summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl.h2075
-rw-r--r--src/lib/libssl/ssl2.h268
-rw-r--r--src/lib/libssl/ssl23.h83
-rw-r--r--src/lib/libssl/ssl3.h566
-rw-r--r--src/lib/libssl/ssl_algs.c132
-rw-r--r--src/lib/libssl/ssl_asn1.c500
-rw-r--r--src/lib/libssl/ssl_cert.c829
-rw-r--r--src/lib/libssl/ssl_ciph.c1387
-rw-r--r--src/lib/libssl/ssl_err.c518
-rw-r--r--src/lib/libssl/ssl_err2.c70
-rw-r--r--src/lib/libssl/ssl_lib.c2703
-rw-r--r--src/lib/libssl/ssl_locl.h982
-rw-r--r--src/lib/libssl/ssl_rsa.c779
-rw-r--r--src/lib/libssl/ssl_sess.c906
-rw-r--r--src/lib/libssl/ssl_stat.c506
-rw-r--r--src/lib/libssl/ssl_txt.c203
16 files changed, 0 insertions, 12507 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
deleted file mode 100644
index ff8a128d3c..0000000000
--- a/src/lib/libssl/ssl.h
+++ /dev/null
@@ -1,2075 +0,0 @@
1/* ssl/ssl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
113 *
114 * Redistribution and use in source and binary forms, with or without
115 * modification, are permitted provided that the following conditions
116 * are met:
117 *
118 * 1. Redistributions of source code must retain the above copyright
119 * notice, this list of conditions and the following disclaimer.
120 *
121 * 2. Redistributions in binary form must reproduce the above copyright
122 * notice, this list of conditions and the following disclaimer in
123 * the documentation and/or other materials provided with the
124 * distribution.
125 *
126 * 3. All advertising materials mentioning features or use of this
127 * software must display the following acknowledgment:
128 * "This product includes software developed by the OpenSSL Project
129 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
130 *
131 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
132 * endorse or promote products derived from this software without
133 * prior written permission. For written permission, please contact
134 * openssl-core@openssl.org.
135 *
136 * 5. Products derived from this software may not be called "OpenSSL"
137 * nor may "OpenSSL" appear in their names without prior written
138 * permission of the OpenSSL Project.
139 *
140 * 6. Redistributions of any form whatsoever must retain the following
141 * acknowledgment:
142 * "This product includes software developed by the OpenSSL Project
143 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
144 *
145 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
146 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
147 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
148 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
149 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
150 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
151 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
152 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
153 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
154 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
155 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
156 * OF THE POSSIBILITY OF SUCH DAMAGE.
157 * ====================================================================
158 *
159 * This product includes cryptographic software written by Eric Young
160 * (eay@cryptsoft.com). This product includes software written by Tim
161 * Hudson (tjh@cryptsoft.com).
162 *
163 */
164/* ====================================================================
165 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
166 * ECC cipher suite support in OpenSSL originally developed by
167 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
168 */
169
170#ifndef HEADER_SSL_H
171#define HEADER_SSL_H
172
173#include <openssl/e_os2.h>
174
175#ifndef OPENSSL_NO_COMP
176#include <openssl/comp.h>
177#endif
178#ifndef OPENSSL_NO_BIO
179#include <openssl/bio.h>
180#endif
181#ifndef OPENSSL_NO_DEPRECATED
182#ifndef OPENSSL_NO_X509
183#include <openssl/x509.h>
184#endif
185#include <openssl/crypto.h>
186#include <openssl/lhash.h>
187#include <openssl/buffer.h>
188#endif
189#include <openssl/pem.h>
190#include <openssl/hmac.h>
191
192#include <openssl/kssl.h>
193#include <openssl/safestack.h>
194#include <openssl/symhacks.h>
195
196#ifdef __cplusplus
197extern "C" {
198#endif
199
200/* SSLeay version number for ASN.1 encoding of the session information */
201/* Version 0 - initial version
202 * Version 1 - added the optional peer certificate
203 */
204#define SSL_SESSION_ASN1_VERSION 0x0001
205
206/* text strings for the ciphers */
207#define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5
208#define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5
209#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5
210#define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5
211#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5
212#define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5
213#define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5
214#define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA
215#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
216#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
217
218/* VRS Additional Kerberos5 entries
219 */
220#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
221#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
222#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA
223#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
224#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
225#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
226#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5
227#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
228
229#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
230#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA
231#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA
232#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
233#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5
234#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5
235
236#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
237#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
238#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
239#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
240#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
241#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
242#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256
243
244#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
245#define SSL_MAX_SID_CTX_LENGTH 32
246
247#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8)
248#define SSL_MAX_KEY_ARG_LENGTH 8
249#define SSL_MAX_MASTER_KEY_LENGTH 48
250
251/* These are used to specify which ciphers to use and not to use */
252#define SSL_TXT_LOW "LOW"
253#define SSL_TXT_MEDIUM "MEDIUM"
254#define SSL_TXT_HIGH "HIGH"
255#define SSL_TXT_FIPS "FIPS"
256#define SSL_TXT_kFZA "kFZA"
257#define SSL_TXT_aFZA "aFZA"
258#define SSL_TXT_eFZA "eFZA"
259#define SSL_TXT_FZA "FZA"
260
261#define SSL_TXT_aNULL "aNULL"
262#define SSL_TXT_eNULL "eNULL"
263#define SSL_TXT_NULL "NULL"
264
265#define SSL_TXT_kKRB5 "kKRB5"
266#define SSL_TXT_aKRB5 "aKRB5"
267#define SSL_TXT_KRB5 "KRB5"
268
269#define SSL_TXT_kRSA "kRSA"
270#define SSL_TXT_kDHr "kDHr"
271#define SSL_TXT_kDHd "kDHd"
272#define SSL_TXT_kEDH "kEDH"
273#define SSL_TXT_aRSA "aRSA"
274#define SSL_TXT_aDSS "aDSS"
275#define SSL_TXT_aDH "aDH"
276#define SSL_TXT_DSS "DSS"
277#define SSL_TXT_DH "DH"
278#define SSL_TXT_EDH "EDH"
279#define SSL_TXT_ADH "ADH"
280#define SSL_TXT_RSA "RSA"
281#define SSL_TXT_DES "DES"
282#define SSL_TXT_3DES "3DES"
283#define SSL_TXT_RC4 "RC4"
284#define SSL_TXT_RC2 "RC2"
285#define SSL_TXT_IDEA "IDEA"
286#define SSL_TXT_SEED "SEED"
287#define SSL_TXT_AES "AES"
288#define SSL_TXT_CAMELLIA "CAMELLIA"
289#define SSL_TXT_MD5 "MD5"
290#define SSL_TXT_SHA1 "SHA1"
291#define SSL_TXT_SHA "SHA"
292#define SSL_TXT_EXP "EXP"
293#define SSL_TXT_EXPORT "EXPORT"
294#define SSL_TXT_EXP40 "EXPORT40"
295#define SSL_TXT_EXP56 "EXPORT56"
296#define SSL_TXT_SSLV2 "SSLv2"
297#define SSL_TXT_SSLV3 "SSLv3"
298#define SSL_TXT_TLSV1 "TLSv1"
299#define SSL_TXT_ALL "ALL"
300#define SSL_TXT_ECC "ECCdraft" /* ECC ciphersuites are not yet official */
301
302/*
303 * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
304 * ciphers normally not being used.
305 * Example: "RC4" will activate all ciphers using RC4 including ciphers
306 * without authentication, which would normally disabled by DEFAULT (due
307 * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
308 * will make sure that it is also disabled in the specific selection.
309 * COMPLEMENTOF* identifiers are portable between version, as adjustments
310 * to the default cipher setup will also be included here.
311 *
312 * COMPLEMENTOFDEFAULT does not experience the same special treatment that
313 * DEFAULT gets, as only selection is being done and no sorting as needed
314 * for DEFAULT.
315 */
316#define SSL_TXT_CMPALL "COMPLEMENTOFALL"
317#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
318
319/* The following cipher list is used by default.
320 * It also is substituted when an application-defined cipher list string
321 * starts with 'DEFAULT'. */
322#define SSL_DEFAULT_CIPHER_LIST "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */
323
324/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
325#define SSL_SENT_SHUTDOWN 1
326#define SSL_RECEIVED_SHUTDOWN 2
327
328#ifdef __cplusplus
329}
330#endif
331
332#ifdef __cplusplus
333extern "C" {
334#endif
335
336#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
337#define OPENSSL_NO_SSL2
338#endif
339
340#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
341#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
342
343/* This is needed to stop compilers complaining about the
344 * 'struct ssl_st *' function parameters used to prototype callbacks
345 * in SSL_CTX. */
346typedef struct ssl_st *ssl_crock_st;
347
348/* used to hold info on the particular ciphers used */
349typedef struct ssl_cipher_st
350 {
351 int valid;
352 const char *name; /* text name */
353 unsigned long id; /* id, 4 bytes, first is version */
354 unsigned long algorithms; /* what ciphers are used */
355 unsigned long algo_strength; /* strength and export flags */
356 unsigned long algorithm2; /* Extra flags */
357 int strength_bits; /* Number of bits really used */
358 int alg_bits; /* Number of bits for algorithm */
359 unsigned long mask; /* used for matching */
360 unsigned long mask_strength; /* also used for matching */
361 } SSL_CIPHER;
362
363DECLARE_STACK_OF(SSL_CIPHER)
364
365/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
366typedef struct ssl_method_st
367 {
368 int version;
369 int (*ssl_new)(SSL *s);
370 void (*ssl_clear)(SSL *s);
371 void (*ssl_free)(SSL *s);
372 int (*ssl_accept)(SSL *s);
373 int (*ssl_connect)(SSL *s);
374 int (*ssl_read)(SSL *s,void *buf,int len);
375 int (*ssl_peek)(SSL *s,void *buf,int len);
376 int (*ssl_write)(SSL *s,const void *buf,int len);
377 int (*ssl_shutdown)(SSL *s);
378 int (*ssl_renegotiate)(SSL *s);
379 int (*ssl_renegotiate_check)(SSL *s);
380 long (*ssl_get_message)(SSL *s, int st1, int stn, int mt, long
381 max, int *ok);
382 int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len,
383 int peek);
384 int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
385 int (*ssl_dispatch_alert)(SSL *s);
386 long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg);
387 long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
388 SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
389 int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
390 int (*ssl_pending)(const SSL *s);
391 int (*num_ciphers)(void);
392 SSL_CIPHER *(*get_cipher)(unsigned ncipher);
393 struct ssl_method_st *(*get_ssl_method)(int version);
394 long (*get_timeout)(void);
395 struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
396 int (*ssl_version)(void);
397 long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void));
398 long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
399 } SSL_METHOD;
400
401/* Lets make this into an ASN.1 type structure as follows
402 * SSL_SESSION_ID ::= SEQUENCE {
403 * version INTEGER, -- structure version number
404 * SSLversion INTEGER, -- SSL version number
405 * Cipher OCTET_STRING, -- the 3 byte cipher ID
406 * Session_ID OCTET_STRING, -- the Session ID
407 * Master_key OCTET_STRING, -- the master key
408 * KRB5_principal OCTET_STRING -- optional Kerberos principal
409 * Key_Arg [ 0 ] IMPLICIT OCTET_STRING, -- the optional Key argument
410 * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
411 * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
412 * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
413 * Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context
414 * Verify_result [ 5 ] EXPLICIT INTEGER -- X509_V_... code for `Peer'
415 * Compression [6] IMPLICIT ASN1_OBJECT -- compression OID XXXXX
416 * }
417 * Look in ssl/ssl_asn1.c for more details
418 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
419 */
420typedef struct ssl_session_st
421 {
422 int ssl_version; /* what ssl version session info is
423 * being kept in here? */
424
425 /* only really used in SSLv2 */
426 unsigned int key_arg_length;
427 unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
428 int master_key_length;
429 unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
430 /* session_id - valid? */
431 unsigned int session_id_length;
432 unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
433 /* this is used to determine whether the session is being reused in
434 * the appropriate context. It is up to the application to set this,
435 * via SSL_new */
436 unsigned int sid_ctx_length;
437 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
438
439#ifndef OPENSSL_NO_KRB5
440 unsigned int krb5_client_princ_len;
441 unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
442#endif /* OPENSSL_NO_KRB5 */
443
444 int not_resumable;
445
446 /* The cert is the certificate used to establish this connection */
447 struct sess_cert_st /* SESS_CERT */ *sess_cert;
448
449 /* This is the cert for the other end.
450 * On clients, it will be the same as sess_cert->peer_key->x509
451 * (the latter is not enough as sess_cert is not retained
452 * in the external representation of sessions, see ssl_asn1.c). */
453 X509 *peer;
454 /* when app_verify_callback accepts a session where the peer's certificate
455 * is not ok, we must remember the error for session reuse: */
456 long verify_result; /* only for servers */
457
458 int references;
459 long timeout;
460 long time;
461
462 int compress_meth; /* Need to lookup the method */
463
464 SSL_CIPHER *cipher;
465 unsigned long cipher_id; /* when ASN.1 loaded, this
466 * needs to be used to load
467 * the 'cipher' structure */
468
469 STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
470
471 CRYPTO_EX_DATA ex_data; /* application specific data */
472
473 /* These are used to make removal of session-ids more
474 * efficient and to implement a maximum cache size. */
475 struct ssl_session_st *prev,*next;
476#ifndef OPENSSL_NO_TLSEXT
477 char *tlsext_hostname;
478 /* RFC4507 info */
479 unsigned char *tlsext_tick; /* Session ticket */
480 size_t tlsext_ticklen; /* Session ticket length */
481 long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
482#endif
483 } SSL_SESSION;
484
485
486#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
487#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
488#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
489#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
490#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
491#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
492#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
493#define SSL_OP_TLS_D5_BUG 0x00000100L
494#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
495
496/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
497 * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
498 * the workaround is not needed. Unfortunately some broken SSL/TLS
499 * implementations cannot handle it at all, which is why we include
500 * it in SSL_OP_ALL. */
501#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */
502
503/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
504 * This used to be 0x000FFFFFL before 0.9.7. */
505#define SSL_OP_ALL 0x00000FFFL
506
507/* DTLS options */
508#define SSL_OP_NO_QUERY_MTU 0x00001000L
509/* Turn on Cookie Exchange (on relevant for servers) */
510#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
511/* Don't use RFC4507 ticket extension */
512#define SSL_OP_NO_TICKET 0x00004000L
513
514/* As server, disallow session resumption on renegotiation */
515#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
516/* If set, always create a new key when using tmp_ecdh parameters */
517#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
518/* If set, always create a new key when using tmp_dh parameters */
519#define SSL_OP_SINGLE_DH_USE 0x00100000L
520/* Set to always use the tmp_rsa key when doing RSA operations,
521 * even when this violates protocol specs */
522#define SSL_OP_EPHEMERAL_RSA 0x00200000L
523/* Set on servers to choose the cipher according to the server's
524 * preferences */
525#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
526/* If set, a server will allow a client to issue a SSLv3.0 version number
527 * as latest version supported in the premaster secret, even when TLSv1.0
528 * (version 3.1) was announced in the client hello. Normally this is
529 * forbidden to prevent version rollback attacks. */
530#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L
531
532#define SSL_OP_NO_SSLv2 0x01000000L
533#define SSL_OP_NO_SSLv3 0x02000000L
534#define SSL_OP_NO_TLSv1 0x04000000L
535
536/* The next flag deliberately changes the ciphertest, this is a check
537 * for the PKCS#1 attack */
538#define SSL_OP_PKCS1_CHECK_1 0x08000000L
539#define SSL_OP_PKCS1_CHECK_2 0x10000000L
540#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
541#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
542
543
544/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
545 * when just a single record has been written): */
546#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L
547/* Make it possible to retry SSL_write() with changed buffer location
548 * (buffer contents must stay the same!); this is not the default to avoid
549 * the misconception that non-blocking SSL_write() behaves like
550 * non-blocking write(): */
551#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
552/* Never bother the application with retries if the transport
553 * is blocking: */
554#define SSL_MODE_AUTO_RETRY 0x00000004L
555/* Don't attempt to automatically build certificate chain */
556#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
557
558
559/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
560 * they cannot be used to clear bits. */
561
562#define SSL_CTX_set_options(ctx,op) \
563 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
564#define SSL_CTX_get_options(ctx) \
565 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
566#define SSL_set_options(ssl,op) \
567 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
568#define SSL_get_options(ssl) \
569 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
570
571#define SSL_CTX_set_mode(ctx,op) \
572 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
573#define SSL_CTX_get_mode(ctx) \
574 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
575#define SSL_set_mode(ssl,op) \
576 SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
577#define SSL_get_mode(ssl) \
578 SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
579#define SSL_set_mtu(ssl, mtu) \
580 SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
581
582
583void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
584void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
585#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
586#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
587
588
589
590#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
591#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */
592#else
593#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
594#endif
595
596#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
597
598/* This callback type is used inside SSL_CTX, SSL, and in the functions that set
599 * them. It is used to override the generation of SSL/TLS session IDs in a
600 * server. Return value should be zero on an error, non-zero to proceed. Also,
601 * callbacks should themselves check if the id they generate is unique otherwise
602 * the SSL handshake will fail with an error - callbacks can do this using the
603 * 'ssl' value they're passed by;
604 * SSL_has_matching_session_id(ssl, id, *id_len)
605 * The length value passed in is set at the maximum size the session ID can be.
606 * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
607 * can alter this length to be less if desired, but under SSLv2 session IDs are
608 * supposed to be fixed at 16 bytes so the id will be padded after the callback
609 * returns in this case. It is also an error for the callback to set the size to
610 * zero. */
611typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
612 unsigned int *id_len);
613
614typedef struct ssl_comp_st
615 {
616 int id;
617 const char *name;
618#ifndef OPENSSL_NO_COMP
619 COMP_METHOD *method;
620#else
621 char *method;
622#endif
623 } SSL_COMP;
624
625DECLARE_STACK_OF(SSL_COMP)
626
627struct ssl_ctx_st
628 {
629 SSL_METHOD *method;
630
631 STACK_OF(SSL_CIPHER) *cipher_list;
632 /* same as above but sorted for lookup */
633 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
634
635 struct x509_store_st /* X509_STORE */ *cert_store;
636 struct lhash_st /* LHASH */ *sessions; /* a set of SSL_SESSIONs */
637 /* Most session-ids that will be cached, default is
638 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
639 unsigned long session_cache_size;
640 struct ssl_session_st *session_cache_head;
641 struct ssl_session_st *session_cache_tail;
642
643 /* This can have one of 2 values, ored together,
644 * SSL_SESS_CACHE_CLIENT,
645 * SSL_SESS_CACHE_SERVER,
646 * Default is SSL_SESSION_CACHE_SERVER, which means only
647 * SSL_accept which cache SSL_SESSIONS. */
648 int session_cache_mode;
649
650 /* If timeout is not 0, it is the default timeout value set
651 * when SSL_new() is called. This has been put in to make
652 * life easier to set things up */
653 long session_timeout;
654
655 /* If this callback is not null, it will be called each
656 * time a session id is added to the cache. If this function
657 * returns 1, it means that the callback will do a
658 * SSL_SESSION_free() when it has finished using it. Otherwise,
659 * on 0, it means the callback has finished with it.
660 * If remove_session_cb is not null, it will be called when
661 * a session-id is removed from the cache. After the call,
662 * OpenSSL will SSL_SESSION_free() it. */
663 int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess);
664 void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
665 SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
666 unsigned char *data,int len,int *copy);
667
668 struct
669 {
670 int sess_connect; /* SSL new conn - started */
671 int sess_connect_renegotiate;/* SSL reneg - requested */
672 int sess_connect_good; /* SSL new conne/reneg - finished */
673 int sess_accept; /* SSL new accept - started */
674 int sess_accept_renegotiate;/* SSL reneg - requested */
675 int sess_accept_good; /* SSL accept/reneg - finished */
676 int sess_miss; /* session lookup misses */
677 int sess_timeout; /* reuse attempt on timeouted session */
678 int sess_cache_full; /* session removed due to full cache */
679 int sess_hit; /* session reuse actually done */
680 int sess_cb_hit; /* session-id that was not
681 * in the cache was
682 * passed back via the callback. This
683 * indicates that the application is
684 * supplying session-id's from other
685 * processes - spooky :-) */
686 } stats;
687
688 int references;
689
690 /* if defined, these override the X509_verify_cert() calls */
691 int (*app_verify_callback)(X509_STORE_CTX *, void *);
692 void *app_verify_arg;
693 /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored
694 * ('app_verify_callback' was called with just one argument) */
695
696 /* Default password callback. */
697 pem_password_cb *default_passwd_callback;
698
699 /* Default password callback user data. */
700 void *default_passwd_callback_userdata;
701
702 /* get client cert callback */
703 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
704
705 /* cookie generate callback */
706 int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
707 unsigned int *cookie_len);
708
709 /* verify cookie callback */
710 int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie,
711 unsigned int cookie_len);
712
713 CRYPTO_EX_DATA ex_data;
714
715 const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
716 const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
717 const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
718
719 STACK_OF(X509) *extra_certs;
720 STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
721
722
723 /* Default values used when no per-SSL value is defined follow */
724
725 void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */
726
727 /* what we put in client cert requests */
728 STACK_OF(X509_NAME) *client_CA;
729
730
731 /* Default values to use in SSL structures follow (these are copied by SSL_new) */
732
733 unsigned long options;
734 unsigned long mode;
735 long max_cert_list;
736
737 struct cert_st /* CERT */ *cert;
738 int read_ahead;
739
740 /* callback that allows applications to peek at protocol messages */
741 void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
742 void *msg_callback_arg;
743
744 int verify_mode;
745 unsigned int sid_ctx_length;
746 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
747 int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
748
749 /* Default generate session ID callback. */
750 GEN_SESSION_CB generate_session_id;
751
752 X509_VERIFY_PARAM *param;
753
754#if 0
755 int purpose; /* Purpose setting */
756 int trust; /* Trust setting */
757#endif
758
759 int quiet_shutdown;
760
761#ifndef OPENSSL_ENGINE
762 /* Engine to pass requests for client certs to
763 */
764 ENGINE *client_cert_engine;
765#endif
766
767#ifndef OPENSSL_NO_TLSEXT
768 /* TLS extensions servername callback */
769 int (*tlsext_servername_callback)(SSL*, int *, void *);
770 void *tlsext_servername_arg;
771 /* RFC 4507 session ticket keys */
772 unsigned char tlsext_tick_key_name[16];
773 unsigned char tlsext_tick_hmac_key[16];
774 unsigned char tlsext_tick_aes_key[16];
775 /* Callback to support customisation of ticket key setting */
776 int (*tlsext_ticket_key_cb)(SSL *ssl,
777 unsigned char *name, unsigned char *iv,
778 EVP_CIPHER_CTX *ectx,
779 HMAC_CTX *hctx, int enc);
780
781 /* certificate status request info */
782 /* Callback for status request */
783 int (*tlsext_status_cb)(SSL *ssl, void *arg);
784 void *tlsext_status_arg;
785#endif
786
787 };
788
789#define SSL_SESS_CACHE_OFF 0x0000
790#define SSL_SESS_CACHE_CLIENT 0x0001
791#define SSL_SESS_CACHE_SERVER 0x0002
792#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
793#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
794/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
795#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
796#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
797#define SSL_SESS_CACHE_NO_INTERNAL \
798 (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
799
800 struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
801#define SSL_CTX_sess_number(ctx) \
802 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
803#define SSL_CTX_sess_connect(ctx) \
804 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
805#define SSL_CTX_sess_connect_good(ctx) \
806 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
807#define SSL_CTX_sess_connect_renegotiate(ctx) \
808 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
809#define SSL_CTX_sess_accept(ctx) \
810 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
811#define SSL_CTX_sess_accept_renegotiate(ctx) \
812 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
813#define SSL_CTX_sess_accept_good(ctx) \
814 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
815#define SSL_CTX_sess_hits(ctx) \
816 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
817#define SSL_CTX_sess_cb_hits(ctx) \
818 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
819#define SSL_CTX_sess_misses(ctx) \
820 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
821#define SSL_CTX_sess_timeouts(ctx) \
822 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
823#define SSL_CTX_sess_cache_full(ctx) \
824 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
825
826void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess));
827int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess);
828void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess));
829void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
830void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,int len,int *copy));
831SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *Data, int len, int *copy);
832void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,int val));
833void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
834void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
835int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
836#ifndef OPENSSL_NO_ENGINE
837int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
838#endif
839void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
840void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
841
842#define SSL_NOTHING 1
843#define SSL_WRITING 2
844#define SSL_READING 3
845#define SSL_X509_LOOKUP 4
846
847/* These will only be used when doing non-blocking IO */
848#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
849#define SSL_want_read(s) (SSL_want(s) == SSL_READING)
850#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
851#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
852
853struct ssl_st
854 {
855 /* protocol version
856 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
857 */
858 int version;
859 int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
860
861 SSL_METHOD *method; /* SSLv3 */
862
863 /* There are 2 BIO's even though they are normally both the
864 * same. This is so data can be read and written to different
865 * handlers */
866
867#ifndef OPENSSL_NO_BIO
868 BIO *rbio; /* used by SSL_read */
869 BIO *wbio; /* used by SSL_write */
870 BIO *bbio; /* used during session-id reuse to concatenate
871 * messages */
872#else
873 char *rbio; /* used by SSL_read */
874 char *wbio; /* used by SSL_write */
875 char *bbio;
876#endif
877 /* This holds a variable that indicates what we were doing
878 * when a 0 or -1 is returned. This is needed for
879 * non-blocking IO so we know what request needs re-doing when
880 * in SSL_accept or SSL_connect */
881 int rwstate;
882
883 /* true when we are actually in SSL_accept() or SSL_connect() */
884 int in_handshake;
885 int (*handshake_func)(SSL *);
886
887 /* Imagine that here's a boolean member "init" that is
888 * switched as soon as SSL_set_{accept/connect}_state
889 * is called for the first time, so that "state" and
890 * "handshake_func" are properly initialized. But as
891 * handshake_func is == 0 until then, we use this
892 * test instead of an "init" member.
893 */
894
895 int server; /* are we the server side? - mostly used by SSL_clear*/
896
897 int new_session;/* 1 if we are to use a new session.
898 * 2 if we are a server and are inside a handshake
899 * (i.e. not just sending a HelloRequest)
900 * NB: For servers, the 'new' session may actually be a previously
901 * cached session or even the previous session unless
902 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
903 int quiet_shutdown;/* don't send shutdown packets */
904 int shutdown; /* we have shut things down, 0x01 sent, 0x02
905 * for received */
906 int state; /* where we are */
907 int rstate; /* where we are when reading */
908
909 BUF_MEM *init_buf; /* buffer used during init */
910 void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */
911 int init_num; /* amount read/written */
912 int init_off; /* amount read/written */
913
914 /* used internally to point at a raw packet */
915 unsigned char *packet;
916 unsigned int packet_length;
917
918 struct ssl2_state_st *s2; /* SSLv2 variables */
919 struct ssl3_state_st *s3; /* SSLv3 variables */
920 struct dtls1_state_st *d1; /* DTLSv1 variables */
921
922 int read_ahead; /* Read as many input bytes as possible
923 * (for non-blocking reads) */
924
925 /* callback that allows applications to peek at protocol messages */
926 void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
927 void *msg_callback_arg;
928
929 int hit; /* reusing a previous session */
930
931 X509_VERIFY_PARAM *param;
932
933#if 0
934 int purpose; /* Purpose setting */
935 int trust; /* Trust setting */
936#endif
937
938 /* crypto */
939 STACK_OF(SSL_CIPHER) *cipher_list;
940 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
941
942 /* These are the ones being used, the ones in SSL_SESSION are
943 * the ones to be 'copied' into these ones */
944
945 EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
946 const EVP_MD *read_hash; /* used for mac generation */
947#ifndef OPENSSL_NO_COMP
948 COMP_CTX *expand; /* uncompress */
949#else
950 char *expand;
951#endif
952
953 EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
954 const EVP_MD *write_hash; /* used for mac generation */
955#ifndef OPENSSL_NO_COMP
956 COMP_CTX *compress; /* compression */
957#else
958 char *compress;
959#endif
960
961 /* session info */
962
963 /* client cert? */
964 /* This is used to hold the server certificate used */
965 struct cert_st /* CERT */ *cert;
966
967 /* the session_id_context is used to ensure sessions are only reused
968 * in the appropriate context */
969 unsigned int sid_ctx_length;
970 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
971
972 /* This can also be in the session once a session is established */
973 SSL_SESSION *session;
974
975 /* Default generate session ID callback. */
976 GEN_SESSION_CB generate_session_id;
977
978 /* Used in SSL2 and SSL3 */
979 int verify_mode; /* 0 don't care about verify failure.
980 * 1 fail if verify fails */
981 int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
982
983 void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
984
985 int error; /* error bytes to be written */
986 int error_code; /* actual code */
987
988#ifndef OPENSSL_NO_KRB5
989 KSSL_CTX *kssl_ctx; /* Kerberos 5 context */
990#endif /* OPENSSL_NO_KRB5 */
991
992 SSL_CTX *ctx;
993 /* set this flag to 1 and a sleep(1) is put into all SSL_read()
994 * and SSL_write() calls, good for nbio debuging :-) */
995 int debug;
996
997 /* extra application data */
998 long verify_result;
999 CRYPTO_EX_DATA ex_data;
1000
1001 /* for server side, keep the list of CA_dn we can use */
1002 STACK_OF(X509_NAME) *client_CA;
1003
1004 int references;
1005 unsigned long options; /* protocol behaviour */
1006 unsigned long mode; /* API behaviour */
1007 long max_cert_list;
1008 int first_packet;
1009 int client_version; /* what was passed, used for
1010 * SSLv3/TLS rollback check */
1011#ifndef OPENSSL_NO_TLSEXT
1012 /* TLS extension debug callback */
1013 void (*tlsext_debug_cb)(SSL *s, int client_server, int type,
1014 unsigned char *data, int len,
1015 void *arg);
1016 void *tlsext_debug_arg;
1017 char *tlsext_hostname;
1018 int servername_done; /* no further mod of servername
1019 0 : call the servername extension callback.
1020 1 : prepare 2, allow last ack just after in server callback.
1021 2 : don't call servername callback, no ack in server hello
1022 */
1023 /* certificate status request info */
1024 /* Status type or -1 if no status type */
1025 int tlsext_status_type;
1026 /* Expect OCSP CertificateStatus message */
1027 int tlsext_status_expected;
1028 /* OCSP status request only */
1029 STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids;
1030 X509_EXTENSIONS *tlsext_ocsp_exts;
1031 /* OCSP response received or to be sent */
1032 unsigned char *tlsext_ocsp_resp;
1033 int tlsext_ocsp_resplen;
1034
1035 /* RFC4507 session ticket expected to be received or sent */
1036 int tlsext_ticket_expected;
1037 SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
1038#define session_ctx initial_ctx
1039#else
1040#define session_ctx ctx
1041#endif
1042 };
1043
1044#ifdef __cplusplus
1045}
1046#endif
1047
1048#include <openssl/ssl2.h>
1049#include <openssl/ssl3.h>
1050#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
1051#include <openssl/dtls1.h> /* Datagram TLS */
1052#include <openssl/ssl23.h>
1053
1054#ifdef __cplusplus
1055extern "C" {
1056#endif
1057
1058/* compatibility */
1059#define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg))
1060#define SSL_get_app_data(s) (SSL_get_ex_data(s,0))
1061#define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0,(char *)a))
1062#define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0))
1063#define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0))
1064#define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg))
1065
1066/* The following are the possible values for ssl->state are are
1067 * used to indicate where we are up to in the SSL connection establishment.
1068 * The macros that follow are about the only things you should need to use
1069 * and even then, only when using non-blocking IO.
1070 * It can also be useful to work out where you were when the connection
1071 * failed */
1072
1073#define SSL_ST_CONNECT 0x1000
1074#define SSL_ST_ACCEPT 0x2000
1075#define SSL_ST_MASK 0x0FFF
1076#define SSL_ST_INIT (SSL_ST_CONNECT|SSL_ST_ACCEPT)
1077#define SSL_ST_BEFORE 0x4000
1078#define SSL_ST_OK 0x03
1079#define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
1080
1081#define SSL_CB_LOOP 0x01
1082#define SSL_CB_EXIT 0x02
1083#define SSL_CB_READ 0x04
1084#define SSL_CB_WRITE 0x08
1085#define SSL_CB_ALERT 0x4000 /* used in callback */
1086#define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)
1087#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)
1088#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)
1089#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)
1090#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)
1091#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)
1092#define SSL_CB_HANDSHAKE_START 0x10
1093#define SSL_CB_HANDSHAKE_DONE 0x20
1094
1095/* Is the SSL_connection established? */
1096#define SSL_get_state(a) SSL_state(a)
1097#define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK)
1098#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT)
1099#define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE)
1100#define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT)
1101#define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT)
1102
1103/* The following 2 states are kept in ssl->rstate when reads fail,
1104 * you should not need these */
1105#define SSL_ST_READ_HEADER 0xF0
1106#define SSL_ST_READ_BODY 0xF1
1107#define SSL_ST_READ_DONE 0xF2
1108
1109/* Obtain latest Finished message
1110 * -- that we sent (SSL_get_finished)
1111 * -- that we expected from peer (SSL_get_peer_finished).
1112 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
1113size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
1114size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
1115
1116/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
1117 * are 'ored' with SSL_VERIFY_PEER if they are desired */
1118#define SSL_VERIFY_NONE 0x00
1119#define SSL_VERIFY_PEER 0x01
1120#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
1121#define SSL_VERIFY_CLIENT_ONCE 0x04
1122
1123#define OpenSSL_add_ssl_algorithms() SSL_library_init()
1124#define SSLeay_add_ssl_algorithms() SSL_library_init()
1125
1126/* this is for backward compatibility */
1127#if 0 /* NEW_SSLEAY */
1128#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
1129#define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n)
1130#define SSL_add_session(a,b) SSL_CTX_add_session((a),(b))
1131#define SSL_remove_session(a,b) SSL_CTX_remove_session((a),(b))
1132#define SSL_flush_sessions(a,b) SSL_CTX_flush_sessions((a),(b))
1133#endif
1134/* More backward compatibility */
1135#define SSL_get_cipher(s) \
1136 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1137#define SSL_get_cipher_bits(s,np) \
1138 SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
1139#define SSL_get_cipher_version(s) \
1140 SSL_CIPHER_get_version(SSL_get_current_cipher(s))
1141#define SSL_get_cipher_name(s) \
1142 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1143#define SSL_get_time(a) SSL_SESSION_get_time(a)
1144#define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b))
1145#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a)
1146#define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b))
1147
1148#if 1 /*SSLEAY_MACROS*/
1149#define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
1150#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
1151#define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( \
1152 (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x,cb,u)
1153#define PEM_read_bio_SSL_SESSION(bp,x,cb,u) PEM_ASN1_read_bio_of(SSL_SESSION,d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,x,cb,u)
1154#define PEM_write_SSL_SESSION(fp,x) \
1155 PEM_ASN1_write((int (*)())i2d_SSL_SESSION, \
1156 PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL,NULL)
1157#define PEM_write_bio_SSL_SESSION(bp,x) \
1158 PEM_ASN1_write_bio_of(SSL_SESSION,i2d_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,x,NULL,NULL,0,NULL,NULL)
1159#endif
1160
1161#define SSL_AD_REASON_OFFSET 1000
1162/* These alert types are for SSLv3 and TLSv1 */
1163#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
1164#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
1165#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC /* fatal */
1166#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED
1167#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW
1168#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
1169#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE/* fatal */
1170#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not for TLS */
1171#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
1172#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE
1173#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED
1174#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED
1175#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN
1176#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */
1177#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */
1178#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */
1179#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */
1180#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR
1181#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION/* fatal */
1182#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */
1183#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
1184#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
1185#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
1186#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
1187#define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION
1188#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
1189#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
1190#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
1191
1192#define SSL_ERROR_NONE 0
1193#define SSL_ERROR_SSL 1
1194#define SSL_ERROR_WANT_READ 2
1195#define SSL_ERROR_WANT_WRITE 3
1196#define SSL_ERROR_WANT_X509_LOOKUP 4
1197#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */
1198#define SSL_ERROR_ZERO_RETURN 6
1199#define SSL_ERROR_WANT_CONNECT 7
1200#define SSL_ERROR_WANT_ACCEPT 8
1201
1202#define SSL_CTRL_NEED_TMP_RSA 1
1203#define SSL_CTRL_SET_TMP_RSA 2
1204#define SSL_CTRL_SET_TMP_DH 3
1205#define SSL_CTRL_SET_TMP_ECDH 4
1206#define SSL_CTRL_SET_TMP_RSA_CB 5
1207#define SSL_CTRL_SET_TMP_DH_CB 6
1208#define SSL_CTRL_SET_TMP_ECDH_CB 7
1209
1210#define SSL_CTRL_GET_SESSION_REUSED 8
1211#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
1212#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10
1213#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
1214#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12
1215#define SSL_CTRL_GET_FLAGS 13
1216#define SSL_CTRL_EXTRA_CHAIN_CERT 14
1217
1218#define SSL_CTRL_SET_MSG_CALLBACK 15
1219#define SSL_CTRL_SET_MSG_CALLBACK_ARG 16
1220
1221/* only applies to datagram connections */
1222#define SSL_CTRL_SET_MTU 17
1223/* Stats */
1224#define SSL_CTRL_SESS_NUMBER 20
1225#define SSL_CTRL_SESS_CONNECT 21
1226#define SSL_CTRL_SESS_CONNECT_GOOD 22
1227#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
1228#define SSL_CTRL_SESS_ACCEPT 24
1229#define SSL_CTRL_SESS_ACCEPT_GOOD 25
1230#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
1231#define SSL_CTRL_SESS_HIT 27
1232#define SSL_CTRL_SESS_CB_HIT 28
1233#define SSL_CTRL_SESS_MISSES 29
1234#define SSL_CTRL_SESS_TIMEOUTS 30
1235#define SSL_CTRL_SESS_CACHE_FULL 31
1236#define SSL_CTRL_OPTIONS 32
1237#define SSL_CTRL_MODE 33
1238
1239#define SSL_CTRL_GET_READ_AHEAD 40
1240#define SSL_CTRL_SET_READ_AHEAD 41
1241#define SSL_CTRL_SET_SESS_CACHE_SIZE 42
1242#define SSL_CTRL_GET_SESS_CACHE_SIZE 43
1243#define SSL_CTRL_SET_SESS_CACHE_MODE 44
1244#define SSL_CTRL_GET_SESS_CACHE_MODE 45
1245
1246#define SSL_CTRL_GET_MAX_CERT_LIST 50
1247#define SSL_CTRL_SET_MAX_CERT_LIST 51
1248
1249/* see tls1.h for macros based on these */
1250#ifndef OPENSSL_NO_TLSEXT
1251#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
1252#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
1253#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
1254#define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56
1255#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57
1256#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58
1257#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59
1258
1259#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
1260#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
1261#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65
1262#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66
1263#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67
1264#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68
1265#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69
1266#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70
1267#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71
1268
1269#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72
1270#endif
1271
1272#define SSL_session_reused(ssl) \
1273 SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
1274#define SSL_num_renegotiations(ssl) \
1275 SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
1276#define SSL_clear_num_renegotiations(ssl) \
1277 SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
1278#define SSL_total_renegotiations(ssl) \
1279 SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
1280
1281#define SSL_CTX_need_tmp_RSA(ctx) \
1282 SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
1283#define SSL_CTX_set_tmp_rsa(ctx,rsa) \
1284 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
1285#define SSL_CTX_set_tmp_dh(ctx,dh) \
1286 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
1287#define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
1288 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
1289
1290#define SSL_need_tmp_RSA(ssl) \
1291 SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
1292#define SSL_set_tmp_rsa(ssl,rsa) \
1293 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
1294#define SSL_set_tmp_dh(ssl,dh) \
1295 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
1296#define SSL_set_tmp_ecdh(ssl,ecdh) \
1297 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
1298
1299#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
1300 SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
1301
1302#ifndef OPENSSL_NO_BIO
1303BIO_METHOD *BIO_f_ssl(void);
1304BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
1305BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
1306BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
1307int BIO_ssl_copy_session_id(BIO *to,BIO *from);
1308void BIO_ssl_shutdown(BIO *ssl_bio);
1309
1310#endif
1311
1312int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
1313SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
1314void SSL_CTX_free(SSL_CTX *);
1315long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
1316long SSL_CTX_get_timeout(const SSL_CTX *ctx);
1317X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
1318void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
1319int SSL_want(const SSL *s);
1320int SSL_clear(SSL *s);
1321
1322void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
1323
1324SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
1325int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
1326char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
1327const char * SSL_CIPHER_get_name(const SSL_CIPHER *c);
1328
1329int SSL_get_fd(const SSL *s);
1330int SSL_get_rfd(const SSL *s);
1331int SSL_get_wfd(const SSL *s);
1332const char * SSL_get_cipher_list(const SSL *s,int n);
1333char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
1334int SSL_get_read_ahead(const SSL * s);
1335int SSL_pending(const SSL *s);
1336#ifndef OPENSSL_NO_SOCK
1337int SSL_set_fd(SSL *s, int fd);
1338int SSL_set_rfd(SSL *s, int fd);
1339int SSL_set_wfd(SSL *s, int fd);
1340#endif
1341#ifndef OPENSSL_NO_BIO
1342void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
1343BIO * SSL_get_rbio(const SSL *s);
1344BIO * SSL_get_wbio(const SSL *s);
1345#endif
1346int SSL_set_cipher_list(SSL *s, const char *str);
1347void SSL_set_read_ahead(SSL *s, int yes);
1348int SSL_get_verify_mode(const SSL *s);
1349int SSL_get_verify_depth(const SSL *s);
1350int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
1351void SSL_set_verify(SSL *s, int mode,
1352 int (*callback)(int ok,X509_STORE_CTX *ctx));
1353void SSL_set_verify_depth(SSL *s, int depth);
1354#ifndef OPENSSL_NO_RSA
1355int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
1356#endif
1357int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
1358int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
1359int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len);
1360int SSL_use_certificate(SSL *ssl, X509 *x);
1361int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
1362
1363#ifndef OPENSSL_NO_STDIO
1364int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
1365int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
1366int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
1367int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1368int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1369int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
1370int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */
1371STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
1372int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1373 const char *file);
1374#ifndef OPENSSL_SYS_VMS
1375#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */
1376int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1377 const char *dir);
1378#endif
1379#endif
1380
1381#endif
1382
1383void SSL_load_error_strings(void );
1384const char *SSL_state_string(const SSL *s);
1385const char *SSL_rstate_string(const SSL *s);
1386const char *SSL_state_string_long(const SSL *s);
1387const char *SSL_rstate_string_long(const SSL *s);
1388long SSL_SESSION_get_time(const SSL_SESSION *s);
1389long SSL_SESSION_set_time(SSL_SESSION *s, long t);
1390long SSL_SESSION_get_timeout(const SSL_SESSION *s);
1391long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1392void SSL_copy_session_id(SSL *to,const SSL *from);
1393
1394SSL_SESSION *SSL_SESSION_new(void);
1395unsigned long SSL_SESSION_hash(const SSL_SESSION *a);
1396int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b);
1397const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len);
1398#ifndef OPENSSL_NO_FP_API
1399int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
1400#endif
1401#ifndef OPENSSL_NO_BIO
1402int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
1403#endif
1404void SSL_SESSION_free(SSL_SESSION *ses);
1405int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
1406int SSL_set_session(SSL *to, SSL_SESSION *session);
1407int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
1408int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
1409int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
1410int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
1411int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1412 unsigned int id_len);
1413SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char **pp,
1414 long length);
1415
1416#ifdef HEADER_X509_H
1417X509 * SSL_get_peer_certificate(const SSL *s);
1418#endif
1419
1420STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
1421
1422int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
1423int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
1424int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
1425void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
1426 int (*callback)(int, X509_STORE_CTX *));
1427void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
1428void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg);
1429#ifndef OPENSSL_NO_RSA
1430int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
1431#endif
1432int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
1433int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
1434int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
1435 const unsigned char *d, long len);
1436int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
1437int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
1438
1439void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
1440void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
1441
1442int SSL_CTX_check_private_key(const SSL_CTX *ctx);
1443int SSL_check_private_key(const SSL *ctx);
1444
1445int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
1446 unsigned int sid_ctx_len);
1447
1448SSL * SSL_new(SSL_CTX *ctx);
1449int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
1450 unsigned int sid_ctx_len);
1451
1452int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
1453int SSL_set_purpose(SSL *s, int purpose);
1454int SSL_CTX_set_trust(SSL_CTX *s, int trust);
1455int SSL_set_trust(SSL *s, int trust);
1456
1457void SSL_free(SSL *ssl);
1458int SSL_accept(SSL *ssl);
1459int SSL_connect(SSL *ssl);
1460int SSL_read(SSL *ssl,void *buf,int num);
1461int SSL_peek(SSL *ssl,void *buf,int num);
1462int SSL_write(SSL *ssl,const void *buf,int num);
1463long SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg);
1464long SSL_callback_ctrl(SSL *, int, void (*)(void));
1465long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
1466long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
1467
1468int SSL_get_error(const SSL *s,int ret_code);
1469const char *SSL_get_version(const SSL *s);
1470
1471/* This sets the 'default' SSL version that SSL_new() will create */
1472int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
1473
1474SSL_METHOD *SSLv2_method(void); /* SSLv2 */
1475SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
1476SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
1477
1478SSL_METHOD *SSLv3_method(void); /* SSLv3 */
1479SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
1480SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
1481
1482SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */
1483SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */
1484SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */
1485
1486SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
1487SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
1488SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
1489
1490SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
1491SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
1492SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
1493
1494STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
1495
1496int SSL_do_handshake(SSL *s);
1497int SSL_renegotiate(SSL *s);
1498int SSL_renegotiate_pending(SSL *s);
1499int SSL_shutdown(SSL *s);
1500
1501SSL_METHOD *SSL_get_ssl_method(SSL *s);
1502int SSL_set_ssl_method(SSL *s,SSL_METHOD *method);
1503const char *SSL_alert_type_string_long(int value);
1504const char *SSL_alert_type_string(int value);
1505const char *SSL_alert_desc_string_long(int value);
1506const char *SSL_alert_desc_string(int value);
1507
1508void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
1509void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
1510STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
1511STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
1512int SSL_add_client_CA(SSL *ssl,X509 *x);
1513int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
1514
1515void SSL_set_connect_state(SSL *s);
1516void SSL_set_accept_state(SSL *s);
1517
1518long SSL_get_default_timeout(const SSL *s);
1519
1520int SSL_library_init(void );
1521
1522char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
1523STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
1524
1525SSL *SSL_dup(SSL *ssl);
1526
1527X509 *SSL_get_certificate(const SSL *ssl);
1528/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
1529
1530void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
1531int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
1532void SSL_set_quiet_shutdown(SSL *ssl,int mode);
1533int SSL_get_quiet_shutdown(const SSL *ssl);
1534void SSL_set_shutdown(SSL *ssl,int mode);
1535int SSL_get_shutdown(const SSL *ssl);
1536int SSL_version(const SSL *ssl);
1537int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
1538int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
1539 const char *CApath);
1540#define SSL_get0_session SSL_get_session /* just peek at pointer */
1541SSL_SESSION *SSL_get_session(const SSL *ssl);
1542SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
1543SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
1544SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx);
1545void SSL_set_info_callback(SSL *ssl,
1546 void (*cb)(const SSL *ssl,int type,int val));
1547void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
1548int SSL_state(const SSL *ssl);
1549
1550void SSL_set_verify_result(SSL *ssl,long v);
1551long SSL_get_verify_result(const SSL *ssl);
1552
1553int SSL_set_ex_data(SSL *ssl,int idx,void *data);
1554void *SSL_get_ex_data(const SSL *ssl,int idx);
1555int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1556 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1557
1558int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
1559void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
1560int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1561 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1562
1563int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
1564void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
1565int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1566 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1567
1568int SSL_get_ex_data_X509_STORE_CTX_idx(void );
1569
1570#define SSL_CTX_sess_set_cache_size(ctx,t) \
1571 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
1572#define SSL_CTX_sess_get_cache_size(ctx) \
1573 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
1574#define SSL_CTX_set_session_cache_mode(ctx,m) \
1575 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
1576#define SSL_CTX_get_session_cache_mode(ctx) \
1577 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
1578
1579#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
1580#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
1581#define SSL_CTX_get_read_ahead(ctx) \
1582 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
1583#define SSL_CTX_set_read_ahead(ctx,m) \
1584 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
1585#define SSL_CTX_get_max_cert_list(ctx) \
1586 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1587#define SSL_CTX_set_max_cert_list(ctx,m) \
1588 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1589#define SSL_get_max_cert_list(ssl) \
1590 SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1591#define SSL_set_max_cert_list(ssl,m) \
1592 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1593
1594 /* NB: the keylength is only applicable when is_export is true */
1595#ifndef OPENSSL_NO_RSA
1596void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
1597 RSA *(*cb)(SSL *ssl,int is_export,
1598 int keylength));
1599
1600void SSL_set_tmp_rsa_callback(SSL *ssl,
1601 RSA *(*cb)(SSL *ssl,int is_export,
1602 int keylength));
1603#endif
1604#ifndef OPENSSL_NO_DH
1605void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
1606 DH *(*dh)(SSL *ssl,int is_export,
1607 int keylength));
1608void SSL_set_tmp_dh_callback(SSL *ssl,
1609 DH *(*dh)(SSL *ssl,int is_export,
1610 int keylength));
1611#endif
1612#ifndef OPENSSL_NO_ECDH
1613void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
1614 EC_KEY *(*ecdh)(SSL *ssl,int is_export,
1615 int keylength));
1616void SSL_set_tmp_ecdh_callback(SSL *ssl,
1617 EC_KEY *(*ecdh)(SSL *ssl,int is_export,
1618 int keylength));
1619#endif
1620
1621#ifndef OPENSSL_NO_COMP
1622const COMP_METHOD *SSL_get_current_compression(SSL *s);
1623const COMP_METHOD *SSL_get_current_expansion(SSL *s);
1624const char *SSL_COMP_get_name(const COMP_METHOD *comp);
1625STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
1626int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
1627#else
1628const void *SSL_get_current_compression(SSL *s);
1629const void *SSL_get_current_expansion(SSL *s);
1630const char *SSL_COMP_get_name(const void *comp);
1631void *SSL_COMP_get_compression_methods(void);
1632int SSL_COMP_add_compression_method(int id,void *cm);
1633#endif
1634
1635/* BEGIN ERROR CODES */
1636/* The following lines are auto generated by the script mkerr.pl. Any changes
1637 * made after this point may be overwritten when the script is next run.
