summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl.h2588
-rw-r--r--src/lib/libssl/ssl/Makefile43
-rw-r--r--src/lib/libssl/ssl/shlib_version2
-rw-r--r--src/lib/libssl/ssl2.h272
-rw-r--r--src/lib/libssl/ssl23.h83
-rw-r--r--src/lib/libssl/ssl3.h693
-rw-r--r--src/lib/libssl/ssl_algs.c150
-rw-r--r--src/lib/libssl/ssl_asn1.c642
-rw-r--r--src/lib/libssl/ssl_cert.c853
-rw-r--r--src/lib/libssl/ssl_ciph.c1853
-rw-r--r--src/lib/libssl/ssl_err.c610
-rw-r--r--src/lib/libssl/ssl_err2.c70
-rw-r--r--src/lib/libssl/ssl_lib.c3262
-rw-r--r--src/lib/libssl/ssl_locl.h1177
-rw-r--r--src/lib/libssl/ssl_rsa.c783
-rw-r--r--src/lib/libssl/ssl_sess.c1159
-rw-r--r--src/lib/libssl/ssl_stat.c567
-rw-r--r--src/lib/libssl/ssl_txt.c248
18 files changed, 0 insertions, 15055 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
deleted file mode 100644
index 7219a0e64b..0000000000
--- a/src/lib/libssl/ssl.h
+++ /dev/null
@@ -1,2588 +0,0 @@
1/* ssl/ssl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#ifndef HEADER_SSL_H
144#define HEADER_SSL_H
145
146#include <openssl/e_os2.h>
147
148#ifndef OPENSSL_NO_COMP
149#include <openssl/comp.h>
150#endif
151#ifndef OPENSSL_NO_BIO
152#include <openssl/bio.h>
153#endif
154#ifndef OPENSSL_NO_DEPRECATED
155#ifndef OPENSSL_NO_X509
156#include <openssl/x509.h>
157#endif
158#include <openssl/crypto.h>
159#include <openssl/lhash.h>
160#include <openssl/buffer.h>
161#endif
162#include <openssl/pem.h>
163#include <openssl/hmac.h>
164
165#include <openssl/kssl.h>
166#include <openssl/safestack.h>
167#include <openssl/symhacks.h>
168
169#ifdef __cplusplus
170extern "C" {
171#endif
172
173/* SSLeay version number for ASN.1 encoding of the session information */
174/* Version 0 - initial version
175 * Version 1 - added the optional peer certificate
176 */
177#define SSL_SESSION_ASN1_VERSION 0x0001
178
179/* text strings for the ciphers */
180#define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5
181#define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5
182#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5
183#define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5
184#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5
185#define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5
186#define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5
187#define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA
188#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
189#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
190
191/* VRS Additional Kerberos5 entries
192 */
193#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
194#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
195#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA
196#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
197#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
198#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
199#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5
200#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
201
202#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
203#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA
204#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA
205#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
206#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5
207#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5
208
209#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
210#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
211#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
212#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
213#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
214#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
215#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256
216
217#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
218#define SSL_MAX_SID_CTX_LENGTH 32
219
220#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8)
221#define SSL_MAX_KEY_ARG_LENGTH 8
222#define SSL_MAX_MASTER_KEY_LENGTH 48
223
224
225/* These are used to specify which ciphers to use and not to use */
226
227#define SSL_TXT_EXP40 "EXPORT40"
228#define SSL_TXT_EXP56 "EXPORT56"
229#define SSL_TXT_LOW "LOW"
230#define SSL_TXT_MEDIUM "MEDIUM"
231#define SSL_TXT_HIGH "HIGH"
232#define SSL_TXT_FIPS "FIPS"
233
234#define SSL_TXT_kFZA "kFZA" /* unused! */
235#define SSL_TXT_aFZA "aFZA" /* unused! */
236#define SSL_TXT_eFZA "eFZA" /* unused! */
237#define SSL_TXT_FZA "FZA" /* unused! */
238
239#define SSL_TXT_aNULL "aNULL"
240#define SSL_TXT_eNULL "eNULL"
241#define SSL_TXT_NULL "NULL"
242
243#define SSL_TXT_kRSA "kRSA"
244#define SSL_TXT_kDHr "kDHr" /* no such ciphersuites supported! */
245#define SSL_TXT_kDHd "kDHd" /* no such ciphersuites supported! */
246#define SSL_TXT_kDH "kDH" /* no such ciphersuites supported! */
247#define SSL_TXT_kEDH "kEDH"
248#define SSL_TXT_kKRB5 "kKRB5"
249#define SSL_TXT_kECDHr "kECDHr"
250#define SSL_TXT_kECDHe "kECDHe"
251#define SSL_TXT_kECDH "kECDH"
252#define SSL_TXT_kEECDH "kEECDH"
253#define SSL_TXT_kPSK "kPSK"
254#define SSL_TXT_kGOST "kGOST"
255#define SSL_TXT_kSRP "kSRP"
256
257#define SSL_TXT_aRSA "aRSA"
258#define SSL_TXT_aDSS "aDSS"
259#define SSL_TXT_aDH "aDH" /* no such ciphersuites supported! */
260#define SSL_TXT_aECDH "aECDH"
261#define SSL_TXT_aKRB5 "aKRB5"
262#define SSL_TXT_aECDSA "aECDSA"
263#define SSL_TXT_aPSK "aPSK"
264#define SSL_TXT_aGOST94 "aGOST94"
265#define SSL_TXT_aGOST01 "aGOST01"
266#define SSL_TXT_aGOST "aGOST"
267
268#define SSL_TXT_DSS "DSS"
269#define SSL_TXT_DH "DH"
270#define SSL_TXT_EDH "EDH" /* same as "kEDH:-ADH" */
271#define SSL_TXT_ADH "ADH"
272#define SSL_TXT_RSA "RSA"
273#define SSL_TXT_ECDH "ECDH"
274#define SSL_TXT_EECDH "EECDH" /* same as "kEECDH:-AECDH" */
275#define SSL_TXT_AECDH "AECDH"
276#define SSL_TXT_ECDSA "ECDSA"
277#define SSL_TXT_KRB5 "KRB5"
278#define SSL_TXT_PSK "PSK"
279#define SSL_TXT_SRP "SRP"
280
281#define SSL_TXT_DES "DES"
282#define SSL_TXT_3DES "3DES"
283#define SSL_TXT_RC4 "RC4"
284#define SSL_TXT_RC2 "RC2"
285#define SSL_TXT_IDEA "IDEA"
286#define SSL_TXT_SEED "SEED"
287#define SSL_TXT_AES128 "AES128"
288#define SSL_TXT_AES256 "AES256"
289#define SSL_TXT_AES "AES"
290#define SSL_TXT_AES_GCM "AESGCM"
291#define SSL_TXT_CAMELLIA128 "CAMELLIA128"
292#define SSL_TXT_CAMELLIA256 "CAMELLIA256"
293#define SSL_TXT_CAMELLIA "CAMELLIA"
294
295#define SSL_TXT_MD5 "MD5"
296#define SSL_TXT_SHA1 "SHA1"
297#define SSL_TXT_SHA "SHA" /* same as "SHA1" */
298#define SSL_TXT_GOST94 "GOST94"
299#define SSL_TXT_GOST89MAC "GOST89MAC"
300#define SSL_TXT_SHA256 "SHA256"
301#define SSL_TXT_SHA384 "SHA384"
302
303#define SSL_TXT_SSLV2 "SSLv2"
304#define SSL_TXT_SSLV3 "SSLv3"
305#define SSL_TXT_TLSV1 "TLSv1"
306#define SSL_TXT_TLSV1_1 "TLSv1.1"
307#define SSL_TXT_TLSV1_2 "TLSv1.2"
308
309#define SSL_TXT_EXP "EXP"
310#define SSL_TXT_EXPORT "EXPORT"
311
312#define SSL_TXT_ALL "ALL"
313
314/*
315 * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
316 * ciphers normally not being used.
317 * Example: "RC4" will activate all ciphers using RC4 including ciphers
318 * without authentication, which would normally disabled by DEFAULT (due
319 * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
320 * will make sure that it is also disabled in the specific selection.
321 * COMPLEMENTOF* identifiers are portable between version, as adjustments
322 * to the default cipher setup will also be included here.
323 *
324 * COMPLEMENTOFDEFAULT does not experience the same special treatment that
325 * DEFAULT gets, as only selection is being done and no sorting as needed
326 * for DEFAULT.
327 */
328#define SSL_TXT_CMPALL "COMPLEMENTOFALL"
329#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
330
331/* The following cipher list is used by default.
332 * It also is substituted when an application-defined cipher list string
333 * starts with 'DEFAULT'. */
334#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
335/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
336 * starts with a reasonable order, and all we have to do for DEFAULT is
337 * throwing out anonymous and unencrypted ciphersuites!
338 * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
339 * some of them.)
340 */
341
342/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
343#define SSL_SENT_SHUTDOWN 1
344#define SSL_RECEIVED_SHUTDOWN 2
345
346#ifdef __cplusplus
347}
348#endif
349
350#ifdef __cplusplus
351extern "C" {
352#endif
353
354#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
355#define OPENSSL_NO_SSL2
356#endif
357
358#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
359#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
360
361/* This is needed to stop compilers complaining about the
362 * 'struct ssl_st *' function parameters used to prototype callbacks
363 * in SSL_CTX. */
364typedef struct ssl_st *ssl_crock_st;
365typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
366typedef struct ssl_method_st SSL_METHOD;
367typedef struct ssl_cipher_st SSL_CIPHER;
368typedef struct ssl_session_st SSL_SESSION;
369
370DECLARE_STACK_OF(SSL_CIPHER)
371
372/* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
373typedef struct srtp_protection_profile_st
374 {
375 const char *name;
376 unsigned long id;
377 } SRTP_PROTECTION_PROFILE;
378
379DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
380
381typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
382typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
383
384
385#ifndef OPENSSL_NO_SSL_INTERN
386
387/* used to hold info on the particular ciphers used */
388struct ssl_cipher_st
389 {
390 int valid;
391 const char *name; /* text name */
392 unsigned long id; /* id, 4 bytes, first is version */
393
394 /* changed in 0.9.9: these four used to be portions of a single value 'algorithms' */
395 unsigned long algorithm_mkey; /* key exchange algorithm */
396 unsigned long algorithm_auth; /* server authentication */
397 unsigned long algorithm_enc; /* symmetric encryption */
398 unsigned long algorithm_mac; /* symmetric authentication */
399 unsigned long algorithm_ssl; /* (major) protocol version */
400
401 unsigned long algo_strength; /* strength and export flags */
402 unsigned long algorithm2; /* Extra flags */
403 int strength_bits; /* Number of bits really used */
404 int alg_bits; /* Number of bits for algorithm */
405 };
406
407
408/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
409struct ssl_method_st
410 {
411 int version;
412 int (*ssl_new)(SSL *s);
413 void (*ssl_clear)(SSL *s);
414 void (*ssl_free)(SSL *s);
415 int (*ssl_accept)(SSL *s);
416 int (*ssl_connect)(SSL *s);
417 int (*ssl_read)(SSL *s,void *buf,int len);
418 int (*ssl_peek)(SSL *s,void *buf,int len);
419 int (*ssl_write)(SSL *s,const void *buf,int len);
420 int (*ssl_shutdown)(SSL *s);
421 int (*ssl_renegotiate)(SSL *s);
422 int (*ssl_renegotiate_check)(SSL *s);
423 long (*ssl_get_message)(SSL *s, int st1, int stn, int mt, long
424 max, int *ok);
425 int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len,
426 int peek);
427 int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
428 int (*ssl_dispatch_alert)(SSL *s);
429 long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg);
430 long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
431 const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
432 int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
433 int (*ssl_pending)(const SSL *s);
434 int (*num_ciphers)(void);
435 const SSL_CIPHER *(*get_cipher)(unsigned ncipher);
436 const struct ssl_method_st *(*get_ssl_method)(int version);
437 long (*get_timeout)(void);
438 struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
439 int (*ssl_version)(void);
440 long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void));
441 long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
442 };
443
444/* Lets make this into an ASN.1 type structure as follows
445 * SSL_SESSION_ID ::= SEQUENCE {
446 * version INTEGER, -- structure version number
447 * SSLversion INTEGER, -- SSL version number
448 * Cipher OCTET STRING, -- the 3 byte cipher ID
449 * Session_ID OCTET STRING, -- the Session ID
450 * Master_key OCTET STRING, -- the master key
451 * KRB5_principal OCTET STRING -- optional Kerberos principal
452 * Key_Arg [ 0 ] IMPLICIT OCTET STRING, -- the optional Key argument
453 * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
454 * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
455 * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
456 * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context
457 * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer'
458 * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension
459 * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
460 * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity
461 * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
462 * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only)
463 * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method
464 * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
465 * }
466 * Look in ssl/ssl_asn1.c for more details
467 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
468 */
469struct ssl_session_st
470 {
471 int ssl_version; /* what ssl version session info is
472 * being kept in here? */
473
474 /* only really used in SSLv2 */
475 unsigned int key_arg_length;
476 unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
477 int master_key_length;
478 unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
479 /* session_id - valid? */
480 unsigned int session_id_length;
481 unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
482 /* this is used to determine whether the session is being reused in
483 * the appropriate context. It is up to the application to set this,
484 * via SSL_new */
485 unsigned int sid_ctx_length;
486 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
487
488#ifndef OPENSSL_NO_KRB5
489 unsigned int krb5_client_princ_len;
490 unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
491#endif /* OPENSSL_NO_KRB5 */
492#ifndef OPENSSL_NO_PSK
493 char *psk_identity_hint;
494 char *psk_identity;
495#endif
496 /* Used to indicate that session resumption is not allowed.
497 * Applications can also set this bit for a new session via
498 * not_resumable_session_cb to disable session caching and tickets. */
499 int not_resumable;
500
501 /* The cert is the certificate used to establish this connection */
502 struct sess_cert_st /* SESS_CERT */ *sess_cert;
503
504 /* This is the cert for the other end.
505 * On clients, it will be the same as sess_cert->peer_key->x509
506 * (the latter is not enough as sess_cert is not retained
507 * in the external representation of sessions, see ssl_asn1.c). */
508 X509 *peer;
509 /* when app_verify_callback accepts a session where the peer's certificate
510 * is not ok, we must remember the error for session reuse: */
511 long verify_result; /* only for servers */
512
513 int references;
514 long timeout;
515 long time;
516
517 unsigned int compress_meth; /* Need to lookup the method */
518
519 const SSL_CIPHER *cipher;
520 unsigned long cipher_id; /* when ASN.1 loaded, this
521 * needs to be used to load
522 * the 'cipher' structure */
523
524 STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
525
526 CRYPTO_EX_DATA ex_data; /* application specific data */
527
528 /* These are used to make removal of session-ids more
529 * efficient and to implement a maximum cache size. */
530 struct ssl_session_st *prev,*next;
531#ifndef OPENSSL_NO_TLSEXT
532 char *tlsext_hostname;
533#ifndef OPENSSL_NO_EC
534 size_t tlsext_ecpointformatlist_length;
535 unsigned char *tlsext_ecpointformatlist; /* peer's list */
536 size_t tlsext_ellipticcurvelist_length;
537 unsigned char *tlsext_ellipticcurvelist; /* peer's list */
538#endif /* OPENSSL_NO_EC */
539 /* RFC4507 info */
540 unsigned char *tlsext_tick; /* Session ticket */
541 size_t tlsext_ticklen; /* Session ticket length */
542 long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
543#endif
544#ifndef OPENSSL_NO_SRP
545 char *srp_username;
546#endif
547 };
548
549#endif
550
551#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
552#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
553/* Allow initial connection to servers that don't support RI */
554#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
555#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
556#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
557#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
558#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L
559#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
560#define SSL_OP_TLS_D5_BUG 0x00000100L
561#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
562
563/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
564#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
565
566/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
567 * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
568 * the workaround is not needed. Unfortunately some broken SSL/TLS
569 * implementations cannot handle it at all, which is why we include
570 * it in SSL_OP_ALL. */
571#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */
572
573/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
574 * This used to be 0x000FFFFFL before 0.9.7. */
575#define SSL_OP_ALL 0x80000BFFL
576
577/* DTLS options */
578#define SSL_OP_NO_QUERY_MTU 0x00001000L
579/* Turn on Cookie Exchange (on relevant for servers) */
580#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
581/* Don't use RFC4507 ticket extension */
582#define SSL_OP_NO_TICKET 0x00004000L
583/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
584#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
585
586/* As server, disallow session resumption on renegotiation */
587#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
588/* Don't use compression even if supported */
589#define SSL_OP_NO_COMPRESSION 0x00020000L
590/* Permit unsafe legacy renegotiation */
591#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
592/* If set, always create a new key when using tmp_ecdh parameters */
593#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
594/* If set, always create a new key when using tmp_dh parameters */
595#define SSL_OP_SINGLE_DH_USE 0x00100000L
596/* Set to always use the tmp_rsa key when doing RSA operations,
597 * even when this violates protocol specs */
598#define SSL_OP_EPHEMERAL_RSA 0x00200000L
599/* Set on servers to choose the cipher according to the server's
600 * preferences */
601#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
602/* If set, a server will allow a client to issue a SSLv3.0 version number
603 * as latest version supported in the premaster secret, even when TLSv1.0
604 * (version 3.1) was announced in the client hello. Normally this is
605 * forbidden to prevent version rollback attacks. */
606#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L
607
608#define SSL_OP_NO_SSLv2 0x01000000L
609#define SSL_OP_NO_SSLv3 0x02000000L
610#define SSL_OP_NO_TLSv1 0x04000000L
611#define SSL_OP_NO_TLSv1_2 0x08000000L
612#define SSL_OP_NO_TLSv1_1 0x10000000L
613
614/* These next two were never actually used for anything since SSLeay
615 * zap so we have some more flags.
616 */
617/* The next flag deliberately changes the ciphertest, this is a check
618 * for the PKCS#1 attack */
619#define SSL_OP_PKCS1_CHECK_1 0x0
620#define SSL_OP_PKCS1_CHECK_2 0x0
621
622#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
623#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
624/* Make server add server-hello extension from early version of
625 * cryptopro draft, when GOST ciphersuite is negotiated.
626 * Required for interoperability with CryptoPro CSP 3.x
627 */
628#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000L
629
630/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
631 * when just a single record has been written): */
632#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L
633/* Make it possible to retry SSL_write() with changed buffer location
634 * (buffer contents must stay the same!); this is not the default to avoid
635 * the misconception that non-blocking SSL_write() behaves like
636 * non-blocking write(): */
637#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
638/* Never bother the application with retries if the transport
639 * is blocking: */
640#define SSL_MODE_AUTO_RETRY 0x00000004L
641/* Don't attempt to automatically build certificate chain */
642#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
643/* Save RAM by releasing read and write buffers when they're empty. (SSL3 and
644 * TLS only.) "Released" buffers are put onto a free-list in the context
645 * or just freed (depending on the context's setting for freelist_max_len). */
646#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
647/* Send the current time in the Random fields of the ClientHello and
648 * ServerHello records for compatibility with hypothetical implementations
649 * that require it.
650 */
651#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
652#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
653
654/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
655 * they cannot be used to clear bits. */
656
657#define SSL_CTX_set_options(ctx,op) \
658 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
659#define SSL_CTX_clear_options(ctx,op) \
660 SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
661#define SSL_CTX_get_options(ctx) \
662 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
663#define SSL_set_options(ssl,op) \
664 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
665#define SSL_clear_options(ssl,op) \
666 SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
667#define SSL_get_options(ssl) \
668 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
669
670#define SSL_CTX_set_mode(ctx,op) \
671 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
672#define SSL_CTX_clear_mode(ctx,op) \
673 SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
674#define SSL_CTX_get_mode(ctx) \
675 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
676#define SSL_clear_mode(ssl,op) \
677 SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
678#define SSL_set_mode(ssl,op) \
679 SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
680#define SSL_get_mode(ssl) \
681 SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
682#define SSL_set_mtu(ssl, mtu) \
683 SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
684
685#define SSL_get_secure_renegotiation_support(ssl) \
686 SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
687
688#ifndef OPENSSL_NO_HEARTBEATS
689#define SSL_heartbeat(ssl) \
690 SSL_ctrl((ssl),SSL_CTRL_TLS_EXT_SEND_HEARTBEAT,0,NULL)
691#endif
692
693void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
694void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
695#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
696#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
697
698#ifndef OPENSSL_NO_SRP
699
700#ifndef OPENSSL_NO_SSL_INTERN
701
702typedef struct srp_ctx_st
703 {
704 /* param for all the callbacks */
705 void *SRP_cb_arg;
706 /* set client Hello login callback */
707 int (*TLS_ext_srp_username_callback)(SSL *, int *, void *);
708 /* set SRP N/g param callback for verification */
709 int (*SRP_verify_param_callback)(SSL *, void *);
710 /* set SRP client passwd callback */
711 char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *);
712
713 char *login;
714 BIGNUM *N,*g,*s,*B,*A;
715 BIGNUM *a,*b,*v;
716 char *info;
717 int strength;
718
719 unsigned long srp_Mask;
720 } SRP_CTX;
721
722#endif
723
724/* see tls_srp.c */
725int SSL_SRP_CTX_init(SSL *s);
726int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
727int SSL_SRP_CTX_free(SSL *ctx);
728int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
729int SSL_srp_server_param_with_username(SSL *s, int *ad);
730int SRP_generate_server_master_secret(SSL *s,unsigned char *master_key);
731int SRP_Calc_A_param(SSL *s);
732int SRP_generate_client_master_secret(SSL *s,unsigned char *master_key);
733
734#endif
735
736#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
737#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */
738#else
739#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
740#endif
741
742#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
743
744/* This callback type is used inside SSL_CTX, SSL, and in the functions that set
745 * them. It is used to override the generation of SSL/TLS session IDs in a
746 * server. Return value should be zero on an error, non-zero to proceed. Also,
747 * callbacks should themselves check if the id they generate is unique otherwise
748 * the SSL handshake will fail with an error - callbacks can do this using the
749 * 'ssl' value they're passed by;
750 * SSL_has_matching_session_id(ssl, id, *id_len)
751 * The length value passed in is set at the maximum size the session ID can be.
752 * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
753 * can alter this length to be less if desired, but under SSLv2 session IDs are
754 * supposed to be fixed at 16 bytes so the id will be padded after the callback
755 * returns in this case. It is also an error for the callback to set the size to
756 * zero. */
757typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
758 unsigned int *id_len);
759
760typedef struct ssl_comp_st SSL_COMP;
761
762#ifndef OPENSSL_NO_SSL_INTERN
763
764struct ssl_comp_st
765 {
766 int id;
767 const char *name;
768#ifndef OPENSSL_NO_COMP
769 COMP_METHOD *method;
770#else
771 char *method;
772#endif
773 };
774
775DECLARE_STACK_OF(SSL_COMP)
776DECLARE_LHASH_OF(SSL_SESSION);
777
778struct ssl_ctx_st
779 {
780 const SSL_METHOD *method;
781
782 STACK_OF(SSL_CIPHER) *cipher_list;
783 /* same as above but sorted for lookup */
784 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
785
786 struct x509_store_st /* X509_STORE */ *cert_store;
787 LHASH_OF(SSL_SESSION) *sessions;
788 /* Most session-ids that will be cached, default is
789 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
790 unsigned long session_cache_size;
791 struct ssl_session_st *session_cache_head;
792 struct ssl_session_st *session_cache_tail;
793
794 /* This can have one of 2 values, ored together,
795 * SSL_SESS_CACHE_CLIENT,
796 * SSL_SESS_CACHE_SERVER,
797 * Default is SSL_SESSION_CACHE_SERVER, which means only
798 * SSL_accept which cache SSL_SESSIONS. */
799 int session_cache_mode;
800
801 /* If timeout is not 0, it is the default timeout value set
802 * when SSL_new() is called. This has been put in to make
803 * life easier to set things up */
804 long session_timeout;
805
806 /* If this callback is not null, it will be called each
807 * time a session id is added to the cache. If this function
808 * returns 1, it means that the callback will do a
809 * SSL_SESSION_free() when it has finished using it. Otherwise,
810 * on 0, it means the callback has finished with it.
811 * If remove_session_cb is not null, it will be called when
812 * a session-id is removed from the cache. After the call,
813 * OpenSSL will SSL_SESSION_free() it. */
814 int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess);
815 void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
816 SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
817 unsigned char *data,int len,int *copy);
818
819 struct
820 {
821 int sess_connect; /* SSL new conn - started */
822 int sess_connect_renegotiate;/* SSL reneg - requested */
823 int sess_connect_good; /* SSL new conne/reneg - finished */
824 int sess_accept; /* SSL new accept - started */
825 int sess_accept_renegotiate;/* SSL reneg - requested */
826 int sess_accept_good; /* SSL accept/reneg - finished */
827 int sess_miss; /* session lookup misses */
828 int sess_timeout; /* reuse attempt on timeouted session */
829 int sess_cache_full; /* session removed due to full cache */
830 int sess_hit; /* session reuse actually done */
831 int sess_cb_hit; /* session-id that was not
832 * in the cache was
833 * passed back via the callback. This
834 * indicates that the application is
835 * supplying session-id's from other
836 * processes - spooky :-) */
837 } stats;
838
839 int references;
840
841 /* if defined, these override the X509_verify_cert() calls */
842 int (*app_verify_callback)(X509_STORE_CTX *, void *);
843 void *app_verify_arg;
844 /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored
845 * ('app_verify_callback' was called with just one argument) */
846
847 /* Default password callback. */
848 pem_password_cb *default_passwd_callback;
849
850 /* Default password callback user data. */
851 void *default_passwd_callback_userdata;
852
853 /* get client cert callback */
854 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
855
856 /* cookie generate callback */
857 int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
858 unsigned int *cookie_len);
859
860 /* verify cookie callback */
861 int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie,
862 unsigned int cookie_len);
863
864 CRYPTO_EX_DATA ex_data;
865
866 const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
867 const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
868 const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
869
870 STACK_OF(X509) *extra_certs;
871 STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
872
873
874 /* Default values used when no per-SSL value is defined follow */
875
876 void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */
877
878 /* what we put in client cert requests */
879 STACK_OF(X509_NAME) *client_CA;
880
881
882 /* Default values to use in SSL structures follow (these are copied by SSL_new) */
883
884 unsigned long options;
885 unsigned long mode;
886 long max_cert_list;
887
888 struct cert_st /* CERT */ *cert;
889 int read_ahead;
890
891 /* callback that allows applications to peek at protocol messages */
892 void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
893 void *msg_callback_arg;
894
895 int verify_mode;
896 unsigned int sid_ctx_length;
897 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
898 int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
899
900 /* Default generate session ID callback. */
901 GEN_SESSION_CB generate_session_id;
902
903 X509_VERIFY_PARAM *param;
904
905#if 0
906 int purpose; /* Purpose setting */
907 int trust; /* Trust setting */
908#endif
909
910 int quiet_shutdown;
911
912 /* Maximum amount of data to send in one fragment.
913 * actual record size can be more than this due to
914 * padding and MAC overheads.
915 */
916 unsigned int max_send_fragment;
917
918#ifndef OPENSSL_NO_ENGINE
919 /* Engine to pass requests for client certs to
920 */
921 ENGINE *client_cert_engine;
922#endif
923
924#ifndef OPENSSL_NO_TLSEXT
925 /* TLS extensions servername callback */
926 int (*tlsext_servername_callback)(SSL*, int *, void *);
927 void *tlsext_servername_arg;
928 /* RFC 4507 session ticket keys */
929 unsigned char tlsext_tick_key_name[16];
930 unsigned char tlsext_tick_hmac_key[16];
931 unsigned char tlsext_tick_aes_key[16];
932 /* Callback to support customisation of ticket key setting */
933 int (*tlsext_ticket_key_cb)(SSL *ssl,
934 unsigned char *name, unsigned char *iv,
935 EVP_CIPHER_CTX *ectx,
936 HMAC_CTX *hctx, int enc);
937
938 /* certificate status request info */
939 /* Callback for status request */
940 int (*tlsext_status_cb)(SSL *ssl, void *arg);
941 void *tlsext_status_arg;
942
943 /* draft-rescorla-tls-opaque-prf-input-00.txt information */
944 int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
945 void *tlsext_opaque_prf_input_callback_arg;
946#endif
947
948#ifndef OPENSSL_NO_PSK
949 char *psk_identity_hint;
950 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, char *identity,
951 unsigned int max_identity_len, unsigned char *psk,
952 unsigned int max_psk_len);
953 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
954 unsigned char *psk, unsigned int max_psk_len);
955#endif
956
957#ifndef OPENSSL_NO_BUF_FREELISTS
958#define SSL_MAX_BUF_FREELIST_LEN_DEFAULT 32
959 unsigned int freelist_max_len;
960 struct ssl3_buf_freelist_st *wbuf_freelist;
961 struct ssl3_buf_freelist_st *rbuf_freelist;
962#endif
963#ifndef OPENSSL_NO_SRP
964 SRP_CTX srp_ctx; /* ctx for SRP authentication */
965#endif
966
967#ifndef OPENSSL_NO_TLSEXT
968
969# ifndef OPENSSL_NO_NEXTPROTONEG
970 /* Next protocol negotiation information */
971 /* (for experimental NPN extension). */
972
973 /* For a server, this contains a callback function by which the set of
974 * advertised protocols can be provided. */
975 int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
976 unsigned int *len, void *arg);
977 void *next_protos_advertised_cb_arg;
978 /* For a client, this contains a callback function that selects the
979 * next protocol from the list provided by the server. */
980 int (*next_proto_select_cb)(SSL *s, unsigned char **out,
981 unsigned char *outlen,
982 const unsigned char *in,
983 unsigned int inlen,
984 void *arg);
985 void *next_proto_select_cb_arg;
986# endif
987 /* SRTP profiles we are willing to do from RFC 5764 */
988 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
989#endif
990 };
991
992#endif
993
994#define SSL_SESS_CACHE_OFF 0x0000
995#define SSL_SESS_CACHE_CLIENT 0x0001
996#define SSL_SESS_CACHE_SERVER 0x0002
997#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
998#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
999/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
1000#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
1001#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
1002#define SSL_SESS_CACHE_NO_INTERNAL \
1003 (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
1004
1005LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
1006#define SSL_CTX_sess_number(ctx) \
1007 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
1008#define SSL_CTX_sess_connect(ctx) \
1009 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
1010#define SSL_CTX_sess_connect_good(ctx) \
1011 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
1012#define SSL_CTX_sess_connect_renegotiate(ctx) \
1013 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
1014#define SSL_CTX_sess_accept(ctx) \
1015 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
1016#define SSL_CTX_sess_accept_renegotiate(ctx) \
1017 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
1018#define SSL_CTX_sess_accept_good(ctx) \
1019 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
1020#define SSL_CTX_sess_hits(ctx) \
1021 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
1022#define SSL_CTX_sess_cb_hits(ctx) \
1023 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
1024#define SSL_CTX_sess_misses(ctx) \
1025 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
1026#define SSL_CTX_sess_timeouts(ctx) \
1027 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
1028#define SSL_CTX_sess_cache_full(ctx) \
1029 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
1030
1031void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess));
1032int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess);
1033void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess));
1034void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
1035void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,int len,int *copy));
1036SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *Data, int len, int *copy);
1037void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,int val));
1038void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
1039void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
1040int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
1041#ifndef OPENSSL_NO_ENGINE
1042int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
1043#endif
1044void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
1045void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
1046#ifndef OPENSSL_NO_NEXTPROTONEG
1047void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
1048 int (*cb) (SSL *ssl,
1049 const unsigned char **out,
1050 unsigned int *outlen,
1051 void *arg),
1052 void *arg);
1053void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
1054 int (*cb) (SSL *ssl,
1055 unsigned char **out,
1056 unsigned char *outlen,
1057 const unsigned char *in,
1058 unsigned int inlen,
1059 void *arg),
1060 void *arg);
1061
1062int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
1063 const unsigned char *in, unsigned int inlen,
1064 const unsigned char *client, unsigned int client_len);
1065void SSL_get0_next_proto_negotiated(const SSL *s,
1066 const unsigned char **data, unsigned *len);
1067
1068#define OPENSSL_NPN_UNSUPPORTED 0
1069#define OPENSSL_NPN_NEGOTIATED 1
1070#define OPENSSL_NPN_NO_OVERLAP 2
1071#endif
1072
1073#ifndef OPENSSL_NO_PSK
1074/* the maximum length of the buffer given to callbacks containing the
1075 * resulting identity/psk */
1076#define PSK_MAX_IDENTITY_LEN 128
1077#define PSK_MAX_PSK_LEN 256
1078void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
1079 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
1080 char *identity, unsigned int max_identity_len, unsigned char *psk,
1081 unsigned int max_psk_len));
1082void SSL_set_psk_client_callback(SSL *ssl,
1083 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
1084 char *identity, unsigned int max_identity_len, unsigned char *psk,
1085 unsigned int max_psk_len));
1086void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
1087 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
1088 unsigned char *psk, unsigned int max_psk_len));
1089void SSL_set_psk_server_callback(SSL *ssl,
1090 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
1091 unsigned char *psk, unsigned int max_psk_len));
1092int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint);
1093int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint);
1094const char *SSL_get_psk_identity_hint(const SSL *s);
1095const char *SSL_get_psk_identity(const SSL *s);
1096#endif
1097
1098#define SSL_NOTHING 1
1099#define SSL_WRITING 2
1100#define SSL_READING 3
1101#define SSL_X509_LOOKUP 4
1102
1103/* These will only be used when doing non-blocking IO */
1104#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
1105#define SSL_want_read(s) (SSL_want(s) == SSL_READING)
1106#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
1107#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
1108
1109#define SSL_MAC_FLAG_READ_MAC_STREAM 1
1110#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
1111
1112#ifndef OPENSSL_NO_SSL_INTERN
1113
1114struct ssl_st
1115 {
1116 /* protocol version
1117 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
1118 */
1119 int version;
1120 int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
1121
1122 const SSL_METHOD *method; /* SSLv3 */
1123
1124 /* There are 2 BIO's even though they are normally both the
1125 * same. This is so data can be read and written to different
1126 * handlers */
1127
1128#ifndef OPENSSL_NO_BIO
1129 BIO *rbio; /* used by SSL_read */
1130 BIO *wbio; /* used by SSL_write */
1131 BIO *bbio; /* used during session-id reuse to concatenate
1132 * messages */
1133#else
1134 char *rbio; /* used by SSL_read */
1135 char *wbio; /* used by SSL_write */
1136 char *bbio;
1137#endif
1138 /* This holds a variable that indicates what we were doing
1139 * when a 0 or -1 is returned. This is needed for
1140 * non-blocking IO so we know what request needs re-doing when
1141 * in SSL_accept or SSL_connect */
1142 int rwstate;
1143
1144 /* true when we are actually in SSL_accept() or SSL_connect() */
1145 int in_handshake;
1146 int (*handshake_func)(SSL *);
1147
1148 /* Imagine that here's a boolean member "init" that is
1149 * switched as soon as SSL_set_{accept/connect}_state
1150 * is called for the first time, so that "state" and
1151 * "handshake_func" are properly initialized. But as
1152 * handshake_func is == 0 until then, we use this
1153 * test instead of an "init" member.
1154 */
1155
1156 int server; /* are we the server side? - mostly used by SSL_clear*/
1157
1158 int new_session;/* Generate a new session or reuse an old one.
1159 * NB: For servers, the 'new' session may actually be a previously
1160 * cached session or even the previous session unless
1161 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
1162 int quiet_shutdown;/* don't send shutdown packets */
1163 int shutdown; /* we have shut things down, 0x01 sent, 0x02
1164 * for received */
1165 int state; /* where we are */
1166 int rstate; /* where we are when reading */
1167
1168 BUF_MEM *init_buf; /* buffer used during init */
1169 void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */
1170 int init_num; /* amount read/written */
1171 int init_off; /* amount read/written */
1172
1173 /* used internally to point at a raw packet */
1174 unsigned char *packet;
1175 unsigned int packet_length;
1176
1177 struct ssl2_state_st *s2; /* SSLv2 variables */
1178 struct ssl3_state_st *s3; /* SSLv3 variables */
1179 struct dtls1_state_st *d1; /* DTLSv1 variables */
1180
1181 int read_ahead; /* Read as many input bytes as possible
1182 * (for non-blocking reads) */
1183
1184 /* callback that allows applications to peek at protocol messages */
1185 void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
1186 void *msg_callback_arg;
1187
1188 int hit; /* reusing a previous session */
1189
1190 X509_VERIFY_PARAM *param;
1191
1192#if 0
1193 int purpose; /* Purpose setting */
1194 int trust; /* Trust setting */
1195#endif
1196
1197 /* crypto */
1198 STACK_OF(SSL_CIPHER) *cipher_list;
1199 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1200
1201 /* These are the ones being used, the ones in SSL_SESSION are
1202 * the ones to be 'copied' into these ones */
1203 int mac_flags;
1204 EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
1205 EVP_MD_CTX *read_hash; /* used for mac generation */
1206#ifndef OPENSSL_NO_COMP
1207 COMP_CTX *expand; /* uncompress */
1208#else
1209 char *expand;
1210#endif
1211
1212 EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
1213 EVP_MD_CTX *write_hash; /* used for mac generation */
1214#ifndef OPENSSL_NO_COMP
1215 COMP_CTX *compress; /* compression */
1216#else
1217 char *compress;
1218#endif
1219
1220 /* session info */
1221
1222 /* client cert? */
1223 /* This is used to hold the server certificate used */
1224 struct cert_st /* CERT */ *cert;
1225
1226 /* the session_id_context is used to ensure sessions are only reused
1227 * in the appropriate context */
1228 unsigned int sid_ctx_length;
1229 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
1230
1231 /* This can also be in the session once a session is established */
1232 SSL_SESSION *session;
1233
1234 /* Default generate session ID callback. */
1235 GEN_SESSION_CB generate_session_id;
1236
1237 /* Used in SSL2 and SSL3 */
1238 int verify_mode; /* 0 don't care about verify failure.
1239 * 1 fail if verify fails */
1240 int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
1241
1242 void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
1243
1244 int error; /* error bytes to be written */
1245 int error_code; /* actual code */
1246
1247#ifndef OPENSSL_NO_KRB5
1248 KSSL_CTX *kssl_ctx; /* Kerberos 5 context */
1249#endif /* OPENSSL_NO_KRB5 */
1250
1251#ifndef OPENSSL_NO_PSK
1252 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, char *identity,
1253 unsigned int max_identity_len, unsigned char *psk,
1254 unsigned int max_psk_len);
1255 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
1256 unsigned char *psk, unsigned int max_psk_len);
1257#endif
1258
1259 SSL_CTX *ctx;
1260 /* set this flag to 1 and a sleep(1) is put into all SSL_read()
1261 * and SSL_write() calls, good for nbio debuging :-) */
1262 int debug;
1263
1264 /* extra application data */
1265 long verify_result;
1266 CRYPTO_EX_DATA ex_data;
1267
1268 /* for server side, keep the list of CA_dn we can use */
1269 STACK_OF(X509_NAME) *client_CA;
1270
1271 int references;
1272 unsigned long options; /* protocol behaviour */
1273 unsigned long mode; /* API behaviour */
1274 long max_cert_list;
1275 int first_packet;
1276 int client_version; /* what was passed, used for
1277 * SSLv3/TLS rollback check */
1278 unsigned int max_send_fragment;
1279#ifndef OPENSSL_NO_TLSEXT
1280 /* TLS extension debug callback */
1281 void (*tlsext_debug_cb)(SSL *s, int client_server, int type,
1282 unsigned char *data, int len,
1283 void *arg);
1284 void *tlsext_debug_arg;
1285 char *tlsext_hostname;
1286 int servername_done; /* no further mod of servername
1287 0 : call the servername extension callback.
1288 1 : prepare 2, allow last ack just after in server callback.
1289 2 : don't call servername callback, no ack in server hello
1290 */
1291 /* certificate status request info */
1292 /* Status type or -1 if no status type */
1293 int tlsext_status_type;
1294 /* Expect OCSP CertificateStatus message */
1295 int tlsext_status_expected;
1296 /* OCSP status request only */
1297 STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids;
1298 X509_EXTENSIONS *tlsext_ocsp_exts;
1299 /* OCSP response received or to be sent */
1300 unsigned char *tlsext_ocsp_resp;
1301 int tlsext_ocsp_resplen;
1302
1303 /* RFC4507 session ticket expected to be received or sent */
1304 int tlsext_ticket_expected;
1305#ifndef OPENSSL_NO_EC
1306 size_t tlsext_ecpointformatlist_length;
1307 unsigned char *tlsext_ecpointformatlist; /* our list */
1308 size_t tlsext_ellipticcurvelist_length;
1309 unsigned char *tlsext_ellipticcurvelist; /* our list */
1310#endif /* OPENSSL_NO_EC */
1311
1312 /* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */
1313 void *tlsext_opaque_prf_input;
1314 size_t tlsext_opaque_prf_input_len;
1315
1316 /* TLS Session Ticket extension override */
1317 TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
1318
1319 /* TLS Session Ticket extension callback */
1320 tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
1321 void *tls_session_ticket_ext_cb_arg;
1322
1323 /* TLS pre-shared secret session resumption */
1324 tls_session_secret_cb_fn tls_session_secret_cb;
1325 void *tls_session_secret_cb_arg;
1326
1327 SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
1328
1329#ifndef OPENSSL_NO_NEXTPROTONEG
1330 /* Next protocol negotiation. For the client, this is the protocol that
1331 * we sent in NextProtocol and is set when handling ServerHello
1332 * extensions.
1333 *
1334 * For a server, this is the client's selected_protocol from
1335 * NextProtocol and is set when handling the NextProtocol message,
1336 * before the Finished message. */
1337 unsigned char *next_proto_negotiated;
1338 unsigned char next_proto_negotiated_len;
1339#endif
1340
1341#define session_ctx initial_ctx
1342
1343 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */
1344 SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */
1345
1346 unsigned int tlsext_heartbeat; /* Is use of the Heartbeat extension negotiated?
1347 0: disabled
1348 1: enabled
1349 2: enabled, but not allowed to send Requests
1350 */
1351 unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
1352 unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */
1353#else
1354#define session_ctx ctx
1355#endif /* OPENSSL_NO_TLSEXT */
1356
1357 int renegotiate;/* 1 if we are renegotiating.
1358 * 2 if we are a server and are inside a handshake
1359 * (i.e. not just sending a HelloRequest) */
1360
1361#ifndef OPENSSL_NO_SRP
1362 SRP_CTX srp_ctx; /* ctx for SRP authentication */
1363#endif
1364 };
1365
1366#endif
1367
1368#ifdef __cplusplus
1369}
1370#endif
1371
1372#include <openssl/ssl2.h>
1373#include <openssl/ssl3.h>
1374#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
1375#include <openssl/dtls1.h> /* Datagram TLS */
1376#include <openssl/ssl23.h>
1377#include <openssl/srtp.h> /* Support for the use_srtp extension */
1378
1379#ifdef __cplusplus
1380extern "C" {
1381#endif
1382
1383/* compatibility */
1384#define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg))
1385#define SSL_get_app_data(s) (SSL_get_ex_data(s,0))
1386#define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0,(char *)a))
1387#define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0))
1388#define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0))
1389#define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg))
1390
1391/* The following are the possible values for ssl->state are are
1392 * used to indicate where we are up to in the SSL connection establishment.
1393 * The macros that follow are about the only things you should need to use
1394 * and even then, only when using non-blocking IO.
1395 * It can also be useful to work out where you were when the connection
1396 * failed */
1397
1398#define SSL_ST_CONNECT 0x1000
1399#define SSL_ST_ACCEPT 0x2000
1400#define SSL_ST_MASK 0x0FFF
1401#define SSL_ST_INIT (SSL_ST_CONNECT|SSL_ST_ACCEPT)
1402#define SSL_ST_BEFORE 0x4000
1403#define SSL_ST_OK 0x03
1404#define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
1405
1406#define SSL_CB_LOOP 0x01
1407#define SSL_CB_EXIT 0x02
1408#define SSL_CB_READ 0x04
1409#define SSL_CB_WRITE 0x08
1410#define SSL_CB_ALERT 0x4000 /* used in callback */
1411#define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)
1412#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)
1413#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)
1414#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)
1415#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)
1416#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)
1417#define SSL_CB_HANDSHAKE_START 0x10
1418#define SSL_CB_HANDSHAKE_DONE 0x20
1419
1420/* Is the SSL_connection established? */
1421#define SSL_get_state(a) SSL_state(a)
1422#define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK)
1423#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT)
1424#define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE)
1425#define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT)
1426#define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT)
1427
1428/* The following 2 states are kept in ssl->rstate when reads fail,
1429 * you should not need these */
1430#define SSL_ST_READ_HEADER 0xF0
1431#define SSL_ST_READ_BODY 0xF1
1432#define SSL_ST_READ_DONE 0xF2
1433
1434/* Obtain latest Finished message
1435 * -- that we sent (SSL_get_finished)
1436 * -- that we expected from peer (SSL_get_peer_finished).
1437 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
1438size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
1439size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
1440
1441/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
1442 * are 'ored' with SSL_VERIFY_PEER if they are desired */
1443#define SSL_VERIFY_NONE 0x00
1444#define SSL_VERIFY_PEER 0x01
1445#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
1446#define SSL_VERIFY_CLIENT_ONCE 0x04
1447
1448#define OpenSSL_add_ssl_algorithms() SSL_library_init()
1449#define SSLeay_add_ssl_algorithms() SSL_library_init()
1450
1451/* this is for backward compatibility */
1452#if 0 /* NEW_SSLEAY */
1453#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
1454#define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n)
1455#define SSL_add_session(a,b) SSL_CTX_add_session((a),(b))
1456#define SSL_remove_session(a,b) SSL_CTX_remove_session((a),(b))
1457#define SSL_flush_sessions(a,b) SSL_CTX_flush_sessions((a),(b))
1458#endif
1459/* More backward compatibility */
1460#define SSL_get_cipher(s) \
1461 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1462#define SSL_get_cipher_bits(s,np) \
1463 SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
1464#define SSL_get_cipher_version(s) \
1465 SSL_CIPHER_get_version(SSL_get_current_cipher(s))
1466#define SSL_get_cipher_name(s) \
1467 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1468#define SSL_get_time(a) SSL_SESSION_get_time(a)
1469#define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b))
1470#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a)
1471#define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b))
1472
1473#define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
1474#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
1475
1476DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
1477
1478#define SSL_AD_REASON_OFFSET 1000 /* offset to get SSL_R_... value from SSL_AD_... */
1479
1480/* These alert types are for SSLv3 and TLSv1 */
1481#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
1482#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
1483#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC /* fatal */
1484#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED
1485#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW
1486#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
1487#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE/* fatal */
1488#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not for TLS */
1489#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
1490#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE
1491#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED
1492#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED
1493#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN
1494#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */
1495#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */
1496#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */
1497#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */
1498#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR
1499#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION/* fatal */
1500#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */
1501#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
1502#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
1503#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
1504#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
1505#define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION
1506#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
1507#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
1508#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
1509#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
1510#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
1511
1512#define SSL_ERROR_NONE 0
1513#define SSL_ERROR_SSL 1
1514#define SSL_ERROR_WANT_READ 2
1515#define SSL_ERROR_WANT_WRITE 3
1516#define SSL_ERROR_WANT_X509_LOOKUP 4
1517#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */
1518#define SSL_ERROR_ZERO_RETURN 6
1519#define SSL_ERROR_WANT_CONNECT 7
1520#define SSL_ERROR_WANT_ACCEPT 8
1521
1522#define SSL_CTRL_NEED_TMP_RSA 1
1523#define SSL_CTRL_SET_TMP_RSA 2
1524#define SSL_CTRL_SET_TMP_DH 3
1525#define SSL_CTRL_SET_TMP_ECDH 4
1526#define SSL_CTRL_SET_TMP_RSA_CB 5
1527#define SSL_CTRL_SET_TMP_DH_CB 6
1528#define SSL_CTRL_SET_TMP_ECDH_CB 7
1529
1530#define SSL_CTRL_GET_SESSION_REUSED 8
1531#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
1532#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10
1533#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
1534#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12
1535#define SSL_CTRL_GET_FLAGS 13
1536#define SSL_CTRL_EXTRA_CHAIN_CERT 14
1537
1538#define SSL_CTRL_SET_MSG_CALLBACK 15
1539#define SSL_CTRL_SET_MSG_CALLBACK_ARG 16
1540
1541/* only applies to datagram connections */
1542#define SSL_CTRL_SET_MTU 17
1543/* Stats */
1544#define SSL_CTRL_SESS_NUMBER 20
1545#define SSL_CTRL_SESS_CONNECT 21
1546#define SSL_CTRL_SESS_CONNECT_GOOD 22
1547#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
1548#define SSL_CTRL_SESS_ACCEPT 24
1549#define SSL_CTRL_SESS_ACCEPT_GOOD 25
1550#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
1551#define SSL_CTRL_SESS_HIT 27
1552#define SSL_CTRL_SESS_CB_HIT 28
1553#define SSL_CTRL_SESS_MISSES 29
1554#define SSL_CTRL_SESS_TIMEOUTS 30
1555#define SSL_CTRL_SESS_CACHE_FULL 31
1556#define SSL_CTRL_OPTIONS 32
1557#define SSL_CTRL_MODE 33
1558
1559#define SSL_CTRL_GET_READ_AHEAD 40
1560#define SSL_CTRL_SET_READ_AHEAD 41
1561#define SSL_CTRL_SET_SESS_CACHE_SIZE 42
1562#define SSL_CTRL_GET_SESS_CACHE_SIZE 43
1563#define SSL_CTRL_SET_SESS_CACHE_MODE 44
1564#define SSL_CTRL_GET_SESS_CACHE_MODE 45
1565
1566#define SSL_CTRL_GET_MAX_CERT_LIST 50
1567#define SSL_CTRL_SET_MAX_CERT_LIST 51
1568
1569#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52
1570
1571/* see tls1.h for macros based on these */
1572#ifndef OPENSSL_NO_TLSEXT
1573#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
1574#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
1575#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
1576#define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56
1577#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57
1578#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58
1579#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59
1580#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT 60
1581#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61
1582#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62
1583#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
1584#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
1585#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65
1586#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66
1587#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67
1588#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68
1589#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69
1590#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70
1591#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71
1592
1593#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72
1594
1595#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75
1596#define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76
1597#define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77
1598
1599#define SSL_CTRL_SET_SRP_ARG 78
1600#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79
1601#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80
1602#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81
1603#ifndef OPENSSL_NO_HEARTBEATS
1604#define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT 85
1605#define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING 86
1606#define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS 87
1607#endif
1608#endif
1609
1610#define DTLS_CTRL_GET_TIMEOUT 73
1611#define DTLS_CTRL_HANDLE_TIMEOUT 74
1612#define DTLS_CTRL_LISTEN 75
1613
1614#define SSL_CTRL_GET_RI_SUPPORT 76
1615#define SSL_CTRL_CLEAR_OPTIONS 77
1616#define SSL_CTRL_CLEAR_MODE 78
1617
1618#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
1619#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
1620
1621#define DTLSv1_get_timeout(ssl, arg) \
1622 SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
1623#define DTLSv1_handle_timeout(ssl) \
1624 SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL)
1625#define DTLSv1_listen(ssl, peer) \
1626 SSL_ctrl(ssl,DTLS_CTRL_LISTEN,0, (void *)peer)
1627
1628#define SSL_session_reused(ssl) \
1629 SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
1630#define SSL_num_renegotiations(ssl) \
1631 SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
1632#define SSL_clear_num_renegotiations(ssl) \
1633 SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
1634#define SSL_total_renegotiations(ssl) \
1635 SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
1636
1637#define SSL_CTX_need_tmp_RSA(ctx) \
1638 SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
1639#define SSL_CTX_set_tmp_rsa(ctx,rsa) \
1640 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
1641#define SSL_CTX_set_tmp_dh(ctx,dh) \
1642 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
1643#define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
1644 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
1645
1646#define SSL_need_tmp_RSA(ssl) \
1647 SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
1648#define SSL_set_tmp_rsa(ssl,rsa) \
1649 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
1650#define SSL_set_tmp_dh(ssl,dh) \
1651 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
1652#define SSL_set_tmp_ecdh(ssl,ecdh) \
1653 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
1654
1655#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
1656 SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
1657#define SSL_CTX_get_extra_chain_certs(ctx,px509) \
1658 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
1659#define SSL_CTX_clear_extra_chain_certs(ctx) \
1660 SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
1661
1662#ifndef OPENSSL_NO_BIO
1663BIO_METHOD *BIO_f_ssl(void);
1664BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
1665BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
1666BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
1667int BIO_ssl_copy_session_id(BIO *to,BIO *from);
1668void BIO_ssl_shutdown(BIO *ssl_bio);
1669
1670#endif
1671
1672int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
1673SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
1674void SSL_CTX_free(SSL_CTX *);
1675long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
1676long SSL_CTX_get_timeout(const SSL_CTX *ctx);
1677X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
1678void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
1679int SSL_want(const SSL *s);
1680int SSL_clear(SSL *s);
1681
1682void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
1683
1684const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
1685int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
1686char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
1687const char * SSL_CIPHER_get_name(const SSL_CIPHER *c);
1688unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c);
1689
1690int SSL_get_fd(const SSL *s);
1691int SSL_get_rfd(const SSL *s);
1692int SSL_get_wfd(const SSL *s);
1693const char * SSL_get_cipher_list(const SSL *s,int n);
1694char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
1695int SSL_get_read_ahead(const SSL * s);
1696int SSL_pending(const SSL *s);
1697#ifndef OPENSSL_NO_SOCK
1698int SSL_set_fd(SSL *s, int fd);
1699int SSL_set_rfd(SSL *s, int fd);
1700int SSL_set_wfd(SSL *s, int fd);
1701#endif
1702#ifndef OPENSSL_NO_BIO
1703void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
1704BIO * SSL_get_rbio(const SSL *s);
1705BIO * SSL_get_wbio(const SSL *s);
1706#endif
1707int SSL_set_cipher_list(SSL *s, const char *str);
1708void SSL_set_read_ahead(SSL *s, int yes);
1709int SSL_get_verify_mode(const SSL *s);
1710int SSL_get_verify_depth(const SSL *s);
1711int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
1712void SSL_set_verify(SSL *s, int mode,
1713 int (*callback)(int ok,X509_STORE_CTX *ctx));
1714void SSL_set_verify_depth(SSL *s, int depth);
1715#ifndef OPENSSL_NO_RSA
1716int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
1717#endif
1718int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
1719int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
1720int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len);
1721int SSL_use_certificate(SSL *ssl, X509 *x);
1722int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
1723
1724#ifndef OPENSSL_NO_STDIO
1725int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
1726int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
1727int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
1728int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1729int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1730int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
1731int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */
1732STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
1733int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1734 const char *file);
1735#ifndef OPENSSL_SYS_VMS
1736#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */
1737int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1738 const char *dir);
1739#endif
1740#endif
1741
1742#endif
1743
1744void SSL_load_error_strings(void );
1745const char *SSL_state_string(const SSL *s);
1746const char *SSL_rstate_string(const SSL *s);
1747const char *SSL_state_string_long(const SSL *s);
1748const char *SSL_rstate_string_long(const SSL *s);
1749long SSL_SESSION_get_time(const SSL_SESSION *s);
1750long SSL_SESSION_set_time(SSL_SESSION *s, long t);
1751long SSL_SESSION_get_timeout(const SSL_SESSION *s);
1752long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1753void SSL_copy_session_id(SSL *to,const SSL *from);
1754X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
1755int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
1756 unsigned int sid_ctx_len);
1757
1758SSL_SESSION *SSL_SESSION_new(void);
1759const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
1760 unsigned int *len);
1761unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
1762#ifndef OPENSSL_NO_FP_API
1763int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
1764#endif
1765#ifndef OPENSSL_NO_BIO
1766int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
1767#endif
1768void SSL_SESSION_free(SSL_SESSION *ses);
1769int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
1770int SSL_set_session(SSL *to, SSL_SESSION *session);
1771int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
1772int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
1773int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
1774int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
1775int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1776 unsigned int id_len);
1777SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char **pp,
1778 long length);
1779
1780#ifdef HEADER_X509_H
1781X509 * SSL_get_peer_certificate(const SSL *s);
1782#endif
1783
1784STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
1785
1786int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
1787int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
1788int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
1789void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
1790 int (*callback)(int, X509_STORE_CTX *));
1791void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
1792void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg);
1793#ifndef OPENSSL_NO_RSA
1794int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
1795#endif
1796int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
1797int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
1798int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
1799 const unsigned char *d, long len);
1800int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
1801int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
1802
1803void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
1804void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
1805
1806int SSL_CTX_check_private_key(const SSL_CTX *ctx);
1807int SSL_check_private_key(const SSL *ctx);
1808
1809int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
1810 unsigned int sid_ctx_len);
1811
1812SSL * SSL_new(SSL_CTX *ctx);
1813int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
1814 unsigned int sid_ctx_len);
1815
1816int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
1817int SSL_set_purpose(SSL *s, int purpose);
1818int SSL_CTX_set_trust(SSL_CTX *s, int trust);
1819int SSL_set_trust(SSL *s, int trust);
1820
1821int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
1822int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
1823
1824#ifndef OPENSSL_NO_SRP
1825int SSL_CTX_set_srp_username(SSL_CTX *ctx,char *name);
1826int SSL_CTX_set_srp_password(SSL_CTX *ctx,char *password);
1827int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
1828int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
1829 char *(*cb)(SSL *,void *));
1830int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
1831 int (*cb)(SSL *,void *));
1832int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
1833 int (*cb)(SSL *,int *,void *));
1834int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
1835
1836int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
1837 BIGNUM *sa, BIGNUM *v, char *info);
1838int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
1839 const char *grp);
1840
1841BIGNUM *SSL_get_srp_g(SSL *s);
1842BIGNUM *SSL_get_srp_N(SSL *s);
1843
1844char *SSL_get_srp_username(SSL *s);
1845char *SSL_get_srp_userinfo(SSL *s);
1846#endif
1847
1848void SSL_free(SSL *ssl);
1849int SSL_accept(SSL *ssl);
1850int SSL_connect(SSL *ssl);
1851int SSL_read(SSL *ssl,void *buf,int num);
1852int SSL_peek(SSL *ssl,void *buf,int num);
1853int SSL_write(SSL *ssl,const void *buf,int num);
1854long SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg);
1855long SSL_callback_ctrl(SSL *, int, void (*)(void));
1856long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
1857long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
1858
1859int SSL_get_error(const SSL *s,int ret_code);
1860const char *SSL_get_version(const SSL *s);
1861
1862/* This sets the 'default' SSL version that SSL_new() will create */
1863int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
1864
1865#ifndef OPENSSL_NO_SSL2
1866const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
1867const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
1868const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
1869#endif
1870
1871const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
1872const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
1873const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
1874
1875const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */
1876const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */
1877const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */
1878
1879const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
1880const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
1881const SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
1882
1883const SSL_METHOD *TLSv1_1_method(void); /* TLSv1.1 */
1884const SSL_METHOD *TLSv1_1_server_method(void); /* TLSv1.1 */
1885const SSL_METHOD *TLSv1_1_client_method(void); /* TLSv1.1 */
1886
1887const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */
1888const SSL_METHOD *TLSv1_2_server_method(void); /* TLSv1.2 */
1889const SSL_METHOD *TLSv1_2_client_method(void); /* TLSv1.2 */
1890
1891
1892const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
1893const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
1894const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
1895
1896STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
1897
1898int SSL_do_handshake(SSL *s);
1899int SSL_renegotiate(SSL *s);
1900int SSL_renegotiate_abbreviated(SSL *s);
1901int SSL_renegotiate_pending(SSL *s);
1902int SSL_shutdown(SSL *s);
1903
1904const SSL_METHOD *SSL_get_ssl_method(SSL *s);
1905int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
1906const char *SSL_alert_type_string_long(int value);
1907const char *SSL_alert_type_string(int value);
1908const char *SSL_alert_desc_string_long(int value);
1909const char *SSL_alert_desc_string(int value);
1910
1911void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
1912void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
1913STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
1914STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
1915int SSL_add_client_CA(SSL *ssl,X509 *x);
1916int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
1917
1918void SSL_set_connect_state(SSL *s);
1919void SSL_set_accept_state(SSL *s);
1920
1921long SSL_get_default_timeout(const SSL *s);
1922
1923int SSL_library_init(void );
1924
1925char *SSL_CIPHER_description(const SSL_CIPHER *,char *buf,int size);
1926STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
1927
1928SSL *SSL_dup(SSL *ssl);
1929
1930X509 *SSL_get_certificate(const SSL *ssl);
1931/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
1932
1933void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
1934int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
1935void SSL_set_quiet_shutdown(SSL *ssl,int mode);
1936int SSL_get_quiet_shutdown(const SSL *ssl);
1937void SSL_set_shutdown(SSL *ssl,int mode);
1938int SSL_get_shutdown(const SSL *ssl);
1939int SSL_version(const SSL *ssl);
1940int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
1941int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
1942 const char *CApath);
1943#define SSL_get0_session SSL_get_session /* just peek at pointer */
1944SSL_SESSION *SSL_get_session(const SSL *ssl);
1945SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
1946SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
1947SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx);
1948void SSL_set_info_callback(SSL *ssl,
1949 void (*cb)(const SSL *ssl,int type,int val));
1950void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
1951int SSL_state(const SSL *ssl);
1952void SSL_set_state(SSL *ssl, int state);
1953
1954void SSL_set_verify_result(SSL *ssl,long v);
1955long SSL_get_verify_result(const SSL *ssl);
1956
1957int SSL_set_ex_data(SSL *ssl,int idx,void *data);
1958void *SSL_get_ex_data(const SSL *ssl,int idx);
1959int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1960 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1961
1962int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
1963void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
1964int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1965 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1966
1967int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
1968void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
1969int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1970 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1971
1972int SSL_get_ex_data_X509_STORE_CTX_idx(void );
1973
1974#define SSL_CTX_sess_set_cache_size(ctx,t) \
1975 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
1976#define SSL_CTX_sess_get_cache_size(ctx) \
1977 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
1978#define SSL_CTX_set_session_cache_mode(ctx,m) \
1979 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
1980#define SSL_CTX_get_session_cache_mode(ctx) \
1981 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
1982
1983#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
1984#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
1985#define SSL_CTX_get_read_ahead(ctx) \
1986 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
1987#define SSL_CTX_set_read_ahead(ctx,m) \
1988 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
1989#define SSL_CTX_get_max_cert_list(ctx) \
1990 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1991#define SSL_CTX_set_max_cert_list(ctx,m) \
1992 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1993#define SSL_get_max_cert_list(ssl) \
1994 SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1995#define SSL_set_max_cert_list(ssl,m) \
1996 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1997
1998#define SSL_CTX_set_max_send_fragment(ctx,m) \
1999 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
2000#define SSL_set_max_send_fragment(ssl,m) \
2001 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
2002
2003 /* NB: the keylength is only applicable when is_export is true */
2004#ifndef OPENSSL_NO_RSA
2005void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
2006 RSA *(*cb)(SSL *ssl,int is_export,
2007 int keylength));
2008
2009void SSL_set_tmp_rsa_callback(SSL *ssl,
2010 RSA *(*cb)(SSL *ssl,int is_export,
2011 int keylength));
2012#endif
2013#ifndef OPENSSL_NO_DH
2014void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
2015 DH *(*dh)(SSL *ssl,int is_export,
2016 int keylength));
2017void SSL_set_tmp_dh_callback(SSL *ssl,
2018 DH *(*dh)(SSL *ssl,int is_export,
2019 int keylength));
2020#endif
2021#ifndef OPENSSL_NO_ECDH
2022void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
2023 EC_KEY *(*ecdh)(SSL *ssl,int is_export,
2024 int keylength));
2025void SSL_set_tmp_ecdh_callback(SSL *ssl,
2026 EC_KEY *(*ecdh)(SSL *ssl,int is_export,
2027 int keylength));
2028#endif
2029
2030#ifndef OPENSSL_NO_COMP
2031const COMP_METHOD *SSL_get_current_compression(SSL *s);
2032const COMP_METHOD *SSL_get_current_expansion(SSL *s);
2033const char *SSL_COMP_get_name(const COMP_METHOD *comp);
2034STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
2035int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
2036#else
2037const void *SSL_get_current_compression(SSL *s);
2038const void *SSL_get_current_expansion(SSL *s);
2039const char *SSL_COMP_get_name(const void *comp);
2040void *SSL_COMP_get_compression_methods(void);
2041int SSL_COMP_add_compression_method(int id,void *cm);
2042#endif
2043
2044/* TLS extensions functions */
2045int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
2046
2047int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
2048 void *arg);
2049
2050/* Pre-shared secret session resumption functions */
2051int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
2052
2053void SSL_set_debug(SSL *s, int debug);
2054int SSL_cache_hit(SSL *s);
2055
2056/* BEGIN ERROR CODES */
2057/* The following lines are auto generated by the script mkerr.pl. Any changes
2058 * made after this point may be overwritten when the script is next run.
