a new session.
823 * 2 if we are a server and are inside a handshake
824 * (i.e. not just sending a HelloRequest)
825 * NB: For servers, the 'new' session may actually be a previously
826 * cached session or even the previous session unless
827 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
828 int quiet_shutdown;/* don't send shutdown packets */
829 int shutdown; /* we have shut things down, 0x01 sent, 0x02
830 * for received */
831 int state; /* where we are */
832 int rstate; /* where we are when reading */
833
834 BUF_MEM *init_buf; /* buffer used during init */
835 void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */
836 int init_num; /* amount read/written */
837 int init_off; /* amount read/written */
838
839 /* used internally to point at a raw packet */
840 unsigned char *packet;
841 unsigned int packet_length;
842
843 struct ssl2_state_st *s2; /* SSLv2 variables */
844 struct ssl3_state_st *s3; /* SSLv3 variables */
845
846 int read_ahead; /* Read as many input bytes as possible
847 * (for non-blocking reads) */
848
849 /* callback that allows applications to peek at protocol messages */
850 void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
851 void *msg_callback_arg;
852
853 int hit; /* reusing a previous session */
854
855 int purpose; /* Purpose setting */
856 int trust; /* Trust setting */
857
858 /* crypto */
859 STACK_OF(SSL_CIPHER) *cipher_list;
860 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
861
862 /* These are the ones being used, the ones in SSL_SESSION are
863 * the ones to be 'copied' into these ones */
864
865 EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
866 const EVP_MD *read_hash; /* used for mac generation */
867#ifndef OPENSSL_NO_COMP
868 COMP_CTX *expand; /* uncompress */
869#else
870 char *expand;
871#endif
872
873 EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
874 const EVP_MD *write_hash; /* used for mac generation */
875#ifndef OPENSSL_NO_COMP
876 COMP_CTX *compress; /* compression */
877#else
878 char *compress;
879#endif
880
881 /* session info */
882
883 /* client cert? */
884 /* This is used to hold the server certificate used */
885 struct cert_st /* CERT */ *cert;
886
887 /* the session_id_context is used to ensure sessions are only reused
888 * in the appropriate context */
889 unsigned int sid_ctx_length;
890 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
891
892 /* This can also be in the session once a session is established */
893 SSL_SESSION *session;
894
895 /* Default generate session ID callback. */
896 GEN_SESSION_CB generate_session_id;
897
898 /* Used in SSL2 and SSL3 */
899 int verify_mode; /* 0 don't care about verify failure.
900 * 1 fail if verify fails */
901 int verify_depth;
902 int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
903
904 void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
905
906 int error; /* error bytes to be written */
907 int error_code; /* actual code */
908
909#ifndef OPENSSL_NO_KRB5
910 KSSL_CTX *kssl_ctx; /* Kerberos 5 context */
911#endif /* OPENSSL_NO_KRB5 */
912
913 SSL_CTX *ctx;
914 /* set this flag to 1 and a sleep(1) is put into all SSL_read()
915 * and SSL_write() calls, good for nbio debuging :-) */
916 int debug;
917
918 /* extra application data */
919 long verify_result;
920 CRYPTO_EX_DATA ex_data;
921
922 /* for server side, keep the list of CA_dn we can use */
923 STACK_OF(X509_NAME) *client_CA;
924
925 int references;
926 unsigned long options; /* protocol behaviour */
927 unsigned long mode; /* API behaviour */
928 long max_cert_list;
929 int first_packet;
930 int client_version; /* what was passed, used for
931 * SSLv3/TLS rollback check */
932 };
933
934#ifdef __cplusplus
935}
936#endif
937
938#include <openssl/ssl2.h>
939#include <openssl/ssl3.h>
940#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
941#include <openssl/ssl23.h>
942
943#ifdef __cplusplus
944extern "C" {
945#endif
946
947/* compatibility */
948#define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg))
949#define SSL_get_app_data(s) (SSL_get_ex_data(s,0))
950#define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0,(char *)a))
951#define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0))
952#define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0))
953#define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg))
954
955/* The following are the possible values for ssl->state are are
956 * used to indicate where we are up to in the SSL connection establishment.
957 * The macros that follow are about the only things you should need to use
958 * and even then, only when using non-blocking IO.
959 * It can also be useful to work out where you were when the connection
960 * failed */
961
962#define SSL_ST_CONNECT 0x1000
963#define SSL_ST_ACCEPT 0x2000
964#define SSL_ST_MASK 0x0FFF
965#define SSL_ST_INIT (SSL_ST_CONNECT|SSL_ST_ACCEPT)
966#define SSL_ST_BEFORE 0x4000
967#define SSL_ST_OK 0x03
968#define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
969
970#define SSL_CB_LOOP 0x01
971#define SSL_CB_EXIT 0x02
972#define SSL_CB_READ 0x04
973#define SSL_CB_WRITE 0x08
974#define SSL_CB_ALERT 0x4000 /* used in callback */
975#define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)
976#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)
977#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)
978#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)
979#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)
980#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)
981#define SSL_CB_HANDSHAKE_START 0x10
982#define SSL_CB_HANDSHAKE_DONE 0x20
983
984/* Is the SSL_connection established? */
985#define SSL_get_state(a) SSL_state(a)
986#define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK)
987#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT)
988#define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE)
989#define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT)
990#define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT)
991
992/* The following 2 states are kept in ssl->rstate when reads fail,
993 * you should not need these */
994#define SSL_ST_READ_HEADER 0xF0
995#define SSL_ST_READ_BODY 0xF1
996#define SSL_ST_READ_DONE 0xF2
997
998/* Obtain latest Finished message
999 * -- that we sent (SSL_get_finished)
1000 * -- that we expected from peer (SSL_get_peer_finished).
1001 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
1002size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
1003size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
1004
1005/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
1006 * are 'ored' with SSL_VERIFY_PEER if they are desired */
1007#define SSL_VERIFY_NONE 0x00
1008#define SSL_VERIFY_PEER 0x01
1009#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
1010#define SSL_VERIFY_CLIENT_ONCE 0x04
1011
1012#define OpenSSL_add_ssl_algorithms() SSL_library_init()
1013#define SSLeay_add_ssl_algorithms() SSL_library_init()
1014
1015/* this is for backward compatibility */
1016#if 0 /* NEW_SSLEAY */
1017#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
1018#define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n)
1019#define SSL_add_session(a,b) SSL_CTX_add_session((a),(b))
1020#define SSL_remove_session(a,b) SSL_CTX_remove_session((a),(b))
1021#define SSL_flush_sessions(a,b) SSL_CTX_flush_sessions((a),(b))
1022#endif
1023/* More backward compatibility */
1024#define SSL_get_cipher(s) \
1025 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1026#define SSL_get_cipher_bits(s,np) \
1027 SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
1028#define SSL_get_cipher_version(s) \
1029 SSL_CIPHER_get_version(SSL_get_current_cipher(s))
1030#define SSL_get_cipher_name(s) \
1031 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1032#define SSL_get_time(a) SSL_SESSION_get_time(a)
1033#define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b))
1034#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a)
1035#define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b))
1036
1037#if 1 /*SSLEAY_MACROS*/
1038#define d2i_SSL_SESSION_bio(bp,s_id) (SSL_SESSION *)ASN1_d2i_bio( \
1039 (char *(*)())SSL_SESSION_new,(char *(*)())d2i_SSL_SESSION, \
1040 (bp),(unsigned char **)(s_id))
1041#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio(i2d_SSL_SESSION, \
1042 bp,(unsigned char *)s_id)
1043#define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( \
1044 (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x,cb,u)
1045#define PEM_read_bio_SSL_SESSION(bp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read_bio( \
1046 (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,(char **)x,cb,u)
1047#define PEM_write_SSL_SESSION(fp,x) \
1048 PEM_ASN1_write((int (*)())i2d_SSL_SESSION, \
1049 PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL,NULL)
1050#define PEM_write_bio_SSL_SESSION(bp,x) \
1051 PEM_ASN1_write_bio((int (*)())i2d_SSL_SESSION, \
1052 PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL,NULL)
1053#endif
1054
1055#define SSL_AD_REASON_OFFSET 1000
1056/* These alert types are for SSLv3 and TLSv1 */
1057#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
1058#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
1059#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC /* fatal */
1060#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED
1061#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW
1062#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
1063#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE/* fatal */
1064#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not for TLS */
1065#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
1066#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE
1067#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED
1068#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED
1069#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN
1070#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */
1071#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */
1072#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */
1073#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */
1074#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR
1075#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION/* fatal */
1076#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */
1077#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
1078#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
1079#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
1080#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
1081
1082#define SSL_ERROR_NONE 0
1083#define SSL_ERROR_SSL 1
1084#define SSL_ERROR_WANT_READ 2
1085#define SSL_ERROR_WANT_WRITE 3
1086#define SSL_ERROR_WANT_X509_LOOKUP 4
1087#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */
1088#define SSL_ERROR_ZERO_RETURN 6
1089#define SSL_ERROR_WANT_CONNECT 7
1090#define SSL_ERROR_WANT_ACCEPT 8
1091
1092#define SSL_CTRL_NEED_TMP_RSA 1
1093#define SSL_CTRL_SET_TMP_RSA 2
1094#define SSL_CTRL_SET_TMP_DH 3
1095#define SSL_CTRL_SET_TMP_RSA_CB 4
1096#define SSL_CTRL_SET_TMP_DH_CB 5
1097
1098#define SSL_CTRL_GET_SESSION_REUSED 6
1099#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 7
1100#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 8
1101#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 9
1102#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 10
1103#define SSL_CTRL_GET_FLAGS 11
1104#define SSL_CTRL_EXTRA_CHAIN_CERT 12
1105
1106#define SSL_CTRL_SET_MSG_CALLBACK 13
1107#define SSL_CTRL_SET_MSG_CALLBACK_ARG 14
1108
1109/* Stats */
1110#define SSL_CTRL_SESS_NUMBER 20
1111#define SSL_CTRL_SESS_CONNECT 21
1112#define SSL_CTRL_SESS_CONNECT_GOOD 22
1113#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
1114#define SSL_CTRL_SESS_ACCEPT 24
1115#define SSL_CTRL_SESS_ACCEPT_GOOD 25
1116#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
1117#define SSL_CTRL_SESS_HIT 27
1118#define SSL_CTRL_SESS_CB_HIT 28
1119#define SSL_CTRL_SESS_MISSES 29
1120#define SSL_CTRL_SESS_TIMEOUTS 30
1121#define SSL_CTRL_SESS_CACHE_FULL 31
1122#define SSL_CTRL_OPTIONS 32
1123#define SSL_CTRL_MODE 33
1124
1125#define SSL_CTRL_GET_READ_AHEAD 40
1126#define SSL_CTRL_SET_READ_AHEAD 41
1127#define SSL_CTRL_SET_SESS_CACHE_SIZE 42
1128#define SSL_CTRL_GET_SESS_CACHE_SIZE 43
1129#define SSL_CTRL_SET_SESS_CACHE_MODE 44
1130#define SSL_CTRL_GET_SESS_CACHE_MODE 45
1131
1132#define SSL_CTRL_GET_MAX_CERT_LIST 50
1133#define SSL_CTRL_SET_MAX_CERT_LIST 51
1134
1135#define SSL_session_reused(ssl) \
1136 SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
1137#define SSL_num_renegotiations(ssl) \
1138 SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
1139#define SSL_clear_num_renegotiations(ssl) \
1140 SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
1141#define SSL_total_renegotiations(ssl) \
1142 SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
1143
1144#define SSL_CTX_need_tmp_RSA(ctx) \
1145 SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
1146#define SSL_CTX_set_tmp_rsa(ctx,rsa) \
1147 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
1148#define SSL_CTX_set_tmp_dh(ctx,dh) \
1149 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
1150
1151#define SSL_need_tmp_RSA(ssl) \
1152 SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
1153#define SSL_set_tmp_rsa(ssl,rsa) \
1154 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
1155#define SSL_set_tmp_dh(ssl,dh) \
1156 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
1157
1158#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
1159 SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
1160
1161#ifndef OPENSSL_NO_BIO
1162BIO_METHOD *BIO_f_ssl(void);
1163BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
1164BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
1165BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
1166int BIO_ssl_copy_session_id(BIO *to,BIO *from);
1167void BIO_ssl_shutdown(BIO *ssl_bio);
1168
1169#endif
1170
1171int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
1172SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
1173void SSL_CTX_free(SSL_CTX *);
1174long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
1175long SSL_CTX_get_timeout(const SSL_CTX *ctx);
1176X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
1177void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
1178int SSL_want(const SSL *s);
1179int SSL_clear(SSL *s);
1180
1181void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
1182
1183SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
1184int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
1185char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
1186const char * SSL_CIPHER_get_name(const SSL_CIPHER *c);
1187
1188int SSL_get_fd(const SSL *s);
1189int SSL_get_rfd(const SSL *s);
1190int SSL_get_wfd(const SSL *s);
1191const char * SSL_get_cipher_list(const SSL *s,int n);
1192char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
1193int SSL_get_read_ahead(const SSL * s);
1194int SSL_pending(const SSL *s);
1195#ifndef OPENSSL_NO_SOCK
1196int SSL_set_fd(SSL *s, int fd);
1197int SSL_set_rfd(SSL *s, int fd);
1198int SSL_set_wfd(SSL *s, int fd);
1199#endif
1200#ifndef OPENSSL_NO_BIO
1201void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
1202BIO * SSL_get_rbio(const SSL *s);
1203BIO * SSL_get_wbio(const SSL *s);
1204#endif
1205int SSL_set_cipher_list(SSL *s, const char *str);
1206void SSL_set_read_ahead(SSL *s, int yes);
1207int SSL_get_verify_mode(const SSL *s);
1208int SSL_get_verify_depth(const SSL *s);
1209int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
1210void SSL_set_verify(SSL *s, int mode,
1211 int (*callback)(int ok,X509_STORE_CTX *ctx));
1212void SSL_set_verify_depth(SSL *s, int depth);
1213#ifndef OPENSSL_NO_RSA
1214int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
1215#endif
1216int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
1217int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
1218int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
1219int SSL_use_certificate(SSL *ssl, X509 *x);
1220int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
1221
1222#ifndef OPENSSL_NO_STDIO
1223int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
1224int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
1225int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
1226int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1227int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1228int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
1229int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */
1230STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
1231int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1232 const char *file);
1233#ifndef OPENSSL_SYS_VMS
1234#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */
1235int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1236 const char *dir);
1237#endif
1238#endif
1239
1240#endif
1241
1242void SSL_load_error_strings(void );
1243const char *SSL_state_string(const SSL *s);
1244const char *SSL_rstate_string(const SSL *s);
1245const char *SSL_state_string_long(const SSL *s);
1246const char *SSL_rstate_string_long(const SSL *s);
1247long SSL_SESSION_get_time(const SSL_SESSION *s);
1248long SSL_SESSION_set_time(SSL_SESSION *s, long t);
1249long SSL_SESSION_get_timeout(const SSL_SESSION *s);
1250long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1251void SSL_copy_session_id(SSL *to,const SSL *from);
1252
1253SSL_SESSION *SSL_SESSION_new(void);
1254unsigned long SSL_SESSION_hash(const SSL_SESSION *a);
1255int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b);
1256#ifndef OPENSSL_NO_FP_API
1257int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
1258#endif
1259#ifndef OPENSSL_NO_BIO
1260int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
1261#endif
1262void SSL_SESSION_free(SSL_SESSION *ses);
1263int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
1264int SSL_set_session(SSL *to, SSL_SESSION *session);
1265int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
1266int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
1267int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
1268int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
1269int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1270 unsigned int id_len);
1271SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char * const *pp,
1272 long length);
1273
1274#ifdef HEADER_X509_H
1275X509 * SSL_get_peer_certificate(const SSL *s);
1276#endif
1277
1278STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
1279
1280int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
1281int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
1282int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
1283void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
1284 int (*callback)(int, X509_STORE_CTX *));
1285void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
1286void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg);
1287#ifndef OPENSSL_NO_RSA
1288int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
1289#endif
1290int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
1291int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
1292int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
1293 unsigned char *d, long len);
1294int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
1295int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
1296
1297void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
1298void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
1299
1300int SSL_CTX_check_private_key(const SSL_CTX *ctx);
1301int SSL_check_private_key(const SSL *ctx);
1302
1303int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
1304 unsigned int sid_ctx_len);
1305
1306SSL * SSL_new(SSL_CTX *ctx);
1307int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
1308 unsigned int sid_ctx_len);
1309
1310int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
1311int SSL_set_purpose(SSL *s, int purpose);
1312int SSL_CTX_set_trust(SSL_CTX *s, int trust);
1313int SSL_set_trust(SSL *s, int trust);
1314
1315void SSL_free(SSL *ssl);
1316int SSL_accept(SSL *ssl);
1317int SSL_connect(SSL *ssl);
1318int SSL_read(SSL *ssl,void *buf,int num);
1319int SSL_peek(SSL *ssl,void *buf,int num);
1320int SSL_write(SSL *ssl,const void *buf,int num);
1321long SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg);
1322long SSL_callback_ctrl(SSL *, int, void (*)());
1323long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
1324long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
1325
1326int SSL_get_error(const SSL *s,int ret_code);
1327const char *SSL_get_version(const SSL *s);
1328
1329/* This sets the 'default' SSL version that SSL_new() will create */
1330int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
1331
1332SSL_METHOD *SSLv2_method(void); /* SSLv2 */
1333SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
1334SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
1335
1336SSL_METHOD *SSLv3_method(void); /* SSLv3 */
1337SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
1338SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
1339
1340SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */
1341SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */
1342SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */
1343
1344SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
1345SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
1346SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
1347
1348STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
1349
1350int SSL_do_handshake(SSL *s);
1351int SSL_renegotiate(SSL *s);
1352int SSL_renegotiate_pending(SSL *s);
1353int SSL_shutdown(SSL *s);
1354
1355SSL_METHOD *SSL_get_ssl_method(SSL *s);
1356int SSL_set_ssl_method(SSL *s,SSL_METHOD *method);
1357const char *SSL_alert_type_string_long(int value);
1358const char *SSL_alert_type_string(int value);
1359const char *SSL_alert_desc_string_long(int value);
1360const char *SSL_alert_desc_string(int value);
1361
1362void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
1363void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
1364STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
1365STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
1366int SSL_add_client_CA(SSL *ssl,X509 *x);
1367int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
1368
1369void SSL_set_connect_state(SSL *s);
1370void SSL_set_accept_state(SSL *s);
1371
1372long SSL_get_default_timeout(const SSL *s);
1373
1374int SSL_library_init(void );
1375
1376char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
1377STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
1378
1379SSL *SSL_dup(SSL *ssl);
1380
1381X509 *SSL_get_certificate(const SSL *ssl);
1382/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
1383
1384void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
1385int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
1386void SSL_set_quiet_shutdown(SSL *ssl,int mode);
1387int SSL_get_quiet_shutdown(const SSL *ssl);
1388void SSL_set_shutdown(SSL *ssl,int mode);
1389int SSL_get_shutdown(const SSL *ssl);
1390int SSL_version(const SSL *ssl);
1391int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
1392int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
1393 const char *CApath);
1394#define SSL_get0_session SSL_get_session /* just peek at pointer */
1395SSL_SESSION *SSL_get_session(const SSL *ssl);
1396SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
1397SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
1398void SSL_set_info_callback(SSL *ssl,
1399 void (*cb)(const SSL *ssl,int type,int val));
1400void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
1401int SSL_state(const SSL *ssl);
1402
1403void SSL_set_verify_result(SSL *ssl,long v);
1404long SSL_get_verify_result(const SSL *ssl);
1405
1406int SSL_set_ex_data(SSL *ssl,int idx,void *data);
1407void *SSL_get_ex_data(const SSL *ssl,int idx);
1408int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1409 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1410
1411int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
1412void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
1413int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1414 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1415
1416int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
1417void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
1418int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1419 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1420
1421int SSL_get_ex_data_X509_STORE_CTX_idx(void );
1422
1423#define SSL_CTX_sess_set_cache_size(ctx,t) \
1424 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
1425#define SSL_CTX_sess_get_cache_size(ctx) \
1426 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
1427#define SSL_CTX_set_session_cache_mode(ctx,m) \
1428 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
1429#define SSL_CTX_get_session_cache_mode(ctx) \
1430 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
1431
1432#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
1433#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
1434#define SSL_CTX_get_read_ahead(ctx) \
1435 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
1436#define SSL_CTX_set_read_ahead(ctx,m) \
1437 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
1438#define SSL_CTX_get_max_cert_list(ctx) \
1439 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1440#define SSL_CTX_set_max_cert_list(ctx,m) \
1441 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1442#define SSL_get_max_cert_list(ssl) \
1443 SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1444#define SSL_set_max_cert_list(ssl,m) \
1445 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1446
1447 /* NB: the keylength is only applicable when is_export is true */
1448#ifndef OPENSSL_NO_RSA
1449void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
1450 RSA *(*cb)(SSL *ssl,int is_export,
1451 int keylength));
1452
1453void SSL_set_tmp_rsa_callback(SSL *ssl,
1454 RSA *(*cb)(SSL *ssl,int is_export,
1455 int keylength));
1456#endif
1457#ifndef OPENSSL_NO_DH
1458void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
1459 DH *(*dh)(SSL *ssl,int is_export,
1460 int keylength));
1461void SSL_set_tmp_dh_callback(SSL *ssl,
1462 DH *(*dh)(SSL *ssl,int is_export,
1463 int keylength));
1464#endif
1465
1466#ifndef OPENSSL_NO_COMP
1467int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
1468#else
1469int SSL_COMP_add_compression_method(int id,char *cm);
1470#endif
1471
1472/* BEGIN ERROR CODES */
1473/* The following lines are auto generated by the script mkerr.pl. Any changes
1474 * made after this point may be overwritten when the script is next run.
1475 */
1476void ERR_load_SSL_strings(void);
1477
1478/* Error codes for the SSL functions. */
1479
1480/* Function codes. */
1481#define SSL_F_CLIENT_CERTIFICATE 100
1482#define SSL_F_CLIENT_FINISHED 238
1483#define SSL_F_CLIENT_HELLO 101
1484#define SSL_F_CLIENT_MASTER_KEY 102
1485#define SSL_F_D2I_SSL_SESSION 103
1486#define SSL_F_DO_SSL3_WRITE 104
1487#define SSL_F_GET_CLIENT_FINISHED 105
1488#define SSL_F_GET_CLIENT_HELLO 106
1489#define SSL_F_GET_CLIENT_MASTER_KEY 107
1490#define SSL_F_GET_SERVER_FINISHED 108
1491#define SSL_F_GET_SERVER_HELLO 109
1492#define SSL_F_GET_SERVER_VERIFY 110
1493#define SSL_F_I2D_SSL_SESSION 111
1494#define SSL_F_READ_N 112
1495#define SSL_F_REQUEST_CERTIFICATE 113
1496#define SSL_F_SERVER_FINISH 239
1497#define SSL_F_SERVER_HELLO 114
1498#define SSL_F_SERVER_VERIFY 240
1499#define SSL_F_SSL23_ACCEPT 115
1500#define SSL_F_SSL23_CLIENT_HELLO 116
1501#define SSL_F_SSL23_CONNECT 117
1502#define SSL_F_SSL23_GET_CLIENT_HELLO 118
1503#define SSL_F_SSL23_GET_SERVER_HELLO 119
1504#define SSL_F_SSL23_PEEK 237
1505#define SSL_F_SSL23_READ 120
1506#define SSL_F_SSL23_WRITE 121
1507#define SSL_F_SSL2_ACCEPT 122
1508#define SSL_F_SSL2_CONNECT 123
1509#define SSL_F_SSL2_ENC_INIT 124
1510#define SSL_F_SSL2_GENERATE_KEY_MATERIAL 241
1511#define SSL_F_SSL2_PEEK 234
1512#define SSL_F_SSL2_READ 125
1513#define SSL_F_SSL2_READ_INTERNAL 236
1514#define SSL_F_SSL2_SET_CERTIFICATE 126
1515#define SSL_F_SSL2_WRITE 127
1516#define SSL_F_SSL3_ACCEPT 128
1517#define SSL_F_SSL3_CALLBACK_CTRL 233
1518#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
1519#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
1520#define SSL_F_SSL3_CLIENT_HELLO 131
1521#define SSL_F_SSL3_CONNECT 132
1522#define SSL_F_SSL3_CTRL 213
1523#define SSL_F_SSL3_CTX_CTRL 133
1524#define SSL_F_SSL3_ENC 134
1525#define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
1526#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
1527#define SSL_F_SSL3_GET_CERT_VERIFY 136
1528#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
1529#define SSL_F_SSL3_GET_CLIENT_HELLO 138
1530#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139
1531#define SSL_F_SSL3_GET_FINISHED 140
1532#define SSL_F_SSL3_GET_KEY_EXCHANGE 141
1533#define SSL_F_SSL3_GET_MESSAGE 142
1534#define SSL_F_SSL3_GET_RECORD 143
1535#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
1536#define SSL_F_SSL3_GET_SERVER_DONE 145
1537#define SSL_F_SSL3_GET_SERVER_HELLO 146
1538#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
1539#define SSL_F_SSL3_PEEK 235
1540#define SSL_F_SSL3_READ_BYTES 148
1541#define SSL_F_SSL3_READ_N 149
1542#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
1543#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151
1544#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152
1545#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153
1546#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154
1547#define SSL_F_SSL3_SEND_SERVER_HELLO 242
1548#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155
1549#define SSL_F_SSL3_SETUP_BUFFERS 156
1550#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
1551#define SSL_F_SSL3_WRITE_BYTES 158
1552#define SSL_F_SSL3_WRITE_PENDING 159
1553#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
1554#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
1555#define SSL_F_SSL_BAD_METHOD 160
1556#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
1557#define SSL_F_SSL_CERT_DUP 221
1558#define SSL_F_SSL_CERT_INST 222
1559#define SSL_F_SSL_CERT_INSTANTIATE 214
1560#define SSL_F_SSL_CERT_NEW 162
1561#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
1562#define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230
1563#define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
1564#define SSL_F_SSL_CLEAR 164
1565#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
1566#define SSL_F_SSL_CREATE_CIPHER_LIST 166
1567#define SSL_F_SSL_CTRL 232
1568#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
1569#define SSL_F_SSL_CTX_NEW 169
1570#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269
1571#define SSL_F_SSL_CTX_SET_PURPOSE 226
1572#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219
1573#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
1574#define SSL_F_SSL_CTX_SET_TRUST 229
1575#define SSL_F_SSL_CTX_USE_CERTIFICATE 171
1576#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172
1577#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220
1578#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173
1579#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174
1580#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175
1581#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176
1582#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177
1583#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178
1584#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179
1585#define SSL_F_SSL_DO_HANDSHAKE 180
1586#define SSL_F_SSL_GET_NEW_SESSION 181
1587#define SSL_F_SSL_GET_PREV_SESSION 217
1588#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
1589#define SSL_F_SSL_GET_SIGN_PKEY 183
1590#define SSL_F_SSL_INIT_WBIO_BUFFER 184
1591#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
1592#define SSL_F_SSL_NEW 186
1593#define SSL_F_SSL_READ 223
1594#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
1595#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
1596#define SSL_F_SSL_SESSION_NEW 189
1597#define SSL_F_SSL_SESSION_PRINT_FP 190
1598#define SSL_F_SSL_SESS_CERT_NEW 225
1599#define SSL_F_SSL_SET_CERT 191
1600#define SSL_F_SSL_SET_CIPHER_LIST 271
1601#define SSL_F_SSL_SET_FD 192
1602#define SSL_F_SSL_SET_PKEY 193
1603#define SSL_F_SSL_SET_PURPOSE 227
1604#define SSL_F_SSL_SET_RFD 194
1605#define SSL_F_SSL_SET_SESSION 195
1606#define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218
1607#define SSL_F_SSL_SET_TRUST 228
1608#define SSL_F_SSL_SET_WFD 196
1609#define SSL_F_SSL_SHUTDOWN 224
1610#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
1611#define SSL_F_SSL_UNDEFINED_FUNCTION 197
1612#define SSL_F_SSL_USE_CERTIFICATE 198
1613#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
1614#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
1615#define SSL_F_SSL_USE_PRIVATEKEY 201
1616#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202
1617#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203
1618#define SSL_F_SSL_USE_RSAPRIVATEKEY 204
1619#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205
1620#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206
1621#define SSL_F_SSL_VERIFY_CERT_CHAIN 207
1622#define SSL_F_SSL_WRITE 208
1623#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
1624#define SSL_F_TLS1_ENC 210
1625#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
1626#define SSL_F_WRITE_PENDING 212
1627
1628/* Reason codes. */
1629#define SSL_R_APP_DATA_IN_HANDSHAKE 100
1630#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
1631#define SSL_R_BAD_ALERT_RECORD 101
1632#define SSL_R_BAD_AUTHENTICATION_TYPE 102
1633#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
1634#define SSL_R_BAD_CHECKSUM 104
1635#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
1636#define SSL_R_BAD_DECOMPRESSION 107
1637#define SSL_R_BAD_DH_G_LENGTH 108
1638#define SSL_R_BAD_DH_PUB_KEY_LENGTH 109
1639#define SSL_R_BAD_DH_P_LENGTH 110
1640#define SSL_R_BAD_DIGEST_LENGTH 111
1641#define SSL_R_BAD_DSA_SIGNATURE 112
1642#define SSL_R_BAD_HELLO_REQUEST 105
1643#define SSL_R_BAD_LENGTH 271
1644#define SSL_R_BAD_MAC_DECODE 113
1645#define SSL_R_BAD_MESSAGE_TYPE 114
1646#define SSL_R_BAD_PACKET_LENGTH 115
1647#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116
1648#define SSL_R_BAD_RESPONSE_ARGUMENT 117
1649#define SSL_R_BAD_RSA_DECRYPT 118
1650#define SSL_R_BAD_RSA_ENCRYPT 119
1651#define SSL_R_BAD_RSA_E_LENGTH 120
1652#define SSL_R_BAD_RSA_MODULUS_LENGTH 121
1653#define SSL_R_BAD_RSA_SIGNATURE 122
1654#define SSL_R_BAD_SIGNATURE 123
1655#define SSL_R_BAD_SSL_FILETYPE 124
1656#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
1657#define SSL_R_BAD_STATE 126
1658#define SSL_R_BAD_WRITE_RETRY 127
1659#define SSL_R_BIO_NOT_SET 128
1660#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
1661#define SSL_R_BN_LIB 130
1662#define SSL_R_CA_DN_LENGTH_MISMATCH 131
1663#define SSL_R_CA_DN_TOO_LONG 132
1664#define SSL_R_CCS_RECEIVED_EARLY 133
1665#define SSL_R_CERTIFICATE_VERIFY_FAILED 134
1666#define SSL_R_CERT_LENGTH_MISMATCH 135
1667#define SSL_R_CHALLENGE_IS_DIFFERENT 136
1668#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
1669#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
1670#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
1671#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
1672#define SSL_R_COMPRESSION_FAILURE 141
1673#define SSL_R_COMPRESSION_LIBRARY_ERROR 142
1674#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143
1675#define SSL_R_CONNECTION_TYPE_NOT_SET 144
1676#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145
1677#define SSL_R_DATA_LENGTH_TOO_LONG 146
1678#define SSL_R_DECRYPTION_FAILED 147
1679#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
1680#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
1681#define SSL_R_DIGEST_CHECK_FAILED 149
1682#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
1683#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
1684#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
1685#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
1686#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
1687#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
1688#define SSL_R_HTTPS_PROXY_REQUEST 155
1689#define SSL_R_HTTP_REQUEST 156
1690#define SSL_R_ILLEGAL_PADDING 283
1691#define SSL_R_INVALID_CHALLENGE_LENGTH 158
1692#define SSL_R_INVALID_COMMAND 280
1693#define SSL_R_INVALID_PURPOSE 278
1694#define SSL_R_INVALID_TRUST 279
1695#define SSL_R_KEY_ARG_TOO_LONG 284