1638 */
1639void ERR_load_SSL_strings(void);
1640
1641/* Error codes for the SSL functions. */
1642
1643/* Function codes. */
1644#define SSL_F_CLIENT_CERTIFICATE 100
1645#define SSL_F_CLIENT_FINISHED 167
1646#define SSL_F_CLIENT_HELLO 101
1647#define SSL_F_CLIENT_MASTER_KEY 102
1648#define SSL_F_D2I_SSL_SESSION 103
1649#define SSL_F_DO_DTLS1_WRITE 245
1650#define SSL_F_DO_SSL3_WRITE 104
1651#define SSL_F_DTLS1_ACCEPT 246
1652#define SSL_F_DTLS1_BUFFER_RECORD 247
1653#define SSL_F_DTLS1_CLIENT_HELLO 248
1654#define SSL_F_DTLS1_CONNECT 249
1655#define SSL_F_DTLS1_ENC 250
1656#define SSL_F_DTLS1_GET_HELLO_VERIFY 251
1657#define SSL_F_DTLS1_GET_MESSAGE 252
1658#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 253
1659#define SSL_F_DTLS1_GET_RECORD 254
1660#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
1661#define SSL_F_DTLS1_PREPROCESS_FRAGMENT 277
1662#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
1663#define SSL_F_DTLS1_PROCESS_RECORD 257
1664#define SSL_F_DTLS1_READ_BYTES 258
1665#define SSL_F_DTLS1_READ_FAILED 259
1666#define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 260
1667#define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 261
1668#define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 262
1669#define SSL_F_DTLS1_SEND_CLIENT_VERIFY 263
1670#define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST 264
1671#define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE 265
1672#define SSL_F_DTLS1_SEND_SERVER_HELLO 266
1673#define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE 267
1674#define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 268
1675#define SSL_F_GET_CLIENT_FINISHED 105
1676#define SSL_F_GET_CLIENT_HELLO 106
1677#define SSL_F_GET_CLIENT_MASTER_KEY 107
1678#define SSL_F_GET_SERVER_FINISHED 108
1679#define SSL_F_GET_SERVER_HELLO 109
1680#define SSL_F_GET_SERVER_VERIFY 110
1681#define SSL_F_I2D_SSL_SESSION 111
1682#define SSL_F_READ_N 112
1683#define SSL_F_REQUEST_CERTIFICATE 113
1684#define SSL_F_SERVER_FINISH 239
1685#define SSL_F_SERVER_HELLO 114
1686#define SSL_F_SERVER_VERIFY 240
1687#define SSL_F_SSL23_ACCEPT 115
1688#define SSL_F_SSL23_CLIENT_HELLO 116
1689#define SSL_F_SSL23_CONNECT 117
1690#define SSL_F_SSL23_GET_CLIENT_HELLO 118
1691#define SSL_F_SSL23_GET_SERVER_HELLO 119
1692#define SSL_F_SSL23_PEEK 237
1693#define SSL_F_SSL23_READ 120
1694#define SSL_F_SSL23_WRITE 121
1695#define SSL_F_SSL2_ACCEPT 122
1696#define SSL_F_SSL2_CONNECT 123
1697#define SSL_F_SSL2_ENC_INIT 124
1698#define SSL_F_SSL2_GENERATE_KEY_MATERIAL 241
1699#define SSL_F_SSL2_PEEK 234
1700#define SSL_F_SSL2_READ 125
1701#define SSL_F_SSL2_READ_INTERNAL 236
1702#define SSL_F_SSL2_SET_CERTIFICATE 126
1703#define SSL_F_SSL2_WRITE 127
1704#define SSL_F_SSL3_ACCEPT 128
1705#define SSL_F_SSL3_CALLBACK_CTRL 233
1706#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
1707#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
1708#define SSL_F_SSL3_CLIENT_HELLO 131
1709#define SSL_F_SSL3_CONNECT 132
1710#define SSL_F_SSL3_CTRL 213
1711#define SSL_F_SSL3_CTX_CTRL 133
1712#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 279
1713#define SSL_F_SSL3_ENC 134
1714#define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
1715#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
1716#define SSL_F_SSL3_GET_CERT_STATUS 288
1717#define SSL_F_SSL3_GET_CERT_VERIFY 136
1718#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
1719#define SSL_F_SSL3_GET_CLIENT_HELLO 138
1720#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139
1721#define SSL_F_SSL3_GET_FINISHED 140
1722#define SSL_F_SSL3_GET_KEY_EXCHANGE 141
1723#define SSL_F_SSL3_GET_MESSAGE 142
1724#define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283
1725#define SSL_F_SSL3_GET_RECORD 143
1726#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
1727#define SSL_F_SSL3_GET_SERVER_DONE 145
1728#define SSL_F_SSL3_GET_SERVER_HELLO 146
1729#define SSL_F_SSL3_NEW_SESSION_TICKET 284
1730#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
1731#define SSL_F_SSL3_PEEK 235
1732#define SSL_F_SSL3_READ_BYTES 148
1733#define SSL_F_SSL3_READ_N 149
1734#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
1735#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151
1736#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152
1737#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153
1738#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154
1739#define SSL_F_SSL3_SEND_SERVER_HELLO 242
1740#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155
1741#define SSL_F_SSL3_SETUP_BUFFERS 156
1742#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
1743#define SSL_F_SSL3_WRITE_BYTES 158
1744#define SSL_F_SSL3_WRITE_PENDING 159
1745#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 272
1746#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
1747#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
1748#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 273
1749#define SSL_F_SSL_BAD_METHOD 160
1750#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
1751#define SSL_F_SSL_CERT_DUP 221
1752#define SSL_F_SSL_CERT_INST 222
1753#define SSL_F_SSL_CERT_INSTANTIATE 214
1754#define SSL_F_SSL_CERT_NEW 162
1755#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
1756#define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT 274
1757#define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230
1758#define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
1759#define SSL_F_SSL_CLEAR 164
1760#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
1761#define SSL_F_SSL_CREATE_CIPHER_LIST 166
1762#define SSL_F_SSL_CTRL 232
1763#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
1764#define SSL_F_SSL_CTX_NEW 169
1765#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269
1766#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 278
1767#define SSL_F_SSL_CTX_SET_PURPOSE 226
1768#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219
1769#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
1770#define SSL_F_SSL_CTX_SET_TRUST 229
1771#define SSL_F_SSL_CTX_USE_CERTIFICATE 171
1772#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172
1773#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220
1774#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173
1775#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174
1776#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175
1777#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176
1778#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177
1779#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178
1780#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179
1781#define SSL_F_SSL_DO_HANDSHAKE 180
1782#define SSL_F_SSL_GET_NEW_SESSION 181
1783#define SSL_F_SSL_GET_PREV_SESSION 217
1784#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
1785#define SSL_F_SSL_GET_SIGN_PKEY 183
1786#define SSL_F_SSL_INIT_WBIO_BUFFER 184
1787#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
1788#define SSL_F_SSL_NEW 186
1789#define SSL_F_SSL_PEEK 270
1790#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 275
1791#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 276
1792#define SSL_F_SSL_READ 223
1793#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
1794#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
1795#define SSL_F_SSL_SESSION_NEW 189
1796#define SSL_F_SSL_SESSION_PRINT_FP 190
1797#define SSL_F_SSL_SESS_CERT_NEW 225
1798#define SSL_F_SSL_SET_CERT 191
1799#define SSL_F_SSL_SET_CIPHER_LIST 271
1800#define SSL_F_SSL_SET_FD 192
1801#define SSL_F_SSL_SET_PKEY 193
1802#define SSL_F_SSL_SET_PURPOSE 227
1803#define SSL_F_SSL_SET_RFD 194
1804#define SSL_F_SSL_SET_SESSION 195
1805#define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218
1806#define SSL_F_SSL_SET_TRUST 228
1807#define SSL_F_SSL_SET_WFD 196
1808#define SSL_F_SSL_SHUTDOWN 224
1809#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
1810#define SSL_F_SSL_UNDEFINED_FUNCTION 197
1811#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244
1812#define SSL_F_SSL_USE_CERTIFICATE 198
1813#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
1814#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
1815#define SSL_F_SSL_USE_PRIVATEKEY 201
1816#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202
1817#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203
1818#define SSL_F_SSL_USE_RSAPRIVATEKEY 204
1819#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205
1820#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206
1821#define SSL_F_SSL_VERIFY_CERT_CHAIN 207
1822#define SSL_F_SSL_WRITE 208
1823#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
1824#define SSL_F_TLS1_ENC 210
1825#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
1826#define SSL_F_WRITE_PENDING 212
1827
1828/* Reason codes. */
1829#define SSL_R_APP_DATA_IN_HANDSHAKE 100
1830#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
1831#define SSL_R_BAD_ALERT_RECORD 101
1832#define SSL_R_BAD_AUTHENTICATION_TYPE 102
1833#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
1834#define SSL_R_BAD_CHECKSUM 104
1835#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
1836#define SSL_R_BAD_DECOMPRESSION 107
1837#define SSL_R_BAD_DH_G_LENGTH 108
1838#define SSL_R_BAD_DH_PUB_KEY_LENGTH 109
1839#define SSL_R_BAD_DH_P_LENGTH 110
1840#define SSL_R_BAD_DIGEST_LENGTH 111
1841#define SSL_R_BAD_DSA_SIGNATURE 112
1842#define SSL_R_BAD_ECC_CERT 304
1843#define SSL_R_BAD_ECDSA_SIGNATURE 305
1844#define SSL_R_BAD_ECPOINT 306
1845#define SSL_R_BAD_HELLO_REQUEST 105
1846#define SSL_R_BAD_LENGTH 271
1847#define SSL_R_BAD_MAC_DECODE 113
1848#define SSL_R_BAD_MESSAGE_TYPE 114
1849#define SSL_R_BAD_PACKET_LENGTH 115
1850#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116
1851#define SSL_R_BAD_RESPONSE_ARGUMENT 117
1852#define SSL_R_BAD_RSA_DECRYPT 118
1853#define SSL_R_BAD_RSA_ENCRYPT 119
1854#define SSL_R_BAD_RSA_E_LENGTH 120
1855#define SSL_R_BAD_RSA_MODULUS_LENGTH 121
1856#define SSL_R_BAD_RSA_SIGNATURE 122
1857#define SSL_R_BAD_SIGNATURE 123
1858#define SSL_R_BAD_SSL_FILETYPE 124
1859#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
1860#define SSL_R_BAD_STATE 126
1861#define SSL_R_BAD_WRITE_RETRY 127
1862#define SSL_R_BIO_NOT_SET 128
1863#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
1864#define SSL_R_BN_LIB 130
1865#define SSL_R_CA_DN_LENGTH_MISMATCH 131
1866#define SSL_R_CA_DN_TOO_LONG 132
1867#define SSL_R_CCS_RECEIVED_EARLY 133
1868#define SSL_R_CERTIFICATE_VERIFY_FAILED 134
1869#define SSL_R_CERT_LENGTH_MISMATCH 135
1870#define SSL_R_CHALLENGE_IS_DIFFERENT 136
1871#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
1872#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
1873#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
1874#define SSL_R_CLIENTHELLO_TLSEXT 157
1875#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
1876#define SSL_R_COMPRESSION_FAILURE 141
1877#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307
1878#define SSL_R_COMPRESSION_LIBRARY_ERROR 142
1879#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143
1880#define SSL_R_CONNECTION_TYPE_NOT_SET 144
1881#define SSL_R_COOKIE_MISMATCH 308
1882#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145
1883#define SSL_R_DATA_LENGTH_TOO_LONG 146
1884#define SSL_R_DECRYPTION_FAILED 147
1885#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
1886#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
1887#define SSL_R_DIGEST_CHECK_FAILED 149
1888#define SSL_R_DUPLICATE_COMPRESSION_ID 309
1889#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310
1890#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
1891#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
1892#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
1893#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
1894#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
1895#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
1896#define SSL_R_HTTPS_PROXY_REQUEST 155
1897#define SSL_R_HTTP_REQUEST 156
1898#define SSL_R_ILLEGAL_PADDING 283
1899#define SSL_R_INVALID_CHALLENGE_LENGTH 158
1900#define SSL_R_INVALID_COMMAND 280
1901#define SSL_R_INVALID_PURPOSE 278
1902#define SSL_R_INVALID_STATUS_RESPONSE 316
1903#define SSL_R_INVALID_TICKET_KEYS_LENGTH 275
1904#define SSL_R_INVALID_TRUST 279
1905#define SSL_R_KEY_ARG_TOO_LONG 284
1906#define SSL_R_KRB5 285
1907#define SSL_R_KRB5_C_CC_PRINC 286
1908#define SSL_R_KRB5_C_GET_CRED 287
1909#define SSL_R_KRB5_C_INIT 288
1910#define SSL_R_KRB5_C_MK_REQ 289
1911#define SSL_R_KRB5_S_BAD_TICKET 290
1912#define SSL_R_KRB5_S_INIT 291
1913#define SSL_R_KRB5_S_RD_REQ 292
1914#define SSL_R_KRB5_S_TKT_EXPIRED 293
1915#define SSL_R_KRB5_S_TKT_NYV 294
1916#define SSL_R_KRB5_S_TKT_SKEW 295
1917#define SSL_R_LENGTH_MISMATCH 159
1918#define SSL_R_LENGTH_TOO_SHORT 160
1919#define SSL_R_LIBRARY_BUG 274
1920#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
1921#define SSL_R_MESSAGE_TOO_LONG 296
1922#define SSL_R_MISSING_DH_DSA_CERT 162
1923#define SSL_R_MISSING_DH_KEY 163
1924#define SSL_R_MISSING_DH_RSA_CERT 164
1925#define SSL_R_MISSING_DSA_SIGNING_CERT 165
1926#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
1927#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
1928#define SSL_R_MISSING_RSA_CERTIFICATE 168
1929#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
1930#define SSL_R_MISSING_RSA_SIGNING_CERT 170
1931#define SSL_R_MISSING_TMP_DH_KEY 171
1932#define SSL_R_MISSING_TMP_ECDH_KEY 311
1933#define SSL_R_MISSING_TMP_RSA_KEY 172
1934#define SSL_R_MISSING_TMP_RSA_PKEY 173
1935#define SSL_R_MISSING_VERIFY_MESSAGE 174
1936#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
1937#define SSL_R_NO_CERTIFICATES_RETURNED 176
1938#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
1939#define SSL_R_NO_CERTIFICATE_RETURNED 178
1940#define SSL_R_NO_CERTIFICATE_SET 179
1941#define SSL_R_NO_CERTIFICATE_SPECIFIED 180
1942#define SSL_R_NO_CIPHERS_AVAILABLE 181
1943#define SSL_R_NO_CIPHERS_PASSED 182
1944#define SSL_R_NO_CIPHERS_SPECIFIED 183
1945#define SSL_R_NO_CIPHER_LIST 184
1946#define SSL_R_NO_CIPHER_MATCH 185
1947#define SSL_R_NO_CLIENT_CERT_METHOD 317
1948#define SSL_R_NO_CLIENT_CERT_RECEIVED 186
1949#define SSL_R_NO_COMPRESSION_SPECIFIED 187
1950#define SSL_R_NO_METHOD_SPECIFIED 188
1951#define SSL_R_NO_PRIVATEKEY 189
1952#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
1953#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
1954#define SSL_R_NO_PUBLICKEY 192
1955#define SSL_R_NO_SHARED_CIPHER 193
1956#define SSL_R_NO_VERIFY_CALLBACK 194
1957#define SSL_R_NULL_SSL_CTX 195
1958#define SSL_R_NULL_SSL_METHOD_PASSED 196
1959#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
1960#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
1961#define SSL_R_PACKET_LENGTH_TOO_LONG 198
1962#define SSL_R_PARSE_TLSEXT 223
1963#define SSL_R_PATH_TOO_LONG 270
1964#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
1965#define SSL_R_PEER_ERROR 200
1966#define SSL_R_PEER_ERROR_CERTIFICATE 201
1967#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202
1968#define SSL_R_PEER_ERROR_NO_CIPHER 203
1969#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204
1970#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205
1971#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206
1972#define SSL_R_PROTOCOL_IS_SHUTDOWN 207
1973#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208
1974#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209
1975#define SSL_R_PUBLIC_KEY_NOT_RSA 210
1976#define SSL_R_READ_BIO_NOT_SET 211
1977#define SSL_R_READ_TIMEOUT_EXPIRED 312
1978#define SSL_R_READ_WRONG_PACKET_TYPE 212
1979#define SSL_R_RECORD_LENGTH_MISMATCH 213
1980#define SSL_R_RECORD_TOO_LARGE 214
1981#define SSL_R_RECORD_TOO_SMALL 298
1982#define SSL_R_REQUIRED_CIPHER_MISSING 215
1983#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
1984#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
1985#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
1986#define SSL_R_SERVERHELLO_TLSEXT 224
1987#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
1988#define SSL_R_SHORT_READ 219
1989#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
1990#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
1991#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299
1992#define SSL_R_SSL3_EXT_INVALID_SERVERNAME 225
1993#define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 226
1994#define SSL_R_SSL3_SESSION_ID_TOO_LONG 300
1995#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
1996#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
1997#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
1998#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
1999#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044
2000#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046
2001#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030
2002#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
2003#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
2004#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
2005#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
2006#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
2007#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
2008#define SSL_R_SSL_HANDSHAKE_FAILURE 229
2009#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
2010#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301
2011#define SSL_R_SSL_SESSION_ID_CONFLICT 302
2012#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
2013#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303
2014#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231
2015#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
2016#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
2017#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
2018#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
2019#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
2020#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
2021#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
2022#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
2023#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
2024#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
2025#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
2026#define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
2027#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
2028#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 227
2029#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
2030#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
2031#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
2032#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
2033#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313
2034#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237
2035#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
2036#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 314
2037#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
2038#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240
2039#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241
2040#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
2041#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
2042#define SSL_R_UNEXPECTED_MESSAGE 244
2043#define SSL_R_UNEXPECTED_RECORD 245
2044#define SSL_R_UNINITIALIZED 276
2045#define SSL_R_UNKNOWN_ALERT_TYPE 246
2046#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
2047#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
2048#define SSL_R_UNKNOWN_CIPHER_TYPE 249
2049#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
2050#define SSL_R_UNKNOWN_PKEY_TYPE 251
2051#define SSL_R_UNKNOWN_PROTOCOL 252
2052#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
2053#define SSL_R_UNKNOWN_SSL_VERSION 254
2054#define SSL_R_UNKNOWN_STATE 255
2055#define SSL_R_UNSUPPORTED_CIPHER 256
2056#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
2057#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315
2058#define SSL_R_UNSUPPORTED_PROTOCOL 258
2059#define SSL_R_UNSUPPORTED_SSL_VERSION 259
2060#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
2061#define SSL_R_WRITE_BIO_NOT_SET 260
2062#define SSL_R_WRONG_CIPHER_RETURNED 261
2063#define SSL_R_WRONG_MESSAGE_TYPE 262
2064#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
2065#define SSL_R_WRONG_SIGNATURE_LENGTH 264
2066#define SSL_R_WRONG_SIGNATURE_SIZE 265
2067#define SSL_R_WRONG_SSL_VERSION 266
2068#define SSL_R_WRONG_VERSION_NUMBER 267
2069#define SSL_R_X509_LIB 268
2070#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
2071
2072#ifdef __cplusplus
2073}
2074#endif
2075#endif
diff --git a/src/lib/libssl/ssl2.h b/src/lib/libssl/ssl2.h
deleted file mode 100644
index 99a52ea0dd..0000000000
--- a/src/lib/libssl/ssl2.h
+++ /dev/null
@@ -1,268 +0,0 @@
1/* ssl/ssl2.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL2_H
60#define HEADER_SSL2_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/* Protocol Version Codes */
67#define SSL2_VERSION 0x0002
68#define SSL2_VERSION_MAJOR 0x00
69#define SSL2_VERSION_MINOR 0x02
70/* #define SSL2_CLIENT_VERSION 0x0002 */
71/* #define SSL2_SERVER_VERSION 0x0002 */
72
73/* Protocol Message Codes */
74#define SSL2_MT_ERROR 0
75#define SSL2_MT_CLIENT_HELLO 1
76#define SSL2_MT_CLIENT_MASTER_KEY 2
77#define SSL2_MT_CLIENT_FINISHED 3
78#define SSL2_MT_SERVER_HELLO 4
79#define SSL2_MT_SERVER_VERIFY 5
80#define SSL2_MT_SERVER_FINISHED 6
81#define SSL2_MT_REQUEST_CERTIFICATE 7
82#define SSL2_MT_CLIENT_CERTIFICATE 8
83
84/* Error Message Codes */
85#define SSL2_PE_UNDEFINED_ERROR 0x0000
86#define SSL2_PE_NO_CIPHER 0x0001
87#define SSL2_PE_NO_CERTIFICATE 0x0002
88#define SSL2_PE_BAD_CERTIFICATE 0x0004
89#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
90
91/* Cipher Kind Values */
92#define SSL2_CK_NULL_WITH_MD5 0x02000000 /* v3 */
93#define SSL2_CK_RC4_128_WITH_MD5 0x02010080
94#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5 0x02020080
95#define SSL2_CK_RC2_128_CBC_WITH_MD5 0x02030080
96#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x02040080
97#define SSL2_CK_IDEA_128_CBC_WITH_MD5 0x02050080
98#define SSL2_CK_DES_64_CBC_WITH_MD5 0x02060040
99#define SSL2_CK_DES_64_CBC_WITH_SHA 0x02060140 /* v3 */
100#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 0x020700c0
101#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA 0x020701c0 /* v3 */
102#define SSL2_CK_RC4_64_WITH_MD5 0x02080080 /* MS hack */
103
104#define SSL2_CK_DES_64_CFB64_WITH_MD5_1 0x02ff0800 /* SSLeay */
105#define SSL2_CK_NULL 0x02ff0810 /* SSLeay */
106
107#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1 "DES-CFB-M1"
108#define SSL2_TXT_NULL_WITH_MD5 "NULL-MD5"
109#define SSL2_TXT_RC4_128_WITH_MD5 "RC4-MD5"
110#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 "EXP-RC4-MD5"
111#define SSL2_TXT_RC2_128_CBC_WITH_MD5 "RC2-CBC-MD5"
112#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 "EXP-RC2-CBC-MD5"
113#define SSL2_TXT_IDEA_128_CBC_WITH_MD5 "IDEA-CBC-MD5"
114#define SSL2_TXT_DES_64_CBC_WITH_MD5 "DES-CBC-MD5"
115#define SSL2_TXT_DES_64_CBC_WITH_SHA "DES-CBC-SHA"
116#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 "DES-CBC3-MD5"
117#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA "DES-CBC3-SHA"
118#define SSL2_TXT_RC4_64_WITH_MD5 "RC4-64-MD5"
119
120#define SSL2_TXT_NULL "NULL"
121
122/* Flags for the SSL_CIPHER.algorithm2 field */
123#define SSL2_CF_5_BYTE_ENC 0x01
124#define SSL2_CF_8_BYTE_ENC 0x02
125
126/* Certificate Type Codes */
127#define SSL2_CT_X509_CERTIFICATE 0x01
128
129/* Authentication Type Code */
130#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION 0x01
131
132#define SSL2_MAX_SSL_SESSION_ID_LENGTH 32
133
134/* Upper/Lower Bounds */
135#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256
136#ifdef OPENSSL_SYS_MPE
137#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u
138#else
139#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */
140#endif
141#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */
142
143#define SSL2_CHALLENGE_LENGTH 16
144/*#define SSL2_CHALLENGE_LENGTH 32 */
145#define SSL2_MIN_CHALLENGE_LENGTH 16
146#define SSL2_MAX_CHALLENGE_LENGTH 32
147#define SSL2_CONNECTION_ID_LENGTH 16
148#define SSL2_MAX_CONNECTION_ID_LENGTH 16
149#define SSL2_SSL_SESSION_ID_LENGTH 16
150#define SSL2_MAX_CERT_CHALLENGE_LENGTH 32
151#define SSL2_MIN_CERT_CHALLENGE_LENGTH 16
152#define SSL2_MAX_KEY_MATERIAL_LENGTH 24
153
154#ifndef HEADER_SSL_LOCL_H
155#define CERT char
156#endif
157
158typedef struct ssl2_state_st
159 {
160 int three_byte_header;
161 int clear_text; /* clear text */
162 int escape; /* not used in SSLv2 */
163 int ssl2_rollback; /* used if SSLv23 rolled back to SSLv2 */
164
165 /* non-blocking io info, used to make sure the same
166 * args were passwd */
167 unsigned int wnum; /* number of bytes sent so far */
168 int wpend_tot;
169 const unsigned char *wpend_buf;
170
171 int wpend_off; /* offset to data to write */
172 int wpend_len; /* number of bytes passwd to write */
173 int wpend_ret; /* number of bytes to return to caller */
174
175 /* buffer raw data */
176 int rbuf_left;
177 int rbuf_offs;
178 unsigned char *rbuf;
179 unsigned char *wbuf;
180
181 unsigned char *write_ptr;/* used to point to the start due to
182 * 2/3 byte header. */
183
184 unsigned int padding;
185 unsigned int rlength; /* passed to ssl2_enc */
186 int ract_data_length; /* Set when things are encrypted. */
187 unsigned int wlength; /* passed to ssl2_enc */
188 int wact_data_length; /* Set when things are decrypted. */
189 unsigned char *ract_data;
190 unsigned char *wact_data;
191 unsigned char *mac_data;
192
193 unsigned char *read_key;
194 unsigned char *write_key;
195
196 /* Stuff specifically to do with this SSL session */
197 unsigned int challenge_length;
198 unsigned char challenge[SSL2_MAX_CHALLENGE_LENGTH];
199 unsigned int conn_id_length;
200 unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
201 unsigned int key_material_length;
202 unsigned char key_material[SSL2_MAX_KEY_MATERIAL_LENGTH*2];
203
204 unsigned long read_sequence;
205 unsigned long write_sequence;
206
207 struct {
208 unsigned int conn_id_length;
209 unsigned int cert_type;
210 unsigned int cert_length;
211 unsigned int csl;
212 unsigned int clear;
213 unsigned int enc;
214 unsigned char ccl[SSL2_MAX_CERT_CHALLENGE_LENGTH];
215 unsigned int cipher_spec_length;
216 unsigned int session_id_length;
217 unsigned int clen;
218 unsigned int rlen;
219 } tmp;
220 } SSL2_STATE;
221
222/* SSLv2 */
223/* client */
224#define SSL2_ST_SEND_CLIENT_HELLO_A (0x10|SSL_ST_CONNECT)
225#define SSL2_ST_SEND_CLIENT_HELLO_B (0x11|SSL_ST_CONNECT)
226#define SSL2_ST_GET_SERVER_HELLO_A (0x20|SSL_ST_CONNECT)
227#define SSL2_ST_GET_SERVER_HELLO_B (0x21|SSL_ST_CONNECT)
228#define SSL2_ST_SEND_CLIENT_MASTER_KEY_A (0x30|SSL_ST_CONNECT)
229#define SSL2_ST_SEND_CLIENT_MASTER_KEY_B (0x31|SSL_ST_CONNECT)
230#define SSL2_ST_SEND_CLIENT_FINISHED_A (0x40|SSL_ST_CONNECT)
231#define SSL2_ST_SEND_CLIENT_FINISHED_B (0x41|SSL_ST_CONNECT)
232#define SSL2_ST_SEND_CLIENT_CERTIFICATE_A (0x50|SSL_ST_CONNECT)
233#define SSL2_ST_SEND_CLIENT_CERTIFICATE_B (0x51|SSL_ST_CONNECT)
234#define SSL2_ST_SEND_CLIENT_CERTIFICATE_C (0x52|SSL_ST_CONNECT)
235#define SSL2_ST_SEND_CLIENT_CERTIFICATE_D (0x53|SSL_ST_CONNECT)
236#define SSL2_ST_GET_SERVER_VERIFY_A (0x60|SSL_ST_CONNECT)
237#define SSL2_ST_GET_SERVER_VERIFY_B (0x61|SSL_ST_CONNECT)
238#define SSL2_ST_GET_SERVER_FINISHED_A (0x70|SSL_ST_CONNECT)
239#define SSL2_ST_GET_SERVER_FINISHED_B (0x71|SSL_ST_CONNECT)
240#define SSL2_ST_CLIENT_START_ENCRYPTION (0x80|SSL_ST_CONNECT)
241#define SSL2_ST_X509_GET_CLIENT_CERTIFICATE (0x90|SSL_ST_CONNECT)
242/* server */
243#define SSL2_ST_GET_CLIENT_HELLO_A (0x10|SSL_ST_ACCEPT)
244#define SSL2_ST_GET_CLIENT_HELLO_B (0x11|SSL_ST_ACCEPT)
245#define SSL2_ST_GET_CLIENT_HELLO_C (0x12|SSL_ST_ACCEPT)
246#define SSL2_ST_SEND_SERVER_HELLO_A (0x20|SSL_ST_ACCEPT)
247#define SSL2_ST_SEND_SERVER_HELLO_B (0x21|SSL_ST_ACCEPT)
248#define SSL2_ST_GET_CLIENT_MASTER_KEY_A (0x30|SSL_ST_ACCEPT)
249#define SSL2_ST_GET_CLIENT_MASTER_KEY_B (0x31|SSL_ST_ACCEPT)
250#define SSL2_ST_SEND_SERVER_VERIFY_A (0x40|SSL_ST_ACCEPT)
251#define SSL2_ST_SEND_SERVER_VERIFY_B (0x41|SSL_ST_ACCEPT)
252#define SSL2_ST_SEND_SERVER_VERIFY_C (0x42|SSL_ST_ACCEPT)
253#define SSL2_ST_GET_CLIENT_FINISHED_A (0x50|SSL_ST_ACCEPT)
254#define SSL2_ST_GET_CLIENT_FINISHED_B (0x51|SSL_ST_ACCEPT)
255#define SSL2_ST_SEND_SERVER_FINISHED_A (0x60|SSL_ST_ACCEPT)
256#define SSL2_ST_SEND_SERVER_FINISHED_B (0x61|SSL_ST_ACCEPT)
257#define SSL2_ST_SEND_REQUEST_CERTIFICATE_A (0x70|SSL_ST_ACCEPT)
258#define SSL2_ST_SEND_REQUEST_CERTIFICATE_B (0x71|SSL_ST_ACCEPT)
259#define SSL2_ST_SEND_REQUEST_CERTIFICATE_C (0x72|SSL_ST_ACCEPT)
260#define SSL2_ST_SEND_REQUEST_CERTIFICATE_D (0x73|SSL_ST_ACCEPT)
261#define SSL2_ST_SERVER_START_ENCRYPTION (0x80|SSL_ST_ACCEPT)
262#define SSL2_ST_X509_GET_SERVER_CERTIFICATE (0x90|SSL_ST_ACCEPT)
263
264#ifdef __cplusplus
265}
266#endif
267#endif
268
diff --git a/src/lib/libssl/ssl23.h b/src/lib/libssl/ssl23.h
deleted file mode 100644
index d3228983c7..0000000000
--- a/src/lib/libssl/ssl23.h
+++ /dev/null
@@ -1,83 +0,0 @@
1/* ssl/ssl23.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL23_H
60#define HEADER_SSL23_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/*client */
67/* write to server */
68#define SSL23_ST_CW_CLNT_HELLO_A (0x210|SSL_ST_CONNECT)
69#define SSL23_ST_CW_CLNT_HELLO_B (0x211|SSL_ST_CONNECT)
70/* read from server */
71#define SSL23_ST_CR_SRVR_HELLO_A (0x220|SSL_ST_CONNECT)
72#define SSL23_ST_CR_SRVR_HELLO_B (0x221|SSL_ST_CONNECT)
73
74/* server */
75/* read from client */
76#define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
77#define SSL23_ST_SR_CLNT_HELLO_B (0x211|SSL_ST_ACCEPT)
78
79#ifdef __cplusplus
80}
81#endif
82#endif
83
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
deleted file mode 100644
index a1a19cbfcb..0000000000
--- a/src/lib/libssl/ssl3.h
+++ /dev/null
@@ -1,566 +0,0 @@
1/* ssl/ssl3.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#ifndef HEADER_SSL3_H
118#define HEADER_SSL3_H
119
120#ifndef OPENSSL_NO_COMP
121#include <openssl/comp.h>
122#endif
123#include <openssl/buffer.h>
124#include <openssl/evp.h>
125#include <openssl/ssl.h>
126#include <openssl/pq_compat.h>
127
128#ifdef __cplusplus
129extern "C" {
130#endif
131
132#define SSL3_CK_RSA_NULL_MD5 0x03000001
133#define SSL3_CK_RSA_NULL_SHA 0x03000002
134#define SSL3_CK_RSA_RC4_40_MD5 0x03000003
135#define SSL3_CK_RSA_RC4_128_MD5 0x03000004
136#define SSL3_CK_RSA_RC4_128_SHA 0x03000005
137#define SSL3_CK_RSA_RC2_40_MD5 0x03000006
138#define SSL3_CK_RSA_IDEA_128_SHA 0x03000007
139#define SSL3_CK_RSA_DES_40_CBC_SHA 0x03000008
140#define SSL3_CK_RSA_DES_64_CBC_SHA 0x03000009
141#define SSL3_CK_RSA_DES_192_CBC3_SHA 0x0300000A
142
143#define SSL3_CK_DH_DSS_DES_40_CBC_SHA 0x0300000B
144#define SSL3_CK_DH_DSS_DES_64_CBC_SHA 0x0300000C
145#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA 0x0300000D
146#define SSL3_CK_DH_RSA_DES_40_CBC_SHA 0x0300000E
147#define SSL3_CK_DH_RSA_DES_64_CBC_SHA 0x0300000F
148#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA 0x03000010
149
150#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA 0x03000011
151#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA 0x03000012
152#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA 0x03000013
153#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA 0x03000014
154#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA 0x03000015
155#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA 0x03000016
156
157#define SSL3_CK_ADH_RC4_40_MD5 0x03000017
158#define SSL3_CK_ADH_RC4_128_MD5 0x03000018
159#define SSL3_CK_ADH_DES_40_CBC_SHA 0x03000019
160#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A
161#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B
162
163#define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C
164#define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
165#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
166 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
167 of the ietf-tls list */
168#define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
169#endif
170
171/* VRS Additional Kerberos5 entries
172 */
173#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0300001E
174#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0300001F
175#define SSL3_CK_KRB5_RC4_128_SHA 0x03000020
176#define SSL3_CK_KRB5_IDEA_128_CBC_SHA 0x03000021
177#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000022
178#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000023
179#define SSL3_CK_KRB5_RC4_128_MD5 0x03000024
180#define SSL3_CK_KRB5_IDEA_128_CBC_MD5 0x03000025
181
182#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000026
183#define SSL3_CK_KRB5_RC2_40_CBC_SHA 0x03000027
184#define SSL3_CK_KRB5_RC4_40_SHA 0x03000028
185#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000029
186#define SSL3_CK_KRB5_RC2_40_CBC_MD5 0x0300002A
187#define SSL3_CK_KRB5_RC4_40_MD5 0x0300002B
188
189#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
190#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
191#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5"
192#define SSL3_TXT_RSA_RC4_128_MD5 "RC4-MD5"
193#define SSL3_TXT_RSA_RC4_128_SHA "RC4-SHA"
194#define SSL3_TXT_RSA_RC2_40_MD5 "EXP-RC2-CBC-MD5"
195#define SSL3_TXT_RSA_IDEA_128_SHA "IDEA-CBC-SHA"
196#define SSL3_TXT_RSA_DES_40_CBC_SHA "EXP-DES-CBC-SHA"
197#define SSL3_TXT_RSA_DES_64_CBC_SHA "DES-CBC-SHA"
198#define SSL3_TXT_RSA_DES_192_CBC3_SHA "DES-CBC3-SHA"
199
200#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA "EXP-DH-DSS-DES-CBC-SHA"
201#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA "DH-DSS-DES-CBC-SHA"
202#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA "DH-DSS-DES-CBC3-SHA"
203#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA "EXP-DH-RSA-DES-CBC-SHA"
204#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA "DH-RSA-DES-CBC-SHA"
205#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA "DH-RSA-DES-CBC3-SHA"
206
207#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA "EXP-EDH-DSS-DES-CBC-SHA"
208#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA "EDH-DSS-DES-CBC-SHA"
209#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA "EDH-DSS-DES-CBC3-SHA"
210#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA "EXP-EDH-RSA-DES-CBC-SHA"
211#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA "EDH-RSA-DES-CBC-SHA"
212#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA "EDH-RSA-DES-CBC3-SHA"
213
214#define SSL3_TXT_ADH_RC4_40_MD5 "EXP-ADH-RC4-MD5"
215#define SSL3_TXT_ADH_RC4_128_MD5 "ADH-RC4-MD5"
216#define SSL3_TXT_ADH_DES_40_CBC_SHA "EXP-ADH-DES-CBC-SHA"
217#define SSL3_TXT_ADH_DES_64_CBC_SHA "ADH-DES-CBC-SHA"
218#define SSL3_TXT_ADH_DES_192_CBC_SHA "ADH-DES-CBC3-SHA"
219
220#define SSL3_TXT_FZA_DMS_NULL_SHA "FZA-NULL-SHA"
221#define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA"
222#define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA"
223
224#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
225#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
226#define SSL3_TXT_KRB5_RC4_128_SHA "KRB5-RC4-SHA"
227#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA "KRB5-IDEA-CBC-SHA"
228#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5"
229#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5"
230#define SSL3_TXT_KRB5_RC4_128_MD5 "KRB5-RC4-MD5"
231#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5 "KRB5-IDEA-CBC-MD5"
232
233#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA"
234#define SSL3_TXT_KRB5_RC2_40_CBC_SHA "EXP-KRB5-RC2-CBC-SHA"
235#define SSL3_TXT_KRB5_RC4_40_SHA "EXP-KRB5-RC4-SHA"
236#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5"
237#define SSL3_TXT_KRB5_RC2_40_CBC_MD5 "EXP-KRB5-RC2-CBC-MD5"
238#define SSL3_TXT_KRB5_RC4_40_MD5 "EXP-KRB5-RC4-MD5"
239
240#define SSL3_SSL_SESSION_ID_LENGTH 32
241#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32
242
243#define SSL3_MASTER_SECRET_SIZE 48
244#define SSL3_RANDOM_SIZE 32
245#define SSL3_SESSION_ID_SIZE 32
246#define SSL3_RT_HEADER_LENGTH 5
247
248/* Due to MS stuffing up, this can change.... */
249#if defined(OPENSSL_SYS_WIN16) || \
250 (defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32))
251#define SSL3_RT_MAX_EXTRA (14000)
252#else
253#define SSL3_RT_MAX_EXTRA (16384)
254#endif
255
256#define SSL3_RT_MAX_PLAIN_LENGTH 16384
257#ifdef OPENSSL_NO_COMP
258#define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH
259#else
260#define SSL3_RT_MAX_COMPRESSED_LENGTH (1024+SSL3_RT_MAX_PLAIN_LENGTH)
261#endif
262#define SSL3_RT_MAX_ENCRYPTED_LENGTH (1024+SSL3_RT_MAX_COMPRESSED_LENGTH)
263#define SSL3_RT_MAX_PACKET_SIZE (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
264#define SSL3_RT_MAX_DATA_SIZE (1024*1024)
265
266#define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
267#define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
268
269#define SSL3_VERSION 0x0300
270#define SSL3_VERSION_MAJOR 0x03
271#define SSL3_VERSION_MINOR 0x00
272
273#define SSL3_RT_CHANGE_CIPHER_SPEC 20
274#define SSL3_RT_ALERT 21
275#define SSL3_RT_HANDSHAKE 22
276#define SSL3_RT_APPLICATION_DATA 23
277
278#define SSL3_AL_WARNING 1
279#define SSL3_AL_FATAL 2
280
281#define SSL3_AD_CLOSE_NOTIFY 0
282#define SSL3_AD_UNEXPECTED_MESSAGE 10 /* fatal */
283#define SSL3_AD_BAD_RECORD_MAC 20 /* fatal */
284#define SSL3_AD_DECOMPRESSION_FAILURE 30 /* fatal */
285#define SSL3_AD_HANDSHAKE_FAILURE 40 /* fatal */
286#define SSL3_AD_NO_CERTIFICATE 41
287#define SSL3_AD_BAD_CERTIFICATE 42
288#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
289#define SSL3_AD_CERTIFICATE_REVOKED 44
290#define SSL3_AD_CERTIFICATE_EXPIRED 45
291#define SSL3_AD_CERTIFICATE_UNKNOWN 46
292#define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */
293
294typedef struct ssl3_record_st
295 {
296/*r */ int type; /* type of record */
297/*rw*/ unsigned int length; /* How many bytes available */
298/*r */ unsigned int off; /* read/write offset into 'buf' */
299/*rw*/ unsigned char *data; /* pointer to the record data */
300/*rw*/ unsigned char *input; /* where the decode bytes are */
301/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
302/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
303/*r */ PQ_64BIT seq_num; /* sequence number, needed by DTLS1 */
304 } SSL3_RECORD;
305
306typedef struct ssl3_buffer_st
307 {
308 unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
309 * see ssl3_setup_buffers() */
310 size_t len; /* buffer size */
311 int offset; /* where to 'copy from' */
312 int left; /* how many bytes left */
313 } SSL3_BUFFER;
314
315#define SSL3_CT_RSA_SIGN 1
316#define SSL3_CT_DSS_SIGN 2
317#define SSL3_CT_RSA_FIXED_DH 3
318#define SSL3_CT_DSS_FIXED_DH 4
319#define SSL3_CT_RSA_EPHEMERAL_DH 5
320#define SSL3_CT_DSS_EPHEMERAL_DH 6
321#define SSL3_CT_FORTEZZA_DMS 20
322/* SSL3_CT_NUMBER is used to size arrays and it must be large
323 * enough to contain all of the cert types defined either for
324 * SSLv3 and TLSv1.