2059 */
2060void ERR_load_SSL_strings(void);
2061
2062/* Error codes for the SSL functions. */
2063
2064/* Function codes. */
2065#define SSL_F_CLIENT_CERTIFICATE 100
2066#define SSL_F_CLIENT_FINISHED 167
2067#define SSL_F_CLIENT_HELLO 101
2068#define SSL_F_CLIENT_MASTER_KEY 102
2069#define SSL_F_D2I_SSL_SESSION 103
2070#define SSL_F_DO_DTLS1_WRITE 245
2071#define SSL_F_DO_SSL3_WRITE 104
2072#define SSL_F_DTLS1_ACCEPT 246
2073#define SSL_F_DTLS1_ADD_CERT_TO_BUF 295
2074#define SSL_F_DTLS1_BUFFER_RECORD 247
2075#define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 316
2076#define SSL_F_DTLS1_CLIENT_HELLO 248
2077#define SSL_F_DTLS1_CONNECT 249
2078#define SSL_F_DTLS1_ENC 250
2079#define SSL_F_DTLS1_GET_HELLO_VERIFY 251
2080#define SSL_F_DTLS1_GET_MESSAGE 252
2081#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 253
2082#define SSL_F_DTLS1_GET_RECORD 254
2083#define SSL_F_DTLS1_HANDLE_TIMEOUT 297
2084#define SSL_F_DTLS1_HEARTBEAT 305
2085#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
2086#define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
2087#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
2088#define SSL_F_DTLS1_PROCESS_RECORD 257
2089#define SSL_F_DTLS1_READ_BYTES 258
2090#define SSL_F_DTLS1_READ_FAILED 259
2091#define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 260
2092#define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 261
2093#define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 262
2094#define SSL_F_DTLS1_SEND_CLIENT_VERIFY 263
2095#define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST 264
2096#define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE 265
2097#define SSL_F_DTLS1_SEND_SERVER_HELLO 266
2098#define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE 267
2099#define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 268
2100#define SSL_F_GET_CLIENT_FINISHED 105
2101#define SSL_F_GET_CLIENT_HELLO 106
2102#define SSL_F_GET_CLIENT_MASTER_KEY 107
2103#define SSL_F_GET_SERVER_FINISHED 108
2104#define SSL_F_GET_SERVER_HELLO 109
2105#define SSL_F_GET_SERVER_VERIFY 110
2106#define SSL_F_I2D_SSL_SESSION 111
2107#define SSL_F_READ_N 112
2108#define SSL_F_REQUEST_CERTIFICATE 113
2109#define SSL_F_SERVER_FINISH 239
2110#define SSL_F_SERVER_HELLO 114
2111#define SSL_F_SERVER_VERIFY 240
2112#define SSL_F_SSL23_ACCEPT 115
2113#define SSL_F_SSL23_CLIENT_HELLO 116
2114#define SSL_F_SSL23_CONNECT 117
2115#define SSL_F_SSL23_GET_CLIENT_HELLO 118
2116#define SSL_F_SSL23_GET_SERVER_HELLO 119
2117#define SSL_F_SSL23_PEEK 237
2118#define SSL_F_SSL23_READ 120
2119#define SSL_F_SSL23_WRITE 121
2120#define SSL_F_SSL2_ACCEPT 122
2121#define SSL_F_SSL2_CONNECT 123
2122#define SSL_F_SSL2_ENC_INIT 124
2123#define SSL_F_SSL2_GENERATE_KEY_MATERIAL 241
2124#define SSL_F_SSL2_PEEK 234
2125#define SSL_F_SSL2_READ 125
2126#define SSL_F_SSL2_READ_INTERNAL 236
2127#define SSL_F_SSL2_SET_CERTIFICATE 126
2128#define SSL_F_SSL2_WRITE 127
2129#define SSL_F_SSL3_ACCEPT 128
2130#define SSL_F_SSL3_ADD_CERT_TO_BUF 296
2131#define SSL_F_SSL3_CALLBACK_CTRL 233
2132#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
2133#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
2134#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304
2135#define SSL_F_SSL3_CLIENT_HELLO 131
2136#define SSL_F_SSL3_CONNECT 132
2137#define SSL_F_SSL3_CTRL 213
2138#define SSL_F_SSL3_CTX_CTRL 133
2139#define SSL_F_SSL3_DIGEST_CACHED_RECORDS 293
2140#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292
2141#define SSL_F_SSL3_ENC 134
2142#define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
2143#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
2144#define SSL_F_SSL3_GET_CERT_STATUS 289
2145#define SSL_F_SSL3_GET_CERT_VERIFY 136
2146#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
2147#define SSL_F_SSL3_GET_CLIENT_HELLO 138
2148#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139
2149#define SSL_F_SSL3_GET_FINISHED 140
2150#define SSL_F_SSL3_GET_KEY_EXCHANGE 141
2151#define SSL_F_SSL3_GET_MESSAGE 142
2152#define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283
2153#define SSL_F_SSL3_GET_NEXT_PROTO 306
2154#define SSL_F_SSL3_GET_RECORD 143
2155#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
2156#define SSL_F_SSL3_GET_SERVER_DONE 145
2157#define SSL_F_SSL3_GET_SERVER_HELLO 146
2158#define SSL_F_SSL3_HANDSHAKE_MAC 285
2159#define SSL_F_SSL3_NEW_SESSION_TICKET 287
2160#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
2161#define SSL_F_SSL3_PEEK 235
2162#define SSL_F_SSL3_READ_BYTES 148
2163#define SSL_F_SSL3_READ_N 149
2164#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
2165#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151
2166#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152
2167#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153
2168#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154
2169#define SSL_F_SSL3_SEND_SERVER_HELLO 242
2170#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155
2171#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
2172#define SSL_F_SSL3_SETUP_READ_BUFFER 156
2173#define SSL_F_SSL3_SETUP_WRITE_BUFFER 291
2174#define SSL_F_SSL3_WRITE_BYTES 158
2175#define SSL_F_SSL3_WRITE_PENDING 159
2176#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 298
2177#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 277
2178#define SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT 307
2179#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
2180#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
2181#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 299
2182#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 278
2183#define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT 308
2184#define SSL_F_SSL_BAD_METHOD 160
2185#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
2186#define SSL_F_SSL_CERT_DUP 221
2187#define SSL_F_SSL_CERT_INST 222
2188#define SSL_F_SSL_CERT_INSTANTIATE 214
2189#define SSL_F_SSL_CERT_NEW 162
2190#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
2191#define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT 280
2192#define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG 279
2193#define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230
2194#define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
2195#define SSL_F_SSL_CLEAR 164
2196#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
2197#define SSL_F_SSL_CREATE_CIPHER_LIST 166
2198#define SSL_F_SSL_CTRL 232
2199#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
2200#define SSL_F_SSL_CTX_MAKE_PROFILES 309
2201#define SSL_F_SSL_CTX_NEW 169
2202#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269
2203#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 290
2204#define SSL_F_SSL_CTX_SET_PURPOSE 226
2205#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219
2206#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
2207#define SSL_F_SSL_CTX_SET_TRUST 229
2208#define SSL_F_SSL_CTX_USE_CERTIFICATE 171
2209#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172
2210#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220
2211#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173
2212#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174
2213#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175
2214#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176
2215#define SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT 272
2216#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177
2217#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178
2218#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179
2219#define SSL_F_SSL_DO_HANDSHAKE 180
2220#define SSL_F_SSL_GET_NEW_SESSION 181
2221#define SSL_F_SSL_GET_PREV_SESSION 217
2222#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
2223#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317
2224#define SSL_F_SSL_GET_SIGN_PKEY 183
2225#define SSL_F_SSL_INIT_WBIO_BUFFER 184
2226#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
2227#define SSL_F_SSL_NEW 186
2228#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
2229#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
2230#define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT 310
2231#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
2232#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
2233#define SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT 311
2234#define SSL_F_SSL_PEEK 270
2235#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
2236#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
2237#define SSL_F_SSL_READ 223
2238#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
2239#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
2240#define SSL_F_SSL_SESSION_NEW 189
2241#define SSL_F_SSL_SESSION_PRINT_FP 190
2242#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
2243#define SSL_F_SSL_SESS_CERT_NEW 225
2244#define SSL_F_SSL_SET_CERT 191
2245#define SSL_F_SSL_SET_CIPHER_LIST 271
2246#define SSL_F_SSL_SET_FD 192
2247#define SSL_F_SSL_SET_PKEY 193
2248#define SSL_F_SSL_SET_PURPOSE 227
2249#define SSL_F_SSL_SET_RFD 194
2250#define SSL_F_SSL_SET_SESSION 195
2251#define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218
2252#define SSL_F_SSL_SET_SESSION_TICKET_EXT 294
2253#define SSL_F_SSL_SET_TRUST 228
2254#define SSL_F_SSL_SET_WFD 196
2255#define SSL_F_SSL_SHUTDOWN 224
2256#define SSL_F_SSL_SRP_CTX_INIT 313
2257#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
2258#define SSL_F_SSL_UNDEFINED_FUNCTION 197
2259#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244
2260#define SSL_F_SSL_USE_CERTIFICATE 198
2261#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
2262#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
2263#define SSL_F_SSL_USE_PRIVATEKEY 201
2264#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202
2265#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203
2266#define SSL_F_SSL_USE_PSK_IDENTITY_HINT 273
2267#define SSL_F_SSL_USE_RSAPRIVATEKEY 204
2268#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205
2269#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206
2270#define SSL_F_SSL_VERIFY_CERT_CHAIN 207
2271#define SSL_F_SSL_WRITE 208
2272#define SSL_F_TLS1_CERT_VERIFY_MAC 286
2273#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
2274#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274
2275#define SSL_F_TLS1_ENC 210
2276#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314
2277#define SSL_F_TLS1_HEARTBEAT 315
2278#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275
2279#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276
2280#define SSL_F_TLS1_PRF 284
2281#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
2282#define SSL_F_WRITE_PENDING 212
2283
2284/* Reason codes. */
2285#define SSL_R_APP_DATA_IN_HANDSHAKE 100
2286#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
2287#define SSL_R_BAD_ALERT_RECORD 101
2288#define SSL_R_BAD_AUTHENTICATION_TYPE 102
2289#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
2290#define SSL_R_BAD_CHECKSUM 104
2291#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
2292#define SSL_R_BAD_DECOMPRESSION 107
2293#define SSL_R_BAD_DH_G_LENGTH 108
2294#define SSL_R_BAD_DH_PUB_KEY_LENGTH 109
2295#define SSL_R_BAD_DH_P_LENGTH 110
2296#define SSL_R_BAD_DIGEST_LENGTH 111
2297#define SSL_R_BAD_DSA_SIGNATURE 112
2298#define SSL_R_BAD_ECC_CERT 304
2299#define SSL_R_BAD_ECDSA_SIGNATURE 305
2300#define SSL_R_BAD_ECPOINT 306
2301#define SSL_R_BAD_HANDSHAKE_LENGTH 332
2302#define SSL_R_BAD_HELLO_REQUEST 105
2303#define SSL_R_BAD_LENGTH 271
2304#define SSL_R_BAD_MAC_DECODE 113
2305#define SSL_R_BAD_MAC_LENGTH 333
2306#define SSL_R_BAD_MESSAGE_TYPE 114
2307#define SSL_R_BAD_PACKET_LENGTH 115
2308#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116
2309#define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH 316
2310#define SSL_R_BAD_RESPONSE_ARGUMENT 117
2311#define SSL_R_BAD_RSA_DECRYPT 118
2312#define SSL_R_BAD_RSA_ENCRYPT 119
2313#define SSL_R_BAD_RSA_E_LENGTH 120
2314#define SSL_R_BAD_RSA_MODULUS_LENGTH 121
2315#define SSL_R_BAD_RSA_SIGNATURE 122
2316#define SSL_R_BAD_SIGNATURE 123
2317#define SSL_R_BAD_SRP_A_LENGTH 347
2318#define SSL_R_BAD_SRP_B_LENGTH 348
2319#define SSL_R_BAD_SRP_G_LENGTH 349
2320#define SSL_R_BAD_SRP_N_LENGTH 350
2321#define SSL_R_BAD_SRP_S_LENGTH 351
2322#define SSL_R_BAD_SRTP_MKI_VALUE 352
2323#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 353
2324#define SSL_R_BAD_SSL_FILETYPE 124
2325#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
2326#define SSL_R_BAD_STATE 126
2327#define SSL_R_BAD_WRITE_RETRY 127
2328#define SSL_R_BIO_NOT_SET 128
2329#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
2330#define SSL_R_BN_LIB 130
2331#define SSL_R_CA_DN_LENGTH_MISMATCH 131
2332#define SSL_R_CA_DN_TOO_LONG 132
2333#define SSL_R_CCS_RECEIVED_EARLY 133
2334#define SSL_R_CERTIFICATE_VERIFY_FAILED 134
2335#define SSL_R_CERT_LENGTH_MISMATCH 135
2336#define SSL_R_CHALLENGE_IS_DIFFERENT 136
2337#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
2338#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
2339#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
2340#define SSL_R_CLIENTHELLO_TLSEXT 226
2341#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
2342#define SSL_R_COMPRESSION_DISABLED 343
2343#define SSL_R_COMPRESSION_FAILURE 141
2344#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307
2345#define SSL_R_COMPRESSION_LIBRARY_ERROR 142
2346#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143
2347#define SSL_R_CONNECTION_TYPE_NOT_SET 144
2348#define SSL_R_COOKIE_MISMATCH 308
2349#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145
2350#define SSL_R_DATA_LENGTH_TOO_LONG 146
2351#define SSL_R_DECRYPTION_FAILED 147
2352#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
2353#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
2354#define SSL_R_DIGEST_CHECK_FAILED 149
2355#define SSL_R_DTLS_MESSAGE_TOO_BIG 334
2356#define SSL_R_DUPLICATE_COMPRESSION_ID 309
2357#define SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT 317
2358#define SSL_R_ECC_CERT_NOT_FOR_SIGNING 318
2359#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 322
2360#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 323
2361#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310
2362#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354
2363#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
2364#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
2365#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
2366#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
2367#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
2368#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
2369#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 355
2370#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 356
2371#define SSL_R_HTTPS_PROXY_REQUEST 155
2372#define SSL_R_HTTP_REQUEST 156
2373#define SSL_R_ILLEGAL_PADDING 283
2374#define SSL_R_INCONSISTENT_COMPRESSION 340
2375#define SSL_R_INVALID_CHALLENGE_LENGTH 158
2376#define SSL_R_INVALID_COMMAND 280
2377#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
2378#define SSL_R_INVALID_PURPOSE 278
2379#define SSL_R_INVALID_SRP_USERNAME 357
2380#define SSL_R_INVALID_STATUS_RESPONSE 328
2381#define SSL_R_INVALID_TICKET_KEYS_LENGTH 325
2382#define SSL_R_INVALID_TRUST 279
2383#define SSL_R_KEY_ARG_TOO_LONG 284
2384#define SSL_R_KRB5 285
2385#define SSL_R_KRB5_C_CC_PRINC 286
2386#define SSL_R_KRB5_C_GET_CRED 287
2387#define SSL_R_KRB5_C_INIT 288
2388#define SSL_R_KRB5_C_MK_REQ 289
2389#define SSL_R_KRB5_S_BAD_TICKET 290
2390#define SSL_R_KRB5_S_INIT 291
2391#define SSL_R_KRB5_S_RD_REQ 292
2392#define SSL_R_KRB5_S_TKT_EXPIRED 293
2393#define SSL_R_KRB5_S_TKT_NYV 294
2394#define SSL_R_KRB5_S_TKT_SKEW 295
2395#define SSL_R_LENGTH_MISMATCH 159
2396#define SSL_R_LENGTH_TOO_SHORT 160
2397#define SSL_R_LIBRARY_BUG 274
2398#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
2399#define SSL_R_MESSAGE_TOO_LONG 296
2400#define SSL_R_MISSING_DH_DSA_CERT 162
2401#define SSL_R_MISSING_DH_KEY 163
2402#define SSL_R_MISSING_DH_RSA_CERT 164
2403#define SSL_R_MISSING_DSA_SIGNING_CERT 165
2404#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
2405#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
2406#define SSL_R_MISSING_RSA_CERTIFICATE 168
2407#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
2408#define SSL_R_MISSING_RSA_SIGNING_CERT 170
2409#define SSL_R_MISSING_SRP_PARAM 358
2410#define SSL_R_MISSING_TMP_DH_KEY 171
2411#define SSL_R_MISSING_TMP_ECDH_KEY 311
2412#define SSL_R_MISSING_TMP_RSA_KEY 172
2413#define SSL_R_MISSING_TMP_RSA_PKEY 173
2414#define SSL_R_MISSING_VERIFY_MESSAGE 174
2415#define SSL_R_MULTIPLE_SGC_RESTARTS 346
2416#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
2417#define SSL_R_NO_CERTIFICATES_RETURNED 176
2418#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
2419#define SSL_R_NO_CERTIFICATE_RETURNED 178
2420#define SSL_R_NO_CERTIFICATE_SET 179
2421#define SSL_R_NO_CERTIFICATE_SPECIFIED 180
2422#define SSL_R_NO_CIPHERS_AVAILABLE 181
2423#define SSL_R_NO_CIPHERS_PASSED 182
2424#define SSL_R_NO_CIPHERS_SPECIFIED 183
2425#define SSL_R_NO_CIPHER_LIST 184
2426#define SSL_R_NO_CIPHER_MATCH 185
2427#define SSL_R_NO_CLIENT_CERT_METHOD 331
2428#define SSL_R_NO_CLIENT_CERT_RECEIVED 186
2429#define SSL_R_NO_COMPRESSION_SPECIFIED 187
2430#define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330
2431#define SSL_R_NO_METHOD_SPECIFIED 188
2432#define SSL_R_NO_PRIVATEKEY 189
2433#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
2434#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
2435#define SSL_R_NO_PUBLICKEY 192
2436#define SSL_R_NO_RENEGOTIATION 339
2437#define SSL_R_NO_REQUIRED_DIGEST 324
2438#define SSL_R_NO_SHARED_CIPHER 193
2439#define SSL_R_NO_SRTP_PROFILES 359
2440#define SSL_R_NO_VERIFY_CALLBACK 194
2441#define SSL_R_NULL_SSL_CTX 195
2442#define SSL_R_NULL_SSL_METHOD_PASSED 196
2443#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
2444#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
2445#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
2446#define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG 327
2447#define SSL_R_PACKET_LENGTH_TOO_LONG 198
2448#define SSL_R_PARSE_TLSEXT 227
2449#define SSL_R_PATH_TOO_LONG 270
2450#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
2451#define SSL_R_PEER_ERROR 200
2452#define SSL_R_PEER_ERROR_CERTIFICATE 201
2453#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202
2454#define SSL_R_PEER_ERROR_NO_CIPHER 203
2455#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204
2456#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205
2457#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206
2458#define SSL_R_PROTOCOL_IS_SHUTDOWN 207
2459#define SSL_R_PSK_IDENTITY_NOT_FOUND 223
2460#define SSL_R_PSK_NO_CLIENT_CB 224
2461#define SSL_R_PSK_NO_SERVER_CB 225
2462#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208
2463#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209
2464#define SSL_R_PUBLIC_KEY_NOT_RSA 210
2465#define SSL_R_READ_BIO_NOT_SET 211
2466#define SSL_R_READ_TIMEOUT_EXPIRED 312
2467#define SSL_R_READ_WRONG_PACKET_TYPE 212
2468#define SSL_R_RECORD_LENGTH_MISMATCH 213
2469#define SSL_R_RECORD_TOO_LARGE 214
2470#define SSL_R_RECORD_TOO_SMALL 298
2471#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 335
2472#define SSL_R_RENEGOTIATION_ENCODING_ERR 336
2473#define SSL_R_RENEGOTIATION_MISMATCH 337
2474#define SSL_R_REQUIRED_CIPHER_MISSING 215
2475#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING 342
2476#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
2477#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
2478#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
2479#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345
2480#define SSL_R_SERVERHELLO_TLSEXT 275
2481#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
2482#define SSL_R_SHORT_READ 219
2483#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 360
2484#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
2485#define SSL_R_SRP_A_CALC 361
2486#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 362
2487#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 363
2488#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 364
2489#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
2490#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299
2491#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT 321
2492#define SSL_R_SSL3_EXT_INVALID_SERVERNAME 319
2493#define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 320
2494#define SSL_R_SSL3_SESSION_ID_TOO_LONG 300
2495#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
2496#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
2497#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
2498#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
2499#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044
2500#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046
2501#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030
2502#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
2503#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
2504#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
2505#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
2506#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
2507#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
2508#define SSL_R_SSL_HANDSHAKE_FAILURE 229
2509#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
2510#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301
2511#define SSL_R_SSL_SESSION_ID_CONFLICT 302
2512#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
2513#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303
2514#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231
2515#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
2516#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
2517#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
2518#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
2519#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
2520#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
2521#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
2522#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
2523#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
2524#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
2525#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
2526#define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
2527#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
2528#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
2529#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
2530#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
2531#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
2532#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
2533#define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT 365
2534#define SSL_R_TLS_HEARTBEAT_PENDING 366
2535#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
2536#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
2537#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
2538#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
2539#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
2540#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
2541#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313
2542#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237
2543#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
2544#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 314
2545#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
2546#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240
2547#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241
2548#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
2549#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
2550#define SSL_R_UNEXPECTED_MESSAGE 244
2551#define SSL_R_UNEXPECTED_RECORD 245
2552#define SSL_R_UNINITIALIZED 276
2553#define SSL_R_UNKNOWN_ALERT_TYPE 246
2554#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
2555#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
2556#define SSL_R_UNKNOWN_CIPHER_TYPE 249
2557#define SSL_R_UNKNOWN_DIGEST 368
2558#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
2559#define SSL_R_UNKNOWN_PKEY_TYPE 251
2560#define SSL_R_UNKNOWN_PROTOCOL 252
2561#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
2562#define SSL_R_UNKNOWN_SSL_VERSION 254
2563#define SSL_R_UNKNOWN_STATE 255
2564#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338
2565#define SSL_R_UNSUPPORTED_CIPHER 256
2566#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
2567#define SSL_R_UNSUPPORTED_DIGEST_TYPE 326
2568#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315
2569#define SSL_R_UNSUPPORTED_PROTOCOL 258
2570#define SSL_R_UNSUPPORTED_SSL_VERSION 259
2571#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
2572#define SSL_R_USE_SRTP_NOT_NEGOTIATED 369
2573#define SSL_R_WRITE_BIO_NOT_SET 260
2574#define SSL_R_WRONG_CIPHER_RETURNED 261
2575#define SSL_R_WRONG_MESSAGE_TYPE 262
2576#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
2577#define SSL_R_WRONG_SIGNATURE_LENGTH 264
2578#define SSL_R_WRONG_SIGNATURE_SIZE 265
2579#define SSL_R_WRONG_SIGNATURE_TYPE 370
2580#define SSL_R_WRONG_SSL_VERSION 266
2581#define SSL_R_WRONG_VERSION_NUMBER 267
2582#define SSL_R_X509_LIB 268
2583#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
2584
2585#ifdef __cplusplus
2586}
2587#endif
2588#endif
diff --git a/src/lib/libssl/ssl/Makefile b/src/lib/libssl/ssl/Makefile
deleted file mode 100644
index 805070c5fe..0000000000
--- a/src/lib/libssl/ssl/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
1# $OpenBSD: Makefile,v 1.32 2014/04/13 15:49:50 miod Exp $
2
3LIB= ssl
4
5SSL_SRC= ${.CURDIR}/../../libssl/src
6LSSL_SRC= ${SSL_SRC}/ssl
7
8CFLAGS+= -DTERMIOS -DANSI_SOURCE
9CFLAGS+= -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5
10CFLAGS+= -DOPENSSL_NO_SSL2
11CFLAGS+= -DOPENSSL_NO_BUF_FREELISTS -DOPENSSL_NO_HEARTBEATS
12CFLAGS+= -I${SSL_SRC}
13
14SRCS=\
15 s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
16 s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \
17 s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
18 t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
19 d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \
20 d1_both.c d1_enc.c d1_srtp.c \
21 ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
22 ssl_ciph.c ssl_stat.c ssl_rsa.c \
23 ssl_asn1.c ssl_txt.c ssl_algs.c \
24 bio_ssl.c ssl_err.c kssl.c tls_srp.c t1_reneg.c
25SRCS+= s3_cbc.c
26SRCS+= o_dir.c
27
28HDRS= srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h kssl.h
29
30.PATH: ${LSSL_SRC}
31
32includes:
33 @test -d ${DESTDIR}/usr/include/openssl || \
34 mkdir ${DESTDIR}/usr/include/openssl
35 @cd ${LSSL_SRC}; for i in $(HDRS); do \
36 j="cmp -s $$i ${DESTDIR}/usr/include/openssl/`basename $$i` || \
37 ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 $$i\
38 ${DESTDIR}/usr/include/openssl"; \
39 echo $$j; \
40 eval "$$j"; \
41 done;
42
43.include <bsd.lib.mk>
diff --git a/src/lib/libssl/ssl/shlib_version b/src/lib/libssl/ssl/shlib_version
deleted file mode 100644
index 629f8a9fc4..0000000000
--- a/src/lib/libssl/ssl/shlib_version
+++ /dev/null
@@ -1,2 +0,0 @@
1major=22
2minor=0
diff --git a/src/lib/libssl/ssl2.h b/src/lib/libssl/ssl2.h
deleted file mode 100644
index eb25dcb0bf..0000000000
--- a/src/lib/libssl/ssl2.h
+++ /dev/null
@@ -1,272 +0,0 @@
1/* ssl/ssl2.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL2_H
60#define HEADER_SSL2_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/* Protocol Version Codes */
67#define SSL2_VERSION 0x0002
68#define SSL2_VERSION_MAJOR 0x00
69#define SSL2_VERSION_MINOR 0x02
70/* #define SSL2_CLIENT_VERSION 0x0002 */
71/* #define SSL2_SERVER_VERSION 0x0002 */
72
73/* Protocol Message Codes */
74#define SSL2_MT_ERROR 0
75#define SSL2_MT_CLIENT_HELLO 1
76#define SSL2_MT_CLIENT_MASTER_KEY 2
77#define SSL2_MT_CLIENT_FINISHED 3
78#define SSL2_MT_SERVER_HELLO 4
79#define SSL2_MT_SERVER_VERIFY 5
80#define SSL2_MT_SERVER_FINISHED 6
81#define SSL2_MT_REQUEST_CERTIFICATE 7
82#define SSL2_MT_CLIENT_CERTIFICATE 8
83
84/* Error Message Codes */
85#define SSL2_PE_UNDEFINED_ERROR 0x0000
86#define SSL2_PE_NO_CIPHER 0x0001
87#define SSL2_PE_NO_CERTIFICATE 0x0002
88#define SSL2_PE_BAD_CERTIFICATE 0x0004
89#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
90
91/* Cipher Kind Values */
92#define SSL2_CK_NULL_WITH_MD5 0x02000000 /* v3 */
93#define SSL2_CK_RC4_128_WITH_MD5 0x02010080
94#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5 0x02020080
95#define SSL2_CK_RC2_128_CBC_WITH_MD5 0x02030080
96#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x02040080
97#define SSL2_CK_IDEA_128_CBC_WITH_MD5 0x02050080
98#define SSL2_CK_DES_64_CBC_WITH_MD5 0x02060040
99#define SSL2_CK_DES_64_CBC_WITH_SHA 0x02060140 /* v3 */
100#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 0x020700c0
101#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA 0x020701c0 /* v3 */
102#define SSL2_CK_RC4_64_WITH_MD5 0x02080080 /* MS hack */
103
104#define SSL2_CK_DES_64_CFB64_WITH_MD5_1 0x02ff0800 /* SSLeay */
105#define SSL2_CK_NULL 0x02ff0810 /* SSLeay */
106
107#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1 "DES-CFB-M1"
108#define SSL2_TXT_NULL_WITH_MD5 "NULL-MD5"
109#define SSL2_TXT_RC4_128_WITH_MD5 "RC4-MD5"
110#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 "EXP-RC4-MD5"
111#define SSL2_TXT_RC2_128_CBC_WITH_MD5 "RC2-CBC-MD5"
112#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 "EXP-RC2-CBC-MD5"
113#define SSL2_TXT_IDEA_128_CBC_WITH_MD5 "IDEA-CBC-MD5"
114#define SSL2_TXT_DES_64_CBC_WITH_MD5 "DES-CBC-MD5"
115#define SSL2_TXT_DES_64_CBC_WITH_SHA "DES-CBC-SHA"
116#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 "DES-CBC3-MD5"
117#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA "DES-CBC3-SHA"
118#define SSL2_TXT_RC4_64_WITH_MD5 "RC4-64-MD5"
119
120#define SSL2_TXT_NULL "NULL"
121
122/* Flags for the SSL_CIPHER.algorithm2 field */
123#define SSL2_CF_5_BYTE_ENC 0x01
124#define SSL2_CF_8_BYTE_ENC 0x02
125
126/* Certificate Type Codes */
127#define SSL2_CT_X509_CERTIFICATE 0x01
128
129/* Authentication Type Code */
130#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION 0x01
131
132#define SSL2_MAX_SSL_SESSION_ID_LENGTH 32
133
134/* Upper/Lower Bounds */
135#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256
136#ifdef OPENSSL_SYS_MPE
137#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u
138#else
139#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */
140#endif
141#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */
142
143#define SSL2_CHALLENGE_LENGTH 16
144/*#define SSL2_CHALLENGE_LENGTH 32 */
145#define SSL2_MIN_CHALLENGE_LENGTH 16
146#define SSL2_MAX_CHALLENGE_LENGTH 32
147#define SSL2_CONNECTION_ID_LENGTH 16
148#define SSL2_MAX_CONNECTION_ID_LENGTH 16
149#define SSL2_SSL_SESSION_ID_LENGTH 16
150#define SSL2_MAX_CERT_CHALLENGE_LENGTH 32
151#define SSL2_MIN_CERT_CHALLENGE_LENGTH 16
152#define SSL2_MAX_KEY_MATERIAL_LENGTH 24
153
154#ifndef HEADER_SSL_LOCL_H
155#define CERT char
156#endif
157
158#ifndef OPENSSL_NO_SSL_INTERN
159
160typedef struct ssl2_state_st
161 {
162 int three_byte_header;
163 int clear_text; /* clear text */
164 int escape; /* not used in SSLv2 */
165 int ssl2_rollback; /* used if SSLv23 rolled back to SSLv2 */
166
167 /* non-blocking io info, used to make sure the same
168 * args were passwd */
169 unsigned int wnum; /* number of bytes sent so far */
170 int wpend_tot;
171 const unsigned char *wpend_buf;
172
173 int wpend_off; /* offset to data to write */
174 int wpend_len; /* number of bytes passwd to write */
175 int wpend_ret; /* number of bytes to return to caller */
176
177 /* buffer raw data */
178 int rbuf_left;
179 int rbuf_offs;
180 unsigned char *rbuf;
181 unsigned char *wbuf;
182
183 unsigned char *write_ptr;/* used to point to the start due to
184 * 2/3 byte header. */
185
186 unsigned int padding;
187 unsigned int rlength; /* passed to ssl2_enc */
188 int ract_data_length; /* Set when things are encrypted. */
189 unsigned int wlength; /* passed to ssl2_enc */
190 int wact_data_length; /* Set when things are decrypted. */
191 unsigned char *ract_data;
192 unsigned char *wact_data;
193 unsigned char *mac_data;
194
195 unsigned char *read_key;
196 unsigned char *write_key;
197
198 /* Stuff specifically to do with this SSL session */
199 unsigned int challenge_length;
200 unsigned char challenge[SSL2_MAX_CHALLENGE_LENGTH];
201 unsigned int conn_id_length;
202 unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
203 unsigned int key_material_length;
204 unsigned char key_material[SSL2_MAX_KEY_MATERIAL_LENGTH*2];
205
206 unsigned long read_sequence;
207 unsigned long write_sequence;
208
209 struct {
210 unsigned int conn_id_length;
211 unsigned int cert_type;
212 unsigned int cert_length;
213 unsigned int csl;
214 unsigned int clear;
215 unsigned int enc;
216 unsigned char ccl[SSL2_MAX_CERT_CHALLENGE_LENGTH];
217 unsigned int cipher_spec_length;
218 unsigned int session_id_length;
219 unsigned int clen;
220 unsigned int rlen;
221 } tmp;
222 } SSL2_STATE;
223
224#endif
225
226/* SSLv2 */
227/* client */
228#define SSL2_ST_SEND_CLIENT_HELLO_A (0x10|SSL_ST_CONNECT)
229#define SSL2_ST_SEND_CLIENT_HELLO_B (0x11|SSL_ST_CONNECT)
230#define SSL2_ST_GET_SERVER_HELLO_A (0x20|SSL_ST_CONNECT)
231#define SSL2_ST_GET_SERVER_HELLO_B (0x21|SSL_ST_CONNECT)
232#define SSL2_ST_SEND_CLIENT_MASTER_KEY_A (0x30|SSL_ST_CONNECT)
233#define SSL2_ST_SEND_CLIENT_MASTER_KEY_B (0x31|SSL_ST_CONNECT)
234#define SSL2_ST_SEND_CLIENT_FINISHED_A (0x40|SSL_ST_CONNECT)
235#define SSL2_ST_SEND_CLIENT_FINISHED_B (0x41|SSL_ST_CONNECT)
236#define SSL2_ST_SEND_CLIENT_CERTIFICATE_A (0x50|SSL_ST_CONNECT)
237#define SSL2_ST_SEND_CLIENT_CERTIFICATE_B (0x51|SSL_ST_CONNECT)
238#define SSL2_ST_SEND_CLIENT_CERTIFICATE_C (0x52|SSL_ST_CONNECT)
239#define SSL2_ST_SEND_CLIENT_CERTIFICATE_D (0x53|SSL_ST_CONNECT)
240#define SSL2_ST_GET_SERVER_VERIFY_A (0x60|SSL_ST_CONNECT)
241#define SSL2_ST_GET_SERVER_VERIFY_B (0x61|SSL_ST_CONNECT)
242#define SSL2_ST_GET_SERVER_FINISHED_A (0x70|SSL_ST_CONNECT)
243#define SSL2_ST_GET_SERVER_FINISHED_B (0x71|SSL_ST_CONNECT)
244#define SSL2_ST_CLIENT_START_ENCRYPTION (0x80|SSL_ST_CONNECT)
245#define SSL2_ST_X509_GET_CLIENT_CERTIFICATE (0x90|SSL_ST_CONNECT)
246/* server */
247#define SSL2_ST_GET_CLIENT_HELLO_A (0x10|SSL_ST_ACCEPT)
248#define SSL2_ST_GET_CLIENT_HELLO_B (0x11|SSL_ST_ACCEPT)
249#define SSL2_ST_GET_CLIENT_HELLO_C (0x12|SSL_ST_ACCEPT)
250#define SSL2_ST_SEND_SERVER_HELLO_A (0x20|SSL_ST_ACCEPT)
251#define SSL2_ST_SEND_SERVER_HELLO_B (0x21|SSL_ST_ACCEPT)
252#define SSL2_ST_GET_CLIENT_MASTER_KEY_A (0x30|SSL_ST_ACCEPT)
253#define SSL2_ST_GET_CLIENT_MASTER_KEY_B (0x31|SSL_ST_ACCEPT)
254#define SSL2_ST_SEND_SERVER_VERIFY_A (0x40|SSL_ST_ACCEPT)
255#define SSL2_ST_SEND_SERVER_VERIFY_B (0x41|SSL_ST_ACCEPT)
256#define SSL2_ST_SEND_SERVER_VERIFY_C (0x42|SSL_ST_ACCEPT)
257#define SSL2_ST_GET_CLIENT_FINISHED_A (0x50|SSL_ST_ACCEPT)
258#define SSL2_ST_GET_CLIENT_FINISHED_B (0x51|SSL_ST_ACCEPT)
259#define SSL2_ST_SEND_SERVER_FINISHED_A (0x60|SSL_ST_ACCEPT)
260#define SSL2_ST_SEND_SERVER_FINISHED_B (0x61|SSL_ST_ACCEPT)
261#define SSL2_ST_SEND_REQUEST_CERTIFICATE_A (0x70|SSL_ST_ACCEPT)
262#define SSL2_ST_SEND_REQUEST_CERTIFICATE_B (0x71|SSL_ST_ACCEPT)
263#define SSL2_ST_SEND_REQUEST_CERTIFICATE_C (0x72|SSL_ST_ACCEPT)
264#define SSL2_ST_SEND_REQUEST_CERTIFICATE_D (0x73|SSL_ST_ACCEPT)
265#define SSL2_ST_SERVER_START_ENCRYPTION (0x80|SSL_ST_ACCEPT)
266#define SSL2_ST_X509_GET_SERVER_CERTIFICATE (0x90|SSL_ST_ACCEPT)
267
268#ifdef __cplusplus
269}
270#endif
271#endif
272
diff --git a/src/lib/libssl/ssl23.h b/src/lib/libssl/ssl23.h
deleted file mode 100644
index d3228983c7..0000000000
--- a/src/lib/libssl/ssl23.h
+++ /dev/null
@@ -1,83 +0,0 @@
1/* ssl/ssl23.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL23_H
60#define HEADER_SSL23_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/*client */
67/* write to server */
68#define SSL23_ST_CW_CLNT_HELLO_A (0x210|SSL_ST_CONNECT)
69#define SSL23_ST_CW_CLNT_HELLO_B (0x211|SSL_ST_CONNECT)
70/* read from server */
71#define SSL23_ST_CR_SRVR_HELLO_A (0x220|SSL_ST_CONNECT)
72#define SSL23_ST_CR_SRVR_HELLO_B (0x221|SSL_ST_CONNECT)
73
74/* server */
75/* read from client */
76#define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
77#define SSL23_ST_SR_CLNT_HELLO_B (0x211|SSL_ST_ACCEPT)
78
79#ifdef __cplusplus
80}
81#endif
82#endif
83
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
deleted file mode 100644
index cb8b2492ec..0000000000
--- a/src/lib/libssl/ssl3.h
+++ /dev/null
@@ -1,693 +0,0 @@
1/* ssl/ssl3.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#ifndef HEADER_SSL3_H
118#define HEADER_SSL3_H
119
120#ifndef OPENSSL_NO_COMP
121#include <openssl/comp.h>
122#endif
123#include <openssl/buffer.h>
124#include <openssl/evp.h>
125#include <openssl/ssl.h>
126
127#ifdef __cplusplus
128extern "C" {
129#endif
130
131/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
132#define SSL3_CK_SCSV 0x030000FF
133
134#define SSL3_CK_RSA_NULL_MD5 0x03000001
135#define SSL3_CK_RSA_NULL_SHA 0x03000002
136#define SSL3_CK_RSA_RC4_40_MD5 0x03000003
137#define SSL3_CK_RSA_RC4_128_MD5 0x03000004
138#define SSL3_CK_RSA_RC4_128_SHA 0x03000005
139#define SSL3_CK_RSA_RC2_40_MD5 0x03000006
140#define SSL3_CK_RSA_IDEA_128_SHA 0x03000007
141#define SSL3_CK_RSA_DES_40_CBC_SHA 0x03000008
142#define SSL3_CK_RSA_DES_64_CBC_SHA 0x03000009
143#define SSL3_CK_RSA_DES_192_CBC3_SHA 0x0300000A
144
145#define SSL3_CK_DH_DSS_DES_40_CBC_SHA 0x0300000B
146#define SSL3_CK_DH_DSS_DES_64_CBC_SHA 0x0300000C
147#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA 0x0300000D
148#define SSL3_CK_DH_RSA_DES_40_CBC_SHA 0x0300000E
149#define SSL3_CK_DH_RSA_DES_64_CBC_SHA 0x0300000F
150#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA 0x03000010
151
152#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA 0x03000011
153#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA 0x03000012
154#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA 0x03000013
155#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA 0x03000014
156#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA 0x03000015
157#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA 0x03000016
158
159#define SSL3_CK_ADH_RC4_40_MD5 0x03000017
160#define SSL3_CK_ADH_RC4_128_MD5 0x03000018
161#define SSL3_CK_ADH_DES_40_CBC_SHA 0x03000019
162#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A
163#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B
164
165#if 0
166 #define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C
167 #define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
168 #if 0 /* Because it clashes with KRB5, is never used any more, and is safe
169 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
170 of the ietf-tls list */
171 #define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
172 #endif
173#endif
174
175/* VRS Additional Kerberos5 entries
176 */
177#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0300001E
178#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0300001F
179#define SSL3_CK_KRB5_RC4_128_SHA 0x03000020
180#define SSL3_CK_KRB5_IDEA_128_CBC_SHA 0x03000021
181#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000022
182#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000023
183#define SSL3_CK_KRB5_RC4_128_MD5 0x03000024
184#define SSL3_CK_KRB5_IDEA_128_CBC_MD5 0x03000025
185
186#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000026
187#define SSL3_CK_KRB5_RC2_40_CBC_SHA 0x03000027
188#define SSL3_CK_KRB5_RC4_40_SHA 0x03000028
189#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000029
190#define SSL3_CK_KRB5_RC2_40_CBC_MD5 0x0300002A
191#define SSL3_CK_KRB5_RC4_40_MD5 0x0300002B
192
193#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
194#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
195#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5"
196#define SSL3_TXT_RSA_RC4_128_MD5 "RC4-MD5"
197#define SSL3_TXT_RSA_RC4_128_SHA "RC4-SHA"
198#define SSL3_TXT_RSA_RC2_40_MD5 "EXP-RC2-CBC-MD5"
199#define SSL3_TXT_RSA_IDEA_128_SHA "IDEA-CBC-SHA"
200#define SSL3_TXT_RSA_DES_40_CBC_SHA "EXP-DES-CBC-SHA"
201#define SSL3_TXT_RSA_DES_64_CBC_SHA "DES-CBC-SHA"
202#define SSL3_TXT_RSA_DES_192_CBC3_SHA "DES-CBC3-SHA"
203
204#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA "EXP-DH-DSS-DES-CBC-SHA"
205#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA "DH-DSS-DES-CBC-SHA"
206#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA "DH-DSS-DES-CBC3-SHA"
207#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA "EXP-DH-RSA-DES-CBC-SHA"
208#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA "DH-RSA-DES-CBC-SHA"
209#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA "DH-RSA-DES-CBC3-SHA"
210
211#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA "EXP-EDH-DSS-DES-CBC-SHA"
212#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA "EDH-DSS-DES-CBC-SHA"
213#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA "EDH-DSS-DES-CBC3-SHA"
214#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA "EXP-EDH-RSA-DES-CBC-SHA"
215#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA "EDH-RSA-DES-CBC-SHA"
216#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA "EDH-RSA-DES-CBC3-SHA"
217
218#define SSL3_TXT_ADH_RC4_40_MD5 "EXP-ADH-RC4-MD5"
219#define SSL3_TXT_ADH_RC4_128_MD5 "ADH-RC4-MD5"
220#define SSL3_TXT_ADH_DES_40_CBC_SHA "EXP-ADH-DES-CBC-SHA"
221#define SSL3_TXT_ADH_DES_64_CBC_SHA "ADH-DES-CBC-SHA"
222#define SSL3_TXT_ADH_DES_192_CBC_SHA "ADH-DES-CBC3-SHA"
223
224#if 0
225 #define SSL3_TXT_FZA_DMS_NULL_SHA "FZA-NULL-SHA"
226 #define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA"
227 #define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA"
228#endif
229
230#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
231#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
232#define SSL3_TXT_KRB5_RC4_128_SHA "KRB5-RC4-SHA"
233#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA "KRB5-IDEA-CBC-SHA"
234#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5"
235#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5"
236#define SSL3_TXT_KRB5_RC4_128_MD5 "KRB5-RC4-MD5"
237#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5 "KRB5-IDEA-CBC-MD5"
238
239#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA"
240#define SSL3_TXT_KRB5_RC2_40_CBC_SHA "EXP-KRB5-RC2-CBC-SHA"
241#define SSL3_TXT_KRB5_RC4_40_SHA "EXP-KRB5-RC4-SHA"
242#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5"
243#define SSL3_TXT_KRB5_RC2_40_CBC_MD5 "EXP-KRB5-RC2-CBC-MD5"
244#define SSL3_TXT_KRB5_RC4_40_MD5 "EXP-KRB5-RC4-MD5"
245
246#define SSL3_SSL_SESSION_ID_LENGTH 32
247#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32
248
249#define SSL3_MASTER_SECRET_SIZE 48
250#define SSL3_RANDOM_SIZE 32
251#define SSL3_SESSION_ID_SIZE 32
252#define SSL3_RT_HEADER_LENGTH 5
253
254#ifndef SSL3_ALIGN_PAYLOAD
255 /* Some will argue that this increases memory footprint, but it's
256 * not actually true. Point is that malloc has to return at least
257 * 64-bit aligned pointers, meaning that allocating 5 bytes wastes
258 * 3 bytes in either case. Suggested pre-gaping simply moves these
259 * wasted bytes from the end of allocated region to its front,
260 * but makes data payload aligned, which improves performance:-) */
261# define SSL3_ALIGN_PAYLOAD 8
262#else
263# if (SSL3_ALIGN_PAYLOAD&(SSL3_ALIGN_PAYLOAD-1))!=0
264# error "insane SSL3_ALIGN_PAYLOAD"
265# undef SSL3_ALIGN_PAYLOAD
266# endif
267#endif
268
269/* This is the maximum MAC (digest) size used by the SSL library.
270 * Currently maximum of 20 is used by SHA1, but we reserve for
271 * future extension for 512-bit hashes.
272 */
273
274#define SSL3_RT_MAX_MD_SIZE 64
275
276/* Maximum block size used in all ciphersuites. Currently 16 for AES.
277 */
278
279#define SSL_RT_MAX_CIPHER_BLOCK_SIZE 16
280
281#define SSL3_RT_MAX_EXTRA (16384)
282
283/* Maximum plaintext length: defined by SSL/TLS standards */
284#define SSL3_RT_MAX_PLAIN_LENGTH 16384
285/* Maximum compression overhead: defined by SSL/TLS standards */
286#define SSL3_RT_MAX_COMPRESSED_OVERHEAD 1024
287
288/* The standards give a maximum encryption overhead of 1024 bytes.
289 * In practice the value is lower than this. The overhead is the maximum
290 * number of padding bytes (256) plus the mac size.
291 */
292#define SSL3_RT_MAX_ENCRYPTED_OVERHEAD (256 + SSL3_RT_MAX_MD_SIZE)
293
294/* OpenSSL currently only uses a padding length of at most one block so
295 * the send overhead is smaller.
296 */
297
298#define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
299 (SSL_RT_MAX_CIPHER_BLOCK_SIZE + SSL3_RT_MAX_MD_SIZE)
300
301/* If compression isn't used don't include the compression overhead */
302
303#ifdef OPENSSL_NO_COMP
304#define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH
305#else
306#define SSL3_RT_MAX_COMPRESSED_LENGTH \
307 (SSL3_RT_MAX_PLAIN_LENGTH+SSL3_RT_MAX_COMPRESSED_OVERHEAD)
308#endif
309#define SSL3_RT_MAX_ENCRYPTED_LENGTH \
310 (SSL3_RT_MAX_ENCRYPTED_OVERHEAD+SSL3_RT_MAX_COMPRESSED_LENGTH)
311#define SSL3_RT_MAX_PACKET_SIZE \
312 (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
313
314#define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
315#define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
316
317#define SSL3_VERSION 0x0300
318#define SSL3_VERSION_MAJOR 0x03
319#define SSL3_VERSION_MINOR 0x00
320
321#define SSL3_RT_CHANGE_CIPHER_SPEC 20
322#define SSL3_RT_ALERT 21
323#define SSL3_RT_HANDSHAKE 22
324#define SSL3_RT_APPLICATION_DATA 23
325#define TLS1_RT_HEARTBEAT 24
326
327#define SSL3_AL_WARNING 1
328#define SSL3_AL_FATAL 2
329
330#define SSL3_AD_CLOSE_NOTIFY 0
331#define SSL3_AD_UNEXPECTED_MESSAGE 10 /* fatal */
332#define SSL3_AD_BAD_RECORD_MAC 20 /* fatal */
333#define SSL3_AD_DECOMPRESSION_FAILURE 30 /* fatal */
334#define SSL3_AD_HANDSHAKE_FAILURE 40 /* fatal */
335#define SSL3_AD_NO_CERTIFICATE 41
336#define SSL3_AD_BAD_CERTIFICATE 42
337#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
338#define SSL3_AD_CERTIFICATE_REVOKED 44
339#define SSL3_AD_CERTIFICATE_EXPIRED 45
340#define SSL3_AD_CERTIFICATE_UNKNOWN 46
341#define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */
342
343#define TLS1_HB_REQUEST 1
344#define TLS1_HB_RESPONSE 2
345
346#ifndef OPENSSL_NO_SSL_INTERN
347
348typedef struct ssl3_record_st
349 {
350/*r */ int type; /* type of record */
351/*rw*/ unsigned int length; /* How many bytes available */
352/*r */ unsigned int off; /* read/write offset into 'buf' */
353/*rw*/ unsigned char *data; /* pointer to the record data */
354/*rw*/ unsigned char *input; /* where the decode bytes are */
355/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
356/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
357/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
358 } SSL3_RECORD;
359
360typedef struct ssl3_buffer_st
361 {
362 unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
363 * see ssl3_setup_buffers() */
364 size_t len; /* buffer size */
365 int offset; /* where to 'copy from' */
366 int left; /* how many bytes left */
367 } SSL3_BUFFER;
368
369#endif
370
371#define SSL3_CT_RSA_SIGN 1
372#define SSL3_CT_DSS_SIGN 2
373#define SSL3_CT_RSA_FIXED_DH 3
374#define SSL3_CT_DSS_FIXED_DH 4
375#define SSL3_CT_RSA_EPHEMERAL_DH 5
376#define SSL3_CT_DSS_EPHEMERAL_DH 6
377#define SSL3_CT_FORTEZZA_DMS 20
378/* SSL3_CT_NUMBER is used to size arrays and it must be large
379 * enough to contain all of the cert types defined either for
380 * SSLv3 and TLSv1.