1696#define SSL_R_KRB5 285
1697#define SSL_R_KRB5_C_CC_PRINC 286
1698#define SSL_R_KRB5_C_GET_CRED 287
1699#define SSL_R_KRB5_C_INIT 288
1700#define SSL_R_KRB5_C_MK_REQ 289
1701#define SSL_R_KRB5_S_BAD_TICKET 290
1702#define SSL_R_KRB5_S_INIT 291
1703#define SSL_R_KRB5_S_RD_REQ 292
1704#define SSL_R_KRB5_S_TKT_EXPIRED 293
1705#define SSL_R_KRB5_S_TKT_NYV 294
1706#define SSL_R_KRB5_S_TKT_SKEW 295
1707#define SSL_R_LENGTH_MISMATCH 159
1708#define SSL_R_LENGTH_TOO_SHORT 160
1709#define SSL_R_LIBRARY_BUG 274
1710#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
1711#define SSL_R_MESSAGE_TOO_LONG 296
1712#define SSL_R_MISSING_DH_DSA_CERT 162
1713#define SSL_R_MISSING_DH_KEY 163
1714#define SSL_R_MISSING_DH_RSA_CERT 164
1715#define SSL_R_MISSING_DSA_SIGNING_CERT 165
1716#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
1717#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
1718#define SSL_R_MISSING_RSA_CERTIFICATE 168
1719#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
1720#define SSL_R_MISSING_RSA_SIGNING_CERT 170
1721#define SSL_R_MISSING_TMP_DH_KEY 171
1722#define SSL_R_MISSING_TMP_RSA_KEY 172
1723#define SSL_R_MISSING_TMP_RSA_PKEY 173
1724#define SSL_R_MISSING_VERIFY_MESSAGE 174
1725#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
1726#define SSL_R_NO_CERTIFICATES_RETURNED 176
1727#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
1728#define SSL_R_NO_CERTIFICATE_RETURNED 178
1729#define SSL_R_NO_CERTIFICATE_SET 179
1730#define SSL_R_NO_CERTIFICATE_SPECIFIED 180
1731#define SSL_R_NO_CIPHERS_AVAILABLE 181
1732#define SSL_R_NO_CIPHERS_PASSED 182
1733#define SSL_R_NO_CIPHERS_SPECIFIED 183
1734#define SSL_R_NO_CIPHER_LIST 184
1735#define SSL_R_NO_CIPHER_MATCH 185
1736#define SSL_R_NO_CLIENT_CERT_RECEIVED 186
1737#define SSL_R_NO_COMPRESSION_SPECIFIED 187
1738#define SSL_R_NO_METHOD_SPECIFIED 188
1739#define SSL_R_NO_PRIVATEKEY 189
1740#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
1741#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
1742#define SSL_R_NO_PUBLICKEY 192
1743#define SSL_R_NO_SHARED_CIPHER 193
1744#define SSL_R_NO_VERIFY_CALLBACK 194
1745#define SSL_R_NULL_SSL_CTX 195
1746#define SSL_R_NULL_SSL_METHOD_PASSED 196
1747#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
1748#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
1749#define SSL_R_PACKET_LENGTH_TOO_LONG 198
1750#define SSL_R_PATH_TOO_LONG 270
1751#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
1752#define SSL_R_PEER_ERROR 200
1753#define SSL_R_PEER_ERROR_CERTIFICATE 201
1754#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202
1755#define SSL_R_PEER_ERROR_NO_CIPHER 203
1756#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204
1757#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205
1758#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206
1759#define SSL_R_PROTOCOL_IS_SHUTDOWN 207
1760#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208
1761#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209
1762#define SSL_R_PUBLIC_KEY_NOT_RSA 210
1763#define SSL_R_READ_BIO_NOT_SET 211
1764#define SSL_R_READ_WRONG_PACKET_TYPE 212
1765#define SSL_R_RECORD_LENGTH_MISMATCH 213
1766#define SSL_R_RECORD_TOO_LARGE 214
1767#define SSL_R_RECORD_TOO_SMALL 298
1768#define SSL_R_REQUIRED_CIPHER_MISSING 215
1769#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
1770#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
1771#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
1772#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
1773#define SSL_R_SHORT_READ 219
1774#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
1775#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
1776#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299
1777#define SSL_R_SSL3_SESSION_ID_TOO_LONG 300
1778#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
1779#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
1780#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
1781#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
1782#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044
1783#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046
1784#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030
1785#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
1786#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
1787#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
1788#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
1789#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
1790#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
1791#define SSL_R_SSL_HANDSHAKE_FAILURE 229
1792#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
1793#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301
1794#define SSL_R_SSL_SESSION_ID_CONFLICT 302
1795#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
1796#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303
1797#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231
1798#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
1799#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
1800#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
1801#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
1802#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
1803#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
1804#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
1805#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
1806#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
1807#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
1808#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
1809#define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
1810#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
1811#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
1812#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
1813#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
1814#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
1815#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237
1816#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
1817#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
1818#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240
1819#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241
1820#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
1821#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
1822#define SSL_R_UNEXPECTED_MESSAGE 244
1823#define SSL_R_UNEXPECTED_RECORD 245
1824#define SSL_R_UNINITIALIZED 276
1825#define SSL_R_UNKNOWN_ALERT_TYPE 246
1826#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
1827#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
1828#define SSL_R_UNKNOWN_CIPHER_TYPE 249
1829#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
1830#define SSL_R_UNKNOWN_PKEY_TYPE 251
1831#define SSL_R_UNKNOWN_PROTOCOL 252
1832#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
1833#define SSL_R_UNKNOWN_SSL_VERSION 254
1834#define SSL_R_UNKNOWN_STATE 255
1835#define SSL_R_UNSUPPORTED_CIPHER 256
1836#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
1837#define SSL_R_UNSUPPORTED_PROTOCOL 258
1838#define SSL_R_UNSUPPORTED_SSL_VERSION 259
1839#define SSL_R_WRITE_BIO_NOT_SET 260
1840#define SSL_R_WRONG_CIPHER_RETURNED 261
1841#define SSL_R_WRONG_MESSAGE_TYPE 262
1842#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
1843#define SSL_R_WRONG_SIGNATURE_LENGTH 264
1844#define SSL_R_WRONG_SIGNATURE_SIZE 265
1845#define SSL_R_WRONG_SSL_VERSION 266
1846#define SSL_R_WRONG_VERSION_NUMBER 267
1847#define SSL_R_X509_LIB 268
1848#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
1849
1850#ifdef __cplusplus
1851}
1852#endif
1853#endif
diff --git a/src/lib/libssl/ssl2.h b/src/lib/libssl/ssl2.h
deleted file mode 100644
index 99a52ea0dd..0000000000
--- a/src/lib/libssl/ssl2.h
+++ /dev/null
@@ -1,268 +0,0 @@
1/* ssl/ssl2.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL2_H
60#define HEADER_SSL2_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/* Protocol Version Codes */
67#define SSL2_VERSION 0x0002
68#define SSL2_VERSION_MAJOR 0x00
69#define SSL2_VERSION_MINOR 0x02
70/* #define SSL2_CLIENT_VERSION 0x0002 */
71/* #define SSL2_SERVER_VERSION 0x0002 */
72
73/* Protocol Message Codes */
74#define SSL2_MT_ERROR 0
75#define SSL2_MT_CLIENT_HELLO 1
76#define SSL2_MT_CLIENT_MASTER_KEY 2
77#define SSL2_MT_CLIENT_FINISHED 3
78#define SSL2_MT_SERVER_HELLO 4
79#define SSL2_MT_SERVER_VERIFY 5
80#define SSL2_MT_SERVER_FINISHED 6
81#define SSL2_MT_REQUEST_CERTIFICATE 7
82#define SSL2_MT_CLIENT_CERTIFICATE 8
83
84/* Error Message Codes */
85#define SSL2_PE_UNDEFINED_ERROR 0x0000
86#define SSL2_PE_NO_CIPHER 0x0001
87#define SSL2_PE_NO_CERTIFICATE 0x0002
88#define SSL2_PE_BAD_CERTIFICATE 0x0004
89#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
90
91/* Cipher Kind Values */
92#define SSL2_CK_NULL_WITH_MD5 0x02000000 /* v3 */
93#define SSL2_CK_RC4_128_WITH_MD5 0x02010080
94#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5 0x02020080
95#define SSL2_CK_RC2_128_CBC_WITH_MD5 0x02030080
96#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x02040080
97#define SSL2_CK_IDEA_128_CBC_WITH_MD5 0x02050080
98#define SSL2_CK_DES_64_CBC_WITH_MD5 0x02060040
99#define SSL2_CK_DES_64_CBC_WITH_SHA 0x02060140 /* v3 */
100#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 0x020700c0
101#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA 0x020701c0 /* v3 */
102#define SSL2_CK_RC4_64_WITH_MD5 0x02080080 /* MS hack */
103
104#define SSL2_CK_DES_64_CFB64_WITH_MD5_1 0x02ff0800 /* SSLeay */
105#define SSL2_CK_NULL 0x02ff0810 /* SSLeay */
106
107#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1 "DES-CFB-M1"
108#define SSL2_TXT_NULL_WITH_MD5 "NULL-MD5"
109#define SSL2_TXT_RC4_128_WITH_MD5 "RC4-MD5"
110#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 "EXP-RC4-MD5"
111#define SSL2_TXT_RC2_128_CBC_WITH_MD5 "RC2-CBC-MD5"
112#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 "EXP-RC2-CBC-MD5"
113#define SSL2_TXT_IDEA_128_CBC_WITH_MD5 "IDEA-CBC-MD5"
114#define SSL2_TXT_DES_64_CBC_WITH_MD5 "DES-CBC-MD5"
115#define SSL2_TXT_DES_64_CBC_WITH_SHA "DES-CBC-SHA"
116#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 "DES-CBC3-MD5"
117#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA "DES-CBC3-SHA"
118#define SSL2_TXT_RC4_64_WITH_MD5 "RC4-64-MD5"
119
120#define SSL2_TXT_NULL "NULL"
121
122/* Flags for the SSL_CIPHER.algorithm2 field */
123#define SSL2_CF_5_BYTE_ENC 0x01
124#define SSL2_CF_8_BYTE_ENC 0x02
125
126/* Certificate Type Codes */
127#define SSL2_CT_X509_CERTIFICATE 0x01
128
129/* Authentication Type Code */
130#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION 0x01
131
132#define SSL2_MAX_SSL_SESSION_ID_LENGTH 32
133
134/* Upper/Lower Bounds */
135#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256
136#ifdef OPENSSL_SYS_MPE
137#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u
138#else
139#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */
140#endif
141#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */
142
143#define SSL2_CHALLENGE_LENGTH 16
144/*#define SSL2_CHALLENGE_LENGTH 32 */
145#define SSL2_MIN_CHALLENGE_LENGTH 16
146#define SSL2_MAX_CHALLENGE_LENGTH 32
147#define SSL2_CONNECTION_ID_LENGTH 16
148#define SSL2_MAX_CONNECTION_ID_LENGTH 16
149#define SSL2_SSL_SESSION_ID_LENGTH 16
150#define SSL2_MAX_CERT_CHALLENGE_LENGTH 32
151#define SSL2_MIN_CERT_CHALLENGE_LENGTH 16
152#define SSL2_MAX_KEY_MATERIAL_LENGTH 24
153
154#ifndef HEADER_SSL_LOCL_H
155#define CERT char
156#endif
157
158typedef struct ssl2_state_st
159 {
160 int three_byte_header;
161 int clear_text; /* clear text */
162 int escape; /* not used in SSLv2 */
163 int ssl2_rollback; /* used if SSLv23 rolled back to SSLv2 */
164
165 /* non-blocking io info, used to make sure the same
166 * args were passwd */
167 unsigned int wnum; /* number of bytes sent so far */
168 int wpend_tot;
169 const unsigned char *wpend_buf;
170
171 int wpend_off; /* offset to data to write */
172 int wpend_len; /* number of bytes passwd to write */
173 int wpend_ret; /* number of bytes to return to caller */
174
175 /* buffer raw data */
176 int rbuf_left;
177 int rbuf_offs;
178 unsigned char *rbuf;
179 unsigned char *wbuf;
180
181 unsigned char *write_ptr;/* used to point to the start due to
182 * 2/3 byte header. */
183
184 unsigned int padding;
185 unsigned int rlength; /* passed to ssl2_enc */
186 int ract_data_length; /* Set when things are encrypted. */
187 unsigned int wlength; /* passed to ssl2_enc */
188 int wact_data_length; /* Set when things are decrypted. */
189 unsigned char *ract_data;
190 unsigned char *wact_data;
191 unsigned char *mac_data;
192
193 unsigned char *read_key;
194 unsigned char *write_key;
195
196 /* Stuff specifically to do with this SSL session */
197 unsigned int challenge_length;
198 unsigned char challenge[SSL2_MAX_CHALLENGE_LENGTH];
199 unsigned int conn_id_length;
200 unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
201 unsigned int key_material_length;
202 unsigned char key_material[SSL2_MAX_KEY_MATERIAL_LENGTH*2];
203
204 unsigned long read_sequence;
205 unsigned long write_sequence;
206
207 struct {
208 unsigned int conn_id_length;
209 unsigned int cert_type;
210 unsigned int cert_length;
211 unsigned int csl;
212 unsigned int clear;
213 unsigned int enc;
214 unsigned char ccl[SSL2_MAX_CERT_CHALLENGE_LENGTH];
215 unsigned int cipher_spec_length;
216 unsigned int session_id_length;
217 unsigned int clen;
218 unsigned int rlen;
219 } tmp;
220 } SSL2_STATE;
221
222/* SSLv2 */
223/* client */
224#define SSL2_ST_SEND_CLIENT_HELLO_A (0x10|SSL_ST_CONNECT)
225#define SSL2_ST_SEND_CLIENT_HELLO_B (0x11|SSL_ST_CONNECT)
226#define SSL2_ST_GET_SERVER_HELLO_A (0x20|SSL_ST_CONNECT)
227#define SSL2_ST_GET_SERVER_HELLO_B (0x21|SSL_ST_CONNECT)
228#define SSL2_ST_SEND_CLIENT_MASTER_KEY_A (0x30|SSL_ST_CONNECT)
229#define SSL2_ST_SEND_CLIENT_MASTER_KEY_B (0x31|SSL_ST_CONNECT)
230#define SSL2_ST_SEND_CLIENT_FINISHED_A (0x40|SSL_ST_CONNECT)
231#define SSL2_ST_SEND_CLIENT_FINISHED_B (0x41|SSL_ST_CONNECT)
232#define SSL2_ST_SEND_CLIENT_CERTIFICATE_A (0x50|SSL_ST_CONNECT)
233#define SSL2_ST_SEND_CLIENT_CERTIFICATE_B (0x51|SSL_ST_CONNECT)
234#define SSL2_ST_SEND_CLIENT_CERTIFICATE_C (0x52|SSL_ST_CONNECT)
235#define SSL2_ST_SEND_CLIENT_CERTIFICATE_D (0x53|SSL_ST_CONNECT)
236#define SSL2_ST_GET_SERVER_VERIFY_A (0x60|SSL_ST_CONNECT)
237#define SSL2_ST_GET_SERVER_VERIFY_B (0x61|SSL_ST_CONNECT)
238#define SSL2_ST_GET_SERVER_FINISHED_A (0x70|SSL_ST_CONNECT)
239#define SSL2_ST_GET_SERVER_FINISHED_B (0x71|SSL_ST_CONNECT)
240#define SSL2_ST_CLIENT_START_ENCRYPTION (0x80|SSL_ST_CONNECT)
241#define SSL2_ST_X509_GET_CLIENT_CERTIFICATE (0x90|SSL_ST_CONNECT)
242/* server */
243#define SSL2_ST_GET_CLIENT_HELLO_A (0x10|SSL_ST_ACCEPT)
244#define SSL2_ST_GET_CLIENT_HELLO_B (0x11|SSL_ST_ACCEPT)
245#define SSL2_ST_GET_CLIENT_HELLO_C (0x12|SSL_ST_ACCEPT)
246#define SSL2_ST_SEND_SERVER_HELLO_A (0x20|SSL_ST_ACCEPT)
247#define SSL2_ST_SEND_SERVER_HELLO_B (0x21|SSL_ST_ACCEPT)
248#define SSL2_ST_GET_CLIENT_MASTER_KEY_A (0x30|SSL_ST_ACCEPT)
249#define SSL2_ST_GET_CLIENT_MASTER_KEY_B (0x31|SSL_ST_ACCEPT)
250#define SSL2_ST_SEND_SERVER_VERIFY_A (0x40|SSL_ST_ACCEPT)
251#define SSL2_ST_SEND_SERVER_VERIFY_B (0x41|SSL_ST_ACCEPT)
252#define SSL2_ST_SEND_SERVER_VERIFY_C (0x42|SSL_ST_ACCEPT)
253#define SSL2_ST_GET_CLIENT_FINISHED_A (0x50|SSL_ST_ACCEPT)
254#define SSL2_ST_GET_CLIENT_FINISHED_B (0x51|SSL_ST_ACCEPT)
255#define SSL2_ST_SEND_SERVER_FINISHED_A (0x60|SSL_ST_ACCEPT)
256#define SSL2_ST_SEND_SERVER_FINISHED_B (0x61|SSL_ST_ACCEPT)
257#define SSL2_ST_SEND_REQUEST_CERTIFICATE_A (0x70|SSL_ST_ACCEPT)
258#define SSL2_ST_SEND_REQUEST_CERTIFICATE_B (0x71|SSL_ST_ACCEPT)
259#define SSL2_ST_SEND_REQUEST_CERTIFICATE_C (0x72|SSL_ST_ACCEPT)
260#define SSL2_ST_SEND_REQUEST_CERTIFICATE_D (0x73|SSL_ST_ACCEPT)
261#define SSL2_ST_SERVER_START_ENCRYPTION (0x80|SSL_ST_ACCEPT)
262#define SSL2_ST_X509_GET_SERVER_CERTIFICATE (0x90|SSL_ST_ACCEPT)
263
264#ifdef __cplusplus
265}
266#endif
267#endif
268
diff --git a/src/lib/libssl/ssl23.h b/src/lib/libssl/ssl23.h
deleted file mode 100644
index d3228983c7..0000000000
--- a/src/lib/libssl/ssl23.h
+++ /dev/null
@@ -1,83 +0,0 @@
1/* ssl/ssl23.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL23_H
60#define HEADER_SSL23_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/*client */
67/* write to server */
68#define SSL23_ST_CW_CLNT_HELLO_A (0x210|SSL_ST_CONNECT)
69#define SSL23_ST_CW_CLNT_HELLO_B (0x211|SSL_ST_CONNECT)
70/* read from server */
71#define SSL23_ST_CR_SRVR_HELLO_A (0x220|SSL_ST_CONNECT)
72#define SSL23_ST_CR_SRVR_HELLO_B (0x221|SSL_ST_CONNECT)
73
74/* server */
75/* read from client */
76#define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
77#define SSL23_ST_SR_CLNT_HELLO_B (0x211|SSL_ST_ACCEPT)
78
79#ifdef __cplusplus
80}
81#endif
82#endif
83
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
deleted file mode 100644
index 1153aeda74..0000000000
--- a/src/lib/libssl/ssl3.h
+++ /dev/null
@@ -1,526 +0,0 @@
1/* ssl/ssl3.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#ifndef HEADER_SSL3_H
113#define HEADER_SSL3_H
114
115#ifndef OPENSSL_NO_COMP
116#include <openssl/comp.h>
117#endif
118#include <openssl/buffer.h>
119#include <openssl/evp.h>
120#include <openssl/ssl.h>
121
122#ifdef __cplusplus
123extern "C" {
124#endif
125
126#define SSL3_CK_RSA_NULL_MD5 0x03000001
127#define SSL3_CK_RSA_NULL_SHA 0x03000002
128#define SSL3_CK_RSA_RC4_40_MD5 0x03000003
129#define SSL3_CK_RSA_RC4_128_MD5 0x03000004
130#define SSL3_CK_RSA_RC4_128_SHA 0x03000005
131#define SSL3_CK_RSA_RC2_40_MD5 0x03000006
132#define SSL3_CK_RSA_IDEA_128_SHA 0x03000007
133#define SSL3_CK_RSA_DES_40_CBC_SHA 0x03000008
134#define SSL3_CK_RSA_DES_64_CBC_SHA 0x03000009
135#define SSL3_CK_RSA_DES_192_CBC3_SHA 0x0300000A
136
137#define SSL3_CK_DH_DSS_DES_40_CBC_SHA 0x0300000B
138#define SSL3_CK_DH_DSS_DES_64_CBC_SHA 0x0300000C
139#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA 0x0300000D
140#define SSL3_CK_DH_RSA_DES_40_CBC_SHA 0x0300000E
141#define SSL3_CK_DH_RSA_DES_64_CBC_SHA 0x0300000F
142#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA 0x03000010
143
144#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA 0x03000011
145#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA 0x03000012
146#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA 0x03000013
147#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA 0x03000014
148#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA 0x03000015
149#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA 0x03000016
150
151#define SSL3_CK_ADH_RC4_40_MD5 0x03000017
152#define SSL3_CK_ADH_RC4_128_MD5 0x03000018
153#define SSL3_CK_ADH_DES_40_CBC_SHA 0x03000019
154#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A
155#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B
156
157#define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C
158#define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
159#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
160 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
161 of the ietf-tls list */
162#define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
163#endif
164
165/* VRS Additional Kerberos5 entries
166 */
167#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0300001E
168#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0300001F
169#define SSL3_CK_KRB5_RC4_128_SHA 0x03000020
170#define SSL3_CK_KRB5_IDEA_128_CBC_SHA 0x03000021
171#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000022
172#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000023
173#define SSL3_CK_KRB5_RC4_128_MD5 0x03000024
174#define SSL3_CK_KRB5_IDEA_128_CBC_MD5 0x03000025
175
176#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000026
177#define SSL3_CK_KRB5_RC2_40_CBC_SHA 0x03000027
178#define SSL3_CK_KRB5_RC4_40_SHA 0x03000028
179#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000029
180#define SSL3_CK_KRB5_RC2_40_CBC_MD5 0x0300002A
181#define SSL3_CK_KRB5_RC4_40_MD5 0x0300002B
182
183#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
184#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
185#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5"
186#define SSL3_TXT_RSA_RC4_128_MD5 "RC4-MD5"
187#define SSL3_TXT_RSA_RC4_128_SHA "RC4-SHA"
188#define SSL3_TXT_RSA_RC2_40_MD5 "EXP-RC2-CBC-MD5"
189#define SSL3_TXT_RSA_IDEA_128_SHA "IDEA-CBC-SHA"
190#define SSL3_TXT_RSA_DES_40_CBC_SHA "EXP-DES-CBC-SHA"
191#define SSL3_TXT_RSA_DES_64_CBC_SHA "DES-CBC-SHA"
192#define SSL3_TXT_RSA_DES_192_CBC3_SHA "DES-CBC3-SHA"
193
194#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA "EXP-DH-DSS-DES-CBC-SHA"
195#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA "DH-DSS-DES-CBC-SHA"
196#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA "DH-DSS-DES-CBC3-SHA"
197#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA "EXP-DH-RSA-DES-CBC-SHA"
198#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA "DH-RSA-DES-CBC-SHA"
199#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA "DH-RSA-DES-CBC3-SHA"
200
201#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA "EXP-EDH-DSS-DES-CBC-SHA"
202#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA "EDH-DSS-DES-CBC-SHA"
203#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA "EDH-DSS-DES-CBC3-SHA"
204#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA "EXP-EDH-RSA-DES-CBC-SHA"
205#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA "EDH-RSA-DES-CBC-SHA"
206#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA "EDH-RSA-DES-CBC3-SHA"
207
208#define SSL3_TXT_ADH_RC4_40_MD5 "EXP-ADH-RC4-MD5"
209#define SSL3_TXT_ADH_RC4_128_MD5 "ADH-RC4-MD5"
210#define SSL3_TXT_ADH_DES_40_CBC_SHA "EXP-ADH-DES-CBC-SHA"
211#define SSL3_TXT_ADH_DES_64_CBC_SHA "ADH-DES-CBC-SHA"
212#define SSL3_TXT_ADH_DES_192_CBC_SHA "ADH-DES-CBC3-SHA"
213
214#define SSL3_TXT_FZA_DMS_NULL_SHA "FZA-NULL-SHA"
215#define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA"
216#define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA"
217
218#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
219#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
220#define SSL3_TXT_KRB5_RC4_128_SHA "KRB5-RC4-SHA"
221#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA "KRB5-IDEA-CBC-SHA"
222#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5"
223#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5"
224#define SSL3_TXT_KRB5_RC4_128_MD5 "KRB5-RC4-MD5"
225#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5 "KRB5-IDEA-CBC-MD5"
226
227#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA"
228#define SSL3_TXT_KRB5_RC2_40_CBC_SHA "EXP-KRB5-RC2-CBC-SHA"
229#define SSL3_TXT_KRB5_RC4_40_SHA "EXP-KRB5-RC4-SHA"
230#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5"
231#define SSL3_TXT_KRB5_RC2_40_CBC_MD5 "EXP-KRB5-RC2-CBC-MD5"
232#define SSL3_TXT_KRB5_RC4_40_MD5 "EXP-KRB5-RC4-MD5"
233
234#define SSL3_SSL_SESSION_ID_LENGTH 32
235#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32
236
237#define SSL3_MASTER_SECRET_SIZE 48
238#define SSL3_RANDOM_SIZE 32
239#define SSL3_SESSION_ID_SIZE 32
240#define SSL3_RT_HEADER_LENGTH 5
241
242/* Due to MS stuffing up, this can change.... */
243#if defined(OPENSSL_SYS_WIN16) || \
244 (defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32))
245#define SSL3_RT_MAX_EXTRA (14000)
246#else
247#define SSL3_RT_MAX_EXTRA (16384)
248#endif
249
250#define SSL3_RT_MAX_PLAIN_LENGTH 16384
251#define SSL3_RT_MAX_COMPRESSED_LENGTH (1024+SSL3_RT_MAX_PLAIN_LENGTH)
252#define SSL3_RT_MAX_ENCRYPTED_LENGTH (1024+SSL3_RT_MAX_COMPRESSED_LENGTH)
253#define SSL3_RT_MAX_PACKET_SIZE (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
254#define SSL3_RT_MAX_DATA_SIZE (1024*1024)
255
256#define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
257#define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
258
259#define SSL3_VERSION 0x0300
260#define SSL3_VERSION_MAJOR 0x03
261#define SSL3_VERSION_MINOR 0x00
262
263#define SSL3_RT_CHANGE_CIPHER_SPEC 20
264#define SSL3_RT_ALERT 21
265#define SSL3_RT_HANDSHAKE 22
266#define SSL3_RT_APPLICATION_DATA 23
267
268#define SSL3_AL_WARNING 1
269#define SSL3_AL_FATAL 2
270
271#define SSL3_AD_CLOSE_NOTIFY 0
272#define SSL3_AD_UNEXPECTED_MESSAGE 10 /* fatal */
273#define SSL3_AD_BAD_RECORD_MAC 20 /* fatal */
274#define SSL3_AD_DECOMPRESSION_FAILURE 30 /* fatal */
275#define SSL3_AD_HANDSHAKE_FAILURE 40 /* fatal */
276#define SSL3_AD_NO_CERTIFICATE 41
277#define SSL3_AD_BAD_CERTIFICATE 42
278#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
279#define SSL3_AD_CERTIFICATE_REVOKED 44
280#define SSL3_AD_CERTIFICATE_EXPIRED 45
281#define SSL3_AD_CERTIFICATE_UNKNOWN 46
282#define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */
283
284typedef struct ssl3_record_st
285 {
286/*r */ int type; /* type of record */
287/*rw*/ unsigned int length; /* How many bytes available */
288/*r */ unsigned int off; /* read/write offset into 'buf' */
289/*rw*/ unsigned char *data; /* pointer to the record data */
290/*rw*/ unsigned char *input; /* where the decode bytes are */
291/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
292 } SSL3_RECORD;
293
294typedef struct ssl3_buffer_st
295 {
296 unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
297 * see ssl3_setup_buffers() */
298 size_t len; /* buffer size */
299 int offset; /* where to 'copy from' */
300 int left; /* how many bytes left */
301 } SSL3_BUFFER;
302
303#define SSL3_CT_RSA_SIGN 1
304#define SSL3_CT_DSS_SIGN 2
305#define SSL3_CT_RSA_FIXED_DH 3
306#define SSL3_CT_DSS_FIXED_DH 4
307#define SSL3_CT_RSA_EPHEMERAL_DH 5
308#define SSL3_CT_DSS_EPHEMERAL_DH 6
309#define SSL3_CT_FORTEZZA_DMS 20
310#define SSL3_CT_NUMBER 7
311
312#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
313#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
314#define SSL3_FLAGS_POP_BUFFER 0x0004
315#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
316
317typedef struct ssl3_state_st
318 {
319 long flags;
320 int delay_buf_pop_ret;
321
322 unsigned char read_sequence[8];
323 unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
324 unsigned char write_sequence[8];
325 unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
326
327 unsigned char server_random[SSL3_RANDOM_SIZE];
328 unsigned char client_random[SSL3_RANDOM_SIZE];
329
330 /* flags for countermeasure against known-IV weakness */
331 int need_empty_fragments;
332 int empty_fragment_done;
333
334 SSL3_BUFFER rbuf; /* read IO goes into here */
335 SSL3_BUFFER wbuf; /* write IO goes into here */
336
337 SSL3_RECORD rrec; /* each decoded record goes in here */
338 SSL3_RECORD wrec; /* goes out from here */
339
340 /* storage for Alert/Handshake protocol data received but not
341 * yet processed by ssl3_read_bytes: */
342 unsigned char alert_fragment[2];
343 unsigned int alert_fragment_len;
344 unsigned char handshake_fragment[4];
345 unsigned int handshake_fragment_len;
346
347 /* partial write - check the numbers match */
348 unsigned int wnum; /* number of bytes sent so far */
349 int wpend_tot; /* number bytes written */
350 int wpend_type;
351 int wpend_ret; /* number of bytes submitted */
352 const unsigned char *wpend_buf;
353
354 /* used during startup, digest all incoming/outgoing packets */
355 EVP_MD_CTX finish_dgst1;
356 EVP_MD_CTX finish_dgst2;
357
358 /* this is set whenerver we see a change_cipher_spec message
359 * come in when we are not looking for one */
360 int change_cipher_spec;
361
362 int warn_alert;
363 int fatal_alert;
364 /* we allow one fatal and one warning alert to be outstanding,
365 * send close alert via the warning alert */
366 int alert_dispatch;
367 unsigned char send_alert[2];
368
369 /* This flag is set when we should renegotiate ASAP, basically when
370 * there is no more data in the read or write buffers */
371 int renegotiate;
372 int total_renegotiations;
373 int num_renegotiations;
374
375 int in_read_app_data;
376
377 struct {
378 /* actually only needs to be 16+20 */
379 unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
380
381 /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
382 unsigned char finish_md[EVP_MAX_MD_SIZE*2];
383 int finish_md_len;
384 unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
385 int peer_finish_md_len;
386
387 unsigned long message_size;
388 int message_type;
389
390 /* used to hold the new cipher we are going to use */
391 SSL_CIPHER *new_cipher;
392#ifndef OPENSSL_NO_DH
393 DH *dh;
394#endif
395 /* used when SSL_ST_FLUSH_DATA is entered */
396 int next_state;
397
398 int reuse_message;
399
400 /* used for certificate requests */
401 int cert_req;
402 int ctype_num;
403 char ctype[SSL3_CT_NUMBER];
404 STACK_OF(X509_NAME) *ca_names;
405
406 int use_rsa_tmp;
407
408 int key_block_length;
409 unsigned char *key_block;
410
411 const EVP_CIPHER *new_sym_enc;
412 const EVP_MD *new_hash;
413#ifndef OPENSSL_NO_COMP
414 const SSL_COMP *new_compression;
415#else
416 char *new_compression;
417#endif
418 int cert_request;
419 } tmp;
420
421 } SSL3_STATE;
422
423/* SSLv3 */
424/*client */
425/* extra state */
426#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT)
427/* write to server */
428#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT)
429#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT)
430/* read from server */
431#define SSL3_ST_CR_SRVR_HELLO_A (0x120|SSL_ST_CONNECT)
432#define SSL3_ST_CR_SRVR_HELLO_B (0x121|SSL_ST_CONNECT)
433#define SSL3_ST_CR_CERT_A (0x130|SSL_ST_CONNECT)
434#define SSL3_ST_CR_CERT_B (0x131|SSL_ST_CONNECT)
435#define SSL3_ST_CR_KEY_EXCH_A (0x140|SSL_ST_CONNECT)
436#define SSL3_ST_CR_KEY_EXCH_B (0x141|SSL_ST_CONNECT)
437#define SSL3_ST_CR_CERT_REQ_A (0x150|SSL_ST_CONNECT)
438#define SSL3_ST_CR_CERT_REQ_B (0x151|SSL_ST_CONNECT)
439#define SSL3_ST_CR_SRVR_DONE_A (0x160|SSL_ST_CONNECT)
440#define SSL3_ST_CR_SRVR_DONE_B (0x161|SSL_ST_CONNECT)
441/* write to server */
442#define SSL3_ST_CW_CERT_A (0x170|SSL_ST_CONNECT)
443#define SSL3_ST_CW_CERT_B (0x171|SSL_ST_CONNECT)
444#define SSL3_ST_CW_CERT_C (0x172|SSL_ST_CONNECT)
445#define SSL3_ST_CW_CERT_D (0x173|SSL_ST_CONNECT)
446#define SSL3_ST_CW_KEY_EXCH_A (0x180|SSL_ST_CONNECT)
447#define SSL3_ST_CW_KEY_EXCH_B (0x181|SSL_ST_CONNECT)
448#define SSL3_ST_CW_CERT_VRFY_A (0x190|SSL_ST_CONNECT)
449#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
450#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
451#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
452#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
453#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
454/* read from server */
455#define SSL3_ST_CR_CHANGE_A (0x1C0|SSL_ST_CONNECT)
456#define SSL3_ST_CR_CHANGE_B (0x1C1|SSL_ST_CONNECT)
457#define SSL3_ST_CR_FINISHED_A (0x1D0|SSL_ST_CONNECT)
458#define SSL3_ST_CR_FINISHED_B (0x1D1|SSL_ST_CONNECT)
459
460/* server */
461/* extra state */
462#define SSL3_ST_SW_FLUSH (0x100|SSL_ST_ACCEPT)
463/* read from client */
464/* Do not change the number values, they do matter */
465#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
466#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
467#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
468/* write to client */
469#define SSL3_ST_SW_HELLO_REQ_A (0x120|SSL_ST_ACCEPT)
470#define SSL3_ST_SW_HELLO_REQ_B (0x121|SSL_ST_ACCEPT)
471#define SSL3_ST_SW_HELLO_REQ_C (0x122|SSL_ST_ACCEPT)
472#define SSL3_ST_SW_SRVR_HELLO_A (0x130|SSL_ST_ACCEPT)
473#define SSL3_ST_SW_SRVR_HELLO_B (0x131|SSL_ST_ACCEPT)
474#define SSL3_ST_SW_CERT_A (0x140|SSL_ST_ACCEPT)
475#define SSL3_ST_SW_CERT_B (0x141|SSL_ST_ACCEPT)
476#define SSL3_ST_SW_KEY_EXCH_A (0x150|SSL_ST_ACCEPT)
477#define SSL3_ST_SW_KEY_EXCH_B (0x151|SSL_ST_ACCEPT)
478#define SSL3_ST_SW_CERT_REQ_A (0x160|SSL_ST_ACCEPT)
479#define SSL3_ST_SW_CERT_REQ_B (0x161|SSL_ST_ACCEPT)
480#define SSL3_ST_SW_SRVR_DONE_A (0x170|SSL_ST_ACCEPT)
481#define SSL3_ST_SW_SRVR_DONE_B (0x171|SSL_ST_ACCEPT)
482/* read from client */
483#define SSL3_ST_SR_CERT_A (0x180|SSL_ST_ACCEPT)
484#define SSL3_ST_SR_CERT_B (0x181|SSL_ST_ACCEPT)
485#define SSL3_ST_SR_KEY_EXCH_A (0x190|SSL_ST_ACCEPT)
486#define SSL3_ST_SR_KEY_EXCH_B (0x191|SSL_ST_ACCEPT)
487#define SSL3_ST_SR_CERT_VRFY_A (0x1A0|SSL_ST_ACCEPT)
488#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
489#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
490#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
491#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
492#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
493/* write to client */
494#define SSL3_ST_SW_CHANGE_A (0x1D0|SSL_ST_ACCEPT)
495#define SSL3_ST_SW_CHANGE_B (0x1D1|SSL_ST_ACCEPT)
496#define SSL3_ST_SW_FINISHED_A (0x1E0|SSL_ST_ACCEPT)
497#define SSL3_ST_SW_FINISHED_B (0x1E1|SSL_ST_ACCEPT)
498
499#define SSL3_MT_HELLO_REQUEST 0
500#define SSL3_MT_CLIENT_HELLO 1
501#define SSL3_MT_SERVER_HELLO 2
502#define SSL3_MT_CERTIFICATE 11
503#define SSL3_MT_SERVER_KEY_EXCHANGE 12
504#define SSL3_MT_CERTIFICATE_REQUEST 13
505#define SSL3_MT_SERVER_DONE 14
506#define SSL3_MT_CERTIFICATE_VERIFY 15
507#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
508#define SSL3_MT_FINISHED 20
509
510#define SSL3_MT_CCS 1
511
512/* These are used when changing over to a new cipher */
513#define SSL3_CC_READ 0x01
514#define SSL3_CC_WRITE 0x02
515#define SSL3_CC_CLIENT 0x10
516#define SSL3_CC_SERVER 0x20
517#define SSL3_CHANGE_CIPHER_CLIENT_WRITE (SSL3_CC_CLIENT|SSL3_CC_WRITE)
518#define SSL3_CHANGE_CIPHER_SERVER_READ (SSL3_CC_SERVER|SSL3_CC_READ)
519#define SSL3_CHANGE_CIPHER_CLIENT_READ (SSL3_CC_CLIENT|SSL3_CC_READ)
520#define SSL3_CHANGE_CIPHER_SERVER_WRITE (SSL3_CC_SERVER|SSL3_CC_WRITE)
521
522#ifdef __cplusplus
523}
524#endif
525#endif
526
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
deleted file mode 100644
index 3d1299ee7b..0000000000
--- a/src/lib/libssl/ssl_algs.c
+++ /dev/null
@@ -1,111 +0,0 @@
1/* ssl/ssl_algs.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/objects.h>
61#include <openssl/lhash.h>
62#include "ssl_locl.h"
63
64int SSL_library_init(void)
65 {
66
67#ifndef OPENSSL_NO_DES
68 EVP_add_cipher(EVP_des_cbc());
69 EVP_add_cipher(EVP_des_ede3_cbc());
70#endif
71#ifndef OPENSSL_NO_IDEA
72 EVP_add_cipher(EVP_idea_cbc());
73#endif
74#ifndef OPENSSL_NO_RC4
75 EVP_add_cipher(EVP_rc4());
76#endif
77#ifndef OPENSSL_NO_RC2
78 EVP_add_cipher(EVP_rc2_cbc());
79#endif
80#ifndef OPENSSL_NO_AES
81 EVP_add_cipher(EVP_aes_128_cbc());
82 EVP_add_cipher(EVP_aes_192_cbc());
83 EVP_add_cipher(EVP_aes_256_cbc());
84#endif
85#ifndef OPENSSL_NO_MD2
86 EVP_add_digest(EVP_md2());
87#endif
88#ifndef OPENSSL_NO_MD5
89 EVP_add_digest(EVP_md5());
90 EVP_add_digest_alias(SN_md5,"ssl2-md5");
91 EVP_add_digest_alias(SN_md5,"ssl3-md5");
92#endif
93#ifndef OPENSSL_NO_SHA
94 EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
95 EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
96 EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
97#endif
98#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
99 EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
100 EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
101 EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
102 EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
103#endif
104 /* If you want support for phased out ciphers, add the following */
105#if 0
106 EVP_add_digest(EVP_sha());
107 EVP_add_digest(EVP_dss());
108#endif
109 return(1);
110 }
111
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
deleted file mode 100644
index fc5fcce108..0000000000
--- a/src/lib/libssl/ssl_asn1.c
+++ /dev/null
@@ -1,398 +0,0 @@
1/* ssl/ssl_asn1.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include "ssl_locl.h"
62#include <openssl/asn1_mac.h>
63#include <openssl/objects.h>
64#include <openssl/x509.h>
65
66typedef struct ssl_session_asn1_st
67 {
68 ASN1_INTEGER version;
69 ASN1_INTEGER ssl_version;
70 ASN1_OCTET_STRING cipher;
71 ASN1_OCTET_STRING master_key;
72 ASN1_OCTET_STRING session_id;
73 ASN1_OCTET_STRING session_id_context;
74 ASN1_OCTET_STRING key_arg;
75#ifndef OPENSSL_NO_KRB5
76 ASN1_OCTET_STRING krb5_princ;
77#endif /* OPENSSL_NO_KRB5 */
78 ASN1_INTEGER time;
79 ASN1_INTEGER timeout;
80 ASN1_INTEGER verify_result;
81 } SSL_SESSION_ASN1;
82
83int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
84 {
85#define LSIZE2 (sizeof(long)*2)
86 int v1=0,v2=0,v3=0,v4=0,v5=0;
87 unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
88 unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
89 long l;
90 SSL_SESSION_ASN1 a;
91 M_ASN1_I2D_vars(in);
92
93 if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0)))
94 return(0);
95
96 /* Note that I cheat in the following 2 assignments. I know
97 * that if the ASN1_INTEGER passed to ASN1_INTEGER_set
98 * is > sizeof(long)+1, the buffer will not be re-OPENSSL_malloc()ed.