325 */
326#define SSL3_CT_NUMBER 7
327
328
329#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
330#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
331#define SSL3_FLAGS_POP_BUFFER 0x0004
332#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
333#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
334
335typedef struct ssl3_state_st
336 {
337 long flags;
338 int delay_buf_pop_ret;
339
340 unsigned char read_sequence[8];
341 unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
342 unsigned char write_sequence[8];
343 unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
344
345 unsigned char server_random[SSL3_RANDOM_SIZE];
346 unsigned char client_random[SSL3_RANDOM_SIZE];
347
348 /* flags for countermeasure against known-IV weakness */
349 int need_empty_fragments;
350 int empty_fragment_done;
351
352 SSL3_BUFFER rbuf; /* read IO goes into here */
353 SSL3_BUFFER wbuf; /* write IO goes into here */
354
355 SSL3_RECORD rrec; /* each decoded record goes in here */
356 SSL3_RECORD wrec; /* goes out from here */
357
358 /* storage for Alert/Handshake protocol data received but not
359 * yet processed by ssl3_read_bytes: */
360 unsigned char alert_fragment[2];
361 unsigned int alert_fragment_len;
362 unsigned char handshake_fragment[4];
363 unsigned int handshake_fragment_len;
364
365 /* partial write - check the numbers match */
366 unsigned int wnum; /* number of bytes sent so far */
367 int wpend_tot; /* number bytes written */
368 int wpend_type;
369 int wpend_ret; /* number of bytes submitted */
370 const unsigned char *wpend_buf;
371
372 /* used during startup, digest all incoming/outgoing packets */
373 EVP_MD_CTX finish_dgst1;
374 EVP_MD_CTX finish_dgst2;
375
376 /* this is set whenerver we see a change_cipher_spec message
377 * come in when we are not looking for one */
378 int change_cipher_spec;
379
380 int warn_alert;
381 int fatal_alert;
382 /* we allow one fatal and one warning alert to be outstanding,
383 * send close alert via the warning alert */
384 int alert_dispatch;
385 unsigned char send_alert[2];
386
387 /* This flag is set when we should renegotiate ASAP, basically when
388 * there is no more data in the read or write buffers */
389 int renegotiate;
390 int total_renegotiations;
391 int num_renegotiations;
392
393 int in_read_app_data;
394
395 struct {
396 /* actually only needs to be 16+20 */
397 unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
398
399 /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
400 unsigned char finish_md[EVP_MAX_MD_SIZE*2];
401 int finish_md_len;
402 unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
403 int peer_finish_md_len;
404
405 unsigned long message_size;
406 int message_type;
407
408 /* used to hold the new cipher we are going to use */
409 SSL_CIPHER *new_cipher;
410#ifndef OPENSSL_NO_DH
411 DH *dh;
412#endif
413
414#ifndef OPENSSL_NO_ECDH
415 EC_KEY *ecdh; /* holds short lived ECDH key */
416#endif
417
418 /* used when SSL_ST_FLUSH_DATA is entered */
419 int next_state;
420
421 int reuse_message;
422
423 /* used for certificate requests */
424 int cert_req;
425 int ctype_num;
426 char ctype[SSL3_CT_NUMBER];
427 STACK_OF(X509_NAME) *ca_names;
428
429 int use_rsa_tmp;
430
431 int key_block_length;
432 unsigned char *key_block;
433
434 const EVP_CIPHER *new_sym_enc;
435 const EVP_MD *new_hash;
436#ifndef OPENSSL_NO_COMP
437 const SSL_COMP *new_compression;
438#else
439 char *new_compression;
440#endif
441 int cert_request;
442 } tmp;
443
444 } SSL3_STATE;
445
446
447/* SSLv3 */
448/*client */
449/* extra state */
450#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT)
451/* write to server */
452#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT)
453#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT)
454/* read from server */
455#define SSL3_ST_CR_SRVR_HELLO_A (0x120|SSL_ST_CONNECT)
456#define SSL3_ST_CR_SRVR_HELLO_B (0x121|SSL_ST_CONNECT)
457#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A (0x126|SSL_ST_CONNECT)
458#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B (0x127|SSL_ST_CONNECT)
459#define SSL3_ST_CR_CERT_A (0x130|SSL_ST_CONNECT)
460#define SSL3_ST_CR_CERT_B (0x131|SSL_ST_CONNECT)
461#define SSL3_ST_CR_KEY_EXCH_A (0x140|SSL_ST_CONNECT)
462#define SSL3_ST_CR_KEY_EXCH_B (0x141|SSL_ST_CONNECT)
463#define SSL3_ST_CR_CERT_REQ_A (0x150|SSL_ST_CONNECT)
464#define SSL3_ST_CR_CERT_REQ_B (0x151|SSL_ST_CONNECT)
465#define SSL3_ST_CR_SRVR_DONE_A (0x160|SSL_ST_CONNECT)
466#define SSL3_ST_CR_SRVR_DONE_B (0x161|SSL_ST_CONNECT)
467/* write to server */
468#define SSL3_ST_CW_CERT_A (0x170|SSL_ST_CONNECT)
469#define SSL3_ST_CW_CERT_B (0x171|SSL_ST_CONNECT)
470#define SSL3_ST_CW_CERT_C (0x172|SSL_ST_CONNECT)
471#define SSL3_ST_CW_CERT_D (0x173|SSL_ST_CONNECT)
472#define SSL3_ST_CW_KEY_EXCH_A (0x180|SSL_ST_CONNECT)
473#define SSL3_ST_CW_KEY_EXCH_B (0x181|SSL_ST_CONNECT)
474#define SSL3_ST_CW_CERT_VRFY_A (0x190|SSL_ST_CONNECT)
475#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
476#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
477#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
478#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
479#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
480/* read from server */
481#define SSL3_ST_CR_CHANGE_A (0x1C0|SSL_ST_CONNECT)
482#define SSL3_ST_CR_CHANGE_B (0x1C1|SSL_ST_CONNECT)
483#define SSL3_ST_CR_FINISHED_A (0x1D0|SSL_ST_CONNECT)
484#define SSL3_ST_CR_FINISHED_B (0x1D1|SSL_ST_CONNECT)
485#define SSL3_ST_CR_SESSION_TICKET_A (0x1E0|SSL_ST_CONNECT)
486#define SSL3_ST_CR_SESSION_TICKET_B (0x1E1|SSL_ST_CONNECT)
487#define SSL3_ST_CR_CERT_STATUS_A (0x1F0|SSL_ST_CONNECT)
488#define SSL3_ST_CR_CERT_STATUS_B (0x1F1|SSL_ST_CONNECT)
489
490/* server */
491/* extra state */
492#define SSL3_ST_SW_FLUSH (0x100|SSL_ST_ACCEPT)
493/* read from client */
494/* Do not change the number values, they do matter */
495#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
496#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
497#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
498/* write to client */
499#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
500#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
501#define SSL3_ST_SW_HELLO_REQ_A (0x120|SSL_ST_ACCEPT)
502#define SSL3_ST_SW_HELLO_REQ_B (0x121|SSL_ST_ACCEPT)
503#define SSL3_ST_SW_HELLO_REQ_C (0x122|SSL_ST_ACCEPT)
504#define SSL3_ST_SW_SRVR_HELLO_A (0x130|SSL_ST_ACCEPT)
505#define SSL3_ST_SW_SRVR_HELLO_B (0x131|SSL_ST_ACCEPT)
506#define SSL3_ST_SW_CERT_A (0x140|SSL_ST_ACCEPT)
507#define SSL3_ST_SW_CERT_B (0x141|SSL_ST_ACCEPT)
508#define SSL3_ST_SW_KEY_EXCH_A (0x150|SSL_ST_ACCEPT)
509#define SSL3_ST_SW_KEY_EXCH_B (0x151|SSL_ST_ACCEPT)
510#define SSL3_ST_SW_CERT_REQ_A (0x160|SSL_ST_ACCEPT)
511#define SSL3_ST_SW_CERT_REQ_B (0x161|SSL_ST_ACCEPT)
512#define SSL3_ST_SW_SRVR_DONE_A (0x170|SSL_ST_ACCEPT)
513#define SSL3_ST_SW_SRVR_DONE_B (0x171|SSL_ST_ACCEPT)
514/* read from client */
515#define SSL3_ST_SR_CERT_A (0x180|SSL_ST_ACCEPT)
516#define SSL3_ST_SR_CERT_B (0x181|SSL_ST_ACCEPT)
517#define SSL3_ST_SR_KEY_EXCH_A (0x190|SSL_ST_ACCEPT)
518#define SSL3_ST_SR_KEY_EXCH_B (0x191|SSL_ST_ACCEPT)
519#define SSL3_ST_SR_CERT_VRFY_A (0x1A0|SSL_ST_ACCEPT)
520#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
521#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
522#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
523#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
524#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
525/* write to client */
526#define SSL3_ST_SW_CHANGE_A (0x1D0|SSL_ST_ACCEPT)
527#define SSL3_ST_SW_CHANGE_B (0x1D1|SSL_ST_ACCEPT)
528#define SSL3_ST_SW_FINISHED_A (0x1E0|SSL_ST_ACCEPT)
529#define SSL3_ST_SW_FINISHED_B (0x1E1|SSL_ST_ACCEPT)
530#define SSL3_ST_SW_SESSION_TICKET_A (0x1F0|SSL_ST_ACCEPT)
531#define SSL3_ST_SW_SESSION_TICKET_B (0x1F1|SSL_ST_ACCEPT)
532#define SSL3_ST_SW_CERT_STATUS_A (0x200|SSL_ST_ACCEPT)
533#define SSL3_ST_SW_CERT_STATUS_B (0x201|SSL_ST_ACCEPT)
534
535#define SSL3_MT_HELLO_REQUEST 0
536#define SSL3_MT_CLIENT_HELLO 1
537#define SSL3_MT_SERVER_HELLO 2
538#define SSL3_MT_NEWSESSION_TICKET 4
539#define SSL3_MT_CERTIFICATE 11
540#define SSL3_MT_SERVER_KEY_EXCHANGE 12
541#define SSL3_MT_CERTIFICATE_REQUEST 13
542#define SSL3_MT_SERVER_DONE 14
543#define SSL3_MT_CERTIFICATE_VERIFY 15
544#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
545#define SSL3_MT_FINISHED 20
546#define SSL3_MT_CERTIFICATE_STATUS 22
547#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
548
549
550#define SSL3_MT_CCS 1
551
552/* These are used when changing over to a new cipher */
553#define SSL3_CC_READ 0x01
554#define SSL3_CC_WRITE 0x02
555#define SSL3_CC_CLIENT 0x10
556#define SSL3_CC_SERVER 0x20
557#define SSL3_CHANGE_CIPHER_CLIENT_WRITE (SSL3_CC_CLIENT|SSL3_CC_WRITE)
558#define SSL3_CHANGE_CIPHER_SERVER_READ (SSL3_CC_SERVER|SSL3_CC_READ)
559#define SSL3_CHANGE_CIPHER_CLIENT_READ (SSL3_CC_CLIENT|SSL3_CC_READ)
560#define SSL3_CHANGE_CIPHER_SERVER_WRITE (SSL3_CC_SERVER|SSL3_CC_WRITE)
561
562#ifdef __cplusplus
563}
564#endif
565#endif
566
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
deleted file mode 100644
index 4717c0e6e1..0000000000
--- a/src/lib/libssl/ssl_algs.c
+++ /dev/null
@@ -1,132 +0,0 @@
1/* ssl/ssl_algs.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/objects.h>
61#include <openssl/lhash.h>
62#include "ssl_locl.h"
63
64int SSL_library_init(void)
65 {
66
67#ifndef OPENSSL_NO_DES
68 EVP_add_cipher(EVP_des_cbc());
69 EVP_add_cipher(EVP_des_ede3_cbc());
70#endif
71#ifndef OPENSSL_NO_IDEA
72 EVP_add_cipher(EVP_idea_cbc());
73#endif
74#ifndef OPENSSL_NO_RC4
75 EVP_add_cipher(EVP_rc4());
76#endif
77#ifndef OPENSSL_NO_RC2
78 EVP_add_cipher(EVP_rc2_cbc());
79#endif
80#ifndef OPENSSL_NO_AES
81 EVP_add_cipher(EVP_aes_128_cbc());
82 EVP_add_cipher(EVP_aes_192_cbc());
83 EVP_add_cipher(EVP_aes_256_cbc());
84#endif
85
86#ifndef OPENSSL_NO_CAMELLIA
87 EVP_add_cipher(EVP_camellia_128_cbc());
88 EVP_add_cipher(EVP_camellia_256_cbc());
89#endif
90
91#ifndef OPENSSL_NO_SEED
92 EVP_add_cipher(EVP_seed_cbc());
93#endif
94
95#ifndef OPENSSL_NO_MD2
96 EVP_add_digest(EVP_md2());
97#endif
98#ifndef OPENSSL_NO_MD5
99 EVP_add_digest(EVP_md5());
100 EVP_add_digest_alias(SN_md5,"ssl2-md5");
101 EVP_add_digest_alias(SN_md5,"ssl3-md5");
102#endif
103#ifndef OPENSSL_NO_SHA
104 EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
105 EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
106 EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
107#endif
108#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
109 EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
110 EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
111 EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
112 EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
113#endif
114#ifndef OPENSSL_NO_ECDSA
115 EVP_add_digest(EVP_ecdsa());
116#endif
117 /* If you want support for phased out ciphers, add the following */
118#if 0
119 EVP_add_digest(EVP_sha());
120 EVP_add_digest(EVP_dss());
121#endif
122#ifndef OPENSSL_NO_COMP
123 /* This will initialise the built-in compression algorithms.
124 The value returned is a STACK_OF(SSL_COMP), but that can
125 be discarded safely */
126 (void)SSL_COMP_get_compression_methods();
127#endif
128 /* initialize cipher/digest methods table */
129 ssl_load_ciphers();
130 return(1);
131 }
132
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
deleted file mode 100644
index 0f9a3489dd..0000000000
--- a/src/lib/libssl/ssl_asn1.c
+++ /dev/null
@@ -1,500 +0,0 @@
1/* ssl/ssl_asn1.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include "ssl_locl.h"
62#include <openssl/asn1_mac.h>
63#include <openssl/objects.h>
64#include <openssl/x509.h>
65
66typedef struct ssl_session_asn1_st
67 {
68 ASN1_INTEGER version;
69 ASN1_INTEGER ssl_version;
70 ASN1_OCTET_STRING cipher;
71 ASN1_OCTET_STRING master_key;
72 ASN1_OCTET_STRING session_id;
73 ASN1_OCTET_STRING session_id_context;
74 ASN1_OCTET_STRING key_arg;
75#ifndef OPENSSL_NO_KRB5
76 ASN1_OCTET_STRING krb5_princ;
77#endif /* OPENSSL_NO_KRB5 */
78 ASN1_INTEGER time;
79 ASN1_INTEGER timeout;
80 ASN1_INTEGER verify_result;
81#ifndef OPENSSL_NO_TLSEXT
82 ASN1_OCTET_STRING tlsext_hostname;
83 ASN1_INTEGER tlsext_tick_lifetime;
84 ASN1_OCTET_STRING tlsext_tick;
85#endif /* OPENSSL_NO_TLSEXT */
86 } SSL_SESSION_ASN1;
87
88int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
89 {
90#define LSIZE2 (sizeof(long)*2)
91 int v1=0,v2=0,v3=0,v4=0,v5=0;
92 unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
93 unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
94#ifndef OPENSSL_NO_TLSEXT
95 int v6=0,v9=0,v10=0;
96 unsigned char ibuf6[LSIZE2];
97#endif
98 long l;
99 SSL_SESSION_ASN1 a;
100 M_ASN1_I2D_vars(in);
101
102 if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0)))
103 return(0);
104
105 /* Note that I cheat in the following 2 assignments. I know
106 * that if the ASN1_INTEGER passed to ASN1_INTEGER_set
107 * is > sizeof(long)+1, the buffer will not be re-OPENSSL_malloc()ed.
108 * This is a bit evil but makes things simple, no dynamic allocation
109 * to clean up :-) */
110 a.version.length=LSIZE2;
111 a.version.type=V_ASN1_INTEGER;
112 a.version.data=ibuf1;
113 ASN1_INTEGER_set(&(a.version),SSL_SESSION_ASN1_VERSION);
114
115 a.ssl_version.length=LSIZE2;
116 a.ssl_version.type=V_ASN1_INTEGER;
117 a.ssl_version.data=ibuf2;
118 ASN1_INTEGER_set(&(a.ssl_version),in->ssl_version);
119
120 a.cipher.type=V_ASN1_OCTET_STRING;
121 a.cipher.data=buf;
122
123 if (in->cipher == NULL)
124 l=in->cipher_id;
125 else
126 l=in->cipher->id;
127 if (in->ssl_version == SSL2_VERSION)
128 {
129 a.cipher.length=3;
130 buf[0]=((unsigned char)(l>>16L))&0xff;
131 buf[1]=((unsigned char)(l>> 8L))&0xff;
132 buf[2]=((unsigned char)(l ))&0xff;
133 }
134 else
135 {
136 a.cipher.length=2;
137 buf[0]=((unsigned char)(l>>8L))&0xff;
138 buf[1]=((unsigned char)(l ))&0xff;
139 }
140
141 a.master_key.length=in->master_key_length;
142 a.master_key.type=V_ASN1_OCTET_STRING;
143 a.master_key.data=in->master_key;
144
145 a.session_id.length=in->session_id_length;
146 a.session_id.type=V_ASN1_OCTET_STRING;
147 a.session_id.data=in->session_id;
148
149 a.session_id_context.length=in->sid_ctx_length;
150 a.session_id_context.type=V_ASN1_OCTET_STRING;
151 a.session_id_context.data=in->sid_ctx;
152
153 a.key_arg.length=in->key_arg_length;
154 a.key_arg.type=V_ASN1_OCTET_STRING;
155 a.key_arg.data=in->key_arg;
156
157#ifndef OPENSSL_NO_KRB5
158 if (in->krb5_client_princ_len)
159 {
160 a.krb5_princ.length=in->krb5_client_princ_len;
161 a.krb5_princ.type=V_ASN1_OCTET_STRING;
162 a.krb5_princ.data=in->krb5_client_princ;
163 }
164#endif /* OPENSSL_NO_KRB5 */
165
166 if (in->time != 0L)
167 {
168 a.time.length=LSIZE2;
169 a.time.type=V_ASN1_INTEGER;
170 a.time.data=ibuf3;
171 ASN1_INTEGER_set(&(a.time),in->time);
172 }
173
174 if (in->timeout != 0L)
175 {
176 a.timeout.length=LSIZE2;
177 a.timeout.type=V_ASN1_INTEGER;
178 a.timeout.data=ibuf4;
179 ASN1_INTEGER_set(&(a.timeout),in->timeout);
180 }
181
182 if (in->verify_result != X509_V_OK)
183 {
184 a.verify_result.length=LSIZE2;
185 a.verify_result.type=V_ASN1_INTEGER;
186 a.verify_result.data=ibuf5;
187 ASN1_INTEGER_set(&a.verify_result,in->verify_result);
188 }
189
190#ifndef OPENSSL_NO_TLSEXT
191 if (in->tlsext_hostname)
192 {
193 a.tlsext_hostname.length=strlen(in->tlsext_hostname);
194 a.tlsext_hostname.type=V_ASN1_OCTET_STRING;
195 a.tlsext_hostname.data=(unsigned char *)in->tlsext_hostname;
196 }
197 if (in->tlsext_tick)
198 {
199 a.tlsext_tick.length= in->tlsext_ticklen;
200 a.tlsext_tick.type=V_ASN1_OCTET_STRING;
201 a.tlsext_tick.data=(unsigned char *)in->tlsext_tick;
202 /* If we have a ticket set session ID to empty because
203 * it will be bogus. If liftime hint is -1 treat as a special
204 * case because the session is being used as a container
205 */
206 if (in->tlsext_ticklen && (in->tlsext_tick_lifetime_hint != -1))
207 a.session_id.length=0;
208 }
209 if (in->tlsext_tick_lifetime_hint > 0)
210 {
211 a.tlsext_tick_lifetime.length=LSIZE2;
212 a.tlsext_tick_lifetime.type=V_ASN1_INTEGER;
213 a.tlsext_tick_lifetime.data=ibuf6;
214 ASN1_INTEGER_set(&a.tlsext_tick_lifetime,in->tlsext_tick_lifetime_hint);
215 }
216#endif /* OPENSSL_NO_TLSEXT */
217 M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
218 M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
219 M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING);
220 M_ASN1_I2D_len(&(a.session_id), i2d_ASN1_OCTET_STRING);
221 M_ASN1_I2D_len(&(a.master_key), i2d_ASN1_OCTET_STRING);
222#ifndef OPENSSL_NO_KRB5
223 if (in->krb5_client_princ_len)
224 M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
225#endif /* OPENSSL_NO_KRB5 */
226 if (in->key_arg_length > 0)
227 M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING);
228 if (in->time != 0L)
229 M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
230 if (in->timeout != 0L)
231 M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
232 if (in->peer != NULL)
233 M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
234 M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
235 if (in->verify_result != X509_V_OK)
236 M_ASN1_I2D_len_EXP_opt(&(a.verify_result),i2d_ASN1_INTEGER,5,v5);
237
238#ifndef OPENSSL_NO_TLSEXT
239 if (in->tlsext_tick_lifetime_hint > 0)
240 M_ASN1_I2D_len_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
241 if (in->tlsext_tick)
242 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
243 if (in->tlsext_hostname)
244 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
245#endif /* OPENSSL_NO_TLSEXT */
246 M_ASN1_I2D_seq_total();
247
248 M_ASN1_I2D_put(&(a.version), i2d_ASN1_INTEGER);
249 M_ASN1_I2D_put(&(a.ssl_version), i2d_ASN1_INTEGER);
250 M_ASN1_I2D_put(&(a.cipher), i2d_ASN1_OCTET_STRING);
251 M_ASN1_I2D_put(&(a.session_id), i2d_ASN1_OCTET_STRING);
252 M_ASN1_I2D_put(&(a.master_key), i2d_ASN1_OCTET_STRING);
253#ifndef OPENSSL_NO_KRB5
254 if (in->krb5_client_princ_len)
255 M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
256#endif /* OPENSSL_NO_KRB5 */
257 if (in->key_arg_length > 0)
258 M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0);
259 if (in->time != 0L)
260 M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
261 if (in->timeout != 0L)
262 M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
263 if (in->peer != NULL)
264 M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
265 M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
266 v4);
267 if (in->verify_result != X509_V_OK)
268 M_ASN1_I2D_put_EXP_opt(&a.verify_result,i2d_ASN1_INTEGER,5,v5);
269#ifndef OPENSSL_NO_TLSEXT
270 if (in->tlsext_hostname)
271 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
272 if (in->tlsext_tick_lifetime_hint > 0)
273 M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
274 if (in->tlsext_tick)
275 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
276#endif /* OPENSSL_NO_TLSEXT */
277 M_ASN1_I2D_finish();
278 }
279
280SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
281 long length)
282 {
283 int version,ssl_version=0,i;
284 long id;
285 ASN1_INTEGER ai,*aip;
286 ASN1_OCTET_STRING os,*osp;
287 M_ASN1_D2I_vars(a,SSL_SESSION *,SSL_SESSION_new);
288
289 aip= &ai;
290 osp= &os;
291
292 M_ASN1_D2I_Init();
293 M_ASN1_D2I_start_sequence();
294
295 ai.data=NULL; ai.length=0;
296 M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
297 version=(int)ASN1_INTEGER_get(aip);
298 if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
299
300 /* we don't care about the version right now :-) */
301 M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
302 ssl_version=(int)ASN1_INTEGER_get(aip);
303 ret->ssl_version=ssl_version;
304 if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
305
306 os.data=NULL; os.length=0;
307 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
308 if (ssl_version == SSL2_VERSION)
309 {
310 if (os.length != 3)
311 {
312 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
313 goto err;
314 }
315 id=0x02000000L|
316 ((unsigned long)os.data[0]<<16L)|
317 ((unsigned long)os.data[1]<< 8L)|
318 (unsigned long)os.data[2];
319 }
320 else if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
321 {
322 if (os.length != 2)
323 {
324 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
325 goto err;
326 }
327 id=0x03000000L|
328 ((unsigned long)os.data[0]<<8L)|
329 (unsigned long)os.data[1];
330 }
331 else
332 {
333 SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNKNOWN_SSL_VERSION);
334 return(NULL);
335 }
336
337 ret->cipher=NULL;
338 ret->cipher_id=id;
339
340 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
341 if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
342 i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
343 else /* if (ssl_version>>8 == SSL2_VERSION_MAJOR) */
344 i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
345
346 if (os.length > i)
347 os.length = i;
348 if (os.length > (int)sizeof(ret->session_id)) /* can't happen */
349 os.length = sizeof(ret->session_id);
350
351 ret->session_id_length=os.length;
352 OPENSSL_assert(os.length <= (int)sizeof(ret->session_id));
353 memcpy(ret->session_id,os.data,os.length);
354
355 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
356 if (os.length > SSL_MAX_MASTER_KEY_LENGTH)
357 ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
358 else
359 ret->master_key_length=os.length;
360 memcpy(ret->master_key,os.data,ret->master_key_length);
361
362 os.length=0;
363
364#ifndef OPENSSL_NO_KRB5
365 os.length=0;
366 M_ASN1_D2I_get_opt(osp,d2i_ASN1_OCTET_STRING,V_ASN1_OCTET_STRING);
367 if (os.data)
368 {
369 if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH)
370 ret->krb5_client_princ_len=0;
371 else
372 ret->krb5_client_princ_len=os.length;
373 memcpy(ret->krb5_client_princ,os.data,ret->krb5_client_princ_len);
374 OPENSSL_free(os.data);
375 os.data = NULL;
376 os.length = 0;
377 }
378 else
379 ret->krb5_client_princ_len=0;
380#endif /* OPENSSL_NO_KRB5 */
381
382 M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING);
383 if (os.length > SSL_MAX_KEY_ARG_LENGTH)
384 ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH;
385 else
386 ret->key_arg_length=os.length;
387 memcpy(ret->key_arg,os.data,ret->key_arg_length);
388 if (os.data != NULL) OPENSSL_free(os.data);
389
390 ai.length=0;
391 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,1);
392 if (ai.data != NULL)
393 {
394 ret->time=ASN1_INTEGER_get(aip);
395 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
396 }
397 else
398 ret->time=(unsigned long)time(NULL);
399
400 ai.length=0;
401 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2);
402 if (ai.data != NULL)
403 {
404 ret->timeout=ASN1_INTEGER_get(aip);
405 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
406 }
407 else
408 ret->timeout=3;
409
410 if (ret->peer != NULL)
411 {
412 X509_free(ret->peer);
413 ret->peer=NULL;
414 }
415 M_ASN1_D2I_get_EXP_opt(ret->peer,d2i_X509,3);
416
417 os.length=0;
418 os.data=NULL;
419 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,4);
420
421 if(os.data != NULL)
422 {
423 if (os.length > SSL_MAX_SID_CTX_LENGTH)
424 {
425 ret->sid_ctx_length=os.length;
426 SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
427 }
428 else
429 {
430 ret->sid_ctx_length=os.length;
431 memcpy(ret->sid_ctx,os.data,os.length);
432 }
433 OPENSSL_free(os.data); os.data=NULL; os.length=0;
434 }
435 else
436 ret->sid_ctx_length=0;
437
438 ai.length=0;
439 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,5);
440 if (ai.data != NULL)
441 {
442 ret->verify_result=ASN1_INTEGER_get(aip);
443 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
444 }
445 else
446 ret->verify_result=X509_V_OK;
447
448#ifndef OPENSSL_NO_TLSEXT
449 os.length=0;
450 os.data=NULL;
451 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,6);
452 if (os.data)
453 {
454 ret->tlsext_hostname = BUF_strndup((char *)os.data, os.length);
455 OPENSSL_free(os.data);
456 os.data = NULL;
457 os.length = 0;
458 }
459 else
460 ret->tlsext_hostname=NULL;
461 ai.length=0;
462 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,9);
463 if (ai.data != NULL)
464 {
465 ret->tlsext_tick_lifetime_hint=ASN1_INTEGER_get(aip);
466 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
467 }
468 else if (ret->tlsext_ticklen && ret->session_id_length)
469 ret->tlsext_tick_lifetime_hint = -1;
470 else
471 ret->tlsext_tick_lifetime_hint = 0;
472 os.length=0;
473 os.data=NULL;
474 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,10);
475 if (os.data)
476 {
477 ret->tlsext_tick = os.data;
478 ret->tlsext_ticklen = os.length;
479 os.data = NULL;
480 os.length = 0;
481#if 0
482 /* There are two ways to detect a resumed ticket sesion.
483 * One is to set a random session ID and then the server
484 * must return a match in ServerHello. This allows the normal
485 * client session ID matching to work.
486 */
487 if (ret->session_id_length == 0)
488 {
489 ret->session_id_length=SSL3_MAX_SSL_SESSION_ID_LENGTH;
490 RAND_pseudo_bytes(ret->session_id,
491 ret->session_id_length);
492 }
493#endif
494 }
495 else
496 ret->tlsext_tick=NULL;
497#endif /* OPENSSL_NO_TLSEXT */
498
499 M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
500 }
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
deleted file mode 100644
index a32b2d4446..0000000000
--- a/src/lib/libssl/ssl_cert.c
+++ /dev/null
@@ -1,829 +0,0 @@
1/*! \file ssl/ssl_cert.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#include <stdio.h>
118
119#include "e_os.h"
120#ifndef NO_SYS_TYPES_H
121# include <sys/types.h>
122#endif
123
124#include "o_dir.h"
125#include <openssl/objects.h>
126#include <openssl/bio.h>
127#include <openssl/pem.h>
128#include <openssl/x509v3.h>
129#ifndef OPENSSL_NO_DH
130#include <openssl/dh.h>
131#endif
132#include <openssl/bn.h>
133#include "ssl_locl.h"
134
135int SSL_get_ex_data_X509_STORE_CTX_idx(void)
136 {
137 static volatile int ssl_x509_store_ctx_idx= -1;
138 int got_write_lock = 0;
139
140 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
141
142 if (ssl_x509_store_ctx_idx < 0)
143 {
144 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
145 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
146 got_write_lock = 1;
147
148 if (ssl_x509_store_ctx_idx < 0)
149 {
150 ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
151 0,"SSL for verify callback",NULL,NULL,NULL);
152 }
153 }
154
155 if (got_write_lock)
156 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
157 else
158 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
159
160 return ssl_x509_store_ctx_idx;
161 }
162
163CERT *ssl_cert_new(void)
164 {
165 CERT *ret;
166
167 ret=(CERT *)OPENSSL_malloc(sizeof(CERT));
168 if (ret == NULL)
169 {
170 SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE);
171 return(NULL);
172 }
173 memset(ret,0,sizeof(CERT));
174
175 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
176 ret->references=1;
177
178 return(ret);
179 }
180
181CERT *ssl_cert_dup(CERT *cert)
182 {
183 CERT *ret;
184 int i;
185
186 ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
187 if (ret == NULL)
188 {
189 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
190 return(NULL);
191 }
192
193 memset(ret, 0, sizeof(CERT));
194
195 ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
196 /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
197 * if you find that more readable */
198
199 ret->valid = cert->valid;
200 ret->mask = cert->mask;
201 ret->export_mask = cert->export_mask;
202
203#ifndef OPENSSL_NO_RSA
204 if (cert->rsa_tmp != NULL)
205 {
206 RSA_up_ref(cert->rsa_tmp);
207 ret->rsa_tmp = cert->rsa_tmp;
208 }
209 ret->rsa_tmp_cb = cert->rsa_tmp_cb;
210#endif
211
212#ifndef OPENSSL_NO_DH
213 if (cert->dh_tmp != NULL)
214 {
215 ret->dh_tmp = DHparams_dup(cert->dh_tmp);
216 if (ret->dh_tmp == NULL)
217 {
218 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
219 goto err;
220 }
221 if (cert->dh_tmp->priv_key)
222 {
223 BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
224 if (!b)
225 {
226 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
227 goto err;
228 }
229 ret->dh_tmp->priv_key = b;
230 }
231 if (cert->dh_tmp->pub_key)
232 {
233 BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
234 if (!b)
235 {
236 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
237 goto err;
238 }
239 ret->dh_tmp->pub_key = b;
240 }
241 }
242 ret->dh_tmp_cb = cert->dh_tmp_cb;
243#endif
244
245#ifndef OPENSSL_NO_ECDH
246 if (cert->ecdh_tmp)
247 {
248 ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
249 if (ret->ecdh_tmp == NULL)
250 {
251 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
252 goto err;
253 }
254 }
255 ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
256#endif
257
258 for (i = 0; i < SSL_PKEY_NUM; i++)
259 {
260 if (cert->pkeys[i].x509 != NULL)
261 {
262 ret->pkeys[i].x509 = cert->pkeys[i].x509;
263 CRYPTO_add(&ret->pkeys[i].x509->references, 1,
264 CRYPTO_LOCK_X509);
265 }
266
267 if (cert->pkeys[i].privatekey != NULL)
268 {
269 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
270 CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
271 CRYPTO_LOCK_EVP_PKEY);
272
273 switch(i)
274 {
275 /* If there was anything special to do for
276 * certain types of keys, we'd do it here.
277 * (Nothing at the moment, I think.) */
278
279 case SSL_PKEY_RSA_ENC:
280 case SSL_PKEY_RSA_SIGN:
281 /* We have an RSA key. */
282 break;
283
284 case SSL_PKEY_DSA_SIGN:
285 /* We have a DSA key. */
286 break;
287
288 case SSL_PKEY_DH_RSA:
289 case SSL_PKEY_DH_DSA:
290 /* We have a DH key. */
291 break;
292
293 case SSL_PKEY_ECC:
294 /* We have an ECC key */
295 break;
296
297 default:
298 /* Can't happen. */
299 SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
300 }
301 }
302 }
303
304 /* ret->extra_certs *should* exist, but currently the own certificate
305 * chain is held inside SSL_CTX */
306
307 ret->references=1;
308
309 return(ret);
310
311#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
312err:
313#endif
314#ifndef OPENSSL_NO_RSA
315 if (ret->rsa_tmp != NULL)
316 RSA_free(ret->rsa_tmp);
317#endif
318#ifndef OPENSSL_NO_DH
319 if (ret->dh_tmp != NULL)
320 DH_free(ret->dh_tmp);
321#endif
322#ifndef OPENSSL_NO_ECDH
323 if (ret->ecdh_tmp != NULL)
324 EC_KEY_free(ret->ecdh_tmp);
325#endif
326
327 for (i = 0; i < SSL_PKEY_NUM; i++)
328 {
329 if (ret->pkeys[i].x509 != NULL)
330 X509_free(ret->pkeys[i].x509);
331 if (ret->pkeys[i].privatekey != NULL)
332 EVP_PKEY_free(ret->pkeys[i].privatekey);
333 }
334
335 return NULL;
336 }
337
338
339void ssl_cert_free(CERT *c)
340 {
341 int i;
342
343 if(c == NULL)
344 return;
345
346 i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT);
347#ifdef REF_PRINT
348 REF_PRINT("CERT",c);
349#endif
350 if (i > 0) return;
351#ifdef REF_CHECK
352 if (i < 0)
353 {
354 fprintf(stderr,"ssl_cert_free, bad reference count\n");
355 abort(); /* ok */
356 }
357#endif
358
359#ifndef OPENSSL_NO_RSA
360 if (c->rsa_tmp) RSA_free(c->rsa_tmp);
361#endif
362#ifndef OPENSSL_NO_DH
363 if (c->dh_tmp) DH_free(c->dh_tmp);
364#endif
365#ifndef OPENSSL_NO_ECDH
366 if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);
367#endif
368
369 for (i=0; i<SSL_PKEY_NUM; i++)
370 {
371 if (c->pkeys[i].x509 != NULL)
372 X509_free(c->pkeys[i].x509);
373 if (c->pkeys[i].privatekey != NULL)
374 EVP_PKEY_free(c->pkeys[i].privatekey);
375#if 0
376 if (c->pkeys[i].publickey != NULL)
377 EVP_PKEY_free(c->pkeys[i].publickey);
378#endif
379 }
380 OPENSSL_free(c);
381 }
382
383int ssl_cert_inst(CERT **o)
384 {
385 /* Create a CERT if there isn't already one
386 * (which cannot really happen, as it is initially created in
387 * SSL_CTX_new; but the earlier code usually allows for that one
388 * being non-existant, so we follow that behaviour, as it might
389 * turn out that there actually is a reason for it -- but I'm
390 * not sure that *all* of the existing code could cope with
391 * s->cert being NULL, otherwise we could do without the
392 * initialization in SSL_CTX_new).
393 */
394
395 if (o == NULL)
396 {
397 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
398 return(0);
399 }
400 if (*o == NULL)
401 {
402 if ((*o = ssl_cert_new()) == NULL)
403 {
404 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
405 return(0);
406 }
407 }
408 return(1);
409 }
410
411
412SESS_CERT *ssl_sess_cert_new(void)
413 {
414 SESS_CERT *ret;
415
416 ret = OPENSSL_malloc(sizeof *ret);
417 if (ret == NULL)
418 {
419 SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
420 return NULL;
421 }
422
423 memset(ret, 0 ,sizeof *ret);
424 ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
425 ret->references = 1;
426
427 return ret;
428 }
429
430void ssl_sess_cert_free(SESS_CERT *sc)
431 {
432 int i;
433
434 if (sc == NULL)
435 return;
436
437 i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
438#ifdef REF_PRINT
439 REF_PRINT("SESS_CERT", sc);
440#endif
441 if (i > 0)
442 return;
443#ifdef REF_CHECK
444 if (i < 0)
445 {
446 fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
447 abort(); /* ok */
448 }
449#endif
450
451 /* i == 0 */
452 if (sc->cert_chain != NULL)
453 sk_X509_pop_free(sc->cert_chain, X509_free);
454 for (i = 0; i < SSL_PKEY_NUM; i++)
455 {
456 if (sc->peer_pkeys[i].x509 != NULL)
457 X509_free(sc->peer_pkeys[i].x509);
458#if 0 /* We don't have the peer's private key. These lines are just
459 * here as a reminder that we're still using a not-quite-appropriate
460 * data structure. */
461 if (sc->peer_pkeys[i].privatekey != NULL)
462 EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
463#endif
464 }
465
466#ifndef OPENSSL_NO_RSA
467 if (sc->peer_rsa_tmp != NULL)
468 RSA_free(sc->peer_rsa_tmp);
469#endif
470#ifndef OPENSSL_NO_DH
471 if (sc->peer_dh_tmp != NULL)
472 DH_free(sc->peer_dh_tmp);
473#endif
474#ifndef OPENSSL_NO_ECDH
475 if (sc->peer_ecdh_tmp != NULL)
476 EC_KEY_free(sc->peer_ecdh_tmp);
477#endif
478
479 OPENSSL_free(sc);
480 }
481
482int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
483 {
484 sc->peer_cert_type = type;
485 return(1);
486 }
487
488int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
489 {
490 X509 *x;
491 int i;
492 X509_STORE_CTX ctx;
493
494 if ((sk == NULL) || (sk_X509_num(sk) == 0))
495 return(0);
496
497 x=sk_X509_value(sk,0);
498 if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk))
499 {
500 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
501 return(0);
502 }
503 if (s->param)
504 X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
505 s->param);
506#if 0
507 if (SSL_get_verify_depth(s) >= 0)
508 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
509#endif
510 X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
511
512 /* We need to inherit the verify parameters. These can be determined by
513 * the context: if its a server it will verify SSL client certificates
514 * or vice versa.
515 */
516
517 X509_STORE_CTX_set_default(&ctx,
518 s->server ? "ssl_client" : "ssl_server");
519
520 if (s->verify_callback)
521 X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
522
523 if (s->ctx->app_verify_callback != NULL)
524#if 1 /* new with OpenSSL 0.9.7 */
525 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
526#else
527 i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
528#endif
529 else
530 {
531#ifndef OPENSSL_NO_X509_VERIFY
532 i=X509_verify_cert(&ctx);
533#else
534 i=0;
535 ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
536 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK);
537#endif
538 }
539
540 s->verify_result=ctx.error;
541 X509_STORE_CTX_cleanup(&ctx);
542
543 return(i);
544 }
545
546static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
547 {
548 if (*ca_list != NULL)
549 sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
550
551 *ca_list=name_list;
552 }
553
554STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
555 {
556 int i;
557 STACK_OF(X509_NAME) *ret;
558 X509_NAME *name;
559
560 ret=sk_X509_NAME_new_null();
561 for (i=0; i<sk_X509_NAME_num(sk); i++)
562 {
563 name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
564 if ((name == NULL) || !sk_X509_NAME_push(ret,name))
565 {
566 sk_X509_NAME_pop_free(ret,X509_NAME_free);
567 return(NULL);
568 }
569 }
570 return(ret);
571 }
572
573void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)
574 {
575 set_client_CA_list(&(s->client_CA),name_list);
576 }
577
578void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
579 {
580 set_client_CA_list(&(ctx->client_CA),name_list);
581 }
582
583STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
584 {
585 return(ctx->client_CA);
586 }
587
588STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
589 {
590 if (s->type == SSL_ST_CONNECT)
591 { /* we are in the client */
592 if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
593 (s->s3 != NULL))
594 return(s->s3->tmp.ca_names);
595 else
596 return(NULL);
597 }
598 else
599 {
600 if (s->client_CA != NULL)
601 return(s->client_CA);
602 else
603 return(s->ctx->client_CA);
604 }
605 }
606
607static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)
608 {
609 X509_NAME *name;
610
611 if (x == NULL) return(0);
612 if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))
613 return(0);
614
615 if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
616 return(0);
617
618 if (!sk_X509_NAME_push(*sk,name))
619 {
620 X509_NAME_free(name);
621 return(0);
622 }
623 return(1);
624 }
625
626int SSL_add_client_CA(SSL *ssl,X509 *x)
627 {
628 return(add_client_CA(&(ssl->client_CA),x));
629 }
630
631int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
632 {
633 return(add_client_CA(&(ctx->client_CA),x));
634 }
635
636static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
637 {
638 return(X509_NAME_cmp(*a,*b));
639 }
640
641#ifndef OPENSSL_NO_STDIO
642/*!
643 * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
644 * it doesn't really have anything to do with clients (except that a common use
645 * for a stack of CAs is to send it to the client). Actually, it doesn't have
646 * much to do with CAs, either, since it will load any old cert.
647 * \param file the file containing one or more certs.
648 * \return a ::STACK containing the certs.
649 */
650STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
651 {
652 BIO *in;
653 X509 *x=NULL;
654 X509_NAME *xn=NULL;
655 STACK_OF(X509_NAME) *ret = NULL,*sk;
656
657 sk=sk_X509_NAME_new(xname_cmp);
658
659 in=BIO_new(BIO_s_file_internal());
660
661 if ((sk == NULL) || (in == NULL))
662 {
663 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
664 goto err;
665 }
666
667 if (!BIO_read_filename(in,file))
668 goto err;
669
670 for (;;)
671 {
672 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
673 break;
674 if (ret == NULL)
675 {
676 ret = sk_X509_NAME_new_null();
677 if (ret == NULL)
678 {
679 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
680 goto err;
681 }
682 }
683 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
684 /* check for duplicates */
685 xn=X509_NAME_dup(xn);
686 if (xn == NULL) goto err;
687 if (sk_X509_NAME_find(sk,xn) >= 0)
688 X509_NAME_free(xn);
689 else
690 {
691 sk_X509_NAME_push(sk,xn);
692 sk_X509_NAME_push(ret,xn);
693 }
694 }
695
696 if (0)
697 {
698err:
699 if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
700 ret=NULL;
701 }
702 if (sk != NULL) sk_X509_NAME_free(sk);
703 if (in != NULL) BIO_free(in);
704 if (x != NULL) X509_free(x);
705 if (ret != NULL)
706 ERR_clear_error();
707 return(ret);
708 }
709#endif
710
711/*!
712 * Add a file of certs to a stack.
713 * \param stack the stack to add to.
714 * \param file the file to add from. All certs in this file that are not
715 * already in the stack will be added.
716 * \return 1 for success, 0 for failure. Note that in the case of failure some
717 * certs may have been added to \c stack.
718 */
719
720int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
721 const char *file)
722 {
723 BIO *in;
724 X509 *x=NULL;
725 X509_NAME *xn=NULL;
726 int ret=1;
727 int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
728
729 oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
730
731 in=BIO_new(BIO_s_file_internal());
732
733 if (in == NULL)
734 {
735 SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
736 goto err;
737 }
738
739 if (!BIO_read_filename(in,file))
740 goto err;
741
742 for (;;)
743 {
744 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
745 break;
746 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
747 xn=X509_NAME_dup(xn);
748 if (xn == NULL) goto err;
749 if (sk_X509_NAME_find(stack,xn) >= 0)
750 X509_NAME_free(xn);
751 else
752 sk_X509_NAME_push(stack,xn);
753 }
754
755 if (0)
756 {
757err:
758 ret=0;
759 }
760 if(in != NULL)
761 BIO_free(in);
762 if(x != NULL)
763 X509_free(x);
764
765 (void)sk_X509_NAME_set_cmp_func(stack,oldcmp);
766
767 return ret;
768 }
769
770/*!
771 * Add a directory of certs to a stack.
772 * \param stack the stack to append to.
773 * \param dir the directory to append from. All files in this directory will be
774 * examined as potential certs. Any that are acceptable to
775 * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
776 * included.
777 * \return 1 for success, 0 for failure. Note that in the case of failure some
778 * certs may have been added to \c stack.