381 */
382#define SSL3_CT_NUMBER 9
383
384
385#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
386#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
387#define SSL3_FLAGS_POP_BUFFER 0x0004
388#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
389#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
390#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
391
392/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
393 * restart a handshake because of MS SGC and so prevents us
394 * from restarting the handshake in a loop. It's reset on a
395 * renegotiation, so effectively limits the client to one restart
396 * per negotiation. This limits the possibility of a DDoS
397 * attack where the client handshakes in a loop using SGC to
398 * restart. Servers which permit renegotiation can still be
399 * effected, but we can't prevent that.
400 */
401#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
402
403#ifndef OPENSSL_NO_SSL_INTERN
404
405typedef struct ssl3_state_st
406 {
407 long flags;
408 int delay_buf_pop_ret;
409
410 unsigned char read_sequence[8];
411 int read_mac_secret_size;
412 unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
413 unsigned char write_sequence[8];
414 int write_mac_secret_size;
415 unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
416
417 unsigned char server_random[SSL3_RANDOM_SIZE];
418 unsigned char client_random[SSL3_RANDOM_SIZE];
419
420 /* flags for countermeasure against known-IV weakness */
421 int need_empty_fragments;
422 int empty_fragment_done;
423
424 /* The value of 'extra' when the buffers were initialized */
425 int init_extra;
426
427 SSL3_BUFFER rbuf; /* read IO goes into here */
428 SSL3_BUFFER wbuf; /* write IO goes into here */
429
430 SSL3_RECORD rrec; /* each decoded record goes in here */
431 SSL3_RECORD wrec; /* goes out from here */
432
433 /* storage for Alert/Handshake protocol data received but not
434 * yet processed by ssl3_read_bytes: */
435 unsigned char alert_fragment[2];
436 unsigned int alert_fragment_len;
437 unsigned char handshake_fragment[4];
438 unsigned int handshake_fragment_len;
439
440 /* partial write - check the numbers match */
441 unsigned int wnum; /* number of bytes sent so far */
442 int wpend_tot; /* number bytes written */
443 int wpend_type;
444 int wpend_ret; /* number of bytes submitted */
445 const unsigned char *wpend_buf;
446
447 /* used during startup, digest all incoming/outgoing packets */
448 BIO *handshake_buffer;
449 /* When set of handshake digests is determined, buffer is hashed
450 * and freed and MD_CTX-es for all required digests are stored in
451 * this array */
452 EVP_MD_CTX **handshake_dgst;
453 /* this is set whenerver we see a change_cipher_spec message
454 * come in when we are not looking for one */
455 int change_cipher_spec;
456
457 int warn_alert;
458 int fatal_alert;
459 /* we allow one fatal and one warning alert to be outstanding,
460 * send close alert via the warning alert */
461 int alert_dispatch;
462 unsigned char send_alert[2];
463
464 /* This flag is set when we should renegotiate ASAP, basically when
465 * there is no more data in the read or write buffers */
466 int renegotiate;
467 int total_renegotiations;
468 int num_renegotiations;
469
470 int in_read_app_data;
471
472 /* Opaque PRF input as used for the current handshake.
473 * These fields are used only if TLSEXT_TYPE_opaque_prf_input is defined
474 * (otherwise, they are merely present to improve binary compatibility) */
475 void *client_opaque_prf_input;
476 size_t client_opaque_prf_input_len;
477 void *server_opaque_prf_input;
478 size_t server_opaque_prf_input_len;
479
480 struct {
481 /* actually only needs to be 16+20 */
482 unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
483
484 /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
485 unsigned char finish_md[EVP_MAX_MD_SIZE*2];
486 int finish_md_len;
487 unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
488 int peer_finish_md_len;
489
490 unsigned long message_size;
491 int message_type;
492
493 /* used to hold the new cipher we are going to use */
494 const SSL_CIPHER *new_cipher;
495#ifndef OPENSSL_NO_DH
496 DH *dh;
497#endif
498
499#ifndef OPENSSL_NO_ECDH
500 EC_KEY *ecdh; /* holds short lived ECDH key */
501#endif
502
503 /* used when SSL_ST_FLUSH_DATA is entered */
504 int next_state;
505
506 int reuse_message;
507
508 /* used for certificate requests */
509 int cert_req;
510 int ctype_num;
511 char ctype[SSL3_CT_NUMBER];
512 STACK_OF(X509_NAME) *ca_names;
513
514 int use_rsa_tmp;
515
516 int key_block_length;
517 unsigned char *key_block;
518
519 const EVP_CIPHER *new_sym_enc;
520 const EVP_MD *new_hash;
521 int new_mac_pkey_type;
522 int new_mac_secret_size;
523#ifndef OPENSSL_NO_COMP
524 const SSL_COMP *new_compression;
525#else
526 char *new_compression;
527#endif
528 int cert_request;
529 } tmp;
530
531 /* Connection binding to prevent renegotiation attacks */
532 unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
533 unsigned char previous_client_finished_len;
534 unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
535 unsigned char previous_server_finished_len;
536 int send_connection_binding; /* TODOEKR */
537
538#ifndef OPENSSL_NO_NEXTPROTONEG
539 /* Set if we saw the Next Protocol Negotiation extension from our peer. */
540 int next_proto_neg_seen;
541#endif
542
543#ifndef OPENSSL_NO_TLSEXT
544#ifndef OPENSSL_NO_EC
545 /* This is set to true if we believe that this is a version of Safari
546 * running on OS X 10.6 or newer. We wish to know this because Safari
547 * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
548 char is_probably_safari;
549#endif /* !OPENSSL_NO_EC */
550#endif /* !OPENSSL_NO_TLSEXT */
551 } SSL3_STATE;
552
553#endif
554
555/* SSLv3 */
556/*client */
557/* extra state */
558#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT)
559#ifndef OPENSSL_NO_SCTP
560#define DTLS1_SCTP_ST_CW_WRITE_SOCK (0x310|SSL_ST_CONNECT)
561#define DTLS1_SCTP_ST_CR_READ_SOCK (0x320|SSL_ST_CONNECT)
562#endif
563/* write to server */
564#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT)
565#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT)
566/* read from server */
567#define SSL3_ST_CR_SRVR_HELLO_A (0x120|SSL_ST_CONNECT)
568#define SSL3_ST_CR_SRVR_HELLO_B (0x121|SSL_ST_CONNECT)
569#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A (0x126|SSL_ST_CONNECT)
570#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B (0x127|SSL_ST_CONNECT)
571#define SSL3_ST_CR_CERT_A (0x130|SSL_ST_CONNECT)
572#define SSL3_ST_CR_CERT_B (0x131|SSL_ST_CONNECT)
573#define SSL3_ST_CR_KEY_EXCH_A (0x140|SSL_ST_CONNECT)
574#define SSL3_ST_CR_KEY_EXCH_B (0x141|SSL_ST_CONNECT)
575#define SSL3_ST_CR_CERT_REQ_A (0x150|SSL_ST_CONNECT)
576#define SSL3_ST_CR_CERT_REQ_B (0x151|SSL_ST_CONNECT)
577#define SSL3_ST_CR_SRVR_DONE_A (0x160|SSL_ST_CONNECT)
578#define SSL3_ST_CR_SRVR_DONE_B (0x161|SSL_ST_CONNECT)
579/* write to server */
580#define SSL3_ST_CW_CERT_A (0x170|SSL_ST_CONNECT)
581#define SSL3_ST_CW_CERT_B (0x171|SSL_ST_CONNECT)
582#define SSL3_ST_CW_CERT_C (0x172|SSL_ST_CONNECT)
583#define SSL3_ST_CW_CERT_D (0x173|SSL_ST_CONNECT)
584#define SSL3_ST_CW_KEY_EXCH_A (0x180|SSL_ST_CONNECT)
585#define SSL3_ST_CW_KEY_EXCH_B (0x181|SSL_ST_CONNECT)
586#define SSL3_ST_CW_CERT_VRFY_A (0x190|SSL_ST_CONNECT)
587#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
588#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
589#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
590#ifndef OPENSSL_NO_NEXTPROTONEG
591#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT)
592#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT)
593#endif
594#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
595#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
596/* read from server */
597#define SSL3_ST_CR_CHANGE_A (0x1C0|SSL_ST_CONNECT)
598#define SSL3_ST_CR_CHANGE_B (0x1C1|SSL_ST_CONNECT)
599#define SSL3_ST_CR_FINISHED_A (0x1D0|SSL_ST_CONNECT)
600#define SSL3_ST_CR_FINISHED_B (0x1D1|SSL_ST_CONNECT)
601#define SSL3_ST_CR_SESSION_TICKET_A (0x1E0|SSL_ST_CONNECT)
602#define SSL3_ST_CR_SESSION_TICKET_B (0x1E1|SSL_ST_CONNECT)
603#define SSL3_ST_CR_CERT_STATUS_A (0x1F0|SSL_ST_CONNECT)
604#define SSL3_ST_CR_CERT_STATUS_B (0x1F1|SSL_ST_CONNECT)
605
606/* server */
607/* extra state */
608#define SSL3_ST_SW_FLUSH (0x100|SSL_ST_ACCEPT)
609#ifndef OPENSSL_NO_SCTP
610#define DTLS1_SCTP_ST_SW_WRITE_SOCK (0x310|SSL_ST_ACCEPT)
611#define DTLS1_SCTP_ST_SR_READ_SOCK (0x320|SSL_ST_ACCEPT)
612#endif
613/* read from client */
614/* Do not change the number values, they do matter */
615#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
616#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
617#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
618/* write to client */
619#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
620#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
621#define SSL3_ST_SW_HELLO_REQ_A (0x120|SSL_ST_ACCEPT)
622#define SSL3_ST_SW_HELLO_REQ_B (0x121|SSL_ST_ACCEPT)
623#define SSL3_ST_SW_HELLO_REQ_C (0x122|SSL_ST_ACCEPT)
624#define SSL3_ST_SW_SRVR_HELLO_A (0x130|SSL_ST_ACCEPT)
625#define SSL3_ST_SW_SRVR_HELLO_B (0x131|SSL_ST_ACCEPT)
626#define SSL3_ST_SW_CERT_A (0x140|SSL_ST_ACCEPT)
627#define SSL3_ST_SW_CERT_B (0x141|SSL_ST_ACCEPT)
628#define SSL3_ST_SW_KEY_EXCH_A (0x150|SSL_ST_ACCEPT)
629#define SSL3_ST_SW_KEY_EXCH_B (0x151|SSL_ST_ACCEPT)
630#define SSL3_ST_SW_CERT_REQ_A (0x160|SSL_ST_ACCEPT)
631#define SSL3_ST_SW_CERT_REQ_B (0x161|SSL_ST_ACCEPT)
632#define SSL3_ST_SW_SRVR_DONE_A (0x170|SSL_ST_ACCEPT)
633#define SSL3_ST_SW_SRVR_DONE_B (0x171|SSL_ST_ACCEPT)
634/* read from client */
635#define SSL3_ST_SR_CERT_A (0x180|SSL_ST_ACCEPT)
636#define SSL3_ST_SR_CERT_B (0x181|SSL_ST_ACCEPT)
637#define SSL3_ST_SR_KEY_EXCH_A (0x190|SSL_ST_ACCEPT)
638#define SSL3_ST_SR_KEY_EXCH_B (0x191|SSL_ST_ACCEPT)
639#define SSL3_ST_SR_CERT_VRFY_A (0x1A0|SSL_ST_ACCEPT)
640#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
641#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
642#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
643#ifndef OPENSSL_NO_NEXTPROTONEG
644#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT)
645#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT)
646#endif
647#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
648#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
649/* write to client */
650#define SSL3_ST_SW_CHANGE_A (0x1D0|SSL_ST_ACCEPT)
651#define SSL3_ST_SW_CHANGE_B (0x1D1|SSL_ST_ACCEPT)
652#define SSL3_ST_SW_FINISHED_A (0x1E0|SSL_ST_ACCEPT)
653#define SSL3_ST_SW_FINISHED_B (0x1E1|SSL_ST_ACCEPT)
654#define SSL3_ST_SW_SESSION_TICKET_A (0x1F0|SSL_ST_ACCEPT)
655#define SSL3_ST_SW_SESSION_TICKET_B (0x1F1|SSL_ST_ACCEPT)
656#define SSL3_ST_SW_CERT_STATUS_A (0x200|SSL_ST_ACCEPT)
657#define SSL3_ST_SW_CERT_STATUS_B (0x201|SSL_ST_ACCEPT)
658
659#define SSL3_MT_HELLO_REQUEST 0
660#define SSL3_MT_CLIENT_HELLO 1
661#define SSL3_MT_SERVER_HELLO 2
662#define SSL3_MT_NEWSESSION_TICKET 4
663#define SSL3_MT_CERTIFICATE 11
664#define SSL3_MT_SERVER_KEY_EXCHANGE 12
665#define SSL3_MT_CERTIFICATE_REQUEST 13
666#define SSL3_MT_SERVER_DONE 14
667#define SSL3_MT_CERTIFICATE_VERIFY 15
668#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
669#define SSL3_MT_FINISHED 20
670#define SSL3_MT_CERTIFICATE_STATUS 22
671#ifndef OPENSSL_NO_NEXTPROTONEG
672#define SSL3_MT_NEXT_PROTO 67
673#endif
674#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
675
676
677#define SSL3_MT_CCS 1
678
679/* These are used when changing over to a new cipher */
680#define SSL3_CC_READ 0x01
681#define SSL3_CC_WRITE 0x02
682#define SSL3_CC_CLIENT 0x10
683#define SSL3_CC_SERVER 0x20
684#define SSL3_CHANGE_CIPHER_CLIENT_WRITE (SSL3_CC_CLIENT|SSL3_CC_WRITE)
685#define SSL3_CHANGE_CIPHER_SERVER_READ (SSL3_CC_SERVER|SSL3_CC_READ)
686#define SSL3_CHANGE_CIPHER_CLIENT_READ (SSL3_CC_CLIENT|SSL3_CC_READ)
687#define SSL3_CHANGE_CIPHER_SERVER_WRITE (SSL3_CC_SERVER|SSL3_CC_WRITE)
688
689#ifdef __cplusplus
690}
691#endif
692#endif
693
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
deleted file mode 100644
index 9c34d19725..0000000000
--- a/src/lib/libssl/ssl_algs.c
+++ /dev/null
@@ -1,150 +0,0 @@
1/* ssl/ssl_algs.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/objects.h>
61#include <openssl/lhash.h>
62#include "ssl_locl.h"
63
64int SSL_library_init(void)
65 {
66
67#ifndef OPENSSL_NO_DES
68 EVP_add_cipher(EVP_des_cbc());
69 EVP_add_cipher(EVP_des_ede3_cbc());
70#endif
71#ifndef OPENSSL_NO_IDEA
72 EVP_add_cipher(EVP_idea_cbc());
73#endif
74#ifndef OPENSSL_NO_RC4
75 EVP_add_cipher(EVP_rc4());
76#if !defined(OPENSSL_NO_MD5) && (defined(__x86_64) || defined(__x86_64__))
77 EVP_add_cipher(EVP_rc4_hmac_md5());
78#endif
79#endif
80#ifndef OPENSSL_NO_RC2
81 EVP_add_cipher(EVP_rc2_cbc());
82 /* Not actually used for SSL/TLS but this makes PKCS#12 work
83 * if an application only calls SSL_library_init().
84 */
85 EVP_add_cipher(EVP_rc2_40_cbc());
86#endif
87#ifndef OPENSSL_NO_AES
88 EVP_add_cipher(EVP_aes_128_cbc());
89 EVP_add_cipher(EVP_aes_192_cbc());
90 EVP_add_cipher(EVP_aes_256_cbc());
91 EVP_add_cipher(EVP_aes_128_gcm());
92 EVP_add_cipher(EVP_aes_256_gcm());
93#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
94 EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
95 EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
96#endif
97
98#endif
99#ifndef OPENSSL_NO_CAMELLIA
100 EVP_add_cipher(EVP_camellia_128_cbc());
101 EVP_add_cipher(EVP_camellia_256_cbc());
102#endif
103
104#ifndef OPENSSL_NO_SEED
105 EVP_add_cipher(EVP_seed_cbc());
106#endif
107
108#ifndef OPENSSL_NO_MD5
109 EVP_add_digest(EVP_md5());
110 EVP_add_digest_alias(SN_md5,"ssl2-md5");
111 EVP_add_digest_alias(SN_md5,"ssl3-md5");
112#endif
113#ifndef OPENSSL_NO_SHA
114 EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
115 EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
116 EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
117#endif
118#ifndef OPENSSL_NO_SHA256
119 EVP_add_digest(EVP_sha224());
120 EVP_add_digest(EVP_sha256());
121#endif
122#ifndef OPENSSL_NO_SHA512
123 EVP_add_digest(EVP_sha384());
124 EVP_add_digest(EVP_sha512());
125#endif
126#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
127 EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
128 EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
129 EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
130 EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
131#endif
132#ifndef OPENSSL_NO_ECDSA
133 EVP_add_digest(EVP_ecdsa());
134#endif
135 /* If you want support for phased out ciphers, add the following */
136#if 0
137 EVP_add_digest(EVP_sha());
138 EVP_add_digest(EVP_dss());
139#endif
140#ifndef OPENSSL_NO_COMP
141 /* This will initialise the built-in compression algorithms.
142 The value returned is a STACK_OF(SSL_COMP), but that can
143 be discarded safely */
144 (void)SSL_COMP_get_compression_methods();
145#endif
146 /* initialize cipher/digest methods table */
147 ssl_load_ciphers();
148 return(1);
149 }
150
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
deleted file mode 100644
index 38540be1e5..0000000000
--- a/src/lib/libssl/ssl_asn1.c
+++ /dev/null
@@ -1,642 +0,0 @@
1/* ssl/ssl_asn1.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
84
85#include <stdio.h>
86#include <stdlib.h>
87#include "ssl_locl.h"
88#include <openssl/asn1_mac.h>
89#include <openssl/objects.h>
90#include <openssl/x509.h>
91
92typedef struct ssl_session_asn1_st
93 {
94 ASN1_INTEGER version;
95 ASN1_INTEGER ssl_version;
96 ASN1_OCTET_STRING cipher;
97 ASN1_OCTET_STRING comp_id;
98 ASN1_OCTET_STRING master_key;
99 ASN1_OCTET_STRING session_id;
100 ASN1_OCTET_STRING session_id_context;
101 ASN1_OCTET_STRING key_arg;
102#ifndef OPENSSL_NO_KRB5
103 ASN1_OCTET_STRING krb5_princ;
104#endif /* OPENSSL_NO_KRB5 */
105 ASN1_INTEGER time;
106 ASN1_INTEGER timeout;
107 ASN1_INTEGER verify_result;
108#ifndef OPENSSL_NO_TLSEXT
109 ASN1_OCTET_STRING tlsext_hostname;
110 ASN1_INTEGER tlsext_tick_lifetime;
111 ASN1_OCTET_STRING tlsext_tick;
112#endif /* OPENSSL_NO_TLSEXT */
113#ifndef OPENSSL_NO_PSK
114 ASN1_OCTET_STRING psk_identity_hint;
115 ASN1_OCTET_STRING psk_identity;
116#endif /* OPENSSL_NO_PSK */
117#ifndef OPENSSL_NO_SRP
118 ASN1_OCTET_STRING srp_username;
119#endif /* OPENSSL_NO_SRP */
120 } SSL_SESSION_ASN1;
121
122int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
123 {
124#define LSIZE2 (sizeof(long)*2)
125 int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0;
126 unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
127 unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
128#ifndef OPENSSL_NO_TLSEXT
129 int v6=0,v9=0,v10=0;
130 unsigned char ibuf6[LSIZE2];
131#endif
132#ifndef OPENSSL_NO_COMP
133 unsigned char cbuf;
134 int v11=0;
135#endif
136#ifndef OPENSSL_NO_SRP
137 int v12=0;
138#endif
139 long l;
140 SSL_SESSION_ASN1 a;
141 M_ASN1_I2D_vars(in);
142
143 if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0)))
144 return(0);
145
146 /* Note that I cheat in the following 2 assignments. I know
147 * that if the ASN1_INTEGER passed to ASN1_INTEGER_set
148 * is > sizeof(long)+1, the buffer will not be re-OPENSSL_malloc()ed.
149 * This is a bit evil but makes things simple, no dynamic allocation
150 * to clean up :-) */
151 a.version.length=LSIZE2;
152 a.version.type=V_ASN1_INTEGER;
153 a.version.data=ibuf1;
154 ASN1_INTEGER_set(&(a.version),SSL_SESSION_ASN1_VERSION);
155
156 a.ssl_version.length=LSIZE2;
157 a.ssl_version.type=V_ASN1_INTEGER;
158 a.ssl_version.data=ibuf2;
159 ASN1_INTEGER_set(&(a.ssl_version),in->ssl_version);
160
161 a.cipher.type=V_ASN1_OCTET_STRING;
162 a.cipher.data=buf;
163
164 if (in->cipher == NULL)
165 l=in->cipher_id;
166 else
167 l=in->cipher->id;
168 if (in->ssl_version == SSL2_VERSION)
169 {
170 a.cipher.length=3;
171 buf[0]=((unsigned char)(l>>16L))&0xff;
172 buf[1]=((unsigned char)(l>> 8L))&0xff;
173 buf[2]=((unsigned char)(l ))&0xff;
174 }
175 else
176 {
177 a.cipher.length=2;
178 buf[0]=((unsigned char)(l>>8L))&0xff;
179 buf[1]=((unsigned char)(l ))&0xff;
180 }
181
182#ifndef OPENSSL_NO_COMP
183 if (in->compress_meth)
184 {
185 cbuf = (unsigned char)in->compress_meth;
186 a.comp_id.length = 1;
187 a.comp_id.type = V_ASN1_OCTET_STRING;
188 a.comp_id.data = &cbuf;
189 }
190#endif
191
192 a.master_key.length=in->master_key_length;
193 a.master_key.type=V_ASN1_OCTET_STRING;
194 a.master_key.data=in->master_key;
195
196 a.session_id.length=in->session_id_length;
197 a.session_id.type=V_ASN1_OCTET_STRING;
198 a.session_id.data=in->session_id;
199
200 a.session_id_context.length=in->sid_ctx_length;
201 a.session_id_context.type=V_ASN1_OCTET_STRING;
202 a.session_id_context.data=in->sid_ctx;
203
204 a.key_arg.length=in->key_arg_length;
205 a.key_arg.type=V_ASN1_OCTET_STRING;
206 a.key_arg.data=in->key_arg;
207
208#ifndef OPENSSL_NO_KRB5
209 if (in->krb5_client_princ_len)
210 {
211 a.krb5_princ.length=in->krb5_client_princ_len;
212 a.krb5_princ.type=V_ASN1_OCTET_STRING;
213 a.krb5_princ.data=in->krb5_client_princ;
214 }
215#endif /* OPENSSL_NO_KRB5 */
216
217 if (in->time != 0L)
218 {
219 a.time.length=LSIZE2;
220 a.time.type=V_ASN1_INTEGER;
221 a.time.data=ibuf3;
222 ASN1_INTEGER_set(&(a.time),in->time);
223 }
224
225 if (in->timeout != 0L)
226 {
227 a.timeout.length=LSIZE2;
228 a.timeout.type=V_ASN1_INTEGER;
229 a.timeout.data=ibuf4;
230 ASN1_INTEGER_set(&(a.timeout),in->timeout);
231 }
232
233 if (in->verify_result != X509_V_OK)
234 {
235 a.verify_result.length=LSIZE2;
236 a.verify_result.type=V_ASN1_INTEGER;
237 a.verify_result.data=ibuf5;
238 ASN1_INTEGER_set(&a.verify_result,in->verify_result);
239 }
240
241#ifndef OPENSSL_NO_TLSEXT
242 if (in->tlsext_hostname)
243 {
244 a.tlsext_hostname.length=strlen(in->tlsext_hostname);
245 a.tlsext_hostname.type=V_ASN1_OCTET_STRING;
246 a.tlsext_hostname.data=(unsigned char *)in->tlsext_hostname;
247 }
248 if (in->tlsext_tick)
249 {
250 a.tlsext_tick.length= in->tlsext_ticklen;
251 a.tlsext_tick.type=V_ASN1_OCTET_STRING;
252 a.tlsext_tick.data=(unsigned char *)in->tlsext_tick;
253 }
254 if (in->tlsext_tick_lifetime_hint > 0)
255 {
256 a.tlsext_tick_lifetime.length=LSIZE2;
257 a.tlsext_tick_lifetime.type=V_ASN1_INTEGER;
258 a.tlsext_tick_lifetime.data=ibuf6;
259 ASN1_INTEGER_set(&a.tlsext_tick_lifetime,in->tlsext_tick_lifetime_hint);
260 }
261#endif /* OPENSSL_NO_TLSEXT */
262#ifndef OPENSSL_NO_PSK
263 if (in->psk_identity_hint)
264 {
265 a.psk_identity_hint.length=strlen(in->psk_identity_hint);
266 a.psk_identity_hint.type=V_ASN1_OCTET_STRING;
267 a.psk_identity_hint.data=(unsigned char *)(in->psk_identity_hint);
268 }
269 if (in->psk_identity)
270 {
271 a.psk_identity.length=strlen(in->psk_identity);
272 a.psk_identity.type=V_ASN1_OCTET_STRING;
273 a.psk_identity.data=(unsigned char *)(in->psk_identity);
274 }
275#endif /* OPENSSL_NO_PSK */
276#ifndef OPENSSL_NO_SRP
277 if (in->srp_username)
278 {
279 a.srp_username.length=strlen(in->srp_username);
280 a.srp_username.type=V_ASN1_OCTET_STRING;
281 a.srp_username.data=(unsigned char *)(in->srp_username);
282 }
283#endif /* OPENSSL_NO_SRP */
284
285 M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
286 M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
287 M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING);
288 M_ASN1_I2D_len(&(a.session_id), i2d_ASN1_OCTET_STRING);
289 M_ASN1_I2D_len(&(a.master_key), i2d_ASN1_OCTET_STRING);
290#ifndef OPENSSL_NO_KRB5
291 if (in->krb5_client_princ_len)
292 M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
293#endif /* OPENSSL_NO_KRB5 */
294 if (in->key_arg_length > 0)
295 M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING);
296 if (in->time != 0L)
297 M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
298 if (in->timeout != 0L)
299 M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
300 if (in->peer != NULL)
301 M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
302 M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
303 if (in->verify_result != X509_V_OK)
304 M_ASN1_I2D_len_EXP_opt(&(a.verify_result),i2d_ASN1_INTEGER,5,v5);
305
306#ifndef OPENSSL_NO_TLSEXT
307 if (in->tlsext_tick_lifetime_hint > 0)
308 M_ASN1_I2D_len_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
309 if (in->tlsext_tick)
310 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
311 if (in->tlsext_hostname)
312 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
313#ifndef OPENSSL_NO_COMP
314 if (in->compress_meth)
315 M_ASN1_I2D_len_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING,11,v11);
316#endif
317#endif /* OPENSSL_NO_TLSEXT */
318#ifndef OPENSSL_NO_PSK
319 if (in->psk_identity_hint)
320 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING,7,v7);
321 if (in->psk_identity)
322 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
323#endif /* OPENSSL_NO_PSK */
324#ifndef OPENSSL_NO_SRP
325 if (in->srp_username)
326 M_ASN1_I2D_len_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING,12,v12);
327#endif /* OPENSSL_NO_SRP */
328
329 M_ASN1_I2D_seq_total();
330
331 M_ASN1_I2D_put(&(a.version), i2d_ASN1_INTEGER);
332 M_ASN1_I2D_put(&(a.ssl_version), i2d_ASN1_INTEGER);
333 M_ASN1_I2D_put(&(a.cipher), i2d_ASN1_OCTET_STRING);
334 M_ASN1_I2D_put(&(a.session_id), i2d_ASN1_OCTET_STRING);
335 M_ASN1_I2D_put(&(a.master_key), i2d_ASN1_OCTET_STRING);
336#ifndef OPENSSL_NO_KRB5
337 if (in->krb5_client_princ_len)
338 M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
339#endif /* OPENSSL_NO_KRB5 */
340 if (in->key_arg_length > 0)
341 M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0);
342 if (in->time != 0L)
343 M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
344 if (in->timeout != 0L)
345 M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
346 if (in->peer != NULL)
347 M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
348 M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
349 v4);
350 if (in->verify_result != X509_V_OK)
351 M_ASN1_I2D_put_EXP_opt(&a.verify_result,i2d_ASN1_INTEGER,5,v5);
352#ifndef OPENSSL_NO_TLSEXT
353 if (in->tlsext_hostname)
354 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
355#endif /* OPENSSL_NO_TLSEXT */
356#ifndef OPENSSL_NO_PSK
357 if (in->psk_identity_hint)
358 M_ASN1_I2D_put_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING,7,v7);
359 if (in->psk_identity)
360 M_ASN1_I2D_put_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
361#endif /* OPENSSL_NO_PSK */
362#ifndef OPENSSL_NO_TLSEXT
363 if (in->tlsext_tick_lifetime_hint > 0)
364 M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
365 if (in->tlsext_tick)
366 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
367#endif /* OPENSSL_NO_TLSEXT */
368#ifndef OPENSSL_NO_COMP
369 if (in->compress_meth)
370 M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING,11,v11);
371#endif
372#ifndef OPENSSL_NO_SRP
373 if (in->srp_username)
374 M_ASN1_I2D_put_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING,12,v12);
375#endif /* OPENSSL_NO_SRP */
376 M_ASN1_I2D_finish();
377 }
378
379SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
380 long length)
381 {
382 int ssl_version=0,i;
383 long id;
384 ASN1_INTEGER ai,*aip;
385 ASN1_OCTET_STRING os,*osp;
386 M_ASN1_D2I_vars(a,SSL_SESSION *,SSL_SESSION_new);
387
388 aip= &ai;
389 osp= &os;
390
391 M_ASN1_D2I_Init();
392 M_ASN1_D2I_start_sequence();
393
394 ai.data=NULL; ai.length=0;
395 M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
396 if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
397
398 /* we don't care about the version right now :-) */
399 M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
400 ssl_version=(int)ASN1_INTEGER_get(aip);
401 ret->ssl_version=ssl_version;
402 if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
403
404 os.data=NULL; os.length=0;
405 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
406 if (ssl_version == SSL2_VERSION)
407 {
408 if (os.length != 3)
409 {
410 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
411 goto err;
412 }
413 id=0x02000000L|
414 ((unsigned long)os.data[0]<<16L)|
415 ((unsigned long)os.data[1]<< 8L)|
416 (unsigned long)os.data[2];
417 }
418 else if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
419 {
420 if (os.length != 2)
421 {
422 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
423 goto err;
424 }
425 id=0x03000000L|
426 ((unsigned long)os.data[0]<<8L)|
427 (unsigned long)os.data[1];
428 }
429 else
430 {
431 c.error=SSL_R_UNKNOWN_SSL_VERSION;
432 goto err;
433 }
434
435 ret->cipher=NULL;
436 ret->cipher_id=id;
437
438 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
439 if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
440 i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
441 else /* if (ssl_version>>8 == SSL2_VERSION_MAJOR) */
442 i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
443
444 if (os.length > i)
445 os.length = i;
446 if (os.length > (int)sizeof(ret->session_id)) /* can't happen */
447 os.length = sizeof(ret->session_id);
448
449 ret->session_id_length=os.length;
450 OPENSSL_assert(os.length <= (int)sizeof(ret->session_id));
451 memcpy(ret->session_id,os.data,os.length);
452
453 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
454 if (os.length > SSL_MAX_MASTER_KEY_LENGTH)
455 ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
456 else
457 ret->master_key_length=os.length;
458 memcpy(ret->master_key,os.data,ret->master_key_length);
459
460 os.length=0;
461
462#ifndef OPENSSL_NO_KRB5
463 os.length=0;
464 M_ASN1_D2I_get_opt(osp,d2i_ASN1_OCTET_STRING,V_ASN1_OCTET_STRING);
465 if (os.data)
466 {
467 if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH)
468 ret->krb5_client_princ_len=0;
469 else
470 ret->krb5_client_princ_len=os.length;
471 memcpy(ret->krb5_client_princ,os.data,ret->krb5_client_princ_len);
472 OPENSSL_free(os.data);
473 os.data = NULL;
474 os.length = 0;
475 }
476 else
477 ret->krb5_client_princ_len=0;
478#endif /* OPENSSL_NO_KRB5 */
479
480 M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING);
481 if (os.length > SSL_MAX_KEY_ARG_LENGTH)
482 ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH;
483 else
484 ret->key_arg_length=os.length;
485 memcpy(ret->key_arg,os.data,ret->key_arg_length);
486 if (os.data != NULL) OPENSSL_free(os.data);
487
488 ai.length=0;
489 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,1);
490 if (ai.data != NULL)
491 {
492 ret->time=ASN1_INTEGER_get(aip);
493 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
494 }
495 else
496 ret->time=(unsigned long)time(NULL);
497
498 ai.length=0;
499 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2);
500 if (ai.data != NULL)
501 {
502 ret->timeout=ASN1_INTEGER_get(aip);
503 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
504 }
505 else
506 ret->timeout=3;
507
508 if (ret->peer != NULL)
509 {
510 X509_free(ret->peer);
511 ret->peer=NULL;
512 }
513 M_ASN1_D2I_get_EXP_opt(ret->peer,d2i_X509,3);
514
515 os.length=0;
516 os.data=NULL;
517 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,4);
518
519 if(os.data != NULL)
520 {
521 if (os.length > SSL_MAX_SID_CTX_LENGTH)
522 {
523 c.error=SSL_R_BAD_LENGTH;
524 goto err;
525 }
526 else
527 {
528 ret->sid_ctx_length=os.length;
529 memcpy(ret->sid_ctx,os.data,os.length);
530 }
531 OPENSSL_free(os.data); os.data=NULL; os.length=0;
532 }
533 else
534 ret->sid_ctx_length=0;
535
536 ai.length=0;
537 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,5);
538 if (ai.data != NULL)
539 {
540 ret->verify_result=ASN1_INTEGER_get(aip);
541 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
542 }
543 else
544 ret->verify_result=X509_V_OK;
545
546#ifndef OPENSSL_NO_TLSEXT
547 os.length=0;
548 os.data=NULL;
549 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,6);
550 if (os.data)
551 {
552 ret->tlsext_hostname = BUF_strndup((char *)os.data, os.length);
553 OPENSSL_free(os.data);
554 os.data = NULL;
555 os.length = 0;
556 }
557 else
558 ret->tlsext_hostname=NULL;
559#endif /* OPENSSL_NO_TLSEXT */
560
561#ifndef OPENSSL_NO_PSK
562 os.length=0;
563 os.data=NULL;
564 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,7);
565 if (os.data)
566 {
567 ret->psk_identity_hint = BUF_strndup((char *)os.data, os.length);
568 OPENSSL_free(os.data);
569 os.data = NULL;
570 os.length = 0;
571 }
572 else
573 ret->psk_identity_hint=NULL;
574
575 os.length=0;
576 os.data=NULL;
577 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,8);
578 if (os.data)
579 {
580 ret->psk_identity = BUF_strndup((char *)os.data, os.length);
581 OPENSSL_free(os.data);
582 os.data = NULL;
583 os.length = 0;
584 }
585 else
586 ret->psk_identity=NULL;
587#endif /* OPENSSL_NO_PSK */
588
589#ifndef OPENSSL_NO_TLSEXT
590 ai.length=0;
591 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,9);
592 if (ai.data != NULL)
593 {
594 ret->tlsext_tick_lifetime_hint=ASN1_INTEGER_get(aip);
595 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
596 }
597 else if (ret->tlsext_ticklen && ret->session_id_length)
598 ret->tlsext_tick_lifetime_hint = -1;
599 else
600 ret->tlsext_tick_lifetime_hint=0;
601 os.length=0;
602 os.data=NULL;
603 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,10);
604 if (os.data)
605 {
606 ret->tlsext_tick = os.data;
607 ret->tlsext_ticklen = os.length;
608 os.data = NULL;
609 os.length = 0;
610 }
611 else
612 ret->tlsext_tick=NULL;
613#endif /* OPENSSL_NO_TLSEXT */
614#ifndef OPENSSL_NO_COMP
615 os.length=0;
616 os.data=NULL;
617 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,11);
618 if (os.data)
619 {
620 ret->compress_meth = os.data[0];
621 OPENSSL_free(os.data);
622 os.data = NULL;
623 }
624#endif
625
626#ifndef OPENSSL_NO_SRP
627 os.length=0;
628 os.data=NULL;
629 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,12);
630 if (os.data)
631 {
632 ret->srp_username = BUF_strndup((char *)os.data, os.length);
633 OPENSSL_free(os.data);
634 os.data = NULL;
635 os.length = 0;
636 }
637 else
638 ret->srp_username=NULL;
639#endif /* OPENSSL_NO_SRP */
640
641 M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
642 }
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
deleted file mode 100644
index 5123a89182..0000000000
--- a/src/lib/libssl/ssl_cert.c
+++ /dev/null
@@ -1,853 +0,0 @@
1/*! \file ssl/ssl_cert.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#include <stdio.h>
118
119#include "e_os.h"
120#ifndef NO_SYS_TYPES_H
121# include <sys/types.h>
122#endif
123
124#include "o_dir.h"
125#include <openssl/objects.h>
126#include <openssl/bio.h>
127#include <openssl/pem.h>
128#include <openssl/x509v3.h>
129#ifndef OPENSSL_NO_DH
130#include <openssl/dh.h>
131#endif
132#include <openssl/bn.h>
133#include "ssl_locl.h"
134
135int SSL_get_ex_data_X509_STORE_CTX_idx(void)
136 {
137 static volatile int ssl_x509_store_ctx_idx= -1;
138 int got_write_lock = 0;
139
140 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
141
142 if (ssl_x509_store_ctx_idx < 0)
143 {
144 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
145 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
146 got_write_lock = 1;
147
148 if (ssl_x509_store_ctx_idx < 0)
149 {
150 ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
151 0,"SSL for verify callback",NULL,NULL,NULL);
152 }
153 }
154
155 if (got_write_lock)
156 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
157 else
158 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
159
160 return ssl_x509_store_ctx_idx;
161 }
162
163static void ssl_cert_set_default_md(CERT *cert)
164 {
165 /* Set digest values to defaults */
166#ifndef OPENSSL_NO_DSA
167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
168#endif
169#ifndef OPENSSL_NO_RSA
170 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
171 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
172#endif
173#ifndef OPENSSL_NO_ECDSA
174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
175#endif
176 }
177
178CERT *ssl_cert_new(void)
179 {
180 CERT *ret;
181
182 ret=(CERT *)OPENSSL_malloc(sizeof(CERT));
183 if (ret == NULL)
184 {
185 SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE);
186 return(NULL);
187 }
188 memset(ret,0,sizeof(CERT));
189
190 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
191 ret->references=1;
192 ssl_cert_set_default_md(ret);
193 return(ret);
194 }
195
196CERT *ssl_cert_dup(CERT *cert)
197 {
198 CERT *ret;
199 int i;
200
201 ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
202 if (ret == NULL)
203 {
204 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
205 return(NULL);
206 }
207
208 memset(ret, 0, sizeof(CERT));
209
210 ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
211 /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
212 * if you find that more readable */
213
214 ret->valid = cert->valid;
215 ret->mask_k = cert->mask_k;
216 ret->mask_a = cert->mask_a;
217 ret->export_mask_k = cert->export_mask_k;
218 ret->export_mask_a = cert->export_mask_a;
219
220#ifndef OPENSSL_NO_RSA
221 if (cert->rsa_tmp != NULL)
222 {
223 RSA_up_ref(cert->rsa_tmp);
224 ret->rsa_tmp = cert->rsa_tmp;
225 }
226 ret->rsa_tmp_cb = cert->rsa_tmp_cb;
227#endif
228
229#ifndef OPENSSL_NO_DH
230 if (cert->dh_tmp != NULL)
231 {
232 ret->dh_tmp = DHparams_dup(cert->dh_tmp);
233 if (ret->dh_tmp == NULL)
234 {
235 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
236 goto err;
237 }
238 if (cert->dh_tmp->priv_key)
239 {
240 BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
241 if (!b)
242 {
243 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
244 goto err;
245 }
246 ret->dh_tmp->priv_key = b;
247 }
248 if (cert->dh_tmp->pub_key)
249 {
250 BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
251 if (!b)
252 {
253 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
254 goto err;
255 }
256 ret->dh_tmp->pub_key = b;
257 }
258 }
259 ret->dh_tmp_cb = cert->dh_tmp_cb;
260#endif
261
262#ifndef OPENSSL_NO_ECDH
263 if (cert->ecdh_tmp)
264 {
265 ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
266 if (ret->ecdh_tmp == NULL)
267 {
268 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
269 goto err;
270 }
271 }
272 ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
273#endif
274
275 for (i = 0; i < SSL_PKEY_NUM; i++)
276 {
277 if (cert->pkeys[i].x509 != NULL)
278 {
279 ret->pkeys[i].x509 = cert->pkeys[i].x509;
280 CRYPTO_add(&ret->pkeys[i].x509->references, 1,
281 CRYPTO_LOCK_X509);
282 }
283
284 if (cert->pkeys[i].privatekey != NULL)
285 {
286 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
287 CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
288 CRYPTO_LOCK_EVP_PKEY);
289
290 switch(i)
291 {
292 /* If there was anything special to do for
293 * certain types of keys, we'd do it here.
294 * (Nothing at the moment, I think.) */
295
296 case SSL_PKEY_RSA_ENC:
297 case SSL_PKEY_RSA_SIGN:
298 /* We have an RSA key. */
299 break;
300
301 case SSL_PKEY_DSA_SIGN:
302 /* We have a DSA key. */
303 break;
304
305 case SSL_PKEY_DH_RSA:
306 case SSL_PKEY_DH_DSA:
307 /* We have a DH key. */
308 break;
309
310 case SSL_PKEY_ECC:
311 /* We have an ECC key */
312 break;
313
314 default:
315 /* Can't happen. */
316 SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
317 }
318 }
319 }
320
321 /* ret->extra_certs *should* exist, but currently the own certificate
322 * chain is held inside SSL_CTX */
323
324 ret->references=1;
325 /* Set digests to defaults. NB: we don't copy existing values as they
326 * will be set during handshake.
327 */
328 ssl_cert_set_default_md(ret);
329
330 return(ret);
331
332#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
333err:
334#endif
335#ifndef OPENSSL_NO_RSA
336 if (ret->rsa_tmp != NULL)
337 RSA_free(ret->rsa_tmp);
338#endif
339#ifndef OPENSSL_NO_DH
340 if (ret->dh_tmp != NULL)
341 DH_free(ret->dh_tmp);
342#endif
343#ifndef OPENSSL_NO_ECDH
344 if (ret->ecdh_tmp != NULL)
345 EC_KEY_free(ret->ecdh_tmp);
346#endif
347
348 for (i = 0; i < SSL_PKEY_NUM; i++)
349 {
350 if (ret->pkeys[i].x509 != NULL)
351 X509_free(ret->pkeys[i].x509);
352 if (ret->pkeys[i].privatekey != NULL)
353 EVP_PKEY_free(ret->pkeys[i].privatekey);
354 }
355
356 return NULL;
357 }
358
359
360void ssl_cert_free(CERT *c)
361 {
362 int i;
363
364 if(c == NULL)
365 return;
366
367 i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT);
368#ifdef REF_PRINT
369 REF_PRINT("CERT",c);
370#endif
371 if (i > 0) return;
372#ifdef REF_CHECK
373 if (i < 0)
374 {
375 fprintf(stderr,"ssl_cert_free, bad reference count\n");
376 abort(); /* ok */
377 }
378#endif
379
380#ifndef OPENSSL_NO_RSA
381 if (c->rsa_tmp) RSA_free(c->rsa_tmp);
382#endif
383#ifndef OPENSSL_NO_DH
384 if (c->dh_tmp) DH_free(c->dh_tmp);
385#endif
386#ifndef OPENSSL_NO_ECDH
387 if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);
388#endif
389
390 for (i=0; i<SSL_PKEY_NUM; i++)
391 {
392 if (c->pkeys[i].x509 != NULL)
393 X509_free(c->pkeys[i].x509);
394 if (c->pkeys[i].privatekey != NULL)
395 EVP_PKEY_free(c->pkeys[i].privatekey);
396#if 0
397 if (c->pkeys[i].publickey != NULL)
398 EVP_PKEY_free(c->pkeys[i].publickey);
399#endif
400 }
401 OPENSSL_free(c);
402 }
403
404int ssl_cert_inst(CERT **o)
405 {
406 /* Create a CERT if there isn't already one
407 * (which cannot really happen, as it is initially created in
408 * SSL_CTX_new; but the earlier code usually allows for that one
409 * being non-existant, so we follow that behaviour, as it might
410 * turn out that there actually is a reason for it -- but I'm
411 * not sure that *all* of the existing code could cope with
412 * s->cert being NULL, otherwise we could do without the
413 * initialization in SSL_CTX_new).
414 */
415
416 if (o == NULL)
417 {
418 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
419 return(0);
420 }
421 if (*o == NULL)
422 {
423 if ((*o = ssl_cert_new()) == NULL)
424 {
425 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
426 return(0);
427 }
428 }
429 return(1);
430 }
431
432
433SESS_CERT *ssl_sess_cert_new(void)
434 {
435 SESS_CERT *ret;
436
437 ret = OPENSSL_malloc(sizeof *ret);
438 if (ret == NULL)
439 {
440 SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
441 return NULL;
442 }
443
444 memset(ret, 0 ,sizeof *ret);
445 ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
446 ret->references = 1;
447
448 return ret;
449 }
450
451void ssl_sess_cert_free(SESS_CERT *sc)
452 {
453 int i;
454
455 if (sc == NULL)
456 return;
457
458 i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
459#ifdef REF_PRINT
460 REF_PRINT("SESS_CERT", sc);
461#endif
462 if (i > 0)
463 return;
464#ifdef REF_CHECK
465 if (i < 0)
466 {
467 fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
468 abort(); /* ok */
469 }
470#endif
471
472 /* i == 0 */
473 if (sc->cert_chain != NULL)
474 sk_X509_pop_free(sc->cert_chain, X509_free);
475 for (i = 0; i < SSL_PKEY_NUM; i++)
476 {
477 if (sc->peer_pkeys[i].x509 != NULL)
478 X509_free(sc->peer_pkeys[i].x509);
479#if 0 /* We don't have the peer's private key. These lines are just
480 * here as a reminder that we're still using a not-quite-appropriate
481 * data structure. */
482 if (sc->peer_pkeys[i].privatekey != NULL)
483 EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
484#endif
485 }
486
487#ifndef OPENSSL_NO_RSA
488 if (sc->peer_rsa_tmp != NULL)
489 RSA_free(sc->peer_rsa_tmp);
490#endif
491#ifndef OPENSSL_NO_DH
492 if (sc->peer_dh_tmp != NULL)
493 DH_free(sc->peer_dh_tmp);
494#endif
495#ifndef OPENSSL_NO_ECDH
496 if (sc->peer_ecdh_tmp != NULL)
497 EC_KEY_free(sc->peer_ecdh_tmp);
498#endif
499
500 OPENSSL_free(sc);
501 }
502
503int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
504 {
505 sc->peer_cert_type = type;
506 return(1);
507 }
508
509int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
510 {
511 X509 *x;
512 int i;
513 X509_STORE_CTX ctx;
514
515 if ((sk == NULL) || (sk_X509_num(sk) == 0))
516 return(0);
517
518 x=sk_X509_value(sk,0);
519 if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk))
520 {
521 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
522 return(0);
523 }
524#if 0
525 if (SSL_get_verify_depth(s) >= 0)
526 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
527#endif
528 X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
529
530 /* We need to inherit the verify parameters. These can be determined by
531 * the context: if its a server it will verify SSL client certificates
532 * or vice versa.
533 */
534
535 X509_STORE_CTX_set_default(&ctx,
536 s->server ? "ssl_client" : "ssl_server");
537 /* Anything non-default in "param" should overwrite anything in the
538 * ctx.
539 */
540 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
541
542 if (s->verify_callback)
543 X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
544
545 if (s->ctx->app_verify_callback != NULL)
546#if 1 /* new with OpenSSL 0.9.7 */
547 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
548#else
549 i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
550#endif
551 else
552 {
553#ifndef OPENSSL_NO_X509_VERIFY
554 i=X509_verify_cert(&ctx);
555#else
556 i=0;
557 ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
558 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK);
559#endif
560 }
561
562 s->verify_result=ctx.error;
563 X509_STORE_CTX_cleanup(&ctx);
564
565 return(i);
566 }
567
568static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
569 {
570 if (*ca_list != NULL)
571 sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
572
573 *ca_list=name_list;
574 }
575
576STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
577 {
578 int i;
579 STACK_OF(X509_NAME) *ret;
580 X509_NAME *name;
581
582 ret=sk_X509_NAME_new_null();
583 for (i=0; i<sk_X509_NAME_num(sk); i++)
584 {
585 name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
586 if ((name == NULL) || !sk_X509_NAME_push(ret,name))
587 {
588 sk_X509_NAME_pop_free(ret,X509_NAME_free);
589 return(NULL);
590 }
591 }
592 return(ret);
593 }
594
595void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)
596 {
597 set_client_CA_list(&(s->client_CA),name_list);
598 }
599
600void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
601 {
602 set_client_CA_list(&(ctx->client_CA),name_list);
603 }
604
605STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
606 {
607 return(ctx->client_CA);
608 }
609
610STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
611 {
612 if (s->type == SSL_ST_CONNECT)
613 { /* we are in the client */
614 if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
615 (s->s3 != NULL))
616 return(s->s3->tmp.ca_names);
617 else
618 return(NULL);
619 }
620 else
621 {
622 if (s->client_CA != NULL)
623 return(s->client_CA);
624 else
625 return(s->ctx->client_CA);
626 }
627 }
628
629static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)
630 {
631 X509_NAME *name;
632
633 if (x == NULL) return(0);
634 if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))
635 return(0);
636
637 if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
638 return(0);
639
640 if (!sk_X509_NAME_push(*sk,name))
641 {
642 X509_NAME_free(name);
643 return(0);
644 }
645 return(1);
646 }
647
648int SSL_add_client_CA(SSL *ssl,X509 *x)
649 {
650 return(add_client_CA(&(ssl->client_CA),x));
651 }
652
653int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
654 {
655 return(add_client_CA(&(ctx->client_CA),x));
656 }
657
658static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
659 {
660 return(X509_NAME_cmp(*a,*b));
661 }
662
663#ifndef OPENSSL_NO_STDIO
664/*!
665 * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
666 * it doesn't really have anything to do with clients (except that a common use
667 * for a stack of CAs is to send it to the client). Actually, it doesn't have
668 * much to do with CAs, either, since it will load any old cert.
669 * \param file the file containing one or more certs.
670 * \return a ::STACK containing the certs.
671 */
672STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
673 {
674 BIO *in;
675 X509 *x=NULL;
676 X509_NAME *xn=NULL;
677 STACK_OF(X509_NAME) *ret = NULL,*sk;
678
679 sk=sk_X509_NAME_new(xname_cmp);
680
681 in=BIO_new(BIO_s_file_internal());
682
683 if ((sk == NULL) || (in == NULL))
684 {
685 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
686 goto err;
687 }
688
689 if (!BIO_read_filename(in,file))
690 goto err;
691
692 for (;;)
693 {
694 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
695 break;
696 if (ret == NULL)
697 {
698 ret = sk_X509_NAME_new_null();
699 if (ret == NULL)
700 {
701 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
702 goto err;
703 }
704 }
705 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
706 /* check for duplicates */
707 xn=X509_NAME_dup(xn);
708 if (xn == NULL) goto err;
709 if (sk_X509_NAME_find(sk,xn) >= 0)
710 X509_NAME_free(xn);
711 else
712 {
713 sk_X509_NAME_push(sk,xn);
714 sk_X509_NAME_push(ret,xn);
715 }
716 }
717
718 if (0)
719 {
720err:
721 if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
722 ret=NULL;
723 }
724 if (sk != NULL) sk_X509_NAME_free(sk);
725 if (in != NULL) BIO_free(in);
726 if (x != NULL) X509_free(x);
727 if (ret != NULL)
728 ERR_clear_error();
729 return(ret);
730 }
731#endif
732
733/*!
734 * Add a file of certs to a stack.
735 * \param stack the stack to add to.
736 * \param file the file to add from. All certs in this file that are not
737 * already in the stack will be added.
738 * \return 1 for success, 0 for failure. Note that in the case of failure some
739 * certs may have been added to \c stack.
740 */
741
742int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
743 const char *file)
744 {
745 BIO *in;
746 X509 *x=NULL;
747 X509_NAME *xn=NULL;
748 int ret=1;
749 int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
750
751 oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
752
753 in=BIO_new(BIO_s_file_internal());
754
755 if (in == NULL)
756 {
757 SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
758 goto err;
759 }
760
761 if (!BIO_read_filename(in,file))
762 goto err;
763
764 for (;;)
765 {
766 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
767 break;
768 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
769 xn=X509_NAME_dup(xn);
770 if (xn == NULL) goto err;
771 if (sk_X509_NAME_find(stack,xn) >= 0)
772 X509_NAME_free(xn);
773 else
774 sk_X509_NAME_push(stack,xn);
775 }
776
777 ERR_clear_error();
778
779 if (0)
780 {
781err:
782 ret=0;
783 }
784 if(in != NULL)
785 BIO_free(in);
786 if(x != NULL)
787 X509_free(x);
788
789 (void)sk_X509_NAME_set_cmp_func(stack,oldcmp);
790
791 return ret;
792 }
793
794/*!
795 * Add a directory of certs to a stack.
796 * \param stack the stack to append to.
797 * \param dir the directory to append from. All files in this directory will be
798 * examined as potential certs. Any that are acceptable to
799 * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
800 * included.
801 * \return 1 for success, 0 for failure. Note that in the case of failure some
802 * certs may have been added to \c stack.