99 * This is a bit evil but makes things simple, no dynamic allocation
100 * to clean up :-) */
101 a.version.length=LSIZE2;
102 a.version.type=V_ASN1_INTEGER;
103 a.version.data=ibuf1;
104 ASN1_INTEGER_set(&(a.version),SSL_SESSION_ASN1_VERSION);
105
106 a.ssl_version.length=LSIZE2;
107 a.ssl_version.type=V_ASN1_INTEGER;
108 a.ssl_version.data=ibuf2;
109 ASN1_INTEGER_set(&(a.ssl_version),in->ssl_version);
110
111 a.cipher.type=V_ASN1_OCTET_STRING;
112 a.cipher.data=buf;
113
114 if (in->cipher == NULL)
115 l=in->cipher_id;
116 else
117 l=in->cipher->id;
118 if (in->ssl_version == SSL2_VERSION)
119 {
120 a.cipher.length=3;
121 buf[0]=((unsigned char)(l>>16L))&0xff;
122 buf[1]=((unsigned char)(l>> 8L))&0xff;
123 buf[2]=((unsigned char)(l ))&0xff;
124 }
125 else
126 {
127 a.cipher.length=2;
128 buf[0]=((unsigned char)(l>>8L))&0xff;
129 buf[1]=((unsigned char)(l ))&0xff;
130 }
131
132 a.master_key.length=in->master_key_length;
133 a.master_key.type=V_ASN1_OCTET_STRING;
134 a.master_key.data=in->master_key;
135
136 a.session_id.length=in->session_id_length;
137 a.session_id.type=V_ASN1_OCTET_STRING;
138 a.session_id.data=in->session_id;
139
140 a.session_id_context.length=in->sid_ctx_length;
141 a.session_id_context.type=V_ASN1_OCTET_STRING;
142 a.session_id_context.data=in->sid_ctx;
143
144 a.key_arg.length=in->key_arg_length;
145 a.key_arg.type=V_ASN1_OCTET_STRING;
146 a.key_arg.data=in->key_arg;
147
148#ifndef OPENSSL_NO_KRB5
149 if (in->krb5_client_princ_len)
150 {
151 a.krb5_princ.length=in->krb5_client_princ_len;
152 a.krb5_princ.type=V_ASN1_OCTET_STRING;
153 a.krb5_princ.data=in->krb5_client_princ;
154 }
155#endif /* OPENSSL_NO_KRB5 */
156
157 if (in->time != 0L)
158 {
159 a.time.length=LSIZE2;
160 a.time.type=V_ASN1_INTEGER;
161 a.time.data=ibuf3;
162 ASN1_INTEGER_set(&(a.time),in->time);
163 }
164
165 if (in->timeout != 0L)
166 {
167 a.timeout.length=LSIZE2;
168 a.timeout.type=V_ASN1_INTEGER;
169 a.timeout.data=ibuf4;
170 ASN1_INTEGER_set(&(a.timeout),in->timeout);
171 }
172
173 if (in->verify_result != X509_V_OK)
174 {
175 a.verify_result.length=LSIZE2;
176 a.verify_result.type=V_ASN1_INTEGER;
177 a.verify_result.data=ibuf5;
178 ASN1_INTEGER_set(&a.verify_result,in->verify_result);
179 }
180
181
182 M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
183 M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
184 M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING);
185 M_ASN1_I2D_len(&(a.session_id), i2d_ASN1_OCTET_STRING);
186 M_ASN1_I2D_len(&(a.master_key), i2d_ASN1_OCTET_STRING);
187#ifndef OPENSSL_NO_KRB5
188 if (in->krb5_client_princ_len)
189 M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
190#endif /* OPENSSL_NO_KRB5 */
191 if (in->key_arg_length > 0)
192 M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING);
193 if (in->time != 0L)
194 M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
195 if (in->timeout != 0L)
196 M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
197 if (in->peer != NULL)
198 M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
199 M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
200 if (in->verify_result != X509_V_OK)
201 M_ASN1_I2D_len_EXP_opt(&(a.verify_result),i2d_ASN1_INTEGER,5,v5);
202
203 M_ASN1_I2D_seq_total();
204
205 M_ASN1_I2D_put(&(a.version), i2d_ASN1_INTEGER);
206 M_ASN1_I2D_put(&(a.ssl_version), i2d_ASN1_INTEGER);
207 M_ASN1_I2D_put(&(a.cipher), i2d_ASN1_OCTET_STRING);
208 M_ASN1_I2D_put(&(a.session_id), i2d_ASN1_OCTET_STRING);
209 M_ASN1_I2D_put(&(a.master_key), i2d_ASN1_OCTET_STRING);
210#ifndef OPENSSL_NO_KRB5
211 if (in->krb5_client_princ_len)
212 M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
213#endif /* OPENSSL_NO_KRB5 */
214 if (in->key_arg_length > 0)
215 M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0);
216 if (in->time != 0L)
217 M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
218 if (in->timeout != 0L)
219 M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
220 if (in->peer != NULL)
221 M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
222 M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
223 v4);
224 if (in->verify_result != X509_V_OK)
225 M_ASN1_I2D_put_EXP_opt(&a.verify_result,i2d_ASN1_INTEGER,5,v5);
226 M_ASN1_I2D_finish();
227 }
228
229SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char * const *pp,
230 long length)
231 {
232 int version,ssl_version=0,i;
233 long id;
234 ASN1_INTEGER ai,*aip;
235 ASN1_OCTET_STRING os,*osp;
236 M_ASN1_D2I_vars(a,SSL_SESSION *,SSL_SESSION_new);
237
238 aip= &ai;
239 osp= &os;
240
241 M_ASN1_D2I_Init();
242 M_ASN1_D2I_start_sequence();
243
244 ai.data=NULL; ai.length=0;
245 M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER);
246 version=(int)ASN1_INTEGER_get(aip);
247 if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
248
249 /* we don't care about the version right now :-) */
250 M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER);
251 ssl_version=(int)ASN1_INTEGER_get(aip);
252 ret->ssl_version=ssl_version;
253 if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
254
255 os.data=NULL; os.length=0;
256 M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
257 if (ssl_version == SSL2_VERSION)
258 {
259 if (os.length != 3)
260 {
261 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
262 goto err;
263 }
264 id=0x02000000L|
265 ((unsigned long)os.data[0]<<16L)|
266 ((unsigned long)os.data[1]<< 8L)|
267 (unsigned long)os.data[2];
268 }
269 else if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
270 {
271 if (os.length != 2)
272 {
273 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
274 goto err;
275 }
276 id=0x03000000L|
277 ((unsigned long)os.data[0]<<8L)|
278 (unsigned long)os.data[1];
279 }
280 else
281 {
282 SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNKNOWN_SSL_VERSION);
283 return(NULL);
284 }
285
286 ret->cipher=NULL;
287 ret->cipher_id=id;
288
289 M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
290 if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
291 i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
292 else /* if (ssl_version == SSL2_VERSION_MAJOR) */
293 i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
294
295 if (os.length > i)
296 os.length = i;
297 if (os.length > sizeof ret->session_id) /* can't happen */
298 os.length = sizeof ret->session_id;
299
300 ret->session_id_length=os.length;
301 OPENSSL_assert(os.length <= sizeof ret->session_id);
302 memcpy(ret->session_id,os.data,os.length);
303
304 M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
305 if (ret->master_key_length > SSL_MAX_MASTER_KEY_LENGTH)
306 ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
307 else
308 ret->master_key_length=os.length;
309 memcpy(ret->master_key,os.data,ret->master_key_length);
310
311 os.length=0;
312
313#ifndef OPENSSL_NO_KRB5
314 os.length=0;
315 M_ASN1_D2I_get_opt(osp,d2i_ASN1_OCTET_STRING,V_ASN1_OCTET_STRING);
316 if (os.data)
317 {
318 if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH)
319 ret->krb5_client_princ_len=0;
320 else
321 ret->krb5_client_princ_len=os.length;
322 memcpy(ret->krb5_client_princ,os.data,ret->krb5_client_princ_len);
323 OPENSSL_free(os.data);
324 os.data = NULL;
325 os.length = 0;
326 }
327 else
328 ret->krb5_client_princ_len=0;
329#endif /* OPENSSL_NO_KRB5 */
330
331 M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING);
332 if (os.length > SSL_MAX_KEY_ARG_LENGTH)
333 ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH;
334 else
335 ret->key_arg_length=os.length;
336 memcpy(ret->key_arg,os.data,ret->key_arg_length);
337 if (os.data != NULL) OPENSSL_free(os.data);
338
339 ai.length=0;
340 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,1);
341 if (ai.data != NULL)
342 {
343 ret->time=ASN1_INTEGER_get(aip);
344 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
345 }
346 else
347 ret->time=(unsigned long)time(NULL);
348
349 ai.length=0;
350 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2);
351 if (ai.data != NULL)
352 {
353 ret->timeout=ASN1_INTEGER_get(aip);
354 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
355 }
356 else
357 ret->timeout=3;
358
359 if (ret->peer != NULL)
360 {
361 X509_free(ret->peer);
362 ret->peer=NULL;
363 }
364 M_ASN1_D2I_get_EXP_opt(ret->peer,d2i_X509,3);
365
366 os.length=0;
367 os.data=NULL;
368 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,4);
369
370 if(os.data != NULL)
371 {
372 if (os.length > SSL_MAX_SID_CTX_LENGTH)
373 {
374 ret->sid_ctx_length=os.length;
375 SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
376 }
377 else
378 {
379 ret->sid_ctx_length=os.length;
380 memcpy(ret->sid_ctx,os.data,os.length);
381 }
382 OPENSSL_free(os.data); os.data=NULL; os.length=0;
383 }
384 else
385 ret->sid_ctx_length=0;
386
387 ai.length=0;
388 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,5);
389 if (ai.data != NULL)
390 {
391 ret->verify_result=ASN1_INTEGER_get(aip);
392 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
393 }
394 else
395 ret->verify_result=X509_V_OK;
396
397 M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
398 }
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
deleted file mode 100644
index b779e6bb4d..0000000000
--- a/src/lib/libssl/ssl_cert.c
+++ /dev/null
@@ -1,898 +0,0 @@
1/*! \file ssl/ssl_cert.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@OpenSSL.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 */
106
107#include <stdio.h>
108
109#include "e_os.h"
110#ifndef NO_SYS_TYPES_H
111# include <sys/types.h>
112#endif
113
114#if !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) && !defined(NeXT) && !defined(MAC_OS_pre_X)
115#include <dirent.h>
116#endif
117
118#if defined(WIN32)
119#include <windows.h>
120#include <tchar.h>
121#endif
122
123#ifdef NeXT
124#include <sys/dir.h>
125#define dirent direct
126#endif
127
128#include <openssl/objects.h>
129#include <openssl/bio.h>
130#include <openssl/pem.h>
131#include <openssl/x509v3.h>
132#include "ssl_locl.h"
133#include <openssl/fips.h>
134
135int SSL_get_ex_data_X509_STORE_CTX_idx(void)
136 {
137 static volatile int ssl_x509_store_ctx_idx= -1;
138
139 if (ssl_x509_store_ctx_idx < 0)
140 {
141 /* any write lock will do; usually this branch
142 * will only be taken once anyway */
143 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
144
145 if (ssl_x509_store_ctx_idx < 0)
146 {
147 ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
148 0,"SSL for verify callback",NULL,NULL,NULL);
149 }
150
151 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
152 }
153 return ssl_x509_store_ctx_idx;
154 }
155
156CERT *ssl_cert_new(void)
157 {
158 CERT *ret;
159
160 ret=(CERT *)OPENSSL_malloc(sizeof(CERT));
161 if (ret == NULL)
162 {
163 SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE);
164 return(NULL);
165 }
166 memset(ret,0,sizeof(CERT));
167
168 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
169 ret->references=1;
170
171 return(ret);
172 }
173
174CERT *ssl_cert_dup(CERT *cert)
175 {
176 CERT *ret;
177 int i;
178
179 ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
180 if (ret == NULL)
181 {
182 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
183 return(NULL);
184 }
185
186 memset(ret, 0, sizeof(CERT));
187
188 ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
189 /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
190 * if you find that more readable */
191
192 ret->valid = cert->valid;
193 ret->mask = cert->mask;
194 ret->export_mask = cert->export_mask;
195
196#ifndef OPENSSL_NO_RSA
197 if (cert->rsa_tmp != NULL)
198 {
199 RSA_up_ref(cert->rsa_tmp);
200 ret->rsa_tmp = cert->rsa_tmp;
201 }
202 ret->rsa_tmp_cb = cert->rsa_tmp_cb;
203#endif
204
205#ifndef OPENSSL_NO_DH
206 if (cert->dh_tmp != NULL)
207 {
208 /* DH parameters don't have a reference count */
209 ret->dh_tmp = DHparams_dup(cert->dh_tmp);
210 if (ret->dh_tmp == NULL)
211 {
212 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
213 goto err;
214 }
215 if (cert->dh_tmp->priv_key)
216 {
217 BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
218 if (!b)
219 {
220 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
221 goto err;
222 }
223 ret->dh_tmp->priv_key = b;
224 }
225 if (cert->dh_tmp->pub_key)
226 {
227 BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
228 if (!b)
229 {
230 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
231 goto err;
232 }
233 ret->dh_tmp->pub_key = b;
234 }
235 }
236 ret->dh_tmp_cb = cert->dh_tmp_cb;
237#endif
238
239 for (i = 0; i < SSL_PKEY_NUM; i++)
240 {
241 if (cert->pkeys[i].x509 != NULL)
242 {
243 ret->pkeys[i].x509 = cert->pkeys[i].x509;
244 CRYPTO_add(&ret->pkeys[i].x509->references, 1,
245 CRYPTO_LOCK_X509);
246 }
247
248 if (cert->pkeys[i].privatekey != NULL)
249 {
250 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
251 CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
252 CRYPTO_LOCK_EVP_PKEY);
253
254 switch(i)
255 {
256 /* If there was anything special to do for
257 * certain types of keys, we'd do it here.
258 * (Nothing at the moment, I think.) */
259
260 case SSL_PKEY_RSA_ENC:
261 case SSL_PKEY_RSA_SIGN:
262 /* We have an RSA key. */
263 break;
264
265 case SSL_PKEY_DSA_SIGN:
266 /* We have a DSA key. */
267 break;
268
269 case SSL_PKEY_DH_RSA:
270 case SSL_PKEY_DH_DSA:
271 /* We have a DH key. */
272 break;
273
274 default:
275 /* Can't happen. */
276 SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
277 }
278 }
279 }
280
281 /* ret->extra_certs *should* exist, but currently the own certificate
282 * chain is held inside SSL_CTX */
283
284 ret->references=1;
285
286 return(ret);
287
288#ifndef OPENSSL_NO_DH /* avoid 'unreferenced label' warning if OPENSSL_NO_DH is defined */
289err:
290#endif
291#ifndef OPENSSL_NO_RSA
292 if (ret->rsa_tmp != NULL)
293 RSA_free(ret->rsa_tmp);
294#endif
295#ifndef OPENSSL_NO_DH
296 if (ret->dh_tmp != NULL)
297 DH_free(ret->dh_tmp);
298#endif
299
300 for (i = 0; i < SSL_PKEY_NUM; i++)
301 {
302 if (ret->pkeys[i].x509 != NULL)
303 X509_free(ret->pkeys[i].x509);
304 if (ret->pkeys[i].privatekey != NULL)
305 EVP_PKEY_free(ret->pkeys[i].privatekey);
306 }
307
308 return NULL;
309 }
310
311
312void ssl_cert_free(CERT *c)
313 {
314 int i;
315
316 if(c == NULL)
317 return;
318
319 i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT);
320#ifdef REF_PRINT
321 REF_PRINT("CERT",c);
322#endif
323 if (i > 0) return;
324#ifdef REF_CHECK
325 if (i < 0)
326 {
327 fprintf(stderr,"ssl_cert_free, bad reference count\n");
328 abort(); /* ok */
329 }
330#endif
331
332#ifndef OPENSSL_NO_RSA
333 if (c->rsa_tmp) RSA_free(c->rsa_tmp);
334#endif
335#ifndef OPENSSL_NO_DH
336 if (c->dh_tmp) DH_free(c->dh_tmp);
337#endif
338
339 for (i=0; i<SSL_PKEY_NUM; i++)
340 {
341 if (c->pkeys[i].x509 != NULL)
342 X509_free(c->pkeys[i].x509);
343 if (c->pkeys[i].privatekey != NULL)
344 EVP_PKEY_free(c->pkeys[i].privatekey);
345#if 0
346 if (c->pkeys[i].publickey != NULL)
347 EVP_PKEY_free(c->pkeys[i].publickey);
348#endif
349 }
350 OPENSSL_free(c);
351 }
352
353int ssl_cert_inst(CERT **o)
354 {
355 /* Create a CERT if there isn't already one
356 * (which cannot really happen, as it is initially created in
357 * SSL_CTX_new; but the earlier code usually allows for that one
358 * being non-existant, so we follow that behaviour, as it might
359 * turn out that there actually is a reason for it -- but I'm
360 * not sure that *all* of the existing code could cope with
361 * s->cert being NULL, otherwise we could do without the
362 * initialization in SSL_CTX_new).
363 */
364
365 if (o == NULL)
366 {
367 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
368 return(0);
369 }
370 if (*o == NULL)
371 {
372 if ((*o = ssl_cert_new()) == NULL)
373 {
374 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
375 return(0);
376 }
377 }
378 return(1);
379 }
380
381
382SESS_CERT *ssl_sess_cert_new(void)
383 {
384 SESS_CERT *ret;
385
386 ret = OPENSSL_malloc(sizeof *ret);
387 if (ret == NULL)
388 {
389 SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
390 return NULL;
391 }
392
393 memset(ret, 0 ,sizeof *ret);
394 ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
395 ret->references = 1;
396
397 return ret;
398 }
399
400void ssl_sess_cert_free(SESS_CERT *sc)
401 {
402 int i;
403
404 if (sc == NULL)
405 return;
406
407 i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
408#ifdef REF_PRINT
409 REF_PRINT("SESS_CERT", sc);
410#endif
411 if (i > 0)
412 return;
413#ifdef REF_CHECK
414 if (i < 0)
415 {
416 fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
417 abort(); /* ok */
418 }
419#endif
420
421 /* i == 0 */
422 if (sc->cert_chain != NULL)
423 sk_X509_pop_free(sc->cert_chain, X509_free);
424 for (i = 0; i < SSL_PKEY_NUM; i++)
425 {
426 if (sc->peer_pkeys[i].x509 != NULL)
427 X509_free(sc->peer_pkeys[i].x509);
428#if 0 /* We don't have the peer's private key. These lines are just
429 * here as a reminder that we're still using a not-quite-appropriate
430 * data structure. */
431 if (sc->peer_pkeys[i].privatekey != NULL)
432 EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
433#endif
434 }
435
436#ifndef OPENSSL_NO_RSA
437 if (sc->peer_rsa_tmp != NULL)
438 RSA_free(sc->peer_rsa_tmp);
439#endif
440#ifndef OPENSSL_NO_DH
441 if (sc->peer_dh_tmp != NULL)
442 DH_free(sc->peer_dh_tmp);
443#endif
444
445 OPENSSL_free(sc);
446 }
447
448int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
449 {
450 sc->peer_cert_type = type;
451 return(1);
452 }
453
454int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
455 {
456 X509 *x;
457 int i;
458 X509_STORE_CTX ctx;
459
460 if ((sk == NULL) || (sk_X509_num(sk) == 0))
461 return(0);
462
463 x=sk_X509_value(sk,0);
464 if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk))
465 {
466 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
467 return(0);
468 }
469 if (SSL_get_verify_depth(s) >= 0)
470 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
471 X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
472
473 /* We need to set the verify purpose. The purpose can be determined by
474 * the context: if its a server it will verify SSL client certificates
475 * or vice versa.
476 */
477 if (s->server)
478 i = X509_PURPOSE_SSL_CLIENT;
479 else
480 i = X509_PURPOSE_SSL_SERVER;
481
482 X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
483
484 if (s->verify_callback)
485 X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
486
487 if (s->ctx->app_verify_callback != NULL)
488#if 1 /* new with OpenSSL 0.9.7 */
489 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
490#else
491 i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
492#endif
493 else
494 {
495#ifndef OPENSSL_NO_X509_VERIFY
496 i=X509_verify_cert(&ctx);
497#else
498 i=0;
499 ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
500 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK);
501#endif
502 }
503
504 s->verify_result=ctx.error;
505 X509_STORE_CTX_cleanup(&ctx);
506
507 return(i);
508 }
509
510static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
511 {
512 if (*ca_list != NULL)
513 sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
514
515 *ca_list=name_list;
516 }
517
518STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
519 {
520 int i;
521 STACK_OF(X509_NAME) *ret;
522 X509_NAME *name;
523
524 ret=sk_X509_NAME_new_null();
525 for (i=0; i<sk_X509_NAME_num(sk); i++)
526 {
527 name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
528 if ((name == NULL) || !sk_X509_NAME_push(ret,name))
529 {
530 sk_X509_NAME_pop_free(ret,X509_NAME_free);
531 return(NULL);
532 }
533 }
534 return(ret);
535 }
536
537void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)
538 {
539 set_client_CA_list(&(s->client_CA),name_list);
540 }
541
542void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
543 {
544 set_client_CA_list(&(ctx->client_CA),name_list);
545 }
546
547STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
548 {
549 return(ctx->client_CA);
550 }
551
552STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
553 {
554 if (s->type == SSL_ST_CONNECT)
555 { /* we are in the client */
556 if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
557 (s->s3 != NULL))
558 return(s->s3->tmp.ca_names);
559 else
560 return(NULL);
561 }
562 else
563 {
564 if (s->client_CA != NULL)
565 return(s->client_CA);
566 else
567 return(s->ctx->client_CA);
568 }
569 }
570
571static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)
572 {
573 X509_NAME *name;
574
575 if (x == NULL) return(0);
576 if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))
577 return(0);
578
579 if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
580 return(0);
581
582 if (!sk_X509_NAME_push(*sk,name))
583 {
584 X509_NAME_free(name);
585 return(0);
586 }
587 return(1);
588 }
589
590int SSL_add_client_CA(SSL *ssl,X509 *x)
591 {
592 return(add_client_CA(&(ssl->client_CA),x));
593 }
594
595int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
596 {
597 return(add_client_CA(&(ctx->client_CA),x));
598 }
599
600static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
601 {
602 return(X509_NAME_cmp(*a,*b));
603 }
604
605#ifndef OPENSSL_NO_STDIO
606/*!
607 * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
608 * it doesn't really have anything to do with clients (except that a common use
609 * for a stack of CAs is to send it to the client). Actually, it doesn't have
610 * much to do with CAs, either, since it will load any old cert.
611 * \param file the file containing one or more certs.
612 * \return a ::STACK containing the certs.
613 */
614STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
615 {
616 BIO *in;
617 X509 *x=NULL;
618 X509_NAME *xn=NULL;
619 STACK_OF(X509_NAME) *ret = NULL,*sk;
620
621 sk=sk_X509_NAME_new(xname_cmp);
622
623 in=BIO_new(BIO_s_file_internal());
624
625 if ((sk == NULL) || (in == NULL))
626 {
627 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
628 goto err;
629 }
630
631 if (!BIO_read_filename(in,file))
632 goto err;
633
634 for (;;)
635 {
636 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
637 break;
638 if (ret == NULL)
639 {
640 ret = sk_X509_NAME_new_null();
641 if (ret == NULL)
642 {
643 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
644 goto err;
645 }
646 }
647 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
648 /* check for duplicates */
649 xn=X509_NAME_dup(xn);
650 if (xn == NULL) goto err;
651 if (sk_X509_NAME_find(sk,xn) >= 0)
652 X509_NAME_free(xn);
653 else
654 {
655 sk_X509_NAME_push(sk,xn);
656 sk_X509_NAME_push(ret,xn);
657 }
658 }
659
660 if (0)
661 {
662err:
663 if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
664 ret=NULL;
665 }
666 if (sk != NULL) sk_X509_NAME_free(sk);
667 if (in != NULL) BIO_free(in);
668 if (x != NULL) X509_free(x);
669 if (ret != NULL)
670 ERR_clear_error();
671 return(ret);
672 }
673#endif
674
675/*!
676 * Add a file of certs to a stack.
677 * \param stack the stack to add to.
678 * \param file the file to add from. All certs in this file that are not
679 * already in the stack will be added.
680 * \return 1 for success, 0 for failure. Note that in the case of failure some
681 * certs may have been added to \c stack.
682 */
683
684int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
685 const char *file)
686 {
687 BIO *in;
688 X509 *x=NULL;
689 X509_NAME *xn=NULL;
690 int ret=1;
691 int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
692
693 oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
694
695 in=BIO_new(BIO_s_file_internal());
696
697 if (in == NULL)
698 {
699 SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
700 goto err;
701 }
702
703 if (!BIO_read_filename(in,file))
704 goto err;
705
706 for (;;)
707 {
708 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
709 break;
710 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
711 xn=X509_NAME_dup(xn);
712 if (xn == NULL) goto err;
713 if (sk_X509_NAME_find(stack,xn) >= 0)
714 X509_NAME_free(xn);
715 else
716 sk_X509_NAME_push(stack,xn);
717 }
718
719 if (0)
720 {
721err:
722 ret=0;
723 }
724 if(in != NULL)
725 BIO_free(in);
726 if(x != NULL)
727 X509_free(x);
728
729 sk_X509_NAME_set_cmp_func(stack,oldcmp);
730
731 return ret;
732 }
733
734/*!
735 * Add a directory of certs to a stack.
736 * \param stack the stack to append to.
737 * \param dir the directory to append from. All files in this directory will be
738 * examined as potential certs. Any that are acceptable to
739 * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
740 * included.
741 * \return 1 for success, 0 for failure. Note that in the case of failure some
742 * certs may have been added to \c stack.
743 */
744
745#ifndef OPENSSL_SYS_WIN32
746#ifndef OPENSSL_SYS_VMS /* XXXX This may be fixed in the future */
747#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! */
748
749int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
750 const char *dir)
751 {
752 DIR *d;
753 struct dirent *dstruct;
754 int ret = 0;
755
756 CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
757 d = opendir(dir);
758
759 /* Note that a side effect is that the CAs will be sorted by name */
760 if(!d)
761 {
762 SYSerr(SYS_F_OPENDIR, get_last_sys_error());
763 ERR_add_error_data(3, "opendir('", dir, "')");
764 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
765 goto err;
766 }
767
768 while((dstruct=readdir(d)))
769 {
770 char buf[1024];
771 int r;
772
773 if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
774 {
775 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
776 goto err;
777 }
778
779 r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,dstruct->d_name);
780 if (r <= 0 || r >= sizeof buf)
781 goto err;
782 if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
783 goto err;
784 }
785 ret = 1;
786
787err:
788 if (d) closedir(d);
789 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
790 return ret;
791 }
792
793#endif
794#endif
795
796#else /* OPENSSL_SYS_WIN32 */
797
798#if defined(_WIN32_WCE)
799# ifndef UNICODE
800# error "WinCE comes in UNICODE flavor only..."
801# endif
802# if _WIN32_WCE<101 && !defined(OPENSSL_NO_MULTIBYTE)
803# define OPENSSL_NO_MULTIBYTE
804# endif
805# ifndef FindFirstFile
806# define FindFirstFile FindFirstFileW
807# endif
808# ifndef FindNextFile
809# define FindNextFile FindNextFileW
810# endif
811#endif
812
813int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
814 const char *dir)
815 {
816 WIN32_FIND_DATA FindFileData;
817 HANDLE hFind;
818 int ret = 0;
819 TCHAR *wdir = NULL;
820 size_t i,len_0 = strlen(dir)+1; /* len_0 accounts for trailing 0 */
821 char buf[1024],*slash;
822
823 if (len_0 > (sizeof(buf)-14)) /* 14 is just some value... */
824 {
825 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
826 return ret;
827 }
828
829 CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
830
831 if (sizeof(TCHAR) != sizeof(char))
832 {
833 wdir = (TCHAR *)malloc(len_0*sizeof(TCHAR));
834 if (wdir == NULL)
835 goto err_noclose;
836#ifndef OPENSSL_NO_MULTIBYTE
837 if (!MultiByteToWideChar(CP_ACP,0,dir,len_0,
838 (WCHAR *)wdir,len_0))
839#endif
840 for (i=0;i<len_0;i++) wdir[i]=(TCHAR)dir[i];
841
842 hFind = FindFirstFile(wdir, &FindFileData);
843 }
844 else hFind = FindFirstFile((const TCHAR *)dir, &FindFileData);
845
846 /* Note that a side effect is that the CAs will be sorted by name */
847 if(hFind == INVALID_HANDLE_VALUE)
848 {
849 SYSerr(SYS_F_OPENDIR, get_last_sys_error());
850 ERR_add_error_data(3, "opendir('", dir, "')");
851 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
852 goto err_noclose;
853 }
854
855 strncpy(buf,dir,sizeof(buf)); /* strcpy is safe too... */
856 buf[len_0-1]='/'; /* no trailing zero! */
857 slash=buf+len_0;
858
859 do {
860 const TCHAR *fnam=FindFileData.cFileName;
861 size_t flen_0=_tcslen(fnam)+1;
862
863 if (flen_0 > (sizeof(buf)-len_0))
864 {
865 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
866 goto err;
867 }
868 /* else strcpy would be safe too... */
869
870 if (sizeof(TCHAR) != sizeof(char))
871 {
872#ifndef OPENSSL_NO_MULTIBYTE
873 if (!WideCharToMultiByte(CP_ACP,0,
874 (WCHAR *)fnam,flen_0,
875 slash,sizeof(buf)-len_0,
876 NULL,0))
877#endif
878 for (i=0;i<flen_0;i++) slash[i]=(char)fnam[i];
879 }
880 else strncpy(slash,(const char *)fnam,sizeof(buf)-len_0);
881
882 if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
883 goto err;
884 }
885 while (FindNextFile(hFind, &FindFileData) != FALSE);
886 ret = 1;
887
888err:
889 FindClose(hFind);
890err_noclose:
891 if (wdir != NULL)
892 free(wdir);
893
894 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
895 return ret;
896 }
897
898#endif
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
deleted file mode 100644
index f622180c69..0000000000
--- a/src/lib/libssl/ssl_ciph.c
+++ /dev/null
@@ -1,1139 +0,0 @@
1/* ssl/ssl_ciph.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/objects.h>
61#include <openssl/comp.h>
62#include <openssl/fips.h>
63#include "ssl_locl.h"
64
65#define SSL_ENC_DES_IDX 0
66#define SSL_ENC_3DES_IDX 1
67#define SSL_ENC_RC4_IDX 2
68#define SSL_ENC_RC2_IDX 3
69#define SSL_ENC_IDEA_IDX 4
70#define SSL_ENC_eFZA_IDX 5
71#define SSL_ENC_NULL_IDX 6
72#define SSL_ENC_AES128_IDX 7
73#define SSL_ENC_AES256_IDX 8
74#define SSL_ENC_NUM_IDX 9
75
76static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
77 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
78 };
79
80static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
81
82#define SSL_MD_MD5_IDX 0
83#define SSL_MD_SHA1_IDX 1
84#define SSL_MD_NUM_IDX 2
85static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
86 NULL,NULL,
87 };
88
89#define CIPHER_ADD 1
90#define CIPHER_KILL 2
91#define CIPHER_DEL 3
92#define CIPHER_ORD 4
93#define CIPHER_SPECIAL 5
94
95typedef struct cipher_order_st
96 {
97 SSL_CIPHER *cipher;
98 int active;
99 int dead;
100 struct cipher_order_st *next,*prev;
101 } CIPHER_ORDER;
102
103static const SSL_CIPHER cipher_aliases[]={
104 /* Don't include eNULL unless specifically enabled. */
105 {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
106 {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */
107 {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0},
108 {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
109 {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
110 {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
111 {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0},
112 {0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0},
113 {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0},
114 {0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0},
115 {0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
116
117 {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */
118 {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0},
119 {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0},
120 {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0},
121 {0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0},
122 {0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0},
123 {0,SSL_TXT_DSS, 0,SSL_DSS, 0,0,0,0,SSL_AUTH_MASK,0},
124
125 {0,SSL_TXT_DES, 0,SSL_DES, 0,0,0,0,SSL_ENC_MASK,0},
126 {0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0},
127 {0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0},
128 {0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0},
129#ifndef OPENSSL_NO_IDEA
130 {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0},
131#endif
132 {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
133 {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0},
134 {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0},
135
136 {0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0},
137 {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0},
138 {0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0},
139
140 {0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0},
141 {0,SSL_TXT_KRB5,0,SSL_KRB5, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
142 {0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
143 {0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
144 {0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
145
146 {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0},
147 {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0},
148 {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0},
149
150 {0,SSL_TXT_EXP ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
151 {0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
152 {0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK},
153 {0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK},
154 {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
155 {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
156 {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
157 {0,SSL_TXT_FIPS, 0, 0, SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
158 };
159
160static int init_ciphers=1;
161
162static void load_ciphers(void)
163 {
164 ssl_cipher_methods[SSL_ENC_DES_IDX]=
165 EVP_get_cipherbyname(SN_des_cbc);
166 ssl_cipher_methods[SSL_ENC_3DES_IDX]=
167 EVP_get_cipherbyname(SN_des_ede3_cbc);
168 ssl_cipher_methods[SSL_ENC_RC4_IDX]=
169 EVP_get_cipherbyname(SN_rc4);
170 ssl_cipher_methods[SSL_ENC_RC2_IDX]=
171 EVP_get_cipherbyname(SN_rc2_cbc);
172#ifndef OPENSSL_NO_IDEA
173 ssl_cipher_methods[SSL_ENC_IDEA_IDX]=
174 EVP_get_cipherbyname(SN_idea_cbc);
175#else
176 ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL;
177#endif
178 ssl_cipher_methods[SSL_ENC_AES128_IDX]=
179 EVP_get_cipherbyname(SN_aes_128_cbc);
180 ssl_cipher_methods[SSL_ENC_AES256_IDX]=
181 EVP_get_cipherbyname(SN_aes_256_cbc);
182
183 ssl_digest_methods[SSL_MD_MD5_IDX]=
184 EVP_get_digestbyname(SN_md5);
185 ssl_digest_methods[SSL_MD_SHA1_IDX]=
186 EVP_get_digestbyname(SN_sha1);
187 init_ciphers=0;
188 }
189
190int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
191 const EVP_MD **md, SSL_COMP **comp)
192 {
193 int i;
194 SSL_CIPHER *c;
195
196 c=s->cipher;
197 if (c == NULL) return(0);
198 if (comp != NULL)
199 {
200 SSL_COMP ctmp;
201
202 if (s->compress_meth == 0)
203 *comp=NULL;
204 else if (ssl_comp_methods == NULL)
205 {
206 /* bad */
207 *comp=NULL;
208 }
209 else
210 {
211
212 ctmp.id=s->compress_meth;
213 i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
214 if (i >= 0)
215 *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
216 else
217 *comp=NULL;
218 }
219 }
220
221 if ((enc == NULL) || (md == NULL)) return(0);
222
223 switch (c->algorithms & SSL_ENC_MASK)
224 {
225 case SSL_DES:
226 i=SSL_ENC_DES_IDX;
227 break;
228 case SSL_3DES:
229 i=SSL_ENC_3DES_IDX;
230 break;
231 case SSL_RC4:
232 i=SSL_ENC_RC4_IDX;
233 break;
234 case SSL_RC2:
235 i=SSL_ENC_RC2_IDX;
236 break;
237 case SSL_IDEA:
238 i=SSL_ENC_IDEA_IDX;
239 break;
240 case SSL_eNULL:
241 i=SSL_ENC_NULL_IDX;
242 break;
243 case SSL_AES:
244 switch(c->alg_bits)
245 {
246 case 128: i=SSL_ENC_AES128_IDX; break;
247 case 256: i=SSL_ENC_AES256_IDX; break;
248 default: i=-1; break;
249 }
250 break;
251 default:
252 i= -1;
253 break;
254 }
255
256 if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
257 *enc=NULL;
258 else
259 {
260 if (i == SSL_ENC_NULL_IDX)
261 *enc=EVP_enc_null();
262 else
263 *enc=ssl_cipher_methods[i];
264 }
265
266 switch (c->algorithms & SSL_MAC_MASK)
267 {
268 case SSL_MD5:
269 i=SSL_MD_MD5_IDX;
270 break;
271 case SSL_SHA1:
272 i=SSL_MD_SHA1_IDX;
273 break;
274 default:
275 i= -1;
276 break;
277 }
278 if ((i < 0) || (i >= SSL_MD_NUM_IDX))
279 *md=NULL;
280 else
281 *md=ssl_digest_methods[i];
282
283 if ((*enc != NULL) && (*md != NULL))
284 return(1);
285 else
286 return(0);
287 }
288
289#define ITEM_SEP(a) \
290 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
291
292static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
293 CIPHER_ORDER **tail)
294 {
295 if (curr == *tail) return;
296 if (curr == *head)
297 *head=curr->next;
298 if (curr->prev != NULL)
299 curr->prev->next=curr->next;
300 if (curr->next != NULL) /* should always be true */
301 curr->next->prev=curr->prev;
302 (*tail)->next=curr;
303 curr->prev= *tail;
304 curr->next=NULL;
305 *tail=curr;
306 }
307
308static unsigned long ssl_cipher_get_disabled(void)
309 {
310 unsigned long mask;
311
312 mask = SSL_kFZA;
313#ifdef OPENSSL_NO_RSA
314 mask |= SSL_aRSA|SSL_kRSA;
315#endif
316#ifdef OPENSSL_NO_DSA
317 mask |= SSL_aDSS;
318#endif
319#ifdef OPENSSL_NO_DH
320 mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
321#endif
322#ifdef OPENSSL_NO_KRB5
323 mask |= SSL_kKRB5|SSL_aKRB5;
324#endif
325
326#ifdef SSL_FORBID_ENULL
327 mask |= SSL_eNULL;
328#endif
329
330 mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
331 mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
332 mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
333 mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
334 mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
335 mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0;
336 mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
337
338 mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
339 mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
340
341 return(mask);
342 }
343
344static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
345 int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list,
346 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
347 {
348 int i, co_list_num;
349 SSL_CIPHER *c;
350
351 /*
352 * We have num_of_ciphers descriptions compiled in, depending on the
353 * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
354 * These will later be sorted in a linked list with at most num
355 * entries.