779 */
780
781int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
782 const char *dir)
783 {
784 OPENSSL_DIR_CTX *d = NULL;
785 const char *filename;
786 int ret = 0;
787
788 CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
789
790 /* Note that a side effect is that the CAs will be sorted by name */
791
792 while((filename = OPENSSL_DIR_read(&d, dir)))
793 {
794 char buf[1024];
795 int r;
796
797 if(strlen(dir)+strlen(filename)+2 > sizeof buf)
798 {
799 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
800 goto err;
801 }
802
803#ifdef OPENSSL_SYS_VMS
804 r = BIO_snprintf(buf,sizeof buf,"%s%s",dir,filename);
805#else
806 r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename);
807#endif
808 if (r <= 0 || r >= (int)sizeof(buf))
809 goto err;
810 if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
811 goto err;
812 }
813
814 if (errno)
815 {
816 SYSerr(SYS_F_OPENDIR, get_last_sys_error());
817 ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
818 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
819 goto err;
820 }
821
822 ret = 1;
823
824err:
825 if (d) OPENSSL_DIR_end(&d);
826 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
827 return ret;
828 }
829
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
deleted file mode 100644
index e9c9a08306..0000000000
--- a/src/lib/libssl/ssl_ciph.c
+++ /dev/null
@@ -1,1387 +0,0 @@
1/* ssl/ssl_ciph.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116#include <stdio.h>
117#include <openssl/objects.h>
118#ifndef OPENSSL_NO_COMP
119#include <openssl/comp.h>
120#endif
121
122#include "ssl_locl.h"
123
124#define SSL_ENC_DES_IDX 0
125#define SSL_ENC_3DES_IDX 1
126#define SSL_ENC_RC4_IDX 2
127#define SSL_ENC_RC2_IDX 3
128#define SSL_ENC_IDEA_IDX 4
129#define SSL_ENC_eFZA_IDX 5
130#define SSL_ENC_NULL_IDX 6
131#define SSL_ENC_AES128_IDX 7
132#define SSL_ENC_AES256_IDX 8
133#define SSL_ENC_CAMELLIA128_IDX 9
134#define SSL_ENC_CAMELLIA256_IDX 10
135#define SSL_ENC_SEED_IDX 11
136#define SSL_ENC_NUM_IDX 12
137
138
139static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
140 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
141 };
142
143#define SSL_COMP_NULL_IDX 0
144#define SSL_COMP_ZLIB_IDX 1
145#define SSL_COMP_NUM_IDX 2
146
147static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
148
149#define SSL_MD_MD5_IDX 0
150#define SSL_MD_SHA1_IDX 1
151#define SSL_MD_NUM_IDX 2
152static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
153 NULL,NULL,
154 };
155
156#define CIPHER_ADD 1
157#define CIPHER_KILL 2
158#define CIPHER_DEL 3
159#define CIPHER_ORD 4
160#define CIPHER_SPECIAL 5
161
162typedef struct cipher_order_st
163 {
164 SSL_CIPHER *cipher;
165 int active;
166 int dead;
167 struct cipher_order_st *next,*prev;
168 } CIPHER_ORDER;
169
170static const SSL_CIPHER cipher_aliases[]={
171 /* Don't include eNULL unless specifically enabled. */
172 /* Don't include ECC in ALL because these ciphers are not yet official. */
173 {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_kECDH & ~SSL_kECDHE, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
174 /* TODO: COMPLEMENT OF ALL and COMPLEMENT OF DEFAULT do not have ECC cipher suites handled properly. */
175 {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */
176 {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0},
177 {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
178 {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
179 {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
180 {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0},
181 {0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0},
182 {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0},
183 {0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0},
184 {0,SSL_TXT_ECC, 0,(SSL_kECDH|SSL_kECDHE), 0,0,0,0,SSL_MKEY_MASK,0},
185 {0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
186 {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */
187 {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0},
188 {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0},
189 {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0},
190 {0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0},
191 {0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0},
192 {0,SSL_TXT_DSS, 0,SSL_DSS, 0,0,0,0,SSL_AUTH_MASK,0},
193
194 {0,SSL_TXT_DES, 0,SSL_DES, 0,0,0,0,SSL_ENC_MASK,0},
195 {0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0},
196 {0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0},
197 {0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0},
198#ifndef OPENSSL_NO_IDEA
199 {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0},
200#endif
201 {0,SSL_TXT_SEED,0,SSL_SEED, 0,0,0,0,SSL_ENC_MASK,0},
202 {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
203 {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0},
204 {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0},
205 {0,SSL_TXT_CAMELLIA,0,SSL_CAMELLIA, 0,0,0,0,SSL_ENC_MASK,0},
206
207 {0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0},
208 {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0},
209 {0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0},
210
211 {0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0},
212 {0,SSL_TXT_KRB5,0,SSL_KRB5, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
213 {0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
214 {0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
215 {0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
216
217 {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0},
218 {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0},
219 {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0},
220
221 {0,SSL_TXT_EXP ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
222 {0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
223 {0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK},
224 {0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK},
225 {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
226 {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
227 {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
228 {0,SSL_TXT_FIPS, 0, 0, SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
229 };
230
231void ssl_load_ciphers(void)
232 {
233 ssl_cipher_methods[SSL_ENC_DES_IDX]=
234 EVP_get_cipherbyname(SN_des_cbc);
235 ssl_cipher_methods[SSL_ENC_3DES_IDX]=
236 EVP_get_cipherbyname(SN_des_ede3_cbc);
237 ssl_cipher_methods[SSL_ENC_RC4_IDX]=
238 EVP_get_cipherbyname(SN_rc4);
239 ssl_cipher_methods[SSL_ENC_RC2_IDX]=
240 EVP_get_cipherbyname(SN_rc2_cbc);
241#ifndef OPENSSL_NO_IDEA
242 ssl_cipher_methods[SSL_ENC_IDEA_IDX]=
243 EVP_get_cipherbyname(SN_idea_cbc);
244#else
245 ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL;
246#endif
247 ssl_cipher_methods[SSL_ENC_AES128_IDX]=
248 EVP_get_cipherbyname(SN_aes_128_cbc);
249 ssl_cipher_methods[SSL_ENC_AES256_IDX]=
250 EVP_get_cipherbyname(SN_aes_256_cbc);
251 ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]=
252 EVP_get_cipherbyname(SN_camellia_128_cbc);
253 ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]=
254 EVP_get_cipherbyname(SN_camellia_256_cbc);
255 ssl_cipher_methods[SSL_ENC_SEED_IDX]=
256 EVP_get_cipherbyname(SN_seed_cbc);
257
258 ssl_digest_methods[SSL_MD_MD5_IDX]=
259 EVP_get_digestbyname(SN_md5);
260 ssl_digest_methods[SSL_MD_SHA1_IDX]=
261 EVP_get_digestbyname(SN_sha1);
262 }
263
264
265#ifndef OPENSSL_NO_COMP
266
267static int sk_comp_cmp(const SSL_COMP * const *a,
268 const SSL_COMP * const *b)
269 {
270 return((*a)->id-(*b)->id);
271 }
272
273static void load_builtin_compressions(void)
274 {
275 int got_write_lock = 0;
276
277 CRYPTO_r_lock(CRYPTO_LOCK_SSL);
278 if (ssl_comp_methods == NULL)
279 {
280 CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
281 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
282 got_write_lock = 1;
283
284 if (ssl_comp_methods == NULL)
285 {
286 SSL_COMP *comp = NULL;
287
288 MemCheck_off();
289 ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
290 if (ssl_comp_methods != NULL)
291 {
292 comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
293 if (comp != NULL)
294 {
295 comp->method=COMP_zlib();
296 if (comp->method
297 && comp->method->type == NID_undef)
298 OPENSSL_free(comp);
299 else
300 {
301 comp->id=SSL_COMP_ZLIB_IDX;
302 comp->name=comp->method->name;
303 sk_SSL_COMP_push(ssl_comp_methods,comp);
304 }
305 }
306 }
307 MemCheck_on();
308 }
309 }
310
311 if (got_write_lock)
312 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
313 else
314 CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
315 }
316#endif
317
318int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
319 const EVP_MD **md, SSL_COMP **comp)
320 {
321 int i;
322 SSL_CIPHER *c;
323
324 c=s->cipher;
325 if (c == NULL) return(0);
326 if (comp != NULL)
327 {
328 SSL_COMP ctmp;
329#ifndef OPENSSL_NO_COMP
330 load_builtin_compressions();
331#endif
332
333 *comp=NULL;
334 ctmp.id=s->compress_meth;
335 if (ssl_comp_methods != NULL)
336 {
337 i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
338 if (i >= 0)
339 *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
340 else
341 *comp=NULL;
342 }
343 }
344
345 if ((enc == NULL) || (md == NULL)) return(0);
346
347 switch (c->algorithms & SSL_ENC_MASK)
348 {
349 case SSL_DES:
350 i=SSL_ENC_DES_IDX;
351 break;
352 case SSL_3DES:
353 i=SSL_ENC_3DES_IDX;
354 break;
355 case SSL_RC4:
356 i=SSL_ENC_RC4_IDX;
357 break;
358 case SSL_RC2:
359 i=SSL_ENC_RC2_IDX;
360 break;
361 case SSL_IDEA:
362 i=SSL_ENC_IDEA_IDX;
363 break;
364 case SSL_eNULL:
365 i=SSL_ENC_NULL_IDX;
366 break;
367 case SSL_AES:
368 switch(c->alg_bits)
369 {
370 case 128: i=SSL_ENC_AES128_IDX; break;
371 case 256: i=SSL_ENC_AES256_IDX; break;
372 default: i=-1; break;
373 }
374 break;
375 case SSL_CAMELLIA:
376 switch(c->alg_bits)
377 {
378 case 128: i=SSL_ENC_CAMELLIA128_IDX; break;
379 case 256: i=SSL_ENC_CAMELLIA256_IDX; break;
380 default: i=-1; break;
381 }
382 break;
383 case SSL_SEED:
384 i=SSL_ENC_SEED_IDX;
385 break;
386
387 default:
388 i= -1;
389 break;
390 }
391
392 if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
393 *enc=NULL;
394 else
395 {
396 if (i == SSL_ENC_NULL_IDX)
397 *enc=EVP_enc_null();
398 else
399 *enc=ssl_cipher_methods[i];
400 }
401
402 switch (c->algorithms & SSL_MAC_MASK)
403 {
404 case SSL_MD5:
405 i=SSL_MD_MD5_IDX;
406 break;
407 case SSL_SHA1:
408 i=SSL_MD_SHA1_IDX;
409 break;
410 default:
411 i= -1;
412 break;
413 }
414 if ((i < 0) || (i >= SSL_MD_NUM_IDX))
415 *md=NULL;
416 else
417 *md=ssl_digest_methods[i];
418
419 if ((*enc != NULL) && (*md != NULL))
420 return(1);
421 else
422 return(0);
423 }
424
425#define ITEM_SEP(a) \
426 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
427
428static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
429 CIPHER_ORDER **tail)
430 {
431 if (curr == *tail) return;
432 if (curr == *head)
433 *head=curr->next;
434 if (curr->prev != NULL)
435 curr->prev->next=curr->next;
436 if (curr->next != NULL) /* should always be true */
437 curr->next->prev=curr->prev;
438 (*tail)->next=curr;
439 curr->prev= *tail;
440 curr->next=NULL;
441 *tail=curr;
442 }
443
444struct disabled_masks { /* This is a kludge no longer needed with OpenSSL 0.9.9,
445 * where 128-bit and 256-bit algorithms simply will get
446 * separate bits. */
447 unsigned long mask; /* everything except m256 */
448 unsigned long m256; /* applies to 256-bit algorithms only */
449};
450
451static struct disabled_masks ssl_cipher_get_disabled(void)
452 {
453 unsigned long mask;
454 unsigned long m256;
455 struct disabled_masks ret;
456
457 mask = SSL_kFZA;
458#ifdef OPENSSL_NO_RSA
459 mask |= SSL_aRSA|SSL_kRSA;
460#endif
461#ifdef OPENSSL_NO_DSA
462 mask |= SSL_aDSS;
463#endif
464#ifdef OPENSSL_NO_DH
465 mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
466#endif
467#ifdef OPENSSL_NO_KRB5
468 mask |= SSL_kKRB5|SSL_aKRB5;
469#endif
470#ifdef OPENSSL_NO_ECDH
471 mask |= SSL_kECDH|SSL_kECDHE;
472#endif
473#ifdef SSL_FORBID_ENULL
474 mask |= SSL_eNULL;
475#endif
476
477 mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
478 mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
479 mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
480 mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
481 mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
482 mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0;
483 mask |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED:0;
484
485 mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
486 mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
487
488 /* finally consider algorithms where mask and m256 differ */
489 m256 = mask;
490 mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
491 mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0;
492 m256 |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES:0;
493 m256 |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA:0;
494
495 ret.mask = mask;
496 ret.m256 = m256;
497 return ret;
498 }
499
500static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
501 int num_of_ciphers, unsigned long mask, unsigned long m256,
502 CIPHER_ORDER *co_list, CIPHER_ORDER **head_p,
503 CIPHER_ORDER **tail_p)
504 {
505 int i, co_list_num;
506 SSL_CIPHER *c;
507
508 /*
509 * We have num_of_ciphers descriptions compiled in, depending on the
510 * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
511 * These will later be sorted in a linked list with at most num
512 * entries.
513 */
514
515 /* Get the initial list of ciphers */
516 co_list_num = 0; /* actual count of ciphers */
517 for (i = 0; i < num_of_ciphers; i++)
518 {
519 c = ssl_method->get_cipher(i);
520#define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask))
521 /* drop those that use any of that is not available */
522#ifdef OPENSSL_FIPS
523 if ((c != NULL) && c->valid && !IS_MASKED(c)
524 && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
525#else
526 if ((c != NULL) && c->valid && !IS_MASKED(c))
527#endif
528 {
529 co_list[co_list_num].cipher = c;
530 co_list[co_list_num].next = NULL;
531 co_list[co_list_num].prev = NULL;
532 co_list[co_list_num].active = 0;
533 co_list_num++;
534#ifdef KSSL_DEBUG
535 printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms);
536#endif /* KSSL_DEBUG */
537 /*
538 if (!sk_push(ca_list,(char *)c)) goto err;
539 */
540 }
541 }
542
543 /*
544 * Prepare linked list from list entries
545 */
546 for (i = 1; i < co_list_num - 1; i++)
547 {
548 co_list[i].prev = &(co_list[i-1]);
549 co_list[i].next = &(co_list[i+1]);
550 }
551 if (co_list_num > 0)
552 {
553 (*head_p) = &(co_list[0]);
554 (*head_p)->prev = NULL;
555 (*head_p)->next = &(co_list[1]);
556 (*tail_p) = &(co_list[co_list_num - 1]);
557 (*tail_p)->prev = &(co_list[co_list_num - 2]);
558 (*tail_p)->next = NULL;
559 }
560 }
561
562static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
563 int num_of_group_aliases, unsigned long mask,
564 CIPHER_ORDER *head)
565 {
566 CIPHER_ORDER *ciph_curr;
567 SSL_CIPHER **ca_curr;
568 int i;
569
570 /*
571 * First, add the real ciphers as already collected
572 */
573 ciph_curr = head;
574 ca_curr = ca_list;
575 while (ciph_curr != NULL)
576 {
577 *ca_curr = ciph_curr->cipher;
578 ca_curr++;
579 ciph_curr = ciph_curr->next;
580 }
581
582 /*
583 * Now we add the available ones from the cipher_aliases[] table.
584 * They represent either an algorithm, that must be fully
585 * supported (not match any bit in mask) or represent a cipher
586 * strength value (will be added in any case because algorithms=0).
587 */
588 for (i = 0; i < num_of_group_aliases; i++)
589 {
590 if ((i == 0) || /* always fetch "ALL" */
591 !(cipher_aliases[i].algorithms & mask))
592 {
593 *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
594 ca_curr++;
595 }
596 }
597
598 *ca_curr = NULL; /* end of list */
599 }
600
601static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long ssl_version,
602 unsigned long algorithms, unsigned long mask,
603 unsigned long algo_strength, unsigned long mask_strength,
604 int rule, int strength_bits, CIPHER_ORDER *co_list,
605 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
606 {
607 CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
608 SSL_CIPHER *cp;
609 unsigned long ma, ma_s;
610
611#ifdef CIPHER_DEBUG
612 printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n",
613 rule, algorithms, mask, algo_strength, mask_strength,
614 strength_bits);
615#endif
616
617 curr = head = *head_p;
618 curr2 = head;
619 tail2 = tail = *tail_p;
620 for (;;)
621 {
622 if ((curr == NULL) || (curr == tail2)) break;
623 curr = curr2;
624 curr2 = curr->next;
625
626 cp = curr->cipher;
627
628 /* If explicit cipher suite, match only that one for its own protocol version.
629 * Usual selection criteria will be used for similar ciphersuites from other version! */
630
631 if (cipher_id && (cp->algorithms & SSL_SSL_MASK) == ssl_version)
632 {
633 if (cp->id != cipher_id)
634 continue;
635 }
636
637 /*
638 * Selection criteria is either the number of strength_bits
639 * or the algorithm used.
640 */
641 else if (strength_bits == -1)
642 {
643 ma = mask & cp->algorithms;
644 ma_s = mask_strength & cp->algo_strength;
645
646#ifdef CIPHER_DEBUG
647 printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strength, mask, mask_strength);
648 printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength);
649#endif
650 /*
651 * Select: if none of the mask bit was met from the
652 * cipher or not all of the bits were met, the
653 * selection does not apply.
654 */
655 if (((ma == 0) && (ma_s == 0)) ||
656 ((ma & algorithms) != ma) ||
657 ((ma_s & algo_strength) != ma_s))
658 continue; /* does not apply */
659 }
660 else if (strength_bits != cp->strength_bits)
661 continue; /* does not apply */
662
663#ifdef CIPHER_DEBUG
664 printf("Action = %d\n", rule);
665#endif
666
667 /* add the cipher if it has not been added yet. */
668 if (rule == CIPHER_ADD)
669 {
670 if (!curr->active)
671 {
672 int add_this_cipher = 1;
673
674 if (((cp->algorithms & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0))
675 {
676 /* Make sure "ECCdraft" ciphersuites are activated only if
677 * *explicitly* requested, but not implicitly (such as
678 * as part of the "AES" alias). */
679
680 add_this_cipher = (mask & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0 || cipher_id != 0;
681 }
682
683 if (add_this_cipher)
684 {
685 ll_append_tail(&head, curr, &tail);
686 curr->active = 1;
687 }
688 }
689 }
690 /* Move the added cipher to this location */
691 else if (rule == CIPHER_ORD)
692 {
693 if (curr->active)
694 {
695 ll_append_tail(&head, curr, &tail);
696 }
697 }
698 else if (rule == CIPHER_DEL)
699 curr->active = 0;
700 else if (rule == CIPHER_KILL)
701 {
702 if (head == curr)
703 head = curr->next;
704 else
705 curr->prev->next = curr->next;
706 if (tail == curr)
707 tail = curr->prev;
708 curr->active = 0;
709 if (curr->next != NULL)
710 curr->next->prev = curr->prev;
711 if (curr->prev != NULL)
712 curr->prev->next = curr->next;
713 curr->next = NULL;
714 curr->prev = NULL;
715 }
716 }
717
718 *head_p = head;
719 *tail_p = tail;
720 }
721
722static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
723 CIPHER_ORDER **head_p,
724 CIPHER_ORDER **tail_p)
725 {
726 int max_strength_bits, i, *number_uses;
727 CIPHER_ORDER *curr;
728
729 /*
730 * This routine sorts the ciphers with descending strength. The sorting
731 * must keep the pre-sorted sequence, so we apply the normal sorting
732 * routine as '+' movement to the end of the list.
733 */
734 max_strength_bits = 0;
735 curr = *head_p;
736 while (curr != NULL)
737 {
738 if (curr->active &&
739 (curr->cipher->strength_bits > max_strength_bits))
740 max_strength_bits = curr->cipher->strength_bits;
741 curr = curr->next;
742 }
743
744 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
745 if (!number_uses)
746 {
747 SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE);
748 return(0);
749 }
750 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
751
752 /*
753 * Now find the strength_bits values actually used
754 */
755 curr = *head_p;
756 while (curr != NULL)
757 {
758 if (curr->active)
759 number_uses[curr->cipher->strength_bits]++;
760 curr = curr->next;
761 }
762 /*
763 * Go through the list of used strength_bits values in descending
764 * order.
765 */
766 for (i = max_strength_bits; i >= 0; i--)
767 if (number_uses[i] > 0)
768 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i,
769 co_list, head_p, tail_p);
770
771 OPENSSL_free(number_uses);
772 return(1);
773 }
774
775static int ssl_cipher_process_rulestr(const char *rule_str,
776 CIPHER_ORDER *co_list, CIPHER_ORDER **head_p,
777 CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list)
778 {
779 unsigned long algorithms, mask, algo_strength, mask_strength;
780 const char *l, *start, *buf;
781 int j, multi, found, rule, retval, ok, buflen;
782 unsigned long cipher_id = 0, ssl_version = 0;
783 char ch;
784
785 retval = 1;
786 l = rule_str;
787 for (;;)
788 {
789 ch = *l;
790
791 if (ch == '\0')
792 break; /* done */
793 if (ch == '-')
794 { rule = CIPHER_DEL; l++; }
795 else if (ch == '+')
796 { rule = CIPHER_ORD; l++; }
797 else if (ch == '!')
798 { rule = CIPHER_KILL; l++; }
799 else if (ch == '@')
800 { rule = CIPHER_SPECIAL; l++; }
801 else
802 { rule = CIPHER_ADD; }
803
804 if (ITEM_SEP(ch))
805 {
806 l++;
807 continue;
808 }
809
810 algorithms = mask = algo_strength = mask_strength = 0;
811
812 start=l;
813 for (;;)
814 {
815 ch = *l;
816 buf = l;
817 buflen = 0;
818#ifndef CHARSET_EBCDIC
819 while ( ((ch >= 'A') && (ch <= 'Z')) ||
820 ((ch >= '0') && (ch <= '9')) ||
821 ((ch >= 'a') && (ch <= 'z')) ||
822 (ch == '-'))
823#else
824 while ( isalnum(ch) || (ch == '-'))
825#endif
826 {
827 ch = *(++l);
828 buflen++;
829 }
830
831 if (buflen == 0)
832 {
833 /*
834 * We hit something we cannot deal with,
835 * it is no command or separator nor
836 * alphanumeric, so we call this an error.
837 */
838 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
839 SSL_R_INVALID_COMMAND);
840 retval = found = 0;
841 l++;
842 break;
843 }
844
845 if (rule == CIPHER_SPECIAL)
846 {
847 found = 0; /* unused -- avoid compiler warning */
848 break; /* special treatment */
849 }
850
851 /* check for multi-part specification */
852 if (ch == '+')
853 {
854 multi=1;
855 l++;
856 }
857 else
858 multi=0;
859
860 /*
861 * Now search for the cipher alias in the ca_list. Be careful
862 * with the strncmp, because the "buflen" limitation
863 * will make the rule "ADH:SOME" and the cipher
864 * "ADH-MY-CIPHER" look like a match for buflen=3.
865 * So additionally check whether the cipher name found
866 * has the correct length. We can save a strlen() call:
867 * just checking for the '\0' at the right place is
868 * sufficient, we have to strncmp() anyway. (We cannot
869 * use strcmp(), because buf is not '\0' terminated.)
870 */
871 j = found = 0;
872 cipher_id = 0;
873 ssl_version = 0;
874 while (ca_list[j])
875 {
876 if (!strncmp(buf, ca_list[j]->name, buflen) &&
877 (ca_list[j]->name[buflen] == '\0'))
878 {
879 found = 1;
880 break;
881 }
882 else
883 j++;
884 }
885 if (!found)
886 break; /* ignore this entry */
887
888 /* New algorithms:
889 * 1 - any old restrictions apply outside new mask
890 * 2 - any new restrictions apply outside old mask
891 * 3 - enforce old & new where masks intersect
892 */
893 algorithms = (algorithms & ~ca_list[j]->mask) | /* 1 */
894 (ca_list[j]->algorithms & ~mask) | /* 2 */
895 (algorithms & ca_list[j]->algorithms); /* 3 */
896 mask |= ca_list[j]->mask;
897 algo_strength = (algo_strength & ~ca_list[j]->mask_strength) |
898 (ca_list[j]->algo_strength & ~mask_strength) |
899 (algo_strength & ca_list[j]->algo_strength);
900 mask_strength |= ca_list[j]->mask_strength;
901
902 /* explicit ciphersuite found */
903 if (ca_list[j]->valid)
904 {
905 cipher_id = ca_list[j]->id;
906 ssl_version = ca_list[j]->algorithms & SSL_SSL_MASK;
907 break;
908 }
909
910 if (!multi) break;
911 }
912
913 /*
914 * Ok, we have the rule, now apply it
915 */
916 if (rule == CIPHER_SPECIAL)
917 { /* special command */
918 ok = 0;
919 if ((buflen == 8) &&
920 !strncmp(buf, "STRENGTH", 8))
921 ok = ssl_cipher_strength_sort(co_list,
922 head_p, tail_p);
923 else
924 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
925 SSL_R_INVALID_COMMAND);
926 if (ok == 0)
927 retval = 0;
928 /*
929 * We do not support any "multi" options
930 * together with "@", so throw away the
931 * rest of the command, if any left, until
932 * end or ':' is found.
933 */
934 while ((*l != '\0') && !ITEM_SEP(*l))
935 l++;
936 }
937 else if (found)
938 {
939 ssl_cipher_apply_rule(cipher_id, ssl_version, algorithms, mask,
940 algo_strength, mask_strength, rule, -1,
941 co_list, head_p, tail_p);
942 }
943 else
944 {
945 while ((*l != '\0') && !ITEM_SEP(*l))
946 l++;
947 }
948 if (*l == '\0') break; /* done */
949 }
950
951 return(retval);
952 }
953
954STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
955 STACK_OF(SSL_CIPHER) **cipher_list,
956 STACK_OF(SSL_CIPHER) **cipher_list_by_id,
957 const char *rule_str)
958 {
959 int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
960 unsigned long disabled_mask;
961 unsigned long disabled_m256;
962 STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
963 const char *rule_p;
964 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
965 SSL_CIPHER **ca_list = NULL;
966
967 /*
968 * Return with error if nothing to do.
969 */
970 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
971 return NULL;
972
973 /*
974 * To reduce the work to do we only want to process the compiled
975 * in algorithms, so we first get the mask of disabled ciphers.
976 */
977 {
978 struct disabled_masks d;
979 d = ssl_cipher_get_disabled();
980 disabled_mask = d.mask;
981 disabled_m256 = d.m256;
982 }
983
984 /*
985 * Now we have to collect the available ciphers from the compiled
986 * in ciphers. We cannot get more than the number compiled in, so
987 * it is used for allocation.
988 */
989 num_of_ciphers = ssl_method->num_ciphers();
990#ifdef KSSL_DEBUG
991 printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
992#endif /* KSSL_DEBUG */
993 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
994 if (co_list == NULL)
995 {
996 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
997 return(NULL); /* Failure */
998 }
999
1000 ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
1001 disabled_m256, co_list, &head, &tail);
1002
1003 /*
1004 * We also need cipher aliases for selecting based on the rule_str.
1005 * There might be two types of entries in the rule_str: 1) names
1006 * of ciphers themselves 2) aliases for groups of ciphers.
1007 * For 1) we need the available ciphers and for 2) the cipher
1008 * groups of cipher_aliases added together in one list (otherwise
1009 * we would be happy with just the cipher_aliases table).
1010 */
1011 num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
1012 num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
1013 ca_list =
1014 (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
1015 if (ca_list == NULL)
1016 {
1017 OPENSSL_free(co_list);
1018 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1019 return(NULL); /* Failure */
1020 }
1021 ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
1022 (disabled_mask & disabled_m256), head);
1023
1024 /*
1025 * If the rule_string begins with DEFAULT, apply the default rule
1026 * before using the (possibly available) additional rules.
1027 */
1028 ok = 1;
1029 rule_p = rule_str;
1030 if (strncmp(rule_str,"DEFAULT",7) == 0)
1031 {
1032 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
1033 co_list, &head, &tail, ca_list);
1034 rule_p += 7;
1035 if (*rule_p == ':')
1036 rule_p++;
1037 }
1038
1039 if (ok && (strlen(rule_p) > 0))
1040 ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail,
1041 ca_list);
1042
1043 OPENSSL_free(ca_list); /* Not needed anymore */
1044
1045 if (!ok)
1046 { /* Rule processing failure */
1047 OPENSSL_free(co_list);
1048 return(NULL);
1049 }
1050 /*
1051 * Allocate new "cipherstack" for the result, return with error
1052 * if we cannot get one.
1053 */
1054 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
1055 {
1056 OPENSSL_free(co_list);
1057 return(NULL);
1058 }
1059
1060 /*
1061 * The cipher selection for the list is done. The ciphers are added
1062 * to the resulting precedence to the STACK_OF(SSL_CIPHER).
1063 */
1064 for (curr = head; curr != NULL; curr = curr->next)
1065 {
1066#ifdef OPENSSL_FIPS
1067 if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
1068#else
1069 if (curr->active)
1070#endif
1071 {
1072 sk_SSL_CIPHER_push(cipherstack, curr->cipher);
1073#ifdef CIPHER_DEBUG
1074 printf("<%s>\n",curr->cipher->name);
1075#endif
1076 }
1077 }
1078 OPENSSL_free(co_list); /* Not needed any longer */
1079
1080 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1081 if (tmp_cipher_list == NULL)
1082 {
1083 sk_SSL_CIPHER_free(cipherstack);
1084 return NULL;
1085 }
1086 if (*cipher_list != NULL)
1087 sk_SSL_CIPHER_free(*cipher_list);
1088 *cipher_list = cipherstack;
1089 if (*cipher_list_by_id != NULL)
1090 sk_SSL_CIPHER_free(*cipher_list_by_id);
1091 *cipher_list_by_id = tmp_cipher_list;
1092 (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
1093
1094 return(cipherstack);
1095 }
1096
1097char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
1098 {
1099 int is_export,pkl,kl;
1100 const char *ver,*exp_str;
1101 const char *kx,*au,*enc,*mac;
1102 unsigned long alg,alg2,alg_s;
1103#ifdef KSSL_DEBUG
1104 static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n";
1105#else
1106 static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
1107#endif /* KSSL_DEBUG */
1108
1109 alg=cipher->algorithms;
1110 alg_s=cipher->algo_strength;
1111 alg2=cipher->algorithm2;
1112
1113 is_export=SSL_C_IS_EXPORT(cipher);
1114 pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
1115 kl=SSL_C_EXPORT_KEYLENGTH(cipher);
1116 exp_str=is_export?" export":"";
1117
1118 if (alg & SSL_SSLV2)
1119 ver="SSLv2";
1120 else if (alg & SSL_SSLV3)
1121 ver="SSLv3";
1122 else
1123 ver="unknown";
1124
1125 switch (alg&SSL_MKEY_MASK)
1126 {
1127 case SSL_kRSA:
1128 kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
1129 break;
1130 case SSL_kDHr:
1131 kx="DH/RSA";
1132 break;
1133 case SSL_kDHd:
1134 kx="DH/DSS";
1135 break;
1136 case SSL_kKRB5: /* VRS */
1137 case SSL_KRB5: /* VRS */
1138 kx="KRB5";
1139 break;
1140 case SSL_kFZA:
1141 kx="Fortezza";
1142 break;
1143 case SSL_kEDH:
1144 kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
1145 break;
1146 case SSL_kECDH:
1147 case SSL_kECDHE:
1148 kx=is_export?"ECDH(<=163)":"ECDH";
1149 break;
1150 default:
1151 kx="unknown";
1152 }
1153
1154 switch (alg&SSL_AUTH_MASK)
1155 {
1156 case SSL_aRSA:
1157 au="RSA";
1158 break;
1159 case SSL_aDSS:
1160 au="DSS";
1161 break;
1162 case SSL_aDH:
1163 au="DH";
1164 break;
1165 case SSL_aKRB5: /* VRS */
1166 case SSL_KRB5: /* VRS */
1167 au="KRB5";
1168 break;
1169 case SSL_aFZA:
1170 case SSL_aNULL:
1171 au="None";
1172 break;
1173 case SSL_aECDSA:
1174 au="ECDSA";
1175 break;
1176 default:
1177 au="unknown";
1178 break;
1179 }
1180
1181 switch (alg&SSL_ENC_MASK)
1182 {
1183 case SSL_DES:
1184 enc=(is_export && kl == 5)?"DES(40)":"DES(56)";
1185 break;
1186 case SSL_3DES:
1187 enc="3DES(168)";
1188 break;
1189 case SSL_RC4:
1190 enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
1191 :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
1192 break;
1193 case SSL_RC2:
1194 enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
1195 break;
1196 case SSL_IDEA:
1197 enc="IDEA(128)";
1198 break;
1199 case SSL_eFZA:
1200 enc="Fortezza";
1201 break;
1202 case SSL_eNULL:
1203 enc="None";
1204 break;
1205 case SSL_AES:
1206 switch(cipher->strength_bits)
1207 {
1208 case 128: enc="AES(128)"; break;
1209 case 192: enc="AES(192)"; break;
1210 case 256: enc="AES(256)"; break;
1211 default: enc="AES(?""?""?)"; break;
1212 }
1213 break;
1214 case SSL_CAMELLIA:
1215 switch(cipher->strength_bits)
1216 {
1217 case 128: enc="Camellia(128)"; break;
1218 case 256: enc="Camellia(256)"; break;
1219 default: enc="Camellia(?""?""?)"; break;
1220 }
1221 break;
1222 case SSL_SEED:
1223 enc="SEED(128)";
1224 break;
1225
1226 default:
1227 enc="unknown";
1228 break;
1229 }
1230
1231 switch (alg&SSL_MAC_MASK)
1232 {
1233 case SSL_MD5:
1234 mac="MD5";
1235 break;
1236 case SSL_SHA1:
1237 mac="SHA1";
1238 break;
1239 default:
1240 mac="unknown";
1241 break;
1242 }
1243
1244 if (buf == NULL)
1245 {
1246 len=128;
1247 buf=OPENSSL_malloc(len);
1248 if (buf == NULL) return("OPENSSL_malloc Error");
1249 }
1250 else if (len < 128)
1251 return("Buffer too small");
1252
1253#ifdef KSSL_DEBUG
1254 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg);
1255#else
1256 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str);
1257#endif /* KSSL_DEBUG */
1258 return(buf);
1259 }
1260
1261char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
1262 {
1263 int i;
1264
1265 if (c == NULL) return("(NONE)");
1266 i=(int)(c->id>>24L);
1267 if (i == 3)
1268 return("TLSv1/SSLv3");
1269 else if (i == 2)
1270 return("SSLv2");
1271 else
1272 return("unknown");
1273 }
1274
1275/* return the actual cipher being used */
1276const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
1277 {
1278 if (c != NULL)
1279 return(c->name);
1280 return("(NONE)");
1281 }
1282
1283/* number of bits for symmetric cipher */
1284int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1285 {
1286 int ret=0;
1287
1288 if (c != NULL)
1289 {
1290 if (alg_bits != NULL) *alg_bits = c->alg_bits;
1291 ret = c->strength_bits;
1292 }
1293 return(ret);
1294 }
1295
1296SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
1297 {
1298 SSL_COMP *ctmp;
1299 int i,nn;
1300
1301 if ((n == 0) || (sk == NULL)) return(NULL);
1302 nn=sk_SSL_COMP_num(sk);
1303 for (i=0; i<nn; i++)
1304 {
1305 ctmp=sk_SSL_COMP_value(sk,i);
1306 if (ctmp->id == n)
1307 return(ctmp);
1308 }
1309 return(NULL);
1310 }
1311
1312#ifdef OPENSSL_NO_COMP
1313void *SSL_COMP_get_compression_methods(void)
1314 {
1315 return NULL;
1316 }
1317int SSL_COMP_add_compression_method(int id, void *cm)
1318 {
1319 return 1;
1320 }
1321
1322const char *SSL_COMP_get_name(const void *comp)
1323 {
1324 return NULL;
1325 }
1326#else
1327STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
1328 {
1329 load_builtin_compressions();
1330 return(ssl_comp_methods);
1331 }
1332
1333int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
1334 {
1335 SSL_COMP *comp;
1336
1337 if (cm == NULL || cm->type == NID_undef)
1338 return 1;
1339
1340 /* According to draft-ietf-tls-compression-04.txt, the
1341 compression number ranges should be the following:
1342
1343 0 to 63: methods defined by the IETF
1344 64 to 192: external party methods assigned by IANA
1345 193 to 255: reserved for private use */
1346 if (id < 193 || id > 255)
1347 {
1348 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
1349 return 0;
1350 }
1351
1352 MemCheck_off();
1353 comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
1354 comp->id=id;
1355 comp->method=cm;
1356 load_builtin_compressions();
1357 if (ssl_comp_methods
1358 && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0)
1359 {
1360 OPENSSL_free(comp);
1361 MemCheck_on();
1362 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_DUPLICATE_COMPRESSION_ID);
1363 return(1);
1364 }
1365 else if ((ssl_comp_methods == NULL)
1366 || !sk_SSL_COMP_push(ssl_comp_methods,comp))
1367 {
1368 OPENSSL_free(comp);
1369 MemCheck_on();
1370 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
1371 return(1);
1372 }
1373 else
1374 {
1375 MemCheck_on();
1376 return(0);
1377 }
1378 }
1379
1380const char *SSL_COMP_get_name(const COMP_METHOD *comp)
1381 {
1382 if (comp)
1383 return comp->name;
1384 return NULL;
1385 }
1386
1387#endif
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
deleted file mode 100644
index 24a994fe01..0000000000
--- a/src/lib/libssl/ssl_err.c
+++ /dev/null
@@ -1,518 +0,0 @@
1/* ssl/ssl_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/ssl.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
70
71static ERR_STRING_DATA SSL_str_functs[]=
72 {
73{ERR_FUNC(SSL_F_CLIENT_CERTIFICATE), "CLIENT_CERTIFICATE"},
74{ERR_FUNC(SSL_F_CLIENT_FINISHED), "CLIENT_FINISHED"},
75{ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},
76{ERR_FUNC(SSL_F_CLIENT_MASTER_KEY), "CLIENT_MASTER_KEY"},
77{ERR_FUNC(SSL_F_D2I_SSL_SESSION), "d2i_SSL_SESSION"},
78{ERR_FUNC(SSL_F_DO_DTLS1_WRITE), "DO_DTLS1_WRITE"},
79{ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"},
80{ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"},
81{ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD), "DTLS1_BUFFER_RECORD"},
82{ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO), "DTLS1_CLIENT_HELLO"},
83{ERR_FUNC(SSL_F_DTLS1_CONNECT), "DTLS1_CONNECT"},
84{ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"},
85{ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY), "DTLS1_GET_HELLO_VERIFY"},
86{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE), "DTLS1_GET_MESSAGE"},
87{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"},
88{ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "DTLS1_GET_RECORD"},
89{ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"},
90{ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
91{ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
92{ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},
93{ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "DTLS1_READ_BYTES"},
94{ERR_FUNC(SSL_F_DTLS1_READ_FAILED), "DTLS1_READ_FAILED"},
95{ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST), "DTLS1_SEND_CERTIFICATE_REQUEST"},
96{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE), "DTLS1_SEND_CLIENT_CERTIFICATE"},
97{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE), "DTLS1_SEND_CLIENT_KEY_EXCHANGE"},
98{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_VERIFY), "DTLS1_SEND_CLIENT_VERIFY"},
99{ERR_FUNC(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST), "DTLS1_SEND_HELLO_VERIFY_REQUEST"},
100{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE), "DTLS1_SEND_SERVER_CERTIFICATE"},
101{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO), "DTLS1_SEND_SERVER_HELLO"},
102{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE), "DTLS1_SEND_SERVER_KEY_EXCHANGE"},
103{ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "DTLS1_WRITE_APP_DATA_BYTES"},
104{ERR_FUNC(SSL_F_GET_CLIENT_FINISHED), "GET_CLIENT_FINISHED"},
105{ERR_FUNC(SSL_F_GET_CLIENT_HELLO), "GET_CLIENT_HELLO"},
106{ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY), "GET_CLIENT_MASTER_KEY"},
107{ERR_FUNC(SSL_F_GET_SERVER_FINISHED), "GET_SERVER_FINISHED"},
108{ERR_FUNC(SSL_F_GET_SERVER_HELLO), "GET_SERVER_HELLO"},
109{ERR_FUNC(SSL_F_GET_SERVER_VERIFY), "GET_SERVER_VERIFY"},
110{ERR_FUNC(SSL_F_I2D_SSL_SESSION), "i2d_SSL_SESSION"},
111{ERR_FUNC(SSL_F_READ_N), "READ_N"},
112{ERR_FUNC(SSL_F_REQUEST_CERTIFICATE), "REQUEST_CERTIFICATE"},
113{ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"},
114{ERR_FUNC(SSL_F_SERVER_HELLO), "SERVER_HELLO"},
115{ERR_FUNC(SSL_F_SERVER_VERIFY), "SERVER_VERIFY"},
116{ERR_FUNC(SSL_F_SSL23_ACCEPT), "SSL23_ACCEPT"},
117{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"},
118{ERR_FUNC(SSL_F_SSL23_CONNECT), "SSL23_CONNECT"},
119{ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO), "SSL23_GET_CLIENT_HELLO"},
120{ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO), "SSL23_GET_SERVER_HELLO"},
121{ERR_FUNC(SSL_F_SSL23_PEEK), "SSL23_PEEK"},
122{ERR_FUNC(SSL_F_SSL23_READ), "SSL23_READ"},
123{ERR_FUNC(SSL_F_SSL23_WRITE), "SSL23_WRITE"},
124{ERR_FUNC(SSL_F_SSL2_ACCEPT), "SSL2_ACCEPT"},
125{ERR_FUNC(SSL_F_SSL2_CONNECT), "SSL2_CONNECT"},
126{ERR_FUNC(SSL_F_SSL2_ENC_INIT), "SSL2_ENC_INIT"},
127{ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL), "SSL2_GENERATE_KEY_MATERIAL"},
128{ERR_FUNC(SSL_F_SSL2_PEEK), "SSL2_PEEK"},
129{ERR_FUNC(SSL_F_SSL2_READ), "SSL2_READ"},
130{ERR_FUNC(SSL_F_SSL2_READ_INTERNAL), "SSL2_READ_INTERNAL"},
131{ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE), "SSL2_SET_CERTIFICATE"},
132{ERR_FUNC(SSL_F_SSL2_WRITE), "SSL2_WRITE"},
133{ERR_FUNC(SSL_F_SSL3_ACCEPT), "SSL3_ACCEPT"},
134{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
135{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
136{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
137{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
138{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
139{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
140{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
141{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"},
142{ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"},
143{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
144{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},
145{ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_STATUS"},
146{ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"},
147{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"},
148{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"},
149{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"},
150{ERR_FUNC(SSL_F_SSL3_GET_FINISHED), "SSL3_GET_FINISHED"},
151{ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"},
152{ERR_FUNC(SSL_F_SSL3_GET_MESSAGE), "SSL3_GET_MESSAGE"},
153{ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET), "SSL3_GET_NEW_SESSION_TICKET"},
154{ERR_FUNC(SSL_F_SSL3_GET_RECORD), "SSL3_GET_RECORD"},
155{ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE), "SSL3_GET_SERVER_CERTIFICATE"},
156{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "SSL3_GET_SERVER_DONE"},
157{ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "SSL3_GET_SERVER_HELLO"},
158{ERR_FUNC(SSL_F_SSL3_NEW_SESSION_TICKET), "SSL3_NEW_SESSION_TICKET"},
159{ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN), "SSL3_OUTPUT_CERT_CHAIN"},
160{ERR_FUNC(SSL_F_SSL3_PEEK), "SSL3_PEEK"},
161{ERR_FUNC(SSL_F_SSL3_READ_BYTES), "SSL3_READ_BYTES"},
162{ERR_FUNC(SSL_F_SSL3_READ_N), "SSL3_READ_N"},
163{ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"},
164{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE), "SSL3_SEND_CLIENT_CERTIFICATE"},
165{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
166{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY), "SSL3_SEND_CLIENT_VERIFY"},
167{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE), "SSL3_SEND_SERVER_CERTIFICATE"},
168{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO), "SSL3_SEND_SERVER_HELLO"},
169{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE), "SSL3_SEND_SERVER_KEY_EXCHANGE"},
170{ERR_FUNC(SSL_F_SSL3_SETUP_BUFFERS), "SSL3_SETUP_BUFFERS"},
171{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "SSL3_SETUP_KEY_BLOCK"},
172{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "SSL3_WRITE_BYTES"},
173{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"},
174{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "SSL_ADD_CLIENTHELLO_TLSEXT"},
175{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"},
176{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"},
177{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "SSL_ADD_SERVERHELLO_TLSEXT"},
178{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"},
179{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"},
180{ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"},
181{ERR_FUNC(SSL_F_SSL_CERT_INST), "SSL_CERT_INST"},
182{ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE), "SSL_CERT_INSTANTIATE"},
183{ERR_FUNC(SSL_F_SSL_CERT_NEW), "SSL_CERT_NEW"},
184{ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"},
185{ERR_FUNC(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT), "SSL_CHECK_SERVERHELLO_TLSEXT"},
186{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"},
187{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"},
188{ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"},
189{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD), "SSL_COMP_add_compression_method"},
190{ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "SSL_CREATE_CIPHER_LIST"},
191{ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"},
192{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"},
193{ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"},
194{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"},
195{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), "SSL_CTX_set_client_cert_engine"},
196{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"},
197{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"},
198{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"},
199{ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST), "SSL_CTX_set_trust"},
200{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE), "SSL_CTX_use_certificate"},
201{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1), "SSL_CTX_use_certificate_ASN1"},
202{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE), "SSL_CTX_use_certificate_chain_file"},
203{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE), "SSL_CTX_use_certificate_file"},
204{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY), "SSL_CTX_use_PrivateKey"},
205{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1), "SSL_CTX_use_PrivateKey_ASN1"},
206{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE), "SSL_CTX_use_PrivateKey_file"},
207{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY), "SSL_CTX_use_RSAPrivateKey"},
208{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1), "SSL_CTX_use_RSAPrivateKey_ASN1"},
209{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE), "SSL_CTX_use_RSAPrivateKey_file"},
210{ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"},
211{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"},
212{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"},
213{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"},
214{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"},
215{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
216{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
217{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
218{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
219{ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
220{ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
221{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
222{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
223{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
224{ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
225{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
226{ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW), "SSL_SESS_CERT_NEW"},
227{ERR_FUNC(SSL_F_SSL_SET_CERT), "SSL_SET_CERT"},
228{ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST), "SSL_set_cipher_list"},
229{ERR_FUNC(SSL_F_SSL_SET_FD), "SSL_set_fd"},
230{ERR_FUNC(SSL_F_SSL_SET_PKEY), "SSL_SET_PKEY"},
231{ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"},
232{ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"},
233{ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"},
234{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"},
235{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
236{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
237{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
238{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION), "SSL_UNDEFINED_CONST_FUNCTION"},
239{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "SSL_UNDEFINED_FUNCTION"},
240{ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION), "SSL_UNDEFINED_VOID_FUNCTION"},
241{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE), "SSL_use_certificate"},
242{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1), "SSL_use_certificate_ASN1"},
243{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE), "SSL_use_certificate_file"},
244{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY), "SSL_use_PrivateKey"},
245{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1), "SSL_use_PrivateKey_ASN1"},
246{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"},
247{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
248{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"},
249{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"},
250{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"},
251{ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
252{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"},
253{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
254{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
255{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
256{0,NULL}
257 };
258
259static ERR_STRING_DATA SSL_str_reasons[]=
260 {
261{ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"},
262{ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"},
263{ERR_REASON(SSL_R_BAD_ALERT_RECORD) ,"bad alert record"},
264{ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
265{ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
266{ERR_REASON(SSL_R_BAD_CHECKSUM) ,"bad checksum"},
267{ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),"bad data returned by callback"},
268{ERR_REASON(SSL_R_BAD_DECOMPRESSION) ,"bad decompression"},
269{ERR_REASON(SSL_R_BAD_DH_G_LENGTH) ,"bad dh g length"},
270{ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) ,"bad dh pub key length"},
271{ERR_REASON(SSL_R_BAD_DH_P_LENGTH) ,"bad dh p length"},
272{ERR_REASON(SSL_R_BAD_DIGEST_LENGTH) ,"bad digest length"},
273{ERR_REASON(SSL_R_BAD_DSA_SIGNATURE) ,"bad dsa signature"},
274{ERR_REASON(SSL_R_BAD_ECC_CERT) ,"bad ecc cert"},
275{ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE) ,"bad ecdsa signature"},
276{ERR_REASON(SSL_R_BAD_ECPOINT) ,"bad ecpoint"},
277{ERR_REASON(SSL_R_BAD_HELLO_REQUEST) ,"bad hello request"},
278{ERR_REASON(SSL_R_BAD_LENGTH) ,"bad length"},
279{ERR_REASON(SSL_R_BAD_MAC_DECODE) ,"bad mac decode"},
280{ERR_REASON(SSL_R_BAD_MESSAGE_TYPE) ,"bad message type"},
281{ERR_REASON(SSL_R_BAD_PACKET_LENGTH) ,"bad packet length"},
282{ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER),"bad protocol version number"},
283{ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) ,"bad response argument"},
284{ERR_REASON(SSL_R_BAD_RSA_DECRYPT) ,"bad rsa decrypt"},
285{ERR_REASON(SSL_R_BAD_RSA_ENCRYPT) ,"bad rsa encrypt"},
286{ERR_REASON(SSL_R_BAD_RSA_E_LENGTH) ,"bad rsa e length"},
287{ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH),"bad rsa modulus length"},
288{ERR_REASON(SSL_R_BAD_RSA_SIGNATURE) ,"bad rsa signature"},
289{ERR_REASON(SSL_R_BAD_SIGNATURE) ,"bad signature"},
290{ERR_REASON(SSL_R_BAD_SSL_FILETYPE) ,"bad ssl filetype"},
291{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
292{ERR_REASON(SSL_R_BAD_STATE) ,"bad state"},
293{ERR_REASON(SSL_R_BAD_WRITE_RETRY) ,"bad write retry"},
294{ERR_REASON(SSL_R_BIO_NOT_SET) ,"bio not set"},
295{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"},
296{ERR_REASON(SSL_R_BN_LIB) ,"bn lib"},
297{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"},
298{ERR_REASON(SSL_R_CA_DN_TOO_LONG) ,"ca dn too long"},
299{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) ,"ccs received early"},
300{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"},
301{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) ,"cert length mismatch"},
302{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"},
303{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"},
304{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"},
305{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
306{ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) ,"clienthello tlsext"},
307{ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
308{ERR_REASON(SSL_R_COMPRESSION_FAILURE) ,"compression failure"},
309{ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"},
310{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
311{ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
312{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
313{ERR_REASON(SSL_R_COOKIE_MISMATCH) ,"cookie mismatch"},
314{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
315{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
316{ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
317{ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
318{ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
319{ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"},
320{ERR_REASON(SSL_R_DUPLICATE_COMPRESSION_ID),"duplicate compression id"},
321{ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER),"ecgroup too large for cipher"},
322{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
323{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"},
324{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"},
325{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
326{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
327{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
328{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
329{ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
330{ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
331{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
332{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
333{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"},
334{ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},
335{ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"},
336{ERR_REASON(SSL_R_INVALID_TRUST) ,"invalid trust"},
337{ERR_REASON(SSL_R_KEY_ARG_TOO_LONG) ,"key arg too long"},
338{ERR_REASON(SSL_R_KRB5) ,"krb5"},
339{ERR_REASON(SSL_R_KRB5_C_CC_PRINC) ,"krb5 client cc principal (no tkt?)"},
340{ERR_REASON(SSL_R_KRB5_C_GET_CRED) ,"krb5 client get cred"},
341{ERR_REASON(SSL_R_KRB5_C_INIT) ,"krb5 client init"},
342{ERR_REASON(SSL_R_KRB5_C_MK_REQ) ,"krb5 client mk_req (expired tkt?)"},
343{ERR_REASON(SSL_R_KRB5_S_BAD_TICKET) ,"krb5 server bad ticket"},
344{ERR_REASON(SSL_R_KRB5_S_INIT) ,"krb5 server init"},
345{ERR_REASON(SSL_R_KRB5_S_RD_REQ) ,"krb5 server rd_req (keytab perms?)"},
346{ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED) ,"krb5 server tkt expired"},
347{ERR_REASON(SSL_R_KRB5_S_TKT_NYV) ,"krb5 server tkt not yet valid"},
348{ERR_REASON(SSL_R_KRB5_S_TKT_SKEW) ,"krb5 server tkt skew"},
349{ERR_REASON(SSL_R_LENGTH_MISMATCH) ,"length mismatch"},
350{ERR_REASON(SSL_R_LENGTH_TOO_SHORT) ,"length too short"},
351{ERR_REASON(SSL_R_LIBRARY_BUG) ,"library bug"},
352{ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS),"library has no ciphers"},
353{ERR_REASON(SSL_R_MESSAGE_TOO_LONG) ,"message too long"},
354{ERR_REASON(SSL_R_MISSING_DH_DSA_CERT) ,"missing dh dsa cert"},
355{ERR_REASON(SSL_R_MISSING_DH_KEY) ,"missing dh key"},
356{ERR_REASON(SSL_R_MISSING_DH_RSA_CERT) ,"missing dh rsa cert"},
357{ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
358{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
359{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
360{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},
361{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"},
362{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"},
363{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY) ,"missing tmp dh key"},
364{ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY) ,"missing tmp ecdh key"},
365{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
366{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
367{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
368{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
369{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
370{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
371{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},
372{ERR_REASON(SSL_R_NO_CERTIFICATE_SET) ,"no certificate set"},
373{ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED),"no certificate specified"},
374{ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE) ,"no ciphers available"},
375{ERR_REASON(SSL_R_NO_CIPHERS_PASSED) ,"no ciphers passed"},
376{ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED) ,"no ciphers specified"},
377{ERR_REASON(SSL_R_NO_CIPHER_LIST) ,"no cipher list"},
378{ERR_REASON(SSL_R_NO_CIPHER_MATCH) ,"no cipher match"},
379{ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) ,"no client cert method"},
380{ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
381{ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
382{ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"},
383{ERR_REASON(SSL_R_NO_PRIVATEKEY) ,"no privatekey"},
384{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
385{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
386{ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"},
387{ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
388{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
389{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
390{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
391{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
392{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
393{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
394{ERR_REASON(SSL_R_PARSE_TLSEXT) ,"parse tlsext"},
395{ERR_REASON(SSL_R_PATH_TOO_LONG) ,"path too long"},
396{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
397{ERR_REASON(SSL_R_PEER_ERROR) ,"peer error"},
398{ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE),"peer error certificate"},
399{ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE),"peer error no certificate"},
400{ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER) ,"peer error no cipher"},
401{ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"peer error unsupported certificate type"},
402{ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG),"pre mac length too long"},
403{ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS),"problems mapping cipher functions"},
404{ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN) ,"protocol is shutdown"},
405{ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR),"public key encrypt error"},
406{ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) ,"public key is not rsa"},
407{ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"},
408{ERR_REASON(SSL_R_READ_BIO_NOT_SET) ,"read bio not set"},
409{ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED) ,"read timeout expired"},
410{ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE),"read wrong packet type"},
411{ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
412{ERR_REASON(SSL_R_RECORD_TOO_LARGE) ,"record too large"},
413{ERR_REASON(SSL_R_RECORD_TOO_SMALL) ,"record too small"},
414{ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
415{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
416{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
417{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
418{ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"},
419{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
420{ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
421{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
422{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
423{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"},
424{ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME),"ssl3 ext invalid servername"},
425{ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE),"ssl3 ext invalid servername type"},
426{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG),"ssl3 session id too long"},
427{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),"ssl3 session id too short"},
428{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),"sslv3 alert bad certificate"},
429{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),"sslv3 alert bad record mac"},
430{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),"sslv3 alert certificate expired"},
431{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),"sslv3 alert certificate revoked"},
432{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),"sslv3 alert certificate unknown"},
433{ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),"sslv3 alert decompression failure"},
434{ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),"sslv3 alert handshake failure"},
435{ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),"sslv3 alert illegal parameter"},
436{ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE),"sslv3 alert no certificate"},
437{ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),"sslv3 alert unexpected message"},
438{ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),"sslv3 alert unsupported certificate"},
439{ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),"ssl ctx has no default ssl version"},
440{ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) ,"ssl handshake failure"},
441{ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),"ssl library has no ciphers"},
442{ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),"ssl session id callback failed"},
443{ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT),"ssl session id conflict"},
444{ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),"ssl session id context too long"},
445{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),"ssl session id has bad length"},
446{ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT),"ssl session id is different"},
447{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),"tlsv1 alert access denied"},
448{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR),"tlsv1 alert decode error"},
449{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
450{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
451{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
452{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
453{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
454{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
455{ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION),"tlsv1 alert protocol version"},
456{ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),"tlsv1 alert record overflow"},
457{ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA),"tlsv1 alert unknown ca"},
458{ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED),"tlsv1 alert user cancelled"},
459{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
460{ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
461{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
462{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"},
463{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"},
464{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"},
465{ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),"unable to decode ecdh certs"},
466{ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY),"unable to extract public key"},
467{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),"unable to find dh parameters"},
468{ERR_REASON(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS),"unable to find ecdh parameters"},
469{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),"unable to find public key parameters"},
470{ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),"unable to find ssl method"},
471{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES),"unable to load ssl2 md5 routines"},
472{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),"unable to load ssl3 md5 routines"},
473{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),"unable to load ssl3 sha1 routines"},
474{ERR_REASON(SSL_R_UNEXPECTED_MESSAGE) ,"unexpected message"},
475{ERR_REASON(SSL_R_UNEXPECTED_RECORD) ,"unexpected record"},
476{ERR_REASON(SSL_R_UNINITIALIZED) ,"uninitialized"},
477{ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE) ,"unknown alert type"},
478{ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
479{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
480{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE) ,"unknown cipher type"},
481{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"},
482{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE) ,"unknown pkey type"},
483{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL) ,"unknown protocol"},
484{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
485{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
486{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
487{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
488{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
489{ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},
490{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL) ,"unsupported protocol"},
491{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
492{ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),"unsupported status type"},
493{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"},
494{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
495{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) ,"wrong message type"},
496{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"},
497{ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
498{ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE) ,"wrong signature size"},
499{ERR_REASON(SSL_R_WRONG_SSL_VERSION) ,"wrong ssl version"},
500{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"},
501{ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"},
502{ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
503{0,NULL}
504 };
505
506#endif
507
508void ERR_load_SSL_strings(void)
509 {
510#ifndef OPENSSL_NO_ERR
511
512 if (ERR_func_error_string(SSL_str_functs[0].error) == NULL)
513 {
514 ERR_load_strings(0,SSL_str_functs);
515 ERR_load_strings(0,SSL_str_reasons);
516 }
517#endif
518 }
diff --git a/src/lib/libssl/ssl_err2.c b/src/lib/libssl/ssl_err2.c
deleted file mode 100644
index ea95a5f983..0000000000
--- a/src/lib/libssl/ssl_err2.c
+++ /dev/null
@@ -1,70 +0,0 @@
1/* ssl/ssl_err2.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/err.h>
61#include <openssl/ssl.h>
62
63void SSL_load_error_strings(void)
64 {
65#ifndef OPENSSL_NO_ERR
66 ERR_load_crypto_strings();
67 ERR_load_SSL_strings();
68#endif
69 }
70
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
deleted file mode 100644
index 1a961a9e9e..0000000000
--- a/src/lib/libssl/ssl_lib.c
+++ /dev/null
@@ -1,2703 +0,0 @@
1/*! \file ssl/ssl_lib.c
2 * \brief Version independent SSL functions.