803 */
804
805int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
806 const char *dir)
807 {
808 OPENSSL_DIR_CTX *d = NULL;
809 const char *filename;
810 int ret = 0;
811
812 CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
813
814 /* Note that a side effect is that the CAs will be sorted by name */
815
816 while((filename = OPENSSL_DIR_read(&d, dir)))
817 {
818 char buf[1024];
819 int r;
820
821 if(strlen(dir)+strlen(filename)+2 > sizeof buf)
822 {
823 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
824 goto err;
825 }
826
827#ifdef OPENSSL_SYS_VMS
828 r = BIO_snprintf(buf,sizeof buf,"%s%s",dir,filename);
829#else
830 r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename);
831#endif
832 if (r <= 0 || r >= (int)sizeof(buf))
833 goto err;
834 if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
835 goto err;
836 }
837
838 if (errno)
839 {
840 SYSerr(SYS_F_OPENDIR, get_last_sys_error());
841 ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
842 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
843 goto err;
844 }
845
846 ret = 1;
847
848err:
849 if (d) OPENSSL_DIR_end(&d);
850 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
851 return ret;
852 }
853
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
deleted file mode 100644
index 0aba8e048c..0000000000
--- a/src/lib/libssl/ssl_ciph.c
+++ /dev/null
@@ -1,1853 +0,0 @@
1/* ssl/ssl_ciph.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#include <stdio.h>
144#include <openssl/objects.h>
145#ifndef OPENSSL_NO_COMP
146#include <openssl/comp.h>
147#endif
148#ifndef OPENSSL_NO_ENGINE
149#include <openssl/engine.h>
150#endif
151#include "ssl_locl.h"
152
153#define SSL_ENC_DES_IDX 0
154#define SSL_ENC_3DES_IDX 1
155#define SSL_ENC_RC4_IDX 2
156#define SSL_ENC_RC2_IDX 3
157#define SSL_ENC_IDEA_IDX 4
158#define SSL_ENC_NULL_IDX 5
159#define SSL_ENC_AES128_IDX 6
160#define SSL_ENC_AES256_IDX 7
161#define SSL_ENC_CAMELLIA128_IDX 8
162#define SSL_ENC_CAMELLIA256_IDX 9
163#define SSL_ENC_GOST89_IDX 10
164#define SSL_ENC_SEED_IDX 11
165#define SSL_ENC_AES128GCM_IDX 12
166#define SSL_ENC_AES256GCM_IDX 13
167#define SSL_ENC_NUM_IDX 14
168
169
170static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
171 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
172 };
173
174#define SSL_COMP_NULL_IDX 0
175#define SSL_COMP_ZLIB_IDX 1
176#define SSL_COMP_NUM_IDX 2
177
178static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
179
180#define SSL_MD_MD5_IDX 0
181#define SSL_MD_SHA1_IDX 1
182#define SSL_MD_GOST94_IDX 2
183#define SSL_MD_GOST89MAC_IDX 3
184#define SSL_MD_SHA256_IDX 4
185#define SSL_MD_SHA384_IDX 5
186/*Constant SSL_MAX_DIGEST equal to size of digests array should be
187 * defined in the
188 * ssl_locl.h */
189#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
190static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
191 NULL,NULL,NULL,NULL,NULL,NULL
192 };
193/* PKEY_TYPE for GOST89MAC is known in advance, but, because
194 * implementation is engine-provided, we'll fill it only if
195 * corresponding EVP_PKEY_METHOD is found
196 */
197static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={
198 EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef,
199 EVP_PKEY_HMAC,EVP_PKEY_HMAC
200 };
201
202static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={
203 0,0,0,0,0,0
204 };
205
206static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
207 SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
208 SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
209 SSL_HANDSHAKE_MAC_SHA384
210 };
211
212#define CIPHER_ADD 1
213#define CIPHER_KILL 2
214#define CIPHER_DEL 3
215#define CIPHER_ORD 4
216#define CIPHER_SPECIAL 5
217
218typedef struct cipher_order_st
219 {
220 const SSL_CIPHER *cipher;
221 int active;
222 int dead;
223 struct cipher_order_st *next,*prev;
224 } CIPHER_ORDER;
225
226static const SSL_CIPHER cipher_aliases[]={
227 /* "ALL" doesn't include eNULL (must be specifically enabled) */
228 {0,SSL_TXT_ALL,0, 0,0,~SSL_eNULL,0,0,0,0,0,0},
229 /* "COMPLEMENTOFALL" */
230 {0,SSL_TXT_CMPALL,0, 0,0,SSL_eNULL,0,0,0,0,0,0},
231
232 /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */
233 {0,SSL_TXT_CMPDEF,0, SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0},
234
235 /* key exchange aliases
236 * (some of those using only a single bit here combine
237 * multiple key exchange algs according to the RFCs,
238 * e.g. kEDH combines DHE_DSS and DHE_RSA) */
239 {0,SSL_TXT_kRSA,0, SSL_kRSA, 0,0,0,0,0,0,0,0},
240
241 {0,SSL_TXT_kDHr,0, SSL_kDHr, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
242 {0,SSL_TXT_kDHd,0, SSL_kDHd, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
243 {0,SSL_TXT_kDH,0, SSL_kDHr|SSL_kDHd,0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
244 {0,SSL_TXT_kEDH,0, SSL_kEDH, 0,0,0,0,0,0,0,0},
245 {0,SSL_TXT_DH,0, SSL_kDHr|SSL_kDHd|SSL_kEDH,0,0,0,0,0,0,0,0},
246
247 {0,SSL_TXT_kKRB5,0, SSL_kKRB5, 0,0,0,0,0,0,0,0},
248
249 {0,SSL_TXT_kECDHr,0, SSL_kECDHr,0,0,0,0,0,0,0,0},
250 {0,SSL_TXT_kECDHe,0, SSL_kECDHe,0,0,0,0,0,0,0,0},
251 {0,SSL_TXT_kECDH,0, SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0},
252 {0,SSL_TXT_kEECDH,0, SSL_kEECDH,0,0,0,0,0,0,0,0},
253 {0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
254
255 {0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0},
256 {0,SSL_TXT_kSRP,0, SSL_kSRP, 0,0,0,0,0,0,0,0},
257 {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0},
258
259 /* server authentication aliases */
260 {0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0},
261 {0,SSL_TXT_aDSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
262 {0,SSL_TXT_DSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
263 {0,SSL_TXT_aKRB5,0, 0,SSL_aKRB5, 0,0,0,0,0,0,0},
264 {0,SSL_TXT_aNULL,0, 0,SSL_aNULL, 0,0,0,0,0,0,0},
265 {0,SSL_TXT_aDH,0, 0,SSL_aDH, 0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
266 {0,SSL_TXT_aECDH,0, 0,SSL_aECDH, 0,0,0,0,0,0,0},
267 {0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0},
268 {0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0},
269 {0,SSL_TXT_aPSK,0, 0,SSL_aPSK, 0,0,0,0,0,0,0},
270 {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0},
271 {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0},
272 {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0},
273
274 /* aliases combining key exchange and server authentication */
275 {0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
276 {0,SSL_TXT_EECDH,0, SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0},
277 {0,SSL_TXT_NULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0},
278 {0,SSL_TXT_KRB5,0, SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0},
279 {0,SSL_TXT_RSA,0, SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0},
280 {0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},
281 {0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},
282 {0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0},
283 {0,SSL_TXT_SRP,0, SSL_kSRP,0,0,0,0,0,0,0,0},
284
285
286 /* symmetric encryption aliases */
287 {0,SSL_TXT_DES,0, 0,0,SSL_DES, 0,0,0,0,0,0},
288 {0,SSL_TXT_3DES,0, 0,0,SSL_3DES, 0,0,0,0,0,0},
289 {0,SSL_TXT_RC4,0, 0,0,SSL_RC4, 0,0,0,0,0,0},
290 {0,SSL_TXT_RC2,0, 0,0,SSL_RC2, 0,0,0,0,0,0},
291 {0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0},
292 {0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0},
293 {0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0},
294 {0,SSL_TXT_AES128,0, 0,0,SSL_AES128|SSL_AES128GCM,0,0,0,0,0,0},
295 {0,SSL_TXT_AES256,0, 0,0,SSL_AES256|SSL_AES256GCM,0,0,0,0,0,0},
296 {0,SSL_TXT_AES,0, 0,0,SSL_AES,0,0,0,0,0,0},
297 {0,SSL_TXT_AES_GCM,0, 0,0,SSL_AES128GCM|SSL_AES256GCM,0,0,0,0,0,0},
298 {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0},
299 {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0},
300 {0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0},
301
302 /* MAC aliases */
303 {0,SSL_TXT_MD5,0, 0,0,0,SSL_MD5, 0,0,0,0,0},
304 {0,SSL_TXT_SHA1,0, 0,0,0,SSL_SHA1, 0,0,0,0,0},
305 {0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0},
306 {0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0},
307 {0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0},
308 {0,SSL_TXT_SHA256,0, 0,0,0,SSL_SHA256, 0,0,0,0,0},
309 {0,SSL_TXT_SHA384,0, 0,0,0,SSL_SHA384, 0,0,0,0,0},
310
311 /* protocol version aliases */
312 {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0},
313 {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0},
314 {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0},
315 {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0},
316
317 /* export flag */
318 {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0},
319 {0,SSL_TXT_EXPORT,0, 0,0,0,0,0,SSL_EXPORT,0,0,0},
320
321 /* strength classes */
322 {0,SSL_TXT_EXP40,0, 0,0,0,0,0,SSL_EXP40, 0,0,0},
323 {0,SSL_TXT_EXP56,0, 0,0,0,0,0,SSL_EXP56, 0,0,0},
324 {0,SSL_TXT_LOW,0, 0,0,0,0,0,SSL_LOW, 0,0,0},
325 {0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0},
326 {0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0},
327 /* FIPS 140-2 approved ciphersuite */
328 {0,SSL_TXT_FIPS,0, 0,0,~SSL_eNULL,0,0,SSL_FIPS, 0,0,0},
329 };
330/* Search for public key algorithm with given name and
331 * return its pkey_id if it is available. Otherwise return 0
332 */
333#ifdef OPENSSL_NO_ENGINE
334
335static int get_optional_pkey_id(const char *pkey_name)
336 {
337 const EVP_PKEY_ASN1_METHOD *ameth;
338 int pkey_id=0;
339 ameth = EVP_PKEY_asn1_find_str(NULL,pkey_name,-1);
340 if (ameth)
341 {
342 EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth);
343 }
344 return pkey_id;
345 }
346
347#else
348
349static int get_optional_pkey_id(const char *pkey_name)
350 {
351 const EVP_PKEY_ASN1_METHOD *ameth;
352 ENGINE *tmpeng = NULL;
353 int pkey_id=0;
354 ameth = EVP_PKEY_asn1_find_str(&tmpeng,pkey_name,-1);
355 if (ameth)
356 {
357 EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth);
358 }
359 if (tmpeng) ENGINE_finish(tmpeng);
360 return pkey_id;
361 }
362
363#endif
364
365void ssl_load_ciphers(void)
366 {
367 ssl_cipher_methods[SSL_ENC_DES_IDX]=
368 EVP_get_cipherbyname(SN_des_cbc);
369 ssl_cipher_methods[SSL_ENC_3DES_IDX]=
370 EVP_get_cipherbyname(SN_des_ede3_cbc);
371 ssl_cipher_methods[SSL_ENC_RC4_IDX]=
372 EVP_get_cipherbyname(SN_rc4);
373 ssl_cipher_methods[SSL_ENC_RC2_IDX]=
374 EVP_get_cipherbyname(SN_rc2_cbc);
375#ifndef OPENSSL_NO_IDEA
376 ssl_cipher_methods[SSL_ENC_IDEA_IDX]=
377 EVP_get_cipherbyname(SN_idea_cbc);
378#else
379 ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL;
380#endif
381 ssl_cipher_methods[SSL_ENC_AES128_IDX]=
382 EVP_get_cipherbyname(SN_aes_128_cbc);
383 ssl_cipher_methods[SSL_ENC_AES256_IDX]=
384 EVP_get_cipherbyname(SN_aes_256_cbc);
385 ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]=
386 EVP_get_cipherbyname(SN_camellia_128_cbc);
387 ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]=
388 EVP_get_cipherbyname(SN_camellia_256_cbc);
389 ssl_cipher_methods[SSL_ENC_GOST89_IDX]=
390 EVP_get_cipherbyname(SN_gost89_cnt);
391 ssl_cipher_methods[SSL_ENC_SEED_IDX]=
392 EVP_get_cipherbyname(SN_seed_cbc);
393
394 ssl_cipher_methods[SSL_ENC_AES128GCM_IDX]=
395 EVP_get_cipherbyname(SN_aes_128_gcm);
396 ssl_cipher_methods[SSL_ENC_AES256GCM_IDX]=
397 EVP_get_cipherbyname(SN_aes_256_gcm);
398
399 ssl_digest_methods[SSL_MD_MD5_IDX]=
400 EVP_get_digestbyname(SN_md5);
401 ssl_mac_secret_size[SSL_MD_MD5_IDX]=
402 EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
403 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0);
404 ssl_digest_methods[SSL_MD_SHA1_IDX]=
405 EVP_get_digestbyname(SN_sha1);
406 ssl_mac_secret_size[SSL_MD_SHA1_IDX]=
407 EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
408 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0);
409 ssl_digest_methods[SSL_MD_GOST94_IDX]=
410 EVP_get_digestbyname(SN_id_GostR3411_94);
411 if (ssl_digest_methods[SSL_MD_GOST94_IDX])
412 {
413 ssl_mac_secret_size[SSL_MD_GOST94_IDX]=
414 EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
415 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0);
416 }
417 ssl_digest_methods[SSL_MD_GOST89MAC_IDX]=
418 EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
419 ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");
420 if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
421 ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32;
422 }
423
424 ssl_digest_methods[SSL_MD_SHA256_IDX]=
425 EVP_get_digestbyname(SN_sha256);
426 ssl_mac_secret_size[SSL_MD_SHA256_IDX]=
427 EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
428 ssl_digest_methods[SSL_MD_SHA384_IDX]=
429 EVP_get_digestbyname(SN_sha384);
430 ssl_mac_secret_size[SSL_MD_SHA384_IDX]=
431 EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
432 }
433#ifndef OPENSSL_NO_COMP
434
435static int sk_comp_cmp(const SSL_COMP * const *a,
436 const SSL_COMP * const *b)
437 {
438 return((*a)->id-(*b)->id);
439 }
440
441static void load_builtin_compressions(void)
442 {
443 int got_write_lock = 0;
444
445 CRYPTO_r_lock(CRYPTO_LOCK_SSL);
446 if (ssl_comp_methods == NULL)
447 {
448 CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
449 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
450 got_write_lock = 1;
451
452 if (ssl_comp_methods == NULL)
453 {
454 SSL_COMP *comp = NULL;
455
456 MemCheck_off();
457 ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
458 if (ssl_comp_methods != NULL)
459 {
460 comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
461 if (comp != NULL)
462 {
463 comp->method=COMP_zlib();
464 if (comp->method
465 && comp->method->type == NID_undef)
466 OPENSSL_free(comp);
467 else
468 {
469 comp->id=SSL_COMP_ZLIB_IDX;
470 comp->name=comp->method->name;
471 sk_SSL_COMP_push(ssl_comp_methods,comp);
472 }
473 }
474 sk_SSL_COMP_sort(ssl_comp_methods);
475 }
476 MemCheck_on();
477 }
478 }
479
480 if (got_write_lock)
481 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
482 else
483 CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
484 }
485#endif
486
487int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
488 const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp)
489 {
490 int i;
491 const SSL_CIPHER *c;
492
493 c=s->cipher;
494 if (c == NULL) return(0);
495 if (comp != NULL)
496 {
497 SSL_COMP ctmp;
498#ifndef OPENSSL_NO_COMP
499 load_builtin_compressions();
500#endif
501
502 *comp=NULL;
503 ctmp.id=s->compress_meth;
504 if (ssl_comp_methods != NULL)
505 {
506 i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
507 if (i >= 0)
508 *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
509 else
510 *comp=NULL;
511 }
512 }
513
514 if ((enc == NULL) || (md == NULL)) return(0);
515
516 switch (c->algorithm_enc)
517 {
518 case SSL_DES:
519 i=SSL_ENC_DES_IDX;
520 break;
521 case SSL_3DES:
522 i=SSL_ENC_3DES_IDX;
523 break;
524 case SSL_RC4:
525 i=SSL_ENC_RC4_IDX;
526 break;
527 case SSL_RC2:
528 i=SSL_ENC_RC2_IDX;
529 break;
530 case SSL_IDEA:
531 i=SSL_ENC_IDEA_IDX;
532 break;
533 case SSL_eNULL:
534 i=SSL_ENC_NULL_IDX;
535 break;
536 case SSL_AES128:
537 i=SSL_ENC_AES128_IDX;
538 break;
539 case SSL_AES256:
540 i=SSL_ENC_AES256_IDX;
541 break;
542 case SSL_CAMELLIA128:
543 i=SSL_ENC_CAMELLIA128_IDX;
544 break;
545 case SSL_CAMELLIA256:
546 i=SSL_ENC_CAMELLIA256_IDX;
547 break;
548 case SSL_eGOST2814789CNT:
549 i=SSL_ENC_GOST89_IDX;
550 break;
551 case SSL_SEED:
552 i=SSL_ENC_SEED_IDX;
553 break;
554 case SSL_AES128GCM:
555 i=SSL_ENC_AES128GCM_IDX;
556 break;
557 case SSL_AES256GCM:
558 i=SSL_ENC_AES256GCM_IDX;
559 break;
560 default:
561 i= -1;
562 break;
563 }
564
565 if ((i < 0) || (i > SSL_ENC_NUM_IDX))
566 *enc=NULL;
567 else
568 {
569 if (i == SSL_ENC_NULL_IDX)
570 *enc=EVP_enc_null();
571 else
572 *enc=ssl_cipher_methods[i];
573 }
574
575 switch (c->algorithm_mac)
576 {
577 case SSL_MD5:
578 i=SSL_MD_MD5_IDX;
579 break;
580 case SSL_SHA1:
581 i=SSL_MD_SHA1_IDX;
582 break;
583 case SSL_SHA256:
584 i=SSL_MD_SHA256_IDX;
585 break;
586 case SSL_SHA384:
587 i=SSL_MD_SHA384_IDX;
588 break;
589 case SSL_GOST94:
590 i = SSL_MD_GOST94_IDX;
591 break;
592 case SSL_GOST89MAC:
593 i = SSL_MD_GOST89MAC_IDX;
594 break;
595 default:
596 i= -1;
597 break;
598 }
599 if ((i < 0) || (i > SSL_MD_NUM_IDX))
600 {
601 *md=NULL;
602 if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
603 if (mac_secret_size!=NULL) *mac_secret_size = 0;
604 if (c->algorithm_mac == SSL_AEAD)
605 mac_pkey_type = NULL;
606 }
607 else
608 {
609 *md=ssl_digest_methods[i];
610 if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i];
611 if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i];
612 }
613
614 if ((*enc != NULL) &&
615 (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) &&
616 (!mac_pkey_type||*mac_pkey_type != NID_undef))
617 {
618 const EVP_CIPHER *evp;
619
620 if (s->ssl_version>>8 != TLS1_VERSION_MAJOR ||
621 s->ssl_version < TLS1_VERSION)
622 return 1;
623
624#ifdef OPENSSL_FIPS
625 if (FIPS_mode())
626 return 1;
627#endif
628
629 if (c->algorithm_enc == SSL_RC4 &&
630 c->algorithm_mac == SSL_MD5 &&
631 (evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
632 *enc = evp, *md = NULL;
633 else if (c->algorithm_enc == SSL_AES128 &&
634 c->algorithm_mac == SSL_SHA1 &&
635 (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
636 *enc = evp, *md = NULL;
637 else if (c->algorithm_enc == SSL_AES256 &&
638 c->algorithm_mac == SSL_SHA1 &&
639 (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
640 *enc = evp, *md = NULL;
641 return(1);
642 }
643 else
644 return(0);
645 }
646
647int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md)
648{
649 if (idx <0||idx>=SSL_MD_NUM_IDX)
650 {
651 return 0;
652 }
653 *mask = ssl_handshake_digest_flag[idx];
654 if (*mask)
655 *md = ssl_digest_methods[idx];
656 else
657 *md = NULL;
658 return 1;
659}
660
661#define ITEM_SEP(a) \
662 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
663
664static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
665 CIPHER_ORDER **tail)
666 {
667 if (curr == *tail) return;
668 if (curr == *head)
669 *head=curr->next;
670 if (curr->prev != NULL)
671 curr->prev->next=curr->next;
672 if (curr->next != NULL)
673 curr->next->prev=curr->prev;
674 (*tail)->next=curr;
675 curr->prev= *tail;
676 curr->next=NULL;
677 *tail=curr;
678 }
679
680static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
681 CIPHER_ORDER **tail)
682 {
683 if (curr == *head) return;
684 if (curr == *tail)
685 *tail=curr->prev;
686 if (curr->next != NULL)
687 curr->next->prev=curr->prev;
688 if (curr->prev != NULL)
689 curr->prev->next=curr->next;
690 (*head)->prev=curr;
691 curr->next= *head;
692 curr->prev=NULL;
693 *head=curr;
694 }
695
696static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl)
697 {
698 *mkey = 0;
699 *auth = 0;
700 *enc = 0;
701 *mac = 0;
702 *ssl = 0;
703
704#ifdef OPENSSL_NO_RSA
705 *mkey |= SSL_kRSA;
706 *auth |= SSL_aRSA;
707#endif
708#ifdef OPENSSL_NO_DSA
709 *auth |= SSL_aDSS;
710#endif
711 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
712 *auth |= SSL_aDH;
713#ifdef OPENSSL_NO_DH
714 *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH;
715 *auth |= SSL_aDH;
716#endif
717#ifdef OPENSSL_NO_KRB5
718 *mkey |= SSL_kKRB5;
719 *auth |= SSL_aKRB5;
720#endif
721#ifdef OPENSSL_NO_ECDSA
722 *auth |= SSL_aECDSA;
723#endif
724#ifdef OPENSSL_NO_ECDH
725 *mkey |= SSL_kECDHe|SSL_kECDHr;
726 *auth |= SSL_aECDH;
727#endif
728#ifdef OPENSSL_NO_PSK
729 *mkey |= SSL_kPSK;
730 *auth |= SSL_aPSK;
731#endif
732#ifdef OPENSSL_NO_SRP
733 *mkey |= SSL_kSRP;
734#endif
735 /* Check for presence of GOST 34.10 algorithms, and if they
736 * do not present, disable appropriate auth and key exchange */
737 if (!get_optional_pkey_id("gost94")) {
738 *auth |= SSL_aGOST94;
739 }
740 if (!get_optional_pkey_id("gost2001")) {
741 *auth |= SSL_aGOST01;
742 }
743 /* Disable GOST key exchange if no GOST signature algs are available * */
744 if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) {
745 *mkey |= SSL_kGOST;
746 }
747#ifdef SSL_FORBID_ENULL
748 *enc |= SSL_eNULL;
749#endif
750
751
752
753 *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
754 *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
755 *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
756 *enc |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
757 *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
758 *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0;
759 *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0;
760 *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM:0;
761 *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM:0;
762 *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0;
763 *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0;
764 *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0;
765 *enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED:0;
766
767 *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
768 *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
769 *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256:0;
770 *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384:0;
771 *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0;
772 *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0;
773
774 }
775
776static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
777 int num_of_ciphers,
778 unsigned long disabled_mkey, unsigned long disabled_auth,
779 unsigned long disabled_enc, unsigned long disabled_mac,
780 unsigned long disabled_ssl,
781 CIPHER_ORDER *co_list,
782 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
783 {
784 int i, co_list_num;
785 const SSL_CIPHER *c;
786
787 /*
788 * We have num_of_ciphers descriptions compiled in, depending on the
789 * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
790 * These will later be sorted in a linked list with at most num
791 * entries.
792 */
793
794 /* Get the initial list of ciphers */
795 co_list_num = 0; /* actual count of ciphers */
796 for (i = 0; i < num_of_ciphers; i++)
797 {
798 c = ssl_method->get_cipher(i);
799 /* drop those that use any of that is not available */
800 if ((c != NULL) && c->valid &&
801#ifdef OPENSSL_FIPS
802 (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
803#endif
804 !(c->algorithm_mkey & disabled_mkey) &&
805 !(c->algorithm_auth & disabled_auth) &&
806 !(c->algorithm_enc & disabled_enc) &&
807 !(c->algorithm_mac & disabled_mac) &&
808 !(c->algorithm_ssl & disabled_ssl))
809 {
810 co_list[co_list_num].cipher = c;
811 co_list[co_list_num].next = NULL;
812 co_list[co_list_num].prev = NULL;
813 co_list[co_list_num].active = 0;
814 co_list_num++;
815#ifdef KSSL_DEBUG
816 printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
817#endif /* KSSL_DEBUG */
818 /*
819 if (!sk_push(ca_list,(char *)c)) goto err;
820 */
821 }
822 }
823
824 /*
825 * Prepare linked list from list entries
826 */
827 if (co_list_num > 0)
828 {
829 co_list[0].prev = NULL;
830
831 if (co_list_num > 1)
832 {
833 co_list[0].next = &co_list[1];
834
835 for (i = 1; i < co_list_num - 1; i++)
836 {
837 co_list[i].prev = &co_list[i - 1];
838 co_list[i].next = &co_list[i + 1];
839 }
840
841 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
842 }
843
844 co_list[co_list_num - 1].next = NULL;
845
846 *head_p = &co_list[0];
847 *tail_p = &co_list[co_list_num - 1];
848 }
849 }
850
851static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
852 int num_of_group_aliases,
853 unsigned long disabled_mkey, unsigned long disabled_auth,
854 unsigned long disabled_enc, unsigned long disabled_mac,
855 unsigned long disabled_ssl,
856 CIPHER_ORDER *head)
857 {
858 CIPHER_ORDER *ciph_curr;
859 const SSL_CIPHER **ca_curr;
860 int i;
861 unsigned long mask_mkey = ~disabled_mkey;
862 unsigned long mask_auth = ~disabled_auth;
863 unsigned long mask_enc = ~disabled_enc;
864 unsigned long mask_mac = ~disabled_mac;
865 unsigned long mask_ssl = ~disabled_ssl;
866
867 /*
868 * First, add the real ciphers as already collected
869 */
870 ciph_curr = head;
871 ca_curr = ca_list;
872 while (ciph_curr != NULL)
873 {
874 *ca_curr = ciph_curr->cipher;
875 ca_curr++;
876 ciph_curr = ciph_curr->next;
877 }
878
879 /*
880 * Now we add the available ones from the cipher_aliases[] table.
881 * They represent either one or more algorithms, some of which
882 * in any affected category must be supported (set in enabled_mask),
883 * or represent a cipher strength value (will be added in any case because algorithms=0).
884 */
885 for (i = 0; i < num_of_group_aliases; i++)
886 {
887 unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey;
888 unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth;
889 unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc;
890 unsigned long algorithm_mac = cipher_aliases[i].algorithm_mac;
891 unsigned long algorithm_ssl = cipher_aliases[i].algorithm_ssl;
892
893 if (algorithm_mkey)
894 if ((algorithm_mkey & mask_mkey) == 0)
895 continue;
896
897 if (algorithm_auth)
898 if ((algorithm_auth & mask_auth) == 0)
899 continue;
900
901 if (algorithm_enc)
902 if ((algorithm_enc & mask_enc) == 0)
903 continue;
904
905 if (algorithm_mac)
906 if ((algorithm_mac & mask_mac) == 0)
907 continue;
908
909 if (algorithm_ssl)
910 if ((algorithm_ssl & mask_ssl) == 0)
911 continue;
912
913 *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
914 ca_curr++;
915 }
916
917 *ca_curr = NULL; /* end of list */
918 }
919
920static void ssl_cipher_apply_rule(unsigned long cipher_id,
921 unsigned long alg_mkey, unsigned long alg_auth,
922 unsigned long alg_enc, unsigned long alg_mac,
923 unsigned long alg_ssl,
924 unsigned long algo_strength,
925 int rule, int strength_bits,
926 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
927 {
928 CIPHER_ORDER *head, *tail, *curr, *curr2, *last;
929 const SSL_CIPHER *cp;
930 int reverse = 0;
931
932#ifdef CIPHER_DEBUG
933 printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
934 rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits);
935#endif
936
937 if (rule == CIPHER_DEL)
938 reverse = 1; /* needed to maintain sorting between currently deleted ciphers */
939
940 head = *head_p;
941 tail = *tail_p;
942
943 if (reverse)
944 {
945 curr = tail;
946 last = head;
947 }
948 else
949 {
950 curr = head;
951 last = tail;
952 }
953
954 curr2 = curr;
955 for (;;)
956 {
957 if ((curr == NULL) || (curr == last)) break;
958 curr = curr2;
959 curr2 = reverse ? curr->prev : curr->next;
960
961 cp = curr->cipher;
962
963 /*
964 * Selection criteria is either the value of strength_bits
965 * or the algorithms used.
966 */
967 if (strength_bits >= 0)
968 {
969 if (strength_bits != cp->strength_bits)
970 continue;
971 }
972 else
973 {
974#ifdef CIPHER_DEBUG
975 printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
976#endif
977
978 if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
979 continue;
980 if (alg_auth && !(alg_auth & cp->algorithm_auth))
981 continue;
982 if (alg_enc && !(alg_enc & cp->algorithm_enc))
983 continue;
984 if (alg_mac && !(alg_mac & cp->algorithm_mac))
985 continue;
986 if (alg_ssl && !(alg_ssl & cp->algorithm_ssl))
987 continue;
988 if ((algo_strength & SSL_EXP_MASK) && !(algo_strength & SSL_EXP_MASK & cp->algo_strength))
989 continue;
990 if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
991 continue;
992 }
993
994#ifdef CIPHER_DEBUG
995 printf("Action = %d\n", rule);
996#endif
997
998 /* add the cipher if it has not been added yet. */
999 if (rule == CIPHER_ADD)
1000 {
1001 /* reverse == 0 */
1002 if (!curr->active)
1003 {
1004 ll_append_tail(&head, curr, &tail);
1005 curr->active = 1;
1006 }
1007 }
1008 /* Move the added cipher to this location */
1009 else if (rule == CIPHER_ORD)
1010 {
1011 /* reverse == 0 */
1012 if (curr->active)
1013 {
1014 ll_append_tail(&head, curr, &tail);
1015 }
1016 }
1017 else if (rule == CIPHER_DEL)
1018 {
1019 /* reverse == 1 */
1020 if (curr->active)
1021 {
1022 /* most recently deleted ciphersuites get best positions
1023 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
1024 * works in reverse to maintain the order) */
1025 ll_append_head(&head, curr, &tail);
1026 curr->active = 0;
1027 }
1028 }
1029 else if (rule == CIPHER_KILL)
1030 {
1031 /* reverse == 0 */
1032 if (head == curr)
1033 head = curr->next;
1034 else
1035 curr->prev->next = curr->next;
1036 if (tail == curr)
1037 tail = curr->prev;
1038 curr->active = 0;
1039 if (curr->next != NULL)
1040 curr->next->prev = curr->prev;
1041 if (curr->prev != NULL)
1042 curr->prev->next = curr->next;
1043 curr->next = NULL;
1044 curr->prev = NULL;
1045 }
1046 }
1047
1048 *head_p = head;
1049 *tail_p = tail;
1050 }
1051
1052static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
1053 CIPHER_ORDER **tail_p)
1054 {
1055 int max_strength_bits, i, *number_uses;
1056 CIPHER_ORDER *curr;
1057
1058 /*
1059 * This routine sorts the ciphers with descending strength. The sorting
1060 * must keep the pre-sorted sequence, so we apply the normal sorting
1061 * routine as '+' movement to the end of the list.
1062 */
1063 max_strength_bits = 0;
1064 curr = *head_p;
1065 while (curr != NULL)
1066 {
1067 if (curr->active &&
1068 (curr->cipher->strength_bits > max_strength_bits))
1069 max_strength_bits = curr->cipher->strength_bits;
1070 curr = curr->next;
1071 }
1072
1073 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
1074 if (!number_uses)
1075 {
1076 SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE);
1077 return(0);
1078 }
1079 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
1080
1081 /*
1082 * Now find the strength_bits values actually used
1083 */
1084 curr = *head_p;
1085 while (curr != NULL)
1086 {
1087 if (curr->active)
1088 number_uses[curr->cipher->strength_bits]++;
1089 curr = curr->next;
1090 }
1091 /*
1092 * Go through the list of used strength_bits values in descending
1093 * order.
1094 */
1095 for (i = max_strength_bits; i >= 0; i--)
1096 if (number_uses[i] > 0)
1097 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p);
1098
1099 OPENSSL_free(number_uses);
1100 return(1);
1101 }
1102
1103static int ssl_cipher_process_rulestr(const char *rule_str,
1104 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
1105 const SSL_CIPHER **ca_list)
1106 {
1107 unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
1108 const char *l, *buf;
1109 int j, multi, found, rule, retval, ok, buflen;
1110 unsigned long cipher_id = 0;
1111 char ch;
1112
1113 retval = 1;
1114 l = rule_str;
1115 for (;;)
1116 {
1117 ch = *l;
1118
1119 if (ch == '\0')
1120 break; /* done */
1121 if (ch == '-')
1122 { rule = CIPHER_DEL; l++; }
1123 else if (ch == '+')
1124 { rule = CIPHER_ORD; l++; }
1125 else if (ch == '!')
1126 { rule = CIPHER_KILL; l++; }
1127 else if (ch == '@')
1128 { rule = CIPHER_SPECIAL; l++; }
1129 else
1130 { rule = CIPHER_ADD; }
1131
1132 if (ITEM_SEP(ch))
1133 {
1134 l++;
1135 continue;
1136 }
1137
1138 alg_mkey = 0;
1139 alg_auth = 0;
1140 alg_enc = 0;
1141 alg_mac = 0;
1142 alg_ssl = 0;
1143 algo_strength = 0;
1144
1145 for (;;)
1146 {
1147 ch = *l;
1148 buf = l;
1149 buflen = 0;
1150#ifndef CHARSET_EBCDIC
1151 while ( ((ch >= 'A') && (ch <= 'Z')) ||
1152 ((ch >= '0') && (ch <= '9')) ||
1153 ((ch >= 'a') && (ch <= 'z')) ||
1154 (ch == '-') || (ch == '.'))
1155#else
1156 while ( isalnum(ch) || (ch == '-') || (ch == '.'))
1157#endif
1158 {
1159 ch = *(++l);
1160 buflen++;
1161 }
1162
1163 if (buflen == 0)
1164 {
1165 /*
1166 * We hit something we cannot deal with,
1167 * it is no command or separator nor
1168 * alphanumeric, so we call this an error.
1169 */
1170 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
1171 SSL_R_INVALID_COMMAND);
1172 retval = found = 0;
1173 l++;
1174 break;
1175 }
1176
1177 if (rule == CIPHER_SPECIAL)
1178 {
1179 found = 0; /* unused -- avoid compiler warning */
1180 break; /* special treatment */
1181 }
1182
1183 /* check for multi-part specification */
1184 if (ch == '+')
1185 {
1186 multi=1;
1187 l++;
1188 }
1189 else
1190 multi=0;
1191
1192 /*
1193 * Now search for the cipher alias in the ca_list. Be careful
1194 * with the strncmp, because the "buflen" limitation
1195 * will make the rule "ADH:SOME" and the cipher
1196 * "ADH-MY-CIPHER" look like a match for buflen=3.
1197 * So additionally check whether the cipher name found
1198 * has the correct length. We can save a strlen() call:
1199 * just checking for the '\0' at the right place is
1200 * sufficient, we have to strncmp() anyway. (We cannot
1201 * use strcmp(), because buf is not '\0' terminated.)
1202 */
1203 j = found = 0;
1204 cipher_id = 0;
1205 while (ca_list[j])
1206 {
1207 if (!strncmp(buf, ca_list[j]->name, buflen) &&
1208 (ca_list[j]->name[buflen] == '\0'))
1209 {
1210 found = 1;
1211 break;
1212 }
1213 else
1214 j++;
1215 }
1216
1217 if (!found)
1218 break; /* ignore this entry */
1219
1220 if (ca_list[j]->algorithm_mkey)
1221 {
1222 if (alg_mkey)
1223 {
1224 alg_mkey &= ca_list[j]->algorithm_mkey;
1225 if (!alg_mkey) { found = 0; break; }
1226 }
1227 else
1228 alg_mkey = ca_list[j]->algorithm_mkey;
1229 }
1230
1231 if (ca_list[j]->algorithm_auth)
1232 {
1233 if (alg_auth)
1234 {
1235 alg_auth &= ca_list[j]->algorithm_auth;
1236 if (!alg_auth) { found = 0; break; }
1237 }
1238 else
1239 alg_auth = ca_list[j]->algorithm_auth;
1240 }
1241
1242 if (ca_list[j]->algorithm_enc)
1243 {
1244 if (alg_enc)
1245 {
1246 alg_enc &= ca_list[j]->algorithm_enc;
1247 if (!alg_enc) { found = 0; break; }
1248 }
1249 else
1250 alg_enc = ca_list[j]->algorithm_enc;
1251 }
1252
1253 if (ca_list[j]->algorithm_mac)
1254 {
1255 if (alg_mac)
1256 {
1257 alg_mac &= ca_list[j]->algorithm_mac;
1258 if (!alg_mac) { found = 0; break; }
1259 }
1260 else
1261 alg_mac = ca_list[j]->algorithm_mac;
1262 }
1263
1264 if (ca_list[j]->algo_strength & SSL_EXP_MASK)
1265 {
1266 if (algo_strength & SSL_EXP_MASK)
1267 {
1268 algo_strength &= (ca_list[j]->algo_strength & SSL_EXP_MASK) | ~SSL_EXP_MASK;
1269 if (!(algo_strength & SSL_EXP_MASK)) { found = 0; break; }
1270 }
1271 else
1272 algo_strength |= ca_list[j]->algo_strength & SSL_EXP_MASK;
1273 }
1274
1275 if (ca_list[j]->algo_strength & SSL_STRONG_MASK)
1276 {
1277 if (algo_strength & SSL_STRONG_MASK)
1278 {
1279 algo_strength &= (ca_list[j]->algo_strength & SSL_STRONG_MASK) | ~SSL_STRONG_MASK;
1280 if (!(algo_strength & SSL_STRONG_MASK)) { found = 0; break; }
1281 }
1282 else
1283 algo_strength |= ca_list[j]->algo_strength & SSL_STRONG_MASK;
1284 }
1285
1286 if (ca_list[j]->valid)
1287 {
1288 /* explicit ciphersuite found; its protocol version
1289 * does not become part of the search pattern!*/
1290
1291 cipher_id = ca_list[j]->id;
1292 }
1293 else
1294 {
1295 /* not an explicit ciphersuite; only in this case, the
1296 * protocol version is considered part of the search pattern */
1297
1298 if (ca_list[j]->algorithm_ssl)
1299 {
1300 if (alg_ssl)
1301 {
1302 alg_ssl &= ca_list[j]->algorithm_ssl;
1303 if (!alg_ssl) { found = 0; break; }
1304 }
1305 else
1306 alg_ssl = ca_list[j]->algorithm_ssl;
1307 }
1308 }
1309
1310 if (!multi) break;
1311 }
1312
1313 /*
1314 * Ok, we have the rule, now apply it
1315 */
1316 if (rule == CIPHER_SPECIAL)
1317 { /* special command */
1318 ok = 0;
1319 if ((buflen == 8) &&
1320 !strncmp(buf, "STRENGTH", 8))
1321 ok = ssl_cipher_strength_sort(head_p, tail_p);
1322 else
1323 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
1324 SSL_R_INVALID_COMMAND);
1325 if (ok == 0)
1326 retval = 0;
1327 /*
1328 * We do not support any "multi" options
1329 * together with "@", so throw away the
1330 * rest of the command, if any left, until
1331 * end or ':' is found.
1332 */
1333 while ((*l != '\0') && !ITEM_SEP(*l))
1334 l++;
1335 }
1336 else if (found)
1337 {
1338 ssl_cipher_apply_rule(cipher_id,
1339 alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength,
1340 rule, -1, head_p, tail_p);
1341 }
1342 else
1343 {
1344 while ((*l != '\0') && !ITEM_SEP(*l))
1345 l++;
1346 }
1347 if (*l == '\0') break; /* done */
1348 }
1349
1350 return(retval);
1351 }
1352
1353STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1354 STACK_OF(SSL_CIPHER) **cipher_list,
1355 STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1356 const char *rule_str)
1357 {
1358 int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
1359 unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
1360 STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
1361 const char *rule_p;
1362 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1363 const SSL_CIPHER **ca_list = NULL;
1364
1365 /*
1366 * Return with error if nothing to do.
1367 */
1368 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
1369 return NULL;
1370
1371 /*
1372 * To reduce the work to do we only want to process the compiled
1373 * in algorithms, so we first get the mask of disabled ciphers.
1374 */
1375 ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc, &disabled_mac, &disabled_ssl);
1376
1377 /*
1378 * Now we have to collect the available ciphers from the compiled
1379 * in ciphers. We cannot get more than the number compiled in, so
1380 * it is used for allocation.
1381 */
1382 num_of_ciphers = ssl_method->num_ciphers();
1383#ifdef KSSL_DEBUG
1384 printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
1385#endif /* KSSL_DEBUG */
1386 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
1387 if (co_list == NULL)
1388 {
1389 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1390 return(NULL); /* Failure */
1391 }
1392
1393 ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
1394 disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl,
1395 co_list, &head, &tail);
1396
1397
1398 /* Now arrange all ciphers by preference: */
1399
1400 /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
1401 ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1402 ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1403
1404 /* AES is our preferred symmetric cipher */
1405 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1406
1407 /* Temporarily enable everything else for sorting */
1408 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1409
1410 /* Low priority for MD5 */
1411 ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head, &tail);
1412
1413 /* Move anonymous ciphers to the end. Usually, these will remain disabled.
1414 * (For applications that allow them, they aren't too bad, but we prefer
1415 * authenticated ciphers.) */
1416 ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1417
1418 /* Move ciphers without forward secrecy to the end */
1419 ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1420 /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
1421 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1422 ssl_cipher_apply_rule(0, SSL_kPSK, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1423 ssl_cipher_apply_rule(0, SSL_kKRB5, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1424
1425 /* RC4 is sort-of broken -- move the the end */
1426 ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1427
1428 /* Now sort by symmetric encryption strength. The above ordering remains
1429 * in force within each class */
1430 if (!ssl_cipher_strength_sort(&head, &tail))
1431 {
1432 OPENSSL_free(co_list);
1433 return NULL;
1434 }
1435
1436 /* Now disable everything (maintaining the ordering!) */
1437 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1438
1439
1440 /*
1441 * We also need cipher aliases for selecting based on the rule_str.
1442 * There might be two types of entries in the rule_str: 1) names
1443 * of ciphers themselves 2) aliases for groups of ciphers.
1444 * For 1) we need the available ciphers and for 2) the cipher
1445 * groups of cipher_aliases added together in one list (otherwise
1446 * we would be happy with just the cipher_aliases table).
1447 */
1448 num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
1449 num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
1450 ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
1451 if (ca_list == NULL)
1452 {
1453 OPENSSL_free(co_list);
1454 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1455 return(NULL); /* Failure */
1456 }
1457 ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
1458 disabled_mkey, disabled_auth, disabled_enc,
1459 disabled_mac, disabled_ssl, head);
1460
1461 /*
1462 * If the rule_string begins with DEFAULT, apply the default rule
1463 * before using the (possibly available) additional rules.
1464 */
1465 ok = 1;
1466 rule_p = rule_str;
1467 if (strncmp(rule_str,"DEFAULT",7) == 0)
1468 {
1469 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
1470 &head, &tail, ca_list);
1471 rule_p += 7;
1472 if (*rule_p == ':')
1473 rule_p++;
1474 }
1475
1476 if (ok && (strlen(rule_p) > 0))
1477 ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
1478
1479 OPENSSL_free((void *)ca_list); /* Not needed anymore */
1480
1481 if (!ok)
1482 { /* Rule processing failure */
1483 OPENSSL_free(co_list);
1484 return(NULL);
1485 }
1486
1487 /*
1488 * Allocate new "cipherstack" for the result, return with error
1489 * if we cannot get one.
1490 */
1491 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
1492 {
1493 OPENSSL_free(co_list);
1494 return(NULL);
1495 }
1496
1497 /*
1498 * The cipher selection for the list is done. The ciphers are added
1499 * to the resulting precedence to the STACK_OF(SSL_CIPHER).