356 */
357
358 /* Get the initial list of ciphers */
359 co_list_num = 0; /* actual count of ciphers */
360 for (i = 0; i < num_of_ciphers; i++)
361 {
362 c = ssl_method->get_cipher(i);
363 /* drop those that use any of that is not available */
364#ifdef OPENSSL_FIPS
365 if ((c != NULL) && c->valid && !(c->algorithms & mask)
366 && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
367#else
368 if ((c != NULL) && c->valid && !(c->algorithms & mask))
369#endif
370 {
371 co_list[co_list_num].cipher = c;
372 co_list[co_list_num].next = NULL;
373 co_list[co_list_num].prev = NULL;
374 co_list[co_list_num].active = 0;
375 co_list_num++;
376#ifdef KSSL_DEBUG
377 printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms);
378#endif /* KSSL_DEBUG */
379 /*
380 if (!sk_push(ca_list,(char *)c)) goto err;
381 */
382 }
383 }
384
385 /*
386 * Prepare linked list from list entries
387 */
388 for (i = 1; i < co_list_num - 1; i++)
389 {
390 co_list[i].prev = &(co_list[i-1]);
391 co_list[i].next = &(co_list[i+1]);
392 }
393 if (co_list_num > 0)
394 {
395 (*head_p) = &(co_list[0]);
396 (*head_p)->prev = NULL;
397 (*head_p)->next = &(co_list[1]);
398 (*tail_p) = &(co_list[co_list_num - 1]);
399 (*tail_p)->prev = &(co_list[co_list_num - 2]);
400 (*tail_p)->next = NULL;
401 }
402 }
403
404static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
405 int num_of_group_aliases, unsigned long mask,
406 CIPHER_ORDER *head)
407 {
408 CIPHER_ORDER *ciph_curr;
409 SSL_CIPHER **ca_curr;
410 int i;
411
412 /*
413 * First, add the real ciphers as already collected
414 */
415 ciph_curr = head;
416 ca_curr = ca_list;
417 while (ciph_curr != NULL)
418 {
419 *ca_curr = ciph_curr->cipher;
420 ca_curr++;
421 ciph_curr = ciph_curr->next;
422 }
423
424 /*
425 * Now we add the available ones from the cipher_aliases[] table.
426 * They represent either an algorithm, that must be fully
427 * supported (not match any bit in mask) or represent a cipher
428 * strength value (will be added in any case because algorithms=0).
429 */
430 for (i = 0; i < num_of_group_aliases; i++)
431 {
432 if ((i == 0) || /* always fetch "ALL" */
433 !(cipher_aliases[i].algorithms & mask))
434 {
435 *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
436 ca_curr++;
437 }
438 }
439
440 *ca_curr = NULL; /* end of list */
441 }
442
443static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
444 unsigned long algo_strength, unsigned long mask_strength,
445 int rule, int strength_bits, CIPHER_ORDER *co_list,
446 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
447 {
448 CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
449 SSL_CIPHER *cp;
450 unsigned long ma, ma_s;
451
452#ifdef CIPHER_DEBUG
453 printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n",
454 rule, algorithms, mask, algo_strength, mask_strength,
455 strength_bits);
456#endif
457
458 curr = head = *head_p;
459 curr2 = head;
460 tail2 = tail = *tail_p;
461 for (;;)
462 {
463 if ((curr == NULL) || (curr == tail2)) break;
464 curr = curr2;
465 curr2 = curr->next;
466
467 cp = curr->cipher;
468
469 /*
470 * Selection criteria is either the number of strength_bits
471 * or the algorithm used.
472 */
473 if (strength_bits == -1)
474 {
475 ma = mask & cp->algorithms;
476 ma_s = mask_strength & cp->algo_strength;
477
478#ifdef CIPHER_DEBUG
479 printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strength, mask, mask_strength);
480 printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength);
481#endif
482 /*
483 * Select: if none of the mask bit was met from the
484 * cipher or not all of the bits were met, the
485 * selection does not apply.
486 */
487 if (((ma == 0) && (ma_s == 0)) ||
488 ((ma & algorithms) != ma) ||
489 ((ma_s & algo_strength) != ma_s))
490 continue; /* does not apply */
491 }
492 else if (strength_bits != cp->strength_bits)
493 continue; /* does not apply */
494
495#ifdef CIPHER_DEBUG
496 printf("Action = %d\n", rule);
497#endif
498
499 /* add the cipher if it has not been added yet. */
500 if (rule == CIPHER_ADD)
501 {
502 if (!curr->active)
503 {
504 ll_append_tail(&head, curr, &tail);
505 curr->active = 1;
506 }
507 }
508 /* Move the added cipher to this location */
509 else if (rule == CIPHER_ORD)
510 {
511 if (curr->active)
512 {
513 ll_append_tail(&head, curr, &tail);
514 }
515 }
516 else if (rule == CIPHER_DEL)
517 curr->active = 0;
518 else if (rule == CIPHER_KILL)
519 {
520 if (head == curr)
521 head = curr->next;
522 else
523 curr->prev->next = curr->next;
524 if (tail == curr)
525 tail = curr->prev;
526 curr->active = 0;
527 if (curr->next != NULL)
528 curr->next->prev = curr->prev;
529 if (curr->prev != NULL)
530 curr->prev->next = curr->next;
531 curr->next = NULL;
532 curr->prev = NULL;
533 }
534 }
535
536 *head_p = head;
537 *tail_p = tail;
538 }
539
540static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
541 CIPHER_ORDER **head_p,
542 CIPHER_ORDER **tail_p)
543 {
544 int max_strength_bits, i, *number_uses;
545 CIPHER_ORDER *curr;
546
547 /*
548 * This routine sorts the ciphers with descending strength. The sorting
549 * must keep the pre-sorted sequence, so we apply the normal sorting
550 * routine as '+' movement to the end of the list.
551 */
552 max_strength_bits = 0;
553 curr = *head_p;
554 while (curr != NULL)
555 {
556 if (curr->active &&
557 (curr->cipher->strength_bits > max_strength_bits))
558 max_strength_bits = curr->cipher->strength_bits;
559 curr = curr->next;
560 }
561
562 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
563 if (!number_uses)
564 {
565 SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE);
566 return(0);
567 }
568 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
569
570 /*
571 * Now find the strength_bits values actually used
572 */
573 curr = *head_p;
574 while (curr != NULL)
575 {
576 if (curr->active)
577 number_uses[curr->cipher->strength_bits]++;
578 curr = curr->next;
579 }
580 /*
581 * Go through the list of used strength_bits values in descending
582 * order.
583 */
584 for (i = max_strength_bits; i >= 0; i--)
585 if (number_uses[i] > 0)
586 ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
587 co_list, head_p, tail_p);
588
589 OPENSSL_free(number_uses);
590 return(1);
591 }
592
593static int ssl_cipher_process_rulestr(const char *rule_str,
594 CIPHER_ORDER *co_list, CIPHER_ORDER **head_p,
595 CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list)
596 {
597 unsigned long algorithms, mask, algo_strength, mask_strength;
598 const char *l, *start, *buf;
599 int j, multi, found, rule, retval, ok, buflen;
600 char ch;
601
602 retval = 1;
603 l = rule_str;
604 for (;;)
605 {
606 ch = *l;
607
608 if (ch == '\0')
609 break; /* done */
610 if (ch == '-')
611 { rule = CIPHER_DEL; l++; }
612 else if (ch == '+')
613 { rule = CIPHER_ORD; l++; }
614 else if (ch == '!')
615 { rule = CIPHER_KILL; l++; }
616 else if (ch == '@')
617 { rule = CIPHER_SPECIAL; l++; }
618 else
619 { rule = CIPHER_ADD; }
620
621 if (ITEM_SEP(ch))
622 {
623 l++;
624 continue;
625 }
626
627 algorithms = mask = algo_strength = mask_strength = 0;
628
629 start=l;
630 for (;;)
631 {
632 ch = *l;
633 buf = l;
634 buflen = 0;
635#ifndef CHARSET_EBCDIC
636 while ( ((ch >= 'A') && (ch <= 'Z')) ||
637 ((ch >= '0') && (ch <= '9')) ||
638 ((ch >= 'a') && (ch <= 'z')) ||
639 (ch == '-'))
640#else
641 while ( isalnum(ch) || (ch == '-'))
642#endif
643 {
644 ch = *(++l);
645 buflen++;
646 }
647
648 if (buflen == 0)
649 {
650 /*
651 * We hit something we cannot deal with,
652 * it is no command or separator nor
653 * alphanumeric, so we call this an error.
654 */
655 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
656 SSL_R_INVALID_COMMAND);
657 retval = found = 0;
658 l++;
659 break;
660 }
661
662 if (rule == CIPHER_SPECIAL)
663 {
664 found = 0; /* unused -- avoid compiler warning */
665 break; /* special treatment */
666 }
667
668 /* check for multi-part specification */
669 if (ch == '+')
670 {
671 multi=1;
672 l++;
673 }
674 else
675 multi=0;
676
677 /*
678 * Now search for the cipher alias in the ca_list. Be careful
679 * with the strncmp, because the "buflen" limitation
680 * will make the rule "ADH:SOME" and the cipher
681 * "ADH-MY-CIPHER" look like a match for buflen=3.
682 * So additionally check whether the cipher name found
683 * has the correct length. We can save a strlen() call:
684 * just checking for the '\0' at the right place is
685 * sufficient, we have to strncmp() anyway. (We cannot
686 * use strcmp(), because buf is not '\0' terminated.)
687 */
688 j = found = 0;
689 while (ca_list[j])
690 {
691 if (!strncmp(buf, ca_list[j]->name, buflen) &&
692 (ca_list[j]->name[buflen] == '\0'))
693 {
694 found = 1;
695 break;
696 }
697 else
698 j++;
699 }
700 if (!found)
701 break; /* ignore this entry */
702
703 /* New algorithms:
704 * 1 - any old restrictions apply outside new mask
705 * 2 - any new restrictions apply outside old mask
706 * 3 - enforce old & new where masks intersect
707 */
708 algorithms = (algorithms & ~ca_list[j]->mask) | /* 1 */
709 (ca_list[j]->algorithms & ~mask) | /* 2 */
710 (algorithms & ca_list[j]->algorithms); /* 3 */
711 mask |= ca_list[j]->mask;
712 algo_strength = (algo_strength & ~ca_list[j]->mask_strength) |
713 (ca_list[j]->algo_strength & ~mask_strength) |
714 (algo_strength & ca_list[j]->algo_strength);
715 mask_strength |= ca_list[j]->mask_strength;
716
717 if (!multi) break;
718 }
719
720 /*
721 * Ok, we have the rule, now apply it
722 */
723 if (rule == CIPHER_SPECIAL)
724 { /* special command */
725 ok = 0;
726 if ((buflen == 8) &&
727 !strncmp(buf, "STRENGTH", 8))
728 ok = ssl_cipher_strength_sort(co_list,
729 head_p, tail_p);
730 else
731 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
732 SSL_R_INVALID_COMMAND);
733 if (ok == 0)
734 retval = 0;
735 /*
736 * We do not support any "multi" options
737 * together with "@", so throw away the
738 * rest of the command, if any left, until
739 * end or ':' is found.
740 */
741 while ((*l != '\0') && ITEM_SEP(*l))
742 l++;
743 }
744 else if (found)
745 {
746 ssl_cipher_apply_rule(algorithms, mask,
747 algo_strength, mask_strength, rule, -1,
748 co_list, head_p, tail_p);
749 }
750 else
751 {
752 while ((*l != '\0') && ITEM_SEP(*l))
753 l++;
754 }
755 if (*l == '\0') break; /* done */
756 }
757
758 return(retval);
759 }
760
761STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
762 STACK_OF(SSL_CIPHER) **cipher_list,
763 STACK_OF(SSL_CIPHER) **cipher_list_by_id,
764 const char *rule_str)
765 {
766 int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
767 unsigned long disabled_mask;
768 STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
769 const char *rule_p;
770 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
771 SSL_CIPHER **ca_list = NULL;
772
773 /*
774 * Return with error if nothing to do.
775 */
776 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
777 return NULL;
778
779 if (init_ciphers)
780 {
781 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
782 if (init_ciphers) load_ciphers();
783 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
784 }
785
786 /*
787 * To reduce the work to do we only want to process the compiled
788 * in algorithms, so we first get the mask of disabled ciphers.
789 */
790 disabled_mask = ssl_cipher_get_disabled();
791
792 /*
793 * Now we have to collect the available ciphers from the compiled
794 * in ciphers. We cannot get more than the number compiled in, so
795 * it is used for allocation.
796 */
797 num_of_ciphers = ssl_method->num_ciphers();
798#ifdef KSSL_DEBUG
799 printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
800#endif /* KSSL_DEBUG */
801 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
802 if (co_list == NULL)
803 {
804 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
805 return(NULL); /* Failure */
806 }
807
808 ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
809 co_list, &head, &tail);
810
811 /*
812 * We also need cipher aliases for selecting based on the rule_str.
813 * There might be two types of entries in the rule_str: 1) names
814 * of ciphers themselves 2) aliases for groups of ciphers.
815 * For 1) we need the available ciphers and for 2) the cipher
816 * groups of cipher_aliases added together in one list (otherwise
817 * we would be happy with just the cipher_aliases table).
818 */
819 num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
820 num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
821 ca_list =
822 (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
823 if (ca_list == NULL)
824 {
825 OPENSSL_free(co_list);
826 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
827 return(NULL); /* Failure */
828 }
829 ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask,
830 head);
831
832 /*
833 * If the rule_string begins with DEFAULT, apply the default rule
834 * before using the (possibly available) additional rules.
835 */
836 ok = 1;
837 rule_p = rule_str;
838 if (strncmp(rule_str,"DEFAULT",7) == 0)
839 {
840 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
841 co_list, &head, &tail, ca_list);
842 rule_p += 7;
843 if (*rule_p == ':')
844 rule_p++;
845 }
846
847 if (ok && (strlen(rule_p) > 0))
848 ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail,
849 ca_list);
850
851 OPENSSL_free(ca_list); /* Not needed anymore */
852
853 if (!ok)
854 { /* Rule processing failure */
855 OPENSSL_free(co_list);
856 return(NULL);
857 }
858 /*
859 * Allocate new "cipherstack" for the result, return with error
860 * if we cannot get one.
861 */
862 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
863 {
864 OPENSSL_free(co_list);
865 return(NULL);
866 }
867
868 /*
869 * The cipher selection for the list is done. The ciphers are added
870 * to the resulting precedence to the STACK_OF(SSL_CIPHER).
871 */
872 for (curr = head; curr != NULL; curr = curr->next)
873 {
874#ifdef OPENSSL_FIPS
875 if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
876#else
877 if (curr->active)
878#endif
879 {
880 sk_SSL_CIPHER_push(cipherstack, curr->cipher);
881#ifdef CIPHER_DEBUG
882 printf("<%s>\n",curr->cipher->name);
883#endif
884 }
885 }
886 OPENSSL_free(co_list); /* Not needed any longer */
887
888 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
889 if (tmp_cipher_list == NULL)
890 {
891 sk_SSL_CIPHER_free(cipherstack);
892 return NULL;
893 }
894 if (*cipher_list != NULL)
895 sk_SSL_CIPHER_free(*cipher_list);
896 *cipher_list = cipherstack;
897 if (*cipher_list_by_id != NULL)
898 sk_SSL_CIPHER_free(*cipher_list_by_id);
899 *cipher_list_by_id = tmp_cipher_list;
900 sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
901
902 return(cipherstack);
903 }
904
905char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
906 {
907 int is_export,pkl,kl;
908 char *ver,*exp_str;
909 char *kx,*au,*enc,*mac;
910 unsigned long alg,alg2,alg_s;
911#ifdef KSSL_DEBUG
912 static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n";
913#else
914 static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
915#endif /* KSSL_DEBUG */
916
917 alg=cipher->algorithms;
918 alg_s=cipher->algo_strength;
919 alg2=cipher->algorithm2;
920
921 is_export=SSL_C_IS_EXPORT(cipher);
922 pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
923 kl=SSL_C_EXPORT_KEYLENGTH(cipher);
924 exp_str=is_export?" export":"";
925
926 if (alg & SSL_SSLV2)
927 ver="SSLv2";
928 else if (alg & SSL_SSLV3)
929 ver="SSLv3";
930 else
931 ver="unknown";
932
933 switch (alg&SSL_MKEY_MASK)
934 {
935 case SSL_kRSA:
936 kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
937 break;
938 case SSL_kDHr:
939 kx="DH/RSA";
940 break;
941 case SSL_kDHd:
942 kx="DH/DSS";
943 break;
944 case SSL_kKRB5: /* VRS */
945 case SSL_KRB5: /* VRS */
946 kx="KRB5";
947 break;
948 case SSL_kFZA:
949 kx="Fortezza";
950 break;
951 case SSL_kEDH:
952 kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
953 break;
954 default:
955 kx="unknown";
956 }
957
958 switch (alg&SSL_AUTH_MASK)
959 {
960 case SSL_aRSA:
961 au="RSA";
962 break;
963 case SSL_aDSS:
964 au="DSS";
965 break;
966 case SSL_aDH:
967 au="DH";
968 break;
969 case SSL_aKRB5: /* VRS */
970 case SSL_KRB5: /* VRS */
971 au="KRB5";
972 break;
973 case SSL_aFZA:
974 case SSL_aNULL:
975 au="None";
976 break;
977 default:
978 au="unknown";
979 break;
980 }
981
982 switch (alg&SSL_ENC_MASK)
983 {
984 case SSL_DES:
985 enc=(is_export && kl == 5)?"DES(40)":"DES(56)";
986 break;
987 case SSL_3DES:
988 enc="3DES(168)";
989 break;
990 case SSL_RC4:
991 enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
992 :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
993 break;
994 case SSL_RC2:
995 enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
996 break;
997 case SSL_IDEA:
998 enc="IDEA(128)";
999 break;
1000 case SSL_eFZA:
1001 enc="Fortezza";
1002 break;
1003 case SSL_eNULL:
1004 enc="None";
1005 break;
1006 case SSL_AES:
1007 switch(cipher->strength_bits)
1008 {
1009 case 128: enc="AES(128)"; break;
1010 case 192: enc="AES(192)"; break;
1011 case 256: enc="AES(256)"; break;
1012 default: enc="AES(?""?""?)"; break;
1013 }
1014 break;
1015 default:
1016 enc="unknown";
1017 break;
1018 }
1019
1020 switch (alg&SSL_MAC_MASK)
1021 {
1022 case SSL_MD5:
1023 mac="MD5";
1024 break;
1025 case SSL_SHA1:
1026 mac="SHA1";
1027 break;
1028 default:
1029 mac="unknown";
1030 break;
1031 }
1032
1033 if (buf == NULL)
1034 {
1035 len=128;
1036 buf=OPENSSL_malloc(len);
1037 if (buf == NULL) return("OPENSSL_malloc Error");
1038 }
1039 else if (len < 128)
1040 return("Buffer too small");
1041
1042#ifdef KSSL_DEBUG
1043 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg);
1044#else
1045 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str);
1046#endif /* KSSL_DEBUG */
1047 return(buf);
1048 }
1049
1050char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
1051 {
1052 int i;
1053
1054 if (c == NULL) return("(NONE)");
1055 i=(int)(c->id>>24L);
1056 if (i == 3)
1057 return("TLSv1/SSLv3");
1058 else if (i == 2)
1059 return("SSLv2");
1060 else
1061 return("unknown");
1062 }
1063
1064/* return the actual cipher being used */
1065const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
1066 {
1067 if (c != NULL)
1068 return(c->name);
1069 return("(NONE)");
1070 }
1071
1072/* number of bits for symmetric cipher */
1073int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1074 {
1075 int ret=0;
1076
1077 if (c != NULL)
1078 {
1079 if (alg_bits != NULL) *alg_bits = c->alg_bits;
1080 ret = c->strength_bits;
1081 }
1082 return(ret);
1083 }
1084
1085SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
1086 {
1087 SSL_COMP *ctmp;
1088 int i,nn;
1089
1090 if ((n == 0) || (sk == NULL)) return(NULL);
1091 nn=sk_SSL_COMP_num(sk);
1092 for (i=0; i<nn; i++)
1093 {
1094 ctmp=sk_SSL_COMP_value(sk,i);
1095 if (ctmp->id == n)
1096 return(ctmp);
1097 }
1098 return(NULL);
1099 }
1100
1101static int sk_comp_cmp(const SSL_COMP * const *a,
1102 const SSL_COMP * const *b)
1103 {
1104 return((*a)->id-(*b)->id);
1105 }
1106
1107STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
1108 {
1109 return(ssl_comp_methods);
1110 }
1111
1112int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
1113 {
1114 SSL_COMP *comp;
1115 STACK_OF(SSL_COMP) *sk;
1116
1117 if (cm == NULL || cm->type == NID_undef)
1118 return 1;
1119
1120 MemCheck_off();
1121 comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
1122 comp->id=id;
1123 comp->method=cm;
1124 if (ssl_comp_methods == NULL)
1125 sk=ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
1126 else
1127 sk=ssl_comp_methods;
1128 if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp))
1129 {
1130 MemCheck_on();
1131 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
1132 return(1);
1133 }
1134 else
1135 {
1136 MemCheck_on();
1137 return(0);
1138 }
1139 }
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
deleted file mode 100644
index 4bcf591298..0000000000
--- a/src/lib/libssl/ssl_err.c
+++ /dev/null
@@ -1,462 +0,0 @@
1/* ssl/ssl_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/ssl.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
70
71static ERR_STRING_DATA SSL_str_functs[]=
72 {
73{ERR_FUNC(SSL_F_CLIENT_CERTIFICATE), "CLIENT_CERTIFICATE"},
74{ERR_FUNC(SSL_F_CLIENT_FINISHED), "CLIENT_FINISHED"},
75{ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},
76{ERR_FUNC(SSL_F_CLIENT_MASTER_KEY), "CLIENT_MASTER_KEY"},
77{ERR_FUNC(SSL_F_D2I_SSL_SESSION), "d2i_SSL_SESSION"},
78{ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"},
79{ERR_FUNC(SSL_F_GET_CLIENT_FINISHED), "GET_CLIENT_FINISHED"},
80{ERR_FUNC(SSL_F_GET_CLIENT_HELLO), "GET_CLIENT_HELLO"},
81{ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY), "GET_CLIENT_MASTER_KEY"},
82{ERR_FUNC(SSL_F_GET_SERVER_FINISHED), "GET_SERVER_FINISHED"},
83{ERR_FUNC(SSL_F_GET_SERVER_HELLO), "GET_SERVER_HELLO"},
84{ERR_FUNC(SSL_F_GET_SERVER_VERIFY), "GET_SERVER_VERIFY"},
85{ERR_FUNC(SSL_F_I2D_SSL_SESSION), "i2d_SSL_SESSION"},
86{ERR_FUNC(SSL_F_READ_N), "READ_N"},
87{ERR_FUNC(SSL_F_REQUEST_CERTIFICATE), "REQUEST_CERTIFICATE"},
88{ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"},
89{ERR_FUNC(SSL_F_SERVER_HELLO), "SERVER_HELLO"},
90{ERR_FUNC(SSL_F_SERVER_VERIFY), "SERVER_VERIFY"},
91{ERR_FUNC(SSL_F_SSL23_ACCEPT), "SSL23_ACCEPT"},
92{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"},
93{ERR_FUNC(SSL_F_SSL23_CONNECT), "SSL23_CONNECT"},
94{ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO), "SSL23_GET_CLIENT_HELLO"},
95{ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO), "SSL23_GET_SERVER_HELLO"},
96{ERR_FUNC(SSL_F_SSL23_PEEK), "SSL23_PEEK"},
97{ERR_FUNC(SSL_F_SSL23_READ), "SSL23_READ"},
98{ERR_FUNC(SSL_F_SSL23_WRITE), "SSL23_WRITE"},
99{ERR_FUNC(SSL_F_SSL2_ACCEPT), "SSL2_ACCEPT"},
100{ERR_FUNC(SSL_F_SSL2_CONNECT), "SSL2_CONNECT"},
101{ERR_FUNC(SSL_F_SSL2_ENC_INIT), "SSL2_ENC_INIT"},
102{ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL), "SSL2_GENERATE_KEY_MATERIAL"},
103{ERR_FUNC(SSL_F_SSL2_PEEK), "SSL2_PEEK"},
104{ERR_FUNC(SSL_F_SSL2_READ), "SSL2_READ"},
105{ERR_FUNC(SSL_F_SSL2_READ_INTERNAL), "SSL2_READ_INTERNAL"},
106{ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE), "SSL2_SET_CERTIFICATE"},
107{ERR_FUNC(SSL_F_SSL2_WRITE), "SSL2_WRITE"},
108{ERR_FUNC(SSL_F_SSL3_ACCEPT), "SSL3_ACCEPT"},
109{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
110{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
111{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
112{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
113{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
114{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
115{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
116{ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"},
117{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
118{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},
119{ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"},
120{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"},
121{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"},
122{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"},
123{ERR_FUNC(SSL_F_SSL3_GET_FINISHED), "SSL3_GET_FINISHED"},
124{ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"},
125{ERR_FUNC(SSL_F_SSL3_GET_MESSAGE), "SSL3_GET_MESSAGE"},
126{ERR_FUNC(SSL_F_SSL3_GET_RECORD), "SSL3_GET_RECORD"},
127{ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE), "SSL3_GET_SERVER_CERTIFICATE"},
128{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "SSL3_GET_SERVER_DONE"},
129{ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "SSL3_GET_SERVER_HELLO"},
130{ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN), "SSL3_OUTPUT_CERT_CHAIN"},
131{ERR_FUNC(SSL_F_SSL3_PEEK), "SSL3_PEEK"},
132{ERR_FUNC(SSL_F_SSL3_READ_BYTES), "SSL3_READ_BYTES"},
133{ERR_FUNC(SSL_F_SSL3_READ_N), "SSL3_READ_N"},
134{ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"},
135{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE), "SSL3_SEND_CLIENT_CERTIFICATE"},
136{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
137{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY), "SSL3_SEND_CLIENT_VERIFY"},
138{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE), "SSL3_SEND_SERVER_CERTIFICATE"},
139{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO), "SSL3_SEND_SERVER_HELLO"},
140{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE), "SSL3_SEND_SERVER_KEY_EXCHANGE"},
141{ERR_FUNC(SSL_F_SSL3_SETUP_BUFFERS), "SSL3_SETUP_BUFFERS"},
142{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "SSL3_SETUP_KEY_BLOCK"},
143{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "SSL3_WRITE_BYTES"},
144{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"},
145{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"},
146{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"},
147{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"},
148{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"},
149{ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"},
150{ERR_FUNC(SSL_F_SSL_CERT_INST), "SSL_CERT_INST"},
151{ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE), "SSL_CERT_INSTANTIATE"},
152{ERR_FUNC(SSL_F_SSL_CERT_NEW), "SSL_CERT_NEW"},
153{ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"},
154{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"},
155{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"},
156{ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"},
157{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD), "SSL_COMP_add_compression_method"},
158{ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "SSL_CREATE_CIPHER_LIST"},
159{ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"},
160{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"},
161{ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"},
162{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"},
163{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"},
164{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"},
165{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"},
166{ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST), "SSL_CTX_set_trust"},
167{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE), "SSL_CTX_use_certificate"},
168{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1), "SSL_CTX_use_certificate_ASN1"},
169{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE), "SSL_CTX_use_certificate_chain_file"},
170{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE), "SSL_CTX_use_certificate_file"},
171{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY), "SSL_CTX_use_PrivateKey"},
172{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1), "SSL_CTX_use_PrivateKey_ASN1"},
173{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE), "SSL_CTX_use_PrivateKey_file"},
174{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY), "SSL_CTX_use_RSAPrivateKey"},
175{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1), "SSL_CTX_use_RSAPrivateKey_ASN1"},
176{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE), "SSL_CTX_use_RSAPrivateKey_file"},
177{ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"},
178{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"},
179{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"},
180{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"},
181{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"},
182{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
183{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
184{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
185{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
186{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
187{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
188{ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
189{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
190{ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW), "SSL_SESS_CERT_NEW"},
191{ERR_FUNC(SSL_F_SSL_SET_CERT), "SSL_SET_CERT"},
192{ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST), "SSL_set_cipher_list"},
193{ERR_FUNC(SSL_F_SSL_SET_FD), "SSL_set_fd"},
194{ERR_FUNC(SSL_F_SSL_SET_PKEY), "SSL_SET_PKEY"},
195{ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"},
196{ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"},
197{ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"},
198{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"},
199{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
200{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
201{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
202{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION), "SSL_UNDEFINED_CONST_FUNCTION"},
203{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "SSL_UNDEFINED_FUNCTION"},
204{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE), "SSL_use_certificate"},
205{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1), "SSL_use_certificate_ASN1"},
206{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE), "SSL_use_certificate_file"},
207{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY), "SSL_use_PrivateKey"},
208{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1), "SSL_use_PrivateKey_ASN1"},
209{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"},
210{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
211{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"},
212{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"},
213{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"},
214{ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
215{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"},
216{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
217{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
218{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
219{0,NULL}
220 };
221
222static ERR_STRING_DATA SSL_str_reasons[]=
223 {
224{ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"},
225{ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"},
226{ERR_REASON(SSL_R_BAD_ALERT_RECORD) ,"bad alert record"},
227{ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
228{ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
229{ERR_REASON(SSL_R_BAD_CHECKSUM) ,"bad checksum"},
230{ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),"bad data returned by callback"},
231{ERR_REASON(SSL_R_BAD_DECOMPRESSION) ,"bad decompression"},
232{ERR_REASON(SSL_R_BAD_DH_G_LENGTH) ,"bad dh g length"},
233{ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) ,"bad dh pub key length"},
234{ERR_REASON(SSL_R_BAD_DH_P_LENGTH) ,"bad dh p length"},
235{ERR_REASON(SSL_R_BAD_DIGEST_LENGTH) ,"bad digest length"},
236{ERR_REASON(SSL_R_BAD_DSA_SIGNATURE) ,"bad dsa signature"},
237{ERR_REASON(SSL_R_BAD_HELLO_REQUEST) ,"bad hello request"},
238{ERR_REASON(SSL_R_BAD_LENGTH) ,"bad length"},
239{ERR_REASON(SSL_R_BAD_MAC_DECODE) ,"bad mac decode"},
240{ERR_REASON(SSL_R_BAD_MESSAGE_TYPE) ,"bad message type"},
241{ERR_REASON(SSL_R_BAD_PACKET_LENGTH) ,"bad packet length"},
242{ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER),"bad protocol version number"},
243{ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) ,"bad response argument"},
244{ERR_REASON(SSL_R_BAD_RSA_DECRYPT) ,"bad rsa decrypt"},
245{ERR_REASON(SSL_R_BAD_RSA_ENCRYPT) ,"bad rsa encrypt"},
246{ERR_REASON(SSL_R_BAD_RSA_E_LENGTH) ,"bad rsa e length"},
247{ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH),"bad rsa modulus length"},
248{ERR_REASON(SSL_R_BAD_RSA_SIGNATURE) ,"bad rsa signature"},
249{ERR_REASON(SSL_R_BAD_SIGNATURE) ,"bad signature"},
250{ERR_REASON(SSL_R_BAD_SSL_FILETYPE) ,"bad ssl filetype"},
251{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
252{ERR_REASON(SSL_R_BAD_STATE) ,"bad state"},
253{ERR_REASON(SSL_R_BAD_WRITE_RETRY) ,"bad write retry"},
254{ERR_REASON(SSL_R_BIO_NOT_SET) ,"bio not set"},
255{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"},
256{ERR_REASON(SSL_R_BN_LIB) ,"bn lib"},
257{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"},
258{ERR_REASON(SSL_R_CA_DN_TOO_LONG) ,"ca dn too long"},
259{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) ,"ccs received early"},
260{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"},
261{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) ,"cert length mismatch"},
262{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"},
263{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"},
264{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"},
265{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
266{ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
267{ERR_REASON(SSL_R_COMPRESSION_FAILURE) ,"compression failure"},
268{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
269{ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
270{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
271{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
272{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
273{ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
274{ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
275{ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
276{ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"},
277{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
278{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"},
279{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"},
280{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
281{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
282{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
283{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
284{ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
285{ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
286{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
287{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
288{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"},
289{ERR_REASON(SSL_R_INVALID_TRUST) ,"invalid trust"},
290{ERR_REASON(SSL_R_KEY_ARG_TOO_LONG) ,"key arg too long"},
291{ERR_REASON(SSL_R_KRB5) ,"krb5"},
292{ERR_REASON(SSL_R_KRB5_C_CC_PRINC) ,"krb5 client cc principal (no tkt?)"},
293{ERR_REASON(SSL_R_KRB5_C_GET_CRED) ,"krb5 client get cred"},
294{ERR_REASON(SSL_R_KRB5_C_INIT) ,"krb5 client init"},
295{ERR_REASON(SSL_R_KRB5_C_MK_REQ) ,"krb5 client mk_req (expired tkt?)"},
296{ERR_REASON(SSL_R_KRB5_S_BAD_TICKET) ,"krb5 server bad ticket"},
297{ERR_REASON(SSL_R_KRB5_S_INIT) ,"krb5 server init"},
298{ERR_REASON(SSL_R_KRB5_S_RD_REQ) ,"krb5 server rd_req (keytab perms?)"},
299{ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED) ,"krb5 server tkt expired"},
300{ERR_REASON(SSL_R_KRB5_S_TKT_NYV) ,"krb5 server tkt not yet valid"},
301{ERR_REASON(SSL_R_KRB5_S_TKT_SKEW) ,"krb5 server tkt skew"},
302{ERR_REASON(SSL_R_LENGTH_MISMATCH) ,"length mismatch"},
303{ERR_REASON(SSL_R_LENGTH_TOO_SHORT) ,"length too short"},
304{ERR_REASON(SSL_R_LIBRARY_BUG) ,"library bug"},
305{ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS),"library has no ciphers"},
306{ERR_REASON(SSL_R_MESSAGE_TOO_LONG) ,"message too long"},
307{ERR_REASON(SSL_R_MISSING_DH_DSA_CERT) ,"missing dh dsa cert"},
308{ERR_REASON(SSL_R_MISSING_DH_KEY) ,"missing dh key"},
309{ERR_REASON(SSL_R_MISSING_DH_RSA_CERT) ,"missing dh rsa cert"},
310{ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
311{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
312{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
313{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},
314{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"},
315{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"},
316{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY) ,"missing tmp dh key"},
317{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
318{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
319{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
320{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
321{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
322{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
323{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},
324{ERR_REASON(SSL_R_NO_CERTIFICATE_SET) ,"no certificate set"},
325{ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED),"no certificate specified"},
326{ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE) ,"no ciphers available"},
327{ERR_REASON(SSL_R_NO_CIPHERS_PASSED) ,"no ciphers passed"},
328{ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED) ,"no ciphers specified"},
329{ERR_REASON(SSL_R_NO_CIPHER_LIST) ,"no cipher list"},
330{ERR_REASON(SSL_R_NO_CIPHER_MATCH) ,"no cipher match"},
331{ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
332{ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
333{ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"},
334{ERR_REASON(SSL_R_NO_PRIVATEKEY) ,"no privatekey"},
335{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
336{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
337{ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"},
338{ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
339{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
340{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
341{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
342{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
343{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
344{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
345{ERR_REASON(SSL_R_PATH_TOO_LONG) ,"path too long"},
346{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
347{ERR_REASON(SSL_R_PEER_ERROR) ,"peer error"},
348{ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE),"peer error certificate"},
349{ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE),"peer error no certificate"},
350{ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER) ,"peer error no cipher"},
351{ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"peer error unsupported certificate type"},
352{ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG),"pre mac length too long"},
353{ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS),"problems mapping cipher functions"},
354{ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN) ,"protocol is shutdown"},
355{ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR),"public key encrypt error"},
356{ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) ,"public key is not rsa"},
357{ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"},
358{ERR_REASON(SSL_R_READ_BIO_NOT_SET) ,"read bio not set"},
359{ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE),"read wrong packet type"},
360{ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
361{ERR_REASON(SSL_R_RECORD_TOO_LARGE) ,"record too large"},
362{ERR_REASON(SSL_R_RECORD_TOO_SMALL) ,"record too small"},
363{ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
364{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
365{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
366{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
367{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
368{ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
369{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
370{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
371{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"},
372{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG),"ssl3 session id too long"},
373{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),"ssl3 session id too short"},
374{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),"sslv3 alert bad certificate"},
375{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),"sslv3 alert bad record mac"},
376{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),"sslv3 alert certificate expired"},
377{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),"sslv3 alert certificate revoked"},
378{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),"sslv3 alert certificate unknown"},
379{ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),"sslv3 alert decompression failure"},
380{ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),"sslv3 alert handshake failure"},
381{ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),"sslv3 alert illegal parameter"},
382{ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE),"sslv3 alert no certificate"},
383{ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),"sslv3 alert unexpected message"},
384{ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),"sslv3 alert unsupported certificate"},
385{ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),"ssl ctx has no default ssl version"},
386{ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) ,"ssl handshake failure"},
387{ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),"ssl library has no ciphers"},
388{ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),"ssl session id callback failed"},
389{ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT),"ssl session id conflict"},
390{ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),"ssl session id context too long"},
391{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),"ssl session id has bad length"},
392{ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT),"ssl session id is different"},
393{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),"tlsv1 alert access denied"},
394{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR),"tlsv1 alert decode error"},
395{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
396{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
397{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
398{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
399{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
400{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
401{ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION),"tlsv1 alert protocol version"},
402{ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),"tlsv1 alert record overflow"},
403{ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA),"tlsv1 alert unknown ca"},
404{ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED),"tlsv1 alert user cancelled"},
405{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
406{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
407{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"},
408{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"},
409{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"},
410{ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY),"unable to extract public key"},
411{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),"unable to find dh parameters"},
412{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),"unable to find public key parameters"},
413{ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),"unable to find ssl method"},
414{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES),"unable to load ssl2 md5 routines"},
415{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),"unable to load ssl3 md5 routines"},
416{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),"unable to load ssl3 sha1 routines"},
417{ERR_REASON(SSL_R_UNEXPECTED_MESSAGE) ,"unexpected message"},
418{ERR_REASON(SSL_R_UNEXPECTED_RECORD) ,"unexpected record"},
419{ERR_REASON(SSL_R_UNINITIALIZED) ,"uninitialized"},
420{ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE) ,"unknown alert type"},
421{ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
422{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
423{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE) ,"unknown cipher type"},
424{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"},
425{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE) ,"unknown pkey type"},
426{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL) ,"unknown protocol"},
427{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
428{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
429{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
430{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
431{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
432{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL) ,"unsupported protocol"},
433{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
434{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"},
435{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
436{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) ,"wrong message type"},
437{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"},
438{ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
439{ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE) ,"wrong signature size"},
440{ERR_REASON(SSL_R_WRONG_SSL_VERSION) ,"wrong ssl version"},
441{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"},
442{ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"},
443{ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
444{0,NULL}
445 };
446
447#endif
448
449void ERR_load_SSL_strings(void)
450 {
451 static int init=1;
452
453 if (init)
454 {
455 init=0;
456#ifndef OPENSSL_NO_ERR
457 ERR_load_strings(0,SSL_str_functs);
458 ERR_load_strings(0,SSL_str_reasons);
459#endif
460
461 }
462 }
diff --git a/src/lib/libssl/ssl_err2.c b/src/lib/libssl/ssl_err2.c
deleted file mode 100644
index ea95a5f983..0000000000
--- a/src/lib/libssl/ssl_err2.c
+++ /dev/null
@@ -1,70 +0,0 @@
1/* ssl/ssl_err2.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/err.h>
61#include <openssl/ssl.h>
62
63void SSL_load_error_strings(void)
64 {
65#ifndef OPENSSL_NO_ERR
66 ERR_load_crypto_strings();
67 ERR_load_SSL_strings();
68#endif
69 }
70
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
deleted file mode 100644
index 2bd9a5af86..0000000000
--- a/src/lib/libssl/ssl_lib.c
+++ /dev/null
@@ -1,2358 +0,0 @@
1/*! \file ssl/ssl_lib.c
2 * \brief Version independent SSL functions.