3 */
4/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * All rights reserved.
6 *
7 * This package is an SSL implementation written
8 * by Eric Young (eay@cryptsoft.com).
9 * The implementation was written so as to conform with Netscapes SSL.
10 *
11 * This library is free for commercial and non-commercial use as long as
12 * the following conditions are aheared to. The following conditions
13 * apply to all code found in this distribution, be it the RC4, RSA,
14 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
15 * included with this distribution is covered by the same copyright terms
16 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
17 *
18 * Copyright remains Eric Young's, and as such any Copyright notices in
19 * the code are not to be removed.
20 * If this package is used in a product, Eric Young should be given attribution
21 * as the author of the parts of the library used.
22 * This can be in the form of a textual message at program startup or
23 * in documentation (online or textual) provided with the package.
24 *
25 * Redistribution and use in source and binary forms, with or without
26 * modification, are permitted provided that the following conditions
27 * are met:
28 * 1. Redistributions of source code must retain the copyright
29 * notice, this list of conditions and the following disclaimer.
30 * 2. Redistributions in binary form must reproduce the above copyright
31 * notice, this list of conditions and the following disclaimer in the
32 * documentation and/or other materials provided with the distribution.
33 * 3. All advertising materials mentioning features or use of this software
34 * must display the following acknowledgement:
35 * "This product includes cryptographic software written by
36 * Eric Young (eay@cryptsoft.com)"
37 * The word 'cryptographic' can be left out if the rouines from the library
38 * being used are not cryptographic related :-).
39 * 4. If you include any Windows specific code (or a derivative thereof) from
40 * the apps directory (application code) you must include an acknowledgement:
41 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
42 *
43 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
46 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
47 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
48 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
49 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
50 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * SUCH DAMAGE.
54 *
55 * The licence and distribution terms for any publically available version or
56 * derivative of this code cannot be changed. i.e. this code cannot simply be
57 * copied and put under another distribution licence
58 * [including the GNU Public Licence.]
59 */
60/* ====================================================================
61 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
62 *
63 * Redistribution and use in source and binary forms, with or without
64 * modification, are permitted provided that the following conditions
65 * are met:
66 *
67 * 1. Redistributions of source code must retain the above copyright
68 * notice, this list of conditions and the following disclaimer.
69 *
70 * 2. Redistributions in binary form must reproduce the above copyright
71 * notice, this list of conditions and the following disclaimer in
72 * the documentation and/or other materials provided with the
73 * distribution.
74 *
75 * 3. All advertising materials mentioning features or use of this
76 * software must display the following acknowledgment:
77 * "This product includes software developed by the OpenSSL Project
78 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
79 *
80 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
81 * endorse or promote products derived from this software without
82 * prior written permission. For written permission, please contact
83 * openssl-core@openssl.org.
84 *
85 * 5. Products derived from this software may not be called "OpenSSL"
86 * nor may "OpenSSL" appear in their names without prior written
87 * permission of the OpenSSL Project.
88 *
89 * 6. Redistributions of any form whatsoever must retain the following
90 * acknowledgment:
91 * "This product includes software developed by the OpenSSL Project
92 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
93 *
94 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
95 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
96 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
97 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
98 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
99 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
100 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
101 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
102 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
103 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
104 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
105 * OF THE POSSIBILITY OF SUCH DAMAGE.
106 * ====================================================================
107 *
108 * This product includes cryptographic software written by Eric Young
109 * (eay@cryptsoft.com). This product includes software written by Tim
110 * Hudson (tjh@cryptsoft.com).
111 *
112 */
113/* ====================================================================
114 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
115 * ECC cipher suite support in OpenSSL originally developed by
116 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 */
118
119#ifdef REF_CHECK
120# include <assert.h>
121#endif
122#include <stdio.h>
123#include "ssl_locl.h"
124#include "kssl_lcl.h"
125#include <openssl/objects.h>
126#include <openssl/lhash.h>
127#include <openssl/x509v3.h>
128#include <openssl/rand.h>
129#include <openssl/ocsp.h>
130#ifndef OPENSSL_NO_DH
131#include <openssl/dh.h>
132#endif
133#ifndef OPENSSL_NO_ENGINE
134#include <openssl/engine.h>
135#endif
136
137const char *SSL_version_str=OPENSSL_VERSION_TEXT;
138
139SSL3_ENC_METHOD ssl3_undef_enc_method={
140 /* evil casts, but these functions are only called if there's a library bug */
141 (int (*)(SSL *,int))ssl_undefined_function,
142 (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
143 ssl_undefined_function,
144 (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
145 (int (*)(SSL*, int))ssl_undefined_function,
146 (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function,
147 0, /* finish_mac_length */
148 (int (*)(SSL *, EVP_MD_CTX *, unsigned char *))ssl_undefined_function,
149 NULL, /* client_finished_label */
150 0, /* client_finished_label_len */
151 NULL, /* server_finished_label */
152 0, /* server_finished_label_len */
153 (int (*)(int))ssl_undefined_function
154 };
155
156int SSL_clear(SSL *s)
157 {
158
159 if (s->method == NULL)
160 {
161 SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
162 return(0);
163 }
164
165 if (ssl_clear_bad_session(s))
166 {
167 SSL_SESSION_free(s->session);
168 s->session=NULL;
169 }
170
171 s->error=0;
172 s->hit=0;
173 s->shutdown=0;
174
175#if 0 /* Disabled since version 1.10 of this file (early return not
176 * needed because SSL_clear is not called when doing renegotiation) */
177 /* This is set if we are doing dynamic renegotiation so keep
178 * the old cipher. It is sort of a SSL_clear_lite :-) */
179 if (s->new_session) return(1);
180#else
181 if (s->new_session)
182 {
183 SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
184 return 0;
185 }
186#endif
187
188 s->type=0;
189
190 s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
191
192 s->version=s->method->version;
193 s->client_version=s->version;
194 s->rwstate=SSL_NOTHING;
195 s->rstate=SSL_ST_READ_HEADER;
196#if 0
197 s->read_ahead=s->ctx->read_ahead;
198#endif
199
200 if (s->init_buf != NULL)
201 {
202 BUF_MEM_free(s->init_buf);
203 s->init_buf=NULL;
204 }
205
206 ssl_clear_cipher_ctx(s);
207
208 s->first_packet=0;
209
210#if 1
211 /* Check to see if we were changed into a different method, if
212 * so, revert back if we are not doing session-id reuse. */
213 if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method))
214 {
215 s->method->ssl_free(s);
216 s->method=s->ctx->method;
217 if (!s->method->ssl_new(s))
218 return(0);
219 }
220 else
221#endif
222 s->method->ssl_clear(s);
223 return(1);
224 }
225
226/** Used to change an SSL_CTXs default SSL method type */
227int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth)
228 {
229 STACK_OF(SSL_CIPHER) *sk;
230
231 ctx->method=meth;
232
233 sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
234 &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST);
235 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
236 {
237 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
238 return(0);
239 }
240 return(1);
241 }
242
243SSL *SSL_new(SSL_CTX *ctx)
244 {
245 SSL *s;
246
247 if (ctx == NULL)
248 {
249 SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX);
250 return(NULL);
251 }
252 if (ctx->method == NULL)
253 {
254 SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
255 return(NULL);
256 }
257
258 s=(SSL *)OPENSSL_malloc(sizeof(SSL));
259 if (s == NULL) goto err;
260 memset(s,0,sizeof(SSL));
261
262#ifndef OPENSSL_NO_KRB5
263 s->kssl_ctx = kssl_ctx_new();
264#endif /* OPENSSL_NO_KRB5 */
265
266 s->options=ctx->options;
267 s->mode=ctx->mode;
268 s->max_cert_list=ctx->max_cert_list;
269
270 if (ctx->cert != NULL)
271 {
272 /* Earlier library versions used to copy the pointer to
273 * the CERT, not its contents; only when setting new
274 * parameters for the per-SSL copy, ssl_cert_new would be
275 * called (and the direct reference to the per-SSL_CTX
276 * settings would be lost, but those still were indirectly
277 * accessed for various purposes, and for that reason they
278 * used to be known as s->ctx->default_cert).
279 * Now we don't look at the SSL_CTX's CERT after having
280 * duplicated it once. */
281
282 s->cert = ssl_cert_dup(ctx->cert);
283 if (s->cert == NULL)
284 goto err;
285 }
286 else
287 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
288
289 s->read_ahead=ctx->read_ahead;
290 s->msg_callback=ctx->msg_callback;
291 s->msg_callback_arg=ctx->msg_callback_arg;
292 s->verify_mode=ctx->verify_mode;
293#if 0
294 s->verify_depth=ctx->verify_depth;
295#endif
296 s->sid_ctx_length=ctx->sid_ctx_length;
297 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
298 memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
299 s->verify_callback=ctx->default_verify_callback;
300 s->generate_session_id=ctx->generate_session_id;
301
302 s->param = X509_VERIFY_PARAM_new();
303 if (!s->param)
304 goto err;
305 X509_VERIFY_PARAM_inherit(s->param, ctx->param);
306#if 0
307 s->purpose = ctx->purpose;
308 s->trust = ctx->trust;
309#endif
310 s->quiet_shutdown=ctx->quiet_shutdown;
311
312 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
313 s->ctx=ctx;
314#ifndef OPENSSL_NO_TLSEXT
315 s->tlsext_debug_cb = 0;
316 s->tlsext_debug_arg = NULL;
317 s->tlsext_ticket_expected = 0;
318 s->tlsext_status_type = -1;
319 s->tlsext_status_expected = 0;
320 s->tlsext_ocsp_ids = NULL;
321 s->tlsext_ocsp_exts = NULL;
322 s->tlsext_ocsp_resp = NULL;
323 s->tlsext_ocsp_resplen = -1;
324 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
325 s->initial_ctx=ctx;
326#endif
327 s->verify_result=X509_V_OK;
328
329 s->method=ctx->method;
330
331 if (!s->method->ssl_new(s))
332 goto err;
333
334 s->references=1;
335 s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
336
337 SSL_clear(s);
338
339 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
340
341 return(s);
342err:
343 if (s != NULL)
344 {
345 if (s->cert != NULL)
346 ssl_cert_free(s->cert);
347 if (s->ctx != NULL)
348 SSL_CTX_free(s->ctx); /* decrement reference count */
349 OPENSSL_free(s);
350 }
351 SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
352 return(NULL);
353 }
354
355int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
356 unsigned int sid_ctx_len)
357 {
358 if(sid_ctx_len > sizeof ctx->sid_ctx)
359 {
360 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
361 return 0;
362 }
363 ctx->sid_ctx_length=sid_ctx_len;
364 memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len);
365
366 return 1;
367 }
368
369int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
370 unsigned int sid_ctx_len)
371 {
372 if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
373 {
374 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
375 return 0;
376 }
377 ssl->sid_ctx_length=sid_ctx_len;
378 memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len);
379
380 return 1;
381 }
382
383int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
384 {
385 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
386 ctx->generate_session_id = cb;
387 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
388 return 1;
389 }
390
391int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
392 {
393 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
394 ssl->generate_session_id = cb;
395 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
396 return 1;
397 }
398
399int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
400 unsigned int id_len)
401 {
402 /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
403 * we can "construct" a session to give us the desired check - ie. to
404 * find if there's a session in the hash table that would conflict with
405 * any new session built out of this id/id_len and the ssl_version in
406 * use by this SSL. */
407 SSL_SESSION r, *p;
408
409 if(id_len > sizeof r.session_id)
410 return 0;
411
412 r.ssl_version = ssl->version;
413 r.session_id_length = id_len;
414 memcpy(r.session_id, id, id_len);
415 /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
416 * callback is calling us to check the uniqueness of a shorter ID, it
417 * must be compared as a padded-out ID because that is what it will be
418 * converted to when the callback has finished choosing it. */
419 if((r.ssl_version == SSL2_VERSION) &&
420 (id_len < SSL2_SSL_SESSION_ID_LENGTH))
421 {
422 memset(r.session_id + id_len, 0,
423 SSL2_SSL_SESSION_ID_LENGTH - id_len);
424 r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
425 }
426
427 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
428 p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r);
429 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
430 return (p != NULL);
431 }
432
433int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
434 {
435 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
436 }
437
438int SSL_set_purpose(SSL *s, int purpose)
439 {
440 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
441 }
442
443int SSL_CTX_set_trust(SSL_CTX *s, int trust)
444 {
445 return X509_VERIFY_PARAM_set_trust(s->param, trust);
446 }
447
448int SSL_set_trust(SSL *s, int trust)
449 {
450 return X509_VERIFY_PARAM_set_trust(s->param, trust);
451 }
452
453void SSL_free(SSL *s)
454 {
455 int i;
456
457 if(s == NULL)
458 return;
459
460 i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
461#ifdef REF_PRINT
462 REF_PRINT("SSL",s);
463#endif
464 if (i > 0) return;
465#ifdef REF_CHECK
466 if (i < 0)
467 {
468 fprintf(stderr,"SSL_free, bad reference count\n");
469 abort(); /* ok */
470 }
471#endif
472
473 if (s->param)
474 X509_VERIFY_PARAM_free(s->param);
475
476 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
477
478 if (s->bbio != NULL)
479 {
480 /* If the buffering BIO is in place, pop it off */
481 if (s->bbio == s->wbio)
482 {
483 s->wbio=BIO_pop(s->wbio);
484 }
485 BIO_free(s->bbio);
486 s->bbio=NULL;
487 }
488 if (s->rbio != NULL)
489 BIO_free_all(s->rbio);
490 if ((s->wbio != NULL) && (s->wbio != s->rbio))
491 BIO_free_all(s->wbio);
492
493 if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
494
495 /* add extra stuff */
496 if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list);
497 if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id);
498
499 /* Make the next call work :-) */
500 if (s->session != NULL)
501 {
502 ssl_clear_bad_session(s);
503 SSL_SESSION_free(s->session);
504 }
505
506 ssl_clear_cipher_ctx(s);
507
508 if (s->cert != NULL) ssl_cert_free(s->cert);
509 /* Free up if allocated */
510
511 if (s->ctx) SSL_CTX_free(s->ctx);
512#ifndef OPENSSL_NO_TLSEXT
513 if (s->tlsext_hostname)
514 OPENSSL_free(s->tlsext_hostname);
515 if (s->initial_ctx) SSL_CTX_free(s->initial_ctx);
516 if (s->tlsext_ocsp_exts)
517 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
518 X509_EXTENSION_free);
519 if (s->tlsext_ocsp_ids)
520 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
521 if (s->tlsext_ocsp_resp)
522 OPENSSL_free(s->tlsext_ocsp_resp);
523#endif
524 if (s->client_CA != NULL)
525 sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
526
527 if (s->method != NULL) s->method->ssl_free(s);
528
529#ifndef OPENSSL_NO_KRB5
530 if (s->kssl_ctx != NULL)
531 kssl_ctx_free(s->kssl_ctx);
532#endif /* OPENSSL_NO_KRB5 */
533
534 OPENSSL_free(s);
535 }
536
537void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
538 {
539 /* If the output buffering BIO is still in place, remove it
540 */
541 if (s->bbio != NULL)
542 {
543 if (s->wbio == s->bbio)
544 {
545 s->wbio=s->wbio->next_bio;
546 s->bbio->next_bio=NULL;
547 }
548 }
549 if ((s->rbio != NULL) && (s->rbio != rbio))
550 BIO_free_all(s->rbio);
551 if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio))
552 BIO_free_all(s->wbio);
553 s->rbio=rbio;
554 s->wbio=wbio;
555 }
556
557BIO *SSL_get_rbio(const SSL *s)
558 { return(s->rbio); }
559
560BIO *SSL_get_wbio(const SSL *s)
561 { return(s->wbio); }
562
563int SSL_get_fd(const SSL *s)
564 {
565 return(SSL_get_rfd(s));
566 }
567
568int SSL_get_rfd(const SSL *s)
569 {
570 int ret= -1;
571 BIO *b,*r;
572
573 b=SSL_get_rbio(s);
574 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
575 if (r != NULL)
576 BIO_get_fd(r,&ret);
577 return(ret);
578 }
579
580int SSL_get_wfd(const SSL *s)
581 {
582 int ret= -1;
583 BIO *b,*r;
584
585 b=SSL_get_wbio(s);
586 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
587 if (r != NULL)
588 BIO_get_fd(r,&ret);
589 return(ret);
590 }
591
592#ifndef OPENSSL_NO_SOCK
593int SSL_set_fd(SSL *s,int fd)
594 {
595 int ret=0;
596 BIO *bio=NULL;
597
598 bio=BIO_new(BIO_s_socket());
599
600 if (bio == NULL)
601 {
602 SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
603 goto err;
604 }
605 BIO_set_fd(bio,fd,BIO_NOCLOSE);
606 SSL_set_bio(s,bio,bio);
607 ret=1;
608err:
609 return(ret);
610 }
611
612int SSL_set_wfd(SSL *s,int fd)
613 {
614 int ret=0;
615 BIO *bio=NULL;
616
617 if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
618 || ((int)BIO_get_fd(s->rbio,NULL) != fd))
619 {
620 bio=BIO_new(BIO_s_socket());
621
622 if (bio == NULL)
623 { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
624 BIO_set_fd(bio,fd,BIO_NOCLOSE);
625 SSL_set_bio(s,SSL_get_rbio(s),bio);
626 }
627 else
628 SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s));
629 ret=1;
630err:
631 return(ret);
632 }
633
634int SSL_set_rfd(SSL *s,int fd)
635 {
636 int ret=0;
637 BIO *bio=NULL;
638
639 if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
640 || ((int)BIO_get_fd(s->wbio,NULL) != fd))
641 {
642 bio=BIO_new(BIO_s_socket());
643
644 if (bio == NULL)
645 {
646 SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
647 goto err;
648 }
649 BIO_set_fd(bio,fd,BIO_NOCLOSE);
650 SSL_set_bio(s,bio,SSL_get_wbio(s));
651 }
652 else
653 SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s));
654 ret=1;
655err:
656 return(ret);
657 }
658#endif
659
660
661/* return length of latest Finished message we sent, copy to 'buf' */
662size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
663 {
664 size_t ret = 0;
665
666 if (s->s3 != NULL)
667 {
668 ret = s->s3->tmp.finish_md_len;
669 if (count > ret)
670 count = ret;
671 memcpy(buf, s->s3->tmp.finish_md, count);
672 }
673 return ret;
674 }
675
676/* return length of latest Finished message we expected, copy to 'buf' */
677size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
678 {
679 size_t ret = 0;
680
681 if (s->s3 != NULL)
682 {
683 ret = s->s3->tmp.peer_finish_md_len;
684 if (count > ret)
685 count = ret;
686 memcpy(buf, s->s3->tmp.peer_finish_md, count);
687 }
688 return ret;
689 }
690
691
692int SSL_get_verify_mode(const SSL *s)
693 {
694 return(s->verify_mode);
695 }
696
697int SSL_get_verify_depth(const SSL *s)
698 {
699 return X509_VERIFY_PARAM_get_depth(s->param);
700 }
701
702int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
703 {
704 return(s->verify_callback);
705 }
706
707int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
708 {
709 return(ctx->verify_mode);
710 }
711
712int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
713 {
714 return X509_VERIFY_PARAM_get_depth(ctx->param);
715 }
716
717int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
718 {
719 return(ctx->default_verify_callback);
720 }
721
722void SSL_set_verify(SSL *s,int mode,
723 int (*callback)(int ok,X509_STORE_CTX *ctx))
724 {
725 s->verify_mode=mode;
726 if (callback != NULL)
727 s->verify_callback=callback;
728 }
729
730void SSL_set_verify_depth(SSL *s,int depth)
731 {
732 X509_VERIFY_PARAM_set_depth(s->param, depth);
733 }
734
735void SSL_set_read_ahead(SSL *s,int yes)
736 {
737 s->read_ahead=yes;
738 }
739
740int SSL_get_read_ahead(const SSL *s)
741 {
742 return(s->read_ahead);
743 }
744
745int SSL_pending(const SSL *s)
746 {
747 /* SSL_pending cannot work properly if read-ahead is enabled
748 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
749 * and it is impossible to fix since SSL_pending cannot report
750 * errors that may be observed while scanning the new data.
751 * (Note that SSL_pending() is often used as a boolean value,
752 * so we'd better not return -1.)
753 */
754 return(s->method->ssl_pending(s));
755 }
756
757X509 *SSL_get_peer_certificate(const SSL *s)
758 {
759 X509 *r;
760
761 if ((s == NULL) || (s->session == NULL))
762 r=NULL;
763 else
764 r=s->session->peer;
765
766 if (r == NULL) return(r);
767
768 CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509);
769
770 return(r);
771 }
772
773STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
774 {
775 STACK_OF(X509) *r;
776
777 if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
778 r=NULL;
779 else
780 r=s->session->sess_cert->cert_chain;
781
782 /* If we are a client, cert_chain includes the peer's own
783 * certificate; if we are a server, it does not. */
784
785 return(r);
786 }
787
788/* Now in theory, since the calling process own 't' it should be safe to
789 * modify. We need to be able to read f without being hassled */
790void SSL_copy_session_id(SSL *t,const SSL *f)
791 {
792 CERT *tmp;
793
794 /* Do we need to to SSL locking? */
795 SSL_set_session(t,SSL_get_session(f));
796
797 /* what if we are setup as SSLv2 but want to talk SSLv3 or
798 * vice-versa */
799 if (t->method != f->method)
800 {
801 t->method->ssl_free(t); /* cleanup current */
802 t->method=f->method; /* change method */
803 t->method->ssl_new(t); /* setup new */
804 }
805
806 tmp=t->cert;
807 if (f->cert != NULL)
808 {
809 CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT);
810 t->cert=f->cert;
811 }
812 else
813 t->cert=NULL;
814 if (tmp != NULL) ssl_cert_free(tmp);
815 SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length);
816 }
817
818/* Fix this so it checks all the valid key/cert options */
819int SSL_CTX_check_private_key(const SSL_CTX *ctx)
820 {
821 if ( (ctx == NULL) ||
822 (ctx->cert == NULL) ||
823 (ctx->cert->key->x509 == NULL))
824 {
825 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
826 return(0);
827 }
828 if (ctx->cert->key->privatekey == NULL)
829 {
830 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
831 return(0);
832 }
833 return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey));
834 }
835
836/* Fix this function so that it takes an optional type parameter */
837int SSL_check_private_key(const SSL *ssl)
838 {
839 if (ssl == NULL)
840 {
841 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER);
842 return(0);
843 }
844 if (ssl->cert == NULL)
845 {
846 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
847 return 0;
848 }
849 if (ssl->cert->key->x509 == NULL)
850 {
851 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
852 return(0);
853 }
854 if (ssl->cert->key->privatekey == NULL)
855 {
856 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
857 return(0);
858 }
859 return(X509_check_private_key(ssl->cert->key->x509,
860 ssl->cert->key->privatekey));
861 }
862
863int SSL_accept(SSL *s)
864 {
865 if (s->handshake_func == 0)
866 /* Not properly initialized yet */
867 SSL_set_accept_state(s);
868
869 return(s->method->ssl_accept(s));
870 }
871
872int SSL_connect(SSL *s)
873 {
874 if (s->handshake_func == 0)
875 /* Not properly initialized yet */
876 SSL_set_connect_state(s);
877
878 return(s->method->ssl_connect(s));
879 }
880
881long SSL_get_default_timeout(const SSL *s)
882 {
883 return(s->method->get_timeout());
884 }
885
886int SSL_read(SSL *s,void *buf,int num)
887 {
888 if (s->handshake_func == 0)
889 {
890 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
891 return -1;
892 }
893
894 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
895 {
896 s->rwstate=SSL_NOTHING;
897 return(0);
898 }
899 return(s->method->ssl_read(s,buf,num));
900 }
901
902int SSL_peek(SSL *s,void *buf,int num)
903 {
904 if (s->handshake_func == 0)
905 {
906 SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED);
907 return -1;
908 }
909
910 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
911 {
912 return(0);
913 }
914 return(s->method->ssl_peek(s,buf,num));
915 }
916
917int SSL_write(SSL *s,const void *buf,int num)
918 {
919 if (s->handshake_func == 0)
920 {
921 SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
922 return -1;
923 }
924
925 if (s->shutdown & SSL_SENT_SHUTDOWN)
926 {
927 s->rwstate=SSL_NOTHING;
928 SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN);
929 return(-1);
930 }
931 return(s->method->ssl_write(s,buf,num));
932 }
933
934int SSL_shutdown(SSL *s)
935 {
936 /* Note that this function behaves differently from what one might
937 * expect. Return values are 0 for no success (yet),
938 * 1 for success; but calling it once is usually not enough,
939 * even if blocking I/O is used (see ssl3_shutdown).
940 */
941
942 if (s->handshake_func == 0)
943 {
944 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
945 return -1;
946 }
947
948 if ((s != NULL) && !SSL_in_init(s))
949 return(s->method->ssl_shutdown(s));
950 else
951 return(1);
952 }
953
954int SSL_renegotiate(SSL *s)
955 {
956 if (s->new_session == 0)
957 {
958 s->new_session=1;
959 }
960 return(s->method->ssl_renegotiate(s));
961 }
962
963int SSL_renegotiate_pending(SSL *s)
964 {
965 /* becomes true when negotiation is requested;
966 * false again once a handshake has finished */
967 return (s->new_session != 0);
968 }
969
970long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
971 {
972 long l;
973
974 switch (cmd)
975 {
976 case SSL_CTRL_GET_READ_AHEAD:
977 return(s->read_ahead);
978 case SSL_CTRL_SET_READ_AHEAD:
979 l=s->read_ahead;
980 s->read_ahead=larg;
981 return(l);
982
983 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
984 s->msg_callback_arg = parg;
985 return 1;
986
987 case SSL_CTRL_OPTIONS:
988 return(s->options|=larg);
989 case SSL_CTRL_MODE:
990 return(s->mode|=larg);
991 case SSL_CTRL_GET_MAX_CERT_LIST:
992 return(s->max_cert_list);
993 case SSL_CTRL_SET_MAX_CERT_LIST:
994 l=s->max_cert_list;
995 s->max_cert_list=larg;
996 return(l);
997 case SSL_CTRL_SET_MTU:
998 if (SSL_version(s) == DTLS1_VERSION)
999 {
1000 s->d1->mtu = larg;
1001 return larg;
1002 }
1003 return 0;
1004 default:
1005 return(s->method->ssl_ctrl(s,cmd,larg,parg));
1006 }
1007 }
1008
1009long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1010 {
1011 switch(cmd)
1012 {
1013 case SSL_CTRL_SET_MSG_CALLBACK:
1014 s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
1015 return 1;
1016
1017 default:
1018 return(s->method->ssl_callback_ctrl(s,cmd,fp));
1019 }
1020 }
1021
1022struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx)
1023 {
1024 return ctx->sessions;
1025 }
1026
1027long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
1028 {
1029 long l;
1030
1031 switch (cmd)
1032 {
1033 case SSL_CTRL_GET_READ_AHEAD:
1034 return(ctx->read_ahead);
1035 case SSL_CTRL_SET_READ_AHEAD:
1036 l=ctx->read_ahead;
1037 ctx->read_ahead=larg;
1038 return(l);
1039
1040 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1041 ctx->msg_callback_arg = parg;
1042 return 1;
1043
1044 case SSL_CTRL_GET_MAX_CERT_LIST:
1045 return(ctx->max_cert_list);
1046 case SSL_CTRL_SET_MAX_CERT_LIST:
1047 l=ctx->max_cert_list;
1048 ctx->max_cert_list=larg;
1049 return(l);
1050
1051 case SSL_CTRL_SET_SESS_CACHE_SIZE:
1052 l=ctx->session_cache_size;
1053 ctx->session_cache_size=larg;
1054 return(l);
1055 case SSL_CTRL_GET_SESS_CACHE_SIZE:
1056 return(ctx->session_cache_size);
1057 case SSL_CTRL_SET_SESS_CACHE_MODE:
1058 l=ctx->session_cache_mode;
1059 ctx->session_cache_mode=larg;
1060 return(l);
1061 case SSL_CTRL_GET_SESS_CACHE_MODE:
1062 return(ctx->session_cache_mode);
1063
1064 case SSL_CTRL_SESS_NUMBER:
1065 return(ctx->sessions->num_items);
1066 case SSL_CTRL_SESS_CONNECT:
1067 return(ctx->stats.sess_connect);
1068 case SSL_CTRL_SESS_CONNECT_GOOD:
1069 return(ctx->stats.sess_connect_good);
1070 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
1071 return(ctx->stats.sess_connect_renegotiate);
1072 case SSL_CTRL_SESS_ACCEPT:
1073 return(ctx->stats.sess_accept);
1074 case SSL_CTRL_SESS_ACCEPT_GOOD:
1075 return(ctx->stats.sess_accept_good);
1076 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
1077 return(ctx->stats.sess_accept_renegotiate);
1078 case SSL_CTRL_SESS_HIT:
1079 return(ctx->stats.sess_hit);
1080 case SSL_CTRL_SESS_CB_HIT:
1081 return(ctx->stats.sess_cb_hit);
1082 case SSL_CTRL_SESS_MISSES:
1083 return(ctx->stats.sess_miss);
1084 case SSL_CTRL_SESS_TIMEOUTS:
1085 return(ctx->stats.sess_timeout);
1086 case SSL_CTRL_SESS_CACHE_FULL:
1087 return(ctx->stats.sess_cache_full);
1088 case SSL_CTRL_OPTIONS:
1089 return(ctx->options|=larg);
1090 case SSL_CTRL_MODE:
1091 return(ctx->mode|=larg);
1092 default:
1093 return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
1094 }
1095 }
1096
1097long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1098 {
1099 switch(cmd)
1100 {
1101 case SSL_CTRL_SET_MSG_CALLBACK:
1102 ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
1103 return 1;
1104
1105 default:
1106 return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
1107 }
1108 }
1109
1110int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
1111 {
1112 long l;
1113
1114 l=a->id-b->id;
1115 if (l == 0L)
1116 return(0);
1117 else
1118 return((l > 0)?1:-1);
1119 }
1120
1121int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
1122 const SSL_CIPHER * const *bp)
1123 {
1124 long l;
1125
1126 l=(*ap)->id-(*bp)->id;
1127 if (l == 0L)
1128 return(0);
1129 else
1130 return((l > 0)?1:-1);
1131 }
1132
1133/** return a STACK of the ciphers available for the SSL and in order of
1134 * preference */
1135STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
1136 {
1137 if (s != NULL)
1138 {
1139 if (s->cipher_list != NULL)
1140 {
1141 return(s->cipher_list);
1142 }
1143 else if ((s->ctx != NULL) &&
1144 (s->ctx->cipher_list != NULL))
1145 {
1146 return(s->ctx->cipher_list);
1147 }
1148 }
1149 return(NULL);
1150 }
1151
1152/** return a STACK of the ciphers available for the SSL and in order of
1153 * algorithm id */
1154STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
1155 {
1156 if (s != NULL)
1157 {
1158 if (s->cipher_list_by_id != NULL)
1159 {
1160 return(s->cipher_list_by_id);
1161 }
1162 else if ((s->ctx != NULL) &&
1163 (s->ctx->cipher_list_by_id != NULL))
1164 {
1165 return(s->ctx->cipher_list_by_id);
1166 }
1167 }
1168 return(NULL);
1169 }
1170
1171/** The old interface to get the same thing as SSL_get_ciphers() */
1172const char *SSL_get_cipher_list(const SSL *s,int n)
1173 {
1174 SSL_CIPHER *c;
1175 STACK_OF(SSL_CIPHER) *sk;
1176
1177 if (s == NULL) return(NULL);
1178 sk=SSL_get_ciphers(s);
1179 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
1180 return(NULL);
1181 c=sk_SSL_CIPHER_value(sk,n);
1182 if (c == NULL) return(NULL);
1183 return(c->name);
1184 }
1185
1186/** specify the ciphers to be used by default by the SSL_CTX */
1187int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1188 {
1189 STACK_OF(SSL_CIPHER) *sk;
1190
1191 sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
1192 &ctx->cipher_list_by_id,str);
1193 /* ssl_create_cipher_list may return an empty stack if it
1194 * was unable to find a cipher matching the given rule string
1195 * (for example if the rule string specifies a cipher which
1196 * has been disabled). This is not an error as far as
1197 * ssl_create_cipher_list is concerned, and hence
1198 * ctx->cipher_list and ctx->cipher_list_by_id has been
1199 * updated. */
1200 if (sk == NULL)
1201 return 0;
1202 else if (sk_SSL_CIPHER_num(sk) == 0)
1203 {
1204 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1205 return 0;
1206 }
1207 return 1;
1208 }
1209
1210/** specify the ciphers to be used by the SSL */
1211int SSL_set_cipher_list(SSL *s,const char *str)
1212 {
1213 STACK_OF(SSL_CIPHER) *sk;
1214
1215 sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
1216 &s->cipher_list_by_id,str);
1217 /* see comment in SSL_CTX_set_cipher_list */
1218 if (sk == NULL)
1219 return 0;
1220 else if (sk_SSL_CIPHER_num(sk) == 0)
1221 {
1222 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1223 return 0;
1224 }
1225 return 1;
1226 }
1227
1228/* works well for SSLv2, not so good for SSLv3 */
1229char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
1230 {
1231 char *end;
1232 STACK_OF(SSL_CIPHER) *sk;
1233 SSL_CIPHER *c;
1234 size_t curlen = 0;
1235 int i;
1236
1237 if ((s->session == NULL) || (s->session->ciphers == NULL) ||
1238 (len < 2))
1239 return(NULL);
1240
1241 sk=s->session->ciphers;
1242 buf[0] = '\0';
1243 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1244 {
1245 c=sk_SSL_CIPHER_value(sk,i);
1246 end = buf + curlen;
1247 if (strlcat(buf, c->name, len) >= len ||
1248 (curlen = strlcat(buf, ":", len)) >= len)
1249 {
1250 /* remove truncated cipher from list */
1251 *end = '\0';
1252 break;
1253 }
1254 }
1255 /* remove trailing colon */
1256 if ((end = strrchr(buf, ':')) != NULL)
1257 *end = '\0';
1258 return(buf);
1259 }
1260
1261int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
1262 int (*put_cb)(const SSL_CIPHER *, unsigned char *))
1263 {
1264 int i,j=0;
1265 SSL_CIPHER *c;
1266 unsigned char *q;
1267#ifndef OPENSSL_NO_KRB5
1268 int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
1269#endif /* OPENSSL_NO_KRB5 */
1270
1271 if (sk == NULL) return(0);
1272 q=p;
1273
1274 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1275 {
1276 c=sk_SSL_CIPHER_value(sk,i);
1277#ifndef OPENSSL_NO_KRB5
1278 if ((c->algorithms & SSL_KRB5) && nokrb5)
1279 continue;
1280#endif /* OPENSSL_NO_KRB5 */
1281
1282 j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
1283 p+=j;
1284 }
1285 return(p-q);
1286 }
1287
1288STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
1289 STACK_OF(SSL_CIPHER) **skp)
1290 {
1291 SSL_CIPHER *c;
1292 STACK_OF(SSL_CIPHER) *sk;
1293 int i,n;
1294
1295 n=ssl_put_cipher_by_char(s,NULL,NULL);
1296 if ((num%n) != 0)
1297 {
1298 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
1299 return(NULL);
1300 }
1301 if ((skp == NULL) || (*skp == NULL))
1302 sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */
1303 else
1304 {
1305 sk= *skp;
1306 sk_SSL_CIPHER_zero(sk);
1307 }
1308
1309 for (i=0; i<num; i+=n)
1310 {
1311 c=ssl_get_cipher_by_char(s,p);
1312 p+=n;
1313 if (c != NULL)
1314 {
1315 if (!sk_SSL_CIPHER_push(sk,c))
1316 {
1317 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1318 goto err;
1319 }
1320 }
1321 }
1322
1323 if (skp != NULL)
1324 *skp=sk;
1325 return(sk);
1326err:
1327 if ((skp == NULL) || (*skp == NULL))
1328 sk_SSL_CIPHER_free(sk);
1329 return(NULL);
1330 }
1331
1332#ifndef OPENSSL_NO_TLSEXT
1333/** return a servername extension value if provided in Client Hello, or NULL.