1500 */
1501 for (curr = head; curr != NULL; curr = curr->next)
1502 {
1503#ifdef OPENSSL_FIPS
1504 if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
1505#else
1506 if (curr->active)
1507#endif
1508 {
1509 sk_SSL_CIPHER_push(cipherstack, curr->cipher);
1510#ifdef CIPHER_DEBUG
1511 printf("<%s>\n",curr->cipher->name);
1512#endif
1513 }
1514 }
1515 OPENSSL_free(co_list); /* Not needed any longer */
1516
1517 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1518 if (tmp_cipher_list == NULL)
1519 {
1520 sk_SSL_CIPHER_free(cipherstack);
1521 return NULL;
1522 }
1523 if (*cipher_list != NULL)
1524 sk_SSL_CIPHER_free(*cipher_list);
1525 *cipher_list = cipherstack;
1526 if (*cipher_list_by_id != NULL)
1527 sk_SSL_CIPHER_free(*cipher_list_by_id);
1528 *cipher_list_by_id = tmp_cipher_list;
1529 (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
1530
1531 sk_SSL_CIPHER_sort(*cipher_list_by_id);
1532 return(cipherstack);
1533 }
1534
1535char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1536 {
1537 int is_export,pkl,kl;
1538 const char *ver,*exp_str;
1539 const char *kx,*au,*enc,*mac;
1540 unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2;
1541#ifdef KSSL_DEBUG
1542 static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n";
1543#else
1544 static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
1545#endif /* KSSL_DEBUG */
1546
1547 alg_mkey = cipher->algorithm_mkey;
1548 alg_auth = cipher->algorithm_auth;
1549 alg_enc = cipher->algorithm_enc;
1550 alg_mac = cipher->algorithm_mac;
1551 alg_ssl = cipher->algorithm_ssl;
1552
1553 alg2=cipher->algorithm2;
1554
1555 is_export=SSL_C_IS_EXPORT(cipher);
1556 pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
1557 kl=SSL_C_EXPORT_KEYLENGTH(cipher);
1558 exp_str=is_export?" export":"";
1559
1560 if (alg_ssl & SSL_SSLV2)
1561 ver="SSLv2";
1562 else if (alg_ssl & SSL_SSLV3)
1563 ver="SSLv3";
1564 else if (alg_ssl & SSL_TLSV1_2)
1565 ver="TLSv1.2";
1566 else
1567 ver="unknown";
1568
1569 switch (alg_mkey)
1570 {
1571 case SSL_kRSA:
1572 kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
1573 break;
1574 case SSL_kDHr:
1575 kx="DH/RSA";
1576 break;
1577 case SSL_kDHd:
1578 kx="DH/DSS";
1579 break;
1580 case SSL_kKRB5:
1581 kx="KRB5";
1582 break;
1583 case SSL_kEDH:
1584 kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
1585 break;
1586 case SSL_kECDHr:
1587 kx="ECDH/RSA";
1588 break;
1589 case SSL_kECDHe:
1590 kx="ECDH/ECDSA";
1591 break;
1592 case SSL_kEECDH:
1593 kx="ECDH";
1594 break;
1595 case SSL_kPSK:
1596 kx="PSK";
1597 break;
1598 case SSL_kSRP:
1599 kx="SRP";
1600 break;
1601 default:
1602 kx="unknown";
1603 }
1604
1605 switch (alg_auth)
1606 {
1607 case SSL_aRSA:
1608 au="RSA";
1609 break;
1610 case SSL_aDSS:
1611 au="DSS";
1612 break;
1613 case SSL_aDH:
1614 au="DH";
1615 break;
1616 case SSL_aKRB5:
1617 au="KRB5";
1618 break;
1619 case SSL_aECDH:
1620 au="ECDH";
1621 break;
1622 case SSL_aNULL:
1623 au="None";
1624 break;
1625 case SSL_aECDSA:
1626 au="ECDSA";
1627 break;
1628 case SSL_aPSK:
1629 au="PSK";
1630 break;
1631 default:
1632 au="unknown";
1633 break;
1634 }
1635
1636 switch (alg_enc)
1637 {
1638 case SSL_DES:
1639 enc=(is_export && kl == 5)?"DES(40)":"DES(56)";
1640 break;
1641 case SSL_3DES:
1642 enc="3DES(168)";
1643 break;
1644 case SSL_RC4:
1645 enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
1646 :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
1647 break;
1648 case SSL_RC2:
1649 enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
1650 break;
1651 case SSL_IDEA:
1652 enc="IDEA(128)";
1653 break;
1654 case SSL_eNULL:
1655 enc="None";
1656 break;
1657 case SSL_AES128:
1658 enc="AES(128)";
1659 break;
1660 case SSL_AES256:
1661 enc="AES(256)";
1662 break;
1663 case SSL_AES128GCM:
1664 enc="AESGCM(128)";
1665 break;
1666 case SSL_AES256GCM:
1667 enc="AESGCM(256)";
1668 break;
1669 case SSL_CAMELLIA128:
1670 enc="Camellia(128)";
1671 break;
1672 case SSL_CAMELLIA256:
1673 enc="Camellia(256)";
1674 break;
1675 case SSL_SEED:
1676 enc="SEED(128)";
1677 break;
1678 default:
1679 enc="unknown";
1680 break;
1681 }
1682
1683 switch (alg_mac)
1684 {
1685 case SSL_MD5:
1686 mac="MD5";
1687 break;
1688 case SSL_SHA1:
1689 mac="SHA1";
1690 break;
1691 case SSL_SHA256:
1692 mac="SHA256";
1693 break;
1694 case SSL_SHA384:
1695 mac="SHA384";
1696 break;
1697 case SSL_AEAD:
1698 mac="AEAD";
1699 break;
1700 default:
1701 mac="unknown";
1702 break;
1703 }
1704
1705 if (buf == NULL)
1706 {
1707 len=128;
1708 buf=OPENSSL_malloc(len);
1709 if (buf == NULL) return("OPENSSL_malloc Error");
1710 }
1711 else if (len < 128)
1712 return("Buffer too small");
1713
1714#ifdef KSSL_DEBUG
1715 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl);
1716#else
1717 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str);
1718#endif /* KSSL_DEBUG */
1719 return(buf);
1720 }
1721
1722char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
1723 {
1724 int i;
1725
1726 if (c == NULL) return("(NONE)");
1727 i=(int)(c->id>>24L);
1728 if (i == 3)
1729 return("TLSv1/SSLv3");
1730 else if (i == 2)
1731 return("SSLv2");
1732 else
1733 return("unknown");
1734 }
1735
1736/* return the actual cipher being used */
1737const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
1738 {
1739 if (c != NULL)
1740 return(c->name);
1741 return("(NONE)");
1742 }
1743
1744/* number of bits for symmetric cipher */
1745int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1746 {
1747 int ret=0;
1748
1749 if (c != NULL)
1750 {
1751 if (alg_bits != NULL) *alg_bits = c->alg_bits;
1752 ret = c->strength_bits;
1753 }
1754 return(ret);
1755 }
1756
1757unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c)
1758 {
1759 return c->id;
1760 }
1761
1762SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
1763 {
1764 SSL_COMP *ctmp;
1765 int i,nn;
1766
1767 if ((n == 0) || (sk == NULL)) return(NULL);
1768 nn=sk_SSL_COMP_num(sk);
1769 for (i=0; i<nn; i++)
1770 {
1771 ctmp=sk_SSL_COMP_value(sk,i);
1772 if (ctmp->id == n)
1773 return(ctmp);
1774 }
1775 return(NULL);
1776 }
1777
1778#ifdef OPENSSL_NO_COMP
1779void *SSL_COMP_get_compression_methods(void)
1780 {
1781 return NULL;
1782 }
1783int SSL_COMP_add_compression_method(int id, void *cm)
1784 {
1785 return 1;
1786 }
1787
1788const char *SSL_COMP_get_name(const void *comp)
1789 {
1790 return NULL;
1791 }
1792#else
1793STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
1794 {
1795 load_builtin_compressions();
1796 return(ssl_comp_methods);
1797 }
1798
1799int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
1800 {
1801 SSL_COMP *comp;
1802
1803 if (cm == NULL || cm->type == NID_undef)
1804 return 1;
1805
1806 /* According to draft-ietf-tls-compression-04.txt, the
1807 compression number ranges should be the following:
1808
1809 0 to 63: methods defined by the IETF
1810 64 to 192: external party methods assigned by IANA
1811 193 to 255: reserved for private use */
1812 if (id < 193 || id > 255)
1813 {
1814 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
1815 return 0;
1816 }
1817
1818 MemCheck_off();
1819 comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
1820 comp->id=id;
1821 comp->method=cm;
1822 load_builtin_compressions();
1823 if (ssl_comp_methods
1824 && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0)
1825 {
1826 OPENSSL_free(comp);
1827 MemCheck_on();
1828 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_DUPLICATE_COMPRESSION_ID);
1829 return(1);
1830 }
1831 else if ((ssl_comp_methods == NULL)
1832 || !sk_SSL_COMP_push(ssl_comp_methods,comp))
1833 {
1834 OPENSSL_free(comp);
1835 MemCheck_on();
1836 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
1837 return(1);
1838 }
1839 else
1840 {
1841 MemCheck_on();
1842 return(0);
1843 }
1844 }
1845
1846const char *SSL_COMP_get_name(const COMP_METHOD *comp)
1847 {
1848 if (comp)
1849 return comp->name;
1850 return NULL;
1851 }
1852
1853#endif
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
deleted file mode 100644
index 370fb57e3b..0000000000
--- a/src/lib/libssl/ssl_err.c
+++ /dev/null
@@ -1,610 +0,0 @@
1/* ssl/ssl_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/ssl.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
70
71static ERR_STRING_DATA SSL_str_functs[]=
72 {
73{ERR_FUNC(SSL_F_CLIENT_CERTIFICATE), "CLIENT_CERTIFICATE"},
74{ERR_FUNC(SSL_F_CLIENT_FINISHED), "CLIENT_FINISHED"},
75{ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},
76{ERR_FUNC(SSL_F_CLIENT_MASTER_KEY), "CLIENT_MASTER_KEY"},
77{ERR_FUNC(SSL_F_D2I_SSL_SESSION), "d2i_SSL_SESSION"},
78{ERR_FUNC(SSL_F_DO_DTLS1_WRITE), "DO_DTLS1_WRITE"},
79{ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"},
80{ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"},
81{ERR_FUNC(SSL_F_DTLS1_ADD_CERT_TO_BUF), "DTLS1_ADD_CERT_TO_BUF"},
82{ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD), "DTLS1_BUFFER_RECORD"},
83{ERR_FUNC(SSL_F_DTLS1_CHECK_TIMEOUT_NUM), "DTLS1_CHECK_TIMEOUT_NUM"},
84{ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO), "DTLS1_CLIENT_HELLO"},
85{ERR_FUNC(SSL_F_DTLS1_CONNECT), "DTLS1_CONNECT"},
86{ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"},
87{ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY), "DTLS1_GET_HELLO_VERIFY"},
88{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE), "DTLS1_GET_MESSAGE"},
89{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"},
90{ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "DTLS1_GET_RECORD"},
91{ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "DTLS1_HANDLE_TIMEOUT"},
92{ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "DTLS1_HEARTBEAT"},
93{ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"},
94{ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
95{ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
96{ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},
97{ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "DTLS1_READ_BYTES"},
98{ERR_FUNC(SSL_F_DTLS1_READ_FAILED), "DTLS1_READ_FAILED"},
99{ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST), "DTLS1_SEND_CERTIFICATE_REQUEST"},
100{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE), "DTLS1_SEND_CLIENT_CERTIFICATE"},
101{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE), "DTLS1_SEND_CLIENT_KEY_EXCHANGE"},
102{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_VERIFY), "DTLS1_SEND_CLIENT_VERIFY"},
103{ERR_FUNC(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST), "DTLS1_SEND_HELLO_VERIFY_REQUEST"},
104{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE), "DTLS1_SEND_SERVER_CERTIFICATE"},
105{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO), "DTLS1_SEND_SERVER_HELLO"},
106{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE), "DTLS1_SEND_SERVER_KEY_EXCHANGE"},
107{ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "DTLS1_WRITE_APP_DATA_BYTES"},
108{ERR_FUNC(SSL_F_GET_CLIENT_FINISHED), "GET_CLIENT_FINISHED"},
109{ERR_FUNC(SSL_F_GET_CLIENT_HELLO), "GET_CLIENT_HELLO"},
110{ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY), "GET_CLIENT_MASTER_KEY"},
111{ERR_FUNC(SSL_F_GET_SERVER_FINISHED), "GET_SERVER_FINISHED"},
112{ERR_FUNC(SSL_F_GET_SERVER_HELLO), "GET_SERVER_HELLO"},
113{ERR_FUNC(SSL_F_GET_SERVER_VERIFY), "GET_SERVER_VERIFY"},
114{ERR_FUNC(SSL_F_I2D_SSL_SESSION), "i2d_SSL_SESSION"},
115{ERR_FUNC(SSL_F_READ_N), "READ_N"},
116{ERR_FUNC(SSL_F_REQUEST_CERTIFICATE), "REQUEST_CERTIFICATE"},
117{ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"},
118{ERR_FUNC(SSL_F_SERVER_HELLO), "SERVER_HELLO"},
119{ERR_FUNC(SSL_F_SERVER_VERIFY), "SERVER_VERIFY"},
120{ERR_FUNC(SSL_F_SSL23_ACCEPT), "SSL23_ACCEPT"},
121{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"},
122{ERR_FUNC(SSL_F_SSL23_CONNECT), "SSL23_CONNECT"},
123{ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO), "SSL23_GET_CLIENT_HELLO"},
124{ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO), "SSL23_GET_SERVER_HELLO"},
125{ERR_FUNC(SSL_F_SSL23_PEEK), "SSL23_PEEK"},
126{ERR_FUNC(SSL_F_SSL23_READ), "SSL23_READ"},
127{ERR_FUNC(SSL_F_SSL23_WRITE), "SSL23_WRITE"},
128{ERR_FUNC(SSL_F_SSL2_ACCEPT), "SSL2_ACCEPT"},
129{ERR_FUNC(SSL_F_SSL2_CONNECT), "SSL2_CONNECT"},
130{ERR_FUNC(SSL_F_SSL2_ENC_INIT), "SSL2_ENC_INIT"},
131{ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL), "SSL2_GENERATE_KEY_MATERIAL"},
132{ERR_FUNC(SSL_F_SSL2_PEEK), "SSL2_PEEK"},
133{ERR_FUNC(SSL_F_SSL2_READ), "SSL2_READ"},
134{ERR_FUNC(SSL_F_SSL2_READ_INTERNAL), "SSL2_READ_INTERNAL"},
135{ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE), "SSL2_SET_CERTIFICATE"},
136{ERR_FUNC(SSL_F_SSL2_WRITE), "SSL2_WRITE"},
137{ERR_FUNC(SSL_F_SSL3_ACCEPT), "SSL3_ACCEPT"},
138{ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF), "SSL3_ADD_CERT_TO_BUF"},
139{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
140{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
141{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
142{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
143{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
144{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
145{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
146{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
147{ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS), "SSL3_DIGEST_CACHED_RECORDS"},
148{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"},
149{ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"},
150{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
151{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},
152{ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_STATUS"},
153{ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"},
154{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"},
155{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"},
156{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"},
157{ERR_FUNC(SSL_F_SSL3_GET_FINISHED), "SSL3_GET_FINISHED"},
158{ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"},
159{ERR_FUNC(SSL_F_SSL3_GET_MESSAGE), "SSL3_GET_MESSAGE"},
160{ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET), "SSL3_GET_NEW_SESSION_TICKET"},
161{ERR_FUNC(SSL_F_SSL3_GET_NEXT_PROTO), "SSL3_GET_NEXT_PROTO"},
162{ERR_FUNC(SSL_F_SSL3_GET_RECORD), "SSL3_GET_RECORD"},
163{ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE), "SSL3_GET_SERVER_CERTIFICATE"},
164{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "SSL3_GET_SERVER_DONE"},
165{ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "SSL3_GET_SERVER_HELLO"},
166{ERR_FUNC(SSL_F_SSL3_HANDSHAKE_MAC), "ssl3_handshake_mac"},
167{ERR_FUNC(SSL_F_SSL3_NEW_SESSION_TICKET), "SSL3_NEW_SESSION_TICKET"},
168{ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN), "SSL3_OUTPUT_CERT_CHAIN"},
169{ERR_FUNC(SSL_F_SSL3_PEEK), "SSL3_PEEK"},
170{ERR_FUNC(SSL_F_SSL3_READ_BYTES), "SSL3_READ_BYTES"},
171{ERR_FUNC(SSL_F_SSL3_READ_N), "SSL3_READ_N"},
172{ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"},
173{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE), "SSL3_SEND_CLIENT_CERTIFICATE"},
174{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
175{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY), "SSL3_SEND_CLIENT_VERIFY"},
176{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE), "SSL3_SEND_SERVER_CERTIFICATE"},
177{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO), "SSL3_SEND_SERVER_HELLO"},
178{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE), "SSL3_SEND_SERVER_KEY_EXCHANGE"},
179{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "SSL3_SETUP_KEY_BLOCK"},
180{ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER), "SSL3_SETUP_READ_BUFFER"},
181{ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER), "SSL3_SETUP_WRITE_BUFFER"},
182{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "SSL3_WRITE_BYTES"},
183{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"},
184{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"},
185{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "SSL_ADD_CLIENTHELLO_TLSEXT"},
186{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT), "SSL_ADD_CLIENTHELLO_USE_SRTP_EXT"},
187{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"},
188{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"},
189{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"},
190{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "SSL_ADD_SERVERHELLO_TLSEXT"},
191{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT), "SSL_ADD_SERVERHELLO_USE_SRTP_EXT"},
192{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"},
193{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"},
194{ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"},
195{ERR_FUNC(SSL_F_SSL_CERT_INST), "SSL_CERT_INST"},
196{ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE), "SSL_CERT_INSTANTIATE"},
197{ERR_FUNC(SSL_F_SSL_CERT_NEW), "SSL_CERT_NEW"},
198{ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"},
199{ERR_FUNC(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT), "SSL_CHECK_SERVERHELLO_TLSEXT"},
200{ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG), "SSL_CHECK_SRVR_ECC_CERT_AND_ALG"},
201{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"},
202{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"},
203{ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"},
204{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD), "SSL_COMP_add_compression_method"},
205{ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "SSL_CREATE_CIPHER_LIST"},
206{ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"},
207{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"},
208{ERR_FUNC(SSL_F_SSL_CTX_MAKE_PROFILES), "SSL_CTX_MAKE_PROFILES"},
209{ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"},
210{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"},
211{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), "SSL_CTX_set_client_cert_engine"},
212{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"},
213{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"},
214{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"},
215{ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST), "SSL_CTX_set_trust"},
216{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE), "SSL_CTX_use_certificate"},
217{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1), "SSL_CTX_use_certificate_ASN1"},
218{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE), "SSL_CTX_use_certificate_chain_file"},
219{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE), "SSL_CTX_use_certificate_file"},
220{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY), "SSL_CTX_use_PrivateKey"},
221{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1), "SSL_CTX_use_PrivateKey_ASN1"},
222{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE), "SSL_CTX_use_PrivateKey_file"},
223{ERR_FUNC(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT), "SSL_CTX_use_psk_identity_hint"},
224{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY), "SSL_CTX_use_RSAPrivateKey"},
225{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1), "SSL_CTX_use_RSAPrivateKey_ASN1"},
226{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE), "SSL_CTX_use_RSAPrivateKey_file"},
227{ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"},
228{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"},
229{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"},
230{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"},
231{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_PKEY), "SSL_GET_SERVER_SEND_PKEY"},
232{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"},
233{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
234{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
235{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
236{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
237{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
238{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT), "SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT"},
239{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
240{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
241{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT), "SSL_PARSE_SERVERHELLO_USE_SRTP_EXT"},
242{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
243{ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
244{ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
245{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
246{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
247{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
248{ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
249{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
250{ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"},
251{ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW), "SSL_SESS_CERT_NEW"},
252{ERR_FUNC(SSL_F_SSL_SET_CERT), "SSL_SET_CERT"},
253{ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST), "SSL_set_cipher_list"},
254{ERR_FUNC(SSL_F_SSL_SET_FD), "SSL_set_fd"},
255{ERR_FUNC(SSL_F_SSL_SET_PKEY), "SSL_SET_PKEY"},
256{ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"},
257{ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"},
258{ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"},
259{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"},
260{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
261{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
262{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
263{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
264{ERR_FUNC(SSL_F_SSL_SRP_CTX_INIT), "SSL_SRP_CTX_init"},
265{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION), "SSL_UNDEFINED_CONST_FUNCTION"},
266{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "SSL_UNDEFINED_FUNCTION"},
267{ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION), "SSL_UNDEFINED_VOID_FUNCTION"},
268{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE), "SSL_use_certificate"},
269{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1), "SSL_use_certificate_ASN1"},
270{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE), "SSL_use_certificate_file"},
271{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY), "SSL_use_PrivateKey"},
272{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1), "SSL_use_PrivateKey_ASN1"},
273{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"},
274{ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT), "SSL_use_psk_identity_hint"},
275{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
276{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"},
277{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"},
278{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"},
279{ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
280{ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC), "tls1_cert_verify_mac"},
281{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"},
282{ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"},
283{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
284{ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL), "TLS1_EXPORT_KEYING_MATERIAL"},
285{ERR_FUNC(SSL_F_TLS1_HEARTBEAT), "SSL_F_TLS1_HEARTBEAT"},
286{ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT), "TLS1_PREPARE_CLIENTHELLO_TLSEXT"},
287{ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT), "TLS1_PREPARE_SERVERHELLO_TLSEXT"},
288{ERR_FUNC(SSL_F_TLS1_PRF), "tls1_prf"},
289{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
290{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
291{0,NULL}
292 };
293
294static ERR_STRING_DATA SSL_str_reasons[]=
295 {
296{ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"},
297{ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"},
298{ERR_REASON(SSL_R_BAD_ALERT_RECORD) ,"bad alert record"},
299{ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
300{ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
301{ERR_REASON(SSL_R_BAD_CHECKSUM) ,"bad checksum"},
302{ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),"bad data returned by callback"},
303{ERR_REASON(SSL_R_BAD_DECOMPRESSION) ,"bad decompression"},
304{ERR_REASON(SSL_R_BAD_DH_G_LENGTH) ,"bad dh g length"},
305{ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) ,"bad dh pub key length"},
306{ERR_REASON(SSL_R_BAD_DH_P_LENGTH) ,"bad dh p length"},
307{ERR_REASON(SSL_R_BAD_DIGEST_LENGTH) ,"bad digest length"},
308{ERR_REASON(SSL_R_BAD_DSA_SIGNATURE) ,"bad dsa signature"},
309{ERR_REASON(SSL_R_BAD_ECC_CERT) ,"bad ecc cert"},
310{ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE) ,"bad ecdsa signature"},
311{ERR_REASON(SSL_R_BAD_ECPOINT) ,"bad ecpoint"},
312{ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH) ,"bad handshake length"},
313{ERR_REASON(SSL_R_BAD_HELLO_REQUEST) ,"bad hello request"},
314{ERR_REASON(SSL_R_BAD_LENGTH) ,"bad length"},
315{ERR_REASON(SSL_R_BAD_MAC_DECODE) ,"bad mac decode"},
316{ERR_REASON(SSL_R_BAD_MAC_LENGTH) ,"bad mac length"},
317{ERR_REASON(SSL_R_BAD_MESSAGE_TYPE) ,"bad message type"},
318{ERR_REASON(SSL_R_BAD_PACKET_LENGTH) ,"bad packet length"},
319{ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER),"bad protocol version number"},
320{ERR_REASON(SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH),"bad psk identity hint length"},
321{ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) ,"bad response argument"},
322{ERR_REASON(SSL_R_BAD_RSA_DECRYPT) ,"bad rsa decrypt"},
323{ERR_REASON(SSL_R_BAD_RSA_ENCRYPT) ,"bad rsa encrypt"},
324{ERR_REASON(SSL_R_BAD_RSA_E_LENGTH) ,"bad rsa e length"},
325{ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH),"bad rsa modulus length"},
326{ERR_REASON(SSL_R_BAD_RSA_SIGNATURE) ,"bad rsa signature"},
327{ERR_REASON(SSL_R_BAD_SIGNATURE) ,"bad signature"},
328{ERR_REASON(SSL_R_BAD_SRP_A_LENGTH) ,"bad srp a length"},
329{ERR_REASON(SSL_R_BAD_SRP_B_LENGTH) ,"bad srp b length"},
330{ERR_REASON(SSL_R_BAD_SRP_G_LENGTH) ,"bad srp g length"},
331{ERR_REASON(SSL_R_BAD_SRP_N_LENGTH) ,"bad srp n length"},
332{ERR_REASON(SSL_R_BAD_SRP_S_LENGTH) ,"bad srp s length"},
333{ERR_REASON(SSL_R_BAD_SRTP_MKI_VALUE) ,"bad srtp mki value"},
334{ERR_REASON(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST),"bad srtp protection profile list"},
335{ERR_REASON(SSL_R_BAD_SSL_FILETYPE) ,"bad ssl filetype"},
336{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
337{ERR_REASON(SSL_R_BAD_STATE) ,"bad state"},
338{ERR_REASON(SSL_R_BAD_WRITE_RETRY) ,"bad write retry"},
339{ERR_REASON(SSL_R_BIO_NOT_SET) ,"bio not set"},
340{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"},
341{ERR_REASON(SSL_R_BN_LIB) ,"bn lib"},
342{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"},
343{ERR_REASON(SSL_R_CA_DN_TOO_LONG) ,"ca dn too long"},
344{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) ,"ccs received early"},
345{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"},
346{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) ,"cert length mismatch"},
347{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"},
348{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"},
349{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"},
350{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
351{ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) ,"clienthello tlsext"},
352{ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
353{ERR_REASON(SSL_R_COMPRESSION_DISABLED) ,"compression disabled"},
354{ERR_REASON(SSL_R_COMPRESSION_FAILURE) ,"compression failure"},
355{ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"},
356{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
357{ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
358{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
359{ERR_REASON(SSL_R_COOKIE_MISMATCH) ,"cookie mismatch"},
360{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
361{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
362{ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
363{ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
364{ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
365{ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"},
366{ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) ,"dtls message too big"},
367{ERR_REASON(SSL_R_DUPLICATE_COMPRESSION_ID),"duplicate compression id"},
368{ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT),"ecc cert not for key agreement"},
369{ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_SIGNING),"ecc cert not for signing"},
370{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE),"ecc cert should have rsa signature"},
371{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE),"ecc cert should have sha1 signature"},
372{ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER),"ecgroup too large for cipher"},
373{ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),"empty srtp protection profile list"},
374{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
375{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"},
376{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"},
377{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
378{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
379{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
380{ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS),"got next proto before a ccs"},
381{ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION),"got next proto without seeing extension"},
382{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
383{ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
384{ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
385{ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
386{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
387{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
388{ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
389{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"},
390{ERR_REASON(SSL_R_INVALID_SRP_USERNAME) ,"invalid srp username"},
391{ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},
392{ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"},
393{ERR_REASON(SSL_R_INVALID_TRUST) ,"invalid trust"},
394{ERR_REASON(SSL_R_KEY_ARG_TOO_LONG) ,"key arg too long"},
395{ERR_REASON(SSL_R_KRB5) ,"krb5"},
396{ERR_REASON(SSL_R_KRB5_C_CC_PRINC) ,"krb5 client cc principal (no tkt?)"},
397{ERR_REASON(SSL_R_KRB5_C_GET_CRED) ,"krb5 client get cred"},
398{ERR_REASON(SSL_R_KRB5_C_INIT) ,"krb5 client init"},
399{ERR_REASON(SSL_R_KRB5_C_MK_REQ) ,"krb5 client mk_req (expired tkt?)"},
400{ERR_REASON(SSL_R_KRB5_S_BAD_TICKET) ,"krb5 server bad ticket"},
401{ERR_REASON(SSL_R_KRB5_S_INIT) ,"krb5 server init"},
402{ERR_REASON(SSL_R_KRB5_S_RD_REQ) ,"krb5 server rd_req (keytab perms?)"},
403{ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED) ,"krb5 server tkt expired"},
404{ERR_REASON(SSL_R_KRB5_S_TKT_NYV) ,"krb5 server tkt not yet valid"},
405{ERR_REASON(SSL_R_KRB5_S_TKT_SKEW) ,"krb5 server tkt skew"},
406{ERR_REASON(SSL_R_LENGTH_MISMATCH) ,"length mismatch"},
407{ERR_REASON(SSL_R_LENGTH_TOO_SHORT) ,"length too short"},
408{ERR_REASON(SSL_R_LIBRARY_BUG) ,"library bug"},
409{ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS),"library has no ciphers"},
410{ERR_REASON(SSL_R_MESSAGE_TOO_LONG) ,"message too long"},
411{ERR_REASON(SSL_R_MISSING_DH_DSA_CERT) ,"missing dh dsa cert"},
412{ERR_REASON(SSL_R_MISSING_DH_KEY) ,"missing dh key"},
413{ERR_REASON(SSL_R_MISSING_DH_RSA_CERT) ,"missing dh rsa cert"},
414{ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
415{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
416{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
417{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},
418{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"},
419{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"},
420{ERR_REASON(SSL_R_MISSING_SRP_PARAM) ,"can't find SRP server param"},
421{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY) ,"missing tmp dh key"},
422{ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY) ,"missing tmp ecdh key"},
423{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
424{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
425{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
426{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
427{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
428{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
429{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
430{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},
431{ERR_REASON(SSL_R_NO_CERTIFICATE_SET) ,"no certificate set"},
432{ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED),"no certificate specified"},
433{ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE) ,"no ciphers available"},
434{ERR_REASON(SSL_R_NO_CIPHERS_PASSED) ,"no ciphers passed"},
435{ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED) ,"no ciphers specified"},
436{ERR_REASON(SSL_R_NO_CIPHER_LIST) ,"no cipher list"},
437{ERR_REASON(SSL_R_NO_CIPHER_MATCH) ,"no cipher match"},
438{ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) ,"no client cert method"},
439{ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
440{ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
441{ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),"Peer haven't sent GOST certificate, required for selected ciphersuite"},
442{ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"},
443{ERR_REASON(SSL_R_NO_PRIVATEKEY) ,"no privatekey"},
444{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
445{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
446{ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"},
447{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"},
448{ERR_REASON(SSL_R_NO_REQUIRED_DIGEST) ,"digest requred for handshake isn't computed"},
449{ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
450{ERR_REASON(SSL_R_NO_SRTP_PROFILES) ,"no srtp profiles"},
451{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
452{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
453{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
454{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
455{ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),"old session compression algorithm not returned"},
456{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
457{ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),"opaque PRF input too long"},
458{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
459{ERR_REASON(SSL_R_PARSE_TLSEXT) ,"parse tlsext"},
460{ERR_REASON(SSL_R_PATH_TOO_LONG) ,"path too long"},
461{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
462{ERR_REASON(SSL_R_PEER_ERROR) ,"peer error"},
463{ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE),"peer error certificate"},
464{ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE),"peer error no certificate"},
465{ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER) ,"peer error no cipher"},
466{ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"peer error unsupported certificate type"},
467{ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG),"pre mac length too long"},
468{ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS),"problems mapping cipher functions"},
469{ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN) ,"protocol is shutdown"},
470{ERR_REASON(SSL_R_PSK_IDENTITY_NOT_FOUND),"psk identity not found"},
471{ERR_REASON(SSL_R_PSK_NO_CLIENT_CB) ,"psk no client cb"},
472{ERR_REASON(SSL_R_PSK_NO_SERVER_CB) ,"psk no server cb"},
473{ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR),"public key encrypt error"},
474{ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) ,"public key is not rsa"},
475{ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"},
476{ERR_REASON(SSL_R_READ_BIO_NOT_SET) ,"read bio not set"},
477{ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED) ,"read timeout expired"},
478{ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE),"read wrong packet type"},
479{ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
480{ERR_REASON(SSL_R_RECORD_TOO_LARGE) ,"record too large"},
481{ERR_REASON(SSL_R_RECORD_TOO_SMALL) ,"record too small"},
482{ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG),"renegotiate ext too long"},
483{ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"},
484{ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"},
485{ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
486{ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING),"required compresssion algorithm missing"},
487{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
488{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
489{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
490{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
491{ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"},
492{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
493{ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
494{ERR_REASON(SSL_R_SIGNATURE_ALGORITHMS_ERROR),"signature algorithms error"},
495{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
496{ERR_REASON(SSL_R_SRP_A_CALC) ,"error with the srp params"},
497{ERR_REASON(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES),"srtp could not allocate profiles"},
498{ERR_REASON(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG),"srtp protection profile list too long"},
499{ERR_REASON(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE),"srtp unknown protection profile"},
500{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
501{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"},
502{ERR_REASON(SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT),"ssl3 ext invalid ecpointformat"},
503{ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME),"ssl3 ext invalid servername"},
504{ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE),"ssl3 ext invalid servername type"},
505{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG),"ssl3 session id too long"},
506{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),"ssl3 session id too short"},
507{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),"sslv3 alert bad certificate"},
508{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),"sslv3 alert bad record mac"},
509{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),"sslv3 alert certificate expired"},
510{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),"sslv3 alert certificate revoked"},
511{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),"sslv3 alert certificate unknown"},
512{ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),"sslv3 alert decompression failure"},
513{ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),"sslv3 alert handshake failure"},
514{ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),"sslv3 alert illegal parameter"},
515{ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE),"sslv3 alert no certificate"},
516{ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),"sslv3 alert unexpected message"},
517{ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),"sslv3 alert unsupported certificate"},
518{ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),"ssl ctx has no default ssl version"},
519{ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) ,"ssl handshake failure"},
520{ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),"ssl library has no ciphers"},
521{ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),"ssl session id callback failed"},
522{ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT),"ssl session id conflict"},
523{ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),"ssl session id context too long"},
524{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),"ssl session id has bad length"},
525{ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT),"ssl session id is different"},
526{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),"tlsv1 alert access denied"},
527{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR),"tlsv1 alert decode error"},
528{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
529{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
530{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
531{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
532{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
533{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
534{ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION),"tlsv1 alert protocol version"},
535{ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),"tlsv1 alert record overflow"},
536{ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA),"tlsv1 alert unknown ca"},
537{ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED),"tlsv1 alert user cancelled"},
538{ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE),"tlsv1 bad certificate hash value"},
539{ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE),"tlsv1 bad certificate status response"},
540{ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE),"tlsv1 certificate unobtainable"},
541{ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"},
542{ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"},
543{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
544{ERR_REASON(SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT),"peer does not accept heartbearts"},
545{ERR_REASON(SSL_R_TLS_HEARTBEAT_PENDING) ,"heartbeat request already pending"},
546{ERR_REASON(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL),"tls illegal exporter label"},
547{ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
548{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
549{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"},
550{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"},
551{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"},
552{ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),"unable to decode ecdh certs"},
553{ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY),"unable to extract public key"},
554{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),"unable to find dh parameters"},
555{ERR_REASON(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS),"unable to find ecdh parameters"},
556{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),"unable to find public key parameters"},
557{ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),"unable to find ssl method"},
558{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES),"unable to load ssl2 md5 routines"},
559{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),"unable to load ssl3 md5 routines"},
560{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),"unable to load ssl3 sha1 routines"},
561{ERR_REASON(SSL_R_UNEXPECTED_MESSAGE) ,"unexpected message"},
562{ERR_REASON(SSL_R_UNEXPECTED_RECORD) ,"unexpected record"},
563{ERR_REASON(SSL_R_UNINITIALIZED) ,"uninitialized"},
564{ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE) ,"unknown alert type"},
565{ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
566{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
567{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE) ,"unknown cipher type"},
568{ERR_REASON(SSL_R_UNKNOWN_DIGEST) ,"unknown digest"},
569{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"},
570{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE) ,"unknown pkey type"},
571{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL) ,"unknown protocol"},
572{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
573{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
574{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
575{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
576{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
577{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
578{ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
579{ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},
580{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL) ,"unsupported protocol"},
581{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
582{ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),"unsupported status type"},
583{ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED),"use srtp not negotiated"},
584{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"},
585{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
586{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) ,"wrong message type"},
587{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"},
588{ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
589{ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE) ,"wrong signature size"},
590{ERR_REASON(SSL_R_WRONG_SIGNATURE_TYPE) ,"wrong signature type"},
591{ERR_REASON(SSL_R_WRONG_SSL_VERSION) ,"wrong ssl version"},
592{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"},
593{ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"},
594{ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
595{0,NULL}
596 };
597
598#endif
599
600void ERR_load_SSL_strings(void)
601 {
602#ifndef OPENSSL_NO_ERR
603
604 if (ERR_func_error_string(SSL_str_functs[0].error) == NULL)
605 {
606 ERR_load_strings(0,SSL_str_functs);
607 ERR_load_strings(0,SSL_str_reasons);
608 }
609#endif
610 }
diff --git a/src/lib/libssl/ssl_err2.c b/src/lib/libssl/ssl_err2.c
deleted file mode 100644
index ea95a5f983..0000000000
--- a/src/lib/libssl/ssl_err2.c
+++ /dev/null
@@ -1,70 +0,0 @@
1/* ssl/ssl_err2.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/err.h>
61#include <openssl/ssl.h>
62
63void SSL_load_error_strings(void)
64 {
65#ifndef OPENSSL_NO_ERR
66 ERR_load_crypto_strings();
67 ERR_load_SSL_strings();
68#endif
69 }
70
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
deleted file mode 100644
index f052deeb97..0000000000
--- a/src/lib/libssl/ssl_lib.c
+++ /dev/null
@@ -1,3262 +0,0 @@
1/*! \file ssl/ssl_lib.c
2 * \brief Version independent SSL functions.
3 */
4/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * All rights reserved.
6 *
7 * This package is an SSL implementation written
8 * by Eric Young (eay@cryptsoft.com).
9 * The implementation was written so as to conform with Netscapes SSL.
10 *
11 * This library is free for commercial and non-commercial use as long as
12 * the following conditions are aheared to. The following conditions
13 * apply to all code found in this distribution, be it the RC4, RSA,
14 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
15 * included with this distribution is covered by the same copyright terms
16 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
17 *
18 * Copyright remains Eric Young's, and as such any Copyright notices in
19 * the code are not to be removed.
20 * If this package is used in a product, Eric Young should be given attribution
21 * as the author of the parts of the library used.
22 * This can be in the form of a textual message at program startup or
23 * in documentation (online or textual) provided with the package.
24 *
25 * Redistribution and use in source and binary forms, with or without
26 * modification, are permitted provided that the following conditions
27 * are met:
28 * 1. Redistributions of source code must retain the copyright
29 * notice, this list of conditions and the following disclaimer.
30 * 2. Redistributions in binary form must reproduce the above copyright
31 * notice, this list of conditions and the following disclaimer in the
32 * documentation and/or other materials provided with the distribution.
33 * 3. All advertising materials mentioning features or use of this software
34 * must display the following acknowledgement:
35 * "This product includes cryptographic software written by
36 * Eric Young (eay@cryptsoft.com)"
37 * The word 'cryptographic' can be left out if the rouines from the library
38 * being used are not cryptographic related :-).
39 * 4. If you include any Windows specific code (or a derivative thereof) from
40 * the apps directory (application code) you must include an acknowledgement:
41 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
42 *
43 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
46 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
47 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
48 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
49 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
50 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * SUCH DAMAGE.
54 *
55 * The licence and distribution terms for any publically available version or
56 * derivative of this code cannot be changed. i.e. this code cannot simply be
57 * copied and put under another distribution licence
58 * [including the GNU Public Licence.]
59 */
60/* ====================================================================
61 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
62 *
63 * Redistribution and use in source and binary forms, with or without
64 * modification, are permitted provided that the following conditions
65 * are met:
66 *
67 * 1. Redistributions of source code must retain the above copyright
68 * notice, this list of conditions and the following disclaimer.
69 *
70 * 2. Redistributions in binary form must reproduce the above copyright
71 * notice, this list of conditions and the following disclaimer in
72 * the documentation and/or other materials provided with the
73 * distribution.
74 *
75 * 3. All advertising materials mentioning features or use of this
76 * software must display the following acknowledgment:
77 * "This product includes software developed by the OpenSSL Project
78 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
79 *
80 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
81 * endorse or promote products derived from this software without
82 * prior written permission. For written permission, please contact
83 * openssl-core@openssl.org.
84 *
85 * 5. Products derived from this software may not be called "OpenSSL"
86 * nor may "OpenSSL" appear in their names without prior written
87 * permission of the OpenSSL Project.
88 *
89 * 6. Redistributions of any form whatsoever must retain the following
90 * acknowledgment:
91 * "This product includes software developed by the OpenSSL Project
92 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
93 *
94 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
95 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
96 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
97 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
98 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
99 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
100 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
101 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
102 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
103 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
104 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
105 * OF THE POSSIBILITY OF SUCH DAMAGE.
106 * ====================================================================
107 *
108 * This product includes cryptographic software written by Eric Young
109 * (eay@cryptsoft.com). This product includes software written by Tim
110 * Hudson (tjh@cryptsoft.com).
111 *
112 */
113/* ====================================================================
114 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
115 * ECC cipher suite support in OpenSSL originally developed by
116 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 */
118/* ====================================================================
119 * Copyright 2005 Nokia. All rights reserved.
120 *
121 * The portions of the attached software ("Contribution") is developed by
122 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
123 * license.
124 *
125 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
126 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
127 * support (see RFC 4279) to OpenSSL.
128 *
129 * No patent licenses or other rights except those expressly stated in
130 * the OpenSSL open source license shall be deemed granted or received
131 * expressly, by implication, estoppel, or otherwise.
132 *
133 * No assurances are provided by Nokia that the Contribution does not
134 * infringe the patent or other intellectual property rights of any third
135 * party or that the license provides you with all the necessary rights
136 * to make use of the Contribution.
137 *
138 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
139 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
140 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
141 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
142 * OTHERWISE.
143 */
144
145#ifdef REF_CHECK
146# include <assert.h>
147#endif
148#include <stdio.h>
149#include "ssl_locl.h"
150#include "kssl_lcl.h"
151#include <openssl/objects.h>
152#include <openssl/lhash.h>
153#include <openssl/x509v3.h>
154#include <openssl/rand.h>
155#include <openssl/ocsp.h>
156#ifndef OPENSSL_NO_DH
157#include <openssl/dh.h>
158#endif
159#ifndef OPENSSL_NO_ENGINE
160#include <openssl/engine.h>
161#endif
162
163const char *SSL_version_str=OPENSSL_VERSION_TEXT;
164
165SSL3_ENC_METHOD ssl3_undef_enc_method={
166 /* evil casts, but these functions are only called if there's a library bug */
167 (int (*)(SSL *,int))ssl_undefined_function,
168 (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
169 ssl_undefined_function,
170 (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
171 (int (*)(SSL*, int))ssl_undefined_function,
172 (int (*)(SSL *, const char*, int, unsigned char *))ssl_undefined_function,
173 0, /* finish_mac_length */
174 (int (*)(SSL *, int, unsigned char *))ssl_undefined_function,
175 NULL, /* client_finished_label */
176 0, /* client_finished_label_len */
177 NULL, /* server_finished_label */
178 0, /* server_finished_label_len */
179 (int (*)(int))ssl_undefined_function,
180 (int (*)(SSL *, unsigned char *, size_t, const char *,
181 size_t, const unsigned char *, size_t,
182 int use_context)) ssl_undefined_function,
183 };
184
185int SSL_clear(SSL *s)
186 {
187
188 if (s->method == NULL)
189 {
190 SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
191 return(0);
192 }
193
194 if (ssl_clear_bad_session(s))
195 {
196 SSL_SESSION_free(s->session);
197 s->session=NULL;
198 }
199
200 s->error=0;
201 s->hit=0;
202 s->shutdown=0;
203
204#if 0 /* Disabled since version 1.10 of this file (early return not
205 * needed because SSL_clear is not called when doing renegotiation) */
206 /* This is set if we are doing dynamic renegotiation so keep
207 * the old cipher. It is sort of a SSL_clear_lite :-) */
208 if (s->renegotiate) return(1);
209#else
210 if (s->renegotiate)
211 {
212 SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
213 return 0;
214 }
215#endif
216
217 s->type=0;
218
219 s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
220
221 s->version=s->method->version;
222 s->client_version=s->version;
223 s->rwstate=SSL_NOTHING;
224 s->rstate=SSL_ST_READ_HEADER;
225#if 0
226 s->read_ahead=s->ctx->read_ahead;
227#endif
228
229 if (s->init_buf != NULL)
230 {
231 BUF_MEM_free(s->init_buf);
232 s->init_buf=NULL;
233 }
234
235 ssl_clear_cipher_ctx(s);
236 ssl_clear_hash_ctx(&s->read_hash);
237 ssl_clear_hash_ctx(&s->write_hash);
238
239 s->first_packet=0;
240
241#if 1
242 /* Check to see if we were changed into a different method, if
243 * so, revert back if we are not doing session-id reuse. */
244 if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method))
245 {
246 s->method->ssl_free(s);
247 s->method=s->ctx->method;
248 if (!s->method->ssl_new(s))
249 return(0);
250 }
251 else
252#endif
253 s->method->ssl_clear(s);
254 return(1);
255 }
256
257/** Used to change an SSL_CTXs default SSL method type */
258int SSL_CTX_set_ssl_version(SSL_CTX *ctx,const SSL_METHOD *meth)
259 {
260 STACK_OF(SSL_CIPHER) *sk;
261
262 ctx->method=meth;
263
264 sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
265 &(ctx->cipher_list_by_id),
266 meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
267 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
268 {
269 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
270 return(0);
271 }
272 return(1);
273 }
274
275SSL *SSL_new(SSL_CTX *ctx)
276 {
277 SSL *s;
278
279 if (ctx == NULL)
280 {
281 SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX);
282 return(NULL);
283 }
284 if (ctx->method == NULL)
285 {
286 SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
287 return(NULL);
288 }
289
290 s=(SSL *)OPENSSL_malloc(sizeof(SSL));
291 if (s == NULL) goto err;
292 memset(s,0,sizeof(SSL));
293
294#ifndef OPENSSL_NO_KRB5
295 s->kssl_ctx = kssl_ctx_new();
296#endif /* OPENSSL_NO_KRB5 */
297
298 s->options=ctx->options;
299 s->mode=ctx->mode;
300 s->max_cert_list=ctx->max_cert_list;
301
302 if (ctx->cert != NULL)
303 {
304 /* Earlier library versions used to copy the pointer to
305 * the CERT, not its contents; only when setting new
306 * parameters for the per-SSL copy, ssl_cert_new would be
307 * called (and the direct reference to the per-SSL_CTX
308 * settings would be lost, but those still were indirectly
309 * accessed for various purposes, and for that reason they
310 * used to be known as s->ctx->default_cert).
311 * Now we don't look at the SSL_CTX's CERT after having
312 * duplicated it once. */
313
314 s->cert = ssl_cert_dup(ctx->cert);
315 if (s->cert == NULL)
316 goto err;
317 }
318 else
319 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
320
321 s->read_ahead=ctx->read_ahead;
322 s->msg_callback=ctx->msg_callback;
323 s->msg_callback_arg=ctx->msg_callback_arg;
324 s->verify_mode=ctx->verify_mode;
325#if 0
326 s->verify_depth=ctx->verify_depth;
327#endif
328 s->sid_ctx_length=ctx->sid_ctx_length;
329 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
330 memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
331 s->verify_callback=ctx->default_verify_callback;
332 s->generate_session_id=ctx->generate_session_id;
333
334 s->param = X509_VERIFY_PARAM_new();
335 if (!s->param)
336 goto err;
337 X509_VERIFY_PARAM_inherit(s->param, ctx->param);
338#if 0
339 s->purpose = ctx->purpose;
340 s->trust = ctx->trust;
341#endif
342 s->quiet_shutdown=ctx->quiet_shutdown;
343 s->max_send_fragment = ctx->max_send_fragment;
344
345 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
346 s->ctx=ctx;
347#ifndef OPENSSL_NO_TLSEXT
348 s->tlsext_debug_cb = 0;
349 s->tlsext_debug_arg = NULL;
350 s->tlsext_ticket_expected = 0;
351 s->tlsext_status_type = -1;
352 s->tlsext_status_expected = 0;
353 s->tlsext_ocsp_ids = NULL;
354 s->tlsext_ocsp_exts = NULL;
355 s->tlsext_ocsp_resp = NULL;
356 s->tlsext_ocsp_resplen = -1;
357 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
358 s->initial_ctx=ctx;
359# ifndef OPENSSL_NO_NEXTPROTONEG
360 s->next_proto_negotiated = NULL;
361# endif
362#endif
363
364 s->verify_result=X509_V_OK;
365
366 s->method=ctx->method;
367
368 if (!s->method->ssl_new(s))
369 goto err;
370
371 s->references=1;
372 s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
373
374 SSL_clear(s);
375
376 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
377
378#ifndef OPENSSL_NO_PSK
379 s->psk_client_callback=ctx->psk_client_callback;
380 s->psk_server_callback=ctx->psk_server_callback;
381#endif
382
383 return(s);
384err:
385 if (s != NULL)
386 {
387 if (s->cert != NULL)
388 ssl_cert_free(s->cert);
389 if (s->ctx != NULL)
390 SSL_CTX_free(s->ctx); /* decrement reference count */
391 OPENSSL_free(s);
392 }
393 SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
394 return(NULL);
395 }
396
397int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
398 unsigned int sid_ctx_len)
399 {
400 if(sid_ctx_len > sizeof ctx->sid_ctx)
401 {
402 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
403 return 0;
404 }
405 ctx->sid_ctx_length=sid_ctx_len;
406 memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len);
407
408 return 1;
409 }
410
411int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
412 unsigned int sid_ctx_len)
413 {
414 if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
415 {
416 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
417 return 0;
418 }
419 ssl->sid_ctx_length=sid_ctx_len;
420 memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len);
421
422 return 1;
423 }
424
425int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
426 {
427 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
428 ctx->generate_session_id = cb;
429 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
430 return 1;
431 }
432
433int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
434 {
435 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
436 ssl->generate_session_id = cb;
437 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
438 return 1;
439 }
440
441int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
442 unsigned int id_len)
443 {
444 /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
445 * we can "construct" a session to give us the desired check - ie. to
446 * find if there's a session in the hash table that would conflict with
447 * any new session built out of this id/id_len and the ssl_version in
448 * use by this SSL. */
449 SSL_SESSION r, *p;
450
451 if(id_len > sizeof r.session_id)
452 return 0;
453
454 r.ssl_version = ssl->version;
455 r.session_id_length = id_len;
456 memcpy(r.session_id, id, id_len);
457 /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
458 * callback is calling us to check the uniqueness of a shorter ID, it
459 * must be compared as a padded-out ID because that is what it will be
460 * converted to when the callback has finished choosing it. */
461 if((r.ssl_version == SSL2_VERSION) &&
462 (id_len < SSL2_SSL_SESSION_ID_LENGTH))
463 {
464 memset(r.session_id + id_len, 0,
465 SSL2_SSL_SESSION_ID_LENGTH - id_len);
466 r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
467 }
468
469 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
470 p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r);
471 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
472 return (p != NULL);
473 }
474
475int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
476 {
477 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
478 }
479
480int SSL_set_purpose(SSL *s, int purpose)
481 {
482 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
483 }
484
485int SSL_CTX_set_trust(SSL_CTX *s, int trust)
486 {
487 return X509_VERIFY_PARAM_set_trust(s->param, trust);
488 }
489
490int SSL_set_trust(SSL *s, int trust)
491 {
492 return X509_VERIFY_PARAM_set_trust(s->param, trust);
493 }
494
495int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
496 {
497 return X509_VERIFY_PARAM_set1(ctx->param, vpm);
498 }
499
500int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
501 {
502 return X509_VERIFY_PARAM_set1(ssl->param, vpm);
503 }
504
505void SSL_free(SSL *s)
506 {
507 int i;
508
509 if(s == NULL)
510 return;
511
512 i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
513#ifdef REF_PRINT
514 REF_PRINT("SSL",s);
515#endif
516 if (i > 0) return;
517#ifdef REF_CHECK
518 if (i < 0)
519 {
520 fprintf(stderr,"SSL_free, bad reference count\n");
521 abort(); /* ok */
522 }
523#endif
524
525 if (s->param)
526 X509_VERIFY_PARAM_free(s->param);
527
528 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
529
530 if (s->bbio != NULL)
531 {
532 /* If the buffering BIO is in place, pop it off */
533 if (s->bbio == s->wbio)
534 {
535 s->wbio=BIO_pop(s->wbio);
536 }
537 BIO_free(s->bbio);
538 s->bbio=NULL;
539 }
540 if (s->rbio != NULL)
541 BIO_free_all(s->rbio);
542 if ((s->wbio != NULL) && (s->wbio != s->rbio))
543 BIO_free_all(s->wbio);
544
545 if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
546
547 /* add extra stuff */
548 if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list);
549 if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id);
550
551 /* Make the next call work :-) */
552 if (s->session != NULL)
553 {
554 ssl_clear_bad_session(s);
555 SSL_SESSION_free(s->session);
556 }
557
558 ssl_clear_cipher_ctx(s);
559 ssl_clear_hash_ctx(&s->read_hash);
560 ssl_clear_hash_ctx(&s->write_hash);
561
562 if (s->cert != NULL) ssl_cert_free(s->cert);
563 /* Free up if allocated */
564
565#ifndef OPENSSL_NO_TLSEXT
566 if (s->tlsext_hostname)
567 OPENSSL_free(s->tlsext_hostname);
568 if (s->initial_ctx) SSL_CTX_free(s->initial_ctx);
569#ifndef OPENSSL_NO_EC
570 if (s->tlsext_ecpointformatlist) OPENSSL_free(s->tlsext_ecpointformatlist);
571 if (s->tlsext_ellipticcurvelist) OPENSSL_free(s->tlsext_ellipticcurvelist);
572#endif /* OPENSSL_NO_EC */
573 if (s->tlsext_opaque_prf_input) OPENSSL_free(s->tlsext_opaque_prf_input);
574 if (s->tlsext_ocsp_exts)
575 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
576 X509_EXTENSION_free);
577 if (s->tlsext_ocsp_ids)
578 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
579 if (s->tlsext_ocsp_resp)
580 OPENSSL_free(s->tlsext_ocsp_resp);
581#endif
582
583 if (s->client_CA != NULL)
584 sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
585
586 if (s->method != NULL) s->method->ssl_free(s);
587
588 if (s->ctx) SSL_CTX_free(s->ctx);
589
590#ifndef OPENSSL_NO_KRB5
591 if (s->kssl_ctx != NULL)
592 kssl_ctx_free(s->kssl_ctx);
593#endif /* OPENSSL_NO_KRB5 */
594
595#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
596 if (s->next_proto_negotiated)
597 OPENSSL_free(s->next_proto_negotiated);
598#endif
599
600#ifndef OPENSSL_NO_SRTP
601 if (s->srtp_profiles)
602 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
603#endif
604
605 OPENSSL_free(s);
606 }
607
608void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
609 {
610 /* If the output buffering BIO is still in place, remove it
611 */
612 if (s->bbio != NULL)
613 {
614 if (s->wbio == s->bbio)
615 {
616 s->wbio=s->wbio->next_bio;
617 s->bbio->next_bio=NULL;
618 }
619 }
620 if ((s->rbio != NULL) && (s->rbio != rbio))
621 BIO_free_all(s->rbio);
622 if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio))
623 BIO_free_all(s->wbio);
624 s->rbio=rbio;
625 s->wbio=wbio;
626 }
627
628BIO *SSL_get_rbio(const SSL *s)
629 { return(s->rbio); }
630
631BIO *SSL_get_wbio(const SSL *s)
632 { return(s->wbio); }
633
634int SSL_get_fd(const SSL *s)
635 {
636 return(SSL_get_rfd(s));
637 }
638
639int SSL_get_rfd(const SSL *s)
640 {
641 int ret= -1;
642 BIO *b,*r;
643
644 b=SSL_get_rbio(s);
645 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
646 if (r != NULL)
647 BIO_get_fd(r,&ret);
648 return(ret);
649 }
650
651int SSL_get_wfd(const SSL *s)
652 {
653 int ret= -1;
654 BIO *b,*r;
655
656 b=SSL_get_wbio(s);
657 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
658 if (r != NULL)
659 BIO_get_fd(r,&ret);
660 return(ret);
661 }
662
663#ifndef OPENSSL_NO_SOCK
664int SSL_set_fd(SSL *s,int fd)
665 {
666 int ret=0;
667 BIO *bio=NULL;
668
669 bio=BIO_new(BIO_s_socket());
670
671 if (bio == NULL)
672 {
673 SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
674 goto err;
675 }
676 BIO_set_fd(bio,fd,BIO_NOCLOSE);
677 SSL_set_bio(s,bio,bio);
678 ret=1;
679err:
680 return(ret);
681 }
682
683int SSL_set_wfd(SSL *s,int fd)
684 {
685 int ret=0;
686 BIO *bio=NULL;
687
688 if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
689 || ((int)BIO_get_fd(s->rbio,NULL) != fd))
690 {
691 bio=BIO_new(BIO_s_socket());
692
693 if (bio == NULL)
694 { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
695 BIO_set_fd(bio,fd,BIO_NOCLOSE);
696 SSL_set_bio(s,SSL_get_rbio(s),bio);
697 }
698 else
699 SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s));
700 ret=1;
701err:
702 return(ret);
703 }
704
705int SSL_set_rfd(SSL *s,int fd)
706 {
707 int ret=0;
708 BIO *bio=NULL;
709
710 if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
711 || ((int)BIO_get_fd(s->wbio,NULL) != fd))
712 {
713 bio=BIO_new(BIO_s_socket());
714
715 if (bio == NULL)
716 {
717 SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
718 goto err;
719 }
720 BIO_set_fd(bio,fd,BIO_NOCLOSE);
721 SSL_set_bio(s,bio,SSL_get_wbio(s));
722 }
723 else
724 SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s));
725 ret=1;
726err:
727 return(ret);
728 }
729#endif
730
731
732/* return length of latest Finished message we sent, copy to 'buf' */
733size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
734 {
735 size_t ret = 0;
736
737 if (s->s3 != NULL)
738 {
739 ret = s->s3->tmp.finish_md_len;
740 if (count > ret)
741 count = ret;
742 memcpy(buf, s->s3->tmp.finish_md, count);
743 }
744 return ret;
745 }
746
747/* return length of latest Finished message we expected, copy to 'buf' */
748size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
749 {
750 size_t ret = 0;
751
752 if (s->s3 != NULL)
753 {
754 ret = s->s3->tmp.peer_finish_md_len;
755 if (count > ret)
756 count = ret;
757 memcpy(buf, s->s3->tmp.peer_finish_md, count);
758 }
759 return ret;
760 }
761
762
763int SSL_get_verify_mode(const SSL *s)
764 {
765 return(s->verify_mode);
766 }
767
768int SSL_get_verify_depth(const SSL *s)
769 {
770 return X509_VERIFY_PARAM_get_depth(s->param);
771 }
772
773int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
774 {
775 return(s->verify_callback);
776 }
777
778int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
779 {
780 return(ctx->verify_mode);
781 }
782
783int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
784 {
785 return X509_VERIFY_PARAM_get_depth(ctx->param);
786 }
787
788int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
789 {
790 return(ctx->default_verify_callback);
791 }
792
793void SSL_set_verify(SSL *s,int mode,
794 int (*callback)(int ok,X509_STORE_CTX *ctx))
795 {
796 s->verify_mode=mode;
797 if (callback != NULL)
798 s->verify_callback=callback;
799 }
800
801void SSL_set_verify_depth(SSL *s,int depth)
802 {
803 X509_VERIFY_PARAM_set_depth(s->param, depth);
804 }
805
806void SSL_set_read_ahead(SSL *s,int yes)
807 {
808 s->read_ahead=yes;
809 }
810
811int SSL_get_read_ahead(const SSL *s)
812 {
813 return(s->read_ahead);
814 }
815
816int SSL_pending(const SSL *s)
817 {
818 /* SSL_pending cannot work properly if read-ahead is enabled
819 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
820 * and it is impossible to fix since SSL_pending cannot report
821 * errors that may be observed while scanning the new data.
822 * (Note that SSL_pending() is often used as a boolean value,
823 * so we'd better not return -1.)
824 */
825 return(s->method->ssl_pending(s));
826 }
827
828X509 *SSL_get_peer_certificate(const SSL *s)
829 {
830 X509 *r;
831
832 if ((s == NULL) || (s->session == NULL))
833 r=NULL;
834 else
835 r=s->session->peer;
836
837 if (r == NULL) return(r);
838
839 CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509);
840
841 return(r);
842 }
843
844STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
845 {
846 STACK_OF(X509) *r;
847
848 if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
849 r=NULL;
850 else
851 r=s->session->sess_cert->cert_chain;
852
853 /* If we are a client, cert_chain includes the peer's own
854 * certificate; if we are a server, it does not. */
855
856 return(r);
857 }
858
859/* Now in theory, since the calling process own 't' it should be safe to
860 * modify. We need to be able to read f without being hassled */
861void SSL_copy_session_id(SSL *t,const SSL *f)
862 {
863 CERT *tmp;
864
865 /* Do we need to to SSL locking? */
866 SSL_set_session(t,SSL_get_session(f));
867
868 /* what if we are setup as SSLv2 but want to talk SSLv3 or
869 * vice-versa */
870 if (t->method != f->method)
871 {
872 t->method->ssl_free(t); /* cleanup current */
873 t->method=f->method; /* change method */
874 t->method->ssl_new(t); /* setup new */
875 }
876
877 tmp=t->cert;
878 if (f->cert != NULL)
879 {
880 CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT);
881 t->cert=f->cert;
882 }
883 else
884 t->cert=NULL;
885 if (tmp != NULL) ssl_cert_free(tmp);
886 SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length);
887 }
888
889/* Fix this so it checks all the valid key/cert options */
890int SSL_CTX_check_private_key(const SSL_CTX *ctx)
891 {
892 if ( (ctx == NULL) ||
893 (ctx->cert == NULL) ||
894 (ctx->cert->key->x509 == NULL))
895 {
896 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
897 return(0);
898 }
899 if (ctx->cert->key->privatekey == NULL)
900 {
901 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
902 return(0);
903 }
904 return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey));
905 }
906
907/* Fix this function so that it takes an optional type parameter */
908int SSL_check_private_key(const SSL *ssl)
909 {
910 if (ssl == NULL)
911 {
912 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER);
913 return(0);
914 }
915 if (ssl->cert == NULL)
916 {
917 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
918 return 0;
919 }
920 if (ssl->cert->key->x509 == NULL)
921 {
922 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
923 return(0);
924 }
925 if (ssl->cert->key->privatekey == NULL)
926 {
927 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
928 return(0);
929 }
930 return(X509_check_private_key(ssl->cert->key->x509,
931 ssl->cert->key->privatekey));
932 }
933
934int SSL_accept(SSL *s)
935 {
936 if (s->handshake_func == 0)
937 /* Not properly initialized yet */
938 SSL_set_accept_state(s);
939
940 return(s->method->ssl_accept(s));
941 }
942
943int SSL_connect(SSL *s)
944 {
945 if (s->handshake_func == 0)
946 /* Not properly initialized yet */
947 SSL_set_connect_state(s);
948
949 return(s->method->ssl_connect(s));
950 }
951
952long SSL_get_default_timeout(const SSL *s)
953 {
954 return(s->method->get_timeout());
955 }
956
957int SSL_read(SSL *s,void *buf,int num)
958 {
959 if (s->handshake_func == 0)
960 {
961 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
962 return -1;
963 }
964
965 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
966 {
967 s->rwstate=SSL_NOTHING;
968 return(0);
969 }
970 return(s->method->ssl_read(s,buf,num));
971 }
972
973int SSL_peek(SSL *s,void *buf,int num)
974 {
975 if (s->handshake_func == 0)
976 {
977 SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED);
978 return -1;
979 }
980
981 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
982 {
983 return(0);
984 }
985 return(s->method->ssl_peek(s,buf,num));
986 }
987
988int SSL_write(SSL *s,const void *buf,int num)
989 {
990 if (s->handshake_func == 0)
991 {
992 SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
993 return -1;
994 }
995
996 if (s->shutdown & SSL_SENT_SHUTDOWN)
997 {
998 s->rwstate=SSL_NOTHING;
999 SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN);
1000 return(-1);
1001 }
1002 return(s->method->ssl_write(s,buf,num));
1003 }
1004
1005int SSL_shutdown(SSL *s)
1006 {
1007 /* Note that this function behaves differently from what one might
1008 * expect. Return values are 0 for no success (yet),
1009 * 1 for success; but calling it once is usually not enough,
1010 * even if blocking I/O is used (see ssl3_shutdown).
1011 */
1012
1013 if (s->handshake_func == 0)
1014 {
1015 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
1016 return -1;
1017 }
1018
1019 if ((s != NULL) && !SSL_in_init(s))
1020 return(s->method->ssl_shutdown(s));
1021 else
1022 return(1);
1023 }
1024
1025int SSL_renegotiate(SSL *s)
1026 {
1027 if (s->renegotiate == 0)
1028 s->renegotiate=1;
1029
1030 s->new_session=1;
1031
1032 return(s->method->ssl_renegotiate(s));
1033 }
1034
1035int SSL_renegotiate_abbreviated(SSL *s)
1036 {
1037 if (s->renegotiate == 0)
1038 s->renegotiate=1;
1039
1040 s->new_session=0;
1041
1042 return(s->method->ssl_renegotiate(s));
1043 }
1044
1045int SSL_renegotiate_pending(SSL *s)
1046 {
1047 /* becomes true when negotiation is requested;
1048 * false again once a handshake has finished */
1049 return (s->renegotiate != 0);
1050 }
1051
1052long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
1053 {
1054 long l;
1055
1056 switch (cmd)
1057 {
1058 case SSL_CTRL_GET_READ_AHEAD:
1059 return(s->read_ahead);
1060 case SSL_CTRL_SET_READ_AHEAD:
1061 l=s->read_ahead;
1062 s->read_ahead=larg;
1063 return(l);
1064
1065 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1066 s->msg_callback_arg = parg;
1067 return 1;
1068
1069 case SSL_CTRL_OPTIONS:
1070 return(s->options|=larg);
1071 case SSL_CTRL_CLEAR_OPTIONS:
1072 return(s->options&=~larg);
1073 case SSL_CTRL_MODE:
1074 return(s->mode|=larg);
1075 case SSL_CTRL_CLEAR_MODE:
1076 return(s->mode &=~larg);
1077 case SSL_CTRL_GET_MAX_CERT_LIST:
1078 return(s->max_cert_list);
1079 case SSL_CTRL_SET_MAX_CERT_LIST:
1080 l=s->max_cert_list;
1081 s->max_cert_list=larg;
1082 return(l);
1083 case SSL_CTRL_SET_MTU:
1084#ifndef OPENSSL_NO_DTLS1
1085 if (larg < (long)dtls1_min_mtu())
1086 return 0;
1087#endif
1088
1089 if (SSL_version(s) == DTLS1_VERSION ||
1090 SSL_version(s) == DTLS1_BAD_VER)
1091 {
1092 s->d1->mtu = larg;
1093 return larg;
1094 }
1095 return 0;
1096 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1097 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1098 return 0;
1099 s->max_send_fragment = larg;
1100 return 1;
1101 case SSL_CTRL_GET_RI_SUPPORT:
1102 if (s->s3)
1103 return s->s3->send_connection_binding;
1104 else return 0;
1105 default:
1106 return(s->method->ssl_ctrl(s,cmd,larg,parg));
1107 }
1108 }
1109
1110long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1111 {
1112 switch(cmd)
1113 {
1114 case SSL_CTRL_SET_MSG_CALLBACK:
1115 s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
1116 return 1;
1117
1118 default:
1119 return(s->method->ssl_callback_ctrl(s,cmd,fp));
1120 }
1121 }
1122
1123LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
1124 {
1125 return ctx->sessions;
1126 }
1127
1128long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
1129 {
1130 long l;
1131
1132 switch (cmd)
1133 {
1134 case SSL_CTRL_GET_READ_AHEAD:
1135 return(ctx->read_ahead);
1136 case SSL_CTRL_SET_READ_AHEAD:
1137 l=ctx->read_ahead;
1138 ctx->read_ahead=larg;
1139 return(l);
1140
1141 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1142 ctx->msg_callback_arg = parg;
1143 return 1;
1144
1145 case SSL_CTRL_GET_MAX_CERT_LIST:
1146 return(ctx->max_cert_list);
1147 case SSL_CTRL_SET_MAX_CERT_LIST:
1148 l=ctx->max_cert_list;
1149 ctx->max_cert_list=larg;
1150 return(l);
1151
1152 case SSL_CTRL_SET_SESS_CACHE_SIZE:
1153 l=ctx->session_cache_size;
1154 ctx->session_cache_size=larg;
1155 return(l);
1156 case SSL_CTRL_GET_SESS_CACHE_SIZE:
1157 return(ctx->session_cache_size);
1158 case SSL_CTRL_SET_SESS_CACHE_MODE:
1159 l=ctx->session_cache_mode;
1160 ctx->session_cache_mode=larg;
1161 return(l);
1162 case SSL_CTRL_GET_SESS_CACHE_MODE:
1163 return(ctx->session_cache_mode);
1164
1165 case SSL_CTRL_SESS_NUMBER:
1166 return(lh_SSL_SESSION_num_items(ctx->sessions));
1167 case SSL_CTRL_SESS_CONNECT:
1168 return(ctx->stats.sess_connect);
1169 case SSL_CTRL_SESS_CONNECT_GOOD:
1170 return(ctx->stats.sess_connect_good);
1171 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
1172 return(ctx->stats.sess_connect_renegotiate);
1173 case SSL_CTRL_SESS_ACCEPT:
1174 return(ctx->stats.sess_accept);
1175 case SSL_CTRL_SESS_ACCEPT_GOOD:
1176 return(ctx->stats.sess_accept_good);
1177 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
1178 return(ctx->stats.sess_accept_renegotiate);
1179 case SSL_CTRL_SESS_HIT:
1180 return(ctx->stats.sess_hit);
1181 case SSL_CTRL_SESS_CB_HIT:
1182 return(ctx->stats.sess_cb_hit);
1183 case SSL_CTRL_SESS_MISSES:
1184 return(ctx->stats.sess_miss);
1185 case SSL_CTRL_SESS_TIMEOUTS:
1186 return(ctx->stats.sess_timeout);
1187 case SSL_CTRL_SESS_CACHE_FULL:
1188 return(ctx->stats.sess_cache_full);
1189 case SSL_CTRL_OPTIONS:
1190 return(ctx->options|=larg);
1191 case SSL_CTRL_CLEAR_OPTIONS:
1192 return(ctx->options&=~larg);
1193 case SSL_CTRL_MODE:
1194 return(ctx->mode|=larg);
1195 case SSL_CTRL_CLEAR_MODE:
1196 return(ctx->mode&=~larg);
1197 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1198 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1199 return 0;
1200 ctx->max_send_fragment = larg;
1201 return 1;
1202 default:
1203 return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
1204 }
1205 }
1206
1207long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1208 {
1209 switch(cmd)
1210 {
1211 case SSL_CTRL_SET_MSG_CALLBACK:
1212 ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
1213 return 1;
1214
1215 default:
1216 return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
1217 }
1218 }
1219
1220int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
1221 {
1222 long l;
1223
1224 l=a->id-b->id;
1225 if (l == 0L)
1226 return(0);
1227 else
1228 return((l > 0)?1:-1);
1229 }
1230
1231int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
1232 const SSL_CIPHER * const *bp)
1233 {
1234 long l;
1235
1236 l=(*ap)->id-(*bp)->id;
1237 if (l == 0L)
1238 return(0);
1239 else
1240 return((l > 0)?1:-1);
1241 }
1242
1243/** return a STACK of the ciphers available for the SSL and in order of
1244 * preference */
1245STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
1246 {
1247 if (s != NULL)
1248 {
1249 if (s->cipher_list != NULL)
1250 {
1251 return(s->cipher_list);
1252 }
1253 else if ((s->ctx != NULL) &&
1254 (s->ctx->cipher_list != NULL))
1255 {
1256 return(s->ctx->cipher_list);
1257 }
1258 }
1259 return(NULL);
1260 }
1261
1262/** return a STACK of the ciphers available for the SSL and in order of
1263 * algorithm id */
1264STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
1265 {
1266 if (s != NULL)
1267 {
1268 if (s->cipher_list_by_id != NULL)
1269 {
1270 return(s->cipher_list_by_id);
1271 }
1272 else if ((s->ctx != NULL) &&
1273 (s->ctx->cipher_list_by_id != NULL))
1274 {
1275 return(s->ctx->cipher_list_by_id);
1276 }
1277 }
1278 return(NULL);
1279 }
1280
1281/** The old interface to get the same thing as SSL_get_ciphers() */
1282const char *SSL_get_cipher_list(const SSL *s,int n)
1283 {
1284 SSL_CIPHER *c;
1285 STACK_OF(SSL_CIPHER) *sk;
1286
1287 if (s == NULL) return(NULL);
1288 sk=SSL_get_ciphers(s);
1289 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
1290 return(NULL);
1291 c=sk_SSL_CIPHER_value(sk,n);
1292 if (c == NULL) return(NULL);
1293 return(c->name);
1294 }
1295
1296/** specify the ciphers to be used by default by the SSL_CTX */
1297int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1298 {
1299 STACK_OF(SSL_CIPHER) *sk;
1300
1301 sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
1302 &ctx->cipher_list_by_id,str);
1303 /* ssl_create_cipher_list may return an empty stack if it
1304 * was unable to find a cipher matching the given rule string
1305 * (for example if the rule string specifies a cipher which
1306 * has been disabled). This is not an error as far as
1307 * ssl_create_cipher_list is concerned, and hence
1308 * ctx->cipher_list and ctx->cipher_list_by_id has been
1309 * updated. */
1310 if (sk == NULL)
1311 return 0;
1312 else if (sk_SSL_CIPHER_num(sk) == 0)
1313 {
1314 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1315 return 0;
1316 }
1317 return 1;
1318 }
1319
1320/** specify the ciphers to be used by the SSL */
1321int SSL_set_cipher_list(SSL *s,const char *str)
1322 {
1323 STACK_OF(SSL_CIPHER) *sk;
1324
1325 sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
1326 &s->cipher_list_by_id,str);
1327 /* see comment in SSL_CTX_set_cipher_list */
1328 if (sk == NULL)
1329 return 0;
1330 else if (sk_SSL_CIPHER_num(sk) == 0)
1331 {
1332 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1333 return 0;
1334 }
1335 return 1;
1336 }
1337
1338/* works well for SSLv2, not so good for SSLv3 */
1339char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
1340 {
1341 char *end;
1342 STACK_OF(SSL_CIPHER) *sk;
1343 SSL_CIPHER *c;
1344 size_t curlen = 0;
1345 int i;
1346
1347 if ((s->session == NULL) || (s->session->ciphers == NULL) ||
1348 (len < 2))
1349 return(NULL);
1350
1351 sk=s->session->ciphers;
1352 buf[0] = '\0';
1353 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1354 {
1355 c=sk_SSL_CIPHER_value(sk,i);
1356 end = buf + curlen;
1357 if (strlcat(buf, c->name, len) >= len ||
1358 (curlen = strlcat(buf, ":", len)) >= len)
1359 {
1360 /* remove truncated cipher from list */
1361 *end = '\0';
1362 break;
1363 }
1364 }
1365 /* remove trailing colon */
1366 if ((end = strrchr(buf, ':')) != NULL)
1367 *end = '\0';
1368 return(buf);
1369 }
1370
1371int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
1372 int (*put_cb)(const SSL_CIPHER *, unsigned char *))
1373 {
1374 int i,j=0;
1375 SSL_CIPHER *c;
1376 unsigned char *q;
1377#ifndef OPENSSL_NO_KRB5
1378 int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
1379#endif /* OPENSSL_NO_KRB5 */
1380
1381 if (sk == NULL) return(0);
1382 q=p;
1383
1384 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1385 {
1386 c=sk_SSL_CIPHER_value(sk,i);
1387 /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
1388 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
1389 (TLS1_get_client_version(s) < TLS1_2_VERSION))
1390 continue;
1391#ifndef OPENSSL_NO_KRB5
1392 if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
1393 nokrb5)
1394 continue;
1395#endif /* OPENSSL_NO_KRB5 */
1396#ifndef OPENSSL_NO_PSK
1397 /* with PSK there must be client callback set */
1398 if (((c->algorithm_mkey & SSL_kPSK) || (c->algorithm_auth & SSL_aPSK)) &&
1399 s->psk_client_callback == NULL)
1400 continue;
1401#endif /* OPENSSL_NO_PSK */
1402 j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
1403 p+=j;
1404 }
1405 /* If p == q, no ciphers and caller indicates an error. Otherwise
1406 * add SCSV if not renegotiating.