3 */
4/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * All rights reserved.
6 *
7 * This package is an SSL implementation written
8 * by Eric Young (eay@cryptsoft.com).
9 * The implementation was written so as to conform with Netscapes SSL.
10 *
11 * This library is free for commercial and non-commercial use as long as
12 * the following conditions are aheared to. The following conditions
13 * apply to all code found in this distribution, be it the RC4, RSA,
14 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
15 * included with this distribution is covered by the same copyright terms
16 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
17 *
18 * Copyright remains Eric Young's, and as such any Copyright notices in
19 * the code are not to be removed.
20 * If this package is used in a product, Eric Young should be given attribution
21 * as the author of the parts of the library used.
22 * This can be in the form of a textual message at program startup or
23 * in documentation (online or textual) provided with the package.
24 *
25 * Redistribution and use in source and binary forms, with or without
26 * modification, are permitted provided that the following conditions
27 * are met:
28 * 1. Redistributions of source code must retain the copyright
29 * notice, this list of conditions and the following disclaimer.
30 * 2. Redistributions in binary form must reproduce the above copyright
31 * notice, this list of conditions and the following disclaimer in the
32 * documentation and/or other materials provided with the distribution.
33 * 3. All advertising materials mentioning features or use of this software
34 * must display the following acknowledgement:
35 * "This product includes cryptographic software written by
36 * Eric Young (eay@cryptsoft.com)"
37 * The word 'cryptographic' can be left out if the rouines from the library
38 * being used are not cryptographic related :-).
39 * 4. If you include any Windows specific code (or a derivative thereof) from
40 * the apps directory (application code) you must include an acknowledgement:
41 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
42 *
43 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
46 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
47 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
48 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
49 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
50 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * SUCH DAMAGE.
54 *
55 * The licence and distribution terms for any publically available version or
56 * derivative of this code cannot be changed. i.e. this code cannot simply be
57 * copied and put under another distribution licence
58 * [including the GNU Public Licence.]
59 */
60/* ====================================================================
61 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
62 *
63 * Redistribution and use in source and binary forms, with or without
64 * modification, are permitted provided that the following conditions
65 * are met:
66 *
67 * 1. Redistributions of source code must retain the above copyright
68 * notice, this list of conditions and the following disclaimer.
69 *
70 * 2. Redistributions in binary form must reproduce the above copyright
71 * notice, this list of conditions and the following disclaimer in
72 * the documentation and/or other materials provided with the
73 * distribution.
74 *
75 * 3. All advertising materials mentioning features or use of this
76 * software must display the following acknowledgment:
77 * "This product includes software developed by the OpenSSL Project
78 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
79 *
80 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
81 * endorse or promote products derived from this software without
82 * prior written permission. For written permission, please contact
83 * openssl-core@openssl.org.
84 *
85 * 5. Products derived from this software may not be called "OpenSSL"
86 * nor may "OpenSSL" appear in their names without prior written
87 * permission of the OpenSSL Project.
88 *
89 * 6. Redistributions of any form whatsoever must retain the following
90 * acknowledgment:
91 * "This product includes software developed by the OpenSSL Project
92 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
93 *
94 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
95 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
96 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
97 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
98 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
99 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
100 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
101 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
102 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
103 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
104 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
105 * OF THE POSSIBILITY OF SUCH DAMAGE.
106 * ====================================================================
107 *
108 * This product includes cryptographic software written by Eric Young
109 * (eay@cryptsoft.com). This product includes software written by Tim
110 * Hudson (tjh@cryptsoft.com).
111 *
112 */
113
114
115#ifdef REF_CHECK
116# include <assert.h>
117#endif
118#include <stdio.h>
119#include "ssl_locl.h"
120#include "kssl_lcl.h"
121#include <openssl/objects.h>
122#include <openssl/lhash.h>
123#include <openssl/x509v3.h>
124#include <openssl/fips.h>
125
126const char *SSL_version_str=OPENSSL_VERSION_TEXT;
127
128SSL3_ENC_METHOD ssl3_undef_enc_method={
129 /* evil casts, but these functions are only called if there's a library bug */
130 (int (*)(SSL *,int))ssl_undefined_function,
131 (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
132 ssl_undefined_function,
133 (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
134 (int (*)(SSL*, int))ssl_undefined_function,
135 (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function
136 };
137
138int SSL_clear(SSL *s)
139 {
140
141 if (s->method == NULL)
142 {
143 SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
144 return(0);
145 }
146
147 if (ssl_clear_bad_session(s))
148 {
149 SSL_SESSION_free(s->session);
150 s->session=NULL;
151 }
152
153 s->error=0;
154 s->hit=0;
155 s->shutdown=0;
156
157#if 0 /* Disabled since version 1.10 of this file (early return not
158 * needed because SSL_clear is not called when doing renegotiation) */
159 /* This is set if we are doing dynamic renegotiation so keep
160 * the old cipher. It is sort of a SSL_clear_lite :-) */
161 if (s->new_session) return(1);
162#else
163 if (s->new_session)
164 {
165 SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
166 return 0;
167 }
168#endif
169
170 s->type=0;
171
172 s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
173
174 s->version=s->method->version;
175 s->client_version=s->version;
176 s->rwstate=SSL_NOTHING;
177 s->rstate=SSL_ST_READ_HEADER;
178#if 0
179 s->read_ahead=s->ctx->read_ahead;
180#endif
181
182 if (s->init_buf != NULL)
183 {
184 BUF_MEM_free(s->init_buf);
185 s->init_buf=NULL;
186 }
187
188 ssl_clear_cipher_ctx(s);
189
190 s->first_packet=0;
191
192#if 1
193 /* Check to see if we were changed into a different method, if
194 * so, revert back if we are not doing session-id reuse. */
195 if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method))
196 {
197 s->method->ssl_free(s);
198 s->method=s->ctx->method;
199 if (!s->method->ssl_new(s))
200 return(0);
201 }
202 else
203#endif
204 s->method->ssl_clear(s);
205 return(1);
206 }
207
208/** Used to change an SSL_CTXs default SSL method type */
209int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth)
210 {
211 STACK_OF(SSL_CIPHER) *sk;
212
213 ctx->method=meth;
214
215 sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
216 &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST);
217 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
218 {
219 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
220 return(0);
221 }
222 return(1);
223 }
224
225SSL *SSL_new(SSL_CTX *ctx)
226 {
227 SSL *s;
228
229 if (ctx == NULL)
230 {
231 SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX);
232 return(NULL);
233 }
234 if (ctx->method == NULL)
235 {
236 SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
237 return(NULL);
238 }
239
240 s=(SSL *)OPENSSL_malloc(sizeof(SSL));
241 if (s == NULL) goto err;
242 memset(s,0,sizeof(SSL));
243
244#ifndef OPENSSL_NO_KRB5
245 s->kssl_ctx = kssl_ctx_new();
246#endif /* OPENSSL_NO_KRB5 */
247
248 s->options=ctx->options;
249 s->mode=ctx->mode;
250 s->max_cert_list=ctx->max_cert_list;
251
252 if (ctx->cert != NULL)
253 {
254 /* Earlier library versions used to copy the pointer to
255 * the CERT, not its contents; only when setting new
256 * parameters for the per-SSL copy, ssl_cert_new would be
257 * called (and the direct reference to the per-SSL_CTX
258 * settings would be lost, but those still were indirectly
259 * accessed for various purposes, and for that reason they
260 * used to be known as s->ctx->default_cert).
261 * Now we don't look at the SSL_CTX's CERT after having
262 * duplicated it once. */
263
264 s->cert = ssl_cert_dup(ctx->cert);
265 if (s->cert == NULL)
266 goto err;
267 }
268 else
269 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
270
271 s->read_ahead=ctx->read_ahead;
272 s->msg_callback=ctx->msg_callback;
273 s->msg_callback_arg=ctx->msg_callback_arg;
274 s->verify_mode=ctx->verify_mode;
275 s->verify_depth=ctx->verify_depth;
276 s->sid_ctx_length=ctx->sid_ctx_length;
277 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
278 memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
279 s->verify_callback=ctx->default_verify_callback;
280 s->generate_session_id=ctx->generate_session_id;
281 s->purpose = ctx->purpose;
282 s->trust = ctx->trust;
283 s->quiet_shutdown=ctx->quiet_shutdown;
284
285 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
286 s->ctx=ctx;
287
288 s->verify_result=X509_V_OK;
289
290 s->method=ctx->method;
291
292 if (!s->method->ssl_new(s))
293 goto err;
294
295 s->references=1;
296 s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
297
298 SSL_clear(s);
299
300 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
301
302 return(s);
303err:
304 if (s != NULL)
305 {
306 if (s->cert != NULL)
307 ssl_cert_free(s->cert);
308 if (s->ctx != NULL)
309 SSL_CTX_free(s->ctx); /* decrement reference count */
310 OPENSSL_free(s);
311 }
312 SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
313 return(NULL);
314 }
315
316int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
317 unsigned int sid_ctx_len)
318 {
319 if(sid_ctx_len > sizeof ctx->sid_ctx)
320 {
321 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
322 return 0;
323 }
324 ctx->sid_ctx_length=sid_ctx_len;
325 memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len);
326
327 return 1;
328 }
329
330int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
331 unsigned int sid_ctx_len)
332 {
333 if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
334 {
335 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
336 return 0;
337 }
338 ssl->sid_ctx_length=sid_ctx_len;
339 memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len);
340
341 return 1;
342 }
343
344int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
345 {
346 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
347 ctx->generate_session_id = cb;
348 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
349 return 1;
350 }
351
352int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
353 {
354 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
355 ssl->generate_session_id = cb;
356 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
357 return 1;
358 }
359
360int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
361 unsigned int id_len)
362 {
363 /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
364 * we can "construct" a session to give us the desired check - ie. to
365 * find if there's a session in the hash table that would conflict with
366 * any new session built out of this id/id_len and the ssl_version in
367 * use by this SSL. */
368 SSL_SESSION r, *p;
369
370 if(id_len > sizeof r.session_id)
371 return 0;
372
373 r.ssl_version = ssl->version;
374 r.session_id_length = id_len;
375 memcpy(r.session_id, id, id_len);
376 /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
377 * callback is calling us to check the uniqueness of a shorter ID, it
378 * must be compared as a padded-out ID because that is what it will be
379 * converted to when the callback has finished choosing it. */
380 if((r.ssl_version == SSL2_VERSION) &&
381 (id_len < SSL2_SSL_SESSION_ID_LENGTH))
382 {
383 memset(r.session_id + id_len, 0,
384 SSL2_SSL_SESSION_ID_LENGTH - id_len);
385 r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
386 }
387
388 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
389 p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r);
390 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
391 return (p != NULL);
392 }
393
394int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
395 {
396 return X509_PURPOSE_set(&s->purpose, purpose);
397 }
398
399int SSL_set_purpose(SSL *s, int purpose)
400 {
401 return X509_PURPOSE_set(&s->purpose, purpose);
402 }
403
404int SSL_CTX_set_trust(SSL_CTX *s, int trust)
405 {
406 return X509_TRUST_set(&s->trust, trust);
407 }
408
409int SSL_set_trust(SSL *s, int trust)
410 {
411 return X509_TRUST_set(&s->trust, trust);
412 }
413
414void SSL_free(SSL *s)
415 {
416 int i;
417
418 if(s == NULL)
419 return;
420
421 i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
422#ifdef REF_PRINT
423 REF_PRINT("SSL",s);
424#endif
425 if (i > 0) return;
426#ifdef REF_CHECK
427 if (i < 0)
428 {
429 fprintf(stderr,"SSL_free, bad reference count\n");
430 abort(); /* ok */
431 }
432#endif
433
434 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
435
436 if (s->bbio != NULL)
437 {
438 /* If the buffering BIO is in place, pop it off */
439 if (s->bbio == s->wbio)
440 {
441 s->wbio=BIO_pop(s->wbio);
442 }
443 BIO_free(s->bbio);
444 s->bbio=NULL;
445 }
446 if (s->rbio != NULL)
447 BIO_free_all(s->rbio);
448 if ((s->wbio != NULL) && (s->wbio != s->rbio))
449 BIO_free_all(s->wbio);
450
451 if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
452
453 /* add extra stuff */
454 if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list);
455 if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id);
456
457 /* Make the next call work :-) */
458 if (s->session != NULL)
459 {
460 ssl_clear_bad_session(s);
461 SSL_SESSION_free(s->session);
462 }
463
464 ssl_clear_cipher_ctx(s);
465
466 if (s->cert != NULL) ssl_cert_free(s->cert);
467 /* Free up if allocated */
468
469 if (s->ctx) SSL_CTX_free(s->ctx);
470
471 if (s->client_CA != NULL)
472 sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
473
474 if (s->method != NULL) s->method->ssl_free(s);
475
476#ifndef OPENSSL_NO_KRB5
477 if (s->kssl_ctx != NULL)
478 kssl_ctx_free(s->kssl_ctx);
479#endif /* OPENSSL_NO_KRB5 */
480
481 OPENSSL_free(s);
482 }
483
484void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
485 {
486 /* If the output buffering BIO is still in place, remove it
487 */
488 if (s->bbio != NULL)
489 {
490 if (s->wbio == s->bbio)
491 {
492 s->wbio=s->wbio->next_bio;
493 s->bbio->next_bio=NULL;
494 }
495 }
496 if ((s->rbio != NULL) && (s->rbio != rbio))
497 BIO_free_all(s->rbio);
498 if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio))
499 BIO_free_all(s->wbio);
500 s->rbio=rbio;
501 s->wbio=wbio;
502 }
503
504BIO *SSL_get_rbio(const SSL *s)
505 { return(s->rbio); }
506
507BIO *SSL_get_wbio(const SSL *s)
508 { return(s->wbio); }
509
510int SSL_get_fd(const SSL *s)
511 {
512 return(SSL_get_rfd(s));
513 }
514
515int SSL_get_rfd(const SSL *s)
516 {
517 int ret= -1;
518 BIO *b,*r;
519
520 b=SSL_get_rbio(s);
521 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
522 if (r != NULL)
523 BIO_get_fd(r,&ret);
524 return(ret);
525 }
526
527int SSL_get_wfd(const SSL *s)
528 {
529 int ret= -1;
530 BIO *b,*r;
531
532 b=SSL_get_wbio(s);
533 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
534 if (r != NULL)
535 BIO_get_fd(r,&ret);
536 return(ret);
537 }
538
539#ifndef OPENSSL_NO_SOCK
540int SSL_set_fd(SSL *s,int fd)
541 {
542 int ret=0;
543 BIO *bio=NULL;
544
545 bio=BIO_new(BIO_s_socket());
546
547 if (bio == NULL)
548 {
549 SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
550 goto err;
551 }
552 BIO_set_fd(bio,fd,BIO_NOCLOSE);
553 SSL_set_bio(s,bio,bio);
554 ret=1;
555err:
556 return(ret);
557 }
558
559int SSL_set_wfd(SSL *s,int fd)
560 {
561 int ret=0;
562 BIO *bio=NULL;
563
564 if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
565 || ((int)BIO_get_fd(s->rbio,NULL) != fd))
566 {
567 bio=BIO_new(BIO_s_socket());
568
569 if (bio == NULL)
570 { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
571 BIO_set_fd(bio,fd,BIO_NOCLOSE);
572 SSL_set_bio(s,SSL_get_rbio(s),bio);
573 }
574 else
575 SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s));
576 ret=1;
577err:
578 return(ret);
579 }
580
581int SSL_set_rfd(SSL *s,int fd)
582 {
583 int ret=0;
584 BIO *bio=NULL;
585
586 if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
587 || ((int)BIO_get_fd(s->wbio,NULL) != fd))
588 {
589 bio=BIO_new(BIO_s_socket());
590
591 if (bio == NULL)
592 {
593 SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
594 goto err;
595 }
596 BIO_set_fd(bio,fd,BIO_NOCLOSE);
597 SSL_set_bio(s,bio,SSL_get_wbio(s));
598 }
599 else
600 SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s));
601 ret=1;
602err:
603 return(ret);
604 }
605#endif
606
607
608/* return length of latest Finished message we sent, copy to 'buf' */
609size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
610 {
611 size_t ret = 0;
612
613 if (s->s3 != NULL)
614 {
615 ret = s->s3->tmp.finish_md_len;
616 if (count > ret)
617 count = ret;
618 memcpy(buf, s->s3->tmp.finish_md, count);
619 }
620 return ret;
621 }
622
623/* return length of latest Finished message we expected, copy to 'buf' */
624size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
625 {
626 size_t ret = 0;
627
628 if (s->s3 != NULL)
629 {
630 ret = s->s3->tmp.peer_finish_md_len;
631 if (count > ret)
632 count = ret;
633 memcpy(buf, s->s3->tmp.peer_finish_md, count);
634 }
635 return ret;
636 }
637
638
639int SSL_get_verify_mode(const SSL *s)
640 {
641 return(s->verify_mode);
642 }
643
644int SSL_get_verify_depth(const SSL *s)
645 {
646 return(s->verify_depth);
647 }
648
649int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
650 {
651 return(s->verify_callback);
652 }
653
654int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
655 {
656 return(ctx->verify_mode);
657 }
658
659int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
660 {
661 return(ctx->verify_depth);
662 }
663
664int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
665 {
666 return(ctx->default_verify_callback);
667 }
668
669void SSL_set_verify(SSL *s,int mode,
670 int (*callback)(int ok,X509_STORE_CTX *ctx))
671 {
672 s->verify_mode=mode;
673 if (callback != NULL)
674 s->verify_callback=callback;
675 }
676
677void SSL_set_verify_depth(SSL *s,int depth)
678 {
679 s->verify_depth=depth;
680 }
681
682void SSL_set_read_ahead(SSL *s,int yes)
683 {
684 s->read_ahead=yes;
685 }
686
687int SSL_get_read_ahead(const SSL *s)
688 {
689 return(s->read_ahead);
690 }
691
692int SSL_pending(const SSL *s)
693 {
694 /* SSL_pending cannot work properly if read-ahead is enabled
695 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
696 * and it is impossible to fix since SSL_pending cannot report
697 * errors that may be observed while scanning the new data.
698 * (Note that SSL_pending() is often used as a boolean value,
699 * so we'd better not return -1.)
700 */
701 return(s->method->ssl_pending(s));
702 }
703
704X509 *SSL_get_peer_certificate(const SSL *s)
705 {
706 X509 *r;
707
708 if ((s == NULL) || (s->session == NULL))
709 r=NULL;
710 else
711 r=s->session->peer;
712
713 if (r == NULL) return(r);
714
715 CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509);
716
717 return(r);
718 }
719
720STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
721 {
722 STACK_OF(X509) *r;
723
724 if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
725 r=NULL;
726 else
727 r=s->session->sess_cert->cert_chain;
728
729 /* If we are a client, cert_chain includes the peer's own
730 * certificate; if we are a server, it does not. */
731
732 return(r);
733 }
734
735/* Now in theory, since the calling process own 't' it should be safe to
736 * modify. We need to be able to read f without being hassled */
737void SSL_copy_session_id(SSL *t,const SSL *f)
738 {
739 CERT *tmp;
740
741 /* Do we need to to SSL locking? */
742 SSL_set_session(t,SSL_get_session(f));
743
744 /* what if we are setup as SSLv2 but want to talk SSLv3 or
745 * vice-versa */
746 if (t->method != f->method)
747 {
748 t->method->ssl_free(t); /* cleanup current */
749 t->method=f->method; /* change method */
750 t->method->ssl_new(t); /* setup new */
751 }
752
753 tmp=t->cert;
754 if (f->cert != NULL)
755 {
756 CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT);
757 t->cert=f->cert;
758 }
759 else
760 t->cert=NULL;
761 if (tmp != NULL) ssl_cert_free(tmp);
762 SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length);
763 }
764
765/* Fix this so it checks all the valid key/cert options */
766int SSL_CTX_check_private_key(const SSL_CTX *ctx)
767 {
768 if ( (ctx == NULL) ||
769 (ctx->cert == NULL) ||
770 (ctx->cert->key->x509 == NULL))
771 {
772 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
773 return(0);
774 }
775 if (ctx->cert->key->privatekey == NULL)
776 {
777 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
778 return(0);
779 }
780 return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey));
781 }
782
783/* Fix this function so that it takes an optional type parameter */
784int SSL_check_private_key(const SSL *ssl)
785 {
786 if (ssl == NULL)
787 {
788 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER);
789 return(0);
790 }
791 if (ssl->cert == NULL)
792 {
793 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
794 return 0;
795 }
796 if (ssl->cert->key->x509 == NULL)
797 {
798 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
799 return(0);
800 }
801 if (ssl->cert->key->privatekey == NULL)
802 {
803 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
804 return(0);
805 }
806 return(X509_check_private_key(ssl->cert->key->x509,
807 ssl->cert->key->privatekey));
808 }
809
810int SSL_accept(SSL *s)
811 {
812 if (s->handshake_func == 0)
813 /* Not properly initialized yet */
814 SSL_set_accept_state(s);
815
816 return(s->method->ssl_accept(s));
817 }
818
819int SSL_connect(SSL *s)
820 {
821 if (s->handshake_func == 0)
822 /* Not properly initialized yet */
823 SSL_set_connect_state(s);
824
825 return(s->method->ssl_connect(s));
826 }
827
828long SSL_get_default_timeout(const SSL *s)
829 {
830 return(s->method->get_timeout());
831 }
832
833int SSL_read(SSL *s,void *buf,int num)
834 {
835 if (s->handshake_func == 0)
836 {
837 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
838 return -1;
839 }
840
841 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
842 {
843 s->rwstate=SSL_NOTHING;
844 return(0);
845 }
846 return(s->method->ssl_read(s,buf,num));
847 }
848
849int SSL_peek(SSL *s,void *buf,int num)
850 {
851 if (s->handshake_func == 0)
852 {
853 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
854 return -1;
855 }
856
857 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
858 {
859 return(0);
860 }
861 return(s->method->ssl_peek(s,buf,num));
862 }
863
864int SSL_write(SSL *s,const void *buf,int num)
865 {
866 if (s->handshake_func == 0)
867 {
868 SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
869 return -1;
870 }
871
872 if (s->shutdown & SSL_SENT_SHUTDOWN)
873 {
874 s->rwstate=SSL_NOTHING;
875 SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN);
876 return(-1);
877 }
878 return(s->method->ssl_write(s,buf,num));
879 }
880
881int SSL_shutdown(SSL *s)
882 {
883 /* Note that this function behaves differently from what one might
884 * expect. Return values are 0 for no success (yet),
885 * 1 for success; but calling it once is usually not enough,
886 * even if blocking I/O is used (see ssl3_shutdown).
887 */
888
889 if (s->handshake_func == 0)
890 {
891 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
892 return -1;
893 }
894
895 if ((s != NULL) && !SSL_in_init(s))
896 return(s->method->ssl_shutdown(s));
897 else
898 return(1);
899 }
900
901int SSL_renegotiate(SSL *s)
902 {
903 if (s->new_session == 0)
904 {
905 s->new_session=1;
906 }
907 return(s->method->ssl_renegotiate(s));
908 }
909
910int SSL_renegotiate_pending(SSL *s)
911 {
912 /* becomes true when negotiation is requested;
913 * false again once a handshake has finished */
914 return (s->new_session != 0);
915 }
916
917long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
918 {
919 long l;
920
921 switch (cmd)
922 {
923 case SSL_CTRL_GET_READ_AHEAD:
924 return(s->read_ahead);
925 case SSL_CTRL_SET_READ_AHEAD:
926 l=s->read_ahead;
927 s->read_ahead=larg;
928 return(l);
929
930 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
931 s->msg_callback_arg = parg;
932 return 1;
933
934 case SSL_CTRL_OPTIONS:
935 return(s->options|=larg);
936 case SSL_CTRL_MODE:
937 return(s->mode|=larg);
938 case SSL_CTRL_GET_MAX_CERT_LIST:
939 return(s->max_cert_list);
940 case SSL_CTRL_SET_MAX_CERT_LIST:
941 l=s->max_cert_list;
942 s->max_cert_list=larg;
943 return(l);
944 default:
945 return(s->method->ssl_ctrl(s,cmd,larg,parg));
946 }
947 }
948
949long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)())
950 {
951 switch(cmd)
952 {
953 case SSL_CTRL_SET_MSG_CALLBACK:
954 s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
955 return 1;
956
957 default:
958 return(s->method->ssl_callback_ctrl(s,cmd,fp));
959 }
960 }
961
962struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx)
963 {
964 return ctx->sessions;
965 }
966
967long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
968 {
969 long l;
970
971 switch (cmd)
972 {
973 case SSL_CTRL_GET_READ_AHEAD:
974 return(ctx->read_ahead);
975 case SSL_CTRL_SET_READ_AHEAD:
976 l=ctx->read_ahead;
977 ctx->read_ahead=larg;
978 return(l);
979
980 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
981 ctx->msg_callback_arg = parg;
982 return 1;
983
984 case SSL_CTRL_GET_MAX_CERT_LIST:
985 return(ctx->max_cert_list);
986 case SSL_CTRL_SET_MAX_CERT_LIST:
987 l=ctx->max_cert_list;
988 ctx->max_cert_list=larg;
989 return(l);
990
991 case SSL_CTRL_SET_SESS_CACHE_SIZE:
992 l=ctx->session_cache_size;
993 ctx->session_cache_size=larg;
994 return(l);
995 case SSL_CTRL_GET_SESS_CACHE_SIZE:
996 return(ctx->session_cache_size);
997 case SSL_CTRL_SET_SESS_CACHE_MODE:
998 l=ctx->session_cache_mode;
999 ctx->session_cache_mode=larg;
1000 return(l);
1001 case SSL_CTRL_GET_SESS_CACHE_MODE:
1002 return(ctx->session_cache_mode);
1003
1004 case SSL_CTRL_SESS_NUMBER:
1005 return(ctx->sessions->num_items);
1006 case SSL_CTRL_SESS_CONNECT:
1007 return(ctx->stats.sess_connect);
1008 case SSL_CTRL_SESS_CONNECT_GOOD:
1009 return(ctx->stats.sess_connect_good);
1010 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
1011 return(ctx->stats.sess_connect_renegotiate);
1012 case SSL_CTRL_SESS_ACCEPT:
1013 return(ctx->stats.sess_accept);
1014 case SSL_CTRL_SESS_ACCEPT_GOOD:
1015 return(ctx->stats.sess_accept_good);
1016 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
1017 return(ctx->stats.sess_accept_renegotiate);
1018 case SSL_CTRL_SESS_HIT:
1019 return(ctx->stats.sess_hit);
1020 case SSL_CTRL_SESS_CB_HIT:
1021 return(ctx->stats.sess_cb_hit);
1022 case SSL_CTRL_SESS_MISSES:
1023 return(ctx->stats.sess_miss);
1024 case SSL_CTRL_SESS_TIMEOUTS:
1025 return(ctx->stats.sess_timeout);
1026 case SSL_CTRL_SESS_CACHE_FULL:
1027 return(ctx->stats.sess_cache_full);
1028 case SSL_CTRL_OPTIONS:
1029 return(ctx->options|=larg);
1030 case SSL_CTRL_MODE:
1031 return(ctx->mode|=larg);
1032 default:
1033 return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
1034 }
1035 }
1036
1037long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
1038 {
1039 switch(cmd)
1040 {
1041 case SSL_CTRL_SET_MSG_CALLBACK:
1042 ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
1043 return 1;
1044
1045 default:
1046 return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
1047 }
1048 }
1049
1050int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
1051 {
1052 long l;
1053
1054 l=a->id-b->id;
1055 if (l == 0L)
1056 return(0);
1057 else
1058 return((l > 0)?1:-1);
1059 }
1060
1061int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
1062 const SSL_CIPHER * const *bp)
1063 {
1064 long l;
1065
1066 l=(*ap)->id-(*bp)->id;
1067 if (l == 0L)
1068 return(0);
1069 else
1070 return((l > 0)?1:-1);
1071 }
1072
1073/** return a STACK of the ciphers available for the SSL and in order of
1074 * preference */
1075STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
1076 {
1077 if (s != NULL)
1078 {
1079 if (s->cipher_list != NULL)
1080 {
1081 return(s->cipher_list);
1082 }
1083 else if ((s->ctx != NULL) &&
1084 (s->ctx->cipher_list != NULL))
1085 {
1086 return(s->ctx->cipher_list);
1087 }
1088 }
1089 return(NULL);
1090 }
1091
1092/** return a STACK of the ciphers available for the SSL and in order of
1093 * algorithm id */
1094STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
1095 {
1096 if (s != NULL)
1097 {
1098 if (s->cipher_list_by_id != NULL)
1099 {
1100 return(s->cipher_list_by_id);
1101 }
1102 else if ((s->ctx != NULL) &&
1103 (s->ctx->cipher_list_by_id != NULL))
1104 {
1105 return(s->ctx->cipher_list_by_id);
1106 }
1107 }
1108 return(NULL);
1109 }
1110
1111/** The old interface to get the same thing as SSL_get_ciphers() */
1112const char *SSL_get_cipher_list(const SSL *s,int n)
1113 {
1114 SSL_CIPHER *c;
1115 STACK_OF(SSL_CIPHER) *sk;
1116
1117 if (s == NULL) return(NULL);
1118 sk=SSL_get_ciphers(s);
1119 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
1120 return(NULL);
1121 c=sk_SSL_CIPHER_value(sk,n);
1122 if (c == NULL) return(NULL);
1123 return(c->name);
1124 }
1125
1126/** specify the ciphers to be used by default by the SSL_CTX */
1127int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1128 {
1129 STACK_OF(SSL_CIPHER) *sk;
1130
1131 sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
1132 &ctx->cipher_list_by_id,str);
1133 /* ssl_create_cipher_list may return an empty stack if it
1134 * was unable to find a cipher matching the given rule string
1135 * (for example if the rule string specifies a cipher which
1136 * has been disabled). This is not an error as far as
1137 * ssl_create_cipher_list is concerned, and hence
1138 * ctx->cipher_list and ctx->cipher_list_by_id has been
1139 * updated. */
1140 if (sk == NULL)
1141 return 0;
1142 else if (sk_SSL_CIPHER_num(sk) == 0)
1143 {
1144 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1145 return 0;
1146 }
1147 return 1;
1148 }
1149
1150/** specify the ciphers to be used by the SSL */
1151int SSL_set_cipher_list(SSL *s,const char *str)
1152 {
1153 STACK_OF(SSL_CIPHER) *sk;
1154
1155 sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
1156 &s->cipher_list_by_id,str);
1157 /* see comment in SSL_CTX_set_cipher_list */
1158 if (sk == NULL)
1159 return 0;
1160 else if (sk_SSL_CIPHER_num(sk) == 0)
1161 {
1162 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1163 return 0;
1164 }
1165 return 1;
1166 }
1167
1168/* works well for SSLv2, not so good for SSLv3 */
1169char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
1170 {
1171 char *p;
1172 const char *cp;
1173 STACK_OF(SSL_CIPHER) *sk;
1174 SSL_CIPHER *c;
1175 int i;
1176
1177 if ((s->session == NULL) || (s->session->ciphers == NULL) ||
1178 (len < 2))
1179 return(NULL);
1180
1181 p=buf;
1182 sk=s->session->ciphers;
1183 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1184 {
1185 /* Decrement for either the ':' or a '\0' */
1186 len--;
1187 c=sk_SSL_CIPHER_value(sk,i);
1188 for (cp=c->name; *cp; )
1189 {
1190 if (len-- == 0)
1191 {
1192 *p='\0';
1193 return(buf);
1194 }
1195 else
1196 *(p++)= *(cp++);
1197 }
1198 *(p++)=':';
1199 }
1200 p[-1]='\0';
1201 return(buf);
1202 }
1203
1204int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
1205 int (*put_cb)(const SSL_CIPHER *, unsigned char *))
1206 {
1207 int i,j=0;
1208 SSL_CIPHER *c;
1209 unsigned char *q;
1210#ifndef OPENSSL_NO_KRB5
1211 int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
1212#endif /* OPENSSL_NO_KRB5 */
1213
1214 if (sk == NULL) return(0);
1215 q=p;
1216
1217 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1218 {
1219 c=sk_SSL_CIPHER_value(sk,i);
1220#ifndef OPENSSL_NO_KRB5
1221 if ((c->algorithms & SSL_KRB5) && nokrb5)
1222 continue;
1223#endif /* OPENSSL_NO_KRB5 */
1224
1225 j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
1226 p+=j;
1227 }
1228 return(p-q);
1229 }
1230
1231STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
1232 STACK_OF(SSL_CIPHER) **skp)
1233 {
1234 SSL_CIPHER *c;
1235 STACK_OF(SSL_CIPHER) *sk;
1236 int i,n;
1237
1238 n=ssl_put_cipher_by_char(s,NULL,NULL);
1239 if ((num%n) != 0)
1240 {
1241 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
1242 return(NULL);
1243 }
1244 if ((skp == NULL) || (*skp == NULL))
1245 sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */
1246 else
1247 {
1248 sk= *skp;
1249 sk_SSL_CIPHER_zero(sk);
1250 }
1251
1252 for (i=0; i<num; i+=n)
1253 {
1254 c=ssl_get_cipher_by_char(s,p);
1255 p+=n;
1256 if (c != NULL)
1257 {
1258 if (!sk_SSL_CIPHER_push(sk,c))
1259 {
1260 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1261 goto err;
1262 }
1263 }
1264 }
1265
1266 if (skp != NULL)
1267 *skp=sk;
1268 return(sk);
1269err:
1270 if ((skp == NULL) || (*skp == NULL))
1271 sk_SSL_CIPHER_free(sk);
1272 return(NULL);
1273 }
1274
1275unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
1276 {
1277 unsigned long l;
1278
1279 l=(unsigned long)
1280 ((unsigned int) a->session_id[0] )|
1281 ((unsigned int) a->session_id[1]<< 8L)|
1282 ((unsigned long)a->session_id[2]<<16L)|
1283 ((unsigned long)a->session_id[3]<<24L);
1284 return(l);
1285 }
1286
1287/* NB: If this function (or indeed the hash function which uses a sort of
1288 * coarser function than this one) is changed, ensure
1289 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
1290 * able to construct an SSL_SESSION that will collide with any existing session
1291 * with a matching session ID. */
1292int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
1293 {
1294 if (a->ssl_version != b->ssl_version)
1295 return(1);
1296 if (a->session_id_length != b->session_id_length)
1297 return(1);
1298 return(memcmp(a->session_id,b->session_id,a->session_id_length));
1299 }
1300
1301/* These wrapper functions should remain rather than redeclaring
1302 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
1303 * variable. The reason is that the functions aren't static, they're exposed via
1304 * ssl.h. */
1305static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *)
1306static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *)
1307
1308SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
1309 {
1310 SSL_CTX *ret=NULL;
1311
1312 if (meth == NULL)
1313 {
1314 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
1315 return(NULL);
1316 }
1317
1318#ifdef OPENSSL_FIPS
1319 if (FIPS_mode() && (meth->version < TLS1_VERSION))
1320 {
1321 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
1322 return NULL;
1323 }
1324#endif
1325
1326 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1327 {
1328 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
1329 goto err;
1330 }
1331 ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX));
1332 if (ret == NULL)
1333 goto err;
1334
1335 memset(ret,0,sizeof(SSL_CTX));
1336
1337 ret->method=meth;
1338
1339 ret->cert_store=NULL;
1340 ret->session_cache_mode=SSL_SESS_CACHE_SERVER;
1341 ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
1342 ret->session_cache_head=NULL;
1343 ret->session_cache_tail=NULL;
1344
1345 /* We take the system default */
1346 ret->session_timeout=meth->get_timeout();
1347
1348 ret->new_session_cb=0;
1349 ret->remove_session_cb=0;
1350 ret->get_session_cb=0;
1351 ret->generate_session_id=0;
1352
1353 memset((char *)&ret->stats,0,sizeof(ret->stats));
1354
1355 ret->references=1;
1356 ret->quiet_shutdown=0;
1357
1358/* ret->cipher=NULL;*/
1359/* ret->s2->challenge=NULL;
1360 ret->master_key=NULL;
1361 ret->key_arg=NULL;
1362 ret->s2->conn_id=NULL; */
1363
1364 ret->info_callback=NULL;
1365
1366 ret->app_verify_callback=0;
1367 ret->app_verify_arg=NULL;
1368
1369 ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT;
1370 ret->read_ahead=0;
1371 ret->msg_callback=0;
1372 ret->msg_callback_arg=NULL;
1373 ret->verify_mode=SSL_VERIFY_NONE;
1374 ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
1375 ret->sid_ctx_length=0;
1376 ret->default_verify_callback=NULL;
1377 if ((ret->cert=ssl_cert_new()) == NULL)
1378 goto err;
1379
1380 ret->default_passwd_callback=0;
1381 ret->default_passwd_callback_userdata=NULL;
1382 ret->client_cert_cb=0;
1383
1384 ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash),
1385 LHASH_COMP_FN(SSL_SESSION_cmp));
1386 if (ret->sessions == NULL) goto err;
1387 ret->cert_store=X509_STORE_new();
1388 if (ret->cert_store == NULL) goto err;
1389
1390 ssl_create_cipher_list(ret->method,
1391 &ret->cipher_list,&ret->cipher_list_by_id,
1392 SSL_DEFAULT_CIPHER_LIST);
1393 if (ret->cipher_list == NULL
1394 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
1395 {
1396 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
1397 goto err2;
1398 }
1399
1400 if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
1401 {
1402 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
1403 goto err2;
1404 }
1405 if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
1406 {
1407 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
1408 goto err2;
1409 }
1410 if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL)
1411 {
1412 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
1413 goto err2;
1414 }
1415
1416 if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
1417 goto err;
1418
1419 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
1420
1421 ret->extra_certs=NULL;
1422 ret->comp_methods=SSL_COMP_get_compression_methods();
1423
1424 return(ret);
1425err:
1426 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
1427err2:
1428 if (ret != NULL) SSL_CTX_free(ret);
1429 return(NULL);
1430 }
1431
1432#if 0
1433static void SSL_COMP_free(SSL_COMP *comp)
1434 { OPENSSL_free(comp); }
1435#endif
1436
1437void SSL_CTX_free(SSL_CTX *a)
1438 {
1439 int i;
1440
1441 if (a == NULL) return;
1442
1443 i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX);
1444#ifdef REF_PRINT
1445 REF_PRINT("SSL_CTX",a);
1446#endif
1447 if (i > 0) return;
1448#ifdef REF_CHECK
1449 if (i < 0)
1450 {
1451 fprintf(stderr,"SSL_CTX_free, bad reference count\n");
1452 abort(); /* ok */
1453 }
1454#endif
1455
1456 /*
1457 * Free internal session cache. However: the remove_cb() may reference
1458 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
1459 * after the sessions were flushed.