1334 * So far, only host_name types are defined (RFC 3546).
1335 */
1336
1337const char *SSL_get_servername(const SSL *s, const int type)
1338 {
1339 if (type != TLSEXT_NAMETYPE_host_name)
1340 return NULL;
1341
1342 return s->session && !s->tlsext_hostname ?
1343 s->session->tlsext_hostname :
1344 s->tlsext_hostname;
1345 }
1346
1347int SSL_get_servername_type(const SSL *s)
1348 {
1349 if (s->session && (!s->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname))
1350 return TLSEXT_NAMETYPE_host_name;
1351 return -1;
1352 }
1353#endif
1354
1355unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
1356 {
1357 unsigned long l;
1358
1359 l=(unsigned long)
1360 ((unsigned int) a->session_id[0] )|
1361 ((unsigned int) a->session_id[1]<< 8L)|
1362 ((unsigned long)a->session_id[2]<<16L)|
1363 ((unsigned long)a->session_id[3]<<24L);
1364 return(l);
1365 }
1366
1367/* NB: If this function (or indeed the hash function which uses a sort of
1368 * coarser function than this one) is changed, ensure
1369 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
1370 * able to construct an SSL_SESSION that will collide with any existing session
1371 * with a matching session ID. */
1372int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
1373 {
1374 if (a->ssl_version != b->ssl_version)
1375 return(1);
1376 if (a->session_id_length != b->session_id_length)
1377 return(1);
1378 return(memcmp(a->session_id,b->session_id,a->session_id_length));
1379 }
1380
1381/* These wrapper functions should remain rather than redeclaring
1382 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
1383 * variable. The reason is that the functions aren't static, they're exposed via
1384 * ssl.h. */
1385static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *)
1386static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *)
1387
1388SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
1389 {
1390 SSL_CTX *ret=NULL;
1391
1392 if (meth == NULL)
1393 {
1394 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
1395 return(NULL);
1396 }
1397
1398#ifdef OPENSSL_FIPS
1399 if (FIPS_mode() && (meth->version < TLS1_VERSION))
1400 {
1401 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
1402 return NULL;
1403 }
1404#endif
1405
1406 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1407 {
1408 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
1409 goto err;
1410 }
1411 ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX));
1412 if (ret == NULL)
1413 goto err;
1414
1415 memset(ret,0,sizeof(SSL_CTX));
1416
1417 ret->method=meth;
1418
1419 ret->cert_store=NULL;
1420 ret->session_cache_mode=SSL_SESS_CACHE_SERVER;
1421 ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
1422 ret->session_cache_head=NULL;
1423 ret->session_cache_tail=NULL;
1424
1425 /* We take the system default */
1426 ret->session_timeout=meth->get_timeout();
1427
1428 ret->new_session_cb=0;
1429 ret->remove_session_cb=0;
1430 ret->get_session_cb=0;
1431 ret->generate_session_id=0;
1432
1433 memset((char *)&ret->stats,0,sizeof(ret->stats));
1434
1435 ret->references=1;
1436 ret->quiet_shutdown=0;
1437
1438/* ret->cipher=NULL;*/
1439/* ret->s2->challenge=NULL;
1440 ret->master_key=NULL;
1441 ret->key_arg=NULL;
1442 ret->s2->conn_id=NULL; */
1443
1444 ret->info_callback=NULL;
1445
1446 ret->app_verify_callback=0;
1447 ret->app_verify_arg=NULL;
1448
1449 ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT;
1450 ret->read_ahead=0;
1451 ret->msg_callback=0;
1452 ret->msg_callback_arg=NULL;
1453 ret->verify_mode=SSL_VERIFY_NONE;
1454#if 0
1455 ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
1456#endif
1457 ret->sid_ctx_length=0;
1458 ret->default_verify_callback=NULL;
1459 if ((ret->cert=ssl_cert_new()) == NULL)
1460 goto err;
1461
1462 ret->default_passwd_callback=0;
1463 ret->default_passwd_callback_userdata=NULL;
1464 ret->client_cert_cb=0;
1465 ret->app_gen_cookie_cb=0;
1466 ret->app_verify_cookie_cb=0;
1467
1468 ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash),
1469 LHASH_COMP_FN(SSL_SESSION_cmp));
1470 if (ret->sessions == NULL) goto err;
1471 ret->cert_store=X509_STORE_new();
1472 if (ret->cert_store == NULL) goto err;
1473
1474 ssl_create_cipher_list(ret->method,
1475 &ret->cipher_list,&ret->cipher_list_by_id,
1476 SSL_DEFAULT_CIPHER_LIST);
1477 if (ret->cipher_list == NULL
1478 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
1479 {
1480 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
1481 goto err2;
1482 }
1483
1484 ret->param = X509_VERIFY_PARAM_new();
1485 if (!ret->param)
1486 goto err;
1487
1488 if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
1489 {
1490 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
1491 goto err2;
1492 }
1493 if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
1494 {
1495 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
1496 goto err2;
1497 }
1498 if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL)
1499 {
1500 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
1501 goto err2;
1502 }
1503
1504 if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
1505 goto err;
1506
1507 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
1508
1509 ret->extra_certs=NULL;
1510 ret->comp_methods=SSL_COMP_get_compression_methods();
1511
1512#ifndef OPENSSL_NO_TLSEXT
1513 ret->tlsext_servername_callback = 0;
1514 ret->tlsext_servername_arg = NULL;
1515 /* Setup RFC4507 ticket keys */
1516 if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
1517 || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
1518 || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
1519 ret->options |= SSL_OP_NO_TICKET;
1520
1521 ret->tlsext_status_cb = 0;
1522 ret->tlsext_status_arg = NULL;
1523
1524#endif
1525
1526#ifndef OPENSSL_NO_ENGINE
1527 ret->client_cert_engine = NULL;
1528#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
1529#define eng_strx(x) #x
1530#define eng_str(x) eng_strx(x)
1531 /* Use specific client engine automatically... ignore errors */
1532 {
1533 ENGINE *eng;
1534 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
1535 if (!eng)
1536 {
1537 ERR_clear_error();
1538 ENGINE_load_builtin_engines();
1539 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
1540 }
1541 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
1542 ERR_clear_error();
1543 }
1544#endif
1545#endif
1546
1547 return(ret);
1548err:
1549 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
1550err2:
1551 if (ret != NULL) SSL_CTX_free(ret);
1552 return(NULL);
1553 }
1554
1555#if 0
1556static void SSL_COMP_free(SSL_COMP *comp)
1557 { OPENSSL_free(comp); }
1558#endif
1559
1560void SSL_CTX_free(SSL_CTX *a)
1561 {
1562 int i;
1563
1564 if (a == NULL) return;
1565
1566 i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX);
1567#ifdef REF_PRINT
1568 REF_PRINT("SSL_CTX",a);
1569#endif
1570 if (i > 0) return;
1571#ifdef REF_CHECK
1572 if (i < 0)
1573 {
1574 fprintf(stderr,"SSL_CTX_free, bad reference count\n");
1575 abort(); /* ok */
1576 }
1577#endif
1578
1579 if (a->param)
1580 X509_VERIFY_PARAM_free(a->param);
1581
1582 /*
1583 * Free internal session cache. However: the remove_cb() may reference
1584 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
1585 * after the sessions were flushed.
1586 * As the ex_data handling routines might also touch the session cache,
1587 * the most secure solution seems to be: empty (flush) the cache, then
1588 * free ex_data, then finally free the cache.
1589 * (See ticket [openssl.org #212].)
1590 */
1591 if (a->sessions != NULL)
1592 SSL_CTX_flush_sessions(a,0);
1593
1594 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
1595
1596 if (a->sessions != NULL)
1597 lh_free(a->sessions);
1598
1599 if (a->cert_store != NULL)
1600 X509_STORE_free(a->cert_store);
1601 if (a->cipher_list != NULL)
1602 sk_SSL_CIPHER_free(a->cipher_list);
1603 if (a->cipher_list_by_id != NULL)
1604 sk_SSL_CIPHER_free(a->cipher_list_by_id);
1605 if (a->cert != NULL)
1606 ssl_cert_free(a->cert);
1607 if (a->client_CA != NULL)
1608 sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
1609 if (a->extra_certs != NULL)
1610 sk_X509_pop_free(a->extra_certs,X509_free);
1611#if 0 /* This should never be done, since it removes a global database */
1612 if (a->comp_methods != NULL)
1613 sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
1614#else
1615 a->comp_methods = NULL;
1616#endif
1617#ifndef OPENSSL_NO_ENGINE
1618 if (a->client_cert_engine)
1619 ENGINE_finish(a->client_cert_engine);
1620#endif
1621 OPENSSL_free(a);
1622 }
1623
1624void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
1625 {
1626 ctx->default_passwd_callback=cb;
1627 }
1628
1629void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
1630 {
1631 ctx->default_passwd_callback_userdata=u;
1632 }
1633
1634void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg)
1635 {
1636 ctx->app_verify_callback=cb;
1637 ctx->app_verify_arg=arg;
1638 }
1639
1640void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
1641 {
1642 ctx->verify_mode=mode;
1643 ctx->default_verify_callback=cb;
1644 }
1645
1646void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
1647 {
1648 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
1649 }
1650
1651void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
1652 {
1653 CERT_PKEY *cpk;
1654 int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
1655 int rsa_enc_export,dh_rsa_export,dh_dsa_export;
1656 int rsa_tmp_export,dh_tmp_export,kl;
1657 unsigned long mask,emask;
1658 int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
1659#ifndef OPENSSL_NO_ECDH
1660 int have_ecdh_tmp;
1661#endif
1662 X509 *x = NULL;
1663 EVP_PKEY *ecc_pkey = NULL;
1664 int signature_nid = 0;
1665
1666 if (c == NULL) return;
1667
1668 kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
1669
1670#ifndef OPENSSL_NO_RSA
1671 rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
1672 rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
1673 (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
1674#else
1675 rsa_tmp=rsa_tmp_export=0;
1676#endif
1677#ifndef OPENSSL_NO_DH
1678 dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
1679 dh_tmp_export=(c->dh_tmp_cb != NULL ||
1680 (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
1681#else
1682 dh_tmp=dh_tmp_export=0;
1683#endif
1684
1685#ifndef OPENSSL_NO_ECDH
1686 have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
1687#endif
1688 cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
1689 rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
1690 rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1691 cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
1692 rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
1693 cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
1694 dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
1695 cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
1696 dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
1697 dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1698 cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
1699/* FIX THIS EAY EAY EAY */
1700 dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
1701 dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1702 cpk= &(c->pkeys[SSL_PKEY_ECC]);
1703 have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
1704 mask=0;
1705 emask=0;
1706
1707#ifdef CIPHER_DEBUG
1708 printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
1709 rsa_tmp,rsa_tmp_export,dh_tmp,
1710 rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
1711#endif
1712
1713 if (rsa_enc || (rsa_tmp && rsa_sign))
1714 mask|=SSL_kRSA;
1715 if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
1716 emask|=SSL_kRSA;
1717
1718#if 0
1719 /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
1720 if ( (dh_tmp || dh_rsa || dh_dsa) &&
1721 (rsa_enc || rsa_sign || dsa_sign))
1722 mask|=SSL_kEDH;
1723 if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
1724 (rsa_enc || rsa_sign || dsa_sign))
1725 emask|=SSL_kEDH;
1726#endif
1727
1728 if (dh_tmp_export)
1729 emask|=SSL_kEDH;
1730
1731 if (dh_tmp)
1732 mask|=SSL_kEDH;
1733
1734 if (dh_rsa) mask|=SSL_kDHr;
1735 if (dh_rsa_export) emask|=SSL_kDHr;
1736
1737 if (dh_dsa) mask|=SSL_kDHd;
1738 if (dh_dsa_export) emask|=SSL_kDHd;
1739
1740 if (rsa_enc || rsa_sign)
1741 {
1742 mask|=SSL_aRSA;
1743 emask|=SSL_aRSA;
1744 }
1745
1746 if (dsa_sign)
1747 {
1748 mask|=SSL_aDSS;
1749 emask|=SSL_aDSS;
1750 }
1751
1752 mask|=SSL_aNULL;
1753 emask|=SSL_aNULL;
1754
1755#ifndef OPENSSL_NO_KRB5
1756 mask|=SSL_kKRB5|SSL_aKRB5;
1757 emask|=SSL_kKRB5|SSL_aKRB5;
1758#endif
1759
1760 /* An ECC certificate may be usable for ECDH and/or
1761 * ECDSA cipher suites depending on the key usage extension.
1762 */
1763 if (have_ecc_cert)
1764 {
1765 /* This call populates extension flags (ex_flags) */
1766 x = (c->pkeys[SSL_PKEY_ECC]).x509;
1767 X509_check_purpose(x, -1, 0);
1768 ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
1769 (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
1770 ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
1771 (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
1772 ecc_pkey = X509_get_pubkey(x);
1773 ecc_pkey_size = (ecc_pkey != NULL) ?
1774 EVP_PKEY_bits(ecc_pkey) : 0;
1775 EVP_PKEY_free(ecc_pkey);
1776 if ((x->sig_alg) && (x->sig_alg->algorithm))
1777 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
1778#ifndef OPENSSL_NO_ECDH
1779 if (ecdh_ok)
1780 {
1781 if ((signature_nid == NID_md5WithRSAEncryption) ||
1782 (signature_nid == NID_md4WithRSAEncryption) ||
1783 (signature_nid == NID_md2WithRSAEncryption))
1784 {
1785 mask|=SSL_kECDH|SSL_aRSA;
1786 if (ecc_pkey_size <= 163)
1787 emask|=SSL_kECDH|SSL_aRSA;
1788 }
1789 if (signature_nid == NID_ecdsa_with_SHA1)
1790 {
1791 mask|=SSL_kECDH|SSL_aECDSA;
1792 if (ecc_pkey_size <= 163)
1793 emask|=SSL_kECDH|SSL_aECDSA;
1794 }
1795 }
1796#endif
1797#ifndef OPENSSL_NO_ECDSA
1798 if (ecdsa_ok)
1799 {
1800 mask|=SSL_aECDSA;
1801 emask|=SSL_aECDSA;
1802 }
1803#endif
1804 }
1805
1806#ifndef OPENSSL_NO_ECDH
1807 if (have_ecdh_tmp)
1808 {
1809 mask|=SSL_kECDHE;
1810 emask|=SSL_kECDHE;
1811 }
1812#endif
1813 c->mask=mask;
1814 c->export_mask=emask;
1815 c->valid=1;
1816 }
1817
1818/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
1819#define ku_reject(x, usage) \
1820 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
1821
1822int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
1823 {
1824 unsigned long alg = cs->algorithms;
1825 EVP_PKEY *pkey = NULL;
1826 int keysize = 0;
1827 int signature_nid = 0;
1828
1829 if (SSL_C_IS_EXPORT(cs))
1830 {
1831 /* ECDH key length in export ciphers must be <= 163 bits */
1832 pkey = X509_get_pubkey(x);
1833 if (pkey == NULL) return 0;
1834 keysize = EVP_PKEY_bits(pkey);
1835 EVP_PKEY_free(pkey);
1836 if (keysize > 163) return 0;
1837 }
1838
1839 /* This call populates the ex_flags field correctly */
1840 X509_check_purpose(x, -1, 0);
1841 if ((x->sig_alg) && (x->sig_alg->algorithm))
1842 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
1843 if (alg & SSL_kECDH)
1844 {
1845 /* key usage, if present, must allow key agreement */
1846 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
1847 {
1848 return 0;
1849 }
1850 if (alg & SSL_aECDSA)
1851 {
1852 /* signature alg must be ECDSA */
1853 if (signature_nid != NID_ecdsa_with_SHA1)
1854 {
1855 return 0;
1856 }
1857 }
1858 if (alg & SSL_aRSA)
1859 {
1860 /* signature alg must be RSA */
1861 if ((signature_nid != NID_md5WithRSAEncryption) &&
1862 (signature_nid != NID_md4WithRSAEncryption) &&
1863 (signature_nid != NID_md2WithRSAEncryption))
1864 {
1865 return 0;
1866 }
1867 }
1868 }
1869 else if (alg & SSL_aECDSA)
1870 {
1871 /* key usage, if present, must allow signing */
1872 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
1873 {
1874 return 0;
1875 }
1876 }
1877
1878 return 1; /* all checks are ok */
1879 }
1880
1881/* THIS NEEDS CLEANING UP */
1882X509 *ssl_get_server_send_cert(SSL *s)
1883 {
1884 unsigned long alg,mask,kalg;
1885 CERT *c;
1886 int i,is_export;
1887
1888 c=s->cert;
1889 ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
1890 alg=s->s3->tmp.new_cipher->algorithms;
1891 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
1892 mask=is_export?c->export_mask:c->mask;
1893 kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
1894
1895 if (kalg & SSL_kECDH)
1896 {
1897 /* we don't need to look at SSL_kECDHE
1898 * since no certificate is needed for
1899 * anon ECDH and for authenticated
1900 * ECDHE, the check for the auth
1901 * algorithm will set i correctly
1902 * NOTE: For ECDH-RSA, we need an ECC
1903 * not an RSA cert but for ECDHE-RSA
1904 * we need an RSA cert. Placing the
1905 * checks for SSL_kECDH before RSA
1906 * checks ensures the correct cert is chosen.
1907 */
1908 i=SSL_PKEY_ECC;
1909 }
1910 else if (kalg & SSL_aECDSA)
1911 {
1912 i=SSL_PKEY_ECC;
1913 }
1914 else if (kalg & SSL_kDHr)
1915 i=SSL_PKEY_DH_RSA;
1916 else if (kalg & SSL_kDHd)
1917 i=SSL_PKEY_DH_DSA;
1918 else if (kalg & SSL_aDSS)
1919 i=SSL_PKEY_DSA_SIGN;
1920 else if (kalg & SSL_aRSA)
1921 {
1922 if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
1923 i=SSL_PKEY_RSA_SIGN;
1924 else
1925 i=SSL_PKEY_RSA_ENC;
1926 }
1927 else if (kalg & SSL_aKRB5)
1928 {
1929 /* VRS something else here? */
1930 return(NULL);
1931 }
1932 else /* if (kalg & SSL_aNULL) */
1933 {
1934 SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
1935 return(NULL);
1936 }
1937 if (c->pkeys[i].x509 == NULL) return(NULL);
1938
1939 return(c->pkeys[i].x509);
1940 }
1941
1942EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
1943 {
1944 unsigned long alg;
1945 CERT *c;
1946
1947 alg=cipher->algorithms;
1948 c=s->cert;
1949
1950 if ((alg & SSL_aDSS) &&
1951 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
1952 return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
1953 else if (alg & SSL_aRSA)
1954 {
1955 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
1956 return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
1957 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
1958 return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
1959 else
1960 return(NULL);
1961 }
1962 else if ((alg & SSL_aECDSA) &&
1963 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
1964 return(c->pkeys[SSL_PKEY_ECC].privatekey);
1965 else /* if (alg & SSL_aNULL) */
1966 {
1967 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
1968 return(NULL);
1969 }
1970 }
1971
1972void ssl_update_cache(SSL *s,int mode)
1973 {
1974 int i;
1975
1976 /* If the session_id_length is 0, we are not supposed to cache it,
1977 * and it would be rather hard to do anyway :-) */
1978 if (s->session->session_id_length == 0) return;
1979
1980 i=s->ctx->session_cache_mode;
1981 if ((i & mode) && (!s->hit)
1982 && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
1983 || SSL_CTX_add_session(s->ctx,s->session))
1984 && (s->ctx->new_session_cb != NULL))
1985 {
1986 CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
1987 if (!s->ctx->new_session_cb(s,s->session))
1988 SSL_SESSION_free(s->session);
1989 }
1990
1991 /* auto flush every 255 connections */
1992 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
1993 ((i & mode) == mode))
1994 {
1995 if ( (((mode & SSL_SESS_CACHE_CLIENT)
1996 ?s->ctx->stats.sess_connect_good
1997 :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
1998 {
1999 SSL_CTX_flush_sessions(s->ctx,(unsigned long)time(NULL));
2000 }
2001 }
2002 }
2003
2004SSL_METHOD *SSL_get_ssl_method(SSL *s)
2005 {
2006 return(s->method);
2007 }
2008
2009int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
2010 {
2011 int conn= -1;
2012 int ret=1;
2013
2014 if (s->method != meth)
2015 {
2016 if (s->handshake_func != NULL)
2017 conn=(s->handshake_func == s->method->ssl_connect);
2018
2019 if (s->method->version == meth->version)
2020 s->method=meth;
2021 else
2022 {
2023 s->method->ssl_free(s);
2024 s->method=meth;
2025 ret=s->method->ssl_new(s);
2026 }
2027
2028 if (conn == 1)
2029 s->handshake_func=meth->ssl_connect;
2030 else if (conn == 0)
2031 s->handshake_func=meth->ssl_accept;
2032 }
2033 return(ret);
2034 }
2035
2036int SSL_get_error(const SSL *s,int i)
2037 {
2038 int reason;
2039 unsigned long l;
2040 BIO *bio;
2041
2042 if (i > 0) return(SSL_ERROR_NONE);
2043
2044 /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
2045 * etc, where we do encode the error */
2046 if ((l=ERR_peek_error()) != 0)
2047 {
2048 if (ERR_GET_LIB(l) == ERR_LIB_SYS)
2049 return(SSL_ERROR_SYSCALL);
2050 else
2051 return(SSL_ERROR_SSL);
2052 }
2053
2054 if ((i < 0) && SSL_want_read(s))
2055 {
2056 bio=SSL_get_rbio(s);
2057 if (BIO_should_read(bio))
2058 return(SSL_ERROR_WANT_READ);
2059 else if (BIO_should_write(bio))
2060 /* This one doesn't make too much sense ... We never try
2061 * to write to the rbio, and an application program where
2062 * rbio and wbio are separate couldn't even know what it
2063 * should wait for.
2064 * However if we ever set s->rwstate incorrectly
2065 * (so that we have SSL_want_read(s) instead of
2066 * SSL_want_write(s)) and rbio and wbio *are* the same,
2067 * this test works around that bug; so it might be safer
2068 * to keep it. */
2069 return(SSL_ERROR_WANT_WRITE);
2070 else if (BIO_should_io_special(bio))
2071 {
2072 reason=BIO_get_retry_reason(bio);
2073 if (reason == BIO_RR_CONNECT)
2074 return(SSL_ERROR_WANT_CONNECT);
2075 else if (reason == BIO_RR_ACCEPT)
2076 return(SSL_ERROR_WANT_ACCEPT);
2077 else
2078 return(SSL_ERROR_SYSCALL); /* unknown */
2079 }
2080 }
2081
2082 if ((i < 0) && SSL_want_write(s))
2083 {
2084 bio=SSL_get_wbio(s);
2085 if (BIO_should_write(bio))
2086 return(SSL_ERROR_WANT_WRITE);
2087 else if (BIO_should_read(bio))
2088 /* See above (SSL_want_read(s) with BIO_should_write(bio)) */
2089 return(SSL_ERROR_WANT_READ);
2090 else if (BIO_should_io_special(bio))
2091 {
2092 reason=BIO_get_retry_reason(bio);
2093 if (reason == BIO_RR_CONNECT)
2094 return(SSL_ERROR_WANT_CONNECT);
2095 else if (reason == BIO_RR_ACCEPT)
2096 return(SSL_ERROR_WANT_ACCEPT);
2097 else
2098 return(SSL_ERROR_SYSCALL);
2099 }
2100 }
2101 if ((i < 0) && SSL_want_x509_lookup(s))
2102 {
2103 return(SSL_ERROR_WANT_X509_LOOKUP);
2104 }
2105
2106 if (i == 0)
2107 {
2108 if (s->version == SSL2_VERSION)
2109 {
2110 /* assume it is the socket being closed */
2111 return(SSL_ERROR_ZERO_RETURN);
2112 }
2113 else
2114 {
2115 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
2116 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
2117 return(SSL_ERROR_ZERO_RETURN);
2118 }
2119 }
2120 return(SSL_ERROR_SYSCALL);
2121 }
2122
2123int SSL_do_handshake(SSL *s)
2124 {
2125 int ret=1;
2126
2127 if (s->handshake_func == NULL)
2128 {
2129 SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
2130 return(-1);
2131 }
2132
2133 s->method->ssl_renegotiate_check(s);
2134
2135 if (SSL_in_init(s) || SSL_in_before(s))
2136 {
2137 ret=s->handshake_func(s);
2138 }
2139 return(ret);
2140 }
2141
2142/* For the next 2 functions, SSL_clear() sets shutdown and so
2143 * one of these calls will reset it */
2144void SSL_set_accept_state(SSL *s)
2145 {
2146 s->server=1;
2147 s->shutdown=0;
2148 s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
2149 s->handshake_func=s->method->ssl_accept;
2150 /* clear the current cipher */
2151 ssl_clear_cipher_ctx(s);
2152 }
2153
2154void SSL_set_connect_state(SSL *s)
2155 {
2156 s->server=0;
2157 s->shutdown=0;
2158 s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
2159 s->handshake_func=s->method->ssl_connect;
2160 /* clear the current cipher */
2161 ssl_clear_cipher_ctx(s);
2162 }
2163
2164int ssl_undefined_function(SSL *s)
2165 {
2166 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2167 return(0);
2168 }
2169
2170int ssl_undefined_void_function(void)
2171 {
2172 SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2173 return(0);
2174 }
2175
2176int ssl_undefined_const_function(const SSL *s)
2177 {
2178 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2179 return(0);
2180 }
2181
2182SSL_METHOD *ssl_bad_method(int ver)
2183 {
2184 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2185 return(NULL);
2186 }
2187
2188const char *SSL_get_version(const SSL *s)
2189 {
2190 if (s->version == TLS1_VERSION)
2191 return("TLSv1");
2192 else if (s->version == SSL3_VERSION)
2193 return("SSLv3");
2194 else if (s->version == SSL2_VERSION)
2195 return("SSLv2");
2196 else
2197 return("unknown");
2198 }
2199
2200SSL *SSL_dup(SSL *s)
2201 {
2202 STACK_OF(X509_NAME) *sk;
2203 X509_NAME *xn;
2204 SSL *ret;
2205 int i;
2206
2207 if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
2208 return(NULL);
2209
2210 ret->version = s->version;
2211 ret->type = s->type;
2212 ret->method = s->method;
2213
2214 if (s->session != NULL)
2215 {
2216 /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
2217 SSL_copy_session_id(ret,s);
2218 }
2219 else
2220 {
2221 /* No session has been established yet, so we have to expect
2222 * that s->cert or ret->cert will be changed later --
2223 * they should not both point to the same object,
2224 * and thus we can't use SSL_copy_session_id. */
2225
2226 ret->method->ssl_free(ret);
2227 ret->method = s->method;
2228 ret->method->ssl_new(ret);
2229
2230 if (s->cert != NULL)
2231 {
2232 if (ret->cert != NULL)
2233 {
2234 ssl_cert_free(ret->cert);
2235 }
2236 ret->cert = ssl_cert_dup(s->cert);
2237 if (ret->cert == NULL)
2238 goto err;
2239 }
2240
2241 SSL_set_session_id_context(ret,
2242 s->sid_ctx, s->sid_ctx_length);
2243 }
2244
2245 ret->options=s->options;
2246 ret->mode=s->mode;
2247 SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s));
2248 SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
2249 ret->msg_callback = s->msg_callback;
2250 ret->msg_callback_arg = s->msg_callback_arg;
2251 SSL_set_verify(ret,SSL_get_verify_mode(s),
2252 SSL_get_verify_callback(s));
2253 SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
2254 ret->generate_session_id = s->generate_session_id;
2255
2256 SSL_set_info_callback(ret,SSL_get_info_callback(s));
2257
2258 ret->debug=s->debug;
2259
2260 /* copy app data, a little dangerous perhaps */
2261 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
2262 goto err;
2263
2264 /* setup rbio, and wbio */
2265 if (s->rbio != NULL)
2266 {
2267 if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
2268 goto err;
2269 }
2270 if (s->wbio != NULL)
2271 {
2272 if (s->wbio != s->rbio)
2273 {
2274 if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
2275 goto err;
2276 }
2277 else
2278 ret->wbio=ret->rbio;
2279 }
2280 ret->rwstate = s->rwstate;
2281 ret->in_handshake = s->in_handshake;
2282 ret->handshake_func = s->handshake_func;
2283 ret->server = s->server;
2284 ret->new_session = s->new_session;
2285 ret->quiet_shutdown = s->quiet_shutdown;
2286 ret->shutdown=s->shutdown;
2287 ret->state=s->state; /* SSL_dup does not really work at any state, though */
2288 ret->rstate=s->rstate;
2289 ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
2290 ret->hit=s->hit;
2291
2292 X509_VERIFY_PARAM_inherit(ret->param, s->param);
2293
2294 /* dup the cipher_list and cipher_list_by_id stacks */
2295 if (s->cipher_list != NULL)
2296 {
2297 if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
2298 goto err;
2299 }
2300 if (s->cipher_list_by_id != NULL)
2301 if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id))
2302 == NULL)
2303 goto err;
2304
2305 /* Dup the client_CA list */
2306 if (s->client_CA != NULL)
2307 {
2308 if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
2309 ret->client_CA=sk;
2310 for (i=0; i<sk_X509_NAME_num(sk); i++)
2311 {
2312 xn=sk_X509_NAME_value(sk,i);
2313 if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL)
2314 {
2315 X509_NAME_free(xn);
2316 goto err;
2317 }
2318 }
2319 }
2320
2321 if (0)
2322 {
2323err:
2324 if (ret != NULL) SSL_free(ret);
2325 ret=NULL;
2326 }
2327 return(ret);
2328 }
2329
2330void ssl_clear_cipher_ctx(SSL *s)
2331 {
2332 if (s->enc_read_ctx != NULL)
2333 {
2334 EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
2335 OPENSSL_free(s->enc_read_ctx);
2336 s->enc_read_ctx=NULL;
2337 }
2338 if (s->enc_write_ctx != NULL)
2339 {
2340 EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
2341 OPENSSL_free(s->enc_write_ctx);
2342 s->enc_write_ctx=NULL;
2343 }
2344#ifndef OPENSSL_NO_COMP
2345 if (s->expand != NULL)
2346 {
2347 COMP_CTX_free(s->expand);
2348 s->expand=NULL;
2349 }
2350 if (s->compress != NULL)
2351 {
2352 COMP_CTX_free(s->compress);
2353 s->compress=NULL;
2354 }
2355#endif
2356 }
2357
2358/* Fix this function so that it takes an optional type parameter */
2359X509 *SSL_get_certificate(const SSL *s)
2360 {
2361 if (s->cert != NULL)
2362 return(s->cert->key->x509);
2363 else
2364 return(NULL);
2365 }
2366
2367/* Fix this function so that it takes an optional type parameter */
2368EVP_PKEY *SSL_get_privatekey(SSL *s)
2369 {
2370 if (s->cert != NULL)
2371 return(s->cert->key->privatekey);
2372 else
2373 return(NULL);
2374 }
2375
2376SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
2377 {
2378 if ((s->session != NULL) && (s->session->cipher != NULL))
2379 return(s->session->cipher);
2380 return(NULL);
2381 }
2382#ifdef OPENSSL_NO_COMP
2383const void *SSL_get_current_compression(SSL *s)
2384 {
2385 return NULL;
2386 }
2387const void *SSL_get_current_expansion(SSL *s)
2388 {
2389 return NULL;
2390 }
2391#else
2392
2393const COMP_METHOD *SSL_get_current_compression(SSL *s)
2394 {
2395 if (s->compress != NULL)
2396 return(s->compress->meth);
2397 return(NULL);
2398 }
2399
2400const COMP_METHOD *SSL_get_current_expansion(SSL *s)
2401 {
2402 if (s->expand != NULL)
2403 return(s->expand->meth);
2404 return(NULL);
2405 }
2406#endif
2407
2408int ssl_init_wbio_buffer(SSL *s,int push)
2409 {
2410 BIO *bbio;
2411
2412 if (s->bbio == NULL)
2413 {
2414 bbio=BIO_new(BIO_f_buffer());
2415 if (bbio == NULL) return(0);
2416 s->bbio=bbio;
2417 }
2418 else
2419 {
2420 bbio=s->bbio;
2421 if (s->bbio == s->wbio)
2422 s->wbio=BIO_pop(s->wbio);
2423 }
2424 (void)BIO_reset(bbio);
2425/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
2426 if (!BIO_set_read_buffer_size(bbio,1))
2427 {
2428 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB);
2429 return(0);
2430 }
2431 if (push)
2432 {
2433 if (s->wbio != bbio)
2434 s->wbio=BIO_push(bbio,s->wbio);
2435 }
2436 else
2437 {
2438 if (s->wbio == bbio)
2439 s->wbio=BIO_pop(bbio);
2440 }
2441 return(1);
2442 }
2443
2444void ssl_free_wbio_buffer(SSL *s)
2445 {
2446 if (s->bbio == NULL) return;
2447
2448 if (s->bbio == s->wbio)
2449 {
2450 /* remove buffering */
2451 s->wbio=BIO_pop(s->wbio);
2452#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */
2453 assert(s->wbio != NULL);
2454#endif
2455 }
2456 BIO_free(s->bbio);
2457 s->bbio=NULL;
2458 }
2459
2460void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
2461 {
2462 ctx->quiet_shutdown=mode;
2463 }
2464
2465int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
2466 {
2467 return(ctx->quiet_shutdown);
2468 }
2469
2470void SSL_set_quiet_shutdown(SSL *s,int mode)
2471 {
2472 s->quiet_shutdown=mode;
2473 }
2474
2475int SSL_get_quiet_shutdown(const SSL *s)
2476 {
2477 return(s->quiet_shutdown);
2478 }
2479
2480void SSL_set_shutdown(SSL *s,int mode)
2481 {
2482 s->shutdown=mode;
2483 }
2484
2485int SSL_get_shutdown(const SSL *s)
2486 {
2487 return(s->shutdown);
2488 }
2489
2490int SSL_version(const SSL *s)
2491 {
2492 return(s->version);
2493 }
2494
2495SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
2496 {
2497 return(ssl->ctx);
2498 }
2499
2500SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
2501 {
2502 if (ssl->ctx == ctx)
2503 return ssl->ctx;
2504#ifndef OPENSSL_NO_TLSEXT
2505 if (ctx == NULL)
2506 ctx = ssl->initial_ctx;
2507#endif
2508 if (ssl->cert != NULL)
2509 ssl_cert_free(ssl->cert);
2510 ssl->cert = ssl_cert_dup(ctx->cert);
2511 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
2512 if (ssl->ctx != NULL)
2513 SSL_CTX_free(ssl->ctx); /* decrement reference count */
2514 ssl->ctx = ctx;
2515 return(ssl->ctx);
2516 }
2517
2518#ifndef OPENSSL_NO_STDIO
2519int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
2520 {
2521 return(X509_STORE_set_default_paths(ctx->cert_store));
2522 }
2523
2524int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
2525 const char *CApath)
2526 {
2527 return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
2528 }
2529#endif
2530
2531void SSL_set_info_callback(SSL *ssl,
2532 void (*cb)(const SSL *ssl,int type,int val))
2533 {
2534 ssl->info_callback=cb;
2535 }
2536
2537/* One compiler (Diab DCC) doesn't like argument names in returned
2538 function pointer. */
2539void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
2540 {
2541 return ssl->info_callback;
2542 }
2543
2544int SSL_state(const SSL *ssl)
2545 {
2546 return(ssl->state);
2547 }
2548
2549void SSL_set_verify_result(SSL *ssl,long arg)
2550 {
2551 ssl->verify_result=arg;
2552 }
2553
2554long SSL_get_verify_result(const SSL *ssl)
2555 {
2556 return(ssl->verify_result);
2557 }
2558
2559int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
2560 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
2561 {
2562 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
2563 new_func, dup_func, free_func);
2564 }
2565
2566int SSL_set_ex_data(SSL *s,int idx,void *arg)
2567 {
2568 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
2569 }
2570
2571void *SSL_get_ex_data(const SSL *s,int idx)
2572 {
2573 return(CRYPTO_get_ex_data(&s->ex_data,idx));
2574 }
2575
2576int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
2577 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
2578 {
2579 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
2580 new_func, dup_func, free_func);
2581 }
2582
2583int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
2584 {
2585 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
2586 }
2587
2588void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
2589 {
2590 return(CRYPTO_get_ex_data(&s->ex_data,idx));
2591 }
2592
2593int ssl_ok(SSL *s)
2594 {
2595 return(1);
2596 }
2597
2598X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
2599 {
2600 return(ctx->cert_store);
2601 }
2602
2603void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
2604 {
2605 if (ctx->cert_store != NULL)
2606 X509_STORE_free(ctx->cert_store);
2607 ctx->cert_store=store;
2608 }
2609
2610int SSL_want(const SSL *s)
2611 {
2612 return(s->rwstate);
2613 }
2614
2615/*!
2616 * \brief Set the callback for generating temporary RSA keys.
2617 * \param ctx the SSL context.
2618 * \param cb the callback
2619 */
2620
2621#ifndef OPENSSL_NO_RSA
2622void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
2623 int is_export,
2624 int keylength))
2625 {
2626 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
2627 }
2628
2629void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
2630 int is_export,
2631 int keylength))
2632 {
2633 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
2634 }
2635#endif
2636
2637#ifdef DOXYGEN
2638/*!
2639 * \brief The RSA temporary key callback function.
2640 * \param ssl the SSL session.
2641 * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
2642 * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
2643 * of the required key in bits.
2644 * \return the temporary RSA key.
2645 * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
2646 */
2647
2648RSA *cb(SSL *ssl,int is_export,int keylength)
2649 {}
2650#endif
2651
2652/*!
2653 * \brief Set the callback for generating temporary DH keys.
2654 * \param ctx the SSL context.
2655 * \param dh the callback
2656 */
2657
2658#ifndef OPENSSL_NO_DH
2659void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
2660 int keylength))
2661 {
2662 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
2663 }
2664
2665void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
2666 int keylength))
2667 {
2668 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
2669 }
2670#endif
2671
2672#ifndef OPENSSL_NO_ECDH
2673void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
2674 int keylength))
2675 {
2676 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
2677 }
2678
2679void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
2680 int keylength))
2681 {
2682 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
2683 }
2684#endif
2685
2686
2687void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
2688 {
2689 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
2690 }
2691void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
2692 {
2693 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
2694 }
2695
2696
2697
2698#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
2699#include "../crypto/bio/bss_file.c"
2700#endif
2701
2702IMPLEMENT_STACK_OF(SSL_CIPHER)
2703IMPLEMENT_STACK_OF(SSL_COMP)
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
deleted file mode 100644
index ed4ddbbae6..0000000000
--- a/src/lib/libssl/ssl_locl.h
+++ /dev/null
@@ -1,982 +0,0 @@
1/* ssl/ssl_locl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#ifndef HEADER_SSL_LOCL_H
118#define HEADER_SSL_LOCL_H
119#include <stdlib.h>
120#include <time.h>
121#include <string.h>
122#include <errno.h>
123
124#include "e_os.h"
125
126#include <openssl/buffer.h>
127#ifndef OPENSSL_NO_COMP
128#include <openssl/comp.h>
129#endif
130#include <openssl/bio.h>
131#include <openssl/stack.h>
132#ifndef OPENSSL_NO_RSA
133#include <openssl/rsa.h>
134#endif
135#ifndef OPENSSL_NO_DSA
136#include <openssl/dsa.h>
137#endif
138#include <openssl/err.h>
139#include <openssl/ssl.h>
140#include <openssl/symhacks.h>
141
142#ifdef OPENSSL_BUILD_SHLIBSSL
143# undef OPENSSL_EXTERN
144# define OPENSSL_EXTERN OPENSSL_EXPORT
145#endif
146
147#define PKCS1_CHECK
148
149#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
150 l|=(((unsigned long)(*((c)++)))<< 8), \
151 l|=(((unsigned long)(*((c)++)))<<16), \
152 l|=(((unsigned long)(*((c)++)))<<24))
153
154/* NOTE - c is not incremented as per c2l */
155#define c2ln(c,l1,l2,n) { \
156 c+=n; \
157 l1=l2=0; \
158 switch (n) { \
159 case 8: l2 =((unsigned long)(*(--(c))))<<24; \
160 case 7: l2|=((unsigned long)(*(--(c))))<<16; \
161 case 6: l2|=((unsigned long)(*(--(c))))<< 8; \
162 case 5: l2|=((unsigned long)(*(--(c)))); \
163 case 4: l1 =((unsigned long)(*(--(c))))<<24; \
164 case 3: l1|=((unsigned long)(*(--(c))))<<16; \
165 case 2: l1|=((unsigned long)(*(--(c))))<< 8; \
166 case 1: l1|=((unsigned long)(*(--(c)))); \
167 } \
168 }
169
170#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
171 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
172 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
173 *((c)++)=(unsigned char)(((l)>>24)&0xff))
174
175#define n2l(c,l) (l =((unsigned long)(*((c)++)))<<24, \
176 l|=((unsigned long)(*((c)++)))<<16, \
177 l|=((unsigned long)(*((c)++)))<< 8, \
178 l|=((unsigned long)(*((c)++))))
179
180#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
181 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
182 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
183 *((c)++)=(unsigned char)(((l) )&0xff))
184
185#define l2n6(l,c) (*((c)++)=(unsigned char)(((l)>>40)&0xff), \
186 *((c)++)=(unsigned char)(((l)>>32)&0xff), \
187 *((c)++)=(unsigned char)(((l)>>24)&0xff), \
188 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
189 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
190 *((c)++)=(unsigned char)(((l) )&0xff))
191
192#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \
193 l|=((BN_ULLONG)(*((c)++)))<<32, \
194 l|=((BN_ULLONG)(*((c)++)))<<24, \
195 l|=((BN_ULLONG)(*((c)++)))<<16, \
196 l|=((BN_ULLONG)(*((c)++)))<< 8, \
197 l|=((BN_ULLONG)(*((c)++))))
198
199/* NOTE - c is not incremented as per l2c */
200#define l2cn(l1,l2,c,n) { \
201 c+=n; \
202 switch (n) { \
203 case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
204 case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
205 case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
206 case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \
207 case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
208 case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
209 case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
210 case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \
211 } \
212 }
213
214#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
215 (((unsigned int)(c[1])) )),c+=2)
216#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
217 c[1]=(unsigned char)(((s) )&0xff)),c+=2)
218
219#define n2l3(c,l) ((l =(((unsigned long)(c[0]))<<16)| \
220 (((unsigned long)(c[1]))<< 8)| \
221 (((unsigned long)(c[2])) )),c+=3)
222
223#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \
224 c[1]=(unsigned char)(((l)>> 8)&0xff), \
225 c[2]=(unsigned char)(((l) )&0xff)),c+=3)
226
227/* LOCAL STUFF */
228
229#define SSL_DECRYPT 0
230#define SSL_ENCRYPT 1
231
232#define TWO_BYTE_BIT 0x80
233#define SEC_ESC_BIT 0x40
234#define TWO_BYTE_MASK 0x7fff
235#define THREE_BYTE_MASK 0x3fff
236
237#define INC32(a) ((a)=((a)+1)&0xffffffffL)
238#define DEC32(a) ((a)=((a)-1)&0xffffffffL)
239#define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
240
241/*
242 * Define the Bitmasks for SSL_CIPHER.algorithms.
243 * This bits are used packed as dense as possible. If new methods/ciphers
244 * etc will be added, the bits a likely to change, so this information
245 * is for internal library use only, even though SSL_CIPHER.algorithms
246 * can be publicly accessed.
247 * Use the according functions for cipher management instead.
248 *
249 * The bit mask handling in the selection and sorting scheme in
250 * ssl_create_cipher_list() has only limited capabilities, reflecting
251 * that the different entities within are mutually exclusive:
252 * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
253 */
254#define SSL_MKEY_MASK 0x000000FFL
255#define SSL_kRSA 0x00000001L /* RSA key exchange */
256#define SSL_kDHr 0x00000002L /* DH cert RSA CA cert */
257#define SSL_kDHd 0x00000004L /* DH cert DSA CA cert */
258#define SSL_kFZA 0x00000008L
259#define SSL_kEDH 0x00000010L /* tmp DH key no DH cert */
260#define SSL_kKRB5 0x00000020L /* Kerberos5 key exchange */
261#define SSL_kECDH 0x00000040L /* ECDH w/ long-term keys */
262#define SSL_kECDHE 0x00000080L /* ephemeral ECDH */
263#define SSL_EDH (SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
264
265#define SSL_AUTH_MASK 0x00007F00L
266#define SSL_aRSA 0x00000100L /* Authenticate with RSA */
267#define SSL_aDSS 0x00000200L /* Authenticate with DSS */
268#define SSL_DSS SSL_aDSS
269#define SSL_aFZA 0x00000400L
270#define SSL_aNULL 0x00000800L /* no Authenticate, ADH */
271#define SSL_aDH 0x00001000L /* no Authenticate, ADH */
272#define SSL_aKRB5 0x00002000L /* Authenticate with KRB5 */
273#define SSL_aECDSA 0x00004000L /* Authenticate with ECDSA */
274
275#define SSL_NULL (SSL_eNULL)
276#define SSL_ADH (SSL_kEDH|SSL_aNULL)
277#define SSL_RSA (SSL_kRSA|SSL_aRSA)
278#define SSL_DH (SSL_kDHr|SSL_kDHd|SSL_kEDH)
279#define SSL_ECDH (SSL_kECDH|SSL_kECDHE)
280#define SSL_FZA (SSL_aFZA|SSL_kFZA|SSL_eFZA)
281#define SSL_KRB5 (SSL_kKRB5|SSL_aKRB5)
282
283#define SSL_ENC_MASK 0x1C3F8000L
284#define SSL_DES 0x00008000L
285#define SSL_3DES 0x00010000L
286#define SSL_RC4 0x00020000L
287#define SSL_RC2 0x00040000L
288#define SSL_IDEA 0x00080000L
289#define SSL_eFZA 0x00100000L
290#define SSL_eNULL 0x00200000L
291#define SSL_AES 0x04000000L
292#define SSL_CAMELLIA 0x08000000L
293#define SSL_SEED 0x10000000L
294
295#define SSL_MAC_MASK 0x00c00000L
296#define SSL_MD5 0x00400000L
297#define SSL_SHA1 0x00800000L
298#define SSL_SHA (SSL_SHA1)
299
300#define SSL_SSL_MASK 0x03000000L
301#define SSL_SSLV2 0x01000000L
302#define SSL_SSLV3 0x02000000L
303#define SSL_TLSV1 SSL_SSLV3 /* for now */
304
305/* we have used 1fffffff - 3 bits left to go. */
306
307/*
308 * Export and cipher strength information. For each cipher we have to decide
309 * whether it is exportable or not. This information is likely to change
310 * over time, since the export control rules are no static technical issue.