1407 */
1408 if (p != q && !s->renegotiate)
1409 {
1410 static SSL_CIPHER scsv =
1411 {
1412 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
1413 };
1414 j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
1415 p+=j;
1416#ifdef OPENSSL_RI_DEBUG
1417 fprintf(stderr, "SCSV sent by client\n");
1418#endif
1419 }
1420
1421 return(p-q);
1422 }
1423
1424STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
1425 STACK_OF(SSL_CIPHER) **skp)
1426 {
1427 const SSL_CIPHER *c;
1428 STACK_OF(SSL_CIPHER) *sk;
1429 int i,n;
1430 if (s->s3)
1431 s->s3->send_connection_binding = 0;
1432
1433 n=ssl_put_cipher_by_char(s,NULL,NULL);
1434 if ((num%n) != 0)
1435 {
1436 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
1437 return(NULL);
1438 }
1439 if ((skp == NULL) || (*skp == NULL))
1440 sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */
1441 else
1442 {
1443 sk= *skp;
1444 sk_SSL_CIPHER_zero(sk);
1445 }
1446
1447 for (i=0; i<num; i+=n)
1448 {
1449 /* Check for SCSV */
1450 if (s->s3 && (n != 3 || !p[0]) &&
1451 (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
1452 (p[n-1] == (SSL3_CK_SCSV & 0xff)))
1453 {
1454 /* SCSV fatal if renegotiating */
1455 if (s->renegotiate)
1456 {
1457 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1458 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1459 goto err;
1460 }
1461 s->s3->send_connection_binding = 1;
1462 p += n;
1463#ifdef OPENSSL_RI_DEBUG
1464 fprintf(stderr, "SCSV received by server\n");
1465#endif
1466 continue;
1467 }
1468
1469 c=ssl_get_cipher_by_char(s,p);
1470 p+=n;
1471 if (c != NULL)
1472 {
1473 if (!sk_SSL_CIPHER_push(sk,c))
1474 {
1475 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1476 goto err;
1477 }
1478 }
1479 }
1480
1481 if (skp != NULL)
1482 *skp=sk;
1483 return(sk);
1484err:
1485 if ((skp == NULL) || (*skp == NULL))
1486 sk_SSL_CIPHER_free(sk);
1487 return(NULL);
1488 }
1489
1490
1491#ifndef OPENSSL_NO_TLSEXT
1492/** return a servername extension value if provided in Client Hello, or NULL.
1493 * So far, only host_name types are defined (RFC 3546).
1494 */
1495
1496const char *SSL_get_servername(const SSL *s, const int type)
1497 {
1498 if (type != TLSEXT_NAMETYPE_host_name)
1499 return NULL;
1500
1501 return s->session && !s->tlsext_hostname ?
1502 s->session->tlsext_hostname :
1503 s->tlsext_hostname;
1504 }
1505
1506int SSL_get_servername_type(const SSL *s)
1507 {
1508 if (s->session && (!s->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname))
1509 return TLSEXT_NAMETYPE_host_name;
1510 return -1;
1511 }
1512
1513# ifndef OPENSSL_NO_NEXTPROTONEG
1514/* SSL_select_next_proto implements the standard protocol selection. It is
1515 * expected that this function is called from the callback set by
1516 * SSL_CTX_set_next_proto_select_cb.
1517 *
1518 * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
1519 * strings. The length byte itself is not included in the length. A byte
1520 * string of length 0 is invalid. No byte string may be truncated.
1521 *
1522 * The current, but experimental algorithm for selecting the protocol is:
1523 *
1524 * 1) If the server doesn't support NPN then this is indicated to the
1525 * callback. In this case, the client application has to abort the connection
1526 * or have a default application level protocol.
1527 *
1528 * 2) If the server supports NPN, but advertises an empty list then the
1529 * client selects the first protcol in its list, but indicates via the
1530 * API that this fallback case was enacted.
1531 *
1532 * 3) Otherwise, the client finds the first protocol in the server's list
1533 * that it supports and selects this protocol. This is because it's
1534 * assumed that the server has better information about which protocol
1535 * a client should use.
1536 *
1537 * 4) If the client doesn't support any of the server's advertised
1538 * protocols, then this is treated the same as case 2.
1539 *
1540 * It returns either
1541 * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
1542 * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
1543 */
1544int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *server, unsigned int server_len, const unsigned char *client, unsigned int client_len)
1545 {
1546 unsigned int i, j;
1547 const unsigned char *result;
1548 int status = OPENSSL_NPN_UNSUPPORTED;
1549
1550 /* For each protocol in server preference order, see if we support it. */
1551 for (i = 0; i < server_len; )
1552 {
1553 for (j = 0; j < client_len; )
1554 {
1555 if (server[i] == client[j] &&
1556 memcmp(&server[i+1], &client[j+1], server[i]) == 0)
1557 {
1558 /* We found a match */
1559 result = &server[i];
1560 status = OPENSSL_NPN_NEGOTIATED;
1561 goto found;
1562 }
1563 j += client[j];
1564 j++;
1565 }
1566 i += server[i];
1567 i++;
1568 }
1569
1570 /* There's no overlap between our protocols and the server's list. */
1571 result = client;
1572 status = OPENSSL_NPN_NO_OVERLAP;
1573
1574 found:
1575 *out = (unsigned char *) result + 1;
1576 *outlen = result[0];
1577 return status;
1578 }
1579
1580/* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
1581 * requested protocol for this connection and returns 0. If the client didn't
1582 * request any protocol, then *data is set to NULL.
1583 *
1584 * Note that the client can request any protocol it chooses. The value returned
1585 * from this function need not be a member of the list of supported protocols
1586 * provided by the callback.
1587 */
1588void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len)
1589 {
1590 *data = s->next_proto_negotiated;
1591 if (!*data) {
1592 *len = 0;
1593 } else {
1594 *len = s->next_proto_negotiated_len;
1595 }
1596}
1597
1598/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
1599 * TLS server needs a list of supported protocols for Next Protocol
1600 * Negotiation. The returned list must be in wire format. The list is returned
1601 * by setting |out| to point to it and |outlen| to its length. This memory will
1602 * not be modified, but one should assume that the SSL* keeps a reference to
1603 * it.
1604 *
1605 * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. Otherwise, no
1606 * such extension will be included in the ServerHello. */
1607void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
1608 {
1609 ctx->next_protos_advertised_cb = cb;
1610 ctx->next_protos_advertised_cb_arg = arg;
1611 }
1612
1613/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
1614 * client needs to select a protocol from the server's provided list. |out|
1615 * must be set to point to the selected protocol (which may be within |in|).
1616 * The length of the protocol name must be written into |outlen|. The server's
1617 * advertised protocols are provided in |in| and |inlen|. The callback can
1618 * assume that |in| is syntactically valid.
1619 *
1620 * The client must select a protocol. It is fatal to the connection if this
1621 * callback returns a value other than SSL_TLSEXT_ERR_OK.
1622 */
1623void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg)
1624 {
1625 ctx->next_proto_select_cb = cb;
1626 ctx->next_proto_select_cb_arg = arg;
1627 }
1628# endif
1629#endif
1630
1631int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1632 const char *label, size_t llen, const unsigned char *p, size_t plen,
1633 int use_context)
1634 {
1635 if (s->version < TLS1_VERSION)
1636 return -1;
1637
1638 return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
1639 llen, p, plen,
1640 use_context);
1641 }
1642
1643static unsigned long ssl_session_hash(const SSL_SESSION *a)
1644 {
1645 unsigned long l;
1646
1647 l=(unsigned long)
1648 ((unsigned int) a->session_id[0] )|
1649 ((unsigned int) a->session_id[1]<< 8L)|
1650 ((unsigned long)a->session_id[2]<<16L)|
1651 ((unsigned long)a->session_id[3]<<24L);
1652 return(l);
1653 }
1654
1655/* NB: If this function (or indeed the hash function which uses a sort of
1656 * coarser function than this one) is changed, ensure
1657 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
1658 * able to construct an SSL_SESSION that will collide with any existing session
1659 * with a matching session ID. */
1660static int ssl_session_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
1661 {
1662 if (a->ssl_version != b->ssl_version)
1663 return(1);
1664 if (a->session_id_length != b->session_id_length)
1665 return(1);
1666 return(memcmp(a->session_id,b->session_id,a->session_id_length));
1667 }
1668
1669/* These wrapper functions should remain rather than redeclaring
1670 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
1671 * variable. The reason is that the functions aren't static, they're exposed via
1672 * ssl.h. */
1673static IMPLEMENT_LHASH_HASH_FN(ssl_session, SSL_SESSION)
1674static IMPLEMENT_LHASH_COMP_FN(ssl_session, SSL_SESSION)
1675
1676SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
1677 {
1678 SSL_CTX *ret=NULL;
1679
1680 if (meth == NULL)
1681 {
1682 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
1683 return(NULL);
1684 }
1685
1686#ifdef OPENSSL_FIPS
1687 if (FIPS_mode() && (meth->version < TLS1_VERSION))
1688 {
1689 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
1690 return NULL;
1691 }
1692#endif
1693
1694 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1695 {
1696 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
1697 goto err;
1698 }
1699 ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX));
1700 if (ret == NULL)
1701 goto err;
1702
1703 memset(ret,0,sizeof(SSL_CTX));
1704
1705 ret->method=meth;
1706
1707 ret->cert_store=NULL;
1708 ret->session_cache_mode=SSL_SESS_CACHE_SERVER;
1709 ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
1710 ret->session_cache_head=NULL;
1711 ret->session_cache_tail=NULL;
1712
1713 /* We take the system default */
1714 ret->session_timeout=meth->get_timeout();
1715
1716 ret->new_session_cb=0;
1717 ret->remove_session_cb=0;
1718 ret->get_session_cb=0;
1719 ret->generate_session_id=0;
1720
1721 memset((char *)&ret->stats,0,sizeof(ret->stats));
1722
1723 ret->references=1;
1724 ret->quiet_shutdown=0;
1725
1726/* ret->cipher=NULL;*/
1727/* ret->s2->challenge=NULL;
1728 ret->master_key=NULL;
1729 ret->key_arg=NULL;
1730 ret->s2->conn_id=NULL; */
1731
1732 ret->info_callback=NULL;
1733
1734 ret->app_verify_callback=0;
1735 ret->app_verify_arg=NULL;
1736
1737 ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT;
1738 ret->read_ahead=0;
1739 ret->msg_callback=0;
1740 ret->msg_callback_arg=NULL;
1741 ret->verify_mode=SSL_VERIFY_NONE;
1742#if 0
1743 ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
1744#endif
1745 ret->sid_ctx_length=0;
1746 ret->default_verify_callback=NULL;
1747 if ((ret->cert=ssl_cert_new()) == NULL)
1748 goto err;
1749
1750 ret->default_passwd_callback=0;
1751 ret->default_passwd_callback_userdata=NULL;
1752 ret->client_cert_cb=0;
1753 ret->app_gen_cookie_cb=0;
1754 ret->app_verify_cookie_cb=0;
1755
1756 ret->sessions=lh_SSL_SESSION_new();
1757 if (ret->sessions == NULL) goto err;
1758 ret->cert_store=X509_STORE_new();
1759 if (ret->cert_store == NULL) goto err;
1760
1761 ssl_create_cipher_list(ret->method,
1762 &ret->cipher_list,&ret->cipher_list_by_id,
1763 meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
1764 if (ret->cipher_list == NULL
1765 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
1766 {
1767 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
1768 goto err2;
1769 }
1770
1771 ret->param = X509_VERIFY_PARAM_new();
1772 if (!ret->param)
1773 goto err;
1774
1775 if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
1776 {
1777 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
1778 goto err2;
1779 }
1780 if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
1781 {
1782 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
1783 goto err2;
1784 }
1785 if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL)
1786 {
1787 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
1788 goto err2;
1789 }
1790
1791 if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
1792 goto err;
1793
1794 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
1795
1796 ret->extra_certs=NULL;
1797 /* No compression for DTLS */
1798 if (meth->version != DTLS1_VERSION)
1799 ret->comp_methods=SSL_COMP_get_compression_methods();
1800
1801 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
1802
1803#ifndef OPENSSL_NO_TLSEXT
1804 ret->tlsext_servername_callback = 0;
1805 ret->tlsext_servername_arg = NULL;
1806 /* Setup RFC4507 ticket keys */
1807 if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
1808 || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
1809 || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
1810 ret->options |= SSL_OP_NO_TICKET;
1811
1812 ret->tlsext_status_cb = 0;
1813 ret->tlsext_status_arg = NULL;
1814
1815# ifndef OPENSSL_NO_NEXTPROTONEG
1816 ret->next_protos_advertised_cb = 0;
1817 ret->next_proto_select_cb = 0;
1818# endif
1819#endif
1820#ifndef OPENSSL_NO_PSK
1821 ret->psk_identity_hint=NULL;
1822 ret->psk_client_callback=NULL;
1823 ret->psk_server_callback=NULL;
1824#endif
1825#ifndef OPENSSL_NO_SRP
1826 SSL_CTX_SRP_CTX_init(ret);
1827#endif
1828#ifndef OPENSSL_NO_BUF_FREELISTS
1829 ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
1830 ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
1831 if (!ret->rbuf_freelist)
1832 goto err;
1833 ret->rbuf_freelist->chunklen = 0;
1834 ret->rbuf_freelist->len = 0;
1835 ret->rbuf_freelist->head = NULL;
1836 ret->wbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
1837 if (!ret->wbuf_freelist)
1838 {
1839 OPENSSL_free(ret->rbuf_freelist);
1840 goto err;
1841 }
1842 ret->wbuf_freelist->chunklen = 0;
1843 ret->wbuf_freelist->len = 0;
1844 ret->wbuf_freelist->head = NULL;
1845#endif
1846#ifndef OPENSSL_NO_ENGINE
1847 ret->client_cert_engine = NULL;
1848#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
1849#define eng_strx(x) #x
1850#define eng_str(x) eng_strx(x)
1851 /* Use specific client engine automatically... ignore errors */
1852 {
1853 ENGINE *eng;
1854 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
1855 if (!eng)
1856 {
1857 ERR_clear_error();
1858 ENGINE_load_builtin_engines();
1859 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
1860 }
1861 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
1862 ERR_clear_error();
1863 }
1864#endif
1865#endif
1866 /* Default is to connect to non-RI servers. When RI is more widely
1867 * deployed might change this.
1868 */
1869 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
1870
1871 return(ret);
1872err:
1873 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
1874err2:
1875 if (ret != NULL) SSL_CTX_free(ret);
1876 return(NULL);
1877 }
1878
1879#if 0
1880static void SSL_COMP_free(SSL_COMP *comp)
1881 { OPENSSL_free(comp); }
1882#endif
1883
1884#ifndef OPENSSL_NO_BUF_FREELISTS
1885static void
1886ssl_buf_freelist_free(SSL3_BUF_FREELIST *list)
1887 {
1888 SSL3_BUF_FREELIST_ENTRY *ent, *next;
1889 for (ent = list->head; ent; ent = next)
1890 {
1891 next = ent->next;
1892 OPENSSL_free(ent);
1893 }
1894 OPENSSL_free(list);
1895 }
1896#endif
1897
1898void SSL_CTX_free(SSL_CTX *a)
1899 {
1900 int i;
1901
1902 if (a == NULL) return;
1903
1904 i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX);
1905#ifdef REF_PRINT
1906 REF_PRINT("SSL_CTX",a);
1907#endif
1908 if (i > 0) return;
1909#ifdef REF_CHECK
1910 if (i < 0)
1911 {
1912 fprintf(stderr,"SSL_CTX_free, bad reference count\n");
1913 abort(); /* ok */
1914 }
1915#endif
1916
1917 if (a->param)
1918 X509_VERIFY_PARAM_free(a->param);
1919
1920 /*
1921 * Free internal session cache. However: the remove_cb() may reference
1922 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
1923 * after the sessions were flushed.
1924 * As the ex_data handling routines might also touch the session cache,
1925 * the most secure solution seems to be: empty (flush) the cache, then
1926 * free ex_data, then finally free the cache.
1927 * (See ticket [openssl.org #212].)
1928 */
1929 if (a->sessions != NULL)
1930 SSL_CTX_flush_sessions(a,0);
1931
1932 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
1933
1934 if (a->sessions != NULL)
1935 lh_SSL_SESSION_free(a->sessions);
1936
1937 if (a->cert_store != NULL)
1938 X509_STORE_free(a->cert_store);
1939 if (a->cipher_list != NULL)
1940 sk_SSL_CIPHER_free(a->cipher_list);
1941 if (a->cipher_list_by_id != NULL)
1942 sk_SSL_CIPHER_free(a->cipher_list_by_id);
1943 if (a->cert != NULL)
1944 ssl_cert_free(a->cert);
1945 if (a->client_CA != NULL)
1946 sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
1947 if (a->extra_certs != NULL)
1948 sk_X509_pop_free(a->extra_certs,X509_free);
1949#if 0 /* This should never be done, since it removes a global database */
1950 if (a->comp_methods != NULL)
1951 sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
1952#else
1953 a->comp_methods = NULL;
1954#endif
1955
1956#ifndef OPENSSL_NO_SRTP
1957 if (a->srtp_profiles)
1958 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
1959#endif
1960
1961#ifndef OPENSSL_NO_PSK
1962 if (a->psk_identity_hint)
1963 OPENSSL_free(a->psk_identity_hint);
1964#endif
1965#ifndef OPENSSL_NO_SRP
1966 SSL_CTX_SRP_CTX_free(a);
1967#endif
1968#ifndef OPENSSL_NO_ENGINE
1969 if (a->client_cert_engine)
1970 ENGINE_finish(a->client_cert_engine);
1971#endif
1972
1973#ifndef OPENSSL_NO_BUF_FREELISTS
1974 if (a->wbuf_freelist)
1975 ssl_buf_freelist_free(a->wbuf_freelist);
1976 if (a->rbuf_freelist)
1977 ssl_buf_freelist_free(a->rbuf_freelist);
1978#endif
1979
1980 OPENSSL_free(a);
1981 }
1982
1983void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
1984 {
1985 ctx->default_passwd_callback=cb;
1986 }
1987
1988void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
1989 {
1990 ctx->default_passwd_callback_userdata=u;
1991 }
1992
1993void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg)
1994 {
1995 ctx->app_verify_callback=cb;
1996 ctx->app_verify_arg=arg;
1997 }
1998
1999void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
2000 {
2001 ctx->verify_mode=mode;
2002 ctx->default_verify_callback=cb;
2003 }
2004
2005void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
2006 {
2007 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2008 }
2009
2010void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2011 {
2012 CERT_PKEY *cpk;
2013 int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
2014 int rsa_enc_export,dh_rsa_export,dh_dsa_export;
2015 int rsa_tmp_export,dh_tmp_export,kl;
2016 unsigned long mask_k,mask_a,emask_k,emask_a;
2017 int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
2018#ifndef OPENSSL_NO_ECDH
2019 int have_ecdh_tmp;
2020#endif
2021 X509 *x = NULL;
2022 EVP_PKEY *ecc_pkey = NULL;
2023 int signature_nid = 0, pk_nid = 0, md_nid = 0;
2024
2025 if (c == NULL) return;
2026
2027 kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
2028
2029#ifndef OPENSSL_NO_RSA
2030 rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
2031 rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
2032 (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
2033#else
2034 rsa_tmp=rsa_tmp_export=0;
2035#endif
2036#ifndef OPENSSL_NO_DH
2037 dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
2038 dh_tmp_export=(c->dh_tmp_cb != NULL ||
2039 (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
2040#else
2041 dh_tmp=dh_tmp_export=0;
2042#endif
2043
2044#ifndef OPENSSL_NO_ECDH
2045 have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
2046#endif
2047 cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
2048 rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
2049 rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
2050 cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
2051 rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
2052 cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
2053 dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
2054 cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
2055 dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
2056 dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
2057 cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
2058/* FIX THIS EAY EAY EAY */
2059 dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
2060 dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
2061 cpk= &(c->pkeys[SSL_PKEY_ECC]);
2062 have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
2063 mask_k=0;
2064 mask_a=0;
2065 emask_k=0;
2066 emask_a=0;
2067
2068
2069
2070#ifdef CIPHER_DEBUG
2071 printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
2072 rsa_tmp,rsa_tmp_export,dh_tmp,have_ecdh_tmp,
2073 rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
2074#endif
2075
2076 cpk = &(c->pkeys[SSL_PKEY_GOST01]);
2077 if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
2078 mask_k |= SSL_kGOST;
2079 mask_a |= SSL_aGOST01;
2080 }
2081 cpk = &(c->pkeys[SSL_PKEY_GOST94]);
2082 if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
2083 mask_k |= SSL_kGOST;
2084 mask_a |= SSL_aGOST94;
2085 }
2086
2087 if (rsa_enc || (rsa_tmp && rsa_sign))
2088 mask_k|=SSL_kRSA;
2089 if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
2090 emask_k|=SSL_kRSA;
2091
2092#if 0
2093 /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
2094 if ( (dh_tmp || dh_rsa || dh_dsa) &&
2095 (rsa_enc || rsa_sign || dsa_sign))
2096 mask_k|=SSL_kEDH;
2097 if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
2098 (rsa_enc || rsa_sign || dsa_sign))
2099 emask_k|=SSL_kEDH;
2100#endif
2101
2102 if (dh_tmp_export)
2103 emask_k|=SSL_kEDH;
2104
2105 if (dh_tmp)
2106 mask_k|=SSL_kEDH;
2107
2108 if (dh_rsa) mask_k|=SSL_kDHr;
2109 if (dh_rsa_export) emask_k|=SSL_kDHr;
2110
2111 if (dh_dsa) mask_k|=SSL_kDHd;
2112 if (dh_dsa_export) emask_k|=SSL_kDHd;
2113
2114 if (rsa_enc || rsa_sign)
2115 {
2116 mask_a|=SSL_aRSA;
2117 emask_a|=SSL_aRSA;
2118 }
2119
2120 if (dsa_sign)
2121 {
2122 mask_a|=SSL_aDSS;
2123 emask_a|=SSL_aDSS;
2124 }
2125
2126 mask_a|=SSL_aNULL;
2127 emask_a|=SSL_aNULL;
2128
2129#ifndef OPENSSL_NO_KRB5
2130 mask_k|=SSL_kKRB5;
2131 mask_a|=SSL_aKRB5;
2132 emask_k|=SSL_kKRB5;
2133 emask_a|=SSL_aKRB5;
2134#endif
2135
2136 /* An ECC certificate may be usable for ECDH and/or
2137 * ECDSA cipher suites depending on the key usage extension.
2138 */
2139 if (have_ecc_cert)
2140 {
2141 /* This call populates extension flags (ex_flags) */
2142 x = (c->pkeys[SSL_PKEY_ECC]).x509;
2143 X509_check_purpose(x, -1, 0);
2144 ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
2145 (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
2146 ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
2147 (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
2148 ecc_pkey = X509_get_pubkey(x);
2149 ecc_pkey_size = (ecc_pkey != NULL) ?
2150 EVP_PKEY_bits(ecc_pkey) : 0;
2151 EVP_PKEY_free(ecc_pkey);
2152 if ((x->sig_alg) && (x->sig_alg->algorithm))
2153 {
2154 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
2155 OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
2156 }
2157#ifndef OPENSSL_NO_ECDH
2158 if (ecdh_ok)
2159 {
2160
2161 if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa)
2162 {
2163 mask_k|=SSL_kECDHr;
2164 mask_a|=SSL_aECDH;
2165 if (ecc_pkey_size <= 163)
2166 {
2167 emask_k|=SSL_kECDHr;
2168 emask_a|=SSL_aECDH;
2169 }
2170 }
2171
2172 if (pk_nid == NID_X9_62_id_ecPublicKey)
2173 {
2174 mask_k|=SSL_kECDHe;
2175 mask_a|=SSL_aECDH;
2176 if (ecc_pkey_size <= 163)
2177 {
2178 emask_k|=SSL_kECDHe;
2179 emask_a|=SSL_aECDH;
2180 }
2181 }
2182 }
2183#endif
2184#ifndef OPENSSL_NO_ECDSA
2185 if (ecdsa_ok)
2186 {
2187 mask_a|=SSL_aECDSA;
2188 emask_a|=SSL_aECDSA;
2189 }
2190#endif
2191 }
2192
2193#ifndef OPENSSL_NO_ECDH
2194 if (have_ecdh_tmp)
2195 {
2196 mask_k|=SSL_kEECDH;
2197 emask_k|=SSL_kEECDH;
2198 }
2199#endif
2200
2201#ifndef OPENSSL_NO_PSK
2202 mask_k |= SSL_kPSK;
2203 mask_a |= SSL_aPSK;
2204 emask_k |= SSL_kPSK;
2205 emask_a |= SSL_aPSK;
2206#endif
2207
2208 c->mask_k=mask_k;
2209 c->mask_a=mask_a;
2210 c->export_mask_k=emask_k;
2211 c->export_mask_a=emask_a;
2212 c->valid=1;
2213 }
2214
2215/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
2216#define ku_reject(x, usage) \
2217 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
2218
2219#ifndef OPENSSL_NO_EC
2220
2221int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2222 {
2223 unsigned long alg_k, alg_a;
2224 EVP_PKEY *pkey = NULL;
2225 int keysize = 0;
2226 int signature_nid = 0, md_nid = 0, pk_nid = 0;
2227 const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
2228
2229 alg_k = cs->algorithm_mkey;
2230 alg_a = cs->algorithm_auth;
2231
2232 if (SSL_C_IS_EXPORT(cs))
2233 {
2234 /* ECDH key length in export ciphers must be <= 163 bits */
2235 pkey = X509_get_pubkey(x);
2236 if (pkey == NULL) return 0;
2237 keysize = EVP_PKEY_bits(pkey);
2238 EVP_PKEY_free(pkey);
2239 if (keysize > 163) return 0;
2240 }
2241
2242 /* This call populates the ex_flags field correctly */
2243 X509_check_purpose(x, -1, 0);
2244 if ((x->sig_alg) && (x->sig_alg->algorithm))
2245 {
2246 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
2247 OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
2248 }
2249 if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
2250 {
2251 /* key usage, if present, must allow key agreement */
2252 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
2253 {
2254 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
2255 return 0;
2256 }
2257 if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
2258 {
2259 /* signature alg must be ECDSA */
2260 if (pk_nid != NID_X9_62_id_ecPublicKey)
2261 {
2262 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
2263 return 0;
2264 }
2265 }
2266 if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
2267 {
2268 /* signature alg must be RSA */
2269
2270 if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)
2271 {
2272 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
2273 return 0;
2274 }
2275 }
2276 }
2277 if (alg_a & SSL_aECDSA)
2278 {
2279 /* key usage, if present, must allow signing */
2280 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
2281 {
2282 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
2283 return 0;
2284 }
2285 }
2286
2287 return 1; /* all checks are ok */
2288 }
2289
2290#endif
2291
2292/* THIS NEEDS CLEANING UP */
2293CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
2294 {
2295 unsigned long alg_k,alg_a;
2296 CERT *c;
2297 int i;
2298
2299 c=s->cert;
2300 ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
2301
2302 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2303 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2304
2305 if (alg_k & (SSL_kECDHr|SSL_kECDHe))
2306 {
2307 /* we don't need to look at SSL_kEECDH
2308 * since no certificate is needed for
2309 * anon ECDH and for authenticated
2310 * EECDH, the check for the auth
2311 * algorithm will set i correctly
2312 * NOTE: For ECDH-RSA, we need an ECC
2313 * not an RSA cert but for EECDH-RSA
2314 * we need an RSA cert. Placing the
2315 * checks for SSL_kECDH before RSA
2316 * checks ensures the correct cert is chosen.
2317 */
2318 i=SSL_PKEY_ECC;
2319 }
2320 else if (alg_a & SSL_aECDSA)
2321 {
2322 i=SSL_PKEY_ECC;
2323 }
2324 else if (alg_k & SSL_kDHr)
2325 i=SSL_PKEY_DH_RSA;
2326 else if (alg_k & SSL_kDHd)
2327 i=SSL_PKEY_DH_DSA;
2328 else if (alg_a & SSL_aDSS)
2329 i=SSL_PKEY_DSA_SIGN;
2330 else if (alg_a & SSL_aRSA)
2331 {
2332 if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
2333 i=SSL_PKEY_RSA_SIGN;
2334 else
2335 i=SSL_PKEY_RSA_ENC;
2336 }
2337 else if (alg_a & SSL_aKRB5)
2338 {
2339 /* VRS something else here? */
2340 return(NULL);
2341 }
2342 else if (alg_a & SSL_aGOST94)
2343 i=SSL_PKEY_GOST94;
2344 else if (alg_a & SSL_aGOST01)
2345 i=SSL_PKEY_GOST01;
2346 else /* if (alg_a & SSL_aNULL) */
2347 {
2348 SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR);
2349 return(NULL);
2350 }
2351
2352 return c->pkeys + i;
2353 }
2354
2355X509 *ssl_get_server_send_cert(const SSL *s)
2356 {
2357 CERT_PKEY *cpk;
2358 cpk = ssl_get_server_send_pkey(s);
2359 if (!cpk)
2360 return NULL;
2361 return cpk->x509;
2362 }
2363
2364EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
2365 {
2366 unsigned long alg_a;
2367 CERT *c;
2368 int idx = -1;
2369
2370 alg_a = cipher->algorithm_auth;
2371 c=s->cert;
2372
2373 if ((alg_a & SSL_aDSS) &&
2374 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
2375 idx = SSL_PKEY_DSA_SIGN;
2376 else if (alg_a & SSL_aRSA)
2377 {
2378 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
2379 idx = SSL_PKEY_RSA_SIGN;
2380 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
2381 idx = SSL_PKEY_RSA_ENC;
2382 }
2383 else if ((alg_a & SSL_aECDSA) &&
2384 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
2385 idx = SSL_PKEY_ECC;
2386 if (idx == -1)
2387 {
2388 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
2389 return(NULL);
2390 }
2391 if (pmd)
2392 *pmd = c->pkeys[idx].digest;
2393 return c->pkeys[idx].privatekey;
2394 }
2395
2396void ssl_update_cache(SSL *s,int mode)
2397 {
2398 int i;
2399
2400 /* If the session_id_length is 0, we are not supposed to cache it,
2401 * and it would be rather hard to do anyway :-) */
2402 if (s->session->session_id_length == 0) return;
2403
2404 i=s->session_ctx->session_cache_mode;
2405 if ((i & mode) && (!s->hit)
2406 && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
2407 || SSL_CTX_add_session(s->session_ctx,s->session))
2408 && (s->session_ctx->new_session_cb != NULL))
2409 {
2410 CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
2411 if (!s->session_ctx->new_session_cb(s,s->session))
2412 SSL_SESSION_free(s->session);
2413 }
2414
2415 /* auto flush every 255 connections */
2416 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
2417 ((i & mode) == mode))
2418 {
2419 if ( (((mode & SSL_SESS_CACHE_CLIENT)
2420 ?s->session_ctx->stats.sess_connect_good
2421 :s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff)
2422 {
2423 SSL_CTX_flush_sessions(s->session_ctx,(unsigned long)time(NULL));
2424 }
2425 }
2426 }
2427
2428const SSL_METHOD *SSL_get_ssl_method(SSL *s)
2429 {
2430 return(s->method);
2431 }
2432
2433int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
2434 {
2435 int conn= -1;
2436 int ret=1;
2437
2438 if (s->method != meth)
2439 {
2440 if (s->handshake_func != NULL)
2441 conn=(s->handshake_func == s->method->ssl_connect);
2442
2443 if (s->method->version == meth->version)
2444 s->method=meth;
2445 else
2446 {
2447 s->method->ssl_free(s);
2448 s->method=meth;
2449 ret=s->method->ssl_new(s);
2450 }
2451
2452 if (conn == 1)
2453 s->handshake_func=meth->ssl_connect;
2454 else if (conn == 0)
2455 s->handshake_func=meth->ssl_accept;
2456 }
2457 return(ret);
2458 }
2459
2460int SSL_get_error(const SSL *s,int i)
2461 {
2462 int reason;
2463 unsigned long l;
2464 BIO *bio;
2465
2466 if (i > 0) return(SSL_ERROR_NONE);
2467
2468 /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
2469 * etc, where we do encode the error */
2470 if ((l=ERR_peek_error()) != 0)
2471 {
2472 if (ERR_GET_LIB(l) == ERR_LIB_SYS)
2473 return(SSL_ERROR_SYSCALL);
2474 else
2475 return(SSL_ERROR_SSL);
2476 }
2477
2478 if ((i < 0) && SSL_want_read(s))
2479 {
2480 bio=SSL_get_rbio(s);
2481 if (BIO_should_read(bio))
2482 return(SSL_ERROR_WANT_READ);
2483 else if (BIO_should_write(bio))
2484 /* This one doesn't make too much sense ... We never try
2485 * to write to the rbio, and an application program where
2486 * rbio and wbio are separate couldn't even know what it
2487 * should wait for.
2488 * However if we ever set s->rwstate incorrectly
2489 * (so that we have SSL_want_read(s) instead of
2490 * SSL_want_write(s)) and rbio and wbio *are* the same,
2491 * this test works around that bug; so it might be safer
2492 * to keep it. */
2493 return(SSL_ERROR_WANT_WRITE);
2494 else if (BIO_should_io_special(bio))
2495 {
2496 reason=BIO_get_retry_reason(bio);
2497 if (reason == BIO_RR_CONNECT)
2498 return(SSL_ERROR_WANT_CONNECT);
2499 else if (reason == BIO_RR_ACCEPT)
2500 return(SSL_ERROR_WANT_ACCEPT);
2501 else
2502 return(SSL_ERROR_SYSCALL); /* unknown */
2503 }
2504 }
2505
2506 if ((i < 0) && SSL_want_write(s))
2507 {
2508 bio=SSL_get_wbio(s);
2509 if (BIO_should_write(bio))
2510 return(SSL_ERROR_WANT_WRITE);
2511 else if (BIO_should_read(bio))
2512 /* See above (SSL_want_read(s) with BIO_should_write(bio)) */
2513 return(SSL_ERROR_WANT_READ);
2514 else if (BIO_should_io_special(bio))
2515 {
2516 reason=BIO_get_retry_reason(bio);
2517 if (reason == BIO_RR_CONNECT)
2518 return(SSL_ERROR_WANT_CONNECT);
2519 else if (reason == BIO_RR_ACCEPT)
2520 return(SSL_ERROR_WANT_ACCEPT);
2521 else
2522 return(SSL_ERROR_SYSCALL);
2523 }
2524 }
2525 if ((i < 0) && SSL_want_x509_lookup(s))
2526 {
2527 return(SSL_ERROR_WANT_X509_LOOKUP);
2528 }
2529
2530 if (i == 0)
2531 {
2532 if (s->version == SSL2_VERSION)
2533 {
2534 /* assume it is the socket being closed */
2535 return(SSL_ERROR_ZERO_RETURN);
2536 }
2537 else
2538 {
2539 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
2540 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
2541 return(SSL_ERROR_ZERO_RETURN);
2542 }
2543 }
2544 return(SSL_ERROR_SYSCALL);
2545 }
2546
2547int SSL_do_handshake(SSL *s)
2548 {
2549 int ret=1;
2550
2551 if (s->handshake_func == NULL)
2552 {
2553 SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
2554 return(-1);
2555 }
2556
2557 s->method->ssl_renegotiate_check(s);
2558
2559 if (SSL_in_init(s) || SSL_in_before(s))
2560 {
2561 ret=s->handshake_func(s);
2562 }
2563 return(ret);
2564 }
2565
2566/* For the next 2 functions, SSL_clear() sets shutdown and so
2567 * one of these calls will reset it */
2568void SSL_set_accept_state(SSL *s)
2569 {
2570 s->server=1;
2571 s->shutdown=0;
2572 s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
2573 s->handshake_func=s->method->ssl_accept;
2574 /* clear the current cipher */
2575 ssl_clear_cipher_ctx(s);
2576 ssl_clear_hash_ctx(&s->read_hash);
2577 ssl_clear_hash_ctx(&s->write_hash);
2578 }
2579
2580void SSL_set_connect_state(SSL *s)
2581 {
2582 s->server=0;
2583 s->shutdown=0;
2584 s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
2585 s->handshake_func=s->method->ssl_connect;
2586 /* clear the current cipher */
2587 ssl_clear_cipher_ctx(s);
2588 ssl_clear_hash_ctx(&s->read_hash);
2589 ssl_clear_hash_ctx(&s->write_hash);
2590 }
2591
2592int ssl_undefined_function(SSL *s)
2593 {
2594 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2595 return(0);
2596 }
2597
2598int ssl_undefined_void_function(void)
2599 {
2600 SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2601 return(0);
2602 }
2603
2604int ssl_undefined_const_function(const SSL *s)
2605 {
2606 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2607 return(0);
2608 }
2609
2610SSL_METHOD *ssl_bad_method(int ver)
2611 {
2612 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2613 return(NULL);
2614 }
2615
2616const char *SSL_get_version(const SSL *s)
2617 {
2618 if (s->version == TLS1_2_VERSION)
2619 return("TLSv1.2");
2620 else if (s->version == TLS1_1_VERSION)
2621 return("TLSv1.1");
2622 else if (s->version == TLS1_VERSION)
2623 return("TLSv1");
2624 else if (s->version == SSL3_VERSION)
2625 return("SSLv3");
2626 else if (s->version == SSL2_VERSION)
2627 return("SSLv2");
2628 else
2629 return("unknown");
2630 }
2631
2632SSL *SSL_dup(SSL *s)
2633 {
2634 STACK_OF(X509_NAME) *sk;
2635 X509_NAME *xn;
2636 SSL *ret;
2637 int i;
2638
2639 if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
2640 return(NULL);
2641
2642 ret->version = s->version;
2643 ret->type = s->type;
2644 ret->method = s->method;
2645
2646 if (s->session != NULL)
2647 {
2648 /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
2649 SSL_copy_session_id(ret,s);
2650 }
2651 else
2652 {
2653 /* No session has been established yet, so we have to expect
2654 * that s->cert or ret->cert will be changed later --
2655 * they should not both point to the same object,
2656 * and thus we can't use SSL_copy_session_id. */
2657
2658 ret->method->ssl_free(ret);
2659 ret->method = s->method;
2660 ret->method->ssl_new(ret);
2661
2662 if (s->cert != NULL)
2663 {
2664 if (ret->cert != NULL)
2665 {
2666 ssl_cert_free(ret->cert);
2667 }
2668 ret->cert = ssl_cert_dup(s->cert);
2669 if (ret->cert == NULL)
2670 goto err;
2671 }
2672
2673 SSL_set_session_id_context(ret,
2674 s->sid_ctx, s->sid_ctx_length);
2675 }
2676
2677 ret->options=s->options;
2678 ret->mode=s->mode;
2679 SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s));
2680 SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
2681 ret->msg_callback = s->msg_callback;
2682 ret->msg_callback_arg = s->msg_callback_arg;
2683 SSL_set_verify(ret,SSL_get_verify_mode(s),
2684 SSL_get_verify_callback(s));
2685 SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
2686 ret->generate_session_id = s->generate_session_id;
2687
2688 SSL_set_info_callback(ret,SSL_get_info_callback(s));
2689
2690 ret->debug=s->debug;
2691
2692 /* copy app data, a little dangerous perhaps */
2693 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
2694 goto err;
2695
2696 /* setup rbio, and wbio */
2697 if (s->rbio != NULL)
2698 {
2699 if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
2700 goto err;
2701 }
2702 if (s->wbio != NULL)
2703 {
2704 if (s->wbio != s->rbio)
2705 {
2706 if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
2707 goto err;
2708 }
2709 else
2710 ret->wbio=ret->rbio;
2711 }
2712 ret->rwstate = s->rwstate;
2713 ret->in_handshake = s->in_handshake;
2714 ret->handshake_func = s->handshake_func;
2715 ret->server = s->server;
2716 ret->renegotiate = s->renegotiate;
2717 ret->new_session = s->new_session;
2718 ret->quiet_shutdown = s->quiet_shutdown;
2719 ret->shutdown=s->shutdown;
2720 ret->state=s->state; /* SSL_dup does not really work at any state, though */
2721 ret->rstate=s->rstate;
2722 ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
2723 ret->hit=s->hit;
2724
2725 X509_VERIFY_PARAM_inherit(ret->param, s->param);
2726
2727 /* dup the cipher_list and cipher_list_by_id stacks */
2728 if (s->cipher_list != NULL)
2729 {
2730 if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
2731 goto err;
2732 }
2733 if (s->cipher_list_by_id != NULL)
2734 if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id))
2735 == NULL)
2736 goto err;
2737
2738 /* Dup the client_CA list */
2739 if (s->client_CA != NULL)
2740 {
2741 if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
2742 ret->client_CA=sk;
2743 for (i=0; i<sk_X509_NAME_num(sk); i++)
2744 {
2745 xn=sk_X509_NAME_value(sk,i);
2746 if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL)
2747 {
2748 X509_NAME_free(xn);
2749 goto err;
2750 }
2751 }
2752 }
2753
2754 if (0)
2755 {
2756err:
2757 if (ret != NULL) SSL_free(ret);
2758 ret=NULL;
2759 }
2760 return(ret);
2761 }
2762
2763void ssl_clear_cipher_ctx(SSL *s)
2764 {
2765 if (s->enc_read_ctx != NULL)
2766 {
2767 EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
2768 OPENSSL_free(s->enc_read_ctx);
2769 s->enc_read_ctx=NULL;
2770 }
2771 if (s->enc_write_ctx != NULL)
2772 {
2773 EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
2774 OPENSSL_free(s->enc_write_ctx);
2775 s->enc_write_ctx=NULL;
2776 }
2777#ifndef OPENSSL_NO_COMP
2778 if (s->expand != NULL)
2779 {
2780 COMP_CTX_free(s->expand);
2781 s->expand=NULL;
2782 }
2783 if (s->compress != NULL)
2784 {
2785 COMP_CTX_free(s->compress);
2786 s->compress=NULL;
2787 }
2788#endif
2789 }
2790
2791/* Fix this function so that it takes an optional type parameter */
2792X509 *SSL_get_certificate(const SSL *s)
2793 {
2794 if (s->cert != NULL)
2795 return(s->cert->key->x509);
2796 else
2797 return(NULL);
2798 }
2799
2800/* Fix this function so that it takes an optional type parameter */
2801EVP_PKEY *SSL_get_privatekey(SSL *s)
2802 {
2803 if (s->cert != NULL)
2804 return(s->cert->key->privatekey);
2805 else
2806 return(NULL);
2807 }
2808
2809const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
2810 {
2811 if ((s->session != NULL) && (s->session->cipher != NULL))
2812 return(s->session->cipher);
2813 return(NULL);
2814 }
2815#ifdef OPENSSL_NO_COMP
2816const void *SSL_get_current_compression(SSL *s)
2817 {
2818 return NULL;
2819 }
2820const void *SSL_get_current_expansion(SSL *s)
2821 {
2822 return NULL;
2823 }
2824#else
2825
2826const COMP_METHOD *SSL_get_current_compression(SSL *s)
2827 {
2828 if (s->compress != NULL)
2829 return(s->compress->meth);
2830 return(NULL);
2831 }
2832
2833const COMP_METHOD *SSL_get_current_expansion(SSL *s)
2834 {
2835 if (s->expand != NULL)
2836 return(s->expand->meth);
2837 return(NULL);
2838 }
2839#endif
2840
2841int ssl_init_wbio_buffer(SSL *s,int push)
2842 {
2843 BIO *bbio;
2844
2845 if (s->bbio == NULL)
2846 {
2847 bbio=BIO_new(BIO_f_buffer());
2848 if (bbio == NULL) return(0);
2849 s->bbio=bbio;
2850 }
2851 else
2852 {
2853 bbio=s->bbio;
2854 if (s->bbio == s->wbio)
2855 s->wbio=BIO_pop(s->wbio);
2856 }
2857 (void)BIO_reset(bbio);
2858/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
2859 if (!BIO_set_read_buffer_size(bbio,1))
2860 {
2861 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB);
2862 return(0);
2863 }
2864 if (push)
2865 {
2866 if (s->wbio != bbio)
2867 s->wbio=BIO_push(bbio,s->wbio);
2868 }
2869 else
2870 {
2871 if (s->wbio == bbio)
2872 s->wbio=BIO_pop(bbio);
2873 }
2874 return(1);
2875 }
2876
2877void ssl_free_wbio_buffer(SSL *s)
2878 {
2879 if (s->bbio == NULL) return;
2880
2881 if (s->bbio == s->wbio)
2882 {
2883 /* remove buffering */
2884 s->wbio=BIO_pop(s->wbio);
2885#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */
2886 assert(s->wbio != NULL);
2887#endif
2888 }
2889 BIO_free(s->bbio);
2890 s->bbio=NULL;
2891 }
2892
2893void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
2894 {
2895 ctx->quiet_shutdown=mode;
2896 }
2897
2898int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
2899 {
2900 return(ctx->quiet_shutdown);
2901 }
2902
2903void SSL_set_quiet_shutdown(SSL *s,int mode)
2904 {
2905 s->quiet_shutdown=mode;
2906 }
2907
2908int SSL_get_quiet_shutdown(const SSL *s)
2909 {
2910 return(s->quiet_shutdown);
2911 }
2912
2913void SSL_set_shutdown(SSL *s,int mode)
2914 {
2915 s->shutdown=mode;
2916 }
2917
2918int SSL_get_shutdown(const SSL *s)
2919 {
2920 return(s->shutdown);
2921 }
2922
2923int SSL_version(const SSL *s)
2924 {
2925 return(s->version);
2926 }
2927
2928SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
2929 {
2930 return(ssl->ctx);
2931 }
2932
2933SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
2934 {
2935 if (ssl->ctx == ctx)
2936 return ssl->ctx;
2937#ifndef OPENSSL_NO_TLSEXT
2938 if (ctx == NULL)
2939 ctx = ssl->initial_ctx;
2940#endif
2941 if (ssl->cert != NULL)
2942 ssl_cert_free(ssl->cert);
2943 ssl->cert = ssl_cert_dup(ctx->cert);
2944 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
2945 if (ssl->ctx != NULL)
2946 SSL_CTX_free(ssl->ctx); /* decrement reference count */
2947 ssl->ctx = ctx;
2948 return(ssl->ctx);
2949 }
2950
2951#ifndef OPENSSL_NO_STDIO
2952int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
2953 {
2954 return(X509_STORE_set_default_paths(ctx->cert_store));
2955 }
2956
2957int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
2958 const char *CApath)
2959 {
2960 return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
2961 }
2962#endif
2963
2964void SSL_set_info_callback(SSL *ssl,
2965 void (*cb)(const SSL *ssl,int type,int val))
2966 {
2967 ssl->info_callback=cb;
2968 }
2969
2970/* One compiler (Diab DCC) doesn't like argument names in returned
2971 function pointer. */
2972void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
2973 {
2974 return ssl->info_callback;
2975 }
2976
2977int SSL_state(const SSL *ssl)
2978 {
2979 return(ssl->state);
2980 }
2981
2982void SSL_set_state(SSL *ssl, int state)
2983 {
2984 ssl->state = state;
2985 }
2986
2987void SSL_set_verify_result(SSL *ssl,long arg)
2988 {
2989 ssl->verify_result=arg;
2990 }
2991
2992long SSL_get_verify_result(const SSL *ssl)
2993 {
2994 return(ssl->verify_result);
2995 }
2996
2997int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
2998 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
2999 {
3000 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
3001 new_func, dup_func, free_func);
3002 }
3003
3004int SSL_set_ex_data(SSL *s,int idx,void *arg)
3005 {
3006 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
3007 }
3008
3009void *SSL_get_ex_data(const SSL *s,int idx)
3010 {
3011 return(CRYPTO_get_ex_data(&s->ex_data,idx));
3012 }
3013
3014int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
3015 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
3016 {
3017 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
3018 new_func, dup_func, free_func);
3019 }
3020
3021int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
3022 {
3023 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
3024 }
3025
3026void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
3027 {
3028 return(CRYPTO_get_ex_data(&s->ex_data,idx));
3029 }
3030
3031int ssl_ok(SSL *s)
3032 {
3033 return(1);
3034 }
3035
3036X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
3037 {
3038 return(ctx->cert_store);
3039 }
3040
3041void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
3042 {
3043 if (ctx->cert_store != NULL)
3044 X509_STORE_free(ctx->cert_store);
3045 ctx->cert_store=store;
3046 }
3047
3048int SSL_want(const SSL *s)
3049 {
3050 return(s->rwstate);
3051 }
3052
3053/*!
3054 * \brief Set the callback for generating temporary RSA keys.
3055 * \param ctx the SSL context.
3056 * \param cb the callback
3057 */
3058
3059#ifndef OPENSSL_NO_RSA
3060void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
3061 int is_export,
3062 int keylength))
3063 {
3064 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
3065 }
3066
3067void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
3068 int is_export,
3069 int keylength))
3070 {
3071 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
3072 }
3073#endif
3074
3075#ifdef DOXYGEN
3076/*!
3077 * \brief The RSA temporary key callback function.
3078 * \param ssl the SSL session.
3079 * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
3080 * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
3081 * of the required key in bits.
3082 * \return the temporary RSA key.
3083 * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
3084 */
3085
3086RSA *cb(SSL *ssl,int is_export,int keylength)
3087 {}
3088#endif
3089
3090/*!
3091 * \brief Set the callback for generating temporary DH keys.
3092 * \param ctx the SSL context.