1460 * As the ex_data handling routines might also touch the session cache,
1461 * the most secure solution seems to be: empty (flush) the cache, then
1462 * free ex_data, then finally free the cache.
1463 * (See ticket [openssl.org #212].)
1464 */
1465 if (a->sessions != NULL)
1466 SSL_CTX_flush_sessions(a,0);
1467
1468 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
1469
1470 if (a->sessions != NULL)
1471 lh_free(a->sessions);
1472
1473 if (a->cert_store != NULL)
1474 X509_STORE_free(a->cert_store);
1475 if (a->cipher_list != NULL)
1476 sk_SSL_CIPHER_free(a->cipher_list);
1477 if (a->cipher_list_by_id != NULL)
1478 sk_SSL_CIPHER_free(a->cipher_list_by_id);
1479 if (a->cert != NULL)
1480 ssl_cert_free(a->cert);
1481 if (a->client_CA != NULL)
1482 sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
1483 if (a->extra_certs != NULL)
1484 sk_X509_pop_free(a->extra_certs,X509_free);
1485#if 0 /* This should never be done, since it removes a global database */
1486 if (a->comp_methods != NULL)
1487 sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
1488#else
1489 a->comp_methods = NULL;
1490#endif
1491 OPENSSL_free(a);
1492 }
1493
1494void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
1495 {
1496 ctx->default_passwd_callback=cb;
1497 }
1498
1499void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
1500 {
1501 ctx->default_passwd_callback_userdata=u;
1502 }
1503
1504void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg)
1505 {
1506 ctx->app_verify_callback=cb;
1507 ctx->app_verify_arg=arg;
1508 }
1509
1510void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
1511 {
1512 ctx->verify_mode=mode;
1513 ctx->default_verify_callback=cb;
1514 }
1515
1516void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
1517 {
1518 ctx->verify_depth=depth;
1519 }
1520
1521void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
1522 {
1523 CERT_PKEY *cpk;
1524 int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
1525 int rsa_enc_export,dh_rsa_export,dh_dsa_export;
1526 int rsa_tmp_export,dh_tmp_export,kl;
1527 unsigned long mask,emask;
1528
1529 if (c == NULL) return;
1530
1531 kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
1532
1533#ifndef OPENSSL_NO_RSA
1534 rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
1535 rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
1536 (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
1537#else
1538 rsa_tmp=rsa_tmp_export=0;
1539#endif
1540#ifndef OPENSSL_NO_DH
1541 dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
1542 dh_tmp_export=(c->dh_tmp_cb != NULL ||
1543 (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
1544#else
1545 dh_tmp=dh_tmp_export=0;
1546#endif
1547
1548 cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
1549 rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
1550 rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1551 cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
1552 rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
1553 cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
1554 dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
1555 cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
1556 dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
1557 dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1558 cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
1559/* FIX THIS EAY EAY EAY */
1560 dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
1561 dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1562
1563 mask=0;
1564 emask=0;
1565
1566#ifdef CIPHER_DEBUG
1567 printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
1568 rsa_tmp,rsa_tmp_export,dh_tmp,
1569 rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
1570#endif
1571
1572 if (rsa_enc || (rsa_tmp && rsa_sign))
1573 mask|=SSL_kRSA;
1574 if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
1575 emask|=SSL_kRSA;
1576
1577#if 0
1578 /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
1579 if ( (dh_tmp || dh_rsa || dh_dsa) &&
1580 (rsa_enc || rsa_sign || dsa_sign))
1581 mask|=SSL_kEDH;
1582 if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
1583 (rsa_enc || rsa_sign || dsa_sign))
1584 emask|=SSL_kEDH;
1585#endif
1586
1587 if (dh_tmp_export)
1588 emask|=SSL_kEDH;
1589
1590 if (dh_tmp)
1591 mask|=SSL_kEDH;
1592
1593 if (dh_rsa) mask|=SSL_kDHr;
1594 if (dh_rsa_export) emask|=SSL_kDHr;
1595
1596 if (dh_dsa) mask|=SSL_kDHd;
1597 if (dh_dsa_export) emask|=SSL_kDHd;
1598
1599 if (rsa_enc || rsa_sign)
1600 {
1601 mask|=SSL_aRSA;
1602 emask|=SSL_aRSA;
1603 }
1604
1605 if (dsa_sign)
1606 {
1607 mask|=SSL_aDSS;
1608 emask|=SSL_aDSS;
1609 }
1610
1611 mask|=SSL_aNULL;
1612 emask|=SSL_aNULL;
1613
1614#ifndef OPENSSL_NO_KRB5
1615 mask|=SSL_kKRB5|SSL_aKRB5;
1616 emask|=SSL_kKRB5|SSL_aKRB5;
1617#endif
1618
1619 c->mask=mask;
1620 c->export_mask=emask;
1621 c->valid=1;
1622 }
1623
1624/* THIS NEEDS CLEANING UP */
1625X509 *ssl_get_server_send_cert(SSL *s)
1626 {
1627 unsigned long alg,mask,kalg;
1628 CERT *c;
1629 int i,is_export;
1630
1631 c=s->cert;
1632 ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
1633 alg=s->s3->tmp.new_cipher->algorithms;
1634 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
1635 mask=is_export?c->export_mask:c->mask;
1636 kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
1637
1638 if (kalg & SSL_kDHr)
1639 i=SSL_PKEY_DH_RSA;
1640 else if (kalg & SSL_kDHd)
1641 i=SSL_PKEY_DH_DSA;
1642 else if (kalg & SSL_aDSS)
1643 i=SSL_PKEY_DSA_SIGN;
1644 else if (kalg & SSL_aRSA)
1645 {
1646 if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
1647 i=SSL_PKEY_RSA_SIGN;
1648 else
1649 i=SSL_PKEY_RSA_ENC;
1650 }
1651 else if (kalg & SSL_aKRB5)
1652 {
1653 /* VRS something else here? */
1654 return(NULL);
1655 }
1656 else /* if (kalg & SSL_aNULL) */
1657 {
1658 SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
1659 return(NULL);
1660 }
1661 if (c->pkeys[i].x509 == NULL) return(NULL);
1662 return(c->pkeys[i].x509);
1663 }
1664
1665EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
1666 {
1667 unsigned long alg;
1668 CERT *c;
1669
1670 alg=cipher->algorithms;
1671 c=s->cert;
1672
1673 if ((alg & SSL_aDSS) &&
1674 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
1675 return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
1676 else if (alg & SSL_aRSA)
1677 {
1678 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
1679 return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
1680 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
1681 return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
1682 else
1683 return(NULL);
1684 }
1685 else /* if (alg & SSL_aNULL) */
1686 {
1687 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
1688 return(NULL);
1689 }
1690 }
1691
1692void ssl_update_cache(SSL *s,int mode)
1693 {
1694 int i;
1695
1696 /* If the session_id_length is 0, we are not supposed to cache it,
1697 * and it would be rather hard to do anyway :-) */
1698 if (s->session->session_id_length == 0) return;
1699
1700 i=s->ctx->session_cache_mode;
1701 if ((i & mode) && (!s->hit)
1702 && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
1703 || SSL_CTX_add_session(s->ctx,s->session))
1704 && (s->ctx->new_session_cb != NULL))
1705 {
1706 CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
1707 if (!s->ctx->new_session_cb(s,s->session))
1708 SSL_SESSION_free(s->session);
1709 }
1710
1711 /* auto flush every 255 connections */
1712 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
1713 ((i & mode) == mode))
1714 {
1715 if ( (((mode & SSL_SESS_CACHE_CLIENT)
1716 ?s->ctx->stats.sess_connect_good
1717 :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
1718 {
1719 SSL_CTX_flush_sessions(s->ctx,(unsigned long)time(NULL));
1720 }
1721 }
1722 }
1723
1724SSL_METHOD *SSL_get_ssl_method(SSL *s)
1725 {
1726 return(s->method);
1727 }
1728
1729int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
1730 {
1731 int conn= -1;
1732 int ret=1;
1733
1734 if (s->method != meth)
1735 {
1736 if (s->handshake_func != NULL)
1737 conn=(s->handshake_func == s->method->ssl_connect);
1738
1739 if (s->method->version == meth->version)
1740 s->method=meth;
1741 else
1742 {
1743 s->method->ssl_free(s);
1744 s->method=meth;
1745 ret=s->method->ssl_new(s);
1746 }
1747
1748 if (conn == 1)
1749 s->handshake_func=meth->ssl_connect;
1750 else if (conn == 0)
1751 s->handshake_func=meth->ssl_accept;
1752 }
1753 return(ret);
1754 }
1755
1756int SSL_get_error(const SSL *s,int i)
1757 {
1758 int reason;
1759 unsigned long l;
1760 BIO *bio;
1761
1762 if (i > 0) return(SSL_ERROR_NONE);
1763
1764 /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
1765 * etc, where we do encode the error */
1766 if ((l=ERR_peek_error()) != 0)
1767 {
1768 if (ERR_GET_LIB(l) == ERR_LIB_SYS)
1769 return(SSL_ERROR_SYSCALL);
1770 else
1771 return(SSL_ERROR_SSL);
1772 }
1773
1774 if ((i < 0) && SSL_want_read(s))
1775 {
1776 bio=SSL_get_rbio(s);
1777 if (BIO_should_read(bio))
1778 return(SSL_ERROR_WANT_READ);
1779 else if (BIO_should_write(bio))
1780 /* This one doesn't make too much sense ... We never try
1781 * to write to the rbio, and an application program where
1782 * rbio and wbio are separate couldn't even know what it
1783 * should wait for.
1784 * However if we ever set s->rwstate incorrectly
1785 * (so that we have SSL_want_read(s) instead of
1786 * SSL_want_write(s)) and rbio and wbio *are* the same,
1787 * this test works around that bug; so it might be safer
1788 * to keep it. */
1789 return(SSL_ERROR_WANT_WRITE);
1790 else if (BIO_should_io_special(bio))
1791 {
1792 reason=BIO_get_retry_reason(bio);
1793 if (reason == BIO_RR_CONNECT)
1794 return(SSL_ERROR_WANT_CONNECT);
1795 else if (reason == BIO_RR_ACCEPT)
1796 return(SSL_ERROR_WANT_ACCEPT);
1797 else
1798 return(SSL_ERROR_SYSCALL); /* unknown */
1799 }
1800 }
1801
1802 if ((i < 0) && SSL_want_write(s))
1803 {
1804 bio=SSL_get_wbio(s);
1805 if (BIO_should_write(bio))
1806 return(SSL_ERROR_WANT_WRITE);
1807 else if (BIO_should_read(bio))
1808 /* See above (SSL_want_read(s) with BIO_should_write(bio)) */
1809 return(SSL_ERROR_WANT_READ);
1810 else if (BIO_should_io_special(bio))
1811 {
1812 reason=BIO_get_retry_reason(bio);
1813 if (reason == BIO_RR_CONNECT)
1814 return(SSL_ERROR_WANT_CONNECT);
1815 else if (reason == BIO_RR_ACCEPT)
1816 return(SSL_ERROR_WANT_ACCEPT);
1817 else
1818 return(SSL_ERROR_SYSCALL);
1819 }
1820 }
1821 if ((i < 0) && SSL_want_x509_lookup(s))
1822 {
1823 return(SSL_ERROR_WANT_X509_LOOKUP);
1824 }
1825
1826 if (i == 0)
1827 {
1828 if (s->version == SSL2_VERSION)
1829 {
1830 /* assume it is the socket being closed */
1831 return(SSL_ERROR_ZERO_RETURN);
1832 }
1833 else
1834 {
1835 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
1836 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
1837 return(SSL_ERROR_ZERO_RETURN);
1838 }
1839 }
1840 return(SSL_ERROR_SYSCALL);
1841 }
1842
1843int SSL_do_handshake(SSL *s)
1844 {
1845 int ret=1;
1846
1847 if (s->handshake_func == NULL)
1848 {
1849 SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
1850 return(-1);
1851 }
1852
1853 s->method->ssl_renegotiate_check(s);
1854
1855 if (SSL_in_init(s) || SSL_in_before(s))
1856 {
1857 ret=s->handshake_func(s);
1858 }
1859 return(ret);
1860 }
1861
1862/* For the next 2 functions, SSL_clear() sets shutdown and so
1863 * one of these calls will reset it */
1864void SSL_set_accept_state(SSL *s)
1865 {
1866 s->server=1;
1867 s->shutdown=0;
1868 s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
1869 s->handshake_func=s->method->ssl_accept;
1870 /* clear the current cipher */
1871 ssl_clear_cipher_ctx(s);
1872 }
1873
1874void SSL_set_connect_state(SSL *s)
1875 {
1876 s->server=0;
1877 s->shutdown=0;
1878 s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
1879 s->handshake_func=s->method->ssl_connect;
1880 /* clear the current cipher */
1881 ssl_clear_cipher_ctx(s);
1882 }
1883
1884int ssl_undefined_function(SSL *s)
1885 {
1886 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1887 return(0);
1888 }
1889
1890int ssl_undefined_const_function(const SSL *s)
1891 {
1892 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1893 return(0);
1894 }
1895
1896SSL_METHOD *ssl_bad_method(int ver)
1897 {
1898 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1899 return(NULL);
1900 }
1901
1902const char *SSL_get_version(const SSL *s)
1903 {
1904 if (s->version == TLS1_VERSION)
1905 return("TLSv1");
1906 else if (s->version == SSL3_VERSION)
1907 return("SSLv3");
1908 else if (s->version == SSL2_VERSION)
1909 return("SSLv2");
1910 else
1911 return("unknown");
1912 }
1913
1914SSL *SSL_dup(SSL *s)
1915 {
1916 STACK_OF(X509_NAME) *sk;
1917 X509_NAME *xn;
1918 SSL *ret;
1919 int i;
1920
1921 if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
1922 return(NULL);
1923
1924 ret->version = s->version;
1925 ret->type = s->type;
1926 ret->method = s->method;
1927
1928 if (s->session != NULL)
1929 {
1930 /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
1931 SSL_copy_session_id(ret,s);
1932 }
1933 else
1934 {
1935 /* No session has been established yet, so we have to expect
1936 * that s->cert or ret->cert will be changed later --
1937 * they should not both point to the same object,
1938 * and thus we can't use SSL_copy_session_id. */
1939
1940 ret->method->ssl_free(ret);
1941 ret->method = s->method;
1942 ret->method->ssl_new(ret);
1943
1944 if (s->cert != NULL)
1945 {
1946 if (ret->cert != NULL)
1947 {
1948 ssl_cert_free(ret->cert);
1949 }
1950 ret->cert = ssl_cert_dup(s->cert);
1951 if (ret->cert == NULL)
1952 goto err;
1953 }
1954
1955 SSL_set_session_id_context(ret,
1956 s->sid_ctx, s->sid_ctx_length);
1957 }
1958
1959 ret->options=s->options;
1960 ret->mode=s->mode;
1961 SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s));
1962 SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
1963 ret->msg_callback = s->msg_callback;
1964 ret->msg_callback_arg = s->msg_callback_arg;
1965 SSL_set_verify(ret,SSL_get_verify_mode(s),
1966 SSL_get_verify_callback(s));
1967 SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
1968 ret->generate_session_id = s->generate_session_id;
1969
1970 SSL_set_info_callback(ret,SSL_get_info_callback(s));
1971
1972 ret->debug=s->debug;
1973
1974 /* copy app data, a little dangerous perhaps */
1975 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
1976 goto err;
1977
1978 /* setup rbio, and wbio */
1979 if (s->rbio != NULL)
1980 {
1981 if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
1982 goto err;
1983 }
1984 if (s->wbio != NULL)
1985 {
1986 if (s->wbio != s->rbio)
1987 {
1988 if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
1989 goto err;
1990 }
1991 else
1992 ret->wbio=ret->rbio;
1993 }
1994 ret->rwstate = s->rwstate;
1995 ret->in_handshake = s->in_handshake;
1996 ret->handshake_func = s->handshake_func;
1997 ret->server = s->server;
1998 ret->new_session = s->new_session;
1999 ret->quiet_shutdown = s->quiet_shutdown;
2000 ret->shutdown=s->shutdown;
2001 ret->state=s->state; /* SSL_dup does not really work at any state, though */
2002 ret->rstate=s->rstate;
2003 ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
2004 ret->hit=s->hit;
2005 ret->purpose=s->purpose;
2006 ret->trust=s->trust;
2007
2008 /* dup the cipher_list and cipher_list_by_id stacks */
2009 if (s->cipher_list != NULL)
2010 {
2011 if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
2012 goto err;
2013 }
2014 if (s->cipher_list_by_id != NULL)
2015 if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id))
2016 == NULL)
2017 goto err;
2018
2019 /* Dup the client_CA list */
2020 if (s->client_CA != NULL)
2021 {
2022 if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
2023 ret->client_CA=sk;
2024 for (i=0; i<sk_X509_NAME_num(sk); i++)
2025 {
2026 xn=sk_X509_NAME_value(sk,i);
2027 if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL)
2028 {
2029 X509_NAME_free(xn);
2030 goto err;
2031 }
2032 }
2033 }
2034
2035 if (0)
2036 {
2037err:
2038 if (ret != NULL) SSL_free(ret);
2039 ret=NULL;
2040 }
2041 return(ret);
2042 }
2043
2044void ssl_clear_cipher_ctx(SSL *s)
2045 {
2046 if (s->enc_read_ctx != NULL)
2047 {
2048 EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
2049 OPENSSL_free(s->enc_read_ctx);
2050 s->enc_read_ctx=NULL;
2051 }
2052 if (s->enc_write_ctx != NULL)
2053 {
2054 EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
2055 OPENSSL_free(s->enc_write_ctx);
2056 s->enc_write_ctx=NULL;
2057 }
2058 if (s->expand != NULL)
2059 {
2060 COMP_CTX_free(s->expand);
2061 s->expand=NULL;
2062 }
2063 if (s->compress != NULL)
2064 {
2065 COMP_CTX_free(s->compress);
2066 s->compress=NULL;
2067 }
2068 }
2069
2070/* Fix this function so that it takes an optional type parameter */
2071X509 *SSL_get_certificate(const SSL *s)
2072 {
2073 if (s->cert != NULL)
2074 return(s->cert->key->x509);
2075 else
2076 return(NULL);
2077 }
2078
2079/* Fix this function so that it takes an optional type parameter */
2080EVP_PKEY *SSL_get_privatekey(SSL *s)
2081 {
2082 if (s->cert != NULL)
2083 return(s->cert->key->privatekey);
2084 else
2085 return(NULL);
2086 }
2087
2088SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
2089 {
2090 if ((s->session != NULL) && (s->session->cipher != NULL))
2091 return(s->session->cipher);
2092 return(NULL);
2093 }
2094
2095int ssl_init_wbio_buffer(SSL *s,int push)
2096 {
2097 BIO *bbio;
2098
2099 if (s->bbio == NULL)
2100 {
2101 bbio=BIO_new(BIO_f_buffer());
2102 if (bbio == NULL) return(0);
2103 s->bbio=bbio;
2104 }
2105 else
2106 {
2107 bbio=s->bbio;
2108 if (s->bbio == s->wbio)
2109 s->wbio=BIO_pop(s->wbio);
2110 }
2111 (void)BIO_reset(bbio);
2112/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
2113 if (!BIO_set_read_buffer_size(bbio,1))
2114 {
2115 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB);
2116 return(0);
2117 }
2118 if (push)
2119 {
2120 if (s->wbio != bbio)
2121 s->wbio=BIO_push(bbio,s->wbio);
2122 }
2123 else
2124 {
2125 if (s->wbio == bbio)
2126 s->wbio=BIO_pop(bbio);
2127 }
2128 return(1);
2129 }
2130
2131void ssl_free_wbio_buffer(SSL *s)
2132 {
2133 if (s->bbio == NULL) return;
2134
2135 if (s->bbio == s->wbio)
2136 {
2137 /* remove buffering */
2138 s->wbio=BIO_pop(s->wbio);
2139#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */
2140 assert(s->wbio != NULL);
2141#endif
2142 }
2143 BIO_free(s->bbio);
2144 s->bbio=NULL;
2145 }
2146
2147void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
2148 {
2149 ctx->quiet_shutdown=mode;
2150 }
2151
2152int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
2153 {
2154 return(ctx->quiet_shutdown);
2155 }
2156
2157void SSL_set_quiet_shutdown(SSL *s,int mode)
2158 {
2159 s->quiet_shutdown=mode;
2160 }
2161
2162int SSL_get_quiet_shutdown(const SSL *s)
2163 {
2164 return(s->quiet_shutdown);
2165 }
2166
2167void SSL_set_shutdown(SSL *s,int mode)
2168 {
2169 s->shutdown=mode;
2170 }
2171
2172int SSL_get_shutdown(const SSL *s)
2173 {
2174 return(s->shutdown);
2175 }
2176
2177int SSL_version(const SSL *s)
2178 {
2179 return(s->version);
2180 }
2181
2182SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
2183 {
2184 return(ssl->ctx);
2185 }
2186
2187#ifndef OPENSSL_NO_STDIO
2188int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
2189 {
2190 return(X509_STORE_set_default_paths(ctx->cert_store));
2191 }
2192
2193int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
2194 const char *CApath)
2195 {
2196 int r;
2197 r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
2198 return r;
2199 }
2200#endif
2201
2202void SSL_set_info_callback(SSL *ssl,
2203 void (*cb)(const SSL *ssl,int type,int val))
2204 {
2205 ssl->info_callback=cb;
2206 }
2207
2208void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val)
2209 {
2210 return ssl->info_callback;
2211 }
2212
2213int SSL_state(const SSL *ssl)
2214 {
2215 return(ssl->state);
2216 }
2217
2218void SSL_set_verify_result(SSL *ssl,long arg)
2219 {
2220 ssl->verify_result=arg;
2221 }
2222
2223long SSL_get_verify_result(const SSL *ssl)
2224 {
2225 return(ssl->verify_result);
2226 }
2227
2228int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
2229 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
2230 {
2231 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
2232 new_func, dup_func, free_func);
2233 }
2234
2235int SSL_set_ex_data(SSL *s,int idx,void *arg)
2236 {
2237 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
2238 }
2239
2240void *SSL_get_ex_data(const SSL *s,int idx)
2241 {
2242 return(CRYPTO_get_ex_data(&s->ex_data,idx));
2243 }
2244
2245int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
2246 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
2247 {
2248 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
2249 new_func, dup_func, free_func);
2250 }
2251
2252int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
2253 {
2254 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
2255 }
2256
2257void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
2258 {
2259 return(CRYPTO_get_ex_data(&s->ex_data,idx));
2260 }
2261
2262int ssl_ok(SSL *s)
2263 {
2264 return(1);
2265 }
2266
2267X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
2268 {
2269 return(ctx->cert_store);
2270 }
2271
2272void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
2273 {
2274 if (ctx->cert_store != NULL)
2275 X509_STORE_free(ctx->cert_store);
2276 ctx->cert_store=store;
2277 }
2278
2279int SSL_want(const SSL *s)
2280 {
2281 return(s->rwstate);
2282 }
2283
2284/*!
2285 * \brief Set the callback for generating temporary RSA keys.
2286 * \param ctx the SSL context.
2287 * \param cb the callback
2288 */
2289
2290#ifndef OPENSSL_NO_RSA
2291void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
2292 int is_export,
2293 int keylength))
2294 {
2295 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
2296 }
2297
2298void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
2299 int is_export,
2300 int keylength))
2301 {
2302 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
2303 }
2304#endif
2305
2306#ifdef DOXYGEN
2307/*!
2308 * \brief The RSA temporary key callback function.
2309 * \param ssl the SSL session.
2310 * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
2311 * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
2312 * of the required key in bits.
2313 * \return the temporary RSA key.
2314 * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
2315 */
2316
2317RSA *cb(SSL *ssl,int is_export,int keylength)
2318 {}
2319#endif
2320
2321/*!
2322 * \brief Set the callback for generating temporary DH keys.
2323 * \param ctx the SSL context.
2324 * \param dh the callback
2325 */
2326
2327#ifndef OPENSSL_NO_DH
2328void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
2329 int keylength))
2330 {
2331 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
2332 }
2333
2334void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
2335 int keylength))
2336 {
2337 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
2338 }
2339#endif
2340
2341
2342void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
2343 {
2344 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
2345 }
2346void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
2347 {
2348 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
2349 }
2350
2351
2352
2353#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
2354#include "../crypto/bio/bss_file.c"
2355#endif
2356
2357IMPLEMENT_STACK_OF(SSL_CIPHER)
2358IMPLEMENT_STACK_OF(SSL_COMP)
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
deleted file mode 100644
index 6a0b7595f4..0000000000
--- a/src/lib/libssl/ssl_locl.h
+++ /dev/null
@@ -1,623 +0,0 @@
1/* ssl/ssl_locl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#ifndef HEADER_SSL_LOCL_H
113#define HEADER_SSL_LOCL_H
114#include <stdlib.h>
115#include <time.h>
116#include <string.h>
117#include <errno.h>
118
119#include "e_os.h"
120
121#include <openssl/buffer.h>
122#include <openssl/comp.h>
123#include <openssl/bio.h>
124#include <openssl/crypto.h>
125#include <openssl/evp.h>
126#include <openssl/stack.h>
127#include <openssl/x509.h>
128#include <openssl/err.h>
129#include <openssl/ssl.h>
130#include <openssl/symhacks.h>
131
132#ifdef OPENSSL_BUILD_SHLIBSSL
133# undef OPENSSL_EXTERN
134# define OPENSSL_EXTERN OPENSSL_EXPORT
135#endif
136
137#define PKCS1_CHECK
138
139#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
140 l|=(((unsigned long)(*((c)++)))<< 8), \
141 l|=(((unsigned long)(*((c)++)))<<16), \
142 l|=(((unsigned long)(*((c)++)))<<24))
143
144/* NOTE - c is not incremented as per c2l */
145#define c2ln(c,l1,l2,n) { \
146 c+=n; \
147 l1=l2=0; \
148 switch (n) { \
149 case 8: l2 =((unsigned long)(*(--(c))))<<24; \
150 case 7: l2|=((unsigned long)(*(--(c))))<<16; \
151 case 6: l2|=((unsigned long)(*(--(c))))<< 8; \
152 case 5: l2|=((unsigned long)(*(--(c)))); \
153 case 4: l1 =((unsigned long)(*(--(c))))<<24; \
154 case 3: l1|=((unsigned long)(*(--(c))))<<16; \
155 case 2: l1|=((unsigned long)(*(--(c))))<< 8; \
156 case 1: l1|=((unsigned long)(*(--(c)))); \
157 } \
158 }
159
160#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
161 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
162 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
163 *((c)++)=(unsigned char)(((l)>>24)&0xff))
164
165#define n2l(c,l) (l =((unsigned long)(*((c)++)))<<24, \
166 l|=((unsigned long)(*((c)++)))<<16, \
167 l|=((unsigned long)(*((c)++)))<< 8, \
168 l|=((unsigned long)(*((c)++))))
169
170#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
171 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
172 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
173 *((c)++)=(unsigned char)(((l) )&0xff))
174
175/* NOTE - c is not incremented as per l2c */
176#define l2cn(l1,l2,c,n) { \
177 c+=n; \
178 switch (n) { \
179 case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
180 case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
181 case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
182 case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \
183 case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
184 case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
185 case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
186 case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \
187 } \
188 }
189
190#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
191 (((unsigned int)(c[1])) )),c+=2)
192#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
193 c[1]=(unsigned char)(((s) )&0xff)),c+=2)
194
195#define n2l3(c,l) ((l =(((unsigned long)(c[0]))<<16)| \
196 (((unsigned long)(c[1]))<< 8)| \
197 (((unsigned long)(c[2])) )),c+=3)
198
199#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \
200 c[1]=(unsigned char)(((l)>> 8)&0xff), \
201 c[2]=(unsigned char)(((l) )&0xff)),c+=3)
202
203/* LOCAL STUFF */
204
205#define SSL_DECRYPT 0
206#define SSL_ENCRYPT 1
207
208#define TWO_BYTE_BIT 0x80
209#define SEC_ESC_BIT 0x40
210#define TWO_BYTE_MASK 0x7fff
211#define THREE_BYTE_MASK 0x3fff
212
213#define INC32(a) ((a)=((a)+1)&0xffffffffL)
214#define DEC32(a) ((a)=((a)-1)&0xffffffffL)
215#define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
216
217/*
218 * Define the Bitmasks for SSL_CIPHER.algorithms.
219 * This bits are used packed as dense as possible. If new methods/ciphers
220 * etc will be added, the bits a likely to change, so this information
221 * is for internal library use only, even though SSL_CIPHER.algorithms
222 * can be publicly accessed.
223 * Use the according functions for cipher management instead.
224 *
225 * The bit mask handling in the selection and sorting scheme in
226 * ssl_create_cipher_list() has only limited capabilities, reflecting
227 * that the different entities within are mutually exclusive:
228 * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
229 */
230#define SSL_MKEY_MASK 0x0000003FL
231#define SSL_kRSA 0x00000001L /* RSA key exchange */
232#define SSL_kDHr 0x00000002L /* DH cert RSA CA cert */
233#define SSL_kDHd 0x00000004L /* DH cert DSA CA cert */
234#define SSL_kFZA 0x00000008L
235#define SSL_kEDH 0x00000010L /* tmp DH key no DH cert */
236#define SSL_kKRB5 0x00000020L /* Kerberos5 key exchange */
237#define SSL_EDH (SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
238
239#define SSL_AUTH_MASK 0x00000FC0L
240#define SSL_aRSA 0x00000040L /* Authenticate with RSA */
241#define SSL_aDSS 0x00000080L /* Authenticate with DSS */
242#define SSL_DSS SSL_aDSS
243#define SSL_aFZA 0x00000100L
244#define SSL_aNULL 0x00000200L /* no Authenticate, ADH */
245#define SSL_aDH 0x00000400L /* no Authenticate, ADH */
246#define SSL_aKRB5 0x00000800L /* Authenticate with KRB5 */
247
248#define SSL_NULL (SSL_eNULL)
249#define SSL_ADH (SSL_kEDH|SSL_aNULL)
250#define SSL_RSA (SSL_kRSA|SSL_aRSA)
251#define SSL_DH (SSL_kDHr|SSL_kDHd|SSL_kEDH)
252#define SSL_FZA (SSL_aFZA|SSL_kFZA|SSL_eFZA)
253#define SSL_KRB5 (SSL_kKRB5|SSL_aKRB5)
254
255#define SSL_ENC_MASK 0x0087F000L
256#define SSL_DES 0x00001000L
257#define SSL_3DES 0x00002000L
258#define SSL_RC4 0x00004000L
259#define SSL_RC2 0x00008000L
260#define SSL_IDEA 0x00010000L
261#define SSL_eFZA 0x00020000L
262#define SSL_eNULL 0x00040000L
263#define SSL_AES 0x00800000L
264
265#define SSL_MAC_MASK 0x00180000L
266#define SSL_MD5 0x00080000L
267#define SSL_SHA1 0x00100000L
268#define SSL_SHA (SSL_SHA1)
269
270#define SSL_SSL_MASK 0x00600000L
271#define SSL_SSLV2 0x00200000L
272#define SSL_SSLV3 0x00400000L
273#define SSL_TLSV1 SSL_SSLV3 /* for now */
274
275/* we have used 007fffff - 9 bits left to go */
276
277/*
278 * Export and cipher strength information. For each cipher we have to decide
279 * whether it is exportable or not. This information is likely to change
280 * over time, since the export control rules are no static technical issue.
281 *
282 * Independent of the export flag the cipher strength is sorted into classes.
283 * SSL_EXP40 was denoting the 40bit US export limit of past times, which now
284 * is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
285 * again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
286 * since SSL_EXP64 could be similar to SSL_LOW.
287 * For this reason SSL_MICRO and SSL_MINI macros are included to widen the
288 * namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
289 * and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
290 * be possible.
291 */
292#define SSL_EXP_MASK 0x00000003L
293#define SSL_NOT_EXP 0x00000001L
294#define SSL_EXPORT 0x00000002L
295
296#define SSL_STRONG_MASK 0x000000fcL
297#define SSL_STRONG_NONE 0x00000004L
298#define SSL_EXP40 0x00000008L
299#define SSL_MICRO (SSL_EXP40)
300#define SSL_EXP56 0x00000010L
301#define SSL_MINI (SSL_EXP56)
302#define SSL_LOW 0x00000020L
303#define SSL_MEDIUM 0x00000040L
304#define SSL_HIGH 0x00000080L
305#define SSL_FIPS 0x00000100L
306
307/* we have used 000001ff - 23 bits left to go */
308
309/*
310 * Macros to check the export status and cipher strength for export ciphers.
311 * Even though the macros for EXPORT and EXPORT40/56 have similar names,
312 * their meaning is different:
313 * *_EXPORT macros check the 'exportable' status.
314 * *_EXPORT40/56 macros are used to check whether a certain cipher strength
315 * is given.
316 * Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
317 * algorithm structure element to be passed (algorithms, algo_strength) and no
318 * typechecking can be done as they are all of type unsigned long, their
319 * direct usage is discouraged.
320 * Use the SSL_C_* macros instead.