311 *
312 * Independent of the export flag the cipher strength is sorted into classes.
313 * SSL_EXP40 was denoting the 40bit US export limit of past times, which now
314 * is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
315 * again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
316 * since SSL_EXP64 could be similar to SSL_LOW.
317 * For this reason SSL_MICRO and SSL_MINI macros are included to widen the
318 * namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
319 * and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
320 * be possible.
321 */
322#define SSL_EXP_MASK 0x00000003L
323#define SSL_NOT_EXP 0x00000001L
324#define SSL_EXPORT 0x00000002L
325
326#define SSL_STRONG_MASK 0x000000fcL
327#define SSL_STRONG_NONE 0x00000004L
328#define SSL_EXP40 0x00000008L
329#define SSL_MICRO (SSL_EXP40)
330#define SSL_EXP56 0x00000010L
331#define SSL_MINI (SSL_EXP56)
332#define SSL_LOW 0x00000020L
333#define SSL_MEDIUM 0x00000040L
334#define SSL_HIGH 0x00000080L
335#define SSL_FIPS 0x00000100L
336
337/* we have used 000001ff - 23 bits left to go */
338
339/*
340 * Macros to check the export status and cipher strength for export ciphers.
341 * Even though the macros for EXPORT and EXPORT40/56 have similar names,
342 * their meaning is different:
343 * *_EXPORT macros check the 'exportable' status.
344 * *_EXPORT40/56 macros are used to check whether a certain cipher strength
345 * is given.
346 * Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
347 * algorithm structure element to be passed (algorithms, algo_strength) and no
348 * typechecking can be done as they are all of type unsigned long, their
349 * direct usage is discouraged.
350 * Use the SSL_C_* macros instead.
351 */
352#define SSL_IS_EXPORT(a) ((a)&SSL_EXPORT)
353#define SSL_IS_EXPORT56(a) ((a)&SSL_EXP56)
354#define SSL_IS_EXPORT40(a) ((a)&SSL_EXP40)
355#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algo_strength)
356#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algo_strength)
357#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algo_strength)
358
359#define SSL_EXPORT_KEYLENGTH(a,s) (SSL_IS_EXPORT40(s) ? 5 : \
360 ((a)&SSL_ENC_MASK) == SSL_DES ? 8 : 7)
361#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
362#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithms, \
363 (c)->algo_strength)
364#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
365
366
367#define SSL_ALL 0xffffffffL
368#define SSL_ALL_CIPHERS (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
369 SSL_MAC_MASK)
370#define SSL_ALL_STRENGTHS (SSL_EXP_MASK|SSL_STRONG_MASK)
371
372/* Mostly for SSLv3 */
373#define SSL_PKEY_RSA_ENC 0
374#define SSL_PKEY_RSA_SIGN 1
375#define SSL_PKEY_DSA_SIGN 2
376#define SSL_PKEY_DH_RSA 3
377#define SSL_PKEY_DH_DSA 4
378#define SSL_PKEY_ECC 5
379#define SSL_PKEY_NUM 6
380
381/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
382 * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
383 * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
384 * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN
385 * SSL_aRSA <- RSA_ENC | RSA_SIGN
386 * SSL_aDSS <- DSA_SIGN
387 */
388
389/*
390#define CERT_INVALID 0
391#define CERT_PUBLIC_KEY 1
392#define CERT_PRIVATE_KEY 2
393*/
394
395#ifndef OPENSSL_NO_EC
396/* From ECC-TLS draft, used in encoding the curve type in
397 * ECParameters
398 */
399#define EXPLICIT_PRIME_CURVE_TYPE 1
400#define EXPLICIT_CHAR2_CURVE_TYPE 2
401#define NAMED_CURVE_TYPE 3
402#endif /* OPENSSL_NO_EC */
403
404typedef struct cert_pkey_st
405 {
406 X509 *x509;
407 EVP_PKEY *privatekey;
408 } CERT_PKEY;
409
410typedef struct cert_st
411 {
412 /* Current active set */
413 CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
414 * Probably it would make more sense to store
415 * an index, not a pointer. */
416
417 /* The following masks are for the key and auth
418 * algorithms that are supported by the certs below */
419 int valid;
420 unsigned long mask;
421 unsigned long export_mask;
422#ifndef OPENSSL_NO_RSA
423 RSA *rsa_tmp;
424 RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
425#endif
426#ifndef OPENSSL_NO_DH
427 DH *dh_tmp;
428 DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize);
429#endif
430#ifndef OPENSSL_NO_ECDH
431 EC_KEY *ecdh_tmp;
432 /* Callback for generating ephemeral ECDH keys */
433 EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize);
434#endif
435
436 CERT_PKEY pkeys[SSL_PKEY_NUM];
437
438 int references; /* >1 only if SSL_copy_session_id is used */
439 } CERT;
440
441
442typedef struct sess_cert_st
443 {
444 STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */
445
446 /* The 'peer_...' members are used only by clients. */
447 int peer_cert_type;
448
449 CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
450 CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
451 /* Obviously we don't have the private keys of these,
452 * so maybe we shouldn't even use the CERT_PKEY type here. */
453
454#ifndef OPENSSL_NO_RSA
455 RSA *peer_rsa_tmp; /* not used for SSL 2 */
456#endif
457#ifndef OPENSSL_NO_DH
458 DH *peer_dh_tmp; /* not used for SSL 2 */
459#endif
460#ifndef OPENSSL_NO_ECDH
461 EC_KEY *peer_ecdh_tmp;
462#endif
463
464 int references; /* actually always 1 at the moment */
465 } SESS_CERT;
466
467
468/*#define MAC_DEBUG */
469
470/*#define ERR_DEBUG */
471/*#define ABORT_DEBUG */
472/*#define PKT_DEBUG 1 */
473/*#define DES_DEBUG */
474/*#define DES_OFB_DEBUG */
475/*#define SSL_DEBUG */
476/*#define RSA_DEBUG */
477/*#define IDEA_DEBUG */
478
479#define FP_ICC (int (*)(const void *,const void *))
480#define ssl_put_cipher_by_char(ssl,ciph,ptr) \
481 ((ssl)->method->put_cipher_by_char((ciph),(ptr)))
482#define ssl_get_cipher_by_char(ssl,ptr) \
483 ((ssl)->method->get_cipher_by_char(ptr))
484
485/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
486 * It is a bit of a mess of functions, but hell, think of it as
487 * an opaque structure :-) */
488typedef struct ssl3_enc_method
489 {
490 int (*enc)(SSL *, int);
491 int (*mac)(SSL *, unsigned char *, int);
492 int (*setup_key_block)(SSL *);
493 int (*generate_master_secret)(SSL *, unsigned char *, unsigned char *, int);
494 int (*change_cipher_state)(SSL *, int);
495 int (*final_finish_mac)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char *, int, unsigned char *);
496 int finish_mac_length;
497 int (*cert_verify_mac)(SSL *, EVP_MD_CTX *, unsigned char *);
498 const char *client_finished_label;
499 int client_finished_label_len;
500 const char *server_finished_label;
501 int server_finished_label_len;
502 int (*alert_value)(int);
503 } SSL3_ENC_METHOD;
504
505#ifndef OPENSSL_NO_COMP
506/* Used for holding the relevant compression methods loaded into SSL_CTX */
507typedef struct ssl3_comp_st
508 {
509 int comp_id; /* The identifier byte for this compression type */
510 char *name; /* Text name used for the compression type */
511 COMP_METHOD *method; /* The method :-) */
512 } SSL3_COMP;
513#endif
514
515extern SSL3_ENC_METHOD ssl3_undef_enc_method;
516OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[];
517OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
518
519
520SSL_METHOD *ssl_bad_method(int ver);
521SSL_METHOD *sslv2_base_method(void);
522SSL_METHOD *sslv23_base_method(void);
523SSL_METHOD *sslv3_base_method(void);
524
525extern SSL3_ENC_METHOD TLSv1_enc_data;
526extern SSL3_ENC_METHOD SSLv3_enc_data;
527extern SSL3_ENC_METHOD DTLSv1_enc_data;
528
529#define IMPLEMENT_tls1_meth_func(func_name, s_accept, s_connect, s_get_meth) \
530SSL_METHOD *func_name(void) \
531 { \
532 static SSL_METHOD func_name##_data= { \
533 TLS1_VERSION, \
534 tls1_new, \
535 tls1_clear, \
536 tls1_free, \
537 s_accept, \
538 s_connect, \
539 ssl3_read, \
540 ssl3_peek, \
541 ssl3_write, \
542 ssl3_shutdown, \
543 ssl3_renegotiate, \
544 ssl3_renegotiate_check, \
545 ssl3_get_message, \
546 ssl3_read_bytes, \
547 ssl3_write_bytes, \
548 ssl3_dispatch_alert, \
549 ssl3_ctrl, \
550 ssl3_ctx_ctrl, \
551 ssl3_get_cipher_by_char, \
552 ssl3_put_cipher_by_char, \
553 ssl3_pending, \
554 ssl3_num_ciphers, \
555 ssl3_get_cipher, \
556 s_get_meth, \
557 tls1_default_timeout, \
558 &TLSv1_enc_data, \
559 ssl_undefined_void_function, \
560 ssl3_callback_ctrl, \
561 ssl3_ctx_callback_ctrl, \
562 }; \
563 return &func_name##_data; \
564 }
565
566#define IMPLEMENT_ssl3_meth_func(func_name, s_accept, s_connect, s_get_meth) \
567SSL_METHOD *func_name(void) \
568 { \
569 static SSL_METHOD func_name##_data= { \
570 SSL3_VERSION, \
571 ssl3_new, \
572 ssl3_clear, \
573 ssl3_free, \
574 s_accept, \
575 s_connect, \
576 ssl3_read, \
577 ssl3_peek, \
578 ssl3_write, \
579 ssl3_shutdown, \
580 ssl3_renegotiate, \
581 ssl3_renegotiate_check, \
582 ssl3_get_message, \
583 ssl3_read_bytes, \
584 ssl3_write_bytes, \
585 ssl3_dispatch_alert, \
586 ssl3_ctrl, \
587 ssl3_ctx_ctrl, \
588 ssl3_get_cipher_by_char, \
589 ssl3_put_cipher_by_char, \
590 ssl3_pending, \
591 ssl3_num_ciphers, \
592 ssl3_get_cipher, \
593 s_get_meth, \
594 ssl3_default_timeout, \
595 &SSLv3_enc_data, \
596 ssl_undefined_void_function, \
597 ssl3_callback_ctrl, \
598 ssl3_ctx_callback_ctrl, \
599 }; \
600 return &func_name##_data; \
601 }
602
603#define IMPLEMENT_ssl23_meth_func(func_name, s_accept, s_connect, s_get_meth) \
604SSL_METHOD *func_name(void) \
605 { \
606 static SSL_METHOD func_name##_data= { \
607 TLS1_VERSION, \
608 tls1_new, \
609 tls1_clear, \
610 tls1_free, \
611 s_accept, \
612 s_connect, \
613 ssl23_read, \
614 ssl23_peek, \
615 ssl23_write, \
616 ssl_undefined_function, \
617 ssl_undefined_function, \
618 ssl_ok, \
619 ssl3_get_message, \
620 ssl3_read_bytes, \
621 ssl3_write_bytes, \
622 ssl3_dispatch_alert, \
623 ssl3_ctrl, \
624 ssl3_ctx_ctrl, \
625 ssl23_get_cipher_by_char, \
626 ssl23_put_cipher_by_char, \
627 ssl_undefined_const_function, \
628 ssl23_num_ciphers, \
629 ssl23_get_cipher, \
630 s_get_meth, \
631 ssl23_default_timeout, \
632 &ssl3_undef_enc_method, \
633 ssl_undefined_void_function, \
634 ssl3_callback_ctrl, \
635 ssl3_ctx_callback_ctrl, \
636 }; \
637 return &func_name##_data; \
638 }
639
640#define IMPLEMENT_ssl2_meth_func(func_name, s_accept, s_connect, s_get_meth) \
641SSL_METHOD *func_name(void) \
642 { \
643 static SSL_METHOD func_name##_data= { \
644 SSL2_VERSION, \
645 ssl2_new, /* local */ \
646 ssl2_clear, /* local */ \
647 ssl2_free, /* local */ \
648 s_accept, \
649 s_connect, \
650 ssl2_read, \
651 ssl2_peek, \
652 ssl2_write, \
653 ssl2_shutdown, \
654 ssl_ok, /* NULL - renegotiate */ \
655 ssl_ok, /* NULL - check renegotiate */ \
656 NULL, /* NULL - ssl_get_message */ \
657 NULL, /* NULL - ssl_get_record */ \
658 NULL, /* NULL - ssl_write_bytes */ \
659 NULL, /* NULL - dispatch_alert */ \
660 ssl2_ctrl, /* local */ \
661 ssl2_ctx_ctrl, /* local */ \
662 ssl2_get_cipher_by_char, \
663 ssl2_put_cipher_by_char, \
664 ssl2_pending, \
665 ssl2_num_ciphers, \
666 ssl2_get_cipher, \
667 s_get_meth, \
668 ssl2_default_timeout, \
669 &ssl3_undef_enc_method, \
670 ssl_undefined_void_function, \
671 ssl2_callback_ctrl, /* local */ \
672 ssl2_ctx_callback_ctrl, /* local */ \
673 }; \
674 return &func_name##_data; \
675 }
676
677#define IMPLEMENT_dtls1_meth_func(func_name, s_accept, s_connect, s_get_meth) \
678SSL_METHOD *func_name(void) \
679 { \
680 static SSL_METHOD func_name##_data= { \
681 DTLS1_VERSION, \
682 dtls1_new, \
683 dtls1_clear, \
684 dtls1_free, \
685 s_accept, \
686 s_connect, \
687 ssl3_read, \
688 ssl3_peek, \
689 ssl3_write, \
690 ssl3_shutdown, \
691 ssl3_renegotiate, \
692 ssl3_renegotiate_check, \
693 dtls1_get_message, \
694 dtls1_read_bytes, \
695 dtls1_write_app_data_bytes, \
696 dtls1_dispatch_alert, \
697 ssl3_ctrl, \
698 ssl3_ctx_ctrl, \
699 ssl3_get_cipher_by_char, \
700 ssl3_put_cipher_by_char, \
701 ssl3_pending, \
702 ssl3_num_ciphers, \
703 dtls1_get_cipher, \
704 s_get_meth, \
705 dtls1_default_timeout, \
706 &DTLSv1_enc_data, \
707 ssl_undefined_void_function, \
708 ssl3_callback_ctrl, \
709 ssl3_ctx_callback_ctrl, \
710 }; \
711 return &func_name##_data; \
712 }
713
714void ssl_clear_cipher_ctx(SSL *s);
715int ssl_clear_bad_session(SSL *s);
716CERT *ssl_cert_new(void);
717CERT *ssl_cert_dup(CERT *cert);
718int ssl_cert_inst(CERT **o);
719void ssl_cert_free(CERT *c);
720SESS_CERT *ssl_sess_cert_new(void);
721void ssl_sess_cert_free(SESS_CERT *sc);
722int ssl_set_peer_cert_type(SESS_CERT *c, int type);
723int ssl_get_new_session(SSL *s, int session);
724int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit);
725int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
726int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
727 const SSL_CIPHER * const *bp);
728STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
729 STACK_OF(SSL_CIPHER) **skp);
730int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
731 int (*put_cb)(const SSL_CIPHER *, unsigned char *));
732STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
733 STACK_OF(SSL_CIPHER) **pref,
734 STACK_OF(SSL_CIPHER) **sorted,
735 const char *rule_str);
736void ssl_update_cache(SSL *s, int mode);
737int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
738 const EVP_MD **md,SSL_COMP **comp);
739int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
740int ssl_undefined_function(SSL *s);
741int ssl_undefined_void_function(void);
742int ssl_undefined_const_function(const SSL *s);
743X509 *ssl_get_server_send_cert(SSL *);
744EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
745int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
746void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher);
747STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
748int ssl_verify_alarm_type(long type);
749void ssl_load_ciphers(void);
750
751int ssl2_enc_init(SSL *s, int client);
752int ssl2_generate_key_material(SSL *s);
753void ssl2_enc(SSL *s,int send_data);
754void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
755SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
756int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
757int ssl2_part_read(SSL *s, unsigned long f, int i);
758int ssl2_do_write(SSL *s);
759int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data);
760void ssl2_return_error(SSL *s,int reason);
761void ssl2_write_error(SSL *s);
762int ssl2_num_ciphers(void);
763SSL_CIPHER *ssl2_get_cipher(unsigned int u);
764int ssl2_new(SSL *s);
765void ssl2_free(SSL *s);
766int ssl2_accept(SSL *s);
767int ssl2_connect(SSL *s);
768int ssl2_read(SSL *s, void *buf, int len);
769int ssl2_peek(SSL *s, void *buf, int len);
770int ssl2_write(SSL *s, const void *buf, int len);
771int ssl2_shutdown(SSL *s);
772void ssl2_clear(SSL *s);
773long ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
774long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
775long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
776long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
777int ssl2_pending(const SSL *s);
778long ssl2_default_timeout(void );
779
780SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
781int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
782void ssl3_init_finished_mac(SSL *s);
783int ssl3_send_server_certificate(SSL *s);
784int ssl3_send_newsession_ticket(SSL *s);
785int ssl3_send_cert_status(SSL *s);
786int ssl3_get_finished(SSL *s,int state_a,int state_b);
787int ssl3_setup_key_block(SSL *s);
788int ssl3_send_change_cipher_spec(SSL *s,int state_a,int state_b);
789int ssl3_change_cipher_state(SSL *s,int which);
790void ssl3_cleanup_key_block(SSL *s);
791int ssl3_do_write(SSL *s,int type);
792void ssl3_send_alert(SSL *s,int level, int desc);
793int ssl3_generate_master_secret(SSL *s, unsigned char *out,
794 unsigned char *p, int len);
795int ssl3_get_req_cert_type(SSL *s,unsigned char *p);
796long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
797int ssl3_send_finished(SSL *s, int a, int b, const char *sender,int slen);
798int ssl3_num_ciphers(void);
799SSL_CIPHER *ssl3_get_cipher(unsigned int u);
800int ssl3_renegotiate(SSL *ssl);
801int ssl3_renegotiate_check(SSL *ssl);
802int ssl3_dispatch_alert(SSL *s);
803int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
804int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
805int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
806 const char *sender, int slen,unsigned char *p);
807int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
808void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
809int ssl3_enc(SSL *s, int send_data);
810int ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
811unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
812SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
813 STACK_OF(SSL_CIPHER) *srvr);
814int ssl3_setup_buffers(SSL *s);
815int ssl3_new(SSL *s);
816void ssl3_free(SSL *s);
817int ssl3_accept(SSL *s);
818int ssl3_connect(SSL *s);
819int ssl3_read(SSL *s, void *buf, int len);
820int ssl3_peek(SSL *s, void *buf, int len);
821int ssl3_write(SSL *s, const void *buf, int len);
822int ssl3_shutdown(SSL *s);
823void ssl3_clear(SSL *s);
824long ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
825long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
826long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
827long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
828int ssl3_pending(const SSL *s);
829
830void ssl3_record_sequence_update(unsigned char *seq);
831int ssl3_do_change_cipher_spec(SSL *ssl);
832long ssl3_default_timeout(void );
833
834int ssl23_num_ciphers(void );
835SSL_CIPHER *ssl23_get_cipher(unsigned int u);
836int ssl23_read(SSL *s, void *buf, int len);
837int ssl23_peek(SSL *s, void *buf, int len);
838int ssl23_write(SSL *s, const void *buf, int len);
839int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
840SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
841long ssl23_default_timeout(void );
842
843long tls1_default_timeout(void);
844int dtls1_do_write(SSL *s,int type);
845int ssl3_read_n(SSL *s, int n, int max, int extend);
846int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
847int ssl3_do_compress(SSL *ssl);
848int ssl3_do_uncompress(SSL *ssl);
849int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
850 unsigned int len);
851unsigned char *dtls1_set_message_header(SSL *s,
852 unsigned char *p, unsigned char mt, unsigned long len,
853 unsigned long frag_off, unsigned long frag_len);
854
855int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len);
856int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
857
858int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
859int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
860unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
861int dtls1_read_failed(SSL *s, int code);
862int dtls1_buffer_message(SSL *s, int ccs);
863int dtls1_retransmit_message(SSL *s, unsigned short seq,
864 unsigned long frag_off, int *found);
865void dtls1_clear_record_buffer(SSL *s);
866void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr);
867void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
868void dtls1_reset_seq_numbers(SSL *s, int rw);
869long dtls1_default_timeout(void);
870SSL_CIPHER *dtls1_get_cipher(unsigned int u);
871
872
873
874/* some client-only functions */
875int ssl3_client_hello(SSL *s);
876int ssl3_get_server_hello(SSL *s);
877int ssl3_get_certificate_request(SSL *s);
878int ssl3_get_new_session_ticket(SSL *s);
879int ssl3_get_cert_status(SSL *s);
880int ssl3_get_server_done(SSL *s);
881int ssl3_send_client_verify(SSL *s);
882int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
883int ssl3_send_client_certificate(SSL *s);
884int ssl3_send_client_key_exchange(SSL *s);
885int ssl3_get_key_exchange(SSL *s);
886int ssl3_get_server_certificate(SSL *s);
887int ssl3_check_cert_and_algorithm(SSL *s);
888
889int dtls1_client_hello(SSL *s);
890int dtls1_send_client_certificate(SSL *s);
891int dtls1_send_client_key_exchange(SSL *s);
892int dtls1_send_client_verify(SSL *s);
893
894/* some server-only functions */
895int ssl3_get_client_hello(SSL *s);
896int ssl3_send_server_hello(SSL *s);
897int ssl3_send_hello_request(SSL *s);
898int ssl3_send_server_key_exchange(SSL *s);
899int ssl3_send_certificate_request(SSL *s);
900int ssl3_send_server_done(SSL *s);
901int ssl3_check_client_hello(SSL *s);
902int ssl3_get_client_certificate(SSL *s);
903int ssl3_get_client_key_exchange(SSL *s);
904int ssl3_get_cert_verify(SSL *s);
905
906int dtls1_send_hello_request(SSL *s);
907int dtls1_send_server_hello(SSL *s);
908int dtls1_send_server_certificate(SSL *s);
909int dtls1_send_server_key_exchange(SSL *s);
910int dtls1_send_certificate_request(SSL *s);
911int dtls1_send_server_done(SSL *s);
912
913
914
915int ssl23_accept(SSL *s);
916int ssl23_connect(SSL *s);
917int ssl23_read_bytes(SSL *s, int n);
918int ssl23_write_bytes(SSL *s);
919
920int tls1_new(SSL *s);
921void tls1_free(SSL *s);
922void tls1_clear(SSL *s);
923long tls1_ctrl(SSL *s,int cmd, long larg, void *parg);
924long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
925SSL_METHOD *tlsv1_base_method(void );
926
927int dtls1_new(SSL *s);
928int dtls1_accept(SSL *s);
929int dtls1_connect(SSL *s);
930void dtls1_free(SSL *s);
931void dtls1_clear(SSL *s);
932long dtls1_ctrl(SSL *s,int cmd, long larg, void *parg);
933SSL_METHOD *dtlsv1_base_method(void );
934
935long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
936int dtls1_get_record(SSL *s);
937int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
938 unsigned int len, int create_empty_fragement);
939int dtls1_dispatch_alert(SSL *s);
940int dtls1_enc(SSL *s, int snd);
941
942int ssl_init_wbio_buffer(SSL *s, int push);
943void ssl_free_wbio_buffer(SSL *s);
944
945int tls1_change_cipher_state(SSL *s, int which);
946int tls1_setup_key_block(SSL *s);
947int tls1_enc(SSL *s, int snd);
948int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
949 const char *str, int slen, unsigned char *p);
950int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
951int tls1_mac(SSL *ssl, unsigned char *md, int snd);
952int tls1_generate_master_secret(SSL *s, unsigned char *out,
953 unsigned char *p, int len);
954int tls1_alert_code(int code);
955int ssl3_alert_code(int code);
956int ssl_ok(SSL *s);
957
958int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
959
960SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
961
962#ifndef OPENSSL_NO_TLSEXT
963unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
964unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
965int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
966int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
967int ssl_prepare_clienthello_tlsext(SSL *s);
968int ssl_prepare_serverhello_tlsext(SSL *s);
969int ssl_check_clienthello_tlsext(SSL *s);
970int ssl_check_serverhello_tlsext(SSL *s);
971#ifdef OPENSSL_NO_SHA256
972#define tlsext_tick_md EVP_sha1
973#else
974#define tlsext_tick_md EVP_sha256
975#endif
976int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
977 const unsigned char *limit, SSL_SESSION **ret);
978EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ;
979void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
980#endif
981
982#endif
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
deleted file mode 100644
index 27113eba50..0000000000
--- a/src/lib/libssl/ssl_rsa.c
+++ /dev/null
@@ -1,779 +0,0 @@
1/* ssl/ssl_rsa.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "ssl_locl.h"
61#include <openssl/bio.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65#include <openssl/pem.h>
66
67static int ssl_set_cert(CERT *c, X509 *x509);
68static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
69int SSL_use_certificate(SSL *ssl, X509 *x)
70 {
71 if (x == NULL)
72 {
73 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
74 return(0);
75 }
76 if (!ssl_cert_inst(&ssl->cert))
77 {
78 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
79 return(0);
80 }
81 return(ssl_set_cert(ssl->cert,x));
82 }
83
84#ifndef OPENSSL_NO_STDIO
85int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
86 {
87 int j;
88 BIO *in;
89 int ret=0;
90 X509 *x=NULL;
91
92 in=BIO_new(BIO_s_file_internal());
93 if (in == NULL)
94 {
95 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
96 goto end;
97 }
98
99 if (BIO_read_filename(in,file) <= 0)
100 {
101 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
102 goto end;
103 }
104 if (type == SSL_FILETYPE_ASN1)
105 {
106 j=ERR_R_ASN1_LIB;
107 x=d2i_X509_bio(in,NULL);
108 }
109 else if (type == SSL_FILETYPE_PEM)
110 {
111 j=ERR_R_PEM_LIB;
112 x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
113 }
114 else
115 {
116 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
117 goto end;
118 }
119
120 if (x == NULL)
121 {
122 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,j);
123 goto end;
124 }
125
126 ret=SSL_use_certificate(ssl,x);
127end:
128 if (x != NULL) X509_free(x);
129 if (in != NULL) BIO_free(in);
130 return(ret);
131 }
132#endif
133
134int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
135 {
136 X509 *x;
137 int ret;
138
139 x=d2i_X509(NULL,&d,(long)len);
140 if (x == NULL)
141 {
142 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
143 return(0);
144 }
145
146 ret=SSL_use_certificate(ssl,x);
147 X509_free(x);
148 return(ret);
149 }
150
151#ifndef OPENSSL_NO_RSA
152int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
153 {
154 EVP_PKEY *pkey;
155 int ret;
156
157 if (rsa == NULL)
158 {
159 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
160 return(0);
161 }
162 if (!ssl_cert_inst(&ssl->cert))
163 {
164 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
165 return(0);
166 }
167 if ((pkey=EVP_PKEY_new()) == NULL)
168 {
169 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
170 return(0);
171 }
172
173 RSA_up_ref(rsa);
174 EVP_PKEY_assign_RSA(pkey,rsa);
175
176 ret=ssl_set_pkey(ssl->cert,pkey);
177 EVP_PKEY_free(pkey);
178 return(ret);
179 }
180#endif
181
182static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
183 {
184 int i;
185
186 i=ssl_cert_type(NULL,pkey);
187 if (i < 0)
188 {
189 SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
190 return(0);
191 }
192
193 if (c->pkeys[i].x509 != NULL)
194 {
195 EVP_PKEY *pktmp;
196 pktmp = X509_get_pubkey(c->pkeys[i].x509);
197 EVP_PKEY_copy_parameters(pktmp,pkey);
198 EVP_PKEY_free(pktmp);
199 ERR_clear_error();
200
201#ifndef OPENSSL_NO_RSA
202 /* Don't check the public/private key, this is mostly
203 * for smart cards. */
204 if ((pkey->type == EVP_PKEY_RSA) &&
205 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
206 ;
207 else
208#endif
209 if (!X509_check_private_key(c->pkeys[i].x509,pkey))
210 {
211 X509_free(c->pkeys[i].x509);
212 c->pkeys[i].x509 = NULL;
213 return 0;
214 }
215 }
216
217 if (c->pkeys[i].privatekey != NULL)
218 EVP_PKEY_free(c->pkeys[i].privatekey);
219 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
220 c->pkeys[i].privatekey=pkey;
221 c->key= &(c->pkeys[i]);
222
223 c->valid=0;
224 return(1);
225 }
226
227#ifndef OPENSSL_NO_RSA
228#ifndef OPENSSL_NO_STDIO
229int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
230 {
231 int j,ret=0;
232 BIO *in;
233 RSA *rsa=NULL;
234
235 in=BIO_new(BIO_s_file_internal());
236 if (in == NULL)
237 {
238 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
239 goto end;
240 }
241
242 if (BIO_read_filename(in,file) <= 0)
243 {
244 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
245 goto end;
246 }
247 if (type == SSL_FILETYPE_ASN1)
248 {
249 j=ERR_R_ASN1_LIB;
250 rsa=d2i_RSAPrivateKey_bio(in,NULL);
251 }
252 else if (type == SSL_FILETYPE_PEM)
253 {
254 j=ERR_R_PEM_LIB;
255 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
256 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
257 }
258 else
259 {
260 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
261 goto end;
262 }
263 if (rsa == NULL)
264 {
265 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,j);
266 goto end;
267 }
268 ret=SSL_use_RSAPrivateKey(ssl,rsa);
269 RSA_free(rsa);
270end:
271 if (in != NULL) BIO_free(in);
272 return(ret);
273 }
274#endif
275
276int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
277 {
278 int ret;
279 const unsigned char *p;
280 RSA *rsa;
281
282 p=d;
283 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
284 {
285 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
286 return(0);
287 }
288
289 ret=SSL_use_RSAPrivateKey(ssl,rsa);
290 RSA_free(rsa);
291 return(ret);
292 }
293#endif /* !OPENSSL_NO_RSA */
294
295int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
296 {
297 int ret;
298
299 if (pkey == NULL)
300 {
301 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
302 return(0);
303 }
304 if (!ssl_cert_inst(&ssl->cert))
305 {
306 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
307 return(0);
308 }
309 ret=ssl_set_pkey(ssl->cert,pkey);
310 return(ret);
311 }
312
313#ifndef OPENSSL_NO_STDIO
314int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
315 {
316 int j,ret=0;
317 BIO *in;
318 EVP_PKEY *pkey=NULL;
319
320 in=BIO_new(BIO_s_file_internal());
321 if (in == NULL)
322 {
323 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
324 goto end;
325 }
326
327 if (BIO_read_filename(in,file) <= 0)
328 {
329 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
330 goto end;
331 }
332 if (type == SSL_FILETYPE_PEM)
333 {
334 j=ERR_R_PEM_LIB;
335 pkey=PEM_read_bio_PrivateKey(in,NULL,
336 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
337 }
338 else if (type == SSL_FILETYPE_ASN1)
339 {
340 j = ERR_R_ASN1_LIB;
341 pkey = d2i_PrivateKey_bio(in,NULL);
342 }
343 else
344 {
345 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
346 goto end;
347 }
348 if (pkey == NULL)
349 {
350 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,j);
351 goto end;
352 }
353 ret=SSL_use_PrivateKey(ssl,pkey);
354 EVP_PKEY_free(pkey);
355end:
356 if (in != NULL) BIO_free(in);
357 return(ret);
358 }
359#endif
360
361int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
362 {
363 int ret;
364 const unsigned char *p;
365 EVP_PKEY *pkey;
366
367 p=d;
368 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
369 {
370 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
371 return(0);
372 }
373
374 ret=SSL_use_PrivateKey(ssl,pkey);
375 EVP_PKEY_free(pkey);
376 return(ret);
377 }
378
379int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
380 {
381 if (x == NULL)
382 {
383 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
384 return(0);
385 }
386 if (!ssl_cert_inst(&ctx->cert))
387 {
388 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
389 return(0);
390 }
391 return(ssl_set_cert(ctx->cert, x));
392 }
393
394static int ssl_set_cert(CERT *c, X509 *x)
395 {
396 EVP_PKEY *pkey;
397 int i;
398
399 pkey=X509_get_pubkey(x);
400 if (pkey == NULL)
401 {
402 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_X509_LIB);
403 return(0);
404 }
405
406 i=ssl_cert_type(x,pkey);
407 if (i < 0)
408 {
409 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
410 EVP_PKEY_free(pkey);
411 return(0);
412 }
413
414 if (c->pkeys[i].privatekey != NULL)
415 {
416 EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
417 ERR_clear_error();
418
419#ifndef OPENSSL_NO_RSA
420 /* Don't check the public/private key, this is mostly
421 * for smart cards. */
422 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
423 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
424 RSA_METHOD_FLAG_NO_CHECK))
425 ;
426 else
427#endif /* OPENSSL_NO_RSA */
428 if (!X509_check_private_key(x,c->pkeys[i].privatekey))
429 {
430 /* don't fail for a cert/key mismatch, just free
431 * current private key (when switching to a different
432 * cert & key, first this function should be used,
433 * then ssl_set_pkey */
434 EVP_PKEY_free(c->pkeys[i].privatekey);
435 c->pkeys[i].privatekey=NULL;
436 /* clear error queue */
437 ERR_clear_error();
438 }
439 }
440
441 EVP_PKEY_free(pkey);
442
443 if (c->pkeys[i].x509 != NULL)
444 X509_free(c->pkeys[i].x509);
445 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
446 c->pkeys[i].x509=x;
447 c->key= &(c->pkeys[i]);
448
449 c->valid=0;
450 return(1);
451 }
452
453#ifndef OPENSSL_NO_STDIO
454int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
455 {
456 int j;
457 BIO *in;
458 int ret=0;
459 X509 *x=NULL;
460
461 in=BIO_new(BIO_s_file_internal());
462 if (in == NULL)
463 {
464 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
465 goto end;
466 }
467
468 if (BIO_read_filename(in,file) <= 0)
469 {
470 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
471 goto end;
472 }
473 if (type == SSL_FILETYPE_ASN1)
474 {
475 j=ERR_R_ASN1_LIB;
476 x=d2i_X509_bio(in,NULL);
477 }
478 else if (type == SSL_FILETYPE_PEM)
479 {
480 j=ERR_R_PEM_LIB;
481 x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
482 }
483 else
484 {
485 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
486 goto end;
487 }
488
489 if (x == NULL)
490 {
491 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,j);
492 goto end;
493 }
494
495 ret=SSL_CTX_use_certificate(ctx,x);
496end:
497 if (x != NULL) X509_free(x);
498 if (in != NULL) BIO_free(in);
499 return(ret);
500 }
501#endif
502
503int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
504 {
505 X509 *x;
506 int ret;
507
508 x=d2i_X509(NULL,&d,(long)len);
509 if (x == NULL)
510 {
511 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
512 return(0);
513 }
514
515 ret=SSL_CTX_use_certificate(ctx,x);
516 X509_free(x);
517 return(ret);
518 }
519
520#ifndef OPENSSL_NO_RSA
521int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
522 {
523 int ret;
524 EVP_PKEY *pkey;
525
526 if (rsa == NULL)
527 {
528 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
529 return(0);
530 }
531 if (!ssl_cert_inst(&ctx->cert))
532 {
533 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
534 return(0);
535 }
536 if ((pkey=EVP_PKEY_new()) == NULL)
537 {
538 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
539 return(0);
540 }
541
542 RSA_up_ref(rsa);
543 EVP_PKEY_assign_RSA(pkey,rsa);
544
545 ret=ssl_set_pkey(ctx->cert, pkey);
546 EVP_PKEY_free(pkey);
547 return(ret);
548 }
549
550#ifndef OPENSSL_NO_STDIO
551int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
552 {
553 int j,ret=0;
554 BIO *in;
555 RSA *rsa=NULL;
556
557 in=BIO_new(BIO_s_file_internal());
558 if (in == NULL)
559 {
560 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
561 goto end;
562 }
563
564 if (BIO_read_filename(in,file) <= 0)
565 {
566 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
567 goto end;
568 }
569 if (type == SSL_FILETYPE_ASN1)
570 {
571 j=ERR_R_ASN1_LIB;
572 rsa=d2i_RSAPrivateKey_bio(in,NULL);
573 }
574 else if (type == SSL_FILETYPE_PEM)
575 {
576 j=ERR_R_PEM_LIB;
577 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
578 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
579 }
580 else
581 {
582 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
583 goto end;
584 }
585 if (rsa == NULL)
586 {
587 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,j);
588 goto end;
589 }
590 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
591 RSA_free(rsa);
592end:
593 if (in != NULL) BIO_free(in);
594 return(ret);
595 }
596#endif
597
598int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
599 {
600 int ret;
601 const unsigned char *p;
602 RSA *rsa;
603
604 p=d;
605 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
606 {
607 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
608 return(0);
609 }
610
611 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
612 RSA_free(rsa);
613 return(ret);
614 }
615#endif /* !OPENSSL_NO_RSA */
616
617int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
618 {
619 if (pkey == NULL)
620 {
621 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
622 return(0);
623 }
624 if (!ssl_cert_inst(&ctx->cert))
625 {
626 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
627 return(0);
628 }
629 return(ssl_set_pkey(ctx->cert,pkey));
630 }
631
632#ifndef OPENSSL_NO_STDIO
633int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
634 {
635 int j,ret=0;
636 BIO *in;
637 EVP_PKEY *pkey=NULL;
638
639 in=BIO_new(BIO_s_file_internal());
640 if (in == NULL)
641 {
642 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
643 goto end;
644 }
645
646 if (BIO_read_filename(in,file) <= 0)
647 {
648 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
649 goto end;
650 }
651 if (type == SSL_FILETYPE_PEM)
652 {
653 j=ERR_R_PEM_LIB;
654 pkey=PEM_read_bio_PrivateKey(in,NULL,
655 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
656 }
657 else if (type == SSL_FILETYPE_ASN1)
658 {
659 j = ERR_R_ASN1_LIB;
660 pkey = d2i_PrivateKey_bio(in,NULL);
661 }
662 else
663 {
664 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
665 goto end;
666 }
667 if (pkey == NULL)
668 {
669 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,j);
670 goto end;
671 }
672 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
673 EVP_PKEY_free(pkey);
674end:
675 if (in != NULL) BIO_free(in);
676 return(ret);
677 }
678#endif
679
680int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
681 long len)
682 {
683 int ret;
684 const unsigned char *p;
685 EVP_PKEY *pkey;
686
687 p=d;
688 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
689 {
690 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
691 return(0);
692 }
693
694 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
695 EVP_PKEY_free(pkey);
696 return(ret);
697 }
698
699
700#ifndef OPENSSL_NO_STDIO
701/* Read a file that contains our certificate in "PEM" format,
702 * possibly followed by a sequence of CA certificates that should be
703 * sent to the peer in the Certificate message.
704 */
705int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
706 {
707 BIO *in;
708 int ret=0;
709 X509 *x=NULL;
710
711 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
712
713 in=BIO_new(BIO_s_file_internal());
714 if (in == NULL)
715 {
716 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
717 goto end;
718 }
719
720 if (BIO_read_filename(in,file) <= 0)
721 {
722 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_SYS_LIB);
723 goto end;
724 }
725
726 x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
727 if (x == NULL)
728 {
729 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
730 goto end;
731 }
732
733 ret=SSL_CTX_use_certificate(ctx,x);
734 if (ERR_peek_error() != 0)
735 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
736 if (ret)
737 {
738 /* If we could set up our certificate, now proceed to
739 * the CA certificates.
740 */
741 X509 *ca;
742 int r;
743 unsigned long err;
744
745 if (ctx->extra_certs != NULL)
746 {
747 sk_X509_pop_free(ctx->extra_certs, X509_free);
748 ctx->extra_certs = NULL;
749 }
750
751 while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata))
752 != NULL)
753 {
754 r = SSL_CTX_add_extra_chain_cert(ctx, ca);
755 if (!r)
756 {
757 X509_free(ca);
758 ret = 0;
759 goto end;
760 }
761 /* Note that we must not free r if it was successfully
762 * added to the chain (while we must free the main
763 * certificate, since its reference count is increased
764 * by SSL_CTX_use_certificate). */
765 }
766 /* When the while loop ends, it's usually just EOF. */
767 err = ERR_peek_last_error();
768 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
769 ERR_clear_error();
770 else
771 ret = 0; /* some real error */
772 }
773
774end:
775 if (x != NULL) X509_free(x);
776 if (in != NULL) BIO_free(in);
777 return(ret);
778 }
779#endif
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
deleted file mode 100644
index 8391d62212..0000000000
--- a/src/lib/libssl/ssl_sess.c
+++ /dev/null
@@ -1,906 +0,0 @@
1/* ssl/ssl_sess.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/lhash.h>
61#include <openssl/rand.h>
62#ifndef OPENSSL_NO_ENGINE
63#include <openssl/engine.h>
64#endif
65#include "ssl_locl.h"
66
67static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
68static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
69static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
70
71SSL_SESSION *SSL_get_session(const SSL *ssl)
72/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
73 {
74 return(ssl->session);
75 }
76
77SSL_SESSION *SSL_get1_session(SSL *ssl)
78/* variant of SSL_get_session: caller really gets something */
79 {
80 SSL_SESSION *sess;
81 /* Need to lock this all up rather than just use CRYPTO_add so that
82 * somebody doesn't free ssl->session between when we check it's
83 * non-null and when we up the reference count. */
84 CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
85 sess = ssl->session;
86 if(sess)
87 sess->references++;
88 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
89 return(sess);
90 }
91
92int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
93 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
94 {
95 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
96 new_func, dup_func, free_func);
97 }
98
99int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
100 {
101 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
102 }
103
104void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
105 {
106 return(CRYPTO_get_ex_data(&s->ex_data,idx));
107 }
108
109SSL_SESSION *SSL_SESSION_new(void)
110 {
111 SSL_SESSION *ss;
112
113 ss=(SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION));
114 if (ss == NULL)
115 {
116 SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE);
117 return(0);
118 }
119 memset(ss,0,sizeof(SSL_SESSION));
120
121 ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
122 ss->references=1;
123 ss->timeout=60*5+4; /* 5 minute timeout by default */
124 ss->time=(unsigned long)time(NULL);
125 ss->prev=NULL;
126 ss->next=NULL;
127 ss->compress_meth=0;
128#ifndef OPENSSL_NO_TLSEXT
129 ss->tlsext_hostname = NULL;
130#endif
131 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
132 return(ss);
133 }
134
135const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
136 {
137 if(len)
138 *len = s->session_id_length;
139 return s->session_id;
140 }
141
142/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
143 * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
144 * until we have no conflict is going to complete in one iteration pretty much
145 * "most" of the time (btw: understatement). So, if it takes us 10 iterations
146 * and we still can't avoid a conflict - well that's a reasonable point to call
147 * it quits. Either the RAND code is broken or someone is trying to open roughly
148 * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
149 * store that many sessions is perhaps a more interesting question ... */
150
151#define MAX_SESS_ID_ATTEMPTS 10
152static int def_generate_session_id(const SSL *ssl, unsigned char *id,
153 unsigned int *id_len)
154{
155 unsigned int retry = 0;
156 do
157 if (RAND_pseudo_bytes(id, *id_len) <= 0)
158 return 0;
159 while(SSL_has_matching_session_id(ssl, id, *id_len) &&
160 (++retry < MAX_SESS_ID_ATTEMPTS));
161 if(retry < MAX_SESS_ID_ATTEMPTS)
162 return 1;
163 /* else - woops a session_id match */
164 /* XXX We should also check the external cache --
165 * but the probability of a collision is negligible, and
166 * we could not prevent the concurrent creation of sessions
167 * with identical IDs since we currently don't have means
168 * to atomically check whether a session ID already exists
169 * and make a reservation for it if it does not
170 * (this problem applies to the internal cache as well).
171 */
172 return 0;
173}
174
175int ssl_get_new_session(SSL *s, int session)
176 {
177 /* This gets used by clients and servers. */
178
179 unsigned int tmp;
180 SSL_SESSION *ss=NULL;
181 GEN_SESSION_CB cb = def_generate_session_id;
182
183 if ((ss=SSL_SESSION_new()) == NULL) return(0);
184
185 /* If the context has a default timeout, use it */
186 if (s->ctx->session_timeout == 0)
187 ss->timeout=SSL_get_default_timeout(s);
188 else
189 ss->timeout=s->ctx->session_timeout;
190
191 if (s->session != NULL)
192 {
193 SSL_SESSION_free(s->session);
194 s->session=NULL;
195 }
196
197 if (session)
198 {
199 if (s->version == SSL2_VERSION)
200 {
201 ss->ssl_version=SSL2_VERSION;
202 ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
203 }
204 else if (s->version == SSL3_VERSION)
205 {
206 ss->ssl_version=SSL3_VERSION;
207 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
208 }
209 else if (s->version == TLS1_VERSION)
210 {
211 ss->ssl_version=TLS1_VERSION;
212 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
213 }
214 else if (s->version == DTLS1_VERSION)
215 {
216 ss->ssl_version=DTLS1_VERSION;
217 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
218 }
219 else
220 {
221 SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
222 SSL_SESSION_free(ss);
223 return(0);
224 }
225#ifndef OPENSSL_NO_TLSEXT
226 /* If RFC4507 ticket use empty session ID */
227 if (s->tlsext_ticket_expected)
228 {
229 ss->session_id_length = 0;
230 goto sess_id_done;
231 }
232#endif
233 /* Choose which callback will set the session ID */
234 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
235 if(s->generate_session_id)
236 cb = s->generate_session_id;
237 else if(s->ctx->generate_session_id)
238 cb = s->ctx->generate_session_id;
239 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
240 /* Choose a session ID */
241 tmp = ss->session_id_length;
242 if(!cb(s, ss->session_id, &tmp))
243 {
244 /* The callback failed */
245 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
246 SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
247 SSL_SESSION_free(ss);
248 return(0);
249 }
250 /* Don't allow the callback to set the session length to zero.