3093 * \param dh the callback
3094 */
3095
3096#ifndef OPENSSL_NO_DH
3097void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
3098 int keylength))
3099 {
3100 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
3101 }
3102
3103void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
3104 int keylength))
3105 {
3106 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
3107 }
3108#endif
3109
3110#ifndef OPENSSL_NO_ECDH
3111void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
3112 int keylength))
3113 {
3114 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
3115 }
3116
3117void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
3118 int keylength))
3119 {
3120 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
3121 }
3122#endif
3123
3124#ifndef OPENSSL_NO_PSK
3125int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
3126 {
3127 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN)
3128 {
3129 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
3130 return 0;
3131 }
3132 if (ctx->psk_identity_hint != NULL)
3133 OPENSSL_free(ctx->psk_identity_hint);
3134 if (identity_hint != NULL)
3135 {
3136 ctx->psk_identity_hint = BUF_strdup(identity_hint);
3137 if (ctx->psk_identity_hint == NULL)
3138 return 0;
3139 }
3140 else
3141 ctx->psk_identity_hint = NULL;
3142 return 1;
3143 }
3144
3145int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
3146 {
3147 if (s == NULL)
3148 return 0;
3149
3150 if (s->session == NULL)
3151 return 1; /* session not created yet, ignored */
3152
3153 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN)
3154 {
3155 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
3156 return 0;
3157 }
3158 if (s->session->psk_identity_hint != NULL)
3159 OPENSSL_free(s->session->psk_identity_hint);
3160 if (identity_hint != NULL)
3161 {
3162 s->session->psk_identity_hint = BUF_strdup(identity_hint);
3163 if (s->session->psk_identity_hint == NULL)
3164 return 0;
3165 }
3166 else
3167 s->session->psk_identity_hint = NULL;
3168 return 1;
3169 }
3170
3171const char *SSL_get_psk_identity_hint(const SSL *s)
3172 {
3173 if (s == NULL || s->session == NULL)
3174 return NULL;
3175 return(s->session->psk_identity_hint);
3176 }
3177
3178const char *SSL_get_psk_identity(const SSL *s)
3179 {
3180 if (s == NULL || s->session == NULL)
3181 return NULL;
3182 return(s->session->psk_identity);
3183 }
3184
3185void SSL_set_psk_client_callback(SSL *s,
3186 unsigned int (*cb)(SSL *ssl, const char *hint,
3187 char *identity, unsigned int max_identity_len, unsigned char *psk,
3188 unsigned int max_psk_len))
3189 {
3190 s->psk_client_callback = cb;
3191 }
3192
3193void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
3194 unsigned int (*cb)(SSL *ssl, const char *hint,
3195 char *identity, unsigned int max_identity_len, unsigned char *psk,
3196 unsigned int max_psk_len))
3197 {
3198 ctx->psk_client_callback = cb;
3199 }
3200
3201void SSL_set_psk_server_callback(SSL *s,
3202 unsigned int (*cb)(SSL *ssl, const char *identity,
3203 unsigned char *psk, unsigned int max_psk_len))
3204 {
3205 s->psk_server_callback = cb;
3206 }
3207
3208void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
3209 unsigned int (*cb)(SSL *ssl, const char *identity,
3210 unsigned char *psk, unsigned int max_psk_len))
3211 {
3212 ctx->psk_server_callback = cb;
3213 }
3214#endif
3215
3216void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3217 {
3218 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
3219 }
3220void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3221 {
3222 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
3223 }
3224
3225/* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
3226 * vairable, freeing EVP_MD_CTX previously stored in that variable, if
3227 * any. If EVP_MD pointer is passed, initializes ctx with this md
3228 * Returns newly allocated ctx;
3229 */
3230
3231EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md)
3232{
3233 ssl_clear_hash_ctx(hash);
3234 *hash = EVP_MD_CTX_create();
3235 if (md) EVP_DigestInit_ex(*hash,md,NULL);
3236 return *hash;
3237}
3238void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
3239{
3240
3241 if (*hash) EVP_MD_CTX_destroy(*hash);
3242 *hash=NULL;
3243}
3244
3245void SSL_set_debug(SSL *s, int debug)
3246 {
3247 s->debug = debug;
3248 }
3249
3250int SSL_cache_hit(SSL *s)
3251 {
3252 return s->hit;
3253 }
3254
3255#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
3256#include "../crypto/bio/bss_file.c"
3257#endif
3258
3259IMPLEMENT_STACK_OF(SSL_CIPHER)
3260IMPLEMENT_STACK_OF(SSL_COMP)
3261IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
3262 ssl_cipher_id);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
deleted file mode 100644
index e485907748..0000000000
--- a/src/lib/libssl/ssl_locl.h
+++ /dev/null
@@ -1,1177 +0,0 @@
1/* ssl/ssl_locl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#ifndef HEADER_SSL_LOCL_H
144#define HEADER_SSL_LOCL_H
145#include <stdlib.h>
146#include <time.h>
147#include <string.h>
148#include <errno.h>
149
150#include "e_os.h"
151
152#include <openssl/buffer.h>
153#ifndef OPENSSL_NO_COMP
154#include <openssl/comp.h>
155#endif
156#include <openssl/bio.h>
157#include <openssl/stack.h>
158#ifndef OPENSSL_NO_RSA
159#include <openssl/rsa.h>
160#endif
161#ifndef OPENSSL_NO_DSA
162#include <openssl/dsa.h>
163#endif
164#include <openssl/err.h>
165#include <openssl/ssl.h>
166#include <openssl/symhacks.h>
167
168#ifdef OPENSSL_BUILD_SHLIBSSL
169# undef OPENSSL_EXTERN
170# define OPENSSL_EXTERN OPENSSL_EXPORT
171#endif
172
173#undef PKCS1_CHECK
174
175#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
176 l|=(((unsigned long)(*((c)++)))<< 8), \
177 l|=(((unsigned long)(*((c)++)))<<16), \
178 l|=(((unsigned long)(*((c)++)))<<24))
179
180/* NOTE - c is not incremented as per c2l */
181#define c2ln(c,l1,l2,n) { \
182 c+=n; \
183 l1=l2=0; \
184 switch (n) { \
185 case 8: l2 =((unsigned long)(*(--(c))))<<24; \
186 case 7: l2|=((unsigned long)(*(--(c))))<<16; \
187 case 6: l2|=((unsigned long)(*(--(c))))<< 8; \
188 case 5: l2|=((unsigned long)(*(--(c)))); \
189 case 4: l1 =((unsigned long)(*(--(c))))<<24; \
190 case 3: l1|=((unsigned long)(*(--(c))))<<16; \
191 case 2: l1|=((unsigned long)(*(--(c))))<< 8; \
192 case 1: l1|=((unsigned long)(*(--(c)))); \
193 } \
194 }
195
196#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
197 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
198 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
199 *((c)++)=(unsigned char)(((l)>>24)&0xff))
200
201#define n2l(c,l) (l =((unsigned long)(*((c)++)))<<24, \
202 l|=((unsigned long)(*((c)++)))<<16, \
203 l|=((unsigned long)(*((c)++)))<< 8, \
204 l|=((unsigned long)(*((c)++))))
205
206#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
207 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
208 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
209 *((c)++)=(unsigned char)(((l) )&0xff))
210
211#define l2n6(l,c) (*((c)++)=(unsigned char)(((l)>>40)&0xff), \
212 *((c)++)=(unsigned char)(((l)>>32)&0xff), \
213 *((c)++)=(unsigned char)(((l)>>24)&0xff), \
214 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
215 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
216 *((c)++)=(unsigned char)(((l) )&0xff))
217
218#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
219 *((c)++)=(unsigned char)(((l)>>48)&0xff), \
220 *((c)++)=(unsigned char)(((l)>>40)&0xff), \
221 *((c)++)=(unsigned char)(((l)>>32)&0xff), \
222 *((c)++)=(unsigned char)(((l)>>24)&0xff), \
223 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
224 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
225 *((c)++)=(unsigned char)(((l) )&0xff))
226
227#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \
228 l|=((BN_ULLONG)(*((c)++)))<<32, \
229 l|=((BN_ULLONG)(*((c)++)))<<24, \
230 l|=((BN_ULLONG)(*((c)++)))<<16, \
231 l|=((BN_ULLONG)(*((c)++)))<< 8, \
232 l|=((BN_ULLONG)(*((c)++))))
233
234/* NOTE - c is not incremented as per l2c */
235#define l2cn(l1,l2,c,n) { \
236 c+=n; \
237 switch (n) { \
238 case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
239 case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
240 case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
241 case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \
242 case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
243 case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
244 case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
245 case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \
246 } \
247 }
248
249#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
250 (((unsigned int)(c[1])) )),c+=2)
251#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
252 c[1]=(unsigned char)(((s) )&0xff)),c+=2)
253
254#define n2l3(c,l) ((l =(((unsigned long)(c[0]))<<16)| \
255 (((unsigned long)(c[1]))<< 8)| \
256 (((unsigned long)(c[2])) )),c+=3)
257
258#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \
259 c[1]=(unsigned char)(((l)>> 8)&0xff), \
260 c[2]=(unsigned char)(((l) )&0xff)),c+=3)
261
262/* LOCAL STUFF */
263
264#define SSL_DECRYPT 0
265#define SSL_ENCRYPT 1
266
267#define TWO_BYTE_BIT 0x80
268#define SEC_ESC_BIT 0x40
269#define TWO_BYTE_MASK 0x7fff
270#define THREE_BYTE_MASK 0x3fff
271
272#define INC32(a) ((a)=((a)+1)&0xffffffffL)
273#define DEC32(a) ((a)=((a)-1)&0xffffffffL)
274#define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
275
276/*
277 * Define the Bitmasks for SSL_CIPHER.algorithms.
278 * This bits are used packed as dense as possible. If new methods/ciphers
279 * etc will be added, the bits a likely to change, so this information
280 * is for internal library use only, even though SSL_CIPHER.algorithms
281 * can be publicly accessed.
282 * Use the according functions for cipher management instead.
283 *
284 * The bit mask handling in the selection and sorting scheme in
285 * ssl_create_cipher_list() has only limited capabilities, reflecting
286 * that the different entities within are mutually exclusive:
287 * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
288 */
289
290/* Bits for algorithm_mkey (key exchange algorithm) */
291#define SSL_kRSA 0x00000001L /* RSA key exchange */
292#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
293#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
294#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */
295#define SSL_kKRB5 0x00000010L /* Kerberos5 key exchange */
296#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
297#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
298#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
299#define SSL_kPSK 0x00000100L /* PSK */
300#define SSL_kGOST 0x00000200L /* GOST key exchange */
301#define SSL_kSRP 0x00000400L /* SRP */
302
303/* Bits for algorithm_auth (server authentication) */
304#define SSL_aRSA 0x00000001L /* RSA auth */
305#define SSL_aDSS 0x00000002L /* DSS auth */
306#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
307#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
308#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
309#define SSL_aKRB5 0x00000020L /* KRB5 auth */
310#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
311#define SSL_aPSK 0x00000080L /* PSK auth */
312#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
313#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
314
315
316/* Bits for algorithm_enc (symmetric encryption) */
317#define SSL_DES 0x00000001L
318#define SSL_3DES 0x00000002L
319#define SSL_RC4 0x00000004L
320#define SSL_RC2 0x00000008L
321#define SSL_IDEA 0x00000010L
322#define SSL_eNULL 0x00000020L
323#define SSL_AES128 0x00000040L
324#define SSL_AES256 0x00000080L
325#define SSL_CAMELLIA128 0x00000100L
326#define SSL_CAMELLIA256 0x00000200L
327#define SSL_eGOST2814789CNT 0x00000400L
328#define SSL_SEED 0x00000800L
329#define SSL_AES128GCM 0x00001000L
330#define SSL_AES256GCM 0x00002000L
331
332#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
333#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
334
335
336/* Bits for algorithm_mac (symmetric authentication) */
337
338#define SSL_MD5 0x00000001L
339#define SSL_SHA1 0x00000002L
340#define SSL_GOST94 0x00000004L
341#define SSL_GOST89MAC 0x00000008L
342#define SSL_SHA256 0x00000010L
343#define SSL_SHA384 0x00000020L
344/* Not a real MAC, just an indication it is part of cipher */
345#define SSL_AEAD 0x00000040L
346
347/* Bits for algorithm_ssl (protocol version) */
348#define SSL_SSLV2 0x00000001L
349#define SSL_SSLV3 0x00000002L
350#define SSL_TLSV1 SSL_SSLV3 /* for now */
351#define SSL_TLSV1_2 0x00000004L
352
353
354/* Bits for algorithm2 (handshake digests and other extra flags) */
355
356#define SSL_HANDSHAKE_MAC_MD5 0x10
357#define SSL_HANDSHAKE_MAC_SHA 0x20
358#define SSL_HANDSHAKE_MAC_GOST94 0x40
359#define SSL_HANDSHAKE_MAC_SHA256 0x80
360#define SSL_HANDSHAKE_MAC_SHA384 0x100
361#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
362
363/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX
364 * make sure to update this constant too */
365#define SSL_MAX_DIGEST 6
366
367#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
368
369#define TLS1_PRF_DGST_SHIFT 10
370#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
371#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
372#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
373#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
374#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT)
375#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
376
377/* Stream MAC for GOST ciphersuites from cryptopro draft
378 * (currently this also goes into algorithm2) */
379#define TLS1_STREAM_MAC 0x04
380
381
382
383/*
384 * Export and cipher strength information. For each cipher we have to decide
385 * whether it is exportable or not. This information is likely to change
386 * over time, since the export control rules are no static technical issue.
387 *
388 * Independent of the export flag the cipher strength is sorted into classes.
389 * SSL_EXP40 was denoting the 40bit US export limit of past times, which now
390 * is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
391 * again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
392 * since SSL_EXP64 could be similar to SSL_LOW.
393 * For this reason SSL_MICRO and SSL_MINI macros are included to widen the
394 * namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
395 * and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
396 * be possible.
397 */
398#define SSL_EXP_MASK 0x00000003L
399#define SSL_STRONG_MASK 0x000001fcL
400
401#define SSL_NOT_EXP 0x00000001L
402#define SSL_EXPORT 0x00000002L
403
404#define SSL_STRONG_NONE 0x00000004L
405#define SSL_EXP40 0x00000008L
406#define SSL_MICRO (SSL_EXP40)
407#define SSL_EXP56 0x00000010L
408#define SSL_MINI (SSL_EXP56)
409#define SSL_LOW 0x00000020L
410#define SSL_MEDIUM 0x00000040L
411#define SSL_HIGH 0x00000080L
412#define SSL_FIPS 0x00000100L
413
414/* we have used 000001ff - 23 bits left to go */
415
416/*
417 * Macros to check the export status and cipher strength for export ciphers.
418 * Even though the macros for EXPORT and EXPORT40/56 have similar names,
419 * their meaning is different:
420 * *_EXPORT macros check the 'exportable' status.
421 * *_EXPORT40/56 macros are used to check whether a certain cipher strength
422 * is given.
423 * Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
424 * algorithm structure element to be passed (algorithms, algo_strength) and no
425 * typechecking can be done as they are all of type unsigned long, their
426 * direct usage is discouraged.
427 * Use the SSL_C_* macros instead.
428 */
429#define SSL_IS_EXPORT(a) ((a)&SSL_EXPORT)
430#define SSL_IS_EXPORT56(a) ((a)&SSL_EXP56)
431#define SSL_IS_EXPORT40(a) ((a)&SSL_EXP40)
432#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algo_strength)
433#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algo_strength)
434#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algo_strength)
435
436#define SSL_EXPORT_KEYLENGTH(a,s) (SSL_IS_EXPORT40(s) ? 5 : \
437 (a) == SSL_DES ? 8 : 7)
438#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
439#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithm_enc, \
440 (c)->algo_strength)
441#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
442
443
444
445
446/* Mostly for SSLv3 */
447#define SSL_PKEY_RSA_ENC 0
448#define SSL_PKEY_RSA_SIGN 1
449#define SSL_PKEY_DSA_SIGN 2
450#define SSL_PKEY_DH_RSA 3
451#define SSL_PKEY_DH_DSA 4
452#define SSL_PKEY_ECC 5
453#define SSL_PKEY_GOST94 6
454#define SSL_PKEY_GOST01 7
455#define SSL_PKEY_NUM 8
456
457/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
458 * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
459 * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
460 * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN
461 * SSL_aRSA <- RSA_ENC | RSA_SIGN
462 * SSL_aDSS <- DSA_SIGN
463 */
464
465/*
466#define CERT_INVALID 0
467#define CERT_PUBLIC_KEY 1
468#define CERT_PRIVATE_KEY 2
469*/
470
471#ifndef OPENSSL_NO_EC
472/* From ECC-TLS draft, used in encoding the curve type in
473 * ECParameters
474 */
475#define EXPLICIT_PRIME_CURVE_TYPE 1
476#define EXPLICIT_CHAR2_CURVE_TYPE 2
477#define NAMED_CURVE_TYPE 3
478#endif /* OPENSSL_NO_EC */
479
480typedef struct cert_pkey_st
481 {
482 X509 *x509;
483 EVP_PKEY *privatekey;
484 /* Digest to use when signing */
485 const EVP_MD *digest;
486 } CERT_PKEY;
487
488typedef struct cert_st
489 {
490 /* Current active set */
491 CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
492 * Probably it would make more sense to store
493 * an index, not a pointer. */
494
495 /* The following masks are for the key and auth
496 * algorithms that are supported by the certs below */
497 int valid;
498 unsigned long mask_k;
499 unsigned long mask_a;
500 unsigned long export_mask_k;
501 unsigned long export_mask_a;
502#ifndef OPENSSL_NO_RSA
503 RSA *rsa_tmp;
504 RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
505#endif
506#ifndef OPENSSL_NO_DH
507 DH *dh_tmp;
508 DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize);
509#endif
510#ifndef OPENSSL_NO_ECDH
511 EC_KEY *ecdh_tmp;
512 /* Callback for generating ephemeral ECDH keys */
513 EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize);
514#endif
515
516 CERT_PKEY pkeys[SSL_PKEY_NUM];
517
518 int references; /* >1 only if SSL_copy_session_id is used */
519 } CERT;
520
521
522typedef struct sess_cert_st
523 {
524 STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */
525
526 /* The 'peer_...' members are used only by clients. */
527 int peer_cert_type;
528
529 CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
530 CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
531 /* Obviously we don't have the private keys of these,
532 * so maybe we shouldn't even use the CERT_PKEY type here. */
533
534#ifndef OPENSSL_NO_RSA
535 RSA *peer_rsa_tmp; /* not used for SSL 2 */
536#endif
537#ifndef OPENSSL_NO_DH
538 DH *peer_dh_tmp; /* not used for SSL 2 */
539#endif
540#ifndef OPENSSL_NO_ECDH
541 EC_KEY *peer_ecdh_tmp;
542#endif
543
544 int references; /* actually always 1 at the moment */
545 } SESS_CERT;
546
547
548/*#define MAC_DEBUG */
549
550/*#define ERR_DEBUG */
551/*#define ABORT_DEBUG */
552/*#define PKT_DEBUG 1 */
553/*#define DES_DEBUG */
554/*#define DES_OFB_DEBUG */
555/*#define SSL_DEBUG */
556/*#define RSA_DEBUG */
557/*#define IDEA_DEBUG */
558
559#define FP_ICC (int (*)(const void *,const void *))
560#define ssl_put_cipher_by_char(ssl,ciph,ptr) \
561 ((ssl)->method->put_cipher_by_char((ciph),(ptr)))
562#define ssl_get_cipher_by_char(ssl,ptr) \
563 ((ssl)->method->get_cipher_by_char(ptr))
564
565/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
566 * It is a bit of a mess of functions, but hell, think of it as
567 * an opaque structure :-) */
568typedef struct ssl3_enc_method
569 {
570 int (*enc)(SSL *, int);
571 int (*mac)(SSL *, unsigned char *, int);
572 int (*setup_key_block)(SSL *);
573 int (*generate_master_secret)(SSL *, unsigned char *, unsigned char *, int);
574 int (*change_cipher_state)(SSL *, int);
575 int (*final_finish_mac)(SSL *, const char *, int, unsigned char *);
576 int finish_mac_length;
577 int (*cert_verify_mac)(SSL *, int, unsigned char *);
578 const char *client_finished_label;
579 int client_finished_label_len;
580 const char *server_finished_label;
581 int server_finished_label_len;
582 int (*alert_value)(int);
583 int (*export_keying_material)(SSL *, unsigned char *, size_t,
584 const char *, size_t,
585 const unsigned char *, size_t,
586 int use_context);
587 } SSL3_ENC_METHOD;
588
589#ifndef OPENSSL_NO_COMP
590/* Used for holding the relevant compression methods loaded into SSL_CTX */
591typedef struct ssl3_comp_st
592 {
593 int comp_id; /* The identifier byte for this compression type */
594 char *name; /* Text name used for the compression type */
595 COMP_METHOD *method; /* The method :-) */
596 } SSL3_COMP;
597#endif
598
599#ifndef OPENSSL_NO_BUF_FREELISTS
600typedef struct ssl3_buf_freelist_st
601 {
602 size_t chunklen;
603 unsigned int len;
604 struct ssl3_buf_freelist_entry_st *head;
605 } SSL3_BUF_FREELIST;
606
607typedef struct ssl3_buf_freelist_entry_st
608 {
609 struct ssl3_buf_freelist_entry_st *next;
610 } SSL3_BUF_FREELIST_ENTRY;
611#endif
612
613extern SSL3_ENC_METHOD ssl3_undef_enc_method;
614OPENSSL_EXTERN const SSL_CIPHER ssl2_ciphers[];
615OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
616
617
618SSL_METHOD *ssl_bad_method(int ver);
619
620extern SSL3_ENC_METHOD TLSv1_enc_data;
621extern SSL3_ENC_METHOD SSLv3_enc_data;
622extern SSL3_ENC_METHOD DTLSv1_enc_data;
623
624#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
625
626#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
627 s_get_meth) \
628const SSL_METHOD *func_name(void) \
629 { \
630 static const SSL_METHOD func_name##_data= { \
631 version, \
632 tls1_new, \
633 tls1_clear, \
634 tls1_free, \
635 s_accept, \
636 s_connect, \
637 ssl3_read, \
638 ssl3_peek, \
639 ssl3_write, \
640 ssl3_shutdown, \
641 ssl3_renegotiate, \
642 ssl3_renegotiate_check, \
643 ssl3_get_message, \
644 ssl3_read_bytes, \
645 ssl3_write_bytes, \
646 ssl3_dispatch_alert, \
647 ssl3_ctrl, \
648 ssl3_ctx_ctrl, \
649 ssl3_get_cipher_by_char, \
650 ssl3_put_cipher_by_char, \
651 ssl3_pending, \
652 ssl3_num_ciphers, \
653 ssl3_get_cipher, \
654 s_get_meth, \
655 tls1_default_timeout, \
656 &TLSv1_enc_data, \
657 ssl_undefined_void_function, \
658 ssl3_callback_ctrl, \
659 ssl3_ctx_callback_ctrl, \
660 }; \
661 return &func_name##_data; \
662 }
663
664#define IMPLEMENT_ssl3_meth_func(func_name, s_accept, s_connect, s_get_meth) \
665const SSL_METHOD *func_name(void) \
666 { \
667 static const SSL_METHOD func_name##_data= { \
668 SSL3_VERSION, \
669 ssl3_new, \
670 ssl3_clear, \
671 ssl3_free, \
672 s_accept, \
673 s_connect, \
674 ssl3_read, \
675 ssl3_peek, \
676 ssl3_write, \
677 ssl3_shutdown, \
678 ssl3_renegotiate, \
679 ssl3_renegotiate_check, \
680 ssl3_get_message, \
681 ssl3_read_bytes, \
682 ssl3_write_bytes, \
683 ssl3_dispatch_alert, \
684 ssl3_ctrl, \
685 ssl3_ctx_ctrl, \
686 ssl3_get_cipher_by_char, \
687 ssl3_put_cipher_by_char, \
688 ssl3_pending, \
689 ssl3_num_ciphers, \
690 ssl3_get_cipher, \
691 s_get_meth, \
692 ssl3_default_timeout, \
693 &SSLv3_enc_data, \
694 ssl_undefined_void_function, \
695 ssl3_callback_ctrl, \
696 ssl3_ctx_callback_ctrl, \
697 }; \
698 return &func_name##_data; \
699 }
700
701#define IMPLEMENT_ssl23_meth_func(func_name, s_accept, s_connect, s_get_meth) \
702const SSL_METHOD *func_name(void) \
703 { \
704 static const SSL_METHOD func_name##_data= { \
705 TLS1_2_VERSION, \
706 tls1_new, \
707 tls1_clear, \
708 tls1_free, \
709 s_accept, \
710 s_connect, \
711 ssl23_read, \
712 ssl23_peek, \
713 ssl23_write, \
714 ssl_undefined_function, \
715 ssl_undefined_function, \
716 ssl_ok, \
717 ssl3_get_message, \
718 ssl3_read_bytes, \
719 ssl3_write_bytes, \
720 ssl3_dispatch_alert, \
721 ssl3_ctrl, \
722 ssl3_ctx_ctrl, \
723 ssl23_get_cipher_by_char, \
724 ssl23_put_cipher_by_char, \
725 ssl_undefined_const_function, \
726 ssl23_num_ciphers, \
727 ssl23_get_cipher, \
728 s_get_meth, \
729 ssl23_default_timeout, \
730 &ssl3_undef_enc_method, \
731 ssl_undefined_void_function, \
732 ssl3_callback_ctrl, \
733 ssl3_ctx_callback_ctrl, \
734 }; \
735 return &func_name##_data; \
736 }
737
738#define IMPLEMENT_ssl2_meth_func(func_name, s_accept, s_connect, s_get_meth) \
739const SSL_METHOD *func_name(void) \
740 { \
741 static const SSL_METHOD func_name##_data= { \
742 SSL2_VERSION, \
743 ssl2_new, /* local */ \
744 ssl2_clear, /* local */ \
745 ssl2_free, /* local */ \
746 s_accept, \
747 s_connect, \
748 ssl2_read, \
749 ssl2_peek, \
750 ssl2_write, \
751 ssl2_shutdown, \
752 ssl_ok, /* NULL - renegotiate */ \
753 ssl_ok, /* NULL - check renegotiate */ \
754 NULL, /* NULL - ssl_get_message */ \
755 NULL, /* NULL - ssl_get_record */ \
756 NULL, /* NULL - ssl_write_bytes */ \
757 NULL, /* NULL - dispatch_alert */ \
758 ssl2_ctrl, /* local */ \
759 ssl2_ctx_ctrl, /* local */ \
760 ssl2_get_cipher_by_char, \
761 ssl2_put_cipher_by_char, \
762 ssl2_pending, \
763 ssl2_num_ciphers, \
764 ssl2_get_cipher, \
765 s_get_meth, \
766 ssl2_default_timeout, \
767 &ssl3_undef_enc_method, \
768 ssl_undefined_void_function, \
769 ssl2_callback_ctrl, /* local */ \
770 ssl2_ctx_callback_ctrl, /* local */ \
771 }; \
772 return &func_name##_data; \
773 }
774
775#define IMPLEMENT_dtls1_meth_func(func_name, s_accept, s_connect, s_get_meth) \
776const SSL_METHOD *func_name(void) \
777 { \
778 static const SSL_METHOD func_name##_data= { \
779 DTLS1_VERSION, \
780 dtls1_new, \
781 dtls1_clear, \
782 dtls1_free, \
783 s_accept, \
784 s_connect, \
785 ssl3_read, \
786 ssl3_peek, \
787 ssl3_write, \
788 dtls1_shutdown, \
789 ssl3_renegotiate, \
790 ssl3_renegotiate_check, \
791 dtls1_get_message, \
792 dtls1_read_bytes, \
793 dtls1_write_app_data_bytes, \
794 dtls1_dispatch_alert, \
795 dtls1_ctrl, \
796 ssl3_ctx_ctrl, \
797 ssl3_get_cipher_by_char, \
798 ssl3_put_cipher_by_char, \
799 ssl3_pending, \
800 ssl3_num_ciphers, \
801 dtls1_get_cipher, \
802 s_get_meth, \
803 dtls1_default_timeout, \
804 &DTLSv1_enc_data, \
805 ssl_undefined_void_function, \
806 ssl3_callback_ctrl, \
807 ssl3_ctx_callback_ctrl, \
808 }; \
809 return &func_name##_data; \
810 }
811
812void ssl_clear_cipher_ctx(SSL *s);
813int ssl_clear_bad_session(SSL *s);
814CERT *ssl_cert_new(void);
815CERT *ssl_cert_dup(CERT *cert);
816int ssl_cert_inst(CERT **o);
817void ssl_cert_free(CERT *c);
818SESS_CERT *ssl_sess_cert_new(void);
819void ssl_sess_cert_free(SESS_CERT *sc);
820int ssl_set_peer_cert_type(SESS_CERT *c, int type);
821int ssl_get_new_session(SSL *s, int session);
822int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit);
823int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
824DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
825 ssl_cipher_id);
826int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
827 const SSL_CIPHER * const *bp);
828STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
829 STACK_OF(SSL_CIPHER) **skp);
830int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
831 int (*put_cb)(const SSL_CIPHER *, unsigned char *));
832STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
833 STACK_OF(SSL_CIPHER) **pref,
834 STACK_OF(SSL_CIPHER) **sorted,
835 const char *rule_str);
836void ssl_update_cache(SSL *s, int mode);
837int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
838 const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp);
839int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);
840int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
841int ssl_undefined_function(SSL *s);
842int ssl_undefined_void_function(void);
843int ssl_undefined_const_function(const SSL *s);
844CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
845X509 *ssl_get_server_send_cert(const SSL *);
846EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
847int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
848void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
849STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
850int ssl_verify_alarm_type(long type);
851void ssl_load_ciphers(void);
852int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len);
853
854int ssl2_enc_init(SSL *s, int client);
855int ssl2_generate_key_material(SSL *s);
856void ssl2_enc(SSL *s,int send_data);
857void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
858const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
859int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
860int ssl2_part_read(SSL *s, unsigned long f, int i);
861int ssl2_do_write(SSL *s);
862int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data);
863void ssl2_return_error(SSL *s,int reason);
864void ssl2_write_error(SSL *s);
865int ssl2_num_ciphers(void);
866const SSL_CIPHER *ssl2_get_cipher(unsigned int u);
867int ssl2_new(SSL *s);
868void ssl2_free(SSL *s);
869int ssl2_accept(SSL *s);
870int ssl2_connect(SSL *s);
871int ssl2_read(SSL *s, void *buf, int len);
872int ssl2_peek(SSL *s, void *buf, int len);
873int ssl2_write(SSL *s, const void *buf, int len);
874int ssl2_shutdown(SSL *s);
875void ssl2_clear(SSL *s);
876long ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
877long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
878long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
879long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
880int ssl2_pending(const SSL *s);
881long ssl2_default_timeout(void );
882
883const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
884int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
885void ssl3_init_finished_mac(SSL *s);
886int ssl3_send_server_certificate(SSL *s);
887int ssl3_send_newsession_ticket(SSL *s);
888int ssl3_send_cert_status(SSL *s);
889int ssl3_get_finished(SSL *s,int state_a,int state_b);
890int ssl3_setup_key_block(SSL *s);
891int ssl3_send_change_cipher_spec(SSL *s,int state_a,int state_b);
892int ssl3_change_cipher_state(SSL *s,int which);
893void ssl3_cleanup_key_block(SSL *s);
894int ssl3_do_write(SSL *s,int type);
895int ssl3_send_alert(SSL *s,int level, int desc);
896int ssl3_generate_master_secret(SSL *s, unsigned char *out,
897 unsigned char *p, int len);
898int ssl3_get_req_cert_type(SSL *s,unsigned char *p);
899long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
900int ssl3_send_finished(SSL *s, int a, int b, const char *sender,int slen);
901int ssl3_num_ciphers(void);
902const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
903int ssl3_renegotiate(SSL *ssl);
904int ssl3_renegotiate_check(SSL *ssl);
905int ssl3_dispatch_alert(SSL *s);
906int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
907int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
908int ssl3_final_finish_mac(SSL *s, const char *sender, int slen,unsigned char *p);
909int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
910void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
911int ssl3_enc(SSL *s, int send_data);
912int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
913void ssl3_free_digest_list(SSL *s);
914unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
915SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
916 STACK_OF(SSL_CIPHER) *srvr);
917int ssl3_setup_buffers(SSL *s);
918int ssl3_setup_read_buffer(SSL *s);
919int ssl3_setup_write_buffer(SSL *s);
920int ssl3_release_read_buffer(SSL *s);
921int ssl3_release_write_buffer(SSL *s);
922int ssl3_digest_cached_records(SSL *s);
923int ssl3_new(SSL *s);
924void ssl3_free(SSL *s);
925int ssl3_accept(SSL *s);
926int ssl3_connect(SSL *s);
927int ssl3_read(SSL *s, void *buf, int len);
928int ssl3_peek(SSL *s, void *buf, int len);
929int ssl3_write(SSL *s, const void *buf, int len);
930int ssl3_shutdown(SSL *s);
931void ssl3_clear(SSL *s);
932long ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
933long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
934long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
935long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
936int ssl3_pending(const SSL *s);
937
938void ssl3_record_sequence_update(unsigned char *seq);
939int ssl3_do_change_cipher_spec(SSL *ssl);
940long ssl3_default_timeout(void );
941
942int ssl23_num_ciphers(void );
943const SSL_CIPHER *ssl23_get_cipher(unsigned int u);
944int ssl23_read(SSL *s, void *buf, int len);
945int ssl23_peek(SSL *s, void *buf, int len);
946int ssl23_write(SSL *s, const void *buf, int len);
947int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
948const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
949long ssl23_default_timeout(void );
950
951long tls1_default_timeout(void);
952int dtls1_do_write(SSL *s,int type);
953int ssl3_read_n(SSL *s, int n, int max, int extend);
954int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
955int ssl3_do_compress(SSL *ssl);
956int ssl3_do_uncompress(SSL *ssl);
957int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
958 unsigned int len);
959unsigned char *dtls1_set_message_header(SSL *s,
960 unsigned char *p, unsigned char mt, unsigned long len,
961 unsigned long frag_off, unsigned long frag_len);
962
963int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len);
964int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
965
966int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
967int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
968unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
969int dtls1_read_failed(SSL *s, int code);
970int dtls1_buffer_message(SSL *s, int ccs);
971int dtls1_retransmit_message(SSL *s, unsigned short seq,
972 unsigned long frag_off, int *found);
973int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
974int dtls1_retransmit_buffered_messages(SSL *s);
975void dtls1_clear_record_buffer(SSL *s);
976void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr);
977void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
978void dtls1_reset_seq_numbers(SSL *s, int rw);
979long dtls1_default_timeout(void);
980struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft);
981int dtls1_check_timeout_num(SSL *s);
982int dtls1_handle_timeout(SSL *s);
983const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
984void dtls1_start_timer(SSL *s);
985void dtls1_stop_timer(SSL *s);
986int dtls1_is_timer_expired(SSL *s);
987void dtls1_double_timeout(SSL *s);
988int dtls1_send_newsession_ticket(SSL *s);
989unsigned int dtls1_min_mtu(void);
990
991/* some client-only functions */
992int ssl3_client_hello(SSL *s);
993int ssl3_get_server_hello(SSL *s);
994int ssl3_get_certificate_request(SSL *s);
995int ssl3_get_new_session_ticket(SSL *s);
996int ssl3_get_cert_status(SSL *s);
997int ssl3_get_server_done(SSL *s);
998int ssl3_send_client_verify(SSL *s);
999int ssl3_send_client_certificate(SSL *s);
1000int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
1001int ssl3_send_client_key_exchange(SSL *s);
1002int ssl3_get_key_exchange(SSL *s);
1003int ssl3_get_server_certificate(SSL *s);
1004int ssl3_check_cert_and_algorithm(SSL *s);
1005#ifndef OPENSSL_NO_TLSEXT
1006int ssl3_check_finished(SSL *s);
1007# ifndef OPENSSL_NO_NEXTPROTONEG
1008int ssl3_send_next_proto(SSL *s);
1009# endif
1010#endif
1011
1012int dtls1_client_hello(SSL *s);
1013int dtls1_send_client_certificate(SSL *s);
1014int dtls1_send_client_key_exchange(SSL *s);
1015int dtls1_send_client_verify(SSL *s);
1016
1017/* some server-only functions */
1018int ssl3_get_client_hello(SSL *s);
1019int ssl3_send_server_hello(SSL *s);
1020int ssl3_send_hello_request(SSL *s);
1021int ssl3_send_server_key_exchange(SSL *s);
1022int ssl3_send_certificate_request(SSL *s);
1023int ssl3_send_server_done(SSL *s);
1024int ssl3_check_client_hello(SSL *s);
1025int ssl3_get_client_certificate(SSL *s);
1026int ssl3_get_client_key_exchange(SSL *s);
1027int ssl3_get_cert_verify(SSL *s);
1028#ifndef OPENSSL_NO_NEXTPROTONEG
1029int ssl3_get_next_proto(SSL *s);
1030#endif
1031
1032int dtls1_send_hello_request(SSL *s);
1033int dtls1_send_server_hello(SSL *s);
1034int dtls1_send_server_certificate(SSL *s);
1035int dtls1_send_server_key_exchange(SSL *s);
1036int dtls1_send_certificate_request(SSL *s);
1037int dtls1_send_server_done(SSL *s);
1038
1039
1040
1041int ssl23_accept(SSL *s);
1042int ssl23_connect(SSL *s);
1043int ssl23_read_bytes(SSL *s, int n);
1044int ssl23_write_bytes(SSL *s);
1045
1046int tls1_new(SSL *s);
1047void tls1_free(SSL *s);
1048void tls1_clear(SSL *s);
1049long tls1_ctrl(SSL *s,int cmd, long larg, void *parg);
1050long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
1051
1052int dtls1_new(SSL *s);
1053int dtls1_accept(SSL *s);
1054int dtls1_connect(SSL *s);
1055void dtls1_free(SSL *s);
1056void dtls1_clear(SSL *s);
1057long dtls1_ctrl(SSL *s,int cmd, long larg, void *parg);
1058int dtls1_shutdown(SSL *s);
1059
1060long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
1061int dtls1_get_record(SSL *s);
1062int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
1063 unsigned int len, int create_empty_fragement);
1064int dtls1_dispatch_alert(SSL *s);
1065int dtls1_enc(SSL *s, int snd);
1066
1067int ssl_init_wbio_buffer(SSL *s, int push);
1068void ssl_free_wbio_buffer(SSL *s);
1069
1070int tls1_change_cipher_state(SSL *s, int which);
1071int tls1_setup_key_block(SSL *s);
1072int tls1_enc(SSL *s, int snd);
1073int tls1_final_finish_mac(SSL *s,
1074 const char *str, int slen, unsigned char *p);
1075int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
1076int tls1_mac(SSL *ssl, unsigned char *md, int snd);
1077int tls1_generate_master_secret(SSL *s, unsigned char *out,
1078 unsigned char *p, int len);
1079int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1080 const char *label, size_t llen,
1081 const unsigned char *p, size_t plen, int use_context);
1082int tls1_alert_code(int code);
1083int ssl3_alert_code(int code);
1084int ssl_ok(SSL *s);
1085
1086#ifndef OPENSSL_NO_ECDH
1087int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
1088#endif
1089
1090SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
1091
1092#ifndef OPENSSL_NO_EC
1093int tls1_ec_curve_id2nid(int curve_id);
1094int tls1_ec_nid2curve_id(int nid);
1095#endif /* OPENSSL_NO_EC */
1096
1097#ifndef OPENSSL_NO_TLSEXT
1098unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
1099unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
1100int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
1101int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
1102int ssl_prepare_clienthello_tlsext(SSL *s);
1103int ssl_prepare_serverhello_tlsext(SSL *s);
1104int ssl_check_clienthello_tlsext_early(SSL *s);
1105int ssl_check_clienthello_tlsext_late(SSL *s);
1106int ssl_check_serverhello_tlsext(SSL *s);
1107
1108#ifndef OPENSSL_NO_HEARTBEATS
1109int tls1_heartbeat(SSL *s);
1110int dtls1_heartbeat(SSL *s);
1111int tls1_process_heartbeat(SSL *s);
1112int dtls1_process_heartbeat(SSL *s);
1113#endif
1114
1115#ifdef OPENSSL_NO_SHA256
1116#define tlsext_tick_md EVP_sha1
1117#else
1118#define tlsext_tick_md EVP_sha256
1119#endif
1120int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1121 const unsigned char *limit, SSL_SESSION **ret);
1122
1123int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
1124 const EVP_MD *md);
1125int tls12_get_sigid(const EVP_PKEY *pk);
1126const EVP_MD *tls12_get_hash(unsigned char hash_alg);
1127
1128#endif
1129EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ;
1130void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
1131int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
1132 int maxlen);
1133int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1134 int *al);
1135int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
1136 int maxlen);
1137int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1138 int *al);
1139long ssl_get_algorithm2(SSL *s);
1140int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
1141int tls12_get_req_sig_algs(SSL *s, unsigned char *p);
1142
1143int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
1144int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
1145int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
1146int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
1147
1148/* s3_cbc.c */
1149void ssl3_cbc_copy_mac(unsigned char* out,
1150 const SSL3_RECORD *rec,
1151 unsigned md_size,unsigned orig_len);
1152int ssl3_cbc_remove_padding(const SSL* s,
1153 SSL3_RECORD *rec,
1154 unsigned block_size,
1155 unsigned mac_size);
1156int tls1_cbc_remove_padding(const SSL* s,
1157 SSL3_RECORD *rec,
1158 unsigned block_size,
1159 unsigned mac_size);
1160char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
1161void ssl3_cbc_digest_record(
1162 const EVP_MD_CTX *ctx,
1163 unsigned char* md_out,
1164 size_t* md_out_size,
1165 const unsigned char header[13],
1166 const unsigned char *data,
1167 size_t data_plus_mac_size,
1168 size_t data_plus_mac_plus_padding_size,
1169 const unsigned char *mac_secret,
1170 unsigned mac_secret_length,
1171 char is_sslv3);
1172
1173void tls_fips_digest_extra(
1174 const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
1175 const unsigned char *data, size_t data_len, size_t orig_len);
1176
1177#endif
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
deleted file mode 100644
index 60e7b66859..0000000000
--- a/src/lib/libssl/ssl_rsa.c
+++ /dev/null
@@ -1,783 +0,0 @@
1/* ssl/ssl_rsa.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "ssl_locl.h"
61#include <openssl/bio.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65#include <openssl/pem.h>
66
67static int ssl_set_cert(CERT *c, X509 *x509);
68static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
69int SSL_use_certificate(SSL *ssl, X509 *x)
70 {
71 if (x == NULL)
72 {
73 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
74 return(0);
75 }
76 if (!ssl_cert_inst(&ssl->cert))
77 {
78 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
79 return(0);
80 }
81 return(ssl_set_cert(ssl->cert,x));
82 }
83
84#ifndef OPENSSL_NO_STDIO
85int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
86 {
87 int j;
88 BIO *in;
89 int ret=0;
90 X509 *x=NULL;
91
92 in=BIO_new(BIO_s_file_internal());
93 if (in == NULL)
94 {
95 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
96 goto end;
97 }
98
99 if (BIO_read_filename(in,file) <= 0)
100 {
101 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
102 goto end;
103 }
104 if (type == SSL_FILETYPE_ASN1)
105 {
106 j=ERR_R_ASN1_LIB;
107 x=d2i_X509_bio(in,NULL);
108 }
109 else if (type == SSL_FILETYPE_PEM)
110 {
111 j=ERR_R_PEM_LIB;
112 x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
113 }
114 else
115 {
116 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
117 goto end;
118 }
119
120 if (x == NULL)
121 {
122 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,j);
123 goto end;
124 }
125
126 ret=SSL_use_certificate(ssl,x);
127end:
128 if (x != NULL) X509_free(x);
129 if (in != NULL) BIO_free(in);
130 return(ret);
131 }
132#endif
133
134int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
135 {
136 X509 *x;
137 int ret;
138
139 x=d2i_X509(NULL,&d,(long)len);
140 if (x == NULL)
141 {
142 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
143 return(0);
144 }
145
146 ret=SSL_use_certificate(ssl,x);
147 X509_free(x);
148 return(ret);
149 }
150
151#ifndef OPENSSL_NO_RSA
152int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
153 {
154 EVP_PKEY *pkey;
155 int ret;
156
157 if (rsa == NULL)
158 {
159 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
160 return(0);
161 }
162 if (!ssl_cert_inst(&ssl->cert))
163 {
164 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
165 return(0);
166 }
167 if ((pkey=EVP_PKEY_new()) == NULL)
168 {
169 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
170 return(0);
171 }
172
173 RSA_up_ref(rsa);
174 EVP_PKEY_assign_RSA(pkey,rsa);
175
176 ret=ssl_set_pkey(ssl->cert,pkey);
177 EVP_PKEY_free(pkey);
178 return(ret);
179 }
180#endif
181
182static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
183 {
184 int i;
185
186 i=ssl_cert_type(NULL,pkey);
187 if (i < 0)
188 {
189 SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
190 return(0);
191 }
192
193 if (c->pkeys[i].x509 != NULL)
194 {
195 EVP_PKEY *pktmp;
196 pktmp = X509_get_pubkey(c->pkeys[i].x509);
197 EVP_PKEY_copy_parameters(pktmp,pkey);
198 EVP_PKEY_free(pktmp);
199 ERR_clear_error();
200
201#ifndef OPENSSL_NO_RSA
202 /* Don't check the public/private key, this is mostly
203 * for smart cards. */
204 if ((pkey->type == EVP_PKEY_RSA) &&
205 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
206 ;
207 else
208#endif
209 if (!X509_check_private_key(c->pkeys[i].x509,pkey))
210 {
211 X509_free(c->pkeys[i].x509);
212 c->pkeys[i].x509 = NULL;
213 return 0;
214 }
215 }
216
217 if (c->pkeys[i].privatekey != NULL)
218 EVP_PKEY_free(c->pkeys[i].privatekey);
219 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
220 c->pkeys[i].privatekey=pkey;
221 c->key= &(c->pkeys[i]);
222
223 c->valid=0;
224 return(1);
225 }
226
227#ifndef OPENSSL_NO_RSA
228#ifndef OPENSSL_NO_STDIO
229int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
230 {
231 int j,ret=0;
232 BIO *in;
233 RSA *rsa=NULL;
234
235 in=BIO_new(BIO_s_file_internal());
236 if (in == NULL)
237 {
238 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
239 goto end;
240 }
241
242 if (BIO_read_filename(in,file) <= 0)
243 {
244 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
245 goto end;
246 }
247 if (type == SSL_FILETYPE_ASN1)
248 {
249 j=ERR_R_ASN1_LIB;
250 rsa=d2i_RSAPrivateKey_bio(in,NULL);
251 }
252 else if (type == SSL_FILETYPE_PEM)
253 {
254 j=ERR_R_PEM_LIB;
255 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
256 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
257 }
258 else
259 {
260 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
261 goto end;
262 }
263 if (rsa == NULL)
264 {
265 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,j);
266 goto end;
267 }
268 ret=SSL_use_RSAPrivateKey(ssl,rsa);
269 RSA_free(rsa);
270end:
271 if (in != NULL) BIO_free(in);
272 return(ret);
273 }
274#endif
275
276int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
277 {
278 int ret;
279 const unsigned char *p;
280 RSA *rsa;
281
282 p=d;
283 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
284 {
285 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
286 return(0);
287 }
288
289 ret=SSL_use_RSAPrivateKey(ssl,rsa);
290 RSA_free(rsa);
291 return(ret);
292 }
293#endif /* !OPENSSL_NO_RSA */
294
295int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
296 {
297 int ret;
298
299 if (pkey == NULL)
300 {
301 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
302 return(0);
303 }
304 if (!ssl_cert_inst(&ssl->cert))
305 {
306 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
307 return(0);
308 }
309 ret=ssl_set_pkey(ssl->cert,pkey);
310 return(ret);
311 }
312
313#ifndef OPENSSL_NO_STDIO
314int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
315 {
316 int j,ret=0;
317 BIO *in;
318 EVP_PKEY *pkey=NULL;
319
320 in=BIO_new(BIO_s_file_internal());
321 if (in == NULL)
322 {
323 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
324 goto end;
325 }
326
327 if (BIO_read_filename(in,file) <= 0)
328 {
329 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
330 goto end;
331 }
332 if (type == SSL_FILETYPE_PEM)
333 {
334 j=ERR_R_PEM_LIB;
335 pkey=PEM_read_bio_PrivateKey(in,NULL,
336 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
337 }
338 else if (type == SSL_FILETYPE_ASN1)
339 {
340 j = ERR_R_ASN1_LIB;
341 pkey = d2i_PrivateKey_bio(in,NULL);
342 }
343 else
344 {
345 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
346 goto end;
347 }
348 if (pkey == NULL)
349 {
350 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,j);
351 goto end;
352 }
353 ret=SSL_use_PrivateKey(ssl,pkey);
354 EVP_PKEY_free(pkey);
355end:
356 if (in != NULL) BIO_free(in);
357 return(ret);
358 }
359#endif
360
361int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
362 {
363 int ret;
364 const unsigned char *p;
365 EVP_PKEY *pkey;
366
367 p=d;
368 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
369 {
370 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
371 return(0);
372 }
373
374 ret=SSL_use_PrivateKey(ssl,pkey);
375 EVP_PKEY_free(pkey);
376 return(ret);
377 }
378
379int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
380 {
381 if (x == NULL)
382 {
383 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
384 return(0);
385 }
386 if (!ssl_cert_inst(&ctx->cert))
387 {
388 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
389 return(0);
390 }
391 return(ssl_set_cert(ctx->cert, x));
392 }
393
394static int ssl_set_cert(CERT *c, X509 *x)
395 {
396 EVP_PKEY *pkey;
397 int i;
398
399 pkey=X509_get_pubkey(x);
400 if (pkey == NULL)
401 {
402 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_X509_LIB);
403 return(0);
404 }
405
406 i=ssl_cert_type(x,pkey);
407 if (i < 0)
408 {
409 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
410 EVP_PKEY_free(pkey);
411 return(0);
412 }
413
414 if (c->pkeys[i].privatekey != NULL)
415 {
416 EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
417 ERR_clear_error();
418
419#ifndef OPENSSL_NO_RSA
420 /* Don't check the public/private key, this is mostly
421 * for smart cards. */
422 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
423 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
424 RSA_METHOD_FLAG_NO_CHECK))
425 ;
426 else
427#endif /* OPENSSL_NO_RSA */
428 if (!X509_check_private_key(x,c->pkeys[i].privatekey))
429 {
430 /* don't fail for a cert/key mismatch, just free
431 * current private key (when switching to a different
432 * cert & key, first this function should be used,
433 * then ssl_set_pkey */
434 EVP_PKEY_free(c->pkeys[i].privatekey);
435 c->pkeys[i].privatekey=NULL;
436 /* clear error queue */
437 ERR_clear_error();
438 }
439 }
440
441 EVP_PKEY_free(pkey);
442
443 if (c->pkeys[i].x509 != NULL)
444 X509_free(c->pkeys[i].x509);
445 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
446 c->pkeys[i].x509=x;
447 c->key= &(c->pkeys[i]);
448
449 c->valid=0;
450 return(1);
451 }
452
453#ifndef OPENSSL_NO_STDIO
454int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
455 {
456 int j;
457 BIO *in;
458 int ret=0;
459 X509 *x=NULL;
460
461 in=BIO_new(BIO_s_file_internal());
462 if (in == NULL)
463 {
464 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
465 goto end;
466 }
467
468 if (BIO_read_filename(in,file) <= 0)
469 {
470 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
471 goto end;
472 }
473 if (type == SSL_FILETYPE_ASN1)
474 {
475 j=ERR_R_ASN1_LIB;
476 x=d2i_X509_bio(in,NULL);
477 }
478 else if (type == SSL_FILETYPE_PEM)
479 {
480 j=ERR_R_PEM_LIB;
481 x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
482 }
483 else
484 {
485 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
486 goto end;
487 }
488
489 if (x == NULL)
490 {
491 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,j);
492 goto end;
493 }
494
495 ret=SSL_CTX_use_certificate(ctx,x);
496end:
497 if (x != NULL) X509_free(x);
498 if (in != NULL) BIO_free(in);
499 return(ret);
500 }
501#endif
502
503int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
504 {
505 X509 *x;
506 int ret;
507
508 x=d2i_X509(NULL,&d,(long)len);
509 if (x == NULL)
510 {
511 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
512 return(0);
513 }
514
515 ret=SSL_CTX_use_certificate(ctx,x);
516 X509_free(x);
517 return(ret);
518 }
519
520#ifndef OPENSSL_NO_RSA
521int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
522 {
523 int ret;
524 EVP_PKEY *pkey;
525
526 if (rsa == NULL)
527 {
528 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
529 return(0);
530 }
531 if (!ssl_cert_inst(&ctx->cert))
532 {
533 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
534 return(0);
535 }
536 if ((pkey=EVP_PKEY_new()) == NULL)
537 {
538 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
539 return(0);
540 }
541
542 RSA_up_ref(rsa);
543 EVP_PKEY_assign_RSA(pkey,rsa);
544
545 ret=ssl_set_pkey(ctx->cert, pkey);
546 EVP_PKEY_free(pkey);
547 return(ret);
548 }
549
550#ifndef OPENSSL_NO_STDIO
551int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
552 {
553 int j,ret=0;
554 BIO *in;
555 RSA *rsa=NULL;
556
557 in=BIO_new(BIO_s_file_internal());
558 if (in == NULL)
559 {
560 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
561 goto end;
562 }
563
564 if (BIO_read_filename(in,file) <= 0)
565 {
566 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
567 goto end;
568 }
569 if (type == SSL_FILETYPE_ASN1)
570 {
571 j=ERR_R_ASN1_LIB;
572 rsa=d2i_RSAPrivateKey_bio(in,NULL);
573 }
574 else if (type == SSL_FILETYPE_PEM)
575 {
576 j=ERR_R_PEM_LIB;
577 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
578 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
579 }
580 else
581 {
582 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
583 goto end;
584 }
585 if (rsa == NULL)
586 {
587 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,j);
588 goto end;
589 }
590 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
591 RSA_free(rsa);
592end:
593 if (in != NULL) BIO_free(in);
594 return(ret);
595 }
596#endif
597
598int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
599 {
600 int ret;
601 const unsigned char *p;
602 RSA *rsa;
603
604 p=d;
605 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
606 {
607 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
608 return(0);
609 }
610
611 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
612 RSA_free(rsa);
613 return(ret);
614 }
615#endif /* !OPENSSL_NO_RSA */
616
617int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
618 {
619 if (pkey == NULL)
620 {
621 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
622 return(0);
623 }
624 if (!ssl_cert_inst(&ctx->cert))
625 {
626 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
627 return(0);
628 }
629 return(ssl_set_pkey(ctx->cert,pkey));
630 }
631
632#ifndef OPENSSL_NO_STDIO
633int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
634 {
635 int j,ret=0;
636 BIO *in;
637 EVP_PKEY *pkey=NULL;
638
639 in=BIO_new(BIO_s_file_internal());
640 if (in == NULL)
641 {
642 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
643 goto end;
644 }
645
646 if (BIO_read_filename(in,file) <= 0)
647 {
648 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
649 goto end;
650 }
651 if (type == SSL_FILETYPE_PEM)
652 {
653 j=ERR_R_PEM_LIB;
654 pkey=PEM_read_bio_PrivateKey(in,NULL,
655 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
656 }
657 else if (type == SSL_FILETYPE_ASN1)
658 {
659 j = ERR_R_ASN1_LIB;
660 pkey = d2i_PrivateKey_bio(in,NULL);
661 }
662 else
663 {
664 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
665 goto end;
666 }
667 if (pkey == NULL)
668 {
669 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,j);
670 goto end;
671 }
672 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
673 EVP_PKEY_free(pkey);
674end:
675 if (in != NULL) BIO_free(in);
676 return(ret);
677 }
678#endif
679
680int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
681 long len)
682 {
683 int ret;
684 const unsigned char *p;
685 EVP_PKEY *pkey;
686
687 p=d;
688 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
689 {
690 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
691 return(0);
692 }
693
694 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
695 EVP_PKEY_free(pkey);
696 return(ret);
697 }
698
699
700#ifndef OPENSSL_NO_STDIO
701/* Read a file that contains our certificate in "PEM" format,
702 * possibly followed by a sequence of CA certificates that should be
703 * sent to the peer in the Certificate message.
704 */
705int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
706 {
707 BIO *in;
708 int ret=0;
709 X509 *x=NULL;
710
711 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
712
713 in = BIO_new(BIO_s_file_internal());
714 if (in == NULL)
715 {
716 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
717 goto end;
718 }
719
720 if (BIO_read_filename(in,file) <= 0)
721 {
722 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_SYS_LIB);
723 goto end;
724 }
725
726 x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,
727 ctx->default_passwd_callback_userdata);
728 if (x == NULL)
729 {
730 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
731 goto end;
732 }
733
734 ret = SSL_CTX_use_certificate(ctx, x);
735
736 if (ERR_peek_error() != 0)
737 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
738 if (ret)
739 {
740 /* If we could set up our certificate, now proceed to
741 * the CA certificates.
742 */
743 X509 *ca;
744 int r;
745 unsigned long err;
746
747 if (ctx->extra_certs != NULL)
748 {
749 sk_X509_pop_free(ctx->extra_certs, X509_free);
750 ctx->extra_certs = NULL;
751 }
752
753 while ((ca = PEM_read_bio_X509(in, NULL,
754 ctx->default_passwd_callback,
755 ctx->default_passwd_callback_userdata))
756 != NULL)
757 {
758 r = SSL_CTX_add_extra_chain_cert(ctx, ca);
759 if (!r)
760 {
761 X509_free(ca);
762 ret = 0;
763 goto end;
764 }
765 /* Note that we must not free r if it was successfully
766 * added to the chain (while we must free the main
767 * certificate, since its reference count is increased
768 * by SSL_CTX_use_certificate). */
769 }
770 /* When the while loop ends, it's usually just EOF. */
771 err = ERR_peek_last_error();
772 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
773 ERR_clear_error();
774 else
775 ret = 0; /* some real error */
776 }
777
778end:
779 if (x != NULL) X509_free(x);
780 if (in != NULL) BIO_free(in);
781 return(ret);
782 }
783#endif
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
deleted file mode 100644
index ad40fadd02..0000000000
--- a/src/lib/libssl/ssl_sess.c
+++ /dev/null
@@ -1,1159 +0,0 @@
1/* ssl/ssl_sess.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138#include <stdio.h>
139#include <openssl/lhash.h>
140#include <openssl/rand.h>
141#ifndef OPENSSL_NO_ENGINE
142#include <openssl/engine.h>
143#endif
144#include "ssl_locl.h"
145
146static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
147static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
148static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
149
150SSL_SESSION *SSL_get_session(const SSL *ssl)
151/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
152 {
153 return(ssl->session);
154 }
155
156SSL_SESSION *SSL_get1_session(SSL *ssl)
157/* variant of SSL_get_session: caller really gets something */
158 {
159 SSL_SESSION *sess;
160 /* Need to lock this all up rather than just use CRYPTO_add so that
161 * somebody doesn't free ssl->session between when we check it's
162 * non-null and when we up the reference count. */
163 CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
164 sess = ssl->session;
165 if(sess)
166 sess->references++;
167 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
168 return(sess);
169 }
170
171int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
172 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
173 {
174 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
175 new_func, dup_func, free_func);
176 }
177
178int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
179 {
180 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
181 }
182
183void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
184 {
185 return(CRYPTO_get_ex_data(&s->ex_data,idx));
186 }
187
188SSL_SESSION *SSL_SESSION_new(void)
189 {
190 SSL_SESSION *ss;
191
192 ss=(SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION));
193 if (ss == NULL)
194 {
195 SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE);
196 return(0);
197 }
198 memset(ss,0,sizeof(SSL_SESSION));
199
200 ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
201 ss->references=1;
202 ss->timeout=60*5+4; /* 5 minute timeout by default */
203 ss->time=(unsigned long)time(NULL);
204 ss->prev=NULL;
205 ss->next=NULL;
206 ss->compress_meth=0;
207#ifndef OPENSSL_NO_TLSEXT
208 ss->tlsext_hostname = NULL;
209#ifndef OPENSSL_NO_EC
210 ss->tlsext_ecpointformatlist_length = 0;
211 ss->tlsext_ecpointformatlist = NULL;
212 ss->tlsext_ellipticcurvelist_length = 0;
213 ss->tlsext_ellipticcurvelist = NULL;
214#endif
215#endif
216 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
217#ifndef OPENSSL_NO_PSK
218 ss->psk_identity_hint=NULL;
219 ss->psk_identity=NULL;
220#endif
221#ifndef OPENSSL_NO_SRP
222 ss->srp_username=NULL;
223#endif
224 return(ss);
225 }
226
227const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
228 {
229 if(len)
230 *len = s->session_id_length;
231 return s->session_id;
232 }
233
234unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s)
235 {
236 return s->compress_meth;
237 }
238
239/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
240 * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
241 * until we have no conflict is going to complete in one iteration pretty much
242 * "most" of the time (btw: understatement). So, if it takes us 10 iterations
243 * and we still can't avoid a conflict - well that's a reasonable point to call
244 * it quits. Either the RAND code is broken or someone is trying to open roughly
245 * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
246 * store that many sessions is perhaps a more interesting question ... */
247
248#define MAX_SESS_ID_ATTEMPTS 10
249static int def_generate_session_id(const SSL *ssl, unsigned char *id,
250 unsigned int *id_len)
251{
252 unsigned int retry = 0;
253 do
254 if (RAND_pseudo_bytes(id, *id_len) <= 0)
255 return 0;
256 while(SSL_has_matching_session_id(ssl, id, *id_len) &&
257 (++retry < MAX_SESS_ID_ATTEMPTS));
258 if(retry < MAX_SESS_ID_ATTEMPTS)
259 return 1;
260 /* else - woops a session_id match */
261 /* XXX We should also check the external cache --
262 * but the probability of a collision is negligible, and
263 * we could not prevent the concurrent creation of sessions
264 * with identical IDs since we currently don't have means
265 * to atomically check whether a session ID already exists
266 * and make a reservation for it if it does not
267 * (this problem applies to the internal cache as well).