321 */
322#define SSL_IS_EXPORT(a) ((a)&SSL_EXPORT)
323#define SSL_IS_EXPORT56(a) ((a)&SSL_EXP56)
324#define SSL_IS_EXPORT40(a) ((a)&SSL_EXP40)
325#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algo_strength)
326#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algo_strength)
327#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algo_strength)
328
329#define SSL_EXPORT_KEYLENGTH(a,s) (SSL_IS_EXPORT40(s) ? 5 : \
330 ((a)&SSL_ENC_MASK) == SSL_DES ? 8 : 7)
331#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
332#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithms, \
333 (c)->algo_strength)
334#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
335
336
337#define SSL_ALL 0xffffffffL
338#define SSL_ALL_CIPHERS (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
339 SSL_MAC_MASK)
340#define SSL_ALL_STRENGTHS (SSL_EXP_MASK|SSL_STRONG_MASK)
341
342/* Mostly for SSLv3 */
343#define SSL_PKEY_RSA_ENC 0
344#define SSL_PKEY_RSA_SIGN 1
345#define SSL_PKEY_DSA_SIGN 2
346#define SSL_PKEY_DH_RSA 3
347#define SSL_PKEY_DH_DSA 4
348#define SSL_PKEY_NUM 5
349
350/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
351 * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
352 * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
353 * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN
354 * SSL_aRSA <- RSA_ENC | RSA_SIGN
355 * SSL_aDSS <- DSA_SIGN
356 */
357
358/*
359#define CERT_INVALID 0
360#define CERT_PUBLIC_KEY 1
361#define CERT_PRIVATE_KEY 2
362*/
363
364typedef struct cert_pkey_st
365 {
366 X509 *x509;
367 EVP_PKEY *privatekey;
368 } CERT_PKEY;
369
370typedef struct cert_st
371 {
372 /* Current active set */
373 CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
374 * Probably it would make more sense to store
375 * an index, not a pointer. */
376
377 /* The following masks are for the key and auth
378 * algorithms that are supported by the certs below */
379 int valid;
380 unsigned long mask;
381 unsigned long export_mask;
382#ifndef OPENSSL_NO_RSA
383 RSA *rsa_tmp;
384 RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
385#endif
386#ifndef OPENSSL_NO_DH
387 DH *dh_tmp;
388 DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize);
389#endif
390
391 CERT_PKEY pkeys[SSL_PKEY_NUM];
392
393 int references; /* >1 only if SSL_copy_session_id is used */
394 } CERT;
395
396
397typedef struct sess_cert_st
398 {
399 STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */
400
401 /* The 'peer_...' members are used only by clients. */
402 int peer_cert_type;
403
404 CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
405 CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
406 /* Obviously we don't have the private keys of these,
407 * so maybe we shouldn't even use the CERT_PKEY type here. */
408
409#ifndef OPENSSL_NO_RSA
410 RSA *peer_rsa_tmp; /* not used for SSL 2 */
411#endif
412#ifndef OPENSSL_NO_DH
413 DH *peer_dh_tmp; /* not used for SSL 2 */
414#endif
415
416 int references; /* actually always 1 at the moment */
417 } SESS_CERT;
418
419
420/*#define MAC_DEBUG */
421
422/*#define ERR_DEBUG */
423/*#define ABORT_DEBUG */
424/*#define PKT_DEBUG 1 */
425/*#define DES_DEBUG */
426/*#define DES_OFB_DEBUG */
427/*#define SSL_DEBUG */
428/*#define RSA_DEBUG */
429/*#define IDEA_DEBUG */
430
431#define FP_ICC (int (*)(const void *,const void *))
432#define ssl_put_cipher_by_char(ssl,ciph,ptr) \
433 ((ssl)->method->put_cipher_by_char((ciph),(ptr)))
434#define ssl_get_cipher_by_char(ssl,ptr) \
435 ((ssl)->method->get_cipher_by_char(ptr))
436
437/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
438 * It is a bit of a mess of functions, but hell, think of it as
439 * an opaque structure :-) */
440typedef struct ssl3_enc_method
441 {
442 int (*enc)(SSL *, int);
443 int (*mac)(SSL *, unsigned char *, int);
444 int (*setup_key_block)(SSL *);
445 int (*generate_master_secret)(SSL *, unsigned char *, unsigned char *, int);
446 int (*change_cipher_state)(SSL *, int);
447 int (*final_finish_mac)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char *, int, unsigned char *);
448 int finish_mac_length;
449 int (*cert_verify_mac)(SSL *, EVP_MD_CTX *, unsigned char *);
450 const char *client_finished_label;
451 int client_finished_label_len;
452 const char *server_finished_label;
453 int server_finished_label_len;
454 int (*alert_value)(int);
455 } SSL3_ENC_METHOD;
456
457/* Used for holding the relevant compression methods loaded into SSL_CTX */
458typedef struct ssl3_comp_st
459 {
460 int comp_id; /* The identifier byte for this compression type */
461 char *name; /* Text name used for the compression type */
462 COMP_METHOD *method; /* The method :-) */
463 } SSL3_COMP;
464
465extern SSL3_ENC_METHOD ssl3_undef_enc_method;
466OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[];
467OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
468
469#ifdef OPENSSL_SYS_VMS
470#undef SSL_COMP_get_compression_methods
471#define SSL_COMP_get_compression_methods SSL_COMP_get_compress_methods
472#endif
473
474
475SSL_METHOD *ssl_bad_method(int ver);
476SSL_METHOD *sslv2_base_method(void);
477SSL_METHOD *sslv23_base_method(void);
478SSL_METHOD *sslv3_base_method(void);
479
480void ssl_clear_cipher_ctx(SSL *s);
481int ssl_clear_bad_session(SSL *s);
482CERT *ssl_cert_new(void);
483CERT *ssl_cert_dup(CERT *cert);
484int ssl_cert_inst(CERT **o);
485void ssl_cert_free(CERT *c);
486SESS_CERT *ssl_sess_cert_new(void);
487void ssl_sess_cert_free(SESS_CERT *sc);
488int ssl_set_peer_cert_type(SESS_CERT *c, int type);
489int ssl_get_new_session(SSL *s, int session);
490int ssl_get_prev_session(SSL *s, unsigned char *session,int len);
491int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
492int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
493 const SSL_CIPHER * const *bp);
494STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
495 STACK_OF(SSL_CIPHER) **skp);
496int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
497 int (*put_cb)(const SSL_CIPHER *, unsigned char *));
498STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
499 STACK_OF(SSL_CIPHER) **pref,
500 STACK_OF(SSL_CIPHER) **sorted,
501 const char *rule_str);
502void ssl_update_cache(SSL *s, int mode);
503int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
504 const EVP_MD **md,SSL_COMP **comp);
505int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
506int ssl_undefined_function(SSL *s);
507int ssl_undefined_const_function(const SSL *s);
508X509 *ssl_get_server_send_cert(SSL *);
509EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
510int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
511void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher);
512STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
513int ssl_verify_alarm_type(long type);
514
515int ssl2_enc_init(SSL *s, int client);
516int ssl2_generate_key_material(SSL *s);
517void ssl2_enc(SSL *s,int send_data);
518void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
519SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
520int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
521int ssl2_part_read(SSL *s, unsigned long f, int i);
522int ssl2_do_write(SSL *s);
523int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data);
524void ssl2_return_error(SSL *s,int reason);
525void ssl2_write_error(SSL *s);
526int ssl2_num_ciphers(void);
527SSL_CIPHER *ssl2_get_cipher(unsigned int u);
528int ssl2_new(SSL *s);
529void ssl2_free(SSL *s);
530int ssl2_accept(SSL *s);
531int ssl2_connect(SSL *s);
532int ssl2_read(SSL *s, void *buf, int len);
533int ssl2_peek(SSL *s, void *buf, int len);
534int ssl2_write(SSL *s, const void *buf, int len);
535int ssl2_shutdown(SSL *s);
536void ssl2_clear(SSL *s);
537long ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
538long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
539long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
540long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
541int ssl2_pending(const SSL *s);
542
543SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
544int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
545void ssl3_init_finished_mac(SSL *s);
546int ssl3_send_server_certificate(SSL *s);
547int ssl3_get_finished(SSL *s,int state_a,int state_b);
548int ssl3_setup_key_block(SSL *s);
549int ssl3_send_change_cipher_spec(SSL *s,int state_a,int state_b);
550int ssl3_change_cipher_state(SSL *s,int which);
551void ssl3_cleanup_key_block(SSL *s);
552int ssl3_do_write(SSL *s,int type);
553void ssl3_send_alert(SSL *s,int level, int desc);
554int ssl3_generate_master_secret(SSL *s, unsigned char *out,
555 unsigned char *p, int len);
556int ssl3_get_req_cert_type(SSL *s,unsigned char *p);
557long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
558int ssl3_send_finished(SSL *s, int a, int b, const char *sender,int slen);
559int ssl3_num_ciphers(void);
560SSL_CIPHER *ssl3_get_cipher(unsigned int u);
561int ssl3_renegotiate(SSL *ssl);
562int ssl3_renegotiate_check(SSL *ssl);
563int ssl3_dispatch_alert(SSL *s);
564int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
565int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
566int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
567 const char *sender, int slen,unsigned char *p);
568int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
569void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
570int ssl3_enc(SSL *s, int send_data);
571int ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
572unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
573SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
574 STACK_OF(SSL_CIPHER) *srvr);
575int ssl3_setup_buffers(SSL *s);
576int ssl3_new(SSL *s);
577void ssl3_free(SSL *s);
578int ssl3_accept(SSL *s);
579int ssl3_connect(SSL *s);
580int ssl3_read(SSL *s, void *buf, int len);
581int ssl3_peek(SSL *s, void *buf, int len);
582int ssl3_write(SSL *s, const void *buf, int len);
583int ssl3_shutdown(SSL *s);
584void ssl3_clear(SSL *s);
585long ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
586long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
587long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
588long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
589int ssl3_pending(const SSL *s);
590
591int ssl23_accept(SSL *s);
592int ssl23_connect(SSL *s);
593int ssl23_read_bytes(SSL *s, int n);
594int ssl23_write_bytes(SSL *s);
595
596int tls1_new(SSL *s);
597void tls1_free(SSL *s);
598void tls1_clear(SSL *s);
599long tls1_ctrl(SSL *s,int cmd, long larg, void *parg);
600long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)());
601SSL_METHOD *tlsv1_base_method(void );
602
603int ssl_init_wbio_buffer(SSL *s, int push);
604void ssl_free_wbio_buffer(SSL *s);
605
606int tls1_change_cipher_state(SSL *s, int which);
607int tls1_setup_key_block(SSL *s);
608int tls1_enc(SSL *s, int snd);
609int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
610 const char *str, int slen, unsigned char *p);
611int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
612int tls1_mac(SSL *ssl, unsigned char *md, int snd);
613int tls1_generate_master_secret(SSL *s, unsigned char *out,
614 unsigned char *p, int len);
615int tls1_alert_code(int code);
616int ssl3_alert_code(int code);
617int ssl_ok(SSL *s);
618
619SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
620STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
621
622
623#endif
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
deleted file mode 100644
index fb0bd4d045..0000000000
--- a/src/lib/libssl/ssl_rsa.c
+++ /dev/null
@@ -1,817 +0,0 @@
1/* ssl/ssl_rsa.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "ssl_locl.h"
61#include <openssl/bio.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65#include <openssl/pem.h>
66
67static int ssl_set_cert(CERT *c, X509 *x509);
68static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
69int SSL_use_certificate(SSL *ssl, X509 *x)
70 {
71 if (x == NULL)
72 {
73 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
74 return(0);
75 }
76 if (!ssl_cert_inst(&ssl->cert))
77 {
78 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
79 return(0);
80 }
81 return(ssl_set_cert(ssl->cert,x));
82 }
83
84#ifndef OPENSSL_NO_STDIO
85int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
86 {
87 int j;
88 BIO *in;
89 int ret=0;
90 X509 *x=NULL;
91
92 in=BIO_new(BIO_s_file_internal());
93 if (in == NULL)
94 {
95 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
96 goto end;
97 }
98
99 if (BIO_read_filename(in,file) <= 0)
100 {
101 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
102 goto end;
103 }
104 if (type == SSL_FILETYPE_ASN1)
105 {
106 j=ERR_R_ASN1_LIB;
107 x=d2i_X509_bio(in,NULL);
108 }
109 else if (type == SSL_FILETYPE_PEM)
110 {
111 j=ERR_R_PEM_LIB;
112 x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
113 }
114 else
115 {
116 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
117 goto end;
118 }
119
120 if (x == NULL)
121 {
122 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,j);
123 goto end;
124 }
125
126 ret=SSL_use_certificate(ssl,x);
127end:
128 if (x != NULL) X509_free(x);
129 if (in != NULL) BIO_free(in);
130 return(ret);
131 }
132#endif
133
134int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len)
135 {
136 X509 *x;
137 int ret;
138
139 x=d2i_X509(NULL,&d,(long)len);
140 if (x == NULL)
141 {
142 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
143 return(0);
144 }
145
146 ret=SSL_use_certificate(ssl,x);
147 X509_free(x);
148 return(ret);
149 }
150
151#ifndef OPENSSL_NO_RSA
152int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
153 {
154 EVP_PKEY *pkey;
155 int ret;
156
157 if (rsa == NULL)
158 {
159 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
160 return(0);
161 }
162 if (!ssl_cert_inst(&ssl->cert))
163 {
164 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
165 return(0);
166 }
167 if ((pkey=EVP_PKEY_new()) == NULL)
168 {
169 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
170 return(0);
171 }
172
173 RSA_up_ref(rsa);
174 EVP_PKEY_assign_RSA(pkey,rsa);
175
176 ret=ssl_set_pkey(ssl->cert,pkey);
177 EVP_PKEY_free(pkey);
178 return(ret);
179 }
180#endif
181
182static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
183 {
184 int i,ok=0,bad=0;
185
186 i=ssl_cert_type(NULL,pkey);
187 if (i < 0)
188 {
189 SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
190 return(0);
191 }
192
193 if (c->pkeys[i].x509 != NULL)
194 {
195 EVP_PKEY *pktmp;
196 pktmp = X509_get_pubkey(c->pkeys[i].x509);
197 EVP_PKEY_copy_parameters(pktmp,pkey);
198 EVP_PKEY_free(pktmp);
199 ERR_clear_error();
200
201#ifndef OPENSSL_NO_RSA
202 /* Don't check the public/private key, this is mostly
203 * for smart cards. */
204 if ((pkey->type == EVP_PKEY_RSA) &&
205 (RSA_flags(pkey->pkey.rsa) &
206 RSA_METHOD_FLAG_NO_CHECK))
207 ok=1;
208 else
209#endif
210 if (!X509_check_private_key(c->pkeys[i].x509,pkey))
211 {
212 if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
213 {
214 i=(i == SSL_PKEY_DH_RSA)?
215 SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
216
217 if (c->pkeys[i].x509 == NULL)
218 ok=1;
219 else
220 {
221 if (!X509_check_private_key(
222 c->pkeys[i].x509,pkey))
223 bad=1;
224 else
225 ok=1;
226 }
227 }
228 else
229 bad=1;
230 }
231 else
232 ok=1;
233 }
234 else
235 ok=1;
236
237 if (bad)
238 {
239 X509_free(c->pkeys[i].x509);
240 c->pkeys[i].x509=NULL;
241 return(0);
242 }
243
244 ERR_clear_error(); /* make sure no error from X509_check_private_key()
245 * is left if we have chosen to ignore it */
246 if (c->pkeys[i].privatekey != NULL)
247 EVP_PKEY_free(c->pkeys[i].privatekey);
248 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
249 c->pkeys[i].privatekey=pkey;
250 c->key= &(c->pkeys[i]);
251
252 c->valid=0;
253 return(1);
254 }
255
256#ifndef OPENSSL_NO_RSA
257#ifndef OPENSSL_NO_STDIO
258int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
259 {
260 int j,ret=0;
261 BIO *in;
262 RSA *rsa=NULL;
263
264 in=BIO_new(BIO_s_file_internal());
265 if (in == NULL)
266 {
267 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
268 goto end;
269 }
270
271 if (BIO_read_filename(in,file) <= 0)
272 {
273 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
274 goto end;
275 }
276 if (type == SSL_FILETYPE_ASN1)
277 {
278 j=ERR_R_ASN1_LIB;
279 rsa=d2i_RSAPrivateKey_bio(in,NULL);
280 }
281 else if (type == SSL_FILETYPE_PEM)
282 {
283 j=ERR_R_PEM_LIB;
284 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
285 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
286 }
287 else
288 {
289 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
290 goto end;
291 }
292 if (rsa == NULL)
293 {
294 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,j);
295 goto end;
296 }
297 ret=SSL_use_RSAPrivateKey(ssl,rsa);
298 RSA_free(rsa);
299end:
300 if (in != NULL) BIO_free(in);
301 return(ret);
302 }
303#endif
304
305int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
306 {
307 int ret;
308 const unsigned char *p;
309 RSA *rsa;
310
311 p=d;
312 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
313 {
314 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
315 return(0);
316 }
317
318 ret=SSL_use_RSAPrivateKey(ssl,rsa);
319 RSA_free(rsa);
320 return(ret);
321 }
322#endif /* !OPENSSL_NO_RSA */
323
324int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
325 {
326 int ret;
327
328 if (pkey == NULL)
329 {
330 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
331 return(0);
332 }
333 if (!ssl_cert_inst(&ssl->cert))
334 {
335 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
336 return(0);
337 }
338 ret=ssl_set_pkey(ssl->cert,pkey);
339 return(ret);
340 }
341
342#ifndef OPENSSL_NO_STDIO
343int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
344 {
345 int j,ret=0;
346 BIO *in;
347 EVP_PKEY *pkey=NULL;
348
349 in=BIO_new(BIO_s_file_internal());
350 if (in == NULL)
351 {
352 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
353 goto end;
354 }
355
356 if (BIO_read_filename(in,file) <= 0)
357 {
358 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
359 goto end;
360 }
361 if (type == SSL_FILETYPE_PEM)
362 {
363 j=ERR_R_PEM_LIB;
364 pkey=PEM_read_bio_PrivateKey(in,NULL,
365 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
366 }
367 else
368 {
369 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
370 goto end;
371 }
372 if (pkey == NULL)
373 {
374 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,j);
375 goto end;
376 }
377 ret=SSL_use_PrivateKey(ssl,pkey);
378 EVP_PKEY_free(pkey);
379end:
380 if (in != NULL) BIO_free(in);
381 return(ret);
382 }
383#endif
384
385int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len)
386 {
387 int ret;
388 unsigned char *p;
389 EVP_PKEY *pkey;
390
391 p=d;
392 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
393 {
394 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
395 return(0);
396 }
397
398 ret=SSL_use_PrivateKey(ssl,pkey);
399 EVP_PKEY_free(pkey);
400 return(ret);
401 }
402
403int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
404 {
405 if (x == NULL)
406 {
407 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
408 return(0);
409 }
410 if (!ssl_cert_inst(&ctx->cert))
411 {
412 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
413 return(0);
414 }
415 return(ssl_set_cert(ctx->cert, x));
416 }
417
418static int ssl_set_cert(CERT *c, X509 *x)
419 {
420 EVP_PKEY *pkey;
421 int i,ok=0,bad=0;
422
423 pkey=X509_get_pubkey(x);
424 if (pkey == NULL)
425 {
426 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_X509_LIB);
427 return(0);
428 }
429
430 i=ssl_cert_type(x,pkey);
431 if (i < 0)
432 {
433 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
434 EVP_PKEY_free(pkey);
435 return(0);
436 }
437
438 if (c->pkeys[i].privatekey != NULL)
439 {
440 EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
441 ERR_clear_error();
442
443#ifndef OPENSSL_NO_RSA
444 /* Don't check the public/private key, this is mostly
445 * for smart cards. */
446 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
447 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
448 RSA_METHOD_FLAG_NO_CHECK))
449 ok=1;
450 else
451#endif
452 {
453 if (!X509_check_private_key(x,c->pkeys[i].privatekey))
454 {
455 if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
456 {
457 i=(i == SSL_PKEY_DH_RSA)?
458 SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
459
460 if (c->pkeys[i].privatekey == NULL)
461 ok=1;
462 else
463 {
464 if (!X509_check_private_key(x,
465 c->pkeys[i].privatekey))
466 bad=1;
467 else
468 ok=1;
469 }
470 }
471 else
472 bad=1;
473 }
474 else
475 ok=1;
476 } /* OPENSSL_NO_RSA */
477 }
478 else
479 ok=1;
480
481 EVP_PKEY_free(pkey);
482 if (bad)
483 {
484 EVP_PKEY_free(c->pkeys[i].privatekey);
485 c->pkeys[i].privatekey=NULL;
486 }
487
488 if (c->pkeys[i].x509 != NULL)
489 X509_free(c->pkeys[i].x509);
490 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
491 c->pkeys[i].x509=x;
492 c->key= &(c->pkeys[i]);
493
494 c->valid=0;
495 return(1);
496 }
497
498#ifndef OPENSSL_NO_STDIO
499int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
500 {
501 int j;
502 BIO *in;
503 int ret=0;
504 X509 *x=NULL;
505
506 in=BIO_new(BIO_s_file_internal());
507 if (in == NULL)
508 {
509 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
510 goto end;
511 }
512
513 if (BIO_read_filename(in,file) <= 0)
514 {
515 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
516 goto end;
517 }
518 if (type == SSL_FILETYPE_ASN1)
519 {
520 j=ERR_R_ASN1_LIB;
521 x=d2i_X509_bio(in,NULL);
522 }
523 else if (type == SSL_FILETYPE_PEM)
524 {
525 j=ERR_R_PEM_LIB;
526 x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
527 }
528 else
529 {
530 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
531 goto end;
532 }
533
534 if (x == NULL)
535 {
536 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,j);
537 goto end;
538 }
539
540 ret=SSL_CTX_use_certificate(ctx,x);
541end:
542 if (x != NULL) X509_free(x);
543 if (in != NULL) BIO_free(in);
544 return(ret);
545 }
546#endif
547
548int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d)
549 {
550 X509 *x;
551 int ret;
552
553 x=d2i_X509(NULL,&d,(long)len);
554 if (x == NULL)
555 {
556 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
557 return(0);
558 }
559
560 ret=SSL_CTX_use_certificate(ctx,x);
561 X509_free(x);
562 return(ret);
563 }
564
565#ifndef OPENSSL_NO_RSA
566int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
567 {
568 int ret;
569 EVP_PKEY *pkey;
570
571 if (rsa == NULL)
572 {
573 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
574 return(0);
575 }
576 if (!ssl_cert_inst(&ctx->cert))
577 {
578 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
579 return(0);
580 }
581 if ((pkey=EVP_PKEY_new()) == NULL)
582 {
583 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
584 return(0);
585 }
586
587 RSA_up_ref(rsa);
588 EVP_PKEY_assign_RSA(pkey,rsa);
589
590 ret=ssl_set_pkey(ctx->cert, pkey);
591 EVP_PKEY_free(pkey);
592 return(ret);
593 }
594
595#ifndef OPENSSL_NO_STDIO
596int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
597 {
598 int j,ret=0;
599 BIO *in;
600 RSA *rsa=NULL;
601
602 in=BIO_new(BIO_s_file_internal());
603 if (in == NULL)
604 {
605 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
606 goto end;
607 }
608
609 if (BIO_read_filename(in,file) <= 0)
610 {
611 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
612 goto end;
613 }
614 if (type == SSL_FILETYPE_ASN1)
615 {
616 j=ERR_R_ASN1_LIB;
617 rsa=d2i_RSAPrivateKey_bio(in,NULL);
618 }
619 else if (type == SSL_FILETYPE_PEM)
620 {
621 j=ERR_R_PEM_LIB;
622 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
623 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
624 }
625 else
626 {
627 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
628 goto end;
629 }
630 if (rsa == NULL)
631 {
632 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,j);
633 goto end;
634 }
635 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
636 RSA_free(rsa);
637end:
638 if (in != NULL) BIO_free(in);
639 return(ret);
640 }
641#endif
642
643int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len)
644 {
645 int ret;
646 const unsigned char *p;
647 RSA *rsa;
648
649 p=d;
650 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
651 {
652 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
653 return(0);
654 }
655
656 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
657 RSA_free(rsa);
658 return(ret);
659 }
660#endif /* !OPENSSL_NO_RSA */
661
662int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
663 {
664 if (pkey == NULL)
665 {
666 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
667 return(0);
668 }
669 if (!ssl_cert_inst(&ctx->cert))
670 {
671 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
672 return(0);
673 }
674 return(ssl_set_pkey(ctx->cert,pkey));
675 }
676
677#ifndef OPENSSL_NO_STDIO
678int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
679 {
680 int j,ret=0;
681 BIO *in;
682 EVP_PKEY *pkey=NULL;
683
684 in=BIO_new(BIO_s_file_internal());
685 if (in == NULL)
686 {
687 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
688 goto end;
689 }
690
691 if (BIO_read_filename(in,file) <= 0)
692 {
693 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
694 goto end;
695 }
696 if (type == SSL_FILETYPE_PEM)
697 {
698 j=ERR_R_PEM_LIB;
699 pkey=PEM_read_bio_PrivateKey(in,NULL,
700 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
701 }
702 else
703 {
704 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
705 goto end;
706 }
707 if (pkey == NULL)
708 {
709 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,j);
710 goto end;
711 }
712 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
713 EVP_PKEY_free(pkey);
714end:
715 if (in != NULL) BIO_free(in);
716 return(ret);
717 }
718#endif
719
720int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d,
721 long len)
722 {
723 int ret;
724 unsigned char *p;
725 EVP_PKEY *pkey;
726
727 p=d;
728 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
729 {
730 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
731 return(0);
732 }
733
734 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
735 EVP_PKEY_free(pkey);
736 return(ret);
737 }
738
739
740#ifndef OPENSSL_NO_STDIO
741/* Read a file that contains our certificate in "PEM" format,
742 * possibly followed by a sequence of CA certificates that should be
743 * sent to the peer in the Certificate message.
744 */
745int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
746 {
747 BIO *in;
748 int ret=0;
749 X509 *x=NULL;
750
751 in=BIO_new(BIO_s_file_internal());
752 if (in == NULL)
753 {
754 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
755 goto end;
756 }
757
758 if (BIO_read_filename(in,file) <= 0)
759 {
760 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_SYS_LIB);
761 goto end;
762 }
763
764 x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
765 if (x == NULL)
766 {
767 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
768 goto end;
769 }
770
771 ret=SSL_CTX_use_certificate(ctx,x);
772 if (ERR_peek_error() != 0)
773 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
774 if (ret)
775 {
776 /* If we could set up our certificate, now proceed to
777 * the CA certificates.
778 */
779 X509 *ca;
780 int r;
781 unsigned long err;
782
783 if (ctx->extra_certs != NULL)
784 {
785 sk_X509_pop_free(ctx->extra_certs, X509_free);
786 ctx->extra_certs = NULL;
787 }
788
789 while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata))
790 != NULL)
791 {
792 r = SSL_CTX_add_extra_chain_cert(ctx, ca);
793 if (!r)
794 {
795 X509_free(ca);
796 ret = 0;
797 goto end;
798 }
799 /* Note that we must not free r if it was successfully
800 * added to the chain (while we must free the main
801 * certificate, since its reference count is increased
802 * by SSL_CTX_use_certificate). */
803 }
804 /* When the while loop ends, it's usually just EOF. */
805 err = ERR_peek_last_error();
806 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
807 ERR_clear_error();
808 else
809 ret = 0; /* some real error */
810 }
811
812end:
813 if (x != NULL) X509_free(x);
814 if (in != NULL) BIO_free(in);
815 return(ret);
816 }
817#endif
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
deleted file mode 100644
index 2ba8b9612e..0000000000
--- a/src/lib/libssl/ssl_sess.c
+++ /dev/null
@@ -1,755 +0,0 @@
1/* ssl/ssl_sess.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/lhash.h>
61#include <openssl/rand.h>
62#include "ssl_locl.h"
63
64static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
65static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
66static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
67
68SSL_SESSION *SSL_get_session(const SSL *ssl)
69/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
70 {
71 return(ssl->session);
72 }
73
74SSL_SESSION *SSL_get1_session(SSL *ssl)
75/* variant of SSL_get_session: caller really gets something */
76 {
77 SSL_SESSION *sess;
78 /* Need to lock this all up rather than just use CRYPTO_add so that
79 * somebody doesn't free ssl->session between when we check it's
80 * non-null and when we up the reference count. */
81 CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
82 sess = ssl->session;
83 if(sess)
84 sess->references++;
85 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
86 return(sess);
87 }
88
89int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
90 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
91 {
92 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
93 new_func, dup_func, free_func);
94 }
95
96int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
97 {
98 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
99 }
100
101void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
102 {
103 return(CRYPTO_get_ex_data(&s->ex_data,idx));
104 }
105
106SSL_SESSION *SSL_SESSION_new(void)
107 {
108 SSL_SESSION *ss;
109
110 ss=(SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION));
111 if (ss == NULL)
112 {
113 SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE);
114 return(0);
115 }
116 memset(ss,0,sizeof(SSL_SESSION));
117
118 ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
119 ss->references=1;
120 ss->timeout=60*5+4; /* 5 minute timeout by default */
121 ss->time=(unsigned long)time(NULL);
122 ss->prev=NULL;
123 ss->next=NULL;
124 ss->compress_meth=0;
125 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
126 return(ss);
127 }
128
129/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
130 * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
131 * until we have no conflict is going to complete in one iteration pretty much
132 * "most" of the time (btw: understatement). So, if it takes us 10 iterations
133 * and we still can't avoid a conflict - well that's a reasonable point to call
134 * it quits. Either the RAND code is broken or someone is trying to open roughly
135 * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
136 * store that many sessions is perhaps a more interesting question ... */
137
138#define MAX_SESS_ID_ATTEMPTS 10
139static int def_generate_session_id(const SSL *ssl, unsigned char *id,
140 unsigned int *id_len)
141{
142 unsigned int retry = 0;
143 do
144 if(RAND_pseudo_bytes(id, *id_len) <= 0)
145 return 0;
146 while(SSL_has_matching_session_id(ssl, id, *id_len) &&
147 (++retry < MAX_SESS_ID_ATTEMPTS));
148 if(retry < MAX_SESS_ID_ATTEMPTS)
149 return 1;
150 /* else - woops a session_id match */
151 /* XXX We should also check the external cache --
152 * but the probability of a collision is negligible, and
153 * we could not prevent the concurrent creation of sessions
154 * with identical IDs since we currently don't have means
155 * to atomically check whether a session ID already exists
156 * and make a reservation for it if it does not
157 * (this problem applies to the internal cache as well).
158 */
159 return 0;
160}
161
162int ssl_get_new_session(SSL *s, int session)
163 {
164 /* This gets used by clients and servers. */
165
166 unsigned int tmp;
167 SSL_SESSION *ss=NULL;
168 GEN_SESSION_CB cb = def_generate_session_id;
169
170 if ((ss=SSL_SESSION_new()) == NULL) return(0);
171
172 /* If the context has a default timeout, use it */
173 if (s->ctx->session_timeout == 0)
174 ss->timeout=SSL_get_default_timeout(s);
175 else
176 ss->timeout=s->ctx->session_timeout;
177
178 if (s->session != NULL)
179 {
180 SSL_SESSION_free(s->session);
181 s->session=NULL;
182 }
183
184 if (session)
185 {
186 if (s->version == SSL2_VERSION)
187 {
188 ss->ssl_version=SSL2_VERSION;
189 ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
190 }
191 else if (s->version == SSL3_VERSION)
192 {
193 ss->ssl_version=SSL3_VERSION;
194 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
195 }
196 else if (s->version == TLS1_VERSION)
197 {
198 ss->ssl_version=TLS1_VERSION;
199 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
200 }
201 else
202 {
203 SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
204 SSL_SESSION_free(ss);
205 return(0);
206 }
207 /* Choose which callback will set the session ID */
208 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
209 if(s->generate_session_id)
210 cb = s->generate_session_id;
211 else if(s->ctx->generate_session_id)
212 cb = s->ctx->generate_session_id;
213 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
214 /* Choose a session ID */
215 tmp = ss->session_id_length;
216 if(!cb(s, ss->session_id, &tmp))
217 {
218 /* The callback failed */
219 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
220 SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
221 SSL_SESSION_free(ss);
222 return(0);
223 }
224 /* Don't allow the callback to set the session length to zero.
225 * nor set it higher than it was. */
226 if(!tmp || (tmp > ss->session_id_length))
227 {
228 /* The callback set an illegal length */
229 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
230 SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
231 SSL_SESSION_free(ss);
232 return(0);
233 }
234 /* If the session length was shrunk and we're SSLv2, pad it */
235 if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION))
236 memset(ss->session_id + tmp, 0, ss->session_id_length - tmp);
237 else
238 ss->session_id_length = tmp;
239 /* Finally, check for a conflict */
240 if(SSL_has_matching_session_id(s, ss->session_id,
241 ss->session_id_length))
242 {
243 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
244 SSL_R_SSL_SESSION_ID_CONFLICT);
245 SSL_SESSION_free(ss);
246 return(0);
247 }
248 }
249 else
250 {
251 ss->session_id_length=0;
252 }
253
254 if (s->sid_ctx_length > sizeof ss->sid_ctx)
255 {
256 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
257 SSL_SESSION_free(ss);
258 return 0;
259 }
260 memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
261 ss->sid_ctx_length=s->sid_ctx_length;
262 s->session=ss;
263 ss->ssl_version=s->version;
264 ss->verify_result = X509_V_OK;
265
266 return(1);
267 }
268
269int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
270 {
271 /* This is used only by servers. */
272
273 SSL_SESSION *ret=NULL,data;
274 int fatal = 0;
275
276 data.ssl_version=s->version;
277 data.session_id_length=len;
278 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
279 goto err;
280 memcpy(data.session_id,session_id,len);
281
282 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
283 {
284 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
285 ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);
286 if (ret != NULL)
287 /* don't allow other threads to steal it: */
288 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
289 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
290 }
291
292 if (ret == NULL)
293 {
294 int copy=1;
295
296 s->ctx->stats.sess_miss++;
297 ret=NULL;
298 if (s->ctx->get_session_cb != NULL
299 && (ret=s->ctx->get_session_cb(s,session_id,len,&copy))
300 != NULL)
301 {
302 s->ctx->stats.sess_cb_hit++;
303
304 /* Increment reference count now if the session callback
305 * asks us to do so (note that if the session structures
306 * returned by the callback are shared between threads,
307 * it must handle the reference count itself [i.e. copy == 0],
308 * or things won't be thread-safe). */
309 if (copy)
310 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
311
312 /* Add the externally cached session to the internal
313 * cache as well if and only if we are supposed to. */
314 if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
315 /* The following should not return 1, otherwise,
316 * things are very strange */
317 SSL_CTX_add_session(s->ctx,ret);
318 }
319 if (ret == NULL)
320 goto err;
321 }
322
323 /* Now ret is non-NULL, and we own one of its reference counts. */
324
325 if((s->verify_mode&SSL_VERIFY_PEER)
326 && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length
327 || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)))
328 {
329 /* We've found the session named by the client, but we don't
330 * want to use it in this context. */
331
332 if (s->sid_ctx_length == 0)
333 {
334 /* application should have used SSL[_CTX]_set_session_id_context
335 * -- we could tolerate this and just pretend we never heard
336 * of this session, but then applications could effectively
337 * disable the session cache by accident without anyone noticing */
338
339 SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
340 fatal = 1;
341 goto err;
342 }
343 else
344 {
345#if 0 /* The client cannot always know when a session is not appropriate,
346 * so we shouldn't generate an error message. */
347
348 SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
349#endif
350 goto err; /* treat like cache miss */
351 }
352 }
353
354 if (ret->cipher == NULL)
355 {
356 unsigned char buf[5],*p;
357 unsigned long l;
358
359 p=buf;
360 l=ret->cipher_id;
361 l2n(l,p);
362 if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR)
363 ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
364 else
365 ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
366 if (ret->cipher == NULL)
367 goto err;
368 }
369
370
371#if 0 /* This is way too late. */
372
373 /* If a thread got the session, then 'swaped', and another got
374 * it and then due to a time-out decided to 'OPENSSL_free' it we could
375 * be in trouble. So I'll increment it now, then double decrement
376 * later - am I speaking rubbish?. */
377 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
378#endif
379
380 if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
381 {
382 s->ctx->stats.sess_timeout++;
383 /* remove it from the cache */
384 SSL_CTX_remove_session(s->ctx,ret);
385 goto err;
386 }
387
388 s->ctx->stats.sess_hit++;
389
390 /* ret->time=time(NULL); */ /* rezero timeout? */
391 /* again, just leave the session
392 * if it is the same session, we have just incremented and
393 * then decremented the reference count :-) */
394 if (s->session != NULL)
395 SSL_SESSION_free(s->session);
396 s->session=ret;
397 s->verify_result = s->session->verify_result;
398 return(1);
399
400 err:
401 if (ret != NULL)
402 SSL_SESSION_free(ret);
403 if (fatal)
404 return -1;
405 else
406 return 0;
407 }
408
409int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
410 {
411 int ret=0;
412 SSL_SESSION *s;
413
414 /* add just 1 reference count for the SSL_CTX's session cache
415 * even though it has two ways of access: each session is in a
416 * doubly linked list and an lhash */
417 CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
418 /* if session c is in already in cache, we take back the increment later */
419
420 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
421 s=(SSL_SESSION *)lh_insert(ctx->sessions,c);
422
423 /* s != NULL iff we already had a session with the given PID.