251 * nor set it higher than it was. */
252 if(!tmp || (tmp > ss->session_id_length))
253 {
254 /* The callback set an illegal length */
255 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
256 SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
257 SSL_SESSION_free(ss);
258 return(0);
259 }
260 /* If the session length was shrunk and we're SSLv2, pad it */
261 if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION))
262 memset(ss->session_id + tmp, 0, ss->session_id_length - tmp);
263 else
264 ss->session_id_length = tmp;
265 /* Finally, check for a conflict */
266 if(SSL_has_matching_session_id(s, ss->session_id,
267 ss->session_id_length))
268 {
269 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
270 SSL_R_SSL_SESSION_ID_CONFLICT);
271 SSL_SESSION_free(ss);
272 return(0);
273 }
274#ifndef OPENSSL_NO_TLSEXT
275 sess_id_done:
276 if (s->tlsext_hostname) {
277 ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
278 if (ss->tlsext_hostname == NULL) {
279 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
280 SSL_SESSION_free(ss);
281 return 0;
282 }
283 }
284#endif
285 }
286 else
287 {
288 ss->session_id_length=0;
289 }
290
291 if (s->sid_ctx_length > sizeof ss->sid_ctx)
292 {
293 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
294 SSL_SESSION_free(ss);
295 return 0;
296 }
297 memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
298 ss->sid_ctx_length=s->sid_ctx_length;
299 s->session=ss;
300 ss->ssl_version=s->version;
301 ss->verify_result = X509_V_OK;
302
303 return(1);
304 }
305
306int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
307 const unsigned char *limit)
308 {
309 /* This is used only by servers. */
310
311 SSL_SESSION *ret=NULL;
312 int fatal = 0;
313#ifndef OPENSSL_NO_TLSEXT
314 int r;
315#endif
316
317 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
318 goto err;
319#ifndef OPENSSL_NO_TLSEXT
320 r = tls1_process_ticket(s, session_id, len, limit, &ret);
321 if (r == -1)
322 {
323 fatal = 1;
324 goto err;
325 }
326 else if (r == 0 || (!ret && !len))
327 goto err;
328 else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
329#else
330 if (len == 0)
331 goto err;
332 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
333#endif
334 {
335 SSL_SESSION data;
336 data.ssl_version=s->version;
337 data.session_id_length=len;
338 if (len == 0)
339 return 0;
340 memcpy(data.session_id,session_id,len);
341 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
342 ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);
343 if (ret != NULL)
344 /* don't allow other threads to steal it: */
345 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
346 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
347 }
348
349 if (ret == NULL)
350 {
351 int copy=1;
352
353 s->ctx->stats.sess_miss++;
354 ret=NULL;
355 if (s->ctx->get_session_cb != NULL
356 && (ret=s->ctx->get_session_cb(s,session_id,len,&copy))
357 != NULL)
358 {
359 s->ctx->stats.sess_cb_hit++;
360
361 /* Increment reference count now if the session callback
362 * asks us to do so (note that if the session structures
363 * returned by the callback are shared between threads,
364 * it must handle the reference count itself [i.e. copy == 0],
365 * or things won't be thread-safe). */
366 if (copy)
367 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
368
369 /* Add the externally cached session to the internal
370 * cache as well if and only if we are supposed to. */
371 if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
372 /* The following should not return 1, otherwise,
373 * things are very strange */
374 SSL_CTX_add_session(s->ctx,ret);
375 }
376 if (ret == NULL)
377 goto err;
378 }
379
380 /* Now ret is non-NULL, and we own one of its reference counts. */
381
382 if (ret->sid_ctx_length != s->sid_ctx_length
383 || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))
384 {
385 /* We've found the session named by the client, but we don't
386 * want to use it in this context. */
387
388#if 0 /* The client cannot always know when a session is not appropriate,
389 * so we shouldn't generate an error message. */
390
391 SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
392#endif
393 goto err; /* treat like cache miss */
394 }
395
396 if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0)
397 {
398 /* We can't be sure if this session is being used out of
399 * context, which is especially important for SSL_VERIFY_PEER.
400 * The application should have used SSL[_CTX]_set_session_id_context.
401 *
402 * For this error case, we generate an error instead of treating
403 * the event like a cache miss (otherwise it would be easy for
404 * applications to effectively disable the session cache by
405 * accident without anyone noticing).
406 */
407
408 SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
409 fatal = 1;
410 goto err;
411 }
412
413 if (ret->cipher == NULL)
414 {
415 unsigned char buf[5],*p;
416 unsigned long l;
417
418 p=buf;
419 l=ret->cipher_id;
420 l2n(l,p);
421 if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR)
422 ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
423 else
424 ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
425 if (ret->cipher == NULL)
426 goto err;
427 }
428
429
430#if 0 /* This is way too late. */
431
432 /* If a thread got the session, then 'swaped', and another got
433 * it and then due to a time-out decided to 'OPENSSL_free' it we could
434 * be in trouble. So I'll increment it now, then double decrement
435 * later - am I speaking rubbish?. */
436 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
437#endif
438
439 if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
440 {
441 s->ctx->stats.sess_timeout++;
442 /* remove it from the cache */
443 SSL_CTX_remove_session(s->ctx,ret);
444 goto err;
445 }
446
447 s->ctx->stats.sess_hit++;
448
449 /* ret->time=time(NULL); */ /* rezero timeout? */
450 /* again, just leave the session
451 * if it is the same session, we have just incremented and
452 * then decremented the reference count :-) */
453 if (s->session != NULL)
454 SSL_SESSION_free(s->session);
455 s->session=ret;
456 s->verify_result = s->session->verify_result;
457 return(1);
458
459 err:
460 if (ret != NULL)
461 SSL_SESSION_free(ret);
462 if (fatal)
463 return -1;
464 else
465 return 0;
466 }
467
468int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
469 {
470 int ret=0;
471 SSL_SESSION *s;
472
473 /* add just 1 reference count for the SSL_CTX's session cache
474 * even though it has two ways of access: each session is in a
475 * doubly linked list and an lhash */
476 CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
477 /* if session c is in already in cache, we take back the increment later */
478
479 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
480 s=(SSL_SESSION *)lh_insert(ctx->sessions,c);
481
482 /* s != NULL iff we already had a session with the given PID.
483 * In this case, s == c should hold (then we did not really modify
484 * ctx->sessions), or we're in trouble. */
485 if (s != NULL && s != c)
486 {
487 /* We *are* in trouble ... */
488 SSL_SESSION_list_remove(ctx,s);
489 SSL_SESSION_free(s);
490 /* ... so pretend the other session did not exist in cache
491 * (we cannot handle two SSL_SESSION structures with identical
492 * session ID in the same cache, which could happen e.g. when
493 * two threads concurrently obtain the same session from an external
494 * cache) */
495 s = NULL;
496 }
497
498 /* Put at the head of the queue unless it is already in the cache */
499 if (s == NULL)
500 SSL_SESSION_list_add(ctx,c);
501
502 if (s != NULL)
503 {
504 /* existing cache entry -- decrement previously incremented reference
505 * count because it already takes into account the cache */
506
507 SSL_SESSION_free(s); /* s == c */
508 ret=0;
509 }
510 else
511 {
512 /* new cache entry -- remove old ones if cache has become too large */
513
514 ret=1;
515
516 if (SSL_CTX_sess_get_cache_size(ctx) > 0)
517 {
518 while (SSL_CTX_sess_number(ctx) >
519 SSL_CTX_sess_get_cache_size(ctx))
520 {
521 if (!remove_session_lock(ctx,
522 ctx->session_cache_tail, 0))
523 break;
524 else
525 ctx->stats.sess_cache_full++;
526 }
527 }
528 }
529 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
530 return(ret);
531 }
532
533int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
534{
535 return remove_session_lock(ctx, c, 1);
536}
537
538static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
539 {
540 SSL_SESSION *r;
541 int ret=0;
542
543 if ((c != NULL) && (c->session_id_length != 0))
544 {
545 if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
546 if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c)
547 {
548 ret=1;
549 r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
550 SSL_SESSION_list_remove(ctx,c);
551 }
552
553 if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
554
555 if (ret)
556 {
557 r->not_resumable=1;
558 if (ctx->remove_session_cb != NULL)
559 ctx->remove_session_cb(ctx,r);
560 SSL_SESSION_free(r);
561 }
562 }
563 else
564 ret=0;
565 return(ret);
566 }
567
568void SSL_SESSION_free(SSL_SESSION *ss)
569 {
570 int i;
571
572 if(ss == NULL)
573 return;
574
575 i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
576#ifdef REF_PRINT
577 REF_PRINT("SSL_SESSION",ss);
578#endif
579 if (i > 0) return;
580#ifdef REF_CHECK
581 if (i < 0)
582 {
583 fprintf(stderr,"SSL_SESSION_free, bad reference count\n");
584 abort(); /* ok */
585 }
586#endif
587
588 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
589
590 OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
591 OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
592 OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
593 if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
594 if (ss->peer != NULL) X509_free(ss->peer);
595 if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
596#ifndef OPENSSL_NO_TLSEXT
597 if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
598 if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
599#endif
600 OPENSSL_cleanse(ss,sizeof(*ss));
601 OPENSSL_free(ss);
602 }
603
604int SSL_set_session(SSL *s, SSL_SESSION *session)
605 {
606 int ret=0;
607 SSL_METHOD *meth;
608
609 if (session != NULL)
610 {
611 meth=s->ctx->method->get_ssl_method(session->ssl_version);
612 if (meth == NULL)
613 meth=s->method->get_ssl_method(session->ssl_version);
614 if (meth == NULL)
615 {
616 SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD);
617 return(0);
618 }
619
620 if (meth != s->method)
621 {
622 if (!SSL_set_ssl_method(s,meth))
623 return(0);
624 if (s->ctx->session_timeout == 0)
625 session->timeout=SSL_get_default_timeout(s);
626 else
627 session->timeout=s->ctx->session_timeout;
628 }
629
630#ifndef OPENSSL_NO_KRB5
631 if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
632 session->krb5_client_princ_len > 0)
633 {
634 s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
635 memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
636 session->krb5_client_princ_len);
637 s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
638 }
639#endif /* OPENSSL_NO_KRB5 */
640
641 /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
642 CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
643 if (s->session != NULL)
644 SSL_SESSION_free(s->session);
645 s->session=session;
646 s->verify_result = s->session->verify_result;
647 /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
648 ret=1;
649 }
650 else
651 {
652 if (s->session != NULL)
653 {
654 SSL_SESSION_free(s->session);
655 s->session=NULL;
656 }
657
658 meth=s->ctx->method;
659 if (meth != s->method)
660 {
661 if (!SSL_set_ssl_method(s,meth))
662 return(0);
663 }
664 ret=1;
665 }
666 return(ret);
667 }
668
669long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
670 {
671 if (s == NULL) return(0);
672 s->timeout=t;
673 return(1);
674 }
675
676long SSL_SESSION_get_timeout(const SSL_SESSION *s)
677 {
678 if (s == NULL) return(0);
679 return(s->timeout);
680 }
681
682long SSL_SESSION_get_time(const SSL_SESSION *s)
683 {
684 if (s == NULL) return(0);
685 return(s->time);
686 }
687
688long SSL_SESSION_set_time(SSL_SESSION *s, long t)
689 {
690 if (s == NULL) return(0);
691 s->time=t;
692 return(t);
693 }
694
695long SSL_CTX_set_timeout(SSL_CTX *s, long t)
696 {
697 long l;
698 if (s == NULL) return(0);
699 l=s->session_timeout;
700 s->session_timeout=t;
701 return(l);
702 }
703
704long SSL_CTX_get_timeout(const SSL_CTX *s)
705 {
706 if (s == NULL) return(0);
707 return(s->session_timeout);
708 }
709
710typedef struct timeout_param_st
711 {
712 SSL_CTX *ctx;
713 long time;
714 LHASH *cache;
715 } TIMEOUT_PARAM;
716
717static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
718 {
719 if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
720 {
721 /* The reason we don't call SSL_CTX_remove_session() is to
722 * save on locking overhead */
723 lh_delete(p->cache,s);
724 SSL_SESSION_list_remove(p->ctx,s);
725 s->not_resumable=1;
726 if (p->ctx->remove_session_cb != NULL)
727 p->ctx->remove_session_cb(p->ctx,s);
728 SSL_SESSION_free(s);
729 }
730 }
731
732static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION *, TIMEOUT_PARAM *)
733
734void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
735 {
736 unsigned long i;
737 TIMEOUT_PARAM tp;
738
739 tp.ctx=s;
740 tp.cache=s->sessions;
741 if (tp.cache == NULL) return;
742 tp.time=t;
743 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
744 i=tp.cache->down_load;
745 tp.cache->down_load=0;
746 lh_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), &tp);
747 tp.cache->down_load=i;
748 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
749 }
750
751int ssl_clear_bad_session(SSL *s)
752 {
753 if ( (s->session != NULL) &&
754 !(s->shutdown & SSL_SENT_SHUTDOWN) &&
755 !(SSL_in_init(s) || SSL_in_before(s)))
756 {
757 SSL_CTX_remove_session(s->ctx,s->session);
758 return(1);
759 }
760 else
761 return(0);
762 }
763
764/* locked by SSL_CTX in the calling function */
765static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
766 {
767 if ((s->next == NULL) || (s->prev == NULL)) return;
768
769 if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
770 { /* last element in list */
771 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
772 { /* only one element in list */
773 ctx->session_cache_head=NULL;
774 ctx->session_cache_tail=NULL;
775 }
776 else
777 {
778 ctx->session_cache_tail=s->prev;
779 s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
780 }
781 }
782 else
783 {
784 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
785 { /* first element in list */
786 ctx->session_cache_head=s->next;
787 s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
788 }
789 else
790 { /* middle of list */
791 s->next->prev=s->prev;
792 s->prev->next=s->next;
793 }
794 }
795 s->prev=s->next=NULL;
796 }
797
798static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
799 {
800 if ((s->next != NULL) && (s->prev != NULL))
801 SSL_SESSION_list_remove(ctx,s);
802
803 if (ctx->session_cache_head == NULL)
804 {
805 ctx->session_cache_head=s;
806 ctx->session_cache_tail=s;
807 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
808 s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
809 }
810 else
811 {
812 s->next=ctx->session_cache_head;
813 s->next->prev=s;
814 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
815 ctx->session_cache_head=s;
816 }
817 }
818
819void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
820 int (*cb)(struct ssl_st *ssl,SSL_SESSION *sess))
821 {
822 ctx->new_session_cb=cb;
823 }
824
825int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
826 {
827 return ctx->new_session_cb;
828 }
829
830void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
831 void (*cb)(SSL_CTX *ctx,SSL_SESSION *sess))
832 {
833 ctx->remove_session_cb=cb;
834 }
835
836void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx,SSL_SESSION *sess)
837 {
838 return ctx->remove_session_cb;
839 }
840
841void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
842 SSL_SESSION *(*cb)(struct ssl_st *ssl,
843 unsigned char *data,int len,int *copy))
844 {
845 ctx->get_session_cb=cb;
846 }
847
848SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
849 unsigned char *data,int len,int *copy)
850 {
851 return ctx->get_session_cb;
852 }
853
854void SSL_CTX_set_info_callback(SSL_CTX *ctx,
855 void (*cb)(const SSL *ssl,int type,int val))
856 {
857 ctx->info_callback=cb;
858 }
859
860void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val)
861 {
862 return ctx->info_callback;
863 }
864
865void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
866 int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey))
867 {
868 ctx->client_cert_cb=cb;
869 }
870
871int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey)
872 {
873 return ctx->client_cert_cb;
874 }
875
876#ifndef OPENSSL_NO_ENGINE
877int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
878 {
879 if (!ENGINE_init(e))
880 {
881 SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
882 return 0;
883 }
884 if(!ENGINE_get_ssl_client_cert_function(e))
885 {
886 SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
887 ENGINE_finish(e);
888 return 0;
889 }
890 ctx->client_cert_engine = e;
891 return 1;
892 }
893#endif
894
895void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
896 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
897 {
898 ctx->app_gen_cookie_cb=cb;
899 }
900
901void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
902 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len))
903 {
904 ctx->app_verify_cookie_cb=cb;
905 }
906
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
deleted file mode 100644
index 73b02509d4..0000000000
--- a/src/lib/libssl/ssl_stat.c
+++ /dev/null
@@ -1,506 +0,0 @@
1/* ssl/ssl_stat.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "ssl_locl.h"
61
62const char *SSL_state_string_long(const SSL *s)
63 {
64 const char *str;
65
66 switch (s->state)
67 {
68case SSL_ST_BEFORE: str="before SSL initialization"; break;
69case SSL_ST_ACCEPT: str="before accept initialization"; break;
70case SSL_ST_CONNECT: str="before connect initialization"; break;
71case SSL_ST_OK: str="SSL negotiation finished successfully"; break;
72case SSL_ST_RENEGOTIATE: str="SSL renegotiate ciphers"; break;
73case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initialization"; break;
74case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
75case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
76case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
77#ifndef OPENSSL_NO_SSL2
78case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
79case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
80case SSL2_ST_SEND_CLIENT_HELLO_A: str="SSLv2 write client hello A"; break;
81case SSL2_ST_SEND_CLIENT_HELLO_B: str="SSLv2 write client hello B"; break;
82case SSL2_ST_GET_SERVER_HELLO_A: str="SSLv2 read server hello A"; break;
83case SSL2_ST_GET_SERVER_HELLO_B: str="SSLv2 read server hello B"; break;
84case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="SSLv2 write client master key A"; break;
85case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="SSLv2 write client master key B"; break;
86case SSL2_ST_SEND_CLIENT_FINISHED_A: str="SSLv2 write client finished A"; break;
87case SSL2_ST_SEND_CLIENT_FINISHED_B: str="SSLv2 write client finished B"; break;
88case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="SSLv2 write client certificate A"; break;
89case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="SSLv2 write client certificate B"; break;
90case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="SSLv2 write client certificate C"; break;
91case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="SSLv2 write client certificate D"; break;
92case SSL2_ST_GET_SERVER_VERIFY_A: str="SSLv2 read server verify A"; break;
93case SSL2_ST_GET_SERVER_VERIFY_B: str="SSLv2 read server verify B"; break;
94case SSL2_ST_GET_SERVER_FINISHED_A: str="SSLv2 read server finished A"; break;
95case SSL2_ST_GET_SERVER_FINISHED_B: str="SSLv2 read server finished B"; break;
96case SSL2_ST_GET_CLIENT_HELLO_A: str="SSLv2 read client hello A"; break;
97case SSL2_ST_GET_CLIENT_HELLO_B: str="SSLv2 read client hello B"; break;
98case SSL2_ST_GET_CLIENT_HELLO_C: str="SSLv2 read client hello C"; break;
99case SSL2_ST_SEND_SERVER_HELLO_A: str="SSLv2 write server hello A"; break;
100case SSL2_ST_SEND_SERVER_HELLO_B: str="SSLv2 write server hello B"; break;
101case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="SSLv2 read client master key A"; break;
102case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="SSLv2 read client master key B"; break;
103case SSL2_ST_SEND_SERVER_VERIFY_A: str="SSLv2 write server verify A"; break;
104case SSL2_ST_SEND_SERVER_VERIFY_B: str="SSLv2 write server verify B"; break;
105case SSL2_ST_SEND_SERVER_VERIFY_C: str="SSLv2 write server verify C"; break;
106case SSL2_ST_GET_CLIENT_FINISHED_A: str="SSLv2 read client finished A"; break;
107case SSL2_ST_GET_CLIENT_FINISHED_B: str="SSLv2 read client finished B"; break;
108case SSL2_ST_SEND_SERVER_FINISHED_A: str="SSLv2 write server finished A"; break;
109case SSL2_ST_SEND_SERVER_FINISHED_B: str="SSLv2 write server finished B"; break;
110case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="SSLv2 write request certificate A"; break;
111case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="SSLv2 write request certificate B"; break;
112case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="SSLv2 write request certificate C"; break;
113case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="SSLv2 write request certificate D"; break;
114case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="SSLv2 X509 read server certificate"; break;
115case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="SSLv2 X509 read client certificate"; break;
116#endif
117
118#ifndef OPENSSL_NO_SSL3
119/* SSLv3 additions */
120case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break;
121case SSL3_ST_CW_CLNT_HELLO_B: str="SSLv3 write client hello B"; break;
122case SSL3_ST_CR_SRVR_HELLO_A: str="SSLv3 read server hello A"; break;
123case SSL3_ST_CR_SRVR_HELLO_B: str="SSLv3 read server hello B"; break;
124case SSL3_ST_CR_CERT_A: str="SSLv3 read server certificate A"; break;
125case SSL3_ST_CR_CERT_B: str="SSLv3 read server certificate B"; break;
126case SSL3_ST_CR_KEY_EXCH_A: str="SSLv3 read server key exchange A"; break;
127case SSL3_ST_CR_KEY_EXCH_B: str="SSLv3 read server key exchange B"; break;
128case SSL3_ST_CR_CERT_REQ_A: str="SSLv3 read server certificate request A"; break;
129case SSL3_ST_CR_CERT_REQ_B: str="SSLv3 read server certificate request B"; break;
130case SSL3_ST_CR_SESSION_TICKET_A: str="SSLv3 read server session ticket A";break;
131case SSL3_ST_CR_SESSION_TICKET_B: str="SSLv3 read server session ticket B";break;
132case SSL3_ST_CR_SRVR_DONE_A: str="SSLv3 read server done A"; break;
133case SSL3_ST_CR_SRVR_DONE_B: str="SSLv3 read server done B"; break;
134case SSL3_ST_CW_CERT_A: str="SSLv3 write client certificate A"; break;
135case SSL3_ST_CW_CERT_B: str="SSLv3 write client certificate B"; break;
136case SSL3_ST_CW_CERT_C: str="SSLv3 write client certificate C"; break;
137case SSL3_ST_CW_CERT_D: str="SSLv3 write client certificate D"; break;
138case SSL3_ST_CW_KEY_EXCH_A: str="SSLv3 write client key exchange A"; break;
139case SSL3_ST_CW_KEY_EXCH_B: str="SSLv3 write client key exchange B"; break;
140case SSL3_ST_CW_CERT_VRFY_A: str="SSLv3 write certificate verify A"; break;
141case SSL3_ST_CW_CERT_VRFY_B: str="SSLv3 write certificate verify B"; break;
142
143case SSL3_ST_CW_CHANGE_A:
144case SSL3_ST_SW_CHANGE_A: str="SSLv3 write change cipher spec A"; break;
145case SSL3_ST_CW_CHANGE_B:
146case SSL3_ST_SW_CHANGE_B: str="SSLv3 write change cipher spec B"; break;
147case SSL3_ST_CW_FINISHED_A:
148case SSL3_ST_SW_FINISHED_A: str="SSLv3 write finished A"; break;
149case SSL3_ST_CW_FINISHED_B:
150case SSL3_ST_SW_FINISHED_B: str="SSLv3 write finished B"; break;
151case SSL3_ST_CR_CHANGE_A:
152case SSL3_ST_SR_CHANGE_A: str="SSLv3 read change cipher spec A"; break;
153case SSL3_ST_CR_CHANGE_B:
154case SSL3_ST_SR_CHANGE_B: str="SSLv3 read change cipher spec B"; break;
155case SSL3_ST_CR_FINISHED_A:
156case SSL3_ST_SR_FINISHED_A: str="SSLv3 read finished A"; break;
157case SSL3_ST_CR_FINISHED_B:
158case SSL3_ST_SR_FINISHED_B: str="SSLv3 read finished B"; break;
159
160case SSL3_ST_CW_FLUSH:
161case SSL3_ST_SW_FLUSH: str="SSLv3 flush data"; break;
162
163case SSL3_ST_SR_CLNT_HELLO_A: str="SSLv3 read client hello A"; break;
164case SSL3_ST_SR_CLNT_HELLO_B: str="SSLv3 read client hello B"; break;
165case SSL3_ST_SR_CLNT_HELLO_C: str="SSLv3 read client hello C"; break;
166case SSL3_ST_SW_HELLO_REQ_A: str="SSLv3 write hello request A"; break;
167case SSL3_ST_SW_HELLO_REQ_B: str="SSLv3 write hello request B"; break;
168case SSL3_ST_SW_HELLO_REQ_C: str="SSLv3 write hello request C"; break;
169case SSL3_ST_SW_SRVR_HELLO_A: str="SSLv3 write server hello A"; break;
170case SSL3_ST_SW_SRVR_HELLO_B: str="SSLv3 write server hello B"; break;
171case SSL3_ST_SW_CERT_A: str="SSLv3 write certificate A"; break;
172case SSL3_ST_SW_CERT_B: str="SSLv3 write certificate B"; break;
173case SSL3_ST_SW_KEY_EXCH_A: str="SSLv3 write key exchange A"; break;
174case SSL3_ST_SW_KEY_EXCH_B: str="SSLv3 write key exchange B"; break;
175case SSL3_ST_SW_CERT_REQ_A: str="SSLv3 write certificate request A"; break;
176case SSL3_ST_SW_CERT_REQ_B: str="SSLv3 write certificate request B"; break;
177case SSL3_ST_SW_SESSION_TICKET_A: str="SSLv3 write session ticket A"; break;
178case SSL3_ST_SW_SESSION_TICKET_B: str="SSLv3 write session ticket B"; break;
179case SSL3_ST_SW_SRVR_DONE_A: str="SSLv3 write server done A"; break;
180case SSL3_ST_SW_SRVR_DONE_B: str="SSLv3 write server done B"; break;
181case SSL3_ST_SR_CERT_A: str="SSLv3 read client certificate A"; break;
182case SSL3_ST_SR_CERT_B: str="SSLv3 read client certificate B"; break;
183case SSL3_ST_SR_KEY_EXCH_A: str="SSLv3 read client key exchange A"; break;
184case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break;
185case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break;
186case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
187#endif
188
189#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
190/* SSLv2/v3 compatibility states */
191/* client */
192case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break;
193case SSL23_ST_CW_CLNT_HELLO_B: str="SSLv2/v3 write client hello B"; break;
194case SSL23_ST_CR_SRVR_HELLO_A: str="SSLv2/v3 read server hello A"; break;
195case SSL23_ST_CR_SRVR_HELLO_B: str="SSLv2/v3 read server hello B"; break;
196/* server */
197case SSL23_ST_SR_CLNT_HELLO_A: str="SSLv2/v3 read client hello A"; break;
198case SSL23_ST_SR_CLNT_HELLO_B: str="SSLv2/v3 read client hello B"; break;
199#endif
200
201default: str="unknown state"; break;
202 }
203 return(str);
204 }
205
206const char *SSL_rstate_string_long(const SSL *s)
207 {
208 const char *str;
209
210 switch (s->rstate)
211 {
212 case SSL_ST_READ_HEADER: str="read header"; break;
213 case SSL_ST_READ_BODY: str="read body"; break;
214 case SSL_ST_READ_DONE: str="read done"; break;
215 default: str="unknown"; break;
216 }
217 return(str);
218 }
219
220const char *SSL_state_string(const SSL *s)
221 {
222 const char *str;
223
224 switch (s->state)
225 {
226case SSL_ST_BEFORE: str="PINIT "; break;
227case SSL_ST_ACCEPT: str="AINIT "; break;
228case SSL_ST_CONNECT: str="CINIT "; break;
229case SSL_ST_OK: str="SSLOK "; break;
230#ifndef OPENSSL_NO_SSL2
231case SSL2_ST_CLIENT_START_ENCRYPTION: str="2CSENC"; break;
232case SSL2_ST_SERVER_START_ENCRYPTION: str="2SSENC"; break;
233case SSL2_ST_SEND_CLIENT_HELLO_A: str="2SCH_A"; break;
234case SSL2_ST_SEND_CLIENT_HELLO_B: str="2SCH_B"; break;
235case SSL2_ST_GET_SERVER_HELLO_A: str="2GSH_A"; break;
236case SSL2_ST_GET_SERVER_HELLO_B: str="2GSH_B"; break;
237case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="2SCMKA"; break;
238case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="2SCMKB"; break;
239case SSL2_ST_SEND_CLIENT_FINISHED_A: str="2SCF_A"; break;
240case SSL2_ST_SEND_CLIENT_FINISHED_B: str="2SCF_B"; break;
241case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="2SCC_A"; break;
242case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="2SCC_B"; break;
243case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="2SCC_C"; break;
244case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="2SCC_D"; break;
245case SSL2_ST_GET_SERVER_VERIFY_A: str="2GSV_A"; break;
246case SSL2_ST_GET_SERVER_VERIFY_B: str="2GSV_B"; break;
247case SSL2_ST_GET_SERVER_FINISHED_A: str="2GSF_A"; break;
248case SSL2_ST_GET_SERVER_FINISHED_B: str="2GSF_B"; break;
249case SSL2_ST_GET_CLIENT_HELLO_A: str="2GCH_A"; break;
250case SSL2_ST_GET_CLIENT_HELLO_B: str="2GCH_B"; break;
251case SSL2_ST_GET_CLIENT_HELLO_C: str="2GCH_C"; break;
252case SSL2_ST_SEND_SERVER_HELLO_A: str="2SSH_A"; break;
253case SSL2_ST_SEND_SERVER_HELLO_B: str="2SSH_B"; break;
254case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="2GCMKA"; break;
255case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="2GCMKA"; break;
256case SSL2_ST_SEND_SERVER_VERIFY_A: str="2SSV_A"; break;
257case SSL2_ST_SEND_SERVER_VERIFY_B: str="2SSV_B"; break;
258case SSL2_ST_SEND_SERVER_VERIFY_C: str="2SSV_C"; break;
259case SSL2_ST_GET_CLIENT_FINISHED_A: str="2GCF_A"; break;
260case SSL2_ST_GET_CLIENT_FINISHED_B: str="2GCF_B"; break;
261case SSL2_ST_SEND_SERVER_FINISHED_A: str="2SSF_A"; break;
262case SSL2_ST_SEND_SERVER_FINISHED_B: str="2SSF_B"; break;
263case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="2SRC_A"; break;
264case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="2SRC_B"; break;
265case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="2SRC_C"; break;
266case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="2SRC_D"; break;
267case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="2X9GSC"; break;
268case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="2X9GCC"; break;
269#endif
270
271#ifndef OPENSSL_NO_SSL3
272/* SSLv3 additions */
273case SSL3_ST_SW_FLUSH:
274case SSL3_ST_CW_FLUSH: str="3FLUSH"; break;
275case SSL3_ST_CW_CLNT_HELLO_A: str="3WCH_A"; break;
276case SSL3_ST_CW_CLNT_HELLO_B: str="3WCH_B"; break;
277case SSL3_ST_CR_SRVR_HELLO_A: str="3RSH_A"; break;
278case SSL3_ST_CR_SRVR_HELLO_B: str="3RSH_B"; break;
279case SSL3_ST_CR_CERT_A: str="3RSC_A"; break;
280case SSL3_ST_CR_CERT_B: str="3RSC_B"; break;
281case SSL3_ST_CR_KEY_EXCH_A: str="3RSKEA"; break;
282case SSL3_ST_CR_KEY_EXCH_B: str="3RSKEB"; break;
283case SSL3_ST_CR_CERT_REQ_A: str="3RCR_A"; break;
284case SSL3_ST_CR_CERT_REQ_B: str="3RCR_B"; break;
285case SSL3_ST_CR_SRVR_DONE_A: str="3RSD_A"; break;
286case SSL3_ST_CR_SRVR_DONE_B: str="3RSD_B"; break;
287case SSL3_ST_CW_CERT_A: str="3WCC_A"; break;
288case SSL3_ST_CW_CERT_B: str="3WCC_B"; break;
289case SSL3_ST_CW_CERT_C: str="3WCC_C"; break;
290case SSL3_ST_CW_CERT_D: str="3WCC_D"; break;
291case SSL3_ST_CW_KEY_EXCH_A: str="3WCKEA"; break;
292case SSL3_ST_CW_KEY_EXCH_B: str="3WCKEB"; break;
293case SSL3_ST_CW_CERT_VRFY_A: str="3WCV_A"; break;
294case SSL3_ST_CW_CERT_VRFY_B: str="3WCV_B"; break;
295
296case SSL3_ST_SW_CHANGE_A:
297case SSL3_ST_CW_CHANGE_A: str="3WCCSA"; break;
298case SSL3_ST_SW_CHANGE_B:
299case SSL3_ST_CW_CHANGE_B: str="3WCCSB"; break;
300case SSL3_ST_SW_FINISHED_A:
301case SSL3_ST_CW_FINISHED_A: str="3WFINA"; break;
302case SSL3_ST_SW_FINISHED_B:
303case SSL3_ST_CW_FINISHED_B: str="3WFINB"; break;
304case SSL3_ST_SR_CHANGE_A:
305case SSL3_ST_CR_CHANGE_A: str="3RCCSA"; break;
306case SSL3_ST_SR_CHANGE_B:
307case SSL3_ST_CR_CHANGE_B: str="3RCCSB"; break;
308case SSL3_ST_SR_FINISHED_A:
309case SSL3_ST_CR_FINISHED_A: str="3RFINA"; break;
310case SSL3_ST_SR_FINISHED_B:
311case SSL3_ST_CR_FINISHED_B: str="3RFINB"; break;
312
313case SSL3_ST_SW_HELLO_REQ_A: str="3WHR_A"; break;
314case SSL3_ST_SW_HELLO_REQ_B: str="3WHR_B"; break;
315case SSL3_ST_SW_HELLO_REQ_C: str="3WHR_C"; break;
316case SSL3_ST_SR_CLNT_HELLO_A: str="3RCH_A"; break;
317case SSL3_ST_SR_CLNT_HELLO_B: str="3RCH_B"; break;
318case SSL3_ST_SR_CLNT_HELLO_C: str="3RCH_C"; break;
319case SSL3_ST_SW_SRVR_HELLO_A: str="3WSH_A"; break;
320case SSL3_ST_SW_SRVR_HELLO_B: str="3WSH_B"; break;
321case SSL3_ST_SW_CERT_A: str="3WSC_A"; break;
322case SSL3_ST_SW_CERT_B: str="3WSC_B"; break;
323case SSL3_ST_SW_KEY_EXCH_A: str="3WSKEA"; break;
324case SSL3_ST_SW_KEY_EXCH_B: str="3WSKEB"; break;
325case SSL3_ST_SW_CERT_REQ_A: str="3WCR_A"; break;
326case SSL3_ST_SW_CERT_REQ_B: str="3WCR_B"; break;
327case SSL3_ST_SW_SRVR_DONE_A: str="3WSD_A"; break;
328case SSL3_ST_SW_SRVR_DONE_B: str="3WSD_B"; break;
329case SSL3_ST_SR_CERT_A: str="3RCC_A"; break;
330case SSL3_ST_SR_CERT_B: str="3RCC_B"; break;
331case SSL3_ST_SR_KEY_EXCH_A: str="3RCKEA"; break;
332case SSL3_ST_SR_KEY_EXCH_B: str="3RCKEB"; break;
333case SSL3_ST_SR_CERT_VRFY_A: str="3RCV_A"; break;
334case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break;
335#endif
336
337#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
338/* SSLv2/v3 compatibility states */
339/* client */
340case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break;
341case SSL23_ST_CW_CLNT_HELLO_B: str="23WCHB"; break;
342case SSL23_ST_CR_SRVR_HELLO_A: str="23RSHA"; break;
343case SSL23_ST_CR_SRVR_HELLO_B: str="23RSHA"; break;
344/* server */
345case SSL23_ST_SR_CLNT_HELLO_A: str="23RCHA"; break;
346case SSL23_ST_SR_CLNT_HELLO_B: str="23RCHB"; break;
347#endif
348
349default: str="UNKWN "; break;
350 }
351 return(str);
352 }
353
354const char *SSL_alert_type_string_long(int value)
355 {
356 value>>=8;
357 if (value == SSL3_AL_WARNING)
358 return("warning");
359 else if (value == SSL3_AL_FATAL)
360 return("fatal");
361 else
362 return("unknown");
363 }
364
365const char *SSL_alert_type_string(int value)
366 {
367 value>>=8;
368 if (value == SSL3_AL_WARNING)
369 return("W");
370 else if (value == SSL3_AL_FATAL)
371 return("F");
372 else
373 return("U");
374 }
375
376const char *SSL_alert_desc_string(int value)
377 {
378 const char *str;
379
380 switch (value & 0xff)
381 {
382 case SSL3_AD_CLOSE_NOTIFY: str="CN"; break;
383 case SSL3_AD_UNEXPECTED_MESSAGE: str="UM"; break;
384 case SSL3_AD_BAD_RECORD_MAC: str="BM"; break;
385 case SSL3_AD_DECOMPRESSION_FAILURE: str="DF"; break;
386 case SSL3_AD_HANDSHAKE_FAILURE: str="HF"; break;
387 case SSL3_AD_NO_CERTIFICATE: str="NC"; break;
388 case SSL3_AD_BAD_CERTIFICATE: str="BC"; break;
389 case SSL3_AD_UNSUPPORTED_CERTIFICATE: str="UC"; break;
390 case SSL3_AD_CERTIFICATE_REVOKED: str="CR"; break;
391 case SSL3_AD_CERTIFICATE_EXPIRED: str="CE"; break;
392 case SSL3_AD_CERTIFICATE_UNKNOWN: str="CU"; break;
393 case SSL3_AD_ILLEGAL_PARAMETER: str="IP"; break;
394 case TLS1_AD_DECRYPTION_FAILED: str="DC"; break;
395 case TLS1_AD_RECORD_OVERFLOW: str="RO"; break;
396 case TLS1_AD_UNKNOWN_CA: str="CA"; break;
397 case TLS1_AD_ACCESS_DENIED: str="AD"; break;
398 case TLS1_AD_DECODE_ERROR: str="DE"; break;
399 case TLS1_AD_DECRYPT_ERROR: str="CY"; break;
400 case TLS1_AD_EXPORT_RESTRICTION: str="ER"; break;
401 case TLS1_AD_PROTOCOL_VERSION: str="PV"; break;
402 case TLS1_AD_INSUFFICIENT_SECURITY: str="IS"; break;
403 case TLS1_AD_INTERNAL_ERROR: str="IE"; break;
404 case TLS1_AD_USER_CANCELLED: str="US"; break;
405 case TLS1_AD_NO_RENEGOTIATION: str="NR"; break;
406 default: str="UK"; break;
407 }
408 return(str);
409 }
410
411const char *SSL_alert_desc_string_long(int value)
412 {
413 const char *str;
414
415 switch (value & 0xff)
416 {
417 case SSL3_AD_CLOSE_NOTIFY:
418 str="close notify";
419 break;
420 case SSL3_AD_UNEXPECTED_MESSAGE:
421 str="unexpected_message";
422 break;
423 case SSL3_AD_BAD_RECORD_MAC:
424 str="bad record mac";
425 break;
426 case SSL3_AD_DECOMPRESSION_FAILURE:
427 str="decompression failure";
428 break;
429 case SSL3_AD_HANDSHAKE_FAILURE:
430 str="handshake failure";
431 break;
432 case SSL3_AD_NO_CERTIFICATE:
433 str="no certificate";
434 break;
435 case SSL3_AD_BAD_CERTIFICATE:
436 str="bad certificate";
437 break;
438 case SSL3_AD_UNSUPPORTED_CERTIFICATE:
439 str="unsupported certificate";
440 break;
441 case SSL3_AD_CERTIFICATE_REVOKED:
442 str="certificate revoked";
443 break;
444 case SSL3_AD_CERTIFICATE_EXPIRED:
445 str="certificate expired";
446 break;
447 case SSL3_AD_CERTIFICATE_UNKNOWN:
448 str="certificate unknown";
449 break;
450 case SSL3_AD_ILLEGAL_PARAMETER:
451 str="illegal parameter";
452 break;
453 case TLS1_AD_DECRYPTION_FAILED:
454 str="decryption failed";
455 break;
456 case TLS1_AD_RECORD_OVERFLOW:
457 str="record overflow";
458 break;
459 case TLS1_AD_UNKNOWN_CA:
460 str="unknown CA";
461 break;
462 case TLS1_AD_ACCESS_DENIED:
463 str="access denied";
464 break;
465 case TLS1_AD_DECODE_ERROR:
466 str="decode error";
467 break;
468 case TLS1_AD_DECRYPT_ERROR:
469 str="decrypt error";
470 break;
471 case TLS1_AD_EXPORT_RESTRICTION:
472 str="export restriction";
473 break;
474 case TLS1_AD_PROTOCOL_VERSION:
475 str="protocol version";
476 break;
477 case TLS1_AD_INSUFFICIENT_SECURITY:
478 str="insufficient security";
479 break;
480 case TLS1_AD_INTERNAL_ERROR:
481 str="internal error";
482 break;
483 case TLS1_AD_USER_CANCELLED:
484 str="user canceled";
485 break;
486 case TLS1_AD_NO_RENEGOTIATION:
487 str="no renegotiation";
488 break;
489 default: str="unknown"; break;
490 }
491 return(str);
492 }
493
494const char *SSL_rstate_string(const SSL *s)
495 {
496 const char *str;
497
498 switch (s->rstate)
499 {
500 case SSL_ST_READ_HEADER:str="RH"; break;
501 case SSL_ST_READ_BODY: str="RB"; break;
502 case SSL_ST_READ_DONE: str="RD"; break;
503 default: str="unknown"; break;
504 }
505 return(str);
506 }
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
deleted file mode 100644
index 06b86750fd..0000000000
--- a/src/lib/libssl/ssl_txt.c
+++ /dev/null
@@ -1,203 +0,0 @@
1/* ssl/ssl_txt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/buffer.h>
61#include "ssl_locl.h"
62
63#ifndef OPENSSL_NO_FP_API
64int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
65 {
66 BIO *b;
67 int ret;
68
69 if ((b=BIO_new(BIO_s_file_internal())) == NULL)
70 {
71 SSLerr(SSL_F_SSL_SESSION_PRINT_FP,ERR_R_BUF_LIB);
72 return(0);
73 }
74 BIO_set_fp(b,fp,BIO_NOCLOSE);
75 ret=SSL_SESSION_print(b,x);
76 BIO_free(b);
77 return(ret);
78 }
79#endif
80
81int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
82 {
83 unsigned int i;
84 const char *s;
85
86 if (x == NULL) goto err;
87 if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err;
88 if (x->ssl_version == SSL2_VERSION)
89 s="SSLv2";
90 else if (x->ssl_version == SSL3_VERSION)
91 s="SSLv3";
92 else if (x->ssl_version == TLS1_VERSION)
93 s="TLSv1";
94 else
95 s="unknown";
96 if (BIO_printf(bp," Protocol : %s\n",s) <= 0) goto err;
97
98 if (x->cipher == NULL)
99 {
100 if (((x->cipher_id) & 0xff000000) == 0x02000000)
101 {
102 if (BIO_printf(bp," Cipher : %06lX\n",x->cipher_id&0xffffff) <= 0)
103 goto err;
104 }
105 else
106 {
107 if (BIO_printf(bp," Cipher : %04lX\n",x->cipher_id&0xffff) <= 0)
108 goto err;
109 }
110 }
111 else
112 {
113 if (BIO_printf(bp," Cipher : %s\n",((x->cipher == NULL)?"unknown":x->cipher->name)) <= 0)
114 goto err;
115 }
116 if (BIO_puts(bp," Session-ID: ") <= 0) goto err;
117 for (i=0; i<x->session_id_length; i++)
118 {
119 if (BIO_printf(bp,"%02X",x->session_id[i]) <= 0) goto err;
120 }
121 if (BIO_puts(bp,"\n Session-ID-ctx: ") <= 0) goto err;
122 for (i=0; i<x->sid_ctx_length; i++)
123 {
124 if (BIO_printf(bp,"%02X",x->sid_ctx[i]) <= 0)
125 goto err;
126 }
127 if (BIO_puts(bp,"\n Master-Key: ") <= 0) goto err;
128 for (i=0; i<(unsigned int)x->master_key_length; i++)
129 {
130 if (BIO_printf(bp,"%02X",x->master_key[i]) <= 0) goto err;
131 }
132 if (BIO_puts(bp,"\n Key-Arg : ") <= 0) goto err;
133 if (x->key_arg_length == 0)
134 {
135 if (BIO_puts(bp,"None") <= 0) goto err;
136 }
137 else
138 for (i=0; i<x->key_arg_length; i++)
139 {
140 if (BIO_printf(bp,"%02X",x->key_arg[i]) <= 0) goto err;
141 }
142#ifndef OPENSSL_NO_KRB5
143 if (BIO_puts(bp,"\n Krb5 Principal: ") <= 0) goto err;
144 if (x->krb5_client_princ_len == 0)
145 {
146 if (BIO_puts(bp,"None") <= 0) goto err;
147 }
148 else
149 for (i=0; i<x->krb5_client_princ_len; i++)
150 {
151 if (BIO_printf(bp,"%02X",x->krb5_client_princ[i]) <= 0) goto err;
152 }
153#endif /* OPENSSL_NO_KRB5 */
154#ifndef OPENSSL_NO_TLSEXT
155 if (x->tlsext_tick_lifetime_hint)
156 {
157 if (BIO_printf(bp,
158 "\n TLS session ticket lifetime hint: %ld (seconds)",
159 x->tlsext_tick_lifetime_hint) <=0)
160 goto err;
161 }
162 if (x->tlsext_tick)
163 {
164 if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0) goto err;
165 if (BIO_dump_indent(bp, (char *)x->tlsext_tick, x->tlsext_ticklen, 4) <= 0)
166 goto err;
167 }
168#endif
169#ifndef OPENSSL_NO_COMP
170 if (x->compress_meth != 0)
171 {
172 SSL_COMP *comp = NULL;
173
174 ssl_cipher_get_evp(x,NULL,NULL,&comp);
175 if (comp == NULL)
176 {
177 if (BIO_printf(bp,"\n Compression: %d",x->compress_meth) <= 0) goto err;
178 }
179 else
180 {
181 if (BIO_printf(bp,"\n Compression: %d (%s)", comp->id,comp->method->name) <= 0) goto err;
182 }
183 }
184#endif
185 if (x->time != 0L)
186 {
187 if (BIO_printf(bp, "\n Start Time: %ld",x->time) <= 0) goto err;
188 }
189 if (x->timeout != 0L)
190 {
191 if (BIO_printf(bp, "\n Timeout : %ld (sec)",x->timeout) <= 0) goto err;
192 }
193 if (BIO_puts(bp,"\n") <= 0) goto err;
194
195 if (BIO_puts(bp, " Verify return code: ") <= 0) goto err;
196 if (BIO_printf(bp, "%ld (%s)\n", x->verify_result,
197 X509_verify_cert_error_string(x->verify_result)) <= 0) goto err;
198
199 return(1);
200err:
201 return(0);
202 }
203
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-01-09 16:28:48 +0000