268 */
269 return 0;
270}
271
272int ssl_get_new_session(SSL *s, int session)
273 {
274 /* This gets used by clients and servers. */
275
276 unsigned int tmp;
277 SSL_SESSION *ss=NULL;
278 GEN_SESSION_CB cb = def_generate_session_id;
279
280 if ((ss=SSL_SESSION_new()) == NULL) return(0);
281
282 /* If the context has a default timeout, use it */
283 if (s->session_ctx->session_timeout == 0)
284 ss->timeout=SSL_get_default_timeout(s);
285 else
286 ss->timeout=s->session_ctx->session_timeout;
287
288 if (s->session != NULL)
289 {
290 SSL_SESSION_free(s->session);
291 s->session=NULL;
292 }
293
294 if (session)
295 {
296 if (s->version == SSL2_VERSION)
297 {
298 ss->ssl_version=SSL2_VERSION;
299 ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
300 }
301 else if (s->version == SSL3_VERSION)
302 {
303 ss->ssl_version=SSL3_VERSION;
304 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
305 }
306 else if (s->version == TLS1_VERSION)
307 {
308 ss->ssl_version=TLS1_VERSION;
309 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
310 }
311 else if (s->version == TLS1_1_VERSION)
312 {
313 ss->ssl_version=TLS1_1_VERSION;
314 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
315 }
316 else if (s->version == TLS1_2_VERSION)
317 {
318 ss->ssl_version=TLS1_2_VERSION;
319 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
320 }
321 else if (s->version == DTLS1_BAD_VER)
322 {
323 ss->ssl_version=DTLS1_BAD_VER;
324 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
325 }
326 else if (s->version == DTLS1_VERSION)
327 {
328 ss->ssl_version=DTLS1_VERSION;
329 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
330 }
331 else
332 {
333 SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
334 SSL_SESSION_free(ss);
335 return(0);
336 }
337#ifndef OPENSSL_NO_TLSEXT
338 /* If RFC4507 ticket use empty session ID */
339 if (s->tlsext_ticket_expected)
340 {
341 ss->session_id_length = 0;
342 goto sess_id_done;
343 }
344#endif
345 /* Choose which callback will set the session ID */
346 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
347 if(s->generate_session_id)
348 cb = s->generate_session_id;
349 else if(s->session_ctx->generate_session_id)
350 cb = s->session_ctx->generate_session_id;
351 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
352 /* Choose a session ID */
353 tmp = ss->session_id_length;
354 if(!cb(s, ss->session_id, &tmp))
355 {
356 /* The callback failed */
357 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
358 SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
359 SSL_SESSION_free(ss);
360 return(0);
361 }
362 /* Don't allow the callback to set the session length to zero.
363 * nor set it higher than it was. */
364 if(!tmp || (tmp > ss->session_id_length))
365 {
366 /* The callback set an illegal length */
367 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
368 SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
369 SSL_SESSION_free(ss);
370 return(0);
371 }
372 /* If the session length was shrunk and we're SSLv2, pad it */
373 if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION))
374 memset(ss->session_id + tmp, 0, ss->session_id_length - tmp);
375 else
376 ss->session_id_length = tmp;
377 /* Finally, check for a conflict */
378 if(SSL_has_matching_session_id(s, ss->session_id,
379 ss->session_id_length))
380 {
381 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
382 SSL_R_SSL_SESSION_ID_CONFLICT);
383 SSL_SESSION_free(ss);
384 return(0);
385 }
386#ifndef OPENSSL_NO_TLSEXT
387 sess_id_done:
388 if (s->tlsext_hostname) {
389 ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
390 if (ss->tlsext_hostname == NULL) {
391 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
392 SSL_SESSION_free(ss);
393 return 0;
394 }
395 }
396#ifndef OPENSSL_NO_EC
397 if (s->tlsext_ecpointformatlist)
398 {
399 if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
400 if ((ss->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
401 {
402 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
403 SSL_SESSION_free(ss);
404 return 0;
405 }
406 ss->tlsext_ecpointformatlist_length = s->tlsext_ecpointformatlist_length;
407 memcpy(ss->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
408 }
409 if (s->tlsext_ellipticcurvelist)
410 {
411 if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
412 if ((ss->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
413 {
414 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
415 SSL_SESSION_free(ss);
416 return 0;
417 }
418 ss->tlsext_ellipticcurvelist_length = s->tlsext_ellipticcurvelist_length;
419 memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
420 }
421#endif
422#endif
423 }
424 else
425 {
426 ss->session_id_length=0;
427 }
428
429 if (s->sid_ctx_length > sizeof ss->sid_ctx)
430 {
431 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
432 SSL_SESSION_free(ss);
433 return 0;
434 }
435 memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
436 ss->sid_ctx_length=s->sid_ctx_length;
437 s->session=ss;
438 ss->ssl_version=s->version;
439 ss->verify_result = X509_V_OK;
440
441 return(1);
442 }
443
444/* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
445 * connection. It is only called by servers.
446 *
447 * session_id: points at the session ID in the ClientHello. This code will
448 * read past the end of this in order to parse out the session ticket
449 * extension, if any.
450 * len: the length of the session ID.
451 * limit: a pointer to the first byte after the ClientHello.
452 *
453 * Returns:
454 * -1: error
455 * 0: a session may have been found.
456 *
457 * Side effects:
458 * - If a session is found then s->session is pointed at it (after freeing an
459 * existing session if need be) and s->verify_result is set from the session.
460 * - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
461 * if the server should issue a new session ticket (to 0 otherwise).
462 */
463int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
464 const unsigned char *limit)
465 {
466 /* This is used only by servers. */
467
468 SSL_SESSION *ret=NULL;
469 int fatal = 0;
470 int try_session_cache = 1;
471#ifndef OPENSSL_NO_TLSEXT
472 int r;
473#endif
474
475 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
476 goto err;
477
478 if (len == 0)
479 try_session_cache = 0;
480
481#ifndef OPENSSL_NO_TLSEXT
482 r = tls1_process_ticket(s, session_id, len, limit, &ret); /* sets s->tlsext_ticket_expected */
483 switch (r)
484 {
485 case -1: /* Error during processing */
486 fatal = 1;
487 goto err;
488 case 0: /* No ticket found */
489 case 1: /* Zero length ticket found */
490 break; /* Ok to carry on processing session id. */
491 case 2: /* Ticket found but not decrypted. */
492 case 3: /* Ticket decrypted, *ret has been set. */
493 try_session_cache = 0;
494 break;
495 default:
496 abort();
497 }
498#endif
499
500 if (try_session_cache &&
501 ret == NULL &&
502 !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
503 {
504 SSL_SESSION data;
505 data.ssl_version=s->version;
506 data.session_id_length=len;
507 if (len == 0)
508 return 0;
509 memcpy(data.session_id,session_id,len);
510 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
511 ret=lh_SSL_SESSION_retrieve(s->session_ctx->sessions,&data);
512 if (ret != NULL)
513 {
514 /* don't allow other threads to steal it: */
515 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
516 }
517 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
518 if (ret == NULL)
519 s->session_ctx->stats.sess_miss++;
520 }
521
522 if (try_session_cache &&
523 ret == NULL &&
524 s->session_ctx->get_session_cb != NULL)
525 {
526 int copy=1;
527
528 if ((ret=s->session_ctx->get_session_cb(s,session_id,len,&copy)))
529 {
530 s->session_ctx->stats.sess_cb_hit++;
531
532 /* Increment reference count now if the session callback
533 * asks us to do so (note that if the session structures
534 * returned by the callback are shared between threads,
535 * it must handle the reference count itself [i.e. copy == 0],
536 * or things won't be thread-safe). */
537 if (copy)
538 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
539
540 /* Add the externally cached session to the internal
541 * cache as well if and only if we are supposed to. */
542 if(!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
543 /* The following should not return 1, otherwise,
544 * things are very strange */
545 SSL_CTX_add_session(s->session_ctx,ret);
546 }
547 }
548
549 if (ret == NULL)
550 goto err;
551
552 /* Now ret is non-NULL and we own one of its reference counts. */
553
554 if (ret->sid_ctx_length != s->sid_ctx_length
555 || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))
556 {
557 /* We have the session requested by the client, but we don't
558 * want to use it in this context. */
559 goto err; /* treat like cache miss */
560 }
561
562 if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0)
563 {
564 /* We can't be sure if this session is being used out of
565 * context, which is especially important for SSL_VERIFY_PEER.
566 * The application should have used SSL[_CTX]_set_session_id_context.
567 *
568 * For this error case, we generate an error instead of treating
569 * the event like a cache miss (otherwise it would be easy for
570 * applications to effectively disable the session cache by
571 * accident without anyone noticing).
572 */
573
574 SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
575 fatal = 1;
576 goto err;
577 }
578
579 if (ret->cipher == NULL)
580 {
581 unsigned char buf[5],*p;
582 unsigned long l;
583
584 p=buf;
585 l=ret->cipher_id;
586 l2n(l,p);
587 if ((ret->ssl_version>>8) >= SSL3_VERSION_MAJOR)
588 ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
589 else
590 ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
591 if (ret->cipher == NULL)
592 goto err;
593 }
594
595 if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
596 {
597 s->session_ctx->stats.sess_timeout++;
598 if (try_session_cache)
599 {
600 /* session was from the cache, so remove it */
601 SSL_CTX_remove_session(s->session_ctx,ret);
602 }
603 goto err;
604 }
605
606 s->session_ctx->stats.sess_hit++;
607
608 if (s->session != NULL)
609 SSL_SESSION_free(s->session);
610 s->session=ret;
611 s->verify_result = s->session->verify_result;
612 return 1;
613
614 err:
615 if (ret != NULL)
616 {
617 SSL_SESSION_free(ret);
618#ifndef OPENSSL_NO_TLSEXT
619 if (!try_session_cache)
620 {
621 /* The session was from a ticket, so we should
622 * issue a ticket for the new session */
623 s->tlsext_ticket_expected = 1;
624 }
625#endif
626 }
627 if (fatal)
628 return -1;
629 else
630 return 0;
631 }
632
633int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
634 {
635 int ret=0;
636 SSL_SESSION *s;
637
638 /* add just 1 reference count for the SSL_CTX's session cache
639 * even though it has two ways of access: each session is in a
640 * doubly linked list and an lhash */
641 CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
642 /* if session c is in already in cache, we take back the increment later */
643
644 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
645 s=lh_SSL_SESSION_insert(ctx->sessions,c);
646
647 /* s != NULL iff we already had a session with the given PID.
648 * In this case, s == c should hold (then we did not really modify
649 * ctx->sessions), or we're in trouble. */
650 if (s != NULL && s != c)
651 {
652 /* We *are* in trouble ... */
653 SSL_SESSION_list_remove(ctx,s);
654 SSL_SESSION_free(s);
655 /* ... so pretend the other session did not exist in cache
656 * (we cannot handle two SSL_SESSION structures with identical
657 * session ID in the same cache, which could happen e.g. when
658 * two threads concurrently obtain the same session from an external
659 * cache) */
660 s = NULL;
661 }
662
663 /* Put at the head of the queue unless it is already in the cache */
664 if (s == NULL)
665 SSL_SESSION_list_add(ctx,c);
666
667 if (s != NULL)
668 {
669 /* existing cache entry -- decrement previously incremented reference
670 * count because it already takes into account the cache */
671
672 SSL_SESSION_free(s); /* s == c */
673 ret=0;
674 }
675 else
676 {
677 /* new cache entry -- remove old ones if cache has become too large */
678
679 ret=1;
680
681 if (SSL_CTX_sess_get_cache_size(ctx) > 0)
682 {
683 while (SSL_CTX_sess_number(ctx) >
684 SSL_CTX_sess_get_cache_size(ctx))
685 {
686 if (!remove_session_lock(ctx,
687 ctx->session_cache_tail, 0))
688 break;
689 else
690 ctx->stats.sess_cache_full++;
691 }
692 }
693 }
694 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
695 return(ret);
696 }
697
698int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
699{
700 return remove_session_lock(ctx, c, 1);
701}
702
703static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
704 {
705 SSL_SESSION *r;
706 int ret=0;
707
708 if ((c != NULL) && (c->session_id_length != 0))
709 {
710 if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
711 if ((r = lh_SSL_SESSION_retrieve(ctx->sessions,c)) == c)
712 {
713 ret=1;
714 r=lh_SSL_SESSION_delete(ctx->sessions,c);
715 SSL_SESSION_list_remove(ctx,c);
716 }
717
718 if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
719
720 if (ret)
721 {
722 r->not_resumable=1;
723 if (ctx->remove_session_cb != NULL)
724 ctx->remove_session_cb(ctx,r);
725 SSL_SESSION_free(r);
726 }
727 }
728 else
729 ret=0;
730 return(ret);
731 }
732
733void SSL_SESSION_free(SSL_SESSION *ss)
734 {
735 int i;
736
737 if(ss == NULL)
738 return;
739
740 i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
741#ifdef REF_PRINT
742 REF_PRINT("SSL_SESSION",ss);
743#endif
744 if (i > 0) return;
745#ifdef REF_CHECK
746 if (i < 0)
747 {
748 fprintf(stderr,"SSL_SESSION_free, bad reference count\n");
749 abort(); /* ok */
750 }
751#endif
752
753 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
754
755 OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
756 OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
757 OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
758 if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
759 if (ss->peer != NULL) X509_free(ss->peer);
760 if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
761#ifndef OPENSSL_NO_TLSEXT
762 if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
763 if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
764#ifndef OPENSSL_NO_EC
765 ss->tlsext_ecpointformatlist_length = 0;
766 if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
767 ss->tlsext_ellipticcurvelist_length = 0;
768 if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
769#endif /* OPENSSL_NO_EC */
770#endif
771#ifndef OPENSSL_NO_PSK
772 if (ss->psk_identity_hint != NULL)
773 OPENSSL_free(ss->psk_identity_hint);
774 if (ss->psk_identity != NULL)
775 OPENSSL_free(ss->psk_identity);
776#endif
777#ifndef OPENSSL_NO_SRP
778 if (ss->srp_username != NULL)
779 OPENSSL_free(ss->srp_username);
780#endif
781 OPENSSL_cleanse(ss,sizeof(*ss));
782 OPENSSL_free(ss);
783 }
784
785int SSL_set_session(SSL *s, SSL_SESSION *session)
786 {
787 int ret=0;
788 const SSL_METHOD *meth;
789
790 if (session != NULL)
791 {
792 meth=s->ctx->method->get_ssl_method(session->ssl_version);
793 if (meth == NULL)
794 meth=s->method->get_ssl_method(session->ssl_version);
795 if (meth == NULL)
796 {
797 SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD);
798 return(0);
799 }
800
801 if (meth != s->method)
802 {
803 if (!SSL_set_ssl_method(s,meth))
804 return(0);
805 }
806
807#ifndef OPENSSL_NO_KRB5
808 if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
809 session->krb5_client_princ_len > 0)
810 {
811 s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
812 memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
813 session->krb5_client_princ_len);
814 s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
815 }
816#endif /* OPENSSL_NO_KRB5 */
817
818 /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
819 CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
820 if (s->session != NULL)
821 SSL_SESSION_free(s->session);
822 s->session=session;
823 s->verify_result = s->session->verify_result;
824 /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
825 ret=1;
826 }
827 else
828 {
829 if (s->session != NULL)
830 {
831 SSL_SESSION_free(s->session);
832 s->session=NULL;
833 }
834
835 meth=s->ctx->method;
836 if (meth != s->method)
837 {
838 if (!SSL_set_ssl_method(s,meth))
839 return(0);
840 }
841 ret=1;
842 }
843 return(ret);
844 }
845
846long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
847 {
848 if (s == NULL) return(0);
849 s->timeout=t;
850 return(1);
851 }
852
853long SSL_SESSION_get_timeout(const SSL_SESSION *s)
854 {
855 if (s == NULL) return(0);
856 return(s->timeout);
857 }
858
859long SSL_SESSION_get_time(const SSL_SESSION *s)
860 {
861 if (s == NULL) return(0);
862 return(s->time);
863 }
864
865long SSL_SESSION_set_time(SSL_SESSION *s, long t)
866 {
867 if (s == NULL) return(0);
868 s->time=t;
869 return(t);
870 }
871
872X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
873 {
874 return s->peer;
875 }
876
877int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
878 unsigned int sid_ctx_len)
879 {
880 if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
881 {
882 SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
883 return 0;
884 }
885 s->sid_ctx_length=sid_ctx_len;
886 memcpy(s->sid_ctx,sid_ctx,sid_ctx_len);
887
888 return 1;
889 }
890
891long SSL_CTX_set_timeout(SSL_CTX *s, long t)
892 {
893 long l;
894 if (s == NULL) return(0);
895 l=s->session_timeout;
896 s->session_timeout=t;
897 return(l);
898 }
899
900long SSL_CTX_get_timeout(const SSL_CTX *s)
901 {
902 if (s == NULL) return(0);
903 return(s->session_timeout);
904 }
905
906#ifndef OPENSSL_NO_TLSEXT
907int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
908 STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
909 {
910 if (s == NULL) return(0);
911 s->tls_session_secret_cb = tls_session_secret_cb;
912 s->tls_session_secret_cb_arg = arg;
913 return(1);
914 }
915
916int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
917 void *arg)
918 {
919 if (s == NULL) return(0);
920 s->tls_session_ticket_ext_cb = cb;
921 s->tls_session_ticket_ext_cb_arg = arg;
922 return(1);
923 }
924
925int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
926 {
927 if (s->version >= TLS1_VERSION)
928 {
929 if (s->tlsext_session_ticket)
930 {
931 OPENSSL_free(s->tlsext_session_ticket);
932 s->tlsext_session_ticket = NULL;
933 }
934
935 s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
936 if (!s->tlsext_session_ticket)
937 {
938 SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
939 return 0;
940 }
941
942 if (ext_data)
943 {
944 s->tlsext_session_ticket->length = ext_len;
945 s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
946 memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
947 }
948 else
949 {
950 s->tlsext_session_ticket->length = 0;
951 s->tlsext_session_ticket->data = NULL;
952 }
953
954 return 1;
955 }
956
957 return 0;
958 }
959#endif /* OPENSSL_NO_TLSEXT */
960
961typedef struct timeout_param_st
962 {
963 SSL_CTX *ctx;
964 long time;
965 LHASH_OF(SSL_SESSION) *cache;
966 } TIMEOUT_PARAM;
967
968static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
969 {
970 if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
971 {
972 /* The reason we don't call SSL_CTX_remove_session() is to
973 * save on locking overhead */
974 (void)lh_SSL_SESSION_delete(p->cache,s);
975 SSL_SESSION_list_remove(p->ctx,s);
976 s->not_resumable=1;
977 if (p->ctx->remove_session_cb != NULL)
978 p->ctx->remove_session_cb(p->ctx,s);
979 SSL_SESSION_free(s);
980 }
981 }
982
983static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM)
984
985void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
986 {
987 unsigned long i;
988 TIMEOUT_PARAM tp;
989
990 tp.ctx=s;
991 tp.cache=s->sessions;
992 if (tp.cache == NULL) return;
993 tp.time=t;
994 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
995 i=CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load;
996 CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=0;
997 lh_SSL_SESSION_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout),
998 TIMEOUT_PARAM, &tp);
999 CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=i;
1000 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1001 }
1002
1003int ssl_clear_bad_session(SSL *s)
1004 {
1005 if ( (s->session != NULL) &&
1006 !(s->shutdown & SSL_SENT_SHUTDOWN) &&
1007 !(SSL_in_init(s) || SSL_in_before(s)))
1008 {
1009 SSL_CTX_remove_session(s->ctx,s->session);
1010 return(1);
1011 }
1012 else
1013 return(0);
1014 }
1015
1016/* locked by SSL_CTX in the calling function */
1017static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
1018 {
1019 if ((s->next == NULL) || (s->prev == NULL)) return;
1020
1021 if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
1022 { /* last element in list */
1023 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
1024 { /* only one element in list */
1025 ctx->session_cache_head=NULL;
1026 ctx->session_cache_tail=NULL;
1027 }
1028 else
1029 {
1030 ctx->session_cache_tail=s->prev;
1031 s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
1032 }
1033 }
1034 else
1035 {
1036 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
1037 { /* first element in list */
1038 ctx->session_cache_head=s->next;
1039 s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
1040 }
1041 else
1042 { /* middle of list */
1043 s->next->prev=s->prev;
1044 s->prev->next=s->next;
1045 }
1046 }
1047 s->prev=s->next=NULL;
1048 }
1049
1050static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
1051 {
1052 if ((s->next != NULL) && (s->prev != NULL))
1053 SSL_SESSION_list_remove(ctx,s);
1054
1055 if (ctx->session_cache_head == NULL)
1056 {
1057 ctx->session_cache_head=s;
1058 ctx->session_cache_tail=s;
1059 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
1060 s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
1061 }
1062 else
1063 {
1064 s->next=ctx->session_cache_head;
1065 s->next->prev=s;
1066 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
1067 ctx->session_cache_head=s;
1068 }
1069 }
1070
1071void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
1072 int (*cb)(struct ssl_st *ssl,SSL_SESSION *sess))
1073 {
1074 ctx->new_session_cb=cb;
1075 }
1076
1077int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
1078 {
1079 return ctx->new_session_cb;
1080 }
1081
1082void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
1083 void (*cb)(SSL_CTX *ctx,SSL_SESSION *sess))
1084 {
1085 ctx->remove_session_cb=cb;
1086 }
1087
1088void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx,SSL_SESSION *sess)
1089 {
1090 return ctx->remove_session_cb;
1091 }
1092
1093void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
1094 SSL_SESSION *(*cb)(struct ssl_st *ssl,
1095 unsigned char *data,int len,int *copy))
1096 {
1097 ctx->get_session_cb=cb;
1098 }
1099
1100SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
1101 unsigned char *data,int len,int *copy)
1102 {
1103 return ctx->get_session_cb;
1104 }
1105
1106void SSL_CTX_set_info_callback(SSL_CTX *ctx,
1107 void (*cb)(const SSL *ssl,int type,int val))
1108 {
1109 ctx->info_callback=cb;
1110 }
1111
1112void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val)
1113 {
1114 return ctx->info_callback;
1115 }
1116
1117void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
1118 int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey))
1119 {
1120 ctx->client_cert_cb=cb;
1121 }
1122
1123int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey)
1124 {
1125 return ctx->client_cert_cb;
1126 }
1127
1128#ifndef OPENSSL_NO_ENGINE
1129int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
1130 {
1131 if (!ENGINE_init(e))
1132 {
1133 SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
1134 return 0;
1135 }
1136 if(!ENGINE_get_ssl_client_cert_function(e))
1137 {
1138 SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
1139 ENGINE_finish(e);
1140 return 0;
1141 }
1142 ctx->client_cert_engine = e;
1143 return 1;
1144 }
1145#endif
1146
1147void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
1148 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
1149 {
1150 ctx->app_gen_cookie_cb=cb;
1151 }
1152
1153void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
1154 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len))
1155 {
1156 ctx->app_verify_cookie_cb=cb;
1157 }
1158
1159IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
deleted file mode 100644
index 144b81e55f..0000000000
--- a/src/lib/libssl/ssl_stat.c
+++ /dev/null
@@ -1,567 +0,0 @@
1/* ssl/ssl_stat.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
84
85#include <stdio.h>
86#include "ssl_locl.h"
87
88const char *SSL_state_string_long(const SSL *s)
89 {
90 const char *str;
91
92 switch (s->state)
93 {
94case SSL_ST_BEFORE: str="before SSL initialization"; break;
95case SSL_ST_ACCEPT: str="before accept initialization"; break;
96case SSL_ST_CONNECT: str="before connect initialization"; break;
97case SSL_ST_OK: str="SSL negotiation finished successfully"; break;
98case SSL_ST_RENEGOTIATE: str="SSL renegotiate ciphers"; break;
99case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initialization"; break;
100case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
101case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
102case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
103#ifndef OPENSSL_NO_SSL2
104case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
105case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
106case SSL2_ST_SEND_CLIENT_HELLO_A: str="SSLv2 write client hello A"; break;
107case SSL2_ST_SEND_CLIENT_HELLO_B: str="SSLv2 write client hello B"; break;
108case SSL2_ST_GET_SERVER_HELLO_A: str="SSLv2 read server hello A"; break;
109case SSL2_ST_GET_SERVER_HELLO_B: str="SSLv2 read server hello B"; break;
110case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="SSLv2 write client master key A"; break;
111case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="SSLv2 write client master key B"; break;
112case SSL2_ST_SEND_CLIENT_FINISHED_A: str="SSLv2 write client finished A"; break;
113case SSL2_ST_SEND_CLIENT_FINISHED_B: str="SSLv2 write client finished B"; break;
114case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="SSLv2 write client certificate A"; break;
115case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="SSLv2 write client certificate B"; break;
116case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="SSLv2 write client certificate C"; break;
117case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="SSLv2 write client certificate D"; break;
118case SSL2_ST_GET_SERVER_VERIFY_A: str="SSLv2 read server verify A"; break;
119case SSL2_ST_GET_SERVER_VERIFY_B: str="SSLv2 read server verify B"; break;
120case SSL2_ST_GET_SERVER_FINISHED_A: str="SSLv2 read server finished A"; break;
121case SSL2_ST_GET_SERVER_FINISHED_B: str="SSLv2 read server finished B"; break;
122case SSL2_ST_GET_CLIENT_HELLO_A: str="SSLv2 read client hello A"; break;
123case SSL2_ST_GET_CLIENT_HELLO_B: str="SSLv2 read client hello B"; break;
124case SSL2_ST_GET_CLIENT_HELLO_C: str="SSLv2 read client hello C"; break;
125case SSL2_ST_SEND_SERVER_HELLO_A: str="SSLv2 write server hello A"; break;
126case SSL2_ST_SEND_SERVER_HELLO_B: str="SSLv2 write server hello B"; break;
127case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="SSLv2 read client master key A"; break;
128case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="SSLv2 read client master key B"; break;
129case SSL2_ST_SEND_SERVER_VERIFY_A: str="SSLv2 write server verify A"; break;
130case SSL2_ST_SEND_SERVER_VERIFY_B: str="SSLv2 write server verify B"; break;
131case SSL2_ST_SEND_SERVER_VERIFY_C: str="SSLv2 write server verify C"; break;
132case SSL2_ST_GET_CLIENT_FINISHED_A: str="SSLv2 read client finished A"; break;
133case SSL2_ST_GET_CLIENT_FINISHED_B: str="SSLv2 read client finished B"; break;
134case SSL2_ST_SEND_SERVER_FINISHED_A: str="SSLv2 write server finished A"; break;
135case SSL2_ST_SEND_SERVER_FINISHED_B: str="SSLv2 write server finished B"; break;
136case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="SSLv2 write request certificate A"; break;
137case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="SSLv2 write request certificate B"; break;
138case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="SSLv2 write request certificate C"; break;
139case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="SSLv2 write request certificate D"; break;
140case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="SSLv2 X509 read server certificate"; break;
141case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="SSLv2 X509 read client certificate"; break;
142#endif
143
144#ifndef OPENSSL_NO_SSL3
145/* SSLv3 additions */
146case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break;
147case SSL3_ST_CW_CLNT_HELLO_B: str="SSLv3 write client hello B"; break;
148case SSL3_ST_CR_SRVR_HELLO_A: str="SSLv3 read server hello A"; break;
149case SSL3_ST_CR_SRVR_HELLO_B: str="SSLv3 read server hello B"; break;
150case SSL3_ST_CR_CERT_A: str="SSLv3 read server certificate A"; break;
151case SSL3_ST_CR_CERT_B: str="SSLv3 read server certificate B"; break;
152case SSL3_ST_CR_KEY_EXCH_A: str="SSLv3 read server key exchange A"; break;
153case SSL3_ST_CR_KEY_EXCH_B: str="SSLv3 read server key exchange B"; break;
154case SSL3_ST_CR_CERT_REQ_A: str="SSLv3 read server certificate request A"; break;
155case SSL3_ST_CR_CERT_REQ_B: str="SSLv3 read server certificate request B"; break;
156case SSL3_ST_CR_SESSION_TICKET_A: str="SSLv3 read server session ticket A";break;
157case SSL3_ST_CR_SESSION_TICKET_B: str="SSLv3 read server session ticket B";break;
158case SSL3_ST_CR_SRVR_DONE_A: str="SSLv3 read server done A"; break;
159case SSL3_ST_CR_SRVR_DONE_B: str="SSLv3 read server done B"; break;
160case SSL3_ST_CW_CERT_A: str="SSLv3 write client certificate A"; break;
161case SSL3_ST_CW_CERT_B: str="SSLv3 write client certificate B"; break;
162case SSL3_ST_CW_CERT_C: str="SSLv3 write client certificate C"; break;
163case SSL3_ST_CW_CERT_D: str="SSLv3 write client certificate D"; break;
164case SSL3_ST_CW_KEY_EXCH_A: str="SSLv3 write client key exchange A"; break;
165case SSL3_ST_CW_KEY_EXCH_B: str="SSLv3 write client key exchange B"; break;
166case SSL3_ST_CW_CERT_VRFY_A: str="SSLv3 write certificate verify A"; break;
167case SSL3_ST_CW_CERT_VRFY_B: str="SSLv3 write certificate verify B"; break;
168
169case SSL3_ST_CW_CHANGE_A:
170case SSL3_ST_SW_CHANGE_A: str="SSLv3 write change cipher spec A"; break;
171case SSL3_ST_CW_CHANGE_B:
172case SSL3_ST_SW_CHANGE_B: str="SSLv3 write change cipher spec B"; break;
173case SSL3_ST_CW_FINISHED_A:
174case SSL3_ST_SW_FINISHED_A: str="SSLv3 write finished A"; break;
175case SSL3_ST_CW_FINISHED_B:
176case SSL3_ST_SW_FINISHED_B: str="SSLv3 write finished B"; break;
177case SSL3_ST_CR_CHANGE_A:
178case SSL3_ST_SR_CHANGE_A: str="SSLv3 read change cipher spec A"; break;
179case SSL3_ST_CR_CHANGE_B:
180case SSL3_ST_SR_CHANGE_B: str="SSLv3 read change cipher spec B"; break;
181case SSL3_ST_CR_FINISHED_A:
182case SSL3_ST_SR_FINISHED_A: str="SSLv3 read finished A"; break;
183case SSL3_ST_CR_FINISHED_B:
184case SSL3_ST_SR_FINISHED_B: str="SSLv3 read finished B"; break;
185
186case SSL3_ST_CW_FLUSH:
187case SSL3_ST_SW_FLUSH: str="SSLv3 flush data"; break;
188
189case SSL3_ST_SR_CLNT_HELLO_A: str="SSLv3 read client hello A"; break;
190case SSL3_ST_SR_CLNT_HELLO_B: str="SSLv3 read client hello B"; break;
191case SSL3_ST_SR_CLNT_HELLO_C: str="SSLv3 read client hello C"; break;
192case SSL3_ST_SW_HELLO_REQ_A: str="SSLv3 write hello request A"; break;
193case SSL3_ST_SW_HELLO_REQ_B: str="SSLv3 write hello request B"; break;
194case SSL3_ST_SW_HELLO_REQ_C: str="SSLv3 write hello request C"; break;
195case SSL3_ST_SW_SRVR_HELLO_A: str="SSLv3 write server hello A"; break;
196case SSL3_ST_SW_SRVR_HELLO_B: str="SSLv3 write server hello B"; break;
197case SSL3_ST_SW_CERT_A: str="SSLv3 write certificate A"; break;
198case SSL3_ST_SW_CERT_B: str="SSLv3 write certificate B"; break;
199case SSL3_ST_SW_KEY_EXCH_A: str="SSLv3 write key exchange A"; break;
200case SSL3_ST_SW_KEY_EXCH_B: str="SSLv3 write key exchange B"; break;
201case SSL3_ST_SW_CERT_REQ_A: str="SSLv3 write certificate request A"; break;
202case SSL3_ST_SW_CERT_REQ_B: str="SSLv3 write certificate request B"; break;
203case SSL3_ST_SW_SESSION_TICKET_A: str="SSLv3 write session ticket A"; break;
204case SSL3_ST_SW_SESSION_TICKET_B: str="SSLv3 write session ticket B"; break;
205case SSL3_ST_SW_SRVR_DONE_A: str="SSLv3 write server done A"; break;
206case SSL3_ST_SW_SRVR_DONE_B: str="SSLv3 write server done B"; break;
207case SSL3_ST_SR_CERT_A: str="SSLv3 read client certificate A"; break;
208case SSL3_ST_SR_CERT_B: str="SSLv3 read client certificate B"; break;
209case SSL3_ST_SR_KEY_EXCH_A: str="SSLv3 read client key exchange A"; break;
210case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break;
211case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break;
212case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
213#endif
214
215#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
216/* SSLv2/v3 compatibility states */
217/* client */
218case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break;
219case SSL23_ST_CW_CLNT_HELLO_B: str="SSLv2/v3 write client hello B"; break;
220case SSL23_ST_CR_SRVR_HELLO_A: str="SSLv2/v3 read server hello A"; break;
221case SSL23_ST_CR_SRVR_HELLO_B: str="SSLv2/v3 read server hello B"; break;
222/* server */
223case SSL23_ST_SR_CLNT_HELLO_A: str="SSLv2/v3 read client hello A"; break;
224case SSL23_ST_SR_CLNT_HELLO_B: str="SSLv2/v3 read client hello B"; break;
225#endif
226
227/* DTLS */
228case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DTLS1 read hello verify request A"; break;
229case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: str="DTLS1 read hello verify request B"; break;
230case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: str="DTLS1 write hello verify request A"; break;
231case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: str="DTLS1 write hello verify request B"; break;
232
233default: str="unknown state"; break;
234 }
235 return(str);
236 }
237
238const char *SSL_rstate_string_long(const SSL *s)
239 {
240 const char *str;
241
242 switch (s->rstate)
243 {
244 case SSL_ST_READ_HEADER: str="read header"; break;
245 case SSL_ST_READ_BODY: str="read body"; break;
246 case SSL_ST_READ_DONE: str="read done"; break;
247 default: str="unknown"; break;
248 }
249 return(str);
250 }
251
252const char *SSL_state_string(const SSL *s)
253 {
254 const char *str;
255
256 switch (s->state)
257 {
258case SSL_ST_BEFORE: str="PINIT "; break;
259case SSL_ST_ACCEPT: str="AINIT "; break;
260case SSL_ST_CONNECT: str="CINIT "; break;
261case SSL_ST_OK: str="SSLOK "; break;
262#ifndef OPENSSL_NO_SSL2
263case SSL2_ST_CLIENT_START_ENCRYPTION: str="2CSENC"; break;
264case SSL2_ST_SERVER_START_ENCRYPTION: str="2SSENC"; break;
265case SSL2_ST_SEND_CLIENT_HELLO_A: str="2SCH_A"; break;
266case SSL2_ST_SEND_CLIENT_HELLO_B: str="2SCH_B"; break;
267case SSL2_ST_GET_SERVER_HELLO_A: str="2GSH_A"; break;
268case SSL2_ST_GET_SERVER_HELLO_B: str="2GSH_B"; break;
269case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="2SCMKA"; break;
270case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="2SCMKB"; break;
271case SSL2_ST_SEND_CLIENT_FINISHED_A: str="2SCF_A"; break;
272case SSL2_ST_SEND_CLIENT_FINISHED_B: str="2SCF_B"; break;
273case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="2SCC_A"; break;
274case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="2SCC_B"; break;
275case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="2SCC_C"; break;
276case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="2SCC_D"; break;
277case SSL2_ST_GET_SERVER_VERIFY_A: str="2GSV_A"; break;
278case SSL2_ST_GET_SERVER_VERIFY_B: str="2GSV_B"; break;
279case SSL2_ST_GET_SERVER_FINISHED_A: str="2GSF_A"; break;
280case SSL2_ST_GET_SERVER_FINISHED_B: str="2GSF_B"; break;
281case SSL2_ST_GET_CLIENT_HELLO_A: str="2GCH_A"; break;
282case SSL2_ST_GET_CLIENT_HELLO_B: str="2GCH_B"; break;
283case SSL2_ST_GET_CLIENT_HELLO_C: str="2GCH_C"; break;
284case SSL2_ST_SEND_SERVER_HELLO_A: str="2SSH_A"; break;
285case SSL2_ST_SEND_SERVER_HELLO_B: str="2SSH_B"; break;
286case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="2GCMKA"; break;
287case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="2GCMKA"; break;
288case SSL2_ST_SEND_SERVER_VERIFY_A: str="2SSV_A"; break;
289case SSL2_ST_SEND_SERVER_VERIFY_B: str="2SSV_B"; break;
290case SSL2_ST_SEND_SERVER_VERIFY_C: str="2SSV_C"; break;
291case SSL2_ST_GET_CLIENT_FINISHED_A: str="2GCF_A"; break;
292case SSL2_ST_GET_CLIENT_FINISHED_B: str="2GCF_B"; break;
293case SSL2_ST_SEND_SERVER_FINISHED_A: str="2SSF_A"; break;
294case SSL2_ST_SEND_SERVER_FINISHED_B: str="2SSF_B"; break;
295case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="2SRC_A"; break;
296case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="2SRC_B"; break;
297case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="2SRC_C"; break;
298case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="2SRC_D"; break;
299case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="2X9GSC"; break;
300case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="2X9GCC"; break;
301#endif
302
303#ifndef OPENSSL_NO_SSL3
304/* SSLv3 additions */
305case SSL3_ST_SW_FLUSH:
306case SSL3_ST_CW_FLUSH: str="3FLUSH"; break;
307case SSL3_ST_CW_CLNT_HELLO_A: str="3WCH_A"; break;
308case SSL3_ST_CW_CLNT_HELLO_B: str="3WCH_B"; break;
309case SSL3_ST_CR_SRVR_HELLO_A: str="3RSH_A"; break;
310case SSL3_ST_CR_SRVR_HELLO_B: str="3RSH_B"; break;
311case SSL3_ST_CR_CERT_A: str="3RSC_A"; break;
312case SSL3_ST_CR_CERT_B: str="3RSC_B"; break;
313case SSL3_ST_CR_KEY_EXCH_A: str="3RSKEA"; break;
314case SSL3_ST_CR_KEY_EXCH_B: str="3RSKEB"; break;
315case SSL3_ST_CR_CERT_REQ_A: str="3RCR_A"; break;
316case SSL3_ST_CR_CERT_REQ_B: str="3RCR_B"; break;
317case SSL3_ST_CR_SRVR_DONE_A: str="3RSD_A"; break;
318case SSL3_ST_CR_SRVR_DONE_B: str="3RSD_B"; break;
319case SSL3_ST_CW_CERT_A: str="3WCC_A"; break;
320case SSL3_ST_CW_CERT_B: str="3WCC_B"; break;
321case SSL3_ST_CW_CERT_C: str="3WCC_C"; break;
322case SSL3_ST_CW_CERT_D: str="3WCC_D"; break;
323case SSL3_ST_CW_KEY_EXCH_A: str="3WCKEA"; break;
324case SSL3_ST_CW_KEY_EXCH_B: str="3WCKEB"; break;
325case SSL3_ST_CW_CERT_VRFY_A: str="3WCV_A"; break;
326case SSL3_ST_CW_CERT_VRFY_B: str="3WCV_B"; break;
327
328case SSL3_ST_SW_CHANGE_A:
329case SSL3_ST_CW_CHANGE_A: str="3WCCSA"; break;
330case SSL3_ST_SW_CHANGE_B:
331case SSL3_ST_CW_CHANGE_B: str="3WCCSB"; break;
332case SSL3_ST_SW_FINISHED_A:
333case SSL3_ST_CW_FINISHED_A: str="3WFINA"; break;
334case SSL3_ST_SW_FINISHED_B:
335case SSL3_ST_CW_FINISHED_B: str="3WFINB"; break;
336case SSL3_ST_SR_CHANGE_A:
337case SSL3_ST_CR_CHANGE_A: str="3RCCSA"; break;
338case SSL3_ST_SR_CHANGE_B:
339case SSL3_ST_CR_CHANGE_B: str="3RCCSB"; break;
340case SSL3_ST_SR_FINISHED_A:
341case SSL3_ST_CR_FINISHED_A: str="3RFINA"; break;
342case SSL3_ST_SR_FINISHED_B:
343case SSL3_ST_CR_FINISHED_B: str="3RFINB"; break;
344
345case SSL3_ST_SW_HELLO_REQ_A: str="3WHR_A"; break;
346case SSL3_ST_SW_HELLO_REQ_B: str="3WHR_B"; break;
347case SSL3_ST_SW_HELLO_REQ_C: str="3WHR_C"; break;
348case SSL3_ST_SR_CLNT_HELLO_A: str="3RCH_A"; break;
349case SSL3_ST_SR_CLNT_HELLO_B: str="3RCH_B"; break;
350case SSL3_ST_SR_CLNT_HELLO_C: str="3RCH_C"; break;
351case SSL3_ST_SW_SRVR_HELLO_A: str="3WSH_A"; break;
352case SSL3_ST_SW_SRVR_HELLO_B: str="3WSH_B"; break;
353case SSL3_ST_SW_CERT_A: str="3WSC_A"; break;
354case SSL3_ST_SW_CERT_B: str="3WSC_B"; break;
355case SSL3_ST_SW_KEY_EXCH_A: str="3WSKEA"; break;
356case SSL3_ST_SW_KEY_EXCH_B: str="3WSKEB"; break;
357case SSL3_ST_SW_CERT_REQ_A: str="3WCR_A"; break;
358case SSL3_ST_SW_CERT_REQ_B: str="3WCR_B"; break;
359case SSL3_ST_SW_SRVR_DONE_A: str="3WSD_A"; break;
360case SSL3_ST_SW_SRVR_DONE_B: str="3WSD_B"; break;
361case SSL3_ST_SR_CERT_A: str="3RCC_A"; break;
362case SSL3_ST_SR_CERT_B: str="3RCC_B"; break;
363case SSL3_ST_SR_KEY_EXCH_A: str="3RCKEA"; break;
364case SSL3_ST_SR_KEY_EXCH_B: str="3RCKEB"; break;
365case SSL3_ST_SR_CERT_VRFY_A: str="3RCV_A"; break;
366case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break;
367#endif
368
369#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
370/* SSLv2/v3 compatibility states */
371/* client */
372case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break;
373case SSL23_ST_CW_CLNT_HELLO_B: str="23WCHB"; break;
374case SSL23_ST_CR_SRVR_HELLO_A: str="23RSHA"; break;
375case SSL23_ST_CR_SRVR_HELLO_B: str="23RSHA"; break;
376/* server */
377case SSL23_ST_SR_CLNT_HELLO_A: str="23RCHA"; break;
378case SSL23_ST_SR_CLNT_HELLO_B: str="23RCHB"; break;
379#endif
380/* DTLS */
381case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DRCHVA"; break;
382case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: str="DRCHVB"; break;
383case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: str="DWCHVA"; break;
384case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: str="DWCHVB"; break;
385
386default: str="UNKWN "; break;
387 }
388 return(str);
389 }
390
391const char *SSL_alert_type_string_long(int value)
392 {
393 value>>=8;
394 if (value == SSL3_AL_WARNING)
395 return("warning");
396 else if (value == SSL3_AL_FATAL)
397 return("fatal");
398 else
399 return("unknown");
400 }
401
402const char *SSL_alert_type_string(int value)
403 {
404 value>>=8;
405 if (value == SSL3_AL_WARNING)
406 return("W");
407 else if (value == SSL3_AL_FATAL)
408 return("F");
409 else
410 return("U");
411 }
412
413const char *SSL_alert_desc_string(int value)
414 {
415 const char *str;
416
417 switch (value & 0xff)
418 {
419 case SSL3_AD_CLOSE_NOTIFY: str="CN"; break;
420 case SSL3_AD_UNEXPECTED_MESSAGE: str="UM"; break;
421 case SSL3_AD_BAD_RECORD_MAC: str="BM"; break;
422 case SSL3_AD_DECOMPRESSION_FAILURE: str="DF"; break;
423 case SSL3_AD_HANDSHAKE_FAILURE: str="HF"; break;
424 case SSL3_AD_NO_CERTIFICATE: str="NC"; break;
425 case SSL3_AD_BAD_CERTIFICATE: str="BC"; break;
426 case SSL3_AD_UNSUPPORTED_CERTIFICATE: str="UC"; break;
427 case SSL3_AD_CERTIFICATE_REVOKED: str="CR"; break;
428 case SSL3_AD_CERTIFICATE_EXPIRED: str="CE"; break;
429 case SSL3_AD_CERTIFICATE_UNKNOWN: str="CU"; break;
430 case SSL3_AD_ILLEGAL_PARAMETER: str="IP"; break;
431 case TLS1_AD_DECRYPTION_FAILED: str="DC"; break;
432 case TLS1_AD_RECORD_OVERFLOW: str="RO"; break;
433 case TLS1_AD_UNKNOWN_CA: str="CA"; break;
434 case TLS1_AD_ACCESS_DENIED: str="AD"; break;
435 case TLS1_AD_DECODE_ERROR: str="DE"; break;
436 case TLS1_AD_DECRYPT_ERROR: str="CY"; break;
437 case TLS1_AD_EXPORT_RESTRICTION: str="ER"; break;
438 case TLS1_AD_PROTOCOL_VERSION: str="PV"; break;
439 case TLS1_AD_INSUFFICIENT_SECURITY: str="IS"; break;
440 case TLS1_AD_INTERNAL_ERROR: str="IE"; break;
441 case TLS1_AD_USER_CANCELLED: str="US"; break;
442 case TLS1_AD_NO_RENEGOTIATION: str="NR"; break;
443 case TLS1_AD_UNSUPPORTED_EXTENSION: str="UE"; break;
444 case TLS1_AD_CERTIFICATE_UNOBTAINABLE: str="CO"; break;
445 case TLS1_AD_UNRECOGNIZED_NAME: str="UN"; break;
446 case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: str="BR"; break;
447 case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: str="BH"; break;
448 case TLS1_AD_UNKNOWN_PSK_IDENTITY: str="UP"; break;
449 default: str="UK"; break;
450 }
451 return(str);
452 }
453
454const char *SSL_alert_desc_string_long(int value)
455 {
456 const char *str;
457
458 switch (value & 0xff)
459 {
460 case SSL3_AD_CLOSE_NOTIFY:
461 str="close notify";
462 break;
463 case SSL3_AD_UNEXPECTED_MESSAGE:
464 str="unexpected_message";
465 break;
466 case SSL3_AD_BAD_RECORD_MAC:
467 str="bad record mac";
468 break;
469 case SSL3_AD_DECOMPRESSION_FAILURE:
470 str="decompression failure";
471 break;
472 case SSL3_AD_HANDSHAKE_FAILURE:
473 str="handshake failure";
474 break;
475 case SSL3_AD_NO_CERTIFICATE:
476 str="no certificate";
477 break;
478 case SSL3_AD_BAD_CERTIFICATE:
479 str="bad certificate";
480 break;
481 case SSL3_AD_UNSUPPORTED_CERTIFICATE:
482 str="unsupported certificate";
483 break;
484 case SSL3_AD_CERTIFICATE_REVOKED:
485 str="certificate revoked";
486 break;
487 case SSL3_AD_CERTIFICATE_EXPIRED:
488 str="certificate expired";
489 break;
490 case SSL3_AD_CERTIFICATE_UNKNOWN:
491 str="certificate unknown";
492 break;
493 case SSL3_AD_ILLEGAL_PARAMETER:
494 str="illegal parameter";
495 break;
496 case TLS1_AD_DECRYPTION_FAILED:
497 str="decryption failed";
498 break;
499 case TLS1_AD_RECORD_OVERFLOW:
500 str="record overflow";
501 break;
502 case TLS1_AD_UNKNOWN_CA:
503 str="unknown CA";
504 break;
505 case TLS1_AD_ACCESS_DENIED:
506 str="access denied";
507 break;
508 case TLS1_AD_DECODE_ERROR:
509 str="decode error";
510 break;
511 case TLS1_AD_DECRYPT_ERROR:
512 str="decrypt error";
513 break;
514 case TLS1_AD_EXPORT_RESTRICTION:
515 str="export restriction";
516 break;
517 case TLS1_AD_PROTOCOL_VERSION:
518 str="protocol version";
519 break;
520 case TLS1_AD_INSUFFICIENT_SECURITY:
521 str="insufficient security";
522 break;
523 case TLS1_AD_INTERNAL_ERROR:
524 str="internal error";
525 break;
526 case TLS1_AD_USER_CANCELLED:
527 str="user canceled";
528 break;
529 case TLS1_AD_NO_RENEGOTIATION:
530 str="no renegotiation";
531 break;
532 case TLS1_AD_UNSUPPORTED_EXTENSION:
533 str="unsupported extension";
534 break;
535 case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
536 str="certificate unobtainable";
537 break;
538 case TLS1_AD_UNRECOGNIZED_NAME:
539 str="unrecognized name";
540 break;
541 case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
542 str="bad certificate status response";
543 break;
544 case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
545 str="bad certificate hash value";
546 break;
547 case TLS1_AD_UNKNOWN_PSK_IDENTITY:
548 str="unknown PSK identity";
549 break;
550 default: str="unknown"; break;
551 }
552 return(str);
553 }
554
555const char *SSL_rstate_string(const SSL *s)
556 {
557 const char *str;
558
559 switch (s->rstate)
560 {
561 case SSL_ST_READ_HEADER:str="RH"; break;
562 case SSL_ST_READ_BODY: str="RB"; break;
563 case SSL_ST_READ_DONE: str="RD"; break;
564 default: str="unknown"; break;
565 }
566 return(str);
567 }
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
deleted file mode 100644
index 6479d52c0c..0000000000
--- a/src/lib/libssl/ssl_txt.c
+++ /dev/null
@@ -1,248 +0,0 @@
1/* ssl/ssl_txt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
84
85#include <stdio.h>
86#include <openssl/buffer.h>
87#include "ssl_locl.h"
88
89#ifndef OPENSSL_NO_FP_API
90int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
91 {
92 BIO *b;
93 int ret;
94
95 if ((b=BIO_new(BIO_s_file_internal())) == NULL)
96 {
97 SSLerr(SSL_F_SSL_SESSION_PRINT_FP,ERR_R_BUF_LIB);
98 return(0);
99 }
100 BIO_set_fp(b,fp,BIO_NOCLOSE);
101 ret=SSL_SESSION_print(b,x);
102 BIO_free(b);
103 return(ret);
104 }
105#endif
106
107int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
108 {
109 unsigned int i;
110 const char *s;
111
112 if (x == NULL) goto err;
113 if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err;
114 if (x->ssl_version == SSL2_VERSION)
115 s="SSLv2";
116 else if (x->ssl_version == SSL3_VERSION)
117 s="SSLv3";
118 else if (x->ssl_version == TLS1_2_VERSION)
119 s="TLSv1.2";
120 else if (x->ssl_version == TLS1_1_VERSION)
121 s="TLSv1.1";
122 else if (x->ssl_version == TLS1_VERSION)
123 s="TLSv1";
124 else if (x->ssl_version == DTLS1_VERSION)
125 s="DTLSv1";
126 else if (x->ssl_version == DTLS1_BAD_VER)
127 s="DTLSv1-bad";
128 else
129 s="unknown";
130 if (BIO_printf(bp," Protocol : %s\n",s) <= 0) goto err;
131
132 if (x->cipher == NULL)
133 {
134 if (((x->cipher_id) & 0xff000000) == 0x02000000)
135 {
136 if (BIO_printf(bp," Cipher : %06lX\n",x->cipher_id&0xffffff) <= 0)
137 goto err;
138 }
139 else
140 {
141 if (BIO_printf(bp," Cipher : %04lX\n",x->cipher_id&0xffff) <= 0)
142 goto err;
143 }
144 }
145 else
146 {
147 if (BIO_printf(bp," Cipher : %s\n",((x->cipher == NULL)?"unknown":x->cipher->name)) <= 0)
148 goto err;
149 }
150 if (BIO_puts(bp," Session-ID: ") <= 0) goto err;
151 for (i=0; i<x->session_id_length; i++)
152 {
153 if (BIO_printf(bp,"%02X",x->session_id[i]) <= 0) goto err;
154 }
155 if (BIO_puts(bp,"\n Session-ID-ctx: ") <= 0) goto err;
156 for (i=0; i<x->sid_ctx_length; i++)
157 {
158 if (BIO_printf(bp,"%02X",x->sid_ctx[i]) <= 0)
159 goto err;
160 }
161 if (BIO_puts(bp,"\n Master-Key: ") <= 0) goto err;
162 for (i=0; i<(unsigned int)x->master_key_length; i++)
163 {
164 if (BIO_printf(bp,"%02X",x->master_key[i]) <= 0) goto err;
165 }
166 if (BIO_puts(bp,"\n Key-Arg : ") <= 0) goto err;
167 if (x->key_arg_length == 0)
168 {
169 if (BIO_puts(bp,"None") <= 0) goto err;
170 }
171 else
172 for (i=0; i<x->key_arg_length; i++)
173 {
174 if (BIO_printf(bp,"%02X",x->key_arg[i]) <= 0) goto err;
175 }
176#ifndef OPENSSL_NO_KRB5
177 if (BIO_puts(bp,"\n Krb5 Principal: ") <= 0) goto err;
178 if (x->krb5_client_princ_len == 0)
179 {
180 if (BIO_puts(bp,"None") <= 0) goto err;
181 }
182 else
183 for (i=0; i<x->krb5_client_princ_len; i++)
184 {
185 if (BIO_printf(bp,"%02X",x->krb5_client_princ[i]) <= 0) goto err;
186 }
187#endif /* OPENSSL_NO_KRB5 */
188#ifndef OPENSSL_NO_PSK
189 if (BIO_puts(bp,"\n PSK identity: ") <= 0) goto err;
190 if (BIO_printf(bp, "%s", x->psk_identity ? x->psk_identity : "None") <= 0) goto err;
191 if (BIO_puts(bp,"\n PSK identity hint: ") <= 0) goto err;
192 if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0) goto err;
193#endif
194#ifndef OPENSSL_NO_SRP
195 if (BIO_puts(bp,"\n SRP username: ") <= 0) goto err;
196 if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None") <= 0) goto err;
197#endif
198#ifndef OPENSSL_NO_TLSEXT
199 if (x->tlsext_tick_lifetime_hint)
200 {
201 if (BIO_printf(bp,
202 "\n TLS session ticket lifetime hint: %ld (seconds)",
203 x->tlsext_tick_lifetime_hint) <=0)
204 goto err;
205 }
206 if (x->tlsext_tick)
207 {
208 if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0) goto err;
209 if (BIO_dump_indent(bp, (char *)x->tlsext_tick, x->tlsext_ticklen, 4) <= 0)
210 goto err;
211 }
212#endif
213
214#ifndef OPENSSL_NO_COMP
215 if (x->compress_meth != 0)
216 {
217 SSL_COMP *comp = NULL;
218
219 ssl_cipher_get_evp(x,NULL,NULL,NULL,NULL,&comp);
220 if (comp == NULL)
221 {
222 if (BIO_printf(bp,"\n Compression: %d",x->compress_meth) <= 0) goto err;
223 }
224 else
225 {
226 if (BIO_printf(bp,"\n Compression: %d (%s)", comp->id,comp->method->name) <= 0) goto err;
227 }
228 }
229#endif
230 if (x->time != 0L)
231 {
232 if (BIO_printf(bp, "\n Start Time: %ld",x->time) <= 0) goto err;
233 }
234 if (x->timeout != 0L)
235 {
236 if (BIO_printf(bp, "\n Timeout : %ld (sec)",x->timeout) <= 0) goto err;
237 }
238 if (BIO_puts(bp,"\n") <= 0) goto err;
239
240 if (BIO_puts(bp, " Verify return code: ") <= 0) goto err;
241 if (BIO_printf(bp, "%ld (%s)\n", x->verify_result,
242 X509_verify_cert_error_string(x->verify_result)) <= 0) goto err;
243
244 return(1);
245err:
246 return(0);
247 }
248
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-09 10:33:31 +0000