424 * In this case, s == c should hold (then we did not really modify
425 * ctx->sessions), or we're in trouble. */
426 if (s != NULL && s != c)
427 {
428 /* We *are* in trouble ... */
429 SSL_SESSION_list_remove(ctx,s);
430 SSL_SESSION_free(s);
431 /* ... so pretend the other session did not exist in cache
432 * (we cannot handle two SSL_SESSION structures with identical
433 * session ID in the same cache, which could happen e.g. when
434 * two threads concurrently obtain the same session from an external
435 * cache) */
436 s = NULL;
437 }
438
439 /* Put at the head of the queue unless it is already in the cache */
440 if (s == NULL)
441 SSL_SESSION_list_add(ctx,c);
442
443 if (s != NULL)
444 {
445 /* existing cache entry -- decrement previously incremented reference
446 * count because it already takes into account the cache */
447
448 SSL_SESSION_free(s); /* s == c */
449 ret=0;
450 }
451 else
452 {
453 /* new cache entry -- remove old ones if cache has become too large */
454
455 ret=1;
456
457 if (SSL_CTX_sess_get_cache_size(ctx) > 0)
458 {
459 while (SSL_CTX_sess_number(ctx) >
460 SSL_CTX_sess_get_cache_size(ctx))
461 {
462 if (!remove_session_lock(ctx,
463 ctx->session_cache_tail, 0))
464 break;
465 else
466 ctx->stats.sess_cache_full++;
467 }
468 }
469 }
470 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
471 return(ret);
472 }
473
474int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
475{
476 return remove_session_lock(ctx, c, 1);
477}
478
479static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
480 {
481 SSL_SESSION *r;
482 int ret=0;
483
484 if ((c != NULL) && (c->session_id_length != 0))
485 {
486 if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
487 if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c)
488 {
489 ret=1;
490 r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
491 SSL_SESSION_list_remove(ctx,c);
492 }
493
494 if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
495
496 if (ret)
497 {
498 r->not_resumable=1;
499 if (ctx->remove_session_cb != NULL)
500 ctx->remove_session_cb(ctx,r);
501 SSL_SESSION_free(r);
502 }
503 }
504 else
505 ret=0;
506 return(ret);
507 }
508
509void SSL_SESSION_free(SSL_SESSION *ss)
510 {
511 int i;
512
513 if(ss == NULL)
514 return;
515
516 i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
517#ifdef REF_PRINT
518 REF_PRINT("SSL_SESSION",ss);
519#endif
520 if (i > 0) return;
521#ifdef REF_CHECK
522 if (i < 0)
523 {
524 fprintf(stderr,"SSL_SESSION_free, bad reference count\n");
525 abort(); /* ok */
526 }
527#endif
528
529 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
530
531 OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
532 OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
533 OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
534 if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
535 if (ss->peer != NULL) X509_free(ss->peer);
536 if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
537 OPENSSL_cleanse(ss,sizeof(*ss));
538 OPENSSL_free(ss);
539 }
540
541int SSL_set_session(SSL *s, SSL_SESSION *session)
542 {
543 int ret=0;
544 SSL_METHOD *meth;
545
546 if (session != NULL)
547 {
548 meth=s->ctx->method->get_ssl_method(session->ssl_version);
549 if (meth == NULL)
550 meth=s->method->get_ssl_method(session->ssl_version);
551 if (meth == NULL)
552 {
553 SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD);
554 return(0);
555 }
556
557 if (meth != s->method)
558 {
559 if (!SSL_set_ssl_method(s,meth))
560 return(0);
561 if (s->ctx->session_timeout == 0)
562 session->timeout=SSL_get_default_timeout(s);
563 else
564 session->timeout=s->ctx->session_timeout;
565 }
566
567#ifndef OPENSSL_NO_KRB5
568 if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
569 session->krb5_client_princ_len > 0)
570 {
571 s->kssl_ctx->client_princ = (char *)malloc(session->krb5_client_princ_len + 1);
572 memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
573 session->krb5_client_princ_len);
574 s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
575 }
576#endif /* OPENSSL_NO_KRB5 */
577
578 /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
579 CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
580 if (s->session != NULL)
581 SSL_SESSION_free(s->session);
582 s->session=session;
583 s->verify_result = s->session->verify_result;
584 /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
585 ret=1;
586 }
587 else
588 {
589 if (s->session != NULL)
590 {
591 SSL_SESSION_free(s->session);
592 s->session=NULL;
593 }
594
595 meth=s->ctx->method;
596 if (meth != s->method)
597 {
598 if (!SSL_set_ssl_method(s,meth))
599 return(0);
600 }
601 ret=1;
602 }
603 return(ret);
604 }
605
606long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
607 {
608 if (s == NULL) return(0);
609 s->timeout=t;
610 return(1);
611 }
612
613long SSL_SESSION_get_timeout(const SSL_SESSION *s)
614 {
615 if (s == NULL) return(0);
616 return(s->timeout);
617 }
618
619long SSL_SESSION_get_time(const SSL_SESSION *s)
620 {
621 if (s == NULL) return(0);
622 return(s->time);
623 }
624
625long SSL_SESSION_set_time(SSL_SESSION *s, long t)
626 {
627 if (s == NULL) return(0);
628 s->time=t;
629 return(t);
630 }
631
632long SSL_CTX_set_timeout(SSL_CTX *s, long t)
633 {
634 long l;
635 if (s == NULL) return(0);
636 l=s->session_timeout;
637 s->session_timeout=t;
638 return(l);
639 }
640
641long SSL_CTX_get_timeout(const SSL_CTX *s)
642 {
643 if (s == NULL) return(0);
644 return(s->session_timeout);
645 }
646
647typedef struct timeout_param_st
648 {
649 SSL_CTX *ctx;
650 long time;
651 LHASH *cache;
652 } TIMEOUT_PARAM;
653
654static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
655 {
656 if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
657 {
658 /* The reason we don't call SSL_CTX_remove_session() is to
659 * save on locking overhead */
660 lh_delete(p->cache,s);
661 SSL_SESSION_list_remove(p->ctx,s);
662 s->not_resumable=1;
663 if (p->ctx->remove_session_cb != NULL)
664 p->ctx->remove_session_cb(p->ctx,s);
665 SSL_SESSION_free(s);
666 }
667 }
668
669static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION *, TIMEOUT_PARAM *)
670
671void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
672 {
673 unsigned long i;
674 TIMEOUT_PARAM tp;
675
676 tp.ctx=s;
677 tp.cache=s->sessions;
678 if (tp.cache == NULL) return;
679 tp.time=t;
680 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
681 i=tp.cache->down_load;
682 tp.cache->down_load=0;
683 lh_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), &tp);
684 tp.cache->down_load=i;
685 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
686 }
687
688int ssl_clear_bad_session(SSL *s)
689 {
690 if ( (s->session != NULL) &&
691 !(s->shutdown & SSL_SENT_SHUTDOWN) &&
692 !(SSL_in_init(s) || SSL_in_before(s)))
693 {
694 SSL_CTX_remove_session(s->ctx,s->session);
695 return(1);
696 }
697 else
698 return(0);
699 }
700
701/* locked by SSL_CTX in the calling function */
702static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
703 {
704 if ((s->next == NULL) || (s->prev == NULL)) return;
705
706 if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
707 { /* last element in list */
708 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
709 { /* only one element in list */
710 ctx->session_cache_head=NULL;
711 ctx->session_cache_tail=NULL;
712 }
713 else
714 {
715 ctx->session_cache_tail=s->prev;
716 s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
717 }
718 }
719 else
720 {
721 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
722 { /* first element in list */
723 ctx->session_cache_head=s->next;
724 s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
725 }
726 else
727 { /* middle of list */
728 s->next->prev=s->prev;
729 s->prev->next=s->next;
730 }
731 }
732 s->prev=s->next=NULL;
733 }
734
735static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
736 {
737 if ((s->next != NULL) && (s->prev != NULL))
738 SSL_SESSION_list_remove(ctx,s);
739
740 if (ctx->session_cache_head == NULL)
741 {
742 ctx->session_cache_head=s;
743 ctx->session_cache_tail=s;
744 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
745 s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
746 }
747 else
748 {
749 s->next=ctx->session_cache_head;
750 s->next->prev=s;
751 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
752 ctx->session_cache_head=s;
753 }
754 }
755
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
deleted file mode 100644
index b16d253081..0000000000
--- a/src/lib/libssl/ssl_stat.c
+++ /dev/null
@@ -1,502 +0,0 @@
1/* ssl/ssl_stat.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "ssl_locl.h"
61
62const char *SSL_state_string_long(const SSL *s)
63 {
64 const char *str;
65
66 switch (s->state)
67 {
68case SSL_ST_BEFORE: str="before SSL initialization"; break;
69case SSL_ST_ACCEPT: str="before accept initialization"; break;
70case SSL_ST_CONNECT: str="before connect initialization"; break;
71case SSL_ST_OK: str="SSL negotiation finished successfully"; break;
72case SSL_ST_RENEGOTIATE: str="SSL renegotiate ciphers"; break;
73case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initialization"; break;
74case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
75case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
76case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
77#ifndef OPENSSL_NO_SSL2
78case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
79case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
80case SSL2_ST_SEND_CLIENT_HELLO_A: str="SSLv2 write client hello A"; break;
81case SSL2_ST_SEND_CLIENT_HELLO_B: str="SSLv2 write client hello B"; break;
82case SSL2_ST_GET_SERVER_HELLO_A: str="SSLv2 read server hello A"; break;
83case SSL2_ST_GET_SERVER_HELLO_B: str="SSLv2 read server hello B"; break;
84case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="SSLv2 write client master key A"; break;
85case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="SSLv2 write client master key B"; break;
86case SSL2_ST_SEND_CLIENT_FINISHED_A: str="SSLv2 write client finished A"; break;
87case SSL2_ST_SEND_CLIENT_FINISHED_B: str="SSLv2 write client finished B"; break;
88case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="SSLv2 write client certificate A"; break;
89case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="SSLv2 write client certificate B"; break;
90case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="SSLv2 write client certificate C"; break;
91case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="SSLv2 write client certificate D"; break;
92case SSL2_ST_GET_SERVER_VERIFY_A: str="SSLv2 read server verify A"; break;
93case SSL2_ST_GET_SERVER_VERIFY_B: str="SSLv2 read server verify B"; break;
94case SSL2_ST_GET_SERVER_FINISHED_A: str="SSLv2 read server finished A"; break;
95case SSL2_ST_GET_SERVER_FINISHED_B: str="SSLv2 read server finished B"; break;
96case SSL2_ST_GET_CLIENT_HELLO_A: str="SSLv2 read client hello A"; break;
97case SSL2_ST_GET_CLIENT_HELLO_B: str="SSLv2 read client hello B"; break;
98case SSL2_ST_GET_CLIENT_HELLO_C: str="SSLv2 read client hello C"; break;
99case SSL2_ST_SEND_SERVER_HELLO_A: str="SSLv2 write server hello A"; break;
100case SSL2_ST_SEND_SERVER_HELLO_B: str="SSLv2 write server hello B"; break;
101case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="SSLv2 read client master key A"; break;
102case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="SSLv2 read client master key B"; break;
103case SSL2_ST_SEND_SERVER_VERIFY_A: str="SSLv2 write server verify A"; break;
104case SSL2_ST_SEND_SERVER_VERIFY_B: str="SSLv2 write server verify B"; break;
105case SSL2_ST_SEND_SERVER_VERIFY_C: str="SSLv2 write server verify C"; break;
106case SSL2_ST_GET_CLIENT_FINISHED_A: str="SSLv2 read client finished A"; break;
107case SSL2_ST_GET_CLIENT_FINISHED_B: str="SSLv2 read client finished B"; break;
108case SSL2_ST_SEND_SERVER_FINISHED_A: str="SSLv2 write server finished A"; break;
109case SSL2_ST_SEND_SERVER_FINISHED_B: str="SSLv2 write server finished B"; break;
110case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="SSLv2 write request certificate A"; break;
111case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="SSLv2 write request certificate B"; break;
112case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="SSLv2 write request certificate C"; break;
113case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="SSLv2 write request certificate D"; break;
114case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="SSLv2 X509 read server certificate"; break;
115case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="SSLv2 X509 read client certificate"; break;
116#endif
117
118#ifndef OPENSSL_NO_SSL3
119/* SSLv3 additions */
120case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break;
121case SSL3_ST_CW_CLNT_HELLO_B: str="SSLv3 write client hello B"; break;
122case SSL3_ST_CR_SRVR_HELLO_A: str="SSLv3 read server hello A"; break;
123case SSL3_ST_CR_SRVR_HELLO_B: str="SSLv3 read server hello B"; break;
124case SSL3_ST_CR_CERT_A: str="SSLv3 read server certificate A"; break;
125case SSL3_ST_CR_CERT_B: str="SSLv3 read server certificate B"; break;
126case SSL3_ST_CR_KEY_EXCH_A: str="SSLv3 read server key exchange A"; break;
127case SSL3_ST_CR_KEY_EXCH_B: str="SSLv3 read server key exchange B"; break;
128case SSL3_ST_CR_CERT_REQ_A: str="SSLv3 read server certificate request A"; break;
129case SSL3_ST_CR_CERT_REQ_B: str="SSLv3 read server certificate request B"; break;
130case SSL3_ST_CR_SRVR_DONE_A: str="SSLv3 read server done A"; break;
131case SSL3_ST_CR_SRVR_DONE_B: str="SSLv3 read server done B"; break;
132case SSL3_ST_CW_CERT_A: str="SSLv3 write client certificate A"; break;
133case SSL3_ST_CW_CERT_B: str="SSLv3 write client certificate B"; break;
134case SSL3_ST_CW_CERT_C: str="SSLv3 write client certificate C"; break;
135case SSL3_ST_CW_CERT_D: str="SSLv3 write client certificate D"; break;
136case SSL3_ST_CW_KEY_EXCH_A: str="SSLv3 write client key exchange A"; break;
137case SSL3_ST_CW_KEY_EXCH_B: str="SSLv3 write client key exchange B"; break;
138case SSL3_ST_CW_CERT_VRFY_A: str="SSLv3 write certificate verify A"; break;
139case SSL3_ST_CW_CERT_VRFY_B: str="SSLv3 write certificate verify B"; break;
140
141case SSL3_ST_CW_CHANGE_A:
142case SSL3_ST_SW_CHANGE_A: str="SSLv3 write change cipher spec A"; break;
143case SSL3_ST_CW_CHANGE_B:
144case SSL3_ST_SW_CHANGE_B: str="SSLv3 write change cipher spec B"; break;
145case SSL3_ST_CW_FINISHED_A:
146case SSL3_ST_SW_FINISHED_A: str="SSLv3 write finished A"; break;
147case SSL3_ST_CW_FINISHED_B:
148case SSL3_ST_SW_FINISHED_B: str="SSLv3 write finished B"; break;
149case SSL3_ST_CR_CHANGE_A:
150case SSL3_ST_SR_CHANGE_A: str="SSLv3 read change cipher spec A"; break;
151case SSL3_ST_CR_CHANGE_B:
152case SSL3_ST_SR_CHANGE_B: str="SSLv3 read change cipher spec B"; break;
153case SSL3_ST_CR_FINISHED_A:
154case SSL3_ST_SR_FINISHED_A: str="SSLv3 read finished A"; break;
155case SSL3_ST_CR_FINISHED_B:
156case SSL3_ST_SR_FINISHED_B: str="SSLv3 read finished B"; break;
157
158case SSL3_ST_CW_FLUSH:
159case SSL3_ST_SW_FLUSH: str="SSLv3 flush data"; break;
160
161case SSL3_ST_SR_CLNT_HELLO_A: str="SSLv3 read client hello A"; break;
162case SSL3_ST_SR_CLNT_HELLO_B: str="SSLv3 read client hello B"; break;
163case SSL3_ST_SR_CLNT_HELLO_C: str="SSLv3 read client hello C"; break;
164case SSL3_ST_SW_HELLO_REQ_A: str="SSLv3 write hello request A"; break;
165case SSL3_ST_SW_HELLO_REQ_B: str="SSLv3 write hello request B"; break;
166case SSL3_ST_SW_HELLO_REQ_C: str="SSLv3 write hello request C"; break;
167case SSL3_ST_SW_SRVR_HELLO_A: str="SSLv3 write server hello A"; break;
168case SSL3_ST_SW_SRVR_HELLO_B: str="SSLv3 write server hello B"; break;
169case SSL3_ST_SW_CERT_A: str="SSLv3 write certificate A"; break;
170case SSL3_ST_SW_CERT_B: str="SSLv3 write certificate B"; break;
171case SSL3_ST_SW_KEY_EXCH_A: str="SSLv3 write key exchange A"; break;
172case SSL3_ST_SW_KEY_EXCH_B: str="SSLv3 write key exchange B"; break;
173case SSL3_ST_SW_CERT_REQ_A: str="SSLv3 write certificate request A"; break;
174case SSL3_ST_SW_CERT_REQ_B: str="SSLv3 write certificate request B"; break;
175case SSL3_ST_SW_SRVR_DONE_A: str="SSLv3 write server done A"; break;
176case SSL3_ST_SW_SRVR_DONE_B: str="SSLv3 write server done B"; break;
177case SSL3_ST_SR_CERT_A: str="SSLv3 read client certificate A"; break;
178case SSL3_ST_SR_CERT_B: str="SSLv3 read client certificate B"; break;
179case SSL3_ST_SR_KEY_EXCH_A: str="SSLv3 read client key exchange A"; break;
180case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break;
181case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break;
182case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
183#endif
184
185#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
186/* SSLv2/v3 compatibility states */
187/* client */
188case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break;
189case SSL23_ST_CW_CLNT_HELLO_B: str="SSLv2/v3 write client hello B"; break;
190case SSL23_ST_CR_SRVR_HELLO_A: str="SSLv2/v3 read server hello A"; break;
191case SSL23_ST_CR_SRVR_HELLO_B: str="SSLv2/v3 read server hello B"; break;
192/* server */
193case SSL23_ST_SR_CLNT_HELLO_A: str="SSLv2/v3 read client hello A"; break;
194case SSL23_ST_SR_CLNT_HELLO_B: str="SSLv2/v3 read client hello B"; break;
195#endif
196
197default: str="unknown state"; break;
198 }
199 return(str);
200 }
201
202const char *SSL_rstate_string_long(const SSL *s)
203 {
204 const char *str;
205
206 switch (s->rstate)
207 {
208 case SSL_ST_READ_HEADER: str="read header"; break;
209 case SSL_ST_READ_BODY: str="read body"; break;
210 case SSL_ST_READ_DONE: str="read done"; break;
211 default: str="unknown"; break;
212 }
213 return(str);
214 }
215
216const char *SSL_state_string(const SSL *s)
217 {
218 const char *str;
219
220 switch (s->state)
221 {
222case SSL_ST_BEFORE: str="PINIT "; break;
223case SSL_ST_ACCEPT: str="AINIT "; break;
224case SSL_ST_CONNECT: str="CINIT "; break;
225case SSL_ST_OK: str="SSLOK "; break;
226#ifndef OPENSSL_NO_SSL2
227case SSL2_ST_CLIENT_START_ENCRYPTION: str="2CSENC"; break;
228case SSL2_ST_SERVER_START_ENCRYPTION: str="2SSENC"; break;
229case SSL2_ST_SEND_CLIENT_HELLO_A: str="2SCH_A"; break;
230case SSL2_ST_SEND_CLIENT_HELLO_B: str="2SCH_B"; break;
231case SSL2_ST_GET_SERVER_HELLO_A: str="2GSH_A"; break;
232case SSL2_ST_GET_SERVER_HELLO_B: str="2GSH_B"; break;
233case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="2SCMKA"; break;
234case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="2SCMKB"; break;
235case SSL2_ST_SEND_CLIENT_FINISHED_A: str="2SCF_A"; break;
236case SSL2_ST_SEND_CLIENT_FINISHED_B: str="2SCF_B"; break;
237case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="2SCC_A"; break;
238case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="2SCC_B"; break;
239case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="2SCC_C"; break;
240case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="2SCC_D"; break;
241case SSL2_ST_GET_SERVER_VERIFY_A: str="2GSV_A"; break;
242case SSL2_ST_GET_SERVER_VERIFY_B: str="2GSV_B"; break;
243case SSL2_ST_GET_SERVER_FINISHED_A: str="2GSF_A"; break;
244case SSL2_ST_GET_SERVER_FINISHED_B: str="2GSF_B"; break;
245case SSL2_ST_GET_CLIENT_HELLO_A: str="2GCH_A"; break;
246case SSL2_ST_GET_CLIENT_HELLO_B: str="2GCH_B"; break;
247case SSL2_ST_GET_CLIENT_HELLO_C: str="2GCH_C"; break;
248case SSL2_ST_SEND_SERVER_HELLO_A: str="2SSH_A"; break;
249case SSL2_ST_SEND_SERVER_HELLO_B: str="2SSH_B"; break;
250case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="2GCMKA"; break;
251case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="2GCMKA"; break;
252case SSL2_ST_SEND_SERVER_VERIFY_A: str="2SSV_A"; break;
253case SSL2_ST_SEND_SERVER_VERIFY_B: str="2SSV_B"; break;
254case SSL2_ST_SEND_SERVER_VERIFY_C: str="2SSV_C"; break;
255case SSL2_ST_GET_CLIENT_FINISHED_A: str="2GCF_A"; break;
256case SSL2_ST_GET_CLIENT_FINISHED_B: str="2GCF_B"; break;
257case SSL2_ST_SEND_SERVER_FINISHED_A: str="2SSF_A"; break;
258case SSL2_ST_SEND_SERVER_FINISHED_B: str="2SSF_B"; break;
259case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="2SRC_A"; break;
260case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="2SRC_B"; break;
261case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="2SRC_C"; break;
262case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="2SRC_D"; break;
263case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="2X9GSC"; break;
264case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="2X9GCC"; break;
265#endif
266
267#ifndef OPENSSL_NO_SSL3
268/* SSLv3 additions */
269case SSL3_ST_SW_FLUSH:
270case SSL3_ST_CW_FLUSH: str="3FLUSH"; break;
271case SSL3_ST_CW_CLNT_HELLO_A: str="3WCH_A"; break;
272case SSL3_ST_CW_CLNT_HELLO_B: str="3WCH_B"; break;
273case SSL3_ST_CR_SRVR_HELLO_A: str="3RSH_A"; break;
274case SSL3_ST_CR_SRVR_HELLO_B: str="3RSH_B"; break;
275case SSL3_ST_CR_CERT_A: str="3RSC_A"; break;
276case SSL3_ST_CR_CERT_B: str="3RSC_B"; break;
277case SSL3_ST_CR_KEY_EXCH_A: str="3RSKEA"; break;
278case SSL3_ST_CR_KEY_EXCH_B: str="3RSKEB"; break;
279case SSL3_ST_CR_CERT_REQ_A: str="3RCR_A"; break;
280case SSL3_ST_CR_CERT_REQ_B: str="3RCR_B"; break;
281case SSL3_ST_CR_SRVR_DONE_A: str="3RSD_A"; break;
282case SSL3_ST_CR_SRVR_DONE_B: str="3RSD_B"; break;
283case SSL3_ST_CW_CERT_A: str="3WCC_A"; break;
284case SSL3_ST_CW_CERT_B: str="3WCC_B"; break;
285case SSL3_ST_CW_CERT_C: str="3WCC_C"; break;
286case SSL3_ST_CW_CERT_D: str="3WCC_D"; break;
287case SSL3_ST_CW_KEY_EXCH_A: str="3WCKEA"; break;
288case SSL3_ST_CW_KEY_EXCH_B: str="3WCKEB"; break;
289case SSL3_ST_CW_CERT_VRFY_A: str="3WCV_A"; break;
290case SSL3_ST_CW_CERT_VRFY_B: str="3WCV_B"; break;
291
292case SSL3_ST_SW_CHANGE_A:
293case SSL3_ST_CW_CHANGE_A: str="3WCCSA"; break;
294case SSL3_ST_SW_CHANGE_B:
295case SSL3_ST_CW_CHANGE_B: str="3WCCSB"; break;
296case SSL3_ST_SW_FINISHED_A:
297case SSL3_ST_CW_FINISHED_A: str="3WFINA"; break;
298case SSL3_ST_SW_FINISHED_B:
299case SSL3_ST_CW_FINISHED_B: str="3WFINB"; break;
300case SSL3_ST_SR_CHANGE_A:
301case SSL3_ST_CR_CHANGE_A: str="3RCCSA"; break;
302case SSL3_ST_SR_CHANGE_B:
303case SSL3_ST_CR_CHANGE_B: str="3RCCSB"; break;
304case SSL3_ST_SR_FINISHED_A:
305case SSL3_ST_CR_FINISHED_A: str="3RFINA"; break;
306case SSL3_ST_SR_FINISHED_B:
307case SSL3_ST_CR_FINISHED_B: str="3RFINB"; break;
308
309case SSL3_ST_SW_HELLO_REQ_A: str="3WHR_A"; break;
310case SSL3_ST_SW_HELLO_REQ_B: str="3WHR_B"; break;
311case SSL3_ST_SW_HELLO_REQ_C: str="3WHR_C"; break;
312case SSL3_ST_SR_CLNT_HELLO_A: str="3RCH_A"; break;
313case SSL3_ST_SR_CLNT_HELLO_B: str="3RCH_B"; break;
314case SSL3_ST_SR_CLNT_HELLO_C: str="3RCH_C"; break;
315case SSL3_ST_SW_SRVR_HELLO_A: str="3WSH_A"; break;
316case SSL3_ST_SW_SRVR_HELLO_B: str="3WSH_B"; break;
317case SSL3_ST_SW_CERT_A: str="3WSC_A"; break;
318case SSL3_ST_SW_CERT_B: str="3WSC_B"; break;
319case SSL3_ST_SW_KEY_EXCH_A: str="3WSKEA"; break;
320case SSL3_ST_SW_KEY_EXCH_B: str="3WSKEB"; break;
321case SSL3_ST_SW_CERT_REQ_A: str="3WCR_A"; break;
322case SSL3_ST_SW_CERT_REQ_B: str="3WCR_B"; break;
323case SSL3_ST_SW_SRVR_DONE_A: str="3WSD_A"; break;
324case SSL3_ST_SW_SRVR_DONE_B: str="3WSD_B"; break;
325case SSL3_ST_SR_CERT_A: str="3RCC_A"; break;
326case SSL3_ST_SR_CERT_B: str="3RCC_B"; break;
327case SSL3_ST_SR_KEY_EXCH_A: str="3RCKEA"; break;
328case SSL3_ST_SR_KEY_EXCH_B: str="3RCKEB"; break;
329case SSL3_ST_SR_CERT_VRFY_A: str="3RCV_A"; break;
330case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break;
331#endif
332
333#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
334/* SSLv2/v3 compatibility states */
335/* client */
336case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break;
337case SSL23_ST_CW_CLNT_HELLO_B: str="23WCHB"; break;
338case SSL23_ST_CR_SRVR_HELLO_A: str="23RSHA"; break;
339case SSL23_ST_CR_SRVR_HELLO_B: str="23RSHA"; break;
340/* server */
341case SSL23_ST_SR_CLNT_HELLO_A: str="23RCHA"; break;
342case SSL23_ST_SR_CLNT_HELLO_B: str="23RCHB"; break;
343#endif
344
345default: str="UNKWN "; break;
346 }
347 return(str);
348 }
349
350const char *SSL_alert_type_string_long(int value)
351 {
352 value>>=8;
353 if (value == SSL3_AL_WARNING)
354 return("warning");
355 else if (value == SSL3_AL_FATAL)
356 return("fatal");
357 else
358 return("unknown");
359 }
360
361const char *SSL_alert_type_string(int value)
362 {
363 value>>=8;
364 if (value == SSL3_AL_WARNING)
365 return("W");
366 else if (value == SSL3_AL_FATAL)
367 return("F");
368 else
369 return("U");
370 }
371
372const char *SSL_alert_desc_string(int value)
373 {
374 const char *str;
375
376 switch (value & 0xff)
377 {
378 case SSL3_AD_CLOSE_NOTIFY: str="CN"; break;
379 case SSL3_AD_UNEXPECTED_MESSAGE: str="UM"; break;
380 case SSL3_AD_BAD_RECORD_MAC: str="BM"; break;
381 case SSL3_AD_DECOMPRESSION_FAILURE: str="DF"; break;
382 case SSL3_AD_HANDSHAKE_FAILURE: str="HF"; break;
383 case SSL3_AD_NO_CERTIFICATE: str="NC"; break;
384 case SSL3_AD_BAD_CERTIFICATE: str="BC"; break;
385 case SSL3_AD_UNSUPPORTED_CERTIFICATE: str="UC"; break;
386 case SSL3_AD_CERTIFICATE_REVOKED: str="CR"; break;
387 case SSL3_AD_CERTIFICATE_EXPIRED: str="CE"; break;
388 case SSL3_AD_CERTIFICATE_UNKNOWN: str="CU"; break;
389 case SSL3_AD_ILLEGAL_PARAMETER: str="IP"; break;
390 case TLS1_AD_DECRYPTION_FAILED: str="DC"; break;
391 case TLS1_AD_RECORD_OVERFLOW: str="RO"; break;
392 case TLS1_AD_UNKNOWN_CA: str="CA"; break;
393 case TLS1_AD_ACCESS_DENIED: str="AD"; break;
394 case TLS1_AD_DECODE_ERROR: str="DE"; break;
395 case TLS1_AD_DECRYPT_ERROR: str="CY"; break;
396 case TLS1_AD_EXPORT_RESTRICTION: str="ER"; break;
397 case TLS1_AD_PROTOCOL_VERSION: str="PV"; break;
398 case TLS1_AD_INSUFFICIENT_SECURITY: str="IS"; break;
399 case TLS1_AD_INTERNAL_ERROR: str="IE"; break;
400 case TLS1_AD_USER_CANCELLED: str="US"; break;
401 case TLS1_AD_NO_RENEGOTIATION: str="NR"; break;
402 default: str="UK"; break;
403 }
404 return(str);
405 }
406
407const char *SSL_alert_desc_string_long(int value)
408 {
409 const char *str;
410
411 switch (value & 0xff)
412 {
413 case SSL3_AD_CLOSE_NOTIFY:
414 str="close notify";
415 break;
416 case SSL3_AD_UNEXPECTED_MESSAGE:
417 str="unexpected_message";
418 break;
419 case SSL3_AD_BAD_RECORD_MAC:
420 str="bad record mac";
421 break;
422 case SSL3_AD_DECOMPRESSION_FAILURE:
423 str="decompression failure";
424 break;
425 case SSL3_AD_HANDSHAKE_FAILURE:
426 str="handshake failure";
427 break;
428 case SSL3_AD_NO_CERTIFICATE:
429 str="no certificate";
430 break;
431 case SSL3_AD_BAD_CERTIFICATE:
432 str="bad certificate";
433 break;
434 case SSL3_AD_UNSUPPORTED_CERTIFICATE:
435 str="unsupported certificate";
436 break;
437 case SSL3_AD_CERTIFICATE_REVOKED:
438 str="certificate revoked";
439 break;
440 case SSL3_AD_CERTIFICATE_EXPIRED:
441 str="certificate expired";
442 break;
443 case SSL3_AD_CERTIFICATE_UNKNOWN:
444 str="certificate unknown";
445 break;
446 case SSL3_AD_ILLEGAL_PARAMETER:
447 str="illegal parameter";
448 break;
449 case TLS1_AD_DECRYPTION_FAILED:
450 str="decryption failed";
451 break;
452 case TLS1_AD_RECORD_OVERFLOW:
453 str="record overflow";
454 break;
455 case TLS1_AD_UNKNOWN_CA:
456 str="unknown CA";
457 break;
458 case TLS1_AD_ACCESS_DENIED:
459 str="access denied";
460 break;
461 case TLS1_AD_DECODE_ERROR:
462 str="decode error";
463 break;
464 case TLS1_AD_DECRYPT_ERROR:
465 str="decrypt error";
466 break;
467 case TLS1_AD_EXPORT_RESTRICTION:
468 str="export restriction";
469 break;
470 case TLS1_AD_PROTOCOL_VERSION:
471 str="protocol version";
472 break;
473 case TLS1_AD_INSUFFICIENT_SECURITY:
474 str="insufficient security";
475 break;
476 case TLS1_AD_INTERNAL_ERROR:
477 str="internal error";
478 break;
479 case TLS1_AD_USER_CANCELLED:
480 str="user canceled";
481 break;
482 case TLS1_AD_NO_RENEGOTIATION:
483 str="no renegotiation";
484 break;
485 default: str="unknown"; break;
486 }
487 return(str);
488 }
489
490const char *SSL_rstate_string(const SSL *s)
491 {
492 const char *str;
493
494 switch (s->rstate)
495 {
496 case SSL_ST_READ_HEADER:str="RH"; break;
497 case SSL_ST_READ_BODY: str="RB"; break;
498 case SSL_ST_READ_DONE: str="RD"; break;
499 default: str="unknown"; break;
500 }
501 return(str);
502 }
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
deleted file mode 100644
index 8655a31333..0000000000
--- a/src/lib/libssl/ssl_txt.c
+++ /dev/null
@@ -1,186 +0,0 @@
1/* ssl/ssl_txt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/buffer.h>
61#include "ssl_locl.h"
62
63#ifndef OPENSSL_NO_FP_API
64int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
65 {
66 BIO *b;
67 int ret;
68
69 if ((b=BIO_new(BIO_s_file_internal())) == NULL)
70 {
71 SSLerr(SSL_F_SSL_SESSION_PRINT_FP,ERR_R_BUF_LIB);
72 return(0);
73 }
74 BIO_set_fp(b,fp,BIO_NOCLOSE);
75 ret=SSL_SESSION_print(b,x);
76 BIO_free(b);
77 return(ret);
78 }
79#endif
80
81int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
82 {
83 unsigned int i;
84 char *s;
85
86 if (x == NULL) goto err;
87 if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err;
88 if (x->ssl_version == SSL2_VERSION)
89 s="SSLv2";
90 else if (x->ssl_version == SSL3_VERSION)
91 s="SSLv3";
92 else if (x->ssl_version == TLS1_VERSION)
93 s="TLSv1";
94 else
95 s="unknown";
96 if (BIO_printf(bp," Protocol : %s\n",s) <= 0) goto err;
97
98 if (x->cipher == NULL)
99 {
100 if (((x->cipher_id) & 0xff000000) == 0x02000000)
101 {
102 if (BIO_printf(bp," Cipher : %06lX\n",x->cipher_id&0xffffff) <= 0)
103 goto err;
104 }
105 else
106 {
107 if (BIO_printf(bp," Cipher : %04lX\n",x->cipher_id&0xffff) <= 0)
108 goto err;
109 }
110 }
111 else
112 {
113 if (BIO_printf(bp," Cipher : %s\n",((x->cipher == NULL)?"unknown":x->cipher->name)) <= 0)
114 goto err;
115 }
116 if (BIO_puts(bp," Session-ID: ") <= 0) goto err;
117 for (i=0; i<x->session_id_length; i++)
118 {
119 if (BIO_printf(bp,"%02X",x->session_id[i]) <= 0) goto err;
120 }
121 if (BIO_puts(bp,"\n Session-ID-ctx: ") <= 0) goto err;
122 for (i=0; i<x->sid_ctx_length; i++)
123 {
124 if (BIO_printf(bp,"%02X",x->sid_ctx[i]) <= 0)
125 goto err;
126 }
127 if (BIO_puts(bp,"\n Master-Key: ") <= 0) goto err;
128 for (i=0; i<(unsigned int)x->master_key_length; i++)
129 {
130 if (BIO_printf(bp,"%02X",x->master_key[i]) <= 0) goto err;
131 }
132 if (BIO_puts(bp,"\n Key-Arg : ") <= 0) goto err;
133 if (x->key_arg_length == 0)
134 {
135 if (BIO_puts(bp,"None") <= 0) goto err;
136 }
137 else
138 for (i=0; i<x->key_arg_length; i++)
139 {
140 if (BIO_printf(bp,"%02X",x->key_arg[i]) <= 0) goto err;
141 }
142#ifndef OPENSSL_NO_KRB5
143 if (BIO_puts(bp,"\n Krb5 Principal: ") <= 0) goto err;
144 if (x->krb5_client_princ_len == 0)
145 {
146 if (BIO_puts(bp,"None") <= 0) goto err;
147 }
148 else
149 for (i=0; i<x->krb5_client_princ_len; i++)
150 {
151 if (BIO_printf(bp,"%02X",x->krb5_client_princ[i]) <= 0) goto err;
152 }
153#endif /* OPENSSL_NO_KRB5 */
154 if (x->compress_meth != 0)
155 {
156 SSL_COMP *comp;
157
158 ssl_cipher_get_evp(x,NULL,NULL,&comp);
159 if (comp == NULL)
160 {
161 if (BIO_printf(bp,"\n Compression: %d",x->compress_meth) <= 0) goto err;
162 }
163 else
164 {
165 if (BIO_printf(bp,"\n Compression: %d (%s)", comp->id,comp->method->name) <= 0) goto err;
166 }
167 }
168 if (x->time != 0L)
169 {
170 if (BIO_printf(bp, "\n Start Time: %ld",x->time) <= 0) goto err;
171 }
172 if (x->timeout != 0L)
173 {
174 if (BIO_printf(bp, "\n Timeout : %ld (sec)",x->timeout) <= 0) goto err;
175 }
176 if (BIO_puts(bp,"\n") <= 0) goto err;
177
178 if (BIO_puts(bp, " Verify return code: ") <= 0) goto err;
179 if (BIO_printf(bp, "%ld (%s)\n", x->verify_result,
180 X509_verify_cert_error_string(x->verify_result)) <= 0) goto err;
181
182 return(1);
183err:
184 return(0);
185 }
186
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 23:38:18 +0000